PHP Security Tips

PHP Security

September 20, 2011 NWO-PUG 1

E-mail: [email protected]: @dragonmantankIdenti.ca: dragonmantank

Who are you and why are you in my house?

Chris Tankersley Doing PHP for 8 Years Lots of projects no one uses, and a

few that some do TL;DR

https://github.com/dragonmantank

NWO-PUG 2September 20, 2011

The Parts of SecurityIt’s more than just a username/password


What is Secure Programming?

1. Minimizing Attack Surface2. Establishing Secure Defaults3. Principle of Least Privilege4. Defense in Depth5. Fail Securely6. Don’t Trust Services or Users7. Separation of Duties8. Avoid Security through Obscurity9. Keep Security Simple10.Fix Security Issues Correctly


https://www.owasp.org/index.php/Secure_Coding_Principles

Most Common AttacksAnd how to avoid them


OWASP Top 10

1. Injection2. Cross-Site Scripting3. Broken Authentication and Session

Management4. Insecure Direct Object References5. Cross-Site Request Forgery6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure To Restrict URL Access9. Insufficient Transport Layer Protection10.Unvalidated Redirects and Forwards

NWO-PUG 6

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

September 20, 2011

Injection


What is Injection?

When a user or service corrupts a command due to improper validation of input


Many Shapes and Sizes

SQL Injection Command Injection HTML Injection


Protecting against Injections Attacks

Filter user input Escape anything not hard-coded Ignore $_REQUEST


SQL Injection


A Bit More Real Life


Protecting against SQL Injection

Use PDO and prepared statements


Command Injection

When your script calls an external program, users can run code


Protecting against Command Injection

If allowing the user to specify commands, use escapeshellcmd()

If allowing the user to specify arguments, use escapeshellarg()


HTML/Script Injection

HTML Injection: When user input is used to create new markup that the application did not expect

Script Injection: When user input is used to add new scripting to a page


HTML/Script Injection


Protecting against HTML/Script Injection

Decide if you really need to take HTML input

If you do: Use an HTML cleaner like Tidy or

htmLawed Create a whitelist of allowed tags

If you don’t: Use htmlentities()/htmlspecialchars()


Cross Site ScriptingOr XSS


What is it?

When a user injects a script into a page or extra JS into a command to send information to another site


How to avoid XSS?

Since this is an injection attack, use the same steps as a HTML/Script injection


Broken Authentication and Session Management


What is it?

Insecure storing of credentials Session IDs exposed via URL Session fixation attacks


Storing Credentials

Hash with a salt using the hash() command

Do not use md5 or sha1, use at least sha256 md5 and sha1 are broken and not

recommended for secure hashing If you have to use the raw data, encrypt

using mcrypt() Use AES256 (RIJNDAEL 256)


Session IDs in URL

Commonly used when cookies can’t be enabled

Make sure the following is set in your php.ini:

session.use_trans_id = 0session.use_only_cookies = 1


Session Fixation

What happens if your users don’t log out?

Use sessions to detect login status


Insecure Direct Object References


What is it?

Making sure that what the user is accessing they have access to.

Should be handled by checking authorization when accessed, or mapping

This is not an injection attack, but a logic attack


An Example


How to Avoid

Always check to make sure the user has authorization to access the resource

Map variables/whitelist to make it harder


Cross Site Request ForgeryOr CSRF Attacks


What is it?

When unauthorized commands are sent to and from a trusted website

In days gone by, this would be done with Referral checking, but don’t trust referrer information


An example – Bank Transfer

A bank transfer is done via $_GET variables

User is authenticated but not logged out


How to avoid this

Include a hidden element in the form with a one-time value


Security Misconfiguration


Beyond the scope of programming

Check for server hardening guidelines for your OS

Password rotation practices Understanding your settings

Keep your stack up to date!


Insecure Cryptographic Storage


More of a logic problem

Encrypting data in the database, but leaving it unencrypted during output

Using unsalted hashes


How to avoid this

Like when storing credentials, use a salt whenever hashing information

Only decrypt data when it is needed


Failure to Restrict URL Access


What is it?

When users can gain access to parts of the application just through URL manipulation

When the app doesn’t check authorization properly


Security through Obscurity

Don’t trust that just because a user doesn’t know a URL, they can’t get to it

Fuzzers can find all kinds of things, especially if the app is common


How to avoid this

ALWAYS check authorization. The extra CPU cycles are worth it.


Insufficient Transport Layer Protection


Not using SSL when you should

If your data is sensitive, use SSL Are your logins behind SSL?

There isn’t really an excuse. You can get an SSL cert for $9/year.


Unvalidated Redirects and Forwards


What is it?

When an app doesn’t properly validate that the redirect destination is valid


Putting it Together


Attacking from Multiple Fronts

Attackers will employ many different vectors in an attack

HTML injection can take advantage of a Broken Auth system and use XSS or URL restrictions to force users to do unintended actions

Script injection can lead to Session hijacking


Remember…

1. Minimizing Attack Surface2. Establishing Secure Defaults3. Principle of Least Privilege4. Defense in Depth5. Fail Securely6. Don’t Trust Services or Users7. Separation of Duties8. Avoid Security through Obscurity9. Keep Security Simple10.Fix Security Issues Correctly


https://www.owasp.org/index.php/Secure_Coding_Principles

Questions?


Technology

PHP Security Tips