2013 - Mark Story - Avoiding the OWASP Top 10
DESCRIPTION
PHP Conference Argentina 2013
TRANSCRIPT
AVOIDING THE OWASP Top 10 security exploits
Saturday, 5 October, 13
ME
Illustrator turned developer
PHP developer for 8 years
Architect/Developer at FreshBooks
Lead developer of CakePHP
SECURITY
SECURITY CONTINUUM
unusable <----------------> unrestricted
OWASP: Open Web Application Security Project
OWASP TOP 10
1 INJECTION
' OR 1=1 '--
RISKS
Command - Permits arbitrary shell commands.
SQL - Permits query manipulation, and arbitrary SQL.
Bad guys can run arbitrary code/queries.
SQL INJECTION EXAMPLE
$username = $_POST['username'];
$password = $_POST['password'];
// User input is interpolated straight into the query text.
$query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
$user = $db->query($query);
USER INPUT
$username = "root";
$password = "' OR 1 = 1 --";
FINAL QUERY
// The "--" starts an SQL comment, so the closing quote and everything after it is ignored.
$query = "SELECT * FROM user WHERE username = 'root' AND password = '' OR 1 = 1 --'";
PREVENTION
Use an ORM or Database abstraction layer that provides escaping. Doctrine, Zend\Table, and CakePHP all do this.
Use PDO and prepared statements.
Never interpolate user data into a query.
Never use regular expressions, magic quotes, or addslashes().
EXAMPLE (PDO)
$query = "SELECT * FROM user WHERE username = ? AND password = ?";
$stmt = $db->prepare($query);
// Positional placeholders are bound by 1-based index; the values never touch the SQL text.
$stmt->bindValue(1, $username);
$stmt->bindValue(2, $password);
$stmt->execute();
$result = $stmt->fetchAll();
COMMAND INJECTION
$file = $_POST['file'];
$res = file_get_contents($file);
echo $res;
USER INPUT
$f = "../../../../../../etc/passwd";
PREVENTION
Escape and validate input.
Check for ..
Check for ;
Ensure the realpath resolves to a file that is allowed.
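The checks above combined into one read function, as an added example that is not from the talk; the base directory and the request handling around it are assumptions:

```php
<?php
// Added example, not from the talk: confine file reads to one directory.
// $baseDir is an assumed location for user-requestable files.
function readAllowedFile(string $baseDir, string $requested): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('Base directory does not exist');
    }
    // Cheap rejections before touching the filesystem: traversal segments,
    // command separators and NUL bytes have no business in a file name.
    if ($requested === '' || strpos($requested, '..') !== false
        || strpos($requested, ';') !== false || strpos($requested, "\0") !== false) {
        throw new InvalidArgumentException('Rejected file name');
    }
    // realpath() resolves symlinks and "." segments; the result must still
    // sit below $base, otherwise a symlink could point outside it.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('File is outside the allowed directory');
    }
    if (!is_file($full)) {
        throw new InvalidArgumentException('Not a regular file');
    }
    return file_get_contents($full);
}

// Usage with the same request value as the vulnerable snippet; the directory is assumed.
try {
    echo readAllowedFile('/var/www/app/files', isset($_POST['file']) ? (string) $_POST['file'] : '');
} catch (Exception $e) {
    http_response_code(400);
    echo 'Invalid file';
}
```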
2 BROKEN AUTHENTICATION & SESSION MANAGEMENT
/index.php?PHPSESSID=pwned
RISKS
Identity theft.
Firesheep was an excellent example.
SESSION FIXATION EXAMPLE
<?php
session_start();
// Any session id supplied in the URL is accepted, so an attacker can hand a victim a known id.
if (isset($_GET['sessionid'])) {
    session_id($_GET['sessionid']);
}
PREVENTION
Rotate session identifiers upon login/logout
Set the HttpOnly flag on session cookies.
Use well tested / mature libraries for authentication.
SSL is always a good idea.
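The rotation and cookie flags from this list in a login/logout handler, as an added example that is not from the talk; findUserByCredentials() is an assumed helper returning the user's id or null, and the array form of session_set_cookie_params() needs PHP 7.3+:

```php
<?php
// Added example, not from the talk: session cookie hardening plus id rotation
// on login and logout. findUserByCredentials() is an assumed helper.
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript, so XSS cannot lift it
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
ini_set('session.use_strict_mode', '1');  // refuse session ids the server never issued
session_start();

function login(string $username, string $password): bool
{
    $userId = findUserByCredentials($username, $password); // assumed helper
    if ($userId === null) {
        return false;
    }
    // Throw away the pre-login id: an id planted by an attacker (fixation)
    // no longer identifies the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true); // the old id is deleted server-side
    session_destroy();
}
```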
3 XSS
<script>alert('cross site scripting');</script>
RISKS
Allows bad guys to do things as the person viewing a page.
Steal identities, passwords, credit cards, hijack pages and more.
XSS EXAMPLE
<p><?php echo $user['bio']; ?></p>
I know, I can use regular expressions!
NO
PREVENTION
Regular expressions and strip_tags leave you vulnerable.
The only robust solution is output encoding.
EXAMPLE
<p><?php echo htmlentities($user['bio'], ENT_QUOTES, 'UTF-8'); ?></p>
DANGERS
Manually encoding is error prone, and you will make a mistake.
Using a template library like Twig that provides auto-escaping reduces the chances of screwing up.
Encoding is dependent on context.
4 INSECURE DIRECT OBJECT REFERENCE
RISKS
Bad guys can access information they shouldn't.
Bad guys can modify data they shouldn't.
BROKEN PASSWORD UPDATE
<form action="/user/update" method="post">
  <input type="hidden" name="userid" value="4654" />
  <input type="text" name="new_password" />
  <button type="submit">Save</button>
</form>
PREVENTION
Remember hidden inputs are not really hidden, and can be changed by users.
Validate access to all things, don’t depend on things being hidden/invisible.
If you need to refer to the current user, use session data not form inputs.
Whitelist properties any form can update.
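A password/profile update that follows these rules, as an added example that is not from the talk; $db is an assumed PDO connection and the "user" table and its columns are assumed names:

```php
<?php
// Added example, not from the talk: the user being updated comes from the
// session, and only whitelisted columns can be written. $db is an assumed
// PDO connection; table and column names are assumptions.
session_start();

function updateCurrentUser(PDO $db, array $post): bool
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        return false;
    }
    $userId = (int) $_SESSION['user_id']; // never $post['userid']

    // Whitelist of form fields a user may change, mapped to columns.
    $allowed = ['display_name' => 'display_name', 'email' => 'email'];
    $columns = [];
    foreach ($allowed as $field => $column) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $columns[$column] = $post[$field];
        }
    }
    if (isset($post['new_password']) && is_string($post['new_password'])) {
        $columns['password_hash'] = password_hash($post['new_password'], PASSWORD_DEFAULT);
    }
    if ($columns === []) {
        return false; // nothing permitted was sent (e.g. only "is_admin")
    }

    // Column names come from the whitelist and values are bound, so nothing
    // from the request reaches the SQL text.
    $set = [];
    foreach (array_keys($columns) as $column) {
        $set[] = "$column = :$column";
    }
    $stmt = $db->prepare('UPDATE user SET ' . implode(', ', $set) . ' WHERE id = :id');
    foreach ($columns as $column => $value) {
        $stmt->bindValue(":$column", $value);
    }
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    return $stmt->execute();
}
```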
5 SECURITY MISCONFIGURATION
RISKS
Default settings can be insecure, and intended for development not production.
Attackers can use misconfigured software to gain knowledge and access.
PREVENTION
Know the tools you use, and configure them correctly.
Keep up to date on vulnerabilities in the tools you use.
Remove/disable any services/features you aren’t using.
6 SENSITIVE DATA EXPOSURE
4012 8888 8888 1881
RISKS
Bad guys get credit cards, personal identification, passwords or health records.
Your company could be fined or worse.
ASSESSING RISK
Do you have sensitive data?
Is it in plaintext?
Any old/bad crypto in use?
Missing SSL?
Who can access sensitive data?
7 MISSING FUNCTION LEVEL ACCESS CONTROL
RISKS
Anyone on the internet can request things.
Missing access control could mean bad guys can do things they shouldn’t be able to.
PREVENTION
No simple solutions sadly.
Good automated tests help.
8 CROSS SITE REQUEST FORGERY (CSRF)
RISKS
Evil websites can perform actions for users logged into your site.
Side effects on GET can be performed via images or CSS files.
Remember the Gmail contact hack.
CSRF EXAMPLE
Your app / Evil site
1. Login (to your app)
2. Accidentally visit (the evil site)
3. Submit form for evil (the evil site posts to your app with the user's cookies)
PREVENTION
Add opaque expiring tokens to all forms.
Requests missing tokens or containing invalid tokens should be rejected.
SAMPLE CSRF VALIDATION
<?php
if (!$this->validCsrfToken($data, 'csrf')) {
    throw new ForbiddenException();
}
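Token issuing and a validCsrfToken() check that implements the opaque, expiring token rule, as an added example that is not from the talk; the session keys and the one-hour lifetime are assumptions:

```php
<?php
// Added example, not from the talk: issue a per-session CSRF token and check it
// on POST. Session key names and the lifetime are assumptions.
session_start();

function csrfToken(int $maxAge = 3600): string
{
    // Reissue when missing or older than $maxAge so tokens expire.
    if (empty($_SESSION['csrf']) || (time() - $_SESSION['csrf_issued']) > $maxAge) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // opaque and unguessable
        $_SESSION['csrf_issued'] = time();
    }
    return $_SESSION['csrf'];
}

function validCsrfToken(array $data, string $field, int $maxAge = 3600): bool
{
    if (empty($_SESSION['csrf']) || empty($data[$field]) || !is_string($data[$field])) {
        return false; // missing token
    }
    if ((time() - $_SESSION['csrf_issued']) > $maxAge) {
        return false; // expired token
    }
    // Constant-time compare so the token cannot be recovered byte by byte.
    return hash_equals($_SESSION['csrf'], $data[$field]);
}

// In the form template:
printf('<input type="hidden" name="csrf" value="%s" />',
    htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8'));

// In the POST handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !validCsrfToken($_POST, 'csrf')) {
    http_response_code(403);
    exit('Forbidden');
}
```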
9 USING COMPONENTS WITH KNOWN VULNERABILITIES
CVE bingo
RISK
Using old busted software can expose you to documented issues.
CVE databases are filled with version numbers and matching exploits.
PREVENTION
Do routine upgrades. Keep up to date with all your software.
Read mailing lists and keep an eye out for security releases.
PREVENTION
There are several vulnerability databases around, for example:
https://cve.mitre.org/cve/
10 UNVALIDATED REDIRECTS & FORWARDS
RISKS
Trusting user input for redirects opens phishing attacks.
Breach of trust with your users.
PREVENTION
Don’t trust user data when handling redirects.
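One way to apply this rule, as an added example that is not from the talk: accept the requested target only if it is a local path or an absolute URL on a host you list, and fall back otherwise. The "next" parameter name and the host list are assumptions.

```php
<?php
// Added example, not from the talk: redirect only to local paths or whitelisted hosts.
function safeRedirectTarget(string $target, array $allowedHosts, string $fallback = '/'): string
{
    // Local path: exactly one leading "/". "//evil.example" is protocol-relative and
    // some browsers treat "/\evil.example" the same way, so reject both.
    if ($target !== '' && $target[0] === '/' && !preg_match('#^/[/\\\\]#', $target)) {
        return $target;
    }
    // Absolute URL: scheme must be http(s) and the host must be on the whitelist.
    $parts = parse_url($target);
    if ($parts !== false
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $target;
    }
    return $fallback; // anything else goes to a known-safe page
}

// Usage: "next" is an assumed query parameter; the host list is an assumption.
$next = isset($_GET['next']) ? (string) $_GET['next'] : '';
header('Location: ' . safeRedirectTarget($next, ['www.example.com']), true, 302);
exit;
```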
THANK YOU