markstory
AVOIDING THE OWASP Top 10 security exploits
Friday, 2 November, 12
ME
Illustrator turned developer
Team Lead at FreshBooks
Lead developer of CakePHP
PHP developer for 7 years
SECURITY
SECURITY CONTINUUM
unusable <---> unrestricted
OWASP
Open Web Application Security Project
OWASP TOP 10
1 SQL INJECTION
' OR 1=1 '--
RISKS
Permits query manipulation, and arbitrary SQL.
Bad guys can re-write your queries.
SQL INJECTION EXAMPLE
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
$user = $db->query($query);
USER INPUT
$username = "root";
$password = "' OR 1 = 1 --";
FINAL QUERY
$query = "SELECT * FROM user WHERE username = 'root' AND password = '' OR 1 = 1 --'";
PREVENTION
Use an ORM or Database abstraction layer that provides escaping. Doctrine, Zend\Table, and CakePHP all do this.
Use PDO and prepared statements.
Never put user data into a query.
Never use regular expressions, magic quotes, or addslashes().
EXAMPLE (PDO)
$query = "SELECT * FROM user WHERE username = ? AND password = ?";
$stmt = $db->prepare($query);
$stmt->bindValue(1, $username);   // positional placeholders are 1-indexed
$stmt->bindValue(2, $password);
$stmt->execute();                 // execute on the statement, not the connection
$result = $stmt->fetchAll();
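As an added example that is not part of the slides, the login query above run both ways against an in-memory SQLite table with the input from the USER INPUT slide; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: the slide's login query run by string interpolation and
// as a PDO prepared statement against the same in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data. (A real table holds a bcrypt hash, not the
// password; the plaintext column only mirrors the slide's query.)
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO user (username, password) VALUES ('root', 'correct horse')");

// The input from the USER INPUT slide.
$username = 'root';
$password = "' OR 1 = 1 --";

// Vulnerable: the values become part of the SQL text, so the quote closes
// the string, OR 1 = 1 makes the WHERE clause always true, and -- hides
// the rest of the query (this is the FINAL QUERY slide).
function findUserInterpolated(PDO $db, $username, $password) {
    $query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
    return $db->query($query)->fetch(PDO::FETCH_ASSOC);
}

// Safe: placeholders are sent to the database separately from the values,
// so the same input is compared as a literal string and matches nothing.
function findUserPrepared(PDO $db, $username, $password) {
    $stmt = $db->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
    $stmt->bindValue(1, $username);
    $stmt->bindValue(2, $password);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

foreach (array('findUserInterpolated', 'findUserPrepared') as $fn) {
    $row = $fn($db, $username, $password);
    printf("%-22s %s\n", $fn . ':', $row ? 'logged in as ' . $row['username'] : 'rejected');
}
```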
2 XSS
<script>alert('cross site scripting');</script>
RISKS
Allows bad guys to do things as the person viewing a page.
Steal identities, passwords, credit cards, hijack pages and more.
XSS EXAMPLE
<p><?php echo $user['bio']; ?></p>
You may be thinking, I can use regular expressions to fix this.
NO
PREVENTION
Regular expressions and strip_tags leave you vulnerable.
The only solution is output encoding.
EXAMPLE
<p><?php echo htmlentities($user['bio'], ENT_QUOTES, 'UTF-8'); ?></p>
DANGERS
Manually encoding is error prone, and you will make a mistake.
Using a template library like Twig that provides auto-escaping reduces the chances of screwing up.
Encoding is dependent on context.
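As an added example (not from the slides) of why encoding depends on context, the same untrusted bio value rendered in four output contexts, each with the encoder that context needs; the helper names h(), js() and u() are chosen here, not taken from any library.

```php
<?php
// Added example: one untrusted value, four output contexts, four encoders.

// Constructed sample input, reusing the payload from the XSS slide.
$bio = "<script>alert('cross site scripting');</script> & \"Tom\" <b>";

// HTML body text and quoted attribute values: ENT_QUOTES encodes both
// quote styles as well as < > &, so the value is displayed, not parsed.
function h($value) {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Inside a <script> block: emit a JSON literal. The HEX flags turn < > & ' "
// into \uXXXX escapes, so a "</script>" in the data cannot end the block.
function js($value) {
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A single value inside a URL query string: percent-encode it. The href
// attribute around it is still HTML, so it gets h() as well.
function u($value) {
    return rawurlencode($value);
}

// strip_tags is not encoding: quotes and ampersands survive it, and it only
// removes what it recognises as a tag.
$stripped = strip_tags($bio);
?>
<p><?php echo h($bio); ?></p>
<input type="text" name="bio" value="<?php echo h($bio); ?>" />
<a href="<?php echo h('/search?q=' . u($bio)); ?>">search</a>
<script>var bio = <?php echo js($bio); ?>;</script>
<pre>strip_tags left behind: <?php echo h($stripped); ?></pre>
```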
3 BROKEN AUTHENTICATION & SESSION MANAGEMENT
/index.php?PHPSESSID=pwned
RISKS
Identity theft.
Firesheep was an excellent example.
SESSION FIXATION EXAMPLE
<?php
// Vulnerable: whatever id arrives in the URL becomes the session id.
// session_id() only takes effect when called before session_start().
if (isset($_GET['sessionid'])) {
    session_id($_GET['sessionid']);
}
session_start();
PREVENTION
Rotate session identifiers upon login/logout
Set the HttpOnly flag on session cookies.
Use well tested / mature libraries for authentication.
SSL is always a good idea.
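An added example (not from the slides) that applies the four points above with plain PHP sessions; the credential check itself belongs to the application and is only marked where it would go.

```php
<?php
// Added example: session handling that applies the prevention list above.

function startSecureSession() {
    // Take the session id from the cookie only, never from the URL, which
    // removes the ?PHPSESSID=pwned vector from the section slide.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse ids this server never issued (PHP >= 5.5.2), so a planted id
    // is discarded instead of adopted.
    ini_set('session.use_strict_mode', '1');

    // Cookie flags: secure sends the cookie over HTTPS only; httponly keeps
    // it out of document.cookie, so a stray XSS cannot read the id.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();
}

// Call only after the credentials have been verified. Issuing a new id
// here means any id the browser held before login is worthless afterwards.
function loginUser($userId) {
    session_regenerate_id(true);        // true: discard the old session data
    $_SESSION['user_id'] = (int) $userId;
    $_SESSION['login_time'] = time();
}

// Logout: drop the data, rotate once more, then destroy the session.
function logoutUser() {
    $_SESSION = array();
    session_regenerate_id(true);
    session_destroy();
}

startSecureSession();
// ... verify username/password against the stored bcrypt hash (slide 7) ...
// loginUser($verifiedUserId);
```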
4 INSECURE DIRECT OBJECT REFERENCE
RISKS
Bad guys can access information they shouldn't.
Bad guys can modify data they shouldn’t.
BROKEN PASSWORD UPDATE
<form action="/user/update" method="post">
  <input type="hidden" name="userid" value="4654" />
  <input type="text" name="new_password" />
  <button type="submit">Save</button>
</form>
PREVENTION
Remember hidden inputs are not really hidden, and can be changed by users.
Validate access to all things, don’t depend on things being hidden/invisible.
If you need to refer to the current user, use session data not form inputs.
Whitelist properties any form can update.
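An added example (not from the slides) of the /user/update handler rewritten along the lines above: the hidden userid is ignored, identity comes from the session, and updatable columns are whitelisted. $db is assumed to be a PDO connection; the table and request are constructed for the demo.

```php
<?php
// Added example: the /user/update handler written so the hidden "userid"
// input is never consulted. $db is a PDO connection; the table and the
// request below are constructed for the demo.

function updateCurrentUser(PDO $db, array $post) {
    // 1. Identity comes from the session, never from the form.
    if (empty($_SESSION['user_id'])) {
        return false;                           // not logged in
    }
    $userId = (int) $_SESSION['user_id'];

    // 2. Whitelist the columns this form may write. Anything else the
    //    client sends (userid, is_admin, ...) is dropped here.
    $allowed = array('display_name', 'email', 'timezone');
    $fields = array_intersect_key($post, array_flip($allowed));
    if (empty($fields)) {
        return false;                           // nothing permitted to update
    }

    // 3. Column names come only from the whitelist; values are bound.
    $sets = array();
    foreach (array_keys($fields) as $column) {
        $sets[] = "$column = :$column";
    }
    $stmt = $db->prepare('UPDATE user SET ' . implode(', ', $sets) . ' WHERE id = :id');
    foreach ($fields as $column => $value) {
        $stmt->bindValue(':' . $column, $value);
    }
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Constructed demo: user 7 is logged in and submits a form that also
// carries another user's id and an is_admin flag.
session_start();
$_SESSION['user_id'] = 7;
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, display_name TEXT, email TEXT, timezone TEXT, is_admin INTEGER DEFAULT 0)');
$db->exec("INSERT INTO user (id, display_name) VALUES (7, 'alice'), (4654, 'other user')");
updateCurrentUser($db, array('userid' => '4654', 'is_admin' => '1', 'display_name' => 'Alice'));
foreach ($db->query('SELECT id, display_name, is_admin FROM user ORDER BY id', PDO::FETCH_ASSOC) as $row) {
    echo implode(' | ', $row), "\n";          // row 7 changes; row 4654 and is_admin do not
}
```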
5 CROSS SITE REQUEST FORGERY (CSRF)
RISKS
Evil websites can perform actions for users logged into your site.
Side effects on GET can be performed via images or CSS files.
Remember the Gmail contact hack.
CSRF EXAMPLE
Your app <-> Evil site
1. Login
2. Accidentally visit
3. Submit form for evil
PREVENTION
Add opaque expiring tokens to all forms.
Requests missing tokens or containing invalid tokens should be rejected.
SAMPLE CSRF VALIDATION
<?php
if (!$this->validCsrfToken($data, 'csrf')) {
    throw new ForbiddenException();
}
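One way to implement the validCsrfToken() check above with plain PHP sessions, as an added example that is not the framework's own code: the token is random and opaque, stored server-side, expires, and is compared in constant time. It assumes PHP 7 for random_bytes().

```php
<?php
// Added example: a plain-PHP implementation of the validCsrfToken() check
// above. The token is random, lives in the session, expires, and is
// compared in constant time. Requires PHP >= 7.0 for random_bytes().

define('CSRF_TTL', 3600);   // seconds a token stays valid

// Return the session's token, creating a new one when missing or expired.
function csrfToken() {
    if (empty($_SESSION['csrf']) || $_SESSION['csrf']['expires'] < time()) {
        $_SESSION['csrf'] = array(
            'value'   => bin2hex(random_bytes(32)),   // opaque: carries no meaning
            'expires' => time() + CSRF_TTL,
        );
    }
    return $_SESSION['csrf']['value'];
}

// Validate the token that came back with a state-changing request.
function validCsrfToken(array $data, $field = 'csrf') {
    if (empty($_SESSION['csrf']) || empty($data[$field]) || !is_string($data[$field])) {
        return false;                         // missing token: reject
    }
    if ($_SESSION['csrf']['expires'] < time()) {
        unset($_SESSION['csrf']);             // expired token: reject, reissue on next render
        return false;
    }
    // hash_equals stops the token leaking byte by byte through timing differences.
    return hash_equals($_SESSION['csrf']['value'], $data[$field]);
}

// The hidden field every form must carry.
function csrfField() {
    return '<input type="hidden" name="csrf" value="' . htmlentities(csrfToken(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed demo: a genuine submission, a forged value, and a missing token.
session_start();
echo csrfField(), "\n";
var_dump(validCsrfToken(array('csrf' => csrfToken())));
var_dump(validCsrfToken(array('csrf' => str_repeat('0', 64))));
var_dump(validCsrfToken(array()));
```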
6 SECURITY MISCONFIGURATION
RISKS
Default settings can be insecure, and intended for development not production.
Attackers can use misconfigured software to gain knowledge and access.
PREVENTION
Know the tools you use, and configure them correctly.
Keep up to date on vulnerabilities in the tools you use.
Remove/disable any services/features you aren’t using.
7 INSECURE CRYPTOGRAPHIC STORAGE
md5('password')
RISKS
Weak cryptographic storage can easily be cracked.
Keys can be exposed with encrypted data.
Backups can contain encrypted data & keys.
Compromised passwords can be used to obtain information on other sites.
BAD PASSWORD HASHING
$password;          // stored as plaintext
md5($password);     // unsalted and fast: trivially brute-forced or looked up in precomputed tables
sha1($password);    // same problem; a stronger digest does not make a password hash
USE BCRYPT FOR PASSWORDS
only you can prevent bad hashing
PREVENTION
Use strong hashing/encryption.
Use one way hashing for passwords. Never use symmetric encryption for passwords.
Don’t collect data if you don’t need it.
Keep keys separate from data.
If you’re using symmetric encryption, be able to rotate keys easily.
BCRYPT IN PHP
// password hashing (bcrypt): "$2a$10$" selects bcrypt at cost 10 and the
// 22 characters after it are the salt. The salt literal here is the slide's
// example value; in practice generate a fresh random salt for every password.
$hashed = crypt($pass, '$2a$10$asdkbisloqi.fidsliz.df190.d9f40');
// compare later: passing the stored hash as the salt parameter makes crypt()
// reuse its algorithm, cost and salt
$hashed = crypt($plaintext, $storedHash);
// check for match
$hashed === $storedHash
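An added example (not from the slides) of the same bcrypt workflow with the password_* functions added in PHP 5.5, which removes two weak points of the crypt() snippet: the salt is generated per password rather than fixed, and the comparison is constant time rather than ===.

```php
<?php
// Added example: bcrypt via password_hash()/password_verify() (PHP >= 5.5).

const BCRYPT_COST = 12;   // roughly 2^12 rounds; raise as hardware gets faster

// Signup or password change: returns the string to store in the database.
// password_hash() generates a random 22-character salt each call.
function hashPassword($plaintext) {
    return password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

// Login: returns true on a match. When the stored hash uses an older cost,
// $rehash receives a fresh hash to write back, so old hashes are upgraded
// transparently the next time the user logs in.
function verifyPassword($plaintext, $storedHash, &$rehash = null) {
    $rehash = null;
    if (!password_verify($plaintext, $storedHash)) {   // constant-time compare inside
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $rehash = hashPassword($plaintext);
    }
    return true;
}

// Constructed demo.
$stored = hashPassword('correct horse battery staple');
echo $stored, "\n";   // "$2y$12$" + salt + hash; differs on every run
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('Tr0ub4dor&3', $stored));

// A hash made the old way with crypt() at cost 10 is still accepted, and
// comes back flagged for rehash.
$salt   = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$legacy = crypt('correct horse battery staple', '$2y$10$' . $salt);
var_dump(verifyPassword('correct horse battery staple', $legacy, $newHash));
echo $newHash === null ? "no rehash needed\n" : "upgraded to: $newHash\n";
```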
USE MCRYPT
// encrypt (rijndael). Note: the mcrypt extension was deprecated in PHP 7.1
// and removed in 7.2. In CBC mode $iv must be random for every message and
// stored alongside the ciphertext.
$value = mcrypt_encrypt('rijndael-256', $secretKey, $ccnumber, 'cbc', $iv);
// decrypt
$value = mcrypt_decrypt('rijndael-256', $secretKey, $encrypted, 'cbc', $iv);
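An added example (not from the slides) that carries the "keep keys separate from data" and "be able to rotate keys" points into code: the card-number encryption redone with OpenSSL instead of mcrypt, using AES-256-GCM with a key id in every ciphertext so rows can be moved to a new key one at a time. The key ring is a constructed stand-in for a secrets store; PHP 7.1 or later is assumed.

```php
<?php
// Added example: the card-number encryption above redone with OpenSSL
// (mcrypt was removed in PHP 7.2) and AES-256-GCM, which also authenticates
// the ciphertext. Every ciphertext records the id of the key that made it,
// so keys can be rotated row by row. Requires PHP >= 7.1.

// Constructed key ring: id => 32-byte key. Real keys come from a secrets
// store or the environment, never from the database that holds the data.
$keyRing = array(
    'k1' => random_bytes(32),   // retired key, kept only to read old rows
    'k2' => random_bytes(32),   // current key, used for every new write
);
$currentKeyId = 'k2';

// Envelope: "<keyId>:" . base64(iv . tag . ciphertext)
function encryptValue($plaintext, array $keyRing, $keyId) {
    $iv  = random_bytes(12);                          // fresh nonce per message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $keyRing[$keyId], OPENSSL_RAW_DATA, $iv, $tag, $keyId);
    return $keyId . ':' . base64_encode($iv . $tag . $ct);
}

function decryptValue($envelope, array $keyRing) {
    list($keyId, $blob) = explode(':', $envelope, 2) + array(null, null);
    $raw = isset($keyRing[$keyId]) ? base64_decode($blob, true) : false;
    if ($raw === false || strlen($raw) < 28) {
        return false;                                 // unknown key id or malformed blob
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    // The key id is additional authenticated data, so a swapped id fails too.
    return openssl_decrypt($ct, 'aes-256-gcm', $keyRing[$keyId], OPENSSL_RAW_DATA, $iv, $tag, $keyId);
}

// Rotation: re-wrap anything still under an old key with the current one.
function rotateEnvelope($envelope, array $keyRing, $currentKeyId) {
    if (strpos($envelope, $currentKeyId . ':') === 0) {
        return $envelope;                             // already current
    }
    $plain = decryptValue($envelope, $keyRing);
    return $plain === false ? false : encryptValue($plain, $keyRing, $currentKeyId);
}

$old = encryptValue('4111 1111 1111 1111', $keyRing, 'k1');   // constructed test number
$new = rotateEnvelope($old, $keyRing, $currentKeyId);
echo substr($old, 0, 2), ' -> ', substr($new, 0, 2), ': ', decryptValue($new, $keyRing), "\n";
```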
8 FAILURE TO RESTRICT URL ACCESS
RISK
Hidden things can easily be found.
Creative people will eventually find your hidden URLs.
Security through obscurity is a terrible idea.
PREVENTION
Check access to all URLs, both when you generate links and, more importantly, when handling requests.
Don’t rely on things staying hidden.
9 INSUFFICIENT TRANSPORT LAYER PROTECTION
SSL/TLS
10 UNVALIDATED REDIRECTS & FORWARDS
RISKS
Trusting user input for redirects opens phishing attacks.
Breach of trust with your users.
PREVENTION
Don’t trust user data when handling redirects.
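An added example (not from the slides) of what "don't trust user data" looks like for a redirect: a helper that only honours a next-URL parameter when it is an absolute path on this site and otherwise falls back to a fixed default. The function name and parameter name are chosen here.

```php
<?php
// Added example: only follow a "next" parameter that resolves to a path on
// this site; everything else falls back to a fixed default.

function safeRedirectTarget($candidate, $default = '/') {
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    // Anything with a scheme ("http:", "data:", ...) or that browsers treat
    // as protocol-relative ("//host", "\\host") leaves the site: reject.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate) || preg_match('#^[/\\\\]{2}#', $candidate)) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    // Must be an absolute path on this site and contain no control characters.
    if (!isset($parts['path']) || $parts['path'][0] !== '/' || preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
        return $default;
    }
    return $candidate;
}

// Constructed inputs: the first two pass through, the rest fall back to "/".
$samples = array('/account', '/search?q=cake#top', 'http://evil.example/', '//evil.example', '\\\\evil.example', 'account');
foreach ($samples as $next) {
    printf("%-24s -> %s\n", var_export($next, true), safeRedirectTarget($next));
}
// In a handler:  header('Location: ' . safeRedirectTarget(isset($_GET['next']) ? $_GET['next'] : null)); exit;
```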
QUESTIONS?