Vulnerable Active Record: A tale of SQL Injection in PHP Framework

Pichaya Morimoto
[email protected]
linkedin.com/in/pich4ya

Thailand PHP User Group Meetup
January 28, 2015

Overview

★ What is Active Record ?
★ Secure by Design ?
★ Case Studies
★ Exploitation
★ Input Validation
★ Defence-in-Depth
★ Conclusion

What is Active Record ?

The active record pattern is an approach to accessing data in a database. A database table or view is wrapped into a class, so an object instance is tied to a row (or rows) in the table.

PHP frameworks bundle their own ORM implementing the active record pattern, for example Laravel (Eloquent), CakePHP, Symfony (Doctrine), CodeIgniter and Yii.

// CodeIgniter-style query builder: each call adds one part of the SELECT
$query = $this->db->select('title, content, date'); // columns to return
$query->from('table1');                              // table to read from
$query->where('id', $id);                            // WHERE id = <escaped $id>
$result = $query->get();                             // compile and run the query

Source: https://en.wikipedia.org/wiki/Active_record_pattern

Secure by Design ?

That’s Magic !

Case Study #1

Get rows from table 'news' and order them by the user-supplied input 'sort'

PHP Framework: CodeIgniter 2.2

Hacker is here, where is SQLi ?

SQLMap == Failed
Acunetix == Failed
Havij == Failed
' or '1'='1 , union all select blah blah blah == Failed

SQL Injection Pwnage

Pwned !

What if the error message is turned off? Is it still vulnerable?

Ads: http://slideshare.net/pichayaa/sql-injection-owaspthailand

Stand back I know secure coding!

No more SQL Injection with Type Validation !

Case Study #2

Secure Coding !!

Keep calm and Think Again

Numeric = [Integer, Double, Hex, ...]

The id value above is the hex encoding of “1 and 1>2 union select CHAR(32,58,32),user(),database(),version(),concat_ws(0x3a,username,password) from ci220news_db”, and the data field is of varchar type ***
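The slide's point is that a "numeric" check is wider than an "integer" check: on PHP 5.x, is_numeric() also accepts hexadecimal strings such as "0x1A" (PHP 7 removed that), and it accepts floats, exponent notation and leading whitespace on every version. The example below is added here and is not code from the slides or from CodeIgniter; it contrasts is_numeric() with a strict integer validator and then binds the validated value as an integer parameter. The PDO connection `$pdo` and the table name `news` are assumptions.

```php
<?php
// Added example: "numeric" is not "integer". Shows what is_numeric() lets
// through and a strict validator suitable for an id parameter.

// Loose check: on PHP 5.x this also returns true for hex strings ("0x31"),
// and on every version for "1.0", "1e3" and " 1".
function looks_numeric(string $value): bool
{
    return is_numeric($value);
}

// Strict check: optional leading minus, then 1-10 decimal digits, nothing
// else, and within the range of a MySQL INT. Hex, floats, exponents,
// whitespace and SQL fragments are all rejected (null).
function strict_int(string $value): ?int
{
    if (preg_match('/^-?[0-9]{1,10}$/', $value) !== 1) {
        return null;
    }
    $int = (int) $value;
    if ($int < -2147483648 || $int > 2147483647) {
        return null; // would overflow the INT column
    }
    return $int;
}

// Constructed sample inputs (not from the slides).
$samples = [
    '1',          // valid id
    '1.0',        // float: is_numeric true, strict_int null
    '1e3',        // exponent: is_numeric true, strict_int null
    ' 1',         // leading space: is_numeric true, strict_int null
    '0x31',       // hex: is_numeric true on PHP 5.x, strict_int null
    '1 and 1>2',  // SQL fragment: both reject
];
foreach ($samples as $s) {
    printf("%-12s is_numeric=%-5s strict_int=%s\n",
        var_export($s, true),
        looks_numeric($s) ? 'true' : 'false',
        var_export(strict_int($s), true));
}

// Use the validated integer as a bound parameter. $pdo is an assumed,
// already opened PDO connection to MySQL; 'news' is the assumed table.
function fetch_news(PDO $pdo, string $rawId): ?array
{
    $id = strict_int($rawId);
    if ($id === null) {
        return null; // reject the request (and log it) instead of querying
    }
    $stmt = $pdo->prepare('SELECT title, content, date FROM news WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Even if the framework escapes the value, validating the id as an integer before it reaches the query builder removes the whole class of "numeric but not a number" inputs shown on the slide; binding it with PDO::PARAM_INT then makes the database treat it as data regardless of its textual form.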

OWASP Proactive Controls

A list of security techniques that should be included in every software development project.

★ Parameterize Queries
★ Implement Logging, Error Handling and Intrusion Detection
★ Leverage Security Features of Frameworks and Security Libraries

and more: https://www.owasp.org/index.php/OWASP_Proactive_Controls

ProTip: in PHP you cannot parameterize the ORDER BY clause ;) because it isn't data, it is a column name!
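Because a column name cannot be a bound parameter, the usual defence for the Case Study #1 situation (sorting 'news' by a user-supplied 'sort') is an allow-list: map the sort keys the client may send to fixed column identifiers and refuse everything else. The example below is added here and is not code from the slides or from CodeIgniter; `$pdo`, the table `news` and its columns are assumptions.

```php
<?php
// Added example: allow-list the structural part of the query (ORDER BY)
// and bind the data part (LIMIT) as a parameter.

// Sort keys as the client may send them => exact column identifier to emit.
// No user-supplied text is ever concatenated into the ORDER BY clause.
const NEWS_SORT_COLUMNS = [
    'date'  => '`date`',
    'title' => '`title`',
    'id'    => '`id`',
];
const SORT_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

// Returns the ORDER BY fragment for a known key/direction, or throws.
function build_order_by(?string $sort, ?string $dir): string
{
    $column    = NEWS_SORT_COLUMNS[$sort ?? 'date'] ?? null;
    $direction = SORT_DIRECTIONS[strtolower($dir ?? 'desc')] ?? null;
    if ($column === null || $direction === null) {
        throw new InvalidArgumentException('unknown sort column or direction');
    }
    return "ORDER BY $column $direction";
}

// Structural part from the allow-list, data part as a bound parameter.
function list_news(PDO $pdo, ?string $sort, ?string $dir, int $limit = 20): array
{
    $sql = 'SELECT title, content, date FROM news '
         . build_order_by($sort, $dir)
         . ' LIMIT ?';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(1, $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample sort keys (not from the slides): only the first two
// are accepted; an unknown column and a smuggled direction are refused.
foreach (['date', 'title', 'views', 'title desc'] as $key) {
    try {
        printf("%-12s -> %s\n", var_export($key, true), build_order_by($key, 'asc'));
    } catch (InvalidArgumentException $e) {
        printf("%-12s -> rejected (%s)\n", var_export($key, true), $e->getMessage());
    }
}
```

The same allow-list works in front of a query builder: pass only the mapped column and direction to CodeIgniter's `order_by($column, $direction)` rather than the raw request value, so the builder's identifier escaping is a second layer instead of the only one.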

Defence-in-Depth

A layered approach to security can be implemented at any level of a complete information security strategy.

★ Secure Coding in software requirements
★ OS Hardening, reduce attack surface
★ Perimeter Security (Network Firewall, IPS/IDS)
★ Centralized Log Server / SIEM
★ Patch / Vulnerability Management System
★ Incident Response Plans
★ Web Application Firewall

Source: http://techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/

Security Today !== Security Tomorrow

Conclusion

http://framework.zend.com/security/advisory/ZF2014-04
http://bakery.cakephp.org/articles/markstory/2013/04/28/security_release_-_cakephp_1_2_12_1_3_16_2_2_8_and_2_3_4