OWASP Top 10 at International PHP Conference 2014 in Berlin

Post on 15-Jun-2015


Category:

Software



DESCRIPTION

With the latest XSS and CSRF attacks on Twitter, PayPal and Facebook, security is obviously still a very difficult thing to get right. Every 3 years, the Open Web Application Security Project (OWASP) releases a new Top 10 list of vulnerabilities; this talk will walk you through the 2013 list. I'll present the possible attack scenarios and how you can protect against them. In addition, we'll look at more security issues which are not part of the Top 10 but that you should definitely keep in mind.

Transcript

Tobias Zander | @airbone42

OWASP Top 10

Current state of security

Open Web Application Security Project

The Top 10 Most Critical Web Application Security Risks

Not just vulnerabilities

http://xkcd.com/327/

Don't try this at home!

http://funfive.net/drop-database-license-plate/2670.html

Prepared Statements

    $stmt = $mysqli->prepare(
        'UPDATE users
         SET email = ?
         WHERE id = 123'
    );
    $stmt->bind_param(
        's',
        $email
    );

DBA

    $q = Doctrine_Query::create()
        ->update('Account')
        ->set('email', 'foo@bar.de')
        ->where(
            'username LIKE ?',
            $username
        );

    // The parameter is bound safely, but LIKE still interprets wildcards:
    // this value updates every account whose username starts with "A".
    $username = 'A%';

Time-based

    SELECT IF(
        SUBSTRING(user_password, 1, 1) = CHAR(65),
        BENCHMARK(5000000, ENCODE('foo', 'bar')),
        null
    )
    FROM users
    WHERE user_id = 1;

Injection

• Use prepared statements

• Or stored procedures

• Check for wildcards

www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
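The three bullets above, worked through in code. This is an added example, not code from the slides: it uses PDO with an in-memory SQLite database so it runs stand-alone, and the table, rows, function names and attacker-style inputs are all constructed for the example. The UPDATE is the slide's query with the id bound as well; the LIKE lookup shows what "check for wildcards" means in practice.

```php
<?php
// Added example, not from the slides: parameterised queries plus LIKE-wildcard
// escaping. In-memory SQLite via PDO; the table and rows are constructed data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES
            ('alice',  'alice@example.org'),
            ('A%dmin', 'admin@example.org'),
            ('bob',    'bob@example.org')");

// Escape the LIKE metacharacters so user input is matched literally.
// The escape character itself has to be escaped first.
function escapeLike(string $value, string $escape = '\\'): string
{
    return str_replace(
        [$escape,           '%',           '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// The slide's UPDATE, with the id bound as a parameter too. Whatever the
// caller passes is sent as data and is never parsed as SQL.
function updateEmail(PDO $pdo, int $id, string $email): int
{
    $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$email, $id]);
    return $stmt->rowCount();
}

// Lookup by username with LIKE. Without escapeLike() an input of 'A%' matches
// every username starting with "A"; with it, only the literal string "A%".
function findUsernames(PDO $pdo, string $username, bool $escape = true): array
{
    $pattern = $escape ? escapeLike($username) : $username;
    // SQLite syntax; the ESCAPE clause names the escape character used above.
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'");
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: an e-mail containing SQL syntax, and a wildcard "username".
updateEmail($pdo, 1, "alice'); DROP TABLE users; --@example.org");
var_dump($pdo->query('SELECT email FROM users WHERE id = 1')->fetchColumn());
// The whole literal is stored as the e-mail; the table still exists.

var_dump(findUsernames($pdo, 'A%', false)); // wildcard honoured: "alice" and "A%dmin"
var_dump(findUsernames($pdo, 'A%'));        // matched literally: nothing
var_dump(findUsernames($pdo, 'A%dmin'));    // matched literally: "A%dmin"
```

Binding parameters stops the injection, but it does not change what LIKE does with `%` and `_`; those have to be escaped separately whenever user input is used as a pattern. On MySQL the same `escapeLike()` works because backslash is already MySQL's default LIKE escape character.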

eBay

https://twitter.com/kennwhite/status/470545973547397120/photo/1/large

Online banking newsletter

Should your password contain special characters, we ask you to change your password. Due to the technical changeover to the new online banking, only passwords that use certain permitted special characters will be accepted. The permitted special characters in a password are: # ? * + - .

Broken Authentication

• Don't limit password strength

• Force long and complex passwords

• Check error messages

• Prevent brute-force-attacks

www.owasp.org/index.php/Authentication_Cheat_Sheet

Session Hijacking

(diagram: Mr. Evil obtains the victim's Session ID "abcde")

Session Fixation

(diagram: Mr. Evil sends the victim a link carrying a predefined Session ID)

Broken Session Management

    session.use_trans_sid = Off
    session.use_only_cookies = On
    session.cookie_secure = On
    session.cookie_httponly = On
    session.hash_function = sha512

Broken Session Management

• Don't expose session IDs

• Consider binding sessions to an IP

• Reduce session lifetime

• Regenerate session IDs

www.owasp.org/index.php/Session_Management_Cheat_Sheet
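The settings and bullets above, applied from code. This is an added example, not from the slides: the function names are this example's own, the idle timeout and IP binding are assumptions about policy, and it assumes PHP 7 or later and a site served over TLS (otherwise `cookie_secure` would lock everyone out).

```php
<?php
// Added example, not from the slides: session start routine that applies the
// slide's php.ini settings at runtime, expires idle sessions, optionally binds
// the session to the client IP, and rotates the id on login. PHP 7+.

function secureSessionStart(int $idleTimeoutSeconds = 900): void
{
    // Same settings as the slide, applied in code so a stray php.ini cannot undo them.
    ini_set('session.use_trans_sid', '0');    // never put the id in URLs
    ini_set('session.use_only_cookies', '1'); // ignore ids from the query string
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued (fixation)
    ini_set('session.cookie_httponly', '1');  // unreadable from JavaScript
    ini_set('session.cookie_secure', '1');    // assumes TLS everywhere
    ini_set('session.cookie_lifetime', '0');  // browser-session cookie
    ini_set('session.gc_maxlifetime', (string) $idleTimeoutSeconds);

    session_start();

    $now = time();
    $idle = isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > $idleTimeoutSeconds;

    // IP binding as the slide suggests. Policy choice: users behind changing
    // proxies or on mobile networks will be logged out when their address moves.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    $moved = isset($_SESSION['bound_ip']) && $_SESSION['bound_ip'] !== $ip;

    if ($idle || $moved) {
        // Drop the old data and issue a fresh id; the old id stops working.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
    $_SESSION['bound_ip']  = $ip;
}

// Call right after the credentials have been verified: a fresh id invalidates
// any value an attacker planted before login and caps the life of a leaked one.
function promoteSessionAfterLogin(int $userId): void
{
    session_regenerate_id(true); // true = remove the old session data
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}
```

`secureSessionStart()` belongs at the top of every request, before any output; `promoteSessionAfterLogin()` is the "regenerate session IDs" bullet and covers session fixation even on PHP versions without `session.use_strict_mode`.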

XSS

    echo '<input
        type="text"
        name="foo"
        value="' .
        htmlspecialchars(
            $string,
            ENT_QUOTES |
            ENT_SUBSTITUTE |
            ENT_DISALLOWED,
            'UTF-8'
        ) .
        '">';

XSS

    $value = '</script>';

    // json_encode() escapes the slash, so this prints "<\/script>" and
    // cannot terminate an inline <script> element.
    echo json_encode($value);

XSS

• Escape output by context

– htmlspecialchars

– json_encode

– …

• Content-Security-Policy

• X-XSS-Protection

• Template engine
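"Escape output by context" spelled out: one helper per context, plus the two headers from the list. This is an added example, not from the slides; the helper names are this example's own, and the CSP shown is one reasonable policy, not the only one. The attacker-style input at the end is constructed.

```php
<?php
// Added example, not from the slides: one escaping helper per output context,
// plus the Content-Security-Policy and X-XSS-Protection headers the slide lists.

// HTML body text and double-quoted attribute values.
function eHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8');
}

// Data embedded in an inline <script>. json_encode() escapes "/" by default,
// and the JSON_HEX_* flags turn < > & ' " into \uXXXX, so neither "</script>"
// nor a quote can break out of the literal or the script element.
function eJs($value): string
{
    return (string) json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// A single value inside a query string (not a whole URL).
function eUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Whole URLs in href/src: only http(s) is allowed, so "javascript:" and
// "data:" schemes are refused, then the result is HTML-escaped as an attribute.
function eHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return eHtml($url);
}

function sendXssHeaders(): void
{
    // Scripts only from this origin; inline scripts and eval() are blocked.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-XSS-Protection: 1; mode=block');
}

// Constructed attacker-style input, rendered into each context.
$input = '"><script>alert(1)</script>';
echo '<input type="text" name="foo" value="' . eHtml($input) . '">', PHP_EOL;
echo '<script>var foo = ' . eJs($input) . ';</script>', PHP_EOL;
echo '<a href="?q=' . eUrlParam($input) . '">search</a>', PHP_EOL;
echo '<a href="' . eHref('javascript:alert(1)') . '">link</a>', PHP_EOL;
```

Note the interaction between the two mitigations: a CSP with `script-src 'self'` blocks the inline `<script>` block above as well, so with such a policy data for scripts goes into `data-*` attributes (escaped with `eHtml()`) or a separate JSON endpoint rather than inline code.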

Insecure Object Reference

    <select>
        <option value="2">moderator</option>
        <option value="3">editor</option>
    </select>

Insecure Object Reference

    <select>
        <option value="random-ref-x">moderator</option>
        <option value="random-ref-y">editor</option>
    </select>

Insecure Object Reference

• Validate user input

• Use indirect object references

• Check access permissions
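The two `<select>` slides and the three bullets, as one piece of code. This is an added example, not from the slides: it issues per-session random handles in place of the real ids, validates the submitted handle, resolves it, and still checks the permission server-side. Function names and the role data are constructed; it assumes PHP 7 or later for `random_bytes()`.

```php
<?php
// Added example, not from the slides: per-session indirect object references.
// Real ids never reach the client; the form carries random handles that only
// the issuing session can resolve, and the permission is re-checked after
// resolving. Function names and sample data are this example's own. PHP 7+.

// Hand out (or reuse) a random handle for a real id. $refs is the
// handle => id map; in a web app keep it in $_SESSION['refs'].
function handleFor(array &$refs, int $id): string
{
    $handle = array_search($id, $refs, true);
    if ($handle === false) {
        $handle = bin2hex(random_bytes(16));
        $refs[$handle] = $id;
    }
    return $handle;
}

// Map a submitted handle back to the id, or null if this session never issued it.
function resolveHandle(array $refs, string $handle): ?int
{
    return $refs[$handle] ?? null;
}

// Render the slide's <select> with handles in place of ids.
function renderRoleSelect(array &$refs, array $roles, array $assignable): string
{
    $html = '<select name="role">';
    foreach ($assignable as $id) {
        $html .= sprintf(
            '<option value="%s">%s</option>',
            handleFor($refs, $id),
            htmlspecialchars($roles[$id], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . '</select>';
}

// Handle the submitted form: validate the shape, resolve, then check the
// permission server-side. A guessed id such as "1" fails at the first step.
function assignRole(array $refs, array $assignable, string $submitted): int
{
    if (!preg_match('/^[0-9a-f]{32}$/', $submitted)) {
        throw new InvalidArgumentException('malformed reference');
    }
    $id = resolveHandle($refs, $submitted);
    if ($id === null || !in_array($id, $assignable, true)) {
        throw new RuntimeException('role not permitted');
    }
    return $id;
}

// Constructed data: all roles, and the subset this user may assign. The
// subset comes from the user's permissions, never from the form.
$roles      = [1 => 'admin', 2 => 'moderator', 3 => 'editor'];
$assignable = [2, 3];
$refs       = [];

echo renderRoleSelect($refs, $roles, $assignable), PHP_EOL;
echo 'assigned role ', assignRole($refs, $assignable, handleFor($refs, 3)), PHP_EOL;
try {
    assignRole($refs, $assignable, '1');
} catch (Exception $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The indirection hides the ids, but the `in_array($id, $assignable)` check is what actually enforces the third bullet: a handle the session did issue for a role the user may not assign is still refused.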

Security Misconfiguration

    <Directory "/var/www">
        AllowOverride All
    </Directory>

    memory_limit = 1024M
    allow_url_fopen = On
    allow_url_include = On
    ;open_basedir =

Security Misconfiguration

    <Directory "/var/www">
        AllowOverride None
        Options -Indexes
    </Directory>

    memory_limit = 128M
    log_errors = On
    allow_url_fopen = Off
    allow_url_include = Off
    open_basedir = /var/www/app

Security Misconfiguration

• Keep your system up-to-date

• Remove setup/deployment routines

• Disable exposure of sensitive data

• Review server settings

• github.com/ioerror/duraconf
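"Review server settings" as a script rather than a checklist. This is an added example, not from the slides: it reads the running PHP configuration with `ini_get()` and reports every directive that differs from the hardened slide above (plus `display_errors`, which falls under "disable exposure of sensitive data"). The function names, the reasons text and the PHP 7.1+ requirement (array destructuring in `foreach`) are this example's own.

```php
<?php
// Added example, not from the slides: audit the PHP settings the slides call
// out, for the CLI or a deploy pipeline. Expected values follow the hardened
// slide; the check list itself is this example's own. PHP 7.1+.

function auditPhpSettings(): array
{
    $expectations = [
        // directive                => [expected, why it matters]
        'allow_url_fopen'           => ['0', 'fopen()/include can fetch remote files'],
        'allow_url_include'         => ['0', 'include from a URL is remote code execution'],
        'expose_php'                => ['0', 'X-Powered-By leaks the PHP version'],
        'display_errors'            => ['0', 'stack traces and paths reach the client'],
        'log_errors'                => ['1', 'errors should go to the log instead'],
        'session.use_trans_sid'     => ['0', 'session id would appear in URLs'],
        'session.use_only_cookies'  => ['1', 'ignore session ids from the query string'],
        'session.cookie_httponly'   => ['1', 'cookie unreadable from JavaScript'],
        'session.cookie_secure'     => ['1', 'cookie only sent over TLS'],
    ];

    $findings = [];
    foreach ($expectations as $name => [$expected, $why]) {
        $actual = normalizeIniBool((string) ini_get($name));
        if ($actual !== $expected) {
            $findings[] = sprintf('%s is %s, expected %s: %s', $name, $actual, $expected, $why);
        }
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset: PHP may read any file the web user can';
    }
    return $findings;
}

// ini_get() returns "1"/"" for booleans from php.ini but "On"/"Off" when set
// via .htaccess or ini_set(), so fold both spellings before comparing.
function normalizeIniBool(string $value): string
{
    return in_array(strtolower($value), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
}

$findings = auditPhpSettings();
if ($findings === []) {
    echo 'all checked settings match the hardened configuration', PHP_EOL;
}
foreach ($findings as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it under the same SAPI as production (`php-fpm` or `mod_php`, not only the CLI), since each SAPI can load a different php.ini and the CLI defaults differ for `display_errors`.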

Fucking rainbow tables

http://edwardhotspur.wordpress.com/tag/devil-bunny/

PHP 5.5

    // password_hash() requires the algorithm; PASSWORD_DEFAULT is bcrypt today
    // and generates a random salt per call.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    if (password_verify($password, $hash)) {
        // Success!
    } else {
        // Failed :(
    }

SSDE - Password encryption

• Add a salt

• Use different salts

• Use a strong algorithm (NOT md5)

• Use password_hash in PHP 5.5

• github.com/ircmaxell/password_compat
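A login routine that covers these bullets and the Broken Authentication bullets earlier (no upper limit on password length or characters, one generic failure message, a lockout against brute force). This is an added example, not from the slides: the user store is an in-memory array constructed for the example, the lockout thresholds are assumptions, and the function names are this example's own. It assumes PHP 7 or later; on 5.5 the same `password_*` calls come from the ircmaxell/password_compat library linked above.

```php
<?php
// Added example, not from the slides: login built on password_hash() and
// password_verify(), with a generic error path and a per-account lockout.
// Users live in an in-memory array here; in practice that is the database.

const MAX_FAILED      = 5;    // assumption: attempts before lockout
const LOCKOUT_SECONDS = 900;  // assumption: lockout duration

// Registration: any length, any characters; only the hash is stored, and
// password_hash() salts each one individually.
function createUser(array &$users, string $username, string $password): void
{
    if (strlen($password) < 12) {
        throw new InvalidArgumentException('password must be at least 12 characters');
    }
    $users[$username] = [
        'hash'         => password_hash($password, PASSWORD_DEFAULT),
        'failed'       => 0,
        'locked_until' => 0,
    ];
}

// Returns true on success. Every failure path returns plain false, so the
// caller can only show one message and cannot reveal whether the user exists.
function login(array &$users, string $username, string $password, int $now): bool
{
    // Verify against a dummy hash when the user is unknown so an unknown
    // username takes as long as a wrong password for a real one.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }

    $user = $users[$username] ?? null;
    if ($user === null) {
        password_verify($password, $dummyHash);
        return false;
    }
    if ($user['locked_until'] > $now) {
        password_verify($password, $user['hash']);
        return false;
    }
    if (!password_verify($password, $user['hash'])) {
        $users[$username]['failed']++;
        if ($users[$username]['failed'] >= MAX_FAILED) {
            $users[$username]['locked_until'] = $now + LOCKOUT_SECONDS;
            $users[$username]['failed'] = 0;
        }
        return false;
    }

    // Success: reset the counter and upgrade the hash if the default cost
    // or algorithm has changed since it was stored.
    $users[$username]['failed'] = 0;
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = [];
createUser($users, 'alice', 'correct horse battery staple #?*');
var_dump(login($users, 'alice', 'correct horse battery staple #?*', time())); // true
var_dump(login($users, 'alice', 'wrong', time()));                            // false
var_dump(login($users, 'nobody', 'wrong', time()));                           // false
```

The lockout is per account, so it stops online guessing against one user but also lets someone lock that user out; in practice pair it with rate limiting by source address and log both kinds of event.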

SSDE - PHP Exposure

    expose_php = Off

Remove phpinfo();

SSDE - Secure URLs

• Use TLS for all pages

• Use Secure Cookie Flag

• Keep sensitive data out of the URL

    class AdminController {
        public function editAction() {
            $this->model
                ->save($this->formData);
        }
    }

Missing Function Level AC

    class AdminController {
        public function editAction() {
            if (!$this->_isAllowed()) {
                throw new Exception(
                    'insufficient privileges'
                );
            }
            $this->model
                ->save($this->formData);
        }
    }

Missing Function Level AC

• Standard should disallow all access

• Use roles to keep ACL simple

• ACL model should be very flexible

• Check privileges on each step
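The four bullets above made concrete: a deny-by-default ACL keyed on roles, and the slide's controller consulting it before doing any work. This is an added example, not from the slides or any framework; the `Acl` class, the role and resource names, and the `_isAllowed()` wiring are this example's own.

```php
<?php
// Added example, not from the slides: role-based ACL that denies everything
// not explicitly granted, and a controller that checks it on each action.

class Acl
{
    // role => resource => [privilege, ...]; anything not listed is denied.
    private $rules = [];

    public function allow(string $role, string $resource, string $privilege): void
    {
        $this->rules[$role][$resource][] = $privilege;
    }

    // A user may hold several roles; one matching grant is enough.
    public function isAllowed(array $roles, string $resource, string $privilege): bool
    {
        foreach ($roles as $role) {
            $granted = $this->rules[$role][$resource] ?? [];
            if (in_array($privilege, $granted, true) || in_array('*', $granted, true)) {
                return true;
            }
        }
        return false; // the standard: no access
    }
}

// The slide's controller with the check made explicit. $currentRoles comes
// from the authenticated session, never from the request.
class AdminController
{
    private $acl;
    private $currentRoles;

    public function __construct(Acl $acl, array $currentRoles)
    {
        $this->acl = $acl;
        $this->currentRoles = $currentRoles;
    }

    public function editAction(array $formData): string
    {
        if (!$this->_isAllowed('admin', 'edit')) {
            throw new Exception('insufficient privileges');
        }
        // $this->model->save($formData) would go here.
        return 'saved';
    }

    protected function _isAllowed(string $resource, string $privilege): bool
    {
        return $this->acl->isAllowed($this->currentRoles, $resource, $privilege);
    }
}

$acl = new Acl();
$acl->allow('editor', 'admin', 'edit');
$acl->allow('root',   'admin', '*');
// 'viewer' has no rule and therefore no access.

echo (new AdminController($acl, ['editor']))->editAction([]), PHP_EOL;
try {
    (new AdminController($acl, ['viewer']))->editAction([]);
} catch (Exception $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Hiding the admin link in the menu is not access control; the check has to run inside the action, as here, so that a direct request to the URL is refused as well.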

    class BankaccountController {
        public function transferAction() {
            if ($this->_isAllowed()) {
                $this->transfer(
                    $amount,
                    $account
                );
            }
        }
    }

Cross Site Request Forgery

(diagram: the victim logs in and creates a session at sensitive.com, then visits evil.com, which requests the app … through the victim's browser)

CSRF

    class BankaccountController {
        public function transferAction() {
            $this->validateToken();
            if ($this->_isAllowed()) {
                $this->transfer(
                    $amount,
                    $account
                );
            }
        }
    }

(diagram: infected profile; TOKEN; My profile; Authenticate user)

CSRF

• Use One-Time-Token and secure it

• Authenticate user

– Credentials

– Captcha

www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet
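What `$this->validateToken()` in the slide's controller can look like. This is an added example, not from the slides: tokens come from a CSPRNG, are stored server-side per session and compared with `hash_equals()`; the session is a plain array so the code runs from the CLI (in a web app that is `$_SESSION`). The function names and the `_isAllowed()` stub are this example's own; it assumes PHP 7 or later.

```php
<?php
// Added example, not from the slides: per-session CSRF token, generated with a
// CSPRNG and compared in constant time, checked by the transfer controller
// before the privilege check. PHP 7+.

function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field for every state-changing form.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time compare; a missing, empty or mistyped token fails the same way.
function validateCsrfToken(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

class BankaccountController
{
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    public function transferAction(array $post, float $amount, string $account): string
    {
        if (!validateCsrfToken($this->session, $post['csrf_token'] ?? null)) {
            throw new Exception('invalid CSRF token');
        }
        if (!$this->_isAllowed()) {
            throw new Exception('insufficient privileges');
        }
        return sprintf('transferred %.2f to %s', $amount, $account);
    }

    // Stand-in for the real privilege check: a logged-in user.
    private function _isAllowed(): bool
    {
        return !empty($this->session['user_id']);
    }
}

$session    = ['user_id' => 42];            // constructed: an authenticated session
$controller = new BankaccountController($session);
echo csrfField($session), PHP_EOL;

// A form rendered by the site carries the token ...
echo $controller->transferAction(['csrf_token' => csrfToken($session)], 10.0, 'DE00'), PHP_EOL;
// ... a request forged from another site cannot know it.
try {
    $controller->transferAction(['csrf_token' => 'guess'], 10.0, 'DE00');
} catch (Exception $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

This is a per-session token; the slide's "one-time token" variant stores one token per rendered form and deletes it in `validateCsrfToken()` after use, which is stricter but breaks multi-tab use. Either way the token must never be sent in a GET URL, where it would leak via the Referer header.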

Known Vulnerabilities

• Review third party libraries

• Keep libraries up-to-date: http://www.versioneye.com/

• Check:

– mailing lists

– boards

– news- and vendor-sites

Redirects and Forwards


    $allowedDomains = array('good.com', 'better.com');

    if (!in_array($url, $allowedDomains)) {
        throw new Exception('invalid redirect');
    }

    $this->_redirectUrl($url);
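The slide compares the whole `$url` string against the allow list, which only works when the parameter is a bare domain. The following added example (not from the slides) checks the parsed host instead, so full URLs and same-site paths are accepted while the usual bypass shapes are refused. The allow list, function names and test inputs are constructed for the example.

```php
<?php
// Added example, not from the slides: redirect check on the parsed host, not
// the whole string. Accepts http(s) URLs to listed hosts and same-site paths.

function isSafeRedirect(string $url, array $allowedHosts): bool
{
    // Same-site relative path: must start with exactly one "/". A leading
    // "//" is a protocol-relative URL and would leave the site.
    if ($url !== '' && $url[0] === '/') {
        return !isset($url[1]) || ($url[1] !== '/' && $url[1] !== '\\');
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // not an absolute URL we can reason about
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // javascript:, data:, ftp: ...
    }
    // Credentials in the URL ("good.com@evil.com") make the allowed name
    // appear before the real host; refuse them outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

function redirectTo(string $url, array $allowedHosts): void
{
    if (!isSafeRedirect($url, $allowedHosts)) {
        throw new Exception('invalid redirect');
    }
    header('Location: ' . $url, true, 302);
}

// Constructed allow list and inputs, including the common bypass shapes.
$allowed = ['good.com', 'better.com'];
$cases = [
    '/account/settings',          // same-site path
    'https://good.com/login',     // listed host
    'http://GOOD.com/',           // case-insensitive host match
    '//evil.com/',                // protocol-relative
    'https://good.com.evil.com/', // listed name as a prefix of another host
    'https://good.com@evil.com/', // listed name as userinfo
    'javascript:alert(1)',        // non-http scheme
    'good.com',                   // bare domain: a relative path, not a URL
];
foreach ($cases as $case) {
    printf("%-30s %s\n", $case, isSafeRedirect($case, $allowed) ? 'allowed' : 'blocked');
}
```

Comparing the host exactly (after lowercasing) is what blocks `good.com.evil.com`; a `strpos()` or prefix check would not. Where the application only ever redirects to itself, the simplest fix is to accept nothing but same-site paths.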

http://www.lolhome.com/funny-picture-620770644.html

Improper Error Handling

DoS

Security by Obscurity

Insecure File Uploads

Malicious File Execution

Mail Header Injection

Source Code Revelation

Hardcoded Credentials

Clickjacking

Buffer Overflows

XML External Entity

Perfect Pixel Timing

• OWASP Top 10

• CWE/SANS Top 25

• PCI DSS

• Zed Attack Proxy

• Metasploit

• WireShark

• BeEF

http://amzn.to/1vKNLqM

Trust no one!

www.owasp.org security.stackexchange.com

http://www.glittercats.com/image/30189/cute-cats-wallpapers-colorful-wallpaper

Tobias Zander | @airbone42

Questions?

Tobias Zander | @airbone42

Thanks!
