OWASP Top 10 2013

AVOIDING THE OWASP Top 10 security exploits

Saturday, 5 October, 13

ME

Illustrator turned developer

PHP developer for 8 years

Architect/Developer at FreshBooks

Lead developer of CakePHP


SECURITY


SECURITY CONTINUUM

( )unusable unrestricted


OWASPOpen Web Application Security Project


OWASP TOP 10


INJECTION‘ OR 1=1 ‘--1


RISKS

Command - Permits arbitrary shell commands.

SQL - Permits query manipulation, and arbitrary SQL.

Bad guys can run arbitrary code/queries.


$username = $_POST[‘username’];$password = $_POST[‘password’];

$query = “SELECT * FROM userWHERE username = ‘$username’AND password = ‘$password’”;

$user = $db->query($query);

SQL INJECTION EXAMPLE


$username = “root”;$password = “‘ OR 1 = 1 --”;

USER INPUT


FINAL QUERY

$query = “SELECT * FROM userWHERE username = ‘root’AND password = ‘‘ OR 1 = 1 --”;


FINAL QUERY

$query = “SELECT * FROM userWHERE username = ‘root’AND password = ‘‘ OR 1 = 1 --”;


PREVENTION

Use an ORM or Database abstraction layer that provides escaping. Doctrine, Zend\Table, and CakePHP all do this.

Use PDO and prepared statements.

Never interpolate user data into a query.

Never use regular expressions, magic quotes, or addslashes()


EXAMPLE (PDO)

$query = “SELECT * FROM userWHERE username = ?AND password = ?”;

$stmt = $db->prepare($query);$stmt->bindValue($username);$stmt->bindValue($password);$result = $db->execute();


COMMAND INJECTION

$file = $_POST[‘file’];

$res = file_get_contents($file);

echo $res;


$f = “../../../../../../etc/passwd”;

USER INPUT


PREVENTION

Escape and validate input.

Check for ..

Check for ;

Ensure the realpath resolves to a file that is allowed.


2BROKEN AUTHENTICATION & SESSION MANAGEMENT

/index.php?PHPSESSID=pwned


RISKS

Identity theft.

Firesheep was an excellent example.


SESSION FIXATION EXAMPLE

<?phpsession_start();if (isset($_GET[‘sessionid’]) {session_id($_GET[‘sessionid’]);

}


SESSION FIXATION EXAMPLE

<?phpsession_start();if (isset($_GET[‘sessionid’]) {session_id($_GET[‘sessionid’]);

}


PREVENTION

Rotate session identifiers upon login/logout

Set the HttpOnly flag on session cookies.

Use well tested / mature libraries for authentication.

SSL is always a good idea.


3 XSS<script>alert(‘cross site scripting’);</script>


RISKS

Allows bad guys to do things as the person viewing a page.

Steal identities, passwords, credit cards, hijack pages and more.


XSS EXAMPLE

<p><?php echo $user[‘bio’]; ?>

</p>


XSS EXAMPLE

<p><?php echo $user[‘bio’]; ?>

</p>


I know, I can use regular expressions!


NOSaturday, 5 October, 13

PREVENTION

Regular expressions and strip_tags leave you vulnerable.

The only robust solution is output encoding.


EXAMPLE

<p><?php echo htmlentities($user[‘bio’],ENT_QUOTES,‘UTF-8’

); ?></p>


DANGERS

Manually encoding is error prone, and you will make a mistake.

Using a template library like Twig that provides auto-escaping reduces the chances of screwing up.

Encoding is dependent on context.


4INSECURE DIRECT OBJECT REFERENCE


RISKS

Bad guys can access information they shouldn’t

Bad guys can modify data they shouldn’t.


BROKEN PASSWORD UPDATE

<form action=”/user/update” method=”post”><input type=”hidden” name=”userid” value=”4654” /><input type=”text” name=”new_password” /><button type=”submit”>Save</button>

</form>


PREVENTION

Remember hidden inputs are not really hidden, and can be changed by users.

Validate access to all things, don’t depend on things being hidden/invisible.

If you need to refer to the current user, use session data not form inputs.

Whitelist properties any form can update.


5SECURITY MISCONFIGURATION


RISKS

Default settings can be insecure, and intended for development not production.

Attackers can use misconfigured software to gain knowledge and access.


PREVENTION

Know the tools you use, and configure them correctly.

Keep up to date on vulnerabilities in the tools you use.

Remove/disable any services/features you aren’t using.


6SENSITIVE DATA EXPOSURE4012 8888 8888 1881


RISKS

Bad guys get credit cards, personal identification, passwords or health records.

Your company could be fined or worse.


ASSESSING RISK

Do you have sensitive data?

Is it in plaintext?

Any old/bad crypto in use?

Missing SSL?

Who can access sensitive data?


7MISSING FUNCTION LEVELACCESS CONTROL


RISKS

Anyone on the internet can request things.

Missing access control could mean bad guys can do things they shouldn’t be able to.


PREVENTION

No simple solutions sadly.

Good automated tests help.


8CROSS SITE REQUEST FORGERY

(CSRF)


RISKS

Evil websites can perform actions for users logged into your site.

Side effects on GET can be performed via images or CSS files.

Remember the Gmail contact hack.


CSRF EXAMPLE

Your app

Evil site


CSRF EXAMPLE

Your app

Evil site

Login


CSRF EXAMPLE

Your app

Evil site

Login

Accidentally visit


CSRF EXAMPLE

Your app

Evil site

Login

Accidentally visit

Submit form for evil


PREVENTION

Add opaque expiring tokens to all forms.

Requests missing tokens or containing invalid tokens should be rejected.


SAMPLE CSRF VALIDATION

<?phpif (!$this->validCsrfToken($data, ‘csrf’)) {throw new ForbiddenException();

}


9USING COMPONENTS WITH KNOWN VULNERABILITIES

CVE bingo


RISK

Using old busted software can expose you to documented issues.

CVE databases are filled with version numbers and matching exploits.


PREVENTION

Do routine upgrades. Keep up to date with all your software.

Read mailing lists and keep an eye out for security releases.


PREVENTION

Several vulnerability databases around.

https://cve.mitre.org/cve/




10UNVALIDATED REDIRECTS & FORWARDS


RISKS

Trusting user input for redirects opens phishing attacks.

Breach of trust with your users.


PREVENTION

Don’t trust user data when handling redirects.


THANK YOU


OWASP Top 10 2013

Technology

final query

query manipulation

query sql injection

user data

etcpasswd user input

arbitrary sql

example pdo

command injection