@asgrim

Dip Your Toesin the Sea of Security

James TitcumbphpDay 2016

@asgrim

James Titcumbwww.jamestitcumb.comwww.roave.comwww.phphants.co.ukwww.phpsouthcoast.co.uk

Who is this guy?

@asgrim

Some simple code...

<?php

$a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);

$b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);

$result = $a + $b;

printf('The answer is %d', $result);

@asgrim

@asgrim

The Golden Rules

@asgrim

The Golden Rules(my made up golden rules)

@asgrim

1. Keep it simple

@asgrim

2. Know the risks

@asgrim

3. Fail securely

@asgrim

4. Don’t reinvent the wheel

@asgrim

5. Never trust anything

@asgrim

OWASP& the OWASP Top 10

https://www.owasp.org/

@asgrim

Application Security(mainly PHP applications)

@asgrim

Always remember…

Filter InputEscape Output

@asgrim© 2003 Disney/Pixar. All Rights Reserved.

SQL Injection (#1)

@asgrim

SQL Injection (#1)

http://xkcd.com/327/

@asgrim

SQL Injection (#1)

1. Use PDO / mysqli2. Use prepared / parameterized statements

@asgrim

SQL Injection (#1)<?php

// user_id=1; DROP TABLE users; --

$user_id = $_GET['user_id'];

$sql = "

SELECT * FROM users

WHERE user_id = {$user_id}";

$db->execute($sql); ✘

@asgrim

SQL Injection (#1)<?php

$user_id = $_GET['user_id'];

$sql = "

SELECT * FROM users

WHERE user_id = :userid";

$stmt = $db->prepare($sql);

$stmt->bind('userid', $user_id);

$stmt->execute();✓

@asgrim© 2003 Disney/Pixar. All Rights Reserved.

@asgrim

exec($_GET)https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code

@asgrim

eval()https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults

@asgrim

Cross-Site Scripting / XSS (#3)© 2003 Disney/Pixar. All Rights Reserved.

@asgrim

Cross-Site Scripting / XSS (#3)

● Escape output<?php

$unfilteredInput = '<script type="text/javascript">...</script>';

// Unescaped - JS will run :'(

echo $unfilteredInput;

// Escaped - JS will not run :)

echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

@asgrim

Cross-Site Request Forgery / CSRF (#8)

http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html

@asgrim

Cross-Site Request Forgery / CSRF (#8)<?php

if (!$isPost) {

$csrfToken = base64_encode(random_bytes(32)));

$_SESSION['csrf_token'] = $csrfToken;

// ... output the form ...

echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';

} else if ($isPost) {

if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {

die("Token invalid...");

}

// ... handle the form ...

}

@asgrim

<?php

if (!$isPost) {

$csrfToken = base64_encode(random_bytes(32)));

$_SESSION['csrf_token'] = $csrfToken;

// ... output the form ...

echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';

} else if ($isPost) {

if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {

die("Token invalid...");

}

// ... handle the form ...

}

Cross-Site Request Forgery / CSRF (#8)

@asgrim

Cross-Site Request Forgery / CSRF (#8)<?php

if (!$isPost) {

$csrfToken = base64_encode(random_bytes(32)));

$_SESSION['csrf_token'] = $csrfToken;

// ... output the form ...

echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';

} else if ($isPost) {

if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {

die("Token invalid...");

}

// ... handle the form ...

}

@asgrim

Timing attacks

From zend_is_identical:return (Z_STR_P(op1) == Z_STR_P(op2) ||

(Z_STRLEN_P(op1) == Z_STRLEN_P(op2) &&

memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));

@asgrim

Timing attacks

Actual string: “foobar”● a (0.00001)● aa (0.00001)● aaa (0.00001)● aaaa (0.00001)● aaaaa (0.00001)● aaaaaa (0.00002) ← success!● aaaaaaa (0.00001)● aaaaaaaa (0.00001)● aaaaaaaaa (0.00001)

@asgrim

Timing attacks 1 int memcmp(const void* s1, const void* s2,size_t n)

2 {

3 const unsigned char *p1 = s1, *p2 = s2;

4 while(n--)

5 if( *p1 != *p2 )

6 return *p1 - *p2;

7 else

8 p1++,p2++;

9 return 0;

10 }http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation

@asgrim

Timing attacks

Actual string: “foobar”● “aaaaaa” (0.00001)● “baaaaa” (0.00001) ● …● “faaaaa” (0.00002) ← success!● “fbaaaa” (0.00002)● “fcaaaa” (0.00002)● …● “foaaaa” (0.00003) ← success!

@asgrim

Sensitive Data Exposure (#6)© 2003 Disney/Pixar. All Rights Reserved.

@asgrim

Sensitive Data Exposure (#6)

@asgrim© 2003 Disney/Pixar. All Rights Reserved.

@asgrim

curl + https<?php

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

✘

@asgrim

curl + https<?php

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");

✓

@asgrim© 2003 Disney/Pixar. All Rights Reserved.

@asgrim

Third Party Code

@asgrim

Third Party Code!!! WARNING !!!

@asgrim

Third Party Code github.com/ /SecurityAdvisories

!!! WARNING !!!

@asgrim

@asgrim

We are not allsecurity experts!

@asgrim

We are not allsecurity experts!

… but we CAN write secure code

@asgrim

Hack your own system!

© 2003 Disney/Pixar. All Rights Reserved.

@asgrim

What do you want?

Think like a hacker

@asgrim

How do you get it?

Think Differently

@asgrim

Threat ModellingD.R.E.A.D.

© Buena Vista Pictures

@asgrim

Threat Modelling

DamageREAD

© Buena Vista Pictures

@asgrim

Threat Modelling

DamageReproducibilityEAD

© Buena Vista Pictures

@asgrim

Threat Modelling

DamageReproducibilityExploitabilityAD

© Buena Vista Pictures

@asgrim

Threat Modelling

DamageReproducibilityExploitabilityAffected usersD

© Buena Vista Pictures

@asgrim

Threat Modelling

DamageReproducibilityExploitabilityAffected usersDiscoverability

© Buena Vista Pictures

@asgrim

Rank them in orderAnd fix them!

© Buena Vista Pictures

@asgrim

Authentication& Authorization

@asgrim

AuthenticationVerifying Identity

@asgrim

Case Study: Custom Authentication

We thought about doing this…

@asgrim

Case Study: Custom Authentication

We thought about doing this…

@asgrim

Case Study: Custom Authentication

We thought about doing this…

✘

@asgrim

Password Hashingpassword_hash()

@asgrim

AuthorizationVerifying Access

@asgrim

CRYPTOGRAPHYIS

HARD

@asgrim

@asgrim

CRYPTOGRAPHYIS

HARDNEVER EVER “ROLL YOUR OWN”

@asgrim

CRYPTOGRAPHYIS

HARDNEVER EVER “ROLL YOUR OWN”

EVER!!!

@asgrim

How to encrypt then?

@asgrim

I’ve got some great ideas for encryption...

Image: The Guardian (http://goo.gl/pUkyvO)

@asgrim

How to encrypt then?libsodium PECL package

@asgrim

Linux Server Security

@asgrim

Create an SSH Fortress

@asgrim

Firewalls

@asgrim

iptables#!/bin/bash

IPT="/sbin/iptables"

$IPT --flush

$IPT --delete-chain

$IPT -P INPUT DROP

$IPT -P FORWARD DROP

$IPT -P OUTPUT DROP

# Loopback

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A OUTPUT -o lo -j ACCEPT

# Inbound traffic

$IPT -A INPUT -p tcp --dport ssh -j ACCEPT

$IPT -A INPUT -p tcp --dport 80 -j ACCEPT

$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

# Outbound traffic

$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT

$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT

$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

@asgrim

ufwsudo ufw enable

sudo ufw allow 22

sudo ufw allow 80

@asgrim

Mitigate Brute Force Attacks

@asgrim

Install OnlyWhat You Need

@asgrim© 2003 Disney/Pixar. All Rights Reserved.

@asgrim

+

@asgrim

Case Study: Be Minimal

Internets

Postfix

Squid Proxy(badly configured)

hacker

spam

@asgrim

Resources

● http://securingphp.com/● https://www.owasp.org/● http://blog.ircmaxell.com/● https://github.com/paragonie/random_compat● https://github.com/ircmaxell/password_compat● https://paragonie.com/blog● https://websec.io/resources.php

@asgrim

The Golden Rules

1. Keep it simple2. Know the risks3. Fail securely4. Don’t reinvent the wheel5. Never trust anything / anyone

@asgrim

If you follow all this, you get...

@asgrim

If you follow all this, you get...

@asgrim

Any questions? :)

https://joind.in/talk/fc2dcJames Titcumb