Security 202 - Are you sure your site is secure?
Transcript of Security 202 - Are you sure your site is secure?
![Page 1: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/1.jpg)
Are You Sure Your Site Is Secure?
Security 202
Confoo 2011 Edition
By Arne Blankerts, thePHP.cc
![Page 2: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/2.jpg)
What is this talk about?
Myths in web security Broken configurations Typical implementation
issues
![Page 3: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/3.jpg)
Session data
“I can always trust my session datasince I know what I did store”
![Page 4: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/4.jpg)
Session data
Identical for all php instances unless specifically overwritten
Read and write access from php code
May be crafted in shared hosting Session-id takeover from vhost to vhost Session-Content can be modified Can even lead to code execution
[theseer@rikka ~] $ grep "session.save_path" /etc/php.ini | grep -v ";"
session.save_path = "/var/lib/php/session"
![Page 5: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/5.jpg)
Session hijacking
“To protect my users from session hijacking, I did implement a
validation check”
![Page 6: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/6.jpg)
Session hijacking
01 <?php02 session_start();03 $success = true;04 if (($_SESSION['IP'] != $_SERVER['REMOTE_ADDR'])05 or ($_SESSION['VIA'] != $_SERVER['HTTP_VIA'])06 or ($_SESSION['FORWARD'] != $_SERVER['HTTP_X_FORWARDED_FOR'])07 or ($_SESSION['AGENT'] != $_SERVER['HTTP_USER_AGENT'])) {08 // ...09 }
session.php
![Page 7: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/7.jpg)
Session hijacking – what to do?
Determine if hijacking is a problem Regenerate id on every request
Doesn't block it but makes it harder to exploit
Fully switch to https for transport Alternatively use a separate id in ssl context
![Page 8: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/8.jpg)
Cross Site Request Forgery
“I have an anti CSRF token in my forms – So I'm well protected”
![Page 9: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/9.jpg)
CSRF
01 <?php0203 session_start();04 $_SESSION['CSRF']=md5(time());0506 //...
csrftoken.php
validate.php01 <?php0203 session_start();04 if ($_SESSION['CSRF']==$_GET['CSRF']) {05 // ...06 }
![Page 10: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/10.jpg)
CSRF
Regenerate token for every form? Do you keep a backlog of tokens?
Do you validate your session? Session fixation may violate CSRF tokens
What do you base the token on?
![Page 11: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/11.jpg)
CAPTCHA
“I'm using a captcha to protect my forms from abuse – So I'm save.”
![Page 12: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/12.jpg)
CAPTCHA
Conceptual Problems Distortion often unreadable Not the least bit accessible
Breaking can be “crowd sourced”
Implementation issues
![Page 13: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/13.jpg)
CAPTCHA
captcha.php
validation.php
01 <?php02 session_start();03 require 'captchaHelper.php';0405 $code = generateCaptchaCode();06 $_SESSION['CAPTCHA'] = $code;0708 header('Content-type: image/jpeg');09 echo createCaptchaImage($code);
01 <?php02 session_start();0304 if ($_SESSION['CAPTCHA'] != $_REQUEST['code']) {05 die('Captcha value wrong');06 }07 echo 'Welcome!';
![Page 14: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/14.jpg)
Prepared Statements
“I'm using prepared statementsso I'm protected from sql injections”
![Page 15: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/15.jpg)
Prepared Statements
01 <?php0203 $db = new PDO(....);04 $query = $db->prepare('SELECT ... WHERE NAME=:name');05 $query->bindParam(':name', $_GET['name']);0607 //...
![Page 16: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/16.jpg)
Prepared Statements
What about fieldnames? Variable table names? Do you sort your results? Any need for limits?
Still use ext/mysql? Sprintf based implementations?
![Page 17: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/17.jpg)
Drawbacks of sprintf
Manual escaping needed mysql_escape_string vs. mysql_real_escape_string
PDO::quote() does not work with ODBC No knowledge of fieldtype
String vs. Integer exploits PDO::quote vs. mysql(i)_real_escape_string
![Page 18: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/18.jpg)
Password storage
“I know storing clear text passwords is a bad idea. That's why I'm only storing hashes of passwords to
protect my users.”
![Page 19: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/19.jpg)
Password storage
01 <?php0203 $db = new PDO(....);04 $query = $db->prepare(05 'UPDATE user SET PASSWD=:pwd WHERE UID=:uid'06 );07 $query->bindParam(':uid', $_SESSION['uid']);08 $query->bindParam(':pwd', sha1($_POST['pwd']));0910 //...
![Page 20: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/20.jpg)
Most favorite passwords
123456 12345 123456789 Password iloveyou princess rockyou 1234567 12345678
Abc123 Qwertz / Qwerty Dragon Sexgod Football 1234 Pussy Letmein admin
![Page 21: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/21.jpg)
Password storage
Always salt hashes Prepend and/or append additional values
Stretch your passwords Re-apply and calculate the hash 400.000 iterations take <1sec on my laptop
Do a quality check on user supplied codes
![Page 22: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/22.jpg)
Validation
“I know using blacklists is pointless. That's why I use regular expressions to
check for valid chars in a string”
![Page 23: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/23.jpg)
Validation
01 <?php 0203 $name = isset($_GET['name']) ? $_GET['name'] : 'Anonymous User';0405 if (ereg("^[a-zA-Z0-9 +-]*$", $name)) {06 echo "Welcome, $name";07 } else {08 echo "Sorry, that name contains invalid chars";09 }1011 ?>
![Page 24: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/24.jpg)
Clickjacking
“To make sure my site cannot be a victim of clickjacking, I have a Javascript to Break out from
frames or iframes”
![Page 25: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/25.jpg)
Clickjacking
01 <script type=”text/javascript”>02 if (top != self) { top.location.replace(self.location.href); }03 </script>
Old style frame busting code
![Page 26: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/26.jpg)
Clickjacking
01 <script type=”text/javascript”>02 if (top != self) { top.location.replace(self.location.href); }03 </script>
Old style frame busting code
Frame buster busting code01 <script type=”text/javascript”>02 var prevent_bust = 0 03 window.onbeforeunload = function() { prevent_bust++ } 04 setInterval(function() { 05 if (prevent_bust > 0) {06 prevent_bust -= 2 07 window.top.location = 'http://attacker/204.php'; 08 } 09 }, 1); 10 </script>
![Page 27: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/27.jpg)
Clickjacking – what works
JavaScript & CSS Hide content by use display:none Switch to visible if frametest succeeds
Use X-FRAME-OPTIONS header Set to DENY for no iframe embedding Set to SAMEORIGIN to allow from same host
![Page 28: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/28.jpg)
Lessons learned?
Tiny problems add up Some attacks are only effective if various
vectors get combined Combinations of attack vectors may render
your solution useless
Security requires a fully secure eco system
![Page 29: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/29.jpg)
Q & A
![Page 30: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/30.jpg)
Congrats!
![Page 31: Security 202 - Are you sure your site is secure?](https://reader034.fdocuments.net/reader034/viewer/2022042521/557589f5d8b42ae7708b495e/html5/thumbnails/31.jpg)
Contact
Slides will be available
http://talks.thephp.cc
Please rate this talk
http://joind.in/talk/view/2785
Contact options
Email: [email protected] / [email protected]
Follow us on twitter:
@arneblankerts / @thePHPcc