Dip Your Toes in the Sea of Security (PHP Cambridge)
0 likes725 views
This document provides an overview of application security best practices for PHP applications. It discusses common vulnerabilities like SQL injection and cross-site scripting, and how to prevent them through practices like input filtering, output escaping, and prepared statements. It also covers server security topics like SSH hardening, firewall configuration, and minimizing installed software. The main messages are to keep things simple, know the risks, fail securely, avoid custom security implementations, and never fully trust inputs.
![Some simple code...
<?php
$a = (int)$_GET['a'];
$b = (int)$_GET['b'];
$result = $a + $b;
printf('The answer is %d', $result);](https://image.slidesharecdn.com/dipyourtoesintheseaofsecurityphpcambridge-150129024046-conversion-gate01/85/Dip-Your-Toes-in-the-Sea-of-Security-PHP-Cambridge-3-320.jpg)
![SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = {$user_id}";
$db->execute($sql);
✘](https://image.slidesharecdn.com/dipyourtoesintheseaofsecurityphpcambridge-150129024046-conversion-gate01/85/Dip-Your-Toes-in-the-Sea-of-Security-PHP-Cambridge-16-320.jpg)
![SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
$stmt->bind('userid', $user_id);
$stmt->execute();
✓](https://image.slidesharecdn.com/dipyourtoesintheseaofsecurityphpcambridge-150129024046-conversion-gate01/85/Dip-Your-Toes-in-the-Sea-of-Security-PHP-Cambridge-17-320.jpg)
![<?php
if (!$isPost) {
$csrfToken = hash("sha512",mt_rand(0,mt_getrandmax()));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'"
/>';
} else if ($isPost) {
if ($_SESSION['csrf_token'] != $_POST['csrf_token']) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)](https://image.slidesharecdn.com/dipyourtoesintheseaofsecurityphpcambridge-150129024046-conversion-gate01/85/Dip-Your-Toes-in-the-Sea-of-Security-PHP-Cambridge-23-320.jpg)
Dip Your Toes in the Sea of Security (PHP Cambridge)
- 1. Dip Your Toes in the Sea of Security James Titcumb PHP Cambridge 28th January 2015
- 2. James Titcumb www.jamestitcumb.com www.protected.co.uk www.phphants.co.uk www.phpsouthcoast.co.uk @asgrim Who is this guy?
- 3. Some simple code... <?php $a = (int)$_GET['a']; $b = (int)$_GET['b']; $result = $a + $b; printf('The answer is %d', $result);
- 5. The Golden Rules (my made up golden rules)
- 6. 1. Keep it simple
- 7. 2. Know the risks
- 9. 4. Don’t reinvent the wheel
- 10. 5. Never trust anything
- 11. OWASP & the OWASP Top 10 https://www.owasp.org/
- 12. Application Security (mainly PHP applications)
- 13. Always remember… Filter Input Escape Output
- 15. SQL Injection (#1) 1. Use PDO / mysqli 2. Use prepared / parameterized statements
- 16. SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
- 17. SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓
- 20. Cross-Site Scripting / XSS (#3)
- 21. Cross-Site Scripting / XSS (#3) ● Escape output <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
- 22. Cross-Site Request Forgery / CSRF (#8)
- 23. <?php if (!$isPost) { $csrfToken = hash("sha512",mt_rand(0,mt_getrandmax())); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if ($_SESSION['csrf_token'] != $_POST['csrf_token']) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
- 24. Errors, Exceptions & Logging (#6)
- 25. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
- 26. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓
- 27. WordPress
- 28. WordPress Urgh.
- 29. We are not security experts!
- 30. We are not security experts! … but we CAN write secure code
- 31. Be the threat Think Differently
- 32. What do you want? Think Differently
- 33. How do you get it? Think Differently
- 38. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
- 39. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
- 40. Case Study: Custom Authentication We thought about doing this…
- 41. Case Study: Custom Authentication We thought about doing this…
- 42. Case Study: Custom Authentication We thought about doing this… ✘
- 46. Create an SSH Fortress
- 47. Firewalls
- 48. IPTABLES #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state
- 50. Install Only What You Need
- 51. Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
- 52. Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/
- 53. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
- 54. If you follow all this, you get...
- 55. If you follow all this, you get...
- 56. Questions?
- 57. James Titcumb @asgrim Thanks for watching!