Security 202 - Are you sure your site is secure?
2 likes2,460 views
This document discusses common web security issues and myths. It addresses session security, session hijacking, CSRF tokens, CAPTCHAs, SQL injections, password storage, input validation, and clickjacking. The key lessons are that small issues can combine to create larger vulnerabilities, and security requires a fully secure system across all components. The document encourages moving beyond simple solutions to more robust approaches like regenerating session IDs, validating entire sessions, strengthening password hashing, and using the X-FRAME-OPTIONS header.
![Session data
[theseer@rikka ~] $ grep "session.save_path" /etc/php.ini | grep -v ";"
session.save_path = "/var/lib/php/session"
Identical for all php instances unless
specifically overwritten
Read and write access from php code
May be crafted in shared hosting
Session-id takeover from vhost to vhost
Session-Content can be modified
Can even lead to code execution](https://image.slidesharecdn.com/security202-110328143223-phpapp02/85/Security-202-Are-you-sure-your-site-is-secure-4-320.jpg)
![Session hijacking
session.php
01 <?php
02 session_start();
03 $success = true;
04 if (($_SESSION['IP'] != $_SERVER['REMOTE_ADDR'])
05 or ($_SESSION['VIA'] != $_SERVER['HTTP_VIA'])
06 or ($_SESSION['FORWARD'] != $_SERVER['HTTP_X_FORWARDED_FOR'])
07 or ($_SESSION['AGENT'] != $_SERVER['HTTP_USER_AGENT'])) {
08 // ...
09 }](https://image.slidesharecdn.com/security202-110328143223-phpapp02/85/Security-202-Are-you-sure-your-site-is-secure-6-320.jpg)
![CSRF
csrftoken.php
01 <?php
02
03 session_start();
04 $_SESSION['CSRF']=md5(time());
05
06 //...
validate.php
01 <?php
02
03 session_start();
04 if ($_SESSION['CSRF']==$_GET['CSRF']) {
05 // ...
06 }](https://image.slidesharecdn.com/security202-110328143223-phpapp02/85/Security-202-Are-you-sure-your-site-is-secure-9-320.jpg)
![CAPTCHA
captcha.php
01 <?php
02 session_start();
03 require 'captchaHelper.php';
04
05 $code = generateCaptchaCode();
06 $_SESSION['CAPTCHA'] = $code;
07
08 header('Content-type: image/jpeg');
09 echo createCaptchaImage($code);
validation.php
01 <?php
02 session_start();
03
04 if ($_SESSION['CAPTCHA'] != $_REQUEST['code']) {
05 die('Captcha value wrong');
06 }
07 echo 'Welcome!';](https://image.slidesharecdn.com/security202-110328143223-phpapp02/85/Security-202-Are-you-sure-your-site-is-secure-13-320.jpg)
![Prepared Statements
01 <?php
02
03 $db = new PDO(....);
04 $query = $db->prepare('SELECT ... WHERE NAME=:name');
05 $query->bindParam(':name', $_GET['name']);
06
07 //...](https://image.slidesharecdn.com/security202-110328143223-phpapp02/85/Security-202-Are-you-sure-your-site-is-secure-15-320.jpg)
![Password storage
01 <?php
02
03 $db = new PDO(....);
04 $query = $db->prepare(
05 'UPDATE user SET PASSWD=:pwd WHERE UID=:uid'
06 );
07 $query->bindParam(':uid', $_SESSION['uid']);
08 $query->bindParam(':pwd', sha1($_POST['pwd']));
09
10 //...](https://image.slidesharecdn.com/security202-110328143223-phpapp02/85/Security-202-Are-you-sure-your-site-is-secure-19-320.jpg)
![Validation
01 <?php
02
03 $name = isset($_GET['name']) ? $_GET['name'] : 'Anonymous User';
04
05 if (ereg("^[a-zA-Z0-9 +-]*$", $name)) {
06 echo "Welcome, $name";
07 } else {
08 echo "Sorry, that name contains invalid chars";
09 }
10
11 ?>](https://image.slidesharecdn.com/security202-110328143223-phpapp02/85/Security-202-Are-you-sure-your-site-is-secure-23-320.jpg)
Security 202 - Are you sure your site is secure?
- 1. Are You Sure Your Site Is Secure? Security 202 Confoo 2011 Edition By Arne Blankerts, thePHP.cc
- 2. What is this talk about? Myths in web security Broken configurations Typical implementation issues
- 3. Session data “I can always trust my session data since I know what I did store”
- 4. Session data [theseer@rikka ~] $ grep "session.save_path" /etc/php.ini | grep -v ";" session.save_path = "/var/lib/php/session" Identical for all php instances unless specifically overwritten Read and write access from php code May be crafted in shared hosting Session-id takeover from vhost to vhost Session-Content can be modified Can even lead to code execution
- 5. Session hijacking “To protect my users from session hijacking, I did implement a validation check”
- 6. Session hijacking session.php 01 <?php 02 session_start(); 03 $success = true; 04 if (($_SESSION['IP'] != $_SERVER['REMOTE_ADDR']) 05 or ($_SESSION['VIA'] != $_SERVER['HTTP_VIA']) 06 or ($_SESSION['FORWARD'] != $_SERVER['HTTP_X_FORWARDED_FOR']) 07 or ($_SESSION['AGENT'] != $_SERVER['HTTP_USER_AGENT'])) { 08 // ... 09 }
- 7. Session hijacking – what to do? Determine if hijacking is a problem Regenerate id on every request Doesn't block it but makes it harder to exploit Fully switch to https for transport Alternatively use a separate id in ssl context
- 8. Cross Site Request Forgery “I have an anti CSRF token in my forms – So I'm well protected”
- 9. CSRF csrftoken.php 01 <?php 02 03 session_start(); 04 $_SESSION['CSRF']=md5(time()); 05 06 //... validate.php 01 <?php 02 03 session_start(); 04 if ($_SESSION['CSRF']==$_GET['CSRF']) { 05 // ... 06 }
- 10. CSRF Regenerate token for every form? Do you keep a backlog of tokens? Do you validate your session? Session fixation may violate CSRF tokens What do you base the token on?
- 11. CAPTCHA “I'm using a captcha to protect my forms from abuse – So I'm save.”
- 12. CAPTCHA Conceptual Problems Distortion often unreadable Not the least bit accessible Breaking can be “crowd sourced” Implementation issues
- 13. CAPTCHA captcha.php 01 <?php 02 session_start(); 03 require 'captchaHelper.php'; 04 05 $code = generateCaptchaCode(); 06 $_SESSION['CAPTCHA'] = $code; 07 08 header('Content-type: image/jpeg'); 09 echo createCaptchaImage($code); validation.php 01 <?php 02 session_start(); 03 04 if ($_SESSION['CAPTCHA'] != $_REQUEST['code']) { 05 die('Captcha value wrong'); 06 } 07 echo 'Welcome!';
- 14. Prepared Statements “I'm using prepared statements so I'm protected from sql injections”
- 15. Prepared Statements 01 <?php 02 03 $db = new PDO(....); 04 $query = $db->prepare('SELECT ... WHERE NAME=:name'); 05 $query->bindParam(':name', $_GET['name']); 06 07 //...
- 16. Prepared Statements What about fieldnames? Variable table names? Do you sort your results? Any need for limits? Still use ext/mysql? Sprintf based implementations?
- 17. Drawbacks of sprintf Manual escaping needed mysql_escape_string vs. mysql_real_escape_string PDO::quote() does not work with ODBC No knowledge of fieldtype String vs. Integer exploits PDO::quote vs. mysql(i)_real_escape_string
- 18. Password storage “I know storing clear text passwords is a bad idea. That's why I'm only storing hashes of passwords to protect my users.”
- 19. Password storage 01 <?php 02 03 $db = new PDO(....); 04 $query = $db->prepare( 05 'UPDATE user SET PASSWD=:pwd WHERE UID=:uid' 06 ); 07 $query->bindParam(':uid', $_SESSION['uid']); 08 $query->bindParam(':pwd', sha1($_POST['pwd'])); 09 10 //...
- 20. Most favorite passwords 123456 Abc123 12345 Qwertz / Qwerty 123456789 Dragon Password Sexgod iloveyou Football princess 1234 rockyou Pussy 1234567 Letmein 12345678 admin
- 21. Password storage Always salt hashes Prepend and/or append additional values Stretch your passwords Re-apply and calculate the hash 400.000 iterations take <1sec on my laptop Do a quality check on user supplied codes
- 22. Validation “I know using blacklists is pointless. That's why I use regular expressions to check for valid chars in a string”
- 23. Validation 01 <?php 02 03 $name = isset($_GET['name']) ? $_GET['name'] : 'Anonymous User'; 04 05 if (ereg("^[a-zA-Z0-9 +-]*$", $name)) { 06 echo "Welcome, $name"; 07 } else { 08 echo "Sorry, that name contains invalid chars"; 09 } 10 11 ?>
- 24. Clickjacking “To make sure my site cannot be a victim of clickjacking, I have a Javascript to Break out from frames or iframes”
- 25. Clickjacking Old style frame busting code 01 <script type=”text/javascript”> 02 if (top != self) { top.location.replace(self.location.href); } 03 </script>
- 26. Clickjacking Old style frame busting code 01 <script type=”text/javascript”> 02 if (top != self) { top.location.replace(self.location.href); } 03 </script> Frame buster busting code 01 <script type=”text/javascript”> 02 var prevent_bust = 0 03 window.onbeforeunload = function() { prevent_bust++ } 04 setInterval(function() { 05 if (prevent_bust > 0) { 06 prevent_bust -= 2 07 window.top.location = 'http://attacker/204.php'; 08 } 09 }, 1); 10 </script>
- 27. Clickjacking – what works JavaScript & CSS Hide content by use display:none Switch to visible if frametest succeeds Use X-FRAME-OPTIONS header Set to DENY for no iframe embedding Set to SAMEORIGIN to allow from same host
- 28. Lessons learned? Tiny problems add up Some attacks are only effective if various vectors get combined Combinations of attack vectors may render your solution useless Security requires a fully secure eco system
- 29. Q & A
- 30. Congrats!
- 31. Contact Slides will be available http://talks.thephp.cc Please rate this talk http://joind.in/talk/view/2785 Contact options Email: team@thePHP.cc / arne@thePHP.cc Follow us on twitter: @arneblankerts / @thePHPcc