What Is Security - DPUG September 2008

1. What is Security?
DPUG - September 9th 2008
Jason Ragsdale
Wednesday, September 10, 2008 1

2. A good place to start...
php.ini
display_errors = Off
register_globals = Off
open_basedir = ....
What about safe_mode??
Wednesday, September 10, 2008 2

3. Don’t be stupid
Never require/include any file based on user
input without checking it first.
<?php
if (isset($_GET[‘page’])
{
require $_GET[‘page’];
}
?>
URL: script.php?page=/etc/passwd
....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
Wednesday, September 10, 2008 3

4. Don’t be stupid... 2
If your solution uses eval().... you are doing it
wrong
<?php
if (isset($_GET[‘input’])
{
eval($_GET[‘input’]);
}
?>
URL: script.php?input=passthru(“cat /etc/passwd”);
....
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
Wednesday, September 10, 2008 4

5. Input Filtering
What is input?
Anything the user or interacting system
sends to your site i.e. ($_POST, $_GET,
$_REQUEST, $_COOKIE...)
What is a whitelist?
“A list of approved or favored items”
What is a blacklist?
“A list persons who are disapproved of or
are to be punished or boycotted”
Wednesday, September 10, 2008 5

6. Input Validation
Unfiltered code
Example
<?php
if (isset($_POST[‘username’]))
{
$username = $_POST[‘username’];
}
Wednesday, September 10, 2008 6

7. Input Validation
ctype
Example
<?php
$clean = array();
if (ctype_alnum($_POST[‘username’]))
{
$clean[‘username’] = $_POST[‘username’];
}
Wednesday, September 10, 2008 7

8. Input Validation
Zend_Filter_Input
Example
<?php
if (isset($_POST[‘username’]))
{
$filterChain = new Zend_Filter();
$filterChain->addFilter(new Zend_Filter_Alpha())
->addFilter(new Zend_Filter_StringToLower());
$username = $filterChain->filter($_POST[‘username’]);
}
Wednesday, September 10, 2008 8

9. Input Validation
php/filter
Example
<?php
if (isset($_POST[‘username’]))
{
$username = filter_var(‘username’, FILTER_VALIDATE_REGEXP,
array(
‘options’=>
array(‘regexp’=>’/([a-zA-Z0-9]+)/’)
)
);
}
Wednesday, September 10, 2008 9

10. Output Encoding
What is output?
Anything sent back to the user / sender
of the request (RSS Feed, Form Validate,
User created data...)
htmlentities Example
<?php
$str = “A ‘quote’ is <b>bold</b>”;
//Outputs: A ‘quote’ is &lt;b&gt;bold&lt;/b&gt
echo htmlentities($str);
//Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt
echo htmlentities($str, ENT_QUOTES);
Wednesday, September 10, 2008 10

11. Tim Stiles
At this point mention XmlWriter and all
it’s wonders.... ;)
Wednesday, September 10, 2008 11

12. Database Inputs
(or: How I Learned to Stop Worrying and Love the Users)
Wednesday, September 10, 2008 12

13. How do i deal with it?
A input filter (whitelist) combined with
prepared statements... DONE
$clean = array();
if (ctype_alnum($_POST[‘username’]))
{
$clean[‘username’] = $_POST[‘username’];
}
$sql = “SELECT `username` FROM `users` WHERE `username` = :username”;
$sth = $dbh->prepare($sql);
$sth->execute(array(‘:username’=> $clean[‘username’]));
$username = $sth->fetchColumn();
Wednesday, September 10, 2008 13

14. XSS
(Cross Site Scripting)
Example
<?php
echo “<p> Welcome back, {$_GET[‘username’]}.</p>”;
?>
------
Let’s exploit this
------
<p> Welcome back, <script> ....do something bad here... </script>. </p>
Wednesday, September 10, 2008 14

15. XSS
(Cross Site Scripting)
If you do the two items we spoke about
Input Filtering
Output Encoding
You most likely are still vulnerable, but it’ll be a
lot harder to exploit
Almost impossible to completely nullify all
security / XSS stuff (new browsers and plugins all
the time + bad guys keep getting smarter)
Wednesday, September 10, 2008 15

16. CSRF
(Cross Site Request Forgeries)
Somewhere on MyFavoriteForum.com:
<img src=”bank.com/transfermoney.php?
to=me&amount=100.00”>
...if users are logged in, invisible actions can
be taken on their behalf, with their
authority.
Wednesday, September 10, 2008 16

17. CSRF
(Cross Site Request Forgeries)
Solutions
Sign your forms with a token (MD5 hash
with a secret key)
Validate the token before processing the
data
This can be done with Cookie and Session
data as well
Wednesday, September 10, 2008 17

18. Protecting Source Code
Make sure all code file extensions are
blocked from viewing
You can remove them from the html root
Or block them in the apache config
<FilesMatch “.inc$”>
order deny, allow
deny from all
</FilesMatch>
Wednesday, September 10, 2008 18

19. Protecting Source Code
Watch for editor backup files too!
.file.php.tmp
file.php~
etc...
Or don’t edit code on production boxes.
Wednesday, September 10, 2008 19

20. Code Auditing
Set a standard for your team (and yes a
team can be a single person)
Input Filtering Methods
Output Encoding Methods
Database Access Methods
Search code security points (echo, print...)
Enforce these methods
Wednesday, September 10, 2008 20

21. Code Auditing
Default to Secure.
Make being unsecure obvious and auditable
YAHOO_GET_RAW( “blah” )
Wednesday, September 10, 2008 21

22. System Security
Your website is only as secure as the
server/network is it hosted on
Perform regular package updates
Make sure you apply any updated PHP or
Apache code as soon as you can, there are
reasons for security releases
Wednesday, September 10, 2008 22

23. Firewalls & Access
Control
Only allow access to ports that you need to
80 - Web
443 - SSL
22 - SSH
Wednesday, September 10, 2008 23

24. Misc...
Signed Data (MD5)
Encrypted passwords in the DB
Config Files outside DOCROOT
Secret keys outside code, in config files
If it’s customer data USE SSL
Wednesday, September 10, 2008 24

25. Q&A
Wednesday, September 10, 2008 25