Security in PHP Applications: An absolute must! Is you application secure? What does securely written code look like? In this presentation we will talk about what it takes to make a PHP application be written securely. We will focus on secure coding practices and discuss vulnerabilities that must be addressed, including SQL injection, XSS, user authentication and authorization, data validation, and data integrity. There will be example code and working examples to show you what works and what doesn't. We will also discuss how to bake security into system development life cycle and how to convince management that security issues must be addressed. You will come out of this presentation ready to become the Security Hero you've always wanted to be!

1. Security in PHP Applications:
An absolute must!
Mark Niebergall

2. About Mark Niebergall
● PHP since 2005
● MS degree in MIS
● Senior Software Engineer
● UPHPU President
● SSCP, CSSLP Certified and SME for (ISC)2
● Drones, fishing, skiing, father, husband

4. Security Landscape
● Constant attacks: http://map.norsecorp.com/
● Targeting all organizations
● Script kiddies, collectives, nation states,
crackers, thieves, colleagues, insiders,
creative users, and many more

6. Notable Attacks
● IHG hotels
● Tax returns
● Card skimmers, chip-based cards
● DNC, NRSC
● San Francisco Rail
● UK NHS

7. Notable Attacks
● Target
● Home Depot
● Sony Pictures
● Anthem
● JP Morgan Chase
● MySpace
● Sony PSN
● Xbox Live

8. Tech Attacks
● Yahoo!
● IoT devices
○ KrebsOnSecurity.com
○ Dyn DDoS
● Mt. Gox
● Mozilla
● Slack
● Github

9. PHP Version

10. PHP Version
● December 2014: only 25.94% of PHP
installs were secure based on PHP version
● Check your version, upgrade to safe version
● Anthony Ferrara
http://blog.ircmaxell.com/2014/12/php-install-
statistics.html

11. No Organization is Immune

12. Security Topics Covered
● SQL injection
● Cross-site scripting (XSS)
● Cross-Site Request Forgery (CSRF)
● Authentication and authorization
● Data validation
● Data integrity

13. SQL Injection

14. SQL Injection
● SELECT * FROM users WHERE id = $id
● $id = ‘15; UPDATE users SET enabled = 1’
● $this->getDb()->select()->from(‘users’,
‘username’, [‘user_id = ?’ => $id])

15. SQL Injection
● UPDATE product
SET cost = $_GET[‘cost’]
WHERE id = $_GET[‘id’]
● cost = ‘0.01’
● id = ‘1 OR 1=1’
● $this->getDb()->update(‘product’, [‘cost’ =>
$cost], [‘id = ?’ => $id]);

16. SQL Injection
● Use prepared statements (PDO, framework)
● Consider misuses
● Validate data
● Use database features when applicable
○ Views
○ Stored Procedures
○ Functions
○ CTE

17. XSS

18. XSS
http://www.acunetix.com/blog/articles/blind-xss/

19. XSS
● Form of code injection
● Attacker injects malicious script into a site
● Malicious script is sent to different user
● Persistent vs Reflected (non-persistent)
● Server vs Client

20. XSS
● <script>window.location.href=‘http://youtube.
com’</script>
● <script src="http://badsite.com/stealData.js">

21. XSS
● Send private data to attacker
● Redirect to malicious site
● Perform malicious operation

22. XSS
● Filter inbound data
○ filter_input for content
○ data validation
● Escape view data
○ strip_tags($string, [$allowedTags])
● Remove unwanted characters http://ascii.cl/

23. CSRF

24. CSRF
https://www.incapsula.com/web-application-security/cross-site-scripting-xss-attacks.html

25. CSRF
● Attacker causes unauthorized code
execution on a web browser against a target
● Target user is unaware of attack
● Target site performs an action

26. CSRF
● Target logged in on different browser tab
● Hidden form to transfer money to a bank
account
● API to delete accounts
● Perform desired actions that only
authenticated and authorized users can

27. CSRF
● Referer
● CSRF tokens
● Double Cookie Defense
● Encrypted token pattern
● Custom headers
● CAPTCHA
● Re-authentication

28. Authentication and Authorization

29. Authentication and Authorization
● Authentication: user is who they say they are
● Authorization: user has access to resource

30. Authentication and Authorization
● $_SESSION[‘user’] vs $_COOKIE[‘user’]
● javascript:document.cookie="user=admin"
● https://yoursite.com/users.php?id=7

31. Authentication and Authorization
● Do not trust data that can be altered by user
○ GET
○ POST
○ COOKIE
○ SERVER
○ ENV

32. Authentication and Authorization
● Sessions and tokens
● Automatic logouts
● Auditing

33. Authentication and Authorization
● Never assume user has authorization
● Check values from user

34. ● Considerations for authorization
○ Can user gain access to personal or sensitive data
○ Can user change user ‘admin’ email and password
○ Can user manipulate DOM
○ Can user use SQL injection to get unauthorized data
○ Can user use XSS or CSRF
○ Can user see detailed technical errors
Authentication and Authorization

35. Data Validation

36. Data Validation
● Ensure data is clean, correct, and useful

37. Data Validation
● Data type
○ Integer
○ Float
○ String
○ Date

38. Data Validation
● Range and constraint
○ Minimum
○ Maximum
○ Length
○ Matches regular expression

39. Data Validation
● Code and cross-reference
○ Data is useful
○ Database constraints

40. Data Validation
● Structured validation
○ Data type
○ Conditional requirements
○ Data object

41. Data Integrity

42. Data Integrity
● Foreign keys to ensure relational data is
created and kept accurately
● Unique keys to prevent data duplication
● Avoid data corruption and data loss
● Normalization

43. Data Integrity
● Stability
● Performance
● Re-usability
● Maintainability
● Applies to both database and application

44. Development Life Cycle

45. Development Life Cycle
● Analyze application security needs
● Threat modeling
● Risk acceptance level
● Security considerations in requirements
● Project management and developers need
to work closely

46. Development Life Cycle
● Security testing for acceptance
● Code reviews
● Regular review of security landscape and
emerging threats
● Identify weakest points and make a plan to
strengthen those areas

47. Convince Management to Invest

48. Convince Management to Invest
● Explain benefits of investment
○ Brand value
○ Customer loyalty
○ Selling point
● Discuss applicable regulations
● Visibility into current security posture
● Plans and goals
● Get the right people involved

49. Conclusion

50. Resources
● Anthony Ferrara
http://blog.ircmaxell.com/2014/12/php-install-statistics.html
● XSS https://www.owasp.org/index.php/XSS
● CSRF https://www.owasp.org/index.php/CSRF
● Php.net
● http://www.acunetix.com/blog/articles/blind-xss/
● https://www.incapsula.com/web-application-security/cross-site-scripting-xs
s-attacks.html

51. Questions?