Dip Your Toes in the Sea of Security (PHP Cambridge)

•

0 j'aime•719 vues

James Titcumb

Technologie

James Titcumb
www.jamestitcumb.com
www.protected.co.uk
www.phphants.co.uk
www.phpsouthcoast.co.uk
@asgrim
Who is this guy?

Some simple code...
<?php
$a = (int)$_GET['a'];
$b = (int)$_GET['b'];
$result = $a + $b;
printf('The answer is %d', $result);

The Golden Rules
(my made up golden rules)

OWASP
& the OWASP Top 10
https://www.owasp.org/

Application Security
(mainly PHP applications)

Always remember…
Filter Input
Escape Output

SQL Injection (#1)
1. Use PDO / mysqli
2. Use prepared / parameterized statements

$SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘$

SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
$stmt->bind('userid', $user_id);
$stmt->execute();
✓

exec($_GET)
https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code

eval()
https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults

Cross-Site Scripting / XSS (#3)
● Escape output
<?php
$unfilteredInput = '<script type="text/javascript">...</script>';
// Unescaped - JS will run :'(
echo $unfilteredInput;
// Escaped - JS will not run :)
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

$<?php if (!$isPost) { $csrfToken = hash("sha512",mt_rand(0,mt_getrandmax())); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if ($_SESSION['csrf_token'] != $_POST['csrf_token']) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)$

curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
✘

curl + https
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");
✓

We are not security
experts!
… but we CAN write secure code

CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”

CRYPTOGRAPHY
IS
HARD
NEVER EVER “ROLL YOUR OWN”
EVER!!!

Case Study: Custom Authentication
We thought about doing this…

IPTABLES
#!/bin/bash
IPT="/sbin/iptables"
$IPT --flush
$IPT --delete-chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Inbound traffic
$IPT -A INPUT -p tcp --dport ssh -j
ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
# Outbound traffic
$IPT -A OUTPUT -p tcp --dport 80 -j
ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state

Case Study: Be Minimal
Internets
Postfix
Squid Proxy
(badly configured)
hacker
spam

Resources
● http://securingphp.com/
● https://www.owasp.org/
● http://blog.ircmaxell.com/

The Golden Rules
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything / anyone

James Titcumb
@asgrim
Thanks for watching!

Contenu connexe

En vedette

Michael Durante Western Reserve Blackwall Partners 1Q12Michael Durante

Reputation Advocate - The Value of ReviewsReputation Advocate

Инструкция по настройке сервиса Daas на базе мини пкЕлена Кузовкина

Composer Tutorial (PHP Hampshire Sept 2013)James Titcumb

программа «пять ролей менеджера компании франчайзораЕлена Виль-Вильямс

Инструкция по настройке сервиса Daas для WindowsЕлена Кузовкина

krishnamjfire

Aula nefropatias agudas e cronicas 2Ana Carolina Simoneti

Thalassemia and Stem cell transplantspa718

Rockin Online Course for All LearnersTeachGoodStuff

Floating Point Unit (FPU)Silicon Mentor

스펙 없이 대기업 들어가기Ji Hyeok Kim

unity in diversitySamkit Jhabak

SlidejJacobCastillo19

Trabajo de carlos salazarCarhumsapro

Sickle cell disease” (SCD): a project of curative treatment and informatics...Claudio Tancini

Visual resumegiuseppinanapoleone1985

166 окОльга Захарова

คำราชาศัพท์Marr Ps

En vedette (19)

Michael Durante Western Reserve Blackwall Partners 1Q12

Reputation Advocate - The Value of Reviews

Инструкция по настройке сервиса Daas на базе мини пк

Composer Tutorial (PHP Hampshire Sept 2013)

программа «пять ролей менеджера компании франчайзора

Инструкция по настройке сервиса Daas для Windows

krishna

Aula nefropatias agudas e cronicas 2

Thalassemia and Stem cell transplant

Rockin Online Course for All Learners

Floating Point Unit (FPU)

스펙 없이 대기업 들어가기

unity in diversity

Slidej

Trabajo de carlos salazar

Sickle cell disease” (SCD): a project of curative treatment and informatics...

Visual resume

166 ок

คำราชาศัพท์

Similaire à Dip Your Toes in the Sea of Security (PHP Cambridge)

Dip Your Toes in the Sea of Security (PHP MiNDS January Meetup 2016)James Titcumb

Dip Your Toes in the Sea of SecurityJames Titcumb

Dip Your Toes in the Sea of Security (PHP Berkshire Nov 2015)James Titcumb

Dip Your Toes In The Sea Of Security (PHPNW16)James Titcumb

Dip Your Toes in the Sea of Security (phpDay 2016)James Titcumb

Dip Your Toes in the Sea of Security (CoderCruise 2017)James Titcumb

Proposed PHP function: is_literal()Craig Francis

Dip Your Toes in the Sea of Security (PHP South Africa 2017)James Titcumb

Dip Your Toes in the Sea of Security (IPC Fall 2017)James Titcumb

Dip Your Toes in the Sea of Security (ConFoo YVR 2017)James Titcumb

PHPUG PresentationDamon Cortesi

Slidesvti

Ajax SecurityJoe Walker

Eight simple rules to writing secure PHP programsAleksandr Yampolskiy

My app is secure... I thinkWim Godden

Security 202 - Are you sure your site is secure?ConFoo

Application Security around OWASP Top 10Sastry Tumuluri

Php Securityguest7cf35c

Questioning the status quoIvano Pagano

Php Code Audits (PHP UK 2010)Damien Seguy

Similaire à Dip Your Toes in the Sea of Security (PHP Cambridge) (20)

Dip Your Toes in the Sea of Security (PHP MiNDS January Meetup 2016)

Dip Your Toes in the Sea of Security

Dip Your Toes in the Sea of Security (PHP Berkshire Nov 2015)

Dip Your Toes In The Sea Of Security (PHPNW16)

Dip Your Toes in the Sea of Security (phpDay 2016)

Dip Your Toes in the Sea of Security (CoderCruise 2017)

Proposed PHP function: is_literal()

Dip Your Toes in the Sea of Security (PHP South Africa 2017)

Dip Your Toes in the Sea of Security (IPC Fall 2017)

Dip Your Toes in the Sea of Security (ConFoo YVR 2017)

PHPUG Presentation

Slides

Ajax Security

Eight simple rules to writing secure PHP programs

My app is secure... I think

Security 202 - Are you sure your site is secure?

Application Security around OWASP Top 10

Php Security

Questioning the status quo

Php Code Audits (PHP UK 2010)

Plus de James Titcumb

Living the Best Life on a Legacy Project (phpday 2022).pdfJames Titcumb

Tips for Tackling a Legacy Codebase (ScotlandPHP 2021)James Titcumb

Climbing the Abstract Syntax Tree (Midwest PHP 2020)James Titcumb

Best practices for crafting high quality PHP apps (Bulgaria 2019)James Titcumb

Climbing the Abstract Syntax Tree (php[world] 2019)James Titcumb

Best practices for crafting high quality PHP apps (php[world] 2019)James Titcumb

Crafting Quality PHP Applications (PHP Joburg Oct 2019)James Titcumb

Climbing the Abstract Syntax Tree (PHP Russia 2019)James Titcumb

Best practices for crafting high quality PHP apps - PHP UK 2019James Titcumb

Climbing the Abstract Syntax Tree (ScotlandPHP 2018)James Titcumb

Best practices for crafting high quality PHP apps (ScotlandPHP 2018)James Titcumb

Kicking off with Zend Expressive and Doctrine ORM (PHP South Africa 2018)James Titcumb

Best practices for crafting high quality PHP apps (PHP South Africa 2018)James Titcumb

Climbing the Abstract Syntax Tree (PHP Developer Days Dresden 2018)James Titcumb

Climbing the Abstract Syntax Tree (Southeast PHP 2018)James Titcumb

Crafting Quality PHP Applications (PHPkonf 2018)James Titcumb

Best practices for crafting high quality PHP apps (PHP Yorkshire 2018)James Titcumb

Crafting Quality PHP Applications: an overview (PHPSW March 2018)James Titcumb

Kicking off with Zend Expressive and Doctrine ORM (PHP MiNDS March 2018)James Titcumb

Climbing the Abstract Syntax Tree (PHP UK 2018)James Titcumb

Plus de James Titcumb (20)

Living the Best Life on a Legacy Project (phpday 2022).pdf

Tips for Tackling a Legacy Codebase (ScotlandPHP 2021)

Climbing the Abstract Syntax Tree (Midwest PHP 2020)

Best practices for crafting high quality PHP apps (Bulgaria 2019)

Climbing the Abstract Syntax Tree (php[world] 2019)

Best practices for crafting high quality PHP apps (php[world] 2019)

Crafting Quality PHP Applications (PHP Joburg Oct 2019)

Climbing the Abstract Syntax Tree (PHP Russia 2019)

Best practices for crafting high quality PHP apps - PHP UK 2019

Climbing the Abstract Syntax Tree (ScotlandPHP 2018)

Best practices for crafting high quality PHP apps (ScotlandPHP 2018)

Kicking off with Zend Expressive and Doctrine ORM (PHP South Africa 2018)

Best practices for crafting high quality PHP apps (PHP South Africa 2018)

Climbing the Abstract Syntax Tree (PHP Developer Days Dresden 2018)

Climbing the Abstract Syntax Tree (Southeast PHP 2018)

Crafting Quality PHP Applications (PHPkonf 2018)

Best practices for crafting high quality PHP apps (PHP Yorkshire 2018)

Crafting Quality PHP Applications: an overview (PHPSW March 2018)

Kicking off with Zend Expressive and Doctrine ORM (PHP MiNDS March 2018)

Climbing the Abstract Syntax Tree (PHP UK 2018)

Dernier

Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro

Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited

"ML in Production",Oleksandr BaganFwdays

Story boards and shot lists for my a level piececharlottematthew16

AI as an Interface for Commercial BuildingsMemoori

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays

Search Engine Optimization SEO PDF for 2024.pdfRankYa

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos

DMCC Future of Trade Web3 - Special EditionDubai Multi Commodity Centre

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang

WordPress Websites for Engineers: Elevate Your Brandgvaughan

DevEX - reference for building teams, processes, and platformsSergiu Bodiu

SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz

Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB

DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy

Commit 2024 - Secret Management made easyAlfredo García Lavilla

Training state-of-the-art general text embeddingZilliz

Dernier (20)

Unraveling Multimodality with Large Language Models.pdf

Ensuring Technical Readiness For Copilot in Microsoft 365

"ML in Production",Oleksandr Bagan

Story boards and shot lists for my a level piece

AI as an Interface for Commercial Buildings

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Designing IA for AI - Information Architecture Conference 2024

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...

Search Engine Optimization SEO PDF for 2024.pdf

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

DMCC Future of Trade Web3 - Special Edition

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)

WordPress Websites for Engineers: Elevate Your Brand

DevEX - reference for building teams, processes, and platforms

SIP trunking in Janus @ Kamailio World 2024

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost

Developer Data Modeling Mistakes: From Postgres to NoSQL

DevoxxFR 2024 Reproducible Builds with Apache Maven

Commit 2024 - Secret Management made easy

Training state-of-the-art general text embedding

Dip Your Toes in the Sea of Security (PHP Cambridge)

1. Dip Your Toes in the Sea of Security James Titcumb PHP Cambridge 28th January 2015

2. James Titcumb www.jamestitcumb.com www.protected.co.uk www.phphants.co.uk www.phpsouthcoast.co.uk @asgrim Who is this guy?

3. Some simple code... <?php $a = (int)$_GET['a']; $b = (int)$_GET['b']; $result = $a + $b; printf('The answer is %d', $result);

4. The Golden Rules

5. The Golden Rules (my made up golden rules)

6. 1. Keep it simple

7. 2. Know the risks

8. 3. Fail securely

9. 4. Don’t reinvent the wheel

10. 5. Never trust anything

11. OWASP & the OWASP Top 10 https://www.owasp.org/

12. Application Security (mainly PHP applications)

13. Always remember… Filter Input Escape Output

14. SQL Injection (#1) http://xkcd.com/327/

15. SQL Injection (#1) 1. Use PDO / mysqli 2. Use prepared / parameterized statements

16. SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘

17. SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓

18. exec($_GET) https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code

19. eval() https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults

20. Cross-Site Scripting / XSS (#3)

21. Cross-Site Scripting / XSS (#3) ● Escape output <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

22. Cross-Site Request Forgery / CSRF (#8)

23. <?php if (!$isPost) { $csrfToken = hash("sha512",mt_rand(0,mt_getrandmax())); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if ($_SESSION['csrf_token'] != $_POST['csrf_token']) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)

24. Errors, Exceptions & Logging (#6)

25. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘

26. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓

27. WordPress

28. WordPress Urgh.

29. We are not security experts!

30. We are not security experts! … but we CAN write secure code

31. Be the threat Think Differently

32. What do you want? Think Differently

33. How do you get it? Think Differently

34. Threat Modelling D.R.E.A.D.

35. Authentication & Authorization

36. Authentication Verifying Identity

37. CRYPTOGRAPHY IS HARD

38. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”

39. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!

40. Case Study: Custom Authentication We thought about doing this…

41. Case Study: Custom Authentication We thought about doing this…

42. Case Study: Custom Authentication We thought about doing this… ✘

43. Password Hashing password_hash()

44. Authorization Verifying Access

45. Linux Server Security

46. Create an SSH Fortress

47. Firewalls

48. IPTABLES #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state

49. Mitigate Brute Force Attacks

50. Install Only What You Need

51. Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam

52. Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/

53. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone

54. If you follow all this, you get...

55. If you follow all this, you get...

56. Questions?

57. James Titcumb @asgrim Thanks for watching!