secure coding embedded

Upload: mohammed-irfan

Post on 06-Apr-2018


  • 8/3/2019 Secure Coding Embedded

    1/32

    Mohammed Irfan

  • 2/32

    Security is a measurement, not a characteristic.

    It is a growing problem that requires a continually evolving solution. (An application can be called secure only if it survives even future attacks.)

    Security should be an essential part of application design, not an afterthought.

  • 3/32

    Lack of security in an application can lead to:

    Loss of important data, money, time, etc.

    Damage to reputation and trust

    In extreme cases, lawsuits

  • 4/32

    Input Validation

    SQL Injection

    Code Injection

    XSS (Cross Site Scripting)

    CSRF (Cross Site Request Forgery)

    Session Security

  • 5/32

    Common development trends

    Lack of proper input validation

    Relying on client-side validation only

    Problems

    Code injection

    SQL injection

    Command injection

    Solution

    Always validate inputs using built-in PHP functions (is_int(), is_float(), is_bool(), is_finite(), intval(), floatval(), doubleval(), strlen(), strpos(), ctype_alpha(), ctype_alnum(), etc.)

  • 6/32

    One of the most common security problems

    SQL queries are injected as input

    Also similar to input validation

    Possible problems can be:

    Data removal

    Modification of existing values

    Unwanted access grant

    Arbitrary data injection

    All of the above combined

    http://www.youtube.com/watch?v=h2GEwiA-FEU

    http://www.youtube.com/watch?v=AFeJ0cfeLpk

  • 7/32

    /* articles.php */
    // Deliberately vulnerable: the request parameter is interpolated into the query unchanged
    $id = $_GET['id'];
    $sql = "select * from articles where id = '$id'";
    $result = mysql_query($sql);

    Now when we have a call like:

    http://www.example.com/articles.php?id=1

    it is perfectly valid and we can expect the article with id 1 to be fetched from the database.

  • 8/32

    What if the URL is:

    http://www.example.com/articles.php?id=1; delete from articles;

    The query becomes

    "select * from articles where id = '1'; delete from articles"

    (deleting every row of the articles table)

  • 9/32

    Escaping inputs using addslashes() or the built-in PHP mechanism magic_quotes_gpc (not recommended)

    Using dedicated escaping functions provided by the database interface:

    MySQL: mysql_escape_string(), mysql_real_escape_string()

    PostgreSQL: pg_escape_string(), pg_escape_bytea()

    SQLite: sqlite_escape_string()

  • 10/32

  • 11/32

    So our example will look like this now:

    $id = mysql_real_escape_string($_GET['id']);
    $sql = "select * from articles where id = '$id'";
    $result = mysql_query($sql);

    But sometimes even escaping can fail!

    $id = "0; delete from articles";
    $id = mysql_real_escape_string($id);
    // still "0; delete from articles": there are no quotes or backslashes to escape,
    // and the value is not quoted in the query below, so escaping cannot protect it
    mysql_query("SELECT * FROM articles WHERE id={$id}");

    To solve such a problem, use explicit casting:

    $id = (int)$id; // yields 0; the trailing SQL text is discarded

  • 12/32

    Database-specific escaping is not available for all databases (MSSQL, Oracle, etc.)

    Prepared Statements: another approach

    Prepared queries are query templates: the structure of the query is pre-defined and fixed, with placeholders that stand in for real data. The placeholders are typically type-specific, e.g., int for integer data and text for strings, which allows the database to interpret the data strictly.

    We can use PDO (PHP Data Objects) or PHP's mysqli extension for prepared statements.
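The articles.php example from slides 7 and 11 rewritten with a PDO prepared statement, as an added example that is not part of the original slides. It assumes a MySQL table `articles` with an integer primary key `id` and a `title` column; the DSN, credentials and function names are placeholders of my own.

```php
<?php
// Added example (not from the original slides): articles.php rewritten
// with a PDO prepared statement. Assumes a MySQL table `articles` with
// an integer primary key `id`; DSN and credentials are placeholders.

function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares, so the driver never falls back to
        // client-side string interpolation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function fetchArticle(PDO $db, string $rawId): ?array
{
    // Validate before binding: anything that is not a plain integer,
    // e.g. "1; delete from articles", is rejected outright.
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    // The query structure is fixed at prepare time; the placeholder
    // receives a typed value and can never carry additional SQL.
    $stmt = $db->prepare('SELECT * FROM articles WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: the same URL as on slide 7, http://www.example.com/articles.php?id=1
$db = connect('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'CHANGE_ME');
$article = fetchArticle($db, $_GET['id'] ?? '');
if ($article === null) {
    http_response_code(404);
    exit('Article not found');
}
// Output encoding so a stored article title cannot turn into XSS (see slide 19).
echo htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8');
```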

  • 13/32

  • 14/32

    Code injection occurs when we use parameters from the web as direct parameters for our code execution.

    This is especially important for includes:

    // Deliberately vulnerable: the include path comes straight from the request
    $module = $_REQUEST['module'];
    include("lib/$module");

    This is OK: http://example.com/cms?module=login.php

    But what if I do this? http://example.com/cms?module=../passwords.ini

  • 15/32

    Make sure the value is the one you expected. Otherwise show an error message.

    // Allow-list: only known module names are ever used in the include path
    $requestedModule = $_REQUEST['module'];
    switch ($requestedModule) {
        case "login":
            $module = "login";
            break;
        case "logout":
            $module = "logout";
            break;
        default:
            $module = "error";
    }

  • 16/32

    Cross-Site Scripting (XSS) is a situation where an attacker injects JavaScript code, which is then displayed on the page without further validation. It can lead to:

    Embarrassment

    Session take-over

    Password theft

    User tracking by 3rd parties

    Common XSS examples: user-submitted content sites such as blogs, forums, wikis, etc.; user comments on different sites.

    http://www.youtube.com/watch?v=ptf9ujBZ8GE

  • 17/32

  • 18/32

    The user (attacker) enters the following JavaScript code in a form field:

    document.location = "http://www.mysite.com/"

    As the input data is not filtered, when the page loads the user will be redirected to mysite.com. (Totally unexpected?)

  • 19/32

    Prevention of XSS is as simple as filtering input data using one of the following:

    htmlspecialchars()
    Encodes ', ", <, >, & etc.

    htmlentities()
    Converts anything for which there is an HTML entity.

    strip_tags()
    Strips anything that resembles an HTML tag.

    Allowing tags in strip_tags() can be dangerous, as tag attributes are not stripped, e.g.:

    This is vulnerable!
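The three functions from this slide applied to the redirect payload from slide 18, as an added example that is not part of the original slides. The comment string is a constructed sample and the function names are my own; it also shows the attribute case the slide warns about.

```php
<?php
// Added example (not from the original slides): the redirect payload from
// slide 18 inside a user comment, passed through the functions named
// above. The comment string is a constructed sample; function names are mine.

$comment = '<script>document.location = "http://www.mysite.com/"</script> '
         . 'see <b title="kept">my pictures</b>';

// htmlspecialchars(): <, >, &, " and (with ENT_QUOTES) ' become entities, so
// the browser renders the text instead of executing it. Always pass the
// charset; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function renderEscaped(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlentities(): same idea, but converts every character that has a named
// entity, not only the HTML-significant ones.
function renderEntities(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// strip_tags() with no allow-list drops the <script> element but leaves the
// JavaScript text behind as harmless plain text.
function renderStripped(string $untrusted): string
{
    return strip_tags($untrusted);
}

// strip_tags() with an allow-list keeps allowed tags together with all
// their attributes (the title attribute survives here), which is the
// weakness this slide warns about: strip_tags() is not an HTML sanitiser.
function renderWithAllowedTags(string $untrusted): string
{
    return strip_tags($untrusted, '<b>');
}

// Escaping is context-dependent: a value placed in an attribute still needs
// htmlspecialchars() with ENT_QUOTES, and the attribute itself must be quoted.
function renderAsAttribute(string $untrusted): string
{
    return '<input name="comment" value="' . renderEscaped($untrusted) . '">';
}

foreach (['renderEscaped', 'renderEntities', 'renderStripped',
          'renderWithAllowedTags', 'renderAsAttribute'] as $fn) {
    echo $fn, ': ', $fn($comment), "\n";
}
```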

  • 20/32

    Much less widely understood than XSS...

    ... but almost certainly more common.

    Cross-site request forgery attacks allow attackers to force your users to take actions on your site that they didn't mean to take.

    Not just GET; hidden forms allow POST as well.

    http://www.youtube.com/watch?v=uycmHQM_h64

  • 21/32

    UserA is a member of bank.com. He sends money to UserB and finds that the following URL is used:

    http://bank.com/transfer.do?acct=UserB&amount=100

    Now UserA constructs a URL like the one above to victimize UserC (who is also a user of bank.com):

    http://bank.com/transfer.do?acct=UserA&amount=100000

    Now UserA sends an email to UserC with a forged request, a link reading:

    View my Pictures!

  • 22/32

    Now if UserC clicks the link, he is actually initiating the request, as he is already authenticated in the system.

    But wait: when UserC clicks the link, he will definitely notice that a payment has been made. So in order to trick UserC without any notice, UserA does this (zero-byte image).

    So without any problem, UserA has got funds from UserC.

  • 23/32

    document.forms.csrf.submit();

  • 24/32

    Distinguish each and every request generated from your server.

    Distinguish requests generated from your site from those generated from other sites.

    Do not rely on HTTP Referer checking, as it is not fully reliable.

    Include a form token on every form that you display. The form token must be unique and ensure that the request came from your site.

    Yahoo! uses a similar approach and calls it a Crumb.

  • 25/32

  • 26/32

    The token should be unique per user (or one user can use their crumb to attack another).

    Hence it should be tied to the user's session or login cookie.

    It should be changed over time (even for the same form requested multiple times).

    Ajax requests must be from the same domain.

    Limit the lifetime of authentication cookies.
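A form token ("crumb") with the properties from slides 24 and 26, applied to the transfer form from slide 21, as an added example that is not part of the original slides. It assumes PHP's native session handling; the function and field names are my own.

```php
<?php
// Added example (not from the original slides): a per-session form token
// ("crumb") with the properties listed on this slide. Uses PHP's native
// sessions; function and field names are my own.
session_start();

// Issue a fresh token, stored server-side under the form name. It is bound
// to this session (so one user's token is useless to another) and replaced
// every time the form is rendered.
function issueFormToken(string $formName): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['csrf'][$formName] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Validate and consume the submitted token; fails closed on a missing,
// expired, mismatched or already-used token.
function consumeFormToken(string $formName, ?string $submitted, int $ttl = 900): bool
{
    $stored = $_SESSION['csrf'][$formName] ?? null;
    unset($_SESSION['csrf'][$formName]);         // single use, even on failure
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > $ttl) {
        return false;
    }
    // Constant-time comparison: no byte-by-byte timing leak of the token.
    return hash_equals($stored['value'], $submitted);
}

// Rendering the transfer form from the slides with the token embedded.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $token = htmlspecialchars(issueFormToken('transfer'), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="transfer.do">',
         '<input type="hidden" name="csrf_token" value="', $token, '">',
         '<input name="acct"> <input name="amount"> <button>Send</button>',
         '</form>';
}

// Handling the submission: a forged request from another site cannot
// obtain the session-bound token, so it is rejected before money moves.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeFormToken('transfer', $_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    // ... perform the transfer for the logged-in user here ...
}
```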

  • 27/32

    Sessions are a common tool for tracking a user across an application.

    For the duration of a visit, the session is effectively the user's identity.

    If an active session can be obtained by a 3rd party, it can assume the identity of the user whose session was compromised.

    During standard HTTP transactions, all request and response information is transmitted as plain text. Anyone capable of intercepting these messages can steal the user's session.

  • 28/32

    To prevent session ID theft, the ID should be altered on every request, invalidating old values.

    Because the session changes on every request, the back button in a browser will no longer work, as it will make a request with the old session ID.

  • 29/32

    Use HTTPS to pass secure information.

    Stop the session ID being passed via the URL.

    Set session.use_only_cookies so that session fixation is hard to carry out.

    Another session security technique is to compare the browser signature headers.
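The session hardening from slides 28 and 29 in one PHP bootstrap file, as an added example that is not part of the original slides. It uses only PHP's own session settings and functions; the helper names are my own.

```php
<?php
// Added example (not from the original slides): PHP session settings
// implementing the advice on slides 28 and 29: cookie-only session IDs,
// HTTPS-only cookies, a browser-signature check and ID rotation.
// Helper names are my own.

// Never accept or emit the session ID in a URL; refuse IDs the server
// did not generate (blocks session fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
// Cookie only over HTTPS, not readable from JavaScript, not sent on
// cross-site POSTs, and expiring with the browser session.
session_set_cookie_params([
    'lifetime' => 0, 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

// Coarse client fingerprint from the "browser signature" headers; hashed
// so the raw headers are not kept in the session.
function browserSignature(): string
{
    return hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|'
                        . ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

// Bind the session to the signature on first use, then verify it: a
// stolen ID presented from a different browser no longer matches.
function enforceBrowserSignature(): bool
{
    $sig = browserSignature();
    if (!isset($_SESSION['sig'])) {
        $_SESSION['sig'] = $sig;
        return true;
    }
    return hash_equals($_SESSION['sig'], $sig);
}

if (!enforceBrowserSignature()) {
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session does not match this browser');
}

// Rotate the ID on every request (slide 28). true deletes the old session
// data so the previous ID cannot be replayed; this is what breaks the back
// button, so many sites rotate only at login or privilege change instead.
session_regenerate_id(true);
```

Browser signature headers change when a browser updates, so treat a mismatch as a forced re-login rather than as proof of theft.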

  • 30/32

    There are more security issues out there.

    Always try to be proactive on security measures rather than reactive.

    Keep updated with the latest security flaws and fixes.

    Always try to avoid common pitfalls.

  • 31/32

    http://www.modsecurity.org/ (mod_security Apache module)

    http://www.hardened-php.net/ (PHP security patches)

    http://www.xssoops.com/ (security scanner)

    http://www.cgisecurity.com/

    http://www.owasp.org/

    http://phpsec.org/

  • 32/32

    Q & A?