securing your web apps now
DESCRIPTION
The importance of security in 2013, with more websites getting hacked daily and penetration testers being one of the most the requested IT jobs. Develops need to be sure how secure their applications against threads like SQL injection, cross site scripting, weak passwords, brute force or dictionary attacks.TRANSCRIPT
SECURING YOUR WEB APPS NOWTIPS TO MAKE YOUR SITE LESS HACKABLE
WHO?• Stephan Steynfaardt
• Solutions Architect & Tech Lead
• CISSP certified
• White hat penetration testing
• @ssteynfaardt
WHAT?• Validation
• SQL injection
• OS injection
• Code injection
• File upload
• Information leakage
• Broken Authentication & Session Management
• XSS
WHY?
IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER
IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.
I don’t even trust the panda
ANY 4 YEAR OLD WITH AN INTERNET CONNECTION
Nothing to do with SSL
WEB APPLICATIONS TESTED BY OWASP
WORLD’S BIGGEST DATA BREACHES
2013
HOW?• More than one security layer
HOW?• More than one security layer• Validate• Escape• Bind SQL• Least privileges• Generic error exceptions
messages• Don't display error messages
VALIDATION
VALIDATION• Client side validation is useless
• Whitelisting acceptance criteria
• Typecast your variables
• Never trust any data
• Respect\Validation
Top 10 OWASP list
SQL INJECTION
SQL INJECTION• Don't use quotes – You only need to
miss one
• Always bind your parameter
BIND PARAMETER
$sql = "SELECT * FROM users WHERE name=:name and age=:age";
$stmt = $db->prepare($sql);
$stmt->execute(array(":name" => $name, ":age" => $age));
SQL INJECTION• Don't use quotes – You only need to
miss one
• Always bind your parameter
• Only allow SQL privileges required
• SQL MAP
Cracking password hashes
SQL MAP
CODE INJECTION
CODE INJECTION• Eval() === Evil
$var = 1;
$newvalue = isset($_GET['id']) ? $_GET['id'] : 0;
eval('$var = ' . $newvalue . ';');
echo $var;
• PHP manual warns you against using eval()
CODE INJECTION• Don’t use preg_replace() with /e
• PHP 5.5 deprecated /e
• Dynamic function injection, don’t call it from the URL
• local.php?file=some_file.log
OS INJECTION
OS INJECTION• Statements executed directly on the OS
• Don’t use system()
• system('nslookup ' . $_POST['host']);
• 'google.com; rm -RF /var/www’
• Download any script with wget
• Validate file_get_contents()
bring your own exploit
FILE UPLOADS
Actually any PHP n00bs
WORDPRESS N00BS
FILE UPLOADS• Upload files outside of the webroot
• Check the mime-type
• file -i logo.pnglogo.png: image/png; charset=binary
• file –i evil_file.png evil_file.png: text/plain; charset=us-ascii
• Rename file
• Move to desired location
INFORMATION LEAKAGE
INFORMATION LEAKAGE• Phpinfo()
• php.ini dispay_error = Off
• php.ini dispay_startup_error = Off
• php.ini error_reporting = E_ALL & ~E_DEPRICATED
• php.ini html_errors = Off
• php.ini log_error = On Always log your errors to a file
OVER SPECIFIC FEEDBACK
OVER SPECIFIC FEEDBACK• Login forms messages
• Forgotten debug statements
• Server headers
• php.ini, expose_php = Off
• httpd.conf, Server Tokens Full | OS | Minor |Major | prod
• modSecurity
SENSITIVE DATA EXPOSURE
All your data are belong to us- NSA
SENSITIVE DATA EXPOSURE• OWASP, top 10 2013, simply not encrypting data
• Only store the data you need
• MD5, SHA1 is not for passwords
• Passwords are easy to guess
• Bcrypt is for passwordsircmaxwell/password-compat zendframework/zend-crypt
• PHP 5.5password_hash()
• cost, more rounds = better security but more time/performance penalty
SENSITIVE DATA EXPOSURE• Directories should be 750 or 755
• Files should be 644 or 640
• Locate directories that are 777 on your server:$ sudo find /var/www/ -type d -perm -002
• Locate files that are 777 on your server:$ sudo find /var/www/ -type f -perm -002
• User should own the web directory
• Group should be the apache user
BROKEN AUTHENTICATION & SESSION MANAGEMENT
BROKEN AUTHENTICATION & SESSION MANAGEMENT
• #2 on OWASP top 10 2013
• Allows attackers to impersonate other user currently logged in.
• Don’t display the sessionID in the URL
• Hidden fields – isAdmin
• Remove the session cookie when done
• Regenerate sessionID's after login
BROKEN AUTHENTICATION & SESSION MANAGEMENT
• session_destoy()session_unet()
• Remember me functions
• chrome://settings/passwords
Cross Site Scripting
XSS
XSS• 65% of websites are venerable to XSS
• 2 types of XXSstoredreflected
• Steal sessionID from cookies
• Escape all form input – htmlspecialhars()
• ezyang/htmlpurifier, escape_html
• cookies HTML Only
• document.write hidden iframe
GOING FORWARD
GOING FORWARD• 57% organizations provided some software security
training
• 40% fewer vulnerabilities
• Resolved issues 59% faster
• owasp.org
• https://security.sensiolabs.org/
GOING FORWARD• 19 Extensions to Turn Google Chrome into Penetration
Testing toolhttp://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/
• PHP security manualhttp://php.net/manual/en/security.php
• Code reviews
• Try it yourself