Introduction To Web Application Security in PHP

Security is Big And Often DifficultPHP doesn’t make it any easier

What we’ll cover• What do we mean by security?• Application Security

• Code• Configuration

• OWASP• OWASP Top Ten

• SQL Injection• XSS• Configuration

Application SecuritySecurity in the SDLC as opposed to network security or data security or physical security

Security in Code and in Deployment

For our purposes we’ll just stick to this:

OWASPAn authority in Web Application Security

Open Web Application Security Project

• Really, many projects are “under” OWASP• OWASP Top Ten• ESAPI• Development Guide• Cheat Sheets• Do not bring to exam

• Testing Guide• More

OWASP Top Ten – Top Web Application Security Issues

Based on the statistics of a number of scanning tools

OWASP Top 10-2013 – A1 InjectionSQL Injection is the variant of this that we’ll cover here

SQL InjectionConfusing the DBMS between logic (written by the developer) and data (provided by the user)

A common query:

$query = "SELECT * FROM user WHERE username = '" . $_POST["username"] . "' AND password = '" . $_POST["password"] . "';";

The intention

$query = "SELECT * FROM user WHERE username = 'sue' AND password = 'secret';";

What if $_POST[“username”] is actually SQL Code

The vulnerability:

' OR 1 = 1 #Let’s try this:

An SQL Injection

$query = "SELECT * FROM user WHERE username = '' OR 1 = 1 #' AND password = '';”;

How to protect our code?Use Prepared Statements (available in all modern languages)

Prepared Statements

$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");$stmt->execute(array($_POST["username"], $_POST["password"]));

The Intention

$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");$stmt->execute(array("sue", ”secret"));

The Exploit Foiled

$stmt = $dbh->prepare("SELECT * FROM user WHERE username = ? and password = ?");$stmt->execute(array("' OR 1 = 1 #", ""));// the logic is clearly separated // in our code and in transmission// to our database

Hence Why We Learned PDO

OWASP Top 10-2013 – A3 XSS

Cross Site Scripting

Three Variants of XSS1.Reflected XSS2.Stored XSS3.DOM based XSS

Cross Site ScriptingConfusing the browser between the application’s HTML (structure) and Data.

Commonly Used Display Code

<div><?php print $_GET["username"] ?></div>

The Intended Result<div>sue</div>

What if $_GET[“username”] is actually HTML and JavaScript?

The vulnerability:

<script>alert("Hello World")</script>

Let’s try this:

Display Code With Injection

<div><?php print "<script>alert('hello world’)</script>" ?></div>

Display Code With Injection

<div><script>alert('hello world')</script></div>

Reflected XSSThe vulnerability is exploited only in response to a specific request.Example

http://vulnerable.example.org/index.php?data=%3Cscript%3Ealert(%22hello%20world%22)%3Cscript%3E

Stored XSSSubmit request with XSS payload (ex. a blog comment with XSS in the body)

Web app stores the comment in Database (with unencoded XSS Code)

Victim views the stored data (ex. view a blog post which shows comments)

XSS Code is executed by the victim’s browser.

DOM Based XSS • Also known as Type 0 XSS• Out of the scope of this course• Basically, tricking JavaScript to write

out code

Protecting from XSSEncode user inputs

htmlentites()

$foo = “<script>”;$foo = htmlentities($foo, ENT_QUOTES | ENT_HTML5);print $foo; # &lt;script&gt;

html_entity_decode()

foo = "&lt;script&gt;";$foo = html_entity_decode($foo, ENT_QUOTES | ENT_HTML5);print $foo; # "<script>”

When to encode?• Before reflecting• Before displaying information you just

received• Choose either before you persist or

after then be consistent.• Better yet do both but watch out for

double encoding

ConfigurationYour app is not secure if it’s running on a vulnerable server or otherwise deployed insecurely.

This is a topic in itself• Sources to look at:• http://php.net/manual/en/security.php• http://www.phptherightway.com/• Google et al.

Simple Good Things To Do

Use PHP as Module not CGI

Patch!Your software is only as secure as your latest security patch

Hide your fingerprints• http://www.php.net/manual/en/securi

ty.hiding.php• http://httpd.apache.org/docs/current/

mod/core.html#servertokens

Disable dangerous functions (eval())