
Page 1: Web application security

Web application security

It's a very important topic that is gaining more attention from both the developers who create web applications and the attackers who try to exploit them.

Page 2: Web application security

Before moving ahead ...

PHP gives you many tools to protect data with robust encryption, but encryption is just one part of a large and often complex security picture. Encrypted data can be unlocked with a key, so protecting that key is very important. If your encryption keys are accessible to unauthorized users (for example because they are stored in a file accessible via your web server, or in a file readable by other users in a shared hosting environment), your data is at risk no matter how secure your chosen encryption algorithm is.

Sensitive data needs to be protected not only on the server, but also while it is travelling over the network between the server and your users. Data sent over plain HTTP is visible to anyone with access to the network at any point between your server and a user.

Page 3: Web application security

Main problems ???

Cross-site scripting (XSS)

SQL injection vulnerabilities

Cross-site request forgery (CSRF)

Other common software settings

Page 4: Web application security

Common software settings

Disable remote URLs for file handling functions (allow_url_fopen = Off)

Disable register_globals

Restrict what PHP can read and write (open_basedir = /var/www/html/shiksha)

Impose limits (limit PHP's execution time, memory usage, POST and upload data)

Disable error messages and enable logging (display_errors = Off, log_errors = On)

Page 5: Web application security

Common software settings

Hide the presence of PHP (expose_php = Off)

Limit certain file name patterns accessible by public users (like .inc files)

Upload file content MIME type check

<?php
// Verify whether the uploaded file is a PDF by asking file(1) for its MIME type.
$mime = "application/pdf; charset=binary";

// escapeshellarg() quotes the temporary path before it reaches the shell.
exec("file -bi " . escapeshellarg($_FILES["myFile"]["tmp_name"]), $out);

if ($out[0] !== $mime) {
    // file is not a PDF !!!!
    exit("Only PDF uploads are accepted.");
}
?>

Page 6: Web application security

Common software settings

Access to ClamAV (command line to verify an uploaded image)

<?php
// clamscan exits with 0 when the file is clean, 1 when it is infected and 2 on error.
exec("clamscan --stdout " . escapeshellarg($_FILES["myFile"]["tmp_name"]), $out, $return);

if ($return) {
    // file is infected (or the scan failed): do not keep it
    exit("Upload rejected.");
}
?>

Specify an appropriate value for the upload_max_filesize, post_max_size, and max_file_uploads directives in php.ini. The upload_max_filesize directive specifies the maximum size a single file upload can be. In addition to the size of the upload, we can limit the size of the entire POST request with the post_max_size directive. max_file_uploads is a newer directive (added in version 5.2.12) which limits the number of file uploads per request.
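The checks from these two slides (PHP's own upload status, size, content-sniffed MIME type, ClamAV scan) combined into one validation function, as an added example that is not code from the slides; it assumes the form field "myFile", the fileinfo extension, clamscan on PATH, and a made-up destination directory.

```php
<?php
// Added example (not from the slides): validate one uploaded file before it is
// moved out of PHP's temporary directory. Assumes the form field "myFile", the
// fileinfo extension and clamscan on PATH; the destination directory is made up.

function validate_upload(array $file, array $allowed_mimes, int $max_bytes): ?string
{
    // Anything PHP itself already flagged (size limits, partial upload) is out.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . $file['error'];
    }
    // Only trust paths that really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Application-level size limit on top of php.ini's upload_max_filesize.
    if (filesize($file['tmp_name']) > $max_bytes) {
        return 'file too large';
    }
    // Sniff the MIME type from the content, never from the client-supplied
    // $file['type'] header, which the browser can set to anything.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowed_mimes, true)) {
        return "unexpected content type $mime";
    }
    // ClamAV scan; the path is shell-quoted before it reaches exec().
    exec('clamscan --no-summary --stdout ' . escapeshellarg($file['tmp_name']), $out, $rc);
    if ($rc !== 0) {            // 1 = infected, 2 = scanner error: reject both
        return 'rejected by virus scan (exit code ' . $rc . ')';
    }
    return null;                // null means every check passed
}

if (isset($_FILES['myFile'])) {
    $problem = validate_upload($_FILES['myFile'], ['application/pdf'], 5 * 1024 * 1024);
    if ($problem !== null) {
        // PHP deletes the temporary file at the end of the request by itself.
        http_response_code(400);
        exit('Upload rejected: ' . htmlspecialchars($problem, ENT_QUOTES, 'UTF-8'));
    }
    // Store under a server-chosen name so the client cannot pick the extension.
    $dest = '/var/www/uploads/' . bin2hex(random_bytes(16)) . '.pdf';
    move_uploaded_file($_FILES['myFile']['tmp_name'], $dest);
}
```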

Page 7: Web application security

Common software settings

Disable directory indexing and hide .svn folders

Page 8: Web application security

Forms based Website Authentication

how to log in

how to remain logged in

how to store passwords

using secret questions

forgotten password functionality

OpenID

"Remember me" checkbox

Browser autocompletion of usernames and passwords

secret URLs (public URLs protected by a digest)

checking password strength

email validation

Page 9: Web application security

But ...

Hashing the password is effective against password disclosure, but not against replay attacks, man-in-the-middle attacks / hijackings, or brute-force attacks (since we are handing the attacker the username, the salt and the hashed password).

After sending the authentication tokens, the system needs a way to remember that you have been authenticated. This fact should only ever be stored server side, in the session data. A cookie can be used to reference the session data. Wherever possible, the cookie should have the Secure and HttpOnly flags set when sent to the browser. The HttpOnly flag provides some protection against the cookie being read by an XSS attack. The Secure flag ensures that the cookie is only sent back via HTTPS, and therefore protects against network sniffing attacks. The value of the cookie should not be predictable. Where a cookie referencing a non-existent session is presented, its value should be replaced immediately to prevent session fixation.
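The session handling this slide describes (authenticated state kept only server side, a Secure and HttpOnly cookie, unknown session ids replaced), as an added example that is not code from the slides; it needs PHP 7.3+ for the array form of session_set_cookie_params() and uses the example.org domain from a later slide.

```php
<?php
// Added example (not from the slides): a session whose cookie carries the Secure
// and HttpOnly flags, and which never keeps a session id the server did not
// issue itself. Needs PHP 7.3+ for the array form of session_set_cookie_params().

function start_hardened_session(string $cookie_domain): void
{
    // Accept the id only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse client-supplied ids PHP has never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'domain'   => $cookie_domain,
        'secure'   => true,     // only ever sent back over HTTPS
        'httponly' => true,     // not readable through document.cookie
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);
    session_start();
}

function login_user(int $user_id): void
{
    // Switch to a fresh id when privileges change so a pre-login id is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user_id;
    $_SESSION['login_at'] = time();
}

function current_user_id(): ?int
{
    // "Authenticated" is recorded only here, server side; the cookie just references it.
    return $_SESSION['user_id'] ?? null;
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

start_hardened_session('example.org');
```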

Page 10: Web application security

And ...

CAPTCHA

CAPTCHAs are annoying and they can be broken (except reCAPTCHA!). All of them are ineffective against cheap third-world labor (according to OWASP, the current sweatshop rate is $1 per 1000 tests), and some implementations are technically illegal in some countries. If you must use a CAPTCHA, use reCAPTCHA, since it is OCR-hard by definition (it uses book scans that OCR has already misclassified).

Page 11: Web application security

Form Spoofing ...

<?php
session_start();

// Generate an unpredictable token once per session and keep it server side,
// so buy.php has something to compare the submitted value against.
if (!isset($_SESSION['token'])) {
    $_SESSION['token'] = md5(uniqid(mt_rand(), true));
}
$token = $_SESSION['token'];
?>

<form action="buy.php" method="POST">
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
</form>

<?php
// In buy.php: the request is only trusted if the submitted token matches the session's.
session_start();

if (!isset($_SESSION['token'], $_POST['token']) ||
    $_POST['token'] !== $_SESSION['token']) {
    /* Prompt user for password. */
} else {
    /* Continue. */
}
?>

Page 12: Web application security

Avoiding Cross-Site Scripting

<?php
/* Note the character encoding. */
header('Content-Type: text/html; charset=UTF-8');

/* Initialize an array for escaped data. */
$html = array();

/* Escape the filtered data ($clean holds input that has already been validated). */
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');

echo "<p>Welcome back, {$html['username']}.</p>";
?>

Page 13: Web application security

Keeping Passwords Out of Your Site Files

Because phpinfo() displays all of the environment variables, it exposes any passwords you store there. Also, make sure not to expose the contents of $_SERVER in other ways, such as with the print_r() function.

Put the credentials in a separate file from the main configuration file:

SetEnv DB_USER "raviraj@rocking"

SetEnv DB_PASSWORD "y23a!t@ce8"

Inside the <VirtualHost> directive for the site in the main configuration file (httpd.conf), include this separate file as follows:

Include "/usr/local/apache/database-passwords"

Make sure that this separate file containing the password (e.g., /usr/local/apache/database-passwords) is not readable by any user other than the one that controls the appropriate virtual host.

Page 14: Web application security

Verifying Data with Hashes

<?php
/* Script that generates the form. */

/* Define a salt. */
define('SALT', 'flyingturtle');

$id = 1337;
$idcheck = md5(SALT . $id);
?>

<input type="hidden" name="id" value="<?php echo $id; ?>" />
<input type="hidden" name="idcheck" value="<?php echo $idcheck; ?>" />

<?php
/* Script that processes the form. */

/* Initialize an array for filtered data. */
$clean = array();

/* Define the same salt that was used when the form was generated. */
defined('SALT') or define('SALT', 'flyingturtle');

/* Compare with === : the loose == would compare numeric-looking digests as numbers. */
if (isset($_POST['id'], $_POST['idcheck']) &&
    md5(SALT . $_POST['id']) === $_POST['idcheck']) {
    $clean['id'] = $_POST['id'];
} else {
    /* Error */
}
?>
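The same hidden-field check built on a keyed MAC (hash_hmac) and a constant-time comparison (hash_equals), as an added example that is not code from the slides; FORM_SECRET is a placeholder secret and the field names follow the slide.

```php
<?php
// Added example (not from the slides): the same hidden "id" plus check value,
// built on hash_hmac() with a secret key instead of md5(SALT . $id), and
// verified with hash_equals(). FORM_SECRET is a placeholder; keep the real one
// in a file outside the web root, as the slides advise for database passwords.

const FORM_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

function sign_value(string $name, string $value): string
{
    // Bind the MAC to the field name too, so a check computed for one
    // protected field is not valid for another.
    return hash_hmac('sha256', $name . "\0" . $value, FORM_SECRET);
}

function verify_value(string $name, ?string $value, ?string $mac): ?string
{
    if ($value === null || $mac === null) {
        return null;                     // field or check value missing
    }
    // hash_equals(): constant-time, and never compares strings as numbers.
    return hash_equals(sign_value($name, $value), $mac) ? $value : null;
}

/* Generating the form: emit the value together with its check. */
$id = 1337;
$idcheck = sign_value('id', (string) $id);
echo '<input type="hidden" name="id" value="' . $id . '" />' . "\n";
echo '<input type="hidden" name="idcheck" value="' . $idcheck . '" />' . "\n";

/* Processing the form: only a value whose check verifies reaches $clean. */
$clean = array();
$verified = verify_value('id', $_POST['id'] ?? null, $_POST['idcheck'] ?? null);
if ($verified !== null) {
    $clean['id'] = (int) $verified;
} else {
    /* Error: the id was altered, or the check is missing. */
}
```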

Page 15: Web application security

SSL ...

<?php
/* $_SERVER['HTTPS'] is "on" (or "1") when the request came over SSL/TLS, and
   unset or "off" otherwise. */
if (!empty($_SERVER['HTTPS']) && 'off' !== strtolower($_SERVER['HTTPS'])) {
    // request arrived over SSL
} else {
    // plain HTTP: redirect to the HTTPS version or refuse the request
}

/* Set an SSL-only cookie named "sslonly" with value "yes" that expires at the
   end of the current browser session (expire = 0). The sixth argument, secure,
   makes the browser send it back only over HTTPS; the seventh sets HttpOnly. */
setcookie('sslonly', 'yes', 0, '/', 'example.org', true, true);
?>

Page 16: Web application security

Two way Encrypting and Decrypting Data

<?php
/* mcrypt is deprecated since PHP 7.1 and removed from core in 7.2; this is the
   slide's original approach, for the PHP versions that still ship it. */
$algorithm = MCRYPT_BLOWFISH;
$key = 'That golden key that opens the palace of eternity.';
$data = 'The chicken escapes at dawn. Send help with Mr. Blue.';
$mode = MCRYPT_MODE_CBC;

/* A fresh random IV for every message; it must be kept alongside the ciphertext. */
$iv = mcrypt_create_iv(mcrypt_get_iv_size($algorithm, $mode), MCRYPT_DEV_URANDOM);

$encrypted_data = mcrypt_encrypt($algorithm, $key, $data, $mode, $iv);

/* base64 makes the binary ciphertext safe to print or store in text fields. */
$encoded = base64_encode($encrypted_data);
echo $encoded . "\n";

$encrypted_data = base64_decode($encoded);
$decoded = mcrypt_decrypt($algorithm, $key, $encrypted_data, $mode, $iv);

/* mcrypt pads the plaintext with NUL bytes up to the block size; strip them. */
echo rtrim($decoded, "\0") . "\n";
?>

Page 17: Web application security

Two way Encrypting and Decrypting Data ...

The mcrypt extension is an interface to mcrypt, a library that implements many different encryption algorithms. The data is encrypted and decrypted by mcrypt_encrypt() and mcrypt_decrypt(), respectively. They each take five arguments. The first is the algorithm to use; to find which algorithms mcrypt supports on your system, call mcrypt_list_algorithms(). The second argument is the encryption key, and the third is the data to encrypt or decrypt. The fourth argument is the mode for the encryption or decryption (a list of supported modes is returned by mcrypt_list_modes()). The fifth argument is an initialization vector (IV), used by some modes as part of the encryption or decryption process.
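The same encrypt/decrypt round trip on current PHP, as an added example that is not code from the slides: it swaps the removed mcrypt extension for openssl_encrypt() with AES-256-CBC and adds an HMAC over IV and ciphertext so tampering is caught before decryption; deriving both keys from the slide's passphrase with hash_hkdf() (PHP 7.1.2+) is an assumption made for illustration.

```php
<?php
// Added example (not from the slides): the slide's round trip redone with the
// openssl extension, which replaces the removed mcrypt, plus an HMAC so any
// tampering with the ciphertext is detected before decryption. Deriving keys
// from the passphrase with hash_hkdf() is for illustration only.

const CIPHER = 'aes-256-cbc';

function derive_keys(string $passphrase): array
{
    // Two independent 32-byte keys: one for encryption, one for the MAC.
    return [hash_hkdf('sha256', $passphrase, 32, 'encryption'),
            hash_hkdf('sha256', $passphrase, 32, 'authentication')];
}

function encrypt_message(string $plaintext, string $passphrase): string
{
    [$enc_key, $mac_key] = derive_keys($passphrase);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));   // fresh IV per message
    $ct = openssl_encrypt($plaintext, CIPHER, $enc_key, OPENSSL_RAW_DATA, $iv);
    // Encrypt-then-MAC over IV and ciphertext; ship all three as one base64 blob.
    $tag = hash_hmac('sha256', $iv . $ct, $mac_key, true);
    return base64_encode($iv . $ct . $tag);
}

function decrypt_message(string $encoded, string $passphrase): ?string
{
    [$enc_key, $mac_key] = derive_keys($passphrase);
    $raw    = base64_decode($encoded, true);
    $iv_len = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $iv_len + 32) {
        return null;                                   // malformed blob
    }
    $iv  = substr($raw, 0, $iv_len);
    $tag = substr($raw, -32);
    $ct  = substr($raw, $iv_len, -32);
    // Check the MAC in constant time before the ciphertext reaches the cipher.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $mac_key, true), $tag)) {
        return null;                                   // tampered or wrong key
    }
    $pt = openssl_decrypt($ct, CIPHER, $enc_key, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

$key  = 'That golden key that opens the palace of eternity.';
$data = 'The chicken escapes at dawn. Send help with Mr. Blue.';
$blob = encrypt_message($data, $key);
echo $blob . "\n";
echo decrypt_message($blob, $key) . "\n";
```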

Page 18: Web application security

Think again !!!

Security is a stunningly thought-provoking question while writing code: how much security do you need, and at which level?

Be aware of network-level attacks (targeted email to individuals in your organisation, containing either malware attachments or links to sites which install malware)

Keyboard key loggers

Do your best .... :-)

Use multi-factor authentication (with some kind of pseudo-random number gadget)

Sanitise all your input

Use SSL

Page 19: Web application security

Thanks

Ask Anything ...

[email protected]

Reading List

http://www.owasp.org/index.php/Guide_to_Authentication

http://www.cs.umass.edu/~kevinfu/papers/webauth_tr.pdf

http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf

http://pdos.csail.mit.edu/papers/webauth%3asec10.pdf

http://news.ycombinator.com/item?id=55660

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

http://en.wikipedia.org/wiki/Password_cracking