Web Application (PHP) Security

16 Feb. 2014

Ryan Dewhurst - 20th March 2012
Web Application (PHP) Security
Tuesday, 20 March 2012
Ryan Dewhurst aka @ethicalhack3r
Projects
Experience
BSc Ethical Hacking for Computer Security
Security Engineer @ RandomStorm
Hobbyist Security Researcher
Blogger @ ethicalhack3r.co.uk
Contribute to Open Source security related tools
DevBug
Aims of this talk
Briefly show how you can test your own apps.
Introduction to the OWASP Top 10 2010.
Why bother with security?
Secure code is better quality code.
Your or your employer’s reputation.
Compliance (PCI,DPA,HIPAA).
The right thing to do, users trust
you with their data.
Open Web Application Security Project (OWASP)
“The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software.”
Top 10 Risks
Testing Guide
Code Review Guide
WIKI
Security Cheat Sheets
Open Source Tools (ZAP, WebGoat....)
Local Chapter Meetings (one in Newcastle soon!)
A lot more!
https://www.owasp.org/index.php/Main_Page
OWASP TOP 10 Risks 2010

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Top_10_2010-Main
A1: Injection
SQL, XPath, LDAP, OS Commands...
mysql_query('SELECT pass FROM users WHERE userid = ' . $_GET['id']);
With id set to "1 OR 1=1 --" the query that reaches the database becomes:
SELECT pass FROM users WHERE userid = 1 OR 1=1 --
Prevention:
Proper use of prepared statements and stored procedures.
http://php.net/manual/en/pdo.prepared-statements.php
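The slide's query rewritten with a PDO prepared statement, as an added example that is not from the original talk. The DSN, credentials and the `filter_input()` check on `id` are my assumptions:

```php
<?php
// Added example (not from the slides): the A1 query with PDO prepared
// statements. DSN, credentials and table layout are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Validate the shape of the input first: userid is an integer or nothing.
// "1 OR 1=1 --" fails FILTER_VALIDATE_INT and is rejected here.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('invalid id');
}

// The SQL text is fixed at prepare time; the value travels separately as a
// typed parameter, so it can never change the structure of the query.
$stmt = $pdo->prepare('SELECT pass FROM users WHERE userid = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC); // false when no such user
```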
A2: Cross-Site Scripting (XSS)
Mainly JavaScript & HTML.
echo('<h1>Username: ' . $_GET['name'] . '</h1>');
Rendered output when name contains markup:
<h1>Username: <script>window.location = 'evil.com'</script></h1>
Prevention:
Escape all untrusted data. Proper input validation.
echo('<h1>Username: ' . htmlentities($_GET['name']) . '</h1>');
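An output-escaping helper for the two HTML contexts in which the username above might be printed, added here as an example and not part of the original talk. The helper name `e()` is my own:

```php
<?php
// Added example (not from the slides): one escaping helper for HTML element
// content and attribute values. ENT_QUOTES encodes both " and ' (before
// PHP 8.1 a bare htmlentities() call leaves ' alone) and the explicit
// charset avoids encoding mismatches between input and output.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = $_GET['name'] ?? '';

// Element content: a name of <script>...</script> is shown as text, not run.
echo '<h1>Username: ' . e($name) . '</h1>';

// Attribute value: quotes are encoded, so the value cannot close the
// attribute and append a new one (such as an event handler).
echo '<input type="text" name="name" value="' . e($name) . '">';

// Other output contexts need their own encoding: a value written inside a
// <script> block or into a URL must not rely on e() alone.
```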
A2: Cross-Site Scripting (XSS)
Zazzle.co.uk still vulnerable. Reported in January.
http://www.zazzle.co.uk/pd/realviewpopup?url=</style><script>alert(1);</script>
A3: Broken Authentication and Session Management
Passwords properly hashed and salted in the database?
Weak change password functionality?
Sessions in the URL?
Sessions sent over SSL?
Prevention:
Hash & salt passwords stored in the database.
Ensure sensitive data is sent over SSL.
Test all authentication functionality.
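How the "hash & salt" and session advice above looks in code, as an added example that is not from the original talk. It uses `password_hash()`/`password_verify()` (PHP 5.5 and later); `$pdo`, the `users` table and the `login()` helper are assumptions:

```php
<?php
// Added example (not from the slides): password storage and login with
// password_hash()/password_verify(), which generate a random salt per password
// and store it inside the hash string. $pdo is an assumed PDO connection;
// session_start() is assumed to have been called already.

function storePassword(PDO $pdo, int $userId, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT); // bcrypt, random salt
    $stmt = $pdo->prepare('UPDATE users SET pass = :hash WHERE userid = :id');
    $stmt->execute([':hash' => $hash, ':id' => $userId]);
}

function checkPassword(PDO $pdo, int $userId, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE userid = :id');
    $stmt->execute([':id' => $userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($plain, (string) $hash)) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        storePassword($pdo, $userId, $plain);
    }
    return true;
}

// On success issue a fresh session id, so an id chosen before authentication
// (for example one carried in a URL) is never promoted to a logged-in session.
function login(PDO $pdo, int $userId, string $plain): bool
{
    if (!checkPassword($pdo, $userId, $plain)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['userid'] = $userId;
    return true;
}
```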
A4: Insecure Direct Object References
http://www.bank.com/accounts/account.php?userid=123456
http://www.bank.com/accounts/account.php?userid=123457
http://www.facebook.com/photos/album.php?album_id=1234
http://www.facebook.com/photos/album.php?album_id=1235
Prevention:
Check authorisation on each request.
A5: Cross-Site Request Forgery (CSRF)
The attacker makes the victim's browser perform actions on behalf of the authenticated user:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
Prevention:
Use anti CSRF tokens in the URL.
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243&token=yt5y5hu
Frameworks will normally do this for you. (Symfony, CodeIgniter >= 2.0...)
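A hand-rolled token check for the transferFunds action, added here as an example and not from the original talk or any framework. It carries the token in a hidden field of a POST form rather than in the URL; the form markup and field names are assumptions:

```php
<?php
// Added example (not from the slides): per-session anti-CSRF token for the
// transferFunds action. random_bytes() and hash_equals() need PHP >= 7.
session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $_SESSION['csrf_token'];
}

function checkCsrf(?string $submitted): void
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // A request forged from another site cannot know this session's token,
    // so it fails here. hash_equals() compares in constant time.
    if ($expected === '' || $submitted === null || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // State-changing actions are POST only and must carry the token.
    checkCsrf($_POST['token'] ?? null);
    // ... validate amount/destinationAccount and perform the transfer
    //     for the logged-in user (omitted)
    exit;
}

// GET: render the form with the token in a hidden field.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/app/transferFunds">'
   . '<input type="hidden" name="token" value="' . $token . '">'
   . '<label>Amount <input name="amount"></label>'
   . '<label>Destination <input name="destinationAccount"></label>'
   . '<button type="submit">Transfer</button></form>';
```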
A6: Security Misconfiguration
All software up to date? (OS, PHP, MySQL)
Unnecessary features disabled?
Software configured properly?
Default files/folders removed? (documentation)
Prevention:
Server hardening.
Update software.
Configure software.
A6: Security Misconfiguration
http://www.apache.org/server-status
Apparently it is not a misconfiguration according to Apache.
It is there purposely according to them.
I would advise to disable it in your Apache configs.
A7: Insecure Cryptographic Storage
Offsite backups?
Data backups properly encrypted?
Strong encryption algorithm used? (AES)
Secure key used for decryption?
Prevention:
Keys properly protected.
A8: Failure to Restrict URL Access
Prevention:
Check authorisation on every page.
http://www.example.com/admin/add_user.php
http://www.example.com/admin/edit_user.php
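One server-side authorisation layer serving both the account.php case (A4) and the admin pages (A8), added as an example that is not from the original talk. `db.php`, the `accounts` and `user_roles` tables and the helper names are assumptions:

```php
<?php
// Added example (not from the slides): authorisation checked on every request,
// for the ?userid= object (A4) and for the admin/*.php pages (A8).
// Table and column names are assumed; db.php is assumed to provide $pdo.
require 'db.php';
session_start();

function currentUserId(): int
{
    if (empty($_SESSION['userid'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    return (int) $_SESSION['userid'];
}

// A4: the id in the URL is compared with the identity in the session, so
// changing 123456 to 123457 yields 403 instead of someone else's account.
function loadAccount(PDO $pdo, int $requestedId): array
{
    if ($requestedId !== currentUserId()) {
        http_response_code(403); // same answer whether the id exists or not
        exit('forbidden');
    }
    $stmt = $pdo->prepare('SELECT * FROM accounts WHERE userid = :id');
    $stmt->bindValue(':id', $requestedId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

// A8: every admin page calls this before doing anything; leaving the page
// out of the menu is not access control.
function requireRole(PDO $pdo, string $role): void
{
    $stmt = $pdo->prepare('SELECT 1 FROM user_roles WHERE userid = :id AND role = :role');
    $stmt->execute([':id' => currentUserId(), ':role' => $role]);
    if ($stmt->fetchColumn() === false) {
        http_response_code(403);
        exit('forbidden');
    }
}

// First statement of admin/add_user.php and admin/edit_user.php:
requireRole($pdo, 'admin');
```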
A9: Insufficient Transport Layer Protection
SSL used when sensitive data is sent to the server?
SSL properly implemented/configured?
Cookies have the 'secure' flag?
HTTPS downgrade-able to HTTP?
Prevention:
Ensure all sensitive data is sent over SSL.
Valid SSL certificate.
Add 'secure' flag to cookies.
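The cookie and transport settings from the checklist above in PHP, as an added example that is not from the original talk. The host name is assumed, and the array forms of `session_set_cookie_params()` and `setcookie()` need PHP 7.3 or later:

```php
<?php
// Added example (not from the slides): transport settings for a site served
// only over HTTPS. CANONICAL_HOST is assumed.
const CANONICAL_HOST = 'www.example.com';

// 1. Never serve the page over plain HTTP: send the browser to the HTTPS origin.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// 2. Ask the browser to stay on HTTPS (HSTS), so a later http:// link
//    cannot downgrade the connection.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// 3. Session cookie: sent over HTTPS only (secure), hidden from JavaScript
//    (httponly); the session id is read from the cookie only, never the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 4. Any application cookie gets the same flags.
setcookie('prefs', 'dark', [
    'expires'  => time() + 30 * 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```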
A10: Unvalidated Redirects and Forwards
https://www.ea.com/uk/profile/remote-redirect?returnurl=http://www.ethicalhack3r.co.uk/
EA.com still vulnerable. Reported in October 2011.
Prevention:
Warn user when being redirected off site.
Validate redirects.
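A validator for a returnurl parameter like the one above, added here as an example and not from the original talk. The allow-listed hosts and the function name are assumptions:

```php
<?php
// Added example (not from the slides): validating a returnurl parameter
// against an allow-list before redirecting. ALLOWED_HOSTS is constructed.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

function safeRedirectTarget(?string $url, string $default = '/'): string
{
    if ($url === null || trim($url) === '') {
        return $default;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return $default; // unparseable
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Site-relative path: must start with exactly one "/". "//host" is a
        // protocol-relative URL to another site and browsers read "/\host"
        // the same way, so both are rejected.
        $path = $parts['path'] ?? '';
        return preg_match('#^/(?![/\\\\])#', $path) === 1 ? $url : $default;
    }
    // Absolute URL: only https to a host on the allow-list. This rejects
    // javascript:, data:, http://other-site, //other-site and
    // https://www.example.com@other-site (parse_url puts other-site in host).
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if ($scheme === 'https' && in_array($host, ALLOWED_HOSTS, true)) {
        return $url;
    }
    return $default;
}

// The redirect endpoint only ever sends the validated target.
header('Location: ' . safeRedirectTarget($_GET['returnurl'] ?? null), true, 302);
exit;
```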
How to test your own applications.
OWASP Testing Methodology
Passive:
Browse application
Understand application logic
Information Gathering
Use a HTTP Proxy (ZAP, Burp)
Active:
Configuration Management
Business Logic
Authentication
Authorisation
Session Management
Data Validation
Denial of Service
Web Services
Ajax Testing
Black Box Testing
Tools/Techniques:
Arachni Web Application Scanner
OWASP ZAP
Manual Interaction
Pros:
Emulates a ‘real’ attacker*
Less time than white box (cheaper)
Cons:
Less effective than white box
*real attackers are not limited by time or scope
Post Interpreted (black box)
White Box Testing
Tools/Techniques:
RIPS Static Code Analysis
Manual Source Code Review
GNU Grep
Pros:
More effective than black box
More thorough test
Cons:
More time than black box (more expensive)
Tester needs to be able to read code
Pre Interpreted (white box)
Demo: RIPS Static Code Analysis (white box tool)
http://127.0.0.1/~ryan/Sites/rips-0.51/
/Users/ryan/Sites/Sites/jobfinder/
What you really need!
Black & White box testing within your Software Development Life Cycle (SDLC).
Microsoft Security Development Lifecycle (SDL)
http://www.microsoft.com/security/sdl/default.aspx
Summary
The OWASP Top 10 is useful, but it is not an exhaustive list.
OWASP has lots of other great resources, including an upcoming Newcastle chapter!
It is easy and free to do basic testing of your own apps.
Build security into your development process.
“You'll never reach zero security vulnerabilities”
- Michael Howard (Software Security Expert, Microsoft)
Further Reading
https://www.owasp.org/index.php/Main_Page
http://arachni-scanner.com/
http://rips-scanner.sourceforge.net/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
http://www.youtube.com/watch?v=FYfMZx2hy_8
Questions?
http://twitter.com/ethicalhack3r
www.ethicalhack3r.co.uk