Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security

Ryan Dewhurst Projects Experience BSc Ethical Hacking for Computer Security Security RandomStorm Hobbyist Security Researcher ethicalhack3r.co.uk Contribute to Open Source security related tools DevBug

Aims of this talk Briefly show how you can test your own apps. Introduction to the OWASP Top

Why bother with security? Open Web Application Security Project (OWASP) Secure code is better quality code. Your or your employer’s reputation. Compliance (PCI,DPA,HIPAA). The right thing to do, users trust you with their data.

Open Web Application Security Project (OWASP) “The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software.” Top 10 Risks Testing Guide Code Review Guide WIKI Security Cheat Sheets Open Source Tools (ZAP, WebGoat....) Local Chapter Meetings (one in Newcastle soon!) A lot more!

OWASP TOP 10 Risks 2010 ■A1: InjectionA1: Injection ■A2: Cross-Site Scripting (XSS)e Scripting (XSS) ■A3: Broken Authentication and Session ManagementA3: Broken ement ■A4: Insecure Direct Object ReferencesA4: Insecure Direct Object References ■A5: Cross-Site Request Forgery (CSRF)A5 ■A6: Security MisconfigurationMisconfiguration ■A7: Insecure Cryptographic StorageA7: Insecure Crypto ■A8: Failure to Restrict URL Accesst URL Access ■A9: Insufficient Transport Layer ProtectionA9: Insufficient Transp ■A10: Unvalidated Redirects and ForwardsRedirects and Forwards

A1: Injection SQL, XPath, LDAP, OS Commands... mysql_query(‘SELECT pass FROM users WHERE userid =’. $_GET[‘id’]); SELECT pass FROM users WHERE userid = 1 OR 1=1 -- Prevention: Proper use of prepared statements and stored procedures.

A2: Cross-Site Scripting (XSS) Mainly JavaScript & HTML. echo(‘ Username: ’. $_GET[‘name’]. ‘ ’); Prevention: Escape all untrusted data. Proper input validation. Username: window.location = ‘evil.com’ echo(‘ Username: ’. htmlentities($_GET[‘name’]). ‘ ’);

A2: Cross-Site Scripting (XSS) Zazzle.co.uk still vulnerable. Reported in January. alert(1);

A3: Broken Authentication and Session Management Passwords properly hashed and salted in the database? Weak change password functionality? Sessions in the URL? Sessions sent over SSL? Prevention: Hash & salt passwords stored in the database. Ensure sensitive data is sent over SSL. Test all authentication functionality.

A4: Insecure Direct Object References Prevention: Check authorisation on each request

A5: Cross-Site Request Forgery (CSRF) Prevention: Use anti CSRF tokens in the URL. Perform actions on behalf of authenticated user Frameworks will normally do this for you. (Symfony, CodeIgniter >= ) 243&token=yt5y5hu

A6: Security Misconfiguration Prevention: All software up to date? (OS, PHP, MySQL) Unnecessary features disabled? Software configured properly? Default files/folders removed? (documentation) Server hardening. Update software. Configure software.

A6: Security Misconfiguration Apparently it is not a misconfiguration according to Apache. It is there purposely according to them. I would advise to disable it in your Apache configs.

A7: Insecure Cryptographic Storage Prevention: Offsite backups? Data backups properly encrypted? Strong encryption algorithm used? (AES) Secure key used for decryption? Keys properly protected.

A8: Failure to Restrict URL Access Prevention: Check authorisation on every page.

A9: Insufficient Transport Layer Protection Prevention: Ensure all sensitive data is sent over SSL. Valid SSL certificate. Add ‘secure’ flag to cookies. SSL used when sensitive is data sent to the server? SSL properly implemented/configured? Cookies have the ‘secure’ flag? HTTPS downgrade-able to HTTP?

A10: Unvalidated Redirects and Forwards Prevention: Warn user when being redirected off site. Validate redirects. redirect?returnurl= redirect?returnurl= EA.com still vulnerable. Reported in October 2011.

How to test your own applications.

OWASP Testing Methodology PassiveActive Configuration ManagementBusiness LogicAuthenticationAuthoris ationSession ManagementData ValidationDenial of ServiceWeb ServicesAjax Testing Browse application Understand application logic Information Gathering Use a HTTP Proxy (ZAP, Burp)

Black Box Testing Arachni Web Application Scanner OWASP ZAP Manual Interaction Tools/TechniquesPros Less effective than white box Cons Emulates a ‘real’ attacker* *real attackers are not limited by time or scope Less time than white box (cheaper)

Post Interpreted (black box)

White Box Testing Tools/TechniquesPros More effective than black box Cons More thorough test More time than black box (more expensive) RIPS Static Code Analysis Manual Source Code Review Tester needs to be able to read code GNU Grep

Pre Interpreted (white box)

Demo: RIPS Static Code Analysis (white box tool) /Users/ryan/Sites/Sites/jobfinder/

What you really need! Black & White box testing within your Software Development Life Cycle (SDLC). Microsoft Security Development Lifecycle (SDL)

Summary OWASP Top 10 is useful but not extensive list. OWASP has lots of other great resources, including an up and coming Newcastle chapter! It is easy and free to do basic testing of your own apps. Build security into your development process.

“You'll never reach zero security vulnerabilities” - Michael Howard (Software Security Expert, Microsoft)

Further Reading

Questions?