John Coggeshall Copyright 2006, Zend Technologies Inc.

Size: px

Start display at page:

Dylan Elliott
5 years ago
Views:

2 Welcome! Welcome to PHP Security Basics Who am I: John Coggeshall Lead, North American Professional Services PHP 5 Core Contributor Author: PHP 5 Unleashed Member of Zend s Education Advisory Board 10-Dec-07 # 2

3 What We ll Cover Today: An Introduction to the World of Security How To Think about Security Attack Vectors 101 Open Forum for Questions 10-Dec-07 # 3

4 WASC In summer 2006, according to a Mitre s Common Vulnerabilities and Exposures report, SQL Injection vulnerability has become a web application flaw second only to cross-site scripting. Furthermore, some experts argue that this vulnerability is even more significant due to its prevalence in custom web applications created by inexperienced programmers and its direct effect on the database, which is often the most sensitive part of a web application, more critical than the server systems which are typically more exposed. delectix.com COMPUTERWORLD Security ComputerWeekly.com Copyright 2007, Zend Technologies Inc. # 2 Winter, 2007

5 Scope Security is too large a topic to fully discuss in a 45 minute webinar In fact, Web Application Security could be one s life work The Operating System The Web Server The Database Server The Application The Protocol The Browser The Client Side Language We are going to stay focused on understanding the Principles of security, with a brief discussion of some common attacks 10-Dec-07 # 5

6 Lingo In my discussions I ll be using a few terms - some are common, some are my own: Attacker: The bad guy trying to acquire the Principal Principal: The target of the attacker, be it data or functional change to your application Attack Vector: An approach used to achieve the compromise of the Principal Strategic Data: Information used by an attacker to formulate his attack vectors 10-Dec-07 # 6

7 Let s Get Started Can you describe security? Security is information Keeping private information away from others who want it Getting information from others who want your private information Information IS power The power to steal your data The power to change the behavior of your application The power to prevent 10-Dec-07 # 7

8 The Principal The Principal is the ultimate goal of the Attacker, and it takes many forms Examples: Acquisition of your private data Credit Card numbers, passwords Introduction of unintended function Acquisition of someone else s data Further infection of other systems The Principal is what you must protect Attackers are interested in a vast array of Principals 10-Dec-07 # 8

9 Understand your Principal Before you can hope to defend anything, you have to understand what you re defending What about your application would be appealing to an attacker? I don t see many Attackers trying to steal other people s online dating accounts I do see a lot of online dating sites concerned about their customer s financial data being compromised Not to say that security everywhere isn t important, but it is a never-ending struggle Focus on what you think the Principal is Make sure you can identify other Principals as they become apparent 10-Dec-07 # 9

10 Common Principals Every one has these in common: Your Visitors Your Database Your Server Every application has its own unique Principals as well The first step in securing your application is identifying the Principals The second step is identifying your attack vectors 10-Dec-07 # 10

11 Understand the Attack Vectors Once you ve identified as many Principals as you can, you now have to defend them Again, you can t defend against what you don t know Often there are common Attack Vectors useful in attacking many principals Injection Attacks (SQL, HTTP, HTML, JS, etc., etc., etc.) Prediction Attacks (Session Fixation, Algorithm Compromising) Every web application should defend against the usual suspects, and thus the common Principals But what about your application? Don t forget about specific principals and attacks against them 10-Dec-07 # 11

12 Defense In Depth It is critical to realize that no one step will ensure security In fact, no combination can ensure it either There is a best strategy defense in depth which means employing a broad range of overlapping security tactics to present a defense to all attack vectors The concept is to make it so difficult for an attacker to break through all the security measures in place that they are likely to give up and attack a site that is easier to assault Copyright 2007, Zend Technologies Inc. # 4 Winter, 2007

13 SQL Injection Attacks SQL (Structured Query Language): involve attacks on a database, by injecting SQL code into a user form that is then submitted Attack provides attacker with access to data within the database, according to the database user rights, where they could: Download the entire database contents Wipe out the entire contents Corrupt the database structure Change the data itself Cause DOS (Denial of Service) Copyright 2007, Zend Technologies Inc. # 13 Winter, 2007

14 SQL Injection Attacks (continued) Examples: $query = "SELECT * FROM table WHERE id = {$_GET['id']}"; (returns entire table) (deletes entire table) 1; ALTER TABLE table CHANGE col1 col1 CHAR(12) (corrupts table) Corrupt as above; then change data type back (truncates string values) 1; SELECT BENCHMARK( , SHA1(REPEAT(CURDATE(), 10))) (DOS) $query = UPDATE users SET password= {$_GET[ newpass ]} WHERE user_id = {$userid} $_GET[ newpass ] = foo WHERE user_id= admin -- ; (controls password) Copyright 2007, Zend Technologies Inc. # 14 Winter, 2007

15 Cross-Site Scripting (XSS) XSS: Cross-Site Scripting attacks are an injection of HTML, CSS, or script code into a page JavaScript is especially a threat Displaying data mis-interpreted by the browser is the primary cause Example of an attack: Form input User input details are gathered by probing vulnerable dynamically generated form error messages on a web site The attacker alters the site s HTML and inserts malicious code into a link on what looks like the original web site when the link is clicked by the user, the attacker s web site handles the request instead of the intended web site 10-Dec-07 # 15

17 Session Fixation User gets a "fixed" session ID Usually via an specially crafted URL made to look like a real site Unless specified, PHP will use an assigned session ID as the ID being used i.e., from cookie or URL Basically, you have made an unpredictable value used in secure transactions predictable 10-Dec-07 # 17

18 Remember It s about Information If you re not designing applications that help you identify your Principals and how they are attacked, you will fail Take the extra time to validate your assumptions You think it s an integer? Check that You think that environment variable is A or B? Make sure it s not C before you use it LOG LOG LOG LOG LOG LOG LOG LOG And analyze them. Be ready to respond to new threats 10-Dec-07 # 18

19 Remember, It s About Information Every piece of information you give the attacker will help him formulate his attack vector If you were a attacker, what could you derive from the following error message? Notice: Undefined index: passwd in /usr/local/zend/apache2/htdocs/includes/usr.inc 10-Dec-07 # 19

20 Thank you! Questions? For additional info on our PHP security classes, please visit: Our next 6-hour online seminar Building Security into your PHP Applications - is being offered on June 26-28, but seats are filling fast! 10-Dec-07 # 20

NET 311 INFORMATION SECURITY

NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)