Recomendados
Recomendados
Mais conteúdo relacionado
Destaque
Destaque (19)
Semelhante a Dip Your Toes in the Sea of Security (PHP Cambridge)
Semelhante a Dip Your Toes in the Sea of Security (PHP Cambridge) (20)
Mais de James Titcumb
Mais de James Titcumb (20)
Último
Último (20)
Dip Your Toes in the Sea of Security (PHP Cambridge)
- 1. Dip Your Toes in the Sea of Security James Titcumb PHP Cambridge 28th January 2015
- 2. James Titcumb www.jamestitcumb.com www.protected.co.uk www.phphants.co.uk www.phpsouthcoast.co.uk @asgrim Who is this guy?
- 3. Some simple code... <?php $a = (int)$_GET['a']; $b = (int)$_GET['b']; $result = $a + $b; printf('The answer is %d', $result);
- 5. The Golden Rules (my made up golden rules)
- 6. 1. Keep it simple
- 7. 2. Know the risks
- 9. 4. Don’t reinvent the wheel
- 10. 5. Never trust anything
- 11. OWASP & the OWASP Top 10 https://www.owasp.org/
- 12. Application Security (mainly PHP applications)
- 13. Always remember… Filter Input Escape Output
- 15. SQL Injection (#1) 1. Use PDO / mysqli 2. Use prepared / parameterized statements
- 16. SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
- 17. SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓
- 20. Cross-Site Scripting / XSS (#3)
- 21. Cross-Site Scripting / XSS (#3) ● Escape output <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
- 22. Cross-Site Request Forgery / CSRF (#8)
- 23. <?php if (!$isPost) { $csrfToken = hash("sha512",mt_rand(0,mt_getrandmax())); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if ($_SESSION['csrf_token'] != $_POST['csrf_token']) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
- 24. Errors, Exceptions & Logging (#6)
- 25. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
- 26. curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓
- 27. WordPress
- 28. WordPress Urgh.
- 29. We are not security experts!
- 30. We are not security experts! … but we CAN write secure code
- 31. Be the threat Think Differently
- 32. What do you want? Think Differently
- 33. How do you get it? Think Differently
- 38. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
- 39. CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
- 40. Case Study: Custom Authentication We thought about doing this…
- 41. Case Study: Custom Authentication We thought about doing this…
- 42. Case Study: Custom Authentication We thought about doing this… ✘
- 46. Create an SSH Fortress
- 47. Firewalls
- 48. IPTABLES #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state
- 50. Install Only What You Need
- 51. Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
- 52. Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/
- 53. The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
- 54. If you follow all this, you get...
- 55. If you follow all this, you get...
- 56. Questions?
- 57. James Titcumb @asgrim Thanks for watching!