PHP Security, Redfined

Transcript

1. PHP  Security,  Redefined Chris  Cornutt  -­‐  AppSec  USA  2015

2. 2 Chris  Cornutt PHP  developer  for  15+  years Focus  on

    appsec  for  5+  years Application  Security  Engineer     @  Pardot  (Salesforce) @enygma   @securingphp

3. A  BIT  OF  HISTORY

4. PHP:  The  Language • Over  20  years  since  first  

   inception   • Used  by  over  80%  of  the   web   • Latest  is  PHP  5.6.x   • PHP  7  coming  late  2015   • PHP  5.3  is  still  most   widely  installed,  5.4  is   gaining 4

5. PHP:  The  Language • Support  schedule 5 http://php.net/supported-­‐versions.php PHP  5.4

    no  longer  supported,  5.5  in  security  only  support  &  5.6  in  full  support

6. COMMUNITY  LEADERS

7. 7 Scott  Arciszewski Ryan  Mauger Anthony  Ferrara Pádraic  Brady Elizabeth

    Smith Ilia  Alshanetsky Beth  Tucker  Long Michelangelo          van  Dam Wim  Godden

8. LIBRARIES  &  TOOLING

9. Composer • The  missing  package   manager  for  PHP  (not

     PEAR)   • Open  Source  project   • Use  has  exploded   • Packagist   • One  command  (install/ update)   • No  vetting  of  packages 9

10. Frameworks • Major  frameworks   • Security  advisories  and  

    updates   • Paid  audit  of  Symfony   (v2)   • Update  to  database  of   vulnerable  components 10

11. Drupal • Started  15  years  ago   • Used  by

     major  services   and  sites   • Renewed  security  efforts   • Dedicated  security  team   • Security  Advisories   • Reviews  of  core  and   contributed  components 11 https://www.drupal.org/security-­‐team

12. WordPress • About  14  years  old   • Used  by

     58%  of  sites  that   use  CMSes   • [email protected]   • Security  advisories  and   updates  (core  &  contrib)   • Over  two  thirds  of  issues   are  with  plugins,  not  core 12

13. Libraries  &  Tooling ircmaxell/random-­‐lib   A  Library  For  Generating  Secure

     Random  Numbers   padraic/SecurityMultiTool   A  multitool  library  offering  access  to  recommended  security  related  libraries,  standardized   implementations  of  security  defenses,  and  secure  implementations  of  commonly  performed   tasks.   respect/validation   The  most  awesome  validation  engine  ever  created  for  PHP   psecio/iniscan   A  scanner  to  evaluate  php.ini  security   sensiolabs/security-­‐checker   A  security  checker  for  your  composer.lock 13

14. Libraries  &  Tooling defuse/php-­‐encryption   Secure  PHP  Encryption  Library,  vetted

     by  infosec  community  members   twigphp/Twig   The  flexible,  fast,  and  secure  template  language  for  PHP   14

15. THE  CURRENT

16. Native  Password  Hashing • Available  in  PHP  >=  5.5  

    • User-­‐friendly  crypt()  with  safer  defaults   • Bcrypt  by  default,  cost  of  10   • password_hash,  password_verify,   password_needs_rehash 16

17. Native  Password  Hashing 17 <?php // old way, prone to

    flaws because users $pwdCrypt = crypt($input, '$2y$10$'.$salt); // to hash the password $hashed = password_hash($input, PASSWORD_DEFAULT); // to verify the password if (password_verify($inputPassword, $hashedPassword) { echo ‘Valid password!’ } // password_needs_rehash

18. Crypt()  Errors  with  No  Salt • PHP  >=  5.6  

    • Previously  allowed  no  salt  (d’oh)   • Now  throws  E_NOTICE 18 PHP Notice: crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash.

19. OpenSSL  Updates • PHP  >=  5.6   • Verifies  peer

     by  default  on  SSL/TLS  connections   • Support  for  x509  fingerprinting   • Default  ciphers  updated  (to  Mozilla  list),   OPENSSL_DEFAULT_STREAM_CIPHERS   • Compression  enabled  by  default 19

20. OpenSSL  Updates • Set  preferred  cipher  order   • Get

     protocol  and  cipher  on  request   • SSL  context  options  for  forward  secrecy   • SSL/TLS  version  selection   • Generating,  extracting  verifying  public  key/ challenges  (SPKAC) 20

21. OpenSSL:  CA  Path  &  File  Override • openssl.capath, openssl.cafile •

    Per-­‐case  basis  rather  than  global   • used  with  verify_peer 21

22. Timing  Safe  Hash  Comparison • PHP  >=  5.6   •

    ===  open  to  timing  attack  issues   • hash_equals 22 if (hash_equals($hash1, $hash2) === true) { echo ‘Party on Wayne!’; }

23. Deprecation  of  /e  Regex  Modifier • PHP  >=  5.5  

    • /e  modifier  allowed  for  eval   • PHP  automatically  called  eval  on  match  string   • Deprecated  in  5.5.0  and  removed  in  PHP  7.0 23 PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead

24. Strict  Session  Handling • PHP  >=  5.5   • session.use_strict_mode

    • Prevents  uninitialized  sessions  (IDs)   • New  session  is  started  regardless  of  what’s   sent  in  cookies   • Prevents  session  fixation 24

25. THE  FUTURE  (PHP  7)

26. Scalar  Type  Hinting • Function-­‐level  type  hints   • array,

    callable and  class/interface   • now  includes  bool, int, float  and   string 26 declare(strict_types=1); function foo(\App\UserInterface $user, int $accountId) { /* awesome code goes here */ }

27. Return  Types • Enforces  correct  return  types   • Throws

     TypeError  if  invalid  (on  strict)   • Unless  strict  is  enabled,  types  are  coerced 27 // coerced function sum($a, $b): float { return $a + $b; } declare(strict_types=1); function sum($a, $b): int { return $a + $b; }

28. Native  CSPRNG • Natively  implemented  in  the  language   •

    Replaces  external  tools  &  libraries   • Replaces  poor  practices:  rand()  or  mt_rand()   • random_bytes  and  random_int   • Sources:   • CryptGenRandom  (Windows)   • arc4random_buf  (BSDish)   • /dev/arandom  or  /dev/urandom 28

29. Uniform  Variable  Syntax • Leads  to  less  errors  in  variable

     interpretation   • Support  for:   • nested  double-­‐colon,  parentheses   • operations  on  (…)  expressions 29 $$foo['bar']['baz'] ${$foo['bar']['baz']} ($$foo)['bar']['baz'] $foo->$bar['baz'] $foo->{$bar['baz']} ($foo->$bar)['baz'] $foo->$bar['baz']() $foo->{$bar['baz']}() ($foo->$bar)['baz']() Foo::$bar['baz']() Foo::{$bar['baz']}() (Foo::$bar)['baz']()

30. Unicode  Escape  Syntax • Use  Unicode  in  normal  strings  

    • supported  through  \u  escape  character   • better  Unicode  handling  in  normal  strings 30 $heart = "a \u{1F49A}"; echo $heart.’ - ‘.strlen($heart); a - 6

31. Engine  Exceptions • Fatal  errors  previously  terminated  execution   a.k.a

     The  White  Page  of  Death   • Error  (formerly  EngineException)  replaces   Fatal   • Now  catchable   • Includes  TypeError, ParseError  and   AssertionError 31

32. Filtered  Unserialize • Problem:  destructor  called  in  unserialized   objects

      • allowed_classes  option,  defaults  true  (BC)   • __PHP_Incomplete_Class 32 unserialize($data, ["allowed_classes" => true]); unserialize($data, ["allowed_classes" => false]); unserialize($data, ["allowed_classes" => [‘UserClass’] ]);

33. …AND  SO

34. 34 WHY  IS  THIS  IMPORTANT?

35. 35

36. 36 “As  investment  and  innovation  in  open  source  security  

    increases,  open  source  has  the  potential  to  become   safer  and  more  secure  than  ever  before,  making  it  more   desirable  for  companies  that  are  concerned  about   today’s  changing  threat  landscape.”   Sara  Purdon,  Protecode

37. 37 Thanks! @enygma Questions?