3. The bald guy in the front
Johann-Peter Hartmann
Full-time PHP developer since 3.0.4
Loves LAMP: the great people, it's fun.
Security is just fun
CTO and founder of Mayflower GmbH
CEO of SektionEins GmbH
14. Why do it, anyway?
Best way: verify the whole application
Second best: audit the whole source code
Average: 2,000 LOC/day
More than one year for a 500,000 LOC application.
Marco just told me that he got a 3,000,000 LOC application.
22. Check Data Flows for STRIDE
Check every data exchange point for:
Spoofing (fake Referer, stolen session IDs)
Tampering (XSS, CSRF)
Repudiation (identity theft, identity coverage)
Information Disclosure (SQL injections, XSS, ...)
Denial of Service (logout after 3 failed logins)
Elevation of Privilege (code execution, ...)
32. Where to start auditing?
risk = chance of attack * damage potential
High risk example: SQL injection in a login form
34. Tools needed for manual source code audits
Some people say: you just need "grep"
A decent code browser with
syntax highlighting
good code navigation
Dynamic code analysis: a debugger with
step-through
variable introspection, conditional breakpoints
35. Critical Function Analysis
Some functions are more dangerous than other methods.
Every exploit class has its own set of functions;
think of SQL injections, code executions.
So just search for every critical function and check whether
the parameters are escaped correctly.
36. SQL Injections
Functions: mysql_query(), mysqli_query(), PDO::query(), ...
Your own database abstraction layer
What to check:
Are the parameters correctly escaped?
Even numbers, sort orders and directions?
Table and column names?
Look out for proper escaping of values, column names,
sort orders etc.
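The checklist above applied to a user search, as an added example that is not from the talk: the numeric, sort-order and column-name parameters that look harmless are exactly the ones parameter binding cannot protect (the speaker's "80%" remark), so they are whitelisted or cast instead. The PDO connection `$db` and the `users` table are assumptions for this example.

```php
<?php
// Added example (not from the talk): the slide's checklist applied to a user
// search. Assumes a PDO connection in $db and a table "users" (assumptions).

// Before: everything is interpolated, including the "harmless" numeric, sort
// and column parameters the slide asks you to look at. Nothing here looks like
// a classic string injection point, which is why an audit has to go find it.
function search_users_vulnerable(PDO $db, array $in)
{
    return $db->query("SELECT id, name FROM users WHERE age >= {$in['min_age']}"
        . " AND name LIKE '%{$in['name']}%' ORDER BY {$in['sort']} {$in['dir']}"
        . " LIMIT {$in['limit']}");
}

// After: values are bound as parameters. Column names, sort direction and
// LIMIT cannot be bound, and quoting does not help them either, so they are
// taken from a whitelist or cast to an integer instead of being escaped.
function search_users(PDO $db, array $in): PDOStatement
{
    $columns = ['name', 'age', 'created_at'];                // allowed ORDER BY columns
    $sort    = in_array($in['sort'] ?? '', $columns, true) ? $in['sort'] : 'name';
    $dir     = strtolower($in['dir'] ?? '') === 'desc' ? 'DESC' : 'ASC';
    $limit   = min(100, max(1, (int) ($in['limit'] ?? 20)));  // a number, never a string
    $stmt = $db->prepare("SELECT id, name FROM users WHERE age >= :min_age"
        . " AND name LIKE :name ORDER BY `$sort` $dir LIMIT $limit");
    $stmt->bindValue(':min_age', (int) ($in['min_age'] ?? 0), PDO::PARAM_INT);
    $stmt->bindValue(':name', '%' . ($in['name'] ?? '') . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt;
}
```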
37. Code Executions
Functions:
eval(), create_function(), preg_replace() with the e modifier,
usort(), uasort(), *_callback functions
Written and included code:
Templates in Smarty
Cache data
Look out for (external) variables in PHP code
Strings can contain code executions! "{${phpinfo}}"
39. Shell Executions
Functions:
shell_exec() (backticks!), exec(), system(), popen(), passthru()
mail()!
Binary name and arguments need to be escaped
Check whether escapeshellcmd() and escapeshellarg() are used
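An added example (not from the talk) of what the shell-execution check looks for: a fixed binary path, a single argument wrapped in escapeshellarg(), a numeric option cast instead of escaped, and mail() called without user data in its sendmail-options parameter. The path /usr/bin/convert and the support address are assumptions.

```php
<?php
// Added example (not from the talk). Assumes ImageMagick's convert lives at
// /usr/bin/convert and that support@example.com exists (both assumptions).

// Before: file name and size reach the shell as typed, so a ";" or backtick
// sequence in either one is run as a command. Note that the binary name is
// also resolved through $PATH rather than pinned in code.
function thumbnail_vulnerable(string $file, string $size): ?string
{
    return shell_exec("convert $file -thumbnail $size thumb.png");
}

function thumbnail(string $file, string $size): ?string
{
    // Numeric option values are cast and range-checked, not escaped.
    $px = max(1, min(1024, (int) $size));
    // escapeshellarg() single-quotes the argument, so shell metacharacters
    // lose their meaning; escapeshellcmd() is the variant for a whole command
    // line. Neither stops the called program from reading the argument as an
    // option or a path, so reject a leading "-" and path separators here.
    if ($file === '' || $file[0] === '-' || strpbrk($file, '/:') !== false) {
        return null;
    }
    $cmd = '/usr/bin/convert ' . escapeshellarg($file) . " -thumbnail {$px}x{$px} thumb.png";
    return shell_exec($cmd);
}

// mail(): the optional fifth parameter is handed to the sendmail binary as
// extra command-line options, so it must never be built from user input.
// Header values must not contain line breaks either (header injection).
function send_contact_mail(string $from, string $body): bool
{
    if (preg_match('/[\r\n]/', $from) || !filter_var($from, FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    return mail('support@example.com', 'Contact form', $body, "From: $from");
}
```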
40. Information leakage
Functions: fopen(), fread(), file(), ...
Vulnerabilities:
read local files containing database passwords
read intranet URLs
read local server configuration files
Check for injection of "/../../etc/passwd%00"
41. Input Flow Analysis
Trace the path that variables take through the application
Faster than a critical function analysis
PHP accepts every external variable by default
The variables come from an untrusted environment
Once PHP gets a taint mode, PHP will help you a lot
42. Input Flow Analysis
$_GET, $_POST, $_COOKIE
Some $_SERVER variables! Don't trust $HTTP_HOST.
register_globals makes it hard to follow
Check whether external variables, or values derived from them, are used
in critical functions
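The critical function analysis (slide 35) and the input flow check (slide 42) combined in one small tool, as an added example that is not part of the talk: it walks PHP's own token stream, reports every call to one of the functions the slides list, and flags calls whose argument list directly contains one of the external superglobals. The function table and the "tainted" heuristic are this example's simplifications; it does not follow assignments, so it is a starting point for the manual check, not a replacement for it.

```php
<?php
// Added example (not from the talk): a critical-function finder on PHP's own
// tokenizer, so hits inside comments and string literals are skipped.
const CRITICAL = [                        // function lists follow the slides
    'sql'   => ['mysql_query', 'mysqli_query', 'query'],
    'code'  => ['eval', 'create_function', 'preg_replace', 'usort', 'uasort'],
    'shell' => ['shell_exec', 'exec', 'system', 'popen', 'passthru', 'mail'],
    'file'  => ['fopen', 'fread', 'file'],
];
// External variables that are untrusted by default (slide 42).
const TAINTED = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_SERVER'];

// One entry per call to a critical function; 'tainted' is true when a
// superglobal appears directly inside that call's argument list.
function find_critical_calls(string $source): array
{
    $tokens = token_get_all($source);
    $n = count($tokens); $findings = [];
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];   // eval is its own token (T_EVAL), others are T_STRING
        if (!is_array($tok) || !in_array($tok[0], [T_STRING, T_EVAL], true)) continue;
        $name = strtolower($tok[1]);
        $class = null;
        foreach (CRITICAL as $cls => $fns) if (in_array($name, $fns, true)) $class = $cls;
        if ($class === null) continue;
        // The next non-whitespace token must be "(" for this to be a call.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if ($j >= $n || $tokens[$j] !== '(') continue;
        // Walk the balanced argument list and look for tainted variables.
        $depth = 0; $tainted = false;
        for (; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === '(') $depth++;
            elseif ($t === ')' && --$depth === 0) break;
            elseif (is_array($t) && $t[0] === T_VARIABLE && in_array($t[1], TAINTED, true)) $tainted = true;
        }
        $findings[] = ['line' => $tok[2], 'class' => $class, 'function' => $name, 'tainted' => $tainted];
        $i = $j;
    }
    return $findings;
}

// Constructed sample; for a real audit pass file_get_contents($path) instead.
$sample = '<?php
$res = mysql_query("SELECT * FROM users WHERE id=" . $_GET["id"]);
eval($pluginCode);
system("ls " . escapeshellarg($_GET["dir"]));';
foreach (find_critical_calls($sample) as $f)
    printf("line %d: %-5s %s()%s\n", $f['line'], $f['class'], $f['function'],
        $f['tainted'] ? '  <- external input reaches this call' : '');
```

The system() call on line 4 of the sample is flagged even though its argument is escaped: the tool only tells you where to look, the escaping check itself is still the auditor's job.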
48. XSS: Output Escaping check
Check every place where data is delivered to the user
There are 5 different versions of escaping for XSS:
Text: htmlentities()
Attributes: htmlspecialchars()
URLs: urlencode()
JavaScript and stylesheet strings: addcslashes()
HTML: whitelist filters like HTMLPurifier
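The same untrusted value rendered in each of the five contexts the slide lists, with the escaping function the slide assigns to each, as an added example that is not from the talk. The HTMLPurifier lines assume the library is installed and autoloaded (an assumption), and the json_encode() remark is an addition of this example, not of the slide.

```php
<?php
// Added example (not from the talk): one untrusted value, five output
// contexts, five different escaping rules. HTMLPurifier is assumed installed.
$name = $_GET['name'] ?? '';        // untrusted, e.g. from a form field

// 1. Text node: entity-encode everything HTML would interpret.
echo '<p>Hello ' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</p>';

// 2. Attribute value: htmlspecialchars() with ENT_QUOTES, and always quote the
//    attribute, since an unquoted one can be closed with a plain space.
echo '<input type="text" name="name" value="'
    . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">';

// 3. URL parameter: urlencode() the value, never the whole URL. The finished
//    URL then sits in an attribute, so context 2 applies to it as well.
$url = '/search.php?q=' . urlencode($name);
echo '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">search again</a>';

// 4. JavaScript string literal: addcslashes() the quotes, the backslash and
//    control characters, plus "/" so that "</script>" cannot end the block.
echo "<script>var name = '" . addcslashes($name, "\0..\37'\"\\/") . "';</script>";
//    Newer code usually emits the whole literal with json_encode($name,
//    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) instead.

// 5. HTML the user is allowed to write (rich text): escaping would destroy
//    the markup, so filter it against a whitelist of tags and attributes.
$purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
echo '<div class="bio">' . $purifier->purify($name) . '</div>';
```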
49. Tools for Static Analysis
RATS: http://www.fortifysoftware.com/security-resources/rats.jsp
finds simple bugs like TOCTOU
PHP-SAT: http://www.program-transformation.org/PHP/PhpSat
has a freely definable set of rules for security checks
Armorize CodeSecure: http://www.armorize.com/
HyperSource, Fortify
50. Other tools
XSSS for automated XSS search: http://www.sven.de/XSSS
A lot of other web security scanners:
SPIDynamics WebInspect
NStalker
Chorizo does PHP gray box scanning
... and a lot more
51. Summary
Even if you have time to do a full code review, use risk analysis to focus.
Code review:
Use critical function analysis and output check, or input flow analysis.
Tools can help you, but they don't do your job.
53. Questions?
Contact me at:
johann-peter.hartmann@sektioneins.de
Editor's notes
Formally I am the boss of Stefan Esser. I am not sure if he knows it, though.
A database is 40,000 bugs. Any database.
Message: The number one target is information theft.
Don't care about XSS, care about SQL injection first.
That's something that banking or insurance companies do. Security experts for real world security do it, and so does the Microsoft Security Development Lifecycle.
So in six years' time Stefan would be able to tell Marco "Look, there has been a bug".
What to audit: are there money issues? privacy issues? are children involved? sexual preferences?
Actually that's a term Microsoft coined.
Find easy to find vulnerabilities, identify parts of code involved in highly critical workflows.
White box audits.
Basically you need an IDE for hacking! Like Zend IDE, PDT.
Parameter binding does just help 80% for SQL injection!