Security
XSS
- The attacker submit a form with html code
- javascript
- a fake login form
- The victim browse a page which contains those data and unwittingly execute the code
- The page may not be related to the initial form used by the attacker (ie: the admin panel)
XSS
- The attacker forge a link wich contains malicious code
- The victim follow the link and get the a page which execute the code
- ie: lost_password?email=...
XSS
- The attacker upload an html file wich contains maliscious code
- fake login page
- retrieve cookie and other local informations
XSS
- escape output
- use framework (twig)
- do not disable the security
- force browser to download uploaded files
- disposition: attachement
CSRF
- The attacker forge a link to an unsecured page
- could be GET or POST
-
The victim, throught it browser and it session execute the maliscious code
- ie: <img src="http://site.com/users/123/delete">
CSRF
- Use unguessable token in each "write actions"
- Activated by default with Symfony2
Retrieve list of user
- When a page display differents message according to the error
- "User does not exists" vs "Incorrect password"
- login page AND password lost
- irrelevant if the application contains a sigup page
Counting entities
- When the information could be strategycal
- invoice-2015-001
- /api/virtual-machine/24
Horizontal privilege escalation
- always check if the user is allowed to access to the resources
- isGranted()
- voters
- do not forget uploaded files
- even if the resource is marked as shared
- especially if the path to the resource is guessable
Password autocompletion
- The attacker has access to the victim's machine
- Retrieve the password from the browser's storage
Password autocompletion
- Add autocomplete=off
FileSystem manipulation
- When the application allows the user to create folders and upload files
- The attacker can "browse" outside the "application's root" directory by using ".." in the path
FileSystem manipulation
- Assert the real_path of path starts with the root directory
Code execution
- The attacker upload a PHP file. It can run it throught the "download" link
- The attacker upload PHP script name foo.jpg
- Then he upload a .htaccess which add and handler for .jpg files
Code execution
- Block htaccess files (AllowOverride: None)
- Use a front controller
- Rename files
System call
- The attacker can run system command
- exec
- passthru
- shell_exec
- system
- proc_open
- popen
- curl_exec
- curl_multi_exec
- parse_ini_file
- show_source
- ``
System call
- The attacker force the script to execute a remote script
- include_once $_GET['action'];
System call
- If possible disable those functions with the directive disable_functions
- sets allow_url_fopen to false (use Guzzle/curl to retrieve remote resources)
Unsecured cookies
- Without HTTPS, the cookies are readables.
- The attacker can steal the sessionId
- The cookies can be handle with javascript
- The attacker can read the sessionId thanks to an XSS
Unsecured cookies
- add the flag "secure" to the cookie
- add the flag "HttpOnly" to the session's cookie
framework:
session:
cookie_secure: true
cookie_httponly: true
Unsecure SSL
- Using an expired certificat
- Using weak algorithme (sha1)
- Allowing a weak algorithme (rc4)
Unsecure SSL
- https://www.ssllabs.com/ssltest/analyze.html
- SSLProtocol ALL -SSLv2 -SSLv3
- SSLHonorCipherOrder on
- SSLCipherSuite ALL:!LOW:!aNULL:!md5:!RC4
Unsupported versions
- OS
- Kernel
- WebServer (apache/nginx)
- PHP
- packages
Unsupported versions
- apt-get upgrade
- apt-get dist-upgrade / reinstall
- docker pull
- composer update
- don't fix the versions (use "^")
Security should not be an option
Nadim Kobeissi
- Display the site with HTTP and/or HTTPS ?
- No the choice HTTP does not exists
Security
By Jérémy DERUSSÉ
Security
- 1,194