Security

XSS

  • The attacker submit a form with html code
    • javascript
    • a fake login form
  • The victim browse a page which contains those data and unwittingly execute the code
    • The page may not be related to the initial form  used by the attacker (ie: the admin panel)

XSS

  • The attacker forge a link wich contains malicious code
  • The victim follow the link and get the a page which execute the code
    • ie: lost_password?email=...

XSS

  • The attacker upload an html file wich contains maliscious code
    • fake login page
    • retrieve cookie and other local informations

XSS

  • escape output
  • use framework (twig)
    • do not disable the security
  • force browser to download uploaded files
    • disposition: attachement

CSRF

  • The attacker forge a link to an unsecured page
    • could be GET or POST
  • The victim, throught it browser and it session execute the maliscious code
    • ie: <img src="http://site.com/users/123/delete">

CSRF

  • Use unguessable token in each "write actions"
  • Activated by default with Symfony2

Retrieve list of user

  • When a page display differents message according to the error
    • "User does not exists" vs "Incorrect password"
    • login page AND password lost
    • irrelevant if the application contains a sigup page

 

Counting entities

  • When the information could be strategycal
    • invoice-2015-001
    • /api/virtual-machine/24

Horizontal privilege escalation

  • always check if the user is allowed to access to the resources
    • isGranted()
    • voters
  • do not forget uploaded files
    • even if the resource is marked as shared
    • especially if the path to the resource is guessable

Password autocompletion

  • The attacker has access to the victim's machine
  • Retrieve the password from the browser's storage

Password autocompletion

  • Add autocomplete=off

FileSystem manipulation

  • When the application allows the user to create folders and upload files
  • The attacker can "browse" outside the "application's root" directory by using ".." in the path

FileSystem manipulation

  • Assert the real_path of path starts with the root directory

Code execution

  • The attacker upload a PHP file. It can run it throught the "download" link

 

  • The attacker upload PHP script name foo.jpg
  • Then he upload a .htaccess which add and handler for .jpg files

Code execution

  • Block htaccess files (AllowOverride: None)
  • Use a front controller
  • Rename files

System call

  • The attacker can run system command
    • exec
    • passthru
    • shell_exec
    • system
    • proc_open
    • popen
    • curl_exec
    • curl_multi_exec
    • parse_ini_file
    • show_source
    • ``

System call

  • The attacker force the script to execute a remote script
    • include_once $_GET['action'];

System call

  • If possible disable those functions with  the directive disable_functions
  • sets allow_url_fopen to false (use Guzzle/curl to retrieve remote resources)

Unsecured cookies

  • Without HTTPS, the cookies are readables.
  • The attacker can steal the sessionId

 

  • The cookies can be handle with javascript
  • The attacker can read the sessionId thanks to an XSS 

Unsecured cookies

  • add the flag "secure" to the cookie
  • add the flag "HttpOnly" to the session's cookie
framework:
  session:
    cookie_secure:   true
    cookie_httponly: true

Unsecure SSL

  • Using an expired certificat
  • Using weak algorithme (sha1)
  • Allowing a weak algorithme (rc4)

Unsecure SSL

  • https://www.ssllabs.com/ssltest/analyze.html
    • SSLProtocol ALL -SSLv2 -SSLv3
    • SSLHonorCipherOrder on
    • SSLCipherSuite ALL:!LOW:!aNULL:!md5:!RC4

Unsupported versions

  • OS
  • Kernel
  • WebServer (apache/nginx)
  • PHP
  • packages

Unsupported versions

  • apt-get upgrade
  • apt-get dist-upgrade / reinstall
  • docker pull
  • composer update
  • don't fix the versions (use "^")

Security should not be an option

Nadim Kobeissi

  • Display the site with HTTP and/or HTTPS ?
  • No the choice HTTP does not exists
Made with Slides.com