PHP: The Security Underperformer?

PHP logo

Marc Wickenden

@marcwickenden


Director @4ARMED

Cyber Security services


About 15 years in IT

Started out as Unix Sysadmin

Love coding but am not a developer

Picture of Marc

So, what's the problem?

Woah there cowboy! Critical?

Trivial, unintended access to data or the underlying system

Straw poll

Wanna see some examples?


            // Example 1: the request parameter is concatenated straight into the query,
            // so whatever the client sends in ?id= becomes part of the SQL statement.
            if (isset($_GET['id'])) {
              $sql = "SELECT users.* FROM users WHERE id = " . $_GET['id'];
            } else {
              die("No id specified");
            }
            $result = mysqli_query($db, $sql);

Demo Time


            // controllers/productPost.php
            // Example 2: a pipe-delimited POST value is split and handed to the model
            // without any validation; the model then concatenates it into the query.
            function getProducts(){
              if(isset($_POST['qstring'])){
                $allData = explode("|",$_POST['qstring']);
                $productid = $allData[0];   // client-controlled, never checked
                $qaction = $allData[1];

                $resultarray = $this->product_model->listAgainstProduct($productid,$qaction);
              }
            }

            // models/product_model.php
            function listAgainstProduct($product_id='',$qaction=''){
              if($product_id){
                // truthiness check only: any non-empty string is spliced into the SQL
                // (query excerpted as shown in the talk)
                $query = $this->db->query("select tbl_products.*
                where tbl_products.product_id =".$product_id." AND tbl_status.status_type_id=2
                AND tbl_status.status_type_id!=32 order by tbl_status.status_name ASC");
              }
            }
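How the two snippets above look once the input is validated and bound as data rather than concatenated into the query. This is an added example, not code from the talk; it assumes `$db` is an open `mysqli` connection (with the mysqlnd driver, for `get_result()`), that `users.id` is an integer column, and that `list` and `detail` are the only valid actions.

```php
<?php
// Added example (not from the talk): prepared statements plus input validation.
// Assumes $db is an open mysqli connection; users.id is an integer column.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly on DB errors

function findUserById(mysqli $db, string $rawId): ?array
{
    // Reject anything that is not a positive integer before it reaches the database.
    if (filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        return null;
    }
    $id = (int) $rawId;
    // The '?' placeholder is bound separately: the value is data, never SQL text.
    $stmt = $db->prepare('SELECT users.* FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' binds as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The "qstring" pattern from the demo: split the pipe-delimited value, then
// validate each piece before it goes anywhere near the model or the query.
function parseQstring(string $qstring): ?array
{
    $parts = explode('|', $qstring);
    if (count($parts) !== 2) {
        return null;
    }
    [$productId, $qaction] = $parts;
    if (filter_var($productId, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    // Allow-list of actions (the actual list is an assumption for this example).
    if (!in_array($qaction, ['list', 'detail'], true)) {
        return null;
    }
    return ['product_id' => (int) $productId, 'qaction' => $qaction];
}

if (!isset($_GET['id'])) {
    die('No id specified');
}
$user = findUserById($db, $_GET['id']);           // null on bad input or no match
$args = parseQstring($_POST['qstring'] ?? '');   // null on malformed qstring
```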

Is it really that common?

http://securityreactions.tumblr.com/post/31920638587/php-code-audit

WTF is going on?

Popularity

Designer vs Developer

So many helpful resources

Maybe I'm worrying about nothing?

Shit.

But these are all free. It's the Wild West

Apparently not

Hrm.

Are we comparing like for like?

Not Invented Here

Frameworks are better

(from a security perspective at least)

But...

Most common issue I see in frameworks?



What about the PHP interpreter itself?

Stefan Esser

Did it work?

Summary

  1. Large user base with big % of non-developers
  2. Lots and lots of really bad code examples out there
  3. Relatively low framework adoption
  4. Historic issues with PHP core development
  5. Legacy default settings were not secure

What now?

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

Workshops

It's in your hands

Questions?

marc@4armed.com