
On the way to creating a secure web resource. Part 2 - Development

I am pleased to continue sharing my views on approaches to building secure web resources and web applications. The first part covered some generally useful security practices for setting up a project's infrastructure; this second part turns to the development of the application itself.

The security hole has not been fixed, as product managers want a new feature


Programmers


It is logical to start with the programmers themselves, with their knowledge and experience. The employee's own fault for lacking knowledge of secure development is minimal; the primary responsibility lies with management, HR and everyone else involved, and the problem begins at the recruitment stage. Consider a typical interview, even one based on the guides that have been published here on Habr:


Nobody anywhere (including the last article and its comments) has ever mentioned security. "The fish rots from the head", and that is a fact. What do I suggest? When recruiting, first work through the basic points of programming yourself, including their security aspects, and ask questions about them. I propose the following questions; the answers (and, most importantly, a detailed explanation) will give at least some picture of the developer's knowledge in the field of security. Pick a few typical constructions and the vulnerabilities in them:

XSS

<?php $name = $_GET['name']; echo "Hello, <b>$name</b>!"; ?>

We ask for an opinion. It does not matter whether the applicant knows if this is reflected, stored or DOM XSS. The main thing is that he understands that such constructions are unacceptable (it is good if he also knows the consequences of such constructions, and even better if he knows the fix). The task can be made harder by having the data substituted through JS, obtained from somewhere.

SQLi

<?php $value = "id = ".$_GET['id']; $select->where($value); ?>

This refers to one of my previous articles (the problem is not contrived; it was taken from practice). So, we are looking for a Zend specialist; he answers all the questions well, but ... such constructions are quite normal for him. Or he substitutes into where() an array that came from GET / POST via implode.

File upload

<?php
// Deliberately vulnerable: the MIME type is trusted from the client
if ($_FILES["file"]["type"] == "image/gif"
    || $_FILES["file"]["type"] == "image/jpeg"
    || $_FILES["file"]["type"] == "image/png") {
    // Uploaded file is image, all ok
    move_uploaded_file ...
}
?>

Image upload. Anyone with at least some experience will say at once that nobody writes this anymore: $_FILES["file"]["type"] is taken from the HTTP request and is easily forged. Fine, the candidate says we just switch to `file -ib` or use PEAR / Zend for this and that is the end of it (citing stackoverflow along the way). But here he is wrong again (though closer). It is quite easy to create an evil.php file that contains PHP code while carrying image headers. So what is needed is to check the headers of the file already received (via `file`, PEAR or Zend, for example) and assign it an extension ourselves, based on the detected MIME type.
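The SQLi and file-upload constructions above, rewritten the way the text recommends. This is an added example, not code from the original article; it assumes a PDO connection, a fileinfo-enabled PHP build, and the function names findUserById, findUsersByIds and storeUploadedImage, which are illustrative.

```php
<?php
// Added example (not from the original article): hardened versions of the
// SQLi and file-upload interview snippets. Assumes PDO and ext/fileinfo.
declare(strict_types=1);

/**
 * SQLi: never concatenate request data into WHERE. Bind the value instead.
 * Rejecting anything that is not a plain integer is an additional cheap check.
 */
function findUserById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null; // "1 OR 1=1" and friends never reach the driver
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * The implode() variant from the text: an array of ids from GET/POST.
 * Build one placeholder per element; the values still go through binding.
 */
function findUsersByIds(PDO $db, array $rawIds): array
{
    $ids = array_values(array_filter($rawIds, 'ctype_digit'));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id IN ($placeholders)");
    $stmt->execute(array_map('intval', $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * File upload: ignore the client-supplied $_FILES[...]['type'] and the
 * original file name entirely. Sniff the received bytes with fileinfo and
 * assign the extension ourselves from the detected MIME type, so a PHP
 * file wearing image headers is never stored with an executable extension.
 */
function storeUploadedImage(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null; // not something PHP received via HTTP upload
    }
    $allowed = [
        'image/gif'  => 'gif',
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        return null; // not one of the image types we accept
    }
    // Random server-chosen name; extension comes from our table, not the client.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name;
}
```

Within the directory layout described later in the article, $uploadDir should point below htdocs, where only index.php is executed by PHP; the forced extension is then a second line of defence rather than the only one.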

I want to say that incorrect (inaccurate) answers should not be decisive when hiring (an opinion based on rational motives rather than on security), but keep in mind that such an employee needs to study certain material in this area. And at first you need to review his code, especially at the important points (such as file uploads).

The employees we have already hired need separate work too: periodically "turn up the heat" by dissecting, in front of everyone, any vulnerable code that is found. Or at least run a mailing list with links to read on the topic.

So, we move from the human factor to the technical one.

Hierarchy

I'll start with the directory structure. Many practise the following:

example.com
├── app
│   ├── config.ini
│   ├── framework
│   └── src
│       ├── controller
│       ├── model
│       └── view
├── crontab
│   ├── daily_flush_stat.php
│   └── weekly_remove_cache.sh
└── htdocs
    ├── css
    ├── img
    ├── index.php
    └── js

I use a similar directory structure and see no problems with it. Let's start with the last item, htdocs. In htdocs we have only one PHP script, index.php (see the first part of the article), a kind of bootstrap that starts the whole application and serves the necessary functionality depending on the location. All the static files and user uploads live there as well. Only one file remains executable by PHP, and that is great!

app is the application itself, kept outside htdocs, which makes pointless constructions like the following in module files unnecessary:

if (!defined('IN_SITE')) die ("Hack attempt!");

Direct access to those files is simply impossible. Nor do we need to create a bunch of empty index.html files in every folder in case, for some unknown reason, directory indexing is enabled and we cannot disable it.

config.ini is likewise not reachable from the web, so it will not be served as plain text by a direct request.

Cron scripts (or scripts for Jenkins) are also conveniently kept in a directory of our choosing.

Application code

Let us analyze the most popular design pattern, MVC, and decide what goes where.

Model

Validation. Much depends on what is accepted in your team. Usually data validation is done here, at model initialization, but it can just as well be done elsewhere (in a service layer, for example).

View

Here I will consider the perennial question: where to convert HTML special characters? phpBB, for example, does this when writing data to the database, and as a result the data takes up more space. The message
WOW >>> "NEW NEW NEW"
will take not 42 bytes (in UTF-8) but 82, since it will be stored as
WOW &gt;&gt;&gt; &quot;NEW NEW NEW&quot;

It can also lead to errors in the order of data validation (which are present in phpBB).
My opinion is that the data should be stored in the form in which it arrived, and special characters converted on output, in the template engine.
Of course, converting special characters when writing to the database is more secure than converting them on output, since in one place the developer did everything correctly and in another he forgot (or another developer introduced the problem). But the first option can be considered a crutch.
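The approach argued for here, stated in code: the model stores the raw input, and one escaping helper in the view layer is the only place where HTML special characters are converted. This added example (not from the original article, and not phpBB's code) also serves the XSS interview question from the Programmers section; the names e(), storeMessage, renderMessage and isWithinLimit are illustrative, and the two messages are constructed.

```php
<?php
// Added example (not from the original article): store raw, escape at
// output through a single helper that every template uses.
declare(strict_types=1);

/** The one escaping function the template engine exposes. */
function e(string $value): string
{
    // ENT_QUOTES also converts single quotes, so the helper is safe inside
    // attribute values; the charset is stated explicitly.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** What the model stores: the raw user input, unchanged. Returns its id. */
function storeMessage(array &$db, string $raw): int
{
    $db[] = $raw;
    return count($db) - 1;
}

/** What the view emits: escaping happens here and only here. */
function renderMessage(string $raw): string
{
    return '<p class="msg">' . e($raw) . '</p>';
}

/** Validation runs on the raw value, so limits mean what the user typed. */
function isWithinLimit(string $raw, int $max): bool
{
    return mb_strlen($raw, 'UTF-8') <= $max;
}

// Constructed input: the message from the text plus a classic XSS probe.
$messages = [
    'WOW >>> "NEW NEW NEW"',
    '<script>alert(document.cookie)</script>',
];

$db = [];
foreach ($messages as $m) {
    $id = storeMessage($db, $m);
    printf("stored %d bytes, rendered %d bytes: %s\n",
        strlen($db[$id]), strlen(renderMessage($db[$id])), renderMessage($db[$id]));
}

// The "order of validation" problem: a length limit applied after escaping
// rejects input that was well within the limit as typed.
$limit = 25;
foreach ($messages as $m) {
    printf("raw %d chars -> %s; escaped %d chars -> %s\n",
        mb_strlen($m, 'UTF-8'), isWithinLimit($m, $limit) ? 'ok' : 'rejected',
        mb_strlen(e($m), 'UTF-8'), isWithinLimit(e($m), $limit) ? 'ok' : 'rejected');
}
```

The second loop shows why the author calls escape-on-write a crutch: the same message passes a 25-character limit as typed and fails it once the quotes and angle brackets have been expanded to entities, so validation and storage both behave more predictably on the raw value.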

Controller

The main vulnerabilities are most often found where data is manipulated. Here I want to repeat what I wrote in my first articles and suggest the following construction:

try {
    // try something
} catch (Exception $e) {
    echo "Sorry, an error occurred. The administrator has been notified!"; // user-facing text; original wording lost in extraction
    errorLog($e->getMessage());
}

where errorLog() writes an error entry to the database, sends an email to dev@example.com, or does something else. You will always be aware of every problem that occurs on the project. And if we use New Relic (mentioned in the first part of the article), we get monitoring as nice as this:
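One way to implement the construction above, as an added example that is not the article's own code: errorLog() records the exception together with request context in an append-only log, the user only ever sees a fixed message, and a global exception handler catches whatever escapes the controllers. The function names, the log file location and the sample failing controller are assumptions.

```php
<?php
// Added example (not from the original article): central error logging
// behind the try/catch construction. Log path and names are assumptions.
declare(strict_types=1);

/** Record the failure with request context; never echo details to the user. */
function errorLog(Throwable $e, ?string $logPath = null): string
{
    $logPath ??= sys_get_temp_dir() . '/app-error.log'; // assumed location
    $entry = json_encode([
        'time'    => date('c'),
        'uri'     => $_SERVER['REQUEST_URI'] ?? '-',
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '-',
        'type'    => get_class($e),
        'message' => $e->getMessage(),
        'where'   => $e->getFile() . ':' . $e->getLine(),
    ], JSON_UNESCAPED_SLASHES);
    // FILE_APPEND | LOCK_EX so parallel workers do not interleave entries.
    file_put_contents($logPath, $entry . "\n", FILE_APPEND | LOCK_EX);
    // A DB insert or mail() to dev@example.com could go here as well.
    return $entry;
}

const USER_MESSAGE = 'Sorry, an error occurred. The administrator has been notified!';

/** Run a controller action; on failure the user sees a fixed message, ops see the log. */
function runAction(callable $action): string
{
    try {
        return $action();
    } catch (Throwable $e) {
        errorLog($e);
        return USER_MESSAGE;
    }
}

// Anything thrown outside runAction() (bootstrap, routing) lands here, so a
// scanner probing index.php for non-existent paths is logged the same way.
set_exception_handler(static function (Throwable $e): void {
    errorLog($e);
    http_response_code(500);
    echo USER_MESSAGE;
});

// Constructed demo: a controller that fails on a request for an unknown path.
echo runAction(static function (): string {
    $path = '/phpmyadmin/'; // constructed request path
    throw new RuntimeException("No route for $path");
}), "\n";
```

Each log entry is one JSON line, which is what makes the "number of occurrences of this error" view mentioned below easy to build: group by the message field and count.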


An example of error logging when someone tried to find the phpMyAdmin address, for example using nikto

Time, log entry, and the number of occurrences of this error: error.log in a modern form.

Iterations

If your product is updated in iterations, then checking the code that goes to production fits easily into that process: a full diff is made and reviewed by experienced programmers or by the security department (or person).

Framework, CMS / CMF

Developing a product on a framework is not a panacea for security (RoR has confirmed this especially well since the beginning of the year). Using the most popular engines and relying fully on their API when developing modules is not a panacea either (WordPress => 3.5 XMLRPC pingback additional issues).

Conclusions?

My opinion remains the same: it is better to write all the code from scratch, already having experience in security (better still, in hacking / pentesting). But of course this is practically unfeasible in the modern world, since it requires quite large additional costs for a business (and it is quite difficult to find that many specialists at once).
By the way, on this subject I have an excellent chart (which I learned about from Alexey Babenko of Informzashchita, who in turn learned of it at an overseas security internship)


The optimal level of security at minimum cost. Picture found here

From which we can conclude that the initial investment gives a quick, sharp jump in security, but the larger the investment grows, the less the risk decreases.

Source: https://habr.com/ru/post/168823/