1 of 27

Développement PHP sécurisé

IGF – Juillet 2017 (Alger)�Emilio Pérez Mayuet�Guillermo Obispo San Román�

2 of 27

Index

Introduction
Le langage de programmation
Le Framework
Les librairies de tiers
Bonus Track +

3 of 27

PHP est une technologie open source qui est à la fois:

Un langage de programmation,
Un Framework pour le développement web, et
Une grand communauté qui produit des nombreux modules.

Introduction

4 of 27

Des principaux questions à prendre en compte

Faiblement typé
Exceptions et gestion des erreurs
Le fichier de configuration php.ini
Built-in intégrées dangereux

Le langage de programmation

5 of 27

Faiblement typé

PHP va convertir automatiquement les données d'un type incorrect dans le type attendu
Masquer des erreurs par le développeur ou des injections
Essayer d’utiliser des fonctions et opérateurs qui ne font pas de conversion de type implicite
Tous les opérateurs ne disposent pas de versions strictes
De nombreuses fonctions intégrées utilisent par défaut des fonctions de comparaison faiblement typées
Ce qui rend difficile l'écriture du code correct

Le langage de programmation

6 of 27

Faiblement typé

Éviter des conversions de type implicites, ej: Utiliser “===” au lieu de “==”.
Il y a des opérateurs sans versions strictes comme majeure que “>” ou moindre que “<”.
Plusieurs fonctions intégrées (comme in_array) utilisent par défaut des fonctions de comparaison faiblement typées, ce qui rend difficile l'écriture du code correct.

Le langage de programmation

DEMO 1

7 of 27

Le langage de programmation

8 of 27

Exceptions et gestion des erreurs

Librairies que n'utilisent pas d'exceptions, mais signalent les erreurs d'une autre façon (par exemple via des avis)
Permettent au code défectueux de continuer à fonctionner
Dans d’autres langues de haut niveau les conditions d'erreur entraînent l'arrêt du programme (plus sûr)

Pour les erreurs du développeur et les erreurs d'exécution

Le langage de programmation

9 of 27

Le langage de programmation

10 of 27

Le fichier de configuration php.ini

PHP dépend fortement des valeurs de paramètres de configuration
Y compris la façon dont les erreurs sont traitées
Écriture de code qui fonctionne correctement en toutes circonstances très difficile
Différentes librairies peuvent différentes concernant ces paramètres
Difficile utilisation correcte du code tiers

Le langage de programmation

11 of 27

Built-in intégrées dangereux

PHP est doté de nombreuses fonctions intégrées qui semblent fournir de la sécurité,

mais sont souvent buggés et, en fait, sont des moyens inutiles de résoudre les problèmes de sécurité

P.e., addslashes, mysql_escape_string, mysql_real_escape_string
Obsolètes et supprimés mais compatibilité ascendante
PHP fournit une structure « array » de données qui est un mélange confus entre un array et un dictionnaire
Cette confusion peut introduire des failles de sécurité critiques

Le langage de programmation

12 of 27

Le langage de programmation

13 of 27

Des principaux questions à prendre en compte

Routage d’URL
Gestion des entrées
Langage de modèle
D’autres

Le Framework de développement

14 of 27

Routage d’URL

Le mécanisme intégré de routage d'URL de PHP est d'utiliser des fichiers se terminant par « .php » dans la structure de répertoire. Cela ouvre plusieurs vulnérabilités:

Vulnérabilité d'exécution à distance pour toutes les fonctions de transfert de fichiers qui ne désinfectez pas le nom de fichier.
Assurez-vous que lors de l'enregistrement des fichiers téléchargés, le contenu et le nom sont convenablement désinfecté.

Le Framework de développement

URL routing

PHP’s built-in URL routing mechanism is to use files ending in “.php” in the directory structure. This opens up several vulnerabilities:

Remote execution vulnerability for every file upload feature that does not sanitise the filename. (In other words, the web server executes something instead of serving it). Ensure that when saving uploaded files, the content and filename are appropriately sanitised.
Source code, including config files, are stored in publicly accessible directories along with files that are meant to be downloaded (such as static assets). Misconfiguration (or lack of configuration) can mean that source code or config files that contain secret information can be downloaded by attackers. (In other words, the web server serves a resource which should have been private or executable only). You can use .htaccess to limit access. This is not ideal, because it is insecure by default, but there is no other alternative.
The URL routing mechanism is the same as the module system. This means it is often possible for attackers to use files as entry points which were not designed as such. This can open up vulnerabilities where authentication mechanisms are bypassed entirely - a simple refactoring that pulls code out into a separate file can open a vulnerability. This is made particularly easy in PHP because it has globally accessible request data ($_GET etc), so file-level code can be imperative code that operates on the request, rather than needing request handling code to be within function definitions.
The lack of a proper URL routing mechanism often leads to developers creating their own ad-hoc methods. These are often insecure and fail to apply appropriate authorization restrictions on different request handling functionality.

15 of 27

Le Framework de développement

DEMO 4

URL routing

PHP’s built-in URL routing mechanism is to use files ending in “.php” in the directory structure. This opens up several vulnerabilities:

Remote execution vulnerability for every file upload feature that does not sanitise the filename. (In other words, the web server executes something instead of serving it). Ensure that when saving uploaded files, the content and filename are appropriately sanitised.
Source code, including config files, are stored in publicly accessible directories along with files that are meant to be downloaded (such as static assets). Misconfiguration (or lack of configuration) can mean that source code or config files that contain secret information can be downloaded by attackers. (In other words, the web server serves a resource which should have been private or executable only). You can use .htaccess to limit access. This is not ideal, because it is insecure by default, but there is no other alternative.
The URL routing mechanism is the same as the module system. This means it is often possible for attackers to use files as entry points which were not designed as such. This can open up vulnerabilities where authentication mechanisms are bypassed entirely - a simple refactoring that pulls code out into a separate file can open a vulnerability. This is made particularly easy in PHP because it has globally accessible request data ($_GET etc), so file-level code can be imperative code that operates on the request, rather than needing request handling code to be within function definitions.
The lack of a proper URL routing mechanism often leads to developers creating their own ad-hoc methods. These are often insecure and fail to apply appropriate authorization restrictions on different request handling functionality.

16 of 27

Routage d’URL

Le code source, y compris fichiers de configuration, sont stockés dans des répertoires accessibles au public avec les fichiers qui sont destinés à être téléchargés.
Une mauvaise configuration (ou l'absence de configuration) peut signifier que les fichiers de code source ou configuration qui contiennent des informations secrètes peuvent être téléchargés par des attaquants.
Vous pouvez utiliser .htaccess pour limiter l'accès. Ce n'est pas idéal, car il est peu sûr par défaut, mais il n'y a pas d'autre alternative.

Le Framework de développement

URL routing

PHP’s built-in URL routing mechanism is to use files ending in “.php” in the directory structure. This opens up several vulnerabilities:

Remote execution vulnerability for every file upload feature that does not sanitise the filename. (In other words, the web server executes something instead of serving it). Ensure that when saving uploaded files, the content and filename are appropriately sanitised.
Source code, including config files, are stored in publicly accessible directories along with files that are meant to be downloaded (such as static assets). Misconfiguration (or lack of configuration) can mean that source code or config files that contain secret information can be downloaded by attackers. (In other words, the web server serves a resource which should have been private or executable only). You can use .htaccess to limit access. This is not ideal, because it is insecure by default, but there is no other alternative.
The URL routing mechanism is the same as the module system. This means it is often possible for attackers to use files as entry points which were not designed as such. This can open up vulnerabilities where authentication mechanisms are bypassed entirely - a simple refactoring that pulls code out into a separate file can open a vulnerability. This is made particularly easy in PHP because it has globally accessible request data ($_GET etc), so file-level code can be imperative code that operates on the request, rather than needing request handling code to be within function definitions.
The lack of a proper URL routing mechanism often leads to developers creating their own ad-hoc methods. These are often insecure and fail to apply appropriate authorization restrictions on different request handling functionality.

17 of 27

Routage d’URL

Le mécanisme de routage d'URL est la même que le système de module. Cela signifie qu'il est possible souvent pour les pirates d’utiliser des fichiers comme points d'entrée qui ne sont pas conçus en tant que tel. Cela peut ouvrir des vulnérabilités où les mécanismes d'authentification sont contournées entièrement - un simple refactoring qui extraire du code dans un fichier séparé peut ouvrir une vulnérabilité.

Le Framework de développement

URL routing

PHP’s built-in URL routing mechanism is to use files ending in “.php” in the directory structure. This opens up several vulnerabilities:

Remote execution vulnerability for every file upload feature that does not sanitise the filename. (In other words, the web server executes something instead of serving it). Ensure that when saving uploaded files, the content and filename are appropriately sanitised.
Source code, including config files, are stored in publicly accessible directories along with files that are meant to be downloaded (such as static assets). Misconfiguration (or lack of configuration) can mean that source code or config files that contain secret information can be downloaded by attackers. (In other words, the web server serves a resource which should have been private or executable only). You can use .htaccess to limit access. This is not ideal, because it is insecure by default, but there is no other alternative.
The URL routing mechanism is the same as the module system. This means it is often possible for attackers to use files as entry points which were not designed as such. This can open up vulnerabilities where authentication mechanisms are bypassed entirely - a simple refactoring that pulls code out into a separate file can open a vulnerability. This is made particularly easy in PHP because it has globally accessible request data ($_GET etc), so file-level code can be imperative code that operates on the request, rather than needing request handling code to be within function definitions.
The lack of a proper URL routing mechanism often leads to developers creating their own ad-hoc methods. These are often insecure and fail to apply appropriate authorization restrictions on different request handling functionality.

18 of 27

Routage d’URL

Ceci est rendu facilement en PHP en particulier parce qu'il a des demandes de données globalement accessibles ($ _GET etc.), de sorte que le code de niveau fichier peut être code impératif qui fonctionne à la demande, plutôt que d'avoir besoin d’un code de gestion de la demande d'être dans les définitions de fonction.

Le Framework de développement

URL routing

PHP’s built-in URL routing mechanism is to use files ending in “.php” in the directory structure. This opens up several vulnerabilities:

Remote execution vulnerability for every file upload feature that does not sanitise the filename. (In other words, the web server executes something instead of serving it). Ensure that when saving uploaded files, the content and filename are appropriately sanitised.
Source code, including config files, are stored in publicly accessible directories along with files that are meant to be downloaded (such as static assets). Misconfiguration (or lack of configuration) can mean that source code or config files that contain secret information can be downloaded by attackers. (In other words, the web server serves a resource which should have been private or executable only). You can use .htaccess to limit access. This is not ideal, because it is insecure by default, but there is no other alternative.
The URL routing mechanism is the same as the module system. This means it is often possible for attackers to use files as entry points which were not designed as such. This can open up vulnerabilities where authentication mechanisms are bypassed entirely - a simple refactoring that pulls code out into a separate file can open a vulnerability. This is made particularly easy in PHP because it has globally accessible request data ($_GET etc), so file-level code can be imperative code that operates on the request, rather than needing request handling code to be within function definitions.
The lack of a proper URL routing mechanism often leads to developers creating their own ad-hoc methods. These are often insecure and fail to apply appropriate authorization restrictions on different request handling functionality.

19 of 27

Routage d’URL

L'absence d'un mécanisme approprié de routage d'URL conduit souvent à les développeurs de créer des méthodes propres ad hoc. Ceux-ci sont souvent précaires et ne parviennent pas à appliquer des restrictions d'autorisation appropriées sur des différentes fonctionnalités de traitement de la demande.

Le Framework de développement

URL routing

PHP’s built-in URL routing mechanism is to use files ending in “.php” in the directory structure. This opens up several vulnerabilities:

Remote execution vulnerability for every file upload feature that does not sanitise the filename. (In other words, the web server executes something instead of serving it). Ensure that when saving uploaded files, the content and filename are appropriately sanitised.
Source code, including config files, are stored in publicly accessible directories along with files that are meant to be downloaded (such as static assets). Misconfiguration (or lack of configuration) can mean that source code or config files that contain secret information can be downloaded by attackers. (In other words, the web server serves a resource which should have been private or executable only). You can use .htaccess to limit access. This is not ideal, because it is insecure by default, but there is no other alternative.
The URL routing mechanism is the same as the module system. This means it is often possible for attackers to use files as entry points which were not designed as such. This can open up vulnerabilities where authentication mechanisms are bypassed entirely - a simple refactoring that pulls code out into a separate file can open a vulnerability. This is made particularly easy in PHP because it has globally accessible request data ($_GET etc), so file-level code can be imperative code that operates on the request, rather than needing request handling code to be within function definitions.
The lack of a proper URL routing mechanism often leads to developers creating their own ad-hoc methods. These are often insecure and fail to apply appropriate authorization restrictions on different request handling functionality.

20 of 27

Gestion des entrées

Au lieu de traiter les entrées HTTP comme de simples chaînes, PHP construira des arrays depuis l’entrée HTTP, pour le control du client
Cela peut conduire à la confusion sur les données, et peut conduire facilement à des bogues de sécurité

Le Framework de développement

21 of 27

Le Framework de développement

22 of 27

Langage de modèle

PHP est essentiellement un langage de modèle
Cependant, les codes HTML ne sont pas HTML échappés par défaut
Ce qui le rend très problématique pour une utilisation dans une application web

Le Framework de développement

23 of 27

D’autres

Un framework web devrait fournir un mécanisme de protection CSRF activé par défaut
PHP est doté d'un framework web rudimentaire qui est suffisamment fonctionnel pour permettre de créer des sites web
Aucune connaissance de la nécessité de la protection CSRF

Le Framework de développement

24 of 27

Le Framework de développement

DEMO 6

25 of 27

Les librairies et les projets écrits en PHP sont souvent insécurisés
En particulier sans frameworks web appropriés
Il ne faut pas faire confiance au code PHP trouvé sur le web
Le code PHP mal écrit entraîne souvent des avertissements émis

Solution: éteindre tous les avis, ce qui est exactement le contraire de ce qu'il faut faire et entraîne un code progressivement pire

Les librairies de tiers�

26 of 27

Des principaux questions à prendre en compte

Mettre à jour régulièrement PHP
Configuration
Erreurs courantes sur le traitement de $ _FILES
Pas d’utiliser $ _Request
Utiliser « Prepared Statement »
UTF-8 (arab, français)
Database Cheat Sheet
XSS Cheat Sheet
CSRF Cheat Sheet
Authentification et gestion de session
Vérification du code avec un collègue

Le Bonus Track +

27 of 27

IGF – Juillet 2017 (Alger)�Emilio Pérez Mayuet�Guillermo Obispo San Román

صحا