1. PHP Security
Hacks, attacks, and getting your site
back
Mizno Kruge
Carijasa, CTO
Email : mizno.kruge@gmail.com
Mobile : +62 813 1097 4914
Telegram : @mizno
2. the protection of computer systems from
the theft or damage to their hardware,
software or information, as well as from
disruption or misdirection of the services
3. From the news…
143 millions CC
$2.28 billion
market value.
https://techcrunch.com/tag/equifax-hack/
8. Data Link
Data packets are encoded and decoded
into bits
Media Access Control (MAC) : gains
access to the data and transmit
permission
Logical Link Control(LLC): controls
frame synchronization, flow control and
error checking
Tunnels, SSH, PPP, MAC (Ethernet
DSL, ISDN, FDDI)
9.
10. Network
switching and routing technologies,
creating logical paths, known as virtual
circuits, for transmitting data
from node to node
AppleTalk DDP, IP
11. Transport
Provides transparent transfer of data
between end systems, or hosts, and is
responsible for end-to-end error
recovery and flow control
TCP: Fast, low to moderate data
UDP : Slow, low to big data
13. Presentation
Provides independence from
differences in data representation
(e.g., encryption) by translating from
application to network format, and vice
versa
Encryption, ASCII, EBCDIC, TIFF, GIF,
PICT, JPEG, MPEG, MIDI.
14. Application
Provides application services for file
transfers, e-mail, and
other network software services. Telnet
and FTP are applications that exist
entirely in the application level. Tiered
application architectures are part of this
layer.
WWW browsers, Telnet, HTTP, FTP
17. Attack!
Active
attempts to alter system resources or
affect their operation
Passive
attempts to learn or make use of
information from the system but does
not affect system resources
23. Vulnerability
a weakness which allows an attacker to
reduce a system's information
assurance
intersection of three elements: a system
susceptibility or flaw, attacker access to
the flaw, and attacker capability to
exploit the flaw
30. SQL Injection Basics
$value = $_REQUEST['value'];
SELECT * FROM x WHERE y = '[MALICIOUS CODE
HERE]' ";
$sql = "SELECT * FROM x WHERE y = '$value'
";
$database->query($sql);
34. tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds to
your MySQL server version for the right syntax
to use near "password'" at line 1.
tail –n 1 /var/log/mysql/query.log
SELECT * FROM users WHERE username = 'admin'
AND password = 'password'';
$
$
35. tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds to
your MySQL server version for the right syntax
to use near "password'" at line 1.
tail –n 1 /var/log/mysql/query.log
SELECT * FROM users WHERE username = 'admin'
AND password = 'password'';
$
~~
$
38. tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds to
your MySQL server version for the right syntax
to use near "' test" at line 1.
tail –n 1 /var/log/mysql/query.log
SELECT * FROM users WHERE username = 'admin'
AND password = '' test';
$
$
39. tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds to
your MySQL server version for the right syntax
to use near "' test" at line 1.
tail –n 1 /var/log/mysql/query.log
SELECT * FROM users WHERE username = 'admin'
AND password = '' test';
$
$
~~~~~~~~
40. ~~~~~~~~
SELECT * FROM users WHERE username = 'admin'
AND password = '' test';
SELECT * FROM users WHERE username = 'admin'
AND password = '';
SELECT * FROM users WHERE username = 'admin'
AND password = '' OR (something that is true);
SELECT * FROM users WHERE username = 'admin'
AND (true);
SELECT * FROM users WHERE username = 'admin';
41. SELECT * FROM users WHERE username = 'admin' AND
password = '' test ';
' test
42. SELECT * FROM users WHERE username = 'admin' AND
password = '' test ';
' test
SELECT * FROM users WHERE username = 'admin' AND
password = '' test ';
~~~~~~~~~~~~~~~
43. SELECT * FROM users WHERE username = 'admin' AND
password = ' ';
SELECT * FROM users WHERE username = 'admin' AND
password = ' ';
44. SELECT * FROM users WHERE username = 'admin' AND
password = '' ';
'
SELECT * FROM users WHERE username = 'admin' AND
password = '' ';
~~~
45. SELECT * FROM users WHERE username = 'admin' AND
password = '' ' ';
' '
SELECT * FROM users WHERE username = 'admin' AND
password = '' ' ';
~~~~~~~~~~~~~~
46. SELECT * FROM users WHERE username = 'admin' AND
password = '' OR ' ';
' OR '
SELECT * FROM users WHERE username = 'admin' AND
password = '' OR ' ';
47. SELECT * FROM users WHERE username = 'admin' AND
password = '' OR '1'='1';
' OR '1'='1
SELECT * FROM users WHERE username = 'admin' AND
password = '' OR '1'='1';
53. Username
Password
Log In
admin
' AND (SELECT id FROM user LIMIT 1) = '
Unknown error.
ErrorsQuery
SELECT * FROM users WHERE username = 'admin' AND
password = '' AND (SELECT id FROM user LIMIT 1) = '';
58. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/123
SELECT * FROM books WHERE id
$id = …;
$sql = "SELECT title, author,
price FROM books WHERE id = "
. $id;
$data = $database-
>query($sql);
{
'title' => 'The Great Gats
'author' => 'F. Scott Fitzge
'price' => 9.75
}
59. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999
SELECT * FROM books WHERE id =
$id = …;
$sql = "SELECT title, author,
price FROM books WHERE id = "
. $id;
$data = $database-
>query($sql);
{
}
60. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/?????
SELECT * FROM books WHERE id =
$id = …;
$sql = "SELECT title, author,
price FROM books WHERE id = "
. $id;
$data = $database-
>query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00
}
61. SQL UNION Query
Column 1 Column 2 Column 3
The Great Gatsby F. Scott Fitzgerald 9.75
Column
1
Column 2 Column 3
Foo Bar 123
Column 1 Column 2 Column 3
The Great Gatsby F. Scott Fitzgerald 9.75
Foo Bar 123
UNION
62. SQL UNION Query
Column 1 Column 2 Column 3
The Great Gatsby F. Scott Fitzgerald 9.75
Column
1
Column 2 Column 3
(SELECT
)
1 1
Column 1 Column 2 Column 3
The Great Gatsby F. Scott Fitzgerald 9.75
(SELECT) 1 1
UNION
64. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT
creditcards
SELECT * FROM books WHERE id =
$id = …;
$sql = "SELECT title, author,
price FROM books WHERE id = "
. $id;
$data = $database-
>query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00
}
65. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT
number AS 'title', 1 AS 'author', 1 AS 'price' FROM
creditcards
SELECT * FROM books WHERE id =
$id = …;
$sql = "SELECT title, author,
price FROM books WHERE id = "
. $id;
$data = $database-
>query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00
}
66. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT
number AS 'title', 1 AS 'author', 1 AS 'price' FROM
creditcards
SELECT * FROM books WHERE id =
99999 UNION SELECT number AS
'title', 1 AS 'author', 1 AS
'price' FROM creditcards
$id = …;
$sql = "SELECT title, author,
price FROM books WHERE id = "
. $id;
$data = $database-
>query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00
67. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT
number AS 'title', 1 AS 'author', 1 AS 'price' FROM
creditcards
SELECT * FROM books WHERE id =
99999 UNION SELECT number AS
'title', 1 AS 'author', 1 AS
'price' FROM creditcards
$id = …;
$sql = "SELECT title, author,
price FROM books WHERE id = "
. $id;
$data = $database-
>query($sql);
{
'title' => '4012-3456-7890-
'author' => 1,
'price' => 1
68. $val = $_REQUEST['value'];
$sql = "SELECT * FROM x WHERE y = '$val'
";
$database->query($sql);
Protecting Against
SQL Injection
Block input with
special characters
69. Protecting
Against SQL
Injection
Block input with
special characters
Escape user input
$value = $_REQUEST['value'];
$escaped = mysqli_real_escape_string($value);
$sql = "SELECT * FROM x WHERE y = '$escaped' ";
$database->query($sql);
' OR '1'
= '1
' OR '1'
= '1
mysqli_real_escape_string()
SELECT * FROM x
WHERE y = '' OR '1' = '1'
70. Protecting
Against SQL
Injection
Block input with
special characters
Escape user input
$value = $_REQUEST['value'];
$escaped = mysqli_real_escape_string($value);
$sql = "SELECT * FROM x WHERE y = '$escaped' ";
$database->query($sql);
' OR '1'
= '1
' OR '1'
= '1
mysqli_real_escape_string()
SELECT * FROM x
WHERE y = '' OR '1' = '1'
71. Protecting
Against SQL
Injection
Block input with
special characters
Escape user input
Use prepared
statements
$mysqli = new mysqli("localhost", "user", "pass", "db");
$q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' ");
$q->bind_param(1, $_REQUEST['value']);
$q->execute();
Native PHP:
● mysqli
● pdo_mysql
Frameworks / Libraries:
● Doctrine
● Eloquent
● Zend_Db
72. Other Types of Injection
NoSQL databases
OS Commands
LDAP Queries
SMTP Headers
73. XSS
Cross-Site Scripting
Injecting code into
the webpage (for
other users)
• Execute malicious
scripts
• Hijack sessions
• Install malware
• Deface websites
74. XSS Attack
Basics
Raw code/script
is injected onto a
page
$value = $_POST['value'];
$value = $rssFeed->first->title;
$value = db_fetch('SELECT x FROM table');
<?php echo $value ?>
75. XSS – Cross-Site Scripting
Basics
Snipicons by Snip Master licensed under CC BY-NC 3.0.
Cookie icon by Daniele De Santis licensed under CC BY 3.0.
Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png
Logos are copyright of their respective owners.
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input type="password" value="hacked123">
</form>
<script>
document.getElementById('evilform').submit();
</script>
81. XSS – Cross-Site Scripting
short.ly
<script>alert('hello world!');</script> Shorten
Short URL: http://short.ly/3bs8a
Original URL:
hello world!
OK
X
82. XSS – Cross-Site Scripting
short.ly
<script>alert('hello world!');</script> Shorten
Short URL: http://short.ly/3bs8a
Original URL:
93. CSRF
Cross-Site Request
Forgery
Execute unwanted
actions on another
site which user is
logged in to.
• Change password
• Transfer funds
• Anything the user
can do
94. CSRF – Cross-Site Request
Forgery
Hi Facebook! I am
colinodell and my
password is *****.
Welcome Colin!
Here’s your
news feed.
Snipicons by Snip Master licensed under CC BY-NC 3.0.
Cookie icon by Daniele De Santis licensed under CC BY 3.0.
Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png
Logos are copyright of their respective owners.
95. CSRF – Cross-Site Request
Forgery
Hi other website!
Show me your
homepage.
Sure, here you go!
Snipicons by Snip Master licensed under CC BY-NC 3.0.
Cookie icon by Daniele De Santis licensed under CC BY 3.0.
Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png
Logos are copyright of their respective owners.
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input type="password" value="hacked123">
</form>
<script>
document.getElementById('evilform').submit();
</script>
97. CSRF – Cross-Site Request
Forgery
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input type="password" value="hacked123">
</form>
<script>
document.getElementById('evilform').submit();
</script>
Tell Facebook we want to
change our password to
hacked123
Snipicons by Snip Master licensed under CC BY-NC 3.0.
Cookie icon by Daniele De Santis licensed under CC BY 3.0.
Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png
Logos are copyright of their respective owners.
98. CSRF – Cross-Site Request
Forgery
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input type="password" value="hacked123">
</form>
<script>
document.getElementById('evilform').submit();
</script>
Hi Facebook! Please
change my password
to hacked123.
Snipicons by Snip Master licensed under CC BY-NC 3.0.
Cookie icon by Daniele De Santis licensed under CC BY 3.0.
Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png
Logos are copyright of their respective owners.
Done!
100. CSRF – Cross-Site Request
Forgery
short.ly
Please wait while we redirect you to
X
101. Protecting
Against CSRF
Attacks
Use randomized
CSRF tokens <input type="hidden" name="token"
value="ao3i4yw90sae8rhsdrf">
1. Generate a random string per user.
2. Store it in their session.
3. Add to form as hidden field.
4. Compare submitted value to session
1.Same token? Proceed.
2.Different/missing? Reject the
request.
110. Protecting
Against
Insecure Direct
Object
References
Check permission
on data input
Check permission
on data output
• Do they have permission to
access this object?
• Do they have permission to
even know this exists?
• This is not “security
through obscurity”
118. Private information that is stored, transmitted, or backed-up in clear text (or with weak encryption)
• Customer information
• Credit card numbers
• Credentials
Sensitive Data Exposure
119. Security Misconfiguration &
Components with Known
Vulnerabilities
Default accounts enabled; weak passwords
• admin / admin
Security configuration
• Does SSH grant root access?
• Are weak encryption keys used?
Out-of-date software
• Old versions with known issues
• Are the versions exposed?
• Unused software running (FTP server)
123. Protecting
Against
Sensitive Data Exposure, Security
Misconfiguration, and
Components with Known
Vulnerabilities
Keep software up-
to-date
• Install critical updates
immediately
• Install other updates regularly
124. Protecting
Against
Sensitive Data Exposure, Security
Misconfiguration, and
Components with Known
Vulnerabilities
Keep software up-
to-date
Keep sensitive data
out of web root
• Files which provide version
numbers
• README, CHANGELOG, .git, composer.lock
• Database credentials & API keys
• Encryption keys
125. Protecting
Against
Sensitive Data Exposure, Security
Misconfiguration, and
Components with Known
Vulnerabilities
Keep software up-
to-date
Keep sensitive data
out of web root
Use strong
encryption
• Encrypt with a strong private
key
• Encrypt backups and data-in-
transit
• Use strong hashing techniques
for passwords
126. Protecting
Against
Sensitive Data Exposure, Security
Misconfiguration, and
Components with Known
Vulnerabilities
Keep software up-
to-date
Keep sensitive data
out of web root
Use strong
encryption
Test your systems
• Scan your systems with automated
tools
• Test critical components
yourself
• Automated tests
• Manual tests
127. Next Steps
Test your own applications for
vulnerabilities
Learn more about security & ethical hacking
Enter security competitions (like CtF)
Stay informed
128.
129. WordPress Hacks
Warning! Massive Number of GoDaddy
WordPress Blogs Hacked!
DreamHost: One Million Domains Hacked;
WordPress Blogs Infected
WordPress Sites on GoDaddy, Bluehost
Hacked
Reuters Hacked Again, Outdated
WordPress Blog At Fault?
InMotion Hosting Servers Hacked,
Thousands of Web Sites Affected
130. WordPress Hacks
History shows there have been very few
“WordPress Hacks”
“ In the vast majority of cases I see,
attackers get in some other way, and
then once already in the system, they
go looking for WordPress installs.” --
Mark Jaquith
132. WordPress Hacks
Most hacks that affect WordPress
actually originate outside of WordPress
Core.
TimThumb (PHP library, many
themes/plugins)
Uploadify (jQuery plugin, many
themes/plugins)
Adserve (plugin)
WassUp (plugin)
Is Human (plugin)
133. Shared Hosting
Shared hosting? Shared security!
Other users on the same server as you
can become a security risk that affects
you
What about your own users? Can you
trust everyone who has a login for your
site? Really trust them?
https://www.tcpiputils.com/reverse-ip
http://www.ipneighbour.com/
134. How do hackers get in?
Known exploits in vulnerable software
Brute-force password hacking
Network scanners
Firesheep
Wifi vulnerabilities (WEP/WPA)
Automated tools
Rootkits
140. Now What?
You can no longer trust any code files
Nuke the site, start from trusted, fresh
copies
Save wp-config.php and wp-content/uploads
Reinstall data from backups
You do have backups, right?
Right?
141. What do I back up?
Database
Uploaded media (wp-content/uploads)
Custom themes and plugins
wp-config.php
Keep a list of your installed third-party
plugins
142. How do I back up?
Backup Buddy
VaultPress
WordPress Backup to Dropbox
143. It can happen to you
It can happen to me
It can happen to everyone, eventually
-- Yes, It Can Happen, 90125
144. Healthy Paranoia
Use strong passwords
Two-factor authentication -- Google
Authenticator plugin
Use separate WordPress logins for
publishing day-to-day content and for
site administration
Limit who can login to your site, and
what permissions they have
Create temporary accounts for developers, if
necessary
145. Healthy Paranoia
Use secure protocols: SFTP, SCP, SSH --
not FTP
If possible, enforce SSL on WordPress logins
and dashboard access
Ensure MySQL server is not accessible to
other hosts
Same goes for memcache (or any other data
store)
146. Getting help
Security is part of the cost of doing business, like insurance
If you don’t know how to do all this, retain the services of
someone who does
Managed hosting:
Page.ly
WordPress.com
WP Engine
Zippykid
Cloudways
AWS with pre-built WP optimized
