the security state of
play

The Security State of Open Source PHP Applications Dr. Johannes - PowerPoint PPT Presentation

Jul 24, 2023 •33 likes •673 views

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH Introduction About Johannes Dahse Master IT Security at RUB, Germany (2006 - 2012) Capture The Flag (CTF) Contests Security Consultant

  1. The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

  2. Introduction About Johannes Dahse ● Master IT Security at RUB, Germany (2006 - 2012) ● Capture The Flag (CTF) Contests ● Security Consultant ● Developer of RIPS open source security scanner (2009 - 2011) ● PhD in „Static Code Analysis“ at RUB (2013 - 2016) ● CEO & Co-Founder RIPS Technologies GmbH

  3. Introduction Why care about PHP security? #1 Choice 22 Attacks/Day of cyber criminals on an average website 90% $3.8M use open source libraries average data breach costs

  4. Introduction The Security State of Top 5 PHP Applications Top 50 PHP Applications PHP Application Extensions Top 6 PHP Frameworks

  5. The Security State of the Top 5 PHP Applications

  6. The Security State of the Top 5 PHP Applications CMS Market Share WordPress 25% Joomla! Drupal 1% Magento 2% 60% 5% Typo3 7% Other Source: w3techs.com

  7. Top 5 PHP Applications Security Features Application Prepared Template CSRF Password Security Auto Bug Bounty (latest version) Statements Engine Protection Hashing Team Update* Program WordPress vsprintf() none yes phpass yes yes yes Joomla! MySQLi custom yes bcrypt yes no no Drupal PDO Twig yes salted sha-512 yes no 2015 Magento PDO custom yes salted sha-256 yes no yes Typo3 Doctrine Fluid yes pbkdf2 yes yes no *Pro/Con Discussion: https://www.drupal.org/node/2367319

  8. Top 5 PHP Applications Vulnerabilities Number of Vulnerabilities per Year 45 40 WordPress 35 Joomla! 30 25 Drupal 20 15 Magento 10 Typo3 5 0 2010 2011 2012 2013 2014 2015 2016 2017 Source: cvedetails.com

  9. Top 5 PHP Applications Vulnerabilities Number of Critical Vulnerabilities per Year (CVSS Score > 7) 8 WordPress 7 6 Joomla! 5 4 Drupal 3 Magento 2 1 Typo3 0 2010 2011 2012 2013 2014 2015 2016 2017 Source: cvedetails.com

  10. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 ● MySQL‘s utf8 charset only supports 3-byte characters ● Strings with 4-byte characters will be truncated when inserted into utf8 columns Insert: test 𝌇 123 Result: test ● Solution: Use MySQL strict mode or latin1 charset https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  11. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  12. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 < div class="comment" id="comment-1" > < div class="comment-content" > < a title='test 𝌇 123' >click</ a > </ div > </ div > https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  13. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 < div class="comment" id="comment-1" > < div class="comment-content" > < a title='test </div> </div> https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  14. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 < div class="comment" id="comment-1" > < div class="comment-content" > < a title='test </div> </div> <div class="comment" id="comment-2"> <div class="comment-content"> hack' onmouseover=' alert(1) ' style='width :100%; height :100%; … ' </ div > </ div > https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  15. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  16. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 class LoginController extends JControllerLegacy { public function login() { ⋮ $app = JFactory:: getApplication (); ⋮ $model = $this->getModel( 'login' ); $credentials = $model->getState( 'credentials' ); ⋮ $app->login($credentials, array ( 'action' => 'core.login.admin' )); } https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  17. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 class JApplicationCms extends JApplicationWeb { public function login($credentials, $options = array ()) { ⋮ $authenticate->authenticate($credentials, $options); } } class JAuthentication extends Jobject { public function authenticate($credentials, $options = array ()) { ⋮ $plugin ->onUserAuthenticate($credentials, $options, $response); } https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  18. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 class PlgAuthenticationLdap extends JPlugin { public function onUserAuthenticate($credentials, $options, &$response){ ⋮ $userdetails = $ldap->simple_search( str_replace( '[search]' , $credentials[ 'username' ], $this-> params ->get( 'search_string' ) // uid=[search] ) ); } https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  19. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 XXX;(&(uid=Admin)(userPassword= A* )) XXX;(&(uid=Admin)(userPassword= B* )) XXX;(&(uid=Admin)(userPassword= C* )) ... XXX;(&(uid=Admin)(userPassword= s* )) ... XXX;(&(uid=Admin)(userPassword= se* )) ... XXX;(&(uid=Admin)(userPassword= sec* )) ... XXX;(&(uid=Admin)(userPassword= secretPassword )) https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  20. Top 5 PHP Applications Vulnerability Demo #2

  21. Top 5 PHP Applications Conclusion ● Good security features by default ● Great security teams ● Bug bounty programs ● But very attractive targets ● Average 14 security issues reported per year ● Average 1-2 critical issues reported per year https://codex.wordpress.org/Hardening_WordPress ● As secure/insecure as any other popular software https://docs.joomla.org/Security_Checklist/en https://www.drupal.org/docs/8/security https://magento.com/security/best-practices https://docs.typo3.org/typo3cms/SecurityGuide/

  22. The Security State of the Top 50 PHP Applications

  23. The Security State of the Top 50 PHP Applications ● PHP Applications within the list of popular CMS (w3techs.com) ● E.g. PrestaShop, phpBB, SugarCRM ● Popular PHP Applications with a similar high google trend ● E.g. phpMyAdmin, Piwik, Roundcube ● 50 Applications, 13.2 MLOC total (300 KLOC average) ● Automated code analysis

  24. Top 50 PHP Applications Security State Time To Fix (if) Critical Detected by RIPS Security Contact Available 33% 39% 42% 44% 56% 58% 28% Yes No Yes No 2 weeks 6 weeks 3 month

  25. Top 50 PHP Applications Attack Vectors File Inclusion Code Execution SQL Injection Path Traversal File Upload PHP Object Injection Command Execution Cross-Site Scripting

  26. Top 50 PHP Applications Critical Examples Software Attack Vector detected by RIPS Roundcube Command Execution via Email FreePBX Command Execution via Cross-Site Scripting Coppermine Command Execution via SQL Injection osClass Command Execution via Local File Inclusion Expression Engine Command Execution via PHP Object Injection KLIQQI CMS Command Execution via Cross-Site Request Forgery Redaxo CMS Command Execution via Cross-Site Request Forgery Precurio Command Execution via Path Traversal Serendipity Command Execution via Logical Flaw https://demo.ripstech.com

  27. Top 50 PHP Applications Vulnerability Example #1 CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2 https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

  28. Top 50 PHP Applications Vulnerability Example #1 CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2 $from = rcube_utils:: get_input_value ( '_from' , rcube_utils:: INPUT_POST ); $RCMAIL->deliver_message($MAIL, $from, $mailto, $error); public function deliver_message(&$message, $from, $mailto, &$error) { ⋮ if (filter_var(ini_get( 'safe_mode' ), FILTER_VALIDATE_BOOLEAN )) $sent = mail($to, $subject, $msg_body, $header_str); else $sent = mail($to, $subject, $msg_body, $header_str, "-f $from " ); https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

  29. Top 50 PHP Applications Vulnerability Example #1 CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2 $from = rcube_utils:: get_input_value ( '_from' , rcube_utils:: INPUT_POST ); $RCMAIL->deliver_message($MAIL, $from, $mailto, $error); public function deliver_message(&$message, $from, $mailto, &$error) { ⋮ if (filter_var(ini_get( 'safe_mode' ), FILTER_VALIDATE_BOOLEAN )) $sent = mail($to, $subject, $msg_body, $header_str); else $sent = mail ($to, $subject, $msg_body, $header_str, "-f $from " ); https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

Recommend

The State: Militarism, National Security, Imperialism Lecture points: Nation and State under

The State: Militarism, National Security, Imperialism Lecture points: Nation and State under

Session 9 The State: Militarism, National Security, Imperialism Lecture points: Nation and State under Security The State of Siege Politics as Force War is the New Nation The Absolute Security Agenda Reordering

377 views • 8 slides
Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical Security Approaches Adam Healy, CISO State of Crypto Asset Security 2016 Market Capitalization NASDAQ 1 ~$7.8 trillion London Stock Exchange 1

291 views • 12 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &amp;

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &amp;

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &amp; Google Brain Lecture for Prof. Trent Jaegers CSE 543 Computer Security Class November 2017 - Penn State Thank you to my collaborators Patrick

635 views • 59 slides
Protection and Security - I Tevfik Ko ar Louisiana State University April 15 th , 2008 1 The

Protection and Security - I Tevfik Ko ar Louisiana State University April 15 th , 2008 1 The

CSC 4103 - Operating Systems Spring 2008 Lecture - XX Protection and Security - I Tevfik Ko ar Louisiana State University April 15 th , 2008 1 The Security Problem Security must consider external environment of the system, and

236 views • 7 slides
St State ate of Al f Alas aska ka Presented by Department of Administration State Security

St State ate of Al f Alas aska ka Presented by Department of Administration State Security

St State ate of Al f Alas aska ka Presented by Department of Administration State Security Office Mark Breunig, CISO April 30, 2019 1 A Brief History External Factors Increasing external threats Successful cyber-attacks, and

387 views • 9 slides
Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about

Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about

CS 166: Information Security Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about information security? Computer Security in the News Computer Crime for Fun &amp; Profit Attackers have gone from

942 views • 48 slides
Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Problem Description Current State of the Art Our Contribution Our Scheme Summary References Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque , Alessandra Scafuro North Carolina State University May

736 views • 61 slides
20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79

20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79

20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79 % required breach 48 % exists? improve 62 % security page 03 * Gemalto The State of IoT Security Honeypot A honeypot is a computer

631 views • 25 slides
U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST

U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST

ISSLOB SSC CYBERSECURITY AWARENESS U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST SP 800-50 A proven, reliable solution that verifies retention of material and concepts A well

344 views • 17 slides
New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York

New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York

New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York State Division of Homeland Security and Emergency Services Office of Cyber Security Office of Cyber Security Overview Established as the Office

451 views • 31 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Update: State Funding for Border Security September 1, 2015 February 29, 2016 PRESENTED TO THE

Update: State Funding for Border Security September 1, 2015 February 29, 2016 PRESENTED TO THE

Update: State Funding for Border Security September 1, 2015 February 29, 2016 PRESENTED TO THE JOINT COMMITTEE ON BORDER SECURITY LEGISLATIVE BUDGET BOARD STAFF May 2016 Update: State Funding for Border Security These materials include

538 views • 41 slides
2017-18 Non Public Test Security Training Office of the State Superintendent of Education

2017-18 Non Public Test Security Training Office of the State Superintendent of Education

2017-18 Non Public Test Security Training Office of the State Superintendent of Education January 26, 2018 Agenda Test Security ACCESS for ELLs Alternate Assessments PARCC 2 Test Security 2017-18 Test Security Agenda

1.84k views • 129 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
Security (and finale) Dan Ports, CSEP 552 Today Security: what if parts of your

Security (and finale) Dan Ports, CSEP 552 Today Security: what if parts of your

Security (and finale) Dan Ports, CSEP 552 Today Security: what if parts of your distributed system are malicious? BFT: state machine replication Bitcoin: peer-to-peer currency Course wrap-up Security Too broad a

730 views • 62 slides
$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION

$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION

$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION PERF/SCALE STANDARDS HOW: DIGITAL TRANSFORMATION WEB SERVICES REST MICROSERVICES TASKS (PROCESSES) DECISIONS IF IF (RULES) BUSINESS ON

488 views • 30 slides
Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Hardware Security Trent Jaeger

703 views • 46 slides
Bitcoin Portland State University CS 410/510 Blockchain Development &amp; Security Pecursor #1:

Bitcoin Portland State University CS 410/510 Blockchain Development &amp; Security Pecursor #1:

Bitcoin Portland State University CS 410/510 Blockchain Development &amp; Security Pecursor #1: Ledgers Portland State University CS 410/510 Blockchain Development &amp; Security Led edger gers At the beginning of written history (~3000

1.19k views • 61 slides
Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G.

Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G.

Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G. Kesidis January 22-23, 2009 EE and CSE Depts Penn State kesidis@engr.psu.edu . George Kesidis, Penn State University GENI Security Workshop 01/22/09

277 views • 12 slides
Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Defense Mechanisms for Software Security Static enforcement of security properties Analyze the code before it is run (e.g., during compile

661 views • 34 slides
Quantitative Security Colorado State University Yashwant K Malaiya CS 559 L6: Probability &amp;

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 L6: Probability &amp;

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 L6: Probability &amp; Intrusion Detection CSU Cybersecurity Center Computer Science Dep 1 Quantitative Security 1 About this Course CS 559 is a research-oriented

615 views • 35 slides

More recommend