So, here I am with 900+ pages of code, php code, each one a 1000+ lines long, no more than 20000... All vulnerable to sql injection. So rather than spend the better part of a year going in and incorporating mysql real escape string on every user input, I was planning on writing a program that would search lines of code and input it where ever it finds it needs it, for instance at every post variable. Any one deem this plausible? And if so what language would you recommend doing it in? I have a few ideas using php, but nothing solid. And I fear js would just be too slow.all help appreciated
I don't necessarily recommend this because you are essentially turning on magic quotes but if you don't have time to fix it properly then you could add this to a bootstrap file and include it in all of your scripts
foreach ($_POST as &$v) {
$db->escape($v); // mysql_real_escape_string() or mysqli or pdo
}
unset($v);
You will need to modify this to check $v for arrays and escape those accordingly. You will also want to do the same for $_GET.
Be aware that while this may prevent the sql injection, it could cause other issues. I recommend getting some time to refactor.
As I mentioned in a comment, there's already at least one SO question asking for a static analysis tool to handle this. If there's an existing tool that's being used by multiple other projects, that usually makes it more trustworthy than something that hasn't been used by anyone.
Unfortunately, that question doesn't have any good answers. A quick search for PHP static analyzers turned up PHP Source Code Security Framework and PHP_CodeSniffer, but I know nothing about these beyond their names, so don't take that as an endorsement.
If you do have to build it yourself, your Python tag implies that you'd like to write it in Python. Normally, I'd say this is a great choice. But for something like this, getting buy-in from as many other people as possible is critical to being able to trust your code, and I think you might have more buy-in if you wrote it in, just because you can be sure that anyone who wants to use your tool will know PHP.
There is one alternative possibility: If your code follows a very consistent style, it might be possible to do something much simpler, that, despite not being generally applicable, does find all the SQL injection holes in your particular code. Since you're trying to write code that you can convince yourself is foolproof, the simplicity benefits might be worth it in this case.
Sorry this is all so vague, but it's a pretty vague question. All I can really say is that it's plausible in principle; I can't really guess whether it's feasible in practice.
Related
I am using create_function to run some user-code at server end. I am looking for any of these two:
Is there a way to sanitize the code passed to it to prevent something harmful from executing?
Alternately, is there a way to specify this code to be run in a sandboxed environment so that the user can't play around with anything else.
Thanks!
http://php.net/runkit
You could use the tonkenizer to figure out what the code will do, then whitelist certain functions and operations. I think it would end up being very difficult (or impossible) to make it foolproof, especially given PHP's flexibility:
$f = "shell_exec";
$arg = 'rm -rf /';
$f($arg); // ouch
call_user_func($f, $arg); // ouch
eval("$f('$arg');"); // ouch
$newF = create_user_function('', "$f('$arg');");
$newF(); // ouch
The only kind of sandbox that will give you 100% security (well, 99.9%...) is a virtual machine you can just throw away afterwards.
We use the tokenizer to analyze code statically, as well as modify the code to perform runtime checks for certain things. This is done with the tokenizer and scripts based on the tokenizer. Since the tokenizer is the same one PHP actually uses, it improves your luck over writing your own.
I've seen people using regexes to try to analyze a language. This is a really bad idea.
But ...
Since PHP is a pretty stupid-easy grammar, and you have access to the tokenizer, you can actually stop most of the badness by disallowing variable functions, and only allowing a small number of whitelisted functions to be called. If you don't need OOP, even better.
However, we don't feel confident enough that we nailed 100% of the problems, and we use this to power a sandbox for the backend users who are paying customers, not every user on planet earth with a keyboard, and perhaps malice.
I too think the people here who poo-poo the idea 100% as "bad practice" need to get a clue. There are reasons to do this.
You cannot reliably sanitize the user input - a determined hacker will find some obscure way to circumvent your sanitization code.
Sandboxing could be possible, but is equally crippling. If you really want to be safe, you should create a sandbox for each call. After all, someone could execute bogus code that is harmful to all other users of your sandbox.
I don't think you really want to allow that. Think of it this way: you are providing programmatic access to the server!
You could try using Quercus, a Java based PHP interpreter, to create a safe sandboxed PHP environment. You can do the same for JavaScript using Rhino, so I think it might be possible with Quercus.
You could consider creating a custom(ized) language that your users can make use of. Then it's up to you to create the library of supported functions that could very well be just wrappers of PHP's native functions. But even then, making it hack-proof or simply working is a tedious job at best. Perhaps you should re-evaluate why you want users to have code access in the first place? I'd love to help out if you need someone to discuss this with (or update your question, I guess? :)
Hope you can work it out!
-Dave
The is a class on GitHub that may help, early stages but looks promising.
https://github.com/fregster/PHPSandbox
Overall bad idea and too dangerous IMO, no matter what protections you put into place. Better create a pseudo-language limited to exactly what users are allowed to do.
I wondered if I should write my code clean and readable or rather small and unreadable... Or should I write it readable and then compress it afterwards when I'm publishing it on the web?
Ps. I'm building a web app,
the faster, the better!
Thanks_
I think you are greatly underestimating PHP's performance if you think this will affect it.
Write clean, readable code. In fact write code as if the next guy to maintain it is a sociopath that knows where you live.
Edit In response to AESM's comment... not in any way that matters. Also you can edit your question if you want to expand on it, instead of leaving a comment.
PHP parses the code before executing. The first stage is tokenization, which throws out all comments and whitespaces, and converts all identifiers to tokens. This means neither meaningfull names, nor sensible comments and clean formatting will have any effects at runtime. In fact all speed effects you seem to expect from compression are already lost during tokenization.
If you do have "bigger" source files due to clean coding, then tokenization will effectively take longer. However this effect is barely meassurable compared to actual parsing and execution.
If you feel you want to optimize at that point, please consider using eaccelerator, which makes an actual difference.
greetz
back2dos
"Programs must be written for people to read, and only incidentally for machines to execute."
I'd say, write a clean/readable code and then eliminate the bottlenecks, if needed.
I am using create_function to run some user-code at server end. I am looking for any of these two:
Is there a way to sanitize the code passed to it to prevent something harmful from executing?
Alternately, is there a way to specify this code to be run in a sandboxed environment so that the user can't play around with anything else.
Thanks!
http://php.net/runkit
You could use the tonkenizer to figure out what the code will do, then whitelist certain functions and operations. I think it would end up being very difficult (or impossible) to make it foolproof, especially given PHP's flexibility:
$f = "shell_exec";
$arg = 'rm -rf /';
$f($arg); // ouch
call_user_func($f, $arg); // ouch
eval("$f('$arg');"); // ouch
$newF = create_user_function('', "$f('$arg');");
$newF(); // ouch
The only kind of sandbox that will give you 100% security (well, 99.9%...) is a virtual machine you can just throw away afterwards.
We use the tokenizer to analyze code statically, as well as modify the code to perform runtime checks for certain things. This is done with the tokenizer and scripts based on the tokenizer. Since the tokenizer is the same one PHP actually uses, it improves your luck over writing your own.
I've seen people using regexes to try to analyze a language. This is a really bad idea.
But ...
Since PHP is a pretty stupid-easy grammar, and you have access to the tokenizer, you can actually stop most of the badness by disallowing variable functions, and only allowing a small number of whitelisted functions to be called. If you don't need OOP, even better.
However, we don't feel confident enough that we nailed 100% of the problems, and we use this to power a sandbox for the backend users who are paying customers, not every user on planet earth with a keyboard, and perhaps malice.
I too think the people here who poo-poo the idea 100% as "bad practice" need to get a clue. There are reasons to do this.
You cannot reliably sanitize the user input - a determined hacker will find some obscure way to circumvent your sanitization code.
Sandboxing could be possible, but is equally crippling. If you really want to be safe, you should create a sandbox for each call. After all, someone could execute bogus code that is harmful to all other users of your sandbox.
I don't think you really want to allow that. Think of it this way: you are providing programmatic access to the server!
You could try using Quercus, a Java based PHP interpreter, to create a safe sandboxed PHP environment. You can do the same for JavaScript using Rhino, so I think it might be possible with Quercus.
You could consider creating a custom(ized) language that your users can make use of. Then it's up to you to create the library of supported functions that could very well be just wrappers of PHP's native functions. But even then, making it hack-proof or simply working is a tedious job at best. Perhaps you should re-evaluate why you want users to have code access in the first place? I'd love to help out if you need someone to discuss this with (or update your question, I guess? :)
Hope you can work it out!
-Dave
The is a class on GitHub that may help, early stages but looks promising.
https://github.com/fregster/PHPSandbox
Overall bad idea and too dangerous IMO, no matter what protections you put into place. Better create a pseudo-language limited to exactly what users are allowed to do.
I'm looking for an automated way to fuzz my app or scan it for vulnerabilities. Please assume that my hacking knowledge is 0. Also the source is on my localhost so I need a way to fuzz it locally without relying on an internet connection. Can some security experts give me some hints or recommendations? I'm not sure what options are best.
Edit:
Thanks for the effort to answer, but none so far seems to get the point. I'd like to be more specific (because it helps the question) but without influencing opinions or sounding like I'm advertising a specific product. I'm looking for something like wapiti (sorry to mention names, but had to, because answers so far like learn about sql injections, xss etc. are obviously not real "expert" answers to this question. I already know about these (seriously, does this question sound like it could asked by someone who doesn't know salt about security?)
I'm not asking whether I should test, I'm asking how I should test. I already decided to incorporate automation (and there's no turning back in this decision unless someone gives me an expert answer that proves it useless), so please respect my decision that I'd like to automate. I don't want to go through every compiled xss, sql injection, etc. hack list and try it manually myself against my site (even hackers don't hack that way). Super extra points to anyone who gets the question.
Some people are asking why not just learn.
Best practices (which I know) are not the same as knowing hacking. Some people want to argue they're a flip-coin, but I definitely don't agree :) hence I need a protection tool by someone with the "hacker mentality". How is that going to hurt, in fact, you should try it too ;) Expert answers please from those who know.
There are services that will do automated scans for vulnerabilities. They will not catch everything, but will help you identify problems. Your best bet is to use one of these services and LEARN SOME SECURITY best practices.
Start learning about sql injection and cross site scripting. these are the biggest and easiest to fix vulnerabilities.
Programming defensively is a skill that IMHO every programmer should learn.
There is no substitute for understanding these issues on your own.
To strictly answer your question the way you should test is by using a tool. There are 2 main types of tools you can use, a security scanner which actively probes a running website or a static analysis tool which runs on the source code you use to build your webapp.
The short answer is you want a security scanning tool like wapiti or burp. Tools like these dynamically construct and execute security tests uniquely for your site. You could manually attempt to exploit your own site but that would take lots of time and not provide any value. It would be useless for you to go through a list of known xss or sql injection issues because each issue is unique to the site it applies to. Furthermore these tools can attack your site better then you can giving you a more rigorous security stress test.
There are 2 main tools you can use, static analysis tools and dynamic analysis tools. Static analysis tools read in your source code, figure out the way the data flows through the app and look for security issues. At their root most security issues are allowing a user to control some data that flows into an inappropriate part of an application so even though the app isn't running and you rub up against the halting problem, static analysis method of "guessing" and trying out each code path can yield good results. Static analysis tools are language dependent and most are expensive. Some free ones are fxcop (C#), PMD and findbugs (java), see http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Dynamic analysis tools (more commonly just called "security scanner") require you setup your webapp so it can run tests against it, this sounds like more what you want. My favorite tool here is burp, some free ones include wapiti which is good as well. These tools will look at how your app handles data, look for inputs and fill them with malicious data in an attempt to trigger vulnerabilities. An example test would be for testing reflected cross-site scripting, the scanner would look at a page and insert javascript into every querystring value, cookie value, form value etc and then render the page to see if the malicious javascript was echod back to the page.
You likely don't need or want a fuzzer. Fuzzing tools mostly help you when there is a lot of parsing code so a fuzzer is not the best fit for a webapp whereas it would be a good fit for a protocol you are making. There is limited fuzzing capabilities in the security scanner tools listed above and you probably don't need more then this. Fuzzers also take time to build. Fuzzers often find more stuff in c/c++ code because there are less libraries built in already doing the right thing, in the webapp case there is less "room for fuzzers to play" so to speak.
Before you go crazy on automation (which will likely yield results you probably won't understand), I'd suggest that you read up of writing secure code instead and learn to identify the things you are doing wrong. Here are some tutorials to get you started:
http://php.net/manual/en/security.php
Failing that, I'd suggest outsourcing your code to a security firm if you can afford it.
Good luck!
Provided you know C, You can work with spike, Its always good to do a manual check for overflows in anything that could conceivably be touched by an end-user, The usual %x%x%x tests for format string attacks, and just to be diligent in your static analysis.
PeachFuzz and SPIKE are both well documented.
Failing that, writing your own is trivial.
Knowing what fuzzing is and how you may want to approach does not necessarily lead to the skills necessary to thoroughly test and evaluate your software for vulnerabilities and flaws. You need to use automated testing, but in a tuned manner where you modify the testing that the tool is doing as you find new input paths, interactions, and so on.
Basically, what I'm saying is that you need to know what you are doing if you want this to be a real value add. You cannot just pick a tool, run it, and expect to get good results. You need someone who does this type of testing to work either with or for you. Tools are useful, but can only produce useful results when used by someone skilled in this art.
I've used Paros - http://www.parosproxy.org/ - its free, easy to use and displays both the cause of the error, the possible fix and how to replicate it (usually a link).
It easy to configure and spiders your entire site - it can also spider local installations.
It has a gui as well.
Its old, but its good and easy.
I tried to configure WAPITI but it was simply too hard for me.
I've been researching this topic for many years for my own application and found a fantastic tool recently which was based on PAROS (see my other answer above)
Its ZAP from OWASP and is the ducks nuts.
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
One of the best things you can do is integrate ZAP into your project automation / build so whenever you do a build the test runs.
Even better, you can sit it next to your selenium automated tests to 'collect' the pages you test, then......scan the hell out of them!
Its really well documented, but you'll need a fast PC as it runs hundreds of tests per page. If you're doing a whole site it can take some time.
There are some other tools you might want to consider
http://sqlmap.org/
I found this tool....scarily easy to use and very very comprehensive.
Whenever I got what I thought was a 'false positive' with ZAP, I'd scan the page with SQLmap (you gotta figure out how to use Python - its easy, took a couple of hours) and SQLmap would either verify the false positive or find the vulnerability.
I am wondering what security concerns there are to implementing a PHP evaluator like this:
<?php eval($_POST['codeInput']); %>
This is in the context of making a PHP sandbox so sanitising against DB input etc. isn't a massive issue.
Users destroying the server the file is hosted on is.
I've seen Ruby simulators so I was curious what's involved security wise (vague details at least).
Thanks all. I'm not even sure on which answer to accept because they are all useful.
Owen's answer summarises what I suspected (the server itself would be at risk).
arin's answer gives a great example of the potential problems.
Geoff's answer and randy's answer echo the general opinion that you would need to write your own evaluator to achieve simulation type capabilities.
don't do that.
they basically have access to anything you can do in PHP (look around the file system, get/set any sort of variables, open connections to other machines to insert code to run, etc...)
The eval() function is hard to sanitize and even if you did there would surely be a way around it. Even if you filtered exec, all you need to do is to somehow glue the string exec into a variable, and then do $variable(). You'd need to really cripple the language to achieve at least some sort of imaginary security.
could potentially be in really big trouble if you eval()'d something like
<?php
eval("shell_exec(\"rm -rf {$_SERVER['DOCUMENT_ROOT']}\");");
?>
it's an extreme example but it that case your site would just get deleted. hopefully your permissions wouldn't allow it but, it helps illustrate the need for sanitization & checks.
There are a lot of things you could say.. The concerns are not specific to PHP.
Here's the simple answer:
Any input to your machine (or database) needs to be sanitized.
The code snippet you've posted pretty much lets a user run any code they want, so it's especially dangerous.
There is a pretty good introductory article on code injection here:
Wikipedia on Code Injection.
If you allow arbitrary code to be run on your server, it's not your server any more.
Dear god NO. I cringe even at the title. Allowing user to run any kind of arbitrary code is like handing the server over to them
I know the people above me already said that. But believe me. That's never enough times that someone can tell you to sanitize your input.
If you really, really want to allow user to run some kind of code. Make a subset of the commands available to the user by creating some sort of psudo language that the user can use to do that. A-la the way bbcode or markdown works.
If you are looking to build an online PHP interpreter, you will need to build an actual REPL interpreter and not use eval.
Otherwise, never ever execute arbitrary user code. Ever.
Do NOT allow unfiltered code to be executed on your server, period.
If you'd like to create a tool that allows for interactive demonstration of a language such as the tool seen here: http://tryruby.hobix.com/ I would work on coding a sub portion of the language yourself. Ideally, you'll be using it to demonstrate simple concepts to new programmers, so it's irrelevant if you properly implement all the features.
By doing this you can control the input via a white list of known acceptable input. If the input isn't on the white list it isn't executed.
Best of luck!
As already answered, you need to sanitize your inputs. I guess you could use some regex-filtring of some kind to remove unwanted commands such as "exec" and basically every malicious command PHP has got to offer (or which could be exploited), and that's a lot.