Hacker News new | ask | show | jobs
by david_shaw 3785 days ago
My background's in application security assessments. I've seen this hundreds (or more) times, from developers that should really know better.

"Hey, there's SQLi in this input form! Better make sure ' OR 1=1;-- is blacklisted," but don't properly parameterize their queries or sanitize input.
1 comments
dsacco 3785 days ago
"Hey, they reported cross-site scripting! Let's blacklist angle brackets, that'll do the trick!"

In case this is not clear to anyone in 2016, blacklisting known-dangerous characters is not an adequate bug fix. It's a rabbit hole, you will burn hours trying to blacklist every character or character combination that can cause a vulnerability just to have someone own you anyway.

link
TTPrograms 3785 days ago
What's current best practice?
link
sarciszewski 3785 days ago
The proper fixes for common web application vulnerabilities are as follows:

Session Hijacking/Fixation/etc.: Use TLS.

SQL Injection: Prepared statements that AREN'T emulated; PHP's defaults are bad here.

EDIT: If you're writing in another language, make sure it's not providing string escaping masquerading as prepared statements, but actual prepared statements. (My earlier comment was too broad; some forms of emulated prepared statements might be OK, but PHP's is dangerous.)

Cross-Site Scripting: Context-aware escaping (templating libraries) + Security Headers

Cross-Site Request Forgery: CSRF tokens

Password storage: bcrypt, scrypt, PBKDF2-SHA2, Argon2

Encryption, Digital Signatures, Authenticated Key Exchanges, etc.: Hire an expert, don't do it yourself based on the advice contained within HN comments.

File Inclusion / Directory Traversal: Don't write your applications in a dumb way that makes these vulnerabilities possible. But if you must, use something like realpath() with a sanity check based on the expected parent directory (in PHP).

XML External Entities: Make sure you disable the entity loader:

    libxml_disable_entity_loader(true);
PHP Object Injection in PHP 5: don't ever pass user input to unserialize(); use json_decode() instead.

PHP Object Injection in PHP 7: either disable object loading or whitelist the allowed types; i.e. unserialize($var, false); or unserialize($var, ['DateTime']);

These are just some of the common problems I frequently find, of course. There are more basic ways to mess up an application ("not even checking that you're authenticated" being at the top of that list).

https://paragonie.com/blog/2015/08/gentle-introduction-appli...

Further reading and resources:

* https://securityheaders.io

* https://github.com/paragonie/awesome-appsec

And if anyone wants their code reviewed: https://paragonie.com/services

link
red_admiral 3785 days ago
"Encryption, Digital Signatures, Authenticated Key Exchanges, etc.":

If you just want to get data from A to B over the network, TLS 1.2 (but upgrade to 1.3 when it's ready). For an app(lication) where you control the code on both ends, with additional certificate pinning. Probably still worth hiring an expert to make sure you're doing it right but you have less chance of shooting yourself in the foot than if you try and roll your own.

Sometimes I think if cryptographers wrote libraries that the rest of us could use and "just work", security worldwide would improve. Bernstein's NaCl and the derived libsodium is a good starting point though.

link
sarciszewski 3785 days ago
> If you just want to get data from A to B over the network, TLS 1.2 (but upgrade to 1.3 when it's ready).

Right. If you're not using TLS for your network communications, then your communications are not secure.

Some people also have other requirements (e.g. "I need to store SSNs, how can I encrypt them and still be able to search by them in MySQL?") which require separate app-layer crypto. In those situations, don't roll your own. :)

> Probably still worth hiring an expert to make sure you're doing it right but you have less chance of shooting yourself in the foot than if you try and roll your own.

Agreed.

> Sometimes I think if cryptographers wrote libraries that the rest of us could use and "just work", security worldwide would improve.

Ah yes, boring cryptography. :)

> Bernstein's NaCl and the derived libsodium is a good starting point though.

Strongly agreed.

link
ryanlol 3785 days ago
>PHP Object Injection in PHP 5: don't ever pass user input to unserialize(); use json_decode() instead.

>PHP Object Injection in PHP 7: either disable object loading or whitelist the allowed types; i.e. unserialize($var, false); or unserialize($var, ['DateTime']);

I'd stick to not unserializing user input in both cases, that's a can of worms you just don't want to open.

Also, RNG bugs are common and exploitable enough to be worth noting: Never use mt_rand, stick to openssl_random_pseudo_bytes.

link
sarciszewski 3785 days ago
That's the more sound advice.

Also, random_bytes() > openssl_random_pseudo_bytes() :P

Though if you use random_compat[1] it might be the same function ;)

[1]: https://github.com/paragonie/random_compat

link
derefr 3785 days ago
Do prepared statements count as emulated if the DB doesn't support prepared statements, but the DB adapter is doing replacement during the encoding-to-typed-binary-wire-protocol step (i.e. replacement of typed tokens with other typed tokens) rather than by just concatenating strings?
link
sarciszewski 3785 days ago
By prepared statements, I mean your application actually sends the query string in a separate packet from the data, and thereby gives the data no opportunity to corrupt the query string.

You can stop all known attacks with escaping, but then you run into fun corner cases like http://stackoverflow.com/a/12118602/2224584

What PHP does is silently perform string escaping for you instead of doing a prepared statement. This is stupid, but PHP Internals discussions are painful (so changing it is unlikely to happen any time soon) and the userland fix is easy:

https://github.com/paragonie/easydb/blob/f90fbca34ac7b7b96f7...

If you're sending a 1+N packets (for N >= 1) to your RDBMS for each new query, then you're probably using prepared statements.

link
derefr 3785 days ago
That doesn't really address my question. There are real prepared statements like you're talking about; there's the crap PHP does; and then there's what you get if you use e.g. Erlang's Postgres library, which is that you pass it this:

    execute("SELECT foo FROM bar WHERE baz = ?", [5])
and it becomes something like this:

    db_socket ! encode_to_wire_format(
      {'SELECT', "foo", "bar", [{'baz', 5}]}
    ))
Postrges's prepared statements aren't being used, but the distinction between "tainted" user-generated data and the "trusted" statement is maintained, because the 5 in the above is typed data being sent over the wire in a length-prefixed binary encoding, rather than string data being serialized+escaped into another string.

Which is to say, if you (or your users) tried to put a fragment of SQL in place of the 5 above, it'd just get treated as string-typed data, rather than SQL. You don't need packet-level separation to achieve that.

But is this approach still bad for "emulating" prepared statements, somehow? I don't see how.

link
ineedtosleep 3785 days ago
Is it too early to be suggesting Argon2? I've not heard of it until now, but the Wikipedia entry[1] shows that the paper was just released late last year.

[1] https://en.wikipedia.org/wiki/Argon2

link
sarciszewski 3785 days ago
> Is it too early to be suggesting Argon2?

Most environments don't have an implementation for it yet, and the ones that do will probably only get it through libsodium for the first few years.

> I've not heard of it until now, but the Wikipedia entry[1] shows that the paper was just released late last year.

Argon2 was the winner of the Password Hashing Competition, a several-year cryptography competition to find a new password hashing algorithm that would be secure against an attacker armed with a large GPU cluster.

The judges included a lot of famous cryptographers and security experts. Of particular note: Colin Percival, the author of scrypt, and Jens Steube, the project lead for hashcat.

I've read the paper and I think Argon2 will stand the test of time, but I could (of course) be wrong.

link
technion 3785 days ago 

    Most environments don't have an implementation for it yet
The speed with which environments actually got implementations of previous secure algorithms was half the problem with their use, but I think Argon2 has this nailed. The README now links bindings for Go, Haskell, JavaScript, JVM, Lua, OCaml, Python, Ruby and Rust.

Disclaimer: I wrote the Ruby one.

https://github.com/P-H-C/phc-winner-argon2

link
hayleox 3785 days ago
My suggestion, if you really want to overkill and knock it out of the park: use both. Run it through bcrypt, then through Argon2. If something happens where one of them is deemed insecure/bad practice, you've still got the other one.
link
technion 3785 days ago
This falls into the category of "coming up with your own system". It sounds theoretically as strong as either one, but it could end up weaker overall.

Define X as the maximum time you can allow a hash to run on your server, before it either starts to annoy users, or becomes a DoS issue. Moving from "Argon2, such that it runs for X" to "both algorithms, with a total cost X" means both of them are running with a much reduced work strength.

In the case of Argon2, there is an "iterations" counter, but t=2 is already reasonable, and on low end hardware, you may see t=1. So as per the spec, reducing runtime in order to make whole thing work is going to involve reducing m.

Except bcrypt is already not memory hard, and you've just reduced the only memory constraint in your algorithm.

And entirely possible there are bigger issues I didn't up with two minutes of thinking about it.

link
sarciszewski 3785 days ago
If you're going to use both, pay a crypto engineer (such as one of the authors of either library) to write that for you.

Don't do it yourself.

link