Kludges and PHP. Why Should You Use a WAF?

Date aired: December 6, 2017

In this webinar, Jean will explore some examples of PHP coding done incorrectly. Jean will also show you how badly written code is an invitation for hackers to exploit a website.

Jean Delefrati

Software Engineer

Jean started programming at the age of 12, and has been a web programmer since 2002. His hometown is Londrina, Paraná, Brazil where he enjoys participating in capture-the-flag events and watching TV series. When he is not working on the computer, he plays the violin, guitar, and bass, as well as spend time with his son, Nicolas.

Questions & Answers

Question #1: What about a stakeholder who needs admin level access but is also the weakest link? How to educate them?

Answer:One way to approach this is to put controls in place such as 2FA or Captcha. Education on creating strong passwords is also key. All stakeholders must understand their role in security.

Question #2: Why do I need to protect all sites in an environment?

Answer: When a hosting environment has multiple sites then there is a risk of cross-contamination. This means if one site gets infected then it can easily spread to other sites on the server. Therefore, one unprotected site can pose a risk to other sites, even if they are protected. Learn More

Question #3: What about websites that get little traffic?

Answer: Most attacks are random and the size/traffic on the site is not a factor, they can still be attacked.

Question #4: How should I handle security for clients I am just building the site for?

Answer: You can introduce them to the concept and value of security. Then, find a vendor that they can work with directly to provide them the right tools. :

Question #5: What do I say to clients that I can't sell on investing on security?

Answer:All you can do is educate them and convey the value. Sometimes folks will learn the hard way.

Question #6: If I'm just starting out and don't have the income to invest in security, what can I do?

Answer:One possibility is to refer clients to a security company and they can fund it themselves. Your biggest responsibility is to educate them and help them have a plan on how to approach security.

Question #7: What about if I'm managing multiple sites across different hosting platforms? Can Sucuri still handle that?

Answer:Yes, Sucuri is completely remote so the hosting environment is not important. As long as you have access to the DNS A record to point to the Sucuri Firewall. Our platforms also work with any CMS.

Question #8: What about the customers who say they do not need security because nobody ever attacked their sites?

Answer:The risk of a site being attacked is real but not everyone is going to be willing to take a proactive approach. If you have educated the client on the risks then it is up to them to act. The best thing you can do is have a plan to react if they do have an issue in the future.

Question #9: As a Web hosting and Web Development Company, how do we apply for the partner program and what is the financial gain for us?

Answer:To learn more you can reach out to us via chat, fill out our web form, or reach out to me directly at dana@sucuri.net. The financial gain is tough for us to define as it depends on your business model and what approach fits best.

Question #10: Great webinar, thanks Dana!! During the "Detect" portion of the talk, you mentioned "measuring file integrity." Do you have any specific tips or tools for that process?

Answer:Yes, for sure. The risk of cross-contamination comes from multiple sites sharing a hosting environment. Learn More

Question #11: At this moment, I have a lot of websites already online, so you think it’s a good idea to convince customers to invest in security? How would you propose that?

Answer:Education is the most important step. If the clients understand the risk then it will be easier to propose a solution. Also, think about the risk to you and your company if the sites are hacked. What are the costs to you if this happens.

Question #12: How does the Sucuri firewall stack up against services like Cloudflare?

Answer:The Sucuri firewall is similar in some ways but our approach to Malware is what really sets us apart. Other vendors tend to address only the OWASP top 10 vulnerabilities. Sucuri uses a virtual patching system and application profiles to protect against known threats as well as uncovering and patching emerging threats. This is crucial when it comes to open source CMS.

Question #13: What should be done with each new site?

Answer:One step is to engage with a security solution provider, like Sucuri, to put tools in place such as a Firewall and Detection. Also, there are several things you can do to increase the security posture of a site, check this out: Learn More

Question #14: What are best practices to harden new sites for clients when built?

Answer:This article will give you a good start: .

Question #15: One thing we struggle with is CloudProxy + CloudFlare. We don't use CloudProxy because we're unclear on the setup of them together. Would be nice if Sucuri had better/more specific docs on that setup.

Answer:That is a good suggestion. If you are interested in using our Firewall please reach out to me directly and I can help you with the set up. Dana@sucuri.net

Question #15: I haven't used the Sucuri Firewall because many of our clients are using https. My site for example uses a Comodo certificate, and I would have to upgrade my plan for the firewall to work with it. Any solution here?

Answer:Yes, for sure. Our professional plans include the ability to add your cert/key to the firewall dashboard. If you are using the basic plan, we can create a certificate at the firewall. Once it propagates and you fix any mixed content warnings, you will have full https.

Question #16: What about sites already public when activating Sucuri WAF, so that hackers have already mapped the IP address, they can bypass the firewall. How can you harden and prevent attacks ?

Answer:We recommend a htaccess update to prevent firewall bypass.Learn More

See all Questions & Answers

Expand

Transcript

Name: Jean Delefrati - Title: Software Engineer

Hello everybody, my name is Jean. And I am a PHP Developer at Sucuri. So, as you can see behind me, this is my current office set-up. And I love this kind of set-up because it gets me close to nature. So you may hear some random birds and nature noise in the background.

And at the same time I do love work with technology. And this set-up allows me to do that. I work with PHP, as I said, for Sucuri and ... even when I'm not working with ... at work, I do am I always on my computer. I love to participate, for example, in information security challenges or competitions. We have a team here in my home town called [Londrina Hacker Club 00:02:00]. We do work and challenges for capture the flag competitions and we play just for fun. And just because we want to learn some new things.

My first experience with computers was when I was very young, still a child. But I started with programming in 1995 when I was 12 at the time. After that, I started working as a Webmaster, when Webmaster was a thing. This word meant something, actually, in 2001.

And with PHP, I first started working with PHP in 2003. At the time it was PHP 3 or 4. So, after that I work in the Web Agency with a lot of different code and different people with different backgrounds. So I got a lot of experience working this kind of ... with different kind of codes and different styles.

After that, I started in Sucuri in 2015. It's funny when I say to ... when I first meet somebody new, and they ask me, "Oh, where do you work?" And I say, "I work for Sucuri, it's a great company, it's an American Company". And they would say, "Wow, that's nice! And what do you do there?" And I would say, "Well, I am a Software Engineer". And they would say, "Wow, that's cool, that's cool! And what language do you work for ... do you work with?" And I would say, "PHP". And they will probably say something like, "Oh, sorry about that."

So I know that PHP has a bad reputation as a language. And I understand but I still love the language anyway. And there are reasons why PHP has a bad reputation. For example: when it first was created it was meant to be used as a language to write personal home page. That is what PHP stood for in the beginning. But, now with all the progress all the development of the language, now it doesn't stand for that anymore. Now it stands for PHP Hyper Text Preprocessor.

And it's a great language, it's free, it's open source. It has a very active community. A lot of people to ask for if you need some help if you need something. It has a great performance, especially after PHP 7, because before that a lot of people were complaining about the performance of PHP.

And it's easy to learn. There are a lot of people that comes from PHP for example from C or C++ or Perl because it's close to PHP. At least the syntax of the language. And there is a lot of people also, that uses PHP as their first language to learn, to develop something, to program something. So, there is a lot of new comers. And PHP is [Mute Platform 00:05:33], so you can use for example, in a lot of different web servers like: Apache, Nginx and you also can use PHP as a stand-alone program in your computer.

So, also it allows you to do a lot of things, to manipulate data, manipulate files, work with databases, a lot of things. And it's very malleable, because it uses dynamic typing. This is one reason why a lot of people start with PHP. Almost everything in PHP is an object or an array.

So, PHP is a language that is very used ... there is a lot of people using PHP. According to some researchers. For example: more that 80% of the internet use PHP or at least the first 1000 websites from Alexa. So, there is a lot of people using PHP and it's still growing.

But the problem is, with all those new comers a lot of people learn new things in PHP having so many things in so different ways to do the same thing. You may end up with something like that. And what is that?

It's a Swiss knife that has almost everything that you want or even what you don't need. PHP has a lot of different ways to do the same thing. And sometimes you don't need to use everything. You just need, for example, a small knife. So, you be get confused and you may get ... may even hurt yourself. So, that's why a lot of people do Kludges to make things work with PHP. And what are Kludges? Well Kludges are also known as McGiverism or Improvisation or something that is done without planning or an alternative method or a quick and dirty solution or alternative engineering, or a computer program that has been revised and tinkered with so much that it will never work. There is also a word for a programming paradigm called Work-Around Oriented Programming Data. People joke about when you are doing a lot of Kludges in your code.

And Kludges, as a slang term can be a system specially a computer system that is constituted of poorly matched elements or of elements originally intended for other applications. So, something that it was intended to do something, and you just re-arrange it to make it fit in your code.

And what are the kinds and causes of Kludges? First of all, there is a lot of ways for you to add Kludges in your code or in your work. It can be Kludges in your code can be Kludges in your configuration. The way you are configuring your language or in your web server, whatever. Or in your programming model, the way you are putting could ... for example the way you are developing something. Or in the structure, for example, you could be using, I don't know, files in a way that is Kludgy. Creating a lot of files in the same folder. There's a lot of ways for you to make Kludges.

And what causes them? Usually it's because of lack of experience. Because somebody that is starting with the language or starting with the technology or just because of lack of logic.

So, somebody that doesn't, wasn't think very well on how to do something. Or because of lack of methodology. Or because you are not using a methodology. Or because of laziness. It happens. Sometimes you don't want to think. Just go with the flow and copy some codes that are working somewhere and hoping that it's going to work where you are working right now.

Or just because you are in your hurry. It happens sometimes when you get on a Friday at 5 p.m. and your boss is calling you and saying that you have to finish something and send something to production and you have this hurry, and you have to do something, and you do a Kludge.

Or because of Legacy Code. That happens when you have a code that is so old, with code that was meant to work in a way because you didn't have a right way to do something and then it just gets the Legacy.

Or because you are working with a Frankenstein Code. For example, when there is a lot of Developers working the same code, and they are using different methodologies and with different experience and everybody working together without a good coordination. You may end up with code that didn't work very well.

And so I have some examples of Kludges with PHP. It just that a small sample because you can do almost every kind of Kludges. A lot of ways for you to do something that is Kludges. I going to give you some examples.

For example: this is the classic one. The thing is that, usually when there is somebody that is starting with PHP or with a web language. They are using a form, for example, and they see that they have a lot of input fields. And they think with themselves, "Well I don't want to check every field to required these in my database. I don't want to check if the name is correct. I just want to record everything in the database. I don't want to write a huge code or something like that".

They do something this. And what is this? It's a code that checks for all the fields, all the posts data that comes from the user and it just requires the data in the database. It creates a string with all the data and records in the database. But the problem here, is that you are not validating properly your code.

And just to give an idea. With this kind of code, a Hacker, for example could make an injection in your database by the field, the name of the field that you sent. So, this is very unsafe. This is something that you should never do. You should always validate the data.

It's almost like you were thinking, "Well, I don't have to think, you don't have to think if the code does everything for you". But, your job as a Developer is to think.

This is another one. This is something more common, currently. There is a lot of people that are saying in the internet that when you are a good Developer, or a Senior Developer you don't use “Else”. Why should you use Else. But, they forget, sometimes that you do have ... or at least do something better, for example. In this case, there is a Bug in PHP. It's not a Bug, it's a feature. That doesn't check for the kind of the variable the type of the variable. So, for example in this case, we are checking if “action” is a string, right? But if the “action” is not a string. In this case PHP is going to say that every here is true. So, if the user sends something like this. Like an action that is in array. Well this case, the Hacker or the user would get all your HML codes, well, PHP is going to check that it's all the same, it's all valid.

There is another one. This is very common, also. For example, in this case, the user, instead of checking what the ... the Developer instead of checking what the user can do, they're checking what the user cannot do. So, it's a black list. So in this case, they are checking if the session is empty. But the problem is, in this case, if the session hadn't been initialized, well, the session would be “null”. And in this case, “null” is different from empty. So, you should always check what the user can do and not what they cannot do.

Also, this is something very common. It's not really a Kludges, I think, it's more like a problem for ... that can create Kludges. When you have a bad indentation, or you don't have an indentation in your code. And you have a lot of code and all together, all with a lot of problems in the ... it can cause a lot of problems because if somebody tries to check this code and doesn't see where a “if” is starting or “while” is starting. They may get lost and to make it work they will just go with the flow. Copy a code from some place and paste it here and go ahead. This is very dangerous.

There is another one. This is very common, also. For example in this case the Developer is checking, it's not using PHP functions to check for the list of files in the folder. What's the problem with that? PHP allows you to do that. Cause PHP, as I say, allows you to do almost everything in different ways. But it's not really protecting the inputs. In this case, it's just adding slashes to a string, for example.

The folder but sometimes we forget that for web you can have ... some characters are safe, for example “pipe” or * are safe. But, when you are using ... executing a Shell Code, well this is not safe. So, sometimes that happens, and you should be ready for that. An attacker, for example, with this, get the password files, for example from your users or your database could get the data file from your database. So this is very dangerous. It's almost like you are trying to protect your code, you are trying to protect your data but, you are trusting in the user ... in the input from the user. So, you have a chain, a big chain protecting you, your code, your data but you have a small link made of plastic.

This is another one. It's something not very common but does happen. It's just an example. When the Developer doesn't want you check everything, just want to save the data and save a log. So, in this case they fake and exception with PHP. So, What's the problem with that? Well, it's going to work, it's going to give the user the correct answer. But the problem is, in this case, it's probably going to mess with the syslogs and if a sysadmin or even a Developer wants to check the logs. They are going to check and see there is an exception an error that say that everything is fine. The data was saved, it's crazy. So you can do that with PHP.

Or, even this one. This one is pretty common actually. It's something specially when you are starting to work with auto loads for an MVC or for a framework that you are building, something like that. You use this kind of function that is going to get the class from the URL or something like that. And the problem here is, if the Hacker knows about this, and they try to get a file that is not a PHP, there is some ways to bypass this and get this file. And get all your data. So, it shouldn't auto load everything, you should present to do a white list and make and sanitize your inputs and everything. You should never trust the user input, as I said.

Well, so how to avoid Kludges. First of all, use your head. So, instead of just going with the flow, coping and pasting code without knowing exactly what you are going to do, no, think ahead. Think well what you are doing. Don't rush yourself. Take your time to write your code. Sometimes when you have a very old code, or a code that you don't understand very well, you should re-factor this code. Make it work. Or sometimes you even should re-write your code, if you don't know what it is doing. So sometimes you have to re-write. And use the kiss principle, that is keep is simple and stupid. Instead of doing a big code with a lot of different kind of things that the code does, instead of this, you should make small functions, small methods that do simple and stupid things. Because, it easier, even to read the code.

And use standards. Because, PHP has a lot of standards. Has standards for the indentation, how to make auto loads, how to ... standards for almost everything. And when you are following standards, it's much harder for you to make Kludges. You still can do them but your code will at least, will look easier to understand and to fix, if something goes wrong.

And use a CDN with cache to avoid direct access to your code. So instead of the user getting right to your codes, right to your website, use a CDN that first cashes your page, and the user gets the cashed page, not the really PHP code. And be aware that attacks are unavoidable. Have backups and monitoring. That's very important.

And use a WAF. And what is a WAF? A WAF is a Web Application Firewall. And how a WAF can help you? Well, a WAF acts as an intermediary service between your websites application and the visitor reaching for it. So just like the CDN, it's going to avoid the direct access to your code to your data. And it's going to intercept and remove malicious requests before they can cause damage. So, if somebody sends a payload or a malicious input, it's going to get this, remove it and send the request to your server. This way it can help you to keep your work, your server, your environment, and your customers safe.

And just for an addendum here. Most of the attacks happen because Hackers are actively searching for huge amounts of websites for common vulnerabilities. So, you may think, "Well I have this small shop for, I don't know, for my town or whatever, and I don't think that the hackers are searching for me, they are not going to reach me". But what you should keep in mind is that sometimes the Hackers, they are not searching for you specifically. They are searching a huge amount of websites that they know, for example using a web search for something that they know that this is something this is vulnerable. So they search actively for this huge amount of files. And when they get websites that are vulnerable then they are going to try to attack. And sometimes, it's even automatic. They are not really thinking, "Oh this one is a good one". No, it’s all automatic.

And a WAF is especially effective if you do not have full control over your code. For example, if you are using plug-ins or codes from other sources. For example, Frameworks, or common CMS, sometimes they get a zero day vulnerability, and you don't have time to update and all those things. Or you don't want to, you are insecure to update something and break stuff. Or just because you prefer to do everything in house. For example, you may not have all the experience for a team that is focused in security. And you just do your work there, and you are open ... open your environment for Hackers. Or just because you cannot or you don't want to upgrade your server or the language versions. For example, you may have a function that you need that is in PHP 5.4 and you cannot re-write everything right now. You cannot re-factor everything. So a WAF is going to know that you are using a version that is vulnerable and already have all the security measures to protect your server. To protect your data.

And it's also affective if you use Legacy Code or you don't know very well the entire code. If you have a code that is ... for example for an older version of PHP or another language and it already has a vulnerability, and you don't know about this. So a WAF is going to protect you. Or if you have sensitive data from yourself or from your users. And you may think that maybe, "Well I don't have sensitive data because I don't record the credit card numbers or something like that, I only record the users email and password. So for my dashboard or whatever". But you should never forget that a lot of users re-use this same password. So, it's a pretty big chance that a lot of this passwords is the same for the users in their email, in their bank account or something like that. That happens a lot.

And how much does this data ... what's the value of this data? For you and for your users? Also an WAF cannot help you in some case. For example, it won't replace existing controls. You may not think that a WAF is a "Magic Bullet" that just by installing a WAF you are protected and you should, for example, keep your server open or whatever.

So, no, a WAF is going to help a lot to protect your data. But, it's going to complement the protection that you already have, or you should already have. And a WAF won't re-write your code, so it won't help you with you write simpler code because it won't re-write it. It won't help you to re-write less Kludges if you are already writing some Kludges.

And I'm going to speak a little ... talk a little about the Sucuri-WAF. It's a web application file and an intrusion prevention system. That was specifically developed to address the challenge of site security. So, it employs virtual patching and hardening technologies that mitigate attacks on your network without requiring the site owner to taking any further actions.

So, if you have, the Sucuri-WAF you are going to protect your website, you are going to protect your data without needing to always get back and configuring stuff after you first configure it. You don't have to go back all the time in checking everything and re-checking your ... if everything is good or ... I mean. So, in this case the Sucuri-WAF is going to have some analytic data that you can get some reports that you can get, and it's going to prevent a lot of different payload and inputs ... malicious inputs. And it's going to help you protect your website.

And how does it work? It works as a wall between the outside access and your server. So, for the outside users or browsers, or whatever, to get your website, they will have to pass through the firewall. And the firewall is going to drop all malicious request before they get to your website or your server.

Well a bonus here, on how not to configure a WAF. First of all, not configuring it. Not pointing your website to the WAF. As I say, the WAF is going to be a wall between your users and your website. But you have to configure it so make it pass it. Or just by leaving loose ends.

And what are loose ends? It's a partial configuration. For example, if you have a website that uses multiple domains to get to your website, and you just configure one of them and not all of them, or something like that. Or just if you open your server, as I say, for doing a partial configuration. Or for example, as I said, the firewall the Sucuri Firewall allows you to White-list and Black list stuff. But sometimes you just once you have the WAF and white list everything. You can do that, the firewall allows you to do that. But, it's not a good idea because if you are white listing everything, you are allowing everything. Or the opposite, black listing everything, that means blocking everything from the user, from all requests to get to your website. Or by whitelisting unsafe code. This is something that, well, you should not do.

Basically, that's it. I want say thanks. And Thank you.

See Full Transcript

Expand

Resources

In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.

Resources

Webinar - UPCOMING - Sucuri Introduces the Sales Enablement Department

During this webinar, you will meet our Sales Enablement team and preview the marketing information packages we have created for web agencies.....

Webinar - Fire Chat: Reactive and Proactive Protection for Web Agencies

In this fire chat, we're looking to find answers to some of the questions web agencies have been asking us for years, in hopes of shedding more light into how you, as an agency, need to respond to security threats your customers face.....

Webinar - Security for Web Agencies

Website security is challenging, especially with a large network of sites. We want to help you understand how you can create a security plan and reduce the risk of a hack or security incident. In this session Dana covers the implications of a security breach and why security should be important to your agency. Dana shows you a tiered approach to we....

Webinar - Beginner's Guide to CDN's

All content is not created equally. Reducing the time it takes for each piece of data to travel from the host server to the client will provide lower latency and a more optimized user experience. Ultimately, this helps avoid dropoffs in users as a result of extended load times.....

Webinar - How to Optimize Your Website for Best Performance

Attention spans are getting shorter, and search engines are favoring websites with faster loading times and lower bounce rates. By optimizing your website performance, you can rank higher in search results, increase and retain your traffic and create an optimal user experience.....