Static code analysis for PHP templates

Templating is cool. Everybody is using Twig today. Other popular choices are: Smarty, Mustache and Latte. You may also want to read what Fabien Potencier has written about PHP templates languages. It makes sense.

Still, I can think of two reasons to skip a templating language and use PHP itself for templating. First: native PHP templating is easier to learn than a PHP templating language. Second: it executes faster.

PHP templating languages improve security

I tried to understand what the primary reason is that people are using a templating language. It seems to be ease of use, while keeping the application secure. The following example shows how easily you can write unsafe code:

Hello <?php echo $_POST['name']; ?>!

It would only be safe to print a POST variable when using:

<?php echo htmlspecialchars($_POST['name'],ENT_QUOTES,'UTF-8'); ?>

A templating language typically allows you to write something like:

Hello {{ name }}!

I agree that security is improved by using a templating language. The templating language escapes the output strings in order to prevent XSS vulnerabilities. But still I wonder: Can’t we get the same security benefits when we use native PHP for templating?

Helper function

As you have seen, the PHP way of escaping is rather verbose. Fortunately, you can easily define a function that allows a shorter syntax, for instance:

Hello <?php e($_POST['name']); ?>!

Yup, that is the “e” for “echo” :-). Now we can report all native (unescaped) echo calls as potentially unsafe. This can be achieved with static code analysis. While analyzing the code, the analyzer could complain like this:

PHP Warning:  In "template.php" you should not use "echo" on line 1. Error raised  in analyzer.php on line 11

This could be limited to debug mode, since static code analysis takes some time and may harm the performance of your application.

Static code analysis in PHP

I worked out the idea of secure PHP templating using static code analysis. In development (debug) mode it should warn the programmer whenever a potentially unsafe construct is used.

The following analyzer script shows how this works:

<?php
// Token types that can produce output or execute code, and the source text to flag.
$tokens    = array('T_ECHO', 'T_PRINT', 'T_EXIT', 'T_STRING', 'T_EVAL', 'T_OPEN_TAG_WITH_ECHO');
$functions = array('echo', 'print', 'die', 'exit', 'var_dump', 'eval', '<?=');
$filename  = 'template.php';

$all_tokens = token_get_all(file_get_contents($filename));
foreach ($all_tokens as $token) {
  // Single-character tokens (';', '(', ...) are plain strings without a name or line number.
  if (is_array($token)) {
    if (in_array(token_name($token[0]),$tokens)) {
      // PHP keywords are case-insensitive, so compare in lower case ("ECHO" is still "echo").
      if (in_array(strtolower($token[1]),$functions)) {
        trigger_error('In "'.$filename.'" you should not use "'.htmlentities($token[1]).'" on line '.$token[2].'. Error raised ', E_USER_WARNING);
      }
    }
  }
}

It will analyze the “template.php” file and report potentially insecure or erroneous language constructs.
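As an added example (not the post's or MindaPHP's own code), the “e” helper described above next to a variant of the analyzer that returns its findings as a list instead of raising warnings, run over a constructed template string; the function names analyzeTemplate and the sample template are assumptions for this illustration:

```php
<?php
// Added example, not the original post's code: escaping helper plus a
// list-returning analyzer, run on a constructed in-memory template.
function e($value)
{
    echo htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

function analyzeTemplate($source, $filename = 'template.php')
{
    // Token types that can output or execute, and the source text that is flagged.
    $types    = array('T_ECHO', 'T_PRINT', 'T_EXIT', 'T_STRING', 'T_EVAL', 'T_OPEN_TAG_WITH_ECHO');
    $unsafe   = array('echo', 'print', 'die', 'exit', 'var_dump', 'eval', '<?=');
    $findings = array();
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // single-character tokens such as ';' carry no name or line number
        }
        list($id, $text, $line) = $token;
        // T_STRING covers function names like var_dump; T_OPEN_TAG_WITH_ECHO is "<?=".
        // Keywords are case-insensitive, so "ECHO" is compared as "echo".
        if (in_array(token_name($id), $types, true)
            && in_array(strtolower(trim($text)), $unsafe, true)) {
            $findings[] = sprintf('%s:%d uses "%s"', $filename, $line, trim($text));
        }
    }
    return $findings;
}

// Constructed template: line 1 uses the helper (allowed), lines 2 to 4 are unsafe.
$template = "Hello <?php e(\$_POST['name']); ?>!\n"
          . "<?php echo \$_POST['name']; ?>\n"
          . "<?= \$_GET['q'] ?>\n"
          . "<?php var_dump(\$_SERVER); ?>\n";

print_r(analyzeTemplate($template));
```

The helper call on line 1 is not reported because “e” is not in the flagged list, while the echo, the short echo tag and var_dump on the following lines each produce one finding with their line number.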

This form of templating and static code analysis is fully implemented in the MindaPHP framework that you can find on my Github account. You can find the source code of the PHP static code analyzer class here.

Limit concurrent PHP requests using Memcache

When you run a website you may want to use an nginx reverse proxy to cache some of your static assets and also to limit the number of connections per client IP to each of your applications. Some good modules for nginx are:

Many people are not running a web farm, but they still want to protect themselves against scrapers and hackers that may slow down the website (or even make it unavailable). The following script allows you to protect your PHP application from too many concurrent connections per IP address. You need to have Memcache installed and you need to be running a PHP web application that uses a front controller.

Installing Memcache for PHP

Run the following command to install Memcache for PHP on a Debian based Linux machine (e.g. Ubuntu):

sudo apt-get install php5-memcache memcached

This is easy. You can flush your Memcache data by running:

telnet 0 11211
flush_all

You may have to restart Apache for the Memcache extension to become active.

sudo service apache2 restart

Modifying your front controller

It is as simple as opening up your “index.php” or “app.php” (Symfony) and pasting the following code at the top of the file:

<?php
function firewall($concurrency,$spinLock,$interval,$cachePrefix,$reverseProxy)
{
  $start = microtime(true);
  if ($reverseProxy && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // Only the last address was appended by your own proxy; earlier ones are client-supplied.
    // array_pop() needs a variable, so the exploded list is stored first.
    $forwarded = explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);
    $ip = trim(array_pop($forwarded));
  }
  else {
    $ip = $_SERVER['REMOTE_ADDR'];
  }
  $memcache=new Memcache();
  $memcache->connect('127.0.0.1', 11211);
  $key=$cachePrefix.'_'.$ip;
  // Create the per-IP counter if it does not exist yet; it expires after $interval seconds.
  $memcache->add($key,0,false,$interval);
  while ($memcache->increment($key)>$concurrency) {
    $memcache->decrement($key);
    if (!$spinLock || microtime(true)-$start>$interval) {
      http_response_code(429);
      die('429: Too Many Requests');
    }
    usleep($spinLock*1000000);
  }
  // Release the slot when the request ends. This is registered only after the slot was
  // taken, so a rejected request (die above) does not decrement the counter a second time.
  register_shutdown_function(function() use ($memcache,$key){ $memcache->decrement($key); });
}
firewall(10,0.15,300,'fw_concurrency_',false);

Add these lines if you want to test the script in stand-alone mode:

session_start();
session_write_close();
usleep(3000000);

With the default settings you can protect a small WordPress blog, as they limit visitors to 10 concurrent(!) requests per IP address. Note that this is a lot more than 10 visitors per IP address. A normal visitor does not send concurrent requests to PHP, as the browser tends to send only one request at a time. Even multiple users behind one IP address may not produce concurrent requests (if you are lucky). In case concurrent requests do happen they will be delayed for “x” times 150 ms until the concurrency level (from that specific IP) is below 10. Other IP addresses are not affected or slowed down.

If you use a reverse proxy you can set “$reverseProxy” to “true” so that the client IP address is taken from the “X-Forwarded-For” header (otherwise all requests would be counted against the proxy’s own address). Also, if you set “$spinLock” to “false” then you will serve “429: Too Many Requests” when there are too many concurrent requests instead of stalling the connection.

This functionality is included as the “Firewall” feature of the new MindaPHP framework and also as the firewall functionality in the LeaseWeb Memcache Bundle for Symfony. Let me know what you think about it using the comments below.

Open source privacy tools µBlock and µMatrix

In the past we have been giving some attention to the tools Adblock Plus and RequestPolicy when we talked about enhancing your privacy and security online.

“The user decides what web content is acceptable or not in their browser.” – µBlock manifesto

Today we want to introduce you to two alternative (open source) tools for this, made by Raymond Hill: µBlock and µMatrix.

µBlock

This is a simple tool, comparable to Adblock Plus, but it is open source, light-weight and very user friendly. It uses the same approach and block-lists as Adblock Plus and has the main advantage of being more lightweight, as you can see in the graph below:

[image: µBlock graph]

Source code and more information: https://github.com/gorhill/uBlock

µMatrix

This tool is comparable to RequestPolicy and, like RequestPolicy, is aimed at blocking non-first-party requests. It has a nice matrix that you can easily click to allow or disallow certain requests. I have found that it works much better, as it also allows related third-party domains. For instance redditmedia.com is not blocked on reddit.com, where RequestPolicy would block it.

[image: µMatrix screenshot]

Source code and more information: https://github.com/gorhill/uMatrix

Installation

At the following links you can find the installable extensions for Chromium and Firefox:

Conclusion

Both tools enhance your security and privacy online. They are easy to use and integrate well with the free Chrome (Chromium) browser. Unfortunately µMatrix is not yet available for Firefox, but this may only be a matter of time. I would highly recommend using both tools in your Chromium install, and I would recommend µBlock on Firefox as well.

Working in the cloud to prevent viruses & trojans

This post touches on some of the IT security topics that modern companies may have to deal with.

Endpoint security? Problematic!

Endpoint security is the security of your company’s laptop and desktop computers. The security of these computers in the outer perimeter of the network is a hot topic. You see the problem with home users that do not have the security devices and software that companies have. Viruses that encrypt personal documents with a password and ask a ransom to release them are common. Banking trojans are widespread as there is much money to be made. But company databases containing millions of user credentials also get stolen. Even PC manufacturers turn malicious under the pressure of advertisers: they ship new laptops with self-signed root certificates that nullify the web’s security system.

BYOD policy? Unstoppable!

Today Bring-Your-Own-Device (BYOD) policies are more popular than ever as people bring their private smartphones to work. They identify with the device and the brand of the phone. Even the color of the phone or the installed software is part of their identity. People also want to use USB sticks, USB drives and their tablets at work as these have become part of their IT vocabulary. Working remotely is encouraged and devices are carried from work to home and vice versa. This causes laptops to be connected to malicious networks, get stolen or just get lost. Fingerprint scanners, full-disk encryption and hardware tokens may help a bit, but do not solve all problems.

PC or Mac? Yes, indeed!

Apple laptops (and phones) are very expensive and have become important status symbols in the workplace. Some colleagues may be lucky to get a shiny Apple laptop or phone from the boss. Others are not that privileged and try to fake their success by buying one with their own money. For phones this is fully accepted. For laptops you see that more and more companies start to allow this. Companies see fewer interoperability problems, because all major business applications have become browser based. This causes the importance of the choice of desktop operating system to diminish rapidly.

Laptops without viruses

When Google launched its ChromeBook concept in 2011 I was expecting companies to start buying these for their employees. This laptop can safely be stolen or destroyed and is (by design) not vulnerable to viruses and trojans. It is even resilient against data loss due to forgotten backups. Its secret? The laptop does not store any data on its internal hard disk, but stores everything in the cloud. You can simply reset the laptop to factory defaults whenever it misbehaves, without losing any data. Google has also started offering complementary corporate email and calendaring solutions. I really thought they had a winner on their hands. I was wrong. Companies did not massively convert.

Super fast and secure development workstations in the cloud!

At LeaseWeb we had (and still have) VMs to do development on, but these are not set up (or fast enough) to run your graphical development tools or VM tools like Vagrant or Docker. I identified this problem (in 2012) and started an experiment with working fully in the cloud.

I started offering a multi-user desktop development environment for a small group of 5 developers on a single server. The dual-CPU server with 64 GB of RAM was operated by the team’s system engineer. The advantages were great: work from any machine without having to install your development environment. Connect from work or home to the same desktop and pick up where you left off. You could also easily share files on the local disks, and backups were made for you on the corporate backup systems. The environment was graphical and was totally over-dimensioned and thus super fast.

It failed (for that team). The multi-user desktop environment lifted most of the complaints that existed, but developers now felt that they had less freedom (and less privacy). Apparently they did not care about the source code not leaving the company or any of the other security advantages of working in the cloud (viruses, trojans and backups).

Fast forward to today. Many developers run Linux (often with encrypted disks) on their fast i5 laptops with 8 GB of RAM. They put all their work in JIRA and Git, which are both in the cloud. So I guess that there is not much to gain anymore by moving development to the cloud.

But can’t anyone work in the cloud?

Could this pattern of working in the cloud also be applied to a company’s non-development department? These departments may have access to more important (financial) information and their employees may have less IT knowledge. This may cause viruses and trojans to pose a higher risk.

You could set up some (Windows) terminal servers with Remote Desktop Protocol (RDP) and work on these machines. You could run software updates during the nights, make backups for users and lock the system down to prevent viruses and trojans. Employees could use the local browser (on their ChromeBooks) for Internet usage and a locked down remote browser for the company web applications. This way the corporate (sensitive) data should stay protected.

What do you think? Would it work? Use the comments.

Browse safer by disabling SSLv3 in Firefox

[image: POODLE test result, links to https://www.poodletest.com/]

You may be at risk! A man-in-the-middle attack may be effective between you and any site that runs on HTTPS. This was explained two days ago by Google in their publication about the POODLE attack. It explains that SSLv3 has a vulnerability and that negotiation of this protocol can be forced by a man-in-the-middle. That man-in-the-middle is then able to read (part of) the plaintext of your secure communication with the server. You can click the above image (which links to https://www.poodletest.com/) and if you are vulnerable you will see a poodle.

Fixing the vulnerability is also very easy. If you run a server you may want to check out my post on fixing the POODLE issue in Nginx and Apache. Once the server no longer offers SSLv3, even transfers from browsers that are not fixed can no longer be intercepted and decoded by a man-in-the-middle.

[screenshot: Firefox about:config with security.tls.version.min set to 1]

But you should also fix this issue in your browser right now! In Firefox you simply type “about:config” in the address bar and then “tls” in the search bar. Change the value of “security.tls.version.min” from “0” to “1”, as the above screenshot illustrates:

Mozilla says that it is making Firefox 34 safe from POODLE by disabling SSLv3 by default. – betanews.com

This change is so easy (it only costs a few seconds and requires a browser restart) that I would not wait for Mozilla to release Firefox 34. If you run another browser and you are looking for a guide, you may want to check out tomsguide.com.