Forem: dewbiez

PHP Frameworks Discussion (beware lots of opinions)

dewbiez — Thu, 04 Oct 2018 16:16:23 +0000

I prefer either Phalcon, or modular with independent composer packages that are not coupled to others. I did Laravel development for a while, but I couldn't seem to get the performance I wanted out of it.

What about you?

PHP Package: Caller

dewbiez — Sat, 29 Sep 2018 22:14:42 +0000

fobber / caller

A library for calling functions, closures, classes and methods.

About

This is a library that can be used to call functions, closures(AKA: anonymous functions), classes and methods. It can be used for calling dynamic values, say a handler in an HTTP router. Or containers.

Installation

You can install this via composer, or manually download the files.

composer require fobber/caller

Caller Documentation

\Fobber\Caller\Caller::callClosure(
    \Closure $closure,
    array    $parameters = []
);
\Fobber\Caller\Caller::callFunction(
    string $function,
    array  $parameters = []
);
\Fobber\Caller\Caller::callClass(
    string $class,
    array  $parameters = []
);
\Fobber\Caller\Caller::callMethod(
    object $object,
    string $method,
    array  $parameters  = [],
    bool   $static_only = false
);

Caller Basic Usage

require_once __DIR__.'/path/to/autoload.php';

use \Fobber\Caller\{
    Validator,
    Caller
};

use \Fobber\Exceptions\{
    InvalidFunctionException,
    InvalidClassException,
    InvalidMethodException
};

$validator = new Validator;
$caller    = new Caller($validator);

Calling Closures

$value = $caller->

…

View on GitHub

Hey! I published my first library to composer. Any PHP developers have time to read some code, you can check out my package on GitHub/Packagist.

If you read the code, it'd be nice if you'd let me know what you think.

You can install it via Composer, like so:

composer require fobber/caller

It's a library for calling things like functions, closures, classes and methods. You might be wondering why I would make something like this, but I made it so you can utilize it to make calls to dynamic values/handlers. Let's say you're building a Router library. And you want to able to separate your code into different files, like Controllers.

So you could so something similar to:

$object = $caller->callClass(IndexController::class);
$method = '__invoke';
$parameters = [$request, $response];
$caller->callMethod($object, $method, $parameters);

Or later once I got it implemented:

$caller->call('IndexController', [$request, $response]);

And with a neat little feature, you can have prefix and suffix parameters. If say all your controllers and their methods need a $request and $response, you can set it. And all you have to do is this:

$caller->call('IndexController');

PHP Security: Passwords

dewbiez — Sat, 22 Sep 2018 02:53:35 +0000

My Password Rules

Minimum length of 16 characters.
Maximum length of 256, 512, 1,024 or 2,048 characters.
Make sure the password isn't pwned.
ALLOW PASTING OF PASSWORDS!

Microsoft has a maximum password length of 16 characters.

Does that sound good to you? Well, it certainly shouldn't. It's not often applications have such low maximum lengths for passwords(correct me if I'm wrong). But it's really bad to limit your password lengths like Microsoft did.

It's debatable whether you should enforce password rules such as special characters, uppercase letter, lowercase letter, etc. I don't believe that's the better thing to do. I strongly disagree with password rules like that.

All the application should do is make sure my secret is long enough, and hash it slowly so my secret won't be found out within anyone's lifetime.

A lot of sites have a minimum password length of 6 or 8 characters. That's not good. It really isn't. Even if they're using Argon2 with a high cost. 12 characters is okay ... but I like to set the minimum to around 16 characters long.

Why allow such a big maximum number of characters? It's ridiculous!

You're right. It probably is. But I like to make sure password managers are able to input super long passwords.

Storing Passwords

I'll show you how easy it is to securely hash passwords in PHP >= 5.6. It's automatically salted.

$hashed_password = password_hash('string', PASSWORD_DEFAULT);

The default password hashing algorithm as of PHP 7.2 and lower is bcrypt. But note, while bcrypt is good, it truncates passwords at 72 characters, and is vulnerable to null bytes.

My preferred way of storing passwords will probably differ from yours.

My Technique

HMAC the password.
Hash the HMAC.
Encrypt the hash.

Why the heck are you HMACing the password?!

Well, that's because when say someone is registering to your site. What if they put in a 4 megabyte password, and send multiple requests? This could effectively DDoS you. However, you can prevent that, by pre-hashing with a fast algorithm such as SHA256. Or you can validate the password and make sure it doesn't go past a maximum number of characters. And if it passes the validation, then you can hash the password, etc.

But that's not the only problem it can solve. What if you're storing PINs? Only 4 digit numbers, can be brute-forced within a reasonable amount of time. Think about it, you're only hashing 4 characters. You can turn 4 characters, into a really long string with an HMAC. And there you go, it's better than just storing 4 characters.

How does it DDoS you?

It requires a lot of computing power for say Argon2. Now remember, password hashing algorithms are meant to be slow. So if it takes 1 second to hash a 8 character password, it might take 10 seconds to hash a 1 megabyte password. Which is why we shorten or lengthen a password to a set length so we don't have that issue.

But mixing up different algorithms is dangerous!

It can be, but I highly doubt hashing a SHA3-512 hexadecimal output will do anything bad in a Argon2 hash function, because it's literally just numbers and letters. Isn't that what a password usually is?

Okay, but why are you encrypting the hash?

It's not a performance issue if you're using fast encryption algorithms.

Still! Why? It adds no benefits, and makes your application harder to maintain.

That's actually a good argument. However, say your database server is separate from your application server. If an attacker only gets access, to the database, they first have to find the encryption key to decrypt the hash, or eventually break it, only to have to stop dead in their tracks with a really slow hashed password. But in the real world, I doubt someone would try to brute-force AES encryption, they'd probably start looking for the key. But doing this can buy you time, possibly enough time to rotate your keys and tell users their data has been compromised.

The Code

I can also show you a quick basic implementation in PHP.

First, we of course need a password.

$password = 'my super secret password';

Now that's done, we can setup the HMAC's algorithm and key.

$hmac_algorithm = 'sha3-512';
$hmac_key       = random_bytes(32);

Step 1: Make the HMAC.

$hmac = hash_hmac($hmac_algorithm, $password, $hmac_key);

Ta da! Now that's done, let's move on to setting the password hashing up.

$password_hash_cost      = 4;
$password_hash_algorithm = PASSWORD_ARGON2I;
$password_hash_options   = [
    'memory_cost' => $password_hash_cost * PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
    'time_cost'   => $password_hash_cost * PASSWORD_ARGON2_DEFAULT_TIME_COST,
    'threads'     => $password_hash_cost * PASSWORD_ARGON2_DEFAULT_THREADS
];

Step 2: Make the hash.

$hash = password_hash(
    $hmac,
    $password_hash_algorithm,
    $password_hash_options
);

Yep! That's all done. We need to setup that next step though.

$encryption_key   = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$encryption_nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

Step 3: Make the ciphertext.

$ciphertext = sodium_crypto_secretbox(
    $hash,
    $encryption_nonce,
    $encryption_key
);

I ran the above code, and these were the following outputs:

HMAC output: 876dd083d78abd57c267a4cb3b64788c468f7ff9a88ab91800e5ae3cc3e25f646510fc2e2a9ccd9395ba01b814dbe76efa2acb985a7733330f4abc6b5157474c

Hash output: $argon2i$v=19$m=4096,t=8,p=8$ZEJXdlN2QU8vb3RIU3RxeA$0hU3ZokcZpPJwfmdmzwXD5KFfdmh/MyZRAFx4tLIJkc

Ciphertext output: 319dfbac430ad505b7daccfb8c827f36389b1dc747d3b3fc6cd1334e060b156800dec5268c79fe46367ad1be3ddac70540ddc19a6fb70348018a5ed27bcd2fb822a83e289833ec6d3294881eed6e45b94fa8c5a6f502ddb0851956587d6a2817bc45f82251b7e633de9cc3c2779e9b

Note, I converted the ciphertext to hexadecimal. And by default the HMAC output is converted to hexadecimal. I was using PHP 7.2.9, and I was using libsodium for encryption.

I am by no means an expert in cryptography, or it's implementation. And this was my opinion on passwords, yours will probably differ.

That'll be it for today, I hope you enjoyed the article, and that perhaps you opened your mind a little more about passwords.

EDIT, PLEASE READ:

Don't use my technique. Read the comments. Just use password hashing algorithms such as Argon2 or Bcrypt to store your passwords.

Like I said before. Encrypting the password hashes will only be effective if you keep the application and database on separate servers/hardware, assuming the attackers only gain access to your database.

PHP Security: Introduction

dewbiez — Thu, 20 Sep 2018 10:58:16 +0000

Often, these days vulnerabilities are still being found in web applications. PHP has a pretty bad reputation regarding security, including one of the most popular frameworks WordPress. It's not to say making applications without vulnerabilities is easy- or that it's possible. But we really should try harder.

Us as PHP developers, need to make sure our data is safe from attackers. We need to stop this nonsense. And it's a big issue, big companies and businesses are continuing to be exploited and breached because of their security. I believe one of the big companies recently had a database breach, and they looked like they were stored with base64 and either sha1 or md5 hashing. I don't recall which company this was.

But remember, hashing, encryption, is only a small part of keeping your applications secure. You also have SQL injection, cross-site scripting, session hijacking, remote file inclusion, cross-site request forgeries.

And that's to name a few off the top of my head. There's a lot to cover in web application security.

You can start off with PHP The Right Way, and PHP Delusions. They're great, especially for beginners(at least I think so).

Let's get real.

That stuff up there? Those links? Their information? It's absolutely great! It really is. It's basic, more of a baseline. A starting point, if you will.

Paragonie

They make open-source software, for PHP security!

Their blog is amazing! However, they're not well known. They really should be though. So why don't you help with that? Once you're convinced they're amazing, start recommending their posts, and them in general.

They cover a lot of things. If you wanna get serious about web application security, I highly recommend you bookmark that page, follow them on Twitter, and keep an eye out for any future blog posts.

Don't forget to go through their archives. There is a lot of stuff there.

Psst! They're on here too.

Scott ArciszewskiFollow

I do crypto/appsec/development for Paragon Initiative Enterprises.

Come on, let's make our web more secure! If you wanna post any links in the comments regarding security, please do so!

Extra Links

Three Steps For Increasing The Security of Your Web Apps

Jamie ・ Sep 13 '18

#http #webappsecurity #security #owasp

OWASP - Who?

Jamie ・ Sep 19 '18

#owasp #security

PHP Security: Passwords

dewbiez ・ Sep 22 '18

#php #security #cryptography

Symmetric Encryption Key Storage

dewbiez — Wed, 22 Aug 2018 06:49:17 +0000

I was wondering ... if say you're using something like AES(symmetric based), while you can use it to protect data, encrypting it. How do you protect the key used to encrypt the data? Where should you store it? How should you retrieve it?

Learning Resources

dewbiez — Wed, 22 Aug 2018 00:31:57 +0000

Dev

A community regarding software development, lots of help and articles available.

DevDocs

Provides an easy to use way to search through many popular documentations, more being added. With offline support!

Read the Docs

Another site for reading documentation? Hmm!

Alligator

Articles about front-end web development, and don't forget to check out their resources!

Scotch

Another articles site, regarding many technologies.

Egghead

A videos site for web developers.

Sabe

Articles and courses on web development.

Exercism

Exercises, courses and things like that.

Bento

A website for website developers.

Hackr

Courses, tutorials and a forum.

Coligo

Some more tutorials for you.

Taha Shashtari

A person writing about Vue.js, worth checking out.

The Ninja Vault

A site with blog posts on technologies.

Resilient Web Design

This is amazing! Please go read it.

Learn to Code HTML & CSS

Looks REALLY good, I highly suggest this for HTML and CSS developers.

HTML, CSS & JavaScript

I don't know what else to say about this, just look at it.

Codrops Useful Resources

Yay! More resources.

LearnStartup

It has LOTS of stuff you can learn about. Building games(both web based and not) and websites.

Hopscotch

Learn to code with games!

CodeCombat

Another way of learning to code with games.

ILoveCoding

A way to learn to code.

Coding Avengers

I know I wanna become an Avenger. A coding Avenger!

Viking Code School

Really cool name, but besides that come learn to code.

Programming Motherfucker

Try not to take offense to this. It's actually what it's called, but ya know. Why not check it out? Become a gangster! A pogramming gangster. ;)

Friday Front-End

A news letter on front-end, sent to you every Friday. I think.

Dev-Tips

Get Weekly developer tips in your inbox.

Web Tools Weekly

Another weekly inbox thing for developers.

After Hours Programming

A lot of tutorials on software developing.

DevShed

Worth checking out, a developer community.

Devdojo

Another website focused on web development with videos.

Sitepoint

Tutorialzine

Articles plus a community with forums. Mostly front-end.

Tutorialspoint

Tutorials, tutorials and oh yeah, more tutorials.

Vitallogic

Articles duh! Probably not as promising as the other links on here though.

Tuts+

Tutorials! And plus more tutorials. Has some good ones.

CleverProgrammer

Learn Python. He's really good.

Scrimba

Something else to check out! It has video courses along with a built in editor. Definitely check it out.

CodeSchool

Not free, but it's supposed to be really good.

PHP School

Schooling you on PHP, check it out. Looks pretty cool.

NodeSchool

Now schooling you on Node.js, pretty cool huh?

VueSchool

Whoa! A school on Vue too? YEP! Free too!

VueMastery

And I can't forget them! Note, a lot of the stuff you have to pay for. But it's supposed to be really good.

W3Schools

Web tutorials, not recommended for beginners as this has some outdated content. Don't want beginners using bad practices now do we? Non-beginners should be smart enough to know what not to trust. They also have some resources.

FreeCodeCamp

Amazing tutorials, and don't forget to check out their medium blog. I would highly recommend this for coding beginners.

Codecademy

Another great source to get started in the world of coding. I highly recommend this for coding beginners as well.

CSS-Tricks

Great tips, snippets and articles. This is also not strictly CSS related.

Eloquent JavaScript

A really good site(book) on JavaScript? Find out for yourself! It looks promising.

JS: The Right Way

Do JavaScript better than you did before???

Modern JavaScript Tutorials

Here is some modern JavaScript tutorials for ya!

PHP Delusions

A pretty good site, having one of the best tutorials/guides on database interaction.

Paragonie PHP Security

While yes they are mainly focused on PHP security, you can still apply their concepts to other languages you use. FYI, they're awesome. By far the best site or resources regarding security on PHP.

PHP: The Right Way

Seriously, if you're a PHP developer you really should read this. It's got best(better) practices. Highly recommended.

PHP Best Practices

Not as promising as PHP The Right Way, but shouldn't be too bad.

PHP Docs

You better read some of the stuff on PHP on here.

PHP Security Stuff

Yes, more on PHP security. Check it out, probably a good idea.

PHP Collaboration Standards

You definitely should look at this. It's standard guideline stuff.

Laracasts

Tons of videos on web development. Some of them free, check them out.

Laravel News

News on the Laravel framework and packages.

Laravel & VueJS

Articles regarding Laravel and Vue.js.

Hacksplaining

Learn stuff about hacking! It's pretty good, done it myself.

XeusHack

Hacking tutorials. Something else worth checking out.

Elite Hackers

Ahem, sshh and delete your history. Heading into dangerous territory. Probably should view this site with TOR or something.

Khan Academy

Has some stuff related to software development, but is general purpose.

Udemy

Has lots of courses on software development, and many other things.

Handling Passwords

dewbiez — Mon, 20 Aug 2018 23:28:28 +0000

Rules

Minimum length of either 8 or 16 characters.
A maximum length of 2,048 characters.
Check if password is in breaches? (optional)

It's probably a good idea to make sure they're not putting in a common or breached password. I don't have any other rules, it's pretty simple. I think having the one or more numbers, symbols, capital letters, is a bit overrated. I don't really need it, do I? Got any examples/scenarios on why an application would need or should have something like that? Please, share.

And I encourage people who are writing password this.

Storage

And as for storing passwords, I'm not just gonna leave it as plain-text, unless of course my intent is to steal credentials. So I'd use a strong hashing algorithm like Bcrypt or some variation of Argon2. Hashing the passwords is good enough, or so some of us believe. While I don't doubt that hashing the password is good, I believe that it could be taken further to protecting the passwords.

Yes, encrypt the hash, with something strong. Preferably AES-256 or AES-128. And perhaps a more complex approach signing keys with RSA and encrypting with AES based on that. Not gonna get too far into it(I don't wanna start talking about stuff I don't understand).

Doing it this way gives hackers/crackers whatever you wish to call them, another step. To decrypt the hash, then finally deal with the hash.

Summary

Make sure the password is within (8 or 16)-2,048 characters threshold, optionally check if it's common or breached. Hash the password, then encrypt the hashed password, and finally store it somewhere.

Forem: dewbiez

PHP Frameworks Discussion (beware lots of opinions)

PHP Package: Caller

fobber / caller

A library for calling functions, closures, classes and methods.

About

Installation

Caller Documentation

Caller Basic Usage

Calling Closures

PHP Security: Passwords

My Password Rules

Storing Passwords

My Technique

The Code

EDIT, PLEASE READ:

PHP Security: Introduction

Let's get real.

Scott ArciszewskiFollow

Extra Links

Three Steps For Increasing The Security of Your Web Apps

Jamie ・ Sep 13 '18

OWASP - Who?

Jamie ・ Sep 19 '18

Next Article

PHP Security: Passwords

dewbiez ・ Sep 22 '18

Symmetric Encryption Key Storage

Learning Resources

Handling Passwords

Rules

Storage

Summary

Recommendations

You Wouldn't Base64 a Password! Cryptography Terms and Concepts for Developers

Scott Arciszewski for Paragon Initiative Enterprises ・ Dec 13 '16

Do password rules impact security?

Dominik Weber ・ Jul 8 '18

How to Prevent Your Users from Using Breached Passwords

Randall Degges for Okta ・ Jun 11 '18