2013 - Mark Story - Avoiding the OWASP

Published on: PHP Conference Argentina 2013
Published in: Technology
  1. AVOIDING THE OWASP Top 10 security exploits
     Saturday, 5 October, 13
  2. ME
     Illustrator turned developer
     PHP developer for 8 years
     Architect/Developer at FreshBooks
     Lead developer of CakePHP
  3. SECURITY
  4. SECURITY CONTINUUM
     unusable <-----------------> unrestricted
  5. OWASP
     Open Web Application Security Project
  6. OWASP TOP 10
  7. 1 - INJECTION
     ' OR 1=1 '--
  8. RISKS
     Command - Permits arbitrary shell commands.
     SQL - Permits query manipulation, and arbitrary SQL.
     Bad guys can run arbitrary code/queries.
  9. SQL INJECTION EXAMPLE

         $username = $_POST['username'];
         $password = $_POST['password'];
         $query = "SELECT * FROM user
             WHERE username = '$username'
             AND password = '$password'";
         $user = $db->query($query);

  10. USER INPUT

         $username = "root";
         $password = "' OR 1 = 1 --";

  11-12. FINAL QUERY

         $query = "SELECT * FROM user
             WHERE username = 'root'
             AND password = '' OR 1 = 1 --";

  13. PREVENTION
     Use an ORM or Database abstraction layer that provides escaping. Doctrine, ZendTable, and CakePHP all do this.
     Use PDO and prepared statements.
     Never interpolate user data into a query.
     Never use regular expressions, magic quotes, or addslashes().
  14. EXAMPLE (PDO)

         $query = "SELECT * FROM user
             WHERE username = ?
             AND password = ?";
         $stmt = $db->prepare($query);
         $stmt->bindValue(1, $username); // positional placeholders are numbered from 1
         $stmt->bindValue(2, $password);
         $stmt->execute();               // execute the statement, not the connection
         $result = $stmt->fetch();
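As an added example (not from the slides), the same lookup with a named placeholder, plus the one input a placeholder cannot carry, a user-chosen sort column, handled with an allowlist; it assumes a PDO connection in $db and a user table with id, username, password_hash and created columns.

```php
<?php
// Added example: prepared statements for values, an allowlist for identifiers.
// Assumed: $db is a connected PDO instance; the user table is made up.
declare(strict_types=1);

function findUserByName(PDO $db, string $username): ?array
{
    // The value travels to the server separately from the SQL text, so
    // "' OR 1 = 1 --" is just an unusual username that matches nothing.
    $stmt = $db->prepare('SELECT * FROM user WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function listUsers(PDO $db, string $sortBy, string $dir): array
{
    // Column names and ORDER BY direction cannot be bound as parameters,
    // so user input is mapped onto a fixed set of allowed values instead.
    $columns = ['username' => 'username', 'created' => 'created'];
    $column = $columns[$sortBy] ?? 'username';
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $db->query("SELECT id, username FROM user ORDER BY $column $direction");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The password is checked against a hash in PHP, never compared inside SQL,
// so there is no second user-controlled value in the query at all.
$user = findUserByName($db, $_POST['username'] ?? '');
if ($user === null || !password_verify($_POST['password'] ?? '', $user['password_hash'])) {
    http_response_code(401);
    exit('Invalid credentials');
}
```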
  15. COMMAND INJECTION

         $file = $_POST['file'];
         $res = file_get_contents($file);
         echo $res;

  16. USER INPUT

         $file = "../../../../../../etc/passwd";

  17. PREVENTION
     Escape and validate input.
     Check for ..
     Check for ;
     Ensure the realpath resolves to a file that is allowed.
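An added example (not from the slides) of the realpath check from the PREVENTION slide, assuming PHP 8 and that served files live under /var/www/app/public/downloads:

```php
<?php
// Added example: serve only files that resolve inside one allowed directory.
// Assumed: PHP 8 (str_contains/str_starts_with) and a made-up base directory.
declare(strict_types=1);

function resolveAllowedFile(string $baseDir, string $requested): ?string
{
    // Reject traversal, NUL bytes and shell metacharacters up front, as the
    // slide suggests; the realpath comparison below is the real guard.
    if ($requested === '' || str_contains($requested, "\0")
        || str_contains($requested, '..') || str_contains($requested, ';')) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and "." segments and returns false for
    // files that do not exist, so canonical paths can be compared directly.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Require the base directory plus a separator as prefix, otherwise a
    // sibling such as ".../downloads-private" would pass a plain prefix test.
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

$path = resolveAllowedFile('/var/www/app/public/downloads', $_POST['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
readfile($path);
```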
  18. 2 - BROKEN AUTHENTICATION & SESSION MANAGEMENT
     /index.php?PHPSESSID=pwned
  19. RISKS
     Identity theft.
     Firesheep was an excellent example.
  20-21. SESSION FIXATION EXAMPLE

         <?php
         // The session id is taken from the query string before the session
         // starts, so whoever crafts the link chooses the victim's session id.
         if (isset($_GET['sessionid'])) {
             session_id($_GET['sessionid']);
         }
         session_start();

  22. PREVENTION
     Rotate session identifiers upon login/logout.
     Set the HttpOnly flag on session cookies.
     Use well tested / mature libraries for authentication.
     SSL is always a good idea.
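An added example (not from the slides) of session bootstrap and login/logout code that applies the PREVENTION points above; it assumes PHP 7.3 or later and that the site is served over HTTPS:

```php
<?php
// Added example: session configuration and id rotation that defeat fixation.
// Assumed: PHP >= 7.3 (array form of session_set_cookie_params) and HTTPS.
declare(strict_types=1);

// Cookie flags must be set before session_start(): HttpOnly keeps the id
// away from JavaScript, Secure keeps it off plaintext HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
// Accept session ids only from the cookie, never from the URL, and refuse
// ids the server did not issue itself.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

function loginUser(int $userId): void
{
    // Rotate the id on privilege change; true deletes the old session data,
    // so an id known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    // Rotate on logout as well, then drop the server-side state.
    session_regenerate_id(true);
    session_destroy();
}
```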
  23. 3 - XSS
     <script>alert('cross site scripting');</script>
  24. RISKS
     Allows bad guys to do things as the person viewing a page.
     Steal identities, passwords, credit cards, hijack pages and more.
  25-26. XSS EXAMPLE

         <p>
         <?php echo $user['bio']; ?>
         </p>

  27. I know, I can use regular expressions!
  28. NO
  29. PREVENTION
     Regular expressions and strip_tags leave you vulnerable.
     The only robust solution is output encoding.
  30. EXAMPLE

         <p>
         <?php echo htmlentities(
             $user['bio'],
             ENT_QUOTES,
             'UTF-8'
         ); ?>
         </p>

  31. DANGERS
     Manually encoding is error prone, and you will make a mistake.
     Using a template library like Twig that provides autoescaping reduces the chances of screwing up.
     Encoding is dependent on context.
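To show what "encoding is dependent on context" means, an added example (not from the slides) with one encoder per output context; the helper names e(), js() and urlParam() are made up for this example.

```php
<?php
// Added example: the right encoder for each place a value is rendered.
// htmlentities() is correct for HTML text and quoted attributes, but a value
// placed inside a <script> block needs JSON escaping instead.
declare(strict_types=1);

/** HTML body and quoted attribute context. */
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Value embedded in inline JavaScript. */
function js(string $value): string
{
    // JSON_HEX_* turn < > & ' " into \uXXXX escapes, so the string can never
    // close the surrounding <script> tag; "/" is escaped as "\/" by default.
    return (string) json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

/** Value used as a URL query parameter (HTML-encode the result as well). */
function urlParam(string $value): string
{
    return rawurlencode($value);
}

// Constructed sample input that breaks out of every context when unencoded.
$bio = "</script><script>alert('x')</script>";
?>
<p><?= e($bio) ?></p>
<a href="/search?q=<?= e(urlParam($bio)) ?>">search</a>
<script>var bio = <?= js($bio) ?>;</script>
```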
  32. 4 - INSECURE DIRECT OBJECT REFERENCE
  33. RISKS
     Bad guys can access information they shouldn't.
     Bad guys can modify data they shouldn't.
  34. BROKEN PASSWORD UPDATE

         <form action="/user/update" method="post">
         <input type="hidden" name="userid" value="4654" />
         <input type="text" name="new_password" />
         <button type="submit">Save</button>
         </form>

  35. PREVENTION
     Remember hidden inputs are not really hidden, and can be changed by users.
     Validate access to all things, don't depend on things being hidden/invisible.
     If you need to refer to the current user, use session data not form inputs.
     Whitelist properties any form can update.
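An added example (not from the slides) of the /user/update handler done the way the PREVENTION slide describes: identity from the session, a whitelist of updatable properties. It assumes a PDO connection in $db and a session started by the login code; the table and column names are made up.

```php
<?php
// Added example: the hidden "userid" input is ignored entirely; the user to
// update comes from the session and only whitelisted fields may change.
// Assumed: $db is a PDO instance, session_start() has already run.
declare(strict_types=1);

/** Only these form fields may be written through this handler. */
const UPDATABLE_FIELDS = ['new_password' => true, 'display_name' => true];

function updateProfile(PDO $db, array $session, array $post): bool
{
    // Identity comes from the session, never from a form input.
    if (empty($session['user_id'])) {
        throw new RuntimeException('Not authenticated');
    }
    $userId = (int) $session['user_id'];

    // Whitelist: anything else posted (e.g. "role" or "userid") is dropped.
    $fields = array_intersect_key($post, UPDATABLE_FIELDS);
    if ($fields === []) {
        return false;
    }

    $sets = [];
    $params = [':id' => $userId];
    foreach ($fields as $name => $value) {
        if ($name === 'new_password') {
            $sets[] = 'password_hash = :password_hash';
            $params[':password_hash'] = password_hash((string) $value, PASSWORD_DEFAULT);
        } else {
            // $name is one of UPDATABLE_FIELDS, so it is safe as an identifier.
            $sets[] = "$name = :$name";
            $params[":$name"] = (string) $value;
        }
    }
    $stmt = $db->prepare(
        'UPDATE user SET ' . implode(', ', $sets) . ' WHERE id = :id'
    );
    return $stmt->execute($params);
}

updateProfile($db, $_SESSION, $_POST);
```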
  36. 5 - SECURITY MISCONFIGURATION
  37. RISKS
     Default settings can be insecure, and intended for development not production.
     Attackers can use misconfigured software to gain knowledge and access.
  38. PREVENTION
     Know the tools you use, and configure them correctly.
     Keep up to date on vulnerabilities in the tools you use.
     Remove/disable any services/features you aren't using.
  39. 6 - SENSITIVE DATA EXPOSURE
     4012 8888 8888 1881
  40. RISKS
     Bad guys get credit cards, personal identification, passwords or health records.
     Your company could be fined or worse.
  41. ASSESSING RISK
     Do you have sensitive data?
     Is it in plaintext?
     Any old/bad crypto in use?
     Missing SSL?
     Who can access sensitive data?
  42. 7 - MISSING FUNCTION LEVEL ACCESS CONTROL
  43. RISKS
     Anyone on the internet can request things.
     Missing access control could mean bad guys can do things they shouldn't be able to.
  44. PREVENTION
     No simple solutions sadly.
     Good automated tests help.
  45. 8 - CROSS SITE REQUEST FORGERY (CSRF)
  46. RISKS
     Evil websites can perform actions for users logged into your site.
     Side effects on GET can be performed via images or CSS files.
     Remember the Gmail contact hack.
  47-50. CSRF EXAMPLE (diagram, built up over four slides)
     Your app / Evil site
     1. Login (the user logs in to your app)
     2. Accidentally visit (the user lands on the evil site)
     3. Submit form for evil (the evil site submits a form to your app)
  51. PREVENTION
     Add opaque expiring tokens to all forms.
     Requests missing tokens or containing invalid tokens should be rejected.
  52. SAMPLE CSRF VALIDATION

         <?php
         if (!$this->validCsrfToken($data, 'csrf')) {
             throw new ForbiddenException();
         }
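An added example (not from the slides, and not CakePHP's implementation) of the token generation and validation behind a check like the one above: opaque, per-session, expiring tokens as the PREVENTION slide asks for. It assumes session_start() has already been called.

```php
<?php
// Added example: opaque expiring CSRF tokens stored in the session.
// Assumed: the session has been started by the application bootstrap.
declare(strict_types=1);

const CSRF_TTL = 3600; // seconds a token stays valid

function csrfToken(): string
{
    // Opaque: unpredictable random bytes, no user data inside.
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'] = ['token' => $token, 'issued' => time()];
    return $token;
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlentities(csrfToken(), ENT_QUOTES, 'UTF-8') . '" />';
}

function validCsrfToken(array $data, string $field = 'csrf'): bool
{
    $stored = $_SESSION['csrf'] ?? null;
    if ($stored === null || !isset($data[$field]) || !is_string($data[$field])) {
        return false; // missing token: reject
    }
    // Expiring: a token that leaks has a short useful life.
    if (time() - $stored['issued'] > CSRF_TTL) {
        unset($_SESSION['csrf']);
        return false;
    }
    // hash_equals() compares in constant time, so no timing side channel.
    $ok = hash_equals($stored['token'], $data[$field]);
    unset($_SESSION['csrf']); // single use: a replayed token is rejected
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !validCsrfToken($_POST)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```

Single-use tokens mean a form opened in two tabs will fail in the second; keep the token per session instead of per form if that trade-off is wrong for your app.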
  53. 9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
     CVE bingo
  54. RISK
     Using old busted software can expose you to documented issues.
     CVE databases are filled with version numbers and matching exploits.
  55. PREVENTION
     Do routine upgrades. Keep up to date with all your software.
     Read mailing lists and keep an eye out for security releases.
  56. PREVENTION
     Several vulnerability databases around.
     https://cve.mitre.org/cve/
  57. 10 - UNVALIDATED REDIRECTS & FORWARDS
  58. RISKS
     Trusting user input for redirects opens phishing attacks.
     Breach of trust with your users.
  59. PREVENTION
     Don't trust user data when handling redirects.
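An added example (not from the slides) of what "don't trust user data" looks like for a post-login ?next= redirect: only same-site targets are followed, everything else falls back to the home page. It assumes PHP 8 and that the application's hostname is www.example.com.

```php
<?php
// Added example: validate a user-supplied redirect target before following it.
// Assumed: PHP 8 and a made-up hostname, www.example.com.
declare(strict_types=1);

function safeRedirectTarget(string $target, string $ourHost, string $fallback = '/'): string
{
    // Reject control characters, backslashes and protocol-relative "//host"
    // forms, all of which browsers may treat as a different origin.
    if ($target === '' || preg_match('/[\x00-\x1f]/', $target)
        || str_contains($target, '\\') || str_starts_with($target, '//')) {
        return $fallback;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;
    }
    // Absolute URL: allow only https on our own host (a "user@host" trick
    // shows up as a different host here and is rejected too).
    if (isset($parts['host'])) {
        $scheme = strtolower($parts['scheme'] ?? '');
        if ($scheme !== 'https' || strcasecmp($parts['host'], $ourHost) !== 0) {
            return $fallback;
        }
        return $target;
    }
    // Relative target: must be a site-absolute path, not "javascript:..." etc.
    if (isset($parts['scheme']) || !str_starts_with($target, '/')) {
        return $fallback;
    }
    return $target;
}

// e.g. next=/account is followed; next=https://evil.example/ falls back to "/".
header('Location: ' . safeRedirectTarget($_GET['next'] ?? '/', 'www.example.com'));
exit;
```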
  60. THANK YOU