OWASP Top 10 at International PHP Conference 2014 in Berlin

With the latest XSS and CSRF attacks on Twitter, PayPal and Facebook, security is still obviously a very difficult thing to get right.
Every 3 years, the open web application security project (OWASP) releases a new Top 10 vulnerabilities, this talk will walk you through 2013s list.
I'll present you the possible attack scenarios and how you can protect against them.
In addition we'll look at more security issues which are not part of the Top 10, but that you should definitely keep in mind.

Published in: Software

  1. Tobias Zander | @airbone42 OWASP Top 10
  2. Current state of security
  3. Open Web Application Security Project
  4. The Top 10 Most Critical Web Application Security Risks (not just vulnerabilities)
  5. http://xkcd.com/327/
  6. Don't try this at home! http://funfive.net/drop-database-license-plate/2670.html
  7. Prepared Statements
     $stmt = $mysqli->prepare('UPDATE users SET email = ? WHERE id = 123');
     $stmt->bind_param('s', $email);
     $stmt->execute();
  8. DBA
     $username = 'A%';   // user-supplied value that contains a LIKE wildcard
     $q = Doctrine_Query::create()
         ->update('Account')
         ->set('email', 'foo@bar.de')
         ->where('username LIKE ?', $username);
  9. Time-based
     SELECT IF(SUBSTRING(user_password, 1, 1) = CHAR(65),
               BENCHMARK(5000000, ENCODE('foo', 'bar')), null)
     FROM users WHERE user_id = 1;
  10. Injection
      • Use prepared statements
      • Or stored procedures
      • Check for wildcards
      www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  11. eBay https://twitter.com/kennwhite/status/470545973547397120/photo/1/large
  12. Online banking newsletter: "Should your password contain special characters, we ask you to change your password. Due to the technical migration to the new online banking, only passwords that use certain special characters will still be accepted. The permitted special characters in a password are: # ? * + - ."
  13. Broken Authentication
      • Don't limit password strength
      • Force long and complex passwords
      • Check error messages
      • Prevent brute-force attacks
      www.owasp.org/index.php/Authentication_Cheat_Sheet
  14. Session Hijacking [diagram: Session ID: abcde, Mr. Evil]
  15. Session Fixation [diagram: Mr. Evil, link, predefined Session ID]
  16. Broken Session Management
      session.use_trans_sid = Off
      session.use_only_cookies = On
      session.cookie_secure = On
      session.cookie_httponly = On
      session.hash_function = sha512
  17. Broken Session Management
      • Don't expose session IDs
      • Probably bind sessions to IP
      • Reduce session lifetime
      • Regenerate session IDs
      www.owasp.org/index.php/Session_Management_Cheat_Sheet
  18. XSS
      echo '<input type="text" name="foo" value="'
          . htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8')
          . '">';
  19. XSS
      $value = '</script>';
      echo json_encode($value);
  20. XSS
      • Escape output by context
        - htmlspecialchars
        - json_encode
        - …
      • Content-Security-Policy
      • X-XSS-Protection
      • Template engine
  21. Insecure Object Reference
      <select>
          <option value="2">moderator</option>
          <option value="3">editor</option>
      </select>
  22. Insecure Object Reference
      <select>
          <option value="random-ref-x">moderator</option>
          <option value="random-ref-y">editor</option>
      </select>
  23. Insecure Object Reference
      • Validate user input
      • Use indirect object references
      • Check access permissions
  24. Security Misconfiguration
      <Directory "/var/www">
          AllowOverride All
      </Directory>
      memory_limit = 1024M
      allow_url_fopen = On
      allow_url_include = On
      ;open_basedir =
  25. Security Misconfiguration
      <Directory "/var/www">
          AllowOverride None
          Options -Indexes
      </Directory>
      memory_limit = 128M
      log_errors = On
      allow_url_fopen = Off
      allow_url_include = Off
      open_basedir = /var/www/app
  26. Security Misconfiguration
      • Keep your system up-to-date
      • Remove setup/deployment routines
      • Disable exposure of sensitive data
      • Review server settings
      • github.com/ioerror/duraconf
  27. Fucking rainbow tables http://edwardhotspur.wordpress.com/tag/devil-bunny/
  28. PHP 5.5
      $hash = password_hash($password, PASSWORD_DEFAULT);
      if (password_verify($password, $hash)) {
          // Success!
      } else {
          // Failed :(
      }
  29. SSDE - Password encryption
      • Add a salt
      • Use different salts
      • Use a strong algorithm (NOT md5)
      • Use password_hash in PHP 5.5
      • github.com/ircmaxell/password_compat
  30. SSDE - PHP Exposure
      expose_php = Off
      Remove phpinfo();
  31. SSDE - Secure URLs
      • Use TLS for all pages
      • Use the Secure cookie flag
      • Keep sensitive data out of the URL
  32. class AdminController {
          public function editAction() {
              $this->model->save($this->formData);
          }
      }
  33. Missing Function Level AC
      class AdminController {
          public function editAction() {
              if (!$this->_isAllowed()) {
                  throw new Exception('insufficient privileges');
              }
              …
  34. Missing Function Level AC
      • Standard should disallow all access
      • Use roles to keep the ACL simple
      • ACL model should be very flexible
      • Check privileges on each step
  35. class BankaccountController {
          public function transferAction() {
              if ($this->_isAllowed()) {
                  $this->transfer($amount, $account);
              }
          }
      }
  36. Cross Site Request Forgery [diagram: evil.com, sensitive.com; login / create session, visit website, request app … through victim's browser]
  37. CSRF
      class BankaccountController {
          public function transferAction() {
              $this->validateToken();
              if ($this->_isAllowed()) {
                  $this->transfer($amount, $account);
              }
          }
      }
  38. [diagram: infected profile, TOKEN, my profile]
  39. Authenticate user
  40. CSRF
      • Use a one-time token and secure it
      • Authenticate user
        - Credentials
        - Captcha
      www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet
  41. Known Vulnerabilities
      • Review third-party libraries
      • Keep libraries up-to-date - http://www.versioneye.com/
      • Check:
        - mailing lists
        - boards
        - news and vendor sites
  42. Redirects and Forwards
  43. Redirects and Forwards
      $allowedDomains = array('good.com', 'better.com');
      if (!in_array($url, $allowedDomains)) {
          throw new Exception('invalid redirect');
      }
      $this->_redirectUrl($url);
  44. http://www.lolhome.com/funny-picture-620770644.html
  45. Improper Error Handling
  46. DoS
  47. Security by Obscurity
  48. Insecure File Uploads
  49. Malicious File Execution
  50. Mail Header Injection
  51. Source Code Revelation
  52. Hardcoded Credentials
  53. Clickjacking
  54. Buffer Overflows
  55. XML External Entity
  56. Perfect Pixel Timing
  57. • OWASP Top 10
      • CWE/SANS Top 25
      • PCI DSS
      • Zed Attack Proxy
      • Metasploit
      • WireShark
      • BeEF
      http://amzn.to/1vKNLqM
  58. Trust no one! www.owasp.org security.stackexchange.com http://www.glittercats.com/image/30189/cute-cats-wallpapers-colorful-wallpaper
  59. Tobias Zander | @airbone42 Questions?
  60. Tobias Zander | @airbone42 Thanks!
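Slides 7, 8 and 10 together say: bind values, and still check for wildcards. The following is an added example, not the slides' own code; it uses PDO with an in-memory SQLite table constructed here and shows that a bound `%` is still a LIKE wildcard until it is escaped.

```php
<?php
// Added example (not from the slides). A bound parameter can never change the
// SQL structure, but if it lands in a LIKE pattern its % and _ are still
// wildcards, so they have to be escaped in addition to being bound (slide 10:
// "check for wildcards"). The table and rows are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO account (username, email) VALUES
    ('alice', 'alice@example.org'), ('anna', 'anna@example.org'), ('bob', 'bob@example.org')");

/** Escape LIKE metacharacters so the bound pattern matches the literal text only. */
function escapeLike(string $value, string $escape = '\\'): string
{
    // Backslash first, so the escapes added for % and _ are not escaped again.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/**
 * Set the e-mail of the account named $username and return the number of rows
 * touched. $escapeWildcards = false reproduces the slide 8 problem.
 */
function updateEmail(PDO $pdo, string $username, string $email, bool $escapeWildcards = true): int
{
    $pattern = $escapeWildcards ? escapeLike($username) : $username;
    // The SQL text is constant; both values travel as parameters, never by concatenation.
    $stmt = $pdo->prepare(
        "UPDATE account SET email = :email WHERE username LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':email' => $email, ':pattern' => $pattern]);
    return $stmt->rowCount();
}

// Same kind of user-controlled value as on slide 8: a wildcard instead of a name.
$input = 'a%';
echo updateEmail($pdo, $input, 'x@example.org', false), "\n";  // 2: alice and anna both rewritten
echo updateEmail($pdo, $input, 'y@example.org'), "\n";         // 0: nobody is literally named "a%"
echo updateEmail($pdo, 'bob', 'bob@example.net'), "\n";        // 1: an exact name still works
```

With MySQL, whose string literals treat backslash as an escape character, pass a different escape character such as `!` to `escapeLike()` and to the `ESCAPE` clause rather than fighting the double escaping.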
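For the slide 17 advice (regenerate session IDs, reduce lifetime, probably bind to IP), here is an added example that is not the slides' code. `$session` stands in for `$_SESSION` so it runs from the CLI; in a web SAPI you would pass `$_SESSION` and keep the php.ini settings from slide 16.

```php
<?php
// Added example, not the slides' code. Login regenerates the session id, every
// request enforces an idle and an absolute timeout and, optionally, the client
// address. $session replaces $_SESSION so the snippet runs without a web server.
const IDLE_TIMEOUT     = 15 * 60;     // seconds without a request before re-login
const ABSOLUTE_TIMEOUT = 8 * 3600;    // hard cap regardless of activity

function loginSucceeded(array &$session, int $userId, string $clientIp, int $now): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // new id, old one deleted: a fixated id is now worthless
    }
    $session = [                       // drop anything that was set before authentication
        'user_id'   => $userId,
        'created'   => $now,
        'last_seen' => $now,
        'ip'        => $clientIp,
    ];
}

/** Called on every request; false means the caller must be sent back to the login page. */
function sessionIsValid(array &$session, string $clientIp, int $now, bool $bindIp = true): bool
{
    if (!isset($session['user_id'], $session['created'], $session['last_seen'])) {
        return false;
    }
    if ($now - $session['last_seen'] > IDLE_TIMEOUT || $now - $session['created'] > ABSOLUTE_TIMEOUT) {
        $session = [];                 // expired: forget it rather than let it linger
        return false;
    }
    // "Probably bind sessions to IP": fine for an intranet app, breaks mobile and NAT users.
    if ($bindIp && ($session['ip'] ?? '') !== $clientIp) {
        return false;
    }
    $session['last_seen'] = $now;      // sliding idle window
    return true;
}

$session = ['cart' => ['sku-1']];      // constructed pre-login state
$t0 = 1700000000;
loginSucceeded($session, 42, '203.0.113.5', $t0);
var_dump(sessionIsValid($session, '203.0.113.5', $t0 + 60));     // bool(true)
var_dump(sessionIsValid($session, '198.51.100.9', $t0 + 120));   // bool(false): other address
var_dump(sessionIsValid($session, '203.0.113.5', $t0 + 2000));   // bool(false): idle > 15 min
```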
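Slides 18 to 20 show one escaper per output context. The block below is an added example (not the slides' code) that renders the same value into an HTML attribute and into a script block, and shows why the plain `json_encode()` of slide 19 is only safe because of its slash escaping.

```php
<?php
// Added example, not the slides' code: context-specific escaping for slides 18-20.
function e(string $s): string
{
    // HTML body and attribute context (slide 18)
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8');
}

function js($value): string
{
    // JavaScript context (slide 19). The HEX flags turn < > & ' " into \uXXXX so the
    // value can neither close the <script> element nor leave the string literal.
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {                 // e.g. invalid UTF-8
        throw new RuntimeException('unencodable value: ' . json_last_error_msg());
    }
    return $json;
}

function renderField(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">' . "\n"
         . '<script>var initialValue = ' . js($value) . ';</script>' . "\n";
}

$probe = '"><b>x</b></script>';            // constructed input that targets both contexts
echo renderField('foo', $probe);

// Why the flags matter: the default json_encode() output is safe only because "/"
// is escaped; adding JSON_UNESCAPED_SLASHES for prettier output reopens the hole.
echo json_encode('</script>'), "\n";                          // "<\/script>"
echo json_encode('</script>', JSON_UNESCAPED_SLASHES), "\n";  // "</script>"  closes the element
echo js('</script>'), "\n";                                   // "\u003C\/script\u003E"
```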
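The three bullets of slide 23 applied to the role `<select>` of slides 21 and 22, as an added example that is not the slides' code. The role table and the permission rule are constructed for the demo; in a web app the reference map would live in `$_SESSION`, and PHP 7+ is assumed for `random_bytes()`.

```php
<?php
// Added example, not the slides' code: validate input, resolve an indirect
// reference, then still check the permission. The map would normally be kept
// in $_SESSION; here it is a plain object so the snippet runs from the CLI.
final class IndirectReferenceMap
{
    private $toRef = [];
    private $toId  = [];

    /** Per-session random handle for a database id, created once per id. */
    public function ref(int $id): string
    {
        if (!isset($this->toRef[$id])) {
            $ref = bin2hex(random_bytes(16));   // unguessable, meaningless outside this session
            $this->toRef[$id] = $ref;
            $this->toId[$ref] = $id;
        }
        return $this->toRef[$id];
    }

    /** Handle back to id, or null if this session never issued it. */
    public function resolve(string $ref): ?int
    {
        return $this->toId[$ref] ?? null;
    }
}

function assignRole(IndirectReferenceMap $map, array $assignable, $submitted): string
{
    // 1. validate user input: a handle has a fixed shape, anything else is rejected early
    if (!is_string($submitted) || !preg_match('/^[0-9a-f]{32}$/', $submitted)) {
        return 'rejected: malformed reference';
    }
    // 2. indirect object reference: the real id never appears in the form
    $id = $map->resolve($submitted);
    if ($id === null) {
        return 'rejected: unknown reference';
    }
    // 3. check access permissions: the map hides ids, it is not an ACL
    if (!in_array($id, $assignable, true)) {
        return "rejected: not allowed to assign role $id";
    }
    return "assigned role $id";
}

$roles = [1 => 'admin', 2 => 'moderator', 3 => 'editor'];   // constructed
$assignable = [2, 3];                                      // roles this user may hand out
$map = new IndirectReferenceMap();
foreach ($assignable as $id) {                             // the <select> of slide 22
    echo '<option value="' . $map->ref($id) . '">' . $roles[$id] . "</option>\n";
}
echo assignRole($map, $assignable, $map->ref(3)), "\n";   // assigned role 3
echo assignRole($map, $assignable, '3'), "\n";            // rejected: malformed reference
echo assignRole($map, $assignable, $map->ref(1)), "\n";   // rejected: not allowed to assign role 1
```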
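What the `validateToken()` call on slide 37 can look like, as an added example that is not the slides' code. `$session` stands in for `$_SESSION` so it runs from the CLI; PHP 7+ is assumed for `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example, not the slides' code: per-session CSRF token, embedded into
// every form, compared in constant time before any state change (slide 40).
final class CsrfToken
{
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;        // in production: $_SESSION
    }

    /** One unguessable token per login session, created lazily. */
    public function current(): string
    {
        if (empty($this->session['csrf_token'])) {
            $this->session['csrf_token'] = bin2hex(random_bytes(32));
        }
        return $this->session['csrf_token'];
    }

    public function hiddenField(): string
    {
        return '<input type="hidden" name="csrf_token" value="' . $this->current() . '">';
    }

    /** Constant-time comparison; a missing token or a wrong type simply fails. */
    public function validate($submitted): bool
    {
        if (!is_string($submitted) || empty($this->session['csrf_token'])) {
            return false;
        }
        return hash_equals($this->session['csrf_token'], $submitted);
    }
}

/** transferAction() of slide 37 with the checks in the same order: token, then privilege. */
function transferAction(CsrfToken $csrf, array $post, bool $isAllowed): string
{
    if (!$csrf->validate($post['csrf_token'] ?? null)) {
        return 'rejected: CSRF token missing or invalid';
    }
    if (!$isAllowed) {
        return 'rejected: insufficient privileges';
    }
    return "transferred {$post['amount']} to {$post['account']}";
}

$session = [];
$csrf = new CsrfToken($session);
echo $csrf->hiddenField(), "\n";                    // rendered into the form on sensitive.com
$ownForm = ['csrf_token' => $csrf->current(), 'amount' => '100', 'account' => 'DE00'];
echo transferAction($csrf, $ownForm, true), "\n";   // transferred 100 to DE00
$crossSite = ['amount' => '100', 'account' => 'DE99'];   // evil.com cannot read the token
echo transferAction($csrf, $crossSite, true), "\n"; // rejected: CSRF token missing or invalid
```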
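The check on slide 43 compares the whole URL with a list of domain names, so it only accepts a bare domain as the target. The following added example (not the slides' code) checks the parsed scheme and host instead and lets site-relative paths through; the allow list and the test inputs are constructed.

```php
<?php
// Added example, not the slides' code: redirect target validation on parsed
// components rather than on the raw string. Returns the target to use, falling
// back to a safe local page instead of throwing.
function safeRedirectTarget(string $url, array $allowedHosts, string $fallback = '/'): string
{
    // Site-relative path: exactly one leading slash and no backslash anywhere
    // (browsers normalise "/\host" to "//host").
    if (preg_match('#^/(?![/\\\\])[^\\\\]*$#', $url)) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;   // malformed, protocol-relative ("//host") or a non-URL scheme without host
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // Exact host match: "good.com.other.example" and "good.com@other.example"
    // (host = other.example) both fail here, which a substring check would not catch.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;
    }
    return $url;
}

$allowedHosts = ['good.com', 'better.com'];   // constructed allow list
$inputs = [                                   // constructed test inputs
    'https://good.com/account',
    '/profile?tab=1',
    'https://better.com:8443/x',
    '//other.example',
    'https://good.com.other.example/',
    'https://good.com@other.example/',
    'javascript:void(0)',
];
foreach ($inputs as $u) {
    printf("%-35s -> %s\n", $u, safeRedirectTarget($u, $allowedHosts));
}
// Only the first three inputs come back unchanged; the rest resolve to "/".
```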
