OWASP Top 10 at International PHP Conference 2014 in Berlin
With the latest XSS and CSRF attacks on Twitter, PayPal and Facebook, security is obviously still a very difficult thing to get right.
Every three years the Open Web Application Security Project (OWASP) releases a new Top 10 of web application security risks; this talk walks you through the 2013 list.
I'll present the possible attack scenarios and how you can protect against them.
In addition we'll look at more security issues which are not part of the Top 10, but which you should definitely keep in mind.

Published in: Software
Transcript of "OWASP Top 10 at International PHP Conference 2014 in Berlin"

  1. Tobias Zander | @airbone42 - OWASP Top 10
  2. Current state of security
  3. Open Web Application Security Project
  4. The Top 10 Most Critical Web Application Security Risks - Not just Vulnerabilities
  5. http://xkcd.com/327/
  6. Don't try this at home! http://funfive.net/drop-database-license-plate/2670.html
  7. Prepared Statements

         $stmt = $mysqli->prepare(
             'UPDATE users SET email = ? WHERE id = 123'
         );
         $stmt->bind_param('s', $email);   // the value travels separately from the SQL text
         $stmt->execute();
  8. DBA

         $q = Doctrine_Query::create()
             ->update('Account')
             ->set('email', 'foo@bar.de')
             ->where('username LIKE ?', $username);
         $username = 'A%';   // bound, but the % wildcard still matches every username starting with A
  9. Time-based (blind injection: the response is slow only when the guessed character is right)

         SELECT IF(
             SUBSTRING(user_password, 1, 1) = CHAR(65),
             BENCHMARK(5000000, ENCODE('foo', 'bar')),
             null
         ) FROM users WHERE user_id = 1;
  10. Injection
      • Use prepared statements
      • Or stored procedures
      • Check for wildcards
      www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
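The three points of slides 7 to 10 in one runnable script, added here as an example (it is not code from the talk): the concatenated query that slide 8's `A%` trick exploits, the prepared-statement fix, and a wildcard escape for `LIKE`. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table, rows and the `escapeLike` helper are constructed for this example.

```php
<?php
// Added example (not from the slides). Needs the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES
    ('admin', 'admin@example.org'),
    ('alice', 'alice@example.org'),
    ('a_b',   'ab@example.org')");   // constructed sample rows

// Vulnerable: the query is assembled by string concatenation, so a username of
// "x' OR '1'='1" turns the WHERE clause into a tautology and rewrites every row.
function updateEmailVulnerable(PDO $db, string $username, string $email): int
{
    $sql = "UPDATE users SET email = '$email' WHERE username = '$username'";
    return $db->exec($sql);
}

// Fixed: the SQL text is fixed at prepare() time; the values are sent separately
// and can never change the structure of the statement.
function updateEmailSafe(PDO $db, string $username, string $email): int
{
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE username = :username');
    $stmt->execute([':email' => $email, ':username' => $username]);
    return $stmt->rowCount();
}

// Slide 8: a bound parameter does not neutralise LIKE wildcards. Escape % and _
// (and the escape character itself) and declare the escape character in the query.
function escapeLike(string $value, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

function countByUsernameLike(PDO $db, string $username): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username LIKE :u ESCAPE '\\'");
    $stmt->execute([':u' => escapeLike($username)]);
    return (int) $stmt->fetchColumn();
}

// Injection through the concatenated query: all three rows are overwritten.
$rows = updateEmailVulnerable($db, "x' OR '1'='1", 'evil@example.org');   // 3

// Same input through the prepared statement: nobody is literally named that.
$rows = updateEmailSafe($db, "x' OR '1'='1", 'evil@example.org');         // 0

// Wildcards: 'a_b' must match the one user called a_b, and 'a%' must match
// nobody instead of admin, alice and a_b.
$n = countByUsernameLike($db, 'a_b');   // 1
$n = countByUsernameLike($db, 'a%');    // 0
```

The `ESCAPE` clause matters: without it the backslash that `escapeLike` inserts is just another character in the pattern on MySQL's default settings, and on other engines the default escape character differs.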
  11. eBay https://twitter.com/kennwhite/status/470545973547397120/photo/1/large
  12. Online-Banking Newsletter (German original, translated): "If your password contains special characters, we ask you to change your password. Due to the technical changeover to the new online banking, only passwords that allow certain special characters will be permitted. The permitted special characters in a password are: # ? * + - ."
  13. Broken Authentication
      • Don't limit password strength
      • Force long and complex passwords
      • Check error messages
      • Prevent brute-force attacks
      www.owasp.org/index.php/Authentication_Cheat_Sheet
  14. Session Hijacking (diagram: Mr. Evil obtains the victim's Session ID "abcde")
  15. Session Fixation (diagram: Mr. Evil sends the victim a link carrying a predefined Session ID)
  16. Broken Session Management (php.ini)

          session.use_trans_sid = Off
          session.use_only_cookies = On
          session.cookie_secure = On
          session.cookie_httponly = On
          session.hash_function = sha512
  17. Broken Session Management
      • Don't expose session IDs
      • Consider binding sessions to an IP address
      • Reduce session lifetime
      • Regenerate session IDs
      www.owasp.org/index.php/Session_Management_Cheat_Sheet
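A session bootstrap that applies the php.ini settings of slide 16 at runtime together with the advice of slide 17, added here as an example rather than taken from the talk. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()` and `session.use_strict_mode`); the `user_id`, `last_seen` and `bound_addr` session keys and the 900-second idle timeout are choices made for this example.

```php
<?php
// Added example (not from the slides). Assumes PHP >= 7.3.

function secureSessionStart(int $idleSeconds = 900, bool $bindToAddress = false): void
{
    // Never accept a session ID from the URL: that is the fixation vector on slide 15.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs this server never issued; PHP then generates a fresh one.
    ini_set('session.use_strict_mode', '1');
    // Cookie is HTTPS-only and invisible to JavaScript, so XSS cannot read it.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout: a session unused for $idleSeconds is emptied and gets a new ID.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > $idleSeconds) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();

    // Optional address binding ("consider" on slide 17): it breaks for users
    // behind rotating proxies or mobile networks, so it is off by default.
    if ($bindToAddress) {
        $addr = $_SERVER['REMOTE_ADDR'] ?? '';
        if (isset($_SESSION['bound_addr']) && $_SESSION['bound_addr'] !== $addr) {
            $_SESSION = [];
            session_regenerate_id(true);
        }
        $_SESSION['bound_addr'] = $addr;
    }
}

// Call after a successful credential check: the pre-login ID (which an attacker
// may have planted) is never promoted to an authenticated session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // new ID; the old session data file is deleted
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_at'] = time();
}

// Full logout: clear data, expire the cookie, destroy the server-side session.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

secureSessionStart();
if (!isset($_SESSION['user_id'])) {
    // ... verify credentials (see the password_hash() slides), then:
    loginUser(42);   // 42 is a placeholder user ID
}
```

`session_regenerate_id(true)` is the single most important call: with it, a session ID that the attacker knew before the login is worthless afterwards, which defeats fixation even if a link with a planted ID did get clicked.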
  18. XSS

          echo '<input type="text" name="foo" value="' .
              htmlspecialchars(
                  $string,
                  ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED,
                  'UTF-8'
              ) .
              '">';
  19. XSS

          $value = '</script>';
          echo json_encode($value);   // "<\/script>": the escaped slash can no longer close a script block
  20. XSS
      • Escape output by context
        – htmlspecialchars
        – json_encode
        – …
      • Content-Security-Policy
      • X-XSS-Protection
      • Template engine
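"Escape output by context" from slide 20 spelled out as one helper per context, with the Content-Security-Policy header added as the second layer. This is an added example, not code from the talk: the helper names (`e`, `eJs`, `eUrlParam`, `safeHref`), the nonce-based policy and the `$untrusted` test input are all constructed for it. It assumes PHP 7.0 or later for `random_bytes()`.

```php
<?php
// Added example (not from the slides). Assumes PHP >= 7.0.

// HTML body text and quoted attribute values. Slide 18's flag set works as well;
// ENT_HTML5 additionally encodes ' as &apos;.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Data embedded in an inline <script>. json_encode alone already turns </script>
// into <\/script> (slide 19); the HEX flags also encode <, >, &, ' and " as \uXXXX,
// so the result is safe inside a script block and inside a quoted attribute.
function eJs($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

// One query-string component; the attribute around it still needs e().
function eUrlParam(string $s): string
{
    return rawurlencode($s);
}

// A complete user-supplied link: only http(s) URLs, everything else becomes "#",
// which keeps javascript:, data: and vbscript: out of href.
function safeHref(string $url): string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

$untrusted = '</script><img src=x onerror="alert(1)">';   // constructed attacker input
$nonce = base64_encode(random_bytes(16));

$html = '<input type="text" name="foo" value="' . e($untrusted) . '">' . "\n"
      . '<a href="' . safeHref('javascript:alert(1)') . '">profile</a>' . "\n"
      . '<a href="/search?q=' . e(eUrlParam($untrusted)) . '">search</a>' . "\n"
      . '<script nonce="' . e($nonce) . '">var data = ' . eJs(['name' => $untrusted]) . ';</script>';

// Defence in depth: inline script runs only when it carries this request's nonce,
// so an injected <script> that slipped past the escaping is still blocked.
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-$nonce'; object-src 'none'");
echo $html;
```

Note that `safeHref()` only filters the scheme; a relative URL passes unchanged, and `parse_url()` is not a browser-grade parser, so links from untrusted users are better stored as validated absolute URLs at input time as well.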
  21. Insecure Object Reference (direct: the real role IDs are in the form and can be swapped)

          <select>
              <option value="2">moderator</option>
              <option value="3">editor</option>
          </select>

  22. Insecure Object Reference (indirect: random references instead of the real IDs)

          <select>
              <option value="random-ref-x">moderator</option>
              <option value="random-ref-y">editor</option>
          </select>

  23. Insecure Object Reference
      • Validate user input
      • Use indirect object references
      • Check access permissions
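An implementation of the indirect references on slide 22 that also performs the permission check slide 23 asks for, added here as an example (not the talk's code). The `RefMap` class, the `role` namespace, the role table and the `$assignable` list are constructed; the session is a plain array so the script runs on the command line. It assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the slides). Assumes PHP >= 7.1.

// Per-session map from random handles to real IDs. Real IDs never reach the
// browser, and a handle minted for one user is meaningless in another session.
class RefMap
{
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        if (!isset($this->session['refmap'])) {
            $this->session['refmap'] = [];
        }
    }

    // Handle for $realId in $namespace, created on first use.
    public function handleFor(string $namespace, int $realId): string
    {
        foreach ($this->session['refmap'] as $handle => [$ns, $id]) {
            if ($ns === $namespace && $id === $realId) {
                return $handle;
            }
        }
        $handle = bin2hex(random_bytes(8));
        $this->session['refmap'][$handle] = [$namespace, $realId];
        return $handle;
    }

    // Real ID for a handle, or null if the handle is unknown or from another namespace.
    public function resolve(string $namespace, string $handle): ?int
    {
        if (!isset($this->session['refmap'][$handle])) {
            return null;
        }
        [$ns, $id] = $this->session['refmap'][$handle];
        return $ns === $namespace ? $id : null;
    }
}

$roles      = [1 => 'admin', 2 => 'moderator', 3 => 'editor'];   // constructed role table
$assignable = [2, 3];                                             // roles this user may grant

$session = [];
$map = new RefMap($session);

// Rendering the <select>: only handles appear in the HTML.
$html = '<select name="role">';
foreach ($assignable as $roleId) {
    $html .= sprintf(
        '<option value="%s">%s</option>',
        htmlspecialchars($map->handleFor('role', $roleId), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($roles[$roleId], ENT_QUOTES, 'UTF-8')
    );
}
$html .= '</select>';

// Handling the POST: resolve the handle, then check the permission again.
// The indirection stops guessing; the second check stops a valid handle for
// something the user must not touch.
function applyRole(RefMap $map, array $assignable, string $submitted): string
{
    $roleId = $map->resolve('role', $submitted);
    if ($roleId === null || !in_array($roleId, $assignable, true)) {
        return 'rejected';
    }
    return "granted role $roleId";
}

$ok   = applyRole($map, $assignable, $map->handleFor('role', 2));   // "granted role 2"
$bad  = applyRole($map, $assignable, '1');                          // "rejected": raw ID, not a handle
$bad2 = applyRole($map, $assignable, $map->handleFor('role', 1));   // "rejected": admin is not assignable
```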
  24. Security Misconfiguration (before)

          <Directory "/var/www">
              AllowOverride All
          </Directory>

          memory_limit = 1024M
          allow_url_fopen = On
          allow_url_include = On
          ;open_basedir =

  25. Security Misconfiguration (after)

          <Directory "/var/www">
              AllowOverride None
              Options -Indexes
          </Directory>

          memory_limit = 128M
          log_errors = On
          allow_url_fopen = Off
          allow_url_include = Off
          open_basedir = /var/www/app

  26. Security Misconfiguration
      • Keep your system up-to-date
      • Remove setup/deployment routines
      • Disable exposure of sensitive data
      • Review server settings
      • github.com/ioerror/duraconf
  27. Fucking rainbow tables http://edwardhotspur.wordpress.com/tag/devil-bunny/
  28. PHP 5.5

          $hash = password_hash($password, PASSWORD_DEFAULT);   // the algorithm argument is required; salt is generated for you
          if (password_verify($password, $hash)) {
              // Success!
          } else {
              // Failed :(
          }
  29. SSDE (Sensitive Data Exposure) - Password hashing (not encryption)
      • Add a salt
      • Use different salts
      • Use a strong algorithm (NOT md5)
      • Use password_hash in PHP 5.5
      • github.com/ircmaxell/password_compat (the same functions for PHP 5.3.7+)
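The login path around `password_hash()` from slides 28 and 29, extended to the two things a real code base needs: raising the cost or algorithm for existing users, and migrating legacy unsalted MD5 hashes on their first successful login. This is an added example, not the talk's code; the `$users` array stands in for a database table, the `$storeHash` callback for the UPDATE statement, and both sample accounts are constructed. It assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the slides). Assumes PHP >= 7.1.

const PW_OPTIONS = ['cost' => 12];   // tune so one hash takes roughly 100-250 ms on your hardware

function hashPassword(string $password): string
{
    // password_hash() generates a fresh random salt per call and stores it in the result.
    return password_hash($password, PASSWORD_DEFAULT, PW_OPTIONS);
}

// Returns the verified user record, or null. $storeHash(string $username, string $newHash)
// is called whenever the stored hash should be replaced.
function login(array &$users, string $username, string $password, callable $storeHash): ?array
{
    $user = $users[$username] ?? null;
    if ($user === null) {
        // Unknown user: burn the time of a real check so timing does not reveal
        // which usernames exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = hashPassword('dummy');
        }
        password_verify($password, $dummy);
        return null;
    }

    if (isset($user['md5'])) {
        // Legacy record (slide 29: NOT md5). Compare in constant time, then replace.
        $ok = hash_equals($user['md5'], md5($password));
    } else {
        $ok = password_verify($password, $user['hash']);
    }
    if (!$ok) {
        return null;
    }

    // Upgrade in place: we hold the plaintext only at this moment.
    if (isset($user['md5']) || password_needs_rehash($user['hash'], PASSWORD_DEFAULT, PW_OPTIONS)) {
        $new = hashPassword($password);
        $storeHash($username, $new);
        unset($user['md5']);
        $user['hash'] = $new;
        $users[$username] = $user;
    }
    return $user;
}

// Constructed sample data: one bcrypt record at an old cost, one legacy md5 record.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT, ['cost' => 10])],
    'bob'   => ['md5'  => md5('battery staple')],
];
$store = function (string $username, string $hash): void {
    // UPDATE users SET hash = ? WHERE username = ?   (placeholder for the real query)
};

$a = login($users, 'alice', 'correct horse', $store);   // verified; cost 10 hash replaced by cost 12
$b = login($users, 'bob', 'battery staple', $store);    // verified; md5 replaced by bcrypt
$x = login($users, 'bob', 'wrong', $store);             // null
```

`password_needs_rehash()` is what makes the cost tunable over time: raise `PW_OPTIONS['cost']` and every user is silently upgraded at their next login, without a migration job that needs the plaintext.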
  30. SSDE - PHP Exposure

          expose_php = Off

      Remove phpinfo();
  31. SSDE - Secure URLs
      • Use TLS for all pages
      • Use Secure Cookie Flag
      • Keep sensitive data out of the URL
  32. Missing Function Level AC (before: whoever reaches the action may save)

          class AdminController {
              public function editAction() {
                  $this->model->save($this->formData);
              }
          }

  33. Missing Function Level AC

          class AdminController {
              public function editAction() {
                  if (!$this->_isAllowed()) {
                      throw new Exception('insufficient privileges');
                  }
                  // …
              }
          }

  34. Missing Function Level AC
      • Standard should disallow all access
      • Use roles to keep ACL simple
      • ACL model should be very flexible
      • Check privileges on each step
  35. Cross Site Request Forgery (before: the permission is checked, but nothing proves the user meant to send this request)

          class BankaccountController {
              public function transferAction() {
                  if ($this->_isAllowed()) {
                      $this->transfer($amount, $account);
                  }
              }
          }

  36. Cross Site Request Forgery (diagram: the victim logs in to sensitive.com, then visits evil.com, which requests the app through the victim's browser)
  37. CSRF

          class BankaccountController {
              public function transferAction() {
                  $this->validateToken();
                  if ($this->_isAllowed()) {
                      $this->transfer($amount, $account);
                  }
              }
          }

  38. (diagram: "Infected profile" / TOKEN / "My profile")
  39. Authenticate user
  40. CSRF
      • Use One-Time-Token and secure it
      • Authenticate user
        – Credentials
        – Captcha
      www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet
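The `validateToken()` and `_isAllowed()` calls of slides 33 and 37 filled in, as an added example that is not the talk's code. The token is a per-session random secret compared in constant time, and the controller keeps the order of slide 37 (token first, then the role check, deny by default). The `Csrf` class, the `_token` field name, the role names, the small ACL table and the request arrays are constructed; `$_SESSION` is a plain array so the script runs on the command line. It assumes PHP 7.0 or later.

```php
<?php
// Added example (not from the slides). Assumes PHP >= 7.0.

class Csrf
{
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // One secret per session; rotated on login by regenerating the session.
    public function token(): string
    {
        if (empty($this->session['csrf'])) {
            $this->session['csrf'] = bin2hex(random_bytes(32));
        }
        return $this->session['csrf'];
    }

    public function hiddenField(): string
    {
        return '<input type="hidden" name="_token" value="'
            . htmlspecialchars($this->token(), ENT_QUOTES, 'UTF-8') . '">';
    }

    // Valid only for state-changing methods carrying the right token and, when the
    // browser sends an Origin header, one that names our own host.
    public function validate(array $server, array $post, string $ownHost): bool
    {
        $method = $server['REQUEST_METHOD'] ?? 'GET';
        if (!in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
            return false;   // a state change over GET is itself the CSRF bug
        }
        $sent = $post['_token'] ?? '';
        if (!is_string($sent) || empty($this->session['csrf'])
            || !hash_equals($this->session['csrf'], $sent)) {
            return false;   // hash_equals: no early exit that leaks matching prefixes
        }
        if (isset($server['HTTP_ORIGIN'])
            && parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST) !== $ownHost) {
            return false;
        }
        return true;
    }
}

class BankaccountController
{
    private $csrf;
    private $roles;   // roles of the logged-in user

    public function __construct(Csrf $csrf, array $roles)
    {
        $this->csrf = $csrf;
        $this->roles = $roles;
    }

    // Deny by default (slide 34): an action is allowed only if a role explicitly grants it.
    private function isAllowed(string $action): bool
    {
        $acl = ['transfer' => ['customer'], 'freeze' => ['clerk']];
        return count(array_intersect($acl[$action] ?? [], $this->roles)) > 0;
    }

    public function transferAction(array $server, array $post): string
    {
        if (!$this->csrf->validate($server, $post, 'bank.example')) {
            return 'rejected: bad token or origin';
        }
        if (!$this->isAllowed('transfer')) {
            return 'rejected: insufficient privileges';
        }
        return sprintf('transferred %d to %s', (int) $post['amount'], $post['account']);
    }
}

$session = [];
$csrf = new Csrf($session);
$ctl  = new BankaccountController($csrf, ['customer']);

// Genuine form submission: the page embedded $csrf->hiddenField().
$ok = $ctl->transferAction(
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://bank.example'],
    ['_token' => $csrf->token(), 'amount' => 100, 'account' => 'DE00']
);   // "transferred 100 to DE00"

// Forged request from evil.com: the browser attaches the session cookie, but
// evil.com cannot read the token out of the victim's page.
$forged = $ctl->transferAction(
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://evil.com'],
    ['_token' => '', 'amount' => 100, 'account' => 'DE00']
);   // "rejected: bad token or origin"
```

The token check is only as good as the page that carries it: slide 38's point is that an XSS hole on any page that prints the token (an "infected profile") lets the attacker read it, which is why the XSS escaping above and the CSRF token have to be fixed together.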
  41. Known Vulnerabilities
      • Review third party libraries
      • Keep libraries up-to-date - http://www.versioneye.com/
      • Check:
        – mailing lists
        – boards
        – news- and vendor-sites
  42. Redirects and Forwards
  43. Redirects and Forwards

          $allowedDomains = array('good.com', 'better.com');
          // Compare the host of the target, not the whole URL, against the whitelist:
          // 'http://good.com/next' would otherwise never equal 'good.com'.
          $host = parse_url($url, PHP_URL_HOST);
          if (!in_array($host, $allowedDomains, true)) {
              throw new Exception('invalid redirect');
          }
          $this->_redirectUrl($url);
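A stricter redirect check than the whitelist on slide 43, added here as an example and not taken from the talk: it parses the target, matches the host exactly, allows plain same-site paths, and rejects the bypasses an open-redirect hunter tries first (protocol-relative `//evil.com`, backslash variants, `good.com@evil.com`, `good.com.evil.com`, `javascript:`). The `isSafeRedirect` function, the allowed hosts and every test URL are constructed; the loop at the end throws if any case misbehaves. It assumes PHP 7.0 or later.

```php
<?php
// Added example (not from the slides). Assumes PHP >= 7.0.

function isSafeRedirect(string $url, array $allowedHosts): bool
{
    // Same-site relative path: "/account" is fine. "//evil.com" is not (browsers
    // read it as protocol-relative) and neither is "/\evil.com", which some
    // browsers normalise to the same thing.
    if ($url !== '' && $url[0] === '/') {
        return !preg_match('#^/[/\\\\]#', $url);
    }

    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;   // no scheme or host: "good.com", "javascript:alert(1)", ""
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;   // data:, file:, ftp: ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;   // https://good.com@evil.com/ has host evil.com, but refuse outright
    }
    // Exact host match, never a suffix match, so good.com.evil.com fails.
    return in_array(strtolower($p['host']), $allowedHosts, true);
}

$allowed = ['good.com', 'better.com'];   // constructed whitelist

$cases = [
    'https://good.com/next?x=1'   => true,
    'http://better.com'           => true,
    '/account/settings'           => true,
    '//evil.com'                  => false,
    '/\\evil.com'                 => false,
    'https://good.com@evil.com/'  => false,
    'https://good.com.evil.com/'  => false,
    'javascript:alert(1)'         => false,
    'good.com'                    => false,   // no scheme: ambiguous, refuse
];

foreach ($cases as $url => $expected) {
    if (isSafeRedirect($url, $allowed) !== $expected) {
        throw new RuntimeException("unexpected result for $url");
    }
}

// In the controller of slide 43 the check becomes:
//   if (!isSafeRedirect($url, $allowedDomains)) { throw new Exception('invalid redirect'); }
//   $this->_redirectUrl($url);
```

`parse_url()` is not a browser-grade parser, so the safest design is still to avoid user-supplied URLs altogether and redirect by a server-side key (`?next=account` mapped to a fixed path), falling back to this kind of check only where an arbitrary target is genuinely required.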
  44. http://www.lolhome.com/funny-picture-620770644.html
  45. Improper Error Handling
  46. DoS
  47. Security by Obscurity
  48. Insecure File Uploads
  49. Malicious File Execution
  50. Mail Header Injection
  51. Source Code Revelation
  52. Hardcoded Credentials
  53. Clickjacking
  54. Buffer Overflows
  55. XML External Entity
  56. Pixel Perfect Timing attacks
  57. • OWASP Top 10
      • CWE/SANS Top 25
      • PCI DSS
      • Zed Attack Proxy
      • Metasploit
      • Wireshark
      • BeEF
      http://amzn.to/1vKNLqM
  58. Trust no one! www.owasp.org security.stackexchange.com http://www.glittercats.com/image/30189/cute-cats-wallpapers-colorful-wallpaper
  59. Tobias Zander | @airbone42 Questions?
  60. Tobias Zander | @airbone42 Thanks!