OWASP Top 10 at International PHP Conference 2014 in Berlin
With the latest XSS and CSRF attacks on Twitter, PayPal and Facebook, security is still obviously a very difficult thing to get right.
Every three years, the Open Web Application Security Project (OWASP) releases a new Top 10 list of vulnerabilities; this talk will walk you through the 2013 list.
I'll present the possible attack scenarios and how you can protect against them.
In addition we'll look at more security issues which are not part of the Top 10, but that you should definitely keep in mind.

Presentation Transcript

  • Tobias Zander | @airbone42 OWASP Top 10
  • Current state of security
  • Open Web Application Security Project
  • The Top 10 Most Critical Web Application Security Risks (not just vulnerabilities)
  • http://xkcd.com/327/
  • Don‘t try this at home! http://funfive.net/drop-database-license-plate/2670.html
  • Prepared Statements
    $stmt = $mysqli->prepare('UPDATE users SET email = ? WHERE id = 123');
    $stmt->bind_param('s', $email);
    $stmt->execute();
  • DBA (Doctrine query builder)
    $username = 'A%';   // user input that contains a LIKE wildcard
    $q = Doctrine_Query::create()
        ->update('Account')
        ->set('email', 'foo@bar.de')
        ->where('username LIKE ?', $username);   // bound, but still matches every "A..." account
  • Time-based (blind injection)
    SELECT IF(SUBSTRING(user_password, 1, 1) = CHAR(65),
              BENCHMARK(5000000, ENCODE('foo', 'bar')),
              NULL)
    FROM users WHERE user_id = 1;
  • Injection • Use prepared statements • Or stored procedures • Check for wildcards www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
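The two slides above make one point each: bind parameters so quotes cannot break the SQL, and treat LIKE wildcards separately because binding leaves them intact. The following is an added example (not code from the slides) that combines both in mysqli. The `$mysqli` connection, the `users(id, username, email)` table and the `!` escape character are assumptions for this example; it assumes PHP 7.4 or newer.

```php
<?php
// Added example, not code from the slides. Shows the two protections the slides
// pair: parameter binding against injection, and escaping of LIKE wildcards,
// which binding alone does not neutralise. Assumes a mysqli connection $mysqli
// and a table users(id, username, email); both are assumptions for this example.

declare(strict_types=1);

/**
 * Escape LIKE metacharacters so user input is matched literally.
 * '!' is used as the escape character and declared with ESCAPE in the query.
 */
function escapeLike(string $value, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

/**
 * Update the e-mail address of every account whose username starts with $prefix.
 * Returns the number of affected rows.
 */
function updateEmailByUsernamePrefix(mysqli $mysqli, string $prefix, string $email): int
{
    // Quotes or comment sequences in $prefix are bound as data, not parsed as SQL.
    // escapeLike() additionally turns an attacker's "%" into the literal text "%".
    $pattern = escapeLike($prefix) . '%';

    $stmt = $mysqli->prepare(
        "UPDATE users SET email = ? WHERE username LIKE ? ESCAPE '!'"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('ss', $email, $pattern);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();

    return $affected;
}

// Constructed attacker inputs: the first tries to break out of the string literal,
// the second tries to widen the match to every user. The first is neutralised by
// binding alone; the second only by escapeLike().
foreach (["' OR 1=1 -- ", '%', 'A_'] as $input) {
    echo $input, ' => ', escapeLike($input) . '%', "\n";
}
```

Note that `ESCAPE '!'` is declared in the query so the escaping works the same on MySQL, PostgreSQL and SQLite; relying on MySQL's default backslash escape instead would tie the code to one database.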
  • eBay https://twitter.com/kennwhite/status/470545973547397120/photo/1/large
  • Online-Banking Newsletter (translated from German): "Should your password contain special characters, we ask you to change your password. Due to the technical migration to the new online banking, only passwords that use certain permitted special characters will be accepted. The permitted special characters in the password are: # ? * + - ."
  • Broken Authentication • Don‘t limit password strength • Force long and complex passwords • Check error messages • Prevent brute-force-attacks www.owasp.org/index.php/Authentication_Cheat_Sheet
  • Session Hijacking (diagram: Mr. Evil obtains the victim's session ID "abcde" and reuses it)
  • Session Fixation (diagram: Mr. Evil sends the victim a link carrying a predefined session ID)
  • Broken Session Management (php.ini)
    session.use_trans_sid = Off
    session.use_only_cookies = On
    session.cookie_secure = On
    session.cookie_httponly = On
    session.hash_function = sha512
  • Broken Session Management • Don't expose session IDs • Possibly bind sessions to the client IP (breaks for users behind rotating proxies) • Reduce session lifetime • Regenerate session IDs on login and privilege change www.owasp.org/index.php/Session_Management_Cheat_Sheet
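The php.ini settings and the bullet list above are the policy; the following is an added example (not code from the slides) of what the same policy looks like in application code: cookie-only strict-mode sessions, ID regeneration on login, an idle timeout and the optional IP binding as a switch. It assumes PHP 7.4 or newer, a site served over HTTPS, and the 15-minute idle limit is a value chosen for the example.

```php
<?php
// Added example, not code from the slides: the session hardening from the two
// slides above done in application code. Assumes PHP 7.4+ and an HTTPS site.

declare(strict_types=1);

const SESSION_IDLE_SECONDS = 900;      // idle lifetime; value chosen for this example

// Mirror the php.ini settings: cookie-only IDs, no URL-embedded IDs, and
// use_strict_mode so an ID the server never issued is rejected (kills fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // never sent over plain HTTP
    'httponly' => true,     // not readable by script, so XSS cannot read it
    'samesite' => 'Lax',    // also blunts CSRF from other sites
]);
session_start();

/** Called only after credentials have been verified. */
function loginUser(int $userId, string $clientIp): void
{
    // Fresh ID on privilege change: an attacker-supplied ID is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['client_ip']     = $clientIp;   // optional binding, see sessionProblem()
    $_SESSION['last_activity'] = time();
}

/** Pure policy check, separated from $_SESSION so it can be tested in isolation. */
function sessionProblem(array $session, int $now, string $clientIp, bool $bindIp): ?string
{
    if (empty($session['user_id'])) {
        return 'not authenticated';
    }
    if ($now - (int) ($session['last_activity'] ?? 0) > SESSION_IDLE_SECONDS) {
        return 'idle timeout';
    }
    // Binding to the IP stops replay of a stolen cookie from elsewhere, but breaks
    // for clients behind rotating proxies; hence the slide's "possibly".
    if ($bindIp && ($session['client_ip'] ?? '') !== $clientIp) {
        return 'client address changed';
    }
    return null;
}

function requireSession(bool $bindIp = false): void
{
    $problem = sessionProblem($_SESSION, time(), $_SERVER['REMOTE_ADDR'] ?? '', $bindIp);
    if ($problem !== null) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit($problem);
    }
    $_SESSION['last_activity'] = time();   // sliding idle window
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}
```

`session.use_strict_mode` is the setting that actually closes the fixation case drawn on the slide: with it off, PHP will happily adopt whatever ID the attacker's link put in the cookie.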
  • XSS
    echo '<input type="text" name="foo" value="'
       . htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8')
       . '">';
  • XSS
    $value = '</script>';
    echo json_encode($value);   // emits "<\/script>", which cannot close the script block
  • XSS • Escape output by context – htmlspecialchars – json_encode – … • Content-Security-Policy • X-XSS-Protection • Template engine
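"Escape output by context" is the whole lesson of the three XSS slides, and the case that escaping alone does not cover is a `javascript:` URL in an `href`. The following is an added example (not code from the slides) with one escaper per context, the URL allow-list, and the two response headers named on the slide. The CSP string is an assumption for the example (a real policy lists the origins the page actually loads from), and the code assumes PHP 7.4 or newer.

```php
<?php
// Added example, not code from the slides: one escaper per output context, the
// javascript: URL case that attribute escaping does not cover, and the two
// response headers named on the slide. The CSP is an assumption for this example.

declare(strict_types=1);

/** HTML body and quoted-attribute context. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** JavaScript literal context inside a <script> block. */
function jsValue($value): string
{
    // JSON_HEX_* encode < > & ' " as \uXXXX, so a value such as "</script>"
    // cannot close the script element and a quote cannot end an inline string.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** URL query-component context. */
function urlParam(string $s): string
{
    return rawurlencode($s);
}

/** href/src attribute: escaping does not neutralise javascript: URLs, so allow-list the scheme. */
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}

function renderProfile(string $name, string $site, string $query): string
{
    return '<input type="text" name="foo" value="' . e($name) . '">' . "\n"
         . '<a href="' . safeHref($site) . '">site</a>' . "\n"
         . '<a href="/search?q=' . urlParam($query) . '">search</a>' . "\n"
         . '<script>var user = ' . jsValue($name) . ';</script>' . "\n";
}

// Constructed attacker inputs, one per context.
$name  = '"><script>alert(1)</script>';
$site  = 'javascript:alert(document.cookie)';
$query = '&redirect=http://evil.example';

header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
header('X-XSS-Protection: 1; mode=block');   // legacy browser filter; defence in depth only
echo renderProfile($name, $site, $query);
```

A template engine that auto-escapes (Twig, for instance) gives you `e()` for free, but it still does not know that a string is about to land inside a `<script>` block or an `href`; those two contexts need the explicit helpers.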
  • Insecure Object Reference <select> <option value="2"> moderator </option> <option value="3"> editor </option> </select>
  • Insecure Object Reference <select> <option value="random-ref-x"> moderator </option> <option value="random-ref-y"> editor </option> </select>
  • Insecure Object Reference • Validate user input • Use indirect object references • Check access permissions
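The two `<select>` slides show the before and after; the following is an added example (not code from the slides) of the plumbing behind "random-ref-x": a per-session map from random reference to real ID, the reverse lookup on POST, and the permission check that the indirect reference does not replace. The role table, the session array and the `$mayAssign` callback are constructed for the example; it assumes PHP 7.4 or newer.

```php
<?php
// Added example, not code from the slides: indirect object references kept in the
// session, resolved server-side, then authorised. Role table, session array and
// permission callback are constructed for this example.

declare(strict_types=1);

/** Map a real identifier to a per-session random reference (idempotent). */
function indirectRef(array &$session, string $realId): string
{
    $session['refmap'] = $session['refmap'] ?? [];
    $existing = array_search($realId, $session['refmap'], true);
    if ($existing !== false) {
        return $existing;
    }
    $ref = bin2hex(random_bytes(16));          // unguessable, meaningless outside this session
    $session['refmap'][$ref] = $realId;
    return $ref;
}

/** Resolve a reference from the request back to the real identifier, or null. */
function resolveRef(array $session, string $ref): ?string
{
    return $session['refmap'][$ref] ?? null;
}

function renderRoleSelect(array &$session, array $roles): string
{
    $html = "<select name=\"role\">\n";
    foreach ($roles as $id => $label) {
        $html .= sprintf(
            "  <option value=\"%s\">%s</option>\n",
            htmlspecialchars(indirectRef($session, (string) $id), ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</select>\n";
}

/**
 * Handle the posted value: validate, resolve, then check the permission.
 * The indirect reference hides IDs but does NOT replace the access check.
 */
function handleRoleChange(array $session, string $posted, callable $mayAssign): string
{
    if (!preg_match('/^[0-9a-f]{32}$/', $posted)) {
        throw new InvalidArgumentException('malformed reference');
    }
    $roleId = resolveRef($session, $posted);
    if ($roleId === null) {
        throw new RuntimeException('unknown reference');
    }
    if (!$mayAssign($roleId)) {
        throw new RuntimeException('insufficient privileges');
    }
    return $roleId;
}

// Constructed data: this user may hand out roles 2 and 3 but not admin (1).
$session   = [];
$roles     = [2 => 'moderator', 3 => 'editor'];
$mayAssign = fn(string $roleId): bool => in_array($roleId, ['2', '3'], true);

echo renderRoleSelect($session, $roles);
echo 'assigned role ', handleRoleChange($session, indirectRef($session, '2'), $mayAssign), "\n";

foreach (['1', bin2hex(random_bytes(16))] as $guess) {   // guessed real ID, guessed reference
    try {
        handleRoleChange($session, $guess, $mayAssign);
    } catch (Throwable $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Without the `$mayAssign` check the indirect map is only obscurity: a user can still submit any reference the page handed them, so the server must decide per reference whether this user may act on that object.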
  • Security Misconfiguration (insecure)
    <Directory "/var/www">
        AllowOverride All
    </Directory>
    memory_limit = 1024M
    allow_url_fopen = On
    allow_url_include = On
    ;open_basedir =
  • Security Misconfiguration (hardened)
    <Directory "/var/www">
        AllowOverride None
        Options -Indexes
    </Directory>
    memory_limit = 128M
    log_errors = On
    allow_url_fopen = Off
    allow_url_include = Off
    open_basedir = /var/www/app
  • Security Misconfiguration • Keep your system up-to-date • Remove setup/deployment routines • Disable exposure of sensitive data • Review server settings • github.com/ioerror/duraconf
  • Fucking rainbow tables http://edwardhotspur.wordpress.com/tag/devil-bunny/
  • PHP 5.5
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if (password_verify($password, $hash)) {
        // Success!
    } else {
        // Failed :(
    }
  • Sensitive Data Exposure - Password hashing (the slide says "encryption"; stored passwords are hashed, not encrypted) • Add a salt • Use a different salt per user • Use a strong, slow algorithm (NOT md5) • Use password_hash in PHP 5.5 • github.com/ircmaxell/password_compat (backport for PHP 5.3.7+)
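The PHP 5.5 slide shows the two calls; what it leaves out is what to do with the md5 hashes already in the database and how to raise the cost later. The following is an added example (not code from the slides) that verifies against either format and re-hashes on successful login. The `md5:` prefix for legacy rows, the cost of 12 and the `$store` callback are assumptions for the example; it assumes PHP 7.4 or newer.

```php
<?php
// Added example, not code from the slides: password_hash()/password_verify() with
// transparent upgrade of old hashes. The cost, the "md5:" legacy format and the
// $store callback are assumptions for this example.

declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;   // bcrypt today; may change in future PHP releases
const HASH_OPTIONS = ['cost' => 12];     // tune so one hash takes roughly 100 ms on your hardware

function hashPassword(string $password): string
{
    // A random salt is generated per call and stored inside the hash string,
    // so two users with the same password get different hashes (no rainbow tables).
    return password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Verify the password against what is stored. Legacy unsalted md5 entries
 * (prefixed "md5:" in this example) are accepted once and replaced; bcrypt
 * hashes with an outdated cost are re-hashed as well. $store persists the new hash.
 */
function verifyPassword(string $password, string $stored, callable $store): bool
{
    if (strncmp($stored, 'md5:', 4) === 0) {
        // Constant-time comparison; md5 only survives here as a migration path.
        if (!hash_equals(substr($stored, 4), md5($password))) {
            return false;
        }
        $store(hashPassword($password));
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $store(hashPassword($password));
    }
    return true;
}

// Constructed walk-through: an old user row holds an unsalted md5 hash.
$saved = 'md5:' . md5('correct horse');
$ok = verifyPassword('correct horse', $saved, function (string $new) use (&$saved) {
    $saved = $new;   // in a real application: UPDATE users SET password_hash = ? WHERE id = ?
});
printf("login ok: %s, stored hash now starts with %s\n", var_export($ok, true), substr($saved, 0, 4));

$ok = verifyPassword('wrong', $saved, fn(string $n) => null);
printf("wrong password accepted: %s\n", var_export($ok, true));

printf("same password, same hash twice: %s\n", var_export(hashPassword('x') === hashPassword('x'), true));
```

`password_needs_rehash()` is what lets you raise the cost in one place later: the next successful login of each user silently rewrites their hash, with no bulk migration and no need to know the plaintext.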
  • Sensitive Data Exposure - PHP exposure: expose_php = Off; remove phpinfo() calls
  • Sensitive Data Exposure - Secure URLs • Use TLS for all pages • Use the Secure cookie flag • Keep sensitive data out of the URL
  • Missing Function Level AC (before)
    class AdminController {
        public function editAction() {
            $this->model->save($this->formData);
        }
    }
  • Missing Function Level AC (after)
    class AdminController {
        public function editAction() {
            if (!$this->_isAllowed()) {
                throw new Exception('insufficient privileges');
            }
            …
  • Missing Function Level AC • Standard should disallow all access • Use roles to keep ACL simple • ACL model should be very flexible • Check privileges on each step
  • Cross Site Request Forgery (before)
    class BankaccountController {
        public function transferAction() {
            if ($this->_isAllowed()) {
                $this->transfer($amount, $account);
            }
        }
    }
  • Cross Site Request Forgery (diagram: the victim logs in at sensitive.com, creating a session; the victim then visits evil.com, which sends a request to the app through the victim's browser, where the session cookie is attached automatically)
  • CSRF (after)
    class BankaccountController {
        public function transferAction() {
            $this->validateToken();
            if ($this->_isAllowed()) {
                $this->transfer($amount, $account);
            }
        }
    }
  • Infected profile (diagram: the attacker plants the request in "My profile", so the TOKEN must not be readable from an injected page)
  • Authenticate user (diagram)
  • CSRF • Use One-Time-Token and secure it • Authenticate user –Credentials –Captcha www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet
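The "after" controller calls `validateToken()` without showing it. The following is an added example (not code from the slides) of the token itself: generated from `random_bytes`, kept in the session, emitted as a hidden field, compared in constant time and discarded after one successful use, which is the "one-time token" of the slide. The `BankaccountController` helpers, the session array and the posted forms are constructed for the example; it assumes PHP 7.4 or newer.

```php
<?php
// Added example, not code from the slides: a per-session anti-CSRF token, rotated
// after each successful use (the slide's one-time token), wired into the
// controller shown above. The controller's helpers and the sample requests are
// assumptions for this example.

declare(strict_types=1);

final class Csrf
{
    private const KEY = 'csrf_token';

    /** Issue (or reuse) the token for the current form. */
    public static function token(array &$session): string
    {
        if (empty($session[self::KEY])) {
            $session[self::KEY] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        }
        return $session[self::KEY];
    }

    /** Hidden field for the form; escaped like any other attribute value. */
    public static function field(array &$session): string
    {
        return '<input type="hidden" name="csrf_token" value="'
             . htmlspecialchars(self::token($session), ENT_QUOTES, 'UTF-8') . '">';
    }

    /**
     * Compare the posted token with the session copy in constant time and
     * invalidate it on success, so a captured or replayed form is rejected.
     */
    public static function validate(array &$session, array $post): void
    {
        $expected = $session[self::KEY] ?? '';
        $given    = $post['csrf_token'] ?? '';
        if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
            throw new RuntimeException('invalid CSRF token');
        }
        unset($session[self::KEY]);   // one-time: the next form gets a fresh token
    }
}

final class BankaccountController
{
    private $session;
    private $post;

    public function __construct(array &$session, array $post)
    {
        $this->session = &$session;
        $this->post    = $post;
    }

    private function isAllowed(): bool
    {
        return !empty($this->session['user_id']);   // placeholder for the real ACL check
    }

    public function transferAction(): string
    {
        Csrf::validate($this->session, $this->post);   // before any state change
        if (!$this->isAllowed()) {
            throw new RuntimeException('insufficient privileges');
        }
        return sprintf('transferred %s to %s', $this->post['amount'], $this->post['account']);
    }
}

// Constructed walk-through: a legitimate form post, then a forged post from evil.com,
// which rides on the session cookie but cannot know the token.
$session = ['user_id' => 42];
echo Csrf::field($session), "\n";
$post = ['amount' => '10', 'account' => 'DE00', 'csrf_token' => $session['csrf_token']];
echo (new BankaccountController($session, $post))->transferAction(), "\n";

$forged = ['amount' => '9999', 'account' => 'DE99'];
try {
    (new BankaccountController($session, $forged))->transferAction();
} catch (RuntimeException $e) {
    echo 'forged request rejected: ', $e->getMessage(), "\n";
}
```

The token only helps if the attacker cannot read it, which is why the "infected profile" slide matters: an XSS hole on the same origin lets the injected script fetch the form and its hidden field, and no CSRF token survives that. A `SameSite` session cookie adds a second, independent layer.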
  • Known Vulnerabilities • Review third party libraries • Keep libraries up-to-date - http://www.versioneye.com/ • Check: – mailing lists – boards – news- and vendor-sites
  • Redirects and Forwards
  • Redirects and Forwards
    $allowedDomains = array('good.com', 'better.com');
    // Compare the host, not the whole URL: in_array($url, $allowedDomains) never matches
    // a full URL, and a substring check could be fooled by "good.com.evil.com".
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || $host === false
        || !in_array(strtolower($host), $allowedDomains, true)) {
        throw new Exception('invalid redirect');
    }
    $this->_redirectUrl($url);
  • Improper Error Handling
  • DoS
  • Security by Obscurity
  • Insecure File Uploads
  • Malicious File Execution
  • Mail Header Injection
  • Source Code Revelation
  • Hardcoded Credentials
  • Clickjacking
  • Buffer Overflows
  • XML External Entity
  • Pixel Perfect Timing (attacks)
  • OWASP Top 10 • CWE/SANS Top 25 • PCI DSS • Zed Attack Proxy • Metasploit • WireShark • BeEF http://amzn.to/1vKNLqM
  • Trust no one! www.owasp.org security.stackexchange.com
  • Tobias Zander | @airbone42 Questions?
  • Tobias Zander | @airbone42 Thanks!