[Php Camp]Owasp Php Top5+Csrf

Presentation on OWASP PHP Top 5 and CSRF, presented at PHPCamp, Pune, on Sept'20th, 2008

Published in: Education, Technology
Transcript of "[Php Camp]Owasp Php Top5+Csrf"

Slide 1. OWASP PHP Top 5 plus CSRF
Bipin Upadhyay, Satyam Computers, http://projectbee.org/

Slide 2.
"The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure."

Slide 3. Agenda
- Introduction
- AppSecurity
  - Why?
  - OWASP
- OWASP PHP Top 5
  - The Boring 3
  - The Exciting 2
  - CSRF

Slide 5. Who Am I?
- I am SpiderMan
- Apart from that, I:
  - work for Satyam Computers,
  - work as PHP Lead,
  - currently working on OpenSocial,
  - also work on App Sec, and
  - am also a part of OWASP Bangalore Chapter.
- I can be pinged @:
  - Om-[AT]-Projectbee-[Dot]-org, &
  - http://projectbee.org/

Slide 6. Agenda
- Introduction
- AppSecurity
  - Why?
  - OWASP
- OWASP PHP Top 5 – Intro & Mitigation
  - The Boring 3
  - The Exciting 2
  - CSRF

Slide 7. Network Sec. versus App Sec.
[Diagram: ports 0 to 65535; the firewall/IDS/IPS lets only 80 and 443 through from the attacker to the web server]

Slide 8. Network Sec. versus App Sec…
[Diagram: ports 0 to 65535; firewall/NATed IP; a malicious or compromised web server on one side, the victim on the other]

Slide 9. How serious is the matter!
- 90% of web applications have serious vulnerabilities – Gartner Group
- 78% of attacks are at the web application level – Symantec
- XSS and SQLI replacing buffer overflows as the favourite hacker initiative – Mitre
- 8 to 9 out of every 10 sites vulnerable to XSS – WASC

Slide 10. Scary Cracks
- Credit Cards & Google
- Google.com UTF-7 XSS Vulnerability
- Yamanner
- "Samy is my Hero" OR Samy Worm
- GMail CSRF Vulnerability

Slide 11. OWASP
- A free and open community focused on improving App Security
- Guides, tools, etc. freely available for use
- OWASP PHP TOP 5 is a list of the top 5 PHP vulnerabilities
- YOU can start your own project and/or contribute too

Slide 13. OWASP Top 5
- The Boring Trio
  - P1. Remote Code Execution
  - P4. PHP Configurations
  - P5. File System Attacks
- The Exciting Duo
  - P3. SQL Injection Attacks
  - P2. XSS (Cross Site Scripting)

Slide 14. OWASP Top 5
- The Boring Trio
  - P1. Remote Code Execution
  - P4. PHP Configurations
  - P5. File System Attacks
- Arguably, a little outdated
- They don't excite me enough to talk here
- Read yourself :D

Slide 15. OWASP Top 5
- The Exciting Duo
  - P3. SQL Injection Attacks
  - P2. XSS (Cross Site Scripting)
- Injection Attacks also regarded as A2 in OWASP Top 10
- XSS stands A1 in OWASP Top 10
- The femme-fatale attacks

Slide 16. P3. SQL Injections – Intro
- Unsanitized data entering databases can be executed as an SQL query

Slide 17. P3. SQL Injections – Intro
- Unsanitized data entering databases can be executed as an SQL query
- Source: http://xkcd.com

Slide 18. P3. SQL Injections – Intro
- Demo

Slide 19. P3. SQL Injections – Mitigation
- Validate data; prefer whitelisting
- Use PDO, if possible; OR
- Use parameterized queries – MySQLi or PEAR packages; OR
- Use mysql_real_escape_string
- Turn OFF magic_quotes_gpc
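The bullets of slide 19 side by side in PHP, as an added example (not the presenter's demo code): the string-built query that injection exploits, the PDO prepared statement that fixes it, and the escaping fallback. The schema (`users(id, username)`), the DSN and the credentials are assumed; `mysqli::real_escape_string` stands in for the older `mysql_real_escape_string` named on the slide.

```php
<?php
// Added example, not from the slides. Assumed schema: users(id, username).
declare(strict_types=1);

function connect(): PDO
{
    // charset in the DSN so server and client agree on multi-byte escaping;
    // emulated prepares off so MySQL itself binds the parameters.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Bullet 1: whitelist-validate before the value goes anywhere near SQL.
function isValidUsername(string $u): bool
{
    return preg_match('/\A[a-z0-9_]{3,32}\z/', $u) === 1;
}

// VULNERABLE: the value is spliced into the SQL text. A quote character in $username
// closes the string literal early and whatever follows is parsed as SQL. With
// magic_quotes_gpc off (bullet 5) nothing escapes it on the way in, so binding must.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $row = $pdo->query("SELECT id, username FROM users WHERE username = '$username'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE (bullets 2-3): the SQL text is fixed at prepare() time and the value travels
// separately, so it is only ever treated as data, never as query structure.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Bullet 4, for code stuck on a non-binding API: connection-aware escaping (the mysqli
// counterpart of mysql_real_escape_string). Weakest of the three; binding is preferred.
function findUserEscaped(mysqli $db, string $username): ?array
{
    $safe = $db->real_escape_string($username);
    return $db->query("SELECT id, username FROM users WHERE username = '$safe'")->fetch_assoc() ?: null;
}

$name = $_GET['user'] ?? '';
$user = isValidUsername($name) ? findUserSafe(connect(), $name) : null;
```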
Slide 20. P2. XSS – Intro
- OWASP Top 10 2007 #1
- Any type of user input that is reflected back to the user without being purified.
- Input can be HTML, CSS, or JavaScript
- Three kinds – Reflective, Persistent, & DOM Based XSS

Slide 21. P2. XSS – Intro
- XSS attacks include, but are not limited to:
  - Cookie Theft & Session Hijacking
  - Site Defacement & Phishing
  - Key logging
  - History Theft
  - Port Scanning
  - CSRF & Web Worms
  - DoS-ing
  - … limited only by imagination

Slide 22. P2. XSS – Intro
- Reflective XSS Demo
- Stored XSS Demo

Slide 23. P2. XSS – Mitigation
- Proper encoding can avoid most problems
- Input Encoding
  - prefer UTF-8 and ISO-8859-1
  - refer http://ha.ckers.org/charsets.html
- Output Encoding
  - avoid rich HTML input from the user
  - decimal encode input – htmlspecialchars(), htmlentities()
  - refer OWASP_Encoding_Project
- Use HTMLPurifier to allow white-listed HTML

Slide 24. CSRF – Intro
- Also called Unauthorized Requests.
- The server is punished / exploited for trusting the user.
- CSRF is, arguably, more dangerous than XSS.
- Doesn't necessarily require JavaScript.
- OWASP Top 10 2007 #5 (also called the Sleeping Giant)

Slide 25. CSRF – Intro
- GET-CSRF Demo
- POST-CSRF Demo

Slide 26. CSRF – Mitigation
- Identify points to protect; not all are equally important
- Use nonces – one-time tokens
- Embed nonces in URL, or forms
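The three bullets of slide 26 as a working PHP pattern, added here and not part of the presenter's demos: a nonce issued per protected action, embedded in the form, and consumed on first use. The action name `transfer`, the field name `_nonce`, and the use of the PHP session for server-side storage are assumptions.

```php
<?php
// Added example, not from the slides: one-time tokens (nonces) kept in the PHP session.
declare(strict_types=1);

session_start();

// Issue a nonce bound to one protected action (slide 26: "identify points to protect").
// Only the random value goes into the form; the session records it and when it was issued.
function issueNonce(string $action): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['nonces'][$action][$token] = time();
    return $token;
}

// Consume a nonce: it must exist for this action, be fresh, and is deleted on first use,
// so a replayed request fails even if it carries a value that was valid once.
function consumeNonce(string $action, ?string $token, int $maxAge = 900): bool
{
    if ($token === null || empty($_SESSION['nonces'][$action])) {
        return false;
    }
    foreach ($_SESSION['nonces'][$action] as $stored => $issuedAt) {
        if (hash_equals((string) $stored, $token)) {   // constant-time comparison
            unset($_SESSION['nonces'][$action][$stored]);
            return (time() - $issuedAt) <= $maxAge;
        }
    }
    return false;
}

// Embedding in a form (slide 26: "embed nonces in URL, or forms").
function renderTransferForm(): string
{
    $t = htmlspecialchars(issueNonce('transfer'), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="_nonce" value="' . $t . '">'
         . '<input name="amount"><button>Send</button></form>';
}

// Handling the POST: check the nonce before touching any state. A third-party page can
// make the browser send the session cookie, but it cannot read this value out of the
// victim's copy of the form, so a forged request arrives without it and is refused.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeNonce('transfer', $_POST['_nonce'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid request token.');
    }
    // ... perform the transfer ...
} else {
    echo renderTransferForm();
}
```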
Slide 27. Purification algo
- Sanitize anything that comes from the user.
- Order of purification is equally important
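One reading of slides 23 and 27 together, as an added PHP example (not the presenter's code): the purification order as declare the charset, canonicalize and validate on input, then encode once at the output sink with a separate encoder for each output context. It assumes the mbstring extension and PHP 7.3 or later.

```php
<?php
// Added example, not from the slides. Assumes the mbstring extension and PHP 7.3+.
declare(strict_types=1);

// Step 1: declare the charset so the browser cannot guess one (the UTF-7 case on slide 10).
function sendHeaders(): void
{
    header('Content-Type: text/html; charset=UTF-8');
}

// Step 2, input: reject bytes that are not valid UTF-8 rather than repairing them, then
// whitelist for the field's meaning (a display name: letters, digits, space . ' -).
// The apostrophe is allowed on purpose: validation narrows input, it does not make it
// safe to emit, so step 3 is still required.
function validateDisplayName(string $raw): ?string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    return preg_match('/\A[\p{L}\p{N} .\'-]{1,40}\z/u', $raw) === 1 ? $raw : null;
}

// Step 3, output: one encoder per context. ENT_QUOTES covers both quote kinds, so the
// same helper is safe in text nodes and inside quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A JavaScript string literal is a different context: htmlspecialchars() is not enough
// there, so JSON-encode and hex-escape the characters that could close a <script> block.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function render(string $name): string
{
    return '<p>Hello, <b>' . h($name) . '</b></p>' . "\n"
         . '<input type="text" value="' . h($name) . '">' . "\n"
         . '<script>var who = ' . js($name) . ';</script>';
}

// Order matters: validate on input, encode once at the output sink. Encoding on input
// instead means the stored value is already markup-escaped, so it is double-encoded in
// one view and decoded back to live markup wherever later code assumes raw text.
sendHeaders();
$name = validateDisplayName($_GET['name'] ?? '');
echo $name === null ? '<p>Invalid name.</p>' : render($name);
```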
Slide 28. About Satyam
- PHP
  - Satyam's PHP Unit is actively involved in consulting and developing PHP-based web applications
  - Also competent in smooth migration from existing infrastructure to PHP-based solutions
  - A well-defined stack of tools, e.g. PHPUnit, Phing, Propel, Xinc, etc., being used by developers for streamlined development
- OpenSocial
  - Early adopters of OpenSocial
  - Dedicated team of Java & PHP developers working on OpenSocial
  - Currently helping a Social Network, with a 10 million registered user base, become OpenSocial compliant

Slide 29.
- String.fromCharCode(84,104,97,110,107,32,89,111,117,33)
- i.e., Thank You!

Slide 30. Thank You
- Got Queries? Kindly raise your hands.