[Php Camp]Owasp Php Top5+Csrf
Presentation on OWASP PHP Top 5 and CSRF, presented at PHPCamp, Pune, on Sept'20th, 2008
Presentation Transcript

  • OWASP PHP Top 5 plus CSRF – Bipin Upadhyay, Satyam Computers, http://projectbee.org/
    • “The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure.”
  • Agenda
    • Introduction
    • AppSecurity
      • Why?
      • OWASP
    • OWASP PHP Top 5
      • The Boring 3
      • The Exciting 2
      • CSRF
  • Who Am I?
    • I am SpiderMan
    • Apart from that, I:
      • Work for Satyam Computers,
      • work as PHP Lead,
      • currently working on OpenSocial,
      • also work on App Sec, and
      • am also a part of OWASP Bangalore Chapter.
    • I can be pinged @:
      • Om-[AT]-Projectbee-[Dot]-org, and
      • http://projectbee.org/
  • Agenda
    • Introduction
    • AppSecurity
      • Why?
      • OWASP
    • OWASP PHP Top 5 – Intro & Mitigation
      • The Boring 3
      • The Exciting 2
      • CSRF
  • Network Sec. versus App Sec. (diagram: Attacker, Firewall/IDS/IPS, ports 0–65535 with 80 and 443 open, Web Server)
  • Network Sec. versus App Sec… (diagram: Victim, Firewall/NATed IP, ports 0–65535, Malicious OR Compromised Web Server)
  • How serious is the matter?
    • 90% of web applications have serious vulnerabilities – Gartner Group
    • 78% of attacks are at the web application level – Symantec
    • XSS and SQLi are replacing buffer overflows as the favourite hacker initiative – Mitre
    • 8–9 out of every 10 sites are vulnerable to XSS – WASC
  • Scary Cracks
    • Credit Cards & Google
    • Google.com UTF-7 XSS Vulnerability
    • Yamanner
    • “Samy is my Hero” OR Samy Worm
    • GMail CSRF Vulnerability
  • OWASP
    • A free and open community focused on improving App Security
    • Guides, tools, etc. freely available for use
    • OWASP PHP TOP 5 is a list of top 5 PHP vulnerabilities
    • YOU can start your own project and/or contribute too
  • OWASP Top 5
    • The Boring Trio 
      • P1. Remote Code Execution
      • P4. PHP Configurations
      • P5. File System Attacks
    • The Exciting Duo 
      • P3. SQL Injection Attacks
      • P2. XSS (Cross Site Scripting)
  • OWASP Top 5
    • The Boring Trio 
      • P1. Remote Code Execution
      • P4. PHP Configurations
      • P5. File System Attacks
    • Arguably, a little outdated
    • They don’t excite me enough to talk here 
    • Read yourself :D
  • OWASP Top 5
    • The Exciting Duo 
      • P3. SQL Injection Attacks
      • P2. XSS (Cross Site Scripting)
    • Injection Attacks also regarded as A2 in OWASP Top 10
    • XSS stands A1 in OWASP Top 10
    • The femme-fatale attacks 
  • P3. SQL Injections – Intro
    • Unsanitized data entering the database can be executed as part of an SQL query
    • (Comic source: http://xkcd.com)
  • P3. SQL Injections – Intro
    • Demo
  • P3. SQL Injections – Mitigation
    • Validate data; prefer whitelisting
    • Use PDO, if possible; OR
    • Use parameterized queries – MySqli or PEAR packages; OR
    • Use mysql_real_escape_string
    • Turn OFF magic_quotes_gpc
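The mitigation list above, as an added example that is not from the slides: the string-built query beside a PDO prepared statement with whitelist validation. It uses an in-memory SQLite table with constructed rows so it runs offline; the table, DSN and function names are my own choices.

```php
<?php
// Added example, not from the deck. Uses sqlite::memory: so it runs anywhere;
// replace the DSN with a mysql: one in a real application.

// VULNERABLE: the request value is pasted into the SQL text, so whatever the
// user typed is parsed by the database as part of the query.
function findUserVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: whitelist-validate the value, then bind it as a typed parameter so the
// database receives the query text and the data separately.
function findUserSafe(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')"); // constructed rows

$tampered = '1 OR 1=1';                        // the tautology from the SQLi demo
print_r(findUserVulnerable($pdo, $tampered));  // both rows come back
try {
    findUserSafe($pdo, $tampered);             // rejected before it reaches the database
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
print_r(findUserSafe($pdo, '2'));              // only bob
```

With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client driver, performs the binding.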
  • P2. XSS – Intro
    • OWASP Top 10 2007 #1
    • Any type of user input that is reflected back to the user without being purified.
    • Input can be HTML, CSS, or Javascript
    • Three kinds – Reflective, Persistent, & DOM Based XSS
  • P2. XSS – Intro
    • XSS attacks include, but not limited to:
      • Cookie Theft & Session Hijacking
      • Site Defacement & Phishing
      • Key logging
      • History Theft
      • Port Scanning
      • CSRF & Web Worms
      • DoS-ing
      • … limited only by imagination
  • P2. XSS – Intro
    • Reflective XSS Demo
    • Stored XSS Demo
  • P2. XSS – Mitigation
    • Proper encoding can avoid most problems
    • Input Encoding
      • prefer UTF-8 and ISO-8859-1
      • refer http://ha.ckers.org/charsets.html
    • Output Encoding
      • avoid rich html input from user
      • encode user input on output – htmlspecialchars(), htmlentities()
      • refer OWASP_Encoding_Project
    • Use HTMLPurifier to allow white listed HTML
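The input-encoding and output-encoding points above, as an added example that is not from the slides: a reflected search term is normalised to UTF-8, whitelist-validated, and entity-encoded at the point of output, with the page charset declared so the browser cannot pick a different one (the UTF-7 case from the “Scary Cracks” slide). The parameter name and the whitelist are my own choices.

```php
<?php
// Added example, not from the deck. Order matters: fix the charset first,
// validate second, encode only when writing the value into the page.

// Declare the charset explicitly; if the browser has to guess, it may decode
// the markup differently from how we encoded it (the UTF-7 XSS class).
header('Content-Type: text/html; charset=UTF-8');

// Step 1: force the raw input to valid UTF-8, replacing malformed bytes.
function normalise(string $raw): string
{
    $clean = mb_convert_encoding($raw, 'UTF-8', 'UTF-8');
    return is_string($clean) ? $clean : '';
}

// Step 2: whitelist what a search term may contain (letters, digits, space,
// underscore, hyphen) and cap its length. Tighten or loosen per field.
function validateTerm(string $term): bool
{
    return mb_strlen($term, 'UTF-8') <= 64
        && preg_match('/^[\p{L}\p{N} _\-]+$/u', $term) === 1;
}

// Step 3: encode for the HTML body / quoted-attribute context. ENT_QUOTES
// covers both quote characters; the charset must match the header above.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$term = normalise($_GET['q'] ?? '');
if (!validateTerm($term)) {
    $term = '';   // do not echo anything that fails the whitelist
}

// The same encoded value is safe in element content and in a quoted attribute.
echo '<p>Results for: ' . e($term) . '</p>';
echo '<input type="text" name="q" value="' . e($term) . '">';
```

Rich HTML from users is the one case this does not cover; for that the deck’s advice is HTMLPurifier with a whitelist of allowed tags, not hand-written filtering.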
  • CSRF – Intro
    • Also called Unauthorized Requests.
    • The server is punished / exploited for trusting the user.
    • CSRF is, arguably, more dangerous than XSS.
    • Doesn’t necessarily require javascript.
    • OWASP Top 10 2007 #5 (also called the Sleeping Giant)
  • CSRF – Intro
    • GET-CSRF Demo
    • POST-CSRF Demo
  • CSRF – Mitigation
    • Identify points to protect; not all are equally important
    • Use nonces – one-time tokens
    • Embed nonces in URLs or forms
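The nonce mitigation above, as an added example that is not from the slides: a per-session token is generated server side, embedded in the form as a hidden field, and checked in constant time on POST. Session key, field name and the e-mail-change action are my own choices.

```php
<?php
// Added example, not from the deck. One token per session; rotate it per
// request if you need strict one-time semantics (the deck's "nonce").
session_start();

// Create the token once and keep it only on the server (in the session).
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A missing or wrong token means the request was not produced by a form this
// server rendered for this session. hash_equals avoids a timing side channel.
function csrfCheck($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // ... perform the state-changing action here (e.g. update the e-mail) ...
    exit('E-mail address updated');
}

// GET only renders the form. State changes happen on POST alone, so a plain
// image or link request (the GET-CSRF demo) cannot trigger them, and a forged
// POST (the POST-CSRF demo) fails because the attacker cannot read the token.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="{$token}">
  <label>New e-mail <input type="email" name="email"></label>
  <button type="submit">Update</button>
</form>
HTML;
```

For state-changing links that must stay GET, append the same token as a query parameter and run the same csrfCheck() on it.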
  • Purification algo
    • Sanitize anything that comes from the user.
    • Order of purification is equally important
  • About Satyam
    • PHP
      • Satyam’s PHP Unit is actively involved in consulting and developing PHP Based Web Applications
      • Also competent in smooth migration from existing infrastructure to PHP based solutions
      • A well defined stack of tools, e.g. PHPUnit, Phing, Propel, Xinc, etc., being used by developers for streamlined development
    • OpenSocial
      • Early adopters of OpenSocial
      • Dedicated team of Java & PHP developers working on OpenSocial
      • Currently helping a Social Network with a 10-million registered user base become OpenSocial compliant
    • String.fromCharCode(84,104,97,110,107,32,89,111,117,33)
    • i.e., Thank You! 
  • Thank You 
    • Got Queries? Kindly raise your hands.