[Php Camp]Owasp Php Top5+Csrf
Presentation on OWASP PHP Top 5 and CSRF, presented at PHPCamp, Pune, on Sept'20th, 2008

Published in: Education, Technology
  • Transcript

    • 1. OWASP PHP Top 5 plus CSRF Bipin Upadhyay, Satyam Computers http://projectbee.org/
    • 2.
      • “The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure.”
    • 3. Agenda
      • Introduction
      • AppSecurity
        • Why?
        • OWASP
      • OWASP PHP Top 5
        • The Boring 3
        • The Exciting 2
        • CSRF
    • 4. Agenda
      • Introduction
      • AppSecurity
        • Why?
        • OWASP
      • OWASP PHP Top 5
        • The Boring 3
        • The Exciting 2
        • CSRF
    • 5. Who Am I?
      • I am SpiderMan
      • Apart from that, I:
        • Work for Satyam Computers,
        • work as PHP Lead,
        • currently working on OpenSocial,
        • also work on App Sec, and
        • am also a part of OWASP Bangalore Chapter.
      • I can be pinged @:
        • Om-[AT]-Projectbee-[Dot]-org, &
        • http://projectbee.org/
    • 6. Agenda
      • Introduction
      • AppSecurity
        • Why?
        • OWASP
      • OWASP PHP Top 5 – Intro & Mitigation
        • The Boring 3
        • The Exciting 2
        • CSRF
    • 7. Network Sec. versus App Sec. [diagram: ports 0–65535 behind a Firewall/IDS/IPS; only 80 and 443 reach the Web Server; Attacker on the outside]
    • 8. Network Sec. versus App Sec… [diagram: ports 0–65535 behind a Firewall/NATed IP; Malicious OR Compromised Web Server; Victim on the inside]
    • 9. How serious is the matter!
      • 90% of web applications have serious vulnerabilities – Gartner Group
      • 78% of attacks are at the web application level – Symantec
      • XSS and SQLI replacing buffer overflows as the favourite hacker initiative – Mitre
      • 8 to 9 out of every 10 sites vulnerable to XSS – WASC
    • 10. Scary Cracks
      • Credit Cards & Google
      • Google.com UTF-7 XSS Vulnerability
      • Yamanner
      • “Samy is my Hero” OR Samy Worm
      • GMail CSRF Vulnerability
    • 11. OWASP
      • A free and open community focused on improving App Security
      • Guides, tools, etc. freely available for use
      • OWASP PHP TOP 5 is a list of top 5 PHP vulnerabilities
      • YOU can start your own project and/or contribute too
    • 12. Agenda
      • Introduction
      • AppSecurity
        • Why?
        • OWASP
      • OWASP PHP Top 5 – Intro & Mitigation
        • The Boring 3
        • The Exciting 2
        • CSRF
    • 13. OWASP Top 5
      • The Boring Trio
        • P1. Remote Code Execution
        • P4. PHP Configurations
        • P5. File System Attacks
      • The Exciting Duo
        • P3. SQL Injection Attacks
        • P2. XSS (Cross Site Scripting)
    • 14. OWASP Top 5
      • The Boring Trio
        • P1. Remote Code Execution
        • P4. PHP Configurations
        • P5. File System Attacks
      • Arguably, a little outdated
      • They don’t excite me enough to talk about here
      • Read them yourself :D
    • 15. OWASP Top 5
      • The Exciting Duo
        • P3. SQL Injection Attacks
        • P2. XSS (Cross Site Scripting)
      • Injection Attacks are also ranked A2 in the OWASP Top 10
      • XSS stands at A1 in the OWASP Top 10
      • The femme fatale attacks
    • 16. P3. SQL Injections – Intro
      • Unsanitized data that reaches a database query can be executed as SQL
    • 17. P3. SQL Injections – Intro
      • Unsanitized data that reaches a database query can be executed as SQL
      Source: http://xkcd.com
    • 18. P3. SQL Injections – Intro
      • Demo
    • 19. P3. SQL Injections – Mitigation
      • Validate data; prefer whitelisting
      • Use PDO, if possible; OR
      • Use parameterized queries – MySQLi or PEAR packages; OR
      • Use mysql_real_escape_string()
      • Turn OFF magic_quotes_gpc
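The two query styles the slide contrasts, side by side, as an added example (not code from the slides): a query built by string concatenation next to the PDO prepared statement the slide recommends, with a whitelist check in front. It uses an in-memory SQLite database, and the `users` table, its rows and the hostile input are constructed sample data.

```php
<?php
declare(strict_types=1);

// Constructed sample database so the script runs offline (SQLite via PDO).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// VULNERABLE: the user-supplied value is spliced into the SQL text, so the
// database engine cannot distinguish data from query structure.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// MITIGATED: the statement text is fixed at prepare time; the value travels
// as a bound parameter and can only ever be compared as data.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Whitelist validation (the slide's first bullet): accept only the alphabet
// a username is allowed to have, before the value gets anywhere near SQL.
function isValidName(string $name): bool
{
    return preg_match('/^[a-z0-9_]{1,32}$/', $name) === 1;
}

$input = "' OR '1'='1";   // constructed hostile input

// The concatenated query's WHERE clause is rewritten and matches every row.
echo count(findUserUnsafe($pdo, $input)), " rows from the concatenated query\n";  // 2

// The prepared statement looks for a user whose name literally is that string.
echo count(findUserSafe($pdo, $input)), " rows from the prepared statement\n";    // 0

// The whitelist rejects it before any query is built.
var_dump(isValidName($input));   // bool(false)
```

Prepared statements, not escaping, are the primary control: `mysql_real_escape_string()` only helps when every value is also quoted and the connection charset is set correctly, and the `mysql_*` extension was removed in PHP 7. `magic_quotes_gpc` was removed in PHP 5.4, so the last bullet is historical for current PHP versions.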
    • 20. P2. XSS – Intro
      • OWASP Top - 10 2007 #1
      • Any type of user input that is reflected back to the user without being purified.
      • Input can be HTML, CSS, or JavaScript
      • Three kinds – Reflective, Persistent, & DOM-based XSS
    • 21. P2. XSS – Intro
      • XSS attacks include, but not limited to:
        • Cookie Theft & Session Hijacking
        • Site Defacement & Phishing
        • Key logging
        • History Theft
        • Port Scanning
        • CSRF & Web Worms
        • DoS-ing
        • … limited only by imagination
    • 22. P2. XSS – Intro
      • Reflective XSS Demo
      • Stored XSS Demo
    • 23. P2. XSS – Mitigation
      • Proper encoding can avoid most problems
      • Input Encoding
        • prefer UTF-8 and ISO-8859-1
        • see http://ha.ckers.org/charsets.html
      • Output Encoding
        • avoid rich HTML input from the user
        • decimal-encode output – htmlspecialchars(), htmlentities()
        • see OWASP_Encoding_Project
      • Use HTMLPurifier to allow whitelisted HTML
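Output encoding as the slide describes it, as an added example that is not from the slides: a reflected value echoed raw next to the same value escaped with `htmlspecialchars()` for the HTML context it lands in, plus the input-side charset check that goes with "prefer UTF-8". The helper names (`e`, `greetSafe`, `searchBox`) and the sample payloads are my own.

```php
<?php
declare(strict_types=1);

// Escape for HTML text and attribute values. ENT_QUOTES covers both quote
// characters, so the result is safe inside single- or double-quoted
// attributes; the explicit 'UTF-8' pins the charset instead of relying on
// the default_charset ini setting.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input-side charset check: reject byte sequences that are not valid UTF-8
// before any filter sees them. Malformed or overlong sequences are a classic
// way to slip characters past a filter (the ha.ckers.org charset page the
// slide cites catalogues these).
function isUtf8(string $s): bool
{
    return mb_check_encoding($s, 'UTF-8');
}

// VULNERABLE: user input reflected into the page unchanged.
function greetUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// MITIGATED: escaped at the point of output.
function greetSafe(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>';
}

// An attribute value needs the same escaping AND a quoted attribute; without
// the quotes a space in the input would start a new attribute.
function searchBox(string $q): string
{
    return '<input type="text" name="q" value="' . e($q) . '">';
}

$payload = '<script>alert(1)</script>';   // constructed sample input

echo greetUnsafe($payload), "\n";
// <p>Hello, <script>alert(1)</script></p>   -> the browser runs it

echo greetSafe($payload), "\n";
// <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>   -> rendered as text

echo searchBox('" onmouseover="alert(1)'), "\n";
// <input type="text" name="q" value="&quot; onmouseover=&quot;alert(1)">

var_dump(isUtf8("\xC0\xAF"));   // bool(false): overlong encoding of '/' rejected
```

`htmlspecialchars()` is the right tool for HTML text and attribute contexts only; a value placed inside a `<script>` block, a URL, or a CSS property needs the encoder for that context, which is what the OWASP Encoding Project the slide points to provides. Where the application genuinely has to accept rich HTML, a whitelisting parser such as HTMLPurifier replaces escaping, as the last bullet says.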
    • 24. CSRF – Intro
      • Also called Unauthorized Requests.
      • The server is punished / exploited for trusting the user.
      • CSRF is, arguably, more dangerous than XSS.
      • Doesn’t necessarily require JavaScript.
      • OWASP Top 10 2007 #5 (also called the Sleeping Giant)
    • 25. CSRF – Intro
      • GET-CSRF Demo
      • POST-CSRF Demo
    • 26. CSRF – Mitigation
      • Identify the points to protect; not all are equally important
      • Use nonces – one-time tokens
      • Embed nonces in URLs or forms
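The nonce scheme from this slide, as an added example that is not from the slides: a random token stored server-side in the session, embedded in a form field and in a state-changing URL, checked on the request, and discarded after use so it is one-time. The `$session` array stands in for `$_SESSION` so the script runs from the CLI; the form, URL and request arrays are constructed samples.

```php
<?php
declare(strict_types=1);

// Create the nonce once and keep it server-side. random_bytes() is a CSPRNG;
// 32 bytes is far beyond what an attacker could guess.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Embed the nonce in a form (POST-CSRF protection).
function renderTransferForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="amount">'
         . '<button type="submit">Send</button></form>';
}

// Embed the nonce in a URL (GET-CSRF protection for links that change state).
function deleteUrl(array &$session, int $id): string
{
    return '/delete?id=' . $id . '&csrf_token=' . rawurlencode(csrfToken($session));
}

// Check the request. hash_equals() compares in constant time, so the token
// cannot be recovered byte by byte through timing differences.
function csrfTokenValid(array $session, array $request): bool
{
    if (!isset($session['csrf_token'], $request['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $request['csrf_token']);
}

// Make it one-time: drop the nonce after a successful check.
function consumeToken(array &$session): void
{
    unset($session['csrf_token']);
}

$session = [];   // stands in for $_SESSION

echo renderTransferForm($session), "\n";
echo deleteUrl($session, 42), "\n";

// A request from the real form carries the token; a cross-site forgery
// cannot read the victim's session and so cannot include it.
$legit  = ['csrf_token' => $session['csrf_token'], 'amount' => '10'];
$forged = ['amount' => '10'];

var_dump(csrfTokenValid($session, $legit));    // bool(true)
var_dump(csrfTokenValid($session, $forged));   // bool(false): reject with 403, do nothing

consumeToken($session);
var_dump(csrfTokenValid($session, $legit));    // bool(false): replay of a used token rejected
```

The token only protects a request if the handler refuses to act when the check fails, and it only stays secret if the page that embeds it is free of XSS, which is why the slide ranks CSRF alongside the XSS mitigation rather than as a substitute for it. One-time tokens break multi-tab use of the same form; a per-session token is the common compromise for low-value actions.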
    • 27. Purification algo
      • Sanitize anything that comes from the user.
      • The order of purification is equally important
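The ordering point of this slide, as an added example that is not from the slides: the same input run through escape-then-decode (wrong order) and through decode, validate, then escape (right order). It assumes the raw value arrives still percent-encoded, as a path segment or header value would; `$_GET` and `$_POST` are already decoded by PHP, so the decode step must run exactly once. The function names and sample inputs are my own.

```php
<?php
declare(strict_types=1);

// WRONG ORDER: escape first, decode afterwards. htmlspecialchars() never
// sees '<' or '>' because they are still percent-encoded, and the later
// decode step re-creates them in the output.
function purifyWrongOrder(string $raw): string
{
    $escaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return rawurldecode($escaped);
}

// RIGHT ORDER:
//   1. canonicalize: decode once and reject invalid byte sequences
//   2. validate the canonical form against a whitelist
//   3. escape last, for the context the value is about to be written into
function purify(string $raw, string $pattern): ?string
{
    $decoded = rawurldecode($raw);                            // 1. one decode, no more
    if (!mb_check_encoding($decoded, 'UTF-8')) {
        return null;                                          //    bad charset: reject
    }
    if (preg_match($pattern, $decoded) !== 1) {
        return null;                                          // 2. whitelist on real data
    }
    return htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8');   // 3. escape for HTML output
}

$sample = '%3Cscript%3E';   // constructed sample: "<script>" percent-encoded

echo purifyWrongOrder($sample), "\n";
// <script>   -> the escape step was bypassed by the later decode

var_dump(purify($sample, '/^[A-Za-z0-9 ]{1,40}$/'));
// NULL       -> rejected by the whitelist once it is in canonical form

echo purify('Tom%20%26%20Jerry', '/^[A-Za-z0-9 &]{1,40}$/'), "\n";
// Tom &amp; Jerry   -> accepted, then escaped exactly once at output
```

The general rule the example encodes: every transformation that can create characters (decoding, charset conversion, normalization) runs before validation, and the encoding for the output context runs after it, once. Validating an encoded form, or decoding an escaped one, is the bug in both directions.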
    • 28. About Satyam
      • PHP
        • Satyam’s PHP Unit is actively involved in consulting and developing PHP Based Web Applications
        • Also competent in smooth migration from existing infrastructure to PHP based solutions
        • A well defined stack of tools, e.g. PHPUnit, Phing, Propel, Xinc, etc., being used by developers for streamlined development
      • OpenSocial
        • Early adopters of OpenSocial
        • Dedicated team of Java & PHP developers working on OpenSocial
        • Currently helping a Social Network with a 10 million registered user base become OpenSocial compliant
    • 29.
      • String.fromCharCode(84,104,97,110,107,32,89,111,117,33)
      • i.e., Thank You!
    • 30. Thank You
      • Got Queries? Kindly raise your hands.
