OWASP PHP Top 5 plus CSRF Bipin Upadhyay , Satyam Computers http://projectbee.org/

The first matrix I designed was quite naturally, perfect . It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure .

The first matrix I designed was quite

naturally, perfect . It was a work of art.

Flawless. Sublime. A triumph only equaled by

its monumental failure .

Agenda Introduction AppSecurity Why? OWASP OWASP PHP Top 5 The Boring 3 The Exciting 2 CSRF

Introduction

AppSecurity

Why?

OWASP

OWASP PHP Top 5

The Boring 3

The Exciting 2

CSRF

Agenda Introduction AppSecurity Why? OWASP OWASP PHP Top 5 The Boring 3 The Exciting 2 CSRF

Introduction

AppSecurity

Why?

OWASP

OWASP PHP Top 5

The Boring 3

The Exciting 2

CSRF

Who Am I? I am SpiderMan Apart from that, I: Work for Satyam Computers, work as PHP Lead, currently working on OpenSocial, also work on App Sec, and am also a part of OWASP Bangalore Chapter. I can be pinged @: Om-[AT]-Projectbee-[Dot]-org , & http:// projectbee.org/

I am SpiderMan

Apart from that, I:

Work for Satyam Computers,

work as PHP Lead,

currently working on OpenSocial,

also work on App Sec, and

am also a part of OWASP Bangalore Chapter.

I can be pinged @:

Om-[AT]-Projectbee-[Dot]-org , &

http:// projectbee.org/

Agenda Introduction AppSecurity Why? OWASP OWASP PHP Top 5 – Intro & Mitigation The Boring 3 The Exciting 2 CSRF

Introduction

AppSecurity

Why?

OWASP

OWASP PHP Top 5 – Intro & Mitigation

The Boring 3

The Exciting 2

CSRF

Network Sec. versus App Sec. Ports Firewall/IDS/IPS 80 443 0 65535 Web Server Attacker

Network Sec. versus App Sec… Ports Firewall/NATed IP 0 65535 Malicious OR Compromised Web Server Victim

How serious is the matter! 90% of web applications have serious vulnerabilities – Gartner Group 78% of attacks are at the web application level – Symantec XSS and SQLI replacing buffer overflows as the favourite hacker initiative – Mitre Every 8-9/10 sites vulnerable to XSS – WASC

90% of web applications have serious vulnerabilities – Gartner Group

78% of attacks are at the web application level – Symantec

XSS and SQLI replacing buffer overflows as the favourite hacker initiative – Mitre

Every 8-9/10 sites vulnerable to XSS – WASC

Scary Cracks Credit Cards & Google Google.com UTF-7 XSS Vulnerability Yamanner “ Samy is my Hero” OR Samy Worm GMail CSRF Vulnerability

Credit Cards & Google

Google.com UTF-7 XSS Vulnerability

Yamanner

“ Samy is my Hero” OR Samy Worm

GMail CSRF Vulnerability

OWASP A free and open community focused on improving App Security Guides, tools, etc. freely available for use OWASP PHP TOP 5 is a list of top 5 PHP vulnerabilities YOU can start your own project and/or contribute too

A free and open community focused on improving App Security

Guides, tools, etc. freely available for use

OWASP PHP TOP 5 is a list of top 5 PHP vulnerabilities

YOU can start your own project and/or contribute too

Agenda Introduction AppSecurity Why? OWASP OWASP PHP Top 5 – Intro & Mitigation The Boring 3 The Exciting 2 CSRF

Introduction

AppSecurity

Why?

OWASP

OWASP PHP Top 5 – Intro & Mitigation

The Boring 3

The Exciting 2

CSRF

OWASP Top 5 The Boring Trio  P1. Remote Code Execution P4. PHP Configurations P5. File System Attacks The Exciting Duo  P3. SQL Injection Attacks P2. XSS (Cross Site Scripting)

The Boring Trio 

P1. Remote Code Execution

P4. PHP Configurations

P5. File System Attacks

The Exciting Duo 

P3. SQL Injection Attacks

P2. XSS (Cross Site Scripting)

OWASP Top 5 The Boring Trio  P1. Remote Code Execution P4. PHP Configurations P5. File System Attacks Arguably, a little outdated They don’t excite me enough to talk here  Read yourself :D

The Boring Trio 

P1. Remote Code Execution

P4. PHP Configurations

P5. File System Attacks

Arguably, a little outdated

They don’t excite me enough to talk here 

Read yourself :D

OWASP Top 5 The Exciting Duo  P3. SQL Injection Attacks P2. XSS (Cross Site Scripting) Injection Attacks also regarded as A2 in OWASP Top 10 XSS stands A1 in OWASP Top 10 The femme-fatale attacks 

The Exciting Duo 

P3. SQL Injection Attacks

P2. XSS (Cross Site Scripting)

Injection Attacks also regarded as A2 in OWASP Top 10

XSS stands A1 in OWASP Top 10

The femme-fatale attacks 

P3. SQL Injections – Intro Unsanitized data entering databases, can be executed as an SQL query

Unsanitized data entering databases, can be executed as an SQL query

P3. SQL Injections – Intro Unsanitized data entering databases, can be executed as an SQL query Source: http://xkcd.com

Unsanitized data entering databases, can be executed as an SQL query

P3. SQL Injections – Intro Demo

Demo

P3. SQL Injections – Mitigation Validate data; prefer whitelisting Use PDO , if possible; OR Use parameterized queries – MySqli or PEAR packages; OR Use mysql_real_escape_string Turn OFF magic_quotes_gpc

Validate data; prefer whitelisting

Use PDO , if possible; OR

Use parameterized queries – MySqli or PEAR packages; OR

Use mysql_real_escape_string

Turn OFF magic_quotes_gpc

P2. XSS – Intro OWASP Top - 10 2007 #1 Any type of user input that is reflected back to the user without being purified . Input can be HTML, CSS, or Javascript Three kinds – Reflective, Persistent, & DOM Based XSS

OWASP Top - 10 2007 #1

Any type of user input that is reflected back to the user without being purified .

Input can be HTML, CSS, or Javascript

Three kinds – Reflective, Persistent, & DOM Based XSS

P2. XSS – Intro XSS attacks include, but not limited to: Cookie Theft & Session Hijacking Site Defacement & Phishing Key logging History Theft Port Scanning CSRF & Web Worms DoS-ing … limited only by imagination

XSS attacks include, but not limited to:

Cookie Theft & Session Hijacking

Site Defacement & Phishing

Key logging

History Theft

Port Scanning

CSRF & Web Worms

DoS-ing

… limited only by imagination

P2. XSS – Intro Reflective XSS Demo Stored XSS Demo

Reflective XSS Demo

Stored XSS Demo

P2. XSS – Mitigation Proper encoding can avoid most problems Input Encoding prefer UTF-8 and ISO-8859-1 refer http://ha.ckers.org/charsets.html Output Encoding avoid rich html input from user decimal encode input – htmlspecialchars() , htmlentities() refer OWASP_Encoding_Project Use HTMLPurifier to allow white listed HTML

Proper encoding can avoid most problems

Input Encoding

prefer UTF-8 and ISO-8859-1

refer http://ha.ckers.org/charsets.html

Output Encoding

avoid rich html input from user

decimal encode input – htmlspecialchars() , htmlentities()

refer OWASP_Encoding_Project

Use HTMLPurifier to allow white listed HTML

CSRF – Intro Also called Unauthorized Requests. The server is punished / exploited for trusting the user. CSRF is, arguably, more dangerous than XSS. Doesn’t necessarily require javascript. OWASP Top - 10 2007 #5, (also called the Sleeping Giant )

Also called Unauthorized Requests.

The server is punished / exploited for trusting the user.

CSRF is, arguably, more dangerous than XSS.

Doesn’t necessarily require javascript.

OWASP Top - 10 2007 #5, (also called the Sleeping Giant )

CSRF – Intro GET-CSRF Demo POST-CSRF Demo

GET-CSRF Demo

POST-CSRF Demo

CSRF – Mitigation Identify points to protect; not all are equally important Use nonces – one time tokens Embed nonces in URL, or forms

Identify points to protect; not all are equally important

Use nonces – one time tokens

Embed nonces in URL, or forms

Purification algo Sanitize anything that comes from the user. Order of purification is equally important

Sanitize anything that comes from the user.

Order of purification is equally important

About Satyam PHP Satyam’s PHP Unit is actively involved in consulting and developing PHP Based Web Applications Also competent in smooth migration from existing infrastructure to PHP based solutions A well defined stack of tools, e.g. PHPUnit, Phing, Propel, Xinc, etc., being used by developers for streamlined development OpenSocial Early adopters of OpenSocial Dedicated t eam of Java & PHP developers working on OpenSocial Currently helping a Social Network, with 10 million registered user base, become OpenSocial complaint

PHP

Satyam’s PHP Unit is actively involved in consulting and developing PHP Based Web Applications

Also competent in smooth migration from existing infrastructure to PHP based solutions

A well defined stack of tools, e.g. PHPUnit, Phing, Propel, Xinc, etc., being used by developers for streamlined development

OpenSocial

Early adopters of OpenSocial

Dedicated t eam of Java & PHP developers working on OpenSocial

Currently helping a Social Network, with 10 million registered user base, become OpenSocial complaint

String.fromCharCode(84,104,97,110,107,32,89,111,117,33) i.e., Thank You! 

String.fromCharCode(84,104,97,110,107,32,89,111,117,33)

i.e., Thank You! 

Thank You  Got Queries? Kindly raise your hands.

Got Queries? Kindly raise your hands.