Scared Straight: Mitigating OWASP Top 10 with PHP

SCARED STRAIGHT MITIGATING OWASP TOP 10 WITH PHP

DISCLAIMER

DISCLAIMER• I am NOT a “security expert"

DISCLAIMER• I am NOT a “security expert"• But I know a little about web security

DISCLAIMER• I am NOT a “security expert"• But I know a little about web security• Taken SANS DEV422: Defending Web Application Security Essentials

DISCLAIMER• I am NOT a “security expert"• But I know a little about web security• Taken SANS DEV422: Defending Web Application Security Essentials• I don’t know everything

ASSUMPTIONS

ASSUMPTIONS• This is an introduction-level talk

ASSUMPTIONS• This is an introduction-level talk• You know enough PHP to be dangerous

ASSUMPTIONS• This is an introduction-level talk• You know enough PHP to be dangerous• You’ve heard of some security vulns

ASSUMPTIONS• This is an introduction-level talk• You know enough PHP to be dangerous• You’ve heard of some security vulns• Again, I don’t know everything

TALK STRUCTURE

TALK STRUCTURE• What is the risk?

TALK STRUCTURE• What is the risk?• Typical Impact

TALK STRUCTURE• What is the risk?• Typical Impact• How is it exploited?

TALK STRUCTURE• What is the risk?• Typical Impact• How is it exploited?• How to prevent it when using PHP?

OWASP http://www.owasp.org

OpenWebApplicationSecurityProject

OWASP• Non-proﬁt focused on improving security of application software• Focused on awareness of risks and education on mitigating those risks• Kansas City chapter meets every other month • Next meeting: Thursday, February 10, 2011 at Johnson County Community College • Free! No registration required, but RSVPs appreciated

http://www.owasp.org

OWASP Top 10 (2010) Source: Dave Wichers OWASP Top 10 Presentation

INJECTION

INJECTION SI T? I Tricking an application into unintended HATW commands in the data sent to an interpreter -Interpreter--- -Injection--- Database SQL Injection Shell Command Injection File System File Injection/Inclusion PHP PHP Injection

CT INJECTION PA IM IC AL Technical Impact: SEVERET YP Entire database read or modified Access files on the filesystem Uses a programs elevated privileges to carry out unauthorized execution

LO I TE D? INJECTION P T EX I SIHOW Source: Dave Wichers OWASP Top 10 Presentation

T I T? INJECTION EN R EV P TOHOW

T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL

T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts

T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts

T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors

T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution

T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution Firewall web-facing machine

T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution Firewall web-facing machine Close unused ports and services

T I T? INJECTION EN R EV P TO OW SYSTEM LEVELKU ITH D Limit access rights of your application accounts OES T OS user and database accounts HIS F OR YO Limit attack vectors Sandbox execution Firewall web-facing machine Close unused ports and services U

T I T? INJECTION EN R EV P TOHOW APPLICATION LEVEL “Filter Input, Escape Output” Examples: HTML SQL / DATABASE

T I T? INJECTION EN R EV P TOHOW HTML Injection

T I T? INJECTION EN R EV P TO SQL Injection - Prepared StatementsHOW

T I T? INJECTION EN R EV P TOHOW SQL Injection Source: http://xkcd.com/327/

CROSS SITE SCRIPTING (XSS)

CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser

CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit

CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code

CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit

CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit Saved in the ﬁle itself or more commonly in a database

CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit Saved in the ﬁle itself or more commonly in a database Delivered to all visitors just by visiting the page

CROSS SITE SCRIPTING (XSS) CT PA IM Technical Impact: AL MODERATE ICT YP

CROSS SITE SCRIPTING (XSS) CT PA IM Technical Impact: AL MODERATE ICT YP Steal stored browser data... Session IDs & cookies Account numbers Usernames Deface website Redirect user to phishing or malware site

CROSS SITE SCRIPTING (XSS) LO I TE D? EXP SI T IHOW Source: Dave Wichers OWASP Top 10 Presentation

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TOHOW “Filter Input, Escape Output” Validate / Sanitize user input Escape user input sent to a Database or the Browser

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TOHOW

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter InputHOW

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter InputHOW Use PHP ﬁlter_* methods

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter InputHOW Use PHP ﬁlter_* methods http://www.php.net/manual/en/ref.ﬁlter.php

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW htmlentities() ???

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW htmlentities() ??? MEH

CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW http://htmlpuriﬁer.org/

BROKEN AUTHENTICATIONAND SESSION MANAGEMENT

BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented

BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless”

BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless” HTTP sends credentials with every request

BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID

BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID Attack is possible when attacker gets a valid Session ID

BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID Attack is possible when attacker gets a valid Session ID Remember Firesheep?

BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP

BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP An attacker might be able to...

BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP An attacker might be able to... Login without a valid password

BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP An attacker might be able to... Login without a valid password Change another user’s personal info

BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP An attacker might be able to... Login without a valid password Change another user’s personal info Assume another user’s identity by just clicking a link

BROKEN AUTHENTICATION D? AND I TE SESSION MANAGEMENT P LO T EX I SIHOW Source: Dave Wichers OWASP Top 10 Presentation

BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TOHOW Rely on strong authentication and session management controls Integrate Shibboleth into your application

BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TOHOW Proper Session Storage Default conﬁg stores sessions in a global temp directory

BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TOHOW Proper Session Regeneration Always run session_regenerate_id() after an escalation in authentication/authorization

BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO Proper Session cookie handlingHOW Only allow session cookies over secure connections Only allow session cookies over HTTP (not JavaScript) Only allow session IDs in cookies (not in the URL)

BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO Use HTTPSHOW NEVER deliver unencrypted network trafﬁc when in HTTPS http://test.ku.edu/page2.php ==> http://webmedia.ku.edu/jquery.js https://test.ku.edu/page2.php ==> https://webmedia.ku.edu/jquery.js

INSECURE DIGITAL OBJECT REFERENCES

INSECURE DIGITAL OBJECT REFERENCES SI T? I HAT Users without proper credentials W can view secure data Do any users have only partial access to certain types of system data?

INSECURE DIGITAL OBJECT REFERENCES T PAC IM Technical Impact: AL MODERATE ICT YP

INSECURE DIGITAL OBJECT REFERENCES T PAC IM Technical Impact: AL MODERATE ICT YP Depends on the value of the secure data Flaws can compromise all data referenced by an insecure object

INSECURE DIGITAL OBJECT REFERENCES I TE D? P LO T EX I SIHOW User clicks link “My Account” User accesses “My Account” page at URL: http://mybank.com/account/2055 User increments parameter in the URL: http://mybank.com/account/2056 User is granted access

INSECUREIT? T DIGITAL OBJECT REFERENCES EN R EV Use Array Map to P Obfuscate URL Parameters TOHOW

INSECUREIT? T DIGITAL OBJECT REFERENCES EN EV Use switch() to test for valid values P R TOHOW

CROSS SITE REQUEST FORGERY (CSRF)

CROSS SITE REQUEST FORGERY (CSRF) SI T? I HAT Victims browser is tricked into issuing aW command to a vulnerable web application

CROSS SITE REQUEST FORGERY (CSRF) SI T? I HAT Victims browser is tricked into issuing aW command to a vulnerable web application HTTP is “stateless” - Credentials are included with every request If the user visits another website while still authenticated... Any request back to the application is considered authentic

CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE ICT YP

CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE ICT YP What if a hacker could steer your mouse and get you to click on links in your online banking application?

CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE ICT YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do?

CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE ICT YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions?

CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE ICT YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions? Close Accounts?

CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE ICT YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions? Close Accounts? Change Password?

CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SIHOW A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET http://mydomain.com/ﬁle.php?action=delete&id=12345

CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SIHOW Destructive actions are executed with minimal or no veriﬁcation of the origin of the request HTTP POST => http://mydomain.com/ﬁle.php?action=delete

CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SIHOW Destructive actions are executed with minimal or no verification of the origin of the request HTTP POST => http://mydomain.com/file.php?action=delete Only marginally more difficult to forge a POST

CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TOHOW A few easy ways...

CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TOHOW A few easy ways... Invalidate user sessions quickly

CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TOHOW A few easy ways... Invalidate user sessions quickly Encourage users to logout (they don’t)

CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TOHOW A few easy ways... Invalidate user sessions quickly Encourage users to logout (they don’t) Don’t implement “Remember Me” features

CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TOHOW Implement a CSRF Token Add a secret, not automatically submitted, token to ALL sensitive requests Verify token exists and matches the expected value before executing the request

CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TOHOW Implement a CSRF Token Generate token and store in users session Source: http://shiﬂett.org/articles/cross-site-request-forgeries

CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TOHOW Implement a CSRF Token Use token in POST form Source: http://shiﬂett.org/articles/cross-site-request-forgeries

CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TOHOW Implement a CSRF Token Validate when POST received Source: http://shiﬂett.org/articles/cross-site-request-forgeries

SECURITY MISCONFIGURATION

SECURITY MISCONFIGURATION SI T? I HAT Running web applications on a secure foundationW

SECURITY MISCONFIGURATION SI T? I HAT Running web applications on a secure foundationW From the Operating System up through Apache All PHP extensions All installed libraries on the server

SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE ICT YP

SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE ICT YP Install backdoor through missing security patch

SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE ICT YP Install backdoor through missing security patch Install malware on the server

SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE ICT YP Install backdoor through missing security patch Install malware on the server “Root” the server

SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE ICT YP Install backdoor through missing security patch Install malware on the server “Root” the server All your data is stolen

SECURITY MISCONFIGURATION I TE D? P LO T EX I SIHOW Source: Dave Wichers OWASP Top 10 Presentation

SECURITY MISCONFIGURATION T I T? EN R EV P TOHOW

SECURITY MISCONFIGURATION T I T? EN R EV P TOHOW SYSTEM LEVEL Update to latest application versions Install security patches Monitor vulnerabilities list

SECURITY MISCONFIGURATION T I T? EN R EV P TO OWKU ITH D SYSTEM LEVEL OES T HIS F Update to latest application versions Install security patches OR YO Monitor vulnerabilities list U

SECURITY MISCONFIGURATION T I T? EN R EV P TOHOW APPLICATION LEVEL Use latest available version of PHP Update third-party software when available Monitor mailing lists

INSECURE CRYPTOGRAPHIC STORAGE

INSECURE CRYPTOGRAPHIC STORAGE SI T? I Incorrectly storing and transmitting HATW conﬁdential data

INSECURE CRYPTOGRAPHIC STORAGE SI T? I Incorrectly storing and transmitting HATW confidential data Database data Log files Backup files Password files

INSECURE CRYPTOGRAPHIC STORAGE SI T? I HAT What is considered secure data at KU?W Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm

INSECURE CRYPTOGRAPHIC STORAGE SI T? I HAT What is considered secure data at KU?W Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above THIS LIST IS NOT ALL INCLUSIVE Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm

INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Technical Impact:T YPSEVERE

INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Technical Impact:T YPSEVERE Attacker accesses or modiﬁes conﬁdential data Intellectual property stolen You or KU might get sued Makes the company look bad in the press

INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Business Impacts:T YPSEVERE High risk of... signiﬁcant ﬁnancial loss legal liability public distrust harm ...if this data is disclosed

INSECURE CRYPTOGRAPHIC STORAGE I TE D? P LO T EX I SIHOW Source: Dave Wichers OWASP Top 10 Presentation

INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TOHOW

INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TOHOW Identify all sensitive data and all places it is stored

INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TOHOW Identify all sensitive data and all places it is stored Don’t store private data in public_html

INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TOHOW Identify all sensitive data and all places it is stored Don’t store private data in public_html Don’t invent your own encryption algorithm

INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TOHOW Identify all sensitive data and all places it is stored Don’t store private data in public_html Don’t invent your own encryption algorithm Don’t transmit conﬁdential data over unencrypted means

FAILURE TO RESTRICT URL ACCESS

FAILURE TO RESTRICT URL ACCESS SI T? I HAT Unauthorized users can view private pagesW Public users could access your admin functionality

FAILURE TO RESTRICT URL ACCESS T PAC IM Technical Impact: AL MODERATE ICT YP

FAILURE TO RESTRICT URL ACCESS T PAC IM Technical Impact: AL MODERATE ICT YP Attackers invoke functions and services they’re not authorized for Access other user’s accounts and data Perform privileged actions

FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SIHOW User accesses URL http://mydomain.com/user/profile User changes role of URL http://mydomain.com/manager/profile http://mydomain.com/admin/profile

FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SIHOW Presentation Layer Access Control

FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SIHOW Presentation Layer Access Control DOESN’T WORK

FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SIHOW Unlinked URLs http://mydomain.com/you/will/never/ﬁnd/this/index.html

FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SIHOW Unlinked URLs http://mydomain.com/you/will/never/ﬁnd/this/index.html DOESN’T WORK

FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every pageHOW

FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every pageHOW Disallow requests to unauthorized page types http://mydomain.com/uploads

FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every pageHOW Disallow requests to unauthorized page types http://mydomain.com/uploads Test it!

INSUFFICIENT TRANSPORT LAYER PROTECTION

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I HAT W

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W unencrypted protocols

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W unencrypted protocols Failure to identify all sensitive data

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between:

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases Colleagues

INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending conﬁdential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases Colleagues Internal Communications

INSUFFICIENT TRANSPORT LAYER PROTECTION CT PA IM Technical Impact: AL MODERATE ICT YP

INSUFFICIENT TRANSPORT LAYER PROTECTION CT PA IM Technical Impact: AL MODERATE ICT YP Expose users’ conﬁdential data Account theft

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Does your application... Use conﬁdential data?

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED OI PL T EX I SI What is considered secure data at KU?HOW Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Does your application...

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Does your application... Use conﬁdential data?

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Does your application... Use conﬁdential data? Send it over email?

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Does your application... Use conﬁdential data? Send it over email? Send it to a database?

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Does your application... Use conﬁdential data? Send it over email? Send it to a database? Use HTTPS for ALL authentication requests?

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Do you...

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Do you... Have encrypted email setup between colleagues?

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Do you... Have encrypted email setup between colleagues? Use encrypted IM chat between colleagues?

INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SIHOW Do you... Have encrypted email setup between colleagues? Use encrypted IM chat between colleagues? Store your account passwords in a password safe?

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Don’t use KU Email Form to send conﬁdential data

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Don’t use KU Email Form to send conﬁdential data 1. Build a web form that stores it in a secure database

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Don’t use KU Email Form to send conﬁdential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Don’t use KU Email Form to send conﬁdential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info 3. Only allow speciﬁc users to access it using Shibboleth

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Use secure protocols to transmit and store data

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Use secure protocols to transmit and store data Ever try to FTP to www2.ku.edu without SFTP?

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Use secure protocols to transmit and store data Ever try to FTP to www2.ku.edu without SFTP? Store conﬁdential data in our secure Oracle database

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Require HTTPS on all secure pages

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Setup email encryption between colleagues http://www.technology.ku.edu/ca/install/

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW Setup Off-The-Record chat encryption http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html

INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TOHOW KeePass Windows: http://keepass.info/ Mac: http://www.keepassx.org/ Free & Open-Source

UNVALIDATED REDIRECTS AND FORWARDS

UNVALIDATED REDIRECTS AND FORWARDS SI T? I HATW URL Redirects built by the web application can be exploited if unvalidated Appears as a valid URL but contains a payload Internal redirects are common External redirects are becoming more common

UNVALIDATED REDIRECTS AND FORWARDS CT PA IM Technical Impact: AL MODERATE ICT YP Install malware Phishing site Bypass authorization controls

UNVALIDATED REDIRECTS AND FORWARDS TE D? I P LO T EX I SIHOW Source: Dave Wichers OWASP Top 10 Presentation

UNVALIDATED REDIRECTS AND FORWARDS I T? T EN R EV P TOHOW Avoid using redirects and forwards as much as possible If used, don’t use user-input parameters If using user-input... Use Array Map to Whitelist URL Parameters

UNVALIDATED REDIRECTS AND FORWARDS I T? T EN R EV Use Array Map to P Whitelist URL Parameters TOHOW

Questions?

My Challenge to you Read the OWASP Wiki http://www.owasp.org Review your code http://www.owasp.org/index.php/Code_Review_Guidehttp://www.owasp.org/index.php/OWASP_Testing_Project

SourcesOWASP Sources:- OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS>- OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet>- OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide>- OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project>- OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx>- OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>Links:- Setting up encrypted email at KU. http://www.technology.ku.edu/ca/install/- Introduction to Encrypted Internet Chat. http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.htmlSoftware:- HTMLPurifier <http://htmlpurifier.org/>- KeePass <http://keepass.info/>- KeePassX <http://www.keepassx.org/>- WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>Photos:http://www.flickr.com/photos/mrbenn/2337943659/http://www.flickr.com/photos/12836528@N00/4294660659/ John Kary | johnkary@ku.eduhttp://xkcd.com/327/ Web Development & Interface Design University of Kansas, Information Technology January 2011 KU Web Developers Meeting

Scared Straight: Mitigating OWASP Top 10 with PHP

by John Kary

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 4

Statistics