OWASP Top 10 2013
A talk given at PHP Conference Argentina in 2013.

  1. AVOIDING THE OWASP Top 10 security exploits. Saturday, 5 October, 13
  2. ME. Illustrator turned developer. PHP developer for 8 years. Architect/Developer at FreshBooks. Lead developer of CakePHP.
  3. SECURITY
  4. SECURITY CONTINUUM: unusable <------> unrestricted. Every choice sits somewhere between the two ends.
  5. OWASP: Open Web Application Security Project
  6. OWASP TOP 10
  7. 1. INJECTION: ' OR 1=1 '--
  8. RISKS. Command injection permits arbitrary shell commands. SQL injection permits query manipulation and arbitrary SQL. Either way, bad guys can run arbitrary code or queries on your server.
  9. SQL INJECTION EXAMPLE (vulnerable: user input is interpolated straight into the query string)
     $username = $_POST['username'];
     $password = $_POST['password'];
     $query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
     $user = $db->query($query);
  10. USER INPUT
     $username = "root";
     $password = "' OR 1 = 1 --";
  11. FINAL QUERY. The attacker's leading quote closes the password literal, OR 1 = 1 makes the WHERE clause true for every row, and -- comments out the closing quote the code appended, so the password check is bypassed and root is logged in:
     $query = "SELECT * FROM user WHERE username = 'root' AND password = '' OR 1 = 1 --'";
  13. PREVENTION. Use an ORM or database abstraction layer that handles escaping or parameter binding for you; Doctrine, ZendTable and CakePHP all do this. Use PDO with prepared statements. Never interpolate user data into a query. Never rely on regular expressions, magic quotes or addslashes() as your defence: all of them can be bypassed (addslashes() is not even aware of the connection's character set).
  14. EXAMPLE (PDO). Placeholders are bound by position, and the statement, not the connection, is executed. Note that comparing the password inside the query still implies plaintext password storage; in practice fetch the row by username and check a hash with password_verify().
     $query = "SELECT * FROM user WHERE username = ? AND password = ?";
     $stmt = $db->prepare($query);
     $stmt->bindValue(1, $username);
     $stmt->bindValue(2, $password);
     $stmt->execute();
     $user = $stmt->fetch();
  15. COMMAND INJECTION. (That is the deck's label; the example is really path traversal / local file disclosure rather than shell command injection, but the input-handling lesson is the same.) Vulnerable: the file name comes straight from the request.
     $file = $_POST['file'];
     $res = file_get_contents($file);
     echo $res;
  16. USER INPUT
     $file = "../../../../../../etc/passwd";
  17. PREVENTION. Validate input against what you expect rather than only blacklisting characters: checking for .. or ; catches the obvious payloads but not encodings or stream wrappers (file_get_contents() also accepts php:// and, with allow_url_fopen enabled, http:// URLs). Resolve the path with realpath() and ensure it points to a file inside the directory you intend to serve.
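The realpath() check the slide recommends, written out as an added example (this is not code from the deck or from CakePHP). BASE_DIR and the helper name are this example's own choices; the hostile input is the deck's. The function first insists on a plain file name, which also rejects stream wrappers and absolute paths, and then confirms that the canonical path is still under the base directory, which catches symlinks pointing outside it.

```php
<?php
// Added example, not from the slides: serving a user-selected file without path traversal.
// BASE_DIR and the helper name are this example's own; the hostile input is the deck's.

const BASE_DIR = '/var/www/app/files';

function readAllowedFile(string $baseDir, string $requested): string
{
    // Canonicalise the base directory so the prefix check below compares real paths.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Base directory does not exist');
    }

    // Positive validation: a plain file name only. This rejects "../" sequences, absolute
    // paths and stream wrappers such as php://filter or http:// before anything is opened.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || basename($requested) !== $requested) {
        throw new InvalidArgumentException('Invalid file name');
    }

    // realpath() collapses any remaining ../ and follows symlinks; false if the file is missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0   // must stay inside $base, symlinks included
        || !is_file($path)) {
        throw new RuntimeException('File not allowed');
    }
    return file_get_contents($path);
}

// The deck's hostile input is rejected before the filesystem is touched.
try {
    echo readAllowedFile(BASE_DIR, '../../../../../../etc/passwd');
} catch (Exception $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The prefix comparison uses $base with a trailing separator so that a sibling directory such as /var/www/app/files-private does not pass as a prefix match.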
  18. 2. BROKEN AUTHENTICATION & SESSION MANAGEMENT: /index.php?PHPSESSID=pwned
  19. RISKS. Identity theft: whoever holds a user's session id is that user. Firesheep (which sniffed session cookies on open Wi-Fi) was an excellent example.
  20. SESSION FIXATION EXAMPLE (vulnerable: the session id is taken from the URL, so an attacker can hand the victim a link carrying an id the attacker already knows, wait for the victim to log in, and then use that same id)
     <?php
     if (isset($_GET['sessionid'])) {
         session_id($_GET['sessionid']);
     }
     session_start();
  22. PREVENTION. Rotate session identifiers on login and logout (session_regenerate_id()). Set the HttpOnly flag on session cookies so script cannot read them. Accept session ids from cookies only, never from the URL. Use well-tested, mature libraries for authentication. SSL is always a good idea: it is what stops Firesheep.
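The prevention list above as a working configuration, added here as an example rather than taken from the deck. The in-memory $users table and the login()/logout() helpers are this example's own; session.use_strict_mode needs PHP 5.5.2 or later, and password_hash() needs PHP 5.5.

```php
<?php
// Added example, not from the slides: session configuration plus rotation on login/logout.
// The in-memory $users table and the helper names are this example's own.

// Take the session id from the cookie only, never from the URL: kills ?PHPSESSID=pwned.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse ids the server never issued (PHP >= 5.5.2); this alone breaks the fixation example.
ini_set('session.use_strict_mode', '1');
// lifetime, path, domain, Secure (HTTPS only), HttpOnly (not readable from JavaScript)
session_set_cookie_params(0, '/', '', true, true);
session_start();

// Constructed user table standing in for a database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Rotate the id: any id the attacker planted or sniffed before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server-side record.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The ini_set() calls must run before session_start(); in production put the same settings in php.ini so no script can forget them.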
  23. 3. XSS: <script>alert('cross site scripting');</script>
  24. RISKS. Lets bad guys run script as the person viewing the page: steal identities, passwords and credit cards, hijack pages, and more.
  25. XSS EXAMPLE (vulnerable: the bio is echoed into the page unencoded)
     <p> <?php echo $user['bio']; ?> </p>
  27. I know, I can use regular expressions!
  28. NO.
  29. PREVENTION. Regular expressions and strip_tags() leave you vulnerable. The only robust solution is output encoding.
  30. EXAMPLE
     <p> <?php echo htmlentities($user['bio'], ENT_QUOTES, 'UTF-8'); ?> </p>
  31. DANGERS. Manually encoding is error prone, and you will make a mistake. A template library like Twig that provides auto-escaping reduces the chances of screwing up. Encoding is dependent on context: HTML text, attribute values, JavaScript, CSS and URLs each need a different encoder, and an HTML encoder does not make data safe inside a <script> block or an unquoted attribute.
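Context-dependent encoding, as an added example that is not part of the deck: one small encoder per output context, applied to the same hostile bio value. The helper names are this example's own; $bio is constructed input. ENT_SUBSTITUTE needs PHP 5.4 and JSON_INVALID_UTF8_SUBSTITUTE needs PHP 7.2.

```php
<?php
// Added example, not from the slides: one encoder per output context. The helper names are
// this example's own and $bio is constructed hostile input.

function eHtml(string $s): string
{
    // HTML text and *quoted* attribute values. ENT_QUOTES escapes both quote characters;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole output into an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function eJs(string $s): string
{
    // A string literal inside <script>. The HEX flags escape < > & ' " as \uXXXX, so a value
    // containing "</script>" cannot close the script element; htmlspecialchars() is wrong here.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

function eUrl(string $s): string
{
    // One query-string value. Never let user data supply the whole URL (javascript: schemes).
    return rawurlencode($s);
}

$bio = "\"><script>alert('cross site scripting');</script><a href=x";
?>
<p><?= eHtml($bio) ?></p>
<input type="text" value="<?= eHtml($bio) ?>">
<a href="/search?q=<?= eUrl($bio) ?>">search</a>
<script>var bio = <?= eJs($bio) ?>;</script>
```

The attribute in the example is quoted on purpose: in an unquoted attribute a space ends the value, and no amount of HTML entity encoding of quotes helps. A template engine with auto-escaping makes the HTML case the default; the JavaScript and URL cases still have to be chosen explicitly.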
  32. 4. INSECURE DIRECT OBJECT REFERENCE
  33. RISKS. Bad guys can access information they shouldn't. Bad guys can modify data they shouldn't.
  34. BROKEN PASSWORD UPDATE (vulnerable: the account being updated is chosen by a hidden field the client controls, so changing 4654 to any other id resets someone else's password)
     <form action="/user/update" method="post">
       <input type="hidden" name="userid" value="4654" />
       <input type="text" name="new_password" />
       <button type="submit">Save</button>
     </form>
  35. PREVENTION. Remember hidden inputs are not really hidden: anyone can change them before submitting. Validate access to all things; don't depend on things being hidden or invisible. If you need to refer to the current user, use session data, not form inputs. Whitelist the properties any form can update.
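The handler for the password-update form done the way the prevention slide describes, as an added example (not the deck's code and not CakePHP's). The field whitelist, the session layout and the returned "what to persist" array are this example's own; persistence itself is left to whatever ORM you use.

```php
<?php
// Added example, not from the slides: handling the deck's password-update form without
// trusting the hidden userid. The field whitelist, the session layout and the returned
// "what to persist" array are this example's own; persistence is left to your ORM.

const UPDATABLE_FIELDS = ['name', 'bio', 'new_password'];   // everything else is dropped

function prepareProfileUpdate(array $post, array $session, array $allowed): array
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('Not logged in');
    }
    // Identity comes from the session, never from the form.
    $userId = (int) $session['user_id'];

    // Mass-assignment guard: keep only whitelisted keys (so userid, role, is_admin ... vanish).
    $changes = array_intersect_key($post, array_flip($allowed));

    if (isset($changes['new_password'])) {
        $changes['password'] = password_hash($changes['new_password'], PASSWORD_DEFAULT);
        unset($changes['new_password']);
    }
    // Apply as UPDATE user SET ... WHERE id = :id, with :id bound to $userId.
    return ['id' => $userId, 'changes' => $changes];
}

// Constructed request: the attacker rewrote the hidden field and added a role.
$post = ['userid' => '4654', 'role' => 'admin', 'new_password' => 'hunter2'];
$update = prepareProfileUpdate($post, ['user_id' => 17], UPDATABLE_FIELDS);
var_dump($update['id'], array_keys($update['changes']));
```

For objects other than the current user (an invoice, an address) the same rule applies with ownership in the query: WHERE id = ? AND owner_id = ?, with owner_id bound to the session user, so a guessed id belonging to someone else simply matches nothing.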
  36. 5. SECURITY MISCONFIGURATION
  37. RISKS. Default settings can be insecure, and are often intended for development, not production. Attackers can use misconfigured software to gain knowledge and access.
  38. PREVENTION. Know the tools you use, and configure them correctly. Keep up to date on vulnerabilities in the tools you use. Remove or disable any services and features you aren't using.
  39. 6. SENSITIVE DATA EXPOSURE: 4012 8888 8888 1881
  40. RISKS. Bad guys get credit cards, personal identification, passwords or health records. Your company could be fined or worse.
  41. ASSESSING RISK. Do you have sensitive data? Is it stored or transmitted in plaintext? Is any old or bad crypto in use (unsalted MD5 or SHA-1 password hashes, for example)? Is SSL missing anywhere? Who can access the sensitive data?
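The password case from the assessment list, as an added example that is not from the deck: store passwords with password_hash() (PHP 5.5) instead of plaintext or unsalted MD5, and migrate legacy records the next time each user logs in, when the plaintext is briefly available. The in-memory $users table and the helper name are this example's own; hash_equals() needs PHP 5.6.

```php
<?php
// Added example, not from the slides: password storage with password_hash() (PHP >= 5.5)
// instead of plaintext or unsalted MD5, including migrating legacy MD5 records on login.
// The in-memory $users table and helper name are this example's own; hash_equals() needs PHP >= 5.6.

function authenticate(array &$users, string $username, string $password): bool
{
    // Do the same amount of work whether or not the user exists, so timing does not reveal usernames.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }

    $stored = &$users[$username];
    if (empty(password_get_info($stored)['algo'])) {
        // Not a password_hash() string: a legacy unsalted MD5 record. Verify it the old way
        // once, then replace it with a proper hash while the plaintext is available.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $stored = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade hashes made with an older algorithm or a lower cost as users log in.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed table: one modern record, one legacy MD5 record.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'bob'   => md5('hunter2'),
];
var_dump(authenticate($users, 'bob', 'hunter2'));        // bob's record is rewritten on success
var_dump(password_get_info($users['bob'])['algoName']);
var_dump(authenticate($users, 'nobody', 'x'));
```

PASSWORD_DEFAULT picks the algorithm PHP currently recommends (bcrypt when the talk was given) and generates the salt itself, which removes the two classic mistakes: a fast hash and no salt.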
  42. 7. MISSING FUNCTION LEVEL ACCESS CONTROL
  43. RISKS. Anyone on the internet can request anything; hiding a link in the UI is not access control. A missing check on the server side means bad guys can do things they shouldn't be able to.
  44. PREVENTION. No simple solutions, sadly: check authorization for every action on the server, in one place if you can. Good automated tests help, because a forgotten check looks exactly like a working page.
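One way to make the check hard to forget, as an added example (not the deck's code and not CakePHP's): a single route-to-roles table consulted by the front controller before any action runs, with default deny for routes that are not listed, plus the kind of automated test the slide recommends. Route names, roles and helper names are this example's own; the nullable type needs PHP 7.1.

```php
<?php
// Added example, not from the slides: one authorization check in the front controller,
// applied to every action before dispatch. Route names and roles are illustrative.

// Every route must appear here; an unlisted route is denied, not silently allowed.
const ROUTE_ROLES = [
    'invoices/index'  => ['user', 'admin'],
    'invoices/delete' => ['admin'],
    'admin/users'     => ['admin'],
    'login'           => ['anonymous', 'user', 'admin'],
];

function isAuthorized(string $route, ?string $role, array $routeRoles): bool
{
    $role = $role ?? 'anonymous';
    if (!isset($routeRoles[$route])) {
        return false;                                   // default deny
    }
    return in_array($role, $routeRoles[$route], true);
}

function dispatch(string $route, array $session): string
{
    if (!isAuthorized($route, $session['role'] ?? null, ROUTE_ROLES)) {
        http_response_code(403);
        return 'Forbidden';
    }
    // ... call the controller action for $route here
    return 'OK: ' . $route;
}

// The automated test the slide recommends: no non-admin role may reach an admin-only action,
// checked across the whole route table rather than page by page.
foreach (ROUTE_ROLES as $route => $roles) {
    if ($roles === ['admin']) {
        assert(!isAuthorized($route, 'user', ROUTE_ROLES));
        assert(!isAuthorized($route, null, ROUTE_ROLES));
    }
}
assert(!isAuthorized('admin/secret-report', 'admin', ROUTE_ROLES));   // unlisted route: denied

echo dispatch('invoices/delete', ['role' => 'user']), PHP_EOL;
echo dispatch('invoices/delete', ['role' => 'admin']), PHP_EOL;
```

This is function-level control only; it says whether a role may call invoices/delete at all, not whether this user may delete this invoice. That second check is the direct object reference problem from Top 10 item 4 and still has to be made inside the action.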
  45. 8. CROSS SITE REQUEST FORGERY (CSRF)
  46. RISKS. Evil websites can perform actions for users logged into your site, because the browser attaches your cookies to every request to your domain, whichever page started it. Side effects on GET can be triggered via images or CSS files. Remember the Gmail contact hack.
  47. CSRF EXAMPLE (your app vs. the evil site). The user logs in to your app; then accidentally visits the evil site; the evil site submits a form to your app for evil, and the browser sends the user's session cookie along with it.
  51. PREVENTION. Add opaque, expiring tokens to all forms. Requests missing tokens or containing invalid tokens should be rejected.
  52. SAMPLE CSRF VALIDATION
     <?php
     if (!$this->validCsrfToken($data, 'csrf')) {
         throw new ForbiddenException();
     }
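What a validCsrfToken() like the one on the slide has to do, written out as an added example that is not the deck's code and not CakePHP's implementation: mint a random token per session with an expiry, embed it in every form, and compare it in constant time. The storage layout, the one-hour lifetime and the helper names are this example's own; random_bytes() needs PHP 7.0 and hash_equals() PHP 5.6.

```php
<?php
// Added example, not from the slides and not CakePHP's implementation: per-session CSRF tokens
// with an expiry, kept in the session. Names and the 1-hour lifetime are this example's choices.

const CSRF_TTL = 3600;

function csrfToken(array &$session): string
{
    // Reuse a still-valid token so several open forms keep working; otherwise mint a new one.
    if (empty($session['csrf']) || $session['csrf']['expires'] < time()) {
        $session['csrf'] = [
            'value'   => bin2hex(random_bytes(32)),   // CSPRNG: opaque and unguessable
            'expires' => time() + CSRF_TTL,
        ];
    }
    return $session['csrf']['value'];
}

function validCsrfToken(array $data, array $session, string $field = 'csrf'): bool
{
    if (empty($session['csrf']) || !isset($data[$field]) || !is_string($data[$field])) {
        return false;                      // missing token is rejected, not ignored
    }
    if ($session['csrf']['expires'] < time()) {
        return false;                      // expired token
    }
    // Constant-time compare: a plain == would leak the token one byte at a time through timing.
    return hash_equals($session['csrf']['value'], $data[$field]);
}

function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed walk-through: a legitimate submission and a forged one. The evil site can make the
// victim's browser POST to you, but it cannot read the token out of the victim's page or session.
$session = [];
$good   = ['csrf' => csrfToken($session), 'new_password' => 'x'];
$forged = ['new_password' => 'x'];
var_dump(validCsrfToken($good, $session));
var_dump(validCsrfToken($forged, $session));

// In a request handler, in place of the deck's ForbiddenException:
// if (!validCsrfToken($_POST, $_SESSION)) { http_response_code(403); exit; }
```

The token is per session rather than per request, which is the usual trade-off: a user with two tabs open does not get spurious rejections, and the token still changes on every login because the session is rotated then.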
  53. 9. USING COMPONENTS WITH KNOWN VULNERABILITIES: CVE bingo
  54. RISK. Using old busted software exposes you to documented issues. CVE databases are filled with version numbers and matching exploits, so an attacker who learns your version string has most of the work done.
  55. PREVENTION. Do routine upgrades. Keep up to date with all your software, libraries included. Read mailing lists and keep an eye out for security releases.
  56. PREVENTION. There are several vulnerability databases around: https://cve.mitre.org/cve/
  57. 10. UNVALIDATED REDIRECTS & FORWARDS
  58. RISKS. Trusting user input for redirects opens phishing attacks: a link that starts on your domain ends on the attacker's. Breach of trust with your users.
  59. PREVENTION. Don't trust user data when handling redirects. Redirect only to destinations you choose (a whitelist), or only to paths on your own site after checking that the value cannot name another host.
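The same-site path check from the prevention slide, as an added example that is not from the deck. The function name, the default landing page and the constructed test cases are this example's own. Two edge cases matter: a scheme-relative value such as //evil.example is a full URL to the browser even though it starts with a slash, and a CRLF in the value would let an attacker inject extra headers into the Location response.

```php
<?php
// Added example, not from the slides: validating a "return to" parameter before redirecting.
// Only same-site paths are accepted; the default landing page is this example's choice.

function safeRedirectTarget(?string $target, string $default = '/'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    // Must be an absolute path on this site: exactly one leading "/".
    // "//evil.example" is scheme-relative and leaves the site, so it is rejected; so is
    // "/\evil.example", which some browsers normalise to the same thing.
    if ($target[0] !== '/' || (isset($target[1]) && ($target[1] === '/' || $target[1] === '\\'))) {
        return $default;
    }
    // No backslashes anywhere, and no CR/LF (response header injection through Location:).
    if (strpbrk($target, "\\\r\n") !== false) {
        return $default;
    }
    // parse_url() must agree that nothing in the string names a scheme or host.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $target;
}

// Constructed inputs: one legitimate path and the usual ways of smuggling another destination.
$cases = [
    '/account/invoices',
    'http://evil.example/login',
    '//evil.example',
    '/\\evil.example',
    "/ok\r\nSet-Cookie: x=y",
    'javascript:alert(1)',
];
foreach ($cases as $c) {
    printf("%-28s -> %s\n", addcslashes($c, "\r\n"), safeRedirectTarget($c));
}

// Usage in a login handler:
// header('Location: ' . safeRedirectTarget($_GET['return'] ?? null)); exit;
```

Where the set of destinations is small (dashboard, invoices, settings), a map from short names to paths is simpler still: the request carries a key, the server looks up the path, and nothing from the user ever reaches the Location header.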
  60. THANK YOU