Securing your web apps now
The importance of security in 2013, with more websites getting hacked daily and penetration testers being one of the most requested IT jobs.
Developers need to be sure how secure their applications are against threats like SQL injection, cross-site scripting, weak passwords, and brute-force or dictionary attacks.

Usage Rights

© All Rights Reserved

Presentation Transcript: Securing your web apps now

  • SECURING YOUR WEB APPS NOW TIPS TO MAKE YOUR SITE LESS HACKABLE
  • WHO? • Stephan Steynfaardt • Solutions Architect & Tech Lead • CISSP certified • White hat penetration testing • @ssteynfaardt
  • WHAT? • Validation • SQL injection • OS injection • Code injection • File upload • Information leakage • Broken Authentication & Session Management • XSS
  • WHY?
  • IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER
  • IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.
  • I don’t even trust the panda ANY 4 YEAR OLD WITH AN INTERNET CONNECTION
  • Nothing to do with SSL WEB APPLICATIONS TESTED BY OWASP
  • WORLD’S BIGGEST DATA BREACHES 2013
  • HOW? • More than one security layer
  • HOW? • More than one security layer • Validate • Escape • Bind SQL • Least privileges • Generic exception/error messages • Don't display error messages
  • VALIDATION
  • VALIDATION • Client side validation is useless • Whitelisting acceptance criteria • Typecast your variables • Never trust any data • Respect\Validation
  • Top 10 OWASP list SQL INJECTION
  • SQL INJECTION • Don't use quotes – You only need to miss one • Always bind your parameters
  • BIND PARAMETER $sql = "SELECT * FROM users WHERE name=:name and age=:age"; $stmt = $db->prepare($sql); $stmt->execute(array(":name" => $name, ":age" => $age));
  • SQL INJECTION • Don't use quotes – You only need to miss one • Always bind your parameters • Only allow the SQL privileges required • sqlmap
  • Cracking password hashes with sqlmap
  • CODE INJECTION
  • CODE INJECTION • Eval() === Evil $var = 1; $newvalue = isset($_GET['id']) ? $_GET['id'] : 0; eval('$var = ' . $newvalue . ';'); echo $var; • PHP manual warns you against using eval()
  • CODE INJECTION • Don’t use preg_replace() with /e • PHP 5.5 deprecated /e • Dynamic function injection, don’t call it from the URL • local.php?file=some_file.log
  • OS INJECTION
  • OS INJECTION • Statements executed directly on the OS • Don’t use system() • system('nslookup ' . $_POST['host']); • 'google.com; rm -rf /var/www' • Download any script with wget • Validate file_get_contents()
  • bring your own exploit FILE UPLOADS
  • Actually any PHP n00bs WORDPRESS N00BS
  • FILE UPLOADS • Upload files outside of the webroot • Check the MIME type • file -i logo.png → logo.png: image/png; charset=binary • file -i evil_file.png → evil_file.png: text/plain; charset=us-ascii • Rename the file • Move to the desired location
  • INFORMATION LEAKAGE
  • INFORMATION LEAKAGE • phpinfo() • php.ini display_errors = Off • php.ini display_startup_errors = Off • php.ini error_reporting = E_ALL & ~E_DEPRECATED • php.ini html_errors = Off • php.ini log_errors = On • Always log your errors to a file
  • OVER SPECIFIC FEEDBACK
  • OVER SPECIFIC FEEDBACK • Login form messages • Forgotten debug statements • Server headers • php.ini, expose_php = Off • httpd.conf, ServerTokens Full | OS | Minor | Major | Prod • ModSecurity
  • SENSITIVE DATA EXPOSURE All your data are belong to us - NSA
  • SENSITIVE DATA EXPOSURE • OWASP top 10 2013: simply not encrypting data • Only store the data you need • MD5 and SHA1 are not for passwords • Passwords are easy to guess • Bcrypt is for passwords: ircmaxwell/password-compat, zendframework/zend-crypt • PHP 5.5 password_hash() • cost: more rounds = better security, but a time/performance penalty
  • SENSITIVE DATA EXPOSURE • Directories should be 750 or 755 • Files should be 644 or 640 • Locate world-writable (777) directories on your server: $ sudo find /var/www/ -type d -perm -002 • Locate world-writable (777) files on your server: $ sudo find /var/www/ -type f -perm -002 • The user should own the web directory • The group should be the apache user
  • BROKEN AUTHENTICATION & SESSION MANAGEMENT
  • BROKEN AUTHENTICATION & SESSION MANAGEMENT • #2 on the OWASP top 10 2013 • Allows attackers to impersonate other users who are currently logged in • Don’t display the session ID in the URL • Hidden fields – isAdmin • Remove the session cookie when done • Regenerate session IDs after login
  • BROKEN AUTHENTICATION & SESSION MANAGEMENT • session_destroy(), session_unset() • Remember-me functions • chrome://settings/passwords
  • Cross Site Scripting XSS
  • XSS • 65% of websites are vulnerable to XSS • 2 types of XSS: stored and reflected • Steal the session ID from cookies • Escape all form input – htmlspecialchars() • ezyang/htmlpurifier, escape_html • HttpOnly cookies • document.write hidden iframe
  • GOING FORWARD
  • GOING FORWARD • 57% of organizations provided some software security training • 40% fewer vulnerabilities • Resolved issues 59% faster • owasp.org • https://security.sensiolabs.org/
  • GOING FORWARD • 19 Extensions to Turn Google Chrome into a Penetration Testing Tool http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/ • PHP security manual http://php.net/manual/en/security.php • Code reviews • Try it yourself
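The VALIDATION and SQL INJECTION slides above in working code, as an added example that is not from the talk: whitelist acceptance criteria and typecasting first, then the bound-parameter query, with the hand-quoted query the slides warn against kept beside it for contrast. It assumes PHP 7.1+ with the pdo_sqlite extension; the users table and the inputs are constructed for the demo.

```php
<?php
// Added example, not code from the talk: whitelist validation and typecasting
// (VALIDATION slide), then a bound-parameter query (SQL INJECTION slide).
// Uses an in-memory SQLite database so it runs offline.
declare(strict_types=1);

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
foreach ([['alice', 34], ['bob', 27]] as [$name, $age]) {
    $insert->execute([':name' => $name, ':age' => $age]);
}

// Whitelist acceptance criteria: a username is 3-32 characters, starts with a
// letter and contains only lowercase letters, digits and underscores.
// Anything else is rejected, rather than "cleaned".
function validateName(string $raw): ?string
{
    return preg_match('/^[a-z][a-z0-9_]{2,31}$/', $raw) === 1 ? $raw : null;
}

// Typecast: age must be an integer in a plausible range, not merely "numeric".
function validateAge(string $raw): ?int
{
    $age = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $age === false ? null : $age;
}

// The pattern the slide warns against: the value is spliced into the SQL text
// with hand-written quotes. Kept here only to contrast with the bound version.
function unsafeLookup(PDO $db, string $name): array
{
    $sql = "SELECT id, name, age FROM users WHERE name='" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Validate first, then bind. The SQL text is fixed; the driver sends the values
// separately, so they can never change the meaning of the statement.
function safeLookup(PDO $db, string $rawName, string $rawAge): array
{
    $name = validateName($rawName);
    $age  = validateAge($rawAge);
    if ($name === null || $age === null) {
        return []; // reject invalid input before it reaches the database
    }
    $stmt = $db->prepare('SELECT id, name, age FROM users WHERE name = :name AND age = :age');
    $stmt->execute([':name' => $name, ':age' => $age]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the classic tautology, then a normal lookup.
$hostile = "' OR '1'='1";
printf("unsafe, hostile input: %d row(s)\n", count(unsafeLookup($db, $hostile)));
printf("safe, hostile input:   %d row(s)\n", count(safeLookup($db, $hostile, '34')));
printf("safe, valid input:     %d row(s)\n", count(safeLookup($db, 'alice', '34')));
```

With the tautology the hand-quoted query matches every row in the table, while the validated and bound query rejects the input at the whitelist and returns nothing; the valid lookup returns alice's row only. The two defences are independent: even if a value passes the whitelist, binding keeps it out of the SQL text, which is the "more than one security layer" point of the HOW? slide.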
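The OS INJECTION and FILE UPLOADS slides above as one added example (not the talk's code): the nslookup case with the hostname whitelisted and quoted before it reaches a shell, and an upload handler that decides the file type from the bytes, renames the file, and stores it outside the webroot. It assumes PHP 7.0+ with the fileinfo extension; `validateHostname`, `buildLookupCommand` and `storeUpload` are names chosen here, and the PNG and text files are constructed for the demo.

```php
<?php
// Added example, not the talk's code: the system('nslookup ' . $_POST['host'])
// case from the OS INJECTION slide made safe, and the upload handling from the
// FILE UPLOADS slide (real MIME check, rename, store outside the webroot).
declare(strict_types=1);

// Whitelist the hostname before it goes anywhere near a shell: RFC 1123 style
// labels of letters, digits and hyphens, joined by dots. Everything else is rejected.
function validateHostname(string $raw): ?string
{
    $host  = strtolower(trim($raw));
    $label = '(?!-)[a-z0-9-]{1,63}(?<!-)';
    if (strlen($host) > 253 || preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) !== 1) {
        return null;
    }
    return $host;
}

// Build the command from validated data only, and still quote the argument:
// two independent layers, as the HOW? slide recommends.
function buildLookupCommand(string $rawHost): ?string
{
    $host = validateHostname($rawHost);
    return $host === null ? null : 'nslookup ' . escapeshellarg($host);
}

// Upload handling: decide the extension from the bytes, not from the client's
// file name; give the file a random name; move it to a directory the web server
// does not serve. $move defaults to move_uploaded_file(), which refuses anything
// that was not an HTTP upload; the demo below passes rename() for its local files.
function storeUpload(string $tmpPath, string $storageDir, callable $move = 'move_uploaded_file'): ?string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset($allowed[$mime])) {
        return null; // the content is not an image type we accept
    }
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest    = rtrim($storageDir, '/') . '/' . $newName;
    return $move($tmpPath, $dest) ? $newName : null;
}

// --- demo with constructed inputs ---
var_dump(buildLookupCommand('Google.com'));
var_dump(buildLookupCommand('google.com; rm -rf /var/www')); // the slide's payload

$work = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($work . '/incoming', 0750, true);
mkdir($work . '/storage', 0750, true);

// Constructed: a 1x1 transparent PNG, and a text file that merely claims to be a PNG.
file_put_contents($work . '/incoming/logo.png', base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
file_put_contents($work . '/incoming/evil_file.png', "this is not an image\n");

var_dump(storeUpload($work . '/incoming/logo.png', $work . '/storage', 'rename'));      // real PNG
var_dump(storeUpload($work . '/incoming/evil_file.png', $work . '/storage', 'rename')); // text, despite the name
```

The hostname check is what makes the command safe; `escapeshellarg()` is the second layer. The upload check mirrors the slide's `file -i` comparison: libmagic reports the real PNG as image/png and the renamed text file as a text type, so only the first one is stored, and it is stored under a random name with an extension chosen by the server.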
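The INFORMATION LEAKAGE and OVER SPECIFIC FEEDBACK slides list php.ini values; the following added example (not from the talk) is the check a practitioner would run to confirm a server actually has them. It reads the live configuration with `ini_get()` and reports every audited directive that still has a development value. `auditPhpIni` and `PRODUCTION_INI` are names chosen here; the session directives are included because they belong to the same "don't leak the session ID" advice later in the talk.

```php
<?php
// Added example, not the talk's code: a runtime audit of the php.ini settings
// from the INFORMATION LEAKAGE and OVER SPECIFIC FEEDBACK slides. Run it from
// the CLI, or behind an admin-only route, to see which directives still have
// development values on a given server.
declare(strict_types=1);

// Expected production values. Booleans are compared after normalisation, since
// ini files accept On/Off, 1/0 and true/false.
const PRODUCTION_INI = [
    'display_errors'           => false,
    'display_startup_errors'   => false,
    'html_errors'              => false,
    'log_errors'               => true,   // log to a file instead of showing errors
    'expose_php'               => false,  // no "X-Powered-By: PHP/x.y" header
    'session.use_only_cookies' => true,   // never accept a session ID from the URL
    'session.use_trans_sid'    => false,  // never write the session ID into links
    'session.cookie_httponly'  => true,   // session cookie unreadable by script (XSS slide)
];

// Normalise an ini value to a boolean. "stdout"/"stderr" are accepted values of
// display_errors and count as "on".
function iniBool(string $value): bool
{
    return in_array(strtolower(trim($value)), ['1', 'on', 'true', 'yes', 'stdout', 'stderr'], true);
}

// Returns a list of [directive, current value] pairs for everything that does
// not match the expected production value.
function auditPhpIni(array $expected = PRODUCTION_INI): array
{
    $findings = [];
    foreach ($expected as $directive => $want) {
        $have = ini_get($directive);
        if ($have === false) {
            $findings[] = [$directive, 'unknown directive'];
            continue;
        }
        if (iniBool($have) !== $want) {
            $findings[] = [$directive, $have === '' ? '(empty)' : $have];
        }
    }
    // log_errors is only useful if the log actually goes somewhere readable
    // by operations; with error_log unset it falls back to the SAPI's own log.
    if (iniBool((string) ini_get('log_errors')) && ini_get('error_log') === '') {
        $findings[] = ['error_log', '(not set, falls back to the SAPI error log)'];
    }
    return $findings;
}

$findings = auditPhpIni();
if ($findings === []) {
    echo "php.ini: all audited directives have production values\n";
} else {
    foreach ($findings as [$directive, $value]) {
        printf("%-26s current value: %s\n", $directive, $value);
    }
}
```

Because the script reads the effective configuration, it also catches values overridden by a virtual host, `.user.ini` or `ini_set()` that a review of the main php.ini would miss. The Apache `ServerTokens` setting from the same slide is not visible from PHP and has to be checked in httpd.conf or by inspecting the `Server` response header.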
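The password advice on the SENSITIVE DATA EXPOSURE slide as an added example (not the talk's code): `password_hash()` with a bcrypt cost chosen by measuring how long one hash takes, `password_verify()` for checking, `password_needs_rehash()` so hashes made with an older cost are upgraded at the next login, and an upgrade path for legacy MD5 hashes. It assumes PHP 5.5+ for the password functions (PHP 7.0+ for the type declarations); the function names and the sample passwords are chosen here.

```php
<?php
// Added example, not the talk's code: the SENSITIVE DATA EXPOSURE advice in
// working PHP. password_hash() (PHP 5.5+) with a bcrypt cost chosen by
// measurement, verification, and a transparent upgrade path for old hashes.
declare(strict_types=1);

// Measure how long one hash takes and pick the highest cost that stays under the
// budget. The slide's trade-off: more rounds = better security, more time per login.
// $max is capped at 14 here so the benchmark itself stays short.
function chooseBcryptCost(float $budgetSeconds = 0.25, int $min = 10, int $max = 14): int
{
    for ($cost = $min; $cost <= $max; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $budgetSeconds) {
            return max($min, $cost - 1); // the previous cost was the last one within budget
        }
    }
    return $max;
}

// bcrypt salts itself; the returned string carries algorithm, cost and salt.
function hashPassword(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verify, and tell the caller whether the stored hash should be replaced:
// password_needs_rehash() is true when the stored cost or algorithm differs
// from the current policy, so the store is upgraded gradually as users log in.
function checkPassword(string $password, string $storedHash, int $cost): array
{
    $ok     = password_verify($password, $storedHash);
    $rehash = $ok && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
    return ['ok' => $ok, 'needs_rehash' => $rehash];
}

// Legacy MD5 hashes ("MD5 is not for passwords") cannot be verified by
// password_verify(); compare in constant time and, on success, return the
// bcrypt hash that should replace the MD5 value in the database.
function upgradeLegacyMd5(string $password, string $md5Hash, int $cost): ?string
{
    return hash_equals($md5Hash, md5($password)) ? hashPassword($password, $cost) : null;
}

// --- demo with constructed passwords ---
$cost = chooseBcryptCost();
printf("chosen bcrypt cost: %d\n", $cost);

$hash = hashPassword('correct horse battery staple', $cost);
print_r(checkPassword('correct horse battery staple', $hash, $cost));
print_r(checkPassword('wrong password', $hash, $cost));

// Constructed: a hash made earlier with a weak cost, flagged for rehash on login.
$oldHash = password_hash('legacy', PASSWORD_BCRYPT, ['cost' => 4]);
print_r(checkPassword('legacy', $oldHash, $cost));

// Constructed: an MD5 row from an old user table, upgraded after a successful login.
$upgraded = upgradeLegacyMd5('legacy', md5('legacy'), $cost);
printf("legacy MD5 upgraded to: %s\n", substr((string) $upgraded, 0, 7) . '...');
```

The cost measurement belongs in deployment tooling rather than in the request path; the number it produces is what goes into the application's configuration, and raising it later is safe because `password_needs_rehash()` picks up the change for every user at their next login.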
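The BROKEN AUTHENTICATION & SESSION MANAGEMENT and XSS slides as one added example (not the talk's code): session cookies configured so the ID never appears in a URL and cannot be read by script, a fresh session ID on login, a logout that clears the data and expires the cookie before destroying the session, and output escaping with `htmlspecialchars()`. It assumes PHP 7.3+ for the array form of `session_set_cookie_params()`; the session functions only run under a web SAPI, while the escaping demo runs from the CLI. Function names and the sample inputs are chosen here.

```php
<?php
// Added example, not the talk's code: the BROKEN AUTHENTICATION & SESSION
// MANAGEMENT and XSS slides as request handlers. The session functions are only
// called from a web SAPI; the escaping part runs anywhere.
declare(strict_types=1);

// Called once before session_start(): cookies only (no session ID in the URL),
// HttpOnly so script cannot read the cookie, Secure so it only travels over HTTPS,
// strict mode so the server never adopts an ID it did not issue.
function configureSession(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// On successful login: a fresh session ID so any ID known before login is
// useless, and the authorization state lives server-side, never in a hidden
// "isAdmin" form field that the client can edit.
function loginUser(int $userId, bool $isAdmin): void
{
    session_regenerate_id(true); // true = delete the old session data as well
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
    $_SESSION['login_at'] = time();
}

// On logout: clear the data, expire the cookie in the browser, then destroy the
// server-side session. All three steps are needed ("remove the session cookie when done").
function logoutUser(): void
{
    $_SESSION = [];
    session_unset();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// XSS: escape on output, every time, for the HTML context. ENT_QUOTES also
// escapes single quotes (attribute values); ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, which would silently drop output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The same value is used in an attribute and in element content; both are escaped.
function renderGreeting(string $displayName): string
{
    return '<p>Welcome back, <span title="' . e($displayName) . '">' . e($displayName) . '</span></p>';
}

// --- demo with constructed display names ---
echo renderGreeting('Mallory <script>alert(1)</script>'), "\n";
echo renderGreeting('" onmouseover="alert(1)'), "\n";

if (PHP_SAPI !== 'cli') {
    configureSession();
    session_start();
    // loginUser(42, false); // after the credentials check succeeds
    // logoutUser();         // from the logout route
}
```

`htmlspecialchars()` is the right tool when the value is meant to be displayed as text; where users may submit HTML that has to be rendered, a sanitiser such as the HTML Purifier mentioned on the slide is needed instead, because escaping would turn the markup back into visible text. The HttpOnly flag limits what a successful XSS can do with the session cookie, which is the "steal session ID from cookies" point of the same slide.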