The importance of security in 2013, with more websites getting hacked daily and penetration testers being one of the most requested IT jobs.
Developers need to know how secure their applications are against threats like SQL injection, cross-site scripting, weak passwords, and brute-force or dictionary attacks.

Published in: Technology
Securing your web apps now

  1. SECURING YOUR WEB APPS NOW: TIPS TO MAKE YOUR SITE LESS HACKABLE
  2. WHO?
     • Stephan Steynfaardt
     • Solutions Architect & Tech Lead
     • CISSP certified
     • White hat penetration testing
     • @ssteynfaardt
  3. WHAT?
     • Validation
     • SQL injection
     • OS injection
     • Code injection
     • File upload
     • Information leakage
     • Broken Authentication & Session Management
     • XSS
  4. WHY?
  5. IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER
  6. IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.
  7. I don’t even trust the panda. ANY 4 YEAR OLD WITH AN INTERNET CONNECTION
  8. Nothing to do with SSL: WEB APPLICATIONS TESTED BY OWASP
  9. WORLD’S BIGGEST DATA BREACHES 2013
  10. HOW?
      • More than one security layer
  11. HOW?
      • More than one security layer
      • Validate
      • Escape
      • Bind SQL
      • Least privileges
      • Generic exception and error messages
      • Don't display error messages
  12. VALIDATION
  13. VALIDATION
      • Client side validation is useless (it can be bypassed, so it is not a security control)
      • Whitelisting acceptance criteria
      • Typecast your variables
      • Never trust any data
      • Respect\Validation
  14. Top 10 OWASP list: SQL INJECTION
  15. SQL INJECTION
      • Don't use quotes – You only need to miss one
      • Always bind your parameters
  16. BIND PARAMETER
      $sql = "SELECT * FROM users WHERE name=:name and age=:age";
      $stmt = $db->prepare($sql);
      $stmt->execute(array(":name" => $name, ":age" => $age));
  17. SQL INJECTION
      • Don't use quotes – You only need to miss one
      • Always bind your parameters
      • Only allow the SQL privileges required
      • sqlmap
  18. Cracking password hashes with sqlmap
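The point of slides 15 to 17 side by side, as an added example that is not part of the deck: the string-built query the slides warn against, next to the bound version. It uses an in-memory SQLite database with a constructed users table so it runs without a server; function names are this example's own, and it assumes PHP 7 or later.

```php
<?php
// Added example, not from the slides. SQLite in memory stands in for the
// real database; the table and rows are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql, also set $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)
// so the server does the prepare and parameters never travel inside the SQL text.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)");
$db->exec("INSERT INTO users (name, age) VALUES ('alice', 30), ('bob', 41)");

// VULNERABLE: the value is spliced into the SQL, so a quote inside $name
// changes the shape of the query instead of being compared as data.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, age FROM users WHERE name='" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL is fixed at prepare time; the values are bound and typecast,
// so whatever $name contains is matched as a literal string.
function findUserSafe(PDO $db, string $name, $age): array
{
    $stmt = $db->prepare("SELECT name, age FROM users WHERE name = :name AND age = :age");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':age', (int) $age, PDO::PARAM_INT);   // typecast: never a string
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a string that is not a user name at all.
$input = "x' OR '1'='1";
echo count(findUserUnsafe($db, $input)), " rows from the string-built query\n";
echo count(findUserSafe($db, $input, 30)), " rows from the bound query\n";
```

The string-built query returns every row because the input rewrote the WHERE clause; the bound query returns none because no user is literally named `x' OR '1'='1`. For the "only the SQL privileges required" bullet, the account the application connects with should be granted SELECT, INSERT and UPDATE on its own tables only, never DROP, FILE or grants on other schemas, so that an injection that does slip through has less to work with.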
  19. CODE INJECTION
  20. CODE INJECTION
      • Eval() === Evil
        $var = 1;
        $newvalue = isset($_GET['id']) ? $_GET['id'] : 0;
        eval('$var = ' . $newvalue . ';');
        echo $var;
      • The PHP manual warns you against using eval()
  21. CODE INJECTION
      • Don’t use preg_replace() with the /e modifier
      • PHP 5.5 deprecated /e
      • Dynamic function injection: don’t let the URL choose what gets called or included
        local.php?file=some_file.log
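The validation rules from slide 13 (whitelist, typecast, trust nothing) applied to the two patterns on slides 20 and 21, as an added example that is not part of the deck: the eval() snippet rewritten without eval(), and a URL-driven file lookup like local.php?file=... that only serves names from a fixed list under one directory. The function names, the whitelist and the log directory are this example's own; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the slides. $get stands in for $_GET; the values
// are constructed to show what gets rejected.
$get = ['id' => '1; echo "injected"', 'file' => '../../etc/passwd'];

// Instead of eval('$var = ' . $id . ';'), convert the input to the type you
// actually want. Nothing here is ever parsed as PHP code, and "1; ..." is
// rejected outright rather than truncated to 1 the way (int) would do.
function idFromRequest(array $get): int
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? 0 : $id;
}

// Do not let the URL choose the function or the file. Map the request key
// onto a whitelist of known files and resolve the result under one base dir.
function logFileFromRequest(array $get, string $baseDir): ?string
{
    $allowed = ['app' => 'app.log', 'access' => 'access.log'];   // whitelist
    $key = $get['file'] ?? '';
    if (!isset($allowed[$key])) {
        return null;                      // unknown key: refuse, do not guess
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    $base = realpath($baseDir);
    // Defence in depth: even a whitelisted name must resolve inside $baseDir
    // (a symlink placed in the log directory would otherwise escape it).
    if ($path === false || $base === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

var_dump(idFromRequest($get));                                       // rejected input -> 0
var_dump(logFileFromRequest($get, '/var/log/myapp'));                // not on the whitelist
var_dump(logFileFromRequest(['file' => 'app'], '/var/log/myapp'));   // path if the file exists
```

The same shape works for the "dynamic function" case: keep an array mapping request values to the functions you are willing to call, and look the request up in that array instead of calling `$_GET['action']()`.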
  22. OS INJECTION
  23. OS INJECTION
      • Statements executed directly on the OS
      • Don’t use system()
        system('nslookup ' . $_POST['host']);
      • Example input: 'google.com; rm -RF /var/www'
      • Download any script with wget
      • Validate file_get_contents()
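The nslookup call from slide 23 done safely, as an added example that is not part of the deck. Two layers: validate that the input is a hostname at all, and never hand raw input to a shell; the preferred version avoids the shell entirely. Function names and the hostname pattern are this example's own; it assumes PHP 7 or later.

```php
<?php
// Added example, not from the slides.

// Strict whitelist of what a hostname may look like (letters, digits,
// hyphens, dot-separated labels, alphabetic TLD) plus a length cap.
// Anything with ';', spaces, quotes or slashes fails before any command runs.
function isHostname(string $host): bool
{
    return strlen($host) <= 253
        && preg_match('/^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $host) === 1;
}

// Preferred: no shell at all. PHP can resolve names itself.
function lookupHost(string $host): array
{
    if (!isHostname($host)) {
        throw new InvalidArgumentException('not a hostname');
    }
    $records = dns_get_record($host, DNS_A);
    return $records === false ? [] : array_column($records, 'ip');
}

// If the external tool really is needed: validate first, then escapeshellarg()
// so the value reaches nslookup as a single argument, never as shell syntax.
function lookupHostWithTool(string $host): string
{
    if (!isHostname($host)) {
        throw new InvalidArgumentException('not a hostname');
    }
    $out = shell_exec('nslookup ' . escapeshellarg($host) . ' 2>&1');
    return $out === null ? '' : $out;
}

// Constructed inputs: a plain name and the injection string from the slide.
foreach (['google.com', 'google.com; rm -RF /var/www'] as $input) {
    echo $input, ' => ', isHostname($input) ? 'accepted' : 'rejected', "\n";
}
```

The same two rules cover the slide's last bullets: a URL passed to file_get_contents() or wget should be checked against an allowed scheme and host list before use, and the download should never be handed to a shell.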
  24. bring your own exploit: FILE UPLOADS
  25. WORDPRESS N00BS (actually any PHP n00bs)
  26. FILE UPLOADS
      • Upload files outside of the webroot
      • Check the mime-type
        file -i logo.png
        logo.png: image/png; charset=binary
        file -i evil_file.png
        evil_file.png: text/plain; charset=us-ascii
      • Rename the file
      • Move it to the desired location
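The four steps on slide 26 (outside the webroot, check the MIME type from the bytes, rename, move) as one upload handler, added here as an example that is not part of the deck. It checks the type the same way `file -i` does, via libmagic through PHP's finfo. The storage directory, the size limit and the allowed types are this example's own choices; `$_FILES['upload']` is the assumed form field, and it assumes PHP 7 or later.

```php
<?php
// Added example, not from the slides.
function storeUpload(array $file, string $storageDir): string
{
    // $storageDir must be outside the web root (e.g. /var/app/uploads), so
    // nothing stored here can ever be requested, let alone executed, directly.
    if (!isset($file['tmp_name'], $file['error'], $file['size']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }

    // Determine the type from the bytes, like `file -i`; never trust the
    // client-supplied $file['type'] or the extension of the original name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type: ' . $mime);
    }

    // Rename: the stored name is random and carries our extension, so the
    // client's chosen name and extension never reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // slide 33: files 640/644, never executable
    return $name;         // keep this name in the database; serve the file through a read-only handler
}

// Usage inside the upload handler:
// $stored = storeUpload($_FILES['upload'], '/var/app/uploads');
```

Because the file lives outside the webroot, serving it back means a small PHP handler that looks the random name up, sets its own Content-Type from the stored record and streams the bytes with readfile(); the browser never gets a path it can turn into a script request.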
  27. INFORMATION LEAKAGE
  28. INFORMATION LEAKAGE
      • phpinfo()
      • php.ini: display_errors = Off
      • php.ini: display_startup_errors = Off
      • php.ini: error_reporting = E_ALL & ~E_DEPRECATED
      • php.ini: html_errors = Off
      • php.ini: log_errors = On (always log your errors to a file)
  29. OVER SPECIFIC FEEDBACK
  30. OVER SPECIFIC FEEDBACK
      • Login form messages
      • Forgotten debug statements
      • Server headers
      • php.ini: expose_php = Off
      • httpd.conf: ServerTokens Full | OS | Minor | Major | Prod (use Prod)
      • ModSecurity
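The "log everything, show nothing" rule from slides 11, 28 and 30 as a front-controller bootstrap, added here as an example that is not part of the deck. The php.ini values on slide 28 remain the right place to set this permanently; this shows what the application itself does with a failure. The log path, the reference-id scheme and the error page text are this example's own; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the slides.
ini_set('display_errors', '0');          // never to the browser
ini_set('display_startup_errors', '0');
ini_set('html_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/myapp/php-error.log');   // outside the web root
error_reporting(E_ALL);
header_remove('X-Powered-By');           // same effect as expose_php = Off for this response

// Turn notices and warnings into exceptions so one handler sees everything
// (a warning that prints a file path is as much a leak as a fatal error).
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;                    // respects the @ operator
    }
    throw new ErrorException($str, 0, $no, $file, $line);
});

// Detail goes to the log under a random reference id; the user gets only
// the id, which support can match against the log line.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Something went wrong. Reference: ', $ref;
});

// Constructed failure: the message names an internal host and account, which
// is exactly the kind of detail that must stay in the log.
throw new RuntimeException('DB connection refused for user app@10.0.0.5');
```

The same principle applies to the login form on slide 30: "invalid username or password" for both cases, with the distinction (no such user, wrong password, account locked) written to the log, not to the response.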
  31. SENSITIVE DATA EXPOSURE
      "All your data are belong to us" - NSA
  32. SENSITIVE DATA EXPOSURE
      • OWASP top 10 2013: simply not encrypting data
      • Only store the data you need
      • MD5 and SHA1 are not for passwords
      • Passwords are easy to guess
      • Bcrypt is for passwords: ircmaxwell/password-compat, zendframework/zend-crypt
      • PHP 5.5 password_hash()
      • cost: more rounds = better security, but more time/performance penalty
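The bcrypt bullets from slide 32 in code, added here as an example that is not part of the deck: password_hash() and password_verify() (PHP 5.5+, or the ircmaxwell/password-compat polyfill the slide names on 5.3/5.4), the cost trade-off measured on the machine, and an upgrade path when the cost is raised later. Function names and the target timing are this example's own; the typed signatures assume PHP 7 or later.

```php
<?php
// Added example, not from the slides.

// Pick the highest cost that still hashes inside the target time on this
// host. Each +1 doubles the work; run once at deploy time, not per request.
function tuneBcryptCost(float $targetSeconds = 0.25): int
{
    $cost = 10;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while (microtime(true) - $start < $targetSeconds && $cost < 31);
    return $cost - 1;
}

function registerUser(string $password, int $cost): string
{
    // A random salt is generated and embedded in the returned string;
    // store that string, never the password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function loginUser(string $password, string $storedHash, int $currentCost): array
{
    if (!password_verify($password, $storedHash)) {   // constant-time comparison inside
        return ['ok' => false, 'rehash' => null];
    }
    // If the cost was raised since this hash was made, upgrade it now, on the
    // one occasion the plaintext is available; the caller saves the new hash.
    $rehash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])
        ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $currentCost])
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

$cost = 12;                                   // or tuneBcryptCost() at deploy time
$hash = registerUser('correct horse battery staple', $cost);
var_dump(loginUser('correct horse battery staple', $hash, $cost)['ok']);
var_dump(loginUser('wrong', $hash, $cost)['ok']);
var_dump(loginUser('correct horse battery staple', $hash, 13)['rehash'] !== null);
```

The last call shows the upgrade path: the stored cost-12 hash still verifies, and because the policy now says 13, a fresh hash comes back for the caller to write over the old one. MD5 and SHA1 have no cost parameter at all, which is the slide's point: they are built to be fast, and fast is exactly what a password hash must not be.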
  33. SENSITIVE DATA EXPOSURE
      • Directories should be 750 or 755
      • Files should be 644 or 640
      • Locate world-writable (777) directories on your server:
        $ sudo find /var/www/ -type d -perm -002
      • Locate world-writable (777) files on your server:
        $ sudo find /var/www/ -type f -perm -002
      • The user should own the web directory
      • The group should be the apache user
  34. BROKEN AUTHENTICATION & SESSION MANAGEMENT
  35. BROKEN AUTHENTICATION & SESSION MANAGEMENT
      • #2 on the OWASP top 10 2013
      • Allows attackers to impersonate other users who are currently logged in
      • Don’t display the sessionID in the URL
      • Hidden fields (e.g. isAdmin)
      • Remove the session cookie when done
      • Regenerate sessionIDs after login
  36. BROKEN AUTHENTICATION & SESSION MANAGEMENT
      • session_destroy(), session_unset()
      • Remember me functions
      • chrome://settings/passwords
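The session bullets from slides 35 and 36, plus the HttpOnly cookie from slide 38, as one login/logout pair added here as an example that is not part of the deck. Function names and the eight-hour absolute timeout are this example's own; it assumes the site is served over HTTPS (the secure flag) and PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie().

```php
<?php
// Added example, not from the slides.

// Cookie flags must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,          // session cookie: gone when the browser closes
    'path'     => '/',
    'secure'   => true,       // HTTPS only
    'httponly' => true,       // not readable from document.cookie (slide 38)
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1');   // never accept the id from the URL
ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue
session_start();

function loginUser(int $userId): void
{
    // Fresh id after the privilege change, so an id handed out before login
    // (or planted by someone else) is not the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
    // Authorisation (is this user an admin?) lives server-side, looked up from
    // user_id; never in a hidden isAdmin form field.
}

function logoutUser(): void
{
    $_SESSION = [];
    session_unset();
    // Expire the cookie in the browser as well, not only the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

function isLoggedIn(): bool
{
    // Absolute timeout: an old cookie does not stay valid forever.
    return isset($_SESSION['user_id'], $_SESSION['login_at'])
        && time() - $_SESSION['login_at'] < 8 * 3600;
}
```

For the "remember me" bullet the same rules apply to the persistent token: generate it with random_bytes(), store only a hash of it next to the user id, and issue a brand-new one each time it is used.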
  37. Cross Site Scripting (XSS)
  38. XSS
      • 65% of websites are vulnerable to XSS
      • 2 types of XSS: stored, reflected
      • Steal the sessionID from cookies
      • Escape all form input – htmlspecialchars()
      • ezyang/htmlpurifier, escape_html
      • Cookies: HttpOnly
      • document.write hidden iframe
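The escaping bullet from slide 38 in code, added here as an example that is not part of the deck. It takes the reflected case (a search term echoed back into the page) and shows the unescaped output next to htmlspecialchars() output, and that the escaping has to match the context the value lands in: HTML body and attribute values get htmlspecialchars(), a value inside a script block gets encoded as a JSON literal instead. Function names are this example's own; it assumes PHP 7 or later.

```php
<?php
// Added example, not from the slides.

// ENT_QUOTES escapes both quote kinds (needed inside attribute values);
// the charset must match the page's, or multi-byte sequences can slip past.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inside <script>, HTML escaping is the wrong tool: emit a JSON literal with
// the characters that could close the script block hex-encoded.
function jsLiteral($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function renderSearchPage(string $query): string
{
    $escaped = e($query);
    return "<p>Results for: {$escaped}</p>\n"
         . "<input type=\"text\" name=\"q\" value=\"{$escaped}\">\n"
         . "<script>var lastQuery = " . jsLiteral($query) . ";</script>\n";
}

// Constructed input: markup rather than a search term.
$query = '<b onmouseover="alert(1)">hi</b>';
echo "Unescaped (vulnerable): <p>Results for: {$query}</p>\n";
echo "Escaped:\n", renderSearchPage($query);
```

Escaping at the moment of output is what makes this hold up: the raw value can be stored and reused, and each place it appears applies the encoding that place needs. ezyang/htmlpurifier from the slide is for the other case, where users are allowed to submit some HTML and the markup itself must be filtered rather than escaped.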
  39. GOING FORWARD
  40. GOING FORWARD
      • 57% of organizations provided some software security training
      • 40% fewer vulnerabilities
      • Resolved issues 59% faster
      • owasp.org
      • https://security.sensiolabs.org/
  41. GOING FORWARD
      • 19 Extensions to Turn Google Chrome into Penetration Testing tool
        http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/
      • PHP security manual: http://php.net/manual/en/security.php
      • Code reviews
      • Try it yourself
