1.
Tobias Zander | @airbone42
OWASP Top 10

2.
Current state of security

3.
Open Web Application
Security Project

4.
The Top 10 Most
Critical Web
Application Security
Risks
Not just Vulnerabilities

5.
http://xkcd.com/327/

6.
Don‘t try this at home!
http://funfive.net/drop-database-license-plate/2670.html

7.
Prepared Statements
$stmt = $mysqli->prepare(
'UPDATE users
SET email = ?
WHERE id = 123'‚
);
$stmt->bind_param(
's',
$email
);

8.
DBA
$q = Doctrine_Query::create()
->update('Account')
->set('email', 'foo@bar.de')
->where(
'username LIKE ?',
$username
);
$username = 'A%';

9.
Time-based
SELECT IF(
SUBSTRING(
user_password, 1, 1
) = CHAR(65),
BENCHMARK(
5000000,
ENCODE(‘foo', ‘bar')
),
null
)
FROM users
WHERE user_id = 1;

10.
Injection
• Use prepared statements
• Or stored procedures
• Check for wildcards
www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

11.
eBay
https://twitter.com/kennwhite/status/470545973547397120/photo/1/large

12.
Online-Banking Newsletter
Sollte Ihr Kennwort Sonderzeichen
enthalten, bitten wir Sie, Ihr Kennwort zu
ändern. Durch die technische Umstellung
auf das neue Online-Banking werden nur
noch Kennwörter zugelassen, die
bestimmte Sonderzeichen erlauben. Die
zugelassenen Sonderzeichen im
Kennwort lauten: # ? * + - .

13.
Broken Authentication
• Don‘t limit password strength
• Force long and complex passwords
• Check error messages
• Prevent brute-force-attacks
www.owasp.org/index.php/Authentication_Cheat_Sheet

14.
Session Hijacking
Session ID: abcde
Mr. Evil

15.
Session Fixation
Mr. Evil
Link
Predefined Session ID

16.
Broken Session Management
session.use_trand_sid = Off
session.use_only_cookies = On
session.cookie_secure = On
session.cookie_httponly = On
session.hash_function = sha512

17.
Broken Session Management
• Don‘t expose session ids
• Probably bind sessions to IP
• Reduce Session-Lifetime
• Regenerate Session-Ids
www.owasp.org/index.php/Session_Management_Cheat_Sheet

18.
XSS
echo '<input
type="text"
name="foo"
value="' .
htmlspecialchars(
$string
ENT_QUOTES|
ENT_SUBSTITUTE|
ENT_DISALLOWED,
'UTF-8'
) .
'">';

19.
XSS
$value = '</script>';
echo json_encode(
$value
);

20.
XSS
• Escape output by context
– htmlspecialchars
– json_encode
– …
• Content-Security-Policy
• X-XSS-Protection
• Template engine

21.
Insecure Object Reference
<select>
<option value="2">
moderator
</option>
<option value="3">
editor
</option>
</select>

22.
Insecure Object Reference
<select>
<option value="random-ref-x">
moderator
</option>
<option value="random-ref-y">
editor
</option>
</select>

23.
Insecure Object Reference
• Validate user input
• Use indirect object references
• Check access permissions

24.
Security Misconfiguration
<Directory "/var/www">
AllowOverride All
</Directory>
memory_limit = 1024M
allow_url_fopen = On
allow_url_include = On
;open_basedir =

25.
Security Misconfiguration
<Directory "/var/www">
AllowOverride None
Options -Indexes
</Directory>
memory_limit = 128M
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/app

26.
Security Misconfiguration
• Keep your system up-to-date
• Remove setup/deployment routines
• Disable exposure of sensitive data
• Review server settings
• github.com/ioerror/duraconf

27.
Fucking rainbow tables
http://edwardhotspur.wordpress.com/tag/devil-bunny/

28.
PHP 5.5
password_hash($password);
if (password_verify($password, $hash)) {
// Success!
} else {
// Failed :(
}

29.
SSDE - Password encryption
• Add a salt
• Use different salts
• Use a strong algorithm (NOT md5)
• Use password_hash in PHP 5.5
• github.com/ircmaxell/password_compat

30.
SSDE - PHP Exposure
expose_php Off
Remove
phpinfo();

31.
SSDE - Secure URLs
• Use TLS for all pages
• Use Secure Cookie Flag
• Keep sensitive data out of the URL

32.
class AdminController {
public function editAction() {
$this->model
->save($this->formData);
}
}

33.
Missing Function Level AC
class AdminController {
public function editAction() {
if (!$this->_isAllowed()) {
throw new Exception(
'insufficient privileges'
);
}
…

34.
Missing Function Level AC
• Standard should disallow all access
• Use roles to keep ACL simple
• ACL model should be very flexible
• Check privileges on each step

35.
class BankaccountController {
public function transferAction() {
if ($this->_isAllowed()) {
$this->transfer(
$amount,
$account
);
}
}
}

36.
Cross Site Request Forgery
Login / create session
Visitwebsite
Requestapp…
… through victim‘s browser
evil.com
sensitive.com

37.
CSRF
class BankaccountController {
public function transferAction() {
$this->validateToken();
if ($this->_isAllowed()) {
$this->transfer(
$amount,
$account
);
}
}

38.
Infected
profile
TOKEN
My profile

39.
Authenticate user

40.
CSRF
• Use One-Time-Token and secure it
• Authenticate user
–Credentials
–Captcha
www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet

41.
Known Vulnerabilities
• Review third party libraries
• Keep libraries up-to-date -
http://www.versioneye.com/
• Check:
– mailing lists
– boards
– news- and vendor-sites

42.
Redirects and Forwards

43.
Redirects and Forwards
$allowedDomains = array('good.com',
'better.com');
if (!in_array(
$url,
$allowedDomains
)) {
throw new Exception('invalid redirect');
}
$this->_redirectUrl($url);

44.
http://www.lolhome.com/funny-picture-620770644.html

45.
Improper Error Handling

46.
DoS

47.
Security by Obscurity

48.
Insecure File Uploads

49.
Malicious File
Execution

50.
Mail Header Injection

51.
Source Code
Revelation

52.
Hardcoded
Credentials

53.
Clickjacking

54.
Buffer Overflows

55.
XML External Entity

56.
Perfect Pixel Timing

57.
• OWASP Top 10
• CWE/SANS Top 25
• PCI DSS
• Zed Attack Proxy
• Metasploit
• WireShark
• BeEF
http://amzn.to/1vKNLqM

58.
Trust noone!
www.owasp.org security.stackexchange.com
http://www.glittercats.com/image/30189/cute-cats-wallpapers-colorful-wallpaper

59.
Tobias Zander | @airbone42
Questions?

60.
Tobias Zander | @airbone42
Thanks!