Even the simplest web application has so many vectors of attack, it's no wonder most people forget at least one. Web applications aren't stand-alone; they are built upon frameworks, upon platforms, upon core libraries, each of which could suffer from vulnerabilities you're not only unaware of, you're statistically unlikely to discover them all. Consider, for example, the recent OpenSSL "Heartbleed" Bug. We hear about security vulnerabilities every week, now it's time to experience them. Find out what the leading concerns are, and the not so common ones too, and experience live demonstrations of how these attacks play out. This presentation aims to arm you with the mindset, tools and resources to minimise the opportunities for attack, and the reduce the fallout when they succeed. From cross-site scripting and session hijacking to brute force and man-in-the-middle attacks, you're expected to cover all your bases so the bad guys can't use a single one.

1. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Web Application SecurityWeb Application Security
Winning When The Odds Are Against YouWinning When The Odds Are Against You
NewZealandPHPConference2014
Ben DechraiBen Dechrai
@bendechrai@bendechrai
#webappsec #phpnz14#webappsec #phpnz14 https://joind.in/talk/view/11435https://joind.in/talk/view/11435

2. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
What Is WebWhat Is Web
Application Security?Application Security?

3. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You

4. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
What's Applicable to PHP
Developers?

5. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You

6. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Where to Start?

7. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You

8. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Top Ten Cheat Sheet
Injection Cross Site Scripting
Weak authentication
& session management
Insecure Direct
Object Reference
Cross Site
Request Forgery
Security
Misconfiguration
Insufficient
Cryptographic Storage
Failure to Restrict
URL access
Insufficient Transport
Layer Protection
Unvalidated Redirects
and Forwards

9. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Top Ten Cheat Sheet
Injection Cross Site Scripting
Weak authentication
& session management
Insecure Direct
Object Reference
Cross Site
Request Forgery
Security
Misconfiguration
Insufficient
Cryptographic Storage
Failure to Restrict
URL access
Insufficient Transport
Layer Protection
Unvalidated Redirects
and Forwards

10. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
DemoDemo

11. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
What AreWhat Are
The Odds?The Odds?

12. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Solutions?

13. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Think like PHP...

14. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Not in PHP...

15. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Think LIKE PHP...

16. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
HTTP
GET /index.html
<html>..</html>
GET /css/styles.css
GET /js/script.js
GET /images/logo.jpg
body { ... }
$(document).ready(...)
data:image/jpg;base64,/9j/4AAQSkZJRgA...

17. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
HTTP
GET /index.php
<html>..</html>
PHP process
PHP returns
POST /login.php
PHP process
PHP returns<html>..</html>

18. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
HTTP
POST /images.php/logo.jpg
<html>..</html>
PHP process
PHP returns
POST /images/logo.jpg
PHP process
PHP returns<html>..</html>
URL rewriting means anything
can be passed to PHP

19. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Cross-Site Request Forgeries
visage.cto.to
POST /login
<html>..</html>
PHP process
PHP returns
POST /checkout PHP process
PHP returns<html>..</html>
POST /address/edit
{401}
POST /address/edit
{ 200 }
evil.com
POST /payment
<html>..</html>
PHP process
PHP returns
GET /confirmation PHP process
PHP returns<html>..</html>
PHP process
PHP returns
PHP process
PHP returns

20. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
PHP Ain't Clever
(hint, not many programming languages are!)
Data Data
Database
User Input
Files
Other sites via API
DatabaseBrowser Response
Other systemsSending emails

21. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
PHP Environment
● 1 page load = 1 PHP process
● Web server passes whole request to the PHP
process
● When a script ends, all data are lost

22. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Piecing Data
Together
$_GET $_POST
$_COOKIE $_FILES
$_REQUEST

23. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Request Basics
● $_REQUEST variables can come from
Environment, Post, Get, Cookie or Session
variables!
● Don't use them, specify the source
● Even then, don't trust $_POST, et al
● Consider all data harmful

24. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Whitelist All Incoming Data
● Treat all data as untrusted
● Only if it passed a whitelist, let it through
● Look for odd data entry points
– Did you know the filename of an uploaded
file is user generated input?
● Email addresses have fixed validation rules

25. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Whitelist All Incoming Data
(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*
| "(?:[x01-x08x0bx0cx0e-x1fx21x23-x5bx5d-x7f]
| [x01-x09x0bx0cx0e-x7f])*")
@ (?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
| [(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}
(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:
(?:[x01-x08x0bx0cx0e-x1fx21-x5ax53-x7f]
| [x01-x09x0bx0cx0e-x7f])+)
])

26. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Whitelist All Incoming Data
Some people, when confronted
with a problem, think, “I know, I’ll
use regular expressions.”
Now they have two problems.
— Jamie Zawinksi

27. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Whitelist All Incoming Data
filter_var($email, FILTER_VALIDATE_EMAIL);
(Or just send them an email)

28. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Whitelist All Incoming Data
● Names are a big topic
(see http://is.gd/validating_names)
● Who decides if a name is valid?
– Josè Smith
– La amonȝ
– Þórinn Eikinskjaldi
– Πηληϊάδεω χιλ οςἈ ῆ
– Federico del Sagrado Corazón de Jesús García
Lorca

29. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Encode on Output
● Avoid encoding for storage
● Keep valid user input intact
● Encode when used in an output stream
– HTML encode for screen
– URL encode for querystrings
– Escape for CSV output
● By keeping the original data, you can repurpose
for many outputs

30. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Encode on Output
User Generated
Content
User Generated
Content
Sanitize
HTML EMAIL
Sanitize
XML/JSON/CSV
Sanitize
UNKNOWN
FUTURE APP
Sanitize

31. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Encode on Output
filter_var($comment,
FILTER_SANITIZE_FULL_SPECIAL_CHARS);

32. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Cross-Site Request Forgeries
Tokens
Username
Password
Token
SUBMIT
ABC123
ABC123

33. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Cross-Site Request Forgeries
Referrers can be
easily forged;
don't rely on them

34. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Credits
● Security Camera image by Henning Mühlinghaus
● Conception image by Lynn (Gracie's mom)
● Piecing Data by José Manuel Ríos Valiente
References
● OWASP Top 10 Cheat Sheet

35. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Thank You!Thank You!
Questions?Questions?
Ben DechraiBen Dechrai
@bendechrai@bendechrai
NewZealandPHPConference2014