
Introduction to Web security


My presentation @ PHPConf Asia 2016

Published in: Software


  1. Introduction to Web Security
  2. What is Web Security? Why Web Security?
  3. Top 10 PHP application vulnerabilities 2016
  4. Information Leakage (app environment, user-specific data)
     • Restrict PHP information leakage
     • Configuration files
       – Configuration files should be in PHP, not .ini, XML, etc.
       – Secure app config variables by storing them on the server
     • Separate your backup files from the root directory
     Response headers shown on the slide (note the version in X-Powered-By):
       HTTP/1.x 200 OK
       Date: Sun, 21 Aug 2016 16:08:15 GMT
       Server: Apache
       X-Powered-By: PHP/5.5.26
       ...
  5. Man-in-the-Middle Attack (diagram of two parties, A and B)
  6. SSL: How does HTTPS work? (diagram of a user accessing a secure site; step labels as shown)
     – Requesting a secure SSL connection from the website host
     – Website records found
     – Going to the host web server
     – Check DNS for the IP address to find the web host
     – Host responds with a valid SSL certificate
     – Secure connection is established to transfer data
  7. Injection Attacks
     • Cross Site Scripting (XSS)
     • SQL Injection
     • Code Injection
     • Command Injection
     • Log Injection
     • XML Injection
  8. SQL Truncation Exploit: compromise user login
     • SELECT * FROM user WHERE username='admin '
     • Username = 'admin x'
     • Application flow:
         $userdata = null;
         if (isPasswordCorrect($username, $password)) {
             $userdata = getUserDataByLogin($username);
             ...
         }
       Queries behind those two calls:
         SELECT username FROM users WHERE username = ? AND passhash = ?
         SELECT * FROM users WHERE username = ?
     Solution:
       – MySQL strict mode
       – Unique constraint on the column
  9. But what if you find you have been hacked?
     • Don't panic
     • Check logs (error / access)
     • Check suspicious file names
     • Check cron jobs
     • Search source code for keywords like: eval, base64_decode, wget, curl
     • Take a DB backup and search it for keywords like "iframe", "script", ...
     • Prepare yourself to reinstall your entire server
  10. How to Prevent
     • Check OWASP
     • Use a STRONG password hash
     • Error reporting
       – Production: OFF
       – Development / other: ON
     • Stay up-to-date
       – Framework
       – OS
       – 3rd-party libraries
       – Read about new threats and best-practice changes
     • Try to run a vulnerability scanner
  11. Thank You – https://www.linkedin.com/in/jeyaselvi – @jeyaselvir
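The SQL truncation scenario from slide 8, worked through as an added example (not code from the talk): a small in-memory stand-in for a MySQL VARCHAR(16) username column, with strict mode and a UNIQUE index as switches, showing why the slide's login flow (check the password, then re-fetch the user by name only) returns the wrong row when the column silently truncates, and how either of the slide's two fixes stops it. The column width, the sample usernames and the hash strings are constructed for the demo.

```python
# Added illustration, not from the slides: in-memory stand-in for a MySQL VARCHAR(16) column.
class StrictModeError(ValueError): pass  # strict mode: 'Data too long for column'
class UniqueViolation(ValueError): pass  # UNIQUE index or app-level check: duplicate name

def key(value):
    # PAD SPACE collations ignore trailing spaces when comparing: 'admin' = 'admin   '
    return value.rstrip(" ")

class UserTable:
    def __init__(self, width=16, strict=False, unique=False):
        self.width, self.strict, self.unique = width, strict, unique
        self.rows = []  # (username, passhash) in insertion order

    def insert(self, username, passhash):
        if len(username) > self.width:
            if self.strict:
                raise StrictModeError("Data too long for column 'username'")
            username = username[: self.width]  # non-strict mode: silent truncation
        if self.unique and any(key(u) == key(username) for u, _ in self.rows):
            raise UniqueViolation("Duplicate entry for key 'username'")
        self.rows.append((username, passhash))

    def select_by_login(self, username):
        # SELECT * FROM users WHERE username = ?   (first matching row wins)
        return next(((u, p) for u, p in self.rows if key(u) == key(username)), None)

    def password_correct(self, username, passhash):
        # SELECT username FROM users WHERE username = ? AND passhash = ?
        return any(key(u) == key(username) and p == passhash for u, p in self.rows)

def register(table, username, passhash):
    """Application-level duplicate check: it compares the untruncated name, so it passes."""
    if table.select_by_login(username) is not None:
        raise UniqueViolation("username already taken")
    table.insert(username, passhash)

def login(table, username, passhash):
    """The slide's flow: verify the password, then re-fetch the user by name only."""
    return table.select_by_login(username) if table.password_correct(username, passhash) else None

def demo(strict=False, unique=False):
    """Outcome when a second account is registered as 'admin' padded past the column width."""
    table = UserTable(width=16, strict=strict, unique=unique)
    table.insert("admin", "hash-of-real-admin-pw")  # constructed sample row
    padded = "admin" + " " * 11 + "x"  # 17 chars: one more than the column holds
    try:
        register(table, padded, "hash-of-attacker-pw")
    except (StrictModeError, UniqueViolation) as exc:
        return f"rejected: {exc}"
    user = login(table, "admin", "hash-of-attacker-pw")  # second user signs in as 'admin'
    return "compromised" if user == ("admin", "hash-of-real-admin-pw") else "safe"
```

With both switches off, `demo()` reports "compromised": the padded name survives the app-level check, is stored truncated to "admin" plus spaces, and the name-only re-fetch then returns the original admin's row; strict mode rejects the insert outright and the UNIQUE index rejects the truncated duplicate.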
