Successfully reported this slideshow.

Owasp top 10

8

Share

Nov. 02, 2012
8 likes 12,921 views
Upcoming SlideShare
PHP WTF
PHP WTF
Loading in …3
×
1 of 63
1 of 63

Owasp top 10

Nov. 02, 2012
8 likes 12,921 views

8

Share

Download to read offline

Technology
Technology

Recommended

More Related Content

Similar to Owasp top 10

Php My Sql Security 2007
Aung Khant
Sql injection
Mehul Boghra
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
Top 10 Security Vulnerabilities (2006)
Susam Pal
Website Security
MODxpo
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
OWASP Top 10 (2010 release candidate 1)
Jeremiah Grossman
Let's talk Security
Dheeraj Joshi
Hackers versus Developers and Secure Web Programming
Akash Mahajan
Secure Software Engineering
Rohitha Liyanagama
Web Application Security with PHP
jikbal
Spa Secure Coding Guide
Geoffrey Vandiest
The top 10 security issues in web applications
Devnology
ieee
Radheshyam Dhakad
OWASP Top 10
Arthur Shvetsov
Cross Site Scripting ( XSS)
Amit Tyagi
Web security and OWASP
Isuru Samaraweera
Secure coding presentation Oct 3 2020
Moataz Kamel
Oh, WASP! Security Essentials for Web Apps
TechWell
WordPress Security Best Practices
Jason Yingling

More from markstory

Dependency injection in CakePHP
markstory
Safer, More Helpful CakePHP
markstory
CakePHP - The Road Ahead
markstory
Future of HTTP in CakePHP
markstory
CakePHP mistakes made 2015
markstory
New in cakephp3
markstory
CakePHP 3.0 and beyond
markstory
CakePHP mistakes made confoo 2015
markstory
CakePHP mistakes made
markstory
Performance and optimization CakeFest 2014
markstory
Road to CakePHP 3.0
markstory
Performance and optimization
markstory
CakePHP the yum & yuck
markstory
Simple search with elastic search
markstory
Making the most of 2.2
markstory
Intro to continuous integration
markstory
Evented applications with RabbitMQ and CakePHP
markstory
Ch ch-changes cake php2
markstory
PHPunit and you
markstory
Win at life with unit testing
markstory

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
The Victorian Internet: The Remarkable Story of the Telegraph and the Nineteenth Century's On-line Pioneers Tom Standage
(3.5/5)
Free
Uncommon Carriers John McPhee
(3.5/5)
Free
Understanding Media: The Extensions of Man Marshall McLuhan
(4/5)
Free
The Art of War Sun Tsu
(3/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free

Owasp top 10

  1. AVOIDING THE OWASP Top 10 security exploits Friday, 2 November, 12
  2. ME Illustrator turned developer Team Lead at FreshBooks Lead developer of CakePHP PHP developer for 7 years Friday, 2 November, 12
  3. SECURITY Friday, 2 November, 12
  4. SECURITY CONTINUUM ( unusable ) unrestricted Friday, 2 November, 12
  5. OWASP Open Web Application Security Project Friday, 2 November, 12
  6. OWASP TOP 10 Friday, 2 November, 12
  7. 1 Friday, 2 November, 12 SQL INJECTION ‘ OR 1=1 ‘--
  8. RISKS Permits query manipulation, and arbitrary SQL. Bad guys can re-write your queries. Friday, 2 November, 12
  9. SQL INJECTION EXAMPLE $username = $_POST[‘username’]; $password = $_POST[‘password’]; $query = “SELECT * FROM user WHERE username = ‘$username’ AND password = ‘$password’”; $user = $db->query($query); Friday, 2 November, 12
  10. USER INPUT $username = “root”; $password = “‘ OR 1 = 1 --”; Friday, 2 November, 12
  11. FINAL QUERY $query = “SELECT * FROM user WHERE username = ‘root’ AND password = ‘‘ OR 1 = 1 --’”; Friday, 2 November, 12
  12. FINAL QUERY $query = “SELECT * FROM user WHERE username = ‘root’ AND password = ‘‘ OR 1 = 1 --’”; Friday, 2 November, 12
  13. PREVENTION Use an ORM or Database abstraction layer that provides escaping. Doctrine, ZendTable, and CakePHP all do this. Use PDO and prepared statements. Never put user data into a query. Never use regular expressions, magic quotes, or addslashes() Friday, 2 November, 12
  14. EXAMPLE (PDO) $query = “SELECT * FROM user WHERE username = ? AND password = ?”; $stmt = $db->prepare($query); $stmt->bindValue($username); $stmt->bindValue($password); $result = $db->execute(); Friday, 2 November, 12
  15. 2 Friday, 2 November, 12 XSS <script>alert(‘cross site scripting’);</script>
  16. RISKS Allows bad guys to do things as the person viewing a page. Steal identities, passwords, credit cards, hijack pages and more. Friday, 2 November, 12
  17. XSS EXAMPLE <p> <?php echo $user[‘bio’]; ?> </p> Friday, 2 November, 12
  18. XSS EXAMPLE <p> <?php echo $user[‘bio’]; ?> </p> Friday, 2 November, 12
  19. You may be thinking, I can use regular expressions to fix this. Friday, 2 November, 12
  20. NO Friday, 2 November, 12
  21. PREVENTION Regular expressions and strip_tags leave you vulnerable. The only solution is output encoding. Friday, 2 November, 12
  22. EXAMPLE <p> <?php echo htmlentities( $user[‘bio’], ENT_QUOTES, ‘UTF-8’ ); ?> </p> Friday, 2 November, 12
  23. DANGERS Manually encoding is error prone, and you will make a mistake. Using a template library like Twig that provides auto- escaping reduces the chances of screwing up. Encoding is dependent on context. Friday, 2 November, 12
  24. 3 BROKEN AUTHENTICATION & SESSION MANAGEMENT Friday, 2 November, 12 /index.php?PHPSESSID=pwned
  25. RISKS Identity theft. Firesheep was an excellent example. Friday, 2 November, 12
  26. SESSION FIXATION EXAMPLE <?php session_start(); if (isset($_GET[‘sessionid’]) { session_id($_GET[‘sessionid’]); } Friday, 2 November, 12
  27. SESSION FIXATION EXAMPLE <?php session_start(); if (isset($_GET[‘sessionid’]) { session_id($_GET[‘sessionid’]); } Friday, 2 November, 12
  28. PREVENTION Rotate session identifiers upon login/logout Set the HttpOnly flag on session cookies. Use well tested / mature libraries for authentication. SSL is always a good idea. Friday, 2 November, 12
  29. 4 INSECURE DIRECT OBJECT Friday, 2 November, 12 REFERENCE
  30. RISKS Bad guys can access information they shouldn’t Bad guys can modify data they shouldn’t. Friday, 2 November, 12
  31. BROKEN PASSWORD UPDATE <form action=”/user/update” method=”post”> <input type=”hidden” name=”userid” value=”4654” /> <input type=”text” name=”new_password” /> <button type=”submit”>Save</button> </form> Friday, 2 November, 12
  32. PREVENTION Remember hidden inputs are not really hidden, and can be changed by users. Validate access to all things, don’t depend on things being hidden/invisible. If you need to refer to the current user, use session data not form inputs. Whitelist properties any form can update. Friday, 2 November, 12
  33. 5 Friday, 2 November, 12 CROSS SITE REQUEST FORGERY (CSRF)
  34. RISKS Evil websites can perform actions for users logged into your site. Side effects on GET can be performed via images or CSS files. Remember the Gmail contact hack. Friday, 2 November, 12
  35. CSRF EXAMPLE Your app Evil site Friday, 2 November, 12
  36. CSRF EXAMPLE Your app Evil site Login Friday, 2 November, 12
  37. CSRF EXAMPLE Your app Evil site Login Accidentally visit Friday, 2 November, 12
  38. CSRF EXAMPLE Your app Submit form for evil Evil site Login Accidentally visit Friday, 2 November, 12
  39. PREVENTION Add opaque expiring tokens to all forms. Requests missing tokens or containing invalid tokens should be rejected. Friday, 2 November, 12
  40. SAMPLE CSRF VALIDATION <?php if (!$this->validCsrfToken($data, ‘csrf’)) { throw new ForbiddenException(); } Friday, 2 November, 12
  41. 6 Friday, 2 November, 12 SECURITY MISCONFIGURATION
  42. RISKS Default settings can be insecure, and intended for development not production. Attackers can use misconfigured software to gain knowledge and access. Friday, 2 November, 12
  43. PREVENTION Know the tools you use, and configure them correctly. Keep up to date on vulnerabilities in the tools you use. Remove/disable any services/features you aren’t using. Friday, 2 November, 12
  44. 7 INSECURE CRYPTOGRAPHIC Friday, 2 November, 12 STORAGE md5(‘password’)
  45. RISKS Weak cryptographic storage can easily be cracked. Keys can be exposed with encrypted data. Backups can contain encrypted data & keys. Compromised passwords can be used to obtain information on other sites. Friday, 2 November, 12
  46. BAD PASSWORD HASHING $password; md5($password); sha1($password); Friday, 2 November, 12
  47. BAD PASSWORD HASHING $password; md5($password); sha1($password); Friday, 2 November, 12
  48. USE BCRYPT FOR PASSWORDS only you can prevent bad hashing Friday, 2 November, 12
  49. PREVENTION Use strong hashing/encryption. Use one way hashing for passwords. Never use symmetric encryption for passwords. Don’t collect data if you don’t need it. Keep keys separate from data. If you’re using symmetric encryption, be able to rotate keys easily. Friday, 2 November, 12
  50. BCRYPT IN PHP // password hashing (bcrypt) $hashed = crypt( $pass, ‘$2a$10$asdkbisloqi.fidsliz.df190.d9f40’); // compare later $hashed = crypt($plaintext, $storedHash); // check for match $hashed === $storedHash Friday, 2 November, 12
  51. BCRYPT IN PHP // password hashing (bcrypt) $hashed = crypt( $pass, ‘$2a$10$asdkbisloqi.fidsliz.df190.d9f40’); // compare later $hashed = crypt($plaintext, $storedHash); // check for match $hashed === $storedHash Friday, 2 November, 12
  52. BCRYPT IN PHP // password hashing (bcrypt) $hashed = crypt( $pass, ‘$2a$10$asdkbisloqi.fidsliz.df190.d9f40’); // compare later $hashed = crypt($plaintext, $storedHash); // check for match $hashed === $storedHash Friday, 2 November, 12
  53. BCRYPT IN PHP // password hashing (bcrypt) $hashed = crypt( $pass, ‘$2a$10$asdkbisloqi.fidsliz.df190.d9f40’); // compare later $hashed = crypt($plaintext, $storedHash); // check for match $hashed === $storedHash Friday, 2 November, 12
  54. USE MCRYPT // encrypt (rijndael) $value = mcrypt_encrypt( ‘rijndael-256’, $secretKey, $ccnumber,‘cbc’, $iv ); // decrypt $value = mcrypt_decrypt( ‘rijndael-256’, $secretKey, $encrypted,‘cbc’, $iv ); Friday, 2 November, 12
  55. 8 FAILURE TO RESTRICT URL Friday, 2 November, 12 ACCESS
  56. RISK Hidden things can easily be found. Creative people will eventually find your hidden URLs Security through obscurity is a terrible idea. Friday, 2 November, 12
  57. PREVENTION Check access to all urls both when you generate links and more importantly when handling requests. Don’t rely on things staying hidden. Friday, 2 November, 12
  58. 9 INSUFFICIENT TRANSPORT Friday, 2 November, 12 LAYER PROTECTION
  59. SSL/TLS Friday, 2 November, 12
  60. 10 UNVALIDATED REDIRECTS & Friday, 2 November, 12 FORWARDS
  61. RISKS Trusting user input for redirects opens phishing attacks. Breach of trust with your users. Friday, 2 November, 12
  62. PREVENTION Don’t trust user data when handling redirects. Friday, 2 November, 12
  63. QUESTIONS? Friday, 2 November, 12

×