Owasp top 10

  1. AVOIDING THE OWASP Top 10 security exploits (Friday, 2 November, 12)
  2. ME: Illustrator turned developer. Team Lead at FreshBooks. Lead developer of CakePHP. PHP developer for 7 years.
  3. SECURITY
  4. SECURITY CONTINUUM (diagram): "unusable" at one end, "unrestricted" at the other.
  5. OWASP: Open Web Application Security Project
  6. OWASP TOP 10
  7. 1: SQL INJECTION   ' OR 1=1 '--
  8. RISKS: Permits query manipulation and arbitrary SQL. Bad guys can rewrite your queries.
  9. SQL INJECTION EXAMPLE
     $username = $_POST['username'];
     $password = $_POST['password'];
     $query = "SELECT * FROM user
               WHERE username = '$username'
               AND password = '$password'";
     $user = $db->query($query);
  10. USER INPUT
      $username = "root";
      $password = "' OR 1 = 1 --";
  11. FINAL QUERY
      $query = "SELECT * FROM user
                WHERE username = 'root'
                AND password = '' OR 1 = 1 --'";
  13. PREVENTION: Use an ORM or database abstraction layer that provides escaping; Doctrine, ZendTable, and CakePHP all do this. Use PDO and prepared statements. Never put user data into a query. Never use regular expressions, magic quotes, or addslashes().
  14. EXAMPLE (PDO)
      $query = "SELECT * FROM user
                WHERE username = ?
                AND password = ?";
      $stmt = $db->prepare($query);
      $stmt->bindValue(1, $username);   // positional placeholders are numbered from 1
      $stmt->bindValue(2, $password);
      $stmt->execute();                 // execute() is a method of the statement, not of $db
      $result = $stmt->fetch();
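As an added example (not the deck's own code): the slides' concatenated query beside the prepared statement, run against an in-memory SQLite database through PDO so the difference is observable. It requires the pdo_sqlite extension, and the stored password is plaintext only to keep the demonstration short.

```php
<?php
// Added example, not the deck's code. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT, password TEXT)');
// Constructed row; plaintext only to keep the demo short (see item 7 for hashing).
$db->exec("INSERT INTO user VALUES ('root', 'correct horse battery staple')");

// Constructed input, exactly as on the USER INPUT slide.
$username = 'root';
$password = "' OR 1 = 1 --";

// Vulnerable: user data is concatenated into the SQL text, so the quote in
// $password closes the string literal and "OR 1 = 1" makes the WHERE clause true.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $query = "SELECT * FROM user
              WHERE username = '$username'
              AND password = '$password'";
    return $db->query($query)->fetch() !== false;
}

// Hardened: the SQL text contains only placeholders; bound values are sent as
// data and never parsed, so the same input is just a password that does not match.
function loginPrepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
    $stmt->bindValue(1, $username);
    $stmt->bindValue(2, $password);
    $stmt->execute();
    return $stmt->fetch() !== false;
}

echo 'concatenated query accepts the injected login: ',
     var_export(loginVulnerable($db, $username, $password), true), "\n";
echo 'prepared statement accepts the injected login: ',
     var_export(loginPrepared($db, $username, $password), true), "\n";
```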
  15. 2: XSS   <script>alert('cross site scripting');</script>
  16. RISKS: Allows bad guys to do things as the person viewing a page. Steal identities, passwords, credit cards, hijack pages and more.
  17. XSS EXAMPLE
      <p>
        <?php echo $user['bio']; ?>
      </p>
  19. You may be thinking, I can use regular expressions to fix this.
  20. NO
  21. PREVENTION: Regular expressions and strip_tags leave you vulnerable. The only solution is output encoding.
  22. EXAMPLE
      <p>
        <?php echo htmlentities(
          $user['bio'],
          ENT_QUOTES,
          'UTF-8'
        ); ?>
      </p>
  23. DANGERS: Manually encoding is error prone, and you will make a mistake. Using a template library like Twig that provides auto-escaping reduces the chances of screwing up. Encoding is dependent on context.
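Added example, not from the deck: one encoder per output context, which is what "encoding is dependent on context" means in practice. The helper names and the sample profile data are my own.

```php
<?php
// Added example, not the deck's code: each helper is safe only for the
// context named in its comment, so the template must pick the right one.

// HTML body text and quoted attribute values: entity-encode <, >, &, " and '.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function encodeHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Data embedded in an inline <script> block: JSON-encode with the HEX flags so
// "</script>" and quote characters cannot terminate the string literal.
function encodeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A value placed in a URL query string: percent-encode it, then HTML-encode
// the whole URL when it lands inside an href attribute (both layers apply).
function encodeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Constructed profile data carrying the payload from the XSS slide.
$user = [
    'bio'  => "<script>alert('cross site scripting');</script>",
    'name' => 'O"Brien',
];

$html = '<p>' . encodeHtml($user['bio']) . '</p>' . "\n"
      . '<input type="text" value="' . encodeHtml($user['name']) . '">' . "\n"
      . '<a href="/search?q=' . encodeHtml(encodeUrlParam($user['bio'])) . '">search</a>' . "\n"
      . '<script>var bio = ' . encodeJs($user['bio']) . ';</script>' . "\n";

echo $html;
```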
  24. 3: BROKEN AUTHENTICATION & SESSION MANAGEMENT   /index.php?PHPSESSID=pwned
  25. RISKS: Identity theft. Firesheep was an excellent example.
  26. SESSION FIXATION EXAMPLE
      <?php
      // Vulnerable: any session id supplied in the URL is adopted as-is, so a
      // session id chosen by someone other than the server is accepted (fixation).
      if (isset($_GET['sessionid'])) {
          session_id($_GET['sessionid']);   // must run before session_start() to take effect
      }
      session_start();
  28. PREVENTION: Rotate session identifiers upon login/logout. Set the HttpOnly flag on session cookies. Use well tested / mature libraries for authentication. SSL is always a good idea.
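Added example (not from the deck) of the PREVENTION points as PHP session configuration plus login and logout handlers. It assumes PHP 7.3+ for the array form of session_set_cookie_params() and setcookie(); the function names are my own.

```php
<?php
// Added example, not the deck's code. Assumes PHP 7.3+.

// Take session ids only from cookies, never from the URL (PHPSESSID=pwned),
// and refuse ids the server did not itself generate.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// HttpOnly keeps the cookie out of reach of script; Secure keeps it off plain
// HTTP, which is what defeats passive sniffing tools such as Firesheep.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Rotate the identifier whenever privilege changes, so an id that was planted
// before login is not the id that becomes authenticated.
function loginUser(int $userId): void
{
    session_regenerate_id(true);        // true: discard the old session data
    $_SESSION = ['user_id' => $userId, 'login_at' => time()];
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
    // Expire the cookie as well; with strict mode a stale id is refused anyway.
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
}
```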
  29. 4: INSECURE DIRECT OBJECT REFERENCE
  30. RISKS: Bad guys can access information they shouldn't. Bad guys can modify data they shouldn't.
  31. BROKEN PASSWORD UPDATE
      <form action="/user/update" method="post">
        <input type="hidden" name="userid" value="4654" />
        <input type="text" name="new_password" />
        <button type="submit">Save</button>
      </form>
  32. PREVENTION: Remember hidden inputs are not really hidden, and can be changed by users. Validate access to all things; don't depend on things being hidden/invisible. If you need to refer to the current user, use session data, not form inputs. Whitelist properties any form can update.
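Added example, not the deck's code: the broken password update from slide 31 rewritten to take identity from the session and to whitelist the properties a form may change. The user table columns and function name are my own; it assumes PHP 7.4+ and pdo_sqlite.

```php
<?php
// Added example, not the deck's code. Assumes PHP 7.4+ and pdo_sqlite.

// The only properties a self-service form is allowed to change.
const USER_UPDATABLE = ['new_password', 'display_name', 'email'];

function updateCurrentUser(PDO $db, array $session, array $post): bool
{
    // Identity comes from the authenticated session, never from a hidden input.
    if (empty($session['user_id'])) {
        throw new RuntimeException('not logged in');
    }
    $userId = (int) $session['user_id'];

    // Whitelist: drop every submitted field not on the allowed list, so a forged
    // "userid" or "is_admin" input is ignored rather than written to the row.
    $fields = array_intersect_key($post, array_flip(USER_UPDATABLE));
    if ($fields === []) {
        return false;
    }
    if (isset($fields['new_password'])) {
        $fields['password_hash'] = password_hash($fields['new_password'], PASSWORD_BCRYPT);
        unset($fields['new_password']);
    }

    // Column names come only from the constant above and values are bound, so
    // no part of the statement is assembled from raw user input.
    $set  = implode(', ', array_map(fn($col) => "$col = :$col", array_keys($fields)));
    $stmt = $db->prepare("UPDATE user SET $set WHERE id = :id");
    foreach ($fields as $col => $value) {
        $stmt->bindValue(":$col", $value);
    }
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed database, session and request: the attacker-controlled userid is
// simply never consulted, and only the logged-in user's own row changes.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT, password_hash TEXT)');
$db->exec("INSERT INTO user (id, email) VALUES (42, 'me@example.com')");
$session = ['user_id' => 42];                       // what the login handler stored
$post    = ['userid' => '4654', 'new_password' => 'hunter2', 'is_admin' => '1'];
var_dump(updateCurrentUser($db, $session, $post));
```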
  33. 5: CROSS SITE REQUEST FORGERY (CSRF)
  34. RISKS: Evil websites can perform actions for users logged into your site. Side effects on GET can be performed via images or CSS files. Remember the Gmail contact hack.
  35. CSRF EXAMPLE (diagram built up over slides 35 to 38, with two boxes labelled "Your app" and "Evil site"): the user logs in to your app, accidentally visits the evil site, and the evil site submits a form for evil to your app.
  39. PREVENTION: Add opaque expiring tokens to all forms. Requests missing tokens or containing invalid tokens should be rejected.
  40. SAMPLE CSRF VALIDATION
      <?php
      if (!$this->validCsrfToken($data, 'csrf')) {
          throw new ForbiddenException();
      }
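Added example (not from the deck) of the opaque, expiring token the PREVENTION slide calls for, with a validCsrfToken() of my own design standing in for the framework method the sample slide invokes; the 30-minute lifetime and single-use behaviour are my choices.

```php
<?php
// Added example, not the deck's code. Token lifetime is my own choice.
const CSRF_LIFETIME = 1800; // seconds a token stays valid

// Generate a fresh random token, remember it server-side with its expiry, and
// return the value the form should carry in a hidden input named $field.
function csrfToken(array &$session, string $field = 'csrf'): string
{
    $token = bin2hex(random_bytes(32));
    $session['_csrf'][$field] = ['token' => $token, 'expires' => time() + CSRF_LIFETIME];
    return $token;
}

// Validate a submitted form: a token must exist, be unexpired and match the
// stored value. hash_equals() compares in constant time so the value cannot be
// recovered byte by byte; the token is cleared whether or not it matched.
function validCsrfToken(array &$session, array $data, string $field = 'csrf'): bool
{
    $stored = $session['_csrf'][$field] ?? null;
    unset($session['_csrf'][$field]);
    if ($stored === null || !is_string($data[$field] ?? null)) {
        return false;
    }
    if ($stored['expires'] < time()) {
        return false;
    }
    return hash_equals($stored['token'], $data[$field]);
}

// Constructed session and requests exercising both paths.
$session   = [];
$formToken = csrfToken($session);                  // rendered into the form
$fromUser  = validCsrfToken($session, ['csrf' => $formToken]);
$fromEvil  = validCsrfToken($session, ['csrf' => str_repeat('a', 64)]); // guessed, and token already consumed
var_dump($fromUser, $fromEvil);
```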
  41. 6: SECURITY MISCONFIGURATION
  42. RISKS: Default settings can be insecure, and intended for development, not production. Attackers can use misconfigured software to gain knowledge and access.
  43. PREVENTION: Know the tools you use, and configure them correctly. Keep up to date on vulnerabilities in the tools you use. Remove/disable any services/features you aren't using.
  44. 7: INSECURE CRYPTOGRAPHIC STORAGE   md5('password')
  45. RISKS: Weak cryptographic storage can easily be cracked. Keys can be exposed with encrypted data. Backups can contain encrypted data & keys. Compromised passwords can be used to obtain information on other sites.
  46. BAD PASSWORD HASHING
      $password;          // stored as plaintext
      md5($password);     // fast and unsalted
      sha1($password);    // fast and unsalted
  48. USE BCRYPT FOR PASSWORDS: only you can prevent bad hashing
  49. PREVENTION: Use strong hashing/encryption. Use one-way hashing for passwords. Never use symmetric encryption for passwords. Don't collect data if you don't need it. Keep keys separate from data. If you're using symmetric encryption, be able to rotate keys easily.
  50. BCRYPT IN PHP
      // password hashing (bcrypt); the salt shown is a placeholder, a real one
      // must be randomly generated for every password
      $hashed = crypt(
          $pass,
          '$2a$10$asdkbisloqi.fidsliz.df190.d9f40');
      // compare later: the stored hash carries its own algorithm, cost and salt
      $hashed = crypt($plaintext, $storedHash);
      // check for match
      $hashed === $storedHash;
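Added example, not from the deck: the same bcrypt flow using the password_* functions available since PHP 5.5, which generate a random salt per hash (the fixed salt on the slide would give every user the same salt) and compare in constant time. Function names are my own.

```php
<?php
// Added example, not the deck's code. Requires PHP 5.5+.

// On registration or password change: store the returned string, never the password.
function hashPassword(string $plaintext): string
{
    // cost 10 matches the "$2a$10$" prefix on the slide; raise it as hardware gets faster
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 10]);
}

// On login: verify against the stored hash and, if that hash was made with a
// lower cost than we now require, rehash while the plaintext is available.
function checkPassword(string $plaintext, string &$storedHash): bool
{
    if (!password_verify($plaintext, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 10])) {
        $storedHash = hashPassword($plaintext); // caller persists the new value
    }
    return true;
}

// Constructed usage: the stored hash embeds algorithm, cost and a random salt,
// so two users with the same password still get different hashes.
$storedHash = hashPassword('correct horse battery staple');
$good = checkPassword('correct horse battery staple', $storedHash);
$bad  = checkPassword('password', $storedHash);
var_dump($storedHash, $good, $bad);
```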
  54. USE MCRYPT
      // encrypt (rijndael)
      $value = mcrypt_encrypt(
          'rijndael-256',
          $secretKey, $ccnumber, 'cbc', $iv
      );
      // decrypt
      $value = mcrypt_decrypt(
          'rijndael-256',
          $secretKey, $encrypted, 'cbc', $iv
      );
      // note: mcrypt was deprecated in PHP 7.1 and removed in PHP 7.2;
      // 'rijndael-256' selects a 256-bit block size and is not AES (which is rijndael-128)
  55. 8: FAILURE TO RESTRICT URL ACCESS
  56. RISK: Hidden things can easily be found. Creative people will eventually find your hidden URLs. Security through obscurity is a terrible idea.
  57. PREVENTION: Check access to all URLs both when you generate links and, more importantly, when handling requests. Don't rely on things staying hidden.
  58. 9: INSUFFICIENT TRANSPORT LAYER PROTECTION
  59. SSL/TLS
  60. 10: UNVALIDATED REDIRECTS & FORWARDS
  61. RISKS: Trusting user input for redirects opens phishing attacks. Breach of trust with your users.
  62. PREVENTION: Don't trust user data when handling redirects.
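Added example (not the deck's code): checking a user-supplied "next" URL before redirecting, allowing only local paths and our own HTTPS origin and falling back to a fixed page otherwise. SITE_HOST and DEFAULT_PATH are my own placeholders.

```php
<?php
// Added example, not the deck's code. Host and fallback are placeholders.
const SITE_HOST    = 'www.example.com';
const DEFAULT_PATH = '/dashboard';

// Return a safe redirect target: a local path, or the path of a URL on our own
// HTTPS host. Other hosts, protocol-relative URLs, non-http schemes and
// unparsable input all fall back to DEFAULT_PATH, so the site never forwards
// a user to a page it does not control.
function safeRedirectTarget(?string $next): string
{
    if ($next === null || $next === '') {
        return DEFAULT_PATH;
    }
    $parts = parse_url($next);
    if ($parts === false) {
        return DEFAULT_PATH;
    }
    // A scheme or host means an absolute URL: only our own HTTPS origin passes.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $sameOrigin = ($parts['scheme'] ?? '') === 'https'
            && strcasecmp($parts['host'] ?? '', SITE_HOST) === 0
            && !isset($parts['user']) && !isset($parts['port']);
        if (!$sameOrigin) {
            return DEFAULT_PATH;
        }
    }
    // Browsers read "//host" and "/\host" as protocol-relative, so the path
    // must start with exactly one forward slash.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/'
        || (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\'))) {
        return DEFAULT_PATH;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;   // always relative: the redirect stays on our site
}

// Constructed inputs: a local path, our own host, and three that must be refused.
$samples = ['/account', 'https://www.example.com/orders?id=7',
            'https://evil.example/login', '//evil.example', 'javascript:alert(1)'];
foreach ($samples as $next) {
    echo $next, ' -> ', safeRedirectTarget($next), "\n";
}
```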
  63. QUESTIONS?
