
OWASP Top 10 2013

A talk given at PHP Conference Argentina in 2013.



  1. AVOIDING THE OWASP Top 10 security exploits. Saturday, 5 October, 13
  2. ME: Illustrator turned developer. PHP developer for 8 years. Architect/Developer at FreshBooks. Lead developer of CakePHP.
  3. SECURITY
  4. SECURITY CONTINUUM: unusable <-----> unrestricted
  5. OWASP: Open Web Application Security Project
  6. OWASP TOP 10
  7. #1 INJECTION: ' OR 1=1 '--
  8. RISKS: Command - permits arbitrary shell commands. SQL - permits query manipulation and arbitrary SQL. Bad guys can run arbitrary code/queries.
  9. SQL INJECTION EXAMPLE: $username = $_POST['username']; $password = $_POST['password']; $query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'"; $user = $db->query($query);
  10. USER INPUT: $username = "root"; $password = "' OR 1 = 1 --";
  11-12. FINAL QUERY: $query = "SELECT * FROM user WHERE username = 'root' AND password = '' OR 1 = 1 --";
  13. PREVENTION: Use an ORM or database abstraction layer that provides escaping; Doctrine, ZendTable and CakePHP all do this. Use PDO and prepared statements. Never interpolate user data into a query. Never use regular expressions, magic quotes or addslashes().
  14. EXAMPLE (PDO): $query = "SELECT * FROM user WHERE username = ? AND password = ?"; $stmt = $db->prepare($query); $stmt->bindValue(1, $username); $stmt->bindValue(2, $password); $stmt->execute(); $result = $stmt->fetch();
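The two login lookups from slides 9 and 14 side by side, as an added example that is not code from the talk: the interpolated query and the prepared statement run against a constructed in-memory SQLite table, fed the slide 10 input, so the difference in behaviour is visible from the command line. The table, user row and password are constructed for the demo.

```php
<?php
// Added example, not from the talk: the vulnerable lookup (string interpolation)
// beside the safe one (prepared statement), run against a constructed SQLite table.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
// Constructed user record (plaintext password only because the slide stores it that way).
$db->exec("INSERT INTO user (username, password) VALUES ('root', 'correct horse battery staple')");

// Slide 9, unchanged: user data becomes part of the SQL text itself.
function findUserInterpolated(PDO $db, string $username, string $password): ?array
{
    $query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Slide 14 with positional placeholders: the values are sent separately from
// the SQL, so a quote character inside them never reaches the SQL parser.
function findUserPrepared(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
    $stmt->bindValue(1, $username);
    $stmt->bindValue(2, $password);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Slide 10's input: the opening quote closes the password literal, "OR 1 = 1"
// makes the WHERE clause true for every row, and "--" comments out the rest.
$username = 'root';
$password = "' OR 1 = 1 --";

if (findUserInterpolated($db, $username, $password) !== null) {
    echo "interpolated query: a row came back, so the login succeeds without the password\n";
}
if (findUserPrepared($db, $username, $password) === null) {
    echo "prepared statement: no row has that literal password, so the login is refused\n";
}
```

Run it with the PHP CLI (`php sqli-demo.php`); it needs only the bundled pdo_sqlite extension. The same contrast holds for MySQL and PostgreSQL drivers, which is why slide 13 says never to interpolate user data into a query.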
  15. COMMAND INJECTION: $file = $_POST['file']; $res = file_get_contents($file); echo $res;
  16. USER INPUT: $f = "../../../../../../etc/passwd";
  17. PREVENTION: Escape and validate input. Check for "..". Check for ";". Ensure the realpath resolves to a file that is allowed.
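One way to implement the slide 17 checks for the file-reading code on slide 15, as an added example that is not the talk's own code: the user-supplied name is resolved with realpath() and must land inside a fixed directory. The directory, the file it contains and the candidate inputs are constructed for the demo; safeReadFile() is a name chosen here.

```php
<?php
// Added example, not from the talk: serve only files that resolve inside one
// allowed directory, refusing traversal, shell metacharacters and NUL bytes.
declare(strict_types=1);

function safeReadFile(string $baseDir, string $userPath): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    // The talk's "check for .." and "check for ;": cheap early rejections.
    // They are not the real defence; the realpath comparison below is.
    if ($userPath === ''
        || strpos($userPath, "\0") !== false
        || strpos($userPath, ';') !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $userPath)) {
        throw new InvalidArgumentException('disallowed characters in path');
    }
    // realpath() collapses "../", duplicate separators and symlinks. It returns
    // false for a file that does not exist, which is treated as a refusal too.
    $full = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($full === false || !is_file($full)) {
        throw new RuntimeException('no such file');
    }
    // The resolved path must begin with the base directory plus a separator,
    // otherwise a symlink or an encoded traversal has escaped the directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path escapes the allowed directory');
    }
    return file_get_contents($full);
}

// Constructed demo: a temporary directory holding one permitted file.
$dir = sys_get_temp_dir() . '/owasp-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/readme.txt', "public content\n");

foreach (['readme.txt', '../../../../../../etc/passwd', 'missing.txt', 'readme.txt;id'] as $candidate) {
    try {
        echo $candidate, ': ', safeReadFile($dir, $candidate);
    } catch (Exception $e) {
        echo $candidate, ': refused (', $e->getMessage(), ")\n";
    }
}

unlink($dir . '/readme.txt');
rmdir($dir);
```

The prefix comparison is what makes the slide's "ensure the realpath resolves to a file that is allowed" concrete: it is done on the canonical path returned by realpath(), not on the string the user sent.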
  18. #2 BROKEN AUTHENTICATION & SESSION MANAGEMENT: /index.php?PHPSESSID=pwned
  19. RISKS: Identity theft. Firesheep was an excellent example.
  20-21. SESSION FIXATION EXAMPLE: <?php if (isset($_GET['sessionid'])) { session_id($_GET['sessionid']); } session_start(); (the id from the query string is installed before the session starts, so whoever chose that id shares the victim's session)
  22. PREVENTION: Rotate session identifiers upon login/logout. Set the HttpOnly flag on session cookies. Use well tested / mature libraries for authentication. SSL is always a good idea.
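The slide 22 measures written out in plain PHP, as an added example rather than code from the talk: session ids are accepted only from cookies, the cookie carries HttpOnly and Secure, and the id is rotated at login and discarded at logout. startHardenedSession(), login(), logout() and the checkCredentials() stand-in are names chosen here; the user record is constructed for the demo. It is meant to run inside a web request.

```php
<?php
// Added example, not from the talk: session handling that resists fixation
// (slide 20-21) and cookie theft (Firesheep, slide 19).
declare(strict_types=1);

function startHardenedSession(): void
{
    // Ignore ids arriving in the URL (?PHPSESSID=pwned): cookies only.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse ids the server never issued instead of adopting them.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS (the talk's "SSL is always a good idea")
        'httponly' => true,     // not readable from script, so XSS cannot simply read it
        'samesite' => 'Lax',    // PHP >= 7.3; also limits cross-site request forgery
    ]);
    session_start();
}

// Stand-in for a real credential check: one constructed user, hashed password.
function checkCredentials(string $username, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

function login(string $username, string $password): bool
{
    if (!checkCredentials($username, $password)) {
        return false;
    }
    // Rotate the identifier: any id an attacker planted before login is now useless.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying server-side state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

startHardenedSession();
if (($_POST['action'] ?? '') === 'login') {
    $ok = login((string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
} elseif (($_POST['action'] ?? '') === 'logout') {
    logout();
}
```

session_regenerate_id(true) is the single most important line for the fixation case: it issues a fresh id and deletes the old session data, so a victim who was handed an attacker-chosen id before logging in ends up in a session the attacker does not know.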
  23. #3 XSS: <script>alert('cross site scripting');</script>
  24. RISKS: Allows bad guys to do things as the person viewing a page. Steal identities, passwords, credit cards, hijack pages and more.
  25-26. XSS EXAMPLE: <p> <?php echo $user['bio']; ?> </p>
  27. I know, I can use regular expressions!
  28. NO
  29. PREVENTION: Regular expressions and strip_tags leave you vulnerable. The only robust solution is output encoding.
  30. EXAMPLE: <p> <?php echo htmlentities($user['bio'], ENT_QUOTES, 'UTF-8'); ?> </p>
  31. DANGERS: Manually encoding is error prone, and you will make a mistake. Using a template library like Twig that provides auto-escaping reduces the chances of screwing up. Encoding is dependent on context.
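What "encoding is dependent on context" (slide 31) looks like in code, as an added example that is not from the talk: one encoder per output context, applied to the slide 23 payload. The helper names (eHtml, eJs, eUrlParam, eHref) and the hostile bio are constructed for the demo.

```php
<?php
// Added example, not from the talk: context-specific output encoding. The
// htmlentities() call from slide 30 is right for HTML text, but a value that
// lands inside a script block or a URL needs a different encoder.
declare(strict_types=1);

// HTML body text and quoted attribute values: & < > " ' become entities.
function eHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value embedded in a <script> block: emit it as a JS string literal, with
// < > & ' " hex-escaped so "</script>" cannot close the block early.
function eJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A value used as one query-string parameter.
function eUrlParam(string $s): string
{
    return rawurlencode($s);
}

// A whole URL placed in href/src: allow only http(s) absolute URLs, then
// attribute-encode. (Relative links would need their own rule; they are
// rejected here to keep the example small.)
function eHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return eHtml($url);
}

// Constructed hostile input, as on slide 23, plus a javascript: URL.
$bio  = "<script>alert('cross site scripting');</script>";
$site = 'javascript:alert(1)';

echo '<p>', eHtml($bio), "</p>\n";                              // HTML text
echo '<input value="', eHtml($bio), "\">\n";                    // quoted attribute
echo '<script>var bio = ', eJs($bio), ";</script>\n";           // inside script
echo '<a href="/search?q=', eUrlParam($bio), "\">search</a>\n"; // query parameter
echo '<a href="', eHref($site), "\">site</a>\n";                // URL attribute
```

Running this prints five lines of markup in which the payload is inert in every position. Note that eHtml() alone would not have saved the script-block case (the encoded text is still a valid string break inside JavaScript quoting rules), which is the mistake slide 31 warns about and the reason auto-escaping template engines pick the encoder per context.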
  32. #4 INSECURE DIRECT OBJECT REFERENCE
  33. RISKS: Bad guys can access information they shouldn't. Bad guys can modify data they shouldn't.
  34. BROKEN PASSWORD UPDATE: <form action="/user/update" method="post"> <input type="hidden" name="userid" value="4654" /> <input type="text" name="new_password" /> <button type="submit">Save</button> </form>
  35. PREVENTION: Remember hidden inputs are not really hidden, and can be changed by users. Validate access to all things; don't depend on things being hidden/invisible. If you need to refer to the current user, use session data, not form inputs. Whitelist the properties any form can update.
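A handler for the slide 34 form that follows slide 35, as an added example rather than the talk's code: the user id comes from the session, and only whitelisted properties are written. updateProfile(), UPDATABLE_FIELDS and the $save callback are names chosen here; the session and POST arrays are constructed to show a tampered hidden field.

```php
<?php
// Added example, not from the talk: identity from the session, whitelisted
// fields only, so a tampered hidden "userid" or an extra "is_admin" is ignored.
declare(strict_types=1);

const UPDATABLE_FIELDS = ['new_password', 'display_name'];  // the whitelist

function updateProfile(array $session, array $post, callable $save): array
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('not logged in');   // respond 401 in a real app
    }
    // The current user is whoever the server-side session says, never the form.
    $userId = (int) $session['user_id'];

    // Keep only whitelisted keys; anything else (userid, is_admin, ...) is dropped.
    $changes = array_intersect_key($post, array_flip(UPDATABLE_FIELDS));
    if (isset($changes['new_password'])) {
        $changes['password_hash'] = password_hash((string) $changes['new_password'], PASSWORD_DEFAULT);
        unset($changes['new_password']);
    }

    $save($userId, $changes);
    return ['user_id' => $userId, 'fields' => array_keys($changes)];
}

// Constructed request: a logged-in user 17 edited the hidden field to 4654
// and added an is_admin flag.
$session = ['user_id' => 17];
$post    = ['userid' => '4654', 'new_password' => 'hunter2', 'is_admin' => '1'];

$written = [];
$result = updateProfile($session, $post, function (int $id, array $fields) use (&$written): void {
    $written[$id] = $fields;   // stand-in for "UPDATE user SET ... WHERE id = ?"
});

echo "updated user: {$result['user_id']}\n";            // the session's user, not 4654
echo 'fields written: ', implode(', ', $result['fields']), "\n";  // password_hash only
```

The same pattern covers the "validate access to all things" point for records other than the current user: look the record up, compare its owner to the session's user id, and refuse before touching it.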
  36. #5 SECURITY MISCONFIGURATION
  37. RISKS: Default settings can be insecure, and intended for development, not production. Attackers can use misconfigured software to gain knowledge and access.
  38. PREVENTION: Know the tools you use, and configure them correctly. Keep up to date on vulnerabilities in the tools you use. Remove/disable any services/features you aren't using.
  39. #6 SENSITIVE DATA EXPOSURE: 4012 8888 8888 1881
  40. RISKS: Bad guys get credit cards, personal identification, passwords or health records. Your company could be fined or worse.
  41. ASSESSING RISK: Do you have sensitive data? Is it in plaintext? Any old/bad crypto in use? Missing SSL? Who can access sensitive data?
  42. #7 MISSING FUNCTION LEVEL ACCESS CONTROL
  43. RISKS: Anyone on the internet can request things. Missing access control could mean bad guys can do things they shouldn't be able to.
  44. PREVENTION: No simple solutions, sadly. Good automated tests help.
  45. #8 CROSS SITE REQUEST FORGERY (CSRF)
  46. RISKS: Evil websites can perform actions for users logged into your site. Side effects on GET can be performed via images or CSS files. Remember the Gmail contact hack.
  47-50. CSRF EXAMPLE (diagram built up over four slides; Your app / Evil site): 1) Login to your app. 2) Accidentally visit the evil site. 3) The evil site submits a form to your app for evil.
  51. PREVENTION: Add opaque expiring tokens to all forms. Requests missing tokens or containing invalid tokens should be rejected.
  52. SAMPLE CSRF VALIDATION: <?php if (!$this->validCsrfToken($data, 'csrf')) { throw new ForbiddenException(); }
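The token scheme slide 51 asks for, written out as an added example rather than the CakePHP helper shown on slide 52: tokens are random, stored server-side with an expiry, checked with a constant-time comparison, and consumed on first use. csrfIssue(), csrfValidate(), handleUpdate() and CSRF_TTL are names chosen here; the session is a plain array so the script runs from the CLI (in an application it would be $_SESSION).

```php
<?php
// Added example, not from the talk: opaque, expiring, single-use CSRF tokens.
declare(strict_types=1);

const CSRF_TTL = 3600;   // seconds a token stays valid after the form is rendered

// Called when a form is rendered; the returned value goes in a hidden input.
function csrfIssue(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // opaque: random, carries no meaning
    $session['csrf'][] = ['token' => $token, 'expires' => time() + CSRF_TTL];
    return $token;
}

// Called on the POST. Missing, unknown, replayed and expired tokens all fail.
function csrfValidate(array &$session, array $data, string $field = 'csrf'): bool
{
    $submitted = $data[$field] ?? null;
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    foreach ($session['csrf'] ?? [] as $i => $entry) {
        if (hash_equals($entry['token'], $submitted)) {   // constant-time compare
            unset($session['csrf'][$i]);                  // single use: a replay fails
            return time() <= $entry['expires'];           // expired tokens are rejected
        }
    }
    return false;
}

// The slide 52 check in this setting: reject before doing anything with $post.
function handleUpdate(array &$session, array $post): string
{
    if (!csrfValidate($session, $post, 'csrf')) {
        return '403 Forbidden';
    }
    return '200 OK (email updated)';
}

// Constructed demo: render a form, then replay the three request kinds.
$session  = [];
$formHtml = '<input type="hidden" name="csrf" value="' . csrfIssue($session) . '">';
preg_match('/value="([0-9a-f]{64})"/', $formHtml, $m);

$genuine = ['csrf' => $m[1], 'email' => 'alice@example.com'];
echo 'genuine form:   ', handleUpdate($session, $genuine), "\n";
echo 'forged request: ', handleUpdate($session, ['email' => 'attacker@example.com']), "\n";
echo 'replayed token: ', handleUpdate($session, $genuine), "\n";
```

A cross-site page cannot read the token out of your form, so it cannot supply a valid one; that is the whole mechanism. Pair it with slide 46's rule that GET requests must have no side effects, since an image or CSS URL carries no form and therefore no token.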
  53. #9 USING COMPONENTS WITH KNOWN VULNERABILITIES: CVE bingo
  54. RISK: Using old, busted software can expose you to documented issues. CVE databases are filled with version numbers and matching exploits.
  55. PREVENTION: Do routine upgrades. Keep up to date with all your software. Read mailing lists and keep an eye out for security releases.
  56. PREVENTION: There are several vulnerability databases around, e.g. https://cve.mitre.org/cve/
  57. #10 UNVALIDATED REDIRECTS & FORWARDS
  58. RISKS: Trusting user input for redirects opens phishing attacks. Breach of trust with your users.
  59. PREVENTION: Don't trust user data when handling redirects.
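One way to apply slide 59 to a "next" parameter, as an added example that is not from the talk: only a path local to the site is honoured and everything else falls back to a fixed default. safeRedirectTarget() is a name chosen here and the candidate inputs are constructed for the demo.

```php
<?php
// Added example, not from the talk: accept only same-site paths as redirect targets.
declare(strict_types=1);

function safeRedirectTarget(?string $next, string $default = '/'): string
{
    if ($next === null || $next === '') {
        return $default;
    }
    // Must start with exactly one "/": "//evil.example" is protocol-relative
    // and "/\evil.example" is treated the same way by some browsers.
    if ($next[0] !== '/' || (isset($next[1]) && ($next[1] === '/' || $next[1] === '\\'))) {
        return $default;
    }
    // No scheme or host may be present, and no control characters (which
    // would otherwise allow header injection through Location:).
    $parts = parse_url($next);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || preg_match('/[\x00-\x1f\x7f]/', $next)) {
        return $default;
    }
    return $next;
}

// Constructed candidates: two legitimate local paths and several hostile ones.
$candidates = [
    '/account',
    '/account?tab=billing',
    'https://evil.example/login',
    '//evil.example',
    '/\\evil.example',
    'javascript:alert(1)',
    "/ok\r\nSet-Cookie: x=1",
];
foreach ($candidates as $candidate) {
    printf("%-32s -> %s\n", addcslashes($candidate, "\r\n"), safeRedirectTarget($candidate));
}

// In a request handler:
// header('Location: ' . safeRedirectTarget($_GET['next'] ?? null));
```

An allowlist of full URLs (or of hostnames) is the alternative when redirects to other sites are genuinely needed; either way the decision is made against a fixed list, not against whatever arrived in the query string.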
  60. THANK YOU
