AVOIDING THE OWASP
                             Top 10 security exploits




Friday, 2 November, 12
ME


                  Illustrator turned developer

                  Team Lead at FreshBooks

                  Lead developer of CakePHP

                  PHP developer for 7 years



SECURITY




SECURITY CONTINUUM

               ( unusable  <------------------>  unrestricted )

OWASP
                         Open Web Application Security Project




OWASP TOP 10




1  SQL INJECTION
                           ' OR 1=1 --
RISKS

                  Permits query manipulation and execution of arbitrary SQL.

                  Bad guys can re-write your queries.

SQL INJECTION EXAMPLE

               $username = $_POST['username'];
               $password = $_POST['password'];

               // request values pasted straight into the SQL text
               $query = "SELECT * FROM user
                  WHERE username = '$username'
                  AND password = '$password'";

               $user = $db->query($query);

USER INPUT

      $username = "root";
      $password = "' OR 1 = 1 --";

FINAL QUERY

   $query = "SELECT * FROM user
      WHERE username = 'root'
      AND password = '' OR 1 = 1 --'";

   // password = '' OR 1 = 1 is true for every row, and -- comments out
   // the dangling quote: the login succeeds without knowing the password.

PREVENTION

                  Use an ORM or database abstraction layer that
                  provides escaping. Doctrine, ZendTable, and
                  CakePHP all do this.

                  Use PDO and prepared statements.

                  Never interpolate user data into a query string.

                  Never rely on regular expressions, magic quotes, or
                  addslashes() for protection.

EXAMPLE (PDO)

                $query = "SELECT * FROM user
                   WHERE username = ?
                   AND password = ?";

                $stmt = $db->prepare($query);
                // positional placeholders are 1-indexed; the bound
                // values never become part of the SQL text
                $stmt->bindValue(1, $username);
                $stmt->bindValue(2, $password);
                $stmt->execute();
                $result = $stmt->fetch(PDO::FETCH_ASSOC);

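The interpolated and the prepared version of the login above side by side, as an added example that is not part of the original slides: it runs the same payload against a constructed in-memory SQLite table through PDO. The table, its single row and the function names are this example's own; PHP 7 or later with pdo_sqlite is assumed.

```php
<?php
// Added example: the slides' login query, interpolated vs. prepared, run
// against constructed sample data in SQLite.  Function names are this
// example's own, not the deck's.

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO user (username, password) VALUES ('root', 'correct horse')");
    return $db;
}

// The vulnerable pattern from the slides: request values pasted into the SQL.
function vulnerableLogin(PDO $db, string $username, string $password): array
{
    $query = "SELECT * FROM user
        WHERE username = '$username'
        AND password = '$password'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// The fixed pattern: placeholders in the SQL, values bound at execute time,
// so the database never parses the password as SQL.
function safeLogin(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = buildDb();
$payload = "' OR 1 = 1 --";

// Interpolated, the WHERE clause becomes
//   username = 'root' AND password = '' OR 1 = 1 --'
// and "--" comments out the dangling quote: every row matches, no password needed.
$rows = vulnerableLogin($db, 'root', $payload);
printf("interpolated query: %d row(s) returned\n", count($rows));

// Bound, the same payload is just a literal password string that matches nothing.
$rows = safeLogin($db, 'root', $payload);
printf("prepared statement: %d row(s) returned\n", count($rows));
```

Run it from the command line; the first query returns the root row without the password, the second returns nothing. Note that comparing plaintext passwords in SQL is itself a problem the deck addresses under cryptographic storage; it is kept here only to mirror the slide.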
2  XSS
                         <script>alert('cross site scripting');</script>
RISKS

                  Allows bad guys to run script in the browser of, and act
                  as, the person viewing a page.

                  Steal identities, passwords, credit cards, hijack pages
                  and more.

XSS EXAMPLE

        <p>
         <?php echo $user['bio']; // user-supplied, echoed unescaped ?>
        </p>

You may be thinking, I can use regular expressions
                                 to fix this.

NO
PREVENTION

                  Regular expressions and strip_tags leave you
                  vulnerable: a browser's HTML parser accepts far more
                  variants than any filter anticipates.

                  The only solution is output encoding, applied for the
                  context the value lands in.

EXAMPLE

        <p>
         <?php echo htmlentities(
          $user['bio'],
          ENT_QUOTES,   // also escape single quotes, for attribute values
          'UTF-8'       // always state the charset
         ); ?>
        </p>

DANGERS

                  Manually encoding is error prone, and you will make
                  a mistake.

                  Using a template library like Twig that provides auto-
                  escaping reduces the chances of screwing up.

                  Encoding is dependent on context: HTML body, HTML
                  attribute, JavaScript, CSS and URL each need a
                  different encoder.

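What "encoding is dependent on context" looks like in code, as an added example that is not from the original slides: one encoder per place a value can land, and the same hostile profile values (constructed for this example) rendered into each. The function names are this example's own; PHP 7 or later is assumed.

```php
<?php
// Added example: one encoder per output context.  Using the HTML-body encoder
// for everything is exactly the "encoding depends on context" mistake.
// The profile values at the bottom are constructed hostile input.

// HTML body text and quoted attribute values: escape & < > " '.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed inside a JavaScript string literal in an inline <script>.
// json_encode quotes it and, with these flags, escapes < > & ' " so the value
// can neither end the string nor end the <script> element.
function encodeJs(string $value): string
{
    $out = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? '""' : $out;   // invalid UTF-8: emit an empty string, not raw bytes
}

// A value used as a single query-string parameter inside a URL.
function encodeUrlParam(string $value): string
{
    return rawurlencode($value);
}

// A whole URL used in href/src: only absolute http(s) URLs or same-site paths.
// This rejects javascript:, data:, vbscript:, protocol-relative "//host" and
// scheme tricks padded with whitespace or control characters.
function safeUrl(string $url): string
{
    $url = trim($url);
    if (!preg_match('#^(https?://|/(?!/))[^\x00-\x20]+$#i', $url)) {
        return '#';
    }
    return encodeHtml($url);
}

$bio  = "<script>alert('xss')</script>";
$name = "\" onmouseover=\"alert(1)";
$site = "javascript:alert(document.cookie)";
?>
<p><?= encodeHtml($bio) ?></p>
<input type="text" name="name" value="<?= encodeHtml($name) ?>">
<a href="<?= safeUrl($site) ?>">home page</a>
<a href="/search?q=<?= encodeUrlParam($bio) ?>">search for this</a>
<script>
  var bio = <?= encodeJs($bio) ?>;   // a JS string literal, not markup
</script>
```

Note what goes wrong if the contexts are mixed: encodeHtml() inside the <script> block leaves a value that still contains `</script>` once the browser's HTML parser has read it, and rawurlencode() in the HTML body leaves `%3Cscript%3E` visible to the user but does nothing for a value that is later decoded into the page by JavaScript.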
3  BROKEN AUTHENTICATION & SESSION MANAGEMENT
                         /index.php?PHPSESSID=pwned
RISKS

                  Session hijacking and identity theft.

                  Firesheep was an excellent example: it sniffed session
                  cookies sent over plain HTTP on open Wi-Fi and let
                  anyone take over those sessions with one click.

SESSION FIXATION EXAMPLE

   <?php
   // whatever id the request names becomes the session id, so an
   // attacker who sends a victim a link containing an id they chose
   // shares the victim's session once the victim logs in
   if (isset($_GET['sessionid'])) {
     session_id($_GET['sessionid']);
   }
   session_start();

PREVENTION

                  Rotate session identifiers upon login/logout
                  (session_regenerate_id(true)).

                  Set the HttpOnly flag on session cookies, and the
                  Secure flag so they are only sent over HTTPS.

                  Only accept session ids from cookies, never from
                  the URL (session.use_only_cookies = 1).

                  Use well tested / mature libraries for authentication.

                  SSL is always a good idea.

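The prevention list above as a single login/logout handler, added here as an example that is not from the original slides. authenticate() is a stand-in for the application's own credential check, the user id and password it accepts are constructed, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the slides): session hardening for the fixation and
// hijacking risks above.  authenticate() is a stand-in for the app's own
// credential check; the array form of session_set_cookie_params() needs PHP 7.3+.

// Take the session id from the cookie only, never from the URL, and refuse
// ids the server did not issue itself (closes the ?sessionid= fixation hole).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,        // session cookie, gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // only ever sent over HTTPS (what Firesheep exploited)
    'httponly' => true,     // not readable by script, so XSS cannot copy it
    'samesite' => 'Lax',    // not attached to cross-site POSTs either
]);
session_start();

function authenticate(string $username, string $password): ?int
{
    // Stand-in: look the user up and verify the password hash; return id or null.
    return ($username === 'alice' && $password === 'correct horse') ? 42 : null;
}

function login(string $username, string $password): bool
{
    $userId = authenticate($username, $password);
    if ($userId === null) {
        return false;
    }
    // New id on privilege change: any id an attacker fixed or sniffed before
    // login is now worthless, and "true" deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server copy.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login($_POST['username'], $_POST['password'])) {
        header('Location: /account', true, 303);
        exit;
    }
    http_response_code(401);
}
```

session.use_strict_mode is the server-side half of the fix: with it on, PHP discards an id it has no record of and issues a fresh one, so even a framework that forgets to rotate on login does not inherit an attacker-chosen id.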
4  INSECURE DIRECT OBJECT REFERENCE
RISKS

                  Bad guys can access information they shouldn't.

                  Bad guys can modify data they shouldn't.

BROKEN PASSWORD UPDATE

      <form action="/user/update" method="post">
       <!-- the server trusts this id; edit the value in the browser
            and you reset someone else's password -->
       <input type="hidden" name="userid" value="4654" />
       <input type="text" name="new_password" />
       <button type="submit">Save</button>
      </form>

PREVENTION

                  Remember hidden inputs are not really hidden, and
                  can be changed by users.

                  Validate access to all things, don’t depend on things
                  being hidden/invisible.

                  If you need to refer to the current user, use session
                  data not form inputs.

                  Whitelist properties any form can update.


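The same password update written to the rules above, as an added example that is not from the original slides: the user id comes from the session, the writable fields are whitelisted, and the tampered hidden input is simply ignored. The database, its two rows and the function names are constructed for this example; the session is passed in as an array so it runs from the command line. PHP 7 or later with pdo_sqlite is assumed.

```php
<?php
// Added example: the password-update handler done right.  The user id comes
// from the session, never from the form, and only whitelisted fields reach
// the UPDATE.  Database and rows are constructed sample data; the session is
// passed in as an array so the example runs from the CLI.

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, display_name TEXT, password_hash TEXT)');
    $db->exec("INSERT INTO user VALUES (4654, 'alice', 'hash-of-alices-password')");
    $db->exec("INSERT INTO user VALUES (9, 'mallory', 'hash-of-mallorys-password')");
    return $db;
}

// Form field => column it may write.  Nothing else in the POST body is looked
// at, so a "userid" or "role" field the client adds is simply ignored.
const UPDATABLE = [
    'display_name' => 'display_name',
    'new_password' => 'password_hash',
];

function currentUserId(array $session): int
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('login required');   // web app: 401 / redirect to login
    }
    return (int) $session['user_id'];
}

function updateOwnAccount(PDO $db, array $session, array $post): int
{
    $userId = currentUserId($session);      // from the session, NOT $post['userid']

    $fields = [];
    foreach (UPDATABLE as $input => $column) {
        if (!isset($post[$input]) || $post[$input] === '') {
            continue;
        }
        $fields[$column] = ($input === 'new_password')
            ? password_hash($post[$input], PASSWORD_BCRYPT)   // store a hash, never plaintext
            : $post[$input];
    }
    if ($fields === []) {
        return 0;
    }

    // Column names come only from the whitelist above; values are bound.
    $assignments = [];
    foreach (array_keys($fields) as $column) {
        $assignments[] = "$column = :$column";
    }
    $stmt = $db->prepare('UPDATE user SET ' . implode(', ', $assignments) . ' WHERE id = :id');
    $stmt->execute($fields + ['id' => $userId]);
    return $stmt->rowCount();
}

$db = buildDb();

// mallory (id 9) is logged in and submits the slides' form with the hidden
// userid rewritten to alice's 4654.
$session = ['user_id' => 9];
$post    = ['userid' => '4654', 'new_password' => 'owned'];
updateOwnAccount($db, $session, $post);

// Only mallory's own row changed; alice's hash is as it was.
foreach ($db->query('SELECT id, display_name, password_hash FROM user') as $row) {
    printf("%-5d %-8s %s\n", $row['id'], $row['display_name'], substr($row['password_hash'], 0, 12));
}
```

The whitelist does double duty: it is the only source of column names in the generated SQL, so mass-assignment of fields like role or email, and SQL injection through a field name, are ruled out by the same table.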
5  CROSS SITE REQUEST FORGERY (CSRF)
RISKS

                  Evil websites can perform actions for users logged
                  into your site, because the browser attaches your
                  session cookie to every request it makes to you.

                  Side effects on GET can be triggered from an <img> or
                  CSS url() on any page the user visits.

                  Remember the Gmail contact hack.

CSRF EXAMPLE

                  Your app                                  Evil site

                  1. User logs in to your app.
                  2. User accidentally visits the evil site.
                  3. The evil site submits a form to your app for evil;
                     the browser attaches the user's session cookie,
                     so your app treats it as the user's own request.

PREVENTION

                  Add opaque expiring tokens to all forms.

                  Requests missing tokens or containing invalid tokens
                  should be rejected.

                  Don't perform state changes on GET.

SAMPLE CSRF VALIDATION

    <?php
    if (!$this->validCsrfToken($data, 'csrf')) {
      throw new ForbiddenException();
    }

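A stand-alone implementation of the token scheme above, added here as an example that is not from the original slides and not CakePHP's validCsrfToken(): tokens are random, kept in the session with an expiry, embedded in forms, and compared in constant time. The session is passed around as an array so the example runs from the command line; the three submissions at the bottom are constructed. PHP 7 or later is assumed for random_bytes().

```php
<?php
// Added example: opaque, expiring CSRF tokens stored in the session, embedded
// in forms, and checked on every state-changing request.  This is not the
// framework method shown on the slide; it is a stand-alone equivalent.

const CSRF_TTL = 3600;   // seconds a token stays valid

function csrfToken(array &$session): string
{
    if (empty($session['csrf']) || $session['csrf']['expires'] < time()) {
        $session['csrf'] = [
            'value'   => bin2hex(random_bytes(32)),   // opaque and unguessable
            'expires' => time() + CSRF_TTL,
        ];
    }
    return $session['csrf']['value'];
}

function validCsrfToken(array $session, ?string $submitted): bool
{
    if (empty($session['csrf']) || !is_string($submitted)) {
        return false;                           // missing token
    }
    if ($session['csrf']['expires'] < time()) {
        return false;                           // expired token
    }
    // Constant-time comparison, so the token cannot be guessed byte by byte
    // from response timing.
    return hash_equals($session['csrf']['value'], $submitted);
}

// Emit this inside every <form method="post">.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf" value="' . $token . '">';
}

// Usage: render a form, then handle three constructed submissions.
$session = [];
echo csrfField($session), "\n";

$submissions = [
    'valid token'   => ['csrf' => $session['csrf']['value']],
    'wrong token'   => ['csrf' => 'pwned'],
    'missing token' => [],
];
foreach ($submissions as $label => $post) {
    if (!validCsrfToken($session, $post['csrf'] ?? null)) {
        // in the app: throw new ForbiddenException();
        printf("%-14s rejected\n", $label);
        continue;
    }
    printf("%-14s accepted\n", $label);
}
```

One token per session is the simplest workable scheme; per-form tokens are stricter but break multi-tab use unless several are kept. Either way the token must be tied to the session, never derived from something the evil site can also obtain, and the check belongs on every request that changes state, not only on the login form.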
6  SECURITY MISCONFIGURATION
RISKS

                  Default settings can be insecure, and intended for
                  development not production (verbose error output,
                  debug tooling enabled, sample applications left
                  installed).

                  Attackers can use misconfigured software to gain
                  knowledge and access.

PREVENTION


                  Know the tools you use, and configure them
                  correctly.

                  Keep up to date on vulnerabilities in the tools you
                  use.

                  Remove/disable any services/features you aren’t using.



7  INSECURE CRYPTOGRAPHIC STORAGE
                         md5('password')
RISKS

                  Weak cryptographic storage can easily be cracked:
                  unsalted MD5/SHA-1 hashes fall to rainbow tables
                  and GPU brute force.

                  Keys can be exposed with encrypted data.

                  Backups can contain encrypted data & keys.

                  Compromised passwords can be used to obtain
                  information on other sites.

BAD PASSWORD HASHING

                  $password;          // stored as plaintext

                  md5($password);     // fast, unsalted: rainbow tables

                  sha1($password);    // fast, unsalted: GPU brute force

USE BCRYPT FOR
                           PASSWORDS
                         only you can prevent bad hashing




PREVENTION

                  Use strong hashing/encryption.

                  Use one way hashing for passwords (slow and salted:
                  bcrypt). Never use symmetric encryption for passwords.

                  Don't collect data if you don't need it.

                  Keep keys separate from data.

                  If you're using symmetric encryption, be able to
                  rotate keys easily.

BCRYPT IN PHP

   // password hashing (bcrypt): "$2a$" selects bcrypt, "10" is the cost
   // (2^10 rounds).  The 22-character salt that follows must be random
   // and different for every password, never a constant in the source.
   $salt = '$2a$10$' . substr(
     strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'),
     0, 22
   );
   $hashed = crypt($pass, $salt);

   // compare later: crypt() reads the cost and salt back out of the
   // stored hash, so hashing the candidate with it reproduces the hash
   $candidate = crypt($plaintext, $storedHash);

   // check for match, in constant time (hash_equals, PHP 5.6+)
   $match = hash_equals($storedHash, $candidate);

   // PHP >= 5.3.7 should use the "$2y$" prefix, and PHP >= 5.5 has
   // password_hash() / password_verify(), which do all of the above.

USE MCRYPT

  // encrypt (rijndael). Caveats: 'rijndael-256' is Rijndael with a
  // 256-bit block, not AES (AES is MCRYPT_RIJNDAEL_128 with a 32-byte
  // key); $iv must be a fresh random value from mcrypt_create_iv() for
  // every message and be stored alongside the ciphertext; and CBC alone
  // gives no integrity, so authenticate the ciphertext (HMAC) or use an
  // AEAD mode. mcrypt was deprecated in PHP 7.1 and removed in 7.2.
  $value = mcrypt_encrypt(
   'rijndael-256',
   $secretKey, $ccnumber, 'cbc', $iv
  );

  // decrypt
  $value = mcrypt_decrypt(
   'rijndael-256',
   $secretKey, $encrypted, 'cbc', $iv
  );

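The symmetric-encryption half of the prevention list, including "be able to rotate keys easily", written with the OpenSSL extension that replaced mcrypt. This is an added example, not from the original slides: AES-256-GCM gives confidentiality and an integrity tag, and a key-id prefix on each stored value is what makes rotation a simple re-encrypt. The keys are generated inline only for the demo (in a real system they live outside the database and its backups), the card number is a constructed test value, and PHP 7.1 or later is assumed for the GCM tag parameter.

```php
<?php
// Added example: field encryption with openssl_encrypt (mcrypt's replacement),
// AES-256-GCM, a random IV per message, and a key id stored with each value so
// keys can be rotated.  Keys are generated inline for the demo only.

const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

// Key ring: id => 32-byte key.  Add a new id to rotate; keep old ids to decrypt.
$keys = [
    'k1' => random_bytes(32),
    'k2' => random_bytes(32),
];
$currentKeyId = 'k2';

function encryptField(string $plaintext, array $keys, string $keyId): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));   // fresh IV per message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $keys[$keyId], OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // key id + iv + tag + ciphertext: the record carries what decrypt needs
    return $keyId . ':' . base64_encode($iv . $tag . $ct);
}

function decryptField(string $stored, array $keys): string
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || !isset($keys[$parts[0]])) {
        throw new RuntimeException('unknown key id or malformed record');
    }
    [$keyId, $blob] = $parts;
    $raw = base64_decode($blob, true);
    if ($raw === false) {
        throw new RuntimeException('malformed record');
    }
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $iv    = substr($raw, 0, $ivLen);
    $tag   = substr($raw, $ivLen, TAG_LEN);
    $ct    = substr($raw, $ivLen + TAG_LEN);
    $pt    = openssl_decrypt($ct, CIPHER, $keys[$keyId], OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // wrong key or modified ciphertext: the GCM tag does not verify
        throw new RuntimeException('decryption failed or data tampered');
    }
    return $pt;
}

// Rotation: re-encrypt a value stored under an old key with the current one.
function rotate(string $stored, array $keys, string $currentKeyId): string
{
    return encryptField(decryptField($stored, $keys), $keys, $currentKeyId);
}

$record = encryptField('4111111111111111', $keys, 'k1');   // constructed test card number
echo substr($record, 0, 2), " -> ";
$record = rotate($record, $keys, $currentKeyId);
echo substr($record, 0, 2), ": ", decryptField($record, $keys), "\n";

// Tampering is detected: flip one bit of the ciphertext and decrypt again.
[$kid, $blob] = explode(':', $record, 2);
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
try {
    decryptField($kid . ':' . base64_encode($raw), $keys);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The key id is the rotation mechanism: new writes use the current key, reads accept any key still on the ring, and a background job calls rotate() over old rows until the retired key can be dropped. Unlike the CBC example above, a modified ciphertext here fails closed instead of decrypting to garbage.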
8  FAILURE TO RESTRICT URL ACCESS
RISK

                  Hidden things can easily be found.

                  Creative people will eventually find your hidden URLs.

                  Security through obscurity is a terrible idea.

PREVENTION

                  Check access to all URLs both when you generate
                  links and, more importantly, when handling requests.

                  Don't rely on things staying hidden.

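What "check access when handling requests" looks like in a front controller, as an added example that is not from the original slides: every route declares the role it needs, unknown paths are refused, and the same table drives which links are rendered so the menu and the enforcement cannot disagree. The routes, roles and session contents are constructed for this example; PHP 7 or later is assumed.

```php
<?php
// Added example: authorization enforced at request-handling time, deny by
// default.  Hiding the "/admin" link from the menu is not a check; this is.
// Routes, roles and sessions below are constructed for the demo.

// Every route declares who may call it; a path with no entry is refused.
const ROUTE_ACCESS = [
    '/'             => 'anyone',
    '/account'      => 'user',
    '/admin'        => 'admin',
    '/admin/export' => 'admin',
];

function roleOf(array $session): string
{
    return $session['role'] ?? 'anyone';    // 'anyone' means not logged in
}

function allowed(string $required, string $role): bool
{
    $rank = ['anyone' => 0, 'user' => 1, 'admin' => 2];
    return isset($rank[$role], $rank[$required]) && $rank[$role] >= $rank[$required];
}

function normalizePath(string $uri): string
{
    // Drop the query string, decode each segment, then collapse "." and ".."
    // so "/account/../admin" and "/%61dmin" resolve to the same table key.
    $path = parse_url($uri, PHP_URL_PATH) ?? '/';
    $segments = [];
    foreach (explode('/', $path) as $seg) {
        $seg = rawurldecode($seg);
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    return '/' . implode('/', $segments);
}

// The HTTP status the request gets before any handler code runs.
function authorize(string $uri, array $session): int
{
    $path = normalizePath($uri);
    if (!array_key_exists($path, ROUTE_ACCESS)) {
        return 404;                             // unknown URL: deny, don't guess
    }
    if (allowed(ROUTE_ACCESS[$path], roleOf($session))) {
        return 200;
    }
    return roleOf($session) === 'anyone' ? 401 : 403;
}

// Link generation reads the same table, so nothing is linked that the
// request-time check would refuse.
function visibleLinks(array $session): array
{
    $links = [];
    foreach (ROUTE_ACCESS as $path => $required) {
        if (allowed($required, roleOf($session))) {
            $links[] = $path;
        }
    }
    return $links;
}

// Constructed requests: the "hidden" export URL tried by three callers,
// plus a path-traversal spelling of /admin from an ordinary user.
foreach ([[], ['role' => 'user'], ['role' => 'admin']] as $session) {
    printf("%-28s as %-6s -> %d\n", '/admin/export?format=csv', roleOf($session),
        authorize('/admin/export?format=csv', $session));
}
printf("%-28s as %-6s -> %d\n", '/account/../admin', 'user', authorize('/account/../admin', ['role' => 'user']));
printf("links for user: %s\n", implode(', ', visibleLinks(['role' => 'user'])));
```

The two halves of the slide map onto authorize() and visibleLinks(); the important one is authorize(), which runs for every request whether or not a link to it was ever shown.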
9  INSUFFICIENT TRANSPORT LAYER PROTECTION

                  Use SSL/TLS for every request that carries a session
                  cookie or credentials, not only the login page
                  (see Firesheep above).
10  UNVALIDATED REDIRECTS & FORWARDS
RISKS

                  Trusting user input for redirects opens phishing
                  attacks: a link that genuinely points at your domain
                  ends up on the attacker's page.

                  Breach of trust with your users.

PREVENTION

                  Don't trust user data when handling redirects:
                  allow only relative paths, or check the target
                  against a whitelist of hosts.

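A redirect-target check that applies the rule above, added here as an example that is not from the original slides. Only same-site paths and absolute http(s) URLs whose host is on an explicit allow-list survive; everything else falls back to a default. The allowed hosts and the test inputs are constructed for this example; PHP 7 or later is assumed.

```php
<?php
// Added example: validating a ?next= style redirect target.  The host
// allow-list and the sample inputs are constructed for the demo.

const ALLOWED_REDIRECT_HOSTS = ['example.com', 'www.example.com'];

function safeRedirectTarget(?string $target, string $default = '/'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    // Browsers are lax about backslashes, whitespace and control characters
    // ("/\evil.net" is treated like "//evil.net" by some); refuse them all.
    if (preg_match('/[\\\\\x00-\x20]/', $target)) {
        return $default;
    }
    // Relative path: a single leading "/" only.  "//host/..." is a
    // protocol-relative absolute URL and would leave the site.
    if ($target[0] === '/') {
        return ($target[1] ?? '') === '/' ? $default : $target;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;        // "javascript:..." has no host; bare "evil.net" has no scheme
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    // Exact host match: "example.com.evil.net" and "example.com@evil.net"
    // both parse to a host that is not on the list.
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return $default;
    }
    return $target;
}

function redirectAfterLogin(?string $next): void
{
    header('Location: ' . safeRedirectTarget($next), true, 302);
    exit;
}

// Constructed cases, each with what the check decides.
foreach ([
    '/account',
    '//evil.example.net/phish',
    'https://www.example.com/account',
    'https://example.com.evil.net/',
    'https://example.com@evil.net/',
    'javascript:alert(1)',
    '/\\evil.example.net',
    'evil.net',
] as $t) {
    printf("%-36s -> %s\n", $t, safeRedirectTarget($t));
}
```

The order of the checks matters: the backslash and control-character test runs before anything is parsed, because parse_url() and the browser do not agree on how such strings are read, and the protocol-relative test runs before the host check because "//evil.net" has no scheme and would otherwise be mistaken for a local path.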
QUESTIONS?





Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
 
Welcome to Cyberbiosecurity. Because regular cybersecurity wasn't complicated...
Welcome to Cyberbiosecurity. Because regular cybersecurity wasn't complicated...Welcome to Cyberbiosecurity. Because regular cybersecurity wasn't complicated...
Welcome to Cyberbiosecurity. Because regular cybersecurity wasn't complicated...
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 

Owasp top 10

  • 1. AVOIDING THE OWASP Top 10 security exploits Friday, 2 November, 12
  • 2. ME Illustrator turned developer. Team Lead at FreshBooks. Lead developer of CakePHP. PHP developer for 7 years.
  • 4. SECURITY CONTINUUM ( unusable ... unrestricted )
  • 5. OWASP: Open Web Application Security Project
  • 6. OWASP TOP 10
  • 7. #1 SQL INJECTION ' OR 1=1 '--
  • 8. RISKS Permits query manipulation and arbitrary SQL. Bad guys can re-write your queries.
  • 9. SQL INJECTION EXAMPLE
      $username = $_POST['username'];
      $password = $_POST['password'];
      $query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
      $user = $db->query($query);
  • 10. USER INPUT
      $username = "root";
      $password = "' OR 1 = 1 --";
  • 11. FINAL QUERY
      $query = "SELECT * FROM user WHERE username = 'root' AND password = '' OR 1 = 1 --'";
  • 13. PREVENTION Use an ORM or database abstraction layer that provides escaping; Doctrine, ZendTable, and CakePHP all do this. Use PDO and prepared statements. Never put user data into a query. Never use regular expressions, magic quotes, or addslashes().
  • 14. EXAMPLE (PDO)
      $query = "SELECT * FROM user WHERE username = ? AND password = ?";
      $stmt = $db->prepare($query);
      $stmt->bindValue(1, $username);   // positional placeholders are 1-indexed
      $stmt->bindValue(2, $password);
      $stmt->execute();                 // execute() belongs to the statement, not the connection
      $result = $stmt->fetch();
  • 15. #2 XSS <script>alert('cross site scripting');</script>
  • 16. RISKS Allows bad guys to do things as the person viewing a page. Steal identities, passwords, credit cards, hijack pages and more.
  • 17. XSS EXAMPLE
      <p> <?php echo $user['bio']; ?> </p>
  • 19. You may be thinking, I can use regular expressions to fix this.
  • 21. PREVENTION Regular expressions and strip_tags leave you vulnerable. The only solution is output encoding.
  • 22. EXAMPLE
      <p> <?php echo htmlentities($user['bio'], ENT_QUOTES, 'UTF-8'); ?> </p>
  • 23. DANGERS Manually encoding is error prone, and you will make a mistake. Using a template library like Twig that provides auto-escaping reduces the chances of screwing up. Encoding is dependent on context.
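An added example, not from the slides, of the "encoding is dependent on context" point: one helper per output context (HTML text, quoted attribute, inline JavaScript, URL parameter), each wrapping a standard PHP function. The $user fields and the page fragment are constructed for the example.

```php
<?php
// Added example (not the talk's code): one escaper per output context.
// Using the wrong one (or none) is exactly how the raw echo on slide 17 fails.

// HTML body text, e.g. between <p> and </p>.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Quoted HTML attribute value. Same encoder, but the caller MUST quote the
// attribute: an unquoted title=<?= ... ?> is broken out of by a plain space.
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value embedded in inline JavaScript: json_encode yields a valid JS string
// literal, and the HEX flags also neutralise "</script>" and HTML specials.
function esc_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?: '""';
}

// Value used as one URL query parameter (not a whole URL).
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample input: the kind of bio that slide 17 would echo straight out.
$user = [
    'bio' => '<script>alert("cross site scripting");</script> & more',
];
?>
<p><?= esc_html($user['bio']) ?></p>
<a href="/search?q=<?= esc_url_param($user['bio']) ?>" title="<?= esc_attr($user['bio']) ?>">bio</a>
<script>
  // Arrives as a harmless string literal, never as markup or code.
  var bio = <?= esc_js($user['bio']) ?>;
</script>
```

A template engine with auto-escaping, as slide 23 suggests, applies the HTML escaper by default; the JavaScript and URL contexts still need to be chosen explicitly.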
  • 24. #3 BROKEN AUTHENTICATION & SESSION MANAGEMENT /index.php?PHPSESSID=pwned
  • 25. RISKS Identity theft. Firesheep was an excellent example.
  • 26. SESSION FIXATION EXAMPLE
      <?php
      // the flaw: a session id supplied in the request is accepted as-is
      if (isset($_GET['sessionid'])) {
          session_id($_GET['sessionid']);
      }
      session_start();   // session_id() only takes effect if called before session_start()
  • 28. PREVENTION Rotate session identifiers upon login/logout. Set the HttpOnly flag on session cookies. Use well tested / mature libraries for authentication. SSL is always a good idea.
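An added example, not from the slides, of the prevention list on slide 28: cookie flags set before the session starts, URL session ids refused, and the identifier rotated on login and logout. It needs PHP 7.3+ for the array form of session_set_cookie_params(); the user store is constructed in memory.

```php
<?php
// Added example (not the talk's code): login/logout without session fixation.

// Cookie flags go before session_start(): HttpOnly keeps the cookie out of
// document.cookie, Secure keeps it off plain HTTP.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... in the URL
ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
session_start();

// Constructed user store; a real application would query its database.
function checkCredentials(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = [7 => ['name' => 'alice', 'hash' => password_hash('correct horse', PASSWORD_BCRYPT)]];
    }
    foreach ($users as $id => $u) {
        // password_verify compares in constant time; a plain === on hashes does not.
        if ($u['name'] === $username && password_verify($password, $u['hash'])) {
            return $id;
        }
    }
    return null;
}

function login(string $username, string $password): bool
{
    $userId = checkCredentials($username, $password);
    if ($userId === null) {
        return false;
    }
    // Rotate the id on login: an id planted before authentication is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // rotate on logout too, then discard the session
    session_destroy();
}
```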
  • 29. #4 INSECURE DIRECT OBJECT REFERENCE
  • 30. RISKS Bad guys can access information they shouldn't. Bad guys can modify data they shouldn't.
  • 31. BROKEN PASSWORD UPDATE
      <form action="/user/update" method="post">
        <input type="hidden" name="userid" value="4654" />
        <input type="text" name="new_password" />
        <button type="submit">Save</button>
      </form>
  • 32. PREVENTION Remember hidden inputs are not really hidden, and can be changed by users. Validate access to all things; don't depend on things being hidden/invisible. If you need to refer to the current user, use session data, not form inputs. Whitelist properties any form can update.
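An added example, not from the slides, of the /user/update handler done the way slide 32 describes: the user id comes from the session, never from the form, and only whitelisted fields reach the database. $db is assumed to be a PDO connection, and the display_name and password columns of the user table are assumed.

```php
<?php
// Added example (not the talk's code): an update handler that ignores the
// "userid" hidden input from slide 31 and whitelists what a form may change.
session_start();

function updateCurrentUser(PDO $db, array $post): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;                    // not logged in: nothing to update
    }
    // Whitelist: a tampered "userid" or an unexpected "is_admin" never survives this.
    $allowed = ['new_password' => true, 'display_name' => true];
    $fields  = array_filter(array_intersect_key($post, $allowed), 'is_string');
    if (isset($fields['new_password'])) {
        $fields['password'] = password_hash($fields['new_password'], PASSWORD_BCRYPT);
        unset($fields['new_password']);
    }
    if ($fields === []) {
        return false;
    }
    $sets = [];
    foreach (array_keys($fields) as $col) {
        $sets[] = "$col = :$col";        // column names come from the whitelist, not the user
    }
    $sql  = 'UPDATE user SET ' . implode(', ', $sets) . ' WHERE id = :id';
    $stmt = $db->prepare($sql);
    $fields['id'] = (int) $_SESSION['user_id'];   // identity from the session, not the form
    return $stmt->execute($fields);
}

// Constructed request: the form from slide 31 with userid pointed at someone else
// and an extra field bolted on. Only the logged-in user's own row can change.
$post = ['userid' => '4654', 'new_password' => 'hunter2', 'is_admin' => '1'];
```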
  • 33. #5 CROSS SITE REQUEST FORGERY (CSRF)
  • 34. RISKS Evil websites can perform actions for users logged into your site. Side effects on GET can be performed via images or CSS files. Remember the Gmail contact hack.
  • 35-38. CSRF EXAMPLE (diagram): the user logs in to your app, accidentally visits the evil site, and the evil site submits a form to your app for evil.
  • 39. PREVENTION Add opaque expiring tokens to all forms. Requests missing tokens or containing invalid tokens should be rejected.
  • 40. SAMPLE CSRF VALIDATION
      <?php
      if (!$this->validCsrfToken($data, 'csrf')) {
          throw new ForbiddenException();
      }
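An added example, not from the slides, of the opaque expiring token scheme from slide 39, written with standard PHP 7 functions. The validCsrfToken() on slide 40 is a framework method whose internals the talk does not show; this standalone version of it, its signature and the one-hour lifetime are assumptions.

```php
<?php
// Added example (not the talk's code): issue and validate CSRF tokens.
session_start();

const CSRF_TTL = 3600;   // constructed: tokens expire after one hour

// Issue a token for one form field and keep it, with its expiry, in the session.
function csrfToken(string $field): string
{
    $token = bin2hex(random_bytes(32));            // opaque: unpredictable, carries no meaning
    $_SESSION['csrf'][$field] = ['token' => $token, 'expires' => time() + CSRF_TTL];
    return $token;
}

// Validate the submitted token. It is consumed on every attempt, so a captured
// token cannot be replayed and a failed guess does not get a second try.
function validCsrfToken(array $data, string $field): bool
{
    $stored = $_SESSION['csrf'][$field] ?? null;
    $given  = $data[$field] ?? null;
    unset($_SESSION['csrf'][$field]);
    if ($stored === null || !is_string($given)) {
        return false;                                 // missing token: reject
    }
    if ($stored['expires'] < time()) {
        return false;                                 // expired token: reject
    }
    // hash_equals compares in constant time, so the token does not leak byte by byte.
    return hash_equals($stored['token'], $given);
}

// Rendering the form: the token travels as a hidden input.
echo '<input type="hidden" name="csrf" value="' . htmlspecialchars(csrfToken('csrf')) . '">';

// Handling the POST, as on slide 40.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !validCsrfToken($_POST, 'csrf')) {
    http_response_code(403);
    exit('Forbidden');
}
```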
  • 41. #6 SECURITY MISCONFIGURATION
  • 42. RISKS Default settings can be insecure, and intended for development, not production. Attackers can use misconfigured software to gain knowledge and access.
  • 43. PREVENTION Know the tools you use, and configure them correctly. Keep up to date on vulnerabilities in the tools you use. Remove/disable any services/features you aren't using.
  • 44. #7 INSECURE CRYPTOGRAPHIC STORAGE md5('password')
  • 45. RISKS Weak cryptographic storage can easily be cracked. Keys can be exposed with encrypted data. Backups can contain encrypted data & keys. Compromised passwords can be used to obtain information on other sites.
  • 46. BAD PASSWORD HASHING
      $password;
      md5($password);
      sha1($password);
  • 48. USE BCRYPT FOR PASSWORDS. Only you can prevent bad hashing.
  • 49. PREVENTION Use strong hashing/encryption. Use one way hashing for passwords. Never use symmetric encryption for passwords. Don't collect data if you don't need it. Keep keys separate from data. If you're using symmetric encryption, be able to rotate keys easily.
  • 50. BCRYPT IN PHP
      // password hashing (bcrypt)
      $hashed = crypt($pass, '$2a$10$asdkbisloqi.fidsliz.df190.d9f40');
      // compare later
      $hashed = crypt($plaintext, $storedHash);
      // check for match
      $hashed === $storedHash
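An added example, not from the slides, around the crypt() call on slide 50: the salt is generated per password rather than taken from one fixed string, the comparison is constant-time, and the same job is shown with password_hash()/password_verify(), which postdate the talk (PHP 5.5+). The cost of 10 and the sample passwords are constructed.

```php
<?php
// Added example (not the talk's code): bcrypt with a fresh random salt per password.

// Build a bcrypt salt string: "$2y$" + two-digit cost + 22 chars from [./A-Za-z0-9].
// "$2y$" is the PHP 5.3.7+ prefix that fixed the "$2a$" bug the slide's string uses.
function bcryptSalt(int $cost = 10): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[random_int(0, 63)];   // CSPRNG, not rand()/mt_rand()
    }
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function hashPassword(string $plain): string
{
    $hashed = crypt($plain, bcryptSalt(10));
    if (strlen($hashed) !== 60) {
        throw new RuntimeException('bcrypt unavailable');   // crypt() returns "*0" on failure
    }
    return $hashed;   // the salt is stored inside the hash, so no separate column is needed
}

// Re-run crypt() with the stored hash as the salt, then compare in constant time
// (slide 50's === can leak how many leading bytes matched through timing).
function checkPassword(string $plain, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($plain, $storedHash));
}

// The built-in equivalents, which pick the salt for you and let the cost be raised later.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$ok     = password_verify('correct horse battery staple', $stored);
$rehash = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);   // true when cost is raised
```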
  • 54. USE MCRYPT
      // encrypt (rijndael)
      $value = mcrypt_encrypt('rijndael-256', $secretKey, $ccnumber, 'cbc', $iv);
      // decrypt
      $value = mcrypt_decrypt('rijndael-256', $secretKey, $encrypted, 'cbc', $iv);
  • 55. #8 FAILURE TO RESTRICT URL ACCESS
  • 56. RISK Hidden things can easily be found. Creative people will eventually find your hidden URLs. Security through obscurity is a terrible idea.
  • 57. PREVENTION Check access to all URLs, both when you generate links and, more importantly, when handling requests. Don't rely on things staying hidden.
  • 58. #9 INSUFFICIENT TRANSPORT LAYER PROTECTION
  • 60. #10 UNVALIDATED REDIRECTS & FORWARDS
  • 61. RISKS Trusting user input for redirects opens phishing attacks. Breach of trust with your users.
  • 62. PREVENTION Don't trust user data when handling redirects.
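An added example, not from the slides, of what "don't trust user data when handling redirects" looks like in code: a "return to" parameter is only honoured if it is an absolute local path, and everything else falls back to a default. The parameter name and the default are assumptions.

```php
<?php
// Added example (not the talk's code): only redirect to local paths.

function safeRedirectTarget(?string $target, string $default = '/'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    // Anything with a scheme (https:, javascript:, data:) or a protocol-relative
    // prefix (//evil.example) leaves the site, so it is never accepted.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $target) || strpos($target, '//') === 0) {
        return $default;
    }
    // Backslashes and control characters are normalised to "/" by some browsers,
    // which would turn "/\evil.example" into a protocol-relative URL.
    if (preg_match('#[\\\\\x00-\x1f]#', $target)) {
        return $default;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $default;
    }
    if (substr($parts['path'] ?? '', 0, 1) !== '/') {
        return $default;                 // must be an absolute local path
    }
    return $target;
}

// Typical use after a login handler: the target always comes through the check.
header('Location: ' . safeRedirectTarget($_GET['return'] ?? null));
exit;
```

Where a redirect to another site is genuinely required, the same shape works with an explicit allowlist of hosts compared against $parts['host'], rather than any pattern match on the raw string.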