The document discusses web application security, highlighting risks like SQL injection, cross-site scripting (XSS), and session exploitation while providing strategies for prevention. It emphasizes the importance of input validation, parameterized queries, and proper session management to protect applications from vulnerabilities. Additionally, the author advocates for using well-supported frameworks and regular monitoring to ensure security.

1. Are you feeling secure – notes from the trenches Paul Lemon @anthonylime http://joind.in/3603

2. Introduction - I am a web developer and have been for 13 years - Former sound engineer to the obscure and poor - Technical Director at MadeByPi - I love what I do PHP / Java / Actionscript / Javascript / C# Wear a mean hairnet About me

3. “ The problem of insecure software is perhaps the most important technical challenge of our time.” – OWASP Testing Guide Introduction. Photo courtesy http://www.flickr.com/photos/katescars/

4. Introduction - Notes based on personal professional experience Over 20+ third party tests on our applications Development orientated Simple code examples – not production code. This presentation

5. Introduction Open Web Application Security Project Best resource for developers / analysts / testers https://www.owasp.org / OWASP

6. Introduction SQL Injection Cross-Site Scripting (XSS) Broken Authentication and Session Management Insecure Direct Object References Cross-Site Request Forgery (CSRF) Security Misconfiguration Insecure Cryptographic Storage Failure to Restrict URL Access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards OWASP Top 10

7. Introduction SQL Injection Cross-Site Scripting (XSS) Broken Authentication and Session Management Insecure Direct Object References Cross-Site Request Forgery (CSRF) Security Misconfiguration Insecure Cryptographic Storage Failure to Restrict URL Access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards OWASP Top 10

8. SQL Injection http://www.flickr.com/photos/andresrueda/2983149263/

9. Injection http://xkcd.com/327/

10. Injection http://someserver/script.php?id=1;INSERT INTO members ('email','passwd','login_id','full_name')VALUES ('paul.lemon@gmail.com','hello',‘paul',’Paul Lemon'); Sample Code

11. Injection Confidential data can be disclosed The results of the query may not visible in the HTML Trial and error to iterate data in tables Execute long running queries Test for errors in page execution Vulnerable to inserts / updates / defacement How is it exploited

12. Injection Validation and Parameterised Query

13. Injection - Validate all input. Use PDO to create parameterised queries or Use a ORM or Database Library (not your own!) Set up your database permissions. Don’t expose your queries (logging etc) Code review Don’t be complacent How to prevent

14. Injection Validation is not just for the user’s benefit Cast to correct type i.e. intval / floatval / boolean Whitelist Input ranges - Reasonable minimums and maximums - Whitelist with regular expression - Blacklist with regular expression - Validate Email / Urls - Don’t rely on your model layer A quick note about validation

15. XSS http://www.flickr.com/photos/andresrueda/2983149263/

16. XSS http://someserver/script.php?name=<script>alert();</script> or http://bit.ly/lYMcHjkj Sample XSS

17. XSS http:// host/script.php?name=<script src='http://hacker/script.js' /> Sample XSS

18. XSS Potential Exploits - Theft of session cookies - Insertion of content / forms etc - Redirection to malicious sites - Insertion of trojan downloads / keyloggers etc.

19. XSS Varieties of XSS Persistent - data is stored in the database Nonpersistent - injected code is present in the URL/Request DOM Based - javascript executed in the page reads the request

20. XSS Trusted Not Trusted Posted Form Querystring Url Cookies HTTP Headers Web application Browser

21. XSS – Trust zones Trusted Not Trusted API Use HTTPS Treat as user input Web application

22. XSS – Trust zones Trusted Not Trusted Database Database may have been compromised Validation may have failed Escape all output Web application

23. XSS – Trust zones Trusted Not Trusted API Database Web application Browser

24. XSS – Trust zones Trusted Not Trusted API Database Your application should be modular too Web application Browser

25. XSS Escape all output ENT_QUOTES option is important – double and single quotes Page encoding is important If you need HTML output use HTML Purifier

26. XSS Escape all output – context is important

27. XSS ?name=<script>alert(&quot;hello&quot;);</script>& link=javascript:alert('hello') Escape all output – context is important

28. XSS ?name=<script>alert(&quot;hello&quot;);</script>& link=javascript:alert('hello') Escape all output – context is important

29. XSS

30. XSS Check your templating engine for XSS protection (options in Symfony 1/ Twig for escaping by default) Context is important to the escaping used - Image and Hyperlinks - Javascript blocks - CSS There is not a definitive solution for PHP https://www.owasp.org/index.php/ESAPI#tab=PHP  Preventing XSS

31. XSS Session cookie to use HTTPOnly in php.ini Or use PHP function session_set_cookie_params Cookies set as HTTPOnly

32. Session Exploits

33. Session Exploits Session Fixation Man in the middle attacks Overview

34. Session Exploits Allowing the session id to be passed on the querystring Url is sent via email to potential victim visit this url to the site http://localhost/?sessionid=1234 Victim logs in and this is attached to the session id Sender uses the original session id and gains access http://localhost/viewprofile?sessionid=1234 Session Fixation

35. Session Exploits Do not allow session id to be passed on the querystring Session Fixation – How to prevent

36. Session Exploits Where the attacker has access to the machine - First user notes down the session id on the computer - Second user logs in and this is attached to the session id - First user uses the original session id and gains access Session Fixation

37. Session Exploits Roll the session id when a user logs in You can change the session id more frequently… Session Fixation – How to prevent

38. Session Exploits Man in the middle attacks User logs in… Session Id - Cookie HTTP POST Web application Username / Password

39. Session Exploits Man in the middle attacks User logs in… Session Id - Cookie HTTP POST Ahoy! Web application Username / Password

40. Session Exploits Man in the middle attacks Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

41. Session Exploits - Login and authentication must always be over HTTPS Passwords are personal and confidential Users are not disciplined (Store your passwords securely SHA1 / Salt ) Man in the middle attacks

42. Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Session Id - Cookie Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

43. Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Session Id - Cookie Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

44. Session Exploits Authenticated session cookies should be delivered over SSL Use HTTPS only option on session cookie Use a separate domain if you can e.g. https://admin.yoursite/ Use a separate path for your session cookie Man in the middle attacks

45. Session Exploits Man in the middle attacks

46. Session Exploits Man in the middle attacks

47. Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

48. Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Curses! Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application

49. Session Exploits Man in the middle attacks Sometimes you cannot limit session to HTTPS Users can log in and see non-secure data in public pages There are still secure areas of the site Use two cookies Or make the user login again

50. Session Exploits Username / Password User logs in… Session Id – Cookie SECURE HTTP S POST Open Zone of Web application User visits a non-secure page Resource downloaded HTTP GET Session Id Extra Auth – Cookie SECURE Web application

51. Session Exploits Username / Password User logs in… Session Id – Cookie SECURE HTTP S POST Secure Zone of Web application User visits a non-secure page Response HTTP S GET/POST/PUT Session Id Extra Auth – Cookie SECURE Extra Auth – Cookie Web application

52. XSRF

53. XSRF – Sorry no time

54. Conclusions

55. Conclusions Get someone else to do the work

56. Conclusions Use a framework. I like symfony. Use a well supported platform / CMS Check their response to security issues If there is no solution – check again (and again) Get someone else to do the work

57. Conclusions - Expect there to be faults – test as much as you can. Expect there to be attacks – monitor your site Stay on top of your versions – PHP / MySQL etc Input validation is critical Code for quality / Unit tests / regression Code review Operate with least privilege Establish a build and deployment script Read OWASP Recommendations

58. XSS cheatlist: http://ha.ckers.org/xss.html OWASP: https://www.owasp.org/index.php/Main_Page HTML Purifier: http://htmlpurifier.org/ Context aware templates: http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html MadeByPi: http://www.madebypi.co.uk Conclusions Resources

59. Are you feeling secure – notes from the trenches Paul Lemon @anthonylime – paul.lemon@gmail.com http://joind.in/3603