Web Application Security Update: Top Vulnerabilities

Eric Mann
October 24, 2019

The Open Web Application Security Project (OWASP) curates a list of the top ten security risks for web applications and how to mitigate them. The ever-changing world of web development created a challenge for the 2017 list, which needed to combine existing approaches with modern trends in web development. This talk looks at each item in the list from a PHP perspective, demonstrates what can go wrong, and shows how to make sure it won't happen on our websites.

The Open Web Application Security Project (OWASP) curates a list of the top ten application security risks for web applications. It is a great place to start when developing a strong security stance for your application and team. Security is an ever-changing field, and it's important to keep up to date with modern trends in mitigating vulnerabilities.

With the attendees, we will look at each item in the list, and show:
- How to detect the risk in your own code
- How to patch or prevent the risk
- Practical resources for taking further actions to protect your stack


Transcript

  1. Web Application Security Update: Top Vulnerabilities Eric Mann

  3. ASR 1 - Injection

  4. The attacker's hostile data can trick the interpreter into executing

    unintended commands or accessing data without proper authorization.
  5. xkcd: Exploits of a Mom - https://xkcd.com/327/

  6. Vulnerable: untrusted input concatenated into the query

     $db = new \PDO(...);
     $name = $_POST['name'];
     $sql = "SELECT * FROM users WHERE email='$name'";
     foreach ($db->query($sql) as $user) {
         // ...
     }

     curl -X POST -d "name=a@b.com' OR 1=1;--" http://yoursite.com

     SELECT * FROM users WHERE email='a@b.com' OR 1=1;--'
  7. Fixed: the value is bound as a parameter, never spliced into the SQL

     $db = new \PDO(...);
     $name = $_POST['name'];
     $sql = "SELECT * FROM users WHERE email=:email";
     $statement = $db->prepare($sql);
     $statement->execute([':email' => $name]);
     foreach ($statement as $user) {
         // ...
     }

     curl -X POST -d "name=a@b.com' OR 1=1;--" http://yoursite.com

     SELECT * FROM users WHERE email='a@b.com\' OR 1=1;--'

     The last line only illustrates the effect: with a real prepared statement the parameter travels to the server as data and is never parsed as SQL. Set PDO::ATTR_EMULATE_PREPARES to false so the database, not the client driver, does the binding.
  8. Vulnerable: the filename is handed straight to a shell

     function serve_file($filename) {
         header("Content-Type: application/octet-stream");
         header("Content-Disposition: attachment; filename=\"{$filename}\"");
         header("Content-Length: 11111");
         passthru("cat /home/uploads/" . $filename);
         exit();
     }

     curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

     cat /home/uploads/;cat /etc/letsencrypt/site.com/privkey.pem
  9. Fixed: strip any path component and quote the argument before it reaches the shell

     function serve_file($filename) {
         // Sanitize the filename before it's used
         $sanitized = basename($filename);
         header("Content-Type: application/octet-stream");
         header("Content-Disposition: attachment; filename=\"{$sanitized}\"");
         header("Content-Length: 11111");
         $path = "/home/uploads/{$sanitized}";
         passthru('cat ' . escapeshellarg($path));
         exit();
     }

     curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

     cat '/home/uploads/privkey.pem'
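
The slide's fix keeps the shell and makes the argument safe. The stronger fix is to not shell out at all: PHP can stream the file itself, and a realpath() containment check catches symlinks and ".." that basename() alone would not. The following is an added example, not code from the talk; the uploads directory, the resolve_upload() helper and the sample filenames are assumptions for illustration.

```php
<?php
// Added example (not from the talk): serve an upload without ever invoking a
// shell. UPLOAD_DIR and resolve_upload() are names chosen for this example.

const UPLOAD_DIR = '/home/uploads';

/**
 * Resolve a user-supplied name to a file inside UPLOAD_DIR, or return null.
 * realpath() collapses "..", "./" and symlinks, so the containment check
 * compares canonical paths rather than the raw string.
 */
function resolve_upload(string $filename): ?string
{
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory component the client sent.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($filename));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: the canonical path must sit under the canonical base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function serve_file(string $filename): void
{
    $path = resolve_upload($filename);
    if ($path === null) {
        http_response_code(404);
        exit();
    }
    // Only a restricted character set reaches the Content-Disposition header,
    // so a crafted name cannot inject quotes into the header value.
    $download_name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $download_name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);   // no shell, so no command injection surface at all
    exit();
}

// Constructed inputs: a normal name, the payload from the slide, and a
// traversal attempt. None of them reaches a shell; the last two are rejected.
foreach ([
    'report.pdf',
    ';cat /etc/letsencrypt/site.com/privkey.pem',
    '../../etc/passwd',
] as $name) {
    $resolved = resolve_upload($name);
    echo str_pad($name, 45) . ' => ' . ($resolved ?? 'rejected') . PHP_EOL;
}
```

The containment check is what matters: basename() happens to defeat the slide's payload, but a symlink dropped into the uploads directory, or an upload name the server itself composed from several parts, would slip past it. Comparing realpath() results closes both.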
  10. ASR 2 - Broken Authentication

  11. Application functions related to authentication and session management are often

    not implemented correctly...
  12. Client-side Sessions

     - Don't trust the user to store sensitive information
     - Don't trust information provided by the user
     - Don't store sensitive information with an untrusted party
     - Don't use cookies to store sensitive data (if you are using cookies, use secure cookies, but only store identifiers)
  13. Password Management

     - Passwords should NEVER be stored in plaintext.
     - Passwords should NEVER be stored with (reversible) encryption.
     - Passwords should ONLY be stored using slow, salted one-way hashes (password_hash() in PHP).
     - Try to avoid passwords in the first place...
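
How "one-way hash only" looks in PHP, as an added example that is not part of the talk. The in-memory $users array stands in for a database, and register()/login() are names chosen here; the hashing calls themselves are PHP's standard password_hash(), password_verify() and password_needs_rehash().

```php
<?php
// Added example (not from the talk): store only a one-way hash, verify in
// constant time, and transparently re-hash on login when the cost changes.

// Cost is tunable: raise it as hardware gets faster. PASSWORD_DEFAULT is bcrypt
// today and may change in future PHP releases, which is why
// password_needs_rehash() exists.
const HASH_OPTIONS = ['cost' => 12];

function register(array &$users, string $email, string $password): void
{
    // The plaintext is never stored; only the salted, slow hash is.
    $users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS)];
}

function login(array &$users, string $email, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    $known = isset($users[$email]);
    // Always run password_verify() so an unknown address costs about the same
    // time as a wrong password and does not reveal which addresses exist.
    $stored = $known ? $users[$email]['hash'] : $dummy;
    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    // We only hold the plaintext at login time, so this is the moment to
    // upgrade hashes made with an older algorithm or a lower cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$email]['hash'] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return true;
}

// Constructed data for the demo.
$users = [];
register($users, 'alice@example.com', 'correct horse battery staple');
var_dump(login($users, 'alice@example.com', 'correct horse battery staple'));
var_dump(login($users, 'alice@example.com', 'wrong'));
var_dump(login($users, 'nobody@example.com', 'anything'));
```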

  16. Problems with JWT

     - Leaking sensitive information (the payload is only base64url-encoded, not encrypted)
     - The `none` algorithm is defined by the spec, and some libraries accept it
     - Algorithm confusion - RSA vs HMAC (a verifier that lets the token choose the algorithm can be made to treat the RSA public key as an HMAC secret)
     - Weak algorithms are allowed
  17. What you should do

     - Only store session data on the server
     - Ensure strong authentication protects user identities
     - Lock down insecure algorithms and primitives
     - Only use trusted third-party library implementations
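
What "lock down insecure algorithms" means for a JWT verifier, as an added example that is not from the talk: the expected algorithm is a server-side constant, so a token that says alg=none (or swaps RS256 for HS256) is rejected before any signature check, and the claims are only read after the MAC verifies. It is toy code to make the checks visible; in production configure a maintained library with exactly this pinning. The token layout is the standard header.payload.signature in base64url; the secret and claims are placeholders constructed here.

```php
<?php
// Added example (not from the talk): a minimal HS256 verifier that pins the
// algorithm instead of trusting the token's "alg" header.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data)
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true);   // false on bad input
}

function verify_hs256(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    // 1. The algorithm is a server-side constant. A header saying "none",
    //    "RS256" or anything else is an error, not a choice the token gets to make.
    $header = json_decode((string) base64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // 2. Recompute the MAC over the exact signed bytes; compare in constant time.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $given = base64url_decode($s);
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }

    // 3. Only now read the claims, and require a valid expiry.
    $claims = json_decode((string) base64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || time() >= $claims['exp']) {
        return null;
    }
    return $claims;
}

// Constructed tokens. The secret is a placeholder, not a real key.
$secret = 'example-only-secret';
$payload = base64url_encode(json_encode(['sub' => 42, 'exp' => time() + 600]));

$header = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$valid = "$header.$payload." . base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));

// Attack 1: alg=none with an empty signature.
$none = base64url_encode(json_encode(['alg' => 'none', 'typ' => 'JWT'])) . ".$payload.";

// Attack 2: keep the genuine signature but change the claims.
$forgedPayload = base64url_encode(json_encode(['sub' => 1, 'exp' => time() + 600]));
$tampered = "$header.$forgedPayload." . explode('.', $valid)[2];

var_dump(verify_hs256($valid, $secret));      // the claims array
var_dump(verify_hs256($none, $secret));       // rejected at step 1
var_dump(verify_hs256($tampered, $secret));   // rejected at step 2
```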
  18. ASR 3 - Sensitive Data Exposure

  19. Many web applications do not adequately protect sensitive data, such

    as credit cards, tax IDs, and authentication credentials.
  20. Photo borrowed from Schneier on Security: https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html

  21. Sensitive Data Retention

     - What data do you retain?
     - Why do you need this data in the first place?
     - Who has access to the data?
     - Where are backups stored?
     - Who has access to the data via the backup system?
  22. Encoding is not encryption!

  23. Five rounds of strrev() and base64 are obfuscation, not encryption: there is no key, so anyone with the code (or a few minutes) recovers the plaintext.

     function encodeString($str) {
         for ($i = 0; $i < 5; $i++) {
             $str = strrev(base64_encode($str));
         }
         return $str;
     }

     function decodeString($str) {
         for ($i = 0; $i < 5; $i++) {
             $str = base64_decode(strrev($str));
         }
         return $str;
     }

     encodeString('this is a secret');
     QVlRHZlbopUYxQWShRkTUR1aaVUWuB3UNdlR2NmRWplUuJkVUxGcPFGbGVkVqp0VUJjUZdVVaNVTtVUP
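
For contrast, actual encryption of the same string, as an added example that is not from the talk. It uses PHP's bundled libsodium (PHP 7.2+): a secret key, a fresh random nonce per message, and an authentication tag, so a modified ciphertext is detected instead of decoded. The key is generated at run time here; in practice it comes from a secrets store, never from the same place as the data. encrypt_secret()/decrypt_secret() are names chosen for this example.

```php
<?php
// Added example (not from the talk): authenticated encryption with
// sodium_crypto_secretbox, next to the reversible "encoding" on the slide.

function encrypt_secret(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // The nonce is not secret; prepend it so decryption can find it.
    return base64_encode($nonce . $box);
}

function decrypt_secret(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Returns false when the key is wrong or any byte has been modified.
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

$key = sodium_crypto_secretbox_keygen();
$token = encrypt_secret('this is a secret', $key);

var_dump(decrypt_secret($token, $key));

// Flip one bit of the ciphertext: authentication fails and nothing is returned,
// whereas decodeString() on the slide happily "decodes" any input at all.
$tampered = base64_decode($token);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(decrypt_secret(base64_encode($tampered), $key));

// Two encryptions of the same plaintext differ because the nonce is fresh.
var_dump($token !== encrypt_secret('this is a secret', $key));

sodium_memzero($key);
```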
  24. ASR 4 - XML External Entities

  25. Untrusted XML input containing a reference to an external entity

    is processed by a weakly configured XML parser ...
  26. A harmless internal entity, and the same mechanism pointed at a local file

     <?xml version="1.0"?>
     <!DOCTYPE info [<!ENTITY name "php[tek]">]>
     <info>
       <author>Friend of &name;</author>
       <conference>&name;</conference>
       <event>&name; - 2019</event>
     </info>

     <!DOCTYPE vulnerable [<!ENTITY info SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>
     <vulnerable>
       <config>&info;</config>
     </vulnerable>
  27. Entity expansion ("billion laughs"): a few hundred bytes of DTD expand to 2^100 copies of "BOOM!" in memory

     <!DOCTYPE bomb [
       <!ENTITY x0 "BOOM!">
       <!ENTITY x1 "&x0;&x0;">
       <!ENTITY x2 "&x1;&x1;">
       <!ENTITY x3 "&x2;&x2;">
       <!ENTITY x4 "&x3;&x3;">
       <!-- ... Repeat for entities from x5 through x98 -->
       <!ENTITY x99 "&x98;&x98;">
       <!ENTITY bomb "&x99;&x99;">
     ]>
     <vulnerable>
       <explosive>&bomb;</explosive>
     </vulnerable>
  28. What you should do

     $default = libxml_disable_entity_loader(true);
     $dom = new DOMDocument();
     $dom->loadXML($xml);
     // Do things with XML
     // Restore the previous value
     libxml_disable_entity_loader($default);

     Caveat: libxml_disable_entity_loader() is deprecated as of PHP 8.0, because with libxml 2.9+ external entities are no longer loaded unless the code asks for it. On any version, never pass LIBXML_NOENT or LIBXML_DTDLOAD to loadXML() (LIBXML_NOENT, despite its name, turns entity substitution on), and reject documents that declare a DOCTYPE at all if your format has no use for one.
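
A loader that applies those rules on both older and current PHP, as an added example that is not from the talk. It switches the entity loader off only where that call still matters, parses with network access disabled, and refuses any document carrying a DOCTYPE, which is the one thing XXE and the entity bomb both need. safe_load_xml() and the three sample documents are constructed for this example.

```php
<?php
// Added example (not from the talk): parse untrusted XML with entity
// substitution and network access off, and refuse inline DTDs outright.

function safe_load_xml(string $xml): ?DOMDocument
{
    // On PHP < 8.0 the loader must be switched off explicitly; newer PHP with
    // libxml 2.9+ already refuses external entities unless asked to load them.
    $restore = null;
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        $restore = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network fetches. LIBXML_NOENT is deliberately absent:
    // it would enable the substitution we are trying to prevent.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($restore !== null) {
        libxml_disable_entity_loader($restore);
    }

    if (!$ok || $dom->doctype !== null) {
        return null;   // malformed, or carries a DTD we refuse to honour
    }
    return $dom;
}

// Constructed inputs: a plain document, an external-entity probe, and a tiny
// entity bomb. Only the first is accepted.
$benign = '<?xml version="1.0"?><info><conference>php[tek]</conference></info>';
$xxe    = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY info SYSTEM "file:///etc/passwd">]><x>&info;</x>';
$bomb   = '<?xml version="1.0"?><!DOCTYPE b [<!ENTITY x0 "BOOM!"><!ENTITY x1 "&x0;&x0;">]><b>&x1;</b>';

foreach (['benign' => $benign, 'xxe' => $xxe, 'bomb' => $bomb] as $label => $doc) {
    $result = safe_load_xml($doc);
    echo $label, ': ', $result === null ? 'rejected' : 'parsed <' . $result->documentElement->tagName . '>', PHP_EOL;
}
```

Rejecting on DOCTYPE is blunt but cheap and easy to reason about. If a format genuinely needs a DTD, keep the other two defences (no NOENT/DTDLOAD, loader off) and additionally bound input size before parsing.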
  29. ASR 5 - Broken Access Control

  30. Restrictions on what authenticated users are allowed to do are

    not properly enforced.
  31. Every check asks whether someone is logged in; none asks which user may be edited

     $app->post('/profile', function ($request, $response, $args) {
         if (!isset($_SESSION['user_id']) || !$this->users->get($_SESSION['user_id'])) {
             return $response->withRedirect('/?error=notloggedin');
         }

         $userID = $request->getParam('user_id');
         $fname  = $request->getParam('fname');
         $lname  = $request->getParam('lname');
         $email  = $request->getParam('email');

         // Retrieve the user's account from the database (via the app container)
         $user = $this->users->get(intval($userID));
         $user->profile->fname = filter_var($fname, FILTER_SANITIZE_STRING);
         $user->profile->lname = filter_var($lname, FILTER_SANITIZE_STRING);
         $user->profile->email = filter_var($email, FILTER_SANITIZE_EMAIL);
         $this->users->update($user);
     });

     The user_id that selects the record to update comes from the request body, so any authenticated user can overwrite any other user's profile by changing a single parameter (an insecure direct object reference).
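
The same update with the authorization decision taken from the server-side session rather than a request parameter, as an added example that is not from the talk. It is written framework-free so it runs on its own: the UserRepository interface, the can_edit_profile() rule and the in-memory repository are assumptions standing in for the container-provided $this->users in the slide.

```php
<?php
// Added example (not from the talk): profile update with an explicit,
// reusable authorization check. Names and the repository are constructed here.

interface UserRepository
{
    public function get(int $id): ?array;
    public function update(int $id, array $profile): void;
}

/**
 * Who may edit whose profile. One function, so the rule is testable and every
 * route that touches a profile applies the same one.
 */
function can_edit_profile(array $actor, int $targetId): bool
{
    return $actor['id'] === $targetId || ($actor['role'] ?? '') === 'admin';
}

function update_profile(array $session, array $params, UserRepository $users): array
{
    $actorId = $session['user_id'] ?? null;
    $actor = $actorId === null ? null : $users->get((int) $actorId);
    if ($actor === null) {
        return ['status' => 302, 'location' => '/?error=notloggedin'];
    }

    // Default to the caller's own account; an explicit target is honoured
    // only after the authorization rule says so.
    $targetId = isset($params['user_id']) ? (int) $params['user_id'] : $actor['id'];
    if (!can_edit_profile($actor, $targetId) || $users->get($targetId) === null) {
        return ['status' => 403];
    }

    // Validate rather than sanitize: an invalid address is an error, not
    // something to silently mangle.
    $email = filter_var($params['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return ['status' => 422, 'error' => 'invalid email'];
    }
    // Names are stored as given (escaped on output) but length-limited here.
    $profile = [
        'fname' => mb_substr(trim($params['fname'] ?? ''), 0, 100),
        'lname' => mb_substr(trim($params['lname'] ?? ''), 0, 100),
        'email' => $email,
    ];
    $users->update($targetId, $profile);
    return ['status' => 200];
}

// Constructed in-memory repository for the demo.
$repo = new class implements UserRepository {
    private array $rows = [
        1 => ['id' => 1, 'role' => 'user', 'email' => 'alice@example.com'],
        2 => ['id' => 2, 'role' => 'user', 'email' => 'bob@example.com'],
    ];
    public function get(int $id): ?array { return $this->rows[$id] ?? null; }
    public function update(int $id, array $profile): void { $this->rows[$id] = $profile + $this->rows[$id]; }
};

// Alice (user 1) tries to overwrite Bob's profile: 403.
var_dump(update_profile(['user_id' => 1], ['user_id' => 2, 'email' => 'evil@example.com'], $repo));
// Alice edits her own profile: 200.
var_dump(update_profile(['user_id' => 1], ['email' => 'alice@example.org', 'fname' => 'Alice'], $repo));
```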
  32. United Airlines experienced this vulnerability in their mobile app in

    2015 - https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability//
  33. ASR 6 - Security Misconfiguration

  34. Secure settings should be defined, implemented, and maintained, as defaults

    are often insecure.
  35. PHP Settings

     - Disable error display (display_errors)
     - Disable remote includes (allow_url_fopen and allow_url_include)
     - Set reasonable resource maximums (upload_max_filesize and memory_limit)
     - Leverage the disable_functions directive to block dangerous functions: exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, create_function. Note that eval is a language construct, not a function, so disable_functions cannot block it; only code review and avoiding it can.
  36. Webserver Settings (Nginx / Apache / etc)

     - Disable server tokens and signature disclosure
     - Configure a static server name (don't trust potentially malicious HOST headers)
     - Disable directory listing (Nginx autoindex off; Apache Options -Indexes)
     - ALWAYS configure strong TLS certificates and cipher suites for secure access
     - Return proper error codes
  37. Database (MySQL) Settings

     - Set an appropriate bind-address
     - Ensure users are configured from the correct host, not a % wildcard
     - Limit user permissions on the database to just what the application needs
  38. ASR 7 - Cross-Site Scripting (XSS)

  39. An application takes untrusted data and sends it to a

    web browser without proper validation or escaping.
  40. Vulnerable: request data echoed straight into the page

     <div id="results">
       <span>Search results for: "<?php echo $data['s']; ?>"</span>
       <?php if ($results) : ?>
         <ul>
           <?php foreach ($results as $result) : ?>
             <li><a href="<?php echo $result->href; ?>"><?php echo $result->title; ?></a></li>
           <?php endforeach; ?>
         </ul>
       <?php else : ?>
         <span>No results for '<?php echo $data['s']; ?>'</span>
       <?php endif; ?>
     </div>

     Rendered with s=<script src="..."></script>:

     <div id="results">
       <span>Search results for: <script src="..."></script></span>
       <span>No results for '<script src="..."></script>'</span>
     </div>
  41. The slide's fix: strip tags from the input before it is echoed

     <?php $query = filter_var($data['s'], FILTER_SANITIZE_STRING); ?>
     <div id="results">
       <span>Search results for: "<?php echo $query; ?>"</span>
       <?php if ($results) : ?>
         <ul>
           <?php foreach ($results as $result) : ?>
             <li><a href="<?php echo $result->href; ?>"><?php echo $result->title; ?></a></li>
           <?php endforeach; ?>
         </ul>
       <?php else : ?>
         <span>No results for '<?php echo $query ?>'</span>
       <?php endif; ?>
     </div>

     Rendered:

     <div id="results">
       <span>Search results for: ""</span>
       <span>No results for ''</span>
     </div>

     Caveat: FILTER_SANITIZE_STRING strips tags and encodes quotes but nothing else, destroys legitimate input (the user's query vanishes above), and is deprecated as of PHP 8.1. It also does nothing for $result->href and $result->title, which are still echoed raw. The robust fix is to escape every value on output for the context it lands in (htmlspecialchars() with ENT_QUOTES for HTML text and attribute values) and to validate URLs before placing them in an href.
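
Output escaping per context, as an added example that is not from the talk. e() and safe_href() are helper names chosen here; the attacker-controlled query and result rows are constructed for the demo. Unlike the stripped version, the user's query survives as visible text, and a javascript: URL in a result link is neutralised as well.

```php
<?php
// Added example (not from the talk): escape on output, per context, instead of
// stripping input. Helper names are chosen for this example.

// HTML text and attribute-value context: encode the significant characters.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL-in-attribute context: escaping alone does not stop "javascript:" URLs,
// so validate the scheme first and fall back to a harmless value.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

function render_results(string $query, array $results): string
{
    $out = '<div id="results">';
    if ($results) {
        $out .= '<span>Search results for: "' . e($query) . '"</span><ul>';
        foreach ($results as $result) {
            $out .= '<li><a href="' . safe_href($result['href']) . '">' . e($result['title']) . '</a></li>';
        }
        $out .= '</ul>';
    } else {
        $out .= "<span>No results for '" . e($query) . "'</span>";
    }
    return $out . '</div>';
}

// Constructed attacker-controlled inputs.
$query = '"><script src="//evil.example/x.js"></script>';
$results = [
    ['href' => 'https://example.com/doc', 'title' => 'Legit <b>result</b>'],
    ['href' => 'javascript:alert(document.cookie)', 'title' => 'Click me'],
];

echo render_results($query, $results), PHP_EOL;
echo render_results($query, []), PHP_EOL;
```

The two helpers cover HTML text, attribute values and href. Data placed inside a <script> block or an inline event handler is a different context again and needs JSON encoding or, better, a refactor that keeps it out of script entirely.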
  42. ASR 8 - Insecure Deserialization

  43. Languages’ native deserialization mechanisms can be repurposed for malicious effect

    when operating on untrusted data.
  44. A destructor with a side effect is all an attacker needs

     class CartCache {
         public $cache_file;
         public $data = [];
         public $cleanup = true;
         // ...

         /**
          * Automatically purge the cache file from disk to clean up
          */
         public function __destruct() {
             $file = "/var/www/cache/tmp/carts/{$this->cache_file}";
             if ($this->cleanup && file_exists($file)) {
                 @unlink($file);
             }
         }
     }

     $data = unserialize($_GET['data']);

     https://yoursite.com/endpoint.php?data=O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}

     Nothing in the request calls __destruct(); PHP does, as soon as the unserialized object goes out of scope, and the path resolves to /var/www/index.php.
  45. Do not pass untrusted user input to unserialize(), regardless of the allowed_classes option. Even with allowed_classes set to false, unserialize() remains a complex parser with a history of memory-safety bugs, and the PHP manual itself gives this warning. Exchange data with clients as JSON (json_decode() never instantiates application objects), and where PHP serialization is unavoidable, authenticate the blob before unserialize() ever sees it.
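
Both alternatives side by side, as an added example that is not from the talk: plain JSON for client-supplied state, and an HMAC-sealed serialize() for state the server itself issued (a cookie, a signed cache key). The gadget payload from the slide is fed to both paths and rejected by both. Function names and the demo key are constructed here.

```php
<?php
// Added example (not from the talk): take state from a client without handing
// untrusted bytes to unserialize().

// Option 1: a plain-data format. json_decode() only ever produces arrays and
// scalars, so there is no magic method for an attacker to reach.
function decode_cart_json(string $input): ?array
{
    $cart = json_decode($input, true, 8);
    return is_array($cart) ? $cart : null;
}

// Option 2: HMAC-sealed serialize() for server-issued state.
function seal(array $state, string $key): string
{
    $blob = serialize($state);
    return base64_encode(hash_hmac('sha256', $blob, $key, true) . $blob);
}

function unseal(string $sealed, string $key): ?array
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 32) {
        return null;
    }
    $mac = substr($raw, 0, 32);
    $blob = substr($raw, 32);
    // Constant-time comparison; reject before unserialize() sees the bytes.
    if (!hash_equals(hash_hmac('sha256', $blob, $key, true), $mac)) {
        return null;
    }
    // Belt and braces: even verified data may only contain arrays and scalars.
    $state = unserialize($blob, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}

$key = random_bytes(32);   // in practice: a fixed key from configuration

$sealed = seal(['items' => [['sku' => 'A1', 'qty' => 2]]], $key);
var_dump(unseal($sealed, $key));

// The gadget payload from the slide is neither JSON nor signed: both paths reject it.
$payload = 'O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}';
var_dump(decode_cart_json($payload));
var_dump(unseal(base64_encode(str_repeat("\0", 32) . $payload), $key));
```

The seal only proves the bytes came from the server; it does not make serialize() a good interchange format. Reach for it when a legacy consumer insists on PHP serialization, and use JSON everywhere else.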
  46. ASR 9 - Using Components with Known Vulnerabilities

  47. Applications using components with known vulnerabilities may undermine application defenses

    and enable a range of possible attacks and impacts.
  48. Audit Application Dependencies

     - Monitor Composer-installed dependencies for outdated or vulnerable libraries
     - Leverage unattended-upgrades to keep system packages up-to-date
     - Audit the packages installed on your server - don't install things you don't need
  49. Custom error messages can help demonstrate when a security hole

    has been plugged. Or annoy those who were exploiting it in the first place...
  50. Audit Application Dependencies

     - Monitor Composer-installed dependencies for outdated or vulnerable libraries
     - Leverage unattended-upgrades to keep system packages up-to-date
     - Audit the packages installed on your server - don't install things you don't need
     - Only run current, supported versions of PHP!!!
  51. ASR 10 - Insufficient Logging & Monitoring

  52. Attackers rely on the lack of monitoring and timely response

    to achieve their goals without being detected.
  53. It's Important to Track:

     - What happened
     - When it happened
     - Where it happened (in terms of code and the IP of the server)
     - To whom it happened
     - What input triggered the event
  54. Event Classes

     - Input Validation Errors
     - Output Validation Errors
     - Authentication Events
     - Authorization (Access Control) Failures
     - Application Errors
     - Application Startup/Shutdown
     - High-risk Operations
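
One event record carrying the what/when/where/whom/input fields from slide 53, tagged with one of the classes from slide 54 and written as a JSON line a SIEM can index, as an added example that is not from the talk. security_event() and the two sample events are constructed here; note how the triggering input is kept but bounded and control-escaped so a crafted value cannot forge a second log line.

```php
<?php
// Added example (not from the talk): a structured security event logger.
// Names and the sample events are constructed for this example.

const EVENT_CLASSES = [
    'input_validation', 'output_validation', 'authentication',
    'authorization', 'application_error', 'lifecycle', 'high_risk_operation',
];

function security_event(string $class, string $message, array $context = [], ?string $userId = null, ?string $input = null): string
{
    if (!in_array($class, EVENT_CLASSES, true)) {
        throw new InvalidArgumentException("unknown event class: $class");
    }
    // "Where" in code: frame 0 is the call site of this helper, frame 1 its caller.
    $trace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2);
    $record = [
        'what'    => $message,
        'class'   => $class,
        'when'    => (new DateTimeImmutable('now', new DateTimeZone('UTC')))->format(DATE_RFC3339_EXTENDED),
        'where'   => [
            'function' => $trace[1]['function'] ?? 'main',
            'file'     => basename($trace[0]['file'] ?? 'unknown'),
            'line'     => $trace[0]['line'] ?? null,
            'host'     => gethostname(),
            'server'   => $_SERVER['SERVER_ADDR'] ?? null,
        ],
        'who'     => ['user_id' => $userId, 'client_ip' => $_SERVER['REMOTE_ADDR'] ?? null],
        // Keep the offending input, bounded and with control bytes escaped, so a
        // newline in a malicious value cannot inject a fake log entry.
        'input'   => $input === null ? null : substr(addcslashes($input, "\0..\37"), 0, 512),
        'context' => $context,
    ];
    $line = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_PARTIAL_OUTPUT_ON_ERROR);
    error_log($line);   // or an append-only file / syslog shipped off the host
    return $line;
}

function login_attempt(string $email, bool $ok): void
{
    // Never log the password itself; the address and outcome are enough.
    security_event('authentication', $ok ? 'login succeeded' : 'login failed', ['email' => $email]);
}

// Constructed events: a failed login and an injection probe with an embedded newline.
login_attempt('alice@example.com', false);
security_event('input_validation', 'rejected search query', [], '42', "a@b.com' OR 1=1;--\nforged line");
```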
  55. Want to know more? Security Principles for PHP Applications Available

    online and in print through php[architect]
  56. Questions?

  57. Thank you eric.mann@vacasa.com | 503.925.6266