
Hacking your PHP application

Evandro Mohr

June 07, 2019
Transcript

  1. Hacking your PHP Application

  3. Key concepts: Confidentiality, Integrity, Availability (the CIA triad)

  4. Risks: are you aware?

  5. Attackers have advantage over defenders
     ✓ Attacker must succeed once
     ✓ Attacker can choose the weakest spot
     ✓ Attacker can leverage zero-days
     ✓ Attacker can play dirty
     ✘ Defender must get it right all the time
     ✘ Defender must defend all places
     ✘ Defender can only defend against known attacks
     ✘ Defender needs to play by the rules

  6. OWASP risk path: Threat Agents → Attack Vectors → Security Weaknesses → Security Controls → Technical Impacts → Business Impacts

  7. Where do the attacks come from? Your office

  8. OWASP Top 10 Application Security Risks - 2017
     1. Injection
     2. Broken Authentication
     3. Sensitive Data Exposure
     4. XML External Entities (XXE)
     5. Broken Access Control
     6. Security Misconfiguration
     7. Cross-Site Scripting (XSS)
     8. Insecure Deserialization
     9. Using Components with Known Vulnerabilities
     10. Insufficient Logging & Monitoring

  9. Approaches
     Can I play, Daddy?
     Bring ‘em on!
     I am Death incarnate!

  10. Apprentice

  11. Wizard

  12. Black Sorcerer

  14. Security process is easy: Keep Security Simple

  15. Let’s review some concepts
      Filter inputs, escape outputs
      Minimize attack surface area
      Least privilege
      Defense in depth
      Fail securely
      Avoid security by obscurity
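The principles on this slide applied to two of the OWASP risks listed earlier (Injection and XSS), as an added PHP example that is not code from the deck or from the in-secure repository. The function names are hypothetical, the in-memory SQLite database and the attacker inputs are constructed here so the file runs offline, and it assumes the pdo_sqlite extension is loaded.

```php
<?php
declare(strict_types=1);

// Added example, not code from the deck or the in-secure repo. Function names are
// hypothetical; the in-memory SQLite database and the attacker inputs are constructed
// here so the file runs offline (requires the pdo_sqlite extension).

// Fixture: an in-memory database standing in for the application's real one.
function makeDb(): PDO
{
    // Fail securely: every PDO error becomes an exception instead of a silent false.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
    $db->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 0), ('bob', 1)");
    return $db;
}

// VULNERABLE: user input is concatenated into the SQL text (OWASP 2017 A1, Injection).
function lookupUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name, is_admin FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: filter the input against the shape a user name is allowed to have,
// then bind it as a parameter so the database never parses it as SQL.
function lookupUserSafe(PDO $db, string $name): array
{
    if (preg_match('/\A[a-z0-9_]{1,32}\z/', $name) !== 1) {
        // Fail securely: reject unexpected input rather than trying to clean it up.
        throw new InvalidArgumentException('invalid user name');
    }
    $stmt = $db->prepare('SELECT id, name, is_admin FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// VULNERABLE: untrusted text is written straight into the HTML response (A7, XSS).
function renderGreetingVulnerable(string $name): string
{
    return "<p>Hello, $name</p>";
}

// HARDENED: escape the output for the HTML context at the moment it is emitted.
function renderGreetingSafe(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = makeDb();
$sqlPayload = "' OR '1'='1";               // constructed attacker input
$xssPayload = '<script>alert(1)</script>'; // constructed attacker input

// The concatenated query becomes WHERE name = '' OR '1'='1', which matches every row,
// admin account included; the bound query treats the same bytes as a plain value.
printf("vulnerable lookup returned %d rows\n", count(lookupUserVulnerable($db, $sqlPayload)));
try {
    lookupUserSafe($db, $sqlPayload);
} catch (InvalidArgumentException $e) {
    printf("safe lookup rejected the payload: %s\n", $e->getMessage());
}
printf("safe lookup for a real user: %s\n", json_encode(lookupUserSafe($db, 'alice')));

// The raw greeting hands the browser a live script tag; the escaped one renders it as text.
echo renderGreetingVulnerable($xssPayload), "\n";
echo renderGreetingSafe($xssPayload), "\n";
```

Run it with `php example.php`. The remaining principle from the slide that the snippet cannot show with SQLite is least privilege: the database account the application connects with should hold only the rights it needs (here, SELECT on users), so that even a successful injection cannot UPDATE, DROP or read other tables, which is defense in depth behind the parameter binding.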

  16. Thanks! Any questions?
      In-secure: https://github.com/EvandroMohr/in-secure
      Juice Shop: https://github.com/bkimminich/juice-shop
      WebGoat: https://github.com/WebGoat/WebGoat
      DVWA: https://github.com/ethicalhack3r/DVWA