Hacking your PHP application

Evandro Mohr

June 07, 2019

Transcript

  1. Hacking your PHP Application

  2. Key concepts
    Confidentiality, Integrity, Availability

  3. Risks
    Are you aware?

  4. Attackers have an advantage over defenders
    ✓ Attacker must succeed once
    ✓ Attacker can choose the weakest spot
    ✓ Attacker can leverage zero-days
    ✓ Attacker can play dirty
    ✘ Defender must get it right all the time
    ✘ Defender must defend all places
    ✘ Defender can only defend against known attacks
    ✘ Defender needs to play by the rules

  5. Threat Agents → Attack Vectors → Security Weaknesses → Security Controls → Technical Impacts → Business Impacts

  6. Where Do The Attacks Come From?
    your office

  7. OWASP Top 10 Application Security Risks - 2017
    1. Injection
    2. Broken Authentication
    3. Sensitive Data Exposure
    4. XML External Entities (XXE)
    5. Broken Access Control
    6. Security Misconfiguration
    7. Cross-Site Scripting (XSS)
    8. Insecure Deserialization
    9. Using Components with Known Vulnerabilities
    10. Insufficient Logging & Monitoring

  8. Approaches
    Can I play, Daddy? / Bring ‘em on! / I am Death incarnate!

  9. Apprentice

  10. Black Sorcerer

  11. Security process is easy
    Keep Security Simple

  12. Let’s review some concepts
    Filter inputs, escape outputs
    Minimize attack surface area
    Least privilege
    Defense in depth
    Fail securely
    Avoid security by obscurity
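The principles on this slide, worked through in one small PHP request handler. This is an added example, not code from the deck or from the in-secure repository; the `products` table, the `handleProductRequest` function and the other names are hypothetical, and the script assumes the `pdo_sqlite` extension so it can run against an in-memory database with constructed sample rows. It accepts exactly one allow-listed parameter (minimized attack surface), validates it before use (filter inputs), binds it into a prepared statement rather than concatenating it (defense in depth), HTML-encodes everything it renders (escape outputs), and turns any invalid input or internal error into a generic response while logging the detail server-side (fail securely).

```php
<?php
declare(strict_types=1);

// Hypothetical product-lookup endpoint used to illustrate the slide's principles.
// Storage is an in-memory SQLite database (assumes the pdo_sqlite extension),
// seeded with constructed sample rows so the script runs offline.
function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO products (id, name) VALUES (:id, :name)');
    // Constructed sample data; the second name carries markup to show output escaping.
    foreach ([[1, 'Plain widget'], [2, '<b>Bold</b> widget "special"']] as [$id, $name]) {
        $insert->execute([':id' => $id, ':name' => $name]);
    }
    return $pdo;
}

// Filter inputs: accept only an integer id in a known range.
// Anything else is rejected, so the raw value never reaches the query.
function validateProductId(array $query): ?int
{
    if (!array_key_exists('id', $query) || !is_string($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// Escape outputs: encode for an HTML text context; stored data is not trusted either.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Handle one request and return [status, body]. Fails securely: invalid input or an
// internal error yields a generic response; the detail goes only to the server log.
function handleProductRequest(PDO $pdo, array $query, ?callable $log = null): array
{
    $log = $log ?? static function (string $line): void { error_log($line); };

    $id = validateProductId($query);
    if ($id === null) {
        return [400, '<p>Invalid product id.</p>'];
    }

    try {
        // Parameterised query: the id is bound as data, never concatenated into SQL.
        $stmt = $pdo->prepare('SELECT name FROM products WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (Throwable $e) {
        $log('product lookup failed: ' . $e->getMessage()); // detail stays server-side
        return [500, '<p>Something went wrong.</p>'];         // no stack trace to the client
    }

    if ($row === false) {
        return [404, '<p>Product not found.</p>'];
    }
    return [200, '<h1>' . escapeHtml($row['name']) . '</h1>'];
}

// Demonstration with constructed inputs.
$pdo = openDatabase();
$cases = [
    ['id' => '2'],         // valid; rendered name is HTML-encoded
    ['id' => '1 OR 1=1'],  // fails integer validation, never reaches SQL
    ['id' => '-5'],        // out of the allowed range
    ['id' => '999'],       // well-formed but absent
    [],                    // missing parameter
];
foreach ($cases as $query) {
    [$status, $body] = handleProductRequest($pdo, $query, static function (string $line): void {
        fwrite(STDERR, $line . PHP_EOL);
    });
    printf("%-12s -> %d %s\n", var_export($query['id'] ?? null, true), $status, $body);
}
```

Run it with `php` on the command line. The validated id is the only thing the client controls, so the query shape is fixed regardless of what arrives; the database account the real application connects with should likewise be limited to the reads this endpoint needs (least privilege), which the in-memory setup here cannot show.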

  13. Thanks!
    Any questions?
    In-secure: https://github.com/EvandroMohr/in-secure
    Juice Shop: https://github.com/bkimminich/juice-shop
    WebGoat: https://github.com/WebGoat/WebGoat
    DVWA: https://github.com/ethicalhack3r/DVWA