Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking your PHP application

Evandro Mohr
June 07, 2019
Technology
0
63

Hacking your PHP application

Evandro Mohr

June 07, 2019
Tweet

More Decks by Evandro Mohr

See All by Evandro Mohr
DevSecOps: Criando uma Cultura shift left
evandromohr
0
97
Trabalhando com Escopo Aberto
evandromohr
1
64
Event-driven architecture
evandromohr
0
87
DevSecOps: Delivering secure software at speed and scale of DevOps
evandromohr
0
160
Event-Driven Architecture
evandromohr
1
100

Other Decks in Technology

See All in Technology
ハンズオンで学ぶ! Instana基礎
daihiraoka
1
120
MySQL and Vitess (and Kubernetes) at HubSpot
jfg956
0
140
ABEMAのRenderScript Intrinsics Replacement Toolkit 導入事例
takahana
0
250
Tech Dojo Introduction Of Monitoring
norimuraz
0
280
microCMS AI
microcms
0
390
時系列データをChatGPTで読み解いてみる【IoT-Tech Meetup】
soracom
PRO
0
600
これから始める継続的インテグレーション - GitHub Actions編
devops_vtj
0
150
2023.06.01_LangChain/Llamaindex/Whisperを使ったアプリケーション開発のまとめと展望
pharma_x_tech
0
180
Keynote: Kishore Gopalakrishna, StarTree - The Rise of Real-Time Analytics | RTA Summit 2023
startree
PRO
0
130
cgroup の歩き方 / TechFeed Experts Night #19
tenforward
0
230
AI in Action
charmichokshi
0
170
組織の立ち上げと体制変更の1年
tarappo
2
390

Featured

See All Featured
Robots, Beer and Maslow
schacon
154
7.5k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.5k
Ruby is Unlike a Banana
tanoku
93
9.7k
Statistics for Hackers
jakevdp
787
210k
No one is an island. Learnings from fostering a developers community.
thoeni
13
1.7k
Building Flexible Design Systems
yeseniaperezcruz
315
35k
[RailsConf 2023] Rails as a piece of cake
palkan
6
1.5k
Scaling GitHub
holman
453
140k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
214
12k
A Philosophy of Restraint
colly
195
15k
YesSQL, Process and Tooling at Scale
rocio
158
13k

Transcript

  1. Hacking you PHP Application

    View Slide


  2. 2

    View Slide

  3. Key concepts
    3
    Confidentiality
    Integrity Availability

    View Slide

  4. Risks
    Are you aware?
    4

    View Slide

  5. 5
    ✓ Attacker must succeed once
    ✓ Attacker can choose the weakest spot
    ✓ Attacker can leverage zero-days
    ✓ Attacker can play dirty
    ✘ Defender must get it right all the time
    ✘ Defender must defend all places
    ✘ Defender can only defend against
    known attacks
    ✘ Defender needs to play by the rules
    Attackers have advantage over defenders

    View Slide

  6. 6
    Threat
    Agents
    Attack
    Vectors
    Security
    Controls
    Technical
    Impacts
    Business
    Impacts
    Security
    Weaknesses

    View Slide

  7. Where The Attacks Come From?
    7
    your office

    View Slide

  8. 1. Injection
    2. Broken Authentication
    3. Sensitive Data Exposure
    4. XML External Entities (XXE)
    5. Broken Access Control
    OWASP Top 10 Application Security Risks - 2017
    6. Security Misconfiguration
    7. Cross-Site Scripting (XSS)
    8. Insecure Deserialization
    9. Using Components with Known
    Vulnerabilities
    10. Insufficient Logging & Monitoring
    8

    View Slide

  9. Approaches
    9
    Can I play, Daddy? Bring ‘em on! I am Death
    incarnate!

    View Slide

  10. Apprentice
    10

    View Slide

  11. Wizard
    11

    View Slide

  12. Black Sorcerer
    12

    View Slide

  13. 13

    View Slide

  14. Security process is easy
    Keep Security Simple
    14

    View Slide

  15. Let’s review some concepts
    Filter inputs, Escape outputs Minimize attack surface area Least privilege
    Defense in depth Fail securely Avoid security by obscurity
    15

    View Slide

  16. thanks!
    Any questions?
    In-secure: https://github.com/EvandroMohr/in-secure
    Juice store: https://github.com/bkimminich/juice-shop
    WebGoat: https://github.com/WebGoat/WebGoat
    DVWA: https://github.com/ethicalhack3r/DVWA
    16

    View Slide