Hacking your PHP application

Transcript

1. Hacking you PHP Application

2. “ 2

3. Key concepts 3 Confidentiality Integrity Availability

4. Risks Are you aware? 4

5. 5 ✓ Attacker must succeed once ✓ Attacker can choose

   the weakest spot ✓ Attacker can leverage zero-days ✓ Attacker can play dirty ✘ Defender must get it right all the time ✘ Defender must defend all places ✘ Defender can only defend against known attacks ✘ Defender needs to play by the rules Attackers have advantage over defenders

6. 6 Threat Agents Attack Vectors Security Controls Technical Impacts Business

   Impacts Security Weaknesses

7. Where The Attacks Come From? 7 your office

8. 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4.

   XML External Entities (XXE) 5. Broken Access Control OWASP Top 10 Application Security Risks - 2017 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring 8

9. Approaches 9 Can I play, Daddy? Bring ‘em on! I

   am Death incarnate!

10. Apprentice 10

11. Wizard 11

12. Black Sorcerer 12

13. 13

14. Security process is easy Keep Security Simple 14

15. Let’s review some concepts Filter inputs, Escape outputs Minimize attack

    surface area Least privilege Defense in depth Fail securely Avoid security by obscurity 15

16. thanks! Any questions? In-secure: https://github.com/EvandroMohr/in-secure Juice store: https://github.com/bkimminich/juice-shop WebGoat: https://github.com/WebGoat/WebGoat

    DVWA: https://github.com/ethicalhack3r/DVWA 16