
Hacking your PHP application


Evandro Mohr

June 07, 2019

Transcript

  1. Hacking your PHP Application

  3. Key concepts: Confidentiality, Integrity, Availability

  4. Risks: Are you aware?

  5. Attackers have the advantage over defenders
     ✓ Attacker must succeed only once
     ✓ Attacker can choose the weakest spot
     ✓ Attacker can leverage zero-days
     ✓ Attacker can play dirty
     ✘ Defender must get it right all the time
     ✘ Defender must defend all places
     ✘ Defender can only defend against known attacks
     ✘ Defender needs to play by the rules
  6. How a risk unfolds (OWASP risk model): Threat Agents → Attack Vectors → Security Weaknesses → Security Controls → Technical Impacts → Business Impacts
  7. Where do the attacks come from? Your office

  8. OWASP Top 10 Application Security Risks - 2017
     1. Injection
     2. Broken Authentication
     3. Sensitive Data Exposure
     4. XML External Entities (XXE)
     5. Broken Access Control
     6. Security Misconfiguration
     7. Cross-Site Scripting (XSS)
     8. Insecure Deserialization
     9. Using Components with Known Vulnerabilities
     10. Insufficient Logging & Monitoring
  9. Approaches: “Can I play, Daddy?”, “Bring ‘em on!”, “I am Death incarnate!”
  10. Apprentice

  11. Wizard

  12. Black Sorcerer

  14. Security process is easy: Keep Security Simple

  15. Let’s review some concepts
     Filter inputs, escape outputs
     Minimize attack surface area
     Least privilege
     Defense in depth
     Fail securely
     Avoid security by obscurity
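The two OWASP Top 10 entries most often found in PHP code, Injection and Cross-Site Scripting, are exactly where “filter inputs, escape outputs” applies. The following is an added example written for this page, not code from the deck or from the in-secure repository. It assumes PHP 7.4 or later with the pdo_sqlite extension; the users table, the request values, the attacker strings and the helper names (`findUserVulnerable`, `findUserSafe`, `userIdFromRequest`, `e`) are constructed for the demonstration.

```php
<?php
// Added example for this page (not from the deck or the in-secure repo):
// "filter inputs, escape outputs" against Injection (OWASP #1) and XSS (#7).
// Assumes PHP >= 7.4 with the pdo_sqlite extension. The users table, the
// request values and the attacker strings are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// VULNERABLE: the user-controlled value is concatenated into the SQL text, so a
// quote in the input terminates the literal and the rest is parsed as SQL.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the value travels as a bound parameter, never as part of the SQL
// text, so the same quote stays inside the data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// FILTER INPUT: validate against the expected type and range and reject
// everything else; do not try to "clean" a bad value into a good one.
function userIdFromRequest(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// ESCAPE OUTPUT: encode for the HTML context at the point of output. ENT_QUOTES
// covers single quotes too, so the result is safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker inputs.
$sqlInput = "nobody' OR '1'='1";   // no such user, but the injected OR matches every row
$xssInput = '<img src=x onerror="alert(document.cookie)">';

echo "vulnerable lookup: ", implode(', ', findUserVulnerable($db, $sqlInput)), "\n";
echo "safe lookup:       ", implode(', ', findUserSafe($db, $sqlInput)), "\n";

var_dump(userIdFromRequest(['id' => '42']));
var_dump(userIdFromRequest(['id' => '42 OR 1=1']));

echo "unescaped: <p>$xssInput</p>\n";          // markup reaches the browser as markup
echo "escaped:   <p>", e($xssInput), "</p>\n"; // the same bytes render as visible text
```

Run it with `php example.php`. The hardened lookup returns no rows for the injected name because a bound parameter is never parsed as SQL; note that binding does not cover identifiers (table or column names) or `ORDER BY` directions, which need an allowlist. Escaping belongs at the output sink and is chosen per context: `htmlspecialchars` is correct for HTML text and attribute values, while a value placed inside a script block or a URL needs that context’s own encoder.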
  16. Thanks! Any questions?
     In-secure: https://github.com/EvandroMohr/in-secure
     Juice Shop: https://github.com/bkimminich/juice-shop
     WebGoat: https://github.com/WebGoat/WebGoat
     DVWA: https://github.com/ethicalhack3r/DVWA