Security is one of the most important part of web applications. In this presentation, we discussed some common web security threats and how to secure our applications against them.
Working in Web Application development since last 10 years Twitter: @KapilSharmaInfo Personal Website: www.kapilsharma.info Blog: blog.kapilsharma.info Kapil Sharma PHP REBOOT 2
users. There is no money transaction on my app. I do not store any confidential information of users. Then why the hell someone hack my site. Kapil Sharma PHP REBOOT 4
but a common topic for all programming language. This session, in general, is applicable to any web application programming language, but our examples are in PHP. Kapil Sharma PHP REBOOT 6
easy. By default, it is ‘off’ since PHP 4.2 (We will shortly see why?) It convert all incoming data into global variables. For example http://www.example.com/page.php?abc=xyz If register_globals is ‘on’, PHP will create following variable $abc = “xyz”; Kapil Sharma PHP REBOOT 8
It might make development easy but it is not free. Biggest disadvantage, we never know from where variable data is coming. In previous example, we can say if data came from GET/POST, cookie, or HTML Form etc. Kapil Sharma PHP REBOOT 9 Cont..
is a security threat (We will see it shortly) It is not recommended to use ‘register_globals’ and it was turned-off by default in php.ini since PHP version 4.2 As replacement, use another more specific global variables like $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV, $_REQUEST Kapil Sharma PHP REBOOT 10
PHP, aimed to make PHP easier for programmers. It is not a security threat in itself. A programmer must make a mistake before it become security threat. Lets check with an example. Kapil Sharma PHP REBOOT 11
code? If (isAdminUser()) { $admin = true; } if ($admin) { //load admin panel. } Kapil Sharma PHP REBOOT 12 $admin = true; $admin = false; NEVER TAKE A DECISION BASED ON A VARIABLE WHICH MIGHT NOT BE INITIALIZED. http://www.example.com/admin.php?admin=1 Register globals will generate following variable for this code $admin = 1; Which, after PHP’s internal type casting, will be: $admin = true;
companies use the OWASP Top Ten and ensure that their partners do the same. U.S. Defense Information Systems Agency lists OWASP Top Ten as part of the Defense Information Technology Security Certification and Accreditation (C & A) Process (DITSCAP) The Payment Card Industry (PCI) standards has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. Kapil Sharma PHP REBOOT 14
awareness document for web application security. It is list of the ten Most Critical Web Application Security Risks And for each Risk it provides: A description Example vulnerabilities Example attacks Guidance on how to avoid References to OWASP and other related resources Kapil Sharma PHP REBOOT 15
to allow user to set filter on data. Such application use dynamic SQL queries, driven by user input. SQL Injection need two mistakes from developer: A failure to filter data (Filter Input) and Failure to escape data Kapil Sharma PHP REBOOT 18
syntax. Check the manual that corresponds to your MySQL version for the right syntax to use near 'WHERE username = ''' AND password = 'a0b339d7c… Kapil Sharma PHP REBOOT 22
Broken Authentication and Session Management if: Password not hashed/encrypted in database. No wrong password limit (Brute Force attack) Session id exposed in URL No session timeout. Session id vulnerable to session fixation. Kapil Sharma PHP REBOOT 26
back at www.mybank.com. User login to another site at www.hacker.com. Code <h1>Hi innocent user</h1> Check image below <img src="www.mybank.com/transfer?to=hacker&amount=1000 0&remark=hacked"> Kapil Sharma PHP REBOOT 36
= Mistake Mistake = Security vulnerability The KISS principle states that most systems work best if they are kept simple rather than made complicated. (source: wikipedia) Keep It Short and Simple. Keep It Simple and Straightforward. Kapil Sharma PHP REBOOT 40
Remote = Browser, Database, Web Services. Getting CC info -> SSL Display again for verification -> SSL, Strip1234-XXXX-XXXX-4321 Always know and keep track of sensitive data. Kapil Sharma PHP REBOOT 44
if yes. Escape it Htmlentities Zend Framework. Zend_View’s escape $this->escape($userInput) Symfony/twig escape all the data by default. Laravel 4/blade {{{ raw }}}, {{escaped}} Yii CHtml::encode(strip_tags()) Kapil Sharma PHP REBOOT 48