Web Application Security

Slides of the PHPReboot meetup of 13th February 2016 on Web Application Security.
A video recording of the session will also be uploaded. Please check the comments on http://www.meetup.com/PHPReboot/events/228005833/ for the link to the YouTube video of the session.

Kapil Sharma

February 13, 2016
Transcript

  1. Slide 2, Introduction: Kapil Sharma, Technical Architect, Ansh Systems Pvt. Ltd., 11+ years of experience in web app development. Twitter: kapilsharmainfo, Facebook: kapilsharmainfo, LinkedIn: kapilsharmainfo, GitHub: kapilsharma, Blog: blog.kapilsharma.info, Slides: speakerdeck.com/kapilsharma. (Every slide carries the footer "phpreboot.github.io, phpreboot.com, Kapil Sharma".)
  2. Slide 5, Why Me? Small apps, few users, no money transactions, nothing confidential. Then why will someone hack my website?
  3. Slide 8, OWASP Top 10: an OWASP project; an awareness document for web application security that represents the top 10 web application security flaws.
  4. Slide 9, OWASP Top 10, Injection: SQL injection, (OS) command injection, LDAP injection, script/file injection. Happens when we use data sent from outside. Golden rule: never trust user input.
  5. Slide 10, OWASP Top 10, Injection: building the query by concatenating user input,
       sql = "SELECT * FROM user WHERE user_id=" + userId;
       $sql = 'SELECT * FROM user WHERE user_id=' . $userId;
     With the input userid = 10 OR 1=1 the query becomes
       SELECT * FROM user WHERE user_id = '1' OR 1=1
     whose OR 1=1 is true for every row.
  6. Slide 11, OWASP Top 10, Securing Injection: never trust user input; defence in depth; know your data; prepared statements; stored procedures; use ORM libraries.
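The concatenated query from slide 10 next to the prepared-statement fix from slide 11, as an added example that is not part of the deck. It runs against an in-memory SQLite table constructed here; the function names and the sample rows are mine.

```php
<?php
// Added example (not from the deck): slide 10's string concatenation beside a
// PDO prepared statement, run against a constructed in-memory SQLite table.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO user (user_id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Vulnerable: the deck's concatenation. Whatever arrives in $userId becomes
// part of the SQL text, so the input can change the query's structure.
function findUserUnsafe(PDO $pdo, string $userId): array
{
    $sql = 'SELECT * FROM user WHERE user_id=' . $userId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: a prepared statement. The value travels separately from the query
// text and is only ever treated as data. (With MySQL, also set
// PDO::ATTR_EMULATE_PREPARES to false so the server does the preparing.)
function findUserSafe(PDO $pdo, string $userId): array
{
    // "Know your data": a user id is a positive integer, reject anything else early.
    if (!ctype_digit($userId)) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM user WHERE user_id = :id');
    $stmt->bindValue(':id', (int) $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = '10 OR 1=1'; // the input from slide 10
printf("unsafe rows returned: %d\n", count(findUserUnsafe($pdo, $payload))); // 3: every row leaks
try {
    findUserSafe($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected (' . $e->getMessage() . ")\n";
}
printf("safe rows for '2': %d\n", count(findUserSafe($pdo, '2'))); // 1
```

The input validation is the "defence in depth" layer: even if a query somewhere is still concatenated, an id that has already been checked to be digits cannot carry SQL.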
  7. Slide 12, OWASP Top 10, Broken Authentication & Session Management: custom auth/session management; passwords not hashed in the database; session ID exposed (in the URL); no wrong-password limit (brute force); allowing weak passwords; no session timeout; session hijacking/fixation; avoid "remember me".
  8. Slide 13, Session Hijacking: a session id forced onto the victim through the URL,
       http://web.com/<script>document.cookie="sessionid=abcd"</script>
       http://web.com/<meta http-equiv=Set-Cookie content="sessionid=abcd">
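The fixes for the items on slides 12 and 13 in one place, as an added example that is not the deck's code: hashed passwords, a wrong-password limit, an idle timeout, a fresh session id at login, and cookie settings under which a session id planted through the URL or through document.cookie is not accepted. The policy numbers and function names are assumptions.

```php
<?php
// Added example (not from the deck). Policy values below are assumed.
declare(strict_types=1);

const MAX_FAILED_LOGINS    = 5;
const LOCKOUT_SECONDS      = 15 * 60;
const IDLE_TIMEOUT_SECONDS = 30 * 60;
const MIN_PASSWORD_LENGTH  = 12;

// Session hardening; call before session_start().
function configureSession(): void
{
    ini_set('session.use_only_cookies', '1'); // never take a session id from the URL
    ini_set('session.use_strict_mode', '1');  // refuse ids the server did not generate (fixation)
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // HTTPS only, so a man in the middle never sees it
        'httponly' => true,  // document.cookie cannot read or overwrite it
        'samesite' => 'Lax',
    ]);
}

// Registration: store a hash, never the password; reject weak passwords.
function makePasswordRecord(string $password): array
{
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        throw new InvalidArgumentException('password too short');
    }
    return ['hash' => password_hash($password, PASSWORD_DEFAULT), 'failed' => 0, 'locked_until' => 0];
}

// Login attempt; returns the updated record and a verdict. The failure counter
// gives the brute-force limit slide 12 asks for.
function attemptLogin(array $record, string $password, int $now): array
{
    if ($record['locked_until'] > $now) {
        return [$record, 'locked'];
    }
    if (!password_verify($password, $record['hash'])) {
        $record['failed']++;
        if ($record['failed'] >= MAX_FAILED_LOGINS) {
            $record['locked_until'] = $now + LOCKOUT_SECONDS;
            $record['failed'] = 0;
        }
        return [$record, 'denied'];
    }
    $record['failed'] = 0;
    return [$record, 'ok'];
}

// After a successful login: a new id, so any id set before login is discarded.
function establishSession(int $userId, int $now): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['last_seen'] = $now;
}

// On every request: enforce the idle timeout.
function sessionIsValid(array &$session, int $now): bool
{
    if (!isset($session['user_id'], $session['last_seen'])) {
        return false;
    }
    if ($now - $session['last_seen'] > IDLE_TIMEOUT_SECONDS) {
        $session = []; // expired: drop everything
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Demo with constructed data
$record = makePasswordRecord('correct horse battery staple');
[$record, $verdict] = attemptLogin($record, 'wrong-password', time());
echo "wrong password: $verdict\n";   // denied
[$record, $verdict] = attemptLogin($record, 'correct horse battery staple', time());
echo "right password: $verdict\n";   // ok
$session = ['user_id' => 1, 'last_seen' => time() - 2 * IDLE_TIMEOUT_SECONDS];
var_dump(sessionIsValid($session, time())); // bool(false): timed out
```

With use_only_cookies and use_strict_mode on, the two URLs from slide 13 can still try to set a cookie in the browser, but the server ignores an id it did not issue and regenerates the id at login anyway, so the attacker's pre-chosen "abcd" never becomes an authenticated session.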
  9. Slide 14, OWASP Top 10, Cross Site Scripting (XSS): the attacker injects a client-side script; the victim visits the page; the script executes.
  10. Slide 15, OWASP Top 10, Cross Site Scripting (XSS): Filter Input, Escape Output.
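"Filter input, escape output" from slide 15 worked through, as an added example that is not the deck's code. The point it adds to the slide is that escaping depends on where the output lands: an HTML text node or attribute needs entity escaping, an inline script needs JSON escaping. The helper names and the name-validation rule are mine.

```php
<?php
// Added example (not from the deck): input filtering and context-specific
// output escaping for the XSS slides.
declare(strict_types=1);

// Filter input: accept only what the field is supposed to contain
// (assumed rule: letters, digits, spaces and a few punctuation marks, 1-40 chars).
function filterDisplayName(string $raw): string
{
    $name = trim($raw);
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $name)) {
        throw new InvalidArgumentException('invalid display name');
    }
    return $name;
}

// Escape output for an HTML text node or a quoted attribute value.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape output for embedding inside an inline <script> block: the HEX flags
// turn < > & ' " into \u escapes, so "</script>" inside the data cannot close the tag.
function ejs($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function renderProfile(string $displayName, string $bio): string
{
    return '<h1>' . e($displayName) . '</h1>'
         . '<input name="bio" value="' . e($bio) . '">'
         . '<script>var bio = ' . ejs($bio) . ';</script>';
}

// Constructed input of the kind slide 14 describes
$bio = '"><script>alert(1)</script>';
$name = filterDisplayName('Kapil');
echo renderProfile($name, $bio), "\n";
// Every quote and angle bracket from $bio reaches the browser as an entity or
// a \u escape, so it is displayed as text rather than parsed as markup.

try {
    filterDisplayName('<img src=x>');
} catch (InvalidArgumentException $ex) {
    echo 'rejected at input: ', $ex->getMessage(), "\n";
}
```

Filtering alone is not enough (a legitimate name like O'Brien still needs escaping in an attribute), and escaping alone leaves junk in the database; the slide's rule is to do both.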
  11. Slide 16, OWASP Top 10, Insecure Direct Object Reference: when the developer exposes an internal object, e.g.
        <select name="choosecreditcard">
          <option value="35">XXXXXXXXXXXX6002</option>
          <option value="19">XXXXXXXXXXXX1101</option>
        </select>
      Fix: validation and authorization.
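The credit-card select from slide 16 with the "validation and authorization" the slide calls for, as an added example that is not the deck's code. The card store is a constructed in-memory array and the owner ids are made up.

```php
<?php
// Added example (not from the deck): an object reference that is also checked
// for ownership on the server, not only hidden in the form.
declare(strict_types=1);

// card id => [owner user id, masked number]  (constructed data)
const CARDS = [
    35 => ['owner' => 7, 'masked' => 'XXXXXXXXXXXX6002'],
    19 => ['owner' => 7, 'masked' => 'XXXXXXXXXXXX1101'],
    42 => ['owner' => 9, 'masked' => 'XXXXXXXXXXXX4444'],
];

// Insecure: trusts the submitted id, so any id that exists can be used by anyone.
function chargeCardUnsafe(string $cardIdParam): string
{
    $cardId = (int) $cardIdParam;
    return 'charging ' . CARDS[$cardId]['masked'];
}

// Validation (the id has the right shape) and authorization (the card belongs
// to the logged-in user). Unknown and foreign ids get the same answer so the
// response does not reveal which ids exist.
function chargeCardSafe(int $currentUserId, string $cardIdParam): string
{
    if (!ctype_digit($cardIdParam)) {
        throw new InvalidArgumentException('bad card id');
    }
    $card = CARDS[(int) $cardIdParam] ?? null;
    if ($card === null || $card['owner'] !== $currentUserId) {
        throw new RuntimeException('card not found');
    }
    return 'charging ' . $card['masked'];
}

// The form only offers the caller's own cards; the check above still runs
// because the POST body can say anything.
function renderCardSelect(int $currentUserId): string
{
    $html = '<select name="choosecreditcard">';
    foreach (CARDS as $id => $card) {
        if ($card['owner'] === $currentUserId) {
            $html .= sprintf(
                '<option value="%d">%s</option>',
                $id,
                htmlspecialchars($card['masked'], ENT_QUOTES, 'UTF-8')
            );
        }
    }
    return $html . '</select>';
}

echo renderCardSelect(7), "\n";
echo chargeCardUnsafe('42'), "\n";                 // user 7 charges user 9's card
try {
    chargeCardSafe(7, '42');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                   // card not found
}
echo chargeCardSafe(7, '35'), "\n";                // charging XXXXXXXXXXXX6002
```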
  12. Slide 17, OWASP Top 10, Security Misconfiguration: vulnerable if software is out of date, unnecessary services are enabled, default accounts/passwords are enabled, security settings are left at defaults, or stack traces are shown.
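The "security settings" and "stack trace" items from slide 17 in code, as an added example that is not the deck's: errors are logged with a reference id on the server while the client only gets the reference. The handler and the reference format are mine; in production the ini values normally live in php.ini rather than in ini_set calls.

```php
<?php
// Added example (not from the deck): keep stack traces out of HTTP responses.
declare(strict_types=1);

function hardenErrorReporting(): void
{
    ini_set('display_errors', '0');         // never render errors or traces to the client
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');             // ...but keep them server side
    error_reporting(E_ALL);                 // still report everything to the log
    // expose_php is a system-level setting and cannot be changed with ini_set:
    // set expose_php = Off in php.ini to drop the X-Powered-By version header.

    set_exception_handler(function (Throwable $e): void {
        // Short random reference so support can find the log entry.
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf(
            "[%s] %s: %s in %s:%d\n%s",
            $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(), $e->getTraceAsString()
        ));
        http_response_code(500);
        // The client sees only this line, never the message, file or trace.
        echo 'Something went wrong. Reference: ', $ref, "\n";
    });
}

hardenErrorReporting();
// Constructed failure to show the effect: the trace goes to the error log,
// the output is the generic line with a reference id.
throw new RuntimeException('database password is hunter2'); // never reaches the client
```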
  13. Slide 18, OWASP Top 10: Sensitive Data Exposure (section title; the slide lists the items covered so far).
  14. Slide 19, OWASP Top 10, Sensitive Data Exposure: banking information, credit card numbers, account numbers, health information, personal information (DOB, SSN), user accounts/passwords; man in the middle.
  15. Slide 20, OWASP Top 10, Missing Function Level Access Control: applications with multiple roles; use an access control list.
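The access control list from slide 20 as an added example that is not the deck's code: roles map to allowed actions, the check runs on the server for every request, and anything not listed is denied. The roles, actions and dispatch function are constructed for illustration.

```php
<?php
// Added example (not from the deck): a role-based ACL checked at dispatch time.
declare(strict_types=1);

// role => allowed actions  (constructed policy; default deny for everything else)
const ACL = [
    'viewer' => ['report.view'],
    'editor' => ['report.view', 'report.edit'],
    'admin'  => ['report.view', 'report.edit', 'user.delete'],
];

function isAllowed(array $userRoles, string $action): bool
{
    foreach ($userRoles as $role) {
        if (in_array($action, ACL[$role] ?? [], true)) {
            return true;
        }
    }
    return false; // unknown role or unlisted action: denied
}

// Front-controller style dispatch. Because the check is here, removing a menu
// link or typing the URL by hand changes nothing: the function itself is guarded.
function dispatch(array $user, string $action, callable $handler): string
{
    if (!isAllowed($user['roles'], $action)) {
        http_response_code(403);
        return 'forbidden';
    }
    return $handler();
}

$editor = ['id' => 3, 'roles' => ['editor']];
echo dispatch($editor, 'report.edit', fn() => 'report saved'), "\n";  // report saved
echo dispatch($editor, 'user.delete', fn() => 'user deleted'), "\n";  // forbidden
$nobody = ['id' => 4, 'roles' => ['guest']];                         // role not in ACL
echo dispatch($nobody, 'report.view', fn() => 'report'), "\n";       // forbidden
```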
  16. Slide 21, OWASP Top 10: Cross Site Request Forgery (section title; the slide lists the items covered so far).
  17. Slide 23, OWASP Top 10, Cross Site Request Forgery: XSS, the hacker tricks the user into trusting the hacker as the server; CSRF, the hacker tricks the server into trusting the hacker as a valid user.
  18. Slide 24, OWASP Top 10, Cross Site Request Forgery: the user logs in to mybank.com and opens hacker.site in another tab, which contains
        <h1>Hi innocent user</h1> Check image below
        <img src="www.bank.com/transfer?to=hacker&amount=1000&remark=hacked" />
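The transfer endpoint from slide 24 protected with a synchroniser token, as an added example that is not the deck's code. Two things stop the forged image request: the endpoint only accepts POST, and it requires a per-session token that hacker.site cannot read from the bank's page. The session is a plain array here so the flow can be traced; function names are mine.

```php
<?php
// Added example (not from the deck): CSRF token issue, embed and verify.
declare(strict_types=1);

// Issue (or reuse) a per-session token for embedding in forms.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify a submitted token in constant time.
function csrfTokenValid(array $session, ?string $submitted): bool
{
    return is_string($submitted)
        && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

function renderTransferForm(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<input name="to"><input name="amount"><button>Send</button></form>';
}

// The transfer endpoint: state-changing, so POST only; token required.
function handleTransfer(array $session, string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 method not allowed';
    }
    if (!csrfTokenValid($session, $post['csrf_token'] ?? null)) {
        return '403 invalid CSRF token';
    }
    return sprintf('transferring %s to %s', $post['amount'], $post['to']);
}

$session = [];
renderTransferForm($session); // the user loads the real form; the token is now in the session

// Slide 24's <img src="www.bank.com/transfer?..."> arrives as a GET with no token
echo handleTransfer($session, 'GET', ['to' => 'hacker', 'amount' => '1000']), "\n";
// A forged cross-site POST still has no way to know the token
echo handleTransfer($session, 'POST', ['to' => 'hacker', 'amount' => '1000']), "\n";
// The genuine submission from the bank's own form carries it
echo handleTransfer($session, 'POST', [
    'to' => 'alice', 'amount' => '10', 'csrf_token' => $session['csrf_token'],
]), "\n";
```

Setting the session cookie with SameSite=Lax (or Strict) is a second, independent layer: the browser then does not attach the bank's cookie to a cross-site POST at all, but the token is what protects older browsers and any GET endpoint that was wrongly made state-changing.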
  19. Slide 25, OWASP Top 10: Components with Known Vulnerabilities (section title; the slide lists the items covered so far).
  20. Slide 26, OWASP Top 10, Components with Known Vulnerabilities: version numbers are X.Y.Z (major, minor, patch); check dependencies against https://security.sensiolabs.org.
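A check of installed package versions against a list of vulnerable ranges, using the X.Y.Z versions slide 26 describes, as an added example that is not the deck's code. The composer.lock excerpt and the advisory list are constructed; real advisories come from the deck's security.sensiolabs.org link or, in current Composer, from the `composer audit` command.

```php
<?php
// Added example (not from the deck): flag lock-file packages whose version
// falls inside a known vulnerable range. All package names and ranges below
// are constructed for illustration.
declare(strict_types=1);

const COMPOSER_LOCK_JSON = <<<'JSON'
{"packages":[
  {"name":"acme/http",   "version":"v2.3.1"},
  {"name":"acme/orm",    "version":"1.9.0"},
  {"name":"acme/mailer", "version":"4.0.2"}
]}
JSON;

// package => [first vulnerable version (inclusive), first fixed version (exclusive)]
const ADVISORIES = [
    'acme/http' => ['2.0.0', '2.3.2'],
    'acme/orm'  => ['1.0.0', '1.9.0'],
];

// Composer tags may carry a leading "v"; version_compare wants bare X.Y.Z.
function normalizeVersion(string $v): string
{
    return ltrim($v, 'v');
}

function findVulnerable(string $lockJson, array $advisories): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $hits = [];
    foreach ($lock['packages'] as $pkg) {
        $range = $advisories[$pkg['name']] ?? null;
        if ($range === null) {
            continue;
        }
        $v = normalizeVersion($pkg['version']);
        if (version_compare($v, $range[0], '>=') && version_compare($v, $range[1], '<')) {
            $hits[] = sprintf('%s %s is vulnerable, fixed in %s', $pkg['name'], $v, $range[1]);
        }
    }
    return $hits;
}

foreach (findVulnerable(COMPOSER_LOCK_JSON, ADVISORIES) as $hit) {
    echo $hit, "\n";
}
// Only acme/http 2.3.1 is reported: acme/orm 1.9.0 is exactly the fixed
// release (the upper bound is exclusive) and acme/mailer has no advisory.
```

The bound check is the whole point of the semver slide: a patch release (the Z) is what an advisory usually names as fixed, so a lock file pinned one patch behind is exactly the case this catches.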
  21. Slide 27, OWASP Top 10: Unvalidated Redirects & Forwards (section title; the slide lists the items covered so far).
  22. Slide 28, OWASP Top 10, Unvalidated Redirects & Forwards: e.g.
        https://example.com/redirect?http://hacker.com
        http://example.com/boringpage?fwd=admin.php
      Avoid redirects and forwards; if used, don't take the target from a parameter; if a parameter is used, validate it.
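Slide 28's third rule (validate the parameter) in code, as an added example that is not the deck's: a redirect target is accepted only when it is a local path, and a forward is resolved through a fixed map of names rather than taking a file name from the request. The host, the map and the function names are assumptions; the code uses PHP 8 string functions.

```php
<?php
// Added example (not from the deck): validating redirect and forward targets.
declare(strict_types=1);

// Accept only a same-site path: no scheme, no host, no protocol-relative "//",
// no backslashes (some browsers treat "/\evil" like "//evil"). Otherwise fall
// back to a safe default instead of trying to "clean" the value.
function safeRedirectTarget(?string $target, string $default = '/'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;   // http://hacker.com, //hacker.com, javascript:... all land here
    }
    if (!str_starts_with($target, '/') || str_starts_with($target, '//') || str_contains($target, '\\')) {
        return $default;
    }
    return $target;
}

// Forwards: the request names an entry, never a file. (constructed map)
const FORWARDS = ['home' => 'index.php', 'profile' => 'profile.php'];

function safeForward(string $name): string
{
    return FORWARDS[$name] ?? throw new InvalidArgumentException('unknown forward: ' . $name);
}

// Slide 28's examples against the checks
echo safeRedirectTarget('http://hacker.com'), "\n";     // /
echo safeRedirectTarget('//hacker.com'), "\n";          // /
echo safeRedirectTarget('/account/settings'), "\n";     // /account/settings
echo safeForward('profile'), "\n";                      // profile.php
try {
    safeForward('admin.php');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                        // unknown forward: admin.php
}
```

An allow-list of full URLs is the right shape when redirects to a few known external sites are required; the point in both cases is that the request chooses from options the application defined, never supplies the destination itself.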
  23. Slide 29, OWASP Top 10: Unvalidated Redirects & Forwards (closing summary slide listing all ten items: Injection; Broken Authentication & Session Management; Cross Site Scripting (XSS); Insecure Direct Object Reference; Security Misconfiguration; Sensitive Data Exposure; Missing Function Level Access Control; Cross Site Request Forgery (CSRF); Components with Known Vulnerabilities; Unvalidated Redirects & Forwards).