Slide 1

Beyond the Basics: security with PHP
php|tek 2013, Thursday, May 16, 2013

Slide 2

As a whole, PHP fails at security: there is no security-focused center.

Slide 3

It's time to move beyond... complex applications require complex solutions.

Slide 4

App security is complex: threat, attack surface, defense in depth, least privilege, two-factor, identity, authorization, spoofing, disclosure, poisoning, enumeration, injection, fixation, vulnerability...

Slide 5

Look back
Cross-Site Scripting
SQL Injection
Cross-Site Request Forgeries

Slide 6

OWASP Top 10 (2010 Edition)
A1 - Injection
A2 - Cross-Site Scripting (XSS)
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object References
A5 - Cross-Site Request Forgery (CSRF)
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards

Slide 7

Cross-Site Scripting
http://mysite.com/query=
Reflected, passive (stored), DOM-based injection
Still relevant
Defense: encode on output (htmlentities, or htmlspecialchars with ENT_QUOTES and the page's charset). strip_tags is an input filter, not output encoding, and does not stop payloads that land inside an attribute.

Slide 8

Cross-Site Scripting
test'); // not filtered
htmlentities($_GET['query']); ?>
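The slide's two cases, reflected output with and without encoding, as an added example that is not from the talk. The e() helper, the render functions and the payload strings are constructed for this demonstration; $payload stands in for the attacker-controlled $_GET['query'] from slide 7, and the script runs from the CLI without a web server.

```php
<?php
// Added example (not from the slides): reflected XSS in the ?query= case from
// slide 7, beside the output-encoded version. The constructed $payload stands
// in for the attacker-controlled $_GET['query'].

declare(strict_types=1);

// Encode for an HTML text or attribute context. ENT_QUOTES covers both quote
// styles so the value is also safe inside a quoted attribute; ENT_SUBSTITUTE
// keeps invalid UTF-8 from turning the whole string into ""; the charset must
// match the page's declared encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the search term is reflected into the page unencoded.
function render_unsafe(string $query): string
{
    return "<p>Results for: " . $query . "</p>\n"
         . "<input type=\"text\" name=\"query\" value=\"" . $query . "\">\n";
}

// Hardened: every interpolation goes through e().
function render_safe(string $query): string
{
    return "<p>Results for: " . e($query) . "</p>\n"
         . "<input type=\"text\" name=\"query\" value=\"" . e($query) . "\">\n";
}

// Constructed payload: closes the attribute and the tag, then injects script.
$payload = '"><script>alert(document.cookie)</script>';

echo "--- unsafe ---\n", render_unsafe($payload);
echo "--- safe ---\n", render_safe($payload);

// strip_tags() is not a fix: this payload contains no tag at all, so it passes
// through untouched and still runs once it lands inside the attribute.
$attrPayload = '" onfocus="alert(1)" autofocus="';
echo "--- strip_tags is not enough ---\n";
echo "<input value=\"" . strip_tags($attrPayload) . "\">\n";
echo "<input value=\"" . e($attrPayload) . "\">\n";
```

Run it with `php xss.php` and compare the two renderings: in the unsafe one the quote and angle brackets survive and the script tag is live; in the safe one they come out as `&quot;`, `&lt;` and `&gt;`. The last two lines show why the slide's strip_tags suggestion is not interchangeable with encoding.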

Slide 9

SQL Injection
"update users set admin = ".$_GET['admin']
Too easy to do wrong
Blind versus known (error-based) injection
Validation: whitelist
Defense: prepared statements, escaping

Slide 10

SQL Injection
$stmt = $db->prepare('select title from posts where name = :name'); // $db: an existing PDO connection
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->execute();
?>
http://php.net/pdo
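The slide's prepared statement next to the concatenated query it replaces, as an added example that is not from the talk. It runs against an in-memory SQLite table constructed here, so it needs only PHP with pdo_sqlite; the table, rows and payload are assumptions for the demonstration.

```php
<?php
// Added example (not from the slides): the slide's PDO prepared statement
// beside the string-concatenated query it replaces, run against an in-memory
// SQLite table constructed here so it works offline.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (name TEXT NOT NULL, title TEXT NOT NULL, draft INTEGER NOT NULL)');
$db->exec("INSERT INTO posts VALUES ('alice', 'Public post', 0), ('bob', 'Unpublished draft', 1)");

// Vulnerable: user input is spliced into SQL, so quotes in $name rewrite the query.
function titles_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT title FROM posts WHERE name = '" . $name . "' AND draft = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the query text is fixed at prepare time; $name travels as data and
// can never change the statement's structure.
function titles_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT title FROM posts WHERE name = :name AND draft = 0');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed payload: closes the string, makes the WHERE clause always true,
// and comments out the draft filter that follows.
$payload = "' OR '1'='1' --";

var_dump(titles_unsafe($db, 'alice'));
var_dump(titles_unsafe($db, $payload));
var_dump(titles_safe($db, $payload));
```

The first call returns alice's public post; the second returns every row, including the unpublished draft, because the payload turned `name = '...' AND draft = 0` into `name = '' OR '1'='1'`; the third returns nothing, since the prepared statement looks for a post literally named `' OR '1'='1' --`. bindValue is used rather than the slide's bindParam only because the value is a literal here; both are safe.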

Slide 11

CSRF
GET /transfer?from=123&to=456&amt=100000
Exploit of user trust: the browser attaches the victim's cookies to a request the attacker composed
Replay attacks
Referer check (weak on its own: the header can be absent or stripped by proxies and privacy settings)
Defense: per-session tokens; keep GET idempotent and make state changes only on POST
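A synchronizer-token defense for the /transfer request on the slide, as an added example that is not from the talk. The session array is passed in explicitly so the functions can be exercised from the CLI; the CSRF_KEY field name, the transfer() stub and the request arrays are assumptions for the demonstration. random_bytes() needs PHP 7+ and hash_equals() PHP 5.6+.

```php
<?php
// Added example (not from the slides): synchronizer-token CSRF protection for
// the /transfer request on the slide. Tokens live in the session; state changes
// are accepted only on POST and only with a valid token. The session array is
// passed in explicitly so the functions can be exercised from the CLI.

declare(strict_types=1);

const CSRF_KEY = 'csrf_token';

// Issue (or reuse) the per-session token. random_bytes() is cryptographically
// secure; bin2hex keeps it safe to embed in HTML and URLs.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// Hidden field for every state-changing form.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_KEY . '" value="' . $token . '">';
}

// Validate a request: must be POST, token must be present and must match in
// constant time. A GET never changes state, so the slide's GET /transfer link
// is refused even when the victim is logged in.
function csrf_valid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (empty($session[CSRF_KEY]) || !isset($post[CSRF_KEY]) || !is_string($post[CSRF_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_KEY], $post[CSRF_KEY]);
}

// Stand-in for the real transfer handler.
function transfer(array $session, string $method, array $post): string
{
    if (!csrf_valid($session, $method, $post)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return sprintf('transferred %s from %s to %s', $post['amt'], $post['from'], $post['to']);
}

// Constructed requests.
$session = [];
$token   = csrf_token($session);
$params  = ['from' => '123', 'to' => '456', 'amt' => '100000'];

echo transfer($session, 'GET', $params), "\n";                          // attacker's link
echo transfer($session, 'POST', $params), "\n";                         // forged form, no token
echo transfer($session, 'POST', $params + [CSRF_KEY => 'guess']), "\n"; // wrong token
echo transfer($session, 'POST', $params + [CSRF_KEY => $token]), "\n";  // legitimate form
```

Only the last request goes through. The token is per session, which is what stops the attacker's page from supplying a valid one; against the slide's replay concern, rotate the token after each successful state change (regenerate it in transfer() once the action is committed) so a captured form submission cannot be resent.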

Slide 12

Look forward
XML Injection
Mass Assignment
Session Hijacking
Password Storage
Upload Handling

Slide 13

XML Injection
]> &foo;
Inject content: an external entity declared in the DOCTYPE is expanded into the document (for example the contents of a local file)
Expanded by default
libxml_disable_entity_loader

Slide 14

XML Injection
]> &three;
XML "bomb": nested entity declarations that expand exponentially
Denial of Service
libxml_disable_entity_loader (this only stops external entities; the bomb uses internal ones, so also never pass LIBXML_NOENT or LIBXML_PARSEHUGE to the parser)
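A loader that handles both slide 13 (external entity) and slide 14 (entity bomb), as an added example that is not from the talk. Both malicious documents are constructed here, with the entity names the slides show (&foo; and &three;); the file:// target in the XXE sample and the load_xml_safely() name are assumptions for the demonstration.

```php
<?php
// Added example (not from the slides): a loader that refuses the DOCTYPE that
// both slide payloads depend on, never enables entity substitution, and turns
// off the external entity loader on PHP versions where it is on by default.
// The two malicious documents are constructed here for the demonstration.

declare(strict_types=1);

function load_xml_safely(string $xml): DOMDocument
{
    // PHP < 8.0 ships with external entity loading enabled; turn it off.
    // PHP 8 disables it by default and deprecates this call, so skip it there.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET: no network access during parsing.
    // Deliberately NOT passed: LIBXML_NOENT (substitutes entities, i.e. the
    // XXE switch), LIBXML_DTDLOAD, LIBXML_PARSEHUGE (lifts expansion limits).
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        throw new InvalidArgumentException('malformed XML: ' . trim($errors[0]->message ?? 'unknown'));
    }
    // A document with a DTD can declare entities; an API consumer has no
    // legitimate reason to send one, so reject it outright.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE is not allowed');
    }
    return $dom;
}

// Constructed: classic XXE reading a local file through an external entity.
$xxe = <<<XML
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY foo SYSTEM "file:///etc/passwd">]>
<data>&foo;</data>
XML;

// Constructed: three levels of nested internal entities (the "bomb" shape from
// slide 14, kept small); each &three; would expand to 1000 copies of the string.
$bomb = <<<XML
<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY one "lol lol lol lol lol lol lol lol lol lol">
  <!ENTITY two "&one;&one;&one;&one;&one;&one;&one;&one;&one;&one;">
  <!ENTITY three "&two;&two;&two;&two;&two;&two;&two;&two;&two;&two;">
]>
<data>&three;</data>
XML;

$benign = '<?xml version="1.0"?><data><name>alice</name></data>';

foreach (['xxe' => $xxe, 'bomb' => $bomb, 'benign' => $benign] as $label => $doc) {
    try {
        $dom = load_xml_safely($doc);
        echo $label, ': parsed, root <', $dom->documentElement->tagName, ">\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

The xxe and bomb documents are rejected (either at parse time, or by the DOCTYPE check if libxml accepted them with the references left unexpanded) and only the benign document is returned. Rejecting any DTD is the simplest rule; if your format legitimately needs one, keep the other two controls and additionally walk the DTD for entity declarations.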

Slide 15

Mass Assignment
values($_POST); ?>
Spotlighted in Rails
Tricky to track
Laravel has "fillable" & "guarded"
Defense: filter the input, restrict which attributes a request may set
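A model whose fill() applies the "fillable" whitelist the slide credits to Laravel, beside the unfiltered values($_POST) pattern, as an added example that is not from the talk or from any framework. The User class, its fields and the request body are assumptions for the demonstration.

```php
<?php
// Added example (not from the slides): a tiny model whose fill() applies a
// "fillable" whitelist, so a POST body carrying an extra is_admin field cannot
// promote the user. The class and fields are assumptions for the demonstration.

class User
{
    /** Columns a request body may set. Everything else is ignored. */
    protected static $fillable = ['name', 'email'];

    public $name = '';
    public $email = '';
    public $is_admin = false;

    // Vulnerable: every key in the input that names a property is written.
    public function valuesUnsafe(array $input)
    {
        foreach ($input as $key => $value) {
            if (property_exists($this, $key)) {
                $this->$key = $value;
            }
        }
    }

    // Hardened: only whitelisted keys are copied; unexpected keys are returned
    // so the caller can log the attempt.
    public function fill(array $input): array
    {
        $rejected = [];
        foreach ($input as $key => $value) {
            if (in_array($key, static::$fillable, true)) {
                $this->$key = $value;
            } else {
                $rejected[] = $key;
            }
        }
        return $rejected;
    }

    public function summary(): string
    {
        return sprintf('%s <%s> admin=%s', $this->name, $this->email, $this->is_admin ? 'yes' : 'no');
    }
}

// Constructed request body: the form only has name and email, but the client
// added is_admin by hand.
$post = ['name' => 'Mallory', 'email' => 'mallory@example.com', 'is_admin' => '1'];

$u = new User();
$u->valuesUnsafe($post);
echo 'unsafe:   ', $u->summary(), "\n";

$u = new User();
$rejected = $u->fill($post);
echo 'fillable: ', $u->summary(), ' (ignored: ', implode(', ', $rejected), ")\n";
```

The unsafe path produces an admin account; fill() leaves is_admin false and reports the rejected key. A whitelist is preferable to the "guarded" blacklist form because a column added later is protected by default rather than exposed by default.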

Slide 16

Session Hijacking
PHPSESSID=56fc3e2c96dc3030b11722caf474da81
Fixation (the attacker chooses the victim's session ID before login)
Sidejacking (the cookie is sniffed on an unencrypted connection)
Encrypted sessions
Lock to IP (fragile: users behind NAT, proxies and mobile networks change address mid-session)
session_set_save_handler

Slide 17

Session Hijacking
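The defenses listed on slides 16 and 17 in one place, as an added example that is not from the talk: cookie and ini hardening against fixation and sidejacking, ID regeneration at login, a User-Agent fingerprint in place of a hard IP lock, and an encrypted-at-rest save handler installed through session_set_save_handler(). Assumptions: PHP 7.2+ with the sodium extension, and a 32-byte key supplied hex-encoded in a SESSION_KEY environment variable.

```php
<?php
// Added example (not from the slides), covering slides 16 and 17: session
// hardening (strict mode, cookie flags, ID regeneration at login, a fingerprint
// check instead of a hard IP lock) and an encrypted save handler.
// Assumptions: PHP 7.2+ with sodium, and a hex-encoded 32-byte key in the
// SESSION_KEY environment variable.

// Wraps the built-in files handler: data is sealed with XSalsa20-Poly1305
// before it reaches disk, so a leaked session store exposes nothing.
class EncryptedSessionHandler extends SessionHandler
{
    private $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('session key must be 32 bytes');
        }
        $this->key = $key;
    }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $blob = parent::read($id);
        if ($blob === '' || $blob === false) {
            return '';
        }
        $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $this->key);
        return $plain === false ? '' : $plain;   // tampered or foreign data: start fresh
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return parent::write($id, $nonce . sodium_crypto_secretbox($data, $nonce, $this->key));
    }
}

function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1');   // never accept ?PHPSESSID=... (fixation)
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');    // not readable from JavaScript
    ini_set('session.cookie_secure', '1');      // never sent over plain HTTP (sidejacking)
    ini_set('session.cookie_samesite', 'Lax');  // PHP 7.3+

    $handler = new EncryptedSessionHandler(hex2bin((string) getenv('SESSION_KEY')));
    session_set_save_handler($handler, true);
    session_start();

    // Bind the session to a client fingerprint. A hard IP lock breaks users
    // behind NAT and on mobile networks; the User-Agent is a softer signal that
    // still catches a cookie replayed from a different client.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $fingerprint)) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['fp'] = $fingerprint;
}

// Call once credentials are verified: a fresh ID means any session the attacker
// fixed before login no longer refers to the authenticated session.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Call secure_session_start() before any output on every request and on_login() from the authentication handler. The `#[\ReturnTypeWillChange]` lines are comments on PHP 7 and suppress the PHP 8.1+ deprecation for the untyped read()/write() overrides.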

Slide 18

Password Storage
md5("don't do this");
sha1("or this");
Hashing != Encryption
Strong (random) salts, generated per password
Bcrypt all the things
ircmaxell/password_compat (password_hash() for PHP 5.3.7+)
password_hash("use this", PASSWORD_BCRYPT, array('cost' => 12)); // let password_hash() generate the salt; a hand-written 'salt' option is rejected if it is not 22 characters and is deprecated, and cost 7 is too low (tune so one hash takes ~100 ms)
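The register/login pair around password_hash() and password_verify(), with password_needs_rehash() so stored hashes are upgraded when the cost is raised, as an added example that is not from the talk. The in-memory user store, the HASH_COST value and the sample passwords are assumptions for the demonstration; it needs PHP 5.5+, or 5.3.7+ with ircmaxell/password_compat.

```php
<?php
// Added example (not from the slides): register/login around password_hash()/
// password_verify(), plus password_needs_rehash() so stored hashes are upgraded
// when the cost is raised. Runs from the CLI over a constructed user store.

// Tune so one hash takes ~100 ms on the production hardware; raise over time.
const HASH_COST = 12;

// Store only the hash. The salt is generated by password_hash() and embedded
// in the returned "$2y$12$..." string, so nothing else needs to be stored.
function register(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => HASH_COST]);
}

// Verify, and on success transparently re-hash if the stored hash was produced
// with an older, weaker cost.
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Burn the same time as a real check so unknown usernames are not
        // distinguishable by response latency.
        password_verify($password, '$2y$12$' . str_repeat('.', 53));
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    if (password_needs_rehash($users[$username], PASSWORD_BCRYPT, ['cost' => HASH_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => HASH_COST]);
    }
    return true;
}

// Constructed user store. alice's hash was made at the slide's cost of 7 so the
// upgrade path is exercised on her first successful login.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 7])];
register($users, 'bob', 'hunter2');

$before = $users['alice'];
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump($users['alice'] !== $before);                           // hash was replaced
var_dump(password_get_info($users['alice'])['options']['cost']); // now HASH_COST
var_dump(login($users, 'carol', 'hunter2'));                     // unknown user
```

The wrong password and the unknown user both fail; the correct login succeeds and replaces alice's cost-7 hash with a cost-12 one, which is the mechanism for retiring weak parameters without a forced reset. Never log or echo the hash, and never compare hashes with `==`: password_verify() is the only comparison that should touch them.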

Slide 19

Upload Handling
content-disposition: form-data; name="file1"; filename="../../../etc/passwd"
Restrict extensions and MIME types (the Content-Type the client sends is not evidence; sniff the bytes)
Validate the filename (strip path components, then generate your own name)
Secure location (outside the document root, not executable)
Block dangerous files (.php, .phtml, .htaccess, ...)
move_uploaded_file
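The slide's checklist as code, an added example that is not from the talk: validation of one $_FILES entry followed by the move into a directory outside the document root. validate_upload() is pure so it can be exercised from the CLI with the constructed entry that reproduces the slide's traversal filename; the ALLOWED_TYPES table, the size limit and UPLOAD_DIR are assumptions for the demonstration.

```php
<?php
// Added example (not from the slides): validation for one $_FILES entry
// following the slide's checklist, then the move into a directory outside the
// document root. The allowed-type table and the upload directory are assumptions.

// Extension => MIME type that the file's magic bytes must actually match.
const ALLOWED_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];
const MAX_BYTES  = 5 * 1024 * 1024;
const UPLOAD_DIR = '/var/app/uploads';   // not under the web root

// Only the extension is taken from the client's name, and only after every
// path component is stripped: "../../../etc/passwd" becomes "passwd".
function client_extension(array $file): string
{
    $clientName = basename(str_replace('\\', '/', (string) ($file['name'] ?? '')));
    return strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
}

// Returns null if the entry is acceptable, else the reason it was refused.
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error ' . $file['error'];
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        return 'file too large';
    }
    $ext = client_extension($file);
    if ($ext === '' || !isset(ALLOWED_TYPES[$ext])) {
        return "extension not allowed: '$ext'";
    }
    // $file['type'] is client supplied; sniff the real type from the bytes.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        return "content is $detected, not " . ALLOWED_TYPES[$ext];
    }
    return null;
}

// Server-chosen random name: no user-controlled characters reach the filesystem.
function store_upload(array $file): string
{
    $reason = validate_upload($file);
    if ($reason !== null) {
        throw new RuntimeException($reason);
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // only files PHP received via HTTP
        throw new RuntimeException('not an uploaded file');
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . client_extension($file);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640);   // never executable
    return $dest;
}

// Constructed $_FILES entries. The temporary file is given a real PNG signature
// so finfo has bytes to sniff; the first name is the slide's traversal payload.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
$base = ['type' => 'image/png', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => 72];

echo validate_upload(['name' => '../../../etc/passwd'] + $base) ?? 'ok', "\n"; // no allowed extension
echo validate_upload(['name' => 'shell.php'] + $base) ?? 'ok', "\n";           // blocked extension
echo validate_upload(['name' => 'avatar.png'] + $base) ?? 'ok', "\n";          // accepted
unlink($tmp);
```

Only avatar.png passes. In a real handler, store_upload($_FILES['file1']) performs the move; the random name plus the directory outside the web root means that even a file whose bytes look like an image but carry PHP in a comment can never be requested as a script.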

Slide 20

OWASP & Risk (2013 Edition)
+D: What's next for Developers
+V: What's next for Verifiers
+O: What's next for Organizations
+R: Note about Risks

Slide 21

OWASP Top 10 (2013 Edition)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards

Slide 22

Risk
Exploitability + Prevalence + Detectability + Impact

Slide 23

"Push left": minimize risk by integrating security early in development; encourage secure software development.

Slide 24

Questions?
@enygma
https://joind.in/8149