Slide 1

Slide 1 text

OWASP 301: Infrastructure-Based Security Eric Mann

Slide 2

Slide 2 text

ASR 3 - Sensitive Data Exposure

Slide 3

Slide 3 text

Many web applications do not adequately protect sensitive data, such as credit cards, tax IDs, and authentication credentials.

Slide 4

Slide 4 text

Photo borrowed from Schneier on Security: https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html

Slide 5

Slide 5 text

Sensitive Data Retention
What data do you retain?
Why do you need this data in the first place?
Who has access to the data?
Where are backups stored?
Who has access to the data via the backup system?

Slide 6

Slide 6 text

Encoding is not encryption!

Slide 7

Slide 7 text

// No key is involved anywhere below: anyone who can read this code (or who
// recognises reversed base64) can reverse the output. This is obfuscation.
function encodeString($str) {
    for ($i = 0; $i < 5; $i++) {
        $str = strrev(base64_encode($str));
    }
    return $str;
}

function decodeString($str) {
    for ($i = 0; $i < 5; $i++) {
        $str = base64_decode(strrev($str));
    }
    return $str;
}

encodeString('this is a secret');
// QVlRHZlbopUYxQWShRkTUR1aaVUWuB3UNdlR2NmRWplUuJkVUxGcPFGbGVkVqp0VUJjUZdVVaNVTtVUP
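The following is an added example, not code from the slides: it keeps the encodeString()/decodeString() pair above unchanged to show that the "encoded" value is recovered with no secret at all, and then does the same job with real authenticated encryption using the libsodium functions bundled with PHP 7.2 and later. The open() helper and its length check are this example's own.

```php
<?php
// Added example (not from the slides). Uses only PHP's bundled libsodium.
declare(strict_types=1);

// The slide's scheme, unchanged: five rounds of reversed base64, no key.
function encodeString(string $str): string {
    for ($i = 0; $i < 5; $i++) { $str = strrev(base64_encode($str)); }
    return $str;
}
function decodeString(string $str): string {
    for ($i = 0; $i < 5; $i++) { $str = base64_decode(strrev($str)); }
    return $str;
}

// 1. Anyone holding only the "encoded" value gets the plaintext back. There is
//    no key, and the pattern is recognisable even without the source: output
//    uses only base64 characters and grows by a factor of 4/3 per round.
function recoverWithoutKey(string $obfuscated): string {
    return decodeString($obfuscated);
}

// 2. Real encryption: a random 256-bit key kept outside the code base
//    (environment, KMS, sodium keyring), a fresh nonce per message, and a MAC
//    so tampering is detected instead of silently decrypted.
function seal(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // 24 bytes, unique per call
    // Store nonce || ciphertext; the nonce is not secret.
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

function open(string $sealed, string $key): ?string {
    // Too short to contain a nonce and a MAC: reject before touching sodium.
    if (strlen($sealed) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($sealed, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($sealed, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($ct, $nonce, $key); // false on wrong key or modified data
    return $plain === false ? null : $plain;
}

// Demonstration with a constructed secret.
$obfuscated = encodeString('this is a secret');
var_dump(recoverWithoutKey($obfuscated) === 'this is a secret');

$key    = sodium_crypto_secretbox_keygen(); // in production: load it, never generate per request
$sealed = seal('this is a secret', $key);

var_dump(open($sealed, $key));                              // the plaintext
var_dump(open($sealed, sodium_crypto_secretbox_keygen()));  // wrong key
$tampered = $sealed;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);       // flip one ciphertext bit
var_dump(open($tampered, $key));                            // MAC check fails

sodium_memzero($key); // wipe the key from memory once finished with it
```

The first var_dump is true, the second prints the plaintext, and the last two print NULL: with the wrong key or a single flipped bit, secretbox_open refuses rather than returning garbage. Nothing in the obfuscation scheme above can make that distinction, because there is no key to be wrong about.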

Slide 8

Slide 8 text

ASR 5 - Broken Access Control

Slide 9

Slide 9 text

Restrictions on what authenticated users are allowed to do are not properly enforced.

Slide 10

Slide 10 text

$app->post(
    '/profile',
    function ($request, $response, $args) {
        // Authentication check only: is somebody logged in?
        if (!isset($_SESSION['user_id']) || !$this->users->get($_SESSION['user_id'])) {
            return $response->withRedirect('/?error=notloggedin');
        }

        // The flaw: the account to edit comes from the request body, not the
        // session. Any logged-in user can overwrite any other user's profile
        // by changing user_id in the POST.
        $userID = $request->getParam('user_id');
        $fname  = $request->getParam('fname');
        $lname  = $request->getParam('lname');
        $email  = $request->getParam('email');

        // Retrieve the user's account from the database (via the app container)
        $user = $this->users->get(intval($userID));

        $user->profile->fname = filter_var($fname, FILTER_SANITIZE_STRING);
        $user->profile->lname = filter_var($lname, FILTER_SANITIZE_STRING);
        $user->profile->email = filter_var($email, FILTER_SANITIZE_EMAIL);

        $this->users->update($user);
    }
);
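As an added example (not code from the slides), here is the same handler with the access-control hole closed. It keeps the route signature and the $this->users service from the slide, which look like Slim 3 conventions (an assumption); $this->logger, the isAdmin() method, the 404/422 handling and the field limits are this example's own choices.

```php
<?php
// Added example (not from the slides): the /profile handler with authorization
// enforced. Assumes a Slim 3 style container with $this->users (as in the
// slide) plus a PSR-3 $this->logger and a User::isAdmin() method (both assumed).

$app->post('/profile', function ($request, $response, $args) {
    // Authentication: is anyone logged in at all?
    $sessionUserID = $_SESSION['user_id'] ?? null;
    $actor = $sessionUserID !== null ? $this->users->get((int) $sessionUserID) : null;
    if (!$actor) {
        return $response->withRedirect('/?error=notloggedin');
    }

    // Authorization: the record to edit is derived from the session. A
    // client-supplied user_id is honoured only for admins; a mismatch from a
    // non-admin is an attempted IDOR, so it is logged and refused, not ignored.
    $requested = $request->getParam('user_id');
    $targetID  = (int) $sessionUserID;
    if ($requested !== null && (int) $requested !== $targetID) {
        if (!$actor->isAdmin()) {
            $this->logger->warning('blocked profile edit on another account', [
                'actor'  => $targetID,
                'target' => (int) $requested,
                'ip'     => $request->getServerParam('REMOTE_ADDR'),
            ]);
            return $response->withStatus(403);
        }
        $targetID = (int) $requested;
    }

    $user = $this->users->get($targetID);
    if (!$user) {
        return $response->withStatus(404);
    }

    // Validate rather than "sanitize": reject bad input, store clean values,
    // escape on output. (FILTER_SANITIZE_STRING is deprecated since PHP 8.1.)
    $fname = trim((string) $request->getParam('fname', ''));
    $lname = trim((string) $request->getParam('lname', ''));
    $email = filter_var((string) $request->getParam('email', ''), FILTER_VALIDATE_EMAIL);
    if ($fname === '' || $lname === '' || mb_strlen($fname) > 100 || mb_strlen($lname) > 100 || $email === false) {
        return $response->withStatus(422)->withJson(['error' => 'invalid profile fields']);
    }

    $user->profile->fname = $fname;
    $user->profile->lname = $lname;
    $user->profile->email = $email;
    $this->users->update($user);

    // Audit trail: who changed whose profile (see the logging section later).
    $this->logger->info('profile updated', ['actor' => (int) $sessionUserID, 'target' => $targetID]);
    return $response->withStatus(204);
});
```

The structural change is small: the identity used to load the record now comes from server-side session state, and the only path that trusts a client-supplied user_id is gated on a role check. Logging the refused attempt matters as much as refusing it; a burst of 403s from one session is exactly the signal the monitoring section later asks you to capture.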

Slide 11

Slide 11 text

United Airlines experienced this vulnerability in their mobile app in 2015 - https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability//

Slide 12

Slide 12 text

ASR 6 - Security Misconfiguration

Slide 13

Slide 13 text

Secure settings should be defined, implemented, and maintained, as defaults are often insecure.

Slide 14

Slide 14 text

PHP Settings
Disable error display (display_errors) and log errors instead
Disable remote includes (allow_url_fopen and allow_url_include)
Set reasonable resource maximums (upload_max_filesize and memory_limit)
Leverage the disable_functions directive to block dangerous functions: exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, eval, create_function
Caveat: eval is a language construct, not a function, so disable_functions cannot block it; create_function was removed in PHP 8.0. Keep user input out of eval and include paths in code, because no ini setting will do it for you.
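An added example, not from the slides: a production php.ini fragment that applies the bullets above, with each hardened value noted against the default it replaces. The log path is a placeholder, and the setting names and defaults are those documented for PHP 7 and 8.

```ini
; Added example (not from the slides): production php.ini / conf.d fragment.
; Verify with php-fpm -i or phpinfo() on the web SAPI; the CLI usually reads a
; different php.ini than FPM or mod_php.

; Errors go to the log, never to the client (php.ini-development ships On).
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log
; Default On; turning it off drops the X-Powered-By header.
expose_php = Off

; Remote file access. allow_url_fopen defaults to On; switching it off breaks
; file_get_contents('https://...') and friends, so use an HTTP client library
; explicitly instead. allow_url_include already defaults to Off; pin it so
; include($_GET['page']) can never become remote file inclusion.
allow_url_fopen = Off
allow_url_include = Off

; Resource ceilings (the defaults are 2M, 8M, 128M and 30 seconds). post_max_size
; must be at least upload_max_filesize or uploads fail silently.
upload_max_filesize = 2M
post_max_size = 8M
memory_limit = 128M
max_execution_time = 30

; Functions an ordinary web application never calls. Two caveats: eval is a
; language construct and disable_functions silently ignores it, and
; create_function no longer exists in PHP 8 (listing it is harmless but is not
; a control). show_source is an alias of highlight_file, so disable both.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source,highlight_file,create_function
```

Treat disable_functions as a reduction of blast radius after a code-execution bug, not as a substitute for fixing the bug: an attacker who can write arbitrary PHP can still do a great deal without a shell.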

Slide 15

Slide 15 text

Webserver Settings (Nginx / Apache / etc)
Disable server tokens and signature disclosure
Configure a static server name (don’t trust potentially malicious HOST headers)
Disable directory listing (autoindex in Nginx, Options -Indexes in Apache), so a missing index file does not expose the directory contents
ALWAYS configure strong TLS (valid certificates, current protocol versions and cipher suites) for secure access
Return proper error codes (a 404 for a missing resource, not a 200 carrying an error page)
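An added example, not from the slides: an nginx configuration that implements the bullets above for a PHP-FPM site. Host names, certificate paths and the socket path are placeholders.

```nginx
# Added example (not from the slides): nginx hardening for a PHP-FPM site.
# Place server_tokens in the http {} block; the rest are server {} blocks.

server_tokens off;   # hides the nginx version in the Server header and error pages

# Catch-all for requests whose Host header matches no configured site.
# Without this, nginx serves the first server block for any Host value;
# 444 is nginx's "close the connection without a response".
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/tls/fallback.pem;   # placeholder self-signed cert
    ssl_certificate_key /etc/nginx/tls/fallback.key;
    server_name _;
    return 444;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;   # static name: $host is now safe to use in redirects

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;   # let modern clients choose; pair with a current cipher list for TLS 1.2
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/app/public;   # only the public/ directory is served; vendor/ and config stay above it
    index index.php;
    autoindex off;              # no directory listings (the default, but state it)

    # Dotfiles (.git, .env, .htaccess) must never leave the server.
    location ~ /\. { return 404; }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;   # a real 404 for missing scripts; blocks /index.php/foo pathinfo tricks
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}
```

After changing the configuration, check it with nginx -t and then confirm the behaviour from outside: a request with an unknown Host header should get no response at all, and curl -sI against the site should show no version in the Server header.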

Slide 16

Slide 16 text

Database (MySQL) Settings
Set an appropriate bind-address
Ensure users are configured from the correct host, not a % wildcard
Limit user permissions on the database to just what the application needs
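An added example, not from the slides: the account setup for the three MySQL bullets above, with the weak form shown commented out beside the corrected one. The database name, host addresses and passwords are placeholders.

```sql
-- Added example (not from the slides): MySQL accounts for a web application.
-- Listener: in my.cnf under [mysqld], set
--     bind-address = 10.0.1.10
-- (the private interface the app servers reach, or 127.0.0.1 if co-located),
-- so MySQL does not listen on every interface.

-- Weak: reachable from any host, owns every database, can read files and
-- kill other sessions.
-- CREATE USER 'app'@'%' IDENTIFIED BY 'password';
-- GRANT ALL PRIVILEGES ON *.* TO 'app'@'%';

-- Runtime account: one per application, pinned to the application host,
-- data manipulation only. No CREATE/ALTER/DROP, no FILE, no SUPER.
CREATE USER 'app'@'10.0.1.20' IDENTIFIED BY 'use-a-generated-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app'@'10.0.1.20';

-- Migration account: schema changes come from the deploy host, so a SQL
-- injection in the running app cannot ALTER or DROP anything.
CREATE USER 'app_migrate'@'10.0.1.30' IDENTIFIED BY 'another-generated-secret';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON shop.* TO 'app_migrate'@'10.0.1.30';

-- Reporting/backup account: read-only.
CREATE USER 'app_readonly'@'10.0.1.40' IDENTIFIED BY 'third-generated-secret';
GRANT SELECT, LOCK TABLES, SHOW VIEW ON shop.* TO 'app_readonly'@'10.0.1.40';

FLUSH PRIVILEGES;

-- Verification queries to run after setup and to re-run in audits:
-- any wildcard hosts left?
SELECT user, host FROM mysql.user WHERE host = '%';
-- any application account holding global privileges?
SELECT user, host, File_priv, Super_priv, Process_priv
  FROM mysql.user
 WHERE user LIKE 'app%' AND (File_priv = 'Y' OR Super_priv = 'Y' OR Process_priv = 'Y');
SHOW GRANTS FOR 'app'@'10.0.1.20';
```

The split into runtime, migration and read-only accounts is what makes "just what the application needs" concrete: the credential the web tier holds at runtime cannot change the schema, read files from the server, or reach another database on the same instance.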

Slide 17

Slide 17 text

ASR 9 - Using Components with Known Vulnerabilities

Slide 18

Slide 18 text

Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

Slide 19

Slide 19 text

Audit Application Dependencies
Monitor Composer-installed dependencies for outdated or vulnerable libraries
Leverage unattended-upgrades to keep system packages up-to-date
Audit the packages installed on your server - don’t install things you don’t need

Slide 20

Slide 20 text

Custom error messages can help demonstrate when a security hole has been plugged. Or annoy those who were exploiting it in the first place...

Slide 21

Slide 21 text

Audit Application Dependencies
Monitor Composer-installed dependencies for outdated or vulnerable libraries
Leverage unattended-upgrades to keep system packages up-to-date
Audit the packages installed on your server - don’t install things you don’t need
Only run current, supported versions of PHP!!!
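An added example, not from the slides, covering the dependency-audit checklist on this slide and the earlier one: a script that checks the PHP version floor, runs Composer's advisory and staleness checks, and enables unattended security updates. It assumes Composer 2.4 or newer (for composer audit) and a Debian/Ubuntu host; the version floor of 8.1.0 is this example's own placeholder, not a statement of PHP's current support dates.

```sh
#!/bin/sh
# Added example (not from the slides): dependency and platform audit for a
# PHP host. Assumes Composer >= 2.4 and Debian/Ubuntu (apt). Run with
# RUN_AUDIT=1 to execute; the functions can also be sourced individually.
set -eu

# version_ge A B: succeed when version A is at or above version B.
# Relies on GNU sort -V for dotted-version ordering.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Refuse to proceed on an unsupported interpreter. The floor is an argument,
# because the supported branches change; check php.net before trusting it.
check_php_version() {
    min="${1:-8.1.0}"
    running="$(php -r 'echo PHP_VERSION;')"
    if version_ge "$running" "$min"; then
        echo "PHP $running is at or above $min"
    else
        echo "PHP $running is below $min: upgrade before deploying" >&2
        return 1
    fi
}

# Composer-installed libraries: known advisories first, then anything stale.
audit_composer() {
    composer audit --no-interaction            # composer.lock against the security advisory database
    composer outdated --direct --no-interaction  # direct dependencies with newer releases
}

# System packages: turn on unattended upgrades and show what is pending.
audit_system() {
    apt-get install -y unattended-upgrades
    cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    apt-get update -qq
    apt-get -s upgrade | grep '^Inst' || true   # dry run: packages that would be upgraded now
}

main() {
    check_php_version "${1:-8.1.0}"
    audit_composer
    audit_system
}

if [ "${RUN_AUDIT:-0}" = "1" ]; then
    main "$@"
fi
```

Run it from the application directory in CI with RUN_AUDIT=1 so a new advisory against a locked dependency fails the build rather than surfacing weeks later. The "don't install things you don't need" bullet has no command: it is a review of the output of dpkg -l or rpm -qa against what the application actually uses.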

Slide 22

Slide 22 text

ASR 10 - Insufficient Logging & Monitoring

Slide 23

Slide 23 text

Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.

Slide 24

Slide 24 text

It’s Important to Track:
What happened
When it happened
Where it happened (in terms of code and the IP of the server)
To whom it happened
What input triggered the event

Slide 25

Slide 25 text

Event Classes
Input Validation Errors
Output Validation Errors
Authentication Events
Authorization (Access Control) Failures
Application Errors
Application Startup/Shutdown
High-risk Operations
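An added example, not code from the slides, that ties the two slides above together: a small security-event logger that writes one JSON line per event carrying the five facts (what, when, where, to whom, which input) and tags each with one of the event classes listed. The class and field names, the redaction list and the file path are this example's own choices; it writes straight to a file so it runs stand-alone, though in a real app you would route it through your PSR-3 logger.

```php
<?php
// Added example (not from the slides): structured security-event logging.
// Requires PHP 8.0+ (constructor promotion, str_contains).
declare(strict_types=1);

final class SecurityLog
{
    // The event classes from the slide, as tags on each record.
    public const INPUT_VALIDATION  = 'input_validation';
    public const OUTPUT_VALIDATION = 'output_validation';
    public const AUTHN             = 'authentication';
    public const AUTHZ             = 'authorization';
    public const APP_ERROR         = 'application_error';
    public const LIFECYCLE         = 'startup_shutdown';
    public const HIGH_RISK         = 'high_risk_operation';

    // Input keys whose values must never reach a log file verbatim.
    private const REDACT = ['password', 'passwd', 'token', 'secret', 'card', 'cvv', 'ssn'];

    public function __construct(private string $path) {}

    public function event(string $class, string $what, array $input = [], ?int $userID = null, string $outcome = 'failure'): void
    {
        // Frame 0 is the call site of event(); frame 1 names the enclosing function.
        $bt = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2);
        $record = [
            'ts'      => gmdate('c'),                                   // when (UTC, ISO 8601)
            'class'   => $class,
            'what'    => $what,
            'outcome' => $outcome,
            'where'   => [                                              // where: code and host
                'file'   => basename($bt[0]['file'] ?? 'unknown'),
                'line'   => $bt[0]['line'] ?? 0,
                'func'   => $bt[1]['function'] ?? '(top level)',
                'server' => $_SERVER['SERVER_ADDR'] ?? gethostname(),
                'route'  => $_SERVER['REQUEST_URI'] ?? 'cli',
            ],
            'who'     => [                                              // to whom
                'user_id'   => $userID,
                'client_ip' => $_SERVER['REMOTE_ADDR'] ?? null,
                // Hash the session id: enough to correlate, useless to hijack.
                'session'   => session_id() !== '' ? substr(hash('sha256', session_id()), 0, 16) : null,
            ],
            'input'   => $this->redact($input),                         // what triggered it
        ];
        // json_encode escapes newlines and control characters, so hostile input
        // cannot forge a second log line or terminal escape sequences.
        file_put_contents($this->path, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
    }

    // Mask secrets by key name and cap oversized values so a 10 MB upload does
    // not land in the log; nested arrays are handled recursively.
    private function redact(array $input): array
    {
        foreach ($input as $k => $v) {
            $key = strtolower((string) $k);
            foreach (self::REDACT as $needle) {
                if (str_contains($key, $needle)) {
                    $input[$k] = '[redacted]';
                    continue 2;
                }
            }
            if (is_array($v)) {
                $input[$k] = $this->redact($v);
            } elseif (is_string($v) && strlen($v) > 200) {
                $input[$k] = substr($v, 0, 200) . '...[truncated]';
            }
        }
        return $input;
    }
}

// Usage with constructed events (path is a placeholder for the demo).
$log = new SecurityLog(sys_get_temp_dir() . '/security.log');
$log->event(SecurityLog::AUTHN, 'login failed: bad password', ['username' => 'alice', 'password' => 'hunter2']);
$log->event(SecurityLog::AUTHZ, 'profile edit on another account blocked', ['user_id' => '42'], 7);
$log->event(SecurityLog::INPUT_VALIDATION, 'email rejected', ['email' => "x\n<script>"], 7);
$log->event(SecurityLog::HIGH_RISK, 'password changed', [], 7, 'success');
```

Each record is a single parseable line, which is what lets a SIEM or even a grep-and-count script do the detection this slide is about: more than a handful of authentication failures from one client_ip in a minute, or any authorization failure where user_id and the requested target differ, is worth an alert. The redaction step is not optional; the sensitive-data slide earlier applies to log files and their backups exactly as it does to the database.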

Slide 26

Slide 26 text

(Full image slide. No text)

Slide 27

Slide 27 text

Questions?

Slide 28

Slide 28 text

Thank you [email protected] | 503.925.6266