Slide 1

Hacking your PHP Application

Slide 3

Key concepts

Confidentiality
Integrity
Availability

Slide 4

Risks

Are you aware?

Slide 5

Attackers have advantage over defenders

✓ Attacker must succeed once
✓ Attacker can choose the weakest spot
✓ Attacker can leverage zero-days
✓ Attacker can play dirty

✘ Defender must get it right all the time
✘ Defender must defend all places
✘ Defender can only defend against known attacks
✘ Defender needs to play by the rules

Slide 6

Threat Agents → Attack Vectors → Security Weaknesses → Security Controls → Technical Impacts → Business Impacts

Slide 7

Where do the attacks come from?

your office

Slide 8

OWASP Top 10 Application Security Risks - 2017

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Slide 9

Approaches

Can I play, Daddy?
Bring ‘em on!
I am Death incarnate!

Slide 10

Apprentice

Slide 11

Wizard

Slide 12

Black Sorcerer

Slide 14

Security process is easy

Keep Security Simple

Slide 15

Let’s review some concepts

Filter inputs, escape outputs
Minimize attack surface area
Least privilege
Defense in depth
Fail securely
Avoid security by obscurity

Slide 16

Thanks! Any questions?

In-secure: https://github.com/EvandroMohr/in-secure
Juice Shop: https://github.com/bkimminich/juice-shop
WebGoat: https://github.com/WebGoat/WebGoat
DVWA: https://github.com/ethicalhack3r/DVWA