Slide 1

Beyond the Basics: security with PHP
confoo 2013, Wednesday, February 27, 2013

Slide 2

As a whole, PHP fails at security: no security-focused center

Slide 3

It's time to move beyond... complex applications require complex solutions

Slide 4

App security is complex: threat, attack surface, defense in depth, least privilege, two-factor, identity, authorization, spoofing, disclosure, poisoning, enumeration, injection, fixation, vulnerability...

Slide 5

Look back
- Cross-Site Scripting
- SQL Injection
- Cross-Site Request Forgeries

Slide 6

OWASP Top 10, 2010 Edition
A1 - Injection
A2 - Cross-Site Scripting
A3 - Broken Authentication/Session Management
A4 - Insecure Direct Object References
A5 - Cross-Site Request Forgery
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards

Slides 7-11

Cross-Site Scripting
Example: http://mysite.com/query=
- Reflective
- Passive
- DOM injection
- Still relevant
Defenses: strip_tags, htmlentities
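Added example, not from the slides: the reflected `query=` parameter rendered three ways. The two payloads are constructed; the point is that `strip_tags` is a filter (it leaves a tag-free attribute payload intact) while `htmlspecialchars` with `ENT_QUOTES` and a charset, or a hex-escaped JSON literal for an inline script, is output encoding chosen per context.

```php
<?php
declare(strict_types=1);

// Constructed attacker inputs for ?query= (not from the slides).
$attribute = '" autofocus onfocus="alert(document.cookie)';   // needs no tags at all
$script    = '</script><script>alert(1)</script>';            // breaks out of an inline script

// Vulnerable: the parameter is reflected verbatim into three contexts.
function renderUnsafe(string $q): string
{
    return '<input name="query" value="' . $q . '">'
        . '<p>Results for ' . $q . '</p>'
        . '<script>var lastQuery = "' . $q . '";</script>';
}

// HTML body and attribute contexts: encode, do not filter.
function e(string $s): string
{
    // ENT_QUOTES covers both quote styles so the value cannot close an attribute;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline-script context: a JSON literal with the HTML-significant characters
// hex-escaped, so the sequence "</script>" can never appear in the output.
function eJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function renderSafe(string $q): string
{
    return '<input name="query" value="' . e($q) . '">'
        . '<p>Results for ' . e($q) . '</p>'
        . '<script>var lastQuery = ' . eJs($q) . ';</script>';
}

// strip_tags() is a filter, not an encoder: the attribute payload passes through untouched.
function renderStripTags(string $q): string
{
    return '<input name="query" value="' . strip_tags($q) . '">';
}

foreach (['attribute' => $attribute, 'script' => $script] as $label => $q) {
    echo "== $label ==\n";
    echo 'unsafe:     ', renderUnsafe($q), "\n";
    echo 'strip_tags: ', renderStripTags($q), "\n";
    echo 'encoded:    ', renderSafe($q), "\n";
}
```

Server-side encoding covers the reflective and stored cases; the DOM injection case on the slide happens after the page has loaded, when client script writes `location.hash` or a fetched value into `innerHTML`, and has to be fixed in the JavaScript (use `textContent`, or encode there).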

Slides 12-16

SQL Injection
Example: "update users set admin = ".$_GET['admin']
- Too easy to do wrong
- Blind versus Known
- Validation
- Whitelist
Defenses: prepared statements, escaping
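Added example, not from the slides: the slide's `admin = ` concatenation beside a validated and bound version. The in-memory SQLite database, the table and the `3 OR 1=1` input are constructed fixtures. It shows why "escaping" is the weaker of the two defenses named on the slide: in a numeric context there are no quotes to escape, so only validation plus a bound parameter helps, and for identifiers (a sort column) a whitelist is the only option because placeholders cannot bind them.

```php
<?php
declare(strict_types=1);

// Constructed fixture: in-memory SQLite stands in for the production database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, admin INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed attacker input. Numeric context: no quotes, so an escaping
// function such as mysql_real_escape_string() would change nothing.
$adminParam = '1';
$idParam    = '3 OR 1=1';

// Vulnerable: string concatenation, the pattern on the slide with a WHERE clause.
function setAdminUnsafe(PDO $db, string $admin, string $id): int
{
    return $db->exec("UPDATE users SET admin = $admin WHERE id = $id");
}

// Hardened: validate the shape of each value first, then bind it with a type.
function setAdminSafe(PDO $db, string $admin, string $id): int
{
    $adminInt = filter_var($admin, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 1]]);
    $idInt    = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($adminInt === false || $idInt === false) {
        throw new InvalidArgumentException('admin and id must be integers');
    }
    $stmt = $db->prepare('UPDATE users SET admin = :admin WHERE id = :id');
    $stmt->bindValue(':admin', $adminInt, PDO::PARAM_INT);
    $stmt->bindValue(':id', $idInt, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Identifiers cannot be bound: map user input onto a fixed whitelist instead.
function listUsers(PDO $db, string $orderBy): array
{
    $allowed = ['id' => 'id', 'name' => 'name'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return $db->query('SELECT id, name, admin FROM users ORDER BY ' . $allowed[$orderBy])
              ->fetchAll(PDO::FETCH_ASSOC);
}

function countAdmins(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM users WHERE admin = 1')->fetchColumn();
}

echo 'unsafe: rows updated=', setAdminUnsafe($db, $adminParam, $idParam),
     ' admins=', countAdmins($db), "\n";              // 3 rows, 3 admins
$db->exec('UPDATE users SET admin = 0');

try {
    setAdminSafe($db, $adminParam, $idParam);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected (', $e->getMessage(), ') admins=', countAdmins($db), "\n"; // 0 admins
}
echo 'safe with a real id: rows updated=', setAdminSafe($db, '1', '3'), "\n";       // 1
print_r(listUsers($db, 'name'));
```

The blind-versus-known distinction on the slide does not change the fix: a query whose result is never shown still leaks through timing or through which branch of the page renders, so the same binding discipline applies to every statement, not only the ones whose output is displayed.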

Slides 17-21

CSRF
Example: GET /transfer?from=123&to=456&amt=100000
- Tokens
- Exploit of user trust
- Referrer check
- Replay attacks
Defenses: tokens, idempotent requests
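Added example, not from the slides: a token-protected version of the `/transfer` action. The session is modelled as a plain array and the three requests are constructed so that it runs without a web server; in an application `$session` is `$_SESSION`. It shows the three layers in the order they should be checked: no state change on GET, an Origin/Referer check as a secondary signal, and a per-session token compared in constant time.

```php
<?php
declare(strict_types=1);

// In-memory stand-in for $_SESSION so the example runs on the command line.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function transferForm(array &$session): string
{
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input name="to"><input name="amt"><button>Send</button></form>';
}

/**
 * Gate in front of the state-changing /transfer handler.
 * $method, $headers and $post are the pieces of the incoming request.
 */
function authorizeTransfer(array $session, string $method, array $headers, array $post, string $siteOrigin): bool
{
    // 1. State changes never ride on GET: a GET is forged by a single <img> tag.
    if ($method !== 'POST') {
        return false;
    }
    // 2. Origin (or Referer) is a secondary layer only: some clients omit it and
    //    privacy tooling strips it, so its absence cannot be treated as proof.
    $origin = $headers['Origin'] ?? null;
    if ($origin !== null && $origin !== $siteOrigin) {
        return false;
    }
    // 3. The token must exist server-side and match, compared in constant time.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

$session = [];
$site    = 'https://mysite.com';
echo transferForm($session), "\n";

// Forged POST from an attacker's page: the browser attaches the session cookie,
// but the page cannot read the token to include it.
$forged = authorizeTransfer($session, 'POST', ['Origin' => 'https://evil.example'],
    ['to' => '456', 'amt' => '100000'], $site);
// The slide's GET link.
$forgedGet = authorizeTransfer($session, 'GET', [], ['to' => '456', 'amt' => '100000'], $site);
// Legitimate submission of the form rendered above.
$legit = authorizeTransfer($session, 'POST', ['Origin' => $site],
    ['to' => '456', 'amt' => '100', 'csrf_token' => $session['csrf_token']], $site);

var_dump($forged, $forgedGet, $legit);   // false, false, true
```

A per-session token like this one can be replayed only by someone who already holds it, which means a script running in the page (XSS) or a transport that leaked it; rotating the token after each use narrows that window at the cost of breaking multi-tab forms. Neither variant helps if the transfer endpoint also accepts the same parameters over GET, which is why the slide pairs tokens with idempotent requests.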

Slide 22

Look forward
- XML Injection
- Mass Assignment
- Session Hijacking
- Password Storage
- Upload Handling

Slides 23-28

XML Injection
Example (entity expansion): ]> &foo;
- Inject content
- Expanded by default
Example (nested entities): ]> &three;
- XML "bomb"
- Denial of Service
Defense: libxml_disable_entity_loader
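Added example, not from the slides: a parser for untrusted XML that refuses the two documents the slides gesture at, an external entity read of `/etc/passwd` and a nested-entity bomb. Both payloads are constructed here (the slides' own DOCTYPE declarations did not survive extraction). Assumptions: `DOMDocument` (ext/dom) is available, and PHP 8 or later, where `libxml_disable_entity_loader()` is deprecated because libxml 2.9+ no longer loads external entities by default; the call is kept behind a version check for older builds.

```php
<?php
declare(strict_types=1);

// Constructed payloads: an external-entity read and an entity-expansion bomb.
$xxe = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]>
<user><name>&foo;</name></user>
XML;

$bomb = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY one "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
  <!ENTITY two "&one;&one;&one;&one;&one;&one;&one;&one;&one;&one;">
  <!ENTITY three "&two;&two;&two;&two;&two;&two;&two;&two;&two;&two;">
]>
<user><name>&three;</name></user>
XML;

$clean = '<?xml version="1.0"?><user><name>alice</name></user>';

function parseUntrustedXml(string $xml): DOMDocument
{
    // Untrusted input never has a legitimate reason to carry a DTD. Refusing
    // any DOCTYPE up front stops external entities and internal entity bombs
    // before libxml allocates anything for them.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new RuntimeException('DOCTYPE not allowed in untrusted XML');
    }

    // Second layer for PHP < 8.0, where the external entity loader was on by
    // default; deprecated since 8.0 because libxml now defaults to off.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. Never add LIBXML_NOENT
    // here: that is the flag that turns entity substitution on.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        throw new RuntimeException('XML parse error: ' . trim($errors[0]->message ?? 'unknown'));
    }
    return $doc;
}

foreach (['xxe' => $xxe, 'bomb' => $bomb, 'clean' => $clean] as $label => $input) {
    try {
        $doc  = parseUntrustedXml($input);
        $name = $doc->getElementsByTagName('name')->item(0)->textContent;
        echo "$label: accepted, name=$name\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```

The DOCTYPE regex is a byte-level check, so normalise the document's encoding first (a UTF-16 body would not match) or run the check after `mb_convert_encoding`. The same rule applies to `SimpleXML` and `XMLReader`: neither the DOCTYPE refusal nor the absence of `LIBXML_NOENT` is specific to `DOMDocument`.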

Slides 29-32

Mass Assignment
Example: values($_POST); ?>
- Spotlighted in Rails
- Tricky to track
- Laravel has "fillable" & "guarded"
Defenses: filter, restrict
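Added example, not from the slides: a model whose `values()` method takes the whole request body, beside one that keeps a `fillable` whitelist in the model the way Laravel does. The `$post` array is a constructed request in which the attacker has added an `admin` field the form never offered; the class and method names are illustrative, not a real framework's API.

```php
<?php
declare(strict_types=1);

// Constructed request body: the attacker adds a field the form never showed.
$post = ['name' => 'mallory', 'email' => 'm@example.com', 'admin' => '1'];

// Vulnerable model: every key that arrives becomes an attribute.
final class LooseUser
{
    public array $attributes = ['admin' => 0];

    public function values(array $input): void
    {
        foreach ($input as $key => $value) {
            $this->attributes[$key] = $value;
        }
    }
}

// Hardened model: the whitelist lives next to the data it protects (the idea
// behind Laravel's $fillable). Anything else is dropped and recorded.
final class User
{
    /** @var string[] attributes a request is allowed to set */
    private const FILLABLE = ['name', 'email'];

    public array $attributes = ['admin' => 0];
    public array $rejected = [];

    public function values(array $input): void
    {
        $allowed        = array_intersect_key($input, array_flip(self::FILLABLE));
        $this->rejected = array_keys(array_diff_key($input, $allowed));
        foreach ($allowed as $key => $value) {
            $this->attributes[$key] = (string) $value;
        }
    }

    // Privileged fields get an explicit setter with its own authorization check.
    public function promote(bool $callerIsAdmin): void
    {
        if (!$callerIsAdmin) {
            throw new RuntimeException('not authorized to change the admin flag');
        }
        $this->attributes['admin'] = 1;
    }
}

$loose = new LooseUser();
$loose->values($post);
var_dump($loose->attributes['admin']);   // string(1) "1": privilege escalated

$user = new User();
$user->values($post);
var_dump($user->attributes['admin']);    // int(0)
print_r($user->rejected);                // ['admin']: worth logging as a probe
```

The "tricky to track" point from the slide is the reason the whitelist sits in the model rather than in each controller: a new column added to the table is unreachable from a request until someone deliberately adds it to `FILLABLE`, so the default for every future field is closed.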

Slides 33-37

Session Hijacking
Example: PHPSESSID=56fc3e2c96dc3030b11722caf474da81
- Fixation
- Sidejacking
- Encrypted sessions
- Lock to IP
Defense: session_set_save_handler
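Added example, not from the slides: an encrypting save handler registered through `session_set_save_handler`, plus the cookie and ID hygiene a handler cannot supply. Assumptions: PHP 8.1 or later (for the typed `SessionHandlerInterface` signatures), the bundled libsodium, a 32-byte key loaded from outside the web root, and a writable directory for the ciphertext. The demonstration at the end drives the handler directly so it runs without a web SAPI.

```php
<?php
declare(strict_types=1);

final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir, private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
    }

    private function path(string $id): string
    {
        // The ID arrives in a cookie the client controls: it must never become a path.
        if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return rtrim($this->dir, '/') . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if (!is_file($file)) {
            return '';
        }
        $blob  = (string) file_get_contents($file);
        $n     = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        $plain = strlen($blob) > $n
            ? sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $this->key)
            : false;
        // Tampered, truncated or foreign ciphertext is discarded, never trusted.
        return $plain === false ? '' : $plain;
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($this->path($id), $blob, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob(rtrim($this->dir, '/') . '/sess_*') ?: [] as $file) {
            if (filemtime($file) < time() - $max_lifetime && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Hygiene the handler cannot provide: cookie flags and ID rotation.
function secureSessionStart(SessionHandlerInterface $handler): void
{
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued (fixation)
    session_set_save_handler($handler, true);
    session_set_cookie_params([
        'secure'   => true,                     // never sent over plain HTTP (sidejacking)
        'httponly' => true,                     // not readable from script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);               // fresh ID at every privilege change (fixation)
    $_SESSION['user_id'] = $userId;
}

// Exercise the handler directly, without a web SAPI.
$dir = sys_get_temp_dir() . '/sess-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$handler = new EncryptedFileSessionHandler($dir, sodium_crypto_secretbox_keygen());
$id = bin2hex(random_bytes(16));

$handler->write($id, 'user_id|i:42;');
echo 'on disk:   ', bin2hex(substr((string) file_get_contents("$dir/sess_$id"), 0, 16)), "...\n";
echo 'decrypted: ', $handler->read($id), "\n";   // user_id|i:42;
file_put_contents("$dir/sess_$id", str_repeat('x', 48));
var_dump($handler->read($id));                    // string(0) "": tampered blob rejected
```

Encryption at rest protects the session store (a shared `/tmp`, a database dump), not the cookie: whoever holds the ID still owns the session, which is why the cookie flags and the regeneration on login matter more in practice. The slide's "lock to IP" is listed as an option rather than a rule for a reason: mobile clients and corporate proxies change addresses mid-session, so most deployments bind only to weaker signals or skip it.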

Slide 38

Password Storage
md5("don't do this");
sha1("or this");
- Hashing != Encryption
- Strong (or random) salts
- Bcrypt all the things
- ircmaxell/password_compat
password_hash("use this", PASSWORD_BCRYPT, array('cost'=>7,'salt'=>'th1si5my54lt'));
Note: the 'salt' option shown in that call was deprecated in PHP 7.0 and dropped in PHP 8.0; leave it out and let password_hash() generate a random salt. A cost of 7 is also below the library default of 10 at the time (12 since PHP 8.4); raise it until one hash takes on the order of 100 ms on the production hardware.
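Added example, not from the slides: `password_hash` without a caller-supplied salt, `password_verify` for login, and `password_needs_rehash` to upgrade rows that were stored with the slide's cost of 7 or with the md5/sha1 of the "don't do this" era. Assumptions: PHP 5.5 or later (or `ircmaxell/password_compat` on older builds), a hash column at least 60 characters wide, and the `checkLogin` return shape, which is illustrative.

```php
<?php
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // tune until one hash takes ~100-250 ms on your hardware

function hashPassword(string $password): string
{
    // No 'salt' option: password_hash() draws 16 random bytes itself and
    // embeds them in the $2y$ string, so nothing extra has to be stored.
    return password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Verify a login. Returns [ok, replacementHashOrNull]; the caller writes the
 * replacement back when the stored value is weaker than current policy.
 */
function checkLogin(string $password, string $stored): array
{
    // Legacy rows: 32 hex chars is an md5, 40 is a sha1. Accept once, then upgrade.
    if (preg_match('/\A[0-9a-f]{32}\z/', $stored)) {
        $ok = hash_equals($stored, md5($password));
        return [$ok, $ok ? hashPassword($password) : null];
    }
    if (preg_match('/\A[0-9a-f]{40}\z/', $stored)) {
        $ok = hash_equals($stored, sha1($password));
        return [$ok, $ok ? hashPassword($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Bcrypt, but possibly with an old cost: rehash on the way through.
    $replacement = password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS) ? hashPassword($password) : null;
    return [true, $replacement];
}

// Pick the smallest cost that meets a wall-clock target on this machine.
function calibrateCost(float $targetSeconds = 0.1): int
{
    for ($cost = 8; $cost <= 31; $cost++) {
        $start = microtime(true);
        password_hash('calibration', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return 31;
}

// Constructed fixtures: three stored values for the same password.
$legacy  = md5('correct horse');                                           // old md5 row
$lowCost = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 7]); // the slide's cost
$current = hashPassword('correct horse');

foreach (['md5' => $legacy, 'cost7' => $lowCost, 'current' => $current] as $label => $stored) {
    [$ok, $replacement] = checkLogin('correct horse', $stored);
    printf("%-8s ok=%s rehash=%s\n", $label, var_export($ok, true), $replacement === null ? 'no' : 'yes');
}
[$ok] = checkLogin('wrong password', $current);
var_dump($ok);                              // false
echo 'suggested cost here: ', calibrateCost(), "\n";
```

The legacy branches keep the old hash only long enough to replace it on the next successful login; rows whose owners never log in again stay md5, so a deployment that cares about breach exposure also forces a reset for those after a cut-off date.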

Slides 39-43

Upload Handling
Example: content-disposition: form-data; name="file1"; filename="../../../etc/passwd"
- Restrict extensions/mime types
- Validate filename
- Secure location
- Block dangerous files
Defense: move_uploaded_file
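Added example, not from the slides: validation of one `$_FILES` entry covering the four bullets above, then storage under a server-generated name. Assumptions: ext/fileinfo is available, uploads live in a directory outside the document root, and only PNG, JPEG and PDF are wanted. The `$move` parameter is `move_uploaded_file` in production and is injectable only so the demonstration can run on a temp file that was not actually uploaded; the fixtures are constructed, including the traversal filename from the slide.

```php
<?php
declare(strict_types=1);

const ALLOWED = [
    // extension => MIME type the file contents must actually sniff as
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];
const MAX_BYTES = 5 * 1024 * 1024;

/** Returns the extension to store under, or throws. $file is one $_FILES entry. */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? '?'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied filename is untrusted text: keep only its last segment
    // and use it for nothing except the extension decision.
    $name = basename(str_replace('\\', '/', (string) $file['name']));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // The client's 'type' field is equally untrusted: sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    }
    return $ext;
}

/**
 * Store under a random name so no attacker-chosen string reaches the filesystem.
 * $move is move_uploaded_file() in production; injectable for this demonstration.
 */
function storeUpload(array $file, string $storageDir, callable $move = 'move_uploaded_file'): string
{
    $ext  = validateUpload($file);
    $dest = $storageDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!$move($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // never executable, never world-readable
    return $dest;
}

// Constructed fixtures: a real PNG signature on disk, and four $_FILES entries.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
$store = sys_get_temp_dir() . '/uploads-demo';
@mkdir($store, 0700);

$entry = fn (string $name, string $type) =>
    ['name' => $name, 'type' => $type, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => 72];

$cases = [
    'traversal'  => $entry('../../../etc/passwd', 'image/png'),     // basename -> no extension
    'php shell'  => $entry('avatar.php', 'image/png'),              // extension not whitelisted
    'lying mime' => $entry('doc.pdf', 'application/pdf'),           // bytes say PNG
    'good'       => $entry('photo.PNG', 'image/png'),
];
foreach ($cases as $label => $file) {
    try {
        echo "$label: stored as ", storeUpload($file, $store, 'copy'), "\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```

The storage directory is the "secure location" bullet: outside the document root, served through a script that sets `Content-Type` from the stored extension and `Content-Disposition: attachment`, so even a file that passes the sniff (a PNG with a PHP payload appended still sniffs as PNG) is never executed or rendered in the site's origin.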

Slides 44-49

OWASP & Risk, 2013 Edition
- +D : What's next for Developers
- +V : What's next for Validators
- +O : What's next for Organizations
- +R : Notes about Risk

Slide 50

OWASP Top 10, 2013 Edition
A1 - Injection
A2 - Broken Authentication/Session Management
A3 - Cross-Site Scripting
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards

Slides 51-56

Risk
- Exploitability
- Prevalence
- Detectability
- Impact
+

Slide 57

"Push left": encourage secure software development

Slide 58

Questions? @enygma
https://joind.in/7956