Slide 1

Application Security
Lochemem Bruno Michael

Slide 2

Simple test

What does the code below evaluate to?

A) Undefined
B) Object {name: 'Michael', major: 'APT'}

Why?

```javascript
const user = {
  name: 'Michael',
  major: 'APT'
};

function getUser() {
  return user;
}
```

Slide 3

What is Application Security?

Application security encompasses the family of techniques used to prevent and fix security flaws in applications.

Slide 4

Common Security Threats

- Sensitive data exposure
- Injection
- Broken authentication
- Broken access control

Slide 5

Injection

Slide 6

How it happens

Untrusted data is sent to an interpreter as part of a command or query.

A) SQL injection
B) Request parameter injection

```php
// do not do this: $stdId is interpolated straight into the SQL text,
// so whatever the caller supplies becomes part of the query
function dbFn(\PDO $pdo, string $stdId) : IO
{
    return IO::return($pdo)
        ->map(function ($pdo) use ($stdId) {
            $stmt = $pdo->query("
                SELECT student_name, student_id
                FROM students
                WHERE student_id = $stdId
            ");
            // ...
        });
}

// do not do this either: the raw request body is read and used as-is
function inputfn() : State
{
    // state monad
    return State::of('php://input')
        ->flatMap('file_get_contents');
}
```

Slide 7

How to guard against it

A) Write prepared SQL statements
B) Avoid ORMs which are not prepared-statement compatible
C) Escape query and input parameters
D) Use LIMIT in SQL queries to prevent mass data leakage

```php
function dbFn(\PDO $pdo, string $stdId) : IO
{
    return IO::return($pdo)
        ->map(function ($pdo) use ($stdId) {
            // prepare() (not query()) is what accepts placeholders; the driver
            // then keeps the bound value separate from the SQL text
            $stmt = $pdo->prepare('
                SELECT student_name, student_id
                FROM students
                WHERE student_id = :stdId
            ');
            $stmt->bindValue(':stdId', $stdId, \PDO::PARAM_STR);
            // ...
        });
}

function inputfn() : State
{
    // state monad
    return State::of('php://input')
        ->map('file_get_contents')
        ->flatMap(function ($input) {
            // file_get_contents yields one string, so escape it directly
            return State::of(htmlentities($input, ENT_QUOTES));
        });
}
```
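The following is an added example, not code from the slides: it runs the prepared-statement pattern from points A and D end to end against an in-memory SQLite database (table, rows and the student ids are constructed for the demo). It also shows why C is secondary: `htmlentities()` is an HTML output escape, and the query below never needs it because the bound value is never part of the SQL text.

```php
<?php
// Added example: prepared query with a bound LIMIT, demonstrated on SQLite.
declare(strict_types=1);

function openDemoDb(): \PDO
{
    // constructed schema and rows so the script runs stand-alone
    $pdo = new \PDO('sqlite::memory:');
    $pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE students (student_id TEXT PRIMARY KEY, student_name TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO students (student_id, student_name) VALUES (:id, :name)');
    foreach ([['S001', 'Ama'], ['S002', 'Kofi'], ['S003', 'Esi']] as [$id, $name]) {
        $insert->execute([':id' => $id, ':name' => $name]);
    }
    return $pdo;
}

/**
 * Looks up a student by id. The id travels to the engine as a bound value,
 * never as SQL text, and LIMIT caps how many rows a single call can return.
 */
function findStudent(\PDO $pdo, string $stdId, int $limit = 10): array
{
    $stmt = $pdo->prepare(
        'SELECT student_name, student_id FROM students WHERE student_id = :stdId LIMIT :limit'
    );
    $stmt->bindValue(':stdId', $stdId, \PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, \PDO::PARAM_INT); // integer binding, so LIMIT cannot be smuggled text
    $stmt->execute();
    return $stmt->fetchAll(\PDO::FETCH_ASSOC);
}

$pdo = openDemoDb();

// a normal id returns exactly one row
print_r(findStudent($pdo, 'S002'));

// a hostile-looking id containing quotes is compared as one literal string and
// matches nothing; there is no second query path for it to change
print_r(findStudent($pdo, "S002' OR '1'='1"));
```

The second call is the check worth keeping in a test suite: if it ever returns rows, something between the request and the driver has started treating the id as SQL again.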

Slide 8

Broken Authentication

Slide 9

Potential weaknesses

Broken authentication exists wherever attackers can succeed with credential stuffing and password cracking techniques, for example when:

A) Well-known passwords are generally accepted (admin, password, etc.)
B) Passwords are weakly hashed or stored in plain text
C) Knowledge-based answers are used for credential recovery

Slide 10

How to guard against it

A) Use modern, secure hashing algorithms for passwords
B) Implement weak-password checks
C) Consider using OAuth
D) Log authentication errors

```php
function passwordHash(string $password) : string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function passwordVerify(string $hash, string $password) : bool
{
    // password_verify takes the plaintext first, then the stored hash
    return password_verify($password, $hash);
}

function isPasswordLongEnough(string $password) : bool
{
    return mb_strlen($password, 'UTF-8') > 12;
}

function passwordIsAlphanumeric(string $password) : bool
{
    // anchored and case-insensitive: the whole password must be letters and digits
    return (bool) preg_match('/^[0-9a-z]+$/i', $password);
}
```
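An added example (not the slides' code) that ties points A, B and D together in one login path: a weak-password check that returns every violation rather than a single boolean, bcrypt hashing, failure logging, and a transparent rehash when an older or cheaper hash is found. The denylist, the username and the cost constant are constructed for the demo.

```php
<?php
// Added example: weak-password checks, bcrypt, failure logging and rehashing.
declare(strict_types=1);

const BCRYPT_COST = 12;
// constructed denylist; a real deployment would check a large breached-password list
const WEAK_PASSWORDS = ['password', 'admin', '123456', 'qwerty', 'letmein'];

/** Returns the list of policy violations; an empty array means the password is acceptable. */
function weakPasswordProblems(string $password): array
{
    $problems = [];
    if (mb_strlen($password, 'UTF-8') < 12) {
        $problems[] = 'shorter than 12 characters';
    }
    if (in_array(strtolower($password), WEAK_PASSWORDS, true)) {
        $problems[] = 'on the well-known password list';
    }
    if (!preg_match('/[0-9]/', $password) || !preg_match('/[a-z]/i', $password)) {
        $problems[] = 'needs both letters and digits';
    }
    return $problems;
}

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Verifies a login attempt. $store maps username => stored hash and is updated
 * in place when password_needs_rehash() reports an outdated hash.
 */
function login(array &$store, string $user, string $password): bool
{
    static $dummy = null;
    // unknown users are verified against a dummy hash so the response time does not
    // reveal which usernames exist
    $dummy ??= hashPassword('not-a-real-password');

    $hash = $store[$user] ?? null;
    $verified = password_verify($password, $hash ?? $dummy);
    if ($hash === null || !$verified) {
        error_log(sprintf('auth failure user=%s at=%s', $user, gmdate('c')));
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $store[$user] = hashPassword($password); // upgrade the hash while the plaintext is in hand
    }
    return true;
}

// constructed user store for the demo
$store = ['alice' => hashPassword('correct horse battery 9')];

print_r(weakPasswordProblems('password'));                     // three violations
var_dump(login($store, 'alice', 'correct horse battery 9'));   // bool(true)
var_dump(login($store, 'alice', 'wrong'));                     // bool(false), and a log line
var_dump(login($store, 'nobody', 'wrong'));                    // bool(false), same timing as above
```

The rehash step is what lets you raise `BCRYPT_COST` later without a migration: each user is moved to the new cost the next time they log in successfully.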

Slide 11

Sensitive Data Exposure

Slide 12

What is sensitive data?

Sensitive data is anything whose significance warrants concealment. Encryption keys, passwords, and API keys are considered sensitive.

Slide 13

How to prevent this

A) Use modern, secure cryptographic algorithms
B) Classify data as either processed, transmitted or stored
C) Hide sensitive data from viewers
D) Use SSL/TLS

```php
// Keys.php
class Keys
{
    const APP_TOKEN  = 'app token';
    const APP_SECRET = 'app secret';
}

// API request
function search(API $service, string $param) : IO
{
    return IO::return($param)
        ->map(function ($param) use ($service) {
            return $service
                ->searchFor($param)
                ->keys(Keys::APP_TOKEN, Keys::APP_SECRET);
        });
    // ...
}
```
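The `Keys.php` above keeps the token and secret as literals in source, which means they end up in version control and in every copy of the code. As an added example (not from the slides), here is the same `Keys` type loading its values from the process environment instead, with a redacted form for logs; the variable names `APP_TOKEN` and `APP_SECRET` and the demo values are assumptions.

```php
<?php
// Added example: credentials from the environment, never committed as constants.
declare(strict_types=1);

final class Keys
{
    private function __construct(
        public readonly string $appToken,
        public readonly string $appSecret,
    ) {}

    /** Loads credentials from the environment and fails loudly if either is missing. */
    public static function fromEnv(): self
    {
        $token  = getenv('APP_TOKEN');
        $secret = getenv('APP_SECRET');
        if ($token === false || $secret === false || $token === '' || $secret === '') {
            throw new \RuntimeException('APP_TOKEN and APP_SECRET must be set in the environment');
        }
        return new self($token, $secret);
    }

    /** Masked form that is safe to write to logs or error pages. */
    public function redacted(): string
    {
        return sprintf('token=%s**** secret=****', substr($this->appToken, 0, 4));
    }
}

// constructed demo values, set here only so the script runs stand-alone;
// in deployment they come from the service environment or a secrets manager
putenv('APP_TOKEN=demo-token-0123');
putenv('APP_SECRET=demo-secret-4567');

$keys = Keys::fromEnv();
echo $keys->redacted(), PHP_EOL; // token=demo**** secret=****
```

Pair this with a `.gitignore` entry for any local `.env` file and a CI check that fails the build when a committed file contains strings that look like credentials.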

Slide 14

Broken Access Control

Slide 15

Manifestations

A) Easily modifiable URLs, app state, and HTML
B) Easy account privilege elevation
C) CORS misconfiguration
D) Easy access to privileged data pages

Slide 16

How to prevent this

A) Deny access to private resources
B) Disable web server directory listing
C) Use rate-limiting on APIs
D) Never publicly cache data served from protected pages
E) Domain access control

```php
// public APIs only
header('Access-Control-Allow-Origin: *');

// private APIs only
header('Access-Control-Allow-Origin: https://your-site');

// caching for private content (directives are comma-separated)
header('Cache-Control: no-cache, must-revalidate');
```

```apache
# .htaccess file
Options -Indexes
```
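The private-API header on the slide hard-codes one origin. As an added example (not from the slides), this function decides the CORS and cache headers per request from an allow-list, so a request from an origin that is not listed gets no `Access-Control-Allow-Origin` header at all and the browser refuses the cross-origin read. The origins and the `privateApiHeaders` name are constructed for the demo.

```php
<?php
// Added example: allow-listed CORS plus no-store caching for private responses.
declare(strict_types=1);

// constructed allow-list; only exact, scheme-qualified origins belong here
const ALLOWED_ORIGINS = ['https://your-site.example', 'https://admin.your-site.example'];

/**
 * Returns the headers for a private API response given the request's Origin
 * header (null when the request carried none).
 */
function privateApiHeaders(?string $origin): array
{
    $headers = [
        // private data must not be kept by shared caches or served to the next visitor
        'Cache-Control' => 'no-store, no-cache, must-revalidate, private',
        // the response differs by Origin, so caches must key on it
        'Vary'          => 'Origin',
    ];
    if ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) {
        // echo the exact match; "*" is never valid for a credentialed private API
        $headers['Access-Control-Allow-Origin']      = $origin;
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

function emit(array $headers): void
{
    foreach ($headers as $name => $value) {
        header("$name: $value");
    }
}

// real use: decide from the incoming request
emit(privateApiHeaders($_SERVER['HTTP_ORIGIN'] ?? null));

// demo: a listed origin gets the CORS headers, an unlisted one gets only cache headers
print_r(privateApiHeaders('https://your-site.example'));
print_r(privateApiHeaders('https://unlisted.example'));
```

The exact-string comparison matters: a prefix or substring match on the origin is the usual way an allow-list turns into a CORS misconfiguration.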

Slide 17

Other Security Threats

- Cross-Site Scripting (XSS)
- Using components with known vulnerabilities
- Insufficient logging and monitoring

Information obtained from OWASP

Slide 18

Contact

Lochemem Bruno Michael
[email protected]
https://githshowcase.com/ ace411
https://github.com/ace411