Slide 1

Slide 1 text

OWASP 201: Request-Based Security
Eric Mann

Slide 2

Slide 2 text

ASR 1 - Injection

Slide 3

Slide 3 text

The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Slide 4

Slide 4 text

xkcd: Exploits of a Mom - https://xkcd.com/327/

Slide 5

Slide 5 text

$db = new \PDO(...);
$name = $_POST['name'];
$sql = "SELECT * FROM users WHERE email='$name'";   // request data spliced into the SQL text
foreach($db->query($sql) as $user) {
    // ...
}

curl -X POST -d "name=[email protected]' OR 1=1;--" http://yoursite.com

Query actually executed (the quote closes the literal, OR 1=1 matches every row, -- comments out the rest):
SELECT * FROM users WHERE email='[email protected]' OR 1=1;--'

Slide 6

Slide 6 text

$db = new \PDO(...);
$name = $_POST['name'];
$sql = "SELECT * FROM users WHERE email=:email";
$statement = $db->prepare($sql);
$params = [':email' => $name];
$statement->execute($params);   // the value travels as a bound parameter, never as SQL text
foreach($statement as $user) {
    // ...
}

curl -X POST -d "name=[email protected]' OR 1=1;--" http://yoursite.com

Effective query (the whole bound value is compared as one literal string, so nothing matches):
SELECT * FROM users WHERE email='[email protected]\' OR 1=1;--'
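The two slides above side by side, as an added runnable example that is not part of the original deck: the same injected string is sent to the interpolated query and to the prepared statement against an in-memory SQLite database (requires the pdo_sqlite extension). The table, its rows and the attacker string are constructed for this demo.

```php
<?php
// Added example, not from the slides: slide 5's vulnerable query and
// slide 6's prepared statement run against the same constructed data.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (email) VALUES (:email)');
    // Constructed sample rows.
    foreach (['alice@example.com', 'bob@example.com', 'carol@example.com'] as $email) {
        $insert->execute([':email' => $email]);
    }
    return $db;
}

/** Vulnerable: the request value becomes part of the SQL text (slide 5). */
function find_users_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT * FROM users WHERE email='$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fixed: the value is bound as a parameter and never parsed as SQL (slide 6). */
function find_users_safe(PDO $db, string $name): array
{
    $statement = $db->prepare('SELECT * FROM users WHERE email = :email');
    $statement->execute([':email' => $name]);
    return $statement->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$payload = "nobody@example.com' OR 1=1;--";   // the slide's payload shape

// The interpolated query's WHERE clause is now  email='nobody@example.com' OR 1=1
// followed by a comment, so every row comes back.
printf("unsafe: %d rows\n", count(find_users_unsafe($db, $payload)));

// The prepared statement compares the entire payload as one e-mail address
// and finds nothing.
printf("safe:   %d rows\n", count(find_users_safe($db, $payload)));
```

The prepared statement also keeps `PDO::ATTR_EMULATE_PREPARES` at the driver default; for drivers that emulate prepares, PDO still quotes the bound value itself, so the application code is the same either way.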

Slide 7

Slide 7 text

function serve_file($filename) {
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=\"{$filename}\"");
    header("Content-Length: 11111");
    passthru("cat /home/uploads/" . $filename);   // $filename is spliced straight into a shell command line
    exit();
}

curl -G -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

Shell command actually run (the ; ends the first command and starts the attacker's):
cat /home/uploads/;cat /etc/letsencrypt/site.com/privkey.pem

Slide 8

Slide 8 text

function serve_file($filename) {
    // Sanitize the filename before it's used: basename() drops any directory part
    $sanitized = basename($filename);
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=\"{$sanitized}\"");
    header("Content-Length: 11111");   // placeholder on the slide; use filesize($path) in real code
    $path = "/home/uploads/{$sanitized}";
    // escapeshellarg() single-quotes the whole argument so shell metacharacters are inert
    passthru('cat ' . escapeshellarg($path));
    exit();
}

curl -G -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

Shell command actually run (basename() keeps only "privkey.pem", and the quoting makes it a single argument):
cat '/home/uploads/privkey.pem'
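A further step a practitioner would want beyond the slide's fix, as an added example that is not code from the deck: stop invoking a shell at all, serve the file with PHP's own I/O, and confirm with realpath() that the resolved path really lies below the upload directory (which also catches symlinks that basename() cannot see). The upload directory is a constructed temporary directory standing in for /home/uploads, and the file names tried are constructed; the slide 7 payload is included among them.

```php
<?php
// Added example, not from the slides: path containment plus shell-free file
// serving. A temp directory stands in for the slide's /home/uploads.
declare(strict_types=1);

/**
 * Resolve $filename inside $base_dir and refuse anything that escapes it.
 * basename() strips directory components; realpath() then proves the result
 * is really below $base_dir after symlink resolution.
 */
function resolve_upload(string $base_dir, string $filename): string
{
    $base = realpath($base_dir);
    if ($base === false) {
        throw new RuntimeException('upload directory missing');
    }
    $sanitized = basename($filename);
    if ($sanitized === '' || $sanitized === '.' || $sanitized === '..') {
        throw new InvalidArgumentException('empty or invalid file name');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $sanitized);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('file not found in upload directory');
    }
    return $path;
}

/** Stream the file with readfile(); no shell, so no metacharacter matters. */
function serve_file(string $base_dir, string $filename): void
{
    $path = resolve_upload($base_dir, $filename);
    header('Content-Type: application/octet-stream');
    // The download name is attacker-chosen text too, so escape it for the header.
    header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// --- demo against a constructed upload directory ---------------------------
$uploads = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir($uploads);
file_put_contents($uploads . '/report.pdf', 'pdf bytes');

$attempts = [
    'report.pdf',                                   // legitimate request
    ';cat /etc/letsencrypt/site.com/privkey.pem',   // slide 7 payload
    '../../../etc/passwd',                          // traversal attempt
    '',                                             // empty name
];
foreach ($attempts as $name) {
    try {
        printf("%-48s -> %s\n", var_export($name, true), resolve_upload($uploads, $name));
    } catch (Exception $e) {
        printf("%-48s -> rejected: %s\n", var_export($name, true), $e->getMessage());
    }
}

unlink($uploads . '/report.pdf');
rmdir($uploads);
```

Only the first name resolves; the slide 7 payload is reduced by basename() to "privkey.pem", which does not exist under the upload directory and is therefore refused before anything is read. Checking the prefix against realpath() output rather than against the string the caller supplied is the part that matters: it is the only check that survives a symlink planted inside the upload directory.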

Slide 9

Slide 9 text

ASR 2 - Broken Authentication

Slide 10

Slide 10 text

Application functions related to authentication and session management are often not implemented correctly...

Slide 11

Slide 11 text

Client-side Sessions

Don’t trust the user to store sensitive information
Don’t trust information provided by the user
Don’t store sensitive information with an untrusted party
Don’t use cookies to store sensitive data
(If you are using cookies, use secure cookies - but only store identifiers)

Slide 12

Slide 12 text

Password Management

Passwords should NEVER be stored in plaintext.
Passwords should NEVER be stored with encryption (whoever holds the key can recover every password).
Passwords should ONLY be stored using salted, deliberately slow one-way hashes (bcrypt, scrypt, Argon2).
Try to avoid passwords in the first place...
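The storage rule on this slide in working code, as an added example that is not from the deck: PHP's password_hash()/password_verify() pair applies a salted, slow one-way hash, and password_needs_rehash() lets the login path upgrade old hashes transparently. The passwords used are constructed for the demo.

```php
<?php
// Added example, not from the slides: one-way password storage with the
// password_* API. Only the hash string is ever persisted.
declare(strict_types=1);

/** Called at registration or password change; returns the string to store. */
function store_password(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt today and may move to a stronger algorithm in
    // a future PHP release; the hash string records which one was used.
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Called at login. Returns the (possibly upgraded) hash to persist when the
 * password is correct, or null when it is wrong.
 */
function check_password(string $password, string $stored_hash): ?string
{
    if (!password_verify($password, $stored_hash)) {
        return null;
    }
    // Transparently upgrade hashes made with an older algorithm or lower cost.
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
        return store_password($password);
    }
    return $stored_hash;
}

$hash = store_password('correct horse battery staple');
echo $hash, "\n";   // e.g. $2y$10$... : algorithm, cost, salt and digest, never the password

var_dump(check_password('correct horse battery staple', $hash) !== null);   // true
var_dump(check_password('Tr0ub4dor&3', $hash) !== null);                    // false

// Hashing the same password twice yields different strings because each call
// draws a fresh salt, so a leaked table cannot be attacked with one
// precomputed dictionary.
var_dump(store_password('same') === store_password('same'));                 // false
```

The cost parameter is the knob that keeps the hash slow as hardware improves; tune it so a single verification takes a noticeable fraction of a second on the servers that will run it, and let password_needs_rehash() roll the change out as users log in.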

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

(Full image slide. No text)

Slide 15

Slide 15 text

Problems with JWT

Leaking sensitive information (the payload is only base64url-encoded, not encrypted; anyone holding the token can read it)
The `none` algorithm is required by the spec (RFC 7519 makes HS256 and `none` the only two algorithms a conforming implementation must support)
Algorithm confusion - RSA vs HMAC (a verifier that lets the token's `alg` header choose the routine can be made to treat the RSA public key as an HMAC secret)
Weak algorithms are allowed

Slide 16

Slide 16 text

What you should do

Only store session data on the server
Ensure strong authentication protects user identities
Lock down insecure algorithms and primitives
Only use trusted third-party library implementations
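The "lock down insecure algorithms" advice applied to the JWT problems on the previous slide, as an added example that is not from the deck and not any library's code: the verifier pins the algorithm it expects before it ever reads the token's own `alg` header, which is what defeats both the `none` token and the RSA/HMAC confusion. Only HS256 is implemented here; the key and claims are constructed for the demo.

```php
<?php
// Added example, not from the slides: a minimal HS256 JWT verifier that never
// lets the token's "alg" header select the verification routine.
declare(strict_types=1);

function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string
{
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('invalid base64url');
    }
    return $decoded;
}

function jwt_sign_hs256(array $claims, string $key): string
{
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode($claims));
    $sig     = b64url_encode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

/**
 * The caller states the algorithm it expects. The token's "alg" header is
 * only ever compared against that value; it never picks the code path.
 */
function jwt_verify(string $token, string $key, string $expected_alg = 'HS256'): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== $expected_alg) {
        throw new RuntimeException('unexpected alg: ' . var_export($header['alg'] ?? null, true));
    }
    if ($expected_alg !== 'HS256') {
        throw new RuntimeException('unsupported algorithm');   // only HS256 is implemented here
    }
    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    if (!hash_equals($expected, b64url_decode($s))) {           // constant-time compare
        throw new RuntimeException('bad signature');
    }
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)) {
        throw new RuntimeException('malformed claims');
    }
    if (isset($claims['exp']) && $claims['exp'] < time()) {
        throw new RuntimeException('token expired');
    }
    return $claims;
}

$key  = random_bytes(32);
$good = jwt_sign_hs256(['sub' => 'alice', 'exp' => time() + 300], $key);

// Forgeries: an admin claim "signed" with alg none (empty signature), and the
// same claim signed with a guessed key.
$payload   = b64url_encode(json_encode(['sub' => 'alice', 'admin' => true]));
$none      = b64url_encode(json_encode(['alg' => 'none', 'typ' => 'JWT'])) . ".$payload.";
$wrong_key = jwt_sign_hs256(['sub' => 'alice', 'admin' => true], 'guessed');

foreach (['good' => $good, 'alg none' => $none, 'wrong key' => $wrong_key] as $label => $token) {
    try {
        printf("%-10s accepted: %s\n", $label, json_encode(jwt_verify($token, $key)));
    } catch (Exception $e) {
        printf("%-10s rejected: %s\n", $label, $e->getMessage());
    }
}
```

The `none` token is rejected at the header comparison, before any signature logic runs, and a token claiming RS256 would be rejected the same way rather than being handed to an HMAC routine with a public key. When you use a real library instead, the equivalent is to pass an explicit allowlist of algorithms to its verify call and to pair each algorithm with its own key.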

Slide 17

Slide 17 text

ASR 4 - XML External Entities

Slide 18

Slide 18 text

Untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser ...

Slide 19

Slide 19 text

]> Friend of &name; &name; &name; - 2019 ]> &info;

Slide 20

Slide 20 text

]> &bomb;

Slide 21

Slide 21 text

What you should do

$default = libxml_disable_entity_loader(true);   // returns the previous setting
$dom = new DOMDocument();
$dom->loadXML($xml);   // do not pass LIBXML_NOENT here: that flag substitutes entities
// Do things with XML
// Restore the previous value
libxml_disable_entity_loader($default);

Two caveats. libxml_disable_entity_loader() is deprecated as of PHP 8.0 because libxml 2.9 and later no longer load external entities by default; libxml_set_external_entity_loader() is the supported replacement. And the entity bomb on slide 20 uses internal entities, which no loader setting touches; libxml's own expansion limits stop it, so never pass LIBXML_PARSEHUGE on untrusted input.
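A loader for untrusted XML that covers both the external-entity payload of slide 19 and the entity bomb of slide 20, as an added example that is not from the deck: any document carrying a DTD is refused outright, since that is where both kinds of entity are declared, and the parser is additionally denied network and external-resource access. The three documents fed to it are constructed for this demo.

```php
<?php
// Added example, not from the slides: refuse DTDs in client-supplied XML
// instead of reasoning about which entity kinds the parser will expand.
declare(strict_types=1);

function load_untrusted_xml(string $xml): DOMDocument
{
    // A DTD has no business in data from a client. Reject before parsing.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new RuntimeException('DTD not allowed in untrusted XML');
    }

    // Belt and braces: deny any external resource fetch during the parse.
    libxml_set_external_entity_loader(static function () {
        return null;
    });
    libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access. LIBXML_NOENT is deliberately
        // absent so entity references are never substituted.
        if (!$dom->loadXML($xml, LIBXML_NONET) || $dom->doctype !== null) {
            throw new RuntimeException('XML rejected');
        }
        return $dom;
    } finally {
        libxml_set_external_entity_loader(null);   // restore the default loader
        libxml_clear_errors();
    }
}

// Constructed documents: one benign, one external entity, one entity bomb.
$benign = '<?xml version="1.0"?><order><item>book</item></order>';

$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE order [<!ENTITY leak SYSTEM "file:///etc/passwd">]>'
     . '<order><item>&leak;</item></order>';

$bomb = '<?xml version="1.0"?>'
      . '<!DOCTYPE lolz [<!ENTITY lol "lol">'
      . '<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
      . '<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
      . '<lolz>&lol3;</lolz>';

foreach (['benign' => $benign, 'xxe' => $xxe, 'bomb' => $bomb] as $label => $doc) {
    try {
        $dom = load_untrusted_xml($doc);
        printf("%-6s accepted: %s\n", $label, $dom->documentElement->textContent);
    } catch (Exception $e) {
        printf("%-6s rejected: %s\n", $label, $e->getMessage());
    }
}
```

The up-front string check is deliberately blunt: it also refuses a document whose CDATA happens to contain the text "<!DOCTYPE". For a data interchange endpoint that is the right trade, because a legitimate client has no reason to send a DTD at all.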

Slide 22

Slide 22 text

ASR 7 - Cross-Site Scripting (XSS)

Slide 23

Slide 23 text

An application takes untrusted data and sends it to a web browser without proper validation or escaping.

Slide 24

Slide 24 text

Search results for: "" No results for ''
Search results for: No results for ''

Slide 25

Slide 25 text

Search results for: "" No results for ''
Search results for: "" No results for ''
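The search page from the two slides above rendered with and without escaping, as an added example that is not from the deck. It goes one step beyond the slides by showing that the escaping depends on where the value lands: HTML text and attributes use htmlspecialchars(), while a value dropped into an inline script needs JavaScript string encoding instead. The template, the query string and the payload are constructed for this demo.

```php
<?php
// Added example, not from the slides: context-specific output encoding for
// the search term echoed by the XSS slides.
declare(strict_types=1);

/** Text between tags, or inside a double-quoted attribute. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** A value embedded in an inline <script> block. */
function e_js(string $s): string
{
    // Encode <, >, &, ' and " as \uXXXX so neither the JS string nor the
    // <script> element can be closed early.
    $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $json === false ? '""' : $json;
}

/** Vulnerable: the query lands in three contexts, unescaped in all of them. */
function render_unsafe(string $q): string
{
    return "<h1>Search results for: \"$q\"</h1>\n"
         . "<input name=\"q\" value=\"$q\">\n"
         . "<script>var lastQuery = '$q';</script>\n";
}

/** Fixed: each context gets the encoding it needs. */
function render_safe(string $q): string
{
    return '<h1>Search results for: "' . e($q) . "\"</h1>\n"
         . '<input name="q" value="' . e($q) . "\">\n"
         . '<script>var lastQuery = ' . e_js($q) . ";</script>\n";
}

// Constructed payload: closes the attribute and injects a script element.
$q = '"><script>alert(document.cookie)</script>';

echo "--- unsafe ---\n", render_unsafe($q);
echo "--- safe ---\n", render_safe($q);
```

In the unsafe output the payload closes the input tag and the browser runs the injected script; in the safe output the same bytes are inert text in all three places. Serve the page with an explicit charset in Content-Type as well, since htmlspecialchars() assumes UTF-8 and the browser must agree.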

Slide 26

Slide 26 text

ASR 8 - Insecure Deserialization

Slide 27

Slide 27 text

Languages’ native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data.

Slide 28

Slide 28 text

class CartCache {
    public $cache_file;
    public $data = [];
    public $cleanup = true;   // assumed default; the slide elides this member but __destruct() reads it
    // ...
    /**
     * Automatically purge the cache file from disk to clean up
     */
    public function __destruct() {
        $file = "/var/www/cache/tmp/carts/{$this->cache_file}";
        if ($this->cleanup && file_exists($file)) {
            @unlink($file);
        }
    }
}

$data = unserialize($_GET['data']);

https://yoursite.com/endpoint.php?data=O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}

Nothing in the request needs to call a method: when the unserialized object is garbage-collected, __destruct() runs with the attacker-chosen cache_file and deletes /var/www/cache/tmp/carts/../../../index.php, that is /var/www/index.php.

Slide 29

Slide 29 text

Do not pass untrusted user input to unserialize(), regardless of the value of the allowed_classes option: the parser itself, not only object instantiation, is attack surface.
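What to do instead when state has to round-trip through the client, as an added example that is not from the deck: carry it as JSON, which cannot name a PHP class, and authenticate it with an HMAC so the client cannot edit it either. The key and state are constructed for the demo, and the serialized CartCache gadget from slide 28 is among the inputs rejected.

```php
<?php
// Added example, not from the slides: authenticated JSON in place of
// unserialize() for client-held state. Requires PHP 7.3+ (JSON_THROW_ON_ERROR).
declare(strict_types=1);

function encode_state(array $state, string $key): string
{
    $body = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    $mac  = hash_hmac('sha256', $body, $key);
    return "$body.$mac";
}

function decode_state(string $token, string $key): array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('malformed state token');
    }
    [$body, $mac] = $parts;
    // Constant-time comparison, before the body is even looked at.
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        throw new RuntimeException('state token failed authentication');
    }
    $json = base64_decode($body, true);
    if ($json === false) {
        throw new RuntimeException('malformed state body');
    }
    // Decode to arrays only: no objects are created, so no magic method can run.
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

$key   = random_bytes(32);   // in practice a server-side secret, never sent to the client
$token = encode_state(['cart' => ['sku-1' => 2], 'currency' => 'USD'], $key);
var_dump(decode_state($token, $key)['cart']);

$forgeries = [
    // The slide's serialized CartCache gadget, submitted as-is.
    'php object' => 'O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}',
    // A well-formed token whose body was edited after it was signed.
    'tampered'   => base64_encode('{"cart":{"sku-1":999}}') . '.' . explode('.', $token)[1],
];
foreach ($forgeries as $label => $forged) {
    try {
        decode_state($forged, $key);
        echo "$label: accepted (should not happen)\n";
    } catch (Exception $e) {
        echo "$label: rejected: {$e->getMessage()}\n";
    }
}
```

Both forgeries fail the HMAC check and are discarded unparsed. If the state must also be hidden from the user, this is the point to switch to an authenticated encryption API (sodium_crypto_secretbox(), or the Encrypt-then-MAC pattern above with a separate encryption key), but for an opaque cart identifier the signed JSON is enough and matches the slide 11 advice to keep only identifiers client-side.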

Slide 30

Slide 30 text

Questions?

Slide 31

Slide 31 text

Thank you [email protected] | 503.925.6266