Web Application Security
Nashville PHP User Group, 12 February 2013
Jason Orendorff
Tuesday, February 12, 13

1 How I think about security
2 Top four

What is security?

A system is secure if attackers can’t exploit it to make bad stuff happen.

features security

A system is secure if attackers can’t exploit it to make bad stuff happen.

(exercise)

Security risks
• denial of service
• loss of control of servers
• data loss
• theft of goods or services by attackers
• attackers obtaining secret information (personal user info, passwords, credit card numbers, etc.)
• attackers impersonating users

Business risks
• immediate financial loss (fraud, theft, lost productivity)
• unhappy customers
• damage to reputation
• contractual trouble (service-level agreements)
• regulatory trouble (privacy & auditing requirements)

Photo by Pliketi Plok: flickr.com/photos/colinica

• Do you have a list of all the servers you’re running?
• Do you know what third-party software is running on them?
• If that software had a critical update, would you know?
• Do you have a plan for updating that software?
• Would the answer still be yes even if a key employee quit tomorrow?

The web is not secure by default.

Top four

Slide 43

Slide 43 text

4 Tuesday, February 12, 13

Slide 44

Slide 44 text

4 Insecure direct object references Tuesday, February 12, 13

Slide 45

Slide 45 text

4 Direct object reference attacks – illustrated Tuesday, February 12, 13

Slide 46

Slide 46 text

4 Direct object reference attacks – illustrated front page Tuesday, February 12, 13

Slide 47

Slide 47 text

4 Direct object reference attacks – mitigated Who are you? (authentication) Tuesday, February 12, 13

Slide 48

Slide 48 text

4 Direct object reference attacks – mitigated Are you allowed here? (authorization) Tuesday, February 12, 13
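The two questions the mitigated slides ask, as an added example that is not from the talk. It assumes a PDO connection, a session that the login step has already started, and a hypothetical documents table with an owner_id column.

```php
<?php
// Added example (not from the talk). Assumes session_start() already ran at
// login and that "documents" has id, owner_id and body columns (hypothetical).
declare(strict_types=1);

function currentUserId(): ?int {
    // Who are you? (authentication): the login step put this in the session.
    return isset($_SESSION['user_id']) ? (int)$_SESSION['user_id'] : null;
}

function loadDocumentForUser(PDO $db, int $docId, int $userId): ?array {
    // Are you allowed here? (authorization): the owner check is part of the
    // query, so an id typed into the URL is only served if it belongs to the
    // logged-in user.
    $stmt = $db->prepare(
        'SELECT id, owner_id, body FROM documents WHERE id = ? AND owner_id = ?'
    );
    $stmt->execute([$docId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Handler for a URL such as /document.php?id=42 (constructed example).
function serveDocument(PDO $db): void {
    $userId = currentUserId();
    if ($userId === null) {
        http_response_code(401);   // not authenticated
        exit('Please log in.');
    }
    $docId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($docId === false || $docId === null) {
        http_response_code(400);   // id missing or not an integer
        exit('Bad document id.');
    }
    $doc = loadDocumentForUser($db, $docId, $userId);
    if ($doc === null) {
        // Same response whether the document does not exist or belongs to
        // someone else, so the id space cannot be mapped by probing.
        http_response_code(404);
        exit('Not found.');
    }
    echo htmlspecialchars($doc['body'], ENT_QUOTES, 'UTF-8');
}
```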

3 Broken authentication & session management

Broken authentication – examples
• Passwords sent in the clear
• Passwords stored in the clear
• Session IDs exposed

Broken authentication – mitigated
...or don’t have passwords
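What the three examples on the slide look like when mitigated and you do keep passwords, as an added example that is not from the talk. It assumes PHP 7.3 or later, a PDO connection, and a hypothetical users table with a password_hash column.

```php
<?php
// Added example (not from the talk). Assumes PHP 7.3+ for the array form of
// session_set_cookie_params() and a hypothetical users(id, username,
// password_hash) table reachable through $db.
declare(strict_types=1);

// Passwords sent in the clear: serve login over HTTPS only, and make sure the
// session cookie never travels over plain HTTP or leaks to page scripts.
function startSecureSession(): void {
    session_set_cookie_params([
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Passwords stored in the clear: store only a salted, deliberately slow hash.
function registerUser(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Session IDs exposed: a successful login gets a brand-new session id, so an
// id that was observed before authentication is worthless afterwards.
function loginUser(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown users so the response time
    // does not reveal which usernames exist.
    $hash = $row === false ? password_hash('dummy', PASSWORD_DEFAULT) : $row['password_hash'];
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int)$row['id'];
    return true;
}
```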

Slide 57

Slide 57 text

2 Tuesday, February 12, 13

Slide 58

Slide 58 text

2 Cross-site scripting Tuesday, February 12, 13

Slide 59

Slide 59 text

2 Cross-site scripting – illustrated Web server Database User’s browser Attacker Tuesday, February 12, 13

Slide 60

Slide 60 text

2 Cross-site scripting – illustrated Web server Database User’s browser Attacker Tuesday, February 12, 13

Slide 61

Slide 61 text

2 Cross-site scripting – illustrated Web server Database User’s browser Attacker Tuesday, February 12, 13

Slide 62

Slide 62 text

2 Cross-site scripting – illustrated Web server Database User’s browser Attacker Tuesday, February 12, 13

Slide 63

Slide 63 text

2 Cross-site scripting – illustrated Web server Database User’s browser Attacker Tuesday, February 12, 13

Slide 64

Slide 64 text

2 Cross-site scripting – illustrated Web server Database User’s browser Attacker Tuesday, February 12, 13

Slide 65

Slide 65 text

2 Cross-site scripting – illustrated Web server Database User’s browser Attacker Other server Tuesday, February 12, 13

Slide 66

Slide 66 text

2 Cross-site scripting – mitigated badly = preg_replace("/ Tuesday, February 12, 13

Slide 67

Slide 67 text

2 Cross-site scripting – mitigated badly = preg_replace("/<\s*script/", "", $comment) ?> Tuesday, February 12, 13

Slide 68

Slide 68 text

2 Cross-site scripting – mitigated badly = preg_replace("/<\s*script/i", "", $comment) ?> Tuesday, February 12, 13

Slide 69

Slide 69 text

2 Cross-site scripting – mitigated badly Tuesday, February 12, 13

Slide 70

Slide 70 text

2 Cross-site scripting – mitigated badly Tuesday, February 12, 13

Slide 71

Slide 71 text

2 Cross-site scripting – mitigated Tuesday, February 12, 13

Slide 72

Slide 72 text

2 Cross-site scripting – mitigated • Use Twig. Tuesday, February 12, 13

Slide 73

Slide 73 text

2 Cross-site scripting – mitigated • Use Twig. • Use Markdown. Tuesday, February 12, 13
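The slide's regex beside the output-encoding approach behind "Use Twig", as an added example that is not from the talk. It assumes Twig is installed with Composer; the template and the comment text are constructed.

```php
<?php
// Added example (not from the talk). Assumes Twig via Composer autoload; the
// template name and the sample comment are constructed for the demo.
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed user comment of the kind the "illustrated" slides show being
// stored in the database and later sent to other users' browsers.
$comment = "Nice post! <script>alert('xss')</script>";

// Cross-site scripting – mitigated badly: a blacklist. It deletes one spelling
// of one tag and passes everything else through unchanged, so whatever markup
// remains is still parsed as markup by the browser.
function stripScriptTag(string $comment): string {
    return preg_replace('/<\s*script/i', '', $comment);
}

// Mitigated: encode on output. Every character HTML could interpret becomes an
// entity, so the comment is displayed verbatim and never parsed as markup.
function escapeForHtml(string $comment): string {
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Twig applies the same encoding to every {{ }} substitution while autoescape
// is on (its default), so a template author cannot forget to call the escaper.
$twig = new Environment(new ArrayLoader([
    'comment.html' => '<p class="comment">{{ comment }}</p>',
]), ['autoescape' => 'html']);

echo stripScriptTag($comment), "\n";   // markup survives the blacklist
echo escapeForHtml($comment), "\n";    // entities only
echo $twig->render('comment.html', ['comment' => $comment]), "\n";
```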

1 Injection

Injection attacks – illustrated
    $sql = "SELECT id FROM users WHERE "
         . "username = '" . $username . "' "
         . "AND password = '" . $password . "'";

    SELECT id FROM users WHERE username = 'jason' AND password = 'Laurel'

    SELECT id FROM users WHERE username = 'ben'--' AND password = 'whatever'

Injection attacks – mitigated
• Use ORM
• Use positional parameters
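The slide's concatenated query beside the "positional parameters" fix, as an added example that is not from the talk, run against a constructed in-memory SQLite table so both shapes can be compared on the same input. It assumes PDO with the pdo_sqlite driver.

```php
<?php
// Added example (not from the talk). Needs PDO with pdo_sqlite; the users
// table and its rows are constructed for the demo.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Plaintext passwords only so the slide's query shape can be reproduced;
    // a real table stores password_hash() output (item 3 of the talk).
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'jason', 'Laurel'), (2, 'ben', 'hunter2')");
    return $db;
}

// Injection attacks – illustrated: the query text itself is built from the
// input, so a quote inside $username rewrites the WHERE clause.
function loginVulnerable(PDO $db, string $username, string $password): ?int {
    $sql = "SELECT id FROM users WHERE "
         . "username = '" . $username . "' "
         . "AND password = '" . $password . "'";
    $id = $db->query($sql)->fetchColumn();
    return $id === false ? null : (int)$id;
}

// Injection attacks – mitigated: positional parameters. The SQL is fixed at
// prepare() time; the values travel separately and can only ever be data.
function loginSafe(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int)$id;
}

$db = makeDb();
var_dump(loginVulnerable($db, 'jason', 'Laurel'));    // legitimate login
var_dump(loginVulnerable($db, "ben'--", 'whatever')); // password clause commented out
var_dump(loginSafe($db, 'jason', 'Laurel'));          // legitimate login
var_dump(loginSafe($db, "ben'--", 'whatever'));       // no user is literally named ben'--
```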

1 Injection                           Use third-party ORM
2 Cross-site scripting                Use third-party templates/formatting
3 Broken authentication               Use third-party authentication
4 Insecure direct object references   Use third-party authorization

5 Bonus round! Cross-site request forgery

5 Cross-site request forgery (CSRF)   Use third-party form validation

Please, make a plan to keep your servers patched. Thanks.