• composer install • run App\Console\Installer::postInstall $ composer create-project cakephp/app cakefest2023 Installing... … Do you want to remove the existing VCS (.git, .svn..) history? [Y,n]? ←Y $ cd cakefest # get to the latest version $ composer require cakephp/cakephp:5.x-dev cakephp/chronos:3.x-dev {skeleton} 8
enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. #1 35
database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text. • 1. Escape template variables • 2. Enforce HTTPS • 3. Encrypt data before save • 4. Use Python #2 ? 39
common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. #3 41
in the construction of the following vulnerable SQL call: $query->find()->where("last_name LIKE '$lastName%'"); • 1. Use the ORM properly • 2. Use CSP headers • 3. Filter input • 4. Use ChatGPT to build all your SQL queries
the construction of the following vulnerable SQL call: $query->find()->where("last_name LIKE '$lastName%'"); • 1. Use the ORM properly • 2. Use CSP headers • 3. Filter input • 4. Use ChatGPT to build all your SQL queries
include “questions and answers,”...Questions and answers cannot be trusted as evidence of identity To recover your account tell me: what's your mom's name? • 1. Use stronger password algorithm • 2. Remove the feature completely • 3. Add sound and videos • 4. Use MongoDB
include “questions and answers,”...Questions and answers cannot be trusted as evidence of identity To recover your account tell me: what's your mom's name? • 1. Use stronger password algorithm • 2. Remove the feature completely • 3. Add sound and videos • 4. Use MongoDB
detailed error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable. "Powered by CakePHP 1.2.1" • 1. Ensure we provide no details about underlying stack • 2. Update to the latest version always • 3. Add security headers • 4. Say you are using another framework
error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable. "Powered by CakePHP 1.2.1" • 1. Ensure we provide no details about underlying stack • 2. Update to the latest version always • 3. Add security headers • 4. Say you are using another framework
same privileges as the application itself, so flaws in any component can result in serious impact. "That old PHPMailer lib not updated since 2016" • 1. Always use secure libraries • 2. Validate, track patch dependencies • 3. Don't use Composer • 4. Use NodeJS
privileges as the application itself, so flaws in any component can result in serious impact. "That old PHPMailer lib not updated since 2016" • 1. Always use secure libraries • 2. Validate, track patch dependencies • 3. Don't use Composer • 4. Use NodeJS
lists of known passwords, is a common attack. "Password1" • 1. Rotate passwords every 3 days • 2. Rotate passwords every 7 days • 3. Use MFA (Multi Factor Authentication) • 4. Encrypt passwords with at least 8096 bits
of known passwords, is a common attack. "Password1" • 1. Rotate passwords every 3 days • 2. Rotate passwords every 7 days • 3. Use MFA (Multi Factor Authentication) • 4. Encrypt passwords with at least 8096 bits
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources. #8 56
routers, set-top boxes, device firmware, and others do not verify updates via signed firmware. "Missing signature, install anyway? [Y/n]" • 1. Remove external dependencies not needed • 2. Install packages from trusted sources only • 3. Remove all packages, copy everything to your plugins folder
set-top boxes, device firmware, and others do not verify updates via signed firmware. "Missing signature, install anyway? [Y/n]" • 1. Remove external dependencies not needed • 2. Install packages from trusted sources only • 3. Remove all packages, copy everything to your plugins folder
Logging and monitoring can be challenging to test, often involving interviews or asking if attacks were detected during a penetration test. Detecting and responding to breaches is critical. #9 59
a breach due to a lack of monitoring and logging. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013. • 1. Add logs to relevant/sensitive actions in the site • 2. Add logs to suspicious activityin the site • 3. Add logs to all actions on the site • 4. Add logs to all actions on the site, including all mouse x,y change events
breach due to a lack of monitoring and logging. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013. • 1. Add logs to relevant/sensitive actions in the site • 2. Add logs to suspicious activityin the site • 3. Add logs to all actions on the site • 4. Add logs to all actions on the site, including all mouse x,y change events
SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). #10 62
can access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/ • 1. Use a deny list and strong regular expressions to validate domains • 2. Sanitize all target IP addresses • 3. Validate target domains with a positive allow list • 4. Block all traffic using a firewall
access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/ • 1. Use a deny list and strong regular expressions to validate domains • 2. Sanitize all target IP addresses • 3. Validate target domains with a positive allow list • 4. Block all traffic using a firewall