OWASP Top 10 2013

AVOIDING THE OWASP
Top 10 security exploits
Saturday, 5 October, 13

ME
Illustrator turned developer
PHP developer for 8 years
Architect/Developer at FreshBooks
Lead developer of CakePHP

SECURITY

SECURITY CONTINUUM
( )unusable unrestricted

OWASP
Open Web Application Security Project

OWASP TOP 10

INJECTION
‘ OR 1=1 ‘--
1Saturday, 5 October, 13

RISKS
Command - Permits arbitrary shell commands.
SQL - Permits query manipulation, and arbitrary SQL.
Bad guys can run arbitrary code/queries.

$username = $_POST[‘username’];
$password = $_POST[‘password’];
$query = “SELECT * FROM user
WHERE username = ‘$username’
AND password = ‘$password’”;
$user = $db->query($query);
SQL INJECTION EXAMPLE

$username = “root”;
$password = “‘ OR 1 = 1 --”;
USER INPUT

FINAL QUERY
WHERE username = ‘root’
AND password = ‘‘ OR 1 = 1 --”;

PREVENTION
Use an ORM or Database abstraction layer that
provides escaping. Doctrine, ZendTable, and
CakePHP all do this.
Use PDO and prepared statements.
Never interpolate user data into a query.
Never use regular expressions, magic quotes, or
addslashes()

EXAMPLE (PDO)
WHERE username = ?
AND password = ?”;
$stmt = $db->prepare($query);
$stmt->bindValue($username);
$stmt->bindValue($password);
$result = $db->execute();

COMMAND INJECTION
$file = $_POST[‘file’];
$res = file_get_contents($file);
echo $res;

$f = “../../../../../../etc/passwd”;
USER INPUT

PREVENTION
Escape and validate input.
Check for ..
Check for ;
Ensure the realpath resolves to a ﬁle that is allowed.

2BROKEN AUTHENTICATION
& SESSION MANAGEMENT
/index.php?PHPSESSID=pwned

RISKS
Identity theft.
Firesheep was an excellent example.

SESSION FIXATION EXAMPLE
<?php
session_start();
if (isset($_GET[‘sessionid’]) {
session_id($_GET[‘sessionid’]);
}

PREVENTION
Rotate session identiﬁers upon login/logout
Set the HttpOnly ﬂag on session cookies.
Use well tested / mature libraries for authentication.
SSL is always a good idea.

3XSS
<script>alert(‘cross site scripting’);</script>

RISKS
Allows bad guys to do things as the person viewing a
page.
Steal identities, passwords, credit cards, hijack pages
and more.

XSS EXAMPLE
<p>
<?php echo $user[‘bio’]; ?>
</p>

I know, I can use regular expressions!

PREVENTION
Regular expressions and strip_tags leave you
vulnerable.
The only robust solution is output encoding.

EXAMPLE
<p>
<?php echo htmlentities(
$user[‘bio’],
ENT_QUOTES,
‘UTF-8’
); ?>
</p>

DANGERS
Manually encoding is error prone, and you will make
a mistake.
Using a template library like Twig that provides auto-
escaping reduces the chances of screwing up.
Encoding is dependent on context.

4INSECURE DIRECT OBJECT
REFERENCE

RISKS
Bad guys can access information they shouldn’t
Bad guys can modify data they shouldn’t.

BROKEN PASSWORD UPDATE
<form action=”/user/update” method=”post”>
<input type=”hidden” name=”userid” value=”4654” />
<input type=”text” name=”new_password” />
<button type=”submit”>Save</button>
</form>

PREVENTION
Remember hidden inputs are not really hidden, and
can be changed by users.
Validate access to all things, don’t depend on things
being hidden/invisible.
If you need to refer to the current user, use session
data not form inputs.
Whitelist properties any form can update.

5SECURITY
MISCONFIGURATION

RISKS
Default settings can be insecure, and intended for
development not production.
Attackers can use misconﬁgured software to gain
knowledge and access.

PREVENTION
Know the tools you use, and conﬁgure them
correctly.
Keep up to date on vulnerabilities in the tools you
use.
Remove/disable any services/features you aren’t using.

6SENSITIVE DATA EXPOSURE
4012 8888 8888 1881

RISKS
Bad guys get credit cards, personal identiﬁcation,
passwords or health records.
Your company could be ﬁned or worse.

ASSESSING RISK
Do you have sensitive data?
Is it in plaintext?
Any old/bad crypto in use?
Missing SSL?
Who can access sensitive data?

7MISSING FUNCTION LEVEL
ACCESS CONTROL

RISKS
Anyone on the internet can request things.
Missing access control could mean bad guys can do
things they shouldn’t be able to.

PREVENTION
No simple solutions sadly.
Good automated tests help.

8CROSS SITE REQUEST
FORGERY
(CSRF)

RISKS
Evil websites can perform actions for users logged
into your site.
Side effects on GET can be performed via images or
CSS ﬁles.
Remember the Gmail contact hack.

CSRF EXAMPLE
Your app
Evil site

CSRF EXAMPLE
Your app
Evil site
Login

CSRF EXAMPLE
Your app
Evil site
Login
Accidentally visit

CSRF EXAMPLE
Your app
Evil site
Login
Accidentally visit
Submit form for evil

PREVENTION
Add opaque expiring tokens to all forms.
Requests missing tokens or containing invalid tokens
should be rejected.

SAMPLE CSRFVALIDATION
<?php
if (!$this->validCsrfToken($data, ‘csrf’)) {
throw new ForbiddenException();
}

9USING COMPONENTS WITH
KNOWNVULNERABILITIES
CVE bingo

RISK
Using old busted software can expose you to
documented issues.
CVE databases are ﬁlled with version numbers and
matching exploits.

PREVENTION
Do routine upgrades. Keep up to date with all your
software.
Read mailing lists and keep an eye out for security
releases.

PREVENTION
Several vulnerability databases around.
https://cve.mitre.org/cve/

10UNVALIDATED REDIRECTS &
FORWARDS

RISKS
Trusting user input for redirects opens phishing
attacks.
Breach of trust with your users.

PREVENTION
Don’t trust user data when handling redirects.

THANKYOU

OWASP Top 10 2013

Related slideshows

More Related Content

OWASP Top 10 2013