OWASP Top 10 2013
- 8. RISKS
Command - Permits arbitrary shell commands.
SQL - Permits query manipulation and arbitrary SQL.
Bad guys can run arbitrary code/queries.
Saturday, 5 October, 13
- 9. SQL INJECTION EXAMPLE
$username = $_POST['username'];
$password = $_POST['password'];
// user input is interpolated straight into the SQL text: this is the injection point
$query = "SELECT * FROM user
WHERE username = '$username'
AND password = '$password'";
$user = $db->query($query);
- 11. FINAL QUERY
// with password submitted as: ' OR 1 = 1 --
$query = "SELECT * FROM user
WHERE username = 'root'
AND password = '' OR 1 = 1 --'";
- 13. PREVENTION
Use an ORM or Database abstraction layer that
provides escaping. Doctrine, ZendTable, and
CakePHP all do this.
Use PDO and prepared statements.
Never interpolate user data into a query.
Never use regular expressions, magic quotes, or addslashes().
- 14. EXAMPLE (PDO)
// placeholders keep user input out of the SQL text; the driver sends values separately
$query = "SELECT * FROM user
WHERE username = ?
AND password = ?";
$stmt = $db->prepare($query);
$stmt->bindValue(1, $username); // positional placeholders are 1-indexed
$stmt->bindValue(2, $password);
$stmt->execute();               // execute() belongs to the statement, not the connection
$result = $stmt->fetch();
- 22. PREVENTION
Rotate session identifiers upon login/logout
Set the HttpOnly flag on session cookies.
Use well-tested, mature libraries for authentication.
SSL is always a good idea.
- 24. RISKS
Allows bad guys to do things as the person viewing a
page.
Steal identities, passwords, credit cards, hijack pages
and more.
- 27. I know, I can use regular expressions!
- 31. DANGERS
Manually encoding is error prone, and you will make a mistake.
Using a template library like Twig that provides auto-escaping reduces the chances of screwing up.
Encoding is dependent on context.
- 33. RISKS
Bad guys can access information they shouldn't.
Bad guys can modify data they shouldn’t.
- 34. BROKEN PASSWORD UPDATE
<form action="/user/update" method="post">
<input type="hidden" name="userid" value="4654" />
<input type="text" name="new_password" />
<button type="submit">Save</button>
</form>
- 35. PREVENTION
Remember hidden inputs are not really hidden, and
can be changed by users.
Validate access to all things, don’t depend on things
being hidden/invisible.
If you need to refer to the current user, use session
data not form inputs.
Whitelist properties any form can update.
- 37. RISKS
Default settings can be insecure, and intended for
development not production.
Attackers can use misconfigured software to gain
knowledge and access.
- 38. PREVENTION
Know the tools you use, and configure them
correctly.
Keep up to date on vulnerabilities in the tools you
use.
Remove/disable any services/features you aren’t using.
- 40. RISKS
Bad guys get credit cards, personal identification,
passwords or health records.
Your company could be fined or worse.
- 41. ASSESSING RISK
Do you have sensitive data?
Is it in plaintext?
Any old/bad crypto in use?
Missing SSL?
Who can access sensitive data?
- 43. RISKS
Anyone on the internet can request things.
Missing access control could mean bad guys can do
things they shouldn’t be able to.
- 46. RISKS
Evil websites can perform actions for users logged
into your site.
Side effects on GET can be performed via images or
CSS files.
Remember the Gmail contact hack.
- 51. PREVENTION
Add opaque expiring tokens to all forms.
Requests missing tokens or containing invalid tokens
should be rejected.
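As an added example (not from the slides), one way to implement the opaque expiring token described above in plain PHP; it assumes PHP 7.1 or later (random_bytes, hash_equals, nullable types), an active session, a 15-minute token lifetime, and reuses the /user/update form from slide 34:

```php
<?php
// Added example, not from the slides: opaque, expiring, single-use CSRF tokens
// kept in the session. Assumes PHP 7.1+ (random_bytes, hash_equals, ?string).
session_start();
const CSRF_TTL = 900; // assumed lifetime: 15 minutes

// Issue a token that carries no user data (opaque) and record when it was made.
function csrf_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token']  = $token;
    $_SESSION['csrf_issued'] = time();
    return $token;
}

// Reject a request whose token is missing, unknown, expired or reused.
function csrf_check(?string $submitted): bool
{
    $stored = $_SESSION['csrf_token'] ?? null;
    $issued = $_SESSION['csrf_issued'] ?? 0;
    // Consume the token before comparing so it is single-use either way.
    unset($_SESSION['csrf_token'], $_SESSION['csrf_issued']);

    if ($submitted === null || $stored === null) {
        return false;                        // missing token
    }
    if (time() - $issued > CSRF_TTL) {
        return false;                        // expired token
    }
    return hash_equals($stored, $submitted); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
    // ... perform the state-changing action (the password update) here ...
}

// Render the form with a fresh token in a hidden input.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form action="/user/update" method="post">';
echo '<input type="hidden" name="csrf_token" value="' . $token . '" />';
echo '<input type="text" name="new_password" />';
echo '<button type="submit">Save</button>';
echo '</form>';
```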
- 54. RISK
Using old busted software can expose you to
documented issues.
CVE databases are filled with version numbers and
matching exploits.
- 55. PREVENTION
Do routine upgrades. Keep up to date with all your
software.
Read mailing lists and keep an eye out for security
releases.