OWASP Top 10 at International PHP Conference 2014 in Berlin
•
1 like•2,040 views
With the latest XSS and CSRF attacks on Twitter, PayPal and Facebook, security is still obviously a very difficult thing to get right. Every 3 years, the open web application security project (OWASP) releases a new Top 10 vulnerabilities, this talk will walk you through 2013s list. I'll present you the possible attack scenarios and how you can protect against them. In addition we'll look at more security issues which are not part of the Top 10, but that you should definitely keep in mind.
Report
Share
OWASP Top 10 at International PHP Conference 2014 in Berlin
- 1. Tobias Zander | @airbone42 OWASP Top 10
- 3. Current state of security
- 4. Open Web Application Security Project
- 5. The Top 10 Most Critical Web Application Security Risks Not just Vulnerabilities
- 8. Don‘t try this at home! http://funfive.net/drop-database-license-plate/2670.html
- 9. Prepared Statements $stmt = $mysqli->prepare( 'UPDATE users SET email = ? WHERE id = 123'‚ ); $stmt->bind_param( 's', $email );
- 10. DBA $q = Doctrine_Query::create() ->update('Account') ->set('email', 'foo@bar.de') ->where( 'username LIKE ?', $username ); $username = 'A%';
- 11. Time-based SELECT IF( SUBSTRING( user_password, 1, 1 ) = CHAR(65), BENCHMARK( 5000000, ENCODE(‘foo', ‘bar') ), null ) FROM users WHERE user_id = 1;
- 12. Injection • Use prepared statements • Or stored procedures • Check for wildcards www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
- 14. Online-Banking Newsletter Sollte Ihr Kennwort Sonderzeichen enthalten, bitten wir Sie, Ihr Kennwort zu ändern. Durch die technische Umstellung auf das neue Online-Banking werden nur noch Kennwörter zugelassen, die bestimmte Sonderzeichen erlauben. Die zugelassenen Sonderzeichen im Kennwort lauten: # ? * + - .
- 15. Broken Authentication • Don‘t limit password strength • Force long and complex passwords • Check error messages • Prevent brute-force-attacks www.owasp.org/index.php/Authentication_Cheat_Sheet
- 16. Session Hijacking Session ID: abcde Mr. Evil
- 17. Session Fixation Mr. Evil Link Predefined Session ID
- 18. Broken Session Management session.use_trand_sid = Off session.use_only_cookies = On session.cookie_secure = On session.cookie_httponly = On session.hash_function = sha512
- 19. Broken Session Management • Don‘t expose session ids • Probably bind sessions to IP • Reduce Session-Lifetime • Regenerate Session-Ids www.owasp.org/index.php/Session_Management_Cheat_Sheet
- 22. XSS $value = '</script>'; echo json_encode( $value );
- 24. XSS • Escape output by context – htmlspecialchars – json_encode – … • Content-Security-Policy • X-XSS-Protection • Template engine
- 25. Insecure Object Reference <select> <option value="2"> moderator </option> <option value="3"> editor </option> </select>
- 26. Insecure Object Reference <select> <option value="random-ref-x"> moderator </option> <option value="random-ref-y"> editor </option> </select>
- 27. Insecure Object Reference • Validate user input • Use indirect object references • Check access permissions
- 28. Security Misconfiguration <Directory "/var/www"> AllowOverride All </Directory> memory_limit = 1024M allow_url_fopen = On allow_url_include = On ;open_basedir =
- 29. Security Misconfiguration <Directory "/var/www"> AllowOverride None Options -Indexes </Directory> memory_limit = 128M log_errors = On allow_url_fopen = Off allow_url_include = Off open_basedir = /var/www/app
- 30. Security Misconfiguration • Keep your system up-to-date • Remove setup/deployment routines • Disable exposure of sensitive data • Review server settings • github.com/ioerror/duraconf
- 32. PHP 5.5 password_hash($password); if (password_verify($password, $hash)) { // Success! } else { // Failed :( }
- 33. SSDE - Password encryption • Add a salt • Use different salts • Use a strong algorithm (NOT md5) • Use password_hash in PHP 5.5 • github.com/ircmaxell/password_compat
- 34. SSDE - PHP Exposure expose_php Off Remove phpinfo();
- 35. SSDE - Secure URLs • Use TLS for all pages • Use Secure Cookie Flag • Keep sensitive data out of the URL
- 36. class AdminController { public function editAction() { $this->model ->save($this->formData); } }
- 37. Missing Function Level AC class AdminController { public function editAction() { if (!$this->_isAllowed()) { throw new Exception( 'insufficient privileges' ); } …
- 38. Missing Function Level AC • Standard should disallow all access • Use roles to keep ACL simple • ACL model should be very flexible • Check privileges on each step
- 39. class BankaccountController { public function transferAction() { if ($this->_isAllowed()) { $this->transfer( $amount, $account ); } } }
- 40. Cross Site Request Forgery Login / create session Visitwebsite Requestapp… … through victim‘s browser evil.com sensitive.com
- 41. CSRF class BankaccountController { public function transferAction() { $this->validateToken(); if ($this->_isAllowed()) { $this->transfer( $amount, $account ); } }
- 44. CSRF • Use One-Time-Token and secure it • Authenticate user –Credentials –Captcha www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet
- 47. Known Vulnerabilities • Review third party libraries • Keep libraries up-to-date - http://www.versioneye.com/ • Check: – mailing lists – boards – news- and vendor-sites
- 49. Redirects and Forwards $allowedDomains = array('good.com', 'better.com'); if (!in_array( $url, $allowedDomains )) { throw new Exception('invalid redirect'); } $this->_redirectUrl($url);
- 52. DoS
- 59. Clickjacking
- 60. Buffer Overflows
- 63. • OWASP Top 10 • CWE/SANS Top 25 • PCI DSS • Zed Attack Proxy • Metasploit • WireShark • BeEF http://amzn.to/1vKNLqM
- 65. Tobias Zander | @airbone42 Questions?
- 66. Tobias Zander | @airbone42 Thanks!