Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security.

About the speaker: Ryan Dewhurst
- BSc Ethical Hacking for Computer Security
- Security, RandomStorm
- Hobbyist Security Researcher: ethicalhack3r.co.uk
- Contributes to open source security related tools: DevBug

Aims of this talk
- Briefly show how you can test your own apps.
- Introduction to the OWASP Top 10.

Why bother with security?
- Secure code is better quality code.
- Your or your employer's reputation.
- Compliance (PCI, DPA, HIPAA).
- The right thing to do: users trust you with their data.

Open Web Application Security Project (OWASP)
"The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software."
- Top 10 Risks
- Testing Guide
- Code Review Guide
- Wiki
- Security Cheat Sheets
- Open Source Tools (ZAP, WebGoat, ...)
- Local Chapter Meetings (one in Newcastle soon!)
- A lot more!

OWASP Top 10 Risks 2010
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards

A1: Injection
SQL, XPath, LDAP, OS Commands...
Vulnerable code:
mysql_query('SELECT pass FROM users WHERE userid =' . $_GET['id']);
With ?id=1 OR 1=1 -- the query sent to the database becomes:
SELECT pass FROM users WHERE userid = 1 OR 1=1 --
Prevention: Proper use of prepared statements and stored procedures.
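The slide's concatenated query beside a prepared-statement version, as an added example that is not part of the talk. It runs against an in-memory SQLite database through PDO so it works offline; a MySQL DSN behaves the same way, and PDO (or mysqli) is the replacement for the mysql_query() extension on the slide, which no longer exists in PHP 7.

```php
<?php
// Added example, not from the slides. In-memory SQLite stands in for MySQL
// so the script runs offline; the table and its rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, pass TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'hash-of-alice'), (2, 'hash-of-bob')");

// Vulnerable: the slide's pattern. The id becomes part of the SQL text.
function getPassVulnerable(PDO $db, string $id): array
{
    $sql = 'SELECT pass FROM users WHERE userid = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the id travels as a bound parameter and is never parsed as SQL.
function getPassSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT pass FROM users WHERE userid = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = '1 OR 1=1 --';   // what ?id=1 OR 1=1 -- from the slide arrives as

// "--" comments out the rest, so the WHERE clause is "userid = 1 OR 1=1":
// both rows come back, i.e. every stored password hash.
print_r(getPassVulnerable($db, $payload));

// (int) '1 OR 1=1 --' is 1, so only user 1's row is returned.
print_r(getPassSafe($db, $payload));
```

With the MySQL driver also set PDO::ATTR_EMULATE_PREPARES to false so that the server, not the client library, binds the parameters.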

A2: Cross-Site Scripting (XSS)
Mainly JavaScript & HTML.
Vulnerable code:
echo('Username: ' . $_GET['name']);
A malicious name is written into the page unescaped, so the browser runs it:
Username: <script>window.location = 'evil.com'</script>
Prevention: Escape all untrusted data. Proper input validation.
Fixed code:
echo('Username: ' . htmlentities($_GET['name']));
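Output escaping per context, as an added example that is not from the slides: the slide's htmlentities() call covers HTML body text, while attribute values and script blocks need the quote and tag handling shown here. The sample input is constructed.

```php
<?php
// Added example, not from the slides: one escaper per output context.
function escHtml(string $s): string
{
    // ENT_QUOTES converts single quotes too; the default flags of
    // htmlentities()/htmlspecialchars() before PHP 5.4 left them alone, so a
    // value inside a single-quoted attribute could break out of it.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escJs(string $s): string
{
    // A JSON string literal with < > & ' " written as \uXXXX: the value can
    // neither end the <script> element nor close the quoted string.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?: '""';
}

function renderUsername(string $name): string
{
    return '<p>Username: ' . escHtml($name) . "</p>\n"
         . '<input type="text" name="name" value="' . escHtml($name) . "\">\n"
         . '<script>var username = ' . escJs($name) . ';</script>';
}

// Constructed input shaped like the payload on the slide.
echo renderUsername('<script>window.location = "evil.com"</script>'), "\n";
```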

A2: Cross-Site Scripting (XSS), continued
Zazzle.co.uk still vulnerable; reported in January. Payload: alert(1);

A3: Broken Authentication and Session Management
- Passwords properly hashed and salted in the database?
- Weak change password functionality?
- Sessions in the URL?
- Sessions sent over SSL?
Prevention: Hash & salt passwords stored in the database. Ensure sensitive data is sent over SSL. Test all authentication functionality.
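Salted password hashing and cookie-only sessions, as an added example that is not part of the talk. It assumes PHP 7.1+ (password_hash() exists from 5.5) and a users(userid, pass) table reachable through an assumed PDO connection $db, as on the A1 slide.

```php
<?php
// Added example, not from the slides. $db and the users table are assumed.

// Never accept or emit session ids in the URL (the "sessions in the URL?"
// question on the slide): cookies only, and no automatic URL rewriting.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

function storePassword(PDO $db, int $userId, string $plain): void
{
    // password_hash() draws a fresh random salt and embeds it in the output,
    // so the salt needs no column of its own.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET pass = :h WHERE userid = :id');
    $stmt->execute([':h' => $hash, ':id' => $userId]);
}

function login(PDO $db, int $userId, string $plain): bool
{
    $stmt = $db->prepare('SELECT pass FROM users WHERE userid = :id');
    $stmt->execute([':id' => $userId]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares in constant time; unknown user and wrong
    // password get the same answer.
    if ($hash === false || !password_verify($plain, $hash)) {
        return false;
    }
    // Re-hash on login if the stored hash uses an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        storePassword($db, $userId, $plain);
    }
    // A new session id after authentication defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['userid'] = $userId;
    return true;
}
```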

A4: Insecure Direct Object References
Prevention: Check authorisation on each request.

A5: Cross-Site Request Forgery (CSRF)
Attack: perform actions on behalf of the authenticated user.
Prevention: Use anti-CSRF tokens in the URL, e.g. ...243&token=yt5y5hu. Frameworks will normally do this for you (Symfony, CodeIgniter >= ).
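The token check the slide describes, as an added example that is not from the talk. It carries the token in a hidden POST field rather than the URL, which keeps it out of access logs and Referer headers; it assumes PHP 7.1+ and the form action path is a placeholder.

```php
<?php
// Added example, not from the slides. Assumes PHP 7.1+.
session_start();

function csrfToken(): string
{
    // One random token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfCheck(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() runs in constant time, so response timing does not
    // reveal how many leading characters of a guess were right.
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// A forged cross-site request carries the victim's cookies but cannot read
// the token out of the page, so it is rejected before anything changes.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfCheck($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing action for the logged-in user ...
}
?>
<form method="post" action="/account/delete">
    <input type="hidden" name="token" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Delete account</button>
</form>
```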

A6: Security Misconfiguration
- All software up to date? (OS, PHP, MySQL)
- Unnecessary features disabled?
- Software configured properly?
- Default files/folders removed? (documentation)
Prevention: Server hardening. Update software. Configure software.

A6: Security Misconfiguration, continued
Apparently it is not a misconfiguration according to Apache; it is there purposely, according to them. I would advise disabling it in your Apache configs.

A7: Insecure Cryptographic Storage
- Offsite backups?
- Data backups properly encrypted?
- Strong encryption algorithm used? (AES)
- Secure key used for decryption?
Prevention: Keys properly protected.

A8: Failure to Restrict URL Access
Prevention: Check authorisation on every page.

A9: Insufficient Transport Layer Protection
- SSL used when sensitive data is sent to the server?
- SSL properly implemented/configured?
- Cookies have the 'secure' flag?
- HTTPS downgrade-able to HTTP?
Prevention: Ensure all sensitive data is sent over SSL. Valid SSL certificate. Add 'secure' flag to cookies.
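The 'secure' flag and a guard against HTTP downgrade, as an added example that is not part of the talk: it forces TLS, sends an HSTS header so browsers stop trying plain HTTP, and marks cookies secure and httponly. APP_HOST is an assumed constant, the cookie value is constructed, and the array form of the cookie functions needs PHP 7.3+.

```php
<?php
// Added example, not from the slides. APP_HOST is an assumption.
const APP_HOST = 'www.example.com';

function isHttps(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

if (!isHttps()) {
    // Redirect before touching cookies or form data, and use a fixed host so
    // the request's Host header cannot steer the redirect elsewhere.
    header('Location: https://' . APP_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}

// One year of HSTS: the browser rewrites http:// links to https:// itself,
// so a later downgrade attempt never reaches the network.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// Session cookie: sent over TLS only and invisible to JavaScript.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Any other cookie that carries something sensitive gets the same flags.
$rememberToken = bin2hex(random_bytes(32));   // constructed value
setcookie('remember', $rememberToken, [
    'expires'  => time() + 30 * 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```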

A10: Unvalidated Redirects and Forwards
Example: redirect?returnurl=
Prevention: Warn user when being redirected off site. Validate redirects.
EA.com still vulnerable. Reported in October 2011.
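One way to validate a returnurl parameter, as an added example that is not from the talk: only site-relative paths or absolute URLs whose host is on an allow-list are used, anything else falls back to a safe default. The host name and the sample inputs are constructed.

```php
<?php
// Added example, not from the slides. The allowed host is an assumption.
const ALLOWED_HOSTS = ['www.example.com'];

function safeRedirectTarget(?string $url, string $fallback = '/'): string
{
    if ($url === null || $url === '') {
        return $fallback;
    }
    // Control characters could split the Location header into a second one.
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return $fallback;
    }
    // Site-relative path: exactly one leading "/". Browsers read "//host"
    // and "/\host" as scheme-relative URLs, which would leave the site.
    if ($url[0] === '/') {
        return (strlen($url) === 1 || ($url[1] !== '/' && $url[1] !== '\\')) ? $url : $fallback;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;       // "javascript:..." and bare words end up here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return $fallback;       // catches "https://www.example.com@evil.example/" too
    }
    return $url;
}

// Constructed inputs of the kind a ?returnurl= parameter receives.
foreach (['/account', '//evil.example/', 'https://www.example.com/home',
          'https://evil.example/', 'javascript:alert(1)'] as $u) {
    printf("%-32s -> %s\n", $u, safeRedirectTarget($u));
}
// In the redirect handler:
// header('Location: ' . safeRedirectTarget($_GET['returnurl'] ?? null)); exit;
```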

How to test your own applications.

OWASP Testing Methodology
Passive: Browse application; Understand application logic; Information Gathering; Use an HTTP Proxy (ZAP, Burp).
Active: Configuration Management; Business Logic; Authentication; Authorisation; Session Management; Data Validation; Denial of Service; Web Services; Ajax Testing.

Black Box Testing
Tools/Techniques: Arachni Web Application Scanner; OWASP ZAP; Manual Interaction.
Pros: Emulates a 'real' attacker*; Less time than white box (cheaper).
Cons: Less effective than white box.
*Real attackers are not limited by time or scope.

Post Interpreted (black box)

White Box Testing
Tools/Techniques: RIPS Static Code Analysis; Manual Source Code Review; GNU Grep.
Pros: More effective than black box; More thorough test.
Cons: More time than black box (more expensive); Tester needs to be able to read code.

Pre Interpreted (white box)

Demo: RIPS Static Code Analysis (white box tool) /Users/ryan/Sites/Sites/jobfinder/

What you really need! Black & White box testing within your Software Development Life Cycle (SDLC). Microsoft Security Development Lifecycle (SDL)

Summary
- The OWASP Top 10 is a useful but not exhaustive list.
- OWASP has lots of other great resources, including an upcoming Newcastle chapter!
- It is easy and free to do basic testing of your own apps.
- Build security into your development process.

“You'll never reach zero security vulnerabilities” - Michael Howard (Software Security Expert, Microsoft)

Further Reading

Questions?