Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security.

Published byMerry Henderson Modified over 9 years ago

Similar presentations

Presentation on theme: "Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security."— Presentation transcript:

1 Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security

2 Ryan Dewhurst aka @ethicalhack3r Projects Experience BSc Ethical Hacking for Computer Security Security Engineer @ RandomStorm Hobbyist Security Researcher Blogger @ ethicalhack3r.co.uk Contribute to Open Source security related tools DevBug

3 Aims of this talk Briefly show how you can test your own apps. Introduction to the OWASP Top 10 2010.

4 Why bother with security? Open Web Application Security Project (OWASP) Secure code is better quality code. Your or your employer’s reputation. Compliance (PCI,DPA,HIPAA). The right thing to do, users trust you with their data.

5 Open Web Application Security Project (OWASP) “The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software.” Top 10 Risks Testing Guide Code Review Guide WIKI Security Cheat Sheets Open Source Tools (ZAP, WebGoat....) Local Chapter Meetings (one in Newcastle soon!) A lot more! https://www.owasp.org/index.php/Main_Page

6 OWASP TOP 10 Risks 2010 ■A1: InjectionA1: Injection ■A2: Cross-Site Scripting (XSS)e Scripting (XSS) ■A3: Broken Authentication and Session ManagementA3: Broken ement ■A4: Insecure Direct Object ReferencesA4: Insecure Direct Object References ■A5: Cross-Site Request Forgery (CSRF)A5 ■A6: Security MisconfigurationMisconfiguration ■A7: Insecure Cryptographic StorageA7: Insecure Crypto ■A8: Failure to Restrict URL Accesst URL Access ■A9: Insufficient Transport Layer ProtectionA9: Insufficient Transp ■A10: Unvalidated Redirects and ForwardsRedirects and Forwards https://www.owasp.org/index.php/Top_10_2010-Main

7 A1: Injection SQL, XPath, LDAP, OS Commands... mysql_query(‘SELECT pass FROM users WHERE userid =’. $_GET[‘id’]); SELECT pass FROM users WHERE userid = 1 OR 1=1 -- Prevention: Proper use of prepared statements and stored procedures. http://php.net/manual/en/pdo.prepared-statements.php

8 A2: Cross-Site Scripting (XSS) Mainly JavaScript & HTML. echo(‘ Username: ’. $_GET[‘name’]. ‘ ’); Prevention: Escape all untrusted data. Proper input validation. Username: window.location = ‘evil.com’ echo(‘ Username: ’. htmlentities($_GET[‘name’]). ‘ ’);

9 A2: Cross-Site Scripting (XSS) Zazzle.co.uk still vulnerable. Reported in January. http://www.zazzle.co.uk/pd/realviewpopup?url=http://www.zazzle.co.uk/pd/realviewpopup?url= alert(1);

10 A3: Broken Authentication and Session Management Passwords properly hashed and salted in the database? Weak change password functionality? Sessions in the URL? Sessions sent over SSL? Prevention: Hash & salt passwords stored in the database. Ensure sensitive data is sent over SSL. Test all authentication functionality.

11 A4: Insecure Direct Object References http://www.bank.com/accounts/account.phphttp://www.bank.com/accounts/account.php?userid=123456 Prevention: Check authorisation on each request. http://www.bank.com/accounts/account.phphttp://www.bank.com/accounts/account.php?userid=123457 http://www.facebook.com/photos/album.phphttp://www.facebook.com/photos/album.php?album_id=1234 http://www.facebook.com/photos/album.phphttp://www.facebook.com/photos/album.php?album_id=1235

12 A5: Cross-Site Request Forgery (CSRF) Prevention: Use anti CSRF tokens in the URL. Perform actions on behalf of authenticated user. http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243 243 Frameworks will normally do this for you. (Symfony, CodeIgniter >= 2.0...) http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243 243&token=yt5y5hu

13 A6: Security Misconfiguration Prevention: All software up to date? (OS, PHP, MySQL) Unnecessary features disabled? Software configured properly? Default files/folders removed? (documentation) Server hardening. Update software. Configure software.

14 A6: Security Misconfiguration http://www.apache.org/server-status Apparently it is not a misconfiguration according to Apache. It is there purposely according to them. I would advise to disable it in your Apache configs.

15 A7: Insecure Cryptographic Storage Prevention: Offsite backups? Data backups properly encrypted? Strong encryption algorithm used? (AES) Secure key used for decryption? Keys properly protected.

16 A8: Failure to Restrict URL Access Prevention: Check authorisation on every page. http://www.example.com/admin/add_user.php http://www.example.com/admin/edit_user.php

17 A9: Insufficient Transport Layer Protection Prevention: Ensure all sensitive data is sent over SSL. Valid SSL certificate. Add ‘secure’ flag to cookies. SSL used when sensitive is data sent to the server? SSL properly implemented/configured? Cookies have the ‘secure’ flag? HTTPS downgrade-able to HTTP?

18 A10: Unvalidated Redirects and Forwards Prevention: Warn user when being redirected off site. Validate redirects. https://www.ea.com/uk/profile/remote- redirect?returnurl=http://https://www.ea.com/uk/profile/remote- redirect?returnurl=http://www.ethicalhack3r.co.uk/ EA.com still vulnerable. Reported in October 2011.

19 How to test your own applications.

20 OWASP Testing Methodology PassiveActive Configuration ManagementBusiness LogicAuthenticationAuthoris ationSession ManagementData ValidationDenial of ServiceWeb ServicesAjax Testing Browse application Understand application logic Information Gathering Use a HTTP Proxy (ZAP, Burp)

21 Black Box Testing Arachni Web Application Scanner OWASP ZAP Manual Interaction Tools/TechniquesPros Less effective than white box Cons Emulates a ‘real’ attacker* *real attackers are not limited by time or scope Less time than white box (cheaper)

22 Post Interpreted (black box)

23 White Box Testing Tools/TechniquesPros More effective than black box Cons More thorough test More time than black box (more expensive) RIPS Static Code Analysis Manual Source Code Review Tester needs to be able to read code GNU Grep

24 Pre Interpreted (white box)

25 Demo: RIPS Static Code Analysis (white box tool) http://127.0.0.1/~ryan/Sites/rips-0.51/ /Users/ryan/Sites/Sites/jobfinder/

26 What you really need! Black & White box testing within your Software Development Life Cycle (SDLC). Microsoft Security Development Lifecycle (SDL) http://www.microsoft.com/security/sdl/default.aspx

27 Summary OWASP Top 10 is useful but not extensive list. OWASP has lots of other great resources, including an up and coming Newcastle chapter! It is easy and free to do basic testing of your own apps. Build security into your development process.

28 “You'll never reach zero security vulnerabilities” - Michael Howard (Software Security Expert, Microsoft)

29 Further Reading https://www.owasp.org/index.php/Main_Page http://arachni-scanner.com/ http://rips-scanner.sourceforge.net/ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet http://www.youtube.com/watch?v=FYfMZx2hy_8

30 Questions? http://twitter.com/ethicalhack3r www.ethicalhack3r.co.uk

Download ppt "Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security."

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Security in Application & SDLC

Security in Application & SDLC
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do

Similar presentations

Ads by Google