Web Application Security: Winning When The Odds Are Against You

===Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You

Web Application SecurityWeb Application SecurityWinning When The Odds Are Against YouWinning When The Odds Are Against You

Ben DechraiBen Dechrai@bendechrai@bendechrai

#webappsec #phpnz14 #webappsec #phpnz14 https://joind.in/talk/view/11435https://joind.in/talk/view/11435

What Is Web What Is Web Application Security?Application Security?

What's Applicable to PHP Developers?

Where to Start?

Top Ten Cheat Sheet

Injection Cross Site Scripting

Weak authentication& session management

Insecure DirectObject Reference

Cross SiteRequest Forgery

SecurityMisconfiguration

InsufficientCryptographic Storage

Failure to RestrictURL access

Insufficient TransportLayer Protection

Unvalidated Redirectsand Forwards

Top Ten Cheat Sheet

Injection Cross Site Scripting

Weak authentication& session management

Insecure DirectObject Reference

Cross SiteRequest Forgery

SecurityMisconfiguration

InsufficientCryptographic Storage

Failure to RestrictURL access

Insufficient TransportLayer Protection

Unvalidated Redirectsand Forwards

DemoDemo

What Are What Are The Odds?The Odds?

Solutions?

Think like PHP...

Not in PHP...

Think LIKE PHP...

GET /index.html

GET /css/styles.css

GET /js/script.js

GET /images/logo.jpg

body { ... }

$(document).ready(...)

data:image/jpg;base64,/9j/4AAQSkZJRgA...

GET /index.php

PHP process

PHP returns

POST /login.phpPHP process

PHP returns<html>..</html>

POST /images.php/logo.jpg

PHP process

PHP returns

POST /images/logo.jpgPHP process

URL rewriting means anythingcan be passed to PHP

Cross-Site Request Forgeries

visage.cto.to

POST /login

PHP processPHP returns

POST /checkout PHP processPHP returns<html>..</html>

POST /address/edit

{ 200 }

evil.com

POST /payment

PHP processPHP returns

GET /confirmation PHP process

PHP process

PHP returns

PHP process

PHP returns

PHP Ain't Clever(hint, not many programming languages are!)

Data Data

Database

User Input

Other sites via APIDatabaseBrowser Response

Other systemsSending emails

PHP Environment

● 1 page load = 1 PHP process● Web server passes whole request to the PHP

process● When a script ends, all data are lost

Piecing Data Together

$_GET $_POST

$_COOKIE $_FILES

$_REQUEST

Request Basics

● $_REQUEST variables can come from Environment, Post, Get, Cookie or Session variables!

● Don't use them, specify the source● Even then, don't trust $_POST, et al● Consider all data harmful

Whitelist All Incoming Data

● Treat all data as untrusted● Only if it passed a whitelist, let it through● Look for odd data entry points

– Did you know the filename of an uploaded file is user generated input?

● Email addresses have fixed validation rules

(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*

| "(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]

| \\[\x01-\x09\x0b\x0c\x0e-\x7f])*")

@ (?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?

| \[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}

(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:

(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]

| \\[\x01-\x09\x0b\x0c\x0e-\x7f])+)

Some people, when confronted with a problem, think, “I know, I’ll use regular expressions.”

Now they have two problems.

— Jamie Zawinksi

filter_var($email, FILTER_VALIDATE_EMAIL);

(Or just send them an email)

● Names are a big topic(see http://is.gd/validating_names)

● Who decides if a name is valid?

– Josè Smith– La amonȝ– Þórinn Eikinskjaldi– Πηληϊάδεω χιλ οςἈ ῆ– Federico del Sagrado Corazón de Jesús García

Encode on Output

● Avoid encoding for storage● Keep valid user input intact● Encode when used in an output stream

– HTML encode for screen– URL encode for querystrings– Escape for CSV output

● By keeping the original data, you can repurpose for many outputs

Encode on Output

User GeneratedContent

Sanitize

HTML EMAIL

Sanitize

XML/JSON/CSV

Sanitize

UNKNOWNFUTURE APP

Sanitize

Encode on Output

filter_var($comment,

FILTER_SANITIZE_FULL_SPECIAL_CHARS);

Tokens

Username

Password

SUBMIT

ABC123

Referrers can be easily forged;

don't rely on them

Credits

● Security Camera image by Henning Mühlinghaus

● Conception image by Lynn (Gracie's mom)

● Piecing Data by José Manuel Ríos Valiente

References

● OWASP Top 10 Cheat Sheet

Thank You!Thank You!Questions?Questions?

Ben DechraiBen Dechrai@bendechrai@bendechrai

Web Application Security: Winning When The Odds Are Against You

Internet

Web Application Security: Winning When The Odds Are Against You

Odds Of Winning Online Slots

Against All Odds: Winning A Millage In an Uncertain ... Presentations/Against All... · Against All Odds: Winning A Millage In an Uncertain Environment Presented by: Kojo A. Quartey,

Odds Against Tomorrow Script

Against the Odds - Jasmitila Duran

Compassion Against All Odds

Overview Odds Pot Odds Outs Probability to Hit an Out Odds Against Hitting Your Hand Implied Odds Reverse Implied Odds Putting It Together

Odds Against Us

Against All Odds Catalogue

SURVIVING AGAINST THE ODDS · Surviving Against the Odds 1 SURVIVING AGAINST THE ODDS Sandra NIESSEN ... unclear whether that meaning system was thriving, whether and how it might

Against All Odds overcoming the obstacles

Against All Odds - Ceylon Tobacco Company

Lesson 9 - Against All Odds

Against all odds presentation (updated)

Resilience against all odds - UNHCR

AGAINST ALL ODDS - sk.cmha.ca · AGAINST ALL ODDS Annual Report 2008-2009 Canadian Mental Health Association (Saskatchewan Division) Inc

The Odds Against Us

Against All Odds - Amazon Web Servicescontent.connectwithkids.com.s3.amazonaws.com/.../Against-All-Odds... · RESOURCE GUIDE Against All Odds Resiliency Fact Sheet Parent Tip Sheet

EPISODE 15: AGAINST-ALL-ODDS 101

Accelerators V1.0 - Betting against the odds