Web application security

DESCRIPTION

This talk is designed for people who are interested in the concepts of web application security but may never have been involved with it before, or, on the other side of the coin, developers. Using open source frameworks and tools we discuss an approach to a couple of well-known vulnerabilities and demonstrate how these can be fixed well (and not so well). The talk also gives the audience a "take away" in the form of further exercises that can be done in order to learn more about the security side of web applications and PHP in particular.

Web Application Security: PHP

Thomas Mackenzie

$ whois spiderlabs.tom

Copyright Trustwave 2011 Confidential

Tom Mackenzie

• Web Application Security

• @tmacuk

• http://www.tmacuk.co.uk

• http://www.upsploit.com

• Podcast

PUBOTD

About SpiderLabs ®

Pentesting

Incident Response

Application Security

Research & Development

Security Conferences

Global Security Report

About SpiderLabs®

• Formed in 2005 to serve a growing need for deep technical professional services within Trustwave’s client base.

• SpiderLabs is the advanced security team at Trustwave.

• SpiderLabs provides thought leadership to the entire Trustwave organisation and our clients.

• In 2009 and 2010, Trustwave's SpiderLabs responded to over 400 incidents and performed nearly 4,500 penetration tests for organisations in over 50 different countries.

Featured Speakers at:

Introduction

Expectations

• PHP

• Code and Security

• Live Demos

• Best Practices

• DIY

DVWA – Damn Vulnerable Web App

About DVWA

• Ryan Dewhurst - @ethicalhack3r

• Damn Vulnerable?

• Security Levels

• PHP & MySQL / PostgreSQL

• http://code.google.com/p/dvwa/

About DVWA

• How can you help?

• Open Source

• Contributors

• Fork

• Ideas!

• Ideas?

Live Demo

Best Practices

OWASP

• Books

• Cheat Sheets

• People

• Events

• Projects

Intercepting Proxies

• Burp Suite / BS Pro

• ZAP

• Paros

Live Demo

Links

Links

• http://www.dvwa.co.uk

• http://www.owasp.org

• http://portswigger.net/burp/

• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

• http://www.parosproxy.org/

• https://www.owasp.org/index.php/OWASP_Testing_Project

• http://mdsec.net/wahh/

• http://blog.spiderlabs.com

• https://www.trustwave.com/apppentest.php

SpiderLabs Research Reports

WHID Report

Global Security Report

Contact

• tmackenzie@trustwave.com

• http://www.tmacuk.co.uk
