DESCRIPTION
Even the simplest web application has so many vectors of attack that it's no wonder most people forget at least one. Web applications aren't stand-alone: they are built upon frameworks, upon platforms, upon core libraries, each of which could suffer from vulnerabilities you're not only unaware of but statistically unlikely to discover in full. Consider, for example, the recent OpenSSL "Heartbleed" bug. We hear about security vulnerabilities every week; now it's time to experience them. Find out what the leading concerns are, and the not-so-common ones too, and see live demonstrations of how these attacks play out. This presentation aims to arm you with the mindset, tools and resources to minimise the opportunities for attack and to reduce the fallout when attacks succeed. From cross-site scripting and session hijacking to brute force and man-in-the-middle attacks, you're expected to cover all your bases so the bad guys can't use a single one.
Web Application Security: Winning When The Odds Are Against You
New Zealand PHP Conference 2014
Ben Dechrai, @bendechrai
#webappsec #phpnz14 https://joind.in/talk/view/11435
What Is Web Application Security?
What's Applicable to PHP Developers?
Where to Start?
Top Ten Cheat Sheet
● Injection
● Cross Site Scripting
● Weak authentication & session management
● Insecure Direct Object Reference
● Cross Site Request Forgery
● Security Misconfiguration
● Insufficient Cryptographic Storage
● Failure to Restrict URL access
● Insufficient Transport Layer Protection
● Unvalidated Redirects and Forwards
Demo
What Are The Odds?
Solutions?
Think like PHP...
Not in PHP...
Think LIKE PHP...
HTTP
[Diagram: a static site, each request answered straight from disk]
GET /index.html -> <html>..</html>
GET /css/styles.css -> body { ... }
GET /js/script.js -> $(document).ready(...)
GET /images/logo.jpg -> data:image/jpg;base64,/9j/4AAQSkZJRgA...
HTTP
[Diagram: a PHP site, each request handled by a PHP process]
GET /index.php -> PHP process -> PHP returns -> <html>..</html>
POST /login.php -> PHP process -> PHP returns -> <html>..</html>
HTTP
[Diagram: requests for image paths still reach a PHP process]
POST /images.php/logo.jpg -> PHP process -> PHP returns -> <html>..</html>
POST /images/logo.jpg -> PHP process -> PHP returns -> <html>..</html>
URL rewriting means anything can be passed to PHP
Cross-Site Request Forgeries
[Diagram: two origins sending requests to the same PHP backend]
visage.cto.to:
POST /login -> PHP process -> PHP returns -> <html>..</html>
POST /checkout -> PHP process -> PHP returns -> <html>..</html>
POST /address/edit -> {401}
POST /address/edit -> { 200 }
evil.com:
POST /payment -> PHP process -> PHP returns -> <html>..</html>
GET /confirmation -> PHP process -> PHP returns -> <html>..</html>
PHP Ain't Clever (hint, not many programming languages are!)
[Diagram: data flowing in and out of PHP]
Data in: Database, User Input, Files, Other sites via API
Data out: Database, Browser Response, Other systems, Sending emails
PHP Environment
● 1 page load = 1 PHP process
● Web server passes whole request to the PHP process
● When a script ends, all data are lost
Piecing Data Together
$_GET $_POST $_COOKIE $_FILES $_REQUEST
Request Basics
● $_REQUEST variables can come from Environment, Post, Get, Cookie or Session variables!
● Don't use them, specify the source
● Even then, don't trust $_POST, et al
● Consider all data harmful
Whitelist All Incoming Data
● Treat all data as untrusted
● Only if it passed a whitelist, let it through
● Look for odd data entry points
– Did you know the filename of an uploaded file is user generated input?
● Email addresses have fixed validation rules
Whitelist All Incoming Data
(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*
| "(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]
| \\[\x01-\x09\x0b\x0c\x0e-\x7f])*")
@ (?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
| \[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}
(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:
(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]
| \\[\x01-\x09\x0b\x0c\x0e-\x7f])+)
\])
Whitelist All Incoming Data
Some people, when confronted with a problem, think, “I know, I’ll use regular expressions.”
Now they have two problems.
— Jamie Zawinski
Whitelist All Incoming Data
filter_var($email, FILTER_VALIDATE_EMAIL);
(Or just send them an email)
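The Request Basics and whitelist slides put together as an added example (not code from the talk): each value is read from its named source with filter_input, checked against a whitelist, and the uploaded filename is treated as user input like any other. The field names, the upload directory and PHP 7+ are assumptions.

```php
<?php
// Added example, not from the talk. Field names ("email", "page",
// "avatar") and the upload directory are hypothetical; assumes PHP 7+.
declare(strict_types=1);

// Read from the named source (POST), never from $_REQUEST, and validate.
function validatedEmail(): ?string
{
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    return is_string($email) ? $email : null;   // false (invalid) / null (absent)
}

// An integer with an explicit range; anything else falls back to page 1.
function validatedPage(): int
{
    $page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return is_int($page) ? $page : 1;
}

// The client-supplied filename is user input: drop any directory part
// and accept only a short, plain name with a whitelisted extension.
function safeUploadName(string $clientName): ?string
{
    $base = basename($clientName);
    return preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/', $base) ? $base : null;
}

// Store under a server-chosen name; the whitelisted client name is only metadata.
function storeUpload(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safeUploadName((string) $file['name']);
    if ($name === null || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Usage from a request handler:
$email = validatedEmail();   // null unless it passed the whitelist
$page  = validatedPage();
$saved = isset($_FILES['avatar']) ? storeUpload($_FILES['avatar'], '/var/www/uploads') : null;
```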
Whitelist All Incoming Data
● Names are a big topic (see http://is.gd/validating_names)
● Who decides if a name is valid?
– Josè Smith
– Laȝamon
– Þórinn Eikinskjaldi
– Πηληϊάδεω Ἀχιλῆος
– Federico del Sagrado Corazón de Jesús García Lorca
Encode on Output
● Avoid encoding for storage
● Keep valid user input intact
● Encode when used in an output stream
– HTML encode for screen
– URL encode for querystrings
– Escape for CSV output
● By keeping the original data, you can repurpose for many outputs
Encode on Output
[Diagram: one stored copy of User Generated Content, sanitized separately for each output: HTML, EMAIL, XML/JSON/CSV, and an UNKNOWN FUTURE APP]
Encode on Output
filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
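The "encode on output" rule as an added example (not code from the talk): the same stored comment is encoded differently for HTML, a query string, JSON embedded in a page, and CSV, so the original stays reusable. The comment text and the URL are constructed sample values.

```php
<?php
// Added example, not from the talk: store the comment as submitted and
// encode it per output stream. $comment and the URL are constructed samples.
declare(strict_types=1);

$comment = "Tom & Jerry's <b>\"review\"</b> <script>alert(1)</script>";  // constructed

// HTML body or attribute: entity-encode so the browser renders text, not markup.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Query string: percent-encode so the value cannot add or alter parameters.
function forQuery(string $s): string
{
    return 'https://example.invalid/search?q=' . rawurlencode($s);  // hypothetical URL
}

// JSON inside a <script> block: the HEX flags keep <, >, &, ' and " out
// of the literal so the value cannot close the script element.
function forScriptJson(array $data): string
{
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// CSV: let fputcsv quote fields and double any embedded quotes.
function forCsv(array $row): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $row);
    rewind($fh);
    $out = stream_get_contents($fh);
    fclose($fh);
    return $out;
}

echo forHtml($comment), "\n";
echo forQuery($comment), "\n";
echo forScriptJson(['comment' => $comment]), "\n";
echo forCsv(['alice', $comment]);
```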
Cross-Site Request Forgeries
Tokens
[Diagram: a login form with Username, Password and a hidden Token field (ABC123) plus a SUBMIT button; the submitted token ABC123 is matched against the ABC123 held server-side]
Cross-Site Request Forgeries
Referrers can be easily forged; don't rely on them
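The token approach from the slides as an added example (not code from the talk): a per-session token is generated, embedded in the form, and compared with a constant-time check on every state-changing POST, with no reliance on the Referer header. It assumes PHP 7+ and that session_start() has already run; the field name and handler are hypothetical.

```php
<?php
// Added example, not from the talk. Assumes PHP 7+ (random_bytes) and an
// already-started session; the "token" field and handler are hypothetical.
declare(strict_types=1);

// One token per session, created on first use.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));  // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for the form; encoded on output even though the token is hex.
function csrfField(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare submitted and stored tokens in constant time.
function csrfValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// State-changing request: require POST and a valid token; the Referer
// header is not consulted because it can be forged or omitted.
function handleAddressEdit(): int
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST' || !csrfValid($_POST)) {
        http_response_code(403);
        return 403;
    }
    // ... apply the address change here ...
    return 200;
}
```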
Credits
● Security Camera image by Henning Mühlinghaus
● Conception image by Lynn (Gracie's mom)
● Piecing Data by José Manuel Ríos Valiente
References
● OWASP Top 10 Cheat Sheet
Thank You! Questions?
Ben Dechrai, @bendechrai
New Zealand PHP Conference 2014