2. Who are you and why are you in my house?
  Chris Tankersley
  Doing PHP for 8 years
  Lots of projects no one uses, and a few that some do
  TL;DR https://github.com/dragonmantank
NWO-PUG, September 20, 2011
3. The Parts of Security
  It's more than just a username/password
4. What is Secure Programming?
  Minimizing Attack Surface
  Establishing Secure Defaults
  Principle of Least Privilege
  Defense in Depth
  Fail Securely
  Don't Trust Services or Users
  Separation of Duties
  Avoid Security through Obscurity
  Keep Security Simple
  Fix Security Issues Correctly
  https://www.owasp.org/index.php/Secure_Coding_Principles
12. A Bit More Real Life
13. Protecting against SQL Injection
  Use PDO and prepared statements: the query text is fixed and every user value is bound as a parameter
  Placeholders only work for values; table and column names or sort direction must come from a fixed allow-list
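As an added example (not code from the original slides), here is the same lookup written with string concatenation and with a PDO prepared statement, plus the allow-list pattern for the parts of a query that placeholders cannot cover. It uses an in-memory SQLite database with constructed rows so it runs stand-alone; the "users" table and its columns are this example's assumption.

```php
<?php
// Added example, not from the original slides: vulnerable and prepared
// versions of a user lookup. The "users" table and its rows are constructed
// here so the script runs without any external database.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        // For pdo_mysql also set PDO::ATTR_EMULATE_PREPARES => false so the
        // server, not the client, keeps statement text and data apart.
    ]);
    $db->exec('CREATE TABLE users (username TEXT, email TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
    return $db;
}

// Vulnerable: the input becomes part of the SQL text. $username = "' OR '1'='1"
// turns the WHERE clause into  username = '' OR '1'='1'  and matches every row.
function findUserVulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch();
    return $row === false ? null : $row;
}

// Hardened: the statement text is fixed and the value travels as a parameter,
// so the same input is just a user name that does not exist.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Caveat: placeholders only stand in for values. Column names and sort
// direction cannot be bound, so map those through a fixed allow-list instead
// of concatenating user input; anything unknown falls back to a default.
function listUsersOrdered(PDO $db, string $orderBy, string $dir): array
{
    $columns = ['username' => 'username', 'email' => 'email'];
    $dirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    $col = $columns[$orderBy] ?? 'username';
    $ord = $dirs[strtolower($dir)] ?? 'ASC';
    return $db->query("SELECT username, email FROM users ORDER BY $col $ord")->fetchAll();
}

// Stand-alone run with a constructed injection string.
$db = connect();
$injected = "' OR '1'='1";
var_dump(findUserVulnerable($db, $injected));
var_dump(findUserSafe($db, $injected));
var_dump(listUsersOrdered($db, 'email', 'desc; DROP TABLE users'));
```

Run it once and compare the two lookups for the same input: the concatenated query returns a row for a user that does not exist, the prepared one returns null, and the injected ORDER BY text never reaches the database because it is not a key in the allow-list.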
14. Command Injection
  When your script passes user input to an external program through the shell, the user can run their own commands on the server
15. Protecting against Command Injection
  Best: don't let the user pick the program at all; map their choice to a fixed command line
  If allowing the user to specify commands, use escapeshellcmd() (caveat: it escapes shell metacharacters but leaves spaces alone, so extra arguments and options can still be appended)
  If allowing the user to specify arguments, quote each one with escapeshellarg() and validate it against the shape you expect (file name, number, path under your directory)
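An added example (not from the original slides) wrapping ImageMagick's convert binary: the vulnerable form, the escapeshellarg() form with input validation, a no-shell form via proc_open() with an argument array (PHP 7.4+), and a small demonstration of why escapeshellcmd() is the wrong tool for arguments. The /var/www/uploads and /var/www/thumbs directories and the use of convert are this example's assumptions.

```php
<?php
// Added example, not from the original slides. Builds a thumbnail with the
// external "convert" program; the file name comes from the user. Paths are
// hypothetical.

// Vulnerable: the name is dropped straight into the shell string, so
// "x.png; rm -rf /tmp/*" or "$(id).png" runs attacker-chosen commands.
function thumbnailVulnerable(string $name): ?string
{
    return shell_exec("convert /var/www/uploads/$name -resize 100x100 /var/www/thumbs/$name");
}

// Only accept what a file name is supposed to look like. escapeshellarg()
// stops shell interpretation but would faithfully quote "../../etc/passwd"
// or an option like "-delete", so validation is still needed.
function assertSafeName(string $name): void
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpg)\z/', $name)) {
        throw new InvalidArgumentException('bad file name');
    }
}

// Hardened: fixed program path, fixed options, each data argument quoted
// separately (escapeshellarg() wraps in single quotes and escapes embedded ones).
function thumbnailSafe(string $name): string
{
    assertSafeName($name);
    $src = escapeshellarg("/var/www/uploads/$name");
    $dst = escapeshellarg("/var/www/thumbs/$name");
    return (string) shell_exec("/usr/bin/convert $src -resize 100x100 $dst 2>&1");
}

// Better still: no shell at all. With an array, proc_open() execs the program
// directly (PHP 7.4+), so metacharacters in arguments are never interpreted.
function thumbnailNoShell(string $name): string
{
    assertSafeName($name);
    $argv = ['/usr/bin/convert', "/var/www/uploads/$name", '-resize', '100x100', "/var/www/thumbs/$name"];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start convert');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException("convert failed: $out");
    }
    return $out;
}

// escapeshellcmd() neutralises ; | & ` $ and friends but leaves spaces, so
// a "file name" can still smuggle extra arguments; escapeshellarg() turns the
// whole string into one quoted argument.
function showEscapeshellcmdGap(): array
{
    $user = 'photo.png -resize 1x1 /etc/passwd';   // constructed input
    return [
        'escapeshellcmd' => escapeshellcmd($user),
        'escapeshellarg' => escapeshellarg($user),
    ];
}

var_dump(showEscapeshellcmdGap());
```

The validation step is the part people skip: quoting makes the shell treat the value as data, but the program on the other side still interprets its data, so a leading dash or a traversal sequence has to be rejected before the value is ever handed over.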
16. HTML/Script Injection
  HTML Injection: when user input is used to create new markup that the application did not expect
  Script Injection: when user input is used to add new scripting to a page
18. Protecting against HTML/Script Injection
  Decide if you really need to take HTML input
  If you do: use an HTML cleaner like Tidy or htmLawed and create a whitelist of allowed tags (a tag whitelist alone is not enough: attributes such as onclick and javascript: URLs live inside allowed tags)
  If you don't: use htmlentities()/htmlspecialchars() on every untrusted value at output time, with ENT_QUOTES and the page's charset, so it is escaped for both text and attribute context
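An added example (not from the original slides): a small output-escaping helper for the "you don't need HTML" case, and a demonstration of why a bare tag whitelist via strip_tags() is not a cleaner. The helper name e() and the profile markup are this example's own.

```php
<?php
// Added example, not from the original slides. Output escaping for text and
// attribute context, and what strip_tags() leaves behind. Names and sample
// markup are constructed for this example.

// Escape for HTML text nodes and for double- or single-quoted attribute
// values. ENT_QUOTES matters: before PHP 8.1 the default flags left the
// single quote untouched, so value='<?= $x ?>' stayed injectable. Passing the
// charset explicitly keeps a malformed multibyte sequence from hiding a quote.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderProfile(string $displayName, string $bio): string
{
    $name = e($displayName);
    return '<h1 title="' . $name . '">' . $name . "</h1>\n"
         . '<p>' . e($bio) . "</p>\n";
}

// strip_tags() with an allow-list keeps everything inside an allowed tag:
// the onmouseover handler and the javascript: href below survive, and the
// <script> element loses its tags but keeps its text. That is why accepting
// HTML needs a real cleaner (htmLawed and friends) rather than this.
function stripTagsIsNotACleaner(): string
{
    $input = '<a href="javascript:alert(1)" onmouseover="alert(2)">hi</a><script>alert(3)</script>';
    return strip_tags($input, '<a>');
}

// Stand-alone run with constructed attacker input.
echo renderProfile('"><script>alert(document.cookie)</script>', "It's <b>me</b>");
echo stripTagsIsNotACleaner(), "\n";
```

Escape at the point of output, not at input: the same string may be rendered into HTML text, an attribute, a URL and a JSON blob, and each needs its own encoding.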
23. What is it?
  Insecure storing of credentials
  Session IDs exposed via URL
  Session fixation attacks
24. Storing Credentials
  Hash with a salt using hash(); do not use md5 or sha1, use at least sha256 (md5 and sha1 are broken and not recommended for secure hashing)
  Caveat: a single round of any fast hash, salted or not, can be brute-forced offline at GPU speed; for passwords use a deliberately slow, salted algorithm such as bcrypt (crypt() with CRYPT_BLOWFISH in PHP 5.3+, password_hash() in PHP 5.5+)
  If you have to get the raw data back, encrypt it with the mcrypt functions using AES-256
  Note: in mcrypt, AES is MCRYPT_RIJNDAEL_128 (128-bit block) with a 32-byte key; MCRYPT_RIJNDAEL_256 means a 256-bit block size and is not AES. mcrypt was deprecated in PHP 7.1 and removed in 7.2; on current versions use openssl_encrypt()
25. Session IDs in URL
  Commonly used when cookies can't be enabled, but the ID then leaks through Referer headers, bookmarks, proxies and logs
  Make sure the following is set in your php.ini:
    session.use_trans_sid = 0
    session.use_only_cookies = 1
  (The directive is use_trans_sid, not use_trans_id; a misspelled directive is silently ignored, so check with ini_get() or phpinfo().)
26. Session Fixation
  The attacker gets the victim's browser to use a session ID the attacker already knows (a link carrying the ID, for example), then waits for the victim to log in under it
  What happens if your users don't log out? That ID stays valid for whoever holds it
  Use sessions to detect login status, expire idle sessions server-side, and regenerate the session ID with session_regenerate_id(true) whenever the user logs in or changes privilege
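An added example (not from the original slides) covering slides 25 and 26 together: the session settings applied at runtime for hosts where php.ini cannot be edited, regeneration of the ID at login so a planted ID is worthless, a server-side idle timeout, and a logout that actually destroys the session. The session keys, the stored-hash lookup and the idle limit are this example's assumptions.

```php
<?php
// Added example, not from the original slides. Session hardening for
// slides 25 and 26. Session key names and the 30-minute idle limit are
// this example's choices.

function startHardenedSession(): void
{
    // Never accept or emit session IDs in URLs (the directive is use_trans_sid).
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    // Refuse an ID the server never issued (PHP 5.5.2+): without this, an
    // attacker can choose the victim's session ID before the victim logs in.
    ini_set('session.use_strict_mode', '1');
    // Cookie flags: HTTPS only, not readable by script, not sent cross-site.
    session_set_cookie_params([          // array form needs PHP 7.3+
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// $storedHash is the password_hash() value the application loaded for
// $username; how it is loaded is outside this example.
function login(string $username, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // Privilege change: discard the pre-login ID, which the attacker may have
    // planted, and issue a fresh one. true also deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user']          = $username;
    $_SESSION['last_activity'] = time();
    return true;
}

// "What happens if your users don't log out?": bound the session's life on
// the server instead of trusting the browser to drop the cookie.
function requireLogin(int $idleLimit = 1800): void
{
    $active = isset($_SESSION['user'], $_SESSION['last_activity'])
        && (time() - $_SESSION['last_activity']) < $idleLimit;
    if (!$active) {
        logout();
        header('Location: /login.php', true, 303);
        exit;
    }
    $_SESSION['last_activity'] = time();
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the browser's copy too, not just the server-side data.
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Typical page flow.
startHardenedSession();
requireLogin();
```

session.use_strict_mode is the setting that directly defeats fixation; regenerate_id on login is the belt to its braces, and the idle timeout is what limits the damage when a user simply walks away.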
28. What is it?
  Making sure that what the user is accessing, they actually have access to
  Should be handled by checking authorization when the object is accessed, or by mapping user-facing references to internal ids
  This is not an injection attack, but a logic attack
30. How to Avoid
  Always check to make sure the user has authorization to access the resource, on every request, ideally inside the query that fetches it
  Map variables/whitelist (opaque per-session references instead of raw database ids) to make enumeration harder; this adds to the authorization check, it does not replace it
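An added example (not from the original slides) serving a user's invoice by id: the broken version trusts the id from the URL, the fixed version makes the ownership check part of the lookup, and a per-session indirect reference map keeps raw database ids out of URLs. The "invoices" table, its constructed rows and the session layout are this example's assumptions; it uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not from the original slides. Direct object reference on an
// "invoices" table; rows, table and session keys are constructed here.

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, pdf_path TEXT)');
    $db->exec("INSERT INTO invoices VALUES (1, 10, '/data/inv-1.pdf'), (2, 20, '/data/inv-2.pdf')");
    return $db;
}

// Broken: ?id=2 returns invoice 2 to any logged-in user.
function invoiceVulnerable(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, owner_id, pdf_path FROM invoices WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch() ?: null;
}

// Fixed: ownership is part of the lookup, so a row the current user does not
// own simply never comes back.
function invoiceForUser(PDO $db, int $id, int $currentUserId): ?array
{
    $stmt = $db->prepare('SELECT id, owner_id, pdf_path FROM invoices WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    return $stmt->fetch() ?: null;
}

// Indirect references: the browser gets an opaque random token per object,
// resolved only from the session that issued it. Walking id=1,2,3... stops
// working, but this sits on top of the ownership check, never instead of it.
function referenceFor(int $invoiceId): string
{
    $_SESSION['ref_map'] = $_SESSION['ref_map'] ?? [];
    $token = array_search($invoiceId, $_SESSION['ref_map'], true);
    if ($token === false) {
        $token = bin2hex(random_bytes(16));
        $_SESSION['ref_map'][$token] = $invoiceId;
    }
    return $token;
}

function resolveReference(string $token): ?int
{
    return $_SESSION['ref_map'][$token] ?? null;
}

// Request handler: resolve the token, then apply the ownership check. The
// same 404 covers "does not exist" and "not yours", so responses do not
// confirm which ids are valid.
function serveInvoice(PDO $db, string $token, int $currentUserId): void
{
    $id  = resolveReference($token);
    $row = $id === null ? null : invoiceForUser($db, $id, $currentUserId);
    if ($row === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/pdf');
    readfile($row['pdf_path']);
}

// Stand-alone run: user 10 asks for user 20's invoice.
$_SESSION = [];              // stand-in for session_start() in a CLI run
$db = demoDb();
var_dump(invoiceVulnerable($db, 2));
var_dump(invoiceForUser($db, 2, 10));
$token = referenceFor(1);
var_dump(resolveReference($token) === 1);
```

Compare the two lookups for invoice 2 as user 10: the unchecked query hands over another owner's row, the ownership-qualified one returns nothing. The reference map only changes what the URL looks like; the query is what decides access.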
31. Cross Site Request Forgery
  Or CSRF Attacks
32. What is it?
  When a trusted website receives commands from a user it has authenticated, but the user never meant to send them: another site's page triggers the request and the browser attaches the user's cookies
  In days gone by, this was handled with Referer checking, but don't trust Referer information: browsers, proxies and privacy tools strip it, and a missing or wrong Referer says nothing reliable about intent
33. An example – Bank Transfer
  A bank transfer is done via $_GET variables
  User is authenticated but not logged out
34. How to avoid this
  Include a hidden element in the form with a one-time random value that is also stored in the session, and reject the request when it is missing or does not match
  Another site cannot read your page, so it cannot learn the value
  Accept state-changing actions over POST only; a transfer triggered by $_GET can be forged with nothing more than an <img> tag
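An added example (not from the original slides): a synchronizer token for the bank-transfer form, generated per session, embedded as a hidden field, and checked with a constant-time compare before the transfer runs. The field and session key names, the form markup and the transfer callback are this example's choices.

```php
<?php
// Added example, not from the original slides. CSRF token for the transfer
// form from slide 33. Key and field names are constructed for this example.

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 random bits
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// The attacker's page can make the victim's browser send a request carrying
// the victim's cookies, but cannot read this page, so it never sees the token.
function csrfValid(): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;      // state changes over GET are forgeable with <img src=...>
    }
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return false;      // hash_equals(): no timing leak on partial matches
    }
    unset($_SESSION['csrf_token']);   // one-time, as the slide says: a replay fails
    return true;
}

// transfer-form.php
function transferForm(): string
{
    return '<form method="post" action="/transfer.php">'
         . '<input name="to"><input name="amount">'
         . csrfField()
         . '<button>Transfer</button></form>';
}

// transfer.php: nothing moves until the token checks out.
function handleTransfer(callable $doTransfer): void
{
    if (!csrfValid()) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
    $doTransfer((int) ($_POST['to'] ?? 0), (int) ($_POST['amount'] ?? 0));
}
```

Consuming the token on use is the strict "one-time" reading of the slide; it breaks a user who has the form open in two tabs, so many applications keep one token for the whole session and rely on regeneration at login instead. Either way the check must happen before the side effect, not after.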
36. Beyond the scope of programming
  Check for server hardening guidelines for your OS
  Password rotation practices
  Understanding your settings
  Keep your stack up to date!
38. More of a logic problem
  Encrypting data in the database, but sending it out in the clear on output (pages, exports, logs)
  Using unsalted hashes
39. How to avoid this
  Like when storing credentials, use a salt whenever hashing information, and a slow algorithm when the information is a password
  Only decrypt data when it is needed, at the point of use, and keep the key out of the database that holds the ciphertext
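An added example (not from the original slides) serving both slide 24 and slide 39: a slow salted password hash via password_hash() (PHP 5.5+, bcrypt by default) next to the fast salted hash() the deck describes, and field-level AES-256-GCM encryption through the openssl extension (PHP 7.1+ for the tag argument) for data that has to come back out, as the mcrypt extension the deck names was removed in PHP 7.2. Key handling is this example's assumption; the key would come from outside the database.

```php
<?php
// Added example, not from the original slides. Password storage and
// reversible field encryption for slides 24 and 39. The demo key below is
// generated on the fly; in production it lives in a secrets store.

function storePassword(string $plain): string
{
    // Generates its own random salt and embeds salt, cost and algorithm in the
    // result; cost 12 is roughly a quarter second per hash on commodity CPUs.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);   // constant-time compare inside
}

// What the slide's "hash() with a salt" looks like. Kept only to show the
// weakness: one fast round, so an attacker holding the salt still tries
// guesses at full GPU speed. Not for passwords.
function fastSaltedHash(string $plain, string $salt): string
{
    return hash('sha256', $salt . $plain);
}

// Reversible encryption for data you must read back (slide 39: decrypt only
// at the point of use). Output layout: iv || tag || ciphertext.
function encryptField(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $iv = random_bytes(12);   // fresh per message; never reuse an IV with the same key
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}

function decryptField(string $blob, string $key): string
{
    if (strlen($blob) < 28) {
        throw new RuntimeException('ciphertext too short');
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    // GCM verifies the tag first: a modified ciphertext returns false rather
    // than garbage, which is the difference between "encrypted" and "secure".
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('decryption failed or data was tampered with');
    }
    return $pt;
}

// Stand-alone run with constructed values.
$hash = storePassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $hash));
var_dump(checkPassword('Tr0ub4dor&3', $hash));

$key  = random_bytes(32);                  // demo only; load from a secret store in practice
$blob = encryptField('4111 1111 1111 1111', $key);
var_dump(decryptField($blob, $key));
$blob[strlen($blob) - 1] = chr(ord($blob[strlen($blob) - 1]) ^ 1);   // flip one ciphertext bit
try {
    decryptField($blob, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The bit flip at the end is the point of choosing an authenticated mode: with the CBC-style mcrypt setup the deck describes, the tampered record would decrypt to altered plaintext and nothing would complain.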
41. What is it?
  When users can reach parts of the application just through URL manipulation
  When the app doesn't check authorization properly for a page or action, as opposed to a single object
42. Security through Obscurity
  Don't trust that just because a user doesn't know a URL, they can't get to it
  Fuzzers and wordlists find all kinds of things, especially if the app is a common one whose paths are public
43. How to avoid this
  ALWAYS check authorization, in one central place that every request passes through, and deny by default. The extra CPU cycles are worth it.
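An added example (not from the original slides): a front-controller gate that answers "may this user reach this URL?" from one table, denying anything not listed, so no individual page script can forget its own check. The routes, roles and session key are this example's assumptions.

```php
<?php
// Added example, not from the original slides. Function-level authorization
// for every URL from one table. Paths, roles and $_SESSION['role'] are
// constructed for this example.

// path => roles allowed. 'anon' means no login needed, '*' means any logged-in user.
const ROUTES = [
    '/'             => ['anon'],
    '/login'        => ['anon'],
    '/account'      => ['*'],
    '/admin'        => ['admin'],
    '/admin/users'  => ['admin'],
    '/admin/export' => ['admin', 'auditor'],   // unlinked "hidden" page: still listed
];

// Canonicalise before the lookup, the same way the router would, otherwise
// /admin/, /%61dmin, //admin or /x/../admin slip past a naive string compare.
function normalizePath(string $uri): string
{
    $path = rawurldecode(explode('?', $uri, 2)[0]);
    $segments = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    return '/' . implode('/', $segments);
}

function isAllowed(string $uri, ?string $role): bool
{
    $path = normalizePath($uri);
    if (!array_key_exists($path, ROUTES)) {
        return false;                          // unknown URL: deny, do not guess
    }
    $allowed = ROUTES[$path];
    if (in_array('anon', $allowed, true)) {
        return true;
    }
    if ($role === null) {
        return false;                          // not logged in
    }
    return in_array('*', $allowed, true) || in_array($role, $allowed, true);
}

// Called once at the top of index.php, before any page code runs.
function gate(): void
{
    $role = $_SESSION['role'] ?? null;
    if (!isAllowed($_SERVER['REQUEST_URI'] ?? '/', $role)) {
        http_response_code($role === null ? 401 : 403);
        exit;
    }
}

// Stand-alone checks with constructed inputs: the answer must not depend on
// how the path is spelled, and an unlisted path is refused even to an admin.
var_dump(isAllowed('/admin/export', 'auditor'));
var_dump(isAllowed('/x/../admin/export/?format=csv', 'auditor'));
var_dump(isAllowed('/%61dmin/users', 'user'));
var_dump(isAllowed('/reports/secret', 'admin'));
```

A table lookup per request is the "extra CPU cycles" the slide mentions; the real cost is keeping the table complete, which is why unknown paths must fall through to deny rather than to "probably fine".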
45. Not using SSL when you should
  If your data is sensitive, use SSL (today: TLS) for the whole site, not just the login page
  Are your logins behind SSL? The session cookie must be too (session.cookie_secure), or it is sent in the clear on the next plain-http request
  There isn't really an excuse. In 2011 an SSL cert cost about $9/year; today they are free
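An added example (not from the original slides): forcing HTTPS from the front controller and asking browsers to stay on it with an HSTS header. The canonical host name and the trusted-proxy address are this example's placeholders.

```php
<?php
// Added example, not from the original slides. Redirect plain-http requests
// to TLS and set HSTS once there. CANONICAL_HOST and the proxy address are
// hypothetical.

const CANONICAL_HOST = 'www.example.com';     // never build the redirect from the client's Host header

function isHttps(): bool
{
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    // Behind a TLS-terminating proxy the app sees plain http; trust the
    // forwarded scheme only from that proxy, or any client can claim it.
    $trustedProxies = ['10.0.0.5'];          // hypothetical
    return in_array($_SERVER['REMOTE_ADDR'] ?? '', $trustedProxies, true)
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

function requireHttps(): void
{
    if (!isHttps()) {
        // Only GET is redirected: a POSTed password has already crossed the
        // wire in the clear, and replaying it over https hides that fact.
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
            http_response_code(403);
            exit('use https');
        }
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }
    // Browsers that have seen this will not try http again for a year.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

requireHttps();
```

The redirect alone still leaves one plain-http request per visit, which is exactly the window for stealing a non-secure session cookie; the HSTS header and session.cookie_secure close it.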
49. Attacking from Multiple Fronts
  Attackers will combine many different vectors in one attack
  HTML injection can take advantage of a broken authentication system, and use XSS or unprotected URLs to force users into unintended actions (CSRF)
  Script injection can lead to session hijacking: an injected script reads the session cookie unless it is HttpOnly
50. Remember…
  Minimizing Attack Surface
  Establishing Secure Defaults
  Principle of Least Privilege
  Defense in Depth
  Fail Securely
  Don't Trust Services or Users
  Separation of Duties
  Avoid Security through Obscurity
  Keep Security Simple
  Fix Security Issues Correctly
  https://www.owasp.org/index.php/Secure_Coding_Principles