SlideShare uma empresa Scribd logo

Web application security

Transferir como PPTX, PDF
Kapil Sharma
Kapil Sharma

Web application security in PHP

Software
1 de 50
Web Application Security PHP REBOOT Kapil Sharma PHP REBOOT 1
Introduction Kapil Sharma Technical Architect, Eastern Enterprise (DBA Ansh Systems) Working in Web Application development since last 10 years Twitter: @KapilSharmaInfo Personal Website: www.kapilsharma.info Blog: blog.kapilsharma.info Kapil Sharma PHP REBOOT 2
Web Application Important factors for Web Application Performance Maintainability Scalability Reliability Security (Probably most important, still most ignored by developers) Kapil Sharma PHP REBOOT 3
Why me? My web application is small. I have few users. There is no money transaction on my app. I do not store any confidential information of users. Then why the hell someone hack my site. Kapil Sharma PHP REBOOT 4
Kapil Sharma PHP REBOOT 5
Web Application Security Web Application security is not language specific but a common topic for all programming language. This session, in general, is applicable to any web application programming language, but our examples are in PHP. Kapil Sharma PHP REBOOT 6
PHP Features To make development easier, PHP provide many features. One of the feature that attracted more attention, from security point of view, is ‘register_globals’ Kapil Sharma PHP REBOOT 7
register_globals: What is it? Supposed to make PHP application development easy. By default, it is ‘off’ since PHP 4.2 (We will shortly see why?) It convert all incoming data into global variables. For example http://www.example.com/page.php?abc=xyz If register_globals is ‘on’, PHP will create following variable $abc = “xyz”; Kapil Sharma PHP REBOOT 8
Register globals: Disadvantages Having all incoming data converted into variables. It might make development easy but it is not free. Biggest disadvantage, we never know from where variable data is coming. In previous example, we can say if data came from GET/POST, cookie, or HTML Form etc. Kapil Sharma PHP REBOOT 9 Cont..
Register globals: Disadvantages Along with that, for ignorant programmers, it is a security threat (We will see it shortly) It is not recommended to use ‘register_globals’ and it was turned-off by default in php.ini since PHP version 4.2 As replacement, use another more specific global variables like $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV, $_REQUEST Kapil Sharma PHP REBOOT 10
Register globals: security issue ‘register_globals’ was a feature enhancement in PHP, aimed to make PHP easier for programmers. It is not a security threat in itself. A programmer must make a mistake before it become security threat. Lets check with an example. Kapil Sharma PHP REBOOT 11
Register globals: security issue Is there any problem in this code? If (isAdminUser()) { $admin = true; } if ($admin) { //load admin panel. } Kapil Sharma PHP REBOOT 12 $admin = true; $admin = false; NEVER TAKE A DECISION BASED ON A VARIABLE WHICH MIGHT NOT BE INITIALIZED. http://www.example.com/admin.php?admin=1 Register globals will generate following variable for this code $admin = 1; Which, after PHP’s internal type casting, will be: $admin = true;
OWAPS Open Web Application Security Project. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. Kapil Sharma PHP REBOOT 13
OWAPS: Recommendation U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. U.S. Defense Information Systems Agency lists OWASP Top Ten as part of the Defense Information Technology Security Certification and Accreditation (C & A) Process (DITSCAP) The Payment Card Industry (PCI) standards has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. Kapil Sharma PHP REBOOT 14
OWASP Top Ten The OWASP Top Ten is a powerful awareness document for web application security. It is list of the ten Most Critical Web Application Security Risks And for each Risk it provides: A description Example vulnerabilities Example attacks Guidance on how to avoid References to OWASP and other related resources Kapil Sharma PHP REBOOT 15
OWASP Top 10 (in 2013) A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards Kapil Sharma PHP REBOOT 16
A1: Injection SQL Injection is one of most common injection but there are more injection possible. Kapil Sharma PHP REBOOT 17 LDAP Injection NoSQL Injection File Injection (OS) Command Injection
SQL Injection In data driven web application, it is common to allow user to set filter on data. Such application use dynamic SQL queries, driven by user input. SQL Injection need two mistakes from developer: A failure to filter data (Filter Input) and Failure to escape data Kapil Sharma PHP REBOOT 18
SQL Injection example (Basic) $sql = "SELECT * FROM Users WHERE user_id = " . $userID; userId = 10 OR 1=1 SELECT * FROM Users WHERE user_id = 10 OR 1=1 Kapil Sharma PHP REBOOT 19
SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; Kapil Sharma PHP REBOOT 20
SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; mysql_query($sql) or exit(mysql_error) Username = ' SELECT count(*) FROM users WHERE username = ''' AND password = '<md5 hash>' Kapil Sharma PHP REBOOT 21
SQL Injection example You have an error in your SQL syntax. Check the manual that corresponds to your MySQL version for the right syntax to use near 'WHERE username = ''' AND password = 'a0b339d7c… Kapil Sharma PHP REBOOT 22
SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; mysql_query($sql) or exit(mysql_error) Username = kapil' or 'a' = 'a' -- Kapil Sharma PHP REBOOT 23
SQL Injection protection Filter data Escape data mysqli_real_escape_string Prepared statements (prefer PDO) ORM Doctrine Propel Eloquent Kapil Sharma PHP REBOOT 24
A2: Broken Authentication and Session Management What is Authentication? Session? Cookie? Kapil Sharma PHP REBOOT 25
A2: Broken Authentication and Session Management You are vulnerable to Broken Authentication and Session Management if: Password not hashed/encrypted in database. No wrong password limit (Brute Force attack) Session id exposed in URL No session timeout. Session id vulnerable to session fixation. Kapil Sharma PHP REBOOT 26
Session Hijecking http://website.kom/ <script>document.c ookie=”sessionid=ab cd”;</script> http://website.kon/ <meta http- equiv=Set-Cookie content=”sessionid= abcd”> Kapil Sharma PHP REBOOT 27
Securing Session with PHP http://php.net/manual/en/session.security.php Kapil Sharma PHP REBOOT 28
Securing Session with PHP static protected function preventHijacking() { if(!isset($_SESSION['IpAddress']) || !isset($_SESSION['userAgent'])) return false; if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) return false; if( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT']) return false; return true; } Kapil Sharma PHP REBOOT 29
Authentication Use proven and opensource component/bundle/module/library Zend Framework: Zend_Auth & Zend_Acl Synfony: Security Component Laravel: IlluminateAuth (Security) Aura: Aura.Auth Cake PHP: AuthComponent Code Igniter: TankAuth (3rd party) Kapil Sharma PHP REBOOT 30
A3: Cross Site Scripting (XSS) Kapil Sharma PHP REBOOT 31
XSS Types Persistent Non-Persistent Kapil Sharma PHP REBOOT 32
Non-Persistent XSS attack example $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="http://mysite.com/">Click to Download</a>"; Kapil Sharma PHP REBOOT 33
Non-Persistent XSS attack example $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="http://mysite.com/">Click to Download</a>"; index.php?name=<script>windo w.onload = function() {var link=document.getElementsByT agName("a");link[0].href="http: //attacker.com/";}</script> Kapil Sharma PHP REBOOT 34 Escape output
Cross Site Request Forgery (CSRF) In XSS, hacker trick user playing is real server. In CSRF, hacker trick server playing as real end user. Kapil Sharma PHP REBOOT 35
Cross Site Request Forgery (CSRF) Example User login to his back at www.mybank.com. User login to another site at www.hacker.com. Code <h1>Hi innocent user</h1> Check image below <img src="www.mybank.com/transfer?to=hacker&amount=1000 0&remark=hacked"> Kapil Sharma PHP REBOOT 36
Preventing CSRF Always use post for forms. Always check referrer. Synchronize Token Secret and unique token <input type="hidden" name="csrftoken" value=“Random unique value"> Validate that token at server side. Kapil Sharma PHP REBOOT 37
Security best practices If we remember few best practices, we could be safe against most of the security threats. Lets go through these best practices. Kapil Sharma PHP REBOOT 38
Error reporting Property Development Production error_reporting E_ALL | E_STRICT E_ALL | E_STRICT display_errors On Off log_errors Off/On On error_log Error log path Error log path Kapil Sharma PHP REBOOT 39
KISS (Keep It Simple, Stupid) Flashy, hard to read code = Mistake Mistake = Security vulnerability The KISS principle states that most systems work best if they are kept simple rather than made complicated. (source: wikipedia) Keep It Short and Simple. Keep It Simple and Straightforward. Kapil Sharma PHP REBOOT 40
DRY (Don’t Repeat Yourself) Major refactoring principle: Don’t Repeat Yourself. Kapil Sharma PHP REBOOT 41
Defense in depth Well known principle among security professionals. Always have a backup plan. Kapil Sharma PHP REBOOT 42
Least Privileges Identify what privileges a user will need to perform his task. Never give more then needed privileges. Kapil Sharma PHP REBOOT 43
Minimal Data Exposure Data exposure to remotes must be minimal. Remote = Browser, Database, Web Services. Getting CC info -> SSL Display again for verification -> SSL, Strip1234-XXXX-XXXX-4321 Always know and keep track of sensitive data. Kapil Sharma PHP REBOOT 44
Track Data Keep track of Data: What the data is? Where the Data is? From where the Data is coming? Where the Data is going? Kapil Sharma PHP REBOOT 45
Filter Input Save CSRF, Injection, Session Hijacking etc. Consider data from Session and database as input. Never correct invalid data. Consider data is invalid until you proved it is valid. Kapil Sharma PHP REBOOT 46
Filter Input (Core PHP) filter_input($type, $variable_name[,$filter[,$options]]) ZF: Zend_Filter_Input, Zend_Filter Symfony: Allow YAML, Annotation, XML and PHP filters. Kapil Sharma PHP REBOOT 47
Escape Output Identify output, is it entered by user? Escape if yes. Escape it Htmlentities Zend Framework. Zend_View’s escape $this->escape($userInput) Symfony/twig escape all the data by default. Laravel 4/blade {{{ raw }}}, {{escaped}} Yii CHtml::encode(strip_tags()) Kapil Sharma PHP REBOOT 48
Conclusion: Never forget about Proper error reporting Proper php.ini settings KISS DRY Defense in Depth Least priviledges Minimal Data Exposure Track Data Filter Input Escape Output Kapil Sharma PHP REBOOT 49
Kapil Sharma PHP REBOOT 50

Recomendados

Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 Sorina Chirilă
 

Recomendados

Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 Sorina Chirilă
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Web application security I
Web application security IWeb application security I
Web application security IMd Syed Ahamad
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 

Mais conteúdo relacionado

Mais procurados

Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Web application security I
Web application security IWeb application security I
Web application security IMd Syed Ahamad
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 

Mais procurados (20)

Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Security testing
Security testingSecurity testing
Security testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Web application security I
Web application security IWeb application security I
Web application security I
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
System hacking
System hackingSystem hacking
System hacking
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Network security
Network securityNetwork security
Network security
 

Destaque

Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Latest Trends in Web Application Security
Latest Trends in Web Application SecurityLatest Trends in Web Application Security
Latest Trends in Web Application SecurityCloudflare
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security TutorialNeil Matatall
 

Destaque (8)

Web Security
Web SecurityWeb Security
Web Security
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Latest Trends in Web Application Security
Latest Trends in Web Application SecurityLatest Trends in Web Application Security
Latest Trends in Web Application Security
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
 

Semelhante a Web application security

[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Projectxsist10
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Developing on the aloashbei platform
Developing on the aloashbei platformDeveloping on the aloashbei platform
Developing on the aloashbei platformpycharmer
 
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Abhinav Sejpal
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbaivibrantuser
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secureIMMUNIO
 
Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07Frédéric Harper
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfigurationzakieh alizadeh
 
PHP and MySQL : Server Side Scripting For Web Development
PHP and MySQL : Server Side Scripting For Web DevelopmentPHP and MySQL : Server Side Scripting For Web Development
PHP and MySQL : Server Side Scripting For Web DevelopmentEdureka!
 
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Muhamad Al Imran
 
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Muhamad Al Imran
 
Design Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyDesign Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyManageIQ
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroSteven Pignataro
 
Php vulnerability presentation
Php vulnerability presentationPhp vulnerability presentation
Php vulnerability presentationSqa Enthusiast
 
TDC 2015 - POA - Trilha PHP - Shit Happens
TDC 2015 - POA - Trilha PHP - Shit HappensTDC 2015 - POA - Trilha PHP - Shit Happens
TDC 2015 - POA - Trilha PHP - Shit HappensJackson F. de A. Mafra
 

Semelhante a Web application security (20)

[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Project
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
 
Developing on the aloashbei platform
Developing on the aloashbei platformDeveloping on the aloashbei platform
Developing on the aloashbei platform
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Api Design
Api DesignApi Design
Api Design
 
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbai
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secure
 
secure php
secure phpsecure php
secure php
 
Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
PHP and MySQL : Server Side Scripting For Web Development
PHP and MySQL : Server Side Scripting For Web DevelopmentPHP and MySQL : Server Side Scripting For Web Development
PHP and MySQL : Server Side Scripting For Web Development
 
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
Php i basic chapter 3 (syahir chaer's conflicted copy 2013-04-22)
 
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
Php i basic chapter 3 (afifah rosli's conflicted copy 2013-04-23)
 
Php i basic chapter 3
Php i basic chapter 3Php i basic chapter 3
Php i basic chapter 3
 
Design Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyDesign Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John Hardy
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
 
Php vulnerability presentation
Php vulnerability presentationPhp vulnerability presentation
Php vulnerability presentation
 
TDC 2015 - POA - Trilha PHP - Shit Happens
TDC 2015 - POA - Trilha PHP - Shit HappensTDC 2015 - POA - Trilha PHP - Shit Happens
TDC 2015 - POA - Trilha PHP - Shit Happens
 

Último

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 

Último (20)

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 

Web application security

  • 1. Web Application Security PHP REBOOT Kapil Sharma PHP REBOOT 1
  • 2. Introduction Kapil Sharma Technical Architect, Eastern Enterprise (DBA Ansh Systems) Working in Web Application development since last 10 years Twitter: @KapilSharmaInfo Personal Website: www.kapilsharma.info Blog: blog.kapilsharma.info Kapil Sharma PHP REBOOT 2
  • 3. Web Application Important factors for Web Application Performance Maintainability Scalability Reliability Security (Probably most important, still most ignored by developers) Kapil Sharma PHP REBOOT 3
  • 4. Why me? My web application is small. I have few users. There is no money transaction on my app. I do not store any confidential information of users. Then why the hell someone hack my site. Kapil Sharma PHP REBOOT 4
  • 5. Kapil Sharma PHP REBOOT 5
  • 6. Web Application Security Web Application security is not language specific but a common topic for all programming language. This session, in general, is applicable to any web application programming language, but our examples are in PHP. Kapil Sharma PHP REBOOT 6
  • 7. PHP Features To make development easier, PHP provide many features. One of the feature that attracted more attention, from security point of view, is ‘register_globals’ Kapil Sharma PHP REBOOT 7
  • 8. register_globals: What is it? Supposed to make PHP application development easy. By default, it is ‘off’ since PHP 4.2 (We will shortly see why?) It convert all incoming data into global variables. For example http://www.example.com/page.php?abc=xyz If register_globals is ‘on’, PHP will create following variable $abc = “xyz”; Kapil Sharma PHP REBOOT 8
  • 9. Register globals: Disadvantages Having all incoming data converted into variables. It might make development easy but it is not free. Biggest disadvantage, we never know from where variable data is coming. In previous example, we can say if data came from GET/POST, cookie, or HTML Form etc. Kapil Sharma PHP REBOOT 9 Cont..
  • 10. Register globals: Disadvantages Along with that, for ignorant programmers, it is a security threat (We will see it shortly) It is not recommended to use ‘register_globals’ and it was turned-off by default in php.ini since PHP version 4.2 As replacement, use another more specific global variables like $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV, $_REQUEST Kapil Sharma PHP REBOOT 10
  • 11. Register globals: security issue ‘register_globals’ was a feature enhancement in PHP, aimed to make PHP easier for programmers. It is not a security threat in itself. A programmer must make a mistake before it become security threat. Lets check with an example. Kapil Sharma PHP REBOOT 11
  • 12. Register globals: security issue Is there any problem in this code? If (isAdminUser()) { $admin = true; } if ($admin) { //load admin panel. } Kapil Sharma PHP REBOOT 12 $admin = true; $admin = false; NEVER TAKE A DECISION BASED ON A VARIABLE WHICH MIGHT NOT BE INITIALIZED. http://www.example.com/admin.php?admin=1 Register globals will generate following variable for this code $admin = 1; Which, after PHP’s internal type casting, will be: $admin = true;
  • 13. OWAPS Open Web Application Security Project. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. Kapil Sharma PHP REBOOT 13
  • 14. OWAPS: Recommendation U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. U.S. Defense Information Systems Agency lists OWASP Top Ten as part of the Defense Information Technology Security Certification and Accreditation (C & A) Process (DITSCAP) The Payment Card Industry (PCI) standards has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. Kapil Sharma PHP REBOOT 14
  • 15. OWASP Top Ten The OWASP Top Ten is a powerful awareness document for web application security. It is list of the ten Most Critical Web Application Security Risks And for each Risk it provides: A description Example vulnerabilities Example attacks Guidance on how to avoid References to OWASP and other related resources Kapil Sharma PHP REBOOT 15
  • 16. OWASP Top 10 (in 2013) A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards Kapil Sharma PHP REBOOT 16
  • 17. A1: Injection SQL Injection is one of most common injection but there are more injection possible. Kapil Sharma PHP REBOOT 17 LDAP Injection NoSQL Injection File Injection (OS) Command Injection
  • 18. SQL Injection In data driven web application, it is common to allow user to set filter on data. Such application use dynamic SQL queries, driven by user input. SQL Injection need two mistakes from developer: A failure to filter data (Filter Input) and Failure to escape data Kapil Sharma PHP REBOOT 18
  • 19. SQL Injection example (Basic) $sql = "SELECT * FROM Users WHERE user_id = " . $userID; userId = 10 OR 1=1 SELECT * FROM Users WHERE user_id = 10 OR 1=1 Kapil Sharma PHP REBOOT 19
  • 20. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; Kapil Sharma PHP REBOOT 20
  • 21. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; mysql_query($sql) or exit(mysql_error) Username = ' SELECT count(*) FROM users WHERE username = ''' AND password = '<md5 hash>' Kapil Sharma PHP REBOOT 21
  • 22. SQL Injection example You have an error in your SQL syntax. Check the manual that corresponds to your MySQL version for the right syntax to use near 'WHERE username = ''' AND password = 'a0b339d7c… Kapil Sharma PHP REBOOT 22
  • 23. SQL Injection example <?PHP $password_hash = md5($_POST['password']); $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '$password_hash' "; mysql_query($sql) or exit(mysql_error) Username = kapil' or 'a' = 'a' -- Kapil Sharma PHP REBOOT 23
  • 24. SQL Injection protection Filter data Escape data mysqli_real_escape_string Prepared statements (prefer PDO) ORM Doctrine Propel Eloquent Kapil Sharma PHP REBOOT 24
  • 25. A2: Broken Authentication and Session Management What is Authentication? Session? Cookie? Kapil Sharma PHP REBOOT 25
  • 26. A2: Broken Authentication and Session Management You are vulnerable to Broken Authentication and Session Management if: Password not hashed/encrypted in database. No wrong password limit (Brute Force attack) Session id exposed in URL No session timeout. Session id vulnerable to session fixation. Kapil Sharma PHP REBOOT 26
  • 28. Securing Session with PHP http://php.net/manual/en/session.security.php Kapil Sharma PHP REBOOT 28
  • 29. Securing Session with PHP static protected function preventHijacking() { if(!isset($_SESSION['IpAddress']) || !isset($_SESSION['userAgent'])) return false; if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) return false; if( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT']) return false; return true; } Kapil Sharma PHP REBOOT 29
  • 30. Authentication Use proven and opensource component/bundle/module/library Zend Framework: Zend_Auth & Zend_Acl Synfony: Security Component Laravel: IlluminateAuth (Security) Aura: Aura.Auth Cake PHP: AuthComponent Code Igniter: TankAuth (3rd party) Kapil Sharma PHP REBOOT 30
  • 31. A3: Cross Site Scripting (XSS) Kapil Sharma PHP REBOOT 31
  • 33. Non-Persistent XSS attack example $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="http://mysite.com/">Click to Download</a>"; Kapil Sharma PHP REBOOT 33
  • 34. Non-Persistent XSS attack example $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href="http://mysite.com/">Click to Download</a>"; index.php?name=<script>windo w.onload = function() {var link=document.getElementsByT agName("a");link[0].href="http: //attacker.com/";}</script> Kapil Sharma PHP REBOOT 34 Escape output
  • 35. Cross Site Request Forgery (CSRF) In XSS, hacker trick user playing is real server. In CSRF, hacker trick server playing as real end user. Kapil Sharma PHP REBOOT 35
  • 36. Cross Site Request Forgery (CSRF) Example User login to his back at www.mybank.com. User login to another site at www.hacker.com. Code <h1>Hi innocent user</h1> Check image below <img src="www.mybank.com/transfer?to=hacker&amount=1000 0&remark=hacked"> Kapil Sharma PHP REBOOT 36
  • 37. Preventing CSRF Always use post for forms. Always check referrer. Synchronize Token Secret and unique token <input type="hidden" name="csrftoken" value=“Random unique value"> Validate that token at server side. Kapil Sharma PHP REBOOT 37
  • 38. Security best practices If we remember few best practices, we could be safe against most of the security threats. Lets go through these best practices. Kapil Sharma PHP REBOOT 38
  • 39. Error reporting Property Development Production error_reporting E_ALL | E_STRICT E_ALL | E_STRICT display_errors On Off log_errors Off/On On error_log Error log path Error log path Kapil Sharma PHP REBOOT 39
  • 40. KISS (Keep It Simple, Stupid) Flashy, hard to read code = Mistake Mistake = Security vulnerability The KISS principle states that most systems work best if they are kept simple rather than made complicated. (source: wikipedia) Keep It Short and Simple. Keep It Simple and Straightforward. Kapil Sharma PHP REBOOT 40
  • 41. DRY (Don’t Repeat Yourself) Major refactoring principle: Don’t Repeat Yourself. Kapil Sharma PHP REBOOT 41
  • 42. Defense in depth Well known principle among security professionals. Always have a backup plan. Kapil Sharma PHP REBOOT 42
  • 43. Least Privileges Identify what privileges a user will need to perform his task. Never give more then needed privileges. Kapil Sharma PHP REBOOT 43
  • 44. Minimal Data Exposure Data exposure to remotes must be minimal. Remote = Browser, Database, Web Services. Getting CC info -> SSL Display again for verification -> SSL, Strip1234-XXXX-XXXX-4321 Always know and keep track of sensitive data. Kapil Sharma PHP REBOOT 44
  • 45. Track Data Keep track of Data: What the data is? Where the Data is? From where the Data is coming? Where the Data is going? Kapil Sharma PHP REBOOT 45
  • 46. Filter Input Save CSRF, Injection, Session Hijacking etc. Consider data from Session and database as input. Never correct invalid data. Consider data is invalid until you proved it is valid. Kapil Sharma PHP REBOOT 46
  • 47. Filter Input (Core PHP) filter_input($type, $variable_name[,$filter[,$options]]) ZF: Zend_Filter_Input, Zend_Filter Symfony: Allow YAML, Annotation, XML and PHP filters. Kapil Sharma PHP REBOOT 47
  • 48. Escape Output Identify output, is it entered by user? Escape if yes. Escape it Htmlentities Zend Framework. Zend_View’s escape $this->escape($userInput) Symfony/twig escape all the data by default. Laravel 4/blade {{{ raw }}}, {{escaped}} Yii CHtml::encode(strip_tags()) Kapil Sharma PHP REBOOT 48
  • 49. Conclusion: Never forget about Proper error reporting Proper php.ini settings KISS DRY Defense in Depth Least priviledges Minimal Data Exposure Track Data Filter Input Escape Output Kapil Sharma PHP REBOOT 49
  • 50. Kapil Sharma PHP REBOOT 50

Notas do Editor

  1. PHP 4.2 released on 6/Sept/2002
  2. Hand coming of hole example.
  3. Hand coming of hole example. Session fixation = session hijacking
  4. http://php.net/manual/en/session.security.php
  5. http://php.net/manual/en/session.security.php
  6. http://php.net/manual/en/session.security.php
  7. Type: INPUT_GET/POST/COOKIE/SERVER/ENV FILTER_VALIDATE_EMAIL/INT/IP/URL
  8. Smarty by default escape data.