AFUP / Mozilla / OWASP meeting @Mozilla Paris, 5th June 2014

Sébastien Gioria
Sebastien.Gioria@owasp.org
Chapter Leader & Evangelist, OWASP France

OWASP, the Life, the Universe and the ElePHPhants
http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ Innovation and Technology @Advens && Application Security Expert
  Twitter: @SPoint / @OWASP_France
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
Agenda
• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Open Web Application Security Project?
• Major projects you can use
Why Application Security?

Has your application been hacked?
  YES -> "My application will be hacked!"
  NO  -> Will your application be hacked? ;)
           YES -> "My application will be hacked!"
           NO  -> Let me take you on the right way
Next step
First form in PHP

<?php
  // Naive feedback form as shown on the slide: both values come straight from
  // the request ($_REQUEST merges GET, POST and cookies) with no validation.
  $email   = $_REQUEST['email'];
  $message = $_REQUEST['message'];

  // $email is written directly into the mail headers. A value containing CR/LF
  // ("a@b.tld\r\nBcc: ...") adds arbitrary headers and turns the form into a spam relay.
  mail("yourname@example.com", "Feedback Form Results", $message, "From: $email");

  header("Location: http://www.example.com/thankyou.html");
?>
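The form above does no validation at all. The version below is an added example written for this page, not code from the slides or from any OWASP project; the constant and function names, the fixed sender address and the use of a Reply-To header are my choices, and it assumes PHP 7.1 or later. It keeps the recipient, subject and redirect target as constants, accepts POST only, validates the address with filter_var() and rejects CR/LF explicitly, so user input can never reach the header block.

```php
<?php
// Added example, not the slide's code. The constant and function names are mine.
declare(strict_types=1);

const FEEDBACK_RECIPIENT = 'yourname@example.com';
const FEEDBACK_SENDER    = 'feedback@example.com';          // fixed envelope sender (assumed)
const THANK_YOU_URL      = 'https://www.example.com/thankyou.html';

/**
 * Returns the submitted address if it is a single well-formed e-mail address, else null.
 * The explicit CR/LF/NUL check is what blocks mail header injection: in the naive form,
 * "a@b.tld\r\nBcc: list@victim.tld" becomes an extra header. filter_var() would reject
 * it too, but the check states the intent for whoever reviews the code next.
 */
function validateEmail($raw): ?string
{
    if (!is_string($raw)) {          // e.g. email[]=x submitted as an array
        return null;
    }
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254 || preg_match('/[\r\n\0]/', $email) === 1) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Body text: drop control characters other than newline and tab, cap the length.
 * The body cannot add headers, but an unbounded body still makes a handy spam relay.
 */
function sanitizeMessage($raw): string
{
    if (!is_string($raw)) {
        return '';
    }
    $clean = preg_replace('/[^\P{C}\n\t]+/u', '', $raw);   // null on invalid UTF-8
    return trim(mb_substr($clean ?? '', 0, 4000));
}

/** Handles one submission; returns true when a mail was sent. */
function handleFeedback(array $post): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {   // POST only, never $_REQUEST
        http_response_code(405);
        return false;
    }
    $email   = validateEmail($post['email'] ?? null);
    $message = sanitizeMessage($post['message'] ?? null);
    if ($email === null || $message === '') {
        http_response_code(400);
        echo 'Please supply a valid e-mail address and a message.';
        return false;
    }
    // From: stays ours; the visitor's address only ever appears as a validated Reply-To.
    $headers = implode("\r\n", [
        'From: ' . FEEDBACK_SENDER,
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    mail(FEEDBACK_RECIPIENT, 'Feedback Form Results', $message, $headers);

    header('Location: ' . THANK_YOU_URL, true, 303);   // fixed target, no user input in it
    return true;
}

handleFeedback($_POST);
```

The key design choice is that nothing the visitor typed is ever concatenated into a header line: the sender is a constant, and the only user-derived header value has passed both the control-character check and FILTER_VALIDATE_EMAIL.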
How to create a login page in PHP and MySQL

<?php
// Tutorial-style login as shown on the slide. Note the mysql_* extension
// (removed in PHP 7), the root account with an empty password, and the
// error messages leaked to the user through die(mysql_error()).
define('DB_HOST', 'localhost');
define('DB_NAME', 'practice');
define('DB_USER', 'root');
define('DB_PASSWORD', '');

$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
$db  = mysql_select_db(DB_NAME, $con) or die("Failed to connect to MySQL: " . mysql_error());
/* $ID = $_POST['user']; $Password = $_POST['pass']; */

function SignIn() {
    session_start(); // starting the session for the user profile page
    if (!empty($_POST['user'])) { // checking whether the 'user' name from Sign-In.html is empty or has some text
        // User input is interpolated straight into the SQL string: SQL injection
        // (pass = ' OR '1'='1 logs in without a password), and passwords are stored
        // and compared in clear text.
        $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'")
            or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());

        if (!empty($row['userName']) AND !empty($row['pass'])) {
            $_SESSION['userName'] = $row['pass']; // stores the clear-text password in the session, under the wrong key
            echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
        } else {
            echo "SORRY... YOU ENTERED WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
    }
}

if (isset($_POST['submit'])) {
    SignIn();
}
?>
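A hardened version of the same login, as an added example (not the slides' code and not from any OWASP project): PDO prepared statements instead of string interpolation, password_hash()/password_verify() instead of clear-text comparison, a least-privilege database account, session cookie flags, and session_regenerate_id() after a successful login. The table and column names (users, id, username, password_hash), the DSN, the account credentials and the profile URL are assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added example, not the slide's code. Schema, DSN and credentials below are assumptions.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=practice;charset=utf8mb4';
const DB_USER = 'app_login';   // least-privilege account (SELECT/UPDATE on users only), not root
const DB_PASS = 'change-me';   // in a real deployment read this from the environment, not the source

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

/**
 * Returns the user's id on success, null on failure.
 * The username is bound as a parameter, so "' OR '1'='1" is compared as a literal
 * string instead of rewriting the query. Stored hashes come from password_hash();
 * password_verify() does the comparison. A dummy hash is verified when the user
 * does not exist, so unknown and known usernames take about the same time.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row !== false) ? $row['password_hash'] : $dummy;
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparent upgrade when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

function signIn(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {   // POST only; never $_REQUEST
        http_response_code(405);
        return;
    }
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === ''
        || strlen($user) > 64 || strlen($pass) > 1024) {
        http_response_code(400);
        return;
    }

    // Cookie flags before the session starts: HttpOnly keeps the id away from script,
    // Secure keeps it off clear-text HTTP, SameSite=Lax blunts CSRF.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();

    $id = authenticate(db(), $user, $pass);
    if ($id === null) {
        http_response_code(401);
        echo 'Invalid username or password.';   // one message for both failure cases
        return;
    }
    session_regenerate_id(true);   // new session id after login: defeats session fixation
    $_SESSION['user_id'] = $id;    // store the id, never the password or its hash
    header('Location: /profile.php', true, 303);
}

signIn();
```

Compared with the slide's code, every defect maps to one change: the interpolated query becomes a bound parameter, the clear-text `pass` column becomes a `password_hash` column, root becomes a dedicated account, and the session holds only the user id behind a cookie the browser will not hand to script or send over plain HTTP.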
Game Over....
• Do you have a VoIP phone?
• Do you have an IP router / broadband box?
• Do you have a smartphone?
• Do you have customers / partners over the Internet?
Anything else?

We are living in a digital environment, in a connected world
v Most websites are vulnerable to attacks
v An important share of business is web-based (services, online stores, self-care, telcos, SCADA, ...)

Why Application Security?
Age of Antivirus -> Age of Network Security -> Age of Application Security
(Charts: (c) Verizon 2014)

Who wins?
(Chart: (c) WhiteHat Security 2013)

Vulnerabilities?
(Chart: (c) WhiteHat Security 2013)
What is OWASP
Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services

Community Driven
30,000 mailing list participants
200 active chapters in 70 countries
1600+ members, 56 corporate supporters

Around the World
200 chapters, 1,600+ members, 20,000+ builders, breakers and defenders

Quality Resources
200+ projects
15,000+ downloads of tools and documentation
Project types (pie chart): Documentation, Tools, Code: 50%, 10%, 40%

Security Lifecycle

Security Resources
News, a blog, a podcast, memberships, mailing lists, a newsletter, Apple App Store, video tutorials, training sessions, social networking

OWASP Projects
OWASP Top 10 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure (formerly A9, insecure transport, + A7, cryptographic storage)
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
Cheat Sheets

Developer Cheat Sheets
§ PHP Security Cheat Sheet
§ OWASP Top Ten Cheat Sheet
§ Authentication Cheat Sheet
§ Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
§ Cryptographic Storage Cheat Sheet
§ Input Validation Cheat Sheet
§ XSS (Cross Site Scripting) Prevention Cheat Sheet
§ DOM based XSS Prevention Cheat Sheet
§ Forgot Password Cheat Sheet
§ Query Parameterization Cheat Sheet
§ SQL Injection Prevention Cheat Sheet
§ Session Management Cheat Sheet
§ HTML5 Security Cheat Sheet
§ Transport Layer Protection Cheat Sheet
§ Web Service Security Cheat Sheet
§ Logging Cheat Sheet
§ JAAS Cheat Sheet

Mobile Cheat Sheets
§ IOS Developer Cheat Sheet
§ Mobile Jailbreaking Cheat Sheet

Draft Cheat Sheets
§ Access Control Cheat Sheet
§ REST Security Cheat Sheet
§ Abridged XSS Prevention Cheat Sheet
§ Password Storage Cheat Sheet
§ Secure Coding Cheat Sheet
§ Threat Modeling Cheat Sheet
§ Clickjacking Cheat Sheet
§ Virtual Patching Cheat Sheet
§ Secure SDLC Cheat Sheet
§ Web Application Security Testing Cheat Sheet
§ Application Security Architecture Cheat Sheet
Enterprise Security API
Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
PHP version: https://code.google.com/p/owasp-esapi-php/
Project Leader: Abbas Naderi, Abbas.Naderi@owasp.org

OWASP PHP Security Project
Purpose: OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applications, using a collection of decoupled, flexible, secure PHP libraries, as well as a collection of PHP tools.
https://www.owasp.org/index.php/OWASP_PHP_Security_Project
Guides
Development Guide: comprehensive manual for designing, developing and deploying secure web applications and web services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web applications
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
Zed Attack Proxy
Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.3.1 (21 May 2014)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
The OWASP Secure Software Contract Annex
Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
Dates
• RSSIA Bordeaux: 20 June
  – Heartbleed revisited
• AppSec Europe 2014 - Cambridge
• Java User Group Lille & Paris
  – Secure Coding for Java, autumn 2014
• Club 27001 / Paris - 25 September 2014
  – Presentation of the ISO 27034 standard
Supporting OWASP
• Several options:
  – Individual member: $50
  – Corporate member: $5000
  – Free donation
• Supporting only the France chapter:
  – Single Meeting supporter:
    • offer us a meeting room!
    • take part with a talk or otherwise!
    • simple donation
  – Local Chapter supporter:
    • $500 to $2000
License

@SPoint
sebastien.gioria@owasp.org

 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

2014 06-05-mozilla-afup

  • 1. AFUP/MOZILLA/OWASP Meeting @Mozilla Paris, 5th June 2014. Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader & Evangelist OWASP France. OWASP, the Life, the Universe and the ElePHPhants
  • 2. 2
  • 3. http://www.google.fr/#q=sebastien gioria ‣ OWASP France Leader & Founder & Evangelist ‣ Innovation and Technology @Advens && Application Security Expert. Twitter: @SPoint / @OWASP_France ‣ Application Security group leader for the CLUSIF ‣ Proud father of young kids trying to hack my digital life.
  • 4. Agenda • Application Security: – where we are (no bullshit) – where we are (hopefully) going? • Open Web Application Security Project? • Major projects you can use 4
  • 6–14. Why Application Security? 5 (decision flowchart built up across slides 6 to 14) Your Application has been Hacked? YES / NO → Your Application will be Hacked ;) YES / NO → Let me take you on the right way → My Application will be hacked! → Next Step
  • 15–17. First form in PHP 6
    <?php
      $email   = $_REQUEST['email'];
      $message = $_REQUEST['message'];

      mail( "yourname@example.com", "Feedback Form Results",
            $message, "From: $email" );
      header( "Location: http://www.example.com/thankyou.html" );
    ?>
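  A hardened version of the feedback form on slide 17, added here as an example that is not part of the deck. The slide's code places $_REQUEST['email'] directly into a mail() header, so a submitted value containing CR/LF characters can append headers of the sender's choosing (extra recipients, Bcc:, and so on). The rewrite validates the address, refuses anything with line breaks, keeps the From: header fixed to an address the site controls, and reads only POST. The recipient address and thank-you URL are the slide's example values; the feedback@example.com sender and the 4000-character message limit are assumptions.

```php
<?php
// Hardened counterpart to the slide's feedback form (added example, not from the deck).
// Goal: user input must never shape a mail header, because mail() passes the
// header string to the MTA verbatim and a CR/LF in it starts a new header line.

function sanitize_feedback(array $input): ?array
{
    $email   = trim((string) ($input['email'] ?? ''));
    $message = (string) ($input['message'] ?? '');

    // FILTER_VALIDATE_EMAIL rejects control characters such as CR and LF.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Defence in depth: refuse any line break even if validation changes later.
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    // Assumed size limit so the form cannot be used to relay arbitrary bulk text.
    if ($message === '' || strlen($message) > 4000) {
        return null;
    }
    return ['email' => $email, 'message' => $message];
}

function send_feedback(array $clean): bool
{
    // From: stays a fixed, site-controlled address (assumed value).
    // The visitor's validated address is exposed only as Reply-To and in the body.
    $headers = "From: feedback@example.com\r\n"
             . "Reply-To: " . $clean['email'] . "\r\n";
    $body    = "From visitor: " . $clean['email'] . "\r\n\r\n" . $clean['message'];
    return mail("yourname@example.com", "Feedback Form Results", $body, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {      // POST only, not $_REQUEST
    $clean = sanitize_feedback($_POST);
    if ($clean === null) {
        http_response_code(400);
        exit("Invalid form input.");
    }
    send_feedback($clean);
    header("Location: http://www.example.com/thankyou.html");
    exit;                                          // stop executing after the redirect
}
```

  The two-step split (validate, then send) keeps the validation rules testable on their own, and the exit after header() closes a common follow-on mistake where code keeps running after the redirect.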
  • 18. 7
  • 19. 7
  • 20. 7
  • 21. How to create a login page in PHP and MySQL 8
  • 22. 9
  • 23. 9
    <?php
    define('DB_HOST', 'localhost');
    define('DB_NAME', 'practice');
    define('DB_USER','root');
    define('DB_PASSWORD','');

    $con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
    $db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error());
    /* $ID = $_POST['user']; $Password = $_POST['pass']; */

    function SignIn() {
      session_start(); //starting the session for user profile page
      if(!empty($_POST['user'])) //checking the 'user' name which is from Sign-In.html, is it empty or have some text
      {
        $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());
        if(!empty($row['userName']) AND !empty($row['pass']))
        {
          $_SESSION['userName'] = $row['pass'];
          echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
        } else {
          echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
      }
    }

    if(isset($_POST['submit']))
    {
      SignIn();
    }
    ?>
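  A hardened counterpart to the login snippet on slide 23, added as an example that comes neither from the deck nor from the tutorial the slide quotes. The slide's code builds its SQL string from raw $_POST values (SQL injection), compares a password stored in clear, copies that password into the session, connects as root, and prints database errors to the visitor. This version uses a PDO prepared statement, password_hash()/password_verify(), a single generic failure message, server-side logging of errors, and session id regeneration on login. The users table with columns userName and passHash, the app_user database account and the DSN are assumptions.

```php
<?php
// Hardened login (added example, not from the deck).
// Changes versus the slide: PDO prepared statement instead of SQL built from $_POST,
// password_verify() against a password_hash() value instead of a clear-text column,
// generic failure message, no database errors on screen, session id regenerated on
// login, and only the user name (never the password) kept in the session.
// Assumed schema: users(userName VARCHAR PRIMARY KEY, passHash VARCHAR(255)).

define('DB_DSN',      'mysql:host=localhost;dbname=practice;charset=utf8mb4');
define('DB_USER',     'app_user');     // assumed least-privilege account, not root
define('DB_PASSWORD', 'change-me');    // placeholder; load from config, not source

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASSWORD, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

/** Returns the user name on success, null on any failure. */
function signIn(PDO $pdo, string $user, string $pass): ?string
{
    // A fixed dummy hash makes "unknown user" cost about as much as "wrong password".
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT userName, passHash FROM users WHERE userName = :u');
    $stmt->execute([':u' => $user]);          // bound parameter, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row !== false) ? $row['passHash'] : $dummyHash;
    $ok   = password_verify($pass, $hash);    // always runs, whatever the lookup found
    if ($row === false || !$ok) {
        return null;
    }
    // Transparently upgrade stored hashes when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET passHash = :h WHERE userName = :u');
        $upd->execute([':h' => password_hash($pass, PASSWORD_DEFAULT), ':u' => $user]);
    }
    return $row['userName'];
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    try {
        $name = signIn(db(), (string) $_POST['user'], (string) $_POST['pass']);
    } catch (PDOException $e) {
        error_log($e->getMessage());          // details go to the server log only
        $name = null;
    }
    if ($name === null) {
        http_response_code(401);
        echo "Invalid user name or password."; // same text for unknown user and bad password
    } else {
        session_regenerate_id(true);          // fresh session id: blocks session fixation
        $_SESSION['userName'] = $name;
        echo "Login successful.";
    }
}
```

  The prepared statement removes the injection regardless of what the user name contains, and the dummy-hash step keeps the response time similar whether or not the account exists, so the login form does not double as a user-enumeration oracle.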
  • 24. 10
  • 25. 10
  • 26. 10
  • 27. Game Over.... • Do you have a VoIP phone? • Do you have an IP router / broadband box? • Do you have a smartphone? • Do you have customers / partners over the Internet? 11
  • 29. Why Application Security? 13 We are living in a digital environment, in a connected world. – Most websites are vulnerable to attacks – A large share of business is web-based (services, online stores, self-care, telcos, SCADA, ...) Age of Antivirus → Age of Network Security → Age of Application Security
  • 34. Who wins? 15 (c) WhiteHatSecurity 2013
  • 35. Vulnerabilities? 16 (c) WhiteHatSecurity 2013
  • 36. What is OWASP 17 Mission Driven: Nonprofit | World Wide | Unbiased. OWASP does not endorse or recommend commercial products or services
  • 37. What is OWASP 18 Community Driven: 30,000 mailing list participants, 200 active chapters in 70 countries, 1600+ members, 56 corporate supporters
  • 38. Around the World 19 200 chapters, 1 600+ members, 20 000+ builders, breakers and defenders
  • 39. What is OWASP 20 Quality Resources: 200+ projects, 15,000+ downloads of tools and documentation
  • 43. NEWS, A BLOG, A PODCAST, MEMBERSHIPS, MAILING LISTS, A NEWSLETTER, APPLE APP STORE, VIDEO TUTORIALS, TRAINING SESSIONS, SOCIAL NETWORKING 24
  • 45–47. OWASP Top 10 2013 26 A1: Injection A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A5: Security Misconfiguration A6: Sensitive Data Exposure (former A9, insecure transport, + former A7, cryptographic storage) A7: Missing Function Level Access Control A8: Cross-Site Request Forgery (CSRF) A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  • 48. Cheat Sheets 27 Developer Cheat Sheets: § PHP Security Cheat Sheet § OWASP Top Ten Cheat Sheet § Authentication Cheat Sheet § Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet § Cryptographic Storage Cheat Sheet § Input Validation Cheat Sheet § XSS (Cross Site Scripting) Prevention Cheat Sheet § DOM based XSS Prevention Cheat Sheet § Forgot Password Cheat Sheet § Query Parameterization Cheat Sheet § SQL Injection Prevention Cheat Sheet § Session Management Cheat Sheet § HTML5 Security Cheat Sheet § Transport Layer Protection Cheat Sheet § Web Service Security Cheat Sheet § Logging Cheat Sheet § JAAS Cheat Sheet. Mobile Cheat Sheets: § iOS Developer Cheat Sheet § Mobile Jailbreaking Cheat Sheet. Draft Cheat Sheets: § Access Control Cheat Sheet § REST Security Cheat Sheet § Abridged XSS Prevention Cheat Sheet § Password Storage Cheat Sheet § Secure Coding Cheat Sheet § Threat Modeling Cheat Sheet § Clickjacking Cheat Sheet § Virtual Patching Cheat Sheet § Secure SDLC Cheat Sheet § Web Application Security Testing Cheat Sheet § Application Security Architecture Cheat Sheet
  • 49. Enterprise Security API 28 Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API PHP version: https://code.google.com/p/owasp-esapi-php/
  • 50. OWASP PHP Security Project 29 Project Leader: Abbas Naderi, Abbas.Naderi@owasp.org Purpose: OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applications, using a collection of decoupled flexible secure PHP libraries, as well as a collection of PHP tools. https://www.owasp.org/index.php/OWASP_PHP_Security_Project
  • 51. Guides 30 Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services. Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls. Testing Guide: understand the what, why, when, where, and how of testing web applications. https://www.owasp.org/index.php/Category:OWASP_Guide_Project https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project https://www.owasp.org/index.php/Category:OWASP_Testing_Project
  • 52. Zed Attack Proxy 31 Project Leader: Simon Bennetts (aka Psiinon), psiinon@gmail.com Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications. Last Release: ZAP 2.3.1 (21 May 2014) https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • 53. The OWASP Secure Software Contract Annex 32 Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to. OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed. https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  • 54. Dates 33 • RSSIA Bordeaux: 20 June – HeartBleed revisited • AppSec Europe 2014 - Cambridge • Java User Group Lille & Paris – Secure Coding for Java, after the summer break 2014 • Club 27001 / Paris - 25 September 2014 – Presentation of the ISO 27034 standard
  • 55. Supporting OWASP 34 • Several options: – Individual member: $50 – Corporate member: $5000 – Free donation • Supporting only the France chapter: – Single Meeting supporter • Offer us a meeting room! • Take part with a talk or in another way! • Simple donation – Local Chapter supporter: • $500 to $2000