With the latest XSS and CSRF attacks on Twitter, PayPal and Facebook, security is obviously still a very difficult thing to get right.
Every 3 years, the Open Web Application Security Project (OWASP) releases a new Top 10 of vulnerabilities; this talk will walk you through the 2013 list.
I'll present the possible attack scenarios and how you can protect against them.
In addition we'll look at more security issues which are not part of the Top 10, but that you should definitely keep in mind.
14. Online-Banking Newsletter
If your password contains special characters, we ask you to change your password. Due to the technical migration to the new online banking system, only passwords that use certain special characters will be accepted. The permitted special characters in the password are: # ? * + - .
15. Broken Authentication
• Don't limit password strength
• Force long and complex passwords
• Check error messages
• Prevent brute-force attacks
www.owasp.org/index.php/Authentication_Cheat_Sheet
30. Security Misconfiguration
• Keep your system up-to-date
• Remove setup/deployment routines
• Disable exposure of sensitive data
• Review server settings
• github.com/ioerror/duraconf
33. SSDE - Password encryption
• Add a salt
• Use different salts
• Use a strong algorithm (NOT md5)
• Use password_hash in PHP 5.5
• github.com/ircmaxell/password_compat
34. SSDE - PHP Exposure
• expose_php Off
• Remove phpinfo();
35. SSDE - Secure URLs
• Use TLS for all pages
• Use Secure Cookie Flag
• Keep sensitive data out of the URL
37. Missing Function Level AC
class AdminController {
    public function editAction() {
        // deny unless the current user holds the required privilege
        if (!$this->_isAllowed()) {
            throw new Exception(
                'insufficient privileges'
            );
        }
        …
    }
}
38. Missing Function Level AC
• Default should be to deny all access
• Use roles to keep ACL simple
• ACL model should be very flexible
• Check privileges on each step
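The check from slide 37 wired to a default-deny, role-based ACL as described on slide 38, as an added example that is not the speaker's code; the Acl class, the 'admin' resource name and the role strings are assumptions, and the code is written to run on PHP 5.4 and later.

```php
<?php
// Added example, not the speaker's code; class names are assumed.
// A default-deny, role-based ACL that the controller consults on every action.
class Acl
{
    private $rules = array(); // role => "resource:action" => true
    // Grant one role one action on one resource; everything else stays denied.
    public function allow($role, $resource, $action)
    {
        $this->rules[$role]["$resource:$action"] = true;
    }
    // Default deny: true only if an explicit allow rule exists.
    public function isAllowed($role, $resource, $action)
    {
        return isset($this->rules[$role]["$resource:$action"]);
    }
}

class AdminController
{
    private $acl;
    private $role;
    public function __construct(Acl $acl, $role)
    {
        $this->acl  = $acl;
        $this->role = $role;
    }
    private function _isAllowed($action)
    {
        return $this->acl->isAllowed($this->role, 'admin', $action);
    }
    public function editAction($id)
    {
        // Check privileges on each step, not only where the menu link is rendered.
        if (!$this->_isAllowed('edit')) {
            throw new Exception('insufficient privileges');
        }
        return "editing record $id";
    }
}

$acl = new Acl();
$acl->allow('admin', 'admin', 'edit'); // the only explicit grant
echo (new AdminController($acl, 'admin'))->editAction(42), PHP_EOL;
try {
    (new AdminController($acl, 'editor'))->editAction(42); // no rule: denied
} catch (Exception $e) {
    echo 'editor: ', $e->getMessage(), PHP_EOL;
}
```

Because `isAllowed` only ever returns true for a rule that was explicitly added, a new role or a new action is denied until someone grants it, which is the "disallow all by default" stance the slide asks for.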