Web security involves protecting websites and web applications from various cyber threats. The document outlines the top 10 PHP application vulnerabilities in 2016, including information leakage, man-in-the-middle attacks, injection attacks, and SQL truncation exploits. It provides tips for preventing vulnerabilities such as checking error logs, updating software regularly, and using strong password hashing. The key is to stay vigilant by monitoring logs and source code for signs of intrusion and preparing to reinstall systems if needed.

1. Introduction to Web Security

2. What is Web Security?
Why Web Security?

3. Top 10 PHP application vulnerabilities 2016

4. Information Leakage
app environment, user specific data
• Restrict PHP information leakage
• Configuration files
– Configuration files should be in php not .ini, xml, etc
– Secure App config variables by storing on server
• Separate your back up files from root directory
HTTP/1.x 200 OK
Date: Sun, 21 Aug 2016 16:08:15 GMT
Server: Apache
X-Powered-By: PHP/5.5.26
...

5. Man-in-the-Middle Attack
A B

6. SSL
How does HTTPS works?
This presume
User Accessing Secure Site
Requesting Secure
SSL connection from
Website Host.
Website Records Found.
Going to the Host Web Server.
Check DNS for IP address to
find Web host
Host responds with
valid SSL certificate.
Secure connection is
established to transfer data
WebHost.

7. Injection Attacks
• Cross Site Scripting - XSS
• SQL Injection
• Code Injection
• Command Injection
• Log Injection
• XML Injection

8. SQL Truncation Exploit
Compromise user login
• SELECT * FROM user WHERE username='admin ’
• Username = ‘admin x’
• $userdata = null;
if (isPasswordCorrect($username, $password)) {
$userdata = getUserDataByLogin($username); ... }
SELECT username FROM users WHERE username = ? AND
passhash = ?
SELECT * FROM users WHERE username = ?
Solution:
– Mysql strict mode
– Unique constraint column

9. But what if you find you have been
hacked
• Don’t panic
• Check logs (error /access)
• Check suspicious file names
• Check cron jobs
• search source code for keywords like: eval,
base64_decode, wget, curl
• take DB backup & search for keywords like
“iframe, script,…”
• Prepare yourself to reinstall your entire server

10. How to Prevent
• Check OWASP
• Use STRONG Password hash
• Error Reporting
– Prodcution – OFF
– Development / Other – ON
• Stay up-to-date
– Framework
– OS
– 3rd party libraries
– Read about new threats and best practice changes
• Try to run vulnerabilities scanner

11. Thank You
https://www.linkedin.com/in/jeyasel
vi
@jeyaselvir