SCARED STRAIGHT
     MITIGATING OWASP TOP 10 WITH PHP
DISCLAIMER
•   I am NOT a “security expert”

•   But I know a little about web security

•   Taken SANS DEV422: Defending Web Application Security Essentials

•   I don’t know everything
ASSUMPTIONS
•   This is an introduction-level talk

•   You know enough PHP to be dangerous

•   You’ve heard of some security vulns

•   Again, I don’t know everything
TALK STRUCTURE
•   What is the risk?

•   Typical Impact

•   How is it exploited?

•   How to prevent it when using PHP?
OWASP
Open Web Application Security Project
http://www.owasp.org
OWASP
•   Non-profit focused on improving security of application software

•   Focused on awareness of risks and education on mitigating those risks

•   Kansas City chapter meets every other month

    •   Next meeting: Thursday, February 10, 2011
        at Johnson County Community College

    •   Free! No registration required, but RSVPs appreciated
http://www.owasp.org
OWASP Top 10 (2010)
[Slide image: the OWASP Top 10 (2010) list]
Source: Dave Wichers OWASP Top 10 Presentation
INJECTION
WHAT IS IT?
Tricking an application into unintended commands in the data sent to an interpreter

Interpreter        Injection
Database           SQL Injection
Shell              Command Injection
File System        File Injection/Inclusion
PHP                PHP Injection
INJECTION
TYPICAL IMPACT
Technical Impact: SEVERE

Entire database read or modified
Access files on the filesystem
Uses a program's elevated privileges to carry out unauthorized execution
INJECTION
HOW IS IT EXPLOITED?
[Slide image: injection attack scenario]
Source: Dave Wichers OWASP Top 10 Presentation
INJECTION
HOW TO PREVENT IT?
SYSTEM LEVEL

Limit access rights of your application accounts
    OS user and database accounts

Limit attack vectors
    Sandbox execution
    Firewall web-facing machine
    Close unused ports and services

HOW DOES THIS FIT FOR YOU? (KU IT)
INJECTION
HOW TO PREVENT IT?
APPLICATION LEVEL

“Filter Input, Escape Output”
Examples:
    HTML
    SQL / DATABASE
INJECTION
HOW TO PREVENT IT?
HTML Injection

INJECTION
HOW TO PREVENT IT?
SQL Injection - Prepared Statements

INJECTION
HOW TO PREVENT IT?
SQL Injection
[Slide image: xkcd 327]
Source: http://xkcd.com/327/
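The prepared-statement slide above was a code screenshot that did not survive extraction. The following is an added example, not the deck's own code: a string-built query beside its PDO prepared-statement form, run against an in-memory SQLite database so it executes stand-alone. The table, the rows and the probe input are constructed for the demonstration.

```php
<?php
// Added example (not from the slides): string-built query vs. PDO prepared
// statement, demonstrated against an in-memory SQLite database.
// The users table and its rows are constructed sample data.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $db->exec("INSERT INTO users (name, email) VALUES
               ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
    return $db;
}

// VULNERABLE: the input is pasted into the SQL text, so the input can change
// the structure of the statement the database interpreter sees.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value travels separately
// as a bound parameter and is only ever compared as data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Bound parameters cover values only. Identifiers (column names, ORDER BY
// targets) cannot be bound, so whitelist them instead of interpolating.
function sortColumn(string $requested): string
{
    $allowed = ['id', 'name'];
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

function listUsersSorted(PDO $db, string $requestedColumn): array
{
    $column = sortColumn($requestedColumn);
    return $db->query("SELECT id, name FROM users ORDER BY {$column}")
              ->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
// Constructed probe: closes the quoted literal and appends an always-true clause.
$input = "alice' OR '1'='1";

printf("unsafe rows: %d\n", count(findUserUnsafe($db, $input)));
printf("safe rows:   %d\n", count(findUserSafe($db, $input)));
printf("safe lookup: %d\n", count(findUserSafe($db, 'alice')));
printf("sorted by:   %s\n", sortColumn('email; DROP TABLE users'));
```

Run with `php example.php`. The unsafe function returns every row for the probe input because the WHERE clause has become always true; the safe function returns nothing, because no user is literally named that string, while the plain lookup still works. The same rule applies to the other interpreters on the "what is it" slide: for the shell, pass arguments through `escapeshellarg()` rather than concatenating them; for the file system, resolve paths against a whitelist rather than from user input.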
CROSS SITE SCRIPTING (XSS)
WHAT IS IT?
Malicious data delivered to an innocent user's browser

Single Request Exploit
    Specially crafted URL injecting JavaScript or other defacement code

Persistent Request Exploit
    Saved in the file itself or more commonly in a database
    Delivered to all visitors just by visiting the page
CROSS SITE SCRIPTING (XSS)
TYPICAL IMPACT
Technical Impact: MODERATE

Steal stored browser data...
    Session IDs & cookies
    Account numbers
    Usernames

Deface website

Redirect user to phishing or malware site
CROSS SITE SCRIPTING (XSS)
HOW IS IT EXPLOITED?
[Slide image: XSS attack scenario]
Source: Dave Wichers OWASP Top 10 Presentation
CROSS SITE SCRIPTING (XSS)
HOW TO PREVENT IT?
“Filter Input, Escape Output”

Validate / Sanitize user input

Escape user input sent to a Database or the Browser

Filter Input
    Use PHP filter_* methods
    http://www.php.net/manual/en/ref.filter.php

Escape Output
    htmlentities() ???
    MEH

    http://htmlpurifier.org/
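The filter and escape slides were code screenshots that are not in the extracted text. Here is an added example, not the deck's code, of both halves of "Filter Input, Escape Output" in PHP: `filter_var()` validation, `htmlspecialchars()` for the HTML context, and a separate JSON-based escaper for values placed inside a `<script>` block, which is the case where a bare `htmlentities()` call is the wrong tool. The request data is constructed to stand in for `$_GET`; HTMLPurifier is not used here because it is an external library.

```php
<?php
// Added example (not from the slides): validate input with filter_var() and
// escape output per context. Request values below are constructed.
declare(strict_types=1);

// Filter input: accept only values of the expected shape, or null.
function validateEmail(string $raw): ?string
{
    $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

function validatePageNumber(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $v === false ? null : $v;
}

// Escape output for text in an HTML element body or a quoted attribute.
// ENT_QUOTES also converts single quotes (older htmlentities() defaults left
// them alone, which is one reason the slide says "MEH"); ENT_SUBSTITUTE keeps
// invalid UTF-8 from turning the whole string into "".
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value embedded in a <script> block is in a different context: HTML
// escaping does not apply there. JSON-encode with the HEX flags so no '<',
// '>', '&' or quote character reaches the HTML parser.
function eJs($value): string
{
    return json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed request standing in for $_GET; 'q' carries a script tag.
$get = [
    'email' => 'alice@example.com',
    'page'  => '3',
    'q'     => '<script>alert(1)</script>',
];

$email = validateEmail($get['email']) ?? 'invalid';
$page  = validatePageNumber($get['page']) ?? 1;

// Everything reflected back to the browser goes through an escaper chosen
// for the place it lands.
echo '<p>Results for ' . e($get['q']) . " (page {$page})</p>\n";
echo '<input type="text" name="email" value="' . e($email) . "\">\n";
echo '<script>var q = ' . eJs($get['q']) . ";</script>\n";
```

Run with `php example.php` and inspect the output: the script tag from `q` appears as inert text in the paragraph and as a JSON string with `\u003C` sequences inside the script block. Validation and escaping are separate defences: validation rejects input that should never have arrived, escaping protects the output no matter what got through. Where users legitimately submit HTML (a rich-text editor), escaping would destroy it, and that is the case for a sanitizer such as HTMLPurifier.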
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
WHAT IS IT?
Authentication or Sessions are improperly implemented

HTTP is “stateless”

HTTP sends credentials with every request

Credentials are usually a Session ID

Attack is possible when attacker gets a valid Session ID

Remember Firesheep?
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
TYPICAL IMPACT
Technical Impact: SEVERE

An attacker might be able to...
    Login without a valid password
    Change another user’s personal info
    Assume another user’s identity by just clicking a link
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW IS IT EXPLOITED?
[Slide image: session hijacking scenario]
Source: Dave Wichers OWASP Top 10 Presentation
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW TO PREVENT IT?
Rely on strong authentication and session management controls
    Integrate Shibboleth into your application

Proper Session Storage
    Default config stores sessions in a global temp directory

Proper Session Regeneration
    Always run session_regenerate_id() after an escalation in authentication/authorization

Proper Session cookie handling
    Only allow session cookies over secure connections
    Only allow session cookies over HTTP (not JavaScript)
    Only allow session IDs in cookies (not in the URL)

Use HTTPS
    NEVER deliver unencrypted network traffic when in HTTPS

    http://test.ku.edu/page2.php
      ==> http://webmedia.ku.edu/jquery.js

    https://test.ku.edu/page2.php
      ==> https://webmedia.ku.edu/jquery.js
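The four session slides above describe settings without showing them. This added example, not the deck's code, applies each one in PHP: a dedicated session directory, cookie-only session IDs with the secure and HttpOnly flags, `session_regenerate_id()` on login, a logout that actually removes the cookie, and a helper that builds asset URLs with the scheme of the current request so an HTTPS page never loads a script over plain HTTP. The directory path, the host name and the login result are assumptions; `session.cookie_samesite` and `session.use_strict_mode` are later additions to PHP than the 2011 talk.

```php
<?php
// Added example (not from the slides): session hardening in PHP.
// Directory, host name and the "login" below are assumptions for illustration.
declare(strict_types=1);

function configureSession(): void
{
    // Proper storage: a directory only this application can read, outside
    // the web root and separate from the host-wide temp directory that the
    // default configuration uses. Assumed location; created if missing.
    $dir = sys_get_temp_dir() . '/myapp-sessions';
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    session_save_path($dir);

    // Session ID only in cookies, never read from or written into URLs;
    // reject IDs the client made up itself (strict mode).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // Cookie flags: HTTPS only, invisible to JavaScript, and not attached
    // to requests that originate from other sites.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Strict');   // PHP 7.3+

    session_start();
}

// Call after a successful login or any privilege change so the ID that
// existed before authentication (possibly chosen by someone else) is retired.
function elevateSession(int $userId, array $roles): void
{
    session_regenerate_id(true);   // true: delete the old session data too
    $_SESSION['user_id'] = $userId;
    $_SESSION['roles']   = $roles;
    $_SESSION['auth_at'] = time();
}

// Logout must clear server-side state and expire the cookie in the browser;
// session_destroy() alone leaves the cookie in place.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Mixed content: derive the asset scheme from the request so that an HTTPS
// page never references http:// scripts (the slide's jquery.js case).
function assetUrl(string $host, string $path, array $server): string
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host . $path;
}

configureSession();
elevateSession(42, ['student']);   // constructed result of a credential check
echo '<script src="' . assetUrl('webmedia.ku.edu', '/jquery.js', $_SERVER) . "\"></script>\n";
```

All `ini_set()` calls must run before `session_start()`; the same values can live in php.ini or a `.htaccess` `php_value` line, which is preferable on a shared host so every entry point gets them. With `session.cookie_secure` on, a plain-HTTP test server will never receive the cookie, which is the intended behaviour, not a bug.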
INSECURE DIGITAL OBJECT REFERENCES
WHAT IS IT?
Users without proper credentials can view secure data

Do any users have only partial access to certain types of system data?
INSECURE DIGITAL OBJECT REFERENCES
TYPICAL IMPACT
Technical Impact: MODERATE

Depends on the value of the secure data

Flaws can compromise all data referenced by an insecure object
INSECURE DIGITAL OBJECT REFERENCES
HOW IS IT EXPLOITED?
User clicks link “My Account”

User accesses “My Account” page at URL:
    http://mybank.com/account/2055

User increments parameter in the URL:
    http://mybank.com/account/2056

User is granted access
INSECURE DIGITAL OBJECT REFERENCES
HOW TO PREVENT IT?
Use Array Map to Obfuscate URL Parameters

Use switch() to test for valid values
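The two prevention slides name the techniques without code. This added example, not the deck's code, implements both: a per-user array map built at login so the URL carries only a small index (the real account number never leaves the server), and a `switch()` whitelist for the action parameter. It also keeps an explicit ownership check, because hiding the real identifier is not the same as authorising access. User IDs and account numbers are constructed.

```php
<?php
// Added example (not from the slides): per-user indirect reference map (the
// slide's "array map"), an ownership check, and a switch() whitelist.
// All user IDs and account numbers are constructed sample data.
declare(strict_types=1);

// What the data layer knows: the accounts each user owns.
const ACCOUNTS_BY_USER = [
    7 => [2055, 2071],
    8 => [2056],
];

// Built at login and kept in the session. The browser sees only the index
// (0, 1, ...), so "increment the URL parameter" can at most move between
// the same user's own accounts.
function buildReferenceMap(int $userId): array
{
    return array_values(ACCOUNTS_BY_USER[$userId] ?? []);
}

// Translate the index from the URL back to a real account number; anything
// outside the user's map resolves to null.
function resolveAccount(array $map, string $rawIndex): ?int
{
    $index = filter_var($rawIndex, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($index === false) {
        return null;
    }
    return $map[$index] ?? null;
}

// Obfuscation is not authorisation: the server still verifies ownership
// before touching the record, which also protects code paths that receive
// a real account number from elsewhere.
function ownsAccount(int $userId, int $accountId): bool
{
    return in_array($accountId, ACCOUNTS_BY_USER[$userId] ?? [], true);
}

// switch() as a whitelist: only listed actions exist; everything else is
// rejected instead of being passed through to a handler.
function dispatch(string $action, int $accountId): string
{
    switch ($action) {
        case 'view':
            return "showing account {$accountId}";
        case 'statement':
            return "statement for account {$accountId}";
        default:
            return 'unknown action';
    }
}

// Simulated request from user 7: /account?ref=1&action=view
$userId = 7;
$map = buildReferenceMap($userId);     // in a real app: $_SESSION['account_map']
$accountId = resolveAccount($map, '1');

if ($accountId === null || !ownsAccount($userId, $accountId)) {
    echo "forbidden\n";
} else {
    echo dispatch('view', $accountId), "\n";
}

// The same user requesting ref=5 (not in the map) and an unlisted action.
var_dump(resolveAccount($map, '5'));
echo dispatch('export', 2055), "\n";
```

Store the map in `$_SESSION` when the user logs in and rebuild it whenever their account list changes. Because the index is meaningless outside that session, a captured or guessed URL yields nothing when replayed by another user; the `ownsAccount()` check is what protects endpoints that, for legacy reasons, still accept the real number.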
CROSS SITE REQUEST FORGERY (CSRF)
WHAT IS IT?
Victim's browser is tricked into issuing a command to a vulnerable web application

HTTP is “stateless” - Credentials are included with every request

If the user visits another website while still authenticated...

Any request back to the application is considered authentic
CROSS SITE REQUEST FORGERY (CSRF)
TYPICAL IMPACT
Technical Impact: MODERATE

What if a hacker could steer your mouse and get you to click on links in your online banking application?

What could they make you do?
    Make Transactions?
    Close Accounts?
    Change Password?
CROSS SITE REQUEST FORGERY (CSRF)
HOW IS IT EXPLOITED?
A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET
    http://mydomain.com/file.php?action=delete&id=12345

Destructive actions are executed with minimal or no verification of the origin of the request
    HTTP POST => http://mydomain.com/file.php?action=delete

Only marginally more difficult to forge a POST
CROSS SITE REQUEST FORGERY (CSRF)
HOW TO PREVENT IT?
A few easy ways...
    Invalidate user sessions quickly
    Encourage users to logout (they don’t)
    Don’t implement “Remember Me” features

Implement a CSRF Token
    Add a secret, not automatically submitted, token to ALL sensitive requests
    Verify token exists and matches the expected value before executing the request

    Generate token and store in user's session
    Use token in POST form
    Validate when POST received
    Source: http://shiflett.org/articles/cross-site-request-forgeries
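The three token slides reproduced code from Chris Shiflett's article, which did not survive extraction. The following is an added example written for this page, not the deck's or Shiflett's code, covering the same three steps: generate a token and keep it in the session, emit it as a hidden field, and validate it (with a constant-time comparison) before the destructive action runs. It also refuses the action over GET, matching the "how is it exploited" slide. The form action, record ID and simulated requests are constructed.

```php
<?php
// Added example (not from the slides, not Chris Shiflett's code): per-session
// CSRF token, hidden form field, and validation before a destructive action.
// Form URL, record ID and the simulated requests are constructed.
declare(strict_types=1);

session_start();

// Step 1: generate the token once per session and store it server-side.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe to print.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Step 3: compare in constant time so response timing leaks nothing.
function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Step 2: the token rides in the form as a hidden field. A browser on another
// site cannot read it, so a forged request cannot include the right value.
function deleteForm(int $id): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/file.php">'
        . '<input type="hidden" name="action" value="delete">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<button type="submit">Delete</button></form>';
}

// Handler for the destructive action: POST only, valid token required.
function handleDelete(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'rejected: state-changing actions are not accepted over GET';
    }
    if (!csrfValid($post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'rejected: bad id';
    }
    // ... perform the DELETE for $id here ...
    return "deleted record {$id}";
}

// Constructed requests: the form, a GET, a POST with a wrong token, a good POST.
echo deleteForm(12345), "\n";
echo handleDelete('GET',  ['action' => 'delete', 'id' => '12345']), "\n";
echo handleDelete('POST', ['action' => 'delete', 'id' => '12345', 'csrf_token' => 'forged']), "\n";
echo handleDelete('POST', ['action' => 'delete', 'id' => '12345', 'csrf_token' => csrfToken()]), "\n";
```

The token's protection depends on the session slides earlier in the deck: if the session ID itself can be stolen (no HTTPS, no HttpOnly) or the token is reflected somewhere an XSS flaw can read it, the attacker can obtain the token too. `hash_equals()` needs PHP 5.6 and `random_bytes()` PHP 7.0, both later than the talk; on older versions the article linked on the slide shows the equivalent construction.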
SECURITY MISCONFIGURATION
WHAT IS IT?
Running web applications on a secure foundation

From the Operating System up through Apache

All PHP extensions

All installed libraries on the server
SECURITY MISCONFIGURATION
TYPICAL IMPACT
Technical Impact: MODERATE

Install backdoor through missing security patch

Install malware on the server

“Root” the server

All your data is stolen
SECURITY MISCONFIGURATION
HOW IS IT EXPLOITED?
[Slide image: misconfiguration attack scenario]
Source: Dave Wichers OWASP Top 10 Presentation
SECURITY MISCONFIGURATION
HOW TO PREVENT IT?
SYSTEM LEVEL
    Update to latest application versions
    Install security patches
    Monitor vulnerabilities list

HOW DOES THIS FIT FOR YOU? (KU IT)

APPLICATION LEVEL
    Use latest available version of PHP
    Update third-party software when available
    Monitor mailing lists
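Knowing what to patch starts with knowing what is installed. This added example, not the deck's code, is a small inventory script for the application-level items: it lists the PHP version and the version of every loaded extension so they can be compared against security announcements, and flags php.ini directives that are commonly left at development values on production hosts. The set of directives and the values treated as "expected" are this example's own choices.

```php
<?php
// Added example (not from the slides): inventory of PHP and its extensions
// plus an advisory check of a few php.ini directives. The directive list and
// the expected values are assumptions chosen for a production host.
declare(strict_types=1);

function inventory(): array
{
    $ext = [];
    foreach (get_loaded_extensions() as $name) {
        // phpversion($ext) is false for extensions that carry no version.
        $ext[$name] = phpversion($name) ?: 'n/a';
    }
    ksort($ext);
    return ['php' => PHP_VERSION, 'sapi' => PHP_SAPI, 'extensions' => $ext];
}

// Directive => value expected on a production server.
const EXPECTED_INI = [
    'display_errors'    => '0',   // stack traces and paths stay out of responses
    'expose_php'        => '0',   // do not advertise the PHP version in headers
    'allow_url_include' => '0',   // include/require must never fetch remote code
    'allow_url_fopen'   => '0',   // remote file wrappers off unless required
    'log_errors'        => '1',   // errors go to the log instead
];

function iniFindings(): array
{
    $findings = [];
    foreach (EXPECTED_INI as $key => $expected) {
        $actual = ini_get($key);   // false for unknown directives
        // Booleans come back as "", "0", "1", "On"/"Off" depending on how they were set.
        $off = in_array(strtolower((string) $actual), ['', '0', 'off', 'false'], true);
        $normalised = $off ? '0' : '1';
        if ($normalised !== $expected) {
            $findings[] = sprintf('%s is %s, expected %s', $key, var_export($actual, true), $expected);
        }
    }
    return $findings;
}

$inv = inventory();
printf("PHP %s (%s)\n", $inv['php'], $inv['sapi']);
foreach ($inv['extensions'] as $name => $version) {
    printf("  %-20s %s\n", $name, $version);
}
foreach (iniFindings() as $finding) {
    echo "WARNING: {$finding}\n";
}
```

Run it with the same SAPI the web server uses (for example through a one-off page under Apache, then delete it) rather than only from the command line, because the CLI reads a different php.ini and the findings can differ. The extension list is the part to keep: it is the input for the "monitor vulnerabilities list" step, since an advisory for a bundled library is only actionable if you know the library is loaded.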
INSECURE CRYPTOGRAPHIC STORAGE
WHAT IS IT?
Incorrectly storing and transmitting confidential data

Database data
Log files
Backup files
Password files
INSECURE CRYPTOGRAPHIC STORAGE
WHAT IS IT?
What is considered secure data at KU?
    Data protected by FERPA
    Data protected by GLB
    Data subject to PCI (credit or payment card industry) standards
    Data subject to other Federal or state confidentiality laws
    Donor or prospect information
    Passwords and PINs
    Personally Identifiable Information (“PII”)
    Personnel data
    Individually identifiable information created and collected by research projects
    Certain research data with National Security implications
    Data subject to protection pursuant to non-disclosure agreements
    Audit working papers
    Data protected by attorney/client privilege
    Email covering topics listed above

THIS LIST IS NOT ALL INCLUSIVE
Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
INSECURE CRYPTOGRAPHIC STORAGE
TYPICAL IMPACT

            Technical Impact: SEVERE

            Attacker accesses or modifies confidential data
            Intellectual property stolen
            You or KU might get sued
            Makes the company look bad in the press
INSECURE CRYPTOGRAPHIC STORAGE
TYPICAL IMPACT

            Business Impacts: SEVERE

            High risk of...
                significant financial loss
                legal liability
                public distrust
                harm
            ...if this data is disclosed
INSECURE CRYPTOGRAPHIC STORAGE
HOW IS IT EXPLOITED?

            (slide image)
            Source: Dave Wichers OWASP Top 10 Presentation
INSECURE CRYPTOGRAPHIC STORAGE
HOW TO PREVENT IT?

            Identify all sensitive data and all places it is stored
            Don’t store private data in public_html
            Don’t invent your own encryption algorithm
            Don’t transmit confidential data over unencrypted means
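The three "don't" rules above, worked through in PHP as an added example (this is not code from the slides or from KU): passwords are hashed with `password_hash()`, everything else is encrypted with the sodium extension's authenticated secretbox rather than a home-grown cipher, and the key lives in a file outside `public_html`. The key path `/var/app/secrets/data.key` and the sample values are assumptions; the code needs PHP 7.2 or later for sodium.

```php
<?php
// Added example (not from the original slides): storing sensitive data in PHP
// without inventing your own crypto. Assumes PHP >= 7.2 (sodium extension).
// KEY_FILE is an assumed path; the point is that it is outside public_html.
declare(strict_types=1);

const KEY_FILE = '/var/app/secrets/data.key'; // assumed; never under public_html

/** Passwords are never encrypted, only hashed with a slow, salted hash. */
function storePasswordHash(string $plaintext): string
{
    // password_hash() chooses a random salt and a vetted algorithm (bcrypt by default).
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

function checkPassword(string $attempt, string $storedHash): bool
{
    // password_verify() does a timing-safe comparison.
    return password_verify($attempt, $storedHash);
}

/** Load (or create once) a 256-bit key kept outside the web root, mode 0600. */
function loadDataKey(string $path = KEY_FILE): string
{
    if (!is_file($path)) {
        $key = sodium_crypto_secretbox_keygen();
        if (file_put_contents($path, $key, LOCK_EX) === false || !chmod($path, 0600)) {
            throw new RuntimeException('Cannot write key file');
        }
        return $key;
    }
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('Key file missing or wrong size');
    }
    return $key;
}

/**
 * Authenticated encryption (XSalsa20-Poly1305): fresh random nonce per value,
 * and any modification is detected on decrypt. Returns base64(nonce . ciphertext).
 */
function encryptField(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($plaintext); // wipe the local copy
    return base64_encode($nonce . $cipher);
}

function decryptField(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        // Wrong key or tampered data: fail closed rather than return garbage.
        throw new RuntimeException('Decryption failed (bad key or tampered data)');
    }
    return $plain;
}

// Usage with constructed sample values (run from the CLI).
$hash = storePasswordHash('correct horse battery staple');
if (!checkPassword('correct horse battery staple', $hash) || checkPassword('wrong', $hash)) {
    throw new LogicException('password check failed');
}

$key   = sodium_crypto_secretbox_keygen(); // in production use loadDataKey()
$token = encryptField('4111 1111 1111 1111', $key); // constructed PCI-style value
if (decryptField($token, $key) !== '4111 1111 1111 1111') {
    throw new LogicException('round trip failed');
}
echo "crypto checks pass\n";
```

The split matters: a password only ever needs to be verified, so a one-way hash is enough and there is no key to lose; a card number or SSN must come back out, so it gets authenticated encryption and the key is the thing to protect, which is why it is loaded from a file the web server can read but that no URL can reach.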
FAILURE TO RESTRICT URL ACCESS
WHAT IS IT?

            Unauthorized users can view private pages
            Public users could access your admin functionality
FAILURE TO RESTRICT URL ACCESS
TYPICAL IMPACT

            Technical Impact: MODERATE

            Attackers invoke functions and services they’re not authorized for
            Access other users’ accounts and data
            Perform privileged actions
FAILURE TO RESTRICT URL ACCESS
HOW IS IT EXPLOITED?

            User accesses URL
                http://mydomain.com/user/profile

            User changes role of URL
                http://mydomain.com/manager/profile
                http://mydomain.com/admin/profile
FAILURE TO RESTRICT URL ACCESS
HOW IS IT EXPLOITED?

            Presentation Layer Access Control

            DOESN’T WORK
FAILURE TO RESTRICT URL ACCESS
HOW IS IT EXPLOITED?

            Unlinked URLs
                http://mydomain.com/you/will/never/find/this/index.html

            DOESN’T WORK
FAILURE TO RESTRICT URL ACCESS
HOW TO PREVENT IT?

            Check credentials on every page

            Disallow requests to unauthorized page types
                http://mydomain.com/uploads

            Test it!
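The three prevention points as one added PHP example (not code from the slides): a check that every page runs first, driven by a server-side map of which role may open which URL prefix (default deny, so an unlinked URL is no safer than a linked one), a handler that serves uploads only after that check and only from a directory outside `public_html`, and a small self-test. The role names, the prefix map and the `/var/app/uploads` path are assumptions for the example.

```php
<?php
// Added example (not from the original slides): per-request access control
// decided on the server from the session role, never from the URL. Role names,
// ROLE_PREFIXES and UPLOAD_DIR are assumptions for this example.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads'; // assumed; outside public_html

/** Which roles may open which URL prefix. Anything not listed is denied. */
const ROLE_PREFIXES = [
    '/user/'    => ['user', 'manager', 'admin'],
    '/manager/' => ['manager', 'admin'],
    '/admin/'   => ['admin'],
];

/** The role comes from the session the server created at login. */
function isAllowed(string $path, ?string $role): bool
{
    if ($role === null) {
        return false;                       // not logged in
    }
    foreach (ROLE_PREFIXES as $prefix => $roles) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return in_array($role, $roles, true);
        }
    }
    return false;                           // default deny for unknown areas
}

/** Called at the top of every page, e.g. from a common include. */
function requireAccess(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    if (!isAllowed($path, $_SESSION['role'] ?? null)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/**
 * Serve an upload only after the access check (uploads are treated as part of
 * the manager area here, an assumption) and only by a sanitised file name, so
 * "../" cannot escape UPLOAD_DIR. The directory itself is never web-accessible.
 */
function serveUpload(string $requestedName, ?string $role): void
{
    if (!isAllowed('/manager/uploads', $role)) {
        http_response_code(403);
        exit('Forbidden');
    }
    $name = basename($requestedName);
    $full = realpath(UPLOAD_DIR . '/' . $name);
    if ($full === false || strncmp($full, UPLOAD_DIR . '/', strlen(UPLOAD_DIR) + 1) !== 0) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($full);
}

// "Test it!": constructed cases that run from the CLI.
$checks = [
    [isAllowed('/user/profile', 'user'),               true],
    [isAllowed('/manager/profile', 'user'),            false],
    [isAllowed('/admin/profile', 'manager'),           false],
    [isAllowed('/admin/profile', 'admin'),             true],
    [isAllowed('/you/will/never/find/this/', 'admin'), false], // unlisted: denied
    [isAllowed('/user/profile', null),                 false], // anonymous
];
foreach ($checks as [$got, $want]) {
    if ($got !== $want) {
        throw new LogicException('access control test failed');
    }
}
echo "access checks pass\n";
```

The map is the whole point: hiding a menu entry changes nothing on the server, and a URL nobody links to is still reachable, so the decision has to be made per request from data the user cannot edit. Keeping `isAllowed()` free of globals is what makes the self-test at the bottom possible.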
INSUFFICIENT TRANSPORT LAYER PROTECTION
WHAT IS IT?

            Sending confidential data over unencrypted protocols

            Failure to identify all sensitive data
            Failure to identify all places sensitive data is sent

            Between:
                Server and user
                Backend databases
                Colleagues
                Internal communications
INSUFFICIENT TRANSPORT LAYER PROTECTION
TYPICAL IMPACT

            Technical Impact: MODERATE

            Expose users’ confidential data
            Account theft
INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW IS IT EXPLOITED?

            Does your application...
                Use confidential data?
                Send it over email?
                Send it to a database?
                Use HTTPS for ALL authentication requests?

INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW IS IT EXPLOITED?

            What is considered secure data at KU?
                Data protected by FERPA
                Data protected by GLB
                Data subject to PCI (credit or payment card industry) standards
                Data subject to other Federal or state confidentiality laws
                Donor or prospect information
                Passwords and PINs
                Personally Identifiable Information (“PII”)
                Personnel data
                Individually identifiable information created and collected by research projects
                Certain research data with National Security implications
                Data subject to protection pursuant to non-disclosure agreements
                Audit working papers
                Data protected by attorney/client privilege
                Email covering topics listed above

            Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm

INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW IS IT EXPLOITED?

            Do you...
                Have encrypted email set up between colleagues?
                Use encrypted IM chat between colleagues?
                Store your account passwords in a password safe?
INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?

            Don’t use KU Email Form to send confidential data
                1. Build a web form that stores it in a secure database
                2. Build a page to download or browse the info
                3. Only allow specific users to access it using Shibboleth

INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?

            Use secure protocols to transmit and store data
                Ever try to FTP to www2.ku.edu without SFTP?
                Store confidential data in our secure Oracle database
INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?

            Require HTTPS on all secure pages
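"Require HTTPS on all secure pages" as an added PHP example (not code from the slides): a function included before any output that redirects plaintext GETs to the `https://` URL, refuses plaintext POSTs rather than replaying them, and sets an HSTS header once the connection is secure, plus the session cookie flags that stop the session ID from travelling over `http://`. The proxy address `10.0.0.5` is an assumption; the `X-Forwarded-Proto` header is only trusted from that address because any client can send it. The array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original slides): forcing HTTPS for pages that
// carry confidential data. TRUSTED_PROXIES is an assumed load-balancer address;
// X-Forwarded-Proto is honoured only when the request came from it.
declare(strict_types=1);

const TRUSTED_PROXIES = ['10.0.0.5']; // assumed

function requestIsHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    $fromTrustedProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
    if ($fromTrustedProxy && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return true;
    }
    return false;
}

/** The https:// form of the current URL, for the redirect. */
function httpsUrl(array $server): string
{
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

/** Include at the top of every secure page, before any output. */
function requireHttps(): void
{
    if (requestIsHttps($_SERVER)) {
        // Browsers will use HTTPS for this host for the next year.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return;
    }
    // A GET can be redirected; a POST already sent its form data in the clear
    // and a redirect would drop the body anyway, so refuse it.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        http_response_code(403);
        exit('This page must be requested over HTTPS');
    }
    header('Location: ' . httpsUrl($_SERVER), true, 301);
    exit;
}

/** Call before session_start() so the session cookie only travels over TLS. */
function secureSessionCookie(): void
{
    session_set_cookie_params([
        'secure'   => true,   // never sent over http://
        'httponly' => true,   // not readable by script
        'samesite' => 'Lax',
    ]);
}

// Constructed CLI self-check of the detection logic.
$plain   = ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.9',
            'HTTP_X_FORWARDED_PROTO' => 'https'];        // header from an untrusted source
$tls     = ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.9'];
$proxied = ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_PROTO' => 'https'];        // header from the trusted proxy
if (requestIsHttps($plain) || !requestIsHttps($tls) || !requestIsHttps($proxied)) {
    throw new LogicException('HTTPS detection check failed');
}
echo "HTTPS checks pass\n";
```

The redirect alone is not enough: without the `secure` cookie flag a browser will still send the session cookie if anything on the page (an image, a script) is fetched over plain `http://`, which is the account-theft case on the impact slide.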
INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?

            Set up email encryption between colleagues
                http://www.technology.ku.edu/ca/install/

INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?

            Set up Off-The-Record chat encryption
                http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html

INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?

            KeePass
                Windows: http://keepass.info/
                Mac: http://www.keepassx.org/
            Free & Open-Source
UNVALIDATED REDIRECTS AND FORWARDS
WHAT IS IT?

            URL redirects built by the web application
            can be exploited if unvalidated

            Appears as a valid URL but contains a payload

            Internal redirects are common
            External redirects are becoming more common
UNVALIDATED REDIRECTS AND FORWARDS
TYPICAL IMPACT

            Technical Impact: MODERATE

            Install malware
            Phishing site
            Bypass authorization controls
UNVALIDATED REDIRECTS AND FORWARDS
HOW IS IT EXPLOITED?

            (slide image)
            Source: Dave Wichers OWASP Top 10 Presentation
UNVALIDATED REDIRECTS AND FORWARDS
HOW TO PREVENT IT?

            Avoid using redirects and forwards as much as possible
            If used, don’t use user-input parameters

            If using user input...
            Use an array map to whitelist URL parameters
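The "array map to whitelist URL parameters" idea worked through as an added PHP example (not code from the slides): the user supplies a short key, never a URL; the key is looked up in a fixed map and anything unknown falls back to a safe default. A second function covers legacy code that must accept a path, allowing only a relative path on this site. The destinations in the map are constructed for the example.

```php
<?php
// Added example (not from the original slides): redirect destinations chosen
// from a fixed map by key, so user input never becomes a Location header.
// REDIRECT_TARGETS and the sample inputs are constructed for this example.
declare(strict_types=1);

const REDIRECT_TARGETS = [
    'home'    => '/',
    'profile' => '/user/profile',
    'help'    => 'https://www.owasp.org/', // external targets are still fixed, not user-chosen
];
const DEFAULT_TARGET = '/';

/** Resolve a redirect key to a known destination; unknown keys go to the default. */
function resolveRedirect(?string $key): string
{
    if ($key !== null && array_key_exists($key, REDIRECT_TARGETS)) {
        return REDIRECT_TARGETS[$key];
    }
    return DEFAULT_TARGET;
}

/**
 * For legacy code that must accept a path rather than a key: accept only a
 * relative path on this site. Rejects absolute URLs, protocol-relative "//host",
 * backslashes (some browsers treat "\" as "/") and CR/LF (header splitting).
 */
function isLocalPath(string $candidate): bool
{
    if ($candidate === '' || $candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return false;
    }
    if (preg_match('/[\r\n\\\\]/', $candidate)) {
        return false;
    }
    $parts = parse_url($candidate);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

function redirectTo(string $target): void
{
    header('Location: ' . $target, true, 302);
    exit;
}

// Typical use: redirectTo(resolveRedirect($_GET['next'] ?? null));

// Constructed checks runnable from the CLI.
$cases = [
    [resolveRedirect('profile'), '/user/profile'],
    [resolveRedirect('https://attacker.example/'), '/'], // unknown key: default
    [resolveRedirect(null), '/'],
];
foreach ($cases as [$got, $want]) {
    if ($got !== $want) {
        throw new LogicException('redirect map check failed');
    }
}
if (!isLocalPath('/user/profile')
    || isLocalPath('//attacker.example/x')
    || isLocalPath('https://attacker.example/')
    || isLocalPath('/\\attacker.example')
    || isLocalPath("/ok\r\nSet-Cookie: x=1")) {
    throw new LogicException('local path check failed');
}
echo "redirect checks pass\n";
```

Prefer the key map wherever the set of destinations is known in advance; `isLocalPath()` exists for the cases where it is not, and even then it never lets a request pick another host.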
Questions?
My Challenge to you

               Read the OWASP Wiki
               http://www.owasp.org




                  Review your code
  http://www.owasp.org/index.php/Code_Review_Guide
http://www.owasp.org/index.php/OWASP_Testing_Project
Sources
OWASP Sources:
- OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS>
- OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet>
- OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide>
- OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project>
- OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx>
- OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>

Links:
- Setting up encrypted email at KU. <http://www.technology.ku.edu/ca/install/>
- Introduction to Encrypted Internet Chat. <http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html>

Software:
- HTMLPurifier <http://htmlpurifier.org/>
- KeePass <http://keepass.info/>
- KeePassX <http://www.keepassx.org/>
- WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>

Photos:
- http://www.flickr.com/photos/mrbenn/2337943659/
- http://www.flickr.com/photos/12836528@N00/4294660659/
- http://xkcd.com/327/

John Kary | johnkary@ku.edu
Web Development & Interface Design
University of Kansas, Information Technology
January 2011 KU Web Developers Meeting

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Scared Straight: Mitigating OWASP Top 10 with PHP

  • 1. SCARED STRAIGHT: MITIGATING OWASP TOP 10 WITH PHP
  • 6. DISCLAIMER. I am NOT a “security expert”. But I know a little about web security. Taken SANS DEV422: Defending Web Application Security Essentials. I don’t know everything.
  • 11. ASSUMPTIONS. This is an introduction-level talk. You know enough PHP to be dangerous. You’ve heard of some security vulns. Again, I don’t know everything.
  • 16. TALK STRUCTURE. What is the risk? Typical impact. How is it exploited? How to prevent it when using PHP?
  • 20. OWASP. Non-profit focused on improving security of application software. Focused on awareness of risks and education on mitigating those risks. Kansas City chapter meets every other month. Next meeting: Thursday, February 10, 2011 at Johnson County Community College. Free! No registration required, but RSVPs appreciated.
  • 22. OWASP Top 10 (2010). Source: Dave Wichers OWASP Top 10 Presentation
  • 24. INJECTION. What is it? Tricking an application into executing unintended commands embedded in the data sent to an interpreter. Interpreter / Injection: Database / SQL Injection; Shell / Command Injection; File System / File Injection/Inclusion; PHP / PHP Injection.
  • 25. INJECTION. Typical impact: SEVERE. Entire database read or modified. Access files on the filesystem. Uses a program's elevated privileges to carry out unauthorized execution.
  • 26. INJECTION. How is it exploited? Source: Dave Wichers OWASP Top 10 Presentation
  • 34. INJECTION. How to prevent it? SYSTEM LEVEL: Limit access rights of your application accounts (OS user and database accounts). Limit attack vectors: sandbox execution, firewall the web-facing machine, close unused ports and services.
  • 35. INJECTION. How to prevent it? SYSTEM LEVEL: KU does this for you.
  • 36. INJECTION. How to prevent it? APPLICATION LEVEL: “Filter Input, Escape Output”. Examples: HTML; SQL / DATABASE.
  • 37. INJECTION. How to prevent it? HTML Injection.
  • 38. INJECTION. How to prevent it? SQL Injection: Prepared Statements.
  • 39. INJECTION. How to prevent it? SQL Injection. Source: http://xkcd.com/327/
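Slide 38's prepared statements worked through, as an added example that is not from the deck: the string-built query beside its PDO prepared-statement replacement, run against an in-memory SQLite table (the students table, its rows and the sample surname are all constructed here).

```php
<?php
// Added example, not from the slides: string-built SQL beside a PDO prepared
// statement. In-memory SQLite, table and rows are all constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver also set PDO::ATTR_EMULATE_PREPARES to false so the
// statement is prepared server-side rather than interpolated client-side.
$pdo->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO students (name) VALUES ('Alice'), ('O''Brien')");

// VULNERABLE: $name is spliced into the SQL text, so characters inside the
// data (a quote, a comment marker) are parsed as part of the statement.
function findStudentUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM students WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement text is fixed and parsed first; the value is bound
// afterwards as data, so it can only ever be compared, never executed.
function findStudentSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM students WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary surname with an apostrophe is enough to
// show the difference. No escaping call is needed on the safe path.
$input = "O'Brien";

try {
    print_r(findStudentUnsafe($pdo, $input));
} catch (PDOException $e) {
    // The quote in the data closed the string literal early and the rest of
    // the name was parsed as SQL, e.g. 'near "Brien": syntax error'.
    echo "unsafe query broke: ", $e->getMessage(), "\n";
}

print_r(findStudentSafe($pdo, $input)); // one row: id 2, name O'Brien
```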
  • 46. CROSS SITE SCRIPTING (XSS). What is it? Malicious data delivered to an innocent user's browser. Single Request Exploit: a specially crafted URL injecting JavaScript or other defacement code. Persistent Request Exploit: saved in the file itself or, more commonly, in a database, and delivered to all visitors just by visiting the page.
  • 48. CROSS SITE SCRIPTING (XSS). Typical impact: MODERATE. Steal stored browser data... Session IDs & cookies, account numbers, usernames. Deface website. Redirect user to phishing or malware site.
  • 49. CROSS SITE SCRIPTING (XSS). How is it exploited? Source: Dave Wichers OWASP Top 10 Presentation
  • 50. CROSS SITE SCRIPTING (XSS). How to prevent it? “Filter Input, Escape Output”. Validate / sanitize user input. Escape user input sent to a database or the browser.
  • 55. CROSS SITE SCRIPTING (XSS). How to prevent it? Filter Input: use the PHP filter_* methods. http://www.php.net/manual/en/ref.filter.php
  • 61. CROSS SITE SCRIPTING (XSS). How to prevent it? Escape Output: htmlentities()??? MEH
  • 62. CROSS SITE SCRIPTING (XSS). How to prevent it? Escape Output: http://htmlpurifier.org/
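Slides 50 to 62 in code, as an added example that is not from the deck: filter_var() for the input and htmlspecialchars() with explicit flags for the output, which is what the "htmlentities() ??? MEH" slides are getting at. The $request array standing in for $_GET is constructed.

```php
<?php
// Added example, not from the slides: "Filter Input, Escape Output" with the
// filter extension and context-aware escaping. $request stands in for $_GET.
$request = [
    'id'   => '42abc',                    // constructed: not a clean integer
    'name' => "Tom <b>O'Neil</b> & Co",   // constructed: markup, quote, ampersand
];

// Filter Input: whitelist validation. Returns an int in range or null; the
// raw string never reaches the rest of the application.
function filterId(array $req): ?int
{
    $id = filter_var($req['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Escape Output for an HTML context. The flags are the point: before PHP 8.1
// the default (ENT_COMPAT) leaves single quotes alone, so a value placed
// inside a single-quoted attribute can still close that attribute. ENT_QUOTES
// plus an explicit charset makes one call safe for text nodes and for
// double- or single-quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

var_dump(filterId($request));               // NULL: "42abc" is rejected
var_dump(filterId(['id' => '2055']));       // int(2055)

echo '<p>', e($request['name']), "</p>\n";
// <p>Tom &lt;b&gt;O&#039;Neil&lt;/b&gt; &amp; Co</p>
echo "<input name='who' value='", e($request['name']), "'>\n";
// value='Tom &lt;b&gt;O&#039;Neil&lt;/b&gt; &amp; Co'  (the quote cannot close it)

// Escaping covers HTML text and attributes only. Rich text that has to keep
// its markup needs a whitelist sanitizer such as HTML Purifier (slide 62), and
// a value dropped into a JavaScript or URL context needs that context's encoding.
```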
  • 69. BROKEN AUTHENTICATION AND SESSION MANAGEMENT. What is it? Authentication or sessions are improperly implemented. HTTP is “stateless”, so HTTP sends credentials with every request, and the credentials are usually a Session ID. An attack is possible when the attacker gets a valid Session ID. Remember Firesheep?
  • 74. BROKEN AUTHENTICATION AND SESSION MANAGEMENT. Typical impact: SEVERE. An attacker might be able to... Login without a valid password. Change another user’s personal info. Assume another user’s identity by just clicking a link.
  • 75. BROKEN AUTHENTICATION AND SESSION MANAGEMENT. How is it exploited? Source: Dave Wichers OWASP Top 10 Presentation
  • 76. BROKEN AUTHENTICATION AND SESSION MANAGEMENT. How to prevent it? Rely on strong authentication and session management controls. Integrate Shibboleth into your application.
  • 77. BROKEN AUTHENTICATION AND SESSION MANAGEMENT. How to prevent it? Proper session storage: the default config stores sessions in a global temp directory.
  • 78. BROKEN AUTHENTICATION AND SESSION MANAGEMENT. How to prevent it? Proper session regeneration: always run session_regenerate_id() after an escalation in authentication/authorization.
  • 79. BROKEN AUTHENTICATION AND SESSION MANAGEMENT. How to prevent it? Proper session cookie handling: only allow session cookies over secure connections; only allow session cookies over HTTP (not JavaScript); only allow session IDs in cookies (not in the URL).
  • 80. BROKEN AUTHENTICATION AND SESSION MANAGEMENT. How to prevent it? Use HTTPS. NEVER deliver unencrypted network traffic when in HTTPS. http://test.ku.edu/page2.php ==> http://webmedia.ku.edu/jquery.js; https://test.ku.edu/page2.php ==> https://webmedia.ku.edu/jquery.js
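Slides 77 to 80 as one session bootstrap, an added example that is not from the deck: force HTTPS, use a private save path, issue cookie-only session IDs with the Secure and HttpOnly flags, and regenerate the ID at login. The save path and the credentialsValid() helper named in the usage comment are assumptions.

```php
<?php
// Added example, not from the slides: session bootstrap for slides 77-80.
// The save path and credentialsValid() are assumptions for illustration.

// Slide 80: refuse to run a "secure" page over plain HTTP. Redirecting here,
// before session_start(), means the session cookie is only ever set on HTTPS.
function requireHttps(): void
{
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
          || (($_SERVER['SERVER_PORT'] ?? '') == 443);
    if (!$https) {
        $target = 'https://' . ($_SERVER['HTTP_HOST'] ?? 'localhost')
                . ($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: ' . $target, true, 301);
        exit;
    }
}

// Slide 77: a private save path instead of the shared /tmp default.
// Slide 79: cookie-only IDs carrying the Secure and HttpOnly flags.
// Every ini_set() here must run before session_start().
function startHardenedSession(string $savePath): void
{
    ini_set('session.save_path', $savePath);    // directory readable only by the web user
    ini_set('session.use_only_cookies', '1');   // never accept ?PHPSESSID=... from the URL
    ini_set('session.use_trans_sid', '0');      // and never append the ID to links
    ini_set('session.cookie_httponly', '1');    // JavaScript (XSS) cannot read the cookie
    ini_set('session.cookie_secure', '1');      // the browser sends it over HTTPS only
    ini_set('session.use_strict_mode', '1');    // reject IDs the server never issued
    session_start();
}

// Slide 78: a fresh ID on every privilege change, so an ID known before login
// (or captured at a lower privilege level) is never the authenticated one.
function elevateSession(array $userFacts): void
{
    session_regenerate_id(true);                // true: discard the old session data file
    $_SESSION = array_merge($_SESSION, $userFacts);
    $_SESSION['auth_time'] = time();
}

// Assumed usage in a login handler (credentialsValid() is a hypothetical helper):
//   requireHttps();
//   startHardenedSession('/var/lib/php/sessions-myapp');   // assumed path, mode 0700
//   if (credentialsValid($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//       elevateSession(['user_id' => 1234]);
//   }
```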
  • 82. INSECURE DIGITAL OBJECT REFERENCES. What is it? Users without proper credentials can view secure data. Do any users have only partial access to certain types of system data?
  • 84. INSECURE DIGITAL OBJECT REFERENCES. Typical impact: MODERATE. Depends on the value of the secure data. Flaws can compromise all data referenced by an insecure object.
  • 85. INSECURE DIGITAL OBJECT REFERENCES. How is it exploited? User clicks link “My Account”. User accesses the “My Account” page at URL: http://mybank.com/account/2055. User increments the parameter in the URL: http://mybank.com/account/2056. User is granted access.
  • 86. INSECURE DIGITAL OBJECT REFERENCES. How to prevent it? Use an array map to obfuscate URL parameters.
  • 87. INSECURE DIGITAL OBJECT REFERENCES. How to prevent it? Use switch() to test for valid values.
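Slides 86 and 87 worked through, as an added example that is not from the deck: a per-session map from random handles to the account ids a user actually owns, and a switch() whitelist for an enumerated parameter. The account data and the local array standing in for $_SESSION are constructed.

```php
<?php
// Added example, not from the slides: indirect references (slide 86) and a
// switch() whitelist (slide 87). Account data and the session array are constructed.

// Accounts the authenticated user owns. In real code this comes from a query
// scoped by the logged-in user's id, never from anything in the request.
$ownedAccounts = [2055 => 'Checking', 2071 => 'Savings'];

// Build a per-session map from random handles to real ids. Only the handle
// appears in URLs, so there is nothing sequential to increment, and because
// the map holds only this user's accounts, resolving a handle is also the
// ownership check.
function buildReferenceMap(array $ownedAccounts, array &$session): array
{
    $map = [];
    foreach (array_keys($ownedAccounts) as $realId) {
        $map[bin2hex(random_bytes(8))] = $realId;   // 16 hex chars, unguessable
    }
    $session['account_map'] = $map;
    return $map;
}

// Translate a handle from the URL back to a real id, or null if this session
// was never issued that handle.
function resolveAccount(string $handle, array $session): ?int
{
    return $session['account_map'][$handle] ?? null;
}

// Slide 87: for a small fixed vocabulary, switch() on the exact allowed
// values and fall back to a safe default for anything else.
function normalizeAction(string $action): string
{
    switch ($action) {
        case 'view':
        case 'statement':
        case 'transfer':
            return $action;
        default:
            return 'view';
    }
}

// Constructed walk-through with a local array in place of $_SESSION.
$session = [];
$map     = buildReferenceMap($ownedAccounts, $session);
$handle  = array_key_first($map);

printf("/account/%s -> account %d (%s)\n",
    $handle, resolveAccount($handle, $session), $ownedAccounts[$map[$handle]]);
var_dump(resolveAccount('2056', $session));   // NULL: a raw or incremented id is not a handle
var_dump(normalizeAction('delete'));          // string(4) "view"
```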
  • 90. CROSS SITE REQUEST FORGERY (CSRF). What is it? The victim's browser is tricked into issuing a command to a vulnerable web application. HTTP is “stateless”, so credentials are included with every request. If the user visits another website while still authenticated... any request back to the application is considered authentic.
  • 96. CROSS SITE REQUEST FORGERY (CSRF). Typical impact: MODERATE. What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make transactions? Close accounts? Change password?
  • 98. CROSS SITE REQUEST FORGERY (CSRF). How is it exploited? A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET: http://mydomain.com/file.php?action=delete&id=12345
  • 100. CROSS SITE REQUEST FORGERY (CSRF). How is it exploited? Destructive actions are executed with minimal or no verification of the origin of the request. HTTP POST => http://mydomain.com/file.php?action=delete. Only marginally more difficult to forge a POST.
  • 104. CROSS SITE REQUEST FORGERY (CSRF). How to prevent it? A few easy ways... Invalidate user sessions quickly. Encourage users to logout (they don’t). Don’t implement “Remember Me” features.
  • 105. CROSS SITE REQUEST FORGERY (CSRF). How to prevent it? Implement a CSRF token: add a secret, not automatically submitted, token to ALL sensitive requests. Verify the token exists and matches the expected value before executing the request.
  • 106. CROSS SITE REQUEST FORGERY (CSRF). How to prevent it? Implement a CSRF token: generate the token and store it in the user's session. Source: http://shiflett.org/articles/cross-site-request-forgeries
  • 107. CROSS SITE REQUEST FORGERY (CSRF). How to prevent it? Implement a CSRF token: use the token in the POST form. Source: http://shiflett.org/articles/cross-site-request-forgeries
  • 108. CROSS SITE REQUEST FORGERY (CSRF). How to prevent it? Implement a CSRF token: validate when the POST is received. Source: http://shiflett.org/articles/cross-site-request-forgeries
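Slides 105 to 108 as code, an added example that is not from the deck or from Shiflett's article: generate, embed, validate. random_bytes() and hash_equals() are the current PHP primitives for the pattern; the field name `token` and the local array standing in for $_SESSION are assumptions.

```php
<?php
// Added example, not from the slides: the three CSRF-token steps of slides
// 106-108. The field name "token" and the local session array are assumptions.

// Slide 106: generate the token once per session and keep it server-side.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 64 hex chars
    }
    return $session['csrf_token'];
}

// Slide 107: emit it as a hidden field. A request forged from another site
// carries the cookies automatically, but not this field, because the other
// site cannot read the page that contains it.
function csrfField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $t . '">';
}

// Slide 108: validate before any destructive action runs. POST only, so a
// crafted link (GET) can never trigger it; hash_equals() compares in constant
// time so the token cannot be recovered byte by byte from timing.
function csrfValid(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed walk-through with a local array in place of $_SESSION.
$session = [];
echo csrfField($session), "\n";
$good = $session['csrf_token'];

var_dump(csrfValid($session, ['token' => $good, 'action' => 'delete'], 'POST'));  // bool(true)
var_dump(csrfValid($session, ['token' => 'guess', 'action' => 'delete'], 'POST')); // bool(false)
var_dump(csrfValid($session, ['action' => 'delete'], 'POST'));                     // bool(false): field missing
var_dump(csrfValid($session, ['token' => $good, 'action' => 'delete'], 'GET'));   // bool(false): wrong method
```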
  • 111. SECURITY MISCONFIGURATION. What is it? Running web applications on a secure foundation: from the operating system up through Apache, all PHP extensions, all installed libraries on the server.
  • 116. SECURITY MISCONFIGURATION. Typical impact: MODERATE. Install backdoor through missing security patch. Install malware on the server. “Root” the server. All your data is stolen.
  • 117. SECURITY MISCONFIGURATION. How is it exploited? Source: Dave Wichers OWASP Top 10 Presentation
  • 119. SECURITY MISCONFIGURATION. How to prevent it? SYSTEM LEVEL: Update to latest application versions. Install security patches. Monitor vulnerabilities list.
  • 120. SECURITY MISCONFIGURATION. How to prevent it? SYSTEM LEVEL: KU does this for you.
  • 122. SECURITY MISCONFIGURATION. How to prevent it? APPLICATION LEVEL: Use latest available version of PHP. Update third-party software when available. Monitor mailing lists.
  • 125. INSECURE CRYPTOGRAPHIC STORAGE. What is it? Incorrectly storing and transmitting confidential data: database data, log files, backup files, password files.
  • 127. INSECURE CRYPTOGRAPHIC STORAGE. What is it? What is considered secure data at KU? Data protected by FERPA; data protected by GLB; data subject to PCI (credit or payment card industry) standards; data subject to other Federal or state confidentiality laws; donor or prospect information; passwords and PINs; Personally Identifiable Information (“PII”); personnel data; individually identifiable information created and collected by research projects; certain research data with National Security implications; data subject to protection pursuant to non-disclosure agreements; audit working papers; data protected by attorney/client privilege; email covering topics listed above. THIS LIST IS NOT ALL INCLUSIVE. Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
  • 129. INSECURE CRYPTOGRAPHIC STORAGE. Typical impact: SEVERE. Attacker accesses or modifies confidential data. Intellectual property stolen. You or KU might get sued. Makes the company look bad in the press.
  • 130. INSECURE CRYPTOGRAPHIC STORAGE. Business impacts: SEVERE. High risk of... significant financial loss, legal liability, public distrust, harm ...if this data is disclosed.
  • 131. INSECURE CRYPTOGRAPHIC STORAGE. How is it exploited? Source: Dave Wichers OWASP Top 10 Presentation
  • 136. INSECURE CRYPTOGRAPHIC STORAGE. How to prevent it? Identify all sensitive data and all places it is stored. Don’t store private data in public_html. Don’t invent your own encryption algorithm. Don’t transmit confidential data over unencrypted means.
  • 138. FAILURE TO RESTRICT URL ACCESS. What is it? Unauthorized users can view private pages. Public users could access your admin functionality.
  • 140. FAILURE TO RESTRICT URL ACCESS. Typical impact: MODERATE. Attackers invoke functions and services they’re not authorized for. Access other users’ accounts and data. Perform privileged actions.
  • 141. FAILURE TO RESTRICT URL ACCESS. How is it exploited? User accesses URL http://mydomain.com/user/profile. User changes the role in the URL: http://mydomain.com/manager/profile, http://mydomain.com/admin/profile
  • 143. FAILURE TO RESTRICT URL ACCESS. How is it exploited? Presentation-layer access control DOESN’T WORK.
  • 145. FAILURE TO RESTRICT URL ACCESS. How is it exploited? Unlinked URLs (http://mydomain.com/you/will/never/find/this/index.html) DOESN’T WORK.
  • 148. FAILURE TO RESTRICT URL ACCESS. How to prevent it? Check credentials on every page. Disallow requests to unauthorized page types: http://mydomain.com/uploads. Test it!
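Slides 146 to 148 as an added example that is not from the deck: one authorization check that every request passes through, default-deny for anything not explicitly routed (so /uploads and unlinked paths are refused), and the slides' own URLs as the "Test it!" cases. The route prefixes, role names and role ranks are assumptions.

```php
<?php
// Added example, not from the slides: a single authorize() call made on every
// request. Route prefixes, role names and ranks are assumptions.

// Role required per URL prefix; null means public. Anything not listed is
// denied, so hiding a link (presentation-layer "control") or leaving a URL
// unlinked is never what protects it.
const ROUTE_ROLES = [
    '/public/'  => null,
    '/user/'    => 'user',
    '/manager/' => 'manager',
    '/admin/'   => 'admin',
];
const ROLE_RANK = ['user' => 1, 'manager' => 2, 'admin' => 3];

function authorize(string $path, ?string $userRole): bool
{
    // Normalise before matching so case or ".." segments cannot select a
    // weaker rule than the one the real handler will run under.
    $path = '/' . ltrim(strtolower($path), '/');
    if (strpos($path, '/../') !== false || substr($path, -3) === '/..') {
        return false;
    }
    foreach (ROUTE_ROLES as $prefix => $needed) {
        if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        if ($needed === null) {
            return true;                       // public area
        }
        if ($userRole === null) {
            return false;                      // not logged in
        }
        return (ROLE_RANK[$userRole] ?? 0) >= ROLE_RANK[$needed];
    }
    return false;                              // default deny: /uploads/, unlinked files, typos
}

// Front-controller usage: call before dispatching to any page.
function guard(string $path, ?string $userRole): void
{
    if (!authorize($path, $userRole)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Slide 148: "Test it!" These mirror the URLs on slides 141, 144 and 147.
$cases = [
    ['/user/profile',                        'user',  true],
    ['/manager/profile',                     'user',  false],  // role swapped in the URL
    ['/admin/profile',                       'user',  false],
    ['/admin/profile',                       'admin', true],
    ['/uploads/payroll.csv',                 'admin', false],  // not a routed page type
    ['/you/will/never/find/this/index.html', null,    false],  // unlinked is not protected
    ['/public/index.html',                   null,    true],
];
foreach ($cases as [$path, $role, $expected]) {
    assert(authorize($path, $role) === $expected);
    printf("%-40s %-8s %s\n", $path, $role ?? '(anon)', authorize($path, $role) ? 'allow' : 'deny');
}
```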
  • 149. INSUFFICIENT TRANSPORT LAYER PROTECTION
  • 150. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I HAT W
  • 151. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W
  • 152. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols
  • 153. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data
  • 154. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent
  • 155. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between:
  • 156. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user
  • 157. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases
  • 158. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases Colleagues
  • 159. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases Colleagues Internal Communications
  • 160. INSUFFICIENT TRANSPORT LAYER PROTECTION CT PA IM Technical Impact: AL MODERATE IC T YP
  • 161. INSUFFICIENT TRANSPORT LAYER PROTECTION CT PA IM Technical Impact: AL MODERATE IC T YP Expose users’ confidential data Account theft
  • 162. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data?
  • 163. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED OI PL T EX I SI What is considered secure data at KU? HOW Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
  • 164. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW
  • 165. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application...
  • 166. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data?
  • 167. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email?
  • 168. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email? Send it to a database?
  • 169. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email? Send it to a database? Use HTTPS for ALL authentication requests?
  • 170. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW
  • 171. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you...
  • 172. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues?
  • 173. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues? Use encrypted IM chat between colleagues?
  • 174. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues? Use encrypted IM chat between colleagues? Store your account passwords in a password safe?
• 175-179. INSUFFICIENT TRANSPORT LAYER PROTECTION HOW TO PREVENT IT? Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info 3. Only allow specific users to access it using Shibboleth
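The three steps above (form, secure storage, restricted download page) in PHP, as an added example that is not part of the slides. It assumes a PDO connection (the DSN below is a placeholder), a table named confidential_submissions, and a Shibboleth SP that populates $_SERVER['REMOTE_USER'] after login; the viewer identities are constructed placeholders.

```php
<?php
// Added example (not from the slides): collect confidential form data, store it
// with a prepared statement, and only let allow-listed Shibboleth users read it back.
declare(strict_types=1);

// Placeholder DSN/credentials; the real values come from server configuration.
$pdo = new PDO('oci:dbname=//db.example.edu:1521/ORCL', 'app_user', getenv('DB_PASSWORD') ?: '');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Users permitted to browse submissions (constructed placeholder identities).
const ALLOWED_VIEWERS = ['alice@example.edu', 'bob@example.edu'];

function currentUser(array $server): ?string
{
    // Assumption: the Shibboleth SP sets REMOTE_USER once the user has authenticated.
    $user = $server['REMOTE_USER'] ?? null;
    return is_string($user) && $user !== '' ? $user : null;
}

function storeSubmission(PDO $pdo, array $server, string $name, string $details): bool
{
    // Parameterised INSERT: the submitted text never becomes part of the SQL itself.
    $stmt = $pdo->prepare(
        'INSERT INTO confidential_submissions (submitted_by, name, details)
         VALUES (:by, :name, :details)'
    );
    $stmt->execute([
        ':by'      => currentUser($server) ?? 'anonymous',
        ':name'    => $name,
        ':details' => $details,
    ]);
    return $stmt->rowCount() === 1;
}

function listSubmissions(PDO $pdo, array $server, array $allowed = ALLOWED_VIEWERS): array
{
    // Step 3: the page that browses the data checks the authenticated user
    // against an explicit allow list, not just "is logged in".
    $user = currentUser($server);
    if ($user === null || !in_array($user, $allowed, true)) {
        http_response_code(403);
        throw new RuntimeException('Not authorised to view submissions');
    }
    $stmt = $pdo->query(
        'SELECT id, submitted_by, name FROM confidential_submissions ORDER BY id DESC'
    );
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage on the form handler (assumed form fields: "name" and "details").
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name    = (string) filter_input(INPUT_POST, 'name');
    $details = (string) filter_input(INPUT_POST, 'details');
    storeSubmission($pdo, $_SERVER, $name, $details);
}
```

The point of the allow list is that Shibboleth only proves who the user is; which users may read the data is still the application's decision, so that check lives next to the query rather than in the login flow.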
• 180-182. INSUFFICIENT TRANSPORT LAYER PROTECTION HOW TO PREVENT IT? Use secure protocols to transmit and store data Ever try to FTP to www2.ku.edu without SFTP? Store confidential data in our secure Oracle database
• 183-184. INSUFFICIENT TRANSPORT LAYER PROTECTION HOW TO PREVENT IT? Require HTTPS on all secure pages
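One way to enforce "HTTPS on all secure pages" from PHP itself, as an added example that is not part of the slides. It assumes PHP runs under a web server that sets $_SERVER['HTTPS'] on TLS connections and that SERVER_NAME comes from server configuration rather than the request; include it at the top of each secure page before any output.

```php
<?php
// Added example (not from the slides): refuse to serve a sensitive page over
// plain HTTP, and keep the session cookie off plain HTTP as well.
declare(strict_types=1);

function isHttps(array $server): bool
{
    // Apache/mod_php sets HTTPS to "on" on TLS connections; some servers set
    // "off" on plain HTTP, so treat that value as not secure.
    // If TLS is terminated at a load balancer, detection must use whatever
    // that proxy provides instead (assumption: no proxy here).
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

function httpsUrlFor(array $server): string
{
    // Rebuild the current URL with the https scheme. SERVER_NAME is used rather
    // than the Host header so a client cannot steer the redirect elsewhere.
    return 'https://' . $server['SERVER_NAME'] . $server['REQUEST_URI'];
}

function requireHttps(): void
{
    if (!isHttps($_SERVER)) {
        header('Location: ' . httpsUrlFor($_SERVER), true, 301);
        exit;
    }
    // Ask browsers to use HTTPS for this host for the next year (HSTS).
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

function startSecureSession(): void
{
    // secure=true: cookie only sent over HTTPS; httponly=true: not readable by script.
    // Must be called before session_start().
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

requireHttps();
startSecureSession();
```

Redirecting to HTTPS only protects requests the browser makes after the redirect; the first plain-HTTP request, including any cookie already attached to it, has already left the client, which is why the session cookie is marked secure as well.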
• 185. INSUFFICIENT TRANSPORT LAYER PROTECTION HOW TO PREVENT IT? Set up email encryption between colleagues http://www.technology.ku.edu/ca/install/
• 186. INSUFFICIENT TRANSPORT LAYER PROTECTION HOW TO PREVENT IT? Set up Off-The-Record chat encryption http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html
• 187. INSUFFICIENT TRANSPORT LAYER PROTECTION HOW TO PREVENT IT? KeePass Windows: http://keepass.info/ Mac: http://www.keepassx.org/ Free & Open-Source
  • 188. UNVALIDATED REDIRECTS AND FORWARDS
• 189. UNVALIDATED REDIRECTS AND FORWARDS WHAT IS IT? URL redirects built by the web application can be exploited if unvalidated Appears as a valid URL but contains a payload Internal redirects are common External redirects are becoming more common
• 190. UNVALIDATED REDIRECTS AND FORWARDS TYPICAL IMPACT Technical Impact: MODERATE Install malware Phishing site Bypass authorization controls
• 191. UNVALIDATED REDIRECTS AND FORWARDS HOW IS IT EXPLOITED? Source: Dave Wichers OWASP Top 10 Presentation
• 192. UNVALIDATED REDIRECTS AND FORWARDS HOW TO PREVENT IT? Avoid using redirects and forwards as much as possible If used, don’t use user-input parameters If using user-input... Use Array Map to Whitelist URL Parameters
• 193. UNVALIDATED REDIRECTS AND FORWARDS HOW TO PREVENT IT? Use Array Map to Whitelist URL Parameters
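The "array map to whitelist URL parameters" approach in PHP, as an added example that is not part of the slides. The destination URLs and the example.edu host are constructed placeholders; only the map key ever comes from the request, so a full URL in the parameter can never reach the Location header.

```php
<?php
// Added example (not from the slides): whitelist redirect targets with an array map.
declare(strict_types=1);

// What NOT to do: the Location header is built straight from user input, so
// redirect.php?url=http://evil.example/ sends the user anywhere the link says.
//   header('Location: ' . $_GET['url']);

// Allowed destinations keyed by a short token (constructed placeholder URLs).
const REDIRECT_MAP = [
    'home'    => '/index.php',
    'profile' => '/account/profile.php',
    'help'    => 'https://www.example.edu/help/',
];

function resolveRedirect(array $map, ?string $key, string $fallback = '/index.php'): string
{
    // Unknown, missing or malformed keys all go to the fallback; the request
    // value is only ever used as a lookup key, never as part of the URL.
    if ($key === null || !array_key_exists($key, $map)) {
        return $fallback;
    }
    return $map[$key];
}

function redirectTo(string $url): void
{
    header('Location: ' . $url, true, 302);
    exit;
}

// Usage: link to redirect.php?to=profile instead of redirect.php?url=...
// filter_input() returns null when the parameter is absent.
$key = filter_input(INPUT_GET, 'to');
redirectTo(resolveRedirect(REDIRECT_MAP, is_string($key) ? $key : null));
```

Because the keys are fixed strings chosen by the developer, adding a new destination means editing the map, which is exactly the review point you want: every external redirect target is visible in one place in the code.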
  • 195. My Challenge to you Read the OWASP Wiki http://www.owasp.org Review your code http://www.owasp.org/index.php/Code_Review_Guide http://www.owasp.org/index.php/OWASP_Testing_Project
• 196. Sources
OWASP Sources:
- OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS>
- OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet>
- OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide>
- OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project>
- OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx>
- OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>
Links:
- Setting up encrypted email at KU. <http://www.technology.ku.edu/ca/install/>
- Introduction to Encrypted Internet Chat. <http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html>
Software:
- HTMLPurifier <http://htmlpurifier.org/>
- KeePass <http://keepass.info/>
- KeePassX <http://www.keepassx.org/>
- WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>
Photos:
- http://www.flickr.com/photos/mrbenn/2337943659/
- http://www.flickr.com/photos/12836528@N00/4294660659/
- http://xkcd.com/327/
John Kary | johnkary@ku.edu
Web Development & Interface Design, University of Kansas, Information Technology
January 2011 KU Web Developers Meeting