OWASP, PHP, life and universe
2 likes•2,496 views
The document discusses a meeting at Mozilla Paris on June 5th 2014 about application security. It begins with an introduction of Sebastien Gioria from OWASP who will be presenting. The agenda includes discussing the current state and future of application security, as well as an overview of the Open Web Application Security Project (OWASP) and major projects. It then discusses why application security is important given the prevalence of digital services and connected devices that can be hacked. Statistics are presented on the most common vulnerabilities and who the "winners" are in cyber attacks. An overview of OWASP is provided, including its mission, community involvement, resources and projects. The 10 most critical web application security risks or "OWASP Top 10
![First
form
in
PHP
6
<?php
$email
=
$_REQUEST['email']
;
$message
=
$_REQUEST['message']
;
!
mail(
"yourname@example.com",
"Feedback
Form
Results",
$message,
"From:
$email"
);
header(
"Loca/on:
hgp://www.example.com/thankyou.html"
);
?>](https://image.slidesharecdn.com/2014-06-05-mozilla-afup-140605130458-phpapp02/85/OWASP-PHP-life-and-universe-17-320.jpg)
![9
<?php !
define('DB_HOST', 'localhost'); !
define('DB_NAME', 'practice');!
define('DB_USER','root'); !
define('DB_PASSWORD','');!
!
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error()); !
$db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error()); !
/* $ID = $_POST['user']; $Password = $_POST['pass']; */!
!
function SignIn() {!
! session_start(); //starting the session for user profile page!
! if(!empty($_POST['user'])) //checking the 'user' name which is from Sign-In.html, is it empty or have some text !
! { !
! $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'")
or die(mysql_error());!
! $row = mysql_fetch_array($query) or die(mysql_error());!
! !
! ! if(!empty($row['userName']) AND !empty($row['pass'])) !
! ! {!
! ! $_SESSION['userName'] = $row['pass']; !
! ! ! echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";!
! ! } else { !
! ! echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";!
! ! } !
! } !
} !
!
if(isset($_POST['submit'])) !
{!
SignIn(); !
} ?>!](https://image.slidesharecdn.com/2014-06-05-mozilla-afup-140605130458-phpapp02/85/OWASP-PHP-life-and-universe-23-320.jpg)
OWASP, PHP, life and universe
- 1. AFUP/MOZILLA/OWASP Mee/ng @Mozilla Paris 5th June 2014Sébas&en Gioria Sebas/[email protected] Chapter Leader & Evangelist OWASP France OWASP, the Life,the Universe and the ElePHPhants
- 2. 2
- 3. http://www.google.fr/#q=sebastien gioria ‣OWASP France Leader & Founder & Evangelist ‣Innovation and Technology @Advens && Application Security Expert Twitter :@SPoint/@OWASP_France ‣Application Security group leader for the CLUSIF ‣Proud father of youngs kids trying to hack my digital life.
- 4. Agenda • Applica/on Security : – where we are (no bullshit) – where we are (hopefully) going ? • Open Web Applica/on Security Project ? • Major projects you can use 4
- 5. Why Applica/on Security ? 5 4
- 6. Why Applica/on Security ? 5 4 Your Application has been Hacked
- 7. Why Applica/on Security ? 5 4 Your Application has been Hacked YES
- 8. Why Applica/on Security ? 5 4 Your Application has been Hacked NO YES
- 9. Why Applica/on Security ? 5 4 Your Application will be Hacked ;) Your Application has been Hacked NO YES
- 10. Why Applica/on Security ? 5 4 Your Application will be Hacked ;) Your Application has been Hacked YES NO YES
- 11. Why Applica/on Security ? 5 4 Your Application will be Hacked ;) Your Application has been Hacked YES NO NO YES
- 12. Why Applica/on Security ? 5 ! Let Me take you on the right way 4 Your Application will be Hacked ;) Your Application has been Hacked YES NO NO YES
- 13. Why Applica/on Security ? 5 My Application will be hacked ! ! Let Me take you on the right way 4 Your Application will be Hacked ;) Your Application has been Hacked YES NO NO YES
- 14. Why Applica/on Security ? 5 My Application will be hacked ! ! Let Me take you on the right way 4 Your Application will be Hacked ;) Your Application has been Hacked YES NO NO YES Next Step
- 15. First form in PHP 6
- 16. First form in PHP 6
- 17. First form in PHP 6 <?php $email = $_REQUEST['email'] ; $message = $_REQUEST['message'] ; ! mail( "[email protected]", "Feedback Form Results", $message, "From: $email" ); header( "Loca/on: hgp://www.example.com/thankyou.html" ); ?>
- 18. 7
- 19. 7
- 20. 7
- 21. How to create a login page in PHP and Mysql 8
- 22. 9
- 23. 9 <?php ! define('DB_HOST', 'localhost'); ! define('DB_NAME', 'practice');! define('DB_USER','root'); ! define('DB_PASSWORD','');! ! $con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error()); ! $db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error()); ! /* $ID = $_POST['user']; $Password = $_POST['pass']; */! ! function SignIn() {! ! session_start(); //starting the session for user profile page! ! if(!empty($_POST['user'])) //checking the 'user' name which is from Sign-In.html, is it empty or have some text ! ! { ! ! $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error());! ! $row = mysql_fetch_array($query) or die(mysql_error());! ! ! ! ! if(!empty($row['userName']) AND !empty($row['pass'])) ! ! ! {! ! ! $_SESSION['userName'] = $row['pass']; ! ! ! ! echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";! ! ! } else { ! ! ! echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";! ! ! } ! ! } ! } ! ! if(isset($_POST['submit'])) ! {! SignIn(); ! } ?>!
- 24. 10
- 25. 10
- 26. 10
- 27. Game Over.... • Did you have VoIP Phone ? ! • Did you have IP Router / Broadband box ? ! • Did you have smartphone ? ! • Did you have customers / partners over Internet ? 11
- 28. Anything else ? 12
- 29. We are living in a Digital environment, in a Connected World v Most of websites vulnerable to agacks v Important % of web-‐based Business (Services, Online Store, Self-‐care, Telcos, SCADA, ...) Why Applica/on Security ? Age of An/virus Age of Network Security Age of Applica/on Security 13
- 34. Who win ? 15 (c) WhiteHatSecurity 2013
- 35. Vulnerabili/es ? 16 (c) WhiteHatSecurity 2013
- 36. Mission Driven Nonprofit | World Wide | Unbiased ! OWASP does not endorse or recommend commercial products or services What is OWASP 17
- 37. Community Driven 30,000 Mail List Par/cipants 200 Ac/ve Chapters in 70 countries 1600+ Members, 56 Corporate Supporters What is OWASP 18
- 38. 200 Chapters, 1 600+ Members, 20 000+ Builders, Breakers and Defenders Around the World 19
- 39. Quality Resources 200+ Projects 15,000+ downloads of tools, documenta/on What is OWASP 20
- 43. NEWS A BLOG A PODCAST MEMBERSHIPS MAILING LISTS A NEWSLETTER APPLE APP STORE VIDEO TUTORIALS TRAINING SESSIONS SOCIAL NETWORKING 24
- 45. OWASP Top10 2013 26 A1: Injec&on A2: Viola&on de Ges&on d’authen&fica&on et de session A3: Cross Site Scrip&ng (XSS) A4:Référence directe non sécurisée à un objet A5: Mauvaise configura&on sécurité A6 : Exposi&on de données sensibles A8: Cross Site Request Forgery (CSRF) A10: Redirec&ons et transferts non validés A7: Manque de contrôle d’accès fonc&onnel A9: U&lisa&on de composants avec des vulnérabilités connues
- 46. OWASP Top10 2013 26 A1: Injec&on A2: Viola&on de Ges&on d’authen&fica&on et de session A3: Cross Site Scrip&ng (XSS) A4:Référence directe non sécurisée à un objet A5: Mauvaise configura&on sécurité A6 : Exposi&on de données sensibles A8: Cross Site Request Forgery (CSRF) A10: Redirec&ons et transferts non validés A7: Manque de contrôle d’accès fonc&onnel A9: U&lisa&on de composants avec des vulnérabilités connues ex-‐A9(transport non sécurisé) + A7(Stockage crypto)
- 47. OWASP Top10 2013 26 A1: Injec&on A2: Viola&on de Ges&on d’authen&fica&on et de session A3: Cross Site Scrip&ng (XSS) A4:Référence directe non sécurisée à un objet A5: Mauvaise configura&on sécurité A6 : Exposi&on de données sensibles A8: Cross Site Request Forgery (CSRF) A10: Redirec&ons et transferts non validés A7: Manque de contrôle d’accès fonc&onnel A9: U&lisa&on de composants avec des vulnérabilités connues ex-‐A9(transport non sécurisé) + A7(Stockage crypto)
- 48. Developer Cheat Sheets § PHP Security Cheat Sheet § OWASP Top Ten Cheat Sheet § Authen/ca/on Cheat Sheet § Cross-‐Site Request Forgery (CSRF) Preven&on Cheat Sheet § Cryptographic Storage Cheat Sheet § Input Valida/on Cheat Sheet § XSS (Cross Site Scrip&ng) Preven&on Cheat Sheet § DOM based XSS Preven/on Cheat Sheet § Forgot Password Cheat Sheet § Query Parameteriza&on Cheat Sheet § SQL Injec&on Preven&on Cheat Sheet § Session Management Cheat Sheet § HTML5 Security Cheat Sheet § Transport Layer Protec/on Cheat Sheet § Web Service Security Cheat Sheet § Logging Cheat Sheet § JAAS Cheat Sheet Mobile Cheat Sheets § IOS Developer Cheat Sheet § Mobile Jailbreaking Cheat Sheet Drax Cheat Sheets § Access Control Cheat Sheet § REST Security Cheat Sheet § Abridged XSS Preven/on Cheat Sheet § Password Storage Cheat Sheet § Secure Coding Cheat Sheet § Threat Modeling Cheat Sheet § Clickjacking Cheat Sheet § Virtual Patching Cheat Sheet § Secure SDLC Cheat Sheet § Web Applica/on Security Tes/ng Cheat Sheet § Applica/on Security Architecture Cheat Sheet Cheat Sheets 27
- 49. Project Leader: Chris Schmidt, [email protected] Purpose: A free, open source, web applica/on security control library that makes it easier for programmers to write lower-‐risk applica/ons ! ! ! ! ! ! ! ! ! ! ! hgps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Enterprise Security API 28 PHP Version : https://code.google.com/p/ owasp-esapi-php/
- 50. Project Leader: Abbas Naderi, [email protected] Purpose: OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applica/ons, using a collec&on of decoupled flexible secure PHP libraries, as well as a collec&on of PHP tools. OWASP PHP Security Project 29 hgps://www.owasp.org/index.php/OWASP_PHP_Security_Project
- 51. Development Guide: comprehensive manual for designing, developing and deploying secure Web Applica/ons and Web Services Code Review Guide: mechanics of reviewing code for certain vulnerabili/es & valida/on of proper security controls Tes/ng Guide: understand the what, why, when, where, and how of tes/ng web applica/ons ! ! hgps://www.owasp.org/index.php/Category:OWASP_Guide_Project hgps://www.owasp.org/index.php/Category:OWASP_Code_Review_Project hgps://www.owasp.org/index.php/Category:OWASP_Tes/ng_Project Guides 30
- 52. Zed Agack Proxy Project Leader: Simon Bennegs (aka Psiinon), [email protected] Purpose: The Zed Agack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabili/es manually in web applica/ons. Last Release: ZAP 2.3.1 (21 May 2014) ! ! ! ! ! ! ! ! ! ! hgps://www.owasp.org/index.php/OWASP_Zed_Agack_Proxy_Project 31
- 53. Intended to help soxware developers and their clients nego/ate important contractual terms and condi/ons related to the security of the soxware to be developed or delivered. CONTEXT: Most contracts are silent on these issues, and the par/es frequently have drama/cally different views on what has actually been agreed to. OBJECTIVE: Clearly define these terms is the best way to ensure that both par/es can make informed decisions about how to proceed. hgps://www.owasp.org/index.php/OWASP_Secure_Soxware_Contract_Annex The OWASP Secure Soxware Contract Annex 32
- 54. Dates • RSSIA Bordeaux : 20 Juin – HeartBleed revisited • AppSec Europe 2014 -‐ Cambridge : ! ! ! ! ! • Java User Groupe Lille & Paris – Secure Coding for Java a la rentrée 2014 • Club 27001 /Paris -‐ 25 Septembre 2014 –Présenta/on de la norme ISO 27034 33
- 55. Soutenir l’OWASP • Différentes solu/ons : – Membre Individuel : 50 $ – Membre Entreprise : 5000 $ – Dona/on Libre • Soutenir uniquement le chapitre France : – Single Mee/ng supporter • Nous offrir une salle de mee/ng ! • Par/ciper par un talk ou autre ! • Dona/on simple – Local Chapter supporter : • 500 $ à 2000 $ 34