Securing your web apps now
Download as PPTX, PDF1 like832 views
The importance of security in 2013, with more websites getting hacked daily and penetration testers being one of the most the requested IT jobs. Develops need to be sure how secure their applications against threads like SQL injection, cross site scripting, weak passwords, brute force or dictionary attacks.
![CODE INJECTION
• Eval() === Evil
$var = 1;
$newvalue = isset($_GET['id']) ? $_GET['id'] : 0;
eval('$var = ' . $newvalue . ';');
echo $var;
• PHP manual warns you against using
eval()](https://image.slidesharecdn.com/securingyourwebappsnow-131007042931-phpapp02/85/Securing-your-web-apps-now-28-320.jpg)
![OS INJECTION
• Statements executed directly on the OS
• Don’t use system()
• system('nslookup ' . $_POST['host']);
• 'google.com; rm -RF /var/www’
• Download any script with wget
• Validate file_get_contents()](https://image.slidesharecdn.com/securingyourwebappsnow-131007042931-phpapp02/85/Securing-your-web-apps-now-31-320.jpg)
More Related Content
What's hot (20)
Viewers also liked (6)
Similar to Securing your web apps now (20)
Recently uploaded (20)
Securing your web apps now
- 1. SECURING YOUR WEB APPS NOW TIPS TO MAKE YOUR SITE LESS HACKABLE
- 2. WHO? • Stephan Steynfaardt • Solutions Architect & Tech Lead • CISSP certified • White hat penetration testing • @ssteynfaardt
- 3. WHAT? • Validation • SQL injection • OS injection • Code injection • File upload • Information leakage • Broken Authentication & Session Management • XSS
- 4. WHY?
- 5. IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER
- 6. IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.
- 7. I don’t even trust the panda ANY 4 YEAR OLD WITH AN INTERNET CONNECTION
- 8. Nothing to do with SSL WEB APPLICATIONS TESTED BY OWASP
- 13. HOW? • More than one security layer
- 17. HOW? • More than one security layer • Validate • Escape • Bind SQL • Least privileges • Generic error exceptions messages • Don't display error messages
- 18. VALIDATION
- 19. VALIDATION • Client side validation is useless • Whitelisting acceptance criteria • Typecast your variables • Never trust any data • RespectValidation
- 20. Top 10 OWASP list SQL INJECTION
- 21. SQL INJECTION • Don't use quotes – You only need to miss one • Always bind your parameter
- 22. BIND PARAMETER $sql = "SELECT * FROM users WHERE name=:name and age=:age"; $stmt = $db->prepare($sql); $stmt->execute(array(":name" => $name, ":age" => $age));
- 23. SQL INJECTION • Don't use quotes – You only need to miss one • Always bind your parameter • Only allow SQL privileges required • SQL MAP
- 24. Cracking password hashes SQL MAP
- 27. CODE INJECTION
- 28. CODE INJECTION • Eval() === Evil $var = 1; $newvalue = isset($_GET['id']) ? $_GET['id'] : 0; eval('$var = ' . $newvalue . ';'); echo $var; • PHP manual warns you against using eval()
- 29. CODE INJECTION • Don’t use preg_replace() with /e • PHP 5.5 deprecated /e • Dynamic function injection, don’t call it from the URL • local.php?file=some_file.log
- 30. OS INJECTION
- 31. OS INJECTION • Statements executed directly on the OS • Don’t use system() • system('nslookup ' . $_POST['host']); • 'google.com; rm -RF /var/www’ • Download any script with wget • Validate file_get_contents()
- 32. bring your own exploit FILE UPLOADS
- 33. Actually any PHP n00bs WORDPRESS N00BS
- 34. FILE UPLOADS • Upload files outside of the webroot • Check the mime-type • file -i logo.png logo.png: image/png; charset=binary • file –i evil_file.png evil_file.png: text/plain; charset=us-ascii • Rename file • Move to desired location
- 36. INFORMATION LEAKAGE • Phpinfo() • php.ini dispay_error = Off • php.ini dispay_startup_error = Off • php.ini error_reporting = E_ALL & ~E_DEPRICATED • php.ini html_errors = Off • php.ini log_error = On Always log your errors to a file
- 38. OVER SPECIFIC FEEDBACK • Login forms messages • Forgotten debug statements • Server headers • php.ini, expose_php = Off • httpd.conf, Server Tokens Full | OS | Minor |Major | prod • modSecurity
- 39. SENSITIVE DATA EXPOSURE All your data are belong to us - NSA
- 40. SENSITIVE DATA EXPOSURE • OWASP, top 10 2013, simply not encrypting data • Only store the data you need • MD5, SHA1 is not for passwords • Passwords are easy to guess • Bcrypt is for passwords ircmaxwell/password-compat zendframework/zend-crypt • PHP 5.5 password_hash() • cost, more rounds = better security but more time/performance penalty
- 41. SENSITIVE DATA EXPOSURE • Directories should be 750 or 755 • Files should be 644 or 640 • Locate directories that are 777 on your server: $ sudo find /var/www/ -type d -perm -002 • Locate files that are 777 on your server: $ sudo find /var/www/ -type f -perm -002 • User should own the web directory • Group should be the apache user
- 43. BROKEN AUTHENTICATION & SESSION MANAGEMENT • #2 on OWASP top 10 2013 • Allows attackers to impersonate other user currently logged in. • Don’t display the sessionID in the URL • Hidden fields – isAdmin • Remove the session cookie when done • Regenerate sessionID's after login
- 44. BROKEN AUTHENTICATION & SESSION MANAGEMENT • session_destoy() session_unet() • Remember me functions • chrome://settings/passwords •
- 46. XSS • 65% of websites are venerable to XSS • 2 types of XXS stored reflected • Steal sessionID from cookies • Escape all form input – htmlspecialhars() • ezyang/htmlpurifier, escape_html • cookies HTML Only • document.write hidden iframe
- 47. GOING FORWARD
- 48. GOING FORWARD • 57% organizations provided some software security training • 40% fewer vulnerabilities • Resolved issues 59% faster • owasp.org • https://security.sensiolabs.org/
- 50. GOING FORWARD • 19 Extensions to Turn Google Chrome into Penetration Testing tool http://resources.infosecinstitute.com/19-extensions-to-turn- google-chrome-into-penetration-testing-tool/ • PHP security manual http://php.net/manual/en/security.php • Code reviews • Try it yourself