Chris Tankersley, profile picture
Uploaded byChris Tankersley
PPTX, PDF2,802 views

PHP Security Tips

This document summarizes a presentation on PHP security given to the NWO-PUG group. The presentation covers the most common web application attacks like injection, cross-site scripting, insecure authentication, and how to prevent them following secure coding principles. It discusses the OWASP Top 10 security risks and how to avoid each one through input validation, output encoding, authorization checking, secure session handling and encryption. The presentation emphasizes defense in depth and that attackers may combine different vulnerabilities.

Downloaded 125 times
PHP SecurityE-mail: chris@ctankersley.comTwitter: @dragonmantankIdenti.ca: dragonmantankSeptember 20, 2011NWO-PUG 1
Who are you and why are you in my house?Chris TankersleyDoing PHP for 8 YearsLots of projects no one uses, and a few that some doTL;DR https://github.com/dragonmantankNWO-PUG 2September 20, 2011
The Parts of SecurityIt’s more than just a username/passwordNWO-PUG 3September 20, 2011
What is Secure Programming?Minimizing Attack SurfaceEstablishing Secure DefaultsPrinciple of Least PrivilegeDefense in DepthFail SecurelyDon’t Trust Services or UsersSeparation of DutiesAvoid Security through ObscurityKeep Security SimpleFix Security Issues CorrectlySeptember 20, 2011NWO-PUG 4https://www.owasp.org/index.php/Secure_Coding_Principles
Most Common AttacksAnd how to avoid themNWO-PUG 5September 20, 2011
OWASP Top 10InjectionCross-Site ScriptingBroken Authentication and Session ManagementInsecure Direct Object ReferencesCross-Site Request ForgerySecurity MisconfigurationInsecure Cryptographic StorageFailure To Restrict URL AccessInsufficient Transport Layer ProtectionUnvalidated Redirects and ForwardsNWO-PUG 6https://www.owasp.org/index.php/Category:OWASP_Top_Ten_ProjectSeptember 20, 2011
InjectionNWO-PUG 7September 20, 2011
What is Injection?When a user or service corrupts a command due to improper validation of inputSeptember 20, 2011NWO-PUG 8
Many Shapes and SizesSQL InjectionCommand InjectionHTML InjectionSeptember 20, 2011NWO-PUG 9
Protecting against Injections AttacksFilter user inputEscape anything not hard-codedIgnore $_REQUESTNWO-PUG 10September 20, 2011
SQL InjectionNWO-PUG 11September 20, 2011
A Bit More Real LifeNWO-PUG 12September 20, 2011
Protecting against SQL InjectionUse PDO and prepared statementsNWO-PUG 13September 20, 2011
Command InjectionWhen your script calls an external program, users can run codeNWO-PUG 14September 20, 2011
Protecting against Command InjectionIf allowing the user to specify commands, use escapeshellcmd()If allowing the user to specify arguments, use escapeshellarg()NWO-PUG 15September 20, 2011
HTML/Script InjectionHTML Injection: When user input is used to create new markup that the application did not expectScript Injection: When user input is used to add new scripting to a pageNWO-PUG 16September 20, 2011
HTML/Script InjectionNWO-PUG 17September 20, 2011
Protecting against HTML/Script InjectionDecide if you really need to take HTML inputIf you do:Use an HTML cleaner like Tidy or htmLawedCreate a whitelist of allowed tagsIf you don’t:Use htmlentities()/htmlspecialchars()NWO-PUG 18September 20, 2011
Cross Site ScriptingOr XSSNWO-PUG 19September 20, 2011
What is it?When a user injects a script into a page or extra JS into a command to send information to another siteSeptember 20, 2011NWO-PUG 20
How to avoid XSS?Since this is an injection attack, use the same steps as a HTML/Script injectionNWO-PUG 21September 20, 2011
Broken Authentication and Session ManagementNWO-PUG 22September 20, 2011
What is it?Insecure storing of credentialsSession IDs exposed via URLSession fixation attacksSeptember 20, 2011NWO-PUG 23
Storing CredentialsHash with a salt using the hash() commandDo not use md5 or sha1, use at least sha256md5 and sha1 are broken and not recommended for secure hashingIf you have to use the raw data, encrypt using mcrypt() Use AES256 (RIJNDAEL 256)NWO-PUG 24September 20, 2011
Session IDs in URLCommonly used when cookies can’t be enabledMake sure the following is set in your php.ini:session.use_trans_id = 0session.use_only_cookies = 1NWO-PUG 25September 20, 2011
Session FixationWhat happens if your users don’t log out?Use sessions to detect login statusNWO-PUG 26September 20, 2011
Insecure Direct Object ReferencesNWO-PUG 27September 20, 2011
What is it?Making sure that what the user is accessing they have access to.Should be handled by checking authorization when accessed, or mappingThis is not an injection attack, but a logic attackSeptember 20, 2011NWO-PUG 28
An ExampleNWO-PUG 29September 20, 2011
How to AvoidAlways check to make sure the user has authorization to access the resourceMap variables/whitelist to make it harderNWO-PUG 30September 20, 2011
Cross Site Request ForgeryOr CSRF AttacksNWO-PUG 31September 20, 2011
What is it?When unauthorized commands are sent to and from a trusted websiteIn days gone by, this would be done with Referral checking, but don’t trust referrer informationSeptember 20, 2011NWO-PUG 32
An example – Bank TransferA bank transfer is done via $_GET variablesUser is authenticated but not logged outNWO-PUG 33September 20, 2011
How to avoid thisInclude a hidden element in the form with a one-time valueNWO-PUG 34September 20, 2011
Security MisconfigurationNWO-PUG 35September 20, 2011
Beyond the scope of programmingCheck for server hardening guidelines for your OSPassword rotation practicesUnderstanding your settingsKeep your stack up to date!September 20, 2011NWO-PUG 36
Insecure Cryptographic StorageNWO-PUG 37September 20, 2011
More of a logic problemEncrypting data in the database, but leaving it unencrypted during outputUsing unsalted hashesSeptember 20, 2011NWO-PUG 38
How to avoid thisLike when storing credentials, use a salt whenever hashing informationOnly decrypt data when it is neededNWO-PUG 39September 20, 2011
Failure to Restrict URL AccessNWO-PUG 40September 20, 2011
What is it?When users can gain access to parts of the application just through URL manipulationWhen the app doesn’t check authorization properlySeptember 20, 2011NWO-PUG 41
Security through ObscurityDon’t trust that just because a user doesn’t know a URL, they can’t get to itFuzzers can find all kinds of things, especially if the app is commonNWO-PUG 42September 20, 2011
How to avoid thisALWAYS check authorization. The extra CPU cycles are worth it.NWO-PUG 43September 20, 2011
Insufficient Transport Layer ProtectionNWO-PUG 44September 20, 2011
Not using SSL when you shouldIf your data is sensitive, use SSLAre your logins behind SSL?There isn’t really an excuse. You can get an SSL cert for $9/year. September 20, 2011NWO-PUG 45
Unvalidated Redirects and ForwardsNWO-PUG 46September 20, 2011
What is it?When an app doesn’t properly validate that the redirect destination is validSeptember 20, 2011NWO-PUG 47
Putting it TogetherNWO-PUG 48September 20, 2011
Attacking from Multiple FrontsAttackers will employ many different vectors in an attackHTML injection can take advantage of a Broken Auth system and use XSS or URL restrictions to force users to do unintended actionsScript injection can lead to Session hijacking September 20, 2011NWO-PUG 49
Remember…Minimizing Attack SurfaceEstablishing Secure DefaultsPrinciple of Least PrivilegeDefense in DepthFail SecurelyDon’t Trust Services or UsersSeparation of DutiesAvoid Security through ObscurityKeep Security SimpleFix Security Issues CorrectlySeptember 20, 2011NWO-PUG 50https://www.owasp.org/index.php/Secure_Coding_Principles
Questions?September 20, 2011NWO-PUG 51

More Related Content

PDF
Owasp top 10_openwest_2019
bySean Jackson
 
PPS
Security In .Net Framework
byRamakanta Behera
 
PPTX
Web application attacks
byhruth
 
PDF
Common Web Application Attacks
byAhmed Sherif
 
PDF
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
PDF
2013 OWASP Top 10
bybilcorry
 
PDF
Secure code
byddeogun
 
PDF
Web Security 101
byMichael Peters
 
Owasp top 10_openwest_2019
bySean Jackson
 
Security In .Net Framework
byRamakanta Behera
 
Web application attacks
byhruth
 
Common Web Application Attacks
byAhmed Sherif
 
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
2013 OWASP Top 10
bybilcorry
 
Secure code
byddeogun
 
Web Security 101
byMichael Peters
 

What's hot

PPTX
.NET Security Topics
byShawn Gorrell
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
PDF
S8-Session Managment
byzakieh alizadeh
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPTX
Analysis of web application penetration testing
byEngr Md Yusuf Miah
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PPT
Secure Web Applications Ver0.01
byVasan Ramadoss
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
PDF
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
ODP
XSS
byHrishikesh Mishra
 
PDF
OWASPTop 10
byInnoTech
 
PPTX
Secure programming with php
byMohmad Feroz
 
PPTX
Web application attack Presentation
byKhoa Nguyen
 
PPTX
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
byDakiry
 
PDF
OWASP Secure Coding Practices - Quick Reference Guide
byLudovic Petit
 
PPTX
Web Security Attacks
bySajid Hasan
 
PDF
Pentesting RESTful webservices
byMohammed A. Imran
 
PPTX
Secure Code Warrior - Local storage
bySecure Code Warrior
 
ODP
Top 10 Web Security Vulnerabilities
byCarol McDonald
 
.NET Security Topics
byShawn Gorrell
 
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
S8-Session Managment
byzakieh alizadeh
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
Analysis of web application penetration testing
byEngr Md Yusuf Miah
 
Owasp top 10 2013
byEdouard de Lansalut
 
Secure Web Applications Ver0.01
byVasan Ramadoss
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
XSS
byHrishikesh Mishra
 
OWASPTop 10
byInnoTech
 
Secure programming with php
byMohmad Feroz
 
Web application attack Presentation
byKhoa Nguyen
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
byDakiry
 
OWASP Secure Coding Practices - Quick Reference Guide
byLudovic Petit
 
Web Security Attacks
bySajid Hasan
 
Pentesting RESTful webservices
byMohammed A. Imran
 
Secure Code Warrior - Local storage
bySecure Code Warrior
 
Top 10 Web Security Vulnerabilities
byCarol McDonald
 

Viewers also liked

PDF
Il lavoro delle donne nel settore turismo
byFormazioneTurismo
 
PPS
Gimnazjum Szesciokolowe
byguest86d246
 
PPT
SchoolTripRA
bySheffield West City Learning Centre
 
PPT
Tag You’re it! Creating Cross Curricular Teams from Scratch
byccpc
 
PPS
Bankomat
byEnes Tabudic
 
PPTX
Faktor penentangan musyrikin quraisy terhadap dakwah rasulullah saw
bycba0004
 
PPTX
Rq
byChetan Dev
 
PDF
Indo Japan Trade & Investment Bulletine - January-2013
byCorporate Professionals
 
PPTX
Prezentare Soft Expert
bySoft Expert SRL
 
PPT
отличницы
byPereznatnova
 
PPTX
sGen Club 4thExhibition SmartRetail Cardtumbler
bySe Ran Kim
 
TXT
Playrlic
byAnshu Mehra
 
PDF
Bach duet 802
byjoansoco
 
ODP
Diapositiva 3
byAarón Carballo
 
DOC
Suresh p resume c4 latest
bysuresh kumar
 
PPTX
Evaluation
byVickie Louise
 
PPTX
Lingkaran
bySilvia Andriani
 
DOC
αθλητικα ποδοσφαιρο
byBasilis Drosos
 
PPTX
Evaluation Question 2
byoliviagodd
 
PPT
Métodos anticonceptivos
byErika Barajas Leyva
 
Il lavoro delle donne nel settore turismo
byFormazioneTurismo
 
Gimnazjum Szesciokolowe
byguest86d246
 
SchoolTripRA
bySheffield West City Learning Centre
 
Tag You’re it! Creating Cross Curricular Teams from Scratch
byccpc
 
Bankomat
byEnes Tabudic
 
Faktor penentangan musyrikin quraisy terhadap dakwah rasulullah saw
bycba0004
 
Rq
byChetan Dev
 
Indo Japan Trade & Investment Bulletine - January-2013
byCorporate Professionals
 
Prezentare Soft Expert
bySoft Expert SRL
 
отличницы
byPereznatnova
 
sGen Club 4thExhibition SmartRetail Cardtumbler
bySe Ran Kim
 
Playrlic
byAnshu Mehra
 
Bach duet 802
byjoansoco
 
Diapositiva 3
byAarón Carballo
 
Suresh p resume c4 latest
bysuresh kumar
 
Evaluation
byVickie Louise
 
Lingkaran
bySilvia Andriani
 
αθλητικα ποδοσφαιρο
byBasilis Drosos
 
Evaluation Question 2
byoliviagodd
 
Métodos anticonceptivos
byErika Barajas Leyva
 

Similar to PHP Security Tips

PDF
The Security Code Review Guide
byNicola Pietroluongo
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PPTX
Building a Simple Python-Based Website Vulnerability Scanner
byBoston Institute of Analytics
 
PPTX
Phishing Seminar By M Nadeem Qazi(MnQazi) pptx
byM Nadeem Qazi
 
PPTX
Building a Simple Python Tool for Website Vulnerability Scanning
byBoston Institute of Analytics
 
PPTX
Exploiting HTML Injection: A Comprehensive Proof of Concept
byBoston Institute of Analytics
 
PDF
Building Secure Apps in the Cloud
byAtlassian
 
PPTX
Owasp Top 10 Vulnerabilities List
byVamsi K
 
PPTX
Web Security: Login Bypass, SQLi, CSRF & XSS.pptx
bySahilGupta752945
 
PPTX
Web API Security
byStefaan
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PDF
Module 12 (web application vulnerabilities)
byWail Hassan
 
PPT
OWASP: Building Secure Web Apps
bymlogvinov
 
PPTX
Advanced SQL Injection
byJoe McCray
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
Webhooks
byStudy Section
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
PPTX
The curious case of mobile app security.pptx
byAnkit Giri
 
PPTX
Reverse Engineering .NET and Java
byJoe Kuemerle
 
The Security Code Review Guide
byNicola Pietroluongo
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
API Security Best Practices and Guidelines
byWSO2
 
Building a Simple Python-Based Website Vulnerability Scanner
byBoston Institute of Analytics
 
Phishing Seminar By M Nadeem Qazi(MnQazi) pptx
byM Nadeem Qazi
 
Building a Simple Python Tool for Website Vulnerability Scanning
byBoston Institute of Analytics
 
Exploiting HTML Injection: A Comprehensive Proof of Concept
byBoston Institute of Analytics
 
Building Secure Apps in the Cloud
byAtlassian
 
Owasp Top 10 Vulnerabilities List
byVamsi K
 
Web Security: Login Bypass, SQLi, CSRF & XSS.pptx
bySahilGupta752945
 
Web API Security
byStefaan
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
Module 12 (web application vulnerabilities)
byWail Hassan
 
OWASP: Building Secure Web Apps
bymlogvinov
 
Advanced SQL Injection
byJoe McCray
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Webhooks
byStudy Section
 
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
The curious case of mobile app security.pptx
byAnkit Giri
 
Reverse Engineering .NET and Java
byJoe Kuemerle
 

More from Chris Tankersley

PDF
8 Rules for Better Applications - PHP Tek 2025
byChris Tankersley
 
PDF
The Art of API Design - PHP Tek 2025, Chris Tankersley
byChris Tankersley
 
PDF
Docker is Dead: Long Live Containers
byChris Tankersley
 
PDF
Bend time to your will with git
byChris Tankersley
 
PDF
Using PHP Functions! (Not those functions, Google Cloud Functions)
byChris Tankersley
 
PDF
Dead Simple APIs with OpenAPI
byChris Tankersley
 
PDF
Killer Docker Workflows for Development
byChris Tankersley
 
PDF
You Got Async in my PHP!
byChris Tankersley
 
ODP
Docker for Developers - PHP Detroit 2018
byChris Tankersley
 
ODP
Docker for Developers
byChris Tankersley
 
ODP
They are Watching You
byChris Tankersley
 
ODP
BASHing at the CLI - Midwest PHP 2018
byChris Tankersley
 
PDF
You Were Lied To About Optimization
byChris Tankersley
 
ODP
Docker for PHP Developers - php[world] 2017
byChris Tankersley
 
ODP
Docker for PHP Developers - Madison PHP 2017
byChris Tankersley
 
ODP
Docker for Developers - php[tek] 2017
byChris Tankersley
 
ODP
Why Docker? Dayton PHP, April 2017
byChris Tankersley
 
PPTX
OOP Is More Then Cars and Dogs - Midwest PHP 2017
byChris Tankersley
 
PPTX
From Docker to Production - SunshinePHP 2017
byChris Tankersley
 
PPTX
Docker for Developers - Sunshine PHP
byChris Tankersley
 
8 Rules for Better Applications - PHP Tek 2025
byChris Tankersley
 
The Art of API Design - PHP Tek 2025, Chris Tankersley
byChris Tankersley
 
Docker is Dead: Long Live Containers
byChris Tankersley
 
Bend time to your will with git
byChris Tankersley
 
Using PHP Functions! (Not those functions, Google Cloud Functions)
byChris Tankersley
 
Dead Simple APIs with OpenAPI
byChris Tankersley
 
Killer Docker Workflows for Development
byChris Tankersley
 
You Got Async in my PHP!
byChris Tankersley
 
Docker for Developers - PHP Detroit 2018
byChris Tankersley
 
Docker for Developers
byChris Tankersley
 
They are Watching You
byChris Tankersley
 
BASHing at the CLI - Midwest PHP 2018
byChris Tankersley
 
You Were Lied To About Optimization
byChris Tankersley
 
Docker for PHP Developers - php[world] 2017
byChris Tankersley
 
Docker for PHP Developers - Madison PHP 2017
byChris Tankersley
 
Docker for Developers - php[tek] 2017
byChris Tankersley
 
Why Docker? Dayton PHP, April 2017
byChris Tankersley
 
OOP Is More Then Cars and Dogs - Midwest PHP 2017
byChris Tankersley
 
From Docker to Production - SunshinePHP 2017
byChris Tankersley
 
Docker for Developers - Sunshine PHP
byChris Tankersley
 

Recently uploaded

PDF
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
PDF
A PROJECT ON EVOLUTION OF DNA FINGERPRINTING AND ITS TECHNOLOGY
bychandrakalasahu568
 
PPTX
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
PDF
Starting a Customer Education Program: Taking Your Training to Them
byRustici Software
 
PDF
A business case for open source: From lock-in to value.pdf
byMindtrek
 
PDF
“Multimodal Enterprise-scale Applications in the Generative AI Era,” a Presen...
byEdge AI and Vision Alliance
 
PDF
A Guide to Microsoft Azure's Scalable and Secure Cloud Solutions
byTeleglobal International
 
PDF
Dr. PANKAJ DHUSSA The near side of the Moon By NASA's Lunar Reconnaissance Or...
byDr. PANKAJ DHUSSA
 
PDF
Certificate of Completion For Getting Started With Azure
byNeel Patel
 
PDF
Ultimate B2B Travel API Integration for Skyrocket Bookings
byanishadivaha
 
PDF
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
PDF
Dr. PANKAJ DHUSSA NASA 2025 INTERNATIONAL OBSERVE THE MOON NIGHT
byDr. PANKAJ DHUSSA
 
PPTX
Unit 1- Strategies to AVOID ErrorsBias.pptx
byapurvshimpi02
 
PPTX
sap 2016-09-14_PP_MRPType_VB_Blogged.pptx
byAmira Jemi
 
PPTX
hackathon[1][1].pptx Cost-Effective Detection of LV Line Breakage
byvivekpunde6
 
PDF
Uber Clone Future Mobility and Transportation.pdf
byV3cube
 
PDF
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
PDF
What Are AI Agentic Workflows? Unlock the Power of AI Agents in 2025!
byTeleglobal International
 
PDF
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
PDF
Web Mapping 101: Creating Dynamic Web Maps with Geospatial Data
bySafe Software
 
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
A PROJECT ON EVOLUTION OF DNA FINGERPRINTING AND ITS TECHNOLOGY
bychandrakalasahu568
 
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
Starting a Customer Education Program: Taking Your Training to Them
byRustici Software
 
A business case for open source: From lock-in to value.pdf
byMindtrek
 
“Multimodal Enterprise-scale Applications in the Generative AI Era,” a Presen...
byEdge AI and Vision Alliance
 
A Guide to Microsoft Azure's Scalable and Secure Cloud Solutions
byTeleglobal International
 
Dr. PANKAJ DHUSSA The near side of the Moon By NASA's Lunar Reconnaissance Or...
byDr. PANKAJ DHUSSA
 
Certificate of Completion For Getting Started With Azure
byNeel Patel
 
Ultimate B2B Travel API Integration for Skyrocket Bookings
byanishadivaha
 
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
Dr. PANKAJ DHUSSA NASA 2025 INTERNATIONAL OBSERVE THE MOON NIGHT
byDr. PANKAJ DHUSSA
 
Unit 1- Strategies to AVOID ErrorsBias.pptx
byapurvshimpi02
 
sap 2016-09-14_PP_MRPType_VB_Blogged.pptx
byAmira Jemi
 
hackathon[1][1].pptx Cost-Effective Detection of LV Line Breakage
byvivekpunde6
 
Uber Clone Future Mobility and Transportation.pdf
byV3cube
 
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
What Are AI Agentic Workflows? Unlock the Power of AI Agents in 2025!
byTeleglobal International
 
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
Web Mapping 101: Creating Dynamic Web Maps with Geospatial Data
bySafe Software
 

PHP Security Tips

  • 1.
    PHP SecurityE-mail: chris@ctankersley.comTwitter:@dragonmantankIdenti.ca: dragonmantankSeptember 20, 2011NWO-PUG 1
  • 2.
    Who are youand why are you in my house?Chris TankersleyDoing PHP for 8 YearsLots of projects no one uses, and a few that some doTL;DR https://github.com/dragonmantankNWO-PUG 2September 20, 2011
  • 3.
    The Parts ofSecurityIt’s more than just a username/passwordNWO-PUG 3September 20, 2011
  • 4.
    What is SecureProgramming?Minimizing Attack SurfaceEstablishing Secure DefaultsPrinciple of Least PrivilegeDefense in DepthFail SecurelyDon’t Trust Services or UsersSeparation of DutiesAvoid Security through ObscurityKeep Security SimpleFix Security Issues CorrectlySeptember 20, 2011NWO-PUG 4https://www.owasp.org/index.php/Secure_Coding_Principles
  • 5.
    Most Common AttacksAndhow to avoid themNWO-PUG 5September 20, 2011
  • 6.
    OWASP Top 10InjectionCross-SiteScriptingBroken Authentication and Session ManagementInsecure Direct Object ReferencesCross-Site Request ForgerySecurity MisconfigurationInsecure Cryptographic StorageFailure To Restrict URL AccessInsufficient Transport Layer ProtectionUnvalidated Redirects and ForwardsNWO-PUG 6https://www.owasp.org/index.php/Category:OWASP_Top_Ten_ProjectSeptember 20, 2011
  • 7.
  • 8.
    What is Injection?Whena user or service corrupts a command due to improper validation of inputSeptember 20, 2011NWO-PUG 8
  • 9.
    Many Shapes andSizesSQL InjectionCommand InjectionHTML InjectionSeptember 20, 2011NWO-PUG 9
  • 10.
    Protecting against InjectionsAttacksFilter user inputEscape anything not hard-codedIgnore $_REQUESTNWO-PUG 10September 20, 2011
  • 11.
  • 12.
    A Bit MoreReal LifeNWO-PUG 12September 20, 2011
  • 13.
    Protecting against SQLInjectionUse PDO and prepared statementsNWO-PUG 13September 20, 2011
  • 14.
    Command InjectionWhen yourscript calls an external program, users can run codeNWO-PUG 14September 20, 2011
  • 15.
    Protecting against CommandInjectionIf allowing the user to specify commands, use escapeshellcmd()If allowing the user to specify arguments, use escapeshellarg()NWO-PUG 15September 20, 2011
  • 16.
    HTML/Script InjectionHTML Injection:When user input is used to create new markup that the application did not expectScript Injection: When user input is used to add new scripting to a pageNWO-PUG 16September 20, 2011
  • 17.
  • 18.
    Protecting against HTML/ScriptInjectionDecide if you really need to take HTML inputIf you do:Use an HTML cleaner like Tidy or htmLawedCreate a whitelist of allowed tagsIf you don’t:Use htmlentities()/htmlspecialchars()NWO-PUG 18September 20, 2011
  • 19.
    Cross Site ScriptingOrXSSNWO-PUG 19September 20, 2011
  • 20.
    What is it?Whena user injects a script into a page or extra JS into a command to send information to another siteSeptember 20, 2011NWO-PUG 20
  • 21.
    How to avoidXSS?Since this is an injection attack, use the same steps as a HTML/Script injectionNWO-PUG 21September 20, 2011
  • 22.
    Broken Authentication andSession ManagementNWO-PUG 22September 20, 2011
  • 23.
    What is it?Insecurestoring of credentialsSession IDs exposed via URLSession fixation attacksSeptember 20, 2011NWO-PUG 23
  • 24.
    Storing CredentialsHash witha salt using the hash() commandDo not use md5 or sha1, use at least sha256md5 and sha1 are broken and not recommended for secure hashingIf you have to use the raw data, encrypt using mcrypt() Use AES256 (RIJNDAEL 256)NWO-PUG 24September 20, 2011
  • 25.
    Session IDs inURLCommonly used when cookies can’t be enabledMake sure the following is set in your php.ini:session.use_trans_id = 0session.use_only_cookies = 1NWO-PUG 25September 20, 2011
  • 26.
    Session FixationWhat happensif your users don’t log out?Use sessions to detect login statusNWO-PUG 26September 20, 2011
  • 27.
    Insecure Direct ObjectReferencesNWO-PUG 27September 20, 2011
  • 28.
    What is it?Makingsure that what the user is accessing they have access to.Should be handled by checking authorization when accessed, or mappingThis is not an injection attack, but a logic attackSeptember 20, 2011NWO-PUG 28
  • 29.
  • 30.
    How to AvoidAlwayscheck to make sure the user has authorization to access the resourceMap variables/whitelist to make it harderNWO-PUG 30September 20, 2011
  • 31.
    Cross Site RequestForgeryOr CSRF AttacksNWO-PUG 31September 20, 2011
  • 32.
    What is it?Whenunauthorized commands are sent to and from a trusted websiteIn days gone by, this would be done with Referral checking, but don’t trust referrer informationSeptember 20, 2011NWO-PUG 32
  • 33.
    An example –Bank TransferA bank transfer is done via $_GET variablesUser is authenticated but not logged outNWO-PUG 33September 20, 2011
  • 34.
    How to avoidthisInclude a hidden element in the form with a one-time valueNWO-PUG 34September 20, 2011
  • 35.
  • 36.
    Beyond the scopeof programmingCheck for server hardening guidelines for your OSPassword rotation practicesUnderstanding your settingsKeep your stack up to date!September 20, 2011NWO-PUG 36
  • 37.
  • 38.
    More of alogic problemEncrypting data in the database, but leaving it unencrypted during outputUsing unsalted hashesSeptember 20, 2011NWO-PUG 38
  • 39.
    How to avoidthisLike when storing credentials, use a salt whenever hashing informationOnly decrypt data when it is neededNWO-PUG 39September 20, 2011
  • 40.
    Failure to RestrictURL AccessNWO-PUG 40September 20, 2011
  • 41.
    What is it?Whenusers can gain access to parts of the application just through URL manipulationWhen the app doesn’t check authorization properlySeptember 20, 2011NWO-PUG 41
  • 42.
    Security through ObscurityDon’ttrust that just because a user doesn’t know a URL, they can’t get to itFuzzers can find all kinds of things, especially if the app is commonNWO-PUG 42September 20, 2011
  • 43.
    How to avoidthisALWAYS check authorization. The extra CPU cycles are worth it.NWO-PUG 43September 20, 2011
  • 44.
    Insufficient Transport LayerProtectionNWO-PUG 44September 20, 2011
  • 45.
    Not using SSLwhen you shouldIf your data is sensitive, use SSLAre your logins behind SSL?There isn’t really an excuse. You can get an SSL cert for $9/year. September 20, 2011NWO-PUG 45
  • 46.
    Unvalidated Redirects andForwardsNWO-PUG 46September 20, 2011
  • 47.
    What is it?Whenan app doesn’t properly validate that the redirect destination is validSeptember 20, 2011NWO-PUG 47
  • 48.
    Putting it TogetherNWO-PUG48September 20, 2011
  • 49.
    Attacking from MultipleFrontsAttackers will employ many different vectors in an attackHTML injection can take advantage of a Broken Auth system and use XSS or URL restrictions to force users to do unintended actionsScript injection can lead to Session hijacking September 20, 2011NWO-PUG 49
  • 50.
    Remember…Minimizing Attack SurfaceEstablishingSecure DefaultsPrinciple of Least PrivilegeDefense in DepthFail SecurelyDon’t Trust Services or UsersSeparation of DutiesAvoid Security through ObscurityKeep Security SimpleFix Security Issues CorrectlySeptember 20, 2011NWO-PUG 50https://www.owasp.org/index.php/Secure_Coding_Principles
  • 51.