5. SQL injections
● Creating queries by string concatenation is “the wrong way”
● MySQL (as driven from PHP) doesn't execute multiple queries in one call.
● Let the DB do the validation: use parametrized queries
● ORM frameworks lift the burden
● It is easy to forget to validate inline SQL somewhere
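The two ways of writing the same lookup, as an added example that is not from the slides: the concatenated query lets the input change the SQL text, the PDO prepared statement sends the value separately so it is never parsed as SQL. The table and rows are constructed, and an in-memory SQLite database stands in for MySQL so the script runs stand-alone.

```php
<?php
// Added example (not from the slides). Constructed data in an in-memory SQLite DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL this also makes PDO use real server-side prepares instead of client-side emulation
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 's1'), ('bob', 's2')");

// Untrusted input (think $_GET['name']); this constructed value closes the string literal
$name = "' OR '1'='1";

// WRONG: the value is spliced into the SQL text, so the quote changes the query's meaning
$unsafe = $db->query("SELECT name FROM users WHERE name = '$name'")
             ->fetchAll(PDO::FETCH_COLUMN);
var_dump($unsafe);   // every user is returned

// RIGHT: the query text is fixed at prepare time; the value travels as data
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));   // empty: nobody is literally named "' OR '1'='1"
```

Placeholders can only stand for values: table or column names and ORDER BY directions still have to be validated against a whitelist in code, which is the "inline SQL somewhere" the last bullet warns about.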
7. XSS
● Escape HTML/JS/XML special characters on output
● Vulnerability can exist on client side (JS).
● It can get hairy with JS, AJAX, JSONP etc ...
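Escaping is context dependent, which is where it "gets hairy": the same value needs HTML escaping in markup and JSON encoding inside a script block. An added example (not from the slides) of a small PHP template doing both; the input value is constructed.

```php
<?php
// Added example (not from the slides): escape on output, per context.
function e(string $s): string
{
    // HTML body and attribute context: &, <, >, " and ' become entities
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function js($v): string
{
    // JavaScript context: emit a JSON literal; the HEX flags also encode < > & ' "
    // so the literal cannot terminate the surrounding <script> element
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                            | JSON_THROW_ON_ERROR);
}

// constructed untrusted input, think $_GET['q']
$q = '<script>alert(1)</script>" onmouseover="alert(2)';
?>
<p>Results for <?= e($q) ?></p>
<input value="<?= e($q) ?>">
<script>
  // becomes a JS string literal; the browser never sees a raw < or "
  var query = <?= js($q) ?>;
  document.title = 'Search: ' + query;   // setting a DOM property, not innerHTML
</script>
```

Escaping for the wrong context (HTML-escaping a value that ends up inside a JavaScript string, or putting an escaped value into `innerHTML` on the client) is the usual way the client-side variant of the bug appears.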
8. CSRF
<img src="http://www.bank.lv/pay?to=kristaps&amount=100" />
● Third-party unauthorized request to the web site
● Include a unique token in each response and validate it on request.
● Never update data with GET
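The token scheme from the two bullets above, as an added example that is not from the slides: a random per-session token is embedded in every form and checked on every state-changing request, and the state change is only reachable by POST, so the `<img>` trick (which can only issue GETs) does nothing. The `/pay` action is assumed.

```php
<?php
// Added example (not from the slides): per-session anti-CSRF token for a hypothetical /pay action.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));   // 256 unpredictable bits
    }
    return $_SESSION['csrf'];
}

function csrf_check(): void
{
    $sent = $_POST['csrf'] ?? '';
    // hash_equals: constant-time comparison, so response timing does not leak the token
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check();                       // a forged cross-site POST has no token and stops here
    // ... perform the transfer for $_POST['to'] / $_POST['amount'] here ...
    exit('ok');
}
// GET only renders the form; it never changes data
?>
<form method="post" action="/pay">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input name="to"> <input name="amount"> <button>Pay</button>
</form>
```

The token must be HTML-escaped like any other output, and it is worthless if the site has an XSS hole, since injected script can read the form and submit it with the token included.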
9. Storing passwords
● Do not expose DB / other credentials
● MD5 is too “cheap”. SHA1 is not “expensive enough”
● Make hash functions slow.
● Multiple iterations
● Bcrypt
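Bcrypt through PHP's `password_hash` / `password_verify`, as an added example that is not from the slides. The cost parameter is the "multiple iterations" knob: each increment doubles the work, for the attacker as much as for you. The cost value and the demo passwords are assumptions.

```php
<?php
// Added example (not from the slides): slow, salted password hashing with bcrypt.
const BCRYPT_COST = 12;   // assumed policy: tune so one hash takes roughly 100 ms on the login server

function store_password(string $plain): string
{
    // password_hash draws a random salt and embeds algorithm, cost and salt in the result
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function check_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);   // reads cost and salt back out of $stored
}

function needs_upgrade(string $stored): bool
{
    // true when the stored hash was made with a lower cost (or another algorithm) than current policy:
    // rehash on the next successful login, when the plaintext is available
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// constructed demo
$h = store_password('correct horse');
var_dump(check_password('correct horse', $h));   // true
var_dump(check_password('wrong', $h));           // false
var_dump(needs_upgrade($h));                     // false: already at the current cost

// why MD5 is "too cheap": one digest versus one bcrypt verification
$t = microtime(true); md5('correct horse');            $fast = microtime(true) - $t;
$t = microtime(true); check_password('correct horse', $h); $slow = microtime(true) - $t;
printf("md5: %.6f s   bcrypt(cost %d): %.3f s\n", $fast, BCRYPT_COST, $slow);
```

Two caveats a practitioner will hit: bcrypt only looks at the first 72 bytes of the password, and the cost should be revisited as hardware gets faster, which is what `password_needs_rehash` is for.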
10. Authorization vs Authentication
Authentication: verifying the user's credentials. Usually done once per session.
Authorization: checking that the user is allowed to perform a particular action. Must be done on every request.
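The distinction in code, as an added example that is not from the slides: the login step writes the identity into the session once; every later request re-checks, server-side, that this identity may touch the requested object. The document-ownership table and the URL parameter are constructed.

```php
<?php
// Added example (not from the slides): authenticate once, authorize on every request.
session_start();

// constructed data: which user owns which document (in a real app this is a DB lookup)
$owners = ['doc1' => 'alice', 'doc2' => 'bob'];

function login(string $user, string $password): bool
{
    // credentials checked exactly once; the verified identity is then kept server-side
    if ($user === 'alice' && $password === 'demo') {   // constructed credential check
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        return true;
    }
    return false;
}

function require_login(): string
{
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('login required');
    }
    return $_SESSION['user'];
}

function authorize_document(string $user, string $doc, array $owners): void
{
    // Being logged in is not enough: the client chose $doc, so ownership is checked here,
    // on this request, not only when the link was rendered
    if (($owners[$doc] ?? null) !== $user) {
        http_response_code(403);
        exit('forbidden');
    }
}

$user = require_login();                      // authentication state from the session
$doc  = $_GET['id'] ?? '';                    // e.g. /doc?id=doc2
authorize_document($user, $doc, $owners);     // alice asking for doc2 gets 403
echo "contents of $doc";
```

Hiding a link from the menu is not authorization; the check has to run in the handler that serves the object.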
11. Session fixation
● Session cookie stealing / guessing
● Initialize sessions
● Tie sessions to IP address / User Agent
● Expire / invalidate sessions.
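The four bullets put together, as an added example that is not from the slides: strict mode rejects session IDs the server never issued, the ID is regenerated at login, the session is tied to the client's address and user agent, and idle sessions are invalidated. The lifetime is an assumed policy.

```php
<?php
// Added example (not from the slides): session hardening against fixation and cookie theft.
ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not create (kills fixation via a planted ID)
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
ini_set('session.cookie_httponly', '1');   // script cannot read the cookie
ini_set('session.cookie_secure', '1');     // cookie only travels over HTTPS
session_start();

const SESSION_IDLE_LIMIT = 1800;   // assumed policy: 30 minutes of inactivity

function login(string $user): void
{
    session_regenerate_id(true);   // fresh ID after authentication: whatever ID the client had before is now dead
    $_SESSION['user'] = $user;
    $_SESSION['ua']   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last'] = time();
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');   // expire the cookie on the client too
    session_destroy();
}

function validate_session(): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    if (time() - $_SESSION['last'] > SESSION_IDLE_LIMIT) {
        logout();                                 // expired
        return false;
    }
    if ($_SESSION['ua'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '')
        || $_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        logout();                                 // cookie replayed from a different client
        return false;
    }
    $_SESSION['last'] = time();                   // sliding expiry
    return true;
}
```

Binding to the IP address is the strongest of these but also the one that logs out legitimate users whose address changes (mobile networks, large NATs); binding to the user agent is weaker but rarely breaks anything.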
17. One .php file as one script
The PHP engine has no “application” concept.
Class files, configuration files, etc. should not be executable…
...and everything that is not .php is, by default, dumped as plaintext to the browser.
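One way to stop the web server from serving or executing files that were never meant to be requested directly, as an added example that is not from the slides. It assumes an Apache 2.4 virtual host whose DocumentRoot is a `public/` directory, with classes and configuration kept one level above it; the paths and extensions are assumptions.

```apacheconf
# Added example (not from the slides). Assumed layout: /var/www/app/public is DocumentRoot,
# /var/www/app/lib and /var/www/app/config are outside it and reachable only via include().
DocumentRoot /var/www/app/public
<Directory /var/www/app/public>
    Require all granted
    Options -Indexes            # no directory listings of whatever ends up here
</Directory>

# Belt and braces: if a library or config file does land under the web root,
# refuse to serve it instead of dumping it as plaintext
<FilesMatch "\.(inc|conf|ini|log|sql|bak|orig|swp)$">
    Require all denied
</FilesMatch>
# Editor backups of scripts ("index.php~") are not .php and would otherwise be sent as source
<FilesMatch "~$">
    Require all denied
</FilesMatch>
```

The complementary habit on the PHP side is to start every included file with a guard such as `defined('APP_ENTRY') or exit;`, where `APP_ENTRY` is a constant only the front controller defines, so an include that is requested directly does nothing.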
18. include and require accept URLs as parameters
Remote code injection made dead easy
If you disable allow_url_fopen, you cannot open any URL (without cURL)
19. All these settings should be disabled by default
On most hosting servers they are not
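A php.ini fragment with the settings slides 18 and 19 are about, as an added example that is not from the slides; the directory paths are assumptions. Note that `allow_url_include` is a separate directive from `allow_url_fopen` (since PHP 5.2), so remote includes can be switched off while `file_get_contents('http://...')` keeps working if you need it.

```ini
; Added example (not from the slides): php.ini hardening for a single site. Paths are assumed.
allow_url_include = Off      ; include/require never fetch code over http://, ftp://, etc.
allow_url_fopen   = Off      ; fopen()/file_get_contents() refuse URLs too; use cURL for outbound HTTP
display_errors    = Off      ; no stack traces, file paths or SQL fragments shown to visitors
log_errors        = On
error_log         = /var/log/php/app.log
expose_php        = Off      ; drop the X-Powered-By: PHP/x.y header
open_basedir      = /var/www/app:/tmp       ; file functions confined to the site ("jail")
upload_tmp_dir    = /var/www/app/tmp
session.save_path = /var/www/app/sessions   ; not the world-readable shared default
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
session.use_strict_mode = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
```

Check the effective values with `php -i` (or `phpinfo()` on a page you delete afterwards), not the file on disk: on shared hosts a per-directory `php.ini`, `.user.ini` or `php_admin_value` in the vhost may override what you wrote.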
21. TLS (SSL)
● Public-Private key infrastructure
● Server verification and data encryption
● Ultimate trust to Certificate Authorities (CA)
● Don't use self-signed certificates. Roll out your own CA.
22. Secure / insecure protocols
● HTTP sends all information in plaintext
● So do FTP/IMAP/POP3/SMTP
● Use HTTPS / SFTP / IMAPS / POP3S / SMTP over TLS
● DNS is built on trust. DNSSEC is not (yet) working.
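What "roll out your own CA" and "IMAP over TLS" look like from a PHP client, as an added example that is not from the slides: the connection is made with `tls://`, peer verification is on, and the trust anchor is your in-house CA certificate rather than the system bundle or a blanket `allow_self_signed`. The host name, port and CA file path are assumptions.

```php
<?php
// Added example (not from the slides). Assumed: mail.example.lv speaks IMAP over TLS on 993
// and /etc/ssl/company-ca.pem holds the root certificate of the organisation's own CA.
$host = 'mail.example.lv';
$ctx = stream_context_create(['ssl' => [
    'verify_peer'       => true,                      // chain must validate ...
    'verify_peer_name'  => true,                      // ... and the name must match
    'allow_self_signed' => false,                     // a self-signed leaf is not good enough
    'cafile'            => '/etc/ssl/company-ca.pem', // trust only what our CA issued
    'peer_name'         => $host,
]]);

$sock = @stream_socket_client("tls://$host:993", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if ($sock === false) {
    // A certificate our CA did not issue, or a name mismatch, fails the handshake here,
    // before any credentials are written to the socket
    fwrite(STDERR, "TLS handshake to $host failed: $errstr ($errno)\n");
    exit(1);
}
echo fgets($sock);                  // server greeting, e.g. "* OK [CAPABILITY ...]"
fwrite($sock, "a1 LOGOUT\r\n");     // credentials would go here in a real client, after verification
echo fgets($sock);
fclose($sock);
```

For cURL the equivalent options are `CURLOPT_SSL_VERIFYPEER`, `CURLOPT_SSL_VERIFYHOST` (value 2) and `CURLOPT_CAINFO`; the common mistake is turning the first two off to make a self-signed certificate "work", which leaves the encryption in place but removes the server verification the slide lists.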
23. [D]DoS
● DoS – “million” requests from one client
● DDoS – “zillion” requests from “million” clients
● Handle DoS at firewall level.
● Try to survive DDoS at router level.
24. Shared hosting
● Easy, fast, secure – pick two
● “Jail” each site
● SELinux / AppArmor to the rescue
● IDS / mod_security is slow
● Test backups.
25. Real life 100% secure system
Slide intentionally left blank
27. Passwords
Passwords are like underwear.
You don't share them and you change them often.
KeepassX
28. Think
● Don't use plaintext protocols over open WiFi
● Secure your home router
● Check URLs and filenames
● Malware doesn't expose itself anymore
● Botnet
● Information stealing
● Avoid buggy and insecure software (Flash and Acrobat Reader).
30. Handling incidents
● Not all hackers are bad
● Preserve evidence
● Presume that the attacker obtained maximum information.
● System is compromised
● Eliminate attack vectors
● Offline backups help.
32. Further reading
● www.owasp.org – knowledge
● www.cert.lv – Latvian network security team
Books
● Stealing the Network: How to Own the Box by R. Russell – hacking “fiction” book.
● The Art of Deception by Kevin Mitnick – hacker “memoirs”