SECURING YOUR WEB APPS NOW
TIPS TO MAKE YOUR SITE LESS HACKABLE
WHO?
• Stephan Steynfaardt
• Solutions Architect & Tech Lead
• CISSP certified
• White hat penetration testing
• @ssteynfaardt
WHAT?
• Validation
• SQL injection
• OS injection
• Code injection
• File upload
• Information leakage
• Broken Authentication & Session Management
• XSS
WHY?
IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER
IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.
I don’t even trust the panda
ANY 4 YEAR OLD WITH AN INTERNET CONNECTION
Nothing to do with SSL
WEB APPLICATIONS TESTED BY OWASP
WORLD’S BIGGEST DATA BREACHES 2013
HOW?
• More than one security layer
• Validate
• Escape
• Bind SQL
• Least privileges
• Generic exception/error messages
• Don't display error messages to the user
VALIDATION
• Client side validation is useless
• Whitelisting acceptance criteria
• Typecast your variables
• Never trust any data
• RespectValidation
Top 10 OWASP list
SQL INJECTION
• Don't use quotes – you only need to miss one
• Always bind your parameters
BIND PARAMETER
$sql = "SELECT * FROM users WHERE name=:name AND age=:age";
$stmt = $db->prepare($sql);
$stmt->execute(array(":name" => $name, ":age" => $age));
SQL INJECTION
• Only grant the SQL privileges the application requires
• sqlmap
Cracking password hashes
SQL MAP
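As an added example (not code from the slides), the validation and bind-parameter advice combined in one place: whitelist-validate and typecast the request values first, then bind them with explicit types. The quoted-string query is kept only for contrast. The in-memory SQLite database, the user rows and the request values are all constructed here; the example assumes the pdo_sqlite extension.

```php
<?php
// Added example (not from the slides): whitelist-validate and typecast the
// request values first, then bind them. The quoted-string query is shown only
// for contrast with the bound version.
declare(strict_types=1);

// Constructed in-memory SQLite database so the example runs offline
// (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
$db->exec("INSERT INTO users (name, age) VALUES ('alice', 34), ('bob', 27)");

// Constructed request input; in production this comes from $_GET / $_POST.
$input = ['name' => "' OR 1=1 --", 'age' => '34'];

// VULNERABLE: quotes around interpolated input. A quote inside the value
// closes the string early and the rest of the value becomes SQL.
function findUsersUnsafe(PDO $db, string $name, string $age): array
{
    $sql = "SELECT * FROM users WHERE name='$name' AND age='$age'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: whitelist, typecast, then bound parameters with explicit types.
function findUsersSafe(PDO $db, array $input): array
{
    // Whitelist: a username is 1-32 characters of [a-z0-9_]; anything else is refused.
    $name = (string) ($input['name'] ?? '');
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        throw new InvalidArgumentException('invalid username');
    }
    // Typecast: age must parse as an integer inside a sane range.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        throw new InvalidArgumentException('invalid age');
    }

    // Bound values travel separately from the SQL text and cannot change its structure.
    $stmt = $db->prepare('SELECT * FROM users WHERE name = :name AND age = :age');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The quoted query matches every row: the OR clause is true and the comment
// marker swallows the rest of the WHERE clause.
echo 'unsafe query rows: ', count(findUsersUnsafe($db, $input['name'], $input['age'])), "\n";

// The hardened path refuses the payload before it reaches the database ...
try {
    findUsersSafe($db, $input);
} catch (InvalidArgumentException $e) {
    echo 'safe query: ', $e->getMessage(), "\n";
}
// ... and with clean input returns only the matching row.
echo 'safe query rows: ', count(findUsersSafe($db, ['name' => 'alice', 'age' => '34']), "\n";
```

The whitelist does the heavy lifting: a value that cannot contain a quote or a comment marker cannot close a string or truncate a query, and binding is the second layer that holds even if the whitelist is loosened later.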
CODE INJECTION
• Eval() === Evil
$var = 1;
$newvalue = isset($_GET['id']) ? $_GET['id'] : 0;
eval('$var = ' . $newvalue . ';');
echo $var;
• The PHP manual warns you against using eval()
CODE INJECTION
• Don’t use preg_replace() with /e
• PHP 5.5 deprecated /e
• Dynamic function injection – don’t call it from the URL
• local.php?file=some_file.log
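As an added example (not code from the slides), replacements for the two patterns on the code-injection slides: the eval() snippet that only ever needed an integer, and a ?file= parameter used as a path. The request values, the whitelist keys and the temporary log directory are constructed for the demonstration.

```php
<?php
// Added example (not from the slides): replacements for eval('$var = ' . $id)
// and for opening whatever ?file= names.
declare(strict_types=1);

// Constructed request input; in production these are $_GET values.
$get = ['id' => '1; phpinfo()', 'file' => '../../etc/passwd'];

// Replacement for eval('$var = ' . $newvalue . ';'): the slide's code only
// ever needed an integer, so validate it as one. No code is built from input.
function readId(array $get): int
{
    $id = filter_var($get['id'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    return $id === false ? 0 : $id;
}

// Replacement for include/readfile($_GET['file']): the request carries a short
// key that is looked up in a fixed whitelist; the request value is never used
// as a path. Keys and file names are hypothetical.
const ALLOWED_FILES = [
    'app'    => 'app.log',
    'access' => 'access.log',
];

function resolveLogFile(array $get, string $logDir): ?string
{
    $key = (string) ($get['file'] ?? '');
    if (!array_key_exists($key, ALLOWED_FILES)) {
        return null; // unknown key: nothing is opened
    }
    $base = realpath($logDir);
    $path = realpath($logDir . DIRECTORY_SEPARATOR . ALLOWED_FILES[$key]);
    // Second layer: the resolved path must still be inside the log directory,
    // which catches symlinks or a misconfigured whitelist entry.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demonstration with a constructed temporary log directory.
$logDir = sys_get_temp_dir() . '/demo-logs-' . bin2hex(random_bytes(4));
mkdir($logDir, 0750);
file_put_contents("$logDir/app.log", "constructed sample log line\n");

echo 'id from request: ', readId($get), "\n";      // the injection string is refused and becomes the default
var_dump(resolveLogFile($get, $logDir));            // traversal value is not a whitelist key
var_dump(resolveLogFile(['file' => 'app'], $logDir)); // whitelisted key resolves inside $logDir

unlink("$logDir/app.log");
rmdir($logDir);
```

The design point is that neither function ever turns request data into code or into a path; the request only selects among values the application already owns.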
OS INJECTION
• Statements executed directly on the OS
• Don’t use system()
• system('nslookup ' . $_POST['host']);
• 'google.com; rm -RF /var/www'
• Download any script with wget
• Validate file_get_contents()
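As an added example (not code from the slides), the slide's nslookup call with the host validated against a whitelist pattern before it is quoted with escapeshellarg(). The hostname pattern and the /usr/bin/nslookup path are assumptions; the two sample inputs are the slide's own.

```php
<?php
// Added example (not from the slides): validate the host, then quote it, so
// the value reaches nslookup as a single argument and never as shell syntax.
declare(strict_types=1);

// Validate first: a fully qualified hostname is labels of [a-z0-9-] joined by
// dots and nothing more. Shell metacharacters cannot pass this pattern at all.
function isValidHostname(string $host): bool
{
    $pattern = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    return preg_match($pattern, $host) === 1;
}

// Replacement for system('nslookup ' . $_POST['host']).
function lookupHost(string $host): ?string
{
    if (!isValidHostname($host)) {
        return null; // refused: nothing is executed
    }
    // Second layer: escapeshellarg() single-quotes the value, so even a value
    // that slipped past validation is one argument to nslookup rather than
    // something the shell interprets. The absolute path avoids a PATH lookup.
    $out = shell_exec('/usr/bin/nslookup ' . escapeshellarg($host) . ' 2>&1');
    return is_string($out) ? $out : '';
}

// The slide's payload against a plain hostname: the first fails validation,
// and escapeshellarg() shows how it would be neutralised even if it had passed.
foreach (['google.com', 'google.com; rm -RF /var/www'] as $host) {
    printf("%-32s valid=%-3s quoted=%s\n", $host,
        isValidHostname($host) ? 'yes' : 'no', escapeshellarg($host));
}
```

Validation is the control that matters; escapeshellarg() is there for defence in depth, and the command itself should run as a low-privilege user so a bypass buys as little as possible.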
bring your own exploit
FILE UPLOADS
Actually any PHP n00bs
WORDPRESS N00BS
FILE UPLOADS
• Upload files outside of the webroot
• Check the mime-type
• file -i logo.png
logo.png: image/png; charset=binary
• file -i evil_file.png
evil_file.png: text/plain; charset=us-ascii
• Rename file
• Move to desired location
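As an added example (not code from the slides), an upload handler that applies the slide's steps in order: detect the real MIME type from the file contents (what `file -i` does), rename, then move outside the web root. UPLOAD_DIR is a hypothetical path, the two sample files at the bottom are constructed, and the fileinfo extension is assumed.

```php
<?php
// Added example (not from the slides): content-based type check, random
// rename, move outside the document root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';   // hypothetical, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// Whitelist of content types we accept, mapped to the extension we store under.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Classify by content, not by the client-supplied name and not by
// $_FILES[...]['type'], which the browser chooses.
function detectMime(string $path): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? $mime : 'application/octet-stream';
}

function storeUpload(array $file, string $uploadDir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only a file PHP itself received in this request may be moved.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $mime = detectMime($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }
    // Rename: random name plus our own extension; the user's filename is never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = $uploadDir . DIRECTORY_SEPARATOR . $name;
    // Move to the desired location, outside the document root.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // plain data, never executable
    return $name;
}

// Demonstration of the content check with two constructed files, mirroring the
// slide's `file -i` output: a minimal PNG signature, and a PHP script named .png.
$tmp = sys_get_temp_dir();
file_put_contents("$tmp/logo.png", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
file_put_contents("$tmp/evil_file.png", "<?php echo 'not an image';");
foreach (['logo.png', 'evil_file.png'] as $f) {
    $mime = detectMime("$tmp/$f");
    printf("%-14s %-24s %s\n", $f, $mime, isset(ALLOWED_TYPES[$mime]) ? 'accepted' : 'rejected');
}
unlink("$tmp/logo.png");
unlink("$tmp/evil_file.png");
```

Storing under a random name with an extension the server picked means that even a file that fools the content check is never served from a path an attacker chose, and keeping it outside the web root means it is never executed by the web server at all.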
INFORMATION LEAKAGE
• phpinfo()
• php.ini display_errors = Off
• php.ini display_startup_errors = Off
• php.ini error_reporting = E_ALL & ~E_DEPRECATED
• php.ini html_errors = Off
• php.ini log_errors = On
Always log your errors to a file
OVER SPECIFIC FEEDBACK
• Login form messages
• Forgotten debug statements
• Server headers
• php.ini: expose_php = Off
• httpd.conf: ServerTokens Full | OS | Minor | Major | Prod
• ModSecurity
SENSITIVE DATA EXPOSURE
All your data are belong to us
- NSA
• OWASP Top 10 2013: simply not encrypting data
• Only store the data you need
• MD5 and SHA1 are not for passwords
• Passwords are easy to guess
• Bcrypt is for passwords
ircmaxwell/password-compat, zendframework/zend-crypt
• PHP 5.5: password_hash()
• cost: more rounds = better security, but a bigger time/performance penalty
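As an added example (not code from the slides), password_hash() with an explicit cost, password_verify(), a transparent rehash when the cost is raised, and a login check that returns the same message whether the username is unknown or the password is wrong, which also covers the "login form messages" point from the feedback slide. The user store and the passwords are constructed; the example assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the slides): bcrypt via password_hash() with a cost,
// rehash-on-login, and a generic login failure message.
declare(strict_types=1);

const BCRYPT_COST = 12; // raise over time; each +1 roughly doubles the work

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Constructed user store (a database in practice); only the hash is stored.
$users = ['alice' => hashPassword('correct horse battery staple')];

// A hash for "no such user", so the verify step costs the same time either way
// and the response does not reveal which usernames exist.
$dummyHash = hashPassword('placeholder-not-a-real-password');

function login(array &$users, string $dummyHash, string $username, string $password): array
{
    $stored = $users[$username] ?? $dummyHash;
    $ok = password_verify($password, $stored) && isset($users[$username]);
    if (!$ok) {
        // One message for "unknown user" and "wrong password".
        return ['ok' => false, 'message' => 'Invalid username or password'];
    }
    // Upgrade the stored hash when BCRYPT_COST has been raised since it was made.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = hashPassword($password);
    }
    return ['ok' => true, 'message' => 'Welcome'];
}

// Three constructed attempts: wrong password, unknown user, correct login.
$attempts = [
    ['alice',  'wrong'],
    ['nobody', 'wrong'],
    ['alice',  'correct horse battery staple'],
];
foreach ($attempts as [$u, $p]) {
    $r = login($users, $dummyHash, $u, $p);
    printf("%-7s -> %s\n", $u, $r['message']);
}
```

password_hash() generates and stores its own salt inside the hash string, so nothing beyond the hash needs to be kept; the cost is the knob that keeps bcrypt expensive for an attacker who obtains the table.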
SENSITIVE DATA EXPOSURE
• Directories should be 750 or 755
• Files should be 644 or 640
• Locate world-writable (777) directories on your server:
$ sudo find /var/www/ -type d -perm -002
• Locate world-writable (777) files on your server:
$ sudo find /var/www/ -type f -perm -002
• The user should own the web directory
• The group should be the Apache user
BROKEN AUTHENTICATION & SESSION MANAGEMENT
• #2 on the OWASP Top 10 2013
• Allows attackers to impersonate other users who are currently logged in
• Don’t put the session ID in the URL
• Hidden fields – isAdmin
• Remove the session cookie when done
• Regenerate session IDs after login
BROKEN AUTHENTICATION & SESSION MANAGEMENT
• session_destroy()
session_unset()
• Remember-me functions
• chrome://settings/passwords
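As an added example (not code from the slides), session handling that follows the points on the two session slides: cookie-only session IDs, a regenerated ID after login, authorisation state kept server-side rather than in a hidden isAdmin field, and a logout that removes the cookie as well as the server-side data. It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(), and is meant to run inside a web request.

```php
<?php
// Added example (not from the slides): session hardening around login/logout.
declare(strict_types=1);

function startSecureSession(): void
{
    // The session ID lives in a cookie only and is never rewritten into URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not issue (a supplied, fixated ID is ignored).
    ini_set('session.use_strict_mode', '1');
    // HttpOnly: scripts cannot read the cookie; Secure: sent over HTTPS only.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the credentials have been verified (password_verify()).
function loginUser(int $userId, bool $isAdmin): void
{
    // Fresh ID after authentication so an ID learned before login is worthless;
    // true also deletes the old session data.
    session_regenerate_id(true);
    // Authorisation lives server-side in the session, not in a hidden isAdmin
    // form field that the client can edit before submitting.
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
    $_SESSION['login_at'] = time();
}

function isAdmin(): bool
{
    return !empty($_SESSION['is_admin']);
}

function logoutUser(): void
{
    session_unset();
    $_SESSION = [];
    // Remove the cookie from the browser as well as the data on the server.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 86400,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

startSecureSession();
```

In a request handler the flow is: startSecureSession() on every request, loginUser() once password_verify() has succeeded, isAdmin() wherever a privileged action is gated, and logoutUser() on logout; the client never sees or supplies the admin flag.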
Cross Site Scripting
XSS
• 65% of websites are vulnerable to XSS
• 2 types of XSS: stored and reflected
• Steal the session ID from cookies
• Escape all form input – htmlspecialchars()
• ezyang/htmlpurifier, escape_html
• Cookies: HttpOnly
• document.write hidden iframe
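As an added example (not code from the slides), output escaping for a stored comment in the three contexts it typically lands in (HTML body, HTML attribute, JavaScript string), plus the HttpOnly session cookie as the second layer against cookie theft. The comment and author values are constructed samples of the kind of input the slide describes.

```php
<?php
// Added example (not from the slides): context-aware escaping of stored
// user content, plus an HttpOnly session cookie.
declare(strict_types=1);

// Defence in depth for the "steal the session ID" case: an HttpOnly cookie is
// not exposed through document.cookie even where an escape was missed.
ini_set('session.cookie_httponly', '1');

// Escape for HTML body text and attribute values. ENT_QUOTES covers both quote
// styles so the value is safe inside attributes; the charset is set explicitly
// so htmlspecialchars() does not depend on the default.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a JavaScript string literal inside a <script> block: JSON-encode
// and hex-escape < > & ' " so the literal can never contain "</script>".
function js(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
    return $out === false ? '""' : $out;
}

// Stored input as submitted (constructed): a script in the body and an
// attribute break-out in the author name.
$comment = '<script>alert(document.cookie)</script>';
$author  = 'mallory" onmouseover="alert(1)';

// Render: every interpolation goes through the escaper for its context.
function renderComment(string $author, string $comment): string
{
    return '<p class="comment" data-author="' . e($author) . '">' . e($comment) . "</p>\n"
         . '<script>var lastComment = ' . js($comment) . ";</script>\n";
}

echo renderComment($author, $comment);
```

The escaper must match the context: htmlspecialchars() output is correct inside an element or a quoted attribute but not inside a script block, which is why the JavaScript value goes through json_encode() with the hex flags instead.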
GOING FORWARD
• 57% of organizations provided some software security training
• 40% fewer vulnerabilities
• Resolved issues 59% faster
• owasp.org
• https://security.sensiolabs.org/
GOING FORWARD
• 19 Extensions to Turn Google Chrome into Penetration Testing tool
http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/
• PHP security manual
http://php.net/manual/en/security.php
• Code reviews
• Try it yourself
