SlideShare a Scribd company logo

Web Application Security: Winning When The Odds Are Against You

B
bendechrai

The document discusses web application security, emphasizing the importance of winnowing risks despite challenges. It outlines key security issues such as injection attacks, cross-site scripting, and inadequate session management, and suggests strategies for PHP developers to mitigate these risks through whitelisting and data encoding. The content serves as a guide for enhancing web application security and is based on a presentation at the New Zealand PHP Conference 2014.

Internet
Related topics:
Website Security Overview Web Application Security
1 of 35
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Web Application SecurityWeb Application Security Winning When The Odds Are Against YouWinning When The Odds Are Against You NewZealandPHPConference2014 Ben DechraiBen Dechrai @bendechrai@bendechrai #webappsec #phpnz14#webappsec #phpnz14 https://joind.in/talk/view/11435https://joind.in/talk/view/11435
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You What Is WebWhat Is Web Application Security?Application Security?
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You What's Applicable to PHP Developers?
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Where to Start?
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Top Ten Cheat Sheet Injection Cross Site Scripting Weak authentication & session management Insecure Direct Object Reference Cross Site Request Forgery Security Misconfiguration Insufficient Cryptographic Storage Failure to Restrict URL access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Top Ten Cheat Sheet Injection Cross Site Scripting Weak authentication & session management Insecure Direct Object Reference Cross Site Request Forgery Security Misconfiguration Insufficient Cryptographic Storage Failure to Restrict URL access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You DemoDemo
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You What AreWhat Are The Odds?The Odds?
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Solutions?
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Think like PHP...
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Not in PHP...
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Think LIKE PHP...
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You HTTP GET /index.html <html>..</html> GET /css/styles.css GET /js/script.js GET /images/logo.jpg body { ... } $(document).ready(...) data:image/jpg;base64,/9j/4AAQSkZJRgA...
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You HTTP GET /index.php <html>..</html> PHP process PHP returns POST /login.php PHP process PHP returns<html>..</html>
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You HTTP POST /images.php/logo.jpg <html>..</html> PHP process PHP returns POST /images/logo.jpg PHP process PHP returns<html>..</html> URL rewriting means anything can be passed to PHP
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Cross-Site Request Forgeries visage.cto.to POST /login <html>..</html> PHP process PHP returns POST /checkout PHP process PHP returns<html>..</html> POST /address/edit {401} POST /address/edit { 200 } evil.com POST /payment <html>..</html> PHP process PHP returns GET /confirmation PHP process PHP returns<html>..</html> PHP process PHP returns PHP process PHP returns
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You PHP Ain't Clever (hint, not many programming languages are!) Data Data Database User Input Files Other sites via API DatabaseBrowser Response Other systemsSending emails
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You PHP Environment ● 1 page load = 1 PHP process ● Web server passes whole request to the PHP process ● When a script ends, all data are lost
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Piecing Data Together $_GET $_POST $_COOKIE $_FILES $_REQUEST
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Request Basics ● $_REQUEST variables can come from Environment, Post, Get, Cookie or Session variables! ● Don't use them, specify the source ● Even then, don't trust $_POST, et al ● Consider all data harmful
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data ● Treat all data as untrusted ● Only if it passed a whitelist, let it through ● Look for odd data entry points – Did you know the filename of an uploaded file is user generated input? ● Email addresses have fixed validation rules
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)* | "(?:[x01-x08x0bx0cx0e-x1fx21x23-x5bx5d-x7f] | [x01-x09x0bx0cx0e-x7f])*") @ (?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])? | [(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3} (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]: (?:[x01-x08x0bx0cx0e-x1fx21-x5ax53-x7f] | [x01-x09x0bx0cx0e-x7f])+) ])
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data Some people, when confronted with a problem, think, “I know, I’ll use regular expressions.” Now they have two problems. — Jamie Zawinksi
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data filter_var($email, FILTER_VALIDATE_EMAIL); (Or just send them an email)
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data ● Names are a big topic (see http://is.gd/validating_names) ● Who decides if a name is valid? – Josè Smith – La amonȝ – Þórinn Eikinskjaldi – Πηληϊάδεω χιλ οςἈ ῆ – Federico del Sagrado Corazón de Jesús García Lorca
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Encode on Output ● Avoid encoding for storage ● Keep valid user input intact ● Encode when used in an output stream – HTML encode for screen – URL encode for querystrings – Escape for CSV output ● By keeping the original data, you can repurpose for many outputs
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Encode on Output User Generated Content User Generated Content Sanitize HTML EMAIL Sanitize XML/JSON/CSV Sanitize UNKNOWN FUTURE APP Sanitize
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Encode on Output filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Cross-Site Request Forgeries Tokens Username Password Token SUBMIT ABC123 ABC123
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Cross-Site Request Forgeries Referrers can be easily forged; don't rely on them
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Credits ● Security Camera image by Henning Mühlinghaus ● Conception image by Lynn (Gracie's mom) ● Piecing Data by José Manuel Ríos Valiente References ● OWASP Top 10 Cheat Sheet
Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Thank You!Thank You! Questions?Questions? Ben DechraiBen Dechrai @bendechrai@bendechrai NewZealandPHPConference2014

More Related Content

PDF
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
PDF
Web Security 101
Brent Shaffer
 
PDF
Securing WordPress
Shawn Hooper
 
ODP
Top 10 Web Security Vulnerabilities
Carol McDonald
 
PPTX
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
PPT
Web Hacking
Information Technology
 
PPTX
04. xss and encoding
Eoin Keary
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
Web Security 101
Brent Shaffer
 
Securing WordPress
Shawn Hooper
 
Top 10 Web Security Vulnerabilities
Carol McDonald
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
Web Hacking
Information Technology
 
04. xss and encoding
Eoin Keary
 
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 

What's hot (20)

PDF
Browser Horror Stories
EC-Council
 
PPT
PHPUG Presentation
Damon Cortesi
 
PPT
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
PDF
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
Felipe Prado
 
PPTX
Owasp Top 10 A1: Injection
Michael Hendrickx
 
KEY
Advanced CSRF and Stateless Anti-CSRF
johnwilander
 
PPTX
WordPress Security Tips
Catch Themes
 
PPT
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
PPTX
Elegant Rest Design Webinar
Stormpath
 
PPTX
2013 michael coates-javaone
Michael Coates
 
PPTX
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
PDF
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
PDF
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Wayne Huang
 
PDF
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
PPTX
REST API Design for JAX-RS And Jersey
Stormpath
 
PDF
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
PDF
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
PPTX
Owasp Top 10 - A1 Injection
Paul Ionescu
 
PDF
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
Browser Horror Stories
EC-Council
 
PHPUG Presentation
Damon Cortesi
 
Securing Your WordPress Website - WordCamp GC 2011
Vlad Lasky
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
Felipe Prado
 
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Advanced CSRF and Stateless Anti-CSRF
johnwilander
 
WordPress Security Tips
Catch Themes
 
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
Elegant Rest Design Webinar
Stormpath
 
2013 michael coates-javaone
Michael Coates
 
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management
 
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Wayne Huang
 
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
REST API Design for JAX-RS And Jersey
Stormpath
 
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
Owasp Top 10 - A1 Injection
Paul Ionescu
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
Ad

Similar to Web Application Security: Winning When The Odds Are Against You (20)

PPTX
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
ODP
My app is secure... I think
Wim Godden
 
PPT
Starwest 2008
Caleb Sima
 
PPT
Developing Secure Applications and Defending Against Common Attacks
PayPalX Developer Network
 
PPT
Phpnw security-20111009
Paul Lemon
 
PPS
Hacking Client Side Insecurities
amiable_indian
 
PDF
Web Application Security with PHP
jikbal
 
PDF
Become a Security Ninja
Paul Gilzow
 
PPTX
Steve Kosten - Exploiting common web application vulnerabilities
Trish McGinity, CCSK
 
PDF
Cyber Security Workshop @SPIT- 3rd October 2015
Nilesh Sapariya
 
PPTX
Believe It Or Not SSL Attacks
Akash Mahajan
 
PPT
Jan 2008 Allup
llangit
 
PDF
Securing Your BBC Identity
Marc Littlemore
 
PPTX
Make Every Spin Count: Putting the Security Odds in Your Favor
David Perkins
 
PDF
Secure input and output handling - ViennaPHP
Anna Völkl
 
PPTX
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
jonmccoy
 
PPTX
Widespread security flaws in web application development 2015
mahchiev
 
PDF
Devbeat Conference - Developer First Security
Michael Coates
 
PDF
Online Security and Privacy Issues
ebusinessmantra
 
PPT
Security 101
George V. Reilly
 
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
My app is secure... I think
Wim Godden
 
Starwest 2008
Caleb Sima
 
Developing Secure Applications and Defending Against Common Attacks
PayPalX Developer Network
 
Phpnw security-20111009
Paul Lemon
 
Hacking Client Side Insecurities
amiable_indian
 
Web Application Security with PHP
jikbal
 
Become a Security Ninja
Paul Gilzow
 
Steve Kosten - Exploiting common web application vulnerabilities
Trish McGinity, CCSK
 
Cyber Security Workshop @SPIT- 3rd October 2015
Nilesh Sapariya
 
Believe It Or Not SSL Attacks
Akash Mahajan
 
Jan 2008 Allup
llangit
 
Securing Your BBC Identity
Marc Littlemore
 
Make Every Spin Count: Putting the Security Odds in Your Favor
David Perkins
 
Secure input and output handling - ViennaPHP
Anna Völkl
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
jonmccoy
 
Widespread security flaws in web application development 2015
mahchiev
 
Devbeat Conference - Developer First Security
Michael Coates
 
Online Security and Privacy Issues
ebusinessmantra
 
Security 101
George V. Reilly
 
Ad

Recently uploaded (20)

PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PPTX
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
DOC
Rose毕业证学历认证,利物浦约翰摩尔斯大学毕业证国外本科毕业证
acoqwo
 
PPTX
Database Information System - Management Information System
faizhossain3
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
artificial intelligence overview of it and more
yafotin445
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
Funds Management Learning Material for Beg
NKKumar16
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
Rose毕业证学历认证,利物浦约翰摩尔斯大学毕业证国外本科毕业证
acoqwo
 
Database Information System - Management Information System
faizhossain3
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Introduction to the IoT system, how the IoT system works
TinBinh
 

Web Application Security: Winning When The Odds Are Against You

  • 1. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Web Application SecurityWeb Application Security Winning When The Odds Are Against YouWinning When The Odds Are Against You NewZealandPHPConference2014 Ben DechraiBen Dechrai @bendechrai@bendechrai #webappsec #phpnz14#webappsec #phpnz14 https://joind.in/talk/view/11435https://joind.in/talk/view/11435
  • 2. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You What Is WebWhat Is Web Application Security?Application Security?
  • 3. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
  • 4. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You What's Applicable to PHP Developers?
  • 5. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
  • 6. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Where to Start?
  • 7. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You
  • 8. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Top Ten Cheat Sheet Injection Cross Site Scripting Weak authentication & session management Insecure Direct Object Reference Cross Site Request Forgery Security Misconfiguration Insufficient Cryptographic Storage Failure to Restrict URL access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards
  • 9. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Top Ten Cheat Sheet Injection Cross Site Scripting Weak authentication & session management Insecure Direct Object Reference Cross Site Request Forgery Security Misconfiguration Insufficient Cryptographic Storage Failure to Restrict URL access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards
  • 10. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You DemoDemo
  • 11. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You What AreWhat Are The Odds?The Odds?
  • 12. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Solutions?
  • 13. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Think like PHP...
  • 14. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Not in PHP...
  • 15. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Think LIKE PHP...
  • 16. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You HTTP GET /index.html <html>..</html> GET /css/styles.css GET /js/script.js GET /images/logo.jpg body { ... } $(document).ready(...) data:image/jpg;base64,/9j/4AAQSkZJRgA...
  • 17. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You HTTP GET /index.php <html>..</html> PHP process PHP returns POST /login.php PHP process PHP returns<html>..</html>
  • 18. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You HTTP POST /images.php/logo.jpg <html>..</html> PHP process PHP returns POST /images/logo.jpg PHP process PHP returns<html>..</html> URL rewriting means anything can be passed to PHP
  • 19. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Cross-Site Request Forgeries visage.cto.to POST /login <html>..</html> PHP process PHP returns POST /checkout PHP process PHP returns<html>..</html> POST /address/edit {401} POST /address/edit { 200 } evil.com POST /payment <html>..</html> PHP process PHP returns GET /confirmation PHP process PHP returns<html>..</html> PHP process PHP returns PHP process PHP returns
  • 20. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You PHP Ain't Clever (hint, not many programming languages are!) Data Data Database User Input Files Other sites via API DatabaseBrowser Response Other systemsSending emails
  • 21. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You PHP Environment ● 1 page load = 1 PHP process ● Web server passes whole request to the PHP process ● When a script ends, all data are lost
  • 22. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Piecing Data Together $_GET $_POST $_COOKIE $_FILES $_REQUEST
  • 23. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Request Basics ● $_REQUEST variables can come from Environment, Post, Get, Cookie or Session variables! ● Don't use them, specify the source ● Even then, don't trust $_POST, et al ● Consider all data harmful
  • 24. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data ● Treat all data as untrusted ● Only if it passed a whitelist, let it through ● Look for odd data entry points – Did you know the filename of an uploaded file is user generated input? ● Email addresses have fixed validation rules
  • 25. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)* | "(?:[x01-x08x0bx0cx0e-x1fx21x23-x5bx5d-x7f] | [x01-x09x0bx0cx0e-x7f])*") @ (?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])? | [(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3} (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]: (?:[x01-x08x0bx0cx0e-x1fx21-x5ax53-x7f] | [x01-x09x0bx0cx0e-x7f])+) ])
  • 26. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data Some people, when confronted with a problem, think, “I know, I’ll use regular expressions.” Now they have two problems. — Jamie Zawinksi
  • 27. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data filter_var($email, FILTER_VALIDATE_EMAIL); (Or just send them an email)
  • 28. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Whitelist All Incoming Data ● Names are a big topic (see http://is.gd/validating_names) ● Who decides if a name is valid? – Josè Smith – La amonȝ – Þórinn Eikinskjaldi – Πηληϊάδεω χιλ οςἈ ῆ – Federico del Sagrado Corazón de Jesús García Lorca
  • 29. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Encode on Output ● Avoid encoding for storage ● Keep valid user input intact ● Encode when used in an output stream – HTML encode for screen – URL encode for querystrings – Escape for CSV output ● By keeping the original data, you can repurpose for many outputs
  • 30. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Encode on Output User Generated Content User Generated Content Sanitize HTML EMAIL Sanitize XML/JSON/CSV Sanitize UNKNOWN FUTURE APP Sanitize
  • 31. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Encode on Output filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
  • 32. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Cross-Site Request Forgeries Tokens Username Password Token SUBMIT ABC123 ABC123
  • 33. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Cross-Site Request Forgeries Referrers can be easily forged; don't rely on them
  • 34. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Credits ● Security Camera image by Henning Mühlinghaus ● Conception image by Lynn (Gracie's mom) ● Piecing Data by José Manuel Ríos Valiente References ● OWASP Top 10 Cheat Sheet
  • 35. Web Application Security: Winning When The Odds Are Against YouWeb Application Security: Winning When The Odds Are Against You Thank You!Thank You! Questions?Questions? Ben DechraiBen Dechrai @bendechrai@bendechrai NewZealandPHPConference2014