SlideShare a Scribd company logo

Scared Straight: Mitigating OWASP Top 10 with PHP

John Kary, profile picture
John Kary

The document discusses mitigating web application security vulnerabilities as outlined by the OWASP Top 10, focusing on PHP applications. It covers various attacks such as injection flaws, cross-site scripting (XSS), and broken authentication, emphasizing risks, impacts, and preventive measures. The document serves as an introductory guide for individuals familiar with PHP and aware of potential security vulnerabilities.

Technology
1 of 196
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
SCARED STRAIGHT MITIGATING OWASP TOP 10 WITH PHP
DISCLAIMER
DISCLAIMER • I am NOT a “security expert"
DISCLAIMER • I am NOT a “security expert" • But I know a little about web security
DISCLAIMER • I am NOT a “security expert" • But I know a little about web security • Taken SANS DEV422: Defending Web Application Security Essentials
DISCLAIMER • I am NOT a “security expert" • But I know a little about web security • Taken SANS DEV422: Defending Web Application Security Essentials • I don’t know everything
ASSUMPTIONS
ASSUMPTIONS • This is an introduction-level talk
ASSUMPTIONS • This is an introduction-level talk • You know enough PHP to be dangerous
ASSUMPTIONS • This is an introduction-level talk • You know enough PHP to be dangerous • You’ve heard of some security vulns
ASSUMPTIONS • This is an introduction-level talk • You know enough PHP to be dangerous • You’ve heard of some security vulns • Again, I don’t know everything
TALK STRUCTURE
TALK STRUCTURE • What is the risk?
TALK STRUCTURE • What is the risk? • Typical Impact
TALK STRUCTURE • What is the risk? • Typical Impact • How is it exploited?
TALK STRUCTURE • What is the risk? • Typical Impact • How is it exploited? • How to prevent it when using PHP?
OWASP http://www.owasp.org
O W A S P
Open Web Application Security Project
OWASP • Non-profit focused on improving security of application software • Focused on awareness of risks and education on mitigating those risks • Kansas City chapter meets every other month • Next meeting: Thursday, February 10, 2011 at Johnson County Community College • Free! No registration required, but RSVPs appreciated
http://www.owasp.org
OWASP Top 10 (2010) Source: Dave Wichers OWASP Top 10 Presentation
INJECTION
INJECTION SI T? I Tricking an application into unintended HAT W commands in the data sent to an interpreter -Interpreter--- -Injection--- Database SQL Injection Shell Command Injection File System File Injection/Inclusion PHP PHP Injection
CT INJECTION PA IM IC AL Technical Impact: SEVERE T YP Entire database read or modified Access files on the filesystem Uses a program's elevated privileges to carry out unauthorized execution
LO I TE D? INJECTION P T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
T I T? INJECTION EN R EV P TO HOW
T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL
T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts
T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts
T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors
T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution
T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution Firewall web-facing machine
T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution Firewall web-facing machine Close unused ports and services
T I T? INJECTION EN R EV P TO OW SYSTEM LEVEL KU IT H D Limit access rights of your application accounts OES T OS user and database accounts HIS F OR YO Limit attack vectors Sandbox execution Firewall web-facing machine Close unused ports and services U
T I T? INJECTION EN R EV P TO HOW APPLICATION LEVEL “Filter Input, Escape Output” Examples: HTML SQL / DATABASE
T I T? INJECTION EN R EV P TO HOW HTML Injection
T I T? INJECTION EN R EV P TO SQL Injection - Prepared Statements HOW
T I T? INJECTION EN R EV P TO HOW SQL Injection Source: http://xkcd.com/327/
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser
CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit
CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code
CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit
CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit Saved in the file itself or more commonly in a database
CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit Saved in the file itself or more commonly in a database Delivered to all visitors just by visiting the page
CROSS SITE SCRIPTING (XSS) CT PA IM Technical Impact: AL MODERATE IC T YP
CROSS SITE SCRIPTING (XSS) CT PA IM Technical Impact: AL MODERATE IC T YP Steal stored browser data... Session IDs & cookies Account numbers Usernames Deface website Redirect user to phishing or malware site
CROSS SITE SCRIPTING (XSS) LO I TE D? EXP SI T I HOW Source: Dave Wichers OWASP Top 10 Presentation
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO HOW “Filter Input, Escape Output” Validate / Sanitize user input Escape user input sent to a Database or the Browser
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO HOW
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter Input HOW
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter Input HOW Use PHP filter_* methods
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter Input HOW Use PHP filter_* methods http://www.php.net/manual/en/ref.filter.php
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter Input HOW Use PHP filter_* methods http://www.php.net/manual/en/ref.filter.php
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW htmlentities() ???
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW htmlentities() ???
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW htmlentities() ???
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW htmlentities() ??? MEH
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW http://htmlpurifier.org/
CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW http://htmlpurifier.org/
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented
BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless”
BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless” HTTP sends credentials with every request
BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID
BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID Attack is possible when attacker gets a valid Session ID
BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID Attack is possible when attacker gets a valid Session ID Remember Firesheep?
BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP
BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP An attacker might be able to...
BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP An attacker might be able to... Login without a valid password
BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP An attacker might be able to... Login without a valid password Change another user’s personal info
BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP An attacker might be able to... Login without a valid password Change another user’s personal info Assume another user’s identity by just clicking a link
BROKEN AUTHENTICATION D? AND I TE SESSION MANAGEMENT P LO T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO HOW Rely on strong authentication and session management controls Integrate Shibboleth into your application
BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO HOW Proper Session Storage Default config stores sessions in a global temp directory
BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO HOW Proper Session Regeneration Always run session_regenerate_id() after an escalation in authentication/authorization
BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO Proper Session cookie handling HOW Only allow session cookies over secure connections Only allow session cookies over HTTP (not JavaScript) Only allow session IDs in cookies (not in the URL)
BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO Use HTTPS HOW NEVER deliver unencrypted network traffic when in HTTPS http://test.ku.edu/page2.php ==> http://webmedia.ku.edu/jquery.js https://test.ku.edu/page2.php ==> https://webmedia.ku.edu/jquery.js
INSECURE DIGITAL OBJECT REFERENCES
INSECURE DIGITAL OBJECT REFERENCES SI T? I HAT Users without proper credentials W can view secure data Do any users have only partial access to certain types of system data?
INSECURE DIGITAL OBJECT REFERENCES T PAC IM Technical Impact: AL MODERATE IC T YP
INSECURE DIGITAL OBJECT REFERENCES T PAC IM Technical Impact: AL MODERATE IC T YP Depends on the value of the secure data Flaws can compromise all data referenced by an insecure object
INSECURE DIGITAL OBJECT REFERENCES I TE D? P LO T EX I SI HOW User clicks link “My Account” User accesses “My Account” page at URL: http://mybank.com/account/2055 User increments parameter in the URL: http://mybank.com/account/2056 User is granted access
INSECUREIT? T DIGITAL OBJECT REFERENCES EN R EV Use Array Map to P Obfuscate URL Parameters TO HOW
INSECUREIT? T DIGITAL OBJECT REFERENCES EN EV Use switch() to test for valid values P R TO HOW
CROSS SITE REQUEST FORGERY (CSRF)
CROSS SITE REQUEST FORGERY (CSRF) SI T? I HAT Victim's browser is tricked into issuing a W command to a vulnerable web application
CROSS SITE REQUEST FORGERY (CSRF) SI T? I HAT Victim's browser is tricked into issuing a W command to a vulnerable web application HTTP is “stateless” - Credentials are included with every request If the user visits another website while still authenticated... Any request back to the application is considered authentic
CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP
CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application?
CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do?
CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions?
CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions? Close Accounts?
CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions? Close Accounts? Change Password?
CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SI HOW A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET http://mydomain.com/file.php?action=delete&id=12345
CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SI HOW A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET http://mydomain.com/file.php?action=delete&id=12345
CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SI HOW Destructive actions are executed with minimal or no verification of the origin of the request HTTP POST => http://mydomain.com/file.php?action=delete
CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SI HOW Destructive actions are executed with minimal or no verification of the origin of the request HTTP POST => http://mydomain.com/file.php?action=delete Only marginally more difficult to forge a POST
CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW A few easy ways...
CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW A few easy ways... Invalidate user sessions quickly
CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW A few easy ways... Invalidate user sessions quickly Encourage users to logout (they don’t)
CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW A few easy ways... Invalidate user sessions quickly Encourage users to logout (they don’t) Don’t implement “Remember Me” features
CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW Implement a CSRF Token Add a secret, not automatically submitted, token to ALL sensitive requests Verify token exists and matches the expected value before executing the request
CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW Implement a CSRF Token Generate token and store in user's session Source: http://shiflett.org/articles/cross-site-request-forgeries
CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW Implement a CSRF Token Use token in POST form Source: http://shiflett.org/articles/cross-site-request-forgeries
CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW Implement a CSRF Token Validate when POST received Source: http://shiflett.org/articles/cross-site-request-forgeries
SECURITY MISCONFIGURATION
SECURITY MISCONFIGURATION SI T? I HAT Running web applications on a secure foundation W
SECURITY MISCONFIGURATION SI T? I HAT Running web applications on a secure foundation W From the Operating System up through Apache All PHP extensions All installed libraries on the server
SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP
SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP Install backdoor through missing security patch
SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP Install backdoor through missing security patch Install malware on the server
SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP Install backdoor through missing security patch Install malware on the server “Root” the server
SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP Install backdoor through missing security patch Install malware on the server “Root” the server All your data is stolen
SECURITY MISCONFIGURATION I TE D? P LO T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
SECURITY MISCONFIGURATION T I T? EN R EV P TO HOW
SECURITY MISCONFIGURATION T I T? EN R EV P TO HOW SYSTEM LEVEL Update to latest application versions Install security patches Monitor vulnerabilities list
SECURITY MISCONFIGURATION T I T? EN R EV P TO OW KU IT H D SYSTEM LEVEL OES T HIS F Update to latest application versions Install security patches OR YO Monitor vulnerabilities list U
SECURITY MISCONFIGURATION T I T? EN R EV P TO HOW APPLICATION LEVEL Use latest available version of PHP Update third-party software when available Monitor mailing lists
SECURITY MISCONFIGURATION T I T? EN R EV P TO HOW APPLICATION LEVEL Use latest available version of PHP Update third-party software when available Monitor mailing lists
INSECURE CRYPTOGRAPHIC STORAGE
INSECURE CRYPTOGRAPHIC STORAGE SI T? I Incorrectly storing and transmitting HAT W confidential data
INSECURE CRYPTOGRAPHIC STORAGE SI T? I Incorrectly storing and transmitting HAT W confidential data Database data Log files Backup files Password files
INSECURE CRYPTOGRAPHIC STORAGE SI T? I HAT What is considered secure data at KU? W Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
INSECURE CRYPTOGRAPHIC STORAGE SI T? I HAT What is considered secure data at KU? W Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above THIS LIST IS NOT ALL INCLUSIVE Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Technical Impact: T YP SEVERE
INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Technical Impact: T YP SEVERE Attacker accesses or modifies confidential data Intellectual property stolen You or KU might get sued Makes the company look bad in the press
INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Business Impacts: T YP SEVERE High risk of... significant financial loss legal liability public distrust harm ...if this data is disclosed
INSECURE CRYPTOGRAPHIC STORAGE I TE D? P LO T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW
INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW Identify all sensitive data and all places it is stored
INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW Identify all sensitive data and all places it is stored Don’t store private data in public_html
INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW Identify all sensitive data and all places it is stored Don’t store private data in public_html Don’t invent your own encryption algorithm
INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW Identify all sensitive data and all places it is stored Don’t store private data in public_html Don’t invent your own encryption algorithm Don’t transmit confidential data over unencrypted means
FAILURE TO RESTRICT URL ACCESS
FAILURE TO RESTRICT URL ACCESS SI T? I HAT Unauthorized users can view private pages W Public users could access your admin functionality
FAILURE TO RESTRICT URL ACCESS T PAC IM Technical Impact: AL MODERATE IC T YP
FAILURE TO RESTRICT URL ACCESS T PAC IM Technical Impact: AL MODERATE IC T YP Attackers invoke functions and services they’re not authorized for Access other user’s accounts and data Perform privileged actions
FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW User accesses URL http://mydomain.com/user/profile User changes role of URL http://mydomain.com/manager/profile http://mydomain.com/admin/profile
FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW Presentation Layer Access Control
FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW Presentation Layer Access Control DOESN’T WORK
FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW Unlinked URLs http://mydomain.com/you/will/never/find/this/index.html
FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW Unlinked URLs http://mydomain.com/you/will/never/find/this/index.html DOESN’T WORK
FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every page HOW
FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every page HOW Disallow requests to unauthorized page types http://mydomain.com/uploads
FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every page HOW Disallow requests to unauthorized page types http://mydomain.com/uploads Test it!
INSUFFICIENT TRANSPORT LAYER PROTECTION
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I HAT W
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between:
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases Colleagues
INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases Colleagues Internal Communications
INSUFFICIENT TRANSPORT LAYER PROTECTION CT PA IM Technical Impact: AL MODERATE IC T YP
INSUFFICIENT TRANSPORT LAYER PROTECTION CT PA IM Technical Impact: AL MODERATE IC T YP Expose users’ confidential data Account theft
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data?
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED OI PL T EX I SI What is considered secure data at KU? HOW Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application...
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data?
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email?
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email? Send it to a database?
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email? Send it to a database? Use HTTPS for ALL authentication requests?
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you...
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues?
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues? Use encrypted IM chat between colleagues?
INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues? Use encrypted IM chat between colleagues? Store your account passwords in a password safe?
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info 3. Only allow specific users to access it using Shibboleth
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info 3. Only allow specific users to access it using Shibboleth
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Use secure protocols to transmit and store data
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Use secure protocols to transmit and store data Ever try to FTP to www2.ku.edu without SFTP?
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Use secure protocols to transmit and store data Ever try to FTP to www2.ku.edu without SFTP? Store confidential data in our secure Oracle database
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Require HTTPS on all secure pages
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Require HTTPS on all secure pages
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Setup email encryption between colleagues http://www.technology.ku.edu/ca/install/
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Setup Off-The-Record chat encryption http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html
INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW KeePass Windows: http://keepass.info/ Mac: http://www.keepassx.org/ Free & Open-Source
UNVALIDATED REDIRECTS AND FORWARDS
UNVALIDATED REDIRECTS AND FORWARDS SI T? I HAT W URL Redirects built by the web application can be exploited if unvalidated Appears as a valid URL but contains a payload Internal redirects are common External redirects are becoming more common
UNVALIDATED REDIRECTS AND FORWARDS CT PA IM Technical Impact: AL MODERATE IC T YP Install malware Phishing site Bypass authorization controls
UNVALIDATED REDIRECTS AND FORWARDS TE D? I P LO T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
UNVALIDATED REDIRECTS AND FORWARDS I T? T EN R EV P TO HOW Avoid using redirects and forwards as much as possible If used, don’t use user-input parameters If using user-input... Use Array Map to Whitelist URL Parameters
UNVALIDATED REDIRECTS AND FORWARDS I T? T EN R EV Use Array Map to P Whitelist URL Parameters TO HOW
Questions?
My Challenge to you Read the OWASP Wiki http://www.owasp.org Review your code http://www.owasp.org/index.php/Code_Review_Guide http://www.owasp.org/index.php/OWASP_Testing_Project
Sources OWASP Sources: - OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS> - OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet> - OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide> - OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project> - OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http:// owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx> - OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting) _Prevention_Cheat_Sheet> Links: - Setting up encrypted email at KU. http://www.technology.ku.edu/ca/install/ - Introduction to Encrypted Internet Chat. http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html Software: - HTMLPurifier <http://htmlpurifier.org/> - KeePass <http://keepass.info/> - KeePassX <http://www.keepassx.org/> - WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project> Photos: http://www.flickr.com/photos/mrbenn/2337943659/ http://www.flickr.com/photos/12836528@N00/4294660659/ John Kary | johnkary@ku.edu http://xkcd.com/327/ Web Development & Interface Design University of Kansas, Information Technology January 2011 KU Web Developers Meeting

More Related Content

KEY
SecTor - The Search For Intelligent Life
Ed Bellis
 
KEY
Metricon 6 That's So Meta
Ed Bellis
 
PPSX
Ids 008 buffer overflow
jyoti_lakhani
 
PPTX
Web and Mobile Application Security
Prateek Jain
 
PDF
Android Camp 2011 @ Silicon India
Avinash Birnale
 
PPTX
Web application vulnerability assessment
Ravikumar Paghdal
 
PDF
2013 OWASP Top 10
bilcorry
 
PPTX
Owasp Top 10 A1: Injection
Michael Hendrickx
 
SecTor - The Search For Intelligent Life
Ed Bellis
 
Metricon 6 That's So Meta
Ed Bellis
 
Ids 008 buffer overflow
jyoti_lakhani
 
Web and Mobile Application Security
Prateek Jain
 
Android Camp 2011 @ Silicon India
Avinash Birnale
 
Web application vulnerability assessment
Ravikumar Paghdal
 
2013 OWASP Top 10
bilcorry
 
Owasp Top 10 A1: Injection
Michael Hendrickx
 

Similar to Scared Straight: Mitigating OWASP Top 10 with PHP (20)

PDF
Web Application Security
Siarhei Barysiuk
 
PPT
Web application security
Vikas Thange
 
PPT
Web application security
Vikas Thange
 
PDF
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
PPTX
Hardening Enterprise Apache
guestd9aa5
 
PDF
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
KEY
Do it-yourself-audits
Johann-Peter Hartmann
 
PPTX
Web Application Security Session for Web Developers
Krishna Srikanth Manda
 
PPTX
Sd mexico
GeneXus
 
PDF
Unit 08: Security for Web Applications
DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
PPTX
NCompass Live: IT Security for Libraries
Christa Porter
 
PPTX
NCompass Live: IT Security for Libraries
Nebraska Library Commission
 
DOCX
supraja technologies material for secure coding
Sri Latha
 
PPTX
Web application
Eve_Srithong
 
PDF
Web Application Security with PHP
jikbal
 
PPTX
Best practices of web app security (samvel gevorgyan)
ClubHack
 
PPTX
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
Samvel Gevorgyan
 
PPTX
State of the information security nation
SensePost
 
PPT
Information security
Sathyanarayana Panduranga
 
PPTX
F5 - BigIP ASM introduction
Jimmy Saigon
 
Web Application Security
Siarhei Barysiuk
 
Web application security
Vikas Thange
 
Web application security
Vikas Thange
 
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
Hardening Enterprise Apache
guestd9aa5
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
Do it-yourself-audits
Johann-Peter Hartmann
 
Web Application Security Session for Web Developers
Krishna Srikanth Manda
 
Sd mexico
GeneXus
 
Unit 08: Security for Web Applications
DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
NCompass Live: IT Security for Libraries
Christa Porter
 
NCompass Live: IT Security for Libraries
Nebraska Library Commission
 
supraja technologies material for secure coding
Sri Latha
 
Web application
Eve_Srithong
 
Web Application Security with PHP
jikbal
 
Best practices of web app security (samvel gevorgyan)
ClubHack
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
Samvel Gevorgyan
 
State of the information security nation
SensePost
 
Information security
Sathyanarayana Panduranga
 
F5 - BigIP ASM introduction
Jimmy Saigon
 
Ad

Recently uploaded (20)

PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Teaching material agriculture food technology
LiaRayya
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
KodekX | Application Modernization Development
KodekX
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Encapsulation theory and applications.pdf
gurumoop
 
Ad

Scared Straight: Mitigating OWASP Top 10 with PHP

  • 1. SCARED STRAIGHT MITIGATING OWASP TOP 10 WITH PHP
  • 3. DISCLAIMER • I am NOT a “security expert"
  • 4. DISCLAIMER • I am NOT a “security expert" • But I know a little about web security
  • 5. DISCLAIMER • I am NOT a “security expert" • But I know a little about web security • Taken SANS DEV422: Defending Web Application Security Essentials
  • 6. DISCLAIMER • I am NOT a “security expert" • But I know a little about web security • Taken SANS DEV422: Defending Web Application Security Essentials • I don’t know everything
  • 8. ASSUMPTIONS • This is an introduction-level talk
  • 9. ASSUMPTIONS • This is an introduction-level talk • You know enough PHP to be dangerous
  • 10. ASSUMPTIONS • This is an introduction-level talk • You know enough PHP to be dangerous • You’ve heard of some security vulns
  • 11. ASSUMPTIONS • This is an introduction-level talk • You know enough PHP to be dangerous • You’ve heard of some security vulns • Again, I don’t know everything
  • 13. TALK STRUCTURE • What is the risk?
  • 14. TALK STRUCTURE • What is the risk? • Typical Impact
  • 15. TALK STRUCTURE • What is the risk? • Typical Impact • How is it exploited?
  • 16. TALK STRUCTURE • What is the risk? • Typical Impact • How is it exploited? • How to prevent it when using PHP?
  • 20. OWASP • Non-profit focused on improving security of application software • Focused on awareness of risks and education on mitigating those risks • Kansas City chapter meets every other month • Next meeting: Thursday, February 10, 2011 at Johnson County Community College • Free! No registration required, but RSVPs appreciated
  • 22. OWASP Top 10 (2010) Source: Dave Wichers OWASP Top 10 Presentation
  • 24. INJECTION SI T? I Tricking an application into unintended HAT W commands in the data sent to an interpreter -Interpreter--- -Injection--- Database SQL Injection Shell Command Injection File System File Injection/Inclusion PHP PHP Injection
  • 25. CT INJECTION PA IM IC AL Technical Impact: SEVERE T YP Entire database read or modified Access files on the filesystem Uses a program's elevated privileges to carry out unauthorized execution
  • 26. LO I TE D? INJECTION P T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
  • 27. T I T? INJECTION EN R EV P TO HOW
  • 28. T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL
  • 29. T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts
  • 30. T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts
  • 31. T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors
  • 32. T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution
  • 33. T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution Firewall web-facing machine
  • 34. T I T? INJECTION EN R EV P TO HOW SYSTEM LEVEL Limit access rights of your application accounts OS user and database accounts Limit attack vectors Sandbox execution Firewall web-facing machine Close unused ports and services
  • 35. T I T? INJECTION EN R EV P TO OW SYSTEM LEVEL KU IT H D Limit access rights of your application accounts OES T OS user and database accounts HIS F OR YO Limit attack vectors Sandbox execution Firewall web-facing machine Close unused ports and services U
  • 36. T I T? INJECTION EN R EV P TO HOW APPLICATION LEVEL “Filter Input, Escape Output” Examples: HTML SQL / DATABASE
  • 37. T I T? INJECTION EN R EV P TO HOW HTML Injection
  • 38. T I T? INJECTION EN R EV P TO SQL Injection - Prepared Statements HOW
  • 39. T I T? INJECTION EN R EV P TO HOW SQL Injection Source: http://xkcd.com/327/
  • 41. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser
  • 42. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit
  • 43. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code
  • 44. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit
  • 45. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit Saved in the file itself or more commonly in a database
  • 46. CROSS SITE SCRIPTING (XSS) ? IS IT AT Malicious data delivered to an W H innocent user's browser Single Request Exploit Specially crafted URL injecting JavaScript or other defacement code Persistent Request Exploit Saved in the file itself or more commonly in a database Delivered to all visitors just by visiting the page
  • 47. CROSS SITE SCRIPTING (XSS) CT PA IM Technical Impact: AL MODERATE IC T YP
  • 48. CROSS SITE SCRIPTING (XSS) CT PA IM Technical Impact: AL MODERATE IC T YP Steal stored browser data... Session IDs & cookies Account numbers Usernames Deface website Redirect user to phishing or malware site
  • 49. CROSS SITE SCRIPTING (XSS) LO I TE D? EXP SI T I HOW Source: Dave Wichers OWASP Top 10 Presentation
  • 50. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO HOW “Filter Input, Escape Output” Validate / Sanitize user input Escape user input sent to a Database or the Browser
  • 51. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO HOW
  • 52. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter Input HOW
  • 53. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter Input HOW Use PHP filter_* methods
  • 54. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter Input HOW Use PHP filter_* methods http://www.php.net/manual/en/ref.filter.php
  • 55. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Filter Input HOW Use PHP filter_* methods http://www.php.net/manual/en/ref.filter.php
  • 56. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW
  • 57. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW htmlentities() ???
  • 58. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW htmlentities() ???
  • 59. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW htmlentities() ???
  • 60. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW htmlentities() ??? MEH
  • 61. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW http://htmlpurifier.org/
  • 62. CROSS SITE SCRIPTING (XSS) NT I T? VE P RE TO Escape Output HOW http://htmlpurifier.org/
  • 64. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented
  • 65. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless”
  • 66. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless” HTTP sends credentials with every request
  • 67. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID
  • 68. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID Attack is possible when attacker gets a valid Session ID
  • 69. BROKEN AUTHENTICATION IT?AND SESSION MANAGEMENT IS HAT Authentication or Sessions are W improperly implemented HTTP is “stateless” HTTP sends credentials with every request Credentials are usually a Session ID Attack is possible when attacker gets a valid Session ID Remember Firesheep?
  • 70. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP
  • 71. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP An attacker might be able to...
  • 72. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP An attacker might be able to... Login without a valid password
  • 73. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP An attacker might be able to... Login without a valid password Change another user’s personal info
  • 74. BROKEN AUTHENTICATION PA AND SESSION MANAGEMENT CT L IM Technical Impact: CA SEVERE I T YP An attacker might be able to... Login without a valid password Change another user’s personal info Assume another user’s identity by just clicking a link
  • 75. BROKEN AUTHENTICATION D? AND I TE SESSION MANAGEMENT P LO T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
  • 76. BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO HOW Rely on strong authentication and session management controls Integrate Shibboleth into your application
  • 77. BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO HOW Proper Session Storage Default config stores sessions in a global temp directory
  • 78. BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO HOW Proper Session Regeneration Always run session_regenerate_id() after an escalation in authentication/authorization
  • 79. BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO Proper Session cookie handling HOW Only allow session cookies over secure connections Only allow session cookies over HTTP (not JavaScript) Only allow session IDs in cookies (not in the URL)
  • 80. BROKEN AUTHENTICATION T? T I SESSION MANAGEMENT VEAND N P RE TO Use HTTPS HOW NEVER deliver unencrypted network traffic when in HTTPS http://test.ku.edu/page2.php ==> http://webmedia.ku.edu/jquery.js https://test.ku.edu/page2.php ==> https://webmedia.ku.edu/jquery.js
  • 82. INSECURE DIGITAL OBJECT REFERENCES SI T? I HAT Users without proper credentials W can view secure data Do any users have only partial access to certain types of system data?
  • 83. INSECURE DIGITAL OBJECT REFERENCES T PAC IM Technical Impact: AL MODERATE IC T YP
  • 84. INSECURE DIGITAL OBJECT REFERENCES T PAC IM Technical Impact: AL MODERATE IC T YP Depends on the value of the secure data Flaws can compromise all data referenced by an insecure object
  • 85. INSECURE DIGITAL OBJECT REFERENCES I TE D? P LO T EX I SI HOW User clicks link “My Account” User accesses “My Account” page at URL: http://mybank.com/account/2055 User increments parameter in the URL: http://mybank.com/account/2056 User is granted access
  • 86. INSECUREIT? T DIGITAL OBJECT REFERENCES EN R EV Use Array Map to P Obfuscate URL Parameters TO HOW
  • 87. INSECUREIT? T DIGITAL OBJECT REFERENCES EN EV Use switch() to test for valid values P R TO HOW
  • 88. CROSS SITE REQUEST FORGERY (CSRF)
  • 89. CROSS SITE REQUEST FORGERY (CSRF) SI T? I HAT Victim's browser is tricked into issuing a W command to a vulnerable web application
  • 90. CROSS SITE REQUEST FORGERY (CSRF) SI T? I HAT Victim's browser is tricked into issuing a W command to a vulnerable web application HTTP is “stateless” - Credentials are included with every request If the user visits another website while still authenticated... Any request back to the application is considered authentic
  • 91. CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP
  • 92. CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application?
  • 93. CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do?
  • 94. CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions?
  • 95. CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions? Close Accounts?
  • 96. CROSS SITE REQUEST FORGERY (CSRF) T PAC IM Technical Impact: AL MODERATE IC T YP What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Make Transactions? Close Accounts? Change Password?
  • 97. CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SI HOW A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET http://mydomain.com/file.php?action=delete&id=12345
  • 98. CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SI HOW A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET http://mydomain.com/file.php?action=delete&id=12345
  • 99. CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SI HOW Destructive actions are executed with minimal or no verification of the origin of the request HTTP POST => http://mydomain.com/file.php?action=delete
  • 100. CROSS SITE REQUEST FORGERY (CSRF) I TE D? P LO T EX I SI HOW Destructive actions are executed with minimal or no verification of the origin of the request HTTP POST => http://mydomain.com/file.php?action=delete Only marginally more difficult to forge a POST
  • 101. CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW A few easy ways...
  • 102. CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW A few easy ways... Invalidate user sessions quickly
  • 103. CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW A few easy ways... Invalidate user sessions quickly Encourage users to logout (they don’t)
  • 104. CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW A few easy ways... Invalidate user sessions quickly Encourage users to logout (they don’t) Don’t implement “Remember Me” features
  • 105. CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW Implement a CSRF Token Add a secret, not automatically submitted, token to ALL sensitive requests Verify token exists and matches the expected value before executing the request
  • 106. CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW Implement a CSRF Token Generate token and store in user's session Source: http://shiflett.org/articles/cross-site-request-forgeries
  • 107. CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW Implement a CSRF Token Use token in POST form Source: http://shiflett.org/articles/cross-site-request-forgeries
  • 108. CROSS SITE REQUEST FORGERY (CSRF) T I T? EN R EV P TO HOW Implement a CSRF Token Validate when POST received Source: http://shiflett.org/articles/cross-site-request-forgeries
  • 110. SECURITY MISCONFIGURATION SI T? I HAT Running web applications on a secure foundation W
  • 111. SECURITY MISCONFIGURATION SI T? I HAT Running web applications on a secure foundation W From the Operating System up through Apache All PHP extensions All installed libraries on the server
  • 112. SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP
  • 113. SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP Install backdoor through missing security patch
  • 114. SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP Install backdoor through missing security patch Install malware on the server
  • 115. SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP Install backdoor through missing security patch Install malware on the server “Root” the server
  • 116. SECURITY MISCONFIGURATION T PAC IM Technical Impact: AL MODERATE IC T YP Install backdoor through missing security patch Install malware on the server “Root” the server All your data is stolen
  • 117. SECURITY MISCONFIGURATION I TE D? P LO T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
  • 118. SECURITY MISCONFIGURATION T I T? EN R EV P TO HOW
  • 119. SECURITY MISCONFIGURATION T I T? EN R EV P TO HOW SYSTEM LEVEL Update to latest application versions Install security patches Monitor vulnerabilities list
  • 120. SECURITY MISCONFIGURATION T I T? EN R EV P TO OW KU IT H D SYSTEM LEVEL OES T HIS F Update to latest application versions Install security patches OR YO Monitor vulnerabilities list U
  • 121. SECURITY MISCONFIGURATION T I T? EN R EV P TO HOW APPLICATION LEVEL Use latest available version of PHP Update third-party software when available Monitor mailing lists
  • 122. SECURITY MISCONFIGURATION T I T? EN R EV P TO HOW APPLICATION LEVEL Use latest available version of PHP Update third-party software when available Monitor mailing lists
  • 124. INSECURE CRYPTOGRAPHIC STORAGE SI T? I Incorrectly storing and transmitting HAT W confidential data
  • 125. INSECURE CRYPTOGRAPHIC STORAGE SI T? I Incorrectly storing and transmitting HAT W confidential data Database data Log files Backup files Password files
  • 126. INSECURE CRYPTOGRAPHIC STORAGE SI T? I HAT What is considered secure data at KU? W Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
  • 127. INSECURE CRYPTOGRAPHIC STORAGE SI T? I HAT What is considered secure data at KU? W Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above THIS LIST IS NOT ALL INCLUSIVE Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
  • 128. INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Technical Impact: T YP SEVERE
  • 129. INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Technical Impact: T YP SEVERE Attacker accesses or modifies confidential data Intellectual property stolen You or KU might get sued Makes the company look bad in the press
  • 130. INSECURE CRYPTOGRAPHIC STORAGE T PAC IM IC AL Business Impacts: T YP SEVERE High risk of... significant financial loss legal liability public distrust harm ...if this data is disclosed
  • 131. INSECURE CRYPTOGRAPHIC STORAGE I TE D? P LO T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
  • 132. INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW
  • 133. INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW Identify all sensitive data and all places it is stored
  • 134. INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW Identify all sensitive data and all places it is stored Don’t store private data in public_html
  • 135. INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW Identify all sensitive data and all places it is stored Don’t store private data in public_html Don’t invent your own encryption algorithm
  • 136. INSECURE? CRYPTOGRAPHIC STORAGE T IT EN R EV P TO HOW Identify all sensitive data and all places it is stored Don’t store private data in public_html Don’t invent your own encryption algorithm Don’t transmit confidential data over unencrypted means
  • 137. FAILURE TO RESTRICT URL ACCESS
  • 138. FAILURE TO RESTRICT URL ACCESS SI T? I HAT Unauthorized users can view private pages W Public users could access your admin functionality
  • 139. FAILURE TO RESTRICT URL ACCESS T PAC IM Technical Impact: AL MODERATE IC T YP
  • 140. FAILURE TO RESTRICT URL ACCESS T PAC IM Technical Impact: AL MODERATE IC T YP Attackers invoke functions and services they’re not authorized for Access other user’s accounts and data Perform privileged actions
  • 141. FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW User accesses URL http://mydomain.com/user/profile User changes role of URL http://mydomain.com/manager/profile http://mydomain.com/admin/profile
  • 142. FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW Presentation Layer Access Control
  • 143. FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW Presentation Layer Access Control DOESN’T WORK
  • 144. FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW Unlinked URLs http://mydomain.com/you/will/never/find/this/index.html
  • 145. FAILURE TO RESTRICT URL ACCESS I TE D? P LO T EX I SI HOW Unlinked URLs http://mydomain.com/you/will/never/find/this/index.html DOESN’T WORK
  • 146. FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every page HOW
  • 147. FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every page HOW Disallow requests to unauthorized page types http://mydomain.com/uploads
  • 148. FAILURE ?TO RESTRICT URL ACCESS T IT EN R EV P TO Check credentials on every page HOW Disallow requests to unauthorized page types http://mydomain.com/uploads Test it!
  • 149. INSUFFICIENT TRANSPORT LAYER PROTECTION
  • 150. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I HAT W
  • 151. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W
  • 152. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols
  • 153. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data
  • 154. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent
  • 155. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between:
  • 156. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user
  • 157. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases
  • 158. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases Colleagues
  • 159. INSUFFICIENT TRANSPORT LAYER PROTECTION SI T? I Sending confidential data over HAT W unencrypted protocols Failure to identify all sensitive data Failure to identify all places sensitive data is sent Between: Server and user Backend databases Colleagues Internal Communications
  • 160. INSUFFICIENT TRANSPORT LAYER PROTECTION CT PA IM Technical Impact: AL MODERATE IC T YP
  • 161. INSUFFICIENT TRANSPORT LAYER PROTECTION CT PA IM Technical Impact: AL MODERATE IC T YP Expose users’ confidential data Account theft
  • 162. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data?
  • 163. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED OI PL T EX I SI What is considered secure data at KU? HOW Data protected by FERPA Data protected by GLB Data subject to PCI (credit or payment card industry) standards Data subject to other Federal or state confidentiality laws Donor or prospect information Passwords and PINs Personally Identifiable Information (“PII”) Personnel data Individually identifiable information created and collected by research projects Certain research data with National Security implications Data subject to protection pursuant to non-disclosure agreements Audit working papers Data protected by attorney/client privilege Email covering topics listed above Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
  • 164. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW
  • 165. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application...
  • 166. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data?
  • 167. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email?
  • 168. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email? Send it to a database?
  • 169. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Does your application... Use confidential data? Send it over email? Send it to a database? Use HTTPS for ALL authentication requests?
  • 170. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW
  • 171. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you...
  • 172. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues?
  • 173. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues? Use encrypted IM chat between colleagues?
  • 174. INSUFFICIENT ?TRANSPORT LAYER PROTECTION T ED I P LO T EX I SI HOW Do you... Have encrypted email setup between colleagues? Use encrypted IM chat between colleagues? Store your account passwords in a password safe?
  • 175. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data
  • 176. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database
  • 177. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info
  • 178. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info 3. Only allow specific users to access it using Shibboleth
  • 179. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Don’t use KU Email Form to send confidential data 1. Build a web form that stores it in a secure database 2. Build a page to download or browse the info 3. Only allow specific users to access it using Shibboleth
  • 180. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Use secure protocols to transmit and store data
  • 181. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Use secure protocols to transmit and store data Ever try to FTP to www2.ku.edu without SFTP?
  • 182. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Use secure protocols to transmit and store data Ever try to FTP to www2.ku.edu without SFTP? Store confidential data in our secure Oracle database
  • 183. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Require HTTPS on all secure pages
  • 184. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Require HTTPS on all secure pages
  • 185. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Setup email encryption between colleagues http://www.technology.ku.edu/ca/install/
  • 186. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW Setup Off-The-Record chat encryption http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html
  • 187. INSUFFICIENT TRANSPORT LAYER PROTECTION I T? T EN R EV P TO HOW KeePass Windows: http://keepass.info/ Mac: http://www.keepassx.org/ Free & Open-Source
  • 188. UNVALIDATED REDIRECTS AND FORWARDS
  • 189. UNVALIDATED REDIRECTS AND FORWARDS SI T? I HAT W URL Redirects built by the web application can be exploited if unvalidated Appears as a valid URL but contains a payload Internal redirects are common External redirects are becoming more common
  • 190. UNVALIDATED REDIRECTS AND FORWARDS CT PA IM Technical Impact: AL MODERATE IC T YP Install malware Phishing site Bypass authorization controls
  • 191. UNVALIDATED REDIRECTS AND FORWARDS TE D? I P LO T EX I SI HOW Source: Dave Wichers OWASP Top 10 Presentation
  • 192. UNVALIDATED REDIRECTS AND FORWARDS I T? T EN R EV P TO HOW Avoid using redirects and forwards as much as possible If used, don’t use user-input parameters If using user-input... Use Array Map to Whitelist URL Parameters
  • 193. UNVALIDATED REDIRECTS AND FORWARDS I T? T EN R EV Use Array Map to P Whitelist URL Parameters TO HOW
  • 195. My Challenge to you Read the OWASP Wiki http://www.owasp.org Review your code http://www.owasp.org/index.php/Code_Review_Guide http://www.owasp.org/index.php/OWASP_Testing_Project
  • 196. Sources OWASP Sources: - OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS> - OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet> - OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide> - OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project> - OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http:// owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx> - OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting) _Prevention_Cheat_Sheet> Links: - Setting up encrypted email at KU. http://www.technology.ku.edu/ca/install/ - Introduction to Encrypted Internet Chat. http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html Software: - HTMLPurifier <http://htmlpurifier.org/> - KeePass <http://keepass.info/> - KeePassX <http://www.keepassx.org/> - WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project> Photos: http://www.flickr.com/photos/mrbenn/2337943659/ http://www.flickr.com/photos/12836528@N00/4294660659/ John Kary | johnkary@ku.edu http://xkcd.com/327/ Web Development & Interface Design University of Kansas, Information Technology January 2011 KU Web Developers Meeting