SlideShare una empresa de Scribd logo

Php security

Descargar como PPTX, PDF
Akash Mahajan
Akash Mahajan

A different look at what PHP developers should be looking at. Not in terms of security but in terms of the data flow of the web application. The concepts of security are tied into that itself.

Tecnología
1 de 14
PHP Security Akash Mahajan | akashm.com That Web Application Security Guy
This talk isn’t about security This is about data in the web applications How does it flow Where does it come from? Where does it end up? This is about configuration of web applications Do files requires some special permissions? Why does your upload folder have 0777? @makash | akashm.com - That Web Application Security Guy
Web Apps look like this – 3 tier @makash | akashm.com - That Web Application Security Guy
Data View of A Web App in Use @makash | akashm.com - That Web Application Security Guy Web Client controls everything that it has received as part of the request. Web Server ,[object Object]
HTTP Protocol
PHP Interpreter
Trusted Code running on the serverData Store Untrusted Data
Data you can’t trust Good data for a login page Username – foo Password – bar Bad data for a login page Username – foo’ OR 1=1;-- Password – bar’ OR 1=1;-- Good data for a comment This is a nice comment Bad data for a comment This is an XSS</textarea><script>alert(document.cookie);</script> @makash | akashm.com - That Web Application Security Guy
Data you need to protect Clear text passwords for a username email@example.com Password is 123456 Data thief steals the entire database and has reusable account details http://somebank.cxm/account-details.php?id=1234 Did you check that only user with id 1234 can see this? What if the attacker stole the session cookie of user with id 1234 @makash | akashm.com - That Web Application Security Guy
Where all is data coming from GET Requests AJAX Requests POST Requests HTML Form Data Cookies Stored with values HTTP Headers File Uploads External data sources @makash | akashm.com - That Web Application Security Guy
Job of your trusted code Trusted code should remain trusted. Based on the validation we can classify data as tainted/bad or un-tainted/good. Only after that the data which is good data for the application should be processed. @makash | akashm.com - That Web Application Security Guy
I am a developer, not a hacker Agreed you are not a person bent on breaking the app, but Data from requests which is displayed in the browser passes through your trusted code. Injecting HTML/JS is XSS Data from the browser getting stored in the database Injecting SQL in such requests which are sent to the database is SQL Injection. Data stored in cookies which are used for authentication can be hijacked by an evil web page. Un-authorized requests on the behalf of your web app user is CSRF @makash | akashm.com - That Web Application Security Guy
What are we protecting? @makash | akashm.com - That Web Application Security Guy
Again, what are we protecting? We are protecting the web application. From all kinds of injections From unauthorized requests which originate at the user end We are protecting the user information, users have entrusted us with. We are protecting the underlying server and the connected database from malicious commands which come through our trusted code. @makash | akashm.com - That Web Application Security Guy

Recomendados

Securing the e marketing site
Securing the e marketing siteSecuring the e marketing site
Securing the e marketing sitegaurav jain
 
Web site hacking;what does it mean
Web site hacking;what does it meanWeb site hacking;what does it mean
Web site hacking;what does it meanMetaKave
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecuritySrivigneshwar R Prasad
 
Cloud security monitoring
Cloud security monitoringCloud security monitoring
Cloud security monitoringGabe Akisanmi
 
Open APIs: Security for Mobile and the Cloud
Open APIs: Security for Mobile and the CloudOpen APIs: Security for Mobile and the Cloud
Open APIs: Security for Mobile and the CloudCA API Management
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security pptCheap SSL Coupon Code
 

Recomendados

Securing the e marketing site
Securing the e marketing siteSecuring the e marketing site
Securing the e marketing sitegaurav jain
 
Web site hacking;what does it mean
Web site hacking;what does it meanWeb site hacking;what does it mean
Web site hacking;what does it meanMetaKave
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecuritySrivigneshwar R Prasad
 
Cloud security monitoring
Cloud security monitoringCloud security monitoring
Cloud security monitoringGabe Akisanmi
 
Open APIs: Security for Mobile and the Cloud
Open APIs: Security for Mobile and the CloudOpen APIs: Security for Mobile and the Cloud
Open APIs: Security for Mobile and the CloudCA API Management
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security pptCheap SSL Coupon Code
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior
 
Site opsys
Site opsysSite opsys
Site opsysThomas George
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior
 
Secure coding checklist
Secure coding checklistSecure coding checklist
Secure coding checklistPrabhanshu Saraswat
 
Api security
Api security Api security
Api security teodorcotruta
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsPriyanka Aash
 
PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnSandro Zaccarini
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 
Php web backdoor obfuscation
Php web backdoor obfuscationPhp web backdoor obfuscation
Php web backdoor obfuscationSandro Zaccarini
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013rjsmelo
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Colin O'Dell
 
A Simple Laboratory Environment for Real World Offensive Security Education
A Simple Laboratory Environment for Real World Offensive Security EducationA Simple Laboratory Environment for Real World Offensive Security Education
A Simple Laboratory Environment for Real World Offensive Security Educationchunkybacon
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 

Más contenido relacionado

La actualidad más candente

Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 

La actualidad más candente (11)

Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
 
Site opsys
Site opsysSite opsys
Site opsys
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - Authentication
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practice
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
 
Secure coding checklist
Secure coding checklistSecure coding checklist
Secure coding checklist
 
Api security
Api security Api security
Api security
 
Web application security
Web application securityWeb application security
Web application security
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web Services
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 

Destacado

How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsPriyanka Aash
 
PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnSandro Zaccarini
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 
Php web backdoor obfuscation
Php web backdoor obfuscationPhp web backdoor obfuscation
Php web backdoor obfuscationSandro Zaccarini
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013rjsmelo
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Colin O'Dell
 
A Simple Laboratory Environment for Real World Offensive Security Education
A Simple Laboratory Environment for Real World Offensive Security EducationA Simple Laboratory Environment for Real World Offensive Security Education
A Simple Laboratory Environment for Real World Offensive Security Educationchunkybacon
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...POSSCON
 
Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Mark Niebergall
 
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team LoosersNullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team LoosersAjith Chandran
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Security Testing by Ken De Souza
Security Testing by Ken De SouzaSecurity Testing by Ken De Souza
Security Testing by Ken De SouzaQA or the Highway
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Imperva
 

Destacado (20)

How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security Flaws
 
PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vuln
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web application
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Php web backdoor obfuscation
Php web backdoor obfuscationPhp web backdoor obfuscation
Php web backdoor obfuscation
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013PHP and Application Security - OWASP Road Show 2013
PHP and Application Security - OWASP Road Show 2013
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016
 
A Simple Laboratory Environment for Real World Offensive Security Education
A Simple Laboratory Environment for Real World Offensive Security EducationA Simple Laboratory Environment for Real World Offensive Security Education
A Simple Laboratory Environment for Real World Offensive Security Education
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCE
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 
Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!
 
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team LoosersNullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
 
Web application security
Web application securityWeb application security
Web application security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Nikto
NiktoNikto
Nikto
 
Security Testing by Ken De Souza
Security Testing by Ken De SouzaSecurity Testing by Ken De Souza
Security Testing by Ken De Souza
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101
 

Similar a Php security

Web Server Web Site Security
Web Server Web Site SecurityWeb Server Web Site Security
Web Server Web Site SecuritySteven Cahill
 
Tips for web security
Tips for web securityTips for web security
Tips for web securitykareowebtech
 
Tips for web security
Tips for web securityTips for web security
Tips for web securitykareowebtech
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Veracode
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
E-Business And Technology Essay
E-Business And Technology EssayE-Business And Technology Essay
E-Business And Technology EssayPamela Wright
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure Data Storage and Forwarding in Cloud Using AES and HMAC
Secure Data Storage and Forwarding in Cloud Using AES and HMACSecure Data Storage and Forwarding in Cloud Using AES and HMAC
Secure Data Storage and Forwarding in Cloud Using AES and HMACIRJET Journal
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionAustina Francis
 
Online Bank Hack
Online Bank HackOnline Bank Hack
Online Bank HackCaleb Sima
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009Paul Lemon
 

Similar a Php security (20)

Web Server Web Site Security
Web Server Web Site SecurityWeb Server Web Site Security
Web Server Web Site Security
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
 
Tips for web security
Tips for web securityTips for web security
Tips for web security
 
Tips for web security
Tips for web securityTips for web security
Tips for web security
 
Application Security
Application SecurityApplication Security
Application Security
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
E-Business And Technology Essay
E-Business And Technology EssayE-Business And Technology Essay
E-Business And Technology Essay
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Secure Data Storage and Forwarding in Cloud Using AES and HMAC
Secure Data Storage and Forwarding in Cloud Using AES and HMACSecure Data Storage and Forwarding in Cloud Using AES and HMAC
Secure Data Storage and Forwarding in Cloud Using AES and HMAC
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protection
 
Online Bank Hack
Online Bank HackOnline Bank Hack
Online Bank Hack
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
 

Más de Akash Mahajan

On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionOn Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionAkash Mahajan
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containersAkash Mahajan
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoAkash Mahajan
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereAkash Mahajan
 
The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+dataAkash Mahajan
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
I haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesI haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesAkash Mahajan
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 

Más de Akash Mahajan (13)

On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionOn Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs Session
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containers
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
 
The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+data
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
 
I haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesI haz your mouse clicks and key strokes
I haz your mouse clicks and key strokes
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
 
Web application security
Web application securityWeb application security
Web application security
 
Web application security
Web application securityWeb application security
Web application security
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
Startups Security
Startups SecurityStartups Security
Startups Security
 

Último

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Último (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Php security

  • 1. PHP Security Akash Mahajan | akashm.com That Web Application Security Guy
  • 2. This talk isn’t about security This is about data in the web applications How does it flow Where does it come from? Where does it end up? This is about configuration of web applications Do files requires some special permissions? Why does your upload folder have 0777? @makash | akashm.com - That Web Application Security Guy
  • 3. Web Apps look like this – 3 tier @makash | akashm.com - That Web Application Security Guy
  • 4.
  • 7. Trusted Code running on the serverData Store Untrusted Data
  • 8. Data you can’t trust Good data for a login page Username – foo Password – bar Bad data for a login page Username – foo’ OR 1=1;-- Password – bar’ OR 1=1;-- Good data for a comment This is a nice comment Bad data for a comment This is an XSS</textarea><script>alert(document.cookie);</script> @makash | akashm.com - That Web Application Security Guy
  • 9. Data you need to protect Clear text passwords for a username email@example.com Password is 123456 Data thief steals the entire database and has reusable account details http://somebank.cxm/account-details.php?id=1234 Did you check that only user with id 1234 can see this? What if the attacker stole the session cookie of user with id 1234 @makash | akashm.com - That Web Application Security Guy
  • 10. Where all is data coming from GET Requests AJAX Requests POST Requests HTML Form Data Cookies Stored with values HTTP Headers File Uploads External data sources @makash | akashm.com - That Web Application Security Guy
  • 11. Job of your trusted code Trusted code should remain trusted. Based on the validation we can classify data as tainted/bad or un-tainted/good. Only after that the data which is good data for the application should be processed. @makash | akashm.com - That Web Application Security Guy
  • 12. I am a developer, not a hacker Agreed you are not a person bent on breaking the app, but Data from requests which is displayed in the browser passes through your trusted code. Injecting HTML/JS is XSS Data from the browser getting stored in the database Injecting SQL in such requests which are sent to the database is SQL Injection. Data stored in cookies which are used for authentication can be hijacked by an evil web page. Un-authorized requests on the behalf of your web app user is CSRF @makash | akashm.com - That Web Application Security Guy
  • 13. What are we protecting? @makash | akashm.com - That Web Application Security Guy
  • 14. Again, what are we protecting? We are protecting the web application. From all kinds of injections From unauthorized requests which originate at the user end We are protecting the user information, users have entrusted us with. We are protecting the underlying server and the connected database from malicious commands which come through our trusted code. @makash | akashm.com - That Web Application Security Guy
  • 15. What about configuration Assume your web application allows users to upload pictures Then there are 3 image formats used – jpg, png, gif The filename of the image is also untrusted data. Files can have an extension which makes it look like an image Images can have code embedded which can execute if requested using a GET @makash | akashm.com - That Web Application Security Guy
  • 16. What about configuration All your web server needs is write permission for the user it is running as. This is because files are uploaded to a temp directory where can’t be called for execution It is your PHP code which copies them to a folder inside document root Why does the upload folder have execute permissions? Your web application needs to connect to the database. But why does the connection code need to be inside the document root? @makash | akashm.com - That Web Application Security Guy
  • 17. Questions? Any questions About me Akash Mahajan ( google me ) That Web Application Security Guy null Founder and Bangalore Chapter Lead (http://null.co.in) Web Security Consultant @makash on Twitter || http://akashm.com Presentations : http://www.slideshare.net/akashm @makash | akashm.com - That Web Application Security Guy