SlideShare una empresa de Scribd logo

Securing your web apps now

Descargar como PPTX, PDF
Stephan Steynfaardt
Stephan Steynfaardt

The importance of security in 2013, with more websites getting hacked daily and penetration testers being one of the most the requested IT jobs. Develops need to be sure how secure their applications against threads like SQL injection, cross site scripting, weak passwords, brute force or dictionary attacks.

Tecnología
1 de 50
SECURING YOUR WEB APPS NOW TIPS TO MAKE YOUR SITE LESS HACKABLE
WHO? • Stephan Steynfaardt • Solutions Architect & Tech Lead • CISSP certified • White hat penetration testing • @ssteynfaardt
WHAT? • Validation • SQL injection • OS injection • Code injection • File upload • Information leakage • Broken Authentication & Session Management • XSS
WHY?
IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER
IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.
I don’t even trust the panda ANY 4 YEAR OLD WITH AN INTERNET CONNECTION
Nothing to do with SSL WEB APPLICATIONS TESTED BY OWASP
WORLD’S BIGGEST DATA BREACHES 2013
HOW? • More than one security layer
HOW? • More than one security layer • Validate • Escape • Bind SQL • Least privileges • Generic error exceptions messages • Don't display error messages
VALIDATION
VALIDATION • Client side validation is useless • Whitelisting acceptance criteria • Typecast your variables • Never trust any data • RespectValidation
Top 10 OWASP list SQL INJECTION
SQL INJECTION • Don't use quotes – You only need to miss one • Always bind your parameter
BIND PARAMETER $sql = "SELECT * FROM users WHERE name=:name and age=:age"; $stmt = $db->prepare($sql); $stmt->execute(array(":name" => $name, ":age" => $age));
SQL INJECTION • Don't use quotes – You only need to miss one • Always bind your parameter • Only allow SQL privileges required • SQL MAP
Cracking password hashes SQL MAP
CODE INJECTION
CODE INJECTION • Eval() === Evil $var = 1; $newvalue = isset($_GET['id']) ? $_GET['id'] : 0; eval('$var = ' . $newvalue . ';'); echo $var; • PHP manual warns you against using eval()
CODE INJECTION • Don’t use preg_replace() with /e • PHP 5.5 deprecated /e • Dynamic function injection, don’t call it from the URL • local.php?file=some_file.log
OS INJECTION
OS INJECTION • Statements executed directly on the OS • Don’t use system() • system('nslookup ' . $_POST['host']); • 'google.com; rm -RF /var/www’ • Download any script with wget • Validate file_get_contents()
bring your own exploit FILE UPLOADS
Actually any PHP n00bs WORDPRESS N00BS
FILE UPLOADS • Upload files outside of the webroot • Check the mime-type • file -i logo.png logo.png: image/png; charset=binary • file –i evil_file.png evil_file.png: text/plain; charset=us-ascii • Rename file • Move to desired location
INFORMATION LEAKAGE
INFORMATION LEAKAGE • Phpinfo() • php.ini dispay_error = Off • php.ini dispay_startup_error = Off • php.ini error_reporting = E_ALL & ~E_DEPRICATED • php.ini html_errors = Off • php.ini log_error = On Always log your errors to a file
OVER SPECIFIC FEEDBACK
OVER SPECIFIC FEEDBACK • Login forms messages • Forgotten debug statements • Server headers • php.ini, expose_php = Off • httpd.conf, Server Tokens Full | OS | Minor |Major | prod • modSecurity
SENSITIVE DATA EXPOSURE All your data are belong to us - NSA
SENSITIVE DATA EXPOSURE • OWASP, top 10 2013, simply not encrypting data • Only store the data you need • MD5, SHA1 is not for passwords • Passwords are easy to guess • Bcrypt is for passwords ircmaxwell/password-compat zendframework/zend-crypt • PHP 5.5 password_hash() • cost, more rounds = better security but more time/performance penalty
SENSITIVE DATA EXPOSURE • Directories should be 750 or 755 • Files should be 644 or 640 • Locate directories that are 777 on your server: $ sudo find /var/www/ -type d -perm -002 • Locate files that are 777 on your server: $ sudo find /var/www/ -type f -perm -002 • User should own the web directory • Group should be the apache user
BROKEN AUTHENTICATION & SESSION MANAGEMENT
BROKEN AUTHENTICATION & SESSION MANAGEMENT • #2 on OWASP top 10 2013 • Allows attackers to impersonate other user currently logged in. • Don’t display the sessionID in the URL • Hidden fields – isAdmin • Remove the session cookie when done • Regenerate sessionID's after login
BROKEN AUTHENTICATION & SESSION MANAGEMENT • session_destoy() session_unet() • Remember me functions • chrome://settings/passwords •
Cross Site Scripting XSS
XSS • 65% of websites are venerable to XSS • 2 types of XXS stored reflected • Steal sessionID from cookies • Escape all form input – htmlspecialhars() • ezyang/htmlpurifier, escape_html • cookies HTML Only • document.write hidden iframe
GOING FORWARD
GOING FORWARD • 57% organizations provided some software security training • 40% fewer vulnerabilities • Resolved issues 59% faster • owasp.org • https://security.sensiolabs.org/
GOING FORWARD • 19 Extensions to Turn Google Chrome into Penetration Testing tool http://resources.infosecinstitute.com/19-extensions-to-turn- google-chrome-into-penetration-testing-tool/ • PHP security manual http://php.net/manual/en/security.php • Code reviews • Try it yourself

Recomendados

The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hackedMarko Heijnen
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates
 
Web app development with Flask
Web app development with FlaskWeb app development with Flask
Web app development with FlaskJasim Muhammed
 
Async Web and Python
Async Web and PythonAsync Web and Python
Async Web and PythonJasim Muhammed
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 

Recomendados

The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hackedMarko Heijnen
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates
 
Web app development with Flask
Web app development with FlaskWeb app development with Flask
Web app development with FlaskJasim Muhammed
 
Async Web and Python
Async Web and PythonAsync Web and Python
Async Web and PythonJasim Muhammed
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Getting started with wordpress hosting and security
Getting started with wordpress hosting and securityGetting started with wordpress hosting and security
Getting started with wordpress hosting and securityWP Pittsburgh Meetup Group
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting StartedSimon Bennetts
 
PowerShell for SharePoint Admins
PowerShell for SharePoint AdminsPowerShell for SharePoint Admins
PowerShell for SharePoint AdminsRick Taylor
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolDavid Sweigert
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts
 
SP24S053 Introduction to PowerShell for SharePoint Developers and Administrators
SP24S053 Introduction to PowerShell for SharePoint Developers and AdministratorsSP24S053 Introduction to PowerShell for SharePoint Developers and Administrators
SP24S053 Introduction to PowerShell for SharePoint Developers and AdministratorsMichael Blumenthal (Microsoft MVP)
 
Automating Attacks Against Office365 - BsidesPDX 2016
Automating Attacks Against Office365 - BsidesPDX 2016Automating Attacks Against Office365 - BsidesPDX 2016
Automating Attacks Against Office365 - BsidesPDX 2016Karl Fosaaen
 
PowerShell for SharePoint Developers
PowerShell for SharePoint DevelopersPowerShell for SharePoint Developers
PowerShell for SharePoint DevelopersBoulos Dib
 
Secure deployments keeping your application secrets private - condensed
Secure deployments keeping your application secrets private - condensedSecure deployments keeping your application secrets private - condensed
Secure deployments keeping your application secrets private - condensedHenry Been
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts
 
PowerShell for sharepoint 2010 administrators
PowerShell for sharepoint 2010 administratorsPowerShell for sharepoint 2010 administrators
PowerShell for sharepoint 2010 administratorsRavikanth Chaganti
 
Automate IBM Connections Installations and more
Automate IBM Connections Installations and moreAutomate IBM Connections Installations and more
Automate IBM Connections Installations and morepanagenda
 
IBM Connections Adminblast - Soccnx 12 Edition
IBM Connections Adminblast - Soccnx 12 EditionIBM Connections Adminblast - Soccnx 12 Edition
IBM Connections Adminblast - Soccnx 12 Editionpanagenda
 
EASE spectre meltdown_support
EASE spectre meltdown_supportEASE spectre meltdown_support
EASE spectre meltdown_supportJoe Slowik
 
V sphere automation_vlaxa_2017
V sphere automation_vlaxa_2017V sphere automation_vlaxa_2017
V sphere automation_vlaxa_2017Vladan Laxa
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Darren Duke
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts
 
Доклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysДоклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysru_Parallels
 
Perfect workflow with vagrant
Perfect workflow with vagrantPerfect workflow with vagrant
Perfect workflow with vagrantStephan Steynfaardt
 
The impact of innovation on travel and tourism industries (World Travel Marke...
The impact of innovation on travel and tourism industries (World Travel Marke...The impact of innovation on travel and tourism industries (World Travel Marke...
The impact of innovation on travel and tourism industries (World Travel Marke...Brian Solis
 

Más contenido relacionado

La actualidad más candente

Getting started with wordpress hosting and security
Getting started with wordpress hosting and securityGetting started with wordpress hosting and security
Getting started with wordpress hosting and securityWP Pittsburgh Meetup Group
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting StartedSimon Bennetts
 
PowerShell for SharePoint Admins
PowerShell for SharePoint AdminsPowerShell for SharePoint Admins
PowerShell for SharePoint AdminsRick Taylor
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolDavid Sweigert
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts
 
SP24S053 Introduction to PowerShell for SharePoint Developers and Administrators
SP24S053 Introduction to PowerShell for SharePoint Developers and AdministratorsSP24S053 Introduction to PowerShell for SharePoint Developers and Administrators
SP24S053 Introduction to PowerShell for SharePoint Developers and AdministratorsMichael Blumenthal (Microsoft MVP)
 
Automating Attacks Against Office365 - BsidesPDX 2016
Automating Attacks Against Office365 - BsidesPDX 2016Automating Attacks Against Office365 - BsidesPDX 2016
Automating Attacks Against Office365 - BsidesPDX 2016Karl Fosaaen
 
PowerShell for SharePoint Developers
PowerShell for SharePoint DevelopersPowerShell for SharePoint Developers
PowerShell for SharePoint DevelopersBoulos Dib
 
Secure deployments keeping your application secrets private - condensed
Secure deployments keeping your application secrets private - condensedSecure deployments keeping your application secrets private - condensed
Secure deployments keeping your application secrets private - condensedHenry Been
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts
 
PowerShell for sharepoint 2010 administrators
PowerShell for sharepoint 2010 administratorsPowerShell for sharepoint 2010 administrators
PowerShell for sharepoint 2010 administratorsRavikanth Chaganti
 
Automate IBM Connections Installations and more
Automate IBM Connections Installations and moreAutomate IBM Connections Installations and more
Automate IBM Connections Installations and morepanagenda
 
IBM Connections Adminblast - Soccnx 12 Edition
IBM Connections Adminblast - Soccnx 12 EditionIBM Connections Adminblast - Soccnx 12 Edition
IBM Connections Adminblast - Soccnx 12 Editionpanagenda
 
EASE spectre meltdown_support
EASE spectre meltdown_supportEASE spectre meltdown_support
EASE spectre meltdown_supportJoe Slowik
 
V sphere automation_vlaxa_2017
V sphere automation_vlaxa_2017V sphere automation_vlaxa_2017
V sphere automation_vlaxa_2017Vladan Laxa
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Darren Duke
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts
 
Доклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysДоклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysru_Parallels
 

La actualidad más candente (20)

Getting started with wordpress hosting and security
Getting started with wordpress hosting and securityGetting started with wordpress hosting and security
Getting started with wordpress hosting and security
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
 
PowerShell for SharePoint Admins
PowerShell for SharePoint AdminsPowerShell for SharePoint Admins
PowerShell for SharePoint Admins
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing tool
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
SP24S053 Introduction to PowerShell for SharePoint Developers and Administrators
SP24S053 Introduction to PowerShell for SharePoint Developers and AdministratorsSP24S053 Introduction to PowerShell for SharePoint Developers and Administrators
SP24S053 Introduction to PowerShell for SharePoint Developers and Administrators
 
Automating Attacks Against Office365 - BsidesPDX 2016
Automating Attacks Against Office365 - BsidesPDX 2016Automating Attacks Against Office365 - BsidesPDX 2016
Automating Attacks Against Office365 - BsidesPDX 2016
 
PowerShell for SharePoint Developers
PowerShell for SharePoint DevelopersPowerShell for SharePoint Developers
PowerShell for SharePoint Developers
 
Secure deployments keeping your application secrets private - condensed
Secure deployments keeping your application secrets private - condensedSecure deployments keeping your application secrets private - condensed
Secure deployments keeping your application secrets private - condensed
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
 
PowerShell for sharepoint 2010 administrators
PowerShell for sharepoint 2010 administratorsPowerShell for sharepoint 2010 administrators
PowerShell for sharepoint 2010 administrators
 
Automate IBM Connections Installations and more
Automate IBM Connections Installations and moreAutomate IBM Connections Installations and more
Automate IBM Connections Installations and more
 
IBM Connections Adminblast - Soccnx 12 Edition
IBM Connections Adminblast - Soccnx 12 EditionIBM Connections Adminblast - Soccnx 12 Edition
IBM Connections Adminblast - Soccnx 12 Edition
 
EASE spectre meltdown_support
EASE spectre meltdown_supportEASE spectre meltdown_support
EASE spectre meltdown_support
 
V sphere automation_vlaxa_2017
V sphere automation_vlaxa_2017V sphere automation_vlaxa_2017
V sphere automation_vlaxa_2017
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
 
Доклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysДоклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDays
 

Destacado

The impact of innovation on travel and tourism industries (World Travel Marke...
The impact of innovation on travel and tourism industries (World Travel Marke...The impact of innovation on travel and tourism industries (World Travel Marke...
The impact of innovation on travel and tourism industries (World Travel Marke...Brian Solis
 
Open Source Creativity
Open Source CreativityOpen Source Creativity
Open Source CreativitySara Cannon
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)maditabalnco
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsBarry Feldman
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome EconomyHelge Tennø
 

Destacado (6)

Perfect workflow with vagrant
Perfect workflow with vagrantPerfect workflow with vagrant
Perfect workflow with vagrant
 
The impact of innovation on travel and tourism industries (World Travel Marke...
The impact of innovation on travel and tourism industries (World Travel Marke...The impact of innovation on travel and tourism industries (World Travel Marke...
The impact of innovation on travel and tourism industries (World Travel Marke...
 
Open Source Creativity
Open Source CreativityOpen Source Creativity
Open Source Creativity
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post Formats
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome Economy
 

Similar a Securing your web apps now

Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server SecurityPeter Baylies
 
MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016Colin Charles
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Colin Charles
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanJeff Hoffman
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
WordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices SimplifiedWordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices SimplifiedBlogVault Inc
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingColdFusionConference
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015kriptonium
 
How to Secure Your WordPress Site
How to Secure Your WordPress SiteHow to Secure Your WordPress Site
How to Secure Your WordPress SiteQBurst
 
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"Andi Rustandi Djunaedi
 
doing_it_right() with WordPress
doing_it_right() with WordPressdoing_it_right() with WordPress
doing_it_right() with WordPressryanduff
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 

Similar a Securing your web apps now (20)

Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server Security
 
MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff Hoffman
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security Intro
 
WordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices SimplifiedWordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices Simplified
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
How to Secure Your WordPress Site
How to Secure Your WordPress SiteHow to Secure Your WordPress Site
How to Secure Your WordPress Site
 
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
 
doing_it_right() with WordPress
doing_it_right() with WordPressdoing_it_right() with WordPress
doing_it_right() with WordPress
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 

Último

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 

Último (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 

Securing your web apps now

  • 1. SECURING YOUR WEB APPS NOW TIPS TO MAKE YOUR SITE LESS HACKABLE
  • 2. WHO? • Stephan Steynfaardt • Solutions Architect & Tech Lead • CISSP certified • White hat penetration testing • @ssteynfaardt
  • 3. WHAT? • Validation • SQL injection • OS injection • Code injection • File upload • Information leakage • Broken Authentication & Session Management • XSS
  • 5. IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER
  • 6. IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.
  • 7. I don’t even trust the panda ANY 4 YEAR OLD WITH AN INTERNET CONNECTION
  • 8. Nothing to do with SSL WEB APPLICATIONS TESTED BY OWASP
  • 10.
  • 11.
  • 12.
  • 13. HOW? • More than one security layer
  • 14.
  • 15.
  • 16.
  • 17. HOW? • More than one security layer • Validate • Escape • Bind SQL • Least privileges • Generic error exceptions messages • Don't display error messages
  • 19. VALIDATION • Client side validation is useless • Whitelisting acceptance criteria • Typecast your variables • Never trust any data • RespectValidation
  • 20. Top 10 OWASP list SQL INJECTION
  • 21. SQL INJECTION • Don't use quotes – You only need to miss one • Always bind your parameter
  • 22. BIND PARAMETER $sql = "SELECT * FROM users WHERE name=:name and age=:age"; $stmt = $db->prepare($sql); $stmt->execute(array(":name" => $name, ":age" => $age));
  • 23. SQL INJECTION • Don't use quotes – You only need to miss one • Always bind your parameter • Only allow SQL privileges required • SQL MAP
  • 25.
  • 26.
  • 28. CODE INJECTION • Eval() === Evil $var = 1; $newvalue = isset($_GET['id']) ? $_GET['id'] : 0; eval('$var = ' . $newvalue . ';'); echo $var; • PHP manual warns you against using eval()
  • 29. CODE INJECTION • Don’t use preg_replace() with /e • PHP 5.5 deprecated /e • Dynamic function injection, don’t call it from the URL • local.php?file=some_file.log
  • 31. OS INJECTION • Statements executed directly on the OS • Don’t use system() • system('nslookup ' . $_POST['host']); • 'google.com; rm -RF /var/www’ • Download any script with wget • Validate file_get_contents()
  • 32. bring your own exploit FILE UPLOADS
  • 33. Actually any PHP n00bs WORDPRESS N00BS
  • 34. FILE UPLOADS • Upload files outside of the webroot • Check the mime-type • file -i logo.png logo.png: image/png; charset=binary • file –i evil_file.png evil_file.png: text/plain; charset=us-ascii • Rename file • Move to desired location
  • 36. INFORMATION LEAKAGE • Phpinfo() • php.ini dispay_error = Off • php.ini dispay_startup_error = Off • php.ini error_reporting = E_ALL & ~E_DEPRICATED • php.ini html_errors = Off • php.ini log_error = On Always log your errors to a file
  • 38. OVER SPECIFIC FEEDBACK • Login forms messages • Forgotten debug statements • Server headers • php.ini, expose_php = Off • httpd.conf, Server Tokens Full | OS | Minor |Major | prod • modSecurity
  • 39. SENSITIVE DATA EXPOSURE All your data are belong to us - NSA
  • 40. SENSITIVE DATA EXPOSURE • OWASP, top 10 2013, simply not encrypting data • Only store the data you need • MD5, SHA1 is not for passwords • Passwords are easy to guess • Bcrypt is for passwords ircmaxwell/password-compat zendframework/zend-crypt • PHP 5.5 password_hash() • cost, more rounds = better security but more time/performance penalty
  • 41. SENSITIVE DATA EXPOSURE • Directories should be 750 or 755 • Files should be 644 or 640 • Locate directories that are 777 on your server: $ sudo find /var/www/ -type d -perm -002 • Locate files that are 777 on your server: $ sudo find /var/www/ -type f -perm -002 • User should own the web directory • Group should be the apache user
  • 43. BROKEN AUTHENTICATION & SESSION MANAGEMENT • #2 on OWASP top 10 2013 • Allows attackers to impersonate other user currently logged in. • Don’t display the sessionID in the URL • Hidden fields – isAdmin • Remove the session cookie when done • Regenerate sessionID's after login
  • 44. BROKEN AUTHENTICATION & SESSION MANAGEMENT • session_destoy() session_unet() • Remember me functions • chrome://settings/passwords •
  • 46. XSS • 65% of websites are venerable to XSS • 2 types of XXS stored reflected • Steal sessionID from cookies • Escape all form input – htmlspecialhars() • ezyang/htmlpurifier, escape_html • cookies HTML Only • document.write hidden iframe
  • 48. GOING FORWARD • 57% organizations provided some software security training • 40% fewer vulnerabilities • Resolved issues 59% faster • owasp.org • https://security.sensiolabs.org/
  • 49.
  • 50. GOING FORWARD • 19 Extensions to Turn Google Chrome into Penetration Testing tool http://resources.infosecinstitute.com/19-extensions-to-turn- google-chrome-into-penetration-testing-tool/ • PHP security manual http://php.net/manual/en/security.php • Code reviews • Try it yourself