The importance of security in 2013: more websites are getting hacked daily, and penetration tester is one of the most requested IT jobs.
Developers need to be sure how secure their applications are against threats like SQL injection, cross-site scripting, weak passwords, and brute force or dictionary attacks.
19. VALIDATION
• Client side validation is useless
• Whitelisting acceptance criteria
• Typecast your variables
• Never trust any data
• Respect\Validation
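The validation rules above, as an added example that is not part of the slides: server-side whitelisting and typecasting of form input. The field names (age, country, username) and the allowed-country list are constructed for the example.

```php
<?php
// Added example (not from the slides): server-side whitelist validation and typecasting.
// Field names "age", "country", "username" and ALLOWED_COUNTRIES are assumptions.
declare(strict_types=1);

const ALLOWED_COUNTRIES = ['NL', 'BE', 'DE'];

/**
 * Validate untrusted input against explicit acceptance criteria.
 * Returns the cleaned values, or throws on the first violation.
 */
function validateSignup(array $input): array
{
    // Typecast: whatever arrives, "age" becomes an int inside the allowed range or fails.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer between 13 and 120');
    }

    // Whitelist by value: only known countries are accepted, everything else is rejected.
    $country = (string) ($input['country'] ?? '');
    if (!in_array($country, ALLOWED_COUNTRIES, true)) {
        throw new InvalidArgumentException('country is not in the allowed list');
    }

    // Whitelist by pattern: letters, digits, underscore, 3 to 20 characters.
    $username = (string) ($input['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        throw new InvalidArgumentException('username has an invalid format');
    }

    return ['age' => $age, 'country' => $country, 'username' => $username];
}

// Constructed sample input, as it might arrive in $_POST (never trust it).
$good = ['age' => '42', 'country' => 'NL', 'username' => 'alice_01'];
$bad  = ['age' => '42; DROP TABLE users', 'country' => 'XX', 'username' => '<script>'];

var_dump(validateSignup($good));
try {
    validateSignup($bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Client-side checks only improve the user experience; the same rules must run on the server, because the browser can be bypassed entirely.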
29. CODE INJECTION
• Don’t use preg_replace() with /e
• PHP 5.5 deprecated /e
• Dynamic function injection: don’t call it from the URL
• local.php?file=some_file.log
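As an added example (not from the slides), the safe counterparts of the two patterns above: preg_replace_callback() instead of the /e modifier, and a fixed key-to-file map instead of a path or function name taken from the URL. The log paths and the handler names are placeholders.

```php
<?php
// Added example (not from the slides). Log paths and handler names are assumptions.

// --- preg_replace() with /e ---
// The /e modifier evaluated the replacement string as PHP code, so attacker-controlled
// content inside the subject could become code. A callback does the same job safely.
function upperCaseTags(string $text): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        static fn(array $m): string => strtoupper($m[1]),
        $text
    );
}

// --- local.php?file=... : never build a path from the URL ---
// Map short opaque keys to files the application chooses; reject everything else.
const VIEWABLE_LOGS = [
    'app'    => '/var/log/myapp/app.log',    // placeholder paths
    'access' => '/var/log/myapp/access.log',
];

function logContents(string $key): string
{
    if (!array_key_exists($key, VIEWABLE_LOGS)) {
        throw new InvalidArgumentException('unknown log');
    }
    $contents = file_get_contents(VIEWABLE_LOGS[$key]);
    if ($contents === false) {
        throw new RuntimeException('log not readable');
    }
    return $contents;
}

// --- dynamic function calls: same rule, a fixed map of allowed handlers ---
function listItems(): array // hypothetical handler
{
    return ['item-1', 'item-2'];
}

const ACTIONS = ['list' => 'listItems'];

function dispatch(string $action)
{
    $handler = ACTIONS[$action] ?? null;
    if ($handler === null || !function_exists($handler)) {
        throw new InvalidArgumentException('unknown action');
    }
    return $handler();
}

echo upperCaseTags('Hello {name}, welcome to {site}'), "\n";
var_dump(dispatch('list'));
foreach (['../other.log', 'phpinfo'] as $untrusted) {   // constructed URL values
    try {
        logContents($untrusted);
    } catch (InvalidArgumentException $e) {
        echo "rejected '$untrusted': {$e->getMessage()}\n";
    }
}
```

The common thread is that user input selects among choices the code already made; it never becomes the file name, the function name or the code itself.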
31. OS INJECTION
• Statements executed directly on the OS
• Don’t use system()
• system('nslookup ' . $_POST['host']);
• 'google.com; rm -RF /var/www'
• Download any script with wget
• Validate file_get_contents()
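The nslookup line from the slide beside a hardened version, as an added example that is not from the slides. The field name host is the slide's; the hostname pattern and the function names are assumptions.

```php
<?php
// Added example (not from the slides): the slide's system('nslookup ' . $_POST['host'])
// beside a hardened form. Hostname pattern and function names are assumptions.

// Vulnerable (shown for comparison, never called): the shell interprets ';', '|',
// backticks and so on in the untrusted value, so the slide's input runs two commands.
function lookupUnsafe(string $host): void
{
    system('nslookup ' . $host);
}

// Hardened 1: no shell at all. Validate against a strict hostname pattern, then use
// the library call that answers the same question.
function lookupSafe(string $host): string
{
    if (!preg_match('/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $host)) {
        throw new InvalidArgumentException('not a valid hostname');
    }
    $ip = gethostbyname($host);       // returns the input unchanged when resolution fails
    return $ip === $host ? 'not found' : $ip;
}

// Hardened 2: if a binary must be run, validate first and pass the value as one
// quoted argument; escapeshellarg() neutralises embedded quotes and metacharacters.
function lookupViaBinary(string $host): string
{
    if (!preg_match('/^[a-z0-9.-]{1,253}$/i', $host)) {
        throw new InvalidArgumentException('not a valid hostname');
    }
    $output = shell_exec('nslookup ' . escapeshellarg($host) . ' 2>&1');
    return $output ?? '';
}

// The slide's input (constructed) is rejected before any command runs.
try {
    lookupSafe('google.com; rm -RF /var/www');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The same validation step applies to file_get_contents(): a value destined for a file name or URL should match a pattern or a whitelist before it reaches the function.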
36. INFORMATION LEAKAGE
• phpinfo()
• php.ini display_errors = Off
• php.ini display_startup_errors = Off
• php.ini error_reporting = E_ALL & ~E_DEPRECATED
• php.ini html_errors = Off
• php.ini log_errors = On
Always log your errors to a file
38. OVER SPECIFIC FEEDBACK
• Login forms messages
• Forgotten debug statements
• Server headers
• php.ini, expose_php = Off
• httpd.conf, ServerTokens
Full | OS | Minor | Major | Prod
• ModSecurity
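A runtime check of the php.ini settings listed on the two slides above (information leakage and over-specific feedback), as an added example that is not from the slides. It reports deviations and changes nothing; the Apache ServerTokens setting is outside PHP and is not checked here.

```php
<?php
// Added example (not from the slides): audit the leakage-related php.ini directives
// listed on the slides. Run on a production host; nothing here modifies configuration.

// ini_get() may report Off as "", "0" or "off" and On as "1" or "on"; display_errors
// may also be "stderr"/"stdout", which still displays, so treat those as on.
function iniOn(string $directive): bool
{
    $value = strtolower((string) ini_get($directive));
    return !in_array($value, ['', '0', 'off', 'false', 'no'], true);
}

function auditProductionIni(): array
{
    $expectedOff = ['display_errors', 'display_startup_errors', 'html_errors', 'expose_php'];
    $expectedOn  = ['log_errors'];
    $findings = [];

    foreach ($expectedOff as $directive) {
        if (iniOn($directive)) {
            $findings[] = "$directive should be Off in production";
        }
    }
    foreach ($expectedOn as $directive) {
        if (!iniOn($directive)) {
            $findings[] = "$directive should be On so errors reach a log file";
        }
    }
    // The slide's value is E_ALL & ~E_DEPRECATED; error_reporting() returns the current mask.
    if (error_reporting() & E_DEPRECATED) {
        $findings[] = 'error_reporting still includes E_DEPRECATED';
    }
    // log_errors without error_log sends errors to the SAPI log rather than a dedicated file.
    if (iniOn('log_errors') && (string) ini_get('error_log') === '') {
        $findings[] = 'error_log is unset; point it at a file outside the document root';
    }
    return $findings;
}

$findings = auditProductionIni();
foreach ($findings ?: ['OK: no leakage-related findings'] as $line) {
    echo $line, "\n";
}
exit($findings ? 1 : 0);   // non-zero exit lets a deploy script fail on findings
```

Running it as `php -d display_errors=1 audit.php` shows a failure; running it under the production php.ini should print only the OK line.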
40. SENSITIVE DATA EXPOSURE
• OWASP Top 10 2013: simply not encrypting data
• Only store the data you need
• MD5 and SHA1 are not for passwords
• Passwords are easy to guess
• Bcrypt is for passwords
ircmaxwell/password-compat
zendframework/zend-crypt
• PHP 5.5: password_hash()
• cost: more rounds = better security but more time/performance penalty
41. SENSITIVE DATA EXPOSURE
• Directories should be 750 or 755
• Files should be 644 or 640
• Locate directories that are world-writable (e.g. 777) on your server:
$ sudo find /var/www/ -type d -perm -002
• Locate files that are world-writable (e.g. 777) on your server:
$ sudo find /var/www/ -type f -perm -002
• User should own the web directory
• Group should be the apache user
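The same permission rules as a PHP audit script, as an added example that is not from the slides. It walks a web root and reports entries whose mode, owner or group deviates from the slide's rules; the root path and the owner and group names are placeholders, and the posix extension is assumed to be available.

```php
<?php
// Added example (not from the slides): report entries under a web root that break the
// slide's rules (dirs 750/755, files 640/644, no world-write bit, expected owner:group).
// The path and the owner/group names are placeholders; requires the posix extension.

function auditPermissions(string $root, string $wantOwner, string $wantGroup): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode    = fileperms($path) & 0777;
        $allowed = $info->isDir() ? [0750, 0755] : [0640, 0644];

        if ($mode & 0002) {
            // Equivalent of the slide's find ... -perm -002
            $findings[] = sprintf('%s is world-writable (%o)', $path, $mode);
        } elseif (!in_array($mode, $allowed, true)) {
            $findings[] = sprintf('%s has mode %o, expected %s',
                $path, $mode, implode(' or ', array_map('decoct', $allowed)));
        }

        $owner = posix_getpwuid(fileowner($path))['name'] ?? '?';
        $group = posix_getgrgid(filegroup($path))['name'] ?? '?';
        if ($owner !== $wantOwner || $group !== $wantGroup) {
            $findings[] = "$path is $owner:$group, expected $wantOwner:$wantGroup";
        }
    }
    return $findings;
}

// Placeholder arguments: deploy user owns the tree, the web server's user is the group.
foreach (auditPermissions('/var/www', 'deploy', 'www-data') as $line) {
    echo $line, "\n";
}
```

Run it from cron or a deploy hook as a user that can read the whole tree; fixing the findings is still a chmod/chown job, which this script deliberately does not do.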
43. BROKEN AUTHENTICATION & SESSION MANAGEMENT
• #2 on OWASP Top 10 2013
• Allows attackers to impersonate other users currently logged in.
• Don’t display the session ID in the URL
• Don’t trust hidden fields such as isAdmin
• Remove the session cookie when done
• Regenerate session IDs after login
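The four session rules above in code, as an added example that is not from the slides: the ID stays out of the URL, is regenerated at login, authorisation state lives server-side rather than in a hidden field, and both the cookie and the server-side data go away at logout. The session keys and the sample user are assumptions.

```php
<?php
// Added example (not from the slides): session handling per the slide's rules.
// Session key names and the sample user ID are assumptions.

function startSecureSession(): void
{
    // Never accept or emit the session ID in the URL (no ?PHPSESSID=... links).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Cookie unreadable from JavaScript and only sent over HTTPS.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    // Reject session IDs the server never issued (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function loginUser(int $userId, bool $isAdmin): void
{
    // Fresh ID after authentication; the old one is deleted so a pre-set ID is useless.
    session_regenerate_id(true);
    // Authorisation state is stored server-side, never in a hidden form field like isAdmin.
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
    $_SESSION['login_at'] = time();
}

function isAdmin(): bool
{
    return !empty($_SESSION['is_admin']);
}

function logoutUser(): void
{
    $_SESSION = [];
    // Remove the cookie on the client, not only the data on the server.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed walk-through (output is deferred so setcookie() can still send headers).
startSecureSession();
loginUser(42, false);
$role = isAdmin() ? 'admin' : 'regular user';
logoutUser();
echo "logged in as $role, then logged out\n";
```

A hidden isAdmin field in a form can be edited by anyone with a browser; the is_admin flag above is read from the server-side session only.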
46. XSS
• 65% of websites are vulnerable to XSS
• 2 types of XSS
stored
reflected
• Steal session ID from cookies
• Escape all form input – htmlspecialchars()
• ezyang/htmlpurifier, escape_html
• cookies HttpOnly
• document.write hidden iframe
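Output escaping for both XSS types with htmlspecialchars(), plus the HttpOnly cookie flag, as an added example that is not from the slides. The escaping helper name, the page fragments and the sample comment data are constructed.

```php
<?php
// Added example (not from the slides): escaping reflected and stored data with
// htmlspecialchars(), and HttpOnly on the session cookie. Helper name, markup and
// sample data are constructed.

// Escape for HTML body and attribute contexts. ENT_QUOTES also escapes single quotes,
// which matters inside attributes like value='...'; ENT_SUBSTITUTE keeps invalid UTF-8
// from silently producing an empty string.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflected: a search term echoed back from the query string.
function renderSearch(string $q): string
{
    return '<p>Results for <strong>' . e($q) . '</strong></p>'
         . '<input type="text" name="q" value="' . e($q) . '">';
}

// Stored: comments saved earlier and shown to every visitor. Escaping at output time
// means the database keeps the original text and every display path is covered.
function renderComments(array $comments): string
{
    $html = '<ul>';
    foreach ($comments as $c) {
        $html .= '<li>' . e($c['author']) . ': ' . e($c['body']) . '</li>';
    }
    return $html . '</ul>';
}

// Session cookie not readable via document.cookie; must be set before session_start().
ini_set('session.cookie_httponly', '1');

// Constructed sample payloads; the rendered output contains no executable markup.
echo renderSearch('<script>alert(1)</script>'), "\n";
echo renderComments([
    ['author' => 'mallory', 'body' => '" onmouseover="alert(1)'],
]), "\n";
```

htmlspecialchars() is the right tool when the value must be shown as text; when users are allowed to submit a subset of HTML, a whitelist-based filter such as ezyang/htmlpurifier is needed instead, because escaping would break the permitted markup.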