[PHPCamp] OWASP PHP Top 5 + CSRF
OWASP PHP Top 5 plus CSRF
Bipin Upadhyay, Satyam Computers
http://projectbee.org/
"The first matrix I designed was, quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure."
Agenda
– Introduction to AppSecurity
  – Why?
  – OWASP
– OWASP PHP Top 5
  – The Boring 3
  – The Exciting 2
– CSRF
Who Am I?
I am SpiderMan.
Apart from that, I:
– work for Satyam Computers,
– work as PHP Lead,
– am currently working on OpenSocial,
– also work on App Sec, and
– am also a part of the OWASP Bangalore Chapter.
I can be pinged at:
– Om-[AT]-Projectbee-[Dot]-org, and
– http://projectbee.org/
Agenda
– Introduction to AppSecurity
  – Why?
  – OWASP
– OWASP PHP Top 5 – Intro & Mitigation
  – The Boring 3
  – The Exciting 2
– CSRF
Network Sec. versus App Sec.
(Diagram: Attacker → Firewall/IDS/IPS → Web Server. Of ports 0 to 65535, only 80 and 443 pass the firewall.)
Network Sec. versus App Sec…
(Diagram: Malicious or compromised Web Server → Firewall/NATed IP → Victim, ports 0 to 65535.)
How serious is the matter?
– 90% of web applications have serious vulnerabilities – Gartner Group
– 78% of attacks are at the web application level – Symantec
– XSS and SQLi are replacing buffer overflows as the favourite hacker initiative – Mitre
– 8 to 9 out of every 10 sites are vulnerable to XSS – WASC
Scary Cracks
Credit Cards & Google
Google.com UTF-7 XSS Vulnerability
Yamanner
“Samy is my Hero” OR Samy Worm
GMail CSRF Vulnerability
OWASP
A free and open community focused on improving App Security
Guides, tools, etc. freely available for use
OWASP PHP Top 5 is a list of the top 5 PHP vulnerabilities
YOU can start your own project and/or contribute too
OWASP Top 5
The Boring Trio
– P1. Remote Code Execution
– P4. PHP Configurations
– P5. File System Attacks
The Exciting Duo
– P3. SQL Injection Attacks
– P2. XSS (Cross Site Scripting)
OWASP Top 5
The Boring Trio
– P1. Remote Code Execution
– P4. PHP Configurations
– P5. File System Attacks
Arguably, a little outdated.
They don't excite me enough to talk about here.
Read them yourself :D
OWASP Top 5
The Exciting Duo
– P3. SQL Injection Attacks
– P2. XSS (Cross Site Scripting)
Injection Attacks are also listed as A2 in the OWASP Top 10.
XSS stands at A1 in the OWASP Top 10.
The femme-fatale attacks.
P3. SQL Injections – Intro
Unsanitized data that reaches the database can be executed as part of an SQL query.
(Illustration on the slide: comic from http://xkcd.com)
P3. SQL Injections – Intro
Demo
P3. SQL Injections – Mitigation
– Validate data; prefer whitelisting
– Use PDO, if possible; OR
– Use parameterized queries – MySQLi or PEAR packages; OR
– Use mysql_real_escape_string
– Turn OFF magic_quotes_gpc
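An added example (not from the slides) of the first two mitigations in working code: a concatenated query beside a PDO prepared statement, run against an in-memory SQLite table with constructed sample rows, plus a whitelist for the one place a bind parameter cannot be used (an identifier in ORDER BY). The function names and the `pdo_sqlite` driver are assumptions. Note that the last two bullets are historical: `magic_quotes_gpc` was removed in PHP 5.4 and the `mysql_*` functions in PHP 7.0, so on any current PHP only prepared statements and validation remain.

```php
<?php
// Added example (not from the slides): vulnerable string concatenation
// beside a PDO prepared statement. Assumes the pdo_sqlite driver.
declare(strict_types=1);

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
    // Constructed sample rows; the doubled quote is SQL's own escape.
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user'), ('O''Brien', 'user')");
    return $db;
}

// VULNERABLE: the user-supplied value becomes part of the SQL text.
// Kept only to contrast with the safe version below.
function find_user_vulnerable(PDO $db, string $name): array {
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the value travels as a bound parameter, never as SQL text.
function find_user_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Whitelist validation for values that must be SQL text (column names)
// and therefore cannot be bound. Anything not on the list falls back.
function sort_column(string $requested): string {
    $allowed = ['id', 'name', 'role'];
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

$db = setup_db();

// A legitimate name with an apostrophe: concatenation yields broken SQL,
// the prepared statement finds the row.
try {
    find_user_vulnerable($db, "O'Brien");
} catch (PDOException $e) {
    echo "concatenated query failed on O'Brien: " . $e->getMessage() . "\n";
}
echo count(find_user_safe($db, "O'Brien")) . " row(s) for O'Brien via prepared statement\n";

// The same defect lets a crafted value change the WHERE clause's meaning;
// the bound parameter is compared literally and matches nothing.
$crafted = "x' OR '1'='1";
echo count(find_user_vulnerable($db, $crafted)) . " row(s) returned by concatenation\n";
echo count(find_user_safe($db, $crafted)) . " row(s) returned by prepared statement\n";

// Identifier from the query string goes through the whitelist, not a bind.
$col  = sort_column($_GET['sort'] ?? 'name');
$rows = $db->query("SELECT name FROM users ORDER BY $col")->fetchAll(PDO::FETCH_COLUMN);
echo implode(', ', $rows) . "\n";
```

Run with `php sqli_demo.php`: the concatenated query throws on `O'Brien` and returns all three rows for the crafted value, while the prepared statement returns one row and zero rows respectively. The whitelist is the part people forget: `ORDER BY :col` binds a string literal, not a column, so identifiers have to be validated rather than parameterised.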
P2. XSS – Intro
OWASP Top 10 2007 #1
Any type of user input that is reflected back to the user without being purified.
Input can be HTML, CSS, or JavaScript.
Three kinds – Reflective, Persistent, and DOM-based XSS
P2. XSS – Intro
XSS attacks include, but are not limited to:
– Cookie Theft & Session Hijacking
– Site Defacement & Phishing
– Key logging
– History Theft
– Port Scanning
– CSRF & Web Worms
– DoS-ing
– … limited only by imagination
P2. XSS – Intro
Reflective XSS Demo
Stored XSS Demo
P2. XSS – Mitigation
Proper encoding can avoid most problems.
Input Encoding
– prefer UTF-8 and ISO-8859-1
– refer to http://ha.ckers.org/charsets.html
Output Encoding
– avoid rich HTML input from the user
– decimal-encode input – htmlspecialchars(), htmlentities()
– refer to the OWASP_Encoding_Project
Use HTMLPurifier to allow white-listed HTML.
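An added example (not from the slides or from HTMLPurifier) of the output-encoding bullet: one encoder per output context, an explicit UTF-8 check on input before anything is encoded, and the `Content-Type` charset declaration that keeps the browser's decoding in step with the server's. The helper names `e()`, `u()`, `is_utf8()` and `render_profile()` are assumptions; the sample input is constructed.

```php
<?php
// Added example (not from the slides): context-aware output encoding.
declare(strict_types=1);

// HTML text and attribute context. ENT_QUOTES encodes the single quote
// too, which matters inside single-quoted attributes; ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string;
// the explicit charset stops multi-byte sequences being misread.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL query-component context: percent-encoding, not HTML encoding.
// Applied before e() when the URL itself sits inside an attribute.
function u(string $value): string {
    return rawurlencode($value);
}

// Input-side check: reject anything that is not valid UTF-8 before it
// reaches validation or an encoder (preg_match with /u fails on bad UTF-8).
function is_utf8(string $value): bool {
    return preg_match('//u', $value) === 1;
}

// Render a profile fragment. Every user-controlled value passes through
// the encoder for the context it lands in, and nothing else is trusted.
function render_profile(string $name, string $site): string {
    $name = is_utf8($name) ? $name : '';
    $site = is_utf8($site) ? $site : '';
    return "<p>Hello, " . e($name) . "!</p>\n"
         . "<a href=\"/go?to=" . e(u($site)) . "\" title='" . e($name) . "'>" . e($site) . "</a>\n";
}

// Constructed sample input containing markup and a single quote.
$name = "Bob <script>alert(1)</script> O'Neil";
$site = "https://example.test/?q=a&b=c";

header('Content-Type: text/html; charset=UTF-8');
echo render_profile($name, $site);
```

The `<script>` text arrives in the page as `&lt;script&gt;`, the apostrophe as `&apos;` (so the single-quoted `title` attribute is not terminated early), and the `&` in the URL as `%26` inside the `href` but `&amp;` in the visible link text. `htmlspecialchars()` without `ENT_QUOTES` leaves `'` untouched, which is exactly the gap in single-quoted attributes; HTML encoding is also the wrong tool for JavaScript or CSS contexts, where user data should not be placed at all without a context-specific encoder.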
CSRF – Intro
Also called Unauthorized Requests.
The server is punished/exploited for trusting the user.
CSRF is, arguably, more dangerous than XSS.
Doesn't necessarily require JavaScript.
OWASP Top 10 2007 #5 (also called the Sleeping Giant)
CSRF – Intro
GET-CSRF Demo
POST-CSRF Demo
CSRF – Mitigation
– Identify points to protect; not all are equally important
– Use nonces – one-time tokens
– Embed nonces in URLs or forms
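An added example (not from the slides) of the nonce mitigation in working code: tokens are generated from the CSPRNG, stored in the session per action with a timestamp, embedded in a hidden form field and in a link, and then checked with a constant-time comparison and consumed on first use. The session is modelled as a plain array so the script runs offline; the function names, the 15-minute lifetime and the cap of 20 outstanding tokens are assumptions.

```php
<?php
// Added example (not from the slides): one-time CSRF nonces.
declare(strict_types=1);

const CSRF_TTL_SECONDS = 900;   // assumed lifetime
const CSRF_MAX_TOKENS  = 20;    // assumed cap per session (multiple tabs)

// Issue a fresh nonce bound to one action. $session stands in for
// $_SESSION so the example runs without a web server.
function csrf_issue(array &$session, string $action, ?int $now = null): string {
    $now   = $now ?? time();
    $token = bin2hex(random_bytes(16));        // 128 bits from the CSPRNG
    $session['csrf'][$token] = ['action' => $action, 'issued' => $now];
    // Evict the oldest entries so one session cannot grow without bound.
    while (count($session['csrf']) > CSRF_MAX_TOKENS) {
        array_shift($session['csrf']);
    }
    return $token;
}

// Verify and consume: valid exactly once, only for the action it was
// issued for, and only within its lifetime. Any mismatch is a rejection.
function csrf_verify(array &$session, string $action, ?string $submitted, ?int $now = null): bool {
    $now = $now ?? time();
    if ($submitted === null || empty($session['csrf'])) {
        return false;
    }
    foreach ($session['csrf'] as $token => $meta) {
        if (hash_equals((string) $token, $submitted)) {   // constant-time compare
            unset($session['csrf'][$token]);               // one-time use
            return $meta['action'] === $action
                && ($now - $meta['issued']) <= CSRF_TTL_SECONDS;
        }
    }
    return false;
}

// Embedding: hidden field for forms, query parameter for links.
function csrf_form_field(string $token): string {
    return '<input type="hidden" name="csrf" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_link(string $path, string $token): string {
    return $path . '?csrf=' . rawurlencode($token);
}

// Walk-through with a constructed session.
$session = [];
$t = csrf_issue($session, 'delete_account');
echo csrf_form_field($t), "\n", csrf_link('/account/delete', $t), "\n";

// Forged request: the attacker's page cannot read the victim's token.
var_dump(csrf_verify($session, 'delete_account', null));
// Genuine submission carrying the token from the form.
var_dump(csrf_verify($session, 'delete_account', $t));
// Replay of the already-consumed token.
var_dump(csrf_verify($session, 'delete_account', $t));
// Token issued for one action presented to a different one.
$t2 = csrf_issue($session, 'change_email');
var_dump(csrf_verify($session, 'delete_account', $t2));
// Token past its lifetime.
$t3 = csrf_issue($session, 'change_email', 1000);
var_dump(csrf_verify($session, 'change_email', $t3, 1000 + CSRF_TTL_SECONDS + 1));
```

Of the five checks only the genuine submission verifies; the missing token, the replay, the cross-action token and the expired token are all rejected. Two practical caveats: a nonce in a GET URL leaks through the Referer header and browser history, so the form field is the better carrier for state-changing actions; and the token only helps if the server rejects the request when it is absent, which is why `csrf_verify()` returns `false` on `null` rather than skipping the check.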
Purification algo
Sanitize everything that comes from the user.
The order of purification is equally important.
About Satyam
PHP
– Satyam's PHP Unit is actively involved in consulting and developing PHP-based web applications
– Also competent in smooth migration from existing infrastructure to PHP-based solutions
– A well-defined stack of tools, e.g. PHPUnit, Phing, Propel, Xinc, etc., is used by developers for streamlined development
OpenSocial
– Early adopters of OpenSocial
– Dedicated team of Java & PHP developers working on OpenSocial
– Currently helping a social network with a 10 million registered user base become OpenSocial compliant
String.fromCharCode(84,104,97,110,107,32,89,111,117,33)
i.e., Thank You!
Thank You
Got Queries? Kindly raise your hands.