Web Application Security: PHP
Thomas Mackenzie
$ whois spiderlabs.tom
Copyright Trustwave 2011 Confidential
Tom Mackenzie
• Web Application Security
• @tmacuk
• http://www.tmacuk.co.uk
• http://www.upsploit.com
• Podcast
PUBOTD
About SpiderLabs ®
Pentesting
Incident Response
Application Security
Research & Development
Security Conferences
Global Security Report
About SpiderLabs®
• Formed in 2005 to serve a growing need for deep technical professional services within Trustwave’s client base.
• SpiderLabs is the advanced security team at Trustwave.
• SpiderLabs provides thought leadership to the entire Trustwave organisation and our clients.
• In 2009 and 2010, Trustwave’s SpiderLabs responded to over 400 incidents and performed nearly 4,500 penetration tests for organisations in over 50 different countries.
Featured Speakers at:
Introduction
Expectations
• PHP
• Code and Security
• Live Demos
• Best Practices
• DIY
DVWA – Damn Vulnerable Web App
About DVWA
• Ryan Dewhurst - @ethicalhack3r
• Damn Vulnerable?
• Security Levels
• PHP & MySQL / PostgreSQL
• http://code.google.com/p/dvwa/
About DVWA
• How can you help?
— Open Source
— Contributors
• Fork
• Ideas!
• Ideas?
Live Demo
Best Practices
OWASP
• Books
• Cheat Sheets
• People
• Events
• Projects
Intercepting Proxies
• Burp Suite / BS Pro
• ZAP
• Paros
Live Demo
Links
Links
• http://www.dvwa.co.uk
• http://www.owasp.org
• http://portswigger.net/burp/
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• http://www.parosproxy.org/
• https://www.owasp.org/index.php/OWASP_Testing_Project
• http://mdsec.net/wahh/
• http://blog.spiderlabs.com
• https://www.trustwave.com/apppentest.php
SpiderLabs Research Reports
WHID Report
Global Security Report
Contact
• http://www.tmacuk.co.uk