OWASP TOP 10 for PHP programmers
RICARDO MELO
Presented at #PHPLX 11 September 2013
RICARDO MELO
CTO @ DRI
PHP, MySQL, Linux and lots of other OSS
ZCE, RHCE, LPI 3, ITIL, etc.
+10 years building (and breaking) things
About
14-year-old academic spin-off
Pragmatic OSS orientation: PHP, MySQL, SugarCRM, Drupal, JavaScript, Linux, etc.
Crafters, integrators
Always looking for software developers. Yes, right now!
1999 - 2013 DRI. Some Rights Reserved.
Outline
OWASP
OWASP TOP 10
What's Next
Conclusions
What is OWASP?
Open Web Application Security Project
World-wide not-for-profit
Focus on security improvement and awareness
Very active community
Lots of projects (you can start yours)
What is OWASP TOP 10?
The name is The Top 10 Most Critical Web Application Risks
The focus is awareness
Released 2003, 2004, 2007, 2010 and 2013
https://www.owasp.org/index.php/Top_10_2013
Risk?
How OWASP rates each risk (one row per severity level, from most to least severe):

Threat Agents         Attack Vectors   Weakness Prevalence   Weakness Detectability   Technical Impacts   Business Impacts
Application Specific  EASY             WIDESPREAD            EASY                     SEVERE              Application / Business Specific
                      AVERAGE          COMMON                AVERAGE                  MODERATE
                      DIFFICULT        UNCOMMON              DIFFICULT                MINOR
OWASP TOP 10 - 2013
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
A1 - Injection
Occurs when untrusted data is sent directly to the interpreter!
Not only SQL: NoSQL, LDAP, OS commands, XML, XPath!
Never, NEVER trust ANY input!
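To make the point concrete, here is an added example (not from the slides) in PHP showing the same untrusted value reaching two different interpreters. The SQL part contrasts string concatenation with a PDO prepared statement; the OS part shows the value quoted as a single shell argument. The `$pdo` connection, the `users` table and the hostile input are assumed/constructed for the illustration.

```php
<?php
// Added example, not part of the original deck. $pdo and the "users" table
// are assumed to exist; the input value is constructed to show the problem.

$untrusted = $_GET['username'] ?? "alice' OR '1'='1"; // constructed hostile input

// UNSAFE: the input is concatenated into the query text, so the interpreter
// parses it as SQL rather than as a value.
$unsafeSql = "SELECT id, email FROM users WHERE username = '" . $untrusted . "'";
// The string above now reads:
//   SELECT id, email FROM users WHERE username = 'alice' OR '1'='1'

// SAFE: a prepared statement. The value is bound as data and is never parsed
// as part of the SQL, whatever quotes or keywords it contains.
function findUser(PDO $pdo, string $username): ?array
{
    // Real server-side prepares (not emulated) keep query text and data apart.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The same rule applies to the OS interpreter: never build a command line by
// concatenating input. escapeshellarg() quotes the value so the shell sees
// exactly one argument, not extra commands or options.
function listDirectory(string $path): string
{
    $out = shell_exec('ls -l ' . escapeshellarg($path));
    return is_string($out) ? $out : '';
}
```

The pattern is the same for every interpreter on the slide: keep the code (query, command, filter) fixed, and pass untrusted values through the interface that treats them as data (bound parameters, argument quoting, or a library-provided escaping function) rather than through string concatenation.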
A1 Injection Examples - SQL