Page 1: Securing your web apps now

SECURING YOUR WEB APPS NOW

TIPS TO MAKE YOUR SITE LESS HACKABLE

Page 2: Securing your web apps now

WHO?

• Stephan Steynfaardt

• Solutions Architect & Tech Lead

• CISSP certified

• White hat penetration testing

• @ssteynfaardt

Page 3: Securing your web apps now

WHAT?

• Validation

• SQL injection

• OS injection

• Code injection

• File upload

• Information leakage

• Broken Authentication & Session Management

• XSS

Page 4: Securing your web apps now

WHY?

Page 5: Securing your web apps now

IT NEEDS TO BE EASY ENOUGH FOR ANYBODY, EVEN MY MOTHER

Page 6: Securing your web apps now

IT’S NOT JUST OUR MOTHERS VISITING WEBSITES.

Page 7: Securing your web apps now

I don’t even trust the panda

ANY 4-YEAR-OLD WITH AN INTERNET CONNECTION

Page 8: Securing your web apps now

Nothing to do with SSL

WEB APPLICATIONS TESTED BY OWASP

Page 9: Securing your web apps now

WORLD’S BIGGEST DATA BREACHES

2013

Page 13: Securing your web apps now

HOW?

• More than one security layer

Page 17: Securing your web apps now

HOW?

• More than one security layer

• Validate

• Escape

• Bind SQL parameters

• Least privileges

• Generic error/exception messages

• Don't display error messages to users

Page 18: Securing your web apps now

VALIDATION

Page 19: Securing your web apps now

VALIDATION

• Client-side validation is useless as a security control (anyone can bypass it); it only exists for usability

• Whitelist acceptance criteria: state what is allowed, not what is forbidden

• Typecast your variables

• Never trust any data

• Respect\Validation
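As an added example (not part of the slides, and using no library, so Respect\Validation is not involved), here is the whitelist-plus-typecast approach in plain PHP. The field names, the limits and the two sample requests are constructed for the demo:

```php
<?php
// Added example (not from the slides): server-side whitelist validation with
// typecasting. Field names, limits and the sample requests are assumptions.

declare(strict_types=1);

/**
 * Validate a signup request against an explicit whitelist of what is acceptable.
 * Returns the cleaned, typed values or throws on the first failure.
 * Nothing in $input is trusted; whatever the browser checked is ignored.
 */
function validateSignup(array $input): array
{
    $clean = [];

    // Username: only letters, digits and underscore, 3-20 characters.
    // A whitelist regex, not a list of "bad" characters to strip out.
    $username = (string) ($input['username'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username)) {
        throw new InvalidArgumentException('username must be 3-20 chars of [A-Za-z0-9_]');
    }
    $clean['username'] = $username;

    // Age: must parse as an integer inside a sane range. "18abc" and
    // "18; DROP TABLE users" both fail here, long before any SQL is built.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer between 13 and 120');
    }
    $clean['age'] = $age;   // filter_var already returned an int

    // Email: PHP's own validator, then a length cap so it fits the column
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        throw new InvalidArgumentException('email is not valid');
    }
    $clean['email'] = $email;

    // Role: an enumerated set. A tampered value such as "admin" is rejected
    // outright instead of being looked up later.
    $role = (string) ($input['role'] ?? '');
    $allowedRoles = ['member', 'contributor'];
    if (!in_array($role, $allowedRoles, true)) {
        throw new InvalidArgumentException('role must be one of ' . implode(', ', $allowedRoles));
    }
    $clean['role'] = $role;

    return $clean;
}

// Constructed inputs: one honest request and one tampered request
$good = ['username' => 'alice_01', 'age' => '34',
         'email' => 'alice@example.com', 'role' => 'member'];
$bad  = ['username' => "alice' OR 1=1--", 'age' => '34',
         'email' => 'alice@example.com', 'role' => 'admin'];

var_dump(validateSignup($good));
try {
    validateSignup($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The point of the typed return value is that the rest of the application receives an int for age and a string that can only contain the whitelisted characters for the username; the later layers (bound SQL parameters, output escaping) still apply, but they are no longer the only thing standing between the request and the database.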

Page 20: Securing your web apps now

Top 10 OWASP list

SQL INJECTION

Page 21: Securing your web apps now

SQL INJECTION

• Don't rely on quoting and escaping – you only need to miss one

• Always bind your parameters

Page 22: Securing your web apps now

BIND PARAMETER

// $db is a PDO connection; $name and $age are untrusted request values
$sql = "SELECT * FROM users WHERE name = :name AND age = :age";

$stmt = $db->prepare($sql);

// the values travel separately from the SQL text, so they are never parsed as SQL
$stmt->execute(array(":name" => $name, ":age" => (int) $age));
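As an added example (not part of the slides), the same lookup is written twice below, once by string concatenation and once with bound parameters, against an in-memory SQLite table so the difference can be observed without a database server. The table, its rows and the payload are constructed for the demo:

```php
<?php
// Added example (not from the slides): vulnerable concatenation next to the
// bound-parameter version, run on an in-memory SQLite table. The table,
// rows and payloads are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares where the driver supports them, so SQL
// text and values are sent separately instead of being spliced client-side.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, secret TEXT)');
$db->exec("INSERT INTO users (name, age, secret) VALUES ('alice', 34, 's3cr3t-a'), ('bob', 41, 's3cr3t-b')");

// Vulnerable: untrusted input becomes part of the statement text
function findVulnerable(PDO $db, string $name, string $age): array
{
    $sql = "SELECT name FROM users WHERE name='$name' AND age=$age";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: placeholders in the text, values supplied at execute time
function findBound(PDO $db, string $name, string $age): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name AND age = :age');
    $stmt->execute([':name' => $name, ':age' => (int) $age]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payloadName = "x' OR '1'='1";   // tautology payload for the quoted column
$payloadAge  = '0 OR 1=1';       // numeric column: no quote needed to break out

echo 'vulnerable: ' . implode(',', findVulnerable($db, $payloadName, $payloadAge)) . PHP_EOL;
echo 'bound:      ' . implode(',', findBound($db, $payloadName, $payloadAge)) . PHP_EOL;
echo 'legit:      ' . implode(',', findBound($db, 'alice', '34')) . PHP_EOL;
```

The vulnerable call returns both users because the WHERE clause has been rewritten into something that is always true; the bound call returns nothing because the payload is compared literally as a name and the age is cast to 0. The slide's least-privilege bullet belongs here too: the account behind `$db` should be granted only the statements the application issues, so that even a missed concatenation cannot be turned into DROP TABLE or a file write.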

Page 23: Securing your web apps now

SQL INJECTION

• Don't rely on quoting and escaping – you only need to miss one

• Always bind your parameters

• Only grant the SQL privileges the application requires (a web account rarely needs DROP or GRANT)

• sqlmap: automated SQL injection discovery and exploitation

Page 24: Securing your web apps now

Cracking password hashes

sqlmap

Page 27: Securing your web apps now

CODE INJECTION

Page 28: Securing your web apps now

CODE INJECTION

• eval() === evil

$var = 1;

// untrusted: the id comes straight from the query string
$newvalue = isset($_GET['id']) ? $_GET['id'] : 0;

// ?id=1;phpinfo() makes the server execute attacker-supplied PHP
eval('$var = ' . $newvalue . ';');

echo $var;

• The PHP manual warns you against using eval()

Page 29: Securing your web apps now

CODE INJECTION

• Don't use preg_replace() with the /e modifier: the replacement string is evaluated as PHP

• PHP 5.5 deprecated /e (it was removed in PHP 7.0); use preg_replace_callback() instead

• Dynamic function calls: never take the function name from the URL

• Same for file includes: local.php?file=some_file.log lets the caller pick any readable file unless the name is checked against a whitelist
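As an added example (not part of the slides), the three patterns on this slide are shown with their safe replacements. The function names, the whitelists and the sample inputs are assumptions made for the demo:

```php
<?php
// Added example (not from the slides): safe replacements for /e, for
// URL-chosen function names and for URL-chosen file names. Function names,
// whitelists and sample inputs are assumptions.

// 1. preg_replace() with /e executed the replacement as PHP (deprecated in
//    5.5, removed in 7.0). preg_replace_callback() gives the same flexibility
//    with a real closure instead of an eval'd string.
function upperCaseWords(string $text): string
{
    return preg_replace_callback('/\b[a-z]+\b/', function (array $m): string {
        return ucfirst($m[0]);
    }, $text);
}

// 2. Dynamic function calls: map the request parameter onto a fixed set of
//    callables. Nothing outside the map can be reached, whatever the URL says.
function dispatchAction(string $action): string
{
    $actions = [
        'list'   => 'actionList',
        'export' => 'actionExport',
    ];
    if (!array_key_exists($action, $actions)) {
        throw new InvalidArgumentException('unknown action');
    }
    $callable = $actions[$action];
    return $callable();
}
function actionList(): string   { return 'listing'; }
function actionExport(): string { return 'exporting'; }

// 3. local.php?file=some_file.log: include()/readfile() on a raw parameter
//    lets the caller walk to ../../etc/passwd. Accept only a bare name from a
//    whitelist, then confirm the resolved path is still inside the directory.
function resolveLogFile(string $requested, string $logDir): string
{
    $allowed = ['app.log', 'access.log'];
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('file not allowed');
    }
    $base = realpath($logDir);
    $path = realpath($logDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() collapses ../ and symlinks; the prefix check catches escapes
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes the log directory');
    }
    return $path;
}

// Constructed demo
echo upperCaseWords('hello wide world'), PHP_EOL;
echo dispatchAction('list'), PHP_EOL;
try {
    dispatchAction('phpinfo');
} catch (InvalidArgumentException $e) {
    echo 'rejected action: ', $e->getMessage(), PHP_EOL;
}

$dir = sys_get_temp_dir();
touch($dir . DIRECTORY_SEPARATOR . 'app.log');    // so the allowed name resolves
echo resolveLogFile('app.log', $dir), PHP_EOL;
try {
    resolveLogFile('../../etc/passwd', $dir);
} catch (InvalidArgumentException $e) {
    echo 'rejected file: ', $e->getMessage(), PHP_EOL;
}
```

In all three cases the request decides which of a small, fixed set of things happens, never what code runs or which path is opened; that is the difference between a parameter and an injection point.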

Page 30: Securing your web apps now

OS INJECTION

Page 31: Securing your web apps now

OS INJECTION

• Statements executed directly on the OS

• Don't pass user input to system() (or exec(), shell_exec(), passthru(), backticks)

• system('nslookup ' . $_POST['host']);

• host = 'google.com; rm -RF /var/www'

• Or download and run any script with wget

• Validate the argument to file_get_contents(): it accepts URLs and php:// stream wrappers, not only local paths
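As an added example (not part of the slides), here is the nslookup wrapper from this slide hardened in three layers, plus a guarded file_get_contents() call. The hostname pattern, the path to nslookup, the report-file naming rule and the demo inputs are assumptions:

```php
<?php
// Added example (not from the slides): the nslookup wrapper hardened, and a
// file_get_contents() call that cannot be pointed at a URL or stream wrapper.
// Hostname pattern, binary path, naming rule and demo inputs are assumptions.

/**
 * Layer 1: whitelist. Only something shaped like a hostname gets through:
 * labels of [A-Za-z0-9-], joined by dots, 253 characters at most.
 * Layer 2: escapeshellarg() wraps the value in single quotes, so even a gap
 * in the regex cannot add a second command.
 */
function lookupHost(string $host): string
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($host) > 253 || !preg_match("/\A(?:$label\.)*$label\z/", $host)) {
        throw new InvalidArgumentException('not a valid hostname');
    }
    $cmd = '/usr/bin/nslookup ' . escapeshellarg($host) . ' 2>&1';
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

/** Layer 3, and the best option: no shell at all. PHP resolves names itself. */
function lookupHostNoShell(string $host): array
{
    return gethostbynamel($host) ?: [];
}

/**
 * file_get_contents() accepts http://, ftp://, php://filter and friends, so a
 * raw "name" parameter turns a read-a-file feature into a read-anything one.
 * Allow one bare file name with a fixed extension; no slash, no dot-dot, no scheme.
 */
function readReportFile(string $name, string $dir): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.txt\z/', $name)) {
        throw new InvalidArgumentException('bad report name');
    }
    $data = file_get_contents($dir . DIRECTORY_SEPARATOR . $name);
    return $data === false ? '' : $data;
}

// Constructed inputs
$ok  = 'example.com';
$bad = 'google.com; rm -RF /var/www';     // the payload from the slide

echo lookupHost($ok), PHP_EOL;
print_r(lookupHostNoShell($ok));
try {
    lookupHost($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected host: ', $e->getMessage(), PHP_EOL;
}
// Even with the regex removed, the shell would receive the payload as one
// quoted argument rather than two commands:
echo escapeshellarg($bad), PHP_EOL;

try {
    readReportFile('php://filter/resource=/etc/passwd', sys_get_temp_dir());
} catch (InvalidArgumentException $e) {
    echo 'rejected file: ', $e->getMessage(), PHP_EOL;
}
```

Prefer the no-shell version wherever a PHP function does the job; when a shell really is needed, use an absolute path to the binary and escapeshellarg() on every argument, and keep the whitelist in front of it.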

Page 32: Securing your web apps now

bring your own exploit

FILE UPLOADS

Page 33: Securing your web apps now

Actually any PHP n00bs

WORDPRESS N00BS

Page 34: Securing your web apps now

FILE UPLOADS

• Upload files outside of the webroot

• Check the MIME type from the file contents (finfo / file -i), not from the client-supplied $_FILES[...]['type']

• $ file -i logo.png
  logo.png: image/png; charset=binary

• $ file -i evil_file.png
  evil_file.png: text/plain; charset=us-ascii

• Rename the file (server-generated name and extension)

• Move to the desired location
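As an added example (not part of the slides), the four steps above as one PHP upload handler for images. The upload directory, the size limit, the allowed types and the form field name (avatar) are assumptions; $_FILES is filled in by PHP on a real multipart request, and random_bytes() needs PHP 7:

```php
<?php
// Added example (not from the slides): an upload handler that applies the
// slide's four steps. Paths, limits, allowed types and the field name are
// assumptions; $_FILES comes from a real multipart POST.

const UPLOAD_DIR = '/var/uploads';            // outside the web root, never served directly
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowed types keyed by the MIME type detected from the bytes, mapped to the
// extension *we* assign. The client's $_FILES['type'] and original file name
// play no part in this decision.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/** Returns the final path of the stored file, or throws. */
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only touch a file PHP itself received in this request
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Step 2: MIME type from content (what `file -i` does), not from the client
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type $mime not allowed");
    }
    // For images, also require that it decodes: a PHP file with a PNG header
    // can pass the magic-number check but not the image parser.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Step 3: rename. Random name plus our extension, so evil.php.png or a
    // name containing ../ never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];

    // Steps 1 and 4: move into the non-web directory with tight permissions
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0640);
    return $dest;
}

// Usage in the POST handler. The stored file is later served by a script that
// readfile()s it with a Content-Type taken from ALLOWED, so the web server
// never gets a chance to execute the uploaded bytes.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['avatar'])) {
    try {
        $stored = storeUploadedImage($_FILES['avatar']);
        echo 'stored as ' . basename($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';                          // generic message to the user
        error_log('upload rejected: ' . $e->getMessage()); // detail to the log
    }
}
```

The order matters: the content check decides the extension, the server decides the name, and the destination is a directory Apache does not serve, so none of the three attacker-controlled pieces (declared type, original name, bytes) can combine into a file the server will execute.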

Page 35: Securing your web apps now

INFORMATION LEAKAGE

Page 36: Securing your web apps now

INFORMATION LEAKAGE

• phpinfo() – never leave it reachable in production

• php.ini: display_errors = Off

• php.ini: display_startup_errors = Off

• php.ini: error_reporting = E_ALL & ~E_DEPRECATED

• php.ini: html_errors = Off

• php.ini: log_errors = On – always log your errors to a file (point error_log at a file outside the webroot)

Page 37: Securing your web apps now

OVER SPECIFIC FEEDBACK

Page 38: Securing your web apps now

OVER SPECIFIC FEEDBACK

• Login form messages: "invalid username or password", never which of the two was wrong

• Forgotten debug statements

• Server headers

• php.ini: expose_php = Off

• httpd.conf: ServerTokens Prod (from most to least verbose the options are Full | OS | Minimal | Minor | Major | Prod)

• mod_security

Page 39: Securing your web apps now

SENSITIVE DATA EXPOSURE

All your data are belong to us - NSA

Page 40: Securing your web apps now

SENSITIVE DATA EXPOSURE

• OWASP Top 10 2013 (A6): data that is simply not encrypted

• Only store the data you need

• MD5 and SHA-1 are not password hashes: they are fast, which is exactly what someone cracking them wants

• Passwords are easy to guess

• bcrypt is for passwords: ircmaxwell/password-compat, zendframework/zend-crypt

• PHP 5.5: password_hash() and password_verify()

• cost: each increment doubles the work, so better security but a time/performance penalty on every login
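As an added example (not part of the slides), a login routine built on password_hash()/password_verify() that also applies the "over specific feedback" rule from the earlier slide: the user sees one message whether the account is missing or the password is wrong, and the detail goes to the log. The in-memory user table, the cost value and the messages are assumptions; it needs PHP 7 for the null-coalescing operator:

```php
<?php
// Added example (not from the slides): bcrypt via password_hash(), a
// username-agnostic failure message, and opportunistic rehashing when the
// cost is raised. The user store, cost and messages are assumptions.

const BCRYPT_COST = 12;   // each +1 doubles the work; pick a value where one hash takes ~100-250 ms on your server

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Constructed user store: username => bcrypt hash (only alice exists)
$users = ['alice' => hashPassword('correct horse battery staple')];

// A hash to verify against when the user does not exist, so that a missing
// account costs the same time as a wrong password; otherwise response time
// tells an attacker which usernames are real.
$dummyHash = hashPassword('dummy');

/**
 * Returns [ok, message]. The message is identical for "no such user" and
 * "wrong password", so the login form cannot be used to enumerate accounts.
 */
function login(array &$users, string $dummyHash, string $username, string $password): array
{
    $hash = $users[$username] ?? $dummyHash;
    $ok   = password_verify($password, $hash) && isset($users[$username]);

    if (!$ok) {
        error_log("failed login for '$username'");          // detail to the log
        return [false, 'Invalid username or password.'];    // not to the user
    }

    // If BCRYPT_COST (or the algorithm) has been raised since this hash was
    // made, rehash now while the plaintext is available.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = hashPassword($password);
    }
    return [true, 'Welcome.'];
}

// Constructed attempts: right password, wrong password, unknown user
foreach ([
    ['alice',   'correct horse battery staple'],
    ['alice',   'wrong'],
    ['mallory', 'anything'],
] as list($u, $p)) {
    list($ok, $msg) = login($users, $dummyHash, $u, $p);
    printf("%-8s %s\n", $u, $msg);
}
```

password_hash() generates and stores its own salt inside the returned string, so there is no salt column to manage, and password_needs_rehash() is what lets the cost be raised over time as hardware gets faster.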

Page 41: Securing your web apps now

SENSITIVE DATA EXPOSURE

• Directories should be 750 or 755

• Files should be 644 or 640

• Locate world-writable (e.g. 777) directories on your server:
  $ sudo find /var/www/ -type d -perm -002

• Locate world-writable (e.g. 777) files on your server:
  $ sudo find /var/www/ -type f -perm -002

• Your deploy user should own the web directory

• The group should be the web-server (apache) user

Page 42: Securing your web apps now

BROKEN AUTHENTICATION & SESSION MANAGEMENT

Page 43: Securing your web apps now

BROKEN AUTHENTICATION & SESSION MANAGEMENT

• #2 on the OWASP Top 10 2013

• Allows attackers to impersonate other users who are currently logged in

• Don't display the session ID in the URL (session.use_only_cookies = 1)

• Hidden fields such as isAdmin are attacker-controlled; keep authorization state server-side

• Remove the session cookie when done

• Regenerate session IDs after login (session_regenerate_id(true))

Page 44: Securing your web apps now

BROKEN AUTHENTICATION & SESSION MANAGEMENT

• session_unset() and session_destroy()

• Remember-me functions (a persistent credential; handle it like a password)

• chrome://settings/passwords
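As an added example (not part of the slides), the session handling from these two slides as PHP code: the ini settings that keep the ID out of URLs and out of JavaScript's reach, regeneration at login, server-side authorization state, and a logout that clears both the server data and the client cookie. The helper names, the admin list and the request flow around them are assumptions; the cookie-clearing sequence follows the pattern given in the PHP manual for session_destroy():

```php
<?php
// Added example (not from the slides): session hardening. Helper names, the
// admin list and the request flow are assumptions; the logout sequence follows
// the PHP manual's session_destroy() pattern.

// Set before session_start(); the same keys can live in php.ini instead.
ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
ini_set('session.use_trans_sid', '0');     // and never rewrite one into links
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue (fixation)
ini_set('session.cookie_httponly', '1');   // document.cookie cannot read it
ini_set('session.cookie_secure', '1');     // sent over HTTPS only
session_start();

/** Call once the credentials have been verified (e.g. by password_verify()). */
function establishSession(string $username): void
{
    // New ID at the privilege change: an ID an attacker planted before login
    // no longer maps to the authenticated session.
    session_regenerate_id(true);            // true also deletes the old session data
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
}

/** Authorization comes from server-side state, never from a hidden isAdmin field. */
function isAdmin(): bool
{
    $admins = ['alice'];                    // constructed; a real app reads this from the DB
    return isset($_SESSION['user']) && in_array($_SESSION['user'], $admins, true);
}

/** Remove the session on both sides: server data and the client's cookie. */
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Request flow. The credential check itself is out of scope here; assume it
// succeeded for 'alice' when action=login is posted.
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    establishSession('alice');
} elseif ($action === 'logout') {
    endSession();
}

$user = $_SESSION['user'] ?? null;
echo $user === null
    ? 'anonymous'
    : "hello $user" . (isAdmin() ? ' (admin)' : '');
```

Regenerating the ID at login is what defeats session fixation, use_strict_mode closes the gap where a fixated ID is simply accepted, and clearing the cookie on logout is what "remove the session cookie when done" means in practice: session_destroy() alone leaves the cookie in the browser.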

Page 45: Securing your web apps now

Cross Site Scripting

XSS

Page 46: Securing your web apps now

XSS

• 65% of websites are vulnerable to XSS

• 2 main types of XSS: stored and reflected

• Steal session IDs from cookies

• Escape everything you echo – htmlspecialchars() with ENT_QUOTES and the charset

• ezyang/htmlpurifier, escape_html

• Cookies: set HttpOnly so JavaScript cannot read them

• Typical payload: document.write of a hidden iframe that ships document.cookie to the attacker

Page 47: Securing your web apps now

GOING FORWARD

Page 48: Securing your web apps now

GOING FORWARD

• 57% of organizations provided some software security training

• 40% fewer vulnerabilities

• Resolved issues 59% faster

• owasp.org

• https://security.sensiolabs.org/

Page 50: Securing your web apps now

GOING FORWARD

• 19 Extensions to Turn Google Chrome into Penetration Testing tool
  http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/

• PHP security manual
  http://php.net/manual/en/security.php

• Code reviews

• Try it yourself

