Notes on my OWASP talk

OWASP & YOU: the notes

SQLi, SQLi everywhere… https://github.com/search?q=extension%3Aphp%20mysql_query%20%24_GET&source=cc

Libraries

Check out the Symfony security book: http://symfony.com/doc/current/book/security.html

Symfony has components for role-based access control, hashing, secure cookies, etc.

phpass — flexible password hashing: http://www.openwall.com/phpass/

owasp 2013

Pretty much the same as 2011, but reordered by prevalence.

https://www.owasp.org/index.php/Top_10_2013-Top_10

moar XSS

Here’s a fun one, doesn’t even require quotes or a script tag:

    <img src=x onerror=prompt(document.cookie)>

DOM-based: watch JS usage of GET parameters / fragments.

broken auth

  • Session fixation, PHPSESSID
    • short answer: generate NEW session after successful auth

There are good use cases for allowing PHPSESSID in the URL, but make sure that this scenario can’t happen:

  1. I send you a link to a page.
  2. You log in.
  3. Now I can use my cookie / session ID to be logged in as well.

misconfiguration

  • Require email confirmation: if not before the account can be used at all, then at least within the first day.

testing ssl configurations

Chrome and Safari are fickle about showing the padlock: they will hide it if even a single piece of content is loaded over HTTP.

Check your SSL cert install with https://www.ssllabs.com/ssltest/analyze.html. At the very least you should prevent BEAST and CRIME, and disable older and weaker SSL ciphers. They’ll provide links in their report.

security is a moving target

you’re not going to get 100%

because no one gets 100%

  • It’s not a moral failing.
  • Even the big guys (Google, Facebook, GitHub) have problems.

you’re cool!

  • The fact that you’re attending a series on security puts you a level above Joe Average Developer.
  • BUT
  • You’re not an expert.
  • And that’s OK. It’s OK to admit you don’t know. Ask questions. Do your best. Keep learning.

the attacks that slip through are gonna seem unfair

  • Seriously, XSS in the HTTP referer header?
  • SQLi on the login box?

just one thing to do:

  • Red, green, refactor.

ask for help — put up a responsible disclosure page

  • Make a page like http://37signals.com/security-response or http://www.foxycart.com/security-contact on your site where people can submit vulns.
  • Link to it from the footer of your site.
  • Generate a PGP key for security@yoursite.com, set up that alias.
  • Be thankful — the people who find this page and know what to do with it are going to help you make your site more secure.
  • Put the link in your footer.
  • Whitehats WILL find it and email you.

They create foursquare profiles that look like this

do the best you can

  • Keep an eye on updates for stuff you use.
  • Don’t ignore those emails.

contract out the rest

  • If your framework has docs on how to filter and sanitize inputs YOU PAY ATTENTION TO THOSE DOCS.
  • If you have the budget, hire a pentester (you may be REQUIRED to hire one if you’re doing PCI, etc.).
  • If you don’t, the Internet will pentest for you. Hopefully they tell you about it! (see responsible disclosure)

the map is not the territory

OWASP is not the complete picture

  • Observed symptoms of bad applications.

PCI is not the complete picture

spend time thinking about your app and YOUR system

  • Take out your calendar now, pencil in an appointment in two weeks — “Review app security”
  • Do it on a Friday, nice change of pace from the rest of the week. Appsec can be pretty fun.
  • Ask yourself and answer:
    • Where is your input handling sketchy?
    • Where HAVEN’T you filtered your outputs?
    • What should I be doing/learning about security that I’m not?

you don’t know what you don’t know

json_encode flags

If you do this:

    <script type="text/javascript">
    <?php echo json_encode($obj) ?>
    </script>

STOP. Do this instead:

http://stackoverflow.com/questions/14741347/php-javascript-json-xss-protection

The short explanation is that things like <script> or \" won’t be properly escaped for JSON embedded in an HTML script tag. Those flags add Unicode escapes (such as \u0022 for double quote) to a lot of hazardous characters. JavaScript can read and handle the values fine, and it prevents the browser from treating the data as markup or script.
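Here is the unsafe embed beside the hardened one, as an added example (not code from the original post). It uses the JSON_HEX_* flags from the PHP manual, which are the ones the linked answer recommends; the sample data is constructed.

```php
<?php
// Constructed sample data standing in for user-controlled values.
$obj = [
    'name'    => 'Alice </script><script>alert(document.cookie)</script>',
    'comment' => 'She said "hi" & left <b>early</b> <!--',
];

// Flags from the PHP manual: each rewrites a hazardous character as a \uXXXX
// escape that JavaScript's JSON parser still decodes to the original character.
define('SAFE_JSON_FLAGS',
    JSON_HEX_TAG    // <  >  ->  \u003C  \u003E
  | JSON_HEX_AMP    // &     ->  \u0026
  | JSON_HEX_APOS   // '     ->  \u0027
  | JSON_HEX_QUOT   // "     ->  \u0022
);

// The pattern from the post: a PHP value dumped straight into an inline script.
function unsafeScriptBlock(array $data): string
{
    // Default json_encode leaves < > & ' and " untouched (it only escapes "/" as "\/",
    // and JSON_UNESCAPED_SLASHES removes even that). Sequences such as <!-- or <script>
    // inside the JSON string change how the HTML parser tokenizes the script block.
    return "<script>\nvar data = " . json_encode($data) . ";\n</script>";
}

// Hardened form: the characters that matter to the HTML parser never appear literally.
function safeScriptBlock(array $data): string
{
    return "<script>\nvar data = " . json_encode($data, SAFE_JSON_FLAGS) . ";\n</script>";
}

echo unsafeScriptBlock($obj), "\n\n";
echo safeScriptBlock($obj), "\n\n";

// Round trip: the escaped form decodes to exactly the same data, so the page's
// JavaScript sees "hi", <b>early</b> and the rest unchanged.
var_dump(json_decode(json_encode($obj, SAFE_JSON_FLAGS), true) === $obj); // bool(true)
```

Do not combine the hardened flags with JSON_UNESCAPED_SLASHES when the output lands in a script tag, since that lets a literal `</script>` back through.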

Tagged as: php owasp security

Hey — thanks for reading!

My name is Fred, and I'm a web developer by trade, Linux sysadmin by necessity. I want you to win at hosting your own web applications.

Server administration doesn't have to come with a side of stomach ulcer.

As a developer you've got most of the skills you need, all you need are some practical ways to up your server game.

Questions? Email me.