OWASP & YOU: the notes
SQLi, SQLi everywhere… https://github.com/search?q=extension%3Aphp%20mysql_query%20%24_GET&source=cc
Check out the Symfony security book: http://symfony.com/doc/current/book/security.html
Symfony has components for role-based access control, hashing, secure cookies, etc.
phpass — flexible password hashing: http://www.openwall.com/phpass/
Pretty much the same as 2011, but reordered on prevalence.
Here’s a fun one, doesn’t even require quotes or a script tag:
<img src=x onerror=prompt(document.cookie)>
DOM-based: watch JS usage of GET parameters / fragments.
- Session fixation, PHPSESSID
- short answer: generate NEW session after successful auth
There are good use cases for allowing PHPSESSID in the URL, but make sure that this scenario can’t happen: 1. I send you a link to a page 2. You log in. 3. Now I can use my cookie / session ID to be logged in as well.
- Require email confirmation if not to start using the account, at least within the first day.
testing ssl configurations
Chrome and Safari are fickle about showing the padlock, will hide it if a single piece of content is loaded over HTTP. See
Check your SSL cert install with https://www.ssllabs.com/ssltest/analyze.html. At the very least you should prevent BEAST and CRIME, and disable older and weaker SSL ciphers. They’ll provide links in their report.
security is a moving target
you’re not going to get 100%
because no one gets 100%
- It’s not a moral failing.
- Even the big guys (Google, Facebook, GitHub) have problems.
- The fact that you’re attending a series on security puts you a level above Joe Average Developer.
- You’re not an expert.
- And that’s OK. It’s OK to admit you don’t know. Ask questions. Do your best. Keep learning.
the attacks that slip through are gonna seem unfair
- Seriously, XSS in the HTTP referer header?
- SQLi on the login box?
just one thing to do:
- Red, green, refactor.
ask for help — put up a responsible disclosure page
- Make a page like http://37signals.com/security-response or http://www.foxycart.com/security-contact on your site where people can submit vulns.
- Link to it from the footer of your site.
- Generate a PGP key for firstname.lastname@example.org, set up that alias.
- Be thankful — the people who find this page and know what to do with it are going to help you make your site more secure.
- Put the link in your footer.
- Whitehats WILL find it and email you.
They create foursquare profiles that look like this
do the best you can
- Keep an eye on updates for stuff you use.
- Don’t ignore those emails.
contract out the rest
- If your framework has docs on how to filter and sanitize inputs YOU PAY ATTENTION TO THOSE DOCS.
- If you have the budget, hire a pentester (you may be REQUIRED to hire one if you’re doing PCI, etc.).
- If you don’t, the Internet will pentest for you. Hopefully they tell you about it! (see responsible disclosure)
the map is not the territory
OWASP is not the complete picture
- Observed symptoms of bad applications.
PCI is not the complete picture
- It’s a set of guidelines. See A PCI Compliant Box
spend time thinking about your app and YOUR system
- Take out your calendar now, pencil in an appointment in two weeks — “Review app security”
- Do it on a Friday, nice change of pace from the rest of the week. Appsec can be pretty fun.
- Ask yourself and answer:
- Where is your input handling sketchy?
- Where HAVEN’T you filtered your outputs?
- What should I be doing/learning about security that I’m not?
you don’t know what you don’t know
- Major security exploit in Rails? Go learn from their mistakes!
- Security enhancement in PHP 5.3.27? What got fixed?
- Stripe CTF challenge? Go try it! Read a blog post about it!
- Keep learning, reading, experimenting.
- MAKE time to learn security.
If you do this:
STOP Do this instead:
The short explanation is that things like
\" won’t be properly escape for JSON-embedded-in-an-HTML-script-tag. Those flags add Unicode escapes (such as