Jordi Boggiano | Liip AG

Security, what you MUST know

Who am I?

  1. Injection
  2. Cross-Site Scripting / XSS
  3. Broken Auth. and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery / CSRF
  6. Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards
  11. (Clickjacking)


Injection

Escape, escape, escape

SQL is the usual suspect, but file IO and system calls are just as exposed: anything that builds a path, a query or a command out of request data. Better than escaping by hand: use an API that keeps data and code apart (prepared statements, allow-lists, PHP's own file functions instead of a shell).

echo file_get_contents($_GET['file']);
// path traversal: ?file=../config.php

$pdo->query('SELECT * FROM foo WHERE password="'.$_GET['pwd'].'"');
// SQL injection: ?pwd=food" OR 1=1 --

exec('rm -rf upload/'.$_GET['file']);
// command injection: ?file=*; rm -rf /;
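Hardened versions of the three snippets above, as an added example (this is not code from the slides). The directory names, the `users` table and the column names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// 1. File read: resolve the path and refuse anything that leaves the
//    directory we intend to serve from. realpath() collapses ".." for us,
//    so the comparison is done on the canonical path, not the raw input.
function safeReadFile(string $baseDir, string $requested): string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Invalid file');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('Unreadable file');
    }
    return $data;
}

// 2. SQL: never concatenate request data into the query string; bind it
//    with a prepared statement so the driver sends it as a value, never as
//    SQL. (Passwords should be checked with password_verify() anyway,
//    see the Broken Auth section, not compared inside the query.)
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->execute(['username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Shell: prefer a PHP function (unlink) over exec(). If a shell really
//    is unavoidable, allow-list the input first and still wrap it in
//    escapeshellarg(); "--" stops rm from reading a name as an option.
function deleteUpload(string $uploadDir, string $name): void
{
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name) || str_starts_with($name, '.')) {
        throw new RuntimeException('Invalid file name'); // rejects "..", "*", ";" etc.
    }
    $target = $uploadDir . '/' . $name;
    if (is_file($target)) {
        unlink($target);
    }
    // Only if exec() were required:
    // exec('rm -f -- ' . escapeshellarg($target));
}
```

The check in `safeReadFile` must compare against `$base` plus a separator: comparing against `$base` alone would accept `/var/www/uploads-private` when the base is `/var/www/uploads`. `str_starts_with` needs PHP 8; on older versions use `strpos($name, '.') === 0`.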

Cross-Site Scripting / XSS

Don't trust anyone

<p><?php echo $userContent; ?></p>
<img src="foo.jpg" title="<?php echo $userContent; ?>" />
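The same two lines with output escaping applied, as an added example (not code from the slides). The helper name `e()` and the payload in `$userContent` are constructed for illustration; the JavaScript context at the end goes beyond the two HTML contexts on the slide.

```php
<?php
declare(strict_types=1);

// One escaping helper, applied at output time, for HTML text and attribute
// contexts. ENT_QUOTES escapes both " and ' so the value is also safe in
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string (which would silently hide the problem).
// Passing the charset explicitly avoids depending on default_charset.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed payload: breaks out of the title attribute in the raw version.
$userContent = '"><script>alert(document.cookie)</script>';
?>
<p><?php echo e($userContent); ?></p>
<img src="foo.jpg" title="<?php echo e($userContent); ?>" />

<script>
// A JavaScript context needs a JavaScript encoder, not htmlspecialchars():
// json_encode() with the HEX flags produces a quoted string literal that
// cannot close the <script> tag or the string.
var name = <?php echo json_encode($userContent, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
</script>
```

Before PHP 8.1 `htmlspecialchars()` defaults to `ENT_COMPAT`, which leaves single quotes untouched, so a value inside `title='...'` would still break out; always pass the flags. URL components (`href="?q=..."`) need `rawurlencode()` in addition to HTML escaping.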

Broken Auth. and Session Management

Protect passwords

Avoid session fixation (issue a fresh session id when the user logs in) and brute-force attacks (limit login attempts per account)
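A login routine that covers the three points on this slide, as an added example (not code from the slides). The `users` columns, the attempt threshold and the lockout window are assumptions; `$pdo` is assumed to be an open PDO connection.

```php
<?php
declare(strict_types=1);

// Cookie flags first: HttpOnly keeps the id away from XSS, Secure keeps
// it off plain HTTP, SameSite=Lax blocks most cross-site submissions.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

const MAX_ATTEMPTS    = 5;   // assumed lockout threshold
const LOCKOUT_SECONDS = 900; // assumed lockout window (15 minutes)

// Store a salted, slow hash; PASSWORD_DEFAULT is bcrypt today and can be
// upgraded transparently with password_needs_rehash().
function storePassword(PDO $pdo, int $userId, string $password): void
{
    $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $stmt->execute(['h' => password_hash($password, PASSWORD_DEFAULT), 'id' => $userId]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, failed_attempts, locked_until FROM users WHERE username = :u'
    );
    $stmt->execute(['u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Brute force: refuse while locked, count failures, lock at the threshold.
    if ($user !== false && $user['locked_until'] !== null
        && strtotime($user['locked_until']) > time()) {
        return false;
    }
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        if ($user !== false) {
            $attempts = (int) $user['failed_attempts'] + 1;
            $lock = $attempts >= MAX_ATTEMPTS
                ? date('Y-m-d H:i:s', time() + LOCKOUT_SECONDS) : null;
            $pdo->prepare('UPDATE users SET failed_attempts = :a, locked_until = :l WHERE id = :id')
                ->execute(['a' => $attempts, 'l' => $lock, 'id' => $user['id']]);
        }
        return false;
    }

    // Session fixation: any id the attacker planted before login must not
    // survive authentication, so replace it now and delete the old file.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];

    // Upgrade old hashes on successful login, reset the failure counter.
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        storePassword($pdo, (int) $user['id'], $password);
    }
    $pdo->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE id = :id')
        ->execute(['id' => $user['id']]);
    return true;
}
```

The function returns the same `false` for an unknown user and a wrong password, so the response does not reveal which usernames exist; to hide the same fact from response timing, run `password_verify()` against a dummy hash when the user is not found.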

Insecure Direct Object References

Attackers aren't stupid: if ?id=42 shows my invoice, they will try ?id=43
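The insecure lookup beside the fixed one, as an added example (not code from the slides). The `invoices` table, its `user_id` column and the `$pdo`/session setup are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable: whoever can guess an id gets the row.
function getInvoiceInsecure(PDO $pdo, int $invoiceId): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM invoices WHERE id = :id');
    $stmt->execute(['id' => $invoiceId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Fixed: ownership is part of the lookup itself, so no code path can fetch
// the row without it. A missing row and someone else's row both yield
// null (and a 404 below), so the id space cannot be enumerated either.
function getInvoice(PDO $pdo, int $invoiceId, int $currentUserId): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM invoices WHERE id = :id AND user_id = :uid');
    $stmt->execute(['id' => $invoiceId, 'uid' => $currentUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Controller: the object id comes from the URL, the user from the session,
// never from anything the client can set.
$invoice = getInvoice($pdo, (int) ($_GET['id'] ?? 0), (int) ($_SESSION['user_id'] ?? 0));
if ($invoice === null) {
    http_response_code(404);
    exit;
}
```

The same rule applies to any reference the client sends back (file names, order numbers, account ids): resolve it within the current user's scope rather than checking permission in a separate, forgettable step.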

Cross-Site Request Forgery / CSRF

Death from above

<!-- attacker's page: a form that posts to the victim site, sent with the victim's cookies -->
<form action="">
    <input type="hidden" name="tweet"
        value="I'm in your twitter, spamming all your friends" />
    <input type="submit" value="Click me!" />
</form>

<!-- or a GET request fired silently by an image tag -->
<img src="" />

<!-- the defence: a per-session token the attacker's page cannot read -->
<input name="authenticity_token" type="hidden" value="829000ddb69cdf1ffbdd8f2543b79f5e8b27add6" />
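A synchronizer token, the defence the `authenticity_token` field above stands for, as an added example (not code from the slides). The `/tweet` action and the session key name are assumptions; the session is assumed to be started.

```php
<?php
declare(strict_types=1);

// One token per session, 32 random bytes from the CSPRNG, hex encoded.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time, so the token cannot be
// recovered byte by byte from response timing.
function verifyCsrfToken(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted);
}

// Handling the post: state changes only via POST and only with a valid
// token. A GET handler that changed state would still be reachable
// through the <img src=...> trick regardless of any token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyCsrfToken($_POST['authenticity_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... store $_POST['tweet'] for the logged-in user
}

// Rendering the form: the attacker's page cannot read this value because
// the same-origin policy keeps our response (and our session) from it.
?>
<form method="post" action="/tweet">
    <input type="hidden" name="authenticity_token"
        value="<?php echo htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8'); ?>" />
    <input type="text" name="tweet" />
    <input type="submit" value="Tweet" />
</form>
```

The `SameSite=Lax` cookie flag from the session slide blocks the cross-site POST in modern browsers as well, but it is a second layer, not a replacement: the token also protects clients and subdomain setups where the flag does not apply.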


Misconfiguration

Maintenance is key

Keep the framework, libraries and server patched; turn off debug output, directory listings and default accounts in production

Insecure Cryptographic Storage

Encrypt sensitive data you need to read back; hash passwords, which you never need to read back
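Authenticated encryption for stored secrets (API keys, tokens, anything that must be readable again), as an added example (not code from the slides). It uses the sodium extension bundled with PHP 7.2 and later; reading the key from the `APP_SECRET_KEY` environment variable is an assumption for illustration.

```php
<?php
declare(strict_types=1);

// The key lives outside the database and the code: generate it once with
// sodium_bin2hex(sodium_crypto_secretbox_keygen()) and deploy it as an
// environment variable (64 hex characters = 32 bytes).
function loadKey(): string
{
    $hex = getenv('APP_SECRET_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_SECRET_KEY missing or wrong length');
    }
    return sodium_hex2bin($hex);
}

// secretbox is XSalsa20 + Poly1305: the ciphertext carries a MAC, so any
// modification of the stored value is detected on decrypt. A fresh random
// nonce per message is prepended to the ciphertext and stored with it.
function sealSecret(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext); // this is the column value
}

function openSecret(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLength) {
        throw new RuntimeException('Corrupt ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        throw new RuntimeException('Decryption failed: wrong key or tampered data');
    }
    return $plaintext;
}

// Usage (constructed value):
$key = loadKey();
$stored = sealSecret('sk_live_example_api_key', $key);   // goes into the DB
$apiKey = openSecret($stored, $key);                     // comes back out
sodium_memzero($key);
```

Passwords do not belong in this scheme at all: store them with `password_hash()` as on the auth slide, so that a leaked table and a leaked key together still do not yield the cleartext.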

Failure to Restrict URL Access

Links aren't everything: hiding the "Admin" link is not access control; check authorization on the server for every request
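A function-level access check that runs before any controller, as an added example (not code from the slides). The route table, role names and the session layout are assumptions.

```php
<?php
declare(strict_types=1);

// Roles allowed per path; an empty list means public. Anything not listed
// is denied, so a new URL is protected by default rather than exposed.
const ROUTE_ROLES = [
    '/'            => [],
    '/account'     => ['user', 'admin'],
    '/admin'       => ['admin'],
    '/admin/users' => ['admin'],
];

function requireAccess(string $path, ?array $user): void
{
    if (!array_key_exists($path, ROUTE_ROLES)) {
        http_response_code(404);
        exit;
    }
    $allowed = ROUTE_ROLES[$path];
    if ($allowed === []) {
        return; // public route
    }
    if ($user === null) {
        header('Location: /login', true, 303); // anonymous: go log in
        exit;
    }
    if (!in_array($user['role'], $allowed, true)) {
        http_response_code(403); // logged in, but not entitled
        exit;
    }
}

// Front controller: the path comes from the request, the role from the
// session that was populated at login, never from a request parameter.
session_start();
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
requireAccess(is_string($path) ? $path : '/', $_SESSION['user'] ?? null);
// ... dispatch to the controller for $path
```

The check sits in one place that every request passes through; a check copied into each admin controller is one forgotten copy away from a bypass.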

Insufficient Transport Layer Protection

«But cables are so ugly..»

Unvalidated Redirects and Forwards

Still trusting that user input?


Click here to see naked $whateverYouFancy
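Validation of a redirect target taken from the request, as an added example (not code from the slides). The `next` parameter name and the allowed host list are assumptions; the function goes a little beyond the slide by also rejecting scheme-relative and `javascript:` URLs.

```php
<?php
declare(strict_types=1);

const ALLOWED_HOSTS = ['example.com', 'www.example.com']; // assumed

// Returns the requested target if it stays on our site, else the fallback.
function safeRedirectTarget(?string $next, string $fallback = '/'): string
{
    if ($next === null || $next === '') {
        return $fallback;
    }
    // Site-relative path: allow "/account" but not "//evil.example" (a
    // scheme-relative URL, i.e. another host) or "/\evil.example", which
    // some browsers normalise to the same thing.
    if ($next[0] === '/' && !preg_match('#^/[/\\\\]#', $next)) {
        return $next;
    }
    $parts = parse_url($next);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback; // javascript:, data:, ...
    }
    // parse_url puts "http://example.com@evil.example/" host = evil.example,
    // so an allow-list on the host component is not fooled by user-info.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return $fallback;
    }
    return $next;
}

// After login: ?next= comes from the user, so it goes through the check.
header('Location: ' . safeRedirectTarget($_GET['next'] ?? null), true, 303);
exit;
```

Denying by default (fallback on anything unexpected) is the point; trying to enumerate bad patterns instead leaves the next encoding trick open. The same applies to server-side forwards: resolve the target from a fixed table, never from the raw parameter.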

Clickjacking

<iframe src=""></iframe>
«I'm in your tweets again»
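The response headers that stop a page from being loaded in a hidden frame, as an added example (not code from the slides). The header values are the standard ones; wrapping them in a function called from the front controller is an assumption about the application layout.

```php
<?php
declare(strict_types=1);

// Must run before any output, like every header() call.
function sendAntiFramingHeaders(bool $allowSameOrigin = false): void
{
    // Legacy header, still honoured by older browsers.
    header('X-Frame-Options: ' . ($allowSameOrigin ? 'SAMEORIGIN' : 'DENY'));

    // Modern equivalent; frame-ancestors also governs <object> and <embed>,
    // and takes precedence over X-Frame-Options where both are understood.
    $ancestors = $allowSameOrigin ? "'self'" : "'none'";
    header("Content-Security-Policy: frame-ancestors {$ancestors}");
}

sendAntiFramingHeaders();
// ... render the page; the attacker's <iframe> now shows nothing, so there
// is no invisible "Tweet" button for the "Click me!" overlay to sit on.
```

Use the same-origin variant only when your own pages really do frame each other; CSRF tokens do not help here, because the click happens in a genuine, fully authenticated page of your site.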

Goals for a more secure web

Thank you.


References & Links