Jordi Boggiano | Liip AG

Security, what you MUST know

Who am I?

  1. Injection
  2. Cross-Site Scripting / XSS
  3. Broken Auth. and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery / CSRF
  6. Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards
  11. (Clickjacking)

Injection

Escape, escape, escape

SQL is the usual suspect, but file I/O, system calls and anything else that interprets a string are just as exposed.

// Path traversal: the web server reads any file it has access to, config included
echo file_get_contents($_GET['file']);
// ?file=../config.php

// SQL injection: the quote closes the string literal and OR 1=1 matches every row
$pdo->query('SELECT * FROM foo WHERE password="'.$_GET['pwd'].'"');
// ?pwd=food" OR 1=1 --

// Command injection: the glob and the ";" run a second command as the web server user
exec('rm -rf upload/'.$_GET['file']);
// ?file=*; rm -rf /;

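As an added example (not from the slides), here are the same three sinks rewritten so that user input can choose which file, row or upload is affected, but can never change what the operation does. The directory names, the `users` table and the in-memory SQLite database used for the demonstration are assumptions.

```php
<?php
// Added example, not part of the slides: the three sinks above rewritten so
// that user input picks *which* file, row or upload, but cannot change what
// the operation does. Directory names, the users table and the SQLite
// in-memory database are assumptions for illustration.
declare(strict_types=1);

// 1. File access: canonicalise, then require the result to stay under $baseDir.
//    realpath() collapses "../" (and returns false for missing files), so
//    "?file=../config.php" fails the prefix check instead of being served.
function readPublicFile(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Refusing to read '$name' outside $baseDir");
    }
    return (string) file_get_contents($path);
}

// 2. SQL: a prepared statement sends query text and value separately, so
//    '?pwd=food" OR 1=1 --' is just a string that matches no row. (Looking a
//    user up by plaintext password is its own problem; see Broken Auth.)
function findUserByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Shell: do not build a command line at all. unlink() takes a path, and
//    the name must match a strict allowlist first, so "*; rm -rf /;" and
//    "../" never reach the filesystem. If a shell is unavoidable, wrap every
//    argument in escapeshellarg() *and* keep this validation: quoting stops
//    "; rm -rf /" but does nothing against "../../etc/passwd".
function deleteUpload(string $uploadDir, string $name): void
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name)) {
        throw new InvalidArgumentException("Bad upload name '$name'");
    }
    $path = $uploadDir . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path) || !unlink($path)) {
        throw new RuntimeException("Could not delete $path");
    }
}

// Constructed demo: a scratch directory and an in-memory database.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pub_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.txt', "hello\n");
echo readPublicFile($dir, 'hello.txt');
try {
    readPublicFile($dir, '../../etc/passwd');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
print_r(findUserByName($pdo, 'alice'));
print_r(findUserByName($pdo, 'alice" OR 1=1 --'));   // bound as a literal, not spliced into the query

deleteUpload($dir, 'hello.txt');
try {
    deleteUpload($dir, '*; rm -rf /;');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
rmdir($dir);
```

The common thread: escaping is the fallback, not the first choice. Binding parameters, resolving paths against a fixed root and calling a library function instead of a shell all remove the interpreter from the data path, so there is nothing left to escape.
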
Cross-Site Scripting / XSS

Don't trust anyone

<!-- Body context: a <script> tag inside $userContent simply runs -->
<p><?php echo $userContent; ?></p>
<!-- Attribute context: one double quote ends the title and the rest becomes new attributes, e.g. onmouseover="..." -->
<img src="foo.jpg" title="<?php echo $userContent; ?>" />

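An added example (not code from the slides) showing how to escape the two templates above by output context, plus the two contexts where `htmlspecialchars()` alone is not enough: values placed inside `<script>` and URLs in `href`. The helper names and the payload strings are constructed for illustration.

```php
<?php
// Added example, not part of the slides: output escaping for the two
// templates above, plus the two contexts where htmlspecialchars() alone is not
// enough. The payloads at the bottom are constructed attacker input.
declare(strict_types=1);

// HTML body and attribute values: encode &, <, >, " and '. ENT_QUOTES covers
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning "" (which would silently drop the content); the charset must match
// the page's, or multi-byte sequences can smuggle a quote through.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inside <script>: JSON-encode with the HEX flags so "</script>" and quotes
// become \u003C and \u0022 and cannot close the tag or the string literal.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// href/src: "javascript:alert(1)" survives HTML escaping untouched, so the
// scheme is checked before the value is escaped for the attribute.
function href(string $url): string
{
    $url = trim($url);
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {   // browsers strip tabs/newlines in "java\tscript:"
        return '#';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return '#';
    }
    return e($url);
}

function render(string $userContent, string $userLink): string
{
    return '<p>' . e($userContent) . "</p>\n"
         . '<img src="foo.jpg" title="' . e($userContent) . "\" />\n"
         . '<a href="' . href($userLink) . "\">profile</a>\n"
         . '<script>var title = ' . js($userContent) . ";</script>\n";
}

// Constructed payloads: the first breaks out of the title attribute in the
// original template, the second is a link that runs script when clicked.
echo render('"><script>alert(document.cookie)</script>', 'javascript:alert(1)');
```

In a real template engine the escaping call should be the default, not something each `echo` has to remember; the point of the three helpers is that the right encoder depends on where the value lands, not on where it came from.
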
Broken Auth. and Session Management

Protect passwords

Avoid session fixation and brute-force attacks

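The three points of this slide in one login handler, as an added example that is not from the slides: slow salted hashing with `password_hash()`, a fresh session id on login against fixation, and a per-account lockout against brute force. The in-memory user array and the `$now` clock parameter stand in for a database and the real time so the code runs outside a web request; field names are assumptions.

```php
<?php
// Added example, not part of the slides: a login handler that hashes
// passwords, regenerates the session id on login (no fixation) and locks an
// account after repeated failures (no cheap brute force). The user store and
// the clock are in-memory stand-ins for a database; field names are assumptions.
declare(strict_types=1);

const MAX_FAILURES = 5;
const LOCKOUT_SECONDS = 15 * 60;

// Store a salted, deliberately slow hash; PASSWORD_DEFAULT is bcrypt today and
// password_needs_rehash() lets you migrate when the default changes.
function registerUser(array &$users, string $name, string $password): void
{
    $users[$name] = [
        'hash'         => password_hash($password, PASSWORD_DEFAULT),
        'failures'     => 0,
        'locked_until' => 0,
    ];
}

function login(array &$users, string $name, string $password, int $now): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    // Unknown users get a dummy verify so response time does not reveal
    // which account names exist.
    if (!isset($users[$name])) {
        password_verify($password, $dummyHash);
        return false;
    }
    $user = &$users[$name];

    if ($user['locked_until'] > $now) {
        return false;   // locked: do not even evaluate the password
    }
    if (!password_verify($password, $user['hash'])) {
        if (++$user['failures'] >= MAX_FAILURES) {
            $user['locked_until'] = $now + LOCKOUT_SECONDS;
            $user['failures'] = 0;
        }
        return false;
    }

    $user['failures'] = 0;
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    // Session fixation: the attacker may have planted the pre-login session id
    // (e.g. via a link), so issue a fresh id the moment privilege changes.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['user'] = $name;
    }
    return true;
}

// Constructed demo.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
$now = time();

var_dump(login($users, 'alice', 'wrong password', $now));
for ($i = 0; $i < MAX_FAILURES; $i++) {
    login($users, 'alice', "guess$i", $now);    // attacker burns the allowance
}
var_dump(login($users, 'alice', 'correct horse battery staple', $now));   // still inside the lockout window
var_dump(login($users, 'alice', 'correct horse battery staple', $now + LOCKOUT_SECONDS));
var_dump(login($users, 'nobody', 'anything', $now));   // same cost as a real user, so no name enumeration
```

In a web request, call `session_start()` (with `secure` and `httponly` cookie flags) before `login()` so the regeneration branch runs. A per-account lockout alone lets an attacker lock users out on purpose, so pair it with per-IP rate limiting at the reverse proxy.
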
Insecure Direct Object References

Attackers aren't stupid

http://example.org/id=3
http://example.org/id=5
http://example.org/id=X   <- change the number, read someone else's record

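Two ways to stop the id-walking above, as an added example that is not from the slides: make the owner part of the database lookup, or hand out per-session random handles instead of raw ids. The `invoices` table, the column names and the in-memory SQLite database are assumptions.

```php
<?php
// Added example, not part of the slides: two ways to stop id-walking. The
// table, columns and PDO setup are assumptions; SQLite in memory stands in
// for the real database.
declare(strict_types=1);

// Approach 1: make ownership part of the query, never a check you might forget.
function loadInvoice(PDO $pdo, int $invoiceId, int $currentUserId): ?array
{
    $stmt = $pdo->prepare('SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?');
    $stmt->execute([$invoiceId, $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;   // "not yours" and "does not exist" look identical
}

// Approach 2: indirect references. The page shows per-session random handles
// instead of database ids, so the URL carries nothing an attacker can count up.
function referenceFor(array &$session, int $realId): string
{
    $session['refs'] ??= [];
    $handle = array_search($realId, $session['refs'], true);
    if ($handle === false) {
        $handle = bin2hex(random_bytes(16));
        $session['refs'][$handle] = $realId;
    }
    return $handle;
}

function resolveReference(array $session, string $handle): ?int
{
    return $session['refs'][$handle] ?? null;
}

// Constructed demo.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total INTEGER)');
$pdo->exec('INSERT INTO invoices VALUES (3, 1, 100), (5, 2, 250)');

var_dump(loadInvoice($pdo, 3, 1));   // owner 1 reading their own invoice
var_dump(loadInvoice($pdo, 5, 1));   // invoice 5 belongs to owner 2, treated like a missing row

$session = [];
$handle = referenceFor($session, 5);
echo "/invoice?ref=$handle\n";        // opaque and per-session instead of ?id=5
var_dump(resolveReference($session, $handle));
var_dump(resolveReference($session, 'some-guessed-value'));
```

Approach 1 is usually enough and keeps URLs bookmarkable; approach 2 matters when the id itself leaks information (sequential ids reveal how many orders you have, for instance).
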
Cross-Site Request Forgery / CSRF

Death from above

<!-- A form on the attacker's page; the victim's browser submits it with the victim's twitter cookies -->
<form action="http://twitter.com/submit">
    <input type="hidden" name="tweet"
        value="I'm in your twitter, spamming all your friends" />
    <input type="submit" value="Click me!" />
</form>

<!-- A GET with side effects needs no click at all: the browser fetches the "image" while logged in -->
<img src="http://facebook.com/account?action=delete" />

<!-- Defence: a per-session secret in every state-changing form (Rails' authenticity_token); another origin cannot read it -->
<input name="authenticity_token" type="hidden" value="829000ddb69cdf1ffbdd8f2543b79f5e8b27add6" />

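The synchroniser-token defence behind that `authenticity_token` field, as an added example that is not from the slides. The session is passed in as an array so the code runs outside a web request (in production it is `$_SESSION`); the field and key names are assumptions that follow the slide.

```php
<?php
// Added example, not part of the slides: synchroniser-token CSRF protection
// for the forms above. The session is passed in as an array so the code runs
// outside a web request; in production it is $_SESSION. The field name
// follows the slide's authenticity_token.
declare(strict_types=1);

// One unguessable token per session, created lazily: 32 bytes from
// random_bytes(), never mt_rand() or a hash of the time.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Embed it in every state-changing form. A page on another origin cannot read
// this value (same-origin policy), so it cannot build a valid request.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="authenticity_token" value="' . $token . '" />';
}

// Verify on every POST. hash_equals() compares in constant time; a plain ===
// would let timing leak the token byte by byte.
function csrfValid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;   // state changes over GET (the <img> trick) are never accepted
    }
    $expected = $session['csrf_token'] ?? null;
    $given = $post['authenticity_token'] ?? null;
    return is_string($expected) && is_string($given) && hash_equals($expected, $given);
}

// Constructed demo.
$session = [];
echo '<form method="post" action="/tweet">' . csrfField($session) . "</form>\n";

// Legitimate submit: the browser posts back the field it was given.
var_dump(csrfValid($session, 'POST', ['tweet' => 'hi', 'authenticity_token' => csrfToken($session)]));
// Forged submit from another origin: the attacker does not know the token.
var_dump(csrfValid($session, 'POST', ['tweet' => "I'm in your twitter"]));
// The <img src="...?action=delete"> variant: GET is rejected regardless of token.
var_dump(csrfValid($session, 'GET', ['authenticity_token' => csrfToken($session)]));
```

The token is only as good as the session cookie it is tied to: set `SameSite=Lax` on that cookie as a second layer, and never leak the token into URLs or logs.
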
Misconfiguration

Maintenance is key

Insecure Cryptographic Storage

Encrypt sensitive data

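An added example (not from the slides) of encrypting a field you later need back, such as a card number or an API key, with libsodium, which ships with PHP since 7.2. Passwords do not belong here: they are hashed, not encrypted (see Broken Auth). The key handling shown is an assumption; in practice the key comes from an environment variable or a KMS, never from the same database as the ciphertext.

```php
<?php
// Added example, not part of the slides: authenticated encryption for data
// you need back (card numbers, API keys) with libsodium, bundled with PHP
// since 7.2. Passwords are not in this category: hash them, do not encrypt
// them. The key source is an assumption; in practice it comes from an
// environment variable or a KMS, never from the database beside the ciphertext.
declare(strict_types=1);

function encryptField(string $plaintext, string $key): string
{
    // A fresh random nonce per message; reusing one with XSalsa20 breaks
    // confidentiality. The nonce is not secret, so it travels with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is authenticated (Poly1305): any modified bit fails here
    // instead of decrypting to garbage that the application then trusts.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Ciphertext tampered with or wrong key');
    }
    return $plain;
}

// Constructed demo. The key would normally be loaded from config, not generated here.
$key = sodium_crypto_secretbox_keygen();   // 32 random bytes
$stored = encryptField('4111 1111 1111 1111', $key);
echo $stored, "\n";
echo decryptField($stored, $key), "\n";

// Flip one bit of the stored value and the MAC check refuses to decrypt.
$raw = base64_decode($stored);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    decryptField(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
sodium_memzero($key);
```

If the key must be derived from a passphrase rather than stored, derive it with `sodium_crypto_pwhash()` (Argon2id) and keep the salt with the ciphertext; a plain `hash()` of the passphrase is not a key derivation function.
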
Failure to Restrict URL Access

Links aren't everything

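An added example, not from the slides, of the fix for this slide: one authorisation check in the front controller, run for every request before dispatch, rather than hoping unprivileged users never find `/admin`. The route table, role names and status codes are assumptions.

```php
<?php
// Added example, not part of the slides: one authorisation check in the front
// controller, applied to every request before dispatch, instead of relying on
// unprivileged users never finding /admin. Routes, roles and return codes are
// assumptions for illustration.
declare(strict_types=1);

// Deny by default: a path missing from this table gets 404, never "allow".
const ROUTES = [
    '/'            => null,     // public
    '/account'     => 'user',
    '/admin/users' => 'admin',
];

function normalisePath(string $uri): string
{
    $path = rawurldecode(explode('?', $uri, 2)[0]);
    // Collapse "/admin/../admin/users", "/admin//users" and trailing slashes
    // so spelling variants cannot slip past a string comparison.
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Returns the HTTP status the controller should send; 200 means "dispatch".
function authorize(string $uri, ?array $user): int
{
    $path = normalisePath($uri);
    if (!array_key_exists($path, ROUTES)) {
        return 404;
    }
    $required = ROUTES[$path];
    if ($required === null) {
        return 200;
    }
    if ($user === null) {
        return 401;   // must log in first
    }
    return in_array($required, $user['roles'], true) ? 200 : 403;
}

// Constructed demo: an admin, a plain user and a few request paths.
$admin = ['name' => 'root', 'roles' => ['user', 'admin']];
$bob   = ['name' => 'bob',  'roles' => ['user']];
foreach ([
    ['/admin/users', null],
    ['/admin/users', $bob],
    ['/admin/../admin/users?x=1', $bob],
    ['/admin%2Fusers/', $admin],
    ['/secret-report', $admin],
] as [$uri, $user]) {
    printf("%-30s %-5s -> %d\n", $uri, $user['name'] ?? '-', authorize($uri, $user));
}
```

The check belongs in the one place every request passes through; a per-page `if (!isAdmin()) die()` is exactly the kind of thing that gets forgotten on the next page added.
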
Insufficient Transport Layer Protection

«But cables are so ugly..»

Unvalidated Redirects and Forwards

Still trusting that user input?

http://example.org/redirect.php?url=http://evample.org
// a trusted link that lands on a look-alike domain (note the spelling)

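An added example, not from the slides, of validating a redirect target so that `?url=` can only send the browser back to this site or to an explicit allowlist, plus the same idea for an internal forward parameter. The allowlist, fallback and forward map are assumptions.

```php
<?php
// Added example, not part of the slides: validating a redirect target so that
// ?url= can only send the browser to this site or an explicit allowlist, and
// mapping an internal forward parameter the same way. Allowlist, fallback
// and forward map are assumptions.
declare(strict_types=1);

function safeRedirectTarget(string $url, array $allowedHosts, string $fallback = '/'): string
{
    $url = trim($url);
    // Control characters and backslashes: browsers normalise "/\evil.org" to
    // "//evil.org" and strip tabs and newlines, so refuse rather than guess.
    if ($url === '' || preg_match('/[\x00-\x20\x7F\\\\]/', $url)) {
        return $fallback;
    }
    // Site-relative path: exactly one leading slash. "//evil.org" is a
    // protocol-relative absolute URL and must not pass.
    if ($url[0] === '/') {
        return substr($url, 0, 2) === '//' ? $fallback : $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;   // "javascript:...", "data:..." and bare "evil.org/x" land here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;   // "https://example.org@evample.org" trick
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true) ? $url : $fallback;
}

// Forwards: for an internal "?page=" parameter, map a key to a template
// instead of building a file path from the parameter at all.
const FORWARD_TARGETS = ['home' => 'home.php', 'help' => 'help.php'];

function forwardTarget(string $page): string
{
    return FORWARD_TARGETS[$page] ?? FORWARD_TARGETS['home'];
}

// Constructed demo.
$allowed = ['example.org', 'www.example.org'];
$inputs = [
    '/account',
    '//evample.org',
    'http://evample.org',
    'https://example.org/done',
    'javascript:alert(1)',
    'https://example.org@evample.org/',
    "/\\evample.org",
];
foreach ($inputs as $u) {
    printf("%-36s -> %s\n", $u, safeRedirectTarget($u, $allowed));
}
echo forwardTarget('help'), ' ', forwardTarget('../../etc/passwd'), "\n";

// In the real handler:
// header('Location: ' . safeRedirectTarget($_GET['url'] ?? '', $allowed)); exit;
```

Where you control all the targets, skip URL parsing entirely and pass a key into a server-side map, as `forwardTarget()` does; there is then nothing for `parse_url()` quirks or browser normalisation to disagree about.
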
Clickjacking

Click here to see naked $whateverYouFancy

<!-- An invisible frame of the logged-in site positioned under the bait; the victim's click lands on its submit button -->
<iframe src="http://twitter.com/?status=I'm in your tweets again"></iframe>

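An added example that is not from the slides, serving both the transport slide and the clickjacking slide: the response headers and cookie flags a PHP front controller should set on every request. The canonical hostname, the trusted proxy address and the `$server` arrays used at the bottom are constructed assumptions.

```php
<?php
// Added example, not part of the slides, covering both the transport slide and
// the clickjacking slide: the response headers and cookie flags a PHP front
// controller should set on every request. Canonical hostname and proxy
// address are assumptions; the $server arrays at the bottom are constructed.
declare(strict_types=1);

const CANONICAL_HOST = 'example.org';
const TRUSTED_PROXIES = ['10.0.0.2'];

function isHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // X-Forwarded-Proto is attacker-controlled unless a proxy you operate set
    // it, so only honour it when the request came from that proxy.
    return ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https'
        && in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
}

// Returns the headers to emit; a Location header means "stop and redirect".
function securityHeaders(array $server): array
{
    if (!isHttps($server)) {
        // The whole site, not just the login page: a plain-HTTP page can be
        // rewritten on the wire to send the session cookie anywhere. The host
        // is a constant rather than the Host: header so the redirect cannot be steered.
        return ['Location: https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/')];
    }
    return [
        // Browsers remember this for a year and refuse http:// for the host,
        // which also defeats sslstrip-style downgrades after the first visit.
        'Strict-Transport-Security: max-age=31536000; includeSubDomains',
        // Clickjacking: refuse to be framed. frame-ancestors is the current
        // standard; X-Frame-Options covers older browsers. A JavaScript
        // frame-buster is a weaker fallback (a sandboxed iframe can disable it).
        "Content-Security-Policy: frame-ancestors 'none'",
        'X-Frame-Options: DENY',
    ];
}

function hardenSessionCookie(): void
{
    // Secure: never sent over http, so a downgrade cannot leak it. HttpOnly:
    // invisible to script. SameSite=Lax: not attached to cross-site POSTs,
    // which also blunts the CSRF forms on the earlier slide.
    session_set_cookie_params([
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Call this first thing in the front controller, before session_start().
function applySecurityHeaders(array $server): void
{
    hardenSessionCookie();
    foreach (securityHeaders($server) as $h) {
        header($h);
        if (strncmp($h, 'Location:', 9) === 0) {
            exit;
        }
    }
}

// Constructed requests: one that arrived over plain HTTP, one over TLS.
print_r(securityHeaders(['HTTPS' => 'off', 'REQUEST_URI' => '/login']));
print_r(securityHeaders(['HTTPS' => 'on', 'REQUEST_URI' => '/login']));
```

The redirect only protects users whose first request is not already intercepted; HSTS (and preloading the domain) closes that window for later visits, which is why both are sent.
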
Goals for a more secure web

Thank you.

Questions?

References & Links