Grokking TechTalk 9 - Secure Coding

Secure Coding

Tran Anh Tuan

whoami

• Tran Anh Tuan
• Security Engineer (old)
• xtuanta@gmail.com
• xtuanta on irc.freenode.net

Content

• Security with PHP
• Secure Web Coding - OWASP
  • Input Validation
  • Output Encoding
  • Authentication
  • Data Protection

Security with PHP - CTF Boston Key Party 2015

if (isset($_GET['password'])) {
    if (is_numeric($_GET['password'])) {
        if (strlen($_GET['password']) < 4) {
            if ($_GET['password'] > 999)
                die('Flag: '.$flag);
            else
                print '<p class="alert">Too little</p>';
        } else
            print '<p class="alert">Too long</p>';
    } else
        print '<p class="alert">Password is not numeric</p>';
}

Security with PHP - hint

• Description

  bool is_numeric ( mixed $var )

Finds whether the given variable is numeric. Numeric strings consist of optional sign, any number of digits, optional decimal part and optional exponential part. Thus +0123.45e6 is a valid numeric value. Hexadecimal (e.g. 0xf4c3b00c), Binary (e.g. 0b10100111001), Octal (e.g. 0777) notation is not allowed.
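The hint is the whole problem: is_numeric() accepts decimal and exponent notation, so the challenge's three checks (numeric, shorter than 4 characters, greater than 999) can all be satisfied by a 3-character string such as "1e5", which PHP compares as the float 100000.0. The following is an added example, not code from the talk, placing the challenge's check next to a strict digits-only validator (ctype_digit plus FILTER_VALIDATE_INT); the function names and the sample inputs are constructed for illustration.

```php
<?php
// Weak check, mirroring the CTF slide: is_numeric() is a format check, not
// an integer check. "1e5" is numeric, 3 characters long, and compares as 100000.
function weakCheck(string $password): bool
{
    return is_numeric($password)
        && strlen($password) < 4
        && $password > 999;   // numeric-string vs int: PHP converts "1e5" to 100000.0
}

// Hardened check: accept only ASCII digits, then validate and compare as an int.
// ctype_digit() rejects sign, '.', 'e', whitespace and hex/binary/octal prefixes.
// Note that with a real integer no 1-3 digit value can exceed 999, which is
// exactly why the challenge could only be solved by abusing is_numeric().
function strictCheck(string $password): bool
{
    if ($password === '' || !ctype_digit($password)) {
        return false;
    }
    $value = filter_var($password, FILTER_VALIDATE_INT);
    return $value !== false && strlen($password) < 4 && $value > 999;
}

// Constructed sample inputs: a plain 4-digit value, the boundary, exponent
// notation, and a padded variant (is_numeric() tolerates leading whitespace).
foreach (['1234', '999', '1e5', ' 1e3'] as $input) {
    printf("%-8s weak=%-5s strict=%s\n",
        var_export($input, true),
        var_export(weakCheck($input), true),
        var_export(strictCheck($input), true));
}
```

Only "1e5" passes weakCheck(); strictCheck() returns false for every input, because the hardened validator leaves no 1-3 digit integer above 999.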

Secure Web Coding - OWASP

• OWASP - The Open Web Application Security Project
  • free and open community focused on improving the security of applications
  • a free resource for any development team

• OWASP Projects
  • OWASP Top 10
  • OWASP WebGoat
  • OWASP ZAP
  • ...

1. Input Validation

• Conduct all data validation on a trusted system (e.g. the server)
• Validate all data from untrusted sources (e.g. other servers)
• Data from the client should never be trusted
• Where to include validation?
  • there should be a centralized input validation?
  • must be performed on every tier?
  • but at the very least, data should be checked before use

2. Output Encoding

• Contextually output encode all data returned to the client
• Encode all characters unless they are known to be safe
• E.g.:

  Search results for aaaaaaaaaaaaaaaaa'"<>

3. Authentication

• Require authentication for all pages and resources
• Password hashing must be implemented
• Use only HTTP POST requests to transmit authentication credentials
• Use the generic message "Invalid username and/or password" in all authentication functions

4. Data Protection

• Remove comments, unnecessary information, documentation, ...
• and yes, obfuscate, please

Thank you

More questions? Contact me at xtuanta@gmail.com