Secure Coding - Tran Anh Tuan

Grokking TechTalk 9 - Secure Coding



Page 1: Grokking TechTalk 9 - Secure Coding

Secure Coding

Tran Anh Tuan

Page 2

whoami

• Tran Anh Tuan
• Security Engineer (old)
• [email protected]
• xtuanta on irc.freenode.net

Page 3

Content

• Security with PHP
• Secure Web Coding - OWASP
  • Input Validation
  • Output Encoding
  • Authentication
  • Data Protection

Page 4

Security with PHP - CTF Boston Key Party 2015

if (isset($_GET['password'])) {
    if (is_numeric($_GET['password'])) {
        if (strlen($_GET['password']) < 4) {
            if ($_GET['password'] > 999)
                die('Flag: '.$flag);
            else
                print '<p class="alert">Too little</p>';
        } else
            print '<p class="alert">Too long</p>';
    } else
        print '<p class="alert">Password is not numeric</p>';
}

Page 5

Security with PHP - hint

• Description: bool is_numeric ( mixed $var )

Finds whether the given variable is numeric. Numeric strings consist of optional sign, any number of digits, optional decimal part and optional exponential part. Thus +0123.45e6 is a valid numeric value. Hexadecimal (e.g. 0xf4c3b00c), Binary (e.g. 0b10100111001), Octal (e.g. 0777) notation is not allowed.
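As an added example (not part of the talk), the challenge check from page 4 is written as a function beside a strict rewrite that validates the canonical decimal form before comparing; both run over a few constructed inputs to show where is_numeric() is too loose for this kind of check. Function names and the input list are mine.

```php
<?php
// Added example, not from the talk: the CTF check beside a strict version.

// Weak check: mirrors the challenge logic. is_numeric() accepts signs,
// decimals, exponents and leading whitespace, so the length test measures
// the string while the value test measures the converted number.
function weak_check(string $password): string {
    if (!is_numeric($password)) {
        return 'not numeric';
    }
    if (strlen($password) >= 4) {
        return 'too long';
    }
    if ($password > 999) {          // numeric string is converted before comparing
        return 'FLAG';
    }
    return 'too little';
}

// Strict check: accept only ASCII digits, then compare as an integer.
// Exponents, signs, whitespace and decimals are rejected up front, so the
// length test and the value test now describe the same thing.
function strict_check(string $password): string {
    if (!ctype_digit($password)) {
        return 'not numeric';
    }
    if (strlen($password) >= 4) {
        return 'too long';
    }
    if ((int)$password > 999) {     // unreachable for at most 3 digits, as intended
        return 'FLAG';
    }
    return 'too little';
}

// Constructed inputs (not from the talk).
$inputs = ['999', '1000', '1e9', '1.5', 'abc'];
printf("%-8s %-12s %s\n", 'input', 'weak', 'strict');
foreach ($inputs as $in) {
    printf("%-8s %-12s %s\n", var_export($in, true), weak_check($in), strict_check($in));
}
```

Only the weak version reaches FLAG for a three-character input such as '1e9'; the strict version rejects it as not numeric, which is the behaviour the original length and range checks were meant to enforce.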

Page 6

Secure Web Coding - OWASP

• OWASP - The Open Web Application Security Project
  • free and open community focused on improving the security of applications
  • a free resource for any development team

• OWASP Projects
  • OWASP Top 10
  • OWASP WebGoat
  • OWASP ZAP
  • ...

Page 7

1. Input Validation

• Conduct all data validation on a trusted system (e.g. the server)
• Validate all data from untrusted sources (e.g. other servers)
• Data from the client should never be trusted
• Where to include validation?
  • there should be a centralized input validation?
  • must be performed on every tier?
  • but at least, should be checked before use

Page 8

2. Output Encoding

• Contextually output encode all data returned to the client
• Encode all characters unless they are known to be safe
• E.g.:

Search results for aaaaaaaaaaaaaaaaa'"<>

Page 9

3. Authentication

• Require authentication for all pages and resources
• Password hashing must be implemented
• Use only HTTP POST requests to transmit authentication credentials
• Please use "Invalid username and/or password" in all functions

Page 10

4. Data Protection

• Remove comments, unnecessary information, documentation, ...
• and yes, obfuscate, please

Page 11

Thank you

More questions? Contact me at [email protected]