owasp top 10 for php programmers

Follow this topic: @rjsmelo, #owasp, #php, #appsec OWASP TOP 10 for PHP programmers RICARDO MELO Presented at #PHPLX – 11 September 2013

Post on 18-Oct-2014


Category:

Technology



DESCRIPTION

Presented at #PHPLX, 11 September 2013. The 2013 edition of the OWASP (Open Web Application Security Project) Top 10 has just been released and, unfortunately, injection (not only SQL injection) is still the most common security problem. In this talk we review the Top 10 list of security risks, looking at possible attack scenarios and ways to protect against them, mostly from a PHP programmer's perspective.

TRANSCRIPT

Follow this topic: @rjsmelo, #owasp, #php, #appsec

OWASP TOP 10 for PHP programmers

RICARDO MELO

Presented at #PHPLX 11 September 2013


RICARDO MELO

CTO @ DRI
PHP, MySQL, Linux and lots of other OSS
ZCE, RHCE, LPI 3, ITIL, etc.
+10 years building (and breaking) things


About

14-year-old academic spin-off
Pragmatic OSS orientation: PHP, MySQL, SugarCRM, Drupal, JavaScript, Linux, etc.
Crafters, integrators
Always looking for software developers. Yes, right now!

1999 - 2013 DRI. Some Rights Reserved.


Outline

OWASP
OWASP TOP 10
What's Next
Conclusions


What is OWASP?

Open Web Application Security Project
Worldwide non-profit
Focus on security improvement and awareness
Very active community
Lots of projects (you can start your own)


What is OWASP TOP 10

The full name is "The Ten Most Critical Web Application Security Risks"
The focus is awareness
Released in 2003, 2004, 2007, 2010 and 2013

https://www.owasp.org/index.php/Top_10_2013


Risk?

OWASP rates each risk along the path from threat agent to business impact (the rating table from the Top 10 methodology):

Threat Agents          Attack Vectors   Weakness Prevalence   Weakness Detectability   Technical Impacts   Business Impacts
Application Specific   EASY             WIDESPREAD            EASY                     SEVERE              Application / Business Specific
                       AVERAGE          COMMON                AVERAGE                  MODERATE
                       DIFFICULT        UNCOMMON              DIFFICULT                MINOR


OWASP TOP 10 - 2013

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards


A1 - Injection

Occurs when untrusted data is sent to an interpreter as part of a command or query, so the interpreter cannot tell data from code!

Not only SQL: NoSQL, LDAP, OS commands, XML, XPath!

Never, NEVER trust ANY input! Keep the command structure fixed and pass user data separately (parameterised queries, escaping APIs built for the target interpreter).
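As an added example (not from the slides), the following PHP script shows the injection the slide describes and the parameterised fix side by side. It runs against an in-memory SQLite database through PDO, so no server is needed; the users table, its rows and the attacker's input are all constructed for the demonstration.

```php
<?php
// Added example, not part of the original talk: string-built SQL versus a
// prepared statement, both run against a constructed in-memory SQLite table.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the untrusted value is spliced into the query text, so the
// interpreter (SQLite here) cannot distinguish the attacker's quote and OR
// clause from the developer's SQL.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the statement structure is fixed at prepare time and the value is
// bound as data, so whatever it contains it can only ever be compared to
// the username column, never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$honest  = 'alice';
$payload = "' OR '1'='1";   // constructed attacker input

// The vulnerable function accepts the payload as SQL and returns every user;
// the prepared statement treats it as a literal username and matches nothing.
printf("vulnerable('%s'): %d row(s)\n", $honest, count(findUserVulnerable($pdo, $honest)));
printf("vulnerable(%s): %d row(s)\n", $payload, count(findUserVulnerable($pdo, $payload)));
printf("safe('%s'): %d row(s)\n", $honest, count(findUserSafe($pdo, $honest)));
printf("safe(%s): %d row(s)\n", $payload, count(findUserSafe($pdo, $payload)));
```

Run it with `php` on the command line. The same rule carries over to the other interpreters on the slide: use the escaping or parameter-binding API built for that target (for example `escapeshellarg()` before building an OS command), never hand-rolled string concatenation.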


A1 Injection Examples - SQL