web application security
DESCRIPTION
This talk is designed for people interested in the concepts of web application security who may never have been involved with it before, or, on the other side of the coin, developers. Using open source frameworks and tools we discuss an approach to a couple of well known vulnerabilities and demonstrate how these can be fixed well (and not so well). The talk also gives the audience a "take away" in the form of further exercises that can be done in order to learn more about the security side of web applications and PHP in particular.
TRANSCRIPT
Web Application Security: PHP
Thomas Mackenzie
$ whois spiderlabs.tom
Copyright Trustwave 2011 Confidential
Tom Mackenzie
• Web Application Security
• @tmacuk
• http://www.tmacuk.co.uk
• http://www.upsploit.com
• Podcast
PUBOTD
About SpiderLabs ®
Pentesting
Incident Response
Application Security
Research & Development
Security Conferences
Global Security Report
About SpiderLabs®
• Formed in 2005 to serve a growing need for deep technical professional services within Trustwave’s client base.
• SpiderLabs is the advanced security team at Trustwave.
• SpiderLabs provides thought leadership to the entire Trustwave organisation and our clients.
• In 2009 and 2010, Trustwave’s SpiderLabs responded to over 400 incidents and performed nearly 4,500 penetration tests for organisations in over 50 different countries.
Featured Speakers at:
Introduction
Expectations
• PHP
• Code and Security
• Live Demos
• Best Practices
• DIY
DVWA – Damn Vulnerable Web App
About DVWA
• Ryan Dewhurst - @ethicalhack3r
• Damn Vulnerable?
• Security Levels
• PHP & MySQL / PostgreSQL
• http://code.google.com/p/dvwa/
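The abstract's point about fixes done "well (and not so well)" is what DVWA's security levels step through. The following is an added example, not code from the talk or from DVWA: it assumes SQL injection is one of the demonstrated vulnerabilities (the slides do not name it), and it uses an in-memory SQLite database through PDO with a constructed `users` table so that it runs stand-alone. The three `lookup*` functions, the table contents and the `$payload` string are all the example's own.

```php
<?php
// Added example (not from the talk or DVWA): one user lookup written three ways.
// Uses an in-memory SQLite database via PDO so it runs without a database server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, surname TEXT)');
// Constructed sample data.
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'gordonb', 'brown'), (3, 'pablo', 'picasso')");

// Constructed attacker input: closes the quoted string and makes the WHERE clause always true.
$payload = "1' OR '1'='1";

// 1. Not fixed: user input is concatenated straight into the SQL text, so the
//    attacker controls the query. With $payload this returns every user.
function lookupVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT first_name, surname FROM users WHERE id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Fixed "not so well": escaping the quotes in the input. This stops the payload
//    above, but it only works while the value sits inside quotes in the query; an
//    unquoted numeric column (WHERE id = $id), a charset mismatch, or one call site
//    that forgets to escape brings the bug straight back.
function lookupEscaped(PDO $db, string $id): array
{
    $safe = $db->quote($id); // wraps in quotes and doubles embedded single quotes
    $sql  = "SELECT first_name, surname FROM users WHERE id = $safe";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Fixed well: a prepared statement, so the value is sent as data and never becomes
//    part of the SQL text, plus validation against what the application actually
//    expects here (a plain non-negative integer).
function lookupPrepared(PDO $db, string $id): array
{
    if (!preg_match('/^\d+$/', $id)) {
        return []; // reject anything that is not an integer id
    }
    $stmt = $db->prepare('SELECT first_name, surname FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("vulnerable: %d row(s)\n", count(lookupVulnerable($db, $payload)));
printf("escaped:    %d row(s)\n", count(lookupEscaped($db, $payload)));
printf("prepared:   %d row(s)\n", count(lookupPrepared($db, $payload)));
printf("prepared, legitimate id 2: %s\n", lookupPrepared($db, '2')[0]['first_name']);
```

Run it with `php` on a build that has `pdo_sqlite` enabled. The first lookup hands back the whole table for the injected value, the other two return nothing for it, and only the third still behaves correctly when the query is later changed to compare against an unquoted numeric column, which is the difference between a fix that blocks one payload and a fix that removes the bug class.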
About DVWA
• How can you help?
— Open Source
— Contributors
• Fork
• Ideas!
• Ideas?
Live Demo
Best Practices
OWASP
• Books
• Cheat Sheets
• People
• Events
• Projects
Intercepting Proxies
• Burp Suite / BS Pro
• ZAP
• Paros
Live Demo
Links
Links
• http://www.dvwa.co.uk
• http://www.owasp.org
• http://portswigger.net/burp/
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• http://www.parosproxy.org/
• https://www.owasp.org/index.php/OWASP_Testing_Project
• http://mdsec.net/wahh/
• http://blog.spiderlabs.com
• https://www.trustwave.com/apppentest.php
SpiderLabs Research Reports
WHID Report
Global Security Report
Contact
• http://www.tmacuk.co.uk