February 29 - March 2, 2012
Montreal, Canada

PHP Web Security

The advancement of PHP and its available frameworks now enables us to create stable and secure applications. But many details and good-practice measures must be implemented in order to produce a secure application in the end. As is often the case, we forget, and the solution is not that simple.

This workshop will lead the participant to understand the different methods of secure programming in PHP and also in Drupal, Symfony and Zend. The material is presented with an emphasis on the impact of an attack: each risk will be demonstrated with a simulation. The final goal is to learn how to break and fix a PHP Web application in today’s reality.

The target attendee is a PHP developer who is not already aware of security methods and/or wants to have an overview of the attacker’s perspective.

Introduction

  • Quick risk management overview
  • What is a flaw and how it can become a vulnerability
  • Preparation of tools that we will use
  • General guidelines about fixes
  • Testing and why you can do more than everyone else
  • Solution for the code sample in the “Target audience” section

Finding and fixing vulnerabilities

This part will be iterative over all the subjects throughout the day. PHP, Drupal, Symfony, Zend:

  • Flaw: Finding and understanding a flaw in the code
  • Attack: Guided exploitation of found vulnerabilities
  • Solution: What is needed in order to fix it
  • Verification: Testing that the flaw is really fixed

For example, we will exploit a flaw implemented in Drupal that gives access to the database, then correct the error in the code, and finally verify that the vulnerability no longer exists.

Conclusion

  • Review of the guidelines for each technology
  • How you can help with risk management
  • General questions and answers

Target audience

The target attendee is a PHP developer who is not already aware of security methods and/or wants to have an overview of the attacker’s perspective.

If you know how to execute the following code without any error, warning or notice by doing an HTTP request in less than two minutes, this training may not be for you.

<?php

$parts = array('PHP', 'Drupal', 'Symfony', 'Zend');

foreach ($parts as $p) {
        echo $p;
        eval($_GET['Flaw'] . $p);
        mysql_query($_GET['Attack'] . $p);
        file_get_contents($_POST['Solution'] . $p);
        if (system($_COOKIE['Verification'] . $p))
                continue;
        else
                exit;
}

?>

Training Details

  • Duration: 1 day (Tuesday, February 28)
  • Cost: 400$
  • Maximum capacity: 8
  • Requirements: A laptop with a DVD drive and network capabilities

Jonathan Marcil

Jonathan likes being involved in many community events and, at ConFoo, he keeps track of security-related talks and OWASP visibility. His main occupation is consulting in Web security, but deep down he is a developer with an agnostic vision of programming languages. He has a diploma in Software Engineering from Ecole de Technologie Superieure and more than 10 years of experience in Information Technology and Security.
