141: Web Application Security, Part 2 with Scott Arciszewski

In this weeks episode we continue our discussion with Scott Arciszewski about all things Security and Cryptography. We start off the show by highlighting what a SQL injection attack is and the differences between (emulated) prepared statements. This leads us on to look into how to securely handle file uploads, what a reverse shell is and how to defend yourself against XSS/CSRF attacks. From here we touch upon the recent inclusion of libsodium into PHP, why mcrypt should be avoided, and the side-channel vulnerabilities that brought way to Meltdown and Spectre. Finally, we mention how computers generate seemingly random numbers, what a Web Application Firewall (WAF) is, and how WARD goes about protecting your systems.

Show Links

• Scott Arciszewski on Twitter
• Paragon Initiative Enterprises
• The 2018 Guide to Building Secure PHP Software
• Are PDO prepared statements sufficient to prevent SQL injection?
• Preventing SQL Injection in PHP Applications
• paragonie/easydb - Easy-to-use PDO wrapper for PHP projects.
• Security at the expense of usability comes at the expense of security.
• Security B-Sides Orlando 2017
• TimThumb WebShot Code Execution Exploit (Zeroday)
• Reverse shell !?!
• paragonie/anti-csrf - Full-Featured Anti-CSRF Library
• Using Libsodium in PHP Projects
• paragonie/sodium_compat - Pure PHP polyfill for ext/sodium
• libsodium
• It Turns Out, 2017 is the Year of Simply Secure PHP Cryptography
• The ECB Penguin
• Cache-timing attacks on AES
• Side-Channel Attacks on Everyday Applications
• Meltdown and Spectre
• PCID is now a critical performance/security feature on x86
• If You’re Typing the Word MCRYPT Into Your PHP Code, You’re Doing It Wrong
• Myths about /dev/urandom
• PHP - random_bytes
• PHP - random_int
• Ward - Web Application Realtime Defender