Prevent your app from being hacked by Jean-KévinDu62

Sylvain Combraque

Developer at les-tilleuls.coop

Security auditor in his free time

API Platform contributor

@Darkweak

@Darkweak_dev

Les-tilleuls.coop

Self-managed since 2011

35 people, 2000% in 8 years

jobs@les-tilleuls.coop

"You should use WordPress, it's secure"

Back to the past

mysql_connect

PDO::query

SELECT * FROM table WHERE id = $id

Need to fetch data from the database?

ORM (such as CakePHP ORM)

Better: use prepared statements
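The two patterns from the previous slides side by side, as an added example that is not part of the deck: the interpolated query that is open to SQL injection, and the PDO prepared statement that replaces it. The DSN, credentials and table name are assumptions.

```php
<?php
// Added example: vulnerable string interpolation vs. a PDO prepared statement.
// DSN, credentials and the "category" table are assumptions for this example.

$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepare, not client-side quoting
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// VULNERABLE: $id becomes part of the SQL text, so a value such as
// "1 OR 1=1" changes the query instead of being compared as a number.
function findCategoryUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT * FROM category WHERE id = $id";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the query text is fixed at prepare time; the value travels
// separately as a typed parameter and is never parsed as SQL.
function findCategory(PDO $pdo, string $id): ?array
{
    // Reject anything that is not a plain decimal identifier up front.
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM category WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Typical usage: the identifier taken from the route (/category/1)
$category = findCategory($pdo, $_GET['id'] ?? '');
if ($category === null) {
    http_response_code(404);
    exit;
}
echo json_encode($category);
```

With `ATTR_EMULATE_PREPARES` disabled the statement is prepared by MySQL itself; the `ctype_digit` check is an extra input-validation step, not a substitute for the parameter binding.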

Need to define a URL with an identifier?

/category.php?id=1

/category?id=1

URL rewriting is better

/category/1

Cool, my app is now secure

Not really

Going further with hacker attacks

Protect your app from brute-force attacks

Login example

My reaction

Fail2ban failregex example
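A Fail2ban filter and jail of the kind the slide refers to, as an added example that is not part of the deck. The application log format is constructed for this example (one line per failed login, with the client IP at the end); the file paths, jail name and thresholds are assumptions.

```ini
# Added example, not the deck's own configuration.
# Assumed log format (constructed):
#   2019-06-12 10:15:32 login failed for "admin" from 203.0.113.7

# /etc/fail2ban/filter.d/myapp-login.conf
[Definition]
# <HOST> is Fail2ban's placeholder for the IP address to ban
failregex = ^.* login failed for "[^"]*" from <HOST>$
ignoreregex =

# /etc/fail2ban/jail.d/myapp-login.conf
[myapp-login]
enabled  = true
filter   = myapp-login
logpath  = /var/log/myapp/security.log
maxretry = 5
findtime = 10m
bantime  = 1h
```

`fail2ban-regex /var/log/myapp/security.log /etc/fail2ban/filter.d/myapp-login.conf` shows how many lines the expression matches before the jail is enabled.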

Form security

"God created CSRF"

Symfony

PWA / SPA

On form load:
  Client → API: Request
  API: Generate CSRF token
  API → Client: Send CSRF token

On form submit:
  Client → API: Submit (with CSRF token)
  API: Verification
  API → Client: Return response
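The exchange above implemented on the API side, as an added example that is not part of the deck and is written in plain PHP rather than with Symfony's security-csrf component. The route paths, the `X-CSRF-Token` header name and the session settings are assumptions.

```php
<?php
// Added example: API-side CSRF token issue/verify for a PWA/SPA.
// Routes, header name and session options are assumptions.

declare(strict_types=1);

session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,
    'cookie_samesite' => 'Strict',
]);

// On form load: the client requests a token, the API generates and sends it.
function issueCsrfToken(): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    $_SESSION['csrf_token'] = $token;
    return $token;
}

// On form submit: the client returns the token (here in a header) and the
// API checks it against the one stored in the session.
function verifyCsrfToken(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    // constant-time comparison, so timing does not leak the token
    $valid = hash_equals($expected, $submitted);
    // one-time use: a replayed token must not verify again
    unset($_SESSION['csrf_token']);
    return $valid;
}

header('Content-Type: application/json');
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if ($method === 'GET' && $path === '/api/csrf-token') {
    echo json_encode(['token' => issueCsrfToken()]);
    exit;
}

if ($method === 'POST' && $path === '/api/form') {
    if (!verifyCsrfToken($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid CSRF token']);
        exit;
    }
    $data = json_decode(file_get_contents('php://input'), true) ?? [];
    echo json_encode(['status' => 'ok', 'fields' => array_keys($data)]);
    exit;
}

http_response_code(404);
```

The client fetches `/api/csrf-token` when the form is rendered and sends the value back in the `X-CSRF-Token` header on submit; because the token lives in the session cookie's server-side state and not in a cookie the browser would attach automatically, a cross-site request cannot supply it.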

Summary

  • ORM (or prepared requests)
  • URL rewriting
  • Fail2ban
  • CSRF

But if a hacker succeeds in connecting to the server...

Dockerize your app

The compromise is confined to the container itself

It can't spread to the host system or to other containers

Define ACL in your containers

Link fail2ban to containers

Are you developing real-time apps and pushing data to clients?

WebSocket?

You have to implement the security layer yourself

Doesn't use a TLS certificate by default

Duplex connection

Custom protocol

Use server-sent events

MERCURE

What else ?

(Not Nespresso)

Improve basic PHP security

with Symfony's security component

  • security-core
  • security-http
  • security-csrf
  • security-guard

R.U.D.Y. attack

or

DDoS attack?

Be secure from

Use a free and simple service

Do you allow users to upload files and display them?

Webshell exploit

Main points to counter this exploit

File integrity

Limit extensions

No encoded payload inside the file

No escaped characters
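The four counter-measures above applied to an image upload, as an added example that is not part of the deck: type decided from the bytes rather than the file name, integrity check, random server-side name, and re-encoding to drop any hidden payload. The upload field name, storage directory and allowed type list are assumptions; PHP 8 with the GD and fileinfo extensions is assumed.

```php
<?php
// Added example: validating and re-encoding an uploaded image before storage.
// Field name, storage directory and allowed types are assumptions.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/var/uploads'; // outside the web root: never executed by PHP
const MAX_BYTES  = 2 * 1024 * 1024;

// MIME type sniffed from the content -> the only extension we will ever write
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Limit extensions: trust the bytes, not the client's name or Content-Type.
    // A "shell.php.jpg" containing PHP is rejected because it is not an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("type $mime not allowed");
    }

    // File integrity: the file must really parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // No escaped characters: the original name is discarded entirely, so
    // traversal sequences or null bytes in it have nothing to act on.
    $ext  = ALLOWED_TYPES[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;

    // No encoded payload: decode and re-encode through GD, which writes a
    // fresh image and drops EXIF data or trailing bytes from the original.
    $image = imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($image === false) {
        throw new RuntimeException('cannot decode image');
    }
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($image, $dest, 90),
        'png' => imagepng($image, $dest),
        'gif' => imagegif($image, $dest),
    };
    imagedestroy($image);
    if (!$ok) {
        throw new RuntimeException('cannot write image');
    }
    return $name;
}

if (isset($_FILES['avatar'])) {
    echo storeUpload($_FILES['avatar']);
}
```

Serve the stored files through a script or a location that sets `Content-Type` from the same allow-list and never maps to the PHP handler; storing them outside the document root, as here, is what makes a smuggled webshell inert even if one of the checks were bypassed.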

What about Man-in-the-Middle (MITM)?

Then protect your local network

And your devices

Any tools to test your app/network?

SQLMap

Fuzz

Nmap

Hydra

Slowhttptest

MSFConsole

"Best exploits are humans"

Mr Robot

Want to know more about containerized services management?

Questions
