
Bad ideas & worst practices - Webcamp Zagreb


Luka Kladaric

October 03, 2014


Transcript

  1. BAD IDEAS & worst practices
     Luka Kladarić, luka@hitlistapp.com, @kll @allixsenos
     @allixsenos for Webcamp Zagreb 2014.
  2. [image]
  3. Bad ideas
  4. PHP
  5. Worst practices
  6. PHP Frameworks
  7. Any questions?
  8. Kidding.¹  ¹ for the most part.
  9. Who?
  10. Luka Kladarić
  11. recovering PHPholic
  12. 10+ years of professional webdev (asp, php, js, python)
  13. [image]
  14. 3 years at deviantART, a megascale web property
  15. CTO at Hitlist, a New York-based travel tech startup, www.hitlistapp.com
  16. a lot of experience breaking things
  17. Bad ideas & worst practices?
  18. Antipatterns.
  19. Lack of skill, experience and insight to recognize a bad solution.
  20. Lack of will to find a better one.
  21. Cowboy coder byproduct.²  ² c2wiki: Cowboy Coder
  22. 1) Trusting user input

  23. SQL injection (and other flavours of injection)

        SELECT * FROM accounts WHERE custID="{$_GET['id']}"

        http://mysite.com/show_customer.php?id=" OR 1=1; --

        SELECT * FROM accounts WHERE custID="" OR 1=1;

      used to bypass login and permissions, leak sensitive information, extract entire databases... possibilities endless
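The slide's query beside its parameterised form, as an added example that is not code from the talk. It assumes PDO over an in-memory SQLite table constructed here, and writes the literal with single quotes so the same payload works on SQLite as well as MySQL.

```php
<?php
// Added example, not from the talk. Compares string interpolation with a bound
// parameter on a constructed SQLite fixture (columns named as on the slide).

// Vulnerable: the raw query-string value becomes SQL text, so
// id=' OR 1=1; -- turns a one-row lookup into a dump of every row.
function findCustomerVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT * FROM accounts WHERE custID='{$id}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound, never parsed as SQL, so the same payload is
// just compared against custID as an ordinary string and matches nothing.
function findCustomerSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM accounts WHERE custID = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (custID TEXT, name TEXT)');
$pdo->exec("INSERT INTO accounts VALUES ('1','alice'), ('2','bob'), ('3','carol')");

$payload = "' OR 1=1; --";   // the slide's attack string, standing in for $_GET['id']

printf("vulnerable: %d rows\n", count(findCustomerVulnerable($pdo, $payload))); // 3 rows: every account
printf("safe:       %d rows\n", count(findCustomerSafe($pdo, $payload)));       // 0 rows: no such custID
```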
  24. shellshock

        $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
        vulnerable
        this is a test
        $

      and various other unintentional and malicious exploits from unchecked user input
  25. 2) Trusting the middleware (browsers/apps, protocols, proxies, ...)
  26. Cookies & sessions

        Set-Cookie: userid=32742427;

      • hmmmm, I wonder what happens if I change the id?
      • store as little as possible
      • encrypt/sign to protect against tampering
      • because people WILL tamper with them
  27. Cookies & sessions

        Cookie: userid=SOMEONE_ELSE;

      1. log into the game as someone else
      2. sell their rare valuables on the marketplace
      3. log in as me from a different browser & buy them
      4. MUAHAHA.
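One way to do the "sign to protect against tampering" step from slide 26, as an added example (not the talk's or any game's code). COOKIE_SECRET is a constructed placeholder for a key kept in server-side config.

```php
<?php
// Added example, not from the talk. The cookie carries "<userid>.<hmac>": the
// client can read the id but cannot produce a valid MAC for a different one.
const COOKIE_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder

function signCookie(string $userId, string $secret = COOKIE_SECRET): string
{
    return $userId . '.' . hash_hmac('sha256', $userId, $secret);
}

// Returns the user id when the signature verifies, null otherwise.
// hash_equals() compares in constant time, so a forger learns nothing from
// how many leading bytes of a guessed MAC happened to match.
function verifyCookie(string $cookie, string $secret = COOKIE_SECRET): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$userId, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId, $secret);
    return hash_equals($expected, $mac) ? $userId : null;
}

// Honest client: the value we issued comes back unchanged and verifies.
$issued = signCookie('32742427');             // the id from the slide
var_dump(verifyCookie($issued));              // string(8) "32742427"

// Slide 27's move: edit the id. The MAC no longer matches, so it is rejected.
$forged = preg_replace('/^\d+/', '99999999', $issued);
var_dump(verifyCookie($forged));              // NULL

// Damaged or hand-made values fail closed as well.
var_dump(verifyCookie('SOMEONE_ELSE'));       // NULL
```

Signing only stops forgery: a copied cookie still works, which is why the slide also says to store as little as possible and keep such values short-lived.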
  28. The apps don't work for you
  29.
        <input type="text" name="SPARE_POINTS" value="0" readonly>
        <input type="text" name="STRENGTH" value="10" readonly> <button>+</button>
        <input type="text" name="DEXTERITY" value="10" readonly> <button>+</button>
        <input type="text" name="CONSTITUTION" value="10" readonly> <button>+</button>
        <input type="text" name="INTELLIGENCE" value="10" readonly> <button>+</button>

      (circa 2004) the text fields are "read only", the buttons distribute SPARE_POINTS, what could possibly go wrong?
  30.
        <input type="text" name="SPARE_POINTS" value="0" readonly>
        <input type="text" name="STRENGTH" value="1000" blabla> <button>+</button>
        <input type="text" name="DEXTERITY" value="1000" blabla> <button>+</button>
        <input type="text" name="CONSTITUTION" value="1000" blabla> <button>+</button>
        <input type="text" name="INTELLIGENCE" value="1000" blabla> <button>+</button>
  31. that didn't actually work
  32. they EXPECTED IT
  33. but...
  34.
        <input type="text" name="SPARE_POINTS" value="0" readonly>
        <input type="text" name="STRENGTH" value="440"> <button>+</button>
        <input type="text" name="DEXTERITY" value="300"> <button>+</button>
        <input type="text" name="CONSTITUTION" value="300"> <button>+</button>
        <input type="text" name="INTELLIGENCE" value="-1000"> <button>+</button>

      now that worked.
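The slide-34 values add up to the same total as four stats of 10, which is consistent with a server that only checked the sum. An added example (not the game's or the talk's code) of the checks that close that hole, assuming each stat starts at 10 and every added point must come out of SPARE_POINTS:

```php
<?php
// Added example, not from the talk. "readonly" in the HTML means nothing on
// the server: $stored is what the server already knows, $submitted is the raw
// form post, and every field is re-validated against that stored state.
const STATS = ['STRENGTH', 'DEXTERITY', 'CONSTITUTION', 'INTELLIGENCE'];

function validateStats(array $stored, array $submitted): array
{
    $errors = [];
    $spent  = 0;
    foreach (STATS as $stat) {
        // Cast before ctype_digit(): an int argument is treated as a char code.
        $raw = isset($submitted[$stat]) ? (string) $submitted[$stat] : '';
        if (!ctype_digit($raw)) {
            $errors[] = "$stat must be a non-negative integer"; // rejects -1000 and 'blabla'
            continue;
        }
        $new = (int) $raw;
        if ($new < $stored[$stat]) {
            $errors[] = "$stat cannot decrease";               // points are never refunded
        }
        $spent += $new - $stored[$stat];
    }
    // The sum check alone is what the slide's negative value slipped past.
    if ($spent > $stored['SPARE_POINTS']) {
        $errors[] = "spent $spent points but only {$stored['SPARE_POINTS']} are spare";
    }
    return $errors;
}

// Constructed character state: 10 in each stat, 5 spare points.
$stored = ['SPARE_POINTS' => 5, 'STRENGTH' => 10, 'DEXTERITY' => 10,
           'CONSTITUTION' => 10, 'INTELLIGENCE' => 10];

// Legitimate click of "+" on STRENGTH: no errors.
print_r(validateStats($stored, ['STRENGTH' => 11, 'DEXTERITY' => 10,
                                'CONSTITUTION' => 10, 'INTELLIGENCE' => 10]));

// Slide 34's post: the total still matches, but INTELLIGENCE is negative and
// 1010 points were added against 5 spare, so two errors come back.
print_r(validateStats($stored, ['STRENGTH' => 440, 'DEXTERITY' => 300,
                                'CONSTITUTION' => 300, 'INTELLIGENCE' => -1000]));
```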
  35. I have successfully used in-transit or in-browser tampering to:
  36. 1. obtain an expenses-covered invitation to a sporting event on a different continent³  ³ didn't actually use it (or give my real info)
  37. 2. get to the top of the leaderboard in 5 minutes, in a game I've been playing for months and was #140 on the list
  38. 3. buy stuff from / have it shipped to Croatia when it wasn't on the supported countries list
  39. 4. pay less for goods or services
  40. 5. get better air travel prices
  41. never, ever, trust anything that may have originated outside your system
  42. 3) passwords

  43.
      | id | username | password |
      |----|----------|----------|
      | 1  | admin    | admin    |
      | 2  | joe      | admin    |
      | 3  | moe      | moe      |
      | 4  | freddie  | 123456   |
      | 5  | wilma    | moe      |
  44.
      | id | username | MD5(password)                    |
      |----|----------|----------------------------------|
      | 1  | admin    | 21232f297a57a5a743894a0e4a801fc3 |
      | 2  | joe      | 21232f297a57a5a743894a0e4a801fc3 |
      | 3  | moe      | 7f33334d4c2f6dd6ffc701944cec2f1c |
      | 4  | freddie  | e10adc3949ba59abbe56e057f20f883e |
      | 5  | wilma    | 7f33334d4c2f6dd6ffc701944cec2f1c |
  45.
      | id | username | MD5("salted"+password)           |
      |----|----------|----------------------------------|
      | 1  | admin    | 886023aadcd890a53976ea52a2c6866f |
      | 2  | joe      | 886023aadcd890a53976ea52a2c6866f |
      | 3  | moe      | 664c3b4abe62bcfa3573b8e5dd8b2608 |
      | 4  | freddie  | 7787501ba5fb91c673983437be99e177 |
      | 5  | wilma    | 664c3b4abe62bcfa3573b8e5dd8b2608 |
  46.
      | id | username | MD5("salted"+username+password)  |
      |----|----------|----------------------------------|
      | 1  | admin    | 328dd00fe4630672b17c5076d8f26f9b |
      | 2  | joe      | 2b9ec8e996d1325a8d82c0687eb5ec49 |
      | 3  | moe      | 9b20e3736d939cc51893a24175a4635d |
      | 4  | freddie  | 1a17c349bb81758b8f576800a7dfa89e |
      | 5  | wilma    | af72a08de64db30fae66fed8ae024836 |
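The progression in the four tables, run in code as an added example (not from the talk): plain MD5 and a site-wide salt still reveal which users share a password, while PHP's password_hash() draws a fresh random salt per user and uses a slow hash. Usernames and passwords are the constructed ones from the slides.

```php
<?php
// Added example, not from the talk. Shows why the slide-44 and slide-45 tables
// still leak duplicate passwords, and what a per-user random salt changes.
$users = ['admin' => 'admin', 'joe' => 'admin', 'moe' => 'moe', 'wilma' => 'moe'];

// Slide 44: same password, same digest. A precomputed table of common
// passwords finds every such row in one pass, and one crack covers all duplicates.
foreach ($users as $name => $pw) {
    printf("%-6s md5            = %s\n", $name, md5($pw));
}

// Slide 45: one site-wide salt shifts the digests but keeps duplicates equal,
// so the grouping is still visible and one table built for this salt cracks all.
foreach ($users as $name => $pw) {
    printf("%-6s md5(salted)    = %s\n", $name, md5('salted' . $pw));
}

// password_hash() generates a random salt per call and uses bcrypt by default
// (PASSWORD_DEFAULT), so identical passwords give unrelated digests and every
// guess costs the attacker the full work factor instead of one MD5.
$stored = [];
foreach ($users as $name => $pw) {
    $stored[$name] = password_hash($pw, PASSWORD_DEFAULT);
    printf("%-6s password_hash  = %s\n", $name, $stored[$name]);
}

// Verification reads the salt and cost back out of the stored string itself.
function checkLogin(array $stored, string $name, string $pw): bool
{
    return isset($stored[$name]) && password_verify($pw, $stored[$name]);
}

var_dump(checkLogin($stored, 'joe', 'admin'));  // bool(true)
var_dump(checkLogin($stored, 'joe', 'moe'));    // bool(false)
var_dump($stored['admin'] === $stored['joe']);  // bool(false): same password, different hashes
```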
  47. [image]
  48. 4) inventing your own wheel: a sure-fire recipe for ending up on this list is to reinvent something that already exists
  49. like rolling your own ID generation system for the database
  50. and then doing a TALK about it
  51. [image]
  52. [image]
  53. [image]
  54. [image]
  55. databases have been generating IDs since before you heard of databases. leave Britney alone.
  56. so...
  57. how to NOT end up on this list?
  58. surround yourself with people smarter than you
  59. show them what you're working on
  60. listen when they tear it apart
  61. do it again.
  62. Questions? (for real)
  63. Thank you! @allixsenos luka@hitlistapp.com