Why even bother? “93% of organizations have been hacked at least once in the past two years through insecure Web applications” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 4
Why even bother? “74% of respondents believe Web applications security is either more critical or equally critical to other security issues faced by their organizations” Download Examples: http://rapp.io/1y State of Web Application Security, Ponemon Institute 5
Why even bother? “12% strongly agree that they have ample resources to detect and remediate insecure Web apps” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 6
Why even bother? “64% do not agree that their organization is able to fix Web application vulnerabilities quickly” State of Web Application Security, Ponemon Institute Download Examples: http://rapp.io/1y 7
Why even bother? “88% of respondents say their Web application security budget is less than the organization’s coffee budget” State of Web Application Security, Ponemon Institute Download Examples: http://bit.ly/NcGSod 8
Cross-site scripting (XSS) • Occurs when – Data enters an application through an untrusted source, most frequently a web request – The data is included in dynamic content that is sent to a web user without being validated for malicious code https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 11
Cross-site scripting (XSS) • Types of XSS Attacks – Stored XSS Attacks (Persistent) • When injected code is stored and unknowingly retrieved by victims – Reflected XSS Attacks (Non-Persistent) • When injected code is reflected off the application via an un-escaped field https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 12
Cross-site scripting (XSS) • What can an attacker do with an XSS vulnerability? – Launch a phishing attack – Steal session and cookie data to log in as the victim – Perform unwanted actions as the victim https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 13
Cross-site scripting (XSS) • Imagine you have a search results page • You display the query a user inputs in the search field – “You searched for: dogs” Example: lonestar12/XSS/reflected.php
CROSS-SITE SCRIPTING (XSS) MySpace “Samy is my hero” Example http://namb.la/popular/ http://www.slideshare.net/simon/when-ajax-attacks-web-application-security-fundamentals-presentation 20
Cross-site scripting (XSS) October 4th, 2005 12:34 pm: You have 73 friends. I decided to release my little popularity program. I'm going to be famous...among my friends. 1:30 am: You have 73 friends and 1 friend request. One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning. 8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah. 9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit. 22
Preventing Cross-site scripting (XSS) • $_GET • $_POST • $_COOKIE • $_REQUEST • $_FILES • $_ENV • $_SERVER 25 https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) These all can be manipulated by the user Don’t trust anyone …Not even little girls
Preventing Cross-site scripting (XSS) • Always user validate input – filter_var • Escape or filter all outputs – htmlspecialchars() – htmlentities() – strip_tags() • Beware with tag allowances as attributes are not validated 26
Cross-site Request Forgery (CSRF) • Occurs when victims load a page that contains a malicious request • Malicious because the request inherits the identity and privileges of the victim forcing an undesired action on the victim’s behalf. – Posting a tweet – Purchasing a product http://en.wikipedia.org/wiki/Cross-site_request_forgery 27
Cross-site Request Forgery (CSRF) • An attacker creates a seemingly harmless looking webpage • A visitor lands on the page while logged in to their bank's website, which has a CSRF vulnerability • The malicious page creates a request on behalf of the visitor to transfer funds without permission src="http://bank.com/transferFunds?amount=5000&to=Geoff's Bank Account" width="0" height="0" /> Example: lonestar12/CSRF/img.html 29
Preventing CSRF (crossdomain.xml) • Do not use the following as your crossdomain.xml • Putting this at example.com/crossdomain.xml allows Flash applets on other sites make requests to your site on behalf of the user 37
Command Injection • Occurs when an attacker is able to inject system commands • Command injection attacks are possible in most cases because of lack of correct input data validation 42
Slowloris Denial of Service (DoS) • Slowloris Attack – Tries to keep many connections to the target web server open and hold them open as long as possible. – It accomplishes this by opening connections to the target web server and sending a partial request. – Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. – Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients 55 Example: lonestar12/Denial of Service/slowloris.php
Denial of Service (DoS) • Slowloris affects the following webservers – Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer 56 Example: lonestar12/Denial of Service/slowloris.php # php slowloris.php get 100000 jakefolio.com
Preventing Denial of Service (DoS) Attacks • Apache – mod_security, mod_evasive, mod_qos, mod_antiloris • Look into proper firewalls and intrusion detection systems 57 Example: lonestar12/Denial of Service/slowloris.php
Unnecessary Information Disclosure – Reduce your attack surface • PHP displaying errors/exceptions • Exposing php information • Exposing Apache information • Exposing Server information 59
Unnecessary Information Disclosure Reduce your attackable surfaces 60 Hide displaying of errors and exceptions ; php.ini display_errors = Off OR ini_set(‘display_errors’, false);
Unnecessary Information Disclosure Reduce your attackable surfaces 63 Don’t expose your database, search server, memcache, mail server, etc... Configure your firewall
geoff
techouse
texmeijin
philipschwarz
fwbrasil
prof18
trapezoid
yonetty
deepu105
cer
piyoppi
okuramasafumi
kamilahsantos
bryan
marcelosomers
jcasabona
sferik
chrislema
62gerente
mthomps
andyhume
bluesmoon
bkeepers
notwaldorf
cassininazir