Why even bother?
• “93% of organizations have been hacked at least once in the past two years through insecure Web applications”
• “74% of respondents believe Web applications security is either more critical or equally critical to other security issues faced by their organizations”
• “12% strongly agree that they have ample resources to detect and remediate insecure Web apps”
• “64% do not agree that their organization is able to fix Web application vulnerabilities quickly”
• “88% of respondents say their Web application security budget is less than the organization’s coffee budget”
Source: State of Web Application Security, Ponemon Institute
Download Examples: http://rapp.io/1y (also http://bit.ly/NcGSod)
Cross-site scripting (XSS)
• Occurs when
  – Data enters an application through an untrusted source, most frequently a web request
  – That data is included in dynamic content sent to a web user without being validated or escaped
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Cross-site scripting (XSS)
• Types of XSS attacks
  – Stored XSS (persistent): the injected code is saved by the application and later served to victims who retrieve it unknowingly
  – Reflected XSS (non-persistent): the injected code is reflected straight back by the application through an un-escaped field

Cross-site scripting (XSS)
• What can an attacker do with an XSS vulnerability?
  – Launch a phishing attack
  – Steal session and cookie data to log in as the victim
  – Perform unwanted actions as the victim

Cross-site scripting (XSS)
• Imagine you have a search results page
• You display the query the user typed into the search field
  – “You searched for: dogs”
Example: lonestar12/XSS/reflected.php
Cross-site scripting (XSS)
MySpace “Samy is my hero” example
http://namb.la/popular/
http://www.slideshare.net/simon/when-ajax-attacks-web-application-security-fundamentals-presentation

Cross-site scripting (XSS)
October 4th, 2005
• 12:34 pm: You have 73 friends. I decided to release my little popularity program. I'm going to be famous... among my friends.
• 1:30 am: You have 73 friends and 1 friend request. One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning.
• 8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
• 9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit.
Preventing Cross-site scripting (XSS)
• All of these can be manipulated by the user:
  – $_GET
  – $_POST
  – $_COOKIE
  – $_REQUEST
  – $_FILES
  – $_ENV
  – $_SERVER
• Don’t trust anyone… not even little girls
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Preventing Cross-site scripting (XSS)
• Always validate user input
  – filter_var()
• Escape or filter all output
  – htmlspecialchars()
  – htmlentities()
  – strip_tags()
  • Beware of allowed-tag lists: strip_tags() keeps the allowed tags with all their attributes, and those attributes are not validated
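The reflected search page from the “You searched for: dogs” slide, shown in its vulnerable form next to a hardened one, together with the filter_var() validation and the strip_tags() caveat from the prevention slide. This is an added example, not the deck's lonestar12/XSS/reflected.php; the function names are this example's own.

```php
<?php
// Added example (not from the original slides). Function names are this
// example's own choice; the inputs at the bottom are constructed, not real
// requests.

// Vulnerable: the raw query parameter is concatenated into HTML, so any
// markup the user supplies is parsed by the browser (reflected XSS).
function renderSearchVulnerable(array $get): string
{
    $q = (string) ($get['q'] ?? '');
    return '<p>You searched for: ' . $q . '</p>';
}

// Output escaping for HTML text and quoted-attribute contexts.
// ENT_QUOTES escapes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and the charset must match the
// encoding the page is actually served with.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: same page, but the value is escaped at the point of output.
function renderSearchSafe(array $get): string
{
    $q = (string) ($get['q'] ?? '');
    return '<p>You searched for: ' . e($q) . '</p>';
}

// Input validation with filter_var(), as the slide suggests: an allow-list
// of letters, digits and spaces, 1 to 100 characters. filter_var() returns
// false when the regexp does not match. Validation narrows what reaches the
// application; output escaping is still required for anything echoed back.
function isValidQuery(string $q): bool
{
    return filter_var($q, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[\p{L}\p{N} ]{1,100}$/u']]) !== false;
}

// Constructed sample inputs.
$plain  = ['q' => 'dogs'];
$markup = ['q' => '<script>alert(1)</script>'];

echo renderSearchVulnerable($markup), PHP_EOL; // script tag reaches the browser
echo renderSearchSafe($markup), PHP_EOL;       // &lt;script&gt;alert(1)&lt;/script&gt;
var_dump(isValidQuery($plain['q']));           // bool(true)
var_dump(isValidQuery($markup['q']));          // bool(false)

// The strip_tags() caveat from the slide: tags on the allow-list survive
// with every attribute intact, so an event handler passes straight through.
$kept = strip_tags('<a href="#" onmouseover="alert(1)">dogs</a>', '<a>');
echo $kept, PHP_EOL; // the onmouseover attribute is still there
```

Escaping is done where the value meets HTML, not where it is read, because the same value may later be emitted into a different context (attribute, JavaScript, URL) that needs a different encoder.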
Cross-site Request Forgery (CSRF)
• Occurs when a victim loads a page that contains a malicious request
• Malicious because the request inherits the identity and privileges of the victim, forcing an undesired action on the victim’s behalf
  – Posting a tweet
  – Purchasing a product
http://en.wikipedia.org/wiki/Cross-site_request_forgery

Cross-site Request Forgery (CSRF)
• An attacker creates a seemingly harmless-looking webpage
• A visitor lands on the page while logged in to their bank's website, which has a CSRF vulnerability
• The malicious page creates a request on behalf of the visitor to transfer funds without permission
  <img src="http://bank.com/transferFunds?amount=5000&to=Geoff's Bank Account" width="0" height="0" />
Example: lonestar12/CSRF/img.html
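A synchronizer-token defence for a state-changing action like the transfer above. This is an added example rather than code from the deck; the form field name csrf_token, the session key and the function names are this example's own choices.

```php
<?php
// Added example (not from the original slides). The session array is passed
// in by reference so the functions can be exercised offline with a plain
// array standing in for $_SESSION.

// Returns the per-session token, creating it on first use.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded: unguessable by another site.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// True only for a POST that carries the token stored in the session.
function csrfCheck(array &$session, string $method, array $post): bool
{
    // A GET such as transferFunds?amount=5000 can be fired by an <img> tag,
    // so state changes must require POST. The attacker's page cannot read
    // the victim's token, so it cannot forge a POST that passes this check.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $sent = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent)) {
        return false;
    }
    return hash_equals($expected, $sent); // constant-time comparison
}

// Usage in the transfer handler (after session_start()):
//   if (!csrfCheck($_SESSION, $_SERVER['REQUEST_METHOD'], $_POST)) {
//       http_response_code(403);
//       exit('Invalid request');
//   }
// Second layer, PHP 7.3+: a SameSite session cookie is not attached to
// cross-site requests in the first place.
//   session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);

// Offline demonstration with a constructed session.
$session = [];
echo csrfField($session), PHP_EOL;
$legit      = csrfCheck($session, 'POST', ['csrf_token' => $session['csrf_token']]);
$forgedGet  = csrfCheck($session, 'GET', []);
$forgedPost = csrfCheck($session, 'POST', ['csrf_token' => str_repeat('0', 64)]);
var_dump($legit, $forgedGet, $forgedPost); // bool(true) bool(false) bool(false)
```

The token is tied to the session, not the form, so one value serves every form in the session; rotating it after login prevents a token fixed before authentication from being reused.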
Preventing CSRF (crossdomain.xml)
• Do not use the following as your crossdomain.xml
• Putting this at example.com/crossdomain.xml allows Flash applets on other sites to make requests to your site on behalf of the user
Command Injection
• Occurs when an attacker is able to inject system commands
• Command injection is possible in most cases because input data is not correctly validated before it reaches a shell
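A “ping this host” feature in its injectable form beside a hardened form that validates with filter_var() and quotes with escapeshellarg(). This is an added example, not code from the deck; the function names are this example's own, and the sample inputs are constructed.

```php
<?php
// Added example (not from the original slides). Assumes a Linux/macOS ping
// that takes -c for the packet count.

// Vulnerable: the user's value is spliced straight into a shell command line,
// so shell metacharacters in $host become extra commands (the injection the
// slide describes).
function pingVulnerable(string $host)
{
    return shell_exec('ping -c 1 ' . $host);
}

// Validation: accept only an IP address or a plain hostname (allow-list).
// FILTER_FLAG_HOSTNAME requires each label to start with a letter or digit,
// so a value beginning with '-' cannot be read by ping as an option either.
// The regexp is a belt-and-braces character check on top of the filter.
function isSafeHost(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    return filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false
        && preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host) === 1;
}

// Hardened: reject anything outside the allow-list, then still pass the value
// as a single quoted argument so the shell never interprets it.
function pingSafe(string $host)
{
    if (!isSafeHost($host)) {
        return null; // reject; do not try to "clean up" a bad value
    }
    return shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Constructed inputs; only validation is exercised here, no command is run.
$inputs = ['127.0.0.1', 'example.com', '127.0.0.1; id', '$(whoami)', '-c 9999 example.com'];
foreach ($inputs as $in) {
    printf("%-22s => %s\n", $in, isSafeHost($in) ? 'accepted' : 'rejected');
}
// 127.0.0.1 and example.com are accepted; the other three are rejected.
```

Validation and escaping are separate layers: escapeshellarg() alone stops the shell from interpreting the value, but the allow-list also stops the value from being interpreted by ping itself as an option.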
Slowloris Denial of Service (DoS)
• Slowloris attack
  – Tries to open many connections to the target web server and hold them open as long as possible
  – It does this by opening connections to the target web server and sending only a partial request
  – Periodically it sends further HTTP headers, adding to the request but never completing it
  – Affected servers keep these connections open, filling their maximum concurrent connection pool and eventually refusing additional connection attempts from legitimate clients
Example: lonestar12/Denial of Service/slowloris.php

Denial of Service (DoS)
• Slowloris affects the following web servers
  – Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer
Example: lonestar12/Denial of Service/slowloris.php
# php slowloris.php get 100000 jakefolio.com

Preventing Denial of Service (DoS) attacks
• Apache
  – mod_security, mod_evasive, mod_qos, mod_antiloris
• Look into proper firewalls and intrusion detection systems
Unnecessary Information Disclosure
• Reduce your attack surface
  – PHP displaying errors and exceptions
  – Exposing PHP information
  – Exposing Apache information
  – Exposing server information

Unnecessary Information Disclosure
• Reduce your attackable surface: do not display errors and exceptions
  ; php.ini
  display_errors = Off
  OR
  ini_set('display_errors', false);

Unnecessary Information Disclosure
• Reduce your attackable surface: don’t expose your database, search server, memcache, mail server, etc.
• Configure your firewall
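A production error setup that follows the display_errors slide: details go to a log, the visitor sees only a reference id, and the version headers named on the attack-surface slide are suppressed. This is an added example, not code from the deck; the log path and the function name are this example's own, and the exception thrown at the end is constructed.

```php
<?php
// Added example (not from the original slides). The log path is an assumed
// placeholder; point it at a file the web server user can write.

// Never render errors or exceptions to the browser; log them instead.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path
error_reporting(E_ALL);

// Stop advertising the PHP version. expose_php can only be turned off in
// php.ini (expose_php = Off); the X-Powered-By header it adds can also be
// dropped here. For Apache, ServerTokens Prod and ServerSignature Off in the
// httpd configuration trim the server banner and error-page footer.
header_remove('X-Powered-By');

// Separates what the log receives (class, message, file, line) from what the
// user receives (a random reference id to quote to support), so a change to
// one never leaks into the other.
function describeFailure(Throwable $e): array
{
    $ref = bin2hex(random_bytes(8));
    $logLine = sprintf('[ref %s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine());
    $userMessage = 'Something went wrong. Reference: ' . $ref;
    return [$logLine, $userMessage];
}

set_exception_handler(function (Throwable $e): void {
    [$logLine, $userMessage] = describeFailure($e);
    error_log($logLine);       // full detail, server side only
    http_response_code(500);
    echo $userMessage;         // nothing about paths, queries or versions
});

// Constructed failure: without the handler and with display_errors on, the
// message, file path and stack trace would be sent to the visitor.
throw new RuntimeException('Connection refused (host db.internal:3306)');
```

The reference id lets support correlate a user report with the log entry without the response itself carrying any of the detail that the attack-surface slide warns against exposing.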