
Web Application Security

John Downey
September 26, 2011


Transcript

  1. - Authenticating over non-SSL
       - Obviously bad
     - Sending session IDs over non-SSL
       - Session hijacking
       - Firesheep
     - Not sending everything over SSL
       - JavaScript injection
  2. - Classic
       - No login for http://example.com/admin
     - More subtle
       - Forgetting [Authorize] on an admin controller
  3. - Obviously bad
       - Storing passwords in plaintext
     - Still bad
       - Using unsalted hashes
       - Using raw hash functions (MD5, SHA1, etc.)
     - Better but not great
       - Using a keyed hash function (HMAC-SHA1)
     - Best
       - Using a slow function (PBKDF2, bcrypt, scrypt)
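The "best" option from this slide, worked through as an added example (not code from the deck): a per-user random salt plus PBKDF2-HMAC-SHA256 from the standard library, with a constant-time comparison on verification. The salt length and iteration count are assumptions chosen for the example, and the unsalted MD5 helper is included only to show why the "still bad" row is bad: identical passwords produce identical hashes.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Example parameters (assumptions, not values from the deck):
# 16-byte random salt, PBKDF2-HMAC-SHA256, 200,000 iterations.
SALT_BYTES = 16
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) for the given password.

    A fresh random salt is generated unless one is supplied, so two users
    with the same password end up with different stored hashes and a
    precomputed (rainbow) table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected_key: bytes) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


def unsalted_md5(password: str) -> str:
    """The 'still bad' approach from the slide, kept only for contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, key))  # True
    print(verify_password("wrong password", salt, key))                 # False
    # Same password, different salts, different stored hashes:
    print(hash_password("hunter2")[1] != hash_password("hunter2")[1])  # True
    # Unsalted raw hash: same password, same hash every time:
    print(unsalted_md5("hunter2") == unsalted_md5("hunter2"))          # True
```

Store both the salt and the derived key (and, in a real system, the iteration count) so the parameters can be raised later without breaking existing accounts.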
  4. - Is all your software up to date?
       - Operating system
       - Web/App/DB server software
       - Antivirus?
       - Libraries you use
     - Framework security settings
       - Errors not displayed to public?
       - Cookies signed? Maybe encrypted?
  5. - Confused deputy problem
     - Classic example
       - Filelocker doesn't have any CSRF protection
       - Joe is a Filelocker admin
       - I get Joe to visit a specially crafted form
       - Joe's browser submits the form along with his cookies
       - I now have admin
  6.   <form method="POST" action="[path to filelocker]/admin_interface/grant_user_permission?format=json">
         <input type="hidden" name="userId" value="tester" />
         <input type="hidden" name="permissionId" value="admin" />
       </form>
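What the missing protection looks like on the server side, as an added example that is not Filelocker's code: a hypothetical in-memory session store issues a random CSRF token per session, the server embeds that token in its own forms, and the permission-granting handler refuses any POST that does not carry it. The browser attaches Joe's cookie to the forged form automatically, but the attacker's page cannot read the token, so the forged submission is rejected while the genuine one succeeds. The session store, handler name and return strings are assumptions for the example.

```python
import hmac
import secrets

# Hypothetical in-memory session store for the example: session id -> session data.
SESSIONS = {}


def new_session(username: str, is_admin: bool) -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": username,
        "admin": is_admin,
        "csrf_token": secrets.token_urlsafe(32),
    }
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server renders into its own forms as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def grant_user_permission(cookies: dict, form: dict) -> str:
    """Handle a POST like the Filelocker endpoint on the slide.

    The session cookie only proves the browser belongs to Joe, not that Joe
    built the form. The CSRF token proves the form came from this site,
    because a page on another origin cannot read it to include it.
    """
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None or not session["admin"]:
        return "403 not an admin"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so a non-ASCII value cannot raise.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session["csrf_token"].encode("utf-8")):
        return "403 missing or invalid CSRF token"
    return "granted {} to {}".format(form["permissionId"], form["userId"])


if __name__ == "__main__":
    sid = new_session("joe", is_admin=True)
    # Joe visits the attacker's page: the form has no token, the browser adds the cookie.
    forged = {"userId": "tester", "permissionId": "admin"}
    print(grant_user_permission({"session": sid}, forged))
    # Joe submits the site's own form, which carries the token.
    genuine = dict(forged, csrf_token=csrf_token_for(sid))
    print(grant_user_permission({"session": sid}, genuine))
```

Frameworks usually do this for you (ASP.NET MVC's anti-forgery token, Rails' authenticity token); the point of the example is what that machinery is checking.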
  7. - Classic example
       - /Events/Details/5 is my event
       - /Events/Details/6 is someone else's
       - No check in code to see if I can view #6
     - GUIDs don't solve it, they just make guessing hard
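The /Events/Details/{id} case in code, as an added example not taken from the deck: the unchecked lookup returns whatever id is asked for, the fixed version compares the record's owner with the current user on every access, and a GUID-keyed variant shows that swapping ids for GUIDs only hides the record until the GUID is known. The event table and user names are constructed sample data.

```python
import uuid
from typing import Optional

# Constructed sample data: event id -> owner and title, mirroring the slide.
EVENTS = {
    5: {"owner": "me", "title": "My event"},
    6: {"owner": "someone_else", "title": "Their event"},
}


def event_details_unchecked(event_id: int) -> Optional[str]:
    """The vulnerable pattern: look up by id, never ask who is asking."""
    event = EVENTS.get(event_id)
    return event["title"] if event else None


def event_details(current_user: str, event_id: int) -> Optional[str]:
    """Check ownership on every object access, not only on the listing page."""
    event = EVENTS.get(event_id)
    if event is None or event["owner"] != current_user:
        return None  # report 'not yours' and 'does not exist' identically
    return event["title"]


def rekey_with_guids() -> dict:
    """Replace integer ids with random GUIDs (constructed for the example)."""
    return {str(uuid.uuid4()): event for event in EVENTS.values()}


def event_details_guid_unchecked(guid_events: dict, guid: str) -> Optional[str]:
    """Same missing check, GUID keys: guessing is hard, but a leaked or
    forwarded GUID still reaches someone else's record."""
    event = guid_events.get(guid)
    return event["title"] if event else None


if __name__ == "__main__":
    print(event_details_unchecked(6))     # 'Their event' -> leaked
    print(event_details("me", 5))         # 'My event'
    print(event_details("me", 6))         # None -> denied
    guid_events = rekey_with_guids()
    theirs = next(g for g, e in guid_events.items() if e["owner"] != "me")
    print(event_details_guid_unchecked(guid_events, theirs))  # still 'Their event'
```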
  8. - Similar to
       - Insufficient Transport Layer Protection
       - Insecure Cryptographic Storage
     - Are session IDs in the URL?
       - Users send URLs to people without knowing
       - http://example.com/myservlet;jsessionid=1E6FEC0D14D044541DD84D2D013D29ED
  9. - Can I inject JavaScript into your site?
       - Steal cookies, like session IDs
       - Redirect user
       - Abuse their permissions
       - Users have out-of-date software
         - Adobe Reader? Load a PDF virus
         - Java? Load an applet virus
         - Media codecs? Load an MP3 virus
  10. - Shell injection
        - system("$clamscan_exec $file")
      - File injection
        - http://example.com/index.php?page=blah
      - SQL injection
        - SELECT * FROM accounts WHERE custID='#{id}'
        - id = "' or '1'='1"
      - JSON injection
        - Recent popularity of NoSQL DBs
      - LDAP injection
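The SQL and shell rows of this slide run against a constructed in-memory table, as an added example that is not from the deck. The interpolated query returns every account when given the slide's `' or '1'='1` value, the parameterized query returns nothing because the value is bound as data. For the shell row, the safe replacement for `system("$clamscan_exec $file")` is an argv list with no shell in between; since clamscan is not assumed to be installed, the example runs the Python interpreter in its place and shows the filename arriving intact as a single argument.

```python
import sqlite3
import subprocess
import sys


def make_db() -> sqlite3.Connection:
    """Constructed sample table matching the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn


def accounts_vulnerable(conn: sqlite3.Connection, cust_id: str) -> list:
    """String interpolation: the id becomes part of the SQL text."""
    sql = "SELECT * FROM accounts WHERE custID='{}'".format(cust_id)
    return conn.execute(sql).fetchall()


def accounts_parameterized(conn: sqlite3.Connection, cust_id: str) -> list:
    """Bound parameter: the id is only ever data, never SQL."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


def scan_file_argv(filename: str) -> str:
    """Shell-injection-safe shape for system("$clamscan_exec $file").

    The command is an argv list, so no shell parses the filename; it is
    delivered to the child as one argument whatever characters it contains.
    The interpreter stands in for clamscan so the example runs anywhere.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"                      # the id value from the slide
    print(accounts_vulnerable(conn, "alice"))    # one row
    print(accounts_vulnerable(conn, payload))    # all three rows
    print(accounts_parameterized(conn, payload)) # []
    print(scan_file_argv("report.pdf; echo injected"))  # printed back as one argument
```

The same rule covers the JSON and LDAP rows: whatever the query language, build the query from a structure the driver escapes, never by concatenating strings.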