Web Security 101 - Ruby Fun Day 2014

Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

Francesco (frodsan) [email protected]

Slide 3

Slide 3 text

Web Security 101

Slide 4

Slide 4 text

Passwords

Slide 5

Slide 5 text

How not to!

Slide 6

Slide 6 text

#1 Just store it!

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

#2 Encryption

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Encryption is reversible

Slide 21

Slide 21 text

DES 3DES AES

Slide 22

Slide 22 text

#3 Hashing

Slide 23

Slide 23 text

Hashing is irreversible

Slide 24

Slide 24 text

hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

Slide 25

Slide 25 text

hash(?) “e10adc3949ba59abbe56e057f20f883e”

Slide 26

Slide 26 text

Hashing is deterministic

Slide 27

Slide 27 text

hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

Slide 28

Slide 28 text

hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mupassword”) “b11d7ccaee763e5840f9d906e0bf2edf”

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

Hashing is deterministic

Slide 33

Slide 33 text

hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

Slide 34

Slide 34 text

thelonelyones.heroku.com/passwords.csv  thelonelyones.heroku.com/login Exercise

Slide 35

Slide 35 text

Lookup tables

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

Adobe Security Breach (2013) 38 million active users  passwords, credit card information

Slide 38

Slide 38 text

http://xkcd.com/1286/

Slide 39

Slide 39 text

MD5  SHA1 SHA2

Slide 40

Slide 40 text

✓ Hashing + Salting

Slide 41

Slide 41 text

hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

Slide 42

Slide 42 text

hash(“mypassword”, salt)

Slide 43

Slide 43 text

hash(“mypassword”, e8ed4834c7dd0…) “21b9558e8920bddb04949c068181c…”

Slide 44

Slide 44 text

hash(“mypassword”, e8ed4834c7dd0…) “21b9558e8920bddb04949c068181c…    hash(“mypassword”, 1bc1fa3bc1d5d85…)  e92a46f76d413ce73ab5796756bc92…

Slide 45

Slide 45 text

1976 - crypt(3)

Slide 46

Slide 46 text

GPU  FPGA

Slide 47

Slide 47 text

PBKDF2  Bcrypt Scrypt

Slide 48

Slide 48 text

PBKDF2 (armor, pbkdf2)  Bcrypt (bcrypt) Scrypt (scrypt)

Slide 49

Slide 49 text

How to do it

Slide 50

Slide 50 text

ʕ•ᴥ•ʔ ! • Don’t do it (leave it to GitHub, Google, etc.) • If you must do it, use pbkdf2 or bcrypt or scrypt. • Keep password length between 8 and 50. • Nothing can save you easy to guess passwords.

Slide 51

Slide 51 text

Cross Site Scripting - XSS

Slide 52

Slide 52 text

1993

Slide 53

Slide 53 text

Slide 54

Slide 54 text

Slide 55

Slide 55 text

Web Security 101

Slide 56

Slide 56 text

No content

Slide 57

Slide 57 text

Slide 58

Slide 58 text

Escaping

Slide 59

Slide 59 text

Angle brackets: > <

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

1995

Slide 62

Slide 62 text

JavaScript

Slide 63

Slide 63 text

Slide 64

Slide 64 text

Slide 65

Slide 65 text

var message = "Web Security 101"; ! alert(message);

Slide 66

Slide 66 text

No content

Slide 67

Slide 67 text

var message = "<b>Web Security 101</b>"; ! document.write(message);

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

JavaScript == DANGER

Slide 70

Slide 70 text

No content

Slide 71

Slide 71 text

“Samy is my hero” (2005) • XSS attack propagated by Myspace profiles. ! • Over one million affected users within the first 20 hours. ! • 3 years without computer.

Slide 72

Slide 72 text

How to do it

Slide 73

Slide 73 text

Escaping

Slide 74

Slide 74 text

UNSAFE = /[&"'><\/]/ ! HTML_ESCAPE = { "&" => "&", ">" => ">", "<" => "<", '"' => """, "'" => "'", "/" => "/" } ! string.gsub(UNSAFE, HTML_ESCAPE)

Slide 75

Slide 75 text

UNSAFE = /[&"'><\/]/ ! HTML_ESCAPE = { "&" => "&", ">" => ">", "<" => "<", '"' => """, "'" => "'", "/" => "/" } ! string.gsub(UNSAFE, HTML_ESCAPE)

Slide 76

Slide 76 text

github.com/frodsan/hache

Slide 77

Slide 77 text

References

Slide 78

Slide 78 text

• OWASP Top 10:  https://www.owasp.org    • Adobe 10GB database passwords leak:  http://bit.ly/188ctZL  • MySpace XSS vulnerability:  http://bit.ly/1urMIbG  • Tweetdeck XSS vulnerability:  http://bit.ly/1urMGAy 

Slide 79

Slide 79 text

thanks ʕ•ᴥ•ʔ