Slide 1

Slide 1 text

SECURING YOUR SITE LIKE it’s 1999

Slide 2

Slide 2 text

SECURING YOUR SITE LIKE it’s 1999

Slide 3

Slide 3 text

@katie_fenn tell me what you think!

Slide 4

Slide 4 text

@katie_fenn cw: large animated image content warnings

Slide 5

Slide 5 text

Hi, I’m Katie

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

@katie_fenn

Slide 8

Slide 8 text

@katie_fenn

Slide 9

Slide 9 text

@katie_fenn post signatures: jamaal10

Slide 10

Slide 10 text

@katie_fenn post signatures: jamaal10

Slide 11

Slide 11 text

@katie_fenn

Slide 12

Slide 12 text

@katie_fenn HTML Bombs

Slide 13

Slide 13 text

@katie_fenn TRUSTING ANY OLD CRAP THE USER SENDS YOU

Slide 14

Slide 14 text

@katie_fenn ALSO KNOWN As...

Slide 15

Slide 15 text

BAD INPUT VALIDATION

Slide 16

Slide 16 text

@katie_fenn

Slide 17

Slide 17 text

@katie_fenn Username Tom Nook Password **************************** Edit user Email address [email protected]

Slide 18

Slide 18 text

@katie_fenn Username Tom Nook Edit user Email address [email protected] User ID 349 Password ****************************

Slide 19

Slide 19 text

@katie_fenn Username Tom Nook Edit user Email address [email protected] User ID 349 Password ****************************

Slide 20

Slide 20 text

@katie_fenn Username Tom Nook Edit user Email address [email protected] User ID 1 Password hunter2

Slide 21

Slide 21 text

@katie_fenn

Slide 22

Slide 22 text

@katie_fenn

Slide 23

Slide 23 text

Never ever trust user input

Slide 24

Slide 24 text

Never ever trust user input

Slide 25

Slide 25 text

@katie_fenn ALWAYS Ask yourSelf how the user can use a feature for fun and profit

Slide 26

Slide 26 text

@katie_fenn INPUT validation • use a library like joi to validate data

Slide 27

Slide 27 text

@katie_fenn INPUT validation • use a library like joi to validate data • check a user’s actions against their identity

Slide 28

Slide 28 text

@katie_fenn INPUT validation • use a library like joi to validate data • check a user’s actions against their identity • never rely on client-side validation cw: large animated image
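
The "Edit user" form from slides 17 to 20, handled on the server the way the three bullets say. This is an added example, not code from the talk: the USERS table, the field rules, the example.test addresses and the helper names are all constructed. The point it shows is that the record being edited is chosen from the session, never from a "User ID" field the browser sent, and that any field outside the whitelist (the smuggled user_id) is an error rather than something to map onto the row.

```python
"""Server side of the 'Edit user' form.

Added example (not from the talk). USERS, the field rules and the
example.test addresses are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re

ALLOWED_FIELDS = {"email", "password"}          # everything else is rejected
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def hash_password(password: str, salt: bytes | None = None) -> bytes:
    """salt || PBKDF2-HMAC-SHA256(password). The password itself is never stored."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the users table. User 1 is the admin the attacker
# in the slides tried to take over by editing the hidden "User ID" field.
USERS = {
    1: {"username": "Admin", "role": "admin", "email": "admin@example.test",
        "password_hash": hash_password("correct horse battery staple")},
    349: {"username": "Tom Nook", "role": "user", "email": "tom@example.test",
          "password_hash": hash_password("bells and turnips")},
}


class ValidationError(ValueError):
    pass


def validate_edit_form(form: dict) -> dict:
    """Whitelist and type-check the submitted fields on the server.

    Unknown fields (a smuggled user_id, an is_admin flag) are an error,
    not something to silently copy onto the record."""
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    clean: dict = {}
    if "email" in form:
        email = form["email"]
        if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
            raise ValidationError("invalid email address")
        clean["email"] = email
    if "password" in form:
        password = form["password"]
        if not isinstance(password, str) or not 12 <= len(password) <= 128:
            raise ValidationError("password must be 12 to 128 characters")
        clean["password"] = password
    return clean


def edit_user(session_user_id: int, target_user_id: int, form: dict) -> dict:
    """Apply an edit. Identity comes from the session; the form only carries data.

    A user may edit their own record; only an admin may edit someone else's."""
    actor = USERS[session_user_id]
    if target_user_id != session_user_id and actor["role"] != "admin":
        raise PermissionError("cannot edit another user's account")
    clean = validate_edit_form(form)
    target = USERS[target_user_id]
    if "email" in clean:
        target["email"] = clean["email"]
    if "password" in clean:
        target["password_hash"] = hash_password(clean["password"])
    return {"id": target_user_id, "username": target["username"], "email": target["email"]}


def check_password(user_id: int, password: str) -> bool:
    stored = USERS[user_id]["password_hash"]
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


def attempt(session_user_id: int, target_user_id: int, form: dict) -> str:
    """Run edit_user and report the outcome by name (useful for logging and tests)."""
    try:
        edit_user(session_user_id, target_user_id, form)
        return "ok"
    except (ValidationError, PermissionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Tom (349) edits himself: fine. Tom tries the hunter2 trick on user 1: rejected twice over.
    print(attempt(349, 349, {"email": "tom.nook@example.test"}))
    print(attempt(349, 349, {"user_id": 1, "password": "hunter2"}))
    print(attempt(349, 1, {"password": "hunter2hunter2"}))
```

Whatever the browser-side form does is irrelevant to this code: the same checks run for a request hand-built with curl. A schema library such as joi does the validate_edit_form part for you; the authorisation check in edit_user is the part no validation library can do, because it needs the session.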

Slide 29

Slide 29 text

@katie_fenn InTERMISSION

Slide 30

Slide 30 text

@katie_fenn InTERMISSION

Slide 31

Slide 31 text

@katie_fenn Username SephirothIsMyBishie Password Login Correct Horse Battery Staple

Slide 32

Slide 32 text

@katie_fenn Username SephirothIsMyBishie Password Login Correct Horse Battery Staple cw: large animated image

Slide 33

Slide 33 text

@katie_fenn Username SephirothIsMyBishie Password ' OR '1'='1 Login You are now logged in! Welcome Admin! cw: large animated image

Slide 34

Slide 34 text

@katie_fenn Allowing the user to run their own Database queries ALSO known as...

Slide 35

Slide 35 text

@katie_fenn Allowing the user to run their own Database queries ALSO known as...

Slide 36

Slide 36 text

SQL INJECTION

Slide 37

Slide 37 text

@katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = '' AND PASSWORD = ''

Slide 38

Slide 38 text

@katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = AND PASSWORD =

Slide 39

Slide 39 text

@katie_fenn Username Alice Password hunter2 Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = 'Alice' AND PASSWORD = 'hunter2' → 1 You are now logged in! Welcome Alice!

Slide 40

Slide 40 text

@katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = AND PASSWORD =

Slide 41

Slide 41 text

@katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = '' AND PASSWORD = ''

Slide 42

Slide 42 text

@katie_fenn Username Password Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = AND PASSWORD =

Slide 43

Slide 43 text

@katie_fenn Username Admin Password ' OR '1'='1 Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = 'Admin' AND PASSWORD = '' OR '1'='1' → 349 You are now logged in! Welcome Admin!

Slide 44

Slide 44 text

@katie_fenn Username Admin Password ' OR '1'='1 Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = 'Admin' AND PASSWORD = '' OR '1'='1' SQL: Give me all the users that have the username "Admin"

Slide 45

Slide 45 text

@katie_fenn Username Admin Password ' OR '1'='1 Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = 'Admin' AND PASSWORD = '' OR '1'='1' SQL: … or TRUE

Slide 46

Slide 46 text

@katie_fenn Username Admin Password ' OR '1'='1 Login /* SQL */ SELECT COUNT(*) FROM USERS WHERE USERNAME = 'Admin' AND PASSWORD = '' OR '1'='1' SQL: … or TRUE

Slide 47

Slide 47 text

@katie_fenn GIVE me all the users with the username “admin” OR whatever you’ve got I guess

Slide 48

Slide 48 text

SQL INJECTION hands the keys to YOUR database to the user

Slide 49

Slide 49 text

@katie_fenn DRUPALGEDDON •affected every Drupal 7 site before version 7.32

Slide 50

Slide 50 text

@katie_fenn DRUPALGEDDON •affected every Drupal 7 site before version 7.32 •remote code execution

Slide 51

Slide 51 text

@katie_fenn DRUPALGEDDON •affected every Drupal 7 site before version 7.32 (SQL injection in Drupal's database abstraction layer, SA-CORE-2014-005) •remote code execution •in some cases attackers patched the vulnerability themselves to hide the breach

Slide 52

Slide 52 text

@katie_fenn SQL INJECTION •never build sql queries using string concatenation

Slide 53

Slide 53 text

@katie_fenn SQL INJECTION •never build sql queries using string concatenation •use parameterised queries (pdo, knex)

Slide 54

Slide 54 text

@katie_fenn SQL INJECTION •never build sql queries using string concatenation •use parameterised queries (pdo, knex) •use an orm
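
The login query from slides 37 to 47 run for real, both ways, against a throwaway SQLite database. This is an added example, not code from the talk: the users table, its three rows and the helper names are constructed, and passwords sit in the table in clear only to mirror the slides (a real application stores hashes). The concatenated version lets `' OR '1'='1` match every row, because AND binds tighter than OR; the parameterised version sends the same text as a bound value and matches nothing.

```python
"""Login query built by concatenation and by parameter binding.

Added example (not from the talk). The table and its users are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("Admin", "correct horse battery staple"),
         ("Alice", "hunter2"),
         ("Tom Nook", "bells and turnips")],
    )
    return db


def build_concat_sql(username: str, password: str) -> str:
    """VULNERABLE: the query text is assembled from the user's input."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def count_concat(db: sqlite3.Connection, username: str, password: str) -> int:
    """Runs the concatenated query: whatever the user typed is executed as SQL."""
    (count,) = db.execute(build_concat_sql(username, password)).fetchone()
    return count


def count_param(db: sqlite3.Connection, username: str, password: str) -> int:
    """Parameterised: the statement shape is fixed, inputs travel as bound values."""
    (count,) = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return count


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    return count_param(db, username, password) == 1


if __name__ == "__main__":
    db = make_db()
    evil = "' OR '1'='1"
    print(build_concat_sql("Admin", evil))
    print("concat :", count_concat(db, "Admin", evil))      # every row matches
    print("param  :", count_param(db, "Admin", evil))       # nothing matches
    print("comment:", count_concat(db, "Admin'-- ", "x"))   # password check commented out
```

The `?` placeholder is the DB-API style; PDO accepts `?` or `:name`, and knex's query builder binds for you when you write `.where({ username, password })`. Two caveats: placeholders only bind values, so a table name, column name or ORDER BY direction taken from the user still needs an allowlist, and an ORM still lets you run raw SQL, where the same rule applies.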

Slide 55

Slide 55 text

@katie_fenn Bonus story cw: full screen video

Slide 56

Slide 56 text

@katie_fenn cw: large animated image

Slide 57

Slide 57 text

@katie_fenn cw: large animated image

Slide 58

Slide 58 text

@katie_fenn InTERMISSION

Slide 59

Slide 59 text

@katie_fenn InTERMISSION

Slide 60

Slide 60 text

@katie_fenn

Slide 61

Slide 61 text

@katie_fenn

Slide 62

Slide 62 text

@katie_fenn

Slide 63

Slide 63 text

@katie_fenn

Slide 64

Slide 64 text

@katie_fenn

Slide 65

Slide 65 text

@katie_fenn Getting other users to do your dirty work for you

Slide 66

Slide 66 text

@katie_fenn ALSO KNOWN As...

Slide 67

Slide 67 text

CROSS-SITE REQUEST FORGERY

Slide 68

Slide 68 text

@katie_fenn

Slide 69

Slide 69 text

@katie_fenn cw: video

Slide 70

Slide 70 text

@katie_fenn cw: video

Slide 71

Slide 71 text

@katie_fenn

Slide 72

Slide 72 text

@katie_fenn

Slide 73

Slide 73 text

@katie_fenn Look, it’s a kitten on a bike!

Slide 74

Slide 74 text

@katie_fenn

Slide 75

Slide 75 text

CSRF exploits the trust between website and browser

Slide 76

Slide 76 text

@katie_fenn Cross site request forgery •verify origin or referer http headers

Slide 77

Slide 77 text

@katie_fenn Cross site request forgery •verify origin or referer http headers •use synchroniser tokens

Slide 78

Slide 78 text

@katie_fenn

Slide 79

Slide 79 text

@katie_fenn Cross site request forgery •verify origin or referer http headers •use synchroniser tokens •use cookie-to-header tokens

Slide 80

Slide 80 text

@katie_fenn Cross site request forgery •verify origin or referer http headers •use synchroniser tokens •use cookie-to-header tokens •no defence if compromised by xss cw: large animated image
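
The three defences above on the server side of the forum's "post a reply" form. This is an added example, not code from the talk: SITE_ORIGIN, the session dictionary and the request dictionaries stand in for a real framework's objects. handle_form_post is the synchroniser-token pattern (token kept in the session, rendered into the form as a hidden field); handle_ajax_post is the cookie-to-header pattern (page JavaScript copies a cookie into a request header that a page on another origin cannot produce). Both check Origin, falling back to Referer, first.

```python
"""Server-side CSRF checks for the 'post a reply' form.

Added example (not from the talk). SITE_ORIGIN, the session and the
request dictionaries are constructed stand-ins.
"""
from __future__ import annotations

import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://forum.example"   # assumed origin of the protected site


def new_session() -> dict:
    """One unguessable synchroniser token per session, kept server side and
    rendered into every form as a hidden field."""
    return {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}


def request_origin(headers: dict) -> str | None:
    """Origin if present, else the origin part of Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def origin_allowed(headers: dict) -> bool:
    # Neither header present: refuse rather than guess. Browsers send Origin on
    # POST, so a state-changing request with both stripped is not one to trust.
    return request_origin(headers) == SITE_ORIGIN


def tokens_match(expected: str, submitted: str | None) -> bool:
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_form_post(session: dict, headers: dict, form: dict) -> tuple[int, str]:
    """Synchroniser-token pattern for classic HTML forms."""
    if not origin_allowed(headers):
        return 403, "cross-site request blocked (Origin/Referer)"
    if not tokens_match(session["csrf_token"], form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "reply posted"


def handle_ajax_post(cookies: dict, headers: dict) -> tuple[int, str]:
    """Cookie-to-header pattern: the page's own JavaScript copies the csrftoken
    cookie into X-CSRF-Token. A page on another origin cannot read the cookie,
    so it cannot produce the header."""
    if not origin_allowed(headers):
        return 403, "cross-site request blocked (Origin/Referer)"
    if not tokens_match(cookies.get("csrftoken", ""), headers.get("X-CSRF-Token")):
        return 403, "cookie and header token do not match"
    return 200, "ok"


if __name__ == "__main__":
    session = new_session()
    # Constructed requests: one from the kitten-on-a-bike page, one genuine submit.
    forged = ({"Origin": "https://kittens.example"}, {})
    genuine = ({"Origin": SITE_ORIGIN}, {"csrf_token": session["csrf_token"]})
    print(handle_form_post(session, *forged))
    print(handle_form_post(session, *genuine))
```

Two things the code relies on but cannot enforce by itself: state changes must never happen on GET (the `<img>` trick in the slides is a GET, and no token check runs on an image load), and the session cookie should also carry the SameSite attribute so the browser withholds it from cross-site requests in the first place. The last bullet holds for every variant here: a script injected by XSS runs on the site's own origin, so it can read the hidden field and the cookie and submit a perfectly valid request.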

Slide 81

Slide 81 text

@katie_fenn InTERMISSION

Slide 82

Slide 82 text

@katie_fenn InTERMISSION

Slide 83

Slide 83 text

@katie_fenn New reply

Slide 84

Slide 84 text

@katie_fenn New reply [img]sephiroth.gif[/img]

Slide 85

Slide 85 text

@katie_fenn

Slide 86

Slide 86 text

@katie_fenn

Slide 87

Slide 87 text

@katie_fenn New reply

Slide 88

Slide 88 text

@katie_fenn New reply [img]guild.gif[url=][/img][/url]

Slide 89

Slide 89 text

@katie_fenn 
 *~*Ninjad00d*~* /a>

Slide 90

Slide 90 text

@katie_fenn 
 *~*Ninjad00d*~* /a>

Slide 91

Slide 91 text

@katie_fenn 
 *~*Ninjad00d*~* /a>

Slide 92

Slide 92 text

@katie_fenn 
 *~*Ninjad00d*~* /a>

Slide 93

Slide 93 text

@katie_fenn 
 *~*Ninjad00d*~* /a onload>

Slide 94

Slide 94 text

@katie_fenn 
 *~*Ninjad00d*~* /a onload>

Slide 95

Slide 95 text

@katie_fenn 
 *~*Ninjad00d*~* /a onload>

Slide 96

Slide 96 text

@katie_fenn 
 *~*Ninjad00d*~* /a onload>

Slide 97

Slide 97 text

@katie_fenn [forum thread filled by a post of repeated "olololol" text] RoflLaz0rz: wth is going on

Slide 98

Slide 98 text

@katie_fenn Someone else’s code running on your website

Slide 99

Slide 99 text

@katie_fenn ALSO KNOWN As...

Slide 100

Slide 100 text

CROSS-SITE SCRIPTING

Slide 101

Slide 101 text

@katie_fenn SAMY Kamkar

Slide 102

Slide 102 text

@katie_fenn Samy Male CALIFORNIA United States Home | Browse | Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com

Slide 103

Slide 103 text

@katie_fenn Samy Male CALIFORNIA United States Home | Browse | Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com

Slide 104

Slide 104 text

@katie_fenn Samy Male CALIFORNIA United States Home | Browse | Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com

Slide 105

Slide 105 text

@katie_fenn Samy Male CALIFORNIA United States Home | Browse | Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com

Slide 106

Slide 106 text

@katie_fenn Samy Male CALIFORNIA United States Home | Browse | Search | Invite | Film | Mail | Blog | Favorites Can we be friends? MySpace.com
and tags allowed, but is filtered

Slide 107

Slide 107 text

@katie_fenn

Slide 108

Slide 108 text

@katie_fenn
Some browsers executed JS inside style properties!

Slide 109

Slide 109 text

@katie_fenn

Slide 110

Slide 110 text

@katie_fenn MySpace filtered the word “javascript”

Slide 111

Slide 111 text

@katie_fenn

Slide 112

Slide 112 text

@katie_fenn Line breaks? No problem!

Slide 113

Slide 113 text

@katie_fenn alert('hah!')

Slide 114

Slide 114 text

@katie_fenn alert(document.body.innerHTML)

Slide 115

Slide 115 text

@katie_fenn alert(eval('document.body.inne' + 'rHTML'))

Slide 116

Slide 116 text

@katie_fenn alert(eval('document.body.inne' + 'rHTML')) The filter looked for the literal string innerHTML; splitting it across two concatenated strings and reassembling it with eval gets past the filter.

Slide 117

Slide 117 text

@katie_fenn alert(eval('document.body.inne' + 'rHTML')) eval('XMLHttpRequest.onread' + 'ystatechange = callback');

Slide 118

Slide 118 text

@katie_fenn alert(eval('document.body.inne' + 'rHTML')) eval('XMLHttpRequest.onread' + 'ystatechange = callback'); The same trick gets past the filter for XMLHttpRequest.onreadystatechange (the property behind "AJAX" requests)

Slide 119

Slide 119 text

@katie_fenn if (location.hostname == 'profile.myspace.com') { document.location = 'http://www.myspace.com' + location.pathname + location.search }

Slide 120

Slide 120 text

@katie_fenn if (location.hostname == 'profile.myspace.com') { document.location = 'http://www.myspace.com' + location.pathname + location.search } The same-origin policy stops a page on profile.myspace.com from making XMLHttpRequests to www.myspace.com. Redirecting the browser to the same page on www.myspace.com put the worm on the origin it needed to post from.

Slide 121

Slide 121 text

@katie_fenn

Slide 122

Slide 122 text

@katie_fenn Home | Browse | Search | Invite | Film | Mail | Blog | Favorites MySpace.com Friend Request Manager From Confirmation Approve Deny Message Listing 1 of 1 Tom

Slide 123

Slide 123 text

@katie_fenn Home | Browse | Search | Invite | Film | Mail | Blog | F MySpace.com Friend Request Manager From Confirmation Approve Deny Message Listing 1 - 10 of 221 Tom @katie_fenn

Slide 124

Slide 124 text

@katie_fenn Home | Browse | Search | Invite | Film | Mail Friend Request Manager From Confirmation Approve Deny Message Listing 1 - 10 of 480 Tom @katie_fenn

Slide 125

Slide 125 text

@katie_fenn Home | Browse | Search | Invite | Film Friend Request Manager From Confirmation Approve Deny Me Listing 1 - 10 of 917,084 Tom @katie_fenn

Slide 126

Slide 126 text

@katie_fenn @katie_fenn

Slide 127

Slide 127 text

@katie_fenn One hour later...

Slide 128

Slide 128 text

@katie_fenn 500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done to cause the error. More information about this error may be found in the server error log.

Slide 129

Slide 129 text

@katie_fenn SAMY Myspace worm • site restored two hours later • raided by u.s. secret service • 90 days community service • $15,000-$20,000 restitution

Slide 130

Slide 130 text

Xss allows users to inject their own code Into your site

Slide 131

Slide 131 text

@katie_fenn Cross site scripting •escape user input on entry using a library

Slide 132

Slide 132 text

@katie_fenn Cross site scripting •escape user input on entry using a library •use an auto-escaping templating library

Slide 133

Slide 133 text

@katie_fenn Cross site scripting •escape user input on entry using a library •use an auto-escaping templating library •implement a content security policy

Slide 134

Slide 134 text

@katie_fenn Cross site scripting •escape user input on entry using a library •use an auto-escaping templating library •implement a content security policy •use sub-resource integrity
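
The [img] BBCode from slides 84 to 97 rendered two ways, plus the CSP and SRI pieces from the last two bullets. This is an added example, not code from the talk: the renderers, the regexes, the header string and the sample posts are constructed. The escaping happens where the HTML is produced, which is the same job an auto-escaping template engine does for you, and the one allowed tag is rebuilt from a validated value instead of copying the user's text into an attribute. Blocklisting words the way MySpace did (slides 110 to 118) is what the naive renderer amounts to.

```python
"""Rendering the forum's [img] BBCode safely, plus CSP and SRI helpers.

Added example (not from the talk). The renderers, regexes and sample
posts are constructed; a real site would use an auto-escaping template
engine for the same job.
"""
import base64
import hashlib
import html
import re
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.DOTALL)
IMAGE_PATH = re.compile(r"[\w./-]+\.(?:gif|png|jpe?g)")


def render_naive(post: str) -> str:
    """VULNERABLE: drops the user's text straight into an attribute.
    [img]x.gif" onload="alert(1)[/img] becomes a live event handler."""
    return IMG_TAG.sub(lambda m: f'<img src="{m.group(1)}">', post)


def safe_image_src(candidate: str) -> bool:
    """Only http(s) or relative paths that look like an image file."""
    parts = urlsplit(candidate)
    return parts.scheme in ("", "http", "https") and bool(IMAGE_PATH.fullmatch(parts.path))


def render_safe(post: str) -> str:
    """Escape at output time: every character of user text is HTML-escaped,
    and the one allowed tag is rebuilt from a validated value, never copied."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(post):
        out.append(html.escape(post[pos:m.start()]))
        src = m.group(1)
        if safe_image_src(src):
            out.append(f'<img src="{html.escape(src, quote=True)}">')
        else:
            out.append(html.escape(m.group(0)))   # show the bad tag as plain text
        pos = m.end()
    out.append(html.escape(post[pos:]))
    return "".join(out)


# Defence in depth: with this policy an injected inline script or onload=
# handler is a CSP violation even if escaping is missed somewhere.
CSP_HEADER = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'none'; frame-ancestors 'none'")


def sri_integrity(script_body: bytes) -> str:
    """Value for the integrity= attribute: the browser refuses a third-party
    script whose hash no longer matches what you shipped."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode()


def script_tag(url: str, script_body: bytes) -> str:
    return (f'<script src="{html.escape(url, quote=True)}" '
            f'integrity="{sri_integrity(script_body)}" crossorigin="anonymous"></script>')


if __name__ == "__main__":
    evil = '[img]guild.gif" onload="alert(1)[/img]'
    print(render_naive(evil))
    print(render_safe(evil))
    print(render_safe("[img]sephiroth.gif[/img] <script>alert('hah!')</script>"))
    print(script_tag("https://cdn.example/lib.js", b"/* constructed script body */"))
```

The escaping used here is right for HTML body text and quoted attributes; a value landing inside a script block, a URL or a CSS property needs the encoding for that context, which is the other reason to let a template engine choose it. Content-Security-Policy and the integrity attribute are the safety net for the cases escaping misses: the first stops an injected handler from running, the second stops a tampered copy of a CDN-hosted script from loading.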

Slide 135

Slide 135 text

@katie_fenn https://flic.kr/p/e8eTA5

Slide 136

Slide 136 text

@katie_fenn https://flic.kr/p/84VA2k

Slide 137

Slide 137 text

It’s an important topic but there’s never been a better time to learn

Slide 138

Slide 138 text

Everyone HAs to start somewhere

Slide 139

Slide 139 text

Special thanks Ben Pottier @bone_idol Cory Foy @irongeek_adc Michael Irwin Evan Williams @kitation @lukeb_uk Simon Willison @yesnoornext Justin Safa Steve Christey Coley @dontfeartherepair @SwiftOnSecurity @benofbrown Miriam Wiesner @lucky225 S. VonKetschmann CJ Silverio Lewis Cowper @_gaeel_

Slide 140

Slide 140 text

@katie_fenn Thank you @katie_fenn www.katiefenn.co.uk slides: bit.ly/kf-scotlandjs-2018

Slide 141

Slide 141 text

@katie_fenn Thank you @katie_fenn www.katiefenn.co.uk slides: bit.ly/kf-scotlandjs-2018