Sans Feb 2010 - When Web 2 0 Attacks v3.3
  1. When Web 2.0 Attacks! Technology gone terribly wrong. Rafal M. Los, HP ASC, rev 4, 7 February 2010
  2. Fire! … Aim! Ready?
     Question 1: Web 2.0 content is being developed primarily by the same developers that write traditional web code. True or False?
     Question 2: Everyone understands the idea of "Web 2.0" and there are concrete standards. True or False?
     Question 3: Your company has deployed "Web 2.0 stuff" already. True or False?
  3. Answers…
     Question 1: False! Web 2.0 is being developed in large part not by traditional developers, but by "marketing or media folks"…
     Question 2: False! Ask 2 different people to define "Web 2.0"… listen to their answers.
     Question 3: (most likely) True! … and if you don't know it, it's even worse.
  4. The Hinges
  5. Understanding Web 2.0 Motivations
     2 reasons "Web 2.0" happened…
     1. Increased demand for processor cycles
     2. Increased demand for bandwidth
     What happened…
     • Logic moved from server → client
     • Invention of asynchronous transactions
     • Browser becomes a "fat client"
  6. Understanding the attack surface
  7. Attack Surface: total addressable (attackable) surface area
  8. Attack Surface: total addressable (attackable) surface area: Inputs, Outputs, APIs, Functions (interactions), Functions (services), …
  9. Exploiting a bigger attack surface
  10. Users love to click stuff … Hackers love users who click stuff.
  11. Exploiting Weaknesses: Users. Everyone's favorite → Click-Jacking. [HIDDEN BUTTON] "Click the red dots!"
  12. Exploiting Weaknesses: Users. [HIDDEN BUTTON] `<a href="http://evilsite.com/exploit.js">` ……. "Click the red dots?" This is an exploit page, hidden UNDER the cool new game that everyone is playing!
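A defender's counterpart to the hidden-button trick on slides 11 and 12, added here as an example and not part of the talk: a Python audit that decides whether a response can be put in a frame by a given origin, honouring the two controls browsers use (X-Frame-Options and the CSP frame-ancestors directive, with CSP taking precedence when both are present). All header values and the origins game.example, untrusted.example, partner.example and trusted.example are constructed.

```python
"""Clickjacking audit: can a third-party origin frame this response?

Added example (not from the talk).  Evaluates the two browser controls that
stop a page from being loaded invisibly under a "click the red dots" game:
X-Frame-Options and the CSP frame-ancestors directive (CSP wins when both
are present).  Header values and origins used here are constructed.
"""
from urllib.parse import urlsplit


def _same_origin(a: str, b: str) -> bool:
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)


def _frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if the policy lacks one."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _source_allows(source: str, embedder: str, page: str) -> bool:
    """Does one frame-ancestors source expression admit the embedding origin?"""
    if source == "none":
        return False
    if source == "*":
        return True
    if source == "self":
        return _same_origin(embedder, page)
    host = urlsplit(embedder).hostname or ""
    if source.startswith("*."):                      # wildcard subdomain match
        return host.endswith(source[1:])
    src = source if "://" in source else "//" + source
    return host == (urlsplit(src).hostname or "")


def frameable_by(headers: dict, embedder: str, page: str) -> bool:
    """True if `embedder` is allowed to frame the page served with `headers`."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # A frame-ancestors directive takes precedence over X-Frame-Options.
        return any(_source_allows(s, embedder, page) for s in ancestors)
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(embedder, page)
    parts = xfo.split(None, 1)
    if len(parts) == 2 and parts[0] == "ALLOW-FROM":  # legacy form, ignored by modern browsers
        return _same_origin(embedder, parts[1])
    # No (or an unrecognised) control: browsers will frame the page from anywhere.
    return True


def clickjackable(headers: dict, page: str) -> bool:
    """Convenience check against an arbitrary untrusted origin (constructed name)."""
    return frameable_by(headers, "https://untrusted.example", page)
```

Run it over the headers a scanner captured for each page that carries a button worth hiding; a `True` from `clickjackable` is the finding, and the fix is `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` plus named partner origins) with `X-Frame-Options` kept for older browsers.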
  13. The line between code | data has become blurred…
  14. Exploiting Weaknesses: Rich Content. SoMe (Social Media) sites allow active content…
  15. Exploiting Weaknesses: Rich Content. What is the difference?
      code:
      ```html
      <script type="text/javascript"></script>
      <style type="text/css" title="currentStyle" media="screen"> @import "/001/001.css"; </style>
      ```
      data:
      ```xml
      <![CDATA[CHEVRON 0302550]]></name><address><![CDATA[1298 HOWARD ST]]></address><city><![CDATA[SAN FRANCISCO]]></city><stateProvince><![CDATA[CA]]></stateProvince><postalCode><![CDATA[94103]]></postalCode><country><![CDATA[US]]></country><brand><![CDATA[CHEVRON]]></brand><phone
      ```
  16. Exploiting Weaknesses: Rich Content. Very few sites are static. Most sites/applications mix code | data at will → How do developers differentiate?
      • Data → static information
      • Code → script or program modifications
  17. Exploiting Weaknesses: Rich Content. Users (victims) will copy/paste without knowing the consequences. Pimp-My-Profile.com is littered with ready-to-paste crap. Don't you just want to grab the BeSocial toolbar?
  18. Functionality is the arch-enemy of security
  19. Exploiting Weaknesses: Functionality. Functionality gone totally wrong… FLASH OBJECT + CrossDomain.xml - security =
  20. Exploiting Weaknesses: Functionality. Google → filetype:swf inurl:xml. Check CrossDomain.xml for something like: `<allow-access-from domain="*"/>`. Result: A simple programming "oops" creates a catastrophic failure in extended functionality!
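As an added example (not from the talk) of checking your own policies for the CrossDomain.xml condition slide 20 describes: a small Python audit that parses a policy and flags the grants that let a SWF on any domain call the site with the user's cookies and read the responses. The two sample policies are constructed.

```python
"""Flag over-permissive grants in a Flash crossdomain.xml policy.

Added example, not from the talk.  The sample policies are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "simple programming oops" from the slide.
WIDE_OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: scoped to one host, no header grant.
SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return [f"unparseable policy: {exc}"]
    if root.tag != "cross-domain-policy":
        return [f"root element is <{root.tag}>, not <cross-domain-policy>"]
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF hosted anywhere may call this '
                            "site with the user's cookies and read the responses")
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every host under that suffix '
                            "is trusted, including ones you do not run")
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" for domain="{domain}": the grant is also honoured '
                            "for SWFs loaded over plain HTTP")
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin may send '
                            "custom request headers")
    return findings
```

Point it at every `/crossdomain.xml` you serve (the talk's point is that the search engines already have); anything it returns is a grant to review, and the usual fix is to list the exact hosts that legitimately embed your SWFs.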
  21. Exploiting Weaknesses: Functionality. Each additional layered component is another chance to screw up security. Could you live without…
      • Google?
      • Multiple-app integrations (Google+Twitter+Facebook+…?)
      • Flash?
  22. Some really bad [real life] code
  23. What Could Possibly Go Wrong? …
      • Manipulation of business logic
      • Client-side data validations
      • Exposure of sensitive information
  24. Client-Side Logic Manipulation
      ```actionscript
      try {
          strURI = ExternalInterface.call("getLittleServer");
          …
          n1 = parseInt(strN1);
          n2 = parseInt(strN2);
          // the submission "key" is built entirely from values the client itself controls
          nAlgo = n1 * n2 * nScore + nScore;
          strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo;
          encrypted_data = MD5.hash(strToPass);
          submission_data = "score=" + nScore + "|gameId=" + nGameId + "|timestamp=" + nTime + "|key=" + encrypted_data;
          variables = new URLVariables();
          variables.attr1 = submission_data;
          request = new URLRequest(strURI);
          request.data = variables;
          navigateToURL(request, "_self");
          return submission_data;
          …
      ```
  25. What Could Possibly Go Wrong? … • Manipulation of business logic • Client-side data validations • Exposure of sensitive information
  26. Client-Side Data Validations
      ```actionscript
      …
      button 9 {
          on (release, keyPress '<Enter>') {
              // each customer's "password" and landing page are hard-coded in the SWF
              if (password eq ' PASSWORD ') {
                  getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', '');
              } else {
                  if (password eq ' PASSWORD ') {
                      getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', '');
                  } else {
                      if (password eq ' PASSWORD ') {
                          getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', '');
                      } else {
                          if (password eq ' PASSWORD ') {
                              getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', '');
                          } else {
                              if (password eq ' PASSWORD ') {
                                  getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', '');
                              } else {
                                  …
      ```
  27. What Could Possibly Go Wrong? … • Manipulation of business logic • Client-side data validations • Exposure of sensitive information
  28. Thinking Web 2.0 Offense
      ```actionscript
      private static function query(arg0:String, arg1:flash.events::EventDispatcher = null) {
          …
          trace("2:MySQL Query: " + statement);
          if (this.connection == null) {
              try {
                  // host, port, user, password and database name ship inside the SWF,
                  // hidden only by a trivially reversible helper (irrcrpt)
                  this.connection = new Connection(irrcrpt("dqgurjudgh.frp", 3), 3306, irrcrpt("icog_nqikp", 2), irrcrpt("d1su4y", 1), irrcrpt("jdph", 3));
              } catch (e:SecurityError) {
                  var loc1:* = e;
                  statement = null;
                  Alert.show(statement.message, "Security Error");
                  …
              }
      ```
  29. LIVE decompile of a flash fail! (…err file) … wait, I thought you couldn't do that?
  30. Fun with Web 2.0 … "highly interactive content"
  31. Attacking Web 2.0 Sites → MapQuest!
  32. Attacking Web 2.0 Sites → MapQuest! We insert this:
      ```
      "><frame src=http://google.com></iframe><script>alert(document.cookie)</script>
      ```
      PLAIN => PostalCode="><frame
      Let's ENCODE it to get past black-listing filters…
      ```
      %22%3e%3cframe%20src%3dhttp%3a%2f%2fgoogle.com%3e%3c%2fiframe%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e
      ```
  33. Attacking Web 2.0 Sites → MapQuest!
  34. Attacking Web 2.0 Sites → MapQuest! … B-O-O-M
  35. What Did We Just Learn? Web 2.0 isn't some magical new "thing"; it's a conglomeration of old technologies… …and yes, all the old bugs are
  36. Fun new ways to fail, or: new bad ideas
  37. Specification for Offline Web Apps. From W3.org → http://www.w3.org/TR/offline-webapps/ "Users of typical online Web applications are only able to use the applications while they have a connection to the Internet. When they go offline, they can no longer check their e-mail, browse their calendar appointments... The HTML 5 specification provides two solutions to this: a SQL-based database API for storing data locally, and an offline application HTTP cache for ensuring applications are available even when the user is not connected to their network."
  38. Options in Web 2.0 Land. Would you rather hack this… (Remote System (Application): Database, Application, Hardened Defenses, reached from the Browser across the Internet) … or this? (Local App Cache and Local Database (SQLite), held by the browser)
  39. Simple Problems with Offline Apps: Online Application vs. Offline Application
      • Remote data storage vs. Local data storage
      • Enterprise DB typically "secured" vs. Local DB "forgotten"
      • Enterprise DB difficult to access vs. Local DB … on local filesystem
      • Attack trips security mechanisms vs. Few local security mechanisms
      • Remote logic vs. Local "cached" logic
      • Manipulate at run-time, remotely vs. Manipulate code, locally
      • Remote validation of logic vs. Fully control/manipulate logic
  40. (de)Evolution of SoMe… First came the applications… They were attacked… a lot… …then hardened.
  41. (de)Evolution of SoMe… Users wanted more. Applications were extended via APIs.
  42. (de)Evolution of SoMe… 3rd parties built interfaces using the APIs.
  43. (de)Evolution of SoMe… Hackers attacked users via application APIs.
  44. SoMe Attacked Via Extension. FaceBook still fighting worms and hacks against users via extensions (or plug-ins) built using legal API extensions (Koobface?). Twitter API continually being abused by worms and "bots" to spam and seed trojan malware. Why attack a hardened resource/site when a hacker can use APIs to write malicious plug-ins?
  45. So what do we do about it?
  46. The 3 Keys to Success
      • Perform all control logic server-side
      • Validate all data at ingress & egress
      • Build zero-trust interfaces
      … and don't rely on others. Remember, "the user will always choose dancing bears over security". - Schneier
  47. Perform All Control Logic Server-Side. Application-critical logic must always be performed on the server side, where it is less likely to be manipulated.
      • You can't trust code once it leaves your control
      • Web code can and will be reverse-engineered
      • Never push critical information (passwords, connection strings) to the client
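Added example, not the talk's code, serving slide 24 (the client-computed MD5 "key") and slide 47 together: the score-submission check moved server-side in Python. The server issues a signed round token using a secret it never pushes to the client, verifies the HMAC when the token comes back, and applies the game rules, the timing window and replay protection itself. SERVER_SECRET, GAME_RULES, the time bounds and the token format are all constructed for the example.

```python
"""Server-side integrity for a score submission.

Added example (not the talk's code).  Slide 24's client computes
key = MD5(gameId, score, time, algo) from values it controls, so anyone who
decompiles the SWF can produce a "valid" key for any score.  Here the only
thing the client carries is an opaque token the server signed; every rule
is checked on the server.  All constants below are constructed.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # lives only on the server; never sent to the client
TOKEN_MAX_AGE = 600                       # seconds: a round must be submitted within this window
MIN_PLAY_SECONDS = 5                      # a submission faster than this cannot be a real round
GAME_RULES = {1: {"max_score": 1000}, 2: {"max_score": 50}}   # constructed game ids
_used_nonces = set()                      # replay protection; a real service would persist this


def _tag(msg: str) -> str:
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def issue_round_token(game_id: int, now: float) -> str:
    """Hand the client an opaque token when a round starts.

    It is bound to the game and the start time and signed with the server
    secret, so the client can carry it back but cannot mint or alter it."""
    body = f"{game_id}.{int(now)}.{secrets.token_hex(8)}"
    return f"{body}.{_tag(body)}"


def verify_submission(token: str, score: int, now: float):
    """Return (accepted, reason).  All control logic runs here, not in the SWF."""
    try:
        game_id_s, started_s, nonce, tag = token.split(".")
        body = f"{game_id_s}.{started_s}.{nonce}"
        game_id, started = int(game_id_s), int(started_s)
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(tag, _tag(body)):
        return False, "bad signature"          # forged or tampered token
    if nonce in _used_nonces:
        return False, "replayed token"
    elapsed = now - started
    if elapsed > TOKEN_MAX_AGE:
        return False, "token expired"
    if elapsed < MIN_PLAY_SECONDS:
        return False, "implausibly fast round"
    rules = GAME_RULES.get(game_id)
    if rules is None:
        return False, "unknown game"
    if not 0 <= score <= rules["max_score"]:
        return False, "score outside game rules"
    _used_nonces.add(nonce)
    return True, "accepted"
```

The score itself still arrives from the client, which is why the server bounds it by the game's rules and by elapsed time rather than trusting any client-side "key"; what the token buys is that a submission can only be made once, for the game and round the server started, within the window the server set.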
  48. Validate All Data at Ingress/Egress. Validate all data as it comes into your application, and also as it leaves.
      • Assume all input is malicious
      • Mix white-list, black-list → minimum required
      • Know what's leaving your application
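Added example (not from the talk) in Python tying slide 48 to the MapQuest PostalCode payload on slide 32: a black-list over the raw parameter lets the URL-encoded form through, while decoding to a stable form first and then applying a white-list rejects it, and HTML-encoding on egress keeps anything that does get through from becoming markup. The BLACKLIST, the POSTAL_CODE pattern and the sample inputs are constructed.

```python
"""Ingress and egress validation for a PostalCode parameter.

Added example, not the talk's code.  Demonstrates why substring black-lists
on the raw parameter miss an encoded payload and why canonicalise-then-
white-list does not.  The pattern and sample values are constructed.
"""
import html
import re
from urllib.parse import unquote

BLACKLIST = ("<script", "<iframe", "<frame", "javascript:")
# Loose international postal-code shape (constructed): alphanumerics, spaces, hyphens.
POSTAL_CODE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 -]{2,9}")


def naive_blacklist_passes(raw_param: str) -> bool:
    """The kind of filter the slide bypasses: substring match on the raw value."""
    low = raw_param.lower()
    return not any(bad in low for bad in BLACKLIST)


def canonicalise(raw_param: str) -> str:
    """Decode until the value stops changing, so double encoding (%2522) collapses too."""
    value = raw_param
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_ingress(raw_param: str):
    """Canonicalise first, then white-list.  Returns the clean value or None."""
    value = canonicalise(raw_param)
    return value if POSTAL_CODE.fullmatch(value) else None


def render_egress(value: str) -> str:
    """Egress: never echo a parameter into HTML without encoding it."""
    return f'<input name="PostalCode" value="{html.escape(value, quote=True)}">'
```

The order matters: white-listing the raw, still-encoded string would accept nothing useful, and black-listing the decoded string would still leave every variant the list does not name, so decode to a fixed point, match the shape the field is allowed to have, and encode on the way out regardless.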
  49. Build Zero-Trust Interfaces. Assume exposed APIs/services will be attacked.
      • Never trust the interface to provide clean data, legal calls, or valid requests
      • Authenticate (AuthN) interfaces whenever possible
      • Don't forget AuthZ (authorization)
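Added example (not the talk's code) for slide 49, using slide 26's situation as the case: instead of a SWF that compares a typed password against hard-coded constants and then navigates to a customer page, the server authenticates the caller, authorises the requested page id against that caller's grants, and treats the id as untrusted input. USERS, the passwords, the page grants and the /client_pages/<id>.html path are constructed.

```python
"""Zero-trust handling of a customer-page lookup.

Added example, not the talk's code.  Authentication (who is calling) and
authorisation (which page ids this caller may see) both happen on the
server; nothing about the mapping is shipped to the client.  Users,
passwords, grants and the path shape are constructed.
"""
import hashlib
import hmac
import os
import re

PAGE_ID = re.compile(r"[0-9]{1,6}")
PBKDF2_ROUNDS = 50_000                     # kept low for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, pages) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "pages": frozenset(pages)}


# Constructed accounts: each customer may see only its own page ids.
USERS = {
    "acme": make_user("correct horse", {"778", "781"}),
    "globex": make_user("battery staple", {"783"}),
}


def authenticate(username: str, password: str) -> bool:
    """AuthN: verify the salted hash in constant time; unknown users cost the same."""
    user = USERS.get(username)
    if user is None:
        _hash(password, b"\x00" * 16)       # burn the same work so timing does not reveal usernames
        return False
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))


def client_page(username: str, password: str, page_id: str):
    """Return (status, body): 400 bad id, 401 unauthenticated, 403 unauthorised, 200 ok."""
    if not PAGE_ID.fullmatch(page_id):       # validate the interface input before anything else
        return 400, "bad page id"
    if not authenticate(username, password):
        return 401, "authentication required"
    if page_id not in USERS[username]["pages"]:   # AuthZ: a valid login is not a grant to every page
        return 403, "not authorised for this page"
    return 200, f"/client_pages/{page_id}.html"
```

Compared with the SWF on slide 26, the page list is no longer enumerable from the client, a correct password for one customer does not open another customer's page, and a request for a page id that was never granted is refused even by an authenticated caller.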
  50. Don't Rely on Others. Every piece of software has exploitable defects! Don't assume other developers wrote secure code. Check, re-check and check again… and again.
  51. Thank You. Rafal Los. Twitter: @RafalLos. Email: Rafal@HP.com. Direct: +1 (765) 247-2325. Blogs: "Following the White Rabbit" http://www.communities.hp.com/securitysoftware/blogs/rafal/default.aspx and "Digital Soapbox" http://preachsecurity.blogspot.com. Oh! … and I work in the HP Application Security Center (ASC).