Web Application Security


    Web Application Security - Presentation Transcript

    1. Web Application Security by Example (for LAMP)
       Arpee Ong
    2. Who Am I?
       Name: Richard Peter Ong a.k.a. Arpee
       Work: Lead Developer, Internal Projects at SysIQ Inc.
       Open Source Affiliations: a.) core developer, MiaCMS
    3. Who Are You?
       ✔ PHP Developers/Programmers
       ✔ L/U/W AMP SysAdmins
       ✔ IT Managers and Practitioners
       ✔ Geeks and hackers
    4. Scope and Coverage:
       ● Securing a Basic U/L AMP Server
       ● Web Application Attacks: Description, Samples and Prevention
    5. WHAT IS A WEB APPLICATION?
       ✔ Any application that is served, commonly via the http or https protocol
       ✔ Usually served from a remote computer acting as a host/server
    6. WHAT IS SECURITY?
       ✔ A state of being free from damage and from being compromised
       ✔ A condition of being protected against danger or loss
    7. Levels of WebApp Security:
       ✔ Server Level
       ✔ Application Level
    8. Server Level Security:
       ✔ The Box(es) (physical or virtual server(s))
       ✔ httpd (Apache)
       ✔ mysqld (MySQL)
       ✔ PHP
    9. Secure the Box:
       ✔ Filesystem
       ✔ Firewall
    10. Filesystem:: File Ownership and Permission
       ✔ Folders should be 0755
       ✔ Files should be 0644
       ✔ Files and folders under the document root should be owned by the Apache user
       ✔ 666 is evil in the web world, and so is 777.
    11. Filesystem:: How to Set Permissions
       ✔ Folders: chmod 0755 {directory}
       ✔ Files: chmod 0644 {files}
    12. Filesystem:: How to Set Ownership
       ✔ Files/Folders: chown -R {apache_user} {document_root}
    13. Firewall:: Opened Ports
       ✔ Port 80 Web/Http
       ✔ Port 443 Web/Https
       ✔ Port 21 FTP
       ✔ Port 22 SSH
       ✔ Port 25 SMTP (outgoing)
       ✔ Port 110 POP (inbound)
       ✔ Port 3306 MySQL Daemon
    14. Secure httpd (Apache):
       ✔ Set an Apache user
       ✔ Do not run Apache as root
       ✔ 3rd Party Tools: ModSecurity http://www.modsecurity.org/
    15. Secure the mysqld (MySQL):
       ✔ Set the root (admin) password
       ✔ Rename the root (admin) account
       ✔ Restrict Network Access
       ✔ Use SSH Tunneling/Port Forwarding if necessary
    16. MySQL:: Set Admin Password
          mysql -u root
          mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
          mysql> FLUSH PRIVILEGES;
    17. MySQL:: Change Admin Username
          mysql -u root -p{PASSWORD}
          mysql> USE mysql;
          mysql> UPDATE user SET user="mydbadmin" WHERE user="root";
          mysql> FLUSH PRIVILEGES;
    18. MySQL:: Why Restrict Network Access?
       ✔ Usually only your web application needs access to the MySQL server, NOTHING ELSE.
    19. MySQL:: How to Restrict Network Access?
       ✔ Open my.cnf
       ✔ Add the skip-networking parameter to the [mysqld] or [mysqld_safe] section (depending on which you are using)
    20. MySQL:: How to tunnel mysql via ssh?
          ssh -N -f -L 3306:localhost:3306 user@mysql_server.com
       -N  Do not execute a remote command (useful for port forwarding only)
       -f  Run in the background
       -L  port:host:hostport
       (Note: the remote end of the tunnel connects over TCP to localhost:3306 on the MySQL host, so mysqld must still listen on the loopback interface, e.g. bind-address=127.0.0.1; skip-networking disables TCP entirely and would break the tunnel.)
    21. Secure php.ini (PHP):
       ✔ disable_functions
       ✔ register_globals=off
       ✔ allow_url_fopen=on/off
       ✔ allow_url_include=off
       ✔ 3rd Party Tools: Suhosin http://www.hardened-php.net/suhosin/
    22. PHP:: Functions to disable
       ✔ exec() - executes a command
       ✔ passthru() - executes a command and displays its raw output
    23. PHP:: Register Globals
       ✔ DO NOT ENABLE register_globals
       ✔ Write your apps to use superglobals instead when initializing variables and their values ($_GET, $_POST, $_REQUEST and $_SERVER)
    24. PHP:: allow_url_fopen, allow_url_include
       ✔ allow_url_fopen - if set to on, allows URLs to be treated as files
       ✔ allow_url_include - if set to on, allows include/require to open URLs (like http:// or ftp://) as files
    25. PHP:: misuse of register_globals, allow_url_fopen and allow_url_include altogether >> see remote file inclusion attacks
    26. Application Level Security:: Attack Samples and Prevention
       ✔ Remote File Inclusion
       ✔ Form Spoofing
       ✔ XSS (Cross-Site Scripting)
       ✔ CSRF (Cross-Site Request Forgery)
       ✔ SQL Injection
       ✔ Session Fixation
    27. Application Level Security:: Remote File Inclusion
       Attack Description: A Remote File Inclusion is a type of attack where an attacker executes a PHP script of his choosing against the target web application.
    28. Application Level Security:: Remote File Inclusion
       Attack Possible Damage
       ● Expose/modify variable values of the script doing the include()
       ● Expose stored credentials, e.g. MySQL user/pass from a webapp configuration file
    29. Application Level Security:: Remote File Inclusion
       Attack Vectors
       ● User-controllable value of the variable passed to include() or require()
    30. Application Level Security:: Remote File Inclusion
       Attack Prevention
       ● Disable register_globals
       ● Disable allow_url_fopen
       ● Disable allow_url_include
       ● Do not include() from a dynamic variable with a user-controllable value
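The last prevention point, shown in code. This is an added example, not code from the presentation: the include() pattern the slides warn about next to an allowlisted version; the page keys, file paths and function names are assumed.

```php
<?php
// Added example (not from the presentation). Page names and paths are assumed.

// VULNERABLE: the included name comes straight from the request. With
// allow_url_include=on a remote URL can be pulled in; even with it off, any
// readable local file is reachable.
function vulnerable_include(string $page): void
{
    include $page . '.php';
}

// HARDENED: the request only supplies a key into a fixed map of files we ship.
// Nothing from the request ever reaches include() as part of a path.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $key): string
{
    // Unknown or missing keys fall back to the default page rather than to an
    // error that might leak filesystem details.
    return PAGES[$key] ?? PAGES['home'];
}

function safe_include(?string $key): void
{
    $file = resolve_page($key);
    if (!is_file($file)) {
        http_response_code(404);
        return;
    }
    include $file;
}

// Usage in a front controller: safe_include($_GET['page'] ?? null);
```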
    31. Application Level Security:: Form Spoofing
       Attack Description: A type of attack where an HTML form is mimicked or copied and then submitted from a location different from the original.
    32. Application Level Security:: Form Spoofing
       Attack Possible Damage
       ● Bypass client-side validation
       ● Mass data insertion resulting in a flood (e.g. flooded guestbooks, forum boards etc.)
    33. Application Level Security:: Form Spoofing
       Attack Vectors
       ● No form tokens present, thus all requests thrown at the accepting script are considered valid
    34. Application Level Security:: Form Spoofing
       Attack Prevention
       ● Tokenize the form
       ● [optional] Check the referrer
    35. Application Level Security:: XSS
       Attack Description: Cross-Site Scripting is a type of attack where an attacker inserts HTML code into the HTML output of the web application, usually client-side code such as JavaScript. The injected HTML/JS code is then executed in the browsers of users visiting the infiltrated web application.
    36. Application Level Security:: XSS
       Attack Possible Damage
       ● Steal/fixate browser cookies and direct to another page
       ● Redirect the user to another page
       ● Mess up the format of a web application page
    37. Application Level Security:: XSS
       Attack Vectors
       ● Unfiltered input forms
    38. Application Level Security:: XSS
       Attack Prevention
       ● "Do Not Trust User Input" is not enough, I say: make user input trustable
       ● Filter incoming data
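"Make user input trustable" in practice means validating on the way in and encoding on the way out. This is an added example, not code from the presentation; the field rules and function names are assumed.

```php
<?php
// Added example (not from the presentation). Field rules and names are assumed.

// Inbound: accept only what the field is supposed to contain. A display name
// is letters, digits, spaces and a few punctuation marks, 1 to 40 characters;
// anything else is rejected instead of "cleaned".
function clean_display_name(string $raw): ?string
{
    $name = trim($raw);
    return preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $name) ? $name : null;
}

// Outbound: encode for the HTML text/attribute context. ENT_QUOTES covers both
// quote styles so the value is also safe inside attribute values;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Free-text fields (comments, guestbook entries) cannot be validated down to a
// character class, so they depend entirely on output encoding.
function render_comment(string $author, string $body): string
{
    return '<p class="comment"><b>' . e($author) . '</b>: ' . e($body) . '</p>';
}

// Constructed sample: a body containing markup is rendered as literal text,
// so the browser displays the tag instead of interpreting it.
$sample = render_comment('Arpee', '<b>hello</b> <script>alert(1)</script>');
```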
    39. Application Level Security:: CSRF
       Attack Description: Cross-Site Request Forgery is a type of attack where an attacker forces an unknowing victim into making (malicious) http requests.
    40. Application Level Security:: CSRF
       Attack Possible Damage
       ● Make the victim execute an operation without his knowledge on a web application while being validly authenticated (e.g. change account details, logout, spam etc.)
    41. Application Level Security:: CSRF
       Attack Vectors
       ● XSS vulnerabilities
       ● Untokenized forms
       ● Usage of $_GET for operations where $_POST is better suited
    42. Application Level Security:: CSRF
       Attack Prevention
       ● Use $_POST instead of $_GET and/or $_REQUEST
       ● Filter incoming data
       ● Tokenize
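The "tokenize" advice for both form spoofing (slide 34) and CSRF (slide 42) comes down to the same mechanism, shown here as an added example that is not code from the presentation: a per-session random token, a POST-only check and the optional referrer check. Function and field names are assumed.

```php
<?php
// Added example (not from the presentation). Function and field names are assumed.

// Issue a random token once per session and reuse it for every form.
function form_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Hidden field for the form; htmlspecialchars keeps the value attribute intact.
function token_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept only POST requests carrying the session's token. hash_equals()
// compares in constant time, so the token cannot be guessed byte by byte.
function request_is_trusted(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $expected = form_token();
    $sent = $_POST['token'] ?? '';
    return is_string($sent) && hash_equals($expected, $sent);
}

// The optional referrer check from the slides: browsers may omit the header,
// so use it only to reject a foreign origin, never as the sole proof.
function referrer_is_foreign(string $expected_host): bool
{
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    return $ref !== '' && parse_url($ref, PHP_URL_HOST) !== $expected_host;
}

// Handler sketch:
//   if (!request_is_trusted() || referrer_is_foreign($_SERVER['HTTP_HOST'])) {
//       http_response_code(403); exit;
//   }
//   echo '<form method="post">' . token_field() . '...</form>';
```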
    43. Application Level Security:: SQL Injection
       Attack Description: An SQL Injection is an attack where an attacker is able to execute arbitrary SQL code against the database.
    44. Application Level Security:: SQL Injection: Basic Sample
          //legit
          $sort = 'ASC';
          //malicious injection?
          $sort = '; TRUNCATE POSTS';
          //actual query
          $query = "SELECT * FROM posts ORDER BY date_entered $sort";
          // Output Query: uh-oh!
          SELECT * FROM posts ORDER BY date_entered; TRUNCATE POSTS
    45. Application Level Security:: SQL Injection
       Attack Possible Damage
       ● Corrupt data by executing TRUNCATE
       ● Alter current DB data (e.g. change the admin password)
    46. Application Level Security:: SQL Injection
       Attack Vectors
       ● Dynamic queries getting values from unsanitized user-submitted data
    47. Application Level Security:: SQL Injection (MySQL)
       Attack Prevention
       ● Enclose user-submitted values with mysql_real_escape_string()
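One caveat worth spelling out: escaping only protects values inside quotes, and the $sort value from slide 44 is placed bare in the SQL, so it needs an allowlist rather than escaping. The following is an added example, not code from the presentation; $db is an assumed mysqli connection (get_result() needs mysqlnd), and the table and function names are assumed.

```php
<?php
// Added example (not from the presentation). $db is an assumed mysqli
// connection; table, column and function names are assumed.

// The slide's $sort is not inside quotes, so mysqli_real_escape_string() would
// not stop "; TRUNCATE POSTS": keywords and identifiers must be chosen from a
// fixed list, never copied from the request.
function sort_direction(?string $requested): string
{
    return strtoupper((string) $requested) === 'DESC' ? 'DESC' : 'ASC';
}

function posts_query(?string $requested_sort): string
{
    return 'SELECT * FROM posts ORDER BY date_entered ' . sort_direction($requested_sort);
}

// Quoted value: escape with the connection's charset, as the slides advise.
function post_by_slug_escaped(mysqli $db, string $slug): string
{
    return "SELECT * FROM posts WHERE slug = '" . $db->real_escape_string($slug) . "'";
}

// The same lookup as a prepared statement: the value never becomes part of the
// SQL text, so there is no escaping rule to get wrong.
function post_by_slug(mysqli $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT * FROM posts WHERE slug = ?');
    $stmt->bind_param('s', $slug);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```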
    48. Application Level Security:: Session Hijacking
       Attack Description: Session Hijacking is an attack where an attacker impersonates a legitimate user (commonly the administrator) that is currently logged in on the web application.
    49. Application Level Security:: Session Hijacking
       Attack Possible Damage
       ● Attacker gaining administrator privileges; the damage/threat is highly serious.
    50. Application Level Security:: Session Hijacking
       Attack Vectors
       ● Session ID fixation via XSS
       ● Web application is not going through HTTPS and is therefore sniffable
       ● Session id is not regenerated when necessary
    51. Application Level Security:: Session Hijacking
       Attack Prevention
       ● Protect the site against XSS attacks (fixation avoidance only)
       ● Regenerate the SID whenever necessary and do not trust a user-specified session id
       ● Deliver the web app over HTTPS to avoid getting sniffed
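The three prevention points of slide 51 map onto a handful of PHP session settings. This is an added example, not code from the presentation; it assumes PHP 7.3 or later (array form of session_set_cookie_params) and the function names are assumed.

```php
<?php
// Added example (not from the presentation). Assumes PHP >= 7.3; names are assumed.

function start_secure_session(): void
{
    // Do not trust a user-specified session id: strict mode rejects ids the
    // server never issued, so an id planted via XSS or a crafted link is not
    // adopted as a live session.
    ini_set('session.use_strict_mode', '1');
    // Cookie only (never a SID in the URL), hidden from JavaScript, and sent
    // only over HTTPS so it cannot be sniffed on the wire.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful credential check: a fresh id is issued and the old
// one deleted, so whatever id the browser held before login is worthless.
function on_login(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user_id;
    $_SESSION['login_at'] = time();
}

// Rotate periodically as well, limiting how long a captured id stays useful.
function rotate_if_stale(int $max_age_seconds = 900): void
{
    if (isset($_SESSION['login_at']) && time() - $_SESSION['login_at'] > $max_age_seconds) {
        session_regenerate_id(true);
        $_SESSION['login_at'] = time();
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```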
    52. In a nutshell:
       ● The server level is part of the web application. It is necessary to secure the server as well; 30% of web application attacks are still suffered by the server.
       ● "Do not trust user input" is not enough: make user input TRUSTABLE by filtering it before it undergoes processing.
       ● Tokenize your forms whenever necessary
       ● Use the SSL layer (via https) when dealing with highly sensitive data, to avoid it being sniffed or captured.
    53. I hope you enjoyed.. The End...

    arpeearpee, 2 years ago

    Event: Tri{PHP}le Treat@USAutoparts Philippines