Modern Web Security

Basic security concepts for web applications and web sites for today's environment. Server Configuration, Site Configuration, Best Practices, and Passwords.

Published in: Internet, Technology

  1. Modern Web Security: Attacks & Improvements. Bill Condo / @mavrck. 4/2/2014 | Dayton Web Developers
  2. Who here is responsible for a website?
  3. Who here has published code updates live in the last month?
  4. Are they secure?
  5. What We’ll Cover
     • Common Threats
     • Easy Improvements
     • Bonus: Passwords
  6. Common Threats
     • Cross Site Scripting
     • SQL Injection
     • Path Disclosure
     • Cross Site Request Forgery
     • Information Disclosure
  7. Common Threats (continued)
     • Denial of Service
     • Code Execution
     • Memory Corruption
     • Arbitrary File
     • Local File Include
     • Remote File Include
     • Buffer overflow
  8. Cross-site scripting (XSS)
     • In a nutshell: websites that allow external code to be sent with a response to a user’s browser.
     • Typically this is JavaScript inserted into a query string or form field that is then allowed to run.
     • Exposes cookies and sensitive data.
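Added example (not from the deck): the reflected case from slide 8, with the unescaped rendering beside the escaped one. The query parameter `q`, the inputs and the tiny templates are all constructed for this illustration; the defence is standard output encoding with `html.escape`, which the slide later summarises as "sanitize user input".

```python
import html
from urllib.parse import parse_qs

# Constructed inputs for this example (not from the slides): a query string
# carrying a script tag, and a form value that tries to break out of an attribute.
CONSTRUCTED_QUERY = "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
CONSTRUCTED_ATTR_INPUT = '" onmouseover="alert(1)'


def search_param(query_string: str) -> str:
    """Return the raw 'q' value exactly as the browser sent it (hypothetical parameter)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the parameter into the page unescaped: the browser parses it as markup."""
    return f"<p>Results for: {search_param(query_string)}</p>"


def render_escaped(query_string: str) -> str:
    """Escapes &, <, > and quotes so the browser renders the value as text only."""
    return f"<p>Results for: {html.escape(search_param(query_string), quote=True)}</p>"


def render_attribute_escaped(value: str) -> str:
    """Attribute context: quote=True turns the embedded double quotes into &quot;,
    so the value cannot close the attribute and add an event handler."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def contains_script_tag(markup: str) -> bool:
    """Crude marker used only to show the difference between the two renderings."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_QUERY))
    print(render_escaped(CONSTRUCTED_QUERY))
    print(render_attribute_escaped(CONSTRUCTED_ATTR_INPUT))
```

The point of the attribute case is that escaping is context-specific: `quote=True` matters the moment a value lands inside a quoted attribute, where an unescaped `"` would be enough to attach an event handler.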
  9. SQL Injection
     • Allowing user input to be inserted directly into database queries, opening the possibility of unexpected data, database corruption and data leakage.
     • (original) statement = "SELECT * FROM users WHERE id ='" + id + "';"
     • (input) 0'; DROP TABLE users; --
     • (final) statement = "SELECT * FROM users WHERE id ='0'; DROP TABLE users; --';"
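Added example (not the deck's code): slide 9's concatenation reproduced against an in-memory SQLite table, next to the prepared-statement form that slide 20 recommends. The table, its rows and the input string are constructed for the demonstration; `executescript` is used for the vulnerable path because, like many database drivers, it runs every statement in the text it is handed.

```python
import sqlite3

# Constructed attacker-style input: the slide's example with a comment marker appended.
MALICIOUS_ID = "0'; DROP TABLE users; --"


def build_concatenated_query(user_id: str) -> str:
    """The slide's vulnerable pattern: user input glued into the SQL text."""
    return "SELECT * FROM users WHERE id ='" + user_id + "';"


def make_db() -> sqlite3.Connection:
    """In-memory 'users' table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> None:
    """Runs the concatenated text as a script: every statement in it executes,
    including the injected DROP TABLE."""
    conn.executescript(build_concatenated_query(user_id))


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Prepared statement: the value travels separately from the SQL, so the
    input is compared as a literal id and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def demo() -> tuple:
    """Returns (table intact after safe lookup, rows it returned,
    table intact after vulnerable lookup)."""
    conn = make_db()
    rows = lookup_safe(conn, MALICIOUS_ID)
    safe_ok = table_exists(conn, "users")
    lookup_vulnerable(conn, MALICIOUS_ID)
    vuln_ok = table_exists(conn, "users")
    return safe_ok, rows, vuln_ok


if __name__ == "__main__":
    print(build_concatenated_query(MALICIOUS_ID))
    print(demo())
```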
  10. http://xkcd.com/327/
  11. Path Disclosure
     • Allowing an attacker to see the path to the web root: /home/site.com/public/index.php
     • This could allow viewing of private files, and provides a nugget of knowledge that can be combined with others to allow full access.
     • http://site.com/index.php?page=about
     • http://site.com/index.php?page=../config
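Added example (not from the deck): how a `?page=` include from slide 11 is kept inside its template directory, and how the failure response avoids the path disclosure the slide describes. The directory layout, the allowlist and the `.php` suffix are assumptions for this illustration; the containment check is plain path normalisation, so it runs without touching the disk.

```python
import posixpath

# Assumed layout for this example (not from the slides): page templates live
# under PAGES_DIR, while config files sit one level up, outside it.
PAGES_DIR = "/home/site.com/public/pages"
# Constructed allowlist of template names the app is willing to include.
ALLOWED_PAGES = frozenset({"home", "about", "contact"})


class PageNotAllowed(ValueError):
    """Raised for any ?page= value that does not map to a known template."""


def is_within(base_dir: str, page: str) -> bool:
    """Containment check: normalise away '..' and make sure the result still
    starts under base_dir. Pure string logic, so it never touches the disk."""
    target = posixpath.normpath(posixpath.join(base_dir, page + ".php"))
    return posixpath.commonpath([base_dir, target]) == base_dir


def resolve_page(page: str, pages_dir: str = PAGES_DIR) -> str:
    """Map ?page=<name> to a template path using two independent checks:
    an allowlist of names, and the containment check above."""
    if page not in ALLOWED_PAGES:
        raise PageNotAllowed(page)
    if not is_within(pages_dir, page):
        raise PageNotAllowed(page)
    return posixpath.join(pages_dir, page + ".php")


def handle_request(page: str) -> str:
    """Production-style response: on failure the client learns only that it
    failed, never the filesystem path (that detail belongs in the server log)."""
    try:
        return "200 " + resolve_page(page)
    except PageNotAllowed:
        return "404 Not Found"


if __name__ == "__main__":
    for requested in ("about", "../config", "/etc/passwd"):
        print(requested, "->", handle_request(requested))
```

Either check alone would reject `../config`; keeping both means a later change to the allowlist (say, loading it from a database) cannot silently reopen traversal.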
  12. Cross Site Request Forgery (CSRF)
     • Exploits a website’s functionality through an already-authenticated user, without that user’s intent. This commonly comes from features driven by URL parameters that don’t have sufficient verification in place.
     • http://site.com/send-message.php?from=bill&to=brad&message=hi
     • May also be exploited by malicious code injected into a page.
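Added example (not the deck's code): a handler for the `send-message.php` action on slide 12 with the verification the slide says is missing. The session store, the server secret and the response tuples are constructed for this illustration. The handler requires a POST, binds a token to the session with an HMAC, compares it in constant time, and takes the sender from the session rather than trusting the `from` parameter.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Hypothetical server-side secret; keep the real one in config outside the webroot.
SERVER_SECRET = b"constructed-secret-do-not-reuse"
# Constructed session store: session id -> logged-in user.
SESSIONS = {"sess-123": "bill", "sess-456": "brad"}
# The slide's URL parameters, as the browser would send them.
SLIDE_QUERY = "from=bill&to=brad&message=hi"


def params_from_query(query_string: str) -> dict:
    """Flatten a query string to a single value per key."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def issue_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session id). Only the server
    can compute it, and the app embeds it in its own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, presented: str) -> bool:
    """Constant-time comparison so a wrong token leaks nothing through timing."""
    return hmac.compare_digest(issue_token(session_id), presented or "")


def send_message(method: str, params: dict, session_id: str) -> tuple:
    """Handler for send-message.php. Returns (status, detail). A state change
    needs a POST, a logged-in session and a token that matches that session;
    the sender comes from the session, never from the 'from' parameter."""
    if method != "POST":
        return (405, "state-changing actions must be POSTed")
    sender = SESSIONS.get(session_id)
    if sender is None:
        return (401, "not logged in")
    if not verify_token(session_id, params.get("csrf_token", "")):
        return (403, "missing or invalid csrf token")
    return (200, f"{sender} -> {params['to']}: {params['message']}")


if __name__ == "__main__":
    p = params_from_query(SLIDE_QUERY)
    print(send_message("GET", p, "sess-123"))
    print(send_message("POST", p, "sess-123"))
    print(send_message("POST", dict(p, csrf_token=issue_token("sess-123")), "sess-123"))
```

A link or image tag on another site can make a logged-in browser issue the GET from the slide, but it cannot supply a token computed from the server secret, which is why the second and third calls differ.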
  13. Information Disclosure
     • Releasing secure information to an untrusted environment. This can be the operating environment, customer data, or trade secrets.
     • Path that the website runs at, database info, service versions, etc.
     • Credit card data, private account info (address, phone), and customer history.
     • Business logic, processes, and long-term business plans.
  14. (image slide)
  15. (image slide)
  16. Easy Improvements
     • Secure Your Environment
     • Secure Your Website
     • Establish Audits
  17. Secure Your Environment
     • Leave your cheap web host (BlueHost, GoDaddy, etc.) and go to a Virtual Private Server (VPS) such as Digital Ocean, Linode, Rackspace, AWS, etc. You don’t want to share security concerns with the world.
     • Turn off the display of errors and debugging info in production, and redirect them to log files.
     • Turn on automatic updates for security patches.
     • Turn off broadcasting of service versions and extensions.
     • Turn off modules that aren’t required.
  18. Sorry, We’re Not Sharing Security…
  19. Thanks for letting me know…
  20. Secure Your Website
     • Sanitize user input. Always.
     • Escape and sanitize database queries. Better yet, use an established package for prepared statements.
     • Store sensitive data outside of the webroot with proper permissions.
     • SSL where possible.
     • Sandbox user uploads and treat them with suspicion.
  21. Establish Audits
     • Black Box: Security/Vulnerability Scanners, Penetration Tests
     • White Box: Source Code Analyzers, Code Tests
     • Password Testing
  22. More Security Info
     • http://www.webappsec.org
     • http://www.owasp.org
  23. Stretch. Last minute bucket. We’re in overtime.
  24. Bonus: Password Security
     • Terminology
     • Landscape/Problems
     • Best Practices
     • Getting Policy Buy-in
  25. Password Terminology
     • Encrypting - The process of encoding messages or information in such a way that only authorized parties can read it*. Encryption typically involves a private key and is two-way: the holder of the key can reverse it.
     • Hashing - Password hashing is a one-way conversion of an input into a representative string (e.g. nothing = 4fhk348fhsk48rfk4d3).
     • Salting - A unique string of characters (hopefully per user) that keeps the password hashes different for users who have the same password.
     *http://en.wikipedia.org/wiki/Encryption
  26. Password Terminology (continued)
     • Entropy (Strength) - A measure of the uncertainty associated with a random variable (i.e. password strength).
     • Rainbow Tables - Pre-calculated lookup tables that match a hash value back to an input string for a known hashing algorithm.
  27. http://xkcd.com/936/
  28. Problems
  29. State of Passwords
     • Most people share passwords between sites
     • Most people don’t use secure passwords
     • Secure passwords, with high entropy, are impossible to remember
     • Most people don’t use a password manager
  30. Lack of Transparency
     • Web apps & sites don’t disclose their password policies or encryption strength, and there isn’t a standards body to police who’s following best practices and who’s being risky.
     • Users often don’t find out what data was compromised in an attack, and frequently don’t find out about a breach at all until it reaches the news cycle.
  31. Forgotten Trail
     • With e-commerce, we often have to create an account, provide payment details, and then may never shop there again. However, the data persists.
     • Users typically don’t keep a master list of sites they have an account on or have purchased from. Each account can act as a nugget of knowledge, slowly building up to enough data for concern.
  32. Best Practices / Worst Practices
  33. Don’t help the enemy
     • Don’t: Policies that enforce things such as “first character must be upper case” and “must end in a special character”. Allows mask attacks.
     • Don’t: To an extent, disclosing the minimum requirements for lower case, upper case, numeric, and special characters.
  34. Garbage in, garbage out
     • Don’t: Having no password policy at all.
     • Don’t: Allowing common passwords like ‘password’, ‘123456’.
     • Don’t: Allowing common dictionary words.
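Added example (not from the deck) covering the terminology on slides 25 and 26 together with the policy advice on slides 33 and 34: a per-user random salt feeding an iterated hash (PBKDF2-HMAC-SHA256 from the standard library), constant-time verification, and a policy check that rejects common passwords and dictionary words without the positional rules slide 33 warns against. The blocklists, the minimum length and the round count are assumed values for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed blocklists for this example; a real deployment loads far larger lists.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein"})
DICTIONARY_WORDS = frozenset({"dragon", "monkey", "sunshine", "football"})
MIN_LENGTH = 12           # assumed policy minimum
PBKDF2_ROUNDS = 200_000   # assumed work factor; tune to your hardware


def check_policy(password: str) -> list:
    """Return the reasons a password is rejected (empty list = accepted).
    Deliberately no positional rules such as 'first character upper case'."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if password.lower() in DICTIONARY_WORDS:
        reasons.append("dictionary word")
    return reasons


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash. A fresh random salt per user means two users with the
    same password get different hashes, and a precomputed (rainbow) table is useless."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password: str) -> str:
    """Apply the policy, then keep only the salted hash (the plaintext is discarded)."""
    reasons = check_policy(password)
    if reasons:
        raise ValueError("; ".join(reasons))
    return hash_password(password)


if __name__ == "__main__":
    print(check_policy("password"))
    print(register("correct horse battery staple"))
    print(register("correct horse battery staple"))   # same password, different hash
```

Storing the round count alongside the salt is what lets the work factor be raised later without invalidating existing records: old hashes still verify with their recorded parameters and can be rehashed on the user's next successful login.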
  35. Getting Policy Buy-in
  36. #1 Prevent PR Issues
  37. #2 Cost vs Risk
     • Doing security correctly is less expensive upfront. The opportunity cost is minimal compared to the reduction in risk. Cost * Risk = Likelihood Cost
     • What does it cost to clean up the mess: reset the passwords, scan the servers, added support calls/requests, etc…
  38. #3 Predictability
     • Help project/business managers minimize unexpected security response events.
     • Better understand how your week is going to go.
  39. (image slide)
  40. My Ask of You
     • If you found this information useful, I ask two things of you:
     • Follow me on Twitter for development tips: @mavrck
     • Back the Salt Mines Device Lab fundraiser for $1+: http://igg.me/p/728005
     • Also, we’re hiring at LMG. Grab a card if you’re currently not next to your boss (otherwise email bill@lmgresults.com).
  41. Roaring Applause Here. Thanks for your time.
