Your SlideShare is downloading. ×
0
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Basic Housekeeping - Plugging Obvious Security Holes In Web Sites - Paris Web2009

6,969

Published on

My talk at Paris Web 2009 about basic web security and how to avoid opening your site for attacks.

My talk at Paris Web 2009 about basic web security and how to avoid opening your site for attacks.

0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
6,969
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
63
Comments
0
Likes
6
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Basic housekeeping Plugging obvious security  holes in web sites. Chris9an Heilmann, Paris Web, Paris, October 2009
  • 2. A few things to remember  about basic web security.
  • 3. A bit of pimping... Gérer la sécurité de vos applica9ons web (Salle 1) Présenté par : Sébas9en Pauchet (WS Interac9ve),  Frank Taillandier (Académie de Toulouse) a.k.a. Dirty Tricks with @DirtyF
  • 4. The most annoying thing  is that the dangers on the  web are underes9mated.
  • 5. Reasons for aRacks: Spam injec9on. Iden9ty theT. Data mining. Botnet / Zombies / DOS
  • 6. A lot of clever terms are  used in security. SQL injec9on  XSS  CSRF ClickJacking  Phishing
  • 7. In the end, a lot is about  keeping your web  products clean.
  • 8. This very much starts on  the server side.
  • 9. Think about your folders.
  • 10. Telling the world too  much.
  • 11. You don’t want the admin  folders of your app to be  indexed by Google Search Engines.
  • 12. Your system might tell  more about your site than  you are aware of.
  • 13. Error messages are only  needed in produc9on ‐ on  live servers they can tell  more than you want to.
  • 14. Keep your server setup  secure.
  • 15. hRp://yoursite.com/index.php?admin=true hRp://phpsec.org/projects/phpsecinfo/
  • 16. hRp://phpsec.org/projects/phpsecinfo/
  • 17. Basic server measures: Turn off folder browsing. Stop bot indexing (robots.txt). Secure your setup. Turn off error messaging. Disallow remote file inclusion. Delete old and orphan files.
  • 18. The next danger is blindly  relying on soTware.
  • 19. Predefined backdoors and  passwords.
  • 20. admin/admin admin/password default/default user/user preset/preset buil9n/buil9n
  • 21. Plugins
  • 22. Basic soTware measures: Change every password. Check for presets. RTFM. Keep Plugins up‐to‐date. Check for security holes. Don’t trust “easy setup”. Upgrade.
  • 23. Front end security issues. 
  • 24. This is not hard. Don’t trust any user data. HTML is not a database. JavaScript is not a secure data  container. Do not rely on JavaScript.
  • 25. Frontend is public. If you comment, comment on  the backend, do not  “comment out” func9onality.
  • 26. Frontend is insecure. Anything in the frontend is  executed and can be used to  steal all your cookies. (frames, images, scripts, links...)
  • 27. Filtering hRp://us2.php.net/manual/en/book.filter.php
  • 28. Whitelis9ng
  • 29. Clickjacking.
  • 30. Basic frontend measures: Break frames. Filter inputs. Whitelist inputs. Avoid hacks (expression()). Avoid URL assembling.
  • 31. Our users
  • 32. Social engineering.
  • 33. SocEng basics: Show authority. Create fake need of urgency. Take over responsibility.
  • 34. Condi9oning helps. :‐(
  • 35. I approve  of this!
  • 36. Social networks
  • 37. Step 1: Log in yourself
  • 38. Step 2: Get list of followers
  • 39. Step 3: Set the trap
  • 40. http://twitter.com/statuses/ user_timeline/codepo8.xml? count=200
  • 41. Step 4: Lure his followers
  • 42. None  of this!
  • 43. Predictability
  • 44. Basic people measures: Don’t allow for auto log‐in. Share security responsibility with the users. Avoid stressful interfaces. Be very open about your  communica9on.
  • 45. Bot aRacks.
  • 46. Captchas to the rescue? hRp://caca.zoy.org/wiki/PWNtcha
  • 47. Bot aRack measures. Honeyponng. Timed interfaces. Cookie check / Crumbing. Spike detec9on.  OpenID / third party logins.
  • 48. Nothing beats being up‐ to‐date!
  • 49. None  of this!
  • 50. I approve  of this!
  • 51. You learn a  lot from logs.
  • 52. No strength in numbers.
  • 53. Check your posts.
  • 54. And query terms.
  • 55. Some not‐so sci‐fi ideas...
  • 56. Guest passes.
  • 57. oAuth
  • 58. OpenID
  • 59. Caja/ADsafe
  • 60. Caja limits and  secures web  standards.
  • 61. Caja vs. “HTML” ★ Custom aRributes ★ Custom tags ★ Unclosed tags ★ <embed> ★ <iframe> ★ <link rel=‘… ★ javascript:void(0)  ★ Radio buRons in IE ★ Rela9ve url’s
  • 62. Caja vs “JavaScript” ★ eval() ★ new Func9on() ★ Strings as event handlers (node.onclick = '...';) ★ Names ending with double / triple underscores ★ with func9on (with (obj) { ... }) ★ Implicit global variables (specify var variable) ★ Calling a method as a func9on ★ document.write  ★ window.event ★ .onclick ★ OpenSocial gadgets.io.makeRequest return JS
  • 63. Caja vs “CSS” ★ * hacks ★ _ hacks ★ IE condi9onals ★ Insert‐aTer clear fix ★ expression() ★ @import ★ Background images in IE
  • 64. Throwaway logins.
  • 65. New challenges.
  • 66. Social Network aRacks
  • 67. The mobile web.
  • 68. Camera access.
  • 69. Loca9on based services.
  • 70. Biometric recogni9on.
  • 71. Right now things are not  safe.
  • 72. But you can help making  the web safer.
  • 73. Keep it clean, keep it up‐ to‐date and be alert.
  • 74. MERCI!   Chris9an Heilmann   hRp://wait‐9ll‐i.com    hRp://developer‐evangelism.com   hRp://twiRer.com/codepo8   

×