Things that go bump on the web - Web Application Security

Things that go bump on the web Christian Heilmann | http://wait-till-i.com | http://scriptingenabled.org Web Directions North, Denver, Colorado, February 2009

Disclaimer: The following is a personal presentation and the views do not necessarily reflect those of my employer or the conference organizer! There will be strong language, public exposure (of security issues) and some strong opinions. Viewer discretion is advised.

Hello, I am Chris.

I’m here today to talk to you about web application security.

I’ve seen several security presentations myself.

And they fall into a few categories:

Technical mumbo jumbo that leaves you feeling inadequate and scared.

“Neener Neener, look what I can hack” show-offs.

“Use our systems or you’ll be dead tomorrow.” sales pitches.

I wanted to avoid anything like that.

My intention is not to leave you feeling patronised...

...confused or scared.

I want to point out several basics of web security...

...and offer some ideas of how you can prevent the worst and help us make the web safer.

Here’s what I will go through: Close the gates. Clean up your mess. Don’t breed idiots. d sore cen Stay up-to-date. Constant Vigilance, Harry!

Close the Gates!

Here’s a quick roundup of attack technologies and methodologies you should know about.

https://www.owasp.org/index.php? title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

XSS means that people can successfully inject something into your sites that shouldn’t be there.

Successfully injecting JavaScript in your site allows me to steal and fake the identity of your users or yourself.

SQL Injection

Always filter SQL statements from your requests!

http://en.wikipedia.org/wiki/Cross- site_request_forgery

CSRF happens when you have predictable urls to initiate actions – like deleting a form post or transferring money.

This url could then be called in the background from another site – via an image or a form submission in JavaScript.

Clickjacking

http://ha.ckers.org/blog/20080915/clickjacking/

Clickjacking is a trick to cover a real interface in an IFRAME with a transparent GIF or Flash movie...

...to send you to another site or pretend there was a problem and asking for you to log in again.

Isn’t it interesting that the verified by visa security tool makes that look very normal?

Phishing!

Phishing means showing a familiar interface and luring users into entering data.

The only way to prevent this is let the user choose a secret only they know...

...like the Yahoo sign-in seal.

I approve of this!

E! K A F http://en.wikipedia.org/wiki/Cross-boundary- currency-request

Clean up your mess!

A lot of security problems happen because people leave data behind.

This can be in their HTML.

Comments are not a good tool to turn off sections of the page that shouldn’t be available yet!

Or it can be in JavaScript...

Or on their server:

Or in their browsers.

I built TweetEffect.com, a small tool to check your twitter follower changes.

And then I got this email (not real size, it had to be resized)

I checked the user name and saw nothing – just a “this user isn’t available”.

What happened?

Apparently this person was logged in and of course that way authenticated to see the updates.

The same thing happens when one of the friends of that person is logged in!

So, this is interesting...

Step 1: Log in yourself

Step 2: Get his list of followers

Step 3: Set the trap

You can get a user’s updates with a simple REST call: http://twitter.com/statuses/ user_timeline/codepo8.xml? count=200

...alternatively use Ajax...

Step 4: Contact random friend of tuna to visit the site.

As they are authenticated the data will be returned without a question and sent to your server.

Learnings: Do not trust browsers, ever! A lock on a screen does not mean protection! You are as protected as the people you deal with.

Which brings me to the next point...

DANGER! I am now going to be a bit daring. I will ask you to question common ways of thinking and considering alternatives.

Don’t breed idiots!

I’m a designer, why should I care about web application security?

Designers help users do the right things in the easiest and most effective manner.

We have the chance to increase usability to stop people repeatedly shooting themselves in the foot.

None of this!

Users should be conditioned not to trust blindly.

Yet we tell them to store their information on computers and give them an option to stay logged in.

Getting information out of people is easy:

Be confident, show (or fake) authority, keep things confusing and give them a wrong sense of urgency.

“Look, your wireless is ﬂaky, I am in the middle of a phone conference and it keeps dropping out. Is there a wired connection in this lounge?”

“Do you have a ﬁrst class ticket?” “I just asked you where the wired connection is, this is an urgent conference and I need to answer this now!”

= Chris had some hours in the first class lounge!

Why did that work?

People are used to being treated like this.

We also don’t tell users off for using clever passwords like “password” or “happiness”.

Don’t make your end users suffer for your lack of security.

CAPTCHAS solve nothing! http://caca.zoy.org/wiki/PWNtcha

Here’s a challenge for you design and marketing wizards:

How about an interface that makes it fun to change your password every week?

And here’s a challenge for security experts:

Use HUMAN language!

“confused deputy”

“man in the middle attack”

“the password antipattern”

How about “giving your login and password for one system to another system is like writing your pin number on your credit card and asking a stranger to buy something for you!”

Stay up to date!

There is no security in sticking with outdated systems.

Therefore make sure to keep your server, your client software and your operating system up-to-date.

Even if companies offer a way out not to “break the web”.

None of this!

This also applies to your skills.

If you *don’t* want to be the guardian against evil and have *your butt on the line* when things to bump...

...build with frameworks!

Symfony, Django, Rails all offer out-of-the-box filtering and sanitization.

If there is a vulnerability, it can be fixed by a lot of people and pushed out as an update.

Constant vigilance! Screenshot from Harry Potter and the Goblet of fire, found on some blog but probably courtesy of Warner Brothers

The most important thing for you is to constantly be aware of what your servers are up to.

This *does* include your blog and portfolio!

Any server can be a spam hub or part of an attack network.

Your friends are: Server logs Statistics software

Don’t just look at the numbers

More interesting are “posted forms”

And “page query terms”

Keep up-to-date with what’s happening in web security.

http://simonwillison.net/ tags/security/

Stay curious to poke at things and find out their flaws and report them!

THANKS! Christian Heilmann http://wait-till-i.com http://scriptingenabled.org http://twitter.com/codepo8 Images by icanhazcheeseburger.com, failblog.org,kqe.de and from the web. Eye photo: http://flickr.com/photos/jaredmoo/2113943480

http://www.wait-till-i.com	15
http://www.slideshare.net	7
http://icant.co.uk	4
http://east08.webdirections.org	4
http://192.168.10.100	1
http://www.mefeedia.com	1

Things that go bump on the web - Web Application Security

by Christian Heilmann

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 32

Statistics

Things that go bump on the web - Web Application Security Presentation Transcript