• Save
(In)Secure Ajax-Y Websites With PHP
Upcoming SlideShare
Loading in...5
×
 

(In)Secure Ajax-Y Websites With PHP

on

  • 6,200 views

 

Statistics

Views

Total Views
6,200
Views on SlideShare
6,192
Embed Views
8

Actions

Likes
9
Downloads
0
Comments
2

1 Embed 8

http://www.slideshare.net 8

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • Second on that. Please make this presentation downloadable. Thanks!
    Are you sure you want to
    Your message goes here
    Processing…
  • Hi, is it possible that you publish the presentation for Download? Thx!
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

(In)Secure Ajax-Y Websites With PHP (In)Secure Ajax-Y Websites With PHP Presentation Transcript

  • (IN)SECURE AJAX-Y WEBSITES WITH PHP Christian Wenz
  • Some Statistics
    • 9 out of 10 web sites have security vulnerabilities.
            • whitehat website security statistics report, March 2008
    • 7.72% of web sites can be automatically compromised. 96.85% of web sites can be compromised with manual means.
            • WASC Web Application Security Statistics Project 2007
    Jun 5, 2009 | |
  • Why? // The Problem
    • Numerous talks, whitepapers, articles and books on web application security
    • Foundation of non-profit organizations like OWASP
    • Heightened awareness in the media
    • But it does not seem to help
    Jun 5, 2009 | |
  • Why? // "Hall of Shame"
    • Recent evaluation of two dozen ramdomly picked Web 2.0 sites had an incredible "success rate"
    • Some high-profile sites have had issues, too
    • Most notably: MySpace, Facebook, Orkut, ...
    Jun 5, 2009 | |
  • Why? // Explanations
    • Bad, inconsistent advice in talks, whitepapers, articles and books
    • Lack of time
    • Ajax applications make it very easy to introduce vulnerabilities
      • Many new (unchecked?) server APIs
      • Applications rely on UGC (user-generated content)
    Jun 5, 2009 | |
  • Why? // Traditional Model Jun 5, 2009 | | Server Client
  • Why? // Ajax Model Jun 5, 2009 | | Server Client
  • XSS // Problem
    • Cross-Site Scripting (XSS)
    • (Old) Problem: Dynamic data is sent to the client – without validation
    • The following content can be dangerous
      • HTML
      • CSS
      • JavaScript
    Jun 5, 2009 | |
  • XSS // New Dangers
    • XSS everywhere
      • XML
      • RSS
      • HTTP Headers
    • Validate all incoming data!
    • Validate in all dynamic files!
      • Including REST-y web service APIs; not only Ajax applications may use them!
    Jun 5, 2009 | |
  • XSS // More Dangers
    • Fancy XSS
      • XSS without JavaScript
      • Advanced JavaScript
      • Attacks using embedded media
    • The browser's same origin policy does not help much
    • Filter using a whitelist approach, not blacklist!
    Jun 5, 2009 | |
  • CSRF // Problem
    • Cross Site Request Forgeries (CSRF)
    • Problem: HTTP requests do not always happen voluntarily
    Victim (client) Attacker (web site) Other web site (1) Requests page (2) Sends JavaScript (3) Requests page Jun 5, 2009 | |
  • CSRF // Countermeasures
    • As user
      • Logout whenever possible, as soon as possible
      • Do not visit unknown sites
      • Apart from that almost no chance to prevent attacks
    • As developer
      • Request login before „critical“ operations
      • Include secret/random token in forms
      • Use random names for form elements (?!)
    Jun 5, 2009 | |
  • SQL Injection // Problem
    • SQL Injection
    • (Old) Problem: Dynamic data is used in SQL statements – without validation
    • The list of attacks does not end with ' OR ''=' !
    Jun 5, 2009 | |
  • SQL Injection // Bad Ideas
    • Filter for „1=1“
    • Filter for '
    • Filter for #
    • Filter for --
    • What's next?!
    • Again: No blacklist, but whitelist
      • Or database-specific escape functions/methods
      • Or even better: Prepared statements (if supported)
    Jun 5, 2009 | |
  • SQL Injection // Fancy attacks
    • Prompting error messages
    • UNION attacks
    • Blind SQL attacks
    • Using built-in functionality
    • Second-order attacks
    • DoS attacks
    Jun 5, 2009 | |
  • Ajax // JavaScript attacks
    • JavaScript Hijacking
    • Vulnerable: GET requests that retrieve JSON information
    • Malicious JavaScript code overrides constructors, enabling to intercept and steal (or modify) JSON data
    • http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
    Jun 5, 2009 | |
  • Ajax // Countermeasures
    • Require POST for server APIs
    • Demand a certain HTTP header (e.g. Content-type: application/json )
    Jun 5, 2009 | |
  • Ajax // Further Concerns
    • Need to maintain state
      • Bookmarks
      • Back/forward buttons
    • Usually implemented using the hash portion of the URL
    • Then, parsed upon load
    • Check your parser!
    • Don't get me started with mashups!
    Jun 5, 2009 | |
  • XML // XML attacks
    • Feeding web services with incorrect XML
    • XPath Injection
    • Nasty entities
    • All input is evil!
    Jun 5, 2009 | |
  • Regular Expressions // RegEx attacks
    • Problem: e modifier in regular expressions
    • Extremely dangerous if user-supplied data is embedded in this regular expression
    • Arbitrary code execution may be possible
    Jun 5, 2009 | |
  • Automation // Trackbacks
    • Problem: Spammers create trackbacks to weblogs to get their URL mentioned and therefore increasing their Google PageRank
    • Trackback API is very simple
      • POST http://victim.tld/trackback?id=0815
      • Content-type: application/x-www-form-urlencoded
      • title=Buy+stuff&url=http://spammer.tld/&excerpt= Buy+my+stuff&blog_name=Spamblog
    Jun 5, 2009 | |
  • Automation // Comments
    • Problem: Spammers (automatically) post comments to weblogs to get their URL mentioned which in turn might increase their Google PageRank
    • Also works with feedback forms and „send-a-friend“ features of websites
    Jun 5, 2009 | |
  • Automation // CAPTCHAs
    • Completely Automated Turing Test to Tell Computers and Humans Apart
    • Turing tests: Decide whether the communication partner is a person or a machine
    • Mostly, an image with text/numbers
    • ASCII and audio CAPTCHAs also exist
    Jun 5, 2009 | |
  • CAPTCHAs // Countermeasures
    • Implementation bugs
    • Cheap workers
    • Horny surfers
    Jun 5, 2009 | |
  • Because! // Conclusion
    • There is no 100% security
      • But you should try
    • Rule #1: Validate all input
    • Rule #2: Escape all output
    • Ajax applications do not always generate new attacks, but allow more entry points
    • Better paranoid than offline ™
    Jun 5, 2009 | |
  • Christian's Conference Guide
    • Tomorrow's security- and Ajax-related sessions
      • Security
        • 11:00am, Hall B: Lesser Known Security Problems in PHP Applications
        • 2:45pm, Hall B: Security-Centered Design (Hall B)
      • Ajax
        • 11:00am, Room 203: The Power and Beauty of Dojo
        • 1:30pm, Hall B: State of Ajax (Keynote)
        • 2:45pm, Room 209: Building RIA with ZF and PHP
        • 4:00pm, Room 203: PHP and Ajax Made Easier with Zend
    Jun 5, 2009 | |
  • Thank You!
    • http://www.hauser-wenz.de/blog/
    • [email_address]
    • Please don't forget the session evals!
    Jun 5, 2009 | |