(IN)SECURE AJAX-Y WEBSITES WITH PHP Christian Wenz

Some Statistics 9 out of 10 web sites have security vulnerabilities. whitehat website security statistics report, March 2008 7.72% of web sites can be automatically compromised. 96.85% of web sites can be compromised with manual means. WASC Web Application Security Statistics Project 2007 Jun 5, 2009 | |

9 out of 10 web sites have security vulnerabilities.

whitehat website security statistics report, March 2008

7.72% of web sites can be automatically compromised. 96.85% of web sites can be compromised with manual means.

WASC Web Application Security Statistics Project 2007

Why? // The Problem Numerous talks, whitepapers, articles and books on web application security Foundation of non-profit organizations like OWASP Heightened awareness in the media But it does not seem to help Jun 5, 2009 | |

Numerous talks, whitepapers, articles and books on web application security

Foundation of non-profit organizations like OWASP

Heightened awareness in the media

But it does not seem to help

Why? // "Hall of Shame" Recent evaluation of two dozen ramdomly picked Web 2.0 sites had an incredible "success rate" Some high-profile sites have had issues, too Most notably: MySpace, Facebook, Orkut, ... Jun 5, 2009 | |

Recent evaluation of two dozen ramdomly picked Web 2.0 sites had an incredible "success rate"

Some high-profile sites have had issues, too

Most notably: MySpace, Facebook, Orkut, ...

Why? // Explanations Bad, inconsistent advice in talks, whitepapers, articles and books Lack of time Ajax applications make it very easy to introduce vulnerabilities Many new (unchecked?) server APIs Applications rely on UGC (user-generated content) Jun 5, 2009 | |

Bad, inconsistent advice in talks, whitepapers, articles and books

Lack of time

Ajax applications make it very easy to introduce vulnerabilities

Many new (unchecked?) server APIs

Applications rely on UGC (user-generated content)

Why? // Traditional Model Jun 5, 2009 | | Server Client

Why? // Ajax Model Jun 5, 2009 | | Server Client

XSS // Problem Cross-Site Scripting (XSS) (Old) Problem: Dynamic data is sent to the client – without validation The following content can be dangerous HTML CSS JavaScript Jun 5, 2009 | |

Cross-Site Scripting (XSS)

(Old) Problem: Dynamic data is sent to the client – without validation

The following content can be dangerous

HTML

CSS

JavaScript

XSS // New Dangers XSS everywhere XML RSS HTTP Headers … Validate all incoming data! Validate in all dynamic files! Including REST-y web service APIs; not only Ajax applications may use them! Jun 5, 2009 | |

XSS everywhere

XML

RSS

HTTP Headers

…

Validate all incoming data!

Validate in all dynamic files!

Including REST-y web service APIs; not only Ajax applications may use them!

XSS // More Dangers Fancy XSS XSS without JavaScript Advanced JavaScript Attacks using embedded media The browser's same origin policy does not help much Filter using a whitelist approach, not blacklist! Jun 5, 2009 | |

Fancy XSS

XSS without JavaScript

Advanced JavaScript

Attacks using embedded media

The browser's same origin policy does not help much

Filter using a whitelist approach, not blacklist!

CSRF // Problem Cross Site Request Forgeries (CSRF) Problem: HTTP requests do not always happen voluntarily Victim (client) Attacker (web site) Other web site (1) Requests page (2) Sends JavaScript (3) Requests page Jun 5, 2009 | |

Cross Site Request Forgeries (CSRF)

Problem: HTTP requests do not always happen voluntarily

CSRF // Countermeasures As user Logout whenever possible, as soon as possible Do not visit unknown sites Apart from that almost no chance to prevent attacks As developer Request login before „critical“ operations Include secret/random token in forms Use random names for form elements (?!) Jun 5, 2009 | |

As user

Logout whenever possible, as soon as possible

Do not visit unknown sites

Apart from that almost no chance to prevent attacks

As developer

Request login before „critical“ operations

Include secret/random token in forms

Use random names for form elements (?!)

SQL Injection // Problem SQL Injection (Old) Problem: Dynamic data is used in SQL statements – without validation The list of attacks does not end with ' OR ''=' ! Jun 5, 2009 | |

SQL Injection

(Old) Problem: Dynamic data is used in SQL statements – without validation

The list of attacks does not end with ' OR ''=' !

SQL Injection // Bad Ideas Filter for „1=1“ Filter for ' Filter for # Filter for -- What's next?! Again: No blacklist, but whitelist Or database-specific escape functions/methods Or even better: Prepared statements (if supported) Jun 5, 2009 | |

Filter for „1=1“

Filter for '

Filter for #

Filter for --

What's next?!

Again: No blacklist, but whitelist

Or database-specific escape functions/methods

Or even better: Prepared statements (if supported)

SQL Injection // Fancy attacks Prompting error messages UNION attacks Blind SQL attacks Using built-in functionality Second-order attacks DoS attacks Jun 5, 2009 | |

Prompting error messages

UNION attacks

Blind SQL attacks

Using built-in functionality

Second-order attacks

DoS attacks

Ajax // JavaScript attacks JavaScript Hijacking Vulnerable: GET requests that retrieve JSON information Malicious JavaScript code overrides constructors, enabling to intercept and steal (or modify) JSON data http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf Jun 5, 2009 | |

JavaScript Hijacking

Vulnerable: GET requests that retrieve JSON information

Malicious JavaScript code overrides constructors, enabling to intercept and steal (or modify) JSON data

http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf

Ajax // Countermeasures Require POST for server APIs Demand a certain HTTP header (e.g. Content-type: application/json ) Jun 5, 2009 | |

Require POST for server APIs

Demand a certain HTTP header (e.g. Content-type: application/json )

Ajax // Further Concerns Need to maintain state Bookmarks Back/forward buttons Usually implemented using the hash portion of the URL Then, parsed upon load Check your parser! Don't get me started with mashups! Jun 5, 2009 | |

Need to maintain state

Bookmarks

Back/forward buttons

Usually implemented using the hash portion of the URL

Then, parsed upon load

Check your parser!

Don't get me started with mashups!

XML // XML attacks Feeding web services with incorrect XML XPath Injection Nasty entities All input is evil! Jun 5, 2009 | |

Feeding web services with incorrect XML

XPath Injection

Nasty entities

All input is evil!

Regular Expressions // RegEx attacks Problem: e modifier in regular expressions Extremely dangerous if user-supplied data is embedded in this regular expression Arbitrary code execution may be possible Jun 5, 2009 | |

Problem: e modifier in regular expressions

Extremely dangerous if user-supplied data is embedded in this regular expression

Arbitrary code execution may be possible

Automation // Trackbacks Problem: Spammers create trackbacks to weblogs to get their URL mentioned and therefore increasing their Google PageRank Trackback API is very simple POST http://victim.tld/trackback?id=0815 Content-type: application/x-www-form-urlencoded title=Buy+stuff&url=http://spammer.tld/&excerpt= Buy+my+stuff&blog_name=Spamblog Jun 5, 2009 | |

Problem: Spammers create trackbacks to weblogs to get their URL mentioned and therefore increasing their Google PageRank

Trackback API is very simple

POST http://victim.tld/trackback?id=0815

Content-type: application/x-www-form-urlencoded

title=Buy+stuff&url=http://spammer.tld/&excerpt= Buy+my+stuff&blog_name=Spamblog

Automation // Comments Problem: Spammers (automatically) post comments to weblogs to get their URL mentioned which in turn might increase their Google PageRank Also works with feedback forms and „send-a-friend“ features of websites Jun 5, 2009 | |

Problem: Spammers (automatically) post comments to weblogs to get their URL mentioned which in turn might increase their Google PageRank

Also works with feedback forms and „send-a-friend“ features of websites

Automation // CAPTCHAs Completely Automated Turing Test to Tell Computers and Humans Apart Turing tests: Decide whether the communication partner is a person or a machine Mostly, an image with text/numbers ASCII and audio CAPTCHAs also exist Jun 5, 2009 | |

Completely Automated Turing Test to Tell Computers and Humans Apart

Turing tests: Decide whether the communication partner is a person or a machine

Mostly, an image with text/numbers

ASCII and audio CAPTCHAs also exist

CAPTCHAs // Countermeasures Implementation bugs Cheap workers Horny surfers Jun 5, 2009 | |

Implementation bugs

Cheap workers

Horny surfers

Because! // Conclusion There is no 100% security But you should try Rule #1: Validate all input Rule #2: Escape all output Ajax applications do not always generate new attacks, but allow more entry points Better paranoid than offline ™ Jun 5, 2009 | |

There is no 100% security

But you should try

Rule #1: Validate all input

Rule #2: Escape all output

Ajax applications do not always generate new attacks, but allow more entry points

Better paranoid than offline ™

Christian's Conference Guide Tomorrow's security- and Ajax-related sessions Security 11:00am, Hall B: Lesser Known Security Problems in PHP Applications 2:45pm, Hall B: Security-Centered Design (Hall B) Ajax 11:00am, Room 203: The Power and Beauty of Dojo 1:30pm, Hall B: State of Ajax (Keynote) 2:45pm, Room 209: Building RIA with ZF and PHP 4:00pm, Room 203: PHP and Ajax Made Easier with Zend Jun 5, 2009 | |

Tomorrow's security- and Ajax-related sessions

Security

11:00am, Hall B: Lesser Known Security Problems in PHP Applications

2:45pm, Hall B: Security-Centered Design (Hall B)

Ajax

11:00am, Room 203: The Power and Beauty of Dojo

1:30pm, Hall B: State of Ajax (Keynote)

2:45pm, Room 209: Building RIA with ZF and PHP

4:00pm, Room 203: PHP and Ajax Made Easier with Zend

Thank You! http://www.hauser-wenz.de/blog/ [email_address] Please don't forget the session evals! Jun 5, 2009 | |

http://www.hauser-wenz.de/blog/

[email_address]

Please don't forget the session evals!