Your SlideShare is downloading. ×
(IN)SECURE AJAX-Y WEBSITES WITH PHP Christian Wenz
Some Statistics <ul><li>9 out of 10 web sites have security vulnerabilities. </li></ul><ul><ul><ul><ul><ul><li>whitehat we...
Why?  // The Problem <ul><li>Numerous talks, whitepapers, articles  and books on web application security </li></ul><ul><l...
Why?  // &quot;Hall of Shame&quot; <ul><li>Recent evaluation of two dozen ramdomly picked Web 2.0 sites had an incredible ...
Why?  // Explanations <ul><li>Bad, inconsistent advice in talks, whitepapers, articles and books </li></ul><ul><li>Lack of...
Why?  // Traditional Model Jun 5, 2009   |     | Server Client
Why?  // Ajax Model Jun 5, 2009   |     | Server Client
XSS  // Problem <ul><li>Cross-Site Scripting (XSS) </li></ul><ul><li>(Old) Problem: Dynamic data is sent to the client – w...
XSS  // New Dangers <ul><li>XSS everywhere </li></ul><ul><ul><li>XML </li></ul></ul><ul><ul><li>RSS </li></ul></ul><ul><ul...
XSS  // More Dangers <ul><li>Fancy XSS </li></ul><ul><ul><li>XSS without JavaScript </li></ul></ul><ul><ul><li>Advanced Ja...
CSRF  // Problem <ul><li>Cross Site Request Forgeries (CSRF) </li></ul><ul><li>Problem: HTTP requests do not always happen...
CSRF  // Countermeasures <ul><li>As user </li></ul><ul><ul><li>Logout whenever possible, as soon as possible </li></ul></u...
SQL Injection  // Problem <ul><li>SQL Injection </li></ul><ul><li>(Old) Problem: Dynamic data is used in SQL statements – ...
SQL Injection  // Bad Ideas <ul><li>Filter for „1=1“ </li></ul><ul><li>Filter for  ' </li></ul><ul><li>Filter for # </li><...
SQL Injection  // Fancy attacks <ul><li>Prompting error messages </li></ul><ul><li>UNION  attacks </li></ul><ul><li>Blind ...
Ajax  // JavaScript attacks <ul><li>JavaScript Hijacking </li></ul><ul><li>Vulnerable: GET requests that retrieve JSON inf...
Ajax  // Countermeasures <ul><li>Require POST for server APIs </li></ul><ul><li>Demand a certain HTTP header (e.g.  Conten...
Ajax  // Further Concerns <ul><li>Need to maintain state </li></ul><ul><ul><li>Bookmarks </li></ul></ul><ul><ul><li>Back/f...
XML  // XML attacks <ul><li>Feeding web services with incorrect XML </li></ul><ul><li>XPath Injection </li></ul><ul><li>Na...
Regular Expressions  // RegEx attacks <ul><li>Problem:  e  modifier in regular expressions </li></ul><ul><li>Extremely dan...
Automation  // Trackbacks <ul><li>Problem: Spammers create trackbacks  to weblogs to get their URL mentioned and therefore...
Automation  // Comments <ul><li>Problem: Spammers (automatically) post  comments to weblogs to get their URL  mentioned wh...
Automation  // CAPTCHAs <ul><li>Completely Automated Turing  Test to Tell Computers and  Humans Apart </li></ul><ul><li>Tu...
CAPTCHAs  // Countermeasures <ul><li>Implementation bugs </li></ul><ul><li>Cheap workers </li></ul><ul><li>Horny surfers <...
Because!  // Conclusion <ul><li>There is no 100% security </li></ul><ul><ul><li>But you should try </li></ul></ul><ul><li>...
Christian's Conference Guide <ul><li>Tomorrow's security- and Ajax-related sessions </li></ul><ul><ul><li>Security </li></...
Thank You! <ul><li>http://www.hauser-wenz.de/blog/ </li></ul><ul><li>[email_address]   </li></ul><ul><li>Please don't forg...
Upcoming SlideShare
Loading in...5
×

(In)Secure Ajax-Y Websites With PHP

4,074

Published on

Published in: Technology
2 Comments
10 Likes
Statistics
Notes
  • Second on that. Please make this presentation downloadable. Thanks!
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Hi, is it possible that you publish the presentation for Download? Thx!
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
4,074
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
2
Likes
10
Embeds 0
No embeds

No notes for slide

Transcript of "(In)Secure Ajax-Y Websites With PHP"

  1. 1. (IN)SECURE AJAX-Y WEBSITES WITH PHP Christian Wenz
  2. 2. Some Statistics <ul><li>9 out of 10 web sites have security vulnerabilities. </li></ul><ul><ul><ul><ul><ul><li>whitehat website security statistics report, March 2008 </li></ul></ul></ul></ul></ul><ul><li>7.72% of web sites can be automatically compromised. 96.85% of web sites can be compromised with manual means. </li></ul><ul><ul><ul><ul><ul><li>WASC Web Application Security Statistics Project 2007 </li></ul></ul></ul></ul></ul>Jun 5, 2009 | |
  3. 3. Why? // The Problem <ul><li>Numerous talks, whitepapers, articles and books on web application security </li></ul><ul><li>Foundation of non-profit organizations like OWASP </li></ul><ul><li>Heightened awareness in the media </li></ul><ul><li>But it does not seem to help </li></ul>Jun 5, 2009 | |
  4. 4. Why? // &quot;Hall of Shame&quot; <ul><li>Recent evaluation of two dozen ramdomly picked Web 2.0 sites had an incredible &quot;success rate&quot; </li></ul><ul><li>Some high-profile sites have had issues, too </li></ul><ul><li>Most notably: MySpace, Facebook, Orkut, ... </li></ul>Jun 5, 2009 | |
  5. 5. Why? // Explanations <ul><li>Bad, inconsistent advice in talks, whitepapers, articles and books </li></ul><ul><li>Lack of time </li></ul><ul><li>Ajax applications make it very easy to introduce vulnerabilities </li></ul><ul><ul><li>Many new (unchecked?) server APIs </li></ul></ul><ul><ul><li>Applications rely on UGC (user-generated content) </li></ul></ul>Jun 5, 2009 | |
  6. 6. Why? // Traditional Model Jun 5, 2009 | | Server Client
  7. 7. Why? // Ajax Model Jun 5, 2009 | | Server Client
  8. 8. XSS // Problem <ul><li>Cross-Site Scripting (XSS) </li></ul><ul><li>(Old) Problem: Dynamic data is sent to the client – without validation </li></ul><ul><li>The following content can be dangerous </li></ul><ul><ul><li>HTML </li></ul></ul><ul><ul><li>CSS </li></ul></ul><ul><ul><li>JavaScript </li></ul></ul>Jun 5, 2009 | |
  9. 9. XSS // New Dangers <ul><li>XSS everywhere </li></ul><ul><ul><li>XML </li></ul></ul><ul><ul><li>RSS </li></ul></ul><ul><ul><li>HTTP Headers </li></ul></ul><ul><ul><li>… </li></ul></ul><ul><li>Validate all incoming data! </li></ul><ul><li>Validate in all dynamic files! </li></ul><ul><ul><li>Including REST-y web service APIs; not only Ajax applications may use them! </li></ul></ul>Jun 5, 2009 | |
  10. 10. XSS // More Dangers <ul><li>Fancy XSS </li></ul><ul><ul><li>XSS without JavaScript </li></ul></ul><ul><ul><li>Advanced JavaScript </li></ul></ul><ul><ul><li>Attacks using embedded media </li></ul></ul><ul><li>The browser's same origin policy does not help much </li></ul><ul><li>Filter using a whitelist approach, not blacklist! </li></ul>Jun 5, 2009 | |
  11. 11. CSRF // Problem <ul><li>Cross Site Request Forgeries (CSRF) </li></ul><ul><li>Problem: HTTP requests do not always happen voluntarily </li></ul>Victim (client) Attacker (web site) Other web site (1) Requests page (2) Sends JavaScript (3) Requests page Jun 5, 2009 | |
  12. 12. CSRF // Countermeasures <ul><li>As user </li></ul><ul><ul><li>Logout whenever possible, as soon as possible </li></ul></ul><ul><ul><li>Do not visit unknown sites </li></ul></ul><ul><ul><li>Apart from that almost no chance to prevent attacks </li></ul></ul><ul><li>As developer </li></ul><ul><ul><li>Request login before „critical“ operations </li></ul></ul><ul><ul><li>Include secret/random token in forms </li></ul></ul><ul><ul><li>Use random names for form elements (?!) </li></ul></ul>Jun 5, 2009 | |
  13. 13. SQL Injection // Problem <ul><li>SQL Injection </li></ul><ul><li>(Old) Problem: Dynamic data is used in SQL statements – without validation </li></ul><ul><li>The list of attacks does not end with ' OR ''=' ! </li></ul>Jun 5, 2009 | |
  14. 14. SQL Injection // Bad Ideas <ul><li>Filter for „1=1“ </li></ul><ul><li>Filter for ' </li></ul><ul><li>Filter for # </li></ul><ul><li>Filter for -- </li></ul><ul><li>What's next?! </li></ul><ul><li>Again: No blacklist, but whitelist </li></ul><ul><ul><li>Or database-specific escape functions/methods </li></ul></ul><ul><ul><li>Or even better: Prepared statements (if supported) </li></ul></ul>Jun 5, 2009 | |
  15. 15. SQL Injection // Fancy attacks <ul><li>Prompting error messages </li></ul><ul><li>UNION attacks </li></ul><ul><li>Blind SQL attacks </li></ul><ul><li>Using built-in functionality </li></ul><ul><li>Second-order attacks </li></ul><ul><li>DoS attacks </li></ul>Jun 5, 2009 | |
  16. 16. Ajax // JavaScript attacks <ul><li>JavaScript Hijacking </li></ul><ul><li>Vulnerable: GET requests that retrieve JSON information </li></ul><ul><li>Malicious JavaScript code overrides constructors, enabling to intercept and steal (or modify) JSON data </li></ul><ul><li>http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf </li></ul>Jun 5, 2009 | |
  17. 17. Ajax // Countermeasures <ul><li>Require POST for server APIs </li></ul><ul><li>Demand a certain HTTP header (e.g. Content-type: application/json ) </li></ul>Jun 5, 2009 | |
  18. 18. Ajax // Further Concerns <ul><li>Need to maintain state </li></ul><ul><ul><li>Bookmarks </li></ul></ul><ul><ul><li>Back/forward buttons </li></ul></ul><ul><li>Usually implemented using the hash portion of the URL </li></ul><ul><li>Then, parsed upon load </li></ul><ul><li>Check your parser! </li></ul><ul><li>Don't get me started with mashups! </li></ul>Jun 5, 2009 | |
  19. 19. XML // XML attacks <ul><li>Feeding web services with incorrect XML </li></ul><ul><li>XPath Injection </li></ul><ul><li>Nasty entities </li></ul><ul><li>All input is evil! </li></ul>Jun 5, 2009 | |
  20. 20. Regular Expressions // RegEx attacks <ul><li>Problem: e modifier in regular expressions </li></ul><ul><li>Extremely dangerous if user-supplied data is embedded in this regular expression </li></ul><ul><li>Arbitrary code execution may be possible </li></ul>Jun 5, 2009 | |
  21. 21. Automation // Trackbacks <ul><li>Problem: Spammers create trackbacks to weblogs to get their URL mentioned and therefore increasing their Google PageRank </li></ul><ul><li>Trackback API is very simple </li></ul><ul><ul><li>POST http://victim.tld/trackback?id=0815 </li></ul></ul><ul><ul><li>Content-type: application/x-www-form-urlencoded </li></ul></ul><ul><ul><li>title=Buy+stuff&url=http://spammer.tld/&excerpt= Buy+my+stuff&blog_name=Spamblog </li></ul></ul>Jun 5, 2009 | |
  22. 22. Automation // Comments <ul><li>Problem: Spammers (automatically) post comments to weblogs to get their URL mentioned which in turn might increase their Google PageRank </li></ul><ul><li>Also works with feedback forms and „send-a-friend“ features of websites </li></ul>Jun 5, 2009 | |
  23. 23. Automation // CAPTCHAs <ul><li>Completely Automated Turing Test to Tell Computers and Humans Apart </li></ul><ul><li>Turing tests: Decide whether the communication partner is a person or a machine </li></ul><ul><li>Mostly, an image with text/numbers </li></ul><ul><li>ASCII and audio CAPTCHAs also exist </li></ul>Jun 5, 2009 | |
  24. 24. CAPTCHAs // Countermeasures <ul><li>Implementation bugs </li></ul><ul><li>Cheap workers </li></ul><ul><li>Horny surfers </li></ul>Jun 5, 2009 | |
  25. 25. Because! // Conclusion <ul><li>There is no 100% security </li></ul><ul><ul><li>But you should try </li></ul></ul><ul><li>Rule #1: Validate all input </li></ul><ul><li>Rule #2: Escape all output </li></ul><ul><li>Ajax applications do not always generate new attacks, but allow more entry points </li></ul><ul><li>Better paranoid than offline ™ </li></ul>Jun 5, 2009 | |
  26. 26. Christian's Conference Guide <ul><li>Tomorrow's security- and Ajax-related sessions </li></ul><ul><ul><li>Security </li></ul></ul><ul><ul><ul><li>11:00am, Hall B: Lesser Known Security Problems in PHP Applications </li></ul></ul></ul><ul><ul><ul><li>2:45pm, Hall B: Security-Centered Design (Hall B) </li></ul></ul></ul><ul><ul><li>Ajax </li></ul></ul><ul><ul><ul><li>11:00am, Room 203: The Power and Beauty of Dojo </li></ul></ul></ul><ul><ul><ul><li>1:30pm, Hall B: State of Ajax (Keynote) </li></ul></ul></ul><ul><ul><ul><li>2:45pm, Room 209: Building RIA with ZF and PHP </li></ul></ul></ul><ul><ul><ul><li>4:00pm, Room 203: PHP and Ajax Made Easier with Zend </li></ul></ul></ul>Jun 5, 2009 | |
  27. 27. Thank You! <ul><li>http://www.hauser-wenz.de/blog/ </li></ul><ul><li>[email_address] </li></ul><ul><li>Please don't forget the session evals! </li></ul>Jun 5, 2009 | |

×