• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
(In)Secure Ajax-Y Websites With PHP
 

(In)Secure Ajax-Y Websites With PHP

on

  • 6,134 views

 

Statistics

Views

Total Views
6,134
Views on SlideShare
6,126
Embed Views
8

Actions

Likes
9
Downloads
0
Comments
2

1 Embed 8

http://www.slideshare.net 8

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

12 of 2 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • Second on that. Please make this presentation downloadable. Thanks!
    Are you sure you want to
    Your message goes here
    Processing…
  • Hi, is it possible that you publish the presentation for Download? Thx!
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    (In)Secure Ajax-Y Websites With PHP (In)Secure Ajax-Y Websites With PHP Presentation Transcript

    • (IN)SECURE AJAX-Y WEBSITES WITH PHP Christian Wenz
    • Some Statistics
      • 9 out of 10 web sites have security vulnerabilities.
              • whitehat website security statistics report, March 2008
      • 7.72% of web sites can be automatically compromised. 96.85% of web sites can be compromised with manual means.
              • WASC Web Application Security Statistics Project 2007
      Jun 5, 2009 | |
    • Why? // The Problem
      • Numerous talks, whitepapers, articles and books on web application security
      • Foundation of non-profit organizations like OWASP
      • Heightened awareness in the media
      • But it does not seem to help
      Jun 5, 2009 | |
    • Why? // "Hall of Shame"
      • Recent evaluation of two dozen ramdomly picked Web 2.0 sites had an incredible "success rate"
      • Some high-profile sites have had issues, too
      • Most notably: MySpace, Facebook, Orkut, ...
      Jun 5, 2009 | |
    • Why? // Explanations
      • Bad, inconsistent advice in talks, whitepapers, articles and books
      • Lack of time
      • Ajax applications make it very easy to introduce vulnerabilities
        • Many new (unchecked?) server APIs
        • Applications rely on UGC (user-generated content)
      Jun 5, 2009 | |
    • Why? // Traditional Model Jun 5, 2009 | | Server Client
    • Why? // Ajax Model Jun 5, 2009 | | Server Client
    • XSS // Problem
      • Cross-Site Scripting (XSS)
      • (Old) Problem: Dynamic data is sent to the client – without validation
      • The following content can be dangerous
        • HTML
        • CSS
        • JavaScript
      Jun 5, 2009 | |
    • XSS // New Dangers
      • XSS everywhere
        • XML
        • RSS
        • HTTP Headers
      • Validate all incoming data!
      • Validate in all dynamic files!
        • Including REST-y web service APIs; not only Ajax applications may use them!
      Jun 5, 2009 | |
    • XSS // More Dangers
      • Fancy XSS
        • XSS without JavaScript
        • Advanced JavaScript
        • Attacks using embedded media
      • The browser's same origin policy does not help much
      • Filter using a whitelist approach, not blacklist!
      Jun 5, 2009 | |
    • CSRF // Problem
      • Cross Site Request Forgeries (CSRF)
      • Problem: HTTP requests do not always happen voluntarily
      Victim (client) Attacker (web site) Other web site (1) Requests page (2) Sends JavaScript (3) Requests page Jun 5, 2009 | |
    • CSRF // Countermeasures
      • As user
        • Logout whenever possible, as soon as possible
        • Do not visit unknown sites
        • Apart from that almost no chance to prevent attacks
      • As developer
        • Request login before „critical“ operations
        • Include secret/random token in forms
        • Use random names for form elements (?!)
      Jun 5, 2009 | |
    • SQL Injection // Problem
      • SQL Injection
      • (Old) Problem: Dynamic data is used in SQL statements – without validation
      • The list of attacks does not end with ' OR ''=' !
      Jun 5, 2009 | |
    • SQL Injection // Bad Ideas
      • Filter for „1=1“
      • Filter for '
      • Filter for #
      • Filter for --
      • What's next?!
      • Again: No blacklist, but whitelist
        • Or database-specific escape functions/methods
        • Or even better: Prepared statements (if supported)
      Jun 5, 2009 | |
    • SQL Injection // Fancy attacks
      • Prompting error messages
      • UNION attacks
      • Blind SQL attacks
      • Using built-in functionality
      • Second-order attacks
      • DoS attacks
      Jun 5, 2009 | |
    • Ajax // JavaScript attacks
      • JavaScript Hijacking
      • Vulnerable: GET requests that retrieve JSON information
      • Malicious JavaScript code overrides constructors, enabling to intercept and steal (or modify) JSON data
      • http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
      Jun 5, 2009 | |
    • Ajax // Countermeasures
      • Require POST for server APIs
      • Demand a certain HTTP header (e.g. Content-type: application/json )
      Jun 5, 2009 | |
    • Ajax // Further Concerns
      • Need to maintain state
        • Bookmarks
        • Back/forward buttons
      • Usually implemented using the hash portion of the URL
      • Then, parsed upon load
      • Check your parser!
      • Don't get me started with mashups!
      Jun 5, 2009 | |
    • XML // XML attacks
      • Feeding web services with incorrect XML
      • XPath Injection
      • Nasty entities
      • All input is evil!
      Jun 5, 2009 | |
    • Regular Expressions // RegEx attacks
      • Problem: e modifier in regular expressions
      • Extremely dangerous if user-supplied data is embedded in this regular expression
      • Arbitrary code execution may be possible
      Jun 5, 2009 | |
    • Automation // Trackbacks
      • Problem: Spammers create trackbacks to weblogs to get their URL mentioned and therefore increasing their Google PageRank
      • Trackback API is very simple
        • POST http://victim.tld/trackback?id=0815
        • Content-type: application/x-www-form-urlencoded
        • title=Buy+stuff&url=http://spammer.tld/&excerpt= Buy+my+stuff&blog_name=Spamblog
      Jun 5, 2009 | |
    • Automation // Comments
      • Problem: Spammers (automatically) post comments to weblogs to get their URL mentioned which in turn might increase their Google PageRank
      • Also works with feedback forms and „send-a-friend“ features of websites
      Jun 5, 2009 | |
    • Automation // CAPTCHAs
      • Completely Automated Turing Test to Tell Computers and Humans Apart
      • Turing tests: Decide whether the communication partner is a person or a machine
      • Mostly, an image with text/numbers
      • ASCII and audio CAPTCHAs also exist
      Jun 5, 2009 | |
    • CAPTCHAs // Countermeasures
      • Implementation bugs
      • Cheap workers
      • Horny surfers
      Jun 5, 2009 | |
    • Because! // Conclusion
      • There is no 100% security
        • But you should try
      • Rule #1: Validate all input
      • Rule #2: Escape all output
      • Ajax applications do not always generate new attacks, but allow more entry points
      • Better paranoid than offline ™
      Jun 5, 2009 | |
    • Christian's Conference Guide
      • Tomorrow's security- and Ajax-related sessions
        • Security
          • 11:00am, Hall B: Lesser Known Security Problems in PHP Applications
          • 2:45pm, Hall B: Security-Centered Design (Hall B)
        • Ajax
          • 11:00am, Room 203: The Power and Beauty of Dojo
          • 1:30pm, Hall B: State of Ajax (Keynote)
          • 2:45pm, Room 209: Building RIA with ZF and PHP
          • 4:00pm, Room 203: PHP and Ajax Made Easier with Zend
      Jun 5, 2009 | |
    • Thank You!
      • http://www.hauser-wenz.de/blog/
      • [email_address]
      • Please don't forget the session evals!
      Jun 5, 2009 | |