(In)Secure Ajax-Y Websites With PHP

Published in: Technology

2 Comments
  • Second on that. Please make this presentation downloadable. Thanks!
  • Hi, is it possible that you publish the presentation for Download? Thx!
Transcript

  • 1. (IN)SECURE AJAX-Y WEBSITES WITH PHP, Christian Wenz, Jun 5, 2009
  • 2. Some Statistics
    - 9 out of 10 web sites have security vulnerabilities.
      (WhiteHat Website Security Statistics Report, March 2008)
    - 7.72% of web sites can be automatically compromised. 96.85% of web sites can be compromised with manual means.
      (WASC Web Application Security Statistics Project 2007)
  • 3. Why? // The Problem
    - Numerous talks, whitepapers, articles and books on web application security
    - Foundation of non-profit organizations like OWASP
    - Heightened awareness in the media
    - But it does not seem to help
  • 4. Why? // "Hall of Shame"
    - A recent evaluation of two dozen randomly picked Web 2.0 sites had an incredible "success rate"
    - Some high-profile sites have had issues, too
    - Most notably: MySpace, Facebook, Orkut, ...
  • 5. Why? // Explanations
    - Bad, inconsistent advice in talks, whitepapers, articles and books
    - Lack of time
    - Ajax applications make it very easy to introduce vulnerabilities
      - Many new (unchecked?) server APIs
      - Applications rely on UGC (user-generated content)
  • 6. Why? // Traditional Model
    [Diagram: Server and Client]
  • 7. Why? // Ajax Model
    [Diagram: Server and Client]
  • 8. XSS // Problem
    - Cross-Site Scripting (XSS)
    - (Old) Problem: Dynamic data is sent to the client without validation
    - The following content can be dangerous
      - HTML
      - CSS
      - JavaScript
  • 9. XSS // New Dangers
    - XSS everywhere
      - XML
      - RSS
      - HTTP Headers
      - ...
    - Validate all incoming data!
    - Validate in all dynamic files!
      - Including REST-y web service APIs; not only Ajax applications may use them!
  • 10. XSS // More Dangers
    - Fancy XSS
      - XSS without JavaScript
      - Advanced JavaScript
      - Attacks using embedded media
    - The browser's same origin policy does not help much
    - Filter using a whitelist approach, not blacklist!
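Slides 8 to 10 boil down to one rule: the same piece of user-generated content has to be escaped differently for each context it is written into. The following is an added example (not code from the slides) of one escaping helper per output context in PHP; it assumes PHP 7.3 or later and UTF-8 throughout.

```php
<?php
// Added example: context-specific output escaping for the same UGC string.
declare(strict_types=1);

function escHtml(string $s): string
{
    // ENT_QUOTES covers both quote styles, so the result is safe in element
    // text and inside single- or double-quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escJs(string $s): string
{
    // json_encode yields a valid JavaScript string literal; the JSON_HEX_*
    // flags encode < > & ' " as \uXXXX so the literal can neither close a
    // <script> block nor break out of an attribute when inlined in HTML.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function escXml(string $s): string
{
    // RSS/XML: drop control characters that are illegal in XML 1.0 (they
    // break the feed in some readers) and escape the markup characters.
    $clean = preg_replace('/[^\x09\x0A\x0D\x20-\x{10FFFF}]/u', '', $s) ?? '';
    return htmlspecialchars($clean, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Constructed sample of user-generated content (not real site data).
$ugc = '<img src=x onerror="alert(1)"> & "quotes" \'too\' </script>';

// 1) HTML page: element text and an attribute value
echo '<p>', escHtml($ugc), "</p>\n";
echo '<input value="', escHtml($ugc), "\">\n";

// 2) The same string handed to client-side code as a JS literal
echo '<script>var title = ', escJs($ugc), ";</script>\n";

// 3) The same string inside an RSS item (served as application/rss+xml
//    from a separate script in practice; shown here side by side)
echo '<item><title>', escXml($ugc), "</title></item>\n";
```

Validation on input (slide 9) and escaping on output are complementary: the helpers above never reject content, they only make sure it is rendered as data in whichever context it lands in.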
  • 11. CSRF // Problem
    - Cross Site Request Forgeries (CSRF)
    - Problem: HTTP requests do not always happen voluntarily
    [Diagram: Victim (client) (1) requests a page from the Attacker (web site), which (2) sends JavaScript; the victim's browser then (3) requests a page from the Other web site]
  • 12. CSRF // Countermeasures
    - As user
      - Logout whenever possible, as soon as possible
      - Do not visit unknown sites
      - Apart from that almost no chance to prevent attacks
    - As developer
      - Request login before "critical" operations
      - Include secret/random token in forms
      - Use random names for form elements (?!)
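The developer-side countermeasure "include a secret/random token in forms" from slide 12, as an added example in PHP (not code from the slides). It assumes PHP 7 or later, PHP sessions, and a hypothetical "change e-mail" form as the critical operation.

```php
<?php
// Added example: per-session secret token embedded in every form that
// performs a critical operation, and verified before the operation runs.
declare(strict_types=1);

session_start();

function csrfToken(): string
{
    // Generated once per session: 32 random bytes, hex-encoded.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    // Hidden field to include in each state-changing form.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(): bool
{
    // Only POST may change state, and the submitted token must equal the
    // session's; hash_equals() avoids a timing side channel on comparison.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent = $_POST['csrf_token'] ?? '';
    return is_string($sent) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrfCheck()) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the critical operation (hypothetical: change e-mail) ...
    exit('OK');
}

// Render the form with the token. A third-party site can trigger this
// request but cannot read our page, so it cannot learn the token value.
echo '<form method="post" action="">', csrfField(),
     '<input name="email"><button>Change e-mail</button></form>';
```

For Ajax calls the same token can be sent in a request header or in the JSON body instead of a hidden field; the check on the server stays identical.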
  • 13. SQL Injection // Problem
    - SQL Injection
    - (Old) Problem: Dynamic data is used in SQL statements without validation
    - The list of attacks does not end with ' OR ''='!
  • 14. SQL Injection // Bad Ideas
    - Filter for "1=1"
    - Filter for '
    - Filter for #
    - Filter for --
    - What's next?!
    - Again: No blacklist, but whitelist
      - Or database-specific escape functions/methods
      - Or even better: Prepared statements (if supported)
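Slide 14's three options side by side, as an added example (not code from the slides): the blacklist filter it warns against, a prepared statement for values, and a whitelist for the parts of a statement that cannot be bound as parameters. It assumes PDO with the SQLite driver and a constructed `users` table.

```php
<?php
// Added example: blacklist filtering versus prepared statements and whitelists.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real prepares where the driver supports them
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'a@example.com'), ('bob', 'b@example.com')");

// BAD (slide 14): strip a few known tokens, then concatenate. Whatever the
// list does not mention still goes straight into the statement as SQL.
function findUserBlacklist(PDO $pdo, string $name): array
{
    $name = str_ireplace(['1=1', "'", '#', '--'], '', $name);
    return $pdo->query("SELECT id, name FROM users WHERE name = '$name'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// GOOD: a prepared statement. The value is bound, never parsed as SQL, so
// it needs no quoting or filtering at all.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (column names, sort direction) cannot be bound as parameters;
// for those the whitelist rule applies: map input onto known values only.
function listUsers(PDO $pdo, string $orderBy, string $dir): array
{
    $columns = ['id' => 'id', 'name' => 'name', 'email' => 'email'];
    $dirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    $col = $columns[strtolower($orderBy)] ?? 'id';   // unknown input falls back
    $d   = $dirs[strtolower($dir)] ?? 'ASC';
    return $pdo->query("SELECT id, name FROM users ORDER BY $col $d")
               ->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(findUser($pdo, "' OR ''="));                  // [] : treated as a literal name
var_dump(listUsers($pdo, 'email; anything', 'desc'));  // falls back to ORDER BY id DESC
```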
  • 15. SQL Injection // Fancy attacks
    - Prompting error messages
    - UNION attacks
    - Blind SQL attacks
    - Using built-in functionality
    - Second-order attacks
    - DoS attacks
  • 16. Ajax // JavaScript attacks
    - JavaScript Hijacking
    - Vulnerable: GET requests that retrieve JSON information
    - Malicious JavaScript code overrides constructors, enabling it to intercept and steal (or modify) JSON data
    - http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
  • 17. Ajax // Countermeasures
    - Require POST for server APIs
    - Demand a certain HTTP header (e.g. Content-type: application/json)
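Both countermeasures from slide 17 in one server-side guard, as an added example in PHP (not code from the slides). It assumes PHP 7.3 or later and a hypothetical JSON API that returns a record for the logged-in user.

```php
<?php
// Added example: a JSON endpoint that only answers POST requests carrying
// Content-Type: application/json. A <script src="..."> include from another
// site can only issue a plain GET, so the JSON never reaches the page that
// overrode the constructors (slide 16).
declare(strict_types=1);

function rejectUnlessJsonPost(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        header('Allow: POST');
        http_response_code(405);
        exit;
    }
    // Neither an HTML form nor a script tag can send this content type; a
    // cross-origin XMLHttpRequest/fetch with it triggers a CORS preflight,
    // which this endpoint simply does not approve.
    $ct = strtolower(trim(explode(';', $_SERVER['CONTENT_TYPE'] ?? '')[0]));
    if ($ct !== 'application/json') {
        http_response_code(415);
        exit;
    }
}

function readJsonBody(): array
{
    try {
        $data = json_decode(file_get_contents('php://input'), true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        http_response_code(400);
        exit;
    }
    return is_array($data) ? $data : [];
}

function sendJson(array $payload): void
{
    // Declare the type explicitly and forbid MIME sniffing so the reply is
    // never interpreted by the browser as HTML or script.
    header('Content-Type: application/json; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($payload, JSON_THROW_ON_ERROR);
}

rejectUnlessJsonPost();
$req = readJsonBody();
// ... authorise the session user for the requested record (hypothetical) ...
sendJson(['id' => (int) ($req['id'] ?? 0), 'data' => 'only for this user']);
```

Requiring POST also removes the GET-based variant of CSRF for this API; the token check from slide 12 still applies to the POST.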
  • 18. Ajax // Further Concerns
    - Need to maintain state
      - Bookmarks
      - Back/forward buttons
    - Usually implemented using the hash portion of the URL
    - Then, parsed upon load
    - Check your parser!
    - Don't get me started with mashups!
  • 19. XML // XML attacks
    - Feeding web services with incorrect XML
    - XPath Injection
    - Nasty entities
    - All input is evil!
  • 20. Regular Expressions // RegEx attacks
    - Problem: the e modifier in regular expressions
    - Extremely dangerous if user-supplied data is embedded in this regular expression
    - Arbitrary code execution may be possible
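The e modifier from slide 20 belongs to PHP's preg_replace(): with /e the replacement string is evaluated as PHP code after back-references are substituted into it. The following is an added example (not code from the slides) of the safe replacements; it assumes PHP 7 or later (where /e no longer exists, having been deprecated in 5.5 and removed in 7.0) and a hypothetical `{{name}}` template feature.

```php
<?php
// Added example: the /e pattern and what to use instead.
declare(strict_types=1);

$vars = ['name' => 'alice'];

// OLD (PHP 5 only): the replacement is PHP code. The capture, taken straight
// from user input, is pasted into that code before it is eval()'d, so the
// pattern is the only thing standing between the input and the interpreter.
//   $out = preg_replace('/\{\{(\w+)\}\}/e', 'strtoupper($vars["$1"])', $input);

// NEW: preg_replace_callback() runs a real PHP function; the capture is
// passed in as data and is never parsed as code.
function render(string $input, array $vars): string
{
    return preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        static function (array $m) use ($vars): string {
            return strtoupper($vars[$m[1]] ?? '');
        },
        $input
    ) ?? '';
}

// When user data must go into the pattern itself (slide 20's second point),
// preg_quote() neutralises metacharacters and the delimiter so the input
// cannot change what the pattern matches.
function highlight(string $haystack, string $needle): string
{
    $pattern = '/' . preg_quote($needle, '/') . '/i';
    return preg_replace($pattern, '[$0]', $haystack) ?? '';
}

// Constructed inputs: a capture that names no variable, and a "needle"
// full of regex metacharacters.
echo render('Hello {{name}}, {{nope}}!', $vars), "\n";   // Hello ALICE, !
echo highlight('price: 10.5 (approx.)', '.5 ('), "\n";    // price: 10[.5 (]approx.)
```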
  • 21. Automation // Trackbacks
    - Problem: Spammers create trackbacks to weblogs to get their URL mentioned and thereby increase their Google PageRank
    - Trackback API is very simple
      - POST http://victim.tld/trackback?id=0815
      - Content-type: application/x-www-form-urlencoded
      - title=Buy+stuff&url=http://spammer.tld/&excerpt=Buy+my+stuff&blog_name=Spamblog
  • 22. Automation // Comments
    - Problem: Spammers (automatically) post comments to weblogs to get their URL mentioned, which in turn might increase their Google PageRank
    - Also works with feedback forms and "send-a-friend" features of websites
  • 23. Automation // CAPTCHAs
    - Completely Automated Turing Test to Tell Computers and Humans Apart
    - Turing tests: Decide whether the communication partner is a person or a machine
    - Mostly, an image with text/numbers
    - ASCII and audio CAPTCHAs also exist
  • 24. CAPTCHAs // Countermeasures
    - Implementation bugs
    - Cheap workers
    - Horny surfers
  • 25. Because! // Conclusion
    - There is no 100% security
      - But you should try
    - Rule #1: Validate all input
    - Rule #2: Escape all output
    - Ajax applications do not always generate new attacks, but allow more entry points
    - Better paranoid than offline ™
  • 26. Christian's Conference Guide
    - Tomorrow's security- and Ajax-related sessions
      - Security
        - 11:00am, Hall B: Lesser Known Security Problems in PHP Applications
        - 2:45pm, Hall B: Security-Centered Design
      - Ajax
        - 11:00am, Room 203: The Power and Beauty of Dojo
        - 1:30pm, Hall B: State of Ajax (Keynote)
        - 2:45pm, Room 209: Building RIA with ZF and PHP
        - 4:00pm, Room 203: PHP and Ajax Made Easier with Zend
  • 27. Thank You!
    - http://www.hauser-wenz.de/blog/
    - [email_address]
    - Please don't forget the session evals!