To be Hacked or not to be Hacked!

You have an RFID system to secure library materials, but what about web applications implemented by your library? This session provides an introduction on how you can secure your PHP web applications in order to prevent a potential hacker attack.



  1. To be Hacked or not to be Hacked!
     Vincci Kwong and Gary Browning, Indiana University South Bend
     Indiana Library Federation Annual Conference, October 22, 2013
  2. https://www.youtube.com/watch?v=lw7dt0AhXXI
     2013 ILF Annual Conference October 22, 2013
  3. What are Web Applications?
  4. What is PHP?
     • A server-side scripting language designed for web development
     • Open source programming language
     • Powering over 80% of all websites
     • PHP code is as secure as the programmer writes it
  5. Why hack web applications?
     • Stealing sensitive information
     • Defacement
     • Planting malware
     • Deceit
     • Blackmail
     • Link spam
     • Worms
     • Phishing
  6. Why secure web applications?
     • Everyone can touch web applications!
     • It is hard to secure!!!
  7. Am I being hacked?
     • Check your server access logs
     • Look for recently modified files
     • Look for files that shouldn't be there
     • Scan through your files
  8. Top 10 security issues for web applications
     1. Injection
     2. Broken authentication and session management
     3. Cross site scripting (XSS)
     4. Insecure direct object references
     5. Security misconfiguration
     6. Sensitive data exposure
     7. Missing function level access control
     8. Cross site request forgery (CSRF)
     9. Using known vulnerable components
     10. Unvalidated redirects and forwards
  9. What can I do?
     • Write secure code!!
     • Use the PHP Security Cheat Sheet
     • Use a web application scanner
  10. Writing Secure Code
     • Do not trust visitors to your website
     • Understand Register Globals
     • Error messages
     • SQL Injections
     • File Manipulation
     • XSS
  11. Register Globals
     • Feature removed as of PHP 5.4.0 !!!!
     • Variables from HTML forms were injected into code automatically
     • Remember, PHP does not require variable initialization
  12. Example: Misuse with register_globals = on

     <?php
     // define $authorized = true only if user is authenticated
     if (authenticated_user()) {
         $authorized = true;
     }
     if ($authorized) {
         include "/highly/sensitive/data.php";
     }
     ?>

  13. Example: Misuse with register_globals = on

     <?php
     // define $authorized = true only if user is authenticated
     if (authenticated_user()) {
         $authorized = true;
     }
     // Because we didn't first initialize $authorized as false, this might be
     // defined through register_globals, like from GET auth.php?authorized=1
     // So, anyone can be seen as authenticated!
     if ($authorized) {
         include "/highly/sensitive/data.php";
     }
     ?>
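The same check written so that register_globals cannot pre-set $authorized, as an added example that is not from the slides. It assumes authenticated_user() is the application's own session check.

```php
<?php
// Added example (not from the slides): the slide-12 check, hardened.
// Assumption: authenticated_user() is the application's own session check.

// Refuse to run on a server that still has register_globals enabled. The
// directive was removed in PHP 5.4.0; on older versions ini_get() reports it,
// on newer ones it returns false and this check is simply skipped.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals must be disabled in php.ini');
}

// Always initialize. With an explicit false default, a stray
// ?authorized=1 in the query string can no longer stand in for a login,
// because the assignment below overwrites whatever was injected.
$authorized = false;
if (authenticated_user()) {
    $authorized = true;
}

if ($authorized) {
    include '/highly/sensitive/data.php';
}
```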
  14. SQL Injections
     SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). ... http://en.wikipedia.org/wiki/SQL_injection
  15. Example: SQL Injection

     $proceed = mysql_query("SELECT Username, Password, AccessLVL FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

     From a web form, someone inputs the following:
     USERNAME: ' OR 1=1 #
  16. Example: SQL Injection

     $proceed = mysql_query("SELECT Username, Password, AccessLVL FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

     SQL Query:
     SELECT Username, Password, AccessLVL FROM Users WHERE Username = '' OR 1=1 #' and Password = ''

  17. Example: SQL Injection

     $proceed = mysql_query("SELECT Username, Password, AccessLVL FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

     SQL Query:
     SELECT Username, Password, AccessLVL FROM Users WHERE Username = '' OR 1=1 #' and Password = ''

     This will return the entire list of usernames and passwords !!!!
     Fix this using mysql_real_escape_string or mysqli_real_escape_string
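The login query from slides 15 to 17 rewritten with a mysqli prepared statement, with the escaping fix named on slide 17 shown alongside it; this is an added example, not code from the slides. The connection details are placeholders, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example (not from the slides): the slide-15 login query with bound
// parameters. The submitted values never become part of the SQL text, so
// ' OR 1=1 # is just an (unknown) username rather than a change to the query.
// Assumptions: placeholder connection details; get_result() needs mysqlnd.

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'library');
if ($db->connect_error) {
    exit('Database connection failed');
}
$db->set_charset('utf8mb4');   // escaping below is only reliable with this set

function lookup_user(mysqli $db, $username, $password)
{
    // Placeholders (?) replace the string concatenation from the slide.
    $stmt = $db->prepare(
        'SELECT Username, AccessLVL FROM Users WHERE Username = ? AND Password = ?'
    );
    if ($stmt === false) {
        return null;
    }
    // "ss": both values are bound as strings, whatever characters they contain.
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // one row, or null if no match
    $stmt->close();
    return $row;
}

// The input from the slide: the quote and the comment marker are data now, so
// the statement only matches a user literally named "' OR 1=1 #" and finds none.
$row = lookup_user($db, "' OR 1=1 #", '');

// A normal login goes through the same function. (In production the Password
// column should hold a hash, checked with password_verify() after the lookup.)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$row = lookup_user($db, $username, $password);

// Legacy alternative named on slide 17: escape, then concatenate. Only safe
// when the escaped value sits inside quotes in the SQL and set_charset() was called.
$safe_user = $db->real_escape_string($username);
$legacy = "SELECT Username, AccessLVL FROM Users WHERE Username = '$safe_user'";
```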
  18. File Manipulation
     some.web.address/index.php?index.html
  19. File Manipulation
     some.web.address/index.php?.htaccess
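A page loader that answers slides 18 and 19 by never using the request to build a file name: the query value only selects an entry from a fixed allowlist. This is an added example, not code from the slides; it assumes the static pages live in a pages/ directory next to index.php and are selected with ?page=.

```php
<?php
// Added example (not from the slides): allowlisted page loading instead of
// index.php?<filename>. Assumption: static pages live in pages/ next to this file.

$pages_dir = __DIR__ . '/pages';

// Only these files may ever be served; the request never supplies a path, so
// ?page=.htaccess or ?page=../config.php cannot name anything outside the list.
$allowed = array(
    'home'  => 'home.html',
    'hours' => 'hours.html',
    'about' => 'about.html',
);

function resolve_page($pages_dir, array $allowed, $requested)
{
    // Unknown, missing or non-string keys (e.g. ?page[]=x) fall back to home.
    if (!is_string($requested) || !isset($allowed[$requested])) {
        $requested = 'home';
    }
    $path = realpath($pages_dir . '/' . $allowed[$requested]);

    // Belt and braces: the resolved file must still sit inside pages/. This
    // catches a mistake in the allowlist itself, such as an entry containing "../".
    $base = realpath($pages_dir);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'home';
$path = resolve_page($pages_dir, $allowed, $requested);
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('Page not found');
}
// The pages are static HTML, so they are copied to the output with readfile()
// rather than include(): nothing placed in pages/ is ever executed as PHP.
readfile($path);
```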
  20. XSS (imagine the following code in your index.php file)

     <?php
     $name = $_GET['name'];
     echo "Welcome $name<br>";
     echo '<a href="http://librarysite.org/">Click to visit</a>';
     ?>

     If someone entered the following on a web form, what would happen?
     guest<script>alert('attacked')</script>
  21. XSS
     Would you trust this URL if you saw the link on a website (assume you are familiar with 'mytrustedsite.org')?
     mytrustedsite.org/index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-realtrustedsite.com/";}</script>
  22. XSS
     Would you trust this URL if you saw the link on a website (assume you are familiar with 'mytrustedsite.org')?
     mytrustedsite.org/index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
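The index.php from slide 20 with its output escaped, which also covers the percent-encoded link on slide 22; this is an added example, not code from the slides. The helper name e() is the author's choice here, not a PHP built-in.

```php
<?php
// Added example (not from the slides): slide 20's index.php with output escaping,
// so whatever arrives in ?name= is displayed as text and never run as script.

// One escaping helper for every value that is echoed into HTML (name chosen here).
function e($value)
{
    // ENT_QUOTES also converts ' and ", so the result is safe inside attributes;
    // the explicit UTF-8 charset keeps multibyte input from being mangled.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// PHP percent-decodes the query string before the script sees it, so the
// hex-encoded link from slide 22 arrives as the same <script>...</script> text
// as the readable one on slide 21. Escaping on output handles both identically.
$name = (isset($_GET['name']) && is_string($_GET['name'])) ? $_GET['name'] : 'guest';

echo "Welcome " . e($name) . "<br>";
echo '<a href="http://librarysite.org/">Click to visit</a>';

// With e() in place, guest<script>alert('attacked')</script> from slide 20 is
// rendered by the browser as that literal text: the angle brackets and quotes
// are entity-encoded, so no script element is created and the link is untouched.
```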
  23. Web Application Scanners
     https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
     Contains a list of open source and commercial products
  24. It's not in the Top 10, but…
     • Unvalidated inputs
  25. Reporting a hacked site!
     • Why do you think the website is being hacked?
     • What on the website is looking unusual? Did you clear your browser's cache?
     • Are you being redirected to another website? If yes, note the URL of the site.
     • Were you being asked to provide confidential information?
     • Do patrons report receiving unusual email from the library?
     • When did it happen?
  26. Emergency contact list
     • Library IT personnel
     • Director/Dean of the Library
     • Vendors
     • Patrons
  27. Resources
     • PHP Security Cheat Sheet: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
     • PHP Security Guide: http://phpsec.org/projects/guide/
     • Securing PHP Web Applications: http://www.amazon.com/Securing-PHPApplications-TriciaBallad/dp/0321534344
  28. Questions? Feel free to contact us at
     • Vincci Kwong, Email: vkwong@iusb.edu, Phone: 574-520-4444
     • Gary Browning, Email: gary@iusb.edu, Phone: 574-520-5516
