To be Hacked or not to be Hacked!
You have an RFID system to secure library materials, but what about web applications implemented by your library? This session provides an introduction on how you can secure your PHP web applications in order to prevent a potential hacker attack.

Presentation Transcript

  • To be Hacked or not to be Hacked! Vincci Kwong and Gary Browning, Indiana University South Bend. Indiana Library Federation Annual Conference, October 22, 2013
  • https://www.youtube.com/watch?v=lw7dt0AhXXI 2013 ILF Annual Conference October 22, 2013
  • What are Web Applications?
  • What is PHP?
    • A server-side scripting language designed for web development
    • Open source programming language
    • Powering over 80% of all websites
    • PHP code is as secure as the programmer writes it
  • Why hack web applications?
    • Stealing sensitive information
    • Defacement
    • Planting malware
    • Deceit
    • Blackmail
    • Link spam
    • Worms
    • Phishing
  • Why secure web applications?
    • Everyone can touch web applications!
    • It is hard to secure!!!
  • Am I being hacked?
    • Check your server access logs
    • Look for recently modified files
    • Look for files that shouldn't be there
    • Scan through your files
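The slide lists what to look for but not how to look; the script below is an added example (not part of the presentation) that turns the "recently modified files" and "files that shouldn't be there" checks into a repeatable baseline-and-compare job. The web root, the manifest path and the 24-hour window are assumptions; it needs PHP 7 or later for the spaceship operator.

```php
<?php
// Added example, not from the slides: a baseline-and-compare integrity check.
// WEB_ROOT and MANIFEST are assumed paths; keep the manifest outside the web
// root so a compromised site cannot rewrite its own baseline.

const WEB_ROOT = '/var/www/html';                    // assumed web root
const MANIFEST = '/var/backups/site-manifest.json';  // assumed, outside the web root

/** Walk $root and return [relative path => sha256 digest] for every regular file. */
function buildManifest(string $root): array
{
    $manifest = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $manifest[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($manifest);
    return $manifest;
}

/** Compare a saved baseline with the current tree: added, removed and modified paths. */
function diffManifests(array $baseline, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $digest) {
        if (!hash_equals($baseline[$path], $digest)) {
            $modified[] = $path;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

/** Files whose mtime falls within the last $hours hours, newest first. */
function recentlyModified(string $root, int $hours): array
{
    $cutoff = time() - $hours * 3600;
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && $file->getMTime() >= $cutoff) {
            $hits[] = [$file->getPathname(), $file->getMTime()];
        }
    }
    usort($hits, function ($a, $b) { return $b[1] <=> $a[1]; });
    return $hits;
}

// Usage: "php integrity.php init" once on a known-good site, then
// "php integrity.php check" from cron. Exit status 1 means the tree has drifted.
$mode = $argv[1] ?? 'check';
if ($mode === 'init') {
    file_put_contents(MANIFEST, json_encode(buildManifest(WEB_ROOT), JSON_PRETTY_PRINT));
    echo 'Baseline written to ' . MANIFEST . PHP_EOL;
    exit(0);
}

$baseline = is_readable(MANIFEST) ? json_decode(file_get_contents(MANIFEST), true) : null;
if (!is_array($baseline)) {
    fwrite(STDERR, "No usable baseline; run 'init' on a known-good copy first." . PHP_EOL);
    exit(2);
}

$diff = diffManifests($baseline, buildManifest(WEB_ROOT));
foreach ($diff as $kind => $paths) {
    foreach ($paths as $path) {
        printf("%-9s %s\n", strtoupper($kind), $path);   // ADDED / REMOVED / MODIFIED
    }
}
foreach (recentlyModified(WEB_ROOT, 24) as [$path, $mtime]) {
    printf("%-9s %s  %s\n", 'RECENT', date('c', $mtime), $path);
}
exit(($diff['added'] || $diff['modified']) ? 1 : 0);
```

A file that appears in the ADDED list and was never deployed by you is exactly the "file that shouldn't be there" the slide warns about; a MODIFIED hit on a file nobody edited is the usual first sign of an injected backdoor or spam page. Treat the output as a lead to investigate alongside the access logs, not as proof on its own.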
  • Top 10 security issues for web applications
    1. Injection
    2. Broken authentication and session management
    3. Cross site scripting (XSS)
    4. Insecure direct object references
    5. Security misconfiguration
    6. Sensitive data exposure
    7. Missing function level access control
    8. Cross site request forgery (CSRF)
    9. Using known vulnerable components
    10. Unvalidated redirects and forwards
  • What can I do?
    • Write secure code!!
    • Use the PHP Security Cheat Sheet
    • Use a web application scanner
  • Writing Secure Code
    • Do not trust visitors to your website
    • Understand Register Globals
    • Error messages
    • SQL Injections
    • File Manipulation
    • XSS
  • Register Globals
    • Feature removed as of PHP 5.4.0 !!!!
    • Variables from HTML forms were injected into code automatically
    • Remember, PHP does not require variable initialization
  • Example: Misuse with register_globals = on
    <?php
    // define $authorized = true only if user is authenticated
    if (authenticated_user()) {
        $authorized = true;
    }
    if ($authorized) {
        include "/highly/sensitive/data.php";
    }
    ?>
  • Example: Misuse with register_globals = on
    <?php
    // define $authorized = true only if user is authenticated
    if (authenticated_user()) {
        $authorized = true;
    }
    // Because we didn't first initialize $authorized as false, this might be
    // defined through register_globals, like from GET auth.php?authorized=1
    // So, anyone can be seen as authenticated!
    if ($authorized) {
        include "/highly/sensitive/data.php";
    }
    ?>
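The fix the slide points at is initialization: give `$authorized` its safe value before any conditional assignment, so a request parameter can never supply it. The snippet below is an added example (not from the presentation) of the same check written that way; it also refuses to run if the legacy setting is on. `authenticated_user()` is the slide's placeholder, and the session-based body given to it here is an assumption.

```php
<?php
// Added example, not from the slides: the register_globals check done safely.
// authenticated_user() keeps the slide's name; its session-based body is assumed.

// Refuse to serve anything on a legacy build that still has the setting enabled.
// On PHP 5.4+ the directive no longer exists, ini_get() returns false, and this
// check simply passes.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be Off');
}

/** True only when a separate login handler has stored a user id in the session. */
function authenticated_user(): bool
{
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

session_start();

// Initialize to the safe default BEFORE any conditional assignment. Now
// auth.php?authorized=1 has nothing to inject into: the request value, if the
// interpreter ever did copy it into $authorized, is overwritten right here.
$authorized = false;
if (authenticated_user()) {
    $authorized = true;
}

if ($authorized) {
    include "/highly/sensitive/data.php";   // path from the slide
} else {
    http_response_code(403);
    echo 'Forbidden';
}
```

Initializing every variable you branch on costs nothing and also protects against the modern equivalent of this bug, an `extract($_POST)` or `foreach ($_GET as $k => $v) $$k = $v;` somewhere upstream, which recreates register_globals by hand.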
  • SQL Injections
    "SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). ..." http://en.wikipedia.org/wiki/SQL_injection
  • Example: SQL Injection
    $proceed = mysql_query("SELECT Username, Password, AccessLVL FROM Users
        WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
    From a web form, someone inputs the following:
    USERNAME: ' OR 1=1 #
    SQL Query:
    SELECT Username, Password, AccessLVL FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
    This will return the entire list of usernames and passwords !!!!
    Fix this using mysql_real_escape_string or mysqli_real_escape_string
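The slide's fix is escaping. The added example below (not from the presentation) rewrites the same login query with a mysqli prepared statement instead, because parameter binding keeps user input out of the SQL text altogether and the `mysql_*` extension the slide uses was removed in PHP 7. Table and column names are the slide's; the connection details and a `PasswordHash` column holding `password_hash()` output are assumptions.

```php
<?php
// Added example, not from the slides: the login query with a prepared statement.
// Connection credentials and the PasswordHash column are assumptions.

function connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
    return new mysqli('localhost', 'app', 'secret', 'library'); // assumed credentials
}

/**
 * Look the user up by name and verify the password against the stored hash.
 * Returns AccessLVL on success, null otherwise. "No such user" and "wrong
 * password" give the same answer so usernames cannot be enumerated.
 */
function login(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT PasswordHash, AccessLVL FROM Users WHERE Username = ?');
    $stmt->bind_param('s', $username);   // sent as data; never spliced into the SQL string
    $stmt->execute();
    $stmt->bind_result($hash, $level);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $level;
}

// With the slide's string-built query, the username  ' OR 1=1 #  turns the WHERE
// clause into a tautology and comments out the password test. Bound as a
// parameter it is just a 10-character string that matches no Username, so
// login() returns null and the request is rejected.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$level = login(connect(), $username, $password);
if ($level === null) {
    http_response_code(401);
    exit('Invalid username or password');
}
echo 'Welcome, access level ' . $level;
```

Two things the example changes beyond the slide: the password is compared with `password_verify()` against a hash written by `password_hash()` rather than stored in clear text, and the query no longer selects the password column at all, so even a successful injection elsewhere in the application has less to dump. Escaping with `mysqli_real_escape_string()` still works when a statement genuinely cannot be parameterized, but it must be applied to every interpolated value and the right connection charset must be set first; prepared statements remove both of those footguns.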
  • File Manipulation
    some.web.address/index.php?index.html
    some.web.address/index.php?.htaccess
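The two URLs on the slide only make sense if `index.php` includes whichever file the query string names, which is why the second one hands back `.htaccess`. The added example below (not from the presentation) is the usual remedy: the request selects a key from a fixed allowlist, and the resolved path is checked to stay under the intended directory. The `PAGES` map, the `p` parameter and the `pages/` directory are assumptions.

```php
<?php
// Added example, not from the slides: a page selector that cannot be pointed
// at arbitrary files. PAGES, the "p" parameter and pages/ are assumptions.

const PAGES = [
    'home'    => 'pages/home.html',
    'hours'   => 'pages/hours.html',
    'contact' => 'pages/contact.html',
];

/** Map a request value to a real file path, or null if it is not on the allowlist. */
function resolvePage(?string $requested): ?string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, PAGES)) {
        return null;   // ".htaccess", "../../etc/passwd", remote URLs: none is a key
    }

    // Belt and braces: even an allowlisted entry must resolve to a file under pages/.
    $real = realpath(__DIR__ . '/' . PAGES[$key]);
    $base = realpath(__DIR__ . '/pages');
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = resolvePage($_GET['p'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
readfile($page);   // static HTML: send it; do not include() it, which would execute any PHP inside
```

The same shape (request value becomes a lookup key, never a path fragment) fixes the other file-manipulation variants: templates chosen by name, language files, download handlers. Where a file name really has to come from the user, the `realpath()` plus prefix check is the minimum, and `readfile()` rather than `include` keeps a misplaced `.php` from running.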
  • XSS (imagine the following code in your index.php file)
    <?php
    $name = $_GET['name'];
    echo "Welcome $name<br>";
    echo '<a href="http://librarysite.org/">Click to visit</a>';
    ?>
    If someone entered the following on a web form, what would happen?
    guest<script>alert('attacked')</script>
  • XSS
    Would you trust this URL if you saw the link on a website (assume you are familiar with 'mytrustedsite.org')?
    mytrustedsite.org/index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-realtrustedsite.com/";}</script>
  • XSS
    Would you trust this URL if you saw the link on a website (assume you are familiar with 'mytrustedsite.org')?
    mytrustedsite.org/index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
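Both XSS slides come down to one missing call: the page echoes `$name` into HTML without escaping it. The added example below (not from the presentation) is that `index.php` with `htmlspecialchars()` applied, plus a small triage helper that decodes a percent-encoded parameter the way the browser would, so a reviewer can see what a link like the second one on the slide actually carries. The helper's pattern list is a heuristic of my own, not a complete XSS detector.

```php
<?php
// Added example, not from the slides: the XSS index.php with output escaping,
// and a helper for decoding suspicious query values found in links or logs.

/** Escape a string for insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Decode a percent-encoded query value and flag markup that has no business
 * in a "name" parameter. Heuristic only: meant for triaging links and access
 * log lines, not as a substitute for escaping on output.
 */
function decodeAndFlag(string $encoded): array
{
    // Slides and log viewers often wrap long values; drop the whitespace first.
    $decoded = rawurldecode(preg_replace('/\s+/', '', $encoded));
    $suspicious = (bool) preg_match('/<\s*script|javascript:|\bon\w+\s*=/i', $decoded);
    return ['decoded' => $decoded, 'suspicious' => $suspicious];
}

// --- the page itself, escaped on output --------------------------------------
$name = $_GET['name'] ?? 'guest';
echo 'Welcome ' . h($name) . '<br>';   // guest<script>... is shown as text, not executed
echo '<a href="http://librarysite.org/">Click to visit</a>';

// --- constructed check of the helper -----------------------------------------
$sample = '%3c%73%63%72%69%70%74%3e';   // constructed: percent-encoding of "<script>"
$result = decodeAndFlag($sample);
// $result['decoded'] is "<script>" and $result['suspicious'] is true
```

With `h()` in place the first slide's payload renders literally as `guest<script>alert('attacked')</script>` on the page, and the `window.onload` script in the two URLs never runs, so the "Click to visit" link keeps pointing at librarysite.org. Escape at the point of output, choose the escaping for the context (HTML body here; attribute, URL and JavaScript contexts each need their own), and run the decode helper over access-log query strings when you suspect a link like the encoded one is circulating.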
  • Web Application Scanners
    https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
    Contains a list of Open Source and Commercial products
  • It's not in the Top 10, but…
    • Unvalidated inputs
  • Reporting a hacked site!
    • Why do you think the website is being hacked?
    • What on the website is looking unusual? Did you clear your browser's cache?
    • Are you being redirected to another website? If yes, note the URL of the site.
    • Were you being asked to provide confidential information?
    • Do patrons report receiving unusual email from the library?
    • When did it happen?
  • Emergency contact list
    • Library IT personnel
    • Director/Dean of the Library
    • Vendors
    • Patrons
  • Resources
    • PHP Security Cheat Sheet https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
    • PHP Security Guide http://phpsec.org/projects/guide/
    • Securing PHP Web Applications http://www.amazon.com/Securing-PHPApplications-TriciaBallad/dp/0321534344
  • Questions? Feel free to contact us at
    • Vincci Kwong
      • Email: vkwong@iusb.edu
      • Phone: 574-520-4444
    • Gary Browning
      • Email: gary@iusb.edu
      • Phone: 574-520-5516