Building Secure Twitter Apps

Web App Security and Twitter and Twitter

Damon P. Cortesi

Alchemy Security, LLC

TweetStats | TweepSearch | TweetSum

@dacort

Common Issues

SQL Injection

Cross-Site Scripting

Cross-Site Request Forgery

Information Disclosure

Development/Staging sites available

SQL Injection

$sql = “SELECT * FROM users WHERE username = ‘“ . $_POST[‘username’] . “‘ AND password = ‘“ . $_POST[‘password’] . “‘“;

What if username is: “dpc’ or ‘a’=’a” ?

... username = ‘ dpc’ or ‘a’=’a ‘ ...

SQL Server 2000 && xp_cmdshell

...in action http://xkcd.com/327/

Cross-Site Scripting

User input re-displayed in browser and interpreted as HTML or ... JavaScript

My name is Damon”><script>alert(‘hi’)</script>

Why is this bad?

Phishing

Cookie stealing

Arbitrary JavaScript execution...

Real-World Dangers

We live in an interactive web

Web 2.0 Frameworks

As of Django 1.0 (Sep 2008), HTML is auto-escaped

Does Rails? -------------------------- No

Does Google App Engine? -------- No

Does ASP.NET ---------------------- On built-in controls

Also has built-in request validation

CSRF

Browsing circa 1998

One window. One site.

Browsing circa 2009

CSRF++

Daily browsing - authenticated to many sites at once

GET style attacks

<img src=” http://x.com/message/123/delete ”/>

Cookies sent with this request

POST style attacks

Generally combined with JavaScript

Due to lack of form tokens

CSRF GET

An action that modifies data called via HTTP GET (against HTTP specs).

<img src=” http://x.com/message/123/delete ”/> <img src=” http://x.com/message/124/delete ”/> <img src=” http://x.com/message/125/delete ”/> <img src=” http://x.com/message/126/delete ”/> <img src=” http://x.com/message/.../delete ”/>

No tokens? Logged in? Valid message id?

“ Pwned”

POST requests not the solution

CSRF POST

Only difference: JavaScript required to automate attack.

<form name=”csrf” action=” http://x.com/delete.php ” method=”POST”> <input type=”hidden” name=”id” value=”123”> </form> <script>document.csrf.submit()</script>

CSRF Example

Information Disclosure

Twitter.com

Any site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords

Retrieve Username $.getJSON(" http://twitter.com /statuses/user_timeline?count=1&callback=? ", function(data) { alert("Username is: " + data[0].user.screen_name ) }); {"text":"Pretty sure humans have kneecaps so we can slam them into tables. *ow*","truncated":false, "user" :{"following":null,"time_zone":"Pacific Time (US & Canada)","description":"Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http://tweetstats.com and http://ratemytalk.com).", "screen_name":"dacort" ,"utc_offset":-28800,"profile_sidebar_border_color":"87bc44","notifications":null,"created_at":"Thu Dec 21 07:14:05 +0000 2006","profile_text_color":"000000","url":"http://dcortesi.com","name":"Damon Cortesi","statuses_count":21385,"profile_background_image_url":"http://static.twitter.com/images/themes/theme1/bg.gif","followers_count":4441,"protected":false,"profile_link_color":"A100FF","profile_background_tile":false,"friends_count":1775,"profile_background_color":"000000","verified":false,"favourites_count":202,"profile_image_url":"http://s3.amazonaws.com/twitter_production/profile_images/90802743/Famous_Glasses_normal.jpg","location":"Seattle, WA","id":99723,"profile_sidebar_fill_color":"e0ff92"},"in_reply_to_status_id":null,"created_at":"Mon Jul 27 21:37:53 +0000 2009","in_reply_to_user_id":null,"favorited":false,"in_reply_to_screen_name":null,"id":2877957719,"source":"<a href="http:// www.atebits.com /">Tweetie</a>"}

Courtesy of @harper

Protected Users