Building Secure Twitter Apps

Presentation given at #140tc in Los Angeles on security issues when building web and Twitter applications.

Published in: Technology

Transcript

  • 1. Web App Security and Twitter
    • Damon P. Cortesi
    • Alchemy Security, LLC
    • TweetStats | TweepSearch | TweetSum
  • 2. @dacort
  • 3. Common Issues
    • SQL Injection
    • Cross-Site Scripting
    • Cross-Site Request Forgery
    • Information Disclosure
    • Development/Staging sites available
  • 4. SQL Injection
    • $sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "'";
    • What if username is: "dpc' or 'a'='a" ?
    • ... username = 'dpc' or 'a'='a' ...
    • SQL Server 2000 && xp_cmdshell
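An added example (not from the slides) that runs the slide's concatenated query against an in-memory SQLite table constructed here, beside a parameterized version of the same query; `make_db`, `login_concat` and `login_param` are names chosen for this illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the app's users table (one known account)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('dpc', 'correct horse')")
    return db


def login_concat(db, username, password):
    """The slide's pattern: user input pasted straight into the SQL text."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_param(db, username, password):
    """Fixed form: the driver binds the values, so a quote in the input is data, not syntax."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def demo():
    db = make_db()
    payload = "dpc' or 'a'='a"  # the slide's example username
    return {
        # concatenated: ... username = 'dpc' or 'a'='a' AND password = 'wrong' -> row found
        "concat_wrong_password": login_concat(db, payload, "wrong"),
        # parameterized: looks for the literal username "dpc' or 'a'='a" -> nothing
        "param_wrong_password": login_param(db, payload, "wrong"),
        "param_correct": login_param(db, "dpc", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```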
  • 5. ...in action http://xkcd.com/327/
  • 6. Cross-Site Scripting
    • User input re-displayed in browser and interpreted as HTML or ... JavaScript
    • My name is Damon"><script>alert('hi')</script>
    • Why is this bad?
      • Phishing
      • Cookie stealing
      • Arbitrary JavaScript execution...
  • 7. Real-World Dangers
    • We live in an interactive web
  • 8. Web 2.0 Frameworks
    • As of Django 1.0 (Sep 2008), HTML is auto-escaped
    • Does Rails? No
    • Does Google App Engine? No
    • Does ASP.NET? On built-in controls
      • Also has built-in request validation
  • 9. CSRF
    • Browsing circa 1998
      • One window. One site.
    • Browsing circa 2009
  • 10. CSRF++
    • Daily browsing - authenticated to many sites at once
      • GET style attacks
        • <img src="http://x.com/message/123/delete"/>
          • Cookies sent with this request
    • POST style attacks
      • Generally combined with JavaScript
      • Due to lack of form tokens
  • 11. CSRF GET
    • An action that modifies data, called via HTTP GET (against the HTTP spec).
    • <img src="http://x.com/message/123/delete"/> <img src="http://x.com/message/124/delete"/> <img src="http://x.com/message/125/delete"/> <img src="http://x.com/message/126/delete"/> <img src="http://x.com/message/.../delete"/>
    • No tokens? Logged in? Valid message id?
    • "Pwned"
    • POST requests are not the solution
  • 12. CSRF POST
    • Only difference: JavaScript required to automate the attack.
    <form name="csrf" action="http://x.com/delete.php" method="POST"> <input type="hidden" name="id" value="123"> </form> <script>document.csrf.submit()</script>
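An added example, not part of the presentation, of the form token that slide 10 says is missing: a per-session token (synchronizer token pattern) that the site's own delete form carries and the cross-site form above cannot, checked server-side before the delete runs. `SESSIONS`, `render_delete_form` and `handle_delete` are names invented for this illustration.

```python
import hmac
import secrets

# Constructed server-side session store: session id -> that session's CSRF token
SESSIONS = {}


def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid


def render_delete_form(sid, message_id):
    """The site's own page embeds the session token as a hidden field."""
    return ('<form action="/delete.php" method="POST">'
            '<input type="hidden" name="id" value="%d">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '</form>' % (message_id, SESSIONS[sid]))


def handle_delete(method, cookie_sid, form):
    """Server side of the delete action: POST only, and the token must match the session's."""
    if method != "POST":
        return 405  # slide 11: a state change must not be reachable via GET
    expected = SESSIONS.get(cookie_sid)
    if expected is None:
        return 401  # no valid session cookie
    supplied = form.get("csrf_token", "")
    # Another origin cannot read the token out of our page, so a forged POST
    # arrives with the cookie but without (or with a wrong) token.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    return 200


def demo():
    sid = new_session()
    token = SESSIONS[sid]
    forged = {"id": "123"}  # what the slide's cross-site form submits
    return {
        "get_attack": handle_delete("GET", sid, {"id": "123"}),
        "forged_post": handle_delete("POST", sid, forged),
        "legit_post": handle_delete("POST", sid, {"id": "123", "csrf_token": token}),
        "form_has_token": token in render_delete_form(sid, 123),
    }
```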
  • 13. CSRF Example
  • 14. Information Disclosure
    • Twitter.com
    • Any site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords
  • 15. Retrieve Username
    $.getJSON("http://twitter.com/statuses/user_timeline?count=1&callback=?", function(data) { alert("Username is: " + data[0].user.screen_name) });
    {"text":"Pretty sure humans have kneecaps so we can slam them into tables. *ow*","truncated":false,"user":{"following":null,"time_zone":"Pacific Time (US & Canada)","description":"Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http://tweetstats.com and http://ratemytalk.com).","screen_name":"dacort","utc_offset":-28800,"profile_sidebar_border_color":"87bc44","notifications":null,"created_at":"Thu Dec 21 07:14:05 +0000 2006","profile_text_color":"000000","url":"http://dcortesi.com","name":"Damon Cortesi","statuses_count":21385,"profile_background_image_url":"http://static.twitter.com/images/themes/theme1/bg.gif","followers_count":4441,"protected":false,"profile_link_color":"A100FF","profile_background_tile":false,"friends_count":1775,"profile_background_color":"000000","verified":false,"favourites_count":202,"profile_image_url":"http://s3.amazonaws.com/twitter_production/profile_images/90802743/Famous_Glasses_normal.jpg","location":"Seattle, WA","id":99723,"profile_sidebar_fill_color":"e0ff92"},"in_reply_to_status_id":null,"created_at":"Mon Jul 27 21:37:53 +0000 2009","in_reply_to_user_id":null,"favorited":false,"in_reply_to_screen_name":null,"id":2877957719,"source":"<a href=\"http://www.atebits.com/\">Tweetie</a>"}
  • 16. Courtesy of @harper
  • 17. Protected Users
    • If your app displays tweets
      • Does it respect the protected status?
      • It can change at any time
  • 18. Let’s have some fun...
    • Demo time!
  • 19. Mitigation
    • “Increase your security by 80%, by fixing 20% of the problems.”
    • Input Sanitization and Validation
    • Data Encoding and Escaping
  • 20. Sanitization/Encoding
    • SQL: mysql_real_escape_string()
      • Stored Procedures/Frameworks
    • HTML/XSS: htmlentities(), innerText
      • "<b>Damon</b> >> &quot;&lt;b&gt;Damon&lt;/b&gt;
    • Beware encoding
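An added example, not from the slides, covering slide 6's reflected input and slide 20's fix together: the same name is re-displayed unencoded and then HTML-encoded (the `htmlentities()` analogue in Python is `html.escape`), and a small parser stands in for the browser to show which tags each version actually creates. `TagCounter`, `profile_unsafe` and `profile_escaped` are names chosen for this illustration.

```python
import html
from html.parser import HTMLParser


class TagCounter(HTMLParser):
    """Minimal stand-in for the browser: records the tags the markup really creates."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    parser = TagCounter()
    parser.feed(markup)
    return parser.tags


def profile_unsafe(name):
    # Slide 6's bug: user input re-displayed verbatim inside an attribute value
    return '<input type="text" name="name" value="' + name + '">'


def profile_escaped(name):
    # Slide 20's fix: encode for the HTML context at output time.
    # quote=True also encodes " and ', which an attribute context needs.
    return '<input type="text" name="name" value="' + html.escape(name, quote=True) + '">'


PAYLOAD = "Damon\"><script>alert('hi')</script>"  # the slide's example name


def demo():
    return {
        "unsafe_tags": tags_in(profile_unsafe(PAYLOAD)),    # a <script> element appears
        "escaped_tags": tags_in(profile_escaped(PAYLOAD)),  # only the <input> remains
        "entities": html.escape('"<b>Damon</b>', quote=True),  # slide 20's mapping
    }


if __name__ == "__main__":
    print(demo())
```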
  • 21. Also Watch out for...
  • 22.  
  • 23.  
  • 24. Help your users
  • 25.  
  • 26. Some other things...
    • Keeping systems/software up-to-date
      • Rails < 2.1.1? -- SQL Injection bug
        • JumpBox (Server Provisioning) uses Rails 2.1.0
    • Infrastructure Security
      • Do you know your external network presence?
      • Have all your default passwords been changed?
  • 27. One last thing
    • Not always some über-technical buffer overflow sploit...
    • Access database on unprotected share
    • demo/demo password
    • Email on confirmation page
    • Are people thinking securely?
  • 28. Oh, Shorteners...
  • 29. Third Parties
    • TwitPic Integration from client apps
    • Is your password only local to the client app?
      • Nope. Not if you “twitpic” something.
    • You’re only as secure as the apps that you (or your friends) use.
  • 30. Sorry Twitter