Web Application Security Why is it important? Jason R. Leveille http://jasonleveille.com December 5, 2008 – Damascus High School

Introduction High School Teacher for 8 Years Web Software Developer for 1.5 Security is not my strong point Why am I talking about security? Security is a concern in many layers Server Layer (Apache, IIS, etc) Database Layer (mySQL, PostreSQL, etc) Application Language/Script (PHP, Python, etc) Web App Server/Client Side

High School Teacher for 8 Years

Web Software Developer for 1.5

Security is not my strong point

Why am I talking about security?

Security is a concern in many layers

Server Layer (Apache, IIS, etc)

Database Layer (mySQL, PostreSQL, etc)

Application Language/Script (PHP, Python, etc)

Web App Server/Client Side

A Brief Example: PHP info/secinfo What we see when we look at phpinfo() http://url/talk/psi/info.php What we seen when we look at PHP Sec. Info feedback. http://url/talk/psi/ Illustrates the need to secure your “language”, in your server environment, as best you can

What we see when we look at phpinfo()

http://url/talk/psi/info.php

What we seen when we look at PHP Sec. Info feedback.

http://url/talk/psi/

Illustrates the need to secure your “language”, in your server environment, as best you can

SQL Injection What is SQL Injection An example Stealing usernames/passwords http://url/talk/ex1.php (ex5.php) ?userid=5 ?userid=5 union all select id,email,password from users— What happened? The Source Code Things to think about

What is SQL Injection

An example

Stealing usernames/passwords

http://url/talk/ex1.php (ex5.php)

?userid=5

?userid=5 union all select id,email,password from users—

What happened?

The Source Code

Things to think about

SQL Injection Another example Drop Table http://xkcd.com/327 http://url/talk/foo.php ?first_name=Jason ?first_name=Jason’; DROP TABLE users; What happened? An illustration in phpmyadmin Things to think about?

Another example

Drop Table

http://xkcd.com/327

http://url/talk/foo.php

?first_name=Jason

?first_name=Jason’; DROP TABLE users;

What happened?

An illustration in phpmyadmin

Things to think about?

Cross Site Scripting (XSS) What is XSS? An Example Cookie theft http://url/talk/ex2.php What happened? The Source Code Things to think about

What is XSS?

An Example

Cookie theft

http://url/talk/ex2.php

What happened?

The Source Code

Things to think about

Cross Site Scripting (XSS) A real world example asp application / SQL Server attack Combined XSS SQL Injection Installation of malware Our attack traced back to organized crime in Russia! Should I not have written that …

A real world example

asp application / SQL Server attack

Combined XSS SQL Injection

Installation of malware

Our attack traced back to organized crime in Russia!

Should I not have written that …

Cross Site Request Forgery (CSRF) What is CSRF? An Example http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics

What is CSRF?

An Example

http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics

Security: Filter Input What is input? What does it mean to filter input? An example http://url/talk/ex3.php What’s happening? The Source Code Things to think about

What is input?

What does it mean to filter input?

An example

http://url/talk/ex3.php

What’s happening?

The Source Code

Things to think about

Security: Escape Output What is output? What does it mean to escape output? An example http://url/talk/ex4.php What’s happening? The Source Code Things to think about

What is output?

What does it mean to escape output?

An example

http://url/talk/ex4.php

What’s happening?

The Source Code

Things to think about

Security: Database User Privileges What are user privileges? Reducing user privileges An example Creating a reduced user privileged account Attempting DROP TABLE with this new account Things to think about

What are user privileges?

Reducing user privileges

An example

Creating a reduced user privileged account

Attempting DROP TABLE with this new account

Things to think about

In Conclusion Take care of your own information online Never trust data coming into your application Filter Input Escape Output Reduce Database User Privileges Always store passwords hashed See example of student passwords

Take care of your own information online

Never trust data coming into your application

Filter Input

Escape Output

Reduce Database User Privileges

Always store passwords hashed

See example of student passwords

Questions? http://jasonleveille.com leveillej at gmail dot com

http://jasonleveille.com

leveillej at gmail dot com

Resources http://www.apachesecurity.net/ http://www.microsoft.com/technet/security/prodtech/IIS.mspx http://www.scribd.com/doc/2569459/Securing-MySQL-for-a-Security-Audit http://www.postgresql.org/docs/8.3/static/user-manag.html http://phpsec.org/projects/phpsecinfo/index.html

http://www.apachesecurity.net/

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

http://www.scribd.com/doc/2569459/Securing-MySQL-for-a-Security-Audit

http://www.postgresql.org/docs/8.3/static/user-manag.html

http://phpsec.org/projects/phpsecinfo/index.html

Resources http://dev. mysql .com/tech-resources/articles/guide-to-php-security-ch3.pdf http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ http://xkcd.com/327/ http://xssed.org/ http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines

http://dev. mysql .com/tech-resources/articles/guide-to-php-security-ch3.pdf

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

http://xkcd.com/327/

http://xssed.org/

http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines

Resources http://shiflett.org/articles/cross-site-request-forgeries http://php.net/ctype http://us3.php.net/strip-tags http://us2.php.net/manual/en/book.pcre.php http://ha.ckers.org/xss.html http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss

http://shiflett.org/articles/cross-site-request-forgeries

http://php.net/ctype

http://us3.php.net/strip-tags

http://us2.php.net/manual/en/book.pcre.php

http://ha.ckers.org/xss.html

http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss

Resources http://us.php.net/htmlentities http://shiflett.org/blog/2007/may/character-encoding-and-xss http://htmlpurifier.org/ http://us.php.net/manual/en/mysqli.real-escape-string.php

http://us.php.net/htmlentities

http://shiflett.org/blog/2007/may/character-encoding-and-xss

http://htmlpurifier.org/

http://us.php.net/manual/en/mysqli.real-escape-string.php