Web Application Security

Web Application Security Why is it important? Jason R. Leveille http://jasonleveille.com December 5, 2008 – Damascus High School

Introduction
High School Teacher for 8 Years
Web Software Developer for 1.5
Security is not my strong point
Why am I talking about security?
Security is a concern in many layers
Server Layer (Apache, IIS, etc)
Database Layer (mySQL, PostreSQL, etc)
Application Language/Script (PHP, Python, etc)
Web App Server/Client Side

A Brief Example: PHP info/secinfo
What we see when we look at phpinfo()
http://url/talk/psi/info.php
What we seen when we look at PHP Sec. Info feedback.
http://url/talk/psi/
Illustrates the need to secure your “language”, in your server environment, as best you can

SQL Injection
What is SQL Injection
An example
Stealing usernames/passwords
http://url/talk/ex1.php (ex5.php)
?userid=5
?userid=5 union all select id,email,password from users—
What happened?
The Source Code
Things to think about

SQL Injection
Another example
Drop Table
http://xkcd.com/327
http://url/talk/foo.php
?first_name=Jason
?first_name=Jason’; DROP TABLE users;
What happened?
An illustration in phpmyadmin
Things to think about?

Cross Site Scripting (XSS)
What is XSS?
An Example
Cookie theft
http://url/talk/ex2.php
What happened?
The Source Code

Cross Site Scripting (XSS)
A real world example
asp application / SQL Server attack
Combined XSS SQL Injection
Installation of malware
Our attack traced back to organized crime in Russia!
Should I not have written that …

Cross Site Request Forgery (CSRF)
What is CSRF?
An Example
http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics

Security: Filter Input
What is input?
What does it mean to filter input?
An example
What’s happening?
The Source Code

Security: Escape Output
What is output?
What does it mean to escape output?
An example
What’s happening?
The Source Code

Security: Database User Privileges
What are user privileges?
Reducing user privileges
An example
Creating a reduced user privileged account
Attempting DROP TABLE with this new account

In Conclusion
Take care of your own information online
Never trust data coming into your application
Filter Input
Escape Output
Reduce Database User Privileges
Always store passwords hashed
See example of student passwords

Questions?
http://jasonleveille.com
leveillej at gmail dot com

Resources
http://www.apachesecurity.net/
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
http://www.scribd.com/doc/2569459/Securing-MySQL-for-a-Security-Audit
http://www.postgresql.org/docs/8.3/static/user-manag.html
http://phpsec.org/projects/phpsecinfo/index.html

Resources
http://dev. mysql .com/tech-resources/articles/guide-to-php-security-ch3.pdf
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://xkcd.com/327/
http://xssed.org/
http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines

Resources
http://shiflett.org/articles/cross-site-request-forgeries
http://php.net/ctype
http://us3.php.net/strip-tags
http://us2.php.net/manual/en/book.pcre.php
http://ha.ckers.org/xss.html
http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss

Resources
http://us.php.net/htmlentities
http://shiflett.org/blog/2007/may/character-encoding-and-xss
http://htmlpurifier.org/
http://us.php.net/manual/en/mysqli.real-escape-string.php

http://jasonleveille.com	51
http://feeds2.feedburner.com	5
http://www.slideshare.net	2
http://feeds.feedburner.com	2
http://video.filestube.com	1

Web Application Security

by Jason Leveille on Dec 04, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 61

Statistics

Web Application Security — Presentation Transcript