Concern of Web Application Security

A presentation about web application security
    Presentation Transcript

    • Concern of Web Application Security "First and foremost, you must realize and accept that any user-supplied data is inherently unreliable and can't be trusted." Md. Mahmud Ahsan, Zend Certified Engineer http://mahmudahsan.wordpress.com/ http://www.ftechdb.com/
    • Contents of presentation
      • Overview of security
      • Best Practice
      • Input Filtering
      • Escaping Output
      • SQL Injection
      • Cross-site Scripting
      • Session Hijacking
      • Cross-site request forgeries
    • Security Overview
      What is security?
      • Security is a measure, not a characteristic.
      • Security is difficult to measure. It has no units.
      • Security must be considered at all times.
    • Security Overview
      Principles of security (according to Chris Shiflett):
      • Defense in Depth
      • Least Privilege
      • Simple is beautiful
      • Minimize exposure
    • Best Practice
      Basic Steps (according to Chris Shiflett):
      • Consider malicious uses of your application.
      • Educate yourself.
      • Remember 2 simple rules:
              • Filter Input
              • Escape Output
    • Input filtering
      • What is filtering?
      • Filtering is the process by which you inspect data to prove its validity.
      • When possible, use a whitelist approach: accept only values known to be valid instead of trying to reject every known-bad one.
      • Filtering is useless if you can't keep up with what has been filtered and what hasn't.
      • Employ a strict naming convention that lets you easily and reliably distinguish between filtered and tainted data (the examples below keep filtered values in $clean and never touch $_POST again afterwards).
    • Input filtering Filter input example:
      <?php
      // Initialize an array for storing filtered data
      $clean = array();
      // Use a switch statement to compare the tainted value against the set of valid values
      switch ($_POST['color']) {
          // Create a case for each valid value
          case 'red':
          case 'green':
          case 'blue':
              // Color is definitely valid, so store it in the array
              $clean['color'] = $_POST['color'];
              break;
      }
      ?>
    • Input filtering Filter input example 2:
      <?php
      // Create an array to store filtered data
      $clean = array();
      // Username must be alphanumeric; ctype_alnum() returns false for an empty string
      // or any non-alphanumeric character
      if (ctype_alnum($_POST['username'])) {
          // Username is alphanumeric, so store it in the array
          $clean['username'] = $_POST['username'];
      }
      ?>
    • Escaping Output
      • What is output?
      • Most output is obvious (anything sent to the client is output): HTML, JavaScript, etc.
      • The client isn't the only remote destination: databases, session data stores, RSS feeds, etc.
      • The key is to identify the destination of data. If it is destined for any remote system, it is output and must be escaped.
    • Escaping Output
      • What is Escaping?
      • It is the process of escaping any character that has a special meaning in the remote system, so that the data is interpreted as data rather than as markup or code.
      • The two most common destinations are the client (use htmlentities() or htmlspecialchars()) and MySQL (use mysql_real_escape_string()).
      • Caveat: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0. In current code use mysqli or PDO with prepared statements, which keep the query text and the data separate so that no escaping step can be forgotten.
    • Escaping Output Escaping output example:
      <?php
      // Initialize an array for storing escaped data
      $html = array();
      // Escape the filtered username (ENT_QUOTES also encodes single quotes) and store it in the array
      $html['username'] = htmlentities($clean['username'], ENT_QUOTES);
      // Send the filtered and escaped username to the client
      echo "<p>Welcome back, {$html['username']}.</p>";
      ?>
    • Escaping Output Escaping output example 2:
      <?php
      // Initialize an array for storing escaped data
      $mysql = array();
      // Escape the filtered username and store it in the array
      $mysql['username'] = mysql_real_escape_string($clean['username']);
      // Use the filtered and escaped username in the SQL query
      $sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}'";
      $result = mysql_query($sql);
      ?>
      The query is now safe from injection through the username, because the escaped value sits inside a quoted string literal. Escaping does not protect values interpolated without quotes (numeric ids, for example); those must be cast or validated as numbers, or bound through a prepared statement.
    • SQL Injection
      • What is SQL Injection?
      • SQL injection is a direct attack on the site's database through the application's own queries.
      • Gain access to restricted areas without proper credentials
      • Insert or delete data in the database
      • Select private data that is then saved and used for other types of attacks
    • SQL Injection SQL Injection attacking example:
      Normal request:   http://example.com/db.php?id=0
      Injected request: http://example.com/db.php?id=0;DELETE%20FROM%20users
      <?php
      $id = $_GET['id']; // $id = "0;DELETE FROM users" (tainted, used without filtering)
      $result = mysql_query("SELECT * FROM users WHERE id={$id}");
      ?>
      The injected statement is appended to the query, and the users table data is destroyed.
      Caveat: the classic mysql extension's mysql_query() sends a single statement and does not execute stacked queries, so this exact payload fails there. The defect remains: an unquoted integer interpolated into the query still accepts a payload such as id=0 OR 1=1, which returns every row.
    • SQL Injection SQL Injection attacking example 2:
      <?php
      $query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
      mysql_query($query);
      // $_POST['username'] = 'manzil';
      // $_POST['password'] = "' OR ''='";
      echo $query;
      ?>
      output: SELECT * FROM users WHERE user='manzil' AND password='' OR ''=''
      The injected single quote closes the password literal, and the appended OR ''='' is always true, so the WHERE clause matches without a valid password.
    • SQL Injection SQL Injection Protection:
      <?php
      // Escape both values before they are placed inside quoted string literals
      $name = mysql_real_escape_string($_POST['username']);
      $pass = mysql_real_escape_string($_POST['password']);
      $query = "SELECT * FROM users WHERE user='{$name}' AND password='{$pass}'";
      mysql_query($query);
      ?>
      This works only because every interpolated value is quoted. Prepared statements (PDO or mysqli) are the stronger fix, since the value never becomes part of the query text at all.
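The following is an added example, not code from the slides, that carries the filter-input and escape-output pattern above through to a complete request handler using PDO prepared statements instead of mysql_real_escape_string(). It serves the input-filtering slides, the MySQL escaping slide and the SQL injection protection slide together. Assumptions: a MySQL `users` table with `id`, `user` and `password_hash` columns (passwords stored with password_hash() rather than in clear text), and placeholder DSN and credentials.

```php
<?php
// Added example (not from the slides): filter input, then send it to MySQL through
// PDO prepared statements so that data is never interpolated into the query text.
// Assumptions: table users(id INT, user VARCHAR, password_hash VARCHAR) and the
// DSN/credentials placeholders in connect().

function filter_request(array $tainted): array
{
    $clean = array();

    // Whitelist: id must be a string of decimal digits; keep it as an int.
    if (isset($tainted['id']) && ctype_digit((string) $tainted['id'])) {
        $clean['id'] = (int) $tainted['id'];
    }

    // Username: alphanumeric only, bounded length.
    if (isset($tainted['username'])
        && is_string($tainted['username'])
        && ctype_alnum($tainted['username'])
        && strlen($tainted['username']) <= 32) {
        $clean['username'] = $tainted['username'];
    }

    // Password: any string is allowed; it is never placed in a query, only hashed and compared.
    if (isset($tainted['password']) && is_string($tainted['password'])) {
        $clean['password'] = $tainted['password'];
    }

    return $clean;
}

function connect(): PDO
{
    // Placeholder connection details (assumption).
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
    ));
}

function find_user_by_id(PDO $pdo, int $id): ?array
{
    // The value is bound as an integer; a payload like "0 OR 1=1" cannot reach this point
    // (filter_request() rejected it) and bound values are never parsed as SQL anyway.
    $stmt = $pdo->prepare('SELECT id, user FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function authenticate(PDO $pdo, string $username, string $password): bool
{
    // No quoting or escaping: the driver sends the value separately from the statement.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE user = :user');
    $stmt->execute(array(':user' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Only filtered values leave this point; $_POST and $_GET are not used again.
$clean = filter_request($_POST + $_GET);
$pdo   = connect();

if (isset($clean['username'], $clean['password'])) {
    echo authenticate($pdo, $clean['username'], $clean['password']) ? 'login ok' : 'login failed';
}

if (isset($clean['id'])) {
    $user = find_user_by_id($pdo, $clean['id']);
    // Escape output for the HTML context even though the value came from the database.
    echo $user === null ? 'no such user' : 'found ' . htmlspecialchars($user['user'], ENT_QUOTES, 'UTF-8');
}
```

With prepared statements the "' OR ''='" payload from the attacking example is simply a username that does not exist, and the unquoted-integer problem disappears because the id is bound with PDO::PARAM_INT after being validated.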
    • Cross-Site Scripting What is XSS? It is a popular attack against web applications, because web applications largely echo user input back into pages.
      <?php
      echo "<p>Welcome back, {$_GET['username']}.</p>";
      ?>
    • Cross-Site Scripting Attacking Example: if the attacker supplies a script tag as the username, the page sends it to the victim's browser, which executes it.
      <?php
      echo "<p>Welcome back, <script> ... </script>.</p>";
      ?>
      XSS Attack!!!
    • Cross-Site Scripting
      • Prevention of XSS:
      • Filter Input
      • Escape Output
      <?php
      // Filter input: only an alphanumeric username is accepted, anything else becomes ''
      $name = $_GET['username'];
      $name = ctype_alnum($name) ? $name : '';
      // Escape output: encode characters that have a meaning in HTML, including both quote styles
      $name = htmlentities($name, ENT_QUOTES);
      echo "<p>Welcome back, {$name}.</p>";
      ?>
    • Cross-Site Scripting htmlentities():
      <?php
      $name = $_GET['username']; // <script> ... </script>
      echo htmlentities($name, ENT_QUOTES);
      ?>
      output: &lt;script&gt; ... &lt;/script&gt;
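An added example, not from the slides, showing why escaping alone is not enough: the same escaping helper is safe in element content and in a quoted attribute, but useless in an unquoted attribute. The helper name `h()` and the attacker strings are constructed for this illustration.

```php
<?php
// Added example (not from the slides): HTML escaping is only sufficient when the
// output context is also controlled. Inputs below are constructed attacker payloads.

function h(string $s): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string; naming the charset avoids PHP/browser mismatches.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$script   = '<script>alert(1)</script>';
$attrless = 'x onmouseover=alert(1)';   // contains none of < > " ' &

// Element content: the tag injection is neutralised.
echo '<p>Welcome back, ' . h($script) . ".</p>\n";
// -> <p>Welcome back, &lt;script&gt;alert(1)&lt;/script&gt;.</p>

// Quoted attribute: the attacker cannot close the attribute because " is encoded.
echo '<input type="text" name="q" value="' . h($attrless) . "\">\n";
// -> value="x onmouseover=alert(1)"  (one literal attribute value, harmless)

// Unquoted attribute: h() changes nothing, the space ends the value, and
// onmouseover becomes a live event handler. Always quote attributes.
echo '<input type=text name=q value=' . h($attrless) . ">\n";
// -> <input type=text name=q value=x onmouseover=alert(1)>
```

The same reasoning applies to output inside a `<script>` block or a URL: each destination has its own special characters, so choose the escaping function by destination, as the Escaping Output slides say.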
    • Session Hijacking
      • What's the problem?
      • An attacker can impersonate another user if that user's session identifier is known by the attacker.
      • Methods of obtaining a valid session identifier:
      • Fixation
      • Prediction
      • Capture
    • Session Hijacking
      Example of Session Fixation: the attacker chooses the session ID and gets the victim to log in through a link that carries it:
      http://example.org/login.php?PHPSESSID=1234
      Prevention of Session Fixation: use session_regenerate_id() whenever there is a change in the level of privilege (passing true also deletes the old session data, so the attacker-chosen ID stops mapping to anything):
      if ($authenticated) {
          $_SESSION['logged_in'] = TRUE;
          session_regenerate_id();
      }
    • Session Hijacking
      Another session security technique: compare the browser signature headers.
      <?php
      session_start();
      // Fingerprint of request headers a browser normally sends unchanged during one session
      $chk = md5(($_SERVER['HTTP_ACCEPT_CHARSET'] ?? '') . ($_SERVER['HTTP_ACCEPT_ENCODING'] ?? '')
               . ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '') . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
      if (empty($_SESSION)) {
          $_SESSION['key'] = $chk;   // first request: record the fingerprint
      } elseif ($_SESSION['key'] != $chk) {
          session_destroy();         // fingerprint changed: treat the session as hijacked
      }
      ?>
      Caveat: this is a heuristic, not an authentication check. An attacker who captured the session ID over the network or through XSS can replay the same headers, and legitimate users are logged out when a browser update changes the User-Agent.
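An added example, not from the slides, that combines the fixation defence above with the PHP session settings a practitioner would set today. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params()) and an HTTPS-only site; the user id 42 and the `$authenticated` flag are placeholders for a credential check done elsewhere.

```php
<?php
// Added example (not from the slides): session cookie hardening plus ID regeneration
// at login and a clean logout. Assumes PHP >= 7.3 and an HTTPS-only site.

// Reject session IDs the server never issued (defeats fixation via ?PHPSESSID=...).
ini_set('session.use_strict_mode', '1');
// Accept the session ID only from the cookie, never from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_set_cookie_params(array(
    'lifetime' => 0,        // discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,     // sent over HTTPS only (assumption: site is HTTPS-only)
    'httponly' => true,     // not readable from JavaScript, limits capture via XSS
    'samesite' => 'Lax',    // not attached to cross-site POSTs, helps against CSRF
));

session_start();

function login_user(int $userId): void
{
    // Privilege level changes here, so discard the old ID. The true argument deletes the
    // old session data, so a pre-set (fixated) ID no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    $_SESSION = array();
    // Expire the cookie in the browser as well, not only the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Placeholder: the credential check is assumed to have succeeded elsewhere.
$authenticated = true;
if ($authenticated && !isset($_SESSION['user_id'])) {
    login_user(42);
}
```

session.use_strict_mode is the direct answer to the ?PHPSESSID=1234 example: an ID the server did not generate is simply replaced, so the attacker's chosen value never becomes a valid session.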
    • Session Hijacking
      • Safer Session Storage
      • By default PHP sessions are stored as files inside the common /tmp directory.
      • This often means any user on the system could see active sessions and “acquire” them or even modify their content.
      • Solutions?
      • Separate session storage directory via session.save_path
      • Database storage mechanism, mysql, pgsql, oci, sqlite.
      • Custom session handler allowing data storage anywhere.
    • Cross Site Request Forgeries What is CSRF? An attacker causes the victim's browser to send arbitrary HTTP requests to the application. Because the requests originate from the victim and carry the victim's cookies, they bypass traditional safeguards, including firewalls and access control.
    • Cross Site Request Forgeries
      • Solution of CSRF:
        • Use a unique token in every form that you send to the user.
        • Whenever you receive a request from the user that represents a form submission, check for this unique token.
        • Use sessions to associate a particular token with a particular user.
    • Cross Site Request Forgeries
      • Normal form submission (nothing ties the request to the page the user was shown):
        <form action="buy.php" method="POST">
        <p>Symbol: <input type="text" name="symbol" /></p>
        <p>Shares: <input type="text" name="shares" /></p>
        <p><input type="submit" value="Buy" /></p>
        </form>
    • Cross Site Request Forgeries
      • Solution of CSRF: generate a token, store it in the session, embed it in the form
        <?php
        // Note: rand() is not a cryptographic RNG, so this token is guessable in principle;
        // random_bytes() is the modern replacement.
        $token = md5(uniqid(rand(), TRUE));
        $_SESSION['token'] = $token;
        $_SESSION['token_time'] = time();
        ?>
        <form action="buy.php" method="post">
        <input type="hidden" name="token"
        value="<?php echo $token; ?>" />
        <p>
        Symbol: <input type="text" name="symbol" /><br />
        Shares: <input type="text" name="shares" /><br />
        <input type="submit" value="Buy" />
        </p>
        </form>
    • Cross Site Request Forgeries
      • Solution of CSRF: on submission, compare the posted token with the one in the session
        <?php
        // isset() avoids a notice when no token was posted; hash_equals() avoids PHP's loose ==
        // comparison and compares in constant time
        if (isset($_POST['token'], $_SESSION['token'])
            && hash_equals($_SESSION['token'], $_POST['token']))
        {
            /* Valid Token */
        }
        ?>
    • Thank You