Concern of Web Application Security

A presentation about web application security.
Published in: Technology, News & Politics

Transcript of "Concern of Web Application Security"
1. Concern of Web Application Security

"First and foremost, you must realize and accept that any user-supplied data is inherently unreliable and can't be trusted."

Md. Mahmud Ahsan, Zend Certified Engineer
http://mahmudahsan.wordpress.com/
http://www.ftechdb.com/

2. Contents of presentation

- Overview of security
- Best practice
- Input filtering
- Escaping output
- SQL injection
- Cross-site scripting
- Session hijacking
- Cross-site request forgeries
3. Security Overview

What is security?
- Security is a measurement, not a characteristic.
- Security is difficult to measure. It has no units.
- Security must be considered at all times, not bolted on at the end.

4. Security Overview

Principles of security (according to Chris Shiflett):
- Defense in depth
- Least privilege
- Simple is beautiful
- Minimize exposure
5. Best Practice

Basic steps (according to Chris Shiflett):
- Consider malicious uses of your application.
- Educate yourself.
- Remember two simple rules:
  - Filter input
  - Escape output

6. Best Practice: Basic Steps (diagram slide, no text)
7. Input filtering

What is filtering?
- Filtering is the process by which you inspect data to prove its validity.
- When possible, use a whitelist approach: enumerate what is valid and reject everything else.
- Filtering is useless if you can't keep up with what has been filtered and what hasn't.
- Employ a strict naming convention that lets you easily and reliably distinguish between filtered and tainted data.

8. Input filtering

Filter input example (slides 8 to 12 show the same code with one callout each; the callouts are folded in as comments):

    <?php
    // Initialize an array for storing filtered data
    $clean = array();

    // Use a switch statement to filter against a fixed set of valid values
    switch ($_POST['color']) {
        // Create cases for the valid values
        case 'red':
        case 'green':
        case 'blue':
            // The color is definitely valid, so store it in the array
            $clean['color'] = $_POST['color'];
            break;
    }
    ?>
13. Input filtering

Filter input example 2 (slides 13 to 16 show the same code with one callout each; the callouts are folded in as comments):

    <?php
    // Create an array to store filtered data
    $clean = array();

    // The username must be alphanumeric; if it is, store it in the array
    if (ctype_alnum($_POST['username'])) {
        $clean['username'] = $_POST['username'];
    }
    ?>

Note that ctype_alnum() only checks the character class; a whitelist for a username normally also bounds the length.
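Both slide examples applied together, as an added example that is not part of the original presentation: a single whitelist filter for a small set of fields, showing a fixed-set check, a character-class check with a length bound, and a bounded integer check. The field names, the limits and the sample submissions are assumptions made for this example.

```php
<?php
// Added example (not from the original slides): a whitelist input filter that
// extends the two slide examples to a small set of fields. Field names, limits
// and the sample $_POST arrays are assumptions made up for this example.

/**
 * Return only the fields that pass a whitelist check. Anything that does not
 * pass is simply absent from $clean, so later code cannot use it by accident.
 */
function filterInput(array $post): array
{
    $clean = array();

    // Fixed set of values: in_array(..., true) so that loose comparison cannot match
    if (isset($post['color']) && is_string($post['color'])
        && in_array($post['color'], array('red', 'green', 'blue'), true)) {
        $clean['color'] = $post['color'];
    }

    // Character class plus a length bound: ctype_alnum() alone accepts "a" repeated 10 MB
    if (isset($post['username']) && is_string($post['username'])
        && ctype_alnum($post['username'])
        && strlen($post['username']) >= 3 && strlen($post['username']) <= 32) {
        $clean['username'] = $post['username'];
    }

    // Integer in a range: filter_var() rejects "12abc", "0x1A", "15 OR 1=1" and overflows
    if (isset($post['shares'])) {
        $shares = filter_var($post['shares'], FILTER_VALIDATE_INT,
            array('options' => array('min_range' => 1, 'max_range' => 10000)));
        if ($shares !== false) {
            $clean['shares'] = $shares;   // stored as int, not as the raw string
        }
    }

    return $clean;
}

// Constructed sample submissions (assumed, not real traffic)
$good = array('color' => 'green', 'username' => 'manzil', 'shares' => '15');
$bad  = array(
    'color'    => 'red; DROP TABLE colors',
    'username' => "manzil' OR ''='",
    'shares'   => '15 OR 1=1',
);

var_dump(filterInput($good));  // color, username and shares all present
var_dump(filterInput($bad));   // empty array: nothing passed the whitelist
```

The point of returning a separate $clean array is the naming convention from slide 7: anything read from $_POST directly is tainted by definition, and only keys of $clean are ever used downstream.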
17. Escaping Output

What is output?
- Most output is obvious (anything sent to the client is output): HTML, JavaScript, etc.
- The client isn't the only remote destination: databases, session data stores, RSS feeds, etc.
- The key is to identify the destination of data. If it is destined for any remote system, it is output and must be escaped.

18. Escaping Output

What is escaping?
- It is the process of escaping any character that has a special meaning in a remote system.
- The two most common destinations are the client (use htmlentities()) and MySQL (use mysql_real_escape_string()).
- Escaping is specific to the destination: an HTML-escaped string is not safe for SQL, and vice versa. Pass the charset to htmlentities() explicitly so the browser and PHP agree on what a byte means. mysql_real_escape_string() and the rest of ext/mysql were removed in PHP 7.0; prepared statements (mysqli or PDO) are the current replacement and do not depend on escaping at all.
19. Escaping Output

Escaping output example (slides 19 to 22 show the same code with one callout each; the callouts are folded in as comments):

    <?php
    // Initialize an array for storing escaped data
    $html = array();

    // Escape the filtered username and store it in the array
    // (the charset argument is added so the escaping matches the page encoding)
    $html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');

    // Send the filtered and escaped username to the client
    echo "<p>Welcome back, {$html['username']}.</p>";
    ?>

23. Escaping Output

Escaping output example 2 (slides 23 to 27 show the same code with one callout each; the callouts are folded in as comments):

    <?php
    // Initialize an array for storing escaped data
    $mysql = array();

    // Escape the filtered username and store it in the array
    $mysql['username'] = mysql_real_escape_string($clean['username']);

    // Use the filtered and escaped username in the SQL query
    $sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}'";

    // The query is now safe: the value sits inside quotes and every quote in it is escaped
    $result = mysql_query($sql);
    ?>

mysql_real_escape_string() only protects a value that is placed inside single quotes in the SQL text; it does nothing for an unquoted number or an identifier.
28. SQL Injection

What is SQL injection?
- SQL injection is a direct attack on the site's database through input that ends up in SQL text.
- Gain access to restricted areas without proper credentials.
- Insert or delete data in the database.
- Select private data to be saved and used for other types of attacks.

29. SQL Injection

SQL injection attacking example:

    http://example.com/db.php?id=0
    http://example.com/db.php?id=0;DELETE%20FROM%20users

    <?php
    $id = $_GET['id'];   // $id = "0;DELETE FROM users" (the injected SQL)
    $result = mysql_query("SELECT * FROM users WHERE id={$id}");
    // If the database executes both statements, the users table is destroyed.
    ?>

Caveat: ext/mysql's mysql_query() sends a single statement and does not run stacked queries, so this exact payload fails under that API; APIs that do run multiple statements (for example mysqli_multi_query()) would execute the DELETE. The unquoted, unvalidated id is injectable either way: id=0%20OR%201=1 returns every row, and a UNION SELECT can read other tables.

30. SQL Injection

SQL injection attacking example 2:

    <?php
    $query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
    mysql_query($query);
    // $_POST['username'] = 'manzil';
    // $_POST['password'] = "' OR ''='";
    echo $query;
    ?>

Output:

    SELECT * FROM users WHERE user='manzil' AND password='' OR ''=''

The injected quote closes the password literal, and the trailing OR ''='' is always true, so the WHERE clause matches every row and the login check passes without a valid password.

31. SQL Injection

SQL injection protection:

    <?php
    $name = mysql_real_escape_string($_POST['username']);
    $pass = mysql_real_escape_string($_POST['password']);
    $query = "SELECT * FROM users WHERE user='{$name}' AND password='{$pass}'";
    mysql_query($query);
    ?>

The quote in ' OR ''=' is escaped to \' and stays inside the password literal. Two caveats: escaping only protects values inside quotes, so the unquoted id on slide 29 needs a cast to int or a bound integer parameter instead; and prepared statements (mysqli or PDO) remove the need for escaping altogether and are the only option on PHP 7+, where ext/mysql no longer exists. Comparing a plaintext password inside SQL is shown here only to illustrate the injection; store password hashes and verify them in application code.
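The login query from slides 30 and 31 run both ways, as an added example that is not part of the original presentation: against an in-memory SQLite database through PDO, first built by string interpolation (the vulnerable form) and then as a prepared statement, plus the unquoted-integer case from slide 29 bound as an int. The table, its rows and the payloads are constructed for this example; PDO stands in for the mysql_* calls, which no longer exist in PHP 7 and later.

```php
<?php
// Added example (not the slides' own code): the slides' login query run against
// an in-memory SQLite database through PDO, first built by string interpolation
// and then as a prepared statement. The table, rows and payloads are constructed
// for this example. Passwords are stored in plaintext only to mirror the slide;
// real code stores password_hash() output and checks it with password_verify().

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)");
$db->exec("INSERT INTO users (user, password) VALUES ('manzil', 's3cret'), ('admin', 'hunter2')");

// Vulnerable: the slide's query, with user input interpolated into the SQL text.
function loginUnsafe(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT * FROM users WHERE user='{$user}' AND password='{$pass}'";
    return count($db->query($sql)->fetchAll());
}

// Fixed: placeholders keep the data out of the SQL grammar entirely; the quote
// in the payload is just a character inside a bound value.
function loginSafe(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare("SELECT * FROM users WHERE user = :user AND password = :pass");
    $stmt->execute(array(':user' => $user, ':pass' => $pass));
    return count($stmt->fetchAll());
}

// The unquoted integer case from slide 29: binding as an int is the fix, since
// string escaping cannot help a value that is not inside quotes.
function userById(PDO $db, $id): int
{
    $stmt = $db->prepare("SELECT * FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return count($stmt->fetchAll());
}

// Slide 30 payload as the password: ' OR ''='
$payload = "' OR ''='";
echo loginUnsafe($db, 'manzil', $payload), "\n";  // 2: every row matched, login bypassed
echo loginSafe($db, 'manzil', $payload), "\n";    // 0: no user has that literal password
echo userById($db, '0 OR 1=1'), "\n";             // 0: cast to int 0, no row has id 0
```

The unsafe query returns two rows because the database sees `password='' OR ''=''`, exactly the text on slide 30; the prepared statement sends the SQL and the values separately, so there is no text for the payload to rewrite.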
32. Cross-Site Scripting

What is XSS?
It is a popular attack on web applications, because web applications largely echo user input back to the browser:

    <?php
    echo "<p>Welcome back, {$_GET['username']}.</p>";
    ?>

33. Cross-Site Scripting

Attacking example: with username set to a script tag, the page sent to the browser becomes

    <p>Welcome back, <script> ... </script>.</p>

and the script runs in the victim's browser with the site's origin (XSS attack!).

34. Cross-Site Scripting

Prevention of XSS:
- Filter input
- Escape output

    <?php
    $name = $_GET['username'];
    $name = ctype_alnum($name) ? $name : '';           // filter input: whitelist alphanumerics
    $name = htmlentities($name, ENT_QUOTES, 'UTF-8');  // escape output for the HTML context
    echo "<p>Welcome back, {$name}.</p>";
    ?>

35. Cross-Site Scripting

htmlentities():

    <?php
    $name = $_GET['username'];   // <script> ... </script>
    echo htmlentities($name, ENT_QUOTES, 'UTF-8');
    ?>

Output:

    &lt;script&gt; ... &lt;/script&gt;

The browser displays the tag as text instead of executing it.
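Escaping for the other places user data lands on a page, as an added example serving both the Escaping Output slides (17 to 22) and the XSS slides (32 to 35); it is not part of the original presentation. The slides escape for HTML body text only; the same value inside an attribute, a script block or a URL needs a different encoder. The helper names and the payload are assumptions made for this example.

```php
<?php
// Added example (not the slides' own code): escaping one untrusted value for
// several output contexts. Helper names and the sample payload are assumptions
// made up for this example.

// HTML body and attribute text. ENT_QUOTES escapes both ' and ", which matters
// inside attributes; the explicit charset prevents mis-decoding tricks.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A value embedded as a string inside a <script> block: json_encode() with these
// flags turns < > & ' " into \u escapes, so "</script>" cannot close the block early.
function escJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A value placed into a query string: percent-encode it, then HTML-escape the URL.
function escUrlParam(string $s): string
{
    return escHtml(rawurlencode($s));
}

// Constructed attacker input (assumed): tries to break out of every context at once
$name = '"><script>alert(1)</script>';

// Unescaped: the slide's vulnerable echo. The script tag reaches the browser intact.
$unsafe = "<p>Welcome back, {$name}.</p>";

// Escaped per context
$body = "<p>Welcome back, " . escHtml($name) . ".</p>";
$attr = '<input type="text" name="username" value="' . escHtml($name) . '">';
$js   = "<script>var user = " . escJs($name) . ";</script>";
$link = '<a href="/profile?u=' . escUrlParam($name) . '">profile</a>';

echo $unsafe, "\n", $body, "\n", $attr, "\n", $js, "\n", $link, "\n";
// $body -> <p>Welcome back, &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;.</p>
// $js   -> <script>var user = "\u0022\u003E\u003Cscript\u003Ealert(1)\u003C\/script\u003E";</script>
```

htmlspecialchars() is used rather than htmlentities() because only the characters with HTML meaning need encoding; both are safe for the body and attribute contexts when called with ENT_QUOTES and a charset. The rule is the same as on slide 17: pick the encoder by where the data is going, not by where it came from.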
36. Session Hijacking

What's the problem?
- An attacker can impersonate another user if that user's session identifier is known to the attacker.
- Methods of obtaining a valid session identifier:
  - Fixation
  - Prediction
  - Capture

37. Session Hijacking

Example of session fixation: the attacker chooses the identifier and gets the victim to log in with it:

    http://example.org/login.php?PHPSESSID=1234

Prevention of session fixation: use session_regenerate_id() whenever there is a change in the level of privilege:

    if ($authenticated) {
        $_SESSION['logged_in'] = TRUE;
        session_regenerate_id();
    }

Pass TRUE to session_regenerate_id() to delete the old session record as well, and set session.use_only_cookies and session.use_strict_mode so that an identifier supplied in the URL, or one the server never issued, is not accepted in the first place.

38. Session Hijacking

Another session security technique: compare the browser signature headers.

    <?php
    session_start();

    // Build a fingerprint from request headers that should stay constant for one browser
    // (the isset() guards replace the original's @ error suppression for missing headers)
    $chk = md5(
        (isset($_SERVER['HTTP_ACCEPT_CHARSET'])  ? $_SERVER['HTTP_ACCEPT_CHARSET']  : '') .
        (isset($_SERVER['HTTP_ACCEPT_ENCODING']) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '') .
        (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '') .
        (isset($_SERVER['HTTP_USER_AGENT'])      ? $_SERVER['HTTP_USER_AGENT']      : '')
    );

    if (!isset($_SESSION['key'])) {
        // New session: remember the fingerprint
        $_SESSION['key'] = $chk;
    } elseif ($_SESSION['key'] !== $chk) {
        // Fingerprint changed: treat it as a hijack attempt and discard the session
        session_destroy();
    }
    ?>

This is a weak extra layer, not a substitute for the measures above: an attacker who captured the identifier (on the wire or through XSS) usually sees these headers too and can replay them, and Accept-Charset is no longer sent by modern browsers, so it adds nothing to the fingerprint.

39. Session Hijacking

Safer session storage
- By default PHP sessions are stored as files inside the common /tmp directory.
- This often means any user on the system could see active sessions and "acquire" them, or even modify their content.

Solutions?
- A separate session storage directory via session.save_path, readable only by the web server user.
- A database storage mechanism: mysql, pgsql, oci, sqlite.
- A custom session handler (session_set_save_handler()) allowing data storage anywhere.
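The fixation and hijacking countermeasures from slides 37 and 38 combined into one login flow, as an added example that is not part of the original presentation, together with the session settings that back them. The authenticate() stand-in, the credentials and the logout trigger are assumptions made for this example.

```php
<?php
// Added example (not the slides' own code): session fixation and hijacking
// countermeasures from the slides in one login flow, plus the php.ini-style
// settings that back them. authenticate() and the credentials are assumed.

// Cookie-only, strict-mode sessions: an identifier the server never issued (the
// fixation URL on slide 37) is discarded and a fresh one is generated instead.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');   // JavaScript cannot read the cookie (limits capture via XSS)
ini_set('session.cookie_secure', '1');     // cookie only over HTTPS (limits capture on the network)
ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+: also blunts cross-site request forgery

session_start();

// Fingerprint from headers that stay constant for one browser. Accept-Charset is
// left out because modern browsers no longer send it.
function browserFingerprint(): string
{
    $raw = '';
    foreach (array('HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_USER_AGENT') as $h) {
        $raw .= (isset($_SERVER[$h]) ? $_SERVER[$h] : '') . "\n";
    }
    return hash('sha256', $raw);
}

function authenticate(string $user, string $pass): bool
{
    // Assumed stand-in for a real check (password_verify() against a stored hash)
    return $user === 'manzil' && $pass === 'correct horse';
}

// 1. A session whose fingerprint no longer matches is discarded (possible hijack)
//    and the request continues with a fresh, empty session.
if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], browserFingerprint())) {
    $_SESSION = array();
    session_destroy();
    session_start();
    session_regenerate_id(true);
}

// 2. On privilege change, regenerate the id and delete the old record so a fixated
//    id stops working, then bind the fingerprint to the new session.
if (isset($_POST['username'], $_POST['password'])
    && authenticate((string) $_POST['username'], (string) $_POST['password'])) {
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user'] = (string) $_POST['username'];
    $_SESSION['fp'] = browserFingerprint();
}

// 3. Logout: clear the data, expire the cookie, destroy the server-side record.
if (isset($_GET['logout'])) {
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The ini_set() calls must run before session_start(); in production they belong in php.ini or the server configuration so that no script can forget them. session_regenerate_id(true) is the slide 37 fix with the old record deleted, which matters because an attacker holding a fixated id could otherwise keep using the old, still-valid copy.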
40. Cross-Site Request Forgeries

What is CSRF?
An attacker can cause arbitrary HTTP requests to be sent from a victim's browser. Because the requests originate from the victim, carrying the victim's session cookie, they can bypass traditional safeguards, including firewalls and access control.

41. Cross-Site Request Forgeries

Solution for CSRF:
- Use a unique token in every form that you send to the user.
- Whenever you receive a request from the user that represents a form submission, check for this unique token.
- Use sessions to associate a particular token with a particular user.

42. Cross-Site Request Forgeries

Normal form submission (no token, so any site the victim visits can submit it on the victim's behalf):

    <form action="buy.php" method="POST">
    <p>Symbol: <input type="text" name="symbol" /></p>
    <p>Shares: <input type="text" name="shares" /></p>
    <p><input type="submit" value="Buy" /></p>
    </form>

43. Cross-Site Request Forgeries

Solution for CSRF (issuing the token):

    <?php
    $token = md5(uniqid(rand(), TRUE));
    $_SESSION['token'] = $token;
    $_SESSION['token_time'] = time();
    ?>
    <form action="buy.php" method="post">
    <input type="hidden" name="token" value="<?php echo $token; ?>" />
    <p>
    Symbol: <input type="text" name="symbol" /><br />
    Shares: <input type="text" name="shares" /><br />
    <input type="submit" value="Buy" />
    </p>
    </form>

44. Cross-Site Request Forgeries

Solution for CSRF (checking the token):

    <?php
    if ($_POST['token'] == $_SESSION['token'])
    {
        /* Valid Token */
    }
    ?>

Caveats: md5(uniqid(rand(), TRUE)) is not a cryptographic random source, since uniqid() is derived from the clock and rand() is predictable; on PHP 7+ use random_bytes(). Compare with hash_equals() rather than ==, and confirm both values are set before comparing. token_time is stored on slide 43 but never checked; use it to expire old tokens.
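The token scheme from slides 41 to 44 with those caveats applied, as an added example that is not part of the original presentation: a token from the OS random source, a constant-time comparison, a presence and type check, and an expiry that uses the token_time field the slides store but never read. The lifetime, the 403 response and the form fields are assumptions made for this example.

```php
<?php
// Added example (not the slides' own code): the slides' CSRF token scheme with
// cryptographically random tokens, a constant-time comparison and the expiry
// check that the slides' token_time field was meant for. The lifetime and the
// form fields are assumptions made for this example.

const CSRF_LIFETIME = 900;   // seconds a token stays valid (assumed)

session_start();

// Issue a token: 32 random bytes from the OS CSPRNG, not md5(uniqid(rand())),
// which an attacker can narrow down from the request time and rand()'s weak state.
function csrfToken(): string
{
    if (!isset($_SESSION['token'], $_SESSION['token_time'])
        || time() - $_SESSION['token_time'] > CSRF_LIFETIME) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
        $_SESSION['token_time'] = time();
    }
    return $_SESSION['token'];
}

// Verify a submitted token. hash_equals() avoids a timing side channel and, unlike
// ==, never does type juggling; the is_string check rejects token[]=x array tricks.
function csrfVerify($submitted): bool
{
    if (!is_string($submitted) || !isset($_SESSION['token'], $_SESSION['token_time'])) {
        return false;
    }
    if (time() - $_SESSION['token_time'] > CSRF_LIFETIME) {
        return false;   // expired: the form must be reloaded to get a fresh token
    }
    return hash_equals($_SESSION['token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A request forged from another site does not know the token, so this fails.
    if (!csrfVerify(isset($_POST['token']) ? $_POST['token'] : null)) {
        http_response_code(403);
        exit('Invalid or expired form token');
    }
    // Token accepted: filter symbol and shares as on slides 8 to 16, then process the order.
    echo "order accepted\n";
    exit;
}

// Render the form with the token in a hidden field. The value is escaped even
// though it is hex, so the rule "escape all output" has no exceptions.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form action="buy.php" method="post">
  <input type="hidden" name="token" value="{$token}" />
  <p>Symbol: <input type="text" name="symbol" /><br />
     Shares: <input type="text" name="shares" /><br />
     <input type="submit" value="Buy" /></p>
</form>
HTML;
```

The token is tied to the session, as slide 41 requires, so a value stolen from one user's page is useless in another user's session; an attacker would need to read the victim's own page to obtain it, which the same-origin policy prevents.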
45. Thank You