Is it good to be paranoid ?
1,570 views

Introduction to web security
Tech Talk @ Georgia Tech
9 March 2011


  • Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. For 2011 the estimated volume of spam messages is around seven trillion. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge.
  • Not everyone is technical. We as developers understand many concepts of security and try to be cautious, but normal users do not understand many of these concepts. Keeping the web safe for such users is very important.
  • Transcript

    • 1. Is it good to be paranoid ?
      introduction to web security
      Tech talk @ Georgia Tech,
      March 2011
    • 2. Subramanyan Murali
      yahoo
      Mail Engineer
      Hacker, Photographer, Traveler
      @rmsguhan
    • 3. par·a·noi·a
      n. paranoia [pӕrəˈnoiə]
      a type of mental illness in which a person has fixed and unreasonable ideas that he/she is very important, or that other people are being unfair or unfriendly to him/her
    • 4. in Yahoo!, they are just people who care a lot about web security
    • 5. Q. What is the problem?
    • 6. Spammers want to do cheap advertising & unsolicited marketing
    • 7. Phishers want to steal user identity for personal benefit
    • 8. Crackers want to break into your systems & profit
    • 9. Jokers just want to watch the world burn
    • 10. “It’s necessary to build an application that is user friendly, high performing, accessible and secure, all while executing partially in an un-trusted environment that you, the developer, have no control over”
      • Philip Tellis, Yahoo! Paranoid
      http://www.smashingmagazine.com/author/philip-tellis/
    • 11. A tech-savvy user may be aware …
    • 12. … but to some cookies are still made of dough & chocolate chips
    • 13. A. Keep it simple for normal users; make it hard for users with evil intentions
    • 14. Users place a lot of trust in the web and share a lot of information
    • 15. Every attack is unique and exploits a weakness
    • 16. Types of web attacks
      Phishing & Spamming
      Scamming
      Code Injection
      Forgery & spoofing
    • 17. Cross-Site Scripting (XSS)
    • 18. XSS
      Filter (validate) all input that you are going to save
      Be aware of the data you are saving
      A URL field should accept only URLs
      A number field should accept only numbers
      Escape the data again when you render it, for the context it lands in (HTML text, attribute, JavaScript, URL); input filtering alone does not make output safe
      Never open up your site based purely on trust
    • 19. SQL / Shell Injection
    • 20. http://xkcd.com/327/
    • 21. <?php
      // Deliberately vulnerable (the slide's point): $user and $message are
      // spliced straight into the SQL text, so a quote in either one changes the statement.
      $user = $_GET['user'];
      $message = $_GET['message'];

      function save_message($user, $message) {
          $sql = "INSERT INTO Messages (
                      user, message
                  ) VALUES (
                      '$user', '$message'
                  )";
          return mysql_query($sql);
      }
      ?>
    • 22. test');DROP TABLE Messages;
      test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …
    • 23. Cross-Site Request Forgery
    • 24. <img src="http://www.mybiz.com/post_message?message=Cheap+medicine+at+http://evil.com/" style="position:absolute;left:-999em;">
    • 25. <iframe name="pharma" style="display:none;"></iframe>
      <form id="pform" action="http://www.mybiz.com/post_message" method="POST" target="pharma">
        <input type="hidden" name="message" value="Cheap medicine at ...">
      </form>
      <script>document.getElementById('pform').submit();</script>
    • 26. Issue a unique token / crumb that only your server would know for that session
      Check if the posted data has that token
    • 27. For normal posts, use a time-bound token
      <?php
      // $secret is a server-side secret that never reaches the client; $user identifies
      // the logged-in user. ceil(time()/86400) changes once a day, so the token expires
      // with the day (a form loaded just before the boundary will fail on the next day).
      function get_nonce($secret, $user) {
          return md5($secret . ":" . $user . ":" . ceil(time()/86400));
      }
      ?>
      For more sensitive posts, use a token that is stored in the user session
    • 28. Click-jacking
      http://erickerr.com/like-clickjacking
    • 29. Tab-jacking
      http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
    • 30. New secure technology does not guarantee a secure application
    • 31. As developers, we need to be cautious
    • 32. Resources
      http://www.owasp.org/index.php/Main_Page
      http://kilimanjaro.dk/blog/
      http://www.smashingmagazine.com/author/philip-tellis/
      http://code.google.com/edu/security/index.htm
      http://www.slideshare.net/joewalker/web-app-security
      http://www.slideshare.net/shiflett/evolution-of-web-security
      http://www.slideshare.net/txaypanya/owasp-top10-2010
    • 33. Be paranoid, be smart
      Thank you!
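Slide 18's advice ("a URL field should accept only URLs, a number field only numbers", and escape on output) in working code. This is an added example, not code from the deck, and it is in Python rather than the slides' PHP; the profile form with its name, homepage and age fields, the 64-character name limit and the markup produced by render_profile are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Only absolute http(s) URLs are accepted; javascript:, data: and scheme-less
# strings never reach storage. (Assumed policy for this example.)
ALLOWED_SCHEMES = {"http", "https"}
NUMBER = re.compile(r"[0-9]{1,9}")


def validate_url(value):
    """Return the URL if it is an absolute http(s) URL with a host, else None."""
    parts = urlsplit(value.strip())          # urlsplit lower-cases the scheme
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def validate_number(value):
    """Return an int only if the field is a plain ASCII decimal, else None."""
    s = value.strip()
    return int(s) if NUMBER.fullmatch(s) else None


def save_profile(form):
    """Validate the constructed profile form; return the cleaned record or None.
    A bad field rejects the whole submission rather than being silently 'fixed'."""
    homepage = validate_url(form.get("homepage", ""))
    age = validate_number(form.get("age", ""))
    name = form.get("name", "").strip()
    if homepage is None or age is None or not 0 < len(name) <= 64:
        return None
    return {"name": name, "homepage": homepage, "age": age}


def render_profile(profile):
    """Output encoding for the context each value lands in: HTML text for the
    name, an attribute value for the href. Input validation does not replace this
    step; the name is free text and is escaped here, not filtered on the way in."""
    name = html.escape(profile["name"])
    href = html.escape(profile["homepage"], quote=True)
    return (f'<p class="name">{name}</p>'
            f'<a href="{href}">homepage</a>'
            f'<span>age {profile["age"]}</span>')


if __name__ == "__main__":
    # Constructed submissions: one honest, one carrying a javascript: URL.
    for form in ({"name": "<b>Sub</b>", "homepage": "http://example.com/", "age": "30"},
                 {"name": "x", "homepage": "javascript:alert(1)", "age": "30"}):
        rec = save_profile(form)
        print("rejected" if rec is None else render_profile(rec))
```

The two halves are deliberately separate: validation decides what is stored, escaping decides how it is shown. A stored value that passed validation (the homepage) is still escaped on output, because the attribute context has its own special characters.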
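Slides 21 and 22 side by side, as an added example that is not part of the deck: the string-spliced INSERT from slide 21 next to a parameterised one, both fed the second payload from slide 22. It is Python on an in-memory SQLite table rather than the slides' PHP and MySQL; the Messages table layout and the "alice" user are constructed for the illustration.

```python
import sqlite3

# Payload from slide 22: closes the message literal and appends two more rows.
PAYLOAD = "test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at ..."


def new_db():
    """Constructed in-memory stand-in for the Messages table on slide 21."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    return conn


def save_message_vulnerable(conn, user, message):
    """Mirrors the slide's PHP: the values are spliced into the SQL text, so the
    quote in the payload ends the literal and the rest becomes SQL."""
    sql = f"INSERT INTO Messages (user, message) VALUES ('{user}', '{message}')"
    conn.execute(sql)


def save_message_safe(conn, user, message):
    """Parameterised statement: the values travel separately from the SQL, so a
    quote in the data is just a character in the stored string."""
    conn.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))


def run(save):
    """Save one message carrying the payload and return every row in the table."""
    conn = new_db()
    try:
        save(conn, "alice", PAYLOAD)
        return conn.execute("SELECT user, message FROM Messages ORDER BY user").fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for name, save in (("vulnerable", save_message_vulnerable),
                       ("parameterised", save_message_safe)):
        rows = run(save)
        print(f"{name}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

The multi-row payload works through a single statement, which is why it is the one shown here. The first payload on slide 22 (`DROP TABLE Messages`) needs the driver to accept stacked statements; sqlite3's `execute` refuses a second statement, and the original PHP `mysql_query` does too, which is a property of the driver rather than of the code, and not something to rely on.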
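The crumb scheme of slides 26 and 27, with the forged post from slide 25 run against it, as an added example that is not part of the deck. It keeps the slide's construction (a keyed hash of the user and a once-a-day bucket, `ceil(time/86400)`) but swaps md5 for HMAC-SHA256, compares tokens in constant time, and accepts the previous day's bucket so a form loaded just before midnight still posts; the session-stored token for sensitive posts is the slide's second suggestion. The SECRET value, the `post_message` handler and the dict standing in for the server-side session are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret; in practice load it from configuration and
# never send it to the client.
SECRET = b"replace-me-with-a-long-random-server-secret"
DAY = 86400


def get_nonce(user, now=None, secret=SECRET):
    """Time-bound crumb: keyed hash of the user and the current day bucket."""
    now = time.time() if now is None else now
    bucket = -(-int(now) // DAY)   # integer ceil, the slide's ceil(time()/86400)
    return hmac.new(secret, f"{user}:{bucket}".encode(), hashlib.sha256).hexdigest()


def check_nonce(user, token, now=None, secret=SECRET):
    """Accept the current bucket and the one before it; compare in constant time."""
    now = time.time() if now is None else now
    for back in (0, DAY):
        expected = get_nonce(user, now - back, secret).encode()
        if hmac.compare_digest(expected, str(token).encode()):
            return True
    return False


def issue_session_token(session):
    """Random per-session token for sensitive posts: kept server-side, embedded in the form."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def check_session_token(session, posted):
    expected = session.get("csrf_token")
    if expected is None or posted is None:
        return False
    return hmac.compare_digest(expected.encode(), str(posted).encode())


def post_message(session, user, form, now=None):
    """Hypothetical /post_message handler. The hidden form on the attacker's page
    (slide 25) cannot read the victim's crumb, so its request arrives without one."""
    if not check_nonce(user, form.get("crumb", ""), now):
        return 403, "missing or stale crumb"
    session.setdefault("messages", []).append(form.get("message", ""))
    return 200, "posted"


if __name__ == "__main__":
    session = {}
    forged = {"message": "Cheap medicine at ..."}              # slide 25, no crumb
    print(post_message(session, "alice", forged))               # (403, ...)
    genuine = {"message": "hello", "crumb": get_nonce("alice")}  # crumb from our own form
    print(post_message(session, "alice", genuine))              # (200, 'posted')
```

The crumb is bound to the user as well as the day, so a crumb the attacker obtains for their own account does not validate for the victim. The one-bucket grace window is the trade-off the slide's pure day bucket leaves out: without it, every form loaded before midnight fails when submitted after.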