Web Security

Presentation slide for Jaba IT


Transcript of "Web Security"

Web Security
Never, ever, trust user inputs
Supankar

What is Security?

Why do we need security?
Haha! Yes, I know it. It's really a funny topic!!

Is it called security?

Security, why?
To prevent theft of important data
To secure personal data / credentials
To prevent compromise of access privileges
No data loss

Common Threats
Cross-Site Scripting (XSS)
Session Hijacking
Clickjacking
Cross-site request forgery (XSRF)
SQL Injection

Never, ever, trust user inputs

Input Validation
Always use server-side validation, as client-side (JavaScript) validation can easily be bypassed
Use white-listed values
Use built-in escape functions
Validate for correct data types, like numbers

Example
supankar<script type="text/javascript" src="http://abcNews24.com/gps/malicious.js"></script>

Input Validation (cont.)
Don't expect the return value from selections, radio buttons or check boxes of a form to be the ones you defined. So, always revalidate.
Example:
    <input type="radio" name="gender" value="m" />Male
    <input type="radio" name="gender" value="f" />Female

Input Validation (cont.)
    insert into userinfo (gender) values($_POST['gender'])
Garbage:
    <input type="radio" name="gender" value="a" />Male
    <input type="radio" name="gender" value="c" />Female

Input Validation (cont.)
Defensive Programming:
    $gender = 'm';
    if ($_POST['gender'] == 'f')
        $gender = 'f';
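The defensive pattern on the slide above, generalised to a small helper that white-lists radio/select values and validates numeric ids. This is an added example, not code from the slides; the field names and allowed values are assumptions.

```php
<?php
// Added example, not from the slides: the defensive pattern above generalised
// to a small helper. Field names and the allowed values are assumed.

// Allowed values per radio/select field; anything else falls back to the default.
const ALLOWED = [
    'gender' => ['m', 'f'],
    'sort'   => ['asc', 'desc'],
];

function whitelisted(array $input, string $field, string $default): string
{
    $value = $input[$field] ?? null;
    // Strict in_array: an array, an integer or a look-alike string never matches.
    if (is_string($value) && in_array($value, ALLOWED[$field] ?? [], true)) {
        return $value;
    }
    return $default;
}

function positiveInt(array $input, string $field): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc", "1e3" and "112; DROP TABLE posts";
    // min_range additionally rejects zero and negative ids.
    $value = filter_var($input[$field] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Constructed sample of a tampered form submission (the "Garbage" slide).
$post = ['gender' => 'a', 'sort' => 'desc', 'post_id' => '112; DROP TABLE posts'];

$gender = whitelisted($post, 'gender', 'm');   // 'a' is not allowed, so the default applies
$sort   = whitelisted($post, 'sort', 'asc');
$postId = positiveInt($post, 'post_id');       // not an integer, so it is rejected
var_dump($gender, $sort, $postId);
```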
PHP: Some Bad Features
Register Globals
Consider the following code:
    if ($password == "my_password") {
        $authorized = 1;
    }
    if ($authorized == 1) {
        echo "Lots of important stuff.";
    }
With register_globals on, test.php?authorized=1 will produce "Lots of important stuff."
To disable register_globals using a .htaccess file:
    php_flag register_globals 0
To disable register_globals using php.ini:
    register_globals = Off
Magic Quotes

PHP Harmful Functions
    eval("shell_exec('rm -rf {$_SERVER['DOCUMENT_ROOT']}');");
ini_set(), exec(), fopen(), popen(), passthru(), readfile(), file(), shell_exec(), system(), etc.

SQL Injection
Most common and most destructive security hazard
Let's see the common way to check the username and password entered into a form:
    $check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '" . $_POST['username'] . "' and Password = '" . $_POST['password'] . "'");
If we enter the following in the "username" input box and submit:
    ' OR 1=1 #
The query that is going to be executed will now look like this:
    SELECT Username, Password, UserLevel FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
As you can see, this query will return all the users from the database, and as generally the first user in a user table is the admin, the hacker will easily gain admin privileges.

SQL Injection - Preventing
Sanitize properly
Use prepared statements
Use mysql_real_escape_string()
Turn on magic_quotes_gpc with caution
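The login check above rewritten with a PDO prepared statement, so the "' OR 1=1 #" input is compared as a literal username instead of becoming part of the query. This is an added example, not code from the slides; the DSN, credentials and Users table layout are assumptions.

```php
<?php
// Added example, not from the slides: the login query above rewritten with a PDO
// prepared statement. The DSN, credentials and the Users table layout are assumed.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares: parameter values are sent separately from the
    // SQL text and can never change its structure.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function checkLogin(PDO $pdo, string $username, string $password): ?array
{
    // Placeholders instead of string concatenation: the slide's "' OR 1=1 #" is
    // compared as a literal username and matches no row.
    $stmt = $pdo->prepare(
        'SELECT Username, Password, UserLevel FROM Users WHERE Username = :u AND Password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // In real code the Password column should hold a password_hash() value that is
    // checked with password_verify() in PHP rather than compared inside the query.
    return $row === false ? null : $row;
}

// Constructed input: the injection string from the slide, submitted as the username.
$user = checkLogin($pdo, "' OR 1=1 #", '');
echo $user === null ? "login refused\n" : 'logged in as ' . $user['Username'] . "\n";
```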
Error/Warning Messages

File Manipulation
Some sites currently running on the web today have URLs that look like this:
    index.php?page=contactus.html
The user can very easily change the "contactus.html" bit to anything they like. For example:
    index.php?page=.htpasswd
By changing the URL, on some systems, to reference a file on another server, they could even run PHP that they have written on your site.
When users download a file from your server, if the file name depends on user input, they can easily manipulate it to download system files by giving inputs like "../../../etc/passwd".

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    ini_set('display_errors', 1);
    ini_set('log_errors', 1);
    ini_set('error_log', dirname(__FILE__) . '/error_log.txt');
    error_reporting(E_ALL);
(Development settings: in production, keep log_errors on but set display_errors to 0, as the summary slide says.)
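One way to serve index.php?page=... and file downloads without letting "../", ".htpasswd" or a remote URL reach include() or readfile(). This is an added example, not code from the slides; the directory names and the page list are assumptions.

```php
<?php
// Added example, not from the slides: serving index.php?page=... and file
// downloads without letting "../", ".htpasswd" or a remote URL reach include()
// or readfile(). Directory names and the page list are assumed.

const PAGES = ['home' => 'home.html', 'contactus' => 'contactus.html'];
const DOWNLOAD_DIR = __DIR__ . '/downloads';

function pageFile(string $page): string
{
    // The URL carries a short key, not a path: unknown keys fall back to the home
    // page, so a remote URL or ".htpasswd" is never looked up on the filesystem.
    return __DIR__ . '/pages/' . (PAGES[$page] ?? PAGES['home']);
}

function downloadPath(string $name): ?string
{
    // basename() drops any directory part, so "../../../etc/passwd" becomes "passwd";
    // dotfiles such as .htaccess are refused outright.
    $name = basename($name);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $real = realpath(DOWNLOAD_DIR . '/' . $name);
    $base = realpath(DOWNLOAD_DIR);
    // realpath() also resolves symlinks; anything outside DOWNLOAD_DIR is refused.
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

include pageFile((string) ($_GET['page'] ?? 'home'));

if (isset($_GET['file'])) {
    $file = downloadPath((string) $_GET['file']);
    if ($file === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
}
```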
JavaScript!!!
A creative innovation.
Giving the user more control over the browser
Detecting the user's browser, OS, screen size, etc.
Performing simple computations on the client side
Validating the user's input
Handling dates and time
Generating HTML pages on-the-fly without accessing the web server.

Cross-Site Scripting (XSS)
It allows attackers to add keyloggers, tracking scripts or porn banners to your site, or just stop your site working altogether.
It can also be used for cookie hijacking, so that a real user can be impersonated.
Always use the htmlentities() function to output user-generated text.
Limit the character set that can be used for a particular text type.
Disallow HTML input if possible. If that is not an option, only allow limited HTML tags.

I am not Sleeping…….
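Applying the htmlentities() advice to the payload from the "Example" slide, in both the text and the attribute context of a comment page. This is an added example, not code from the slides; the e() helper name and the sample values are assumptions.

```php
<?php
// Added example, not from the slides: escaping user-generated text with
// htmlentities() for the two contexts a comment page usually has. The e() helper
// name and the sample values are assumed.

function e(string $text): string
{
    // ENT_QUOTES escapes both " and ', which matters inside attribute values;
    // naming the charset keeps multi-byte input from being mis-decoded.
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input: the payload from the "Example" slide, posted as a display name.
$name = 'supankar<script type="text/javascript" src="http://abcNews24.com/gps/malicious.js"></script>';
$site = 'http://example.com/';

// Text context: the tag is rendered as visible text, not executed.
echo '<p>Posted by ' . e($name) . '</p>';

// Attribute context: escaped quotes cannot close the attribute. The URL is additionally
// limited to http(s), which is the "limit the character set" rule applied to a link field.
$href = preg_match('#^https?://#i', $site) ? e($site) : '#';
echo '<a href="' . $href . '">' . e($name) . '</a>';
```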
Yes, I am, because it is boring..

Let's have some fun…

Fun…
Go to supankar.wordpress.com
http://technotip.com/269/moving-image-javascript-small-fun-application/Develop

XSS – Preventing
Sanitize user input properly
Check character encoding
Double check before printing GET values from the URL

MVC? Is it secure?

Cross-site request forgery (XSRF)
Using a user's logged-in session to manipulate the site
    http://example.com/admin/delete/post/1

Cross-site request forgery (XSRF) cont.
User A has a post with ID 112

Cross-site request forgery (XSRF) cont.
User B posted on his blog:
    <img src='/admin/delete/post/112'/>
No effect for User B

Cross-site request forgery (XSRF) cont.
User A visits User B's blog
    <img src='/admin/delete/post/112'/>
Deletes User A's post with ID 112

XSRF Prevention
Use POST
Check for the presence of some sort of valid submission
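The two prevention points above as code: the delete action only accepts POST, and the "valid submission" check is a per-session token that the img tag on User B's blog cannot supply. This is an added example, not code from the slides; the field names are assumptions.

```php
<?php
// Added example, not from the slides: "use POST" plus a per-session token as the
// "valid submission" check for /admin/delete/post/<id>. Field names are assumed.

session_start();

function csrfToken(): string
{
    // One unguessable token per session. The <img src="/admin/delete/post/112">
    // on User B's blog cannot read it, so the request it triggers cannot carry it.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function validSubmission(string $method, array $post, array $session): bool
{
    // An <img> tag can only issue GET, so GET never deletes anything; the token is
    // compared with hash_equals() so the comparison time does not leak it.
    return $method === 'POST'
        && isset($post['csrf'], $session['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Handler for the delete action.
    if (!validSubmission($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION)) {
        http_response_code(403);
        exit('invalid submission');
    }
    $postId = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT);
    // ... delete post $postId after checking it belongs to the logged-in user
    exit;
}

// Form rendered for User A; the token travels only in this POST body.
echo '<form method="post" action="/admin/delete/post/112">'
    . '<input type="hidden" name="id" value="112">' . csrfField()
    . '<button type="submit">Delete</button></form>';
```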
I have more important tasks, please leave me now…

Ok, Ok, just a summary
Use common sense
Always check user input
No direct user input in SQL queries
Disable the error/warning messages in production
Always try to use defensive programming techniques
Update your scripts to the latest versions

Suggestions
Read security-related news and updates
http://www.owasp.org/
http://shiflett.org/
http://www.securityfocus.com/

Toooo much, Supankar!! STOP NOW!!

    <?php
        echo "Question";
    ?>

An ounce of prevention is worth a pound of cure -> Benjamin Franklin
Thanks