Modern Web Security

Basic security concepts for web applications and web sites for today's environment. Server Configuration, Site Configuration, Best Practices, and Passwords.

Bill Condo / @mavrck
Modern Web Security
Attacks & Improvements
4/2/2014 | Dayton Web Developers
Who here is responsible for a website?

Who here has published code updates live in the last month?

Are they secure?
What We’ll Cover
• Common Threats
• Easy Improvements
• Bonus: Passwords

Common Threats
• Cross Site Scripting
• SQL Injection
• Path Disclosure
• Cross Site Request Forgery
• Information Disclosure

• Denial of Service
• Code Execution
• Memory Corruption
• Arbitrary File
• Local File Include
• Remote File Include
• Buffer overflow
Cross-site scripting (XSS)
• In a nutshell, websites that allow external code to be sent with a response to a user’s browser.
• Typically this is JavaScript that is inserted into a query string or form field and is then allowed to run.
• Opens up cookie and sensitive data
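The reflected-parameter case the slide describes, as an added example that is not part of the deck: the same query-string value rendered once without escaping and once with HTML escaping, plus a small check that can be run over access-log lines to flag requests whose decoded query carries a tag. The query string and log lines are constructed for the example; the page and log format are assumptions, not something the slides specify.

```python
import html
from urllib.parse import parse_qs, unquote

# Constructed sample query string: ?name=<script>alert(1)</script>, URL-encoded.
SAMPLE_QUERY = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Constructed access-log lines in a common-log-style layout (assumed format).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2014:19:00:01] "GET /index.php?name=Bill HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Apr/2014:19:00:07] "GET /index.php?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
]


def reflected_name(query_string):
    """Pull the 'name' parameter out of the query string (percent-decoding included)."""
    return parse_qs(query_string).get("name", [""])[0]


def render_unsafe(query_string):
    """The vulnerable pattern: the parameter is copied into the response as-is."""
    return "<p>Hello, " + reflected_name(query_string) + "</p>"


def render_safe(query_string):
    """Escape for the HTML body context; quote=True also makes it safe inside
    a quoted attribute value."""
    return "<p>Hello, " + html.escape(reflected_name(query_string), quote=True) + "</p>"


def contains_active_markup(fragment):
    """Cheap detection check: did a script tag survive into the output?"""
    return "<script" in fragment.lower()


def suspicious_requests(log_lines):
    """Flag log lines whose decoded query string carries a script tag, for alerting."""
    flagged = []
    for line in log_lines:
        try:
            request_path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue                      # malformed line: skip rather than crash
        if "?" not in request_path:
            continue
        query = unquote(request_path.split("?", 1)[1])
        if contains_active_markup(query):
            flagged.append(line)
    return flagged
```

Escaping happens at output time, for the context the value lands in; input "sanitizing" alone does not tell you whether a value is safe in a URL, an attribute or a script block.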
SQL Injection
• Allowing user input to be inserted directly into database queries, opening the possibility of unexpected results, database corruption, and data leakage.
• (original) statement = "SELECT * FROM users WHERE id ='" + id + "';"
• (input) 0'; DROP TABLE users
• (final) statement = "SELECT * FROM users WHERE id ='0'; DROP TABLE users;"
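The slide's concatenation beside the prepared-statement fix, as an added example that is not part of the deck. It uses an in-memory SQLite database built for the example; the input is the slide's value with a trailing SQL comment marker appended so that the stacked statement parses, and executescript() stands in for a driver or database that accepts stacked statements (SQLite's execute() refuses them, which is a driver guard, not a fix). Table layout and names are constructed.

```python
import sqlite3

# Constructed sample input: the slide's "0'; DROP TABLE users" with a trailing
# comment marker so the second statement parses cleanly in SQLite.
MALICIOUS_ID = "0'; DROP TABLE users; --"


def fresh_db():
    """In-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob');"
    )
    return conn


def users_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def build_statement_unsafe(user_id):
    """The slide's pattern: input concatenated straight into the SQL text."""
    return "SELECT * FROM users WHERE id ='" + user_id + "';"


def lookup_unsafe(conn, user_id):
    """Run the concatenated text. executescript() emulates a driver that accepts
    stacked statements, which is where the injected DROP TABLE gets executed.
    Returns whether the users table is still there afterwards."""
    conn.executescript(build_statement_unsafe(user_id))
    return users_table_exists(conn)


def lookup_safe(conn, user_id):
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo():
    """Side-by-side result for the same malicious input."""
    unsafe_db = fresh_db()
    table_survived_unsafe = lookup_unsafe(unsafe_db, MALICIOUS_ID)

    safe_db = fresh_db()
    rows_for_malicious = lookup_safe(safe_db, MALICIOUS_ID)   # no row has that id
    table_survived_safe = users_table_exists(safe_db)

    return {
        "statement_built": build_statement_unsafe(MALICIOUS_ID),
        "unsafe_table_survived": table_survived_unsafe,
        "safe_rows": rows_for_malicious,
        "safe_table_survived": table_survived_safe,
        "safe_normal_lookup": lookup_safe(safe_db, 1),
    }
```

The bound parameter is sent separately from the statement text, so nothing the user types can change the statement's structure; escaping characters by hand is the fallback the slide rightly ranks below it.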
http://xkcd.com/327/
Path Disclosure
• Allowing an attacker to see the path to the web root.
  /home/site.com/public/index.php
• This could allow viewing of private files, and provides a nugget of knowledge that can be combined to allow full access.
• http://site.com/index.php?page=about
• http://site.com/index.php?page=../config
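How a ?page= parameter like the one on the slide can be resolved without letting ../ escape the web root, as an added example that is not part of the deck: an allowlist of includable pages, a path-confinement check as a second line of defence, and an error helper that logs detail server-side but never echoes a file path to the client. The web root is the slide's; the allowlist, file names and logger name are constructed for the example.

```python
import logging
import posixpath

# Constructed layout: the web root shown on the slide, with config.php one level above it.
WEB_ROOT = "/home/site.com/public"
ALLOWED_PAGES = {"index", "about", "contact"}   # constructed allowlist of includable pages


def candidate_path(page):
    """What ?page=<value> would resolve to if joined naively, after normalisation."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page + ".php"))


def is_inside_root(path):
    """True only if the normalised path still sits under WEB_ROOT."""
    return posixpath.commonpath([WEB_ROOT, path]) == WEB_ROOT


def resolve_page(page):
    """Allowlist first, then path confinement. Returns the file to include, or
    None so the caller can serve a generic 404 that names no path."""
    if page not in ALLOWED_PAGES:
        return None
    path = candidate_path(page)
    if not is_inside_root(path):
        return None
    return path


def error_response(exc, production=True):
    """Log the detail (which may contain file paths) server-side; in production
    the client only ever sees a generic message."""
    logging.getLogger("app").error("request failed: %r", exc)
    if production:
        return "Something went wrong."
    return "%s: %s" % (type(exc).__name__, exc)
```

The allowlist alone would already block ../config; the confinement check is there so that a later change to the allowlist (for instance, loading it from a database) cannot quietly reintroduce traversal.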
Cross Site Request Forgery (CSRF)
• Exploits a website’s functionality through an authenticated user’s session when the request itself isn’t verified. This commonly comes from features driven by URL parameters that don’t have sufficient verification in place.
• http://site.com/send-message.php?from=bill&to=brad&message=hi
• May also be exploited by malicious code injected into a page.
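A send-message handler hardened against the slide's URL, as an added example that is not part of the deck: state changes require POST, a token bound to the session (HMAC of the session id under a server secret) must accompany the request, and the sender is taken from the session rather than from a from= parameter. The secret, session store and request shape are constructed for the example; a real framework would supply the session and form handling.

```python
import hashlib
import hmac
import secrets

# Constructed: a per-deployment secret and a session store (session id -> user).
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-bill-1": "bill", "sess-brad-7": "brad"}


def issue_csrf_token(session_id):
    """Token bound to the session: HMAC-SHA256(secret, session id). Embed it in the form."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, presented):
    """Constant-time comparison against the token this session should carry."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def handle_send_message(request):
    """request: {"method", "session_id", "params"}. Returns (status, body).

    Three defences: a state change needs POST, the token must match the session,
    and the sender comes from the session, never from a 'from=' parameter."""
    session_id = request.get("session_id")
    sender = SESSIONS.get(session_id)
    if sender is None:
        return 401, "not logged in"
    if request.get("method") != "POST":
        return 405, "state-changing action requires POST"
    params = request.get("params", {})
    if not csrf_token_valid(session_id, params.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "%s -> %s: %s" % (sender, params["to"], params["message"])


# Constructed request mirroring the slide's URL, arriving on Bill's session.
FORGED_GET = {
    "method": "GET",
    "session_id": "sess-bill-1",
    "params": {"from": "bill", "to": "brad", "message": "hi"},
}
```

A token copied from one session does not validate on another, so a page that can only see its own session's token cannot forge a request for a different victim.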
Information Disclosure
• Releasing secure information to an untrusted environment. This can be the operating environment, customer data, or trade secrets.
• Path that the website runs at, database info, service versions, etc.
• Credit card data, private account info (address, phone), and customer history.
• Business logic, processes, and long-term business plans.
Easy Improvements
• Secure Your Environment
• Secure Your Website
• Establish Audits
Secure your Environment
• Leave your cheap web host (BlueHost, GoDaddy, etc) and go to a Virtual Private Server (VPS) such as Digital Ocean, Linode, Rackspace, AWS, etc. You don’t want to share security concerns with the world.
• Turn off the display of errors and debugging info in production, and redirect them to log files.
• Turn on automatic updates for security patches.
• Turn off broadcasting of service versions and extensions.
• Turn off modules that aren’t required.
Sorry, We’re Not Sharing Security…

Thanks for letting me know…
Secure Your Website
• Sanitize user input. Always.
• Escape and sanitize database queries. Better yet, use an established package for prepared statements.
• Store sensitive data outside of the webroot with proper permissions.
• SSL where possible.
• Sandbox user uploads and treat them with suspicion.

Establish Audits
• Black Box: Security/Vulnerability Scanners, Penetration Tests
• White Box: Source Code Analyzers, Code Tests
• Password Testing

More Security Info
• http://www.webappsec.org
• http://www.owasp.org
Stretch.
Last minute bucket. We’re in overtime.

Bonus: Password Security
• Terminology
• Landscape/Problems
• Best Practices
• Getting Policy Buy-in
Password Terminology
• Encrypting - The process of encoding messages or information in such a way that only authorized parties can read it*. Encryption typically involves a private key and is two-way: what was encrypted can be decrypted again.
• Hashing - Password hashing is a one-way conversion of an input into a representative string. (i.e. nothing = 4fhk348fhsk48rfk4d3)
• Salting - A unique string of characters (hopefully per user) that helps keep the password hashes different for users that have the same password.
*http://en.wikipedia.org/wiki/Encryption

• Entropy (Strength) - A measure of the uncertainty associated with a random variable. (i.e. Password Strength)
• Rainbow Tables - Pre-calculated lookup tables that match a hash value back to the input string for a known hashing algorithm.
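The three terms side by side, as an added example that is not part of the deck: a toy precomputed table that reverses unsalted SHA-256 hashes of a few common passwords, and a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the standard library) that the table cannot be built for because every user gets a different salt. The password list, storage format and iteration count are constructed for the example; the iteration count is deliberately modest here and should be raised for production use.

```python
import base64
import hashlib
import hmac
import os

ALGO = "sha256"
ITERATIONS = 100_000   # constructed for this example; production values are higher

# Constructed "rainbow table": precomputed unsalted hashes of a few common passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
PRECOMPUTED_SHA256 = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_sha256_hex(password):
    """What a site that hashes without a salt would store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reverse_unsalted(hexdigest):
    """Lookup against the precomputed table. This works only because the unsalted
    hash of a given password is identical on every site that stores it that way."""
    return PRECOMPUTED_SHA256.get(hexdigest)


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random salt per call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_%s$%d$%s$%s" % (
        ALGO,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_b64, hash_b64 = stored.split("$")
    algo = scheme.split("_", 1)[1]
    digest = hashlib.pbkdf2_hmac(
        algo, password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def same_password_different_hashes(password):
    """Two users with the same password end up with different stored values."""
    return hash_password(password) != hash_password(password)
```

Storing the iteration count next to the hash lets the cost be raised later without invalidating existing records: old entries keep verifying with their recorded count and can be rehashed on the user's next successful login.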
http://xkcd.com/936/

Problems
State of Passwords
• Most people share passwords between sites
• Most people don’t use secure passwords
• Secure passwords, with high entropy, are impossible to remember
• Most people don’t use a password manager

Lack of Transparency
• Web apps & sites don’t disclose their password policies or encryption strength, and there isn’t a standards body to police who’s following best practices and who’s being risky.
• Users often don’t find out what data was compromised in an attack, and frequently don’t find out about a breach at all until it reaches the news cycle.

Forgotten Trail
• With e-commerce, we often have to create an account, provide payment details, and then may never shop there again. However, the data persists.
• Users typically don’t keep a master list of sites they have an account on, or have purchased from. Each account can act as a nugget of knowledge, slowly building up to enough data for concern.
Best Practices
Worst Practices
Don’t help the enemy
• Don’t: Policies that enforce things such as “first character must be upper case” and “must end in a special character”. This allows masking: guesses can be restricted to the pattern the policy enforces.
• Don’t: To an extent, disclosing the minimum requirements for lower case, upper case, numeric, and special characters.

Garbage in, garbage out
• Don’t: Having no password policy at all.
• Don’t: Allowing common passwords like ‘password’, ‘123456’.
• Don’t: Allowing common dictionary words.
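A policy check that follows the "don't" slides above and the entropy definition from the terminology slide, as an added example that is not part of the deck: it rejects what is guessable (too short, a common password, a single dictionary word with digits tacked on) rather than dictating where characters must sit, and it computes entropy the way the linked xkcd does (bits per word times words for a passphrase, bits per character times length for a random string). The deny list, word list and minimum length are small constructed values; real deployments use large breach-derived lists.

```python
import math
import secrets

# Constructed deny list and dictionary; real lists are far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"correct", "horse", "battery", "staple", "dragon", "monkey", "sunshine"}
MIN_LENGTH = 12   # constructed policy value


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words chosen uniformly from wordlist_size words.
    Four words from 2048 gives the 44 bits the xkcd strip quotes."""
    return word_count * math.log2(wordlist_size)


def random_string_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string; only valid if it really is random,
    which is why a pattern-based password scores far below this estimate."""
    return length * math.log2(alphabet_size)


def password_problems(password):
    """Return the list of reasons a password is rejected (empty means accepted)."""
    problems = []
    stem = password.lower().rstrip("0123456789")   # 'Monkey123' -> 'monkey'
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if stem in COMMON_PASSWORDS:
        problems.append("common password")
    if stem in DICTIONARY:
        problems.append("single dictionary word")
    return problems


def generate_passphrase(wordlist, count=4):
    """Pick words with the CSPRNG; entropy is passphrase_entropy_bits(count, len(wordlist)).
    The tiny constructed DICTIONARY above yields only ~11 bits, so use a real list."""
    words = sorted(wordlist)
    return " ".join(secrets.choice(words) for _ in range(count))
```

Note that nothing here tells the user which character class is missing where; the checks describe the password as a whole, so the policy gives away no pattern to build a mask from.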
Getting Policy Buy-in

#1 Prevent PR Issues

#2 Cost vs Risk
• Doing security correctly is less expensive upfront. The opportunity cost is minimal compared to the reduction in risk.
  Cost * Risk = Likelihood Cost
• What does it cost to clean up the mess: reset the passwords, scan the servers, added support calls/requests, etc…

#3 Predictability
• Help project/business managers in being able to minimize unexpected security response events.
• Better understand how your week is going to go.
My Ask of You
• If you found this information useful, I ask two things of you:
• Follow me on Twitter for development tips: @mavrck
• Back the Salt Mines Device Lab fundraiser for $1+: http://igg.me/p/728005
• Also, we’re hiring at LMG. Grab a card if you’re currently not next to your boss (otherwise email bill@lmgresults.com).

Roaring Applause Here.
Thanks for your time.