Building Secure Twitter Apps

Presentation given at #140tc in Los Angeles on security issues when building web and Twitter applications.

Published in: Technology

Building Secure Twitter Apps

  1. Web App Security and Twitter
     - Damon P. Cortesi
     - Alchemy Security, LLC
     - TweetStats | TweepSearch | TweetSum
  2. @dacort
  3. Common Issues
     - SQL Injection
     - Cross-Site Scripting
     - Cross-Site Request Forgery
     - Information Disclosure
     - Development/Staging sites available
  4. SQL Injection
     - $sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "'";
     - What if username is: dpc' or 'a'='a ?
     - ... username = 'dpc' or 'a'='a' ...
     - SQL Server 2000 && xp_cmdshell
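The concatenated query on slide 4 and its parameterized counterpart, as an added example in Python with an in-memory SQLite table; this is not the talk's PHP code, and the `users` table, the `dpc` account and its password are constructed for the demo. Both functions receive the slide's username value (`dpc' or 'a'='a`) with a wrong password: the concatenated query returns the user's row because the injected `or` rewrites the WHERE clause, while the placeholder query returns nothing because the quote characters stay inside the bound value.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the slides): one user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('dpc', 'correct-horse')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the same string concatenation as the PHP on the slide.
    User input becomes part of the SQL text, so a quote in it changes the query."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Hardened: placeholders keep the query text fixed; the driver passes the
    values separately, so a quote inside the username is only data."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "dpc' or 'a'='a"  # the username from slide 4
    # The concatenated query becomes:
    #   ... WHERE username = 'dpc' or 'a'='a' AND password = 'wrong'
    # AND binds tighter than OR, so username = 'dpc' alone satisfies it.
    print("concat:", login_concat(db, payload, "wrong"))
    print("param :", login_param(db, payload, "wrong"))
    print("legit :", login_param(db, "dpc", "correct-horse"))
```

The same split applies to `mysql_real_escape_string()` from slide 20: escaping is an output-side fix bolted onto string building, whereas placeholders (or stored procedures with typed parameters) remove the string building entirely.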
  5. ...in action: http://xkcd.com/327/
  6. Cross-Site Scripting
     - User input re-displayed in browser and interpreted as HTML or ... JavaScript
     - My name is Damon"><script>alert('hi')</script>
     - Why is this bad?
       - Phishing
       - Cookie stealing
       - Arbitrary JavaScript execution...
  7. Real-World Dangers
     - We live in an interactive web
  8. Web 2.0 Frameworks
     - As of Django 1.0 (Sep 2008), HTML is auto-escaped
     - Does Rails? No
     - Does Google App Engine? No
     - Does ASP.NET? On built-in controls
       - Also has built-in request validation
  9. CSRF
     - Browsing circa 1998
       - One window. One site.
     - Browsing circa 2009
  10. CSRF++
     - Daily browsing: authenticated to many sites at once
       - GET style attacks
         - <img src="http://x.com/message/123/delete"/>
           - Cookies sent with this request
     - POST style attacks
       - Generally combined with JavaScript
       - Due to lack of form tokens
  11. CSRF GET
     - An action that modifies data called via HTTP GET (against HTTP specs).
     - <img src="http://x.com/message/123/delete"/> <img src="http://x.com/message/124/delete"/> <img src="http://x.com/message/125/delete"/> <img src="http://x.com/message/126/delete"/> <img src="http://x.com/message/.../delete"/>
     - No tokens? Logged in? Valid message id?
     - "Pwned"
     - POST requests not the solution
  12. CSRF POST
     - Only difference: JavaScript required to automate attack.
     - <form name="csrf" action="http://x.com/delete.php" method="POST"> <input type="hidden" name="id" value="123"> </form> <script>document.csrf.submit()</script>
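The two fixes slides 10 to 12 point at (no state changes over GET, and a form token the attacker's page cannot supply), as an added server-side example in Python rather than the talk's HTML. The `delete_message` handler, the `messages` store keyed by owning session, and the HMAC-derived per-session token are all constructed for this demo. The GET `<img>` request from slide 11 fails on the method check alone; the auto-submitted POST from slide 12 carries the victim's cookie but not the token, so it fails the token check.

```python
import hashlib
import hmac
import secrets

# Server-side secret used to derive tokens; generated per process (constructed for the demo).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Per-session token. It is derived with HMAC on the server, embedded in our own
    forms, and never readable by a page on another origin."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def delete_message(method, session_id, form, messages):
    """Handle a request to delete a message; returns an HTTP-style status code.

    messages maps message id -> owning session id and is mutated only on success.
    session_id is what the cookie identifies, or None when no cookie was sent.
    """
    # Slide 11: data-modifying actions must not be reachable via GET, so an <img>
    # tag can never trigger them, whatever cookies the browser attaches.
    if method != "POST":
        return 405
    if session_id is None:
        return 401
    # Slides 10 and 12: a cross-site POST carries the cookie but cannot carry a valid
    # token, because the attacking page cannot read our pages or responses.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403
    mid = form.get("id")
    if messages.get(mid) != session_id:
        return 404  # unknown id, or a message owned by someone else
    del messages[mid]
    return 200


if __name__ == "__main__":
    msgs = {"123": "sess-victim"}
    # Slide 11: <img src="http://x.com/message/123/delete"/>
    print("img GET      :", delete_message("GET", "sess-victim", {"id": "123"}, msgs))
    # Slide 12: hidden form posting id=123, cookie attached, no token
    print("forged POST  :", delete_message("POST", "sess-victim", {"id": "123"}, msgs))
    # Our own form, which embedded the session's token
    own = {"id": "123", "csrf_token": csrf_token("sess-victim")}
    print("legit POST   :", delete_message("POST", "sess-victim", own, msgs), msgs)
```

`hmac.compare_digest` is used for the token comparison so that a mismatch takes the same time regardless of where the first differing byte is. Switching the endpoint from GET to POST without the token check is exactly the "POST requests not the solution" point on slide 11.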
  13. CSRF Example
  14. Information Disclosure
     - Twitter.com
     - Any site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords
  15. Retrieve Username
     - $.getJSON("http://twitter.com/statuses/user_timeline?count=1&callback=?", function(data) { alert("Username is: " + data[0].user.screen_name) });
     - Response: {"text":"Pretty sure humans have kneecaps so we can slam them into tables. *ow*","truncated":false,"user":{"following":null,"time_zone":"Pacific Time (US & Canada)","description":"Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http://tweetstats.com and http://ratemytalk.com).","screen_name":"dacort","utc_offset":-28800,"profile_sidebar_border_color":"87bc44","notifications":null,"created_at":"Thu Dec 21 07:14:05 +0000 2006","profile_text_color":"000000","url":"http://dcortesi.com","name":"Damon Cortesi","statuses_count":21385,"profile_background_image_url":"http://static.twitter.com/images/themes/theme1/bg.gif","followers_count":4441,"protected":false,"profile_link_color":"A100FF","profile_background_tile":false,"friends_count":1775,"profile_background_color":"000000","verified":false,"favourites_count":202,"profile_image_url":"http://s3.amazonaws.com/twitter_production/profile_images/90802743/Famous_Glasses_normal.jpg","location":"Seattle, WA","id":99723,"profile_sidebar_fill_color":"e0ff92"},"in_reply_to_status_id":null,"created_at":"Mon Jul 27 21:37:53 +0000 2009","in_reply_to_user_id":null,"favorited":false,"in_reply_to_screen_name":null,"id":2877957719,"source":"<a href=\"http://www.atebits.com/\">Tweetie</a>"}
  16. Courtesy of @harper
  17. Protected Users
     - If your app displays tweets
       - Does it respect the protected status?
       - Can change at any time
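Why the `callback=?` request on slide 15 leaks the logged-in username, and what a server can do about it, as an added example in Python (not Twitter's code). A JSONP response is loaded with a `<script>` tag, which any origin can embed and which the browser sends cookies with, so an endpoint that combines cookie-based identity with a JSONP wrapper hands the caller's identity to every site they visit. The hardened handler refuses to use the cookie whenever a callback is requested and serves JSONP only for an explicitly named public account, which also covers slide 17: the `protected` flag is looked up at request time rather than cached. The `TIMELINES`, `USERS` and `SESSIONS` tables and the status-code return convention are constructed for the demo.

```python
import json
import re

# Constructed sample data (not the slide's real response).
USERS = {
    "dacort": {"protected": False},
    "alice": {"protected": True},
}
TIMELINES = {
    "dacort": [{"text": "hello from dacort", "user": {"screen_name": "dacort"}}],
    "alice": [{"text": "alice's private tweet", "user": {"screen_name": "alice"}}],
}
SESSIONS = {"cookie-abc": "dacort"}  # session cookie value -> logged-in user

# A callback must be a plain JavaScript identifier so the wrapper cannot be abused.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def user_timeline_vulnerable(params, cookies):
    """Mirrors the behaviour exploited on slide 15: identity from the cookie,
    response wrapped in the caller-chosen callback. Returns (status, body)."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401, ""
    body = json.dumps(TIMELINES[user])
    cb = params.get("callback")
    return (200, cb + "(" + body + ")") if cb else (200, body)


def user_timeline_hardened(params, cookies):
    """Never combine cookie identity with JSONP: a callback request must name a
    public account, and the protected flag is read live on every call."""
    cb = params.get("callback")
    if cb:
        screen_name = params.get("screen_name")
        if not screen_name or not CALLBACK_RE.match(cb):
            return 400, ""
        user = USERS.get(screen_name)
        if user is None or user["protected"]:
            return 404, ""  # protected timelines only via authenticated, non-JSONP requests
        return 200, cb + "(" + json.dumps(TIMELINES[screen_name]) + ")"
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401, ""
    return 200, json.dumps(TIMELINES[user])


if __name__ == "__main__":
    # What a third-party page gets: the victim's browser attaches the session cookie.
    third_party = {"callback": "jsonp123", "count": "1"}
    print("vulnerable:", user_timeline_vulnerable(third_party, {"session": "cookie-abc"}))
    print("hardened  :", user_timeline_hardened(third_party, {"session": "cookie-abc"}))
    print("public    :", user_timeline_hardened({"callback": "jsonp123", "screen_name": "dacort"}, {}))
    print("protected :", user_timeline_hardened({"callback": "jsonp123", "screen_name": "alice"}, {}))
```

The same reasoning applies to any "who am I" style resource: if it is reachable as a script and authenticated by cookie, it is readable cross-origin. Authenticated data belongs on a plain JSON endpoint that a third-party page can trigger but not read.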
  18. Let's have some fun...
     - Demo time!
  19. Mitigation
     - "Increase your security by 80%, by fixing 20% of the problems."
     - Input Sanitization and Validation
     - Data Encoding and Escaping
  20. Sanitization/Encoding
     - SQL: mysql_real_escape_string()
       - Stored Procedures/Frameworks
     - HTML/XSS: htmlentities(), innerText
       - "<b>Damon</b>" >> "&lt;b&gt;Damon&lt;/b&gt;"
     - Beware encoding
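Output encoding for the XSS payload from slide 6 and the `htmlentities()` transformation from slide 20, as an added example using Python's `html.escape` in place of the PHP function (not code from the talk). The `render_name_*` functions and the `display` input field are constructed for the demo. The escaped renderer encodes the quote that the payload relies on to break out of the attribute, so the `<script>` tag arrives in the page as literal text; the last function shows the "beware encoding" problem, where encoding an already encoded value turns `&lt;` into `&amp;lt;` and the user sees entity soup instead of their name.

```python
import html

# Constructed inputs; XSS_NAME is the payload shown on slide 6.
XSS_NAME = 'Damon"><script>alert(\'hi\')</script>'
BOLD_NAME = "<b>Damon</b>"


def render_name_unsafe(name):
    """Echoes user input straight into an attribute value: the bug from slide 6.
    The payload's leading quote closes the attribute and its tag becomes markup."""
    return '<input name="display" value="' + name + '">'


def render_name_escaped(name):
    """Encodes once, at output time, for the HTML attribute context.
    quote=True also encodes " and ', which is what keeps the attribute closed."""
    return '<input name="display" value="' + html.escape(name, quote=True) + '">'


def encode_for_html_text(s):
    """Element-text encoding, the '<b>Damon</b> >> &lt;b&gt;Damon&lt;/b&gt;' case on slide 20."""
    return html.escape(s, quote=False)


def double_encoded(s):
    """The 'beware encoding' failure: encoding an already encoded string.
    '&' is encoded again, so '&lt;' becomes '&amp;lt;' and renders as a literal '&lt;'."""
    return encode_for_html_text(encode_for_html_text(s))


if __name__ == "__main__":
    print("unsafe :", render_name_unsafe(XSS_NAME))
    print("escaped:", render_name_escaped(XSS_NAME))
    print("text   :", encode_for_html_text(BOLD_NAME))
    print("double :", double_encoded(BOLD_NAME))
```

Encode exactly once, and at the point where the value enters a document, because the right encoding depends on the context (HTML text, attribute value, JavaScript string) rather than on the input. That is what the framework auto-escaping on slide 8 does for you; where it is absent, the `htmlentities()` call has to sit in every template that prints user data.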
  21. Also Watch out for...
  24. Help your users
  26. Some other things...
     - Keeping systems/software up-to-date
       - Rails < 2.1.1? -- SQL Injection bug
         - JumpBox (Server Provisioning) uses Rails 2.1.0
     - Infrastructure Security
       - Do you know your external network presence?
       - Have all your default passwords been changed?
  27. One last thing
     - Not always some über-technical buffer overflow sploit...
     - Access database on unprotected share
     - demo/demo password
     - Email on confirmation page
     - Are people thinking securely?
  28. Oh, Shorteners...
  29. Third Parties
     - TwitPic Integration from client apps
     - Is your password only local to the client app?
       - Nope. Not if you "twitpic" something.
     - You're only as secure as the apps that you (or your friends) use.
  30. Sorry Twitter
