Web security


  1. Web Security
     By David Haskins
  2. Hashing and Encryption
     • Types of hashes:
       – md5 (generally considered compromised)
       – SHA-1, SHA-2, SHA-3
       – LANMAN (definitely compromised)
  3. Hashing and Encryption
     • md5 hash of "hello Memphis PHP meetup group!":
       – a52cc137d1f59dc9265c59751cd3e624
     • md5 hash of "1":
       – c4ca4238a0b923820dcc509a6f75849b
     • md5 hash of "10":
       – d3d9446802a44259755d38e6d163e820
  4. Hashing and Encryption
     Properties of hashes:
     – can be used to identify changes to data.
     – are considered one-way:
         md5("my_string_here");                        // exists
         unmd5("535f8bd2e548ffed92027c53d5a24b56");    // doesn't exist
  5. Hashing and Encryption
     Encryption is reversible. Encryption requires a key to decrypt.
     Symmetric versus asymmetric key cryptography.
     Symmetric would work like:
         $key = 'secret';                          // the same key encrypts and decrypts
         $msg = encrypt("hidden message", $key);
         echo decrypt($msg, $key);
  6. Hashing and Encryption
     The problem: how do you get the key to someone over the internet without some 12-year-old hacker reading it?
  7. Hashing and Encryption
     Asymmetric would work like:
         $encrypt_key = 'key_123';                 // one key of the pair encrypts
         $decrypt_key = 'key_456';                 // the other key decrypts
         $msg = encrypt("hidden message", $encrypt_key);
         echo decrypt($msg, $decrypt_key);
  8. Hashing and Encryption
     Asymmetric, continued. The point to remember is that this will produce gibberish:
         echo decrypt($msg, $encrypt_key);
  9. Hashing and Encryption
     In public key cryptography, there exist two keys:
     - a public key
     - a private key
     One is used for encryption, the other is used for decryption.
     The whole reason this stuff works is because I can encrypt a message with a public key, but it can only be decrypted with the private key.
  10. Hashing and Encryption
      Small problem: asymmetric cryptography is slow.
  11. Hashing and Encryption
      Solution to the small problem: use asymmetric cryptography to share a symmetric key, then use symmetric cryptography.
  12. HTTPS (slides 12–16 build up this exchange between the User and the Amazon server one step at a time)
      User -> Amazon: send connection request on port 443.
      Amazon -> User: send public key.
      User -> Amazon: the browser generates a symmetric key, encrypts it with Amazon's public key and sends it to Amazon.
      Amazon -> User: Amazon decrypts the symmetric key with Amazon's private key and sends the response encrypted with the symmetric key.
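The exchange of slides 7 to 16 in runnable form. This is an added Python example, not code from the slides or from any real TLS implementation: a toy textbook RSA key pair (two small primes, no padding, constructed for illustration) plays the asymmetric half, and XOR against a SHA-256 keystream (a constructed stand-in for a real symmetric cipher) plays the symmetric half.

```python
import hashlib
import secrets

# Toy asymmetric half: textbook RSA with two small primes. Constructed for this
# example only; real RSA uses 2048-bit keys and padding.
def rsa_keypair():
    p, q = 1000003, 1000033
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (e, n), (d, n)        # (public key, private key)

def rsa_apply(key, value):
    exponent, n = key
    return pow(value, exponent, n)

# Toy symmetric half: XOR against a SHA-256 keystream (constructed stand-in for AES).
def keystream(sym_key, length):
    out, counter = b"", 0
    while len(out) < length:
        block = sym_key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]

def sym_crypt(sym_key, data):
    # XOR is its own inverse: the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(sym_key, len(data))))

# The HTTPS exchange of slides 12-16.
def client_hello(server_public):
    # Browser: pick a fresh symmetric key, wrap it with the server's public key.
    sym_key = secrets.randbelow(server_public[1] - 2) + 2
    return sym_key, rsa_apply(server_public, sym_key)

def server_accept(server_private, wrapped_key, response):
    # Server: unwrap with the private key, then answer under the symmetric key.
    sym_key = rsa_apply(server_private, wrapped_key)
    return sym_crypt(sym_key, response)

def run_exchange(response=b"Order #42 shipped"):
    public, private = rsa_keypair()
    sym_key, wrapped = client_hello(public)
    ciphertext = server_accept(private, wrapped, response)
    # Slide 8: applying the public key again instead of the private key gives gibberish,
    # so whoever only saw the public key cannot recover the symmetric key.
    gibberish = rsa_apply(public, wrapped)
    return {"client_plaintext": sym_crypt(sym_key, ciphertext),
            "eavesdropper_has_key": gibberish == sym_key}
```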
  17. Hashes and Salting
      Remember hashes? They work like one-way encryption.
          $string = 1;
          echo md5($string);    // outputs c4ca4238a0b923820dcc509a6f75849b
  18. Hashes and Salting
      We can use this for validating passwords.
  19. Hashes and Salting
      The plain-text problem:
          $password = $_POST['password'];
          $user = $_POST['user'];
          $query = "select id from user where password = '$password' and userName = '$user'";

          ID  UserName   Password
          1   cypherTXT  l3m0ns
          2   fred       password123
          3   david_TN   m3mph!$
          4   sallyW     omgPonies!
          5   agent_007  1337h4x0r
  20. Hashes and Salting
      Store the hash of the password instead of the plain-text:
          $password = md5($_POST['password']);
          $user = $_POST['user'];
          $query = "select id from user where password = '$password' and userName = '$user'";

          ID  UserName   Password
          1   cypherTXT  cf5712b00855500691cff0e4b0566c68
          2   fred       482c811da5d5b4bc6d497ffa98491e38
          3   david_TN   f145a55e591e1c6ed235ce456a5166f7
          4   sallyW     e2c29e21e004f9e71ef9db780884ede1
          5   agent_007  81d3ebd158986fbdd6bd47177312c026
  21. Hashes and Salting
      Rainbow tables:
          plain text          hash
          a                   0cc175b9c0f1b6a831c399e269772661
          b                   92eb5ffee6ae2fec3ad71c777531578f
          c                   4a8a08f09d37b73795649038408b5f33
          …                   …
          aa                  4124bc0a9335c27f086f24ba207a4912
          ab                  187ef4436122d1cc2f40dc2b92f0eba0
          ac                  e2075474294983e013ee4dd2201c7a73
          …                   …
          zzzzzzzzzzzzzzzzzz  0d057201bcd27c92eaa9efc6a9ce08f0
  23. Hashes and Salting
      Place a "salt" in the code.
          $salt = 's3kr3t';
          $password = md5($_POST['password'] . $salt);
      If the user uses "password123", his password becomes "password123s3kr3t", which is much more complex.
          $query = "select id from user where password = '$password' and user = '$user'";
  24. Hashes and Salting
      Store the hash of the password and a unique salt:
          $password = md5($_POST['password'] . $salt);
          $user = $_POST['user'];
          $query = "select id from user where password = '$password' and userName = '$user'";

          ID  UserName   Password                          Salt
          1   cypherTXT  cf5712b00855500691cff0e4b0566c68  bawex
          2   fred       482c811da5d5b4bc6d497ffa98491e38  msefz
          3   david_TN   f145a55e591e1c6ed235ce456a5166f7  juftv
          4   sallyW     e2c29e21e004f9e71ef9db780884ede1  irqhj
          5   agent_007  81d3ebd158986fbdd6bd47177312c026  coowo
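Slides 19 to 24 as an added Python example (not code from the slides): an unsalted md5 hash is recovered with one lookup in a precomputed table, a per-user salt makes that shared table miss, and, going beyond the slides, a random salt plus a deliberately slow KDF (PBKDF2 from the standard library) with a constant-time comparison is what a login check should use today. The common-password list and the user records are constructed here.

```python
import hashlib
import hmac
import os

# Constructed list of passwords an attacker would precompute (the rainbow table of
# slide 21, reduced to a dictionary): hash -> plain text, computed once, reused forever.
COMMON_PASSWORDS = ["password123", "l3m0ns", "omgPonies!", "1337h4x0r", "letmein"]
PRECOMPUTED = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def unsalted_md5(password):
    # Slide 20: every user with "password123" stores the same hash.
    return hashlib.md5(password.encode()).hexdigest()

def salted_md5(password, salt):
    # Slides 23/24: the salt is appended before hashing, as in md5($_POST['password'] . $salt).
    return hashlib.md5((password + salt).encode()).hexdigest()

def crack_with_table(stored_hash):
    # One dictionary lookup recovers an unsalted hash; None when the table misses.
    return PRECOMPUTED.get(stored_hash)

def make_record(password, iterations=100_000):
    # Beyond the slides: a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256)
    # instead of a single md5, so each guess costs the attacker real CPU time.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(record, candidate):
    # Recompute with the stored salt and compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```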
  25. SQL injection
  26. SQL injection
          $password = $_POST['password'];
          $id = $_SESSION['id'];
          $query = "update user set password = '$password' where id = $id";
  27. SQL injection
          // assume $password = 'secret_password';
          // assume $id = 7;
          $query = "update user set password = '$password' where id = $id";
      Sent to the database:
          update user set password = 'secret_password' where id = 7
  28. SQL injection
          // assume $password = "secret_password'--";
          // assume $id = 7;
          $query = "update user set password = '$password' where id = $id";
      Sent to the database:
          update user set password = 'secret_password'--' where id = 7
      Everything after -- is an SQL comment, so the where clause is gone and the update applies to every row.
  29. SQL injection
          // wrong solution: escape the quote by hand
          $password = str_replace("'", "\\'", $password);
          $query = "update user set password = '$password' where id = $id";
      Depending on web server encoding and database encoding, you may still be vulnerable.
  30. SQL injection
          // correct solution: use prepared statements
          $query = "update user set password = ? where id = ?";
          $stmt = $dbh->prepare($query);
          $stmt->bindParam(1, $password);
          $stmt->bindParam(2, $id);
          $stmt->execute();
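Slides 26 to 30 side by side, as an added Python example that is not code from the slides: the string-built update from slide 26 and the placeholder version from slide 30, run against a constructed in-memory SQLite copy of the user table (Python's sqlite3 `?` placeholders are the counterpart of PDO's prepare/bindParam). The row counts show what the `'--` input of slide 28 does to each.

```python
import sqlite3

def make_db():
    # Constructed copy of the user table from slide 19 (ids 1, 2 and 7).
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, userName text, password text)")
    conn.executemany("insert into users values (?, ?, ?)",
                     [(1, "cypherTXT", "h1"), (2, "fred", "h2"), (7, "david_TN", "h7")])
    conn.commit()
    return conn

def update_password_unsafe(conn, user_id, password):
    # Slide 26 pattern: the value is pasted into the SQL text, so the text of the
    # password can change the statement. Returns how many rows were changed.
    query = f"update users set password = '{password}' where id = {user_id}"
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount

def update_password_safe(conn, user_id, password):
    # Slide 30 pattern: '?' placeholders; the driver sends values separately from
    # the statement, so a quote or '--' in the password is just data.
    cur = conn.execute("update users set password = ? where id = ?", (password, user_id))
    conn.commit()
    return cur.rowcount

def passwords(conn):
    # Snapshot of the table: id -> stored password value.
    return dict(conn.execute("select id, password from users order by id").fetchall())
```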
  31. Command injection
          function safe_query($query) {
              $database    = "ABC_DB";
              $username    = 'IDEF42';
              $password    = 'JKLM873';
              $destination = "localhost";
              // connect (the old mysql_* extension, as on the slide)
              mysql_connect($destination, $username, $password)
                  or die("Unable to connect to database: " . mysql_error());
              // choose database
              mysql_select_db($database)
                  or die("Unable to select database [$database]: " . mysql_error());
              // submit query
              $result = mysql_query($query)
                  or die("Unable to modify database [$database]: " . mysql_error());
              return $result;
          }
  32. Command injection
          function safe_query($query) {
              // new line: log every query by passing it through the shell
              shell_exec("echo $query >> record_queries.txt");
              // ... rest of the function exactly as on slide 31 ...
              return $result;
          }
  33. Command injection
      Assume $query:
          select * from article where id = 7; cp /backup/*.tgz .;
          function safe_query($query) {
              shell_exec("echo $query >> record_queries.txt");
              // ...blah, blah, blah...
              return $result;
          }
  35. Command injection
      Another interesting option. Assume $query:
          select * from article where id = 7; rm -rf /;
          function safe_query($query) {
              shell_exec("echo $query >> record_queries.txt");
              // ...blah, blah, blah...
              return $result;
          }
  36. Command injection
      Solution to preventing command injection:
  37. Command injection
      Solution to preventing command injection:
      DON'T ALLOW SHELL ACCESS IN YOUR CODE
      DON'T ALLOW SHELL ACCESS IN YOUR CODE
      DON'T ALLOW SHELL ACCESS IN YOUR CODE
      DON'T ALLOW SHELL ACCESS IN YOUR CODE
      DON'T ALLOW SHELL ACCESS IN YOUR CODE
      DON'T ALLOW SHELL ACCESS IN YOUR CODE
  38. Command injection
      If you're going to do it anyway, use escapeshellcmd().
          $code_that_will_get_me_fired = escapeshellcmd($query);
          shell_exec("echo $code_that_will_get_me_fired >> record_queries.txt");
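The logging that safe_query() wanted, done the way slides 37 and 38 recommend. This is an added Python example, not code from the slides: the query string from slide 33 is appended to the record file with no shell involved, an argv-list subprocess is shown for the case where a child process really is needed, and shlex.quote (Python's counterpart to escaping a single shell argument) is shown for the case where a shell really is used. The query and the file path are constructed.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed input from slide 33: a query string that also carries a shell command.
MALICIOUS_QUERY = "select * from article where id = 7; cp /backup/*.tgz .;"

def shell_command_as_written(query):
    # The string slide 32's shell_exec() hands to /bin/sh: the ';' ends the echo and
    # starts a second command. Built here for inspection only; never executed.
    return f"echo {query} >> record_queries.txt"

def shell_command_quoted(query):
    # If a shell must be used, quote the argument so the shell sees it as one word.
    return f"echo {shlex.quote(query)} >> record_queries.txt"

def record_query(path, query):
    # Slide 37's advice in practice: no shell at all. A plain file append gives the
    # same log, and ';' is just a character. Returns the log lines for inspection.
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(query + "\n")
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()

def echo_without_shell(query):
    # Even when a child process is needed, pass an argv list: no shell parses the
    # string, so ';' and '*' arrive in a single argument, unchanged.
    done = subprocess.run(["echo", query], capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        lines = record_query(os.path.join(tmp, "record_queries.txt"), MALICIOUS_QUERY)
    return lines, echo_without_shell(MALICIOUS_QUERY)
```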
  39. File upload attack
      Users can upload images (.jpg, .gif, .bmp, etc.).
  40. File upload attack
      Make sure users can't upload .php, .pl, .asp, etc. files.
      Use a whitelist, rather than a blacklist, to enforce this control.
      The upload directory shouldn't have any execute permissions.
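The whitelist check from slide 40 as an added Python example (not code from the slides): the extension must be on the allow-list, and, going beyond the slide, the file's first bytes must match the image type the extension claims, and the stored name is generated server-side rather than taken from the user. The sample uploads are constructed.

```python
import os
import secrets

# Whitelist (slide 40): allowed extension -> file signatures the content must start with.
# Anything not listed is rejected; there is no blacklist of .php/.pl/.asp to keep current.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

def check_upload(original_name, content):
    # Returns (accepted, reason or the name to store the file under).
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} is not whitelisted"
    # The extension alone is not enough: the bytes must start like the claimed image
    # type, which also catches a renamed script such as script.php.jpg.
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return False, f"content does not match the {ext} signature"
    # Beyond the slide: store under a server-generated name, never the user's own.
    return True, secrets.token_hex(8) + ext

# Constructed sample uploads (name -> first bytes of the content).
SAMPLES = {
    "cat.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "logo.GIF": b"GIF89a\x01\x00\x01\x00",
    "diagram.bmp": b"BM\x36\x00\x00\x00",
    "script.php": b"<?php echo 'hi'; ?>",
    "script.php.jpg": b"<?php echo 'hi'; ?>",
    "noext": b"\xff\xd8\xff\xe0",
}

def scan_samples():
    # name -> accepted or not, for every constructed sample.
    return {name: check_upload(name, data)[0] for name, data in SAMPLES.items()}
```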
