DC
Uploaded byDamon Cortesi
1,468 views

Building Secure Twitter Apps

The document discusses common web application security issues such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF), highlighting how these vulnerabilities can be exploited. It emphasizes the importance of input sanitization, data encoding, and system updates to mitigate risks. The text also notes specific challenges related to social media APIs, particularly in the context of protecting user data and privacy.

Embed presentation

Web App Security and Twitter and Twitter Damon P. Cortesi Alchemy Security, LLC TweetStats | TweepSearch | TweetSum
@dacort
Common Issues SQL Injection Cross-Site Scripting Cross-Site Request Forgery Information Disclosure Development/Staging sites available
SQL Injection $sql = “SELECT * FROM users WHERE username = ‘“ . $_POST[‘username’] . “‘ AND password = ‘“ . $_POST[‘password’] . “‘“; What if username is: “dpc’ or ‘a’=’a” ? ... username = ‘ dpc’ or ‘a’=’a ‘ ... SQL Server 2000 && xp_cmdshell
...in action http://xkcd.com/327/
Cross-Site Scripting User input re-displayed in browser and interpreted as HTML or ... JavaScript My name is Damon”><script>alert(‘hi’)</script> Why is this bad? Phishing Cookie stealing Arbitrary JavaScript execution...
Real-World Dangers We live in an interactive web
Web 2.0 Frameworks As of Django 1.0 (Sep 2008), HTML is auto-escaped Does Rails? -------------------------- No Does Google App Engine? -------- No Does ASP.NET ---------------------- On built-in controls Also has built-in request validation
CSRF Browsing circa 1998 One window. One site. Browsing circa 2009
CSRF++ Daily browsing - authenticated to many sites at once GET style attacks <img src=” http://x.com/message/123/delete ”/> Cookies sent with this request POST style attacks Generally combined with JavaScript Due to lack of form tokens
CSRF GET An action that modifies data called via HTTP GET (against HTTP specs). <img src=” http://x.com/message/123/delete ”/> <img src=” http://x.com/message/124/delete ”/> <img src=” http://x.com/message/125/delete ”/> <img src=” http://x.com/message/126/delete ”/> <img src=” http://x.com/message/.../delete ”/> No tokens? Logged in? Valid message id? “ Pwned” POST requests not the solution
CSRF POST Only difference: JavaScript required to automate attack. <form name=”csrf” action=” http://x.com/delete.php ” method=”POST”> <input type=”hidden” name=”id” value=”123”> </form> <script>document.csrf.submit()</script>
CSRF Example
Information Disclosure Twitter.com Any site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords
Retrieve Username $.getJSON(&quot; http://twitter.com /statuses/user_timeline?count=1&callback=? &quot;, function(data) { alert(&quot;Username is: &quot; + data[0].user.screen_name ) }); {&quot;text&quot;:&quot;Pretty sure humans have kneecaps so we can slam them into tables. *ow*&quot;,&quot;truncated&quot;:false, &quot;user&quot; :{&quot;following&quot;:null,&quot;time_zone&quot;:&quot;Pacific Time (US & Canada)&quot;,&quot;description&quot;:&quot;Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http:\/\/tweetstats.com and http:\/\/ratemytalk.com).&quot;, &quot;screen_name&quot;:&quot;dacort&quot; ,&quot;utc_offset&quot;:-28800,&quot;profile_sidebar_border_color&quot;:&quot;87bc44&quot;,&quot;notifications&quot;:null,&quot;created_at&quot;:&quot;Thu Dec 21 07:14:05 +0000 2006&quot;,&quot;profile_text_color&quot;:&quot;000000&quot;,&quot;url&quot;:&quot;http:\/\/dcortesi.com&quot;,&quot;name&quot;:&quot;Damon Cortesi&quot;,&quot;statuses_count&quot;:21385,&quot;profile_background_image_url&quot;:&quot;http:\/\/static.twitter.com\/images\/themes\/theme1\/bg.gif&quot;,&quot;followers_count&quot;:4441,&quot;protected&quot;:false,&quot;profile_link_color&quot;:&quot;A100FF&quot;,&quot;profile_background_tile&quot;:false,&quot;friends_count&quot;:1775,&quot;profile_background_color&quot;:&quot;000000&quot;,&quot;verified&quot;:false,&quot;favourites_count&quot;:202,&quot;profile_image_url&quot;:&quot;http:\/\/s3.amazonaws.com\/twitter_production\/profile_images\/90802743\/Famous_Glasses_normal.jpg&quot;,&quot;location&quot;:&quot;Seattle, WA&quot;,&quot;id&quot;:99723,&quot;profile_sidebar_fill_color&quot;:&quot;e0ff92&quot;},&quot;in_reply_to_status_id&quot;:null,&quot;created_at&quot;:&quot;Mon Jul 27 21:37:53 +0000 2009&quot;,&quot;in_reply_to_user_id&quot;:null,&quot;favorited&quot;:false,&quot;in_reply_to_screen_name&quot;:null,&quot;id&quot;:2877957719,&quot;source&quot;:&quot;<a href=\&quot;http:\/\/ www.atebits.com \/\&quot;>Tweetie<\/a>&quot;}
Courtesy of @harper
Protected Users If your app displays tweets Does it respected the protected status Can change at any time
Let’s have some fun... Demo time!
Mitigation “Increase your security by 80%, by fixing 20% of the problems.” Input Sanitization and Validation Data Encoding and Escaping
Sanitization/Encoding SQL: mysql_real_escape_string() Stored Procedures/Frameowkrs HTML/XSS: htmlentities(), innerText “<b>Damon</b> >> &quot;&lt;b&gt;Damon&lt;/b&gt; Beware encoding
Also Watch out for...
 
 
Help your users
 
Some other things... Keeping systems/software up-to-date Rails < 2.1.1? -- SQL Injection bug JumpBox (Server Provisioning) uses Rails 2.1.0 Infrastructure Security Do you know your external network presence? Have all your default passwords been changed?
One last thing Not always some über-technical buffer overflow sploit... Access database on unprotected share demo/demo password Email on confirmation page Are people thinking securely?
Oh, Shorteners...
Third Parties TwitPic Integration from client apps Is your password only local to the client app? Nope. Not if you “twitpic” something. You’re only as secure as the apps that you (or your friends) use.
Sorry Twitter

More Related Content

KEY
Page Caching Resurrected
byBen Scofield
 
PPTX
YQL talk at OHD Jakarta
byMichael Smith Jr.
 
PDF
Secure Coding With Wordpress (BarCamp Orlando 2009)
byMark Jaquith
 
PPT
PHPUG Presentation
byDamon Cortesi
 
PDF
User Experience is dead. Long live the user experience!
byGreg Bell
 
PDF
Front End on Rails
byJustin Halsall
 
PDF
Make Everyone a Tester: Natural Language Acceptance Testing
byViget Labs
 
PDF
Flickr Open Api Mashup
byJinho Jung
 
Page Caching Resurrected
byBen Scofield
 
YQL talk at OHD Jakarta
byMichael Smith Jr.
 
Secure Coding With Wordpress (BarCamp Orlando 2009)
byMark Jaquith
 
PHPUG Presentation
byDamon Cortesi
 
User Experience is dead. Long live the user experience!
byGreg Bell
 
Front End on Rails
byJustin Halsall
 
Make Everyone a Tester: Natural Language Acceptance Testing
byViget Labs
 
Flickr Open Api Mashup
byJinho Jung
 

What's hot

PPT
ARTDM 170, Week 16: Publishing
byGilbert Guerrero
 
PPT
WordPress Development Confoo 2010
byBrendan Sera-Shriar
 
ODP
Optimizing Drupal for Mobile Devices
bySugree Phatanapherom
 
PPT
What's new in Rails 2?
bybrynary
 
ODP
Zend Form Tutorial
byMichelangelo van Dam
 
ODP
SlideShare Instant
bySaket Choudhary
 
PPT
SlideShare Instant
bySaket Choudhary
 
PPT
Php 3 1
byDigital Insights - Digital Marketing Agency
 
PDF
Integrating WordPress With Web APIs
byrandyhoyt
 
PPT
Changing Template Engine
byTakatsugu Shigeta
 
PPT
Evolution of API With Blogging
byTakatsugu Shigeta
 
PPT
Advanced and Hidden WordPress APIs
byandrewnacin
 
PPT
Advanced SEO for Web Developers
byNathan Buggia
 
PPT
Lecture 6 - Comm Lab: Web @ ITP
byyucefmerhi
 
KEY
Web Typography with sIFR 3 at Drupalcamp Copenhagen
byMark Wubben
 
PDF
Findability Bliss Through Web Standards
byAarron Walter
 
PPT
Microformats at Web 2.0 Expo April 2007
byJohn Allsopp
 
ZIP
Ajax On S2 Odp
byghessler
 
ODP
IBM Lotus Notes Domino XPages and XPages for Mobile
byChris Toohey
 
PDF
Bringing Typography to the Web with sIFR 3 at <head>
byMark Wubben
 
ARTDM 170, Week 16: Publishing
byGilbert Guerrero
 
WordPress Development Confoo 2010
byBrendan Sera-Shriar
 
Optimizing Drupal for Mobile Devices
bySugree Phatanapherom
 
What's new in Rails 2?
bybrynary
 
Zend Form Tutorial
byMichelangelo van Dam
 
SlideShare Instant
bySaket Choudhary
 
SlideShare Instant
bySaket Choudhary
 
Php 3 1
byDigital Insights - Digital Marketing Agency
 
Integrating WordPress With Web APIs
byrandyhoyt
 
Changing Template Engine
byTakatsugu Shigeta
 
Evolution of API With Blogging
byTakatsugu Shigeta
 
Advanced and Hidden WordPress APIs
byandrewnacin
 
Advanced SEO for Web Developers
byNathan Buggia
 
Lecture 6 - Comm Lab: Web @ ITP
byyucefmerhi
 
Web Typography with sIFR 3 at Drupalcamp Copenhagen
byMark Wubben
 
Findability Bliss Through Web Standards
byAarron Walter
 
Microformats at Web 2.0 Expo April 2007
byJohn Allsopp
 
Ajax On S2 Odp
byghessler
 
IBM Lotus Notes Domino XPages and XPages for Mobile
byChris Toohey
 
Bringing Typography to the Web with sIFR 3 at <head>
byMark Wubben
 

Viewers also liked

PDF
Building Lanyrd
bySimon Willison
 
PDF
MongoDB ClickStream and Visualization
byCameron Sim
 
PDF
Evoking & Creating wisdom
byCP Yen Foundation 朝邦文教基金會
 
PPT
Ognjen Divljak Web Portali i E-Poslovanje
byOgnjen Divljak
 
PPTX
朝邦基金會 對話力課程及引導服務 2013
byCP Yen Foundation 朝邦文教基金會
 
PDF
Survey Results - Welfare Benefits
byMark
 
PPT
The Frog Frenzy
bylfenn
 
PPT
Marks Trip To Ground Zero And Valley Forge Presentation
byguest3413db
 
PPT
Microapps Story
bychikee7808
 
PDF
Group project photos @ Beijing Institute of Technology
byCP Yen Foundation 朝邦文教基金會
 
PPT
Mexico
byknutsone
 
PPT
Demografi MovieZine
byDaniel Feldt
 
PPT
Oreo Project
bylfenn
 
PDF
Dialogic Change Workshop Handbook (11/4/2011) - bilingual
byCP Yen Foundation 朝邦文教基金會
 
PDF
Julia Newton Presentation
byMark
 
PDF
Liferay cloud services lnlug-6-march-2014
byRuud Kluivers
 
POT
Figaronron Lego Jango Fett
byshameleon
 
PDF
Drustvene Mreze Su Raj Za Marketing - Ognjen Divljak
byOgnjen Divljak
 
DOC
Amit Golchha_CV
byamitjain
 
PDF
Social Media in the Job Search
byMichael Severy
 
Building Lanyrd
bySimon Willison
 
MongoDB ClickStream and Visualization
byCameron Sim
 
Evoking & Creating wisdom
byCP Yen Foundation 朝邦文教基金會
 
Ognjen Divljak Web Portali i E-Poslovanje
byOgnjen Divljak
 
朝邦基金會 對話力課程及引導服務 2013
byCP Yen Foundation 朝邦文教基金會
 
Survey Results - Welfare Benefits
byMark
 
The Frog Frenzy
bylfenn
 
Marks Trip To Ground Zero And Valley Forge Presentation
byguest3413db
 
Microapps Story
bychikee7808
 
Group project photos @ Beijing Institute of Technology
byCP Yen Foundation 朝邦文教基金會
 
Mexico
byknutsone
 
Demografi MovieZine
byDaniel Feldt
 
Oreo Project
bylfenn
 
Dialogic Change Workshop Handbook (11/4/2011) - bilingual
byCP Yen Foundation 朝邦文教基金會
 
Julia Newton Presentation
byMark
 
Liferay cloud services lnlug-6-march-2014
byRuud Kluivers
 
Figaronron Lego Jango Fett
byshameleon
 
Drustvene Mreze Su Raj Za Marketing - Ognjen Divljak
byOgnjen Divljak
 
Amit Golchha_CV
byamitjain
 
Social Media in the Job Search
byMichael Severy
 

Similar to Building Secure Twitter Apps

PPT
B-sides Las Vegas - social network security
byDamon Cortesi
 
PDF
JavaScript Security
byJason Harwig
 
PPT
External Data Access with jQuery
byDoncho Minkov
 
PDF
Security Vulnerabilities: How to Defend Against Them
byMartin Vigo
 
KEY
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
PDF
Web vulnerabilities
byOleksandr Kovalchuk
 
PDF
Secure Form Processing and Protection - Sunshine PHP 2015
byJoe Ferguson
 
PPT
what is-twitter
byaiesecjalandhar
 
PDF
500Startups @ Twitter
byRaffi Krikorian
 
KEY
Application Security for RIAs
byjohnwilander
 
PDF
Evolution Of Web Security
byChris Shiflett
 
PPTX
Browser Security 101
byStormpath
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PPT
Security Vulnerabilities
byMarius Vorster
 
KEY
Intro to developing for @twitterapi (updated)
byRaffi Krikorian
 
PDF
Intro to developing for @twitterapi
byRaffi Krikorian
 
PDF
Top 10 Web Application vulnerabilities
byTerrance Medina
 
PPTX
Web application security
byJin Castor
 
PPTX
Web Application Security in front end
byErlend Oftedal
 
PDF
Grey H@t - Cross-site Request Forgery
byChristopher Grayson
 
B-sides Las Vegas - social network security
byDamon Cortesi
 
JavaScript Security
byJason Harwig
 
External Data Access with jQuery
byDoncho Minkov
 
Security Vulnerabilities: How to Defend Against Them
byMartin Vigo
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
Web vulnerabilities
byOleksandr Kovalchuk
 
Secure Form Processing and Protection - Sunshine PHP 2015
byJoe Ferguson
 
what is-twitter
byaiesecjalandhar
 
500Startups @ Twitter
byRaffi Krikorian
 
Application Security for RIAs
byjohnwilander
 
Evolution Of Web Security
byChris Shiflett
 
Browser Security 101
byStormpath
 
API SECURITY
byTubagus Rizky Dharmawan
 
Security Vulnerabilities
byMarius Vorster
 
Intro to developing for @twitterapi (updated)
byRaffi Krikorian
 
Intro to developing for @twitterapi
byRaffi Krikorian
 
Top 10 Web Application vulnerabilities
byTerrance Medina
 
Web application security
byJin Castor
 
Web Application Security in front end
byErlend Oftedal
 
Grey H@t - Cross-site Request Forgery
byChristopher Grayson
 

Recently uploaded

PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
final.pdf
byomarbishtawi04
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
final.pdf
byomarbishtawi04
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Workflow and decision Automation with Flowable
bychakib ch
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 

Building Secure Twitter Apps

  • 1.
    Web App Securityand Twitter and Twitter Damon P. Cortesi Alchemy Security, LLC TweetStats | TweepSearch | TweetSum
  • 2.
  • 3.
    Common Issues SQLInjection Cross-Site Scripting Cross-Site Request Forgery Information Disclosure Development/Staging sites available
  • 4.
    SQL Injection $sql = “SELECT * FROM users WHERE username = ‘“ . $_POST[‘username’] . “‘ AND password = ‘“ . $_POST[‘password’] . “‘“; What if username is: “dpc’ or ‘a’=’a” ? ... username = ‘ dpc’ or ‘a’=’a ‘ ... SQL Server 2000 && xp_cmdshell
  • 5.
  • 6.
    Cross-Site Scripting Userinput re-displayed in browser and interpreted as HTML or ... JavaScript My name is Damon”><script>alert(‘hi’)</script> Why is this bad? Phishing Cookie stealing Arbitrary JavaScript execution...
  • 7.
    Real-World Dangers Welive in an interactive web
  • 8.
    Web 2.0 FrameworksAs of Django 1.0 (Sep 2008), HTML is auto-escaped Does Rails? -------------------------- No Does Google App Engine? -------- No Does ASP.NET ---------------------- On built-in controls Also has built-in request validation
  • 9.
    CSRF Browsing circa1998 One window. One site. Browsing circa 2009
  • 10.
    CSRF++ Daily browsing- authenticated to many sites at once GET style attacks <img src=” http://x.com/message/123/delete ”/> Cookies sent with this request POST style attacks Generally combined with JavaScript Due to lack of form tokens
  • 11.
    CSRF GET Anaction that modifies data called via HTTP GET (against HTTP specs). <img src=” http://x.com/message/123/delete ”/> <img src=” http://x.com/message/124/delete ”/> <img src=” http://x.com/message/125/delete ”/> <img src=” http://x.com/message/126/delete ”/> <img src=” http://x.com/message/.../delete ”/> No tokens? Logged in? Valid message id? “ Pwned” POST requests not the solution
  • 12.
    CSRF POST Onlydifference: JavaScript required to automate attack. <form name=”csrf” action=” http://x.com/delete.php ” method=”POST”> <input type=”hidden” name=”id” value=”123”> </form> <script>document.csrf.submit()</script>
  • 13.
  • 14.
    Information Disclosure Twitter.comAny site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords
  • 15.
    Retrieve Username $.getJSON(&quot;http://twitter.com /statuses/user_timeline?count=1&callback=? &quot;, function(data) { alert(&quot;Username is: &quot; + data[0].user.screen_name ) }); {&quot;text&quot;:&quot;Pretty sure humans have kneecaps so we can slam them into tables. *ow*&quot;,&quot;truncated&quot;:false, &quot;user&quot; :{&quot;following&quot;:null,&quot;time_zone&quot;:&quot;Pacific Time (US & Canada)&quot;,&quot;description&quot;:&quot;Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http:\/\/tweetstats.com and http:\/\/ratemytalk.com).&quot;, &quot;screen_name&quot;:&quot;dacort&quot; ,&quot;utc_offset&quot;:-28800,&quot;profile_sidebar_border_color&quot;:&quot;87bc44&quot;,&quot;notifications&quot;:null,&quot;created_at&quot;:&quot;Thu Dec 21 07:14:05 +0000 2006&quot;,&quot;profile_text_color&quot;:&quot;000000&quot;,&quot;url&quot;:&quot;http:\/\/dcortesi.com&quot;,&quot;name&quot;:&quot;Damon Cortesi&quot;,&quot;statuses_count&quot;:21385,&quot;profile_background_image_url&quot;:&quot;http:\/\/static.twitter.com\/images\/themes\/theme1\/bg.gif&quot;,&quot;followers_count&quot;:4441,&quot;protected&quot;:false,&quot;profile_link_color&quot;:&quot;A100FF&quot;,&quot;profile_background_tile&quot;:false,&quot;friends_count&quot;:1775,&quot;profile_background_color&quot;:&quot;000000&quot;,&quot;verified&quot;:false,&quot;favourites_count&quot;:202,&quot;profile_image_url&quot;:&quot;http:\/\/s3.amazonaws.com\/twitter_production\/profile_images\/90802743\/Famous_Glasses_normal.jpg&quot;,&quot;location&quot;:&quot;Seattle, WA&quot;,&quot;id&quot;:99723,&quot;profile_sidebar_fill_color&quot;:&quot;e0ff92&quot;},&quot;in_reply_to_status_id&quot;:null,&quot;created_at&quot;:&quot;Mon Jul 27 21:37:53 +0000 2009&quot;,&quot;in_reply_to_user_id&quot;:null,&quot;favorited&quot;:false,&quot;in_reply_to_screen_name&quot;:null,&quot;id&quot;:2877957719,&quot;source&quot;:&quot;<a href=\&quot;http:\/\/ www.atebits.com \/\&quot;>Tweetie<\/a>&quot;}
  • 16.
  • 17.
    Protected Users Ifyour app displays tweets Does it respected the protected status Can change at any time
  • 18.
    Let’s have somefun... Demo time!
  • 19.
    Mitigation “Increase yoursecurity by 80%, by fixing 20% of the problems.” Input Sanitization and Validation Data Encoding and Escaping
  • 20.
    Sanitization/Encoding SQL: mysql_real_escape_string()Stored Procedures/Frameowkrs HTML/XSS: htmlentities(), innerText “<b>Damon</b> >> &quot;&lt;b&gt;Damon&lt;/b&gt; Beware encoding
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
    Some other things...Keeping systems/software up-to-date Rails < 2.1.1? -- SQL Injection bug JumpBox (Server Provisioning) uses Rails 2.1.0 Infrastructure Security Do you know your external network presence? Have all your default passwords been changed?
  • 27.
    One last thingNot always some über-technical buffer overflow sploit... Access database on unprotected share demo/demo password Email on confirmation page Are people thinking securely?
  • 28.
  • 29.
    Third Parties TwitPicIntegration from client apps Is your password only local to the client app? Nope. Not if you “twitpic” something. You’re only as secure as the apps that you (or your friends) use.
  • 30.