This document discusses the importance of being security-conscious or "paranoid" when developing web applications. It outlines various types of common web attacks like phishing, spamming, SQL injection, cross-site scripting, and clickjacking. The document emphasizes that developers need to carefully filter all user input, implement tokens to prevent CSRF attacks, and not assume new technologies alone will prevent security issues. Developers are encouraged to learn about common vulnerabilities and threats from resources on secure coding best practices.

1. Is it good to be paranoid ?introduction to web securityTech talk @ Georgia Tech, March 2011

2. Subramanyan MuraliyahooMail Engineer Hacker, Photographer, Traveler @rmsguhan

3. par·a·noi·anparanoia [pӕrəˈnoiə]a type of mental illness in which a person has fixed & unreasonable ideas that he/she is very important, or that other people are being unfair or un-friendly to him/her3

4. in Yahoo!, they are just people who care a lot about web security 4

5. Q.What is the problem ?

6. Spammers want to do cheap advertising & unsolicited marketing

7. Phisherswant to steal user identity for personal benefit

8. Crackers want to break into your systems & profit

9. Jokers just want to watch the world burn 

10. “It’s necessary to build an application that is user friendly, high performing, accessible and secure, all while executing partially in an un-trusted environment that you, the developer, have no control over”Philip Tellis, Yahoo! Paranoidhttp://www.smashingmagazine.com/author/philip-tellis/

11. A tech-savy user maybe aware …

12. … but to some cookies are still made of dough & chocolate chips

13. A.Keep it simple for normal users Make it hard for users with evil intentions

14. Users have a lot of trust on the web & share a lot of information

15. Every attack is unique & exploits weakness

16. Types of web attacksPhishing & Spamming Scamming Code InjectionForgery & spoofing

17. Cross(X)Side Scripting 17

18. XSSFilter all input that you are going to save Be aware of the data you are saving URL should save only urlsNumbers should save only numbers Never open up your site based purely on trust

19. SQL / Shell Injection

20. http://xkcd.com/327/

21. <?php $user = $_GET[‘user’]; $message = $_GET[‘message’];function save_message($user, $message){ $sql = "INSERT INTO Messages ( user, message ) VALUES ( '$user', '$message’ )"; return mysql_query($sql);}?>

22. test');DROP TABLE Messages;test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …

23. Cross-Site Request Forgery

24. <imgsrc=“http://www.mybiz.com/post_message?message=Cheap+medicine+at+http://evil.com/” style="position:absolute;left:-999em;”>

25. <iframename="pharma” style="display:none;"></iframe><form id="pform” action=“http://www.mybiz.com/post_message” method="POST” target="pharma”><input type="hidden" name="message" value="Cheap medicine at ..."></form><script>document.getElementById('pform').submit();</script>

26. Issue a unique token / crumb that only your server would know for that sessionCheck if the posted data has that token

27. For normal posts, use a time bound token <?phpfunction get_nonce() { return md5($secret . ":" . $user . ":" . ceil(time()/86400));}?>For more sensitive posts, use a token that is stored in user session

28. Click-jackinghttp://erickerr.com/like-clickjacking

29. Tab-Jackinghttp://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

30. New secure technology does not guarantee a secure application

31. As developers, we need to cautious

32. Resourceshttp://www.owasp.org/index.php/Main_Pagehttp://kilimanjaro.dk/blog/http://www.smashingmagazine.com/author/philip-tellis/http://code.google.com/edu/security/index.htmhttp://www.slideshare.net/joewalker/web-app-securityhttp://www.slideshare.net/shiflett/evolution-of-web-securityhttp://www.slideshare.net/txaypanya/owasp-top10-2010

33. Be paranoid, be smartThank you ! 