4. Reasons for Security
- Reliable systems are secure
- Security of a system = security of the weakest part
- Hard to fix after the system is ready
- Everyone should care
Monday, April 29, 13
5. How It All Started
- John Draper (Cap’n Crunch)
- Phreaking in the 70s
6. How It All Started
- 1986: Brain
- 1988: Morris
- Both (meant as) harmless
- Led to CERT
7. How It All Started
- The 90s gave birth to phishing attacks
- AOL being the first victim
8. How It All Started
- Security became an issue
- 2003: Summer of worms
- Blaster, Nachi, SoBig
9. IT Security Today
NPR.org Hacked; 'Syrian Electronic Army' Takes Responsibility
April 16,
20. Client Side
- Web browser takes data and renders it on screen
- Browsers: IE, Firefox, Chrome, Safari
- Languages: JavaScript, ActionScript, Java (Applets)
22. Web Weakness
- Client-Server gap is too easy
- HTTP is stateless
- Many different technologies and vendors
- Code/Data intermix
- It’s way more complicated than it looks
24. SQL Injections
- Started in 1999
- (Probably) the most famous technique
- 83% of data breaches 2005-2011
- Attack rate: 70 attempts / hour
25. Famous Victims
- (2002) guess.com revealed 200K customer names and credit cards
- (2007) Microsoft UK Defacement
- (2009) RockYou DB hacked for 30Mil users
- (2011) MySql.com hacked
- (2012) Yahoo lost 450K login credentials
27. What Did Bobby Break
    # Perl: $user comes straight from the request and is interpolated into the SQL text
    # (string concatenation is '.', not '+')
    $query = "SELECT name, grade " .
             "FROM students " .
             "WHERE name = '$user'";
28. What Did Bobby Break
    # The same statement once $user holds "Robert'; DROP TABLE students":
    $query = "SELECT name, grade " .
             "FROM students " .
             "WHERE name = 'Robert'; DROP TABLE students'";
Expected data, got code.
29. SQLi Examples
- See if you can log in
- Login form code: https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/SQLInjection/Login.pm
30. SQLi Example
- See if you can print out names and passwords
- https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/SQLInjection/InfoLeak.pm
31. Affected Languages
- All programming languages
- Usually found in ASP, Java, Perl and PHP
32. Bug Spotting
- Search for code that:
  - Takes user input
  - Does not validate input
  - Uses input to talk to the DB
33. Bug Spotting
- In code review:
  - Find DB code
  - Make sure its input is sanitized
34. Black-Box Spotting
- Many automated tools will help you find SQL Injections
- Popular: Havij http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/
35. How To Avoid
- Use prepared statements
- Demo:
    SELECT name, grade FROM students
    WHERE name = ?
  The ? placeholder is later bound to data
36. How To Avoid
- Sanitize your input. Always
- Demo:
    # Perl. Allowlist checks: anything that does not match is rejected outright.
    # '!~' replaces '! $x =~ /.../', which Perl parses as (!$x) =~ /.../ and so
    # never tests $x itself. \A and \z anchor the whole string; a bare $ would
    # still accept a value ending in a newline.
    if ( $name !~ /\A[a-z]+\z/ ) {
        die "Invalid Input";
    }
    if ( $age !~ /\A[0-9]+\z/ ) {
        die "Invalid Input";
    }
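Slides 27, 28, 35 and 36 side by side, as an added example that is not part of the deck or of the ynonp demos: the string-built query from slide 27 leaks every row for a constructed input, the bound-parameter version from slide 35 treats the same input (and the slide 28 "Robert" input) as a plain name, and slide 36's allowlist is carried over to Python. It assumes an in-memory SQLite table named students, constructed here.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slides' students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [("alice", 90), ("robert", 75)])
    return conn

def lookup_vulnerable(conn, user):
    """Slide 27's bug: the user's text is pasted into the SQL and parsed as code."""
    query = "SELECT name, grade FROM students WHERE name = '%s'" % user
    return conn.execute(query).fetchall()

def lookup_prepared(conn, user):
    """Slide 35's fix: the statement is fixed and '?' is bound to the value
    afterwards, so whatever was typed is compared as a literal name."""
    query = "SELECT name, grade FROM students WHERE name = ?"
    return conn.execute(query, (user,)).fetchall()

# Slide 36's allowlist in Python. \A and \Z anchor the whole string; a bare $
# would still accept "alice\n".
NAME_RE = re.compile(r"\A[a-z]+\Z")

def is_valid_name(name):
    return NAME_RE.match(name) is not None

def demo():
    conn = make_db()
    leak = "' OR '1'='1"                    # constructed input: WHERE is always true
    bobby = "Robert'; DROP TABLE students"  # the input behind slide 28
    return {
        "vulnerable_leak": lookup_vulnerable(conn, leak),  # every row comes back
        "prepared_leak": lookup_prepared(conn, leak),      # nobody has that name
        "prepared_bobby": lookup_prepared(conn, bobby),    # data, not code
        "rows_left": conn.execute("SELECT count(*) FROM students").fetchone()[0],
        "leak_passes_allowlist": is_valid_name(leak),
    }

if __name__ == "__main__":
    print(demo())
```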
37. Extra Precautions
- Keep users’ passwords hashed in the DB
- Encrypt important data in the DB
- Microsoft URLScan
- TrustWave ModSecurity (Open Source)
45. Example: OpenBB
PHP remote file inclusion vulnerability in Open Bulletin Board (OpenBB) 1.0.8 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) index.php and possibly (2) collector.php.
CVE-2006-4722
46. Bug Spotting
- Search for code that loads external files
- Search for code that stores external files
- Make sure the file name is sanitized
47. How To Avoid
- Avoid by sanitizing your input
- Don’t allow uploads if you don’t have to
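One way to do the file-name sanitizing slides 46 and 47 ask for, written here as an added example and not taken from OpenBB or the deck's demos: a request parameter like the root_path of slide 45 is refused if it carries a URL scheme, must match a strict allowlist, and must still resolve under the include directory. The base directory /srv/app/inc is an assumption.

```python
import os
import re
from urllib.parse import urlsplit

# Allowlist for an include name: letters, digits, '_', '.', '-'; no leading dot
# and no path separators, so neither "../" traversal nor absolute paths pass.
SAFE_NAME = re.compile(r"\A[A-Za-z0-9_][A-Za-z0-9_.-]*\Z")

def resolve_include(base_dir, requested):
    """Absolute path of `requested` inside base_dir, or ValueError."""
    # A scheme (http://, ftp://, php:// ...) means remote or stream inclusion:
    # exactly what the OpenBB root_path bug allowed. Refuse it.
    if urlsplit(requested).scheme:
        raise ValueError("remote locations are not allowed")
    if not SAFE_NAME.match(requested):
        raise ValueError("invalid file name")
    base = os.path.abspath(base_dir)
    full = os.path.abspath(os.path.join(base, requested))
    # Belt and braces: even a name that passed the regex must stay under base.
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes the include directory")
    return full

def is_allowed(base_dir, requested):
    """True if resolve_include() would accept the name."""
    try:
        resolve_include(base_dir, requested)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(resolve_include("/srv/app/inc", "footer.php"))
```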
49. Demo
- Try to find a company’s id using: https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/XPathInjection/Leak.pm
50. Client-Side Injections
- A relatively new category of injections uses client-side languages (mainly JavaScript)
- Attacker uses the website to attack other users
52. JavaScript Security
- Browsers use a security policy called “Same Origin Policy”
- A page has an origin
- Some actions are restricted to the page’s origin
53. JavaScript Risks
- Same Origin Policy protects against the following:
  - Unauthorized access to cookies
  - Unauthorized access to canvas
  - Unauthorized AJAX calls
54. Famous Injections
- XSS is the most famous JavaScript injection
- Variants: inject code into Flash
60. Examples
- Throwing users out of a public chat room
- Getting a user to send a “fake” message
- https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/JSInjection/Chatter.pm
61. Examples
- Hijacking a user’s session through messaging
- Getting a user to send a fake message
- https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/XSS/SessionHijack.pm
62. Bug Spotting
- Search for code that writes markup to the user
- Verify all output is sanitized
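The output sanitizing slide 62 calls for, applied to the chat room of slides 60 and 61, as an added example (not the Chatter.pm demo): the unsafe renderer writes stored messages into markup untouched, the safe one escapes each value at output time, and the same escaping is applied to a value read from a cookie or header, which slide 66 lists as an injection source. The chat log is constructed.

```python
import html

# Constructed chat log: the second message is the kind of text posted into the
# slide-60 chat room so that every other visitor's browser executes it.
MESSAGES = [
    ("alice", "hello everyone"),
    ("mallory", "<script>alert(1)</script>"),
]

def render_unsafe(messages):
    """Slide 62's bug: stored text is written into the page markup as-is."""
    return "".join(f"<li><b>{user}</b>: {text}</li>" for user, text in messages)

def render_safe(messages):
    """Escape every untrusted value when it is written out; the browser then
    shows the characters < > & \" ' instead of interpreting them as markup."""
    return "".join(
        f"<li><b>{html.escape(user)}</b>: {html.escape(text)}</li>"
        for user, text in messages
    )

def render_greeting(display_name):
    """Slide 66: a value taken from a cookie or HTTP header is user input too
    and needs the same escaping, in both attribute and text positions."""
    safe = html.escape(display_name, quote=True)  # quote=True also escapes " and '
    return f'<span data-user="{safe}">Hi, {safe}</span>'

if __name__ == "__main__":
    print(render_safe(MESSAGES))
    print(render_greeting('" onmouseover="alert(1)'))
```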
66. Code Weak Spots
- Injections are more likely to occur in:
  - Cookies
  - HTTP Headers
- Don’t forget to sanitize these too
67. Web Security
- Security of a system = the weakest part
- System breaches usually involve more than one vulnerability
- Use the power of frameworks
68. Thanks For Listening
- Ynon Perek
- http://ynonperek.com
- ynon@ynonperek.com