The document discusses various security concerns for web applications including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). It provides examples of each vulnerability and emphasizes the importance of filtering input, escaping output, and reducing database user privileges to help prevent security issues.

1. Web Application Security Why is it important? Jason R. Leveille http://jasonleveille.com December 5, 2008 – Damascus High School

2. Introduction High School Teacher for 8 Years Web Software Developer for 1.5 Security is not my strong point Why am I talking about security? Security is a concern in many layers Server Layer (Apache, IIS, etc) Database Layer (mySQL, PostreSQL, etc) Application Language/Script (PHP, Python, etc) Web App Server/Client Side

3. A Brief Example: PHP info/secinfo What we see when we look at phpinfo() http://url/talk/psi/info.php What we seen when we look at PHP Sec. Info feedback. http://url/talk/psi/ Illustrates the need to secure your “language”, in your server environment, as best you can

4. SQL Injection What is SQL Injection An example Stealing usernames/passwords http://url/talk/ex1.php (ex5.php) ?userid=5 ?userid=5 union all select id,email,password from users— What happened? The Source Code Things to think about

5. SQL Injection Another example Drop Table http://xkcd.com/327 http://url/talk/foo.php ?first_name=Jason ?first_name=Jason’; DROP TABLE users; What happened? An illustration in phpmyadmin Things to think about?

6. Cross Site Scripting (XSS) What is XSS? An Example Cookie theft http://url/talk/ex2.php What happened? The Source Code Things to think about

7. Cross Site Scripting (XSS) A real world example asp application / SQL Server attack Combined XSS SQL Injection Installation of malware Our attack traced back to organized crime in Russia! Should I not have written that …

8. Cross Site Request Forgery (CSRF) What is CSRF? An Example http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics

9. Security: Filter Input What is input? What does it mean to filter input? An example http://url/talk/ex3.php What’s happening? The Source Code Things to think about

10. Security: Escape Output What is output? What does it mean to escape output? An example http://url/talk/ex4.php What’s happening? The Source Code Things to think about

11. Security: Database User Privileges What are user privileges? Reducing user privileges An example Creating a reduced user privileged account Attempting DROP TABLE with this new account Things to think about

12. In Conclusion Take care of your own information online Never trust data coming into your application Filter Input Escape Output Reduce Database User Privileges Always store passwords hashed See example of student passwords

13. Questions? http://jasonleveille.com leveillej at gmail dot com

14. Resources http://www.apachesecurity.net/ http://www.microsoft.com/technet/security/prodtech/IIS.mspx http://www.scribd.com/doc/2569459/Securing-MySQL-for-a-Security-Audit http://www.postgresql.org/docs/8.3/static/user-manag.html http://phpsec.org/projects/phpsecinfo/index.html

15. Resources http://dev. mysql .com/tech-resources/articles/guide-to-php-security-ch3.pdf http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ http://xkcd.com/327/ http://xssed.org/ http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines

16. Resources http://shiflett.org/articles/cross-site-request-forgeries http://php.net/ctype http://us3.php.net/strip-tags http://us2.php.net/manual/en/book.pcre.php http://ha.ckers.org/xss.html http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss

17. Resources http://us.php.net/htmlentities http://shiflett.org/blog/2007/may/character-encoding-and-xss http://htmlpurifier.org/ http://us.php.net/manual/en/mysqli.real-escape-string.php