Kristaps Kūlis, profile picture
Uploaded byKristaps Kūlis
287 views

Web security 101

The document provides an overview of common internet security topics such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), password storage best practices, and discusses the importance of using encryption and securing web applications, servers, networks and personal devices and data. It emphasizes that security is an ongoing process and outlines some specific vulnerabilities in PHP as well as recommendations for improving security.

Embed presentation

Download to read offline
Net security 101 Internet is hostile network Kristaps Kūlis
“Real” security ● Security trough security, not obscurity House secured by door keys, not by putting doors on roof. ● Ongoing process
Web applications Be conservative in what you do; be liberal in what you accept from others /Postel's law/
SQL injection
SQL injections ● Creating queries by string concatenation is “the wrong way” ● MySQL don't do multiple queries. ● Let DB do validation - use parametrized queries ● ORM frameworks lift the burden ● It is easy to forget to validate inline SQL somewhere
XSS
XSS ● Escape HTML/JS/XML special characters on output ● Vulnerability can exist on client side (JS). ● It can get hairy with JS, AJAX, JSONP etc ...
CSRF <img src=”http://www.bank.lv/pay?to=kristaps&amount=100” /> ● Third party unauthorized request to web site ● Include unique token into each response and validate on request. ● Never update data with GET
Storing passwords ● Do not expose DB / other credentials ● MD5 is too “cheap”. SHA1 is not “expensive enough” ● Make hash functions slow. ● Multiple iterations ● Bcrypt
Authorization vs Authentication Autentication: authenticating user credentials. Usually done once per session. Authorization: checks that user is authorized to do particular action. Must be done on every request.
Session fixation ● Session cookie stealing / guessing ● Initialize sessions ● Tie sessions to IP address / User Agent ● Expire / invalidate sessions.
PHP specific problems
register_globals ~50% of open source PHP app vulnerabilities works only when register_globals are on
safe_mode Wrong place, wrong solution
magic_quotes Gives false sense of security and no real protection
display_errors Gives away too much information Log your errors, do not display them
One .php file as one script PHP engine has no “application” concept. Class files, configuration files, etc should not be executable … ...everything that is not .php by default is dumped as plaintext in browser
include and require accepts URLs as parameters Remote code injection made dead easy If you disable remote_url_fopen, you cannot open any URL (without CURL)
All these settings should be disabled by default On most hosting servers they are not
Server security enviroment matters
TLS (SSL) ● Public-Private key infrastructure ● Server verification and data encryption ● Ultimate trust to Certificate Authorities (CA) ● Don't use self-signed certificates. Roll out your own CA .
Secure / insecure protocols ● HTTP sends all information in plaintext ● So does FTP/IMAP/POP3/STMP ● Use HTTPS / SFTP / IMAPs / POP3s / STMP over TLS ● DNS is built on trust. DNSSEC is not (yet) working.
[D]DoS ● DoS – “million” requests from one client ● DDoS – “zillion” requests from “million” clients ● Handle DoS at firewall level. ● Try to survive DDoS at router level.
Shared hosting ● Easy, fast, secure – pick two ● “Jail” each site ● Selinux / AppArmor to rescue ● IDS / mod_security is slow ● Test backups.
Real life 100% secure system Slide intentionally left blank
Personal security weakest chain link
Passwords Passwords are like underwear. You don't share them and you change them often. KeepassX
Think ● Don't use plaintext protocols over open WiFi ● Secure your home router ● Check URLs and filenames ● Malware doesn't expose itself anymore ● Botnet ● Information stealing ● Avoid buggy and insecure software (flash and acrobat reader).
Securing digital communication ● Skype is sort-of secure ● PGP ● S/MIME
Handling incidents ● Not all hackers all bad ● Preserve evidence ● Presume that attacker obtained maximum information. ● System is compromised ● Eliminate attack vectors ● Offline backups help.
Questions ?
Futher reading ● www.owasp.org – knowledge ● www.cert.lv – Latvia netsecurity team Books ● Stealing the Network: How to Own the Box by R. Russel – hacking “fiction” book. ● Art of Deception by Kevin Mitnick – hacker “memoirs”

More Related Content

PPTX
KiwiCon 2016 - Kicking Orion's Assets
byRob Fuller
 
PDF
When the internet bleeded : RootConf 2014
byAnant Shrivastava
 
PDF
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
byDane Schneider
 
PPTX
[OWASP Poland Day] Application security - daily questions & answers
byOWASP
 
PDF
Post Metasploitation
byegypt
 
PDF
Sec 101
byDiego Pacheco
 
PDF
Offensive Security with Metasploit
byegypt
 
PDF
Ieee S&P 2020 - Software Security: from Research to Industry.
byMinded Security
 
KiwiCon 2016 - Kicking Orion's Assets
byRob Fuller
 
When the internet bleeded : RootConf 2014
byAnant Shrivastava
 
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
byDane Schneider
 
[OWASP Poland Day] Application security - daily questions & answers
byOWASP
 
Post Metasploitation
byegypt
 
Sec 101
byDiego Pacheco
 
Offensive Security with Metasploit
byegypt
 
Ieee S&P 2020 - Software Security: from Research to Industry.
byMinded Security
 

What's hot

PDF
Content Security Policy - Lessons learned at Yahoo
byBinu Ramakrishnan
 
PPTX
Web & Cloud Security in the real world
byMadhu Akula
 
PDF
Security awareness training
bySumedt Jitpukdebodin
 
PDF
SSL Pinning and Bypasses: Android and iOS
byAnant Shrivastava
 
PDF
The Art of Executing JavaScript by Akhil Mahendra
byCysinfo Cyber Security Community
 
PDF
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
PPTX
The magic of ettercap
byn|u - The Open Security Community
 
PDF
SSH - From Zero to Hero
byOWASP Khartoum
 
PPTX
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
PPTX
Nodejs Security
byJason Ross
 
PPT
Node.JS security
byDeepu S Nath
 
PDF
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
byNick Sullivan
 
PPTX
[OWASP Poland Day] Saving private token
byOWASP
 
PDF
Wireless Hotspot: The Hackers Playground
byJim Geovedi
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
byAnant Shrivastava
 
PDF
Nodevember 2015
byAdam Baldwin
 
PDF
CloudFlare - The Heartbleed Bug - Webinar
byCloudflare
 
PPTX
Apache Struts2 CVE-2017-5638
byRiyaz Walikar
 
PDF
Node Day - Node.js Security in the Enterprise
byAdam Baldwin
 
PDF
already-0wned
byegypt
 
Content Security Policy - Lessons learned at Yahoo
byBinu Ramakrishnan
 
Web & Cloud Security in the real world
byMadhu Akula
 
Security awareness training
bySumedt Jitpukdebodin
 
SSL Pinning and Bypasses: Android and iOS
byAnant Shrivastava
 
The Art of Executing JavaScript by Akhil Mahendra
byCysinfo Cyber Security Community
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
The magic of ettercap
byn|u - The Open Security Community
 
SSH - From Zero to Hero
byOWASP Khartoum
 
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
Nodejs Security
byJason Ross
 
Node.JS security
byDeepu S Nath
 
Running Secure Server Software on Insecure Hardware without a Parachute - RSA...
byNick Sullivan
 
[OWASP Poland Day] Saving private token
byOWASP
 
Wireless Hotspot: The Hackers Playground
byJim Geovedi
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
byAnant Shrivastava
 
Nodevember 2015
byAdam Baldwin
 
CloudFlare - The Heartbleed Bug - Webinar
byCloudflare
 
Apache Struts2 CVE-2017-5638
byRiyaz Walikar
 
Node Day - Node.js Security in the Enterprise
byAdam Baldwin
 
already-0wned
byegypt
 

Viewers also liked

PPS
Al estar aqui
byPABLO GOMEZ-LOBO RODRIGUEZ
 
PPS
Alma de cristo
byPABLO GOMEZ-LOBO RODRIGUEZ
 
PPS
Adorare tu cuerpo_herido
byPABLO GOMEZ-LOBO RODRIGUEZ
 
PPTX
Libre office examen
byMilen Ita
 
PPS
Entregame tu corazon
byPABLO GOMEZ-LOBO RODRIGUEZ
 
PPTX
José eloy alfaro delgado
byJhonatan SO
 
PDF
Lectores enero 2017
byMontserrat Navarro Morales
 
PPSX
Act2 lfcf
byEomar58
 
PDF
Embedding Testing 2015
byGeorg Lohrer
 
PPTX
As Tendências de Marketing Digital para 2016
byÉber Gustavo
 
PDF
Decoramos el colegio San Pedro para Halloween
byMontserrat Navarro Morales
 
PDF
RCS Catalog 2015 web
byRaphael Grover
 
PPTX
INTB3 Cruz, Bermejo, Salazar, Cuara, Gonzales, Sosa
byEomar58
 
PPTX
Atc3 Equipo 1
byEomar58
 
PDF
JI
byMike Hamilton, CEH, MCAD
 
Al estar aqui
byPABLO GOMEZ-LOBO RODRIGUEZ
 
Alma de cristo
byPABLO GOMEZ-LOBO RODRIGUEZ
 
Adorare tu cuerpo_herido
byPABLO GOMEZ-LOBO RODRIGUEZ
 
Libre office examen
byMilen Ita
 
Entregame tu corazon
byPABLO GOMEZ-LOBO RODRIGUEZ
 
José eloy alfaro delgado
byJhonatan SO
 
Lectores enero 2017
byMontserrat Navarro Morales
 
Act2 lfcf
byEomar58
 
Embedding Testing 2015
byGeorg Lohrer
 
As Tendências de Marketing Digital para 2016
byÉber Gustavo
 
Decoramos el colegio San Pedro para Halloween
byMontserrat Navarro Morales
 
RCS Catalog 2015 web
byRaphael Grover
 
INTB3 Cruz, Bermejo, Salazar, Cuara, Gonzales, Sosa
byEomar58
 
Atc3 Equipo 1
byEomar58
 
JI
byMike Hamilton, CEH, MCAD
 

Similar to Web security 101

PDF
Invited Talk - Cyber Security and Open Source
byhack33
 
PDF
Web Security
byGerald Villorente
 
PDF
How to secure web applications
byMohammed A. Imran
 
PPT
Intro to Web Application Security
byRob Ragan
 
PPTX
Web Application Vulnerabilities
byPreetish Panda
 
PPTX
Open Source Security
bySander Temme
 
PPT
Application Security
bynirola
 
PDF
Hacking Vulnerable Websites to Bypass Firewalls
byNetsparker
 
PDF
Workshop on Network Security
byUC San Diego
 
PDF
How to Destroy a Database
byJohn Ashmead
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PPTX
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
bySachintha Gunasena
 
PPTX
Attacking Web Applications
bySasha Goldshtein
 
PPT
Dmk bo2 k8_ccc
byDan Kaminsky
 
PPT
Securing Your WordPress Website - WordCamp GC 2011
byVlad Lasky
 
PPT
Securing Your WordPress Website by Vlad Lasky
bywordcampgc
 
PDF
Web Application Scanning 101
bySasha Nunke
 
ODP
Security In PHP Applications
byAditya Mooley
 
PDF
Dip Your Toes in the Sea of Security (PHP Dorset, 2nd June 2014)
byJames Titcumb
 
PPT
Web Application Security
byChris Hillman
 
Invited Talk - Cyber Security and Open Source
byhack33
 
Web Security
byGerald Villorente
 
How to secure web applications
byMohammed A. Imran
 
Intro to Web Application Security
byRob Ragan
 
Web Application Vulnerabilities
byPreetish Panda
 
Open Source Security
bySander Temme
 
Application Security
bynirola
 
Hacking Vulnerable Websites to Bypass Firewalls
byNetsparker
 
Workshop on Network Security
byUC San Diego
 
How to Destroy a Database
byJohn Ashmead
 
Owasp top 10 2013
byEdouard de Lansalut
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
bySachintha Gunasena
 
Attacking Web Applications
bySasha Goldshtein
 
Dmk bo2 k8_ccc
byDan Kaminsky
 
Securing Your WordPress Website - WordCamp GC 2011
byVlad Lasky
 
Securing Your WordPress Website by Vlad Lasky
bywordcampgc
 
Web Application Scanning 101
bySasha Nunke
 
Security In PHP Applications
byAditya Mooley
 
Dip Your Toes in the Sea of Security (PHP Dorset, 2nd June 2014)
byJames Titcumb
 
Web Application Security
byChris Hillman
 

Web security 101

  • 1.
    Net security 101 Internet is hostile network Kristaps Kūlis
  • 2.
    “Real” security ● Security trough security, not obscurity House secured by door keys, not by putting doors on roof. ● Ongoing process
  • 3.
    Web applications Be conservativein what you do; be liberal in what you accept from others /Postel's law/
  • 4.
  • 5.
    SQL injections ● Creating queries by string concatenation is “the wrong way” ● MySQL don't do multiple queries. ● Let DB do validation - use parametrized queries ● ORM frameworks lift the burden ● It is easy to forget to validate inline SQL somewhere
  • 6.
  • 7.
    XSS ● Escape HTML/JS/XML special characters on output ● Vulnerability can exist on client side (JS). ● It can get hairy with JS, AJAX, JSONP etc ...
  • 8.
    CSRF <img src=”http://www.bank.lv/pay?to=kristaps&amount=100” /> ● Third party unauthorized request to web site ● Include unique token into each response and validate on request. ● Never update data with GET
  • 9.
    Storing passwords ● Do not expose DB / other credentials ● MD5 is too “cheap”. SHA1 is not “expensive enough” ● Make hash functions slow. ● Multiple iterations ● Bcrypt
  • 10.
    Authorization vs Authentication Autentication:authenticating user credentials. Usually done once per session. Authorization: checks that user is authorized to do particular action. Must be done on every request.
  • 11.
    Session fixation ● Session cookie stealing / guessing ● Initialize sessions ● Tie sessions to IP address / User Agent ● Expire / invalidate sessions.
  • 12.
  • 13.
    register_globals ~50% of opensource PHP app vulnerabilities works only when register_globals are on
  • 14.
  • 15.
    magic_quotes Gives false senseof security and no real protection
  • 16.
    display_errors Gives awaytoo much information Log your errors, do not display them
  • 17.
    One .php fileas one script PHP engine has no “application” concept. Class files, configuration files, etc should not be executable … ...everything that is not .php by default is dumped as plaintext in browser
  • 18.
    include and requireaccepts URLs as parameters Remote code injection made dead easy If you disable remote_url_fopen, you cannot open any URL (without CURL)
  • 19.
    All these settingsshould be disabled by default On most hosting servers they are not
  • 20.
    Server security enviroment matters
  • 21.
    TLS (SSL) ● Public-Private key infrastructure ● Server verification and data encryption ● Ultimate trust to Certificate Authorities (CA) ● Don't use self-signed certificates. Roll out your own CA .
  • 22.
    Secure / insecureprotocols ● HTTP sends all information in plaintext ● So does FTP/IMAP/POP3/STMP ● Use HTTPS / SFTP / IMAPs / POP3s / STMP over TLS ● DNS is built on trust. DNSSEC is not (yet) working.
  • 23.
    [D]DoS ● DoS – “million” requests from one client ● DDoS – “zillion” requests from “million” clients ● Handle DoS at firewall level. ● Try to survive DDoS at router level.
  • 24.
    Shared hosting ● Easy, fast, secure – pick two ● “Jail” each site ● Selinux / AppArmor to rescue ● IDS / mod_security is slow ● Test backups.
  • 25.
    Real life 100%secure system Slide intentionally left blank
  • 26.
    Personal security weakest chain link
  • 27.
    Passwords Passwords are like underwear. You don't share them and you change them often. KeepassX
  • 28.
    Think ● Don't use plaintext protocols over open WiFi ● Secure your home router ● Check URLs and filenames ● Malware doesn't expose itself anymore ● Botnet ● Information stealing ● Avoid buggy and insecure software (flash and acrobat reader).
  • 29.
    Securing digital communication ● Skype is sort-of secure ● PGP ● S/MIME
  • 30.
    Handling incidents ● Not all hackers all bad ● Preserve evidence ● Presume that attacker obtained maximum information. ● System is compromised ● Eliminate attack vectors ● Offline backups help.
  • 31.
  • 32.
    Futher reading ● www.owasp.org – knowledge ● www.cert.lv – Latvia netsecurity team Books ● Stealing the Network: How to Own the Box by R. Russel – hacking “fiction” book. ● Art of Deception by Kevin Mitnick – hacker “memoirs”