Barcamp Perth 4.0 Web Security

  1. “Con un grande potere derivano grandi responsabilità” (“With great power comes great responsibility”)* *nb: not actual quote - Uncle Ben flickr.com/photos/ilcello
  2. Who are you? Christian Frichot flickr.com/photos/lwr flickr.com/photos/jmilles
  3. What are you on about?
  4. flickr.com/photos/jurvetson
  5. flickr.com/photos/meg
  6. flickr.com/photos/muehlinghaus
  7. flickr.com/photos/purpleslog
  8. flickr.com/photos/pixelfrenzy
  9. flickr.com/photos/kogakure
  10. flickr.com/photos/elfsternberg
  11. flickr.com/photos/a_mason
  12. flickr.com/photos/rzrxtion
  13. flickr.com/photos/bahkubean
  14. flickr.com/photos/kevinsteele
  15. flickr.com/photos/helfyland
  16. flickr.com/photos/meg
  17. flickr.com/photos/fbouly
  18. - Economy dropped
      - The Dark Knight came out
      - Heath Ledger died
      - Obama was elected
  19. One out of 11 minutes is spent Social networking
  20. “The most recent figures from Hitwise show Facebook secured 7.07% of hits in the United States during the week ending March 13.”
  21. flickr.com/photos/alancleaver
  22.  
  23. http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
  24. flickr.com/photos/sebastiagiralt
  25. flickr.com/photos/herry
  26. flickr.com/photos/23905174@N00
  27. - 3,800,000
  28. - 4,400,000
  29. - $3,500,000,000
  30. - “18 to 24 year olds are slowest to detect fraud. Millennials (consumers aged 18 to 24 year old) take nearly twice as many days to detect fraud, compared to other age groups.” (Javelin Strategy & Research, 2010 Identity Fraud Survey Report)
  31. flickr.com/photos/hmvh
  32. flickr.com/photos/negatyf
  33. - Grabbing your cookies
      - Grabbing your history
      - Discover your internal NAT’ed IP
      - Port scan behind the firewall
      - Exploit Intranet web-enabled devices
  34. (Ab)use case - example
  35. “The attack works by including a link or script in a page that accesses a site to which the user is known (or supposed) to have been authenticated.”
  36. <img src="http://bank.example/withdraw?account=bob&amount=100000&for=mallory" />
  37. flickr.com/photos/8363028@N08
  38. (Ab)use case - example
  39. Diagram: Admin ↔ Internet Management Interface (HTTPS)
  40. 1. Login: Admin sends POST /Admin/Login.aspx HTTP/1.1 with body Username=admin&password=T0ps3cr3t to the Internet Management Interface (HTTPS)
  41. 2. Admin browses the Net
  42. 3. Admin checks mail
  43. 3. Admin checks mail (the Internet Management Interface is CSRF-able)
  44. 4. Admin receives mail from an ex-employee
  45. 5. Automatic, unauthorised request, i.e. the mail carries <img src="https://10.0.0.10/Admin/Shutdown.aspx?t=now" />, so Admin's browser sends to the Internet Management Interface (HTTPS): GET /Admin/Shutdown.aspx?t=now HTTP/1.1 with header Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  46. 5. No more SAN.
  47. - Time Magazine’s Top 100
      - Twitter
      - ADSL Routers
  48. flickr.com/photos/soloflight
  49. Recommendations
      - Don’t make changes upon receipt of GET requests, only POST
      - Synchroniser Token Pattern:
          <form action="/action.php" method="post">
          <input type="hidden" name="CSRFToken" value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOA==" />
  50. flickr.com/photos/tambako
  51. flickr.com/photos/delhaye
  52. flickr.com/photos/sarflondondunc
  53. http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
  54.  
  55.  
  56. flickr.com/photos/fabiogis50
  57. flickr.com/photos/markop
  58. www.owasp.org
  59. flickr.com/photos/st3f4n
  60. flickr.com/photos/kolya
  61.  
  62. - International not-for-profit
      - Open participation
      - 130+ chapters (incl. Perth!)
      - Open source tools
      - Open source collaborative projects
  63.  
  64.  
  65.  
  66.  
  67.  
  68.  
  69. Don’t write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes.
  70. There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control.
  71. There is a reference implementation for each security control. The logic is not organisation-specific and the logic is not application-specific.
      - An example: string-based input validation.
  72. There are, optionally, your own implementations for each security control. There may be application logic contained in these classes, developed by or for your organisation.
      - An example: enterprise authentication.
  73. - Authentication
      - Access Control
      - Input Validation
      - Output encoding/escaping
      - Cryptography
      - Error handling and logging
      - Communication security
      - HTTP security
      - Security configuration
  74.  
  75. Authenticator interface
          public interface Authenticator {
              User login(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException;
              User getUser(long accountId);
          }
  76. AccessController interface
          public interface AccessController {
              boolean isAuthorizedForURL(String url);
          }
  77. HTTPUtilities interface
          public interface HTTPUtilities {
              String addCSRFToken(String href);
              void verifyCSRFToken(HttpServletRequest request) throws IntrusionException;
          }
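The following is an added worked example, not code from the talk and not ESAPI's implementation. It shows the Synchroniser Token Pattern from the Recommendations slide end to end, using the same two operations the HTTPUtilities interface above exposes (addCSRFToken on a link, verifyCSRFToken on a request), and applies both recommendations to the bank "withdraw" endpoint from the earlier `<img src=...>` example. `Session`, `Request`, `handle_withdraw` and the in-memory session are hypothetical names and structures chosen for the demo; the requests it replays are constructed.

```python
"""Synchroniser Token Pattern, worked end to end.

Added example for this page: it is not ESAPI's code and not the speaker's.
It models the two HTTPUtilities calls shown on the slides, addCSRFToken(href)
and verifyCSRFToken(request), on top of a small in-memory session, and applies
both slide-49 recommendations to the bank "withdraw" endpoint from slide 36.
Session, Request and handle_withdraw are hypothetical names for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

CSRF_TOKEN_NAME = "CSRFToken"  # same hidden-field name as the slide's form


@dataclass
class Session:
    """Server-side session. The token is generated per session with a CSPRNG
    and is only ever sent inside a page the server rendered for this user."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (hypothetical)."""
    method: str
    path: str
    session: Optional[Session]
    form: Dict[str, str] = field(default_factory=dict)   # POST body fields
    query: Dict[str, str] = field(default_factory=dict)  # URL query parameters


class CSRFError(Exception):
    """A state-changing request arrived without a valid synchroniser token."""


def add_csrf_token(session: Session, href: str) -> str:
    """Append the session's token to a link, as ESAPI's addCSRFToken(href) does."""
    sep = "&" if "?" in href else "?"
    return href + sep + urlencode({CSRF_TOKEN_NAME: session.csrf_token})


def hidden_field(session: Session) -> str:
    """Render the hidden <input> that slide 49 places inside every POST form."""
    return f'<input type="hidden" name="{CSRF_TOKEN_NAME}" value="{session.csrf_token}" />'


def verify_csrf_token(request: Request) -> None:
    """Counterpart of ESAPI's verifyCSRFToken(request): raise unless the token the
    client submitted equals the one stored in its session.

    An <img src=...> planted in a mail or a third-party page cannot read the
    victim's page, so it cannot know this value; the browser attaches cookies
    and Basic-auth headers automatically, but never the hidden field."""
    if request.session is None:
        raise CSRFError("no session")
    submitted = request.form.get(CSRF_TOKEN_NAME) or request.query.get(CSRF_TOKEN_NAME)
    if submitted is None:
        raise CSRFError("missing token")
    # constant-time comparison so the check does not leak the token byte by byte
    if not hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode()):
        raise CSRFError("token mismatch")


def handle_withdraw(request: Request) -> str:
    """The slide-36 endpoint with both recommendations applied."""
    if request.method != "POST":
        # Recommendation 1: never change state on GET, so the <img> request is a no-op
        return "405 Method Not Allowed"
    try:
        verify_csrf_token(request)  # Recommendation 2: synchroniser token
    except CSRFError as exc:
        return f"403 Forbidden ({exc})"
    return f"200 OK: withdrew {request.form['amount']} from {request.session.user}"


def demo() -> Tuple[str, str, str]:
    """Replay the three cases: forged GET, forged POST, legitimate POST."""
    bob = Session(user="bob")
    # 1. the <img src="http://bank.example/withdraw?..."> forgery from slide 36
    forged_get = Request("GET", "/withdraw", bob,
                         query={"account": "bob", "amount": "100000", "for": "mallory"})
    # 2. a forged auto-submitting form: right method, but the forger holds no token
    forged_post = Request("POST", "/withdraw", bob,
                          form={"account": "bob", "amount": "100000", "for": "mallory"})
    # 3. a form the server rendered for bob, carrying hidden_field(bob)
    genuine_post = Request("POST", "/withdraw", bob,
                           form={"amount": "100000", CSRF_TOKEN_NAME: bob.csrf_token})
    return (handle_withdraw(forged_get), handle_withdraw(forged_post), handle_withdraw(genuine_post))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token is tied to the server-side session rather than to a cookie alone, which is what makes the pattern work: a cross-site request still carries the victim's cookies and Basic-auth header, but it cannot carry a value that only exists in a page the victim's own session rendered. Rejecting non-POST methods on its own only defeats the `<img>` trick; the token check is what stops a forged auto-submitting form.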
  78. flickr.com/photos/st3f4n
  79. flickr.com/photos/onkel_wart
  80. flickr.com/photos/sophistechate
  81. flickr.com/photos/dalbera
  82. “With great power comes great responsibility”