Web Security
By David Haskins
Hashing and Encryption
• Types of hashes:
– md5 (generally considered compromised)
– SHA-1, SHA-2, SHA-3
– LANMAN (definitely compromised)
Hashing and Encryption
• Hash of "hello Memphis PHP meetup group!":
– a52cc137d1f59dc9265c59751cd3e624
• Hash of "1":
– c4ca4238a0b923820dcc509a6f75849b
• Hash of "10":
– d3d9446802a44259755d38e6d163e820
Hashing and Encryption
Properties of hashes:
– can be used to identify changes to data.
– are considered one-way:
md5("my_string_here"); // exists
unmd5("535f8bd2e548ffed92027c53d5a24b56"); // doesn't exist
Hashing and Encryption
Encryption is reversible. Encryption requires a key to
decrypt.
Symmetric versus asymmetric key cryptography.
Symmetric would work like:
$key = 'secret';
$msg = encrypt("hidden message", $key);
echo decrypt($msg, $key);
Hashing and Encryption
The problem:
How do you get the key to someone over
the internet without some 12-year-old hacker
reading it?
Hashing and Encryption
Asymmetric would work like:
$encrypt_key = 'key_123';
$decrypt_key = 'key_456';
$msg = encrypt("hidden message", $encrypt_key);
echo decrypt($msg, $decrypt_key);
Hashing and Encryption
Asymmetric, continued:
The point to remember is that decrypting with the encryption key produces gibberish:
echo decrypt($msg, $encrypt_key);
Hashing and Encryption
In public key cryptography there are two keys:
- a public key
- a private key
One is used for encryption, the other is used for
decryption.
The whole reason this works is that a message
encrypted with the public key can only be
decrypted with the private key.
Hashing and Encryption
Small problem:
Asymmetric cryptography is slow.
Solution:
Use asymmetric cryptography to share a
symmetric key. Then use symmetric
cryptography.
HTTPS
User and Amazon server:
- User -> Amazon server: send connection request on port 443.
- Amazon server -> User: send public key.
- The browser generates a symmetric key, encrypts it with Amazon's public key and sends it to Amazon.
- Amazon decrypts the symmetric key with Amazon's private key and sends the response encrypted with the symmetric key.
Hashes and Salting
Remember hashes?
They work like one-way encryption.
$string = '1';
echo md5($string);
// outputs c4ca4238a0b923820dcc509a6f75849b
Hashes and Salting
We can use this for validating passwords.
Hashes and Salting
The plain-text problem:
$password = $_POST['password'];
$user = $_POST['user'];
$query = "select id from user where password = '$password' and
userName = '$user'";
ID UserName Password
1 cypherTXT l3m0ns
2 fred password123
3 david_TN m3mph!$
4 sallyW omgPonies!
5 agent_007 1337h4x0r
Hashes and Salting
Store the hash of the password instead of the plain-text:
$password = md5($_POST['password']);
$user = $_POST['user'];
$query = "select id from user where password = '$password' and
userName = '$user'";
ID UserName Password
1 cypherTXT cf5712b00855500691cff0e4b0566c68
2 fred 482c811da5d5b4bc6d497ffa98491e38
3 david_TN f145a55e591e1c6ed235ce456a5166f7
4 sallyW e2c29e21e004f9e71ef9db780884ede1
5 agent_007 81d3ebd158986fbdd6bd47177312c026
Hashes and Salting
Rainbow tables
plain text hash
a 0cc175b9c0f1b6a831c399e269772661
b 92eb5ffee6ae2fec3ad71c777531578f
c 4a8a08f09d37b73795649038408b5f33
… …
aa 4124bc0a9335c27f086f24ba207a4912
ab 187ef4436122d1cc2f40dc2b92f0eba0
ac e2075474294983e013ee4dd2201c7a73
… …
zzzzzzzzzzzzzzzzzz 0d057201bcd27c92eaa9efc6a9ce08f0
Hashes and Salting
Place a "salt" in the code.
$salt = 's3kr3t';
$password = md5($_POST['password'] . $salt);
If the user chooses "password123", the string that actually gets hashed
becomes "password123s3kr3t", which is much more complex.
$query = "select id from user where password = '$password' and
user = '$user'";
Hashes and Salting
Store the hash of the password and a unique salt:
// $salt is this user's own salt, read from that user's row
$password = md5($_POST['password'] . $salt);
$user = $_POST['user'];
$query = "select id from user where password = '$password' and
userName = '$user'";
ID UserName Password Salt
1 cypherTXT cf5712b00855500691cff0e4b0566c68 bawex
2 fred 482c811da5d5b4bc6d497ffa98491e38 msefz
3 david_TN f145a55e591e1c6ed235ce456a5166f7 juftv
4 sallyW e2c29e21e004f9e71ef9db780884ede1 irqhj
5 agent_007 81d3ebd158986fbdd6bd47177312c026 coowo
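The three storage schemes from these slides side by side, as an added Python example that is not part of the deck (the deck's code is PHP, where password_hash() and password_verify() give the same result as the last two functions here). The tiny PRECOMPUTED dict is a constructed stand-in for a rainbow table; note that once a per-user salt is in play the stored digests must differ from the unsalted ones, which the slide's table does not reflect.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a rainbow table: unsalted MD5 of a few common passwords.
COMMON_PASSWORDS = ["password123", "omgPonies!", "1337h4x0r", "l3m0ns"]
PRECOMPUTED = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def md5_hex(text: str) -> str:
    """Unsalted MD5, as on the 'store the hash instead of the plain text' slide."""
    return hashlib.md5(text.encode()).hexdigest()


def reverse_by_lookup(stored_hash: str) -> Optional[str]:
    """Why an unsalted fast hash is not really one-way in practice: a leaked digest of a
    common password is recovered with a single table lookup."""
    return PRECOMPUTED.get(stored_hash)


def legacy_salted_md5(password: str, salt: str) -> str:
    """The deck's md5(password . salt). A per-user salt defeats precomputed tables,
    but MD5 is still far too fast to resist guessing against one stolen row."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.
    A fresh 16-byte random salt per call means two users with the same password
    get different records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```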
SQL injection
$password = $_POST['password'];
$id = $_SESSION['id'];
$query = "update user set password =
'$password' where id = $id";
SQL injection
// assume $password = 'secret_password';
// assume $id = 7;
$query = "update user set password = '$password'
where id = $id";
Sent to the database:
update user set
password = 'secret_password'
where id = 7
SQL injection
// assume $password = 'secret_password'--';
// assume $id = 7;
$query = "update user set password = '$password'
where id = $id";
Sent to the database:
update user set
password = 'secret_password'
--' where id = 7
SQL injection
// wrong solution: hand-rolled escaping of single quotes
$password = str_replace("'", "\\'", $password);
$query = "update user set password =
'$password' where id = $id";
Depending on web server encoding and
database encoding, you may still be vulnerable.
SQL injection
// correct solution: use prepared statements
$query = "update user set password = ?
where id = ?";
$stmt = $dbh->prepare($query);
$stmt->bindParam(1, $password);
$stmt->bindParam(2, $id);
$stmt->execute(); // the values travel separately from the SQL text
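The deck's update statement run both ways against an in-memory copy of its user table, as an added Python example that is not part of the deck (sqlite3 here, PDO in the PHP original). The unsafe version shows what the commented-out where clause actually does to the table; the parameterised version stores the same input as a literal string.

```python
import sqlite3

# Constructed copy of the deck's user table (ids and names from the slides).
USERS = [(1, "cypherTXT"), (2, "fred"), (3, "david_TN"), (4, "sallyW"), (5, "agent_007")]


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("create table user (id integer primary key, userName text, password text)")
    db.executemany("insert into user values (?, ?, 'old')", USERS)
    return db


def update_password_unsafe(db: sqlite3.Connection, password: str, user_id: int) -> str:
    """Slide 27: the value is spliced into the SQL text, so a quote in it ends the literal
    and everything after it is parsed as SQL. Returns the statement that was executed."""
    query = f"update user set password = '{password}' where id = {user_id}"
    db.execute(query)
    return query


def update_password_safe(db: sqlite3.Connection, password: str, user_id: int) -> None:
    """Slide 31: prepared statement. The driver sends the SQL and the values separately,
    so the value can never change the statement's structure."""
    db.execute("update user set password = ? where id = ?", (password, user_id))


def passwords(db: sqlite3.Connection) -> dict:
    """Current password column, keyed by id, for inspecting the effect of each update."""
    return {uid: pw for uid, pw in db.execute("select id, password from user order by id")}
```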
Command injection
function safe_query($query){
$database = "ABC_DB";
$username = 'IDEF42';
$password = 'JKLM873';
$destination = "localhost";
// connect (the mysql_* functions shown here were removed in PHP 7; mysqli or PDO replace them)
mysql_connect($destination, $username, $password) or die("Unable to connect to database: " . mysql_error());
// choose database
mysql_select_db($database) or die("Unable to select database [$database]: " . mysql_error());
// submit query
$result = mysql_query($query) or die("Unable to modify database [$database]: " . mysql_error());
return $result;
}
Command injection
function safe_query($query){
shell_exec("echo $query >> record_queries.txt "); // logs every query by handing it to a shell
$database = "ABC_DB";
$username = 'IDEF42';
$password = 'JKLM873';
$destination = "localhost";
// connect
mysql_connect($destination, $username, $password) or die("Unable to connect to database: " . mysql_error());
// choose database
mysql_select_db($database) or die("Unable to select database [$database]: " . mysql_error());
// submit query
$result = mysql_query($query) or die("Unable to modify database [$database]: " . mysql_error());
return $result;
}
Command injection
Assume $query:
select * from article where id = 7; cp /backup/*.tgz .;
function safe_query($query){
shell_exec("echo $query >> record_queries.txt ");
…blah, blah, blah…
return $result;
}
Command injection
Another interesting option:
Assume $query:
select * from article where id = 7; rm -rf /;
function safe_query($query){
shell_exec("echo $query >> record_queries.txt ");
…blah, blah, blah…
return $result;
}
Command injection
Solution to preventing command injection:
DON’T ALLOW SHELL ACCESS IN YOUR CODE
DON’T ALLOW SHELL ACCESS IN YOUR CODE
DON’T ALLOW SHELL ACCESS IN YOUR CODE
DON’T ALLOW SHELL ACCESS IN YOUR CODE
DON’T ALLOW SHELL ACCESS IN YOUR CODE
DON’T ALLOW SHELL ACCESS IN YOUR CODE
Command injection
If you're going to do it anyway, use escapeshellcmd().
$code_that_will_get_me_fired = escapeshellcmd($query);
shell_exec("echo $code_that_will_get_me_fired >> record_queries.txt ");
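The two fixes these slides call for, as an added Python example that is not part of the deck: first the no-shell version, then the "if you must" version built with shlex.quote, the Python counterpart of PHP's escapeshellarg(). Note that escapeshellarg(), not escapeshellcmd(), is the right PHP call when the query is a single argument to echo: escapeshellcmd() escapes metacharacters in a whole command line but leaves spaces alone, so extra arguments can still be smuggled in. INJECTED_QUERY is the deck's own sample input.

```python
import shlex
import subprocess
import tempfile
import os

# The deck's sample "query" with a trailing shell command glued on.
INJECTED_QUERY = "select * from article where id = 7; cp /backup/*.tgz .;"


def temp_log_path() -> str:
    """Throwaway log file location for the demo."""
    return os.path.join(tempfile.mkdtemp(), "record_queries.txt")


def log_query_no_shell(query: str, log_path: str) -> int:
    """Preferred fix: append with ordinary file I/O. No shell is involved, so ';', '|',
    '`' and '$' in the query are just characters. Returns the line count of the log."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(query + "\n")
    return len(read_log(log_path))


def read_log(log_path: str) -> list:
    with open(log_path, encoding="utf-8") as log:
        return log.read().splitlines()


def shell_log_command(query: str, log_path: str) -> str:
    """Fallback if a shell really is required: quote the data so the whole query is one
    literal argument to echo. shlex.quote wraps it in single quotes and escapes any
    embedded single quote, which is exactly what PHP's escapeshellarg() does."""
    return f"echo {shlex.quote(query)} >> {shlex.quote(log_path)}"


def shell_words(command: str) -> list:
    """How a POSIX shell tokenises the command; the quoted query must come back as ONE word."""
    return shlex.split(command)


def run_shell_log(query: str, log_path: str) -> None:
    """Executes the quoted command through /bin/sh (needs a POSIX shell to be present)."""
    subprocess.run(shell_log_command(query, log_path), shell=True, check=True)
```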
File upload attack
Users can upload images (.jpg, .gif, .bmp, etc).
File upload attack
Make sure users can't upload .php, .pl, .asp, etc.
files.
Use a whitelist, rather than a blacklist, to enforce
this control.
The upload directory shouldn't have any
execute permissions.
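A whitelist-based upload check of the kind these slides ask for, as an added Python example that is not part of the deck. It accepts only the image extensions the slides list (plus png), rejects names with a second dot so that something like name.php.jpg never reaches a server that evaluates multiple extensions, confirms the file's leading bytes match the claimed type, and writes the file without an execute bit; disabling script execution for the upload directory is still done in the web server configuration, which this code cannot do for you.

```python
import os
import re
import tempfile

# Allowed extension -> magic bytes a genuine file of that type starts with.
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_upload(filename: str, content: bytes):
    """Returns (accepted, reason). Every check is a positive requirement, so anything
    not explicitly listed is refused; no blacklist of dangerous extensions to maintain."""
    base = os.path.basename(filename)          # strip any directory components
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "no extension"
    ext = ext.lower()                          # .PHP and .JPG compare case-insensitively
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension .{ext} is not whitelisted"
    if not SAFE_STEM.fullmatch(stem):
        return False, "name may only contain [A-Za-z0-9_-] (a second dot is refused)"
    if not any(content.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        return False, "content does not match the claimed image type"
    return True, "ok"


def temp_upload_dir() -> str:
    return tempfile.mkdtemp()


def store_upload(upload_dir: str, filename: str, content: bytes) -> str:
    """Validate, then write with mode 0644: readable, never executable. Returns the path."""
    accepted, reason = validate_upload(filename, content)
    if not accepted:
        raise ValueError(reason)
    path = os.path.join(upload_dir, os.path.basename(filename).lower())
    with open(path, "wb") as out:
        out.write(content)
    os.chmod(path, 0o644)
    return path


def is_executable(path: str) -> bool:
    return bool(os.stat(path).st_mode & 0o111)
```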

Más contenido relacionado

La actualidad más candente

주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Emil Bay "Password Hashing"
Emil Bay "Password Hashing"Emil Bay "Password Hashing"
Emil Bay "Password Hashing"Fwdays
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses  - DefCamp 2012Top Ten Web Defenses  - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012DefCamp
 
Cryptography for the mere mortals
Cryptography for the mere mortalsCryptography for the mere mortals
Cryptography for the mere mortalsM A Hossain Tonu
 
Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Damien Seguy
 
WordPress Cuztom Helper
WordPress Cuztom HelperWordPress Cuztom Helper
WordPress Cuztom Helperslicejack
 
JWT - To authentication and beyond!
JWT - To authentication and beyond!JWT - To authentication and beyond!
JWT - To authentication and beyond!Luís Cobucci
 
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014Cliff Seal
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Colin O'Dell
 
Mysqlnd Async Ipc2008
Mysqlnd Async Ipc2008Mysqlnd Async Ipc2008
Mysqlnd Async Ipc2008Ulf Wendel
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Remy Sharp
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Balázs Tatár
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVCAlive Kuo
 

La actualidad más candente (20)

주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Nubilus Perl
Nubilus PerlNubilus Perl
Nubilus Perl
 
Emil Bay "Password Hashing"
Emil Bay "Password Hashing"Emil Bay "Password Hashing"
Emil Bay "Password Hashing"
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses  - DefCamp 2012Top Ten Web Defenses  - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012
 
Cryptography for the mere mortals
Cryptography for the mere mortalsCryptography for the mere mortals
Cryptography for the mere mortals
 
DNSSEC FIRST
DNSSEC FIRSTDNSSEC FIRST
DNSSEC FIRST
 
Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)
 
Living with garbage
Living with garbageLiving with garbage
Living with garbage
 
Insertcustomer
InsertcustomerInsertcustomer
Insertcustomer
 
WordPress Cuztom Helper
WordPress Cuztom HelperWordPress Cuztom Helper
WordPress Cuztom Helper
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
JWT - To authentication and beyond!
JWT - To authentication and beyond!JWT - To authentication and beyond!
JWT - To authentication and beyond!
 
Solr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene EuroconSolr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene Eurocon
 
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016
 
Mysqlnd Async Ipc2008
Mysqlnd Async Ipc2008Mysqlnd Async Ipc2008
Mysqlnd Async Ipc2008
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019
 
Cod
CodCod
Cod
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC
 

Destacado

Destacado (6)

Togaf v9-m2-togaf9-components
Togaf v9-m2-togaf9-componentsTogaf v9-m2-togaf9-components
Togaf v9-m2-togaf9-components
 
Unit testing
Unit testingUnit testing
Unit testing
 
Agile development
Agile developmentAgile development
Agile development
 
Togaf v9-m3-intro-adm
Togaf v9-m3-intro-admTogaf v9-m3-intro-adm
Togaf v9-m3-intro-adm
 
Quatorze juillet
Quatorze juilletQuatorze juillet
Quatorze juillet
 
Scan
ScanScan
Scan
 

Similar a Web security

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?ConFoo
 
Preventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StancePreventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StanceSara Goodison
 
Third Party Auth in WebObjects
Third Party Auth in WebObjectsThird Party Auth in WebObjects
Third Party Auth in WebObjectsWO Community
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebookguoqing75
 
Facebook的缓存系统
Facebook的缓存系统Facebook的缓存系统
Facebook的缓存系统yiditushe
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinTobias Zander
 
Service discovery and configuration provisioning
Service discovery and configuration provisioningService discovery and configuration provisioning
Service discovery and configuration provisioningSource Ministry
 
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuCryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuHasin Hayder
 

Similar a Web security (20)

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?
 
Preventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StancePreventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security Stance
 
Third Party Auth in WebObjects
Third Party Auth in WebObjectsThird Party Auth in WebObjects
Third Party Auth in WebObjects
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook
 
Facebook的缓存系统
Facebook的缓存系统Facebook的缓存系统
Facebook的缓存系统
 
veracruz
veracruzveracruz
veracruz
 
veracruz
veracruzveracruz
veracruz
 
veracruz
veracruzveracruz
veracruz
 
veracruz
veracruzveracruz
veracruz
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in Berlin
 
Service discovery and configuration provisioning
Service discovery and configuration provisioningService discovery and configuration provisioning
Service discovery and configuration provisioning
 
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuCryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
 

Último

On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Shubhangi Sonawane
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIShubhangi Sonawane
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfChris Hunter
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 

Último (20)

On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 

Web security

  • 2. Hashing and Encryption • Types of hashes: – md5 (generally considered compromised) – SHA-1, SHA-2, SHA-3 – LANMAN (definitely compromised)
  • 3. Hashing and Encryption • Hash of "hello Memphis PHP meetup group!": – a52cc137d1f59dc9265c59751cd3e624 • Hash of "1": – c4ca4238a0b923820dcc509a6f75849b • Hash of "10": – d3d9446802a44259755d38e6d163e820
  • 4. Hashing and Encryption Properties of hashes: can be used to identify changes to data. are considered one-way: md5("my_string_here"); //exists unmd5("535f8bd2e548ffed92027c53d5a24b56"); //doesn't exist
  • 5. Hashing and Encryption Encryption is reversible. Encryption requires a key to decrypt. Symmetric versus asymmetric key cryptography. Symmetric would work like: $key = 'secret'; $msg = encrypt("hidden message", $key); echo decrypt($msg, $key);
  • 6. Hashing and Encryption The problem: How do you get the key to someone over the internet without some 12-year old hacker reading it?
  • 7. Hashing and Encryption Asymmetric would work like: $encrypt_key = 'key_123'; $decrypt_key = 'key_456'; $msg = encrypt(“hidden message”, $encrypt_key); echo decrypt($msg, $decrypt_key);
  • 8. Hashing and Encryption Asymmetric would be like: The point to remember, is that this will produce gibberish: echo decrypt($msg, $encrypt_key);
  • 9. Hashing and Encryption In public key cryptography, there exist two keys: - a public key - a private key One is used for encryption, the other is used for decryption. The whole reason this stuff works is because I can encrypt a message with a public key, but it can only be decrypted with a private key.
  • 10. Hashing and Encryption Small problem: Asymmetric cryptography is slow.
  • 11. Hashing and Encryption Small problem: Asymmetric cryptography is slow. Solution: Use asymmetric cryptography to share a symmetric key. Then use symmetric cryptography.
  • 14. HTTPS User Amazon server Send connection request on port 443 Send public key
  • 15. HTTPS User Amazon server Send connection request on port 443 Send public key The browser generates a symmetric key, encrypts it with Amazon's public key and sends it to Amazon.
  • 16. HTTPS User Amazon server Send connection request on port 443 Send public key The browser generates a symmetric key, encrypts it with Amazon's public key and sends it to Amazon. Amazon decrypts symmetric key with Amazon's private key and sends response encrypted with symmetric key.
  • 17.
  • 18. Hashes and Salting Remember hashes? They work like one-way encryption. $string = '1'; echo md5($string); //outputs 4ca4238a0b923820dcc509a6f75849b
  • 19. Hashes and Salting We can use this for validating passwords.
  • 20. Hashes and Salting The plain-text problem: $password = $_POST['password']; $user = $_POST['user']; $query = "select id from user where password = '$password' and userName = '$user'"; ID UserName Password 1 cypherTXT l3m0ns 2 fred password123 3 david_TN m3mph!$ 4 sallyW omgPonies! 5 agent_007 1337h4x0r
  • 21. Hashes and Salting Store the hash of the password instead of the plain-text: $password = md5($_POST['password']); $user = $_POST['user']; $query = "select id from user where password = '$password' and userName = '$user'"; ID UserName Password 1 cypherTXT cf5712b00855500691cff0e4b0566c68 2 fred 482c811da5d5b4bc6d497ffa98491e38 3 david_TN f145a55e591e1c6ed235ce456a5166f7 4 sallyW e2c29e21e004f9e71ef9db780884ede1 5 agent_007 81d3ebd158986fbdd6bd47177312c026
  • 22. Hashes and Salting Rainbow tables plain text hash a 0cc175b9c0f1b6a831c399e269772661 b 92eb5ffee6ae2fec3ad71c777531578f c 4a8a08f09d37b73795649038408b5f33 … … aa 4124bc0a9335c27f086f24ba207a4912 ab 187ef4436122d1cc2f40dc2b92f0eba0 ac e2075474294983e013ee4dd2201c7a73 … … zzzzzzzzzzzzzzzzzz 0d057201bcd27c92eaa9efc6a9ce08f0
  • 23. Hashes and Salting Rainbow tables plain text hash a 0cc175b9c0f1b6a831c399e269772661 b 92eb5ffee6ae2fec3ad71c777531578f c 4a8a08f09d37b73795649038408b5f33 … … aa 4124bc0a9335c27f086f24ba207a4912 ab 187ef4436122d1cc2f40dc2b92f0eba0 ac e2075474294983e013ee4dd2201c7a73 … … zzzzzzzzzzzzzzzzzz 0d057201bcd27c92eaa9efc6a9ce08f0
• 24. Hashes and Salting
Place a "salt" in the code.
  $salt = 's3kr3t';
  $password = md5($_POST['password'] . $salt);
If the user uses "password123", the value hashed becomes "password123s3kr3t", which no precomputed table contains.
  $query = "select id from user where password = '$password' and user = '$user'";
A single salt shared by every user (often called a pepper) only goes this far: two users with the same password still get the same hash, and once the value leaks along with the source code the attacker can rebuild the table with it appended.
• 25. Hashes and Salting
Store the hash of the password and a unique salt:
  $password = md5($_POST['password'] . $salt);
  $user = $_POST['user'];
  $query = "select id from user where password = '$password' and userName = '$user'";

  ID  UserName   Password                          Salt
  1   cypherTXT  cf5712b00855500691cff0e4b0566c68  bawex
  2   fred       482c811da5d5b4bc6d497ffa98491e38  msefz
  3   david_TN   f145a55e591e1c6ed235ce456a5166f7  juftv
  4   sallyW     e2c29e21e004f9e71ef9db780884ede1  irqhj
  5   agent_007  81d3ebd158986fbdd6bd47177312c026  coowo
Because the salt differs per user, the login has to fetch the user's row by name first and then hash the submitted password with that row's salt; the single query above cannot do both at once. (The hash column repeats the values from slide 21 for illustration; with the salts appended the real values would differ.) The salt need not be secret, only random and unique: a precomputed table would now have to be built per user. The remaining weakness is md5's speed; in PHP, password_hash() and password_verify() use a deliberately slow algorithm (bcrypt) and handle the salt for you.
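Slide 25's per-user salt in working form, as an added Python example rather than the deck's PHP. The user table is an in-memory dict constructed here, md5 is replaced by PBKDF2-HMAC-SHA256 from the standard library (the iteration count is an assumed tuning value, lowered from OWASP's recommended 600,000 so the example runs quickly), and the login function shows the salt lookup that the slide's single query leaves out.

```python
import hashlib
import hmac
import secrets

# Stand-in for the user table on the slide: userName -> (salt, hash).
# Constructed for this example; a real application keeps it in the database.
USER_TABLE = {}

# Work factor for PBKDF2-HMAC-SHA256. Assumed tuning value: OWASP's current
# recommendation is 600,000; lowered here so the example runs in a moment.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash in place of the slide's md5($password . $salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(user_name: str, password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)  # random and unique per user, not secret
    USER_TABLE[user_name] = (salt, hash_password(password, salt))


def login(user_name: str, password: str) -> bool:
    """Fetch the salt by user name first, then hash and compare.
    The slide's single SELECT cannot work this way because it hashes before
    it knows which salt belongs to the user."""
    record = USER_TABLE.get(user_name)
    if record is None:
        # Do the same work for unknown users so timing does not reveal valid names.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = record
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def stored_hash_hex(user_name: str) -> str:
    return USER_TABLE[user_name][1].hex()


if __name__ == "__main__":
    register("fred", "password123")
    register("sallyW", "password123")
    print(stored_hash_hex("fred") != stored_hash_hex("sallyW"))  # same password, different hashes
    print(login("fred", "password123"), login("fred", "Password123"))
```

hmac.compare_digest() is used instead of == so the comparison takes the same time whether the first byte or the last byte differs; the dummy hash for unknown users serves the same purpose at the user-name level.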
• 27. SQL injection
  $password = $_POST['password'];
  $id = $_SESSION['id'];
  $query = "update user set password = '$password' where id = $id";
• 28. SQL injection
  // assume $password = 'secret_password';
  // assume $id = 7;
  $query = "update user set password = '$password' where id = $id";
Sent to the database:
  update user set password = 'secret_password' where id = 7
• 29. SQL injection
  // assume $password = "secret_password'--";   (the attacker's input: a quote, then a SQL comment marker)
  // assume $id = 7;
  $query = "update user set password = '$password' where id = $id";
Sent to the database:
  update user set password = 'secret_password'--' where id = 7
Everything after -- is a comment, so the WHERE clause disappears and the password of every user is set to secret_password.
• 30. SQL injection
  //wrong solution: escape the quote by hand
  $password = str_replace("'", "\\'", $password);
  $query = "update user set password = '$password' where id = $id";
Depending on web server encoding and database encoding, you may still be vulnerable: with a multibyte charset such as GBK, a crafted lead byte followed by the inserted backslash can form a single two-byte character, leaving the quote unescaped. Hand escaping is also easy to forget at one of many query sites.
• 31. SQL injection
  //correct solution: Use prepared statements
  $query = "update user set password = ? where id = ?";
  $stmt = $dbh->prepare($query);          // $dbh is a PDO connection
  $stmt->bindParam(1, $password);
  $stmt->bindParam(2, $id, PDO::PARAM_INT);
  $stmt->execute();
The SQL text and the values travel to the database separately, so a quote or -- inside $password is stored as data and never parsed as SQL.
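Slides 27 to 31 run end to end against SQLite, as an added Python example (not the deck's PHP). The table and its two rows are constructed for the example; the payload is the same quote-and-comment trick as slide 29, applied once to the string-built query and once to the parameterised one.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table in the shape of the slides' user table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (id integer primary key, userName text, password text)")
    db.executemany(
        "insert into user (id, userName, password) values (?, ?, ?)",
        [(7, "fred", "fred_old_pw"), (8, "sallyW", "sally_old_pw")],
    )
    db.commit()
    return db


def update_password_vulnerable(db: sqlite3.Connection, password: str, user_id: int) -> None:
    # Slide 27: the submitted value is pasted into the SQL text.
    query = f"update user set password = '{password}' where id = {user_id}"
    db.execute(query)
    db.commit()


def update_password_safe(db: sqlite3.Connection, password: str, user_id: int) -> None:
    # Slide 31: placeholders; the driver sends SQL and values separately.
    db.execute("update user set password = ? where id = ?", (password, user_id))
    db.commit()


def passwords(db: sqlite3.Connection) -> dict:
    return {uid: pw for uid, pw in db.execute("select id, password from user order by id")}


# Slide 29's input: the quote closes the string literal and -- comments out
# the rest of the statement, including the WHERE clause.
PAYLOAD = "pwned'--"


def demo() -> tuple:
    """Returns the table contents after each version processes the payload for id 7."""
    vuln = make_db()
    update_password_vulnerable(vuln, PAYLOAD, 7)
    safe = make_db()
    update_password_safe(safe, PAYLOAD, 7)
    return passwords(vuln), passwords(safe)


if __name__ == "__main__":
    after_vuln, after_safe = demo()
    print("vulnerable:", after_vuln)  # every row now has password 'pwned'
    print("safe:      ", after_safe)  # only id 7 changed, to the literal string pwned'--
```

The safe version stores the odd-looking value pwned'-- exactly as typed: that is correct behaviour, since the quote and the dashes are just characters in a password once they can no longer reach the SQL parser.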
• 33. Command injection
  function safe_query($query){
      $database = "ABC_DB";
      $username = 'IDEF42';
      $password = 'JKLM873';
      $destination = "localhost";
      //connect
      mysql_connect($destination, $username, $password)
          or die("Unable to connect to database: " . mysql_error());
      //choose database
      mysql_select_db($database)
          or die("Unable to select database [$database]: " . mysql_error());
      //submit query
      $result = mysql_query($query)
          or die("Unable to modify database [$database]: " . mysql_error());
      return $result;
  }
(The mysql_* functions were removed in PHP 7; current code uses PDO or mysqli with prepared statements. "safe" here refers only to the connection handling: the function runs whatever SQL it is handed.)
• 34. Command injection
  function safe_query($query){
      shell_exec("echo $query >> record_queries.txt");
      $database = "ABC_DB";
      $username = 'IDEF42';
      $password = 'JKLM873';
      $destination = "localhost";
      //connect
      mysql_connect($destination, $username, $password)
          or die("Unable to connect to database: " . mysql_error());
      //choose database
      mysql_select_db($database)
          or die("Unable to select database [$database]: " . mysql_error());
      //submit query
      $result = mysql_query($query)
          or die("Unable to modify database [$database]: " . mysql_error());
      return $result;
  }
The only change from slide 33 is the first line, which logs each query by handing it to a shell. That line is the injection point: $query is interpolated into a command line, not passed as data.
• 35. Command injection
Assume $query is:
  select * from article where id = 7; cp /backup/*.tgz .
  function safe_query($query){
      shell_exec("echo $query >> record_queries.txt");
      ...blah, blah, blah...
      return $result;
  }
The shell receives:
  echo select * from article where id = 7; cp /backup/*.tgz . >> record_queries.txt
The ';' ends the echo and starts a second command, so the backups are copied into the web directory before the query ever reaches the database.
• 37. Command injection
Another interesting option. Assume $query is:
  select * from article where id = 7; rm -rf /
  function safe_query($query){
      shell_exec("echo $query >> record_queries.txt");
      ...blah, blah, blah...
      return $result;
  }
This time the second command deletes everything the web server's user is allowed to delete.
  • 38. Command injection Solution to preventing command injection:
  • 39. Command injection Solution to preventing command injection: DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE
• 40. Command injection
If you're going to do it anyway, use escapeshellcmd().
  $code_that_will_get_me_fired = escapeshellcmd($query);
  shell_exec("echo $code_that_will_get_me_fired >> record_queries.txt");
Caveat: escapeshellcmd() is meant for a whole command string. For a single argument like this one, PHP's escapeshellarg() is the right call, because it wraps the value in single quotes so that ';', '>' and '|' lose their meaning. Better still, this particular task needs no shell at all: file_put_contents('record_queries.txt', $query . "\n", FILE_APPEND) appends the line directly.
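The shell_exec logging from slides 34 to 40, as an added Python example (not the deck's code) with three versions of the logger: the vulnerable interpolation, the escaped-argument version (shlex.quote() plays the role of PHP's escapeshellarg()) and a version with no shell at all. The payload is constructed to create a marker file rather than copy backups or delete the disk, and each run happens in a fresh temporary directory.

```python
import os
import shlex
import subprocess
import tempfile

LOG = "record_queries.txt"


def log_query_vulnerable(query: str, workdir: str) -> None:
    """Slide 34's shell_exec("echo $query >> record_queries.txt"): the query
    text is spliced straight into the shell command line."""
    subprocess.run(f"echo {query} >> {LOG}", shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, check=False)


def log_query_quoted(query: str, workdir: str) -> None:
    """Slide 40 done right: shlex.quote() (PHP: escapeshellarg()) turns the
    whole value into one single-quoted word, so ; > | and friends are literal."""
    subprocess.run(f"echo {shlex.quote(query)} >> {LOG}", shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, check=False)


def log_query_no_shell(query: str, workdir: str) -> None:
    """Slide 39's advice: appending a line to a file needs no shell at all."""
    with open(os.path.join(workdir, LOG), "a", encoding="utf-8") as f:
        f.write(query + "\n")


# Constructed payload: a harmless stand-in for the slides' "cp /backup/*.tgz ."
# and "rm -rf /". If the shell sees the ';', a marker file appears.
PAYLOAD = "select * from article where id = 7; echo INJECTED > injected.txt"


def run(logger) -> tuple:
    """Runs one logger on PAYLOAD in a fresh temp dir.
    Returns (marker file created?, what ended up in the log)."""
    with tempfile.TemporaryDirectory() as workdir:
        logger(PAYLOAD, workdir)
        injected = os.path.exists(os.path.join(workdir, "injected.txt"))
        with open(os.path.join(workdir, LOG), encoding="utf-8") as f:
            logged = f.read().strip()
    return injected, logged


if __name__ == "__main__":
    for fn in (log_query_vulnerable, log_query_quoted, log_query_no_shell):
        print(fn.__name__, run(fn))
```

In the vulnerable run the marker file appears and the log does not even contain the query, because the '>> record_queries.txt' redirection now belongs to the attacker's second command rather than to the echo. The other two runs log the payload verbatim and create nothing.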
• 41. File upload attack
Users can upload images (.jpg, .gif, .bmp, etc).
• 42. File upload attack
Make sure users can't upload .php, .pl, .asp, etc. files. Use a whitelist (allowlist) of permitted extensions rather than a blacklist to enforce this control, and check that the file content really is the image type its extension claims. Store the file under a name the server generates, not the one the client sent. The upload directory shouldn't have any execute permissions, and the web server should be configured not to run scripts from it (or it should sit outside the web root altogether).
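An upload check for slide 42, as an added Python example (not the deck's code). The magic-number table covers the image types named on slide 41 and is an assumption made here; the server-chosen file name and the 0o640 mode are design choices of this example, not anything the slides specify.

```python
import os
import secrets

# Allowlist: extension -> leading bytes ("magic numbers") the content must start with.
# Assumed table for this example; extend it per format you actually accept.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}


def validate_upload(client_name: str, content: bytes) -> str:
    """Returns a safe server-side file name, or raises ValueError.
    Allowlist the extension, confirm the bytes look like that format,
    then throw the client's name away entirely."""
    base = os.path.basename(client_name)  # drop any path the client sent
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:  # allowlist, not a blocklist of .php/.pl/.asp
        raise ValueError(f"extension .{ext} not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Random name chosen by the server: no double extensions, no path tricks,
    # nothing the attacker controls ends up on disk.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_name: str, content: bytes) -> bool:
    try:
        validate_upload(client_name, content)
        return True
    except ValueError:
        return False


def save_upload(client_name: str, content: bytes, upload_dir: str) -> str:
    """Writes an accepted upload with no execute bit; upload_dir should be
    outside the web root or served with script execution disabled."""
    path = os.path.join(upload_dir, validate_upload(client_name, content))
    with open(path, "wb") as f:
        f.write(content)
    os.chmod(path, 0o640)
    return path


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # constructed JPEG-like header
    php = b"<?php system($_GET['c']); ?>"               # constructed web shell text
    print(is_accepted("cat.jpg", jpeg), is_accepted("shell.php", php),
          is_accepted("shell.jpg", php), is_accepted("shell.jpg.php", jpeg))
```

The content check matters because a web shell renamed to .jpg sails through an extension-only check; the server-generated name matters because some servers pick the handler from any extension in the name, so shell.php.jpg would otherwise still be a risk on disk.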