Presentation is loading. Please wait.

Presentation is loading. Please wait.

UKUUG Linux 2008 Introduction to Web Application Security Flaws Jake Edge LWN.net URL for slides:

Published byRosemary Davidson Modified over 8 years ago

Similar presentations

Presentation on theme: "UKUUG Linux 2008 Introduction to Web Application Security Flaws Jake Edge LWN.net URL for slides:"— Presentation transcript:

1 UKUUG Linux 2008 Introduction to Web Application Security Flaws Jake Edge LWN.net jake@lwn.net URL for slides: http://lwn.net/talks/ukuug2008

2 UKUUG Linux 2008 Overview ● Brief introduction to HTTP ● Cross-site scripting (XSS) ● Cross-site request forgery (XSRF) ● SQL injection ● Authentication bypass ● Session Hijacking ● Conclusion and Questions

3 UKUUG Linux 2008 Theme.... ● Web application security flaws are often caused by: – Trusting and/or not validating user input ● Anything that comes from users or can be controlled by them is suspect: URLs, form data, cookie values, etc.

4 UKUUG Linux 2008... and sub-theme ● Developers often assume, incorrectly, that input to their web applications always comes from browsers – It is trivial to generate HTTP from programs – Javascript validation is only useful as a help to the user. It does not provide any server-side protection

5 UKUUG Linux 2008 HTTP – the web protocol ● Browser sends HTTP requests and then displays the results (generally HTML/image) ● Very simple protocol, with a few commands: – HEAD – get the headers and dates for the page – GET – get the html (or image or...), parameters are part of URL (.../foo?id=4&page=3) – POST – encodes form parameters into the request which goes to a specific program named in FORM – There are more, these are the most common

6 UKUUG Linux 2008 HTTP Example [jake@ouzel ~]$ telnet lwn.net 80... GET /talks/ukuug2008/ HTTP/1.1 Host: lwn.net HTTP/1.1 200 OK Date: Mon, 03 Nov 2008 01:49:22 GMT Server: Apache Last-Modified: Mon, 03 Nov 2008 01:24:32 GMT ETag: "b08004-318-45abecf1e5400" Accept-Ranges: bytes Content-Length: 792 Connection: close Content-Type: text/html UKUUG Linux 2008...

7 UKUUG Linux 2008 HTML Forms ● These are the standard web forms that we fill in all the time: ● The parameters (name, password) will get encoded and submitted as a POST

8 UKUUG Linux 2008 GET vs. POST ● HTTP GET requests are not meant to change the state of the application – Classic example: http://somehost.com/delete?id=4http://somehost.com/delete?id=4 ● State changes should be done through POST (i.e. forms) ● This is important to protect against trivial XSRF as well as innocent mistakes like the above

9 UKUUG Linux 2008 Sessions ● HTTP is a stateless protocol ● Sessions are established to track users through a web application ● A session ID is generated and typically stored in a browser cookie ● Cookies are associated with a particular URL and sent each time a request is made

10 UKUUG Linux 2008 Cross-site scripting (XSS) ● Comes from echoing user input back to browser without properly handling HTML elements ● Common mistake is to put user input into error message: Unknown input alert(“XSS”) ● Attacker controls Javascript sent by your app ● Can be used to send cookie or other sensitive information to attacker-controlled sites

11 UKUUG Linux 2008 Avoiding XSS ● The main defense is to filter all user input before sending it back to the browser ● In particular, it is recommended that these characters: ( ) & # be filtered – < > ( &#41 & # are substitutes – Usually the language has a function to call to do that for you: htmlentities(), cgi.escape(), etc.

12 UKUUG Linux 2008 Cross-site request forgery (XSRF) ● User follows a link (from email, irc,...) that quietly causes some action on a different site ● For GETs that change the state, the page could have an – Cookies get helpfully sent along by browser ● An iframe or other scheme to create a FORM and submit it to BankURL/form, cookies too ● Multiple vulnerable sites can be tried to find one where the user has an active cookie

13 UKUUG Linux 2008 Avoiding XSRF ● Do not use state-changing GETs ● For forms, add a randomly named hidden field with a random value, associate those with a session and check them on FORM submission ● If app is susceptible to XSS, the random name/values can be extracted from forms ● For extremely sensitive operations (changing password, others), require re-authentication

14 UKUUG Linux 2008 SQL injection ● Abuses SQL queries with crafted data from form variables: SELECT id FROM users WHERE name='$name' AND pass='$pass' if $pass is: ' OR 1=1 -- query becomes: SELECT id FROM users WHERE name='$name' AND pass='' OR 1=1 --' ● SQL injections can be used to retrieve entire database contents ● They can also be used to delete the data

15 UKUUG Linux 2008 Avoiding SQL injection ● Easiest method is to use placeholders in query: db_call(“SELECT id FROM users WHERE name=? AND pass=?”, $name, $pass) ● If database API does not allow that, use db ‑ specific quote filter on user input: db_quote($name) db_quote($pass) ● Depending on DBMS, stored procedures can also prevent SQL injection

16 UKUUG Linux 2008 Authentication bypass ● A variety of techniques to circumvent the username/password of a web app ● For apps that check pathnames, aliasing can be a problem. Ex: /path/foo vs. /path//foo ● When links to certain pages are only presented post- login, some believe this effectively protects them, but it is easy to guess/know the path

17 UKUUG Linux 2008 Avoiding authentication bypass ● App must be coded such that each privileged page checks auth status whenever accessed – There are too many ways to get to the same page with different looking URLs ● Attackers can sign up for app or in some other way determine the paths – “Hidden” paths are security through obscurity ● If separate program is used to perform the privileged operation, it must also check auth

18 UKUUG Linux 2008 Session Hijacking ● Essentially an authentication bypass ● Attacker somehow gets access to the session ID via a cookie, SQL injection, or other means ● While that session is valid, attacker can act as the real authenticated user

19 UKUUG Linux 2008 Avoiding Session Hijacking ● There is a window in time while the session is valid. Shorter sessions mean less exposure. ● Sessions can be restricted based on IP, but that is vulnerable to spoofing or ISP IP changes ● Sensitive operations should require re ‑ authentication

20 UKUUG Linux 2008 Additional threats ● Remote file include – provides a means to retrieve and execute code from a remote server. PHP 4 particularly vulnerable. ● Denial of service – crashing the application or web server to interfere with normal functioning ● HTTP response splitting – unfiltered user input that ends up in the HTTP headers can lead to attacker content sent to browser ● Lots more – new types are found regularly

21 UKUUG Linux 2008 General web and app security ● All user input should be validated ● All unused services should be disabled ● There are Linux security tools that can assist in locking down web servers: – SELinux – AppArmor – SMACK, Tomoyo Linux, grsecurity, RSBAC, etc.

22 UKUUG Linux 2008 Theme and sub-theme ● Any input that can be controlled or influenced by a user (or attacker) must be validated carefully. Period. – Validation should use whitelists, not blacklists ● Browsers do not generate very much hostile traffic, programs do. Expect the unexpected. – Javascript validation is not sufficient

23 UKUUG Linux 2008 Where to get more information? ● A few links: http://lwn.net/talks/ukuug2008http://lwn.net/talks/ukuug2008 ● Open Web Application Security Project (OWASP): http://owasp.org http://owasp.org ● Wikipedia has good descriptions of vulnerabilities

24 UKUUG Linux 2008 Questions?

Download ppt "UKUUG Linux 2008 Introduction to Web Application Security Flaws Jake Edge LWN.net URL for slides:"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.

Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Similar presentations

Ads by Google