Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security Never, ever, trust user inputs Supankar.

Published byRamiro Patchin Modified over 10 years ago

Similar presentations

Presentation on theme: "Web Security Never, ever, trust user inputs Supankar."— Presentation transcript:

1 Web Security Never, ever, trust user inputs Supankar

2 What is Security?

3

4 why does security needs? Haha! Yes I know it. Its really a funny topic!!

5

6 Is it call security?

7 Security why? To prevent stealing important data To secure Personal Data / Credentials Compromising Access Privilege No Data Loss

8 Common Threats Cross-Site Scripting (XSS) Session Hijack Click Jacking Cross-site request forgery (XSRF) SQL Injection

9 Never, ever, trust user inputs

10 Input Validation Always use server side validation as client side (javascript) validation can easily be bypassed Use white-listed values Use built-in escape functions Validate for correct data types, like numbers

11 example supankar

12 Input Validation (Cont..) Dont expect the return value from selections, radio buttons or check boxes of a form to be the ones you mentioned. So, always revalidate. Example: Male Female

13 Input Validation (Cont..) insert userinfo (gender) values($_POST[gender]) Garbage Male Female

14 Input Validation (Cont..) Defensive Programming: $gender=m; If ($_POST[gender]==f) $gender=f;

15 PHP: Some Bad Features Register Globals Consider the following code - if ($password == "my_password") { $authorized = 1; } if ($authorized == 1) { echo "Lots of important stuff."; } test.php?authorized=1 will produce Lots of important stuff. To disable register_globals using.htaccess file – php_flag register_globals 0 To disable register_globals using php.ini – register_globals = Off Magic Quotes

16 PHP harmful functions eval("shell_exec(\"rm -rf {$_SERVER['DOCUMENT_ROOT']}\");"); ini_set()ini_set(), exec(),fopen(), popen(), passthru(), rea dfile(), file(), shell_exec(), system(),etc…exec()fopen()popen()passthru()rea dfile()file()shell_exec()system()

17 SQL Injection Most common and most destructive security hazard Lets see the common way to check username and password entered into a form – $check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'"); If we enter the following in the username input box and submit - ' OR 1=1 # The query that is going to be executed will now look like this – SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = '' As you can see, this query will return all the users from the database and as generally first user on a user table is the admin, the hacker will easily gain admin privilege.

18 SQL Injection - Preventing Sanitize Properly User Prepared Statements Use mysql_real_escape_string() Turn on magic_quote_gpc with Caution

19 Error/warring Message

20 File Manipulation Some sites currently running on the web today have URLs that look like this: index.php?page=contactus.html The user can very easily change the "contactus.html" bit to anything they like. For example, index.php?page=.htpasswd By changing the URL, on some systems, to reference a file on another server, they could even run PHP that they have written on your site. When users download a file from your server, if the file name depends on user input, he can easily manipulate it to download system files by giving inputs like –../../../etc/passwd

21 IndexIgnore.htaccess */.??* *~ *# */HEADER* */README* */_vti* ini_set('display_errors', 1); ini_set('log_errors', 1); ini_set('error_log', dirname(__FILE__). '/error_log.txt'); error_reporting(E_ALL);

22 JavaScript!!! A creative innovation. Giving the user more control over the browser Detecting the user's browser, OS, screen size, etc. Performing simple computations on the client side Validating the user's input Handling dates and time Generating HTML pages on-the-fly without accessing the Web server.

23 Cross-Site Scripting (XSS) It allows attackers to add keyloggers, tracking scripts or porn banners on your site, or just stop your site working altogether. It can also used for cookie hijacking so that a real user can be faked. Always use htmlentities() function to output user- generated texts. Limit the character set that can used for a particular text type Disallow HTML input if possible. If that is not an option, only allow limited HTML tags

24 I am not Sleeping…….

25 Yes, I am, because it is boring..

26 Lets have some fun…

27 Fun… Go to supankar.wordpress.com http://technotip.com/269/moving-image- javascript-small-fun-application/Develop

28 XSS – Preventing Sanitize User input properly Check Character Encoding Double check before printing GET values from URL

29 MVC? Is it secure?

30 Cross-site request forgery (XSRF) Using users logged in session to manipulate http://example.com/admin/delete/post/1

31 Cross-site request forgery (XSRF) cont.. User A has a post with ID 112

32 Cross-site request forgery (XSRF) cont.. User B Posted on his blog No Effect for User B

33 Cross-site request forgery (XSRF) cont.. User A visits User Bs blog Deletes User As post with ID 112

34 XSRF Prevention Use POST Check for the presence of some sort of valid submission

35 I have more important tasks please leave me now…

36 Ok, Ok, Just Summery Use common sense Always check user input No direct user input at sql query Disable the error/warring messages at the production time Always try to use defensive programming technique Update your scripts to the latest versions

37 Suggestions Read security related news and updates o http://www.owasp.org/ o http://shiflett.org/ o http://www.securityfocus.com/

38 Toooo much, Supankar!! STOP NOW!!

39 <?php echo Question; ?>

40 An ounce of prevention is worth a pound of cure -> Benjamin Franklin Thanks

Download ppt "Web Security Never, ever, trust user inputs Supankar."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)

PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
PHP Security.

PHP Security.

Similar presentations

Ads by Google