Web Security 101 - Ruby Fun Day 2014

Transcript

1. None

2. Francesco (frodsan) [email protected]

3. Web Security 101

4. Passwords

5. How not to!

6. #1 Just store it!

7. None
8. None
9. None
10. None

11. #2 Encryption

12. None
13. None
14. None
15. None
16. None
17. None
18. None
19. None

20. Encryption is reversible

21. DES 3DES AES

22. #3 Hashing

23. Hashing is irreversible

24. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

25. hash(?) “e10adc3949ba59abbe56e057f20f883e”

26. Hashing is deterministic

27. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

28. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mupassword”) “b11d7ccaee763e5840f9d906e0bf2edf”

29. None
30. None
31. None

32. Hashing is deterministic

33. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

34. thelonelyones.heroku.com/passwords.csv
 thelonelyones.heroku.com/login Exercise

35. Lookup tables

36. None

37. Adobe Security Breach (2013) 38 million active users
 passwords, credit

    card information

38. http://xkcd.com/1286/

39. MD5
 SHA1 SHA2

40. ✓ Hashing + Salting

41. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

42. hash(“mypassword”, salt)

43. hash(“mypassword”, e8ed4834c7dd0…) “21b9558e8920bddb04949c068181c…”

44. hash(“mypassword”, e8ed4834c7dd0…) “21b9558e8920bddb04949c068181c…
 
 hash(“mypassword”, 1bc1fa3bc1d5d85…)
 e92a46f76d413ce73ab5796756bc92…

45. 1976 - crypt(3)

46. GPU
 FPGA

47. PBKDF2
 Bcrypt Scrypt

48. PBKDF2 (armor, pbkdf2)
 Bcrypt (bcrypt) Scrypt (scrypt)

49. How to do it

50. ʕ•ᴥ•ʔ ! • Don’t do it (leave it to GitHub,

    Google, etc.) • If you must do it, use pbkdf2 or bcrypt or scrypt. • Keep password length between 8 and 50. • Nothing can save you easy to guess passwords.

51. Cross Site Scripting - XSS

52. 1993

53. <HTML/>

54. <html> ! </html>

55. <html> <b>Web Security 101</b> </html>

56. None

57. </>?

58. Escaping

59. <html> <b>Angle brackets: &gt; &lt;</b> </html>

60. None

61. 1995

62. JavaScript

63. <html> ! </html>

64. <html> <script>
 </script> </html>

65. <html> <script> var message = "Web Security 101"; ! alert(message);

    </script> </html>
66. None

67. <html> <script> var message = "<b>Web Security 101</b>"; ! document.write(message);

    </script> </html>
68. None

69. JavaScript == DANGER

70. None

71. “Samy is my hero” (2005) • XSS attack propagated by

    Myspace profiles. ! • Over one million affected users within the first 20 hours. ! • 3 years without computer.

72. How to do it

73. Escaping

74. UNSAFE = /[&"'><\/]/ ! HTML_ESCAPE = { "&" => "&amp;",

    ">" => "&gt;", "<" => "&lt;", '"' => "&quot;", "'" => "&#x27;", "/" => "&#x2F;" } ! string.gsub(UNSAFE, HTML_ESCAPE)

75. UNSAFE = /[&"'><\/]/ ! HTML_ESCAPE = { "&" => "&amp;",

    ">" => "&gt;", "<" => "&lt;", '"' => "&quot;", "'" => "&#x27;", "/" => "&#x2F;" } ! string.gsub(UNSAFE, HTML_ESCAPE)

76. github.com/frodsan/hache

77. References

78. • OWASP Top 10:
 https://www.owasp.org
 
 • Adobe 10GB database

    passwords leak:
 http://bit.ly/188ctZL
 • MySpace XSS vulnerability:
 http://bit.ly/1urMIbG
 • Tweetdeck XSS vulnerability:
 http://bit.ly/1urMGAy


79. thanks ʕ•ᴥ•ʔ