
Web Application Security

I'm not a security expert. I'm not even a web developer.

Furthermore, these slides are not very meaningful without the talk to accompany them. But, enjoy!

ERRATA 1: Cal Evans pointed out that the StackOverflow answer I quoted isn't quite right. It claims that if you convert all < characters to &lt; then you're safe. But some older browsers are vulnerable to a crazy UTF-7 XSS attack that can succeed even when < is escaped. Newer browsers do not have this bug.

ERRATA 2: Markdown doesn't strip out or escape HTML tags by itself. Some Markdown libraries support a special "safe mode" that does this.

Jason Orendorff

February 12, 2013

Transcript

  1–3. What is security? A system is secure if attackers can’t exploit it to make bad stuff happen. Tuesday, February 12, 13
  4–8, 10. Security risks
     • denial of service
     • loss of control of servers
     • data loss
     • theft of goods or services by attackers
     • attackers obtaining secret information (personal user info, passwords, credit card numbers, etc.)
     • attackers impersonating users
  9, 11. Business risks
     • immediate financial loss (fraud, theft, lost productivity)
     • unhappy customers
     • damage to reputation
     • contractual trouble (service-level agreements)
     • regulatory trouble (privacy & auditing requirements)
  12–16.
     • Do you have a list of all the servers you’re running?
     • Do you know what third-party software is running on them?
     • If that software had a critical update, would you know?
     • Do you have a plan for updating that software?
     • Would the answer still be yes even if a key employee quit tomorrow?
  17–18. 4 Direct object reference attacks – mitigated
     • Who are you? (authentication)
     • Are you allowed here? (authorization)
  19–20. 3 Broken authentication – examples
     • Passwords sent in the clear
     • Passwords stored in the clear
     • Session IDs exposed
  21. 1 Injection attacks – illustrated
     $sql = "SELECT id FROM users WHERE " + "username = '" + $username + "' " + "AND password = '" + $password + "'";
  22. 1 Injection attacks – illustrated
     SELECT id FROM users WHERE username = 'jason' AND password = 'Laurel'
  23–24. 1 Injection attacks – illustrated
     SELECT id FROM users WHERE username = 'ben'--' AND password = 'whatever'
  25. 1 Injection attacks – mitigated
     • Use ORM
     • Use positional parameters
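The string-built login query from slides 21–24 next to the positional-parameter mitigation from slide 25, as an added example (not code from the talk), in Python with SQLite and a constructed two-row users table. The plaintext passwords are part of the slide's illustration, not a recommendation (see slides 19–20).

```python
import sqlite3

# Constructed sample data for the demo: two users with the slide's credentials.
USERS = [(1, "jason", "Laurel"), (2, "ben", "whatever")]


def make_db():
    """Build an in-memory users table so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def login_concat(db, username, password):
    """Slide 21's pattern: user input is spliced into the SQL text itself.
    A username of ben'-- turns the rest of the WHERE clause into a comment,
    so the password is never checked (slides 23-24)."""
    sql = ("SELECT id FROM users WHERE "
           + "username = '" + username + "' "
           + "AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_param(db, username, password):
    """Slide 25's mitigation: positional parameters. The driver sends the
    input as data, so a quote or -- in it can never change the query."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("concat, real credentials :", login_concat(db, "jason", "Laurel"))
    print("concat, ben'-- / wrong pw:", login_concat(db, "ben'--", "wrong"))
    print("params, ben'-- / wrong pw:", login_param(db, "ben'--", "wrong"))
```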
  26–31. (one row added per slide)
     1 Injection                            Use third-party ORM
     2 Cross-site scripting                 Use third-party templates/formatting
     3 Broken authentication                Use third-party authentication
     4 Insecure direct object references    Use third-party authorization
     5 Cross-site request forgery (CSRF)    Use third-party form validation