Web Application Security

Transcript

1. Tuesday, February 12, 13

2. Web Application Security Nashville PHP User Group, 12 February 2013

   Jason Orendorff Tuesday, February 12, 13

3. Tuesday, February 12, 13

4. Top four 2 Tuesday, February 12, 13

5. How I think about security Top four 1 2 Tuesday,

   February 12, 13

6. What is security? Tuesday, February 12, 13

7. A system is secure if What is security? Tuesday, February

   12, 13

8. attackers can’t exploit it to make bad stuff happen. A

   system is secure if What is security? Tuesday, February 12, 13

9. Tuesday, February 12, 13

10. Tuesday, February 12, 13

11. Tuesday, February 12, 13

12. Tuesday, February 12, 13

13. Tuesday, February 12, 13

14. features Tuesday, February 12, 13

15. features security Tuesday, February 12, 13

16. Tuesday, February 12, 13

17. A system is secure if attackers can’t exploit it to

    make bad stuff happen. Tuesday, February 12, 13

18. A system is secure if attackers can’t exploit it to

    make bad stuff happen. Tuesday, February 12, 13

19. (exercise) Tuesday, February 12, 13

20. Security risks Tuesday, February 12, 13

21. • denial of service Security risks Tuesday, February 12, 13

22. • denial of service • loss of control of servers

    Security risks Tuesday, February 12, 13

23. • denial of service • loss of control of servers

    • data loss Security risks Tuesday, February 12, 13

24. • denial of service • loss of control of servers

    • data loss • theft of goods or services by attackers Security risks Tuesday, February 12, 13

25. • denial of service • loss of control of servers

    • data loss • theft of goods or services by attackers • attackers obtaining secret information (personal user info, passwords, credit card numbers, etc.) Security risks Tuesday, February 12, 13

26. • denial of service • loss of control of servers

    • data loss • theft of goods or services by attackers • attackers obtaining secret information (personal user info, passwords, credit card numbers, etc.) • attackers impersonating users Security risks Tuesday, February 12, 13

27. • immediate financial loss (fraud, theft, lost productivity) • unhappy

    customers • damage to reputation • contractual trouble (service-level agreements) • regulatory trouble (privacy & auditing requirements) Business risks Tuesday, February 12, 13

28. • denial of service • loss of control of servers

    • data loss • theft of goods or services by attackers • attackers obtaining secret information (personal user info, passwords, credit card numbers, etc.) • attackers impersonating users Security risks Tuesday, February 12, 13

29. • immediate financial loss (fraud, theft, lost productivity) • unhappy

    customers • damage to reputation • contractual trouble (service-level agreements) • regulatory trouble (privacy & auditing requirements) Business risks Tuesday, February 12, 13

30. • Slide body Photo by Pliketi Plok: flickr.com/photos/colinica Tuesday, February

    12, 13

31. • Slide body Slide title Photo by Pliketi Plok: flickr.com/photos/colinica

    Tuesday, February 12, 13

32. Tuesday, February 12, 13

33. • Do you have a list of all the servers

    you’re running? Tuesday, February 12, 13

34. • Do you have a list of all the servers

    you’re running? • Do you know what third-party software is running on them? Tuesday, February 12, 13

35. • Do you have a list of all the servers

    you’re running? • Do you know what third-party software is running on them? • If that software had a critical update, would you know? Tuesday, February 12, 13

36. • Do you have a list of all the servers

    you’re running? • Do you know what third-party software is running on them? • If that software had a critical update, would you know? • Do you have a plan for updating that software? Tuesday, February 12, 13

37. • Do you have a list of all the servers

    you’re running? • Do you know what third-party software is running on them? • If that software had a critical update, would you know? • Do you have a plan for updating that software? • Would the answer still be yes even if a key employee quit tomorrow? Tuesday, February 12, 13

38. Tuesday, February 12, 13

39. Tuesday, February 12, 13

40. Tuesday, February 12, 13

41. The web is not secure by default. Tuesday, February 12,

    13

42. Top four Tuesday, February 12, 13

43. 4 Tuesday, February 12, 13

44. 4 Insecure direct object references Tuesday, February 12, 13

45. 4 Direct object reference attacks – illustrated Tuesday, February 12,

    13

46. 4 Direct object reference attacks – illustrated front page Tuesday,

    February 12, 13

47. 4 Direct object reference attacks – mitigated Who are you?

    (authentication) Tuesday, February 12, 13

48. 4 Direct object reference attacks – mitigated Are you allowed

    here? (authorization) Tuesday, February 12, 13

49. 3 Tuesday, February 12, 13

50. 3 Broken authentication & session management Tuesday, February 12, 13

51. 3 Broken authentication – examples Tuesday, February 12, 13

52. 3 Broken authentication – examples • Passwords sent in the

    clear Tuesday, February 12, 13

53. 3 Broken authentication – examples • Passwords sent in the

    clear • Passwords stored in the clear Tuesday, February 12, 13

54. 3 Broken authentication – examples • Passwords sent in the

    clear • Passwords stored in the clear • Session IDs exposed Tuesday, February 12, 13

55. 1 Broken authentication – mitigated Tuesday, February 12, 13

56. 1 Broken authentication – mitigated ...or don’t have passwords Tuesday,

    February 12, 13

57. 2 Tuesday, February 12, 13

58. 2 Cross-site scripting Tuesday, February 12, 13

59. 2 Cross-site scripting – illustrated Web server Database User’s browser

    Attacker Tuesday, February 12, 13

60. 2 Cross-site scripting – illustrated Web server Database User’s browser

    Attacker Tuesday, February 12, 13

61. 2 Cross-site scripting – illustrated Web server Database User’s browser

    Attacker Tuesday, February 12, 13

62. 2 Cross-site scripting – illustrated Web server Database User’s browser

    Attacker Tuesday, February 12, 13

63. 2 Cross-site scripting – illustrated Web server Database User’s browser

    Attacker Tuesday, February 12, 13

64. 2 Cross-site scripting – illustrated Web server Database User’s browser

    Attacker Tuesday, February 12, 13

65. 2 Cross-site scripting – illustrated Web server Database User’s browser

    Attacker Other server Tuesday, February 12, 13

66. 2 Cross-site scripting – mitigated badly <?= preg_replace("/<script/", "", $comment)

    ?> Tuesday, February 12, 13

67. 2 Cross-site scripting – mitigated badly <?= preg_replace("/<\s*script/", "", $comment)

    ?> Tuesday, February 12, 13

68. 2 Cross-site scripting – mitigated badly <?= preg_replace("/<\s*script/i", "", $comment)

    ?> Tuesday, February 12, 13

69. 2 Cross-site scripting – mitigated badly Tuesday, February 12, 13

70. 2 Cross-site scripting – mitigated badly Tuesday, February 12, 13

71. 2 Cross-site scripting – mitigated Tuesday, February 12, 13

72. 2 Cross-site scripting – mitigated • Use Twig. Tuesday, February

    12, 13

73. 2 Cross-site scripting – mitigated • Use Twig. • Use

    Markdown. Tuesday, February 12, 13

74. 1 Tuesday, February 12, 13

75. 1 Injection Tuesday, February 12, 13

76. 1 Injection attacks – illustrated $sql = "SELECT id FROM

    users WHERE " + "username = '" + $username + "' " + "AND password = '" + $password + "'"; Tuesday, February 12, 13

77. 1 Injection attacks – illustrated SELECT id FROM users WHERE

    username = 'jason' AND password = 'Laurel' Tuesday, February 12, 13

78. 1 Injection attacks – illustrated SELECT id FROM users WHERE

    username = 'ben'--' AND password = 'whatever' Tuesday, February 12, 13

79. 1 Injection attacks – illustrated SELECT id FROM users WHERE

    username = 'ben'--' AND password = 'whatever' Tuesday, February 12, 13

80. 1 Injection attacks – illustrated Tuesday, February 12, 13

81. 1 Injection attacks – mitigated Tuesday, February 12, 13

82. 1 Injection attacks – mitigated • Use ORM Tuesday, February

    12, 13

83. 1 Injection attacks – mitigated • Use ORM • Use

    positional parameters Tuesday, February 12, 13

84. Injection Cross-site Scripting 1 2 Broken Authentication Insecure Direct Object

    References 3 4 Tuesday, February 12, 13

85. Injection Cross-site Scripting 1 2 Broken Authentication Insecure Direct Object

    References 3 4 Use third-party ORM Tuesday, February 12, 13

86. Injection Cross-site Scripting 1 2 Broken Authentication Insecure Direct Object

    References 3 4 Use third-party templates/formatting Use third-party ORM Tuesday, February 12, 13

87. Injection Cross-site Scripting 1 2 Broken Authentication Insecure Direct Object

    References 3 4 Use third-party authentication Use third-party templates/formatting Use third-party ORM Tuesday, February 12, 13

88. Injection Cross-site Scripting 1 2 Broken Authentication Insecure Direct Object

    References 3 4 Use third-party authentication Use third-party templates/formatting Use third-party ORM Use third-party authorization Tuesday, February 12, 13

89. 5 Bonus round! Tuesday, February 12, 13

90. 5 Cross-site request forgery Bonus round! Tuesday, February 12, 13

91. Injection Cross-site scripting 1 2 Broken authentication Insecure direct object

    references 3 4 Use third-party authentication Use third-party templates/formatting Use third-party ORM Use third-party authorization Cross-site request forgery (CSRF) 5 Tuesday, February 12, 13

92. Injection Cross-site scripting 1 2 Broken authentication Insecure direct object

    references 3 4 Use third-party authentication Use third-party templates/formatting Use third-party ORM Use third-party authorization Cross-site request forgery (CSRF) 5 Use third-party form validation Tuesday, February 12, 13

93. Please, make a plan to keep your servers patched. Thanks.

    Tuesday, February 12, 13