SLIDE 1 Basic housekeeping
Plugging obvious security holes in web sites.
Christian Heilmann, Paris Web, Paris, October 2009
SLIDE 2
SLIDE 3
SLIDE 4
A few things to remember about basic web security.
SLIDE 5 A bit of pimping...
Managing the security of your web applications (Room 1). Presented by: Sébastien Pauchet (WS Interactive), Frank Taillandier (Académie de Toulouse)
a.k.a. Dirty Tricks with @DirtyF
SLIDE 6
The most annoying thing is that the dangers on the web are underestimated.
SLIDE 7
SLIDE 8
Reasons for attacks:
Spam injection. Identity theft. Data mining. Botnet / Zombies / DOS
SLIDE 9
A lot of clever terms are used in security. SQL injection XSS CSRF ClickJacking Phishing
SLIDE 10
In the end, a lot is about keeping your web products clean.
SLIDE 11
This very much starts on the server side.
SLIDE 12
Think about your folders.
SLIDE 13
SLIDE 14
SLIDE 15
SLIDE 16
SLIDE 17
Telling the world too much.
SLIDE 18
You don’t want the admin folders of your app to be indexed by Google Search Engines.
SLIDE 19
Your system might tell more about your site than you are aware of.
SLIDE 20
Error messages are only needed in production - on live servers they can tell more than you want to.
SLIDE 21
Keep your server setup secure.
SLIDE 22 http://yoursite.com/index.php?admin=true
http://phpsec.org/projects/phpsecinfo/
SLIDE 23 http://phpsec.org/projects/phpsecinfo/
SLIDE 24 Basic server measures:
Turn off folder browsing. Stop bot indexing (robots.txt). Secure your setup. Turn off error messaging. Disallow remote file inclusion. Delete old and orphan files.
SLIDE 25
The next danger is blindly relying on software.
SLIDE 26
Predefined backdoors and passwords.
SLIDE 27
admin/admin admin/password default/default user/user preset/preset builtin/builtin
SLIDE 28
Plugins
SLIDE 29 Basic software measures:
Change every password. Check for presets. RTFM. Keep plugins up-to-date. Check for security holes. Don't trust "easy setup". Upgrade.
SLIDE 30
Front end security issues.
SLIDE 31
This is not hard.
Don’t trust any user data. HTML is not a database. JavaScript is not a secure data container. Do not rely on JavaScript.
SLIDE 32
Frontend is public.
If you comment, comment on the backend, do not "comment out" functionality.
SLIDE 33 Frontend is insecure.
Anything in the frontend is executed and can be used to steal all your cookies.
(frames, images, scripts, links...)
SLIDE 34 http://us2.php.net/manual/en/book.filter.php
Filtering
SLIDE 35
Whitelisting
SLIDE 36
Clickjacking.
SLIDE 37
SLIDE 38 Basic frontend measures:
Break frames. Filter inputs. Whitelist inputs. Avoid hacks (expression()). Avoid URL assembling.
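The three frontend measures above (break frames, filter inputs, whitelist inputs) in one request handler, as an added example that is not from the slides; it uses the PHP filter extension the deck links to, and the parameter names `page`, `count` and `email` are hypothetical:

```php
<?php
// Added example: server-side filtering and whitelisting with the PHP filter
// extension, plus a frame-breaking header. The parameters page, count and
// email are hypothetical, not from the original slides.

// "Break frames": tell browsers not to render this page inside a frame.
header('X-Frame-Options: DENY');

// Whitelist: only these page names are ever accepted; nothing else is used
// to build a file path or a URL ("avoid URL assembling").
$allowedPages = array('home', 'about', 'contact');

function validatedPage($input, array $allowed) {
    // Strict comparison so values like "0" or true cannot match an entry.
    return in_array($input, $allowed, true) ? $input : 'home';
}

function validatedCount($input) {
    // FILTER_VALIDATE_INT returns false for anything that is not a whole
    // number inside the given range, so "200abc" or "-1" never get through.
    $options = array('options' => array('min_range' => 1, 'max_range' => 50));
    $count = filter_var($input, FILTER_VALIDATE_INT, $options);
    return ($count === false) ? 10 : $count;
}

function validatedEmail($input) {
    // Returns the address or null; nothing unvalidated reaches mailer or DB.
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return ($email === false) ? null : $email;
}

$page  = validatedPage(isset($_GET['page']) ? $_GET['page'] : '', $allowedPages);
$count = validatedCount(isset($_GET['count']) ? $_GET['count'] : '');
$email = validatedEmail(isset($_POST['email']) ? $_POST['email'] : '');

// Filter on the way in, escape on the way out: never echo raw user data.
echo '<p>Page: ' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8') . '</p>';
echo '<p>Showing ' . (int) $count . ' items</p>';
if ($email !== null) {
    echo '<p>Contact: ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Anything that fails validation falls back to a safe default rather than being "cleaned up" and reused, which is the difference between whitelisting and blacklisting.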
SLIDE 39
Our users
SLIDE 40
Social engineering.
SLIDE 41
SocEng basics:
Show authority. Create fake need of urgency. Take over responsibility.
SLIDE 42
Conditioning helps. :-(
SLIDE 44
Social networks
SLIDE 45
SLIDE 46
SLIDE 47
SLIDE 48
Step 1: Log in yourself
SLIDE 49
Step 2: Get list of followers
SLIDE 50
SLIDE 51
Step 3: Set the trap
SLIDE 52
http://twitter.com/statuses/user_timeline/codepo8.xml?count=200
SLIDE 53
SLIDE 54
Step 4: Lure his followers
SLIDE 56
Predictability
SLIDE 57 Basic people measures:
Don't allow for auto log-in. Share security responsibility with the users. Avoid stressful interfaces. Be very open about your communication.
SLIDE 58
Bot attacks.
SLIDE 59 http://caca.zoy.org/wiki/PWNtcha
Captchas to the rescue?
SLIDE 60 Bot attack measures.
Honeypotting. Timed interfaces. Cookie check / Crumbing. Spike detection. OpenID / third party logins.
SLIDE 61
Nothing beats being up-to-date!
SLIDE 62
SLIDE 65
You learn a lot from logs.
SLIDE 66
SLIDE 67
No strength in numbers.
SLIDE 68
Check your posts.
SLIDE 69
And query terms.
SLIDE 70
Some not-so sci-fi ideas...
SLIDE 71
Guest passes.
SLIDE 73
OpenID
SLIDE 74
Caja/ADsafe
SLIDE 75
Caja limits and secures web standards.
SLIDE 76 ★ Custom attributes ★ Custom tags ★ Unclosed tags ★ <embed> ★ <iframe> ★ <link rel=‘… ★ javascript:void(0) ★ Radio buttons in IE ★ Relative URLs
Caja vs. “HTML”
SLIDE 77 ★ eval() ★ new Function() ★ Strings as event handlers (node.onclick = '...';) ★ Names ending with double / triple underscores ★ with function (with (obj) { ... }) ★ Implicit global variables (specify var variable) ★ Calling a method as a function ★ document.write ★ window.event ★ .onclick ★ OpenSocial gadgets.io.makeRequest return JS
Caja vs “JavaScript”
SLIDE 78 ★ * hacks ★ _ hacks ★ IE conditionals ★ Insert-after clear fix ★ expression() ★ @import ★ Background images in IE
Caja vs “CSS”
SLIDE 79
Throwaway logins.
SLIDE 80
New challenges.
SLIDE 81
Social Network aRacks
SLIDE 82
The mobile web.
SLIDE 83
Camera access.
SLIDE 84
Location based services.
SLIDE 85
Biometric recognition.
SLIDE 86
Right now things are not safe.
SLIDE 87
But you can help making the web safer.
SLIDE 88
Keep it clean, keep it up-to-date and be alert.
SLIDE 89 Christian Heilmann http://wait-till-i.com http://developer-evangelism.com http://twitter.com/codepo8
MERCI!