security oriented feedback on high traffic web site
play

Security oriented feedback on high traffic web site Bruno Michel - PowerPoint PPT Presentation

Feb 21, 2023 •244 likes •560 views

LinuxFr.org Security oriented feedback on high traffic web site Bruno Michel nono@linuxfr.org Benot Sibaud oumph@linuxfr.org Webmasters 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  1. LinuxFr.org Security oriented feedback on high traffic web site Bruno Michel – nono@linuxfr.org Benoît Sibaud – oumph@linuxfr.org Webmasters 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  2. LinuxFr.org French speaking news website about free software 11 years old website, with benevolent team high traffic web site (14M visits/year, 37000 accounts, 4000 active accounts, pagerank 7) news reused by other medias stores personal data (email, lastname/forname, sessions IP, passwords, etc.) many users have IT skills 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  3. LinuxFr.org 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  4. LinuxFr.org (see LSM 2008 “10 years of LinuxFr.org” for details...) 1998: first LinuxFr.org (LAMP) 2000-2002: daCode CMS (PHP3/4, GPL) used (was used by x.org) 2002-now: templeet framework (PHP4/5, GPL) + our templates in templeet+javascript 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  5. This talk About: ● LinuxFr.org from a security point of view ● gives a lot of experience in the security area ● security problems disclosure ● no security by obscurity Not about: ● non security related software/hardware failures ● legal aspects (libel, hate speech, etc.) ● lamers filtering (captcha, karma system, multiple accounts detection, etc.) or content (pre/post)moderation 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  6. Security info leak: not so secret session with 2 cookies md5 and unique_id unique_id 32 randomized alphanum char md5 md5sum(concat(SECRET, unique_id)) = session id Compare user md5 cookie & server md5sum Each user: several sessions, can close each session md5 used to protect from random generator prediction 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  7. Security info leak: not so secret Failure: SECRET was a MD5.txt file, in the DOCUMENT_ROOT Effect: useless md5 cookie Exploit: indexed by webcrawlers, available with something like 'site:linuxfr.org MD5.txt' Fix: generate a new MD5.txt, outside DOCUMENT_ROOT, purge sessions 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  8. Social Engineering 2 ingredients A rumor than closing accounts doesn't work Curious users Alternative version: A 'click here' link (or more evil, 'do not click here') (closing account is not purging account, but you need an admin to get your account back) 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  9. Social Engineering Effect: several users closed their accounts Exploit: a simple comment with a link Fix: Inform users Added a confirmation on that page 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  10. Social engineering/XSS: board worm A chat via web (the LinuxFr.org board ) Free space, where many links are posted (and clicked) Sort of playground http://badguy.invalid/davirusboard/ [ 16:25:22 ] user4 – What a great link [url] [ 16:25:13 ] user3 – Huh, what the f*ck? [ 16:25:03 ] user3 – What a great link [url] [ 16:24:17 ] user2 – What a great link [url] [ 16:23:48 ] user1 – What a great link [url] 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  11. Social engineering/XSS: board worm Failure: automatic form submit on load + no confirmation on user action + user cookies Effect: unwanted post on the daCode board Exploit: <html> <head><title>DaVirusBoard</title></head> <body onload="document.form.submit()" > <form name="form" method="post" action="http://linuxfr.org/board/add.php3" > <input type="hidden" name="message" value="What a great link. http://badguy.invalid/davirusboard/" > </form> </body> </html> 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  12. Social engineering/XSS: board worm Fix (10/2002): check REFERER only HTTP POST ask confirmation for sensitive actions (news moderation, admin functions, account deletions...) full code check (unique token for each form... not implemented) 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  13. XSS on daCode news.php3 User input in news submission was filtered to a subset of HTML tags. But is this enough? 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  14. XSS on daCode news.php3 Failure: users can inject javascript in the src or data attribute (<img>, <object>, ...) Effect: XSS can be used to steal sessions and to gain privileges Fix (09/2002): + $table['body'] = preg_replace('/(src|data)([\s])?=(["\'\s])?javascript:/i','', $table['body']); 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  15. XSS again on the cuthtml function The cuthtml function in templeet is used for cutting HTML texts... but also for cleaning it: ● makes HTML well-formed ● deletes not-allowed tags (like <iframe>) ● deletes not-allowed attributes But is this enough? 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  16. XSS again on the cuthtml function Failure: users can inject javascript in the href attribute of an <a> tag. Effect: XSS can be used to steal sessions and to gain privileges Fix (10/2005): - if (preg_match("/^[\"']?\s*javascript:/i",$value)) + $decodevalue = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec("\\1"))', $value); + $decodevalue = preg_replace('~&#([0-9]+);~e', 'chr(\\1)', $decodevalue); + + if (preg_match("/^[\"']?\s*(?:javascript|vbscript|mocha|livescript):/i", $decodevalue)) 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  17. XSS via USER_AGENT A chat via web (the board) [ 16:25:22 ] user4 – Huh? 16:23:48 [ 16:25:13 ] user3 – Oops my keyboard is blo [ 16:25:03 ] user3 – I've nothing to tell [ 16:24:17 ] user2 – LinuxFr.org is a great site [ 16:23:48 ] user1 – blabla [ 16:23:48 ] Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.20) Gecko/2008 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  18. XSS via USER_AGENT Failure: users can inject HTML (and javascript) via USER_AGENT Effect: XSS can be used to steal sessions and to gain privileges Fix: use htmlentities() to escape HTML for all user inputs (and addslashes() for SQL parts) 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  19. Personal data leak: CSRF Generated js/admin.js adds the user email in a <div> via document.write() Called in each page header Generated js/users_admininfo.js do the same thing with all user personal data Called in the user page 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  20. Personal data leak: CSRF Failure: Javascript Cross-Site Request Forgeries Direct access to some .js files and DOM reading to get info Effect: personal data leak 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  21. Personal data leak: CSRF Exploit: <div style="display:none;" > <div id="logindelete" ></div> <script src="https://linuxfr.org/js/admin.js" ></script> <script> display_authbox(); var matches = document.getElementById('login'). innerHTML.match(/>[^@<>]*@[^<>]*</); var email = matches[0].slice(1, -1); </script> </div> <p> Email: <script> document.write(email); </script></p> Fix (2008/07): email removed from admin.js and /js/users_admininfo.js => /js/users_admininfo,T3VtcGg=.js (salt) 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  22. Session hijacking: random generator The site was using daCode 1.4 CMS (and our webmasters were the daCode developpers) makerand() was used to generate session id, calling srand() with an int argument. 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  23. Session hijacking: random generator Failure: things went in PHP4. But in PHP3, if seed ≥ 2 31 , signedness problem, (half a day) the seed and the generated id were constant. Effect: half a day, you could easily guess one session. And due to session id uniqueness, only the first one could connect. Exploit: just forge a cookie half a day Fix (2002/10): stop using bogus PHP3 (!), handle signedness for srand() 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  24. Session hijacking: random generator (again) Two sites using daCode CMS. A user mistakenly copy its session cookie from the wrong site... and gets a valid session! (info coming from one of our users, thanks kadreg) How unlikely: sessionID = 20 alphanum char, about (26+26+10) 20 occurrences, ~7x10 35 2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp;

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp;

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &amp; Approaches Security: Challenges &amp; Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
MARKETING PRESENTATION ExploreGeorgia.org Highlights 82% of site traffic is first time

MARKETING PRESENTATION ExploreGeorgia.org Highlights 82% of site traffic is first time

2011 GEORGIA GOVERNORS TOURISM CONFERENCE MARKETING PRESENTATION ExploreGeorgia.org Highlights 82% of site traffic is first time visitors Site traffic this year is up by more than 20% To date for 2011, traffic has

752 views • 40 slides
Outline Feedback UML More UML and OOD Reading Chapter 2 2 1 Feedback

Outline Feedback UML More UML and OOD Reading Chapter 2 2 1 Feedback

CS1007: Object Oriented Design and Programming in Java Lecture #5 Jan 31 Shlomo Hershkop shlomo@cs.columbia.edu 1 Outline Feedback UML More UML and OOD Reading Chapter 2 2 1 Feedback If you feel that the pace

839 views • 31 slides
Security oriented codes: What we know and what we dont Osnat Keren Bar-Ilan University On

Security oriented codes: What we know and what we dont Osnat Keren Bar-Ilan University On

ENICS -Emerging Nanoscaled Integrated Circuits and Systems Labs Security oriented codes: What we know and what we dont Osnat Keren Bar-Ilan University On security oriented codes Outline Fault injection attacks &amp; HW countermeasures

878 views • 20 slides
TRAFFIC AND PARKING STUDIES 1 PARROTT DRIVE SHELTON, CT JUNE 4, 2020 TRAFFIC STUDY Review

TRAFFIC AND PARKING STUDIES 1 PARROTT DRIVE SHELTON, CT JUNE 4, 2020 TRAFFIC STUDY Review

TRAFFIC AND PARKING STUDIES 1 PARROTT DRIVE SHELTON, CT JUNE 4, 2020 TRAFFIC STUDY Review existing conditions Estimate future conditions Determine traffic impact Recommendations SITE LOCATION AND STUDY INTERSECTIONS FUTURE SITE

119 views • 10 slides
Security of Traffic Infrastructure RAJSHAKHAR PAUL Outline Introduction Anatomy of a Traffic

Security of Traffic Infrastructure RAJSHAKHAR PAUL Outline Introduction Anatomy of a Traffic

Green Lights Forever: Analyzing the Security of Traffic Infrastructure RAJSHAKHAR PAUL Outline Introduction Anatomy of a Traffic Infrastructure Case Study Threat Model Types of Attack Recommendation Broader Lesson Conclusion Outline

777 views • 36 slides
Pen enn Man anor r High h Sc School ol De Design n Upda date te Board Meeting November

Pen enn Man anor r High h Sc School ol De Design n Upda date te Board Meeting November

Pen enn Man anor r High h Sc School ol De Design n Upda date te Board Meeting November 6, 2017 Crabtree, Rohrbaugh &amp; Associates, Architects AGENDA Site Plan Floor Plans Exterior Questions? SITE PLAN Organized Traffic

705 views • 22 slides
The Traffic Monitoring Portal Site The Traffic Monitoring Portal Site Jungu Kang Jungu Kang

The Traffic Monitoring Portal Site The Traffic Monitoring Portal Site Jungu Kang Jungu Kang

The Traffic Monitoring Portal Site The Traffic Monitoring Portal Site Jungu Kang Jungu Kang jgkang@ certcc.or.kr jgkang@ certcc.or.kr KrCERT/CC KrCERT/CC KrCERT/CC, KISA Contents Contents I. Methodology to predict incidents II.

635 views • 14 slides
Outline Feedback Background CS1007: Object Oriented Design Arrays Scopes and

Outline Feedback Background CS1007: Object Oriented Design Arrays Scopes and

Outline Feedback Background CS1007: Object Oriented Design Arrays Scopes and Programming in Java Static Method Overloading Basic classes Constructors Lecture #3 Useful tools T 1/24 Exception

708 views • 14 slides
1 PARROTT DRIVE SHELTON, CT JUNE 4, 2020 TRAFFIC STUDY Review existing conditions

1 PARROTT DRIVE SHELTON, CT JUNE 4, 2020 TRAFFIC STUDY Review existing conditions

TRAFFIC AND PARKING STUDIES 1 PARROTT DRIVE SHELTON, CT JUNE 4, 2020 TRAFFIC STUDY Review existing conditions Estimate future conditions Determine traffic impact Recommendations SITE LOCATION AND STUDY INTERSECTIONS FUTURE SITE

95 views • 9 slides
Using a Volterra Feedback Model Maarten Schoukens, Fritjof Griesing Scheiwe Benchmarks Cascaded

Using a Volterra Feedback Model Maarten Schoukens, Fritjof Griesing Scheiwe Benchmarks Cascaded

Modeling Nonlinear Systems Using a Volterra Feedback Model Maarten Schoukens, Fritjof Griesing Scheiwe Benchmarks Cascaded Tanks Bouc-Wen Block-Oriented Modeling? Block-Oriented Modeling Block-Oriented Modeling Block-Oriented Modeling Pros

758 views • 29 slides
Work Site Traffic Management Practice Review Progress Update and Options for Changes to Current

Work Site Traffic Management Practice Review Progress Update and Options for Changes to Current

Work Site Traffic Management Practice Review Progress Update and Options for Changes to Current Practice Project Brief Review current work site traffic management practices in Queensland with a view to improving value for money and

421 views • 18 slides
Outline Feedback More UML and OOD Reading Chapter 2 Next Chapter 3 1

Outline Feedback More UML and OOD Reading Chapter 2 Next Chapter 3 1

CS1007: Object Oriented Design and Programming in Java Lecture #5 Sept 20 Shlomo Hershkop shlomo@cs.columbia.edu Outline Feedback More UML and OOD Reading Chapter 2 Next Chapter 3 1 Feedback Lots of UML

422 views • 24 slides
25 th April Traffic Group Update Dual Objectives To assess the impact on traffic for one or more

25 th April Traffic Group Update Dual Objectives To assess the impact on traffic for one or more

25 th April Traffic Group Update Dual Objectives To assess the impact on traffic for one or more of the site(s) selected for/by developers To assess a number of traffic management options that could be used in conjunction with

628 views • 34 slides
Middlemarsh High Risk Illegal Waste Site 590_11_SD15 Introduction Site operated by father and

Middlemarsh High Risk Illegal Waste Site 590_11_SD15 Introduction Site operated by father and

Keepers Paddock, Middlemarsh High Risk Illegal Waste Site 590_11_SD15 Introduction Site operated by father and son Site occupied for five years Small rural location, 10 miles from Dorchester on main A352 road to Sherborne Formally a stable

1.67k views • 31 slides
Neighborhood Traffic Mitigation Meeting #10 September 28, 2017 5:30 Welcome 5:40

Neighborhood Traffic Mitigation Meeting #10 September 28, 2017 5:30 Welcome 5:40

Neighborhood Traffic Mitigation Meeting #10 September 28, 2017 5:30 Welcome 5:40 Status of pilot 5:55 Overview of community feedback 6:15 Traffic study analysis 6:35 Committee discussion 7:10 East

177 views • 15 slides
SIMPLE My religion consists of a humble admiration of the About illimitable superior spirit who

SIMPLE My religion consists of a humble admiration of the About illimitable superior spirit who

SIMPLE My religion consists of a humble admiration of the About illimitable superior spirit who reveals himself in the company slight details we are able to perceive with our frail and feeble mind. Our Silence propagates itself, and the

2.09k views • 174 slides
The Judiciary Department of Political Science and Government Aarhus University October 9, 2014

The Judiciary Department of Political Science and Government Aarhus University October 9, 2014

Presidency (cont.) The Judiciary Preview of Next Time The Judiciary Department of Political Science and Government Aarhus University October 9, 2014 Presidency (cont.) The Judiciary Preview of Next Time Presidency (cont.) 1 2 The

537 views • 34 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
General status and plans of light readout system Clara Cuesta CIEMAT September 1 st , 2017 1

General status and plans of light readout system Clara Cuesta CIEMAT September 1 st , 2017 1

General status and plans of light readout system Clara Cuesta CIEMAT September 1 st , 2017 1 Light Readout System Status 1. Procurement of 40 8 Hamamatsu R5912-20mod PMTs (DONE) 2. Design, production and tests of the PMT bases (DONE) 3.

247 views • 9 slides
Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak Microelectronics Design Center, ETH Z urich 6 July 2012 My Goal To improve the quality of hardware evaluations for crypto algorithms. Microelectronics

798 views • 51 slides
At-Risk Afterschool Meals Workshop Child Nutrition Programs 405-521-3327 or CACFP@sde.ok.gov

At-Risk Afterschool Meals Workshop Child Nutrition Programs 405-521-3327 or CACFP@sde.ok.gov

At-Risk Afterschool Meals Workshop Child Nutrition Programs 405-521-3327 or CACFP@sde.ok.gov USDA Guidance At-Risk Afterschool Meals Guide Other Documents in CARS Resource Library on CACFP ATR = At-Risk Guide TM = CACFP

1.4k views • 110 slides
At-Risk Afterschool Meals Workshop Child Nutrition Programs 405-521-3327 or CACFP@sde.ok.gov

At-Risk Afterschool Meals Workshop Child Nutrition Programs 405-521-3327 or CACFP@sde.ok.gov

12/16/2020 At-Risk Afterschool Meals Workshop Child Nutrition Programs 405-521-3327 or CACFP@sde.ok.gov 1 USDA Guidance At-Risk Afterschool Meals Guide Other Documents in CARS Resource Library on CACFP ATR = At-Risk

589 views • 37 slides
Dynamic List Building Using Blaise Barbara S. Bibb &amp; Gilbert Rodriguez September 26 28,

Dynamic List Building Using Blaise Barbara S. Bibb &amp; Gilbert Rodriguez September 26 28,

Dynamic List Building Using Blaise Barbara S. Bibb &amp; Gilbert Rodriguez September 26 28, 2007 IBUC RTI International is a trade name of Research Triangle Institute 1 Objectives Objectives Define the problem Describe the solution

252 views • 22 slides

More recommend