Is it good to be paranoid?

Post on 19-Jun-2015


Introduction to web security Tech Talk @ Georgia Tech 9 March 2011


Is it good to be paranoid? Introduction to web security

Tech talk @ Georgia Tech, March 2011

Subramanyan Murali, Yahoo! Mail Engineer. Hacker, Photographer, Traveler. @rmsguhan


par·a·noi·a

• n paranoia [pærəˈnɔɪə]: a type of mental illness in which a person has fixed & unreasonable ideas that he/she is very important, or that other people are being unfair or unfriendly to him/her

At Yahoo!, the "Paranoids" are just people who care a lot about web security


Q. What is the problem?

• Spammers want to do cheap advertising & unsolicited marketing
• Phishers want to steal user identities for personal benefit
• Crackers want to break into your systems & profit
• Jokers just want to watch the world burn

“It’s necessary to build an application that is user friendly, high performing, accessible and secure, all while executing partially in an un-trusted environment that you, the developer, have no control over”- Philip Tellis, Yahoo! Paranoid

http://www.smashingmagazine.com/author/philip-tellis/

A tech-savvy user may be aware …

… but to some, cookies are still made of dough & chocolate chips

A. Keep it simple for normal users. Make it hard for users with evil intentions

Users place a lot of trust in the web & share a lot of information

Every attack is unique & exploits a weakness

Types of web attacks

• Phishing & spamming
• Scamming
• Code injection
• Forgery & spoofing

Cross-Site Scripting (XSS)

• Filter all input that you are going to save, and escape all output for the context it is rendered in (HTML body, attribute, JavaScript, URL); filtering on the way in alone does not make stored data safe to print
• Be aware of the data you are saving: a URL field should save only URLs, a number field only numbers
• Never open up your site based purely on trust
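The two bullets above (typed validation on input, escaping on output) as an added example. This is not code from the talk; it is written in Python rather than the slides' PHP, and the comment store, field names and the `javascript:` test input are constructed for the example. The URL check shows why "save only URLs" has to mean "only http(s) URLs": `javascript:alert(1)` is a syntactically valid URL that turns into script once placed in an href.

```python
import html
import re
from urllib.parse import urlparse


def validate_url(value):
    """Accept only absolute http(s) URLs for a 'URL' field.

    A naive "looks like a URL" test lets 'javascript:alert(1)' through, and that
    string becomes script the moment it is rendered into an href attribute.
    """
    parsed = urlparse(value.strip())
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("URL field accepts only absolute http(s) URLs")
    return parsed.geturl()


def validate_number(value):
    """Accept only an ASCII decimal integer for a 'number' field."""
    value = value.strip()
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("number field accepts only digits")
    return int(value)


def render_comment(author, text, homepage):
    """Escape at output time for the two HTML contexts used in this template.

    html.escape() with quote=True (the default) covers both the text context and
    the quoted attribute context, so an attacker cannot close the href early.
    """
    return '<p class="comment"><a href="{href}">{author}</a>: {text}</p>'.format(
        href=html.escape(homepage, quote=True),
        author=html.escape(author, quote=True),
        text=html.escape(text, quote=True),
    )


def save_comment(store, author, text, homepage, age):
    """Validate the typed fields on the way in; the free-text field is stored
    verbatim and made safe only when it is rendered (constructed store: a list)."""
    record = {
        "author": author,
        "text": text,
        "homepage": validate_url(homepage),
        "age": validate_number(age),
    }
    store.append(record)
    return record


if __name__ == "__main__":
    store = []
    # Constructed inputs for the example
    rec = save_comment(store, "mallory", '<script>alert("xss")</script>', "http://example.com/", "33")
    print(render_comment(rec["author"], rec["text"], rec["homepage"]))
    try:
        validate_url("javascript:alert(1)")
    except ValueError as err:
        print("rejected:", err)
```

Note that the free-text `text` field is not filtered at all: the same stored value can be rendered safely into HTML, a JavaScript string or a URL only if each renderer escapes for its own context, which is why the escaping lives in `render_comment` rather than in `save_comment`.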

SQL / Shell Injection

http://xkcd.com/327/

<?php
// Deliberately vulnerable, as on the original slide: the untrusted
// query-string values become part of the SQL text.
$user = $_GET['user'];
$message = $_GET['message'];

function save_message($user, $message) {
    $sql = "INSERT INTO Messages (
                user, message
            ) VALUES (
                '$user', '$message'
            )";
    return mysql_query($sql);
}
?>

Sample payloads for the message parameter:

test');DROP TABLE Messages;

test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …

The first needs a driver that runs stacked statements (PHP's mysql_query() sends a single query and will not); the second adds extra rows inside the one INSERT the driver does run, so it works regardless of that.
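The vulnerable INSERT and its parameterised replacement, as an added example (not the talk's code). It is written in Python against an in-memory SQLite table standing in for the slide's MySQL `Messages` table; the table layout and the user name `alice` are constructed for the example, and the two payloads are the ones from the slide. It shows the row-injection payload adding spam rows through the vulnerable function, the same payload being stored verbatim as one message through the parameterised function, and that a driver refusing stacked statements stops only the DROP payload, not the injection.

```python
import sqlite3

# The two payloads from the slide, placed in the `message` parameter.
ROW_INJECTION = "test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at ..."
STACKED_QUERY = "test');DROP TABLE Messages;"


def fresh_db():
    """In-memory SQLite stand-in for the MySQL table on the slide (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    return conn


def save_message_vulnerable(conn, user, message):
    """Same defect as the PHP snippet: the values are pasted into the SQL text."""
    sql = "INSERT INTO Messages (user, message) VALUES ('%s', '%s')" % (user, message)
    conn.execute(sql)


def save_message_safe(conn, user, message):
    """Parameterised query: the statement is compiled with placeholders and the
    values are bound afterwards, so a quote inside `message` is only data."""
    conn.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))


def stored_messages(conn):
    return conn.execute("SELECT user, message FROM Messages ORDER BY rowid").fetchall()


def demo():
    results = {}

    # 1. Row injection against the vulnerable function: one request, three rows,
    #    two of them spam attributed to users who never posted anything.
    conn = fresh_db()
    save_message_vulnerable(conn, "alice", ROW_INJECTION)
    results["vulnerable_rows"] = stored_messages(conn)

    # 2. Stacked statement against the vulnerable function. sqlite3, like PHP's
    #    mysql_query(), runs one statement per call and rejects the rest, so this
    #    payload fails here. That is a property of the driver, not a fix.
    conn = fresh_db()
    try:
        save_message_vulnerable(conn, "alice", STACKED_QUERY)
        results["stacked_refused"] = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        results["stacked_refused"] = True
    results["table_intact"] = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Messages'"
    ).fetchone()[0] == 1

    # 3. The same row-injection payload through the parameterised function is
    #    stored as a single message containing the literal quotes and commas.
    conn = fresh_db()
    save_message_safe(conn, "alice", ROW_INJECTION)
    results["safe_rows"] = stored_messages(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of case 2 is that "our driver does not allow multiple statements" is often offered as a reason the xkcd payload is harmless; case 1 uses the same hole without needing a second statement at all.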

Cross-Site Request Forgery

<img src="http://www.mybiz.com/post_message?message=Cheap+medicine+at+http://evil.com/" style="position:absolute;left:-999em;">

<iframe name="pharma" style="display:none;"></iframe>
<form id="pform" action="http://www.mybiz.com/post_message" method="POST" target="pharma">
  <input type="hidden" name="message" value="Cheap medicine at ...">
</form>
<script>document.getElementById('pform').submit();</script>

Issue a unique token / crumb that only your server could generate for that session

Check that the posted data carries that token before acting on the request

For normal posts, use a time-bound token (a keyed MAC such as hash_hmac() is preferable to md5 over a plain concatenation, and comparisons should be constant-time)

<?php
function get_nonce() {
    global $secret, $user;  // the slide relies on these; a PHP function does not see globals without this
    return md5($secret . ":" . $user . ":" . ceil(time()/86400));
}
?>

For more sensitive posts, use a random token stored in the user session
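Both token schemes described above, the time-bound crumb and the session-stored token, as one added example (not the talk's code). It is written in Python rather than PHP; the `SECRET` value, the `post_message` handler, the `crumb` form field name and the dict standing in for the server-side session are constructed for the example. The crumb uses HMAC-SHA256 keyed with the server secret in place of the slide's md5 over a concatenation, accepts the previous day's window so a form loaded just before midnight still submits, and compares tokens in constant time.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for the example: a server-side secret loaded from configuration.
# The value here is constructed; never hard-code a real one.
SECRET = b"example-server-secret-change-me"
PERIOD = 86400  # the same one-day window the slide's get_nonce() uses


def time_bound_token(user, now, secret=SECRET):
    """HMAC over (user, day number) instead of md5 over a concatenation.

    Without `secret` nobody can compute it, and the day number expires a
    stolen crumb once the window has passed.
    """
    window = int(now // PERIOD)
    msg = "%s:%d" % (user, window)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def verify_time_bound(user, token, now, secret=SECRET):
    """Accept the current window and the previous one; compare in constant time."""
    if not isinstance(token, str) or not token:
        return False
    for offset in (0, PERIOD):
        expected = time_bound_token(user, now - offset, secret)
        if hmac.compare_digest(expected.encode(), token.encode()):
            return True
    return False


def issue_session_token(session):
    """For sensitive posts: a random token kept only in the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def verify_session_token(session, posted):
    expected = session.get("csrf")
    if expected is None or not isinstance(posted, str):
        return False
    return hmac.compare_digest(expected.encode(), posted.encode())


def post_message(session, user, form, now):
    """Handler for the slide's /post_message: refuse any POST whose crumb does
    not check out. `form` is the parsed request body as a dict (constructed)."""
    if not verify_time_bound(user, form.get("crumb"), now):
        return 403, "missing or invalid crumb"
    session.setdefault("messages", []).append(form.get("message", ""))
    return 200, "posted"


if __name__ == "__main__":
    session, now = {}, time.time()
    # Legitimate form: the server rendered this user's crumb into the page.
    print(post_message(session, "alice", {"message": "hi", "crumb": time_bound_token("alice", now)}, now))
    # The forged form from the slide carries no crumb, because evil.com cannot compute one.
    print(post_message(session, "alice", {"message": "Cheap medicine at ..."}, now))
```

The forged `<img>` and auto-submitting `<form>` above fail against this handler for the same reason: the attacker's page can make the victim's browser send the request, but cannot read the victim's page to learn the crumb or the session token.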

Click-jacking (send X-Frame-Options so other sites cannot frame your pages)

http://erickerr.com/like-clickjacking

Tab-jacking (tabnabbing)

http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

New secure technology does not guarantee a secure application

As developers, we need to be cautious

Resources

• http://www.owasp.org/index.php/Main_Page
• http://kilimanjaro.dk/blog/
• http://www.smashingmagazine.com/author/philip-tellis/
• http://code.google.com/edu/security/index.htm
• http://www.slideshare.net/joewalker/web-app-security
• http://www.slideshare.net/shiflett/evolution-of-web-security
• http://www.slideshare.net/txaypanya/owasp-top10-2010

Be paranoid, be smart

Thank you !