Introduction to web security Tech Talk @ Georgia Tech 9 March 2011
Is it good to be paranoid? Introduction to web security
Tech talk @ Georgia Tech, March 2011
Subramanyan Murali, Yahoo! Mail Engineer. Hacker, Photographer, Traveler. @rmsguhan
par·a·noi·a
• n. paranoia [pӕrəˈnoiə] – a type of mental illness in which a person has fixed & unreasonable ideas that he/she is very important, or that other people are being unfair or unfriendly to him/her
In Yahoo!, they are just people who care a lot about web security
Q. What is the problem?
• Spammers want to do cheap advertising & unsolicited marketing
• Phishers want to steal user identity for personal benefit
• Crackers want to break into your systems & profit
• Jokers just want to watch the world burn
“It’s necessary to build an application that is user friendly, high performing, accessible and secure, all while executing partially in an un-trusted environment that you, the developer, have no control over”- Philip Tellis, Yahoo! Paranoid
http://www.smashingmagazine.com/author/philip-tellis/
A tech-savvy user may be aware …
… but to some, cookies are still made of dough & chocolate chips
A. Keep it simple for normal users. Make it hard for users with evil intentions.
Users place a lot of trust in the web & share a lot of information.
Every attack is unique & exploits a specific weakness.
Types of web attacks
• Phishing & Spamming
• Scamming
• Code Injection
• Forgery & spoofing
Cross-Site (X) Scripting
XSS
• Filter all input that you are going to save
• Be aware of the data you are saving – a URL field should save only URLs; a number field should save only numbers
• Never open up your site based purely on trust
SQL / Shell Injection
http://xkcd.com/327/

```php
<?php
// The deck's deliberately vulnerable example: request parameters are
// interpolated straight into the SQL string, so a quote character in the
// input ends the string literal and the rest of the input is parsed as SQL.
$user = $_GET['user'];
$message = $_GET['message'];

function save_message($user, $message) {
    $sql = "INSERT INTO Messages ( user, message ) VALUES ( '$user', '$message' )";
    return mysql_query($sql);
}
?>
```

Message values shown on the slide that change the meaning of that INSERT:
test');DROP TABLE Messages;
test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …
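To show why the fix is parameterized queries rather than quote filtering, here is an added example (not from the deck) that runs the slide's second payload against a throwaway in-memory SQLite table: the string-built INSERT stores three rows, the parameterized one stores exactly one row containing the payload as literal text. `save_message_unsafe` is a Python port of the slide's PHP `save_message`; the table layout and payload are constructed for the demo.

```python
import sqlite3

# Constructed sample input: the deck's second injection string. Inside a
# string-built INSERT its quotes turn a one-row VALUES into a three-row one.
SPAM_PAYLOAD = "test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at ..."


def new_db():
    """Throwaway in-memory table mirroring the deck's Messages(user, message)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    return db


def save_message_unsafe(db, user, message):
    """Port of the slide's PHP save_message(): input is interpolated into SQL,
    so the database parses the payload's quotes and commas as query syntax."""
    sql = f"INSERT INTO Messages (user, message) VALUES ('{user}', '{message}')"
    db.execute(sql)
    db.commit()


def save_message_safe(db, user, message):
    """Hardened version: placeholders keep the input as data. The payload is
    stored verbatim as one message and is never parsed as SQL."""
    db.execute("INSERT INTO Messages (user, message) VALUES (?, ?)", (user, message))
    db.commit()


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM Messages").fetchone()[0]


def stored_messages(db):
    return [row[0] for row in db.execute("SELECT message FROM Messages")]


def demo():
    """Returns (rows after the unsafe insert, rows after the safe insert)."""
    unsafe = new_db()
    save_message_unsafe(unsafe, "user1", SPAM_PAYLOAD)  # three rows land
    safe = new_db()
    save_message_safe(safe, "user1", SPAM_PAYLOAD)  # exactly one row
    return row_count(unsafe), row_count(safe)


if __name__ == "__main__":
    print(demo())  # (3, 1)
```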
Cross-Site Request Forgery

```html
<img src="http://www.mybiz.com/post_message?message=Cheap+medicine+at+http://evil.com/" style="position:absolute;left:-999em;">
```

```html
<iframe name="pharma" style="display:none;"></iframe>
<form id="pform" action="http://www.mybiz.com/post_message" method="POST" target="pharma">
  <input type="hidden" name="message" value="Cheap medicine at ...">
</form>
<script>document.getElementById('pform').submit();</script>
```
• Issue a unique token / crumb that only your server would know for that session
• Check if the posted data has that token
• For normal posts, use a time-bound token:

```php
<?php
// Token that rolls over once a day: $secret keeps it unforgeable, $user binds
// it to one account, and ceil(time()/86400) bounds its lifetime. Both values
// are passed in explicitly here; the slide's version read them as globals.
function get_nonce($secret, $user) {
    return md5($secret . ":" . $user . ":" . ceil(time()/86400));
}
?>
```

• For more sensitive posts, use a token that is stored in the user session
Click-jacking
http://erickerr.com/like-clickjacking
Tab-Jacking
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
New secure technology does not guarantee a secure application.
As developers, we need to be cautious.
Resources
• http://www.owasp.org/index.php/Main_Page
• http://kilimanjaro.dk/blog/
• http://www.smashingmagazine.com/author/philip-tellis/
• http://code.google.com/edu/security/index.htm
• http://www.slideshare.net/joewalker/web-app-security
• http://www.slideshare.net/shiflett/evolution-of-web-security
• http://www.slideshare.net/txaypanya/owasp-top10-2010
Be paranoid, be smart
Thank you !