Web Security

Posted on 18-Nov-2014


Web Security
Gerald Z. Villorente
Lorma Colleges, San Fernando, La Union

if [ "$SLIDE" = "intro" ]; then
    echo "I'm Gerald Z. Villorente"
fi

● Senior Web Developer, Kite Systems Ltd., Hong Kong / Philippines
● Drupal Developer, Cable News Network (CNN) Travel, Hong Kong / Atlanta, USA
● System Administrator, InternetJail, Oregon, USA
● Drupal Phil. Users Group (DPUG) member
● Freelancer

Agenda

● Security levels
● Aspects of data security
● Most common web application threats and countermeasures
● Principles of secure development
● Best practices
● Tools

What is a Web Application?

• Any application that is served, most commonly over HTTP or HTTPS
• Usually listening on port 80 (HTTP) or port 443 (HTTPS)
• Served from a remote computer acting as the host/server

What is Web Security?

• Part of what is broadly called "cyber security": protecting information by preventing, detecting and responding to attacks
• A state of being free from damage and compromise
• A condition of being protected against danger or loss

Security Levels

• Server level
• Network level
• Application level
• User level

• Server level
  - Install the latest operating system security patches.
  - Keep your web server software up to date.
  - Limit access from the Internet to your servers. Use a firewall to block every port except the ones you actually need:
    * 80 (HTTP)
    * 443 (HTTPS/TLS, only if your application uses it)
    * 22 (SSH, SCP)
    * 21 (FTP, not recommended: credentials and data travel in clear text; use SCP or SFTP over port 22 instead)
  - Port 22 does not need to be open to the whole Internet; restrict it to administrative source addresses where you can.

• Network level
  - Place servers that your users do not directly interact with (e.g., a back-end database server) in a private network that is inaccessible from the Internet. If that is not possible, use firewall rules to block access from any host other than your web server.

• Application level
  - Never store passwords in clear text. Store a salted, deliberately slow password hash instead (bcrypt, scrypt, Argon2 or PBKDF2). MD5 and plain SHA-256 are fast, unsalted digests: a leaked table of them can be cracked with off-the-shelf wordlists and precomputed tables, so they are not suitable for passwords.
  - Do not derive the cookie value from the login and password. Put a random session identifier in the cookie and map it to the user on the server, so a stolen cookie reveals nothing about the credentials and can be revoked.
  - Carefully check every parameter you pass to SQL statements. Validate all user input, and bind values with prepared statements rather than concatenating them into the query.
  - Purge unused or unnecessary user data from your system regularly; data you do not hold cannot be leaked.
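The two application-level points above, password storage and the session cookie, as an added example. This is not code from the talk (whose examples are PHP); it is written in Python so that it runs stand-alone. The algorithm parameters (PBKDF2-HMAC-SHA256, a 16-byte salt, 100,000 iterations) and the storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Parameters chosen for this example (assumptions, not from the slides):
# PBKDF2-HMAC-SHA256 with a 16-byte random salt per user and a high
# iteration count so that each guess costs the attacker real CPU time.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return the string to store: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """What the slide describes (a plain digest). Shown only for contrast: the
    same password always maps to the same value for every user, so a leaked
    table can be attacked with precomputed digests of common passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_session_id() -> str:
    """Value for the session cookie: 32 random bytes, URL-safe encoded. It is
    unrelated to the login or password, is stored server-side against the
    user, and can be revoked without touching the password."""
    return secrets.token_urlsafe(32)
```

Two hashes of the same password differ because each carries its own salt, while the unsalted digest is identical every time; that difference is what makes precomputed attacks against the slow, salted form impractical. Set the cookie that carries the session id with the HttpOnly and Secure flags so scripts cannot read it and it is only sent over HTTPS.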

• User level
  - Protecting yourself starts with recognising the risks and becoming familiar with the terminology associated with them.
  - Keep your personal information private.
  - Use complex passwords, and a different one for each site.
  - Keep your computer free of viruses, worms, keyloggers, trojans and other malware.

Aspects of Data Security

• Privacy (confidentiality) - keeping your information private
• Integrity - knowing that the information has not been changed
• Authenticity - knowing who sent the information

Most Common Security Threats

1. Cross-site scripting (XSS)
2. SQL injection
3. Improper error handling
4. Parameter tampering
5. Application denial-of-service (DoS; DDoS when launched from many hosts at once)
6. Remote file inclusion
7. Form spoofing

Source: OWASP

Cross-Site Scripting - injecting JavaScript (or other script) that runs in another user's browser with that user's privileges. Such code typically steals the session cookie (the authenticated credential) of whoever views the infected page, or performs actions on that user's behalf.

Ex: <script>alert("This site has been hacked!");</script>

Preventions:
1. Escape all foreign data when it is written into a page, e.g. $filtered_user_input = htmlentities($_POST['userinput'], ENT_QUOTES, 'UTF-8'); (pass ENT_QUOTES so that single quotes are encoded as well; without it the value is not safe inside a single-quoted attribute). Escaping is specific to the output context: HTML-body escaping does not make data safe inside a <script> block or a URL.
2. Always assume data is invalid until it has been proved valid.
3. Use BBCode ([b]bold[/b]) instead of letting users write raw HTML (<b>bold</b>), and translate the BBCode only after the input has been escaped.

XSS Cheat Sheet
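The three preventions above, escaping, assuming input is hostile, and BBCode instead of raw HTML, as an added example. This is not code from the talk; it is in Python (Python's html.escape with quote=True does what PHP's htmlentities does with ENT_QUOTES). The allow-list of BBCode tags and the function names are assumptions for the example.

```python
import html
import re

# Assumption for this example: user content is written into HTML body text or
# into a quoted attribute value. Other contexts (inside <script>, inside a URL,
# inside CSS) need their own encoders and are not covered here.


def escape_for_html(user_input: str) -> str:
    """Encode the five characters that can break out of HTML text or a quoted
    attribute: < > & " and '. quote=True is what PHP's ENT_QUOTES does."""
    return html.escape(user_input, quote=True)


# Allow-listed BBCode tags and the HTML they may become.
BBCODE_TAGS = {"b": "strong", "i": "em"}
_BBCODE_RE = re.compile(r"\[(/?)(b|i)\]")


def render_bbcode(user_input: str) -> str:
    """Escape first, then translate only the allow-listed BBCode tags, so raw
    HTML supplied by the user is neutralised before any markup is created.
    (Tag balancing is not enforced; a real renderer would track nesting.)"""
    escaped = escape_for_html(user_input)

    def _to_html(match: re.Match) -> str:
        closing, tag = match.group(1), match.group(2)
        return f"<{closing}{BBCODE_TAGS[tag]}>"

    return _BBCODE_RE.sub(_to_html, escaped)


def render_unsafe(user_input: str) -> str:
    """The vulnerable pattern: echo the value into the page untouched."""
    return f"<div class=\"comment\">{user_input}</div>"
```

The order in render_bbcode matters: escaping after the BBCode translation would encode the markup you just generated, and translating first would let a user smuggle HTML through the text between tags.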

SQL Injection - an attack in which the attacker is able to execute arbitrary SQL against the database

Ex:
// legit
$sort = 'ASC';
// malicious injection
$sort = '; TRUNCATE users';
// actual query
$query = "SELECT * FROM users ORDER BY membership_date $sort";

// resulting query
SELECT * FROM users ORDER BY membership_date ; TRUNCATE users

Whether that second statement runs depends on the driver: PHP's old mysql_query() refuses stacked statements, while mysqli_multi_query() and some other drivers accept them. Even without stacking, the ORDER BY position can be abused with subqueries and conditional expressions, so the concatenation itself is the bug.

SQL Injection (cont.)

Possible damage:
1. Destroy data, e.g. by executing TRUNCATE
2. Alter existing data (e.g. change the admin password)

Vectors:
1. Dynamic queries that take values from unsanitised user-submitted data

Prevention (MySQL):
1. Bind user-submitted values with prepared statements (PDO or mysqli) instead of building the query string. Escaping each value with mysql_real_escape_string() was the older approach; the mysql_* functions are deprecated since PHP 5.5 and removed in PHP 7, and escaping does nothing for positions that are not string literals, such as the ORDER BY direction or a LIMIT, which must be checked against an allow-list.
2. Harden the environment: reduce the permissions of the SQL account the application uses, remove unneeded system stored procedures, and audit password strength.
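The injection and its two fixes, parameter binding for values and an allow-list for the ORDER BY direction from the slide's $sort example, as an added example that is not part of the talk. It is in Python against an in-memory SQLite table standing in for the MySQL users table; the table layout and rows are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "password_hash TEXT, membership_date TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (login, password_hash, membership_date) VALUES (?, ?, ?)",
        [("admin", "hash-a", "2014-01-01"), ("alice", "hash-b", "2014-06-01")],
    )
    return conn


def login_vulnerable(conn, login: str, password_hash: str):
    """String concatenation: a quote and a comment in the login rewrite the WHERE clause."""
    query = (
        f"SELECT login FROM users WHERE login = '{login}' "
        f"AND password_hash = '{password_hash}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, login: str, password_hash: str):
    """Parameter binding: the values travel separately from the SQL text and
    are never parsed as SQL, whatever characters they contain."""
    row = conn.execute(
        "SELECT login FROM users WHERE login = ? AND password_hash = ?",
        (login, password_hash),
    ).fetchone()
    return row[0] if row else None


# A sort direction is a keyword, not a value, so it cannot be bound as a
# parameter. This is exactly the slide's $sort case: map the request value
# onto a fixed allow-list and refuse anything else.
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_users(conn, sort: str) -> list:
    direction = SORT_DIRECTIONS.get(sort.lower())
    if direction is None:
        raise ValueError("invalid sort direction")
    rows = conn.execute(
        f"SELECT login FROM users ORDER BY membership_date {direction}"
    ).fetchall()
    return [r[0] for r in rows]
```

With the login set to admin' -- the vulnerable query becomes WHERE login = 'admin' --' AND password_hash = '...', the comment swallows the password check and the attacker is logged in as admin; the bound version looks for a user literally named admin' -- and finds none.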

Improper Error Handling - errors are not properly handled by the application code. Uncaught exceptions and verbose error pages leak stack traces, SQL fragments, file paths and software versions to the attacker; log the detail on the server and show the user a generic message.

Parameter Tampering - manipulation of the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products. This information is usually carried in cookies, hidden form fields or URL query strings, and is used to increase application functionality and control. Anything that reaches the server from the client can be edited before it is sent, so the server must re-derive or re-check every such value instead of trusting it.

Ex: http://www.attackbank.com/savepage.asp?nr=147&status=read

Attack: http://www.attackbank.com/savepage.asp?nr=147&status=del
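Server-side handling for the two cases the slide names, a hidden price field and the savepage status parameter, as an added example that is not from the talk. It is in Python; the catalogue, the saved-page table, the ownership rule and the decision that this endpoint accepts only read/unread (so that del is rejected) are all assumptions made for the example.

```python
# Constructed catalogue: the server's only source of truth for prices (cents).
CATALOG = {"sku-100": 1999, "sku-200": 4999}
MAX_QTY = 10


def checkout_vulnerable(form: dict) -> int:
    """Trusts the hidden 'price' field that the browser sent back. Anyone can
    edit a hidden field, a cookie or a query string before submitting."""
    return int(form["price"]) * int(form["qty"])


def checkout_safe(form: dict) -> int:
    """Treats the client's data as a request, not a fact: the price comes from
    the catalogue and the quantity is range-checked before it is used."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not a number") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


# Constructed store for the slide's savepage.asp?nr=147&status=... example:
# which user owns which saved page, and which states this endpoint may set.
SAVED_PAGES = {147: {"owner": "alice", "status": "unread"}}
ALLOWED_STATUSES = {"read", "unread"}   # assumption: 'del' is not reachable here


def save_page(current_user: str, nr: int, status: str) -> int:
    """Returns an HTTP status code. Ownership and the set of permitted values
    are decided here, never from what the query string claims."""
    page = SAVED_PAGES.get(nr)
    if page is None or page["owner"] != current_user:
        return 403          # same answer for missing and foreign ids: leak nothing
    if status not in ALLOWED_STATUSES:
        return 400
    page["status"] = status
    return 200
```

The checkout pair shows the general rule: the client may choose a product and a quantity, but the server computes the price; the save_page handler shows the same rule applied to an action parameter and to the object id, which must be checked against the logged-in user.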

Denial-of-Service - an attack that makes a computer resource unavailable to its intended users

Resources targeted:
1. Bandwidth
2. CPU

Preventions:
1. Firewall
2. Routers and switches
3. Intrusion Prevention Systems (IPS)
4. DoS Defense System (DDS)

Remote File Inclusion - an attack in which the attacker makes the target web application include, and therefore execute, a script of his choosing

Possible damage:
1. Expose or modify variable values of the script doing the include
2. Expose stored credentials (e.g. username/password from a web application configuration file)

Vector: a user-controllable value passed to include() or require()

Preventions (PHP):
1. Disable register_globals
2. Disable allow_url_fopen
3. Disable allow_url_include
4. Never include from a variable with a user-controllable value; map the request parameter onto a fixed allow-list of files instead. The same parameter, pointed at a relative path, also gives local file inclusion, so the configuration flags alone are not enough.
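Prevention 4 above, the allow-list in place of a user-controlled include, as an added example that is not from the talk. It is in Python and uses plain file reads to stand in for PHP's include(); the directory layout, the template names and the config file are constructed for the example. With allow_url_include on, the same vulnerable line in PHP would also fetch and run a script from an http:// value.

```python
import os
import tempfile

# Request parameter -> file. Anything not in this map is refused.
TEMPLATE_FILES = {"home": "home.html", "about": "about.html"}


def setup_site() -> str:
    """Constructed site root: templates/ plus a config file one level above,
    the kind of file an inclusion bug is used to read."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "templates"))
    for name in TEMPLATE_FILES.values():
        with open(os.path.join(root, "templates", name), "w") as f:
            f.write(f"<h1>{name}</h1>")
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("db_password=constructed-secret\n")
    return root


def include_vulnerable(root: str, page: str) -> str:
    """The include($_GET['page'])-style bug: the path is whatever the client
    sent, so '../config.ini' walks out of the templates directory. In PHP with
    allow_url_include on, 'http://evil.example/shell.txt' would be fetched
    and executed from this same line."""
    with open(os.path.join(root, "templates", page)) as f:
        return f.read()


def include_safe(root: str, page: str) -> str:
    """The client's value selects an entry in a fixed map; it is never used
    as a path, so traversal sequences and URLs have nothing to act on."""
    filename = TEMPLATE_FILES.get(page)
    if filename is None:
        raise ValueError("unknown page")
    with open(os.path.join(root, "templates", filename)) as f:
        return f.read()
```

Note that the safe version does not try to sanitise the path (stripping ../ and the like); it simply refuses to treat the parameter as a path at all, which is the only approach that has no encoding corner cases.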

Form Spoofing - an attack in which an HTML form is mimicked or copied and then submitted from a location different from the original

Possible damage:
1. Bypass of client-side validation
2. Mass data insertion resulting in a flood (e.g. guestbook, forum)

Vectors:
1. No form token present, so every request sent to the accepting script is treated as valid

Preventions:
1. Tokenize the form: embed a secret per-session token in the form and reject submissions that do not carry it
2. (Optional) Check the Referer header; it is easily forged or stripped by clients and proxies, so treat it as a secondary signal rather than the only check
Client-side validation is a convenience for the user, never a security control; repeat every check on the server.
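Both preventions, the form token and the optional Referer check, as an added example that is not from the talk. It is in Python; the in-memory session store, the site hostname and the accept_submission function are assumptions for the example, standing in for the session and request objects a real framework would supply.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed session store: session id -> form token issued to that session.
# A real application keeps this in its server-side session data.
SESSION_TOKENS = {}


def issue_form_token(session_id: str) -> str:
    """Called when the form is rendered; the value goes into a hidden field.
    A copied form submitted from elsewhere cannot know this value unless it
    was copied from this very session."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def verify_form_token(session_id: str, submitted) -> bool:
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or not isinstance(submitted, str):
        return False
    # constant-time comparison, so an attacker cannot guess the token byte by byte
    return hmac.compare_digest(expected.encode(), submitted.encode())


def referer_ok(referer, site_host: str) -> bool:
    """Optional check: the Referer must name our own host. Many clients strip
    the header, so a missing value is only evidence if the app chooses so."""
    if not referer:
        return False
    return urlparse(referer).hostname == site_host


def accept_submission(session_id: str, form: dict, referer=None,
                      site_host: str = "example.test",
                      require_referer: bool = False) -> str:
    """Server-side acceptance of a guestbook/forum post. The token check is
    mandatory; the Referer check is the slide's optional second line."""
    if not verify_form_token(session_id, form.get("token")):
        return "rejected: missing or invalid form token"
    if require_referer and not referer_ok(referer, site_host):
        return "rejected: referer"
    # server-side validation of the fields themselves would follow here
    return "accepted"
```

Issuing a fresh token each time the form is rendered and removing it once used turns the check into a one-shot token, which also blunts the flooding case the slide mentions.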

The Principles of Secure Development

1. Input validation
2. Output validation
3. Error handling
4. Authentication and authorisation
5. Session management
6. Secure communications
7. Secure storage
8. Secure resource access

Know your tools

● Each language is different and has different strengths and weaknesses
  * PHP
  * Python
  * .NET
  * ASP
  * Ruby
  * Scala
  * Java

Best Practices

1. Never use a WAMP or XAMPP stack in production; they are developer bundles with permissive defaults
2. Avoid spaghetti code
3. Don't re-invent the wheel; use the tested functions your framework already provides
4. Follow naming conventions
5. Use case-sensitive naming
6. Secure the filesystem

if [ "$SLIDE" = "end" ]; then
    echo -n "Any question? [Y/n] "
    read QTN
    if [ "$QTN" = "N" ] || [ "$QTN" = "n" ]; then
        echo "Thank You!"
        exit 0
    elif [ "$QTN" = "Y" ] || [ "$QTN" = "y" ]; then
        echo "Ok I'll try to answer them."
    else
        echo "Email me if you have. Thanks"
    fi
fi
