Uploaded by: mahmud-ahsan

Posted on 16-Apr-2017


Concern of Web Application Security

First and foremost, you must realize and accept that any user-supplied data is inherently unreliable and can't be trusted.

Md. Mahmud Ahsan
Zend Certified Engineer
http://mahmudahsan.wordpress.com/
http://www.ftechdb.com/

Contents of presentation

Overview of security

Best Practice

Input Filtering

Escaping Output

SQL Injection

Cross-site Scripting

Session Hijacking

Cross-site request forgeries

Security Overview

Security is a measurement, not a characteristic.

Security is difficult to measure. It has no units.

Security must be considered at all times.

What is security?

Security Overview

According to Chris Shiflett

Defense in Depth

Least Privilege

Simple is beautiful

Minimize exposure

Principles of security?

Best Practice

According to Chris Shiflett

Consider malicious uses of your application.

Educate yourself.

Remember 2 simple rules:

Filter Input

Escape Output

Basic Steps


Input filtering

What is filtering?

Filtering is the process by which you inspect data to prove its validity.

When possible, use a whitelist approach.

Filtering is useless if you can't keep up with what has been filtered and what hasn't.

Employ a strict naming convention that lets you easily and reliably distinguish between filtered and tainted data.

Input filtering

Filter input example:

Initialize an array for storing filtered data

Use a switch statement to filter sets

Create cases for the valid values

Color is definitely valid, so store it in the array

Input filtering

Filter input example 2:

Create an array to store filtered data

Username must be alphanumeric

If username is alphanumeric, store it in the array
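The two filter examples above survive only as their annotations, so here is a worked version of both in PHP. This is an added example, not code from the slides: the function name filterInput(), the $clean array name, the three allowed colors and the 32-character username limit are assumptions, and the sample requests at the bottom are constructed input standing in for $_GET or $_POST.

```php
<?php
// Added example (not from the original slides): whitelist input filtering
// in the style the slides describe. The request arrays at the bottom are
// constructed sample input; in a real request they come from $_GET/$_POST.

declare(strict_types=1);

// Every piece of filtered data goes into $clean; anything not in $clean is
// still tainted. The naming convention is what keeps the two apart.
function filterInput(array $input): array
{
    $clean = [];

    // Example 1: a fixed set of valid values, so a switch acts as the whitelist.
    if (isset($input['color']) && is_string($input['color'])) {
        switch ($input['color']) {
            case 'red':
            case 'green':
            case 'blue':
                // Color is definitely valid, so store it in the array.
                $clean['color'] = $input['color'];
                break;
            // No default branch: an unknown color simply never reaches $clean.
        }
    }

    // Example 2: a format rule, username must be alphanumeric (and bounded).
    if (isset($input['username']) && is_string($input['username'])
        && ctype_alnum($input['username'])
        && strlen($input['username']) <= 32) {
        $clean['username'] = $input['username'];
    }

    return $clean;
}

// Constructed sample requests: both fields valid, both rejected, only color valid.
$samples = [
    ['color' => 'red',  'username' => 'mahmud'],
    ['color' => 'red; DROP TABLE users', 'username' => "bob' OR 1=1"],
    ['color' => 'blue', 'username' => '../../etc/passwd'],
];

foreach ($samples as $i => $request) {
    printf("request %d: %s\n", $i, json_encode(filterInput($request)));
}
```

The second and third requests show why the whitelist matters: nothing is "cleaned" or stripped, the bad values are simply never copied into $clean, so later code that reads only from $clean cannot see them. Any code that reaches back into $_GET directly is, by the naming convention, working with tainted data.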

Escaping Output

What is output?

Most output is obvious (anything sent to the client is output) - HTML, JavaScript, etc.

The client isn't the only remote destination - databases, session data stores, RSS feeds, etc.

The key is to identify the destination of data. If it is destined for any remote system, it is output and must be escaped.

Escaping Output

What is Escaping?

It is the process of escaping any character that has a special meaning in a remote system

The two most common destinations are the client (use htmlentities()) and MySQL (use mysql_real_escape_string()).

Escaping Output

Escaping output example:

Cross-Site Scripting

htmlentities():

output:
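The escaping example slide is an image that did not survive the transcript, so here is an added PHP example (not the slides' code) that escapes the same value for the two destinations named above. It uses htmlentities() for the client as the slides do; for the database it uses a PDO prepared statement rather than mysql_real_escape_string(), because that function was removed in PHP 7 and a parameterised query keeps the data out of the SQL text altogether. The in-memory SQLite database, the comments table and the $untrusted values are constructed so the script runs without a MySQL server.

```php
<?php
// Added example (not from the original slides): escape for the destination.
// The $untrusted values are constructed sample input.

declare(strict_types=1);

// Destination 1: the browser. Escape every character with special meaning
// in HTML. ENT_QUOTES also escapes single quotes, which matters inside
// attribute values.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Destination 2: the database. A parameterised query sends the values
// separately from the SQL, so no character in them can change the query.
// (SQLite in memory is used only so the example runs without a server.)
function storeAndFetchComment(PDO $db, string $author, string $comment): array
{
    $insert = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $insert->execute([':author' => $author, ':body' => $comment]);

    $select = $db->prepare('SELECT author, body FROM comments WHERE author = :author');
    $select->execute([':author' => $author]);
    return $select->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT, body TEXT)');

// Constructed untrusted input: a quote that would end a SQL string literal
// and a script tag that would run in the browser if echoed as-is.
$untrusted = [
    'author'  => "o'reilly",
    'comment' => '<script>alert(1)</script> said "hi"',
];

// Stored as data, not as SQL: the quote in o'reilly is just part of the value.
$rows = storeAndFetchComment($db, $untrusted['author'], $untrusted['comment']);

// Escaped at output time, for the HTML destination, not at storage time.
foreach ($rows as $row) {
    echo '<p class="comment" data-author="' . escapeHtml($row['author']) . '">'
        . escapeHtml($row['body']) . "</p>\n";
}
```

The order matters: the value is stored exactly as received and escaped only when it is sent to the client. Escaping for HTML before storing would corrupt the data for every other destination (an RSS feed, a JSON API, a report) and would still leave the database insert unprotected.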

Session Hijacking

What's the problem?

An attacker can impersonate another user if that user's session identifier is known by the attacker.

Methods of obtaining a valid session identifier:

Fixation

Prediction

Capture

Session Hijacking

Example of Session Fixation:

http://example.org/login.php?PHPSESSID=1234

Prevention of Session Fixation: Use session_regenerate_id() whenever there is a change in the level of privilege:

if ($authenticated) {
    $_SESSION['logged_in'] = TRUE;
    session_regenerate_id();
}

Session Hijacking

Another session security technique: Compare the browser signature headers.
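An added PHP example (not from the slides) that puts the two techniques from the preceding slides together: a new session id when the privilege level changes, and a browser signature stored at login and compared on every later request. The function names, the session keys and the choice of User-Agent plus Accept-Language as the signature are assumptions; the ini settings at the bottom are the standard PHP session directives and address the PHPSESSID-in-the-URL fixation example shown earlier.

```php
<?php
// Added example (not from the original slides): regenerate the session id on
// privilege change and compare a browser signature on every request.
// Function and session key names are assumptions.

declare(strict_types=1);

// A signature of headers the legitimate browser sends on every request.
// Headers are client-controlled, so this is a secondary check only; it
// complements session_regenerate_id(), it does not replace it.
function browserSignature(): string
{
    return hash('sha256',
        ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' .
        ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

// Call once the credentials have been verified (assumed done by the caller).
function loginSession(string $userId): void
{
    // New id on privilege change: an id the attacker fixed beforehand is now
    // useless. The argument true deletes the old session data as well.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = $userId;
    $_SESSION['signature'] = browserSignature();
}

// Call at the start of every protected page.
function requireValidSession(): bool
{
    if (empty($_SESSION['logged_in'])) {
        return false;
    }
    if (!hash_equals($_SESSION['signature'] ?? '', browserSignature())) {
        // Signature changed mid-session: treat it as a hijack and drop the session.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Cookie settings that make the id harder to fix or capture; they must be
// set before session_start().
ini_set('session.use_only_cookies', '1'); // ignore a PHPSESSID passed in the URL
ini_set('session.cookie_httponly', '1');  // cookie not readable by JavaScript
ini_set('session.cookie_secure', '1');    // cookie only sent over HTTPS (drop on a plain-http dev server)
session_start();

// Usage in a request handler (the credential check itself is assumed to
// have happened before this point).
if (isset($_POST['login'])) {
    loginSession('42');
} elseif (!requireValidSession()) {
    http_response_code(403);
    exit('Please log in');
}
```

session.use_only_cookies is what defeats the http://example.org/login.php?PHPSESSID=1234 style of fixation: the id in the URL is ignored, so the only way to obtain a session is to be issued one by the server. The signature check is deliberately coarse (a browser upgrade mid-session changes the User-Agent and forces a re-login), which is the trade-off the slides' "compare the browser signature headers" implies.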

Session Hijacking

Safer Session Storage

By default PHP sessions are stored as files inside the common /tmp directory.

This often means any user on the system could see active sessions and acquire them or even modify their content.

Solutions?

Separate session storage directory via session.save_path

Database storage mechanism, mysql, pgsql, oci, sqlite.

Custom session handler allowing data storage anywhere.

Cross Site Request Forgeries

What is CSRF?

An attacker can send arbitrary HTTP requests from a victim. Because the requests originate from the victim, they can bypass traditional safeguards, including firewalls and access control.

Cross Site Request Forgeries

Solution of CSRF:

Use a unique token in every form that you send to the user.

Whenever you receive a request from the user that represents a form submission, check for this unique token.

Use sessions to associate a particular token with a particular user.

Cross Site Request Forgeries

Normal form submission:

Symbol:

Shares:
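An added PHP example (not the slides' code) of the three-step CSRF defence listed above, applied to the Symbol/Shares trade form on this slide: a token in every form, the token checked on submission, and the token tied to the user through the session. The function names, the csrf_token field name, the trade.php action and the Buy button are assumptions; the rest follows the slides' recipe.

```php
<?php
// Added example (not from the original slides): the three-step CSRF defence,
// token per form, token checked on submission, token bound to the session.
// Function and field names are assumptions; symbol/shares are the slide's fields.

declare(strict_types=1);

session_start();

// Step 3: the token lives in the session, so it belongs to this user only.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe inside an attribute.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Step 2: every state-changing submission must carry the session's token.
function csrfTokenIsValid(array $post): bool
{
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time; an empty expected token never matches.
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Step 1: emit the token as a hidden field in the form.
function renderTradeForm(): string
{
    $token = htmlentities(csrfToken(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="trade.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  Symbol: <input type="text" name="symbol">
  Shares: <input type="text" name="shares">
  <input type="submit" value="Buy">
</form>
HTML;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST)) {
        // A request forged from another site cannot know this session's token.
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // The token only proves the form came from us; the fields still get filtered.
    $clean = [];
    if (isset($_POST['symbol']) && is_string($_POST['symbol']) && ctype_alpha($_POST['symbol'])) {
        $clean['symbol'] = strtoupper($_POST['symbol']);
    }
    if (isset($_POST['shares']) && is_string($_POST['shares']) && ctype_digit($_POST['shares'])) {
        $clean['shares'] = (int) $_POST['shares'];
    }
    echo isset($clean['symbol'], $clean['shares'])
        ? "Buying {$clean['shares']} shares of {$clean['symbol']}\n"
        : "Invalid trade request\n";
} else {
    echo renderTradeForm();
}
```

The page an attacker controls can make the victim's browser send a POST to trade.php with any symbol and shares values, but it cannot read the victim's session to learn csrf_token, so that request arrives without a valid token and is refused. The token is generated once per session here; issuing a fresh one per form, as the slide's wording suggests, works the same way with a list of outstanding tokens in $_SESSION instead of a single value.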

Cross Site Request Forgeries

Solution of CSRF: