Concern of Web Application Security
First and foremost, you must realize and accept that any user-supplied data is inherently unreliable and can't be trusted.
Md. Mahmud Ahsan
Zend Certified Engineer
http://mahmudahsan.wordpress.com/
http://www.ftechdb.com/
Contents of presentation
Overview of security
Best Practice
Input Filtering
Escaping Output
SQL Injection
Cross-site Scripting
Session Hijacking
Cross-site request forgeries
Security Overview
What is security?
Security is a measure, not a characteristic.
Security is difficult to measure. It has no units.
Security must be considered at all times.
Security Overview
Principles of security?
According to Chris Shiflett:
Defense in Depth
Least Privilege
Simple is beautiful
Minimize exposure
Best Practice
Basic Steps
According to Chris Shiflett:
Consider malicious uses of your application.
Educate yourself.
Remember 2 simple rules:
Filter Input
Escape Output
Input filtering
What is filtering?
Filtering is the process by which you inspect data to prove its validity.
When possible, use a whitelist approach.
Filtering is useless if you can't keep up with what has been filtered and what hasn't.
Employ a strict naming convention that lets you easily and reliably distinguish between filtered and tainted data.
Input filtering
Filter input example:
Initialize array for storing filtered data
Use switch statement to filter sets
Create cases for the valid values
Color is definitely valid, so store in the array
Input filtering
Filter input example 2:
Create an array to store filtered data
Username must be alphanumeric
If username is alphanumeric, store it in the array
Escaping Output
What is output?
Most output is obvious (anything sent to the client is output) - HTML, JavaScript, etc.
The client isn't the only remote destination - databases, session data stores, RSS feeds, etc.
The key is to identify the destination of data. If it is destined for any remote system, it is output and must be escaped.
Escaping Output
What is Escaping?
It is the process of escaping any character that has a special meaning in a remote system.
The two most common destinations are the client (use htmlentities()) and MySQL (use mysql_real_escape_string()).
Escaping Output
Escaping output example:
Cross-Site Scripting
htmlentities():
output:
Session Hijacking
What's the problem?
An attacker can impersonate another user if that user's session identifier is known by the attacker.
Methods of obtaining a valid session identifier:
Fixation
Prediction
Capture
Session Hijacking
Example of Session Fixation:
http://example.org/login.php?PHPSESSID=1234
Prevention of Session Fixation:
Use session_regenerate_id() whenever there is a change in the level of privilege:

if ($authenticated) {
    $_SESSION['logged_in'] = TRUE;
    session_regenerate_id();
}
Session Hijacking
Another session security technique: Compare the browser signature headers.
Session Hijacking
Safer Session Storage
By default PHP sessions are stored as files inside the common /tmp directory.
This often means any user on the system could see active sessions and acquire them or even modify their content.
Solutions?
Separate session storage directory via session.save_path
Database storage mechanism: mysql, pgsql, oci, sqlite.
Custom session handler allowing data storage anywhere.
Cross Site Request Forgeries
What is CSRF?
An attacker can send arbitrary HTTP requests from a victim. Because the requests originate from the victim, they can bypass traditional safeguards, including firewalls and access control.
Cross Site Request Forgeries
Solution of CSRF:
Use a unique token in every form that you send to the user.
Whenever you receive a request from the user that represents a form submission, check for this unique token.
Use sessions to associate a particular token with a particular user.
Cross Site Request Forgeries
Normal form submission:
Symbol:
Shares:
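The three-step solution above applied to this Symbol/Shares form, as an added PHP example that is not code from the slides. It assumes PHP 7 or later (random_bytes(), hash_equals()), that session_start() runs before any output, and a hypothetical action script buy.php.

```php
<?php
// Added example (not from the slides): one CSRF token per session, embedded in the
// Symbol/Shares form and checked on every submission. Assumes PHP 7+ and that
// session_start() runs before any output is sent.
session_start();

// Step 3: associate one token with this user's session, creating it once.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Step 2: a form submission must carry the token stored in the session.
// The submitted value is tainted input: it is only compared (in constant time
// via hash_equals()) against the trusted copy, never used for anything else.
function csrf_check(array $post): bool {
    if (empty($_SESSION['csrf_token']) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['token']);
}

$clean = array();  // naming convention from the filtering slides: only validated data goes here

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // The token proves the request came from a form we sent; the fields still need filtering.
    if (isset($_POST['symbol']) && preg_match('/^[A-Z]{1,5}$/', $_POST['symbol'])) {
        $clean['symbol'] = $_POST['symbol'];
    }
    if (isset($_POST['shares']) && ctype_digit($_POST['shares']) && (int) $_POST['shares'] > 0) {
        $clean['shares'] = (int) $_POST['shares'];
    }
    // ... place the order using $clean['symbol'] and $clean['shares'] only ...
}

// Step 1: every form sent to the user embeds the token; it is output, so escape it.
$token = htmlentities(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="buy.php">
  <input type="hidden" name="token" value="<?= $token ?>">
  Symbol: <input type="text" name="symbol">
  Shares: <input type="text" name="shares">
  <input type="submit" value="Buy">
</form>
```

A forged request from another site cannot include the token because the attacker's page never sees the victim's session data, so the check in csrf_check() rejects it.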
Cross Site Request Forgeries
Solution of CSRF: