Lecture 12. Web Application Security
TRANSCRIPT

8/8/2019 Lecture 12. Web Application Security
1/51
Web Application Security
Internet technology - IT00803

Overview
What is Security?
5 (+ or - 2) Aspects of Security
Fundamental Technologies
Secure Client/Server Interaction
Securing the Client
Securing the Server
Securing Web Applications

What is Security?
The definition of security, as it applies to the Web, is often too narrow.
An SSL-enabled Web application?
A properly patched and firewalled server?
Service availability
Managing risk
Traditional risk analysis
Best practices
Compliance with legal obligations
Copyrights
Privacy laws

5 (+ or - 2) Aspects of Security
Confidentiality
Integrity
Availability

5 (+ or - 2) Aspects of Security
Confidentiality
Integrity
Availability
Authentication
Authorization
Non-Repudiation

5 (+ or - 2) Aspects of Security
Confidentiality
Integrity
Availability
Authentication
Authorization
Non-Repudiation
Privacy

Confidentiality
Information exchanged between the client and service provider cannot be read by an unauthorized party.
Encryption is the fundamental technology for ensuring confidentiality
Messages in transit
Messages in storage
Confidentiality vs. Privacy
Confidentiality: obligation of provider to restrict access.
Privacy: individual's right to control access.

Integrity
The assurance that data & information cannot be altered.
Accidental corruption
Willful alteration
Here, we discuss integrity in terms of data integrity
Data has not been altered during transmission
In the CIA model, source integrity = authentication
Primary technologies/techniques to ensure integrity:
Digital signatures
Hash algorithms
Checksums

Availability
Authorized clients have timely and reliable access to resources.
Proper availability depends on application
Myth of the Nines
How reliable is 99.9% availability?
Relevant technologies/techniques
High availability protocols
Redundancy
System design without single point of failure

Authentication
Is the client (person or machine) really who they claim to be?
The most secure authentication schemes use 3 factors:
Something you know, e.g., password
Something you have, e.g., key/token
Something you are, e.g., fingerprint
Technologies
Login/password combination
Public Key Infrastructure
Biometrics

Authorization
Allowing access only to those resources to which the client has been granted permission.
Granting authorization may depend on:
Identity
Client characteristic (e.g., age, domain)
Access control list (ACL) is still the primary technology.
So, what's the difference between authentication & authorization?

Non-Repudiation (Auditing)
Preventing both the sender & receiver of information from denying their involvement in an exchange.
Sender receives proof of delivery.
Recipient receives proof of origin.
Non-repudiation encompasses:
Approval & sending (origin)
Submission
Transport
Receipt & Knowledge (delivery)

Privacy
The client's expectation that their data will be released only to those parties that they authorize.
Common view of privacy invasions
Cookies
Spyware
Privacy expectations vary across societies and industries.
High: Europe, health care (HIPAA Privacy Rule)
Low: North America in general

Fundamental Technologies

Introduction to Encryption
A mathematical process for transforming a plain text message into cipher text.
A cipher is an algorithm for encrypting or decrypting a message.
Classical ciphers: substitution & transposition
Modern ciphers: mathematical transformations
Symmetric vs. asymmetric
Block vs. stream
A cipher is said to be strong if it cannot be broken by a brute-force attack (i.e., trying all possible keys)

Symmetric Key Algorithms
The sender/receiver use the same key to encrypt/decrypt a message.
Examples: AES, Blowfish, DES, Triple-DES
Not all algorithms are created alike.
Secrecy of the key
Key length
Inversion of the encryption algorithm
Known parts of the plaintext.
Biggest advantage: speed
Biggest disadvantages: key exchange, storage

How DES Works
56-bit key length (64 - 8 parity bits)
Actual # of keys (human-entered) = 96^8
No longer considered a strong algorithm.
Triple-DES produces effective length of 168 bits
Source: Web Engineering, Kappel et al.

Public Key Algorithms
Sender and receiver employ different keys for encrypting/decrypting a message.
Each person/entity has a public-private key pair
Private key must never be revealed!
Examples
Diffie-Hellman: originally proposed in 1975.
RSA
Most commonly used for encryption and digital signatures.

How Public Key Algorithms Work
Source: Web Security, Privacy & Commerce. Garfinkel.

Digital Signatures
Rely on public key algorithms and hash functions to provide:
Integrity
Non-repudiation
Authentication
A hash function (e.g., MD5, SHA-1) creates a small message digest, or fingerprint, of the much larger original message.
By signing the digest with a private key, it becomes virtually impossible to alter a message without detection.

Digital Certificates & PKI
In reality, public key encryption is viable provided we can trust the integrity of the public key itself.
Public Key Infrastructures provide this integrity through delegated trust.
X.509 Digital Certificates: bind public keys to the identity of the private key holder
PGP and GPG
A Certification Authority (CA) digitally signs issued certificates to vouch for the integrity of the certificate.

The Limits of Cryptography
Encryption is but one of the tools necessary for Web security.
Encryption alone doesn't solve all security problems.
Unencrypted documents
Stolen keys
Denial-of-service attacks
Traffic analysis
Compromised encryption programs
Human errors

Secure Client/Server Interaction

Secure vs. Non-secure Apps
So, why aren't the secure apps adopted?
Security vs. convenience.
Average user is unaware of them.
Costs outweigh benefits.

Purpose               Non-secure   Secure
Web browsing          HTTP         HTTPS (SSL)
File Transfer         FTP          SFTP, SCP
Remote Access (UNIX)  Telnet       SSH

Secure Sockets Layer (SSL)
Originally released by Netscape (1996), allowing for:
Authentication of the server & client (dig. sig.)
Confidentiality (encryption)
Integrity (message authentication codes)
SSL's features have made it popular
Separation of duties
Efficiency
Certificate-based authentication
Protocol agnostic (doesn't require TCP/IP)
Protection against certain attacks

SSL Handshake, Step by Step
1. Client sends HTTPS request, including info about its cryptographic settings.
2. Server replies with its encryption settings and its certificate.
3. Client verifies validity of certificate.
Is issuing CA trusted?
Verify signature with CA's public key.
Verify validity period.
Verify domain name.
Verify certificate is not on revocation list.

SSL Handshake, Step by Step - 2
4. Client generates a pre-master secret, encrypts it using server's public key, and sends to server.
5. Client & server generate a master secret based on the pre-master secret.
6. Using master secret, both client & server generate a symmetric key for the session.
7. Client informs server that future messages will be encrypted; sends encrypted messages acknowledging completion.
8. Server does the same.

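Step 3 of the handshake, the five certificate checks, worked through as an added example (not code from the lecture). It also shows the digital-signature and delegated-trust mechanism from the earlier slides, since the CA signs a digest of the certificate body with its private key and the client verifies it with the CA's public key. The CA key pair, the certificate layout, the trust store and the revocation list are all constructed for the example.

```python
"""Step 3 of the handshake: the client checks the server's certificate.
The CA signed a digest of the certificate body with its private key, which
is exactly the digital-signature mechanism from the earlier slide; the
client repeats the five checks the handshake slide lists."""
import hashlib
import json
from datetime import datetime

# Constructed, educational RSA key pair for the CA, built from the Mersenne
# primes 2^521-1 and 2^607-1. Anyone can recompute d, and the signing is
# unpadded "textbook" RSA, so this is for illustration only; real CAs use
# vetted libraries with PKCS#1 v1.5 or PSS padding.
P, Q, E = (1 << 521) - 1, (1 << 607) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))                # needs Python 3.8+
CA_PUBLIC, CA_PRIVATE = (E, N), (D, N)
TRUSTED_CAS = {"Example Root CA": CA_PUBLIC}     # the client's trust store
REVOKED_SERIALS = {"0x2"}                        # constructed revocation list


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def tbs_bytes(cert: dict) -> bytes:
    """Canonical 'to be signed' body: every field except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def ca_sign(cert: dict, private_key=CA_PRIVATE) -> dict:
    """What the CA does once: sign the digest of the body with its private key."""
    d, n = private_key
    return {**cert, "signature": pow(digest(tbs_bytes(cert)), d, n)}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or one '*' standing for exactly one leftmost label:
    *.example.com matches www.example.com but not example.com or a.b.example.com."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify_certificate(cert: dict, hostname: str, now_iso: str) -> list:
    """Return the failed checks; an empty list means the certificate is accepted.
    Times are ISO 8601 strings with a UTC offset (a format assumed here)."""
    failures = []
    ca_key = TRUSTED_CAS.get(cert["issuer"])
    if ca_key is None:
        failures.append("issuing CA not trusted")
    elif pow(cert["signature"], ca_key[0], ca_key[1]) != digest(tbs_bytes(cert)):
        failures.append("signature does not verify with CA public key")
    now = datetime.fromisoformat(now_iso)
    if not (datetime.fromisoformat(cert["not_before"]) <= now
            <= datetime.fromisoformat(cert["not_after"])):
        failures.append("outside validity period")
    if not any(hostname_matches(n, hostname) for n in cert["names"]):
        failures.append("domain name does not match")
    if cert["serial"] in REVOKED_SERIALS:
        failures.append("certificate is revoked")
    return failures


# Constructed server certificate issued by the trusted CA.
SERVER_CERT = ca_sign({
    "serial": "0x1",
    "issuer": "Example Root CA",
    "subject": "shop.example.com",
    "names": ["shop.example.com", "*.shop.example.com"],
    "not_before": "2019-01-01T00:00:00+00:00",
    "not_after": "2020-01-01T00:00:00+00:00",
    "public_key": "PLACEHOLDER-server-public-key",
})

if __name__ == "__main__":
    when = "2019-08-08T00:00:00+00:00"
    print(verify_certificate(SERVER_CERT, "shop.example.com", when))   # []
    forged = {**SERVER_CERT, "names": ["bank.example.com"]}            # edited after signing
    print(verify_certificate(forged, "bank.example.com", when))
```

Editing any field after signing (the forged certificate above) changes the digest, so the signature no longer verifies: that single check is what gives the client integrity and authentication of the server's public key.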
Authentication Methods
We're all familiar with login/password.
Best practice: use SSL-secured connections.
Also wise to store hashed or encrypted passwords on server.
Digital Certificates
Can be used for email or web browsing.
Average user does not possess one.
Single sign-on
Example systems: Kerberos, Microsoft Passport
Upon initial sign-on, clients receive a token.
Can be used across an organization or enterprise.

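What "store hashed passwords on the server" looks like in practice, as an added example (not from the lecture): a salted, deliberately slow hash is stored instead of the password, and the check recomputes it. The record layout, the iteration count and the sample users are assumptions of this example.

```python
"""Storing hashed passwords on the server: keep a salted, slow hash instead
of the password, so a copied password file does not hand over the logins."""
import hashlib
import hmac
import os

# Tunables chosen for this example; production servers use more iterations.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str) -> str:
    """Build the string stored for one user. The record layout is assumed
    here: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def check_password(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time so response timing does not leak how much matched."""
    try:
        algorithm, iterations, salt_hex, stored_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(stored_hex))


if __name__ == "__main__":
    # Constructed user table: the server never sees the plaintext again.
    users = {"alice": make_record("correct horse battery staple")}
    print(check_password(users["alice"], "correct horse battery staple"))  # True
    print(check_password(users["alice"], "password123"))                   # False
    # Same password, different salt, different record: no shared hashes.
    print(make_record("same") != make_record("same"))                      # True
```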
Authorization & Access Controls
Authorization policies specify what resources authenticated users may access.
For files, access control lists (ACL) are the most popular mechanism.
Explicitly ALLOW or DENY access
OS or Web server level (e.g., .htaccess files in Apache)
Individual, group, role, or everyone.
Domain, user characteristics, time of day, etc.
For greater security, evaluation points (page, gateway) are separated from the decision point (application).

Securing the Client

Overview
What you can control, as a service provider:
SSL-enabled connections
Preserving Privacy
Sandboxes & Code signing
What you can't control
Desktop security
Anti-virus applications
Firewalls
Intrusion detection
Phishing and web spoofing

Preserving Privacy
Platform for Privacy Preferences (P3P)
W3C standard for privacy policies (2002).
Supported by major browsers.
An XML-based standard for publishing privacy policies.
Allows privacy agents (e.g., Privacy Bird) to evaluate a website's privacy policy for you.
Relies on good faith of websites.
Motivation
Help users gain more control over disclosure of personal information.
Help organizations gain customers' trust.

Sandboxing & Code Signing
Sandbox: restricted environment for downloaded code (e.g., a Java applet).
E.g., cannot access file system.
Restricts both malicious and trusted.
If more functionality is required
User adjusts security policy (highly unlikely)
Service provider digitally signs code.
Both Java and ActiveX rely on code signing.
Signed code is potentially trusted code.
Unsigned or untrusted code is rejected.

Securing the Desktop
Threats enter the system at the most vulnerable points.
Email/websites
User curiosity
Measures the average user is asked to take:
Patch operating system
Install, enable, and update virus protection
Install, enable, and update firewall
Beware of adware and spyware.
Ongoing debate: automation vs. education

Phishing & Web Spoofing
Because SSL makes intercepted messages virtually impossible to break, determined attackers go after the endpoints.
Steal data from server/client
Dupe clients into volunteering data
Email and website look legitimate
Convincing URLs
Financial company websites are among the greatest at risk.
Business based on trust.
Highest potential payoff for attacker.

Anti-Phishing Mechanism

Securing the Server

Physical Security
The majority of attacks originate internally.
As with Web access, physical access should be kept to the minimum required (least privilege).
Though physical security needs vary dramatically, every organization should:
Have a physical security plan
Have a disaster security plan
Have a (data) backup plan, including verification.
Contingency plans for loss of service, staff.

Backing up Data
You can't predict the next emergency, so making regular backups is vital.
Means of backup will depend on budget, value of data, amount of data
CD backups
Tape backups
RAID
Back up anything unique to your system.
Performing the backup is not enough: does the backup actually work???

Secure Operation
The longer a computer is run, the less secure it becomes.
As a system administrator, be sure to:
Patch your system
Keep informed of known vulnerabilities
Keep and rotate logs
Turn off unnecessary services
Of course, backups
Utilize security tools
Tripwire: intrusion & change detection
KSA: snapshot & network scanning

More on Access Controls
3 Ways to restrict access
Hidden URLs
Host-Based restrictions
Identity-Based restrictions
An example .htaccess file in Apache:
AuthUserFile /home/jgrady/htpasswd/.htpasswd
AuthName Admin Section
AuthType Basic
order deny,allow
deny from all
allow from 71.240.12
require user homework

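How Apache 2.2 combines the directives in that .htaccess file, worked through as an added example (not code from the lecture or from Apache): "order deny,allow" means Deny is evaluated first and Allow overrides it, "require user" adds the identity-based check, and the default "Satisfy all" demands that both pass. The .htpasswd stand-in and the sample client addresses are constructed for the example.

```python
"""Evaluate the lecture's .htaccess directives the way Apache 2.2 combines
them: 'Order deny,allow' (Allow overrides Deny, default allow) for the
host-based part, 'Require user' for the identity-based part, and the default
'Satisfy all', which demands that both pass."""
import base64
from dataclasses import dataclass, field
from typing import List, Optional

HTACCESS = """\
AuthUserFile /home/jgrady/htpasswd/.htpasswd
AuthName Admin Section
AuthType Basic
order deny,allow
deny from all
allow from 71.240.12
require user homework
"""

# Constructed stand-in for the .htpasswd file (user -> password). A real
# .htpasswd stores password hashes, not the passwords themselves.
HTPASSWD = {"homework": "constructed-demo-password"}


@dataclass
class Policy:
    order: str = "deny,allow"
    deny: List[str] = field(default_factory=list)
    allow: List[str] = field(default_factory=list)
    users: List[str] = field(default_factory=list)


def parse_htaccess(text: str) -> Policy:
    """Collect the Order/Deny/Allow/Require directives; the Auth* lines only
    configure the login dialog and are not needed for the decision."""
    policy = Policy()
    for raw in text.splitlines():
        directive, _, value = raw.strip().partition(" ")
        directive, value = directive.lower(), value.strip()
        if directive == "order":
            policy.order = value.lower()
        elif directive in ("deny", "allow") and value.lower().startswith("from "):
            getattr(policy, directive).append(value[5:].strip())
        elif directive == "require" and value.lower().startswith("user "):
            policy.users.extend(value[5:].split())
    return policy


def host_matches(pattern: str, client_ip: str) -> bool:
    """'all' matches everything; a partial dotted address matches on whole
    leading octets (71.240.12 matches 71.240.12.7 but not 71.240.120.1)."""
    if pattern == "all":
        return True
    return (client_ip + ".").startswith(pattern.rstrip(".") + ".")


def host_allowed(policy: Policy, client_ip: str) -> bool:
    denied = any(host_matches(p, client_ip) for p in policy.deny)
    allowed = any(host_matches(p, client_ip) for p in policy.allow)
    if policy.order == "deny,allow":   # Deny first, Allow overrides; default allow
        return allowed or not denied
    return allowed and not denied      # allow,deny: Deny overrides; default deny


def basic_credentials(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def user_allowed(policy: Policy, authorization: Optional[str]) -> bool:
    """Identity-based part: the request must log in as one of the named users."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return user in policy.users and HTPASSWD.get(user) == password


def request_allowed(policy: Policy, client_ip: str, authorization: Optional[str]) -> bool:
    """Satisfy all (the default): host restriction AND user login must both pass."""
    return host_allowed(policy, client_ip) and user_allowed(policy, authorization)
```

Note that "allow from 71.240.12" is a prefix on octet boundaries, so a request from 71.240.120.1 is still denied; a loose string-prefix check would get this wrong.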
Securing Web Applications

Securing Web Apps - Overview
CGI, scripting languages, and server modules not only extend functionality, but also risk.
Keys to writing secure code
Design carefully
Have someone else look at your design
Code and test iteratively
Validate all user-provided values: many bugs arise because of unexpected input.
Check arguments to OS functions and return codes.
Write to a dedicated log file.
Reuse (trusted) code.

Cross-Site Scripting (XSS)
An attack that exploits vulnerabilities in dynamic Web pages: lack of validation
Example: Simple check using alert( );
alert('Whoops');
If the above works, then it's possible for an attacker to grab cookies via a remote script.
In PHP, simply passing the above through filter_input( ) would prevent the XSS.
Additionally, validating the response is a good idea.

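The lecture's alert( ) probe reflected by a page that echoes a search term, beside the validated and escaped version, as an added example (not the lecture's code, and Python rather than PHP; the allow-list for the search term is an assumption of this example).

```python
"""Reflected XSS: a page echoes a user-supplied value. The defence is to
validate the input (the role filter_input() plays in PHP) and to escape
the output for the HTML context it lands in."""
import html
import re

# The lecture's probe string, as it would arrive in a request parameter.
PROBE = "<script>alert('Whoops');</script>"

# Assumed allow-list for a search box: word characters, spaces and a few
# punctuation marks, at most 64 characters.
SEARCH_TERM = re.compile(r"[\w \-.,']{1,64}")


def input_is_acceptable(value: str) -> bool:
    """Validation: reject anything outside the characters a search box needs."""
    return SEARCH_TERM.fullmatch(value) is not None


def render_vulnerable(query: str) -> str:
    """Echoes the value verbatim, so a <script> element in it becomes live
    script in the victim's browser (with access to the page's cookies)."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Escapes &, <, >, double and single quotes so the browser shows them as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_script_element(page: str) -> bool:
    """Crude response check: does the page still contain a live <script> tag?"""
    return "<script" in page.lower()


def handle_search(query: str) -> str:
    """What a hardened handler does: validate first, then escape on output,
    because validation alone breaks the moment the allow-list is loosened."""
    if not input_is_acceptable(query):
        return "<p>Invalid search term.</p>"
    return render_safe(query)


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # the alert would fire in a browser
    print(render_safe(PROBE))         # &lt;script&gt;alert(&#x27;Whoops&#x27;);&lt;/script&gt;
    print(handle_search(PROBE))       # <p>Invalid search term.</p>
```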
SQL Injections
Passing code into an application that was not intended by the developer
Takes advantage of poor input validation & other improper coding
May also exploit over-privileged database accounts, gaining unauthorized access to data and OS resources
Example: Type ' OR ''=' into password field.
Scarier example:
'exec master..xp_cmdshell 'net user hacker1 nopassword /ADD'--

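Why the password-field example works against a query built by string concatenation and not against a parameterised one, as an added example (not the lecture's code) run against an in-memory SQLite table constructed for the purpose.

```python
"""Login query built by string concatenation versus a parameterised query,
run against an in-memory SQLite table so the difference can be observed."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
# Constructed row; a real table would store a password hash, not the password.
conn.execute("INSERT INTO users VALUES ('alice', 'constructed-demo-secret')")

# The lecture's password-field input.
INJECTION = "' OR ''='"


def built_query(name: str, password: str) -> str:
    """The exact SQL text the vulnerable version hands to the database."""
    return (f"SELECT COUNT(*) FROM users WHERE name='{name}' "
            f"AND password='{password}'")


def login_vulnerable(name: str, password: str) -> bool:
    """Pastes user-provided text into the SQL, so a quote inside it ends the
    string literal early and the rest is parsed as SQL. With the lecture's
    input the WHERE clause becomes: name='...' AND password='' OR ''=''
    and the final OR ''='' is always true, whatever the name and password."""
    return conn.execute(built_query(name, password)).fetchone()[0] > 0


def login_safe(name: str, password: str) -> bool:
    """Binds the values as parameters; the query text never changes, so the
    same input is simply a wrong password."""
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    print(built_query("alice", INJECTION))
    print(login_vulnerable("nobody", INJECTION))   # True: logged in without a password
    print(login_safe("nobody", INJECTION))         # False
```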
Securing PHP - Configuration
The php.ini file gives you control over PHP's behavior.
Some best practices
Do not install the standalone binary in the cgi-bin; install it outside the web server's hierarchy.
Install only those modules that are absolutely needed.
Set display_errors = off; log_errors=on;
Set register_globals=off;
Look for any files named or titled phpinfo*, and remove them: there is no need to advertise this information.

Securing Your PHP Code
Again, validate input, especially when
Building SQL strings.
Running file commands.
Running system commands.
Check user credentials on each page.
Protect session IDs by using session_regenerate_id( ) function.
PHP website suggests hiding your code by making it look like some other file type (e.g., .html)
Security by obscurity is weak.

Threats to Availability
An attacker does not have to steal data to cause economic loss.
Denial-of-service
Preventing a web server from serving requests.
Attacks can be on CPU, memory, or disk.
Can also be the result of accidents or negligence.
Buffer overflows
Caused by making erroneous assumptions about the length of user input.
User input is larger than pre-allocated memory

Final Thoughts
Like testing & documentation, security is the responsibility of all team members.
Multiple minds find more potential risks.
Blurring of the boundaries between application and platform.
If nothing else, remember
Backup frequently!
Validate user input!
Keep your OS and security software up-to-date
Use the concept of least privilege

BYOP