Web Security

Gerald Z. Villorente
Lorma Colleges, San Fernando, La Union

Posted on 18-Nov-2014

TRANSCRIPT

Page 1: Web Security

Web Security
Gerald Z. Villorente
Lorma Colleges, San Fernando, La Union

Page 2: Web Security

if [ "$SLIDE" = "intro" ]; then
  echo "I'm Gerald Z. Villorente"
fi

● Senior Web Developer, Kite Systems Ltd., Hong Kong / Philippines

● Drupal Developer, Cable Network News (CNN) Travel, Hong Kong / Atlanta, USA

● System Administrator, InternetJail, Oregon, USA

● Drupal Phil. Users Group (DPUG) member

● Freelancer

Page 3: Web Security

Agenda

● Security levels

● Aspects of Data Security

● Most common Web application threats and countermeasures

● Principles of Secure Development

● Best Practices

● Tools

Page 4: Web Security

What is a Web Application?

• Any application that is commonly served over the HTTP or HTTPS protocol

• Usually running on port 80 or port 443

• Served from a remote computer acting as the host/server

Page 7: Web Security

What is Web Security?

• A.k.a. "Cyber Security": protecting all information by preventing, detecting, and responding to attacks

• A state of being free from damage and compromise

• A condition of being protected against danger or loss

Page 10: Web Security

Security Levels

• Server level

• Network level

• Application level

• User level

Page 14: Web Security

Security Levels

• Server level
  - Ensure you have installed the latest operating system security patches.
  - Keep your web server software up-to-date.
  - Limit access from the Internet to your servers. Use firewall software to block access to any port but the following:
    * 80
    * 443 (SSL, only if your application uses it)
    * 22 (SSH, SCP)
    * 21 (not recommended)
• Network level
• Application level
• User level

Page 15: Web Security

Security Levels

• Server level
• Network level
  - Place servers that your users do not directly interact with (e.g., a back-end database server) in a private network that is inaccessible from the Internet. If that is not possible, then use firewall software to block access from any computer other than your web server.
• Application level
• User level

Page 16: Web Security

Security Levels

• Server level
• Network level
• Application level
  - Never store passwords in clear text. Instead, use a hashing algorithm such as MD5 or SHA-256 to create a signature of the user's password for storage.
  - Generate a unique signature for the user based on the login and password and store that in the cookie.
  - Carefully check any parameters you pass to SQL statements in your application. Validate all user inputs.
  - Purge unused/unnecessary user data from your system regularly.
• User level
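An added example, not from the slides, of the first two application-level points: it stores a password hash and issues a login cookie whose HMAC signature covers the login and that hash, so editing either part invalidates the cookie. It uses PHP's password_hash() (salted bcrypt) rather than the bare MD5 or SHA-256 the slide names, because an unsalted fast hash is cracked offline far too quickly; it assumes PHP 7.1+, and COOKIE_KEY is a placeholder for a server-side secret.

```php
<?php
// Added example (not from the slides). Assumes PHP 7.1+.
// COOKIE_KEY is a placeholder: in production load a long random secret
// from configuration, never from source control.
const COOKIE_KEY = 'placeholder-replace-with-a-long-random-server-secret';

// Registration: store only the hash, never the clear-text password.
// password_hash() picks a random salt and a slow algorithm (bcrypt today).
function store_password(array &$users, string $login, string $password): void
{
    $users[$login] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: password_verify() re-hashes with the stored salt and compares.
function check_password(array $users, string $login, string $password): bool
{
    return isset($users[$login]) && password_verify($password, $users[$login]);
}

// Cookie value = login + HMAC(login | password hash). Because the hash is
// part of the signed data, changing the password also revokes old cookies.
function cookie_signature(string $login, string $passwordHash): string
{
    return hash_hmac('sha256', $login . '|' . $passwordHash, COOKIE_KEY);
}

function make_login_cookie(array $users, string $login): string
{
    return $login . '.' . cookie_signature($login, $users[$login]);
}

// Verify a cookie presented by the browser: returns the login it proves,
// or null when the signature does not match (constant-time comparison).
function verify_login_cookie(array $users, string $cookie): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || !isset($users[$parts[0]])) {
        return null;
    }
    [$login, $sig] = $parts;
    $expected = cookie_signature($login, $users[$login]);
    return hash_equals($expected, $sig) ? $login : null;
}

// Constructed demo data.
$users = [];
store_password($users, 'alice', 'correct horse battery staple');
store_password($users, 'admin', 'S3cret!');

echo 'alice, right password: ', check_password($users, 'alice', 'correct horse battery staple') ? 'ok' : 'denied', PHP_EOL;
echo 'alice, wrong password: ', check_password($users, 'alice', 'wrong') ? 'ok' : 'denied', PHP_EOL;

$cookie = make_login_cookie($users, 'alice');
echo 'genuine cookie proves: ', verify_login_cookie($users, $cookie) ?? 'nobody', PHP_EOL;

// Rewriting the login part of a valid cookie does not yield the admin account,
// because the signature was computed over "alice" and alice's hash.
$tampered = 'admin.' . explode('.', $cookie, 2)[1];
echo 'tampered cookie proves: ', verify_login_cookie($users, $tampered) ?? 'nobody', PHP_EOL;
```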

Page 17: Web Security

Security LevelsSecurity LevelsSecurity LevelsSecurity Levels

• Server level
• Network level
• Application level
• User level
  - Protecting yourself starts with recognizing the risks and becoming familiar with some of the terminology associated with them.
  - Keep your personal information private.
  - Use complex passwords.
  - Keep your computer free of viruses, worms, keyloggers, trojans, malware, etc.

Page 18: Web Security

Aspects of Data Security

• Privacy - keeping your information private

• Integrity - knowing that the information has not been changed

• Authenticity - knowing who sent the information

Page 22: Web Security

Most Common Security Threats

1. Cross-site scripting (XSS)
2. SQL injection
3. Improper error handling
4. Parameter Tampering
5. Application denial-of-service (DDoS)
6. Remote File Inclusion
7. Form Spoofing

Source: OWASP

Page 30: Web Security

Most Common Security Threats

Cross Site Scripting - injecting JavaScript or other scripts that will run on behalf of another user. This code usually steals the cookies (authenticated credentials) of the person who "sees" the infected web page.

Ex:
<script>alert("This site has been hacked!");</script>

Preventions:
1. Filter all foreign data - $filter_user_input = htmlentities($_POST['userinput'], ENT_QUOTES, 'UTF-8');
2. Always assume data to be invalid until it is proved valid.
3. Use BBCode - [b]bold[/b] vs <b>bold</b>

XSS Cheat Sheet
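An added example, not from the slides, that applies preventions 1 and 3 together: every byte of foreign input is escaped with htmlentities() first, and only then are the BBCode tags [b], [i] and [url=http(s)://...] translated into HTML, so the slide's <script> payload reaches the browser as inert text. Assumes PHP 7.1+; the inputs are constructed.

```php
<?php
// Added example (not from the slides). Assumes PHP 7.1+.

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also escapes single quotes, which matters inside attributes.
function escape_html(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape first, then re-enable a small BBCode allow-list. Because the
// input was already escaped, the only HTML that can come out is what these
// three replacements emit; any <tag> the user typed is now &lt;tag&gt;.
function render_bbcode(string $untrusted): string
{
    $safe = escape_html($untrusted);
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $safe);
    // Links: only http(s) schemes, so javascript: URLs never become hrefs.
    // The URL text was escaped above, so it cannot close the attribute.
    $safe = preg_replace(
        '#\[url=(https?://[^\]\s"]+)\](.*?)\[/url\]#s',
        '<a href="$1" rel="noopener">$2</a>',
        $safe
    );
    return $safe;
}

// Constructed inputs: the slide's payload, legitimate BBCode, and a link
// with a disallowed scheme.
$inputs = [
    '<script>alert("This site has been hacked!");</script>',
    'Hello [b]world[/b], see [url=https://owasp.org]OWASP[/url]',
    '[url=javascript:alert(1)]click me[/url]',
    'Tom "O\'Brien" <tom@example.com>',
];

foreach ($inputs as $in) {
    // Unsafe: echo $in;  -- this is the bug the slide describes.
    echo render_bbcode($in), PHP_EOL;
}
```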

Page 31: Web Security

Most Common Security Threats

SQL Injection - an attack where an attacker is able to execute arbitrary SQL code against the database

Ex:
// legit
$sort = 'ASC';
// malicious injection
$sort = '; TRUNCATE USERS';
// actual query
$query = "SELECT * FROM users ORDER BY membership_date $sort";

// output query
SELECT * FROM users ORDER BY membership_date ; TRUNCATE USERS

Page 32: Web Security

Most Common Security Threats

SQL Injection (cont.)

Possible damage:
1. Corrupt data by executing TRUNCATE
2. Alter current data (e.g. change the admin password)

Vectors:
1. Dynamic queries getting values from unsanitized user-submitted data

Prevention (MySQL):
1. Enclose user-submitted values with mysql_real_escape_string()
2. Harden the environment by reducing SQL account permissions, removing unneeded system stored procedures, and auditing password strength
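An added example, not from the slides, that hardens the ORDER BY query from the previous slide. The slide's mysql_real_escape_string() belongs to the old mysql extension, which PHP 7 removed, so this uses PDO instead: the sort direction, which cannot be bound as a parameter, is checked against an allow-list, and the filter value is bound. It assumes PHP 7.1+ with the pdo_sqlite extension and builds an in-memory SQLite table as constructed sample data.

```php
<?php
// Added example (not from the slides). Assumes PHP 7.1+ with pdo_sqlite.

// A sort direction cannot be a bound parameter, so it is allow-listed and
// the canonical value from the map, never the user's string, goes into SQL.
function sort_direction(string $requested): string
{
    $allowed = ['ASC' => 'ASC', 'DESC' => 'DESC'];
    $key = strtoupper(trim($requested));
    if (!isset($allowed[$key])) {
        throw new InvalidArgumentException('invalid sort direction: ' . $requested);
    }
    return $allowed[$key];
}

// Users who joined on or after $minDate, ordered by join date.
function list_users(PDO $db, string $minDate, string $sort): array
{
    $dir = sort_direction($sort);
    // The date is bound, so quotes or semicolons in it are data, not SQL.
    $stmt = $db->prepare(
        "SELECT name, membership_date FROM users
          WHERE membership_date >= :min
          ORDER BY membership_date $dir"
    );
    $stmt->execute([':min' => $minDate]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, membership_date TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (:n, :d)');
foreach ([['ann', '2013-02-01'], ['bob', '2014-05-09'], ['cy', '2012-11-30']] as $row) {
    $ins->execute([':n' => $row[0], ':d' => $row[1]]);
}

// Legitimate request.
print_r(list_users($db, '2013-01-01', 'DESC'));

// The slide's injection string is rejected before any SQL is built.
try {
    list_users($db, '2013-01-01', '; TRUNCATE USERS');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Injection in a bound value is inert: it is compared as a plain string,
// and the table is still there afterwards.
list_users($db, "2013-01-01'; DROP TABLE users; --", 'ASC');
print_r($db->query('SELECT COUNT(*) AS n FROM users')->fetch(PDO::FETCH_ASSOC));
```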

Page 33: Web Security

Most Common Security ThreatsMost Common Security ThreatsMost Common Security ThreatsMost Common Security Threats

Improper Error Handling - errors are not properly handled by system code

Page 34: Web Security

Most Common Security ThreatsMost Common Security ThreatsMost Common Security ThreatsMost Common Security Threats

Parameter Tampering - based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control.

Ex:
http://www.attackbank.com/savepage.asp?nr=147&status=read

Attack:
http://www.attackbank.com/savepage.asp?nr=147&status=del

Page 35: Web Security

Most Common Security Threats

Denial-of-Service - an attack that makes a computer resource unavailable to its intended users

Resources:
1. Bandwidth
2. CPU

Preventions:
1. Firewall
2. Routers & Switches
3. Intrusion Prevention Systems (IPS)
4. DoS Defense System (DDS)

Page 36: Web Security

Most Common Security Threats

Remote File Inclusion - an attack where the attacker executes a script of their choosing against the target web application

Possible Damage:
1. Expose / modify variable values of the script doing the include
2. Expose stored credentials (e.g. username/password from a web app configuration file)

Vector: user-controllable value of a variable passed to include() or require()

Page 37: Web Security

Most Common Security ThreatsMost Common Security ThreatsMost Common Security ThreatsMost Common Security Threats

Remote File Inclusion

Preventions (PHP):
1. Disable register_globals
2. Disable allow_url_fopen
3. Disable allow_url_include
4. Do not include from a dynamic variable with a user-controllable value
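An added example, not from the slides, of prevention 4: the request parameter is only ever a key into a fixed map of local template files, and the resolved path must still lie inside the template directory, so neither a URL nor a traversal string can reach include() regardless of the allow_url_include setting. Assumes PHP 7.1+; the template directory, its one file and the sample requests are constructed.

```php
<?php
// Added example (not from the slides). Assumes PHP 7.1+.

// Allow-list: request value => file name. Nothing else is includable.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

// Resolve a request value to an existing file inside $pageDir, or null.
function resolve_page(string $requested, string $pageDir): ?string
{
    if (!isset(PAGES[$requested])) {
        return null;                                  // not in the allow-list
    }
    $real = realpath($pageDir . '/' . PAGES[$requested]);
    $base = realpath($pageDir);
    // The file must exist and still live inside the template directory.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function show_page(string $requested, string $pageDir): void
{
    $file = resolve_page($requested, $pageDir);
    if ($file === null) {
        echo '404: no such page', PHP_EOL;            // real app: http_response_code(404)
        return;
    }
    include $file;                                    // only an allow-listed local file
}

// Constructed demo: a temporary template directory holding one file.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/about.php', "<?php echo 'About us', PHP_EOL;");

$requests = [
    'about',                          // allow-listed and present
    'home',                           // allow-listed but file missing
    'http://example.com/remote.txt',  // remote URL: the RFI vector
    '../../etc/passwd',               // directory traversal
];
foreach ($requests as $req) {
    echo str_pad($req, 32), ' => ', resolve_page($req, $dir) ?? 'rejected', PHP_EOL;
}
show_page('about', $dir);

unlink($dir . '/about.php');
rmdir($dir);
```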

Page 38: Web Security

Most Common Security ThreatsMost Common Security ThreatsMost Common Security ThreatsMost Common Security Threats

Form Spoofing - an attack where an HTML form is mimicked or copied and then submitted from a location different from the original

Possible Damage:
1. Bypass client-side validation
2. Mass data insertion resulting in a flood (e.g. guestbook, forum, etc.)

Page 39: Web Security

Most Common Security ThreatsMost Common Security ThreatsMost Common Security ThreatsMost Common Security Threats

Form Spoofing

Vectors:
1. No form tokens present, thus every request sent to the accepting script is considered valid

Preventions:
1. Tokenize the form
2. (Optional) Check the referrer
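An added example, not from the slides, of preventions 1 and 2: a random per-session token is placed in a hidden field, the accepting script rejects any POST whose token is missing or differs from the session's (compared with hash_equals()), and a referrer check is layered on top only as the optional extra the slide describes. Assumes PHP 7.1+ and that session_start() has already populated $_SESSION; here $session stands in for it and the POST bodies are constructed.

```php
<?php
// Added example (not from the slides). Assumes PHP 7.1+.

// Create (or reuse) the session's form token: 32 random bytes as hex.
function form_token(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Hidden field to place inside every <form> the site renders.
function token_field(array &$session): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(form_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Accepting script: true only when the submitted token equals the session's.
// A copied form posted from elsewhere has no way to learn this value.
function token_valid(array $session, array $post): bool
{
    return isset($session['form_token'], $post['token'])
        && is_string($post['token'])
        && hash_equals($session['form_token'], $post['token']);
}

// Optional second check: when a Referer header is present it should name
// this site. Browsers and proxies may strip it, so absence is tolerated.
function referer_ok(array $server, string $host): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return true;
    }
    return parse_url($server['HTTP_REFERER'], PHP_URL_HOST) === $host;
}

// Constructed demo, no web server needed.
$session = [];
echo token_field($session), PHP_EOL;

$posts = [
    'genuine form' => ['name' => 'ann', 'token' => form_token($session)],
    'spoofed form' => ['name' => 'ann', 'token' => 'guess'],
    'no token'     => ['name' => 'ann'],
];
foreach ($posts as $label => $post) {
    echo str_pad($label, 14), token_valid($session, $post) ? 'accepted' : 'rejected', PHP_EOL;
}

echo referer_ok(['HTTP_REFERER' => 'https://www.example.com/guestbook'], 'www.example.com') ? 'referer ok' : 'referer foreign', PHP_EOL;
echo referer_ok(['HTTP_REFERER' => 'https://other.example/copy.html'], 'www.example.com') ? 'referer ok' : 'referer foreign', PHP_EOL;
```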

Page 40: Web Security

The Principles of Secure Development

1. Input Validation
2. Output Validation
3. Error Handling
4. Authentication and Authorisation
5. Session Management
6. Secure Communications
7. Secure Storage
8. Secure Resource Access

Page 41: Web Security

Know your tools

● Each language is different and has different strengths and weaknesses
  * PHP
  * Python
  * .NET
  * ASP
  * Ruby
  * Scala
  * Java

Page 42: Web Security

Best Practices

1. Never ever use a WAMP or XAMPP stack in production
2. Avoid spaghetti code
3. Don't re-invent the wheel
4. Naming conventions
5. Use case-sensitive
6. Secure the filesystem

Page 43: Web Security

if [ "$SLIDE" = "end" ]; then
  echo -n "Any question? [Y/n] "
  read QTN
  if [ "$QTN" = "N" -o "$QTN" = "n" ]; then
    echo "Thank You!"
    exit 1
  elif [ "$QTN" = "Y" -o "$QTN" = "y" ]; then
    echo "Ok I'll try to answer them."
  else
    echo "Email me if you have. Thanks"
  fi
fi
