Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Similar documents
PHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Application Security. Philippe Bogaerts

Copyright

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

1 About Web Security. What is application security? So what can happen? see [?]

Ruby on Rails Secure Coding Recommendations

HTTP Protocol and Server-Side Basics

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Application vulnerabilities and defences

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

P2_L12 Web Security Page 1

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Bank Infrastructure - Video - 1

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Curso: Ethical Hacking and Countermeasures

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Welcome to the OWASP TOP 10

Web Application Vulnerabilities: OWASP Top 10 Revisited

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Ethical Hacking and Prevention

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Advanced Web Technology 10) XSS, CSRF and SQL Injection

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Solutions Business Manager Web Application Security Assessment

Security Testing White Paper

C1: Define Security Requirements

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Access Controls. CISSP Guide to Security Essentials Chapter 2

Hacking by Numbers OWASP. The OWASP Foundation

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Sichere Software vom Java-Entwickler

CSCD 303 Essential Computer Security Fall 2018

Application Layer Security

SECURE CODING ESSENTIALS

epldt Web Builder Security March 2017

Accounting Information Systems

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

CIS 4360 Secure Computer Systems XSS

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

WEB SECURITY: XSS & CSRF

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

Tutorial: Web Application Security

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Certified Secure Web Application Engineer

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

ANTIVIRUS SITE PROTECTION (by SiteGuarding.com)

Security. 1 Introduction. Alex S. 1.1 Authentication

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Web Application Whitepaper

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0


Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Security Course. WebGoat Lab sessions

DreamFactory Security Guide

Developing Web Applications

OWASP TOP 10. By: Ilia

Secure Coding, some simple steps help. OWASP EU Tour 2013

CSCD 303 Essential Computer Security Fall 2017

EasyCrypt passes an independent security audit

Architecture. Steven M. Bellovin October 31,

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

CSCE 813 Internet Security Case Study II: XSS

The security of Mozilla Firefox s Extensions. Kristjan Krips

ANTIVIRUS SITE PROTECTION (by SiteGuarding.com)

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Client Portal FAQ's. Client Portal FAQ's. Why is the Portal more secure?

Endpoint Security - what-if analysis 1

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

PRESENTED BY:

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Your Turn to Hack the OWASP Top 10!

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Information Security. Gabriel Lawrence Director, IT Security UCSD

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Transcription:

Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25

Outline Web insecurity Security strategies General security Listing of server-side risks Language specific security Web Programming Web Security Slide 2/25

PHP-security information on the web Quotes from an on-line forum: Web Programming Web Security Slide 3/25

PHP-security information on the web Quotes from an on-line forum: Perl/CGI scripts are very insecure. A PHP programmer does not have to worry about security. Web Programming Web Security Slide 3/25

PHP-security information on the web Quotes from an on-line forum: Perl/CGI scripts are very insecure. A PHP programmer does not have to worry about security. At first my remote connection to Mysql did not work, but then I discovered I only had to stop my firewall and it worked fine. Web Programming Web Security Slide 3/25

PHP-security information on the web Quotes from an on-line forum: Perl/CGI scripts are very insecure. A PHP programmer does not have to worry about security. At first my remote connection to Mysql did not work, but then I discovered I only had to stop my firewall and it worked fine. You can use HTTP REFERER to make sure that your site can only be accessed from your web form. Web Programming Web Security Slide 3/25

All you need to connect to a database with PHP is something like this: <?php $db = pg pconnect("host=localhost,dbname=a,user=b"); pg exec($db,"select * from $table";);?> Web Programming Web Security Slide 4/25

To send an email with PHP back to a user, you ll need something like this: <?php $body = "Hi, How are you?"; mail($user, "Subject", $body)?> Web Programming Web Security Slide 5/25

Apache error log: 66.147.118.70-[7/7/06] GET /phpadmin/main.php HTTP/1.1 404 66.147.118.70-[7/7/06] GET /phpmyadmin1/main.php HTTP/1.1 404 66.147.118.70-[7/7/06] GET /phpadmin-2/main.php HTTP/1.1 404 Web Programming Web Security Slide 6/25

Web Programming Web Security Slide 7/25

Scripting languages are different If you search the Web for information on PHP: you may find useless information. Web Programming Web Security Slide 8/25

Scripting languages are different If you search the Web for information on PHP: you may find useless information. If you search the Web for information on Haskell: you ll find accurate information. Why? Web Programming Web Security Slide 8/25

Scripting languages are different If you search the Web for information on PHP: you may find useless information. If you search the Web for information on Haskell: you ll find accurate information. Why? For PHP: only trust the official manual!!! Web Programming Web Security Slide 8/25

Server-side applications... Client-server separation. End-users and content providers have different security requirements. Browser security versus server security. Web space is often hosted externally and shared with other users. Most HTTP traffic is plain text (non encrypted). Limitations of the HTTP-protocol. Web Programming Web Security Slide 9/25

Server-side applications (continued) Even with sessions: security checks are required for each data transfer, i.e. more than once per session. Security problems apply equally to all scripting languages (Perl, PHP, ASP, etc). But some languages are more open about the problems while others keep more details hidden from the programmers. Web Programming Web Security Slide 10/25

Security Strategies Prevention security guidelines, advisories, common sense Detection monitor webserver logs, system activity, detection software Response script-level, webserver, institutional policies Web Programming Web Security Slide 11/25

Software testing Traditional approaches for software testing (functional testing, user testing,...) are useless for security validation. Security validation: no debugging, no immediate feedback no clear testing protocols different types of problems are possible: requires lateral thinking Web Programming Web Security Slide 12/25

Security Engineering see patterns & practices Security Engineering Index (msdn.microsoft.com) Security objectives Threat modelling Security design guidelines Security architecture and design reviews Security code reviews Security testing Security deployment reviews Web Programming Web Security Slide 13/25

General security risks Physical security Social engineering and human error (e.g. insecure passwords) Eavesdropping, man-in-the-middle attacks Software flaws (buffer overflows) Software vulnerabilities (check security advisories) Outdated software Installation of malicious software: Trojan horses, back doors, viruses, worms Denial of service (DoS) attacks Web Programming Web Security Slide 14/25

Webserver security Web space is often hosted externally and shared with other users. Files with permission 755 or 644 can be read by other users on the same host. Disallow server-side includes. Disallow indexes. Only store files in the public html directory if they really need to be there. Security through obscurity. Set usage limits for script CPU time and storage space. Web Programming Web Security Slide 15/25

Webserver security (continued) Apache s mod security Place Apache in a chroot directory. POST filtering based on headers, values, IP addresses. POST payload analysis. Restrict the use of certain HTML tags (e.g. <script>). Prevent SQL injection ( delete, insert ). Prevent SHELL commands. etc Of course, the server will run slower and use more memory. Web Programming Web Security Slide 16/25

Other server functions Email: protect against spam and phishing Install email server on different machine from webserver. Don t allow the www user to send email. HTACCESS Useful for group-based restriction to part of site, not very useful for login/registration of users. Database DB security and script security need to be integrated. Web Programming Web Security Slide 17/25

Client-side threats Content spoofing: tricks a user into believing content is from a different website (e.g. using redirection). Cross-site scripting (XSS): forces a website to display malicious code in a user s browser. Phishing: masquerading as a trustworthy website in order to obtain user s passwords, bank details etc. Spam: unwanted email. Hacker abuses script that sends emails to unchecked addresses entered via a web form. These are server threats, if your server or script is the one that is being abused by a hacker in this manner. Web Programming Web Security Slide 18/25

General server-side threats Trojan horses: code downloaded from somewhere and integrated into a script without being carefully checked. Predictable resource location: hackers scan for predictable names of scripts and files that could be abused. Directory indexing and path traversal: list directory contents, if index.html does not exist. These can all lead to information leakage. Web Programming Web Security Slide 19/25

Hacker pretends to be another user Authentication: insufficient authentication or obtaining passwords by brute force or by recovering another user s password. Authorisation: insufficient authorisation or hijacking another user s session. Cross-site request forgery: forces one user s browser to make a HTTP request pretending to be another user. Session hijacking: hacker predicts session ID or captures it from another user s cookie or HTTP request by cross-site request forgery. Sessions and cookies cannot be trusted to come from the correct user. Web Programming Web Security Slide 20/25

Unchecked user input HTML injection: user enters Javascript etc into textfields of a web form. Defacing: user enters <img> etc into a guestbook or forum, which then displays the image to other users. (Phishing and XSS can be achieved in this manner.) Spoofed form submission or spoofed HTTP request: User guesses hidden variables or filenames used in a script and uses them to disclose information or opening files. User edits the query string or POST data. User edits environment variables: HTTP REFERER, HTTP USER AGENT, etc can never be trusted. Unencrypted cookies can be read and modified by user. Solution: remove all HTML tags and special characters from form data. Check all form variables. Make no assumptions about form variables, environment variables or cookies. Encrypt cookies. Web Programming Web Security Slide 21/25

Unchecked user input sent to other processes SQL injection: user data from a web form is directly entered into an SQL statement without careful checking. (E.g. user enters 0; additional query; - -.) Similar: LDAP injection, SSI injection, etc. Shell access: user could try to start a new process or to open shell from database. Information leakage: disclose hidden information, for example, user enters somebody@somewhere</etc/passwd; as an email address. Solution: remove special characters (e.g. semicolon) from user data. Check all user input. Apply some heuristics for checking email addresses or check them manually. Web Programming Web Security Slide 22/25

How paranoid does one need to be? If your site doesn t store sensitive data, then you probably mainly need to worry about information leakage, shell access and general server threats. You don t need to worry about sessions and cookies. Defacing, phishing, and XSS mostly apply to websites that permanently display external data (guestbooks, forums, wikis, hosted blogs). The less a script interacts with other resources on the server (email, database, opening files), the more secure it is. If you are storing sensitive customer data (addresses, credit card numbers, etc), then you must encrypt the whole session using SSL and you must check for all possible threats. Web Programming Web Security Slide 23/25

PHP security Read the security part in the PHP manual. Use the latest version of PHP (which is more secure). Use appropriate functions: htmlspecialchars(); strip tags(); add slashes(); mysql real escape string(); etc. Encrypt cookies: setcookie(base64 encode($cookie)). Apply hardening patch or Suhosin to PHP before installing. PHP safe mode: no longer available in PHP 6.0 because it is misleading. open basedir: only files in specified directory-tree can be opened. Web Programming Web Security Slide 24/25

Perl security Read about Perl and CGI security in the W3 Security FAQ. Use tainted mode (Perl -T). Be extremely careful with system calls, backticks, open(), etc. Check user input. A few lines of regular expression code should do the trick. Web Programming Web Security Slide 25/25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback