Secure Coding and Code Review. Berlin : 2012

Similar documents
Web basics: HTTP cookies

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Chrome Extension Security Architecture

Security. CSC309 TA: Sukwon Oh

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

WEB SECURITY: XSS & CSRF

Common Websites Security Issues. Ziv Perry

C1: Define Security Requirements

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web Application Security. Philippe Bogaerts

Application vulnerabilities and defences

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Information Security CS 526 Topic 11

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Security IV: Cross-Site Attacks

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web Security II. Slides from M. Hicks, University of Maryland

Information Security CS 526 Topic 8

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CIS 4360 Secure Computer Systems XSS

Contents. xvii xix xxiil. xxvii

Computer Security CS 426 Lecture 41

Web Security: Vulnerabilities & Attacks

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Web Vulnerabilities. And The People Who Love Them

CSCD 303 Essential Computer Security Fall 2018

RKN 2015 Application Layer Short Summary

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

EasyCrypt passes an independent security audit

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Web Security. Aggelos Kiayias Justin Neumann

COMP9321 Web Application Engineering

Web Security: Vulnerabilities & Attacks

Copyright

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CSC 405 Computer Security. Web Security

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Match the attack to its description:

CS 161 Computer Security

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

W3Conf, November 15 & 16, Brad Scott

PHP is a scripting language that can be embedded into HTML. Estimated 20 million PHP websites as of 2007

Hacking Web Sites Cross Site Scripting

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web security: an introduction to attack techniques and defense methods

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Advanced Web Technology 10) XSS, CSRF and SQL Injection

WHY CSRF WORKS. Implicit authentication by Web browsers

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Security for the Web. Thanks to Dave Levin for some slides

Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer

Reflected XSS Cross-Site Request Forgery Other Attacks

Solutions Business Manager Web Application Security Assessment

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

CS 142 Winter Session Management. Dan Boneh

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Your Turn to Hack the OWASP Top 10!

Ruby on Rails Secure Coding Recommendations

Web Application Penetration Testing

Project 2: Web Security


Application security : going quicker

CSC 482/582: Computer Security. Cross-Site Security

Security for the Web. Thanks to Dave Levin for some slides

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Web Security. Thierry Sans


WebGoat& WebScarab. What is computer security for $1000 Alex?

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Content Security Policy

Pro ASP.NET MVC 2 Framework

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Aguascalientes Local Chapter. Kickoff

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

PHP and MySQL Programming

SECURE CODING ESSENTIALS

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Introduction to Ethical Hacking

Integrity attacks (from data to code): Cross-site Scripting - XSS

Exploiting and Defending: Common Web Application Vulnerabilities

CS 161 Computer Security

IS 2150 / TEL 2810 Introduction to Security

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

eb Security Software Studio

Transcription:

Secure Coding and Code Review Berlin : 2012

Outline Overview of top vulnerabilities Code review practice Secure design / writing secure code Write some secure code Review a volunteer's code

Top Problems Cross-Site Scriptng (xss) Cross-Site Request Forgery (csrf) Register Globals SQL Injection

XSS An attacker is able to inject client-side scripting into a web page, executed by others. May, or may not, be cross-domain. Can result in: Authenticated Requests by victim Session hijacking Click jacking Propagation of Script (xss worm) Internal network access / portscanning

Reflected XSS Javascript in the request is written to the page <input type="text" name="search_term" value="<? echo $_GET['search_term'];?>" /> And if someone sends you a link: page.php?search_term= ><script>alert()</script><!--?

2 nd Order (Stored) XSS Attacker-controlled data is stored on the website, and executable scripts are displayed to the viewer (victim)

3 rd Order (Dom-based) XSS Attacker controls existing DOM manipulations in a way that generates attacker-influenced execution of scripts

Cross-Site Script Inclusion (xssi) (or Javascript Hijacking ) A script with sensitive data is included and manipulated from another domain

Preventing XSS Validate your input Escape your output Mediawiki Tools: Html, Xml, Sanitizer classes jquery elements Jsonp api runs as anonymous

Additional Reading For the theories behind XSS, and why certain filter should be applied, read: https://www.owasp.org/index.php/xss_(cross_s Quick reference of how to escape data in different html/document contexts: https://www.owasp.org/index.php/abridged_xss_

Additional Reading on SOP Understanding cross-domain aspects of xss requires knowledge of the Same Origin Policy (SOP) you are dealing with https://www.owasp.org/index.php/file:sameorigin http://code.google.com/p/browsersec/wiki/part2 The SOP for javascript, XHR, and Flash are different!

Cross-Site Request Forgery (csrf) If a user has an authenticated session established to a secure site, a remote site can reference resources on that site, which will be requested with the authority of the logged-in user. A page on funnykitties.com can call the image : <img src='http://en.wikipedia.com/wiki/index.php? title=some_thing&action=delete' />

Preventing CSRF Tokens written into form just prior to editing, and checked when form is received This is in addition to authentication / authorization checks Tokens must be difficult to predict Mediawiki uses edittoken

Register Globals If register_globals is on, then an attacker can set variables in your script If an attacker can control variables in your script, there is potential for Remote File Inclusion Altering code execution path

Register Global Vulnerabilities include($lang.".php"); <?php //MyScript.php if ( authenticate( $_POST['username'], $_POST['pass'] ) ) { $authenticated = true; } if ( $authenticated ) {... }

Register Global Protections Don't use globals in script paths Ensure your script is called in the correct context if (!defined( 'MEDIAWIKI' ) ) die( 'Invalid entry point.' ); Sanitize defined globals before use Define security-critical variables before use as 'false' or 'null'

SQL Injection Poorly validated data received from the user is used as part of a database (SQL) statement Can result in: Authentication Bypass Data Corruption System Compromise

Preventing SQLi Use MediaWiki built-in database classes and pass key=>value pairs to the functions select(), selectrow(), insert(), insertselect(), update(), delete(), deletejoin(), buildlike()

Additional Top Web Vulnerabilities OWASP Top 10 https://www.owasp.org/index.php/category:owa

Secure Design Principles Simplicity Secure by Default Secure the Weakest Link Least Privilege

Secure Coding Checklist Avoid eval, create_function Regex'es Don't use /e Escape with preg_quote() Filter / Validate your Inputs intval(), getint(), etc Use a whitelist of expected values when possible

Secure Coding Checklist Use HTMLForm class, or include/check $wguser->edittoken Defend against register-globals Use Html and Xml helper classes Use Sanitizer::checkCss to use user's css Use database wrapper functions Write clean, clearly commented code!

Write Some Secure Code Create a Special Page that allows searching, and showing results Assume you have a database of important text data: CREATE table `mydata` (`id` INT, `name` varchar(80), `body` TEXT); Present a search box Search the database for matches in `name` or `body, display matches to user

Review a Volunteer's Code

Secure Coding and Code Review Berlin : 2012

Outline Overview of top vulnerabilities Code review practice Secure design / writing secure code Write some secure code Review a volunteer's code

Top Problems Cross-Site Scriptng (xss) Cross-Site Request Forgery (csrf) Register Globals SQL Injection

XSS An attacker is able to inject client-side scripting into a web page, executed by others. May, or may not, be cross-domain. Can result in: Authenticated Requests by victim Session hijacking Click jacking Propagation of Script (xss worm) Internal network access / portscanning

Reflected XSS Javascript in the request is written to the page <input type="text" name="search_term" value="<? echo $_GET['search_term'];?>" /> And if someone sends you a link: page.php?search_term= ><script>alert()</script><!--?

2 nd Order (Stored) XSS Attacker-controlled data is stored on the website, and executable scripts are displayed to the viewer (victim)

3 rd Order (Dom-based) XSS Attacker controls existing DOM manipulations in a way that generates attacker-influenced execution of scripts

Cross-Site Script Inclusion (xssi) (or Javascript Hijacking ) A script with sensitive data is included and manipulated from another domain

Validate your input Escape your output Preventing XSS Mediawiki Tools: Html, Xml, Sanitizer classes jquery elements Jsonp api runs as anonymous

Additional Reading For the theories behind XSS, and why certain filter should be applied, read: https://www.owasp.org/index.php/xss_(cross_s Quick reference of how to escape data in different html/document contexts: https://www.owasp.org/index.php/abridged_xss_

Additional Reading on SOP Understanding cross-domain aspects of xss requires knowledge of the Same Origin Policy (SOP) you are dealing with https://www.owasp.org/index.php/file:sameorigin http://code.google.com/p/browsersec/wiki/part2 The SOP for javascript, XHR, and Flash are different!

Cross-Site Request Forgery (csrf) If a user has an authenticated session established to a secure site, a remote site can reference resources on that site, which will be requested with the authority of the logged-in user. A page on funnykitties.com can call the image : <img src='http://en.wikipedia.com/wiki/index.php? title=some_thing&action=delete' />

Preventing CSRF Tokens written into form just prior to editing, and checked when form is received This is in addition to authentication / authorization checks Tokens must be difficult to predict Mediawiki uses edittoken

Register Globals If register_globals is on, then an attacker can set variables in your script If an attacker can control variables in your script, there is potential for Remote File Inclusion Altering code execution path

Register Global Vulnerabilities include($lang.".php"); <?php //MyScript.php if ( authenticate( $_POST['username'], $_POST['pass'] ) ) { $authenticated = true; } if ( $authenticated ) {... }

Register Global Protections Don't use globals in script paths Ensure your script is called in the correct context if (!defined( 'MEDIAWIKI' ) ) die( 'Invalid entry point.' ); Sanitize defined globals before use Define security-critical variables before use as 'false' or 'null'

SQL Injection Poorly validated data received from the user is used as part of a database (SQL) statement Can result in: Authentication Bypass Data Corruption System Compromise

Preventing SQLi Use MediaWiki built-in database classes and pass key=>value pairs to the functions select(), selectrow(), insert(), insertselect(), update(), delete(), deletejoin(), buildlike()

Additional Top Web Vulnerabilities OWASP Top 10 https://www.owasp.org/index.php/category:owa

Secure Design Principles Simplicity Secure by Default Secure the Weakest Link Least Privilege

Secure Coding Checklist Avoid eval, create_function Regex'es Don't use /e Escape with preg_quote() Filter / Validate your Inputs intval(), getint(), etc Use a whitelist of expected values when possible

Secure Coding Checklist Use HTMLForm class, or include/check $wguser->edittoken Defend against register-globals Use Html and Xml helper classes Use Sanitizer::checkCss to use user's css Use database wrapper functions Write clean, clearly commented code!

Write Some Secure Code Create a Special Page that allows searching, and showing results Assume you have a database of important text data: CREATE table `mydata` (`id` INT, `name` varchar(80), `body` TEXT); Present a search box Search the database for matches in `name` or `body, display matches to user

Review a Volunteer's Code

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback