Concern of Web Application Security

Concern of Web Application Security ” First and foremost, you must realize and accept that any user-supplied data is inherently unreliable and can't be trusted.” Md. Mahmud Ahsan Zend Certified Engineer http://mahmudahsan.wordpress.com/ http://www.ftechdb.com/

Contents of presentation Overview of security Best Practice Input Filtering Escaping Output SQL Injection Cross-site Scripting Session Hijacking Cross-site request forgeries

Security Overview Security is a measurement not a characteristics. Security is difficult to measure . It has no units. Security must be considered at all time. What is security?

Security Overview According to Chris Shiflett Defense in Depth Least Privilege Simple is beautiful Minimize exposure Principles of security?

Best Practice According to Chris Shiflett Consider malicious uses of your application. Educate yourself. Remember 2 simple rules: Filter Input Escape Output Basic Steps

Input filtering What is filtering? Filtering is the process by which you inspect data to prove its validity. When possible, use a whitelist approach . Filtering is useless if you can't keep up with what has been filtered and what hasn't. Employ a strict naming convention that lets you easily and reliably distinguish between filtered and tainted data.

Input filtering Filter input example: <?php $clean = array(); switch($_POST['color']){ case 'red': case 'green': case 'blue': $clean['color'] = $_POST['color']; break; } ?>

Input filtering Filter input example: <?php $clean = array(); switch($_POST['color']){ case 'red': case 'green': case 'blue': $clean['color'] = $_POST['color']; break; } ?> Initialize array for storing filter data

Input filtering Filter input example: <?php $clean = array(); switch($_POST['color']){ case 'red': case 'green': case 'blue': $clean['color'] = $_POST['color']; break; } ?> Use switch statement to filter sets

Input filtering Filter input example: <?php $clean = array(); switch($_POST['color']){ case 'red': case 'green': case 'blue': $clean['color'] = $_POST['color']; break; } ?> Create cases for the valid values

Input filtering Filter input example: <?php $clean = array(); switch($_POST['color']){ case 'red': case 'green': case 'blue': $clean['color'] = $_POST['color']; break; } ?> Color is definately valid so store in the array

Most common attacks Filter input example 2: <?php $clean = array(); if (ctype_alnum($_POST['username'])){ $clean['username'] = $_POST['username']; } ?>

Most common attacks Filter input example 2: <?php $clean = array(); if (ctype_alnum($_POST['username'])){ $clean['username'] = $_POST['username']; } ?> Create an array to store filtered data

Input filtering Filter input example 2: <?php $clean = array(); if (ctype_alnum($_POST['username'])){ $clean['username'] = $_POST['username']; } ?> Username must be alphanumeric

Input filtering Filter input example 2: <?php $clean = array(); if (ctype_alnum($_POST['username'])){ $clean['username'] = $_POST['username']; } ?> If username is alphanumeric store it in the array

Escaping Output What is output? Most output is obvious (anything sent to the client is output) - HTML, JavaScript, etc. The client isn't the only remote destination - databases, session data stores, RSS feeds , etc. The key is to identify the destination of data. If it is destined for any remote system, it is output and must be escaped .

Escaping Output What is Escaping? It is the process of escaping any character that has a special meaning in a remote system The two most common destinations are the client (use htmlentities() ) and MySQL (use mysql_real_escape_string() ).

Escaping Output Escaping output example: <?php $html = array(); $html['username'] = htmlentities($clean['username'], ENT_QUOTES); echo "<p>Welcome back, {$html['username']}.</p>"; ?>

Escaping Output Escaping output example: <?php $html = array(); $html['username'] = htmlentities($clean['username'], ENT_QUOTES); echo "<p>Welcome back, {$html['username']}.</p>"; ?> Initialize array for storing escaped data

Escaping Output Escaping output example: <?php $html = array(); $html['username'] = htmlentities($clean['username'], ENT_QUOTES); echo "<p>Welcome back, {$html['username']}.</p>"; ?> Escaped the filtered username and store in the array

Escaping Output Escaping output example: <?php $html = array(); $html['username'] = htmlentities($clean['username'], ENT_QUOTES); echo "<p>Welcome back, {$html['username']} .</p>"; ?> Send the filtered and escaped username to the client

Escaping Output Escaping output example 2: <?php $mysql = array(); $mysql['username'] = mysql_real_escape_string($clean['username']); $sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}'"; $result = mysql_query($sql); ?>

Escaping Output Escaping output example 2: <?php $mysql = array(); $mysql['username'] = mysql_real_escape_string($clean['username']); $sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}'"; $result = mysql_query($sql); ?> Initialize an array for storing escaped data

Escaping Output Escaping output example 2: <?php $mysql = array(); $mysql['username'] = mysql_real_escape_string($clean['username']); $sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}'"; $result = mysql_query($sql); ?> Escaped the filter username and store it in the array

Escaping Output Escaping output example 2: <?php $mysql = array(); $mysql['username'] = mysql_real_escape_string($clean['username']); $sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}' "; $result = mysql_query($sql); ?> Use the filtered and escaped username in the SQL query

Escaping Output Escaping output example 2: <?php $mysql = array(); $mysql['username'] = mysql_real_escape_string($clean['username']); $sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}'"; $result = mysql_query($sql) ; ?> SQL Query is now safe

SQL Injection What is SQL Injection? SQL injection is a direct attack on the site’s database. Gain access to restricted areas without proper credentials Insert/Delete data to the database Select private data to then be saved and used for other types of attacks.

SQL Injection SQL Injection attacking example: http://example.com/db.php?id=0 http://example.com/db.php?id=0 ;DELETE%20FROM%20users <?php $id = $_GET['id']; // $id = 0;DELETE FROM users $result = mysql_query("SELECT * FROM users WHERE id={$id}"); SQL Inject code User table data destroyed

SQL Injection SQL Injection attacking example 2: <?php $query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'"; mysql_query($query); //$_POST['username'] = 'manzil'; //$_POST['password'] = "' OR ''='"; echo $query; ?> output: SELECT * FROM users WHERE user='manzil' AND password='' OR ''='' SQL Inject code

SQL Injection SQL Injection Protection: <?php $name = mysql_real_escape_string($_POST['username']); $pass = mysql_real_escape_string($_POST['password']); $query = "SELECT * FROM users WHERE user='{$name}' AND password='{$pass}'"; mysql_query($query); ?>

Cross-Site Scripting What is XSS ? It is a popular attacking to web application as web application largely echo user input. <?php echo "<p>Welcome back, { $_GET['username'] }.</p>"; ?>

Cross-Site Scripting Attacking Example: <?php echo "<p>Welcome back, <script> ... </script> .</p>"; ?> XSS Attacking !!!

Cross-Site Scripting Prevention of XSS: Filter Input Escape Output <?php $name = $_GET['username']; $name = ctype_alnum($name) ? $name : ''; $name = htmlentities($name, ENT_QUOTES); echo "<p>Welcome back, {$name} .</p>"; ?>

Cross-Site Scripting htmlentities(): <?php $name = $_GET['username']; // <script> ... </script> echo htmlentities($name, ENT_QUOTES) ; ?> output: <script> ... </script>

Session Hijacking What's the problem? An attacker can impersonate another user if that user's session identifier is known by the attacker. Methods of obtaining a valid session identifier: Fixation Prediction Capture

Session Hijacking Example of Session Fixation: http://example.org/login.php?PHPSESSID=1234 Prevention of Session Fixation: Use session_regenerate_id() whenever there is a change in the level of privilege: if ($authenticated) { $_SESSION['logged_in'] = TRUE; session_regenerate_id(); }

Session Hijacking Another session security technique: Compare the browser signature headers. <?php session_start(); $chk = @md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT']); if (empty($_SESSION)) $_SESSION['key'] = $chk; else if ( $_SESSION['key'] != $chk ) session_destroy(); ?>

Session Hijacking Safer Session Storage By default PHP sessions are stored as files inside the common /tmp directory. This often means any user on the system could see active sessions and “acquire” them or even modify their content. Solutions? Separate session storage directory via session.save_path Database storage mechanism, mysql, pgsql, oci, sqlite. Custom session handler allowing data storage anywhere.

Cross Site Request Forgeries What is CSRF? An attacker can send arbitrary HTTP requests from avictim. Because the requests originate from the victim, they can bypass traditional safeguards, including firewalls and access control.

Cross Site Request Forgeries Solution of CSRF: Use a unique token in every form that you send to the user. Whenever you receive a request from the user that represents a form submission, check for this unique token. Use sessions to associate a particular token with a particular user.

Cross Site Request Forgeries Normal form submission: <form action="buy.php" method="POST"> <p>Symbol: <input type="text" name="symbol" /></p> <p>Shares: <input type="text" name="shares" /></p> <p><input type="submit" value="Buy" /></p> </form>

Cross Site Request Forgeries Solution of CSRF: <?php $token = md5(uniqid(rand(), TRUE)); $ _SESSION['token'] = $token; $_SESSION['token_time'] = time(); ?> <form action="buy.php" method="post"> <input type="hidden" name="token" value="<?php echo $token; ?> " /> <p> Symbol: <input type="text" name="symbol" /><br /> Shares: <input type="text" name="shares" /><br /> <input type="submit" value="Buy" /> </p> </form>

Cross Site Request Forgeries Solution of CSRF: <?php if ($_POST['token'] == $_SESSION['token']) { /* Valid Token */ } ?>

Concern of Web Application Security

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Concern of Web Application Security (20)

Recently uploaded (20)

Concern of Web Application Security