Secure Form Processing and Protection - Devspace 2015
0 likes637 views
Joe Ferguson discusses common web application vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). He explains different types of XSS exploits and how CSRF works. To prevent these issues, he recommends sanitizing user input, using cryptographic nonces, and leveraging security features in frameworks like Angular, Zend, Symfony, Laravel and others. He also provides examples of widespread exploits on sites like Twitter, Facebook and MySpace to demonstrate the importance of secure form processing.
More Related Content
What's hot (20)
Similar to Secure Form Processing and Protection - Devspace 2015 (20)
More from Joe Ferguson (20)
![php[world] 2015 Laravel 5.1: From Homestead to the Cloud](https://cdn.slidesharecdn.com/ss_thumbnails/phpworld-2015-laravelhomestead-4x3-151118212002-lva1-app6891-thumbnail.jpg?width=560&fit=bounds)
Recently uploaded (20)
Secure Form Processing and Protection - Devspace 2015
- 1. Secure Form Processing and Protection Joe Ferguson October 9th 2015
- 2. Who Am I? Joe Ferguson PHP Developer Twitter: @JoePFerguson Organizer of @MemphisPHP @NomadPHP Lightning Talks Passionate about Community
- 3. “What keeps you up at night?”
- 4. For me, it was form Processing - for a while, at least
- 5. “how do I safely, securely, and reliably get input from my users?”
- 8. Cross Site Scripting (XSS) “XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy” http://en.wikipedia.org/wiki/Cross-site_scripting
- 9. There is no Standard classification of xss
- 10. Types of XSS Exploits Reflected (Non-persistent) Persistent Server-side versus DOM-based vulnerabilities Can also be distinguished by:
- 11. Reflected (Non- persistent) Data passed to the app immediately without sanitizing the data
- 13. Persistent Data passed to the app is saved by the server When the code to display the dynamic data is run again, the code that was inject runs again.
- 14. Data passed to the app is saved by the server
- 15. Injected Code Runs again Wherever the dynamic content is called, the injected code runs http://www.phparch.com/magazine/2014-2/august/
- 16. Server-side versus DOM- based vulnerabilities Examples: Single page applications (JavaScript) Still need to protect these applications Malicious code doesn’t touch server, only DOM
- 17. Widespread XSS Exploits Twitter September 21, 2010 “MouseOver” tweeting a JavaScript function for “onMouseOver" Victims would mouseover areas of a tweet that looked like highlighted areas and code would execute to tweet out the same exploit from their account. http://en.wikipedia.org/wiki/Twitter
- 18. Widespread XSS Exploits Facebook Early 2013 Chat & Checkin vulnerable Chat: GUI for presenting the link to post was unfiltered / not sanitized. Checkin: Attacker could post malicious scripts in pages and code would run when victims checked in to location http://thehackernews.com/2013/04/hacking-facebook-users-just-from-chat.html
- 19. Widespread XSS Exploits MySpace October 2005 Samy (computer worm) Added an XSS on a profile that would posted to the victims own profile. The exploit spread like a worm virus infecting new users whenever an infected profile was viewed http://en.wikipedia.org/wiki/Samy_%28computer_worm%29
- 20. Cross Site Request Forgery (CSRF) Sending unauthorized commands from a user that an application trusts Relies on tricking a user into viewing a malicious image or clicking on a malicious link.
- 21. CSRF Characteristics Targets a site that knows about the victim Exploit the trust (often logged in state) of victim Trick victim into sending HTTP requests to target HTTP requests have side effects (malicious intent)
- 22. login csrf Used to log a user into an application
- 23. Google youtube CrossDomain Security Flaw *.google.com was trusted Send a malicious SWF file to the attacker’s gmail and locate the download URL Logged in YouTube user visits attacker’s malicious page
- 24. Google youtube CrossDomain Security Flaw Force user to authenticate and exploit a login- CSRF / session initialization vulnerability to authenticate the victim as the attacker. Attacker embeds the malicious SWF file to the page the victim viewing. Attacker now has read/write access to victim’s YouTube account http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html
- 25. Dynamic CSRF Dynamically created as part of an XSS exploit Sammy Worm that hit MySpace is an example Tokens could be sent by attacker via brute force or some type of session fixation type exploit
- 26. CSRF limitations Target site that doesn't check referrer header or the victim's browser supports referrer spoofing The attacker must target some submission point on the victim's computer (changes / reads of victim's personal information, modify bank account records, etc)
- 27. CSRF limitations The attacker must determine the correct values to submit to the application The victim must be logged into the target application
- 28. CSRF attacks are blind
- 30. Scared yet?
- 31. Of course not! This shouldn’t be the first time you have heard these terms
- 32. – Benjamin Franklin “An ounce of prevention is worth a pound of cure”
- 33. Cryptographic nonce Preventing Replay Attacks and CSRF
- 34. Cryptographic nonce Arbitrary number used ONCE in a cryptographic communication Used in HTTP digest access authentication to has the password . Nonce changes every time the 401 response is presented. Use to prevent replay attacks.
- 35. Example Nonce in PHP https://github.com/timostamm/NonceUtil-PHP
- 36. Using Wordpress & Nonce Curious? WordPress has it’s own internal NONCE System It isn’t a true NONCE since you can use it more than once. More info: https://www.getpantheon.com/blog/nonce- upon-time-wordpress Written by Cal Evans
- 37. Preventing XSS
- 38. htmlentities() Convert all applicable characters to HTML entities This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities. http://php.net/htmlentities
- 39. Preventing XSS
- 40. filter_var() Filters a variable with a specified filter Returns the filtered data, or FALSE if the filter fails. Example Filters: FILTER_VALIDATE_EMAIL FILTER_VALIDATE_INT http://php.net/manual/en/function.filter-var.php
- 41. Sanitize with filter_var() Sanitize incoming or outgoing data Example Filters: FILTER_SANITIZE_EMAIL FILTER_SANITIZE_STRING FILTER_SANITIZE_NUMBER_INT FILTER_SANITIZE_URL http://php.net/manual/en/filter.filters.sanitize.php
- 42. Preventing XSS
- 43. Many frameworks have this built in
- 44. Angularjs Angular calls it XSRF Server needs to set a JavaScript readable cookie “X-XSRF-TOKEN” Unique per user and be verifiable by the server https://docs.angularjs.org/api/ng/service/$http
- 45. Zend ZendEscaper contains methods for escaping output ZendFilter contains common data filters ZendFormElementCsrf Protection is achieved by adding a hash element to a form and verifying it when the form is submitted. http://framework.zend.com/manual/current/en/modules/zend.form.element.csrf.html
- 48. Symfony Generate CSRF Token (SymfonyComponentForm ExtensionCsrfCsrfProvider) {{ csrf_token('authenticate') }} Twig Template can default to automatic escaping If disabled: {{ user.username|e }}
- 50. Symfony Escaping Output http://twig.sensiolabs.org/doc/templates.html If the escaper extension is enabled, escaping is automatic. Otherwise you can use :
- 51. Slimphp Slim-Extras - Slim Authentication and XSS Middlewares SlimExtrasMiddlewareCsrfGuard https://github.com/codeguy/Slim-Extras
- 52. Laravel Query Builder uses PDO parameter binding to protect against SQL injection Automatically handles CSRF when using Form::open Escape output by using {{{ $input }}} in Blade
- 55. Laravel CSRF Protection Middleware in Laravel 5
- 56. Laravel Escaping Output Laravel 5.x Output is automatically escaped
- 58. Other Software and Frameworks Check the documentation for best practices!
- 59. XSS testing Tools Acunetix Web Vulnerability Scanner (Paid) http://www.acunetix.com IBM Security AppScan (Paid) http://www-03.ibm.com/software/products/en/appscan Burp Suite (Free or Paid) http://portswigger.net/burp OWASP Zed Attack Proxy Project (Donation/Free) https://www.owasp.org/index.php/ OWASP_Zed_Attack_Proxy_Project
- 60. Links Examples & Links: https://github.com/svpernova09/Secure-Form- Processing-and-Protection-Talk http://en.wikipedia.org/wiki/Cross-site_scripting http://en.wikipedia.org/wiki/Cross-site_request_forgery http://securingphp.com “HTML Form Processing with PHP” Article: http://www.phparch.com/magazine/2014-2/august/