Web security 101


Page 1: Web security 101

Net security 101: Internet is hostile network

Kristaps Kūlis

Page 2: Web security 101

“Real” security

● Security through security, not obscurity

House secured by door keys, not by putting doors on roof.

● Ongoing process

Page 3: Web security 101

Be conservative in what you do; be liberal in what you accept from others

(Postel's law)

Web applications

Page 4: Web security 101

SQL injection

Page 5: Web security 101

SQL injections

● Creating queries by string concatenation is “the wrong way”

● MySQL does not execute multiple queries in one call.

● Let the DB do the validation: use parametrized queries

● ORM frameworks lift the burden

● It is easy to forget to validate inline SQL somewhere
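The "wrong way" and the parametrized way side by side, as an added example (not part of the original slides); it uses Python's built-in sqlite3 driver and a constructed in-memory users table so the difference in behaviour can be observed directly.

```python
"""Added example, not from the deck: the same user lookup written with
string concatenation and with a parametrized query, run against a
constructed in-memory SQLite table."""
import sqlite3

# Constructed sample data (not from the original slides).
SAMPLE_USERS = [("kristaps", "hash1"), ("alice", "hash2"), ("o'brien", "hash3")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The wrong way: the user-supplied name becomes part of the SQL text,
    so quotes inside it change the meaning of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """The right way: the value travels separately from the SQL text and is
    never parsed as SQL, so the DB itself does the validation."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both lookups on one input; report the rows or the error raised."""
    conn = make_db()
    out = {}
    for label, fn in (("concat", lookup_concat), ("param", lookup_param)):
        try:
            out[label] = fn(conn, name)
        except sqlite3.Error as exc:
            out[label] = "error: " + type(exc).__name__
    return out


if __name__ == "__main__":
    # A normal name, a name containing a quote, and a classic tautology.
    for probe in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(probe), compare(probe))
```

A legitimate name with an apostrophe breaks the concatenated query while the parametrized one returns the row; the tautology input returns every user under concatenation and nothing under the parametrized query.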

Page 6: Web security 101

XSS

Page 7: Web security 101

XSS

● Escape HTML/JS/XML special characters on output

● Vulnerability can exist on the client side (JS).

● It can get hairy with JS, AJAX, JSONP etc.

Page 8: Web security 101

CSRF

● Third-party unauthorized request to a web site

● Include a unique token in each response and validate it on request.

● Never update data with GET

<img src="http://www.bank.lv/pay?to=kristaps&amount=100" />

Page 9: Web security 101

Storing passwords

● Do not expose DB / other credentials

● MD5 is too “cheap”. SHA1 is not “expensive enough”

● Make hash functions slow.

● Multiple iterations

● Bcrypt

Page 10: Web security 101

Authorization vs Authentication

Authentication: checking user credentials. Usually done once per session.

Authorization: checks that the user is authorized to do a particular action. Must be done on every request.

Page 11: Web security 101

Session fixation

● Session cookie stealing / guessing

● Initialize sessions yourself (regenerate the session ID on login)

● Tie sessions to IP address / User Agent

● Expire / invalidate sessions.

Page 12: Web security 101

PHP specific problems

Page 13: Web security 101

register_globals: ~50% of open source PHP app vulnerabilities work only when register_globals is on

Page 14: Web security 101

safe_mode: wrong place, wrong solution

Page 15: Web security 101

magic_quotes: gives a false sense of security and no real protection

Page 16: Web security 101

display_errors: gives away too much information

Log your errors, do not display them

Page 17: Web security 101

One .php file is one script: the PHP engine has no “application” concept.

Class files, configuration files, etc. should not be executable ...

...everything that is not .php is by default dumped as plaintext to the browser

Page 18: Web security 101

include and require accept URLs as parameters

Remote code injection made dead easy

If you disable allow_url_fopen, you cannot open any URL (without cURL)

Page 19: Web security 101

All these settings should be disabled by default. On most hosting servers they are not.

Page 20: Web security 101

Server security: environment matters

Page 21: Web security 101

TLS (SSL)

● Public/private key infrastructure

● Server verification and data encryption

● Ultimate trust in Certificate Authorities (CA)

● Don't use self-signed certificates. Roll out your own CA.

Page 22: Web security 101

Secure / insecure protocols

● HTTP sends all information in plaintext

● So do FTP/IMAP/POP3/SMTP

● Use HTTPS / SFTP / IMAPS / POP3S / SMTP over TLS

● DNS is built on trust. DNSSEC is not (yet) working.

Page 23: Web security 101

[D]DoS

● DoS – “million” requests from one client

● DDoS – “zillion” requests from “million” clients

● Handle DoS at the firewall level.

● Try to survive DDoS at the router level.

Page 24: Web security 101

Shared hosting

● Easy, fast, secure: pick two

● “Jail” each site

● SELinux / AppArmor to the rescue

● IDS / mod_security is slow

● Test backups.

Page 25: Web security 101

Real life 100% secure system

Slide intentionally left blank

Page 26: Web security 101

Personal security: the weakest link in the chain

Page 27: Web security 101

Passwords

Passwords are like underwear. You don't share them and you change them often.

KeepassX

Page 28: Web security 101

Think

● Don't use plaintext protocols over open WiFi

● Secure your home router

● Check URLs and filenames

● Malware doesn't expose itself anymore

  ● Botnets

  ● Information stealing

● Avoid buggy and insecure software (Flash and Acrobat Reader).

Page 29: Web security 101

Securing digital communication

● Skype is sort-of secure

● PGP

● S/MIME

Page 30: Web security 101

Handling incidents

● Not all hackers are bad

● Preserve evidence

● Presume that the attacker obtained maximum information.

● The system is compromised

● Eliminate attack vectors

● Offline backups help.

Page 31: Web security 101

Questions ?

Page 32: Web security 101

Further reading

● www.owasp.org – knowledge

● www.cert.lv – Latvian net security team

Books

● Stealing the Network: How to Own the Box by R. Russell – hacking “fiction” book.

● The Art of Deception by Kevin Mitnick – hacker “memoirs”