-
Notifications
You must be signed in to change notification settings - Fork 0
/
security_talk_techmeet_09
150 lines (86 loc) · 6.4 KB
/
security_talk_techmeet_09
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
techmeetup talk on security 2009-04
SLIDE: Introduction, name email, url
Hello. My name is tef and I would like to talk to you about computer security, especially web applications, I've worked as a security consultant and I've been interested in hacking from a young age.
SLIDE: Blank
Now I have introduced myself I would like to know a little bit more about the audience. Could you please raise your hand if you have:
-- had a virus on your computer/mobile phone
-- had an account or a password stolen
-- used a site that has been hacked - myspace, phpbb, wordpress
-- been hacked?
your own code or someone elses?
Hopefully you can see from this small (biased, unrepresentative) sample that nearly everyone has been affected by computer security at one point in their lives, but many people when writing a website think "It'll never happen to me".
It does. Personally I've found major bugs in popular websites such as b3ta and livejournal, but major web applications such as myspace, phpbb and drupal have had their share of problems too.
No one is immune, and if you have bugs people will find them and exploit them.
I don't intend to scare you, I aim to show you how to deal with these problems realistically.
To begin, I'd like to tell you what security is all about and why it is important:
SLIDE: Big letters: Money
If you can't keep your users trust, you will lose their business.
Information such as emails, passwords and a large audience make you
a target.
:: Something here about it costing money to do right, but that it's worth it in the long term?
SLIDE: Infection numbers for wordpress/PHPBB worm, overall incident numbers
Source: Sans/ISC
If you use off the shelf software that's popular you are more at risk. PHPBB and wordpress are prime examples.
Sometimes worms find their next victims by google. You might regret that SEO.
Running buggy software isn't the biggest risk. By far, humans are much buggier.
In the name of security, Wikipedia published lists of possible troll accounts as they had identified that trolls often use the same password on multiple accounts.
Trolls didn't pick secure passwords but used obvious ones, but so did a lot of innocent Wikipedia users. The staff had just handed to the trolls a list of accounts for which their password would work.
People make mistakes when writing code too:
SLIDE: Exploit numbers for the phpbb, bind, sendmail
Source: Secunia
phpbb, bind, sendmail,
:: SLIDE: ?
:: Newline after threat model?
Threat Models - Realistic considerations of security aka What's your threat model, how attackers think
What's your threat model?
The four most important words in security.
Slide: "WYTM" http://iang.org/ssl/wytm.html
To be able to prepare and test for problems you need to think about what you're defending against. A good start is to break down the likely attackers:
Slide: Trolls/Opportunistic Hackers/Automated Exploits
:: Bullet points?
Trolls are just going to annoy your users.
An opportunistic hacker is going to try and find interesting information.
Automated exploits are looking to infect your userbase.
This separation is useful for understanding who is likely to utilise different kinds of attacks, so I guess it's about time we get onto the vulnerabilities themselves.
Slide: OWASP Top 10
Source: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The OWASP is an organisation dedicated to web security, and this is their list of top ten vulnerabilities:
::Explain each one in English
I'm going to explain a few of these
To put into context, this is the SANS Top 10
Slide: SANS top 10
SANS is like OWASP, but dealing with internet security in general.
::Explain each one in English
Let's go back to the web vulnerabilities and take a look at a number of exploits.
Slide: XSS (big)
At number one we have cross site scripting errors, which essentially boils down to arbitrary javascript being inserted into pages. Javascript is a very powerful language, and the uses of XSS are endless.
If your blog has a comment feature, it is likely it will accept some markup language or a subset of html, but if an attacker can bypass this they can post any text they like to your page.
This code can be used to look at the cookies and send them back to the attacker, or to try and hijack the browser to install spyware.
Its a big problem with a small solution - you just need to sanitize any user text before returning it to the browser, and most modern frameworks or templates make this easy.
But you still need to test it to make sure it works.
At number two - "Injection flaws".
It's the same affair again. Instead of untrusted data being sent to the browser, this time it's untrusted data being sent to the database.
This was a bigger problem before Rails, Django and ORMs in general. Previously people carved up raw sql statements and all the problems they brought. Today this is a relatively solved problem for databases.
But there can still be problems when the database and the web app don't match up.
In many sites you can retrieve your password by submitting your email.
Webapps rarely care how long a piece of text is, and so you could submit
"victim@email.com (lots of spaces); attacker@naughy.biz"
Slide:"victim@email.com (lots of spaces); attacker@naughy.biz"
The database is more picky, and drops everything after a fixed number of characters (say 256). Now, in MS-SQL it truncates the whitespace.
So when you think you're sending "victim..@bla attacker@...", the database just gets "victim@email.com".
But the mail client is never as picky, it's happy to have such a long big of text, and so sends the reminder to both the victim and the attacker.
Moral: Databases move in mysterious ways.
Note:: If I have time I'll deal with cross site request forgery too (#5)
Again, no solution is complete without testing.
Slide: Testing
network testing - nmap, nessus
http testing - paxos, firebug, burp network suite
There are a plethora of tools out there, and a lot of it comes down to taste. Beware though, if you think interfaces designed by programmers were bad, wait until you see these tools.
I don't have enough time to cover all of these tools, but network testing is more about the platform you're running on (linux/apache), and http testing is your web app stack.
Final Slide:
Further information
OWASP
SANS/ISC
F_secure blog
I hope you've enjoyed my talk, and maybe tomorrow there will be fewer bugs out there.
Questions?