To be Hacked or not to be Hacked!

October 22, 2013. To be Hacked or not to be Hacked! Vincci Kwong and Gary Browning, Indiana University South Bend. Indiana Library Federation Annual Conference.

DESCRIPTION

You have an RFID system to secure library materials, but what about web applications implemented by your library? This session provides an introduction on how you can secure your PHP web applications in order to prevent a potential hacker attack.

TRANSCRIPT

Page 1: To be Hacked or not to be Hacked!

October 22, 2013

To be Hacked or not to be Hacked!

Vincci Kwong and Gary Browning
Indiana University South Bend

Indiana Library Federation Annual Conference

Page 2: To be Hacked or not to be Hacked!

2013 ILF Annual Conference

https://www.youtube.com/watch?v=lw7dt0AhXXI

Page 3: To be Hacked or not to be Hacked!

What are Web Applications?

Page 4: To be Hacked or not to be Hacked!

What is PHP?

• A server-side scripting language designed for web development
• Open source programming language
• Powering over 80% of all websites
• PHP code is as secure as the programmer writes it

Page 5: To be Hacked or not to be Hacked!

Why hack web applications?

• Stealing sensitive information
• Defacement
• Planting malware
• Deceit
• Blackmail
• Link Spam
• Worms
• Phishing

Page 6: To be Hacked or not to be Hacked!

Why secure web applications?

• Everyone can touch web applications!
• It is hard to secure!!!

Page 7: To be Hacked or not to be Hacked!

Am I being hacked?

• Check your server access logs
• Look for recently modified files
• Look for files that shouldn’t be there
• Scan through your files

Page 8: To be Hacked or not to be Hacked!

Top 10 security issues for web applications

1. Injection

2. Broken authentication and session management

3. Cross site scripting (XSS)

4. Insecure direct object references

5. Security misconfiguration

6. Sensitive data exposure

7. Missing function level access control

8. Cross site request forgeries (CSRF)

9. Using known vulnerable components

10. Unvalidated redirects and forwards

Page 9: To be Hacked or not to be Hacked!

What can I do?

• Write secure code!!
• Use PHP Security Cheat Sheet
• Use a web application scanner

Page 10: To be Hacked or not to be Hacked!

Writing Secure Code

• Do not trust visitors to your website
• Understand Register Globals
• Error messages
• SQL Injections
• File Manipulation
• XSS

Page 11: To be Hacked or not to be Hacked!

Register Globals

• Feature removed as of PHP 5.4.0 !!!!
• Variables from HTML forms were injected into code automatically
• Remember, PHP does not require variable initialization

Page 12: To be Hacked or not to be Hacked!

Example: Misuse with register_globals = on

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

Page 13: To be Hacked or not to be Hacked!

Example: Misuse with register_globals = on

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

Page 14: To be Hacked or not to be Hacked!

SQL Injections

SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). ...

http://en.wikipedia.org/wiki/SQL_injection

Page 15: To be Hacked or not to be Hacked!

Example: SQL Injection

$proceed = mysql_query("SELECT Username, Password, AccessLVL FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

From a web form, someone inputs the following:

USERNAME: ' OR 1=1 #

Page 16: To be Hacked or not to be Hacked!

Example: SQL Injection

$proceed = mysql_query("SELECT Username, Password, AccessLVL FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

SQL Query:

SELECT Username, Password, AccessLVL FROM Users WHERE Username = '' OR 1=1 #' and Password = ''

Page 17: To be Hacked or not to be Hacked!

Example: SQL Injection

$proceed = mysql_query("SELECT Username, Password, AccessLVL FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

SQL Query:

SELECT Username, Password, AccessLVL FROM Users WHERE Username = '' OR 1=1 #' and Password = ''

This will return the entire list of usernames and passwords !!!!

Fix this using mysql_real_escape_string or mysqli_real_escape_string
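
As an added example (not from the slides), the same login query rewritten with a mysqli prepared statement: the user's input is sent to the server as data, separately from the SQL text, so there is nothing left to escape and the `' OR 1=1 #` input above is simply compared against the Username column. It assumes the Users table from the slide, placeholder connection values, and that the Password column holds password_hash() output rather than plaintext.

```php
<?php
// Added example, not from the slides: the login query from the slide rewritten
// with a mysqli prepared statement. Assumes the Users table from the slide and
// that the Password column holds password_hash() output rather than plaintext.

function findUser(mysqli $db, string $username): ?array
{
    // The ? marker is sent to the server separately from the SQL text, so an
    // input such as   ' OR 1=1 #   is compared literally against Username and
    // can never rewrite the WHERE clause.
    $stmt = $db->prepare(
        'SELECT Username, Password, AccessLVL FROM Users WHERE Username = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function login(mysqli $db, string $username, string $password): ?array
{
    $row = findUser($db, $username);
    // The password is checked in PHP against the stored hash, so it never
    // becomes part of any SQL statement at all.
    if ($row === null || !password_verify($password, $row['Password'])) {
        return null;
    }
    return ['Username' => $row['Username'], 'AccessLVL' => $row['AccessLVL']];
}

// Connection values are placeholders for the reader's own environment.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'library');
$db->set_charset('utf8mb4');

$user = login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    http_response_code(401);
    exit('Login failed');
}
// $user['AccessLVL'] now drives authorization for the rest of the request.
```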

Page 18: To be Hacked or not to be Hacked!

File Manipulation

some.web.address/index.php?index.html

Page 19: To be Hacked or not to be Hacked!

File Manipulation

some.web.address/index.php?.htaccess
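
The two URLs above imply an index.php that opens whatever file name arrives in its query string, which is how a request for .htaccess ends up reading the server's own configuration. As an added example (not from the slides), here the request may only choose a key from a list the application owns, and the resolved path is additionally checked to lie inside the pages directory; the `page` parameter, the PAGES map and the pages/ directory are this example's own assumptions.

```php
<?php
// Added example, not from the slides. The URLs on the slides
// (index.php?index.html and index.php?.htaccess) imply an index.php that opens
// whatever file name arrives in the query string. Here the request can only
// pick a key from a list the application owns; no file name comes from the URL.

// Allowed page keys, mapped to files inside a dedicated pages/ directory.
const PAGES = [
    'home'  => 'home.html',
    'hours' => 'hours.html',
    'about' => 'about.html',
];

// Resolve the request parameter to a file path, or null if it is not allowed.
// Keys outside PAGES (".htaccess", "../config.php", "index.html") are rejected
// before the filesystem is touched.
function resolvePage(?string $requested, string $baseDir): ?string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // Defence in depth: the resolved file must still lie inside $baseDir, even
    // if the PAGES list is edited carelessly later.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolvePage($_GET['page'] ?? null, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
readfile($path);
```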

Page 20: To be Hacked or not to be Hacked!

XSS (imagine the following code in your index.php file)

<?php
$name = $_GET['name'];
echo "Welcome $name<br>";
echo '<a href="http://librarysite.org/">Click to visit</a>';
?>

If someone entered the following on a web form, what would happen?

guest<script>alert('attacked')</script>

Page 21: To be Hacked or not to be Hacked!

XSS

Would you trust this URL if you saw the link on a website (assume you are familiar with ‘mytrustedsite.org’)?

mytrustedsite.org/index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-trustedsite.com/";}</script>

Page 22: To be Hacked or not to be Hacked!

XSS

Would you trust this URL if you saw the link on a website (assume you are familiar with ‘mytrustedsite.org’)?

mytrustedsite.org/index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
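
As an added example (not from the slides), the index.php from the XSS slide with the request value encoded for the HTML context it is written into, which is what stops both the alert() input and the window.onload link-rewriting payload in the two URLs above from executing. The helper names are this example's own.

```php
<?php
// Added example, not from the slides. The index.php from the XSS slide, with
// every value that came from the request encoded for the HTML context it
// lands in. Function names here are the example's own.

// Encode text for placement inside an HTML element body or attribute.
function h(string $s): string
{
    // ENT_QUOTES escapes both quote styles, so the value is also safe inside
    // a double- or single-quoted attribute; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the welcome fragment; it returns the HTML so it can be inspected.
function renderWelcome(string $name): string
{
    return 'Welcome ' . h($name) . "<br>\n"
         . '<a href="http://librarysite.org/">Click to visit</a>' . "\n";
}

$name = $_GET['name'] ?? 'guest';
echo renderWelcome($name);

// With the slide's input  guest<script>alert('attacked')</script>  the output
// is  Welcome guest&lt;script&gt;alert(&#039;attacked&#039;)&lt;/script&gt;
// and the browser shows the text literally instead of running it. The
// window.onload payload from the URL slides is neutralised the same way, so
// the "Click to visit" link keeps pointing at librarysite.org.
```

Encoding is context specific: this helper is right for element bodies and quoted attributes, while a value placed into a URL or a script block needs that context's own encoding instead.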

Page 23: To be Hacked or not to be Hacked!

Web Application Scanners

https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

Contains a list of Open Source and Commercial products

Page 24: To be Hacked or not to be Hacked!

It’s not in the Top 10, but…

• Unvalidated inputs

Page 25: To be Hacked or not to be Hacked!

Reporting a hacked site!

• Why do you think the website is being hacked?
• What on the website is looking unusual? Did you clear your browser’s cache?
• Are you being redirected to another website? If yes, note URL of the site.
• Were you being asked to provide confidential information?
• Do patrons report receiving unusual email from the library?
• When did it happen?

Page 26: To be Hacked or not to be Hacked!

Emergency contact list

• Library IT personnel
• Director/Dean of the Library
• Vendors
• Patrons

Page 27: To be Hacked or not to be Hacked!

Resources

• PHP Security Cheat Sheet - https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

• PHP Security Guide - http://phpsec.org/projects/guide/

• Securing PHP Web Applications - http://www.amazon.com/Securing-PHP-Applications-Tricia-Ballad/dp/0321534344

Page 28: To be Hacked or not to be Hacked!

Questions?

Feel free to contact us at

• Vincci Kwong
  • Email: [email protected]
  • Phone: 574-520-4444

• Gary Browning
  • Email: [email protected]
  • Phone: 574-520-5516