web vulnerabilities - building basic security awareness
TRANSCRIPT
Web Vulnerabilities: Being Aware of Risks and Mitigation Options
Gurpreet Luthra@_zenx_
Please enter your Google credentials to access the photo album.
Phishing
Simple Google Search
Another Example --- Gym Membership
Spear Phishing
Strong Security
Useless!
Social Engineering
The clever manipulation of the natural human tendency to trust.
Social Engineering
• Phishing
• Spear Phishing
• Vishing
• Baiting
• Tailgating
PROTECT
PROTECT
SSL / Digital Certificates
Personal Image or Message [Verified by Visa]
RSA / 2-Step Auth
OTP (ICICI or Facebook)
Log Referral Websites
Safe Browsing API (Google) https://developers.google.com/safe-browsing/
Phishing Detection Plugin
Social Engineering
“A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords!”
http://en.wikipedia.org/wiki/Social_engineering_(security)
Cookies
Gmail Cookies
ThoughtWorks Cookies
Cross Site Request Forgery (CSRF)
<img src="http://my-email.com/logout">
<img src="http://facebook.com/add_friend?uid=2345adbehd3332a23">
<img src="http://intranet/report-app/mail?r=1&[email protected]" width="1" height="1" border="0"/>
Cross Site Request Forgery (CSRF)
On the attacker's website (http://www.attacker.com):
<body onload="document.getElementById('frm').submit()">
  <form id="frm" action="http://my-mail.com/logout" method="post">
    <input name="Log Me Out" value="Log Me Out" />
  </form>
</body>
PROTECT
Check Referer
GET should not change state or have side effects
User auth for transactions + Captcha
Double submit cookies + CSRF Token
Separate Browser
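As an added example (not code from the slides), a server-side check that combines three of the mitigations listed above: GET is treated as side-effect-free, the Origin/Referer header must name our own site, and the double-submit cookie must match the CSRF token in the form. The host my-mail.com (the slide's example) and the cookie/field names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: the protected site is the slide's example host, my-mail.com.
SITE_ORIGIN = "https://my-mail.com"
COOKIE_NAME = "csrf_token"
FIELD_NAME = "csrf_token"


def issue_csrf_token():
    """Mint a random token; the server sets it as a cookie AND embeds it as a
    hidden field in every state-changing form (the double-submit pattern)."""
    return secrets.token_urlsafe(32)


def origin_is_trusted(headers):
    """Origin/Referer check: scheme and host must match our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def csrf_check(method, headers, cookies, form):
    """Return (allowed, reason). GET never changes state, so it needs no token;
    everything else needs a trusted origin and matching cookie + form tokens."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method (must not have side effects)"
    if not origin_is_trusted(headers):
        return False, "origin/referer mismatch"
    cookie_token = cookies.get(COOKIE_NAME, "")
    form_token = form.get(FIELD_NAME, "")
    if not cookie_token or not form_token:
        return False, "missing csrf token"
    # Constant-time compare so the check does not leak token bytes by timing.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = issue_csrf_token()
    # Constructed: the auto-submitted POST from attacker.com shown on the slide.
    # The browser attaches the victim's cookies, but the attacker's page cannot
    # read the cookie to fill in the hidden field, and its Origin gives it away.
    print(csrf_check("POST", {"Origin": "http://www.attacker.com"}, {COOKIE_NAME: token}, {}))
    # Constructed: the genuine logout form rendered by my-mail.com itself.
    print(csrf_check("POST", {"Origin": SITE_ORIGIN}, {COOKIE_NAME: token}, {FIELD_NAME: token}))
```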
Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) was among the twenty most-exploited security vulnerabilities of 2007, along with Cross-Site Scripting (XSS) and SQL Injection.
Also mentioned in the OWASP Top 10 Vulnerabilities of 2010.
OWASP Top 10
• Injection (SQL, LDAP, etc)
• Cross Site Scripting (XSS)
• Broken Auth and Session Mgmt
• Insecure Direct Object Reference
• Cross Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL access
• Insufficient Transport Layer Protection
• Un-validated Redirects and Forwards
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.”
– Gene Spafford
Gurpreet Luthra@_zenx_
SAMY WORM --- MySpace
<div style="background:url('javascript:alert(1)')">
<div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document.all.mycode.expr)')">
No Javascript Allowed
Out of Quotes
SAMY WORM --- MySpace
<div id="mycode" expr="alert('hah!')" style="background:url('java script:eval(document.all.mycode.expr)')">
<div id="mycode" expr="alert('double quote: ' + String.fromCharCode(34))" style="background:url('java script:eval(document.all.mycode.expr)')">
“Javascript” word
More Quotes needed
SAMY WORM --- MySpace
alert(eval('document.body.inne' + 'rHTML'));
No Problem. First post a GET in an Ajax request, and then take the hash and put it as part of a POST.
http://namb.la/popular/tech.html
Words like innerHTML – not allowed
Unique Hash needed to POST