
Posts

Showing posts from April, 2013

Web Security in few lines

Insufficient Transport Layer Protection
  Authenticating over non-SSL: obviously bad.
  Sending session IDs over non-SSL: session hijacking (Firesheep).
  Not sending everything over SSL: JavaScript injection.
Insecure Cryptographic Storage
  Obviously bad: storing passwords in plaintext.
  Still bad: using unsalted hashes; using a raw hash function (MD5, SHA1, etc).
  Better but not great: using a keyed hash function (HMAC-SHA1).
  Best: using a slow function (PBKDF2, bcrypt, scrypt).
Cross-Site Request Forgery
  Confused deputy problem.
  Classic example: Filelocker doesn't have any CSRF protection. Joe is a Filelocker admin. I get Joe to visit a specially crafted form. Joe's browser submits the form along with his cookies. I now have admin.
  <form method="POST" action="[path to filelocker]/admin_interface/grant_user_permission?format=json"> <input type="hidden" name="us...

About Security

Most Important People
  Security (Increase Expenses)
  Developers (Increase Profits)
  Executives (Increase Profits)
  Sales (Increase Profits)
  Business Development (Increase Profits)

Smurf Attack

Definition - What does Smurf Attack mean? A smurf attack is a type of denial of service attack in which a system is flooded with spoofed ping messages. This creates high network traffic on the victim's network, which often renders it unresponsive. Smurfing takes certain well-known facts about the Internet Protocol and the Internet Control Message Protocol (ICMP) into account. ICMP is used by network administrators to exchange information about network state, and can also be used to ping other nodes to determine their operational status. The smurf program sends ICMP echo requests to a network's broadcast address with the source address spoofed to the victim's, so every host on that network answers the victim. The resulting echo replies are directed toward the victim's IP address. A large number of pings and the resulting echoes can make the network unusable for real traffic. Techopedia explains Smurf Attack The following steps lead to a smurf attack: Huge numbers of ICMP requests a...

How applications get built in the real world!!!!!!!

Some Important things

Filter input and escape output, always.
Use prepared statements; filter your query params.
Disable magic_quotes, register_globals, allow_url_fopen.
Give minimum permissions to daemons, processes, people.
Regenerate your session IDs and use tokens.
Use common sense.

jQuery safety

Some jQuery methods are unsafe, particularly .append() and the jQuery selector function $(), which can also create nodes: $('<img>') will generate an img node. Only a few jQuery methods should ever be passed unescaped input.
Safe methods: .text() .attr() .prop() .val()
Unsafe methods: .html() $() .append*() .wrap*() .prepend*() .before() .after() .insert*()
Caveat: .attr() and .prop() are safe only in the sense that they do not parse HTML; setting a URL-bearing attribute such as href or src from untrusted input still allows a javascript: URL, so validate the scheme as well.

Security is a Mindset

Three Principles:
  Defense in Depth - redundant safeguards are valuable.
  Least Privilege - grant as little freedom as possible.
  Least Complicated - complexity breeds mistakes.
  (From Shiflett's Evolution of Web Security)
Trust Nothing, Assume Nothing
Server Side Security
  Install the Suhosin patch.
  Be smart about your passwords.
  Disable register_globals, magic_quotes, etc.
  Never run PHP/Apache/Nginx/etc as root or administrator.
  Keep up with patches.

Social Engineering - 1

Phishing - getting information by simply asking for it.
Baiting - leaving infected media (USB sticks, CDs, wireless networks, etc) that compromises a system.
Tailgating - entering a secured area by following someone.
Social Engineering - Tips
  Don't give out privileged information, ever.
  Know who you're talking to; ask to call them back, etc.
  Common sense helps a lot.
  Never take anything for granted.
  Don't pick up disks/USB sticks/etc and insert them into your computer (PC, Mac, or even Linux).