Introduction to web security Tech Talk @ Georgia Tech 9 March 2011

1. Is it good to be paranoid ? introduction to web security Tech talk @ Georgia Tech, March 2011

2. Subramanyan Murali yahoo Mail Engineer Hacker, Photographer, Traveler @rmsguhan

3. par·a·noi·a nparanoia [pӕrəˈnoiə] a type of mental illness in which a person has fixed & unreasonable ideas that he/she is very important, or that other people are being unfair or un-friendly to him/her 3

4. in Yahoo!, they are just people who care a lot about web security  4

5. Q.What is the problem ?

6. Spammers want to do cheap advertising & unsolicited marketing

7. Phisherswant to steal user identity for personal benefit

8. Crackers want to break into your systems & profit

9. Jokers just want to watch the world burn 

11. A tech-savy user maybe aware …

12. … but to some cookies are still made of dough & chocolate chips

13. A.Keep it simple for normal users Make it hard for users with evil intentions

14. Users have a lot of trust on the web & share a lot of information

15. Every attack is unique & exploits weakness

16. Types of web attacks Phishing & Spamming Scamming Code Injection Forgery & spoofing

17. Cross(X)Side Scripting 17

18. XSS Filter all input that you are going to save Be aware of the data you are saving URL should save only urls Numbers should save only numbers Never open up your site based purely on trust

19. SQL / Shell Injection

20. http://xkcd.com/327/

21. <?php $user = $_GET[‘user’]; $message = $_GET[‘message’];function save_message($user, $message){ $sql = "INSERT INTO Messages ( user, message ) VALUES ( '$user', '$message’ )"; return mysql_query($sql);}?>

22. test');DROP TABLE Messages;test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …

23. Cross-Site Request Forgery

24. <imgsrc=“http://www.mybiz.com/post_message?message=Cheap+medicine+at+http://evil.com/” style="position:absolute;left:-999em;”>

25. <iframename="pharma” style="display:none;"></iframe><form id="pform” action=“http://www.mybiz.com/post_message” method="POST” target="pharma”><input type="hidden" name="message" value="Cheap medicine at ..."></form><script>document.getElementById('pform').submit();</script>

26. Issue a unique token / crumb that only your server would know for that sessionCheck if the posted data has that token

27. For normal posts, use a time bound token <?phpfunction get_nonce() { return md5($secret . ":" . $user . ":" . ceil(time()/86400));}?>For more sensitive posts, use a token that is stored in user session

28. Click-jackinghttp://erickerr.com/like-clickjacking

29. Tab-Jackinghttp://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

30. New secure technology does not guarantee a secure application

31. As developers, we need to cautious

32. Resources http://www.owasp.org/index.php/Main_Page http://kilimanjaro.dk/blog/ http://www.smashingmagazine.com/author/philip-tellis/ http://code.google.com/edu/security/index.htm http://www.slideshare.net/joewalker/web-app-security http://www.slideshare.net/shiflett/evolution-of-web-security http://www.slideshare.net/txaypanya/owasp-top10-2010

33. Be paranoid, be smartThank you ! 