My talk at Paris Web 2009 about basic web security and how to avoid opening your site for attacks.

1. Basic housekeeping
Plugging obvious security
holes in web sites.
Chris9an Heilmann, Paris Web, Paris, October 2009

4. A few things to remember
about basic web security.

5. A bit of pimping...
Gérer la sécurité de vos applica9ons web (Salle 1)
Présenté par : Sébas9en Pauchet (WS Interac9ve),
Frank Taillandier (Académie de Toulouse)
a.k.a. Dirty Tricks with @DirtyF

6. The most annoying thing
is that the dangers on the
web are underes9mated.

8. Reasons for aRacks:
Spam injec9on.
Iden9ty theT.
Data mining.
Botnet / Zombies / DOS

9. A lot of clever terms are
used in security.
SQL injec9on XSS CSRF
ClickJacking Phishing

10. In the end, a lot is about
keeping your web
products clean.

11. This very much starts on
the server side.

12. Think about your folders.

17. Telling the world too
much.

18. You don’t want the admin
folders of your app to be
indexed by Google Search
Engines.

19. Your system might tell
more about your site than
you are aware of.

20. Error messages are only
needed in produc9on ‐ on
live servers they can tell
more than you want to.

21. Keep your server setup
secure.

22. hRp://yoursite.com/index.php?admin=true
hRp://phpsec.org/projects/phpsecinfo/

23. hRp://phpsec.org/projects/phpsecinfo/

24. Basic server measures:
Turn off folder browsing.
Stop bot indexing (robots.txt).
Secure your setup.
Turn off error messaging.
Disallow remote file
inclusion.
Delete old and orphan files.

25. The next danger is blindly
relying on soTware.

26. Predefined backdoors and
passwords.

27. admin/admin
admin/password
default/default
user/user
preset/preset
buil9n/buil9n

28. Plugins

29. Basic soTware measures:
Change every password.
Check for presets.
RTFM.
Keep Plugins up‐to‐date.
Check for security holes.
Don’t trust “easy setup”.
Upgrade.

30. Front end security issues.

31. This is not hard.
Don’t trust any user data.
HTML is not a database.
JavaScript is not a secure data
container.
Do not rely on JavaScript.

32. Frontend is public.
If you comment, comment on
the backend, do not
“comment out” func9onality.

33. Frontend is insecure.
Anything in the frontend is
executed and can be used to
steal all your cookies.
(frames, images, scripts, links...)

34. Filtering
hRp://us2.php.net/manual/en/book.filter.php

35. Whitelis9ng

36. Clickjacking.

38. Basic frontend measures:
Break frames.
Filter inputs.
Whitelist inputs.
Avoid hacks (expression()).
Avoid URL assembling.

39. Our users

40. Social engineering.

41. SocEng basics:
Show authority.
Create fake need of urgency.
Take over responsibility.

42. Condi9oning helps. :‐(

43. I approve
of this!

44. Social networks

48. Step 1: Log in yourself

49. Step 2: Get list of followers

51. Step 3: Set the trap

52. http://twitter.com/statuses/
user_timeline/codepo8.xml?
count=200

54. Step 4: Lure his followers

55. None
of this!

56. Predictability

57. Basic people measures:
Don’t allow for auto log‐in.
Share security responsibility
with the users.
Avoid stressful interfaces.
Be very open about your
communica9on.

58. Bot aRacks.

59. Captchas to the rescue?
hRp://caca.zoy.org/wiki/PWNtcha

60. Bot aRack measures.
Honeyponng.
Timed interfaces.
Cookie check / Crumbing.
Spike detec9on.
OpenID / third party logins.

61. Nothing beats being up‐
to‐date!

63. None
of this!

64. I approve
of this!

65. You learn a
lot from logs.

67. No strength in numbers.

68. Check your posts.

69. And query terms.

70. Some not‐so sci‐fi ideas...

71. Guest passes.

72. oAuth

73. OpenID

74. Caja/ADsafe

75. Caja limits and
secures web
standards.

76. Caja vs. “HTML”
★ Custom aRributes
★ Custom tags
★ Unclosed tags
★ <embed>
★ <iframe>
★ <link rel=‘…
★ javascript:void(0)
★ Radio buRons in IE
★ Rela9ve url’s

77. Caja vs “JavaScript”
★ eval()
★ new Func9on()
★ Strings as event handlers (node.onclick = '...';)
★ Names ending with double / triple underscores
★ with func9on (with (obj) { ... })
★ Implicit global variables (specify var variable)
★ Calling a method as a func9on
★ document.write
★ window.event
★ .onclick
★ OpenSocial gadgets.io.makeRequest return JS

78. Caja vs “CSS”
★ * hacks
★ _ hacks
★ IE condi9onals
★ Insert‐aTer clear fix
★ expression()
★ @import
★ Background images in IE

79. Throwaway logins.

80. New challenges.

81. Social Network aRacks

82. The mobile web.

83. Camera access.

84. Loca9on based services.

85. Biometric recogni9on.

86. Right now things are not
safe.

87. But you can help making
the web safer.

88. Keep it clean, keep it up‐
to‐date and be alert.

89. MERCI!
Chris9an Heilmann
hRp://wait‐9ll‐i.com
hRp://developer‐evangelism.com
hRp://twiRer.com/codepo8