Is it good to be paranoid? Introduction to web security
Tech Talk @ Georgia Tech, 9 March 2011
Subramanyan Murali, Yahoo! Mail Engineer. Hacker, Photographer, Traveler. @rmsguhan
par·a·noi·a
• n paranoia [pӕrəˈnoiə] – a type of mental illness in which a person has fixed & unreasonable ideas that he/she is very important, or that other people are being unfair or unfriendly to him/her
In Yahoo!, they are just people who care a lot about web security
Q. What is the problem?
Spammers want to do cheap advertising & unsolicited marketing
Phishers want to steal user identity for personal benefit
Crackers want to break into your systems & profit
Jokers just want to watch the world burn
“It’s necessary to build an application that is user friendly, high performing, accessible and secure, all while executing partially in an un-trusted environment that you, the developer, have no control over”
– Philip Tellis, Yahoo! Paranoid
http://www.smashingmagazine.com/author/philip-tellis/
A tech-savvy user may be aware …
… but to some, cookies are still made of dough & chocolate chips
A. Keep it simple for normal users. Make it hard for users with evil intentions.
Users place a lot of trust in the web & share a lot of information
Every attack is unique & exploits a weakness
Types of web attacks
• Phishing & Spamming
• Scamming
• Code Injection
• Forgery & spoofing
Cross (X) Site Scripting
XSS
• Filter all input that you are going to save
• Be aware of the data you are saving
  – A URL field should store only URLs
  – A number field should store only numbers
• Never open up your site based purely on trust
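Applying the "a field stores only its own kind of data" rule above, as an added example that is not from the talk: per-field validators for a URL and a number field, an allow-list binding each saved field to one validator, and HTML escaping at output time. The form field names and values are constructed.

```python
import html
from urllib.parse import urlsplit


def clean_url(value):
    """Keep only absolute http(s) URLs; javascript:, data: and bare text are rejected."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an http(s) URL")
    return parts.geturl()


def clean_number(value):
    """Keep only ASCII digits, so '42; DROP ...' or '1e9' never reach storage."""
    s = value.strip()
    if not (s.isascii() and s.isdigit()):
        raise ValueError("not a number")
    return int(s)


# Allow-list of fields this (constructed) profile form may save,
# each bound to exactly one validator. Anything else is dropped.
FIELD_VALIDATORS = {"homepage": clean_url, "age": clean_number}


def validate_profile(form):
    """Return only known fields, each passed through its validator."""
    return {name: check(form.get(name, "")) for name, check in FIELD_VALIDATORS.items()}


def render_link(url, label):
    """Output side: escape stored data before it is written into HTML."""
    return '<a href="{}">{}</a>'.format(html.escape(url, quote=True), html.escape(label))
```

Validation on save limits what can be stored; escaping on output is still needed because data reaches the page from more places than this one form.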
SQL / Shell Injection
http://xkcd.com/327/
```php
<?php
$user = $_GET['user'];
$message = $_GET['message'];

// Deliberately vulnerable, as on the slide: request values are spliced
// straight into the SQL string, so a quote in the input ends the literal.
function save_message($user, $message) {
    $sql = "INSERT INTO Messages ( user, message ) VALUES ( '$user', '$message' )";
    return mysql_query($sql);
}
?>
```
```
test');DROP TABLE Messages;
test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …
```
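The same save_message in Python against an in-memory SQLite table, as an added example that is not the talk's code: the string-spliced version beside the parameterised one, fed the slide's second payload (constructed here with a plain "..." ending). The table name and columns follow the slide.

```python
import sqlite3

# Constructed from the slide's second payload: closes the quoted value and
# appends two extra rows of spam to the same INSERT statement.
SPAM_PAYLOAD = "test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at ..."


def fresh_db():
    """In-memory stand-in for the Messages table used on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    return conn


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM Messages").fetchone()[0]


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT message FROM Messages ORDER BY rowid")]


def save_message_vulnerable(conn, user, message):
    """Mirrors the slide's PHP: values are spliced into the SQL text."""
    sql = f"INSERT INTO Messages ( user, message ) VALUES ( '{user}', '{message}' )"
    conn.execute(sql)
    return count_rows(conn)


def save_message_safe(conn, user, message):
    """Hardened form: the driver binds the values, so quotes stay data."""
    conn.execute("INSERT INTO Messages ( user, message ) VALUES ( ?, ? )", (user, message))
    return count_rows(conn)
```

The slide's first payload (a stacked `DROP TABLE`) depends on the driver allowing several statements per call; the row-appending payload needs no such help, which is why it is the one exercised here.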
Cross-Site Request Forgery

```html
<img src="http://www.mybiz.com/post_message?message=Cheap+medicine+at+http://evil.com/" style="position:absolute;left:-999em;">
```

```html
<iframe name="pharma" style="display:none;"></iframe>
<form id="pform" action="http://www.mybiz.com/post_message" method="POST" target="pharma">
  <input type="hidden" name="message" value="Cheap medicine at ...">
</form>
<script>document.getElementById('pform').submit();</script>
```
Issue a unique token / crumb that only your server would know for that session
Check if the posted data has that token
For normal posts, use a time-bound token

```php
<?php
// $secret and $user are passed in explicitly: a PHP function does not see
// globals unless told to, so the slide's bare references would be null.
function get_nonce($secret, $user) {
    return md5($secret . ":" . $user . ":" . ceil(time()/86400));
}
?>
```

For more sensitive posts, use a token that is stored in the user session
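Both token styles from the slides above in Python, as an added example that is not the talk's code: the time-bound nonce keeps the slide's ceil(time/86400) bucketing but swaps md5 for HMAC-SHA256, accepts the previous bucket too so a form loaded just before the rollover still submits, and compares in constant time; the session-stored token is a random value for sensitive posts. SECRET and the session dict are constructed.

```python
import hashlib
import hmac
import math
import secrets

# Constructed server secret; a real deployment loads it from configuration.
SECRET = b"example-server-secret-do-not-reuse"
DAY = 86400


def day_bucket(now):
    """Same bucketing as the slide: ceil(time / 86400)."""
    return math.ceil(now / DAY)


def get_nonce(user, now, bucket_offset=0):
    """Time-bound token over (user, day bucket). HMAC-SHA256 replaces the
    slide's md5 so leaked tokens do not expose the secret to offline guessing."""
    msg = f"{user}:{day_bucket(now) + bucket_offset}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def check_nonce(user, token, now):
    """Accept the current bucket and the one before it (rollover grace)."""
    if not isinstance(token, str):
        return False
    return any(hmac.compare_digest(get_nonce(user, now, off), token) for off in (0, -1))


def issue_session_token(session):
    """Sensitive posts: random token kept in the server-side session."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def check_session_token(session, posted):
    expected = session.get("csrf_token")
    return isinstance(posted, str) and expected is not None and hmac.compare_digest(expected, posted)
```

Without the grace bucket, a form rendered at 23:59 fails when submitted at 00:01; with it, a token lives at most two days.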
Click-jacking
http://erickerr.com/like-clickjacking

Tab-Jacking
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
New secure technology does not guarantee a secure application
As developers, we need to be cautious
Resources
• http://www.owasp.org/index.php/Main_Page
• http://kilimanjaro.dk/blog/
• http://www.smashingmagazine.com/author/philip-tellis/
• http://code.google.com/edu/security/index.htm
• http://www.slideshare.net/joewalker/web-app-security
• http://www.slideshare.net/shiflett/evolution-of-web-security
• http://www.slideshare.net/txaypanya/owasp-top10-2010
Be paranoid, be smart
Thank you!