SlideShare une entreprise Scribd logo

Tuenti: Web Application Security

Tuenti
Tuenti

The document discusses web application security and summarizes the top 10 security issues according to OWASP (Open Web Application Security Project). It provides details on each issue, including examples, prevalence, impact, and recommendations for prevention. The top issues are injection, XSS, broken authentication and session management, insecure direct object references, CSRF, security misconfiguration, failure to restrict URL access, unvalidated redirects, insecure cryptographic storage, and insufficient transport layer protection.

Technologie
1  sur  78
Télécharger pour lire hors ligne
Web Application Security Guillermo Pérez bisho@tuenti.com BE arch & Security Lead Eng. bcndevcon 2011
Things to deal with... in web app security
Web App security ● Anonymous attackers ● Worldwide access ● Shared environment for all users ● Easy distribution, profitable ● On top of all other components security: ○ Network security ○ OS security ○ Server software security ○ Social Engineering ○ Even more! browsers, plugins, virus, user computer security, shared computers, open wifis...
How to achieve it?
Web App security Humans (developers) are the bigger risk Give tools, frameworks & policies so no developer has to ever think how to secure up things. Should be clear and the easiest path. But there is no perfect security...
Top risks?
Top 10 security issues in webapps From OWASP (risks != frequency) 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
1. Injection flaws Trick services to execute unintended commands to gain control or access unauthorized data. ● Several types: ○ SQL ○ OS execution ○ LDAP ○ XPath ○ NoSQL ○ uploads
1. Injection flaws ● Explotability: EASY ● Prevalence: COMMON ● Detectability: AVERAGE ● Impact: SEVERE ● Prevention: ○ Keep untrusted data separate from commands ● How: ○ Use safe, parametrized apis vs writting code to be executed by interpreter. ○ Escape special chars depending on interpreter. ○ Data cast, whitelist input validation.
1. Injection flaws: SQL ● http://example.com/?id=' or '1'='1 ● Explicit cast, escaping IN-PLACE ○ mysqli_escape_string() ○ ... ● Use prepared statements ○ Provides data separation ○ Client-side implementations (PDO) ○ SELECT * FROM table where id=? ● Use safe apis for query generation ○ $mysqlService->select($table, $pk, $fields, $where...) ● Safe ORM framework ○ $storage->read($keys);
1. Injection flaws: OS ● Don't use OS execution :) ● Escape ○ escapeshellarg
1. Injection flaws: uploads ● Don't put them on public folder ● Don't use user-provided data for names ● Whitelist extensions ● Validate content ● Store separately from app (DB, separate servers) ● Ensure write permissions are the minimum possible
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
2. XSS Trick services to return browser-executable code to user/s. ● Several classifications: ○ Breaking context vs sub-context ○ Persistant vs non-persistent ○ Traditional vs DOM
2. XSS ● Explotability: AVERAGE ● Prevalence: WIDESPREAD ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Escape untrusted data depending on context ○ HTTP-Only Cookie mitigation is useless ● How: ○ Escape everything (even safe vars) ○ Escape in TEMPLATES (context aware) ○ Other (URL params) in specialized safe apis ○ Unit test
2. XSS: Classification by context ● Breaking context: ○ <a href="?id<?=$_GET['id']?>"> ○ "<script> ... ○ Easy to detect & test ■ Unit-test templates with all injections for all vars and validate html ● Non breaking context: ○ <a href="<?=$_GET['url']?>"> ○ javascript: ... ○ HARD TO DETECT
2. XSS: Classification by persistance ● Persistant ○ Data gets stored in DB ○ Users will be hit by regular navigation ○ Easier to test (templates) ● Non persistant ○ A request with some params returns XSS ○ Users need to be trick to navigate into the malicious link ○ More frequent (No results for 'blah') ○ Somewhat harder to test (cover error messages, non-template based responses)
2. XSS: Classification by mode ● Traditional ○ Just by exploiting browser parsing ○ Easy to test ● DOM ○ Cheating on JS ■ data from server injected in DOM ● Use innerText ● Do not compose html in JS ■ parsing data from uri, forms as 'safe' ○ Pretty hard to test. Avoid missuse, provide safe apis.
2. XSS @tuenti ● Escape on templates ● Escape everything, even what doesn't need to be escaped: ○ <?=View::escape_unsafe($html)?> ● Link generation framework ● Tests for templates, controllers
2. XSS: HTML ● Never put untrusted data in: ○ <script> contents ○ HTML comments ○ tag/attribute names ○ <style> contents ● Contexts: Content, attributes, url params, urls, js... ● Rich formating ○ Use alternative markup lang ■ Markdown ■ Textile ○ Filter HTML (white listing, carefull!!!)
2. XSS: JS ● Encode with xNNN (" might break HTML that is parsed before) ● Prefer reading values from dom ● URL pieces are not safe ● Beware of double context: setInterval('...'), eval()
2. XSS: JSON ● Easy to escape (single context) ● Can put the load on the browser (harder to test) ● Avoid mixing contexts (json on html, or json with/for html) ● Eval json as js can trigger js execution ○ Safe, full json encoding in server (never use half- baked json templates!!!) ○ Use the slow json-parse.js vs json.js regexp validation ● Be aware of context. content-type!
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
3. Auth & Session Attack authentication and sessions to gain control over an account. ● Passwords ● Session issues
3. Auth & Session ● Explotability: AVERAGE ● Prevalence: COMMON ● Detectability: AVERAGE ● Impact: SEVERE ● Prevention: ○ SSL, good session handling, detect auth brute force, avoid plain text passwords, strong password recovery, user sessions control (logout, history, close all), detect anomalous login patterns...
3. Auth & Session ● Passwords ○ Use SSL or digest auth ○ Enforce good passwords, rotation ○ Store passwords securely (constant time salted hashes) ○ fight phising (easy URL, educate users) ● Authentication ○ Don't make distintions between bad login / password ○ Reset to hide real logins, time-limited tokens, old password invalidate resets ○ Detect brute force, lock accounts ○ Watch misconfigurations ○ Specially on admin, secondary platforms
3. Auth & Session ● Sessions ○ Random Ids, >= 128 bit ○ Use SSL ○ Use secure=yes, httponly for cookies ○ No session fixation ○ No session ids in URLs ○ Change session id on priviledge scalation or switch between http->https ○ Expiration ○ Offer logout, history, close all ○ Do not send cookies to CDNs, non-principal sites
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
4. Direct object references Apps usually map backend objects to URLs. An attacker might bypass privacy and authentication by accessing directly to resources if don't do the appropiate checks. ● Trusted params ● Images
4. Direct object references ● Explotability: EASY ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Properly check privacy on all objects ○ Good policy on where to put the privacy check ○ Do not trust params. Sign params is an option ○ Hide real db keys (show pos X in search Y, /me) ○ Make urls hard to guess
4. Direct object references Sounds stupid... ...but happens!
4. Direct object references ● Never check privacy on controllers ● Never check privacy on storage layer ● Privacy in backend api methods ○ With entry point documentation ○ Clear responsibility for privacy! ○ Most of the time implicit with good api design ○ Good performance ○ Easy to use privacy framework
4. Direct object references ● Documentation /* * @epoint-changes-state YES * @epoint-privacy-control IMPLICIT * - Only deletes current user tag if exists. * @epoint-summary Deletes the current user's tag on a photo *... */ public function deleteMyTag($photoKey) { $userId = CurrentUser::getId(); ...
4. Direct object references ● Privacy framework api ○ TPrivacy::hasAnyOf / hasAllOf ○ + Privacy providers if (TPrivacy::hasAnyOf( CurrentUser::getId() == $photoOwner, array('TagApi', TagApi::IS_TAGGED, $photoKey), array('... ... )) {
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
5. CSRF Cross site request forgery [CSFR in tuenti :)] Trick a authenticated user to submit requests to a service and do actions without consent. The browser will send the cookies and the request might look legit. ● Image tags (get) ● Forms (post) ● ...
5. CSRF ● Explotability: AVERAGE ● Prevalence: WIDESPREAD ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Require a non-predictable token param on all actions that modify state ○ Use POST for all actions that modify state ○ Use custom header in ajax requests ○ Check Origin header when available!!!
5. CSRF @tuenti: ● Before was check when using a post param ○ Default values caused us issues ● Now explicit annotation on controllers ○ @ChangesState ● Evangelize developers
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
6. Security misconfiguration Missing security updates, open proxies, open ports, default accounts, directory listing, forgotten hardening...
6. Security misconfiguration ● Explotability: EASY ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Develop install & configuration procedures ○ Document services and subscribe to updates ○ Hide services versions when possible ○ Separate components to minimize risks
6. Security misconfiguration @tuenti: ● we are big >1k servers ○ + possibilities for some issue ● But... ○ We use config management (pupet) ○ Good deployment procedures, documentation ○ Very isolated services ○ Few generic web components ○ Good systems team
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
7. URL access Attacker guesses URLs that lead to functionality, information.
7. URL access ● Explotability: EASY ● Prevalence: UNCOMMON ● Detectability: AVERAGE ● Impact: MODERATE ● Prevention: ○ Deny by default ○ Deploy by selection
7. URL access @tuenti ● Good deploy system ● Splited environments for production and dev ● Most non-public services restricted to vpn + centralized auth
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
8. Unvalidated redirects Use a service redirect to trick users into clicking on a link (belongs to valid service) and achieve more effective phising/virus downloads/revenue.
8. Unvalidated redirects ● Explotability: AVERAGE ● Prevalence: UNCOMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Don't expose destination URL as param, use references to a white list ○ Ensure end URLs are safe (Safe search, user reporting tools...)
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
9. Insecure crypto storage Some data is sensible enought to require being stored encripted/hashed, to protect it from being stolen. Unsalted hashes might be exploitable, backups might contain keys or cleartext, services might expose decrypt mecanisms, internal attacks might have access to keys.
9. Insecure crypto storage ● Explotability: DIFFICULT ● Prevalence: UNCOMMON ● Detectability: DIFFICULT ● Impact: SEVERE ● Prevention: ○ Keep backups encripted, don't store keys on same place. ○ Use salted hashes and constant time hashes ○ Ensure keys are protected ○ Don't offer full info (credit card XXXX 1234)
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
10. Transport layer protection An attacker might sniff traffic of your users to steal sessions to retrieve data, do spam...
10. Transport layer protection ● Explotability: DIFFICULT ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Ensure to use SSL on all requests & resources loaded. ○ Change session ids when switching to https. ○ If optional, try to detect shared IPs and auto-enable on those.
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection 11. Extras
11. Extras: Cross domain data leak Ajax is changing the web apps, with js-rich clients that request data. Beware of exposing JS / JSON user data through GET requests without CSRF tokens/headers! <script> tag is not Cross Domain safe! ● Require custom header (needs XMLhttpRequest) keep using GET ● Check origin header
11. Extras: Clickjacking Trick users to click/copy content on your page (by-passing CSRF) by using a hidden frame ● Use Frame-options ● Some anti-frame JS (hard) ○ top.location might not be accesible, cause JS error ○ redirections might be cancelled ○ Best (not pretty): blank page with link target _blank, if top. location == self.location, add content
11. Extras: Unicode ● Filter special unicode that can break design ● UTF encoding might bypass your XSS-filters ● UTF url encoding might bypass directory checks... ● NULL code %00 might bypass suffixes
11. Extras: HTTP/Mail Headers ● Are subject to CR/LF injection, leading to ○ XSS ○ Spam ○ redirection ○ ... ● Use safe api
11. Extras: People ● People is always the weakest link ● Phising ○ Educate ○ Good urls ○ Design ○ Referer analysis ○ React ● Self-inflicted JS injection ○ Educate ○ Filter content, be aware of surges
No input validation?
No input validation? Minimize malformed data, make it match business needs. NOT as primary method to avoid XSS, injection... ● Rules: ○ SERVER SIDE ○ Apply to all (form, url params, cookies, http headers) ○ Define whitelists of valid chars ○ Define length ○ Business on top of that
No input validation? ● Even thought, tuenti has a good validation system: ○ Based on annotations on controllers. ○ At data layer (storage definition) ● Makes exploits harder ● Good practice, clean code ● Explicit args in controllers
Other important aspects
Logging, stats, counters ● Very important for security ● Stats: ○ Detect issues, patterns to take measures. ● Logs ○ Analize issues. ● Counters ○ Detect & react to malicious activity
Error handling ● Sanitize error messages, use same templating system ● Do not provide information to users ● Control debug mode ● Dangers: ○ Log review tools (XSS) ○ As payload upload mecanism
Community ● Take care of community! ○ Thank security researchers ○ Reply fast ○ <24h fix policy ○ Tipically <2h! ○ Hall of FAME!!! ● How to report ○ Standard box security@tuenti.com + dns entries ○ Regular user support ○ Researchers know us
Web Security Future?
Browser XSS protections ● Reflexion XSS protection ○ Different implementations IE8, chrome ○ Adds issues, new problems ○ Non perfect, might improve?
Client side templates ● Data only requests are easier to escape ● It's harder to inject data into client-side templates (only persistent XSS) ● Templates might work in DOM mode ● SLOW in non recent browsers
Better JS ● More secure mashups ○ Google Caja... ● More enterprise JS ○ Dart, GWT, Closure, CoffeeScript
Plugins ... Apis ... Browsers ● Flash plugin will die! ● But new HTML5 apis will bring more issues ● Browsers extensions nightmare
Avoid cookies Using XMLHttpRequest with sid as param, from rich JS apps. Destination domain that does not have cookies. ● Decreases attack vectors on: ○ CSRF ○ Click jacking
SSL improvements ● HSTS ○ Force SSL ○ Certificate pinning ● False start ○ -30% handshake latency
Content Security Policy (Mozilla) ● Restricts a lot of attacking vectors ○ Forbids inline javascript ○ Forbids dynamic js code: eval, setTimeout(<string>) ○ Restricts inline data source (can be reverted for images for example) ○ Whitelist sources for each type of content (js, css, images, ajax...) ○ Configures frame permissions better ● Hard to implement in complex sites ○ twitter mobile is using it ○ Reports issues (to detect attacks, debug/testing phase)
? bisho@tuenti.com We are hiring! http://jobs.tuenti.com

Recommandé

Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
PHP Security Tips
PHP Security TipsPHP Security Tips
PHP Security TipsChris Tankersley
 
Xebia Knowledge Exchange - Owasp Top Ten
Xebia Knowledge Exchange - Owasp Top TenXebia Knowledge Exchange - Owasp Top Ten
Xebia Knowledge Exchange - Owasp Top TenPublicis Sapient Engineering
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
Tuenti release process
Tuenti release processTuenti release process
Tuenti release processTuenti
 
Tuenti - de la idea a la web
Tuenti - de la idea a la webTuenti - de la idea a la web
Tuenti - de la idea a la webTuenti
 
Tuenti Release Workflow
Tuenti Release WorkflowTuenti Release Workflow
Tuenti Release WorkflowTuenti
 
Presentaciones tuenti
Presentaciones tuentiPresentaciones tuenti
Presentaciones tuentiMiriam_Guillemdiaz18
 

Recommandé

Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
PHP Security Tips
PHP Security TipsPHP Security Tips
PHP Security TipsChris Tankersley
 
Xebia Knowledge Exchange - Owasp Top Ten
Xebia Knowledge Exchange - Owasp Top TenXebia Knowledge Exchange - Owasp Top Ten
Xebia Knowledge Exchange - Owasp Top TenPublicis Sapient Engineering
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
Tuenti release process
Tuenti release processTuenti release process
Tuenti release processTuenti
 
Tuenti - de la idea a la web
Tuenti - de la idea a la webTuenti - de la idea a la web
Tuenti - de la idea a la webTuenti
 
Tuenti Release Workflow
Tuenti Release WorkflowTuenti Release Workflow
Tuenti Release WorkflowTuenti
 
Presentaciones tuenti
Presentaciones tuentiPresentaciones tuenti
Presentaciones tuentiMiriam_Guillemdiaz18
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing AppAndreas Schranzhofer
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdfAbhi Jain
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxssuser020436
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTrueTesters
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps SecurityVictor Bucutea
 
Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti
 
Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tuenti
 

Contenu connexe

Similaire à Tuenti: Web Application Security

Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdfAbhi Jain
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxssuser020436
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTrueTesters
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 

Similaire à Tuenti: Web Application Security (20)

Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing App
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdf
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web Vulnerability
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 

Plus de Tuenti

Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti
 
Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tuenti
 
Tuenti Mobile Development
Tuenti Mobile DevelopmentTuenti Mobile Development
Tuenti Mobile DevelopmentTuenti
 
Tuenti - tu entidad
Tuenti - tu entidadTuenti - tu entidad
Tuenti - tu entidadTuenti
 
DTS s03e02 Handling the code
DTS s03e02 Handling the codeDTS s03e02 Handling the code
DTS s03e02 Handling the codeTuenti
 
DTS s03e04 Typing
DTS s03e04 TypingDTS s03e04 Typing
DTS s03e04 TypingTuenti
 
Tuenti Tech Teams. Frontend, Backend, Systems and more, working together
Tuenti Tech Teams. Frontend, Backend, Systems and more, working togetherTuenti Tech Teams. Frontend, Backend, Systems and more, working together
Tuenti Tech Teams. Frontend, Backend, Systems and more, working togetherTuenti
 
AJAX for Scalability
AJAX for ScalabilityAJAX for Scalability
AJAX for ScalabilityTuenti
 

Plus de Tuenti (8)

Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1
 
Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011
 
Tuenti Mobile Development
Tuenti Mobile DevelopmentTuenti Mobile Development
Tuenti Mobile Development
 
Tuenti - tu entidad
Tuenti - tu entidadTuenti - tu entidad
Tuenti - tu entidad
 
DTS s03e02 Handling the code
DTS s03e02 Handling the codeDTS s03e02 Handling the code
DTS s03e02 Handling the code
 
DTS s03e04 Typing
DTS s03e04 TypingDTS s03e04 Typing
DTS s03e04 Typing
 
Tuenti Tech Teams. Frontend, Backend, Systems and more, working together
Tuenti Tech Teams. Frontend, Backend, Systems and more, working togetherTuenti Tech Teams. Frontend, Backend, Systems and more, working together
Tuenti Tech Teams. Frontend, Backend, Systems and more, working together
 
AJAX for Scalability
AJAX for ScalabilityAJAX for Scalability
AJAX for Scalability
 

Dernier

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Dernier (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Tuenti: Web Application Security

  • 1. Web Application Security Guillermo Pérez bisho@tuenti.com BE arch & Security Lead Eng. bcndevcon 2011
  • 2. Things to deal with... in web app security
  • 3. Web App security ● Anonymous attackers ● Worldwide access ● Shared environment for all users ● Easy distribution, profitable ● On top of all other components security: ○ Network security ○ OS security ○ Server software security ○ Social Engineering ○ Even more! browsers, plugins, virus, user computer security, shared computers, open wifis...
  • 5. Web App security Humans (developers) are the bigger risk Give tools, frameworks & policies so no developer has to ever think how to secure up things. Should be clear and the easiest path. But there is no perfect security...
  • 7. Top 10 security issues in webapps From OWASP (risks != frequency) 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 8. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 9. 1. Injection flaws Trick services to execute unintended commands to gain control or access unauthorized data. ● Several types: ○ SQL ○ OS execution ○ LDAP ○ XPath ○ NoSQL ○ uploads
  • 10. 1. Injection flaws ● Explotability: EASY ● Prevalence: COMMON ● Detectability: AVERAGE ● Impact: SEVERE ● Prevention: ○ Keep untrusted data separate from commands ● How: ○ Use safe, parametrized apis vs writting code to be executed by interpreter. ○ Escape special chars depending on interpreter. ○ Data cast, whitelist input validation.
  • 11. 1. Injection flaws: SQL ● http://example.com/?id=' or '1'='1 ● Explicit cast, escaping IN-PLACE ○ mysqli_escape_string() ○ ... ● Use prepared statements ○ Provides data separation ○ Client-side implementations (PDO) ○ SELECT * FROM table where id=? ● Use safe apis for query generation ○ $mysqlService->select($table, $pk, $fields, $where...) ● Safe ORM framework ○ $storage->read($keys);
  • 12. 1. Injection flaws: OS ● Don't use OS execution :) ● Escape ○ escapeshellarg
  • 13. 1. Injection flaws: uploads ● Don't put them on public folder ● Don't use user-provided data for names ● Whitelist extensions ● Validate content ● Store separately from app (DB, separate servers) ● Ensure write permissions are the minimum possible
  • 14. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 15. 2. XSS Trick services to return browser-executable code to user/s. ● Several classifications: ○ Breaking context vs sub-context ○ Persistant vs non-persistent ○ Traditional vs DOM
  • 16. 2. XSS ● Explotability: AVERAGE ● Prevalence: WIDESPREAD ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Escape untrusted data depending on context ○ HTTP-Only Cookie mitigation is useless ● How: ○ Escape everything (even safe vars) ○ Escape in TEMPLATES (context aware) ○ Other (URL params) in specialized safe apis ○ Unit test
  • 17. 2. XSS: Classification by context ● Breaking context: ○ <a href="?id<?=$_GET['id']?>"> ○ "<script> ... ○ Easy to detect & test ■ Unit-test templates with all injections for all vars and validate html ● Non breaking context: ○ <a href="<?=$_GET['url']?>"> ○ javascript: ... ○ HARD TO DETECT
  • 18. 2. XSS: Classification by persistance ● Persistant ○ Data gets stored in DB ○ Users will be hit by regular navigation ○ Easier to test (templates) ● Non persistant ○ A request with some params returns XSS ○ Users need to be trick to navigate into the malicious link ○ More frequent (No results for 'blah') ○ Somewhat harder to test (cover error messages, non-template based responses)
  • 19. 2. XSS: Classification by mode ● Traditional ○ Just by exploiting browser parsing ○ Easy to test ● DOM ○ Cheating on JS ■ data from server injected in DOM ● Use innerText ● Do not compose html in JS ■ parsing data from uri, forms as 'safe' ○ Pretty hard to test. Avoid missuse, provide safe apis.
  • 20. 2. XSS @tuenti ● Escape on templates ● Escape everything, even what doesn't need to be escaped: ○ <?=View::escape_unsafe($html)?> ● Link generation framework ● Tests for templates, controllers
  • 21. 2. XSS: HTML ● Never put untrusted data in: ○ <script> contents ○ HTML comments ○ tag/attribute names ○ <style> contents ● Contexts: Content, attributes, url params, urls, js... ● Rich formating ○ Use alternative markup lang ■ Markdown ■ Textile ○ Filter HTML (white listing, carefull!!!)
  • 22. 2. XSS: JS ● Encode with xNNN (" might break HTML that is parsed before) ● Prefer reading values from dom ● URL pieces are not safe ● Beware of double context: setInterval('...'), eval()
  • 23. 2. XSS: JSON ● Easy to escape (single context) ● Can put the load on the browser (harder to test) ● Avoid mixing contexts (json on html, or json with/for html) ● Eval json as js can trigger js execution ○ Safe, full json encoding in server (never use half- baked json templates!!!) ○ Use the slow json-parse.js vs json.js regexp validation ● Be aware of context. content-type!
  • 24. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 25. 3. Auth & Session Attack authentication and sessions to gain control over an account. ● Passwords ● Session issues
  • 26. 3. Auth & Session ● Explotability: AVERAGE ● Prevalence: COMMON ● Detectability: AVERAGE ● Impact: SEVERE ● Prevention: ○ SSL, good session handling, detect auth brute force, avoid plain text passwords, strong password recovery, user sessions control (logout, history, close all), detect anomalous login patterns...
  • 27. 3. Auth & Session ● Passwords ○ Use SSL or digest auth ○ Enforce good passwords, rotation ○ Store passwords securely (constant time salted hashes) ○ fight phising (easy URL, educate users) ● Authentication ○ Don't make distintions between bad login / password ○ Reset to hide real logins, time-limited tokens, old password invalidate resets ○ Detect brute force, lock accounts ○ Watch misconfigurations ○ Specially on admin, secondary platforms
  • 28. 3. Auth & Session ● Sessions ○ Random Ids, >= 128 bit ○ Use SSL ○ Use secure=yes, httponly for cookies ○ No session fixation ○ No session ids in URLs ○ Change session id on priviledge scalation or switch between http->https ○ Expiration ○ Offer logout, history, close all ○ Do not send cookies to CDNs, non-principal sites
  • 29. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 30. 4. Direct object references Apps usually map backend objects to URLs. An attacker might bypass privacy and authentication by accessing directly to resources if don't do the appropiate checks. ● Trusted params ● Images
  • 31. 4. Direct object references ● Explotability: EASY ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Properly check privacy on all objects ○ Good policy on where to put the privacy check ○ Do not trust params. Sign params is an option ○ Hide real db keys (show pos X in search Y, /me) ○ Make urls hard to guess
  • 32. 4. Direct object references Sounds stupid... ...but happens!
  • 33. 4. Direct object references ● Never check privacy on controllers ● Never check privacy on storage layer ● Privacy in backend api methods ○ With entry point documentation ○ Clear responsibility for privacy! ○ Most of the time implicit with good api design ○ Good performance ○ Easy to use privacy framework
  • 34. 4. Direct object references ● Documentation /* * @epoint-changes-state YES * @epoint-privacy-control IMPLICIT * - Only deletes current user tag if exists. * @epoint-summary Deletes the current user's tag on a photo *... */ public function deleteMyTag($photoKey) { $userId = CurrentUser::getId(); ...
  • 35. 4. Direct object references ● Privacy framework api ○ TPrivacy::hasAnyOf / hasAllOf ○ + Privacy providers if (TPrivacy::hasAnyOf( CurrentUser::getId() == $photoOwner, array('TagApi', TagApi::IS_TAGGED, $photoKey), array('... ... )) {
  • 36. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 37. 5. CSRF Cross site request forgery [CSFR in tuenti :)] Trick a authenticated user to submit requests to a service and do actions without consent. The browser will send the cookies and the request might look legit. ● Image tags (get) ● Forms (post) ● ...
  • 38. 5. CSRF ● Explotability: AVERAGE ● Prevalence: WIDESPREAD ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Require a non-predictable token param on all actions that modify state ○ Use POST for all actions that modify state ○ Use custom header in ajax requests ○ Check Origin header when available!!!
  • 39. 5. CSRF @tuenti: ● Before was check when using a post param ○ Default values caused us issues ● Now explicit annotation on controllers ○ @ChangesState ● Evangelize developers
  • 40. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 41. 6. Security misconfiguration Missing security updates, open proxies, open ports, default accounts, directory listing, forgotten hardening...
  • 42. 6. Security misconfiguration ● Explotability: EASY ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Develop install & configuration procedures ○ Document services and subscribe to updates ○ Hide services versions when possible ○ Separate components to minimize risks
  • 43. 6. Security misconfiguration @tuenti: ● we are big >1k servers ○ + possibilities for some issue ● But... ○ We use config management (pupet) ○ Good deployment procedures, documentation ○ Very isolated services ○ Few generic web components ○ Good systems team
  • 44. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 45. 7. URL access Attacker guesses URLs that lead to functionality, information.
  • 46. 7. URL access ● Explotability: EASY ● Prevalence: UNCOMMON ● Detectability: AVERAGE ● Impact: MODERATE ● Prevention: ○ Deny by default ○ Deploy by selection
  • 47. 7. URL access @tuenti ● Good deploy system ● Splited environments for production and dev ● Most non-public services restricted to vpn + centralized auth
  • 48. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 49. 8. Unvalidated redirects Use a service redirect to trick users into clicking on a link (belongs to valid service) and achieve more effective phising/virus downloads/revenue.
  • 50. 8. Unvalidated redirects ● Explotability: AVERAGE ● Prevalence: UNCOMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Don't expose destination URL as param, use references to a white list ○ Ensure end URLs are safe (Safe search, user reporting tools...)
  • 51. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 52. 9. Insecure crypto storage Some data is sensible enought to require being stored encripted/hashed, to protect it from being stolen. Unsalted hashes might be exploitable, backups might contain keys or cleartext, services might expose decrypt mecanisms, internal attacks might have access to keys.
  • 53. 9. Insecure crypto storage ● Explotability: DIFFICULT ● Prevalence: UNCOMMON ● Detectability: DIFFICULT ● Impact: SEVERE ● Prevention: ○ Keep backups encripted, don't store keys on same place. ○ Use salted hashes and constant time hashes ○ Ensure keys are protected ○ Don't offer full info (credit card XXXX 1234)
  • 54. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 55. 10. Transport layer protection An attacker might sniff traffic of your users to steal sessions to retrieve data, do spam...
  • 56. 10. Transport layer protection ● Explotability: DIFFICULT ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Ensure to use SSL on all requests & resources loaded. ○ Change session ids when switching to https. ○ If optional, try to detect shared IPs and auto-enable on those.
  • 57. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection 11. Extras
  • 58. 11. Extras: Cross domain data leak Ajax is changing the web apps, with js-rich clients that request data. Beware of exposing JS / JSON user data through GET requests without CSRF tokens/headers! <script> tag is not Cross Domain safe! ● Require custom header (needs XMLhttpRequest) keep using GET ● Check origin header
  • 59. 11. Extras: Clickjacking Trick users to click/copy content on your page (by-passing CSRF) by using a hidden frame ● Use Frame-options ● Some anti-frame JS (hard) ○ top.location might not be accesible, cause JS error ○ redirections might be cancelled ○ Best (not pretty): blank page with link target _blank, if top. location == self.location, add content
  • 60. 11. Extras: Unicode ● Filter special unicode that can break design ● UTF encoding might bypass your XSS-filters ● UTF url encoding might bypass directory checks... ● NULL code %00 might bypass suffixes
  • 61. 11. Extras: HTTP/Mail Headers ● Are subject to CR/LF injection, leading to ○ XSS ○ Spam ○ redirection ○ ... ● Use safe api
  • 62. 11. Extras: People ● People is always the weakest link ● Phising ○ Educate ○ Good urls ○ Design ○ Referer analysis ○ React ● Self-inflicted JS injection ○ Educate ○ Filter content, be aware of surges
  • 64. No input validation? Minimize malformed data, make it match business needs. NOT as primary method to avoid XSS, injection... ● Rules: ○ SERVER SIDE ○ Apply to all (form, url params, cookies, http headers) ○ Define whitelists of valid chars ○ Define length ○ Business on top of that
  • 65. No input validation? ● Even thought, tuenti has a good validation system: ○ Based on annotations on controllers. ○ At data layer (storage definition) ● Makes exploits harder ● Good practice, clean code ● Explicit args in controllers
  • 67. Logging, stats, counters ● Very important for security ● Stats: ○ Detect issues, patterns to take measures. ● Logs ○ Analize issues. ● Counters ○ Detect & react to malicious activity
  • 68. Error handling ● Sanitize error messages, use same templating system ● Do not provide information to users ● Control debug mode ● Dangers: ○ Log review tools (XSS) ○ As payload upload mecanism
  • 69. Community ● Take care of community! ○ Thank security researchers ○ Reply fast ○ <24h fix policy ○ Tipically <2h! ○ Hall of FAME!!! ● How to report ○ Standard box security@tuenti.com + dns entries ○ Regular user support ○ Researchers know us
  • 71. Browser XSS protections ● Reflexion XSS protection ○ Different implementations IE8, chrome ○ Adds issues, new problems ○ Non perfect, might improve?
  • 72. Client side templates ● Data only requests are easier to escape ● It's harder to inject data into client-side templates (only persistent XSS) ● Templates might work in DOM mode ● SLOW in non recent browsers
  • 73. Better JS ● More secure mashups ○ Google Caja... ● More enterprise JS ○ Dart, GWT, Closure, CoffeeScript
  • 74. Plugins ... Apis ... Browsers ● Flash plugin will die! ● But new HTML5 apis will bring more issues ● Browsers extensions nightmare
  • 75. Avoid cookies Using XMLHttpRequest with sid as param, from rich JS apps. Destination domain that does not have cookies. ● Decreases attack vectors on: ○ CSRF ○ Click jacking
  • 76. SSL improvements ● HSTS ○ Force SSL ○ Certificate pinning ● False start ○ -30% handshake latency
  • 77. Content Security Policy (Mozilla) ● Restricts a lot of attacking vectors ○ Forbids inline javascript ○ Forbids dynamic js code: eval, setTimeout(<string>) ○ Restricts inline data source (can be reverted for images for example) ○ Whitelist sources for each type of content (js, css, images, ajax...) ○ Configures frame permissions better ● Hard to implement in complex sites ○ twitter mobile is using it ○ Reports issues (to detect attacks, debug/testing phase)
  • 78. ? bisho@tuenti.com We are hiring! http://jobs.tuenti.com