1. Web Security
Gerald Z. Villorente
Lorma Colleges San Fernando, La Union
2. if [ “$SLIDE” -eq “intro” ]; then
echo “I'm Gerald Z. Villorente”
fi
● Senior Web Developer, Kite Systems Ltd.
Hong Kong / Philippines
● Drupal Developer, Cable Network
News (CNN) Travel
Hong Kong / Atlanta, USA
● System Administrator, InternetJail
Oregon, USA
● Drupal Phil. Users Group (DPUG) member
● Freelancer
3. Agenda
● Security levels
● Aspect of Data Security
● Most common Web application threats and
counter measures
● Principle of Secure Development
● Best Practices
● Tools
4. What is a Web Application?
• Any application that is served commonly via
http or https protocol
• Usually running under port 80 or port 443
• Served from a remote computer acting as
host/server
5. What is a Web Application?
• Any application that is served commonly via
http or https protocol
• Usually running under port 80 or port 443
• Served from a remote computer acting as
host/server
6. What is a Web Application?
• Any application that is served commonly via
http or https protocol
• Usually running under port 80 or port 443
• Served from a remote computer acting as
host/server
7. What is Web Security?
• A.k.a “Cyber Security”, involves protecting all
informations by preventing, detecting, and
responding to attack
• Is a state of being free from damage and being
compromised
• Is a condition of being protected against danger
or loss
8. What is Web Security?
• A.k.a “Cyber Security”, involves protecting all
informations by preventing, detecting, and
responding to attack
• Is a state of being free from damage and being
compromised
• Is a condition of being protected against danger
or loss
9. What is Web Security?
• A.k.a “Cyber Security”, involves protecting all
informations by preventing, detecting, and
responding to attack
• Is a state of being free from damage and being
compromised
• Is a condition of being protected against danger
or loss
14. Security Levels
• Server level
- Ensure you have installed the latest operating
system security patches.
- Keep your web server software up-to-date
- Limit access from the Internet to your servers.
Use firewall software to block access to any
port but the following:
* 80
* 443 (SSL, only if your application uses it)
* 22 (SSH, SCP)
* 21 (not recomended)
• Network level
• Application level
• User level
15. Security Levels
• Server level
• Network level
- Place servers that your users do not directly interact
with (e.g., a back-end database server) in a private
network that is inaccessible from the Internet. If that
is not possible, then use firewall software to block
access from any computer other than your web
server.
• Application level
• User level
16. Security Levels
• Server level
• Network level
• Application level
- Never store passwords in clear text. Instead, use a
hashing algorithm such as MD5 or SHA-256 to create a
signature of the user's password for storage.
- Generate a unique signature for the user based on the
login and password and store that in the cookie.
- Carefully check any parameters you pass to SQL
statements in your application. Validate all user inputs.
- Purge unused/unnecessary user data from your system
regularly.
• User level
17. Security Levels
• Server level
• Network level
• Application level
• User level
- Protecting yourself is to recognize the risks and
become familiar with some of the terminology
associated with them.
- Keep your personal information in private
- Use complex password
- Keep your computer away from viruses, worms,
keyloggers, trojans, malwares, etc
18. Aspects of Data Security
• Privacy
- keeping your information private
• Integrity
- knowing that the information has not been
changed
• Authenticity
- knowing who sent the information
19. Aspects of Data Security
• Privacy
- keeping your information private
• Integrity
- knowing that the information has not been
changed
• Authenticity
- knowing who sent the information
20. Aspects of Data Security
• Privacy
- keeping your information private
• Integrity
- knowing that the information has not been
changed
• Authenticity
- knowing who sent the information
21. Aspects of Data Security
• Privacy
- keeping your information private
• Integrity
- knowing that the information has not been
changed
• Authenticity
- knowing who sent the information
30. Most Common Security Threats
Cross Site Scripting
- Injecting Javascript or other scripts that will run
on behalf of other user. This code usually steals cookies
(authenticated credentials) of the
person who “sees” the infected web page.
Ex:
<script>alert(“This site has been hacked!”);</script>
Preventions:
1. Filter all foreign data
- $filter_user_input = htmlentities($post['userinput']);
2. Always assume data to be invalid until it is proved valid.
3. Use BBCode – [b]bold[/b] vs <b>bold</b>
XSS Cheat Sheet
31. Most Common Security Threats
SQL Injection
- an attack where an attacker is able to execute
arbitrary sql code against the database
Ex:
// legit
$sort = 'ASC';
// malicious injection
$sort = '; TRUNCATE USERS';
// actual query
$query = “SELECT * FROM users ORDER BY membership_date
$sort”;
// output query
SELECT * FROM users ORDER BY membership_date; TRUCATE
USERS
32. Most Common Security Threats
SQL Injection (cont.)
Possible damage:
1. Corrupt data by executing truncate()
2. Alter current data (e.g change admin password)
Vectors:
1. Dynamic queries getting values from unsanitized user-submitted
data
Prevention(MySQL):
1. Enclose user-submitted values with mysql_real_escape_string()
2. Harden the environment by reducing sql account permissions,
remove unneeded system stored procedures, and audit
password strength
33. Most Common Security Threats
Improper Error Handling
- errors are not properly handled by system code
34. Most Common Security Threats
Parameter Tampering
- based on the manipulation of parameters exchanged
between client and server in order to modify application
data, such as user credentials and permissions, price and
quantity of products, etc. Usually, this information is stored
in cookies, hidden form fields, or URL Query Strings, and
is used to increase application functionality and control.
Ex:
http://www.attackbank.com/savepage.asp?nr=147&status=read
Attack
http://www.attackbank.com/savepage.asp?nr=147&status=del
35. Most Common Security Threats
Denial-of-Service
- an attack to make a computer resources
unavailable to its intended users
Resources:
1. Bandwidth
2. CPU
Preventions:
1. Firewall
2. Router & Switches
3. Intrusion Prevention Systems (IPS)
4. DoS Defense System (DDS)
36. Most Common Security Threats
Remote File Inclusion
- an attack where attacker executes a script of
his liking from against the target web
application
Possible Damage:
1. Expose / Modify variable values of the script
doing the include
2. Expose stored credentials (e.g
username/password from a web app
configuration file
Vector:
User-controllable value of variable called by
include() or require()
37. Most Common Security Threats
Remote File Inclusion
Preventions(PHP):
1. Disable register_globals
2. Disable allow_url_open
3. Disable allow_url_include
4. Do not include from a dynamic variable with
user controllable value
38. Most Common Security Threats
Form Spoofing
- an attack where an HTML form is mimicked or
copied and then submitted from a location
different from original
Possible Damage:
1. Bypass client-side validation
2. Mass data insertion resulting to flood (e.g
guestbook, forum, etc.)
39. Most Common Security Threats
Form Spoofing
Vectors:
1. No forms tokens present, thus all request
thrown to the accepting script is considered
valid
Preventions:
1. Tokenize the form
2. (Optional) Check referrer
40. The Principles of Secure
Development
1. Input Validation
2. Output Validation
3. Error Handling
4. Authentication and Authorisation
5. Session Management
6. Secure Communications
7. Secure Storage
8. Secure Resource Access
41. Know your tools
● Each language is different and has different
strengths and weaknesses
* PHP
* Python
* .NET
* ASP
* Ruby
* Scala
* Java
42. Best Practices
1. Never ever use WAMP, XAMP stack in
production
2. Avoid spaghetti code
3. Don't re-invent the wheel
4. Naming conventions
5. Use case-sensitive
6. Secure the filesystem
43. if [ “$SLIDE” -eq “end” ]; then
echo -n “Any question? [Y/n]”
read QTN
if [ "$QTN" == "N" -o "$QTN" == "n" ]; then
echo "Thank You!"
exit 1
elif [ "$QTN" == "Y" -o "$QTN" == "y" ]; then
echo “Ok I'll try to answer them.”
else
echo “Email me if you have. Thanks”
fi
fi
f70c89933a2f18cfd69af64ed32e9141 - f25d38b18f6da9feff9a76e0cfe6c245
![if [ “$SLIDE” -eq “intro” ]; then
echo “I'm Gerald Z. Villorente”
fi
● Senior Web Developer, Kite Systems Ltd.
Hong Kong / Philippines
● Drupal Developer, Cable Network
News (CNN) Travel
Hong Kong / Atlanta, USA
● System Administrator, InternetJail
Oregon, USA
● Drupal Phil. Users Group (DPUG) member
● Freelancer](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)