that looks vuln



common (web) application security issues,

and how to mitigate them



injection attacks

Allowing user input to leak to somewhere where it will be interpreted as code.


mandatory XKCD 327 link:
http://xkcd.com/327/


SQL

Username: "drevil' OR '1' = '1"

SELECT * FROM users WHERE is_admin = '1' AND name = 'drevil' OR '1' = '1';

Shell

www.mysite.com/viewcontent.php?filename=my_great_content.txt;ls

injection attacks: mitigation

Validate all external input. 

Only allow exactly the kind of values you expect.

Disallow common "dangerous" characters,

enforce a maximum length


Always use context-aware escaping on output

SQL-safe escapes for SQL,

HTML-safe escapes for HTML, etc.

There is no one-size-fits-all here
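As an added example (not from the original slides), the username from the SQL slide run against a constructed in-memory SQLite table: string concatenation lets the quote close the literal so the OR '1' = '1' matches every row, while a parameterised query compares the whole string literally; the allow-list check from the mitigation slide is shown as well.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the demo; the table mirrors the slide's
    # "users" table with an is_admin flag stored as a string.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "1"), ("bob", "0"), ("drevil", "0")],
    )
    return conn


def find_admin_vulnerable(conn, username):
    # The user-supplied string is pasted into the SQL text, so a quote
    # inside it ends the literal and the rest is parsed as SQL.
    # With "drevil' OR '1' = '1" the WHERE clause becomes
    #   is_admin = '1' AND name = 'drevil' OR '1' = '1'
    # and AND binds tighter than OR, so every row matches.
    query = ("SELECT name FROM users WHERE is_admin = '1' AND name = '"
             + username + "'")
    return sorted(row[0] for row in conn.execute(query))


def find_admin_safe(conn, username):
    # Parameterised query: the value travels separately from the SQL text
    # and is only ever compared as data, never interpreted as code.
    query = "SELECT name FROM users WHERE is_admin = '1' AND name = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def validate_username(username):
    # Allow-list validation as the slide suggests: only the characters a
    # username is expected to contain, with a maximum length. (The length
    # and character set are assumptions for this example.)
    return re.fullmatch(r"[a-z0-9_]{1,32}", username) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "drevil' OR '1' = '1"
    print("vulnerable:", find_admin_vulnerable(db, payload))
    print("safe:      ", find_admin_safe(db, payload))
    print("valid?     ", validate_username(payload))
```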

Buffer overflow/invalid pointers


Very common coding mistake in languages without memory-safety guarantees

http://0pointer.de/


Use a safe language

(although it is not a guarantee, you might still use libraries/third-party tools that are vulnerable)

Impose explicit size limits in APIs
(there are most likely implicit ones anyway)



no crypto


Sensitive data should be encrypted.

If it is stored encrypted, it should be transmitted encrypted.

There is no good performance reason to not use SSL everywhere. 


Think "why should this be in cleartext",
not the other way around


incorrectly used crypto

Worse than no crypto, now the attacker knows where the sensitive data is.

Examples

unsalted passwords

broken random numbers in initialization

Tor with an exit relay instead of end-to-end encryption

Mitigation

Don't roll your own.

Use NaCl or similar

WRONG crypto: mitigation

Don't roll your own!

Use high-level, well-known and trusted packages like

error handling

information leakage 


Sending too much data in errors back to clients can reveal important information to an attacker.

(But don't overdo it: if done right, it can be perfectly fine to say why an error happened)

no/broken access control

Lock down sensitive endpoints

Don't put session keys in URLs, where they might get logged

Negotiate per-session secrets

Implement timeouts for sessions



cross site scripting

(XSS)


Injected JavaScript can take control of the user's actions on a vulnerable website


Mitigation

Prevent injection at both input and output

Use CSP headers

csrf

Cross Site Request Forgery

Assuming that a logged-in browser can be trusted

Example:

   <img src="http://bank.example.com/withdraw?account=Alice&amount=1000000&for=Mallory">


CSRF mitigation

Secret tokens in all requests (hidden form value)

MAC/HMAC

Automatic logout



keep up to date


OWASP top 10 list

https://www.owasp.org/index.php/Top_10_2013-Top_10


Watch the CCC "Security Nightmares" talks,

don't repeat the mistakes of others



By cortex
