common (web) application security issues,
and how to mitigate them
Allowing user input to leak to somewhere where it will be interpreted as code.
mandatory XKCD 327 link:
http://xkcd.com/327/
SQL
Username: "drevil' OR '1' = '1"
SELECT * FROM users WHERE is_admin = '1' AND name = 'drevil' OR '1' = '1';
Shell
www.mysite.com/viewcontent.php?filename=my_great_content.txt;ls
Validate all external input.
Only allow exactly the kind of values you expect.
Disallow common "dangerous" characters
Enforce a maximum length
Always use context-aware escaping on output
SQL-safe escapes for sql,
HTML-safe escape for html etc.
There is no one-size-fits-all here
http://0pointer.de/
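An added example (not from the slides) that puts the two injection cases above next to their fixes in Python: the drevil username against a string-built SQL query versus a parameterized one, an allowlist check for the viewcontent.php filename, and HTML-context escaping on output. The users table and the function names are constructed for the example.

```python
import html
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory users table (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1"), ("bob", "0"), ("drevil", "0")])
    return conn


def admins_named_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable, as on the slide: the username is pasted into
    # the SQL text, so a quote in it becomes part of the query's syntax.
    query = (f"SELECT name FROM users WHERE is_admin = '1' AND name = '{name}' "
             "ORDER BY name")
    return [row[0] for row in conn.execute(query)]


def admins_named_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the value travels separately from the statement,
    # so nothing inside `name` can change what the query means.
    query = "SELECT name FROM users WHERE is_admin = '1' AND name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


# Allowlist for the viewcontent.php case: only the exact shape of filename we
# expect. Path separators, ';', spaces and overlong names are rejected before
# the value gets anywhere near a shell.
FILENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")


def filename_is_allowed(filename: str) -> bool:
    return FILENAME_RE.fullmatch(filename) is not None


def render_greeting(name: str) -> str:
    # HTML context, so HTML escaping. The same value would need a different
    # escape for SQL, a shell or a JavaScript string: there is no universal one.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    attack = "drevil' OR '1' = '1"
    print(admins_named_vulnerable(conn, attack))   # every user, admin or not
    print(admins_named_safe(conn, attack))         # nobody
    print(filename_is_allowed("my_great_content.txt;ls"))
    print(render_greeting("<script>alert(1)</script>"))
```

The parameterized query needs no escaping at all, which is the point: escaping is for the places where you must assemble text (HTML, shell lines), and each of those needs its own rule.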
Use a safe language
(although it is not a guarantee, you might still use libraries/third-party tools that are vulnerable)
Impose explicit size limits in APIs
(there are most likely implicit ones anyway)
Sensitive data should be encrypted.
If it is stored encrypted, it should be transmitted encrypted.
There is no good performance reason to not use SSL everywhere.
Bad crypto is worse than no crypto: now the attacker knows where the sensitive data is.
Examples
unsalted passwords
broken random numbers in initialization
Tor with an exit relay instead of end-to-end encryption
Mitigation
Don't roll your own.
Use NaCl or similar
Don't roll your own!
Use high-level well known and trusted packages like
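An added example (not from the slides) of the "unsalted passwords" item and its fix. It uses only the Python standard library (PBKDF2-HMAC-SHA256 as a stand-in for the password hashing a library such as NaCl/libsodium would give you); the iteration count and record format are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it to what your hardware tolerates.
PBKDF2_ITERATIONS = 210_000


def unsalted_hash(password: str) -> str:
    # The weak pattern from the slide. Every user with this password gets the
    # same digest, so one precomputed table cracks all of them at once.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    # Fresh salt from the OS CSPRNG (`secrets`, never `random`), a slow
    # derivation, and a self-describing record so the parameters can be raised later.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never "succeed" on garbage
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison so verification timing does not leak the digest.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print(unsalted_hash("hunter2") == unsalted_hash("hunter2"))  # same for every user
    rec_a, rec_b = hash_password("hunter2"), hash_password("hunter2")
    print(rec_a != rec_b)                                        # salted: differ
    print(verify_password("hunter2", rec_a), verify_password("hunter3", rec_a))
```

Two users with the same password now get unrelated records, and the stored record carries its own parameters, so a later increase of the work factor does not break old entries.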
Sending too much data in errors back to clients can reveal important information to an attacker.
(But don't overdo it, if done right, it can be perfectly fine to say why an error happened)
Lock down sensitive endpoints
Don't put session keys in URLs, where they might get logged
Negotiate per-session secrets
Implement timeouts for sessions
Injected JavaScript can take control of the user's actions on a vulnerable website
Mitigation
Prevent injection at both input and output
Use CSP headers
Cross Site Request Forgery
Assuming that a logged-in browser can be trusted
Example:
<img src="http://bank.example.com/withdraw?account=Alice&amount=1000000&for=Mallory">
Secret tokens in all requests (hidden form value)
MAC/HMAC
Automatic logout
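An added example (not from the slides) covering both the session slide (per-session secrets, keys in cookies rather than URLs, timeouts) and the CSRF mitigations (hidden token, HMAC, automatic logout). The forged withdraw request from the `<img>` example carries the victim's cookie but cannot carry the hidden token, so it is rejected. Function names, timeout values and the server key are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side key; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard upper bound on a session's lifetime


def new_session(now: float) -> dict:
    """Create a session with a fresh, unguessable id (the per-session secret)."""
    return {"id": secrets.token_urlsafe(32), "created": now, "last_seen": now}


def session_cookie(session: dict) -> str:
    """Set-Cookie value: the id travels only in a cookie, never in a URL,
    so it does not end up in access logs or Referer headers."""
    return f"sid={session['id']}; HttpOnly; Secure; SameSite=Lax; Path=/"


def session_is_live(session: dict, now: float) -> bool:
    """Both the idle and the absolute timeout must hold (automatic logout)."""
    return (now - session["last_seen"] <= IDLE_TIMEOUT
            and now - session["created"] <= ABSOLUTE_TIMEOUT)


def csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """HMAC of the session id: unique per session, verifiable without storing
    anything extra, and unknown to a cross-site attacker who never sees the cookie."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_ok(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    # compare_digest avoids leaking the token through timing differences
    return hmac.compare_digest(csrf_token(session_id, key), token)


def handle_withdraw(session: dict, form: dict, now: float) -> str:
    """State-changing endpoint: requires a live session and the hidden form token."""
    if not session_is_live(session, now):
        return "rejected: session expired, please log in again"
    if not csrf_token_ok(session["id"], form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    session["last_seen"] = now
    return f"ok: withdrew {form['amount']} from {form['account']}"


if __name__ == "__main__":
    now = time.time()
    alice = new_session(now)
    print(session_cookie(alice))
    # The <img src=...withdraw?...> request: browser attaches the cookie, no token.
    print(handle_withdraw(alice, {"account": "Alice", "amount": "1000000"}, now))
    # A form rendered by the site itself includes the hidden token.
    form = {"account": "Alice", "amount": "10", "csrf_token": csrf_token(alice["id"])}
    print(handle_withdraw(alice, form, now))
    print(handle_withdraw(alice, form, now + IDLE_TIMEOUT + 1))
```

Binding the token to the session id with an HMAC means the server stores nothing per token, and a token from one session is useless in another.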
OWASP top 10 list
https://www.owasp.org/index.php/Top_10_2013-Top_10
Watch CCC security nightmares,
don't repeat the mistakes of others