Basic security concepts for web applications and web sites for today's environment. Server Configuration, Site Configuration, Best Practices, and Passwords.

1. Bill Condo / @mavrck
Modern Web Security
Attacks & Improvements
4/2/2014 | Dayton Web Developers

2. Bill Condo / @mavrck
Who here is responsible
for a website?

3. Bill Condo / @mavrck
Who here has published code
updates live in the last month?

4. Bill Condo / @mavrck
Are they secure?

5. Bill Condo / @mavrck
What We’ll Cover
• Common Threats
• Easy Improvements
• Bonus: Passwords

6. Bill Condo / @mavrck
CommonThreats
• Cross Site Scripting
• SQL Injection
• Path Disclosure
• Cross Site Request Forgery
• Information Disclosure

7. Bill Condo / @mavrck
• Denial of Service
• Code Execution
• Memory Corruption
• Arbitrary File
• Local File Include
• Remote File Include
• Buffer overflow

8. Bill Condo / @mavrck
Cross-site scripting (XSS)
• In a nutshell, websites that allow external code to sent with a
response to a user’s browser.
• Typically this is javascript that is inserted into a query string or form
field that is allowed to run.
• Opens up cookie and sensitive data

9. Bill Condo / @mavrck
SQL Injection
• Allowing user input to directly be inserted into database queries,
opening the possibility of unexpected data, and database corruption
and data leakage.
• (original) statement = "SELECT * FROM users WHERE id ='" + id + “';"
• (input) 0’; DROP TABLE users
• (final) statement = "SELECT * FROM users WHERE id =‘0'; DROP TABLE users;"

10. Bill Condo / @mavrck
http://xkcd.com/327/

11. Bill Condo / @mavrck
Path Disclosure
• Allowing an attacker to see the path to the web root.
/home/site.com/public/index.php
• This could allow viewing of private files, and provides a nugget
of knowledge that can be combined to allow full access.
• http://site.com/index.php?page=about
• http://site.com/index.php?page=../config

12. Bill Condo / @mavrck
Cross Site Request Forgery (CSRF)
• Exploits a website’s unauthenticated functionality from an
authenticated user. This is commonly from features driven from url
parameters that doesn’t have sufficient verification in place.
• http://site.com/send-message.php?from=bill&to=brad&message=hi
• May also be exploited by malicious code injected into a page.

13. Bill Condo / @mavrck
Information Disclosure
• Releasing secure information to an untrusted environment. This
can be operating environment, customer data, or trade secrets.
• Path that the website runs at, database info, service versions, etc.
• Credit card data, private account info (address, phone),
and customer history.
• Business logic, processes, and long-term business plans.

14. Bill Condo / @mavrck

15. Bill Condo / @mavrck

16. Bill Condo / @mavrck
Easy Improvements
• Secure Your Environment
• Secure Your Website
• Establish Audits

17. Bill Condo / @mavrck
Secure your Environment
• Leave your cheap web host (BlueHost, GoDaddy, etc) and go to a Virtual
Private Server (VPS) such as Digital Ocean, Linode, Rackspace, AWS, etc.
You don’t want to share security concerns
with the world.
• Turn of the displaying of errors and debugging info in production, and
redirect them to log files.
• Turn on automatic updates for security patches.
• Turn off broadcasting of service versions and extensions.
• Turn off modules that aren’t required.

18. Bill Condo / @mavrck
Sorry, We’re Not Sharing Security…

19. Bill Condo / @mavrck
Thanks for letting me know…

20. Bill Condo / @mavrck
Secure Your Website
• Sanitize user input. Always.
• Escape and sanitize database queries. Better yet, use an established
package for prepared statements.
• Store sensitive data outside of the webroot with proper permissions.
• SSL where possible.
• Sandbox user uploads and treat with suspicion.

21. Bill Condo / @mavrck
Establish Audits
• Black Box: Security/Vulnerability Scanners, Penetration Tests
• White Box: Source Code Analyzers, Code Tests
• Password Testing

22. Bill Condo / @mavrck
More Security Info
• http://www.webappsec.org
• http://www.owasp.org

23. Bill Condo / @mavrck
Stretch.
Last minute bucket. We’re in overtime.

24. Bill Condo / @mavrck
Bonus: Password Security
• Terminology
• Landscape/Problems
• Best Practices
• Getting Policy Buy-in

25. Bill Condo / @mavrck
Password Terminology
• Encrypting - The process of encoding messages or information in
such a way that only authorized parties can read it*. Encryption
typically involves a private key and can be performed two way.
• Hashing - Password hashing is a one way conversion of an input into
a representative string. (i.e. nothing = 4fhk348fhsk48rfk4d3)
• Salting - A unique string of characters (hopefully per user) that helps
keep the password hashes different for users that have the same
password.
*http://en.wikipedia.org/wiki/Encryption

26. Bill Condo / @mavrck
• Entropy (Strength) - A measure of the uncertainty associated with a
random variable. (i.e. Password Strength)
• Rainbow Tables - Pre-calculated lookup values that match a string
with a value for a known encrypted algorithm.

27. Bill Condo / @mavrck
http://xkcd.com/936/

28. Bill Condo / @mavrck
Problems

29. Bill Condo / @mavrck
State of Passwords
• Most people share between sites
• Most people don’t use secure passwords
• Secure passwords, with high entropy are impossible to remember
• Most people don’t use a password manager

30. Bill Condo / @mavrck
Lack of Transparency
• Web Apps & Sites don’t disclosure their password policies,
encryption strength, and their isn’t a standard body to police who’s
following best practices and who’s being risky.
• Users often don’t find out what data was compromised from an
attack, and frequently don’t find out about an breach at all until it
reaches the news cycle.

31. Bill Condo / @mavrck
Forgotten Trail
• With e-commerce, we often have to create an account, provide
payment details, and then may never shop there again. However, the
data persists.
• Users typically don’t keep a master list of sites they have an account
on, or have purchased from. Each account can act as a nugget of
knowledge, slowly building up to enough data for concern.

32. Bill Condo / @mavrck
Best Practices
Worst Practices

33. Bill Condo / @mavrck
Don’t help the enemy
• Don’t: Policies that enforce things such as “first character must by
upper case” and “must end in a special character”. Allows masking.
• Don’t: To an extent, disclosing the minimum requirements for lower
case, upper case, numeric, and special characters.

34. Bill Condo / @mavrck
Garbage in, garbage out
• Don’t: Having no password policy at all.
• Don’t: Allowing common passwords like ‘password’, ‘123456’.
• Don’t: Allowing common dictionary words.

35. Bill Condo / @mavrck
Getting Policy Buy-in

36. Bill Condo / @mavrck
#1 Prevent PR Issues

37. Bill Condo / @mavrck
#2 Cost vs Risk
• Doing security correctly is less expensive upfront. The opportunity
cost is minimal compared the reduction in risk.
Cost * Risk = Likelihood Cost
• What does it cost to cleanup the mess: reset the passwords, scan
the servers, added support calls/requests, etc…

38. Bill Condo / @mavrck
#3 Predictability
• Help project/business managers in being able to minimize
unexpected security response events.
• Better understand how your week is going to go.

39. Bill Condo / @mavrck

40. Bill Condo / @mavrck
My Ask of You
• If you found this information useful, I ask two things of you:
• Follow me Twitter for development tips: @mavrck
• Back the Salt Mines Device Lab fundraiser for $1+:
http://igg.me/p/728005
• Also, we’re hiring at LMG. Grab a card if you’re currently
not next to your boss (otherwise email bill@lmgresults.com).

41. Bill Condo / @mavrck
Roaring Applause Here.
Thanks for your time.