Web Security
By David Haskins
Hashing and Encryption
• Types of hashes:
– md5 (generally considered compromised)
– SHA-1, SHA-2, SHA-3
– LANMAN (definitely compromised)
Hashing and Encryption
• Hash of "hello Memphis PHP meetup group!":
– a52cc137d1f59dc9265c59751cd3e624
• Hash of "1":
– c4ca4238a0b923820dcc509a6f75849b
• Hash of "10":
– d3d9446802a44259755d38e6d163e820
Hashing and Encryption
Properties of hashes:
• can be used to identify changes to data.
• are considered one-way:
md5("my_string_here"); // exists
unmd5("535f8bd2e548ffed92027c53d5a24b56"); // doesn't exist
Hashing and Encryption
Encryption is reversible. Encryption requires a key to
decrypt.
Symmetric versus asymmetric key cryptography.
Symmetric would work like:
$key = 'secret';
$msg = encrypt("hidden message", $key);
echo decrypt($msg, $key);
Hashing and Encryption
The problem:
How do you get the key to someone over
the internet without some 12-year old hacker
reading it?
Hashing and Encryption
Asymmetric would work like:
$encrypt_key = 'key_123';
$decrypt_key = 'key_456';
$msg = encrypt("hidden message", $encrypt_key);
echo decrypt($msg, $decrypt_key);
Hashing and Encryption
The point to remember is that decrypting with the wrong key, here the encryption key, produces gibberish:
echo decrypt($msg, $encrypt_key);
Hashing and Encryption
In public key cryptography, there exist two keys:
- a public key
- a private key
One is used for encryption, the other is used for
decryption.
The whole reason this stuff works is because I can
encrypt a message with a public key, but it can only
be decrypted with a private key.
Hashing and Encryption
Small problem:
Asymmetric cryptography is slow.
Solution:
Use asymmetric cryptography to share a
symmetric key. Then use symmetric
cryptography.
HTTPS
User <-> Amazon server
• User: send connection request on port 443.
• Amazon server: send public key.
• The browser generates a symmetric key, encrypts it with Amazon's public key and sends it to Amazon.
• Amazon decrypts the symmetric key with Amazon's private key and sends the response encrypted with the symmetric key.
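The exchange above as an added PHP example (not code from the original slides), using the OpenSSL extension: RSA-OAEP transports a random AES-256 key, and AES-256-GCM then carries the traffic. Real TLS negotiates the key through a certificate-authenticated handshake with ephemeral Diffie-Hellman rather than encrypting it with the server's RSA key; this only shows the hybrid pattern the slides describe.

```php
<?php
// Added example: hybrid encryption in the pattern of the HTTPS slides.
// Requires the openssl extension.

// "Amazon": generate an RSA key pair once. The public half is what the server sends;
// the private half never leaves the server.
$serverKeyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($serverKeyPair === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$serverPublicKeyPem = openssl_pkey_get_details($serverKeyPair)['key'];

// "Browser": pick a random symmetric key and encrypt it with the server's public key.
$sessionKey = random_bytes(32);                     // AES-256 key
$wrappedKey = '';
if (!openssl_public_encrypt($sessionKey, $wrappedKey, $serverPublicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('key wrap failed: ' . openssl_error_string());
}

// "Amazon": recover the symmetric key. Only the private key can do this.
$unwrappedKey = '';
if (!openssl_private_decrypt($wrappedKey, $unwrappedKey, $serverKeyPair, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('key unwrap failed: ' . openssl_error_string());
}

// From here both sides use fast symmetric cryptography. AES-GCM also authenticates the
// ciphertext, so a wrong key fails the tag check instead of producing gibberish.
function sealMessage(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);                      // fresh per message; never reuse with the same key
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $nonce . $tag . $ciphertext;             // nonce (12) || tag (16) || ciphertext
}

function openMessage(string $blob, string $key): ?string
{
    if (strlen($blob) < 28) {
        return null;                                // too short to hold nonce and tag
    }
    $nonce = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ciphertext = substr($blob, 28);
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $plaintext === false ? null : $plaintext; // null on wrong key or tampered data
}

// The server answers under the shared key; the browser reads it with its own copy.
$response = sealMessage('Your order has shipped.', $unwrappedKey);
var_dump(hash_equals($sessionKey, $unwrappedKey));   // both sides hold the same key
var_dump(openMessage($response, $sessionKey));        // the browser recovers the plaintext
var_dump(openMessage($response, random_bytes(32)));   // a wrong key fails authentication, nothing is returned
```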
Hashes and Salting
Remember hashes?
They work like one-way encryption.
$string = '1';
echo md5($string);
// outputs c4ca4238a0b923820dcc509a6f75849b
Hashes and Salting
We can use this for validating passwords.
Hashes and Salting
The plain-text problem:
$password = $_POST['password'];
$user = $_POST['user'];
$query = "select id from user where password = '$password' and userName = '$user'";

ID  UserName   Password
1   cypherTXT  l3m0ns
2   fred       password123
3   david_TN   m3mph!$
4   sallyW     omgPonies!
5   agent_007  1337h4x0r
Hashes and Salting
Store the hash of the password instead of the plain-text:
$password = md5($_POST['password']);
$user = $_POST['user'];
$query = "select id from user where password = '$password' and userName = '$user'";

ID  UserName   Password
1   cypherTXT  cf5712b00855500691cff0e4b0566c68
2   fred       482c811da5d5b4bc6d497ffa98491e38
3   david_TN   f145a55e591e1c6ed235ce456a5166f7
4   sallyW     e2c29e21e004f9e71ef9db780884ede1
5   agent_007  81d3ebd158986fbdd6bd47177312c026
Hashes and Salting
Rainbow tables
plain text          hash
a                   0cc175b9c0f1b6a831c399e269772661
b                   92eb5ffee6ae2fec3ad71c777531578f
c                   4a8a08f09d37b73795649038408b5f33
…                   …
aa                  4124bc0a9335c27f086f24ba207a4912
ab                  187ef4436122d1cc2f40dc2b92f0eba0
ac                  e2075474294983e013ee4dd2201c7a73
…                   …
zzzzzzzzzzzzzzzzzz  0d057201bcd27c92eaa9efc6a9ce08f0
Hashes and Salting
Place a "salt" in the code.
$salt = 's3kr3t';
$password = md5($_POST['password'] . $salt);
If the user uses "password123", the string that gets hashed becomes "password123s3kr3t", which is much more complex.
$query = "select id from user where password = '$password' and user = '$user'";
Hashes and Salting
Store the hash of the password and a unique salt:
$password = md5($_POST['password'] . $salt);
$user = $_POST['user'];
$query = "select id from user where password = '$password' and userName = '$user'";

ID  UserName   Password                          Salt
1   cypherTXT  cf5712b00855500691cff0e4b0566c68  bawex
2   fred       482c811da5d5b4bc6d497ffa98491e38  msefz
3   david_TN   f145a55e591e1c6ed235ce456a5166f7  juftv
4   sallyW     e2c29e21e004f9e71ef9db780884ede1  irqhj
5   agent_007  81d3ebd158986fbdd6bd47177312c026  coowo
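Per-user salts worked through end to end, as an added example (not the slides' code): the "user table" is a constructed in-memory array standing in for the database, and sha256 is used in place of md5 with the same password-then-salt construction.

```php
<?php
// Added example: per-user salts, looked up by user name before the hash is recomputed.
// The "user table" is a constructed in-memory array standing in for the database.

const SALT_BYTES = 16;

// Registration: a fresh random salt for each user. A salt fixed in the code is shared by every
// user, so two users with the same password would still get the same hash.
function registerUser(array &$users, string $userName, string $password): void
{
    $salt = bin2hex(random_bytes(SALT_BYTES));
    $users[$userName] = [
        'salt' => $salt,
        'hash' => hash('sha256', $password . $salt),   // same construction as the slide, sha256 instead of md5
    ];
}

// Login: fetch the stored salt for this user, recompute, compare in constant time.
// A SELECT-by-hash query cannot work with per-user salts, because the salt is not
// known until the user's row has been read.
function verifyUser(array $users, string $userName, string $password): bool
{
    if (!isset($users[$userName])) {
        // Do the same amount of work for an unknown user so timing does not reveal valid names.
        hash('sha256', $password . str_repeat('0', SALT_BYTES * 2));
        return false;
    }
    $record = $users[$userName];
    $candidate = hash('sha256', $password . $record['salt']);
    return hash_equals($record['hash'], $candidate);
}

$users = [];
registerUser($users, 'fred', 'password123');
registerUser($users, 'sallyW', 'password123');

// Same password, different salts: the hashes differ, so one precomputed table cannot cover both.
var_dump($users['fred']['hash'] !== $users['sallyW']['hash']);
var_dump(verifyUser($users, 'fred', 'password123'));
var_dump(verifyUser($users, 'fred', 'Password123'));
var_dump(verifyUser($users, 'nobody', 'password123'));

// For new code, let PHP generate the salt and use a deliberately slow hash (bcrypt by default):
$stored = password_hash('password123', PASSWORD_DEFAULT);
var_dump(password_verify('password123', $stored));
```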
SQL injection
$password = $_POST['password'];
$id = $_SESSION['id'];
$query = "update user set password = '$password' where id = $id";
SQL injection
// assume $password = 'secret_password';
// assume $id = 7;
$query = "update user set password = '$password' where id = $id";
Sent to the database:
update user set
password = 'secret_password'
where id = 7
SQL injection
// assume the submitted value is secret_password'-- so $password = "secret_password'--";
// assume $id = 7;
$query = "update user set password = '$password' where id = $id";
Sent to the database:
update user set
password = 'secret_password'
--' where id = 7
SQL injection
// wrong solution: escape the quote by hand
$password = str_replace("'", "\\'", $password);
$query = "update user set password = '$password' where id = $id";
Depending on the web server's character encoding and the database's encoding, you may still be vulnerable.
SQL injection
// correct solution: use prepared statements
$query = "update user set password = ? where id = ?";
$stmt = $dbh->prepare($query);
$stmt->bindParam(1, $password);
$stmt->bindParam(2, $id);
$stmt->execute();
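The slide's UPDATE run both ways with the value from the injection slide, as an added example (not the slides' code) against an in-memory SQLite database through PDO; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: the slide's UPDATE built by string interpolation and with a prepared statement,
// run against an in-memory SQLite database (assumes the pdo_sqlite extension is available).

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, userName TEXT, password TEXT)');
$dbh->exec("INSERT INTO user VALUES (7, 'fred', 'old'), (8, 'sallyW', 'old')");

// The value from the slide: it closes the string literal and turns the rest of the statement into a comment.
$password = "secret_password'--";
$id = 7;

// Vulnerable: the value becomes part of the SQL text. Returns that text so the reader can see
// what the database received.
function updateUnsafe(PDO $dbh, string $password, int $id): string
{
    $query = "update user set password = '$password' where id = $id";
    $dbh->exec($query);
    return $query;
}

// Correct: placeholders. The value travels separately from the SQL text, so the quote and the "--"
// are stored as ordinary characters and the WHERE clause stays intact.
function updateSafe(PDO $dbh, string $password, int $id): void
{
    $stmt = $dbh->prepare('update user set password = ? where id = ?');
    $stmt->bindValue(1, $password, PDO::PARAM_STR);
    $stmt->bindValue(2, $id, PDO::PARAM_INT);
    $stmt->execute();
}

function storedPasswords(PDO $dbh): array
{
    return $dbh->query('select id, password from user order by id')->fetchAll(PDO::FETCH_KEY_PAIR);
}

echo updateUnsafe($dbh, $password, $id), PHP_EOL;
print_r(storedPasswords($dbh));   // every row changed: the WHERE clause was commented out

$dbh->exec("UPDATE user SET password = 'old'");
updateSafe($dbh, $password, $id);
print_r(storedPasswords($dbh));   // only id 7 changed, and it holds the literal text secret_password'--
```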
Command injection
function safe_query($query){
  $database = "ABC_DB";
  $username = 'IDEF42';
  $password = 'JKLM873';
  $destination = "localhost";
  // connect (the mysql_* functions are the PHP 5-era API; they were removed in PHP 7)
  mysql_connect($destination, $username, $password) or die("Unable to connect to database: " . mysql_error());
  // choose database
  mysql_select_db($database) or die("Unable to select database [$database]: " . mysql_error());
  // submit query
  $result = mysql_query($query) or die("Unable to modify database [$database]: " . mysql_error());
  return $result;
}
Command injection
function safe_query($query){
  shell_exec("echo $query >> record_queries.txt");   // logs every query through a shell
  $database = "ABC_DB";
  $username = 'IDEF42';
  $password = 'JKLM873';
  $destination = "localhost";
  // connect
  mysql_connect($destination, $username, $password) or die("Unable to connect to database: " . mysql_error());
  // choose database
  mysql_select_db($database) or die("Unable to select database [$database]: " . mysql_error());
  // submit query
  $result = mysql_query($query) or die("Unable to modify database [$database]: " . mysql_error());
  return $result;
}
Command injection
Assume $query:
select * from article where id = 7; cp /backup/*.tgz .;
function safe_query($query){
shell_exec("echo $query >> record_queries.txt");
…blah, blah, blah…
return $result;
}
Command injection
Another interesting option:
Assume $query:
select * from article where id = 7; rm -rf /;
function safe_query($query){
shell_exec("echo $query >> record_queries.txt");
…blah, blah, blah…
return $result;
}
Command injection
Solution to preventing command injection:
DON’T ALLOW SHELL ACCESS IN YOUR CODE
Command injection
If you're going to do it anyway, use escapeshellcmd().
$code_that_will_get_me_fired = escapeshellcmd($query);
shell_exec("echo $code_that_will_get_me_fired >> record_queries.txt");
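The query log done without a shell, plus what argument quoting looks like if a shell really is unavoidable, as an added example (not the slides' code). record_queries.txt is the file name from the slides; placing it in the temp directory is an assumption.

```php
<?php
// Added example: record queries without ever touching a shell, plus what escapeshellarg() does
// if a shell command really is unavoidable. record_queries.txt is the file name from the slides;
// the temp-directory location is an assumption.

define('QUERY_LOG', sys_get_temp_dir() . '/record_queries.txt');

// The slide's query string, with its trailing shell command still attached.
$query = 'select * from article where id = 7; cp /backup/*.tgz .;';

// Preferred: no shell. PHP appends to the file itself, so nothing in $query is parsed as a command.
function recordQuery(string $query): void
{
    // one line per query; strip newlines so a query cannot forge extra log entries
    $line = date('c') . ' ' . str_replace(["\r", "\n"], ' ', $query) . PHP_EOL;
    if (file_put_contents(QUERY_LOG, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('could not write ' . QUERY_LOG);
    }
}

// If a shell really is needed: quote each *argument* with escapeshellarg(). escapeshellcmd(), which
// the slide suggests, escapes metacharacters across the whole command line but does not quote the
// value, so a value containing spaces still splits into several arguments.
function buildLogCommand(string $query): string
{
    return 'echo ' . escapeshellarg($query) . ' >> ' . escapeshellarg(QUERY_LOG);
}

recordQuery($query);
echo file_get_contents(QUERY_LOG);
// Inside the single quotes that escapeshellarg() adds, the ';' and 'cp' are plain text for echo.
echo buildLogCommand($query), PHP_EOL;
```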
File upload attack
Users can upload images (.jpg, .gif, .bmp, etc).
File upload attack
Make sure users can't upload .php, .pl, .asp, etc. files.
Use a whitelist, rather than a blacklist, to enforce this control.
The upload directory shouldn't have any execute permissions.
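The three controls above in one upload handler, as an added example (not the slides' code). It assumes a form field named "image" and an upload directory outside the document root; both are assumptions.

```php
<?php
// Added example: whitelist-based handling of an image upload. Assumes a form field named "image"
// and an upload directory outside the document root; both are assumptions, not from the slides.

define('UPLOAD_DIR', '/var/app-data/uploads');   // outside the web root: nothing here is served or run as a script
const MAX_BYTES = 2 * 1024 * 1024;
// Whitelist: extension => the MIME type the file content must actually have.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

// Validates one entry of $_FILES and stores it under a generated name. Returns the stored name.
function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('file too large or not an uploaded file');
    }

    // 1. Whitelist the extension; anything not listed (.php, .pl, .asp, .phtml, ...) is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }

    // 2. Check the content, not the client-supplied $file['type'] (the browser can send anything there).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext] || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('content is not a ' . $ext . ' image');
    }

    // 3. Never reuse the client's file name: a generated name carries no path characters and no
    //    second extension, so the web server's handler mapping cannot be confused by it.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);   // readable, never executable (the slide's "no execute permissions")
    return $stored;
}

// In the request handler:
// $name = storeImageUpload($_FILES['image']);
// Serve the image back through a script that sets Content-Type from ALLOWED_IMAGES, or from a static-only location.
```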

Mais conteúdo relacionado

Mais procurados

주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Emil Bay "Password Hashing"
Emil Bay "Password Hashing"Emil Bay "Password Hashing"
Emil Bay "Password Hashing"Fwdays
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses  - DefCamp 2012Top Ten Web Defenses  - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012DefCamp
 
Cryptography for the mere mortals
Cryptography for the mere mortalsCryptography for the mere mortals
Cryptography for the mere mortalsM A Hossain Tonu
 
Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Damien Seguy
 
WordPress Cuztom Helper
WordPress Cuztom HelperWordPress Cuztom Helper
WordPress Cuztom Helperslicejack
 
JWT - To authentication and beyond!
JWT - To authentication and beyond!JWT - To authentication and beyond!
JWT - To authentication and beyond!Luís Cobucci
 
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014Cliff Seal
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Colin O'Dell
 
Mysqlnd Async Ipc2008
Mysqlnd Async Ipc2008Mysqlnd Async Ipc2008
Mysqlnd Async Ipc2008Ulf Wendel
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Remy Sharp
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Balázs Tatár
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVCAlive Kuo
 

Mais procurados (20)

주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Nubilus Perl
Nubilus PerlNubilus Perl
Nubilus Perl
 
Emil Bay "Password Hashing"
Emil Bay "Password Hashing"Emil Bay "Password Hashing"
Emil Bay "Password Hashing"
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses  - DefCamp 2012Top Ten Web Defenses  - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012
 
Cryptography for the mere mortals
Cryptography for the mere mortalsCryptography for the mere mortals
Cryptography for the mere mortals
 
DNSSEC FIRST
DNSSEC FIRSTDNSSEC FIRST
DNSSEC FIRST
 
Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)
 
Living with garbage
Living with garbageLiving with garbage
Living with garbage
 
Insertcustomer
InsertcustomerInsertcustomer
Insertcustomer
 
WordPress Cuztom Helper
WordPress Cuztom HelperWordPress Cuztom Helper
WordPress Cuztom Helper
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
JWT - To authentication and beyond!
JWT - To authentication and beyond!JWT - To authentication and beyond!
JWT - To authentication and beyond!
 
Solr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene EuroconSolr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene Eurocon
 
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
Temporary Cache Assistance (Transients API): WordCamp Birmingham 2014
 
Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016Hacking Your Way To Better Security - php[tek] 2016
Hacking Your Way To Better Security - php[tek] 2016
 
Mysqlnd Async Ipc2008
Mysqlnd Async Ipc2008Mysqlnd Async Ipc2008
Mysqlnd Async Ipc2008
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019
 
Cod
CodCod
Cod
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC
 

Destaque (6)

Togaf v9-m2-togaf9-components
Togaf v9-m2-togaf9-componentsTogaf v9-m2-togaf9-components
Togaf v9-m2-togaf9-components
 
Unit testing
Unit testingUnit testing
Unit testing
 
Agile development
Agile developmentAgile development
Agile development
 
Togaf v9-m3-intro-adm
Togaf v9-m3-intro-admTogaf v9-m3-intro-adm
Togaf v9-m3-intro-adm
 
Quatorze juillet
Quatorze juilletQuatorze juillet
Quatorze juillet
 
Scan
ScanScan
Scan
 

Semelhante a Web security

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?ConFoo
 
Preventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StancePreventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StanceSara Goodison
 
Third Party Auth in WebObjects
Third Party Auth in WebObjectsThird Party Auth in WebObjects
Third Party Auth in WebObjectsWO Community
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebookguoqing75
 
Facebook的缓存系统
Facebook的缓存系统Facebook的缓存系统
Facebook的缓存系统yiditushe
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinTobias Zander
 
Service discovery and configuration provisioning
Service discovery and configuration provisioningService discovery and configuration provisioning
Service discovery and configuration provisioningSource Ministry
 
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuCryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuHasin Hayder
 

Semelhante a Web security (20)

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?
 
Preventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security StancePreventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security Stance
 
Third Party Auth in WebObjects
Third Party Auth in WebObjectsThird Party Auth in WebObjects
Third Party Auth in WebObjects
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook4069180 Caching Performance Lessons From Facebook
4069180 Caching Performance Lessons From Facebook
 
Facebook的缓存系统
Facebook的缓存系统Facebook的缓存系统
Facebook的缓存系统
 
veracruz
veracruzveracruz
veracruz
 
veracruz
veracruzveracruz
veracruz
 
veracruz
veracruzveracruz
veracruz
 
veracruz
veracruzveracruz
veracruz
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in Berlin
 
Service discovery and configuration provisioning
Service discovery and configuration provisioningService discovery and configuration provisioning
Service discovery and configuration provisioning
 
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuCryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
 

Último

ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxPoojaSen20
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 

Último (20)

ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 

Web security

  • 2. Hashing and Encryption • Types of hashes: – md5 (generally considered compromised) – SHA-1, SHA-2, SHA-3 – LANMAN (definitely compromised)
  • 3. Hashing and Encryption • Hash of "hello Memphis PHP meetup group!": – a52cc137d1f59dc9265c59751cd3e624 • Hash of "1": – c4ca4238a0b923820dcc509a6f75849b • Hash of "10": – d3d9446802a44259755d38e6d163e820
  • 4. Hashing and Encryption Properties of hashes: can be used to identify changes to data. are considered one-way: md5("my_string_here"); //exists unmd5("535f8bd2e548ffed92027c53d5a24b56"); //doesn't exist
  • 5. Hashing and Encryption Encryption is reversible. Encryption requires a key to decrypt. Symmetric versus asymmetric key cryptography. Symmetric would work like: $key = 'secret'; $msg = encrypt("hidden message", $key); echo decrypt($msg, $key);
  • 6. Hashing and Encryption The problem: How do you get the key to someone over the internet without some 12-year old hacker reading it?
  • 7. Hashing and Encryption Asymmetric would work like: $encrypt_key = 'key_123'; $decrypt_key = 'key_456'; $msg = encrypt(“hidden message”, $encrypt_key); echo decrypt($msg, $decrypt_key);
  • 8. Hashing and Encryption Asymmetric would be like: The point to remember, is that this will produce gibberish: echo decrypt($msg, $encrypt_key);
  • 9. Hashing and Encryption In public key cryptography, there exist two keys: - a public key - a private key One is used for encryption, the other is used for decryption. The whole reason this stuff works is because I can encrypt a message with a public key, but it can only be decrypted with a private key.
  • 10. Hashing and Encryption Small problem: Asymmetric cryptography is slow.
  • 11. Hashing and Encryption Small problem: Asymmetric cryptography is slow. Solution: Use asymmetric cryptography to share a symmetric key. Then use symmetric cryptography.
  • 14. HTTPS User Amazon server Send connection request on port 443 Send public key
  • 15. HTTPS User Amazon server Send connection request on port 443 Send public key The browser generates a symmetric key, encrypts it with Amazon's public key and sends it to Amazon.
  • 16. HTTPS User Amazon server Send connection request on port 443 Send public key The browser generates a symmetric key, encrypts it with Amazon's public key and sends it to Amazon. Amazon decrypts symmetric key with Amazon's private key and sends response encrypted with symmetric key.
  • 17.
  • 18. Hashes and Salting Remember hashes? They work like one-way encryption. $string = '1'; echo md5($string); //outputs 4ca4238a0b923820dcc509a6f75849b
  • 19. Hashes and Salting We can use this for validating passwords.
  • 20. Hashes and Salting The plain-text problem: $password = $_POST['password']; $user = $_POST['user']; $query = "select id from user where password = '$password' and userName = '$user'"; ID UserName Password 1 cypherTXT l3m0ns 2 fred password123 3 david_TN m3mph!$ 4 sallyW omgPonies! 5 agent_007 1337h4x0r
  • 21. Hashes and Salting Store the hash of the password instead of the plain-text: $password = md5($_POST['password']); $user = $_POST['user']; $query = "select id from user where password = '$password' and userName = '$user'"; ID UserName Password 1 cypherTXT cf5712b00855500691cff0e4b0566c68 2 fred 482c811da5d5b4bc6d497ffa98491e38 3 david_TN f145a55e591e1c6ed235ce456a5166f7 4 sallyW e2c29e21e004f9e71ef9db780884ede1 5 agent_007 81d3ebd158986fbdd6bd47177312c026
  • 22. Hashes and Salting Rainbow tables plain text hash a 0cc175b9c0f1b6a831c399e269772661 b 92eb5ffee6ae2fec3ad71c777531578f c 4a8a08f09d37b73795649038408b5f33 … … aa 4124bc0a9335c27f086f24ba207a4912 ab 187ef4436122d1cc2f40dc2b92f0eba0 ac e2075474294983e013ee4dd2201c7a73 … … zzzzzzzzzzzzzzzzzz 0d057201bcd27c92eaa9efc6a9ce08f0
  • 23. Hashes and Salting Rainbow tables plain text hash a 0cc175b9c0f1b6a831c399e269772661 b 92eb5ffee6ae2fec3ad71c777531578f c 4a8a08f09d37b73795649038408b5f33 … … aa 4124bc0a9335c27f086f24ba207a4912 ab 187ef4436122d1cc2f40dc2b92f0eba0 ac e2075474294983e013ee4dd2201c7a73 … … zzzzzzzzzzzzzzzzzz 0d057201bcd27c92eaa9efc6a9ce08f0
  • 24. Hashes and Salting Place a "salt" in the code.
    $salt = 's3kr3t';
    $password = md5($_POST['password'] . $salt);
    If the user uses "password123", his password becomes "password123s3kr3t", which is much more complex.
    $query = "select id from user where password = '$password' and user = '$user'";
  • 25. Hashes and Salting Store the hash of the password and a unique salt:
    $password = md5($_POST['password'] . $salt);
    $user = $_POST['user'];
    $query = "select id from user where password = '$password' and userName = '$user'";
    ID  UserName   Password                          Salt
    1   cypherTXT  cf5712b00855500691cff0e4b0566c68  bawex
    2   fred       482c811da5d5b4bc6d497ffa98491e38  msefz
    3   david_TN   f145a55e591e1c6ed235ce456a5166f7  juftv
    4   sallyW     e2c29e21e004f9e71ef9db780884ede1  irqhj
    5   agent_007  81d3ebd158986fbdd6bd47177312c026  coowo
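A per-user salt changes the order of a login: the salt lives in the user's row, so the row must be fetched by userName first and only then can the submitted password be salted and compared. The following is an added example, not code from the slides; build_users, legacy_login and login are hypothetical helpers, and password_hash()/password_verify() (bcrypt, which stores its own salt inside the hash string) is shown as a swapped-in replacement for the slides' md5($password . $salt).

```php
<?php
// Added example, not from the slides: salted login in the order it must run.
// Helper names are hypothetical; the table is constructed in memory.

// Constructed user table with two usernames from slide 20. Real code reads the
// row with a prepared statement instead of building SQL from the password.
function build_users(): array
{
    $users = [];
    foreach (['fred' => 'password123', 'sallyW' => 'omgPonies!'] as $name => $pw) {
        $salt = bin2hex(random_bytes(8));                 // unique per user, as on slide 25
        $users[$name] = [
            'salt'   => $salt,
            'md5'    => md5($pw . $salt),                 // slide 25 style: fast, so still brute-forceable
            'bcrypt' => password_hash($pw, PASSWORD_BCRYPT), // slow hash with the salt embedded
        ];
    }
    return $users;
}

// Slide 25 style, done in the right order: look up the user, read the salt,
// then compare with hash_equals() so the comparison time does not leak anything.
function legacy_login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    $row = $users[$user];
    return hash_equals($row['md5'], md5($password . $row['salt']));
}

// Recommended: password_verify() reads salt and cost out of the stored string,
// so no separate Salt column is needed.
function login(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]['bcrypt']);
}

$users = build_users();
foreach ([['fred', 'password123'], ['fred', 'password124'], ['sallyW', 'omgPonies!'], ['nobody', 'x']] as [$u, $p]) {
    printf("%-8s legacy=%s bcrypt=%s\n", $u,
        legacy_login($users, $u, $p) ? 'ok' : 'reject',
        login($users, $u, $p) ? 'ok' : 'reject');
}
```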
  • 27. SQL injection
    $password = $_POST['password'];
    $id = $_SESSION['id'];
    $query = "update user set password = '$password' where id = $id";
  • 28. SQL injection
    // assume $password = 'secret_password';
    // assume $id = 7;
    $query = "update user set password = '$password' where id = $id";
    Sent to the database: update user set password = 'secret_password' where id = 7
  • 29. SQL injection
    // assume $password = "secret_password' --";
    // assume $id = 7;
    $query = "update user set password = '$password' where id = $id";
    Sent to the database: update user set password = 'secret_password' --' where id = 7
  • 30. SQL injection
    //wrong solution: escape the quotes by hand
    $password = str_replace("'", "\\'", $password);
    $query = "update user set password = '$password' where id = $id";
    Depending on web server encoding and database encoding, you may still be vulnerable.
  • 31. SQL injection
    //correct solution: Use prepared statements
    $query = "update user set password = ? where id = ?";
    $stmt = $dbh->prepare($query);
    $stmt->bindParam(1, $password);
    $stmt->bindParam(2, $id);
    $stmt->execute();
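The slide 29 payload run both ways on an in-memory SQLite table, as an added example rather than code from the slides: string concatenation lets the comment swallow the WHERE clause and every row is updated, while the prepared statement stores the payload as a literal string and touches only row 7. It assumes the pdo_sqlite extension; update_concat and update_prepared are hypothetical names.

```php
<?php
// Added example, not from the slides. Assumes PDO with the sqlite driver.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, userName TEXT, password TEXT)');
$dbh->exec("INSERT INTO user VALUES (7, 'fred', 'old'), (8, 'sally', 'old')");   // constructed rows

// Constructed attacker input from slide 29: closes the string and comments out the rest.
$password = "secret_password' --";
$id = 7;

// Vulnerable (slide 27): the WHERE clause is commented away, so EVERY row changes.
function update_concat(PDO $dbh, string $password, int $id): int
{
    $query = "update user set password = '$password' where id = $id";
    return $dbh->exec($query);           // number of affected rows
}

// Fixed (slide 31): placeholders keep the input as data; only row 7 changes and the
// stored value is the literal text, quote and dashes included.
function update_prepared(PDO $dbh, string $password, int $id): int
{
    $stmt = $dbh->prepare('update user set password = ? where id = ?');
    $stmt->bindValue(1, $password, PDO::PARAM_STR);
    $stmt->bindValue(2, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function stored_passwords(PDO $dbh): array
{
    return $dbh->query('select id, password from user order by id')->fetchAll(PDO::FETCH_KEY_PAIR);
}

echo 'concatenated: ', update_concat($dbh, $password, $id), " row(s) changed\n";
print_r(stored_passwords($dbh));
echo 'prepared:     ', update_prepared($dbh, $password, $id), " row(s) changed\n";
print_r(stored_passwords($dbh));
```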
  • 33. Command injection
    function safe_query($query){
        $database = "ABC_DB";
        $username = 'IDEF42';
        $password = 'JKLM873';
        $destination = "localhost";
        //connect (mysql_* is the legacy extension; it was removed in PHP 7)
        mysql_connect($destination, $username, $password) or die("Unable to connect to database: " . mysql_error());
        //choose database
        mysql_select_db($database) or die("Unable to select database [$database]: " . mysql_error());
        //submit query
        $result = mysql_query($query) or die("Unable to modify database [$database]: " . mysql_error());
        return $result;
    }
  • 34. Command injection
    function safe_query($query){
        //log every query by way of the shell: $query is interpolated straight into a shell command line
        shell_exec("echo $query >> record_queries.txt");
        $database = "ABC_DB";
        $username = 'IDEF42';
        $password = 'JKLM873';
        $destination = "localhost";
        //connect
        mysql_connect($destination, $username, $password) or die("Unable to connect to database: " . mysql_error());
        //choose database
        mysql_select_db($database) or die("Unable to select database [$database]: " . mysql_error());
        //submit query
        $result = mysql_query($query) or die("Unable to modify database [$database]: " . mysql_error());
        return $result;
    }
  • 35. Command injection Assume $query:
    select * from article where id = 7; cp /backup/*.tgz .;
    function safe_query($query){
        shell_exec("echo $query >> record_queries.txt");
        …blah, blah, blah…
        return $result;
    }
  • 37. Command injection Another interesting option: Assume $query:
    select * from article where id = 7; rm -rf /;
    function safe_query($query){
        shell_exec("echo $query >> record_queries.txt");
        …blah, blah, blah…
        return $result;
    }
  • 38. Command injection Solution to preventing command injection:
  • 39. Command injection Solution to preventing command injection: DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE DON’T ALLOW SHELL ACCESS IN YOUR CODE
  • 40. Command injection If you’re going to do it anyway, use escapeshellcmd().
    $code_that_will_get_me_fired = escapeshellcmd($query);
    shell_exec("echo $code_that_will_get_me_fired >> record_queries.txt");
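The logging on slides 34 to 40 does not need a shell at all: appending with file_put_contents() keeps the query as bytes in a file, so the `;` in slide 35 is just text. The block below is an added example, not code from the slides; log_query and shell_safe_echo are hypothetical names, and the second function only builds the command string to show that escapeshellarg() (one quoted argument) is the right tool for an argument, where escapeshellcmd() is meant for a whole command line and still allows extra arguments to be injected.

```php
<?php
// Added example, not from the slides: record queries without spawning /bin/sh.

function log_query(string $query, string $logFile): void
{
    // One record per line; strip CR/LF so a query cannot forge additional log lines.
    $line = str_replace(["\r", "\n"], ' ', $query);
    $written = file_put_contents($logFile, $line . PHP_EOL, FILE_APPEND | LOCK_EX);
    if ($written === false) {
        throw new RuntimeException("cannot write to $logFile");
    }
}

// Only if a shell is truly unavoidable: the query is an ARGUMENT, so quote it as one.
// escapeshellarg() wraps the value in single quotes and escapes embedded ones, so the
// shell passes it to echo as a single word; the ';' never reaches the shell as syntax.
function shell_safe_echo(string $query, string $logFile): string
{
    return 'echo ' . escapeshellarg($query) . ' >> ' . escapeshellarg($logFile);
}

// Constructed input mirroring slide 35.
$malicious = 'select * from article where id = 7; cp /backup/*.tgz .;';
$log = sys_get_temp_dir() . '/record_queries.txt';

log_query($malicious, $log);                       // the file now holds the query verbatim
echo file_get_contents($log);
echo shell_safe_echo($malicious, $log), PHP_EOL;   // shown, not executed
```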
  • 41. File upload attack Users can upload images (.jpg, .gif, .bmp, etc).
  • 42. File upload attack Make sure users can’t upload .php, .pl, .asp, etc. files. Use a whitelist, rather than a blacklist to enforce this control. The uploaded directory shouldn’t have any execute permissions.
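One way to apply the slide 42 controls for an image upload, as an added example that is not code from the slides: the last extension is checked against a whitelist, the file's real content type is sniffed and must match that extension, and the file is stored under a random name with no execute bit. It assumes the file arrives as $_FILES['image'] and that UPLOAD_DIR (a placeholder) is outside the document root and served back through a script rather than executed; store_image is a hypothetical name.

```php
<?php
// Added example, not from the slides. UPLOAD_DIR is a placeholder path.
const UPLOAD_DIR = '/var/app/uploads';   // must NOT be under the web root

// Whitelist: allowed extension -> MIME type the bytes must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

// Returns the server-side filename or throws. The client-supplied name is used only
// to read the extension; nothing the user typed reaches the filesystem.
function store_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Whitelist on the LAST extension; "x.php.jpg" still ends in jpg, which is one
    // reason the upload directory must also be non-executable.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the real content: a ".jpg" containing PHP source is not image/jpeg.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // random name, no path traversal possible
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $name;
}

// Usage inside the upload handler:
// $stored = store_image($_FILES['image']);
```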