
Is it good to be paranoid ?

2,217 views


Introduction to web security
Tech Talk @ Georgia Tech
9 March 2011


  1. Is it good to be paranoid?
     Introduction to web security
     Tech talk @ Georgia Tech, March 2011
  2. Subramanyan Murali
     Yahoo
     Mail Engineer
     Hacker, Photographer, Traveler
     @rmsguhan
  3. par·a·noi·a
     n. paranoia [pӕrəˈnoiə]
     a type of mental illness in which a person has fixed & unreasonable ideas that he/she is very important, or that other people are being unfair or unfriendly to him/her
  4. In Yahoo!, they are just people who care a lot about web security.
  5. Q. What is the problem?
  6. Spammers want to do cheap advertising & unsolicited marketing.
  7. Phishers want to steal user identity for personal benefit.
  8. Crackers want to break into your systems & profit.
  9. Jokers just want to watch the world burn.
  10. "It's necessary to build an application that is user friendly, high performing, accessible and secure, all while executing partially in an un-trusted environment that you, the developer, have no control over"
      - Philip Tellis, Yahoo! Paranoid
      http://www.smashingmagazine.com/author/philip-tellis/
  11. A tech-savvy user may be aware ...
  12. ... but to some, cookies are still made of dough & chocolate chips.
  13. A. Keep it simple for normal users. Make it hard for users with evil intentions.
  14. Users have a lot of trust in the web & share a lot of information.
  15. Every attack is unique & exploits a weakness.
  16. Types of web attacks
      Phishing & spamming
      Scamming
      Code injection
      Forgery & spoofing
  17. Cross-Site (X) Scripting
  18. XSS
      Filter all input that you are going to save.
      Be aware of the data you are saving:
      URL fields should save only URLs.
      Number fields should save only numbers.
      Never open up your site based purely on trust.
  19. SQL / Shell Injection
  20. http://xkcd.com/327/
  21. <?php
      $user = $_GET['user'];
      $message = $_GET['message'];
      // Deliberately vulnerable, as on the slide: the request parameters are
      // interpolated straight into the SQL string, so a quote in either value
      // changes the statement (see the next slide).
      function save_message($user, $message) {
          $sql = "INSERT INTO Messages (
                    user, message
                  ) VALUES (
                    '$user', '$message'
                  )";
          return mysql_query($sql);
      }
      ?>
  22. test');DROP TABLE Messages;
      test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …
  23. Cross-Site Request Forgery
  24. <img src="http://www.mybiz.com/post_message?message=Cheap+medicine+at+http://evil.com/" style="position:absolute;left:-999em;">
  25. <iframe name="pharma" style="display:none;"></iframe>
      <form id="pform" action="http://www.mybiz.com/post_message" method="POST" target="pharma">
        <input type="hidden" name="message" value="Cheap medicine at ...">
      </form>
      <script>document.getElementById('pform').submit();</script>
  26. Issue a unique token / crumb that only your server would know for that session. Check if the posted data has that token.
  27. For normal posts, use a time-bound token:
      <?php
      // $secret and $user are passed in explicitly; on the slide they were
      // referenced inside the function without being in scope.
      function get_nonce($secret, $user) {
          return md5($secret . ":" . $user . ":" . ceil(time()/86400));
      }
      ?>
      For more sensitive posts, use a token that is stored in the user session.
  28. Click-jacking: http://erickerr.com/like-clickjacking
  29. Tab-jacking: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
  30. New secure technology does not guarantee a secure application.
  31. As developers, we need to be cautious.
  32. Resources
      http://www.owasp.org/index.php/Main_Page
      http://kilimanjaro.dk/blog/
      http://www.smashingmagazine.com/author/philip-tellis/
      http://code.google.com/edu/security/index.htm
      http://www.slideshare.net/joewalker/web-app-security
      http://www.slideshare.net/shiflett/evolution-of-web-security
      http://www.slideshare.net/txaypanya/owasp-top10-2010
  33. Be paranoid, be smart. Thank you!
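The following is an added example, not code from the talk or from Yahoo!: it puts the fixes the slides call for next to each other, in one PHP 7+ file. It hardens the `save_message()` of slide 21 with a prepared statement, rebuilds the crumb of slides 26/27 around an HMAC with a constant-time check, adds the session-stored token the slide recommends for sensitive posts, and escapes on output for the XSS point on slide 18. The table and column names come from slide 21; the `crumb` field name, the `PDO` connection (assumed to be in exception mode), and a session that already holds `$_SESSION['user']` are assumptions for the example.

```php
<?php
// Added example (not from the slides). Assumes a PDO handle opened with
// PDO::ERRMODE_EXCEPTION and a session in which $_SESSION['user'] is set.

// --- SQL injection (slide 21): bind values instead of interpolating them ---
function save_message(PDO $db, string $user, string $message): bool
{
    // Placeholders travel to the database separately from the data, so a
    // message such as "test');DROP TABLE Messages;" is stored as plain text.
    $stmt = $db->prepare(
        'INSERT INTO Messages (user, message) VALUES (:user, :message)'
    );
    return $stmt->execute([':user' => $user, ':message' => $message]);
}

// --- Time-bound crumb (slides 26/27): keyed with a server secret, per user ---
function get_nonce(string $secret, string $user, ?int $now = null): string
{
    $now = $now ?? time();
    $day = (int) ceil($now / 86400);   // rotates once a day, as on slide 27
    // HMAC instead of md5(secret . ...): the secret is a key, not part of the data.
    return hash_hmac('sha256', $user . ':' . $day, $secret);
}

function check_nonce(string $secret, string $user, string $token): bool
{
    // Accept the current and the previous day's crumb so a form loaded just
    // before the rollover still submits; hash_equals() is constant-time.
    $now = time();
    foreach ([$now, $now - 86400] as $t) {
        if (hash_equals(get_nonce($secret, $user, $t), $token)) {
            return true;
        }
    }
    return false;
}

// --- Session-stored token (slide 27, "more sensitive posts") ---
function session_token(): string
{
    if (empty($_SESSION['crumb'])) {
        $_SESSION['crumb'] = bin2hex(random_bytes(32));   // 256 bits of CSPRNG output
    }
    return $_SESSION['crumb'];
}

function check_session_token(string $token): bool
{
    return isset($_SESSION['crumb']) && hash_equals($_SESSION['crumb'], $token);
}

// --- The post_message endpoint targeted on slides 24/25, with the checks ---
function handle_post_message(PDO $db, string $secret): string
{
    session_start();
    if (!isset($_SESSION['user'])) {
        http_response_code(401);
        return 'login required';
    }
    $user = $_SESSION['user'];

    // Neither forged request from the slides carries a valid crumb: the <img>
    // GET has none at all, and the hidden <form> POST cannot compute one
    // without $secret. Both are rejected before anything is written.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isset($_POST['crumb'], $_POST['message'])
        || !check_nonce($secret, $user, $_POST['crumb'])) {
        http_response_code(403);
        return 'bad or missing crumb';
    }

    save_message($db, $user, $_POST['message']);
    return 'ok';
}

// The legitimate form embeds the crumb as a hidden field.
function render_form(string $secret, string $user): string
{
    $crumb = htmlspecialchars(get_nonce($secret, $user), ENT_QUOTES, 'UTF-8');
    return '<form method="POST" action="/post_message">'
         . '<input type="hidden" name="crumb" value="' . $crumb . '">'
         . '<textarea name="message"></textarea>'
         . '<button>Post</button></form>';
}

// --- XSS (slide 18): whatever was filtered on input, encode again on output ---
function render_message(string $message): string
{
    return '<p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

The crumb check has to run on the server before the write, and the token has to be tied to both the logged-in user and a secret the browser never sees; a token that is merely present in the page is something any cross-site form can copy. For the session-stored variant, swap `check_nonce()` for `check_session_token()` in `handle_post_message()` and emit `session_token()` from the form instead.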
