Is it good to be paranoid?

Introduction to web security
Tech Talk @ Georgia Tech
9 March 2011

  1. Is it good to be paranoid? Introduction to web security. Tech talk @ Georgia Tech, March 2011
  2. Subramanyan Murali, Yahoo Mail Engineer. Hacker, Photographer, Traveler. @rmsguhan
  3. par·a·noi·a [pӕrəˈnoiə] (n.): a type of mental illness in which a person has fixed & unreasonable ideas that he/she is very important, or that other people are being unfair or unfriendly to him/her
  4. In Yahoo!, they are just people who care a lot about web security
  5. Q. What is the problem?
  6. Spammers want to do cheap advertising & unsolicited marketing
  7. Phishers want to steal user identity for personal benefit
  8. Crackers want to break into your systems & profit
  9. Jokers just want to watch the world burn
  10. “It’s necessary to build an application that is user friendly, high performing, accessible and secure, all while executing partially in an un-trusted environment that you, the developer, have no control over”
      - Philip Tellis, Yahoo! Paranoid, http://www.smashingmagazine.com/author/philip-tellis/
  11. A tech-savvy user may be aware …
  12. … but to some, cookies are still made of dough & chocolate chips
  13. A. Keep it simple for normal users. Make it hard for users with evil intentions
  14. Users have a lot of trust in the web & share a lot of information
  15. Every attack is unique & exploits a weakness
  16. Types of web attacks:
      Phishing & Spamming
      Scamming
      Code Injection
      Forgery & Spoofing
  17. Cross-Site Scripting (XSS)
  18. XSS
      Filter all input that you are going to save
      Be aware of the data you are saving
      A URL field should save only URLs
      A number field should save only numbers
      Never open up your site based purely on trust
  19. SQL / Shell Injection
  20. http://xkcd.com/327/
  21. <?php
      $user = $_GET['user'];
      $message = $_GET['message'];

      function save_message($user, $message) {
          // Vulnerable by design (the point of the slide): the raw request
          // values are interpolated straight into the SQL text
          $sql = "INSERT INTO Messages (user, message)
                  VALUES ('$user', '$message')";
          return mysql_query($sql);
      }
      ?>
  22. test');DROP TABLE Messages;
      test'), ('user2', 'Cheap medicine at ...'), ('user3', 'Cheap medicine at …
  23. Cross-Site Request Forgery
  24. <img src="http://www.mybiz.com/post_message?message=Cheap+medicine+at+http://evil.com/"
           style="position:absolute;left:-999em;">
  25. <iframe name="pharma" style="display:none;"></iframe>
      <form id="pform" action="http://www.mybiz.com/post_message"
            method="POST" target="pharma">
        <input type="hidden" name="message" value="Cheap medicine at ...">
      </form>
      <script>document.getElementById('pform').submit();</script>
  26. Issue a unique token / crumb that only your server would know for that session. Check if the posted data has that token.
  27. For normal posts, use a time-bound token:
      <?php
      // $secret and $user are passed in explicitly: a PHP function does not
      // see globals, so the original one-liner would have hashed empty values
      function get_nonce($secret, $user) {
          return md5($secret . ":" . $user . ":" . ceil(time()/86400));
      }
      ?>
      For more sensitive posts, use a token that is stored in the user session
  28. Click-jacking: http://erickerr.com/like-clickjacking
  29. Tab-jacking: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
  30. New secure technology does not guarantee a secure application
  31. As developers, we need to be cautious
  32. Resources
      http://www.owasp.org/index.php/Main_Page
      http://kilimanjaro.dk/blog/
      http://www.smashingmagazine.com/author/philip-tellis/
      http://code.google.com/edu/security/index.htm
      http://www.slideshare.net/joewalker/web-app-security
      http://www.slideshare.net/shiflett/evolution-of-web-security
      http://www.slideshare.net/txaypanya/owasp-top10-2010
  33. Be paranoid, be smart. Thank you!
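Slide 18 says a URL field should save only URLs and a number field only numbers. The following is an added example, not code from the talk, that does that in Python and adds the half the slide leaves implicit: escaping at render time, which is what actually stops a stored payload from running as HTML. The `http`/`https` scheme whitelist and the `validate()` helper are assumptions of this example, not something the talk specifies.

```python
"""Typed input validation plus output encoding, the two halves of the
advice on slide 18. Added example, not code from the talk."""
import html
import re
from urllib.parse import urlsplit

# Assumption: only absolute http(s) URLs are worth storing. The talk gives
# no scheme list, so this whitelist is ours.
ALLOWED_SCHEMES = {"http", "https"}


def save_url(value):
    """Return the URL if it is an absolute http(s) URL, else raise.

    Rejecting is deliberate: no attempt is made to 'clean' a javascript:
    or data: URL, the field simply does not accept it.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("not a storable URL")
    return parts.geturl()


def save_number(value):
    """Return an int for a plain integer string, else raise."""
    if not re.fullmatch(r"-?\d{1,18}", value.strip()):
        raise ValueError("not a number")
    return int(value.strip())


VALIDATORS = {"url": save_url, "number": save_number}


def validate(kind, value):
    """(True, cleaned_value) or (False, reason); unknown field kinds fail."""
    if kind not in VALIDATORS:
        return False, "unknown field kind"
    try:
        return True, VALIDATORS[kind](value)
    except ValueError as exc:
        return False, str(exc)


def render_message(user, message):
    """Output encoding at render time. Whatever the input filter let
    through is shown as text, not interpreted as HTML."""
    return "<p><b>%s</b>: %s</p>" % (html.escape(user), html.escape(message))


if __name__ == "__main__":
    for kind, raw in [("url", "https://example.com/a?b=1"),
                      ("url", "javascript:alert(1)"),
                      ("number", " 42 "),
                      ("number", "42; DROP TABLE x")]:
        print(kind, repr(raw), "->", validate(kind, raw))
    print(render_message("<script>", 'a & "b"'))
```

Validation and escaping are not interchangeable: the filter decides what the application is willing to store, the escape decides how it is shown, and a site that only does the first is still one forgotten field away from a stored XSS.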
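Slides 21 and 22 show `save_message()` built by string interpolation and the payloads that abuse it. As an added example that is not the talk's code, the function below is written twice in Python against an in-memory SQLite table, once the slide's way and once with bound parameters, and both are fed the second slide-22 payload (the multi-row one). The table name and columns follow the slide; the SQLite setup and the `rows_after()` helper are this example's own.

```python
"""Slide-21 save_message() twice: interpolated vs. parameterised.
Added example, not code from the talk."""
import sqlite3

# Constructed payload, the second one from slide 22: it closes the current
# VALUES row and appends two spam rows of its own. No second statement is
# needed, so it works even where stacked queries are refused.
SPAM_PAYLOAD = ("test'), ('user2', 'Cheap medicine at ...'), "
                "('user3', 'Cheap medicine at ...")


def fresh_db():
    """Empty Messages table in memory, matching the slide's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (user TEXT, message TEXT)")
    return conn


def save_message_vulnerable(conn, user, message):
    # Same shape as the slide: the values become part of the SQL text
    sql = "INSERT INTO Messages (user, message) VALUES ('%s', '%s')" % (user, message)
    conn.execute(sql)


def save_message_safe(conn, user, message):
    # Bound parameters: the driver passes the values separately from the
    # statement, so quotes and parentheses in them are data, not syntax
    conn.execute("INSERT INTO Messages (user, message) VALUES (?, ?)",
                 (user, message))


def rows_after(saver):
    """Run one saver on a fresh table with the spam payload as the message
    and return what ended up stored."""
    conn = fresh_db()
    saver(conn, "user1", SPAM_PAYLOAD)
    return conn.execute(
        "SELECT user, message FROM Messages ORDER BY rowid").fetchall()


if __name__ == "__main__":
    print("interpolated:", rows_after(save_message_vulnerable))
    print("parameterised:", rows_after(save_message_safe))
```

The interpolated version stores three rows from a single call, two of them the spam the payload carried; the parameterised version stores exactly one row whose message is the payload, quotes and all, as inert text. The first slide-22 payload (`DROP TABLE`) needs stacked statements, which sqlite3's `execute()` and PHP's `mysql_query()` both refuse, but that is driver behaviour rather than a defence: the multi-row payload shows the same bug without it.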
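Slides 26 and 27 describe two CSRF tokens: a time-bound one derived from a secret, the user and the day, and a random one kept in the user's session for sensitive posts. The Python below is an added example, not the talk's PHP: it keeps the slide's (secret, user, day) construction but uses an HMAC instead of md5 over a `:`-joined string, and writes out the check that slide 26 asks for with a constant-time comparison. Accepting the previous day's token as well, the `now` parameter, and the dict standing in for a session store are choices of this example, not the slide's.

```python
"""Time-bound and session-bound CSRF tokens from slides 26/27.
Added example, not code from the talk."""
import hashlib
import hmac
import secrets
import time

SECONDS_PER_DAY = 86400


def _day(now):
    """Day bucket; `now` is injectable so the rollover can be tested."""
    return int(time.time() if now is None else now) // SECONDS_PER_DAY


def _nonce_for_day(secret, user, day):
    # HMAC binds secret, user and day; nothing is stored server-side
    msg = ("%s:%d" % (user, day)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def get_nonce(secret, user, now=None):
    """Token for ordinary posts: recomputed by the server, never stored."""
    return _nonce_for_day(secret, user, _day(now))


def check_nonce(secret, user, token, now=None):
    """Accept today's token and yesterday's, so a form opened just before
    the day rolls over still submits (a window of this example's choosing)."""
    day = _day(now)
    posted = str(token).encode()
    for candidate_day in (day, day - 1):
        expected = _nonce_for_day(secret, user, candidate_day).encode()
        if hmac.compare_digest(expected, posted):
            return True
    return False


def new_session_token(session):
    """For sensitive posts: a random token stored in the server-side session
    (a plain dict here) and echoed into the form as a hidden field."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_session_token(session, posted):
    """True only if a token exists in the session and the posted one matches."""
    stored = session.get("csrf_token")
    if not stored or not posted:
        return False
    return hmac.compare_digest(stored.encode(), str(posted).encode())


if __name__ == "__main__":
    secret = b"constructed-secret-for-demo"  # constructed, not a real key
    tok = get_nonce(secret, "alice")
    print("time-bound ok:", check_nonce(secret, "alice", tok))
    print("wrong user:  ", check_nonce(secret, "bob", tok))
    sess = {}
    st = new_session_token(sess)
    print("session ok:  ", check_session_token(sess, st))
```

The hidden `<form>` from slide 25 can post the message, but it cannot read the token: it is either recomputed from a server secret the attacking page does not hold, or stored in a session the attacking page cannot read. A missing or mismatched token is the signal to reject the post, and `compare_digest` keeps the comparison itself from leaking which bytes matched.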
