Podcast: Play in new window | Download

XSS, CSRF, user input sanitiation oh my!

News/Follow-Ups – 00:51

Google Wave is no longer

Geek Tools – 05:26

Peel and Stick Whiteboard

Web Apps – 07:10

Sipgate - http://sipgate.com/ – SIP phone service for your team

Web Security Overview – 15:29

Episode 80: Web Security Overview Pt. 1

• Typical Attacks
  • Client-side manipulation
    • HTTP is stateless so to conduct states tokens are usually sent to the client and echoed back to the server
    • Eg. Price of a product in a hidden form field
    • Bottom line, all validations should be made on the server side
• SQL Injection
  • Most common attack of 2010 according to Open Web Application Security Project
  • Classic, (or 1=1) authentication attack
  • Escaping
  • Blacklist
  • Whitelist
  • Prepared statements
• Cross-Site Scripting (XSS)
  • Second most common vulnerability
  • roughly 80% of all security vulnerabilities documented by Symantec as of 2007
  • Client side?
    • Javascript
    • Java
    • Activex
    • Flash
    • VBScript
    • Or even HTML ( think iframe )
  • What can you do about it?
    • Sanitize user input
    • Tie cookie session data to an specific IP address
    • Modern browsers, IE6 Firefox 2.0+, Safari 4, and Chrome have a cookie flag called HttpOnly which makes the cookie unavailable to client side scripts.
• Cross-Site Request Forgery (CSRF)
  • AKA Session Hijacking
  • Forces a logged on victim’s browser to send a HTTP request to the server
  • Most common way to prevent this
    • Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker’s site can’t put the right token in its submissions.
    • This is done in most modern web-frameworks
• Password Security
• Tools to test your site for vulnerabilities
  • Nikto
  • Skipfish (Google)
  • Nessus