Why Web Security Matters!
Philippe De Ryck
@PhilippeDeRyck
2 Years Ago in the “News” …
2
http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
The Agenda for Today
3
About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ Focus on (client-side) Web security
§ Responsible for the Web Security training program
§ Dissemination of knowledge and research results
§ Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
§ 7 attacker models, broken down into 10 capabilities
§ 13 attacks and their countermeasures
§ Overview of security best practices
Who Uses Portable Computers?
5
And Who Are You Most Afraid Of?
6
7
https://www.flickr.com/photos/jeepersmedia/16091161616/
http://deredactie.be/cm/vrtnieuws/binnenland/1.2163105
http://www.clickx.be/nieuws/134342/telenet-laat-je-surfen-via-de-modem-van-je-buren/
http://www.engadget.com/2010/07/01/starbucks-begins-offering-free-one-click-wifi-access-in-us-and-c/
What Happens when You Submit a Form
8
Open site
Browser → server: GET login.html
Server → browser: 200 OK, HTML page
Fill out form
Browser → server: POST login.php (username: Philippe, password: ...)
Server → browser: 200 OK, HTML page
Form Data on the Network
9
You May Think an Attacker Needs This …
10
While He Actually Only Needs This …
11
Network Sniffing Is Straightforward
12
§ Sniffing can be a completely passive attack
§ Just listen to the traffic and analyze it later
§ HTTPS protects you against network-based attacks
§ It encrypts the traffic, so that nobody else can read it
So Problem Solved Then?
13
So Problem Solved Then?
14
So Problem Solved Then?
15
http://arstechnica.com/security/2015/04/match-coms-http-only-login-page-puts-millions-of-passwords-at-risk/
There Is More besides Sniffing
16
Open site
Browser → attacker on the network: GET index.html
Attacker → server: GET index.html
Server → attacker: 200 OK, HTML page
Attacker → browser: "Here you go": fake HTML page
There Is More besides Sniffing
17
§ Instead of this …
§ You get this ...
SSL Stripping
18
§ Instead of this …
§ You get this …
SSL Stripping
19
Browser → attacker: GET http://websec.be
Attacker → websec.be: GET http://…
websec.be → attacker: 301 Moved
Attacker → websec.be: GET https://…
websec.be → attacker: 200 OK
Attacker rewrites the HTTPS URLs in the page to HTTP
Attacker → browser: 200 OK, response page
Browser → attacker: POST http://www.websec.be (User: philippe & pass: pazzw0rd)
Attacker → websec.be: POST https://…
Preventing SSL Stripping with HSTS
20
Browser → websec.be: GET https://websec.be
websec.be → browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;
Browser → websec.be: GET https://websec.be
websec.be → browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;
Browser → websec.be: GET https://www.websec.be
websec.be → browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;
HTTPS Is Really Worth the Effort
21
§ An attacker on the network level can
§ Read all unprotected traffic, regardless of which application
§ Modify content from the browser to the server
§ Modify content from the server to the browser
§ Remove HTTPS if only used for specific pages or form submissions
• This attack is called SSL Stripping and is very dangerous
§ Essentially take full control of the Web page
§ All of these attacks are invisible to most users
§ Even security experts fall for these if not paying attention
§ But a correct HTTPS deployment counters all of this …
How to Deploy HTTPS Correctly
22
§ Configure your HTTPS with a valid certificate
§ These used to be expensive, but now there are free options
§ Let’s Encrypt is backed by the EFF and offers free HTTPS certs
§ Deploy your entire website over HTTPS
§ Partial HTTPS still leaves you vulnerable to numerous attacks
§ The performance impact is very limited nowadays
§ Many major sites have switched to full HTTPS
§ Use state-of-the-art security techniques
§ HTTP Strict Transport Security (HSTS)
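As an added example (not code from the talk), the following Python simulates the browser side of HSTS: a response received over HTTPS carrying Strict-Transport-Security records a policy, and any later http:// navigation to that host is upgraded to https:// before a request leaves the browser, which is what removes the SSL stripping opportunity. The cache structure and function names are assumptions of this example.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's HSTS cache: host -> (expiry, includeSubDomains).
# Example code written for this page, not part of the talk.
_hsts_cache = {}


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is unusable (no max-age, or a non-numeric one);
    a browser then ignores the header instead of guessing."""
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


def record_response(host, scheme, headers, now=None):
    """Update the cache from a response; returns True if the policy changed.

    The header is honoured only on HTTPS responses: plain HTTP can be forged by
    a network attacker, so an HSTS header seen over HTTP must not set or clear
    a policy."""
    now = time.time() if now is None else now
    if scheme != "https":
        return False
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    parsed = parse_hsts(value)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    if max_age == 0:
        _hsts_cache.pop(host, None)  # max-age=0 tells the browser to forget the host
        return True
    _hsts_cache[host] = (now + max_age, include_sub)
    return True


def is_hsts_host(host, now=None):
    """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
    now = time.time() if now is None else now
    entry = _hsts_cache.get(host)
    if entry and entry[0] > now:
        return True
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        entry = _hsts_cache.get(parent)
        if entry and entry[0] > now and entry[1]:
            return True
    return False


def rewrite_url(url, now=None):
    """Upgrade http:// to https:// for HSTS hosts before any request is sent.

    This is the step that defeats SSL stripping: the stripped http:// link is
    never requested, so there is no plain-text request for the attacker to relay."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname and is_hsts_host(parts.hostname, now):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url
```

The very first visit, before any policy has been cached, is still made over whatever scheme the user typed; that gap is what the browser HSTS preload list closes.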
Back to the Video with Weird Usernames
23
http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
Verifying a User’s Credentials
24
Browser → server: GET login.html
Server → browser: 200 OK, HTML page
Browser → server: POST login.php (username: Philippe, password: …)
Server: look up user, check password, load user info
Server → browser: 200 OK, HTML page
Communicating with a Database
25
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
ID  username       password      email                           role
1   Administrator  au28sj348aj2  administrator@gmail.com         admin
2   Philippe       secret        philippe.deryck@cs.kuleuven.be  Editor
3   …              …             …                               …
Communicating with a Database
26
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
"SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
Username: philippe Password: secret
SELECT * FROM users WHERE username = 'philippe' AND password = 'secret'
Philippe – secret – philippe.deryck@cs.kuleuven.be – editor
Communicating with a Database
27
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
"SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
Username: superman Password: kryptonite
SELECT * FROM users WHERE username = 'superman' AND password = 'kryptonite'
Communicating with a Database
28
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
"SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
Username: administrator Password: luckyguess
SELECT * FROM users WHERE username = 'administrator' AND password = 'luckyguess'
Communicating with a Database
29
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
"SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
Username: administrator'-- Password: luckyguess
SELECT * FROM users WHERE username = 'administrator'-- (everything after -- is a comment, so the password check disappears)
Administrator – au28sj348aj2 – administrator@gmail.com – admin
Communicating with a Database
30
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)
§ When a user logs in, the application verifies his credentials
"SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
Username: ' OR '1' = '1'-- Password:
SELECT * FROM users WHERE username = '' OR '1' = '1'-- (the condition is always true, so every row is returned)
Administrator – au28sj348aj2– administrator@gmail.com – admin
Philippe – secret – philippe.deryck@cs.kuleuven.be – editor
…
SQL Injection Attacks Are Problematic
31
§ Injection problems are ranked #1 in the OWASP Top 10
§ SQL injection is a very common attack
https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
SQL Injection Attacks Are Problematic
32
§ Injection problems are ranked #1 in the OWASP Top 10
§ SQL injection is a very common attack
§ The problem stretches beyond login forms
§ Wherever data is used in a query, injection is possible
§ The payload that is injected can be anything …
"UPDATE users SET email = '" + email + "' WHERE username = '" + username + "'"
Email: philippe@gmail.com Username: philippe'; DROP DATABASE website;--
UPDATE users SET email = 'philippe@gmail.com' WHERE username = 'philippe';
DROP DATABASE website;--
SQL Injection Attacks Are Problematic
33
https://xkcd.com/327/
Prepared Statements against SQL Injection
34
§ An injection attack is caused by confusing data and code
§ The database cannot distinguish the query and the data anymore
§ It does not know what the intended behavior of the query was
§ Prepared statements declare the query up front
§ Data is inserted separately, and will never be interpreted as code
SELECT * FROM users WHERE username = '?' AND password = '?'
Username: administrator'-- Password: luckyguess
The bound value stays data: the query looks for a username literally equal to administrator'-- and a password equal to luckyguess
It is never turned into SELECT * FROM users WHERE username = 'administrator'--
Preventing SQL Injection Attacks
35
§ The only correct defense is using prepared statements
§ Every language supports prepared statements
§ It is only a small effort to do this right in the application’s code
§ Escaping is often considered as an alternative defense
§ Dangerous characters (like ' and --) are replaced with safe versions
§ This approach is less effective and more error-prone
§ Defending against SQL injection is technically not difficult
§ But it requires explicit action from the developer
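To make the two slides concrete, here is an added Python example (not code from the talk) that builds an in-memory SQLite copy of the users table from the slides and runs the login check both ways: the concatenated query the slides warn about, and the prepared statement. The table contents and function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory copy of the users table from the slides.

    Plaintext passwords are kept only to mirror the slides; a real application
    stores password hashes, which does not change the injection problem."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email, role) VALUES (?, ?, ?, ?)",
        [
            ("administrator", "au28sj348aj2", "administrator@gmail.com", "admin"),
            ("philippe", "secret", "philippe.deryck@cs.kuleuven.be", "editor"),
        ],
    )
    return conn


def login_concatenated(conn, username, password):
    """The vulnerable pattern from the slides: user input is pasted into the
    query text, so the database can no longer tell data from code. A quote
    closes the string literal and -- comments out the password check."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_prepared(conn, username, password):
    """Prepared statement: the query shape is declared up front and the values
    are bound separately, so a quote or -- in the input stays ordinary text
    that is compared against the stored username."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()
```

Run against the slides' inputs, the concatenated version logs in as the administrator for administrator'-- and returns every row for ' OR '1' = '1'--, while the prepared version returns no row for either.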
Why Web Security Matters!
A Quick Recap …
37
§ Mobile computers and Wi-Fi networks have changed the Web
§ Enabler of astonishing scenarios and applications
§ But security has become a lot more important as well
§ Network-level attacks have become much easier
§ Anyone sitting nearby can target a wireless user
§ Users are not necessarily the victim, but their employer may be
§ HTTPS offers protection against network-level attacks
§ Realize that it is important, and switch everything to HTTPS
§ Deploy it correctly, and keep your configuration up to date
A Quick Recap …
38
§ SQL injection is a very old vulnerability
§ But it’s still very relevant today, as aptly illustrated in this talk
§ SQL injection can be very harmful
§ One of the major sources of data leaks
§ Can even give the attacker full control over your database
§ Preventing SQL injection is not difficult
§ Requires a bit of effort from the developer, but not very much
§ But you need to explicitly protect against these attacks
Managing Your Application’s Security
39
§ You are not a security expert, and nobody expects you to be
§ Be knowledgeable about basic Web security concepts
§ Be involved in building the threat model of your application
§ Be aware of the contemporary Web security landscape
§ Find trustworthy people for the technical security aspects
§ Instruct your contractor to explicitly take security into account
§ Ask for evidence that they are knowledgeable about security
§ Verify the list of technical goals with a knowledgeable person
Managing Your Application’s Security
40
§ Make security goals an explicit requirement
§ Contractors should deliver projects that follow current best practices
§ Plenty of resources available, for example from OWASP
§ Think about liability, and see if you can transfer it
§ Verify the security of your applications
§ Many companies can perform security reviews of your applications
§ Should be mandatory for critical systems
• Passing a security review as a final requirement before delivering a project
Why Web Security Matters!
Philippe De Ryck
philippe.deryck@cs.kuleuven.be
/in/philippederyck
https://distrinet.cs.kuleuven.be/events/websecurity/
@PhilippeDeRyck
