Presenter : Chris Shiflett
Twitter: @shiflett
Site: shiflet.org / analog.coop

photo credit: Chris Shiflett

Security is always a hot topic, and in today’s world it’s always good to have a fresh look at web security on the first day of the Webstock 2010 workshops. Chris Shiflett is currently part of a web development co-op Analog and has a keen interest in PHP and web security.  He is also a webstock veteran and author of Essential PHP Security.

At risk of missing any of the important points, please check out the full presentation at the end of my notes.

Fundamentals

• Defense in depth, use all safeguards available, use owasp.org.
• Least privilege, lock the system down as much as possible.
• Least complicated, complexity allows mistakes to happen.

Golden Rule, ok more like a golden acronym – FI EO

• Filter input – ensure any inputs are what you expect and no more.
• Escape output – ensure data going out is not misinterpreted.

List of common exploits

• Cross-Site Scripting – an XSS flaw occurs whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites and possibly introduce worms.
• Cross-Site Request Forgeries – a CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
• SQL Injection – injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
• Session Fixation – attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person’s session identifier.
• Session Hijacking – session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.
• Email Injection – similar to SQL injection.
• Remote Code Injection – similar to SQL injection.

In a lot of  these attacks it is rather trivial to get the basics right by following the golden acronym FIEO, but all posible defences should be used for defence in depth.  The full presentaion goes into the ways to “Stop It”. Also do your own research to pick up on latest trends.  A rather concise resource was mentioned by @nzrob see www.owasp.org Top 10 vulnerabilities which gives large amount option to protect your application.

The full presentation can be found here,  http://shiflett.org/evolution-of-web-security.pdf.

Tips

• Specify character encoding and make sure it is consistant from front to back end.
• Get users to reconfirm password for important actions like changing password.
• Good understanding of http and session management helps with prevention.
• Keep source code short and concise.  Complexity breeds flaws.
• Human peception can also lead to perceved security breaches – see SmugMug example.
• Host static files on separate subdomain to limit session token exposure.

Final thoughs were around trending of user behaviour to identifying abnormalities and maybe using something like https://panopticlick.eff.org/ for uniquely identifying users from bots.

Chris did an excellent job in presenting the information in an easily ledgible format and good concrete examples. I am gutted I prioritised another talk over his “Security-Centered Design” talk at the Webstock conference but I’ll be sure to catch up on it when the video is available and post the link here if I remember.

Be Safe :)

After a mad dash from the airport we made it just in time for the first session on the day. We did luck out on the good seats. But not even the neck wrenching all day long could take away from the sessions content.

I was amazed at the amount of ground that was covered by Russ Weakley. Fast paced and action packed till the last bell rang at 5pm.

Areas of particular interest to me, no i might hear you say du!, but my css and html skills have been hacked togeter like a IE 5 stylesheet.

• I’m slowly getting my head around Inline, Block and Terminal Block elements. I’ll have to go check out that last one again.
• Selectors are your friend, esp descendant selectors save you from needing to assign classes unnecessarily
• Try and use your site without a mouse, for basic accessibility testing
• Check out http://maxdesign.com.au for some css goodness and examples
• display:inline = inflow, display:block = out of flow
• CSS Sprites, have all your icons in one gif file to save round trips to the server. Use ample white space(100px) to avoid strange effects when font size gets increased.
• User more of “em” unit to make site more fluid when font size in the browser gets changed.
• Russ finally got me to make sense of “li” elements for navigation and how easy they are to work with.
• Also see “Sliding Door” for nice and neat little tabs with rounded corners. a and span elements are your friends here.
• Tables in forms are _bad_ for accessablility
• Build for standard compliant browser ALWAYS!!!, you can add IE specific hacks in at IE only style sheet.
• When doing a printable stylesheet see “media” attribute of the link element.

So at the end of a long day im calling it a wrap. The sooner i go to bed the sooner i can go and have a coffee at Delux

Double Margin Float bug is quite bizarre – Russ(Sounding like the Steve Irwin of CSS)