October 22, 2013
To be Hacked or not to be Hacked!
Vincci Kwong and Gary Browning, Indiana University South Bend
Indiana Library Federation (ILF) Annual Conference 2013
https://www.youtube.com/watch?v=lw7dt0AhXXI
What are Web Applications?
What is PHP?
• A server-side scripting language designed for web development
• Open source programming language
• Powers roughly 80% of websites whose server-side language is known
• PHP code is only as secure as the programmer writes it
Why hack web applications?
• Stealing sensitive information
• Defacement
• Planting malware
• Deceit
• Blackmail
• Link spam
• Worms
• Phishing
Why secure web applications?
• Everyone can touch web applications!
• It is hard to secure!!!
Am I being hacked?
• Check your server access logs
• Look for recently modified files
• Look for files that shouldn't be there
• Scan through your files for injected code (for example eval(base64_decode(...)) in a file you never wrote)
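The checklist above, as an added example that is not part of the slides: a small PHP command-line script that walks a web root for recently modified files, files that do not belong, and back-door signatures, and scans access-log lines for suspicious requests. The web-root path, the 7-day window, the extension list, the signature list and the sample log lines are all assumptions or constructed for the demo; tune them for your own site.

```php
<?php
// Added example, not from the slides. Usage on a server:
//   php triage.php /var/www/html /var/log/apache2/access.log 7
// Without arguments it builds a throwaway demo web root and log (constructed data).

function scan_tree($root, $cutoff) {
    // Extensions that normally belong in a PHP site (assumption: adjust per site).
    $expected = array('php', 'html', 'htm', 'css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'ico', 'txt', 'xml');
    // Fragments typical of injected back doors. Matches are leads, not proof:
    // some legitimate code (caches, templating engines) uses them too.
    $signatures = array('eval(', 'base64_decode(', 'gzinflate(', 'str_rot13(', 'shell_exec(', 'passthru(', 'system(');
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile()) { continue; }
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        $flags = array();
        // 1. Recently modified: a site nobody has deployed to should have no fresh mtimes.
        if ($file->getMTime() >= $cutoff) {
            $flags[] = 'modified ' . date('Y-m-d H:i', $file->getMTime());
        }
        // 2. Files that should not be there: odd extensions, PHP under upload directories.
        if (!in_array($ext, $expected, true)) {
            $flags[] = "unexpected extension .$ext";
        }
        if ($ext === 'php' && preg_match('#/(uploads?|images?|media|files)/#i', $path)) {
            $flags[] = 'PHP file inside an upload/media directory';
        }
        // 3. Scan file contents for back-door signatures.
        if (in_array($ext, array('php', 'phtml', 'inc'), true)) {
            $src = file_get_contents($path);
            foreach ($signatures as $sig) {
                if (stripos($src, $sig) !== false) { $flags[] = "contains $sig"; }
            }
        }
        if ($flags) { $findings[$path] = $flags; }
    }
    return $findings;
}

// Access-log lines (Apache/nginx combined format) worth a second look: POSTs to
// PHP files under upload directories, and request targets carrying traversal,
// script or decoder fragments. Targets are percent-decoded first, as the web
// server decodes them, so %2e%2e%2f does not slip past as harmless text.
function scan_access_log(array $lines) {
    $hits = array();
    foreach ($lines as $line) {
        if (!preg_match('/"(GET|POST) (\S+) HTTP/', $line, $m)) { continue; }
        $target = rawurldecode($m[2]);
        if ($m[1] === 'POST' && preg_match('#/(uploads?|images?|media|files)/[^?]*\.php#i', $target)) {
            $hits[] = array('POST to PHP under upload dir', $line);
        } elseif (preg_match('#\.\./|<script|base64_decode|\.htaccess|/etc/passwd#i', $target)) {
            $hits[] = array('suspicious request target', $line);
        }
    }
    return $hits;
}

$root = isset($argv[1]) ? $argv[1] : null;
$log  = isset($argv[2]) ? $argv[2] : null;
$days = isset($argv[3]) ? (int) $argv[3] : 7;
if ($root === null) {
    // Constructed demo: a temporary web root with one planted back door, and
    // three made-up log lines (the IP is from the documentation range).
    $root = sys_get_temp_dir() . '/triage-demo-' . getmypid();
    mkdir("$root/uploads", 0700, true);
    file_put_contents("$root/index.php", "<?php echo 'hello';");
    file_put_contents("$root/uploads/image.php", "<?php eval(base64_decode(\$_POST['c']));");
    $logLines = array(
        '203.0.113.5 - - [22/Oct/2013:10:00:01 -0400] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [22/Oct/2013:10:00:02 -0400] "POST /uploads/image.php HTTP/1.1" 200 17 "-" "curl/7.30"',
        '203.0.113.5 - - [22/Oct/2013:10:00:03 -0400] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    );
} else {
    $logLines = $log ? file($log, FILE_IGNORE_NEW_LINES) : array();
}

foreach (scan_tree($root, time() - $days * 86400) as $path => $flags) {
    echo $path, "\n    ", implode("\n    ", $flags), "\n";
}
foreach (scan_access_log($logLines) as $hit) {
    echo $hit[0], ': ', $hit[1], "\n";
}
```

Run it from a known-clean copy of the site as a baseline first, so that you learn which of your own files trip the signature list; what you are looking for afterwards is the difference. The demo leaves its temporary directory behind for inspection.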
Top 10 security issues for web applications (OWASP Top 10, 2013)
1. Injection
2. Broken authentication and session management
3. Cross site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross site request forgery (CSRF)
9. Using known vulnerable components
10. Unvalidated redirects and forwards
What can I do?
• Write secure code!!
• Use the PHP Security Cheat Sheet
• Use a web application scanner
Writing Secure Code
• Do not trust visitors to your website
• Understand Register Globals
• Error messages
• SQL Injections
• File Manipulation
• XSS
Register Globals
• Feature deprecated in PHP 5.3.0 and removed as of PHP 5.4.0 !!!!
• Request variables (GET, POST, cookies) were injected into the global scope as ordinary PHP variables automatically
• Remember, PHP does not require variable initialization, so a variable you never set silently takes whatever value the request supplied
Example: Misuse with register_globals = on
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
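The same gate written so that it is safe whether or not register_globals is on, as an added example that is not the slides' code. The session-based authenticated_user() and the include path are assumptions standing in for the slides' own.

```php
<?php
// Added example, not from the slides.

// Refuse to run on a server that still has the feature on (PHP < 5.4). ini_get()
// returns false on 5.4+, where the directive no longer exists.
if (ini_get('register_globals')) {
    die('register_globals is enabled; turn it off in php.ini before deploying this application.');
}

session_start();

function authenticated_user() {
    // Assumed: the login handler stores the user id in the session after checking credentials.
    return isset($_SESSION['user_id']);
}

// 1. Initialise before use. Even with register_globals on, a request for
//    auth.php?authorized=1 can no longer pre-set this to a true value.
$authorized = false;
if (authenticated_user()) {
    $authorized = true;
}

// 2. Read request data only through the superglobals ($_GET, $_POST, $_COOKIE),
//    never as bare variables that may or may not have come from the client.
//    e.g.  $section = isset($_GET['section']) ? $_GET['section'] : 'summary';

if ($authorized) {
    include '/highly/sensitive/data.php';
}
```

On a pre-5.4 server you cannot rely on every script being written this carefully, so turn the directive off globally (register_globals = Off in php.ini, or php_flag register_globals off in .htaccess under Apache with mod_php) rather than fixing scripts one by one.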
SQL Injections
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). ...
http://en.wikipedia.org/wiki/SQL_injection
Example: SQL Injection
$proceed = mysql_query("SELECT Username, Password, AccessLVL FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
From a web form, someone inputs the following:
USERNAME: ' OR 1=1 #
PASSWORD: (left blank)
SQL Query:
SELECT Username, Password, AccessLVL FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
The first quote closes the Username string, OR 1=1 makes the condition true for every row, and # starts a MySQL comment that hides the rest of the WHERE clause, password check included.
This will return the entire list of usernames and passwords !!!!
Fix this by sending user input as bound parameters of a prepared statement (PDO or mysqli). If you must build the query as a string, escape every value with mysqli_real_escape_string and keep it inside quotes; mysql_real_escape_string belongs to the old mysql extension, which is deprecated as of PHP 5.5 and removed in PHP 7. Note also that this query compares plaintext passwords: store password hashes instead, so that a successful dump does not hand over every patron's password.
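The login query above rewritten as a prepared statement with hashed passwords, as an added example that is not the slides' code. It uses an in-memory SQLite database constructed on the spot so that it runs stand-alone; the MySQL DSN in the comment, the user alice, and the column name PasswordHash are assumptions, while Username and AccessLVL follow the slide.

```php
<?php
// Added example, not from the slides.

function connect_db() {
    // Production: new PDO('mysql:host=localhost;dbname=library;charset=utf8', $user, $pass)
    // with PDO::ATTR_EMULATE_PREPARES => false, so MySQL itself prepares the statement.
    $pdo = new PDO('sqlite::memory:');   // constructed demo database
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Users (Username TEXT PRIMARY KEY, PasswordHash TEXT, AccessLVL INTEGER)');
    return $pdo;
}

function create_user(PDO $pdo, $username, $password, $accessLvl) {
    // Only the hash is stored; password_hash() salts it and uses bcrypt (PHP 5.5+,
    // or the password_compat library on 5.3/5.4).
    $stmt = $pdo->prepare('INSERT INTO Users (Username, PasswordHash, AccessLVL) VALUES (?, ?, ?)');
    $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT), $accessLvl));
}

// Returns the access level on success, or null when the credentials are wrong.
function login(PDO $pdo, $username, $password) {
    // The username travels to the database as a bound value, separate from the SQL
    // text: "' OR 1=1 #" is compared as a literal username, not parsed as SQL.
    $stmt = $pdo->prepare('SELECT PasswordHash, AccessLVL FROM Users WHERE Username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Compare against the stored hash; never SELECT on the password itself.
    return password_verify($password, $row['PasswordHash']) ? (int) $row['AccessLVL'] : null;
}

$pdo = connect_db();
create_user($pdo, 'alice', 'correct horse battery staple', 2);

$attempts = array(
    array('alice', 'correct horse battery staple'),   // genuine login
    array('alice', 'wrong password'),                 // bad password
    array("' OR 1=1 #", ''),                          // the injection string from the slide
);
foreach ($attempts as $a) {
    $lvl = login($pdo, $a[0], $a[1]);
    printf("%-30s -> %s\n", $a[0], $lvl === null ? 'login failed' : "access level $lvl");
}
```

The structure of the query is fixed at prepare time and the values are sent separately, which is why escaping becomes unnecessary rather than merely easier; the same pattern applies to every query that takes user input, not only logins.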
File Manipulation
some.web.address/index.php?index.html
some.web.address/index.php?.htaccess
The slides show only the URLs; they fit a page that includes whatever file the query string names (for example include $_SERVER['QUERY_STRING'];). The first request is the intended use. The second makes the server hand over .htaccess, and a path such as ../../../../etc/passwd walks out of the web root the same way. The file name must come from a list the application controls, never from the request.
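A front controller that serves pages by key instead of by file name, as an added example that is not the slides' code. The vulnerable line in the comment is the assumed pattern behind the URLs above; the page list, the pages/ directory and the page parameter name are assumptions.

```php
<?php
// Added example, not from the slides.

// Assumed vulnerable pattern: index.php?.htaccess serves the raw .htaccess, and
// index.php?../../../../etc/passwd walks out of the web root.
//   include $_SERVER['QUERY_STRING'];

// Hardened: the request picks a key, the application picks the file.
$pages = array(
    'home'  => 'pages/index.html',
    'hours' => 'pages/hours.html',
    'about' => 'pages/about.html',
);

function resolve_page(array $pages, $key, $base) {
    if (!array_key_exists($key, $pages)) {
        return false;
    }
    // Second line of defence: resolve the path and confirm it is still inside
    // the web root, in case the list ever comes to hold user-influenced data.
    $path = realpath($base . '/' . $pages[$key]);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

$key  = isset($_GET['page']) ? $_GET['page'] : 'home';
$path = resolve_page($pages, $key, realpath(__DIR__));
if ($path === false) {
    header('HTTP/1.1 404 Not Found');
    exit('No such page');
}
// Static HTML is sent with readfile(), not include(): content that somebody managed
// to upload into pages/ is then shown as text rather than executed as PHP.
readfile($path);
```

Any key that is not in the list, including '.htaccess', '../../etc/passwd' and 'http://attacker/shell.txt', gets a 404 before the file system is touched; the realpath() check only matters if the list itself is ever wrong.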
XSS (imagine the following code in your index.php file)
<?php
$name = $_GET['name'];
echo "Welcome $name<br>";
echo '<a href="http://librarysite.org/">Click to visit</a>';
?>
If someone entered the following on a web form, what would happen?
guest<script>alert('attacked')</script>
The value is written into the page unescaped, so the visitor's browser runs the script with the library site's own origin: here just an alert, but it could equally read the session cookie or rewrite the page.
XSS
Would you trust this URL if you saw the link on a website (assume you are familiar with 'mytrustedsite.org')?
mytrustedsite.org/index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-trustedsite.com/";}</script>
Once the page has loaded, the injected script points the first link on the page at a site the attacker controls, while the address bar still shows mytrustedsite.org.
XSS
Would you trust this URL if you saw the link on a website (assume you are familiar with 'mytrustedsite.org')?
mytrustedsite.org/index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
Percent-decoded, this is the same script as on the previous slide with the link pointed at http://attacker-site.com/. The encoding hides the payload from a casual look at the URL, but the web server decodes it before it reaches $_GET['name'], so index.php behaves exactly as before.
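The index.php from the XSS slides rewritten so that the name is escaped on output, as an added example that is not the slides' code. librarysite.org is the slides' own example link; the Content-Security-Policy header and the command-line demo input (the slide's payload plus a short constructed percent-encoded one) are additions.

```php
<?php
// Added example, not from the slides.

// Escape for HTML. ENT_QUOTES also escapes single quotes, so the result is safe
// inside attribute values too; the charset must match the page's declared charset.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_welcome($name) {
    return 'Welcome ' . h($name) . "<br>\n"
         . '<a href="http://librarysite.org/">Click to visit</a>' . "\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed demo input: the payload from the slide, and a percent-encoded
    // <script>alert(1)</script> decoded the way the web server would decode it.
    echo render_welcome("guest<script>alert('attacked')</script>");
    echo render_welcome(rawurldecode('%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e'));
} else {
    header('Content-Type: text/html; charset=UTF-8');
    // Defence in depth: browsers that honour CSP refuse inline scripts, so a
    // payload that slips past a missed escape elsewhere still does not run.
    header("Content-Security-Policy: default-src 'self'");
    $name = isset($_GET['name']) ? $_GET['name'] : 'guest';
    echo render_welcome($name);
}
```

Escaping is specific to where the value lands: h() is right for HTML text and attribute values, but a value placed inside a JavaScript block, a URL, or a CSS rule needs that context's own encoding, and the CSP header does nothing for visitors on browsers that ignore it.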
Web Application Scanners
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
Contains a list of Open Source and Commercial products
It’s not in the Top 10, but…
• Unvalidated inputs
Reporting a hacked site!
• Why do you think the website is being hacked?
• What on the website is looking unusual? Did you clear your browser's cache?
• Are you being redirected to another website? If yes, note the URL of the site.
• Were you being asked to provide confidential information?
• Do patrons report receiving unusual email from the library?
• When did it happen?
Emergency contact list
• Library IT personnel
• Director/Dean of the Library
• Vendors
• Patrons
Resources
• PHP Security Cheat Sheet - https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
• PHP Security Guide - http://phpsec.org/projects/guide/
• Securing PHP Web Applications - http://www.amazon.com/Securing-PHP-Applications-Tricia-Ballad/dp/0321534344
Questions?
Feel free to contact us at
• Vincci Kwong
  • Email: [email protected]
  • Phone: 574-520-4444
• Gary Browning
  • Email: [email protected]
  • Phone: 574-520-5516