Web Programming Step by Step, 2nd Edition

Lecture 27: Web Security

Reading: Ch. 15

Except where otherwise noted, the contents of this document are Copyright 2012 Marty Stepp, Jessica Miller, and Victoria Kirst. All rights reserved. Any redistribution, reproduction, transmission, or storage of part or all of the contents in any form is prohibited without the author's expressed written permission.

Valid HTML5 Valid CSS

Our current view of security

group hug

The real world

orcs (dorks?)

Attackers' goals

burglar

Why would an attacker target my site?

Tools that attackers use

firebug

Assume that the attacker knows about web dev and has the same tools you have:

Some kinds of attacks

burglar

Information leakage

information leakage

when the attacker can look at data, files, etc. that he/she should not be allowed to see

Man-in-the-middle attack

man in the middle

when the attacker listens on your network and reads and/or modifies your data

Secure HTTP (HTTPS)

https

Session hijacking

firesheep

when the attacker gets a hold of your session ID and masquerades as you

HTML injection

a flaw where a user is able to inject arbitrary HTML content into your page

8-ball

Injecting HTML content

8ball.php?question=<em>lololol</em>

Cross-site scripting (XSS)

a flaw where a user is able to inject and execute arbitrary JavaScript code in your page

8ball.php?question=<script type='text/javascript'>alert('pwned');</script>

Securing against HTML injection / XSS

htmlspecialchars returns an HTML-escaped version of a string
$text = "<p>hi 2 u & me</p>";
$text = htmlspecialchars($text);   # "&lt;p&gt;hi 2 u &amp; me&lt;/p&gt;"

Another XSS example

Buy-a-Grade

SQL injection

grades

a flaw where the user is able to inject arbitrary SQL into your query

A SQL injection attack

Too true...

bobby tables xkcd comic

Securing against SQL injection

quote returns a SQL-escaped version of a string
$username = $db->quote($_POST["username"]);
$password = $db->quote($_POST["password"]);
$query = "SELECT name, ssn, dob FROM users
WHERE username = $username AND password = $password";

Practice problem: Hack turnin page

Breaking the turnin page