Web Programming Step by Step

Lecture 24
Web Security

Except where otherwise noted, the contents of this presentation are Copyright 2010 Marty Stepp, Jessica Miller, and Kevin Wallace.


1. The "security mindset"

CSE <= 190M

group hug

The real world

orcs (dorks?)

2. Some basic web attacks

HTML injection

a flaw where a user is able to inject arbitrary HTML content into your page

8-ball

Injecting HTML content

8ball.php?question=<blink>lololol</blink>

Cross-site scripting

a flaw where a user is able to inject and execute arbitrary JavaScript code in your page

8ball.php?question=<script type='text/javascript'>alert('pwned');</script>
Buy-a-Grade

Securing against HTML injection

htmlspecialchars returns an HTML-escaped version of a string
$text = "<p>hi 2 u & me</p>";
$text = htmlspecialchars($text);   # "&lt;p&gt;hi 2 u &amp; me&lt;/p&gt;"

SQL injection

a flaw where the user is able to inject arbitrary SQL commands into your query

8-ball

A SQL injection attack

Too true...

bobby tables xkcd comic

Securing against SQL injection

mysql_real_escape_string returns a SQL-escaped version of a string
$username = mysql_real_escape_string($_REQUEST["username"]);
$password = mysql_real_escape_string($_REQUEST["password"]);
$query = "SELECT name, ssn, dob FROM users
WHERE username = '$username' AND password = '$password'";
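
The same lookup written with bound parameters instead of escaping, next to the concatenated form it replaces; this is an added example, not part of the original slides (the mysql_* functions shown above were removed in PHP 7.0). It assumes PDO with the SQLite driver, and the table contents, function names and inputs are constructed for illustration.

```php
<?php
// Added example, not from the original slides. Constructed schema and rows
// mirror the slide's query; an in-memory SQLite database keeps it offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT, name TEXT, ssn TEXT, dob TEXT)");
$db->exec("INSERT INTO users VALUES
    ('marty', 'constructed-pw-1', 'Marty', '000-00-0001', '1970-01-01'),
    ('jessica', 'constructed-pw-2', 'Jessica', '000-00-0002', '1970-01-02')");

// "Before": user input concatenated into the SQL text (hypothetical helper).
function lookup_concatenated(PDO $db, string $username, string $password): array {
    $query = "SELECT name, ssn, dob FROM users
              WHERE username = '$username' AND password = '$password'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": placeholders keep the SQL text fixed; input is bound as data only.
function lookup_prepared(PDO $db, string $username, string $password): array {
    $stmt = $db->prepare("SELECT name, ssn, dob FROM users
                          WHERE username = :username AND password = :password");
    $stmt->execute([':username' => $username, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one legitimate login, one carrying a quote and OR clause.
$inputs = [
    ['marty', 'constructed-pw-1'],
    ['marty', "' OR '1'='1"],
];
foreach ($inputs as [$u, $p]) {
    printf("password=%-20s concatenated: %d row(s), prepared: %d row(s)\n",
        $p, count(lookup_concatenated($db, $u, $p)), count(lookup_prepared($db, $u, $p)));
}
```

With the second input, the concatenated query returns rows it should not, while the prepared statement compares the whole string against the password column and returns none.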

3. Breaking and securing an example page

Practice problem: Hack Marty's turnin