Web 2.0 Security
Steffen Ullrich, GeNUA mbH

about:me

about:presentation

Web 2.0

What's this "Web 2.0" thing anyway?

User View

Technical View

Simple Overview Picture

Complex Overview Picture

Main Problems

Statistics I

Statistics II

Targets Of Attack

Targets and Methods of the Attacker

Targets

Methods

Kinds Of Session Hijacking

SQL Injection

Introduction

Examples

SQL Injection Picture

Analysis

SQL Escaping

SQL Escaping #2

SQL Parameter Binding

XSS

Introduction

What Can It Do?

Main Problem

Types Of XSS

Components Involved In XSS

Reflected XSS

Picture Reflected XSS

Analysis

(Server Side) Stored XSS

Picture Server Side Stored XSS

(Local) DOM XSS

Example

Picture local DOM XSS

CSRF

Introduction

Example

Picture CSRF Session Riding

Analysis

Complex Example

Hijack Via DNS + XSS

Picture DNS+XSS Combo

Cookie Policy

Analysis

Variant

Components

Misplaced Trust

3rd Party Script

Picture Trust 3rd Party Script

Analysis

Misplaced Trust In Middleware

Misplaced Trust In Server-Local Data

Picture Local Scripts

Analysis

Same Origin Policy

Frame Policy

UI Redressing

Introduction

Clickjacking

Picture Clickjacking

Analysis

BREAK

Summary of Defense Strategies

"Best Effort" vs. "Best Security"

Protection against Hijacking

Protection of Session

Session Theft

Riding, Fixation, Prediction

Separate by Trust

Validation

Why

Input Validation at Server

Check Origin and Target of Request

Validation of Form Fields

Validation of File Upload

Validation Before Forwarding

Validation of Server Output

Validation of Target in Client

Validation of Origin in Client

Validation of Input in Client

Normalization

What's That?

Normalizing HTML

Normalizing XHTML

Normalizing Image, Audio, Video

Normalizing PDF

Normalizing Word...

Normalizing Other Media

Escaping and Encoding

What's That?

Context-Specific Escaping

HTML Context - Text

HTML Context - Attributes

HTML Context - Areas

XHTML Context

CSS Context

JavaScript Context

URL Context

Content-type

What's That?
Content-type - HTTP Response

Content-type - HTTP Request

Dual Content Types

Workarounds

Charsets

What's That?

Charset Unicode

Charsets - HTTP Response

Charsets - HTTP Request

Dual Charset

Places for Charset

BREAK

Authorization Theft

Introduction

Password Guessing

Read/Replace Within Hijacked Session

Read Autocompleted Data

Access Data As MITM

Attack Server Directly

Authentication Bypass

Introduction

Use Back Door

Bypass via LDAP Injection

Bypass via SQL Injection

SSO Vulnerability

Server Permission Bypass

Introduction

Picture Permission Bypass

Bypass via Path Traversal

Bypass via Alternate File Names

Network Segmentation Bypass

Introduction

DNS Rebinding

How it Works

Picture DNS Rebinding

Analysis

Code Injections

OS Command Injection

RFI/LFI - Remote/Local File Inclusion

HTML Injection

XPath Injection

Session Hijacking

Session Fixation

Picture Session Fixation

Session-Id in URL

Overwrite Cookie from Subdomain

Session-Id Leak via Referer

Non-Cookie Session-Id Leak via XSS

Way Too Open

Open Access

Open Redirector

Open URL Proxy

Proxy/Cache Pollution

HTTP Request Smuggling

Variants

HTTP Response Splitting

Even More Attacks

window.postMessage

HPP - HTTP Parameter Pollution

OSRF - Origin Site Request Forgery

Server DoS

Client DoS

Past, Present and Future

Picture Architecture

Client Side

Past

Present

Future

The Good

The Bad

HTML5

HTML5 CSP

CSP Current Usage

HTML5 CORS

Server Side

Past

Present

Future

Future II

Resources

Books, Web Pages

Blogs

More Questions?