Friday, May 19, 2006

Talk on Web security

Mike Andrews gave a long but light talk at Google, "How to Break Web Software".

It is a nice overview of a lot of Web development security issues. It is good for a refresher if you've seen all this before and should be required watching for any web developer that hasn't.

The advice basically comes down to one thing: Never trust the client.

Whether it is form input, URLs, cookies, or XML from AJAX apps, always assume that anything that anything from the web browser needs to be validated, filtered, and verified.

One interesting tidbit from the talk was that a lot of security issues come from the way Javascript in HTML mixes code and data; cross-site scripting (XSS) attacks are the biggest issue right now, bigger than SQL injection.

Mike expected web security issues to get worse with increased use of AJAX, both because it moves more processing out to untrusted clients and because there is a lot more data flying back and forth between client and server.

5 comments:

Jokerr said...

Good video. I really enjoyed the way that he presented the material. As you said, a definate "must".

Dr Nic said...

"6.5 billion people on the web"...

I didn't think there were 6.5 billion people on the planet yet :)

Greg Linden said...

Just barely, but I think there are.

How many people are on Earth?

But, right, the vast majority of these are not on the Web.

Sakke said...

The way he presents hid 'findings' is rather anoying.
He gives alot of examples where he acts as if its a real problem, like the stealing of a session id on a site like google, he tells it like the hacker can just open the account from this person and do whatever he wants, bet hi 'forgets' to say that sites like google also check the ip-adres, not only the cookie.
He might be a former professor in it-security or so, but he doesn't say anything new.
He gives all these foolish examples of how JavaScript can be abused, while the fix is very simple.
- Don't give sql/java trough HTML-params (and make it impossible by using a switch-case where all acceptable sql are in)
- dissable javascript in comment/guestbook-systems (is easy in php with 'htmlspecialchars')

Mike Andrews said...

Thanks for the writeup greg :) I'm slowing going around finding links to either the talk or the book and responding where I can.

Greg: A lot of the talk, as you correctly pointed out, was focused on vulnerabilities based on Javascript. That's not to say they are the *only* ones, but they are certainly common. The reason I focused on these was because I was asked by Google to "go deep" on one topic as the audience would like that. Perhaps I should have evened things out more. Even then I over-ran (I couldnt see the clock at the back of the room ;o)

Dr Nic: Yeah, I know I screwed up there - and in a lot of other places as well when I reviewed the video :*) What I *ment* to say was that there's the *potental* of 6.5b people on the net, then link to the actual stats which were on the slides, and talk about net penetration and how it's a good thing. However, I got a bit flustered and forgot the message that I was trying to say :) Not great, especially as it out there for the world to see, but just one of the facts of life.

Sakke: Unfortunatly, a lot of these things are real problems. Although Google (and a lot of othe apps) checks the IP address, it should be relied upon (proxies like AOL allow many uses to look like they are coming from the same IP address, or they can be spoofed/hijacked). You are dead right in your solutions though - if only more people would listen :) Hopefully, the above comments give you an understanding of why I focused on Javascript vulnerabilities - there are a *load* of other attacks and I don't think they are "foolish" - just have a look at securityfocus.com for the number of apps/companies that fall foul to them :) And yes, I do have better attacks, but as I said at the begining of the presentation I don't talk about them until they are known to be fixed.