Another great lecture from Google TechTalks.
This lecture is given by Neil Daswani, who has a Ph.D. from Stanford and currently works at Google as a security engineer. He is also an author of a book entitled "Foundations of Security: What Every Programmer Needs to Know", which teaches you state-of-the-art software security design principles, methodology, and concrete programming techniques you need to build secure software systems.
Neil talks about top three web application vulnerabilities that cybercriminals use to steal money. These three vulnerabilities are:
- SQL Injection attacks,
- Cross-Site Request Forgery (XSRF) attacks, and
- Cross-Site Script Inclusion (XSSI) attacks.
I was surprised that he did not cover plain, old Cross-Site Scripting (XSS) attacks, but jumped right to dynamic XSS. You'll have to get familiar with this type attack on your own. See the XSS Faq and XSS Cheat Sheet for more information!
Interesting points from the lecture:
- [01:48] Years ago cybercriminals were teenagers writing viruses and worms, today they are organized crime looking for stealing money.
- [03:19] Intermediate goals to stealing money are data theft, extortion and malware distribution.
- [04:02] Russian Business Network (RBN) is an example of organized cybercrime.
- [09:00] Attack #1: SQL Injection.
- [16:30] Preventing SQL injections.
- [17:00] Don't blacklist (filter) characters in queries. Whitelist (allow) well-defined set of safe values for each field.
- [18:30] Take a look at mod_security if you use Apache web server. Mod_security is a Web Application Firewall. It allows you to define a set of rules the web application must follow.
- [19:30] Prepared statements and bind variables help to avoid SQL injections.
- [23:00] Other mitigations strategies include - limiting web application user's privileges on the sql server, hardenining database server and host operating system.
- [23:45] Second order SQL injections (link to pdf) abuse data that is already in the database.
- [23:55] Blind SQL injection (link to pdf) is a technique to reverse engineer the structure of the database.
- [24:25] Attack #2: Cross-Site Request Forgery (XSRF).
- [26:00] How XSRF Works.
- [31:30] Drive-By-Pharming (pdf) is an XSRF technique where the attacker changes DNS settings of a users broadband router (fact - 50% of home users do not change default router password).
- [34:00] Preventing XSRF.
- [34:20] Check Referer HTTP header. That doesn't always work because the user might be using a proxy.
- [36:15] Validate the user by asking him to provide his password or any other token only the user has knowledge of.
- [37:15] Validate requests via "Action Tokens" which add special tokens to forms to distinguish them from forged forms.
- [38:30] Attack #3: Cross-Site Script Inclusion (XSSI).
- [39:10] How XSSI works.
- [41:20] Dynamic script inclusion example.
- [47:25] Trends.
- [50:12] Open Web Application Security Project (OWASP) Top 10 vulnerabilities in 2007 (link).
- [53:55] Google has some material on Web Security at code.google.com/edu.
Happy hacking and until next time!