========== Talk on Web Security by Victor Costan ==========
[4:10pm] oshani: slides: http://6.470.scripts.mit.edu/lectures/security/html/all.html
[4:10pm] oshani: scribe: oshani
[4:11pm] oshani: Application vulnerabilities: bugs in the program code
[4:11pm] oshani: ... easier to check and fix
[4:12pm] oshani: Integration vulnerabilities: things that creep in over time
[4:13pm] oshani: How to prevent and recover from attacks
[4:13pm] oshani: keep logs, encrypted backups
[4:15pm] oshani: How to avoid application vulnerabilities
[4:15pm] oshani: ... best practices (don't use passwords which are obvious, don't share passwords, etc.)
[4:18pm] oshani: plaintext passwords are bad
[4:19pm] oshani: use POST instead of GET
[4:19pm] oshani: don't send passwords back, thinking it'll improve usability
[4:20pm] RalphS left the chat room. (Quit: leaving ...)
[4:22pm] oshani: don't put plaintext passwords in the database; add a salt (a random number) to the hash of the password (essentially a different hashing algorithm)
[4:22pm] oshani: don't show passwords in the logs
[4:22pm] oshani: ... filter the logs
[4:24pm] oshani: Access Control: don't have obvious URLs
[4:25pm] oshani: Victor gives a personal example of a security breach that he had in the past
[4:27pm] oshani: Easy fix: have HTTP basic/digest authentication
[4:27pm] oshani: the next step is to have OpenID
[4:31pm] oshani: Hidden fields are bad because you can edit the amount for the value (even put in negative values)
[4:31pm] oshani: Victor is showing a demo to illustrate that we should not trust cookies
[4:33pm] oshani: If you need to use cookies: sign the cookies!
[4:33pm] oshani: (slide 22)
[4:36pm] oshani: Shows another security flaw in a site where negative values can be input
[4:37pm] oshani: Fuming: this seems like an application flow
[4:37pm] oshani: Victor: Yes. These types of errors can be avoided by proper testing
[4:37pm] oshani: Next: Integration Vulnerabilities
[4:39pm] oshani: SQL injection (slide 26)
[4:42pm] oshani: Source code leak: has happened to FB
[4:43pm] oshani: Web Security Models
[4:43pm] oshani: ... to prevent XSS and CSRF
[4:44pm] oshani: can be prevented by enforcing the same-origin principle
[4:45pm] oshani: but there are some holes in this which are widely exploited (e.g. in mashups)
[4:45pm] oshani: slide 33
[4:47pm] oshani: How to create a CSRF attack
[4:48pm] oshani: ... slides (34-37)
[4:49pm] oshani: CSRF fix is to have a token posted with your request
[4:50pm] oshani: XSS is when a user visits a legitimate site and puts some malicious content
[4:50pm] oshani: ... can happen if the site has lots of user-generated content
[4:51pm] oshani: How to prevent XSS: there are automated tools that try all possible cases to find a vulnerability
[4:52pm] oshani: ... shows an example where there's some code which will submit the user's cookie jar to some remote server
[4:54pm] lkagal left the chat room. (Quit: lkagal)
[4:56pm] oshani: Leaking data via AJAX: the biggest example is MySpace