Jeff Walter - Adobe - Event Organizer
Brent Shaffer - Adobe - security basics 101 - Matrix Architect - He writes sdk's and the night's presenter
Framework/language does a lot, but not everything.
Your site is vulnerable.
Friends may embarrass you, bots, hactivists.
Many attacks easy to prevent.
Bot hacked github repository, spun up servers to mine bitcoin. brand new developer.
All inputs are evil! don't trust your users' cookies, parammeters, http headers.
All servers are evil - good assumption for end-users.
Whitelists better than blacklists (???). I need to learn more about this!
Don't store passwords in plain text.
Dont store your passwords in source code.
Dont leak error messages -
.Openwest conference -
Cross site scripting - xss
Javascript injected that will run on behalf of another user. steals cookies. exploits user's trust. 84% of all website vulnerabilities were this type. Chrome has dev tool ability to stop these types of attacks.
Defense?
Validate user input when storing. Escape when using variables in output - based off the content type its being used in. Escaping html for a variable in JavaScript will not save you.
Use templating language or markup language if you want user-input rich text, i.e. markdown, textile, rst(restructured text).
Code Injection - comes in many forms, i.e. command-line injection, sql-injection, html/javascript.
Access filesystem using "upwards" paths
Access everything if system commands are being used
Commands like exec, passthru, and system are often used to execute bash commands
Commands like eval are used to dynamically evaluate PHP code.
Defense?
Strip upwards paths
ensure all files are relative to a safe "root"
be strict on validation, output-escaping, use with extreme caution
SQL injection - sanitize your inputs! use "bound variables", use ORMs/Database Abstraction Layers when possible
cross site request forgery - csrf (pronounced sea surf)
Exploits the browsers running on the client, exploits a site's trust in its users
Victim is logged into vulnerable website. Attacker has victim make a request to vulnerable website without them knowing.
The infamous "Samy Worm" - Attack on myspace, w/in 20 hours over a million users ran the attack
Defense?
Validate the referrer. The http referrer header says which url initiated the request. this blocks any referrer that isn't you. only works if a whitelist can be constructed for where the requests will come from.
Use a csrf-token
a token that is generated for each request based on the client's session ID. Each form submits this back to the website. Very difficult for an attacker to spoof.
<input type="hidden" name="csrf" value="eanorsytnoiarenstoiearnst">
session hijacking
similar to csrf
Attacker obtains the victim's cookie, and is then able to perform actions on their behalf. Typically done for websites not secured with SSL/HTTPS. Open networks and insecure networks (WEP) commonly found in public areas make it possible to view other traffic on the same router. Plugins make this incredibly easy, like FireSheep, Cookie Cadger, DroidSheep. Sniffing is easy with tools like WireShark.
Defense?
use ssl/https throughout all site
Honeypot is a secret field that a normal user wont see/use, but a bot will and if used the whole request would be rejected.
Rate limiting helps to block Denial of Service (DOS).
