Upload: ari-elias-bachrach

Post on 16-Apr-2017

Big Security for Big Data

Ari Elias-Bachrach, Defensium LLC

March 2014

About Me

Ari Elias-Bachrach

Application Security nerd, OWASP fanboy

Help Development understand security

Help security understand development

Often get calls from developers that start with "help!"

Your Data Is Important

This Talk Will Cover Some Important Security Controls

Beyond SQL Injection

Cross-Site Scripting

Access Control


For Years People Have Been Warned About SQL Injection

    // Vulnerable: the untrusted id is concatenated straight into the query text
    String id = Request.QueryString("SomeID");
    String sql = "SELECT Product FROM myTable WHERE id = '" + id + "'";

An attacker supplies this value for SomeID:

    5'; drop table myTable; #

and the text that reaches the database is:

    SELECT Product FROM myTable WHERE id = '5'; drop table myTable; #'

The quote closes the string literal, the semicolon ends the statement, and the # comments out the trailing quote.

The Solution Is To Use Prepared Statements

    // The query text is fixed; the id travels as a parameter and is never parsed as SQL
    String id = Request.QueryString("SomeID");
    String sql = "SELECT Product FROM myTable WHERE id = ?";
    PreparedStatement statement = connection.prepareStatement(sql);
    statement.setString(1, id);

Many Newer Databases Do Not Use SQL

Mongo does not use SQL, so it's not vulnerable to SQL injection.... right?

The fundamental problem that led to SQL injection is the lack of separation between commands and variables:

    Variables   text           not parsed
    Commands    instructions   parsed

Any database that lets attacker-controlled text be parsed as instructions has the same problem, whatever the query language is called.

Mongo Can Still be Vulnerable With PHP

    $collection->find(array(
        "username" => $_GET['username'],
        "passwd"   => $_GET['passwd']));

Request:

    username=user&passwd[$ne]=foo

PHP turns passwd[$ne]=foo into a nested array, so the query that actually reaches Mongo is:

    $collection->find(array(
        "username" => "user",
        "passwd"   => array('$ne' => "foo")));

$ne is a Mongo operator, so this matches any document for "user" whose password is not "foo": the login check passes without the attacker knowing the password. The attacker never typed a quote or a semicolon; the request parser did the work of turning a variable into a command.

Separate Variables and Commands

Return to the fundamental rule: separate variables and commands. Strong typing is one way to do this. Casting each input to a string guarantees the filter holds values, never an array of operators:

    $collection->find(array(
        "username" => (string)$_GET['username'],
        "passwd"   => (string)$_GET['passwd']));

Caveat: in PHP, casting an array to string yields the literal "Array" (with a warning), so a crafted request merely fails to match rather than being rejected. If you want to detect and log the attempt, check is_string() and refuse anything else.
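The bypass and the strong-typing fix, worked end to end in Node.js as an added example (this is not code from the slides or from PHP or MongoDB). parseQueryString() mimics how PHP fills $_GET from passwd[$ne]=foo, matches()/find() are a constructed stand-in for MongoCollection::find() that understands only equality and $ne, and USERS is a constructed record. The hardened filter is stricter than the (string) cast on the slide: it rejects any non-string value instead of silently stringifying it.

```javascript
// Added example, not code from the slides. Models the PHP/Mongo login bypass
// and the "separate variables and commands" fix with a strongly typed filter.

const USERS = [{ username: 'user', passwd: 's3cret' }]; // constructed sample data

// "a=1&b[$ne]=x" -> { a: '1', b: { $ne: 'x' } }, the way PHP (and Express's qs) parse it.
function parseQueryString(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const nested = /^([^\[]+)\[([^\]]*)\]$/.exec(rawKey);
    if (nested) {
      const [, key, sub] = nested;
      if (typeof out[key] !== 'object' || out[key] === null) out[key] = {};
      out[key][sub] = value;
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// Minimal Mongo-style matcher (stand-in for the real driver): a plain value
// means equality, an object means operators. Only $ne is implemented.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$ne') return doc[field] !== arg;
        throw new Error('unsupported operator ' + op);
      });
    }
    return doc[field] === cond;
  });
}

function find(filter) {
  return USERS.filter((doc) => matches(doc, filter));
}

// Vulnerable, as on the slide: request values go into the filter untouched,
// so the attacker decides whether a value is data or an operator object.
function vulnerableFilter(get) {
  return { username: get.username, passwd: get.passwd };
}

// Hardened: the filter can only ever hold strings. A nested object (an
// operator smuggled through the query string) is rejected, not stringified.
function requireString(value, name) {
  if (typeof value !== 'string') throw new TypeError(name + ' must be a scalar string');
  return value;
}

function hardenedFilter(get) {
  return {
    username: requireString(get.username, 'username'),
    passwd: requireString(get.passwd, 'passwd'),
  };
}

// True when the request "logs in", i.e. at least one document matched.
function login(queryString, buildFilter) {
  const get = parseQueryString(queryString);
  let filter;
  try {
    filter = buildFilter(get);
  } catch (err) {
    if (err instanceof TypeError) return false; // rejected input is a failed login
    throw err;
  }
  return find(filter).length > 0;
}

console.log('vulnerable, passwd[$ne]=foo :', login('username=user&passwd[$ne]=foo', vulnerableFilter)); // true
console.log('hardened,   passwd[$ne]=foo :', login('username=user&passwd[$ne]=foo', hardenedFilter));   // false
console.log('hardened,   real password   :', login('username=user&passwd=s3cret', hardenedFilter));     // true
```

Run it with node and change the shape of the request to see where the line is: the vulnerable filter accepts any value whose type the attacker chooses, the hardened one refuses everything that is not the scalar the code expected.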

Whatever system you may be working on in the future, remember this law: Separate Variables and Commands.

See also: http://us.php.net/manual/en/mongodb.execute.php

Cross-Site Scripting (XSS) Occurs When An Attacker Can Execute Code on Your User's Systems

An attacker can make your users execute arbitrary code as if it was sent from your website.

Client-side attack.

Example: a page that greets the visitor by echoing the name parameter:

    Hi Request.QueryString("name")

    name=Bob  ->  Hi Bob

Now the attacker puts a script where the name should be:

    http://server/page.jsp?name=...

    Hi ...

This code is now executed in the domain of the website that sent it, and it can access that page's DOM.


So What?

Change page contents

Steal Cookies

Redirect to another page

Change form actions

The Solution is To Properly Encode All Untrusted Outputs

HTML encoding replaces six characters with their entities:

    &  ->  &amp;
    <  ->  &lt;
    >  ->  &gt;
    "  ->  &quot;
    '  ->  &#x27;
    /  ->  &#x2F;

With the name encoded before it is written into the page, the same request only displays the attacker's text instead of running it:

    http://server/page.asp?name=alert(document.cookie)

    Hi

Encoding is Context Dependent

Only the six characters & < > " ' / are touched by HTML encoding. Can you execute code here without using any of them?

    foo onmouseover=alert(document.cookie)

Yes: inside an unquoted attribute value such as value=here, a space ends the value, so onmouseover becomes a new attribute on the same element, and none of the six encoded characters were needed.

Encoding is Context Dependent

Different contexts call for different encoding rules:

    HTML context:         here        (text between tags)
    Attribute context:    here        (inside a tag's attribute value)
    JavaScript context:   x='here'
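The three contexts above, as an added example (not code from the slides): one encoder per context in the style of the OWASP XSS prevention rules, plus constructed checks that show why entity-encoding only the six characters is not enough outside the HTML body. No browser is involved; attributeNames() and decodeEntities() are simplified stand-ins for what the HTML parser does, and the payloads are the slide's unquoted-attribute payload and a constructed quote-breakout for the JavaScript case.

```javascript
// Added example, not code from the slides: context-dependent output encoding
// for XSS, with checks that model the HTML parser just far enough to show the
// failure modes. Encoder rules follow the OWASP XSS Prevention Cheat Sheet.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML body context: the six characters from the slide.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Attribute context: everything except [A-Za-z0-9] becomes &#xHH;, so the
// value can never contain the space, '=' or quote that would start a new attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => '&#x' + c.charCodeAt(0).toString(16).padStart(2, '0') + ';');
}

// JavaScript string context: everything except [A-Za-z0-9] becomes \xHH (or \uHHHH).
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0') : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The slide's unquoted attribute: <input value=here>
function renderUnquotedAttribute(name, encode) {
  return '<input value=' + encode(name) + '>';
}

// Stand-in for the tokenizer: attribute names of one tag with unquoted values.
// Whitespace separates attributes, which is exactly what the payload exploits.
function attributeNames(tag) {
  return tag.slice(1, -1).trim().split(/\s+/).slice(1).map((a) => a.split('=')[0]);
}

// Event-handler attribute such as onclick="x='here'": the HTML parser decodes
// entities in the attribute value BEFORE the JavaScript engine ever sees it,
// so HTML-encoding a quote does not protect the JavaScript string.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot|apos);/gi, (m, e) => {
    if (e[0] === '#') return String.fromCharCode(e[1].toLowerCase() === 'x' ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10));
    return named[e.toLowerCase()];
  });
}

function renderOnclick(name, encode) {
  return "x='" + encode(name) + "'"; // the JavaScript source placed inside onclick="..."
}

// Single quotes not preceded by a backslash. A safe x='...' literal has exactly two.
function unescapedSingleQuotes(js) {
  let n = 0;
  for (let i = 0; i < js.length; i++) {
    if (js[i] === '\\') { i++; continue; }
    if (js[i] === "'") n++;
  }
  return n;
}

function handlerBreaksOut(name, encode) {
  const jsSource = decodeEntities(renderOnclick(name, encode));
  return unescapedSingleQuotes(jsSource) !== 2;
}

const ATTR_PAYLOAD = 'foo onmouseover=alert(document.cookie)'; // from the slide
const JS_PAYLOAD = "';alert(document.cookie)//";                // constructed
console.log('unquoted attr, HTML encoding     :', attributeNames(renderUnquotedAttribute(ATTR_PAYLOAD, encodeForHtml)));          // [ 'value', 'onmouseover' ]
console.log('unquoted attr, attribute encoding:', attributeNames(renderUnquotedAttribute(ATTR_PAYLOAD, encodeForHtmlAttribute))); // [ 'value' ]
console.log('onclick, HTML encoding breaks out:', handlerBreaksOut(JS_PAYLOAD, encodeForHtml));       // true
console.log('onclick, JS encoding breaks out  :', handlerBreaksOut(JS_PAYLOAD, encodeForJavaScript)); // false
```

The JavaScript encoder's output contains only backslashes, letters and digits, which is why it survives the attribute's entity decoding unchanged; in a real template you would still apply the attribute encoder on top of it for an event handler, in that order. The quoting rule for the unquoted-attribute case is simpler still: always quote attribute values, and encode anyway.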