Web security workshop

Thursday, December 20th, 2007

I’ve been busy the past two days attending the SANS 519 Web Application Security workshop. The lecturer was at Purdue University, but the class was broadcast digitally to several other locations, including one at Indiana University here in Bloomington. Here’s a breakdown of the topics.

Day One:

  • Introduction
  • Nikto and Apache mod_security
  • Understanding unicode exploits
  • Cryptography
  • Authentication
  • Access Control
  • Session Management
  • Logs and analysis

Day Two:

  • Input Validation
  • SQL Injection
  • Blind SQL Injection
  • Cross-site scripting
  • Phishing
  • HTTP Response Splitting
  • Secure credit card handling and PCI standards
  • Cross-site request forgery

I already had some familiarity with almost all of these topics, but this workshop went into a lot more depth in many areas. The demonstrations of exploits were particularly helpful, and scary. At one point, the lecturer uploaded netcat to a server and started executing commands — using SQL injection on a search form. And while I knew cookies and headers and so forth could be forged, I didn’t realize how easy it could be, or how many different ways this could compromise a server or application.

While some of the things we covered are easily dealt with (if you use PHP or .NET’s built-in session management, you automatically get hard-to-predict session ids, for instance), I’m glad they gave us that background information. I’ll be taking a test for a certificate in a few weeks.

I have to admit, I was a bit skeptical that a two-day security workshop would be worthwhile — most training I’ve attended hasn’t been that great — but this was really an eye-opening experience and will certainly help me to write more secure applications.

5 Responses to “Web security workshop”

  1. furiousball Says:

    I’d be interested to attend something like this. The perception is that PHP is a non-secure language, the truth being that any language is easy to hack, it’s the programmer that matters.

  2. Apertome Says:

    I don’t quite know what you mean when you say “the perception is that PHP is a non-secure language.” The perception among whom, those who prefer Microsoft technologies? I seriously haven’t perceived that there’s a general perception that PHP is insecure.

    Anyway, you said it: it comes down to the programmer, much more than the language.

  3. Noah-it-all Says:

    Was this comment-bait for me, Apertome?

    As a hard-core security guy (who has taught classes similar to the one Apertome went to, on Systems security, not Web App security) and as a programming language tinkerer, I can say that among PHP, ASP/.NET, Ruby/Rails, Python, Perl or NewLISP, there really isn’t any difference in security fundamentally based on what language is used. Indeed, it’s how it’s applied.

    SQL Injection is still one of the most powerful vulnerabilities out there. More popular applications have a lot of exposure and have for the most part fixed these problems. I’m talking about things like Joomla, phpBB, and phpMyAdmin. But, for every well-audited application, there remains a myriad of lesser-known FOSS web/database apps. Couple that with the relative ease of writing custom (and insecure) in-house web-apps. You’ve got a recipe for serious carnage.

    I could talk about Info-Sec (application, network, and system security), Physical security, and social engineering all week. The fact that your eyes were opened to the potential impact of these vulnerabilities means you got your money’s worth — or your employer’s money’s worth, as the case may be.

    If you’re interested in other security stuff, you should see if you can escape to Cali for a few days with myself and a few others sometime next September (date not yet posted). We’re thinking of attending ToorCon, hosted by David Hulton (a.k.a. h1kari, creator of the BSD-Airtools wireless scanner suite). My friends and I tired of DefCon ages ago. ToorCon looks like a more mature convention, with both an “attack” and a “defense” track.

  4. Dan Says:

    I had a staff member in that class. He was very impressed with the content, and he came back with lots of ideas.

  5. Jett Says:

    Amazing. This is a cycling blog and most of us can participate in a completely separate subject. But then, I guess I shouldn’t be surprised by how many computer guys ride bikes and write about it on the web.

    Our development team was asked to look at security issues with our webapp and came back with “No recommendations”. I forwarded the Wikipedia page on “SQL Injection” and they promptly changed their mind. We have code that looks almost exactly like their examples ;-).
