We talked about Web 2.0 Security

On Tuesday our CIO, Johann-Peter Hartmann, gave a web seminar about security issues in the Web 2.0 era. We had about 140 participants and some very good questions in the Q&A session that followed. We would like to thank you for the response, and we'd also like to thank Jürgen from MySQL, our webinar host.

We uploaded our slides as promised. To download them, click here.

If you missed the web seminar, you can watch the recording of it here.
But be aware: it's in German!

For English readers/speakers: Johann held an English security talk some time ago. Find it here.

We have already heard that some participants found quite severe security issues in their own applications right after listening to Johann's talk. Therefore we strongly recommend that all of you have a look at it.


Web-2.0 Security

Hi Folks,

This is an announcement for a webinar that will be held in German. If you are interested in the security topic, be sure to see the English webinar, which is stored here.

Securing Web 2.0 applications

The improved usability of Web 2.0 applications is bought at the cost of new
security problems. Both the powerful logic in JavaScript and the permanent
login on many sites carry risks that have to be answered differently and
specifically. This web seminar gives an overview, assesses the problems and
presents ways to solve them.

If you develop Web 2.0 and AJAX applications, this talk is exactly right for you! Here you will learn:

  • Which new security risks exist for web applications
  • What significance XSS has
  • Origins and types of JavaScript malware
  • Ways to secure your LAMP applications for Web 2.0


The Chorizo! International PHP Conference Quiz

At this year's conference we started a quiz about security.

For those who were not able to attend the conference, I'd like to show the questions we asked.

Which of the following code lines really protects against Cross-Site Scripting?

[ ] echo '<a href="index.php?name='.addslashes($_GET['name']).'">name</a>';

[ ] echo '<a href="index.php?name='.strip_tags($_GET['name']).'">name</a>';

[ ] echo '<a href="index.php?name='.preg_replace('|\W|', '', $_GET['name']).'">Name</a>';
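The value in these three lines sits inside a double-quoted href attribute. addslashes() and strip_tags() both leave a double quote in the output (addslashes() only prefixes it with a backslash, which means nothing to an HTML parser), so an attacker can close the attribute and append an event handler; the whitelist in the third line cannot be broken out of, although it mangles any name that is not [A-Za-z0-9_]. The following script is an added example, not part of the quiz or of Chorizo!: it runs all three variants on a constructed payload and adds a fourth that encodes the value for both contexts it lives in, first as a URL query parameter and then as an HTML attribute. The payload, the function names and the heuristic check are assumptions made for the example.

```php
<?php
// Added example (not from the quiz): attribute-context output encoding.
// Constructed attacker input: closes the href attribute and adds an event handler.
$payload = '" onmouseover=alert(1) x="';

function link_addslashes($name) {
    return '<a href="index.php?name=' . addslashes($name) . '">name</a>';
}

function link_strip_tags($name) {
    return '<a href="index.php?name=' . strip_tags($name) . '">name</a>';
}

function link_whitelist($name) {
    // Only [A-Za-z0-9_] survives, so the attribute can never be closed early.
    return '<a href="index.php?name=' . preg_replace('|\W|', '', $name) . '">Name</a>';
}

function link_encoded($name) {
    // Encode for the inner context (URL query string) first, then for the
    // outer context (HTML attribute). Nothing is stripped, so every name survives.
    $query = http_build_query(['name' => $name]);
    return '<a href="' . htmlspecialchars('index.php?' . $query, ENT_QUOTES, 'UTF-8') . '">name</a>';
}

// Heuristic check (assumption for this example): does the generated markup now
// carry an on* event-handler attribute that was not in the template?
function attribute_broken($html) {
    return (bool) preg_match('/\s+on\w+\s*=/i', $html);
}

$variants = [
    'addslashes' => link_addslashes($payload),
    'strip_tags' => link_strip_tags($payload),
    'whitelist'  => link_whitelist($payload),
    'encoded'    => link_encoded($payload),
];

foreach ($variants as $label => $html) {
    printf("%-10s %-6s %s\n", $label, attribute_broken($html) ? 'BROKEN' : 'ok', $html);
}
```

The whitelist works for the quiz because the value only ever appears in this one place; the encoded variant is the one to generalise, since encoding per context keeps the data intact and still cannot be broken out of.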

In which code line did we hide a Remote Code Execution?

[ ] include(dirname(__FILE__).'/lang/lang_'.$_GET['lang'].'.php');

[ ] preg_replace('/_NAME_/msiUe', "htmlentities(\"$_GET[name]\")", 'Hello Mr _NAME_ ! ');

[ ] eval("echo 'Hello Mr ".htmlentities($_GET['name'], ENT_QUOTES)."';");
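The second of these lines is worth a closer look: the e modifier makes preg_replace() evaluate the replacement string as PHP code, and because $_GET[name] is interpolated into that string before the call, the request parameter becomes part of the code that is executed. The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0. The following script is an added example, not part of the quiz or of Chorizo!: it builds (but never evaluates) the code string the e variant would have produced for a constructed name, and shows the same substitution done with preg_replace_callback(), where the name stays data. The function names and the sample input are assumptions made for the example.

```php
<?php
// Added example (not from the quiz): the _NAME_ substitution without the /e modifier.

// Builds the string that the /e variant would have handed to the evaluator for a
// given name. It is only constructed here as a string, never evaluated.
function code_evaluated_by_e_modifier($name) {
    return "htmlentities(\"$name\")";
}

// Safe version: the callback is ordinary PHP code and $name reaches htmlentities()
// as an argument, not as source text. The pattern keeps the original flags except /e.
function greet($name) {
    $template = 'Hello Mr _NAME_ ! ';
    return preg_replace_callback('/_NAME_/msiU', function ($match) use ($name) {
        return htmlentities($name, ENT_QUOTES, 'UTF-8');
    }, $template);
}

// Constructed input: the double quote ends the string literal in the /e variant, so
// the concatenation and the function call after it would have been parsed as code.
$name = 'Smith" . phpinfo() . "';

echo "Would have been evaluated: ", code_evaluated_by_e_modifier($name), "\n";
echo "Safe output:               ", greet($name), "\n";
```

The first line of output is valid PHP that calls phpinfo(); the second is plain text with the quotes turned into entities. For the first quiz line, include() with a request parameter in the path, the fix is the same in spirit: map the parameter against a fixed list of allowed language codes instead of building a path from it.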

Which tag cannot contain JavaScript?

[ ] <img />

[ ] <br />

[ ] <style></style>

[ ] <meta></meta>

[ ] Each of the tags named here can contain JavaScript

Which of these cannot happen if your website contains a Cross-Site Scripting vulnerability?

[ ] User logins can be taken over by means of so-called Session Riding.

[ ] Your website visitors' intranet can be scanned.

[ ] Every key pressed by your site's users can be logged by third parties.

[ ] Your users' hard disks can be formatted.


Announcing Chorizo! Intranet Edition and Chorizo! Security Audits

Live from the International PHP Conference this year, we have some announcements to make. First of all, we're now officially releasing the Chorizo! Intranet Edition. That's basically the full Chorizo! software package for your internal corporate environment, installed on one of your own servers. Furthermore, you can scan an unlimited number of your own websites (we won't charge you per server!) and create your own users in the user management. Besides that, Morcilla, the PHP security extension that detects deep security bugs directly on your server, is of course included. The Intranet Edition is available for a license fee of EUR 5.800,– including VAT (currently 16%) for one installation. Support and updates are available for 20% of the license fee per year. If you're interested, just drop us an e-mail.

Second, we're launching a range of professional services: security audits. You can get them in different flavours: the Chorizo! PenTest, the Chorizo! Standard Audit and the Chorizo! Extended Audit. Automatic security scanning is good, but to get truly hardened web applications, security audits are your friends. You can download the product paper or drop us an e-mail for an offer. Clients already include companies from the financial and logistics industries.

Chorizo available for French customers: win an iPod Nano!

Today we're announcing a reselling partnership between Mayflower GmbH and Waterproof S.A.R.L., the French company behind the PHP IDE PHPEdit. They're reselling the Chorizo! software to their customers in their home country, France. You can view the product page on their website.

If you happen to be at Forum PHP in Paris from 9th to 10th of November 2006, don't forget to stop by Waterproof's booth: we're raffling a black iPod Nano 2 GB and five commercial licenses of Chorizo!. Just be prepared for the PHP Security Quiz ;-).

Furthermore, if you are at the International PHP Conference, don't forget to stop by our booth: we're also raffling a black iPod Nano and several commercial licenses via a PHP Security Quiz.

PS: you might want to note that XSS attacks are among the most frequent attacks against web applications. See the recent announcement from the EOF Project this weekend.

MySQL Webinar: LAMP – Security for Web 2.0

It has only been two years since Tim O'Reilly coined the phrase Web 2.0, and an even shorter time since Jesse James Garrett created the acronym AJAX for the base technology of modern internet applications. In this period the nature of web applications underwent a major change in user experience and development methods.

It is the age of integrated communication. Content is created in rich interfaces by users for other users, collected by feed aggregators, collaboratively bookmarked, tagged, complemented by maps and delivered as a service for mash-ups. A good portion of these services is supplied by the LAMP stack (Linux, Apache, MySQL, PHP / Python / Perl). Since every technology has its dark companion, new security risks have arisen, and others have grown more important.

If you are developing Web 2.0 and AJAX applications and want to know about the old and new security risks, this presentation is for you.

In this presentation, Johann-Peter Hartmann, CTO of Mayflower GmbH, will discuss:

  • How the security risks of web applications have changed
  • Why XSS plays the leading part in AJAX exploits
  • The origins and types of JavaScript malware
  • Ways to secure your LAMP stack applications for Web 2.0

The webinar will take place on November 9th, 2006 and is free. You can register on the mysql.com site. The presentation will be in English. Exact schedule: Thursday, November 9, 2006, 10:00 am PST, 1:00 pm EST, 18:00 GMT (the presentation will be approximately 45 minutes long, followed by Q&A).

Buy one XSS, get a CSRF for free

Cross-Site Request Forgery (see http://en.wikipedia.org/wiki/Cross-site_request_forgery for more information) has been around for a while now. It abuses a web application's trust that every request sent by the browser is wanted by its user.
For example, if you know that I am logged in to our blog admin backend most of the time, and you know its URL and software, you could trick me into visiting a specially prepared URL. That URL contains a small piece of JavaScript that automatically submits a forged form to our admin backend, and a short time later everybody is surprised to read on our blog that Mayflower will leave the domain of web application development and open a butcher's shop instead.
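The forged form only succeeds because the backend cannot tell it apart from a form it served itself: the browser attaches the session cookie to both. One common defence is a per-session random token embedded in every form and checked on submission, since a page on another origin cannot read it. The following script is an added example of that check, not the blog software's or PHProjekt's own implementation; the form field name, the action URL and the session array passed around explicitly are assumptions made so the check can run without a web server (PHP 7 or later for random_bytes()).

```php
<?php
// Added example: per-session anti-CSRF token check (synchronizer token pattern).
// Not the blog's or PHProjekt's own code; names and layout are assumptions.

// One random token per session, created on first use.
function csrf_token(array &$session) {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The form the application serves: the token travels in a hidden field.
function render_post_form(array &$session) {
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="post.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<textarea name="body"></textarea><button>Publish</button></form>';
}

// A forged request from another origin carries the victim's cookie (so the session
// exists) but not the token, because the attacker's page cannot read our form.
function csrf_valid(array $session, array $post) {
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// The handler behind post.php: reject before doing anything state-changing.
function handle_post(array $session, array $post) {
    if (!csrf_valid($session, $post)) {
        return ['status' => 403, 'body' => 'CSRF token missing or invalid'];
    }
    return ['status' => 200, 'body' => 'published: ' . $post['body']];
}

// Constructed requests against one logged-in session.
$session = [];
$form    = render_post_form($session);   // legitimate form, token now in $session

$forged  = ['body' => "Mayflower opens a butcher's shop"];                 // no token
$legit   = ['body' => 'Hello', 'csrf_token' => $session['csrf_token']];   // from our form

print_r(handle_post($session, $forged));
print_r(handle_post($session, $legit));
```

The token only helps against a page on another origin. A script injected into the site itself through an XSS hole runs on the same origin, can fetch the form, read the hidden field and submit the forged request with a valid token, which is exactly what the title of this post is getting at.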

Since the authors of our blog software are smart people, they implemented CSRF protection. And not only them: even we, the not-quite-as-smart PHProjekt developers, implemented one.
There are three popular ways to protect your software against CSRF:

Web 2.0 Security: Why dangers lurk in Web 2.0

Web 2.0 (In)Security
From the Symantec Internet Security Threat Report: 69% of all vulnerabilities occur in web applications. The MITRE Corporation's CVE database confirms it: 21.5% of all vulnerabilities are XSS vulnerabilities.

Johann-Peter Hartmann, CTO of Mayflower GmbH, showed at AJAX in Action in Frankfurt this week why Web 2.0 and XSS in particular hurt so much: up to 100% of the usual MVC (Model, View, Controller) structure can run in the browser. On top of that, professional GUI construction in web applications is now done with JavaScript widgets and the corresponding component libraries.

All of this means that more and more JavaScript runs inside web applications, and thus more and more logic is moved to the client. As a consequence, new attack vectors arise, introduced by the use of powerful JS toolkits, by JSON data transfer and even by the use of RSS.

The re-issued slides for the talk (as of 2012) can be viewed and downloaded on Slideshare.

And when will you secure your website?