MySQL Webinar: LAMP – Security for the Web2.0

It has only been two years since Tim O’Reilly coined the phrase Web 2.0, and an even shorter time since Jesse James Garrett created the shortcut AJAX for the base technology of modern internet applications. In this period the nature of web applications underwent a major change in user experience and development methods.

It is the age of integrated communication. Content is created using rich interfaces by users for other users, collected by feed aggregators, collaboratively bookmarked, tagged, complemented by maps and delivered as a service for mash-ups. A good portion of these services is supplied by the LAMP stack (Linux, Apache, MySQL, PHP / Python / Perl). Since every technology has its dark companion, new security risks arose, and others grew more important.

If you are developing Web 2.0 and AJAX applications and want to know about the old and new security risks, this presentation is for you.

In this presentation, Johann-Peter Hartmann, CTO, Mayflower GmbH will discuss:

  • The changes in security risks in web applications
  • Why XSS plays the leading part in AJAX exploits
  • The origins and types of JavaScript malware
  • Ways to secure your LAMP stack applications for the Web 2.0

The webinar will take place on November 9th, 2006 and is free. You can register on the mysql.com site. The presentation will be in English. Exact timeline: Thursday, November 9, 2006, 10:00 am PST, 1:00 pm EST, 18:00 GMT (the presentation will be approximately 45 minutes long, followed by Q&A).

SQL injections for dummies – and how to fix them (Update)

Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about „SQL injections“, a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like.

Everybody should know that you shouldn’t pass variables from outside unfiltered to e.g. mysql_query. Of course, sometimes this slips through, because we are human and humans make errors. The initial development of Chorizo! was driven by our own need to make it easier for our developers to detect potential security issues and fix them in a second. With Morcilla, our server-side PHP extension, life will be much easier, especially when display_errors = Off is set in your php.ini, which denies potential attackers the hint that a modified GET variable produced a SQL error. With Morcilla, we look inside the server and can detect SQL injection possibilities even though display_errors is set to off. Oh, and yes, we display the file name and line number on the server where the error happened.
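As an added illustration of that point (my code, not the post’s or Chorizo!’s), the unfiltered query pattern beside a parameterised version. It uses mysqli instead of the old mysql_query() so it runs on current PHP; the `users` table and the connection parameters are assumed placeholders.

```php
<?php
// Added example (not code from the original post or from Chorizo!/Morcilla).
// Assumes a MySQL table `users (id INT, name VARCHAR)` reachable via mysqli;
// the connection parameters at the bottom are placeholders.

// The production setting the post refers to: do not show SQL errors to the
// client, but keep them in the server log for the developers.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// VULNERABLE: the request parameter is spliced into the SQL text, so a
// crafted value is parsed as SQL instead of as a number. This is the
// pattern a scanner reports as a SQL injection.
function load_user_unsafe(mysqli $link, string $rawId)
{
    $sql = "SELECT id, name FROM users WHERE id = $rawId";
    return $link->query($sql);
}

// HARDENED: validate the shape of the input, then pass it as a bound
// parameter. The database receives the value separately from the SQL
// text, so it can never change the statement's meaning.
function load_user_safe(mysqli $link, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;                 // reject anything but a non-negative integer
    }
    $id = (int) $rawId;
    $stmt = $link->prepare('SELECT id, name FROM users WHERE id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $link->error);   // log, never echo
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($outId, $name);
    $row = $stmt->fetch() ? ['id' => $outId, 'name' => $name] : null;
    $stmt->close();
    return $row;
}

// Placeholder credentials; replace with your own.
$link = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$user = load_user_safe($link, $_GET['id'] ?? '');
header('Content-Type: application/json');
echo json_encode($user);
```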

Check out the following video (or directly on chorizo-scanner.com) to see how it can detect SQL injections in seconds.

Furthermore, we produced a short video that explains the XSS plugin, which detects XSS vulnerabilities inside HTML code, HTML attributes and CSS.

The proxy mode of Chorizo! – and a sneak peek at Morcilla, Chorizo!’s little sister.

Morcilla, the server-side PHP extension for Chorizo!

Web applications nowadays use AJAX features to provide a very comfortable interface to their users. XmlHttpRequest is the technique used to pull data from the server in the background.

Have you ever asked yourself how to track down security issues in your XmlHttpRequests without losing too much time? Well, Chorizo! gives you the answer: the proxy mode. By using Chorizo! in this (preferred) mode, you can ensure that every request your application makes (whether it is an XmlHttpRequest call or a Flash client that pulls data from a PHP script in the background) will be tracked by Chorizo! and thus scanned for security flaws.

There’s also a so-called „CGI browsing mode“ where you just enter the start URL of your site and Chorizo! tries to rewrite all the links it can find in the HTML page, but this CGI mode doesn’t give you the full advantage. Imagine you have JavaScript in your page that builds the links from variables etc. – Chorizo! can’t successfully rewrite all those links. If you combine the proxy mode with the „Scan while browsing“ background scanning mode, you unlock the full potential of the application.

It might be interesting to note that the proxy itself was written in PHP :-) We measured that it is able to make up to 100 scans/second. To protect your server from a DoS attack ;-), we implemented a heuristic that automatically reduces the number of parallel scans if the server doesn’t respond fast enough.

If you want to give it a try, here’s a sneak peek (screenshots!) at Morcilla, our upcoming server-side PHP extension, which will only be available to the commercial accounts.

Stacking up the free accounts: recursive scans

Chorizo!’s standard account already contains recursive scans from the current URL. This means that Chorizo! is able to follow URLs from forms etc. automatically, down to a recursion depth that you can set.

From now on, the free accounts also benefit from this feature, which makes it very handy to scan sites more deeply. However, we limited the recursion depth to 1, so Chorizo! is able to follow all links etc. on the current page. The standard account is able to scan up to a depth of 3.

To give you a number: some time ago I scanned a popular PHP open-source CRM application with one scan through „Scan the current page“. With a recursion depth of 3, this led to more than 10,000 scan requests.

If you want to give it a try, just register on the webpage for the free account.

3,500 users in 2 days. Awaiting the birth of the bloody alien sausage.

Geez! What a week. Right after the announcements on several news tickers and websites (on heise Security German and heise Security English, an extensive German review at dynamic-webpages.de and one in French at nexen.net) on Monday, more than 3,500 users (and counting) registered at our small security sausage tool and created hundreds of thousands of security scans on their servers! We try to commoditize PHP security by providing you with free accounts – just go to the Chorizo! homepage and register for a free account. The train is rolling… and we’re ready to stack up the commercial accounts with some more features soon.

Finally, one spoiler: Let’s wait for the birth of Morcilla (link to Wikipedia), Chorizo!’s small sister. You wanna know what’s behind Morcilla? Imagine if Chorizo! were able to look "behind the scenes" on your server during a security scan …

Stay tuned! There’s more coming up.