Webmontag Köln: AJAX Security, the Slides

Webmontag took place yesterday in Cologne. It was great. Packed, with certainly more than 100 people. Once again it became clear how small the world is: I met many familiar faces and perhaps gave one or two people food for thought on how to improve their applications step by step. Thanks also to René Bredlau, who got me interested in the Cologne Webmontag in the first place.

The slides for the talk are available for download here. Essentially they are the slides of the talk by my colleague Johann-Peter Hartmann, given among other places at AJAX in Action and at the PHP Conference last year. In the audio track, which I am happy to supply on request in a personal conversation, I added some current examples to the facts described there.

The Chorizo! International PHP Conference Quiz

At this year's conference we ran a quiz on security.

For those who were not able to attend the conference, I'd like to show the questions asked.

Which of the following code lines really protects against Cross-Site Scripting?

[ ] echo '<a href="index.php?name='.addslashes($_GET['name']).'">name</a>';

[ ] echo '<a href="index.php?name='.strip_tags($_GET['name']).'">name</a>';

[ ] echo '<a href="index.php?name='.preg_replace('|\W|', '', $_GET['name']).'">Name</a>';
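As an added example (not part of the quiz), this script runs each candidate filter from the question, plus the idiomatic fix, over a constructed input and reports whether the result can still close the quoted href attribute; the input value and the helper names are mine.

```php
<?php
// Added example, not part of the quiz: compare the three filters from the
// question and the idiomatic fix on an input containing a double quote.
declare(strict_types=1);

// True when the filtered value can terminate a double-quoted HTML attribute.
// Note: browsers do not treat a backslash as an escape inside attributes.
function breaksAttribute(string $filtered): bool
{
    return strpos($filtered, '"') !== false;
}

// Applies every filter to $input; returns name => [output, breaks attribute?].
function compareFilters(string $input): array
{
    $filters = [
        'addslashes'       => fn(string $v): string => addslashes($v),
        'strip_tags'       => fn(string $v): string => strip_tags($v),
        'preg_replace'     => fn(string $v): string => preg_replace('|\W|', '', $v),
        // Idiomatic fix: encode for the HTML attribute context, quotes included.
        'htmlspecialchars' => fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
    ];
    $results = [];
    foreach ($filters as $name => $filter) {
        $out = $filter($input);
        $results[$name] = [$out, breaksAttribute($out)];
    }
    return $results;
}

// Constructed input: a quote followed by a new attribute name. Harmless by
// itself, but it shows whether the attribute boundary survives the filter.
$input = 'x" title="breakout';

foreach (compareFilters($input) as $name => [$out, $breaks]) {
    printf("%-16s -> [%s]  attribute breakout: %s\n", $name, $out, $breaks ? 'yes' : 'no');
}
```

For a value placed in a query string the complete treatment is rawurlencode() for the URL first and htmlspecialchars() for the surrounding HTML second; the quiz lines only show the HTML half.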

In which code line did we hide a Remote Code Execution?

[ ] include(dirname(__FILE__).'/lang/lang_'.$_GET['lang'].'.php');

[ ] preg_replace('/_NAME_/msiUe', "htmlentities(\"$_GET[name]\")", 'Hello Mr _NAME_ ! ');

[ ] eval("echo 'Hello Mr ".htmlentities($_GET['name'], ENT_QUOTES)."';");
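Hardened forms of two of the constructs above, as an added example that is not from the quiz: preg_replace_callback keeps the request value as data where the /e modifier (deprecated in PHP 5.5, removed in 7.0) evaluated the interpolated replacement string as code, and the language loader maps input onto a fixed allowlist instead of concatenating it into a file path. The function names and the allowlist are assumptions for this example.

```php
<?php
// Added example, not from the quiz: safe replacements for the /e-modifier
// greeting and for the language include built from a request parameter.
declare(strict_types=1);

function greet(string $name): string
{
    $template = 'Hello Mr _NAME_ ! ';
    return preg_replace_callback(
        '/_NAME_/i',
        // $name is only ever an argument to htmlentities, never part of code.
        fn(array $m): string => htmlentities($name, ENT_QUOTES, 'UTF-8'),
        $template
    );
}

// Returns the path of a shipped language file; unknown input falls back to 'en'
// rather than becoming part of the path.
function languageFile(string $requested, string $baseDir): string
{
    $allowed = ['en', 'de', 'fr'];           // constructed allowlist
    $lang = in_array($requested, $allowed, true) ? $requested : 'en';
    return $baseDir . '/lang/lang_' . $lang . '.php';
}

// Constructed request values; in the real page these would come from $_GET.
echo greet('<b>Smith</b>'), PHP_EOL;              // Hello Mr &lt;b&gt;Smith&lt;/b&gt; ! 
echo languageFile('de', __DIR__), PHP_EOL;        // .../lang/lang_de.php
echo languageFile('../other', __DIR__), PHP_EOL;  // .../lang/lang_en.php
```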

Which tag cannot contain JavaScript?

[ ] <img />

[ ] <br />

[ ] <style></style>

[ ] <meta></meta>

[ ] each of the tags named here can contain JavaScript

Which of the following cannot happen if your website contains a Cross-Site Scripting vulnerability?

[ ] User logins can be taken over using so-called Session Riding.

[ ] Your website visitors' intranet can be scanned.

[ ] Every key pressed by your site's users can be logged by third parties.

[ ] Your users' hard disks can be formatted.


Announcing Chorizo! Intranet Edition and Chorizo! Security Audits

Live from the International PHP Conference this year, we have some announcements to make: first of all, we're now officially releasing the Chorizo! Intranet Edition. That's basically the full Chorizo! software package for your internal corporate environment, installed on one of your servers. Furthermore, you can scan an unlimited number of your own websites (we won't charge you for every server!) and create your own users inside the user management. Besides that, Morcilla, the PHP security extension that detects deep security bugs directly on your server, is of course included. The Intranet Edition is available for a license fee of EUR 5.800,– including VAT (16% currently) for one installation. Support and updates are available for 20% of the license fee per year. If you're interested, just drop us an e-mail.

Second, we’re launching an array of Professional Services: Security Audits. You can get them in different flavours, like the Chorizo! PenTest, the Chorizo! Standard Audit and Chorizo! Extended Audit. Automatic security scanning is good, but to get hardened web applications, Security Audits are your friends. You can download the product paper or drop us an e-mail for an offer. Clients already include the financial and logistics industry.

Use information disclosure to gather PHP configuration statistics

Damien Seguy from nexen.net sent an e-mail with a notice about his newest statistics project: "PHP configuration statistics". He gathered the output of around 12,000 publicly available phpinfo() scripts.

Some of the results of his investigations:

Here are some funny and not so funny stats.

  • PHP admins like to compile PHP in summer
  • Register globals is not dead
  • memory_limit is not used
  • PHP apps handle 100 MB files

The first part of his article is online in English. Thank you Damien!

The not so funny side: please secure your phpinfo() output scripts! Either by using a less common script name than phpinfo.php, by protecting it through .htaccess or another access-control mechanism, or simply by not uploading a phpinfo() script to your server at all.

Chorizo available for French customers: win an iPod Nano!

Today we're announcing a reselling partnership between Mayflower GmbH and Waterproof S.A.R.L., a French company and the makers of the PHP IDE PHPEdit. They're reselling the Chorizo! software to their customers in their home country, France. You can view the product page on their website.

If you happen to be at Forum PHP in Paris from 9th to 10th of November 2006, don't forget to stop by Waterproof's booth – we're raffling a black iPod Nano 2 GB and five commercial licenses of Chorizo!. Just be prepared for the PHP Security Quiz ;-).

Furthermore, if you are at the International PHP Conference, don't forget to stop by our booth – we're also raffling a black iPod Nano via a PHP Security Quiz, along with several commercial licenses.

PS: you might want to notice that XSS attacks are one of the most frequent attacks against web applications. See the recent announcement from EOF Project this weekend.

MySQL Webinar: LAMP – Security for the Web2.0

It has only been two years since Tim O'Reilly coined the phrase Web 2.0, and an even shorter time since Jesse James Garrett created the shortcut AJAX for the base technology of modern internet applications. In this period the nature of web applications underwent a major change in both user experience and development methods.

It is the age of integrated communication. Content is created using rich interfaces by users for other users, collected by feed aggregators, collaboratively bookmarked, tagged, complemented by maps and delivered as a service for mash-ups. A good portion of these services is supplied by the LAMP stack (Linux, Apache, MySQL, PHP / Python / Perl). Since every technology has its dark companion, new security risks arose and others grew more important.

If you are developing Web 2.0 and AJAX applications and want to know about the old and new security risks, this presentation is for you.

In this presentation, Johann-Peter Hartmann, CTO, Mayflower GmbH will discuss:

  • The changes of security risks in web applications
  • Why XSS plays the leading part of AJAX exploits
  • The origination and types of javascript malware
  • Ways to secure your LAMP stack applications for the Web 2.0

The webinar will take place on Nov. 9th, 2006 and is free. You can register on the mysql.com site. The presentation will be in English. Exact schedule: Thursday, November 9, 2006, 10:00 am PST, 1:00 pm EST, 18:00 GMT (the presentation will be approximately 45 minutes long, followed by Q&A).

Code Inclusions on a Silver Plate

Looking for code inclusions?
As for so many other tasks, the versatile Google cluster has a solution for this one too.

This search

lang:php \secho\([^)]*_REQUEST[^)]*\);

lets you find various places where some variable from the superglobal $_REQUEST is printed with echo. By the same means you can easily find places where such a variable goes directly into an SQL query, for instance with

lang:php \smysql_query\([^)]*_REQUEST[^)]*\);


This alone yields 50 results for each query, but it may be varied with printf() instead of echo, or by just leaving out the parentheses after echo. Further, there are some more superglobals, most importantly $_GET and $_POST.

If that's not enough, there are some more code search engines, like Krugle or Koders. Even though the latter does not allow queries like the above, even there inclusions can be found in between examples of how to prevent such security flaws.

Looking at the sites behind the search hits yields quite a bunch of well-known projects and sites, so this is not just theory.
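The same search turned into a local check, as an added example that is not from the post: it applies a PCRE version of the two patterns above to your own source, generalised (as the text suggests) to printf, echo without parentheses and the other request superglobals. The sample source is constructed for the example.

```php
<?php
// Added example: grep-style triage of request data flowing straight into
// output or a query. A hit marks a place to review, not proof of a bug.
declare(strict_types=1);

/**
 * Returns [line number => matched statement] for every echo/print/printf or
 * mysql_query statement whose argument list contains a request superglobal.
 */
function findRawRequestSinks(string $source): array
{
    // PCRE version of  \secho\([^)]*_REQUEST[^)]*\);  generalised to:
    //  - sinks:   echo (with or without parentheses), print, printf, mysql_query
    //  - sources: $_REQUEST, $_GET, $_POST, $_COOKIE
    $pattern = '/\b(?:echo|print|printf|mysql_query)\b[^;]*\$_(?:REQUEST|GET|POST|COOKIE)\b[^;]*;/';
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line, $m)) {
            $hits[$i + 1] = trim($m[0]);
        }
    }
    return $hits;
}

// Constructed sample: two raw sinks (lines 3 and 4), one encoded echo that is
// still flagged because the pattern cannot see the encoding (line 5), and a
// prepared statement that is not flagged (lines 6 and 7).
$sample = <<<'PHP'
<?php
$id = $_REQUEST['id'];
echo "<h1>Hello " . $_REQUEST['name'] . "</h1>";
mysql_query("SELECT * FROM users WHERE id = " . $_GET['id']);
printf("<p>%s</p>", htmlspecialchars($_POST['msg'], ENT_QUOTES, 'UTF-8'));
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
PHP;

foreach (findRawRequestSinks($sample) as $lineNo => $statement) {
    printf("line %d: %s\n", $lineNo, $statement);
}
```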

Buy one XSS, get a CSRF for free

Cross-Site Request Forgery (see http://en.wikipedia.org/wiki/Cross-site_request_forgery for more information) has been around for a while now. It misuses a web application's trust that every request sent by the browser is wanted by its user.
For example, if you know that I am logged in to our blog admin backend most of the time, and you know its URL and software, you could trick me into visiting a specially prepared URL. That URL contains a small piece of JavaScript that automatically submits a fake form to our admin backend, and a short time later everybody is surprised to read on our blog that Mayflower will leave the domain of web application development and open a butcher's shop instead.
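A synchronizer-token check against exactly this forged-form scenario, as an added example that is not the blog software's or PHProjekt's own code: the token lives in the session, is embedded in every form the backend renders, and a POST is only honoured when the submitted token matches. Function names are mine; plain arrays stand in for $_SESSION and $_POST so it runs offline.

```php
<?php
// Added example: per-session CSRF token, embedded in forms and verified on POST.
declare(strict_types=1);

// Mints the session token once and returns it.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to put inside each admin form.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the request carries the token belonging to this session.
function csrfCheck(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    // hash_equals needs two strings and compares in constant time.
    return is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed run: arrays stand in for $_SESSION and $_POST.
$session = [];
$form    = csrfField($session);   // token minted and embedded in the form
$legit   = ['title' => 'Butcher shop?', 'csrf_token' => $session['csrf_token']];
$forged  = ['title' => 'Butcher shop!'];   // auto-submitted form from elsewhere

var_dump(csrfCheck($session, $legit));    // bool(true)
var_dump(csrfCheck($session, $forged));   // bool(false)
```

As the post's title says, an XSS hole in the same origin lets a script read the token out of the rendered form, so this check only holds as long as the site is free of XSS.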

Since the authors of our blog software are smart people, they implemented a CSRF protection. And not only them: even we, the not quite as smart PHProjekt developers, implemented one.
There are three popular ways to protect your software against CSRF:

Web2.0 Security: Why Dangers Lurk in Web 2.0

Web2.0 (In)Security
From the Symantec Internet Security Threat Report: 69% of all vulnerabilities occur in web applications. The MITRE Corporation CVE database confirms it: 21.5% of all holes are XSS holes.

Johann-Peter Hartmann, CTO of Mayflower GmbH, showed at AJAX in Action in Frankfurt this week why Web 2.0 and XSS in particular hurt so much: up to 100% of the usual MVC (Model, View, Controller) structure can take place in the browser. On top of that, professional GUI construction in web applications is now done with JavaScript widgets and the corresponding component libraries.

All of this means that more and more JavaScript runs inside web applications, and with it more and more logic moves to the client. As a result, new attack vectors emerge, brought on by the use of powerful JS toolkits, by JSON data transfer and even by the use of RSS.

The newly reissued slides for the talk (as of 2012) can be viewed and downloaded on Slideshare.

And when will you secure your website?