Johann-Peter Hartmann speaks at the heise Security conference

Johann-Peter Hartmann, technical director of Mayflower GmbH, is speaking as part of the security conferences organised by heise Verlag.
As web applications grow ever more complex, the opportunities for attacks multiply as well. New technologies such as AJAX and the new participatory culture of Web 2.0 create security problems for providers and users that at present can only be guessed at.

In his talk, Johann-Peter Hartmann will explain XSS and the security of AJAX applications in depth and present solutions. User-generated content will also be discussed from a security perspective. Look forward to interesting talks in:

24 April 2007, Düsseldorf, Hilton Hotel
03 May 2007, Frankfurt, Radisson SAS Hotel
09 May 2007, Hamburg, Dorint Sofitel
15 May 2007, München, Dorint Novotel

Register here

We did talk about Web 2.0 Security

On Tuesday our CIO, Johann-Peter Hartmann, gave a web seminar about security issues in the Web 2.0 era. We had about 140 participants and some very good questions in the following Q&A session. We would like to thank you for the response, and we'd also like to thank Jürgen from MySQL, our webinar host.

We uploaded our slides as promised. To download them, click here.

If you missed the web seminar, you get a chance to see the recording of it here.
But be aware: it's in German!

For English readers/speakers: Johann held an English security talk some time ago. Find it here.

We already heard that some participants found some quite severe security issues right after listening to Johann's talk. Therefore we strongly recommend that all of you have a look at it.


Webmontag Köln: AJAX Security, the Slides

Webmontag was yesterday in Cologne. It was great. Packed, with certainly more than 100 people. And once again I noticed how small the world is, met many familiar faces and perhaps gave one or two people food for thought on how to improve their applications step by step. Thanks also to René Bredlau, who got me interested in the Cologne Webmontag.

The slides for the talk are available for download here. Essentially they are the slides of the talk by my colleague Johann-Peter Hartmann, given among others at AJAX in Action and the PHP Konferenz last year. In the audio track, which I am happy to supply on request in a personal conversation, I supplemented the facts described with some current examples.

Performant DOJO

When your rich internet applications become more complex and mature, you learn that there are some rules to obey to achieve a successful Dojo project. What does successful mean?

  • easily extendible
  • good client performance
  • easily maintainable, readable code
  • economical memory usage

Our rules ;)

1. Build Dojo from SVN
It seems disruptive to your own work when the Dojo team committed a fix last night that breaks an API. But these fixes don't come from nothing, meaning there is a good chance you had a warning like "xy is deprecated and will be replaced by zz" in the console output. You do read the console messages, don't you?
All in all it is much faster to have everything in place on the major Dojo release dates instead of fixing it all on one day. The latter is likely to cost you a remarkable amount of time.

2. Use Dojo's compression
The compression and build system is an important thing that will help you reduce the time the whole Dojo system requires to load and initially execute. An important factor if you are not using a one-page Ajax application model or have limited resources.

3. Good XHTML matters
Dojo parses a lot of information to get all that markup transformed into CSS-styled widgets that have all that magic functionality inside. So it is important to produce correct markup, without ANY style attributes (use class and CSS by id), tables only where they are required, and the minimum set of (X)HTML nodes.
Examples that use only 60 nodes (XHTML) with div/span based layout perform better than the same code with table based HTML 4.01, style attributes in the markup and 185 nodes. Simply because you tell the same story with fewer characters.

4. (X)HTML event attributes -> NO NO NO
Event attributes do not need to be written into the markup; they can be added programmatically. In any HTML / JS context you can choose to add them by JS code, be it Dojo's event connect or the pure JavaScript methods that add event functionality to the DOM.
It is much easier to find all the connected and used events when you do that in code in ONE place and not distributed over the whole project.

5. Don't use the JavaScript global scope in your project

When you develop application code using Dojo and maybe a bit of DOM, avoid using variables outside your function scope. Why?

  • Variables outside the function scope are slower to access
  • References to DOM nodes held in globals are much less likely to get garbage collected, and you will need more RAM to execute your application code over time.

You can use objects to structure your application code, and information like the browser in use (I know it's implemented in Dojo, this is just for the sake of fast access) can be stored in an object's member variable instead of being globalised. If you generate these objects using object prototypes you will save some more memory in your application.

So far, these are the basics I have learned to make my life with Dojo easy and effective.
Besides, you are much more likely to be at home in time in the evening and able to meet deadlines, because refactoring and changes to Dojo are not that big a deal and don't cost too much time. Hope that helps in any way.
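Rules 4 and 5 in one piece of code, as an added example that is not from the original post or the Dojo project: an application object that keeps its state in members instead of globals, puts its methods on the prototype so all instances share them, and wires every DOM event in one place so the handlers can be found and released. FakeNode is a constructed stand-in for a DOM element so the code runs outside a browser.

```javascript
// Added example, not code from the original post or the Dojo project: one
// application object that keeps its state in members instead of globals,
// puts its methods on the prototype so all instances share them, and wires
// every DOM event in one place so the handlers can be found and released.
// FakeNode is a constructed stand-in for a DOM element so this runs in Node.
function FakeNode(id) {
  this.id = id;
  this.listeners = {};
}
FakeNode.prototype.addEventListener = function (type, fn) {
  (this.listeners[type] = this.listeners[type] || []).push(fn);
};
FakeNode.prototype.removeEventListener = function (type, fn) {
  this.listeners[type] = (this.listeners[type] || []).filter(f => f !== fn);
};
FakeNode.prototype.fire = function (type) {
  (this.listeners[type] || []).forEach(function (fn) { fn(); });
};

// Rule 5: browser info and counters live on the instance, not in globals.
function App(userAgent) {
  this.userAgent = userAgent;
  this.clicks = 0;
  this.connections = []; // every wired event, kept for cleanup
}
// Methods on the prototype: one function object shared by all instances.
App.prototype.connect = function (node, type, method) {
  var self = this;
  var fn = function () { self[method](); };
  node.addEventListener(type, fn);
  this.connections.push({ node: node, type: type, fn: fn });
};
App.prototype.onSave = function () { this.clicks += 1; };
App.prototype.onReset = function () { this.clicks = 0; };
// Rule 4: all event wiring happens here, never in onclick="" attributes.
App.prototype.wireEvents = function (saveNode, resetNode) {
  this.connect(saveNode, "click", "onSave");
  this.connect(resetNode, "click", "onReset");
  return this.connections.length;
};
// Drop listeners and node references so detached DOM nodes can be collected.
App.prototype.disconnectAll = function () {
  this.connections.forEach(function (c) {
    c.node.removeEventListener(c.type, c.fn);
  });
  this.connections = [];
};
```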

MySQL Webinar: LAMP – Security for Web 2.0

It has only been two years since Tim O'Reilly coined the phrase Web 2.0, and an even shorter time since Jesse James Garrett created the shortcut AJAX for the base technology of modern internet applications. In this period the nature of web applications underwent a major change in user experience and development methods.

It is the age of integrated communication. Content is created using rich interfaces by users for other users, collected by feed aggregators, collaboratively bookmarked, tagged, complemented by maps and delivered as a service for mash-ups. A good portion of these services are supplied by the LAMP stack (Linux, Apache, MySQL, PHP / Python / Perl). Since every technology has its dark companion, new security risks arose, and others grew more important.

If you are developing Web 2.0 and AJAX applications and want to know about the old and new security risks, this presentation is for you.

In this presentation, Johann-Peter Hartmann, CTO, Mayflower GmbH will discuss:

  • The changes in security risks in web applications
  • Why XSS plays the leading part in AJAX exploits
  • The origin and types of JavaScript malware
  • Ways to secure your LAMP stack applications for Web 2.0

The webinar will take place on November 9th, 2006 and is free. You can register on the mysql.com site. The presentation will be in English. Exact timeline: Thursday, November 9, 2006, 10:00 am PST, 1:00 pm EST, 18:00 GMT (the presentation will be approximately 45 minutes long, followed by Q&A).

Interview with Thomas Bachem, Chief Architect sevenload.de

[English readers: this is the start of a new series called "/dev/video" (current project name, may change without further notice) which targets PHP and other web application developers and covers interviews with public projects and tech talk between Mayflower employees and other people. The series will be both in English and German; this first video is in German with Thomas Bachem, Chief Architect at sevenload.de, one of Germany's hottest Web 2.0 startups.]

On Monday I had the opportunity to use the bridge day to try out the new camcorder (Sony DCR DVD-205) and kick off a new series. Anyone who has read PHP Magazin will have seen the article on sevenload.de. On Monday I met what is probably Germany's hottest Web 2.0 startup in the photo and video portal space (developed on the basis of PHP and MySQL, with lighttpd as web server) and grabbed Thomas Bachem to find out a bit more about the technology behind it. I have no idea yet whether this series will work, so please see it as an experiment, and don't be sad if it comes to nothing. Our customers, after all, want us to develop great software for them, not constantly reach for the camcorder. :-) But since the International PHP Conference is coming up soon and I want to capture conversations with interesting people there on video, it probably won't get boring any time soon.

Why videos? Well, for one thing there is nothing like it yet in the PHP world, and I am glad to be the first once again (after the world's first PHP congress and the world's first print magazine on PHP :-) ) and hope it finds many imitators. Camcorders have become very affordable. Beyond that, in the numerous trainings and talks I have given over the past six years (trainings alone with more than 300 people), I have repeatedly recommended exchange among developers as very important for one's own day-to-day work. Whether you follow the numerous mailing lists, use planet-php.net and other blogs/RSS aggregators, consume countless newsgroups, simply enjoy a nice user group meeting or listen to the latest Pro::PHP podcast on the iPod while on the road, a good mix is, in my opinion, important for continuing one's education.

Hence videos as a nice addition. Sometimes I will interview people from other projects, sometimes it will just be an exciting discussion that develops over lunch here internally and gets captured on video.

Have fun :-) By the way, something else I can recommend: Channel9 at Microsoft.

Web 2.0 Security: Why dangers lurk in Web 2.0

Web 2.0 (In)Security
From the Symantec Internet Security Threat Report: 69% of all vulnerabilities occur in web applications. The Mitre Corporation CVE database confirms it: 21.5% of all holes are XSS holes.

Johann-Peter Hartmann, CTO Mayflower GmbH, showed at AJAX in Action in Frankfurt this week why Web 2.0 and XSS in particular hurt so much: up to 100% of the usual MVC (Model, View, Controller) structure can take place in the browser. In addition, professional GUI construction in web applications is done with JavaScript widgets and corresponding component libraries.

All of this means that more and more JavaScript runs inside web applications, and thus more and more logic is shifted to the client. As a consequence, new attack vectors arise, triggered by the use of powerful JS toolkits, JSON data transfer and even the use of RSS.

The newly revised slides for the talk (as of 2012) can be viewed and downloaded on Slideshare.

And when will you secure your website?

Understanding successful tracing of security vulnerabilities

Web applications can easily become very complex. Several hundred thousand lines of code (not counting HTML templates!) is usual in larger corporate solutions. This also means that your PHP application follows standards like object-oriented programming, nested classes etc.

When it comes down to detecting security vulnerabilities, a lot of tools are available. In a previous post I told you that we developed Chorizo! mainly because we needed a tool that checks for security vulnerabilities (both XSS issues and server side issues) very easily. I think our GUI is very nice :-)

In a previous post I introduced Morcilla to you (see video here and here and feature list here). The server side extension enables Chorizo! to have a look inside your server. Unlike other tools, you can now detect and eliminate security vulnerabilities very easily; the videos showed how to fix a local file inclusion bug within an instant.

But sometimes it's not very easy to check whether a vulnerability occurred where Morcilla told you it occurred. Take, for example, MySQL's mysql_query() function. If we detect a SQL injection in the line where mysql_query happened, it may lead to confusion if you imagine that the mysql_query()/pdo_query() function was called inside the SQL abstraction layer you're using, which modern applications do. So you probably don't know at first sight where the call was made that enabled an attacker to slip in.

In order to pinpoint this issue, it is necessary to get a deeper look at the call stack of all the functions that were involved in calling the SQL abstraction layer. Here's a screenshot of how it looks in the upcoming version of our PHP extension:

As you can see, the mysql_query() call in this example was made at /home/www/morcilla/sqlinject/test2.php on line 10. But there were previous function and class method calls that may have led to this SQL injection because they didn’t filter the input value properly.
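The same idea in code, as an added example that is not Morcilla (a PHP extension) but a Node sketch of it: a SQL abstraction layer that notices a scanner marker in the final query text and records the call stack at that moment, so the caller that passed unfiltered input can be found above the layer, next to a parameterised caller that never lets the marker reach the query string. The marker string and the two repository classes are constructed for this example.

```javascript
// Added example, not Morcilla (which is a PHP extension) but a Node sketch
// of the same idea: a SQL abstraction layer that notices a scanner marker in
// the final query text and records the call stack at that moment, so the
// frame that passed unfiltered input can be found above the layer.
// The marker string and the two repository classes are constructed here.
const SCANNER_MARKER = "__scan_marker__";

class Db {
  constructor() {
    this.findings = []; // one entry per query that carried the marker
  }
  query(sql, params = []) {
    if (sql.includes(SCANNER_MARKER)) {
      // Keep the frames from query() upwards: the layer itself is rarely the
      // bug, the caller that built the string is.
      const frames = new Error().stack.split("\n").slice(1)
        .map(l => l.trim().replace(/^at /, ""));
      this.findings.push({ sql: sql, frames: frames });
    }
    return []; // no real database in this demo; params would be bound here
  }
}

// Vulnerable caller: builds SQL by concatenation, so the marker lands in
// the query text and the layer records the stack.
class UserRepo {
  constructor(db) { this.db = db; }
  findByName(name) {
    return this.db.query("SELECT * FROM users WHERE name = '" + name + "'");
  }
}

// Hardened caller: a placeholder keeps the input out of the SQL text, so
// the same marker never reaches the query string.
class SafeUserRepo {
  constructor(db) { this.db = db; }
  findByName(name) {
    return this.db.query("SELECT * FROM users WHERE name = ?", [name]);
  }
}

// First frame above the abstraction layer for finding #index, or null.
function originOfFinding(db, index) {
  const f = db.findings[index];
  if (!f) return null;
  const frame = f.frames.find(l => !l.startsWith("Db."));
  return frame ? frame.split(" ")[0] : null;
}
```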

If you're interested in which further features the PHP extension brings you in combination with the security scanner, or if you have comments and suggestions, just write us an e-mail!

Detect and fix security vulnerabilities on the server side within seconds.

(See a bigger version with better quality at https://chorizo-scanner.com/flash_morcilla)

This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server.

We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function family, fopen, mail, include/require/include_once/require_once, preg_* and others. With a Zend Engine patch, we are able to trace unset variables and a lot more.

See the video of how it works (Google Video, YouTube). Check out the plugin help page. And finally, register for the Standard Version, which includes Morcilla at no extra cost.

Garvin Hicking from the s9y weblog project says:

"Chorizo features a large ruleset for virtually all 'usual suspects' of web application security issues. Being able to run background checks while developing an application is an immense timesaver – especially for open-source developers like me, who are already swamped with support and bugfixing, we can now enjoy discovering possible security issues while working."

Virtual Data Grid: becoming reality soon

If you use Dojo, have a look at the fabulous widgets called TurboWidgets from TurboAjax.com: they are available for non-commercial and commercial usage. One of the great widgets (besides theme support, where you can also create your own corporate theme look and feel) is a data grid which can be customised in a wide variety of ways.

As I've discovered in the TurboWidget forums, they're working on a virtual data grid. Imagine you want to display a list of 100,000 or more items, which can be a major pita, especially when working with slow internet connectivity. The solution is a real virtual data grid. They showcase a demo here. The release date will hopefully be by the end of July, and I'm looking forward to it. :-)

As you can see in the screenshots, while scrolling down the grid will be empty or display "…" while loading the data. After loading has finished, it shows the normal grid data:

Unfortunately, we have to wait until the end of July, but I hope the guys from TurboAjax will have it ready soon. :-) Combined with an XMLHttpRequest based PHP backend (which will be triggered by the grid's data model), this will be a very user-friendly solution for displaying large data sets.