Web Application Security

(Security with Apache)

Length: 6 hours (half-day versions available)

Prerequisites: Attendees should have basic familiarity with Perl and some experience developing dynamic content applications (such as CGI programs) for the web,
or should be managers of dynamic content applications projects.

If you had told sysadmins in 1990 that you were going to host a network server that would run a complex program like Perl at the behest of an anonymous remote user, they would have said you were mad. But that's exactly what happens every day on the web whenever you generate dynamic content with CGI scripts, servlets, or any other mechanism. Programs of formidable complexity and power are executed thousands of times every day on your systems, by unknown users in unknown locations with no supervision. If these programs are not written with great care, they can be subverted and used to steal your information or vandalize your machine.

The tutorial will include a number of case studies of programs that appear safe but aren't, and show why `eyeball' methods of program verification are ineffective. It will spend some time discussing common problems and oversights and show how they can be avoided. The tutorial will show the complete details of Perl's unique `tainting' feature, which can detect many of these problems automatically.

We will also examine the common programming error of trusting the browser, including improper use of cookies and client-side data validation. We will take a close look at the authentication systems commonly used on the web, and at their strengths and weaknesses. Along the way the tutorial will present important basic principles of security with an emphasis on developing a sound security policy that is effective for your situation.

Part I: Deception and Disaster

1. Introduction
   • Who Am I?
   • What is this Talk About?
   • Outline
   • Essential Questions of Security
   • What is this talk not about?
   • Kinds of Attacks
2. Overview of HTTP
   • The Server
   • The Browser
   • The Request-Response Cycle
   • Request Structure
   • Response Structure
   • Server responds
3. CGI is the World's Biggest Security Hole
   • What is CGI?
   • Why is this the World's Biggest Security Hole?
   • Disaster Example (NCSA HTTPD finger Service Gateway)
   • The Two Stances
   • Why must you be a Prussian?
   • Prussian Stance
   • perl -T to the rescue!
   • Perl version of finger gateway
   • `Insecure Dependency'
   • Taint Checking
   • Taint Laundering
   • Full-Text Search
   • How to Untaint
   • Laundering
   • Problems with Tainting
   • Summary
4. Do Not Trust the Browser
   • Browser-side Validation with maxlength etc.
   • hidden
   • select
   • Browser Lying Techniques
   • An Easy Mistake
   • The Edit-the-Form Hack
   • HTTP_REFERER for Validation
   • The Third Browser
   • At the Frontiers of the Standards
   • Javascript Password Checking
   • Summary
5. Authentication
   • Basic Authentication and How it Works
   • The Web is Sessionless
   • Cookies
   • IP Address Checking: Useful and Stupid Uses; Spoofing
   • Hostname Checking
   • Java Applets
6. Securing the Machine Itself
   • Use Low Permissions
   • chroot
   • `Sacrificial Lamb'
   • Anonymous FTP
   • perl.exe
   • Backup Files
   • Mystery URL
7. Summary

Part II: The Gory Details

1. Introduction
   • Who Am I?
   • What is this Talk About?
   • Outline
   • Essential Questions of Security
   • What is this talk _not_ about?
   • Kinds of Attacks
   • The Two Stances
2. Overview of HTTP
3. A Detailed Guide to perl -T
   • Tainted Data
   • Operations Which Produce Tainted Data
   • Operations Which Do Not Produce Tainted Data
   • Overview of Unsafe Operations
     • Writing the Disk
     • Reading the Disk
     • Accessing the Network
     • eval
     • Program Environment
     • Process Control
     • System Interaction
     • Running Programs
       • Program Execution
       • system
       • PATH
       • The Shell
       • Shell Environment Variables
       • Avoiding the Shell
   • Miscellaneous Notes About Tainting
     • Granularity
     • Detecting Tainted Data
     • Subtle Tainting Problem: Hash Keys
     • Subtle Tainting Problem: exit()
4. Laundering Case Studies
   • system
   • Email
5. Browser Disasters
   • Function Errors
   • Torture-Testing
   • Path Disasters
     • Example
     • Short List
     • Short Case Studies
       • Adult Check
       • Hangman
       • Shopping Application Update
     • News Flash
6. Cryptographic Methods
   • Very Brief History of Cryptography
   • Public-Key Cryptography
   • Public-Key Methods in Practice
   • Digesting and Digital Signatures
   • Two-Second Explanation of SSL
7. Authentication Revisited
   • Checksumming for Authentication
   • Digest Authentication
     • Elements of Digest Authentication
     • Attacks: Replaying and Man in the Middle
     • Limitations
8. Internal Security
   • Quality Control and Content Staging
   • File Permissions
   • Enforcing CPU Limits
9. Summary

Variations

The three-hour version of Web Application Security has the sections Overview of HTTP, CGI the World's Biggest Security Hole, A Detailed Guide to perl -T, Do Not Trust the Browser, Authentication, and Securing the Machine Itself.

The three-hour version Security with Apache is the same, except that the very long section on using Perl's tainting feature is severely abbreviated, and replaced with Cryptographic Methods and Authentication Revisited.

Return to: Universe of Discourse main page | Perl Paraphernalia | Other Classes and Talks