1. Trang chủ
  2. » Công Nghệ Thông Tin

IT training secure development for mobile apps how to design and code secure mobile applications with PHP and javascript glasser 2014 10 13

460 115 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 460
Dung lượng 4,82 MB

Nội dung

Secure Development for Mobile Apps How to Design and Code Secure Mobile Applications with PHP and JavaScript J.D Glaser Foreword by Jeremiah Grossman Secure Development for Mobile Apps How to Design and Code Secure Mobile Applications with PHP and JavaScript OTHER INFORMATION SECURITY BOOKS FROM AUERBACH Advances in Biometrics for Secure Human Authentication and Recognition Dakshina Ranjan Kisku, Phalguni Gupta, and Jamuna Kanta Sing (Editors) ISBN 978-1-4665-8242-2 Anonymous Communication Networks: Protecting Privacy on the Web Kun Peng ISBN 978-1-4398-8157-6 Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks Mohssen Mohammed and Al-Sakib Khan Pathan ISBN 978-1-4665-5727-7 Conflict and Cooperation in Cyberspace: The Challenge to National Security Panayotis A Yannakogeorgos and Adam B Lowther ISBN 978-1-4665-9201-8 Conducting Network Penetration and Espionage in a Global Environment Bruce Middleton ISBN 978-1-4822-0647-0 Core Software Security: Security at the Source James Ransome and Anmol Misra ISBN 978-1-4665-6095-6 Data Governance: Creating Value from Information Assets Neera Bhansali ISBN 978-1-4398-7913-9 Developing and Securing the Cloud Bhavani Thuraisingham ISBN 978-1-4398-6291-9 Effective Surveillance for Homeland Security: Balancing Technology and Social Issues Francesco Flammini, Roberto Setola, and Giorgio Franceschetti ISBN 978-1-4398-8324-2 Enterprise Architecture and Information Assurance: Developing a Secure Foundation James A Scholz ISBN 978-1-4398-4159-4 Information Security Fundamentals, Second Edition Thomas R Peltier ISBN 978-1-4398-1062-0 Intrusion Detection in Wireless Ad-Hoc Networks Nabendu Chaki and Rituparna Chakiv ISBN 978-1-4665-1565-9 Intrusion Detection Networks: A Key to Collaborative Security Carol Fung and Raouf Boutaba ISBN 978-1-4665-6412-1 Iris Biometric Model for Secured Network Access Franjieh El Khoury ISBN 978-1-4665-0213-0 Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud Frank Siepmann ISBN 978-1-4398-7909-2 PCI Compliance: The Definitive Guide Abhay Bhargav ISBN 978-1-4398-8740-0 Responsive Security: Be Ready to Be Secure Meng-Chow Kang ISBN 978-1-4665-8430-3 Security and Privacy in Smart Grids Yang Xiao ISBN 978-1-4398-7783-8 Security for Service Oriented Architectures Walter Williams ISBN 978-1-4665-8402-0 Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity J.J Stapleton ISBN 978-1-4665-9214-8 The Complete Book of Data Anonymization: From Planning to Implementation Balaji Raghunathan ISBN 978-1-4398-7730-2 The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture Kerry Ann Anderson ISBN 978-1-4822-2007-0 The State of the Art in Intrusion Prevention and Detection Al-Sakib Khan Pathan ISBN 978-1-4822-0351-6 Trade Secret Theft, Industrial Espionage, and the China Threat Carl Roper ISBN 978-1-4398-9938-0 AUERBACH PUBLICATIONS www.auerbach-publications.com • To Order Call: 1-800-272-7737 • E-mail: orders@crcpress.com Secure Development for Mobile Apps How to Design and Code Secure Mobile Applications with PHP and JavaScript J D Glaser Foreword by Jeremiah Grossman CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2015 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S Government works Version Date: 20140521 International Standard Book Number-13: 978-1-4822-0904-4 (eBook - PDF) This book contains information obtained from authentic and highly regarded sources Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint Except as permitted under U.S Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400 CCC is a not-for-profit organization that provides licenses and registration for a variety of users For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com This book is dedicated to my wife, Wendy, who is simply beautiful Contents F o r e w o r d xv I n t r o d u c t i o n xvii I n d u s t r y A n a ly s i s xix P r e fa c e xxiii A c k n o w l e d g m e n t s xxv B i o g r ap h y xxvii Pa r t I C h ap t e r I n t r o d u c t i o n to M o bi l e S e c u r i t y D e v e l o p m e n t Understanding Secure Web Development What This Book Is What This Book Is Not Prerequisite Technologies Applying Architecture Tools to Security Creating Consistent Reusable Code from Project to Project Mobile Application Using HTML5, AJAX, and jQuery Mobile Mobile App—A Social Mashup Client Technologies Client Application Layout Server Application Evolution of Security Measures SQL Injection to XSS to CSRF Battle for Output Context New Technologies HTML5 Bad Practices Invite Holes Security as Add-on Lack of Information Lack of Consistency A New Mindset for Web Application Security 3 5 5 6 6 7 8 8 9 10 vii viii C o n t en t s C h ap t e r 2 W e b A pp l i c at i o n A t ta c k S u r fa c e 15 Attack Vectors Common Threats SQL Injection Cross-Site Scripting Cross-Site Request Forgery Session Hijacking Defending Input and Output Streams: First Glance GET Requests POST Requests COOKIE Data Session Fixation Cross-Site Request Forgery Theory of Input Filtering and Output Escaping Input Validation Input Filtering Output Escaping You Must Know Where Your Data Is Displayed 15 16 16 17 18 18 19 19 20 21 21 21 25 26 26 28 28 C h ap t e r PHP S e c u r i t y A n t i - Pat t e r n s 37 Anti-Pattern #1 Not Matching Data Character Set to Filter Character Set Not Designing with Content Security Policy Anti-Pattern One Size Fits All Anti-Pattern Misinformation Anti-Patterns The Mantra Anti-Pattern Critical Data Type Understanding and Analysis Single Data Type Anti-Pattern All Incoming HTTP Data Are Strings Validation by Type Process Input Same as Output Anti-Pattern The Assumed Clean Anti-Pattern Improper mysql_real_escape_string() Usage Filtering versus Escaping versus Encoding Only One Output Context Anti-Pattern Lack of Planning Anti-Patterns Lack of Consistency Anti-Patterns Lack of Testing Anti-Patterns Parameter Omission Anti-Pattern Design Practices Anti-Patterns No Clear Separation of HTML and PHP Code Anti-Pattern Too Many Database Function Calls Misleading Filtering Anti-Pattern Too Many Quotes Anti-Pattern Raw Request Variables as Application Variables Common Direct URL Input Anti-Pattern Poor Error Management Practices Poor Cryptography Practices Poor Cookie Expiration Poor Session Management Overcoming Anti-Patterns: Patterns, Testing, Automation 37 37 38 38 38 39 40 40 45 47 49 50 50 51 52 52 52 53 53 56 56 57 58 58 59 59 60 61 62 62 63 416 Secure D e v el o p m en t f o r M o bil e A pp s $pdoStmt->bindValue(":firstNname", $ppResponseDetails["FIRSTN AME"], PDO::PARAM_STR); $pdoStmt->bindValue(":lastName", $ppResponseDetails["LASTNAME"], PDO::PARAM_STR); $pdoStmt->bindValue(":email", $ppResponseDetails["EMAIL"], PDO::PARAM_STR); $pdoStmt->bindValue(":transactionID", $ppResponseDetails["TRANSACTIONID"], PDO::PARAM_STR); $pdoStmt->bindValue(":userID", $_SESSION['user_id'], PDO::PARAM_INT); $pdoStmt->bindValue(":grand_total", $grandTotalPrice, PDO::PARAM_STR); $pdoStmt->execute(); //save all the items and qty per transaction code $pdoStmt = $db->conn->prepare("INSERT INTO purchase_details (transaction_id, product_code, qty, price) VALUES ($transactionID, $itemCode, $qty, $price)"); //save all the items and qty per transaction code //each transaction captures data used at time of purchase //this may not equal what is in main database //later as product prices/desc change foreach($_SESSION['purchaseList'] as $entry=>$item) { $pdoStmt->bindValue(":transactionID", $ppResponseDetails["TRANSACTIONID"], PDO::PARAM_STR); $pdoStmt->bindValue(":itemCode", $item['productCode'], PDO::PARAM_STR); $pdoStmt->bindValue(":qty", $item['qty'], PDO::PARAM_STR); $pdoStmt->bindValue(":price", $item['price'], PDO::PARAM_ STR); //insert item details $pdoStmt->execute(); } } } else { $purchaseMsg = "Transaction Failed"; } } ?> Purchase Result

Secure A JA X Sh o ppin g C a r t 417 Conclusion This sample shows how to complete all the aspects of processing a purchase transaction in a secure manner while greatly reducing the risk of man-in-the-middle, XSS, or SQL injection attack The final implementation detail of displaying a confirmation message that items will be physically shipped, or a download link for a purchased file, are left to the reader for implementation depending on the situation 22 C ommon Facebo ok C an vas Vulner abilit y P o ints The Facebook API changes quickly and it is difficult to keep up with the changes With that in mind, here are a few implementation issues that are common to games and requests which involve exchanging messages, transferring coordinates for games or maps, and saving data The ideas presented below are not API dependent or application specific They are designed to address points of vulnerability that often get overlooked Saving Facebook RealTime Updates via PDO Because SQL injection is still a prevalent problem, and instances of mysql_query() with unescaped data are still being implemented either by default or out of habit, it is time to move over to PDO prepared statements Here is an example of saving a RealTime Update response received as a JSON object and saving to PDO via Prepared Statements //incoming facebook JSON data $data = '{ "id": "598723445213777", "user": { "name": "Hercules Poirot", "id": "42783321168" }, "application": { "name": "Find Crook", "namespace": "findcrooknow", "id": "873354634522" } }'; //decode into array $object = json_decode($data, true); try { $query = "INSERT INTO user_data (id, name, user_id, app_name, name_space, app_id) 419 420 Secure D e v el o p m en t f o r M o bil e A pp s VALUES (:id, :name, :userID, :appName, :nameSpace, appID)"; $stmt = $this->conn->prepare($query); //bind and escape each value $stmt->bindValue(":id", $object['id']); $stmt->bindValue(":name", $object['user']['name']); $stmt->bindValue(":userID", $object['user']['id']); $stmt->bindValue(":appName",$object['application']['name']); $stmt->bindValue(":nameSpace", $object['application'] ['namespace']); $stmt->bindValue(":appID", $object['application']['id']); //execute with values bound in bindValues() return $stmt->execute(); } catch(PDOException $ex) { $this->conn->rollBack(); $this->logErr( $ex->getMessage() ); return FALSE; } ?> Reflecting JSON Coordinates Sending X and Y coordinates of one kind or another is a common practice The fact that a coordinate is a number often causes it to get overlooked as a vulnerable point Explicit number conversion or explicit casting is fast and should be preferred over filtering where applicable Cast and conversion options include intval(), floatval(), doubleval(), (int), (float), and (double) An example of sanitizing map points: $outputJSON = json_encode($json); C o m m o n Fac eb o o k C a n va s V ul ner a bilit y P o in t s 21 Reflecting Messages When content is taken from one Facebook user and sent to another Facebook user to be posted on their canvas from your server, use inline PHP and escape for HTML context, and remember to not double encode or recode data 



Reflecting URLs Make sure that URL data is being properly escaped before sending on to trusting users, and make sure the attribute value is quoted

Ngày đăng: 05/11/2019, 13:15

TỪ KHÓA LIÊN QUAN

TÀI LIỆU CÙNG NGƯỜI DÙNG

TÀI LIỆU LIÊN QUAN