hackers steal money

Another great lecture from Google TechTalks.

This lecture is given by Neil Daswani, who has a Ph.D. from Stanford and currently works at Google as a security engineer. He is also an author of a book entitled "Foundations of Security: What Every Programmer Needs to Know", which teaches you state-of-the-art software security design principles, methodology, and concrete programming techniques you need to build secure software systems.

Neil talks about the top three web application vulnerabilities that cybercriminals use to steal money. These three vulnerabilities are:

  • SQL Injection attacks,
  • Cross-Site Request Forgery (XSRF) attacks, and
  • Cross-Site Script Inclusion (XSSI) attacks.

I was surprised that he did not cover plain, old Cross-Site Scripting (XSS) attacks, but jumped right to dynamic XSS. You'll have to get familiar with this type of attack on your own. See the XSS Faq and XSS Cheat Sheet for more information!

Interesting points from the lecture:

  • [01:48] Years ago cybercriminals were teenagers writing viruses and worms; today they are organized crime groups looking to steal money.
  • [03:19] Intermediate goals on the way to stealing money are data theft, extortion and malware distribution.
  • [04:02] Russian Business Network (RBN) is an example of organized cybercrime.
  • [09:00] Attack #1: SQL Injection.
  • [16:30] Preventing SQL injections.
  • [17:00] Don't blacklist (filter) characters in queries. Whitelist (allow) a well-defined set of safe values for each field.
  • [18:30] Take a look at mod_security if you use the Apache web server. Mod_security is a Web Application Firewall that lets you define a set of rules the web application must follow.
  • [19:30] Prepared statements and bind variables help to avoid SQL injections.
  • [23:00] Other mitigation strategies include limiting the web application user's privileges on the SQL server and hardening the database server and host operating system.
  • [23:45] Second order SQL injections (link to pdf) abuse data that is already in the database.
  • [23:55] Blind SQL injection (link to pdf) is a technique to reverse engineer the structure of the database.
  • [24:25] Attack #2: Cross-Site Request Forgery (XSRF).
  • [26:00] How XSRF Works.
  • [31:30] Drive-By-Pharming (pdf) is an XSRF technique where the attacker changes the DNS settings of a user's broadband router (fact - 50% of home users do not change the default router password).
  • [34:00] Preventing XSRF.
  • [34:20] Check the Referer HTTP header. That doesn't always work because the user might be using a proxy.
  • [36:15] Validate the user by asking him to provide his password or another token only the user knows.
  • [37:15] Validate requests via "Action Tokens", which add special tokens to forms to distinguish them from forged forms.
  • [38:30] Attack #3: Cross-Site Script Inclusion (XSSI).
  • [39:10] How XSSI works.
  • [41:20] Dynamic script inclusion example.
  • [47:25] Trends.
  • [50:12] Open Web Application Security Project (OWASP) Top 10 vulnerabilities in 2007 (link).
  • [53:55] Google has some material on Web Security at code.google.com/edu.
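The SQL injection advice at [17:00] and [19:30] side by side, as an added example that is not from the lecture or the post: a login check built by string concatenation next to the same check with bind variables, plus a whitelist for the one place bind variables cannot help (a column name in ORDER BY). The table, rows and the `login_*`/`list_users_sorted` names are constructed for this illustration.

```python
import sqlite3

# Constructed in-memory database with one sample user (not data from the lecture).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, balance INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 100)")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # String concatenation: attacker-controlled text becomes SQL syntax.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, name, password):
    # Bind variables: the driver sends values separately from the query text,
    # so quotes in the input stay data and never become syntax.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

# Bind variables cannot stand in for identifiers such as column names, so
# the lecture's whitelist advice applies there: accept only known-good names.
ALLOWED_SORT_COLUMNS = {"name", "balance"}

def list_users_sorted(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    # The concatenated query becomes ... password = '' OR '1'='1', which is always true.
    print(login_vulnerable(db, "alice", tautology))  # ['alice']: logged in without the password
    print(login_safe(db, "alice", tautology))        # []: the same text is compared as a literal
    print(list_users_sorted(db, "balance"))          # ['alice']
```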

Happy hacking! (just kidding ;) )


July 18, 2008, 16:10

Don't forget social engineering.

July 18, 2008, 16:42

Great video. A must-read for every web developer.

/-/
July 18, 2008, 16:46

haha "don't forget" team cymru.

July 18, 2008, 18:25

good article.

July 18, 2008, 20:49

I've got two questions that might somewhat deflate the presentation:

#1 In the SQL injection 'union' attack (clever!) how did the attacker know the column names and types... inside job? Surely probing on that by an attacker would leave massive traces

#2. In the XSS attack, surely the site would not announce itself as 'evil.org' ... would the name be utterly shrouded, or would there be a placeholder name, and if so... what would Alice be aware of it? ah the zero-size iframe... clever again

Joe
July 18, 2008, 22:00

To John H:
Every database platform has known system tables that can be queried to learn about the tables/columns/types. It's a good idea to limit web account access to only stored procedures with specific roles.

wtf
July 18, 2008, 22:43

I cringed every time he said 'bad guys'. Just call them what they are, 'criminals.' Otherwise great presentation.

JOhn thomas
July 18, 2008, 23:13

How strong is your online kung fu? Use privacy services like www.Ultimate-Anonymity.com to remain invisible to threats.


July 19, 2008, 14:14

Nice breakdown of the video.
Article linked at Vedetta

July 20, 2008, 04:30

So this is all covered in only 1 of the many chapters in the Web Application Hacker's Handbook. There is so much more to it than just XSS and SQL Injection; have you considered traversal attacks or XQuery attacks?

Read the book, seriously, it will change how you code.

July 24, 2008, 12:12

Real link: http://www.youtube.com/watch?v=jC6Q1uCnbMo

leo
December 30, 2008, 10:35

if I give you credit card details, then what will you give me?
