- ROOTCON 10/Trainings/ROOTCON 10...• Authentication is only as strong as your user management...

WebApplicationSecurity

Expertadvice.Experienceadvantage.ProactiveSecuritySolutionsThroughCutting-EdgeResearch.

www.pandoralabs.net

Expertadvice.Experienceadvantage.ProactiveSecuritySolutionsThroughCutting-EdgeResearch.

WeareaSecurity-as-a-Service

company

Providingbusinesseswithon-demandthreatdetection&intelligenceresourcesand

capabilities,for24x7protection.

WeMakeITSecurewww.pandoralabs.net

Whoweare.Whyweexist.PANDORA SECURITY LABS

WeBuildSecuritySoftwareWhatdowereallydo?

Security Information & Event Manager Web Application Firewall & CDN

www.webranger.io

& WE ARECOOKINGMORE!

www.pandoralabs.net

#pandoralabs


OurCapabilitiesSolutionswecreatedfromourcapabilitiestocomplementyouneeds:

• DefensiveTechnologies• OffensiveIntelligence• AdministrativeExpertise

ThreatScout

Pandora SOC

SENSORUTMs

LOGAGENTSWAFs

ANALYTICSSIEM

CORRELATIONINTEL

OPERATIONSFORENSICS

24x7MONITORIRT/ERT

#pandoralabs


DevelopingSecureWebAppsTipsintodevelopingasecurewebapplication.

WebApplicationSecurityPANDORA SECURITY LABS

AlwaysUseTLS• TransportLayerSecurity• Latestversion1.2• Ensuresthatdataisencryptedasittravelsthewire• Ensuresintegrityusingmessageauthenticationcode• Let’sEncryptprojectprovidesfreeSSLcertificatesforTLS• UsetoolslikeSSLTestbyQualys toverifyTLSconfiguration

PANDORA SECURITY LABS WebApplicationSecurity

AlwaysUseTLS

Letmedemo:Wireshark plaintext

SSLLabs


Neverstoreplaintextpasswords

Hash passwordswhenyoustoretheminthedatabase

Provisionyourcodeanddatabasesuchthatthehashingalgorithmcanbechanged

ALWAYS hashwithuniquesaltsperrecord,thispreventsrainbowtableattacks


Never storeplaintextpasswords

Letmedemo:Googletheplaintextofhash

Hashwithsaltlogic


UseStrongAuthentication

Strongauthentication(suchastokens,certificates,etc.)providesahigherlevelofsecuritythanusernameandpasswords.

Thegeneralizedformofstrongauthenticationis“somethingyouknow,somethingyouhold”.



When tousestrongauthentication:•Forhighvaluetransactions•Whereprivacyisastrongorlegallycompelledconsideration(suchashealthrecords,governmentrecords,etc)•Whereaudittrailsarelegallymandatedandrequireastrongassociationbetweenapersonandtheaudittrail,suchasbankingapplications•Administrativeaccessforhighvalueorhighrisksystems



Bestpractices:• Authenticationisonlyasstrongasyourusermanagementprocesses•Usethemostappropriateformofauthenticationsuitableforyourassetclassification•Re-authenticatetheuserforhighvaluetransactionsandaccesstoprotectedareas(suchaschangingfromusertoadministrativelevelaccess)•Authenticatethetransaction,nottheuser•Passwordsaretriviallybrokenandareunsuitableforhighvaluesystems.


EnforceGoodSessionManagement

Sessionmanagementisbyitsnaturecloselytiedtoauthentication,butthisdoesnotmeanusersshouldbeconsideredauthenticateduntilthewebapplicationhastakenpositiveactiontotieasession

withatrustedcredentialorotherauthenticationtoken.

Ifpossible,tieasessiontoaspecificIP.Forcere-authenticateiftheIPchanges.Thisistopreventhijackingandreplayattacks.

Enforcesessiontimeouts.


EnforceGoodSessionManagement

Ensurethatunauthenticatedusersdoesnothaveanyorhaveminimalprivilegesonly.

Ensureallunprotectedpagesuseasfewresourcesaspossible.

Ensurethatsessiontokensareuser-unique,non-predictable,andresistanttoreverseengineering.


UseParameterizedQueries/StoredProcedures• Injectionhappenswhendataissuppliedfromonecomponenttoanother• Hackers"inject"theircodetoruninsteadofyours• Example:SQLinjectionattackStringquery="SELECT*FROMproductsWHEREname='"+request.getParameter("id")+"'";

• CodeexpectsaniceparameterintheURL• http://example.com/products?id=123• Hackercouldinsteadsupplythis:http://example.com/products?id=';+DROP+TABLE+'products';


UseParameterizedQueries/StoredProceduresExample:StringprodId=request.getParameter(“productId");Stringquery="SELECTproduct_status FROMproduct_data WHEREproduct_id = ?";

PreparedStatement pstmt =connection.prepareStatement(query);pstmt.setString(1,prodId);ResultSet results=pstmt.executeQuery();


SanitizeandValidateUserInput

Alwaysassumethedatais“evil”

ALWAYSsanitizeinput!(attheBACKEND notfrontend!)

Encodealluserinputbeforeusingit

Cleanupquotes,semi-colons,parentheses,etc.



Datashouldbe:• StronglyTypedatalltimes• LengthCheckedandFieldsLengthMinimized• Rangedcheckifnumeric• Unsignedunlessrequiredtobesigned• Syntaxorgrammarshouldbecheckedpriortofirstuseorinspection• Sanitized



Coding guidelines should use some form of visible tainting on inputfrom the client or untrusted sources, such as third party connectorsto make it obvious that the input is unsafe:

taintedPostcode =getParameter(“postCode”);validation=NewValidation();postCode =validation.isPostcode(taintPostcode);



Letmedemoanoldvulnerability:Wordpress


UseAnti-CSRFTokens

Anti-csrf tokensaddsauniquetokenthatmustbeincludedwiththedatasubmission.

<%using(Html.Form("UserProfile","SubmitUpdate")){%><%=Html.AntiForgeryToken()%>

<%}%>

Theoutputwillbesomethinglike:

<formaction="/UserProfile/SubmitUpdate"method="post"><inputname="__RequestVerificationToken"type="hidden"value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs"/>

</form>

UseAnti-CSRFTokenspublicclassUserProfileController :Controller{publicViewResult Edit(){returnView();

}[ValidateAntiForgeryToken]publicViewResult SubmitUpdate(){

//Gettheuser'sexistingprofiledata(implementationomitted)ProfileData profile=GetLoggedInUserProfile();

//Updatetheuserobjectprofile.EmailAddress =Request.Form["email"];profile.FavoriteHobby =Request.Form["hobby"];SaveUserProfile(profile);

ViewData["message"]="Yourprofilewasupdated.";returnView();

}}


LogRelevantData

• Auditable – allactivitiesthataffectuserstateorbalancesareformallytracked

• Traceable – it’spossibletodeterminewhereanactivityoccursinalltiersoftheapplication

• Highintegrity– logscannotbeoverwrittenortamperedbylocalorremoteusers

• Auditlogsarelegallyprotected– protectthem


LogRelevantData

Datafromlogscanbeusedtomonitoryourapplication

Never logconfidentialdata!

HaveanSIEM collectlogsandtohelpyououtmonitoryourapplications


Never Disclose InformationviaErrorMessages• Stacktracesshowtheinnerworkingsofanapplication

• Donotgiveattackersclueaboutyourapplication(ie.Invalidusername/password)

• Usegenericerrormessages

• Donotsendthe“username”inyourpasswordresetemails


Never Disclose InformationviaErrorMessagesExample with Tomcat:

InCATALINA_HOME/conf/web.xml,addthefollowingentry.

<error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location>

</error-page>


Never Disclose InformationviaErrorMessagesExample in.NET:

IntheWeb.config fileat theapplication’s root,add thefollowing entry.

<configuration><compilationdebug="true"/></configuration>

Also,consider having ageneric error page:

<customErrors mode="On"defaultRedirect="YourErrorPage.htm"/>


NeverDisclose InformationviaErrorMessages

Letmedemo:Joomla


SecureYourComponents

• Realities:• Wedidnotwritethecodeforeverycomponentinourstack• Wereusecode,components,andlibraries

• Usedependencyinjectiontoolstomanagelibraries• Maven,NuGet,CocoaPods,Npm

• Softwareshouldalwaysbekeptuptodate• VulnerabilityAssessment/PenetrationTestingcancatchoutdatedcomponents• Alwayschecktheissuetrackerorrepositoryofalibrary/componentbeforeusingit



• CheckyourcomponenthasvulnerabilitiesbytheirCommonVulnerabilityEnumeration(CVE)• https://cve.mitre.org/cve/cve.html



cve.mitre.org


EmploySecurityTesting

UseOWASP Top10andOWASPTestingGuide

OWASPZap



1. Injection2. BrokenAuthenticationandSessionManagement3. Cross-SiteScripting(XSS)4. InsecureDirectObjectReferences5. SecurityMisconfiguration6. SensitiveDataExposure7. MissingFunctionLevelAccessControl8. Cross-SiteRequestForgery(CSRF)9. UsingComponentswithKnownVulnerabilities10. Unvalidated RedirectsandForwards



NotanOWASP Fanboi?

WebAppSecurityPANDORA SECURITY LABS


• CWE/SANSTop25DangerousSoftwareErrors



1. ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection')2. ImproperNeutralizationofSpecialElementsusedinanOSCommand('OSCommandInjection')3. BufferCopywithoutCheckingSizeofInput('ClassicBufferOverflow')4. ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')5. MissingAuthenticationforCriticalFunction6. MissingAuthorization7. UseofHard-codedCredentials8. MissingEncryptionofSensitiveData9. UnrestrictedUploadofFilewithDangerousType10. RelianceonUntrustedInputsinaSecurityDecision11. ExecutionwithUnnecessaryPrivileges12. Cross-SiteRequestForgery(CSRF)13. ImproperLimitationofaPathnametoaRestrictedDirectory('PathTraversal')



14. DownloadofCodeWithoutIntegrityCheck15. IncorrectAuthorization16. InclusionofFunctionalityfromUntrustedControlSphere17. IncorrectPermissionAssignmentforCriticalResource18. UseofPotentiallyDangerousFunction19. UseofaBrokenorRiskyCryptographicAlgorithm20. IncorrectCalculationofBufferSize21. ImproperRestrictionofExcessiveAuthenticationAttempts22. URLRedirectiontoUntrustedSite('OpenRedirect')23. UncontrolledFormatString24. IntegerOverfloworWraparound25. UseofaOne-WayHashwithoutaSalt


WeEnsureWebsiteSecurity

www.webranger.io

SecuringYourWebsitesThroughWebRanger

WebRanger

INTELLIGENCEDETECTIONTHR T &

SecuringYourWebsitewithWebRangerWebRanger


1.AwarenessiskeyAwarenessisthegreatest agent forchangeandaction.


Awarenessisthegreatest agent forchangeandaction.


2.AccesscontrolandperformanceWAF &CDN toprovideaccesscontrolandperformanceboosttoyoursite


WebApplicationFirewall(WAF)toblock threatsaccessingyourwebsite


3.EncryptedcommunicationEnsuring yourusersthatyouarecommunicatingsecurely withthem


GetyourFREE SSLcertificatetoenableyousitetoutilizeHTTPS

WebRangerWeb Application SecurityWeb Application Security by PandoraSecurity Labs that protects your web appusing all best defensive solutions in 1:WAF + Threat Analytics + 24x7 Analysts.

PEOPLESECURITYANALYSTS

PROCESSTHREAT

ANALYTICS

PRODUCTANALYTICSWAF&CDN

SSL


FREE

HowdoesWebRangerworktoprotectyourwebsite?

1. Attackersattackyourwebsite 2.WebRanger identifiesanomalyandsendsdatatotheanalyticssystem

3.TheanalyticssystemcorrelatesdataandsendsthealertstoSOC

4.TheSOCdeterminesifalertisatruealertandinformstheclient

6.Truealertsarethencommunicatedtotheclienteitherviaphoneoremail

7.ClientviewsWebRanger Consoleforthealertsandattacksresolved

5.PandoraSOCcommandstheWAFtoblocktheattack

8.Attackswithsamepatternsareblocked

WebRanger

AnalyticsSystem PandoraSOC


FREE PAID

WeEnsureWebsiteSecurity

WebRanger.ioSignupforFREE


Expertadvice.Experienceadvantage.

ProactiveSecuritySolutionsThroughCutting-EdgeResearch.

WebApplicationSecurity

www.pandoralabs.net

- ROOTCON 10/Trainings/ROOTCON 10...• Authentication is only as strong as your user management...

Documents

Transcript of - ROOTCON 10/Trainings/ROOTCON 10...• Authentication is only as strong as your user management...