OWASP Thailand
OWASP AppSec Asia, October 21, 2008

Proxy Caches and Web Application Security
Using the Recent Google Docs 0-Day as an Example

Tim Bass, CISSP, Chapter Leader, OWASP Thailand
+66832975101, [email protected]
OWASP Worldwide Community
www.owasp.org
My Contact Info and Web Places
- LinkedIn: www.linkedin.com/in/timbass
- The UNIX and Linux Forums: www.unix.com
- ACIS Professional Center: www.acisonline.net
- Blog – The (ISC)2 Blog: blog.isc2.org
- Blog – The CEP Blog: www.thecepblog.com
- Mobile, Thailand: +66832975101
- Me: Tim Bass
Our Agenda
1. First, A Brief Review of the OWASP Top 10: #7. Broken Authentication and Session Management
2. Second, A Funny Thing Happened in GoogleDocs
3. Third, Proxy Caches are a Serious Threat
   - Poorly written session management code is the vulnerability
   - Simple testing scenario(s) … and a warning …
OWASP Top 10 2007
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Insecure Remote File Include
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
http://www.owasp.org/index.php/Top_10
Brief OWASP Top 10 Review
7. Broken Authentication and Session Management
7. Broken Authentication and Session Management
Description: Flaws in HTTP authentication and session management frequently involve the failure to protect credentials and session tokens through their lifecycle.
Affected Environments: All web application frameworks are vulnerable to authentication and session management flaws.
7. Broken Authentication and Session Management
Vulnerabilities:
- Flaws in main authentication mechanism
- Password management
- Session timeout
Threats:
- Proxy caches (discussed in this presentation)
7. Broken Authentication and Session Management
Verifying Security: Applications should properly authenticate users and protect their session credentials.
- Ineffective: automated scanning tools
- Effective: combination of code reviews and testing
Protection:
- Maintain secure communications and credential storage
- Use a single authentication mechanism where applicable
- Create a new session upon authentication
- Ensure the logout link destroys all pertinent data
- Do not expose credentials in URL or logs
- Update: Test against aggressive proxy scenarios
7. Broken Authentication and Session Management
Example OWASP References
1. http://www.owasp.org/index.php/Guide_to_Authentication
2. http://www.owasp.org/index.php/Reviewing_Code_for_Authentication
3. http://www.owasp.org/index.php/Testing_for_authentication
OWASP has so many web application security tools, papers and guides, all FREE for you to use!
Our Agenda
2. Second, A Funny Thing Happened in GoogleDocs
GoogleDocs Account Before…..
A Typical Day in GoogleDocs …..
GoogleDocs Account After …..
Mr. Wodnizki says ….
Mr. Wodnizki says …. “I deleted all ….”
Google teamwork …
Google says …. “We’ve fixed the code…..”
Our Agenda
3. Third, Proxy Caches are a Serious Threat
   - Poorly written session management code is the vulnerability (the flaw)
   - Simple testing scenario(s) … and a warning …
Proxy Caches are a Serious Everyday Threat
Proxy caches, combined with poorly written session management code, can easily lead to serious security flaws.

Web application developers have no control over proxy caches in the Internet. Developers do have control of the code they write, and their admin teams have configuration control of their web servers. Developers must assume the worst-case Internet scenario with aggressive Internet cache management policies.
Caches are the Threat. Bad Code is the Flaw.
Developers Must Assume a Full Time Proxy Cache Threat Exists
Web developers cannot know whether their content is consumed directly or via a (transparent) proxy cache. Developers cannot assume that the HTTP responses will be delivered to the intended client. Moreover, developers cannot be sure that the target browser even receives the intended content.
For example, a session ID issued to a client remains usable for as long as it is valid, until it is abandoned and expires. If it is served and delivered in response to an unencrypted HTTP GET request, there is no guarantee it will be consumed only by the intended web browser.
For example, this fact of life on the Internet can result in multiple web clients being sent the same Set-Cookie HTTP headers. Caching proxy servers should obtain a fresh cookie for each new client request.
Ideally, proxy caches should not cache session management cookies and distribute cached cookies to multiple clients – but they can and do.
SSL is Critical, But Not Foolproof
SSL must be used on ALL web transactions that require confidentiality and privacy. However, SSL is not foolproof.
For example, web developers may not correctly set the "Encrypted Sessions Only" cookie property (the Secure cookie attribute). Incorrectly configured “secure” servers will then send HTTPS cookies in the open, unencrypted.
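As an added example (not code from the presentation), the following Python models the two things the previous slides ask developers to test: what a very aggressive proxy cache does to a Set-Cookie response issued over plaintext HTTP, and whether a response's cache directives and cookie attributes are set the way the SSL slide demands. The header layout, the URL and the cookie values are constructed for the example.

```python
"""Two checks for the aggressive proxy cache test scenario the slides describe.
Added example, not from the presentation. Headers are modelled as a dict of
lower-case header name -> list of values; every response below is constructed."""
import itertools
from typing import Callable, Dict, List

Headers = Dict[str, List[str]]

def audit_response(headers: Headers, over_https: bool) -> List[str]:
    """Findings a reviewer would raise before letting a shared cache see this response."""
    findings: List[str] = []
    cookies = headers.get("set-cookie", [])
    if not cookies:
        return findings
    directives = {d.strip().lower()
                  for value in headers.get("cache-control", []) for d in value.split(",")}
    # A directive-honouring shared cache will not store 'private' or 'no-store'
    # responses; without them the Set-Cookie may be replayed to other clients.
    if not directives & {"no-store", "private"}:
        findings.append("Set-Cookie without Cache-Control: no-store or private")
    if not over_https:
        findings.append("session cookie issued over unencrypted HTTP")
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:  # the "Encrypted Sessions Only" property
            findings.append(f"cookie {name} lacks the Secure attribute")
    return findings

class AggressiveProxyCache:
    """The 'very aggressive' cache: stores every GET response by URL, ignoring directives."""
    def __init__(self) -> None:
        self.store: Dict[str, Headers] = {}

    def get(self, url: str, origin: Callable[[str], Headers]) -> Headers:
        if url not in self.store:
            self.store[url] = origin(url)
        return self.store[url]

def session_ids_seen(n_clients: int) -> List[str]:
    """Session IDs that n plaintext-HTTP clients receive through one aggressive cache."""
    counter = itertools.count(1)

    def origin(url: str) -> Headers:  # issues a fresh session ID on every request
        return {"set-cookie": [f"SID={next(counter)}; Path=/"],
                "cache-control": ["no-store"]}  # respected only by well-behaved caches

    cache = AggressiveProxyCache()
    # hypothetical URL; every client gets the first client's cookie back
    return [cache.get("http://app.example/login", origin)["set-cookie"][0].split(";")[0]
            for _ in range(n_clients)]
```

The origin's no-store directive does nothing against the aggressive cache, which is the point of the slides: only end-to-end SSL keeps the Set-Cookie out of a plaintext proxy's reach, and the audit flags the responses that would still leak it.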
Testing Scenario: Single Server, Single Cache
Diagram: three WEB CLIENTs reach one WEB SERVER through a Very Aggressive Proxy Cache.
Simple Test Scenario (HTTP and HTTPS)
Testing Scenario: Test Third Party Web Apps
Diagram: three WEB CLIENTs reach GoogleDocs through Your Very Aggressive Proxy Cache.
Anyone can build and test against their own aggressive proxy!
Illustrative Purposes Only
Some Takeaways of this Presentation
Criminals can easily configure aggressive caches and look for vulnerabilities in web application session management code, including unencrypted cookies. Criminals can then seek to attack from ISPs that have aggressive proxy cache management policies.
This means that all (risk critical) web applications should be completely tested against an aggressive proxy cache to ensure that criminals cannot exploit a basic configuration in the Internet.
- This is huge.
References
Blog Posts
- A New Security Breach in Google Docs Revealed: http://www.thecepblog.com/2008/09/15/a-new-security-breach-in-google-docs-revealed/
- Proxy Caches are a Challenging Threat to Internet Security: http://www.thecepblog.com/2008/10/05/proxy-caches-are-a-challenging-threat-to-internet-security/
- Automated HTTPS Cookie Hijacking: http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
Thank You!