Writing Secure CFML
Pete Freitag, Foundeo Inc.
foundeo.com | hackmycf.com | fuseguard.com
Thursday, May 16, 13
About Me
• 15 Years ColdFusion Experience
• 7 Years Foundeo Inc. Consulting & Products
• cf.Objective() Sponsor
• blog: petefreitag.com
• twitter: @pfreitag
Agenda
• File Upload Vulnerabilities
• Path Traversals
• Cross Site Scripting
• Authentication
• Encryption
• SQL Injection (in 60 Seconds)
File Uploads
Proceed with caution
(cc) http://www.flickr.com/photos/zigazou76/3702501888/
File Uploads Rule #1
Never trust a MIME type
Never trust a MIME
• CF9 and below use the MIME type passed by the browser / client.
• An attacker can send any MIME type.
• CF10 does a server-side file inspection (when strict=true, which is the default).
• Even that can still be bypassed, so the MIME type alone is never enough.
File Uploads Rule #2
Always Validate The File Extension
Always validate file extension
• CF10 allows you to specify a file extension list in the accept attribute.
• You can also validate cffile.ServerFileExt
• Do both.
File Uploads Rule #3
Never upload directly to webroot
Don't upload to web root
• A file dropped in the web root can be requested (and executed) before it has been validated.
• Upload outside the web root instead, e.g. GetTempDirectory(), ram://, S3, etc.
Additional Tips
• Ensure the upload directory can only serve static files.
• Consider keeping files outside the web root and serving them with cfcontent or mod_xsendfile.
• Specify the file mode on Unix (e.g. 640, rw-r-----).
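An upload handler that applies all three rules plus the tips above, as an added example that is not from the slides. It assumes a form field named "photo", a default datasource is not needed, and finalDir is a placeholder directory that is not under the web root.

```cfml
<!--- Added example: allowed extensions and a destination outside the web root (placeholder path) --->
<cfset allowedExt = "jpg,jpeg,png,gif">
<cfset finalDir = "/var/app/uploads/">

<cfif NOT structKeyExists(form, "photo")>
    <cfthrow message="No file uploaded">
</cfif>

<!--- Rule 3: land the file in the temp directory first, never in the web root.
      Rule 1: accept lists extensions rather than MIME types; strict="true" (CF10)
      makes ColdFusion inspect the content. mode only applies on Unix. --->
<cffile action="upload"
        fileField="photo"
        destination="#getTempDirectory()#"
        nameConflict="makeunique"
        accept=".jpg,.jpeg,.png,.gif"
        strict="true"
        mode="640"
        result="up">

<cfset tmpPath = up.serverDirectory & "/" & up.serverFile>

<cftry>
    <!--- Rule 2: validate the extension ColdFusion actually saved with (cffile.ServerFileExt) --->
    <cfif NOT listFindNoCase(allowedExt, up.serverFileExt)>
        <cfthrow message="Extension not allowed">
    </cfif>

    <!--- Belt and braces: the bytes must really be an image --->
    <cfif NOT isImageFile(tmpPath)>
        <cfthrow message="File is not a valid image">
    </cfif>

    <!--- Never reuse the client file name: generate our own, so it cannot carry
          traversal characters or a second extension --->
    <cfset safeName = createUUID() & "." & lCase(up.serverFileExt)>
    <cfset fileMove(tmpPath, finalDir & safeName)>

    <cfcatch type="any">
        <!--- Remove the temp copy whatever went wrong, then re-throw --->
        <cfif fileExists(tmpPath)>
            <cfset fileDelete(tmpPath)>
        </cfif>
        <cfrethrow>
    </cfcatch>
</cftry>

<!--- Serving the file later from a separate script, still from outside the web root:
      <cfcontent type="image/jpeg" file="#finalDir & safeName#" deleteFile="false"> --->
```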
Path Traversal Vulnerabilities
Path Traversals
• Avoid building file paths from user input.
• Strip and validate any variables that are used in paths.
• Beware of null bytes (a %00 can terminate the path early and defeat an extension check).
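A download script that strips and validates a user-supplied file name before using it in a path, as an added example that is not from the slides. It assumes a url.file parameter and a placeholder baseDir.

```cfml
<!--- Added example: serve a file from a fixed base directory (placeholder path) --->
<cfset fileClass = createObject("java", "java.io.File")>
<cfset baseDir = fileClass.init("/var/app/docs").getCanonicalPath()>
<cfparam name="url.file" default="">

<!--- Strip: allow only a plain file name (letters, digits, dot, dash, underscore).
      This rejects slashes, backslashes and null bytes before any path is built;
      the separate ".." check catches names like "a..b" that the pattern allows. --->
<cfif NOT reFind("^[A-Za-z0-9._-]{1,100}$", url.file) OR find("..", url.file)>
    <cfheader statusCode="400" statusText="Bad Request">
    <cfabort>
</cfif>

<!--- Validate: resolve the canonical path (symlinks and "." collapsed) and confirm
      it is still underneath baseDir and is a regular file --->
<cfset target = fileClass.init(baseDir, url.file)>
<cfset canonical = target.getCanonicalPath()>
<cfset prefix = baseDir & server.separator.file>

<cfif left(canonical, len(prefix)) NEQ prefix OR NOT target.isFile()>
    <cfheader statusCode="404" statusText="Not Found">
    <cfabort>
</cfif>

<cfcontent type="application/octet-stream" file="#canonical#" deleteFile="false">
```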
Cross Site Scripting
XSS Vulnerable
```cfml
<cfoutput>Hello #url.name#</cfoutput>
```
hello.cfm?name=<script>...</script>
XSS
• An XSS hole gives attackers a CMS: they can put any content they like on your page.
• Can be used to steal sessions.
• Can be used to phish for passwords or other info.
Preventing XSS
• Strip out dangerous characters
• < > ' " ( ) ; #
• Escape dangerous characters
• CF10/Railo4 EncodeForHTML, etc.
Preventing XSS
| Context        | Method                            |
|----------------|-----------------------------------|
| HTML           | encodeForHTML(variable)           |
| HTML Attribute | encodeForHTMLAttribute(variable)  |
| JavaScript     | encodeForJavaScript(variable)     |
| CSS            | encodeForCSS(variable)            |
| URL            | encodeForURL(variable)            |
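The same untrusted value placed in each of the contexts in the table, with the matching CF10/Railo 4 encoder, as an added example that is not from the slides. It assumes the url.name parameter from the vulnerable hello.cfm above.

```cfml
<!--- Added example: hello.cfm hardened with the context-specific encoders --->
<cfparam name="url.name" default="">
<cfset name = url.name>

<cfoutput>
<!--- HTML body context (the vulnerable slide printed url.name here unencoded) --->
<p>Hello #encodeForHTML(name)#</p>

<!--- HTML attribute context: quote the attribute AND encode the value --->
<input type="text" name="name" value="#encodeForHTMLAttribute(name)#">

<!--- JavaScript context: encode, and keep the value inside a quoted string literal --->
<p id="greet"></p>
<script>
    var visitor = "#encodeForJavaScript(name)#";
    document.getElementById("greet").textContent = "Hello " + visitor;
</script>

<!--- URL context: encode only the parameter value, never the whole URL --->
<a href="profile.cfm?name=#encodeForURL(name)#">Your profile</a>

<!--- CSS context --->
<style>
    .banner::after { content: "#encodeForCSS(name)#"; }
</style>
</cfoutput>
```

Each encoder is only correct for its own context; encodeForHTML inside a script block or an href does not make that output safe.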
XSS in HTML
• Preventing XSS when allowing users to enter HTML is difficult.
• AntiSamy
• ScrubHTML
XSS Utils
• Encoders
• ESAPI: http://www.petefreitag.com/item/788.cfm
• OWASP Encoder: http://owasp-java-encoder.googlecode.com
• Sanitizers
• AntiSamy: http://www.petefreitag.com/item/760.cfm
• ScrubHTML: https://github.com/foundeo/cfml-security
Content-Security-Policy
• An HTTP response header that dictates which assets the browser may load. For example:
• script-src 'self';
• script-src 'self' cdn.example.com;
• script-src 'none';
• script-src 'unsafe-inline';
CSP Directives
• default-src
• script-src
• style-src
• img-src
• connect-src
• font-src
• object-src
• media-src
• frame-src
• sandbox
• report-uri
CSP Browser Support
• X-WebKit-CSP (Chrome 14+, Safari 6+)
• X-Content-Security-Policy (Firefox 4+, IE10)
• IE10 support is limited to the sandbox directive.
• Unprefixed Content-Security-Policy: Chrome 25+
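Sending one policy built from the directives listed above under the unprefixed and both prefixed header names from the browser support slide, plus a minimal report receiver, as an added example that is not from the slides. The host cdn.example.com and the /csp-report.cfm path are placeholders.

```cfml
<!--- Added example: set in Application.cfc onRequestStart or at the top of a page --->
<cfset policy = "default-src 'self'; "
              & "script-src 'self' cdn.example.com; "
              & "style-src 'self'; "
              & "img-src 'self' data:; "
              & "object-src 'none'; "
              & "frame-src 'none'; "
              & "report-uri /csp-report.cfm">

<!--- Start in report-only mode to find what the policy would break, then switch.
      Prefixed browsers do not understand the report-only variant, so only the
      enforcing header is sent under the prefixed names. --->
<cfset reportOnly = false>
<cfif reportOnly>
    <cfheader name="Content-Security-Policy-Report-Only" value="#policy#">
<cfelse>
    <cfheader name="Content-Security-Policy" value="#policy#">
    <cfheader name="X-Content-Security-Policy" value="#policy#">
    <cfheader name="X-WebKit-CSP" value="#policy#">
</cfif>

<!--- csp-report.cfm (placeholder name): browsers POST a JSON violation report here.
      Log it for review; the report itself is untrusted input, so it is not echoed. --->
<cfset body = toString(getHttpRequestData().content)>
<cfif isJSON(body)>
    <cflog file="csp-violations" type="information" text="#body#">
</cfif>
```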
CSP
• content-security-policy.com
Authentication
Lots of room for error
Authentication
• Store passwords hashed and salted
• Built-in: consider SHA-512
• Don't use weak algorithms, e.g. MD5
• Consider an adaptive one-way function
• bcrypt
• scrypt
• PBKDF2
Salt
• Cryptographically Random
• Unique for each credential
• Generate new when credential changes
• Sufficient length
Timing Attacks
```cfml
<cfquery name="user">
    SELECT id, salt, password
    FROM user
    WHERE username = <cfqueryparam value="#form.username#">
</cfquery>
<cfif user.recordcount AND Hash(user.salt & form.password, "SHA-512") IS user.password>
    <cfreturn true>
<cfelse>
    <cfreturn false>
</cfif>
```
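The same check rewritten to close both timing leaks in the slide's version: it hashes even when the username does not exist, and it compares the hashes without stopping at the first differing character instead of using IS. This is an added example, not from the slides; it keeps the slide's salted SHA-512 for comparability (the adaptive functions above are the better choice), and assumes the user table from the slide and a default datasource.

```cfml
<!--- Added example: timing-resistant version of the slide's login check --->
<cffunction name="checkLogin" returntype="boolean" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">

    <cfquery name="local.user">
        SELECT id, salt, password
        FROM user
        WHERE username = <cfqueryparam value="#arguments.username#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <!--- Unknown user: still hash against a dummy salt and dummy hash, so the
          response time does not reveal whether the account exists --->
    <cfif local.user.recordcount>
        <cfset local.salt = local.user.salt>
        <cfset local.stored = local.user.password>
    <cfelse>
        <cfset local.salt = "0000000000000000">
        <cfset local.stored = repeatString("0", 128)>  <!--- length of a SHA-512 hex digest --->
    </cfif>

    <!--- hash() returns upper-case hex; upper-case the stored value too so the
          comparison matches the case-insensitive IS of the original --->
    <cfset local.computed = uCase(hash(local.salt & arguments.password, "SHA-512"))>
    <cfset local.match = constantTimeEquals(local.computed, uCase(local.stored))>

    <!--- Only a real user with a matching hash authenticates.
          The caller should SessionRotate() on true (see Preventing Session Fixation). --->
    <cfreturn local.user.recordcount GT 0 AND local.match>
</cffunction>

<!--- Compare two strings in time that depends only on their length, not on
      where they first differ: every character pair is XORed and OR-accumulated --->
<cffunction name="constantTimeEquals" returntype="boolean" output="false">
    <cfargument name="a" type="string" required="true">
    <cfargument name="b" type="string" required="true">
    <cfset local.diff = bitXor(len(arguments.a), len(arguments.b))>
    <cfset local.n = min(len(arguments.a), len(arguments.b))>
    <cfloop from="1" to="#local.n#" index="local.i">
        <cfset local.diff = bitOr(local.diff,
            bitXor(asc(mid(arguments.a, local.i, 1)), asc(mid(arguments.b, local.i, 1))))>
    </cfloop>
    <cfreturn local.diff EQ 0>
</cffunction>
```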
Authentication
• Prevent dictionary attacks
• Ban the IP or lock the user after X failed attempts within Y seconds.
• Require strong passwords
• Consider limiting logins to 1 attempt per user per second, but beware of DoS (an attacker can lock out a legitimate user).
• Requires keeping an audit log of login attempts
Remember Me Cookies
• Not recommended for high security apps
• Don't base the token on the password
• Charles Miller Approach
• Store random crypto token in DB with user id, timestamp, validity bit
• Invalidate token when used and generate a new one.
• Hash and Salt the token in the DB
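The Charles Miller approach from the slide in code, as an added example that is not from the slides: a random token that has nothing to do with the password, stored salted and hashed, single-use, and re-issued on each successful use. It assumes a table remember_me(id, user_id, token_hash, salt, created, valid) and a default datasource; the table and column names are placeholders.

```cfml
<!--- Added example: persistent login tokens stored hashed, invalidated on use --->
<cffunction name="issueRememberMe" returntype="void" output="false">
    <cfargument name="userId" type="numeric" required="true">
    <!--- Token and salt from CF's CSPRNG-backed key generator; nothing derived from the password --->
    <cfset local.token = generateSecretKey("AES", 256)>
    <cfset local.salt = generateSecretKey("AES", 128)>
    <cfquery>
        INSERT INTO remember_me (user_id, token_hash, salt, created, valid)
        VALUES (<cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">,
                <cfqueryparam value="#hash(local.salt & local.token, 'SHA-512')#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#local.salt#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">, 1)
    </cfquery>
    <!--- Only the raw token leaves the server; the DB holds its salted hash --->
    <cfcookie name="remember" value="#arguments.userId#:#local.token#" expires="30" httponly="true" secure="true">
</cffunction>

<cffunction name="checkRememberMe" returntype="numeric" output="false">
    <!--- Returns the user id on success, 0 otherwise --->
    <cfif NOT structKeyExists(cookie, "remember") OR listLen(cookie.remember, ":") NEQ 2>
        <cfreturn 0>
    </cfif>
    <cfset local.userId = listFirst(cookie.remember, ":")>
    <cfset local.token = listLast(cookie.remember, ":")>
    <cfif NOT isNumeric(local.userId)>
        <cfreturn 0>
    </cfif>
    <cfquery name="local.rows">
        SELECT id, token_hash, salt
        FROM remember_me
        WHERE user_id = <cfqueryparam value="#local.userId#" cfsqltype="cf_sql_integer">
          AND valid = 1
          AND created > <cfqueryparam value="#dateAdd('d', -30, now())#" cfsqltype="cf_sql_timestamp">
    </cfquery>
    <cfset local.md = createObject("java", "java.security.MessageDigest")>
    <cfloop query="local.rows">
        <cfset local.candidate = hash(local.rows.salt & local.token, "SHA-512")>
        <!--- MessageDigest.isEqual is the JDK's constant-time byte comparison --->
        <cfif local.md.isEqual(local.candidate.getBytes("UTF-8"), local.rows.token_hash.getBytes("UTF-8"))>
            <!--- Single use: burn this token, then issue a fresh one --->
            <cfquery>
                UPDATE remember_me SET valid = 0
                WHERE id = <cfqueryparam value="#local.rows.id#" cfsqltype="cf_sql_integer">
            </cfquery>
            <cfset issueRememberMe(local.userId)>
            <cfreturn local.userId>
        </cfif>
    </cfloop>
    <cfreturn 0>
</cffunction>
```

A stolen database row yields only the hash, so it cannot be turned into a valid cookie; a stolen cookie works once, and the legitimate user's next visit then fails, which is the signal to invalidate all of that user's tokens.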
Forgot Password
• Must be just as secure as your login code (rate limit, block after repeated failures).
• Security questions may be used, but don't rely solely on them.
Session Fixation
(diagram: "Bank of Insecurity")
1. Attacker generates a session on a public computer, records the session id values, and leaves the browser open.
2. User logs into the site.
3. Attacker uses the recorded session id to steal the session.
Session Fixation
• Phishing variant: "Click here to update your account:" with the attacker's session id baked into the link:
• http://example.com/?cfid=1&cftoken=2
Preventing Session Fixation
• Call SessionRotate() upon successful login
• Does not rotate the JSESSIONID, but does invalidate CSRF tokens.
• Call SessionInvalidate() upon logout, or on any suspicious action
• getPageContext().getSession().invalidate()
Session Hijacking
• Require SSL for authenticated users
• Use secure and httponly cookies
• Don't send session ids in the URL
• Beware of cflocation (it appends the session id to the URL unless addtoken="false")
Session Cookie Settings
```cfml
component {
    this.name = "sessionExample";
    this.sessionManagement = true;
    this.sessionTimeout = CreateTimeSpan(0, 0, 20, 0);

    this.sessioncookie.httponly = true;
    this.sessioncookie.secure = true;
    this.sessioncookie.domain = "example.com";
    this.sessioncookie.timeout = -1;
}
```
Authentication Resources
• http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication
• http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Encryption
• Protect the private key
• Hardware Security Module
• Offload encryption and key storage to a hardware device
• Keys should be stored encrypted, and ideally separated from the web and DB servers.
• Leverage Java keystores, MS DPAPI
Encryption
• Don't use weak encryption algorithms or try to invent your own (e.g. CFMX_COMPAT, the default when encrypt() is called without an algorithm)
• May need to install the unlimited strength jurisdiction policy files for stronger keys
• GenerateSecretKey("AES", 256)
• http://www.petefreitag.com/item/803.cfm
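encrypt() called the weak way beside the way the slide recommends, as an added example that is not from the slides. The key is generated inline only so the snippet runs stand-alone; in a real application it would come from a keystore or HSM as the previous slide says, never from source code.

```cfml
<!--- Added example: CFMX_COMPAT versus 256-bit AES with a per-message IV --->
<cfset plain = "account number 1234">

<!--- Weak: no algorithm given, so ColdFusion falls back to CFMX_COMPAT --->
<cfset weak = encrypt(plain, "hardcoded-key")>

<!--- Recommended: 256-bit AES key (needs the unlimited strength policy files on
      older JREs), CBC mode with PKCS5 padding, and a fresh random IV per message --->
<cfset key = generateSecretKey("AES", 256)>
<cfset iv = binaryDecode(generateSecretKey("AES", 128), "base64")>   <!--- 16 random bytes --->
<cfset cipherText = encrypt(plain, key, "AES/CBC/PKCS5Padding", "Base64", iv)>

<!--- The IV is not secret; store it next to the ciphertext so it can be decrypted.
      Neither base64 string can contain ":", so it is a safe delimiter. --->
<cfset stored = binaryEncode(iv, "base64") & ":" & cipherText>

<!--- Decrypt side: split the IV back out and use the same key and algorithm --->
<cfset storedIv = binaryDecode(listFirst(stored, ":"), "base64")>
<cfset recovered = decrypt(listLast(stored, ":"), key, "AES/CBC/PKCS5Padding", "Base64", storedIv)>
<cfif recovered NEQ plain>
    <cfthrow message="AES round trip failed">
</cfif>
```

Reusing one IV across messages in CBC mode leaks whether two plaintexts share a prefix, which is why the IV is generated per call rather than fixed.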
Last but not least
SQL Injection
SQL Injection
```cfml
<cfquery name="news">
    SELECT id, title, story
    FROM news
    WHERE id = #url.id#
</cfquery>
```
news.cfm?id=1;delete+from+news
SQL Injection
• The solution: use cfqueryparam whenever possible.
• Validate and sanitize when you can't, e.g.:
• ORDER BY column (a column name cannot be a bind parameter)
• SELECT TOP 10 (the row count cannot be a bind parameter)
• ORM: make sure HQL statements are parameterized
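The news query from the slide with the id parameterized, plus the two cases cfqueryparam cannot cover (ORDER BY column, SELECT TOP n) handled by validation, as an added example that is not from the slides. It assumes url.id, url.sort and url.limit parameters, a default datasource, and the news table from the slide.

```cfml
<!--- Added example: parameterize where you can, whitelist where you cannot --->
<cfparam name="url.id" default="0">
<cfparam name="url.sort" default="id">
<cfparam name="url.limit" default="10">

<!--- The slide's query, fixed: a payload such as 1;delete+from+news is rejected by
      cfqueryparam because it is not a valid integer, and the id is bound, not spliced --->
<cfquery name="news">
    SELECT id, title, story
    FROM news
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- ORDER BY: map user input onto a fixed list of column names and fall back to
      a default for anything else; the user's string never reaches the SQL --->
<cfset sortColumns = "id,title,published">
<cfset sortPos = listFindNoCase(sortColumns, url.sort)>
<cfif sortPos>
    <cfset sortCol = listGetAt(sortColumns, sortPos)>
<cfelse>
    <cfset sortCol = "id">
</cfif>

<!--- TOP n: accept only a small positive whole number, never the raw string --->
<cfset limit = val(url.limit)>
<cfif limit LT 1 OR limit GT 100 OR limit NEQ int(limit)>
    <cfset limit = 10>
</cfif>

<cfquery name="latest">
    SELECT TOP #limit# id, title, story
    FROM news
    ORDER BY #sortCol#
</cfquery>

<!--- ORM (if enabled): the HQL equivalent uses a named parameter, not concatenation:
      ormExecuteQuery("from News where id = :id", { id = val(url.id) }) --->
```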
Questions?
Thank You
foundeo.com | hackmycf.com | fuseguard.com