Modern Web Application Defense

Modern
Web
Applica0on
Defense
with
OWASP
Tools
OWASP
AppSec
2014
1

• Frank
Kim
– SANS
Ins0tute
• Curriculum
About
Lead,
Applica0on
Security
• Author,
Secure
Coding
in
Java
2

Cross-‐Site
Scrip0ng
(XSS)
• Occurs
when
unvalidated
data
is
rendered
in
the
browser
• Types
of
XSS
– Reflected
– Stored
– Document
Object
Model
(DOM)
based
3

Contextual
Output
Encoding
• OWASP
ESAPI
– hWps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Encoder e = ESAPI.encoder();
e.encodeForHTML(string);
e.encodeForURL(string);
e.encodeForJavaScript(string);
• OWASP
Java
Encoder
– hWps://www.owasp.org/index.php/OWASP_Java_Encoder_Project
Encode.forHtml(value);
Encode.forUri(value);
Encode.forJavaScript(value);
4

HWpOnly
Flag
• Ensures
that
the
Cookie
cannot
be
accessed
via
client
side
scripts
(e.g.
JavaScript)
• Configure
in
web.xml
as
of
Servlet
3.0
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
• Programma0cally
– Since
Servlet
3.0
Cookie cookie = new Cookie("mycookie", "test");
cookie.setHttpOnly(true);
– Before
Servlet
3.0
String cookie = "mycookie=test; Secure; HttpOnly";
response.addHeader("Set-Cookie", cookie);
5

Content
Security
Policy
• Helps
mi0gate
XSS
– Originally
developed
by
Mozilla
– Currently
a
W3C
Candidate
Recommenda0on
• hWp://www.w3.org/TR/CSP
• CSP
headers
– Content-Security-Policy
• Star0ng
in
Firefox
23
and
Chrome
25
– X-Content-Security-Policy
• Experimental
header
supported
in
IE
10
and
older
Firefox
versions
– X-WebKit-CSP
• Experimental
header
supported
in
Safari
and
older
Chrome
versions
6

CSP
Requirements
• No
inline
scripts
– Can't
put
code
in
<script>
blocks
– Can't
do
inline
event
handlers
like
<a onclick="javascript">
• No
inline
styles
– Can't
write
styles
inline
7

CSP
Direc0ves
• default-‐src
• script-‐src
• object-‐src
• style-‐src
• img-‐src
• media-‐src
• frame-‐src
• font-‐src
• connect-‐src
8

CSP
Examples
1)
Only
load
resources
from
the
same
origin
X-Content-Security-Policy: default-src 'self'
2)
Example
from
mikewest.org
x-content-security-policy:
default-src 'none';
style-src https://mikewestdotorg.hasacdn.net;
frame-src
https://www.youtube.com
http://www.slideshare.net;
script-src
https://mikewestdotorg.hasacdn.net
https://ssl.google-analytics.com;
img-src 'self'
https://mikewestdotorg.hasacdn.net
https://ssl.google-analytics.com data:;
font-src https://mikewestdotorg.hasacdn.net 9

Report
Only
• Facebook
Example
x-content-security-policy-report-only:
allow *;
script-src https://*.facebook.com
http://*.facebook.com
https://*.fbcdn.net
http://*.fbcdn.net
*.facebook.net
*.google-analytics.com
*.virtualearth.net
*.google.com
127.0.0.1:*
*.spotilocal.com:*;
options inline-script eval-script;
report-uri https://www.facebook.com/csp.php 10

Content
Security
Policy
Demo
11

Strict-‐Transport-‐Security
• Tells
browser
to
only
talk
to
the
server
via
HTTPS
– First
0me
your
site
accessed
via
HTTPS
and
the
header
is
used
the
browser
stores
the
cer0ficate
info
– Subsequent
requests
to
HTTP
automa0cally
use
HTTPS
• Supported
browsers
– Implemented
in
Firefox
and
Chrome
– Currently
an
IETF
drag
Strict-Transport-Security: max-age=seconds
[; includeSubdomains]
12

X-‐Frame-‐Op0ons
• Prevents
Clickjacking
– HTTP
Response
Header
supported
by
modern
browsers
• Three
op0ons
– DENY
• Prevents
any
site
from
framing
the
page
– SAMEORIGIN
• Allows
framing
only
from
the
same
origin
– ALLOW-‐FROM
origin
• Allows
framing
only
from
the
specified
origin
• Only
supported
by
IE
(based
on
my
tes0ng)
• Firefox
Bug
690168
-‐
"This
was
an
uninten0onal
oversight"
13

Using
Secure
Headers
• OWASP
Secure
Headers
Project
– hWps://www.owasp.org/index.php/
OWASP_Secure_Headers_Project
• Security
Header
Injec0on
Module
(SHIM)
– Developed
by
Eric
Johnson
&
Aaron
Cure
14

Cross-‐Site
Request
Forgery
(CSRF)
15
Vic0m
browser
mybank.com
1)
Vic0m
signs
on
to
mybank
2)
Vic0m
visits
aWacker.com
3)
Page
contains
CSRF
code
4)
Browser
sends
<form
ac0on=hWps://mybank.com/transfer.jsp
the
request
to
mybank
method=POST>
<input
name=recipient
value=aWacker>
<input
name=amount
value=1000>
</form>
<script>document.forms[0].submit()</script>
POST
/transfer.jsp
HTTP/1.1
Cookie:
<mybank
authen0ca0on
cookie>
recipient=aWacker&amount=1000
aWacker.com

OWASP
1-‐Liner
• Deliberately
vulnerable
applica0on
– Intended
for
demos
and
training
– Created
by
John
Wilander
@johnwilander
• More
informa0on
at
– hWps://www.owasp.org/index.php/OWASP_1-‐
Liner
16

Normal
JSON
Message
{"id":0,"nickName":"John",!
"oneLiner":"I LOVE Java!",!
"timestamp":"2013-05-27T17:04:23"}!
18

Forged
JSON
Message
!
{"id": 0, "nickName": "John",!
"oneLiner": "I hate Java!",!
"timestamp": "20111006"}//=dummy!
19

CSRF
AWack
Form
<form id="target" method="POST"!
action="https://local.1-liner.org:8444/ws/
vulnerable/oneliners" !
enctype="text/plain" !
style="visibility:hidden">!
!
<input type="text" !
name='{"id": 0, "nickName": "John",!
"timestamp": "20111006"}//' !
value="dummy" />!
!
<input type="submit" value="Go" />!
</form>!
20

CSRF
AWack
Form
<form id="target" method="POST"!
action="https://local.1-liner.org:8444/ws/
vulnerable/oneliners" !
enctype="text/plain" !
style="visibility:hidden">!
!
<input type="text" !
name='{"id": 0, "nickName": "John",!
"timestamp": "20111006"}//' !
value="dummy" />!
!
<input type="submit" value="Go" />!
</form>!
21

Forged
JSON
Message
!
{"id": 0, "nickName": "John",!
"timestamp": "20111006"}//=dummy!
22

CSRF
Defense
• Must
include
something
random
in
the
request
– Use
an
an0-‐CSRF
token
• OWASP
CSRFGuard
– WriWen
by
Eric
Sheridan
@eric_sheridan
– Can
inject
an0-‐CSRF
token
using
• JSP
Tag
library
-‐
for
manual,
fine
grained
protec0on
• JavaScript
DOM
manipula0on
-‐
for
automated
protec0on
requiring
minimal
effort
– Filter
that
intercepts
requests
and
validates
tokens
23

CSRFGuard
JSP
Tags
• Tags
for
token
name
and
value
<form name="test1" action="protect.html">!
<input type="text" name="text" value="text"/>!
<input type="submit" name="submit" value="submit"/>!
<input type="hidden" name="<csrf:token-name/>"!
value="<csrf:token-value/>"/> !
</form>
• Tag
for
name/value
pair
(delimited
with
"=")
<a href="protect.html?<csrf:token/>">protect.html</a>!
• Convenience
tags
for
forms
and
links
as
well
<csrf:form>
and
<csrf:a>!
!
Examples
from
hWps://www.owasp.org/index.php/CSRFGuard_3_Token_Injec0on
24

CSRFGuard
DOM
Manipula0on
• Include
JavaScript
in
every
page
that
needs
CSRF
protec0on
<script src="/securish/JavaScriptServlet"></script>!
• JavaScript
used
to
hook
the
open
and
send
methods
XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;!
XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {!
// store a copy of the target URL!
this.url = url; !
this._open.apply(this, arguments);!
}!
!
XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;!
XMLHttpRequest.prototype.send = function(data) {!
if(this.onsend != null) {!
// call custom onsend method to modify the request!
this.onsend.apply(this, arguments);!
}!
this._send.apply(this, arguments);!
}!
25

Protec0ng
XHR
Requests
• CSRFGuard
sends
two
HTTP
headers
XMLHttpRequest.prototype.onsend = function(data) {!
if(isValidUrl(this.url)) {!
this.setRequestHeader("X-Requested-With", !
"OWASP CSRFGuard Project")!
this.setRequestHeader("OWASP_CSRFTOKEN", !
"EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");!
}!
};!
26

JSON
CSRF
Protec0on
Demo
27

Summary
• Many
tools
to
choose
from
– ESAPI,
Java
Encoder,
Secure
Headers
Project,
CSRFGuard,
1-‐Liner,
Zed
AWack
Proxy
(ZAP)
• Look
to
use
Secure
HTTP
Response
Headers
like
– Content
Security
Policy
– Strict-‐Transport-‐Security
– X-‐Frame-‐Op0ons
28

Frank
Kim
vim@sans.org
@sansappsec

Modern Web Application Defense

Modern Web Application Defense

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to Modern Web Application Defense

Similar to Modern Web Application Defense (20)

Recently uploaded

Recently uploaded (20)

Modern Web Application Defense