StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 World

Damon Cortesi of Alchemy Security presents the most effective ways to plug the most common holes found in web services. Learn about XSS, SQL injection, and why you should care about these things now instead of later.

Published in: Technology
1. Hacking and Compliance in a Web 2.0 World
   - Damon P. Cortesi, CISSP
   - Director @ Alchemy Security
   - Stats Nut | Security Geek | Builder of Tools

2. $ whoami
   - Connecticut >> Chicago >> Seattle (2006)
   - @dacort on Twitter ( http://tweetstats.com )
   - Security Consultant, recently self-employed
   - Destroyer of Web Apps and Dual-Cores

3. $ cat ~/.plan
   - Web 2.0 Security
     - Things you still need to watch out for.
   - E-commerce Startups and Compliance
     - What is this PCI thing you speak of?
     - Privacy Policy and Data Breach Notification Laws.
   - And maybe if we're lucky...demo time.

4. Web 2.0 Frameworks
   - Rails, Django, CakePHP
   - Rapid development, data abstraction
   - Alleviates common security pain points
     - SQL Injection
     - Cross-Site Scripting (kind of ...)
     - Typical challenges still present
5. The "kind of" - XSS
   - As of Django 1.0 (Sep 2008), HTML is auto-escaped
     - YAYYYYYYYYYYYY!
   - Does Rails? ------------------------- No
   - Does Google App Engine? -------- No
     - Really? Yup, really. (At least cookies are not shared across *.appspot.com, phew!)
   - Does ASP.NET? -------------------- On built-in controls
     - Also has built-in request validation

6. Define Briefly
   - SQL Injection - unsanitized data spliced into a query, letting the attacker run arbitrary SQL and, on some databases, OS commands.
     - dpc' OR 'a'='a
     - xp_cmdshell (MS SQL Server)
   - XSS - unsanitized data re-displayed to other users and interpreted by the browser as markup or script.
     - <script>alert(document.cookie);</script>

7. XSS - The Bad, The Ugly
   - XSS 101 - executes user input in the victim's browser context
     - Typical test: "><script>alert('dcash')</script>
   - "site:appspot.com search" on Google
     - 156,000 results
     - First 30 results: at least 4 XSS-vulnerable apps
     - So...why is this bad?

8. XSS Scenarios
   - Arbitrary JavaScript execution
   - Page/HTML inserts, deletes
   - Browser control, exploit download
   - Cookie monsters (session cookie theft)
9. Fixing XSS
   - Primarily - HTML/URL encoding, proper escaping for the output context
     - <%= h "<b>dacort</b>" %>  ->  &lt;b&gt;dacort&lt;/b&gt;
   - Validation && sanitization - regexes (anchored to the whole value, or "1<script>" still matches)
     - Rails routes
       - ':controller/show/:id', :id => /\d+/, :action ...
     - ActiveRecord validates_format_of
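An added example (not code from the deck or from Rails) of the two halves of slide 9 in plain Ruby: output encoding with the stdlib method behind Rails' `h`, and input validation with a regex that is anchored to the whole value. The three patterns show why an unanchored or `^`/`$`-anchored regex is not a validation; `render_message` is a hypothetical helper written for this example.

```ruby
require 'erb'

# Escape untrusted text for an HTML body or attribute context.
# ERB::Util.html_escape is the stdlib method behind Rails' h() helper.
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# Validation patterns for a numeric :id.
# Unanchored: /\d+/ matches a digit run *anywhere*, so "1<script>" passes.
UNANCHORED_ID = /\d+/
# Line-anchored: ^ and $ match at line breaks in Ruby, so "12\n<script>" passes.
LINE_ANCHORED_ID = /^\d+$/
# String-anchored: \A and \z bound the whole value; only "123" passes.
ANCHORED_ID = /\A\d+\z/

def valid_id?(value, pattern = ANCHORED_ID)
  pattern.match?(value.to_s)
end

# Whitelist-validate on the way in, encode on the way out; both, not one or the other.
# Hypothetical view helper: returns the rendered fragment, or nil when the id is rejected.
def render_message(id, subject)
  return nil unless valid_id?(id)
  %(<div id="msg-#{id}"><b>#{h(subject)}</b></div>)
end
```

The anchored pattern is the one to use in `validates_format_of`; Rails route requirements are anchored for you, model validations are not.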
10. More XSS Prevention
   - Secure cookie flag (GMail, again...)
     - Site lives at https://site.com
     - Attacker injects a link to an image on http://site.com
     - If the session cookie lacks the "secure" flag, the browser sends it with that plain-HTTP request too
   - HttpOnly cookie flag
     - Cookie can't be read from <script> via document.cookie
   - Use innerText, not innerHTML, when writing untrusted data into the DOM
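An added example, not from the deck, that turns the cookie-flag advice on slide 10 into a check a practitioner can run against a captured `Set-Cookie` header. The sample header values are constructed; the parser is a minimal one written here, not a library API.

```ruby
# Split one Set-Cookie header value into name, value and a case-insensitive attribute hash.
def parse_set_cookie(header)
  pair, *attr_parts = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attrs = {}
  attr_parts.each do |part|
    next if part.empty?
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val   # flag attributes (Secure, HttpOnly) have no value
  end
  { name: name, value: value, attrs: attrs }
end

# Audit a Set-Cookie header as the slide describes: a cookie set over HTTPS but without
# Secure is also sent on any http:// request the attacker can provoke (an injected
# <img src="http://site.com/...">); without HttpOnly, script can read it via document.cookie.
def cookie_findings(header, served_over_https: true)
  cookie = parse_set_cookie(header)
  findings = []
  if served_over_https && !cookie[:attrs]['secure']
    findings << "#{cookie[:name]}: no Secure flag; browser sends it over plain http:// too"
  end
  unless cookie[:attrs]['httponly']
    findings << "#{cookie[:name]}: no HttpOnly flag; readable from document.cookie"
  end
  findings
end

# The header a server should emit for a session cookie.
def session_cookie_header(name, value, path: '/')
  "#{name}=#{value}; Path=#{path}; Secure; HttpOnly"
end
```

Run `cookie_findings` over the headers your app actually returns (curl -i is enough); a framework default is not a guarantee that the session cookie carries both flags.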
11. Cross-Site Request Forgery
   - Browsing circa 1998
     - One window. One site.
   - Browsing circa 2008

12. CSRF++
   - Daily browsing - authenticated to many sites at once
   - GET style attacks
     - <img src="http://x.com/message/123/delete"/>
       - Cookies sent with this request
   - POST style attacks
     - Generally combined with JavaScript (an auto-submitted hidden form)
     - Work because the form carries no token
   - GMail hack (there's a new one!!)

13. CSRF GET
   - <img src="http://x.com/message/123/delete"/>
     <img src="http://x.com/message/124/delete"/>
     <img src="http://x.com/message/125/delete"/>
     <img src="http://x.com/message/126/delete"/>
     <img src="http://x.com/message/.../delete"/>
   - No tokens? Logged in? Valid message?
     - "Pwned"
   - Switching to POST requests alone is not the solution

14. CSRF POST

15. GMail Analysis
   - GMail Create Filter (GET URL)
     - "at" parameter == "GMAIL_AT" cookie value (the request must echo the cookie)
     - From a malicious page, using CSRF (or XSS?)
     - Steal GMAIL_AT, submit the GET request above
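An added example, written for this page and not taken from the deck or from any framework, of the fix slides 12 to 15 point at: a per-session synchronizer token that every state-changing request must carry, plus a refusal to perform mutations over GET at all. The route table and session store are constructed stand-ins for the example.

```ruby
require 'securerandom'

# Server-side synchronizer token: the answer to "No tokens?" on slide 13.
class CsrfGuard
  MUTATING_METHODS = %w[POST PUT PATCH DELETE].freeze

  # Hypothetical route table for the example: which paths change state.
  ROUTES = {
    'message/delete' => :mutating,
    'message/show'   => :read_only
  }.freeze

  def initialize
    @tokens = {} # session_id => token; stands in for the server-side session store
  end

  # One random token per session, minted server-side. A cross-site attacker's page cannot
  # obtain it: the same-origin policy stops it reading our responses, and cookies alone
  # (which the browser attaches automatically) carry no token.
  def token_for(session_id)
    @tokens[session_id] ||= SecureRandom.hex(32)
  end

  # What the server renders into every state-changing form.
  def hidden_field(session_id)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session_id)}">)
  end

  # Returns :allowed or a symbol naming the reason for rejection.
  def check(session_id:, method:, route:, params:)
    kind = ROUTES.fetch(route, :mutating)   # unknown routes treated as mutating (fail closed)
    return :allowed if kind == :read_only
    # A mutating action reachable by GET is forged with a single <img src=...>; refuse it outright.
    return :reject_get_mutation unless MUTATING_METHODS.include?(method)
    expected = @tokens[session_id]
    supplied = params['authenticity_token'].to_s
    return :reject_missing_token if expected.nil? || supplied.empty?
    return :reject_bad_token unless secure_compare(supplied, expected)
    :allowed
  end

  private

  # Constant-time comparison so a timing side channel does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Note what the token does and does not do: it stops a page on another origin from forging a request, because that page cannot read the token. It does nothing against XSS on your own origin, which can read the token (or the cookie, as in the GMail case) and submit the request itself; that is why the XSS fixes come first.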
16. Third-Party Components
   - You installed what??
   - Drupal plugins
   - Wordpress plugins
     - Themes, too!
   - ASP.NET components
   - Is that code secure?
   - Does it execute commands?
   - Does it utilize the network?
   - Funky encoding...

17. What to Look For?
   - Find input vectors
     - Request.[Cookies|Form|QueryString]
     - $_GET, $_POST, $_REQUEST (<-- careful: merges GET, POST and COOKIE)
     - params[:id]
   - Make sure output is protected
     - Encoding to the browser, escaping (or parameterizing) to the database, etc

18. Poor Design = Poor Security
   - Example startup FreeMail (names changed ... )
   - RSS feed for your Inbox
     - Google does it, why can't we?
   - No authentication
   - No SSL
   - No security
19. Flash Security
   - Flash - fantastic base on which to build dynamic sites
   - crossdomain.xml - tells Flash which other domains' SWFs may read data from yours
   - BAD: <allow-access-from domain="*"/>
     - A SWF on any site can make requests to your domain with the user's cookies and read the responses
   - Even a tight allow-list can ultimately allow compromise of user data (cookies, authenticated pages) if a trusted domain is vulnerable to XSS, etc
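An added example, not from the deck, of the check slide 19 implies: fetch a site's crossdomain.xml and flag every grant that widens who may read authenticated responses through Flash. The two sample policies are constructed for the example; the audit uses only Ruby's stdlib REXML.

```ruby
require 'rexml/document'

# Constructed sample policies for the example (not taken from any real site).
WILDCARD_POLICY = <<~XML
  <cross-domain-policy>
    <allow-access-from domain="*"/>
  </cross-domain-policy>
XML

STRICT_POLICY = <<~XML
  <cross-domain-policy>
    <allow-access-from domain="www.example.com"/>
    <allow-access-from domain="static.example.com" secure="true"/>
  </cross-domain-policy>
XML

# Walk the policy and report each grant that widens which origins' SWFs may make
# cookie-bearing requests to this host and read the responses.
def audit_crossdomain(xml)
  doc = REXML::Document.new(xml)
  findings = []
  REXML::XPath.each(doc, '//allow-access-from') do |el|
    domain = el.attributes['domain'].to_s
    if domain == '*'
      findings << 'domain="*": a SWF on any site can read authenticated responses from this host'
    elsif domain.start_with?('*.')
      findings << %(domain="#{domain}": every subdomain is trusted; one XSS on any of them is enough)
    end
    if el.attributes['secure'] == 'false'
      findings << %(domain="#{domain}" secure="false": an HTTPS policy also trusts http:// SWFs)
    end
  end
  REXML::XPath.each(doc, '//allow-http-request-headers-from[@domain="*"]') do |_el|
    findings << 'allow-http-request-headers-from domain="*": any site may send custom headers'
  end
  findings
end
```

An empty result only means the file itself is tight; every domain it does list is now inside your trust boundary, which is the second point on the slide.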
20. Some Other Things...
   - Keeping systems/software up-to-date
     - Rails < 2.1.1? -- SQL injection bug
       - JumpBox (server provisioning) uses Rails 2.1.0
     - Curious - how do you manage security updates?
   - Infrastructure security
     - Do _you_ know your external network presence?
     - Have all _your_ default passwords been changed?

21. And a few more...
   - Multiple layers of restriction
     - Have a phpMyAdmin Internet-accessible?
     - Do you ...
       - Restrict access by IP address?
       - Rename the default location?
       - Have authentication enabled?
   - Process . Process . Process .

22. One last thing ...
   - Not always some über-technical buffer overflow sploit...
   - Access database on an unprotected share
   - demo/demo password
   - Email on confirmation page
   - Are people thinking securely?

23. Password Security (demo slides: "250 passwords later...", "5 Minutes Later")

24. Switching Gears
   - Compliance

25. We <3 Our Data
   - Some of that data is restricted, though!
   - Personally Identifiable Information (PII)
   - Data Breach Notification Laws
   - Payment Card Industry (Credit Cards, PCI)
   - So you're building a web service...
     - ...what do you need to know?
26. Planning and Process
   - 44 states have data breach notification laws
     - Name, address, email
     - Social Security Number
     - Passport ID, license number
   - If you are compromised and the above is unencrypted and compromised - you must notify the affected individuals.

27. Data Breach/Privacy Policy
   - Data breach laws are why services such as Twitter and Evernote have this in their Privacy Policy.
     - "If Evernote learns of a security system breach we may attempt to notify you and provide information on protective steps, if available, through the e-mail address that you supplied during registration or posting a notice on our web site. Depending on where you live, you may have a legal right to receive such notices in writing." -- http://evernote.com/about/privacy/
     - "We will make any legally-required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored personal data to you via email or conspicuous posting on this Site in the most expedient time possible and without unreasonable delay." -- http://twitter.com/privacy

28. PCI
   - PCI only applies to you if you "store, process, or transmit cardholder data."
   - Want the PCI compliance monkey off your back?
   - "It's simple, just don't ever store, process, or transmit cardholder data - let someone else do it for you."
   - And if you must store, process, or transmit ... call us.

29. PCI If You Have To
   - Cardholder data is defined as the primary account number ("PAN," or credit card number) and other data obtained as part of a payment transaction, including the following data elements:
     - PAN
     - Cardholder Name
     - Expiration Date
     - Service Code
     - Sensitive Authentication Data: (1) full magnetic stripe data, (2) CAV2/CVC2/CVV2/CID, and (3) PINs/PIN blocks
       - Sensitive authentication data may never be stored after authorization, even encrypted.

30. Thanks
   - [email_address]
   - http://xkcd.com/327/
