Surviving Web Security
525 views
Published on
A talk given at #fullstackcon 2016
Published in: Internet

Surviving Web Security
1. Gergely Nemeth
   Surviving Web Security
   github.com/gergely | twitter.com/nthgergo | gergely@risingstack.com
2. TRACE - NODE.JS MONITORING
   https://trace.risingstack.com
3. WHAT DO THEY HAVE IN COMMON?
4. WHAT DO THEY HAVE IN COMMON?
   TOGETHER, ALMOST 1 BILLION USER ACCOUNTS COMPROMISED
   https://haveibeenpwned.com
5. 2014/2015 In Retrospect
6. Lots of high-profile vulnerabilities such as Shellshock and Heartbleed
7. An average of 158 days time-to-fix for security issues
8. In some industries security tickets may be open for more than 2 years
9. XSS affects 47%, CSRF affects 24% of all web apps.
10. Enter Attack Trees
11. ATTACK TREES
    "formal, methodical way of describing the security of systems, based on varying attacks" - Bruce Schneier
12. ATTACK TREES
    Open safe
      Pick lock
      Learn combo
        Find it written
        Learn from target
          Blackmail
          Eavesdrop
            Listen to convo
            Get target to say
          Bribe
      Cut open
      Bad setup
13. ATTACK TREES
    To get the most out of attack trees, you have to combine them with knowledge on the attackers
14. ATTACK TREES
    Open safe (P)
      Pick lock (I)
      Learn combo (P)
        Find it written (I)
        Learn from target (P)
          Blackmail (I)
          Eavesdrop (I)
            Listen to convo (P)
            Get target to say (I)
          Bribe (P)
      Cut open (P)
      Bad setup (I)
15. An Example Attack Tree of a Trace Account
16. EXAMPLE ATTACK TREE OF A TRACE ACCOUNT
    Root: Get access to account
    Nodes: Modify credentials in the database, Learn password, Get access to database, Social engineering, Get access to DMZ, Listen on the transport layer, Brute force, Bypass access control, SQL Injection, Session hijack, Insecure dependency
17. EXAMPLE ATTACK TREE OF A TRACE ACCOUNT
18. Secure the Transport Layer
19. SECURE TRANSPORT LAYER (the attack tree from slide 16 repeated)
20. SECURE TRANSMISSION - SSL
    HTTP is a clear-text protocol
21. SECURE TRANSMISSION - SSL
    Vulnerable against man-in-the-middle attacks
22. SECURE TRANSMISSION - SSL
    HTTP is a clear-text protocol - Always use HTTPS
23. Defend Against Brute-force attacks
24. BRUTE-FORCE ATTACKS (the attack tree from slide 16 repeated)
25. BRUTE-FORCE PROTECTION
    var email = req.body.email
    var limit = new Limiter({ id: email, db: db }) // ratelimiter keyed by the login e-mail
    limit.get(function(err, limit) {
      if (err) return next(err)
      if (!limit.remaining) return res.status(429).end() // attempts exhausted for this id
      next()
    })
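The snippet on slide 25 relies on the `ratelimiter` module and a Redis connection. As an added example (not the talk's code) the block below implements the same idea in memory so it runs stand-alone: attempts are counted per login e-mail, not per client IP, so one account cannot be hammered from many sources, and the clock is injectable so the window can be tested. The class and middleware names are mine; `req.body.email`, `res.setHeader` and `next` follow the Express conventions the slide assumes.

```javascript
// Added example, not the talk's code: an in-memory stand-in for the Redis-backed
// `ratelimiter` on slide 25. `max` attempts are allowed per `duration` milliseconds
// for each id (here the login e-mail); `now` is injectable for tests.
class AttemptLimiter {
  constructor({ max = 5, duration = 15 * 60 * 1000, now = Date.now } = {}) {
    this.max = max;
    this.duration = duration;
    this.now = now;
    this.attempts = new Map(); // id -> timestamps of attempts inside the window
  }

  // Record one attempt for `id` and report whether it may proceed. Blocked
  // attempts are recorded too, so hammering a locked account keeps it locked.
  get(id) {
    const t = this.now();
    const recent = (this.attempts.get(id) || []).filter((ts) => t - ts < this.duration);
    recent.push(t);
    this.attempts.set(id, recent);
    return {
      total: this.max,
      remaining: Math.max(0, this.max - recent.length),
      reset: recent[0] + this.duration, // when the oldest attempt leaves the window
      allowed: recent.length <= this.max,
    };
  }

  // Clear the counter after a successful login so the legitimate owner is not
  // locked out by the attempts that preceded it.
  reset(id) {
    this.attempts.delete(id);
  }
}

// Express-style middleware shaped like slide 25. Lower-cases the e-mail so
// "User@example.com" and "user@example.com" share one counter.
function bruteForceGuard(limiter) {
  return function (req, res, next) {
    const email = ((req.body && req.body.email) || '').toLowerCase();
    const l = limiter.get(email);
    res.setHeader('X-RateLimit-Limit', l.total);
    res.setHeader('X-RateLimit-Remaining', l.remaining);
    if (l.allowed) return next();
    res.setHeader('Retry-After', Math.ceil((l.reset - limiter.now()) / 1000));
    res.statusCode = 429;
    res.end('Too many login attempts, try again later');
  };
}
```

In production the counter has to live in a shared store such as the Redis `db` the slide passes to `Limiter`, otherwise each application instance keeps its own window and the effective limit is multiplied by the number of instances.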
26. BRUTE-FORCE PROTECTION - TIMING ATTACKS
    // the bad solution
    if (userEnteredPassword === passwordFromDb) {
      return true
    }
    return false
27. BRUTE-FORCE PROTECTION - TIMING ATTACKS
    T R A C E    T R A C E
    T R A C E    T R I C K
                     x
28. PASSWORDS - EQUALITY CHECK
    Always use fixed-time comparison
29. BRUTE-FORCE PROTECTION - TIMING ATTACKS
    // the good solution
    var cryptiles = require('cryptiles')
    if (cryptiles.fixedTimeComparison(userEnteredPassword, passwordFromDb)) {
      return true
    }
    return false
30. Defend Against SQL Injection Attacks
31. SQL INJECTION (the attack tree from slide 16 repeated)
32. DATA VALIDATION - SQL INJECTION
    This attack vector consists of injection of a partial or complete SQL query via user input
33. DATA VALIDATION - SQL INJECTION
    select username, password from users where username=$username
    can become:
    select username, password from users where username=john or 1=1
34. DATA VALIDATION - SQL INJECTION
    Defend against it with parameterized queries / prepared statements
35. DATA VALIDATION - SQL INJECTION
    // parameterized
    query("select name from emp where emp_id=$1", [123])
    // prepared
    query({ name: "emp_name", text: "select name from emp where emp_id=$1", values: [123] })
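The `query()` calls on slide 35 have the shape node-postgres (`pg`) accepts: the SQL text carries `$1` placeholders and the values travel separately, so the database driver never splices them into the statement. As an added example (not the talk's code) the block below builds the slide 33 query both ways, adds the input validation a numeric `emp_id` deserves on top of parameterization, and includes a small check that placeholders and values line up, which is the usual slip when a concatenated query is converted. No database is needed; it only constructs the query objects. Function names are mine and `pg` is assumed as the consumer.

```javascript
// Added example, not the talk's code. Shows the slide 33 query built unsafely
// (input spliced into the SQL text) and safely (the { text, values } object
// node-postgres's query() takes, as on slide 35).
function unsafeUserQuery(username) {
  // Anything containing SQL syntax becomes part of the statement.
  return `select username, password from users where username=${username}`;
}

function safeUserQuery(username) {
  // The value is bound to $1 by the driver; it can never change the statement.
  return { text: 'select username, password from users where username=$1', values: [username] };
}

// Defense in depth for the emp_id example: parameterization already stops
// injection, but a numeric id should be validated as a number before it is
// ever sent, which also gives a clean 400 instead of a database error.
function empByIdQuery(rawId) {
  if (!/^\d{1,10}$/.test(String(rawId))) {
    throw new Error('emp_id must be a positive integer');
  }
  // Prepared-statement form: the name lets the server reuse the parsed plan.
  return { name: 'emp_name', text: 'select name from emp where emp_id=$1', values: [Number(rawId)] };
}

// True when the highest $n placeholder in the text matches the number of values.
function checkPlaceholders(q) {
  const nums = (q.text.match(/\$(\d+)/g) || []).map((p) => Number(p.slice(1)));
  const maxIndex = nums.length ? Math.max(...nums) : 0;
  return maxIndex === q.values.length;
}
```

The contrast to keep in mind: `unsafeUserQuery('john or 1=1')` returns exactly the second statement on slide 33, while `safeUserQuery` with the same input returns a statement whose only placeholder is `$1` and a values array holding the whole string `'john or 1=1'` as one opaque value.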
36. Defend Against Session Hijack
37. SESSION HIJACK (the attack tree from slide 16 repeated)
38. Securing Cookies
39. COOKIES - COOKIE FLAGS
    - secure - this attribute tells the browser to only send the cookie if the request is being sent over HTTPS.
    - HttpOnly - this attribute is used to help prevent attacks such as cross-site scripting, since it does not allow the cookie to be accessed via JavaScript.
40. Unwanted Javascript
41. DATA VALIDATION - XSS
    - Reflected Cross Site Scripting occurs when the attacker injects executable JavaScript code into the HTML response with specially crafted links
    - Stored Cross Site Scripting occurs when the application stores user input which is not correctly filtered. It runs within the user's browser under the privileges of the web application.
42. DATA VALIDATION - XSS
    Defend against it with input validation
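Slides 41 and 42 describe the reflected and stored variants and recommend input validation. As an added example (not the talk's code) the block below pairs that validation with output encoding, the control that actually stops the injected markup from executing: a name field is whitelist-validated on the way in, and everything is HTML-escaped on the way out, in both a reflected search page and a stored comment list. The test payload is a constructed `<script>` tag; function names are mine.

```javascript
// Added example, not the talk's code. Two layers against the XSS on slide 41:
// validate input against what the field may contain, and encode on output so
// whatever reaches the HTML response is rendered as text, never as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Whitelist validation for a display name: letters, digits, space, . _ -, at most 40.
function isValidDisplayName(name) {
  return typeof name === 'string' && /^[\p{L}\p{N} ._-]{1,40}$/u.test(name);
}

// Reflected case: a search page echoing the query string back into the page.
function renderSearchUnsafe(q) {
  return `<p>Results for ${q}</p>`; // the query lands in the HTML untouched
}
function renderSearchSafe(q) {
  return `<p>Results for ${escapeHtml(q)}</p>`;
}

// Stored case: comments are validated on the way in and encoded on the way out.
// The body is kept raw in the store; encoding at render time means the same
// record can later be emitted safely into a different context (JSON, e-mail).
function storeComment(store, author, body) {
  if (!isValidDisplayName(author)) throw new Error('invalid author');
  if (typeof body !== 'string' || body.length === 0 || body.length > 1000) throw new Error('invalid body');
  store.push({ author, body });
  return store.length;
}
function renderComments(store) {
  return store.map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`).join('');
}
```

Validation alone would have to reject every string that could be meaningful in HTML, which is not possible for free-text fields such as a comment body; that is why the encoding step is the one that must never be skipped, and why it is done at the point of output rather than before storage.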
43. SECURITY HEADERS
    - Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server
    - X-Frame-Options provides clickjacking protection
    - X-XSS-Protection enables the Cross-site scripting (XSS) filter built into most recent web browsers
    - Content-Security-Policy prevents a wide range of attacks, including Cross-site scripting and other cross-site injections
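Slide 39 lists the cookie flags and slide 43 the response headers. As one added example serving both (not the talk's code), the block below is an Express-style middleware that sets the four headers from slide 43 with conservative values, a helper that emits a session `Set-Cookie` value with the `Secure` and `HttpOnly` flags from slide 39 (plus `SameSite`, which was standardised after this talk and limits the cookie's use in cross-site requests), and an audit function that reports which of those flags a given `Set-Cookie` header lacks, usable from a test or a log-review script. The header values and function names are mine.

```javascript
// Added example, not the talk's code. Sets the headers of slide 43 and builds /
// audits cookies with the flags of slide 39. Express's res.setHeader is assumed.
function securityHeaders(req, res, next) {
  // One year, subdomains included: browsers refuse plain HTTP to this host.
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  // No framing at all unless the app really embeds itself somewhere.
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-XSS-Protection', '1; mode=block');
  // Only same-origin scripts/styles/images; no plugins; no framing (CSP form of the above).
  res.setHeader('Content-Security-Policy', "default-src 'self'; object-src 'none'; frame-ancestors 'none'");
  next();
}

// Session cookie with the flags from slide 39. SameSite=Lax is added on top.
function sessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Returns the flag names missing from a Set-Cookie header value.
function auditSetCookie(header) {
  const attrs = String(header).split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Audit every Set-Cookie line of a captured response; returns { cookieName: [missing flags] }
// only for cookies that are missing something, so an empty object means all clear.
function auditResponseCookies(setCookieHeaders) {
  const report = {};
  for (const h of setCookieHeaders) {
    const missing = auditSetCookie(h);
    if (missing.length) report[h.split('=')[0].trim()] = missing;
  }
  return report;
}
```

The CSP value here is deliberately strict; a real application usually has to relax it (for example for a CDN or inline styles) and should do so per directive, rather than dropping the header. `auditResponseCookies` is the check to run over a captured login response in CI so a regression that drops `HttpOnly` from the session cookie is caught before it ships.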
44. Handling Dependencies
45. HANDLING DEPENDENCIES (the attack tree from slide 16 repeated)
46. HANDLING DEPENDENCIES
    You are what you require
47. HANDLING DEPENDENCIES
    Use retire.js / the NSP CLI
    https://nodesecurity.io
48. HANDLING DEPENDENCIES
    Update your dependencies frequently
    https://greenkeeper.io
49. Environment Setup
50. RESTRICT DATABASE ACCESS (the attack tree from slide 16 repeated)
51. ENVIRONMENT SETUP
    Put your databases inside a VPN with your application servers
52. ENVIRONMENT SETUP
    Be careful with default passwords
53. ENVIRONMENT SETUP
    At least 6,000+ Redis instances are compromised now
54. The Human Factor
55. 95% of all security incidents involve human error
56. We are the weakest link
57. Security must be part of the agile workflow
58. Stories should include acceptance criteria for security
59. EXAMPLE STORY
    Given an unauthenticated user
    When she tries to view her profile
    Then she is redirected to the login
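Slide 58 asks for security acceptance criteria on stories and slide 59 gives one in Given/When/Then form. As an added example (not the talk's code) the block below turns that story into an executable check: a hypothetical Express-style `requireLogin` guard, a profile handler behind it, and a tiny in-process `request()` helper that runs the handler chain against a fake request so the criterion can be asserted in CI without starting a server. Everything here is mine; the talk does not show an implementation.

```javascript
// Added example, not the talk's code: the story on slide 59 as a runnable check.
// requireLogin is a hypothetical guard; it redirects anonymous requests to the
// login page and remembers where the user wanted to go.
function requireLogin(req, res, next) {
  if (req.session && req.session.userId) return next();
  res.statusCode = 302;
  res.setHeader('Location', '/login?next=' + encodeURIComponent(req.url));
  res.end();
}

function profileHandler(req, res) {
  res.statusCode = 200;
  res.end(`profile of user ${req.session.userId}`);
}

// Run a chain of (req, res, next) handlers against a fake request and return the
// response object. Stops as soon as a handler ends the response.
function request(url, session, handlers) {
  const req = { url, session };
  const res = {
    statusCode: 200,
    headers: {},
    body: '',
    ended: false,
    setHeader(k, v) { this.headers[k] = v; },
    end(b) { this.body = b || ''; this.ended = true; },
  };
  let i = 0;
  const next = () => {
    if (i < handlers.length && !res.ended) handlers[i++](req, res, next);
  };
  next();
  return res;
}

// Given an unauthenticated user
// When she tries to view her profile
// Then she is redirected to the login
function storyUnauthenticatedProfile() {
  const res = request('/profile', null, [requireLogin, profileHandler]);
  return res.statusCode === 302 && res.headers.Location.startsWith('/login');
}

// The positive case belongs next to it, so a guard that redirects everyone
// (which also satisfies the first story) is caught.
function storyAuthenticatedProfile() {
  const res = request('/profile', { userId: 42 }, [requireLogin, profileHandler]);
  return res.statusCode === 200 && res.body === 'profile of user 42';
}
```

The same pattern covers the other branches of the attack tree on slide 16: a story for "Bypass access control" is a request for someone else's profile with a valid session that must come back 403, written and run the same way.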
60. Developers should implement features with security requirements in mind
61. Developers should implement features with security requirements in mind, LIKE OWASP TOP 10
62. https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
    - Injection
    - Weak authentication and session management
    - XSS
    - Insecure Direct Object References
    - Security Misconfiguration
    - Sensitive Data Exposure
    - Missing Function Level Access Control
    - Cross Site Request Forgery
    - Using Components with Known Vulnerabilities
    - Unvalidated Redirects and Forwards
63. Security is part of your job!