Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

1,741 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,741
On SlideShare
0
From Embeds
0
Number of Embeds
1,112
Actions
Shares
0
Downloads
24
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • OWASP Testing Guide v3 V4 is not finalize
  • Decision maker
  • Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

    1. 1. Protecting Web Applications with ESAPIand AppSensorManuel Lopez Arredondomanuel.lopez@owasp.org
    2. 2. “The cost of cybercrime is greater than thecombined effect on the global economy oftrafficking in marijuana, heroin and cocaine”|http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_traffickinghttp://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
    3. 3. Why Security is important?Ponemon Institute. (2012). 2012 Cost of Cyber Crime Study:. Ponemon Institute LLC.
    4. 4. Verizon. (2012). 2012 Data BREACH Investigations Report:. Verizon LLC.Why Security is important?
    5. 5. Why Security is important?
    6. 6. Mission DrivenNonprofit | World Wide | UnbiasedOWASP does not endorse or recommendcommercial products or servicesWhat is OWASP6
    7. 7. Community Driven30,000 Mail List Participants200 Active Chapters in 70 countries1600+ Members, 56 Corporate Supporters69 Academic SupportersWhat is OWASP7
    8. 8. OWASP Guadalajara ChapterWhat do we have to offer?• Community of security professional• Monthly meetings• Mailing List• Presentations• Workshops• Open forums for discussion• Vendor neutral environmentsMeetings Workshops Conference News Letter Page Visit3 1 1 3 2,528+https://www.owasp.org/index.php/GuadalajaraMarch 2012 – Till Date
    9. 9. Quality Resources200+ Projects15,000+ downloads of tools, documentation250,000+ unique visitors800,000+ page views (monthly)What is OWASP9
    10. 10. 50%10% 40%Quality Resources10
    11. 11. OWASP Top Ten (2010 Edition)
    12. 12. A1 – Injection• Tricking an application into including unintended commands in the data sent toan interpreterInjection means…• Take strings and interpret them as commands• SQL, OS Shell, LDAP, XPath, Hibernate, etc…Interpreters…• Many applications still susceptible (really don’t know why)• Even though it’s usually very simple to avoidSQL injection is still quite common• Usually severe. Entire database can usually be read or modified• May also allow full database schema, or account access, or even OS level accessTypical Impact
    13. 13. SQL Injection – IllustratedFirewallHardened OSWeb ServerApp ServerFirewallDatabasesLegacySystemsWebServicesDirectoriesHumanResrcsBillingCustom CodeAPPLICATIONATTACKNetworkLayerApplicationLayerAccountsFinanceAdministrationTransactionsCommunicationKnowledgeMgmtE-CommerceBus.FunctionsHTTPrequestSQLqueryDB TableHTTPresponse"SELECT * FROMaccounts WHEREacct=‘’ OR1=1--’"1. Application presents a form tothe attacker2. Attacker sends an attack in theform data3. Application forwards attack tothe database in a SQL queryAccount SummaryAcct:5424-6066-2134-4334Acct:4128-7574-3921-0192Acct:5424-9383-2039-4029Acct:4128-0004-1234-02934. Database runs query containingattack and sends encrypted resultsback to application5. Application decrypts data asnormal and sends results to theuserAccount:SKU:Account:SKU:
    14. 14. A2 – Cross-Site Scripting (XSS)• Raw data from attacker is sent to an innocent user’s browserOccurs any time…• Stored in database• Reflected from web input (form field, hidden field, URL, etc…)• Sent directly into rich JavaScript clientRaw data…• Try this in your browser – javascript:alert(document.cookie)Virtually every web application has this problem• Steal user’s session, steal sensitive data, rewrite web page, redirect user tophishing or malware site• Most Severe: Install XSS proxy which allows attacker to observe and direct alluser’s behavior on vulnerable site and force user to other sitesTypical Impact
    15. 15. Cross-Site Scripting IllustratedApplication withstored XSSvulnerability32Attacker sets the trap – update my profileAttacker enters amalicious script into a webpage that stores the dataon the server1Victim views page – sees attacker profileScript silently sends attacker Victim’s session cookieScript runs inside victim’sbrowser with full access tothe DOM and cookiesCustom CodeAccountsFinanceAdministrationTransactionsCommunicationKnowledgeMgmtE-CommerceBus.Functions
    16. 16. Project Leader: Chris Schmidt, Chris.Schmidt@owasp.orgPurpose: A free, open source, web application security control librarythat makes it easier for programmers to write lower-risk applicationshttps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_APIEnterprise Security API16
    17. 17. ESAPI - Vision Build a common set of security controls fortodays most popular programming languages. Have interfaces in common across programminglanguages as much as possible and natural. Provide at least a simple reference implementationfor each security control to serve as example if notuseful in itself. Easily extensible Provide functionality that is most often needed,but lacking (or inconsistent) in various frameworks/ languages.
    18. 18. Using ESAPI (1 of 3) Getting started https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Download: http://code.google.com/p/owasp-esapi-java/ ESAPI Cheat Sheet:https://www.owasp.org/index.php/ESAPI_Cheat_Sheet ESAPI Swingset: http://code.google.com/p/owasp-esapi-java-swingset/
    19. 19. Using ESAPI (2 of 3) Getting help ESAPI User mailing list (focuses on Java version):https://lists.owasp.org/mailman/listinfo/esapi-user ESAPI Developer mailing list:https://lists.owasp.org/mailman/listinfo/esapi-dev ESAPI Project page: http://www.esapi.org/ (comingsoon)
    20. 20. Using ESAPI (3 of 3) Getting involved Many other language implementations, allplaying catch up ESAPI for Java version needs help with userdocumentation ESAPI 2.1 (Java) starting soon ESAPI Swingset and Swingset Interactive → Portto use ESAPI 2.0
    21. 21. Enterprise Security APICustom Enterprise Web ApplicationEnterprise Security APIAuthenticatorUserAccessControllerAccessReferenceMapValidatorEncoderHTTPUtilitiesEncryptorEncryptedPropertiesRandomizerExceptionHandlingLoggerIntrusionDetectorSecurityConfigurationExisting Enterprise Security Services/Libraries
    22. 22. Potential Enterprise ESAPI CostSavings
    23. 23. Basic ESAPI Approach – Examples In Java:String input = request.getParameter( "input" );// Throws ValidationException or IntrusionException// if problemString cleaned =ESAPI.validator().getValidInput("Secure inputexample",input,"SafeString", //regex spec200, // max lengyhfalse, // no nullstrue); //canonicalizeString safeHTML =ESAPI.encoder().encoderForHTML(cleaned);
    24. 24.  In PHP:$cleanTmp = array(); // local in scope$cleanParams = array(); // local in scope$cleanTmp[username] =ESAPI::getValidator()->getValidInput("Secure input example",$input,"SafeString",200, false, true);$cleanParams[username] =ESAPI::getEncoder()->encodeForHTML($cleanTmp[username]);Basic ESAPI Approach – Examples
    25. 25. OWASP ESAPI Project ScorecardFeature Set vs. ProgrammingLanguageAuthentication 2.0 1.4 1.4 1.4 2.0plannedIdentity 2.0 1.4 1.4 1.4 2.0plannedAccess Control 2.0 1.4 1.4 1.4 1.4 2.0plannedInput Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 2.0Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 ???Encryption 2.0 1.4 1.4 1.4 1.4 2.0Random Numbers 2.0 1.4 1.4 1.4 1.4 2.0Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0Logging 2.0 1.4 1,4 1.4 1.4 1.4 2.0 2.0Intrusion Detection 2.0 1.4 1.4 1.4Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 TBDWAF 2.0
    26. 26. Source Code and JavadocOnline Now!http://code.google.com/p/owasp-esapi-java
    27. 27. AppSensorProject Leader(s): Michael Coates, John Melton, Colin WatsonPurpose: Defines a conceptual framework and methodology that offersprescriptive guidance to implement intrusion detection and automatedresponse into an existing application.Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)https://www.owasp.org/index.php/AppSensorCreate attack aware applications27
    28. 28. Detecting Attacksthe Right Way• Detect INSIDE the Application• Automatic Detection• Comprehensive• Minimize False Positives• Understand Business Logic• Immediate Response• No Manual Efforts Required
    29. 29. Detection PointsImplementing AppSensorApplication Log Server AppSensor BrainResponse Listener
    30. 30. VIDEO DEMO
    31. 31. Take aways• Open Source solutions• Low cost and low effort• Think out of the box for development teams• Techniques used on the Industry• OWASP Google Summer of Code 2013https://www.owasp.org/index.php/GSoC
    32. 32. Q & A
    33. 33. Backup
    34. 34. About OWASP• Online since December 1st 2001• Not-for-profit charitable organization• OPEN Everything at OWASP is radically transparent from our finances toour code.• INNOVATION OWASP encourages and supports innovation/experimentsfor solutions to software security challenges.• GLOBAL Anyone around the world is encouraged to participate in theOWASP community.• INTEGRITY OWASP is an honest and truthful, vendor agnostic, globalcommunity.• https://www.owasp.org/index.php
    35. 35. OWASP Success Story
    36. 36. OWASP Guadalajara ChapterWhat do we have to offer?• Community of security professional• Monthly meetings• Mailing List• Presentations• Workshops• Open forums for discussion• Vendor neutral environmentsMeetings Workshops Conference News Letter Page Visit3 1 1 3 2,528+https://www.owasp.org/index.php/GuadalajaraMarch 2012 – Till Date
    37. 37. Application DevelopersNew attacks/ defense guidelineCheat SheetsWeb Goat-emulator-designed to teach web application security lessons
    38. 38. Application Testers and Quality AssuranTesting guidePenetration testing toolsApplication Security Verification Standard Project
    39. 39. OWASP ZAP Proxy/ WebScarab / CSRF Tester
    40. 40. OWASP Testing Framework4. Web Application Penetration Testing•4.2 Information Gathering•4.3 Configuration Management Testing•4.4 Business logic testing•4.5 Authentication Testing•4.6 Authorization Testing•4.7 Session Management Testing•4.8 Data Validation Testing•4.9 Testing for Denial of Service•4.10 Web Services Testing•4.11 Ajax Testinghttp://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
    41. 41. Application Project Management and Staff45Define the processSDLCCode ReviewCode review toolhttp://codecrawler.codeplex.com/Release/ProjectReleases.aspxhttp://orizon.sourceforge.net
    42. 42. DownloadGet OWASP Books
    43. 43. Business advantages of beingassociated with OWASP• The main benefit of becoming an OWASP corporate supporter is to demonstrate the organizations belief thatapplication security is important and that the organization is working to take necessary steps to properly addressapplication security risk in their businesses• The organization itself gets security benefit at reduced costs– Security code review tools are free– Lots of open & free security testing tools– Security guidelines & best practices• Opportunity to endorse organizations logo in OWASP events, conferences, & website• The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the worldon owasp mailing lists and linked in group– If you are looking to expand your business in emerging market here is an opportunity to reach out• When organization becomes a supporter of a security community it helps employees, partners, suppliers andcustomers to understand the value & importance of security, and improves application security throughout thewhole supply chain• Membership options : https://www.owasp.org/index.php/Membership
    44. 44. Subscribe mailing listhttps://www.owasp.org/index.php/GuadalajaraChapter Leaders:Eduardo CernaMauel LopezJoin Us !
    45. 45. App Sensor DesignDemo AppEmbeddedAppSensorResponseAppSensor “Brain”App Logs

    ×