Abridged version of my mvc security presentation covering the OWASP Top 10 security vulnerabilities and how they can be mitigated against in the Microsoft Mvc framework. Covers SQL Injection, XSS, CSRF etc. There is a source code project to go with this presentation with all of the solutions implemented at https://github.com/johnstaveley/SecurityEssentials
Web security leeds sharp dot netnotts
1. Web Security
By John Staveley
Dot Net Notts 29/02/2016
https://uk.linkedin.com/in/johnstaveley/
@johnstaveley
2. Overview
Why Security?
– (case studies)
Who are the hackers?
How?
– (with solutions)
SecurityEssentials.sln
...and then on the server
Further resources
Summary
Questions
3. Who am I?
John Staveley
Mvc.net developer
Not a security expert!
4. Why Security? - Some headlines
ZdNet 2014, “Hundreds of millions of records have been
stolen this year through hacks and data breaches as a result
of poor, or flawed security.”
Davos 2015, “Every time we talked to a top 500 company
about cyber-security, they'd say to us: 'talk to my technology
guy', now the board of directors and the CEOs of the
companies pay attention. There is a new sense of urgency" –
Head of a security company
FSB 2013, 41% of small businesses are a victim of cyber
crime.
6. Why Security? - Some example breaches
Sony – films, confidential email, payroll
Target – 110 million records lost including credit card details.
Current cost $110m
Home Depot – 56m credit card, 53m email addresses
JPMorgan – 10s of millions of customers data lost
BadUSB
ICloud celebrity pictures
Snapchat – 13Gb of data
Ebay – 145 million user records lost. $220m loss
Heartbleed
etc
10. Presentation Approach
OWASP Top 10
Not for profit
Cover all technologies
Reviewed every 3 years
Helps you prioritise
Chapter outline
What is the hack?
Who has been affected by it?
What are the mitigations/countermeasures?
Questions
DEMO
SecurityEssentials.sln
https://github.com/johnstaveley/SecurityEssentials
13. SQL Injection – What is it?
string strQry = "SELECT * FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
EXEC strQry
Put in username field: Admin' And 1=1 --
SELECT * FROM Users WHERE UserName='Admin' And 1=1 --' AND Password=''
Put in password field: '; DROP TABLE Users --
SELECT * FROM Users WHERE UserName='' AND Password=''; DROP TABLE Users --'
http://www.not-secure.com/products?Id=14
Havij
http://youtu.be/RBUOJpAfMn4?t=1m28s
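The concatenated login query from the slide beside its parameterised replacement, as an added example (not code from the SecurityEssentials project). It uses System.Data.SqlClient; the Users table, its PasswordHash column and the User class are assumptions, as is the Entity Framework DbContext in the last class, which shows the same lookup through an ORM (the ORM builds the parameterised query for you, which is why the cheat sheet later says "use an ORM").

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public class UserLookup
{
    private readonly string _connectionString;

    public UserLookup(string connectionString)
    {
        _connectionString = connectionString;
    }

    // INSECURE (mirrors the slide): the input is spliced into the SQL text, so a
    // user name containing a quote and a comment sequence rewrites the statement.
    public bool LogonInsecure(string userName, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName='" + userName +
                     "' AND Password='" + password + "'";
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            connection.Open();
            return (int)command.ExecuteScalar() > 0;
        }
    }

    // SECURE: the statement text is a constant and the input travels as a typed
    // parameter, so quotes and comment sequences in it are plain data. The password
    // never enters the query at all; the stored hash comes back to be verified in code.
    public string GetPasswordHash(string userName)
    {
        const string sql = "SELECT PasswordHash FROM Users WHERE UserName = @UserName";
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            connection.Open();
            return command.ExecuteScalar() as string; // null when there is no such user
        }
    }

    // Numeric ids from the query string (the products?Id=14 case on the slide):
    // parse to the expected type first and pass the typed value as a parameter.
    public static bool TryParseProductId(string raw, out int id)
    {
        return int.TryParse(raw, out id) && id > 0;
    }
}

// Same lookup through Entity Framework (assumed DbContext with a Users set):
// the LINQ expression is translated to a parameterised query.
public static class OrmLookup
{
    public static string GetPasswordHash(System.Data.Entity.DbContext db, string userName)
    {
        return db.Set<User>()
                 .Where(u => u.UserName == userName)
                 .Select(u => u.PasswordHash)
                 .SingleOrDefault();
    }
}

public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string PasswordHash { get; set; }
}
```

The parameter is typed and sized (NVarChar 256) deliberately: besides stopping injection, a bound parameter with a declared length lets SQL Server reuse the query plan for every login.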
15. Password Security
What is it? - Storage, Policy and entry
Password storage
Plain text = No security (http://plaintextoffenders.com/)
Base64 encoding = No security
Avoid Encryption – can be broken
Use hashing (password = 5f4dcc3b5aa765d61d8327deb882cf99)
Common hashes can be googled
Use a salt
Don't use RC4, MD4, MD5 and SHA-1
HashCat http://youtu.be/pTDGz7vN3NE?t=12s
Use PBKDF2, SCrypt, Bcrypt
Passwords Policy:
Enforce minimum complexity
Do not reject special characters
Validate passwords against a list of known bad passwords
Do not allow personal information in the password
Password Entry:
Don't disallow paste on a web page
16. Password Security - Examples
Case Study: Richard Pryce
Case Study: Ebay May 2014
Up to 145 million users affected
$200m loss
Poor password encryption blamed
Case Study: LinkedIn 2012
6.5 million user accounts stolen by Russian criminals
19. Session Hijacking – The how
Concept – Man In The Middle (MITM)
Opening up the browser
CSRF
Sensitive data exposure
DEMO: Session stealing using document.cookie=""
23. Weak account management – Case Study
News contained details Sarah Palin used Yahoo mail
Security Information
Birthday?
2 minutes on Wikipedia
Zip Code?
Wasilla only has 2 postcodes
Where did you meet your spouse?
High School
=> Password reset
24. Weak account management - Countermeasures (1)
Account enumeration - Can occur on registration, logon or password reset forms
Success - “An account reset key has been emailed to you”
Failure - “That user account does not exist”
Success or Failure - “An account reset key has been emailed to you”
Use Https ([RequireHttps]) to protect sensitive data
25. Weak account management - Countermeasures (2)
Brute force Logon - Do not lock out on incorrect logon – DOS
Brute force Registration/Password reset:
– CAPTCHA and/or throttling to prevent brute force
– http://anti-captcha.com/
Verify email address by sending an email
Re-challenge user on key actions e.g. prompt for old password when entering new password
Log and send email when any account state changes
26. Weak account management - Countermeasures (3)
Password reset
Don't send new password out – DOS
Send email with expiring token (1 hour)
Security questions: Concise, Specific, has a large range of answers, low discoverability, constant over time
Never roll your own membership provider or session management – use the default one in the framework
Outsource the solution e.g. Azure Active Directory or OpenId
SecurityEssentials.sln – Account Management process, anti-enumeration, logging, email verification, email on change, activity log, throttling, CAPTCHA, auto-complete off, increase logon time failure
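A password-reset flow that puts the three countermeasure slides together (identical response whether or not the account exists, a random token that expires after one hour and is used once, an email and log entry on every state change), as an added example in C# for ASP.NET MVC. It is not the SecurityEssentials project's own implementation; the IUserStore and INotifier interfaces are assumed abstractions over the membership store and the mail/log infrastructure.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;

public class ResetRecord
{
    public int UserId { get; set; }
    public string TokenHash { get; set; }   // only a hash of the token is stored
    public DateTime ExpiresUtc { get; set; }
}

public interface IUserStore   // assumption: wraps the framework membership store
{
    int? FindUserIdByEmail(string email);
    string GetEmail(int userId);
    void SaveResetRecord(ResetRecord record);
    ResetRecord FindResetRecord(string tokenHash);
    void DeleteResetRecord(string tokenHash);
    void SetPassword(int userId, string newPassword);   // the store hashes it
}

public interface INotifier    // assumption
{
    void Email(string to, string subject, string body);
    void Log(string message);
}

public class PasswordResetController : Controller
{
    private readonly IUserStore _users;
    private readonly INotifier _notify;

    public PasswordResetController(IUserStore users, INotifier notify)
    {
        _users = users;
        _notify = notify;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Request(string email)
    {
        int? userId = _users.FindUserIdByEmail(email);
        if (userId.HasValue)
        {
            string token = NewToken();
            _users.SaveResetRecord(new ResetRecord
            {
                UserId = userId.Value,
                TokenHash = Sha256(token),
                ExpiresUtc = DateTime.UtcNow.AddHours(1)
            });
            string link = Url.Action("Complete", "PasswordReset", new { token = token }, Request.Url.Scheme);
            _notify.Email(email, "Password reset", "Use this link within one hour: " + link);
            _notify.Log("Password reset requested for user " + userId.Value);
        }
        // Same message, same view, whether or not the address is registered: no enumeration.
        ViewBag.Message = "An account reset key has been emailed to you.";
        return View("RequestSent");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Complete(string token, string newPassword)
    {
        ResetRecord record = string.IsNullOrEmpty(token) ? null : _users.FindResetRecord(Sha256(token));
        if (record == null || record.ExpiresUtc < DateTime.UtcNow)
        {
            ModelState.AddModelError("", "That reset link is not valid.");   // one message for every failure
            return View();
        }
        _users.DeleteResetRecord(record.TokenHash);   // single use
        _users.SetPassword(record.UserId, newPassword);
        _notify.Email(_users.GetEmail(record.UserId), "Your password was changed",
                      "If this was not you, contact support immediately.");
        _notify.Log("Password changed for user " + record.UserId);
        return RedirectToAction("Index", "Home");
    }

    // 256 random bits, encoded so they survive in a URL.
    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static string Sha256(string value)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(value)));
    }
}
```

Throttling and CAPTCHA on the Request action are left to a filter, as on the slide; the controller's job is to make the response and the timing of the two branches indistinguishable as far as practical, which is why the "not found" case does no less work than it needs to and never says so.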
28. Cross site scripting (XSS) – What is it?
www.mysite.com/index?name=Guest
Hello Guest!
www.mysite.com/index?name=<b>Guest<b>
Hello Guest!
www.mysite.com/index?name=Guest<script>alert('Gotcha!')</script>
Hello Guest!
www.mysite.com/index?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
www.mysite.com/index?name=<script>Insert evil script here</script>
29. Cross site scripting (XSS) – What is it?
Encoded data vs unencoded
e.g. <b>Guest<b> vs <b>Guest</b>
Cookie theft!
<script>alert(document.cookies)</script>
Concept: Don't trust your users!
Reflected vs Persisted XSS
Attack Vector: Social Network, Email etc
30. Cross site scripting (XSS) – Examples
Case Study: Legal Helpdesk
Enabler:
Session stealing
DOS
Sensitive data exposure
Ebay, Sep 2014 – http://www.makeuseof.com/tag/ebay-security-breach-
reconsider-membership/
About.com, Oct 2014 – 99.98% of links susceptible
– Mar 2015 – still unpatched
31. Cross site scripting (XSS) - Countermeasures
Validate untrusted data – don't trust your users!
Sources of data – html post, urls, excel/csv import, import of database
Mvc3 - “A potentially dangerous Request.Form value was detected from the client”, except:
What if you want to post HTML? [AllowHtml]
Countermeasure: Encode reflected data
Mvc3 encodes Html by default
Except @Html.Raw(Model.MyStuff)
For 'safe' HTML fragments use WPL (AntiXSS) Library for HTML, CSS, URL, JavaScript, LDAP etc
Concept: Black vs White listing
SecurityEssentials: Incorporation of AntiXSS Library
Comparison with ASP.Net web forms
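The countermeasures above in one place, as an added example in C# (not the SecurityEssentials project's own code): [AllowHtml] limited to the single property that legitimately carries markup, the AntiXSS library's white-listing sanitiser applied before storage so that @Html.Raw is only ever used on sanitised data, and a small set of per-context encoders. The Microsoft.Security.Application namespace comes from the AntiXSS (WPL) NuGet package; the ICommentStore interface and the view are assumptions of the example.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Security.Application;   // AntiXSS library; package reference is an assumption

public class CommentViewModel
{
    public string Author { get; set; }

    // Lifts request validation for this property only, not for the whole action.
    [AllowHtml]
    public string Body { get; set; }
}

public class Comment
{
    public string Author { get; set; }
    public string SafeBody { get; set; }   // written only after sanitising
}

public interface ICommentStore { void Add(Comment comment); }   // assumption

public class CommentController : Controller
{
    private readonly ICommentStore _store;

    public CommentController(ICommentStore store) { _store = store; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentViewModel model)
    {
        // White listing: keep a known-safe subset of tags and attributes and drop everything
        // else (script elements, event handlers, javascript: URLs) instead of black-listing.
        string safeBody = Sanitizer.GetSafeHtmlFragment(model.Body ?? string.Empty);
        _store.Add(new Comment { Author = model.Author, SafeBody = safeBody });
        return RedirectToAction("Index");
    }
}

// Razor view (Views/Comment/Index.cshtml), shown as a comment because the example is C#:
//   @foreach (var c in Model) {
//       <p>@c.Author</p>                     @-output is HTML-encoded by default
//       <div>@Html.Raw(c.SafeBody)</div>     raw output is acceptable only because SafeBody was sanitised
//   }

// Choose the encoder for the context the value lands in: HTML encoding alone does not
// make a value safe inside a script block, an attribute, or a URL parameter.
public static class Encode
{
    public static string ForHtml(string value)         { return HttpUtility.HtmlEncode(value); }
    public static string ForAttribute(string value)    { return HttpUtility.HtmlAttributeEncode(value); }
    public static string ForJavaScript(string value)   { return HttpUtility.JavaScriptStringEncode(value); }
    public static string ForUrlParameter(string value) { return HttpUtility.UrlEncode(value); }
}
```

The sanitiser runs on the way in and the encoders on the way out; neither replaces the other. A value that is sanitised but then dropped into a JavaScript string still needs ForJavaScript, and an encoded value cannot be rendered with Html.Raw later.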
33. Insecure direct object references – what is it?
www.mysite.com/user/edit/12345
// Insecure
public ActionResult Edit(int id)
{
    var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
    return View("Details", new UserViewModel(user));
}
// Secure
public ActionResult Edit(int id)
{
    var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
    // Establish that the current user has the right to edit these details
    if (user.Id != UserIdentity.GetUserId())
    {
        HandleErrorInfo error = new HandleErrorInfo(new Exception("INFO: You do not have permission to edit these details"));
        return View("Error", error);
    }
    return View("Edit", new UserViewModel(user));
}
34. Insecure direct object references - Examples
Immobilise Jan 2015
Citigroup, 2011
– 200,000 customer details exposed
35. Insecure direct object references - Countermeasures
Check the user has permission to see a resource
– Don't expose internal keys externally
– Map keys to user specific temporary non-guessable ones to
prevent brute force
Frequently overlooked:
– Ajax calls
– Obfuscation of paths does not work
– Passing sensitive data in urls
SecurityEssentials.sln User edit
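The "map keys to user-specific, temporary, non-guessable ones" countermeasure, as an added example in C# for ASP.NET MVC; this is not the SecurityEssentials project's own code. The map lives in the session, so a handle is only meaningful to the session that issued it. The Document class, the repository and the ICurrentUser interface are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Per-session map between internal ids and random handles.
[Serializable]
public class IndirectReferenceMap
{
    private readonly Dictionary<string, int> _handleToId = new Dictionary<string, int>();
    private readonly Dictionary<int, string> _idToHandle = new Dictionary<int, string>();

    public string HandleFor(int id)
    {
        string handle;
        if (_idToHandle.TryGetValue(id, out handle)) return handle;
        var bytes = new byte[16];                                   // 128 random bits per handle
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        handle = BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
        _idToHandle[id] = handle;
        _handleToId[handle] = id;
        return handle;
    }

    public bool TryResolve(string handle, out int id)
    {
        id = 0;
        return handle != null && _handleToId.TryGetValue(handle, out id);
    }

    public static IndirectReferenceMap For(HttpSessionStateBase session)
    {
        var map = session["IndirectReferences"] as IndirectReferenceMap;
        if (map == null) session["IndirectReferences"] = map = new IndirectReferenceMap();
        return map;
    }
}

public class Document { public int Id; public int OwnerId; public string Title; }   // assumption
public interface IDocumentRepository                                               // assumption
{
    Document Get(int id);
    IEnumerable<Document> OwnedBy(int userId);
}
public interface ICurrentUser { int Id { get; } }                                  // assumption

public class DocumentController : Controller
{
    private readonly IDocumentRepository _documents;
    private readonly ICurrentUser _currentUser;

    public DocumentController(IDocumentRepository documents, ICurrentUser currentUser)
    {
        _documents = documents;
        _currentUser = currentUser;
    }

    // Lists the caller's own documents, linking each by handle instead of by database id,
    // so /document/edit/3f2a... appears in the URL rather than /document/edit/12345.
    public ActionResult Index()
    {
        var map = IndirectReferenceMap.For(Session);
        var items = new List<KeyValuePair<string, string>>();
        foreach (Document doc in _documents.OwnedBy(_currentUser.Id))
            items.Add(new KeyValuePair<string, string>(map.HandleFor(doc.Id), doc.Title));
        return View(items);
    }

    public ActionResult Edit(string id)
    {
        int documentId;
        if (!IndirectReferenceMap.For(Session).TryResolve(id, out documentId)) return HttpNotFound();
        Document doc = _documents.Get(documentId);
        // The map stops guessing; the ownership check is still the authorisation decision,
        // and both failures look the same from outside (404 rather than 403).
        if (doc == null || doc.OwnerId != _currentUser.Id) return HttpNotFound();
        return View(doc);
    }
}
```

The same pattern covers the "frequently overlooked" Ajax case: a JSON action that takes a handle and resolves it through the same map needs no separate protection, and an internal id posted by the client is simply not in the map.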
37. Security Misconfiguration – What is it?
Unnecessary features enabled e.g. FTP, SMTP on a web
server, ports opened
Default accounts and passwords still enabled and
unchanged
Errors reveal internal implementation e.g. Trace.axd
38. Security Misconfiguration - Examples
Webcams, Nov 2014
Secure Elmah, Google inurl:elmah.axd “error log for”
39. Security Misconfiguration - Countermeasures
Encrypt connection string
Server retail mode
Ensure application is set for production – automate using
MVC config transforms
SecurityEssentials.sln web.config
41. Sensitive Data exposure – What is it?
Email addresses
Contents of emails
Passwords
Auth token
Credit card details
Private pictures
42. Sensitive Data exposure - Examples
Snapchat Jan 2014
– Phone number upload feature brute forced
Tunisian ISP
– Login pages for Gmail, Yahoo, and Facebook
– Pulls the username and password, and encodes it with a weak
cryptographic algorithm
Wifi Pineapple
– https://www.youtube.com/watch?v=mf5ipnmvDxE
43. Sensitive Data exposure - Countermeasures
Use and enforce SSL/TLS – [RequireHttps]
www.startssl.com
Google: “SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.”
Encrypt sensitive data in storage
Disclosure via URL
Browser auto-complete
Don't store it! e.g. CVV code
SecurityEssentials forcing SSL, HSTS header, prevent server information disclosure, web.config
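The server-side countermeasures from this slide and from the Security Misconfiguration slide (force HTTPS, send an HSTS header, stop the framework and server announcing their versions, and the web.config / deployment settings that go with them), as an added example in C# for ASP.NET MVC. It is not the SecurityEssentials project's own web.config or Global.asax; the application name "/MyApp" in the aspnet_regiis command and the HSTS lifetime are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Global filter: sends plain-HTTP requests to HTTPS (the [RequireHttps] behaviour) and adds
// an HSTS header on secure responses so the browser stops trying HTTP at all.
public class RequireHttpsWithHstsAttribute : RequireHttpsAttribute
{
    private const int OneYearSeconds = 365 * 24 * 60 * 60;   // assumption: lifetime to advertise

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);   // redirects GET over HTTP, rejects other verbs
        if (filterContext.HttpContext.Request.IsSecureConnection)
        {
            filterContext.HttpContext.Response.AppendHeader(
                "Strict-Transport-Security", "max-age=" + OneYearSeconds + "; includeSubDomains");
        }
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new RequireHttpsWithHstsAttribute());
        MvcHandler.DisableMvcResponseHeader = true;   // no X-AspNetMvc-Version header
    }

    // Strips headers that tell a visitor what is running. Needs the IIS integrated pipeline.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Context.Response;
        response.Headers.Remove("Server");
        response.Headers.Remove("X-Powered-By");
    }
}

// Matching configuration, shown as comments because the example is C#:
//
//   web.config
//     <system.web>
//       <httpRuntime enableVersionHeader="false" />          no X-AspNet-Version header
//       <customErrors mode="On" defaultRedirect="~/Error" />  never show a stack trace to the client
//       <trace enabled="false" />                             trace.axd off
//     </system.web>
//   Put these in Web.Release.config as a config transform so a production build cannot
//   ship with debug settings left on.
//
//   On the production server:
//     aspnet_regiis -pe "connectionStrings" -app "/MyApp"   encrypts the <connectionStrings> section
//     machine.config: <deployment retail="true" />          retail mode: overrides debug, trace and customErrors
//
//   In the view, for forms that take card numbers:
//     @using (Html.BeginForm("Pay", "Checkout", FormMethod.Post, new { autocomplete = "off" }))
//   and never store the CVV at all; values that must be kept (card number, personal data)
//   are encrypted at rest, not just in transit.
```

Retail mode is the backstop: even if a transform is forgotten, `<deployment retail="true" />` forces customErrors on and debug and trace off for every application on the machine.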
45. Missing Function Level Access Control – What is it?
Checking the user has permission to be there
www.mysite.com/admin (Requires admin role!)
46. Missing Function Level Access Control - Countermeasures
Path level in web.config
Method level attribute e.g. [Authorize(Roles="Admin")]
Controller level Authorize attribute
Any point in code using identity features in .net (System.Web.Security.Roles.IsUserInRole(userName, roleName))
Use [NonAction]
Don't show links on UI to unauthorised functions
Don't make server side checks depend solely on information provided by the attacker
Obfuscating links is no protection
Least Privilege
SecurityEssentials.sln unit tests
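Controller-level and action-level [Authorize], [NonAction], an explicit [AllowAnonymous] opt-out, and a reflection-based unit test that fails the build when any public action has none of them, as an added example in C# for ASP.NET MVC 4+. It is not the SecurityEssentials project's own test; the controllers are constructed for the example and the test framework in the final comment is assumed to be NUnit.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// The controller-level attribute covers every action; the action-level one narrows it to a role.
[Authorize]
public class AdminController : Controller
{
    [Authorize(Roles = "Admin")]
    public ActionResult Index() { return View(); }

    // Public method that must never be routable, even though it returns an ActionResult.
    [NonAction]
    public ActionResult BuildReport() { return View("Report"); }
}

public class HomeController : Controller
{
    [AllowAnonymous]   // explicit opt-out, so a missing attribute is a bug rather than a default
    public ActionResult Index() { return View(); }

    public ActionResult Dashboard() { return View(); }   // unprotected: the convention test reports it
}

// Convention check for the unit-test project: every public action on every controller must be
// covered by [Authorize] (on the action or on its controller) or carry [AllowAnonymous].
public static class AuthorizationConvention
{
    public static List<string> FindUnprotectedActions(Assembly assembly)
    {
        var unprotected = new List<string>();
        IEnumerable<Type> controllers = assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (Type controller in controllers)
        {
            bool controllerAuthorized = controller.IsDefined(typeof(AuthorizeAttribute), true);
            IEnumerable<MethodInfo> actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType)
                         && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (MethodInfo action in actions)
            {
                bool authorized = controllerAuthorized || action.IsDefined(typeof(AuthorizeAttribute), true);
                bool anonymous = action.IsDefined(typeof(AllowAnonymousAttribute), true);
                if (!authorized && !anonymous) unprotected.Add(controller.Name + "." + action.Name);
            }
        }
        return unprotected;
    }
}

// NUnit test (framework is an assumption); with the controllers above it fails naming
// "HomeController.Dashboard" until that action is given an attribute:
//   [Test]
//   public void EveryActionDeclaresItsAuthorisation()
//   {
//       List<string> missing = AuthorizationConvention.FindUnprotectedActions(typeof(HomeController).Assembly);
//       Assert.IsEmpty(missing, string.Join(", ", missing));
//   }
//
// Path-level protection in web.config is the belt to this braces:
//   <location path="admin">
//     <system.web><authorization><allow roles="Admin" /><deny users="*" /></authorization></system.web>
//   </location>
```

The test deliberately treats [AllowAnonymous] as the only way to ship an unprotected action; hiding the link in the UI, or relying on the caller not knowing the URL, does not satisfy it.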
48. Cross-Site request forgery - What is it?
Attacker sends malicious link
<img src="www.mysite.com/logoff" />
Requires to be logged on
49. Cross-Site request forgery - Examples
TP-Link Routers, Mar 2014
300,000 routers reprogrammed
DNS Servers changed
Exploit known for over a year
Brazil 2011, 4.5m DSL routers reprogrammed
50. Cross-Site request forgery - Countermeasures
Exploits predictable patterns, tokens add randomness to
request
@Html.AntiForgeryToken()
<input name="__RequestVerificationToken" type="hidden" value="NVGfno5qe...... .......yYCzLBc1" />
Anti-forgery token
[ValidateAntiForgeryToken]
NB: Ajax calls
ASP.Net web forms
SecurityEssentials (controller and ajax)
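Anti-forgery validation for both kinds of request on the slide, as an added example in C# for ASP.NET MVC 4+; it is not the SecurityEssentials project's own code. A normal form post uses the built-in [ValidateAntiForgeryToken]; an Ajax call cannot post the hidden field, so the token is sent in a request header and validated with AntiForgery.Validate against the anti-forgery cookie. The header name is an assumption and must match the client script.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Validates the anti-forgery token for Ajax requests, where it arrives in a header.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string HeaderName = "X-RequestVerificationToken";   // assumption

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        string headerToken = request.Headers[HeaderName];
        try
        {
            // The same check [ValidateAntiForgeryToken] performs, with the form token read from the header.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Invalid anti-forgery token");
        }
    }
}

public class AccountController : Controller
{
    // The <img src="…/logoff"> trick on the slide only works while log-off answers to GET.
    // POST-only plus a token means a page on another site cannot trigger it.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // ... sign the user out ...
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAjaxAntiForgeryToken]
    public JsonResult UpdatePreference(string key, string value)
    {
        // ... save the preference for the current user ...
        return Json(new { ok = true });
    }
}

// View side, shown as comments because the example is C#:
//   @using (Html.BeginForm("LogOff", "Account")) { @Html.AntiForgeryToken() <button>Log off</button> }
//   renders <input name="__RequestVerificationToken" type="hidden" value="…" /> inside the form.
//
//   For Ajax, read that hidden input and send it as the header the filter expects:
//   $.ajax({ type: "POST", url: "/Account/UpdatePreference", data: { key: k, value: v },
//            headers: { "X-RequestVerificationToken": $("input[name='__RequestVerificationToken']").val() } });
```

The token is bound to the session cookie, so the attacker's page, which cannot read either the cookie or the hidden field, cannot produce a matching pair; that is the "randomness" the slide refers to.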
51. 9 - Using components with known vulnerabilities
Case Study: WordPress, 2013
3 Year old admin module
10s of thousands of sites affected
No Brute force protection
Possible effects:
Circumvent access controls
SQL Injection, XSS, CSRF
Vulnerable to brute force login
NuGet – keep updated
Apply Windows Update
SecurityEssentials.sln NuGet
52. 10 - Unvalidated redirects and forwards – What is it?
Attacker presents victim with an (obfuscated) url e.g.
https://www.trustedsite.com/signin?ReturnUrl=http://www.nastysite.com/
User logs into safe, trusted site
Redirects to nasty site, malicious content returned
Any redirecting url is vulnerable
MVC3 vulnerable
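A sign-in action that honours ReturnUrl only when it points back into the site, as an added example in C# for ASP.NET MVC (not the SecurityEssentials project's own code). Url.IsLocalUrl is the framework check; the SafeRedirect class below restates the same rule without a controller so it can be unit-tested. The IAuthenticator interface is an assumption.

```csharp
using System;
using System.Web.Mvc;

public interface IAuthenticator { bool SignIn(string userName, string password); }   // assumption

public class AccountController : Controller
{
    private readonly IAuthenticator _auth;

    public AccountController(IAuthenticator auth) { _auth = auth; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult SignIn(string userName, string password, string returnUrl)
    {
        if (!_auth.SignIn(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        return RedirectToLocal(returnUrl);
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Url.IsLocalUrl accepts "/path" and "~/path" and rejects absolute URLs,
        // protocol-relative "//host" and "/\host" forms. Anything else goes to a fixed page.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

// The same rule with no framework dependency, for tests and for non-MVC code paths.
public static class SafeRedirect
{
    public static bool IsLocal(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("/", StringComparison.Ordinal))
        {
            // "/" alone or "/something", but not "//host" or "/\host"
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        return false;   // anything carrying a scheme or a host is rejected
    }
}
```

Given the slide's example, "http://www.nastysite.com/" fails the check and the user lands on the home page instead; "/account/details" passes. Checking only that a URL "contains trustedsite.com" is not enough, because "http://www.nastysite.com/?x=trustedsite.com" contains it too.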
54. Form Overposting – What is it?
[HttpPost]
public ViewResult Edit(User user)
{
    TryUpdateModel( … );
}
[HttpPost]
public ViewResult Edit([Bind(Include = "FirstName")] User user)
{
    TryUpdateModel( … , propertiesToUpdate, … );
}
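The over-posting case written out, as an added example in C# for ASP.NET MVC (not the SecurityEssentials project's own code): an entity with a property that must never come from a form, the action that binds the entity directly, and three ways of closing the hole (a dedicated view model, [Bind(Include=...)] and TryUpdateModel with an include list). The User entity and the IUserRepository interface are assumptions.

```csharp
using System.Web.Mvc;

public class User
{
    public int Id { get; set; }
    public string FirstName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // must never be settable from a form post
}

// Only the fields the edit form is allowed to change.
public class EditUserViewModel
{
    public int Id { get; set; }
    public string FirstName { get; set; }
    public string Email { get; set; }
}

public interface IUserRepository { User Get(int id); void Save(User user); }   // assumption

public class UserController : Controller
{
    private readonly IUserRepository _users;

    public UserController(IUserRepository users) { _users = users; }

    // INSECURE: the default binder fills every public property it finds in the request,
    // so an extra IsAdmin=true field in the posted form promotes the account.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditInsecure(User user)
    {
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // SECURE (preferred): bind a view model and copy the permitted fields explicitly.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(EditUserViewModel model)
    {
        User user = _users.Get(model.Id);   // ownership check as on the IDOR slide belongs here too
        if (user == null) return HttpNotFound();
        user.FirstName = model.FirstName;
        user.Email = model.Email;
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // SECURE (alternative): keep the entity but white-list the bindable properties.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditWithBind([Bind(Include = "Id,FirstName,Email")] User user)
    {
        User existing = _users.Get(user.Id);
        if (existing == null) return HttpNotFound();
        existing.FirstName = user.FirstName;
        existing.Email = user.Email;
        _users.Save(existing);
        return RedirectToAction("Index");
    }

    // SECURE (alternative): TryUpdateModel with an explicit include list.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditWithTryUpdate(int id)
    {
        User user = _users.Get(id);
        if (user == null) return HttpNotFound();
        if (!TryUpdateModel(user, new[] { "FirstName", "Email" })) return View(user);
        _users.Save(user);
        return RedirectToAction("Index");
    }
}
```

The view-model approach is preferred because the white list is the type itself: adding a property to User later cannot silently widen what the form may post, whereas an Include string has to be kept in step by hand.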
55. Securing your site – Code Cheat sheet (1)
Don't trust your users!
Use an ORM
Use a strong account management process
Captcha/throttling
Defeat account enumeration
Hash passwords, encrypt data
Least Privilege
Use and enforce SSL
Encode all output
Secure direct object references
[Authorize]/[Authorize(Roles="")] users
Conceal errors and trace
Use antiforgery tokens
56. Securing your site – Code Cheat sheet (2)
Keep components up to date
Validate redirects
Form overposting
DDOS
Headers
Train staff in social engineering
57. ...and once on the server
Apply a good SSL policy on the server:
https://www.ssllabs.com/projects/best-practices/
Poodle
Encrypt the connection string on the production server
Enable retail mode on the production server
Patch the server
Run www.asafaweb.com on your site to check security
standards are enforced
Ask who works as a developer?
Who works using Mvc?
Who has ever been hacked?
http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/3/
http://www.bbc.co.uk/news/30925696
the World Economic Forum has issued a report that warns failing to improve cyber security could cost the global economy $3tn
http://www.fsb.org.uk/news.aspx?rec=8083
Costs its members around £785 million per year
Average loss is £6000 per company
20 per cent of members have not taken any steps to protect themselves from a cyber crime
http://www.csoonline.com/article/2130877/data-protection/the-15-worst-data-security-breaches-of-the-21st-century.html
http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/3/
Memos leaked from Sony which criticised members of the government
Target - U.S. sales were “meaningfully weaker.” The company’s chief information officer, tasked with internal security, resigned three months into the new year.
Icloud - Over a hundred nude photos, some extremely explicit, were posted in total on the infamous discussion board 4chan
Snapchat - 13 gigabytes of data -- including photos and videos -- were pilfered by hackers, which eventually made its way to image sharing site 4chan.
Ebay – emails and postal addresses
Most companies conceal the attacks or are unaware of them
http://www.zdnet.com/article/hackers-for-hire-anonymous-quick-and-not-necessarily-illegal/
https://hackerslist.com/
Marketplace for people wanting to hire hackers, offers bounties. 500 hacking jobs have been put to the bid since the site's launch last year. Submitted anonymously by the site's users, hackers then seek to outbid each other to secure the work, which ranges from breaking into email accounts to taking down websites. The variety of jobs is far-ranging; from breaking into Gmail accounts to corporate email and taking down websites in revenge. Surprisingly, many jobs listed on the site are for the purpose of education -- with customers pleading for hackers to break into school systems in order to change grades. Other jobs include de-indexing pages and photos from search engines, acquiring client lists from competitors and retrieving lost passwords. There is a 'responsible use policy' on the website.
http://xkcd.com/327/
http://www.csoonline.com/article/2128432/data-protection/sony-apologizes—details-playstation-network-attack.html
The initial attack was disguised as a purchase, so wasn't flagged by network security systems. It exploited a known vulnerability in the application server to plant software that was used to access the database server that sat behind the third firewall.
http://www.scmagazine.com/researchers-discover-two-sql-injection-flaws-in-wordpress-security-plugin/article/369851/
Two SQL injection vulnerabilities in the All In One WordPress Security and Firewall plugin for blogging platform WordPress. The All In One WordPress Security and Firewall plugin “reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques,” according to WordPress.org. It has more than 400,000 downloads.
http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
http://www.business2community.com/tech-gadgets/russian-hackers-means-website-0979723#!bLWV8O
The attack is performed by the bot finding any blank fields that can be typed into, such as comment boxes, searches and other blank boxes. The bot then starts working to see if the site can be hacked into and secure information compromised, such as: Names, Addresses, Passwords, Credit card numbers.
http://youtu.be/pTDGz7vN3NE?t=12s
http://www.independent.co.uk/news/fine-for-boy-who-hacked-into-pentagon-1274204.html
16 at the time, found guilty and fined £1,200. Got a D grade in A-level computer science, downloaded material about artificial intelligence and battlefield management systems
http://www.bbc.co.uk/news/technology-27503290
Not disclosed how the hack took place. No financial data was lost. Took 3 months to disclose the breach.
http://en.wikipedia.org/wiki/2012_LinkedIn_hack
All accounts were decrypted
https://haveibeenpwned.com/
http://www.wired.com/2008/09/palin-e-mail-ha/
Story posted on 4Chan the stronghold of the Anonymous griefer collective
http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all
Google account taken over and deleted, twitter account used to tweet racist remarks, iPhone, iPad and MacBook remotely wiped.
Could have used two factor authentication to prevent this.
Google display last 4 digits of CC number in clear, Apple uses the last 4 digits as security.
Apple requires billing address which the hacker got from doing a whois search on his web domain
Apple issues a temporary password to mail account despite the caller not being able to answer security questions.
Apple email was used to hack gmail, which was used to reset twitter account.
Every time you order pizza you give the delivery boy everything you need to reset your account and take over your life.
Devices were wiped just to prevent him getting back in, everything was done for a 3 letter twitter handle.
The same process the hackers used has subsequently been verified on other accounts.
http://uk.businessinsider.com/apple-fixes-security-flaw-in-find-my-iphone-software-2014-9
Find my phone login page was vulnerable whereas the other logins were not, combining this with a list of common passwords enabled the hack. The speech that outlined the vulnerability took place at the Def Con conference in Russia on Aug. 30,
http://anti-captcha.com/
http://www.makeuseof.com/tag/ebay-security-breach-reconsider-membership/
http://www.zdnet.com/article/over-99-percent-of-about-com-links-vulnerable-to-xss-xfs-iframe-attack/
98m monthly visitors. A security researcher disclosed Monday that "at least 99.88%" of all topic links and all domains and sub-domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks. These attacks are open to anyone.
About.com have not responded even 3 months later. Search field on main page is also affected
http://m.bbc.co.uk/news/technology-30686697
Immobilise is recommended by most of the UK police. The data held is a person's name and address, as well as a list of valuables and a rough estimate of how much each item is worth. It is thought that more than four million people use the service. Fixed quickly
http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/
The hackers wrote a script that automatically repeated an insecure direct object reference attack tens of thousands of times to steal credit card information.
http://www.bbc.co.uk/news/technology-30896765
Xbox and PlayStation gaming networks offline over Christmas 2014
Database of 14,241 people who signed up was captured with usernames and passwords in plain text.
Hack was made over AJAX
http://www.bbc.co.uk/news/technology-30121159
Russian based site, subsequently taken down providing thousands of live feeds to web cams and baby monitors which still have the default passwords set.
Older versions of the hardware had no password or a default one, and remote access was on by default.
The admin of the site did not consider himself a hacker, as he'd performed no hacking.
The manufacturer changed the login process, requiring users to change the password when they first logged in.
Foscam was the most commonly listed brand, followed by Linksys and then Panasonic.
This is not the first time problems with Foscam cameras have been highlighted. In 2013, a family based in Houston, Texas revealed that they had heard a voice shouting lewd comments at their two-year old child coming out of their Foscam baby monitor. They provided a software fix for this.
http://www.bbc.co.uk/news/technology-25572661
usernames and phone numbers for 4.6 million Snapchat accounts have been downloaded by hackers
http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-and-passwords/12429/
Injected JavaScript is customized for each site's login form. It encodes the username and password with a weak crypto algorithm and passes them to a URL to which a randomly generated five-character key is added, as a GET request to a non-working URL. In the Gmail example, you see this URL listed as http://www.google.com/wo0dh3ad
https://www.youtube.com/watch?v=mf5ipnmvDxE
http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-settings.html
D-Link, Micronet, Tenda, TP-Link and other manufacturers affected. administrative interfaces accessible from the Internet, making them susceptible to brute-force password-guessing attacks. CSRF techniques to attack routers when their administration interfaces
Meetup.com DDOS: http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/
In the time the servers were down 60000 meetups took place.
Meetup has refused to pay the small ransom as it believes doing so would make the perpetrators of the attacks demand more money.
Meetup confirms it’s now working with Cloudflare to help with the DDoS
DDOS ZdNet: http://www.zdnet.com/article/global-ddos-attacks-increase-90-percent-on-last-year/
Distributed denial-of-service (DDoS) attacks nearly doubled since 2013.
one campaign generating 106Gbps of malicious traffic
The exploitation of web vulnerabilities, the addition of millions of exploitable internet-enabled devices, and botnet building.
Rise in IoT and networked devices increases the ability to attack
United States and China continued as the lead source countries for DDoS traffic
Software-as-a-service and cloud-based technologies came in as the second most targeted industry
http://youtu.be/mwoXrF5N_F8?t=17m54s
http://www.zdnet.com/article/badusb-big-bad-usb-security-problems-ahead/
Demoed at the Black Hat conference: an ordinary USB pen drive can be turned into an automated hacking tool.
USB controller chips' firmware offers no protection from reprogramming
The exploit is currently zero-day
A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
A modified thumb drive or external hard disk can — when it detects that the computer is starting up — boot a small virus, which infects the computer’s operating system prior to boot.
There's no effective way to detect a corrupted USB device
There are ways to fix this problem. First, USB chipset manufacturers can start hardening their firmware so it can't be easily modified. Security companies can start adding programs to check USB devices for unauthorized firmware alterations.