Web security leeds sharp dot netnotts

Web Security
By John Staveley
Dot Net Notts 29/02/2016
https://uk.linkedin.com/in/johnstaveley/
@johnstaveley

Overview

Why Security?
– (case studies)

Who are the hackers?

How?
– (with solutions)

SecurityEssentials.sln

...and then on the server

Further resources

Summary

Questions

Who am I?

John Staveley

Mvc.net developer

Not a security expert!

Why Security? - Some headlines

ZdNet 2014, “Hundreds of millions of records have been
stolen this year through hacks and data breaches as a result
of poor, or flawed security.”

Davos 2015, “Every time we talked to a top 500 company
about cyber-security, they'd say to us: 'talk to my technology
guy', now the board of directors and the CEOs of the
companies pay attention. There is a new sense of urgency" –
Head of a security company

FSB 2013, 41% of small businesses are a victim of cyber
crime.

Why Security? - Some example breaches

Sony – films, confidential email, payroll

Target – 110 million records lost including credit card details.
Current cost $110m

Home Depot – 56m credit card, 53m email addresses

JPMorgan – 10s of millions of customers data lost

BadUSB

ICloud celebrity pictures

Snapchat – 13Gb of data

Ebay – 145 million user records lost. $220m loss

Heartbleed

etc

Why Security? - and the rest...

Why Security?

Loss of reputation

Blacklisting

Litigation

Fines e.g. Data protection act, PCI compliance

What we will/won't cover

WILL:

Web application security (MVC)

WON'T:

Physical security

Network security

Trojans, Worms, Viruses

IDS, Firewalls, Honey pots

Internal threats

Advanced persistent threats

DDOS

Social Engineering

Presentation Approach

OWASP Top 10

Not for profit

Cover all technologies

Reviewed every 3 years

Helps you prioritise

Chapter outline

What is the hack?

Who has been affected by it?

What are the mitigations/countermeasures?

Questions

DEMO

SecurityEssentials.sln

https://github.com/johnstaveley/SecurityEssentials

SQL Injection – What is it?
string strQry = "SELECT * FROM Users WHERE
UserName='" + txtUser.Text + "' AND Password='" +
txtPassword.Text + "'";
EXEC strQry
Put in username field: Admin' And 1=1 –
SELECT * FROM Users WHERE UserName='Admin'
And 1=1 --' AND Password=''
Put in password field: '; DROP TABLE Users --
SELECT * FROM Users WHERE UserName='' AND
Password=''; DROP TABLE Users –'
http://www.not-secure.com/products?Id=14
Havij
http://youtu.be/RBUOJpAfMn4?t=1m28s

2 - Broken authentication and session management

Password security

Session Hijacking

Weak Account Management

Password Security

What is it? - Storage, Policy and entry

Password storage

Plain text = No security (http://plaintextoffenders.com/)

Base64 encoding = No security

Avoid Encryption – can be broken

Use hashing (password = 5f4dcc3b5aa765d61d8327deb882cf99)

Common hashes can be googled

Use a salt

Don't use RC4, MD4, MD5 and SHA-1

HashCat http://youtu.be/pTDGz7vN3NE?t=12s

Use PBKDF2, SCrypt, Bcrypt

Passwords Policy:

Enforce minimum complexity

Do not reject special characters

Validate passwords against a list of known bad passwords

Do not allow personal information in the password

Password Entry:

Don't disallow paste on a web page

Password Security - Examples

Case Study: Richard Pryce

Case Study: Ebay May 2014

Up to 145 million users affected

$200m loss

Poor password encryption blamed

Case Study: LinkedIn 2012

6.5 million user accounts stolen by Russian criminals

Password Security - Examples

https://haveibeenpwned.com/

SecurityEssentials.sln pwd: Hash, checking, strength

Session hijacking – The What

Session Hijacking – The how

Concept – Man In The Middle (MITM)

Opening up the browser

CSRF

Sensitive data exposure

DEMO: Session stealing using document.cookie=""

Session Hijacking - Countermeasures

Counter client code access of cookies (MITM): HttpOnly

Counter auth token 'Sniffing' – Use HttpsOnly (Anti-XSS)

<forms loginUrl="~/Account/Login" timeout="60" requireSSL="true"
slidingExpiration="false"/>

Private error logging/trace

Reducing session timeout reduces exposure

Track sessions - session invalidated during logoff?

SecurityEssentials.sln web.config with transforms

Weak account management – What is it?

Owning the account

Why?
– Sensitive data
– Admin privileges

Registration

Logon

Remember me

Password reset

Change account details

Logoff

Call Centre

Weak account management – Case Study

Weak account management – Case Study

News contained details Sarah Palin used Yahoo mail

Security Information

Birthday?

2 minutes on Wikipedia

Zip Code?

Wallisa only has 2 postcodes

Where did you meet your spouse?

High School

=> Password reset

Weak account management - Countermeasures (1)

Account enumeration - Can occur on registration, logon or
password reset forms

Success - “An account reset key has been emailed to you”

Failure - “That user account does not exist”

Success or Failure - “An account reset key has been
emailed to you”

Use Https ([RequireHttps]) to protect sensitive data


Brute force Logon - Do not lock out on incorrect logon –
DOS

Brute force Registration/Password reset:
– CAPTCHA and/or throttling to prevent brute force
– http://anti-captcha.com/

Verify email address by sending an email

Re-challenge user on key actions e.g. prompt for old
password when entering new password

Log and send email when any account state changes


Password reset

Don't send new password out – DOS

Send email with expiring token (1 hour)

Security questions: Concise, Specific, has a large range of answers, low
discoverability, constant over time

Never roll your own membership provider or session
management – use the default one in the framework

Outsource the solution e.g. Azure Active Directory or
OpenId

SecurityEssentials.sln – Account Management process,
anti-enumeration, logging, email verification, email on
change, activity log, throttling, CAPTCHA, auto-complete
off, increase logon time failure

3 – Cross Site Scripting (XSS)

Cross site scripting (XSS) – What is it?
www.mysite.com/index?name=Guest
Hello Guest!
www.mysite.com/index?name=<b>Guest<b>
Hello Guest!
www.mysite.com/index?name=Guest<script>alert('Gotcha!')</script>
Hello Guest!
www.mysite.com/index?name=<script>window.onload = function() {var
link=document.getElementsByTagName("a");link[0].href="http://not-real-
xssattackexamples.com/";}</script>
www.mysite.com/index?name=<script>Insert evil script here</script>

Cross site scripting (XSS) – What is it?

Encoded data vs unencoded
e.g. <b>Guest<b> vs <b>Guest</b>

Cookie theft!
<script>alert(document.cookies)</script>

Concept: Don't trust your users!

Reflected vs Persisted XSS

Attack Vector: Social Network, Email etc

Cross site scripting (XSS) – Examples

Case Study: Legal Helpdesk

Enabler:

Session stealing

DOS

Sensitive data exposure

Ebay, Sep 2014 – http://www.makeuseof.com/tag/ebay-security-breach-
reconsider-membership/

About.com, Oct 2014 – 99.98% of links susceptible
– Mar 2015 – still unpatched

Cross site scripting (XSS) - Countermeasures

Validate untrusted data – don't trust your users!

Sources of data – html post, urls, excel/csv import, import of
database

Mvc3 - “A potentially dangerous Request.Form value was
detected from the client”, except:

What if you want to post HTML? [AllowHTML]

Countermeasure: Encode reflected data

Mvc3 encodes Html by default

Except @Html.Raw(Model.MyStuff)

For 'safe' HTML fragments use WPL (AntiXSS) Library for
HTML, CSS, URL, JavaScript, LDAP etc

Concept: Black vs White listing

SecurityEssentials: Incorporation of AntiXSS Library

Comparison with ASP.Net web forms

4 – Insecure Direct Object
References

Insecure direct object references – what is it?
www.mysite.com/user/edit/12345
// Insecure
public ActionResult Edit(int id)
{
var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
return View("Details", new UserViewModel(user);
}
// Secure
public ActionResult Edit(int id)
{
var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
// Establish user has right to edit the details
if (user.Id != UserIdentity.GetUserId())
{
HandleErrorInfo error = new HandleErrorInfo(new Exception("INFO: You do not have
permission to edit these details"));
return View("Error", error);
}
return View("Edit", new UserViewModel(user);
}

Insecure direct object references - Examples

Immobilise Jan 2015

Citigroup, 2011
– 200,000 customer details exposed

Insecure direct object references - Countermeasures

Check the user has permission to see a resource
– Don't expose internal keys externally
– Map keys to user specific temporary non-guessable ones to
prevent brute force

Frequently overlooked:
– Ajax calls
– Obfuscation of paths does not work
– Passing sensitive data in urls

SecurityEssentials.sln User edit

5 – Security Misconfiguration

Security Misconfiguration – What is it?

Unnecessary features enabled e.g. FTP, SMTP on a web
server, ports opened

Default accounts and passwords still enabled and
unchanged

Errors reveal internal implementation e.g. Trace.axd

Security Misconfiguration - Examples

Webcams, Nov 2014

Secure Elmah, Google inurl:elmah.axd “error log for”

Security Misconfiguration - Countermeasures

Encrypt connection string

Server retail mode

Ensure application is set for production – automate using
MVC config transforms

SecurityEssentials.sln web.config

Sensitive Data exposure – What is it?

Email addresses

Contents of emails

Passwords

Auth token

Credit card details

Private pictures

Sensitive Data exposure - Examples

Snapchat Jan 2014
– Phone number upload feature brute forced

Tunisian ISP
– Login pages for Gmail, Yahoo, and Facebook
– Pulls the username and password, and encodes it with a weak
cryptographic algorithm

Wifi Pineapple
– https://www.youtube.com/watch?v=mf5ipnmvDxE

Sensitive Data exposure - Countermeasures

Use and enforce SSL/TLS – [RequireSSL]

www.startssl.com

Google: “SSL/TLS accounts for less than 1% of the CPU
load, less than 10KB of memory per connection and less
than 2% of network overhead.”

Encrypt sensitive data in storage

Disclosure via URL

Browser auto-complete

Don't store it! e.g. CVV code

SecurityEssentials forcing SSL, HSTS header, prevent
server information disclosure, web.config

7 – Missing Function Level Access
Control

Missing Function Level Access Control – What is it?

Checking the user has permission to be there

www.mysite.com/admin (Requires admin role!)

Missing Function Level Access Control - Countermeasures

Path level in web.config

Method level attribute e.g. [Authorize(Roles=”Admin”)]

Controller level Authorize attribute

Any point in code using identity features in .net
(System.Web.Security.Roles.IsUserInRole(userName,
roleName)

Use [NonAction]

Don't show links on UI to unauthorised functions

Don't make server side checks depend solely on
information provided by the attacker

Obfuscating links is no protection

Least Privilege

SecurityEssentials.sln unit tests

8 – Cross Site Request Forgery

Cross-Site request forgery - What is it?

Attacker sends malicious link

<img src=”www.mysite.com/logoff” />

Requires to be logged on

Cross-Site request forgery - Examples

TP-Link Routers, Mar 2014

300,000 routers reprogrammed

DNS Servers changed

Exploit known for over a year

Brazil 2011, 4.5m DSL routers reprogrammed

Cross-Site request forgery - Countermeasures

Exploits predictable patterns, tokens add randomness to
request
@Html.AntiForgeryToken()
<input name="__RequestVerificationToken" type="hidden"
value="NVGfno5qe...... .......yYCzLBc1" />

Anti-forgery token
[ValidateAntiForgeryToken]

NB: Ajax calls

ASP.Net web forms

SecurityEssentials (controller and ajax)

9 - Using components with known vulnerabilities

Case Study: WordPress, 2013

3 Year old admin module

10s of thousands of sites affected

No Brute force protection

Possible effects:

Circumvent access controls

SQL Injection, XSS, CSRF

Vulnerable to brute force login

NuGet – keep updated

Apply Windows Update

SecurityEssentials.sln NuGet

10 - Unvalidated redirects and forwards – What is it?

Attacker presents victim with an (obfuscated) url e.g.
https://www.trustedsite.com/signin?ReturnUrl=http://www.nastysite.com/

User logs into safe, trusted site

Redirects to nasty site, malicious content returned

Any redirecting url is vulnerable

MVC3 vulnerable

Unvalidated redirects and forwards - Countermeasures

MVC4 problem solved (for login):

Form Overposting – What is it?
[HttpPost]
public ViewResult Edit(User user)
{ TryUpdateModel( … }
[HttpPost]
public ViewResult Edit([Bind(Include = "FirstName")] User user)
{ TryUpdateModel( … ,propertiesToUpdate, … }

Securing your site – Code Cheat sheet (1)

Don't trust your users!

Use an ORM

Use a strong account management process

Captcha/throttling

Defeat account enumeration

Hash passwords, encrypt data

Least Privilege

Use and enforce SSL

Encode all output

Secure direct object references

[Authorize]/[Authorize(Roles=””)] users

Conceal errors and trace

Use antiforgery tokens

Securing your site – Code Cheat sheet (2)

Keep components up to date

Validate redirects

Form overposting

DDOS

Headers

Train staff in social engineering

...and once on the server

Apply a good SSL policy on the server:
https://www.ssllabs.com/projects/best-practices/

Poodle

Encrypt the connection string on the production server

Enable retail mode on the production server

Patch the server

Run www.asafaweb.com on your site to check security
standards are enforced

Further Resources

OWASP Top 10

Pluralsight courses

CEH Certification

ZdNet

Security Now Podcast

Summary

Hacks have been increasing in number and sophistication

OWASP Top 10

Specific solutions in Mvc

Web security leeds sharp dot netnotts

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Web security leeds sharp dot netnotts

Similar to Web security leeds sharp dot netnotts (20)

More from John Staveley

More from John Staveley (14)

Recently uploaded

Recently uploaded (20)

Web security leeds sharp dot netnotts

Editor's Notes