
Security Vulnerabilities: How to Defend Against Them

In recent years it has become the norm to wake up to news about hackers, cyber attacks, ransom campaigns and the NSA. Since 2003 the Open Web Application Security Project (OWASP) has been the go-to reference for learning about security vulnerabilities, and it publishes a list of the Top 10 most common security issues for the Web.

In this talk we will review that list to learn the details of each issue and discuss how to harden and defend our Web applications against those vulnerabilities. If you care about your product and your customers' data, want to become a better developer, or are simply interested in the kinds of cyber attacks criminals use to compromise websites, this talk is for you.

  1. UPCOMING COURSES: Node.js 101, Nov 16 @ITESO; UX Workshop Sessions: Qualitative Research, Dec 2 @GDL; Portable Stream and Batch Processing with Apache Beam, Dec 2 @GDL (in partnership w/ Google & Apache Software Foundation); Vue.js Workshop, Dec 9 @CDMX. Grow your career: free courses in Artificial Intelligence, Software Development, User Experience and more @WizelineAcademy /WizelineAcademy academy.wizeline.com. Get notified about courses: tinyurl.com/WL-academy
  2. Common Web Vulnerabilities and how to defend against them. Martin Vigo, @martin_vigo, martinvigo.com
  3. Martin Vigo, Galicia, Spain. Senior Product Security Engineer: Web, Mobile, Authentication. Research, bug bounties & gin tonics. @martin_vigo ⇹ martinvigo.com ⇹ martinvigo@gmail.com
  4. Web & Mobile
  5. Web vs Mobile: common vulnerabilities
  6. Injection
  7. An attacker is able to execute arbitrary code on Flickr servers just by sending POST requests
  8. SQL Injection. The web application receives a POST request with userName="admin" and password="qwerty" and builds the query with string concatenation: String query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password + "';" The database receives: SELECT * FROM users WHERE username = 'admin' AND password = 'qwerty';
  9. SQL Injection. Same code: String query = "SELECT * FROM users WHERE username = '" + userName + "' AND password = '" + password + "';" The web application now receives a POST request with userName="' OR '1'='1' --" and password="". The database receives: SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = ''; (the comment marker discards the password check)
  10. More advanced attacks ● Checking database version ○ SELECT @@version ● Blind SQLi ○ Trial/error ■ SELECT * FROM users WHERE id = '5' OR '1'='1'; ■ SELECT * FROM users WHERE id = '5' AND '1'='2'; ○ Timing attacks ■ IF EXISTS (SELECT * FROM creditcards) waitfor delay '0:0:5' ● File upload + Remote Code Execution ○ ' UNION SELECT "<? system($_REQUEST['cmd']); ?>",2,3 INTO OUTFILE '/var/www/test/execcmd.php' ● And more! ○ Check out SQLMap ● Other injection attacks ○ LDAP, OS commands, etc.
  11. Recommendations ● Assume all user input is bad ● Parameterized queries ○ Stored procedures ● Escaping ○ Single quotes are especially dangerous ● Pattern checks ○ Full names, phone numbers, emails ● Whitelists ● Protect the infrastructure ○ DB is run by a low-privilege user ○ DB sits in a separate environment. Parameterized example (Java, JDBC): PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE username = ? AND password = ?"); stmt.setString(1, userName); stmt.setString(2, password);
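The two queries from slides 8 through 11 side by side, as an added Python example that is not part of the talk. It runs slide 9's payload through the concatenated query and through a parameterized one against a constructed in-memory SQLite database, and adds the whitelist pattern check slide 11 recommends. The table, the user row, the username pattern and the function names are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed in-memory database with a single user so the example runs offline.
# (The password is stored in cleartext here only to mirror the slide's query.)
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'qwerty')")
conn.commit()


def login_vulnerable(user_name, password):
    """Slide 8's string concatenation: user input is spliced into the SQL text,
    so a quote in the input ends the string literal and the rest becomes code."""
    query = ("SELECT * FROM users WHERE username = '" + user_name
             + "' AND password = '" + password + "';")
    return conn.execute(query).fetchall()


def login_parameterized(user_name, password):
    """Slide 11's fix: the SQL text is fixed and the values travel separately,
    so the database never interprets them as part of the statement."""
    stmt = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(stmt, (user_name, password)).fetchall()


# Whitelist pattern check (defence in depth, not a substitute for parameters).
# Hypothetical rule for this example: usernames are short and alphanumeric.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def username_is_well_formed(user_name):
    return USERNAME_PATTERN.fullmatch(user_name) is not None


def demo():
    """Run the legitimate login and slide 9's payload through both versions."""
    payload = "' OR '1'='1' --"
    return {
        "legit_concat": len(login_vulnerable("admin", "qwerty")),
        "attack_concat": len(login_vulnerable(payload, "")),    # 1 row: check bypassed
        "legit_param": len(login_parameterized("admin", "qwerty")),
        "attack_param": len(login_parameterized(payload, "")),  # 0 rows: just an odd username
        "payload_well_formed": username_is_well_formed(payload),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized version returns no rows for the payload because the driver hands `' OR '1'='1' --` to SQLite as a value to compare against, not as text to compile; the pattern check rejects it before a query is even built.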
  12. An attacker is able to execute arbitrary code on Flickr servers just by sending POST requests
  13. Sensitive Data Exposure
  14. LastPass, a popular cloud-based password manager, encrypts all passwords and claims zero knowledge. An attacker is able to look at the encrypted data and obtain cleartext passwords
  15. Crypto ● Cryptography is hard! ● Encoding != Encryption ● Multiple crypto algorithms ○ Many broken ○ Or tricky to implement securely ■ Insufficient key length ■ Global keys ■ Null IVs ■ Insecure PRNGs. (Image: the same picture in cleartext, encrypted with AES-ECB, and encrypted with AES-CBC)
  16. Password storage ● In cleartext ○ Insecure ● Encrypted ○ Unnecessary risk ● Hashed with broken algorithms ○ Crackable ● Unsalted ○ Rainbow tables ● Without using key-derivation functions ○ Brute-forceable
  17. Insecure communication ● HTTP ○ Cleartext protocol ○ No confidentiality, integrity or identification ● HTTPS ○ Weak cipher suites ■ POODLE, BEAST, Lucky 13 ○ Not enforced ■ SSLStrip ○ Mixed content ■ Cookies leak ● Certificates ○ Self-signed ○ No host validation
  18. Recommendations ● Crypto ○ Only use standards ○ 128-bit minimum key length ○ Non-global, random, unique keys ● Password storage ○ Don't store passwords! ○ Store hashes ■ MD5 broken, SHA1 deprecated ■ Salted per user ■ Use key-derivation functions ● bcrypt, scrypt, PBKDF2 ● Communications ○ Only HTTPS ■ TLS 1.1 or above ○ Enforce it! ■ HSTS, CSP ○ Trusted, signed certs only ○ Key pinning
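The password-storage advice of slides 16 and 18 in code, as an added Python example that is not from the talk: a per-user random salt, PBKDF2-HMAC-SHA256 from the standard library, and a constant-time comparison on verification, next to the unsalted MD5 the slides warn against. The storage string format, the function names and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this example; raise it as hardware allows.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as a self-describing string
    so the salt and iteration count can be recovered (and later increased)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def unsalted_md5(password):
    """What slide 16 warns against: fast, unsalted, and identical for identical
    passwords, so one rainbow-table lookup covers every user with that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = hash_password("qwerty")
    print(stored)
    print(verify_password("qwerty", stored), verify_password("Qwerty", stored))
    print(hash_password("qwerty") != stored)  # different salt, different hash
```

Two users who pick "qwerty" get different stored strings, so a precomputed table for one is useless against the other; the slow derivation makes each guess expensive for an attacker who does get the database.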
  19. LastPass, a popular cloud-based password manager, encrypts all passwords and claims zero knowledge. An attacker is able to look at the encrypted data and obtain cleartext passwords
  20. XML External Entity (XXE)
  21. An attacker is able to make one single GET request to Facebook and obtain the /etc/passwd file
  22. XML ● It's a markup language ● A DTD defines the structure of the XML document ○ Can be a separate file and stored externally ● Entities are pointers to data ○ Can also point externally
  23. XXE ● Targets XML parsers ○ Caused mostly by misconfiguration ● Attacker sends specially crafted XML payloads ○ References to external entities ● XML parsers are present everywhere ○ Document formats (OOXML, ODF, PDF) ○ Image formats (SVG, EXIF headers) ○ Configuration files ○ Networking protocols (SOAP, SAML)
  24. XXE threats: Remote File Read, Remote Code Execution, Denial of Service, SSRF
  25. Recommendations ● Know and audit your XML parsers ● Disable DTDs completely ○ Disallow an inline DTD ○ Do not include external entities ○ Do not include parameter entities ○ Do not include external DTDs ● Validate and sanitize ● Great cheat sheet: www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
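Slide 25's "disable DTDs completely" as an enforceable check, in an added Python example that is not from the talk. It uses the standard library's expat parser with handlers that abort as soon as a DOCTYPE or any entity declaration appears, and only then hands the bytes to `xml.etree`. Python's expat does not fetch external entities on its own, so the point of the check is to apply the rule uniformly: it also stops internal entity expansion (the denial-of-service case from slide 24) and malformed input. The two XML documents and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def reject_dtd(xml_bytes):
    """Pre-parse pass: refuse any document that declares a DTD or entities.
    Raising inside an expat handler aborts the parse immediately."""
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} declared (system id {system_id!r})")

    def on_entity(*decl):  # (name, is_parameter_entity, value, base, system_id, ...)
        raise DtdNotAllowed(f"entity {decl[0]!r} declared")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes):
    """Parse XML from an untrusted source only after the DTD check passes."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_safe(xml_bytes):
    """True if the document has no DTD and is well-formed; malformed input
    from an untrusted party is treated as unsafe rather than as an error."""
    try:
        reject_dtd(xml_bytes)
    except (DtdNotAllowed, expat.ExpatError):
        return False
    return True


# Constructed sample input: an ordinary document and one that declares an
# external entity pointing at a (placeholder) local file.
BENIGN_XML = b"<order><item>widget</item><qty>2</qty></order>"
DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///constructed/placeholder/secret.txt"> ]>
<order><item>&ext;</item></order>"""

if __name__ == "__main__":
    print(parse_untrusted(BENIGN_XML).tag)   # order
    print(is_safe(BENIGN_XML), is_safe(DTD_XML))  # True False
```

Audit every parser this way, not just the one in the request handler: as slide 23 notes, SVG uploads, SOAP and SAML endpoints and Office-format importers all feed XML to a parser somewhere.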
  26. An attacker is able to make one single GET request to Facebook and obtain the /etc/passwd file
  27. Cross-Site Scripting (XSS)
  28. Samy Kamkar, a famous security researcher, was able to shut down the #1 site on the internet at the time, MySpace. He did that simply by updating his profile
  29. Code vs Data: <body> <div id="foo">Hello World!</div> </body> (labelled: tag name, attribute name, attribute value, text content; which parts are data and which are code)
  30. What if…? <body> <div id="">Hello World!</div> </body> We want to set id to foo">bar
  31. <body> <div id="foo">bar">Hello World!</div> </body> (the quote in the data closed the attribute, so bar"> became code)
  32. What if…? <body> <div id="foo"></div> </body> The attacker's reflected input is </div><img src=x onerror="alert('hacked!')"><div>
  33. <body> <div id="foo"></div><img src=x onerror="alert('hacked!')"><div></div> </body> The onerror attribute is a JavaScript handler, interpreted as JavaScript code; src=x is an invalid URI, which triggers the error. Game over!
  34. XSS: delivering malicious payloads that trick the browser into interpreting them as code instead of data, allowing an attacker to execute arbitrary JavaScript code in the domain context. Martin Vigo @ Wizeline Academy 2017
  35. XSS threats ● Session hijacking ○ Steal cookies using document.cookie ● Phishing ○ Modify the UI and display a fake login page ● Data leakage ○ Parse the DOM and exfiltrate data with XHR requests to the attacker's domain ● Abuse HTML5 APIs ○ Access the user's geolocation, webcam, microphone, etc. ● Mining cryptocurrencies ○ Coinhive ● All this and much more! ○ Check out the BeEF Project!
  36. Types ● Non-persistent XSS ○ Malicious payload is reflected off the server into the DOM ○ Usually delivered in URL parameters ■ Spam campaigns, clickbait, etc. ○ Usually obfuscated ■ https://www.google.com/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%68%61%63%6b%65%64%21%27%29%3c%2f%73%63%72%69%70%74%3e ■ http://bit.ly/2ihPpjZ ○ DOM-based XSS is a special non-persistent case ● Persistent XSS ○ Malicious payload is stored server side ○ Payload is rendered every time the victim requests the page ○ The most dangerous one
  37. How do we fix this?
  38. Encoding & escaping ● Encode HTML special characters ○ Tells the browser it is data, not code ○ &lt;script&gt;alert('Hacked!')&lt;/script&gt; ● Be aware of the different contexts ○ And the different parsers! ■ And the different encodings! ● Use existing libraries that do all this for you!
  39. Add security layers ● Use Content Security Policy ○ Tells the browser which origins are allowed and trusted ■ Content-Security-Policy: default-src 'self'; script-src 'self' ● Serve the X-XSS-Protection header ○ Helps prevent reflected XSS ○ Protects old browsers that don't support CSP ● Protect your sensitive cookies with the HttpOnly flag ○ Disables access through document.cookie
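Slides 29 through 39 worked through in code, as an added Python example that is not from the talk. The slide's markup is built twice, once by raw concatenation (slides 31 and 33) and once with `html.escape` applied per context (slide 38), and a small tag counter built on the standard library's `HTMLParser` checks which version lets the attacker's data turn into tags. The response headers from slide 39 are collected in one place; the `Secure` flag on the cookie is a standard addition the slide does not mention, and all function names are assumptions for the example.

```python
import html
from html.parser import HTMLParser


def render_page_unsafe(element_id, text):
    """Slides 31 and 33: user-controlled values pasted straight into the markup."""
    return f'<body><div id="{element_id}">{text}</div></body>'


def render_page(element_id, text):
    """Slide 38: encode for the context each value lands in. The attribute
    value needs quotes encoded too (quote=True); text content needs & < >."""
    safe_id = html.escape(element_id, quote=True)
    safe_text = html.escape(text, quote=False)
    return f'<body><div id="{safe_id}">{safe_text}</div></body>'


class TagCounter(HTMLParser):
    """Records every start tag the browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the list of start tags in the markup, in document order."""
    counter = TagCounter()
    counter.feed(markup)
    counter.close()
    return counter.tags


def security_headers():
    """Slide 39's extra layers, to be sent with every HTML response."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-XSS-Protection": "1; mode=block",
        # SID value is a placeholder; Secure is standard practice, HttpOnly is the slide's point.
        "Set-Cookie": "SID=<session id>; Secure; HttpOnly",
    }


if __name__ == "__main__":
    attr_payload = 'foo">bar'                                           # slide 30
    text_payload = "</div><img src=x onerror=\"alert('hacked!')\"><div>"  # slide 32
    print(tags_in(render_page_unsafe("foo", text_payload)))  # ['body', 'div', 'img', 'div']
    print(tags_in(render_page("foo", text_payload)))         # ['body', 'div']
    print(render_page(attr_payload, "Hello World!"))
```

With encoding, the parser sees exactly two tags however hostile the input, because `<` became `&lt;` and `"` became `&quot;`: the data stays data. Encoding belongs at output time and must match the context (HTML body, attribute, URL, JavaScript string), which is why the slide says to use a library rather than hand-rolling it.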
  40. Samy Kamkar, a famous security researcher, was able to shut down the #1 site on the internet at the time, MySpace. He did that simply by updating his profile
  41. Cross-Site Request Forgery (CSRF)
  42. Millions of routers fully compromised after victims visited the router's official forum site
  43. Let's talk about cookies! ● Key-value pairs that help store client-side state ○ Used especially for authentication ● Cookies are assigned to domains ● Cookies are sent on every request ○ Based on the domain
  44. Consider this (fake) request example: GET /transfer?fromAccount=123456789&toAccount=987654321&amount=1000 HTTP/1.1 Host: www.bankofamerica.com Cookie: SID=EB68E4C2C74410C7A2288CE7878803CC
  45. What if the victim visits a malicious site? <img src="https://www.bankofamerica.com/transfer?fromAccount=123456789&toAccount=987654321&amount=1000">
  46. Cookies are sent along: SID=EB68E4C2C74410C7A2288CE7878803CC <img src="https://www.bankofamerica.com/transfer?fromAccount=123456789&toAccount=987654321&amount=1000">
  47. CSRF ● Forces victims to make unsolicited requests ● Targets state-changing requests ○ Because of the Same-Origin Policy ● Usually POST requests ○ In a RESTful world ● Takes advantage of how cookies work
  48. How do we fix this?
  49. CSRF tokens ● Include a random value in the request ○ Called a "CSRF token" ● Unique per session ● Attacker can't guess it ● Use it to validate the request. Example: POST /transfer HTTP/1.1 Host: www.bankofamerica.com Cookie: SID=EB68E4C2C74410C7A2288CE7878803CC Content-Length: 55 fromAccount=123456789&toAccount=987654321&amount=1000&CSRFToken=s4frwwd4543RFwcdwk
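The server side of slides 43 through 49, as an added Python example that is not from the talk. A per-session token is generated with `secrets`, embedded by the server in its own forms, and required on every state-changing request; the handler rejects the forged `<img>` request from slide 45 (a GET carrying only the cookie) and a cross-site POST without the token, and accepts the request from slide 49. The in-memory session store, the account parameters and the function names are assumptions for the example.

```python
import hmac
import secrets

SESSIONS = {}  # constructed in-memory session store: SID cookie value -> session data


def new_session():
    """Log a user in: random session id plus a random, per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the server writes into its own forms (a hidden field) for this session.
    A third-party site cannot read it because of the Same-Origin Policy."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer(method, cookies, form):
    """The bank's handler: the session cookie proves who, the token proves intent."""
    if method != "POST":
        return 405, "state changes must use POST"
    session = SESSIONS.get(cookies.get("SID", ""))
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("CSRFToken", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} from {form['fromAccount']} to {form['toAccount']}"


def demo():
    """Replay the slide's three situations; the browser attaches the cookie to all of them."""
    sid = new_session()
    cookies = {"SID": sid}
    params = {"fromAccount": "123456789", "toAccount": "987654321", "amount": "1000"}
    forged_get = handle_transfer("GET", cookies, params)           # slide 45's <img> request
    forged_post = handle_transfer("POST", cookies, params)         # cross-site auto-submitted form
    guessed = handle_transfer("POST", cookies, {**params, "CSRFToken": "s4frwwd4543RFwcdwk"})
    legit = handle_transfer("POST", cookies, {**params, "CSRFToken": csrf_token_for(sid)})
    return forged_get[0], forged_post[0], guessed[0], legit[0]


if __name__ == "__main__":
    print(demo())  # (405, 403, 403, 200)
```

The comparison uses `hmac.compare_digest` so the check does not leak how many leading characters of the token matched, and the token is tied to the session so that one leaked token cannot be replayed against another user.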
  50. Millions of routers fully compromised after victims visited the router manufacturer's forum site
  51. Referer Leakage
  52. External parties were receiving secret Dropbox links on their servers that allowed full access to Dropbox customers' files
  53. The Referer header ● Contains the URL of the previous page that led to this request ○ Click on a link on google.com to martinvigo.com ○ martinvigo.com knows that the person came from Google ● Used for analytics, marketing, tracking and spam; no real practical use ● It is misspelled!
  54. Threat ● Many sites hide sensitive information behind unique, non-bruteforceable URLs ○ Usually when authentication is not possible ○ Security relies on the secrecy of the URL ● Very common when sharing documents, flight check-in links, password reset links, etc. ● If the page at the unique URL contains a link to a different domain ○ the browser will send the Referer header containing the secret URL!
  55. Recommendations ● As a user ○ Install a privacy browser plugin ○ It removes the Referer header, among others ● As a developer ○ Avoid putting secrets in the URL ■ Session IDs ■ CSRF tokens ■ Personal data ○ Add <meta name="referrer" content="no-referrer" /> to your pages containing secrets
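A check a developer can run over pages served at secret URLs, following slides 54 and 55, as an added Python example that is not from the talk. It walks a page's markup with the standard library's `HTMLParser`, collects every link, image or script pointing at another host (each of those would receive the page's URL in the Referer header) and reports them unless the page carries the `no-referrer` meta tag the slide recommends. The two sample pages, the host name and the function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ReferrerAudit(HTMLParser):
    """Collect cross-domain URLs and note whether the no-referrer meta tag is present."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.no_referrer_meta = False
        self.external_urls = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags like <meta />
        a = {name: (value or "") for name, value in attrs}
        if (tag == "meta" and a.get("name", "").lower() == "referrer"
                and a.get("content", "").lower() == "no-referrer"):
            self.no_referrer_meta = True
        url = a.get("href") or a.get("src")
        if url:
            host = urlsplit(url).hostname  # None for relative URLs, which stay same-origin
            if host and host.lower() != self.page_host:
                self.external_urls.append(url)


def referer_leak_risk(page_host, markup):
    """Return the third-party URLs that would learn this page's (secret) URL,
    or an empty list if the page opts out of sending a Referer."""
    audit = ReferrerAudit(page_host)
    audit.feed(markup)
    audit.close()
    return [] if audit.no_referrer_meta else audit.external_urls


# Constructed sample pages, as served at a secret sharing URL on share.example.com.
SHARE_HOST = "share.example.com"
UNPROTECTED_PAGE = """<html><head><title>Shared file</title></head><body>
<a href="/download">Download</a>
<a href="https://www.example.org/help">Help</a>
<img src="https://cdn.example.net/logo.png">
</body></html>"""
PROTECTED_PAGE = UNPROTECTED_PAGE.replace(
    "<head>", '<head><meta name="referrer" content="no-referrer" />')

if __name__ == "__main__":
    print(referer_leak_risk(SHARE_HOST, UNPROTECTED_PAGE))  # two third-party URLs
    print(referer_leak_risk(SHARE_HOST, PROTECTED_PAGE))    # []
```

The meta tag is a mitigation for pages that already rely on URL secrecy; the slide's first recommendation, keeping session ids, tokens and personal data out of the URL altogether, removes the problem rather than patching it.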
  56. External parties were receiving secret Dropbox links on their servers that allowed full access to Dropbox customers' files
  57. There is more, much more...
  58. Missing cookie flags, JSONP injection, CORS with wildcard, open redirects, TRACE method support, clickjacking, denial of service, client-side checks only, URL bruteforcing, response splitting, missing bruteforce protections, username enumeration, caching sensitive data, insufficient entropy, SSRF, SOME attack, file path traversal, unrestricted file upload, deserialization vulnerabilities, IDOR vulnerabilities
  59. Takeaways: Think like a hacker. All user input is malicious. Add multiple security layers. Follow standards, recommendations and best practices. Read, learn, practice and apply. Break stuff!
  60. Resources ● Learn for free ○ SecurityTube megaprimers, Cybrary ○ Online university courses ■ Coursera ● Cryptography I by Dan Boneh ■ Udemy ● Read and practice ○ The Tangled Web, The Web Application Hacker's Handbook ● Vulnerable websites you can legally hack! ○ WebGoat, Google Gruyere, Juice Shop Project ● Join bug bounty programs ○ HackerOne, Bugcrowd, Synack
  61. THANKS! martinvigo@gmail.com @martin_vigo martinvigo.com
  62. Thank You! Survey: bit.ly/salesforce2017 Grow your career: free courses in Artificial Intelligence, Software Development, User Experience and more @WizelineAcademy /WizelineAcademy academy.wizeline.com. Get notified about courses: tinyurl.com/WL-academy
  63. Media credits: https://www.healthline.com/hlcmsresource/images/imce/intramuscular-injection_thumb.jpg https://www.thesun.co.uk/wp-content/uploads/2017/04/nintchdbpict0003153285141.jpg https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf http://www.starin.biz/blog/wp-content/uploads/2015/04/Technology-is-in-the-Background-but-it%E2%80%99s-the-Key-to-Communication.jpg https://thumbs.dreamstime.com/b/source-code-xml-vector-6491959.jpg https://www.barttech.co.uk/wp-content/uploads/2014/10/passwords.jpg https://sd.keepcalm-o-matic.co.uk/i/keep-calm-and-hate-js-1.png http://newworldbusinesscentre.co.uk/wp-content/uploads/2015/08/recommended-logo.png https://blogs.opera.com/news/wp-content/uploads/sites/2/2014/09/malicious-site-warning-opera-for-computers.png https://i.pinimg.com/originals/f2/a8/0e/f2a80ee8087d750080763918df53d2be.jpg https://hackadaycom.files.wordpress.com/2014/04/18mpenleoksq8jpg.jpg https://vignette.wikia.nocookie.net/yandere-simulator-fanon/images/a/a6/Question-mark-hi.png https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet http://images.huffingtonpost.com/2014-02-11-Bucket-thumb.jpg
