Security Vulnerabilities: How to Defend Against Them

1. UPCOMING COURSES Node.js 101 Nov 16 @ITESO UX Workshop Sessions: Qualitative Research Dec 2 @GDL Portable Stream and Batch: Processing with Apache Beam Dec 2 @GDL - In partnership w/ Google & Apache Software Foundation Vue.js Workshop Dec 9 @CDMX Grow your career: Free courses in Artificial Intelligence, Software Development, User Experience and More @WizelineAcademy /WizelineAcademy academy.wizeline.com Get notified about courses: tinyurl.com/WL-academy

2. Common Web Vulnerabilities and how to defend against them Martin Vigo @martin_vigo martinvigo.com

3. Martin Vigo Galicia, Spain Senior Product Security Engineer Web, Mobile, Authentication Research, bug bounties & Gin tonics @martin_vigo ⇹ martinvigo.com ⇹ martinvigo@gmail.com

4. Web & Mobile

5. Web VS Mobile common vulnerabilities

6. Injection

7. An attacker is able to execute arbitrary code on Flickr servers by just sending POST requests

8. SQL Injection Web Application userName=”admin” password=”qwerty” POST request query Database SELECT * FROM users WHERE username = ‘admin‘ AND password = ‘qwerty‘; String query = “SELECT * FROM users WHERE username = ‘“ + userName + “‘ AND password = ‘‘’ + password + ”‘;”

9. SQL Injection String query = “SELECT * FROM users WHERE username = ‘“ + userName + “‘ AND password = ‘‘’ + password + ”‘;” Web Application userName=”’ OR ‘1’=’1’ --” password=”” POST request query Database SELECT * FROM users WHERE username = ‘‘ OR ‘1’=’1’ --‘ AND password = ‘‘;

10. More advanced attacks ● Checking database version ○ SELECT @@version ● Blind SQLi ○ Trial/Error ■ SELECT * FROM users WHERE id = '5' OR '1'='1'; ■ SELECT * FROM users WHERE id = '5' AND '1'='2'; ○ Timing attacks ■ IF EXISTS (SELECT * FROM creditcards) waitfor delay '0:0:5' ● File upload + Remote Code Execution ○ ‘ UNION SELECT “<? system($_REQUEST[‘cmd’]); ?>”,2,3 INTO OUTFILE ‘/var/www/test/execcmd.php’ ● And more! ○ Check out SQLMap ● Other injection attacks ○ LDAP, OS Commands, etc.

11. Recommendations ● Assume all user input is bad ● Parameterized queries ○ Stored procedures ● Escaping ○ Single quotes are specially dangerous ● Pattern checkhitelists ○ Full names, phone numbers, emails ● Whitelists ● Protect the infrastructure ○ DB is run by low privilege user ○ DB sits on a separate environment stmt = “SELECT * FROM users WHERE username = ? AND password = ?; stmt.setString(1, userName); stmt.setString(2, password);

12. An attacker is able to execute arbitrary code on Flickr servers by just sending POST requests

13. Sensitive Data Exposure

14. LastPass, a popular, cloud based, password manager encrypts all passwords and claims zero-knowledge. An attacker is able to look at the encrypted data and obtain cleartext passwords

15. Crypto ● Cryptography is hard! ● Encoding != Encryption ● Multiple crypto algorithms ○ Many broken ○ Or tricky to implement securely ■ Insufficient Key length ■ Global keys ■ Null IVs ■ Insecure PRNGs Cleartext AES-ECB AES-CBC

16. Password storage ● In cleartext ○ Insecure ● Encrypted ○ Unnecessary risk ● Hashed with broken algorithms ○ Crackeable ● Unsalted ○ Rainbow tables ● Without using Key-derivation functions ○ Brute-forceable

17. Insecure communication ● HTTP ○ Cleartext protocol ○ No confidentiality, integrity or identification ● HTTPS ○ Weak cipher suites ■ POODLE, BEAST, Lucky 13 ○ Not enforced ■ SSLStrip ○ Mixed content ■ Cookies leak ● Certificates ○ Self signed ○ No host validation

18. Recommendations ● Crypto ○ Only use standards ○ 128 minimum key length ○ Non global, random, unique keys ● Password storage ○ Don’t store passwords! ○ Store hashes ■ MD5 broken, SHA1 deprecated ■ Salted per user ■ Use Key derivation functions ● Bcrypt, Script, PBKDF2 ● Communications ○ Only HTTPS ■ TLS 1.1 or above ○ Enforce it! ■ HSTS, CSP ○ Trusted, signed certs only ○ Key pinning

19. LastPass, a popular, cloud based, password manager encrypts all passwords and claims zero-knowledge. An attacker is able to look at the encrypted data and obtain cleartext passwords

20. XML External Entity (XXE)

21. An attacker is able to make one single GET request to Facebook and obtain the /etc/passwd file

22. XML ● It’s a Markup Language ● DTD defines the structure of the XML document ○ Can be a separate file and stored externally ● Entities are pointers to data ○ Can also point externally

23. XXE ● Targets XML parsers ○ Caused mostly by misconfiguration ● Attacker sends specially crafted XML payloads ○ References to external entities ● XML parsers present everywhere ○ Document formats (OOXML, ODF, PDF) ○ Image formats (SVG, EXIF Headers) ○ Configuration files ○ Networking Protocols (SOAP, SAML)

24. Remote File Read XXE Threats Remote Code Execution Denial of Service SSRF

25. Recommendations ● Know and audit your XML parsers ● DIsable DTDs completely ○ Disallow an inline DTD ○ Do not include external entities ○ Do not include parameter entities ○ Do not include external DTDs ● Validate and sanitize ● Great cheat sheet: www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

26. An attacker is able to make one single GET request to Facebook and obtain the /etc/passwd file

27. Cross-Site Scripting (XSS)

28. Samy Kamkar, a famous security researcher, was able to shut down the #1 site in the internet at the time, MySpace. He did that by simply updating his profile

29. Code VS Data <body> <div id="foo">Hello World!</div> </body> Tag name Attribute name Attribute value Text content Data Code

30. What if…? <body> <div id="">Hello World!</div> </body> Data Code We want to set id as foo”>bar

31. <body> <div id="foo”>bar">Hello World!</div> </body>Data Code

32. What if…? <body> <div id="foo”></div> </body> Data Code Attacker reflected input is </div><img src=x onerror=”alert(‘hacked!’)”><div>

33. <body> <div id="foo”></div><img src=x onerror=”alert(‘hacked!’)”><div></div> </body> Data Code Javascript handler Interpreted as Javascript code Invalid URI Triggers error Game over!

34. XSS Delivering malicious payloads to trick the browser into interpreting it as code instead of data allowing an attacker to execute arbitrary javascript code in the domain context. Martin Vigo @ Wizeline Academy 2017

35. XSS Threats ● Session hijacking ○ Steal cookies using document.cookie ● Phishing ○ Modify the UI and display fake login page ● Data leakage ○ Parse DOM and exfiltrate data with XHR requests to attacker’s domain ● Abuse HTML5 APIs ○ Access user’s geolocation, webcam, microphone, etc. ● Mining crypto currencies ○ Coinhive ● All this and much more! ○ Check out the BeEF Project!

36. Types ● Non-persistent XSS ○ Malicious payload is reflected off the server to the DOM ○ Usually delivered in URLs parameters ■ SPAM campaigns, Clickbaits, etc. ○ Usually obfuscated ■ https://www.google.com/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27 %68%61%63%6b%65%64%21%27%29%3c%2f%73%63%72%69%70%74%3e ■ http://bit.ly/2ihPpjZ ○ DOM-Based XSS is a special non-persistent case ● Persistent XSS ○ Malicious payload is stored server side ○ Payload is rendered everytime victim requests the page ○ Most dangerous one

37. How do we fix this?

38. Encoding & escaping ● Encode HTML special characters ○ Tells the browser it is data, not code ○ <script>alert('Hacked!')</script> ● Be aware of the different contexts ○ And the different parsers! ■ And the different encodings! ● Use existing libraries that do all this for you!

39. Add security layers ● Use Content Security Policy ○ Instruct browser what is allowed and trusted origins ■ Content-Security-Policy: default-src ‘self’; script-src 'self' ● Serve the X-XSS-Protection header ○ Helps prevent reflected XSS ○ Protects old browsers that don’t support CSP ● Protect your sensitive cookies with httponly flag ○ Disables document.cookie

40. Samy Kamkar, a famous security researcher, was able to shut down the #1 site in the internet at the time, MySpace. He did that by simply updating his profile

41. Cross-Site Request Forgery (CSRF)

42. Millions of routers fully compromised after victims visited the router’s official forum site

43. Let’s talk about cookies! ● Key-value pairs that help store client side states ○ Used specially for authentication ● Cookies are assigned to domains ● Cookies are sent on every request ● Based on the domain

44. Consider this (fake) request example GET /tranfer?fromAccount=123456789&toAccount=987654321&amount=1000 HTTP/1.1 Host: www.bankofamerica.com Cookie: SID=EB68E4C2C74410C7A2288CE7878803CC

45. What if victim visits a malicious site? <img src=”https://www.bankofamerica.com/tranfer?fromAccount=123456789&toAccount=987654321&amount=1000”>

46. Cookies are sent along SID=EB68E4C2C74410C7A2288CE7878803CC <img src=”https://www.bankofamerica.com/tranfer? fromAccount=123456789&toAccount=987654321&amount=1000”>

47. CSRF ● Forces victims to make unsolicited requests ● Targets state changing requests ○ Because of Same Origin Policy ● Usually POST requests ○ In a RESTful world ● Takes advantage of how cookies work

48. How do we fix this?

49. CSRF Tokens ● Include a random value in the request ○ Called a “CSRF token” ● Unique per session ● Attacker can’t guess it ● Use it to validate the request POST /transfer HTTP/1.1 Host: www.bankofamerica.com Cookie: SID=EB68E4C2C74410C7A2288CE7878803CC Content-Length: 55 fromAccount=123456789&toAccount=987654321&amount=1000&CSRFToken=s4frwwd4543RFwcdwk

50. Millions of routers fully compromised after victims visited the router’s manufacturer forum site

51. Referal Leakage

52. External parties were receiving secret DropBox links in their servers that allowed full access to DropBox’s customer files

53. The Referer Header ● Contains the URL of a previous item which led to this request ○ Click on a link on google.com to martinvigo.com ○ martinvigo.com knows that the person came from Google ● Used for analytics, marketing and tracking and SPAM. No real practical use ● It is misspelled!

54. Threat ● Many sites hide sensitive information behind unique, non-bruteforceable URLs ○ Usually when authentication is not possible ○ Security relies on the secrecy of the URL ● Very common when sharing documents, links for flights checking, reset password links, etc. ● If the unique URL site contains a link to a different domain ○ It will send the Referer header containing the secret URL!

55. Recommendations ● As a user ○ Install a privacy browser plugin ○ removes the referer header among others ● As a developer ○ Avoid putting secrets in the URL ■ Session ids ■ CSRF tokens ■ Personal data ○ Add <meta name="referrer" content="no-referrer" /> to your pages containing secrets

56. External parties were receiving secret DropBox links in their servers that allowed full access to DropBox’s customer files

57. There is more, much more...

58. Cookie flags missing JSONP injection CORS with wildcard Open redirects TRACE method support Clickjacking Denial of Service Client side checks only URL bruteforcing Response splitting Missing bruteforce protections Username enumeration Caching sensitive data Insufficient entropy SSRF SOME attack File Path Traversal Unrestricted file upload Deserialization vulnerabilities IDOR vulnerabilities

59. Takeaways Think like a hacker All user input is malicious Add multiple security layers Follow standards, recommendations and best practices Read, learn, practice and apply Break stuff!

60. Resources ● Learn for free ○ SecurityTube megaprimers, Cybrary ○ Online university courses ■ Coursera ● Cryptography I by Dan Boneh ■ Udemy ● Read and practice ○ The Tangled Web, The Web Application Hacker's Handbook ● Vulnerable websites you can legally hack! ○ Webgoat, Google Gruyere, Juice Shop Project ● Join bug bounty programs ○ HackerOne, Bugcrowd, Synack

61. THANKS! martinvigo@gmail.com @martin_vigo martinvigo.com

62. Thank You! Survey: bit.ly/salesforce2017 Grow your career: Free courses in Artificial Intelligence, Software Development, User Experience and More @WizelineAcademy /WizelineAcademy academy.wizeline.com Get notified about courses: tinyurl.com/WL-academy

63. Media credits https://www.healthline.com/hlcmsresource/images/imce/intramuscular-injection_thumb.jpg https://www.thesun.co.uk/wp-content/uploads/2017/04/nintchdbpict0003153285141.jpg https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf http://www.starin.biz/blog/wp-content/uploads/2015/04/Technology-is-in-the-Background-but-it%E2%80%99s-the- Key-to-Communication.jpg https://thumbs.dreamstime.com/b/source-code-xml-vector-6491959.jpg https://www.barttech.co.uk/wp-content/uploads/2014/10/passwords.jpg https://sd.keepcalm-o-matic.co.uk/i/keep-calm-and-hate-js-1.png http://newworldbusinesscentre.co.uk/wp-content/uploads/2015/08/recommended-logo.png https://blogs.opera.com/news/wp-content/uploads/sites/2/2014/09/malicious-site-warning-opera-for-computers.pn g https://i.pinimg.com/originals/f2/a8/0e/f2a80ee8087d750080763918df53d2be.jpg https://hackadaycom.files.wordpress.com/2014/04/18mpenleoksq8jpg.jpg https://vignette.wikia.nocookie.net/yandere-simulator-fanon/images/a/a6/Question-mark-hi.png https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet http://images.huffingtonpost.com/2014-02-11-Bucket-thumb.jpg

Security Vulnerabilities: How to Defend Against Them

You are reading a preview.

Check these out next

Security Vulnerabilities: How to Defend Against Them

More Related Content

Slideshows for you (20)

Similar to Security Vulnerabilities: How to Defend Against Them (20)

More from Martin Vigo (11)

Recently uploaded (20)