5,185 views

Barcamp Perth 4.0 Web Security

The document discusses several topics including security controls for web applications, common security vulnerabilities like CSRF, and quotes about power and responsibility. It provides recommendations for implementing security controls through interfaces and reference implementations to avoid reinventing the wheel and introduces common security control types like authentication, authorization, input validation and output encoding.

Technology◦

“ Con un grande potere derivano Grandi responsabilità ”* *nb: not actual quote - Uncle Ben flickr.com/photos/ilcello

Who are you? Christian Frichot flickr.com/photos/lwr flickr.com/photos/jmilles

Economy Dropped The Dark Knight came out Heath Ledger died Obama was elected

One out of 11 minutes is spent Social networking

“ The most recent figures from Hitwise show Facebook secured 7.07% of hits in the United States during the week ending March 13.”

http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG

“ 18 to 24 year Olds are slowest to detect fraud. Millennials (consumers aged 18 to 24 yeear old) take nearly twice as many days to detect fraud, compared to other age groups..” Javelin Strategy & Research 2010 Identity Fraud Survey Report

Grabbing your cookies Grabbing your history Discover your internal NAT’ed IP Port scan behind the firewall Exploit Intranet web-enabled devices

“ The attack works by including a link or script in a page that accesses a site to which the user is known (or supposed) to have been authenticated.”

<img src=“http://bank.example/withdraw?account=bob&amount=100000&for=mallory” />

Internet Management Interface (HTTPS) Admin

Internet Management Interface (HTTPS) 1. Login POST /Admin/Login.aspx HTTP/1.1 Username=admin&password=T0ps3cr3t Admin

Internet Management Interface (HTTPS) 2. Browse the Net Admin

Internet Management Interface (HTTPS) 3. Check mail Admin

Internet Management Interface (HTTPS) 3. Check mail CSRF-able Admin

Internet Management Interface (HTTPS) 4. Receives mail from ex employee Admin

Internet Management Interface (HTTPS) 5. Automatic, unauthorised request ie: <img src=“https://10.0.0.10/Admin/Shutdown.aspx?t=now” /> GET /Admin/Shutdown.aspx?t=now HTTP/1.1 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Admin

Internet Management Interface (HTTPS) 5. No more SAN. Admin

Time Magazine’s Top 100 Twitter ADSL Routers

Recommendations Don’t make changes upon receipt of GET requests, only POST Synchroniser Token Pattern <form action=“/action.php” method=“post”> <input type=“hidden” name=“CSRFToken” value=“OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOA==“ />

http://www.microsoft.com/security/sdl/benefits/costeffective.aspx

International Not-for-profit Open participation 130+ Chapters (incl. Perth!) Open source tools Open source collaborative projects

Don’t write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes.

There is a set of security control interfaces. They define for example types of parameters that are passed to types of security controls.

There is a reference implementation for each security control. The logic is not organisation‐specific and the logic is not application‐specific. An example: string‐based input validation.

There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organisation. An example: enterprise authentication.

Authentication Access Control Input Validation Output encoding/escaping Cryptography Error handling and logging Communication security HTTP security Security configuration

Authenticator interface Public interface Authenticator { User login(HttpServlerRequest request, HttpServletResponse response) throws AuthenticationException; User getUser(long accountId); }

AccessController Interface Public interface AccessController { boolean isAuthorizedForURL(string url); }

HTTPUtilities Interface Public interface HTTPUtilities { String addCSRFToken(string href); void verifyCSRFToken(HttpServletRequest request) throws IntrusionException; }

“ With great power comes great responsibility”

Barcamp Perth 4.0 Web Security

1.
“ Con ungrande potere derivano Grandi responsabilità ”* *nb: not actual quote - Uncle Ben flickr.com/photos/ilcello
2.
Who are you?Christian Frichot flickr.com/photos/lwr flickr.com/photos/jmilles
3.
What are youon about?
4.
flickr.com/photos/jurvetson
5.
flickr.com/photos/meg
6.
flickr.com/photos/muehlinghaus
7.
flickr.com/photos/purpleslog
8.
flickr.com/photos/pixelfrenzy
9.
flickr.com/photos/kogakure
10.
flickr.com/photos/elfsternberg
11.
flickr.com/photos/a_mason
12.
flickr.com/photos/rzrxtion
13.
flickr.com/photos/bahkubean
14.
flickr.com/photos/kevinsteele
15.
flickr.com/photos/helfyland
16.
flickr.com/photos/meg
17.
flickr.com/photos/fbouly
18.
Economy Dropped TheDark Knight came out Heath Ledger died Obama was elected
19.
One out of11 minutes is spent Social networking
20.
“ The mostrecent figures from Hitwise show Facebook secured 7.07% of hits in the United States during the week ending March 13.”
21.
flickr.com/photos/alancleaver
22.
23.
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
24.
flickr.com/photos/sebastiagiralt
25.
flickr.com/photos/herry
26.
flickr.com/photos/23905174@N00
27.
3,800,000
28.
4,400,000
29.
$3,500,000,000
30.
“ 18 to24 year Olds are slowest to detect fraud. Millennials (consumers aged 18 to 24 yeear old) take nearly twice as many days to detect fraud, compared to other age groups..” Javelin Strategy & Research 2010 Identity Fraud Survey Report
31.
flickr.com/photos/hmvh
32.
flickr.com/photos/negatyf
33.
Grabbing your cookiesGrabbing your history Discover your internal NAT’ed IP Port scan behind the firewall Exploit Intranet web-enabled devices
34.
(Ab)use case -example
35.
“ The attackworks by including a link or script in a page that accesses a site to which the user is known (or supposed) to have been authenticated.”
36.
<img src=“http://bank.example/withdraw?account=bob&amount=100000&for=mallory” />
37.
flickr.com/photos/8363028@N08
38.
(Ab)use case -example
39.
Internet Management Interface(HTTPS) Admin
40.
Internet Management Interface(HTTPS) 1. Login POST /Admin/Login.aspx HTTP/1.1 Username=admin&password=T0ps3cr3t Admin
41.
Internet Management Interface(HTTPS) 2. Browse the Net Admin
42.
Internet Management Interface(HTTPS) 3. Check mail Admin
43.
Internet Management Interface(HTTPS) 3. Check mail CSRF-able Admin
44.
Internet Management Interface(HTTPS) 4. Receives mail from ex employee Admin
45.
Internet Management Interface(HTTPS) 5. Automatic, unauthorised request ie: <img src=“https://10.0.0.10/Admin/Shutdown.aspx?t=now” /> GET /Admin/Shutdown.aspx?t=now HTTP/1.1 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Admin
46.
Internet Management Interface(HTTPS) 5. No more SAN. Admin
47.
Time Magazine’s Top100 Twitter ADSL Routers
48.
flickr.com/photos/soloflight
49.
Recommendations Don’t makechanges upon receipt of GET requests, only POST Synchroniser Token Pattern <form action=“/action.php” method=“post”> <input type=“hidden” name=“CSRFToken” value=“OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOA==“ />
50.
flickr.com/photos/tambako
51.
flickr.com/photos/delhaye
52.
flickr.com/photos/sarflondondunc
53.
http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
54.
55.
56.
flickr.com/photos/fabiogis50
57.
flickr.com/photos/markop
58.
www.owasp.org
59.
flickr.com/photos/st3f4n
60.
flickr.com/photos/kolya
61.
62.
International Not-for-profit Openparticipation 130+ Chapters (incl. Perth!) Open source tools Open source collaborative projects
63.
64.
65.
66.
67.
68.
69.
Don’t write yourown security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes.
70.
There is aset of security control interfaces. They define for example types of parameters that are passed to types of security controls.
71.
There is areference implementation for each security control. The logic is not organisation‐specific and the logic is not application‐specific. An example: string‐based input validation.
72.
There are optionallyyour own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organisation. An example: enterprise authentication.
73.
Authentication Access ControlInput Validation Output encoding/escaping Cryptography Error handling and logging Communication security HTTP security Security configuration
74.
75.
Authenticator interface Publicinterface Authenticator { User login(HttpServlerRequest request, HttpServletResponse response) throws AuthenticationException; User getUser(long accountId); }
76.
AccessController Interface Publicinterface AccessController { boolean isAuthorizedForURL(string url); }
77.
HTTPUtilities Interface Publicinterface HTTPUtilities { String addCSRFToken(string href); void verifyCSRFToken(HttpServletRequest request) throws IntrusionException; }
78.
flickr.com/photos/st3f4n
79.
flickr.com/photos/onkel_wart
80.
flickr.com/photos/sophistechate
81.
flickr.com/photos/dalbera
82.
“ With greatpower comes great responsibility”

Editor's Notes

#2 With Great Power Comes Great Responsibility… <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/ilcello/3000073881/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/ilcello/&quot;>http://www.flickr.com/photos/ilcello/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&quot;>CC BY-NC-ND 2.0</a></div> http://en.wikipedia.org/wiki/Uncle_Ben#.22With_great_power_comes_great_responsibility.22
#3 Who is this guy?, I hear you thinking.. Well. Hi, I’m Christian Frichot and I’m VERY happy to be presenting here this morning. By Night I’m a drummer, by day I’m an information security specialist for a Bank and I’m 100% geek. (I’m not in management and still try and get my hands dirty as much as I can) <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/lwr/2728818878/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/lwr/&quot;>http://www.flickr.com/photos/lwr/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&quot;>CC BY-NC-SA 2.0</a></div> <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/jmilles/319926762/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/jmilles/&quot;>http://www.flickr.com/photos/jmilles/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by/2.0/&quot;>CC BY 2.0</a></div>
#4 But what am I on about?
#5 Well I’ll be talking about the Internet… <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/jurvetson/916142/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/jurvetson/&quot;>http://www.flickr.com/photos/jurvetson/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by/2.0/&quot;>CC BY 2.0</a></div>
#6 .. web applications.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/meg/3537830117/in/set-72157618229062033/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/meg/&quot;>http://www.flickr.com/photos/meg/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&quot;>CC BY-NC-SA 2.0</a></div>
#7 And Security.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/muehlinghaus/241755891/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/muehlinghaus/&quot;>http://www.flickr.com/photos/muehlinghaus/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&quot;>CC BY-NC-ND 2.0</a></div>
#8 Well.. Web Application security specifically. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/purpleslog/2880224058/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/purpleslog/&quot;>http://www.flickr.com/photos/purpleslog/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by/2.0/&quot;>CC BY 2.0</a></div>
#9 Before I begin though I need to let you know that I’m probably less of a “hacker” (()) than most of you.. Whilst I still develop a bit, my current role only gives me freedom to tinker and help build process improving tools..so that’s a bit of…. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/pixelfrenzy/3772504547/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/pixelfrenzy/&quot;>http://www.flickr.com/photos/pixelfrenzy/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&quot;>CC BY-NC-SA 2.0</a></div>
#10 Django…. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/kogakure/2225768345/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/kogakure/&quot;>http://www.flickr.com/photos/kogakure/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-sa/2.0/&quot;>CC BY-SA 2.0</a></div>
#11 Perl.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/elfsternberg/4198688510/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/elfsternberg/&quot;>http://www.flickr.com/photos/elfsternberg/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&quot;>CC BY-NC-ND 2.0</a></div>
#12 And Linux misc shhhhtuff.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/a_mason/4021444/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/a_mason/&quot;>http://www.flickr.com/photos/a_mason/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by/2.0/&quot;>CC BY 2.0</a></div>
#13 First though lets talk about the Internet.. It’s ubiquitous, it’s enormous, it’s cute (()). <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/rzrxtion/2698016803/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/rzrxtion/&quot;>http://www.flickr.com/photos/rzrxtion/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by/2.0/&quot;>CC BY 2.0</a></div>
#14 Really.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/bahkubean/549310317/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/bahkubean/&quot;>http://www.flickr.com/photos/bahkubean/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&quot;>CC BY-NC-ND 2.0</a></div>
#15 Damn… <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/kevinsteele/533314156/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/kevinsteele/&quot;>http://www.flickr.com/photos/kevinsteele/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nd/2.0/&quot;>CC BY-ND 2.0</a></div>
#16 Cute. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/helfyland/644620280/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/helfyland/&quot;>http://www.flickr.com/photos/helfyland/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nd/2.0/&quot;>CC BY-ND 2.0</a></div>
#17 And it’s FILLED with these.. Web applications.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/meg/3537830117/in/set-72157618229062033/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/meg/&quot;>http://www.flickr.com/photos/meg/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&quot;>CC BY-NC-SA 2.0</a></div>
#18 Lets not even mention this guy. NetNeilsen’s have reported on the fact that “Social Networking was the global phenomena of 2008” .. 2008.. That was ages ago now.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/fbouly/3568409530/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/fbouly/&quot;>http://www.flickr.com/photos/fbouly/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nd/2.0/&quot;>CC BY-ND 2.0</a></div>
#19 You remember what happened in 2008?
#20 “ Two Thirds of the world’s Internet population visit social networking or blogging sites” Back then Social networking use to consume 1 in every 15 minutes of global Internet time. (()) Now it’s 1 in every 11.
#21 And then the other week Facebook overtook Google as the most hit website… http://www.smartcompany.com.au/internet/20100318-how-facebook-overtook-google-in-the-us-and-why-your-business-needs-to-act.html
#22 .. And where there are people – there is crime. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/alancleaver/4121423119/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/alancleaver/&quot;>http://www.flickr.com/photos/alancleaver/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by/2.0/&quot;>CC BY 2.0</a></div>
#23 In the old days cybercrime was very different.. Crackers were toying with exploitation of web servers for infamy. Usually leading to Defacement. Initially these attackers displayed a degree of “technical skill”.
#24 Things changed as the malware and exploitation industry matured.. Everything started to become available as “Kits” Mpack is one such web exploitation kit that could cost anywhere between $500 – 1000 US and is used to inject malicious code into web pages, either by iframes or PDFs or whatever – install keyloggers, or whatever the user wanted. Soon there was IcePack, FirePack, Traffic Pro and more. This screenshot is of the MPack management interface, so the implementers of the kit could monitor how many PCs they were infecting. http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
#25 Whilst MPack was focusing on how to put malicious payloads onto computers, the other end of the malware world was also advancing. The Zeus malware, sometimes called a botnet, is a really nasty keylogger that is well known for evading anti virus and being one of the most effective bank targetting keyloggers out there.. What was happening was the consumerisation of malware construction, maintenance, deployment and implementation This decreased the technical skills required to perform complicated attacks. This is where terms like Script Kiddies and that would come from, people who didn’t necessarily have the knowledge to perform an attack, but knew how to use the tool. http://www.flickr.com/photos/sebastiagiralt/2251661156/
#26 The attackers started to realise that there was a lot of money to be made, not just by installing keyloggers but by stealing peoples identities. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/herry/3321548259/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/herry/&quot;>http://www.flickr.com/photos/herry/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by/2.0/&quot;>CC BY 2.0</a></div>
#27 ID theft can lead to all sorts of impacts on consumers: - Using your credit card details - Opening of bank accounts - Taking out loans - Conducting business under your names. Now I know that ID theft is a misnomer because it’s impossible to steal an identity, so it’s often interchanged with identity fraud. There are numerous types including, not just the typical type to gain access to funds but: - Business/commercial identity theft – to use a business name to obtain credit - Criminal identity fraud – if you pose as another when apprehended for a crime - medical identity theft – to obtain access to medicare or drugs. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/23905174@N00/1594411528/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/23905174@N00/&quot;>http://www.flickr.com/photos/23905174@N00/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by/2.0/&quot;>CC BY 2.0</a></div>
#28 Some statistics on id theft in australia (()): - in 2008 about 23% of the population affected
#29 In 2009 26% were affected
#30 The cost of ID theft against Australia is reported to be 3.5 billion dollars annually
#31 Another interesting statistic
#32 But what has this got to do with web apps I’m building? More often than not malicious content that makes its way on to the Internet is not legitimately purchased by the attackers. You think they buy a slicehost Virtual Private Server and host their nasties on there? Supposedly 80% of all phishing sites are hosted on legitimate websites through compromise. Web application vulnerabilities lead to hijacking of legitimate content, for example through the use of file injection attacks. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/hmvh/58185411/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/hmvh/&quot;>http://www.flickr.com/photos/hmvh/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-sa/2.0/&quot;>CC BY-SA 2.0</a></div>
#33 But what about if I’m only developing internal apps? Particular types of vulnerabilities thrive in perimeterised networks. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/negatyf/361668397/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/negatyf/&quot;>http://www.flickr.com/photos/negatyf/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&quot;>CC BY-NC-SA 2.0</a></div>
#34 Back in 2006 Jeremiah Grossman of WhiteHat Security presented on some of the things that can be done from the Internet against Internal networks through the browser, including: … Everything is web-enabled now. The perimeter is diminishing.
#35 For example… Cross Site Request Forgery attacks. .. Before I continue I’ll explain what cross site request forgery, or CSRF, attacks are. Simply put, a system vulnerable to this will change its state upon the receipt of a request, without any sort of verification (except for the automatically included authentication tokens such as cookies or Authorization HTTP headers).
#36 This is the definition from wiki
#37 If Bob’s bank keeps his authentication information in a cookie, and the cookie hasn’t expired, then the attempt above to load the image will submit the withdrawal form with this cookie, thus authorising the transaction without bob’s approval.
#38 This type of attack is known as a “confused deputy attack”. The deputy in the example is Bob’s web browser which is confused into misusing bob’s authority at mallory’s direction. http://www.flickr.com/photos/8363028@N08/4209230521/
#39 So lets get back to our example.
#40 Lets set the scene.. Here we have a really typical environment.. An admin who sits on an internal network segmented off from the Internet via all sorts of good stuff like firewalls and that. And on this internal network is the management interface for .. Lets say.. Their storage system .. Their SAN.
#41 The admin gets to work and opens a browser and logs into the interface on his SAN. The system is just using BASIC HTTP authentication, but even internally it’s over HTTPS so those credentials are protected from eavesdropping. ..
#42 The status on the SAN looks fine .. So he then does what he normally does and opens up a bunch of tabs to browse around the sites he normally visits.
#43 Maybe this company uses web-mail for their corporate mail ..
#44 I can’t remember if I mentioned that this interface here is susceptible to cross-site request forgeries.. Which means it will change its state upon the receipt of a request, without any sort of verification..
#45 So our admin sees there is an email from an ex employee and opens it up – and within it there is an embedded <img> tag.
#46 Because his browser had previously authenticated, when it submits this IMG request in the form of a HTTP GET to the management interface it includes the Authorization header
#47 Voila..
#48 You’re probably wondering whether or not these actually happen? 1 – 2009 – Moot, the 20-something year old founder of 4chan becomes “the world’s most influential person in government, science, technology and the arts” 2 – Mikeyy Mooney uses a combination of CSRF and XSS to get numerous people tweeting about his site, stalkdaily 3 – 2008 – Trojan utilises CSRF to modify the DNS server configuration of popular DNS routers.
#49 But don’t give up all hope.. There are some good recommendations to help reduce the likelihood of this attack. http://www.flickr.com/photos/soloflight/3010505750/
#50 1 – Although POSTs can also be automated via Actionscript, javascript, etc 2 – It’s generally accepted that the inclusion of a random nonce, or parameter included within the request and verified through session data is effective, because an attacker will be unlikely to know to include this “parameter” in their forged request.
#51 Confusing? Well I just try and think about all the legacy code out there and the poor chance that the developers would’ve had knowing what to do about these types of issues. http://www.flickr.com/photos/tambako/3593686294/
#52 When web developing firms started to take their application security seriously they used to have to bring in penetration testers, or security testers, to validate their systems at the end of the development lifecycle. These are typically known as.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/delhaye/2276967083/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/delhaye/&quot;>http://www.flickr.com/photos/delhaye/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&quot;>CC BY-NC-ND 2.0</a></div>
#53 Breakers. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/sarflondondunc/630250409/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/sarflondondunc/&quot;>http://www.flickr.com/photos/sarflondondunc/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&quot;>CC BY-NC-ND 2.0</a></div>
#54 It is commonly recognised that this is the most expensive time to rectify security faults. http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
#55 Security therefore becomes much cheaper and effective during the earlier stages of the lifecycle. The requirements gathering, design and development phases. We like to think of people who assist security in the earlier phases as “builders”.
#56 This shift is happening .. Which means that the responsibility for these issues is also changing. Perhaps to people like yourselves (( ))
#57 But don’t worry – the sky is NOT falling. There are a lot of resources out there.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/fabiogis50/3749609312/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/fabiogis50/&quot;>http://www.flickr.com/photos/fabiogis50/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&quot;>CC BY-NC-SA 2.0</a></div>
#58 Including (()) OWASP. .. Which unfortunately has nothing to do with wasps. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/markop/1401429588/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/markop/&quot;>http://www.flickr.com/photos/markop/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&quot;>CC BY-NC-ND 2.0</a></div>
#59 The Open Web Application Security Project is an “Open Community dedicated to enabling organisations and individuals to conceive, develop, acquire, operate and maintain applications that can be trusted” Open .. And security? .. I know that sounds like a ..
#60 Paradox..Historically security seemed to be based on secrets and degrees of trust and clearance.. We know generally acknowledge that security through obscurity.. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/st3f4n/4356185807/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/st3f4n/&quot;>http://www.flickr.com/photos/st3f4n/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&quot;>CC BY-NC-SA 2.0</a></div>
#61 Just doesn’t work. <div xmlns:cc=&quot;http://creativecommons.org/ns#&quot; about=&quot;http://www.flickr.com/photos/kolya/1307365789/&quot;><a rel=&quot;cc:attributionURL&quot; href=&quot;http://www.flickr.com/photos/kolya/&quot;>http://www.flickr.com/photos/kolya/</a> / <a rel=&quot;license&quot; href=&quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&quot;>CC BY-NC-SA 2.0</a></div>
#62 So what does OWASP do? .. What’s it about?
#63 These projects include:
#64 The OWASP Guide – which “is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services.”
#65 The Software Assurance Maturity Model, or SAMM – which “is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. “ (If you’re interested in this look out for an upcoming Australian Information Security Association presentation)..
#66 The OWASP Top Ten, which “represents a broad consensus about what the most critical web application security flaws are”
#67 WebGoat which “is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons”
#68 Webscarab, which “is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.”
#69 And finally the Enterprise Security API or ESAPI. The purpose is simple…
#70 ESAPI is NOT a framework, like Spring or Struts, it’s a set of foundational security controls.
#71 To allow for language-specific differences ESAPI is based on the follow design principles.
#74 These are the controls that are implemented.. And here is a an example using the ESAPI Locator class .. This allows you to retrieve singleton instances of a particular control
#75 This example shows utilising the input validator and output escaping to guard against SQL injection.
#76 To tie back to our previous example of our back end web management interface here are a few controls that ESAPI can bring. Including the Authenticator
#77 Access controller .. So with these two interfaces we no longer have to rely on HTTP Authorization headers
#78 And CSRF tokens.
#79 So where is the ESAPI project at at the moment? Well, the Java version is up to version 2.0 release candidate 6, which means they’ve got a full reference implementation. PHP is well underway with a number of completed controls, but there are some yet to be done. .NET is at around versin 0.2.1, but have implemented a number of controls They’re also working on Cold Fusion Python Javascript Haskell Force.com http://www.flickr.com/photos/st3f4n/2860706946/
#80 So don’t re-invent the wheel..well at least the security wheel. http://www.flickr.com/photos/onkel_wart/4038437003/
#81 And don’t be concerned.. http://www.flickr.com/photos/sophistechate/2758739495/
#82 You guys are empowered to build new ways in which we can communicate.. http://www.flickr.com/photos/dalbera/2738451853/
#83 Just remember what uncle ben didn’t say :P

Barcamp Perth 4.0 Web Security

More Related Content

Similar to Barcamp Perth 4.0 Web Security

Recently uploaded

Barcamp Perth 4.0 Web Security

Editor's Notes