Barcamp Perth 4.0 Web Security


  • With Great Power Comes Great Responsibility… (Photo: flickr.com/photos/ilcello, CC BY-NC-ND 2.0. Quote: http://en.wikipedia.org/wiki/Uncle_Ben#.22With_great_power_comes_great_responsibility.22)
  • Who is this guy?, I hear you thinking.. Well, hi, I’m Christian Frichot and I’m VERY happy to be presenting here this morning. By night I’m a drummer, by day I’m an information security specialist for a bank, and I’m 100% geek. (I’m not in management and still try to get my hands dirty as much as I can.) (Photos: flickr.com/photos/lwr, CC BY-NC-SA 2.0; flickr.com/photos/jmilles, CC BY 2.0)
  • But what am I on about?
  • Well, I’ll be talking about the Internet… (Photo: flickr.com/photos/jurvetson, CC BY 2.0)
  • .. web applications.. (Photo: flickr.com/photos/meg, CC BY-NC-SA 2.0)
  • And security.. (Photo: flickr.com/photos/muehlinghaus, CC BY-NC-ND 2.0)
  • Well.. web application security specifically. (Photo: flickr.com/photos/purpleslog, CC BY 2.0)
  • Before I begin though, I need to let you know that I’m probably less of a “hacker” than most of you.. Whilst I still develop a bit, my current role only gives me freedom to tinker and help build process-improving tools.. so that’s a bit of…. (Photo: flickr.com/photos/pixelfrenzy, CC BY-NC-SA 2.0)
  • Django…. (Photo: flickr.com/photos/kogakure, CC BY-SA 2.0)
  • Perl.. (Photo: flickr.com/photos/elfsternberg, CC BY-NC-ND 2.0)
  • And Linux misc shhhhtuff.. (Photo: flickr.com/photos/a_mason, CC BY 2.0)
  • First though, let’s talk about the Internet.. It’s ubiquitous, it’s enormous, it’s cute. (Photo: flickr.com/photos/rzrxtion, CC BY 2.0)
  • Really.. (Photo: flickr.com/photos/bahkubean, CC BY-NC-ND 2.0)
  • Damn… (Photo: flickr.com/photos/kevinsteele, CC BY-ND 2.0)
  • Cute. (Photo: flickr.com/photos/helfyland, CC BY-ND 2.0)
  • And it’s FILLED with these.. web applications.. (Photo: flickr.com/photos/meg, CC BY-NC-SA 2.0)
  • Let’s not even mention this guy. Nielsen reported that “Social Networking was the global phenomena of 2008”.. 2008.. That was ages ago now.. (Photo: flickr.com/photos/fbouly, CC BY-ND 2.0)
  • You remember what happened in 2008?
  • “Two thirds of the world’s Internet population visit social networking or blogging sites.” Back then social networking used to consume 1 in every 15 minutes of global Internet time. Now it’s 1 in every 11.
  • And then the other week Facebook overtook Google as the most hit website… http://www.smartcompany.com.au/internet/20100318-how-facebook-overtook-google-in-the-us-and-why-your-business-needs-to-act.html
  • .. And where there are people, there is crime. (Photo: flickr.com/photos/alancleaver, CC BY 2.0)
  • In the old days cybercrime was very different.. Crackers were toying with exploitation of web servers for infamy, usually leading to defacement. Initially these attackers displayed a degree of “technical skill”.
  • Things changed as the malware and exploitation industry matured.. Everything started to become available as “kits”. MPack is one such web exploitation kit that could cost anywhere between $500 and $1000 US and is used to inject malicious code into web pages, either by iframes or PDFs or whatever, and install keyloggers or whatever the user wanted. Soon there was IcePack, FirePack, Traffic Pro and more. This screenshot is of the MPack management interface, so the implementers of the kit could monitor how many PCs they were infecting. http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
  • Whilst MPack was focusing on how to put malicious payloads onto computers, the other end of the malware world was also advancing. The Zeus malware, sometimes called a botnet, is a really nasty keylogger that is well known for evading anti-virus and being one of the most effective bank-targeting keyloggers out there.. What was happening was the consumerisation of malware construction, maintenance, deployment and implementation. This decreased the technical skills required to perform complicated attacks. This is where terms like “script kiddies” come from: people who didn’t necessarily have the knowledge to perform an attack, but knew how to use the tool. http://www.flickr.com/photos/sebastiagiralt/2251661156/
  • The attackers started to realise that there was a lot of money to be made, not just by installing keyloggers but by stealing people’s identities. (Photo: flickr.com/photos/herry, CC BY 2.0)
  • ID theft can lead to all sorts of impacts on consumers: using your credit card details; opening bank accounts; taking out loans; conducting business under your name. Now I know that ID theft is a misnomer, because it’s impossible to steal an identity, so it’s often interchanged with identity fraud. There are numerous types, not just the typical kind used to gain access to funds: business/commercial identity theft, to use a business name to obtain credit; criminal identity fraud, if you pose as another when apprehended for a crime; medical identity theft, to obtain access to Medicare or drugs. (Photo: flickr.com/photos/23905174@N00, CC BY 2.0)
  • Some statistics on ID theft in Australia: in 2008 about 23% of the population was affected.
  • In 2009 26% were affected.
  • The cost of ID theft against Australia is reported to be 3.5 billion dollars annually.
  • Another interesting statistic.
  • But what has this got to do with the web apps I’m building? More often than not, malicious content that makes its way onto the Internet is not legitimately purchased by the attackers. You think they buy a Slicehost Virtual Private Server and host their nasties on there? Supposedly 80% of all phishing sites are hosted on legitimate websites through compromise. Web application vulnerabilities lead to hijacking of legitimate content, for example through the use of file injection attacks. (Photo: flickr.com/photos/hmvh, CC BY-SA 2.0)
  • But what if I’m only developing internal apps? Particular types of vulnerabilities thrive in perimeterised networks. (Photo: flickr.com/photos/negatyf, CC BY-NC-SA 2.0)
  • Back in 2006 Jeremiah Grossman of WhiteHat Security presented on some of the things that can be done from the Internet against internal networks through the browser, including: … Everything is web-enabled now. The perimeter is diminishing.
  • For example… cross-site request forgery attacks. Before I continue I’ll explain what cross-site request forgery, or CSRF, attacks are. Simply put, a system vulnerable to this will change its state upon the receipt of a request, without any sort of verification (except for the automatically included authentication tokens such as cookies or Authorization HTTP headers).
  • This is the definition from Wikipedia.
  • If Bob’s bank keeps his authentication information in a cookie, and the cookie hasn’t expired, then the attempt above to load the image will submit the withdrawal form with this cookie, thus authorising the transaction without Bob’s approval.
  • This type of attack is known as a “confused deputy attack”. The deputy in the example is Bob’s web browser, which is confused into misusing Bob’s authority at Mallory’s direction. http://www.flickr.com/photos/8363028@N08/4209230521/
  • So let’s get back to our example.
  • Let’s set the scene.. Here we have a really typical environment: an admin who sits on an internal network, segmented off from the Internet via all sorts of good stuff like firewalls and that. And on this internal network is the management interface for.. let’s say.. their storage system.. their SAN.
  • The admin gets to work, opens a browser and logs into the interface on his SAN. The system is just using Basic HTTP authentication, but even internally it’s over HTTPS, so those credentials are protected from eavesdropping..
  • The status on the SAN looks fine.. So he then does what he normally does and opens up a bunch of tabs to browse around the sites he normally visits.
  • Maybe this company uses webmail for their corporate mail..
  • I can’t remember if I mentioned that this interface here is susceptible to cross-site request forgeries.. which means it will change its state upon the receipt of a request, without any sort of verification..
  • So our admin sees there is an email from an ex-employee and opens it up, and within it there is an embedded <img> tag.
  • Because his browser had previously authenticated, when it submits this IMG request in the form of an HTTP GET to the management interface it includes the Authorization header.
  • Voila..
  • You’re probably wondering whether or not these actually happen? 1 – 2009: moot, the 20-something-year-old founder of 4chan, becomes “the world’s most influential person in government, science, technology and the arts”. 2 – Mikeyy Mooney uses a combination of CSRF and XSS to get numerous people tweeting about his site, StalkDaily. 3 – 2008: a trojan utilises CSRF to modify the DNS server configuration of popular ADSL routers.
  • But don’t give up all hope.. There are some good recommendations to help reduce the likelihood of this attack. http://www.flickr.com/photos/soloflight/3010505750/
  • 1 – Although POSTs can also be automated via ActionScript, JavaScript, etc. 2 – It’s generally accepted that the inclusion of a random nonce, or parameter included within the request and verified through session data, is effective, because an attacker will be unlikely to know to include this “parameter” in their forged request.
  • Confusing? Well, I just try and think about all the legacy code out there and the poor chance that the developers would’ve had of knowing what to do about these types of issues. http://www.flickr.com/photos/tambako/3593686294/
  • When web-developing firms started to take their application security seriously, they used to have to bring in penetration testers, or security testers, to validate their systems at the end of the development lifecycle. These are typically known as.. (Photo: flickr.com/photos/delhaye, CC BY-NC-ND 2.0)
  • Breakers. (Photo: flickr.com/photos/sarflondondunc, CC BY-NC-ND 2.0)
  • It is commonly recognised that this is the most expensive time to rectify security faults. http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
  • Security therefore becomes much cheaper and more effective during the earlier stages of the lifecycle: the requirements gathering, design and development phases. We like to think of people who assist security in the earlier phases as “builders”.
  • This shift is happening.. which means that the responsibility for these issues is also changing. Perhaps to people like yourselves.
  • But don’t worry, the sky is NOT falling. There are a lot of resources out there.. (Photo: flickr.com/photos/fabiogis50, CC BY-NC-SA 2.0)
  • Including OWASP.. which unfortunately has nothing to do with wasps. (Photo: flickr.com/photos/markop, CC BY-NC-ND 2.0)
  • The Open Web Application Security Project is an “Open Community dedicated to enabling organisations and individuals to conceive, develop, acquire, operate and maintain applications that can be trusted”. Open.. and security? .. I know that sounds like a..
  • Paradox.. Historically security seemed to be based on secrets and degrees of trust and clearance.. We now generally acknowledge that security through obscurity.. (Photo: flickr.com/photos/st3f4n, CC BY-NC-SA 2.0)
  • Just doesn’t work. (Photo: flickr.com/photos/kolya, CC BY-NC-SA 2.0)
  • So what does OWASP do? .. What’s it about?
  • These projects include:
  • The OWASP Guide, which “is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services.”
  • The Software Assurance Maturity Model, or SAMM, which “is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.” (If you’re interested in this, look out for an upcoming Australian Information Security Association presentation.)
  • The OWASP Top Ten, which “represents a broad consensus about what the most critical web application security flaws are”.
  • WebGoat, which “is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons”.
  • WebScarab, which “is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.”
  • And finally the Enterprise Security API, or ESAPI. The purpose is simple…
  • ESAPI is NOT a framework like Spring or Struts; it’s a set of foundational security controls.
  • To allow for language-specific differences, ESAPI is based on the following design principles.
  • These are the controls that are implemented.. And here is an example using the ESAPI Locator class.. This allows you to retrieve singleton instances of a particular control.
  • This example shows utilising the input validator and output escaping to guard against SQL injection.
  • To tie back to our previous example of our back-end web management interface, here are a few controls that ESAPI can bring, including the Authenticator..
  • Access controller.. So with these two interfaces we no longer have to rely on HTTP Authorization headers..
  • And CSRF tokens.
  • So where is the ESAPI project at at the moment? Well, the Java version is up to version 2.0 release candidate 6, which means they’ve got a full reference implementation. PHP is well underway with a number of completed controls, but there are some yet to be done. .NET is at around version 0.2.1, but has implemented a number of controls. They’re also working on ColdFusion, Python, JavaScript, Haskell and Force.com. http://www.flickr.com/photos/st3f4n/2860706946/
  • So don’t re-invent the wheel.. well, at least the security wheel. http://www.flickr.com/photos/onkel_wart/4038437003/
  • And don’t be concerned.. http://www.flickr.com/photos/sophistechate/2758739495/
  • You guys are empowered to build new ways in which we can communicate.. http://www.flickr.com/photos/dalbera/2738451853/
  • Just remember what Uncle Ben didn’t say :P
  • Barcamp Perth 4.0 Web Security

    1. “With great power come great responsibilities”* (shown on the slide in Italian: “Con un grande potere derivano Grandi responsabilità”) *nb: not actual quote - Uncle Ben. flickr.com/photos/ilcello
    2. Who are you? Christian Frichot. flickr.com/photos/lwr flickr.com/photos/jmilles
    3. What are you on about?
    4. flickr.com/photos/jurvetson
    5. flickr.com/photos/meg
    6. flickr.com/photos/muehlinghaus
    7. flickr.com/photos/purpleslog
    8. flickr.com/photos/pixelfrenzy
    9. flickr.com/photos/kogakure
    10. flickr.com/photos/elfsternberg
    11. flickr.com/photos/a_mason
    12. flickr.com/photos/rzrxtion
    13. flickr.com/photos/bahkubean
    14. flickr.com/photos/kevinsteele
    15. flickr.com/photos/helfyland
    16. flickr.com/photos/meg
    17. flickr.com/photos/fbouly
    18. What happened in 2008:
        • Economy dropped
        • The Dark Knight came out
        • Heath Ledger died
        • Obama was elected
    19. One out of 11 minutes is spent social networking
    20. “The most recent figures from Hitwise show Facebook secured 7.07% of hits in the United States during the week ending March 13.”
    21. flickr.com/photos/alancleaver
    23. http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
    24. flickr.com/photos/sebastiagiralt
    25. flickr.com/photos/herry
    26. flickr.com/photos/23905174@N00
    27. 3,800,000
    28. 4,400,000
    29. $3,500,000,000
    30. “18 to 24 year olds are slowest to detect fraud. Millennials (consumers aged 18 to 24 years old) take nearly twice as many days to detect fraud, compared to other age groups..” (Javelin Strategy & Research 2010 Identity Fraud Survey Report)
    31. flickr.com/photos/hmvh
    32. flickr.com/photos/negatyf
    33. What can be done against internal networks through the browser:
        • Grabbing your cookies
        • Grabbing your history
        • Discover your internal NAT’ed IP
        • Port scan behind the firewall
        • Exploit Intranet web-enabled devices
    34. (Ab)use case - example
    35. “The attack works by including a link or script in a page that accesses a site to which the user is known (or supposed) to have been authenticated.”
    36. <img src="http://bank.example/withdraw?account=bob&amount=100000&for=mallory" />
    37. flickr.com/photos/8363028@N08
    38. (Ab)use case - example
    39. Internet Management Interface (HTTPS) Admin
    40. Internet Management Interface (HTTPS) 1. Login: POST /Admin/Login.aspx HTTP/1.1 Username=admin&password=T0ps3cr3t Admin
    41. Internet Management Interface (HTTPS) 2. Browse the Net Admin
    42. Internet Management Interface (HTTPS) 3. Check mail Admin
    43. Internet Management Interface (HTTPS) 3. Check mail (CSRF-able) Admin
    44. Internet Management Interface (HTTPS) 4. Receives mail from ex-employee Admin
    45. Internet Management Interface (HTTPS) 5. Automatic, unauthorised request, i.e. <img src="" /> Admin
        GET /Admin/Shutdown.aspx?t=now HTTP/1.1
        Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    46. Internet Management Interface (HTTPS) 5. No more SAN. Admin
    47. Real-world CSRF incidents:
        • Time Magazine’s Top 100
        • Twitter
        • ADSL Routers
    48. flickr.com/photos/soloflight
    49. Recommendations
        • Don’t make changes upon receipt of GET requests, only POST
        • Synchroniser Token Pattern
            <form action="/action.php" method="post">
            <input type="hidden" name="CSRFToken" value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOA==" />
    50. flickr.com/photos/tambako
    51. flickr.com/photos/delhaye
    52. flickr.com/photos/sarflondondunc
    53. http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
    56. flickr.com/photos/fabiogis50
    57. flickr.com/photos/markop
    58. www.owasp.org
    59. flickr.com/photos/st3f4n
    60. flickr.com/photos/kolya
    62. OWASP:
        • International not-for-profit
        • Open participation
        • 130+ chapters (incl. Perth!)
        • Open source tools
        • Open source collaborative projects
    69. Don’t write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes.
    70. There is a set of security control interfaces. They define, for example, the types of parameters that are passed to types of security controls.
    71. There is a reference implementation for each security control. The logic is not organisation-specific and the logic is not application-specific. An example: string-based input validation.
    72. There are optionally your own implementations for each security control. There may be application logic contained in these classes, which may be developed by or for your organisation. An example: enterprise authentication.
    73. ESAPI controls:
        • Authentication
        • Access Control
        • Input Validation
        • Output encoding/escaping
        • Cryptography
        • Error handling and logging
        • Communication security
        • HTTP security
        • Security configuration
    75. Authenticator interface
        public interface Authenticator {
            User login(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException;
            User getUser(long accountId);
        }
    76. AccessController interface
        public interface AccessController {
            boolean isAuthorizedForURL(String url);
        }
    77. HTTPUtilities interface
        public interface HTTPUtilities {
            String addCSRFToken(String href);
            void verifyCSRFToken(HttpServletRequest request) throws IntrusionException;
        }
    78. flickr.com/photos/st3f4n
    79. flickr.com/photos/onkel_wart
    80. flickr.com/photos/sophistechate
    81. flickr.com/photos/dalbera
    82. “With great power comes great responsibility”
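The Recommendations slide (POST-only state changes plus a synchroniser token) and the HTTPUtilities interface above describe the same defence from two sides: a token minted per session, written into every genuine form or link, and checked on every state-changing request. The following is an added example, not code from the slides or from the ESAPI project: a small Python model of that pattern for the SAN-admin scenario, with function names chosen to mirror addCSRFToken / verifyCSRFToken. The Session and Request classes, the shutdown_handler, and the sample requests in run_scenarios are all constructed here for illustration.

```python
# Added example (not from the slides or the ESAPI project): a synchroniser-token
# CSRF defence for the SAN-admin scenario, shaped like ESAPI's HTTPUtilities
# addCSRFToken / verifyCSRFToken pair. Class and function names are assumptions.
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to it, not to the cookie alone."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request. `session` models what the browser
    attached automatically (cookie or Authorization header); a forged cross-site
    request gets it for free, which is the whole CSRF problem."""
    method: str
    path: str
    session: Optional[Session]
    form: Dict[str, str] = field(default_factory=dict)


class CsrfError(Exception):
    pass


def add_csrf_token(session: Session, href: str) -> str:
    """Append the session's token to a link, as ESAPI's addCSRFToken does."""
    sep = "&" if "?" in href else "?"
    return href + sep + urlencode({"CSRFToken": session.csrf_token})


def csrf_hidden_field(session: Session) -> str:
    """Hidden form field matching the Recommendations slide."""
    return '<input type="hidden" name="CSRFToken" value="%s" />' % html.escape(session.csrf_token)


def verify_csrf_token(request: Request) -> None:
    """Raise CsrfError unless the request carries the token bound to its session."""
    if request.session is None:
        raise CsrfError("no authenticated session")
    submitted = request.form.get("CSRFToken")
    if submitted is None:
        submitted = parse_qs(urlparse(request.path).query).get("CSRFToken", [None])[0]
    # Constant-time comparison: a wrong token is rejected without a timing leak.
    if submitted is None or not hmac.compare_digest(submitted, request.session.csrf_token):
        raise CsrfError("missing or invalid CSRF token")


def shutdown_handler(request: Request) -> Tuple[int, str]:
    """State-changing endpoint: refuse GET outright, then demand the token."""
    if request.method != "POST":
        return 405, "state changes require POST"
    try:
        verify_csrf_token(request)
    except CsrfError as err:
        return 403, str(err)
    return 200, "shutdown scheduled by " + request.session.user


def run_scenarios() -> Dict[str, Tuple[int, str]]:
    """Constructed requests replaying the slides' story against the hardened handler."""
    admin = Session(user="admin")
    target = "/Admin/Shutdown.aspx"
    return {
        # 1. The <img> in the ex-employee's mail: the browser adds the Authorization
        #    header, but a GET is never allowed to change state.
        "forged_get": shutdown_handler(Request("GET", target + "?t=now", admin)),
        # 2. The caveat from the notes: an auto-submitted cross-site POST passes the
        #    method check, yet it cannot carry a token it has never seen.
        "forged_post": shutdown_handler(Request("POST", target, admin, {"t": "now"})),
        # 3. A guessed token fails the constant-time comparison.
        "guessed_token": shutdown_handler(Request("POST", target, admin, {"t": "now", "CSRFToken": "guess"})),
        # 4. The genuine form, rendered by the server with csrf_hidden_field(admin).
        "legitimate": shutdown_handler(Request("POST", target, admin, {"t": "now", "CSRFToken": admin.csrf_token})),
        # 5. No session at all: there is nothing to bind a token to.
        "anonymous": shutdown_handler(Request("POST", target, None, {"CSRFToken": admin.csrf_token})),
    }


if __name__ == "__main__":
    for name, (status, msg) in run_scenarios().items():
        print(f"{name:14s} -> {status} {msg}")
```

Two design points worth noting. The method check alone is not a defence: scenario 2 shows a forged POST sailing past it, which is exactly the caveat in the speaker notes, so the token check is what actually stops the request. And the token is compared against the server-side session with hmac.compare_digest rather than read back from anything the client sent, so a forged request that carries the admin's credentials still has nothing the server will accept.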