Web Security ...2015 Greater Wisconsin Software Symposium March 13-14 (Two day event) Early bird discount ends 2/23 JUG Discount: $50 off use the promo code: nfjsusergroup50

1/105

Web Security http://localhost:8080/wink/wiki/2015/WebSecurity#1

1 of 105 2/23/15, 1:54 PM

Web SecurityBrian Sletten ( @bsletten)

02/23/2015

!


2 of 105 2/23/15, 1:54 PM

2015 Greater Wisconsin Software SymposiumMarch 13-14 (Two day event)

Early bird discount ends 2/23

JUG Discount: $50 off use the promo code: nfjsusergroup50

http://nofluffjuststuff.com

3/105


3 of 105 2/23/15, 1:54 PM

Speaker QualificationsSpecialize in next-generation technologiesAuthor of 'Resource-Oriented Architecture Patterns for Webs of Data'Speaks internationally about REST, Semantic Web, Data Science, Security,Visualization, ArchitectureWorked in Defense, Finance, Retail, Hospitality, Video Game, Health Care,Telecommunications and Publishing IndustriesInternational Pop Recording Artist

···

·

·

4/105


4 of 105 2/23/15, 1:54 PM

AgendaIntroductionSecurity EngineeringSoftware SecurityWeb SecurityBooks

·····

5/105


5 of 105 2/23/15, 1:54 PM

Introduction


6 of 105 2/23/15, 1:54 PM

7/105


7 of 105 2/23/15, 1:54 PM

The Ones You've Heard Of...TJ MaxxTargetMichaelsKMartHome DepotJP Morgan

······

8/105


8 of 105 2/23/15, 1:54 PM

And...http://hackmageddon.com/2012-cyber-attacks-timeline-master-index/

http://hackmageddon.com/2013-cyber-attacks-timeline-master-index/http://hackmageddon.com/2014-cyber-attacks-timeline-master-index/

·https://paulsparrows.files.wordpress.com/2012/01/january-2012-cyber-attacks-timeline-part-1.pnghttps://paulsparrows.files.wordpress.com/2012/01/middle-east-cyber-war-timeline1.pnghttps://paulsparrows.files.wordpress.com/2012/02/february-2012-cyber-attacks-timeline-part-i.png

·

·

·

··

9/105


9 of 105 2/23/15, 1:54 PM

10/105


10 of 105 2/23/15, 1:54 PM

Credit: http://xkcd.com/936

11/105


11 of 105 2/23/15, 1:54 PM


12/105


12 of 105 2/23/15, 1:54 PM


13/105


13 of 105 2/23/15, 1:54 PM

Through 20 years of effort, we've successfullytrained everyone to use passwords that arehard for humans to remember, but easy forcomputers to guess.

“

”

http://xkcd.com/936/


14 of 105 2/23/15, 1:54 PM

Choose a password you can't remember, anddon't write it down.

“”

Ross J. Anderson


15 of 105 2/23/15, 1:54 PM


16/105


16 of 105 2/23/15, 1:54 PM

17/105


17 of 105 2/23/15, 1:54 PM

18/105


18 of 105 2/23/15, 1:54 PM

A name......is a name...is a name...is a name...is an attack vector

····

19/105


19 of 105 2/23/15, 1:54 PM

Where Does This Go?http://example.com&gibberish=1234@167772161

http://10.0.0.1

20/105


20 of 105 2/23/15, 1:54 PM

Do the Math!http://example.com&gibberish=1234@167772161

String: 10.0.0.1Binary: 00001010 . 00000000 . 00000000 . 00000001Integer: 167772161

(10 * 16777216) + (0 * 65536) + (0 * 256) + (1 * 1) = 167772161

21/105


21 of 105 2/23/15, 1:54 PM

How About?http://example.com\@coredump.cx

In Firefox, http://coredump.cx

22/105


22 of 105 2/23/15, 1:54 PM

Or Maybe...http://example.com;.coredump.cx

In IE, http://coredump.cx

Safari, it's an error.

Others, http://example.com/;.coredump.cx

23/105


23 of 105 2/23/15, 1:54 PM

The web is an information space. When youexplore it, you don't end up buying stuff,agreeing to anything, or - in this case, losingyour domain name...

“

”

Tim Berners-Lee


24 of 105 2/23/15, 1:54 PM

From: <[email protected]>Date: Fri Apr 11, 2003 19:31:28 US/EasternTo: [email protected]: Confirm Domain Transfer

A Transfer Request was submitted for the following domains.Click on the following link to confirm the domain transfer request for these domains.

https://secure.registerapi.com/order/trx/confirm.php?id=cesO...

Your Transfer Request Code IS: ces[...]cbIhttps://secure.registerapi.com/order/trx/confirm.php

Domains:WWW.ORG

If you did not request the transfer of these domains then DO NOT click on the above links. By not clicking you are preventing a domain registrar transfer from taking place.

Thank you, The Automated Domain Transfer System

25/105


25 of 105 2/23/15, 1:54 PM

Cross Site Request Forgery (CSRF)http://bank.example.com/withdraw?acct=Bob&amt=1000000&for=Fred

<img src="http://bank.example.com/withdraw?acct=Bob&amt=1000000 &for=Fred"/>

26/105


26 of 105 2/23/15, 1:54 PM

Role-Based Access Control<security-constraint> <web-resource-collection> <url-pattern>/admin/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint></security-constraint>

27/105


27 of 105 2/23/15, 1:54 PM

Security Engineering


28 of 105 2/23/15, 1:54 PM

If you spend more on coffee than on ITsecurity, then you will be hacked. What'smore, you deserve to be hacked.

“

”

Richard Clarke, former U.S. Cybersecurity Czar


29 of 105 2/23/15, 1:54 PM

The main objective of secure system design is to make breaking the system

more costly than the value of the protected assets , where the 'cost' should be

measured in monetary value but also in more abstract terms such as effort or

reputation .

“

”

Christof Paar and Jan PelzlUnderstanding Cryptography: A Textbook for Students and Practitioners


30 of 105 2/23/15, 1:54 PM

Security Engineering...is about buildingsystems to remain dependable in the face ofmalice, error, or mischance.

“

”

Ross J. Anderson


31 of 105 2/23/15, 1:54 PM

Whoever thinks his problem can be solvedusing cryptography, doesn't understand hisproblem and doesn't understandcryptography.

“

”

Roger Needham/Butler Lampson


32 of 105 2/23/15, 1:54 PM

Vulnerability + Threat = Potential Security Breach

33/105


33 of 105 2/23/15, 1:54 PM

Indeed protocol vulnerabilities usually giverise to more, and simpler, attacks thancryptographic weaknesses do.

“

”

Ross J. Anderson


34 of 105 2/23/15, 1:54 PM

Systems Fail...People protect the wrong thingsProtect the right things the wrong way

··

35/105


35 of 105 2/23/15, 1:54 PM

There is all too often a cultural and physicalseparation between the softwaredevelopment staff and the informationsecurity staff in large enterprises.

“

”

van Wyk, Graff, Peters and BurleyEnterprise Software Security: A Confluence of Disciplines


36 of 105 2/23/15, 1:54 PM

Incentive MismatchPolicy makers don't have to live with the resultsPolicy makers don't suffer when things failHave political or CYA incentives

···

37/105


37 of 105 2/23/15, 1:54 PM

TSA14.7 billion (USD) on aggressive passenger screening100 million (USD) reinforcing cockpit doorsWe seem to be reverting w/ TSA Pre

···

38/105


38 of 105 2/23/15, 1:54 PM

Strictly speaking, strengthening anything butthe weakest link is useless.

“”

Bruce Schneier


39 of 105 2/23/15, 1:54 PM

40/105


40 of 105 2/23/15, 1:54 PM

41/105


41 of 105 2/23/15, 1:54 PM

Defense in DepthStrengthen potentially weakest linksStrengthen multiple potential weakest linksFailure of one may be blocked by success of another

···

42/105


42 of 105 2/23/15, 1:54 PM

Time Favors the AttackerWe design systems today that must survive in the futureThey need to find a single flaw, we must protect against all of them

··

43/105


43 of 105 2/23/15, 1:54 PM

Word StewSecrecyPrivacyConfidentialityIntegrityAuthenticity

·····

44/105


44 of 105 2/23/15, 1:54 PM

45/105


45 of 105 2/23/15, 1:54 PM

Only amateurs attack machines; professionalstarget people.

“”

Bruce Schneier


46 of 105 2/23/15, 1:54 PM

Software Security


47 of 105 2/23/15, 1:54 PM

Software security... is not security software.“ ”

Gary McGraw


48 of 105 2/23/15, 1:54 PM

Software security... the idea of engineeringsoftware so that it continues to functioncorrectly under malicious attack.

“

”

Gary McGraw


49 of 105 2/23/15, 1:54 PM

Problem is Getting WorseConnectivityExtensibilityComplexity

···

50/105


50 of 105 2/23/15, 1:54 PM

Bugs vs FlawsBugs : Implementation issueFlaws : Design problemRoughly 50/50Need to address both

····

51/105


51 of 105 2/23/15, 1:54 PM

Security is an emergent property of yoursystem.

“”

Gary McGraw


52 of 105 2/23/15, 1:54 PM

ApproachRisk ManagementTouchpointsKnowledge

···

53/105


53 of 105 2/23/15, 1:54 PM

54/105

Requirements and Use Cases

Architecture and Design Test Plans Code Tests and

Test Results

Feedbackfrom

Deployed Systems


54 of 105 2/23/15, 1:54 PM

55/105



Test Results

Feedbackfrom

Deployed Systems

ExternalReview


55 of 105 2/23/15, 1:54 PM

56/105



Test Results

Feedbackfrom

Deployed Systems

CodeReview Risk

Analysis

PenetrationTesting

SecurityOperations

Risk-basedSecurity

Tests

ExternalReview

RiskAnalysis

SecurityRequirements

AbuseCases


56 of 105 2/23/15, 1:54 PM

57/105



Test Results

Feedbackfrom

Deployed Systems

CodeReview Risk

Analysis

PenetrationTesting

SecurityOperations

Risk-basedSecurity

Tests

ExternalReview

RiskAnalysis

SecurityRequirements

AbuseCases

122

3

4

5

6

7


57 of 105 2/23/15, 1:54 PM

Credit: http://bsimm.com

58/105


58 of 105 2/23/15, 1:54 PM

[threat modeling] is the use of abstractions toaid in thinking about risks.

“”

Adam Shostack


59 of 105 2/23/15, 1:54 PM

Reasons to Threat ModelFind Security Bugs EarlyUnderstand Your Security RequirementsImproved QualityAddress Issues Other Techniques Won't

····

60/105


60 of 105 2/23/15, 1:54 PM

STRIDESpoofingTamperingRepudiationInformation DisclosureDenial of ServiceElevation of Privilege

······

61/105


61 of 105 2/23/15, 1:54 PM

Web Security


62 of 105 2/23/15, 1:54 PM

63/105


63 of 105 2/23/15, 1:54 PM

Web SecurityIdentityAuthenticationAuthorizationProtected ChannelsNon-Repudiation

·····

64/105


64 of 105 2/23/15, 1:54 PM

65/105


65 of 105 2/23/15, 1:54 PM

Same Origin PolicySchemeHostPort

···

66/105


66 of 105 2/23/15, 1:54 PM

JSONP<script type="application/javascript" src="http://server2.bosatsu.net/order/id/16234?jsonp=updateOrder"></script>

updateOrder({"Order" : "16234", "Status" : "Shipped"});

67/105


67 of 105 2/23/15, 1:54 PM

CORS// 1. Origin Header from browser to http://server2.bosatsu.netOrigin: http://server1.bosatsu.net

// 2. Response from http://server2.bosatsu.netAccess-Control-Allow-Origin: http://server1.bosatsu.net

68/105


68 of 105 2/23/15, 1:54 PM

JSONP vs CORSPrefer CORS, but JSONP works w/ older browsersJSONP is GET onlyCORS involves the browser

···

69/105


69 of 105 2/23/15, 1:54 PM

TLS/SSLEncryptionParty IdentificationCipherSuite selectionCertificate managementHMACProtection against downgrade

······

70/105


70 of 105 2/23/15, 1:54 PM

HTTP Basic AuthGET /dir/index.html HTTP/1.1Host: localhost

HTTP/1.1 401 UnauthorizedWWW-Authenticate: Basic realm="report"

71/105


71 of 105 2/23/15, 1:54 PM

HTTP Basic AuthGET /dir/index.html HTTP/1.1Host: localhostAuthorization : c2NvdHQ6dGlnZXI=

HTTP/1.1 200 OKDate: Sun, 10 Apr 2005 20:27:03 GMTContent-Type: text/htmlContent-Length: 7984

72/105


72 of 105 2/23/15, 1:54 PM

Base64 != EncryptionBase64Decode(c2NvdHQ6dGlnZXI=) ====> scott:tiger

73/105


73 of 105 2/23/15, 1:54 PM

HTTP Digest#qop = auth or not-specifiedHA1 = MD5(username:realm:password)HA2 = MD5(method:digestURI)response=MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2) orresponse=MD5(HA1:nonce:HA2)

#qop = auth-intHA1 = MD5(username:realm:password)HA2 = MD5(method:digestURI:MD5(entityBody))response=MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)

74/105


74 of 105 2/23/15, 1:54 PM

HTTP DigestGET /dir/index.html HTTP/1.1Host: localhost

HTTP/1.1 401 UnauthorizedWWW-Authenticate: Digest realm="[email protected]", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"

75/105


75 of 105 2/23/15, 1:54 PM

HTTP DigestGET /dir/index.html HTTP/1.1Host: localhostAuthorization: Digest username="Mufasa", realm="[email protected]", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"

HTTP/1.1 200 OKDate: Sun, 10 Apr 2005 20:27:03 GMTContent-Type: text/htmlContent-Length: 7984

76/105


76 of 105 2/23/15, 1:54 PM

OpenIDIdentity as a ServiceStagnant adoption, concerns about UX issuesTechnology in search of a problem

···

77/105


77 of 105 2/23/15, 1:54 PM

OAuth 1.0AResource management and two-legged approachComplicated by the signing of requestsNo requirement for TLSFairly widely supported

····

78/105


78 of 105 2/23/15, 1:54 PM

OAuth 2.0Simplified ApproachDifferent use casesDifferent profiles

···

79/105


79 of 105 2/23/15, 1:54 PM

Bearer TokensOAuth Web Resource Authorization Profiles (WRAP)Requires TLSCertificate chain validationSupport for MAC Access Authentication

····

80/105


80 of 105 2/23/15, 1:54 PM

81/105


81 of 105 2/23/15, 1:54 PM

RegistrationRequests tied to appAllows revocation w/o changing credentialsClient receives client_id and client_secretClient specifies redirect_uri

····

82/105


82 of 105 2/23/15, 1:54 PM

OAuth 2.0 Roles

Credit: http://tutorials.jenkov.com/images/oauth2

83/105


83 of 105 2/23/15, 1:54 PM

GET /dir/index.html HTTP/1.1Host: localhostAuthorization: Bearer fa3c.FAFDLKERE

GET /dir/index.html?access_token=fa3c.FAFDLKERE HTTP/1.1Host: localhost

84/105


84 of 105 2/23/15, 1:54 PM

Client ProfilesServer-side Web AppClient-side Browser AppNative Application

···

85/105


85 of 105 2/23/15, 1:54 PM

Server-Side Web App


86/105


86 of 105 2/23/15, 1:54 PM

Authorization Code Authorization FlowResource owner grants access and is returned to the redirect_uri w/authorization code as a parameterServer exchanges code for access token w/ client_id and client_secretAllows long-lived access via refresh tokensResource owner isn't given access to the tokens

·

···

87/105


87 of 105 2/23/15, 1:54 PM

Client-Side Web App


88/105


88 of 105 2/23/15, 1:54 PM

Implicit Grant Authorization FlowResource owner grants accessAccess token is returned via a fragment identifierClient parses the URLs and strips off the token to make requestsNo long-lived access via refresh tokensUser agent has access to the application and API requests

·····

89/105


89 of 105 2/23/15, 1:54 PM

Native App


90/105


90 of 105 2/23/15, 1:54 PM

Resource Owner Password Grant AuthorizationFlow

Resource owner grants access by exchanging credentials for access tokenPassword only need to establish access tokenToken is revokable and scoped to specific resourcesRequires trusted client

····

91/105


91 of 105 2/23/15, 1:54 PM

Client Credential Grant Authorization FlowClient credentials are pre-arranged and shared'Two-legged' Flow

··

92/105


92 of 105 2/23/15, 1:54 PM

93/105


93 of 105 2/23/15, 1:54 PM

94/105


94 of 105 2/23/15, 1:54 PM

The FutureOpenID Connect (http://openid.net/connect/)W3C Web Cryptography WG (http://www.w3.org/2012/webcrypto/)W3C Web Credentials CG (http://opencreds.org)Secure Messaging (https://web-payments.org/specs/source/secure-messaging/)

····

95/105


95 of 105 2/23/15, 1:54 PM

Books


96 of 105 2/23/15, 1:54 PM

97/105


97 of 105 2/23/15, 1:54 PM

98/105


98 of 105 2/23/15, 1:54 PM

99/105


99 of 105 2/23/15, 1:54 PM

100/105


100 of 105 2/23/15, 1:54 PM

101/105


101 of 105 2/23/15, 1:54 PM

102/105


102 of 105 2/23/15, 1:54 PM

103/105


103 of 105 2/23/15, 1:54 PM

104/105


104 of 105 2/23/15, 1:54 PM

Questions?

[email protected]

@bsletten

http://tinyurl.com/bjs-gplus

bsletten

"

!

+

$


105 of 105 2/23/15, 1:54 PM

Documents

Web Security ...2015 Greater Wisconsin Software Symposium March 13-14 (Two day event) Early bird discount ends 2/23 JUG Discount: $50 off use the promo code: nfjsusergroup50