Reducing Web Application Vulnerabilities using OWASP€¦ · 2. Cross Site Scripting 3. Broken...
Transcript of Reducing Web Application Vulnerabilities using OWASP€¦ · 2. Cross Site Scripting 3. Broken...
CONTENTS
• Contents
• Disclaimer
• Introduction
• Common uses for Web Applications
• Common Web Application Infrastructure and Users
• The Importance of Web Application Security
• Why OWASP
• About OWASP
• Top Ten
• Summary.
• Mapping to Verizon Data Breach Report (Hacking Methods)
• In Detail (with Examples and Case Studies)
• 2013 Release Candidate Update
• Recommendations
• Prize
• Q & A
DISCLAIMER
Informational Purposes and ownership of views.
The content of this publication is for information purposes only, individuals and
organisations should assess the suitability of this information for their own
purposes. The information is provided for the purpose of understanding software
vulnerabilities and how to prevent their exploitation.
The views are not necessarily those of OWASP, however their will be similarities.
Chatham House Rule
This presentation is provided under the Chatham House Rule for the purpose of
facilitating free and open discussion.
“Chatham House Rule: Participants are free to use the information received, but
neither the identity nor the affiliation of the speaker(s), nor that of any
participant, may be revealed”.
COMMON USES FOR “WEB APPLICATIONS”
Internet Banking
Online Shopping
Online Bill Payments
Online Gambling
Online Forums
Software as a Service
Remote Access
Device Management (ICT Infrastructure)
THE IMPORTANCE OF WEB APP SECURITY
Competitive Advantage
Increased Consumer / Customer Confidence
Lower Costs from managing Theft / Fraud / Misuse / Recovery
Continuity of Business
Services are less susceptible to data corruption and/or data
accessibility problems resulting from unauthorised access
Compliance with requirements to protect information
WHY OWASP
Widely Recognised :
31 Different ICT Security Related Organisations have cited OWASP https://www.owasp.org/index.php/Industry:Citations#National_.26_International_Legislation.2C_Standards.2C_Guidelines.2C_Committees_and_In
dustry_Codes_of_Practice
Compliance with Security Standards
PCI DSS: Requirement 6.5 Develop Secure Applications (v2). “… as industry best practices for vulnerability management are updated (for example, the OWASP Guide,” Approved Scanning Vendor Program Guide Reference 1.0/PCI DSS Version 1.2: “Perform a Scan without Interference from IDS/IPS”
Australian Government ISM: “Control 0971: Agencies should follow the documentation provided in the Open Web Application Security Project guides to building secure web applications …”
ABOUT OWASP
Open Web Application Security Project
“OWASP is an open community dedicated to enabling
organizations to conceive, develop, acquire, operate,
and maintain applications that can be trusted”
Publications
Top 10
Full Development Guide (293 Pages)
Tutorials
Detail advice on Specific Topics
ALIGNMENT TO VERIZON DATA BREACH REPORT (2012)
H A C K I N G M E T H O D S
( A L L % / E N T E R P R I S E % )
• SQL Injection (3/14)
• Brute force and dictionary attacks (29/14)
• Exploitation of default or guessable credentials (55/9)
• Exploitation of insufficient authentication (6/3)
• Use of stolen login credentials (40/51)
• Exploitation of backdoor or command and control
channel (25/29)
• Remote File Inclusion (1/6)
• Abuse of Functionality (1/3)
• Unknown (4/31)
O W A S P T O P 1 0
1. Injection
2. Cross Site Scripting
3. Broken Authentication and Session
Management
4. Insecure Direct Object Access
5. Cross Site Request Forgery
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards.
INJECTION – CASE STUDY
Case Study: Membership Website
Root Cause:
Unchecked Numeric Field due to lack of security awareness.
Log Entries show the attack.
Normal Use: GET /<BaseURL>/<Events> <FIELD>=<Number> 443 - <ClientIP>
Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident
/5.0) 200 0 0
Attack:
GET /<BaseURL>/<Events> <FIELD>='+declare+<snip>exec%28%40s%29--
443 - <AttackerIP>
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 500 0 0
INJECTION – CASE STUDY
• Initial Query (insecure) sql_query = “select date,title,status from events, registrations where events.id = registrations.id and events.date > ‘”. date() . “’ and registrations.id=‘“ . $_POST[“membershipid”] . “’”;
Resultant Query from attempted Exploitation $_POST[“membershipid”]=“’; <injected commands>; --”
sql_query = “select date,title,status from events, registrations where events.id = registrations.id and events.date > ‘”. date() . “’ and registrations.id=‘1000’; <injected commands>; --’”
Using escaping to prevent exploitation, using PHP’s addslashes() function. sql_query = “select date,title,status from events, registrations where events.id = registrations.id and events.date > ‘”. date() . “’ and registrations.id=“ . addslashes($_POST[“membershipid”]);
Resultant Query – exploitation prevented sql_query = “select date,title,status from events, registrations where events.id = registrations.id and events.date > ‘”. date() . “’ and registrations.id=‘1000\’; <injected commands>; --’”
INJECTION – EXAMPLE
Additional Input Validation – Check if membership is a number.
// validate all supplied user input. Set $process = true if all input has been validated.
$process = false; //don’t process by default
$valid_data_count=0; //initialise the counter for valid data elements
$expected_elements=1; // we are expecting to validate 1 element here.
if (is_numeric($_POST[“membershipid”]) { //if membershipid is a number increment valid data counter
$valid_data_count++;
}
if ($valid_data_count == $expected_elements) { //if the valid data count the required number of elements ?
$process = true;
}
if ($process) {
sql_query = “select date,title,status from events, registrations where events.id = registrations.id and
events.date > ‘”. date() . “’ and registrations.id=“ . addslashes($_POST[“membershipid”]);
} else {
// Gracefully handle the invalid membershipid
echo “Invalid data has been received\n”;
// Log input data, source address, date/time into errors database for security operations review.
}
INJECTION – CASE STUDY
Threat Agent
Grouping: Organised Crime.
Motivation: Spread Malware or Extortion
Based on:
Sophistication:
Use of Multiple Hosting Providers
Use of Multiple DNS Names for malware hosting servers
Targeting:
Attacked Multiple of Businesses
Business Impact
Outage of Online Membership Functions
Reduced Services to members.
Increased costs to provide member services.
Remediation and Incident Response Costs:
Application Remediation to Check User Input by Developers
Lost Productivity of IT Support staff diverted to Incident Response
3rd Party Security Incident Response Assistance
CROSS SITE SCRIPTING – CASE STUDY
Case Study: User Registration
Root Cause: Unchecked form data included in
HTML source.
CROSS SITE SCRIPT – CASE STUDY
Insecure Code <?php
//code to obtain data from database
echo “Customer Name:” . $custname;
echo “Customer Address1:” . $custaddr1;
?>
Fix - Escaping
<?php
//code to obtain data from database
echo “Customer Name:” . htmlspecialchars($custname);
echo “Customer Address1:” . htmlspecialchars($custaddr1);
?>
Fix – Output Validation <?php
//code to obtain data from database
echo “Customer Name:” . htmlspecialchars($custname);
echo “Customer Address1:” . htmlspecialchars($custaddr1);
if (is_number($custpostcode)) {
// Works for Australian Numeric Post Codes
// accomodation of International Post Codes will require adjustment.
echo “Customer Post Code:” . $custpostcode;
} else {
//error handler
}
?>
CROSS SITE SCRIPTING – CASE STUDY
Threat Agent
Grouping: N/A
Motivation: N/A
Business Impact
Risk:
Cascaded exploitation by attackers.
Costs:
Application remediation – Developer costs
BROKEN AUTHENTICATION AND SESSION
MANAGEMENT – CASE STUDY
Case Study: Web Application
Root Cause: Insufficient protection of passwords
exposed by inadequate system maintenance.
BROKEN AUTHENTICATION AND SESSION
MANAGEMENT
Insecure Code <?php
//code to store a password from a user in a sql database
$query = ‘update passwords set password=“’ . $password . “’ where
username=“’ . $username . “’;
mysql_query($query);
if (mysql_num_rows($query) == 1) {
//As there is a matching username and password,
//we consider the user authenticated
}
?>
BROKEN AUTHENTICATION AND SESSION
MANAGEMENT Using Salt + multiple hashing.
<?php
//code to store a password from a user in a sql database
$salt_length = mt_rand(135,270); // 135 – 270 characters in the salt.
$iterations = mt_rand(2000,4000); // 2000-4000 iterations of the hashfunction
$hash_algo = “sha256”;
//Generate the salt
$salt = “”;
for ($saltcounter = 0; $saltcounter++; $saltcounter < $salt_length) {
$salt .= mt_rand(32,255);
}
//Combine the salt with the password and iterate the hash function.
$hashpass = $salt . $password;
for ($hashcounter = 0; $hashcounter++; $hashcounter < $iterations) {
$hashpass = hash($hash_algo, $hashpass);
}
$query = ‘update passwords set hashpass=“’ . $hashpass. “’, salt=‘” . $salt . “’, iterations=‘” . $iterations . “’ where username=“’ . $username . “’;
mysql_query($query);
?>
BROKEN AUTHENTICATION AND SESSION
MANAGEMENT – CASE STUDY Threat Agent
Grouping: Infamy (Skilled – Employed Anti-Forensics)
Motivation: (Limited) Distribution of Copyrighted Material
Business Impact
Disruption:
Services unavailable while servers were rebuilt.
Delays to other projects as staff were resolving issues.
Costs:
Security Incident Response Team
7 FTE Staff for 3 Weeks, plus
External Security Incident Support.
Lost Productivity.
Reputational Damage
Additional Support
Additional Security Awareness Training
1 Year Fixed Term Staff Member to Provide.
Improvement to Policies, Procedures and Processes.
INSECURE DIRECT OBJECT REFERENCES
Overview
Prevention: Check access, use per user/session indirect object references.
INSECURE DIRECT OBJECT REFERENCES – CASE
STUDY
Root Cause: Direct access to objects, common in White Label” Sites.
INSECURE DIRECT OBJECT REFERENCES
Code Sample
<?php
include $_GET["header"];
echo "<h1>Payment Gateway</h1>\n";
include $_GET["footer"];
?>
INSECURE DIRECT OBJECT REFERENCES
A Fix – Map hostname to a numeric client identifier. <?php
clientid = hostclientmap($_SERVER[“http_host”]);
include “/” . $clientid . “/header”;
echo “<h1>Payment Gateway</h1>\n”;
include “/” . $clientid. “/footer”;
function hostclientmap($hostname) {
$result = mysql_query(“select clientid from client-hostname-mapping
where hostname=“’” . addslashes($hostname) . “’”);
if(!result) {
// return clientid=0 which is a warning to update the
clientid <-> hostname mapping.
$clientid=0;
} else {
$row=mysql_row();
$clientid = $row[“clientid”];
}
}
?>
INSECURE DIRECT OBJECT REFERENCES– CASE
STUDY
Threat Agent
Grouping: Discovered during testing.
Motivation: N/A
Business Impact
Vendor rework for compliance.
Damages Vendor’s credibility (hence reputation).
Claims of PCI DSS Compliance where able to be cast into doubt.
CROSS SITE REQUEST FORGERY - EXAMPLE
Analysis of the forgery
Visiting the “malicious” site may be incidental – e.g compromised ads, forums, etc.
CROSS SITE REQUEST FORGERY - EXAMPLE
Threat Agent
Grouping: Typically Organised Crime
Motivation: Fraud / Theft.
Business Impact
Damages Vendor’s reputation.
Increased losses from Fraud / Theft.
SECURITY MISCONFIGURATION – CASE STUDY
Code Red Worm (July 13 2001).
“.ida” isapi extension left enabled.
“Indexing Service” – Largely unused.
System maintenance not conducted since June 18 2001
SECURITY MISCONFIGURATION – CASE STUDY
Threat Agent
Grouping: Self Promotion
Motivation: Infamy
eEye believed that the worm had the same original as the ILOVEYOU worm.
Business Impact
Disruption
Restoration costs to websites
INSECURE CRYPTOGRAPHIC STORAGE
Threat Agent
Grouping: N/A
Motivation: N/A
Business Impact
Failure to meet contractual obligations
Increased compliance costs due to additional infrastructure falling “into scope”.
Remediation Costs
FAILURE TO RESTRICT URL ACCESS
Threat Agent
Grouping: N/A
Motivation: N/A
Business Impact
Possible Denial of Service, Data Sniffing.
Remediation Costs Options:
Immediate Fix:
2 hours x 200 devices = 4 weeks.
Approximately $40,000 to bring in a resource.
Delayed Fix and Counter Measures.
Action Taken:
Delayed fix with other maintenance.
Changed Passwords on other systems (4 hours).
Risk Acceptance by Management.
INSUFFICIENT TRANSPORT LAYER PROTECTION
Overview
Prevention: Require SSL for Sensitive Pages, Configure SSL to only use approved
algorithms.
INSUFFICIENT TRANSPORT LAYER PROTECTION –
CASE STUDY
Local Australian Bank.
Root Cause: Use of Deprecated Private Key Crypto.
SSL Uses both Public Key and Private Key Cryptography.
INSUFFICIENT TRANSPORT LAYER PROTECTION –
CASE STUDY
Public Key – Ok
2048 Bits
Meets recent key length
upgrade requirements.
INSUFFICIENT TRANSPORT LAYER PROTECTION
Private Key Encryption – Use of Deprecated RC4.
Considered ineffective as early as 2009[1].
Not “approved” by NIST in SP800-131A
Not “approved” by DSD in the 2012 ISM.
PCI-DSS requires strong cryptography.
Apache Config changes are easy.
“SSLProtocol –all +SSLv2”
“SSLCipherSuite SSLv2:+HIGH”
INSUFFICIENT TRANSPORT LAYER PROTECTION
Threat Agent
Grouping: N/A
Motivation: Obtaining of sensitive information.
Business Impact
Reputation
Damage to reputation.
Compliance:
Fails to meet compliance requirements for PCI-DSS (Req 3.4).
Costs:
Reconfigure equipment to use newer algorithms.
Possible upgrade costs to equipment for newer algorithms
UNVALIDATED REDIRECTS AND FORWARDS
Overview
Prevention
Don’t allow users to control redirects.
Very common with Central Authentication Systems.
UNVALIDATED REDIRECTS AND FORWARDS
Threat Agent
Grouping: N/A
Motivation: N/A
Business Impact
Reduced Customer / Staff Confidence.
Remediation Costs
2010 / 2013 RC TOP 10 COMPARISON
2 0 1 0
1. Injection
2. Cross Site Scripting
3. Broken Authentication & Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
2 0 1 3 R E L E A S E C A N D I D A T E
1. Injection (NC)
2. Broken Authentication & Session Management (+1)
3. Cross-Site Scripting (XSS) (-1)
4. Insecure Direct Object References (NC)
5. Security Misconfiguration (+1)
6. Sensitive Data Exposure (+1 – Similar to 7)
7. Missing Function Level Access Control (+1 – Similar to 8)
8. Cross-Site Request Forgery (CSRF) (-3)
9. Using Components with Known Vulnerabilities (New)
10. Unvalidated Redirects and Forwards. (NC)
RECOMMENDATIONS
When Developing Web Applications
Ensure that you have an Application Security Program
Train (new) developers before projects (including updates)
Develop reusable architectures and code libraries
Build-in rather than retrofit
Take unintended / unwanted “users” into consideration
When Purchasing Web Applications Include appropriate security measures in the contract.
Consider remediation clauses.
Consider requiring support for dependant vendor updates.
If both cases: Assessing the level of compliance with these measures to understand the risk to your organisation is
vital.
Assessments should occur at multiple stages during and after development.
PRIZE
In the presentation iconic object from a James Bond film .
a) What is the object ?
b) Which James Bond film is it from ?