ROOTCON 10 / Trainings / Web Application Security (transcript of the slide deck)
Expert advice. Experience advantage. Proactive Security Solutions Through Cutting-Edge Research.
www.pandoralabs.net
Who we are. Why we exist. PANDORA SECURITY LABS
We are a Security-as-a-Service company, providing businesses with on-demand threat detection and intelligence resources and capabilities, for 24x7 protection.
We Make IT Secure
We Build Security Software. What do we really do?
Security Information & Event Manager
Web Application Firewall & CDN (www.webranger.io)
& WE ARE COOKING MORE!
#pandoralabs
Our Capabilities. Solutions we created from our capabilities to complement your needs:
• Defensive Technologies
• Offensive Intelligence
• Administrative Expertise
Offerings: ThreatScout, Pandora SOC
Capability stack (layer: component):
• Sensor: UTMs
• Log agents: WAFs
• Analytics: SIEM
• Correlation: Intel
• Operations: Forensics
• 24x7 monitoring: IRT/ERT
Developing Secure Web Apps. Tips for developing a secure web application.
PANDORA SECURITY LABS Web Application Security
Always Use TLS
• Transport Layer Security
• Use the latest version (1.2 at the time of this training) and disable the obsolete SSL versions
• Ensures that data is encrypted as it travels the wire
• Ensures integrity using a message authentication code
• The Let's Encrypt project provides free certificates for TLS
• Use tools like SSL Server Test by Qualys SSL Labs to verify your TLS configuration
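The configuration check that a scanner such as SSL Labs performs from the outside can also be applied to your own client code. The following is an added example, not code from the deck: it builds a hardened TLS client context with Python's standard ssl module and audits a context for the weak settings the slide warns about (old protocol versions, missing certificate or hostname verification). It makes no network connection.

```python
"""Added example (not from the ROOTCON 10 deck): build a hardened TLS client
context with Python's standard ssl module and audit a context for the weak
settings an external scanner such as Qualys SSL Labs would flag. Offline."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2 and always
    verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or 1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts protocol versions older than TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        findings.append("does not verify the server hostname")
    return findings


def weakened_context() -> ssl.SSLContext:
    """The kind of 'make the certificate warning go away' context seen in
    real code: certificate and hostname checks switched off, so any
    man-in-the-middle can present any certificate and be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Run audit_context over every SSLContext your code constructs (a unit test is a good place); a non-empty result is a finding to fix, not to suppress.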
Never store plaintext passwords
• Hash passwords when you store them in the database, using a slow, salted password hashing function (bcrypt, scrypt, PBKDF2), not a bare MD5 or SHA digest
• Provision your code and database such that the hashing algorithm can be changed (store the algorithm and its parameters alongside each hash)
• ALWAYS hash with unique salts per record; this prevents rainbow table attacks and stops two users with the same password from producing the same hash
Never store plaintext passwords
Let me demo: Google the plaintext of a hash
Hash-with-salt logic
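The demo above works because an unsalted hash of a common password is identical everywhere, so search engines have indexed it. The following added example (not code from the deck) shows that, then a salted, versioned password store built on the standard library's PBKDF2-HMAC that satisfies all three slide rules: unique salt per record, algorithm and parameters stored with the hash so they can be changed, and a needs_rehash check for upgrading old records at login. A bcrypt, scrypt or Argon2 library is equally suitable in production.

```python
"""Added example (not from the deck): the 'Google the hash' problem and a
salted, versioned password store that can change algorithms later.
Standard library only (hashlib PBKDF2-HMAC, secrets, hmac)."""
import hashlib
import hmac
import secrets


def unsalted_md5(password: str) -> str:
    """What NOT to do: the same for every user and every site, so the digest
    of a common password can simply be looked up."""
    return hashlib.md5(password.encode()).hexdigest()


# Record format: algorithm$iterations$salt_hex$hash_hex. Keeping the algorithm
# name and its parameters in the record is what allows a per-user upgrade later.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(16)                        # unique per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False                                       # unknown scheme
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True when a record was made with weaker parameters than current policy.
    Call after a successful login and re-store hash_password(password)."""
    algorithm, iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS
```

Raising ITERATIONS (or switching ALGORITHM) later needs no migration script: every record says how it was produced, verification honours that, and needs_rehash upgrades each user the next time the plaintext is available at login.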
Use Strong Authentication
Strong authentication (such as tokens, certificates, etc.) provides a higher level of security than usernames and passwords alone.
The generalized form of strong authentication is "something you know, something you hold": two independent factors, so that compromising one is not enough.
Use Strong Authentication
When to use strong authentication:
• For high value transactions
• Where privacy is a strong or legally compelled consideration (such as health records, government records, etc.)
• Where audit trails are legally mandated and require a strong association between a person and the audit trail, such as banking applications
• Administrative access for high value or high risk systems
Use Strong Authentication
Best practices:
• Authentication is only as strong as your user management processes
• Use the most appropriate form of authentication suitable for your asset classification
• Re-authenticate the user for high value transactions and access to protected areas (such as changing from user to administrative level access)
• Authenticate the transaction, not the user
• Passwords are trivially broken and are unsuitable for high value systems
Enforce Good Session Management
Session management is by its nature closely tied to authentication, but this does not mean users should be considered authenticated until the web application has taken positive action to tie a session to a trusted credential or other authentication token.
If possible, tie a session to a specific IP address and force re-authentication if the IP changes. This limits hijacking and replay attacks (mobile and NAT users do change addresses legitimately, so weigh the usability cost).
Enforce session timeouts, both idle and absolute.
Enforce Good Session Management
Ensure that unauthenticated users have no privileges, or minimal privileges only.
Ensure all unprotected pages use as few resources as possible.
Ensure that session tokens are user-unique, non-predictable, and resistant to reverse engineering: generate them from a cryptographic random source, never from user attributes or timestamps.
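The rules on these two slides fit in one small server-side session store. The following is an added example, not code from the deck: tokens come from a CSPRNG, a session carries no user until login explicitly binds one (and the token is rotated at that moment), a change of client IP drops the session so the user must re-authenticate, and both idle and absolute timeouts are enforced. The names are hypothetical and the clock is injectable so expiry can be exercised without waiting.

```python
"""Added example (not from the deck): server-side session store implementing
the slide's rules. Names hypothetical; clock injectable for testing."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # seconds allowed without activity
ABSOLUTE_TIMEOUT = 8 * 3600     # seconds since login, regardless of activity


@dataclass
class Session:
    token: str
    ip: str
    created: float
    last_seen: float
    user_id: str = None         # stays None until authentication succeeds


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}

    def create(self, ip: str) -> str:
        # 32 random bytes from the OS CSPRNG: unpredictable and unrelated to
        # any user attribute, so it cannot be guessed or reverse engineered.
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = Session(token, ip, now, now)
        return token

    def authenticate(self, token: str, user_id: str, ip: str) -> str:
        """The positive action that ties a session to a credential. The token
        is rotated so a pre-login token planted by an attacker (session
        fixation) is worthless after login."""
        old = self.sessions.pop(token, None)
        if old is None or old.ip != ip:
            raise PermissionError("unknown session")
        new = self.create(ip)
        self.sessions[new].user_id = user_id
        return new

    def current_user(self, token: str, ip: str):
        """User for a valid authenticated session, else None; the caller then
        treats the request as anonymous or redirects to login."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if (s.ip != ip or now - s.last_seen > IDLE_TIMEOUT
                or now - s.created > ABSOLUTE_TIMEOUT):
            del self.sessions[token]     # hijack suspected or expired: re-auth
            return None
        s.last_seen = now
        return s.user_id
```

In a real deployment the token travels in a cookie flagged Secure and HttpOnly, and the store lives in a shared backend (database or cache) rather than a process-local dict.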
Use Parameterized Queries / Stored Procedures
• Injection happens when data supplied from one component to another is interpreted as code by the receiver
• Hackers "inject" their code to run instead of yours
• Example: SQL injection attack (vulnerable string concatenation)
    String query = "SELECT * FROM products WHERE name = '" + request.getParameter("id") + "'";
• Code expects a nice parameter in the URL: http://example.com/products?id=123
• A hacker could instead supply this: http://example.com/products?id=';+DROP+TABLE+'products';
Use Parameterized Queries / Stored Procedures
Example (the statement text is fixed and the value is bound as data, so user input can never change the query structure):
    String prodId = request.getParameter("productId");
    String query = "SELECT product_status FROM product_data WHERE product_id = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, prodId);
    ResultSet results = pstmt.executeQuery();
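To see the difference run rather than described, here is an added example (not from the deck) that puts the slide's concatenated query next to its parameterized form against an in-memory SQLite table with constructed rows. Python's sqlite3 driver refuses more than one statement per execute(), so the "'; DROP TABLE" payload from the slide fails here for an unrelated reason; the tautology payload below shows the same loss of control over the query with a single statement.

```python
"""Added example (not from the deck): vulnerable concatenation vs. bound
parameters, side by side, on an in-memory SQLite database with constructed
sample rows."""
import sqlite3

PAYLOAD = "' OR '1'='1"          # turns the WHERE clause into a tautology


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT, secret INTEGER)")
    # Constructed sample data; 'secret' marks a row a caller should never see.
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("123", "widget", 0), ("124", "gadget", 0),
                      ("999", "unreleased", 1)])
    return conn


def lookup_vulnerable(conn, product_id: str) -> list:
    """Mirrors the slide: user input spliced straight into the SQL text."""
    query = "SELECT name FROM products WHERE id = '" + product_id + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, product_id: str) -> list:
    """The '?' placeholder is filled by the driver: input is data, not SQL."""
    query = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(query, (product_id,))]
```

With the payload, the vulnerable function returns every row including the unreleased product; the parameterized one looks for a product whose id is literally the string "' OR '1'='1" and finds nothing.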
Sanitize and Validate User Input
• Always assume the data is "evil"
• ALWAYS validate and sanitize input on the BACKEND, not the frontend: client-side checks are a convenience for users and are trivially bypassed
• Encode all user-supplied data for the context it is emitted into (HTML, attribute, JavaScript, URL) before using it
• Clean up quotes, semicolons, parentheses, etc. where they are not legitimate input, preferring an allow-list of what is valid over a deny-list of what is bad
Sanitize and Validate User Input
Data should be:
• Strongly typed at all times
• Length checked and field lengths minimized
• Range checked if numeric
• Unsigned unless required to be signed
• Syntax or grammar checked prior to first use or inspection
• Sanitized
Sanitize and Validate User Input
Coding guidelines should use some form of visible tainting on input from the client or untrusted sources, such as third-party connectors, to make it obvious that the input is unsafe:
    taintedPostcode = getParameter("postCode");
    validation = new Validation();
    postCode = validation.isPostcode(taintedPostcode);
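Visible tainting is stronger when the type system enforces it. The following added example (not code from the deck) makes the pattern concrete: a Tainted wrapper that refuses to be used as a string, and validators that apply the checklist from the previous slide (length limits, grammar check before first use, strong typing, unsigned and range-checked numbers) and return a clean Python value. The names are hypothetical and the postcode grammar is a simplified UK-style one for illustration only.

```python
"""Added example (not from the deck): tainted input wrapper plus validators
that implement the slide's checklist. Names and grammar are illustrative."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """Wrapper for anything that arrived from a client or third-party connector.
    Using it as a string without validating is a TypeError, not a silent bug."""
    raw: str

    def __str__(self):
        raise TypeError("tainted input used without validation")


class ValidationError(ValueError):
    pass


# Simplified UK postcode shape, e.g. "SW1A 1AA" or "M1 1AA". Allow-list, not deny-list.
POSTCODE = re.compile(r"^[A-Z]{1,2}[0-9][0-9A-Z]? [0-9][A-Z]{2}$")
QUANTITY = re.compile(r"^[0-9]{1,4}$")          # ASCII digits only: unsigned by construction


def is_postcode(value: Tainted) -> str:
    """Length-limited, grammar-checked, normalised postcode or ValidationError."""
    text = value.raw.strip().upper()
    if not 6 <= len(text) <= 8:                   # field length minimised
        raise ValidationError("postcode length")
    if not POSTCODE.match(text):                  # syntax checked before first use
        raise ValidationError("postcode grammar")
    return text


def is_quantity(value: Tainted, maximum: int = 1000) -> int:
    """Strongly typed, unsigned, range-checked integer or ValidationError."""
    text = value.raw.strip()
    if not QUANTITY.match(text):                  # rejects '-', '+', spaces, letters
        raise ValidationError("quantity must be a positive whole number")
    qty = int(text)
    if not 1 <= qty <= maximum:
        raise ValidationError("quantity out of range")
    return qty
```

Because request parameters are only ever handed out as Tainted, any code path that forgets to validate fails loudly in testing instead of passing attacker-controlled text to a query or template.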
Sanitize and Validate User Input
Let me demo an old vulnerability: WordPress
Use Anti-CSRF Tokens
Anti-CSRF tokens add a unique, unpredictable token that must be included with the data submission and is checked server-side against the value tied to the user's session. A cross-site page cannot read the token, so it cannot forge a valid submission.
ASP.NET MVC view:
    <% using (Html.Form("UserProfile", "SubmitUpdate")) { %>
        <%= Html.AntiForgeryToken() %>
        <!-- rest of form goes here -->
    <% } %>
The output will be something like:
    <form action="/UserProfile/SubmitUpdate" method="post">
        <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />
        <!-- rest of form goes here -->
    </form>
Use Anti-CSRF Tokens
Controller: the [ValidateAntiForgeryToken] attribute rejects the request unless the hidden field matches the token in the user's anti-forgery cookie. A state-changing action should also be limited to POST, so [HttpPost] is added here.
    public class UserProfileController : Controller
    {
        public ViewResult Edit()
        {
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ViewResult SubmitUpdate()
        {
            // Get the user's existing profile data (implementation omitted)
            ProfileData profile = GetLoggedInUserProfile();

            // Update the user object
            profile.EmailAddress = Request.Form["email"];
            profile.FavoriteHobby = Request.Form["hobby"];
            SaveUserProfile(profile);

            ViewData["message"] = "Your profile was updated.";
            return View();
        }
    }
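The framework hides what the token actually is. As an added example (not from the deck or from ASP.NET), here is the mechanism framework-free: the token is an HMAC over the session id and a random nonce under a server-side key, so it is unpredictable to a cross-site attacker and bound to exactly one session, and the handler also refuses anything but POST. Function names and the SERVER_KEY are my own.

```python
"""Added example (not from the deck): a session-bound anti-CSRF token and a
handler shaped like the slide's SubmitUpdate action. Names hypothetical."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, never sent to clients


def issue_csrf_token(session_id: str) -> str:
    """Fresh nonce + HMAC(session_id, nonce); embedded in the form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session; a token issued to another session
    or made up by an attacker will not match."""
    try:
        nonce, mac_hex = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), mac_hex)


def render_form(session_id: str) -> str:
    """What the view's Html.AntiForgeryToken() helper emits, roughly."""
    return ('<form action="/UserProfile/SubmitUpdate" method="post">'
            '<input name="__RequestVerificationToken" type="hidden" '
            f'value="{issue_csrf_token(session_id)}"/></form>')


def submit_update(method: str, session_id: str, form: dict) -> str:
    """Request handler: method check, then token check, then the update."""
    if method != "POST":
        return "405 Method Not Allowed"
    if not verify_csrf_token(session_id, form.get("__RequestVerificationToken", "")):
        return "403 Forbidden: anti-forgery token invalid"
    return "200 Your profile was updated."
```

A forged request from a third-party site can carry the victim's session cookie (the browser attaches it automatically) but not a token for that session, so it stops at the 403 branch.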
Log Relevant Data
• Auditable: all activities that affect user state or balances are formally tracked
• Traceable: it is possible to determine where an activity occurs in all tiers of the application
• High integrity: logs cannot be overwritten or tampered with by local or remote users
• Audit logs are legally protected; protect them
Log Relevant Data
Data from logs can be used to monitor your application.
Never log confidential data (passwords, card numbers, session tokens)!
Have a SIEM collect the logs to help you monitor your applications.
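Two of the requirements above can be enforced in the logging code itself. The following added example (not from the deck) redacts confidential fields before a record is written, and makes the log tamper-evident by chaining an HMAC through every record, so that an attacker who edits or deletes an entry after the fact is detected when the collector verifies the chain. The key belongs on the collector/SIEM side rather than on the application host, so a local attacker cannot recompute a consistent chain. Field names are hypothetical.

```python
"""Added example (not from the deck): redaction of confidential fields and an
HMAC-chained, tamper-evident application log. Names hypothetical."""
import hashlib
import hmac
import json

CONFIDENTIAL = {"password", "card_number", "cvv", "session_token", "authorization"}
GENESIS = "0" * 64          # previous-MAC value used for the very first record


def redact(event: dict) -> dict:
    """Replace the value of any confidential field before it reaches disk."""
    return {k: ("[REDACTED]" if k.lower() in CONFIDENTIAL else v)
            for k, v in event.items()}


class TamperEvidentLog:
    def __init__(self, key: bytes):
        self.key = key
        self.records = []            # list of (json_line, mac_hex)
        self.prev_mac = GENESIS

    def append(self, event: dict) -> str:
        # Canonical JSON so the MAC is stable; the MAC also covers the previous
        # record's MAC, which is what links the records into a chain.
        line = json.dumps(redact(event), sort_keys=True, separators=(",", ":"))
        mac = hmac.new(self.key, (self.prev_mac + line).encode(), hashlib.sha256).hexdigest()
        self.records.append((line, mac))
        self.prev_mac = mac
        return line

    def verify_chain(self) -> bool:
        """Recompute every MAC from the genesis value; any edited, inserted or
        removed record breaks the chain from that point on."""
        prev = GENESIS
        for line, mac in self.records:
            expected = hmac.new(self.key, (prev + line).encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, mac):
                return False
            prev = mac
        return True
```

Ship the (line, mac) pairs to the SIEM as they are produced; verification then runs where the attacker has no write access, which is what "high integrity" requires in practice.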
Never Disclose Information via Error Messages
• Stack traces show the inner workings of an application
• Do not give attackers clues about your application (e.g. answering "invalid username" versus "invalid password" tells them which accounts exist)
• Use generic error messages for the user and keep the detail in server-side logs
• Do not send the "username" in your password reset emails
Never Disclose Information via Error Messages. Example with Tomcat:
In CATALINA_HOME/conf/web.xml, add the following entry so that any uncaught exception is rendered by your own page instead of the default stack trace:
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error.jsp</location>
    </error-page>
Never Disclose Information via Error Messages. Example in .NET:
In the Web.config file at the application's root, make sure debug compilation is off (debug="true" is the setting that produces detailed exception pages with source lines; it must be "false" in production). The element lives under <system.web>:
    <configuration>
      <system.web>
        <compilation debug="false" />
      </system.web>
    </configuration>
Also, configure a generic error page (also under <system.web>; mode="RemoteOnly" keeps the detailed page for developers on localhost only):
    <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
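The Tomcat and .NET settings above implement one pattern: the user sees a fixed message, the detail goes to the server log. As an added example (not from the deck), here is that pattern framework-free in Python, including a reference id that lets support find the real stack trace, plus the login message rule from the first slide of this section: the same wording whether the username is unknown or the password is wrong. Names and the sample user table are hypothetical.

```python
"""Added example (not from the deck): generic error responses with a server-side
reference, and a non-enumerating login message. Names hypothetical."""
import logging
import traceback
import uuid

log = logging.getLogger("app")
GENERIC = "Something went wrong. Please quote reference {ref} to support."
LOGIN_FAILED = "Invalid username or password."

# Constructed sample; a real store holds salted hashes as in the password slides.
USERS = {"alice": "correct-password"}


def handle(view, *args):
    """Wrap a request handler so no exception text ever reaches the client."""
    try:
        return 200, view(*args)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full traceback server-side only, keyed by the reference shown to the user.
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        return 500, GENERIC.format(ref=ref)


def login_message(username: str, password: str) -> str:
    """Identical response for unknown account and wrong password, so the
    login form cannot be used to enumerate valid usernames."""
    if USERS.get(username) == password:
        return "Welcome."
    return LOGIN_FAILED


def product_view(product_id: str) -> str:
    """A handler with a bug: an unknown id raises KeyError, which unwrapped
    would show a stack trace with file paths and the failing expression."""
    return {"123": "widget"}[product_id]
```

The same idea applies to password reset: respond "If that account exists, an email has been sent" regardless of whether it does.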
Never Disclose Information via Error Messages
Let me demo: Joomla
Secure Your Components
• Realities: we did not write the code for every component in our stack; we reuse code, components, and libraries
• Use dependency management tools so you know exactly which libraries and versions you ship: Maven, NuGet, CocoaPods, npm
• Software should always be kept up to date
• Vulnerability assessment / penetration testing can catch outdated components
• Always check the issue tracker or repository of a library/component before using it
Secure Your Components
• Check whether your components have known vulnerabilities by their Common Vulnerabilities and Exposures (CVE) identifiers: https://cve.mitre.org/cve/cve.html
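Checking an inventory against advisories is mechanical once the inventory exists, which is the point of the dependency tooling above. The following added example (not from the deck) parses a requirements-style inventory and reports every component older than the version an advisory says fixed it. The package names and advisory identifiers are constructed for illustration and are not real CVE data; in practice the advisory table is fed from cve.mitre.org / NVD or a tool such as OWASP Dependency-Check, and the version comparison is a minimal numeric one for x.y.z versions.

```python
"""Added example (not from the deck): match a component inventory against
known-vulnerable version ranges. All package names and advisory ids below are
constructed for illustration, not real CVE data."""

# Constructed inventory in requirements.txt style (hypothetical packages).
INVENTORY = """\
# generated by the build; pinned versions
webframework==2.3.1
imagelib==1.0.9
jsonparser==4.1.0
"""

# Constructed advisories: (package, first fixed version, advisory id). Not real.
ADVISORIES = [
    ("webframework", "2.3.4", "EXAMPLE-2016-0001"),
    ("imagelib", "1.1.0", "EXAMPLE-2016-0002"),
    ("jsonparser", "3.9.0", "EXAMPLE-2016-0003"),
]


def parse_version(version: str) -> tuple:
    """'1.10.0' -> (1, 10, 0); tuple comparison gives correct ordering,
    unlike comparing the strings ('1.10.0' < '1.9.9' as text)."""
    return tuple(int(part) for part in version.split("."))


def parse_inventory(text: str) -> dict:
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        inventory[name.lower()] = version
    return inventory


def find_vulnerable(inventory: dict, advisories=ADVISORIES) -> list:
    """Return (package, installed, fixed_in, advisory) for each component that
    is installed at a version below the advisory's fix."""
    hits = []
    for package, fixed_in, advisory in advisories:
        installed = inventory.get(package)
        if installed and parse_version(installed) < parse_version(fixed_in):
            hits.append((package, installed, fixed_in, advisory))
    return hits
```

Run this in the build pipeline and fail the build on a non-empty result; a component that is merely "probably fine" is exactly what OWASP Top 10 item 9 below is about.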
Employ Security Testing
Use the OWASP Top 10 and the OWASP Testing Guide as your checklist.
Use OWASP ZAP (Zed Attack Proxy) for dynamic testing.
Employ Security Testing
OWASP Top 10 (2013 edition):
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Employ Security Testing
CWE/SANS Top 25 Most Dangerous Software Errors (2011):
1. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5. Missing Authentication for Critical Function
6. Missing Authorization
7. Use of Hard-coded Credentials
8. Missing Encryption of Sensitive Data
9. Unrestricted Upload of File with Dangerous Type
10. Reliance on Untrusted Inputs in a Security Decision
11. Execution with Unnecessary Privileges
12. Cross-Site Request Forgery (CSRF)
13. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
14. Download of Code Without Integrity Check
15. Incorrect Authorization
16. Inclusion of Functionality from Untrusted Control Sphere
17. Incorrect Permission Assignment for Critical Resource
18. Use of Potentially Dangerous Function
19. Use of a Broken or Risky Cryptographic Algorithm
20. Incorrect Calculation of Buffer Size
21. Improper Restriction of Excessive Authentication Attempts
22. URL Redirection to Untrusted Site ('Open Redirect')
23. Uncontrolled Format String
24. Integer Overflow or Wraparound
25. Use of a One-Way Hash without a Salt
Securing Your Website with WebRanger
1. Awareness is key. Awareness is the greatest agent for change and action.
2. Access control and performance. WAF & CDN to provide access control and a performance boost to your site. A Web Application Firewall (WAF) blocks threats accessing your website.
3. Encrypted communication. Ensuring your users that you are communicating securely with them.
WebRanger: Web Application Security by Pandora Security Labs that protects your web app using all best defensive solutions in one: WAF + Threat Analytics + 24x7 Analysts.
• People: security analysts
• Process: threat analytics
• Product: WAF & CDN, SSL
How does WebRanger work to protect your website?
1. Attackers attack your website
2. WebRanger identifies the anomaly and sends data to the analytics system
3. The analytics system correlates data and sends the alerts to the SOC
4. The SOC determines if the alert is a true alert and informs the client
5. Pandora SOC commands the WAF to block the attack
6. True alerts are then communicated to the client either via phone or email
7. Client views the WebRanger Console for the alerts and attacks resolved
8. Attacks with the same patterns are blocked
Components: WebRanger, Analytics System, Pandora SOC