web security leeds sharp dot netnotts

Post on 16-Apr-2017


TRANSCRIPT

Web Security

By John Staveley
Dot Net Notts 29/02/2016

https://uk.linkedin.com/in/johnstaveley/
@johnstaveley

Overview

- Why Security? (case studies)
- Who are the hackers? How? (with solutions)
- SecurityEssentials.sln
- ...and then on the server
- Further resources
- Summary
- Questions

Who am I?

John Staveley
Mvc.net developer
Not a security expert!

Why Security? - Some headlines

ZdNet 2014, “Hundreds of millions of records have been stolen this year through hacks and data breaches as a result of poor, or flawed security.”

Davos 2015, “Every time we talked to a top 500 company about cyber-security, they'd say to us: 'talk to my technology guy', now the board of directors and the CEOs of the companies pay attention. There is a new sense of urgency" – Head of a security company

FSB 2013, 41% of small businesses are a victim of cyber crime.


Why Security? - Some example breaches

- Sony – films, confidential email, payroll
- Target – 110 million records lost including credit card details. Current cost $110m
- Home Depot – 56m credit card, 53m email addresses
- JPMorgan – 10s of millions of customers' data lost
- BadUSB
- iCloud celebrity pictures
- Snapchat – 13Gb of data
- Ebay – 145 million user records lost. $220m loss
- Heartbleed etc

Why Security? - and the rest...

Why Security?

- Loss of reputation
- Blacklisting
- Litigation
- Fines e.g. Data Protection Act, PCI compliance

What we will/won't cover

WILL:
- Web application security (MVC)

WON'T:
- Physical security
- Network security
- Trojans, Worms, Viruses
- IDS, Firewalls, Honey pots
- Internal threats
- Advanced persistent threats
- DDOS
- Social Engineering

Presentation Approach

OWASP Top 10
- Not for profit
- Covers all technologies
- Reviewed every 3 years
- Helps you prioritise

Chapter outline
- What is the hack?
- Who has been affected by it?
- What are the mitigations/countermeasures?
- Questions

DEMO: SecurityEssentials.sln – https://github.com/johnstaveley/SecurityEssentials

1 – SQL Injection

SQL Injection – What is it?

string strQry = "SELECT * FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
EXEC strQry

Put in username field: Admin' And 1=1 --
Resulting query: SELECT * FROM Users WHERE UserName='Admin' And 1=1 --' AND Password=''

Put in password field: '; DROP TABLE Users --
Resulting query: SELECT * FROM Users WHERE UserName='' AND Password=''; DROP TABLE Users --'

http://www.not-secure.com/products?Id=14

Havij: http://youtu.be/RBUOJpAfMn4?t=1m28s
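The slide's string-built login query beside a parameterised version, as an added example (not code from the talk or from SecurityEssentials). It assumes ADO.NET against a Users table with UserName and PasswordHash columns and a Products table, both hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // VULNERABLE (the slide's pattern): input is spliced into the SQL text, so a
    // username of  Admin' And 1=1 --  comments out the password check entirely.
    public static bool LoginInsecure(SqlConnection conn, string user, string password)
    {
        string strQry = "SELECT COUNT(*) FROM Users WHERE UserName='" + user +
                        "' AND Password='" + password + "'";
        using (var cmd = new SqlCommand(strQry, conn))
            return (int)cmd.ExecuteScalar() > 0;
    }

    // SAFE: the SQL text is a constant; the value travels as a typed parameter and
    // is never parsed as SQL, whatever quotes or comment markers it contains.
    // Returns the stored password hash (null for an unknown user) so the caller can
    // verify it with PBKDF2/bcrypt instead of comparing clear-text passwords in SQL.
    public static string GetPasswordHash(SqlConnection conn, string user)
    {
        const string sql = "SELECT PasswordHash FROM Users WHERE UserName = @user";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = user;
            object stored = cmd.ExecuteScalar();
            return stored == null || stored == DBNull.Value ? null : (string)stored;
        }
    }

    // Same rule for the slide's /products?Id=14 case: parse the id into a number and
    // bind it, rather than appending the raw query-string text to the statement.
    public static DataTable GetProduct(SqlConnection conn, string idFromQueryString)
    {
        int id;
        if (!int.TryParse(idFromQueryString, out id))
            throw new ArgumentException("Id must be an integer");
        const string sql = "SELECT Id, Name, Price FROM Products WHERE Id = @id";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }
}
```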

2 - Broken authentication and session management

- Password security
- Session hijacking
- Weak account management

Password Security

What is it? - Storage, Policy and Entry

Password storage:
- Plain text = no security (http://plaintextoffenders.com/)
- Base64 encoding = no security
- Avoid encryption – can be broken
- Use hashing (password = 5f4dcc3b5aa765d61d8327deb882cf99)
- Common hashes can be googled
- Use a salt
- Don't use RC4, MD4, MD5 and SHA-1 – HashCat: http://youtu.be/pTDGz7vN3NE?t=12s
- Use PBKDF2, SCrypt, Bcrypt

Password policy:
- Enforce minimum complexity
- Do not reject special characters
- Validate passwords against a list of known bad passwords
- Do not allow personal information in the password

Password entry:
- Don't disallow paste on a web page

Password Security - Examples

Case Study: Richard Pryce

Case Study: Ebay May 2014
- Up to 145 million users affected
- $200m loss
- Poor password encryption blamed

Case Study: LinkedIn 2012
- 6.5 million user accounts stolen by Russian criminals

Password Security - Examples

https://haveibeenpwned.com/
SecurityEssentials.sln pwd: hash, checking, strength

Session hijacking – The What

Session Hijacking – The how

- Concept – Man In The Middle (MITM)
- Opening up the browser
- CSRF
- Sensitive data exposure
- DEMO: Session stealing using document.cookie=""

Session Hijacking - Countermeasures

- Counter client code access of cookies (MITM): HttpOnly
- Counter auth token 'sniffing' – use HttpsOnly (Anti-XSS):
  <forms loginUrl="~/Account/Login" timeout="60" requireSSL="true" slidingExpiration="false"/>
- Private error logging/trace
- Reducing session timeout reduces exposure
- Track sessions – is the session invalidated during logoff?
- SecurityEssentials.sln web.config with transforms

Weak account management – What is it?

Owning the account. Why?
- Sensitive data
- Admin privileges

- Registration
- Logon
- Remember me
- Password reset
- Change account details
- Logoff
- Call centre

Weak account management – Case Study

- News contained details: Sarah Palin used Yahoo mail
- Security information: Birthday? 2 minutes on Wikipedia
- Zip code? Wasilla only has 2 postcodes
- Where did you meet your spouse? High school
- => Password reset

Weak account management - Countermeasures (1)

Account enumeration - can occur on registration, logon or password reset forms
- Success - "An account reset key has been emailed to you"
- Failure - "That user account does not exist"
- Success or Failure - "An account reset key has been emailed to you"

Use Https ([RequireHttps]) to protect sensitive data

Weak account management - Countermeasures (2)

- Brute force logon - do not lock out on incorrect logon – DOS
- Brute force registration/password reset – CAPTCHA and/or throttling to prevent brute force – http://anti-captcha.com/
- Verify email address by sending an email
- Re-challenge user on key actions e.g. prompt for old password when entering new password
- Log and send email when any account state changes

Weak account management - Countermeasures (3)

Password reset:
- Don't send new password out – DOS
- Send email with expiring token (1 hour)
- Security questions: concise, specific, has a large range of answers, low discoverability, constant over time
- Never roll your own membership provider or session management – use the default one in the framework
- Outsource the solution e.g. Azure Active Directory or OpenId
- SecurityEssentials.sln – Account Management process, anti-enumeration, logging, email verification, email on change, activity log, throttling, CAPTCHA, auto-complete off, increase logon time on failure
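A password reset flow that applies the anti-enumeration, expiring-token and logging points from the three countermeasure slides, as an added example (not SecurityEssentials' own account management code). ASP.NET MVC 5 is assumed; IUserStore, AppUser, the mailer and the log delegate are hypothetical stand-ins.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

public class AppUser { public int Id; public string Email; public string ResetToken; public DateTime? ResetExpires; }
public interface IUserStore            // hypothetical store; SecurityEssentials has its own
{
    AppUser FindByEmail(string email);
    AppUser FindByResetToken(string token);
    void Save(AppUser user);
}

public class AccountController : Controller
{
    readonly IUserStore _users;
    readonly Action<string, string> _sendEmail;   // (to, body): hypothetical mailer
    readonly Action<string> _log;                 // hypothetical activity log
    public AccountController(IUserStore users, Action<string, string> sendEmail, Action<string> log)
    { _users = users; _sendEmail = sendEmail; _log = log; }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult ForgotPassword(string email)
    {
        AppUser user = _users.FindByEmail(email);
        if (user != null)
        {
            // 256-bit CSPRNG token, URL-safe encoded, valid for one hour; no new password is mailed
            byte[] raw = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
            user.ResetToken = HttpServerUtility.UrlTokenEncode(raw);
            user.ResetExpires = DateTime.UtcNow.AddHours(1);
            _users.Save(user);
            string link = Url.Action("ResetPassword", "Account", new { token = user.ResetToken }, Request.Url.Scheme);
            _sendEmail(user.Email, "Reset your password (link expires in 1 hour): " + link);
            _log("Password reset requested for user " + user.Id);
        }
        // Same view, same wording, whether or not the address exists: nothing to enumerate
        return View("ForgotPasswordConfirmation");
    }

    [HttpGet]
    public ActionResult ResetPassword(string token)
    {
        AppUser user = string.IsNullOrEmpty(token) ? null : _users.FindByResetToken(token);
        if (user == null || user.ResetExpires == null || user.ResetExpires < DateTime.UtcNow)
            return View("ResetPasswordInvalid");      // unknown and expired tokens look identical
        return View("ResetPassword", (object)token);  // the form then posts token + new password
    }
}
```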

3 – Cross Site Scripting (XSS)

Cross site scripting (XSS) – What is it?

www.mysite.com/index?name=Guest
Output: Hello Guest!

www.mysite.com/index?name=<b>Guest</b>
Output: Hello Guest! (in bold)

www.mysite.com/index?name=Guest<script>alert('Gotcha!')</script>
Output: Hello Guest! (and the script runs)

www.mysite.com/index?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>

www.mysite.com/index?name=<script>Insert evil script here</script>

Cross site scripting (XSS) – What is it?

- Encoded data vs unencoded e.g. &lt;b&gt;Guest&lt;/b&gt; vs <b>Guest</b>
- Cookie theft! <script>alert(document.cookie)</script>
- Concept: Don't trust your users!
- Reflected vs persisted XSS
- Attack vector: social network, email etc

Cross site scripting (XSS) – Examples

Case Study: Legal Helpdesk

Enabler:
- Session stealing
- DOS
- Sensitive data exposure

Ebay, Sep 2014 – http://www.makeuseof.com/tag/ebay-security-breach-reconsider-membership/

About.com, Oct 2014 – 99.98% of links susceptible – Mar 2015 – still unpatched

Cross site scripting (XSS) - Countermeasures

- Validate untrusted data – don't trust your users!
- Sources of data – HTML post, URLs, Excel/CSV import, import of database
- MVC3 - "A potentially dangerous Request.Form value was detected from the client", except: what if you want to post HTML? [AllowHtml]
- Countermeasure: encode reflected data
- MVC3 encodes HTML by default, except @Html.Raw(Model.MyStuff)
- For 'safe' HTML fragments use the WPL (AntiXSS) Library for HTML, CSS, URL, JavaScript, LDAP etc
- Concept: black vs white listing
- SecurityEssentials: incorporation of AntiXSS Library
- Comparison with ASP.Net web forms
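Context-specific output encoding for the slide's /index?name= value, plus white-list sanitising where HTML input is genuinely wanted, as an added example (not the talk's SecurityEssentials code). Assumes ASP.NET MVC 5 on .NET 4.5 (System.Web.Security.AntiXss) and the AntiXSS NuGet package for Sanitizer; the controller and view names are made up.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security.AntiXss;   // System.Web.dll, .NET 4.5+

public class GreetingController : Controller
{
    // Reflects the slide's name parameter into four different output contexts.
    // Rule: encode at output time, for the context the data lands in.
    public ActionResult Index(string name)
    {
        name = name ?? "Guest";
        ViewBag.NameInHtml = AntiXssEncoder.HtmlEncode(name, useNamedEntities: false); // <p>Hello ...</p>
        ViewBag.NameInAttr = AntiXssEncoder.HtmlAttributeEncode(name);                 // title="..."
        ViewBag.NameInJs   = HttpUtility.JavaScriptStringEncode(name);                  // var n = '...';
        ViewBag.NameInUrl  = AntiXssEncoder.UrlEncode(name);                            // href="/x?q=..."
        // Razor's @ output already HTML-encodes; the trap is @Html.Raw(...), which does not,
        // and HTML encoding alone is the wrong encoder inside a script or a URL.
        return View();
    }

    // When HTML input is really wanted, [AllowHtml] switches request validation off for
    // this parameter only, so the rest of the app keeps the "A potentially dangerous
    // Request.Form value was detected" protection.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SaveBio([AllowHtml] string bio)
    {
        // White-list, not black-list: the WPL AntiXSS Sanitizer keeps a known-safe subset
        // of tags and drops scripts, event handler attributes and javascript: URLs.
        string safe = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(bio ?? "");
        TempData["Bio"] = safe;   // persist the sanitised fragment, never the raw input
        return RedirectToAction("Index");
    }
}
```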

4 – Insecure Direct Object References

Insecure direct object references – what is it?

www.mysite.com/user/edit/12345

// Insecure
public ActionResult Edit(int id)
{
    var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
    return View("Details", new UserViewModel(user));
}

// Secure
public ActionResult Edit(int id)
{
    var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
    // Establish user has right to edit the details
    if (user.Id != UserIdentity.GetUserId())
    {
        // HandleErrorInfo takes the exception plus the controller and action names
        HandleErrorInfo error = new HandleErrorInfo(
            new Exception("INFO: You do not have permission to edit these details"), "User", "Edit");
        return View("Error", error);
    }
    return View("Edit", new UserViewModel(user));
}

Insecure direct object references - Examples

- Immobilise, Jan 2015
- Citigroup, 2011 – 200,000 customer details exposed

Insecure direct object references - Countermeasures

- Check the user has permission to see a resource
- Don't expose internal keys externally
- Map keys to user specific temporary non-guessable ones to prevent brute force

Frequently overlooked:
- Ajax calls
- Obfuscation of paths does not work
- Passing sensitive data in URLs

SecurityEssentials.sln User edit

5 – Security Misconfiguration

Security Misconfiguration – What is it?

Unnecessary features enabled e.g. FTP, SMTP on a web server, ports opened

Default accounts and passwords still enabled and unchanged

Errors reveal internal implementation e.g. Trace.axd

Security Misconfiguration - Examples

- Webcams, Nov 2014
- Secure Elmah – Google: inurl:elmah.axd "error log for"

Security Misconfiguration - Countermeasures

- Encrypt connection string
- Server retail mode
- Ensure application is set for production – automate using MVC config transforms
- SecurityEssentials.sln web.config

6 – Sensitive Data Exposure

Sensitive Data exposure – What is it?

- Email addresses
- Contents of emails
- Passwords
- Auth token
- Credit card details
- Private pictures

Sensitive Data exposure - Examples

- Snapchat, Jan 2014 – phone number upload feature brute forced
- Tunisian ISP – login pages for Gmail, Yahoo, and Facebook – pulls the username and password, and encodes it with a weak cryptographic algorithm
- Wifi Pineapple – https://www.youtube.com/watch?v=mf5ipnmvDxE

Sensitive Data exposure - Countermeasures

- Use and enforce SSL/TLS – [RequireHttps] – www.startssl.com
- Google: "SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead."
- Encrypt sensitive data in storage
- Disclosure via URL
- Browser auto-complete
- Don't store it! e.g. CVV code
- SecurityEssentials: forcing SSL, HSTS header, prevent server information disclosure, web.config
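Forcing SSL, sending the HSTS header and suppressing server information headers from Global.asax, as an added example (not SecurityEssentials' web.config or code). Assumes ASP.NET MVC 5 under IIS integrated pipeline; the max-age value is an assumption.

```csharp
using System.Web;
using System.Web.Mvc;

// Global.asax code-behind: force TLS, add HSTS, and stop the server advertising
// its platform and version in response headers.
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Every controller requires HTTPS: http:// GETs are redirected to https://,
        // other http:// requests are rejected, so no action can be forgotten.
        GlobalFilters.Filters.Add(new RequireHttpsAttribute());
        // Drops the X-AspNetMvc-Version header
        MvcHandler.DisableMvcResponseHeader = true;
    }

    protected void Application_BeginRequest()
    {
        // HSTS: the browser remembers for a year (assumed value) to use TLS for this
        // host and its subdomains, so a later http:// link cannot be intercepted before
        // the redirect. Only sent on HTTPS responses, as the RFC requires.
        if (Request.IsSecureConnection)
            Response.AppendHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
    }

    protected void Application_PreSendRequestHeaders()
    {
        // Needs IIS integrated pipeline. X-AspNet-Version is switched off in web.config
        // with <httpRuntime enableVersionHeader="false" /> and X-Powered-By with
        // <customHeaders><remove name="X-Powered-By" /></customHeaders>.
        Response.Headers.Remove("Server");
    }
}
```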

7 – Missing Function Level Access Control

Missing Function Level Access Control – What is it?

Checking the user has permission to be there: www.mysite.com/admin (requires admin role!)

Missing Function Level Access Control - Countermeasures

- Path level in web.config
- Method level attribute e.g. [Authorize(Roles="Admin")]
- Controller level Authorize attribute
- Any point in code using identity features in .NET: System.Web.Security.Roles.IsUserInRole(userName, roleName)
- Use [NonAction]
- Don't show links on UI to unauthorised functions
- Don't make server side checks depend solely on information provided by the attacker
- Obfuscating links is no protection
- Least Privilege
- SecurityEssentials.sln unit tests

8 – Cross Site Request Forgery

Cross-Site request forgery - What is it?

Attacker sends malicious link, e.g. <img src="www.mysite.com/logoff" />
Requires the victim to be logged on

Cross-Site request forgery - Examples

- TP-Link routers, Mar 2014 – 300,000 routers reprogrammed, DNS servers changed; exploit known for over a year
- Brazil 2011 – 4.5m DSL routers reprogrammed

Cross-Site request forgery - Countermeasures

Exploits predictable patterns; tokens add randomness to the request

@Html.AntiForgeryToken() renders:
<input name="__RequestVerificationToken" type="hidden" value="NVGfno5qe...... .......yYCzLBc1" />

- Anti-forgery token: [ValidateAntiForgeryToken]
- NB: Ajax calls
- ASP.Net web forms
- SecurityEssentials (controller and ajax)
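The "NB: Ajax calls" point worked through: [ValidateAntiForgeryToken] only reads the form field, so an AJAX post that carries the token in a header needs its own filter. Added example, not SecurityEssentials' own ajax handling; assumes ASP.NET MVC 5 with System.Web.Helpers, and the header name and controller are made up.

```csharp
using System;
using System.Net;
using System.Web.Helpers;
using System.Web.Mvc;

// Validates the anti-forgery token on AJAX requests, where the token arrives in a
// request header instead of a form field (so [ValidateAntiForgeryToken] never sees it).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        // Cookie half of the token pair, set when @Html.AntiForgeryToken() rendered the page
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        // Form half, copied by the client script from the hidden input into a header
        string headerToken = request.Headers["__RequestVerificationToken"];
        try
        {
            // Checks both halves match and were issued to the current user
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (System.Web.Helpers.HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Anti-forgery token invalid");
        }
    }
}

public class ProfileController : Controller
{
    // Client side (jQuery), reading the token rendered by @Html.AntiForgeryToken():
    //   var token = $('input[name="__RequestVerificationToken"]').val();
    //   $.ajax({ url: '/Profile/UpdateDisplayName', type: 'POST',
    //            headers: { '__RequestVerificationToken': token },
    //            data: { displayName: 'New name' } });
    [HttpPost, Authorize, ValidateAjaxAntiForgeryToken]
    public ActionResult UpdateDisplayName(string displayName)
    {
        // A state-changing call, scoped to the logged-on user, never to an id from the request
        TempData["DisplayName:" + User.Identity.Name] = displayName;
        return Json(new { ok = true, displayName = displayName });
    }
}
```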

9 - Using components with known vulnerabilities

Case Study: WordPress, 2013
- 3 year old admin module
- 10s of thousands of sites affected
- No brute force protection

Possible effects:
- Circumvent access controls
- SQL Injection, XSS, CSRF
- Vulnerable to brute force login

Countermeasures:
- NuGet – keep updated
- Apply Windows Update
- SecurityEssentials.sln NuGet

10 - Unvalidated redirects and forwards – What is it?

- Attacker presents victim with an (obfuscated) URL e.g. https://www.trustedsite.com/signin?ReturnUrl=http://www.nastysite.com/
- User logs into safe, trusted site
- Redirects to nasty site, malicious content returned
- Any redirecting URL is vulnerable
- MVC3 vulnerable

Unvalidated redirects and forwards - Countermeasures

MVC4 problem solved (for login):
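The MVC4-style login fix and a host allow-list for redirects that must leave the site, as an added example (not code from the talk). ASP.NET MVC 4/5 with the forms Membership provider is assumed; the allowed hosts are placeholders.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToLocal(returnUrl);
    }

    // The MVC4 template's fix: follow ReturnUrl only when it is a path on this site.
    // Url.IsLocalUrl rejects absolute URLs (http://www.nastysite.com/), protocol-relative
    // ones (//www.nastysite.com) and backslash variants (/\www.nastysite.com).
    ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // For redirects that legitimately leave the site, validate the target host against an
    // explicit allow-list; anything else goes to the home page instead.
    static readonly string[] AllowedHosts = { "www.trustedsite.com", "help.trustedsite.com" }; // assumed

    public ActionResult External(string target)
    {
        Uri uri;
        bool ok = Uri.TryCreate(target, UriKind.Absolute, out uri)
                  && (uri.Scheme == Uri.UriSchemeHttps || uri.Scheme == Uri.UriSchemeHttp)
                  && Array.IndexOf(AllowedHosts, uri.Host.ToLowerInvariant()) >= 0;
        return ok ? (ActionResult)Redirect(uri.AbsoluteUri) : RedirectToAction("Index", "Home");
    }
}
```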

Form Overposting – What is it?

[HttpPost]
public ViewResult Edit(User user)
{
    TryUpdateModel( …
}

[HttpPost]
public ViewResult Edit([Bind(Include = "FirstName")] User user)
{
    TryUpdateModel( … , propertiesToUpdate, …
}
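The slide's [Bind(Include)] fix completed, beside the view-model approach that makes the same mistake impossible, as an added example (not SecurityEssentials code). Assumes ASP.NET MVC 5; AppUser, IUserRepository and the IsAdmin property are hypothetical.

```csharp
using System.Web.Mvc;

public class AppUser
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string FirstName { get; set; }
    public bool IsAdmin { get; set; }          // must never be settable from a request
}

// Only the fields the edit form is allowed to change
public class EditUserViewModel { public string FirstName { get; set; } }

public interface IUserRepository { AppUser Get(int id); void Save(AppUser user); }   // hypothetical

public class UserController : Controller
{
    readonly IUserRepository _repo;
    public UserController(IUserRepository repo) { _repo = repo; }

    // Overposting: with a plain Edit(AppUser user) the model binder sets every public
    // property it finds in the request, so a posted IsAdmin=true promotes the caller.
    // Fix 1 (the slide's): an explicit whitelist of bindable properties.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditWithBind(int id, [Bind(Include = "FirstName")] AppUser posted)
    {
        AppUser user = _repo.Get(id);
        if (user == null) return HttpNotFound();
        user.FirstName = posted.FirstName;     // posted.IsAdmin is always default(false) and ignored
        _repo.Save(user);
        return RedirectToAction("Details", new { id });
    }

    // Fix 2: bind to a view model that only has editable fields and copy them onto the
    // entity loaded from the database, after the ownership check from section 4.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, EditUserViewModel model)
    {
        AppUser user = _repo.Get(id);
        if (user == null) return HttpNotFound();
        if (user.UserName != User.Identity.Name)
            return new HttpStatusCodeResult(403, "You do not have permission to edit these details");
        user.FirstName = model.FirstName;      // IsAdmin is unreachable from the request
        _repo.Save(user);
        return RedirectToAction("Details", new { id });
    }
}
```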

Securing your site – Code Cheat sheet (1)

- Don't trust your users!
- Use an ORM
- Use a strong account management process
- Captcha/throttling
- Defeat account enumeration
- Hash passwords, encrypt data
- Least Privilege
- Use and enforce SSL
- Encode all output
- Secure direct object references
- [Authorize]/[Authorize(Roles="")] users
- Conceal errors and trace
- Use antiforgery tokens

Securing your site – Code Cheat sheet (2)

- Keep components up to date
- Validate redirects
- Form overposting
- DDOS
- Headers
- Train staff in social engineering

...and once on the server

- Apply a good SSL policy on the server: https://www.ssllabs.com/projects/best-practices/ – Poodle
- Encrypt the connection string on the production server
- Enable retail mode on the production server
- Patch the server
- Run www.asafaweb.com on your site to check security standards are enforced

Further Resources

- OWASP Top 10
- Pluralsight courses
- CEH Certification
- ZdNet
- Security Now Podcast

Summary

- Hacks have been increasing in number and sophistication
- OWASP Top 10
- Specific solutions in Mvc

Any Questions?
