appsec 101 - eivind arvesen
TRANSCRIPT
AppSec 101Eivind Arvesen
Bouvet
AppSec 101Eivind Arvesen
Bouvet
Outline
o Introductiono Motivationo Most critical web application security riskso Resources
Be problem-oriented
Introduction 🖐
Who am I?
o Eivind Arvesen, M.Sc.o Bouvet since summer 2017o Consultant
o Developero Architect
o Leader in subject groups:o Securityo Agile (Lean and DevOps)
Who am I?
o Hobby-writer and -arguer💩
Security 🔐
Security
Information Security (InfoSec)Protecting information, hardware software and privacy against people, accidents and programs.
Security
Application Security (AppSec)Developing, adding and testing security features in applications in order to avoid security risks.
Motivation 🏁
Why do we care?
o Software is (still) eating the worldo Major criseso Can become huge problems for userso Laws and regulations (compliance)
o GDPRo Good craftmanship
Why do we care?
o Democratization of tools (and information)o … even kids can do it –
and they do!o Examples in Norge
Typical Vulnerabilities 💻
OWASP
The Open Web Application Security Project
Community-driven non-profit produces freely available resources such as:• Articles• Methodologies• Documentation• Tools• Technologies
«The Ten Most Critical Web Application Security Risks.»
OWASP Top-10 (2017)
OWASP Top-10 (2017)
1. Injection2. Broken Authentication 3. Sensitive Data Exposure4. XML External Entities (XXE)5. Broken Access Control6. Security Misconfiguration7. Cross-Site Scripting (XSS)8. Insecure Deserialization9. Using Components with Known Vulnerabilities10.Insufficient Logging & Monitoring
1. Injection«Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a
command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing
data without proper authorization.»
Example: SQL-query using untrusted data
String query = "SELECT * FROM accounts WHERE customerID = '" + request.getParameter("id") + "'";
1. Injection
http://example.com/app/accountView?id=’or’1’=’1
… returns all rows of the table in question
1. Injection
1. Injection
Prevention:o Use a safe API (avoiding the use of the
interpreter), parameterized queries, Object Relational Mapping Tools (ORMs), etc.
o White list input validation (server-side).o Character-escaping for any residual dynamic
queries, using interpreter-specific escape syntax.
o Use LIMIT and similar controls to avoid mass disclosure of records in case of SQL injection.
1. Injection
2. Broken Authentication«Application functions related to authentication and session
management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or
to exploit other implementation flaws to assume other users’ identities temporarily or permanently.»
Examples:o Permits automated attacks, such as credential stuffingo Permits brute force attackso Permits default, weak, or well-known passwords, such as "Password1" or
"admin/admin“o Uses weak or ineffective credential recovery and forgot-password
processeso Uses plain text, encrypted, or weakly hashed passwordso Has missing or ineffective multi-factor authenticationo Exposes Session IDs in the URLo Does not rotate Session IDs after successful logino Does not properly invalidate Session ID during logout or when inactive
2. Broken Authentication
2. Broken Authentication
2. Broken Authentication
Prevention:o Implement multi-factor authenticationo Don’t use default credentials (admin users in particular) o Implement weak-password checks (matche against known
weak or compromised ones)o Align password length, complexity and rotation policies with
modern evidence-based policieso Harden registration, credential recovery, and API pathways
against account enumeration by using same message for all outcomes
o Limit (or increasingly delay) failed login attempts; Log failures and alert admins when attacks are detected
o Use proper (server-side) session-handling management
2. Broken Authentication
3. Sensitive Data Exposure«Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or
modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.»
3. Sensitive Data Exposure
Examples of sensitive data:o Passwordso Credit card informationo Credentialso Personnummero Health recordso Personally Identifiable
Informationo Other personal information
3. Sensitive Data Exposure
3. Sensitive Data Exposure
Prevention:o Identify and classify your datao Don’t store date you don’t needo Encrypt all sensitive data «at rest» / in storageo Encrypt all traffic «in transit» / on the wireo Use strong algorithms, protocols, and keys – handle these
safelyo Don’t cache responses that contain sensitive datao Store passwords using strong, salted hashing with a «work-
factor» (delay factor)
3. Sensitive Data Exposure
4. XML External Entities (XXE)«Many older or poorly configured XML processors evaluate external entity references within XML documents. External
entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code
execution, and denial of service attacks.»
4. XML External Entities (XXE)
Example: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
4. XML External Entities (XXE)
Prevention:o Use less complex data formats (JSON?), if possible; avoid
serialization of sensitive datao Patch/upgrade all XML-processors and -libraries; Update
SOAP to >= 1.2o Disable XXE and DTD-processing in XML-parserso Implement whitelisting (server-side) validation, sanitation or
filtering to prevent hostile datao Verify that XML/XSL uploads are validated using XSD or
similar
5. Broken Access Control«Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’
data, change access rights, etc.»
Examples of access:o Access to admin panelo Access to server via FTP / SFTP / SSHo Access to other applications on servero Access to database
5. Broken Access Control
5. Broken Access Control
Example:
http://example.com/app/accountInfo?acct=myacct
http://example.com/app/accountInfo?acct=notmyacct
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
Prevention:o Deny access by default, unless it’s a public resourceo Implement control mechanisms once and re-use them, including minimizing
CORSo Model access controls should enforce record ownership; users should only be
able to CRUD data that belongs to themo Enforce business limit requirements in domain modelso Disable web server directory listing; ensure file metadata and backups are not
presento Log access control failures, alert admins on repeated failures, etc.o Rate limit APIs and and control access (make automated attacks more difficult)o Invalidate JWT-tokens (server-side) after logout
5. Broken Access Control
Let’s take a breather 🌬
How Hacking Works
Back to Business 😈
6. Security Misconfiguration«Security misconfiguration is the most commonly seen issue. This is
commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be
securely configured, but they must be patched and upgraded in a timely fashion.»
6. Security Misconfiguration
Examples:o Application server comes with
sample applications that are not removed
o Directory listing is not disabledo Server configuration allows
detailed error messages (e.g. stack traces)
o Public-by-default cloud service provider storage permissions
6. Security Misconfiguration
Many possible sources of error…o Networko Platformo Web servero Application servero Databaseo Frameworko Custom kodeo Pre-installed Virtual Machineso Containerso Storage
6. Security Misconfiguration
Prevention:o Implement a repeatable hardening
process, e.g. a reproducible, locked down environment
o A minimal platform without components you don’t use; remove unused features and frameworks
o Review and update configs appropriate to all security notes, updates and patches
o Segmented architecture, providing separation between components or tenants
o Implementing Security Headerso Automated verification of configurations
«Layered security»
7. Cross-Site Scripting (XSS)«XSS flaws occur whenever an application includes untrusted data
in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API
that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user
sessions, deface web sites, or redirect the user to malicious sites.»
7. Cross-Site Scripting (XSS)
Examples:o Reflected XSS
o App or API includes unvalidated/unescaped user input as part of (HTML) output
o Stored XSSo App or API stores unsanitized user input
that is viewed later by another user/admino DOM XSS
o SPA or API dynamically includes attacker-controllable data in DOM (via unsafe JS-APIs)
7. Cross-Site Scripting (XSS)
Prevention:o Use frameworks that escape XSS – but know their limits!o Escape untrusted HTTP request data based on the
context in the HTML output (body, attribute, JS, CSS, or URL)
o Applying context-sensitive encoding when modifying the browser document on the client side; otherwise apply context sensitive escaping techniques to browser APIs
o Enabling Content Security Policy (CSP) mitigates all but local file include-based XSS
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization«Insecure deserialization often leads to remote code execution.
Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay
attacks, injection attacks, and privilege escalation attacks.»
8. Insecure Deserialization
Explained:o Sending a bytestring-
representation of data/code back and forth between server and client
Illustrasjon: Wikimedia Commons
8. Insecure Deserialization
Example:o User logs in to a PHP-based site, which sets user state in a
«super-token»(client-side)a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";
i:3;s:32:»b6a8b3bea87fe0e05022f8f3c88bc960";}
o Attacker changes role from «user» to «admin»a:4:{i:0;i:1;i:1;s:5:»Alice";i:2;s:5:"admin";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
8. Insecure Deserialization
Prevention:o Don’t use serialized objects (from untrusted sources) if you can help ito Implement integrity checks (e.g. signatures) on all serialized objectso Enforce strict type constraints during deserialization (before object
creation)o Isolating and running code that deserializes in low privilege environments o Log all deserialization-related exceptions and failureso Restrict and monitor network connectivity from containers or servers that
deserialize o Monitoring deserialization, alerting if a user deserializes constantly
9. Using Components with Known Vulnerabilities
«Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a
vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using
components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.»
9. Using Components with Known Vulnerabilities
Examples:o Not knowing the versions of your
dependencies (and their dependencies)o Vulnerable, unsupported or out of date
software, e.g. OSes, web servers, databases, APIs, libraries
o Not scanning for vulnerabilitieso Not fixing or upgrading the underlying
platform, frameworks and dependencies (typically under slow change-control)
o Not testing compatibility of updated, upgraded, or patched libraries
o Not securing component configurations
9. Using Components with Known Vulnerabilities
Prevention:o Remove unused dependencies,
unnecessary features, components, files, and documentation
o Inventory all components and their dependencieso Versions, DependencyCheck, retire.js,
Snyko Cross-reference CVE and NVD
o Only obtain components from official sources over secure links; Use signed packages
o Monitor for unmaintained libraries
10. Insufficient Logging & Monitoring
«Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to
further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.»
10. Insufficient Logging & Monitoring
Example:o An attacker uses scans for users using a common password.
They can take over all accounts using this password. For all other users, this scan leaves only one false login behind. After some days, this may be repeated with a different password.
o Since there is no logging, no one sees any warning signs, and can’t follow up on the ongoing attack.
10. Insufficient Logging & Monitoring
Prevention:o Ensure all login, access control failures, and
server-side input validation errors are logged (with sufficient context) and held for sufficient time
o Log in a format that can be consumed by a centralized log management solution
o Ensure high-value transactions have an audit trail with integrity controls (append-only DB)
o Establish monitoring and alerting, so that suspicious activities are detected and responded to
o Establish or adopt an incident response and recovery plan
(Bonus) 🎰
«Latest» from Vegas
Outlook authentication bypass
o Possible to avoid authentication via unsigned JSON Web Token
o Get any user’s email on Outlook Web under «new UI»
HTTP Request Smuggling (HTTP Desync Attack)
o Splice into somebody else’s request!
Illustration: PortSwigger
HTTP Request Smuggling (HTTP Desync Attack)
Illustration: PortSwigger
Adventures In Smart Buttplug Penetration (testing)
Illustration: smea's DEF CON-presentation
Adventures In Smart Buttplug Penetration (testing)
Illustration: smea's DEF CON-presentation
Adventures In Smart Buttplug Penetration (testing)
Illustration: smea's DEF CON-presentation
Adventures In Smart Buttplug Penetration (testing)
Illustration: smea's DEF CON-presentation
Adventures In Smart Buttplug Penetration (testing)
Illustration: smea's DEF CON-presentation
Adventures In Smart Buttplug Penetration (testing)
o Usual state of security (or lack thereof) in IoT…
o Inject code on a remote client (PC) from a malicious buttplug!
Internet of Shit™
Wanna learn more? 👩💻👨💻
Resources
o Top 10o Proactive Controls o Application Security
Verification Standard (ASVS)o Code Review Guideo Software Assurance Maturity
Model (SAMM)o Testing Projecto CVE / NVD
Tools
o Have I Been Pwnedo OWASP Dependency Checko SonarQubeo JFrog Xrayo Snyko Qualyso OWASP ZAPo Burp Suite
Practice
o OWASPo Webgoato Juiceshop
o CTFso Pico CTFo pwnable.kro OverTheWireo SmashTheStacko TG Hacko HackTheBox
Thanks! 👾