common webapp vulnerabilities and what to do about them
TRANSCRIPT
QUALITY. PRODUCTIVITY. INNOVATION.
endava.com
Common Web Security Threats... and what to do about them
Eoin Woods, Endava
Introductions
Eoin Woods
• CTO at Endava
• Career has spanned products and applications
• Architecture and software engineering
• Bull, Sybase, InterTrust
• BGI (Barclays) and UBS
• Long-time security dabbler
• Increasingly concerned at cyber threat for "normal" systems
Content
Introducing Web Security Threats
The OWASP Web Vulnerabilities List
Useful Tools to Know About
Reviewing Defences
Summary
Web Security Threats
We need systems that are dependable in the face of
• Malice
• Error
• Mischance
People are sometimes bad, stupid or just unlucky
System security aims to mitigate these situations
Web Security Threats
System threats are similar to real-world threats:
• Theft
• Fraud
• Destruction
• Disruption
Anything of value may attract unwelcome attention
"I rob banks because that's where the money is" - Willie Sutton
Web Security Threats
Why do we care about these threats?
• A threat is a risk of a loss of some sort
Common types of loss are:
• Time
• Money
• Privacy
• Reputation
• Advantage
Web Security Threats
Security today mitigates tomorrow's threat
Digital channels demand web security
• System interfaces on the Internet
• Introspection of APIs
• Attacks being "weaponised"
• Today's internal app is tomorrow's "digital channel"
Who are OWASP?
The Open Web Application Security Project
• Largely volunteer organisation, largely online
Exists to improve the state of software security
• Research, tools, guidance, standards
• Runs local chapters for face-to-face meetings (UK has 10+)
"OWASP Top 10" project lists top application security risks
• Referenced widely by MITRE, PCI DSS and similar
• Updated every few years (2003, 2004, 2007, 2010, 2013)
Other Selected Security Organisations
MITRE Corporation
• Common Vulnerabilities and Exposures (CVE)
• Common Weaknesses Enumeration (CWE)
SAFECode
• Fundamental Practices for Secure Software Development
• Training
There are a lot of others too (CPNI, CERT, CIS, ISSA, ...)
OWASP Top 10 - 2013
#1 Injection Attacks
#2 Authentication and Session Management
#3 Cross Site Scripting (XSS)
#4 Direct Object Reference
#5 Security Misconfiguration
#6 Sensitive Data Exposure
#7 Function Level Access Control
#8 Cross Site Request Forgery (CSRF)
#9 Component Vulnerabilities
#10 Unvalidated Redirects and Forwards
These may look "obvious" but appear on the list year after year, based on real vulnerability databases!
#1 Injection Attacks
Unvalidated input passed to an interpreter
• Operating system and SQL are most common
Defences include "escaping" inputs, bind variables, using whitelists, ...
SELECT * FROM table1 WHERE name = '%1'
Set %1 to ' OR 1=1 -- ... this results in this query:
SELECT * FROM table1 WHERE name = '' OR 1=1 --
#2 Broken Authentication or Session Management
• HTTP is stateless - some sort of credential sent every time
• Credential on non-TLS connection can be tampered with
• Session ID often displayed but can be used as login details
• Defences are strong authentication and session management controls
(Slide illustration: two example session IDs, a5f3dd56ff32 and a5f3dd56ee33)
#3 Cross Site Scripting
• Occurs when script is injected into a user's web page
• Reflected attack - crafted link in email, ...
• Persistent attack - database records, site postings, activity listings
• Allows redirection, session data stealing, page corruption, ...
• Defences include validation and escaping on the server side
http://www.veracode.com/security/xss
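As an added example (not from the talk or the linked page), the server-side escaping defence applied to a stored posting: each untrusted value is escaped for the context it lands in (HTML text, HTML attribute, or a link), and link targets are checked against an allow-list of schemes so that script-carrying URLs cannot be planted. The post content and function names are constructed for the example; only Python's standard library is used.

```python
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}   # allow-list: anything else (javascript:, data:, ...) is refused


def escape_html_text(value):
    # Text node context: < > & must not be interpreted as markup.
    return html.escape(value, quote=False)


def escape_html_attr(value):
    # Attribute context: quotes must also be escaped, or the value can close the attribute.
    return html.escape(value, quote=True)


def safe_href(url):
    # Link context: escaping alone is not enough, the scheme itself must be allowed.
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_post(author, body, homepage):
    # Render a stored posting (persistent XSS scenario) on the server side.
    return ('<div class="post" data-author="{a}">'
            '<a href="{h}">{at}</a>: {b}</div>').format(
        a=escape_html_attr(author),
        h=safe_href(homepage),
        at=escape_html_text(author),
        b=escape_html_text(body))


if __name__ == "__main__":
    # Constructed hostile posting: script in the body, a script URL as the homepage.
    print(render_post('mallory" onmouseover="x', "<script>alert(1)</script>", "javascript:alert(1)"))
```

Validation on input (length, character set) is still worthwhile, but escaping on output is what guarantees the browser sees the data as data whatever route it took into the database.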
#4 Insecure Direct Object Refs
Directly referencing file names, IDs and similar in requests
• Not authenticating access to each on the server
• e.g. relying on limited list of options returned to client
• Client can modify request and gain access to other objects
Defences include using pseudo-references on client and authenticating all object accesses
http://mysite.com/view?id=file1.txt
... how about: http://mysite.com/view?id=../robots.txt ??
#5 Security Misconfiguration
Security configuration is often complicated
• Many different places to put it, complex semantics
• Layers from OS to application all need to be consistent
It is easy to accidentally miss an important part
• OS file permissions?
• .htaccess files?
• Shared credentials in test and production?
Allows accidental access to resources or even site modification
Mitigation via scanning, standardisation, simplicity and automation
#6 Sensitive Data Exposure
Is sensitive data secured in transit?
• TLS, message encryption
Is sensitive data secured at rest?
• Encryption, tokenisation, separation
Risks include loss of data or spoofing attacks
Mitigation via threat analysis, limiting scope, standardisation
Image credit: https://askleo.com
#7 Function Level Access Control
Relying on information sent to the client for access control
• e.g. page menu omitting "update" and "delete" option for a record
• Not checking the action (function) being performed on the server
Client can guess the right request form for the other actions
• Bypassed security model - also see #4 Insecure Object References
Never trust the client - check authorisation for every request
http://www.example.com/gettxn?txnid=4567
-> http://www.example.com/updttxn?tid=4567&value=100.00
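As an added example (not from the talk) covering both #4 and #7: a request handler for the gettxn / updttxn functions above that never trusts what the menu showed or what the client typed. Objects are exposed to the client as per-session opaque references (the "pseudo-references" of #4) rather than raw IDs, and every request is checked on the server for both the action being performed (role) and the object being touched (ownership). The transactions, roles and function names are constructed for the example.

```python
import secrets

# Constructed data: transactions with an owner, and which functions each role may call.
TRANSACTIONS = {
    4567: {"owner": "alice", "value": 50.00},
    4568: {"owner": "bob", "value": 75.00},
}
ROLE_PERMISSIONS = {"viewer": {"gettxn"}, "editor": {"gettxn", "updttxn"}}


class Session:
    def __init__(self, user, role):
        self.user, self.role = user, role
        self.ref_map = {}   # opaque token -> real transaction id, valid only in this session

    def reference_for(self, txn_id):
        # Issued when a page lists an object; the client only ever sees the token.
        token = secrets.token_urlsafe(16)
        self.ref_map[token] = txn_id
        return token


def authorise(session, function, txn_id):
    # Check the action regardless of which menu options were shown (#7)...
    if function not in ROLE_PERMISSIONS.get(session.role, set()):
        return False
    # ...and the object regardless of how it was referenced (#4).
    txn = TRANSACTIONS.get(txn_id)
    return txn is not None and txn["owner"] == session.user


def handle(session, function, params):
    txn_id = session.ref_map.get(params.get("tid"))   # guessed or foreign references resolve to nothing
    if txn_id is None or not authorise(session, function, txn_id):
        return 403, "forbidden"
    if function == "gettxn":
        return 200, TRANSACTIONS[txn_id]["value"]
    if function == "updttxn":
        TRANSACTIONS[txn_id]["value"] = float(params["value"])
        return 200, TRANSACTIONS[txn_id]["value"]
    return 404, "unknown function"


if __name__ == "__main__":
    viewer = Session("alice", "viewer")
    ref = viewer.reference_for(4567)
    print(handle(viewer, "gettxn", {"tid": ref}))                       # (200, 50.0)
    print(handle(viewer, "updttxn", {"tid": ref, "value": "100.00"}))   # (403, 'forbidden')
    print(handle(viewer, "gettxn", {"tid": "4568"}))                    # (403, 'forbidden')
```

A viewer who guesses the updttxn request form is refused on the action check; a request carrying a raw ID instead of a session reference resolves to nothing; and even a valid reference to someone else's record fails the ownership check. The two checks are deliberately independent so that a mistake in issuing references does not by itself expose data.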
#8 Cross Site Request Forgery
User triggers malicious code that submits fraudulent request using browser security context
• e.g. click a link => run JavaScript => change GitHub password
Various subtle variations on this make defence quite difficult
• How do you know it is the user?
Primary defence is the "challenge value" in pages
• Check for the latest challenge value in requests
• Add authentication steps for sensitive operations
• Keep short sessions with real logout process
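As an added example (not from the talk) serving both #2 and #8: a small server-side session store that issues unguessable session IDs, replaces the ID at login, expires idle sessions after a short interval, supports a real server-side logout, and carries a per-session "challenge value" (CSRF token) that must be returned with every state-changing request and is compared in constant time. The 15-minute idle limit, the cookie attributes and the class name are assumptions for the example; only Python's standard library is used.

```python
import hmac
import secrets
import time

SESSION_TTL = 15 * 60   # constructed policy: sessions die after 15 minutes idle


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised without waiting
        self.sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # random, never derived from user data
        self.sessions[sid] = {"user": user,
                              "last_seen": self.clock(),
                              "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, old_sid, user):
        # Issue a fresh ID at login: an ID known to the browser before
        # authentication must not become an authenticated session.
        self.sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        # Real logout: the server forgets the session; clearing the cookie alone is not enough.
        self.sessions.pop(sid, None)

    def get(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > SESSION_TTL:
            self.sessions.pop(sid)        # short sessions: idle ones are discarded
            return None
        s["last_seen"] = self.clock()
        return s

    def csrf_token(self, sid):
        # Embedded in each page that submits a state-changing request.
        s = self.get(sid)
        return s["csrf"] if s else None

    def check_csrf(self, sid, submitted):
        # The latest challenge value must come back with the request; a page
        # from another site cannot read it, so it cannot forge the request.
        s = self.get(sid)
        return bool(s) and submitted is not None and hmac.compare_digest(s["csrf"], submitted)


def cookie_header(sid):
    # Not sent over plain HTTP, not readable by script, not sent on cross-site requests.
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

The session ID is the credential sent with every request that #2 describes; keeping it random, transport-protected and short-lived, and tying the challenge value to it, is what the defences on this and the previous slide amount to in code.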
#9 Known Vulnerable Components
Many commonly used components have vulnerabilities
• See weekly US-CERT list for a frightening reality check!
• Much OSS doesn't have well-researched vulnerabilities
Few teams consider security of their 3rd party components
• And keeping everything up to date is disruptive
Consider automated scanning of 3rd party components, actively review vulnerability lists, keep components patched
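As an added example (not from the talk) of the automated scanning the slide recommends: a minimal check that reads a pinned dependency manifest and compares each component's version against an advisory feed, reporting components below the fixed version. The manifest, the package names and the advisory entries are all constructed and are not a real vulnerability database; a real scanner would pull its feed from a source such as CVE and handle richer version schemes.

```python
import re

# Constructed manifest in "name==version" form.
MANIFEST = """
httpclient==2.3.0
WebFramework==1.6.2
xmlparser==3.4.0
"""

# Constructed advisory feed: versions below "affected_below" are vulnerable.
ADVISORIES = [
    {"package": "httpclient", "affected_below": "2.4.0", "id": "EXAMPLE-0001"},
    {"package": "webframework", "affected_below": "1.6.5", "id": "EXAMPLE-0002"},
    {"package": "xmlparser", "affected_below": "3.3.0", "id": "EXAMPLE-0003"},
    {"package": "notused", "affected_below": "9.9.9", "id": "EXAMPLE-0004"},
]


def parse_version(v):
    # Dotted numeric versions compare correctly as integer tuples (1.6.10 > 1.6.2).
    return tuple(int(x) for x in v.split("."))


def parse_manifest(text):
    deps = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)   # names compared case-insensitively
    return deps


def scan(manifest_text, advisories):
    # Returns (package, pinned version, advisory id) for every affected component.
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        current = deps.get(adv["package"].lower())
        if current and parse_version(current) < parse_version(adv["affected_below"]):
            findings.append((adv["package"], current, adv["id"]))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, ver, adv_id in scan(MANIFEST, ADVISORIES):
        print(f"{pkg} {ver} is affected by {adv_id}")
```

Running this in the build pipeline turns "review the vulnerability lists" into a check that fails the build, which is the only way the review happens consistently once the list is long.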
#10 Unvalidated Redirects and Forwards
Redirecting or forwarding to targets based on parameters
Avoid using parameters for redirect or forward targets
Where parameter is needed use a key and map on server
http://www.mysite.com/selectpage?pageid=emea_home.html
-> http://…/selectpage?pageid=pishinghome.com
(Without careful validation this redirects user to malicious page)
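As an added example (not from the talk), the "key and map on server" defence for the selectpage redirect above, beside the unsafe pass-through it replaces, plus a fallback check for the cases where a site-relative path must be accepted as a parameter. The key table, the default page and the placeholder external URL are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed server-side map: the client sends a key, the server chooses the destination.
REDIRECT_TARGETS = {
    "emea_home": "/emea/home.html",
    "apac_home": "/apac/home.html",
}
DEFAULT_TARGET = "/home.html"


def redirect_unsafe(pageid):
    # The slide's vulnerable pattern: the parameter becomes the Location header as-is.
    return pageid


def redirect_by_key(pageid):
    # Unknown keys fall back to a known page instead of going wherever the link said.
    return REDIRECT_TARGETS.get(pageid, DEFAULT_TARGET)


def redirect_local_only(target):
    # Where a path parameter is unavoidable: accept only site-relative paths.
    # Reject a scheme, a host, protocol-relative "//host" and backslashes
    # (which some browsers treat as forward slashes).
    parts = urlsplit(target)
    if (parts.scheme or parts.netloc or "\\" in target
            or not target.startswith("/") or target.startswith("//")):
        return DEFAULT_TARGET
    return target


if __name__ == "__main__":
    external = "http://phishing.example/"   # placeholder for the slide's malicious page
    print(redirect_unsafe(external))        # goes off-site
    print(redirect_by_key(external))        # /home.html
    print(redirect_by_key("emea_home"))     # /emea/home.html
    print(redirect_local_only("//phishing.example/login"))   # /home.html
```

The key map is preferable because the set of destinations is then reviewable in one place; the path check exists only for the residual cases and shows how many forms an "external" target can take.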
Summary of Attack Vector Types
Interpreter injections
• Operating system, SQL, ...
Page injections
• HTML, XSS (JavaScript)
Lack of validation
• trusting client-side restrictions
• allowing session IDs and cookies to be reused
• not checking input fields thoroughly
• parameter values directly in pages and links
Missing data protection
• data loss, spoofing, man in the middle, ...
Platform
• configuration mistakes, vulnerabilities, complexity
Mutillidae
• Deliberately insecure LAMP web application
• So run in a VM!
• Provides examples of the OWASP Top 10 in action
• Use it to explore and understand them
www.irongeek.com http://sourceforge.net/projects/mutillidae/
Burp Suite
• Commercial proxy, scanning, pentest tool
• Very capable free version available
• Inspect traffic, manipulate headers and content, ...
• Made in Knutsford!
http://portswigger.net/burp
Browser and Proxy Switcher
• Chrome and SwitchySharp or other similar pairing
• Allows easy switching of proxy server to Burp Suite
SQLMap
• Automated SQL injection and database pentest tool
• Open source Python-based command line tool
• Frighteningly effective!
http://sqlmap.org
Sonatype Component Lifecycle Manager
• Commercial tool suite with online database
• Scans build pipelines for component security vulnerabilities
• Alerts and dashboards for monitoring
http://www.sonatype.com/nexus
Black Duck Hub
• Commercial tool and database for open source security, audit & compliance
• Scans build pipelines looking for open source with known vulnerabilities
• Alerts and dashboards for monitoring
https://www.blackducksoftware.com
An Example Multi-Step Attack - Impersonation
Attacks rarely use just one vulnerability
1. SQL injection -> user list obtained
2. Persistent XSS achieved
3. XSS script executed
4. Steal browser state -> sessions etc. saved
Key Web Vulnerability Defences
Don't trust clients (browsers)
• Validation, authorisation, ...
Identify "interpreters", escape inputs, use bind variables, ...
• Command lines, web pages, database queries, ...
Protect valuable information at rest and in transit
• Use encryption judiciously
Simplicity
• Verify configuration and correctness
Standardise and automate
• Force consistency, avoid configuration errors
Don't Trust Clients
Be wary when trusting anything from a browser
• You don't control it
• Sophisticated code execution (& injection) platform
• Output can be manipulated
Assume or prevent tampering
• TLS connections to avoid 3rd party interception
• Short-lived sessions
• Reauthenticate regularly & before sensitive operations
• Consider multi-factor authentication
• Use opaque tokens not real object references for params
• Validate everything
Watch out for injection
Many pieces of software act as interpreters
• Browser for HTML and JavaScript
• Operating system shells - system("mv $1 $2")
• Databases - query languages
• Configuration files
Assume that someone will work it out!
• Avoid creating commands using string manipulation
• Use libraries and bind variables
• Escape all strings being passed to an "interpreter"
• Use a third-party "escaping" library (e.g. OWASP)
• Reject excessively long strings (e.g. username > 30 char)
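As an added example (not from the talk), the system("mv $1 $2") case above done the way the slide advises: inputs are checked against an allow-list pattern with a length limit, and the command is passed to the operating system as an argument list with no shell in between, so each value is exactly one argument and is never re-parsed. The 64-character limit, the base directory handling and the function names are assumptions for the example; the safe version invokes the system's mv through subprocess, which is assumed to be available.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Allow-list: a plain file name, starting with a letter or digit, at most 64 characters.
# No path separators, no shell metacharacters, no leading "-" (which mv would read as an option).
NAME_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_name(name):
    # Reject rather than escape: the allow-list is the whole policy.
    if not NAME_PATTERN.match(name) or ".." in name:
        raise ValueError("invalid file name: %r" % name)
    return name


def is_valid_name(name):
    try:
        validate_name(name)
        return True
    except ValueError:
        return False


def move_command_unsafe(base, src, dst):
    # The slide's pattern: the inputs are pasted into a shell command line. Returned,
    # not executed, only to show what the shell would be asked to parse.
    return "mv %s/%s %s/%s" % (base, src, base, dst)


def move_safe(base, src, dst):
    base = Path(base).resolve()
    src_path = base / validate_name(src)
    dst_path = base / validate_name(dst)
    # argv list, shell=False: no interpreter sees these strings, so nothing to escape.
    subprocess.run(["mv", "--", str(src_path), str(dst_path)], check=True, shell=False)
    return dst_path.exists() and not src_path.exists()


def demo_in_tempdir():
    # Self-contained check: create a file in a temporary directory and move it safely.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "report.txt").write_text("data")
        return move_safe(d, "report.txt", "report.bak")


if __name__ == "__main__":
    print(move_command_unsafe("/data", "a.txt", "b.txt"))   # shown for contrast only
    print(demo_in_tempdir())                                  # True
```

Where possible the interpreter is removed entirely (here a library call such as shutil.move would do the same job with no process at all); where a command must be run, the argument list is the equivalent of a bind variable for the shell.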
Protect Valuable Information
Defence in depth - assume perimeter breach
• Encrypt messaging as standard
• Consider database encryption
• Consider file or filesystem encryption
However encryption complicates using the data
• Slows everything down
• Can you query while encrypted?
• Message routing on sensitive fields (in headers)
• How do you manage and rotate the keys?
• What about restore on disaster recovery?
Image credits: http://getacoder.com, http://slate.com
Simplicity & Standardisation
Complexity is the enemy of security
• "You can't secure what you don't understand" - Schneier
• Special cases will be forgotten
Simplify, standardise and automate
• Simpler things are easier to check and secure
• Standardising an approach means there are no special cases to forget to handle
• Automation eliminates human inconsistencies from the process, so avoiding a type of risk
Image credit: http://innovationmanagement.se/
Summary
Much of the technology we use is inherently insecure
• Mitigation needs to be part of application development
Attacking systems is becoming industrialised
• Digital transformation is providing more valuable, insecure targets
Fundamental attack vectors appear again and again
• Injection, interception, page manipulation, validation, configuration, ...
Most real attacks exploit a series of vulnerabilities
• Each vulnerability may not look serious; the combination is
Most mitigations are not difficult but need to be applied consistently
• ... and may conflict with other desirable qualities