shiny, let’s be bad guys: exploiting and mitigating the top 10 web app vulnerabilities
![Page 1: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/1.jpg)
Text
Shiny, Let’s Be Bad Guys!
Exploiting and Mitigating the Top 10 Web App Vulnerabilities
Mike Pirnat - @mpirnat
David Stanek - @dstanek
Announcements
Schedule & Lunch
• This session will run 9:00 AM - 12:20 PM
• 20-minute break at 10:50 AM
• Lunch 12:20 PM - 1:20 PM
• Lunch moved to Exhibit Hall D
Volunteering Opportunities
• Low-commitment! Fun!
• SWAG bagging: Thursday 4-8 PM
• Just do 10 bags! (~1/2 hr)
• Registration Desk: any time
• 1-2 hours helps
• Friday => meet everyone!
Volunteering Info
• Current needs: http://bit.ly/pycon-volunteering-status
• More information: http://bit.ly/pycon2013-volunteer
Tutorial Feedback
• Go here: https://www.surveymonkey.com/s/pycon2013_tutorials or https://goo.gl/PvHDc
• Be honest!
Q: Who here has vulnerable apps?
Why it Matters
• Your users
• Your data
• Your business
OWASP
• http://www.owasp.org
• Open Web Application Security Project
• Non-profit focused on improving software security
• Documentation and tools to help learn about security and protect your apps
OWASP Top Ten
• Based on risk data from 8 firms
• Over 500,000 vulnerabilities, hundreds of orgs, thousands of apps
• Selected & prioritized by prevalence data combined with estimates of exploitability, detectability, and impact
• Recently updated for 2013!
Today
• Background on a type of vulnerability
• Exploit it!
• Discuss prevention
• Django-specific advice where possible
Disclaimer
Setup: 1
Make a virtualenv:
$ virtualenv badguys
$ cd badguys
$ source bin/activate
Setup: 2
Clone our repository:
$ git clone https://github.com/mpirnat/lets-be-bad-guys src
Or pull the latest changes:
$ cd src
$ git pull
Setup: 3
Install dependencies:
$ cd src
$ pip install -r requirements.txt
Setup: 2 & 3 (Offline/USB)
• Extract the project:
$ mkdir src
$ unzip /Volumes/BADGUYS/project/badguys.zip -d src/
• Install dependencies:
$ cd src
$ pip install -r requirements.txt -i file:///Volumes/BADGUYS/software
Setup: 4
Start up the app:
$ python manage.py runserver
Find a Partner
1. Injection
Injection Attacks
• When an application sends untrusted data to an interpreter
• Can result in data loss/corruption, lack of accountability, denial of access
• Can lead to complete host takeover
Trust No One
• External users
• Internal users
• Administrators
Attack Vectors
• GET parameters
• POST parameters
• PATH_INFO
• Some HTTP headers: Cookie, Host
• Uploaded Files
Possible Consequences
• Creation of malicious SQL (or other queries)
• Accessing private files on disk
• Arbitrary code execution
Real-World Examples
• Sony Playstation Network
• Ruby on Rails
• http://es.pn/Z0jnoi
SQL Injection
• Unescaped user input causes the premature end of a SQL query and allows a malicious query to be executed...
"""select * from users where username='%s';"""
• http://localhost:8000/injection/sql
Accessing Private Files
• File system access + unvalidated user input allows attackers to navigate the file system
• http://localhost:8000/injection/file-access
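The file-access exercise above, with the check a defender would add, as an added example that is not code from the tutorial's repository: the requested name is resolved and accepted only if it still lies under the served directory. The directory layout and file names are constructed for the demo.

```python
"""Added example: serve a file by client-supplied name only when the resolved
path stays inside the intended directory (the 'file-access' exercise)."""
import os
import tempfile


def resolve_inside(base_dir, requested):
    """Return the absolute path for `requested` if it stays under base_dir,
    otherwise None. realpath() normalises '..' segments and symlinks before
    the containment check, so the comparison is on the real location."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole path components, so a sibling directory
    # such as '/srv/files2' is not mistaken for a child of '/srv/files'.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def read_public_file(base_dir, requested):
    """Read a file from base_dir, or return None if it is missing or outside."""
    path = resolve_inside(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def demo():
    """Constructed layout: one public file inside the served directory and a
    'secret' file one level above it. Returns what each request yields."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "readme.txt"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("top secret")
    return {
        "normal": read_public_file(public, "readme.txt"),
        # '..' would walk out of the served directory; the check rejects it.
        "traversal": read_public_file(public, "../secret.txt"),
        # An absolute path makes os.path.join discard the base entirely.
        "absolute": read_public_file(public, os.path.join(root, "secret.txt")),
        "missing": read_public_file(public, "nope.txt"),
    }


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"{name}: {content!r}")
```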
Arbitrary Code Execution
• Unsafe input is dynamically evaluated or executed
• http://localhost:8000/injection/code-execution
Prevention
• Validate ALL user input
• Sign cookies, don’t accept if signature is bogus/missing
• Use ORMs or bind variables when talking to the database
• Don’t use eval or exec, beware of pickle, user-supplied YAML, etc.
Django Advice
• Make sure data types for your model are tight
• Use Forms instead of ModelForms for stronger validation
• Make new validators as needed for your application
• Make sure your URL regexes for dynamic URLs are tight
Django Advice
• Use the ORM when you can
• When you can’t, use extreme caution!
• Bind variables
• No string concatenation/formatting of anything that came from the client
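As an added example (not code from the tutorial's repository) for the SQL Injection slide and the bind-variable advice above: the same username lookup written first with string formatting, as on the slide, and then with a bind variable, run against a constructed in-memory SQLite table.

```python
"""Added example: the slide's username lookup, vulnerable and parameterised,
against a constructed in-memory SQLite database."""
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The slide's pattern: client input is formatted straight into the SQL.
    A quote in the input ends the string literal early, and whatever follows
    is parsed as part of the query."""
    query = "select * from users where username='%s';" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Same lookup with a bind variable: the value travels separately from the
    statement text, so the database never parses it as SQL."""
    query = "select * from users where username=?;"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Row counts for a normal name and for a constructed input that closes
    the quoted literal and appends its own always-true condition."""
    conn = make_db()
    normal = "alice"
    hostile = "nobody' or 'a'='a"
    return {
        "vulnerable_normal": len(find_user_vulnerable(conn, normal)),
        "vulnerable_hostile": len(find_user_vulnerable(conn, hostile)),
        "safe_normal": len(find_user_safe(conn, normal)),
        "safe_hostile": len(find_user_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable version returns every row for the hostile input; the parameterised one looks for a user literally named `nobody' or 'a'='a` and finds none.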
2. Broken Authentication & Session Management
Broken Auth & Session Management
• Attacker uses leaks or flaws in authentication or session management to impersonate users
• Roll-your-own solutions contribute to the difficulty of finding these flaws
Possible Consequences
• Compromised user accounts
• Compromised administrative accounts
• Unauthorized use of privileged functionality
Prevention
• Hash or encrypt passwords
• Don’t let credentials be easily overwritten
• Don’t put session IDs in URLs
• Allow session IDs to timeout/log out
• Rotate session IDs after successful login
• TLS connections for passwords, session IDs
Django Advice
• Use django.contrib.auth
• Consider https://github.com/yourlabs/django-session-security middleware for timing out sessions
• We’ll talk about transport layer security later on...
3. Cross-Site Scripting (XSS)
XSS Attacks
• Cross-Site Scripting (XSS)
• The most prevalent web app security flaw
• App includes user-supplied data in content sent to the browser without properly validating or sanitizing it
XSS Attacks
• Stored: injected code permanently stored in database, message forum, comment, etc.
• Reflected: injected code in live request to server, reflected back in error message or search result
• DOM: injected code in browser DOM environment that causes scripts to run in unexpected ways (e.g., reading from URL)
Possible Consequences
• Execute scripts in a victim’s browser
• Hijack sessions
• Deface sites
• Insert hostile content
• Redirect users
• Hijack browser (install malware)
Most Often Seen...
• Places where user-created text is displayed to other users (comments, messages)
• Form inputs where value is populated with user-supplied data
• Script tags where user-supplied data is populated into script variables
XSS in Dynamic URLs
• Part of the URL path is variable, isn’t validated, and gets included into the page
• http://localhost:8000/cross-site-scripting/path-matching/your-path-here
XSS in Query String Parameters
• Unvalidated user input from a query string parameter is included in the page
• http://localhost:8000/cross-site-scripting/query-params?qs=awesome
XSS in Form Fields
• The value part of an input is prematurely terminated, allowing JavaScript to be injected into the element (e.g., adding an onclick)
• http://localhost:8000/cross-site-scripting/form-field
Q: Can you trust the database?
Prevention
• Escape all untrusted data based on the HTML context the data will be placed into
• Whitelist input validation
• Consider auto-sanitization libraries for rich content (e.g., OWASP’s AntiSamy)
• Update your parents’/in-laws’ browsers!
Django Advice
• Be careful with the safe filter, django.utils.safestring, etc.
• Be careful with your own template tags; django.utils.html.escape is your friend!
• Use form.as_p, form.as_table, form.as_ul
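Added example, not from the tutorial's repository, for the escaping advice above: one untrusted value rendered into element content, an attribute value and an inline script, with the standard library's html.escape standing in for Django's auto-escaping and html.parser used to confirm what a browser would read from the attribute. The payload and markup are constructed.

```python
"""Added example: context-aware escaping of one untrusted value, plus a parser
check showing why the unescaped form-field rendering is exploitable."""
import html
import json
from html.parser import HTMLParser

# Constructed input in the shape the form-field exercise describes: it closes
# the quoted value attribute and adds an event-handler attribute of its own.
PAYLOAD = '" onfocus="alert(1)" x="'


def render_unescaped(value):
    """The vulnerable pattern: raw client data dropped into a value attribute."""
    return '<input name="q" value="{}">'.format(value)


def render_escaped(value):
    """Escape the same value for three different HTML contexts."""
    body = html.escape(value, quote=False)   # text between tags: & < > suffice
    attr = html.escape(value, quote=True)    # quoted attribute: also " and '
    # Inline script: JSON yields a valid JS string literal; '<' is encoded too
    # so the value can never contain a closing </script> tag.
    script = json.dumps(value).replace("<", "\\u003c")
    return {
        "body": "<p>{}</p>".format(body),
        "attr": '<input name="q" value="{}">'.format(attr),
        "script": "<script>var q = {};</script>".format(script),
    }


class _FirstTag(HTMLParser):
    """Collects the attributes of the first start tag the way a browser reads
    them: entity references inside attribute values are decoded."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def attributes_of(markup):
    """Return the parsed attributes of the first tag in `markup`."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    print("unescaped:", attributes_of(render_unescaped(PAYLOAD)))
    print("escaped:  ", attributes_of(render_escaped(PAYLOAD)["attr"]))
```

In the unescaped rendering the parser sees a new `onfocus` attribute; in the escaped one the whole payload is just the text of `value`.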
4. Insecure Direct Object References
Insecure Direct Object Reference
• Expose a reference to an internal implementation object without verifying authorization
• Attacker changes URL or GET/POST parameters, cookies
Possible Consequences
• Compromise of all data that can be referenced by the vulnerable parameter
• Unless the namespace is sparse, an attacker can easily access all available data of that type
Exercises
• Manipulate parameters in the URL to access data that doesn’t belong to you
• http://localhost:8000/direct-object-references
Prevention
• Implement access controls on any direct references to restricted resources
• Implement per-user or per-session indirect object references
Django Advice
• Use permissions architecture to lock down views
• Customize queryset for looking up objects that involve user ownership
5. Security Misconfiguration
Security Misconfiguration
• Insecure application settings
• Unpatched flaws
• Unused pages
Possible Consequences
• Unauthorized access to some system data or functionality
• Potential complete system compromise
Exercises
• Demos and discussion
• http://localhost:8000/misconfiguration
Prevention
• Have a repeatable hardening process
• Have a process for keeping on top of updates and patches
• Architecture that provides secure separation between components
• Periodic scans and audits
Django Advice
• Don’t run in debug mode in production
• Keep your SECRET_KEY secret!
• Keep Python code out of webserver’s root
• Don’t run admin publicly (if you can help it)
• Don’t use the built-in admin for normal user admin tasks
Q: Gateway to Social Engineering?
6. Sensitive Data Exposure
Sensitive Data Exposure
• Failure to properly protect credit cards, tax ids, authentication credentials, etc.
• Sensitive data deserves extra protection such as encryption at rest or in transit, special precautions when exchanged with the browser
Insecure Cryptographic Storage
• Not encrypting worthy data
• Unsafe key generation & storage, failure to rotate keys
• Weak algorithms
• Weak or unsalted hashes
Insufficient Transport Layer Protection
• May not authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic
• May use weak algorithms
• May use expired or invalid certificates
• May use certificates incorrectly
Possible Consequences
• Compromise of all data that should have been encrypted
• This can be highly sensitive information: credentials, credit cards, personal data, health records, etc.
Possible Consequences
• Expose individual users’ data
• Account theft
• Compromise an admin account?!
• Poor SSL setup can facilitate phishing and man-in-the-middle attacks
Attack Vectors
• Attacker monitors network traffic of your users
• Maybe in public places (Starbucks, conference wi-fi, etc.)
• Maybe back end connections
• Maybe inside your network (!!!)
Prevention
• Encrypt sensitive data at rest
• Encrypt offsite backups; manage keys separately
• Use strong standard algorithms, strong keys
• Hash passwords with strong standard algorithm & use appropriate salt
• Protect passwords & keys from unauthorized access
Prevention
• Require SSL for all sensitive pages; redirect non-SSL requests to SSL
• Set the “secure” flag on sensitive cookies
• Use only strong SSL algorithms
• Ensure your cert is valid, not expired, not revoked, and matches your domain
• SSL/encryption on the back end too
Django Advice
• Use django.contrib.auth for proper password salting and hashing
• Require SSL in Apache or Nginx
• Require SSL using middleware:
• http://www.redrobotstudios.com/blog/2010/02/06/requiring-https-for-certain-paths-in-django/
• http://djangosnippets.org/snippets/2833/
• http://djangosnippets.org/snippets/1467/
7. Missing Function Level Access Control
Missing Function Level Access Control
• Application doesn’t protect its functions properly
• Misconfiguration
• Forgot proper code checks
Attack Vectors
• Authorized user changes a URL or parameter to a privileged function
• Anonymous users could access private functions that aren’t protected
Possible Consequences
• Compromised user accounts
• Compromised administrative accounts
• Unauthorized use of privileged functionality
Exercises
• Manipulate the URL to access privileged functionality
• http://localhost:8000/missing-access-control
Prevention
• Consider every page; public or private?
• If authentication is required, make sure that checks are in place
• If additional authorization is required, make sure that checks are in place
• Deny all by default; explicitly grant access to users or roles
Django Advice
• Use the permissions architecture to lock down views
• Don’t use the built-in admin for normal user admin tasks
8. Cross-Site Request Forgery
CSRF Attacks
• Cross-Site Request Forgery (CSRF)
• Attacker tricks victim into submitting forged HTTP requests
• Attack succeeds if user is authorized/authenticated
Attack Vectors
• Image tags
• Cross-Site Scripting (XSS)
• Fake buttons
• Phishing forms
• Other techniques
Possible Consequences
• Cause victim to change any data the victim is allowed to change
• Cause victim to perform any function the victim is authorized to use
• Impact varies based on victim’s role
• Think of some possibilities...
Real-World Examples
• Facebook: http://amolnaik4.blogspot.com/2012/08/facebook-csrf-worth-usd-5000.html
• Google/Gmail: http://cryptogasm.com/2012/02/does-google-understand-csrf/
CSRF via Image
• Craft an “image” link that triggers some site functionality
• http://localhost:8000/csrf/image
What if...
<img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
CSRF via Form Post
• Create an innocuous-looking form that POSTs to a vulnerable location
• http://localhost:8000/csrf/third-party-site
Prevention
• Don’t “do” things on a GET
• Include a unique token in a hidden field (often used in concert with a cookie)
• Validate token to make sure the request is from on-site
• Avoid putting the token into a query string
Django Advice
• Don’t change the built-in settings!
• Do use the CSRF middleware and template tag in forms
• Be VERY CAREFUL about deactivating it (csrf_exempt decorator)
• Be careful about APIs (Tastypie, oauth)
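Added example (not the tutorial's or Django's own code) of the token scheme on the CSRF Prevention slide: a token bound to the session cookie by an HMAC, placed in a hidden form field and checked with a constant-time compare, with the query string deliberately never consulted. The secret, cookie name and field name are constructed stand-ins.

```python
"""Added example: session-bound CSRF token issued for a hidden field and
validated on state-changing requests."""
import hashlib
import hmac

# Constructed stand-in for a server-side secret such as Django's SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def issue_csrf_token(session_id):
    """Token for the hidden form field, bound to the session cookie by HMAC.
    A page on another origin can neither read the victim's cookie nor compute
    the HMAC, so it cannot produce a matching field value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(method, cookies, form_fields, query_params):
    """Decide whether a request may change state.

    cookies, form_fields and query_params are plain dicts standing in for the
    request objects a framework provides. query_params is accepted only to make
    the point that it is never consulted: a token in the query string leaks via
    Referer headers, logs and browser history."""
    if method.upper() in SAFE_METHODS:
        # Only correct when safe-method handlers really have no side effects
        # (the slide's "don't do things on a GET").
        return True
    session_id = cookies.get("sessionid")
    submitted = form_fields.get("csrf_token")
    if not session_id or not submitted:
        return False  # missing token: treat exactly like a bogus one
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so timing differences cannot leak the token.
    return hmac.compare_digest(submitted.encode(), expected.encode())


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = issue_csrf_token(sid)
    print("own form:     ", csrf_check("POST", {"sessionid": sid}, {"csrf_token": token}, {}))
    print("foreign form: ", csrf_check("POST", {"sessionid": sid}, {"amount": "1500"}, {}))
    print("token in URL: ", csrf_check("POST", {"sessionid": sid}, {}, {"csrf_token": token}))
```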
9. Using Known Vulnerable Components
Components with Known Vulnerabilities
• Libraries, frameworks, and other modules almost always run with full privilege
• Hard to stay up to date on everything
• Do you even know all the components in use, let alone their versions?
• Components with known problems can be identified & exploited with automated tools
Attack Vectors
• Attacker identifies a weak component through scanning or manual analysis
• Customize exploit as needed
• More difficult the deeper the component is in the application
Possible Consequences
• Full range of weaknesses are possible
• Impact could be minimal, or...
• Complete host takeover!
• Data compromise!
![Page 92: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/92.jpg)
Prevention
• Don’t use components you don’t write (unrealistic)
• Keep components up to date
• Identify all components and versions
• Monitor security of these components
![Page 93: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/93.jpg)
Django Advice
When @jacobian says there are new security releases for Django, upgrade!
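An added example, not from the tutorial or from any project it cites, of the last two prevention bullets: build an inventory of components and versions from `pip freeze` output and match it against an advisory feed, so a new security release shows up as an upgrade to make. The freeze output and the advisory entries are constructed and hypothetical, and the version ordering is a simplified form of PEP 440.

```python
import re

# Constructed `pip freeze` output (hypothetical versions, for the example only).
FREEZE_OUTPUT = """\
Django==1.4.2
Example_Lib==0.9.1rc2
other-thing==2.3
"""

# Constructed advisory feed: name -> [(affected_from, fixed_in, note)].
# Hypothetical entries for illustration, not real advisories.
ADVISORIES = {
    "django": [("1.4", "1.4.5", "hypothetical: fixed in 1.4.5")],
    "example-lib": [("0.9", "0.9.1", "hypothetical: fixed in 0.9.1")],
}

def normalize_name(name):
    # PEP 503 normalization so Example_Lib, example-lib and example.lib match
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(version):
    # Simplified PEP 440 key: numeric release segments, padded to three, plus a
    # flag that sorts pre-releases (rc1, a2, b1) before the final release.
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError("unparseable version: %r" % version)
    release = [int(p) for p in m.group(1).split(".")]
    release += [0] * (3 - len(release))
    return tuple(release) + (-1 if m.group(2) else 0,)

def parse_freeze(text):
    # Inventory {normalized_name: version} from `pip freeze` style lines
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:  # editable/VCS pins need separate handling
            name, version = line.split("==", 1)
            inventory[normalize_name(name)] = version.strip()
    return inventory

def find_vulnerable(inventory, advisories):
    # Every (name, version, note) whose installed version lies inside an affected range
    hits = []
    for name, version in sorted(inventory.items()):
        for affected_from, fixed_in, note in advisories.get(name, []):
            if parse_version(affected_from) <= parse_version(version) < parse_version(fixed_in):
                hits.append((name, version, note))
    return hits
```

Run `find_vulnerable(parse_freeze(FREEZE_OUTPUT), ADVISORIES)` against the real environment's freeze output and a real advisory source; anything returned is a component to upgrade.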
![Page 94: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/94.jpg)
10. Unvalidated Redirects & Forwards
![Page 95: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/95.jpg)
Redirection Abuse
• Attacker tricks user into visiting a URL that redirects or forwards the request without validating the redirect location
• Users are prone to click because the link points to a legitimate site
![Page 96: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/96.jpg)
Possible Consequences
• Install malware
• Phishing/information disclosure
• Bypass access controls
![Page 97: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/97.jpg)
External Redirection
• Use a redirection URL to redirect to an external location
• http://localhost:8000/redirects-and-forwards/redirects
![Page 98: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/98.jpg)
Forwards
• Manipulate a forward parameter to gain access to privileged functionality
• http://localhost:8000/redirects-and-forwards/forwards
![Page 99: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/99.jpg)
Prevention
• Don’t use redirects or forwards
• Don’t use user-supplied data to build the redirect location
• Ensure the supplied value is valid and authorized for the user
![Page 100: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/100.jpg)
Django Advice
• Use django.utils.http.is_safe_url to check redirect URLs
• Used by django.contrib.auth internally
• Consider wrapping is_safe_url if you have to allow other off-domain URLs
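An added example, not Django's is_safe_url and not the tutorial's code, of the checks such a redirect validator needs and of the wrapping idea above: relative URLs pass, http(s) URLs pass only for an allowlisted host, and the browser tricks that turn a "relative" URL into an off-site one are rejected. The allowed hosts are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hypothetical hosts for the example: the app itself plus one partner site that
# legitimately receives redirects (the "allow other off-domain URLs" case).
ALLOWED_HOSTS = frozenset({"example.com", "partner.example.org"})


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """True only for a same-site relative URL or an http(s) URL whose host is
    in allowed_hosts. Stand-in for django.utils.http.is_safe_url, not Django's
    own code; it applies the kinds of checks a redirect validator needs."""
    if not url:
        return False
    url = url.strip()
    # Browsers turn backslashes into slashes, so "/\evil" becomes "//evil",
    # a scheme-relative URL that leaves the site.
    if "\\" in url:
        return False
    # Control characters could split or corrupt the Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    # "///host" is read by browsers as "//host"; urlsplit sees an empty netloc.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    # Only http(s) or no scheme at all: this blocks javascript:, data:, etc.
    if scheme and scheme not in ("http", "https"):
        return False
    if require_https and scheme == "http":
        return False
    # A scheme with no host (e.g. "http:///evil") is malformed; reject it.
    if scheme and not parts.netloc:
        return False
    # Relative path on our own site: nothing to check except a bare "//".
    if not parts.netloc:
        return not url.startswith("//")
    # Use .hostname so "user@evil" and ":port" forms resolve to the real host.
    host = parts.hostname
    return host is not None and host in allowed_hosts


def safe_next_url(candidate, fallback="/"):
    """Pick the post-login destination: the requested URL if safe, else fallback."""
    return candidate if is_safe_redirect(candidate) else fallback
```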
![Page 101: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/101.jpg)
Q: Who here has vulnerable apps?
![Page 102: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/102.jpg)
Parting Thoughts
![Page 103: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/103.jpg)
Think Like a Bad Guy
![Page 104: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/104.jpg)
Don’t Stop at Ten
![Page 105: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/105.jpg)
Constant Change
![Page 106: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/106.jpg)
Think Positive
![Page 107: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/107.jpg)
Announcements
• Lunch—moved to Exhibit Hall D
• Feedback—https://goo.gl/PvHDc
• Volunteer: http://bit.ly/pycon2013-volunteer
http://bit.ly/pycon-volunteering-status
![Page 108: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/108.jpg)
Links
• http://www.owasp.org
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• https://docs.djangoproject.com/en/dev/topics/security/
• https://github.com/mpirnat/lets-be-bad-guys
![Page 109: Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities](https://reader030.vdocument.in/reader030/viewer/2022020306/547a664cb4af9fa5158b4a9d/html5/thumbnails/109.jpg)
Contact Us
Mike Pirnat: http://mike.pirnat.com, @mpirnat
David Stanek: http://traceback.org, @dstanek