Top Banner
Secure Programming Lecture 12: Web Application Security III David Aspinall 29th October 2019
41

Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Jul 04, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Secure Programming Lecture 12: WebApplication Security III

David Aspinall

29th October 2019

Page 2: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Outline

Overview

Sensitive Data

External Entities

Deployment

Cross-site Request Forgery (CSRF)

Redirects

Summary

Page 3: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

OWASP Top 10 list 2017É A1 Injection ØÉ A2 Broken Authentication ØÉ A3 Sensitive Data ExposureÉ A4 XML External Entities (XXE)É A5 Broken Access Control ØÉ A6 Security MisconfigurationÉ A7 Cross-Site Scripting (XSS) ØÉ A8 Insecure DeserializationÉ A9 Using Components with Known VulnerabilitiesÉ A10 Insufficient Logging & Monitoring

We will also mention items from Top 10 list 2013:

É A8 Cross-Site Request Forgery (CSRF)É A10 Unvalidated Redirects and Forwards

Exercise. This leaves 2017 A8, Insecure Deserialization,for you to investigate separately.

Page 4: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Outline

Overview

Sensitive Data

External Entities

Deployment

Cross-site Request Forgery (CSRF)

Redirects

Summary

Page 5: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Information leakage

Reminder from your first security course:

Confidentiality is defined as the

unauthorised learning of information

(not merely unauthorised reading of data)

Presumes notions of

É authorisation likely based on an . . .É access control policy likely based on . . .É authentication.

Page 6: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Information leakage

Information can be learned in a variety of ways:

É direct exposureÉ display on a public web pageÉ may be inadvertent on part of user

É indirect/inferred exposureÉ programming mistakes showing wrong infoÉ display of consequences of info

É leakage through side-channel attacksÉ e.g., timing attacks

É (via) offline mechanismsÉ social engineering to get passwords, etc

Page 7: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

The Privacy CrisisA while ago some security researchers, social mediacompany owners and commentators said:

"Privacy is dead, get over it!"

Now it’s clear this isn’t true. We can’t stop peopleintentionally sharing personal information, but it is ourjob to ensure:

É good policy: advise users about it and its impactsÉ good programming: don’t leak data accidentallyÉ good design: don’t force users to leak dataÉ good UX/UI: so users understand what they’re doing

Of course there may be competing incentives to exposepersonal data (Q. for example?).

But it is better that data handling practices are definedand explained clearly in privacy policies for end users.

Page 8: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Example: search data

Google

É may save your web search history foreverÉ gives users the option to turn this off; then searches

are partially “anonymized” after 18 months.

If you haven’t looked at this before, visit:

É https://myactivity.google.com/myactivity/

Anonymization of data is very difficult or impossiblein general: many examples of linkage attacks haverecovered identities.

Page 9: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Example: voice controlApple’s Siri keeps voice data for up to two years:

Here’s what happens. Whenever you speak into Ap-ple’s voice activated personal digital assistant, it shipsit off to Apple’s data farm for analysis.Apple generates a random number to represent theuser and it associates the voice files with that num-ber. This number — not your Apple user ID or emailaddress — represents you as far as Siri’s back-endvoice analysis system is concerned.Once the voice recording is six months old, Apple “dis-associates” your user number from the clip, deletingthe number from the voice file. But it keeps these dis-associated files for up to 18 more months for testingand product improvement purposes.

Wired’s article from 2013, attempting to clarify Apple’s behaviour.Latest policy may be different, check to see.

Page 10: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Example: an amazing mind reader

See the video campaign by Safe Internet Banking inBelgium.

Exercise. What has this got to do with banking? Andwhy should it have anything to do with it?

Page 11: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Privacy by Design

Privacy by design (PbD) is a methodology introduced bythe Information and Privacy Commissioner of Ontario inthe 1990s. It has 7 foundational principles:

1. Be proactive and preventative, not remedial2. Make privacy the default setting3. Put privacy into the design4. Encourage win-win (not privacy-security trade-off)5. Provide full lifecycle protection (end-to-end)6. Be transparent and open about practices7. Be respectful and user-centric

This process is encouraged in the EU GDPR General DataProtection Regulation, which came into law in 2018.

Page 12: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Basic strategy for sensitive data handling

0. Define your policy, devise requirements1. Label the data parts at least informally2. Sanitize to remove sensitive parts/meta-data3. Follow the data through the app and check

Check questions for data flow:

É is the data stored as plain text long term(e.g. backups)?É is the data transmitted as plain text?É are encryption algorithms strong enough?É are browser security directives/headers set

appropriately?

Page 13: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

OWASP advice for sensitive data:

1. Don’t store unnecessarily2. Encrypt appropriately (e.g., large keys if long term)3. Use known strong encryption algorithms4. Manage passwords properly5. Disable auto-completion on forms, disable caching

Page 14: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

RegulationIf you manipulate or store user data you have (legal)responsibilities for managing it properly. For example:

É DPA UK Data Protection ActÉ organisations must register and data must be kept

“safe and secure”. The ICO prosecutes and fines.É GDPR came into EU state laws 2018.É breaches notified, rights of erasure, data portability

É Finance: Payment Card Industry Data SecurityStandard (PCI-DSS)É requirements for anyone who processes card dataÉ larger merchants are audited

É Health: HIPPA (in the US)

Given the scale and frequency of data lossage,regulation/enforcement increasing. (Expect securitycompanies to push for and profit from this.)

Page 15: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Outline

Overview

Sensitive Data

External Entities

Deployment

Cross-site Request Forgery (CSRF)

Redirects

Summary

Page 16: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

XML External Entities (XXE)

É Web applications process XML documents which cancontain external references given as URIs.É XML processors may obey these without restriction.É Attacker may be able to upload/control files

Examples were known at least since 2002, exploitsbecame common around 2014.

Defences: use more restrictive and specific formats forexchanging data, take care with deserialisation;configure DTD and XML processors to validatedocuments, enable security checks, prevent externalentity processing.

See the OWASP Cheat Sheet for some library specificadvice.

Page 17: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

DTD external entity

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

Other references could be an internal server:

<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>

or DoS with endless stream

<!ENTITY xxe SYSTEM "file:///dev/random" >]>

Page 18: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

XML bomb: A billion laughs

Nasty attacks are also possible without loading externalentities:

<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]><lolz>&lol9;</lolz>

See the Wikipedia entry.

Page 19: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Outline

Overview

Sensitive Data

External Entities

Deployment

Cross-site Request Forgery (CSRF)

Redirects

Summary

Page 20: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Security MisconfigurationThe whole web app stack must be secured (Q. Why?)

É Make sure up to date wrt security patchesÉ OS, Web/App Server, DBMS, app framework, libs. . .

É Disable unnecessary featuresÉ Default accounts, demo pages, debug interfaces

É Use minimum privilegeÉ Separate concerns, ACLs per component/app

É Ensure error handling doesn’t expose infoÉ Have a repeatable security config processÉ An app-specific checklist to work throughÉ Uniform config for devel, QA, deployment

É Have a automated checking processÉ Ensure configuration security

Part 2 of the coursework asks you to fix some security configurationissues.

Page 21: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Inherited vulnerabilities

Big cause of real-life vulnerabilities:patch was available but not installed

É Need to stay up-to-dateÉ Can be harder than might be hopedÉ no unique clearing house (but CVE, NVD v.~good)É unsatisfiable compatibility dependencies

É Future: expect to see more automated tools

Page 22: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Outline

Overview

Sensitive Data

External Entities

Deployment

Cross-site Request Forgery (CSRF)

Redirects

Summary

Page 23: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Cross Site Request Forgery (CSRF) (A8)

É Exploits browser’s trust relationship with a web siteÉ local intranet web site (home router admin, . . . )É banking or email site user is logged intoÉ browser is authorized to connect here

É Attacker triggers malicious actionÉ get user to open malicious linkÉ browser undertakes action on target site

Question. How does CSRF differ from XSS?

Page 24: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

CSRF in pictures

Page 25: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

CSRF in code

Alice is logged in to the (hypothetical) GeeMail webmail system.

She sends an email with this form:

<formaction="http://geemail.com/send_email.htm"method="GET">Recipient’s Email address: <inputtype="text" name="to">

Subject: <input type="text" name="subject">Message: <textarea name="msg"></textarea><input type="submit" value="Send Email">

</form>

Page 26: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Example GET request

Which sends a request like this:

http://geemail.com/send_email.htm?to=bob%40example.com&subject=hello&msg=What%27s+the+status+of+that+proposal%3F

Page 27: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Attacker’s cross-site request

Now Mallory just needs Alice to visit a site which loadsan image link, e.g., by putting a fake image on his ownblog:

<img src="http://geemail.com/send_email.htm?to=charliegeemail.com&subject=Hi&msg=My+email+address+has+been+stolen">

and Alice’s browser will send an Email!

Page 28: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Confused Deputy problem

CSRF is a case of the Confused deputy problem.

The issue motivates the use of capabilities.

See The Confused Deputy by Norm Hardy, ACM SIGOPS OperatingSystems Review, 1988. Picture credit: FP7 project Serscis>

Page 29: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Avoiding CSRF problems

In general: tricky. Need some way to assure the servercode that the request has come from intended place.

É Referer header not tamper proof, may be absentÉ Session ID cookie sent based on destinationÉ The Same Origin Policy restricts client-side code

Best strategy (as a web developer): use a goodframework that provides built-in protection.

But how do they work?

Page 30: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

É Don’t use GET for any (sensitive) state changeÉ basic starting point

É Use a “double cookie” trick, repeated in POSTÉ set a secure secret session ID in a cookieÉ submit it in cookie and hidden field on formÉ server-side, check fields identical

É Use a special CSRF token in POSTÉ secure random number (challenge) for each loginÉ send this with POST and check server-sideÉ save state: generate using hmac from session ID

See Robust defenses for cross-site request forgery, Barth et al, ACMCCS 2008.

Page 31: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Same-origin Policy (browser-side isolation)

The same-origin policy is a now standard browser-sidemechanism to protect simultaneously running webapplications from one another.

It restricts access to:

É DOM (i.e., representation of the document)É APIs for web access (XMLHttpRequest)É Cookies, HTML5 local storage APIs

to pages from the same domain, i.e., protocol-host-port.

JavaScript code can override the defaults by performinglimited manipulation of document.domain.

Browser sandboxing enhances this (e.g., in Chrome,separate tabs/frames run in separate processes).

Page 32: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Access control: Cross-Origin Resource SharingModern browsers provide XMLHttpRequest JS API.

É script code sends messages back to the originatingsite, receives XML (or JSON, HTML, etc).

The same-origin policy became too restricted leading tohacks and workarounds and drafts for improvementincluding Cross-Origin Resource Sharing (CORS).

CORS uses new HTTP headers to allow responses toindicate that they can be shared, for example:

Access-Control-Allow-Origin: http://www.example.com

or

Access-Control-Allow-Origin: *

See the messaging standard part of HTTP for links to details.

Page 33: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Outline

Overview

Sensitive Data

External Entities

Deployment

Cross-site Request Forgery (CSRF)

Redirects

Summary

Page 34: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Leaving HP

Page 35: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Unvalidated redirects and forwards (2013 A10)

Web apps often allow redirections which

É send users off-site with a polite messageÉ reroute them immediately

http://www.example.com/redirect.jsp?url=www.disney.com

or forwards which

É redirect internally to different parts of the same site

http://www.example.com/login.jsp?fwd=admin.jsp

Question. What’s the security concern here?

Page 36: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Giving attackers legitimacy

É Attackers can craft URLs that fool users:www.example.com/redirect.jsp?url=www.evilhacker.com

These kind of open redirect links are favourites forphishing attacks, especially as ultimate destinations canbe concealed in URL encodings.

However, this may not directly harm www.example.com.

So, preventing open reirects is a typical example of acommunity wide desirable security measure (like oldercases in network security: open mail relays, ICMPbroadcast, etc.): good practice of all provides securityfor others.

Page 37: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Avoiding redirects and forwards

1. Don’t use them2. Use them but not with user-supplied parameters.3. If user-supplied parameters must be used, use an

indirection (index value)

Another solution is to do the generation (& validation) ofexternal links statically.

Question. Why is static generation of external links stillnot bullet-proof?

Page 38: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Outline

Overview

Sensitive Data

External Entities

Deployment

Cross-site Request Forgery (CSRF)

Redirects

Summary

Page 39: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Review questions

Authorization

É How might you design a web based admin front-endto a database server, supposing that the serverprovides a collection of databases and its own notionof user and authorization?

Redirection

É What is an open redirect in a web application andwhy is it undesirable?

Page 40: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

Handling sensitive data

É Describe three ways that a web applicationprogramming flaw might result in stored private userdata being leaked.

CSRF

É Draw a picture showing how a CSRF attack mightwork against an online banking user. What might anattacker be able to do?É What does a defence mechanism against CSRF need

to be able to do?

Deployment

É Give three recommendations for securing thedeployment environment (server, database,application framework) for a web app.

Page 41: Secure Programming Lecture 12: Web Application Security III · OWASP Top 10 list 2017 É A1 Injection Ø É A2 Broken Authentication Ø É A3 Sensitive Data Exposure É A4 XML External

References

This lecture contained material from:

É the OWASP Top 10É The Tangled Web: a Guide to Securing Modern Web

Applications by Michal Zalewski, No Starch Press,2012.

as well as research papers and other sources cited.