Secure Programming Lecture 12: Web Application Security III David Aspinall 29th October 2019
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Secure Programming Lecture 12: WebApplication Security III
David Aspinall
29th October 2019
Outline
Overview
Sensitive Data
External Entities
Deployment
Cross-site Request Forgery (CSRF)
Redirects
Summary
OWASP Top 10 list 2017É A1 Injection ØÉ A2 Broken Authentication ØÉ A3 Sensitive Data ExposureÉ A4 XML External Entities (XXE)É A5 Broken Access Control ØÉ A6 Security MisconfigurationÉ A7 Cross-Site Scripting (XSS) ØÉ A8 Insecure DeserializationÉ A9 Using Components with Known VulnerabilitiesÉ A10 Insufficient Logging & Monitoring
We will also mention items from Top 10 list 2013:
É A8 Cross-Site Request Forgery (CSRF)É A10 Unvalidated Redirects and Forwards
Exercise. This leaves 2017 A8, Insecure Deserialization,for you to investigate separately.
Outline
Overview
Sensitive Data
External Entities
Deployment
Cross-site Request Forgery (CSRF)
Redirects
Summary
Information leakage
Reminder from your first security course:
Confidentiality is defined as the
unauthorised learning of information
(not merely unauthorised reading of data)
Presumes notions of
É authorisation likely based on an . . .É access control policy likely based on . . .É authentication.
Information leakage
Information can be learned in a variety of ways:
É direct exposureÉ display on a public web pageÉ may be inadvertent on part of user
É indirect/inferred exposureÉ programming mistakes showing wrong infoÉ display of consequences of info
É leakage through side-channel attacksÉ e.g., timing attacks
É (via) offline mechanismsÉ social engineering to get passwords, etc
The Privacy CrisisA while ago some security researchers, social mediacompany owners and commentators said:
"Privacy is dead, get over it!"
Now it’s clear this isn’t true. We can’t stop peopleintentionally sharing personal information, but it is ourjob to ensure:
É good policy: advise users about it and its impactsÉ good programming: don’t leak data accidentallyÉ good design: don’t force users to leak dataÉ good UX/UI: so users understand what they’re doing
Of course there may be competing incentives to exposepersonal data (Q. for example?).
But it is better that data handling practices are definedand explained clearly in privacy policies for end users.
Example: search data
É may save your web search history foreverÉ gives users the option to turn this off; then searches
are partially “anonymized” after 18 months.
If you haven’t looked at this before, visit:
É https://myactivity.google.com/myactivity/
Anonymization of data is very difficult or impossiblein general: many examples of linkage attacks haverecovered identities.
Example: voice controlApple’s Siri keeps voice data for up to two years:
Here’s what happens. Whenever you speak into Ap-ple’s voice activated personal digital assistant, it shipsit off to Apple’s data farm for analysis.Apple generates a random number to represent theuser and it associates the voice files with that num-ber. This number — not your Apple user ID or emailaddress — represents you as far as Siri’s back-endvoice analysis system is concerned.Once the voice recording is six months old, Apple “dis-associates” your user number from the clip, deletingthe number from the voice file. But it keeps these dis-associated files for up to 18 more months for testingand product improvement purposes.
Wired’s article from 2013, attempting to clarify Apple’s behaviour.Latest policy may be different, check to see.
Example: an amazing mind reader
See the video campaign by Safe Internet Banking inBelgium.
Exercise. What has this got to do with banking? Andwhy should it have anything to do with it?
Privacy by Design
Privacy by design (PbD) is a methodology introduced bythe Information and Privacy Commissioner of Ontario inthe 1990s. It has 7 foundational principles:
1. Be proactive and preventative, not remedial2. Make privacy the default setting3. Put privacy into the design4. Encourage win-win (not privacy-security trade-off)5. Provide full lifecycle protection (end-to-end)6. Be transparent and open about practices7. Be respectful and user-centric
This process is encouraged in the EU GDPR General DataProtection Regulation, which came into law in 2018.
Basic strategy for sensitive data handling
0. Define your policy, devise requirements1. Label the data parts at least informally2. Sanitize to remove sensitive parts/meta-data3. Follow the data through the app and check
Check questions for data flow:
É is the data stored as plain text long term(e.g. backups)?É is the data transmitted as plain text?É are encryption algorithms strong enough?É are browser security directives/headers set
appropriately?
OWASP advice for sensitive data:
1. Don’t store unnecessarily2. Encrypt appropriately (e.g., large keys if long term)3. Use known strong encryption algorithms4. Manage passwords properly5. Disable auto-completion on forms, disable caching
RegulationIf you manipulate or store user data you have (legal)responsibilities for managing it properly. For example:
É DPA UK Data Protection ActÉ organisations must register and data must be kept
“safe and secure”. The ICO prosecutes and fines.É GDPR came into EU state laws 2018.É breaches notified, rights of erasure, data portability
É Finance: Payment Card Industry Data SecurityStandard (PCI-DSS)É requirements for anyone who processes card dataÉ larger merchants are audited
É Health: HIPPA (in the US)
Given the scale and frequency of data lossage,regulation/enforcement increasing. (Expect securitycompanies to push for and profit from this.)
Outline
Overview
Sensitive Data
External Entities
Deployment
Cross-site Request Forgery (CSRF)
Redirects
Summary
XML External Entities (XXE)
É Web applications process XML documents which cancontain external references given as URIs.É XML processors may obey these without restriction.É Attacker may be able to upload/control files
Examples were known at least since 2002, exploitsbecame common around 2014.
Defences: use more restrictive and specific formats forexchanging data, take care with deserialisation;configure DTD and XML processors to validatedocuments, enable security checks, prevent externalentity processing.
See the OWASP Cheat Sheet for some library specificadvice.
DTD external entity
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
Other references could be an internal server:
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>
or DoS with endless stream
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
XML bomb: A billion laughs
Nasty attacks are also possible without loading externalentities:
<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]><lolz>&lol9;</lolz>
See the Wikipedia entry.
Outline
Overview
Sensitive Data
External Entities
Deployment
Cross-site Request Forgery (CSRF)
Redirects
Summary
Security MisconfigurationThe whole web app stack must be secured (Q. Why?)
É Make sure up to date wrt security patchesÉ OS, Web/App Server, DBMS, app framework, libs. . .
É Disable unnecessary featuresÉ Default accounts, demo pages, debug interfaces
É Use minimum privilegeÉ Separate concerns, ACLs per component/app
É Ensure error handling doesn’t expose infoÉ Have a repeatable security config processÉ An app-specific checklist to work throughÉ Uniform config for devel, QA, deployment
É Have a automated checking processÉ Ensure configuration security
Part 2 of the coursework asks you to fix some security configurationissues.
Inherited vulnerabilities
Big cause of real-life vulnerabilities:patch was available but not installed
É Need to stay up-to-dateÉ Can be harder than might be hopedÉ no unique clearing house (but CVE, NVD v.~good)É unsatisfiable compatibility dependencies
É Future: expect to see more automated tools
Outline
Overview
Sensitive Data
External Entities
Deployment
Cross-site Request Forgery (CSRF)
Redirects
Summary
Cross Site Request Forgery (CSRF) (A8)
É Exploits browser’s trust relationship with a web siteÉ local intranet web site (home router admin, . . . )É banking or email site user is logged intoÉ browser is authorized to connect here
É Attacker triggers malicious actionÉ get user to open malicious linkÉ browser undertakes action on target site
Question. How does CSRF differ from XSS?
CSRF in pictures
CSRF in code
Alice is logged in to the (hypothetical) GeeMail webmail system.
She sends an email with this form:
<formaction="http://geemail.com/send_email.htm"method="GET">Recipient’s Email address: <inputtype="text" name="to">
Subject: <input type="text" name="subject">Message: <textarea name="msg"></textarea><input type="submit" value="Send Email">
</form>
Example GET request
Which sends a request like this:
http://geemail.com/send_email.htm?to=bob%40example.com&subject=hello&msg=What%27s+the+status+of+that+proposal%3F
Attacker’s cross-site request
Now Mallory just needs Alice to visit a site which loadsan image link, e.g., by putting a fake image on his ownblog:
<img src="http://geemail.com/send_email.htm?to=charliegeemail.com&subject=Hi&msg=My+email+address+has+been+stolen">
and Alice’s browser will send an Email!
Confused Deputy problem
CSRF is a case of the Confused deputy problem.
The issue motivates the use of capabilities.
See The Confused Deputy by Norm Hardy, ACM SIGOPS OperatingSystems Review, 1988. Picture credit: FP7 project Serscis>
Avoiding CSRF problems
In general: tricky. Need some way to assure the servercode that the request has come from intended place.
É Referer header not tamper proof, may be absentÉ Session ID cookie sent based on destinationÉ The Same Origin Policy restricts client-side code
Best strategy (as a web developer): use a goodframework that provides built-in protection.
But how do they work?
É Don’t use GET for any (sensitive) state changeÉ basic starting point
É Use a “double cookie” trick, repeated in POSTÉ set a secure secret session ID in a cookieÉ submit it in cookie and hidden field on formÉ server-side, check fields identical
É Use a special CSRF token in POSTÉ secure random number (challenge) for each loginÉ send this with POST and check server-sideÉ save state: generate using hmac from session ID
See Robust defenses for cross-site request forgery, Barth et al, ACMCCS 2008.
Same-origin Policy (browser-side isolation)
The same-origin policy is a now standard browser-sidemechanism to protect simultaneously running webapplications from one another.
It restricts access to:
É DOM (i.e., representation of the document)É APIs for web access (XMLHttpRequest)É Cookies, HTML5 local storage APIs
to pages from the same domain, i.e., protocol-host-port.
JavaScript code can override the defaults by performinglimited manipulation of document.domain.
Browser sandboxing enhances this (e.g., in Chrome,separate tabs/frames run in separate processes).
Access control: Cross-Origin Resource SharingModern browsers provide XMLHttpRequest JS API.
É script code sends messages back to the originatingsite, receives XML (or JSON, HTML, etc).
The same-origin policy became too restricted leading tohacks and workarounds and drafts for improvementincluding Cross-Origin Resource Sharing (CORS).
CORS uses new HTTP headers to allow responses toindicate that they can be shared, for example:
Access-Control-Allow-Origin: http://www.example.com
or
Access-Control-Allow-Origin: *
See the messaging standard part of HTTP for links to details.
Outline
Overview
Sensitive Data
External Entities
Deployment
Cross-site Request Forgery (CSRF)
Redirects
Summary
Leaving HP
Unvalidated redirects and forwards (2013 A10)
Web apps often allow redirections which
É send users off-site with a polite messageÉ reroute them immediately
http://www.example.com/redirect.jsp?url=www.disney.com
or forwards which
É redirect internally to different parts of the same site
http://www.example.com/login.jsp?fwd=admin.jsp
Question. What’s the security concern here?
Giving attackers legitimacy
É Attackers can craft URLs that fool users:www.example.com/redirect.jsp?url=www.evilhacker.com
These kind of open redirect links are favourites forphishing attacks, especially as ultimate destinations canbe concealed in URL encodings.
However, this may not directly harm www.example.com.
So, preventing open reirects is a typical example of acommunity wide desirable security measure (like oldercases in network security: open mail relays, ICMPbroadcast, etc.): good practice of all provides securityfor others.
Avoiding redirects and forwards
1. Don’t use them2. Use them but not with user-supplied parameters.3. If user-supplied parameters must be used, use an
indirection (index value)
Another solution is to do the generation (& validation) ofexternal links statically.
Question. Why is static generation of external links stillnot bullet-proof?
Outline
Overview
Sensitive Data
External Entities
Deployment
Cross-site Request Forgery (CSRF)
Redirects
Summary
Review questions
Authorization
É How might you design a web based admin front-endto a database server, supposing that the serverprovides a collection of databases and its own notionof user and authorization?
Redirection
É What is an open redirect in a web application andwhy is it undesirable?
Handling sensitive data
É Describe three ways that a web applicationprogramming flaw might result in stored private userdata being leaked.
CSRF
É Draw a picture showing how a CSRF attack mightwork against an online banking user. What might anattacker be able to do?É What does a defence mechanism against CSRF need
to be able to do?
Deployment
É Give three recommendations for securing thedeployment environment (server, database,application framework) for a web app.
References
This lecture contained material from:
É the OWASP Top 10É The Tangled Web: a Guide to Securing Modern Web
Applications by Michal Zalewski, No Starch Press,2012.
as well as research papers and other sources cited.
Related Documents
![Ricoh...] S]c]!]R]H ò µ ]?]U]#]!] S ¹ µ\Ø í \Ø ¢ ò ª \Ø Ä \Á\ü U\¼\ P á\Ø à \Ñ ! W] S\ü õ ·\Á\É 9 ë Å n\ô b\é\ Ç Á!\Ø ¼ B\ì\Ø\Ï\¹\ô ½ Ð \Ø Ä](https://static.cupdf.com/doc/110x72/5f7659def8236d2ef224c783/ricoh-scrh-u-s-u.jpg)
![Ø])] ]+] ]R]!]0 - Yokohama · 2019. 6. 24. · u O C 0 ç »\Õ & _\Á\É W ï Ó]0] ]T\Ø ¼ S ç ÷]!]B]d]! B P . S \î S \Ø\é\Ø < C\Ø Ò n \Ø ï \¶ \Õ\Ô\ó\Ô\® l S ¶](https://static.cupdf.com/doc/110x72/5fc7c780bfa7b913e2026ee2/-r0-yokohama-2019-6-24-u-o-c-0-w-0.jpg)
![図解資料 - Amazon S3 · 2014-10-30 · ïÕÆ ³ ð é 6 [ A c 9 a ; ] A a E é # þ Í é é é é é ø:< # ¡r dH + _ ø] ó é é é é ! & ó - ó ú ò d< d ,) » ( é é](https://static.cupdf.com/doc/110x72/5e45ededbc656207500ecb7b/ee-amazon-s3-2014-10-30-6-a-c-9-a-a-a-e-.jpg)
