Top Banner
Web Application Security Guillermo Pérez [email protected] BE arch & Security Lead Eng. bcndevcon 2011
78

Tuenti: Web Application Security

May 10, 2015

Download

Technology

Tuenti

Tuenti is an always growing web application, constantly adding services and applications, with two or more releases per week, a lot of branches per release, 100+ engineers hacking code and keeping hundreds of servers running. Dealing with security in such an environment is a tough challenge from different perspectives.

On this talk we will explain how we keep security levels high, the most common attacks and good practices that might help you make your web applications safer. Also, some insight in how security is understood across the whole company (legal, user support, engineering) will be given, as it is crucial for us to have top knotch incident response.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Tuenti: Web Application Security

Web Application SecurityGuillermo Pérez

[email protected] arch & Security Lead Eng.

bcndevcon 2011

Page 2: Tuenti: Web Application Security

in web app security

Things to deal with...

Page 3: Tuenti: Web Application Security

Web App security● Anonymous attackers● Worldwide access● Shared environment for all users● Easy distribution, profitable● On top of all other components security:

○ Network security○ OS security○ Server software security○ Social Engineering○ Even more! browsers, plugins, virus, user computer

security, shared computers, open wifis...

Page 4: Tuenti: Web Application Security

How to achieve it?

Page 5: Tuenti: Web Application Security

Web App security

Humans (developers) are the bigger risk

Give tools, frameworks & policies so no developer has to ever think how to secure up things. Should be clear and the easiest path.

But there is no perfect security...

Page 6: Tuenti: Web Application Security

Top risks?

Page 7: Tuenti: Web Application Security

Top 10 security issues in webappsFrom OWASP (risks != frequency)

1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 8: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 9: Tuenti: Web Application Security

1. Injection flaws

Trick services to execute unintended commands to gain control or access unauthorized data. ● Several types:

○ SQL○ OS execution○ LDAP○ XPath○ NoSQL○ uploads

Page 10: Tuenti: Web Application Security

1. Injection flaws● Explotability: EASY● Prevalence: COMMON● Detectability: AVERAGE● Impact: SEVERE

● Prevention:○ Keep untrusted data separate from commands

● How:○ Use safe, parametrized apis vs writting code to be

executed by interpreter.○ Escape special chars depending on interpreter.○ Data cast, whitelist input validation.

Page 11: Tuenti: Web Application Security

1. Injection flaws: SQL● http://example.com/?id=' or '1'='1● Explicit cast, escaping IN-PLACE

○ mysqli_escape_string()○ ...

● Use prepared statements○ Provides data separation○ Client-side implementations (PDO)○ SELECT * FROM table where id=?

● Use safe apis for query generation○ $mysqlService->select($table, $pk, $fields,

$where...)● Safe ORM framework

○ $storage->read($keys);

Page 12: Tuenti: Web Application Security

1. Injection flaws: OS

● Don't use OS execution :)● Escape

○ escapeshellarg

Page 13: Tuenti: Web Application Security

1. Injection flaws: uploads

● Don't put them on public folder● Don't use user-provided data for names● Whitelist extensions● Validate content● Store separately from app (DB, separate

servers)● Ensure write permissions are the minimum

possible

Page 14: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 15: Tuenti: Web Application Security

2. XSS

Trick services to return browser-executable code to user/s. ● Several classifications:

○ Breaking context vs sub-context○ Persistant vs non-persistent○ Traditional vs DOM

Page 16: Tuenti: Web Application Security

2. XSS● Explotability: AVERAGE● Prevalence: WIDESPREAD● Detectability: EASY● Impact: MODERATE

● Prevention:○ Escape untrusted data depending on context○ HTTP-Only Cookie mitigation is useless

● How:○ Escape everything (even safe vars)○ Escape in TEMPLATES (context aware)○ Other (URL params) in specialized safe apis○ Unit test

Page 17: Tuenti: Web Application Security

2. XSS: Classification by context

● Breaking context:○ <a href="?id<?=$_GET['id']?>">○ "<script> ...○ Easy to detect & test

■ Unit-test templates with all injections for all vars and validate html

● Non breaking context:○ <a href="<?=$_GET['url']?>">○ javascript: ...○ HARD TO DETECT

Page 18: Tuenti: Web Application Security

2. XSS: Classification by persistance● Persistant

○ Data gets stored in DB○ Users will be hit by regular navigation○ Easier to test (templates)

● Non persistant○ A request with some params returns XSS○ Users need to be trick to navigate into the malicious

link○ More frequent (No results for 'blah')○ Somewhat harder to test (cover error messages,

non-template based responses)

Page 19: Tuenti: Web Application Security

2. XSS: Classification by mode

● Traditional○ Just by exploiting browser parsing○ Easy to test

● DOM○ Cheating on JS

■ data from server injected in DOM● Use innerText

● Do not compose html in JS

■ parsing data from uri, forms as 'safe'○ Pretty hard to test. Avoid missuse, provide safe apis.

Page 20: Tuenti: Web Application Security

2. XSS

@tuenti● Escape on templates● Escape everything, even what doesn't need

to be escaped:○ <?=View::escape_unsafe($html)?>

● Link generation framework● Tests for templates, controllers

Page 21: Tuenti: Web Application Security

2. XSS: HTML● Never put untrusted data in:

○ <script> contents○ HTML comments○ tag/attribute names○ <style> contents

● Contexts: Content, attributes, url params, urls, js...

● Rich formating○ Use alternative markup lang

■ Markdown■ Textile

○ Filter HTML (white listing, carefull!!!)

Page 22: Tuenti: Web Application Security

2. XSS: JS

● Encode with \xNNN (\" might break HTML that is parsed before)

● Prefer reading values from dom● URL pieces are not safe● Beware of double context: setInterval('...'),

eval()

Page 23: Tuenti: Web Application Security

2. XSS: JSON

● Easy to escape (single context)● Can put the load on the browser (harder to

test)● Avoid mixing contexts (json on html, or json

with/for html)● Eval json as js can trigger js execution

○ Safe, full json encoding in server (never use half-baked json templates!!!)

○ Use the slow json-parse.js vs json.js regexp validation

● Be aware of context. content-type!

Page 24: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 25: Tuenti: Web Application Security

3. Auth & Session

Attack authentication and sessions to gain control over an account. ● Passwords● Session issues

Page 26: Tuenti: Web Application Security

3. Auth & Session

● Explotability: AVERAGE● Prevalence: COMMON● Detectability: AVERAGE● Impact: SEVERE

● Prevention:○ SSL, good session handling, detect auth brute force,

avoid plain text passwords, strong password recovery, user sessions control (logout, history, close all), detect anomalous login patterns...

Page 27: Tuenti: Web Application Security

3. Auth & Session● Passwords

○ Use SSL or digest auth○ Enforce good passwords, rotation○ Store passwords securely (constant time salted

hashes)○ fight phising (easy URL, educate users)

● Authentication○ Don't make distintions between bad login / password○ Reset to hide real logins, time-limited tokens, old

password invalidate resets○ Detect brute force, lock accounts○ Watch misconfigurations○ Specially on admin, secondary platforms

Page 28: Tuenti: Web Application Security

3. Auth & Session

● Sessions○ Random Ids, >= 128 bit○ Use SSL○ Use secure=yes, httponly for cookies○ No session fixation○ No session ids in URLs○ Change session id on priviledge scalation or switch

between http->https○ Expiration○ Offer logout, history, close all○ Do not send cookies to CDNs, non-principal sites

Page 29: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 30: Tuenti: Web Application Security

4. Direct object references

Apps usually map backend objects to URLs. An attacker might bypass privacy and authentication by accessing directly to resources if don't do the appropiate checks. ● Trusted params● Images

Page 31: Tuenti: Web Application Security

4. Direct object references

● Explotability: EASY● Prevalence: COMMON● Detectability: EASY● Impact: MODERATE

● Prevention:○ Properly check privacy on all objects○ Good policy on where to put the privacy check○ Do not trust params. Sign params is an option○ Hide real db keys (show pos X in search Y, /me)○ Make urls hard to guess

Page 32: Tuenti: Web Application Security

4. Direct object references

Sounds stupid......but happens!

Page 33: Tuenti: Web Application Security

4. Direct object references

● Never check privacy on controllers● Never check privacy on storage layer● Privacy in backend api methods

○ With entry point documentation○ Clear responsibility for privacy!○ Most of the time implicit with good api design○ Good performance○ Easy to use privacy framework

Page 34: Tuenti: Web Application Security

4. Direct object references

● Documentation/* * @epoint-changes-state YES * @epoint-privacy-control IMPLICIT * - Only deletes current user tag if exists. * @epoint-summary Deletes the current user's tag on a photo *... */public function deleteMyTag($photoKey) { $userId = CurrentUser::getId(); ...

Page 35: Tuenti: Web Application Security

4. Direct object references

● Privacy framework api○ TPrivacy::hasAnyOf / hasAllOf○ + Privacy providers

if (TPrivacy::hasAnyOf( CurrentUser::getId() == $photoOwner, array('TagApi', TagApi::IS_TAGGED, $photoKey), array('... ... )) {

Page 36: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 37: Tuenti: Web Application Security

5. CSRF

Cross site request forgery [CSFR in tuenti :)]

Trick a authenticated user to submit requests to a service and do actions without consent. The browser will send the cookies and the request might look legit. ● Image tags (get)● Forms (post)● ...

Page 38: Tuenti: Web Application Security

5. CSRF

● Explotability: AVERAGE● Prevalence: WIDESPREAD● Detectability: EASY● Impact: MODERATE

● Prevention:○ Require a non-predictable token param on all

actions that modify state○ Use POST for all actions that modify state○ Use custom header in ajax requests○ Check Origin header when available!!!

Page 39: Tuenti: Web Application Security

5. CSRF

@tuenti:● Before was check when using a post param

○ Default values caused us issues● Now explicit annotation on controllers

○ @ChangesState● Evangelize developers

Page 40: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 41: Tuenti: Web Application Security

6. Security misconfiguration

Missing security updates, open proxies, open ports, default accounts, directory listing, forgotten hardening...

Page 42: Tuenti: Web Application Security

6. Security misconfiguration

● Explotability: EASY● Prevalence: COMMON● Detectability: EASY● Impact: MODERATE

● Prevention:○ Develop install & configuration procedures○ Document services and subscribe to updates○ Hide services versions when possible○ Separate components to minimize risks

Page 43: Tuenti: Web Application Security

6. Security misconfiguration

@tuenti:● we are big >1k servers

○ + possibilities for some issue● But...

○ We use config management (pupet)○ Good deployment procedures, documentation○ Very isolated services○ Few generic web components○ Good systems team

Page 44: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 45: Tuenti: Web Application Security

7. URL access

Attacker guesses URLs that lead to functionality, information.

Page 46: Tuenti: Web Application Security

7. URL access

● Explotability: EASY● Prevalence: UNCOMMON● Detectability: AVERAGE● Impact: MODERATE

● Prevention:○ Deny by default○ Deploy by selection

Page 47: Tuenti: Web Application Security

7. URL access

@tuenti● Good deploy system● Splited environments for production and dev● Most non-public services restricted to vpn +

centralized auth

Page 48: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 49: Tuenti: Web Application Security

8. Unvalidated redirects

Use a service redirect to trick users into clicking on a link (belongs to valid service) and achieve more effective phising/virus downloads/revenue.

Page 50: Tuenti: Web Application Security

8. Unvalidated redirects

● Explotability: AVERAGE● Prevalence: UNCOMMON● Detectability: EASY● Impact: MODERATE

● Prevention:○ Don't expose destination URL as param, use

references to a white list○ Ensure end URLs are safe (Safe search, user

reporting tools...)

Page 51: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 52: Tuenti: Web Application Security

9. Insecure crypto storage

Some data is sensible enought to require being stored encripted/hashed, to protect it from being stolen. Unsalted hashes might be exploitable, backups might contain keys or cleartext, services might expose decrypt mecanisms, internal attacks might have access to keys.

Page 53: Tuenti: Web Application Security

9. Insecure crypto storage

● Explotability: DIFFICULT● Prevalence: UNCOMMON● Detectability: DIFFICULT● Impact: SEVERE

● Prevention:○ Keep backups encripted, don't store keys on same

place.○ Use salted hashes and constant time hashes○ Ensure keys are protected○ Don't offer full info (credit card XXXX 1234)

Page 54: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection

Page 55: Tuenti: Web Application Security

10. Transport layer protection

An attacker might sniff traffic of your users to steal sessions to retrieve data, do spam...

Page 56: Tuenti: Web Application Security

10. Transport layer protection

● Explotability: DIFFICULT● Prevalence: COMMON● Detectability: EASY● Impact: MODERATE

● Prevention:○ Ensure to use SSL on all requests & resources

loaded.○ Change session ids when switching to https.○ If optional, try to detect shared IPs and auto-enable

on those.

Page 57: Tuenti: Web Application Security

Top 10 security issues in webapps1. Injection2. XSS3. Broken auth, session management4. Insecure direct object references5. CSRF6. Security misconfiguration7. Failure to restrict URL access8. Unvalidated redirects9. Insecure crypto storage

10. Insufficient transport layer protection11. Extras

Page 58: Tuenti: Web Application Security

11. Extras: Cross domain data leak

Ajax is changing the web apps, with js-rich clients that request data.

Beware of exposing JS / JSON user data through GET requests without CSRF tokens/headers! <script> tag is not Cross Domain safe!● Require custom header (needs

XMLhttpRequest) keep using GET● Check origin header

Page 59: Tuenti: Web Application Security

11. Extras: Clickjacking

Trick users to click/copy content on your page (by-passing CSRF) by using a hidden frame● Use Frame-options● Some anti-frame JS (hard)

○ top.location might not be accesible, cause JS error○ redirections might be cancelled○ Best (not pretty):

blank page with link target _blank, if top.location == self.location, add content

Page 60: Tuenti: Web Application Security

11. Extras: Unicode

● Filter special unicode that can break design● UTF encoding might bypass your XSS-filters● UTF url encoding might bypass directory

checks...● NULL code %00 might bypass suffixes

Page 61: Tuenti: Web Application Security

11. Extras: HTTP/Mail Headers

● Are subject to CR/LF injection, leading to○ XSS○ Spam○ redirection○ ...

● Use safe api

Page 62: Tuenti: Web Application Security

11. Extras: People

● People is always the weakest link● Phising

○ Educate○ Good urls○ Design○ Referer analysis○ React

● Self-inflicted JS injection○ Educate○ Filter content, be aware of surges

Page 63: Tuenti: Web Application Security

No input validation?

Page 64: Tuenti: Web Application Security

No input validation?Minimize malformed data, make it match business needs.

NOT as primary method to avoid XSS, injection... ● Rules:

○ SERVER SIDE○ Apply to all (form, url params, cookies, http headers)○ Define whitelists of valid chars○ Define length○ Business on top of that

Page 65: Tuenti: Web Application Security

No input validation?

● Even thought, tuenti has a good validation system:○ Based on annotations on controllers.○ At data layer (storage definition)

● Makes exploits harder● Good practice, clean code● Explicit args in controllers

Page 66: Tuenti: Web Application Security

Other important aspects

Page 67: Tuenti: Web Application Security

Logging, stats, counters

● Very important for security● Stats:

○ Detect issues, patterns to take measures.● Logs

○ Analize issues.● Counters

○ Detect & react to malicious activity

Page 68: Tuenti: Web Application Security

Error handling

● Sanitize error messages, use same templating system

● Do not provide information to users● Control debug mode● Dangers:

○ Log review tools (XSS)○ As payload upload mecanism

Page 69: Tuenti: Web Application Security

Community

● Take care of community!○ Thank security researchers○ Reply fast○ <24h fix policy○ Tipically <2h!○ Hall of FAME!!!

● How to report○ Standard box [email protected] + dns entries○ Regular user support○ Researchers know us

Page 70: Tuenti: Web Application Security

Web Security Future?

Page 71: Tuenti: Web Application Security

Browser XSS protections

● Reflexion XSS protection○ Different implementations IE8, chrome○ Adds issues, new problems○ Non perfect, might improve?

Page 72: Tuenti: Web Application Security

Client side templates

● Data only requests are easier to escape● It's harder to inject data into client-side

templates (only persistent XSS)● Templates might work in DOM mode● SLOW in non recent browsers

Page 73: Tuenti: Web Application Security

Better JS

● More secure mashups○ Google Caja...

● More enterprise JS○ Dart, GWT, Closure, CoffeeScript

Page 74: Tuenti: Web Application Security

Plugins ... Apis ... Browsers

● Flash plugin will die! ● But new HTML5 apis will bring more issues ● Browsers extensions nightmare

Page 75: Tuenti: Web Application Security

Avoid cookies

Using XMLHttpRequest with sid as param, from rich JS apps. Destination domain that does not have cookies. ● Decreases attack vectors on:

○ CSRF○ Click jacking

Page 76: Tuenti: Web Application Security

SSL improvements

● HSTS○ Force SSL○ Certificate pinning

● False start○ -30% handshake latency

Page 77: Tuenti: Web Application Security

Content Security Policy (Mozilla)

● Restricts a lot of attacking vectors○ Forbids inline javascript○ Forbids dynamic js code: eval, setTimeout(<string>)○ Restricts inline data source (can be reverted for

images for example)○ Whitelist sources for each type of content (js, css,

images, ajax...)○ Configures frame permissions better

● Hard to implement in complex sites○ twitter mobile is using it○ Reports issues (to detect attacks, debug/testing

phase)

Page 78: Tuenti: Web Application Security

?

[email protected]

We are hiring!http://jobs.tuenti.com