
The OWASP Foundation

http://www.owasp.org

Why hackers don't care about your firewall


Seba Deleersnyder
seba@owasp.org

Sebastien Deleersnyder?

5 years developer experience
11 years information security experience

Managing Technical Consultant SAIT Zenitel

Belgian OWASP chapter founder


OWASP board member www.owasp.org

Co-organizer www.BruCON.org

OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.

Myth
We are secure because we have a firewall
75% of Internet vulnerabilities are at the web application layer *

*Gartner Group (2002 report)


Source: Jeremiah Grossman, BlackHat 2001

20th century technology

Security evolution?

Source: Gunnar Peterson (Arctec Group)



A firewall friendly protocol =

a skull friendly bullet (Bruce Schneier)

Your security perimeter has huge holes at the application layer


Application Layer: Legacy Systems, Human Resources, Web Services, Directories, Databases
Custom Developed Application Code <- APPLICATION ATTACK
Network Layer: App Server, Web Server, Hardened OS, Firewall

You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Billing

Firewall

OWASP Top 10

A1 Injection
Injection means Tricking an application into including unintended commands in the data sent to an interpreter

Interpreters take strings and interpret them as commands: SQL, OS shell, LDAP, XPath, Hibernate, etc.
SQL injection is still quite common
Many applications are still susceptible (really don't know why)
Even though it's usually very simple to avoid

Typical Impact

Usually severe. Entire database can usually be read or modified May also allow full database schema, or account access, or even OS level access

Example: SQL injection attack


Diagram: User -> (https) -> Web Server -> Application Server -> User Database

Select user_information from user_table where username='<input username>' and password='<input password>'

Select user_information from user_table where username='' or 1=1 -- ' and password='abc'
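The login lookup above, written both ways as an added example (not code from the deck): the concatenated query that the `' or 1=1 --` input breaks, next to the parameterized form that treats the same input as plain data. The in-memory SQLite table and the single user in it are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample user table; in a real system this is the user_table
    # behind the login form.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table "
                 "(username TEXT, password TEXT, user_information TEXT)")
    conn.execute("INSERT INTO user_table VALUES ('alice', 's3cret', 'alice@example.com')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: attacker-controlled text becomes part of the SQL
    # command, so a quote closes the literal and "--" comments out the rest.
    sql = ("SELECT user_information FROM user_table WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    # Parameterized query: the driver sends the values separately from the
    # command text, so quotes and comment markers in the input are just data.
    sql = "SELECT user_information FROM user_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()
```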

RockYou?
December 2009

Result:
data of 32.603.388 users and administrative accounts was compromised (credentials + clear text passwords)
the data also contained email addresses and passwords for 3rd party sites
a hacker used SQL injection techniques to hack the database of RockYou
RockYou creates applications for MySpace, Facebook, ...

Question: how many of those users use the same password for other sites too?

A2 Cross-Site Scripting (XSS)


Occurs any time raw data from an attacker is sent to an innocent user's browser

Raw data
Stored in database
Reflected from web input (form field, hidden field, URL, etc.)
Sent directly into rich JavaScript client
Virtually every web application has this problem
Try this in your browser: javascript:alert(document.cookie)

Typical Impact
Steal user's session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
Most severe: install an XSS proxy which allows the attacker to observe and direct all users' behavior on the vulnerable site and force users to other sites
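Added example (not from the deck) of the one control that stops the raw data above from reaching the browser as code: output encoding for the context it is written into. The comment text and the hostile author name are constructed sample input.

```python
import html

# Constructed "raw data" an attacker could store in a comment field.
RAW_COMMENT = "<script>alert(document.cookie)</script>"
RAW_AUTHOR = 'bob" onmouseover="alert(1)'

def render_comment_unsafe(author, text):
    # Raw data inserted straight into the page: the browser runs the script
    # and the author string breaks out of the title attribute.
    return '<p title="' + author + '">' + text + '</p>'

def render_comment_safe(author, text):
    # Encode for each output context. quote=True also encodes ' and " so the
    # value cannot terminate the attribute it is placed in.
    return ('<p title="' + html.escape(author, quote=True) + '">'
            + html.escape(text, quote=True) + '</p>')
```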

XSS = Cross-site Scripting


Web application vulnerability
Injection of code into web pages viewed by others

XSS = new buffer overflow

Javascript = new Shell Code

XSSED.ORG

Still not fixed (with redirection): http://www.google.com/search?btnI&q=allinurl:http://www.xssed.com/



Browser Exploitation Framework

A3 Broken Authentication and Session Management

HTTP is a stateless protocol
Means credentials have to go with every request
Should use SSL for everything requiring authentication
Session management flaws
SESSION ID is used to track state since HTTP doesn't, and it is just as good as credentials to an attacker
SESSION ID is typically exposed on the network, in the browser, in logs, ...

Beware the side-doors


Change my password, remember my password, forgot my password, secret question, logout, email address, etc.

Typical Impact

User accounts compromised or user sessions hijacked

Session Fixation Attack

A4 Insecure Direct Object References


How do you protect access to your data?
This is part of enforcing proper authorization, along with A7 Failure to Restrict URL Access
A common mistake
Only listing the authorized objects for the current user, or
Hiding the object references in hidden fields
and then not enforcing these restrictions on the server side
This is called presentation layer access control, and doesn't work
Attacker simply tampers with the parameter value

Typical Impact
Users are able to access unauthorized files or data

Insecure Direct Object References Illustrated


Attacker notices his acct parameter is 6065 ?acct=6065

https://www.onlinebank.com/user?acct=6065

He modifies it to a nearby number ?acct=6066

Attacker views the victim's account information

A5 Cross Site Request Forgery (CSRF)


Cross Site Request Forgery
An attack where the victim's browser is tricked into issuing a command to a vulnerable web application
Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, ...) with each request
Imagine
What if a hacker could steer your mouse and get you to click on links in your online banking application?
What could they make you do?

Typical Impact
Initiate transactions (transfer funds, logout user, close account)
Access sensitive data
Change account details
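Added example (not from the deck) of the standard defence for the attack just described: a per-session synchronizer token that the legitimate page embeds in its form and the server requires on every state-changing POST. Because the browser only adds the session cookie automatically, a request forged from another site cannot supply the token. The Session class and the transfer handler are constructed stand-ins for a real framework.

```python
import hmac
import secrets

class Session:
    """Constructed minimal server-side session for the example."""
    def __init__(self, user):
        self.user = user
        # Unpredictable token, generated once per session and kept server-side.
        self.csrf_token = secrets.token_urlsafe(32)

def render_transfer_form(session):
    # The token travels in the page body, which another origin cannot read
    # (same-origin policy), so only our own page can build a valid POST.
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="to"><input name="amount">'
            '<input type="submit"></form>' % session.csrf_token)

def handle_transfer(session, form):
    """Process POST /transfer; returns (status, message)."""
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing or guessed token is rejected even
    # though the session cookie (and so `session`) is perfectly valid.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s to %s on behalf of %s" % (
        form["amount"], form["to"], session.user)
```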

CSRF Illustrated


CSRF Illustrated

Good Saturday for Orkut Users


A6 Security Misconfiguration
Web applications rely on a secure foundation
All through the network and platform
Don't forget the development environment
Is your source code a secret?
Think of all the places your source code goes
Security should not require secret source code
Configuration management must extend to all parts of the application
All credentials should change in production

Typical Impact
Install backdoor through missing network or server patch
XSS flaw exploits due to missing application framework patches
Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration

Security Misconfiguration Illustrated

Diagram: business functions (Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Administration, Transactions, Accounts, Finance) built on Custom Code, App Configuration, Framework, App Server, Web Server, Hardened OS and Database, with Development, QA Servers, Test Servers, Source Control and the Insider around them

Serving up malware

A quick Google Safe Browsing search of TechCrunch Europe's site shows suspicious activity twice over the last 90 days. "Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent." (Sep 2010)

Reason: unpatched WordPress


A7 Failure to Restrict URL Access


How do you protect access to URLs (pages)?
This is part of enforcing proper authorization, along with A4 Insecure Direct Object References
A common mistake
Displaying only authorized links and menu choices
This is called presentation layer access control, and doesn't work
Attacker simply forges direct access to unauthorized pages

Typical Impact
Attackers invoke functions and services they're not authorized for
Access other users' accounts and data
Perform privileged actions

Failure to Restrict URL Access Illustrated


Attacker notices the URL indicates his role /user/getAccounts

https://www.onlinebank.com/user/getAccounts

He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts

Attacker views more accounts than just their own
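Added example (not from the deck) covering both the A4 and A7 illustrations above: a request handler for the onlinebank.com URLs that enforces authorization server-side, so changing `acct=6065` to `6066` or `/user/` to `/admin/` gets a 403 instead of another user's data. The account table, the user roles and the handler itself are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account ownership and user roles, held server-side.
ACCOUNTS = {6065: {"owner": "attacker", "balance": 120},
            6066: {"owner": "victim", "balance": 9800}}
ROLES = {"attacker": "user", "victim": "user", "ops": "admin"}

def handle(session_user, url):
    """Serve a request for the authenticated session_user; returns (status, body)."""
    parts = urlparse(url)
    path, params = parts.path, parse_qs(parts.query)
    role = ROLES.get(session_user, "anonymous")

    # A7: the role is taken from the server-side session, never from the
    # directory name in the URL.
    if path.startswith("/admin/") and role != "admin":
        return 403, "admin role required"

    # A4: every object reference is checked against the owner recorded
    # server-side, whatever acct= value the client supplied.
    if path == "/user":
        try:
            acct = int(params.get("acct", [""])[0])
        except ValueError:
            return 400, "bad acct parameter"
        record = ACCOUNTS.get(acct)
        if record is None or record["owner"] != session_user:
            return 403, "acct %d is not owned by %s" % (acct, session_user)
        return 200, record

    if path == "/user/getAccounts":
        return 200, sorted(a for a, r in ACCOUNTS.items() if r["owner"] == session_user)
    if path == "/admin/getAccounts":
        return 200, sorted(ACCOUNTS)
    return 404, "no such page"
```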

A8 Insecure Cryptographic Storage


Storing sensitive data insecurely

Failure to identify all sensitive data
Failure to identify all the places that this sensitive data gets stored
Databases, files, directories, log files, backups, etc.
Failure to properly protect this data in every location

Typical Impact

Attackers access or modify confidential or private information
e.g., credit cards, health care records, financial data (yours or your customers')
Attackers extract secrets to use in additional attacks
Company embarrassment, customer dissatisfaction, and loss of trust
Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance
Business gets sued and/or fined

Encrypt customer data?

Customer data of 77 million users compromised (potentially credit cards as well)


A9 Insufficient Transport Layer Protection

Transmitting sensitive data insecurely

Failure to identify all sensitive data
Failure to identify all the places that this sensitive data is sent
On the web, to backend databases, to business partners, internal communications
Failure to properly protect this data in every location

Typical Impact

Attackers access or modify confidential or private information
e.g., credit cards, health care records, financial data (yours or your customers')
Attackers extract secrets to use in additional attacks
Company embarrassment, customer dissatisfaction, and loss of trust
Expense of cleaning up the incident
Business gets sued and/or fined

Still not using SSL?


A10 Unvalidated Redirects and Forwards


Web application redirects are very common
And frequently include user-supplied parameters in the destination URL
If they aren't validated, an attacker can send the victim to a site of their choice
Forwards (aka Transfer in .NET) are common too
They internally send the request to a new page in the same application
Sometimes parameters define the target page
If not validated, an attacker may be able to use an unvalidated forward to bypass authentication or authorization checks

Typical Impact
Redirect victim to phishing or malware site
Attacker's request is forwarded past security checks, allowing unauthorized function or data access
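Added example (not from the deck) of validating a user-supplied redirect parameter before using it: only local paths and https URLs to an explicitly allow-listed host are accepted, and the scheme-relative, malformed-scheme, javascript: and backslash variants that browsers still follow are all sent to a safe default. The allow-listed host is a constructed placeholder.

```python
from urllib.parse import urlparse

# Constructed allow-list: the only external host this site will send users to.
ALLOWED_HOSTS = {"partner.example"}

def safe_redirect_target(target, default="/"):
    """Return target if it is a local path or an allow-listed https URL, else default."""
    if not target:
        return default
    # Several browsers treat "\" like "/", so normalise before parsing.
    candidate = target.strip().replace("\\", "/")
    parts = urlparse(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host") URL: allow only https to a
        # listed host. parts.hostname ignores any "user@" prefix, so
        # "https://partner.example@evil.test/" is judged by evil.test.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return candidate
    # No scheme and no host: must be a single-slash absolute local path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```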

Jobs by CNN?

http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cPXW


Download

http://www.owasp.org/index.php/Top_10

CAN WE WIN THE WAR ON INSECURE SOFTWARE?

Enter the rest of OWASP

People: Education, Guides (build, test, code review), Events, ...

Tools: WebGoat, WebScarab, ESAPI, ...

Process: Requirements list, CLASP, SAMM, ...

Software Assurance Maturity Model (SAMM)

SAMM Security Practices


The Security Practices cover all areas relevant to software security assurance

Each one is a silo for improvement

Build Your Roadmap

Gap analysis: capturing scores from detailed assessments versus expected performance levels

Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out

Ongoing measurement

To make the building blocks usable, SAMM defines Roadmap templates for typical kinds of organizations

OWASP Projects Are Alive!



www.owasp.org


OWASP NEAR YOU


Upcoming local events



OWASP Chapter meetings:
23-May - Brussels: The Ghost of XSS Past, Present and Future: A Defensive Tale (by Jim Manico, Infrared Security)
16-Jun - Brussels: The OWASP AppSensor Project (by Colin Watson, Watson Hall Ltd); How to become Twitter's admin: An introduction to Modern Web Service Attacks (by Andreas Falkenberg, RUB)

OWASP AppSec Europe, Dublin, Jun 7-9
BruCON, Brussels, Sep 19-22
OWASP BeNeLux, Luxembourg, Nov-30/Dec-1

Subscribe mailing list

www.owasp.be Keep up to date!


Want to support OWASP?


Become a member, annual donation of:

$50 Individual
$5000 Corporate

enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global steering activities
