Common Web Application Vulnerabilities Know Your Enemy

Upload: damien-purks

Post on 14-Dec-2015


Page 1: Common Web Application Vulnerabilities Know Your Enemy

Common Web Application Vulnerabilities
Know Your Enemy

Page 2

Speakers

Jason Chrin – Infrastructure Security

Jonathan Bailer – Code Vulnerability

Lawrence Wolfe – The Human Factor

Page 3

The State of the Internet - 2014

• January
– Target: 70 million contact records stolen
– Michaels: 2.6 million credit cards stolen

• May
– eBay: 223 million customer accounts stolen

• June
– Evernote: DDoS

• September
– Home Depot: 56 million credit cards stolen
– Google: 5 million accounts compromised
– Apple: iCloud hacking

Page 4

Motivations Behind Attacks

Source: Hackmageddon.com

Page 5

SERVER & INFRASTRUCTURE SECURITY

Know Your Enemy

Page 6

Attack Surface

• The sum of all paths for data/commands into and out of the application
• The code that protects these paths
• All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and Personally Identifiable Information
• The code that protects this data

Page 7

Limiting your Attack Surface

Warner Bros. Pictures 2006

Page 8

Limiting your Attack Surface

• Build and maintain a secure network
• Data Security Policies
• Encryption and secure transmission

Page 9

Attack Type 1: Port Scanning

• Attacker attempts to connect to various ports on your networks

• Tries to determine what is open on the network and can be used as an entry vector

Page 10

Firewall – external access

• The front door to your application

• Only open access that is needed

• Only allow ingress from known locations

Page 11

Firewall – internal access

• DMZ
• Network Segmentation
• Application firewalls

Page 12

Attack Type 2: Eavesdropping

Source: owasp.org

Page 13

Data Security

Types of sensitive data
1. Regulated
• Financial Information
• Healthcare Information
2. Unregulated
• Proprietary Information
• Confidential Information

Page 14

How to Handle Your Data

• Securely store data – use encryption
• Only store what data is needed
• Limit access to data
• Encrypted transmission - SSL

Page 15

Attack Type 3: Password Attacks

• Brute force attacks
• Info gained from eavesdropping
• Default credential attempts

Page 16

Secure Access

• Remote access over secure channels
– VPN
– SSL connections

• Authentication
– Unique credentials for each user
– Strong password policy
– Multi Factor Authentication

Page 17

What is MFA?

• Possession Factor – something the user has
• Knowledge Factor – something the user knows
• Inherence Factor – something the user is

Page 18

Logging

• Access logging for system connections
• Application level logging
• Log monitoring software

Page 19

Attack Type 4: Application Layer Attack

• Targets application servers looking for OS or application faults
• Bypasses normal access controls
• Gains elevated privileges

Page 20

Patch Management

• OS Updates
• Application Updates
• AV / Malware Definitions

Page 21

Active Scanning

• Anti-Virus
– Protects against malicious code

• Malware
– Annoyance programs that may offer a back door to attacks

• Intrusion Detection
– Automated monitoring for suspicious activity

• Penetration Testing

Page 22

Attack Type 5: Man in the Middle

Source: 4kcc.com

Page 23

Preventing Man in the Middle

• Use strong encryption for communication
• Segregate production networks

Page 24

Be Diligent

• This is just a start
• New exploits found daily
• Review your logs and procedures
• External auditing

Page 25

CODE VULNERABILITY
Know Your Enemy

Page 26

What does code vulnerability mean?

• Flaw or oversight in an application allowing unauthorized or unintended use

Page 27

Types of code vulnerabilities

• Injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Information leakage

Page 28

Injection - What is it?

• Processing of invalid data changing the course of execution
– Arbitrary modification of data
– Installation of malware
– Privilege escalation
– HTML/Script injection

Page 29

Injection – How does it work?

http://xkcd.com/327/

Page 30

Injection - Example

Page 31

Injection - Example

Page 32

Injection – Types

• SQL Injection
• HTML Script Injection
• Dynamic Evaluation Vulnerability
• Object injection (serialization)
• Remote File Injection
• Shell Injection

Page 33

Injection – Prevention

• Whitelist input

Page 34

Injection – Prevention

• Whitelist input
• Sanitize input

Page 35

Injection – Prevention

• Whitelist input
• Sanitize input
• Parameterization

Page 36

Cross-site Scripting – What is it?

• Injecting client-side script into Web pages viewed by other users

Page 37

Cross-site Scripting – Example

Page 38

Cross-site Scripting – Types

• Non-Persistent
– Query string, post data, etc. (e.g. search results)

• Persistent
– Database or file changes (e.g. comments)

• DOM-based
– Runs entirely in the client

Page 39

Cross-site Scripting - Prevention

• Sanitize user input and output that is based on user-created content

• Top-down testing and analysis of client-side scripts

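The prevention slide above says to sanitize output based on user-created content. As an added example that is not from the original deck, the following renders stored comments (the persistent case from the types slide) both the unsafe way and with context-appropriate output encoding, and shows the separate rule for handing data to client-side script. The sample comments are constructed.

```python
import html
import json

# Constructed sample comments as stored in the database: a benign one, a
# persistent-XSS attempt, and one with characters that are legitimate text
# but significant in HTML.
SAMPLE_COMMENTS = [
    ("alice", "Great talk, thanks!"),
    ("mallory", "<script>alert(1)</script>"),
    ("bob", 'I used "quotes" & <b>tags</b>'),
]


def render_comment_vulnerable(author: str, body: str) -> str:
    """The flaw: stored user content is concatenated straight into markup, so
    the browser parses the comment as HTML and runs any script it contains."""
    return f'<li data-author="{author}">{body}</li>'


def render_comment_safe(author: str, body: str) -> str:
    """The fix: encode for the HTML context at output time. html.escape with
    quote=True is correct for both element text and double-quoted attributes.
    The stored comment stays as the user typed it; only the output changes."""
    return (f'<li data-author="{html.escape(author, quote=True)}">'
            f'{html.escape(body, quote=True)}</li>')


def embed_in_script(value) -> str:
    """Handing server data to client-side script is a different context:
    serialise as JSON and escape the characters that could end the <script>
    element early or start an HTML entity."""
    payload = (json.dumps(value)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return f"<script>var pageData = {payload};</script>"


def render_page(comments) -> str:
    items = "".join(render_comment_safe(a, b) for a, b in comments)
    return "<ul>" + items + "</ul>" + embed_in_script({"count": len(comments)})


if __name__ == "__main__":
    print(render_page(SAMPLE_COMMENTS))
```

Encoding on output rather than on input is what lets bob's legitimate quotes and ampersand survive: the data is stored faithfully and rendered harmlessly. DOM-based XSS, the third type on page 38, is not covered by server-side encoding at all; it needs the same care inside the client-side scripts the slide asks you to test.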
Page 40

Cross-site Request Forgery – What is it?

Causing a user’s browser to perform an unwanted action on a trusted site for which the user is authenticated.

A form of the confused deputy problem.

Page 41

Cross-site Request Forgery – Example

Page 42

Cross-site Request Forgery – Prevention

• Synchronizer token pattern
• Cookie-to-header token

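Both patterns on the prevention slide above rest on the same idea: the browser attaches the session cookie to a cross-site request automatically, but a cross-site page cannot read a secret that the legitimate origin can. The following is an added example, not from the original deck, that implements the two checks against a constructed in-memory session store and hypothetical request handlers; the cookie and header names are the common convention, not something the slides specify.

```python
import hmac
import secrets

# Constructed minimal session store standing in for the framework's own.
SESSIONS = {}


def new_session(user: str) -> str:
    """Create a session with a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    return SESSIONS[sid]["csrf_token"]


def render_transfer_form(sid: str) -> str:
    """Synchronizer token pattern: the server embeds the session's token in
    the form it serves. A page on another origin cannot read this markup."""
    return (f'<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token_for(sid)}">'
            f'<input name="amount"></form>')


def handle_post_synchronizer(cookies: dict, form: dict):
    """Validate the hidden form field against the session's stored token."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(SESSIONS[sid]["csrf_token"], submitted):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')} for {SESSIONS[sid]['user']}"


def handle_post_cookie_to_header(cookies: dict, headers: dict):
    """Cookie-to-header token: the server also sets the token in a cookie that
    is NOT HttpOnly; same-origin JavaScript reads it and copies it into a
    request header. The browser sends the cookie on a forged request too, but
    only same-origin script could have read it to set the header."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not authenticated"
    cookie_token = cookies.get("XSRF-TOKEN", "")
    header_token = headers.get("X-XSRF-TOKEN", "")
    if not (cookie_token
            and hmac.compare_digest(cookie_token, header_token)
            and hmac.compare_digest(cookie_token, SESSIONS[sid]["csrf_token"])):
        return 403, "CSRF token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    sid = new_session("alice")
    forged = handle_post_synchronizer({"session": sid}, {"amount": "100"})
    genuine = handle_post_synchronizer(
        {"session": sid}, {"amount": "100", "csrf_token": csrf_token_for(sid)})
    print("forged:", forged, "| genuine:", genuine)
```

The cookie-to-header variant is only as strong as the origin's freedom from XSS, since script that can run on the site can read the cookie; the synchronizer pattern has the same dependency through the form markup. Either check must be tied to the session, never a global constant.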
Page 43

Information Leakage – What is it?

• Application unintentionally revealing sensitive information
– System/environment configuration
– User information
– etc.

Page 44

Information Leakage – What is it?

• Comments visible in response data
• Overly detailed error information
• Difference in behavior

Page 45

Information Leakage – Example

http://xkcd.com/1354/

Page 46

Information Leakage – Example

http://xkcd.com/1354/

Page 47

Information Leakage - Prevention

• Parse errors before display
• Remove debugging information from production
• Always be aware of what your application’s behavior reveals

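The three leakage channels from page 44 and the three prevention points above are worked through in this added example, which is not part of the original deck: an error handler that keeps the stack trace server-side, a filter for developer comments in responses, and a login check whose response and amount of work are the same whether or not the username exists. The user record and the password hashing scheme are constructed for the demo.

```python
import hashlib
import hmac
import logging
import os
import re
import traceback
import uuid

log = logging.getLogger("app")


def handle_exception(exc: Exception, debug: bool = False):
    """Parse errors before display: the stack trace goes to the server log
    under a reference id, and the client receives only a generic message plus
    that id (so support can find the log entry). Detail is only ever added in
    debug mode, which must be off in production."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s\n%s", ref,
              "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    body = {"error": "internal error", "ref": ref}
    if debug:
        body["detail"] = repr(exc)
    return 500, body


HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)


def strip_html_comments(markup: str) -> str:
    """Comments visible in response data: developer notes do not belong in
    what production serves."""
    return HTML_COMMENT.sub("", markup)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table with one account stored as (salt, hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}
# Dummy record used when the username is unknown, so both paths do the same work.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash_password("dummy", _DUMMY_SALT))


def login_leaky(username: str, password: str):
    """Difference in behavior: distinct messages, and no hash computation for
    unknown users (a timing difference), reveal which usernames exist."""
    if username not in USERS:
        return 401, "no such user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 401, "wrong password"
    return 200, "ok"


def login_uniform(username: str, password: str):
    """Same message and the same amount of work whether or not the user exists."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password, salt), stored) and username in USERS
    return (200, "ok") if ok else (401, "invalid username or password")


if __name__ == "__main__":
    print(handle_exception(ValueError("connection string: db://user:pw@host")))
    print(strip_html_comments("<p>hi</p><!-- constructed dev note: staging host -->"))
    print(login_leaky("nobody", "x"), login_leaky("alice", "x"))
    print(login_uniform("nobody", "x"), login_uniform("alice", "x"))
```

The reference id is the practical compromise between "parse errors before display" and still being able to debug a production incident: the user can quote it, the operator can grep for it, and nothing about the stack or configuration leaves the server.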
Page 48

THE HUMAN FACTOR
Know Your Enemy

Page 49

The Human Factor: Code Review

Source: SmartBear

Page 50

The Human Factor: Code Review

Source: SmartBear

Page 51

The Human Factor: Code Review

What if?

Page 52

The Human Factor: Code Review

What if… one of those bugs is a security vulnerability that exposes customer data?

Page 53

The Human Factor: Code Review

What if… one of those bugs is a security vulnerability that exposes customer data?

Labor + Damages = $$$ Millions? Billions?

Page 54

The Human Factor: Code Review

• Self audit through annotation & peer review
– Fewer defects, better performing code
– Reduces chance of vulnerable code making it to production
– Go from as strong as your weakest link to as good as the best on your team
– Reduce technical debt
– Continuous education

• Tools
– SmartBear Collaborator, Atlassian Crucible

Page 55

The Human Factor: Source Control

Page 56

The Human Factor: Source Control

• Source Control
– Beyond version management and feature development
– Enables code collaboration and vulnerability prevention
– Merge workflow, feature/module branches
– Git - BitBucket, Github + Console, SourceTree, VS

• Automated Builds – Continuous Integration
– Code Standards, Static Analysis
– Reduces potential for introducing insecure configurations
– Empowers team and individual accountability
– Tools: Jenkins, Team Foundation Server, Travis CI (cloud)

Page 57

The Human Factor: Sensitive Data

Page 58

The Human Factor: Sensitive Data

• Obfuscated, Masked and Mock Data
– Limit developer access to production data when possible, e.g. employee, customer and financial data
– Development data sources should not contain real data
– Use mock data for test driven development
– Tools
SQL: redgate SQL Data Generator
ruby: Faker::HipsterIpsum

Page 59

The Human Factor: Modular Dev

Page 60

The Human Factor: Modular Dev

• For large projects and teams, isolate risks with modular development
• Architect for modular development, e.g. SOA, libraries, packages, gems
• Developer only needs access to build specific components

Page 61

The Human Factor: Social Hacking

Page 62

The Human Factor: Social Hacking

• Phishing
– Common behaviors

• Spear Phishing
– Specific target

• Impersonation - “Service Desk”

Page 63

Thank You!
Q&A