Common Web Application Vulnerabilities: Know Your Enemy
Speakers
• Jason Chrin – Infrastructure Security
• Jonathan Bailer – Code Vulnerability
• Lawrence Wolfe – The Human Factor
The State of the Internet - 2014
• January
– Target: 70 million contact records stolen
– Michaels: 2.6 million credit cards stolen
• May
– eBay: 223 million customer accounts stolen
• June
– Evernote: DDoS
• September
– Home Depot: 56 million credit cards stolen
– Google: 5 million accounts compromised
– Apple: iCloud hacking
Motivations Behind Attacks
Source: Hackmageddon.com
SERVER & INFRASTRUCTURE SECURITY
Know Your Enemy
Attack Surface
• The sum of all paths for data/commands into and out of the application
• The code that protects these paths
• All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and Personally Identifiable Information
• The code that protects this data
Limiting your Attack Surface
• Build and maintain a secure network
• Data Security Policies
• Encryption and secure transmission
Attack Type 1: Port Scanning
• Attacker attempts to connect to various ports on your networks
• Tries to determine what is open on the network and can be used as an entry vector
Firewall – external access
• The front door to your application
• Only open access that is needed
• Only allow ingress from known locations
Firewall – internal access
• DMZ
• Network Segmentation
• Application firewalls
Attack Type 2: Eavesdropping
Source: owasp.org
Data Security
Types of sensitive data
1. Regulated
– Financial Information
– Healthcare Information
2. Unregulated
– Proprietary Information
– Confidential Information
How to Handle Your Data
• Securely store data – use encryption
• Only store what data is needed
• Limit access to data
• Encrypted transmission – SSL
Attack Type 3: Password Attacks
• Brute force attacks
• Info gained from Eavesdropping
• Default credential attempts
Secure Access
• Remote access over secure channels
– VPN
– SSL connections
• Authentication
– Unique credentials for each user
– Strong password policy
– Multi Factor Authentication
What is MFA?
• Possession Factor – something the user has
• Knowledge Factor – something the user knows
• Inherence Factor – something the user is
Logging
• Access Logging for system connections
• Application level Logging
• Log monitoring software
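The Password Attacks and Logging slides together describe the defensive loop: log every connection attempt, then let monitoring software pick out brute-force bursts and default-credential probing. The following is an added example, not code from the presentation or its speakers. It runs a simple detector over constructed sshd-style auth lines (the log format, the IP addresses, the five-failures-in-five-minutes threshold and the list of default account names are all assumptions chosen for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not taken from the slides); the line
# format is an assumption, modelled on typical sshd "password" messages.
SAMPLE_LOG = """\
2014-10-01T09:00:01Z sshd[1201]: Failed password for root from 203.0.113.7
2014-10-01T09:00:02Z sshd[1201]: Failed password for admin from 203.0.113.7
2014-10-01T09:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7
2014-10-01T09:00:04Z sshd[1201]: Failed password for admin from 203.0.113.7
2014-10-01T09:00:05Z sshd[1201]: Failed password for admin from 203.0.113.7
2014-10-01T09:00:06Z sshd[1201]: Accepted password for admin from 203.0.113.7
2014-10-01T09:15:00Z sshd[1300]: Failed password for alice from 198.51.100.5
2014-10-01T09:40:00Z sshd[1301]: Accepted password for alice from 198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

# Vendor/default account names worth flagging even on a single failure (assumed list).
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "guest", "test"}


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside a sliding time
    window, and note whether a successful login followed the burst."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= `window`
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(
                    e["result"] == "Accepted" and e["ts"] >= fails[end] for e in evs
                )
                alerts.append({"ip": ip, "failures": end - start + 1,
                               "success_after": success_after})
                break
    return alerts


def default_account_attempts(log_text):
    """Count failed logins against well-known default account names, per IP."""
    counts = defaultdict(int)
    for e in map(parse_line, log_text.splitlines()):
        if e and e["result"] == "Failed" and e["user"] in DEFAULT_ACCOUNTS:
            counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_LOG):
        print("brute force:", alert)
    print("default-account attempts:", default_account_attempts(SAMPLE_LOG))
```

The `success_after` flag is the important output for an incident responder: a burst of failures that ends in an accepted login is the case that needs immediate follow-up, whereas a burst that never succeeds is evidence that the lockout or strong-password policy held.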
Attack Type 4: Application Layer Attack
• Targets application servers looking for OS or application faults
• Bypasses normal access controls
• Gains elevated privileges
Patch Management
• OS Updates
• Application Updates
• AV / Malware Definitions
Active Scanning
• Anti-Virus
– Protects against malicious code
• Malware
– Annoyance programs that may offer a back door to attacks
• Intrusion Detection
– Automated monitoring for suspicious activity
• Penetration Testing
Attack Type 5: Man in the Middle
Source: 4kcc.com
Preventing Man in the Middle
• Use strong encryption for communication
• Segregate production networks
Be Diligent
• This is just a start
• New exploits found daily
• Review your logs and procedures
• External auditing
CODE VULNERABILITY
Know Your Enemy
What does code vulnerability mean?
• Flaw or oversight in an application allowing unauthorized or unintended use
Types of code vulnerabilities
• Injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Information leakage
Injection - What is it?
• Processing of invalid data changing the course of execution
– Arbitrary modification of data
– Installation of malware
– Privilege escalation
– HTML/Script injection
Injection – How does it work?
http://xkcd.com/327/
Injection - Example
Injection – Types
• SQL Injection
• HTML Script Injection
• Dynamic Evaluation Vulnerability
• Object injection (serialization)
• Remote File Injection
• Shell Injection
Injection – Prevention
• Whitelist input
• Sanitize input
• Parameterization
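The three prevention bullets are easiest to see side by side with the flaw they fix. The block below is an added example, not code from the presentation or its speakers: it builds a constructed SQLite table (the users, roles and the whitelist of sort columns are assumptions for the example), shows the string-concatenation form that the xkcd slide lampoons, and then the parameterized query, a whitelist validator for the username, and a whitelist for the one place a parameter cannot help, a column name in ORDER BY.

```python
import re
import sqlite3

# Whitelist of characters a username may contain (assumed policy for the example).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")
# Column names are identifiers, not values, so they get their own whitelist.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def make_db():
    """Constructed sample data (assumption, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Deliberately vulnerable: the input is concatenated into the SQL text,
    so a quote inside `name` changes the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """Parameterization: the driver passes the value separately from the SQL,
    so it is only ever compared as data and can never become grammar."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def validate_username(name):
    """Whitelist input: accept only what a username is allowed to look like."""
    return bool(USERNAME_RE.match(name))


def list_users_sorted(conn, column):
    """Identifiers cannot be bound as parameters, so the column is checked
    against the known schema before the query text is built."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, hostile))       # every user leaks
    print("parameterized:", find_user_parameterized(db, hostile))  # []
    print("whitelist accepts:", validate_username(hostile))        # False
```

Note the order of defences: the whitelist rejects the hostile value before it reaches the database, and parameterization guarantees that even a value which passes validation cannot alter the query. Sanitizing (escaping quotes) is the weakest of the three because it has to be right for every database dialect and every context, which is why the parameterized form is the one to reach for.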
Cross-site Scripting – What is it?
• Injecting client-side script into Web pages viewed by other users
Cross-site Scripting – Example
Cross-site Scripting – Types
• Non-Persistent
– Query string, post data, etc. (e.g. search results)
• Persistent
– Database or file changes (e.g. comments)
• DOM-based
– Runs entirely in the client
Cross-site Scripting - Prevention
• Sanitize user input and output that is based on user created content
• Top-down testing and analysis of client side scripts
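"Sanitize user input and output that is based on user created content" is the whole defence for persistent XSS, and the detail that matters is that encoding happens at output time, for the context the value lands in. The following is an added example, not code from the presentation or its speakers; the sample comments, the page layout and the scheme whitelist for profile links are assumptions for the example.

```python
import html
from urllib.parse import urlparse

# Constructed comments (assumption, not from the slides): the second is the
# kind of stored-XSS payload a comment field might receive.
SAMPLE_COMMENTS = [
    "Nice write-up, thanks!",
    "<script>alert(1)</script>",
]


def escape_text(text):
    """Encode for an HTML text node: & < > \" ' become entities, so the
    browser renders the characters instead of parsing them as markup."""
    return html.escape(text, quote=True)


def render_comment(text):
    """Persistent-XSS defence: the raw comment is stored as submitted and
    encoded here, at output time, for the HTML text-node context."""
    return '<p class="comment">' + escape_text(text) + "</p>"


def safe_href(url):
    """Attribute context: entity-encoding alone does not neutralise a
    javascript: URL, so the scheme is whitelisted before use in href."""
    cleaned = url.strip()
    if urlparse(cleaned).scheme not in ("http", "https"):
        return "#"
    return escape_text(cleaned)


def render_page(comments, author_url):
    """Assemble the page with every user-controlled value encoded for where it goes."""
    body = "\n".join(render_comment(c) for c in comments)
    return f'<a href="{safe_href(author_url)}">profile</a>\n{body}'


if __name__ == "__main__":
    print(render_page(SAMPLE_COMMENTS, "javascript:alert(1)"))
```

Two contexts appear here on purpose: a text node, where entity encoding is sufficient, and an attribute holding a URL, where it is not and a scheme whitelist is needed as well. A script tag placed into a JavaScript block or an event handler would need yet another encoder, which is why the slide pairs sanitization with top-down review of the client-side scripts.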
Cross-site Request Forgery – What is it?
Causing a user’s browser to perform an unwanted action on a trusted site for which the user is authenticated.
A form of the confused deputy problem.
Cross-site Request Forgery – Example
Cross-site Request Forgery – Prevention
• Synchronizer token pattern
• Cookie-to-header Token
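Both prevention patterns rely on the same property: a forged cross-site request can carry the victim's cookies, but the attacker's page can neither read a value the server placed in a form nor add a custom request header. The block below is an added example, not code from the presentation or its speakers. It implements both patterns with an in-memory dictionary standing in for server-side session storage; the session layout, the form action and the XSRF-TOKEN/X-XSRF-TOKEN names are assumptions for the example.

```python
import hmac
import secrets

# In-memory stand-in for server-side session storage (assumption for the example).
SESSIONS = {}


def new_session():
    """Create a session and mint its per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Synchronizer token pattern: the token is embedded in the form the
    server renders; a page on another origin cannot read it."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '</form>')


def handle_form_post(sid, form_fields):
    """Reject the state-changing request unless the submitted token matches
    the session copy; compare_digest keeps the check constant-time."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    supplied = form_fields.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    return 200


def handle_ajax_post(cookies, headers):
    """Cookie-to-header token: the server sets a readable XSRF-TOKEN cookie and
    same-origin script copies it into X-XSRF-TOKEN. A forged cross-site
    request still sends the cookie but cannot set the custom header."""
    cookie_token = cookies.get("XSRF-TOKEN", "")
    header_token = headers.get("X-XSRF-TOKEN", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, header_token):
        return 403
    return 200


if __name__ == "__main__":
    sid = new_session()
    print(render_form(sid))
    print("legitimate:", handle_form_post(sid, {"csrf_token": SESSIONS[sid]["csrf_token"]}))
    print("forged:", handle_form_post(sid, {}))
    print("ajax without header:", handle_ajax_post({"XSRF-TOKEN": "abc"}, {}))
```

The empty-token guard in both handlers matters: `compare_digest("", "")` is true, so a request with no cookie and no header would otherwise pass. The cookie-to-header variant also depends on the cookie not being readable cross-origin, which is the same-origin policy doing the work, so an XSS flaw on the site defeats it, which is one reason the slides treat XSS and CSRF as a pair.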
Information Leakage – What is it?
• Application unintentionally revealing sensitive information
– System/environment configuration
– User information
– etc.
• Comments visible in response data
• Overly detailed error information
• Difference in behavior
Information Leakage – Example
http://xkcd.com/1354/
Information Leakage - Prevention
• Parse errors before display
• Remove debugging information from production
• Always be aware of what your application’s behavior reveals
THE HUMAN FACTOR
Know Your Enemy
The Human Factor: Code Review
Source: SmartBear
The Human Factor: Code Review
What if… one of those bugs is a security vulnerability that exposes customer data?
Labor + Damages = $$$ Millions? Billions?
The Human Factor: Code Review
• Self audit through annotation & peer review
– Fewer defects, better performing code
– Reduces chance of vulnerable code making it to production
– Go from as strong as your weakest link to as good as the best on your team
– Reduce technical debt
– Continuous education
• Tools
– SmartBear Collaborator, Atlassian Crucible
The Human Factor: Source Control
• Source Control
– Beyond version management and feature development
– Enables code collaboration and vulnerability prevention
– Merge workflow, feature/module branches
– Git - BitBucket, Github + Console, SourceTree, VS
• Automated Builds – Continuous Integration
– Code Standards, Static Analysis
– Reduces potential for introducing insecure configurations
– Empowers team and individual accountability
– Tools: Jenkins, Team Foundation Server, Travis CI (cloud)
The Human Factor: Sensitive Data
• Obfuscated, Masked and Mock Data
– Limit developer access to production data when possible (ex. employee, customer and financial data)
– Development data sources should not contain real data
– Use mock data for test driven development
– Tools
SQL: redgate SQL Data Generator
ruby: Faker::HipsterIpsum
The Human Factor: Modular Dev
• For large projects and teams, isolate risks with modular development
• Architect for modular development (ex. SOA, libraries, packages, gems)
• Developer only needs access to build specific components
The Human Factor: Social Hacking
• Phishing– Common behaviors
• Spear Phishing– Specific target
• Impersonation - “Service Desk”
Thank You!
Q&A