design secure web applications - owasp · 2020. 1. 17. · design secure web applications ashish...
TRANSCRIPT
![Page 1: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/1.jpg)
DESIGN SECURE WEB APPLICATIONS
ASHISH RAO & SIDDHARTH ANBALAHAN
![Page 2: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/2.jpg)
About Ashish
– 4 years of IT Security Experience
– Security Consultant and Researcher – Application and Code Security Practice
– Expertise in performing Security Design reviews and Security Code Reviews
– Developed Code Review Checklists and Automation scripts for many platforms
– Conducted Trainings on Secure Development of Web and Mobile applications for different platforms
http://artechtalks.blogspot.in/
![Page 3: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/3.jpg)
• Application Design Understanding
• Need for Design Reviews
• Vulnerable Areas in the design
– Business Logic Invocation
– Backdoor parameters
– Placement of checks
– Inter-Application Communication
• Checklist for secure design
Index
![Page 4: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/4.jpg)
What is a design?
Before
Design – A plan or a diagram that translates ideas into models.
After
![Page 5: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/5.jpg)
What is an application design?
Application Design:
– A structure that determines execution flow
– Determines how different components interact with each other
• There are many design frameworks present today
• Most of such designs are based on “MVC”
![Page 6: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/6.jpg)
What is MVC?
John is a developer of an application and he wants to add a new feature that can let the admin user create new users in the system.
How should he code it?
Well, the very first question to ask is, how should he DESIGN it?
![Page 7: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/7.jpg)
What is MVC?
Write the entire code in one file….
It’s a bad idea. Design it well
![Page 8: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/8.jpg)
What is MVC?
• Things to develop:
– Form to add user
– A class to understand and process add user request
– A class to hold user data
View
Controller
Model
![Page 9: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/9.jpg)
What is MVC?
CONTROLLER
MODEL VIEW
Web Request
Updates Data Update View
Get Data
VIEW
![Page 10: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/10.jpg)
Importance of a design
• Segregation of code in logical components
• Makes code maintainable
• Easy to incorporate change
• Easy to build security controls
![Page 11: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/11.jpg)
Should we review design?
• Can something go wrong in a design?
Why NOT?
• Design reviews are very important
• A flaw in the design can break the entire model
![Page 12: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/12.jpg)
Should we review design?
• Insecure designs are big threat to the application
• Design flaws are:
– Lesser known
– Invisible
– Hardly caught by scanners
– Can lead to many security flaws in the applications
![Page 13: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/13.jpg)
Vulnerable Areas in Design
Things can wrong in:
– Data Flow/Business Logic Invocation
– Handling Inputs
– Placement of Checks
– Inter Application communication
![Page 14: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/14.jpg)
INSECURE BUSINESS LOGIC INVOCATION
![Page 15: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/15.jpg)
Business Logic Invocation
CONTROLLER
MODEL VIEW
Updates Data
Update View
Get Data
Central Controller
Web Request
Handles all web requests
Components specific to requested feature
How does it know which MVC
components to select?
![Page 16: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/16.jpg)
Business Logic Invocation
CONTROLLER
MODEL VIEW
Updates Data
Update View
Get Data
Central Controller
Web Request
Handles all web requests
Components specific to requested feature
Identifies the business logic class/MVC components based on the request – URL/Parameters
![Page 17: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/17.jpg)
Business Logic Invocations
• Lets understand the design:
– The design uses user input to determine:
• Business logic component
– Fully qualified class names
–Method name
–View component
17
![Page 18: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/18.jpg)
Insecure Business Logic Invocation
18 Sample Design
![Page 19: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/19.jpg)
Business Logic Invocation
DEMO - Code Walk through
19
![Page 20: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/20.jpg)
Insecure Business Logic Invocation
• What can go wrong in this design:
– Unexposed Files may be accessible to the user
20
![Page 21: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/21.jpg)
Insecure Business Logic Invocation
21
C
o
n
t
r
o
l
l
e
r
S
e
r
v
l
e
t
Parameter Name = Business Logic Class
BUSINESS LOGIC CLASS
3. Return ACTION mapping
4. Instantiate Business Logic class and invoke its methods
5. Return Data and View Name
Configuration File
1. Request
7. Response
2. Query Config File
VIEW FILE
Action = AccountView
AccountView = AccountAction.java
AccountAction.java
AccountSummary.jsp Account Details
USER
Normal Functioning
![Page 22: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/22.jpg)
Insecure Business Logic Invocation
22
C
o
n
t
r
o
l
l
e
r
S
e
r
v
l
e
t
Parameter Name = Business Logic Class
BUSINESS LOGIC CLASS
3. Return ACTION mapping
4. Instantiate Business Logic class and invoke its methods
5. Return Data and View Name
Configuration File
1. Request
7. Response
2. Query Config File
VIEW FILE
USER
Exploit
Action = TestAction
TestAction = UnexposedAction.java
UnexposedAction.java
UnexposedView.jsp Unexposed Details
![Page 23: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/23.jpg)
Insecure Business Logic Invocation
DEMO -
23
Unauthorized Access to Hidden Business Logic Class
![Page 24: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/24.jpg)
Insecure Business Logic Invocation
Another important scenario –
Request parameters used to identify method names of the business logic class
24
![Page 25: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/25.jpg)
Consider this design
25
Sample Design
![Page 26: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/26.jpg)
Insecure Business Logic Invocation
• What can go wrong in this design:
– Users can try to perform actions not authorized to them
26
![Page 27: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/27.jpg)
Insecure Business Logic Invocation
DEMO – Unauthorized Access to unexposed Business Logic Method
27
![Page 28: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/28.jpg)
Insecure Business Logic Invocation
• Security Measures:
– Remove ALL redundant/test/unexposed business logic configurations from the file
– Apply Authorization check before processing business logic
– Apply a mapping on method/class/view names with the privilege level of the users
28
![Page 29: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/29.jpg)
Backdoor Parameters – Insecure Data Binding
![Page 30: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/30.jpg)
Insecure Data Binding
• Lets understand the design:
– The design uses a data binding logic to bind user inputs to business/form object variables
![Page 31: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/31.jpg)
What is Data Binding?
31
C
o
n
t
r
o
l
l
e
r
S
e
r
v
l
e
t
Parameter Name = Business Logic Class
BUSINESS LOGIC CLASS
3. Return ACTION mapping
4. Instantiate Business Logic class and invoke its methods
5. Return Data and View Name
Configuration File
1. Request
7. Response
2. Query Config File
VIEW FILE
Business
Object
4.A - Bind instance variables to request parameters
![Page 32: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/32.jpg)
Insecure Data Binding
• What can go wrong in the design:
– A user may be able to assign values to unexposed variables of business objects
32
![Page 33: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/33.jpg)
Insecure Data Binding
33
C
o
n
t
r
o
l
l
e
r
S
e
r
v
l
e
t
Parameter Name = Business Logic Class
BUSINESS LOGIC CLASS
3. Return ACTION mapping
4. Instantiate Business Logic class and invoke its methods
5. Return Data and View Name
Configuration File
1. Request
7. Response
2. Query Config File
VIEW FILE
Business Object
<price = 1000>
4.A - Bind instance variables to request parameters
Item=book Quantity=1
Business Object <price = 1000>
Item=book Quantity=1
Business Object <price = 1>
Item=book Quantity=1
Item=book Quantity=1
Price=1
Hacked
![Page 34: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/34.jpg)
Insecure Data Binding
DEMO – Unauthorized access by exploiting data binding flaw
34
![Page 35: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/35.jpg)
Insecure Data Binding
• Security Measures:
– Do not place key variables related to business rules, which are not dependent on user inputs in objects that get bound to request variables
– Initialize key variables after the request to variable binding logic
– Use “disallow” binding logic for certain variables, if provided by the framework
35
![Page 36: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/36.jpg)
BACKDOOR PARAMETERS – Insecure Decision Logic
![Page 37: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/37.jpg)
Incorrect Decision Logic
• Lets understand the design – The application takes business logic decisions based on
presence or absence of a parameter.
• For instance – isAdmin, isSuccess
– Menus/input controls are hidden from certain users, generally observed in ASP.NET applications.
37
![Page 38: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/38.jpg)
Incorrect Decision Logic
• What can go wrong in the design:
– The design believes in the concept of – “what is hidden is secure”
– Server side behavior can be influenced with request parameters
– Users can perform unauthorized operations in the application.
![Page 39: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/39.jpg)
Consider a scenario
• Consider a password reset feature of the applications:
– Scenario:
• Admin users can reset passwords of other users
• Normal users can reset ONLY their passwords
![Page 40: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/40.jpg)
Lets look at the flaw
40
Binding with request parameters
Incorrect Logic
![Page 41: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/41.jpg)
Lets understand the flaw
Flaw:
• Here, absence of username in the request is considered as a request from normal user.
Assumption:
As an option to add username is not given to non-admin users, the username field will always be absent in their request.
![Page 42: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/42.jpg)
Consider a scenario
What if a non-admin user sends additional username parameter in the request?
• The server will be fooled to believe that the request coming from the admin user.
• The user will be able to change password of other users
![Page 43: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/43.jpg)
DEMO Unauthorized access to change password of other users
![Page 44: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/44.jpg)
Incorrect Decision Logic
• Security Measures:
– Don’t believe in – “If it is hidden it is secure”
– Apply authorization checks wherever necessary
– Do not use unvalidated inputs for taking business logic decisions – Use session variables/database values
44
![Page 45: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/45.jpg)
INCORRECT PLACEMENT OF CHECKS
![Page 46: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/46.jpg)
Incorrect Placement of Checks
• Lets understand the design: • The design uses multiple components like MVC.
• The authentication check is implemented on all the views of the application
– if we try to access any view – For instance, “Adduser.jsp” without authentication, it will be disallowed
46
![Page 47: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/47.jpg)
Incorrect Placement of Checks
• What can go wrong in the design:
– Placement of checks can be incorrect
– Business logic components could be placed before the authentication check
– Users will be able to bypass the authentication or any such security check
![Page 48: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/48.jpg)
Incorrect Placement of Checks
48
Auth Check
View Logic
INCORRECT PLACEMENT
Business Logic
Central Controller
Unauthorized
Request ERROR
PAGE
But request gets processed here!!!
CORRECT PLACEMENT
![Page 49: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/49.jpg)
Incorrect Placement of Checks
DEMO – Unauthorized access due to incorrect placement of checks
49
![Page 50: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/50.jpg)
Incorrect Placement of Checks
• Security Measures:
– Place all validation checks before request processing logic
50
![Page 51: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/51.jpg)
INTER APPLICATION COMMUNICATION
![Page 52: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/52.jpg)
Security Areas in Inter-App Communication
• Verifying the authenticity of the user
• Secure Data transmission
• Tamper proof communication
• Prevention of Replay Attacks
![Page 53: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/53.jpg)
Inter App Communication
• Verify authenticity of the user
– Consider a case of web to app server communication
Web server App server
Request
Attacker
![Page 54: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/54.jpg)
Inter App Communication
• Verify authenticity of the user
– In the app server, verify the identity of the requesting user using:
• Declarative access control (container managed)
• Programmatic access control logic
![Page 55: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/55.jpg)
Inter App Communication
• Secure Data transmission
– Consider a server to server communication
Web server Web server
Establish an encrypted channel
![Page 56: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/56.jpg)
Inter App Communication
• Secure Data transmission
– Implement an encrypted channel like SSL or IPSec, wherever possible
– If the channel cannot be encrypted, encrypt sensitive data like account ID, etc. using a pre-shared key
![Page 57: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/57.jpg)
Inter App Communication
• Tamper proof communication
• Prevent Replay Attacks
– Consider a scenario like SSO or payment gateway transaction
![Page 58: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/58.jpg)
SSO Implementation
Authenticating Party
Server
Send the random key encrypted using pre-shared one
Pre-shared key
Generate a random key
Acknowledge by sending the hash of random key + a random token
Send SSO token encrypted by random key ONLY if correct HASH is received + hash of the random token
Verify the Hash and process the SSO token only if the Hash is valid
![Page 59: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/59.jpg)
Inter App Communication
• Verify the authenticity of the user
• Send data over an encrypted channel
• Implement HMAC of the request parameter wherever needed
• Use 2 way handshake in cases like SSO
– Use different pair of pre-shared keys in scenarios where deployment is multiple customer sites
![Page 60: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/60.jpg)
Insecure Design - Recap
• Insecure Business Logic Invocations
– Files
– Methods
• Backdoor Parameters Insecure Data Binding
Incorrect Decision Logic
• Incorrect Placement of Checks
• Inter Application Communication
60
![Page 62: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/62.jpg)
Questions
62
![Page 63: DESIGN SECURE WEB APPLICATIONS - OWASP · 2020. 1. 17. · DESIGN SECURE WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN . About Ashish –4 years of IT Security Experience –Security](https://reader035.vdocuments.us/reader035/viewer/2022071210/6020e0d9d70ebf5b15759da5/html5/thumbnails/63.jpg)
Thank You &
Share your feedback with us.