Protecting Web Applications with ESAPI and AppSensor
Manuel Lopez Arredondo, manuel.lopez@owasp.org

Posted 25-Feb-2016 (PowerPoint presentation, 49 slides)

TRANSCRIPT

Page 1: Protecting Web Applications with ESAPI and AppSensor – Manuel Lopez Arredondo, manuel.lopez@owasp.org

Protecting Web Applications with ESAPI and AppSensor

Manuel Lopez Arredondo, manuel.lopez@owasp.org

Page 2:

"The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine"

http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/

Page 3:

Why is security important?

Ponemon Institute (2012). 2012 Cost of Cyber Crime Study. Ponemon Institute LLC.

Page 4:

Why is security important?

Verizon (2012). 2012 Data Breach Investigations Report. Verizon LLC.

Page 5:

Why is security important?

Page 6:

What is OWASP

Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services

Page 7:

What is OWASP

Community Driven
30,000 mailing list participants
200 active chapters in 70 countries
1600+ members, 56 corporate supporters, 69 academic supporters

Page 8:

OWASP Guadalajara Chapter

What do we have to offer?
• Community of security professionals
• Monthly meetings
• Mailing list
• Presentations
• Workshops
• Open forums for discussion
• Vendor-neutral environment

Activity from March 2012 till date:

Meetings   Workshops   Conference   Newsletter   Page visits
3          1           1            3            2,528+

https://www.owasp.org/index.php/Guadalajara

Page 9:

What is OWASP

Quality Resources
200+ projects
15,000+ downloads of tools and documentation
250,000+ unique visitors, 800,000+ page views (monthly)

Page 10:

Quality Resources

[Figure: pie chart of OWASP projects by type – Documentation, Tools, Code – with shares shown as 50%, 10% and 40%.]

Page 11:

OWASP Top Ten (2010 Edition)

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Page 12:

A1 – Injection

Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter

Interpreters…
• Take strings and interpret them as commands
• SQL, OS shell, LDAP, XPath, Hibernate, etc.

SQL injection is still quite common
• Many applications are still susceptible (really don't know why)
• Even though it's usually very simple to avoid

Typical impact
• Usually severe. The entire database can usually be read or modified
• May also allow access to the full database schema, to accounts, or even to the OS

Page 13:

SQL Injection – Illustrated

[Figure: the standard OWASP attack diagram. The HTTP request carrying the attack passes the firewall, hardened OS, web server and app server (network layer) into the custom code and business functions (application layer: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions), then as a SQL query to the DB table and the back-end systems (Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing); the HTTP response carries the data back. The account-summary form has Account and SKU fields.]

Query as it reaches the database:

"SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards the attack to the database in a SQL query
4. Database runs the query containing the attack and sends encrypted results back to the application
5. Application decrypts the data as normal and sends the results to the user

Result: the Account Summary page lists every account, e.g.
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
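The account lookup from the diagram, as an added example that is not part of the slides (Python is used for the added examples on this page; it is the technique, not ESAPI's API). The vulnerable function pastes the form value into the SQL text exactly as step 3 describes, the parameterized one binds it; the accounts table, its rows and the function names are constructed for the example.

```python
# Added example, not code from the slides: the account-summary lookup of the
# "SQL Injection - Illustrated" diagram, once with the string concatenation
# that makes it injectable and once with a bound parameter. Uses the Python
# standard library only; the accounts table and its rows are constructed data.
import sqlite3

SAMPLE_ACCOUNTS = [  # constructed sample rows
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]

# The payload from the slide: closes the quoted literal, appends a tautology,
# and comments out the closing quote the application appends.
PAYLOAD = "' OR 1=1--"


def make_db() -> sqlite3.Connection:
    """In-memory database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> list:
    """Step 3 of the slide: the form value is pasted into the SQL text, so the
    database parses whatever the attacker typed as part of the command."""
    query = "SELECT acct, owner FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, acct: str) -> list:
    """Same lookup with a bound parameter: the value travels separately from
    the statement, so the quote, OR and -- are compared as literal text."""
    return conn.execute(
        "SELECT acct, owner FROM accounts WHERE acct = ?", (acct,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The injected query becomes: ... WHERE acct='' OR 1=1--'  -> every row
    print("vulnerable:   ", lookup_vulnerable(db, PAYLOAD))
    # The bound version looks for an account literally named ' OR 1=1--
    print("parameterized:", lookup_parameterized(db, PAYLOAD))
```

Running it prints all four constructed accounts for the vulnerable lookup and an empty list for the parameterized one; a genuine account number returns exactly one row in both.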

Page 14:

A2 – Cross-Site Scripting (XSS)

Occurs any time…
• Raw data from an attacker is sent to an innocent user's browser

Raw data…
• Stored in the database
• Reflected from web input (form field, hidden field, URL, etc.)
• Sent directly into a rich JavaScript client

Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)

Typical impact
• Steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site
• Most severe: install an XSS proxy which allows the attacker to observe and direct all of the user's behavior on the vulnerable site and force the user to other sites

Page 15:

Cross-Site Scripting Illustrated

Application with stored XSS vulnerability

[Figure: the same application diagram as page 13 (Custom Code over the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions).]

1. Attacker sets the trap – "update my profile": the attacker enters a malicious script into a web page that stores the data on the server
2. Victim views the page – sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies
3. The script silently sends the attacker the victim's session cookie

Page 16:

Enterprise Security API (for Reboot)

Project Leader: Chris Schmidt

Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Page 17:

ESAPI – Vision

• Build a common set of security controls for today's most popular programming languages.
• Have interfaces in common across programming languages as much as is possible and natural.
• Provide at least a simple reference implementation for each security control, to serve as an example if not useful in itself.
• Easily extensible.
• Provide the functionality that is most often needed but lacking (or inconsistent) in the various frameworks and languages.

Page 18:

Using ESAPI (1 of 3)

Getting started
• https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
• Download: http://code.google.com/p/owasp-esapi-java/
• ESAPI Cheat Sheet: https://www.owasp.org/index.php/ESAPI_Cheat_Sheet
• ESAPI Swingset: http://code.google.com/p/owasp-esapi-java-swingset/

Page 19:

Using ESAPI (2 of 3)

Getting help
• ESAPI User mailing list (focuses on the Java version): https://lists.owasp.org/mailman/listinfo/esapi-user
• ESAPI Developer mailing list: https://lists.owasp.org/mailman/listinfo/esapi-dev
• ESAPI Project page: http://www.esapi.org/ (coming soon)

Page 20:

Using ESAPI (3 of 3)

Getting involved
• Many other language implementations, all playing catch-up
• ESAPI for Java needs help with user documentation
• ESAPI 2.1 (Java) starting soon
• ESAPI Swingset and Swingset Interactive → port to use ESAPI 2.0

Page 21:

Enterprise Security API

[Figure: three layers – the Custom Enterprise Web Application on top, the Enterprise Security API in the middle, and the Existing Enterprise Security Services/Libraries underneath.]

Components of the Enterprise Security API:
• Authenticator
• User
• AccessController
• AccessReferenceMap
• Validator
• Encoder
• HTTPUtilities
• Encryptor
• EncryptedProperties
• Randomizer
• Exception Handling
• Logger
• IntrusionDetector
• SecurityConfiguration
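One of the listed components worked through, as an added example that is not ESAPI's own code: an access reference map in the spirit of AccessReferenceMap, which is the control for A4 (Insecure Direct Object References) from the Top Ten slide. The class, the error type and the account numbers are this example's assumptions, not the library's classes.

```python
# Added example, not ESAPI's own code: a per-session access reference map in
# the spirit of the AccessReferenceMap component listed on the slide, which is
# ESAPI's control for A4 (Insecure Direct Object References). The browser only
# ever sees random tokens; the mapping back to the real account numbers lives
# server-side, and a token the map never issued is rejected outright.
# The account numbers are constructed sample data.
import secrets


class AccessControlError(Exception):
    """Raised when a client presents an indirect reference this map never issued."""


class AccessReferenceMap:
    def __init__(self, direct_refs=(), token_bytes: int = 16):
        self._token_bytes = token_bytes
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}
        for ref in direct_refs:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct) -> str:
        """Register an object the current user may access; returns its token."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        token = secrets.token_urlsafe(self._token_bytes)
        while token in self._indirect_to_direct:   # vanishingly unlikely collision
            token = secrets.token_urlsafe(self._token_bytes)
        self._direct_to_indirect[direct] = token
        self._indirect_to_direct[token] = direct
        return token

    def remove_direct_reference(self, direct) -> None:
        """Drop an object (e.g. after it is deleted) so its old token dies too."""
        token = self._direct_to_indirect.pop(direct, None)
        if token is not None:
            del self._indirect_to_direct[token]

    def get_indirect_reference(self, direct):
        """Token to put in links and form fields; None if the object is not in the map."""
        return self._direct_to_indirect.get(direct)

    def get_direct_reference(self, indirect: str):
        """Resolve a token from the request. Unknown tokens, including a real
        account number typed straight into the URL, raise instead of leaking."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise AccessControlError("unknown indirect reference") from None


def build_session_map(accounts_for_user) -> AccessReferenceMap:
    """Built once per login from the accounts this user is authorised to see
    (the authorisation decision itself is made before this, e.g. by an
    access controller)."""
    return AccessReferenceMap(accounts_for_user)


if __name__ == "__main__":
    # constructed: the accounts the logged-in user owns
    arm = build_session_map(["5424-6066-2134-4334", "4128-7574-3921-0192"])
    token = arm.get_indirect_reference("5424-6066-2134-4334")
    print("link the user sees: /account?ref=" + token)
    print("resolves to:", arm.get_direct_reference(token))
    try:  # tampering with the ref to another customer's account number fails
        arm.get_direct_reference("5424-9383-2039-4029")
    except AccessControlError as exc:
        print("rejected:", exc)
```

The map must be built from the set of objects the user is already authorised for; it replaces guessable identifiers in the request, it does not replace the authorisation check itself.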

Page 22:

Potential Enterprise ESAPI Cost Savings

Page 23:

Basic ESAPI Approach – Examples

In Java:

String input = request.getParameter("input");
// Throws ValidationException or IntrusionException if there is a problem
String cleaned = ESAPI.validator().getValidInput(
        "Secure input example",
        input,
        "SafeString",   // regex spec (Validator.SafeString in ESAPI.properties)
        200,            // max length
        false,          // no nulls
        true);          // canonicalize
String safeHTML = ESAPI.encoder().encodeForHTML(cleaned);

Page 24:

Basic ESAPI Approach – Examples

In PHP:

$input = isset($_POST['username']) ? $_POST['username'] : ''; // request parameter (source assumed)
$cleanTmp = array();    // local in scope
$cleanParams = array(); // local in scope
$cleanTmp['username'] = ESAPI::getValidator()->getValidInput(
    "Secure input example",
    $input,
    "SafeString",   // regex spec
    200,            // max length
    false,          // no nulls
    true);          // canonicalize
$cleanParams['username'] = ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);
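What the validator and encoder calls above do, and why this is the fix for the stored-XSS scenario on page 15, as an added example that is not ESAPI's code: canonicalize first, then validate against a whitelist, then encode for the HTML context. It goes a little beyond the slides by showing how canonicalization catches the multiply-encoded input that a plain regex check would let through. The whitelist pattern is modelled on the SafeString entry in ESAPI.properties; the exception names mirror ESAPI's, but the classes, the function names and the profile markup are this example's own.

```python
# Added example, not ESAPI's code: the canonicalize -> validate -> encode
# pipeline behind the getValidInput/encodeForHTML calls on the ESAPI slides,
# written in plain Python so the steps are visible. Whitelist pattern modelled
# on Validator.SafeString from ESAPI.properties; exception classes, function
# names and the profile markup are this example's own assumptions.
import html
import re
import urllib.parse


class EnterpriseSecurityException(Exception):
    """Common base, as in ESAPI; the two subclasses are siblings."""


class ValidationException(EnterpriseSecurityException):
    """Input failed the whitelist; reported to the user as an input error."""


class IntrusionException(EnterpriseSecurityException):
    """Input looks deliberately crafted (here: encoded more than once); this is
    what an intrusion detector should be told about, not the user."""


# Whitelist: letters, digits, whitespace and dot, up to 1024 characters.
VALIDATION_PATTERNS = {"SafeString": r"[.A-Za-z0-9\s]{0,1024}"}


def canonicalize(value: str, max_passes: int = 3) -> str:
    """Strip URL and HTML-entity encoding until the value stops changing and
    count the layers removed. One layer is normal for a request parameter;
    two or more means the sender double-encoded to sneak past a check."""
    current, layers = value, 0
    for _ in range(max_passes + 1):
        url_decoded = urllib.parse.unquote(current)
        if url_decoded != current:
            layers += 1
        entity_decoded = html.unescape(url_decoded)
        if entity_decoded != url_decoded:
            layers += 1
        if entity_decoded == current:
            break
        current = entity_decoded
    else:
        raise IntrusionException("input still changing after %d passes" % max_passes)
    if layers > 1:
        raise IntrusionException("input was encoded %d times" % layers)
    return current


def get_valid_input(context: str, value, pattern_name: str, max_length: int,
                    allow_null: bool, canonicalize_input: bool = True) -> str:
    """Same argument order as the getValidInput call on the slide."""
    if value is None or value == "":
        if allow_null:
            return ""
        raise ValidationException(f"{context}: value required")
    if len(value) > max_length:
        raise ValidationException(f"{context}: longer than {max_length} characters")
    canonical = canonicalize(value) if canonicalize_input else value
    if not re.fullmatch(VALIDATION_PATTERNS[pattern_name], canonical):
        raise ValidationException(f"{context}: does not match {pattern_name}")
    return canonical


def encode_for_html(value: str) -> str:
    """Entity-encode & < > " ' so the value is text, not markup, wherever it
    lands in an HTML body or attribute."""
    return html.escape(value, quote=True)


def render_profile_name(raw_username: str) -> str:
    """The slide's sequence for the page-15 profile field: validate the
    request parameter, then encode the cleaned value for the HTML it goes into."""
    cleaned = get_valid_input("profile username", raw_username, "SafeString", 200, False)
    return '<p class="profile">' + encode_for_html(cleaned) + "</p>"
```

The split between the two exceptions matters for the AppSensor material later in the deck: a whitelist failure is an ordinary input error, while a double-encoded value is evidence of an attack and belongs in the intrusion log.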

Page 25:

OWASP ESAPI Project Scorecard: Feature Set vs. Programming Language

[Table: one column per language implementation; the language headers did not survive extraction, so each row below lists the feature followed by the version numbers in the original column order.]

Authentication: 2.0 1.4 1.4 1.4 2.0 planned
Identity: 2.0 1.4 1.4 1.4 2.0 planned
Access Control: 2.0 1.4 1.4 1.4 1.4 2.0 planned
Input Validation: 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Output Escaping: 2.0 1.4 1.4 1.4 1.4 2.0 2.0
Canonicalization: 2.0 1.4 1.4 1.4 1.4 2.0 ???
Encryption: 2.0 1.4 1.4 1.4 1.4 2.0
Random Numbers: 2.0 1.4 1.4 1.4 1.4 2.0
Exception Handling: 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Logging: 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Intrusion Detection: 2.0 1.4 1.4 1.4
Security Configuration: 2.0 1.4 1.4 1.4 1.4 1.4 2.0 TBD
WAF: 2.0

Page 26:

Source Code and Javadoc Online Now!

http://code.google.com/p/owasp-esapi-java

Page 27:

AppSensor

Project Leader(s): Michael Coates, John Melton, Colin Watson

Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.

Release: AppSensor 0.1.3 – Nov 2010 (tool) & September 2008 (doc)

https://www.owasp.org/index.php/AppSensor

Create attack-aware applications

Page 28:

Page 29:

Page 30:

Detecting Attacks the Right Way

• Detect INSIDE the application
• Automatic detection
• Comprehensive
• Minimize false positives
• Understand business logic
• Immediate response
• No manual effort required

Page 31:

Page 32:

Implementing AppSensor

[Figure: detection points in the application report events to a log server; the AppSensor "brain" evaluates them and drives a response listener.]

Detection Points → Application → Log Server → AppSensor Brain → Response Listener
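The loop described on these slides in miniature, as an added example that is not AppSensor project code: detection points inside the login handler report events to a brain, which counts them per user inside a time window and hands a response to the listener once a threshold is reached. The detection point IDs follow the AppSensor catalogue labels (AE2 multiple failed passwords, IE2 whitelist violation, CIE1 SQL-injection blacklist); the thresholds, windows, responses, function names and the login sequence in run_demo() are assumptions made for the example.

```python
# Added example, not AppSensor project code: the "detect inside the
# application" loop from the slides in miniature. Detection points in the
# request handlers report events to a brain that counts them per user inside
# a time window and, at a threshold, hands a response to the listener. The
# detection point IDs follow the AppSensor catalogue labels (AE2, IE2, CIE1);
# thresholds, windows, responses and the sequence in run_demo() are assumed.
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionPoint:
    id: str
    label: str
    threshold: int        # events per user inside the window before responding
    window_seconds: int
    response: str         # what the response listener should do


DETECTION_POINTS = {
    "AE2": DetectionPoint("AE2", "Multiple failed passwords", 3, 300, "lock_account"),
    "IE2": DetectionPoint("IE2", "Violation of implemented whitelist", 5, 600, "logout_user"),
    "CIE1": DetectionPoint("CIE1", "Blacklist inspection for common SQL injection values",
                           1, 600, "disable_account"),
}


def response_listener(user: str, point: DetectionPoint):
    """Stand-in for the slide's response listener: returns the action it would
    take (a real listener would lock the account, kill the session, etc.)."""
    return (user, point.response)


class AppSensorBrain:
    def __init__(self, points, listener, clock=time.time):
        self._points, self._listener, self._clock = points, listener, clock
        self._events = defaultdict(deque)   # (user, point id) -> event timestamps
        self.log = []                       # what would go to the log server

    def add_event(self, user: str, point_id: str, detail: str = "", at=None):
        point = self._points[point_id]
        now = self._clock() if at is None else at
        self.log.append((now, user, point.id, point.label, detail))
        window = self._events[(user, point_id)]
        window.append(now)
        while window and now - window[0] > point.window_seconds:
            window.popleft()             # forget events outside the window
        if len(window) >= point.threshold:
            window.clear()               # respond once, then start a fresh window
            return self._listener(user, point)
        return None


# --- detection points wired into request handling ---------------------------
SQLI_MARKERS = ("' or ", "--", "union select", "1=1", "sleep(")
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.]{1,64}")


def looks_like_sqli(value: str) -> bool:
    """CIE1: a blacklist check that only ever feeds the detector, never the
    validation decision (the whitelist below does that)."""
    low = value.lower()
    return any(marker in low for marker in SQLI_MARKERS)


def handle_login(brain: AppSensorBrain, username: str, password_ok: bool, at=None):
    """Login handler with three detection points. Returns the response the
    brain triggered, if any, so the caller can act on it. Events are keyed by
    the submitted username; an unauthenticated client IP would do as well."""
    if looks_like_sqli(username):
        return brain.add_event(username, "CIE1", username, at)
    if not USERNAME_PATTERN.fullmatch(username):
        return brain.add_event(username, "IE2", username, at)
    if not password_ok:
        return brain.add_event(username, "AE2", "", at)
    return None


def run_demo():
    """Constructed sequence: bob fails three times quickly, alice's failures
    are spread beyond the window, the last request carries an injection string."""
    brain = AppSensorBrain(DETECTION_POINTS, response_listener)
    t = 1_000_000.0
    return [
        handle_login(brain, "bob", False, at=t),
        handle_login(brain, "bob", False, at=t + 10),
        handle_login(brain, "bob", False, at=t + 20),      # third inside 300 s
        handle_login(brain, "alice", False, at=t),
        handle_login(brain, "alice", False, at=t + 400),   # first one has expired
        handle_login(brain, "alice", False, at=t + 410),
        handle_login(brain, "' OR 1=1--", False, at=t),    # CIE1 fires at once
    ]
```

Only bob's third failure and the injection attempt produce a response; alice's three failures never sit inside one 300-second window, which is the "minimize false positives" point from the previous slide. Thresholds such as these belong in configuration, not code, so the application owner can tune them per detection point.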

Page 33:

Page 35:

Take-aways

• Open source solutions
• Low cost and low effort
• Think outside the box for development teams
• Techniques used in the industry
• OWASP Google Summer of Code 2013: https://www.owasp.org/index.php/GSoC

Page 36:

Q & A

Page 37:

Backup

Page 38:

About OWASP

• Online since December 1st, 2001
• Not-for-profit charitable organization
• OPEN: Everything at OWASP is radically transparent, from our finances to our code.
• INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.
• GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
• INTEGRITY: OWASP is an honest and truthful, vendor-agnostic, global community.
• https://www.owasp.org/index.php

Page 39:

OWASP Success Story

Page 40:

OWASP Guadalajara Chapter (repeat of page 8)

Page 41:

Application Developers

• New attack/defense guidelines
• Cheat Sheets
• WebGoat: a deliberately insecure application designed to teach web application security lessons

Page 42:

Application Testers and Quality Assurance

• Testing Guide
• Penetration testing tools
• Application Security Verification Standard Project

Page 43:

OWASP ZAP Proxy / WebScarab / CSRF Tester

Page 44:

OWASP Testing Framework

4. Web Application Penetration Testing
• 4.2 Information Gathering
• 4.3 Configuration Management Testing
• 4.4 Business Logic Testing
• 4.5 Authentication Testing
• 4.6 Authorization Testing
• 4.7 Session Management Testing
• 4.8 Data Validation Testing
• 4.9 Testing for Denial of Service
• 4.10 Web Services Testing
• 4.11 Ajax Testing

http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

Page 45:

Application Project Management and Staff

Define the process: SDLC, code review

Code review tools:
http://codecrawler.codeplex.com/Release/ProjectReleases.aspx
http://orizon.sourceforge.net

Page 46:

Download: Get OWASP Books

Page 47:

Business advantages of being associated with OWASP

• The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that application security is important and that the organization is taking the necessary steps to properly address application security risk in its business
• The organization itself gets security benefits at reduced cost:
  – Security code review tools are free
  – Lots of open and free security testing tools
  – Security guidelines and best practices
• Opportunity to display the organization's logo at OWASP events and conferences and on the website
• The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on OWASP mailing lists and the LinkedIn group
  – If you are looking to expand your business in emerging markets, here is an opportunity to reach out
• When an organization becomes a supporter of a security community it helps employees, partners, suppliers and customers understand the value and importance of security, and improves application security throughout the whole supply chain
• Membership options: https://www.owasp.org/index.php/Membership

Page 48:

Subscribe to the mailing list: https://www.owasp.org/index.php/Guadalajara

Chapter Leaders: Eduardo Cerna, Manuel Lopez

Join Us!

Page 49:

AppSensor Design

[Figure: a Demo App with an embedded AppSensor; application logs flow to the AppSensor "Brain", which sends a Response back to the app.]