modern web security
DESCRIPTION
Basic security concepts for web applications and web sites for today's environment. Server Configuration, Site Configuration, Best Practices, and Passwords.
TRANSCRIPT
Bill Condo / @mavrck
Modern Web Security
Attacks & Improvements
4/2/2014 | Dayton Web Developers
Who here is responsible for a website?
Who here has published code updates live in the last month?
Are they secure?
What We’ll Cover
• Common Threats
• Easy Improvements
• Bonus: Passwords
Common Threats
• Cross Site Scripting
• SQL Injection
• Path Disclosure
• Cross Site Request Forgery
• Information Disclosure
• Denial of Service
• Code Execution
• Memory Corruption
• Arbitrary File
• Local File Include
• Remote File Include
• Buffer overflow
Cross-site scripting (XSS)
• In a nutshell, websites that allow external code to be sent with a response to a user’s browser.
• Typically this is JavaScript inserted into a query string or form field that the page then allows to run.
• Exposes cookies and other sensitive data.
SQL Injection
• Allowing user input to be inserted directly into database queries, opening the possibility of unexpected data, database corruption, and data leakage.
• (original) statement = "SELECT * FROM users WHERE id ='" + id + "';"
• (input) 0'; DROP TABLE users
• (final) statement = "SELECT * FROM users WHERE id ='0'; DROP TABLE users;"
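The concatenation on this slide beside the prepared-statement fix, as an added example that is not part of the talk. It uses Python's stdlib sqlite3 driver and a constructed in-memory users table; the vulnerable builder only returns the SQL text so the reader can see how the slide's input rewrites the query, while the safe version actually executes with that same input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the talk): a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "bill"), (2, "brad")])
    conn.commit()
    return conn


def vulnerable_statement(user_id: str) -> str:
    """The slide's (original) statement: SQL built by string concatenation.
    Returned as text only, never executed here; the input becomes part of
    the statement's structure instead of staying a value."""
    return "SELECT * FROM users WHERE id ='" + user_id + "';"


def find_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Prepared statement: the SQL text is fixed and the value travels as a
    separate bound parameter, so no input can change what the query does."""
    cur = conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,))
    return cur.fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the schema catalogue so we can confirm nothing was dropped."""
    cur = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,))
    return cur.fetchone()[0] == 1


if __name__ == "__main__":
    attack = "0'; DROP TABLE users"          # the (input) line from the slide
    print(vulnerable_statement(attack))      # the (final) statement from the slide
    db = make_db()
    print(find_user_safe(db, "1"))           # [(1, 'bill')]
    print(find_user_safe(db, attack))        # [] -- treated as a value, matches nothing
    print(table_exists(db, "users"))         # True -- the table is untouched
```

The same parameter-binding idea applies to PHP's PDO or mysqli prepared statements; the driver changes, the rule (SQL text fixed, values bound) does not.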
http://xkcd.com/327/
Path Disclosure
• Allowing an attacker to see the filesystem path to the web root, e.g. /home/site.com/public/index.php
• This could allow viewing of private files, and provides a nugget of knowledge that can be combined to allow full access.
• http://site.com/index.php?page=about
• http://site.com/index.php?page=../config
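A router for the ?page= parameter above that refuses the ../config form, as an added example that is not part of the talk. The pages directory, the allowlist of page names and the .php suffix are assumptions; the point is that a page name is validated as a short slug, checked against a list of known pages, and its resolved location confirmed to still sit under the pages directory, with a fixed error message that never echoes a path.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed layout (not from the talk): page templates live in their own directory.
PAGES_DIR = Path("/home/site.com/public/pages")
# Allowlist of pages the router may serve; anything else is a 404.
ALLOWED_PAGES = {"home", "about", "contact"}
# A page name is a short lower-case slug, never a path.
SLUG = re.compile(r"[a-z0-9-]{1,40}")


def resolve_page(page: str, pages_dir: Path = PAGES_DIR) -> Optional[Path]:
    """Map the ?page= value to a file, or None when it must be refused.
    Three independent checks, so a mistake in one is caught by another."""
    # 1. Shape check: rejects '../config', slashes, dots and empty names.
    if not SLUG.fullmatch(page):
        return None
    # 2. Allowlist: only pages the site actually has.
    if page not in ALLOWED_PAGES:
        return None
    # 3. Containment: the resolved file must still be under pages_dir.
    base = pages_dir.resolve()
    candidate = (base / f"{page}.php").resolve()
    if base not in candidate.parents:
        return None
    return candidate


def render(page: str) -> tuple:
    """Status and body. The rejected value and any server path stay out of
    the response; details belong in the server log, not the client."""
    target = resolve_page(page)
    if target is None:
        return 404, "Page not found"
    return 200, f"would include {target.name}"


if __name__ == "__main__":
    print(render("about"))        # (200, 'would include about.php')
    print(render("../config"))    # (404, 'Page not found')
```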
Cross Site Request Forgery (CSRF)
• Exploits a website’s functionality on behalf of an authenticated user without that user’s intent. This commonly comes from features driven by URL parameters that don’t have sufficient verification in place.
• http://site.com/send-message.php?from=bill&to=brad&message=hi
• May also be exploited by malicious code injected into a page.
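Verification for the send-message action above, as an added example that is not part of the talk. The server secret, session id and form field name are constructed assumptions. The check does two things the slide's URL lacks: it only accepts the state change as a POST, and it requires a token derived from the user's session, so a link or injected code on another site cannot supply one.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed server-side secret (in practice loaded from config outside the web root).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to the user's session, so a token captured from one session
    never validates in another. Embed it in the send-message form as a hidden field."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_send_message(method: str, session_id: str, form: dict,
                           secret: bytes = SERVER_SECRET) -> bool:
    """Accept the action only when it arrives as a POST carrying a valid token."""
    if method != "POST":            # a state change reachable by GET is forgeable by any link or img tag
        return False
    token = form.get("csrf_token")
    if not token:
        return False
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, token)   # constant-time comparison


def request_from_url(url: str) -> tuple:
    """Turn the slide's GET link into (method, params) so it can be run through the check."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return "GET", params


if __name__ == "__main__":
    sid = "session-abc"   # constructed session id
    method, params = request_from_url(
        "http://site.com/send-message.php?from=bill&to=brad&message=hi")
    print(authorize_send_message(method, sid, params))            # False: GET, no token
    form = {"to": "brad", "message": "hi", "csrf_token": issue_csrf_token(sid)}
    print(authorize_send_message("POST", sid, form))              # True
    print(authorize_send_message("POST", "other-session", form))  # False: token from another session
```

The `from=` parameter in the slide's URL is a second problem the token does not fix: the sender should come from the authenticated session, never from the request.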
Information Disclosure
• Releasing sensitive information to an untrusted environment. This can be details of the operating environment, customer data, or trade secrets.
• Path that the website runs at, database info, service versions, etc.
• Credit card data, private account info (address, phone), and customer history.
• Business logic, processes, and long-term business plans.
Easy Improvements
• Secure Your Environment
• Secure Your Website
• Establish Audits
Secure your Environment
• Leave your cheap web host (BlueHost, GoDaddy, etc) and go to a Virtual Private Server (VPS) such as Digital Ocean, Linode, Rackspace, AWS, etc. You don’t want to share security concerns with the world.
• Turn off the display of errors and debugging info in production, and redirect them to log files.
• Turn on automatic updates for security patches.
• Turn off broadcasting of service versions and extensions.
• Turn off modules that aren’t required.
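What the "errors to log files, not to the browser" bullet looks like in application code, as an added example that is not part of the talk. The log path and the failing view are constructed; the failing view's own error message contains a server path, which is exactly the kind of detail the production response must not carry.

```python
import logging
import secrets
import traceback

# Assumed (not from the talk): a log file outside the web root; placeholder path.
LOG_PATH = "/var/log/site/app.log"
logger = logging.getLogger("site")


def handle_request(view, debug: bool = False) -> tuple:
    """Run a view function. Full detail goes to the log; the client gets a
    generic message plus a random reference id that support can grep for."""
    try:
        return 200, view()
    except Exception:
        ref = secrets.token_hex(4)
        logger.error("ref=%s unhandled error:\n%s", ref, traceback.format_exc())
        if debug:                   # development only; never enabled in production
            return 500, traceback.format_exc()
        return 500, f"Something went wrong (reference {ref})."


def broken_view() -> str:
    """Constructed failing view: the exception text itself leaks a server path."""
    with open("/home/site.com/private/config.php") as f:
        return f.read()


if __name__ == "__main__":
    # In production: logging.basicConfig(filename=LOG_PATH, level=logging.ERROR)
    logging.basicConfig(level=logging.ERROR)
    print(handle_request(broken_view))             # generic message, path stays in the log
    print(handle_request(broken_view, debug=True))  # full traceback, development only
```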
Sorry, We’re Not Sharing Security…
Thanks for letting me know…
Secure Your Website
• Sanitize user input. Always.
• Escape and sanitize database queries. Better yet, use an established package for prepared statements.
• Store sensitive data outside of the webroot with proper permissions.
• Use SSL where possible.
• Sandbox user uploads and treat them with suspicion.
Establish Audits
• Black Box: Security/Vulnerability Scanners, Penetration Tests
• White Box: Source Code Analyzers, Code Tests
• Password Testing
More Security Info
• http://www.webappsec.org
• http://www.owasp.org
Stretch. Last-minute bucket. We’re in overtime.
Bonus: Password Security
• Terminology
• Landscape/Problems
• Best Practices
• Getting Policy Buy-in
Password Terminology
• Encrypting - The process of encoding messages or information in such a way that only authorized parties can read it*. Encryption typically involves a private key and is two-way: it can be reversed.
• Hashing - Password hashing is a one-way conversion of an input into a representative string. (i.e. nothing = 4fhk348fhsk48rfk4d3)
• Salting - A unique string of characters (hopefully per user) that keeps the password hashes different for users who have the same password.
*http://en.wikipedia.org/wiki/Encryption
• Entropy (Strength) - A measure of the uncertainty associated with a random variable. (i.e. Password Strength)
• Rainbow Tables - Pre-calculated lookup tables that match a hash value back to its input string for a known hashing algorithm.
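The hashing, salting and rainbow-table terms above in working code, as an added example that is not part of the talk. It uses only the standard library: a plain SHA-256 digest, which is identical for every user with the same password and is therefore what a precomputed table answers, beside a per-user random salt fed into a deliberately slow PBKDF2-HMAC-SHA256 derivation. The iteration count is a constructed choice.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # constructed value; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Plain SHA-256. Same password -> same hash for every user, so one
    precomputed (rainbow) table of hashes answers all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, slow hash. The random per-user salt is stored beside the hash;
    it is not a secret, it just means a table built for one user is useless
    for the next, and the work factor makes building one expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Two users who both chose the password from the slide's example.
    print(unsalted_hash("nothing") == unsalted_hash("nothing"))   # True: one lookup cracks both
    alice, bob = make_record("nothing"), make_record("nothing")
    print(alice["hash"] == bob["hash"])                            # False: salts differ
    print(verify("nothing", alice), verify("Nothing", alice))      # True False
```

Storing the iteration count in the record lets you raise the work factor later and re-hash each user at their next successful login. Dedicated password hashes (bcrypt, scrypt, Argon2) are preferable where a library is available; PBKDF2 is used here only because it ships with Python.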
http://xkcd.com/936/
Problems
State of Passwords
• Most people share between sites
• Most people don’t use secure passwords
• Secure, high-entropy passwords are impossible to remember
• Most people don’t use a password manager
Lack of Transparency
• Web apps and sites don’t disclose their password policies or encryption strength, and there isn’t a standards body to police who’s following best practices and who’s being risky.
• Users often don’t find out what data was compromised in an attack, and frequently don’t find out about a breach at all until it reaches the news cycle.
Forgotten Trail
• With e-commerce, we often have to create an account, provide payment details, and then may never shop there again. However, the data persists.
• Users typically don’t keep a master list of sites they have an account on, or have purchased from. Each account can act as a nugget of knowledge, slowly building up to enough data for concern.
Best Practices / Worst Practices
Don’t help the enemy
• Don’t: Policies that enforce things such as “first character must be upper case” and “must end in a special character”. These rules let an attacker mask the search space.
• Don’t: To an extent, disclose the minimum requirements for lower case, upper case, numeric, and special characters.
Garbage in, garbage out
• Don’t: Having no password policy at all.
• Don’t: Allowing common passwords like ‘password’, ‘123456’.
• Don’t: Allowing common dictionary words.
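A password check that follows these two slides, as an added example that is not part of the talk. It rejects common passwords and dictionary words (including a dictionary word padded with digits and symbols) and enforces a minimum length, while deliberately imposing none of the positional composition rules the previous slide warns against. The minimum length, the common-password list and the dictionary are small constructed stand-ins; a real deployment would load a large breached-password list.

```python
import re

MIN_LENGTH = 12   # constructed value; length beats composition rules for entropy

# Constructed denylist: in practice load a large list of breached/common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
# Constructed stand-in for a dictionary word list.
DICTIONARY = {"dragon", "monkey", "sunshine", "football", "welcome"}


def check_password(candidate: str) -> tuple:
    """Return (ok, reason). No 'first character must be upper case' style
    rules: those shrink the space an attacker has to search."""
    normalized = candidate.lower()
    if normalized in COMMON_PASSWORDS:
        return False, "in common-password list"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # 'Sunshine2014!' is still just 'sunshine' once the padding is removed.
    core = re.sub(r"[^a-z]", "", normalized)
    if core in DICTIONARY or core in COMMON_PASSWORDS:
        return False, "dictionary word with trivial padding"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["password", "Sunshine2014!", "correct horse battery staple"]:
        print(repr(pw), check_password(pw))
```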
Getting Policy Buy-in
#1 Prevent PR Issues
#2 Cost vs Risk
• Doing security correctly is less expensive upfront. The opportunity cost is minimal compared to the reduction in risk. Cost * Risk = Likelihood Cost
• What does it cost to clean up the mess: reset the passwords, scan the servers, added support calls/requests, etc…
#3 Predictability
• Help project/business managers minimize unexpected security response events.
• Better understand how your week is going to go.
My Ask of You
• If you found this information useful, I ask two things of you:
• Follow me on Twitter for development tips: @mavrck
• Back the Salt Mines Device Lab fundraiser for $1+: http://igg.me/p/728005
• Also, we’re hiring at LMG. Grab a card if you’re currently not next to your boss (otherwise email [email protected]).
Roaring Applause Here. Thanks for your time.