Securing Applications: A Practical Primer for Developers
Burak Dayıoğlu (upload: burak-dayioglu, posted 18-Jul-2015)

TRANSCRIPT

Securing Applications
A Practical Primer for Developers

Burak Dayıoğlu

Your security, your future

© 2009, Pro-G Information Security & Research Ltd., All Rights Reserved

About the presenter

Application Security Today

BJ's Settles Case with FTC over Customer Data
JUNE 17, 2005 -- After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed
FTC alleges weak security at wholesale club led to fraudulent sales valued in the millions

Visa, Amex Cut Ties with CardSystems
July 19, 2005 -- Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data

Massive Security Breach Reveals Credit Card Data
Jan 18, 2007 -- The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob's Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

CNBC's Easy Money
BusinessWeek uncovers that the cable channel's own design flaw may be behind the investigation into its million-dollar stock-picking contest

USDA admits data breach, thousands of social security numbers revealed
Thursday, 17 April 2007 (AXcess News) Washington - The US Department of Agriculture (USDA) admitted that a security breach allowed social security and other personal information of over 63,000 recipients of federal farm loans to be made available on a public website in violation of Federal privacy laws.

Holistic Approach to Security

Network (defend the network)
    Controls: port blocking, filtering, encryption
    Threats:  spoofed packets, etc.

Host (defend the host)
    Controls: updates, IIS hardening, ACLs, CAS, logging, least privilege, account mgmt.
    Threats:  buffer overflows, illicit paths, etc.

Application (defend the application)
    Controls: validation, hashing, encryption, secrets mgmt., cookie mgmt., session mgmt., error handling
    Threats:  SQL injection, XSS, input tampering, etc.

Hacking with Google

Security in the Development Lifecycle

Milestones: Requirements Assessment -> Design Complete -> Test Plans Complete -> Code Complete -> Ship -> Post Ship

Security activities along the way:
- Team training
- Assessing security requirements
- Inspecting previous vulnerabilities
- Use of design principles
- Threat modeling
- Applying security patterns
- External review
- Security testing
- Secure programming techniques
- Source code reviews
- Static analysis tools
- Review check-ins
- Penetration test
- External review and/or test
- Learn and improve
- Support and incident response

Guiding Design Principles

- Secure the weakest link
- Practice defense in depth
- Fail securely
- Follow the principle of least privilege
- Compartmentalize
- Keep it simple
- Remember that hiding secrets is hard
- Be reluctant to trust

Attack Surface Reduction (ASR)

A system's attack surface is the set of ways in which an attacker can enter the system and potentially cause damage.

The size of a system's attack surface is an indicator of its exposure: the larger the attack surface, the more insecure the system.

Reducing the Attack Surface

Reduce the amount of running code: do 80% of your users actually use the functionality? If not, turn it off.

Reduce entry points: if you can do the same with fewer ports, sockets, service entry points etc., then just do it.

Reduce access to entry points by untrusted users: restrict access to the network endpoints used by your application to the local subnet or IP range.

Input Validation

All data coming from untrusted sources should be validated before being processed; with invalid data it might be possible to tamper with application flow and/or behaviour.

What you can trust depends on the application context:
- Users
- Applications on the same host
- Shared libraries (.so, .dll etc.)
- OS interfaces
- Other modules in the same application

Blacklisting is "Bad"

Endless security issues with PHF (mid 1990s):
- Command injection (improper input validation); fix through blacklisting
- Command injection, round 2 (in just two days); fix through blacklisting
- Command injection, round 3 (in just another day); fix through whitelisting (problem solved)

The same lesson applies to command injection, SQL injection, LDAP injection etc.
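The PHF story above, as an added example that is not from the slides: a blacklist filter built from the very symbols this deck later calls "critical for the filesystem and the OS shell" is compared with an anchored whitelist. The sample inputs are constructed, and the comparison also shows a Python-specific pitfall: a hand-written `^...$` pattern used with `re.match` accepts a value that ends in a newline, because `$` matches before a trailing newline; `re.fullmatch` does not.

```python
import re

# Constructed sample values for a "username" parameter (not from the slides):
# benign names plus inputs carrying shell metacharacters.
SAMPLES = [
    "alice",
    "bob_99",
    "alice; id",      # ';' is on the blacklist
    "alice && id",    # '&&' is on the blacklist
    "alice | id",     # a single '|' is not on the list, so the blacklist passes it
    "alice\n",        # trailing newline: not on the list either
    "../alice",       # '..' is on the blacklist
    "a" * 40,         # over-long, but contains nothing "bad"
]

# Blacklist approach: strip the symbols the slides call critical for the
# filesystem and OS shell. Anything not on the list goes through untouched.
BLACKLIST = ("..", "&&", "||", ">", "<", "*", ";", "\0")


def blacklist_filter(value: str) -> str:
    for bad in BLACKLIST:
        value = value.replace(bad, "")
    return value


def blacklist_accepts(value: str) -> bool:
    """True when the blacklist finds nothing to strip, i.e. it considers the value clean."""
    return blacklist_filter(value) == value


# Whitelist approach: state exactly what a valid value looks like and reject
# everything else. Bounded length; no metacharacters are possible by construction.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def whitelist_accepts(value: str) -> bool:
    # re.fullmatch anchors at both ends of the whole string.
    return USERNAME_RE.fullmatch(value) is not None


# The '^...$' + re.match variant, kept only to show the trailing-newline pitfall.
NAIVE_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def naive_accepts(value: str) -> bool:
    return NAIVE_RE.match(value) is not None


def compare(samples=SAMPLES) -> dict:
    """Return {value: (blacklist_accepts, naive_accepts, whitelist_accepts)}."""
    return {s: (blacklist_accepts(s), naive_accepts(s), whitelist_accepts(s)) for s in samples}


if __name__ == "__main__":
    for value, (bl, naive, wl) in compare().items():
        print(f"{value!r:16} blacklist={bl!s:5} naive_regex={naive!s:5} whitelist={wl}")
```

The blacklist passes `alice | id` and `alice\n` because neither contains a listed token, which is exactly the "round 2, round 3" cycle: every fix enumerates one more symbol the attacker did not need. The whitelist has nothing to enumerate.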

Sample SQL Injection

Sample vulnerable code fragment (PHP):

    $query = "SELECT title FROM news WHERE body LIKE '%" . $criteria . "%'";

When $criteria is SECURITY:

    SELECT title FROM news WHERE body LIKE '%SECURITY%'

When $criteria is '; DELETE FROM news--

    SELECT title FROM news WHERE body LIKE '%'; DELETE FROM news--%'

The leading quote closes the LIKE pattern, the semicolon ends the statement, and the trailing -- comments out the rest of the original query, so the DELETE runs on any database/driver that accepts stacked queries.

What would be the Query?

    SELECT * FROM users WHERE username = '_1_' AND password = '_2_';

(_1_ and _2_ are filled in from the login form's username and password fields.)
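Both slides above, as an added example that is not from the deck: the PHP concatenation is transcribed into Python against an in-memory SQLite database, run once as stacked queries (so the DELETE actually executes) and once as a parameterised query. The news rows, the `admin'--` username used as one classic answer to the "what would be the query?" slide, and the plaintext password column (kept only to mirror the slide; real systems store hashes) are all constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO news (title, body) VALUES
            ('Patch Tuesday', 'Security updates released'),
            ('New office',    'We moved to a bigger building');
        INSERT INTO users VALUES ('admin', 'correct horse battery');
    """)
    return conn


def news_query_vulnerable(criteria: str) -> str:
    # The slide's PHP, transcribed: the user value is pasted into the SQL text.
    return "SELECT title FROM news WHERE body LIKE '%" + criteria + "%'"


def search_vulnerable(conn: sqlite3.Connection, criteria: str) -> str:
    query = news_query_vulnerable(criteria)
    # executescript runs every statement in the string, like a driver that
    # accepts stacked queries. sqlite3's execute() would refuse the second
    # statement, which hides the bug on this database rather than fixing it.
    conn.executescript(query)
    return query


def search_safe(conn: sqlite3.Connection, criteria: str) -> list:
    # Parameterised query: the value is bound as data and never parsed as SQL.
    rows = conn.execute(
        "SELECT title FROM news WHERE body LIKE ?", ("%" + criteria + "%",)
    ).fetchall()
    return [r[0] for r in rows]


def news_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM news").fetchone()[0]


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # The "what would be the query?" slide, filled in by concatenation.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    return conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo() -> dict:
    conn = make_db()
    payload = "'; DELETE FROM news--"
    results = {}
    results["safe_search_benign"] = search_safe(conn, "Security")
    results["safe_search_payload"] = search_safe(conn, payload)
    results["rows_after_safe"] = news_count(conn)
    # username admin'-- turns the rest of the WHERE clause into a comment
    results["login_bypass"] = login_vulnerable(conn, "admin'--", "wrong")
    results["login_safe"] = login_safe(conn, "admin'--", "wrong")
    results["vulnerable_query"] = search_vulnerable(conn, payload)
    results["rows_after_vulnerable"] = news_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value!r}")
```

The parameterised search returns no rows for the payload and leaves the table intact; the concatenated version empties it. The login bypass needs no stacked query at all, which is why it works even through a driver that only executes one statement at a time.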

Cross-Site Scripting (XSS)

A request parameter reflected into the page without encoding:

    /location=<script>document.images[4].src="http://www.badsite.com/news.jpg"</script>
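The reflected payload above, as an added example that is not from the slides: a page that echoes the `location` parameter verbatim beside one that HTML-encodes it at output time. The query string is the slide's payload; the surrounding markup and the page names are constructed.

```python
import html
from urllib.parse import parse_qs

# The payload from the slide, as it arrives in the query string.
SLIDE_QUERY = 'location=<script>document.images[4].src="http://www.badsite.com/news.jpg"</script>'


def location_from_query(query_string: str) -> str:
    # parse_qs splits each pair on the first '=' only, so the '=' inside the
    # payload stays part of the value.
    return parse_qs(query_string, keep_blank_values=True).get("location", [""])[0]


def render_vulnerable(location: str) -> str:
    # Reflects the parameter verbatim: the browser parses the <script> element
    # and runs it in the site's origin.
    return "<h1>Weather for " + location + "</h1>"


def render_escaped(location: str) -> str:
    # Encode at the point of output for the HTML context. quote=True also
    # encodes ' and ", so the same value is safe inside a quoted attribute.
    # A JavaScript or URL context would need its own encoder, not this one.
    safe = html.escape(location, quote=True)
    return ("<h1>Weather for " + safe + "</h1>\n"
            '<input name="location" value="' + safe + '">')


def executes_script(markup: str) -> bool:
    """Crude demo check: does the output still contain a live <script> tag?"""
    return "<script" in markup.lower()


def demo(query_string: str = SLIDE_QUERY) -> dict:
    loc = location_from_query(query_string)
    return {
        "vulnerable": executes_script(render_vulnerable(loc)),
        "escaped": executes_script(render_escaped(loc)),
        "escaped_markup": render_escaped(loc),
    }


if __name__ == "__main__":
    print(demo()["escaped_markup"])
```

Encoding belongs at the output boundary, not at input: the same `location` string may be written into an HTML body, an attribute, a script block and a URL, and each of those contexts has a different escaping rule.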

Web is just a messaging protocol

HTML Form Tampering

1.
    <FORM METHOD=POST ACTION="/pb/phonebook.php">
    <INPUT type="hidden" name="sessionID" value="ad757gj02m357">
    <INPUT type="hidden" name="username" value="pinguin">
    <INPUT type="submit" name="Retrieve Entries">
    </FORM>

2.
    <INPUT TYPE=text NAME=phonenumber MAXLENGTH=30>

3.
    <INPUT TYPE="radio" NAME="agegroup" VALUE="young">
    <INPUT TYPE="radio" NAME="agegroup" VALUE="middle">
    <INPUT TYPE="radio" NAME="agegroup" VALUE="old">

4.
    <SELECT NAME="langs">
    <OPTION VALUE=PHP>Personal Home Page</OPTION>
    <OPTION VALUE=ASP>Active Server Pages</OPTION>
    </SELECT>

Hidden fields, MAXLENGTH, radio buttons and select lists are all enforced only in the browser; any of these values can be changed before the request is sent.

Validating Form Data in Browser

Client-side validations can be bypassed or tampered with:

    <HTML>
    <HEAD>
    <TITLE>Client Side Validation Example</TITLE>
    <SCRIPT LANGUAGE="JavaScript1.2">
    <!--
    function checkmail() {
      regexpmail = /^[a-z0-9_\-\.]+\@([a-z0-9_\-]+\.)+[a-z0-9_\-]+$/;
      stremail = document.myform.email.value;
      result = stremail.match(regexpmail);
      if (!result) {
        alert("Address information not valid, please try again");
        return false;
      }
      return true;
    }
    //-->
    </SCRIPT>
    </HEAD>
    <BODY>
    <FORM NAME=myform ONSUBMIT="return checkmail()">
    <INPUT TYPE=text NAME=email MAXLENGTH=50>
    <INPUT TYPE=submit VALUE="Submit">
    </FORM>
    </BODY>
    </HTML>
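The form-tampering and browser-validation slides above, as one added example that is not from the deck: a server-side handler for the phonebook form that repeats every check the browser was trusted with. The session store, the honest and the hand-edited requests, and the phone-number format are constructed for the demo; the e-mail pattern has the same shape as the slide's client-side regex.

```python
import re

# Constructed server-side state (not from the slides). The session store is
# the only trusted source for who the user is.
SESSIONS = {"ad757gj02m357": {"username": "pinguin"}}

# The choices the HTML offered. Radio buttons and <select> options constrain
# nothing once the request has left the browser, so the server re-checks them.
AGE_GROUPS = {"young", "middle", "old"}
LANGS = {"PHP", "ASP"}
PHONE_RE = re.compile(r"\+?[0-9 ]{3,30}")  # assumed format; MAXLENGTH=30 re-enforced here
EMAIL_RE = re.compile(r"[a-z0-9_.-]+@([a-z0-9_-]+\.)+[a-z0-9_-]+")  # same shape as the slide's JS regex


def handle_phonebook(form: dict) -> dict:
    """Validate a POST to a /pb/phonebook.php-style endpoint on the server.

    Returns {"ok": True, "record": {...}} or {"ok": False, "errors": [...]}.
    """
    errors = []
    session = SESSIONS.get(form.get("sessionID", ""))
    if session is None:
        return {"ok": False, "errors": ["invalid session"]}

    # Identity comes from the session, never from the hidden 'username' field.
    username = session["username"]
    if form.get("username") not in (None, username):
        errors.append("username field does not match session (tampering?)")

    phone = form.get("phonenumber", "")
    if not PHONE_RE.fullmatch(phone):
        errors.append("phonenumber must be 3-30 digits/spaces")

    agegroup = form.get("agegroup", "")
    if agegroup not in AGE_GROUPS:
        errors.append("agegroup is not one of the offered values")

    lang = form.get("langs", "")
    if lang not in LANGS:
        errors.append("langs is not one of the offered values")

    email = form.get("email", "").lower()
    if len(email) > 50 or not EMAIL_RE.fullmatch(email):
        errors.append("email address not valid")

    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "record": {"username": username, "phonenumber": phone,
                                   "agegroup": agegroup, "langs": lang, "email": email}}


# Constructed requests: one as the browser would send it, one edited by hand
# (hidden field rewritten, MAXLENGTH ignored, values the form never offered).
HONEST_FORM = {"sessionID": "ad757gj02m357", "username": "pinguin", "phonenumber": "555 0100",
               "agegroup": "young", "langs": "PHP", "email": "pinguin@example.com"}
TAMPERED_FORM = {"sessionID": "ad757gj02m357", "username": "admin", "phonenumber": "5" * 40,
                 "agegroup": "root", "langs": "JSP", "email": "not-an-address"}
NO_SESSION_FORM = {"sessionID": "0000000000000", "username": "admin"}


if __name__ == "__main__":
    for form in (HONEST_FORM, TAMPERED_FORM, NO_SESSION_FORM):
        print(handle_phonebook(form))
```

The browser-side checkmail() function is still worth keeping for usability; it just cannot be the check that the server relies on.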

Error Messages

Error messages might reveal sensitive information to a potential attacker:
- Portions of an SQL statement
- An error message that includes the brand/version of the database or directory server
- An error message for a file that doesn't open
- ...

Handle all failure cases that you can foresee, and configure the environment to log (and not display) verbose error messages.
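The log-don't-display rule above, as an added example that is not from the slides: a lookup that catches the database error, writes the full detail to the server log under a reference id, and returns only a generic message carrying that reference. The missing `profiles` table is the constructed failure; the in-memory log handler exists only so the demo can show what was logged.

```python
import logging
import sqlite3
import uuid

LOG = logging.getLogger("app.db")


class _ListHandler(logging.Handler):
    """Collects log lines in memory so the demo can show what stayed server-side."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def fetch_profile(conn: sqlite3.Connection, user_id: int) -> dict:
    """Look a user up; never let the database's own error text reach the response."""
    try:
        row = conn.execute("SELECT name FROM profiles WHERE id = ?", (user_id,)).fetchone()
        return {"ok": True, "name": row[0] if row else None}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        # Full detail (exception text, which table, which user) goes to the log,
        # keyed by a reference the user can quote to support.
        LOG.error("ref=%s user_id=%s db error: %s", ref, user_id, exc)
        return {"ok": False, "message": f"The request could not be completed (reference {ref})."}


def demo() -> dict:
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    LOG.addHandler(handler)
    LOG.setLevel(logging.ERROR)
    LOG.propagate = False
    try:
        conn = sqlite3.connect(":memory:")  # constructed: no 'profiles' table exists
        response = fetch_profile(conn, 7)
    finally:
        LOG.removeHandler(handler)
    return {"response": response, "logged": handler.lines}


if __name__ == "__main__":
    out = demo()
    print("to the user:", out["response"])
    print("to the log: ", out["logged"])
```

The same split applies to the framework's default error page: a production configuration should send the stack trace to the log and a fixed page to the client.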

Filesystem Operations and Security

Any component that operates on files is high risk. If input validation is broken somehow:
- Arbitrary files might be read
- Arbitrary files might be overwritten
- Arbitrary files might be uploaded and executed

Beware of critical symbols for filesystem objects and the OS shell:

    . .. && || > < * ; null (%00)
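The "arbitrary files might be read" case above, as an added example that is not from the slides: a helper that resolves a user-supplied path under a web root and rejects null bytes, `..` traversal, absolute paths and symlinks that point outside. The web root, its files and the probe paths are constructed in a temporary directory.

```python
import os
import tempfile


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir, or raise ValueError."""
    if "\0" in user_path:
        # The %00 from the slide, after URL decoding. Checked up front so the
        # reason is explicit rather than whatever the OS layer reports.
        raise ValueError("null byte in path")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so a link planted inside
    # the web root that points outside is caught as well.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def attempt(base_dir: str, user_path: str) -> str:
    """Return 'allowed:<relative path>' or 'rejected:<reason>' for one probe."""
    try:
        resolved = safe_join(base_dir, user_path)
        return "allowed:" + os.path.relpath(resolved, os.path.realpath(base_dir))
    except ValueError as exc:
        return "rejected:" + str(exc)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout: public/docs/readme.txt is servable, secret.txt is not.
        webroot = os.path.join(tmp, "public")
        os.makedirs(os.path.join(webroot, "docs"))
        with open(os.path.join(webroot, "docs", "readme.txt"), "w") as fh:
            fh.write("hello")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("outside the web root")
        results = {
            "plain": attempt(webroot, "docs/readme.txt"),
            "dotdot_inside": attempt(webroot, "docs/../docs/readme.txt"),
            "traversal": attempt(webroot, "../secret.txt"),
            "absolute": attempt(webroot, "/etc/passwd"),
            "null_byte": attempt(webroot, "docs/readme.txt\0.jpg"),
        }
        try:
            os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(webroot, "docs", "link.txt"))
            results["symlink_out"] = attempt(webroot, "docs/link.txt")
        except OSError:
            results["symlink_out"] = "skipped: symlinks unavailable"
    return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe:14} {outcome}")
```

Note that `docs/../docs/readme.txt` is allowed: the check is on where the path ends up, not on whether it contains `..`. Combine it with a whitelist on the filename itself when the application only ever serves a known set of names.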

Easy to Guess Files and Directories

There are things to discover by just educated guessing:

    /CVS /admin /test README INSTALL backup.zip

Backup Files

Would one of them be left somewhere?

    mycode.jsp~ mycode.jsp.OLD mycode.jsp.ORIG mycode.jsp.BACK mycode.jsp.BAK

Directory Listings

Directory listings should be turned-off for all servers/sites
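The guessable-name and backup-file slides above, as one added example that is not from the deck: a pre-deployment scan of a web root for the names and suffixes those slides list. The directory tree it scans is constructed in a temporary directory; on a real deployment the same function would be pointed at the document root.

```python
import os
import tempfile

# Suffixes and names from the slides. Suffix matching is case-insensitive so
# mycode.jsp.OLD and mycode.jsp.old are both caught.
BACKUP_SUFFIXES = ("~", ".old", ".orig", ".back", ".bak")
GUESSABLE = {"CVS", "admin", "test", "README", "INSTALL", "backup.zip"}


def scan_webroot(root: str) -> list:
    """Return sorted (kind, relative_path) findings for a deployed web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in dirnames:
            if name in GUESSABLE:
                findings.append(("guessable-dir", os.path.normpath(os.path.join(rel_dir, name))))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name.lower().endswith(BACKUP_SUFFIXES):
                findings.append(("backup-file", rel))
            elif name in GUESSABLE:
                findings.append(("guessable-file", rel))
    return sorted(findings)


def build_sample_webroot(tmp: str) -> str:
    """Constructed deployment tree (not from the slides) with a few leftovers."""
    root = os.path.join(tmp, "htdocs")
    for d in ("admin", "CVS", "app"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.jsp", "app/mycode.jsp", "app/mycode.jsp~", "app/mycode.jsp.OLD",
              "app/mycode.jsp.BAK", "backup.zip", "README"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("x")
    return root


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_sample_webroot(tmp))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:15} {path}")
```

Every finding is a review item rather than a confirmed hole (an /admin directory may be intended), but each one is something a scanner will request without being told it exists. Directory listings make the guessing unnecessary, which is why the slide says to turn them off; in Apache that is `Options -Indexes`, in nginx `autoindex off;`.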

Thank you!

E-mail: [email protected] (pro-g.com.tr)
Twitter: dayioglu   FriendFeed: dayioglu
http://www.burakdayioglu.net

Your security, your future