The OWASP Foundation http://www.owasp.org Why hackers don’t care about your firewall Seba Deleersnyder [email protected]


Page 1: The OWASP Foundation  Why hackers don’t care about your firewall Seba Deleersnyder seba@owasp.org

The OWASP Foundation http://www.owasp.org

Why hackers don’t care about your firewall

Seba Deleersnyder

[email protected]

Page 2:

Sebastien Deleersnyder?

• 5 years developer experience

• 11 years information security experience

• Managing Technical Consultant SAIT Zenitel

• Belgian OWASP chapter founder

• OWASP board member

• www.owasp.org

• Co-organizer www.BruCON.org

Page 3:

OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software.

Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.


Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.


Page 4:

Myth

We are secure because we have a firewall

75% of Internet Vulnerabilities are at Web Application Layer *

*Gartner Group (2002 report)

Page 5:

Source: Jeremiah Grossman, BlackHat 2001

Page 6:

20th century technology

Page 7:

Security evolution?

Source: Gunnar Peterson (Arctec Group)

Page 8:

A firewall friendly protocol

=

“a skull friendly bullet”

(Bruce Schneier)

Page 9:

Your security “perimeter” has huge holes at the application layer

[Diagram: Firewall → Hardened OS → Web Server → App Server → Firewall → Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing. Custom Developed Application Code is the target of the APPLICATION ATTACK.]

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

(Diagram axes: Network Layer / Application Layer)

Page 10:

OWASP Top 10

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Page 11:

A1 – Injection

Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter

Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…

SQL injection is still quite common
• Many applications still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid

Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access

Page 12:

Example: SQL injection attack

Intended query:

Select user_information from user_table where username=’input username’ and password=’input password’

(Diagram: User → https → Web Server → Application Server → User Database)

Query actually executed after the attacker supplies the username ’ or 1=1 --:

Select user_information from user_table where username=’’ or 1=1 -- ’ and password=’abc’
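The login query from this slide, as an added Python example (not part of the original deck): the SELECT built by string concatenation beside its parameterised form, both run against a constructed in-memory SQLite table so the effect of the ’ or 1=1 -- input can be compared.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user row in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_table (username TEXT, password TEXT, user_information TEXT)"
    )
    conn.execute(
        "INSERT INTO user_table VALUES ('alice', 's3cret', 'alice: balance 100')"
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The slide's query assembled by concatenation: user input becomes part of
    the SQL text, so a quote and a comment marker rewrite the WHERE clause."""
    sql = (
        "SELECT user_information FROM user_table "
        "WHERE username='" + username + "' AND password='" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The same query with bind parameters: the interpreter receives the input
    as data values only, never as SQL, so no string can change the query."""
    sql = "SELECT user_information FROM user_table WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("concatenated:", login_vulnerable(db, payload, "abc"))
    print("parameterised:", login_parameterised(db, payload, "abc"))
```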

Page 13:

RockYou?

December 2009
• A hacker used SQL injection techniques to hack the database of RockYou
• RockYou creates applications for MySpace, Facebook, ...

Result
• Data of 32.603.388 users and administrative accounts was compromised (credentials + clear text passwords)
• The data also contained email addresses and passwords for 3rd party sites

Question: how many of those users use the same password for other sites too?

Page 14:

A2 – Cross-Site Scripting (XSS)

Occurs any time…
• Raw data from attacker is sent to an innocent user’s browser

Raw data…
• Stored in database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into rich JavaScript client

Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)

Typical Impact
• Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites

Page 15:

XSS = Cross-site Scripting

Web application vulnerability

Injection of code into web pages viewed by others

XSS = new buffer overflow

Javascript = new Shell Code

Page 16:

XSSED.ORG

Still not fixed (with redirection): http://www.google.com/search?btnI&q=allinurl:http://www.xssed.com/

Page 17:

Browser Exploitation Framework

Page 18:

A3 – Broken Authentication and Session Management

HTTP is a “stateless” protocol
• Means credentials have to go with every request
• Should use SSL for everything requiring authentication

Session management flaws
• SESSION ID used to track state since HTTP doesn’t
• and it is just as good as credentials to an attacker
• SESSION ID is typically exposed on the network, in browser, in logs, …

Beware the side-doors
• Change my password, remember my password, forgot my password, secret question, logout, email address, etc…

Typical Impact
• User accounts compromised or user sessions hijacked

Page 19:

Session Fixation Attack

Page 20:

A4 – Insecure Direct Object References

How do you protect access to your data?
• This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access

A common mistake …
• Only listing the ‘authorized’ objects for the current user, or
• Hiding the object references in hidden fields
• … and then not enforcing these restrictions on the server side
• This is called presentation layer access control, and doesn’t work
• Attacker simply tampers with parameter value

Typical Impact
• Users are able to access unauthorized files or data

Page 21:

Insecure Direct Object References Illustrated

https://www.onlinebank.com/user?acct=6065

1. Attacker notices his acct parameter is 6065: ?acct=6065
2. He modifies it to a nearby number: ?acct=6066
3. Attacker views the victim’s account information

Page 22:

A5 – Cross Site Request Forgery (CSRF)

Cross Site Request Forgery
• An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application
• Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request

Imagine…
• What if a hacker could steer your mouse and get you to click on links in your online banking application?
• What could they make you do?

Typical Impact
• Initiate transactions (transfer funds, logout user, close account)
• Access sensitive data
• Change account details

Page 23:

CSRF Illustrated

Page 24:

CSRF Illustrated

Page 25:

Good Saturday for Orkut Users

Page 26:

A6 – Security Misconfiguration

Web applications rely on a secure foundation
• All through the network and platform
• Don’t forget the development environment

Is your source code a secret?
• Think of all the places your source code goes
• Security should not require secret source code

Configuration Management must extend to all parts of the application
• All credentials should change in production

Typical Impact
• Install backdoor through missing network or server patch
• XSS flaw exploits due to missing application framework patches
• Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration

Page 27:

Security Misconfiguration Illustrated

[Diagram: Hardened OS → Web Server → App Server → Framework → App Configuration → Custom Code (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions). Also in scope: Test Servers, QA Servers, Source Control, Development, Database, Insider.]

Page 28:

Serving up malware

A quick Google Safe Browsing search of TechCrunch Europe’s site shows suspicious activity twice over the last 90 days: “Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent.” (Sep 2010)

Reason: unpatched WordPress

Page 29:

A7 – Failure to Restrict URL Access

How do you protect access to URLs (pages)?
• This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References

A common mistake …
• Displaying only authorized links and menu choices
• This is called presentation layer access control, and doesn’t work
• Attacker simply forges direct access to ‘unauthorized’ pages

Typical Impact
• Attackers invoke functions and services they’re not authorized for
• Access other user’s accounts and data
• Perform privileged actions

Page 30:

Failure to Restrict URL Access Illustrated

https://www.onlinebank.com/user/getAccounts

1. Attacker notices the URL indicates his role: /user/getAccounts
2. He modifies it to another directory (role): /admin/getAccounts, or /manager/getAccounts
3. Attacker views more accounts than just their own
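Both illustrations (A4, the acct parameter, and A7, the role directory in the URL) come down to the same server-side check that the “presentation layer access control” the slides warn about never performs. The following Python example is added here and is not code from the deck; the account table, role table and the admin-may-view-anything policy are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the slides): who owns which account, and
# the role bound to each authenticated session user.
ACCOUNT_OWNER = {"6065": "attacker", "6066": "victim"}
USER_ROLE = {"attacker": "user", "victim": "user", "ops": "admin"}

# Which URL directories each role may enter. The server consults this table,
# not the set of links or menu choices the UI happened to display.
ROLE_DIRS = {
    "user": ("/user",),
    "manager": ("/user", "/manager"),
    "admin": ("/user", "/manager", "/admin"),
}


def path_allowed(path: str, role: str) -> bool:
    """Match a directory exactly or as a prefix followed by '/', so that
    '/user' and '/user/getAccounts' pass while '/userX' does not."""
    return any(path == d or path.startswith(d + "/") for d in ROLE_DIRS[role])


def authorize(session_user: str, url: str) -> bool:
    """Server-side check run on every request, independent of what the UI showed."""
    role = USER_ROLE.get(session_user)
    if role is None:
        return False  # no authenticated session behind this request
    parts = urlsplit(url)
    # A7: the role bound to the session decides, not the directory the client typed.
    if not path_allowed(parts.path, role):
        return False
    # A4: every direct object reference in the request must belong to the
    # session user (this constructed policy lets admins view any account).
    for acct in parse_qs(parts.query).get("acct", []):
        if role != "admin" and ACCOUNT_OWNER.get(acct) != session_user:
            return False
    return True


if __name__ == "__main__":
    for user, url in [("attacker", "https://www.onlinebank.com/user?acct=6066"),
                      ("attacker", "https://www.onlinebank.com/admin/getAccounts")]:
        print(user, url, "->", "allowed" if authorize(user, url) else "denied")
```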

Page 31:

A8 – Insecure Cryptographic Storage

Storing sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data gets stored
• Databases, files, directories, log files, backups, etc.
• Failure to properly protect this data in every location

Typical Impact
• Attackers access or modify confidential or private information
• e.g. credit cards, health care records, financial data (yours or your customers)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance
• Business gets sued and/or fined

Page 32:

Encrypt customer data?

Customer data, 77 Million compromised (potentially CCs as well)

Page 33:

A9 – Insufficient Transport Layer Protection

Transmitting sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data is sent
• On the web, to backend databases, to business partners, internal communications
• Failure to properly protect this data in every location

Typical Impact
• Attackers access or modify confidential or private information
• e.g. credit cards, health care records, financial data (yours or your customers)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident
• Business gets sued and/or fined

Page 34:

Still not using SSL?

Page 35:

A10 – Unvalidated Redirects and Forwards

Web application redirects are very common
• And frequently include user supplied parameters in the destination URL
• If they aren’t validated, attacker can send victim to a site of their choice

Forwards (aka Transfer in .NET) are common too
• They internally send the request to a new page in the same application
• Sometimes parameters define the target page
• If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks

Typical Impact
• Redirect victim to phishing or malware site
• Attacker’s request is forwarded past security checks, allowing unauthorized function or data access

Page 36:

Jobs by CNN?

http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW
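The CNN link above passes the destination as a Redirect parameter, and note the one-slash form http:/bit.ly/…, which browsers still treat as an absolute URL. The following Python example is added here and is not code from the deck: it validates a redirect parameter so that only paths on the site’s own host are ever used, rejecting off-site, protocol-relative and one-slash targets. The site name and allowed host are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed policy for the example (hypothetical site, not from the slides):
# redirects may only land on this host.
SITE = "https://www.example.com"
ALLOWED_HOSTS = {"www.example.com"}


def safe_redirect_target(param: str, default: str = "/") -> str:
    """Resolve a user-supplied redirect parameter to an on-site URL,
    or fall back to `default` when the value would leave the site."""
    target = (param or "").strip()
    if not target:
        return default
    parts = urlsplit(target)
    # Anything carrying its own scheme or host is off-site. This covers the
    # one-slash form 'http:/host/...' from the CNN example: urlsplit reports
    # scheme 'http' with an empty netloc, so a netloc-only check would miss it.
    if parts.scheme or parts.netloc:
        return default
    # Protocol-relative '//host' and backslash variants are read as a host by
    # browsers; reject them explicitly rather than relying on the parser.
    if target.startswith(("//", "/\\", "\\")):
        return default
    # Only a site-relative path remains; resolve it and confirm the host.
    resolved = urljoin(SITE + "/", target)
    if urlsplit(resolved).netloc not in ALLOWED_HOSTS:
        return default
    return resolved


if __name__ == "__main__":
    # Constructed inputs, including an off-site target in the one-slash form.
    for value in ["/account/summary", "http:/attacker.example/landing",
                  "//attacker.example/landing"]:
        print(repr(value), "->", safe_redirect_target(value))
```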


Page 37:

Download

http://www.owasp.org/index.php/Top_10

Page 38:

CAN WE WIN THE WAR ON INSECURE SOFTWARE?

Page 39:

Enter the rest of OWASP

People
• Education
• Guides (build, test, code review)
• Events
• ...

Tools
• Webgoat
• WebScarab
• ESAPI
• ...

Process
• Requirements list
• CLASP
• SAMM
• ...

Page 40:

Software Assurance Maturity Model

(SAMM)

Page 41:

SAMM Security Practices

• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement

Page 42:

Build “Your” Roadmap

• Gap analysis:
  • Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement:
  • Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations

Page 43:

OWASP Projects Are Alive!

(Timeline: 2001, 2003, 2005, 2007, 2010 …)

Page 44:

www.owasp.org

Page 45:

OWASP NEAR YOU

Page 46:

Upcoming local events

• OWASP Chapter meetings:
  • 23-May - Brussels:
    • The Ghost of XSS Past, Present and Future – A Defensive Tale (by Jim Manico, Infrared Security)
  • 16-Jun - Brussels:
    • The OWASP AppSensor Project (by Colin Watson, Watson Hall Ltd)
    • How to become Twitter's admin: An introduction to Modern Web Service Attacks (by Andreas Falkenberg, RUB)
• OWASP AppSec Europe – Dublin – Jun 7-9
• BruCON – Brussels – Sep 19-22
• OWASP BeNeLux – Luxembourg Nov-30/Dec-1

Page 47:

Subscribe mailing list

www.owasp.be

Keep up to date!