webappsec @ ibuildings in 2014

@ Ibuildings

Boy Baukema29th January 2014, Vlissingen

Web Application Security 2014

Wednesday, February 5, 14

Fear Uncertainty and Doubt (FUD)

2

Adobe / Apple / Drupal.org / Evernote / LinkedInFacebook / NYT / PHP.netJava 0-daysSSL BREACH

High Profile customers targets: ‣ AbuseHub‣MijnDomein‣RTLNieuws

Windows XP EOL in April ’14Wednesday, February 5, 14

What to do?

‣OWASP Top 10 2013

‣ Status (Secure) Software Development Lifecycle

‣OWASP ASVS 2013

‣OWASP ASVS Bingo!

3


Security is a cross-cutting concern

'Thuisrouter directeur ook interessant voor hackers'

4


https://www.security.nl/posting/40213/%2527Thuisrouter+directeur+ook+interessant+voor+hackers%2527

https://www.security.nl/posting/40213/%2527Thuisrouter+directeur+ook+interessant+voor+hackers%2527

OWASP Top 10 (2013) time!

5


A1-Injection

6

‣ SQL Injection‣HTML Injection‣ XML Injection• XML External Entities (XXE)

‣ JavaScript Injection‣ CSS Injection


A2-Broken Authentication and Session Management

‣ Session Fixation‣Missing Session Timeout‣ Login over HTTP‣Unprotected Password Reset

7


HTTP Strict Transport Security

Strict-Transport-Security: ‣max-age=60000; ‣ includeSubDomains

8


A3-Cross-Site Scripting (XSS)

‣ Stored‣Reflected‣DOM based

See Injection.

9


Content-Security-Policy

Content-Security-Policy(-Report-Only): ‣ default-src 'none'; ‣ script-src https://cdn.mybank.net; ‣ style-src https://cdn.mybank.net; ‣ img-src https://cdn.mybank.net; ‣ connect-src https://api.mybank.com; ‣ frame-src 'self'‣ report-uri /my_amazing_csp_report_parser;

IE10+, FF4+, Chrome 14+, (iOS)Safari 5.1+, Android 4.4+http://caniuse.com/contentsecuritypolicy 10


https://cdn.mybank.net






https://api.mybank.com

https://api.mybank.com

http://caniuse.com/contentsecuritypolicy

http://caniuse.com/contentsecuritypolicy

A4-Insecure Direct Object References

11


A5-Security Misconfiguration

‣Out of date PHP version (PHP<5.3, <5.4 after July)‣ admin/admin‣ Stack traces‣ php.ini• max_execution_time= 0

• session.cookie_httponly = Off

• session.cookie_secure = Off

• allow_url_fopen = On

• See: PhpSecInfo

12


http://phpsec.org/projects/phpsecinfo/index.html

http://phpsec.org/projects/phpsecinfo/index.html

A6-Sensitive Data Exposure

‣Unsalted passwords‣Unencrypted Credit Cards‣ Passwords / Session tokens over HTTP

13


A7-Missing Function Level Access Control

14


A8-Cross-Site Request Forgery (CSRF)

15


A9-Using Components with Known Vulnerabilities

16


A10-Unvalidated Redirects and Forwards

17


BONUS: Clickjacking

18


X-Frame-Options

DENYThe page cannot be displayed in a frame, regardless of the site attempting to do so.SAMEORIGINThe page can only be displayed in a frame on the same origin as the page itself.ALLOW-FROM uriThe page can only be displayed in a frame on the specified origin.

IE8+,Chrome 4+, FF 3.6+ Safari 4+ 19


Secure Software Development LifeCycleSSDLC

20


Secure Software Development Life Cycle

21Source: http://pentestmag.com/security-and-the-software-development-life-cycle/


http://pentestmag.com/security-and-the-software-development-life-cycle/

http://pentestmag.com/security-and-the-software-development-life-cycle/

Requirements / Functional DesignThreat modeling

22

Security Requirements


Architecture & Design / Technical Design‣Web App Review

23


Development / Implementation

‣ Secure Coding Practices‣Whitebox Testing

24


Development: Secure Coding Guidelines

‣Use only POST for credentials‣Notify users when a password reset occurs‣Re-authenticate users prior to performing critical

operations‣ Logout functionality should be available from all pages

protected by authorization ‣Generate a new session identifier on any re-

authentication‣ Logging controls should support both success and failure

of specified security events

25Source: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf


https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

Development: (360) Code Reviews

26


Testing

‣Greybox testing

27


Deployment

‣Greybox security testing by third party

28


Maintenance / SLA

‣Black box quarterly‣Grey box annually‣Monitoring‣ Security Patches

29


Training‣Basic WebAppSec training‣ Secure Coding training‣QA & Testing training

30


OWASP ASVS 2013

31


Security Checklist

32


Leveling up

33

Requirements:

164

136

47


Scope

34


Requirements

V1. AuthenticationV2. Session ManagementV3. Access ControlV4. Input ValidationV5. Cryptography (at Rest)V6. Error Handling and LoggingV7. Data Protection

35

V8. Communication SecurityV9. HTTP SecurityV10. Malicious ControlsV11. Business LogicV12. Files and ResourcesV13. Mobile


An example

36


Annotated ASVS 2013

37


An AASVS Requirement has...

‣ Short Title‣ Long Title‣ Verification PASS‣ Verification FAIL‣ Verification Help‣ [Verification Help for PHP]‣ [Verification Help for Drupal]‣ [Verification Help for Symfony 2]‣Related Resources

38


Security Audit Template

‣ Introduction• Target Of Verification

• Scope

• Confidentiality

‣Document History, TOC‣ Conclusions‣ V1 - V13‣ Appendix A: Source Code analysis‣ Appendix B: Third Party libraries

39


Risk Rating

40Source: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology


https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

OWASP ASVS 2013 and the SSDLC

41


FAQ

‣ So we must be fully ASVS compliant?‣ ...?

42


ASVS BINGO!

43


BINGO!

44


Prizes

45


Bootcamp

46


Verify it

47


Your Script for today

100 Fork the Template to your personal space.

220 Pop the ‘TODO’ stack of Requirements221 If no Requirement, GOTO 350230 Assign the Requirement (mark with your name).231 Verify Requirement.232 Report the results.240 Push Requirement in the ‘DONE’ stack241 GOTO 220

350 Review the DONE stack. 48


webappsec @ ibuildings in 2014

Technology