OWASP 201: Request-based Security

Transcript

1. OWASP 201:
   Request-Based Security
   Eric Mann
   

   View Slide

2. ASR 1 - Injection
   

   View Slide

3. The attacker's hostile data can
   trick the interpreter into
   executing unintended
   commands or accessing data
   without proper authorization.
   

   View Slide

4. xkcd: Exploits of a Mom - https://xkcd.com/327/
   

   View Slide

5. $db = new \PDO(...);
   $name = $_POST['name'];
   $sql = "SELECT * FROM users WHERE email='$name'";
   foreach($db->query($sql) as $user) {
   // ...
   }
   curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com
   SELECT * FROM users WHERE email='[email protected]' OR 1=1;--'
   

   View Slide

6. $db = new \PDO(...);
   $name = $_POST['name'];
   $sql = "SELECT * FROM users WHERE email=:email";
   $statement = $db->prepare($sql);
   $params = [':email' => $name];
   foreach($db->execute($statement, $params) as $user) {
   // ...
   }
   curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com
   SELECT * FROM users WHERE email='[email protected]\' OR 1=1;--'
   

   View Slide

7. function serve_file($filename) {
   header("Content-Type: application/octet-stream");
   header("Content-Disposition: attachment; filename=\"{$filename}\"");
   header("Content-Length: 11111");
   passthru("cat /home/uploads/" . $filename);
   exit();
   }
   curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com
   cat /home/uploads/;cat /etc/letsencrypt/site.com/privkey.pem
   

   View Slide

8. function serve_file($filename) {
   // Sanitize the filename before it's used
   $sanitized = basename($filename);
   header("Content-Type: application/octet-stream");
   header("Content-Disposition: attachment; filename=\"{$sanitized}\"");
   header("Content-Length: 11111");
   $path = "/home/uploads/{$sanitized}";
   passthru('cat ' . escapeshellarg($path));
   exit();
   }
   curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com
   cat /home/uploads/privkey.pem
   

   View Slide

9. ASR 2 - Broken
   Authentication
   

   View Slide

10. Application functions related
    to authentication and session
    management are often not
    implemented correctly...
    

    View Slide

11. Client-side Sessions
    Don’t trust the user to store sensitive information
    Don’t trust information provided by the user
    Don’t store sensitive information with an untrusted party
    Don’t use cookies to store sensitive data
    (If you are using cookies, use secure cookies - but only store identifiers)
    

    View Slide

12. Password Management
    Passwords should NEVER be stored in plaintext.
    Passwords should NEVER be stored with encryption.
    Passwords should ONLY be stored using one-way hashes.
    Try to avoid passwords in the first place...
    

    View Slide

13. View Slide

14. (Full image slide. No text)
    

    View Slide

15. Problems with JWT
    Leaking sensitive information
    The `none` algorithm is required by the spec
    Algorithm confusion - RSA vs HMAC
    Weak algorithms are allowed
    

    View Slide

16. What you should do
    Only store session data on the server
    Ensure strong authentication protects user identities
    Lock down insecure algorithms and primitives
    Only use trusted third-party library implementations
    

    View Slide

17. ASR 4 - XML External
    Entities
    

    View Slide

18. Untrusted XML input
    containing a reference to an
    external entity is processed by
    a weakly configured XML
    parser ...
    

    View Slide

19. 
    ]>
    
    Friend of &name;
    &name;
    &name; - 2019
    
    "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>
    
    &info;
    
    

    View Slide

20. 
    
    
    
    
    
    
    
    ]>
    
    &bomb;
    
    

    View Slide

21. $default = libxml_disable_entity_loader(true);
    $dom = new DOMDocument();
    $dom->loadXML($xml);
    // Do things with XML
    // Restore the previous value
    libxml_disable_entity_loader($default);
    What you should do
    

    View Slide

22. ASR 7 - Cross-Site
    Scripting (XSS)
    

    View Slide

23. An application takes
    untrusted data and sends it to
    a web browser without
    proper validation or escaping.
    

    View Slide

24. 
    Search results for: ""
    
    
    
    
    title; ?>
    
    
    
    No results for ''
    
    
    
    Search results for:
    No results for ''
    
    

    View Slide

25. 
    
    Search results for: ""
    
    
    
    title; ?>
    
    
    
    No results for ''
    
    
    
    Search results for: ""
    No results for ''
    
    

    View Slide

26. ASR 8 - Insecure
    Deserialization
    

    View Slide

27. Languages’ native
    deserialization mechanisms
    can be repurposed for
    malicious effect when
    operating on untrusted data.
    

    View Slide

28. class CartCache {
    $cache_file;
    $data = [];
    // ...
    /**
    * Automatically purge the cache file from disk to clean up
    */
    public function __destruct() {
    $file = "/var/www/cache/tmp/carts/{$this->cache_file}";
    if ($this->cleanup && file_exists($file)) {
    @unlink($file);
    }
    }
    }
    $data = unserialize($_GET['data']);
    https://yoursite.com/endpoint.php?data=O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../i
    ndex.php";s:4:"data";a:0:{}}
    

    View Slide

29. Do not pass untrusted user
    input to unserialize()
    regardless of the options
    value of allowed_classes.
    

    View Slide

30. Questions?
    

    View Slide

31. Thank you
    [email protected] | 503.925.6266
    

    View Slide