OWASP 301: Infrastructure-based Security

Some of the trickier application security risks (ASRs) covered by the OWASP Top Ten are focused on infrastructure and application configuration. Because these risks sit deeper in the production stack, they can be harder to find and address. Together, we’ll walk through each of these risks, examine how to identify them in an application or production environment, and cover actionable steps you can take today to address them in your application.

Eric Mann

May 22, 2019

Transcript

  1. OWASP 301:
    Infrastructure-Based Security
    Eric Mann

  2. ASR 3 - Sensitive Data Exposure

  3. Many web applications do not adequately protect sensitive data, such as credit cards, tax IDs, and authentication credentials.

  4. Photo borrowed from Schneier on Security:
    https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html

  5. Sensitive Data Retention
    What data do you retain?
    Why do you need this data in the first place?
    Who has access to the data?
    Where are backups stored?
    Who has access to the data via the backup system?

  6. Encoding is not encryption!

  7. // Five rounds of base64 plus string reversal. Anyone who reads the source
     // can undo it, because no secret key is involved: this is obfuscation,
     // not encryption.
     function encodeString($str) {
         for ($i = 0; $i < 5; $i++) {
             $str = strrev(base64_encode($str));
         }
         return $str;
     }
     function decodeString($str) {
         for ($i = 0; $i < 5; $i++) {
             $str = base64_decode(strrev($str));
         }
         return $str;
     }
     encodeString('this is a secret');
     // Result:
     QVlRHZlbopUYxQWShRkTUR1aaVUWuB3UNdlR2NmRWplUuJkVUxGcPFGbGVkVqp0VUJjUZdVVaNVTtVUP
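
The slide's encodeString() can be reversed by anyone with the source. The following is an added example, not from the deck, showing what real confidentiality for the same string looks like: authenticated encryption with a secret key, using the libsodium extension bundled with PHP 7.2 and later. The function names encryptSecret()/decryptSecret() and the nonce-prefixed token layout are this example's own choices; the key is generated on the spot for the demonstration and would normally come from a secrets store.

```php
<?php
declare(strict_types=1);

// Added example (not from the deck). Contrast with the slide's encodeString():
// the output below cannot be reversed without $key, and any modification of
// the token is detected rather than silently decoded to garbage.

/**
 * Authenticated encryption: returns base64(nonce . ciphertext).
 * The nonce is random and unique per message; the key never leaves the
 * server (load it from a secrets store or environment, never hard-code it).
 */
function encryptSecret(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

/**
 * Returns the plaintext, or null if the token is malformed, the key is wrong,
 * or the data was tampered with (secretbox's authentication tag fails).
 */
function decryptSecret(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Demonstration with a freshly generated key (constructed for this example).
$key   = sodium_crypto_secretbox_keygen();
$token = encryptSecret('this is a secret', $key);

echo "token:      $token\n";
echo "right key:  ", var_export(decryptSecret($token, $key), true), "\n";
echo "wrong key:  ", var_export(decryptSecret($token, sodium_crypto_secretbox_keygen()), true), "\n";

// Flip one bit of the ciphertext: the authentication tag no longer verifies.
$raw = base64_decode($token, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
echo "tampered:   ", var_export(decryptSecret(base64_encode($raw), $key), true), "\n";
```

The right key recovers the string; the wrong key and the tampered token both yield null instead of corrupted plaintext. That second property is why a keyed, authenticated primitive belongs in the retention story from slide 5: data that must be kept should be unreadable from a backup or a database dump without the key.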

  8. ASR 5 - Broken Access Control

  9. Restrictions on what authenticated users are allowed to do are not properly enforced.

  10. $app->post('/profile',
          function ($request, $response, $args) {
              // Authentication: refuse if nobody is logged in.
              if (!isset($_SESSION['user_id']) ||
                  !$this->users->get($_SESSION['user_id'])) {
                  return $response->withRedirect('/?error=notloggedin');
              }
              // Broken access control: the account to edit comes from the request
              // body, not from the session, so the logged-in user decides whose
              // profile is changed.
              $userID = $request->getParam('user_id');
              $fname = $request->getParam('fname');
              $lname = $request->getParam('lname');
              $email = $request->getParam('email');
              // Retrieve the user's account from the database (via the app container)
              $user = $this->users->get(intval($userID));
              $user->profile->fname = filter_var($fname, FILTER_SANITIZE_STRING);
              $user->profile->lname = filter_var($lname, FILTER_SANITIZE_STRING);
              $user->profile->email = filter_var($email, FILTER_SANITIZE_EMAIL);
              $this->users->update($user);
          }
      );
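
A corrected version of the same route, added here as an example rather than taken from the deck. It keeps the slide's Slim-style shape ($app->post, the $this->users container service, $request->getParam()), which are assumed to behave as on the slide; everything else (the 403/422 responses, the error_log() call, the length caps) is this example's own choice. The one change that matters is that the account being modified is the session's, never the request's.

```php
<?php
declare(strict_types=1);

// Added example, not from the deck: the /profile handler with the access
// control fixed. $this->users and $request->getParam() are assumed to be the
// slide's container service and Slim 3 request API.

$app->post('/profile', function ($request, $response, $args) {
    // Authentication: who is making the request?
    $sessionUserID = $_SESSION['user_id'] ?? null;
    if ($sessionUserID === null || !$this->users->get((int) $sessionUserID)) {
        return $response->withRedirect('/?error=notloggedin');
    }

    // Authorization: the only profile this request may change is its own.
    // A client-supplied user_id is never used to pick the account. If one is
    // present and differs from the session, record it (ASR 10) and refuse.
    $requestedID = $request->getParam('user_id');
    if ($requestedID !== null && (int) $requestedID !== (int) $sessionUserID) {
        error_log(sprintf(
            'access-control: session user %d sent user_id=%d to POST /profile from %s',
            (int) $sessionUserID,
            (int) $requestedID,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        return $response->withStatus(403);
    }

    // Validate rather than "sanitize": reject a malformed address outright.
    $email = filter_var((string) $request->getParam('email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return $response->withStatus(422);
    }
    // Names: trim and cap the length here; HTML-escape at output time, not on input.
    $fname = mb_substr(trim((string) $request->getParam('fname')), 0, 100);
    $lname = mb_substr(trim((string) $request->getParam('lname')), 0, 100);

    $user = $this->users->get((int) $sessionUserID);
    $user->profile->fname = $fname;
    $user->profile->lname = $lname;
    $user->profile->email = $email;
    $this->users->update($user);

    return $response->withRedirect('/profile?saved=1');
});
```

If an administrator legitimately needs to edit other accounts, that is a separate authorization decision (a role check on the session user), not a reason to trust a user_id from the client. FILTER_SANITIZE_STRING, used on the slide, was deprecated in PHP 8.1, which is another reason to validate input and escape output instead.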

  11. United Airlines experienced this vulnerability in their mobile app in 2015 -
    https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability//

  12. ASR 6 - Security Misconfiguration

  13. Secure settings should be defined, implemented, and maintained, as defaults are often insecure.

  14. PHP Settings
    Disable error display (display_errors)
    Disable remote includes (allow_url_fopen and allow_url_include)
    Set reasonable resource maximums (upload_max_filesize and memory_limit)
    Leverage the disable_functions directive to block dangerous functions:
    exec, passthru, shell_exec, system, proc_open, popen,
    parse_ini_file, show_source, eval, create_function
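
The slide lists the directives; a deployment still needs a way to confirm they are in effect under the SAPI that actually serves traffic. The following is an added example, not from the deck: a self-check script that reads the live configuration with ini_get() and reports every deviation from the slide's list. The function names, the size thresholds in MAX_LIMITS and the message wording are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not from the deck: verify the php.ini hardening from the
// slide against the running configuration. Run it under php-fpm/mod_php
// (e.g. from an operator-only health endpoint or a CI smoke test), because
// the CLI often loads a different php.ini.

/** Directives that must be off in production. */
const MUST_BE_OFF = ['display_errors', 'allow_url_fopen', 'allow_url_include'];

/**
 * Functions from the slide to list in disable_functions. eval is a language
 * construct, not a function, so disable_functions cannot block it; catching
 * eval needs a static-analysis or code-review rule instead.
 */
const SHOULD_BE_DISABLED = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'parse_ini_file', 'show_source', 'create_function',
];

/** Upper bounds for resource limits (thresholds chosen for this example). */
const MAX_LIMITS = ['upload_max_filesize' => '10M', 'memory_limit' => '256M'];

/** Convert a php.ini shorthand size ("10M", "512K", "-1") to bytes. */
function iniSizeToBytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX; // "unlimited"
    }
    $number = (int) $value; // leading digits only, e.g. "10M" -> 10
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

/** True if an ini value means "enabled" ("1", "On", "stderr", "STDOUT", ...). */
function iniIsEnabled(string $value): bool
{
    $v = strtolower(trim($value));
    return !in_array($v, ['', '0', 'off', 'false', 'no', 'none'], true);
}

/** Returns a list of findings; an empty array means every check passed. */
function auditPhpSettings(): array
{
    $findings = [];

    foreach (MUST_BE_OFF as $directive) {
        if (iniIsEnabled((string) ini_get($directive))) {
            $findings[] = "$directive is enabled; set it to Off";
        }
    }

    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (SHOULD_BE_DISABLED as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not listed in disable_functions";
        }
    }

    foreach (MAX_LIMITS as $directive => $max) {
        // An unlimited value (-1) is reported as exceeding the bound.
        if (iniSizeToBytes((string) ini_get($directive)) > iniSizeToBytes($max)) {
            $findings[] = "$directive is above $max";
        }
    }

    return $findings;
}

$findings = auditPhpSettings();
if ($findings === []) {
    echo "PHP configuration passes all checks\n";
} else {
    foreach ($findings as $finding) {
        echo "FAIL: $finding\n";
    }
}
```

Treat a non-empty findings list as a failed deployment, not as a warning: the settings on the slide are defaults that drift back whenever a package upgrade ships a fresh php.ini.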

  15. Webserver Settings (Nginx / Apache / etc)
    Disable server tokens and signature disclosure
    Configure a static server name (don’t trust potentially malicious HOST headers)
    Disable directory traversal
    ALWAYS configure strong SSL certificates for secure access
    Return proper error codes

  16. Database (MySQL) Settings
    Set an appropriate bind-address
    Ensure users are configured from the correct host, not a % wildcard
    Limit user permissions on the database to just what the application needs

  17. ASR 9 - Using Components with Known Vulnerabilities

  18. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

  19. Audit Application Dependencies
    Monitor Composer-installed dependencies for outdated or vulnerable libraries
    Leverage unattended-upgrades to keep system packages up-to-date
    Audit the packages installed on your server - don’t install things you don’t need

  20. Custom error messages can help demonstrate when a security hole has been plugged. Or annoy those who were exploiting it in the first place...

  21. Audit Application Dependencies
    Monitor Composer-installed dependencies for outdated or vulnerable libraries
    Leverage unattended-upgrades to keep system packages up-to-date
    Audit the packages installed on your server - don’t install things you don’t need
    Only run current, supported versions of PHP!!!

  22. ASR 10 - Insufficient Logging & Monitoring

  23. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.

  24. It’s Important to Track:
    What happened
    When it happened
    Where it happened (in terms of code and the IP of the server)
    To whom it happened
    What input triggered the event

  25. Event Classes
    Input Validation Errors
    Output Validation Errors
    Authentication Events
    Authorization (Access Control) Failures
    Application Errors
    Application Startup/Shutdown
    High-risk Operations
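
Slides 24 and 25 together describe a record format: five fields per event, and a fixed set of event classes. The following is an added example, not from the deck, of a small structured logger that produces exactly that record as one JSON line. The class name SecurityEvent, the constant names, the field names and the php://stderr destination are this example's choices; the two events at the bottom are constructed to match the /profile handler from slide 10.

```php
<?php
declare(strict_types=1);

// Added example, not from the deck: a minimal structured security-event
// logger covering the fields of slide 24 for the event classes of slide 25.

final class SecurityEvent
{
    // Event classes from slide 25.
    public const INPUT_VALIDATION  = 'input_validation_error';
    public const OUTPUT_VALIDATION = 'output_validation_error';
    public const AUTHENTICATION    = 'authentication';
    public const AUTHORIZATION     = 'authorization_failure';
    public const APP_ERROR         = 'application_error';
    public const LIFECYCLE         = 'application_startup_shutdown';
    public const HIGH_RISK         = 'high_risk_operation';

    /**
     * Build one record: what, when, where (code location + server), to whom,
     * and the input that triggered it. Pass null for $input when the
     * triggering value is a credential or token; it must not be logged raw.
     */
    public static function record(
        string $class,
        string $what,
        ?string $subjectUserID,
        ?string $input,
        array $context = []
    ): array {
        // Frame 0 holds the file/line where record() was called.
        $caller = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0] ?? [];
        $now = new DateTimeImmutable('now', new DateTimeZone('UTC'));

        return [
            'class' => $class,
            'what'  => $what,
            'when'  => $now->format(DATE_ATOM),
            'where' => [
                'code'   => ($caller['file'] ?? 'unknown') . ':' . ($caller['line'] ?? 0),
                'server' => $_SERVER['SERVER_ADDR'] ?? gethostname(),
            ],
            'who'   => [
                'user'      => $subjectUserID,
                'client_ip' => $_SERVER['REMOTE_ADDR'] ?? null,
            ],
            // Truncate so a hostile oversized input cannot flood the log.
            'input' => $input === null ? null : mb_substr($input, 0, 512),
        ] + $context;
    }

    /** Append the record as a single JSON line (one event per line). */
    public static function write(array $record, string $path = 'php://stderr'): void
    {
        $line = json_encode($record, JSON_UNESCAPED_SLASHES) . "\n";
        file_put_contents($path, $line, FILE_APPEND);
    }
}

// Constructed usage: the denied cross-account edit from the /profile handler,
// followed by a successful high-risk operation.
SecurityEvent::write(SecurityEvent::record(
    SecurityEvent::AUTHORIZATION,
    'attempt to edit another user\'s profile',
    '42',
    'user_id=17',
    ['outcome' => 'denied', 'route' => 'POST /profile']
));
SecurityEvent::write(SecurityEvent::record(
    SecurityEvent::HIGH_RISK,
    'password changed',
    '42',
    null,   // never log the credential itself
    ['outcome' => 'success']
));
```

One JSON object per line is what log shippers and SIEMs ingest without custom parsing, and the fixed class field is what an alert rule keys on (for example, several authorization_failure records for the same user or client_ip inside a short window). Keep the application's own error log and this security log separate so that noisy application errors do not drown the events that need a response.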

  26. (Full image slide. No text)

  27. Questions?

  28. Thank you
    [email protected] | 503.925.6266
