OWASP 301: Infrastructure-based Security

Some of the trickier application security risks (ASRs) covered by the OWASP Top ten are focused on infrastructure and application configuration. As these risks are deeper within the production stack, they can be harder to find and address. Together, we’ll walk through each of these risks, examine how to identify them in an application or production environment, and cover actionable steps you can take today to address them with your application.

Eric Mann

May 22, 2019

Transcript

  1. 3.

    Many web applications do not adequately protect sensitive data, such as credit cards, tax IDs, and authentication credentials.
  2. 5.

    Sensitive Data Retention
    - What data do you retain?
    - Why do you need this data in the first place?
    - Who has access to the data?
    - Where are backups stored?
    - Who has access to the data via the backup system?
  3. 7.

    function encodeString($str) {
        // Five rounds of base64 plus string reversal: this is reversible
        // obfuscation, not encryption, and anyone with the function can undo it
        for ($i = 0; $i < 5; $i++) {
            $str = strrev(base64_encode($str));
        }
        return $str;
    }

    function decodeString($str) {
        for ($i = 0; $i < 5; $i++) {
            $str = base64_decode(strrev($str));
        }
        return $str;
    }

    encodeString('this is a secret');
    // QVlRHZlbopUYxQWShRkTUR1aaVUWuB3UNdlR2NmRWplUuJkVUxGcPFGbGVkVqp0VUJjUZdVVaNVTtVUP
  4. 10.

    $app->post('/profile', function ($request, $response, $args) {
        if (!isset($_SESSION['user_id']) || !$this->users->get($_SESSION['user_id'])) {
            return $response->withRedirect('/?error=notloggedin');
        }

        // The account to edit is taken from the request body, not from the session
        $userID = $request->getParam('user_id');
        $fname = $request->getParam('fname');
        $lname = $request->getParam('lname');
        $email = $request->getParam('email');

        // Retrieve the user's account from the database (via the app container)
        $user = $this->users->get(intval($userID));
        $user->profile->fname = filter_var($fname, FILTER_SANITIZE_STRING);
        $user->profile->lname = filter_var($lname, FILTER_SANITIZE_STRING);
        $user->profile->email = filter_var($email, FILTER_SANITIZE_EMAIL);
        $this->users->update($user);
    });
  5. 11.

    United Airlines experienced this vulnerability in their mobile app in 2015 - https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability//
  6. 14.

    PHP Settings
    - Disable error display (display_errors)
    - Disable remote includes (allow_url_fopen and allow_url_include)
    - Set reasonable resource maximums (upload_max_filesize and memory_limit)
    - Leverage the disable_functions directive to block dangerous functions: exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, eval, create_function
  7. 15.

    Webserver Settings (Nginx / Apache / etc)
    - Disable server tokens and signature disclosure
    - Configure a static server name (don’t trust potentially malicious HOST headers)
    - Disable directory traversal
    - ALWAYS configure strong SSL certificates for secure access
    - Return proper error codes
  8. 16.

    Database (MySQL) Settings
    - Set an appropriate bind-address
    - Ensure users are configured from the correct host, not a % wildcard
    - Limit user permissions on the database to just what the application needs
  9. 19.

    Audit Application Dependencies
    - Monitor Composer-installed dependencies for outdated or vulnerable libraries
    - Leverage unattended-upgrades to keep system packages up-to-date
    - Audit the packages installed on your server - don’t install things you don’t need
  10. 20.

    Custom error messages can help demonstrate when a security hole has been plugged. Or annoy those who were exploiting it in the first place...
  11. 21.

    Audit Application Dependencies
    - Monitor Composer-installed dependencies for outdated or vulnerable libraries
    - Leverage unattended-upgrades to keep system packages up-to-date
    - Audit the packages installed on your server - don’t install things you don’t need
    - Only run current, supported versions of PHP!!!
  12. 23.

    Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.
  13. 24.

    It’s Important to Track:
    - What happened
    - When it happened
    - Where it happened (in terms of code and the IP of the server)
    - To whom it happened
    - What input triggered the event
  14. 25.

    Event Classes
    - Input Validation Errors
    - Output Validation Errors
    - Authentication Events
    - Authorization (Access Control) Failures
    - Application Errors
    - Application Startup/Shutdown
    - High-risk Operations
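The profile handler from slide 10, rewritten so the account being edited comes from the session rather than the request, and extended to record the what/when/where/whom/input fields of slide 24 under the event classes of slide 25 whenever a request is refused. This is an added example, not code from the talk; it assumes the same Slim-style $app and $this->users container service the slide uses, and logSecurityEvent() is a hypothetical helper defined here.

```php
<?php
// Added example, not from the talk; assumes the Slim-style $app and $this->users
// service of slide 10. logSecurityEvent() is a hypothetical helper defined here.
function logSecurityEvent(string $class, string $what, array $input): void
{
    $caller = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0]; // call site in code
    error_log(json_encode([
        'class' => $class,                                   // event class (slide 25)
        'what'  => $what,
        'when'  => gmdate('c'),
        'where' => ['code'   => ($caller['file'] ?? '?') . ':' . ($caller['line'] ?? '?'),
                    'server' => $_SERVER['SERVER_ADDR'] ?? 'unknown'],
        'whom'  => $_SESSION['user_id'] ?? null,             // the acting user, if any
        'input' => $input,                                   // the input that triggered it
    ]));
}

$app->post('/profile', function ($request, $response, $args) {
    if (!isset($_SESSION['user_id']) || !$this->users->get($_SESSION['user_id'])) {
        return $response->withRedirect('/?error=notloggedin');
    }

    // The fix: the account being edited comes from the session, never from the request
    $userID = intval($_SESSION['user_id']);

    // A client-supplied user_id that differs from the session is an attempt to edit
    // another account: refuse it and record an access-control failure
    $requested = $request->getParam('user_id');
    if ($requested !== null && intval($requested) !== $userID) {
        logSecurityEvent('Authorization Failure', 'user_id mismatch on /profile',
            ['user_id' => $requested]);
        return $response->withStatus(403);
    }

    $email = filter_var($request->getParam('email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        logSecurityEvent('Input Validation Error', 'malformed email on /profile',
            ['email' => $request->getParam('email')]);
        return $response->withStatus(400);
    }

    $user = $this->users->get($userID);
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1: store the text, escape on output
    $user->profile->fname = trim((string) $request->getParam('fname'));
    $user->profile->lname = trim((string) $request->getParam('lname'));
    $user->profile->email = $email;
    $this->users->update($user);
    return $response->withStatus(204);
});
```

The JSON records written by error_log() are what a monitoring pipeline can alert on; a burst of "Authorization Failure" events from one client is exactly the signal slide 23 says attackers count on nobody watching for.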