Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AppSecUSA 2013: Insecure Expectations

Matt Konda
November 21, 2013
Programming
1
190

AppSecUSA 2013: Insecure Expectations

This talk introduces a simple web testing framework and a vulnerable application. By writing tests with security implications we can illustrate issues, show how to test for them, and when we use behavior driven language (Cucumber) we can even express security issues as business features!

Matt Konda

November 21, 2013
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
110
Automate All of the Things
mkonda
0
180
Building Rugged Software in a DevOps World
mkonda
0
94
What is Rugged all about?
mkonda
1
81
Real World Security Testing
mkonda
1
95
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
53
Rationalizing Security
mkonda
0
52
Application Security Landscape
mkonda
0
73

Other Decks in Programming

See All in Programming
Hanami and htmx
bkuhlmann
0
190
App Router への移行は「改善」となり得るのか?/ Can migration to App Router be an improvement
takefumiyoshii
8
2.1k
[SF Ruby, March 2024] Rails on Wasm
palkan
0
370
From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE
ivargrimstad
0
870
Folding Cheat Sheet #2
philipschwarz
PRO
0
110
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
190
Git Rebase
bkuhlmann
11
1.6k
品質とスピードを両立: TypeScriptの柔軟な型システムをバックエンドで活用する
kosui
8
2.2k
Ruby製社内ツールのGo移行
bgpat
2
330
StoreKit2によるiOSのアプリ内課金のリニューアル
kangnux
0
100
甘い香りに誘われてVanilla Extractを1年間運用してみた
miyahkun
1
110
脱・初心者!脱・マネコン!AWS CDKを使ってみませんか!?
har1101
0
300

Featured

See All Featured
Why Our Code Smells
bkeepers
PRO
331
56k
Testing 201, or: Great Expectations
jmmastey
27
6.3k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
20
1.6k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
A Philosophy of Restraint
colly
195
16k
Building Adaptive Systems
keathley
29
1.8k
What's in a price? How to price your products and services
michaelherold
237
11k
Docker and Python
trallard
33
2.7k
Code Reviewing Like a Champion
maltzj
513
39k
Optimizing for Happiness
mojombo
369
69k
Embracing the Ebb and Flow
colly
78
4.1k
GraphQLの誤解/rethinking-graphql
sonatard
49
9.2k

Transcript

  1. insecure expectations Matt Konda @mkonda Jemurai.com

  2. introduction

  3. BACKGROUND ON ME

  4. Thanks to family!

  5. demo cucumber --name "person is restricted from putting input into

    a field that will be executed by the system"
  6. None

  7. root cause def destroy! @project = Project.find(params[:id])! ! name =

    @project.name! `rm /tmp/#{name}.log` ! ! @project.destroy! ! respond_to do |format|! format.html { redirect_to projects_url }! format.json { head :no_content }! end! end! ! ! What if @project.name is : ! "; cat /etc/passwd > public/passwd.html;”!

  8. How many  people here  ! Write tests?

  9. How many  people here  ! Use TDD?

  10. How many  people here  ! Use BDD?

  11. How many  people here  ! know of OWASP?

  12. How many  people here  ! currently write security

    tests?

  13. insecure expectations

  14. rspec

  15. -6 = 64.1 Trillion

  16. None
  17. None

  18. bdd with cucumber

  19. feature scenario ! given when then

  20. Feature: person is restricted from accessing project they do not

    own Scenario: person accesses a project  that is not theirs  Given a new project created by a user When a different person attempts to access the project Then the system should prevent access

  21. demo cucumber --name "person is restricted from accessing project they

    do not own"
  22. None

  23. Given(/^a new project created by a user$/) do! uuid =

    SecureRandom.uuid! @user1 = "fb_user_1_#{uuid}@jemurai.com"! register_as_user(@user1, "password")! new_project("Insecure Direct Object Reference #{uuid}", ! "Forceful Browsing Desc")! @url = current_url ! end! ! When(/^a different person attempts to access the project$/) do! logout(@user1)! uuid = SecureRandom.uuid! @user2 = "fb_user_2_#{uuid}@jemurai.com"! register_as_user(@user2, "password")! end! ! Then(/^the system should prevent access$/) do! visit @url! expect(page).not_to have_content "Forceful Browsing Desc"! end

  24. introducing: triage https://github.com/Jemurai/triage

  25. handy http://localhost:3000/projects?name=%27A%27%29%20or%201=1%20-- def index! email = current_user.email! !conditions = "owner

    LIKE '#{email}'"! !if params[:name]! !! conditions = "name like #{params[:name]} " + conditions! !end! !@projects = Project.find(:all, :conditions=>conditions)! !! respond_to do |format|! format.html # index.html.erb! format.json { render json: @projects }! end! end SELECT "projects".* FROM "projects" ! WHERE (name like 'A') or 1=1 -- owner LIKE '[email protected]') For illustration

  26. introducing: SWTF

  27. Security Web Testing Framework

  28. Security WTF

  29. features/env.rb

  30. None

  31. Feature: user is prevented from putting XSS in project form

    fields! ! A user wants to be sure that others users can't ! put XSS in the projects pages! ! in order to ensure that their sessions and information are safe.! ! ! ! @javascript! ! Scenario Outline: xss attempt! ! ! Given the field is "<fieldname>"! ! ! When the value is "<value>"! ! ! Then the field result should be "<result>"! ! ! ! ! ! Scenarios: xss in fields! ! ! ! | fieldname | value | result |! ! ! ! | project[name] | ProjectName | noxss |! ! ! ! | project[name] | ProjectName <script>alert('project[name]- >xss');</script> | xss |! ! ! ! | project[description] | ProjectDescription <script>alert('project[description]->xss');</script> | noxss |! ! ! ! ! ! ! !

  32. new_project("XSS Name #{@field} #{uniq}","XSS Desc #{@field}"+ uniq)! click_link 'Edit'! fill_in

    @field, :with => @value! click_button "Update Project"! if @result == "xss" ! # This should have xss in it...did it stick?! alerted = false! begin ! page.driver.browser.switch_to.alert.accept ! alerted = true! rescue ! end! if alerted! fail("XSS Used to create Popup in #{@field} with #{@value}") ! else! puts "Good news, no xss where expected."! end! else! expect(page).to have_content @value! end

  33. demo cucumber --name "user is prevented from putting XSS in

    project form fields"
  34. None
  35. None

  36. tests in app Rails Application rspec / cucumber

  37. tests out of app Rails Application: Triage Cucumber | SWTF

  38. tests out of app Rails Application: Triage (Insecure) Cucumber |

    SWTF Rails Application: Triage (Secure)

  39. means they can be easily adapted to test different apps

  40. demo cucumber --name "user is protected from malicious content and

    having their page framed"
  41. None

  42. Feature: user is protected from malicious content and having their

    page framed! ! A user wants to be sure that effective browser protections are enabled ! ! in order to ensure that their information is safe.! ! ! ! @javascript! ! Scenario Outline: check for secure headers attempt! ! ! Given a new project created by a user! ! ! And the page is "<page>"! ! ! When the header is "<header>"! ! ! Then the header value should be "<result>"! ! ! ! ! ! Scenarios: headers in pages! ! ! ! | page | header | result |! ! ! ! | projects/ | X-Frame-Options | DENY |! ! ! ! | projects/ | X-XSS-Protection | 1 |!

  43. ! cookies = Capybara.current_session.driver.browser.manage.all_cookies! csrf_token = Capybara.current_session.driver.browser.find_element(:xpath, "// meta[@name='csrf-token']").attribute('content');! #

    Switch mode to net::http! uri = URI.parse(url)! http = Net::HTTP.new(uri.host, uri.port) ! http.verify_mode = OpenSSL::SSL::VERIFY_NONE! request = Net::HTTP::Post.new(uri.request_uri)! request['Cookie'] = cookies ! request.set_form_data( { ! "_method" => "put", ! "authenticity_token" => "#{csrf_token}", ! "project[name]"=> "header updated and verified", ! "commit"=>"Update Project" })! response = http.request(request)! ! ...! ! if response[@header] == @result! #pass! else! fail("Header #{@header} not set to #{@result} as expected. ! Instead was #{response[@header]}.")! end!

  44. take a vulnerable project

  45. None

  46. write tests that illustrate the security issues

  47. try to illustrate how easy it would be to write

    security tests

  48. in language everyone can understand

  49. why is application scanning so hard?

  50. what if the dev writing the code were testing security

    cases along the way? ! MUCH smarter.

  51. exploratory testing

  52. quiz •user should not be able to set fields not

    shown in the form

  53. quiz •user should not be able to submit forms in

    anothers session

  54. ARE STAKEHOLDERS ASKING FOR SECURITY?

  55. but if you ask them about these features they might

    want them

  56. current Tests • Injection / Sql Injection • Cross Site

    Scripting • Mass Assignment • Cross Site Request Forgery • Secure Headers • Sensitive Data Exposure (Session Cookie)

  57. demo cucumber --name "users favorite album is in cookie"

  58. None
  59. None

  60. simplified Steps • injection: inject commands into fields and detect

    functions being called. • XSS: inject scripts into fields and detect that alerts are thrown • Mass assignment: set raw form data with net::http and send it to see how the server responds • csrf: alter csrf token and send otherwise valid request • headers: interact with system and verify that headers are being set • Sensitive Data: open session cookie and inspect

  61. OWASP Top 10 From: owasp.org

  62. A natural extension is to make it easy to fuzz

    forms
  63. None

  64. there is no !

  65. goal #1: Platform for educating developers

  66. goal #2: language for communicating with business owners

  67. goal #3: mechanism for making it easier to implement tests.

  68. None

  69. how many people have had a penetration test against their

    application?

  70. instead of a pdf, what if we deliver findings with

    working tests!

  71. what if a developer could fix a security issue by

    making the TEST pass.

  72. wander

  73. good: almost every client engagement benefits from OWASP

  74. Bad: owasp meetings I have been to are predominantly security

    people

  75. how do we “communicate”

  76. cheat sheets

  77. How many  people here  ! have attended developer

    conferences this year?
  78. None

  79. How many  people here  ! Commit to development

    projects?

  80. Community organizing

  81. ideas:  ! Go to dev meetup go dev conference

    contribute to Oss listen

  82. more ideas:  ! identify technology leaders and approach them

  83. make developer friends !

  84. make developer friends !

  85. more ideas:  ! form an outreach subcommittee

  86. more ideas:  ! de-”criminalize” application security ignorance

  87. more ideas:  ! invite developers to speak

  88. more ideas:  ! find activities that developers can participate

    in at meetings

  89. more ideas:  ! emphasize developer contributions to owasp site

  90. more ideas:  ! get developers on the owasp board

  91. more ideas:  ! ???

  92. basically, I want to see owasp try to build community

    organizing with developers into a model that can be repeated

  93. Thanks! Justin Collins @presidentbeef Jeff Jarmoc @jjarmoc Ben Toews @mastahyeti

    Neil Matatall @ndm Aaron Bedra @abedra Jon Claudius @claudijd Chris Oliver @excid3 Chris Hildebrand @ckhrysze Jon Rose Brett Hardin @miscsecurity Elizabeth Hendrickson @testobsessed

  94. References • https://github.com/Jemurai/triage • https://bitbucket.org/mkonda/swtf/ • http://speakerdeck.com/mkonda • http://brakemanscanner.org •

    http://rails-sqli.org • https://github.com/twitter/secureheaders • http://testobsessed.com/wp-content/uploads/2011/04/ testheuristicscheatsheetv1.pdf • https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet

  95. Thanks!

  96. features • person is restricted from putting input into a

    field that will be executed by the system • user is prevented from putting XSS in project form fields • user should not be able to set fields not shown in the form • user should not be able to submit forms in anothers session • user is protected from malicious content and having their page framed • users favorite album is in cookie