Shiny, Let's Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities -- OSCON 2016 edition

Slide 1

Slide 1 text

Shiny Let’s Be Bad Guys! Exploiting and Mitigating the Top 1 0 Web App Vulnerabilities Mike Pirnat - @mpirnat OSCON 2016 Setup: https://github.com/mpirnat/lets-be-bad-guys

Slide 2

Slide 2 text

Schedule • This session will run 1:30 PM – 5:00 PM • 30-minute break 3:00 – 3:30 PM • Here on Level 4

Slide 3

Slide 3 text

Shiny Let’s Be Bad Guys! Exploiting and Mitigating the Top 1 0 Web App Vulnerabilities Mike Pirnat - @mpirnat OSCON 2016

Slide 4

Slide 4 text

Who here makes web apps?

Slide 5

Slide 5 text

Who here has vulnerable apps?

Slide 6

Slide 6 text

Why it Matters • Your users • Your data • Your business

Slide 7

Slide 7 text

OWASP • http://www.owasp.org • Open Web Application Security Project • Non-proﬁt focused on improving software security • Documentation and tools to help learn about security and protect your apps

Slide 8

Slide 8 text

OWASP Top Ten • Based on risk data from 8 ﬁrms • Over 500,000 vulnerabilities, hundreds of orgs, thousands of apps • Selected & prioritized by prevalence data combined with estimates of exploitability, detectability, and impact • Updated in 2013

Slide 9

Slide 9 text

Today • Background on a type of vulnerability • Exploit it! • Discuss prevention • Django & Flask speciﬁc advice where possible • Light examples where we have time

Slide 10

Slide 10 text

Disclaimer

Slide 11

Slide 11 text

About Django

Slide 12

Slide 12 text

About Flask

Slide 13

Slide 13 text

Setup: 1 Make & activate a virtualenv: # Python 3... $ pyvenv badguys # Python 2... $ virtualenv badguys $ cd badguys $ source bin/activate

Slide 14

Slide 14 text

Setup: 2 Clone our repository: $ git clone https://github.com/ mpirnat/lets-be-bad-guys src Or pull the latest changes: $ cd src $ git pull

Slide 15

Slide 15 text

Setup: 3 Install dependencies: $ cd src $ pip install -r requirements.txt

Slide 16

Slide 16 text

Setup: 4 Start up the app: $ python manage.py runserver

Slide 17

Slide 17 text

Find a Partner

Slide 18

Slide 18 text

Injection

Slide 19

Slide 19 text

Injection Attacks • When an application sends untrusted data to an interpreter • Can result in data loss/corruption, lack of accountability, denial of access • Can lead to complete host takeover

Slide 20

Slide 20 text

Who can you trust?

Slide 21

Slide 21 text

Trust No One • External users • Internal users • Administrators

Slide 22

Slide 22 text

Attack Vectors • GET parameters • POST parameters • PATH_INFO • Some HTTP headers: Cookie, Host • Uploaded Files

Slide 23

Slide 23 text

Possible Consequences • Creation of malicious SQL (or other queries) • Accessing private ﬁles on disk • Arbitrary code execution

Slide 24

Slide 24 text

Real-World Examples • Sony Playstation Network • Ruby on Rails • HBGary • MySQL • Many, many others…

Slide 25

Slide 25 text

SQL Injection • Unescaped user input causes the premature end of a SQL query and allows a malicious query to be executed... """ select * from users where username='%s'; """ • http://localhost:8000/injection/sql

Slide 26

Slide 26 text

Accessing Private Files • File system access + unvalidated user input allows attackers to navigate the ﬁle system • http://localhost:8000/injection/ﬁle- access

Slide 27

Slide 27 text

Arbitrary Code Execution • Unsafe input is dynamically evaluated or executed • http://localhost:8000/injection/code- execution

Slide 28

Slide 28 text

Prevention • Validate ALL user input • Sign cookies, don’t accept if signature is bogus/missing • Use ORMs or bind variables when talking to the database • Don’t use eval or exec, beware of pickle, user-supplied YAML, etc.

Slide 29

Slide 29 text

Django Advice • Make sure data types for your model are tight • Use Forms instead of ModelForms for stronger validation • Make new validators as needed for your application • Make sure your URL regexes for dynamic URLs are tight

Slide 30

Slide 30 text

Django Advice • Use the ORM when you can • When you can’t, use extreme caution! • Use bind variables/parameters • No string concatenation/formatting of anything that came from the client

Slide 31

Slide 31 text

Without the ORM # If it's a basic select: MyModel.objects.raw("SELECT ... WHERE foo = %s", params={'foo': ...}) # If it's more complicated: from django.db import connection cursor = connection.cursor() cursor.execute("UPDATE bar set bar = 1 WHERE foo < %s", [foo]) row = cursor.fetchall()

Slide 32

Slide 32 text

Flask Advice • Use Flask-WTF to validate form input • Use SQLAlchemy • Bind variables if you don’t

Slide 33

Slide 33 text

Broken Authentication & Session Management

Slide 34

Slide 34 text

Broken Auth & Session Management • Attacker uses leaks or flaws in authentication or session management to impersonate users • Roll-your-own solutions contribute to the difficulty of finding these flaws

Slide 35

Slide 35 text

Possible Consequences • Compromised user accounts • Compromised administrative accounts • Unauthorized use of privileged functionality

Slide 36

Slide 36 text

Prevention • Hash or encrypt passwords • Don’t let credentials be easily overwritten • Don’t put session IDs in URLs • Allow session IDs to timeout/log out • Rotate session IDs after successful login • TLS connections for passwords, session IDs

Slide 37

Slide 37 text

Django Advice • Use django.contrib.auth • Consider https://github.com/yourlabs/ django-session-security middleware for timing out sessions • We’ll talk about transport layer security later on...

Slide 38

Slide 38 text

Flask Advice • Use ﬂask-security • Read https://pythonhosted.org/Flask- Security/ • Avoid overuse of cookies for storing session state

Slide 39

Slide 39 text

Cross-Site Scripting (XSS)

Slide 40

Slide 40 text

XSS Attacks • Cross-Site Scripting (XSS) • The most prevalent web app security ﬂaw • App includes user-supplied data in content sent to the browser without properly validating or sanitizing it

Slide 41

Slide 41 text

XSS Attacks • Stored: injected code permanently stored in database, message forum, comment, etc. • Reﬂected: injected code in live request to server, reﬂected back in error message or search result • DOM: injected code in browser DOM environment that causes scripts to run in unexpected ways (eg, reading from URL)

Slide 42

Slide 42 text

Possible Consequences • Execute scripts in a victim’s browser • Hijack sessions • Deface sites • Insert hostile content • Redirect users • Hijack browser (install malware)

Slide 43

Slide 43 text

Most Often Seen... • Places where user-created text is displayed to other users (comments, messages) • Form inputs where value is populated with user-supplied data • Script tags where user-supplied data is populated into script variables

Slide 44

Slide 44 text

Text Real-World Example • http://es.pn/Z0jnoi

Slide 45

Slide 45 text

XSS in Dynamic URLs • Part of the URL path is variable, isn’t validated, and gets included into the page: http://example.com/stuff/{$CATEGORY} • http://localhost:8000/cross-site- scripting/path-matching/your-path- here

Slide 46

Slide 46 text

XSS in Query String Parameters • Unvalidated user input from a query string parameter is included in the page: http://example.com/?search={$TEXT} • http://localhost:8000/cross-site- scripting/query-params?qs=awesome

Slide 47

Slide 47 text

XSS in Form Fields • The value part of an input is prematurely terminated, allowing Javascript to be injected into or adjacent to the element: • http://localhost:8000/cross-site- scripting/form-ﬁeld

Slide 48

Slide 48 text

Can you trust the database?

Slide 49

Slide 49 text

Prevention • Escape all untrusted data based on the HTML context the data will be placed into • Whitelist input validation • Consider auto-sanitization libraries for rich content (eg, OWASP’s AntiSamy) • Update your parents’/in-laws’ browsers!

Slide 50

Slide 50 text

Django Advice • Be careful with the safe ﬁlter, django.utils.safestring, etc. • Use form.as_p, form.as_table, form.as_ul when displaying a form in a template • Be careful with your own template tags; django.utils.html.escape is your friend!

Slide 51

Slide 51 text

django.utils.html cleaned = escape(unsafe_value) cleaned = escapejs(unsafe_value) cleaned = strip_tags(unsafe_value) cleaned = remove_tags(unsafe_value, ['script', ...])

Slide 52

Slide 52 text

Flask Advice • Don’t disable autoescaping • Be very careful with anything you bless via Markup objects, the safe ﬁlter, or blocks where autoescape is disabled

Slide 53

Slide 53 text

Insecure Direct Object References

Slide 54

Slide 54 text

Insecure Direct Object Reference • Expose a reference to an internal implementation object without verifying authorization • Attacker changes URL, GET/POST parameters, cookies

Slide 55

Slide 55 text

Possible Consequences • Compromise of all data that can be referenced by the vulnerable parameter • Unless the namespace is sparse, an attacker can easily access all available data of that type

Slide 56

Slide 56 text

Exercises • Manipulate parameters in the URL to access data that doesn’t belong to you • http://localhost:8000/direct-object- references

Slide 57

Slide 57 text

Prevention • Implement access controls on any direct references to restricted resources • Implement per-user or per-session indirect object references • This can be as much about URL design as about access control!

Slide 58

Slide 58 text

Django + Flask • Lock down views: • Use Django’s permissions architecture • Use Flask-Security or Flask-Login • Customize Django queryset for looking up objects that involve user ownership

Slide 59

Slide 59 text

Custom Queryset # In models.py... class ThingyManager(models.Manager): def for_user(self, user): return self.get_query_set().filter(user=user) class Thingy(models.Model): objects = ThingyManager() # In views.py... class ThingyUpdateView(UpdateView): def get_queryset(self): return Thingy.objects.for_user( self.request.user)

Slide 60

Slide 60 text

Security Misconfiguration

Slide 61

Slide 61 text

Security Misconfiguration • Insecure application settings • Unpatched ﬂaws • Unused pages

Slide 62

Slide 62 text

Possible Consequences • Unauthorized access to some system data or functionality • Potential complete system compromise

Slide 63

Slide 63 text

Exercises • Demos and discussion • http://localhost:8000/misconﬁguration

Slide 64

Slide 64 text

Text This Really Happens! • Patreon compromised via exposed Werkzeug Debugger • https://labs.detectify.com/2015/10/02/ how-patreon-got-hacked-publicly- exposed-werkzeug-debugger/

Slide 65

Slide 65 text

No content

Slide 66

Slide 66 text

No content

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

Prevention • Have a repeatable hardening process • Have a process for keeping on top of updates and patches • Architecture that provides secure separation between components • Periodic scans and audits

Slide 69

Slide 69 text

Django Advice • Don’t run in debug mode in production • Keep your SECRET_KEY secret! • Keep Python code out of webserver’s root • Don’t run admin publicly • Don’t use the built-in admin for normal user admin tasks

Slide 70

Slide 70 text

Flask Advice • Read http://ﬂask.pocoo.org/docs/ security • Set app.debug = False to turn off debugging

Slide 71

Slide 71 text

Gateway to Social Engineering?

Slide 72

Slide 72 text

Sensitive Data Exposure

Slide 73

Slide 73 text

Sensitive Data Exposure • Failure to properly protect credit cards, tax IDs, authentication credentials, etc. • Sensitive data deserves extra protection such as encryption at rest or in transit, special precautions when exchanged with the browser

Slide 74

Slide 74 text

Insecure Cryptographic Storage • Not encrypting worthy data • Unsafe key generation & storage, failure to rotate keys • Weak algorithms • Weak or unsalted hashes

Slide 75

Slide 75 text

Insufficient Transport Layer Protection • May not authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic • May use weak algorithms • May use expired or invalid certificates • May use certificates incorrectly

Slide 76

Slide 76 text

Possible Consequences • Compromise of all data that should have been encrypted • This can be highly sensitive information: credentials, credit cards, personal data, health records, etc.

Slide 77

Slide 77 text

Possible Consequences • Expose individual users’ data • Account theft • Compromise an admin account?! • Poor SSL setup can facilitate phishing and man-in-the-middle attacks

Slide 78

Slide 78 text

Attack Vectors • Attacker monitors network traﬃc of your users • Maybe in public places (Starbucks, conference wi-ﬁ, etc.) • Maybe back end connections • Maybe inside your network (!!!)

Slide 79

Slide 79 text

http://cdn.ttgtmedia.com/digitalguide/images/Misc/WiresharkSS3_lg.png

Slide 80

Slide 80 text

http://echeng.com/journal/images/misc/ﬁresheep.png

Slide 81

Slide 81 text

Prevention • Encrypt sensitive data at rest • Encrypt offsite backups; manage keys separately • Use strong standard algorithms, strong keys • Hash passwords with strong standard algorithm & use appropriate salt • Protect passwords & keys from unauthorized access

Slide 82

Slide 82 text

Prevention • Require SSL for all sensitive pages; redirect non-SSL requests to SSL • Set the “secure” ﬂag on sensitive cookies • Use only strong SSL algorithms • Ensure your cert is valid, not expired, not revoked, and matches your domain • SSL/encryption on the back end too

Slide 83

Slide 83 text

Django Advice • Use django.contrib.auth for proper password salting and hashing • Use bcrypt; see https://docs.djangoproject.com/en/ 1.8/topics/auth/passwords/ • Require SSL in Apache or Nginx • Require SSL using middleware: • Conﬁgure Django SecurityMiddleware–new in Django 1.8! • http://django-secure.readthedocs.org/en/v0.1.2/ • https://github.com/rdegges/django-sslify

Slide 84

Slide 84 text

Secure Cookies # In your settings.py... SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True

Slide 85

Slide 85 text

Flask Advice • Salt passwords using werkzeug.security: • http://ﬂask.pocoo.org/snippets/54/ • Require SSL: • https://github.com/kennethreitz/ﬂask-sslify • https://github.com/jacobian/wsgi-sslify • Use bcrypt: https://pythonhosted.org/ passlib/

Slide 86

Slide 86 text

Missing Function Level Access Control

Slide 87

Slide 87 text

Missing Function Level Access Control • Application doesn’t protect its functions properly • Misconﬁguration • Forgot proper code checks

Slide 88

Slide 88 text

Attack Vectors • Authorized user changes a URL or parameter to a privileged function • Anonymous users could access private functions that aren’t protected

Slide 89

Slide 89 text

Possible Consequences • Compromised user accounts • Compromised administrative accounts • Unauthorized use of privileged functionality

Slide 90

Slide 90 text

Exercises • Manipulate the URL to access privileged functionality • http://localhost:8000/missing-access- control

Slide 91

Slide 91 text

Prevention • Consider every page; public or private? • If authentication is required, make sure that checks are in place • If additional authorization is required, make sure that checks are in place • Deny all by default; explicitly grant access to users or roles

Slide 92

Slide 92 text

Django + Flask • Lock down views: • Use Django’s permissions architecture • Use Flask-Security or Flask-Login • Don’t use Django’s built-in admin for normal user admin tasks

Slide 93

Slide 93 text

Cross-Site Request Forgery

Slide 94

Slide 94 text

CSRF Attacks • Cross-Site Request Forgery (CSRF) • Attacker tricks victim into submitting forged HTTP requests • Attack succeeds if user is authorized/ authenticated

Slide 95

Slide 95 text

Attack Vectors • Image tags • Cross-Site Scripting (XSS) • Fake buttons • Phishing forms • Other techniques

Slide 96

Slide 96 text

Possible Consequences • Cause victim to change any data the victim is allowed to change • Cause victim to perform any function the victim is authorized to use • Impact varies based on victim’s role • Think of some possibilities...

Slide 97

Slide 97 text

Real-World Examples • Facebook: http://amolnaik4.blogspot.com/ 2012/08/facebook-csrf-worth- usd-5000.html • Google/Gmail: http://cryptogasm.com/2012/02/does- google-understand-csrf/

Slide 98

Slide 98 text

What if... http://example.com/transferFunds?amount=…&destinationAccount=…

Slide 99

Slide 99 text

What if...

Slide 100

Slide 100 text

CSRF via Image • Craft an “image” link that triggers some site functionality • http://localhost:8000/csrf/image

Slide 101

Slide 101 text

CSRF via Form Post • Create an innocuous-looking form that POSTs to a vulnerable location • http://localhost:8000/csrf/third-party- site

Slide 102

Slide 102 text

Prevention • Don’t “do” things on a GET • Include a unique token in a hidden ﬁeld (often used in concert with a cookie) • Validate token to make sure the request is from on-site • Avoid putting the token into a query string

Slide 103

Slide 103 text

Django Advice • Don’t change the built-in settings! • Do use the CSRF middleware and template tag in forms • Be VERY CAREFUL about deactivating it (csrf_exempt decorator) • Be careful about APIs (Tastypie, oauth); http://codrspace.com/vote539/csrf- protection-in-django-tastypie/

Slide 104

Slide 104 text

Flask Advice Various CSRF solutions... • DIY/naïve: http://flask.pocoo.org/snippets/3/ • Flask-WTF: http://flask-wtf.readthedocs.org/ en/latest/csrf.html • Flask-SeaSurf: https://flask- seasurf.readthedocs.org/en/latest/ • Flask-csrf: http://sjl.bitbucket.org/flask-csrf/

Slide 105

Slide 105 text

Using Known Vulnerable Components

Slide 106

Slide 106 text

Components with Known Vulnerabilities • Libraries, frameworks, and other modules almost always run with full privilege • Hard to stay up to date on everything • Do you even know all the components in use, let alone their versions? • Components with known problems can be identiﬁed & exploited with automated tools

Slide 107

Slide 107 text

Attack Vectors • Attacker identiﬁes a weak component through scanning or manual analysis • Customize exploit as needed • More difﬁcult the deeper the component is in the application

Slide 108

Slide 108 text

Possible Consequences • Full range of weaknesses are possible • Impact could be minimal, or... • Complete host takeover! • Data compromise!

Slide 109

Slide 109 text

No content

Slide 110

Slide 110 text

No content

Slide 111

Slide 111 text

No content

Slide 112

Slide 112 text

No content

Slide 113

Slide 113 text

No content

Slide 114

Slide 114 text

Prevention • Don’t use components you don’t write (unrealistic) • Keep components up to date • Identify all components and versions • Monitor security of these components

Slide 115

Slide 115 text

Python Advice • Use pip to ﬁnd old packages: pip list --outdated • Use requires.io to monitor dependencies

Slide 116

Slide 116 text

Django + Flask • Keep an eye on the mailing lists: • https://groups.google.com/group/django- announce • http://ﬂask.pocoo.org/mailinglist • Follow @djangoproject on Twitter

Slide 117

Slide 117 text

Unvalidated Redirects & Forwards

Slide 118

Slide 118 text

Redirection Abuse • Attacker tricks user into visiting a URL that redirects or forwards the request without validating the redirect location • Users prone to click because the link is to a legitimate site

Slide 119

Slide 119 text

Possible Consequences • Install malware • Phishing/information disclosure • Bypass access controls

Slide 120

Slide 120 text

External Redirection • Use a redirection URL to redirect to an external location • http://localhost:8000/redirects-and- forwards/redirects

Slide 121

Slide 121 text

Forwards • Manipulate a forward parameter to gain access to privileged functionality • http://localhost:8000/redirects-and- forwards/forwards

Slide 122

Slide 122 text

Prevention • Don’t use redirects or forwards • Don’t involve user-supplied data to build the redirect location • Ensure the supplied value is valid and authorized for the user

Slide 123

Slide 123 text

Django Advice • Use django.utils.http.is_safe_url to check redirect URLs • Used by django.contrib.auth internally • Consider wrapping is_safe_url if you have to allow other off-domain URLs

Slide 124

Slide 124 text

Checking Redirects from django.shortcuts import redirect from django.utils.http import is_safe_url def my_view(request): ... url = 'http://www.example.com/foo/bar' if is_safe_url(url, host='www.example.com'): return redirect(url) else: ...

Slide 125

Slide 125 text

Allowing Multiple Safe Hosts from django.utils.http import is_safe_url def is_whitelisted_url(url, hosts): for host in hosts: if is_safe_url(url, host=host): return True return False >>> url = 'http://us.pycon.org' >>> whitelist = ['us.pycon.org', 'pycon.org', ...] >>> is_whitelisted_url(url, whitelist) True

Slide 126

Slide 126 text

Flask Advice • Redirect back: http://ﬂask.pocoo.org/ snippets/62/ • Redirect back, more selectively with whitelist, using cookies for previous URL: http://ﬂask.pocoo.org/snippets/120/ • Can modify these approaches to suit, as with the Django example

Slide 127

Slide 127 text

Who here has vulnerable apps?

Slide 128

Slide 128 text

Who is ready to do something about it?

Slide 129

Slide 129 text

Parting Thoughts

Slide 130

Slide 130 text

Think Like a Bad Guy

Slide 131

Slide 131 text

Don’t Stop at Ten

Slide 132

Slide 132 text

Constant Change

Slide 133

Slide 133 text

Think Positive

Slide 134

Slide 134 text

Links • http://www.owasp.org • https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project • https://docs.djangoproject.com/en/dev/ topics/security/ • http://ﬂask.pocoo.org/docs/security • https://github.com/mpirnat/lets-be-bad-guys

Slide 135

Slide 135 text

Contact Me Mike Pirnat http://mike.pirnat.com @mpirnat