Your web application seen from the Hell’s Kitchen
RubyDay.it - Torino, November 13 2015
< CodiceInsicuro />
Slide 2
$ whoami
• Application Security Specialist
• Ruby lover
• Blogger at https://codiceinsicuro.it
• Husband && Dad
• Taekwon-do ITF martial artist
• Twitter hashtag for today’s topic: #appsec_hk
Slide 3
Section 1
Alone in the darkness
Slide 4
Section objectives
• Understand the risk of exposing a poorly designed web application
• See some real world break-ins
• Know what SQL injection, XSS, exploits, authentication bypass and user enumeration mean
Slide 5
The Internet
As normal people think it is…
Slide 6
The Internet
As it really is…
a place full of opportunities, to make business and to be ruined by villains
Slide 7
Attackers are everywhere
• Villains (want your databases, want to take over your servers, want to stop you from working)
• Bots (the same as villains, but fully automated)
• Malware (wants to spread itself, mostly to hijack your workstation and steal data)
• Activists (the same as villains, but philosophy driven)
Slide 8
Breaches in 2015 (US)
http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf
Slide 9
Very popular breach in 2015
https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
Slide 10
Even crowdfunders got hacked
https://patreon.thecthulhu.com/
Slide 11
Some Italian breaches in 2015
sources:
http://urlin.it/131563
http://urlin.it/131564
http://urlin.it/131565
Slide 12
“The” Italian breach in 2015
http://urlin.it/131566
Slide 13
They happen every… single… day
http://www.zone-h.org
Slide 14
What attackers want - 1
Other people’s identity
Servers
Servers picture courtesy by: Matthew Musgrove (https://flic.kr/p/6xsbxQ)
Bot picture courtesy by: Jenn and Tony Bot (https://flic.kr/p/6Bk6p8)
Botnets
Slide 15
What attackers want - 2
Hacktivism
Guy fawkes mask picture courtesy by: Thierry Hermann (https://flic.kr/p/bmUQJw)
Newspaper vendor picture courtesy by: Nathan Gibbs (https://flic.kr/p/deNep)
Boycott corporations
Money
Bitcoin guy picture courtesy by: scottks (https://flic.kr/p/j1XXSa)
Slide 16
The OWASP Top 10 (2013 edition)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Slide 17
Hosting risks
• Cloud is the new black
• Shared servers are dangerous
• Outsourced security
- you’re a number, not a priority
- are hosting providers security aware?
- do they perform VA and WAPT on a regular basis?
- do they have Web Application Firewalls?
Slide 18
OS based risks
• Poorly configured daemons
• Missing patches (security || all)
• Non-hardened accounts
• Missing basic firewall protection
• Advanced web application firewall protection is required too…
Slide 19
Authentication risks
• Information leakage due to poorly configured SSL
• User enumeration
• Weak credentials. Password policy, anyone?
• Authentication bypass due to poor session management - session fixation
Slide 20
Runtime risks
• Cross site scripting
- reflected
- stored
- DOM based
• SQL injections
• Vulnerable third party components (OS, system daemons, libraries, …)
Slide 21
Section 2
Dangers from strangers
Slide 22
Section objectives
• Learn more about security tools (both commercial and open source… but we love the latter most)
• See how some very common attacks can be carried out.
Slide 23
This is not an ethical hacking class!!!
But I want to show you some funny stuff :-)
Slide 24
Victim 1: The ancient server
• Ubuntu 8.04 based
• Heavily misconfigured
• Made to be exploited
• “Do they still exist?” - “Yes!”
Slide 25
Victim 2: Cyclone Transfer
• Rails 3.2 web app
• It breaks a lot of code style guidelines
• Serious vulnerabilities inside
Slide 26
Victim 3: Railsgoat
• Rails 4 web application
• OWASP project made to train developers about appsec
Slide 27
Victim 4: A broken Sinatra app
• Sinatra based app
• The “Hello World!” of XSS examples
• Here to demonstrate how to use BDD and a security story
• … and because I love Sinatra
Slide 28
Bonus Victim: Old WordPress
• It’s PHP, everybody here is happy to break it!
• Powers 25% of the websites out there (58.7% of websites with a CMS installed) - http://w3techs.com/technologies/details/cm-wordpress/all/all
• Vulnerabilities in plugins and themes come out almost every day
Slide 29
Attacking servers
Slide 30
Step 0. Information gathering
• Detect open ports and listening services
• Detect Operating System
Slide 31
Step 1. Vulnerability assessment
• Use Google to find vulns
- vsftpd
- smb
- nfs
- Unreal ircd
• Use tools (€€€!)
- Nexpose
- Nessus
- Qualys
Slide 32
Step 2. Exploit / OS
It’s showtime
Slide 33
Step 2. Exploit / OS (daemons)
It’s showtime
Slide 34
Attacking web applications
Slide 35
Step 0. Information gathering
• Google dorks
• Netcraft services
• Venerable whois
• “ip:” query courtesy of Bing
(today we work offline, so those techniques won’t be applicable)
Slide 36
Step 1. Reconnaissance
• Detect web server and underlying framework
• SSL Certificate check
• URLs enumeration
• Website crawling
Section objectives
• Harden your server and keep it updated automagically
• Set up some basic ipfilter rules
• Set up a web application firewall with nginx and mod_security
• Use code review to heal our source code from vulnerabilities
• Learn some tips to write safe code starting from today
Slide 40
Heal your basement
• Tune your OS with automatic security patching
• Install an intrusion detection software (tripwire or aide)
• Set up firewalling with iptables
• Harden your configuration
- install libpam-cracklib
- set up password aging
Slide 41
Heal your web exposure
• Lock down your web server config
• Install and tune mod_security
• Do a very basic penetration test before deploying
Slide 42
Heal your code
• Deploy the safe way
• Use code review
• Follow best practices
Slide 43
Deploy, the insane way
• Not using a versioning system at all
• Using SMB-provided cut & paste facilities
• Copying all the repository content via a bulk command
• rsync
Slide 44
Deploy, the sane way
• Double check ORM / Warden configuration
• Provide securely generated seeds
• Use staging and run regression tests
• Use capistrano-like tools
• if DateTime.now.wday == 5 then sleep(172800) end # 2 days! :-)
Slide 45
If you’re thinking “I know, but I’m always late”, then “automate it”
Slide 46
Remember: you must be authorised
Please, be nice
Please
Really
Slide 47
But be aware of ‘revenge of the .git’
It’s showtime
Slide 48
Use code review tools
• Choose the tool you’re most comfortable with
• Integrate it in your rake test strategy
• Some KPIs you must have:
- some stats about your code (LOC, comment density, …)
- vulnerabilities in third party dependencies
- warnings about bad programming habits
Slide 49
Review the code: dawnscanner
It’s showtime
Slide 50
Review the code: brakeman
It’s showtime
(the important rule is not to trust a single tool… trust only your brain)
Slide 51
What about dynamic testing?
…or the time I wanted a web application penetration test but had to deploy today…
oh… it’s showtime again
Slide 52
Testing software is good but…
• Customers don’t give enough time
- strict timeframes
- unclear specs (remember, ideally it’s up to the customer to write BDD scenarios)
• We’re not trained to
- school teaches us that we must ship code that works
- school doesn’t teach us how to write good test lists
Slide 53
So let’s be realistic
even #appsec guys have a heart
Slide 54
So let’s be realistic
• We must test our software
• But we don’t have time, we have to ship code
• So testing must be
- automatic
- generic
- fast
- easy to consume
• This way we can iterate over development - testing - shipment
Slide 55
Let’s use [T|B]DD
• Write your own security stories
• Ask your neighbourhood #appsec guy to write them
• Use something already prepared (http://www.continuumsecurity.net/bdd-getstarted.html)
• Integrate your stories in your testing workout
• You just scored an A- in your security class
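Added example (not from the slides or the talk’s demo apps): the “Hello World!” reflected XSS of the Sinatra victim next to its output-encoded fix, plus a Given/When/Then security story of the kind described above that fails on the first handler and passes on the second. Sinatra itself is not required: the handlers are plain methods taking a params hash, and the probe string is a constructed test value.

```ruby
# Added example, not code from the original slides. Reflected XSS in a
# Sinatra-style greeting route, its escaped counterpart, and a BDD-style
# security story that can be wired into rake test / RSpec / Cucumber.
require 'erb'

# Vulnerable handler: the "name" query parameter is interpolated straight
# into the HTML response, so markup in the input is rendered as markup.
def hello_vulnerable(params)
  "<h1>Hello #{params['name']}!</h1>"
end

# Hardened handler: output encoding with the stdlib ERB::Util.html_escape,
# which turns < > & " ' into entities so the input is rendered as text.
def hello_safe(params)
  "<h1>Hello #{ERB::Util.html_escape(params['name'])}!</h1>"
end

# Security story, Given/When/Then style:
#   Given a greeting page that reflects the "name" parameter
#   When a visitor sends a value containing HTML markup
#   Then the response must not contain that markup unescaped
# Returns a result hash so a test suite can assert on it.
PROBE = '<script>alert(1)</script>' # constructed test value, not a real payload
def security_story(handler)
  body = send(handler, 'name' => PROBE)
  passed = !body.include?(PROBE) && !body.match?(/<script/i)
  { handler: handler, passed: passed, body: body }
end

# Run the story against both handlers; only the escaped one should pass.
def run_stories
  [:hello_vulnerable, :hello_safe].map { |h| security_story(h) }
end

if $PROGRAM_NAME == __FILE__
  run_stories.each do |r|
    puts "#{r[:passed] ? 'PASS' : 'FAIL'} #{r[:handler]}: #{r[:body]}"
  end
end
```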
Slide 56
Use [T|B]DD
It’s showtime
Slide 57
Some links
• This is the slide everybody loves
• A comprehensive list will be available at https://codiceinsicuro.it/useful_links.txt