Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Your web application seen from the hell's kitchen

Paolo Perego
November 13, 2015

Your web application seen from the hell's kitchen

This is the deck for the talk I gave at Rubyday 2015 in Turin.
Attackers see your web application in a very different way, it's not product, it's a target.

Paolo Perego

November 13, 2015
Tweet

More Decks by Paolo Perego

Other Decks in Technology

Transcript

  1. Your web application seen
    from the Hell’s Kitchen
    RubyDay.it - Torino, November 13 2015
    < CodiceInsicuro />

    View full-size slide

  2. $ whoami
    • Application Security Specialist
    • Ruby lover
    • Blogger at https://codiceinsicuro.it
    • Husband && Dad
    • Taekwon-do ITF martial artist
    • Twitter hashtag for today’s topic:
    #appsec_hk

    View full-size slide

  3. Section 1
    Alone in the darkness

    View full-size slide

  4. Section objectives
    • Understand the risk of exposing a poor
    designed web application
    • See some real world break-ins
    • Knows what SQLinj, XSS, exploits,
    authentication bypass, user enumeration
    mean

    View full-size slide

  5. The Internet
    As normal people think it is…

    View full-size slide

  6. The Internet
    As it really is…
    a place full of opportunities, to make business and to be ruined by villains

    View full-size slide

  7. Attackers are everywhere
    • Villains (want your databases, want to
    takeover your servers, want you to stop
    to work)
    • Bots (the same as villains but fully
    automated)
    • Malware (wants to spread itself mostly
    to hijack your workstation and steal
    data)
    • Activists (the same as villains but
    philosophy driven)

    View full-size slide

  8. Breaches in 2015 (US)
    http://www.idtheftcenter.org/images/breach/
    ITRCBreachStatsReportSummary2015.pdf

    View full-size slide

  9. Very popular breach in 2015
    https://en.wikipedia.org/wiki/Ashley_Madison_data_breach

    View full-size slide

  10. Even crowfunders got hacked
    https://patreon.thecthulhu.com/

    View full-size slide

  11. Some Italian breaches in 2015
    sources:
    http://urlin.it/131563
    http://urlin.it/131564
    http://urlin.it/131565

    View full-size slide

  12. “The” Italian breach in 2015
    http://urlin.it/131566

    View full-size slide

  13. They happens every… single… day
    http://www.zone-h.org

    View full-size slide

  14. What attackers want - 1
    Other people identity
    Servers
    Servers picture courtesy by: Matthew Musgrove (https://flic.kr/p/6xsbxQ)
    Bot picture courtesy by: Jenn and Tony Bot (https://flic.kr/p/6Bk6p8)
    Botnets

    View full-size slide

  15. What attackers want - 2
    Hacktivism
    Guy fawkes mask picture courtesy by: Thierry Hermann (https://flic.kr/p/bmUQJw)
    Newspaper vendor picture courtesy by: Nathan Gibbs (https://flic.kr/p/deNep)
    Boycott corporations
    Money
    Bitcoin guy picture courtesy by: scottks (https://flic.kr/p/j1XXSa)

    View full-size slide

  16. The Owasp Top 10 (2013 edition)
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

    View full-size slide

  17. Hosting risks
    • Cloud is the new black
    • Shared servers are dangerous
    • Outsourced security
    - you’re a number, not a priority
    - are hosting providers security aware?
    - do they make VA and WAPT on regular
    basis?
    - do they have Web Application Firewalls?

    View full-size slide

  18. OS Based risks
    • Poorly configured daemons
    • Missing patches (security || all)
    • Non hardened accounts
    • Missing basic firewall protection
    • Advanced web application firewall
    protection is required too…

    View full-size slide

  19. Authentication risks
    • Information leakage due to SSL poorly
    configured
    • User enumeration
    • Weak credentials. Password policy,
    anyone?
    • Authentication bypass due to poor
    session management - Session fixation

    View full-size slide

  20. Runtime risks
    • Cross site scripting
    - reflected
    - stored
    - DOM Based
    • SQL Injections
    • Vulnerable third party components (OS,
    system daemons, libraries, …)

    View full-size slide

  21. Section 2
    Dangers from strangers

    View full-size slide

  22. Section objectives
    • Learn more about security tools (both
    commercial than opensource… but we
    love most the latter)
    • See how some very common attacks can
    be carried on.

    View full-size slide

  23. This is not an ethical
    hacking class!!!
    But I want to show you some funny stuff :-)

    View full-size slide

  24. Victim 1: The ancient server
    • Ubuntu 8.04 based
    • Heavily misconfigured
    • Made to be exploited
    • “Do they still exists?” - “Yes!”

    View full-size slide

  25. Victim 2: Cyclone Transfer
    • Rails 3.2 web app
    • It brake a lot of code stilling guide
    • Serious vulnerabilities inside

    View full-size slide

  26. Victim 3: Railsgoat
    • Rails 4 web application
    • Owasp project made to train developers
    about appsec

    View full-size slide

  27. Victim 4: A broken Sinatra app
    • Sinatra based app
    • The “Hello World!” of the XSS example
    • Here to demonstrate how to use BDD
    and a security story
    • … and because I love Sinatra

    View full-size slide

  28. Bonus Victim: Old WordPress
    • It’s PHP, everybody here is happy to
    break it!
    • Empower 25% of the Internet websites
    out there (58,7% of websites with a
    CMS installed) - http://w3techs.com/
    technologies/details/cm-wordpress/all/
    all
    • Vulnerabilities for plugins and themes
    out almost everyday

    View full-size slide

  29. Attacking servers

    View full-size slide

  30. Step 0. Information gathering
    • Detect open ports and listening services
    • Detect Operating System

    View full-size slide

  31. Step 1. Vulnerability
    assessment
    • Use Google to find vulns
    - vsftpd
    - smb
    - nfs
    - Unreal ircd
    • Use tools (€€€!)
    - Nexpose
    - Nessus
    - Qualys

    View full-size slide

  32. Step 2. Exploit / OS
    It’s showtime

    View full-size slide

  33. Step 2. Exploit / OS (daemons)
    It’s showtime

    View full-size slide

  34. Attacking web
    applications

    View full-size slide

  35. Step 0. Information gathering
    • Google dorks
    • Netcraft services
    • Venerable whois
    • “ip:” query courtesy by Bing
    (today we work offline, those techniques
    won’t be applicable)

    View full-size slide

  36. Step 1. Recognisance
    • Detect web server and underlying
    framework
    • SSL Certificate check
    • URLs enumeration
    • Website crawling

    View full-size slide

  37. Step 2. Exploit
    It’s showtime
    (image courtesy by: http://www.themoviethemesong.com/wargames/)

    View full-size slide

  38. Section 3
    Heal the world, make a better place

    View full-size slide

  39. Section objectives
    • Harden your server and keep it updated
    automagically
    • Setup some basic ipfilter rules
    • Setup a web application firewall with
    nginx and mod_security
    • Use code review to heal our source code
    from vulnerabilities
    • Learn some tips to write safe code
    starting from today

    View full-size slide

  40. Heal your basement
    • Tune your OS with automatic security
    patching
    • Install an intrusion detection software
    (tripwire or aide)
    • Setup firewalling with iptables
    • Harden your configuration
    - install libpam-cracklib
    - setup password aging

    View full-size slide

  41. Heal your web exposure
    • Lockdown your web server config
    • Install and tune mod_security
    • Do a very basic penetration test before
    deploy

    View full-size slide

  42. Heal your code
    • Deploy the safe manner
    • Use code review
    • Follow best practices

    View full-size slide

  43. Deploy, the insane way
    • Not using a versioning system at all
    • Using SMB provided, cut & paste
    facilities
    • Copying all repository content via bulk
    command
    • rsync

    View full-size slide

  44. Deploy, the sane way
    • Double check ORM / Warden
    configuration
    • Provide securely generated seeds
    • Use staging and make regression tests
    • Use capistrano-like tools
    • if DateTime.now.wday == 5 then
    sleep(172800); // 2 days! :-)

    View full-size slide

  45. If you’re thinking “I know, but I’m
    always late”, then “automate it”

    View full-size slide

  46. Remember: you must be authorised
    Please, be nice
    Please
    Really

    View full-size slide

  47. But be aware of ‘revenge of the .git’
    It’s showtime

    View full-size slide

  48. Use code review tools
    • Choose the tool you’re more
    comfortable with
    • Integrate in your rake test strategy
    • Some KPI you must have:
    - some stats about your code (LOC/
    comment density, …)
    - vulnerability in third party dependencies
    - warning about bad programming habits

    View full-size slide

  49. Review the code: dawnscanner
    It’s showtime

    View full-size slide

  50. Review the code: brakeman
    It’s showtime
    (the important rule is not to trust a single tool… trust only your brain)

    View full-size slide

  51. What about dynamic testing?
    …or the time I wanted a web application penetration test but I must deploy today…
    oh… it’s showtime again

    View full-size slide

  52. Testing software is good but…
    • Customers don’t give enough time
    - strict timeframes
    - not clear specs (remember, ideally it’s
    up to the customer to write BDD
    scenarios)
    • We’re not trained to
    - school teach us we must deploy a code
    that is working
    - school doesn’t teach us how to write
    good test lists

    View full-size slide

  53. So let’s be realistic
    even #appsec guys have an heart

    View full-size slide

  54. So let’s be realistic
    • We must test out software
    • But we don’t have time, we have to ship code
    • So testing must be
    - automatic
    - generic
    - fast
    - easy to consume
    • This way we can iterate over development -
    testing - shipment

    View full-size slide

  55. Let’s use [T|B]DD
    • Write your own security stories
    • Ask you neighbourhood #appsec guy to
    write them
    • Use something already prepared (http://
    www.continuumsecurity.net/bdd-
    getstarted.html)
    • Integrate your stories in your testing
    workout
    • You just scored a A- in your security
    class

    View full-size slide

  56. Use [T|B]DD
    It’s showtime

    View full-size slide

  57. Some links
    • This is the slide everybody loves
    • A comprehensive list will be available at
    https://codiceinsicuro.it/useful_links.txt

    View full-size slide

  58. Thanks!
    @thesp0nge

    View full-size slide