Security of Web Applications
TOP 6 RISKS TO AVOID
Console.WriteLine("Hello World");
I'm Audrius Kovalenko
.NET Developer
Hack for fun
@slicklash
http://www.notreallycode.com
Forecasts for Upcoming Years
VERY CLOUDY
SaaS GROWTH
WEB APPLICATIONS IN HIGH-DEMAND
Web Application Security Today
Source: Web Hacking Incident Database (WHID)
Distribution of Attack Methods in 2011
Puzzle
How to pour all liquid into the glass?
IMPOSSIBLE
Everyone knows it
How to deliver secure product knowing little about application security?
If that's my bag... whose bag is it then?
Breaker: SQLi, XSS, CSRF; HD Moore, Bruce Schneier, Troy Hunt, Michał Zalewski
Builder: Agile, TDD, Refactoring, DI, REST, Design Patterns; Kent Beck, Steve Freeman, Martin Fowler
Builder vs Breaker
Problem
We don't know what we don't know
The Unknowns
WHAT ARE THE COUNTERMEASURES?
WHAT TO LOOK FOR?
WHAT ARE THE MAJOR RISKS?
CWE/SANS Top 25 Most Dangerous Software Errors
https://cwe.mitre.org/top25
What is a risk anyway?
The OWASP Top 10: 6 Web Risks
A1 INJECTION
A2 CROSS SITE SCRIPTING (XSS)
A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
A4 INSECURE DIRECT OBJECT REFERENCES
A5 CROSS SITE REQUEST FORGERY (CSRF)
A6 SECURITY MISCONFIGURATION
Injections
Breaking out of a data context into a code context
Why is SQLi still around?
Injections (2)
var catId = Request.QueryString["Category"];
var sql = "SELECT * FROM Products WHERE [CategoryId] = " + catId;
Anti-Injection
ORM
PARAMETERIZED QUERIES
DON'T BE LAZY
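The "parameterized queries" bullet, as an added example that is not from the deck: the slide's query rewritten so the category id travels as a typed parameter instead of being glued into the statement text. ProductsController, ProductRepository, the injected connection string and the Products table are assumed names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

// Assumed controller; the connection string is assumed to come from config.
public class ProductsController : Controller
{
    private readonly string connectionString;

    public ProductsController(string connectionString)
    {
        this.connectionString = connectionString;
    }

    public ActionResult ByCategory()
    {
        string catIdRaw = Request.QueryString["Category"];

        // Reject anything that is not an integer before it reaches the database.
        int catId;
        if (!int.TryParse(catIdRaw, out catId))
        {
            return new HttpStatusCodeResult(400, "Category must be an integer.");
        }

        DataTable products = ProductRepository.GetByCategory(connectionString, catId);
        return View(products);
    }
}

public static class ProductRepository
{
    public static DataTable GetByCategory(string connectionString, int catId)
    {
        const string sql = "SELECT * FROM Products WHERE [CategoryId] = @CategoryId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // The value is sent separately from the statement text, so the
            // database never parses it as SQL: there is no way out of the data context.
            cmd.Parameters.Add("@CategoryId", SqlDbType.Int).Value = catId;

            var table = new DataTable();
            adapter.Fill(table); // Fill opens and closes the connection itself
            return table;
        }
    }
}
```

The "ORM" bullet amounts to the same thing: a LINQ query such as `db.Products.Where(p => p.CategoryId == catId)` is translated by Entity Framework into parameterized SQL, so the value is never concatenated. The `int.TryParse` step still belongs in the action either way, because a non-numeric category is a bad request, not a database concern.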
Cross Site Scripting (XSS)
Injection of client-side code into Web pages viewed by other users
public static MvcHtmlString DeviceInfoEvil(this HtmlHelper helper)
{
    string s = "<span>" + helper.ViewContext.HttpContext.Request.UserAgent + "</span>";
    return MvcHtmlString.Create(s);
}
[...]
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5;)<script>alert(1);</script>
[...]
public static MvcHtmlString DeviceInfoGood(this HtmlHelper helper)
{
    TagBuilder userAgent = new TagBuilder("span");
    userAgent.SetInnerText(helper.ViewContext.HttpContext.Request.UserAgent);
    return MvcHtmlString.Create(userAgent.ToString());
}
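DeviceInfoGood handles the HTML body context. Output filtering depends on where the value lands, so as an added example (not from the deck) here is the same helper emitting the User-Agent into three contexts, each with the encoder for that context. It assumes the Microsoft AntiXSS library (namespace Microsoft.Security.Application) is referenced; DeviceInfoEncoded is an assumed name.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS: the Encoder class

public static class DeviceInfoHelpers
{
    // Assumed helper name. Renders the User-Agent into an HTML attribute,
    // an HTML element body and a JavaScript string, encoding for each context.
    public static MvcHtmlString DeviceInfoEncoded(this HtmlHelper helper)
    {
        string ua = helper.ViewContext.HttpContext.Request.UserAgent ?? string.Empty;

        // Element body: < > & " ' become entities, so <script> is shown, not run.
        string body = Encoder.HtmlEncode(ua);

        // Quoted attribute value: the encoder also covers the characters that
        // would close the attribute or add a new one.
        string attr = Encoder.HtmlAttributeEncode(ua);

        // JavaScript string literal: non-alphanumerics become \xHH escapes and
        // the encoder wraps the result in quotes itself.
        string js = Encoder.JavaScriptEncode(ua);

        string html =
            "<span title=\"" + attr + "\">" + body + "</span>" +
            "<script>var userAgent = " + js + ";</script>";

        return MvcHtmlString.Create(html);
    }
}
```

Without the AntiXSS library, `HttpUtility.HtmlEncode`, `HttpUtility.HtmlAttributeEncode` and `HttpUtility.JavaScriptStringEncode` from System.Web cover the same three contexts. In Razor views the `@` syntax already HTML-encodes, which is why the risk concentrates in custom helpers and anything wrapped in `MvcHtmlString.Create` or `Html.Raw`.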
Cross Site Request Forgery (CSRF)
Forged requests executed by tricking an authenticated victim
<img src="https://bank.com/smth?param=1" />
<iframe src="https://bank.com/smth?param=1" />
<body onload="document.forms[0].submit()">
  <form method="post" action="https://bank.com/smth">
    <input type="hidden" name="param" value="1" />
  </form>
</body>
Anti-XSS
INPUT FILTERING
OUTPUT FILTERING
MICROSOFT AntiXSS
OUTPUT FILTERING
ANTIFORGERY TOKENS
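The "antiforgery tokens" bullet in ASP.NET MVC, as an added example that is not from the deck: a state-changing action that only accepts POST and only with a valid token, which defeats all three forged-request forms on the CSRF slide. TransferController, TransferViewModel and TransferService are assumed names; the Razor view is sketched in a comment.

```csharp
using System.Web.Mvc;

public class TransferViewModel
{
    public string ToAccount { get; set; }
    public decimal Amount { get; set; }
}

public class TransferController : Controller
{
    // GET renders the form. The Razor view (assumed) emits the token inside it:
    //   @using (Html.BeginForm("Create", "Transfer", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()
    //       @Html.EditorForModel()
    //       <input type="submit" value="Transfer" />
    //   }
    // Html.AntiForgeryToken writes a hidden __RequestVerificationToken field and
    // a matching cookie. A page on another origin can neither read that cookie
    // nor guess the field value, so it cannot build a request that passes.
    [Authorize]
    [HttpGet]
    public ActionResult Create()
    {
        return View(new TransferViewModel());
    }

    // The change happens only on POST, so the <img> and <iframe> variants
    // (which issue GET) never reach this code. The auto-submitted form variant
    // does issue a POST, but it carries no valid hidden field, so
    // ValidateAntiForgeryToken rejects it before the action body runs.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(TransferViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // The source account is the logged-in user, never a value from the request.
        TransferService.Execute(User.Identity.Name, model.ToAccount, model.Amount);
        return RedirectToAction("Create");
    }
}

// Assumed placeholder for the domain layer so the example compiles on its own.
public static class TransferService
{
    public static void Execute(string fromUser, string toAccount, decimal amount)
    {
        // Real implementation lives in the domain layer.
    }
}
```

The pairing matters: `[HttpPost]` without the token still falls to the auto-submitted form on the CSRF slide, and the token without `[HttpPost]` still falls to a plain `<img>` request, because the attribute only validates requests that actually carry form data.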
Broken Authentication and Session Management
Poor implementation of authentication and session management
6.5 MILLION HASHES, PLAIN SHA1 (June 2012)
450 000 PASSWORDS, PLAIN TEXT (July 2012)
Be careful
OUTPUT FILTERING
HASH + SALT + STRETCHING
NO HARDCODED "SHORTCUTS"
TLS
Use #if DEBUG
bcrypt/scrypt
https://www.cookiecadger.com
DON'T REINVENT THE WHEEL
Insecure Direct Object References
Unauthorized access through an exposed reference to an internal implementation object
MASS ASSIGNMENT VULNERABILITY
Insecure Direct Object References (2)
public class User
{
    public string UserName { get; set; }
    public bool IsAdmin { get; set; }
}

[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult UpdateUser(User model)
{
    if (ModelState.IsValid)
    {
        var user = db.Users.Single(u => u.UserName == model.UserName);
        if (TryUpdateModel(user))
        {
            db.SaveChanges();
        }
    }
    return View();
}
Insecure Direct Object References (3)
public ActionResult UpdateUser([Bind(Exclude = "IsAdmin")] User model) // Black Listing - NO
[...]
public ActionResult UpdateUser([Bind(Include = "UserName")] User model) // White Listing - OK
[...]
public class UserViewModel // Secure by Design - BEST
{
    public string UserName { get; set; }
}
Countermeasures
CODE REVIEWS
ACCESS CHECKS
NO COPY-PASTE
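The "access checks" bullet together with the secure-by-design view model, as an added example that is not from the deck: an id in the URL is a direct object reference, and the query itself ties the record to the caller so that a guessed id belonging to someone else returns nothing. Order, ShopContext, OrdersController, OrderNoteViewModel and the column names are assumed.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

public class Order
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public decimal Total { get; set; }
    public string Note { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<Order> Orders { get; set; }
}

// Only the field a customer may change. Id, Total and OwnerUserName are not
// here, so model binding cannot reach them no matter what the POST contains.
public class OrderNoteViewModel
{
    public string Note { get; set; }
}

[Authorize]
public class OrdersController : Controller
{
    private readonly ShopContext db = new ShopContext();

    // The ownership condition is part of the query, not a check bolted on
    // afterwards, so there is no code path that loads another user's record.
    private Order FindOwnedOrder(int id)
    {
        string caller = User.Identity.Name;
        return db.Orders.SingleOrDefault(o => o.Id == id && o.OwnerUserName == caller);
    }

    // GET /Orders/Details/42
    public ActionResult Details(int id)
    {
        Order order = FindOwnedOrder(id);
        if (order == null)
        {
            // Same answer for "does not exist" and "not yours", so walking the
            // id space reveals nothing about other customers' orders.
            return HttpNotFound();
        }
        return View(order);
    }

    // POST /Orders/UpdateNote/42
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult UpdateNote(int id, OrderNoteViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        Order order = FindOwnedOrder(id);
        if (order == null)
        {
            return HttpNotFound();
        }

        // Copy the one permitted field by hand rather than TryUpdateModel(order),
        // which would bind every property the request happens to name.
        order.Note = model.Note;
        db.SaveChanges();
        return RedirectToAction("Details", new { id = id });
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing)
        {
            db.Dispose();
        }
        base.Dispose(disposing);
    }
}
```

This is where "no copy-paste" bites: the `FindOwnedOrder` query is the single place the ownership rule lives, so a new action cannot forget the check by pasting a bare `db.Orders.Find(id)` from somewhere else.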
Security Misconfiguration
Improper application configuration
Web.Config Security Analyzer
https://sourceforge.net/projects/wcsa
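The deck points at a dedicated analyzer; as an added example (not from the deck and not the WCSA tool) here is a minimal checker in the same spirit, run over two constructed web.config fragments: one as it typically leaves a developer's machine, and the same settings corrected for production. The elements and attributes are the real ASP.NET ones; the finding texts and sample configs are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

public static class WebConfigChecker
{
    // Returns one finding per <system.web> setting left in its development state.
    public static List<string> Check(string webConfigXml)
    {
        var findings = new List<string>();
        XElement systemWeb = XElement.Parse(webConfigXml).Element("system.web");
        if (systemWeb == null)
        {
            findings.Add("no <system.web> section found");
            return findings;
        }

        if (Attr(systemWeb, "compilation", "debug") == "true")
            findings.Add("compilation debug=\"true\": debug build served to users");

        if (Attr(systemWeb, "customErrors", "mode") == "off")
            findings.Add("customErrors mode=\"Off\": stack traces and paths shown to remote users");

        if (Attr(systemWeb, "trace", "enabled") == "true")
            findings.Add("trace enabled=\"true\": trace.axd exposes request details");

        if (Attr(systemWeb, "httpCookies", "httpOnlyCookies") != "true")
            findings.Add("httpCookies httpOnlyCookies not true: script can read the session cookie");

        if (Attr(systemWeb, "httpCookies", "requireSSL") != "true")
            findings.Add("httpCookies requireSSL not true: cookies also travel over plain HTTP");

        return findings;
    }

    // Lower-cased attribute value, or null when the element or attribute is absent.
    private static string Attr(XElement parent, string element, string attribute)
    {
        XElement e = parent.Element(element);
        XAttribute a = e == null ? null : e.Attribute(attribute);
        return a == null ? null : a.Value.ToLowerInvariant();
    }

    // Constructed sample: a config as it often leaves a developer's machine.
    public const string DevelopmentConfig = @"<configuration>
  <system.web>
    <compilation debug=""true"" targetFramework=""4.0"" />
    <customErrors mode=""Off"" />
    <trace enabled=""true"" />
  </system.web>
</configuration>";

    // Constructed sample: the same settings corrected for production.
    public const string HardenedConfig = @"<configuration>
  <system.web>
    <compilation debug=""false"" targetFramework=""4.0"" />
    <customErrors mode=""RemoteOnly"" defaultRedirect=""~/Error"" />
    <trace enabled=""false"" />
    <httpCookies httpOnlyCookies=""true"" requireSSL=""true"" />
  </system.web>
</configuration>";

    public static void Main()
    {
        foreach (string finding in Check(DevelopmentConfig))
        {
            Console.WriteLine("FINDING: " + finding);
        }
        Console.WriteLine("Hardened config findings: " + Check(HardenedConfig).Count);
    }
}
```

Run against DevelopmentConfig it reports all five settings (the missing `<httpCookies>` element counts as both cookie flags unset); against HardenedConfig it reports none. A check like this belongs in the build or deployment step, which is also the point of the "Use #if DEBUG" advice: anything that exists only to make development easier should be compiled or configured out before the application reaches production.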
Introducing security in development
DEDICATED PERSON
SPECIAL TRAINING
SELF TRAINING: LEARN, PRACTICE, UNDERSTAND
Common Excuses
TIGHT DEADLINES (Budget)
NO ONE WILL HACK US (Ignorance)
The Real Issue
WRONG PERSON IN WRONG PLACE: Architect, Manager, Lazy Co-Worker
Security is hard but possible when you know
Drowning is your personal problem
Don't forget
Further Reading
Highly Recommended
ACADEMIC
ENTERPRISE
HACKER
Learning From The Breakers
http://www.irongeek.com
Hacking Illustrated: Video from Security Conferences