Mehis Hakkaja presentation

Mehis Hakkaja
CEO/Founder/Owner
http://linkedin.com/in/mehishakkaja
E-stonia - IT solutions that make sense and work
Security out of necessity - “e-way of life”, too late to turn back
Web layer - the "glue" & delivery method
"Devil in the details" – end-point implementations, unique & custom-made solutions <= typical places to fail with typical vulnerabilities
Clarified Security OÜ
Estonian pentesting company & practical security trainer, immersed in the Estonian "IT fairy tale" & validating its practical security implementation
Penetration testing
"We break security to bring clarity"
Do you want the red or blue pill?
Hands-on security trainings
"We teach what we do and know the best"
Red Teaming for NATO CCDCoE large-scale Cyber Defence Exercises (CDX):
2010 May, CDX10 "Baltic Cyber Shield"
2012 Mar, CDX12 "Locked Shields"
2013 Apr, CDX13 "Locked Shields"
2014 Apr, CDX14 "Locked Shields" ...
Bug
[Diagram: "requirements" vs. "implementation"; what the requirements ask for but the implementation does not deliver is a bug]
Bug, Security Problem
[Diagram: "requirements" vs. "implementation"; what the implementation does that the requirements never asked for is a security problem]
Whittaker, James A. & Thompson, Herbert: "How to Break Software Security", 2003
Reliable software does
what it is supposed to do.
Secure software does
what it is supposed to do,
and nothing else.
Ivan Arce
OWASP (Open Web Application Security Project)
ASVS (Application Security Verification Standard)
● ASVS verification Levels
  Level 1: Automated Verification
    1A - Dynamic Scan (Partial Automated Verification)
    1B - Source Code Scan (Partial Automated Verification)
  Level 2: Manual Verification
    2A - Security Test (Partial Manual Verification)
    2B - Code Review (Partial Manual Verification)
  Level 3: Design Verification
  Level 4: Internal Verification
ASVS Verification Requirements
V1. Security Architecture
V2. Authentication
V3. Session Management
V4. Access Control
V5. Input Validation
V6. Output Encoding/Escaping
V7. Cryptography
V8. Error Handling and Logging
V9. Data Protection
V10. Communication Security
V11. HTTP Security
V12. Security Configuration
V13. Malicious Code Search
V14. Internal Security
Developers do what they are asked to do ...
... what if someone does something else?
● Business logic implementation errors, gotta love those :)
  a) CHEAP shopping
     bank links - standard things implemented wrong at the end point (e-shop, e-service, ...)
     * goodies for the price of one item ← is the payment AMOUNT actually verified?
       dumb user: 2 bank payment windows open, same shopping cart id, different amounts ...
       1337 haxor: changes the amount with the Firefox Tamper Data add-on / a web proxy tool
  b) FREE shopping
     * finding a hidden URL & broken access control = free 40" LCD TV
  c) MAKING MONEY while shopping
     * try negative amounts in a shopping cart with credit card payments
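The three shopping bugs above all come down to the shop's end point trusting numbers it did not produce. The following added example (not code from the presentation or from Clarified Security) models the return leg of a bank-link payment: the bank signs whatever amount it was asked to charge, so if the amount in the payment request was tampered with in the browser, the reply is genuine and says "1.00 paid". A handler that only looks at "status ok" marks the 499.00 order as paid; the hardened handler compares amount and currency against the order stored server-side, checks the signature, and refuses replays. `cart_total` covers the negative-quantity case. The field names, the order store, the catalogue and the HMAC signing (a stand-in for the bank's RSA signature) are all constructed for the demo.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Stand-in for the bank's signing key (constructed). Real bank links use an RSA
# signature over the reply fields; an HMAC keeps this demo self-contained.
BANK_KEY = b"constructed-demo-bank-key"

# Constructed catalogue and order store. The price and the amount the shop expects
# live HERE on the server, never in the request and never only in the bank's reply.
CATALOGUE = {"tv-40": Decimal("499.00"), "hdmi": Decimal("9.90")}


def fresh_orders():
    return {"cart-1001": {"amount": Decimal("499.00"), "currency": "EUR", "status": "new"}}


def sign_reply(fields):
    """MAC over every field except the MAC itself, in a fixed key order."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "mac")
    return hmac.new(BANK_KEY, msg.encode(), hashlib.sha256).hexdigest()


def bank_reply(order_id, amount, currency, status="ok"):
    """The reply the bank posts to the shop's return URL (illustrative field names).
    The bank signs whatever amount it was ASKED to charge: a payment request
    tampered to 1.00 yields a perfectly valid, signed reply saying 1.00 was paid."""
    fields = {"order_id": order_id, "amount": str(amount), "currency": currency, "status": status}
    fields["mac"] = sign_reply(fields)
    return fields


def handle_return_vulnerable(reply, orders):
    """Typical end-point bug: 'status ok' => order paid. The amount is never compared."""
    if reply.get("status") == "ok" and reply.get("order_id") in orders:
        orders[reply["order_id"]]["status"] = "paid"
        return True
    return False


def handle_return_hardened(reply, orders):
    """Accept only a genuine, fresh reply whose amount and currency match the stored order."""
    order = orders.get(reply.get("order_id"))
    if order is None or order["status"] != "new":
        return False                                  # unknown order, or a replayed reply
    if not hmac.compare_digest(sign_reply(reply), str(reply.get("mac", ""))):
        return False                                  # forged or altered reply
    if reply.get("status") != "ok":
        return False
    try:
        paid = Decimal(str(reply.get("amount")))
    except InvalidOperation:
        return False
    if paid != order["amount"] or reply.get("currency") != order["currency"]:
        return False                                  # the "cheap shopping" case
    order["status"] = "paid"
    return True


def cart_total(lines):
    """Server-side total: prices come from the catalogue, not the client, and a
    non-positive quantity is rejected instead of turning into a refund."""
    total = Decimal("0")
    for sku, qty in lines:
        qty = int(qty)
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        if qty <= 0:
            raise ValueError(f"invalid quantity {qty} for {sku!r}")
        total += CATALOGUE[sku] * qty
    return total
```

The check that matters is `paid != order["amount"]`: the signature only proves the bank sent the reply, not that the shop was paid what it asked for. The "two payment windows, same cart id" trick is the replay branch (`status != "new"`), and the negative-amount trick never reaches the payment provider because `cart_total` rejects it first.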
● Missing server-side controls = killing the front- & back-end server with one query :)
● S*** lists: standard mistakes of development companies & copy-paste code
  ... like continuing with an old session when logging in a new user
  ... & the usual OWASP Top 10 suspects: www.owasp.org/index.php/Top_10_2013
  ● A1 - Injection
  ● A2 - Broken Authentication and Session Management
  ● A3 - Cross-Site Scripting (XSS)
  ● A4 - Insecure Direct Object References
  ● A5 - Security Misconfiguration
  ● A6 - Sensitive Data Exposure
  ● A7 - Missing Function Level Access Control
  ● A8 - Cross-Site Request Forgery (CSRF)
  ● A9 - Using Components with Known Vulnerabilities
  ● A10 - Unvalidated Redirects and Forwards
It honestly really sucks to have to document them all in a report, repeatedly, within the same site ...
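"Continuing with an old session when logging in a new user" is session fixation, the copy-paste mistake behind many A2 findings. The added example below (not from the presentation) shows the attack against a minimal in-memory session store: the attacker obtains a pre-authentication session id, plants it in the victim's browser, and after the victim logs in simply reuses that id. The vulnerable login keeps whatever id the request carried (it even accepts an id the server never issued); the hardened one discards the pre-login session and issues a fresh id only after the password check succeeds. The user table, salted SHA-256 password hashing and the `SessionStore` class are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def _hash(salt, password):
    # Demo-only password hash; use a real password KDF in production.
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"constructed-salt"
USERS = {"victim": (_SALT, _hash(_SALT, "correct horse"))}   # constructed user table


def check_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash(salt, password), digest)


class SessionStore:
    """Server-side sessions: sid -> {"user": username or None}."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)            # unguessable, server-generated
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        sess = self.sessions.get(sid)
        return sess["user"] if sess else None


def login_vulnerable(store, presented_sid, username, password):
    """Keeps the session id that came with the request, even one the server never issued."""
    if not check_password(username, password):
        return None
    sess = store.sessions.setdefault(presented_sid, {"user": None})
    sess["user"] = username
    return presented_sid


def login_hardened(store, presented_sid, username, password):
    """Authenticates, then drops the pre-login session and issues a fresh id."""
    if not check_password(username, password):
        return None
    store.sessions.pop(presented_sid, None)       # old id is now worthless to whoever knows it
    new_sid = store.create()
    store.sessions[new_sid]["user"] = username
    return new_sid                                # caller sets this as the new cookie


def fixation_attack(login):
    """Attacker fixes a session id on the victim's browser (e.g. via a crafted link
    or cookie injection), the victim logs in, attacker checks whether that id is
    now authenticated. Returns (attacker's view, victim's view)."""
    store = SessionStore()
    attacker_sid = store.create()                 # any valid pre-auth id will do
    victim_sid = login(store, attacker_sid, "victim", "correct horse")
    return store.user_for(attacker_sid), store.user_for(victim_sid)
```

With `login_vulnerable`, `fixation_attack` returns `("victim", "victim")`: the attacker is logged in as the victim without ever seeing a password. With `login_hardened` the attacker's id is gone and only the freshly issued id carries the login. Frameworks usually expose this as a one-liner (PHP's `session_regenerate_id(true)`, the Servlet API's `HttpServletRequest.changeSessionId()`); the bug is forgetting to call it at the privilege change.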
An almost native-language (Estonian) slide, too
● The “things” integrated with the central, awesome “things” (X-tee/X-Road, bank links, DigiDoc-ery, etc.) are broken
● Everything is input & there are many processing environments! (DDOC/BDOC/CDOC metadata, file names)
  – Stored XSS, path traversal + blind overwrite, BoF
  – Base software <-- update the libraries and know what changes were made and why
● “Promiscuous” use of the personal identification code (isikukood) in application requests + access control errors
  + inadequate logging & monitoring = personalised and targeted attacks that we do not know about!
  * substituting someone else's personal ID code for your own in your requests (ID codes = Google, Business Register, ...)
  * case-management and collaboration environments/software = a targeted-attack vector
  …
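"Everything is input" applies to the file names inside signature containers as much as to form fields: BDOC/ASiC-E containers are zip files, and an entry named `../../../tmp/planted.txt` or `/etc/cron.d/planted` becomes path traversal the moment a naive extractor joins it to a destination directory, while an entry named `index.php` becomes a blind overwrite of a file that was already there. The added example below (not from the presentation, and not DigiDoc library code) builds a constructed container with such hostile entries and extracts it with the two checks a practitioner wants: normalise and validate each entry name, and create target files with exclusive-create mode so nothing existing is ever overwritten. The `safe_member_name`, `extract_container` and `build_demo_container` names and the sample entries are all invented for the demo.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def safe_member_name(name):
    """Return a normalised relative path for a container entry, or None if the
    name is empty, absolute, carries a drive letter, or traverses upwards."""
    if not name:
        return None
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm.startswith("/"):
        return None
    parts = norm.split("/")
    if any(p in ("", ".", "..") for p in parts) or ":" in parts[0]:
        return None
    return norm


def extract_container(data, dest):
    """Extract a zip-based signature container into dest.
    Returns (extracted_names, [(original_name, reason), ...])."""
    dest_real = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            safe = safe_member_name(info.filename)
            if safe is None:
                rejected.append((info.filename, "unsafe entry name"))
                continue
            target = os.path.join(dest_real, *safe.split("/"))
            # Belt and braces: after resolving symlinks the path must still be inside dest.
            if os.path.commonpath([dest_real, os.path.realpath(target)]) != dest_real:
                rejected.append((info.filename, "escapes destination"))
                continue
            try:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                # "x" = create only: an existing file is an error, never a silent overwrite.
                with zf.open(info) as src, open(target, "xb") as dst:
                    dst.write(src.read())
            except FileExistsError:
                rejected.append((info.filename, "would overwrite existing file"))
                continue
            extracted.append(safe)
    return extracted, rejected


def build_demo_container():
    """Constructed ASiC-E/BDOC-style container with hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.etsi.asic-e+zip")
        zf.writestr("META-INF/manifest.xml", "<manifest/>")
        zf.writestr("document.pdf", "%PDF-1.4 constructed")
        zf.writestr("../../../tmp/planted.txt", "path traversal")
        zf.writestr("/etc/cron.d/planted", "absolute path")
        zf.writestr("index.php", "<?php /* would overwrite the site */ ?>")
    return buf.getvalue()


def demo():
    """Extract into a temp dir that already holds index.php; report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        with open(os.path.join(dest, "index.php"), "w") as f:
            f.write("original")
        extracted, rejected = extract_container(build_demo_container(), dest)
        with open(os.path.join(dest, "index.php")) as f:
            survived = f.read()
    return extracted, [name for name, _ in rejected], survived
```

The same discipline applies to the DDOC (XML) flavour, where the file name is an attribute rather than a zip entry: validate it with `safe_member_name` before it touches the file system, and treat it as untrusted text before it touches an HTML page, which is where the stored-XSS finding on the slide comes from.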
● Trust, but verify (audits and penetration testing)
● Set the web application security metrics before development starts! (OWASP ASVS)
Hacking Demo:
Web vulnerability as a vector for taking over your entire company network
„What can we break for you?“
www.clarifiedsecurity.com/trainings
www.facebook.com/pages/Clarified-Security/301801776551016
www.linkedin.com/company/clarified-security-o-/