Mehis Hakkaja
CEO/Founder/Owner
http://linkedin.com/in/mehishakkaja

E-stonia - IT solutions that make sense and work
● Security out of necessity - “e-way of life”, too late to turn back
● Web layer - the "glue" & delivery method
● "Devil in the details" – end-point implementations, unique & custom-made solutions <= typical places to fail with typical vulnerabilities

Clarified Security OÜ
Estonian pentesting company & practical security trainer, immersed in the Estonian "IT fairy tale" & validating its practical security implementation
● Penetration testing - "We break security to bring clarity". Do you want the red or blue pill?
● Hands-on security trainings - "We teach what we do and know the best"
● Red Teaming for NATO CCDCoE large-scale Cyber Defence Exercises (CDX):
  2010 May, CDX10 "Baltic Cyber Shield"
  2012 Mar, CDX12 "Locked Shields"
  2013 Apr, CDX13 "Locked Shields"
  2014 Apr, CDX14 "Locked Shields"
  ...

[Diagram: "Bug" - requirements / implementation / bug]
[Diagram: "Bug, Security Problem" - requirements / implementation / bug / security problem]
Whittaker, James A. & Thompson, Herbert - „How to Break Software Security“, 2003

"Reliable software does what it is supposed to do. Secure software does what it is supposed to do, and nothing else." - Ivan Arce

OWASP (Open Web Application Security Project) ASVS (Application Security Verification Standard)
● ASVS verification Levels
  Level 1: Automated Verification
    1A - Dynamic Scan (Partial Automated Verification)
    1B - Source Code Scan (Partial Automated Verification)
  Level 2: Manual Verification
    2A - Security Test (Partial Manual Verification)
    2B - Code Review (Partial Manual Verification)
  Level 3: Design Verification
  Level 4: Internal Verification

ASVS Verification Requirements
V1. Security Architecture
V2. Authentication
V3. Session Management
V4. Access Control
V5. Input Validation
V6. Output Encoding/Escaping
V7. Cryptography
V8. Error Handling and Logging
V9. Data Protection
V10. Communication Security
V11. HTTP Security
V12. Security Configuration
V13.
Malicious Code Search
V14. Internal Security

Developers do what they are asked to do ...
... what if someone does something else?

● Business logic implementation errors, gotta love those :)
  a) CHEAP shopping
     banklinks - standard things implemented wrong at the end point (e-shop, e-service, ...)
     * goodies for the price of one item ← is the payment AMOUNT actually verified?
       dumbuser: 2 bank payment windows open, same shopping cart id, different amounts ...
       1337 haxor: changes the amount with FF Data Tamper Add-on / Web Proxy tool
  b) FREE shopping
     * finding a hidden URL & broken access control = free 40" LCD TV
  c) MAKING MONEY while shopping
     * try negative amounts in a shopping cart with credit card payments
● Missing server-side controls = killing the front- & back-end server with one query :)
● S*** lists: standard mistakes of development companies & copy-paste code ... like continuing with an old session when logging in a new user

… & the usual OWASP Top 10 suspects: www.owasp.org/index.php/Top_10_2013
● A1 - Injection
● A2 - Broken Authentication and Session Management
● A3 - Cross-Site Scripting (XSS)
● A4 - Insecure Direct Object References
● A5 - Security Misconfiguration
● A6 - Sensitive Data Exposure
● A7 - Missing Function Level Access Control
● A8 - Cross-Site Request Forgery (CSRF)
● A9 - Using Components with Known Vulnerabilities
● A10 - Unvalidated Redirects and Forwards
It honestly really sucks to have to document them all in a report, repeatedly, within the same site ...

An almost native-language slide as well
● The "things" integrated with the central cool "things" (X-tee, bank links, DigiDoc and the like) are broken
● Everything is input & there are many processing environments!
  (DDOC/BDOC/CDOC metadata, file names)
  – Stored XSS, path traversal + blind overwrite, BoF
  – Base software <-- update the libraries and know which changes were made and why
● "Promiscuous" use of the personal ID code (in application requests) + access control errors + insufficient logging & monitoring = personalised and targeted attacks that we do not know about!
  * replacing the personal ID code in one's own requests with someone else's (ID code = Google, business register ...)
  * case-handling and collaboration environments/software = a targeted attack vector …
● Trust, but verify (audits and penetration testing)
● Put web application security metrics in place before development starts! (OWASP ASVS)

Hacking Demo: Web vulnerability as a vector for taking over your entire company network

„What can we break for you?“
www.clarifiedsecurity.com/trainings
www.facebook.com/pages/Clarified-Security/301801776551016
www.linkedin.com/company/clarified-security-o-/
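The "CHEAP shopping" and "MAKING MONEY while shopping" cases from the business-logic slide come down to two missing server-side checks: the amount a bank link reports back is never compared with the order, and the cart accepts quantities that are not positive integers. The following is an added example, not code from the deck or from Clarified Security. The catalogue, the order ids, the "EUR" currency and the HMAC stand-in for the bank's signature are all constructed for this example; a real bank link uses the bank's own signing scheme, but the reference, amount, currency and replay checks are the same.

```python
"""Cart pricing and bank-link callback verification for an e-shop back end (added example)."""
import hashlib
import hmac
from decimal import Decimal

CATALOGUE = {"tv40": Decimal("499.00"), "cable": Decimal("9.90")}  # constructed prices
BANK_SECRET = b"constructed-shared-secret"  # placeholder for the bank's real key material

ORDERS = {}  # order_id -> {"total": Decimal, "currency": str, "paid": bool}


def validate_cart(items):
    """Return the problems with {sku: quantity}; an empty list means the cart is sane."""
    problems = []
    for sku, qty in items.items():
        if sku not in CATALOGUE:
            problems.append(f"unknown sku {sku!r}")
        # bool is a subclass of int, so it has to be excluded explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            problems.append(f"quantity {qty!r} for {sku!r} is not a positive integer")
    return problems


def create_order(order_id, items, currency="EUR"):
    """Price the cart on the server only; the client never supplies a total."""
    problems = validate_cart(items)
    if problems:
        raise ValueError("; ".join(problems))  # blocks the negative-amount 'making money' case
    total = sum((CATALOGUE[sku] * qty for sku, qty in items.items()), Decimal("0"))
    ORDERS[order_id] = {"total": total, "currency": currency, "paid": False}
    return total


def bank_sign(fields):
    """Stand-in for the bank's signature over every callback field except 'sig'."""
    msg = "|".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "sig").encode()
    return hmac.new(BANK_SECRET, msg, hashlib.sha256).hexdigest()


def signature_ok(fields):
    return hmac.compare_digest(bank_sign(fields), fields.get("sig", ""))


def callback_vulnerable(fields):
    """The end-point mistake: a valid bank signature is taken to mean 'paid in full'."""
    if not signature_ok(fields) or fields.get("ref") not in ORDERS:
        return False
    ORDERS[fields["ref"]]["paid"] = True
    return True


def callback_hardened(fields):
    """Signature, then reference, then amount and currency against the stored order, then replay."""
    if not signature_ok(fields):
        return False
    order = ORDERS.get(fields.get("ref"))
    if order is None or order["paid"]:
        return False  # unknown order, or a second callback for an order already settled
    try:
        paid_amount = Decimal(fields.get("amount", ""))
    except (ArithmeticError, TypeError, ValueError):
        return False
    if paid_amount != order["total"] or fields.get("currency") != order["currency"]:
        return False  # the 'goodies for the price of one item' case: a smaller payment was made
    order["paid"] = True
    return True


def bank_callback(ref, amount, currency="EUR"):
    """Build what the bank would send back for a payment the customer actually made (constructed)."""
    fields = {"ref": ref, "amount": amount, "currency": currency}
    fields["sig"] = bank_sign(fields)
    return fields


if __name__ == "__main__":
    create_order("demo", {"tv40": 1, "cable": 2})
    print("1.00 accepted by vulnerable handler:", callback_vulnerable(bank_callback("demo", "1.00")))
    ORDERS["demo"]["paid"] = False
    print("1.00 accepted by hardened handler:", callback_hardened(bank_callback("demo", "1.00")))
    print("518.80 accepted by hardened handler:", callback_hardened(bank_callback("demo", "518.80")))
```

The hardened handler treats the bank's signature as proof that some payment happened, not as proof that the right payment happened: the order total stored at checkout is the only amount it trusts, and an order is settled exactly once, so the "two payment windows, same cart id" race cannot mark a cart paid with the smaller of two amounts.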
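Two of the "standard mistakes" the deck names are continuing with the pre-login session when a new user logs in, and serving whatever personal ID code arrives in the request instead of the one bound to the authenticated session (the "promiscuous" ID-code use from the Estonian slide). The following is an added example, not code from the deck or from Clarified Security: a minimal session store with a vulnerable and a hardened login, and a record look-up that either trusts the request or binds it to the session. The store, the person records, the "PERSON-A"/"PERSON-B" codes and the delegation table are constructed stand-ins.

```python
"""Session rotation on login and personal-code-bound access control (added example)."""
import secrets

PERSON_DATA = {  # constructed records keyed by a placeholder personal ID code
    "PERSON-A": {"name": "A", "cases": ["case-1"]},
    "PERSON-B": {"name": "B", "cases": ["case-2"]},
}
AUDIT_LOG = []  # the deck's 'insufficient logging & monitoring': denied look-ups must leave a trace


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> personal code, or None before login

    def new_anonymous(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login_vulnerable(self, sid, person_code):
        """Upgrades the existing id in place: whoever planted or observed that id before
        login now holds an authenticated session for this user (session fixation)."""
        if sid not in self._sessions:
            return None
        self._sessions[sid] = person_code
        return sid

    def login_hardened(self, sid, person_code):
        """Discards the pre-login id and issues a fresh one bound to the user."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = person_code
        return new_sid

    def person_for(self, sid):
        return self._sessions.get(sid)


def get_record_vulnerable(store, sid, requested_code):
    """Authenticates but never authorises: the ID code taken from the request is served as-is."""
    if store.person_for(sid) is None:
        return None
    return PERSON_DATA.get(requested_code)


def get_record_hardened(store, sid, requested_code, delegations=None):
    """Serve a record only for the session's own person, or for an explicitly delegated code.

    delegations (constructed): {caller_code: [codes the caller may act for]}.
    """
    caller = store.person_for(sid)
    if caller is None:
        return None
    allowed = {caller} | set((delegations or {}).get(caller, ()))
    if requested_code not in allowed:
        AUDIT_LOG.append(f"DENY caller={caller} requested={requested_code}")
        return None
    return PERSON_DATA.get(requested_code)


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.new_anonymous()
    sid = store.login_hardened(pre_login, "PERSON-A")
    print("old id still valid:", store.person_for(pre_login) is not None)
    print("vulnerable look-up of B by A:", get_record_vulnerable(store, sid, "PERSON-B"))
    print("hardened look-up of B by A:", get_record_hardened(store, sid, "PERSON-B"))
    print("audit:", AUDIT_LOG)
```

The point of the audit line is the slide's last clause: without it, a substituted ID code in an otherwise valid request is indistinguishable from normal traffic, and the targeted attacks the deck describes stay invisible.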