The OWASP Foundation
http://www.owasp.org

Why hackers don't care about your firewall
Seba Deleersnyder
seba@owasp.org

Sebastien Deleersnyder?
• 5 years developer experience
• 11 years information security experience
• Managing Technical Consultant, SAIT Zenitel
• Belgian OWASP chapter founder
• OWASP board member
• www.owasp.org
• Co-organizer of www.BruCON.org

OWASP World
OWASP is a worldwide free and open community focused on improving the security of application software. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks. The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work.

Myth
We are secure because we have a firewall

75% of Internet vulnerabilities are at the web application layer*
* Gartner Group (2002 report)

Source: Jeremiah Grossman, BlackHat 2001

20th century technology
Security evolution?
Source: Gunnar Peterson (Arctec Group)

A firewall-friendly protocol = "a skull-friendly bullet" (Bruce Schneier)

Your security "perimeter" has huge holes at the application layer
[Figure: the application layer (custom developed application code, web services, billing, human resources, directories, legacy systems, databases) sits on top of the network layer (web server, app server, hardened OS, firewalls); an APPLICATION ATTACK passes straight through both firewalls.]
You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

OWASP Top 10

A1 – Injection
Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter
Interpreters…
• Take strings and interpret them as commands
• SQL, OS shell, LDAP, XPath, Hibernate, etc.
SQL injection is still quite common
• Many applications are still susceptible (we really don't know why)
• Even though it's usually very simple to avoid
Typical impact
• Usually severe. The entire database can usually be read or modified
• May also allow full access to the database schema, to accounts, or even OS-level access

Example: SQL injection attack
[Figure: user → HTTPS → web server → application server → database]
Intended query:
  select user_information from user_table where username='input username' and password='input password'
Query after the attacker submits the username ' or 1=1 -- :
  select user_information from user_table where username='' or 1=1 -- ' and password='abc'
The -- starts an SQL comment, so the password check is never evaluated and every row satisfies "or 1=1".

RockYou?
December 2009
• A hacker used SQL injection techniques to hack the database of RockYou
• RockYou creates applications for MySpace, Facebook, …
Result
• Data of 32,603,388 user and administrative accounts was compromised (credentials + clear-text passwords)
• The data also contained email addresses and passwords for third-party sites
Question: how many of those users use the same password for other sites too?
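The login query from the A1 slide, built both ways, as an added example that is not from the deck: the string-concatenated version accepts the slide's payload (and, one step further, reads another column), the parameterized version treats the same input as inert data. The in-memory SQLite table and its two user rows are constructed for the demo; storing the passwords in clear text mirrors the slide and RockYou and is itself the mistake A8 later describes.

```python
"""Added example (not from the OWASP deck): the A1 login query built by
string concatenation and, beside it, as a parameterized query, run against
an in-memory SQLite table.  The user rows are constructed for the demo."""
import sqlite3

# Constructed sample data: (username, password, user_information).
# Clear-text passwords as on the slide; a real table holds salted hashes (A8).
USERS = [("alice", "s3cret", "alice@example.com"),
         ("bob", "hunter2", "bob@example.com")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table user_table "
               "(username text, password text, user_information text)")
    db.executemany("insert into user_table values (?, ?, ?)", USERS)
    return db


def vulnerable_login(db, username, password):
    """The slide's query with the input pasted straight into the SQL text.
    Returns the user_information values the database hands back."""
    sql = ("select user_information from user_table "
           "where username='%s' and password='%s'" % (username, password))
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return ["SQL error: %s" % exc]   # malformed injection attempts end up here


def safe_login(db, username, password):
    """Parameterized query: the values travel separately from the SQL text,
    so a quote or comment marker in the input is just data to be compared."""
    rows = db.execute("select user_information from user_table "
                      "where username=? and password=?", (username, password))
    return [row[0] for row in rows]


# The slide's payload, and one step further: reading a different column,
# which is the "entire database can usually be read" impact in practice.
BYPASS = "' or 1=1 --"
DUMP = "' union select password from user_table --"

if __name__ == "__main__":
    db = make_db()
    print("legitimate          :", vulnerable_login(db, "alice", "s3cret"))
    print("bypass (concat)     :", vulnerable_login(db, BYPASS, "abc"))
    print("dump passwords      :", vulnerable_login(db, DUMP, "abc"))
    print("bypass (parameters) :", safe_login(db, BYPASS, "abc"))
```

The comment marker matters: everything after `--` is discarded by the database, which is why the fixed `and password='abc'` clause never takes part in the vulnerable query. The parameterized version returns nothing for either payload because the driver compares the whole string `' or 1=1 --` against the username column.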
A2 – Cross-Site Scripting (XSS)
Occurs any time…
• Raw data from an attacker is sent to an innocent user's browser
Raw data…
• Stored in a database
• Reflected from web input (form field, hidden field, URL, etc.)
• Sent directly into a rich JavaScript client
Virtually every web application has this problem
• Try this in your browser: javascript:alert(document.cookie)
Typical impact
• Steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site
• Most severe: install an XSS proxy which allows the attacker to observe and direct all of the user's behavior on the vulnerable site and force the user to other sites

XSS = Cross-Site Scripting
Web application vulnerability
Injection of code into web pages viewed by others
XSS = the new buffer overflow
JavaScript = the new shellcode

XSSED.ORG
Still not fixed (with redirection):
http://www.google.com/search?btnI&q=allinurl:http://www.xssed.com/

Browser Exploitation Framework

A3 – Broken Authentication and Session Management
HTTP is a "stateless" protocol
• Means credentials have to go with every request
• Should use SSL for everything requiring authentication
Session management flaws
• A SESSION ID is used to track state since HTTP doesn't
• …and it is just as good as credentials to an attacker
• The SESSION ID is typically exposed on the network, in the browser, in logs, …
Beware the side doors
• Change my password, remember my password, forgot my password, secret question, logout, email address, etc.
Typical impact
• User accounts compromised or user sessions hijacked

Session Fixation Attack

A4 – Insecure Direct Object References
How do you protect access to your data?
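Before the A4 detail, an added example for the A3 slides above, in particular the session fixation attack and the point that a session ID is as good as credentials to an attacker; it also produces the kind of token the CSRF slides (A5) later call for. This is not from the deck: the SessionStore class, the single user and its PBKDF2 password hash, and the server secret are all constructed for the demo.

```python
"""Added example (not from the OWASP deck): a minimal server-side session
store with the session-fixation defence (issue a fresh ID when the user
logs in) and a CSRF token bound to the session.  The SessionStore class,
the user table, the PBKDF2 hashing and the secret key are constructed."""
import hashlib
import hmac
import os

SERVER_SECRET = os.urandom(32)   # per-deployment key for CSRF tokens (demo: fresh per run)


def _hash_pw(password, salt):
    # Salted PBKDF2 instead of the clear-text storage RockYou was caught with (A8).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_salt = os.urandom(16)
USERS = {"alice": (_salt, _hash_pw("s3cret", _salt))}   # constructed user


class SessionStore:
    def __init__(self, rotate_on_login=True):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}            # session ID -> {"user": name or None}

    def new_session(self):
        """Anonymous session for a first visit; 128 random bits as the ID."""
        sid = os.urandom(16).hex()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Returns the session ID the client must use from now on, or None.
        rotate_on_login=False keeps whatever ID the client presented, so an
        ID planted by an attacker becomes the victim's authenticated session.
        rotate_on_login=True destroys the pre-login ID and issues a new one."""
        rec = USERS.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(_hash_pw(password, salt), stored):
            return None
        if not self.rotate_on_login:
            self.sessions.setdefault(sid, {})["user"] = username  # even accepts unknown IDs
            return sid
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = username
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def csrf_token(self, sid):
        """HMAC(secret, session ID): only valid together with this session.
        A forged cross-site request carries the cookie automatically but
        cannot read the page, so it cannot supply this value."""
        return hmac.new(SERVER_SECRET, sid.encode(), "sha256").hexdigest()

    def check_csrf(self, sid, token):
        return hmac.compare_digest(self.csrf_token(sid), token or "")


def fixation_attack(store):
    """Attacker obtains a valid anonymous ID, plants it in the victim's
    browser (e.g. a link carrying the ID), then the victim logs in.
    Returns the user the attacker's planted ID now resolves to."""
    planted = store.new_session()
    store.login(planted, "alice", "s3cret")      # victim logs in with the planted ID
    return store.user_for(planted)
```

With rotation off, `fixation_attack` returns `"alice"`: the attacker never needed to steal anything, only to choose the ID in advance. With rotation on it returns `None`, because the ID the attacker knows was discarded at login and the authenticated session lives under a value only the victim's browser received.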
• This is part of enforcing proper "authorization", along with A7 – Failure to Restrict URL Access
A common mistake…
• Only listing the 'authorized' objects for the current user, or
• Hiding the object references in hidden fields
• …and then not enforcing these restrictions on the server side
• This is called presentation layer access control, and it doesn't work
• The attacker simply tampers with the parameter value
Typical impact
• Users are able to access unauthorized files or data

Insecure Direct Object References Illustrated
https://www.onlinebank.com/user?acct=6065
• Attacker notices his acct parameter is 6065: ?acct=6065
• He modifies it to a nearby number: ?acct=6066
• Attacker views the victim's account information

A5 – Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery
• An attack where the victim's browser is tricked into issuing a command to a vulnerable web application
• The vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request
Imagine…
• What if a hacker could steer your mouse and get you to click on links in your online banking application?
• What could they make you do?
Typical impact
• Initiate transactions (transfer funds, log out the user, close the account)
• Access sensitive data
• Change account details

CSRF Illustrated

Good Saturday for Orkut Users

A6 – Security Misconfiguration
Web applications rely on a secure foundation
• All through the network and platform
• Don't forget the development environment
Is your source code a secret?
• Think of all the places your source code goes
• Security should not require secret source code
Configuration management must extend to all parts of the application
• All credentials should change in production
Typical impact
• Install a backdoor through a missing network or server patch
• XSS flaw exploits due to missing application framework patches
• Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration

Security Misconfiguration Illustrated
[Figure: custom code for the business functions (communication, knowledge management, e-commerce, administration, transactions, accounts, finance) on top of app configuration, framework, app server, web server, hardened OS and database; around it the development, test and QA servers and source control, plus the insider.]

Serving up malware
A quick Google Safe Browsing search of TechCrunch Europe's site shows suspicious activity twice over the last 90 days.
"Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent." (Sep 2010)
Reason: unpatched WordPress

A7 – Failure to Restrict URL Access
How do you protect access to URLs (pages)?
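One server-side answer to that question, and to the same question asked for data under A4 (the tampered acct parameter), as an added example that is not from the deck: every request is checked against the caller's role for the URL and against ownership for the object, whatever links or fields the page offered. The bank URLs are the ones on the slides; the accounts, users, roles and the handle() dispatcher are constructed for the demo.

```python
"""Added example (not from the OWASP deck): server-side authorization for
the online-banking URLs on the A4 and A7 slides, /user?acct=N and
/user/getAccounts versus /admin/getAccounts.  Accounts, users, roles and
the dispatcher are constructed for the demo."""
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed data.
ACCOUNTS = {6065: {"owner": "mallory", "balance": 120},
            6066: {"owner": "victim", "balance": 98000}}
ROLES = {"mallory": "user", "victim": "user", "root": "admin"}

# A7: the role each URL prefix requires.  Anything not listed is denied.
PATH_ROLES = {"/user/": "user", "/manager/": "manager", "/admin/": "admin"}
ROLE_RANK = {"user": 0, "manager": 1, "admin": 2}


def required_role(path):
    for prefix, needed in PATH_ROLES.items():
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return needed
    return None


def authorize_path(username, path):
    """Deny by default: unknown user, unlisted path, or insufficient role."""
    role, needed = ROLES.get(username), required_role(path)
    if role is None or needed is None:
        return False
    return ROLE_RANK[role] >= ROLE_RANK[needed]


def view_account_vulnerable(username, acct):
    """A4 as on the slide: trusts the acct parameter completely."""
    return ACCOUNTS.get(acct)


def view_account(username, acct):
    """A4 fixed: resolve the reference, then enforce ownership server-side.
    'Absent' and 'not yours' get the same answer, so IDs cannot be probed."""
    rec = ACCOUNTS.get(acct)
    if rec is None or rec["owner"] != username:
        return None
    return rec


def handle(username, url):
    """Tiny dispatcher: URL/role check first (A7), then object check (A4).
    Returns (status, body)."""
    parts = urlsplit(url)
    # Prefix matching is only meaningful on a normalized path, otherwise
    # /user/../admin/getAccounts would match the "/user/" rule.
    path = posixpath.normpath(parts.path)
    query = parse_qs(parts.query)
    if not authorize_path(username, path):
        return 403, None
    if path == "/user":
        try:
            acct = int(query.get("acct", [""])[0])
        except ValueError:
            return 400, None
        rec = view_account(username, acct)
        return (200, rec) if rec else (404, None)
    if path.endswith("/getAccounts"):
        if path.startswith("/user/"):
            body = {n: r for n, r in ACCOUNTS.items() if r["owner"] == username}
        else:                                   # manager/admin views see everything
            body = dict(ACCOUNTS)
        return 200, body
    return 404, None
```

The two checks are deliberately separate: the role check cannot tell that account 6066 belongs to somebody else, and the ownership check cannot tell that /admin/getAccounts is not for ordinary users. Presentation-layer control, hiding the link or the field, is replaced by a server that answers 403 or 404 no matter how the request was produced.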
• This is part of enforcing proper "authorization", along with A4 – Insecure Direct Object References
A common mistake…
• Displaying only authorized links and menu choices
• This is called presentation layer access control, and it doesn't work
• The attacker simply forges direct access to 'unauthorized' pages
Typical impact
• Attackers invoke functions and services they're not authorized for
• Access other users' accounts and data
• Perform privileged actions

Failure to Restrict URL Access Illustrated
https://www.onlinebank.com/user/getAccounts
• Attacker notices the URL indicates his role: /user/getAccounts
• He modifies it to another directory (role): /admin/getAccounts, or /manager/getAccounts
• Attacker views more accounts than just his own

A8 – Insecure Cryptographic Storage
Storing sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data gets stored
• Databases, files, directories, log files, backups, etc.
• Failure to properly protect this data in every location
Typical impact
• Attackers access or modify confidential or private information
• e.g. credit cards, health care records, financial data (yours or your customers')
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance
• Business gets sued and/or fined

Encrypt customer data?
Customer data of 77 million accounts compromised (potentially credit card data as well)

A9 – Insufficient Transport Layer Protection
Transmitting sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data is sent
• On the web, to backend databases, to business partners, internal communications
• Failure to properly protect this data in every location
Typical impact
• Attackers access or modify confidential or private information
• e.g. credit cards, health care records, financial data (yours or your customers')
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident
• Business gets sued and/or fined

Still not using SSL?

A10 – Unvalidated Redirects and Forwards
Web application redirects are very common
• And frequently include user-supplied parameters in the destination URL
• If they aren't validated, an attacker can send the victim to a site of their choice
Forwards (aka Transfer in .NET) are common too
• They internally send the request to a new page in the same application
• Sometimes parameters define the target page
• If not validated, an attacker may be able to use an unvalidated forward to bypass authentication or authorization checks
Typical impact
• Redirect the victim to a phishing or malware site
• The attacker's request is forwarded past security checks, allowing unauthorized function or data access

Jobs by CNN?
http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW

Download: http://www.owasp.org/index.php/Top_10

CAN WE WIN THE WAR ON INSECURE SOFTWARE?

Enter the rest of OWASP
People
• Education
• Guides (build, test, code review)
• Events
• …
Tools
• WebGoat
• WebScarab
• ESAPI
• …
Process
• Requirements list
• CLASP
• SAMM
• …

Software Assurance Maturity Model (SAMM)

SAMM Security Practices
• The Security Practices cover all areas relevant to software security assurance
• Each one is a 'silo' for improvement

Build "your" roadmap
• Gap analysis: capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
To make the "building blocks" usable, SAMM defines roadmap templates for typical kinds of organizations

OWASP Projects Are Alive!
[Figure: project timeline from 2001 through 2003, 2005, 2007 and 2010 …]

www.owasp.org

OWASP NEAR YOU
Upcoming local events
• OWASP chapter meetings:
  • 23 May – Brussels: The Ghost of XSS Past, Present and Future – A Defensive Tale (by Jim Manico, Infrared Security)
  • 16 Jun – Brussels: The OWASP AppSensor Project (by Colin Watson, Watson Hall Ltd); How to become Twitter's admin: An introduction to Modern Web Service Attacks (by Andreas Falkenberg, RUB)
• OWASP AppSec Europe – Dublin – Jun 7-9
• BruCON – Brussels – Sep 19-22
• OWASP BeNeLux – Luxembourg – Nov 30/Dec 1

Subscribe to the mailing list: www.owasp.be
Keep up to date!

Want to support OWASP?
Become a member, annual donation of:
• $50 Individual
• $5000 Corporate
This enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global steering activities…