Upload
teige
View
30
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Secure software development for the World Wide Web. Derek Mathieson Group Leader Administrative Information Services CERN – Geneva, Switzerland. Who Am I. Agenda. Background Information Impact of Security Flaws Definitions Types of Attack Techniques / Solutions. - PowerPoint PPT Presentation
Citation preview
CERN – European Organization for Nuclear ResearchGS Department – Administrative Information Services
Secure software development for the World Wide Web
Derek MathiesonGroup Leader
Administrative Information ServicesCERN – Geneva, Switzerland
CERNGS-AIS
Who Am I
CERNGS-AIS
AgendaBackground InformationImpact of Security FlawsDefinitionsTypes of AttackTechniques / Solutions
CERNGS-AIS
Why Secure Web Application?
CERNGS-AIS
Impact of Security FlawsPing of deathMorris worm (1988)
– 6,000 infected computersSanty (2004)
– ~40,000 infected computers (in 24 hours)Conficker (2008)
– Up to 15,000,000 infected computers
CERNGS-AIS
http://inj3ct0r.com/
CERNGS-AIS
http://www.exploit-db.com/
CERNGS-AIS
DefinitionsIdentificationAuthenticationAuthorisationSession Management
CERNGS-AIS
Identification / AuthenticationHow Can You Prove Who You Are?
– Biometric Passport– Photo ID– Fingerprint– Username / Password
CERNGS-AIS
DefinitionsEntity
– A User, another computer system component
Identification– Providing credential such that a system can
recognise the entity and distinguish it from other entities.
Authentication– The process of verifying the identity of an
entity.
CERNGS-AIS
Authentication FactorsSomething an entity knows:
– Password, PINSomething an entity has:
– ID Card, private keySomething an entity is:
– Fingerprint, iris scan, …
CERNGS-AIS
AuthenticationSingle / Multi-factor Authentication
– Password only– Password + Fingerprint
Trade-off between– Convenience– Cost– Complexity– Security
CERNGS-AIS
Identity TheftForgotten Passwords
– Self ServiceLost ID Cards
– Blocking ListCompromised Private Keys
– CRL
What about Biometrics?
No easy solution
CERNGS-AIS
PasswordsServer good practices
– Never store them in ‘clear’– Use encrypted communication protocols
(SSL)– Log authentication failures–Use generic error messages:
• User/password combination not recognised’– Show user
• Last login date• Previous failed login attempts
CERNGS-AIS
Web Authentication TechniquesBasic AuthenticationDigest AuthenticationForm Authentication
CERNGS-AIS
Basic Authentication
CERNGS-AIS
Basic Authentication
Password:Username
Base64
QWxhZGRpbjpvcGVuIHNlc2FtZQ==
CERNGS-AIS
Basic AuthenticationNo encryption
– Username / Password ‘encoded’Depends on a secure communication
channel
CERNGS-AIS
Digest Authentication
CERNGS-AIS
Digest Authentication
PasswordrealmUsername
MD5
348RU349URFJ934FH3FH9… =HA1URIMethod
MD5
4I0R9I34F034403RI4I… =HA2
GET /Protected/secrets.html
CERNGS-AIS
Digest Authentication
HA2HA1
MD5
R3984UR34R43RU… =response
nonce
CERNGS-AIS
Digest AuthenticationAdvantages
– Communication is more secure• Some doubts over irreversibility of MD5
– Server nonce can avoid replay attacksDisadvantages
– Server password file is contains usable credentials in plaintext
– Vulnerable to a man-in-the-middle (MitM) attack
CERNGS-AIS
Digest Authentication
Request + Digest
ResponseUser Server
Request
401 Unauthorized + nonce
CERNGS-AIS
Digest Authentication
Attacker
User Server
Request
401 Unauthorized +
basic auth
Request
401 Unauthorized +
nonce
CERNGS-AIS
Digest Authentication
Attacker
User Server
Request + basic
ResponseRequest + Digest
ResponseUsername PasswordDerek VerySecret
CERNGS-AIS
Form Authentication
CERNGS-AIS
Form AuthenticationAdvantages
– Simple to develop– Richer User Interface– Can use multifactor authentication
Disadvantages– Depends on a secure communication
channel (usually)
CERNGS-AIS
Other Authentication MethodsSingle Sign-on
– OpenID, Shibboleth, …Integrated Windows AuthenticationToken-based
– One Time Passwords (OTP)• SecureID, YubiKey
– Public key authentication (SSL client certificates).
CERNGS-AIS
Authorisation
CERNGS-AIS
AuthorisationAn Authorisation system should:
– Allow access to resources to users/systems that are permitted to access them.
– Prevent access to those that are not permitted.
CERNGS-AIS
AuthorisationSystem requirements:
– Who (entity)– What (resource)– Which operation (read / update / delete / …)– Access Policy
CERNGS-AIS
Role Based Access ControlRoles are identified
– e.g. administrator, group leader, developer.Rights are assigned to roles
– group leader can access homepageRoles are assigned to entities
– Derek is a group leader
CERNGS-AIS
AIS Roles
CERNGS-AIS
Role Based Access ControlLess complex than individual
assignment of access rightsRoles can link to organization roles
– Automatic maintenance– Less administration
CERNGS-AIS
Authorisation: Good PracticesCheck every accessCentralise rights managementPrincipal of Least Privilege
CERNGS-AIS
Session Management
CERNGS-AIS
Session ManagementWhy do we need it?
– HTTP is state-less
CERNGS-AIS
Session Management
Credentials
Session ID: 42
User Server
User ID Session ID
Session Memory
Derek 42
Frank 43
Jim 44
Alex 45Jane 46
Billy 47
Lilly 48
CERNGS-AIS
Session ManagementGood Practices
– Keep Session ID secret!• Use encrypted communications.
– Make them unpredictable• Based on a random sequence• Never re-used
– Time limited
Use a standard framework
CERNGS-AIS
Types of AttackSession
– Session Fixation / Session ID Forgery– Cross-Site Scripting– Cross-Site Request Forgery
Injection– SQL Injection– Command Injection
Google Hacks
CERNGS-AIS
Cross-Site Scripting
XSS
CERNGS-AIS
Cross-Site ScriptingThe most common publicly-reported
security vulnerability– Up to 68% of websites could be vulnerable
CERNGS-AIS
Cross-Site Scripting (Persistent)
<script>…</script>
Server
User
Attacker
request
response +
malicious s
cript
CERNGS-AIS
Cross-Site Scripting (non-persistent)
‘Click H
ere’ + m
alicious script Server
User
Attacker
request +
malicious s
cript
response +
malicious s
cript
CERNGS-AIS
Cross-Site Scripting: ImpactSite defacement
CERNGS-AIS
USDA.GOV
CERNGS-AIS
EU President
CERNGS-AIS
BP.COM
CERNGS-AIS
Cross-Site Scripting: ImpactSite defacementIdentity TheftMalware distribution…
CERNGS-AIS
Cross-Site Scripting: Impact‘Samy’ XSS Worm on MySpace
– Automatically made ‘friend request’ back to author.
– Within 20 hours of release over 1,000,000 users were affected.
Author: Samy Kamkar– Arrested and on felony charge.
• Sentenced to three years probation, 90 days community service and an undisclosed amount of restitution.
CERNGS-AIS
Cross-Site Scripting: RemediesDo not trust any User Input
– Form Input– URLs– Cookies– HTTP Request Headers
CERNGS-AIS
Cross-Site Scripting: RemediesRemove / replace HTML entities
– ‘White List’ or ‘Black List’ Filter
Use Non-HTML Lightweight mark-up– Wiki– bb-code– Textile
Use a Site Scanning Tool– We use Acunetix
CERNGS-AIS
Cross-Site Request Forgery
CSRF / XSRF
CERNGS-AIS
Cross-Site Request Forgery
‘Click H
ere’
ServerUser
Attacker
request
response + embedded command
Evil Server
‘Hidden’ request
CERNGS-AIS
Cross-Site Request Forgery
<img src="http://bank.example/withdraw? account=bob&amount=1000000&for=mallory">
Embedded Image
<body onload="document.secretform.submit()"> <form name="secretform" method="POST" action="http:bank.example/account"> <input type="hidden" name="action" value= "transfer"> … </form></body>
Hidden Form
CERNGS-AIS
XSRF: RemediesFor End Users: Very Little!
– Log out before visiting other sites– Don’t use ‘remember me’ features– Don’t visit ‘untrustworthy’ sites
CERNGS-AIS
XSRF: RemediesFor Website Authors
– Include a hidden ‘nonce’ token in forms– Ignore GET parameters when processing a
POST– Include Authentication Cookies in POST
body (via JavaScript)
CERNGS-AIS
Injection Exploits
SQL Injection
CERNGS-AIS
SQL InjectionSQL Injection is user input allowed to
pass through and to the database directly
CERNGS-AIS
SQL Injection: Example
Log on to NetBank
User name:
Password:
Logon
b.cameron
••••••••
SELECT idFROM loginsWHERE username = '$username'AND password = '$password'
SELECT idFROM loginsWHERE username = 'b.cameron'AND password = 'SecretWord'
SELECT idFROM loginsWHERE username = 'b.cameron'AND password = 'X' OR 1 = 1
Attacker
X' or 1=1
CERNGS-AIS
SQL Injection: RemediesDo not trust any User Input
– Form Input– URLs– Cookies– HTTP Request Headers
Use a Site Scanning Tool
CERNGS-AIS
SQL Injection: RemediesPrepared Statements
– Advantages• Precompiled Query: Faster (usually)• Database engine does the bind
– Disadvantages• (a little) More Complex
SELECT idFROM loginsWHERE username = ?AND password = ?
CERNGS-AIS
Other Exploits
CERNGS-AIS
Command InjectionVariation of SQL Injection
– Injects malicious OS commandexec ("ls " + $userPath)exec ("ls /home/myfiles")exec ("ls .; cat /etc/passwd")
CERNGS-AIS
Google Hacking Databasehttp://www.hackersforcharity.org/ghdb
CERNGS-AIS
SummaryDo not trust any User Input
– Form Input– URLs– Cookies– HTTP Request Headers
Use a Site Scanning Tool
CERNGS-AIS
Thank You