Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation, http://www.owasp.org

Securing Open Source Projects with OWASP Guide 2.0

By Andrew van der Stock, April 2005, [email protected]


Page 1: Securing Open Source Projects with OWASP Guide 2.0


The OWASP Foundation, http://www.owasp.org

Securing Open Source Projects with OWASP Guide 2.0

By Andrew van der Stock, April 2005, [email protected]

Page 2: Securing Open Source Projects with OWASP Guide 2.0

What is OWASP?

Open Web Application Security Project
Non-profit, volunteer driven organization
  All members are volunteers
  All work is donated by sponsors
Provide free resources to the community
  Publications, Articles, Standards
  Testing and Training Software
  Local Chapters & Mailing Lists
Supported through sponsorships
  Corporate support through financial or project sponsorship
  Personal sponsorships from members

Page 3: Securing Open Source Projects with OWASP Guide 2.0

OWASP Guide 2.0

Three years in the making
Major new version
Complete ground-up re-write
Adopts OWASP Top 10 approach
Now has information on web services!
Currently:
  Three times the length of the old standard
  More than three times the amount of controls
  Deals with nearly all web application security issues

Page 4: Securing Open Source Projects with OWASP Guide 2.0

Massive overhaul

Developer standards
Threat Risk Modelling
Phishing
Credit Card Handling
Web Services
18 new authentication controls
11 new authorization controls
12 new session management controls (including CSRF)
Error/Log/Audit
Data Validation
Interpreter Injection (includes LDAP and XML)
File System
Admin interfaces
Unicode/Locale/I18N
Buffer overflows
Cryptography
Privacy
Configuration
SQA
Deployment
Maintenance

Page 5: Securing Open Source Projects with OWASP Guide 2.0

Current State

Easily more useful than 1.1.1 and Top 10
Of the 28 chapters:
  4 are done: content finished, peer reviewed and edited
  Most have more content than 1.1.1 and are useful
  7 are empty or incomplete
We need more volunteers:
  Content authors
  Technical Editors
  Peer Reviewers
  Helps if you can spel gud and no wat grama is

Page 6: Securing Open Source Projects with OWASP Guide 2.0

Helping a FOSS project the right way

XMB as case study
  1.8 had over 12 public vulnerabilities in the time I was running it as my primary board
  1.9 was late, but I wanted to fix it so it was secure
Be or become part of the project
Work with the lifecycle
Start by harm minimization – fix the old project first
Fix and test
Refactor old crap out of existence

Page 7: Securing Open Source Projects with OWASP Guide 2.0

Case Study: XMB Result

1.8 has been retired
  Too hard to fix due to PHP brain damage
  Insufficient dev resources to fix
1.9.1 is a high quality release
  1.9.1 has been out for 8 months so far without a public vulnerability
  Far faster and more scalable than 1.8
From my own extensive testing, 1.9.1 has a few weaknesses, but it should be safe from attack (for now!)

Page 8: Securing Open Source Projects with OWASP Guide 2.0

Case study: phpBB

Tried to help the phpBB project just after 2.0.13 came out
Good motives
  Shared my own infrastructure with it
  Needed to test out OWASP 2.0 with PHP code and FOSS methodologies
  Hundreds of thousands of boards, millions use phpBB
Bad motives
  None
What happened next does not make me proud, but phpBB and their fan boys are more than 50% to blame

Page 9: Securing Open Source Projects with OWASP Guide 2.0

What happened

I’d like to show you my original post
  But they deleted it
  Because if I reposted links to Bugtraq posts, that would be used by “hackers”
I was going to do a demo on phpBB 2.0.13 for you here as I found a few things
  No time to get these issues fixed prior to this presentation
  Very low inclination to help them as they will NOT take patches from the public

Page 10: Securing Open Source Projects with OWASP Guide 2.0

More background

My second post was to area51
  Beware: Here be anoraks and trolls!
This became an absolute ****-fight
I was accused of wanting to fork phpBB (which the GPL allows), steal developers (why steal devs who missed delivery for so long AND are poor at security?), and all sorts of other bad motives
I responded in kind. Not one of my proudest moments

Page 11: Securing Open Source Projects with OWASP Guide 2.0

I smell a rat! – An actual post

LOL!!! There are different ways to become part of any team whatsoever. I'm beginning to smell a rat in this so-called 'code review'. Is it in actual fact a ploy to sneak in a phpBB fork through the back door?

Is it really a pretext of doing a code review and when it's rejected by the legitimate dev team, all of a sudden turns up as phpBB "reviewed" or "improved" something like that?

Just wondering :-)

Page 12: Securing Open Source Projects with OWASP Guide 2.0


Page 13: Securing Open Source Projects with OWASP Guide 2.0

How not to help

Don’t respond to the well meaning anoraks and fan boys
  They are vocal and may even seem knowledgeable, but they don’t represent the developers
Don’t respond to the trolls
  They are vocal but they cannot help
Don’t tell the trolls that they are trolls or even imply that they have roughly the IQ of a warm room. In Celsius.
  They get really annoyed, and their whining overwhelms your message
Don’t educate the great unwashed
  They really don’t care and will try to shoot you down

Page 14: Securing Open Source Projects with OWASP Guide 2.0

How not to help

Don’t get angry
  If you don’t tolerate fools gladly, don’t respond to them
Don’t get offended when the most offensive posts pop up
Hubris
When the developers finally responded, the mood was so negative that my chances of “helping” were negligible

Page 15: Securing Open Source Projects with OWASP Guide 2.0


What happens back in the real world?

Page 16: Securing Open Source Projects with OWASP Guide 2.0

Well… what to do?

ajv: Stick to writing the standard and helping those who want to be helped
phpBB: Grow up!
  You have millions of users who rely on your software
  You violate their trust and are directly responsible for all their lost data. Particularly when you refuse help, and then pat yourselves on the back for getting rid of the help
  ISPs and hosters will only take so many defacements before banning insecure crap. Don’t become that crap

Page 17: Securing Open Source Projects with OWASP Guide 2.0


The OWASP Foundation, http://www.owasp.org

Demo

Using OWASP Guide 2.0 with phpBB 2.0.13

Page 18: Securing Open Source Projects with OWASP Guide 2.0

Ingredients

phpBB 2.0.13
xAMP (Apache, MySQL, PHP)
Latest OWASP Guide 2.0
Firefox and the web developer extension
Something like grep

Page 19: Securing Open Source Projects with OWASP Guide 2.0

Threat Risk Model

Primary assets:
  Reputation
  User posts and attachments
Who are the motivated attackers?
  Script kiddies
  Defacers
  Motivated attackers – rare
This attack session is more like a pen test than a structured security review
  We will not find everything: ~5-25%
  No time to do a proper weighting

Page 20: Securing Open Source Projects with OWASP Guide 2.0

Authentication

Guide 2.0 has approximately 20 authentication controls
  Only a fraction are relevant to BBS / Forum software
Work through them systematically
Items to look for include:
  Data validation
  Crypto and password storage
  SQL and LDAP injections
  Cookie and client-side session handlers
  Infrastructure accounts used

Page 21: Securing Open Source Projects with OWASP Guide 2.0

Authorization

Main aim of a pen-test:
  Perform authenticated actions without authorization
  Perform admin actions without authorization
Main aim of a security review:
  Inspect coverage
  Inspect centralized authorization checking code
  Check error handling and pathways
Things to check for:
  Implicit trust in client side tokens (cookies, headers, form fields, etc)
  Coverage

Page 22: Securing Open Source Projects with OWASP Guide 2.0

Session Management

Cryptographically secure session IDs
Session fixation controls
Check to see if IP address change allows replay
Check to see if tampering with HTTP headers is noticed
HttpOnly; blocking of TRACE and TRACK
IFRAME exploits (_top)
Session Riding attack vectors:
  Random page tokens
  URL arguments
  Lack of confirmations or undo
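As an added illustration of the authorization and session controls on the two slides above (example code written for this page, not phpBB's and not from the Guide), the Python class below keeps the user's role server-side so a cookie or form field claiming admin is never trusted, issues a fresh ID on login against session fixation, refuses a replayed ID presented from a different address or user agent, and checks a per-session page token in constant time against session riding. The in-memory store, the 30 minute idle timeout and the IP plus user-agent fingerprint it binds to are assumptions for the example.

```python
import hmac
import secrets
import time

# Assumed for this example: an in-memory store and a 30 minute idle timeout.
SESSION_TTL = 30 * 60


class SessionStore:
    """Server-side sessions: the client only ever holds an opaque ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, client_ip, user_agent, now=None):
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: not derived from time, IP or a counter.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": None,                       # anonymous until login
            "role": "guest",                    # authorization state lives here, never in a cookie
            "ip": client_ip,
            "ua": user_agent,
            "last_seen": now,
            "csrf": secrets.token_urlsafe(32),  # page token for state-changing requests
        }
        return sid

    def lookup(self, sid, client_ip, user_agent, now=None):
        """Return the session, or None if the ID is unknown, idle too long,
        or presented from a different client than the one that created it."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        if sess["ip"] != client_ip or sess["ua"] != user_agent:
            return None                         # replay from another client is refused
        sess["last_seen"] = now
        return sess

    def login(self, old_sid, user, role, client_ip, user_agent, now=None):
        """Fixation defence: discard the pre-login ID and issue a fresh one."""
        self._sessions.pop(old_sid, None)
        new_sid = self.create(client_ip, user_agent, now)
        self._sessions[new_sid]["user"] = user
        self._sessions[new_sid]["role"] = role
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def is_admin(self, sid, client_ip, user_agent, now=None):
        """Admin checks consult server state only; whatever the client claims
        about its role in a cookie, header or form field is ignored."""
        sess = self.lookup(sid, client_ip, user_agent, now)
        return sess is not None and sess["role"] == "admin"

    def check_csrf(self, sid, client_ip, user_agent, submitted, now=None):
        """Session riding defence: a state-changing POST must carry the token
        that was embedded in the page, compared in constant time."""
        sess = self.lookup(sid, client_ip, user_agent, now)
        if sess is None or not submitted:
            return False
        return hmac.compare_digest(sess["csrf"], submitted)
```

Binding a session to the client address is the check the slide asks for; in practice users behind rotating proxies will be logged out by it, so a deployment has to decide whether to bind on IP, on user agent only, or on both, and log the mismatches either way.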

Page 23: Securing Open Source Projects with OWASP Guide 2.0

Error/Log/Audit Handling

Error handling in phpBB is not good
  Due to PHP 3.x compatibility
Log handling in phpBB is non-existent
  No idea what happens in admin areas
  No idea what happens during attacks
There is no audit trail within phpBB
  No event management triggers (login, change password, logout, etc)
  No triggers in the database
  Could be argued that forum software doesn’t need audit trails
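An added example (not phpBB code and not from the Guide) of the event triggers the slide says are missing: a small append-only audit log with the two queries that answer the questions above, what happened in the admin area and what happened during an attack. The event names, the failed-login threshold and the sample records are constructed for this example.

```python
import json
from collections import Counter

# Event names are assumptions for this example; phpBB 2.0.x has no such hooks.
ADMIN_EVENTS = {"admin.login", "admin.config_change", "admin.user_delete"}


class AuditLog:
    """Append-only record of security-relevant events. Each record is also
    returned as one JSON line so it can go straight to a file or syslog."""

    def __init__(self):
        self._records = []

    def record(self, ts, actor, ip, event, target=None, outcome="ok"):
        rec = {"ts": ts, "actor": actor, "ip": ip, "event": event,
               "target": target, "outcome": outcome}
        self._records.append(rec)
        return json.dumps(rec, sort_keys=True)

    def admin_activity(self):
        """Who did what in the admin area, in order: (ts, actor, event, target)."""
        return [(r["ts"], r["actor"], r["event"], r["target"])
                for r in self._records if r["event"] in ADMIN_EVENTS]

    def failed_logins_by_ip(self, threshold):
        """Addresses with at least `threshold` failed logins: the first
        thing to look at after an attack."""
        counts = Counter(r["ip"] for r in self._records
                         if r["event"] == "login" and r["outcome"] == "fail")
        return {ip: n for ip, n in counts.items() if n >= threshold}


def sample_log():
    """Constructed sequence: repeated failed logins from one address,
    then a normal admin session from another."""
    log = AuditLog()
    for i in range(5):
        log.record(1000 + i, "admin", "203.0.113.9", "login", outcome="fail")
    log.record(1010, "alice", "198.51.100.4", "login")
    log.record(1011, "alice", "198.51.100.4", "admin.login")
    log.record(1020, "alice", "198.51.100.4", "admin.config_change", target="board_email")
    log.record(1030, "alice", "198.51.100.4", "password_change")
    log.record(1040, "alice", "198.51.100.4", "logout")
    return log
```

The point of returning each record as a JSON line is that the trail can be written somewhere the web application cannot edit (syslog, a separate host); an audit table the application's own database user can UPDATE is only a log.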

Page 24: Securing Open Source Projects with OWASP Guide 2.0

Data validation

The MOST important control
  GPCE and HTTP headers
PHP is notorious for GPC -> $var. PHP 4 almost fixed this. Many apps put the bad behavior back. NO! NO! NO! NO!
  phpBB is one of them
What to look for?
  Look for coverage
  Look for validation libraries
  Check error pathways
  Check business rule validation
  Look for system(), fopen(), shell_exec(), exec(), passthru()
  Look for safe-mode choices within the code (see config as well)

Page 25: Securing Open Source Projects with OWASP Guide 2.0

Interpreter injection

phpBB has four interpreters:
  HTML through templates (which use eval())
  PHP through eval()
  SQL through the database layer
  OS through fopen() and friends for optional template caching
Luckily, no LDAP or XML in phpBB 2.0.x
No such luck in 3.0!
  XML used for Jabber and admin
  LDAP used for authentication
Each of these has their own special challenges
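The "look for" list on the Data validation slide and the four interpreters on this slide are what a grep-driven review hunts for. As an added example written for this page (not phpBB code and not part of the Guide), the Python scanner below runs over a constructed fragment of PHP in the style the slides criticise: it reports every call that hands data to the OS, to eval(), to the file system or to SQL, tracks through simple assignments whether the argument came from request data, treats a scalar cast as validation, and treats every variable as client-controlled once it sees extract($_REQUEST) re-create the old GPC -> $var behaviour. The sample source, the sink list and the one-pass taint heuristic are assumptions for the example.

```python
import re

# Constructed PHP fragment in the style the slides criticise. Not phpBB code.
SAMPLE_PHP = r'''
<?php
extract($_REQUEST);                       // old GPC -> $var behaviour, re-created
$tpl = $_GET['template'];
$fh = fopen("templates/" . $tpl . ".tpl", "r");
$out = shell_exec("ls " . $_POST['dir']);
eval('echo "' . $message . '";');
$id = (int) $_GET['id'];
$res = mysql_query("SELECT * FROM posts WHERE id = " . $id);
$res2 = mysql_query("SELECT * FROM users WHERE name = '" . $_COOKIE['u'] . "'");
'''

# Sinks grouped by the interpreter they feed: the slide's four, plus the
# "look for" list. PHP spells the shell call shell_exec().
SINKS = {
    "os":   ["system", "exec", "shell_exec", "passthru", "popen", "proc_open"],
    "php":  ["eval"],
    "file": ["fopen", "file_get_contents", "include", "include_once", "require", "require_once"],
    "sql":  ["mysql_query"],
}
SUPERGLOBALS = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\b|\$HTTP_(GET|POST|COOKIE|SERVER)_VARS\b")
REGISTER_GLOBALS = re.compile(r"\bextract\s*\(\s*\$_(GET|POST|COOKIE|REQUEST)\b|\bimport_request_variables\s*\(")
ASSIGN = re.compile(r"^\s*(\$[A-Za-z]\w*)\s*=\s*(.*);")
CAST = re.compile(r"^\((int|float|bool)\)")
VAR = re.compile(r"\$[A-Za-z]\w*")


def expr_is_tainted(expr, tainted, clean, globals_leak):
    """Does this expression reach back to request data?"""
    if SUPERGLOBALS.search(expr):
        return True
    for var in VAR.findall(expr):
        if var in tainted or (globals_leak and var not in clean):
            return True
    return False


def scan_php(source):
    """One-pass scan: (line, interpreter, sink, tainted) for every sink call,
    plus a "gpc" finding where request data is poured into local variables.
    Line comments are stripped with a naive split, so a '//' inside a string
    (a URL, say) truncates that line's analysis."""
    findings, tainted, clean, globals_leak = [], set(), set(), False
    for lineno, raw in enumerate(source.splitlines(), 1):
        code = raw.split("//", 1)[0]
        if REGISTER_GLOBALS.search(code):
            globals_leak = True               # from here on any variable may be client-supplied
            findings.append((lineno, "gpc", "extract/import_request_variables", True))
        m = ASSIGN.match(code)
        if m:                                 # cheap flow tracking through simple assignments
            var, rhs = m.group(1), m.group(2).strip()
            if CAST.match(rhs):               # a scalar cast is the validation the slide asks for
                tainted.discard(var); clean.add(var)
            elif expr_is_tainted(rhs, tainted, clean, globals_leak):
                tainted.add(var); clean.discard(var)
            else:
                tainted.discard(var); clean.add(var)
        for interpreter, names in SINKS.items():
            for name in names:
                hit = re.search(r"\b" + re.escape(name) + r"\b", code)
                if hit:
                    args = code[hit.end():]
                    findings.append((lineno, interpreter, name,
                                     expr_is_tainted(args, tainted, clean, globals_leak)))
    return findings


if __name__ == "__main__":
    for lineno, interpreter, name, is_tainted in scan_php(SAMPLE_PHP):
        flag = "TAINTED" if is_tainted else "ok"
        print("line %2d  %-4s %-32s %s" % (lineno, interpreter, name, flag))
```

The heuristic is deliberately one line at a time, which is about what a reviewer with grep does by hand; its value is in making the two reasons for a "tainted" verdict explicit, a request value flowing into the call, or an extract()/register_globals style leak that makes every unvalidated variable suspect. The second mysql_query() call stays "ok" only because the value was cast to int two lines earlier; that is the "check business rule validation" step, and it is what the reviewer then confirms by reading the code.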

Page 26: Securing Open Source Projects with OWASP Guide 2.0

Canonicalization

The process of making Unicode and HTTP encodings “real” to the underlying application
Major issues include:
  Double and n-deep encodings
  UTF-8 and UTF-16 overlong representations
  “Best effort” canonicalization
  Buffer overruns
  Homographs
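An added example for the canonicalization issues listed above (written for this page, not from the Guide): the Python function below decodes client bytes once and strictly, so overlong UTF-8 is rejected rather than "best effort" mapped to the character it imitates; peels percent-encoding until it stops changing and refuses input that needed more than one round (double or n-deep encoding, including an overlong sequence hidden behind %XX); and applies NFKC so fullwidth and other compatibility lookalikes compare equal to the ASCII they imitate. The decode-round ceiling and the choice of NFKC are assumptions for the example.

```python
import unicodedata
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # assumed ceiling; legitimate clients encode once


class CanonicalizationError(ValueError):
    pass


def canonicalize(raw):
    """Turn the bytes a client sent into one canonical str, or raise.
    Rejects overlong UTF-8, refuses double encoding, folds compatibility lookalikes."""
    try:
        # Strict decoding rejects overlong forms such as C0 AF (an overlong "/")
        # instead of guessing the character they were meant to be.
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        raise CanonicalizationError("invalid or overlong UTF-8: " + e.reason) from e

    # Peel percent-encoding until it stops changing. One round is normal;
    # a second means the client sent %25XX to survive a single decode.
    rounds = 0
    while True:
        try:
            decoded = unquote(text, errors="strict")
        except UnicodeDecodeError as e:
            raise CanonicalizationError("overlong UTF-8 hidden in percent-encoding") from e
        if decoded == text:
            break
        rounds += 1
        if rounds > MAX_DECODE_ROUNDS:
            raise CanonicalizationError("too many encoding layers")
        text = decoded
    if rounds > 1:
        raise CanonicalizationError("%d-deep URL encoding" % rounds)

    # NFKC maps compatibility characters (fullwidth forms, ligatures) onto the
    # ASCII they imitate, so a fullwidth "admin" and "admin" compare equal afterwards.
    return unicodedata.normalize("NFKC", text)


if __name__ == "__main__":
    for sample in (b"/admin", b"%2e%2e/", b"%252e%252e/", b"\xc0\xaf", b"%c0%af",
                   "\uff41\uff44\uff4d\uff49\uff4e".encode("utf-8")):
        try:
            print(repr(sample), "->", repr(canonicalize(sample)))
        except CanonicalizationError as err:
            print(repr(sample), "-> rejected:", err)
```

Canonicalize first, then validate and authorize on the result, and do it exactly once at the boundary; a check done on the raw form is the "best effort" case the slide warns about. NFKC does not fold confusables across scripts (a Cyrillic а against a Latin a), so the homograph case for user names needs a confusables table on top of this.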

Page 27: Securing Open Source Projects with OWASP Guide 2.0

File System

Objective is to ensure that file system access is as secure as possible
Things to look for include:
  Sandbox / chroot jail
  Out-of-bound inclusions
  Defacement via new file creation
  File system permissions (ACLs)
  Minimalist permissions
  Auditing
  Abuse of file system access to run commands (either as a first or second order attack)

Page 28: Securing Open Source Projects with OWASP Guide 2.0

Buffer overflows

The current Guide has been brought up to date
Includes:
  Heap, Stack, Integer, and Unicode overflows
A huge issue for people writing in dangerous languages
  Use compiler features! Correct then fast
Not a huge issue for ASP.NET, PHP or J2EE programmers
  Except if you call the OS

Page 29: Securing Open Source Projects with OWASP Guide 2.0

Administrative Interfaces

Users are not admins
Admins are not users
  REQUIRED BY LAW IN THE US
  REQUIRED by ISO 17799
To be effective, ensure that the admin application uses completely different RDBMS users
Prefer separate servers and access control lists
Section revived from an earlier Top 10 document
  Completely overhauled
  Needs finishing

Page 30: Securing Open Source Projects with OWASP Guide 2.0

Cryptography

Cryptography is hard
This new text presents best practices and items to look out for
Primary controls:
  Use published standards
  Use them well
  Do not store secrets unless you have to
Inter-related with Privacy chapter
Partially complete, needs finishing

Page 31: Securing Open Source Projects with OWASP Guide 2.0

Privacy

Objective is to ensure that the tracks left by an application are minimalist and safe (enough)
Major controls:
  Laws in effect
  Look for browser droppings (cookies, history, logs, etc)
  The (in)effectiveness of cache control
  GET vs POST
  What SSL really hides
New chapter inspired by a couple of paragraphs in the old Guide 1.1.1
Partially complete, needs finishing

Page 32: Securing Open Source Projects with OWASP Guide 2.0

Configuration

Objective: to ensure that an application is safe out of the box
Major controls:
  Minimal attack surface area - what’s on by default
  Least privilege file permissions
  Packaging
  Documentation
  Code signing
New chapter, partially complete

Page 33: Securing Open Source Projects with OWASP Guide 2.0

PHP Configuration

Look for safe-mode:
  safe_mode
  safe_mode_gid
  safe_mode_include_dir
  safe_mode_exec_dir
  safe_mode_allowed_env_vars
  safe_mode_protected_env_vars
  open_basedir
  disable_functions
  disable_classes
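To show how the checklist above is applied to an actual configuration file, here is an added example (not from the Guide and not phpBB's): two constructed php.ini fragments, one weak and one hardened, and a Python checker that parses them and reports which of the listed safe-mode directives are missing or set unsafely, together with the GPC and magic-quotes settings the Deployment slide names. The directory paths, the set of functions disabled, and the directives beyond the slide's own list (register_globals, magic_quotes_gpc, display_errors, log_errors) are assumptions for the example.

```python
# Constructed php.ini fragments for this example; neither is a real board's config.
WEAK_INI = """
safe_mode = Off
register_globals = On
magic_quotes_gpc = On
display_errors = On
; open_basedir and disable_functions left unset
"""

HARDENED_INI = """
safe_mode = On
safe_mode_gid = Off
safe_mode_include_dir = /var/www/board/includes
safe_mode_exec_dir = /var/www/board/bin
open_basedir = /var/www/board:/tmp
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
disable_classes =
register_globals = Off
magic_quotes_gpc = Off
display_errors = Off
log_errors = On
"""

# The OS-interpreter calls a forum has no business making (assumed list).
DANGEROUS_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, no sections."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def _on(value):
    return value.strip().lower() in ("on", "1", "true", "yes")


def audit_php_ini(text):
    """Return a list of human-readable findings; an empty list means every check passed."""
    s = parse_ini(text)
    issues = []
    if not _on(s.get("safe_mode", "Off")):
        issues.append("safe_mode is off")
    if not s.get("open_basedir"):
        issues.append("open_basedir is unset: scripts may open any file the web server can read")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DANGEROUS_FUNCTIONS - disabled)
    if missing:
        issues.append("disable_functions does not cover: " + ", ".join(missing))
    if _on(s.get("register_globals", "Off")):
        issues.append("register_globals is on (the old GPC -> $var behaviour)")
    if _on(s.get("magic_quotes_gpc", "Off")):
        issues.append("magic_quotes_gpc is on: the application must not rely on it for escaping")
    if _on(s.get("display_errors", "Off")):
        issues.append("display_errors is on: errors leak paths and SQL to clients")
    return issues


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label + ":", audit_php_ini(ini) or "no findings")
```

A check like this belongs next to the code review, not instead of it: safe_mode and open_basedir only constrain what the interpreter will do, and the slide's point is that the code should work under those restrictions rather than assume their absence.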

Page 34: Securing Open Source Projects with OWASP Guide 2.0

Software Quality Assurance

Bwahahahahahaha!
Testing Excuses
  We don’t have enough devs to do that
  That’s what betas are for
  More eyes = fewer bugs
Suggest use of SimpleUnit and HTTPUnit
Include security tests

Page 35: Securing Open Source Projects with OWASP Guide 2.0

Deployment

Safe to install out of the box
Applications should not require world-writable files
Minimum attack surface area
Your app should be safe to deploy even if it’s half way installed
PHP apps should:
  work with or require safe-mode restrictions
  Magic quotes is evil – be one way or the other
  Old GPC behavior – do not re-introduce it
phpBB: install/ and contrib/ must go
  Small window of opportunity to take over the box during installation
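As an added example of the deployment checks on this slide (example code for this page, not phpBB's): a Python audit that walks an installed web root and reports files or directories writable by everyone, plus installer directories that were left behind, exercised here against a throwaway tree constructed with exactly those two faults. The directory names install/ and contrib/ come from the slide; the sample tree, file names and contents are assumptions.

```python
import os
import stat
import tempfile

# Directory names the slide says must not ship with an installed phpBB 2.0.x.
LEFTOVER_DIRS = ("install", "contrib")


def audit_install_tree(root):
    """Walk a deployed web root and return sorted (problem, relative path) pairs:
    installer directories still present, and anything writable by 'other'."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in dirnames:
            if name in LEFTOVER_DIRS:
                problems.append(("installer left behind",
                                 os.path.normpath(os.path.join(rel_dir, name))))
        for name in dirnames + filenames:
            mode = os.lstat(os.path.join(dirpath, name)).st_mode
            if mode & stat.S_IWOTH:           # the world-writable files the slide rules out
                problems.append(("world writable",
                                 os.path.normpath(os.path.join(rel_dir, name))))
    return sorted(problems)


def build_sample_tree():
    """Constructed throwaway tree with the two faults, so the audit can run
    offline; permissions are set explicitly so the umask does not matter."""
    root = tempfile.mkdtemp(prefix="board-")
    for sub in ("install", "templates", os.path.join("templates", "cache")):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)
    cfg = os.path.join(root, "config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php $dbpasswd = 'example';\n")   # constructed content
    os.chmod(cfg, 0o666)                              # the fault: anyone on the box can edit it
    return root


if __name__ == "__main__":
    for problem, path in audit_install_tree(build_sample_tree()):
        print(problem + ": " + path)
```

On a shared host the "anyone on the box" in that comment is every other customer's PHP process, which is why the slide pairs world-writable files with the half-installed window: both hand a foothold to whoever is already local.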

Page 36: Securing Open Source Projects with OWASP Guide 2.0

Maintenance

Be up front with users about your support plans
Even if there’s no reason to deploy, release 2-4 times a year
Refactor bad code
Pull up bug fixes from the next version (and vice versa)
Only do security and performance fixes in x.y.z releases
Consider using a “Windows Update” type of facility or at least a “Check current version”

Page 37: Securing Open Source Projects with OWASP Guide 2.0

Where to go from here?

OWASP
  Likely to finish around June if we’re lucky
  You can get drafts and contribute now!
phpBB:
  LART application
  Need to train developers in secure coding techniques
  Need to assist code review with the developers and implement fixes

Page 38: Securing Open Source Projects with OWASP Guide 2.0

Resources

OWASP
  http://www.owasp.org/
This presentation can be found at:
  http://www.greebo.net/owasp/secureossguide20.ppt
phpBB
  http://www.phpBB.com/
Firefox’s Web Developer
  http://www.chrispederick.com/work/firefox/webdeveloper/
Chris Shiflett’s PHP security web sites:
  http://shiflett.org/
  http://phpsec.org/

Page 39: Securing Open Source Projects with OWASP Guide 2.0

What you can do!

Don’t be phpBB (or ajv)
Download OWASP Guide 2.0 and read it
Use threat modeling to find the most important issues
Fix the problems in your applications now!
Security is not a one time shot:
  Starts when you have the bright idea
  Thinking Evil™ helps, but is not the entire solution
  Ends when the last copy of your app is decommissioned