Copyright © 2004 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
Securing Open Source Projects with OWASP Guide 2.0
By Andrew van der Stock, April
[email protected]
What is OWASP?
 - Open Web Application Security Project
 - Non-profit, volunteer driven organization
   - All members are volunteers
   - All work is donated by sponsors
 - Provide free resources to the community
   - Publications, Articles, Standards
   - Testing and Training Software
   - Local Chapters & Mailing Lists
 - Supported through sponsorships
   - Corporate support through financial or project sponsorship
   - Personal sponsorships from members
OWASP Guide 2.0
 - Three years in the making
 - Major new version
   - Complete from the ground up re-write
   - Adopts OWASP Top 10 approach
   - Now has information on web services!
 - Currently:
   - Three times the length of the old standard
   - More than three times the amount of controls
   - Deals with nearly all web application security issues
Massive overhaul
 - Developer standards
 - Threat Risk Modelling
 - Phishing
 - Credit Card Handling
 - Web Services
 - 18 new authentication controls
 - 11 new authorization controls
 - 12 new session management controls (including CSRF)
 - Error/Log/Audit
 - Data Validation
 - Interpreter Injection (includes LDAP and XML)
 - File System
 - Admin interfaces
 - Unicode/Locale/I18N
 - Buffer overflows
 - Cryptography
 - Privacy
 - Configuration
 - SQA
 - Deployment
 - Maintenance
Current State
 - Easily more useful than 1.1.1 and Top 10
 - Of the 28 chapters:
   - 4 are done: content finished, peer reviewed and edited
   - Most have more content than 1.1.1 and are useful
   - 7 are empty or incomplete
 - We need more volunteers:
   - Content authors
   - Technical Editors
   - Peer Reviewers
   - Helps if you can spel gud and no wat grama is
Helping a FOSS project the right way
 - XMB as case study
   - 1.8 had over 12 public vulnerabilities in the time I was running it as my primary board
   - 1.9 was late, but I wanted to fix it so it was secure
 - Be or become part of the project
 - Work with the lifecycle
 - Start by harm minimization – fix the old project first
 - Fix and test
 - Refactor old crap out of existence
Case Study: XMB Result
 - 1.8 has been retired
   - Too hard to fix due to PHP brain damage
   - Insufficient dev resources to fix
 - 1.9.1 is a high quality release
   - 1.9.1 has been out for 8 months so far without a public vulnerability
   - Far faster and more scalable than 1.8
 - From my own extensive testing, 1.9.1 has a few weaknesses, but it should be safe from attack (for now!)
Case study: phpBB
 - Tried to help the phpBB project just after 2.0.13 came out
 - Good motives
   - Shared my own infrastructure with it
   - Needed to test out OWASP 2.0 with PHP code and FOSS methodologies
   - Hundreds of thousands of boards, millions use phpBB
 - Bad motives
   - None
 - What happened next does not make me proud, but phpBB and their fan boys are more than 50% to blame
What happened
 - I’d like to show you my original post
   - But they deleted it
   - Because if I reposted links to Bugtraq posts, that would be used by “hackers”
 - I was going to do a demo on phpBB 2.0.13 for you here as I found a few things
   - No time to get these issues fixed prior to this presentation
   - Very low inclination to help them as they will NOT take patches from the public
More background
 - My second post was to area51
   - Beware: Here be anoraks and trolls!
 - This became an absolute ****-fight
   - I was accused of wanting to fork phpBB (which the GPL allows), steal developers (why steal devs who missed delivery for so long AND are poor at security?), and all sorts of other bad motives
 - I responded in like. Not one of my proudest moments
I smell a rat! – An actual post
LOL!!! There are different ways to become part of any team whatsoever. I'm beginning to smell a rat in this so-called 'code review'. Is it in actual fact a ploy to sneak in a phBB fork through the back door?
Is it really a pretext of doing a code review and when it's rejected by the legitimate dev team, all of sudden turns up as phpBB "reviewed" or "improved" something like that?
Just wondering:-)
How not to help
 - Don’t respond to the well meaning anoraks and fan boys
   - They are vocal and may even seem knowledgeable, but they don’t represent the developers
 - Don’t respond to the trolls
   - They are vocal but they cannot help
 - Don’t tell the trolls that they are trolls or even imply that they have roughly the IQ of a warm room. In Celsius.
   - They get really annoyed, and their whining overwhelms your message
 - Don’t educate the great unwashed
   - They really don’t care and will try to shoot you down
How not to help
 - Don’t get angry
   - If you don’t tolerate fools gladly, don’t respond to them
 - Don’t get offended when the most offensive posts pop up
 - Hubris
 - When the developers finally responded, the mood was so negative that my chances of “helping” were negligible
What happens back in the real world?
Well… what to do?
 - ajv: Stick to writing the standard and helping those who want to be helped
 - phpBB: Grow up!
   - You have millions of users who rely on your software
   - You violate their trust and are directly responsible for all their lost data. Particularly when you refuse help, and then pat yourselves on the back for getting rid of the help
   - ISPs and hosters will only take so many defacements before banning insecure crap. Don’t become that crap
Demo
Using OWASP Guide 2.0 with phpBB 2.0.13
Ingredients
 - phpBB 2.0.13
 - xAMP (Apache, MySQL, PHP)
 - Latest OWASP Guide 2.0
 - Firefox and the web developer extension
 - Something like grep
Threat Risk Model
 - Primary assets:
   - Reputation
   - User posts and attachments
 - Who are the motivated attackers?
   - Script kiddies
   - Defacers
   - Motivated attackers – rare
 - This attack session is more like a pen test than a structured security review
   - We will not find everything: ~ 5-25%
   - No time to do a proper weighting
Authentication
 - Guide 2.0 has approximately 20 authentication controls
   - Only a fraction are relevant to BBS / Forum
 - Work through them systematically
 - Items to look for include:
   - Data validation
   - Crypto and Password storage
   - SQL and LDAP injections
   - Cookie and client-side session handlers
   - Infrastructure accounts used
Authorization
 - Main aim of a pen-test:
   - Perform authenticated actions without authorization
   - Perform admin actions without authorization
 - Main aim of a security review:
   - Inspect coverage
   - Inspect centralized authorization checking code
   - Check error handling and pathways
 - Things to check for
   - Implicit trust in client side tokens (Cookies, headers, form fields, etc)
   - Coverage
Session Management
 - Cryptographically secure session IDs
 - Session fixation controls
 - Check to see if IP address change allows replay
 - Check to see if tampering with HTTP headers is noticed
 - HttpOnly; blocking of TRACE and TRACK
 - IFRAME exploits (_top)
 - Session Riding attack vectors:
   - Random page tokens
   - URL arguments
   - Lack of confirmations or undo
Error/Log/Audit Handling
 - Error handling in phpBB is not good
   - Due to PHP 3.x compatibility
 - Log handling in phpBB is non-existent
   - No idea what happens in admin areas
   - No idea what happens during attacks
 - There is no audit trail within phpBB
   - No event management triggers (login, change password, logout, etc)
   - No triggers in the database
   - Could be argued that forum software doesn’t need audit trails
Data validation
 - The MOST important control
 - GPCE and HTTP headers
 - PHP is notorious for GPC -> $var (register_globals). PHP 4 almost fixed this. Many apps put the bad behavior back. NO! NO! NO! NO!
   - phpBB is one of them
 - What to look for?
   - Look for coverage
   - Look for validation libraries
   - Check error pathways
   - Check business rule validation
   - Look for system() fopen() shell_exec() exec() passthru()
   - Look for safe-mode choices within the code (see config as well)
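The "something like grep" pass the slide describes, as an added example (not from the talk or from phpBB): it greps a PHP tree for the calls that hand strings to the OS or the PHP interpreter, and separately for code that copies request arrays back into globals, which is the old GPC -> $var behaviour being re-introduced. It assumes a POSIX shell with grep and mktemp; the sample file is constructed here and is not phpBB code.

```shell
#!/bin/sh
# Added example: grep-style audit for risky PHP calls and register_globals emulation.
# Assumes POSIX sh, grep -E with -r/--include, and mktemp. Sample input is constructed.

# Functions whose string argument reaches the OS, the filesystem or eval().
DANGEROUS='system|exec|passthru|shell_exec|popen|proc_open|eval|fopen|include|require|include_once|require_once'

# Print "file:line:text" for each risky call under directory $1. Never fails.
scan_dangerous_calls() {
    grep -rnE --include='*.php' "(^|[^A-Za-z0-9_])($DANGEROUS)[[:space:]]*\(" "$1" || true
}

# Number of risky call sites under $1 (0 when clean).
count_dangerous_calls() {
    scan_dangerous_calls "$1" | grep -c . || true
}

# Number of places that re-create register_globals: extract() on a request array,
# or the "$$name = $value" loop over HTTP_*_VARS that old PHP apps carried around.
count_gpc_reintroduction() {
    grep -rnE --include='*.php' \
        '(extract[[:space:]]*\([[:space:]]*\$(_(GET|POST|COOKIE|REQUEST)|HTTP_(GET|POST|COOKIE)_VARS))|\$\$[A-Za-z_]+[[:space:]]*=' \
        "$1" | grep -c . || true
}

# Constructed sample tree: one file with both patterns plus a benign call.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/common.php" <<'EOF'
<?php
// constructed sample, not phpBB code
foreach ($HTTP_GET_VARS as $k => $v) { $$k = $v; }
$tpl = fopen($template_path . $file, 'r');
$out = system('ls ' . $dir);
$safe = htmlspecialchars($userinput);
eval($compiled_template);
EOF
    echo "$dir"
}
```

Every hit still needs a human to decide whether the argument is attacker-influenced; the grep only narrows where to read.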
Interpreter injection
 - phpBB has four interpreters:
   - HTML through templates (which use eval())
   - PHP through eval()
   - SQL through the database layer
   - OS through fopen() and friends for optional template caching
 - Luckily, no LDAP or XML in phpBB 2.0.x
 - No such luck in 3.0!
   - XML used for Jabber and admin
   - LDAP used for authentication
 - Each of these has their own special challenges
Canonicalization
 - The process of making Unicode and HTTP encodings “real” to the underlying application
 - Major issues include:
   - Double and n-deep encodings
   - UTF-8 and UTF-16 overlong representations
   - “Best effort” canonicalization
   - Buffer overruns
   - Homographs
File System
 - Objective is to ensure that file system access is as secure as possible
 - Things to look for include:
   - Sandbox / chroot jail
   - Out of bound inclusions
   - Defacement via new file creation
   - File system permissions (ACLs)
   - Minimalist permissions
   - Auditing
   - Abuse of file system access to run commands (either as a first or second order attack)
Buffer overflows
 - The current Guide has been brought up to date
 - Includes:
   - Heap, Stack, Integer, and Unicode overflows
 - A huge issue for people writing in dangerous languages
   - Use compiler features! Correct then fast
 - Not a huge issue for ASP.NET, PHP or J2EE programmers
   - Except if you call the OS
Administrative Interfaces
 - Users are not admins
 - Admins are not users
 - REQUIRED BY LAW IN THE US
 - REQUIRED by ISO 17799
 - To be effective, ensure that admin application uses completely different RDBMS users
 - Prefer separate servers and access control lists
 - Section revived from an earlier Top 10 document
   - Completely overhauled
   - Needs finishing
Cryptography
 - Cryptography is hard
 - This new text presents best practices and items to look out for
 - Primary controls:
   - Use published standards
   - Use them well
   - Do not store secrets unless you have to
 - Inter-related with Privacy chapter
 - Partially complete, needs finishing
Privacy
 - Objective is to ensure that the tracks left by an application are minimalist and safe (enough)
 - Major controls:
   - Laws in effect
   - Look for browser droppings (cookies, history, logs, etc)
   - The (in)-effectiveness of cache control
   - GET vs POST
   - What SSL really hides
 - New chapter inspired by a couple of paragraphs in the old Guide 1.1.1
 - Partially complete, needs finishing
Configuration
 - Objective: to ensure that an application is safe out of the box
 - Major controls:
   - Minimal attack surface area - what’s on by default
   - Least privilege file permissions
   - Packaging
   - Documentation
   - Code signing
 - New chapter, partially complete
PHP Configuration
 - Look for safe-mode:
   - safe_mode
   - safe_mode_gid
   - safe_mode_include_dir
   - safe_mode_exec_dir
   - safe_mode_allowed_env_vars
   - safe_mode_protected_env_vars
   - open_basedir
   - disable_functions
   - disable_classes
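An added example (not from the talk) of checking those directives in a php.ini the way this review does it: a weak configuration of the era beside a hardened one, both constructed here, and a small audit function that reports each weak setting. It assumes POSIX sh, sed, tr and mktemp. Caveat for current readers: safe_mode and its safe_mode_* companions were removed in PHP 5.4, so on modern PHP only open_basedir and disable_functions still apply.

```shell
#!/bin/sh
# Added example: audit php.ini for the safe-mode and sandboxing directives on this slide.
# Assumes POSIX sh, sed, tr, mktemp. Both ini files below are constructed samples.

# Print the value of directive $2 in file $1: last uncommented occurrence,
# trailing ";" comment, quotes and spaces stripped; empty if absent.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 \
        | sed 's/[[:space:]]*;.*$//' | tr -d '" '
}

# Print one "WEAK: ..." line per finding, then the number of findings as the last line.
audit_php_ini() {
    f=$1; weak=0
    # In the PHP 4/5.x era the slide targets, safe_mode is expected to be on...
    case "$(ini_get "$f" safe_mode)" in [Oo]n|1) ;; *) echo "WEAK: safe_mode is off"; weak=$((weak+1));; esac
    # ...and safe_mode_gid off: on relaxes the file owner check from UID to GID.
    case "$(ini_get "$f" safe_mode_gid)" in [Oo]n|1) echo "WEAK: safe_mode_gid relaxes safe_mode"; weak=$((weak+1));; esac
    # open_basedir limits which paths fopen()/include can reach; empty means no limit.
    [ -n "$(ini_get "$f" open_basedir)" ] || { echo "WEAK: open_basedir is empty"; weak=$((weak+1)); }
    # disable_functions should cover every function that hands a string to the OS.
    list=",$(ini_get "$f" disable_functions),"
    for fn in system exec passthru shell_exec popen proc_open; do
        case "$list" in *",$fn,"*) ;; *) echo "WEAK: $fn not in disable_functions"; weak=$((weak+1));; esac
    done
    echo "$weak"
}

# Just the count, for scripting.
audit_count() { audit_php_ini "$1" | tail -n 1; }

# Constructed weak configuration: roughly what a default install of the era looked like.
make_weak_ini() {
    f=$(mktemp)
    printf '%s\n' '; constructed sample' 'safe_mode = Off' 'safe_mode_gid = On' \
        'open_basedir =' 'disable_functions = exec,system' > "$f"
    echo "$f"
}

# Constructed hardened configuration for the same directives.
make_hardened_ini() {
    f=$(mktemp)
    printf '%s\n' '; constructed sample' 'safe_mode = On' 'safe_mode_gid = Off' \
        'open_basedir = "/var/www/phpbb:/tmp"' \
        'disable_functions = "system,exec,passthru,shell_exec,popen,proc_open"' > "$f"
    echo "$f"
}
```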
Software Quality Assurance
 - Bwahahahahahaha!
 - Testing Excuses
   - We don’t have enough devs to do that
   - That’s what betas are for
   - More eyes = fewer bugs
 - Suggest use of SimpleUnit and HTTPUnit
 - Include security tests
Deployment
 - Safe to install out of the box
 - Applications should not require world writeable files
 - Minimum attack surface area
 - Your app should be safe to deploy even if it’s half way installed
 - PHP apps should:
   - work with or require safe-mode restrictions
   - Magic quotes is evil – Be one way or the other
   - Old GPC behavior – do not re-introduce it
 - phpBB: Install/ contrib/ must go
   - Small window of opportunity to take over box during installation
Maintenance
 - Be up front with users about your support plans
 - Even if there’s no reason to deploy, release 2-4 times a year
 - Refactor bad code
 - Pull up bug fixes from the next version (and vice versa)
 - Only do security and performance fixes in x.y.z releases
 - Consider using a “Windows Update” type of facility or at least a “Check current version”
Where to go from here?
 - OWASP
   - Likely to finish around June if we’re lucky
   - You can get drafts and contribute now!
 - phpBB:
   - LART application
   - Need to train developers in secure coding techniques
   - Need to assist code review with the developers and implement fixes
Resources
 - OWASP
   http://www.owasp.org/
 - This presentation can be found at:
   http://www.greebo.net/owasp/secureossguide20.ppt
 - phpBB
   http://www.phpBB.com/
 - Firefox’s Web Developer
   http://www.chrispederick.com/work/firefox/webdeveloper/
 - Chris Shiflett’s PHP security web sites:
   http://shiflett.org/
   http://phpsec.org/
What you can do!
 - Don’t be phpBB (or ajv)
 - Download OWASP Guide 2.0 and read it
 - Use threat modeling to find the most important issues
 - Fix the problems in your applications now!
 - Security is not a one time shot:
   - Starts when you have the bright idea
   - Thinking Evil™ helps, but is not the entire solution
   - Ends when the last copy of your app is decommissioned