Modern Web Application Defense with OWASP Tools
OWASP AppSec 2014
About
• Frank Kim – SANS Institute
• Curriculum Lead, Application Security
• Author, Secure Coding in Java
Cross-Site Scripting (XSS)
• Occurs when unvalidated data is rendered in the browser
• Types of XSS
  – Reflected
  – Stored
  – Document Object Model (DOM) based
Contextual Output Encoding
• OWASP ESAPI
  – https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

    Encoder e = ESAPI.encoder();
    e.encodeForHTML(string);
    e.encodeForURL(string);
    e.encodeForJavaScript(string);

• OWASP Java Encoder
  – https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

    Encode.forHtml(value);
    Encode.forUri(value);
    Encode.forJavaScript(value);
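The point of the slide is that the encoder must match the context the value lands in. The following is an added illustration, not the ESAPI or Java Encoder source: three allowlist encoders in the same shape as Encode.forHtml / forUri / forJavaScript, and a render() that places one untrusted nickname into an HTML body, a URL parameter and an inline script. The function names and the render() template are assumptions made for this example.

```javascript
// Added illustration, not the OWASP ESAPI or Java Encoder source: three
// context-specific encoders in the shape of Encode.forHtml / forUri /
// forJavaScript, and a render() that puts one untrusted value into all three
// contexts. Each encoder allowlists characters rather than blocklisting.

// HTML text and attribute context: the five characters that can open or
// close a tag, an attribute value or an entity.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL component context: percent-encode every UTF-8 byte outside the RFC 3986
// unreserved set, so the value cannot add path segments or parameters.
function encodeForUri(s) {
  return Array.from(new TextEncoder().encode(String(s)), (b) => {
    const ch = String.fromCharCode(b);
    return /[A-Za-z0-9\-._~]/.test(ch) ? ch : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// JavaScript string-literal context: \xHH or \uHHHH for everything outside
// [A-Za-z0-9,._], so neither a quote nor "</script>" survives the encoding.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9,._]/g, (c) => {
    const cp = c.charCodeAt(0);
    return cp < 0x100 ? '\\x' + cp.toString(16).toUpperCase().padStart(2, '0')
                      : '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
  });
}

// The same nickname rendered in HTML body, URL parameter and inline script:
// each slot uses the encoder for its own context, never the HTML one for all.
function render(nick) {
  return [
    `<p>Hello ${encodeForHtml(nick)}</p>`,
    `<a href="/profile?user=${encodeForUri(nick)}">profile</a>`,
    `<script>var nick = '${encodeForJavaScript(nick)}';</script>`,
  ].join('\n');
}
```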
HttpOnly Flag
• Ensures that the cookie cannot be accessed via client side scripts (e.g. JavaScript)
• Configure in web.xml as of Servlet 3.0

    <session-config>
      <cookie-config>
        <http-only>true</http-only>
      </cookie-config>
    </session-config>

• Programmatically
  – Since Servlet 3.0

    Cookie cookie = new Cookie("mycookie", "test");
    cookie.setHttpOnly(true);

  – Before Servlet 3.0

    String cookie = "mycookie=test; Secure; HttpOnly";
    response.addHeader("Set-Cookie", cookie);
Content Security Policy
• Helps mitigate XSS
  – Originally developed by Mozilla
  – Currently a W3C Candidate Recommendation
  – http://www.w3.org/TR/CSP
• CSP headers
  – Content-Security-Policy
    • Starting in Firefox 23 and Chrome 25
  – X-Content-Security-Policy
    • Experimental header supported in IE 10 and older Firefox versions
  – X-WebKit-CSP
    • Experimental header supported in Safari and older Chrome versions
CSP Requirements
• No inline scripts
  – Can't put code in <script> blocks
  – Can't do inline event handlers like <a onclick="javascript">
• No inline styles
  – Can't write styles inline
CSP Directives
• default-src
• script-src
• object-src
• style-src
• img-src
• media-src
• frame-src
• font-src
• connect-src
CSP Examples
1) Only load resources from the same origin

    X-Content-Security-Policy: default-src 'self'

2) Example from mikewest.org

    x-content-security-policy: default-src 'none';
      style-src https://mikewestdotorg.hasacdn.net;
      frame-src https://www.youtube.com http://www.slideshare.net;
      script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com;
      img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:;
      font-src https://mikewestdotorg.hasacdn.net
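To see what the directives on this slide and the previous one actually permit, here is an added example (not code from the slides or any OWASP project) that parses a policy string and decides whether a load would be allowed, including the default-src fallback and the 'self', 'none', data:, "*." and ":*" source forms used on these slides. The matching is deliberately simplified to those forms; function names are assumptions, and the policy string is the mikewest.org example reused as test input.

```javascript
// Added example, not from the slides or any OWASP project: parse a CSP header
// value and decide whether a browser enforcing it would allow a given load.
// Source-expression matching is simplified to what the slide policies use:
// 'none', 'self', a bare scheme (data:), and host expressions with an optional
// scheme, a leading "*." wildcard and an optional port or ":*".
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the URL being loaded from page `self`?
function sourceMatches(src, url, self) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Without an explicit scheme the source inherits the page's scheme.
  const schemeOk = url.protocol === (scheme ? scheme.toLowerCase() + ':' : self.protocol);
  const hostOk = host === '*' || (host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) : url.hostname === host);
  // URL.port is '' for the scheme's default port; a source with no port only
  // matches the default port, ":*" matches any port.
  const portOk = port === '*' || (port ? url.port === port : url.port === '');
  return schemeOk && hostOk && portOk;
}

// A resource type falls back to default-src when its directive is absent;
// with neither present the browser applies no restriction.
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  const self = new URL(pageUrl);
  const url = new URL(resourceUrl);
  const sources = policy[directive] ?? policy['default-src'] ?? ['*'];
  return sources.some((s) => sourceMatches(s, url, self));
}

// The mikewest.org policy from the slides, used here as test input.
const MIKEWEST_CSP = "default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; "
  + "frame-src https://www.youtube.com http://www.slideshare.net; "
  + "script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; "
  + "img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:; "
  + "font-src https://mikewestdotorg.hasacdn.net";
```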
Report Only
• Facebook Example

    x-content-security-policy-report-only: allow *;
      script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net
        *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*;
      options inline-script eval-script;
      report-uri https://www.facebook.com/csp.php
Content Security Policy Demo
Strict-Transport-Security
• Tells the browser to only talk to the server via HTTPS
  – The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
  – Subsequent requests to HTTP automatically use HTTPS
• Supported browsers
  – Implemented in Firefox and Chrome
  – Currently an IETF draft

    Strict-Transport-Security: max-age=seconds [; includeSubdomains]
X-Frame-Options
• Prevents Clickjacking
  – HTTP Response Header supported by modern browsers
• Three options
  – DENY
    • Prevents any site from framing the page
  – SAMEORIGIN
    • Allows framing only from the same origin
  – ALLOW-FROM origin
    • Allows framing only from the specified origin
    • Only supported by IE (based on my testing)
    • Firefox Bug 690168 - "This was an unintentional oversight"
Using Secure Headers
• OWASP Secure Headers Project
  – https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
• Security Header Injection Module (SHIM)
  – Developed by Eric Johnson & Aaron Cure
Cross-Site Request Forgery (CSRF)
Diagram: Victim browser, mybank.com, attacker.com
1) Victim signs on to mybank
2) Victim visits attacker.com
3) Page contains CSRF code
4) Browser sends the request to mybank

    <form action=https://mybank.com/transfer.jsp method=POST>
      <input name=recipient value=attacker>
      <input name=amount value=1000>
    </form>
    <script>document.forms[0].submit()</script>

    POST /transfer.jsp HTTP/1.1
    Cookie: <mybank authentication cookie>

    recipient=attacker&amount=1000
OWASP 1-Liner
• Deliberately vulnerable application
  – Intended for demos and training
  – Created by John Wilander @johnwilander
• More information at
  – https://www.owasp.org/index.php/OWASP_1-Liner
JSON CSRF Demo
Normal JSON Message

    {"id":0,"nickName":"John","oneLiner":"I LOVE Java!","timestamp":"2013-05-27T17:04:23"}
Forged JSON Message

    {"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": "20111006"}//=dummy
CSRF Attack Form

    <form id="target" method="POST"
          action="https://local.1-liner.org:8444/ws/vulnerable/oneliners"
          enctype="text/plain" style="visibility:hidden">
      <input type="text"
             name='{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": "20111006"}//'
             value="dummy" />
      <input type="submit" value="Go" />
    </form>
CSRF Defense
• Must include something random in the request
  – Use an anti-CSRF token
• OWASP CSRFGuard
  – Written by Eric Sheridan @eric_sheridan
  – Can inject anti-CSRF token using
    • JSP Tag library - for manual, fine grained protection
    • JavaScript DOM manipulation - for automated protection requiring minimal effort
  – Filter that intercepts requests and validates tokens
CSRFGuard JSP Tags
• Tags for token name and value

    <form name="test1" action="protect.html">
      <input type="text" name="text" value="text"/>
      <input type="submit" name="submit" value="submit"/>
      <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
    </form>

• Tag for name/value pair (delimited with "=")

    <a href="protect.html?<csrf:token/>">protect.html</a>

• Convenience tags for forms and links as well: <csrf:form> and <csrf:a>

Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
CSRFGuard DOM Manipulation
• Include JavaScript in every page that needs CSRF protection

    <script src="/securish/JavaScriptServlet"></script>

• JavaScript used to hook the open and send methods

    XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
    XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
      // store a copy of the target URL
      this.url = url;
      this._open.apply(this, arguments);
    };

    XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
    XMLHttpRequest.prototype.send = function(data) {
      if (this.onsend != null) {
        // call custom onsend method to modify the request
        this.onsend.apply(this, arguments);
      }
      this._send.apply(this, arguments);
    };
Protecting XHR Requests
• CSRFGuard sends two HTTP headers

    // onsend runs inside the hooked send(), i.e. after open() and before the
    // real send(), which is the only window in which setRequestHeader works;
    // isValidUrl is defined elsewhere in the CSRFGuard JavaScript
    XMLHttpRequest.prototype.onsend = function(data) {
      if (isValidUrl(this.url)) {
        this.setRequestHeader("X-Requested-With", "OWASP CSRFGuard Project");
        this.setRequestHeader("OWASP_CSRFTOKEN", "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
      }
    };
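The server side of this defense, and of the JSON CSRF demo above, as an added example (not code from OWASP 1-Liner or CSRFGuard): the body a JSON endpoint actually receives from the text/plain form on the earlier slides, and the checks that reject it while accepting a request carrying the two CSRFGuard headers. The request object shape and the function names are assumptions; the token value is the one shown on the slide.

```javascript
// Added example, not code from OWASP 1-Liner or CSRFGuard: the body a JSON
// endpoint receives from the text/plain form on the slides, and server-side
// checks that reject it while accepting a CSRFGuard-style XHR. The request
// object shape ({ headers, body }) is an assumption made for this example.

// A form with enctype="text/plain" sends each field as name=value, one per
// line, with no encoding. With name='{...}//' and value="dummy" the body is
// still valid JSON up to the trailing comment, which is why the vulnerable
// 1-Liner endpoint accepted it.
function textPlainBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}`).join('\r\n');
}

function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Checks a JSON endpoint can apply before parsing the body. An HTML form can
// only send urlencoded, multipart or text/plain bodies and cannot add custom
// headers, so each header check alone stops the forged form; the per-session
// token is what ties the request to the logged-in user.
function validateJsonRequest(req, sessionToken) {
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (!/^application\/json\b/i.test(h['content-type'] || ''))
    return { ok: false, reason: 'Content-Type must be application/json' };
  if (h['x-requested-with'] !== 'OWASP CSRFGuard Project')
    return { ok: false, reason: 'missing X-Requested-With header' };
  if (!constantTimeEqual(h['owasp_csrftoken'] || '', sessionToken))
    return { ok: false, reason: 'missing or invalid OWASP_CSRFTOKEN' };
  try {
    return { ok: true, message: JSON.parse(req.body) };
  } catch (e) {
    return { ok: false, reason: 'body is not JSON' };
  }
}
```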
JSON CSRF Protection Demo
Summary
• Many tools to choose from
  – ESAPI, Java Encoder, Secure Headers Project, CSRFGuard, 1-Liner, Zed Attack Proxy (ZAP)
• Look to use Secure HTTP Response Headers like
  – Content Security Policy
  – Strict-Transport-Security
  – X-Frame-Options
Frank Kim [email protected]
@sansappsec