Modern Web Application Defense with OWASP Tools, OWASP AppSec 2014

Page 1: Modern Web Application Defense with OWASP Tools

OWASP AppSec 2014

Page 2: About

• Frank Kim – SANS Institute
  • Curriculum Lead, Application Security
  • Author, Secure Coding in Java

Page 3: Cross-Site Scripting (XSS)

• Occurs when unvalidated data is rendered in the browser
• Types of XSS
  – Reflected
  – Stored
  – Document Object Model (DOM) based

Page 4: Contextual Output Encoding

• OWASP ESAPI – https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Encoder e = ESAPI.encoder();
e.encodeForHTML(string);
e.encodeForURL(string);
e.encodeForJavaScript(string);

• OWASP Java Encoder – https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Encode.forHtml(value);
Encode.forUri(value);
Encode.forJavaScript(value);
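As an added illustration (not code from the slides or from either OWASP project), the JavaScript below gives minimal equivalents of Encode.forHtml, Encode.forJavaScript and a URI-component encoder, then renders one constructed untrusted value into each of the three output contexts; the escaping rules are simplified assumptions, not the projects' exact tables.

```javascript
// Added example (not from the slides or the OWASP projects): minimal JavaScript
// equivalents of forHtml / forJavaScript / forUriComponent, to show why the
// encoder must match the output context. The untrusted input is constructed.

// HTML body or quoted-attribute context: neutralise the five characters that
// can close text or an attribute and start markup.
function forHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// JavaScript string-literal context: hex-escape everything except
// alphanumerics and a few safe punctuation characters, so the value can
// neither close the quote nor contain a literal </script>.
function forJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0').toUpperCase()
      : '\\u' + code.toString(16).padStart(4, '0').toUpperCase();
  });
}

// URI query-parameter context: percent-encode so the value stays one
// parameter value and cannot introduce new ones or a new path.
function forUriComponent(s) {
  return encodeURIComponent(String(s));
}

// Constructed untrusted input: a typical reflected-XSS probe.
const untrusted = '<script>alert("x")</script>';

// Render the same value into the three contexts the slide lists; each
// template is safe only with the encoder that matches its context.
function renderAll(value) {
  return {
    html: '<p>' + forHtml(value) + '</p>',
    js: "var name = '" + forJavaScript(value) + "';",
    uri: '/search?q=' + forUriComponent(value),
  };
}
```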

Page 5: HttpOnly Flag

• Ensures that the cookie cannot be accessed via client-side scripts (e.g. JavaScript)
• Configure in web.xml as of Servlet 3.0

<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

• Programmatically
  – Since Servlet 3.0

Cookie cookie = new Cookie("mycookie", "test");
cookie.setHttpOnly(true);

  – Before Servlet 3.0

String cookie = "mycookie=test; Secure; HttpOnly";
response.addHeader("Set-Cookie", cookie);

Page 6: Content Security Policy

• Helps mitigate XSS
  – Originally developed by Mozilla
  – Currently a W3C Candidate Recommendation
• http://www.w3.org/TR/CSP
• CSP headers
  – Content-Security-Policy
    • Starting in Firefox 23 and Chrome 25
  – X-Content-Security-Policy
    • Experimental header supported in IE 10 and older Firefox versions
  – X-WebKit-CSP
    • Experimental header supported in Safari and older Chrome versions

Page 7: CSP Requirements

• No inline scripts
  – Can't put code in <script> blocks
  – Can't do inline event handlers like <a onclick="javascript">
• No inline styles
  – Can't write styles inline

Page 8: CSP Directives

• default-src
• script-src
• object-src
• style-src
• img-src
• media-src
• frame-src
• font-src
• connect-src

Page 9: CSP Examples

1) Only load resources from the same origin

X-Content-Security-Policy: default-src 'self'

2) Example from mikewest.org

x-content-security-policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com http://www.slideshare.net; script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:; font-src https://mikewestdotorg.hasacdn.net

Page 10: Report Only

• Facebook Example

x-content-security-policy-report-only: allow *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*; options inline-script eval-script; report-uri https://www.facebook.com/csp.php
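An added example, not from the slides or the CSP specification: a small JavaScript evaluator that parses a policy header and decides whether a given resource load is allowed, including the fallback from a missing directive to default-src. It is exercised against the mikewest.org policy above and the host-wildcard and port forms from the Facebook policy. Source matching is simplified (scheme, host, leading "*." wildcard, optional port, 'self', 'none' and scheme-only sources such as data:), and the page origin is an assumed parameter.

```javascript
// Added example (not from the slides): parse a CSP header and decide whether
// a resource load is allowed. Matching is deliberately simplified.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Test one source expression against one parsed URL; pageOrigin resolves 'self'.
function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase(); // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\*|\d+))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  if (wild ? !h.endsWith('.' + host.toLowerCase()) : h !== host.toLowerCase()) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Pick the directive for the resource type, falling back to default-src
// (and to "allow everything" when neither is present), then test every source.
function isAllowed(policy, directive, urlString, pageOrigin) {
  const sources = policy[directive] || policy['default-src'] || ['*'];
  const url = new URL(urlString);
  return sources.some((src) => src === '*' || sourceMatches(src, url, pageOrigin));
}

// The mikewest.org policy quoted on the slide, parsed once for checking.
const MIKEWEST_POLICY = parsePolicy(
  "default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; " +
  "frame-src https://www.youtube.com http://www.slideshare.net; " +
  "script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; " +
  "img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:; " +
  "font-src https://mikewestdotorg.hasacdn.net");
```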

Page 11: Content Security Policy Demo

Page 12: Strict-Transport-Security

• Tells browser to only talk to the server via HTTPS
  – First time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
  – Subsequent requests to HTTP automatically use HTTPS
• Supported browsers
  – Implemented in Firefox and Chrome
  – Currently an IETF draft

Strict-Transport-Security: max-age=seconds [; includeSubdomains]

Page 13: X-Frame-Options

• Prevents Clickjacking
  – HTTP Response Header supported by modern browsers
• Three options
  – DENY
    • Prevents any site from framing the page
  – SAMEORIGIN
    • Allows framing only from the same origin
  – ALLOW-FROM origin
    • Allows framing only from the specified origin
    • Only supported by IE (based on my testing)
    • Firefox Bug 690168 - "This was an unintentional oversight"

Page 14: Using Secure Headers

• OWASP Secure Headers Project
  – https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
• Security Header Injection Module (SHIM)
  – Developed by Eric Johnson & Aaron Cure

Page 15: Cross-Site Request Forgery (CSRF)

Diagram: victim browser, mybank.com, attacker.com

1) Victim signs on to mybank
2) Victim visits attacker.com
3) Page contains CSRF code
4) Browser sends the request to mybank

<form action=https://mybank.com/transfer.jsp method=POST>
  <input name=recipient value=attacker>
  <input name=amount value=1000>
</form>
<script>document.forms[0].submit()</script>

POST /transfer.jsp HTTP/1.1
Cookie: <mybank authentication cookie>

recipient=attacker&amount=1000

Page 16: OWASP 1-Liner

• Deliberately vulnerable application
  – Intended for demos and training
  – Created by John Wilander @johnwilander
• More information at
  – https://www.owasp.org/index.php/OWASP_1-Liner

Page 17: JSON CSRF Demo

Page 18: Normal JSON Message

{"id":0,"nickName":"John",
 "oneLiner":"I LOVE Java!",
 "timestamp":"2013-05-27T17:04:23"}

Page 19: Forged JSON Message

{"id": 0, "nickName": "John",
 "oneLiner": "I hate Java!",
 "timestamp": "20111006"}//=dummy

Page 20: CSRF Attack Form

<form id="target" method="POST"
      action="https://local.1-liner.org:8444/ws/vulnerable/oneliners"
      enctype="text/plain"
      style="visibility:hidden">
  <input type="text"
         name='{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": "20111006"}//'
         value="dummy" />
  <input type="submit" value="Go" />
</form>

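An added example, not from the slides or OWASP 1-Liner, showing in JavaScript how the text/plain form above reaches the server as the forged message, why a handler that tolerates the trailing comment accepts it, and how a Content-Type check combined with the anti-CSRF token header rejects it. The request objects, the token value and the lowercase header keys are constructed for the example.

```javascript
// Added example (not from the slides or OWASP 1-Liner): the forged text/plain
// body beside a vulnerable and a hardened server handler. Requests, token and
// header keys are constructed.

// A browser encodes an enctype="text/plain" form as "name=value" lines, so a
// field whose name is JSON followed by "//" and whose value is "dummy"
// arrives as JSON with a trailing line comment.
function textPlainBody(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join('\r\n');
}

// Vulnerable handler: strips a trailing "//..." comment and parses what is
// left, never looking at Content-Type or at a token.
function vulnerableHandler(req) {
  const json = req.body.replace(/\/\/.*$/, '');
  try { return { status: 201, oneLiner: JSON.parse(json).oneLiner }; }
  catch (e) { return { status: 400 }; }
}

// Hardened handler: a cross-site HTML form can send neither an
// application/json Content-Type nor the per-session token header that the
// site's own JavaScript (CSRFGuard's hook) attaches, so both are required.
function hardenedHandler(req, expectedToken) {
  const ct = (req.headers['content-type'] || '').split(';')[0].trim();
  if (ct !== 'application/json') return { status: 415 };
  if (req.headers['owasp_csrftoken'] !== expectedToken) return { status: 403 };
  try { return { status: 201, oneLiner: JSON.parse(req.body).oneLiner }; }
  catch (e) { return { status: 400 }; }
}

// Constructed forged request, as the attack form on the slide submits it.
const FORGED = {
  headers: { 'content-type': 'text/plain' },
  body: textPlainBody({
    '{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": "20111006"}//': 'dummy',
  }),
};
// Constructed legitimate XHR request from the application's own page.
const LEGIT = {
  headers: { 'content-type': 'application/json', 'owasp_csrftoken': 'TOKEN-FROM-SESSION' },
  body: '{"id":0,"nickName":"John","oneLiner":"I LOVE Java!","timestamp":"2013-05-27T17:04:23"}',
};
```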

Page 23: CSRF Defense

• Must include something random in the request
  – Use an anti-CSRF token
• OWASP CSRFGuard
  – Written by Eric Sheridan @eric_sheridan
  – Can inject anti-CSRF token using
    • JSP Tag library - for manual, fine grained protection
    • JavaScript DOM manipulation - for automated protection requiring minimal effort
  – Filter that intercepts requests and validates tokens

Page 24: CSRFGuard JSP Tags

• Tags for token name and value

<form name="test1" action="protect.html">
  <input type="text" name="text" value="text"/>
  <input type="submit" name="submit" value="submit"/>
  <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
</form>

• Tag for name/value pair (delimited with "=")

<a href="protect.html?<csrf:token/>">protect.html</a>

• Convenience tags for forms and links as well: <csrf:form> and <csrf:a>

Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

Page 25: CSRFGuard DOM Manipulation

• Include JavaScript in every page that needs CSRF protection

<script src="/securish/JavaScriptServlet"></script>

• JavaScript used to hook the open and send methods

XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
  // store a copy of the target URL
  this.url = url;
  this._open.apply(this, arguments);
}

XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function(data) {
  if(this.onsend != null) {
    // call custom onsend method to modify the request
    this.onsend.apply(this, arguments);
  }
  this._send.apply(this, arguments);
}

Page 26: Protecting XHR Requests

• CSRFGuard sends two HTTP headers

XMLHttpRequest.prototype.onsend = function(data) {
  if(isValidUrl(this.url)) {
    this.setRequestHeader("X-Requested-With",
      "OWASP CSRFGuard Project");
    this.setRequestHeader("OWASP_CSRFTOKEN",
      "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
  }
};
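An added example, not CSRFGuard's own code: the open/send hooks from the two slides above, installed on a small stand-in for XMLHttpRequest so the behaviour can be checked outside a browser. The token value, the page origin and the same-origin implementation of isValidUrl are constructed assumptions.

```javascript
// Added example, not CSRFGuard's own code: the hook pattern from the two slides
// above, run against a small stand-in for XMLHttpRequest so the behaviour can be
// checked outside a browser. The token value and page origin are constructed.
// Stand-in XHR that records the headers set on it, as the real object does.
function FakeXHR() { this.headers = {}; }
FakeXHR.prototype.open = function (method, url) { this.method = method; this.target = url; };
FakeXHR.prototype.setRequestHeader = function (name, value) { this.headers[name] = value; };
FakeXHR.prototype.send = function (data) { this.sent = data; };

// Install the CSRFGuard-style hooks on an XHR constructor (XMLHttpRequest in
// a browser, FakeXHR here): open() remembers the URL, send() runs onsend first.
function installCsrfHooks(XHR, token, isValidUrl) {
  XHR.prototype._open = XHR.prototype.open;
  XHR.prototype.open = function (method, url, async, user, pass) {
    this.url = url;                    // store a copy of the target URL
    this._open.apply(this, arguments);
  };
  XHR.prototype._send = XHR.prototype.send;
  XHR.prototype.send = function (data) {
    if (this.onsend != null) this.onsend.apply(this, arguments);
    this._send.apply(this, arguments);
  };
  // The token is attached only to URLs the application owns, so it is never
  // leaked to a third-party endpoint.
  XHR.prototype.onsend = function () {
    if (isValidUrl(this.url)) {
      this.setRequestHeader('X-Requested-With', 'OWASP CSRFGuard Project');
      this.setRequestHeader('OWASP_CSRFTOKEN', token);
    }
  };
}
// isValidUrl: resolve relative and protocol-relative URLs against the page
// origin and require the same origin; anything unparseable fails closed.
function makeSameOriginCheck(pageOrigin) {
  return (url) => {
    try { return new URL(url, pageOrigin).origin === pageOrigin; } catch (e) { return false; }
  };
}

// Send one request through the hooked constructor and return the headers it
// carried, so the effect of isValidUrl can be observed per URL.
function sendWithHooks(url, body) {
  const xhr = new FakeXHR();
  xhr.open('POST', url);
  xhr.send(body);
  return xhr.headers;
}

installCsrfHooks(FakeXHR, 'EXAMPLE-TOKEN-FROM-SESSION', makeSameOriginCheck('https://local.1-liner.org:8444'));
```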

Page 27: JSON CSRF Protection Demo

Page 28: Summary

• Many tools to choose from
  – ESAPI, Java Encoder, Secure Headers Project, CSRFGuard, 1-Liner, Zed Attack Proxy (ZAP)
• Look to use Secure HTTP Response Headers like
  – Content Security Policy
  – Strict-Transport-Security
  – X-Frame-Options

Page 29:

Frank Kim – [email protected]
@sansappsec
