Using the OWASP Top Ten to Upgrade your Authorization Services


<ul>
<li><p>© 2015 Axiomatics AB</p><p>Getting the OWASP Top Ten Right with ABAC and XACML</p><p>With Gunnar Peterson and Gerry Gebel</p><p>Webinar: February 10, 2015</p></li>
<li><p>Agenda</p><ul><li>OWASP Top Ten</li><li>3 Examples</li><li>More Efficient Authorization</li><li>Q&amp;A</li></ul></li>
<li><p>Why Identity Matters</p><p>"Corporate networks are like candy bars: hard on the outside, soft and chewy on the inside." (Rich Mogull, 2004)</p></li>
<li><p>OWASP Top Ten</p></li>
<li><p>Using Access Control Matrix</p><ul><li>Problem description</li><li>WebGoat demo</li><li>XACML 101</li><li>XACML based solution</li></ul></li>
<li><p>Using an Access Control Matrix</p></li>
<li><p>What is XACML?</p><ul><li>eXtensible Access Control Markup Language</li><li>OASIS standard</li><li>V 3.0 approved in January 2013</li><li>V 1.0 approved in 2003 (over 10 years ago!)</li><li>XACML core is expressed as a specification document and an XML schema</li></ul></li>
<li><p>What's in the XACML standard</p><ul><li>Profiles add functionality<ul><li>REST</li><li>JSON</li><li>Export Control</li><li>IP Protection</li><li>Hierarchical Resources</li><li>Etc.</li></ul></li></ul><p>XACML: Reference Architecture, Policy Language, Request / Response Scheme</p></li>
<li><p>XACML Architecture</p><ul><li>Manage: Policy Administration Point</li><li>Decide: Policy Decision Point</li><li>Support: Policy Information Point, Policy Retrieval Point</li><li>Enforce: Policy Enforcement Point</li></ul></li>
<li><p>XACML Flow</p><ul><li>The user asks to access Document #123; the Policy Enforcement Point intercepts the request.</li><li>The Policy Enforcement Point asks the Policy Decision Point: "Can Alice access Document #123?"</li><li>The Policy Decision Point loads the XACML policies from the Policy Retrieval Point and retrieves the user's role and clearance and the document's classification from the Policy Information Point.</li><li>The Policy Decision Point answers "Yes, Permit", and the Policy Enforcement Point lets the user access Document #123.</li></ul></li>
<li><p>XACML Standard</p><p>XACML: Reference Architecture, Policy Language, Request / Response Scheme</p></li>
<li><p>How does it work?</p><table><tr><th>Subject</th><th>Action</th><th>Resource</th><th>Environment</th></tr><tr><td>A user wants to do</td><td>something</td><td>with an information asset</td><td>in a given context</td></tr><tr><td>Example: An analyst wants to</td><td>view</td><td>market data related to a new share issue</td><td>via a secure channel after having been authenticated using the corporate smart card</td></tr></table></li>
<li><p>XACML Standard</p><p>XACML: Reference Architecture, Policy Language, Request / Response Scheme</p></li>
<li><p>Request/Response Scheme</p><p>The XACML Request carries Subject, Action, Resource and Environment attributes; it is evaluated against the XACML Policies, producing the XACML Response.</p></li>
<li><p>XACML-based solution for Using Access Control Matrix</p></li>
<li><p>JSON Injection</p><ul><li>Problem description</li><li>WebGoat demo</li><li>XACML based solution</li></ul></li>
<li><p>JSON Injection</p></li>
<li><p>JSON Injection</p><p>Let's get a $600 flight for $1</p></li>
<li><p>JSON Injection</p></li>
<li><p>XACML-based solution for JSON injection</p></li>
<li><p>Bypass path based access control scheme</p><ul><li>Problem description</li><li>WebGoat demo</li><li>XACML based solution</li></ul></li>
<li><p>Bypass Path Based access control scheme</p><ul><li>Direct Object reference allows an attacker to swap the selected file for a different path+file and traverse the file system</li></ul></li>
<li><p>Bypass Path Based access control scheme</p><pre>root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/..</pre></li>
<li><p>XACML-based solution for Path based access control scheme</p></li>
<li><p>Forced Browsing</p><ul><li>Problem description</li><li>WebGoat demo</li><li>XACML based solution</li></ul></li>
<li><p>Forced Browsing</p><p>http://localhost:8080/WebGoat/conf</p><p>Swap URL to access Admin Config page</p></li>
<li><p>XACML-based solution for Forced browsing</p></li>
<li><p>Indirect Object Reference solution</p></li>
<li><ul><li>Indeed, the ../ example of XACML policy was just an example</li><li>A more elegant solution would be the use of indirect object references<ul><li>Map each shareable object to a reference value (simple integer, random characters)</li><li>Use these indirect references instead of the actual filename</li></ul></li><li>Two possible XACML solutions<ul><li>Minimal use of PDP<ul><li>PDP has a mapping of who can access which indirect reference</li><li>App asks PDP if user is allowed to access a specific indirect reference</li><li>PDP replies PERMIT/DENY and app performs the reference-to-object mapping to act on the object</li></ul></li><li>Using PDP to perform lookup<ul><li>Add the reference map to an information point (PIP)</li><li>PDP responds with a PERMIT/DENY</li><li>It also replies with the mapped object's identity as an XACML Obligation</li><li>App interprets the response and the value returned in the Obligation</li></ul></li></ul></li></ul></li>
<li><p>Summary</p></li>
<li><p>A Path Towards More Effective Authorization</p><ul><li>Get granular<ul><li>Roles are great. Roles plus attributes are better</li><li>Use dynamic, fine grained attributes to drive access rules</li></ul></li><li>Externalize authorization logic from code<ul><li>Configure, don't code authorization</li></ul></li><li>Get defensive<ul><li>Use ABAC to close out pernicious web vulnerabilities like Injection, Direct Object Reference, and Forced Browsing</li></ul></li></ul></li>
<li><p>Next Steps</p><ul><li>Download and read the whitepaper</li><li>Download and run the code</li><li>Let us know how it works</li><li>Any other vulnerabilities you think ABAC can address?</li></ul></li>
<li><p>Q&amp;A</p></li>
<li><p>Don't miss out on these events!</p><p>Upcoming events &amp; webinars</p><ul><li>February 12 (Los Angeles): IAM Meet Up</li><li>February 26 (Chicago): IAM Meet Up</li><li>March 16-17 (London): Gartner Identity &amp; Access Management Summit</li><li>March 24 (Washington DC): ABAC half day seminar</li></ul><p>More at</p></li>
</ul>
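The XACML flow (PEP asks PDP, PDP pulls attributes from a PIP) and the second indirect-object-reference option ("Using PDP to perform lookup", where the PDP returns the mapped object in an Obligation) can be put together in a small toy. This is an added illustration, not code from the webinar or from Axiomatics; the policy, the subject attributes, the reference map and the file paths are all constructed for the example.

```python
"""Toy XACML-style PDP with a PIP-backed indirect object reference map.

Constructed illustration of the webinar's "Using PDP to perform lookup"
option: the PEP sends subject/action/resource(reference) attributes, the
PDP pulls clearance and the reference map from a PIP, and returns
Permit/Deny plus an Obligation carrying the real object identity.
All data below is made up for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# PIP data (constructed): subject attributes and the indirect reference map.
PIP_SUBJECTS = {"alice": {"role": "analyst", "clearance": 2},
                "bob": {"role": "guest", "clearance": 0}}
PIP_REFERENCES = {"7f3a": {"object": "/srv/docs/doc-123.pdf", "classification": 2},
                  "9c1e": {"object": "/srv/docs/payroll.xlsx", "classification": 3}}
PIP_ENV = {"channel_secure": True}


@dataclass
class Response:
    decision: str                      # "Permit" or "Deny"
    obligations: dict = field(default_factory=dict)


def pdp_evaluate(subject_id: str, action: str, reference: str) -> Response:
    """Policy: an analyst may 'view' a document whose classification does not
    exceed their clearance, over a secure channel. Only known references are
    resolved, so a raw path such as '../../etc/passwd' never reaches the file
    system: that is what defeats the traversal shown in the WebGoat demo."""
    subj = PIP_SUBJECTS.get(subject_id)
    ref = PIP_REFERENCES.get(reference)
    if subj is None or ref is None:
        return Response("Deny")        # unknown subject or reference: no lookup
    if action != "view" or not PIP_ENV["channel_secure"]:
        return Response("Deny")
    if subj["role"] == "analyst" and subj["clearance"] >= ref["classification"]:
        # Permit, and hand the resolved object back as an Obligation.
        return Response("Permit", {"resolved-object": ref["object"]})
    return Response("Deny")


def pep_open(subject_id: str, action: str, reference: str) -> Optional[str]:
    """PEP: enforce the decision and act only on the object named in the Obligation."""
    resp = pdp_evaluate(subject_id, action, reference)
    if resp.decision != "Permit":
        return None
    return resp.obligations["resolved-object"]


if __name__ == "__main__":
    print(pep_open("alice", "view", "7f3a"))            # /srv/docs/doc-123.pdf
    print(pep_open("alice", "view", "9c1e"))            # None (classification 3 > clearance 2)
    print(pep_open("bob", "view", "../../etc/passwd"))  # None (not a known reference)
```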