rap-payne
Part of the Web Application Security Course
A9 Insufficient Transport Layer Protection
Problem and Protection
o Lost 45.7 Million credit card numbers
o 455K drivers license numbers
o Considered a 'worst-case scenario'.
o The attack went on for two years before it was uncovered.
o Cause: WEP traffic was not encrypted well.
The attackers basically authenticated themselves inside the firewall.
Insufficient Transport Layer Protection
o Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
o When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
How attackers do it
o They use packet sniffers to read the communications over a network
o Anything unencrypted can be read easily
• Pages (duh)
o But we forget about encrypting
• Cookies
• Web services
• Intranet communications
• Database requests
• AJAX communication
o Anything encrypted weakly can be cracked
How we protect ourselves
o Require TLS for all sensitive pages
• Especially login pages!
o Set the ‘secure’ flag on all sensitive cookies
o Configure TLS provider to only support strong algorithms
o Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site
o Don't neglect the backend communications
Require SSL for all sensitive pages
o Non-SSL requests to these pages should be redirected to the SSL page
o Every login page should use TLS
• Because otherwise the username and password would be sent in clear text
Make cookies secure
o Set the secure flag on all sensitive cookies
o This requires them to be sent via SSL
    HttpCookie c = new HttpCookie("PetsName","Mouser");
    c.Secure = true;
o Do the same for ASP.NET forms authentication cookies in web.config.
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" requireSSL="true" .../>
        …
    </authentication>
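As an added check, not taken from the slides, the following Python script parses the Set-Cookie headers a server emits and reports sensitive cookies that lack the Secure flag (and HttpOnly); the sample headers are constructed, and the list of sensitive cookie names and the name pattern are assumptions to adjust for your application.

```python
"""Defender-side audit: find session/auth cookies sent without Secure or HttpOnly."""
import re

# Cookie names that carry a session or authentication token. ".ASPXAUTH" and
# "ASP.NET_SessionId" are ASP.NET's defaults; the pattern is an assumption
# covering other common naming conventions (extend it for your own app).
SENSITIVE_NAMES = {".ASPXAUTH", "ASP.NET_SessionId"}
SENSITIVE_PATTERN = re.compile(r"(sess|auth|token|login)", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_sensitive(name):
    return name in SENSITIVE_NAMES or bool(SENSITIVE_PATTERN.search(name))


def audit_set_cookie(header_values):
    """Return one finding per sensitive cookie missing Secure and/or HttpOnly."""
    findings = []
    for hv in header_values:
        name, _value, attrs = parse_set_cookie(hv)
        if not is_sensitive(name):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append({"cookie": name, "missing": missing})
    return findings


# Constructed sample headers, as a server might emit them before and after the fix.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",                        # missing both flags
    ".ASPXAUTH=0A1B2C; path=/; HttpOnly",                      # missing Secure
    "PetsName=Mouser; path=/",                                 # not sensitive
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # correctly flagged
]

if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{f['cookie']}: missing {', '.join(f['missing'])}")
```

Run it against the headers captured from your own site (for example from the browser's developer tools) to confirm the web.config change above actually took effect.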
Use only strong encryption
o FIPS 140-2 compliant algorithms
• Use AES or Blowfish for symmetric cryptography
• Use SHA-256 or SHA-512 for hashing
• Use RSA for asymmetric (but all are okay)
o If you use SHA-1 or MD5, please expect to be compromised
Ensure comprehensive certificates
o Certificate errors desensitize users to future alerts
o Keep your certs up-to-date and valid
o Use wildcards for domains
• Ex: if we have a cert for www.tic.com and we open reports.tic.com, the user sees a certificate error
• Get a cert for *.tic.com instead of www.tic.com
Don't forget about the back end
o Sniffers can see more than just web pages.
o When sensitive, you should use TLS for:
• JavaScript files with business logic
• AJAX calls
• XML web services
• Database communications
Summary
o Attackers use network sniffers to get to our sensitive data
o We should use TLS/SSL to protect:
• Pages (especially login pages)
• Cookies
• Web services & other backend processes
o Only use strong cryptographic ciphers like AES and SHA-256
Further study
o Secure cookies white paper: • http://bit.ly/SecureCookies
o How to harden databases: • http://bit.ly/HardeningDatabases
o Wireshark information and download: • http://wireshark.org