Page 1: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Protecting Web Applications with ESAPI and AppSensor

Manuel Lopez Arredondo, [email protected]

Page 2: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”

http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/

Page 3: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Why is security important?

Ponemon Institute. (2012). 2012 Cost of Cyber Crime Study. Ponemon Institute LLC.

Page 4: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Verizon. (2012). 2012 Data Breach Investigations Report. Verizon LLC.

Why is security important?

Page 5: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Why is security important?

Page 6: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]


Mission Driven

Nonprofit | World Wide | Unbiased

OWASP does not endorse or recommend commercial products or services

What is OWASP

Page 7: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]


Community Driven

30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters, 69 Academic Supporters

What is OWASP

Page 8: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

OWASP Guadalajara Chapter

What do we have to offer?
• Community of security professionals
• Monthly meetings
• Mailing list
• Presentations
• Workshops
• Open forums for discussion
• Vendor-neutral environment

March 2012 – to date: Meetings: 3 | Workshops: 1 | Conference: 1 | Newsletter: 3 | Page Visits: 2,528+

https://www.owasp.org/index.php/Guadalajara

Page 9: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]


Quality Resources

200+ Projects
15,000+ downloads of tools and documentation
250,000+ unique visitors, 800,000+ page views (monthly)

What is OWASP

Page 10: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Quality Resources [chart]: Documentation / Tools / Code – 50% / 10% / 40%

Page 11: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

OWASP Top Ten (2010 Edition)

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Page 12: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

A1 – Injection

Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter

Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…

SQL injection is still quite common
• Many applications still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid

Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access

Page 13: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

SQL Injection – Illustrated

[Diagram] Firewall → Hardened OS → Web Server → App Server → Firewall → Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing. Custom Code sits at the Application Layer (above the Network Layer) and implements the business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions. Flow of the APPLICATION ATTACK: HTTP request → SQL query → DB Table → HTTP response.

"SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user

Account Summary (returned to the attacker instead of the single record the form asked for):
Acct: 5424-6066-2134-4334
Acct: 4128-7574-3921-0192
Acct: 5424-9383-2039-4029
Acct: 4128-0004-1234-0293

Form fields: Account:, SKU:
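The five steps above, as an added example that is not part of the original deck: a Python script with an in-memory SQLite table (the four account numbers are the constructed sample values from the slide) runs the slide's query both as string concatenation and as a parameterised query, so the difference in what the interpreter receives is visible in the row counts.

```python
import sqlite3

# Constructed sample data for the demo (the values shown on the slide, not real accounts)
ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]


def make_db():
    """In-memory accounts table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, acct):
    """Step 3 on the slide: the form value is spliced into the SQL text, so the
    interpreter sees attacker-controlled SQL rather than a data value."""
    sql = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, acct):
    """Parameterised query: the value travels separately from the SQL text and is
    always treated as a string literal, never as SQL."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def demo():
    """Row counts for a normal lookup and for the slide's form input on both code paths."""
    conn = make_db()
    payload = "' OR 1=1--"  # the form input from the slide's SELECT statement
    return {
        "normal": len(vulnerable_lookup(conn, "4128-7574-3921-0192")),
        "vulnerable_with_payload": len(vulnerable_lookup(conn, payload)),
        "safe_with_payload": len(safe_lookup(conn, payload)),
    }


if __name__ == "__main__":
    print(demo())  # {'normal': 1, 'vulnerable_with_payload': 4, 'safe_with_payload': 0}
```

The vulnerable path returns the whole table (the "Account Summary" on the slide); the parameterised path returns nothing because no account is literally named `' OR 1=1--`. Binding parameters is the simple avoidance the slide refers to; validation and encoding (ESAPI, later in the deck) are a second layer, not a replacement for it.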

Page 14: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

A2 – Cross-Site Scripting (XSS)

Occurs any time…
• Raw data from attacker is sent to an innocent user’s browser

Raw data…
• Stored in database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into rich JavaScript client

Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)

Typical Impact
• Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites

Page 15: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Cross-Site Scripting Illustrated

Application with stored XSS vulnerability

1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker victim’s session cookie

[Diagram] Custom Code implementing the business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions

Page 16: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]


Project Leader: Chris Schmidt, [email protected]

Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Enterprise Security API

for Reboot

Page 17: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

ESAPI - Vision

• Build a common set of security controls for today's most popular programming languages.
• Have interfaces in common across programming languages as much as possible and natural.
• Provide at least a simple reference implementation for each security control to serve as example if not useful in itself.
• Easily extensible.
• Provide functionality that is most often needed, but lacking (or inconsistent) in various frameworks / languages.

Page 18: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Using ESAPI (1 of 3)

Getting started
• https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
• Download: http://code.google.com/p/owasp-esapi-java/
• ESAPI Cheat Sheet: https://www.owasp.org/index.php/ESAPI_Cheat_Sheet
• ESAPI Swingset: http://code.google.com/p/owasp-esapi-java-swingset/

Page 19: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Using ESAPI (2 of 3)

Getting help
• ESAPI User mailing list (focuses on Java version): https://lists.owasp.org/mailman/listinfo/esapi-user
• ESAPI Developer mailing list: https://lists.owasp.org/mailman/listinfo/esapi-dev
• ESAPI Project page: http://www.esapi.org/ (coming soon)

Page 20: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Using ESAPI (3 of 3)

Getting involved
• Many other language implementations, all playing catch up
• ESAPI for Java version needs help with user documentation
• ESAPI 2.1 (Java) starting soon
• ESAPI Swingset and Swingset Interactive → Port to use ESAPI 2.0

Page 21: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Enterprise Security API

[Diagram] Custom Enterprise Web Application → Enterprise Security API → Existing Enterprise Security Services/Libraries

ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

Page 22: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Potential Enterprise ESAPI Cost Savings

Page 23: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Basic ESAPI Approach – Examples

In Java:

import org.owasp.esapi.ESAPI;

String input = request.getParameter("input");
// Throws ValidationException or IntrusionException if there is a problem
String cleaned = ESAPI.validator().getValidInput(
        "Secure input example", // context used in log messages
        input,
        "SafeString",           // regex spec (Validator.SafeString in ESAPI.properties)
        200,                    // max length
        false,                  // no nulls
        true);                  // canonicalize before validating
String safeHTML = ESAPI.encoder().encodeForHTML(cleaned);

Page 24: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

In PHP:

$cleanTmp = array();    // local in scope
$cleanParams = array(); // local in scope
$cleanTmp['username'] = ESAPI::getValidator()->getValidInput(
    "Secure input example",
    $input,
    "SafeString",
    200, false, true);
$cleanParams['username'] = ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);

Basic ESAPI Approach – Examples

Page 25: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

OWASP ESAPI Project Scorecard – Feature Set vs. Programming Language

Authentication 2.0 1.4 1.4 1.4 2.0 planned

Identity 2.0 1.4 1.4 1.4 2.0 planned

Access Control 2.0 1.4 1.4 1.4 1.4 2.0 planned

Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0

Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 2.0

Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 ???

Encryption 2.0 1.4 1.4 1.4 1.4 2.0

Random Numbers 2.0 1.4 1.4 1.4 1.4 2.0

Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0

Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0

Intrusion Detection 2.0 1.4 1.4 1.4

Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 TBD

WAF 2.0

Page 26: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Source Code and Javadoc Online Now!

http://code.google.com/p/owasp-esapi-java

Page 27: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]


AppSensor

Project Leader(s): Michael Coates, John Melton, Colin Watson

Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.

Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)

https://www.owasp.org/index.php/AppSensor

Create attack aware applications

Page 28: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Page 29: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Page 30: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Detecting Attacks the Right Way

• Detect INSIDE the Application
• Automatic Detection
• Comprehensive
• Minimize False Positives
• Understand Business Logic
• Immediate Response
• No Manual Efforts Required

Page 31: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Page 32: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Detection Points

Implementing AppSensor

[Diagram] Application → Log Server → AppSensor Brain → Response Listener
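Those four boxes, as an added example that is not the AppSensor project's code: a small Python "brain" that counts detection-point hits per user inside a sliding time window and returns an automated response once a threshold is crossed. AppSensor's own catalogue identifies detection points with short IDs; the point names, thresholds, responses and the event stream below are constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed policy: detection point -> hits allowed per interval (seconds) and the
# response to take. Real deployments tune these per application and business logic.
POLICY = {
    "FAILED_LOGIN":        {"threshold": 3, "interval": 60, "response": "logout"},
    "WHITELIST_VIOLATION": {"threshold": 2, "interval": 60, "response": "disable"},
}


class AppSensor:
    """In-application brain: events come from the application's own validation and
    authentication code, so each one already carries business meaning."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.events = defaultdict(deque)   # (user, detection point) -> hit timestamps
        self.disabled = set()              # users locked by a 'disable' response
        self.log = []                      # lines the Log Server would receive

    def add_event(self, user, point, now):
        """Record one detection-point hit at time `now` (seconds) and return the response."""
        rule = self.policy[point]
        window = self.events[(user, point)]
        window.append(now)
        # Drop hits older than the interval: a sliding window, not a lifetime counter.
        while now - window[0] > rule["interval"]:
            window.popleft()
        self.log.append("t=%d user=%s point=%s count=%d" % (now, user, point, len(window)))
        if len(window) >= rule["threshold"]:
            window.clear()                 # start a fresh window after responding
            return self.respond(user, rule["response"], now)
        return "log"

    def respond(self, user, action, now):
        """The Response Listener: act immediately, without a human in the loop."""
        if action == "disable":
            self.disabled.add(user)
        self.log.append("t=%d RESPONSE user=%s action=%s" % (now, user, action))
        return action

    def is_disabled(self, user):
        return user in self.disabled


# Constructed event stream: (seconds since start, user, detection point)
EVENTS = [
    (0,   "bob",   "FAILED_LOGIN"),
    (10,  "bob",   "FAILED_LOGIN"),
    (20,  "alice", "WHITELIST_VIOLATION"),
    (30,  "bob",   "FAILED_LOGIN"),        # third failure inside 60 s -> logout
    (40,  "alice", "WHITELIST_VIOLATION"), # second violation inside 60 s -> disable
    (100, "bob",   "FAILED_LOGIN"),        # earlier hits have aged out -> just log
]


def simulate(events=EVENTS):
    """Feed the stream through one sensor; returns (responses, sensor)."""
    sensor = AppSensor()
    responses = [sensor.add_event(user, point, t) for t, user, point in events]
    return responses, sensor


if __name__ == "__main__":
    responses, sensor = simulate()
    print(responses)            # ['log', 'log', 'log', 'logout', 'disable', 'log']
    print("\n".join(sensor.log))
```

Two design points worth noting: the window is per user and per detection point, so one noisy user cannot push another over a threshold, and the window resets after a response so a single burst triggers one action rather than one per additional hit. Threshold and interval are where the "minimize false positives" goal on the previous slide is tuned.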

Page 33: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Page 35: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Take aways

• Open source solutions
• Low cost and low effort
• Think outside the box for development teams
• Techniques used in the industry
• OWASP Google Summer of Code 2013: https://www.owasp.org/index.php/GSoC

Page 36: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Q & A

Page 37: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Backup

Page 38: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

About OWASP

• Online since December 1st 2001
• Not-for-profit charitable organization
• OPEN: Everything at OWASP is radically transparent, from our finances to our code.
• INNOVATION: OWASP encourages and supports innovation/experiments for solutions to software security challenges.
• GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
• INTEGRITY: OWASP is an honest and truthful, vendor agnostic, global community.
• https://www.owasp.org/index.php

Page 39: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

OWASP Success Story


Page 41: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Application Developers

• New attacks / defense guidelines
• Cheat Sheets
• WebGoat – emulator designed to teach web application security lessons

Page 42: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Application Testers and Quality Assurance

• Testing guide
• Penetration testing tools
• Application Security Verification Standard Project

Page 43: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

OWASP ZAP Proxy/ WebScarab / CSRF Tester

Page 44: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

OWASP Testing Framework

4. Web Application Penetration Testing
• 4.2 Information Gathering
• 4.3 Configuration Management Testing
• 4.4 Business Logic Testing
• 4.5 Authentication Testing
• 4.6 Authorization Testing
• 4.7 Session Management Testing
• 4.8 Data Validation Testing
• 4.9 Testing for Denial of Service
• 4.10 Web Services Testing
• 4.11 Ajax Testing

http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

Page 45: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Application Project Management and Staff

• Define the process
• SDLC
• Code Review

Code review tools:
http://codecrawler.codeplex.com/Release/ProjectReleases.aspx
http://orizon.sourceforge.net

Page 46: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Download

Get OWASP Books

Page 47: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Business advantages of being associated with OWASP

• The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that application security is important and that the organization is taking the necessary steps to properly address application security risk in its business

• The organization itself gets security benefits at reduced cost
  – Security code review tools are free
  – Lots of open & free security testing tools
  – Security guidelines & best practices

• Opportunity to display the organization's logo at OWASP events, conferences, and on the website

• The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on OWASP mailing lists and the LinkedIn group
  – If you are looking to expand your business in an emerging market, here is an opportunity to reach out

• When an organization becomes a supporter of a security community it helps employees, partners, suppliers and customers understand the value & importance of security, and improves application security throughout the whole supply chain

• Membership options: https://www.owasp.org/index.php/Membership

Page 48: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Subscribe to the mailing list: https://www.owasp.org/index.php/Guadalajara

Chapter Leaders: Eduardo Cerna, Manuel Lopez

Join Us !

Page 49: Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

App Sensor Design

[Diagram] Demo App with embedded AppSensor → App Logs → AppSensor “Brain” → Response back into the Demo App