StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 World

Post on 10-May-2015


description

Damon Cortesi of Alchemy Security presents the most effective ways to plug the most common holes found in web services. Learn about XSS, SQL injection, and why you should care about these things now instead of later.

transcript

Hacking and Compliance in a Web 2.0 World

Damon P. Cortesi, CISSP

Director @ Alchemy Security

Stats Nut | Security Geek | Builder of Tools

$ whoami

Connecticut >> Chicago >> Seattle (2006)

@dacort on Twitter (http://tweetstats.com)

Security Consultant, recently self-employed

Destroyer of Web Apps and Dual-Cores

$ cat ~/.plan

Web 2.0 Security

Things you still need to watch out for.

E-commerce Startups and Compliance

What is this PCI thing you speak of?

Privacy Policy and Data Breach Notification Laws.

And maybe if we're lucky...demo time.

Web 2.0 Frameworks

Rails, Django, CakePHP

Rapid Development, Data abstraction

Alleviates common security pain points

SQL Injection

Cross-Site Scripting (kind of ...)

Typical challenges still present

The "kind of" - XSS

As of Django 1.0 (Sep 2008), HTML is auto-escaped

YAYYYYYYYYYYYY!

Does Rails? ------------------------- No

Does Google App Engine? -------- No

Really? Yup, really. (No domain-wide cookies, phew!)

Does ASP.NET ---------------------- On built-in controls

Also has built-in request validation

Define Briefly

SQL Injection - Unsanitized data being passed to a database, potentially executing arbitrary SQL (and, through features like xp_cmdshell, OS commands).

dpc' OR 'a'='a

xp_cmdshell

XSS - Unsanitized data being re-displayed and interpreted in the browser.

<script>alert(document.cookie);</script>
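The payload on the slide, worked through as an added example in Ruby (the talk's own framework of choice is Rails; this is not code from the talk): a string-interpolated query beside a properly quoted literal, plus a small check that reports which SQL keywords end up outside string literals, so you can see the input become code. Table and column names are invented. Real code should pass values as bound parameters (the ["name = ?", name] form in ActiveRecord) and let the driver quote; quote_literal is here only to show what "escaping to the database" has to achieve.

```ruby
# Added example (not from the talk). Table and column names are invented.

# Vulnerable: the user-supplied value is pasted into the SQL text, so a
# quote in the value ends the literal and the rest is parsed as SQL.
def naive_query(username)
  "SELECT * FROM users WHERE name = '#{username}'"
end

# Quote the value as a SQL string literal: double every single quote.
# A real application should bind the value as a parameter instead and let
# the driver do this; the function exists to show what the driver must do.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def quoted_query(username)
  "SELECT * FROM users WHERE name = #{quote_literal(username)}"
end

SQL_KEYWORDS = /\b(?:SELECT|FROM|WHERE|AND|OR|UNION)\b/i

# SQL keywords that sit outside any single-quoted literal. Input that only
# ever lands inside a literal cannot add keywords to this list.
def keywords_outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "").scan(SQL_KEYWORDS).map(&:upcase)
end

# True when feeding `input` to the query builder changes the query's
# structure compared with a harmless value: the input became code.
def injectable?(input, &builder)
  keywords_outside_literals(builder.call("dpc")) !=
    keywords_outside_literals(builder.call(input))
end

PAYLOAD = "dpc' OR 'a'='a"

if __FILE__ == $0
  puts naive_query(PAYLOAD)    # ... WHERE name = 'dpc' OR 'a'='a'      -> matches every row
  puts quoted_query(PAYLOAD)   # ... WHERE name = 'dpc'' OR ''a''=''a'  -> one harmless literal
  puts injectable?(PAYLOAD) { |v| naive_query(v) }   # true
  puts injectable?(PAYLOAD) { |v| quoted_query(v) }  # false
end
```

The keyword check is a diagnostic for a test suite, not a defence: the fix is parameterized queries, and the check merely makes the difference between "data" and "code" visible for a given builder.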

XSS - The Bad, The Ugly

XSS 101 - Executes user input in browser context

Typical test: "><script>alert('dcash')</script>

"site:appspot.com search" on Google

156,000 Results

First 30 results, at least 4 XSS-vulnerable apps

So...why is this bad?

"><script>alert('dcash')</script>

XSS Scenarios

Arbitrary JavaScript Execution

Page/HTML inserts, deletes

Browser control, exploit download

Cookie monsters

Fixing XSS

Primarily - HTML/URL Encoding, Proper Escaping

<%= h "<b>dacort</b>" %>  ->  &lt;b&gt;dacort&lt;/b&gt;

Validation && Sanitization - Regexes

Rails Routes

':controller/show/:id', :id => /\d+/, :action ...

ActiveRecord validates_format_of
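The two layers on the slides, output encoding and regex validation, as an added Ruby example (not code from the talk). Rails' h helper is ERB::Util.html_escape, which is what render_comment calls; the markup, field names and the "digits only" rule are invented for the example. It also shows the anchor mistake that a Ruby validates_format_of regex can make: ^ and $ match at line boundaries, so /^\d+$/ accepts "123\n<script>", while \A and \z cover the whole string.

```ruby
require "erb"
require "cgi"

# Added example, not code from the talk. Markup and field names are invented.

# Vulnerable: user text is dropped into the page as-is.
def render_comment_unsafe(text)
  "<p class=\"comment\">#{text}</p>"
end

# Rails' h helper is ERB::Util.html_escape: it turns & < > " ' into entities,
# so the browser displays the text instead of parsing it as markup.
def render_comment(text)
  "<p class=\"comment\">#{ERB::Util.html_escape(text)}</p>"
end

# A value placed in a URL gets URL encoding, a different transformation.
# Its output contains no HTML metacharacters, so it is also safe inside
# the quoted href attribute.
def profile_link(user_id)
  "<a href=\"/users/show?id=#{CGI.escape(user_id.to_s)}\">profile</a>"
end

# Validation: "digits only" for an :id, as the route constraint /\d+/
# intends. In Ruby, ^ and $ match at LINE boundaries, so the first version
# accepts "123\n<script>"; \A and \z anchor to the whole string.
def numeric_id_sloppy?(value)
  !!(value =~ /^\d+$/)
end

def numeric_id?(value)
  !!(value =~ /\A\d+\z/)
end

if __FILE__ == $0
  evil = "<script>alert(document.cookie);</script>"
  puts render_comment_unsafe(evil)            # script tag reaches the browser intact
  puts render_comment("<b>dacort</b>")        # <p class="comment">&lt;b&gt;dacort&lt;/b&gt;</p>
  puts profile_link("1 <script>")             # ...?id=1+%3Cscript%3E...
  p numeric_id_sloppy?("123\n<script>")       # true  (the bug)
  p numeric_id?("123\n<script>")              # false
end
```

Encode for the context you are writing into: HTML body, HTML attribute and URL each need their own transformation, and validation narrows what gets in but does not replace encoding on the way out.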

More XSS Prevention

Secure Cookie Flag (GMail, again...)

https://site.com

(Inject link to image on http://site.com)

Without the "secure" flag, the browser sends the HTTPS session cookie along with that plain-HTTP image request

HttpOnly Cookie Flag

Can't be read from <script> (document.cookie)

Use innerText, not innerHTML
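The two cookie flags from the slides, as an added Ruby example (not code from the talk): one function emits a session cookie the way a login handler should, and a small parser plus audit reports what is missing from any Set-Cookie header. Cookie names and values are invented.

```ruby
# Added example, not code from the talk. Cookie names and values are invented.

# Parse one Set-Cookie header value into name, value and attributes.
# Attribute names are lower-cased; flags without a value map to true.
def parse_set_cookie(header)
  parts = header.split(";").map(&:strip)
  name, value = parts.shift.split("=", 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split("=", 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attrs }
end

# Findings an auditor would raise for a session cookie.
def cookie_findings(header)
  cookie = parse_set_cookie(header)
  attrs = cookie[:attrs]
  findings = []
  unless attrs["secure"]
    # Without Secure, one injected <img src="http://site.com/..."> makes the
    # browser send the cookie in clear text over the plain-HTTP request.
    findings << "#{cookie[:name]}: missing Secure, sent over plain http://"
  end
  unless attrs["httponly"]
    # Without HttpOnly, document.cookie hands it to any injected script.
    findings << "#{cookie[:name]}: missing HttpOnly, readable via document.cookie"
  end
  if attrs.key?("domain")
    # A Domain attribute shares the cookie with every host under it, so a
    # vulnerable sibling host can read it.
    findings << "#{cookie[:name]}: Domain=#{attrs["domain"]} shares it across hosts"
  end
  findings
end

# The header a login handler should emit.
def session_cookie(name, value, secure: true, http_only: true)
  header = "#{name}=#{value}; Path=/"
  header << "; Secure" if secure
  header << "; HttpOnly" if http_only
  header
end

if __FILE__ == $0
  p cookie_findings("session=abc123; Path=/")          # two findings
  p cookie_findings(session_cookie("session", "abc123"))  # []
end
```

HttpOnly limits what an XSS can steal, not whether it runs: injected script can still send requests as the user, which is why the slides pair it with output encoding rather than offering it as a substitute.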

Cross-Site Request Forgery

Browsing circa 1998

One window. One site.

Browsing circa 2008

CSRF++

Daily browsing - authenticated to many sites at once

GET style attacks

<img src="http://x.com/message/123/delete"/>

Cookies sent with this request

POST style attacks

Generally combined with JavaScript

Due to lack of form tokens

GMail Hack (There's a new one!!)

CSRF GET

<img src="http://x.com/message/123/delete"/>
<img src="http://x.com/message/124/delete"/>
<img src="http://x.com/message/125/delete"/>
<img src="http://x.com/message/126/delete"/>
<img src="http://x.com/message/.../delete"/>

No tokens? Logged in? Valid message?

"Pwned"

POST requests not the solution

CSRF POST

GMail Analysis

GMail Create Filter (GET URL)

"at" variable == "GMAIL_AT" cookie value

Using CSRF (or XSS?) on malicious page

Steal GMAIL_AT, submit GET request above
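The form token whose absence the slides blame for the GET and POST attacks, as an added Ruby example (not code from the talk and not GMail's mechanism): a per-session token, the hidden field that carries it, and a gate for state-changing actions that rejects both the <img> GET and a cross-site POST. The request and session hashes stand in for a framework's request and server-side session objects; all names are invented.

```ruby
require "securerandom"

# Added example, not code from the talk or from GMail. `request` and
# `session` are plain hashes standing in for framework objects.

# One random token per login session, created on first use.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Hidden field every state-changing form carries. An attacker's page can
# make the victim's browser submit a form with the victim's cookies, but it
# cannot read this value out of the victim's page.
def csrf_hidden_field(session)
  "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{csrf_token_for(session)}\"/>"
end

# Constant-time comparison: don't let response timing leak the token.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Gate for a state-changing action such as /message/123/delete.
# Returns [:allow, nil] or [:reject, reason].
def authorize_state_change(request, session)
  # <img src="http://x.com/message/123/delete"/> arrives as a GET with
  # cookies attached; refusing GET for state changes kills that vector.
  return [:reject, "state changes must be POST"] unless request[:method] == "POST"
  return [:reject, "not logged in"] unless session[:user_id]
  # A cross-site auto-submitted <form> is a POST with cookies but no token.
  submitted = request[:params]["authenticity_token"]
  return [:reject, "missing or wrong CSRF token"] unless secure_equal?(submitted, session[:csrf_token])
  [:allow, nil]
end

if __FILE__ == $0
  session = { user_id: 42 }
  token = csrf_token_for(session)
  p authorize_state_change({ method: "GET", params: {} }, session)                                  # [:reject, ...]
  p authorize_state_change({ method: "POST", params: {} }, session)                                 # [:reject, ...]
  p authorize_state_change({ method: "POST", params: { "authenticity_token" => token } }, session)  # [:allow, nil]
end
```

The GMail scheme on the slide compares a request parameter with a cookie value, a variant that works against pure CSRF because a foreign page cannot read the cookie. Neither variant survives an XSS on the same origin: injected script can read the cookie, or this hidden field, and submit it. CSRF tokens are a defence against cross-site requests, not against script running in your own pages.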

Third-Party Components

You installed what??

Drupal Plugins

Wordpress Plugins

Themes, too!

ASP.NET Components

Is that code secure?

Does it execute commands?

Does it utilize network?

Funky encoding...

What to Look For?

Find input vectors

Request.[Cookies|Form|QueryString]

$_GET, $_POST, $_REQUEST (<-- careful)

params[:id]

Make sure output is protected

Encoding to browser, Escaping to database, etc

Poor Design = Poor Security

Example Startup FreeMail (names changed ... )

RSS feed for your Inbox

Google does it, why can't we?

No authentication

No SSL

No security

Flash Security

Flash - Fantastic base on which to build dynamic sites

crossdomain.xml - Allows Flash to access data on different domains

BAD: <allow-access-from domain="*"/>

Can ultimately allow compromise of user data (cookies, page content): with "*" any site's Flash can read it, and even a specifically trusted domain is only as safe as that domain (vulnerable to XSS, etc.)
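An audit of a crossdomain.xml policy for the wildcard the slide calls BAD and for the other over-broad grants a reviewer looks for, as an added Ruby example using the standard library's REXML (not code from the talk). Both policy files are constructed samples and the host names are invented.

```ruby
require "rexml/document"

# Added example, not code from the talk. Both policies are constructed
# samples with invented host names.

PERMISSIVE_POLICY = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="*"/>
  </cross-domain-policy>
XML

RESTRICTIVE_POLICY = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="www.site.com" secure="true"/>
    <allow-access-from domain="static.site.com" secure="true"/>
  </cross-domain-policy>
XML

# Return a list of findings; an empty list means nothing obviously wrong.
def crossdomain_findings(xml)
  doc = REXML::Document.new(xml)
  findings = []
  doc.elements.each("cross-domain-policy/allow-access-from") do |el|
    domain = el.attributes["domain"].to_s
    if domain == "*"
      # Any SWF on any site can now fetch this host's pages with the
      # visiting user's cookies and read the responses.
      findings << "domain=\"*\": every site may read responses with the user's cookies"
    elsif domain.start_with?("*.")
      # Every subdomain is trusted, including ones that are vulnerable to
      # XSS or hosted by someone else.
      findings << "domain=\"#{domain}\": trusts every subdomain"
    end
    if el.attributes["secure"] == "false"
      # Lets SWFs loaded over plain http:// use this policy against an
      # https:// host, undoing the transport protection.
      findings << "domain=\"#{domain}\" secure=\"false\": honoured from plain-http SWFs"
    end
  end
  findings
end

if __FILE__ == $0
  p crossdomain_findings(PERMISSIVE_POLICY)   # one finding, the wildcard
  p crossdomain_findings(RESTRICTIVE_POLICY)  # []
end
```

Run it against the policy your web server actually serves at /crossdomain.xml, not the one in the repository: a stale copy left by a previous deployment or a CDN is the usual way the wildcard comes back.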

Some Other Things...

Keeping systems/software up-to-date

Rails < 2.1.1? -- SQL Injection bug

JumpBox (Server Provisioning) uses Rails 2.1.0

Curious - How do you manage security updates?

Infrastructure Security

Do _you_ know your external network presence?

Have all _your_ default passwords been changed?

And a few more...

Multiple layers of restriction

Have a phpMyAdmin Internet-accessible?

Do you ...

Restrict access by IP address?

Rename the default location?

Have authentication enabled?

Process. Process. Process.

One last thing ...

Not always some über-technical buffer overflow sploit...

Access database on unprotected share

demo/demo password

Email on confirmation page

Are people thinking securely?

Password Security

250 passwords later...

5 Minutes Later

Switching Gears

Compliance

We <3 Our Data

Some of that data is restricted, though!

Personally Identifiable Information (PII)

Data Breach Notification Laws

Payment Card Industry (Credit Cards, PCI)

So you're building a web service...

...what do you need to know?

Planning and Process

44 states have data breach notification laws

Name, address, email

Social Security Number

Passport ID, License Number

If you are compromised and the above data is unencrypted - you must notify the data owners.

Data Breach/Privacy Policy

Data Breach Laws are why services such as Twitter and Evernote have this in their Privacy Policy.

If Evernote learns of a security system breach we may attempt to notify you and provide information on protective steps, if available, through the e-mail address that you supplied during registration or posting a notice on our web site. Depending on where you live, you may have a legal right to receive such notices in writing. -- http://evernote.com/about/privacy/

We will make any legally-required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored personal data to you via email or conspicuous posting on this Site in the most expedient time possible and without unreasonable delay. -- http://twitter.com/privacy

PCI

PCI only applies to you if you "store, process, or transmit cardholder data."

Want the PCI compliance monkey off your back?

"It's simple, just don't ever store, process, or transmit cardholder data - let someone else do it for you."

And if you must store, process, or transmit ... call us.

PCI If You Have To

Cardholder data is defined as the primary account number ("PAN," or credit card number) and other data obtained as part of a payment transaction, including the following data elements:

PAN

Cardholder Name

Expiration Date

Service Code

Sensitive Authentication Data: (1) full magnetic stripe data, (2) CAV2/CVC2/CVV2/CID, and (3) PINs/PIN blocks

Thanks

DCortesi@AlchemySecurity.com

http://xkcd.com/327/