Damon Cortesi of Alchemy Security presents the most effective ways to plug the most common holes found in web services. Learn about XSS, SQL injection, and why you should care about these things now instead of later.
Hacking and Compliance in a Web 2.0 World
Damon P. Cortesi, CISSP
Director @ Alchemy Security
Stats Nut | Security Geek | Builder of Tools

$ whoami
Connecticut >> Chicago >> Seattle (2006)
@dacort on Twitter (http://tweetstats.com)
Security Consultant, recently self-employed
Destroyer of Web Apps and Dual-Cores

$ cat ~/.plan
Web 2.0 Security
Things you still need to watch out for.
E-commerce Startups and Compliance
What is this PCI thing you speak of?
Privacy Policy and Data Breach Notification Laws.
And maybe if we're lucky...demo time.

Web 2.0 Frameworks
Rails, Django, CakePHP
Rapid Development, Data abstraction
Alleviates common security pain points
SQL Injection
Cross-Site Scripting (kind of ...)
Typical challenges still present

The "kind of" - XSS
As of Django 1.0 (Sep 2008), HTML is auto-escaped
YAYYYYYYYYYYYY!
Does Rails? ------------------------- No
Does Google App Engine? -------- No
Really? Yup, really. (No domain-wide cookies, phew!)
Does ASP.NET ---------------------- On built-in controls
Also has built-in request validation

Define Briefly
SQL Injection - Unsanitized data being passed to a database, potentially executing arbitrary code.
dpc' OR 'a'='a
xp_cmdshell
XSS - Unsanitized data being re-displayed and interpreted in the browser.
<script>alert(document.cookie);</script>

XSS - The Bad, The Ugly
XSS 101 - Executes user input in browser context
Typical test: "><script>alert('dcash')</script>
"site:appspot.com search" on Google
156,000 Results
First 30 results, at least 4 XSS-vulnerable apps
So...why is this bad?
"><script>alert('dcash')</script>

XSS Scenarios
Arbitrary JavaScript Execution
Page/HTML inserts, deletes
Browser control, exploit download
Cookie monsters

Fixing XSS
Primarily - HTML/URL Encoding, Proper Escaping
<%= h "<b>dacort</b>" %> outputs &lt;b&gt;dacort&lt;/b&gt;, which the browser displays as the literal text <b>dacort</b>
Validation && Sanitization - Regexes
Rails Routes
':controller/show/:id', :id => /\d+/, :action ...
ActiveRecord validates_format_of
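An added example, not from the slides: Ruby that does what the slide's `h` helper and route constraint do. Escaping uses the standard library's ERB::Util.html_escape (the function Rails' `h` wraps), and the id check uses a whole-string anchored regex; `valid_id?` and `render_comment` are assumed names, and the payload is the slide's own test string.

```ruby
require 'erb'

# Escape untrusted text for an HTML body context, as Rails' h / html_escape does.
# Every < > & " ' becomes an entity, so injected markup is displayed, not parsed.
def h(text)
  ERB::Util.html_escape(text)
end

# Whitelist validation for an id parameter. \A and \z anchor the whole string:
# a bare /\d+/ would accept "1<script>" because it merely contains a digit,
# and ^/$ would accept "12\n<script>" because they match at line boundaries.
ID_FORMAT = /\A\d+\z/

def valid_id?(param)
  param.is_a?(String) && param.match?(ID_FORMAT)
end

# Render a comment the safe way: the id is validated, the body is escaped.
def render_comment(id, body)
  raise ArgumentError, "id must be digits only" unless valid_id?(id)
  %(<div id="c#{id}">#{h(body)}</div>)
end

if __FILE__ == $PROGRAM_NAME
  # The slide's typical XSS test string, constructed here as sample input.
  payload = %q("><script>alert('dcash')</script>)
  puts render_comment("123", payload)
end
```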
More XSS Prevention
Secure Cookie Flag (GMail, again...)
https://site.com
(Inject link to image on http://site.com)
The browser sends the HTTPS session cookie with that plain-http image request if the "secure" flag is not set
HTTPOnly Cookie Flag
Can't be accessed using <script>
Use innerText, not innerHTML
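An added example, not from the slides: a small Ruby model of the two cookie flags above. `cookies_sent_for` mimics the browser rule that a Secure cookie is withheld from plain http:// requests (so the injected http://site.com image on the slide gets nothing), `script_readable` mimics what document.cookie exposes when HttpOnly is missing, and `set_cookie_header` emits the header that sets both flags; all three names are assumptions.

```ruby
require 'uri'

# Minimal cookie record; secure/httponly mirror the Set-Cookie attributes.
Cookie = Struct.new(:name, :value, :secure, :httponly, keyword_init: true)

# Cookies a browser attaches to a request for url. Secure cookies are only
# sent over https, so an injected <img src="http://site.com/..."> cannot make
# the browser leak the HTTPS session cookie in the clear.
def cookies_sent_for(jar, url)
  https = URI(url).scheme == "https"
  jar.select { |c| https || !c.secure }
end

# What injected <script> can read via document.cookie: everything that is
# not marked HttpOnly.
def script_readable(jar)
  jar.reject(&:httponly)
end

# The Set-Cookie header value that applies the flags from the slide.
def set_cookie_header(cookie, path: "/")
  attrs = ["#{cookie.name}=#{cookie.value}", "Path=#{path}"]
  attrs << "Secure" if cookie.secure
  attrs << "HttpOnly" if cookie.httponly
  attrs.join("; ")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the same session cookie with and without the flags.
  weak   = Cookie.new(name: "SID", value: "a1b2", secure: false, httponly: false)
  strong = Cookie.new(name: "SID", value: "a1b2", secure: true,  httponly: true)
  puts "leaked over http: #{cookies_sent_for([weak], 'http://site.com/x.png').map(&:name)}"
  puts "leaked over http: #{cookies_sent_for([strong], 'http://site.com/x.png').map(&:name)}"
  puts set_cookie_header(strong)
end
```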
Cross-Site Request Forgery
Browsing circa 1998
One window. One site.
Browsing circa 2008
CSRF++
Daily browsing - authenticated to many sites at once
GET style attacks
<img src="http://x.com/message/123/delete"/>
Cookies sent with this request
POST style attacks
Generally combined with JavaScript
Due to lack of form tokens
GMail Hack (There's a new one!!)

CSRF GET
<img src="http://x.com/message/123/delete"/>
<img src="http://x.com/message/124/delete"/>
<img src="http://x.com/message/125/delete"/>
<img src="http://x.com/message/126/delete"/>
<img src="http://x.com/message/.../delete"/>
No tokens? Logged in? Valid message?
"Pwned"
POST requests not the solution

CSRF POST
GMail Analysis
GMail Create Filter (GET URL)
"at" variable == "GMAIL_AT" cookie value
Using CSRF (or XSS?) on malicious page
Steal GMAIL_AT, submit GET request above
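An added example, not from the slides, covering both the CSRF GET and CSRF POST slides: a synchronizer-token guard in Ruby. The per-session token is kept in the server-side session rather than only in a cookie, so a request is accepted only when the submitted token matches what the server issued; state-changing handlers such as the delete URL above refuse GET outright, and the comparison is constant-time. `CsrfGuard`, `secure_compare` and the in-memory session hash are assumptions standing in for a real session store.

```ruby
require 'securerandom'

# Constant-time comparison so a token check does not leak how many leading
# bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Synchronizer-token CSRF guard. The browser will send cookies with any
# request a third-party page triggers, so the cookie alone proves nothing;
# the form token must come from the page the server rendered for this session.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize
    @sessions = {} # session_id => token (stand-in for a real session store)
  end

  # Token to embed in every form the server renders for this session.
  def token_for(session_id)
    @sessions[session_id] ||= SecureRandom.hex(32)
  end

  # Decide whether a request may run. Returns :ok, :method_not_allowed
  # (an <img src="...delete"> style GET on a state-changing handler) or
  # :bad_token (POST without the session's token, or with a forged one).
  def check(session_id:, method:, submitted_token:, state_changing: true)
    return :ok unless state_changing
    return :method_not_allowed if SAFE_METHODS.include?(method)
    expected = @sessions[session_id]
    return :bad_token if expected.nil? || submitted_token.nil?
    secure_compare(expected, submitted_token) ? :ok : :bad_token
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = CsrfGuard.new
  token = guard.token_for("sess-1")
  puts guard.check(session_id: "sess-1", method: "GET", submitted_token: nil)
  puts guard.check(session_id: "sess-1", method: "POST", submitted_token: token)
end
```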
Third-Party Components
You installed what??
Drupal Plugins
Wordpress Plugins
Themes, too!
ASP.NET Components
Is that code secure?
Does it execute commands?
Does it utilize network?
Funky encoding...

What to Look For?
Find input vectors
Request.[Cookies|Form|QueryString]
$_GET, $_POST, $_REQUEST (<-- careful)
params[:id]
Make sure output is protected
Encoding to browser, Escaping to database, etc

Poor Design = Poor Security
Example Startup FreeMail (names changed ... )
RSS feed for your Inbox
Google does it, why can't we?
No authentication
No SSL
No security

Flash Security
Flash - Fantastic base on which to build dynamic sites
crossdomain.xml - Allows Flash to access data on different domains
BAD: <allow-access-from domain="*"/>
Can ultimately allow for compromise of user data (cookies) if trusted domain is vulnerable to XSS, etc
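An added example, not from the slides: a Ruby audit of a crossdomain.xml policy using the standard library's REXML. It flags the slide's bare `domain="*"`, and goes a step further than the slide by also flagging `*.` subdomain wildcards (one XSS-vulnerable subdomain is then enough) and `secure="false"` (which lets http:// callers use an https:// policy). Both sample policies are constructed here, and `crossdomain_findings` is an assumed name.

```ruby
require 'rexml/document'

# Audit every allow-access-from entry in a crossdomain.xml policy and
# return a list of human-readable findings (empty means nothing flagged).
def crossdomain_findings(xml)
  doc = REXML::Document.new(xml)
  findings = []
  doc.elements.each("cross-domain-policy/allow-access-from") do |el|
    domain = el.attributes["domain"].to_s
    # "*" lets any site's Flash content read responses sent with the user's cookies.
    findings << %(domain="*" grants every site access) if domain == "*"
    # A subdomain wildcard trusts every host under it, including the XSS-prone ones.
    findings << "wildcard #{domain} trusts every subdomain" if domain.start_with?("*.")
    # secure="false" lets plain-http callers use a policy served over https.
    findings << %(secure="false" on #{domain}) if el.attributes["secure"] == "false"
  end
  findings
end

# Constructed sample policies (not from the original slides).
BAD_POLICY = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="*"/>
  </cross-domain-policy>
XML

BETTER_POLICY = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="app.example.com" secure="true"/>
  </cross-domain-policy>
XML

if __FILE__ == $PROGRAM_NAME
  puts "bad:    #{crossdomain_findings(BAD_POLICY).inspect}"
  puts "better: #{crossdomain_findings(BETTER_POLICY).inspect}"
end
```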
Some Other Things...
Keeping systems/software up-to-date
Rails < 2.1.1? -- SQL Injection bug
JumpBox (Server Provisioning) uses Rails 2.1.0
Curious - How do you manage security updates?

Infrastructure Security
Do _you_ know your external network presence?
Have all _your_ default passwords been changed?

And a few more...
Multiple layers of restriction
Have a phpMyAdmin Internet-accessible?
Do you ...
Restrict access by IP address?
Rename the default location?
Have authentication enabled?
Process. Process. Process.

One last thing ...
Not always some über-technical buffer overflow sploit...
Access database on unprotected share
demo/demo password
Email on confirmation page
Are people thinking securely?

Password Security
250 passwords later...
5 Minutes Later

Switching Gears
Compliance
We <3 Our Data
Some of that data is restricted, though!
Personally Identifiable Information (PII)
Data Breach Notification Laws
Payment Card Industry (Credit Cards, PCI)

So you're building a web service...
...what do you need to know?
Planning and Process
44 states have data breach notification laws
Name, address, email
Social Security Number
Passport ID, License Number
If you are compromised and the above data is unencrypted, you must notify the data owners.

Data Breach/Privacy Policy
Data Breach Laws are why services such as Twitter and Evernote have this in their Privacy Policy.
"If Evernote learns of a security system breach we may attempt to notify you and provide information on protective steps, if available, through the e-mail address that you supplied during registration or posting a notice on our web site. Depending on where you live, you may have a legal right to receive such notices in writing." -- http://evernote.com/about/privacy/
"We will make any legally-required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored personal data to you via email or conspicuous posting on this Site in the most expedient time possible and without unreasonable delay." -- http://twitter.com/privacy

PCI
PCI only applies to you if you "store, process, or transmit cardholder data."
Want the PCI compliance monkey off your back?
"It's simple, just don't ever store, process, or transmit cardholder data - let someone else do it for you."
And if you must store, process, or transmit ... call us.

PCI If You Have To
Cardholder data is defined as the primary account number ("PAN," or credit card number) and other data obtained as part of a payment transaction, including the following data elements:
PAN
Cardholder Name
Expiration Date
Service Code
Sensitive Authentication Data: (1) full magnetic stripe data, (2) CAV2/CVC2/CVV2/CID, and (3) PINs/PIN blocks