Hack Proof Your Webapps

Transcription

1 Hack Proof Your Webapps

2 About ERM

3 About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University Bachelors and Masters of Science Massachusetts Institute of Technology

4 Overview General Security review Hacking statistics Security as a layered process Web programming layer Web vulnerability review Cross-site scripting SQL Injection Other vulnerabilities Security strategies Rules for deployment Writing code for unknown risks Mitigation strategies Questions

5 Statistics

6 Security as a layered process Network Server-Network Web application SSL (https) Session Privacy Input Validation Data Protection Server-base

7 Common types of attacks Cenzic Vulnerability Trend Report, March 2013

8 Cross-Site Scripting (XSS) Code injection via improper escaping (mixing code and content): + <script>...</script> COMPROMISED

9 SQL Injection Improper escaping of user input leads to DB manipulation

10 Cross-Site Request Forgery (CSRF) Exploit active user sessions to launch blind attack Victim 1 Authenticated session Legitimate site 2 Send malicious link 3 Follow link Background request 4 Malicious site triggers action on legitimate site without consent Attacker Malicious site

11 Session hijacking (information leakage) User's information stored in server in session Session ID is transmitted to user as a Cookie Server Impersonation Session ID acts as a key to the information stored in server about user Session ID Man-in-the-middle (MITM) can usurp user by supplying stolen Session ID Attacker Malicious user can piggy-back on unattended workstation Client

12 Rules for secure web development 1. Never trust user input 2. Never mix code and content 3. Never, ever trust user input

13 Validating user input Javascript is not a proper validation tool Useful to assist the user Should not be a requirement Validate against whitelist of possible values Sanitation is not necessary if proper validation in place Proper error handling is vital to user interaction SQL Injection Denial of Service Code Execution Information disclosure

14 Separate code and content SQL Injection Cross-Site Scripting Content is the syntactical language for the exchange, such as HTML, JSON, XML, etc. Code is the language of the embedded technology: SQL Javascript Use libraries or frameworks to assemble SQL queries and HTML pages.

15 SSL and secure cookies prevent MITM Session information can only be truly protected with SSL Use strong encryption (AES 256) Enforce redirection from port 80 to SSL Use secure cookies to avoid accidental sharing over non-ssl Use HttpOnly flag for cookies to avoid being read by browser scripts Authentication Information disclosure Man-In- The-Middle Session hijacking

16 Mitigation through organization Cross-Site Request Forgery Information disclosure Unknown bugs Use HTTP methods correctly GET requests should not have side effects Use POST (even in AJAX) for any request with a side effect Clean web-accessible directory Maintain library files outside of the web root to avoid disclosure Deploy development and staging environments Use consistent coding practices

17 CSRF Techniques Use HTTP POST for any action with side effects Check the Referer HTTP header against whitelist of allowed clients Use nonce tokens to validate each request

18 Your go to advisors for all matters in information security. 800 S Douglas Road #940 Coral Gables, FL Phone: info@emrisk.com