Top 10 Web Security Controls March 2012 Top
Top 10 Web Security Controls March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 1
Jim Manico @manicode 4 VP Security Architecture, White. Hat Security 415 years of web-based, database-driven software development and analysis experience 4 Over 7 years as a provider of secure developer training courses for SANS, Aspect Security and others 4 OWASP Connections Committee Chair § OWASP Podcast Series Producer/Host § OWASP Cheat-Sheet Series Manager March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 2
(1) Query Parameterization (PHP PDO) $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (: name, : value)"); $stmt->bind. Param(': name', $name); $stmt->bind. Param(': value', $value); March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 3
Query Parameterization (. NET) Sql. Connection obj. Connection = new Sql. Connection(_Connection. String); obj. Connection. Open(); Sql. Command obj. Command = new Sql. Command( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", obj. Connection); obj. Command. Parameters. Add("@Name", Name. Text. Box. Text); obj. Command. Parameters. Add("@Password", Password. Text. Box. Text); Sql. Data. Reader obj. Reader = obj. Command. Execute. Reader(); if (obj. Reader. Read()) {. . . March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 4
Query Parameterization (Java) double new. Salary = request. get. Parameter("new. Salary") ; int id = request. get. Parameter("id"); Prepared. Statement pstmt = con. prepare. Statement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ? "); pstmt. set. Double(1, new. Salary); pstmt. set. Int(2, id); Query safe. HQLQuery = session. create. Query("from Inventory where product. ID=: productid"); safe. HQLQuery. set. Parameter("productid", user. Supplied. Parameter); March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 5
Query Parameterization (Ruby) # Create Project. create!(: name => 'owasp') # Read Project. all(: conditions => "name = ? ", name) Project. all(: conditions => { : name => name }) Project. where("name = : name", : name => name) # Update project. update_attributes(: name => 'owasp') # Delete Project. delete(: name => 'name') March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 6
Query Parameterization (Cold Fusion) <cfquery name="get. First" data. Source="cfsnippets"> SELECT * FROM #str. Database. Prefix#_courses WHERE int. Course. ID = <cfqueryparam value=#int. Course. ID# CFSQLType="CF_SQL_INTEGER"> </cfquery> March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 7
Query Parameterization (PERL) my $sql = "INSERT INTO foo (bar, baz) VALUES ( ? , ? )"; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz ); March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 8
OWASP Query Parameterization Cheat Sheet March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 9
XSS: Why so Serious? 4 Session hijacking 4 Site defacement 4 Network scanning 4 Undermining CSRF defenses 4 Site redirection/phishing 4 Load of remotely hosted scripts 4 Data theft 4 Keystroke logging March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 10
Danger: Multiple Contexts Browsers have multiple contexts that must be considered! HTML Body HTML Attributes <STYLE> Context March 2012 Top Ten Controls v 4. 2 <SCRIPT> Context Jim Manico and Eoin Keary URL Context Page 11
XSS in HTML Attributes <input type="text" name="comments" value="UNTRUSTED DATA"> <input type="text" name="comments" value="hello" onmouseover="/*fire attack*/"> Attackers can add event handlers: on. Mouse. Over on. Load on. Un. Load etc… March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 12
XSS in Source Attribute User input often winds up in src attribute Tags such as <img src=""> <iframe src=""> Example Request: http: //example. com/view. Image? imagename=mymap. jpg Attackers can use javascript: /*attack*/ in src attributes March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 13
URL Parameter Escaping Escape all non alpha-num characters with the %HH format <a href="/search? data=UNTRUSTED DATA"> Be careful not to allow untrusted data to drive entire URL’s or URL fragments This encoding only protects you from XSS at the time of rendering the link Treat DATA as untrusted after submitted March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 14
XSS in the Style Tag Applications sometimes take user data and use it to generate presentation style URL parameter written within style tag Consider this example: http: //example. com/view. Document? background=white March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 15
CSS Pwnage Test Case <div style="width: <%=UNTRUSTED%>; "> Mouse over </div> UNTRUSTED = ESAPI. encoder(). encode. For. CSS("expression(alert(String. fr om. Char. Code (88, 88)))"); <div style="width: expression28 alert28 String2 e from. Char. Code20 28 882 c 8829 29 ; "> Mouse over </div> Pops in at least IE 6 and IE 7 lists. owasp. org/pipermail/owasp-esapi/2009 -February/000405. html March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 16
Javascript Context Escape all non alpha-num characters with the x. HH format <script>var x='UNTRUSTED DATA'; </script> You're now protected from XSS at the time data is assigned What happens to x after you assign it? March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 17
Best Practice: DOM Based XSS Defense < Untrusted data should only be treated as displayable text < Java. Script encode and delimit untrusted data as quoted strings < Use document. create. Element("…"), element. set. Attribute("…", "value"), element. append. Child(…), etc. to build dynamic interfaces < Avoid use of HTML rendering methods < If you do have to use the methods above remember to HTML and then Java. Script encode the untrusted data < Avoid passing untrusted data to eval(), set. Timeout() etc. < Don’t eval() JSON to convert it to native Java. Script objects. Instead use JSON. to. JSON() and JSON. parse() < Run untrusted scripts in a sandbox (ECMAScript canopy, HTML 5 frame sandbox, etc) March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 18
(2) XSS Defense by Data Type and Context Data Type Context Defense String HTML Body HTML Entity Encode String HTML Attribute Minimal Attribute Encoding String GET Parameter URL Encoding String Untrusted URL Validation, avoid javascript: URL’s, Attribute encoding, safe URL verification String CSS Strict structural validation, CSS Hex encoding, good design HTML Body HTML Validation (JSoup, Anti. Samy, HTML Sanitizer) Any DOM XSS Cheat sheet Untrusted Java. Script Any Sandboxing JSON Client parse time JSON. parse() or json 2. js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 19
OWASP Abridged XSS Prevention Cheat Sheet March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 20
Attacks on Access Control <Vertical Access Control Attacks § A standard user accessing administration functionality § "Privilege Escalation" <Horizontal Access Control attacks § Same role, but accessing another user's private data <Business Logic Access Control Attacks § Abuse of workflow March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 21
Best Practice: Code to the Permission if (AC. has. Access(ARTICLE_EDIT, NUM)) { //execute activity } <Code it once, never needs to change again <Implies policy is persisted in some way <Requires more design/work up front to get right March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 22
Best Practice: Use a Centralized Access Controller In Presentation Layer if (ACL. is. Authorized(VIEW_LOG_PANEL)) { <h 2>Here are the logs</h 2> <%=get. Logs(); %/> } In Controller try (ACL. assert. Authorized(DELETE_USER)) { delete. User(); } March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 23
(3) Access Control Positive Patterns <Code to the permission, not the role <Centralize access control logic <Design access control as a filter <Fail securely (deny-by-default) <Apply same core logic to presentation and serverside access control decisions <Server-side trusted data should drive access control <Provide privilege and user grouping for better management <Isolate administrative features and access March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 24
OWASP Access Control Cheat Sheet (beta, work in progress) March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 25
Anatomy of an CSRF Attack <Consider a consumer banking application that contains the following form <form action="https: //bank. com/Transfer. asp" method="POST" id="form 1"> <p>Account Num: <input type="text" name="acct" value="13243"/></p> <p>Transfer Amt: <input type="text" name="amount" value="1000" /></p> </form> <script>document. get. Element. By. Id(‘form 1’). submit(); </script> March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 26
(4) Cross Site Request Forgery Defenses <Cryptographic Tokens 4 Primary and most powerful defense. Randomness is your friend. <Request that cause side effects should use (and require) the POST method 4 Alone, this is not sufficient <Require users to re-authenticate 4 Amazon. com does this *really* well <Double-cookie submit 4 Decent defense, but no based on randomness, based on SOP March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 27
OWASP CSRF Cheat Sheet March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 28
Authentication Dangers <Weak password <Login Brute Force <Username Harvesting <Session Fixation <Weak or Predictable Session <Plaintext or poor password storage <Weak "Forgot Password" feature <Weak "Change Password" feature <Credential or session exposure in transit via network sniffing <Session Hijacking via XSS March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 29
(5) Authentication Defenses < 2 FA/MFA/Passwords as single factor are DEAD < Develop generic failed login messages that do not indicate whether the user-id or password was incorrect < Enforce account lockout after a pre-determined number of failed login attempts < Force re-authentication at critical application boundaries 4 edit email, edit profile, edit finance info, ship to new address, change password, etc. < Implement server-side enforcement of credential syntax and strength March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 30
OWASP Authentication Sheet Cheat Sheet March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 31
(6) Forgot Password Secure Design < Require identity and security questions 4 Last name, account number, email, DOB 4 Enforce lockout policy 4 Ask one or more good security questions § http: //www. goodsecurityquestions. com/ < Send the user a randomly generated token via out-of-band method 4 email, SMS or token < Verify code in same web session 4 Enforce lockout policy < Change password 4 Enforce password policy March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 32
OWASP Forgot Password Sheet Cheat Sheet March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 33
(7) Session Defenses < Ensure secure session ID’s 420+ bytes, cryptographically random 4 Stored in HTTP Cookies 4 Cookies: Secure, HTTP Only, limited path < Generate new session ID at login time 4 To avoid session fixation < Session Timeout 4 Idle Timeout 4 Absolute Timeout 4 Logout Functionality March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 34
OWASP Session Management Cheat Sheet March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 35
(8) Clickjacking Defense < Standard Option: X-FRAME-OPTIONS Header // to prevent all framing of this content response. add. Header( "X-FRAME-OPTIONS", "DENY" ); // to allow framing of this content only by this site response. add. Header( "X-FRAME-OPTIONS", "SAMEORIGIN" ); < Frame-breaking Script defense: <style id="anti. Clickjack">body{display: none}</style> <script type="text/javascript"> if (self == top) { var anti. Clickjack = document. get. Element. By. ID("anti. Clickjack"); anti. Clickjack. parent. Node. remove. Child(anti. Clickjack) } else { top. location = self. location; } </script> March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 36
OWASP Clickjacking Sheet Cheat Sheet Missing, care to help? March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 37
(9 a) Secure Password Storage public String hash(String plaintext, String salt, int iterations) throws Encryption. Exception { byte[] bytes = null; try { Message. Digest digest = Message. Digest. get. Instance(hash. Algorithm); digest. reset(); digest. update(ESAPI. security. Configuration(). get. Master. Salt()); digest. update(salt. get. Bytes(encoding)); digest. update(plaintext. get. Bytes(encoding)); // rehash a number of times to help strengthen weak passwords bytes = digest(); for (int i = 0; i < iterations; i++) { digest. reset(); bytes = digest(bytes); } String encoded = ESAPI. encoder(). encode. For. Base 64(bytes, false); return encoded; } catch (Exception ex) { throw new Encryption. Exception("Internal error", "Error"); }} March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 38
(9 b) Password Security Defenses < Disable Browser Autocomplete <form AUTOCOMPLETE="off"> 4 <input AUTOCOMPLETE="off"> 4 < Password and form fields Input type=password Additional password security Do not display passwords in HTML document 4 Only submit passwords over HTTPS 4 March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 39
OWASP Password Storage Sheet Cheat Sheet beta, work in progress March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 40
(10) Encryption in Transit (TLS) < Authentication credentials and session identifiers must me be encrypted in transit via HTTPS/SSL 4 Starting when the login form is rendered 4 Until logout is complete 4 All other sensitive data should be protected via HTTPS! < https: //www. ssllabs. com free online assessment of public facing server HTTPS configuration < https: //www. owasp. org/index. php/Transport_Layer_Protec tion_Cheat_Sheet for HTTPS best practices March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 41
OWASP Transport Layer Protection Cheat Sheet March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 42
Thank you! Questions? 4 jim. manico@whitehatsec. com 4 jim@owasp. org March 2012 Top Ten Controls v 4. 2 Jim Manico and Eoin Keary Page 43
- Slides: 43