Presentation on theme: "The OWASP Foundation Why hackers don’t care about your firewall Seba Deleersnyder"— Presentation transcript:
The OWASP Foundation http://www.owasp.org Why hackers don’t care about your firewall Seba Deleersnyder email@example.com
Sebastien Deleersnyder? 5 years developer experience 11 years information security experience Managing Technical Consultant SAIT Zenitel Belgian OWASP chapter founder OWASP board member www.owasp.org Co-organizer www.BruCON.orgwww.BruCON.org
OWASP World OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks. OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
|4|4 Myth We are secure because we have a firewall 75% of Internet Vulnerabilities are at Web Application Layer * *Gartner Group (2002 report)
Your security “perimeter” has huge holes at the application layer |9|9 Firewall Hardened OS Web Server App Server Firewall Databases Legacy Systems Web Services Directories Human Resrcs Billing Custom Developed Application Code APPLICATION ATTACK You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks Network Layer Application Layer
A1 – Injection Tricking an application into including unintended commands in the data sent to an interpreter Injection means… Take strings and interpret them as commands SQL, OS Shell, LDAP, XPath, Hibernate, etc… Interpreters… Many applications still susceptible (really don’t know why) Even though it’s usually very simple to avoid SQL injection is still quite common Usually severe. Entire database can usually be read or modified May also allow full database schema, or account access, or even OS level access Typical Impact
example : SQL-injection attack Select user_information from user_table where username=’input username’ and password=’input password’ Select user_information from user_table where username=’’ or 1=1 -– ‘ and password=’abc’
RockYou? December 2009 a hacker used SQL Injection techniques to hack the database of RockYou RockYou creates applications for MySpace, Facebook,... Result data of 32.603.388 users and administrative accounts was compromised (credentials + clear text passwords) the data also contained email-addresses and passwords for 3rd party sites Question: how many of those users use the same password for other sites too?
XSSED.ORG 16 Still not fixed (with redirection): http://www.google.com/search?btnI&q=allinurl:http://www.xssed.com/
A3 – Broken Authentication and Session Management Means credentials have to go with every request Should use SSL for everything requiring authentication HTTP is a “stateless” protocol SESSION ID used to track state since HTTP doesn’t and it is just as good as credentials to an attacker SESSION ID is typically exposed on the network, in browser, in logs, … Session management flaws Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Beware the side-doors User accounts compromised or user sessions hijacked Typical Impact
A4 – Insecure Direct Object References This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access How do you protect access to your data? Only listing the ‘authorized’ objects for the current user, or Hiding the object references in hidden fields … and then not enforcing these restrictions on the server side This is called presentation layer access control, and doesn’t work Attacker simply tampers with parameter value A common mistake … Users are able to access unauthorized files or data Typical Impact
Insecure Direct Object References Illustrated Attacker notices his acct parameter is 6065 ?acct=6065 He modifies it to a nearby number ?acct=6066 Attacker views the victim’s account information https://www.onlinebank.com/user?acct=6065
A5 – Cross Site Request Forgery (CSRF) An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Cross Site Request Forgery What if a hacker could steer your mouse and get you to click on links in your online banking application? What could they make you do? Imagine… Initiate transactions (transfer funds, logout user, close account) Access sensitive data Change account details Typical Impact
A6 – Security Misconfiguration All through the network and platform Don’t forget the development environment Web applications rely on a secure foundation Think of all the places your source code goes Security should not require secret source code Is your source code a secret? All credentials should change in production Configuration Management must extend to all parts of the application Install backdoor through missing network or server patch XSS flaw exploits due to missing application framework patches Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration Typical Impact
Hardened OS Web Server App Server Framework Security Misconfiguration Illustrated App Configuration Custom Code Accounts Finance AdministrationTransactions Communication Knowledge Mgmt E-Commerce Bus. Functions Test Servers QA Servers Source Control Development Datab ase Insider
Serving up malware 28 A quick Google Safe Browsing search of TechCrunch Europe's site shows suspicious activity twice over the last 90 days.Google Safe Browsing search "Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent.” (sep 2010) Reason: unpatched WordPress
A7 – Failure to Restrict URL Access This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References How do you protect access to URLs (pages)? Displaying only authorized links and menu choices This is called presentation layer access control, and doesn’t work Attacker simply forges direct access to ‘unauthorized’ pages A common mistake … Attackers invoke functions and services they’re not authorized for Access other user’s accounts and data Perform privileged actions Typical Impact
Failure to Restrict URL Access Illustrated Attacker notices the URL indicates his role /user/getAccounts He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts Attacker views more accounts than just their own
A8 – Insecure Cryptographic Storage Failure to identify all sensitive data Failure to identify all the places that this sensitive data gets stored Databases, files, directories, log files, backups, etc. Failure to properly protect this data in every location Storing sensitive data insecurely Attackers access or modify confidential or private information e.g, credit cards, health care records, financial data (yours or your customers) Attackers extract secrets to use in additional attacks Company embarrassment, customer dissatisfaction, and loss of trust Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance Business gets sued and/or fined Typical Impact
Encrypt customer data? customer data, 77 Million compromised. (potentially CCs as well) 32
A9 – Insufficient Transport Layer Protection Failure to identify all sensitive data Failure to identify all the places that this sensitive data is sent On the web, to backend databases, to business partners, internal communications Failure to properly protect this data in every location Transmitting sensitive data insecurely Attackers access or modify confidential or private information e.g, credit cards, health care records, financial data (yours or your customers) Attackers extract secrets to use in additional attacks Company embarrassment, customer dissatisfaction, and loss of trust Expense of cleaning up the incident Business gets sued and/or fined Typical Impact
A10 – Unvalidated Redirects and Forwards And frequently include user supplied parameters in the destination URL If they aren’t validated, attacker can send victim to a site of their choice Web application redirects are very common They internally send the request to a new page in the same application Sometimes parameters define the target page If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks Forwards ( aka Transfer in.NET ) are common too Redirect victim to phishing or malware site Attacker’s request is forwarded past security checks, allowing unauthorized function or data access Typical Impact
Jobs by CNN? http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW 36
SAMM Security Practices The Security Practices cover all areas relevant to software security assurance Each one is a ‘silo’ for improvement
Build “Your” Roadmap Gap analysis: Capturing scores from detailed assessments versus expected performance levels Demonstrating improvement Capturing scores from before and after an iteration of assurance program build-out Ongoing measurement To make the “building blocks” usable, SAMM defines Roadmaps templates for typical kinds of organizations
Upcoming local events OWASP Chapter meetings: 23-May - Brussels: The Ghost of XSS Past, Present and Future – A Defensive Tale (by Jim Manico, Infrared Security) 16-Jun - Brussels: The OWASP AppSensor Project (by Colin Watson, Watson Hall Ltd) How to become Twitter's admin: An introduction to Modern Web Service Attacks (by Andreas Falkenberg, RUB) OWASP AppSec Europe – Dublin – Jun 7-9 BruCON – Brussels – Sep 19-22 OWASP BeNeLux – Luxembourg Nov-30/Dec-1 46
47 Subscribe mailing list www.owasp.be Keep up to date!
48 Want to support OWASP? Become member, annual donation of: $50 Individual $5000 Corporate enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global steering activities…projectsmailing listsconferencespodcastsgrantsglobal steering activities
Your consent to our cookies if you continue to use this website.