Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Page © 2012 WhiteHat Security, Inc. 1 Top 10 Defenses for Website Security Jim Manico VP of Security Architecture June 2012.

Published byKristian Dynes Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Page © 2012 WhiteHat Security, Inc. 1 Top 10 Defenses for Website Security Jim Manico VP of Security Architecture June 2012."— Presentation transcript:

1 1 Page © 2012 WhiteHat Security, Inc. 1 Top 10 Defenses for Website Security Jim Manico VP of Security Architecture Jim.Manico@whitehatsec.com June 2012

2 2 Page © 2012 WhiteHat Security, Inc. 2 Jim Manico VP Security Architecture, WhiteHat Security 15 years of web-based, database-driven software development and analysis experience Over 7 years as a provider of secure developer training courses for SANS, Aspect Security and others OWASP Connections Committee Chair OWASP Connections Committee Chair - - OWASP Podcast Series Producer/Host - OWASP Cheat-Sheet Series Manager

3 3 Page © 2012 WhiteHat Security, Inc. 3 Top 10 Website Attack Methods 1.Query Parameterization (PHP PDO) 2.XSS 3.Access Control Positive Patterns 4.Cross-Site Request Forgery Defenses 5.Authentication Defenses 6.Forgot Password Secure Design 7.Session Defenses 8.Clickjacking Defense 9. Secure Password Storage 9b. Password Defenses 10.Encryption in Transit (TLS)

4 4 Page © 2012 WhiteHat Security, Inc. 4 Query Parameterization (PHP PDO) $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); $stmt->bindParam(':name', $name); $stmt->bindParam(':value', $value); [1][1]

5 5 Page © 2012 WhiteHat Security, Inc. 5 Query Parameterization (.NET) SqlConnection objConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PasswordTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader(); if (objReader.Read()) {...

6 6 Page © 2012 WhiteHat Security, Inc. 6 Query Parameterization (Java) double newSalary = request.getParameter("newSalary") ; int id = request.getParameter("id"); PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?"); pstmt.setDouble(1, newSalary); pstmt.setInt(2, id); Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid"); safeHQLQuery.setParameter("productid", userSuppliedParameter);

7 7 Page © 2012 WhiteHat Security, Inc. 7 Query Parameterization (Ruby) # Create Project.create!(:name => 'owasp') # Read Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.where("name = :name", :name => name) # Update project.update_attributes(:name => 'owasp') # Delete Project.delete(:name => 'name')

8 8 Page © 2012 WhiteHat Security, Inc. 8 Query Parameterization (Cold Fusion) SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID =

9 9 Page © 2012 WhiteHat Security, Inc. 9 Query Parameterization (PERL) my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz );

10 10 Page © 2012 WhiteHat Security, Inc. 10 OWASP Query Parameterization Cheat Sheet

11 11 Page © 2012 WhiteHat Security, Inc. 11 2. XSS: Why So Serious? Session Hijacking Site Defacement Network Scanning Undermining CSRF Defenses Site Redirection/Phishing Load of Remotely Hosted Scripts Data Theft Keystroke Logging [2][2]

12 12 Page © 2012 WhiteHat Security, Inc. 12 XSS Defense by Data Type and Context Data TypeContextDefense StringHTML BodyHTML Entity Encode StringHTML AttributeMinimal Attribute Encoding StringGET ParameterURL Encoding StringUntrusted URLURL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification StringCSSStrict structural validation, CSS Hex encoding, good design HTMLHTML BodyHTML Validation (JSoup, AntiSamy, HTML Sanitizer) AnyDOMDOM XSS Cheat Sheet Untrusted JavaScriptAnySandboxing JSONClient Parse TimeJSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

13 13 Page © 2012 WhiteHat Security, Inc. 13 HTML Body Context UNTRUSTED DATA

14 14 Page © 2012 WhiteHat Security, Inc. 14 HTML Attribute Context

15 15 Page © 2012 WhiteHat Security, Inc. 15 HTTP GET Parameter Context clickme

16 16 Page © 2012 WhiteHat Security, Inc. 16 URL Context clickme

17 17 Page © 2012 WhiteHat Security, Inc. 17 CSS Value Context Selection

18 18 Page © 2012 WhiteHat Security, Inc. 18 JavaScript Variable Context var currentValue='UNTRUSTED DATA'; someFunction('UNTRUSTED DATA');

19 19 Page © 2012 WhiteHat Security, Inc. 19 JSON Parsing Context JSON.parse(UNTRUSTED JSON DATA)

20 20 Page © 2012 WhiteHat Security, Inc. 20 Dangerous jQuery “sinks”.after().prependTo().append().replaceAll().appendTo().replaceWith().before().unwrap().html().wrap().insertAfter().wrapAll().insertBefore().wrapInner().prepend() Properly escape before sending untrusted data to these methods!

21 21 Page © 2012 WhiteHat Security, Inc. 21 Contextual encoding is a crucial technique needed to stop all types of XSS jqencoder is a jQuery plugin that allows developers to do contextual encoding in JavaScript to stop DOM-based XSS  http://plugins.jquery.com/plugin-tags/security http://plugins.jquery.com/plugin-tags/security  $('#element').encode('html', cdata); Jquery Encoding with JQencoder

22 22 Page © 2012 WhiteHat Security, Inc. 22 Best Practice: DOM-Based XSS Defense Untrusted data should only be treated as displayable text JavaScript encode and delimit untrusted data as quoted strings Use document.createElement("…"), element.setAttribute("…","value"), element.appendChild(…), etc. to build dynamic interfaces (safe attributes only) Avoid use of HTML rendering methods Make sure that any untrusted data passed to eval() methods is delimited with string delimiters and enclosed within a closure eval(someFunction(‘UNTRUSTED DATA’));

23 23 Page © 2012 WhiteHat Security, Inc. 23 OWASP Abridged XSS Prevention Cheat Sheet

24 24 Page © 2012 WhiteHat Security, Inc. 24 Attacks on Access Control Vertical Access Control Attacks -A standard user accessing administration functionality -"Privilege Escalation" Horizontal Access Control Attacks -Same role, but accessing another user's private data Business Logic Access Control Attacks -Abuse of workflow

25 25 Page © 2012 WhiteHat Security, Inc. 25 Best Practice: Code to the Permission if (AC.hasAccess(ARTICLE_EDIT, NUM)) { //execute activity } Code it once, and it never needs to change again Implies policy is persisted in some way Requires more design/work up front to get right

26 26 Page © 2012 WhiteHat Security, Inc. 26 Best Practice: Use a Centralized Access Controller In Presentation Layer if (ACL.isAuthorized(VIEW_LOG_PANEL)) { Here are the logs } In Controller try (ACL.assertAuthorized(DELETE_USER)) { deleteUser(); }

27 27 Page © 2012 WhiteHat Security, Inc. 27 Access Control Positive Patterns Code to the permission, not the role Centralize access control logic Design access control as a filter Fail securely (deny-by-default) Apply same core logic to presentation and server-side access control decisions Server-side trusted data should drive access control Provide privilege and user grouping for better management Isolate administrative features and access [3][3]

28 28 Page © 2012 WhiteHat Security, Inc. 28 OWASP Access Control Cheat Sheet

29 29 Page © 2012 WhiteHat Security, Inc. 29 Anatomy of a CSRF Attack Consider a consumer banking application that contains the following form: Account Num: Transfer Amt: document.getElementById(‘form1’).submit();

30 30 Page © 2012 WhiteHat Security, Inc. 30 Cross-Site Request Forgery Defenses Cryptographic Tokens -Primary and most powerful defense. Randomness is your friend Require users to re-authenticate -Amazon.com does this *really* well Requests that cause side effects should use (and require) the POST method -Alone, this is not sufficient Double-cookie submit defense -Decent defense, but not based on randomness; instead, based on SOP [4][4]

31 31 Page © 2012 WhiteHat Security, Inc. 31 OWASP Cross-Site Request Forgery Cheat Sheet

32 32 Page © 2012 WhiteHat Security, Inc. 32 Authentication Dangers Weak Password Login Brute Force Username Harvesting Session Fixation Weak or Predictable Session Plaintext or Poor Password Storage Weak "Forgot Password" Feature Weak "Change Password" Feature Credential or Session Exposure in Transit via Network Sniffing Session Hijacking via XSS

33 33 Page © 2012 WhiteHat Security, Inc. 33 Authentication Defenses 2FA/MFA/Passwords as a single factor are DEAD Develop generic failed login messages that do not indicate whether the user-id or password was incorrect Enforce account lockout after a pre-determined number of failed login attempts Force re-authentication at critical application boundaries -edit email, edit profile, edit finance info, ship to new address, change password, etc. Implement server-side enforcement of credential syntax and strength [5][5]

34 34 Page © 2012 WhiteHat Security, Inc. 34 OWASP Authentication Sheet Cheat Sheet

35 35 Page © 2012 WhiteHat Security, Inc. 35 Forgot Password Secure Design Require identity and security questions -Last name, account number, email, DOB -Enforce lockout policy -Ask one or more good security questions -http://www.goodsecurityquestions.com/http://www.goodsecurityquestions.com/ Send the user a randomly generated token via out-of- band method -email, SMS or token Verify code in same Web session -Enforce lockout policy Change password -Enforce password policy [6][6]

36 36 Page © 2012 WhiteHat Security, Inc. 36 OWASP Forgot Password Cheat Sheet

37 37 Page © 2012 WhiteHat Security, Inc. 37 Ensure secure session IDs - 20+ bytes, cryptographically random - Stored in HTTP Cookies - Cookies: Secure, HTTP Only, limited path Generate new session ID at login time - To avoid session fixation Session Timeout - Idle Timeout - Absolute Timeout - Logout Functionality Session Defenses [7][7]

38 38 Page © 2012 WhiteHat Security, Inc. 38 OWASP Session Management Cheat Sheet

39 39 Page © 2012 WhiteHat Security, Inc. 39 Clickjacking Defense Standard Option: X-FRAME-OPTIONS Header // to prevent all framing of this content response.addHeader( "X-FRAME-OPTIONS", "DENY" ); // to allow framing of this content only by this site response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" ); Frame-Breaking Script Defense: body{display:none} if (self == top) { var antiClickjack = document.getElementByID("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack) } else { top.location = self.location; } [8][8]

40 40 Page © 2012 WhiteHat Security, Inc. 40 OWASP Clickjacking Cheat Sheet Missing? Care to Help?

41 41 Page © 2012 WhiteHat Security, Inc. 41 Secure Password Storage public String hash(String plaintext, String salt, int iterations) throws EncryptionException { byte[] bytes = null; try { MessageDigest digest = MessageDigest.getInstance(hashAlgorithm); digest.reset(); digest.update(ESAPI.securityConfiguration().getMasterSalt()); digest.update(salt.getBytes(encoding)); digest.update(plaintext.getBytes(encoding)); // rehash a number of times to help strengthen weak passwords bytes = digest.digest(); for (int i = 0; i < iterations; i++) { digest.reset(); bytes = digest.digest(bytes); } String encoded = ESAPI.encoder().encodeForBase64(bytes,false); return encoded; } catch (Exception ex) { throw new EncryptionException("Internal error", "Error"); }} [9][9]

42 42 Page © 2012 WhiteHat Security, Inc. 42 Password Security Defenses Disable browser autocomplete - Password and form fields -Input type=password Additional password security -Do not display passwords in HTML document -Only submit passwords over HTTPS [9 b ]

43 43 Page © 2012 WhiteHat Security, Inc. 43 OWASP Password Storage Cheat Sheet

44 44 Page © 2012 WhiteHat Security, Inc. 44 Encryption in Transit (TLS) Authentication credentials and session identifiers must be encrypted in transit via HTTPS/SSL - Starting when the login form is rendered - Until logout is complete - All other sensitive data should be protected via HTTPS! https://www.ssllabs.com free online assessment of public-facing server HTTPS configuration https://www.ssllabs.com https://www.owasp.org/index.php/Transport_Layer_Protection_C heat_Sheet for HTTPS best practices https://www.owasp.org/index.php/Transport_Layer_Protection_C heat_Sheet [10][10]

45 45 Page © 2012 WhiteHat Security, Inc. 45 OWASP Transport Layer Protection Cheat Sheet

46 46 Page © 2012 WhiteHat Security, Inc. 46 Thank You Jim Manico VP of Security Architecture Jim.Manico@whitehatsec.com

Download ppt "1 Page © 2012 WhiteHat Security, Inc. 1 Top 10 Defenses for Website Security Jim Manico VP of Security Architecture June 2012."

Similar presentations

February 2012 Top Ten Controls v1 Eoin Keary and Jim Manico Page 1 OWASP Foundation – Los Angeles Chapter

February 2012 Top Ten Controls v1 Eoin Keary and Jim Manico Page 1 OWASP Foundation – Los Angeles Chapter
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Past, Present and Future

Past, Present and Future
March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 1 Top 10 Web Security Controls.

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 1 Top 10 Web Security Controls.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
APPLICATION DEVELOPMENT SECURE CODING WORKSHOP JIM MANICO VP, Security Architecture MARCH 2013.

APPLICATION DEVELOPMENT SECURE CODING WORKSHOP JIM MANICO VP, Security Architecture MARCH 2013.
Top 10 Defenses for Website Security Jim Manico VP of Security Architecture July 2012.

Top 10 Defenses for Website Security Jim Manico VP of Security Architecture July 2012.
Top 10 Defenses for Website Security Jim Manico VP Security Architecture.

Top 10 Defenses for Website Security Jim Manico VP Security Architecture.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Web App Access Control Design

Web App Access Control Design
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Similar presentations

Ads by Google