CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.


1 CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web Derek Mathieson Group Leader Advanced Information Systems CERN – Geneva, Switzerland

2 CERN GS-AIS Agenda Impact of Security Flaws Definitions Types of Attack Techniques / Solutions

3 CERN GS-AIS Why Secure Web Application?

4 CERN GS-AIS Impact of Security Flaws Ping of death Morris worm (1988) –~6,000 infected computers Santy (2004) –~40,000 infected computers (in 24 hours) Conficker (2008) –17,000,000 infected computers

5 CERN GS-AIS US Army Computer Virus Hits U.S. Drone Fleet

6 CERN GS-AIS SONY PlayStation Network

7 CERN GS-AIS SonyPictures.com

8 CERN GS-AIS SONY PlayStation Network

9 CERN GS-AIS Top 25 Most Dangerous Software Errors 2011 (CWE/SANS)
1 SQL Injection
2 OS Command Injection
3 Classic Buffer Overflow
4 Cross-site Scripting
5 Missing Authentication for Critical Function
6 Missing Authorization
7 Use of Hard-coded Credentials
8 Missing Encryption of Sensitive Data
9 Unrestricted Upload of File with Dangerous Type
10 Reliance on Untrusted Inputs in a Security Decision
11 Execution with Unnecessary Privileges
12 Cross-Site Request Forgery (CSRF)
13 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
14 Download of Code Without Integrity Check
15 Incorrect Authorization
16 Inclusion of Functionality from Untrusted Control Sphere
17 Incorrect Permission Assignment for Critical Resource
18 Use of Potentially Dangerous Function
19 Use of a Broken or Risky Cryptographic Algorithm
20 Incorrect Calculation of Buffer Size
21 Improper Restriction of Excessive Authentication Attempts
22 URL Redirection to Untrusted Site ('Open Redirect')
23 Uncontrolled Format String
24 Integer Overflow or Wraparound
25 Use of a One-Way Hash without a Salt


13 CERN GS-AIS Our Focus Today… Cross-site Scripting (XSS) Cross-Site Request Forgery (CSRF) SQL Injection OS Command Injection

14 CERN GS-AIS Definitions Identification Authentication Authorisation Session Management

15 CERN GS-AIS Identification / Authentication How Can You Prove Who You Are? –Biometric Passport –Photo ID –Fingerprint –Username / Password

16 CERN GS-AIS Definitions Entity –A user, or another computer system component. Identification –Providing a credential such that a system can recognise the entity and distinguish it from other entities. Authentication –The process of verifying the identity of an entity.

17 CERN GS-AIS Authentication Factors Something an entity knows: –Password, PIN Something an entity has: –ID Card, private key Something an entity is: –Fingerprint, iris scan, …

18 CERN GS-AIS Authentication Single / Multi-factor Authentication –Password only –Password + Fingerprint Trade-off between –Convenience –Cost –Complexity –Security

19 CERN GS-AIS Identity Theft Compromised Passwords –Self Service password reset Lost ID Cards –Blocking List Compromised Private Keys –CRL What about Biometrics? –No easy solution

20 CERN GS-AIS Passwords Server good practices –Never store them in ‘clear’ –Use encrypted communication protocols (SSL) –Log authentication failures –Use generic error messages: ‘User/password combination not recognised’ –Show the user their last login date and previous failed login attempts

21 CERN GS-AIS Web Authentication Techniques Basic Authentication Digest Authentication Form Authentication

22 CERN GS-AIS Basic Authentication

23 CERN GS-AIS Basic Authentication Username:Password → Base64 → QWxhZGRpbjpvcGVuIHNlc2FtZQ==

25 CERN GS-AIS Basic Authentication No encryption –Username / Password ‘encoded’ Depends on a secure communication channel

27 CERN GS-AIS Digest Authentication

28 CERN GS-AIS Digest Authentication
HA1 = MD5(username : realm : password) → 348RU349URFJ934FH3FH9…
HA2 = MD5(method : URI) → 4I0R9I34F034403RI4I… (e.g. GET /Protected/secrets.html)

29 CERN GS-AIS Digest Authentication
response = MD5(HA1 : nonce : HA2) → R3984UR34R43RU…

30 CERN GS-AIS Digest Authentication Advantages –Communication is more secure (some doubts over the irreversibility of MD5) –Server nonce can avoid replay attacks Disadvantages –Server password file contains usable credentials in plaintext –Vulnerable to a man-in-the-middle (MitM) attack
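The two schemes on slides 23 to 30 side by side, as an added Python example (not code from the slides or from CERN's systems). It parses a Basic header to show that Base64 is reversible, then computes the Digest values HA1, HA2 and response exactly as drawn (RFC 2617 form without qop) and verifies them server-side with single-use, time-limited nonces. The realm "cern", the user "Derek"/"VerySecret" and the stored-HA1 layout are assumptions; the Basic header value is the one on slide 23.

```python
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


def parse_basic(authorization: str) -> Tuple[str, str]:
    """Recover username and password from a Basic Authorization header.

    Base64 is an encoding, not encryption: anyone who observes the header
    (no TLS, or a downgrade as in the attacker diagrams) gets the password back.
    """
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed credentials: no ':' separator")
    return username, password


# --- Digest, RFC 2617 form without qop, as drawn on slides 28 and 29 ---------

def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return _md5_hex(f"{method}:{uri}")


def digest_response(ha1_value: str, nonce: str, ha2_value: str) -> str:
    return _md5_hex(f"{ha1_value}:{nonce}:{ha2_value}")


class DigestServer:
    """Minimal verifier: fresh, single-use nonces; credentials stored as HA1.

    The slide's caveat still applies: HA1 is itself a usable credential, so
    the password file must be protected as if it held plaintext passwords.
    """

    def __init__(self, realm: str, ha1_by_user: Dict[str, str], nonce_ttl: int = 300) -> None:
        self.realm = realm
        self.ha1_by_user = ha1_by_user          # assumed storage: username -> HA1
        self.nonce_ttl = nonce_ttl
        self._issued: Dict[str, float] = {}     # nonce -> time issued

    def challenge(self, now: Optional[float] = None) -> str:
        """Value sent as the nonce in the 401 response's WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self._issued[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str,
               response: str, now: Optional[float] = None) -> bool:
        issued = self._issued.pop(nonce, None)  # each nonce is accepted once
        if issued is None:
            return False                        # unknown or replayed nonce
        now = time.time() if now is None else now
        if now - issued > self.nonce_ttl:
            return False                        # stale nonce
        stored = self.ha1_by_user.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, nonce, ha2(method, uri))
        return secrets.compare_digest(expected, response)
```

Because `verify` pops the nonce before checking anything else, a captured Digest response cannot be replayed, which is the replay protection slide 30 credits to the server nonce; the downgrade shown on slides 32 and 33 is not stopped by any of this and needs TLS.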

31 CERN GS-AIS Digest Authentication
User → Server: Request
Server → User: 401 Unauthorized + nonce
User → Server: Request + Digest Response

32 CERN GS-AIS Digest Authentication (attacker between User and Server)
User → Attacker: Request
Attacker → Server: Request
Server → Attacker: 401 Unauthorized + nonce
Attacker → User: 401 Unauthorized + basic auth

33 CERN GS-AIS Digest Authentication (attacker between User and Server)
User → Attacker: Request + Basic Response
Attacker → Server: Request + Digest Response
Attacker now holds the credentials: Username Derek, Password VerySecret

34 CERN GS-AIS Form Authentication

35 CERN GS-AIS Form Authentication Advantages –Simple to develop –Richer User Interface –Can use multifactor authentication Disadvantages –Depends on a secure communication channel (usually)

36 CERN GS-AIS BEAST (Browser Exploit Against SSL / TLS)

37 CERN GS-AIS Other Authentication Methods Single Sign-on –OpenID, Shibboleth, … Integrated Windows Authentication Token-based –One Time Passwords (OTP) SecureID, YubiKey –Public key authentication (SSL client certificates).

38 CERN GS-AIS Authorisation

39 CERN GS-AIS Authorisation An Authorisation system should: –Allow access to resources to users/systems that are permitted to access them. –Prevent access to those that are not permitted.

40 CERN GS-AIS Authorisation System requirements: –Who (entity) –What (resource) –Which operation (read / update / delete / …) –Access Policy

41 CERN GS-AIS Role Based Access Control Roles are identified –e.g. administrator, group leader, developer. Rights are assigned to roles –group leader can access homepage Roles are assigned to entities –Derek is a group leader

42 CERN GS-AIS AIS Roles

43 CERN GS-AIS Role Based Access Control Less complex than individual assignment of access rights Roles can link to organization roles –Automatic maintenance –Less administration

44 CERN GS-AIS Authorisation: Good Practices Check every access Centralise rights management Principle of Least Privilege
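Slides 41 to 44 in code, as an added Python example (not code from the slides or from the AIS roles system). Rights are granted to roles, roles are assigned to entities, and one central `is_allowed` is called for every access and denies by default. The roles, resources and the sample assignments ("Derek is a group leader", "Frank is a developer") are constructed; only the first mirrors the slide.

```python
from typing import Dict, Set, Tuple

# A right is a (resource, operation) pair; it is granted to a role, never to a person.
Right = Tuple[str, str]


class RbacPolicy:
    """Central policy: roles -> rights, entities -> roles, deny by default."""

    def __init__(self) -> None:
        self.rights_by_role: Dict[str, Set[Right]] = {}
        self.roles_by_entity: Dict[str, Set[str]] = {}

    def grant(self, role: str, resource: str, operation: str) -> None:
        self.rights_by_role.setdefault(role, set()).add((resource, operation))

    def assign(self, entity: str, role: str) -> None:
        self.roles_by_entity.setdefault(entity, set()).add(role)

    def revoke_role(self, entity: str, role: str) -> None:
        """Dropping the organisational role removes every right that came with it."""
        self.roles_by_entity.get(entity, set()).discard(role)

    def is_allowed(self, entity: str, resource: str, operation: str) -> bool:
        """Called on every access; unknown entities, roles or resources are denied."""
        for role in self.roles_by_entity.get(entity, ()):
            if (resource, operation) in self.rights_by_role.get(role, ()):
                return True
        return False


def build_policy() -> RbacPolicy:
    """Constructed sample policy in the spirit of slide 41."""
    policy = RbacPolicy()
    policy.grant("group leader", "homepage", "read")
    policy.grant("group leader", "team-report", "read")
    policy.grant("developer", "homepage", "read")
    policy.grant("developer", "source", "update")
    policy.grant("administrator", "users", "delete")
    policy.assign("Derek", "group leader")
    policy.assign("Frank", "developer")
    return policy
```

Every right a role does not explicitly hold is denied, which is the least-privilege default; when Derek stops being a group leader, one `revoke_role` call is the whole clean-up, which is the "automatic maintenance" slide 43 promises from linking roles to organisational roles.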

45 CERN GS-AIS Session Management

46 CERN GS-AIS Session Management Why do we need it? –HTTP is state-less

47 CERN GS-AIS Session Management
User → Server: Credentials
Server → User: Session ID: 42
Session Memory (User ID → Session ID): Derek 42, Frank 43, Jim 44, Alex 45, Jane 46, Billy 47, Lilly 48

48 CERN GS-AIS Session Management Good Practices –Keep Session ID secret! Use encrypted communications. –Make them unpredictable Based on a random sequence Never re-used –Time limited Use a standard framework
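The good practices on slide 48 applied to the session table of slide 47, as an added Python example (not code from the slides, and not a substitute for the standard framework the slide recommends). Session ids come from the OS random generator instead of a counter like 42, are never re-issued, expire after a fixed time, and are sent with cookie flags that keep them off plaintext channels and away from scripts. The cookie name `SESSIONID` and the 30-minute lifetime are assumptions.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set


class SessionStore:
    """Server-side table of session id -> user, like the slide's Derek/42 table."""

    def __init__(self, ttl_seconds: int = 1800, clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock                      # injectable so expiry can be tested
        self._live: Dict[str, dict] = {}
        self._ever_issued: Set[str] = set()     # an id is never handed out twice

    def create(self, user_id: str) -> str:
        """Unpredictable id: 256 bits from the OS CSPRNG, not a sequential number."""
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self._ever_issued:
                break
        self._ever_issued.add(sid)
        self._live[sid] = {"user": user_id, "expires": self.clock() + self.ttl}
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve an id to a user; an expired session is dropped on first use."""
        entry = self._live.get(sid)
        if entry is None:
            return None
        if self.clock() > entry["expires"]:
            del self._live[sid]
            return None
        return entry["user"]

    def destroy(self, sid: str) -> None:
        """Logout: the id is gone for good and can never be re-issued."""
        self._live.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Cookie flags that keep the id secret: TLS only, no script access, not sent cross-site."""
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The `Secure` flag is what turns "use encrypted communications" into something the browser enforces; `HttpOnly` limits what a cross-site scripting payload (slides 55 onwards) can read.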

49 CERN GS-AIS Types of Attack

50 CERN GS-AIS Types of Attack Session –Session Fixation / Session ID Forgery –Cross-Site Scripting –Cross-Site Request Forgery Injection –SQL Injection –Command Injection Google Hacks

51 CERN GS-AIS Session ID Forgery URL Manipulation POST parameter Manipulation

52 CERN GS-AIS Citibank June 2011 Citibank customers lost $2.7 million in recent attack

53 CERN GS-AIS PayPal April 2012 23-year-old hacker accessed 200,000 PayPal accounts

54 CERN GS-AIS Cross-Site Scripting XSS

55 CERN GS-AIS Cross-Site Scripting The most common publicly-reported security vulnerability –Up to 68% of websites could be vulnerable

56 CERN GS-AIS Cross-Site Scripting (Persistent) … Server User Attacker request response + malicious script

57 CERN GS-AIS Cross-Site Scripting (non-persistent) ‘Click Here’ + malicious script Server User Attacker request + malicious script response + malicious script

58 CERN GS-AIS Cross-Site Scripting: Impact Site defacement

59 CERN GS-AIS USDA.GOV

60 CERN GS-AIS EU President

61 CERN GS-AIS BP.COM

62 CERN GS-AIS Cross-Site Scripting: Impact Site defacement Identity Theft Malware distribution …

63 CERN GS-AIS WordPress April 2011 WordPress corrects a cross-site request forgery (CSRF) and cross-site scripting (XSS) in version 3.1.1.

64 CERN GS-AIS eBay.de August 2011 Potential account theft with XSS hole in eBay.de

65 CERN GS-AIS American Express October 2011

66 CERN GS-AIS Cross-Site Scripting: Impact ‘Samy’ XSS Worm on MySpace –Automatically made a ‘friend request’ back to the author. –Within 20 hours of release over 1,000,000 users were affected. Author: Samy Kamkar –Arrested on a felony charge. Sentenced to three years’ probation, 90 days community service and an undisclosed amount of restitution.

67 CERN GS-AIS Cross-Site Scripting: Remedies Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers

68 CERN GS-AIS Cross-Site Scripting: Remedies Remove / replace HTML entities –‘White List’ or ‘Black List’ Filter Use Non-HTML Lightweight mark-up –Wiki –bb-code –Textile Use a Site Scanning Tool –We use Acunetix
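The remedies of slides 67 and 68 in one routine, as an added Python example (not code from the slides). Every piece of user input is output-encoded, and the only markup that reaches the page is a white-listed bb-code subset (`[b]`, `[i]`, `[url=...]`) converted to fixed HTML, with link targets restricted to http and https. The tag set and the `rel="noopener"` attribute are assumptions; a real site would use its framework's escaping and a maintained markup library.

```python
import html
import re
from typing import List, Optional
from urllib.parse import urlsplit

# White list: only these bb-code tags are recognised; anything else stays literal text.
_SIMPLE_TAGS = {"b": "strong", "i": "em"}
_ALLOWED_SCHEMES = {"http", "https"}
_TOKEN_RE = re.compile(r"\[(/?)(b|i|url)(?:=([^\]]*))?\]")


def escape_html(text: str) -> str:
    """Output encoding for untrusted text placed in an HTML body or attribute."""
    return html.escape(text, quote=True)


def _safe_href(raw: str) -> Optional[str]:
    """Accept only http/https targets, then encode for use inside href=\"...\"."""
    scheme = urlsplit(raw).scheme.lower()
    return escape_html(raw) if scheme in _ALLOWED_SCHEMES else None


def render_bbcode(text: str) -> str:
    """Convert white-listed bb-code to HTML; everything else is escaped text."""
    out: List[str] = []
    stack: List[str] = []           # open tags, so the output is always balanced
    pos = 0
    for m in _TOKEN_RE.finditer(text):
        out.append(escape_html(text[pos:m.start()]))
        pos = m.end()
        closing, tag, arg = m.group(1) == "/", m.group(2), m.group(3)
        if closing:
            if stack and stack[-1] == tag:
                out.append(f"</{_SIMPLE_TAGS.get(tag, 'a')}>")
                stack.pop()
            else:
                out.append(escape_html(m.group(0)))   # unmatched close tag: literal
        elif tag == "url":
            href = _safe_href(arg or "")
            if href is None:
                out.append(escape_html(m.group(0)))   # rejected scheme: literal
            else:
                out.append(f'<a href="{href}" rel="noopener">')
                stack.append("url")
        else:
            out.append(f"<{_SIMPLE_TAGS[tag]}>")
            stack.append(tag)
    out.append(escape_html(text[pos:]))
    while stack:                                      # close anything left open
        out.append(f"</{_SIMPLE_TAGS.get(stack.pop(), 'a')}>")
    return "".join(out)
```

Escaping runs on the text between tags before any HTML is emitted, so a `<script>` element in the input can only ever appear as `&lt;script&gt;`; a black list of known-bad strings would have to chase every encoding trick, which is why the white-list form is the safer of the two options on the slide.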

69 CERN GS-AIS Exploit Test Site http://bit.ly/K8Zy6K

70 CERN GS-AIS Cross-Site Request Forgery CSRF / XSRF

71 CERN GS-AIS Cross-Site Request Forgery ‘Click Here’ Server User Attacker request response + embedded command Evil Server ‘Hidden’ request

72 CERN GS-AIS Cross-Site Request Forgery
Embedded Image:
<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">
Hidden Form:
<form name="secretform" method="POST" action="http://bank.example/account"> …

73 CERN GS-AIS CSRF: Remedies For End Users: Very Little! –Log out before visiting other sites –Don’t use ‘remember me’ features –Don’t visit ‘untrustworthy’ sites

74 CERN GS-AIS CSRF: Remedies For Website Authors –Include a hidden ‘nonce’ token in forms –Ignore GET parameters when processing a POST –Include Authentication Cookies in POST body (via JavaScript)
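The first two website-author remedies on slide 74, as an added Python example (not code from the slides or from any framework). A hidden token is issued per session, bound to it with an HMAC so the server keeps no per-token state, and checked on every POST; state-changing requests over GET are refused, which is what defeats the embedded `<img>` of slide 72, and only the POST body is read. The field name `csrf_token`, the request dict layout and the `handle_transfer` endpoint are assumptions.

```python
import hashlib
import hmac
import html
import secrets
from typing import Dict

# Constructed for the example: a real deployment loads the key from configuration.
SECRET_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token tied to this session; a token stolen from another session will not verify."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token) -> bool:
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def hidden_field(token: str) -> str:
    """The hidden 'nonce' input to place in every state-changing form."""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(token, quote=True)}">'


def handle_transfer(request: Dict, session_id: str) -> str:
    """Request is a constructed dict: {"method": ..., "query": {...}, "form": {...}}."""
    if request.get("method") != "POST":
        return "405 Method Not Allowed"      # nothing changes state via GET (the <img> trick)
    form = request.get("form") or {}
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 Forbidden"               # a hidden form on another site has no valid token
    amount = form.get("amount")              # only the POST body is read; the query string is ignored
    if amount is None:
        return "400 Bad Request"
    return f"200 OK: transferred {amount}"
```

The attacker's page can make the victim's browser send the request and the session cookie, but it cannot read the victim's form to copy the token, so the forged POST fails the `verify_csrf_token` check.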

75 CERN GS-AIS Injection Exploits SQL Injection

76 CERN GS-AIS SQL Injection SQL Injection is user input allowed to pass through to the database directly

77 CERN GS-AIS SQL Injection: Example
Log on to NetBank: User name: b.cameron, Password: [Logon]
Query template: SELECT id FROM logins WHERE username = '$username' AND password = '$password'
Normal login: SELECT id FROM logins WHERE username = 'b.cameron' AND password = 'SecretWord'
Attacker enters X' or 1=1 as the password: SELECT id FROM logins WHERE username = 'b.cameron' AND password = 'X' OR 1 = 1

78 CERN GS-AIS SQL Injection: Remedies Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers Use a Site Scanning Tool

79 CERN GS-AIS SQL Injection: Remedies Prepared Statements –Advantages Precompiled Query: Faster (usually) Database engine does the bind –Disadvantages (a little) More Complex SELECT id FROM logins WHERE username = ? AND password = ?
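The login of slide 77 both ways, as an added Python example (not code from the slides) against an in-memory SQLite database. `login_vulnerable` builds the slide's query by string interpolation; `login_safe` uses the prepared statement from slide 79, so the engine binds the `?` and the input never becomes SQL, and it also follows slide 20 by comparing a salted, iterated hash rather than a stored password. The table layout is constructed, and the plaintext `password` column exists only so the vulnerable query can be reproduced. The test payload is the slide's `X' or 1=1` with its trailing quote balanced so the statement stays syntactically valid.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional


def _hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: salted and slow, per slide 20 and CWE item 25 (hash without a salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_db() -> sqlite3.Connection:
    """Constructed sample: one account, b.cameron / SecretWord, as on slide 77."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO logins VALUES (1, 'b.cameron', 'SecretWord', ?, ?)",
        (salt, _hash_password("SecretWord", salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """The slide's query assembled by string interpolation: the input becomes SQL."""
    query = (f"SELECT id FROM logins WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Prepared statement: the database engine binds `?`, so the input stays data."""
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM logins WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return user_id if hmac.compare_digest(_hash_password(password, salt), stored) else None
```

With the bound parameter the whole string `X' OR '1'='1` is compared as a password value and simply fails; there is no query text for it to alter.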

80 CERN GS-AIS Other Exploits

81 CERN GS-AIS Command Injection
Variation of SQL Injection
–Injects a malicious OS command
exec("ls " + $userPath)
exec("ls /home/myfiles")
exec("ls .; cat /etc/passwd")
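A hardened version of slide 81's `exec("ls " + $userPath)`, as an added Python example (not code from the slides). Two independent defences: the user-supplied path must resolve inside a fixed base directory, and the command runs as an argument vector with no shell, so `;`, `|` and similar characters are passed to `ls` as part of a file name rather than interpreted. The base directory, the `ls -1` invocation and the sample tree are constructed; `ls` is assumed to be present on the host.

```python
import os
import subprocess
import tempfile
from typing import List


def safe_list_dir(base_dir: str, user_path: str) -> List[str]:
    """List a user-chosen directory under base_dir without handing the input to a shell."""
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # Defence 1: the resolved path must stay inside the allowed tree (no .. or absolute paths).
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes the allowed directory")
    if not os.path.isdir(target):
        raise ValueError("not a directory")
    # Defence 2: an argument vector. No shell parses this line, so ';' cannot start a new command.
    result = subprocess.run(["ls", "-1", "--", target], capture_output=True, text=True, check=True)
    return sorted(line for line in result.stdout.splitlines() if line)


def rejects(base_dir: str, user_path: str) -> bool:
    """True when the input is refused before any command runs."""
    try:
        safe_list_dir(base_dir, user_path)
    except ValueError:
        return True
    return False


def demo_tree() -> str:
    """Constructed sample tree: <tmp>/myfiles/a.txt."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "myfiles"))
    with open(os.path.join(base, "myfiles", "a.txt"), "w", encoding="utf-8") as fh:
        fh.write("hello\n")
    return base
```

The slide's `.; cat /etc/passwd` is refused here because no such directory exists under the base; even if an attacker could create one with that name, the list form of `subprocess.run` would pass the whole string to `ls` as a single argument. For pure directory listing, `os.listdir` needs no external command at all and removes the question entirely.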

82 CERN GS-AIS Google Hacking Database http://www.exploit-db.com/google-dorks/

83 CERN GS-AIS Summary Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers Use a Site Scanning Tool

84 CERN GS-AIS Thank You

85 CERN GS-AIS Questions My website is not well known –No bad people will find it… http://www.exploit-db.com

86 CERN GS-AIS Questions Hacking websites is difficult. –You need to be an expert programmer. Metasploit BeEF

87 CERN GS-AIS http://www.1337day.com/

88 CERN GS-AIS http://www.exploit-db.com/

89 CERN GS-AIS Thank You

