Embed Size (px)
Citation preview
Surviving Web Security
Gergely Nemeth, RisingStack
ATTACK TREES
“formal, methodical way of describing the security of systems, based on varying attacks”
Bruce Schneier
ATTACK TREES
ATTACK TREES
Open Safe
Pick Lock Learn Combo Bad Setup
Find it WrittenLearn From
Target
Blackmail Eavesdrop Bribe
KNOW YOUR ATTACKER
ATTACK TREES
ATTACK TREES
Open Safe (P)
Pick Lock (I)Learn Combo
(P)Bad Setup (I)
Find it Written (I)
Learn From Target (P)
Blackmail (I) Eavesdrop (I) Bribe (P)
P = Possible
I = Impossible
DENIAL OF SERVICE
ATTACK TREES - DENIAL OF SERVICE
Denial of Service
Find Evil Regex Vulnerability
Distributed Mass Traffic
ATTACK TREES - DENIAL OF SERVICE
1
^(a+)+$
2
3
4 5a a a
a
a
a a a
Nondeterministic finite automaton
ATTACK TREES - DENIAL OF SERVICE
^(a+)+$
for the input “aaaaX”
16 possible paths
ATTACK TREES - DENIAL OF SERVICE
^(a+)+$
for the input “aaaaaaaaaaaaaaaaX”
65536 possible paths
ATTACK TREES - DENIAL OF SERVICE
Regular Expression implementations may
reach extreme situations that cause them to
work very slowly
ATTACK TREES - DENIAL OF SERVICE
Evil Regexes
- Grouping with repetition
- Inside the repeated group:
- Repetition
- Alternation with overlapping
WE HAVE A SINGLE THREAD
ATTACK TREES - DENIAL OF SERVICE
ATTACK TREE FOR USER ACCOUNTS
ATTACK TREES - USER ACCOUNT
Get Access
Modify Credentials
Learn PasswordBypass Access
Control
Get Access to Database
Social Engineering
Get Access to DMZ
Listen on Transport Layer
GuessingInsecure
Dependencies
ATTACK TREES - USER ACCOUNT
Get Access
Modify Credentials
Learn PasswordBypass Access
Control
Get Access to Database
Social Engineering
Get Access to DMZ
Listen on Transport Layer
GuessingInsecure
Dependencies
GUESSING - BRUTE FORCE
systematically enumerating all possible
candidates for the solution
GUESSING - BRUTE FORCE
use a rate-limiter for your endpoints
GUESSING - BRUTE FORCE
GUESSING - TIMING ATTACKS
compromise a cryptosystem by analyzing
the time taken to execute cryptographic
algorithms
GUESSING - TIMING ATTACKS
GUESSING - TIMING ATTACKS
WRONG!
GUESSING - TIMING ATTACKS
T R A C E T R A C E
1st iteration
GUESSING - TIMING ATTACKS
T R A C E T R A C E
2nd iteration
GUESSING - TIMING ATTACKS
T R A C E T R A C E
5th iteration
GUESSING - TIMING ATTACKS
T R A C E T R I C K
1th iteration
GUESSING - TIMING ATTACKS
T R A C E T R I C K
2nd iteration
GUESSING - TIMING ATTACKS
T R A C E T R I C K
3rd iteration
GUESSING - TIMING ATTACKS
T R A C E T R I C K
3rd iteration
missmatch - no more iterations
GUESSING - TIMING ATTACKS
the more letters match from the password,
the more time it takes
GUESSING - TIMING ATTACKS
ALWAYS USE FIXED-TIME
COMPARISON
GUESSING - TIMING ATTACKS
INSECUREDEPENDENCIES
ATTACK TREES - USER ACCOUNT
Get Access
Modify Credentials
Learn PasswordBypass Access
Control
Get Access to Database
Social Engineering
Get Access to DMZ
Listen on Transport Layer
GuessingInsecure
Dependencies
YOU ARE WHAT YOU REQUIRE
INSECURE DEPENDENCIES
INSECURE DEPENDENCIES
INSECURE DEPENDENCIES
node-uuid is downloaded 255.000 times
daily, while 4.000+ modules depend on it
INSECURE DEPENDENCIES
THE HUMAN FACTOR
ATTACK TREES - USER ACCOUNT
Get Access
Modify Credentials
Learn PasswordBypass Access
Control
Get Access to Database
Social Engineering
Get Access to DMZ
Listen on Transport Layer
GuessingInsecure
Dependencies
95% OF ALL SECURITY INCIDENTS INVOLVE HUMAN ERROR
WE ARE THE WEAKEST LINK
security must be part of the agile workflow
THE HUMAN FACTOR
stories should include acceptance criteria for security
THE HUMAN FACTOR
Given an unauthenticated user,
when tries to view her profile,
then redirected to the login.
SECURITY IS PART OF YOUR JOB!
- Node.js Security Checklist -
https://blog.risingstack.com/node-js-security-checklist/
- Advisories of NSP - on nodesecurity.io
- OWASP TOP 10 - on owasp.org
WHAT’S NEXT?
Thanks!
