How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

English version of the workshop slides from PHDays III

Page 1: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
Page 2

How to Develop a Secure Web Application and Stay in Mind?

Vladimir Kochetkov, web application security researcher

Positive Technologies

Translated into English by @pand0chka

Positive Hack Days III

Page 3

Synopsis

Page 4

― Effective development of secure code requires a change in the mindset of the participants involved.

― The available training resources teach causes through their consequences, and counteraction to consequences instead of elimination of causes.

― Following the generally accepted approaches, a developer has to become a qualified pentester before starting to write secure code.

It doesn't work!

Why?

Page 5

GET /api/shop/discount?shopId=3&productId=1584&coupon=1y3z9 HTTP/1.1
Host: superdupershop.com
Cookie: ASP.NET_SessionId=10g5o4zjkmbd2i552d5j3255; .ASPXAUTH=f2d345118221742ee0316d4080a53af014eb8a3161db421d36aa6a86ffea6781b5584f4157ec85ae5956cfc54cc93c34a3f9449c8ef4c70b5b54d46e0def3677cce9a8105340b8ccc6c8e64dfa37ae953f987517

Attention, the black box!

Page 6

var shopId = Request["shopId"];
var productId = Request["productId"];
var coupon = Request["coupon"];

var couponPattern = string.Format("{0}-{1}-{2}", shopId, productId, coupon);
// The raw coupon value is concatenated into the SQL text (SQL injection);
// couponPattern is built but never used.
var sqlCommandTxt = string.Format("SELECT value FROM Discounts WHERE coupon LIKE {0}", coupon);

var cmd = new SqlCommand(sqlCommandTxt, dataConnection);

// Execute query, process result etc...

Attention, the white box!

Page 7

var shopId = Request["shopId"];
var productId = Request["productId"];
var coupon = Request["coupon"];

var couponPattern = string.Format("{0}-{1}-{2}", shopId, productId, coupon);

// Parameterized, so the SQL text can no longer be altered; but shopId and productId
// are still untyped and the LIKE pattern is still built from raw request values.
var cmd = new SqlCommand("SELECT * FROM Discounts WHERE coupon LIKE @couponPattern", dataConnection);
cmd.Parameters.Add(new SqlParameter("@couponPattern", couponPattern));

// Execute query, process result etc...

Are vulnerabilities fixed?

Page 8

var shopId = 0;
if (!int.TryParse(Request["shopId"], out shopId))
{
    throw new ArgumentException();   // typing: shopId must be an integer
}

var productId = 0;
if (!int.TryParse(Request["productId"], out productId))
{
    throw new ArgumentException();   // typing: productId must be an integer
}

var coupon = Request["coupon"] ?? string.Empty;   // a missing parameter must not crash the check
if (!Regex.IsMatch(coupon, "^[A-Za-z0-9]{5}$"))
{
    throw new ArgumentException();   // validation: exactly five alphanumeric characters
}

var couponPattern = string.Format("{0}-{1}-{2}", shopId, productId, coupon);

// Parameterized query with an exact match instead of LIKE
var cmd = new SqlCommand("SELECT * FROM Discounts WHERE coupon=@couponPattern", dataConnection);
cmd.Parameters.Add(new SqlParameter("@couponPattern", couponPattern));

// Execute query, process result etc...

Now - yes!

Page 9

Glossary

Page 10

An information system is secure if a set of properties of all its information flows is never violated:

• CIA model:
  ― confidentiality
  ― availability
  ― integrity

• STRIDE model: CIA plus
  ― authenticity
  ― authorization
  ― non-repudiation

Secure information system

Page 11

― A threat is something the attacker can do with information.

― A vulnerability, caused by a weakness, is the means by which he can do it.

― An attack is the method by which he does it.

― Risk is the expected success of his actions and of their consequences.

― Security is what does not let the attacker attack.

― Safety is what minimizes the risk.

Quick terms of information security

Page 12

It is necessary to fight the causes, not the consequences!

Causes and consequences

(Diagram of causes and consequences; labels: Weakness, Threat, Vulnerability, Attack, Risk, Insecurity, Unsafeness)

Page 13

Why fighting attacks is harder than fighting weaknesses, or ASP.NET Request Validation versus IRV

http://habrahabr.ru/company/pt/blog/178357/

Demo

Page 14

Typical mindset

Page 15

― Focus on the functional requirements

― Knows about:
  • 10 risks (OWASP Top 10)
  • 1 threat (deadline violation)
  • Weaknesses? No, never heard of them

― Risk-centric

«I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality» (c) Scott Hanselman

"Developer"

Page 16

Developers awareness*

* based on poll results http://www.rsdn.ru/?poll/3488

(Bar chart: percentage of respondents, on a 0% to 90% scale, aware of each attack class of the WASC classification; classes included in the OWASP Top 10 risks are marked separately. Attack classes on the axis: Abuse of Functionality, Brute Force, Buffer/Format String Overflow, Content Spoofing, Credential/Session Prediction, Cross-Site Request Forgery, Cross-Site Scripting, Denial of Service, Fingerprinting, HPP/HPC, HRS, Integer Overflows, LDAP Injection, Mail Command Injection, Null Byte Injection, OS Commanding, Path Traversal, Predictable Resource Location, Remote/Local File Inclusion, Routing Detour, Session Fixation, SOAP Array Abuse, SQL Injection, SSI Injection, URL Redirector Abuse, XML Attribute Blowup, XML Entity Expansion, XML External Entities, XML Injection, XPath/XQuery Injection.)

Attacks based on WASC classification   Attacks included at OWASP Top 10 risks

Page 17

Risks are for managers…

… not for developers!

Page 18

"Security officer"

― Focus on security requirements
― Distinguishes attacks from vulnerabilities
― Vulnerability-centric

«If you don't understand the business, you can't see business logic flaws.» (c) OWASP

Page 19

Functional weaknesses … are also causes of vulnerabilities!

Page 20

Mindset refactoring

― «Developer»:
  • throw all the security hit-parades out of your head
  • follow a weakness-centric approach

― «Security officer»:
  • interact with developers
  • take the functional specifics into account
  • follow a threat-centric approach

Page 21

What is a vulnerability?

Page 22

A slightly boring theory

Page 23

A mathematical abstraction representing the universal computing machine.

― A Turing machine consists of:
  • an infinite tape divided into cells;
  • a control unit with a finite set of states;
  • a table of transitions between states.

― On each iteration it can:
  • change the content of the current cell;
  • proceed to another state;
  • move to a neighboring cell.

Turing machine

Page 24

TM: a 7-tuple M = (Q, Γ, b, Σ, δ, q0, F) where:

Q is a finite, non-empty set of states;
Γ is a finite, non-empty set of tape symbols (the tape alphabet);
b ∈ Γ is the blank symbol;
Σ ⊆ Γ ∖ {b} is the set of input symbols;
q0 ∈ Q is the initial state;
F ⊆ Q is the set of final or accepting states;
δ : (Q ∖ F) × Γ → Q × Γ × {L, R} is a partial function called the transition function, where
  • L is a left shift;
  • R is a right shift.

The formal definition of

Page 25

Halting theorem: there is no algorithm able to determine whether a program halts on a given set of input data.

Kleene's fixed-point theorem: there is no algorithmic transformation of programs that assigns to every program another, non-equivalent one.

Uspensky-Rice theorem: there is no algorithm to decide non-trivial properties of programs.

TM Limits

Page 26

Replaces all occurrences of the character «a»

What happens if the input string contains a blank symbol or "#"?

Demo

?

Page 27

A machine with states in which:

― the transition function and/or the set of states are distorted by the input data;

― an unpredictable transition into an incorrect state takes place at each iteration.

Exploiting a weird machine can give complete or partial control over the original machine.

Weird-machine

Page 28

Configuration: current state, tape contents, head position.

Conditional policy: a set of configurations that are permitted under certain conditions and do not lead to the realization of information threats.

Security policy: a union of conditional policies.

Secure TM: a machine all of whose runtime configurations satisfy the security policy.

Secure TM

Page 29

A 2-tuple (V, C), where:

― V is an unauthorized configuration that violates the security policy;

― C is the sequence of conditions describing the computation history that leads to V.

Vulnerability
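As an added illustration (not part of the workshop slides), the following Python models the 7-tuple of page 24, the «replace all a» demo of page 26 and the policy and (V, C) definitions of pages 28 and 29. The machine's transition table, the two conditional policies and the test inputs are assumptions constructed for this example.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

BLANK = "_"                                           # b, the blank symbol
Config = Tuple[str, str, int]                         # (state, tape contents, head position)
Delta = Dict[Tuple[str, str], Tuple[str, str, str]]   # (q, symbol) -> (q', symbol', "L"|"R"); partial


class TuringMachine:
    """M = (Q, Γ, b, Σ, δ, q0, F) in the form given on page 24."""

    def __init__(self, Q: Set[str], G: Set[str], S: Set[str], delta: Delta, q0: str, F: Set[str]):
        assert S <= G - {BLANK} and q0 in Q and F <= Q   # Σ ⊆ Γ ∖ {b}, q0 ∈ Q, F ⊆ Q
        self.Q, self.G, self.S, self.delta, self.q0, self.F = Q, G, S, delta, q0, F

    def run(self, tape: str, max_steps: int = 1000) -> Tuple[str, List[Config]]:
        """Return (outcome, history of configurations).
        outcome: 'accept' (state in F), 'stuck' (δ is partial and has no rule) or 'timeout'."""
        cells = list(tape) or [BLANK]
        state, head = self.q0, 0
        history: List[Config] = [(state, "".join(cells), head)]
        for _ in range(max_steps):
            if state in self.F:
                return "accept", history
            rule = self.delta.get((state, cells[head]))
            if rule is None:
                return "stuck", history
            state, cells[head], move = rule
            head += 1 if move == "R" else -1
            if head < 0:                                  # the tape is unbounded on both sides
                cells.insert(0, BLANK)
                head = 0
            elif head == len(cells):
                cells.append(BLANK)
            history.append((state, "".join(cells), head))
        return "timeout", history


def replace_a_machine() -> TuringMachine:
    """Our reading of the page 26 demo: scan right, rewrite every 'a' as '#', accept at the
    first blank. Σ = {a, b}: the author expects neither a blank nor '#' inside the input."""
    delta: Delta = {
        ("scan", "a"):   ("scan", "#", "R"),
        ("scan", "b"):   ("scan", "b", "R"),
        ("scan", BLANK): ("done", BLANK, "R"),
    }
    return TuringMachine({"scan", "done"}, {"a", "b", "#", BLANK}, {"a", "b"}, delta, "scan", {"done"})


# Conditional policies (page 28): each forbids a class of configurations under a condition.
Policy = Callable[[Config, bool, str], bool]          # (configuration, is last, outcome) -> permitted?


def no_unprocessed_a(cfg: Config, last: bool, outcome: str) -> bool:
    state, tape, _ = cfg
    return not (state == "done" and "a" in tape)       # accepting with an 'a' left is forbidden


def halts_only_in_final_state(cfg: Config, last: bool, outcome: str) -> bool:
    return not (last and outcome != "accept")          # stopping outside F is forbidden


SECURITY_POLICY: List[Tuple[str, Policy]] = [         # the union of the conditional policies
    ("no unprocessed 'a' at acceptance", no_unprocessed_a),
    ("halts only in a final state", halts_only_in_final_state),
]


def find_vulnerability(tm: TuringMachine, tape: str,
                       policy: List[Tuple[str, Policy]] = SECURITY_POLICY
                       ) -> Optional[Tuple[str, Config, List[Config]]]:
    """Return (policy name, V, C) for the first configuration V that violates the policy,
    where C is the computation history leading to V (page 29); None if the run is secure."""
    outcome, history = tm.run(tape)
    for i, cfg in enumerate(history):
        last = i == len(history) - 1
        for name, permitted in policy:
            if not permitted(cfg, last, outcome):
                return name, cfg, history[:i]
    return None


def output_tape(tm: TuringMachine, tape: str) -> str:
    """Final tape contents with the surrounding blanks stripped."""
    return tm.run(tape)[1][-1][1].strip(BLANK)


if __name__ == "__main__":
    tm = replace_a_machine()
    for word in ("aba", "ab_ab", "a#a"):      # constructed: expected input, blank inside, '#' inside
        print(repr(word), "->", repr(output_tape(tm, word)), find_vulnerability(tm, word))
```

A blank inside the input makes the machine accept with the right half unprocessed, and a '#' inside the input leaves the machine stuck outside F with an output in which the original '#' and the rewritten 'a' are indistinguishable.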

Page 30

The complete model of a secure TM: «and we need to go deeper» (c)

Page 31

"Modeling Computer Insecurity" (Sophie Engle, Sean Whalen and Matt Bishop):

A complete dynamic security analysis of a program is possible only if it is performed over all possible sets of input data.

Developing secure code is less complicated than analysing the security of existing code.

The computability of the security problem

Static evaluation of a program's security, even against the policy defined for it, is an undecidable problem.

Determining whether the current configuration complies with the security policy is apparently decidable.

Page 32

The semantics of any discrete process can be described as a set of states and the conditions of transition between them.

What is all this for?!

Page 33

The criteria on the input data that lead a process to one state or another form the set of configurations of an IS.

What is all this for?!

Page 34

The security policy is formed as a result of analysing the threat model and highlighting the unauthorized configurations that lead to the realization of any of the identified threats.

Eliminating unauthorized configurations forms the set of countermeasures that ensure the security of the IS; any other actions, which operate with the «degree of unauthorization», form the set of countermeasures that ensure the safety of the IS.

Code development in accordance with the security policy: security driven development

What is all this for?!

Page 35

The countermeasures that ensure the security of the typical building blocks of web applications have already been formulated as a result of evolution.

A set of practices has been developed on their basis; following them makes it possible to avoid weaknesses in the architecture and implementation of web applications.

Good news

Building a security policy is usually necessary only for the implementation of the business logic layer, in order to avoid logical weaknesses.

Page 36

Threat modeling

Page 37

What? The process of detecting threats in the application being developed.

Who? Architects and developers.

When? As soon as possible.

What for? To detect the weaknesses in the architecture or in the model of the application environment that can become vulnerabilities.

The Basics

Page 38

The Process

DFD creation or update

Threats identification

Countermeasures elaboration

Model validation

Page 39

DFD Creation or Update

Element           Examples
External entity   Users, external systems
Process           Executables, components, OS services, web services
Data flow         Function calls, network data
Data storage      Databases, files, data structures
Trust boundary    Processes, machines

(The Figure column with the DFD symbol of each element did not survive extraction.)

Page 40

DFD Creation or Update

Page 41

Further decomposition of the model is necessary if:

― not all flows passing through the trust boundaries are described;

― there are implicit objects crossing the trust boundaries;

― the verbal description of the model requires the words «sometimes», «as well as», «except for», etc.:
  • «Sometimes this data storage is used as…»: the second data storage should be added to the diagram;
  • «This data flow is always used to transfer business entities, except at the authentication stage»: the additional flow should be added.

DFD Creation or Update

Page 42

DFD Creation or Update

Page 43

― Contextual
  • Unified components / products / systems

― 1st level
  • Separate functional capabilities or scenarios

― 2nd level
  • Functional capabilities divided into components

― 3rd level
  • Complete decomposition describing the architecture or domain model in detail

DFD Detail

Page 44

― The ultimate source of a data flow may be an external entity, a storage, or the process that creates it.

― If write-only data flows are present in the DFD, in 90% of cases that means the DFD is incomplete.

― Data flows cannot go directly from storage to storage; transmission is possible only through processes.

― A DFD should describe the architecture or domain model, not their implementation («no» to flowcharts, class diagrams and call graphs).

The rules of DFD creation

Page 45

The STRIDE model describes the threats of violating 6 properties of information flows.

Building it does not require expert-level knowledge.

Threat identification

Threat                  Property
Spoofing                Authenticity
Tampering               Integrity
Repudiation             Non-repudiation
Information Disclosure  Confidentiality
Denial of Service       Availability
Elevation of privilege  Authorization

Page 46

The set of threats is specific to each DFD element.

* Repudiation is specific only to storages that keep a transaction log

Threats specificity

(Table: which of the S, T, R, I, D, E threats apply to each DFD element type; the element symbols in the first column did not survive extraction, so the rows of check marks cannot be attributed. Repudiation for storages is marked ?*.)

Page 47

Elaborating countermeasures is the final purpose of threat modeling. The countermeasures for each threat should come down to:

― redesign or requirements review (concentration on threats);

― highlighting the configurations that lead to the realization of the threat and taking measures to eliminate the causes of their occurrence (concentration on vulnerabilities/weaknesses);

― creating requirements for the environment that eliminate the possibility of using the vulnerability (concentration on attacks), or decrease the chance of a successful attack and minimize the damage (concentration on risks).

Countermeasures elaboration

Page 48

Should be performed throughout the whole development cycle.

― Does the model correspond to the current implementation?

― Have all the threats been enumerated?
  • minimum: elements crossing the trust boundaries.

― Have countermeasures been elaborated for each threat?

― Have the countermeasures been implemented correctly?

Model validation
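The DFD rules of page 44 and the «minimum» of page 48 as an added, runnable Python example (not from the slides): the element kinds follow the page 39 table, while the sample web-shop model, its flow names and its trust boundaries are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

EXTERNAL, PROCESS, STORE = "external entity", "process", "data storage"   # element kinds of page 39


@dataclass
class Element:
    name: str
    kind: str
    boundary: str        # the trust boundary (machine or process) the element lives in


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class DFD:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

    def add(self, name: str, kind: str, boundary: str) -> None:
        self.elements[name] = Element(name, kind, boundary)

    def flow(self, name: str, src: str, dst: str) -> None:
        self.flows.append(Flow(name, src, dst))

    def validate(self) -> List[str]:
        """Page 44 rules: flows must reference known elements, no storage feeds a storage
        directly, and a storage that is only written to usually means the DFD is incomplete."""
        problems: List[str] = []
        for f in self.flows:
            if f.src not in self.elements or f.dst not in self.elements:
                problems.append(f"flow '{f.name}' references an unknown element")
            elif self.elements[f.src].kind == STORE and self.elements[f.dst].kind == STORE:
                problems.append(f"flow '{f.name}' goes directly from storage '{f.src}' to storage '{f.dst}'")
        for e in self.elements.values():
            if e.kind == STORE and not any(f.src == e.name for f in self.flows):
                problems.append(f"storage '{e.name}' is write-only: no flow reads from it")
        return problems

    def boundary_crossings(self) -> List[Flow]:
        """Flows whose ends lie in different trust boundaries: the minimum set whose threats
        must be enumerated (page 48)."""
        return [f for f in self.flows
                if f.src in self.elements and f.dst in self.elements
                and self.elements[f.src].boundary != self.elements[f.dst].boundary]


def sample_model() -> DFD:
    """Constructed 1st-level DFD of a small web shop; not taken from the slides."""
    d = DFD()
    d.add("Browser", EXTERNAL, "internet")
    d.add("Web app", PROCESS, "web server")
    d.add("Discounts DB", STORE, "db server")
    d.add("Audit log", STORE, "db server")
    d.flow("HTTP request", "Browser", "Web app")
    d.flow("HTTP response", "Web app", "Browser")
    d.flow("SQL query", "Web app", "Discounts DB")
    d.flow("SQL result", "Discounts DB", "Web app")
    d.flow("audit record", "Web app", "Audit log")         # nothing reads the log: write-only
    d.flow("replication", "Discounts DB", "Audit log")     # storage to storage: breaks a page 44 rule
    return d


if __name__ == "__main__":
    model = sample_model()
    for problem in model.validate():
        print("rule violation:", problem)
    print("flows crossing trust boundaries (enumerate STRIDE threats for these first):")
    for f in model.boundary_crossings():
        print(f"  {f.name}: {f.src} -> {f.dst}")
```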

Page 49

Creation of the threat model for a typical web application

Example

Page 50

Default configuration security

Page 51

Secure by Design, by Default and in Deployment

― implementation of the principle of least rights and privileges;

― minimal set of functionality enabled;

― forced change of the default credentials;

― designing each component on the assumption that all the others are compromised.

SD3 Principle

Page 52

Transport layer security

Page 53

HTTP over SSL/TLS. It is designed to provide:

― the confidentiality and integrity of data transmitted over HTTP;

― the authenticity of the server side (less frequently, of the client side).

Or in other words, to protect against MitM attacks.

HTTPS

Page 54

Static resources used in a document that is transmitted over HTTPS:

― style sheets,
― scripts,
― objects,

must also be transmitted over a secure channel!

The use of mixed content

Page 55

Popular approaches:

- HTTP by default, HTTPS as a user option,
- HTTP everywhere, critical entry points over HTTPS,

are inefficient and vulnerable to SSL Stripping attacks.

Inefficient data transmission

Page 56

Partial counteraction is possible by using:

― site-wide HTTPS without optional HTTP,

― the HTTP header Strict-Transport-Security: max-age=expireTime [; includeSubDomains]

provided that the first time the user reaches the site is over HTTPS.

Inefficient data transmission

Page 57

- use 2048-bit private keys;
- protect private keys;
- ensure sufficient domain name coverage;
- obtain certificates from a reliable CA;
- ensure that the certificate chain is valid;
- use only secure protocols;
- use only secure cipher suites;
- control cipher suite selection;
- disable client-initiated renegotiation;
- mitigate known problems.

https://www.ssllabs.com/projects/best-practices/

Deployment phase practices

Page 58

Error handling

Page 59

Error messages:

Information disclosure

Page 60

HTTP response status codes:

Information disclosure

<customErrors mode="On" />

<customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />

Page 61

An oracle is a weird machine that answers the attacker's questions within its functionality.

The most famous example: the padding oracle.

Oracles creation

Page 62

― Use custom error handlers and views with uniform messages about errors.

― Implement transaction support at the level of:
  • methods (try-catch-finally);
  • workflow states.

― Exclude side channels:
  • HTTP response status codes;
  • time delays.

Error handling practices

Page 63

Client-side security

Page 65

― X-Frame-Options {DENY | SAMEORIGIN | ALLOW-FROM uri} defines whether the document may be opened in a frame (http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00)

― X-Content-Security-Policy | Content-Security-Policy | X-WebKit-CSP {…} defines the Content Security Policy (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)

4 HTTP-headers

Page 66

How developers use a CSP

* based on poll results http://www.rsdn.ru/?poll/33884 as of 20 May 2013

Page 67

Main supported directives:

― (connect|font|frame|img|media|object|script|style)-src uri limits the URIs that can be accessed from the corresponding tags of the document

― default-src uri defines the default for all -src directives

― report-uri uri defines the URI to which policy violation reports are sent

― sandbox flags defines a sandbox for iframe elements that restricts the set of states of their content (flags: allow-same-origin | allow-top-navigation | allow-forms | allow-scripts)

Content Security Policy

Page 68

Access Control

Page 69

Identification: establishing an identity

Authentication: proving the established identity

Authorization: assigning rights to the identity

Phases of access control

Page 70

Passwords complexity

Page 71

Password entropy: L = log2(n^m) = m · log2(n),

where n is the size of the set of allowed symbols and m is the actual password length.

Password efficiency: the ratio of the entropy to the actual length (bits per symbol).

Increasing the entropy by 1 bit doubles the maximal number of brute-force iterations.

Raising the entropy by increasing the password length is more effective than by increasing the alphabet size.

Passwords complexity

Page 72

The password complexity should be bounded from below by the entropy defined in the security requirements.

Examples of entropy-increasing rules:
  • a maximal set of available character groups should be used as the source alphabet;
  • at least one symbol from each group should be in the password;
  • symbols belonging to the same group should not appear in neighboring positions of the password;
  • the number of symbols from each group shall be the same;
  • the same symbol shall not appear in the password more than once.

Passwords complexity
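An added worked example (not from the slides) of the entropy formula of page 71 and of the effect of two of the page 72 rules on the size of the password space, in Python; the group sizes are those of printable ASCII and the password lengths are chosen here.

```python
import math
from itertools import product

LOWER, UPPER, DIGITS, PUNCT = 26, 26, 10, 33    # character group sizes of printable ASCII


def entropy_bits(n: int, m: int) -> float:
    """Page 71: L = log2(n^m) = m * log2(n) for an alphabet of n symbols and a password of length m."""
    return m * math.log2(n)


def efficiency(n: int, m: int) -> float:
    """Entropy per symbol of actual length; for an unrestricted password it is simply log2(n)."""
    return entropy_bits(n, m) / m


def count_with_each_group(groups, m: int) -> int:
    """Number of length-m passwords containing at least one symbol from every group
    (rule 2 of page 72), by inclusion-exclusion over the subsets of groups that are used."""
    k = len(groups)
    total = 0
    for mask in range(1 << k):
        used = [groups[i] for i in range(k) if mask & (1 << i)]
        total += (-1) ** (k - len(used)) * sum(used) ** m
    return total


def brute_count_with_each_group(groups, m: int) -> int:
    """Exhaustive cross-check of count_with_each_group for tiny parameters."""
    symbols = [(g, i) for g, size in enumerate(groups) for i in range(size)]
    wanted = set(range(len(groups)))
    return sum(1 for pw in product(symbols, repeat=m) if {s[0] for s in pw} == wanted)


def entropy_under_rules(m: int = 8) -> dict:
    """Bits of entropy of length-m passwords over all four groups: unrestricted, with
    'one symbol of each group', and with 'no symbol more than once' (rule 5 of page 72).
    Each constraint makes the space smaller than the unrestricted n^m."""
    groups = [LOWER, UPPER, DIGITS, PUNCT]
    n = sum(groups)
    return {
        "unrestricted": entropy_bits(n, m),
        "one of each group": math.log2(count_with_each_group(groups, m)),
        "no repeated symbol": math.log2(math.perm(n, m)),
    }


def length_vs_alphabet(n: int, m: int, extra: int = DIGITS):
    """Bits gained by one more symbol of length versus by adding `extra` symbols to the alphabet."""
    return (entropy_bits(n, m + 1) - entropy_bits(n, m),
            entropy_bits(n + extra, m) - entropy_bits(n, m))


if __name__ == "__main__":
    print("8 lowercase letters:", round(entropy_bits(LOWER, 8), 1), "bits,",
          round(efficiency(LOWER, 8), 2), "bits/symbol")
    for rule, bits in entropy_under_rules(8).items():
        print(f"{rule:>20}: {bits:.2f} bits")
    by_length, by_alphabet = length_vs_alphabet(LOWER, 8)
    print(f"+1 symbol: {by_length:.2f} bits; +10 digits: {by_alphabet:.2f} bits")
```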

Page 73

The user shall have a chance to create a strong password on the first attempt.

Dictionary password checks should be implemented without fanaticism of the kind «guess which password is not in the list of the TOP 30M internet passwords».

Password rotation should be avoided, except for:

• privileged accounts;
• standard accounts.

Passwords complexity

Page 74

Account lockout after n unsuccessful login attempts => DoS condition

Introducing timed delays or anti-automation measures is preferable.

Brute-forcing may be performed both through passwords for a given user and through users for a given password.

The authentication form is one of the most popular types of oracles.

Accounts Lockout

Page 75

The password recovery form should not be an oracle for obtaining the list of users.

One field for entering an e-mail address and one message about the successful sending of the letter with a password reset link.

The form for entering the new password, which is not the user's session, opens upon clicking the link.

Any other implementation leads to vulnerabilities!

Passwords Recovering
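An added example (not from the slides) of a login check and a recovery handler that do not act as user-enumeration oracles, following the side-channel list of page 62 and the rules of pages 74 and 75; the in-memory user store, the PBKDF2 parameters and the mail sender are stand-ins assumed for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

ITERATIONS = 100_000           # PBKDF2 work factor; tune to the hardware (assumption)
SALT_BYTES = 16                # 128-bit salt

_kdf_calls = [0]               # counts KDF invocations to show the work is the same on every path


def hash_password(password: str, salt: bytes) -> bytes:
    """Password hash with a purpose-built KDF (PBKDF2 here), not a plain cryptographic hash."""
    _kdf_calls[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def kdf_calls() -> int:
    return _kdf_calls[0]


USERS: Dict[str, Tuple[bytes, bytes]] = {}       # constructed in-memory store: e-mail -> (salt, hash)
RESET_TOKENS: Dict[str, str] = {}                # reset token -> e-mail (a password equivalent)
DUMMY_SALT = os.urandom(SALT_BYTES)              # decoy record so an unknown user costs one KDF call too
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"decoy", DUMMY_SALT, ITERATIONS)


def register(email: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)
    USERS[email] = (salt, hash_password(password, salt))


def login_leaky(email: str, password: str) -> Tuple[int, str]:
    """Oracle: status code and message say whether the account exists, and an unknown
    user skips the KDF, so the response time differs as well."""
    record = USERS.get(email)
    if record is None:
        return 404, "unknown user"
    salt, stored = record
    if hash_password(password, salt) != stored:
        return 403, "wrong password"
    return 200, "ok"


def login_uniform(email: str, password: str) -> Tuple[int, str]:
    """Same status, same message and the same amount of hashing on every failing path."""
    salt, stored = USERS.get(email, (DUMMY_SALT, DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if matches and email in USERS:
        return 200, "ok"
    return 401, "invalid e-mail or password"


def request_reset_uniform(email: str, send_mail: Callable[[str, str], None]) -> Tuple[int, str]:
    """Page 75: one field, one message. The mail should be queued rather than sent inline so
    that the response time does not depend on whether the address exists."""
    if email in USERS:
        token = os.urandom(32).hex()             # 256-bit token from the OS RNG
        RESET_TOKENS[token] = email
        send_mail(email, token)
    return 200, "If this address is registered, a message with a password reset link has been sent."


if __name__ == "__main__":
    register("alice@example.test", "correct horse battery")     # constructed account
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("alice@example.test", "wrong"), fn("nobody@example.test", "wrong"))
    print(request_reset_uniform("nobody@example.test", lambda to, tok: None))
```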

Page 76

― secret words;
― password reset links;
― session identifiers;
― any other data that allows obtaining an authenticated user session,

are authentication equivalents of passwords, to whose confidentiality the same requirements should be applied!

Password Equivalents

Page 77

P = hash(password, salt)

Cryptographic hash functions are not functions for hashing passwords. PBKDF2, bcrypt, scrypt, etc. should be used for creating password hashes.

The salt length should be sufficient to ensure entropy >= 128 bits for any password allowed by the security policy.

The main purpose of the salt is to prevent dictionary and rainbow-table attacks.

Storing Account Data

Page 78

Cryptography handmade

Page 79

The entropy of a session token should not be less than 128 bits (token generation using a secure RNG or encryption).

The token should be transferred in a cookie parameter with the httponly and secure flags.

A new token should be created, and the old one deleted, after each authentication attempt and upon timeout expiration.

Token deletion should be implemented both on the client side and on the server side.

Session management

Page 80

Example: session fixation

Page 81

Example: session fixation

Page 82

The whole available business logic functionality should be explicitly distributed between the roles. A guest is also a role.

Presentation layer:
  • information disclosure about unavailable functionality

Business logic layer:
  • presence of functionality before authorization

Data layer:
  • access control without consideration of the requested data

Inefficient authorization

Page 83

Example: bypassing authorization

Page 84

Example: bypassing authorization

HTTP response:

{
  "d": {
    "__type": "Customer:#Web",
    "Address": "3 Childers St",
    "CustomerID": "3",
    "Email": "[email protected]",
    "FirstName": "Bruce",
    "Postcode": "3000",
    "State": "VIC",
    "Suburb": "Melbourne"
  }
}

HTTP request:

Page 85

Example: bypassing authorization

Page 86

Preliminary data handling

Page 87

― Typing is the creation of an object of the specific type from the string literal of the input data (parsing and deserialization).

― Validation is checking the data for compliance with the established criteria:
  • grammatical;
  • semantic.

― Sanitization is bringing the data into conformance with the grammar permitted by the security policy.

Approaches to data handling

Page 88

Typing and validation are on the input, sanitization is on the output!

Look! Don't confuse them…

Page 89

Input data is a formal language.

Some languages are much harder to recognize than others.

For some, recognition is undecidable.

The more complicated the language, the harder it is to form the criteria on the input data that describe a set of system configurations.

The generalized approach

Page 90

Testing the equivalence of finite automata or deterministic pushdown automata* is decidable.

Such testing is undecidable for non-deterministic pushdown automata and more powerful models of computation.

In the first case, complete test coverage of the parser elements for the language of the processed data, or their static analysis, is possible.

In the second case it is not!

The generalized approach

Page 91

Steps in implementing secure data handling:

― Simplify or decompose the input data language into a set of regular and deterministic context-free grammars.

― Implement input data checking (typing/validation) in the code in accordance with their grammar, as early as possible in the request processing cycle.

― Implement output data sanitizing in the code, built in accordance with the grammar of the receiving side, as close as possible to the output.

The generalized approach

Page 92

The vulnerability criterion for attacks of arbitrary injections

The method of forming output data D_OUTPUT on the basis of input data D_INPUT is vulnerable to injection attacks if the number of nodes in the parse tree of D_OUTPUT depends on the content of D_INPUT.

Application example

Page 93

Example: LINQ Injection

// Vulnerable: sort and dir come straight from the request into a string-based
// (Dynamic LINQ) OrderBy, i.e. into the expression language of the query.
public AjaxStoreResult GetCustomers(int limit, int start, string dir, string sort)
{
    var query = (from c in this.DBContext.Customers
                 select new
                 {
                     c.CustomerID,
                     c.CompanyName,
                     c.ContactName,
                     c.Phone,
                     c.Fax,
                     c.Region
                 }).OrderBy(string.Concat(sort, " ", dir));

    int total = query.ToList().Count;

    query = query.Skip(start).Take(limit);
    return new AjaxStoreResult(query, total);
}


Page 95: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: LINQ Injection

public AjaxStoreResult GetCustomers(int limit, int start, string dir, string sort)
{
    // Allowlist both inputs before they reach the Dynamic LINQ ordering string.
    // The whole alternation is anchored, "^(asc|desc)$" rather than "^asc|desc$",
    // because the latter accepts anything that merely starts with "asc" or ends
    // with "desc". (?i:...) makes the comparison case-insensitive.
    if (!Regex.IsMatch(dir, "^(?i:asc|desc)$"))
        dir = "ASC";
    if (!Regex.IsMatch(sort, "^(?i:customerid|companyname|contactname|phone|fax|region)$"))
        sort = "CustomerID";

    var query = (from c in this.DBContext.Customers
                 select new
                 {
                     c.CustomerID,
                     c.CompanyName,
                     c.ContactName,
                     c.Phone,
                     c.Fax,
                     c.Region
                 }).OrderBy(string.Concat(sort, " ", dir));

    var total = query.ToList().Count;
    query = query.Skip(start).Take(limit);
    return new AjaxStoreResult(query, total);
}
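An alternative to validating the Dynamic LINQ string with a regular expression is to never build that string at all. The following is an added example, not code from the slides: the user's sort parameters are used only as keys into a dictionary of typed key selectors, so the ordering expression is always one of a fixed set of trusted lambdas. The Customer class, the sample rows and the CustomerSorting type are constructed for this demonstration; the slide's AjaxStoreResult and DBContext are replaced by plain in-memory collections so the program runs stand-alone.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Customer is a stand-in for the DBContext.Customers entity on the slide;
// the rows in Main are constructed sample data.
public class Customer
{
    public string CustomerID { get; set; }
    public string CompanyName { get; set; }
    public string Region { get; set; }
    public string Password { get; set; }   // not in the allowlist, so never orderable
}

public static class CustomerSorting
{
    // Canonical column name -> typed key selector. The user's string is only a
    // dictionary key; the ordering itself is always one of these trusted lambdas.
    private static readonly Dictionary<string, Func<Customer, object>> SortKeys =
        new Dictionary<string, Func<Customer, object>>(StringComparer.OrdinalIgnoreCase)
        {
            ["CustomerID"]  = c => c.CustomerID,
            ["CompanyName"] = c => c.CompanyName,
            ["Region"]      = c => c.Region,
        };

    public static IEnumerable<Customer> GetCustomers(
        IEnumerable<Customer> source, int limit, int start, string dir, string sort)
    {
        // Unknown or missing sort column: fall back to the default, as the slide does.
        if (sort == null || !SortKeys.TryGetValue(sort, out var keySelector))
            keySelector = SortKeys["CustomerID"];

        // Only the literal "desc" reverses the order; every other value means ascending.
        bool descending = string.Equals(dir, "desc", StringComparison.OrdinalIgnoreCase);
        var ordered = descending
            ? source.OrderByDescending(keySelector)
            : source.OrderBy(keySelector);

        // Clamp paging values so negative input cannot throw.
        return ordered.Skip(Math.Max(0, start)).Take(Math.Max(0, limit));
    }
}

public static class Program
{
    public static void Main()
    {
        var customers = new List<Customer>
        {
            new Customer { CustomerID = "ALFKI", CompanyName = "Alfreds Futterkiste", Region = "West", Password = "s3cret" },
            new Customer { CustomerID = "ANATR", CompanyName = "Ana Trujillo", Region = "East", Password = "hunter2" },
            new Customer { CustomerID = "ANTON", CompanyName = "Antonio Moreno", Region = "North", Password = "letmein" },
        };

        // "Password" is not an allowed key, so this orders by CustomerID instead;
        // a column that is not displayed cannot be used as a sorting oracle either.
        foreach (var c in CustomerSorting.GetCustomers(customers, 10, 0, "desc", "Password"))
            Console.WriteLine(c.CustomerID + " " + c.CompanyName);
    }
}
```

For an IQueryable backed by a database provider the selectors would be `Expression<Func<Customer, TKey>>` rather than delegates, but the principle is the same: the request chooses between trusted expressions, it never contributes text to one.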



Page 98: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: XSS

The ASPX page fragment:

<p>You are now leaving this site - we're no longer responsible!</p>
<p><asp:Literal runat="server" ID="litLeavingTag" /></p>

Its code behind fragment:

// The Url parameter is placed into an unquoted href attribute as-is, so any
// '>' in it closes the tag and the rest becomes markup.
var newUrl = Request.QueryString["Url"];
var tagString = "<a href=" + newUrl + ">continue</a>";
litLeavingTag.Text = tagString;

The result for the request http://host.domain/?url=><script>alert('XSS')</script:

<p><a href=><script>alert('XSS')</script>continue</a></p>


Page 100: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: XSS

The ASPX page fragment:

<p>You are now leaving this site - we're no longer responsible!</p>
<p><asp:Literal runat="server" ID="litLeavingTag" /></p>

Its code behind fragment:

// HTML-encoding the value turns '<' and '>' into entities, so the injected
// markup is rendered as text instead of being parsed as a tag.
var newUrl = Request.QueryString["Url"];
var tagString = "<a href=" + Server.HtmlEncode(newUrl) + ">continue</a>";
litLeavingTag.Text = tagString;

The result for the request http://host.domain/?url=><script>alert('XSS')</script:

<p><a href=&gt;&lt;script&gt;alert('XSS')&lt;/script>continue</a></p>
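The encoding above neutralises the markup, but the href is still an unquoted attribute and still accepts any scheme. The following added example (not from the slides) shows the two extra checks a practitioner would pair with the encoding: the attribute is quoted as well as encoded, and the target is accepted only if it is an absolute http or https URL, falling back to a fixed path otherwise. System.Net.WebUtility.HtmlEncode stands in for Server.HtmlEncode so the program runs outside ASP.NET; LeavingLink and the fallback value are constructed for this example.

```csharp
using System;
using System.Net;

// LeavingLink is a constructed helper; it is not part of the slide's code.
public static class LeavingLink
{
    // Only absolute http(s) URLs are accepted. HtmlEncode alone would let a
    // "javascript:" URL through untouched, because it contains no HTML metacharacters.
    public static bool IsSafeRedirectTarget(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri)) return false;
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    public static string Build(string newUrl, string fallback = "/")
    {
        var target = IsSafeRedirectTarget(newUrl) ? newUrl : fallback;
        // Quoted AND encoded: the quotes stop a space or '>' from ending the
        // attribute, and encoding stops a '"' from ending the quotes.
        return "<a href=\"" + WebUtility.HtmlEncode(target) + "\" rel=\"noopener noreferrer\">continue</a>";
    }
}

public static class Program
{
    public static void Main()
    {
        // The payload from the slide is not an absolute URL, so the fallback is used.
        Console.WriteLine(LeavingLink.Build("><script>alert('XSS')</script"));
        // A script-scheme URL parses as an absolute URI but fails the scheme check.
        Console.WriteLine(LeavingLink.Build("javascript:alert(1)"));
        // A legitimate target passes through; '&' in the query string is encoded.
        Console.WriteLine(LeavingLink.Build("https://example.com/?a=1&b=2"));
    }
}
```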

Page 101: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Demo: how to blow up NPP through XSS

Page 102: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Workflow control

Page 103: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

A workflow is well described by its states and the transition rules between them.

A security policy should be defined for every workflow, and its enforcement implemented.

Recursive paths and cycles in a workflow should be avoided, and the possibility of integrity violations of shared data must be taken into account.

The current configuration of the flow must be stored before the trust boundary, not beyond it.

Workflow integrity control
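The points above (explicit states, an allowlist of transitions, no cycles, state kept on the trusted side) can be expressed directly in code. The following is an added example, not from the slides: an order workflow whose transition table is the security policy, enforced by the server, with the current state held in the object rather than accepted from the client. The order states and the transition table are constructed for this demonstration.

```csharp
using System;
using System.Collections.Generic;

// Constructed example states; a real workflow would have its own.
public enum OrderState { Created, Paid, Shipped, Delivered, Cancelled }

public sealed class OrderWorkflow
{
    // Each state lists the only states reachable from it. No edge leads back to
    // an earlier state, so the graph has no cycles and a terminal state stays terminal.
    private static readonly Dictionary<OrderState, HashSet<OrderState>> Allowed =
        new Dictionary<OrderState, HashSet<OrderState>>
        {
            [OrderState.Created]   = new HashSet<OrderState> { OrderState.Paid, OrderState.Cancelled },
            [OrderState.Paid]      = new HashSet<OrderState> { OrderState.Shipped, OrderState.Cancelled },
            [OrderState.Shipped]   = new HashSet<OrderState> { OrderState.Delivered },
            [OrderState.Delivered] = new HashSet<OrderState>(),
            [OrderState.Cancelled] = new HashSet<OrderState>(),
        };

    // The current state is stored before the trust boundary: the client only
    // names the transition it wants, it never supplies the state itself.
    public OrderState State { get; private set; } = OrderState.Created;

    public bool TryTransition(OrderState requested)
    {
        if (!Allowed[State].Contains(requested))
            return false;   // reject and leave the order where it was; worth logging
        State = requested;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var order = new OrderWorkflow();
        Console.WriteLine(order.TryTransition(OrderState.Paid));       // Created -> Paid is allowed
        Console.WriteLine(order.TryTransition(OrderState.Created));    // no way back to Created
        Console.WriteLine(order.TryTransition(OrderState.Delivered));  // Paid -> Delivered skips Shipped
        Console.WriteLine(order.TryTransition(OrderState.Shipped));    // Paid -> Shipped is allowed
        Console.WriteLine(order.State);
    }
}
```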

Page 104: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

The authenticity of the request source that initiates a workflow transition is subject to mandatory control.

A widespread approach is to use two tokens on each request (one kept before the trust boundary, the other transferred outside it) and to check authenticity by comparing them.

This control is necessary only for requests that change the state of the system.

Authenticity control of the operation initiator

Page 105: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: CSRF


Page 107: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: CSRF

...
<input type="button" value="Update status" onclick="return UpdateStatus()" />
...
<script language="javascript" type="text/javascript">
// <![CDATA[
function UpdateStatus() {
    var service = new Web.StatusUpdateService();
    var statusUpdate = document.getElementById('txtStatusUpdate').value;
    service.UpdateStatus(statusUpdate, onSuccess, null, null);
}

function onSuccess(result) {
    var statusUpdate = document.getElementById('txtStatusUpdate').value = "";
    __doPostBack('MainContent_updStatusUpdates', '');
}
// ]]>
</script>

Page 108: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: CSRF

[OperationContract]
public void UpdateStatus(string statusUpdate)
{
    // Only the session cookie is checked. The browser attaches that cookie to a
    // request made from any page, so this proves who the user is, not that the
    // request came from this application's own form.
    if (!HttpContext.Current.User.Identity.IsAuthenticated)
        throw new ApplicationException("Not logged on");

    var dc = new VulnerableAppDataContext();
    dc.Status.InsertOnSubmit(new Status
    {
        StatusID = Guid.NewGuid(),
        StatusDate = DateTime.Now,
        Username = HttpContext.Current.User.Identity.Name,
        StatusUpdate = statusUpdate
    });
    dc.SubmitChanges();
}


Page 110: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: CSRF

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
    <script src="http://localhost:85/ScriptResource.axd?d=4sSlXLx8QpYnLirlbD...
    <script src="http://localhost:85/ScriptResource.axd?d=oW55T29mrRoDmQ0h2E...
    <script src="http://localhost:85/StatusUpdateService.svc/jsdebug" type="...

    <script language="javascript" type="text/javascript">
    // <![CDATA[
    var service = new Web.StatusUpdateService();
    var statusUpdate = "hacky hacky";
    service.UpdateStatus(statusUpdate, null, null, null);
    // ]]>
    </script>
</head>
<body>
    You've been CSRF'd!
</body>
</html>


Page 112: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: CSRF

protected string GetToken()
{
    if (Session["Token"] == null)
    {
        Session["Token"] = Guid.NewGuid();
    }
    return Session["Token"].ToString();
}
...
function UpdateStatus()
{
    var service = new Web.StatusUpdateService();
    var statusUpdate = document.getElementById('txtStatusUpdate').value;
    var token = "<%= GetToken() %>";
    service.UpdateStatus(statusUpdate, token, onSuccess, null, null);
}
...
[OperationContract]
public void UpdateStatus(string statusUpdate, string token)
{
    var sessionToken = HttpContext.Current.Session["Token"];
    if (sessionToken == null || sessionToken.ToString() != token)
    {
        throw new ApplicationException("Invalid token");
    }
...
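The fix above is the synchronizer-token pattern: one token stays in the session (before the trust boundary), its copy is embedded in the page and must come back with every state-changing call. The following added example, not from the slides, implements the same two functions with two hardening details: the token is drawn from a cryptographic random number generator rather than Guid.NewGuid(), whose randomness is not a documented guarantee, and the comparison is constant-time. A Dictionary stands in for the ASP.NET Session object; CsrfTokens is a constructed name. CryptographicOperations.FixedTimeEquals is assumed to be available (.NET Core 2.1 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// CsrfTokens is a constructed helper; the IDictionary parameter plays the role of Session.
public static class CsrfTokens
{
    // Equivalent of GetToken(): create the per-session token once, then reuse it.
    public static string GetOrCreateToken(IDictionary<string, object> session)
    {
        if (!session.TryGetValue("Token", out var existing))
        {
            var bytes = new byte[32];                       // 256 bits of entropy
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(bytes);
            existing = Convert.ToBase64String(bytes);
            session["Token"] = existing;
        }
        return (string)existing;
    }

    // Equivalent of the check in UpdateStatus(): true only when a token exists in
    // the session and the submitted one matches it. FixedTimeEquals returns false
    // for differing lengths and otherwise takes the same time regardless of where
    // the first mismatch is, so response timing cannot be used to guess the token.
    public static bool IsValidToken(IDictionary<string, object> session, string submitted)
    {
        if (submitted == null || !session.TryGetValue("Token", out var stored))
            return false;
        var a = Encoding.UTF8.GetBytes((string)stored);
        var b = Encoding.UTF8.GetBytes(submitted);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}

public static class Program
{
    public static void Main()
    {
        var session = new Dictionary<string, object>();
        var token = CsrfTokens.GetOrCreateToken(session);   // rendered into the page by GetToken()

        // The application's own page sends the embedded token back with the call.
        Console.WriteLine(CsrfTokens.IsValidToken(session, token));
        // A cross-site page cannot read the victim's token, so it can only guess or omit it.
        Console.WriteLine(CsrfTokens.IsValidToken(session, "guess"));
        Console.WriteLine(CsrfTokens.IsValidToken(session, null));
    }
}
```

In the service method the failed check should still end in an exception or a 403, as on the slide; the point of the example is where the token comes from and how it is compared.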


Page 114: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Implementation of other business logic

Page 115: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Business logic workflows should possess not only the properties of necessity and sufficiency for their implementation, but also minimality.

Any states and transition rules that implement «a little bit» more functionality than the current task requires should be simplified or restricted.

<?=@`$c`?>

A PHP arithmetic expression calculator (Turing completeness is the foundation for the future; the code is minimal for now).

Functional excessiveness

Page 116: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: accessing hidden data

var fieldName = Request["field"] ?? "Id";
var minValue = int.Parse(Request["min"]);
var maxValue = int.Parse(Request["max"]);

// The column name is "sanitized" by stripping a handful of characters and then
// interpolated into the query text; only the bounds are parameterized.
var queryTemplate = string.Format(
    "SELECT Id, Nickname, Rating, MessageCount, TopicCount FROM Users WHERE {0} >= @minValue AND {0} <= @maxValue ORDER BY {0}",
    fieldName.Replace("'", string.Empty)
             .Replace(" ", string.Empty)
             .Replace("\\", string.Empty)
             .Replace(",", string.Empty)
             .Replace("(", string.Empty)
             .Replace(")", string.Empty));

var selectCommand = string.Format(queryTemplate, debugStr); // debugStr is not defined in this fragment

var cmd = new SqlCommand(selectCommand, dataConnection);

cmd.Parameters.Add(new SqlParameter("@minValue", minValue));
cmd.Parameters.Add(new SqlParameter("@maxValue", maxValue));

...

/users/filter.aspx?field={fieldName}&min={minValue}&max={maxValue}

Page 117: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: accessing hidden data

http://host.domain/users/filter.aspx?field=password&min=a&max=a
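Stripping characters from the column name does not help here: `password` is a perfectly valid identifier, and a filter on a column that is never displayed lets its value be narrowed down request by request through min and max. The following added example (not from the slides) rebuilds the query so that the column is chosen from an allowlist equal to the SELECT list, and parses the bounds with TryParse so that `min=a` is a rejected request rather than an unhandled exception. UserFilterQuery and the request values in Main are constructed for this demonstration.

```csharp
using System;

// UserFilterQuery is a constructed helper built around the slide's query.
public static class UserFilterQuery
{
    // Exactly the columns in the SELECT list. A column that is not shown cannot be
    // filtered on either, so no hidden value can be narrowed down via min/max.
    private static readonly string[] FilterableColumns =
        { "Id", "Nickname", "Rating", "MessageCount", "TopicCount" };

    // Maps the requested name onto the canonical spelling from the allowlist;
    // the request string itself never reaches the SQL text.
    public static string ResolveField(string requested)
    {
        foreach (var column in FilterableColumns)
            if (string.Equals(column, requested, StringComparison.OrdinalIgnoreCase))
                return column;
        return "Id";
    }

    // int.TryParse instead of int.Parse: a non-numeric bound is a bad request,
    // not a stack trace on the page.
    public static bool TryParseRange(string min, string max, out int lo, out int hi)
    {
        hi = 0;
        return int.TryParse(min, out lo) && int.TryParse(max, out hi) && lo <= hi;
    }

    public static string Build(string requestedField)
    {
        var field = ResolveField(requestedField);
        // Only the allowlisted identifier is interpolated; the bounds stay parameters.
        return "SELECT Id, Nickname, Rating, MessageCount, TopicCount FROM Users " +
               "WHERE [" + field + "] >= @minValue AND [" + field + "] <= @maxValue " +
               "ORDER BY [" + field + "]";
    }
}

public static class Program
{
    public static void Main()
    {
        // The request from the slide: field=password&min=a&max=a
        Console.WriteLine(UserFilterQuery.TryParseRange("a", "a", out var lo, out var hi)
            ? "range ok" : "rejected: min/max are not integers");
        Console.WriteLine(UserFilterQuery.Build("password"));   // password is not filterable, Id is used

        // A legitimate request: field=rating&min=10&max=20
        if (UserFilterQuery.TryParseRange("10", "20", out lo, out hi))
            Console.WriteLine(UserFilterQuery.Build("rating") + "  -- @minValue=" + lo + " @maxValue=" + hi);
    }
}
```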

Page 118: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: mass-assignment

Model:

public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool IsAdmin { get; set; }
}

Controller:

public class UserController : Controller
{
    IUserRepository _userRepository;

    public UserController(IUserRepository userRepository)
    {
        _userRepository = userRepository;
    }

    public ActionResult Edit(int id)
    {
        var user = _userRepository.GetUserById(id);
        return View(user);
    }

    [HttpPost]
    public ActionResult Edit(int id, FormCollection collection)
    {
        try
        {
            var user = _userRepository.GetUserById(id);
            // UpdateModel binds every posted field whose name matches a property,
            // including IsAdmin, which the edit form never offers.
            UpdateModel(user);
            _userRepository.SaveUser(user);
            return RedirectToAction("Index");
        }
        catch
        {
            return View();
        }
    }
}


Page 120: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Example: mass-assignment

Model:

public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool IsAdmin { get; set; }
}

Controller:

public class UserController : Controller
{
    IUserRepository _userRepository;

    public UserController(IUserRepository userRepository)
    {
        _userRepository = userRepository;
    }

    public ActionResult Edit(int id)
    {
        var user = _userRepository.GetUserById(id);
        return View(user);
    }

    [HttpPost]
    public ActionResult Edit(int id, FormCollection collection)
    {
        try
        {
            var user = _userRepository.GetUserById(id);
            // Only UserName and Password may be bound from the form;
            // a posted IsAdmin or Id is ignored.
            TryUpdateModel(user, includeProperties: new[] { "UserName", "Password" });
            _userRepository.SaveUser(user);
            return RedirectToAction("Index");
        }
        catch
        {
            return View();
        }
    }
}
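To make visible what `includeProperties` does, the following added example (not from the slides, and not MVC's own binder) writes the allowlisted binding out as a small reflection-based function: only the named form fields are copied onto the model, and everything else is reported so an unexpected `IsAdmin` in a POST body can be logged. The User class mirrors the slide's model; AllowlistBinder and the form values are constructed for this demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Mirrors the model on the slide.
public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool IsAdmin { get; set; }
}

// Constructed stand-in for TryUpdateModel(model, includeProperties).
public static class AllowlistBinder
{
    // Copies only the allowlisted form fields onto the model and returns the
    // names that were ignored, so tampering attempts can be logged.
    public static IList<string> Bind(object target, IDictionary<string, string> form, params string[] allowed)
    {
        var ignored = new List<string>();
        foreach (var kv in form)
        {
            // Fields outside the allowlist never touch the model, whatever their name.
            if (Array.IndexOf(allowed, kv.Key) < 0)
            {
                ignored.Add(kv.Key);
                continue;
            }
            var prop = target.GetType().GetProperty(kv.Key, BindingFlags.Public | BindingFlags.Instance);
            if (prop == null || !prop.CanWrite)
            {
                ignored.Add(kv.Key);
                continue;
            }
            try
            {
                prop.SetValue(target, Convert.ChangeType(kv.Value, prop.PropertyType));
            }
            catch (FormatException)
            {
                ignored.Add(kv.Key);   // a real binder would report this as a validation error
            }
        }
        return ignored;
    }
}

public static class Program
{
    public static void Main()
    {
        var user = new User { Id = 7, UserName = "alice", Password = "old", IsAdmin = false };

        // A tampered POST body: IsAdmin and Id are not fields of the edit form.
        var form = new Dictionary<string, string>
        {
            ["UserName"] = "alice",
            ["Password"] = "new-password",
            ["IsAdmin"] = "true",
            ["Id"] = "1",
        };

        var ignored = AllowlistBinder.Bind(user, form, "UserName", "Password");

        Console.WriteLine("IsAdmin=" + user.IsAdmin + " Id=" + user.Id);   // both unchanged
        Console.WriteLine("ignored: " + string.Join(", ", ignored));
    }
}
```

A dedicated edit view model containing only UserName and Password achieves the same result without a runtime allowlist, and is the cleaner choice when the set of editable fields is fixed.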


Page 122: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Security Development Lifecycle

Page 123: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Microsoft SDL

Page 126: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

SDL practices:

― establish security and privacy requirements;

― create quality gates/bug bars;

― perform security and privacy risk assessments.

Requirements

Page 127: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

SDL practices:

― establish design requirements;

― attack surface analysis/reduction;

― threat modeling.

Design

Page 128: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

SDL practices:

― use approved tools;

― deprecate unsafe functions;

― perform static analysis.

Implementation

Page 129: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

SDL practices:

― perform dynamic analysis;

― fuzz-testing;

― attack surface review.

Verification

Page 130: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

SDL practices:

― create an incident response plan:
  • participants;
  • patch-management strategy;
  • plans for securing 3rd-party code.

― conduct final security review.

― certify release and archive.

Release

Page 131: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

SDL practices:

― execute incident response plan:
  • advisory analysis;
  • risk assessment;
  • patch release and deployment;
  • client notification;
  • information disclosure.

Response

Page 132: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

SDL implies a linear development process; however, SDL practices adapt well to agile approaches when distributed into three categories:

― one-time: executed once;

― per-sprint: executed on every sprint;

― bucket: at least one practice from the list (bucket) must be executed on each sprint.

SDL and Agile

Page 133: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

― establish security and privacy requirements;

― perform security and privacy risk assessments;

― establish design requirements;

― attack surface analysis/reduction;

― create an incident response plan.

One-time practices

Page 134: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

― learning;

― threat modeling;

― use approved tools;

― deprecate unsafe functions;

― perform static analysis;

― conduct final security review;

― certify release and archive.

Sprint practices

Page 135: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

― create quality gates/bug bars;

― perform dynamic analysis;

― fuzz-testing;

― attack surface review.

Bucket practices

Page 136: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Thank you for your attention! Any questions?

Vladimir Kochetkov

[email protected]
@kochetkov_v

web applications security researcher
Positive Technologies

Page 137: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)

Materials of the following works were used in the presentation:

― “OWASP Top 10 for .NET Developers” by Troy Hunt

― “The Science of Insecurity” by Len Sassaman, Meredith L. Patterson, Sergey Bratus

― “The Essence of Command Injection Attacks in Web Applications” by Zhendong Su, Gary Wassermann

― “Modeling Computer Insecurity” by Sophie Engle, Sean Whalen, Matt Bishop

Copyrights

Page 138: How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)