StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 World


Published on November 26, 2008

Author: startpad

Source: slideshare.net

Description

Damon Cortesi of Alchemy Security presents the most effective ways to plug the most common holes found in web services. Learn about XSS, SQL injection, and why you should care about these things now instead of later.

Hacking and Compliance in a Web 2.0 World

Damon P. Cortesi, CISSP

Director @ Alchemy Security

Stats Nut | Security Geek | Builder of Tools

$ whoami

Connecticut >> Chicago >> Seattle (2006)

@dacort on Twitter ( http://tweetstats.com )

Security Consultant, recently self-employed

Destroyer of Web Apps and Dual-Cores

$ cat ~/.plan

Web 2.0 Security

Things you still need to watch out for.

E-commerce Startups and Compliance

What is this PCI thing you speak of?

Privacy Policy and Data Breach Notification Laws.

And maybe if we're lucky...demo time.

Web 2.0 Frameworks

Rails, Django, CakePHP

Rapid Development, Data abstraction

Alleviates common security pain points: SQL Injection, Cross-Site Scripting (kind of ...)

Typical challenges still present

The "kind of" - XSS

As of Django 1.0 (Sep 2008), HTML is auto-escaped. YAYYYYYYYYYYYY!

Does Rails? No (the 2.x releases current at the time of this talk leave it to you to wrap every untrusted value in h)

Does Google App Engine? No. Really? Yup, really. (No domain-wide cookies on appspot.com, phew: an XSS in one app does not expose cookies set by the others.)

Does ASP.NET? On built-in controls; it also has built-in request validation

Define Briefly

SQL Injection - Unsanitized data being passed to a database, potentially executing arbitrary code.

dpc' OR 'a'='a (the quote closes the string literal; the OR 'a'='a tautology makes the WHERE clause true for every row)

xp_cmdshell (SQL Server's stored procedure for running OS commands; this is how "arbitrary code" happens once the attacker controls the statement)

XSS - Unsanitized data being re-displayed and interpreted in the browser.

<script>alert(document.cookie);</script>
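To make the first definition concrete, here is an added Ruby example (not code from the talk) that pastes the slide's payload into a concatenated statement and then into a properly quoted literal. The users table, the username column and the helper names are invented for the demonstration; the quoting is hand-rolled only so the mechanism is visible, real code should use the driver's bind parameters.

```ruby
# Added example, not code from the talk: the slide's payload pasted into a
# concatenated statement versus a quoted literal. The users table and the
# username column are invented for the demonstration.

PAYLOAD = "dpc' OR 'a'='a"

# Vulnerable: user input becomes part of the SQL text. The single quote in
# PAYLOAD closes the literal and the rest is parsed as SQL, so the WHERE
# clause is true for every row.
def vulnerable_query(username)
  "SELECT * FROM users WHERE username = '#{username}'"
end

# Minimal literal quoting: every single quote inside the value is doubled,
# so the value can never terminate the literal. Shown only to make the
# mechanism visible; in real code use the driver's bind parameters
# (ActiveRecord's "?" placeholders, PDO prepared statements), which also
# handle MySQL's backslash escaping and non-string types.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def safe_query(username)
  "SELECT * FROM users WHERE username = #{quote_literal(username)}"
end

# Counts the string literals a SQL parser would see, treating '' inside a
# literal as an escaped quote rather than a boundary. Used here only to show
# that the injected text became separate SQL tokens in one case and stayed
# one literal in the other.
def literal_count(sql)
  sql.scan(/'(?:[^']|'')*'/).size
end

if __FILE__ == $0
  puts vulnerable_query(PAYLOAD)
  puts safe_query(PAYLOAD)
  puts "literals: #{literal_count(vulnerable_query(PAYLOAD))} vs #{literal_count(safe_query(PAYLOAD))}"
end
```

The vulnerable statement ends up with three string literals and an OR between them; the quoted one is a single literal containing the whole payload, which simply matches no user.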

XSS - The Bad, The Ugly

XSS 101 - Executes user input in browser context

Typical test: "><script>alert('dcash')</script>

"site:appspot.com search" on Google: 156,000 Results

First 30 results, at least 4 XSS-vulnerable apps

So...why is this bad?

XSS Scenarios

Arbitrary JavaScript Execution

Page/HTML inserts, deletes

Browser control, exploit download

Cookie monsters (document.cookie handed to the attacker's server, giving them the victim's session)

Fixing XSS

Primarily - HTML/URL Encoding, Proper Escaping

<%= h "<b>dacort</b>" %> renders as &lt;b&gt;dacort&lt;/b&gt;

Validation && Sanitization - Regexes

Rails Routes: ':controller/show/:id', :id => /\d+/, :action ...

ActiveRecord validates_format_of (anchor the pattern with \A and \z; in Ruby ^ and $ match at line boundaries, so a value with a newline in it slips past /^\d+$/)

More XSS Prevention

Secure Cookie Flag (GMail, again...)

The site is served from https://site.com; inject a link to an image on http://site.com

If the session cookie lacks the "secure" flag, the browser sends it with that plain-http image request, so anyone sniffing the network reads it

HTTPOnly Cookie Flag

The cookie can't be read with <script> (document.cookie does not return it), so an XSS payload cannot exfiltrate it

Use innerText, not innerHTML, when putting user-supplied strings into the DOM
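The two slides above (Fixing XSS and More XSS Prevention) come together in this added Ruby example, which is not code from the talk or from Rails: it shows what the h helper does to the slide's test payload, why the route regex needs anchors, and what the Secure and HttpOnly flags change. The functions render_field, session_cookie_header and cookie_sent? are invented names; cookie_sent? models only the browser rule for the Secure flag, nothing else.

```ruby
require 'cgi'

# Added example, not code from the talk: what Rails' h helper does to the
# slide's payload, why the route regex needs anchors, and what the Secure and
# HttpOnly flags change. render_field, session_cookie_header and
# cookie_sent? are names invented for this demonstration.

# Rails' h (html_escape) does the same thing as CGI.escapeHTML: & < > " '
# become entities, so the browser renders the text instead of parsing it.
def html_escape(s)
  CGI.escapeHTML(s.to_s)
end

# Reflecting the value unescaped: the slide's test payload closes the
# attribute and the tag, then injects its own <script>.
def render_field_unsafe(value)
  "<input value=\"#{value}\">"
end

def render_field(value)
  "<input value=\"#{html_escape(value)}\">"
end

# The slide constrains :id with /\d+/. Unanchored, that matches any value
# that merely contains a digit. \A and \z pin it to the whole string
# (^ and $ only match line boundaries in Ruby, so "1\n<script>" would pass).
def valid_id?(id)
  id.to_s.match?(/\A\d+\z/)
end

# Set-Cookie line for the session cookie. Without Secure the browser attaches
# the cookie to an http:// image request injected into an https page, so it
# crosses the wire in the clear; without HttpOnly an XSS payload can read it
# through document.cookie.
def session_cookie_header(value, secure: true, httponly: true)
  attrs = ["session=#{value}", "Path=/"]
  attrs << "Secure" if secure
  attrs << "HttpOnly" if httponly
  attrs.join("; ")
end

# The browser-side rule the Secure flag imposes: a Secure cookie is only sent
# over https.
def cookie_sent?(set_cookie, request_url)
  secure = set_cookie.split("; ").include?("Secure")
  !secure || request_url.start_with?("https://")
end

if __FILE__ == $0
  payload = %q{"><script>alert('dcash')</script>}
  puts render_field_unsafe(payload)   # browser runs the script
  puts render_field(payload)          # browser shows the payload as text
  puts valid_id?("123"), valid_id?("123<script>")
  puts cookie_sent?(session_cookie_header("abc", secure: false), "http://site.com/x.gif")
  puts cookie_sent?(session_cookie_header("abc"), "http://site.com/x.gif")
end
```

Escaping on output is the rule; validation on input is a second layer that reduces what reaches the template in the first place, and it only helps when the pattern covers the whole value.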

Cross-Site Request Forgery

Browsing circa 1998: One window. One site.

Browsing circa 2008: many tabs, logged in to many sites at once

CSRF++

Daily browsing - authenticated to many sites at once

GET style attacks: <img src="http://x.com/message/123/delete"/>

Cookies sent with this request (the browser attaches a site's cookies to every request for that site, whichever page triggered it)

POST style attacks: generally combined with JavaScript (a hidden form on the attacker's page that submits itself), possible due to lack of form tokens

GMail Hack (There's a new one!!)

CSRF GET

<img src="http://x.com/message/123/delete"/>
<img src="http://x.com/message/124/delete"/>
<img src="http://x.com/message/125/delete"/>
<img src="http://x.com/message/126/delete"/>
<img src="http://x.com/message/.../delete"/>

No tokens? Logged in? Valid message? "Pwned"

Switching to POST requests is not the solution: a script-submitted form on the attacker's page is just as silent as the image tags. What stops it is a per-session token in the form that the other site cannot know.

CSRF POST

GMail Analysis

GMail Create Filter (GET URL)

"at" variable == "GMAIL_AT" cookie value (a double-submit token: the request must repeat a cookie value that a page on another origin cannot read)

Using CSRF (or XSS?) on malicious page

Steal GMAIL_AT, submit GET request above (pure CSRF cannot read the cookie, so the attacker first needs an XSS or some other leak of it)
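The three CSRF slides above describe a procedure; this added Ruby example (not code from the talk, from Rails or from GMail) carries it through: a per-session token, the checks a state-changing handler has to make, and the double-submit variant the GMail analysis describes. The request, session and cookie hashes are a constructed stand-in for a web framework, and delete_message, create_filter and the simulate_* functions are invented names.

```ruby
require 'securerandom'

# Added example, not code from the talk: a per-session anti-CSRF token, the
# checks a state-changing handler has to make, and why a cookie echoed back
# as a parameter (the "at" == GMAIL_AT scheme on the slide) stops cross-site
# requests but not a same-origin XSS. The request and session hashes, and
# the handler names, are a constructed stand-in for a web framework.

def new_csrf_token
  SecureRandom.hex(16)
end

# Constant-time comparison so a token check cannot be probed byte by byte.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A destructive action must refuse GET (so an <img src=...> cannot trigger it)
# and require a token that a page on another origin cannot know. The session
# cookie alone proves nothing: the browser attaches it to the attacker's
# request just as it does to a legitimate one.
def delete_message(request, session)
  return [405, "state-changing requests must be POST"] unless request[:method] == "POST"
  return [401, "not logged in"] unless session[:user]
  token = request[:params]["authenticity_token"]
  return [403, "missing or wrong CSRF token"] unless secure_compare(token, session[:csrf_token])
  [200, "deleted message #{request[:params]['id']}"]
end

# The double-submit variant: the token lives in a cookie and must be echoed
# as a parameter. A cross-origin page cannot read the cookie, so plain CSRF
# fails; script running on the site's own origin (XSS) can read it and win.
def create_filter(request, cookies)
  return [403, "at parameter does not match GMAIL_AT cookie"] unless secure_compare(request[:params]["at"], cookies["GMAIL_AT"])
  [200, "filter created"]
end

# Three constructed requests against one logged-in session.
def simulate_csrf
  session = { user: "dacort", csrf_token: new_csrf_token }
  # attacker's <img src="http://x.com/message/123/delete">: GET, cookies sent, no token
  img_get = { method: "GET", params: { "id" => "123" } }
  # attacker's auto-submitted hidden form: POST, cookies sent, still no token
  forged_post = { method: "POST", params: { "id" => "123" } }
  # the site's own form, which embedded the session's token
  real_post = { method: "POST", params: { "id" => "123", "authenticity_token" => session[:csrf_token] } }
  [img_get, forged_post, real_post].map { |req| delete_message(req, session).first }
end

def simulate_double_submit
  cookies = { "GMAIL_AT" => new_csrf_token }
  blind = { params: { "at" => "" } }                    # cross-site page, cannot see the cookie
  leaked = { params: { "at" => cookies["GMAIL_AT"] } }  # after an XSS read the cookie
  [create_filter(blind, cookies).first, create_filter(leaked, cookies).first]
end

if __FILE__ == $0
  p simulate_csrf          # [405, 403, 200]
  p simulate_double_submit # [403, 200]
end
```

The forged POST fails for the same reason the image tags do: the attacker's page can cause the browser to send cookies, but it cannot read the token the site embedded in its own form. The double-submit scheme is only as strong as the site's XSS posture, which is why the slide's question mark on "(or XSS?)" matters.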

Third-Party Components

You installed what?? Drupal plugins, Wordpress plugins, themes too!, ASP.NET components

Is that code secure? Does it execute commands? Does it utilize the network?

Funky encoding... (obfuscated or base64-packed code in a plugin or theme is a red flag worth reading before it goes live)

What to Look For?

Find input vectors: Request.[Cookies|Form|QueryString] in ASP.NET; $_GET, $_POST, $_REQUEST in PHP (<-- careful: $_REQUEST merges GET, POST and, depending on configuration, cookie data, so a value you expect from a form can be supplied in the URL); params[:id] in Rails

Make sure output is protected: encoding to browser, escaping (or bind parameters) to database, etc

Poor Design = Poor Security

Example Startup FreeMail (names changed ... )

RSS feed for your Inbox. Google does it, why can't we?

No authentication. No SSL. No security. (Google's inbox feed is authenticated and served over HTTPS; drop both and anyone who knows the feed URL, or watches the network, reads the inbox.)

Flash Security

Flash - Fantastic base on which to build dynamic sites

crossdomain.xml - Allows Flash movies served from other domains to read data from yours, with the user's cookies attached to the requests

BAD : <allow-access-from domain="*"/>

Can ultimately allow for compromise of user data (cookies) if a trusted domain is vulnerable to XSS, etc: a movie loaded from any allowed origin can make requests to your site as the logged-in user and read the responses
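A check for the policy file the slide warns about, as an added Ruby example that is not from the talk: it parses a crossdomain.xml and flags the wildcard the slide calls BAD, plus the two related weakenings (a leading-wildcard domain that trusts every subdomain, and secure="false", which lets http:// origins into a policy served over https). Both policy documents are constructed for the demo; lint_crossdomain is an invented name.

```ruby
require 'rexml/document'

# Added example, not code from the talk: flags the wildcard policy from the
# slide and two related weakenings. Both policies below are constructed.

BAD_POLICY = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="*"/>
  </cross-domain-policy>
XML

GOOD_POLICY = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="www.example.com" secure="true"/>
    <allow-access-from domain="cdn.example.com" secure="true"/>
  </cross-domain-policy>
XML

# Returns a list of findings (empty means nothing flagged). Rules:
# - domain="*" lets a Flash movie from any site read responses from this one
#   with the user's cookies attached.
# - a leading-wildcard domain ("*.example.com") trusts every subdomain, so an
#   XSS on any one of them reaches this site's data.
# - secure="false" on a policy served over https admits http:// origins too.
def lint_crossdomain(xml)
  findings = []
  doc = REXML::Document.new(xml)
  doc.elements.each("cross-domain-policy/allow-access-from") do |el|
    domain = el.attributes["domain"].to_s
    secure = el.attributes["secure"]
    if domain == "*"
      findings << "domain=\"*\" allows every origin"
    elsif domain.start_with?("*")
      findings << "wildcard domain #{domain} trusts all subdomains"
    end
    findings << "secure=\"false\" on #{domain}" if secure == "false"
  end
  findings
end

if __FILE__ == $0
  p lint_crossdomain(BAD_POLICY)   # one finding for the wildcard
  p lint_crossdomain(GOOD_POLICY)  # []
end
```

An explicit, short list of origins that actually need cross-domain access, each with secure="true", is the shape a policy should take; anything broader extends your site's trust to every XSS in the allowed domains.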

Some Other Things...

Keeping systems/software up-to-date

Rails < 2.1.1? -- SQL Injection bug

JumpBox (Server Provisioning) uses Rails 2.1.0

Curious - How do you manage security updates?

Infrastructure Security

Do _you_ know your external network presence?

Have all _your_ default passwords been changed?

And a few more...

Multiple layers of restriction

Have a phpMyAdmin Internet-accessible? Do you ...

Restrict access by IP address?

Rename the default location?

Have authentication enabled?

Process . Process . Process .

One last thing ...

Not always some über-technical buffer overflow sploit...

Access database on unprotected share

demo/demo password

Email on confirmation page

Are people thinking securely?

Password Security

250 passwords later...

5 Minutes Later

Switching Gears

Compliance

We <3 Our Data

Some of that data is restricted, though!

Personally Identifiable Information (PII)

Data Breach Notification Laws

Payment Card Industry (Credit Cards, PCI)

So you're building a web service... ...what do you need to know?

Planning and Process

44 states have data breach notification laws

Name, address, email

Social Security Number

Passport ID, License Number

If you are breached and that data was stored unencrypted, you must notify the people it belongs to.

Data Breach/Privacy Policy

Data Breach Laws are why services such as Twitter and Evernote have this in their Privacy Policy.

"If Evernote learns of a security system breach we may attempt to notify you and provide information on protective steps, if available, through the e-mail address that you supplied during registration or posting a notice on our web site. Depending on where you live, you may have a legal right to receive such notices in writing." -- http://evernote.com/about/privacy/

"We will make any legally-required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored personal data to you via email or conspicuous posting on this Site in the most expedient time possible and without unreasonable delay." -- http://twitter.com/privacy

PCI

PCI only applies to you if you "store, process, or transmit cardholder data."

Want the PCI compliance monkey off your back?

"It's simple, just don't ever store, process, or transmit cardholder data - let someone else do it for you."

And if you must store, process, or transmit ... call us.

PCI If You Have To

Cardholder data is defined as the primary account number ("PAN," or credit card number) and other data obtained as part of a payment transaction, including the following data elements:

PAN

Cardholder Name

Expiration Date

Service Code

Sensitive Authentication Data: (1) full magnetic stripe data, (2) CAV2/CVC2/CVV2/CID, and (3) PINs/PIN blocks. Unlike the PAN, which may be kept if rendered unreadable, sensitive authentication data must not be stored at all after authorization, even encrypted (PCI DSS Requirement 3.2).

Thanks

[email_address]

http://xkcd.com/327/ ("Exploits of a Mom", the Little Bobby Tables SQL injection strip)
