Cakes & diesel fuel

What every developer needs to know about application security

Jon Are Rakvåg
Capgemini

Appsec?

Building robust applications for the real world

No one is better qualified to break your applications than you are!

Security patterns


Antipattern: Security by obscurity


public void checkAdminCookie(HttpServletRequest request){
    for (Cookie cookie : request.getCookies()) {
        // Antipattern: the client decides whether it is an admin
        if (cookie.getName().equals("admin") &&
            cookie.getValue().equals("true")) {
            setAdminMode();
        }
    }
}

Don't trust the client


Don't store secrets on the client


Don't allow the client to make security decisions

This includes client-side input validation: the client can bypass it, so it is not a security control

Don't trust any data from the client

  • Parameters from GET, POST, HEAD, PUT...
  • Any part of the URL
  • HTTP headers (incl. cookies)

Never trust user input!

(It'll give you fleas)

Really!

Defense in depth

Don't rely on a thin perimeter of security

Have overlapping controls

The principle of least privilege

Not everyone needs access to the nuclear arsenal

The usual suspects


  • SQL injection
  • Cross site scripting
  • Session hijacking
  • Cross site request forgery

SQL injection

Fooling the DB server


public void updateUser(String userSuppliedName, long userID){
    String query = "UPDATE users SET name='" +
        userSuppliedName + "' WHERE id=" + userID;

    getJdbcTemplate().execute(query);
}

SELECT email FROM users WHERE username='$userInput';

Input: jon

SELECT email FROM users WHERE username='jon';

Input: hack'; UPDATE users SET passwd='abc' WHERE username='admin

SELECT email FROM users WHERE username='hack'; UPDATE users SET passwd='abc' WHERE username='admin';


Demo

Exploiting a basic SQLi vulnerability

Fixing SQL injection


public void updateUser(String userSuppliedName, long userID){
    String query = "UPDATE users SET name='" +
        userSuppliedName + "' WHERE id=" + userID;

    getJdbcTemplate().execute(query);
}

public void updateUser(String userSuppliedName, long userID){
    String query = "UPDATE users SET name=? WHERE id=?";

    getJdbcTemplate().update(
        query, new Object[]{userSuppliedName, userID});
}
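The two versions of updateUser() above, run side by side so the difference is observable. This is an added example, not code from the slides; it uses Python with the built-in sqlite3 module instead of the deck's Java/JdbcTemplate because it needs no database server. The users table, the two rows and the payload string are constructed for the example.

```python
import sqlite3

# Added example (not from the slides): the deck's updateUser() in its
# string-concatenating and parameterised forms, run against an in-memory
# SQLite database so the difference in behaviour can be observed.


def make_db():
    """Constructed sample data: two users, id 1 is the admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, passwd TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, passwd) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "jon", "hunter2")],
    )
    conn.commit()
    return conn


def update_user_vulnerable(conn, user_supplied_name, user_id):
    """Mirrors the vulnerable updateUser(): the name is pasted into the SQL text."""
    query = ("UPDATE users SET name='" + user_supplied_name
             + "' WHERE id=" + str(user_id))
    conn.execute(query)
    conn.commit()


def update_user_fixed(conn, user_supplied_name, user_id):
    """Mirrors the fixed updateUser(): placeholders, values bound by the driver."""
    conn.execute("UPDATE users SET name=? WHERE id=?", (user_supplied_name, user_id))
    conn.commit()


def names(conn):
    """Return {id: name} so the effect of each update can be inspected."""
    return {row[0]: row[1]
            for row in conn.execute("SELECT id, name FROM users ORDER BY id")}


# Constructed payload: a "name" that closes the quoted literal, points the
# WHERE clause at another row and comments out the rest of the statement.
PAYLOAD = "x' WHERE id=1 --"


def run_vulnerable():
    """User 2 submits PAYLOAD as their new name; the vulnerable code renames user 1."""
    conn = make_db()
    update_user_vulnerable(conn, PAYLOAD, 2)
    return names(conn)


def run_fixed():
    """Same input through the fixed code: the payload is stored verbatim as user 2's name."""
    conn = make_db()
    update_user_fixed(conn, PAYLOAD, 2)
    return names(conn)


def legitimate_apostrophe():
    """The slide's 'Lisa O'Reilly' case: concatenation breaks on ordinary input,
    parameters do not. Returns (vulnerable_raised_error, name_stored_by_fixed)."""
    conn = make_db()
    try:
        update_user_vulnerable(conn, "Lisa O'Reilly", 2)
        raised = False
    except sqlite3.OperationalError:   # unterminated string literal -> syntax error
        raised = True
    update_user_fixed(conn, "Lisa O'Reilly", 2)
    return raised, names(conn)[2]


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("fixed:     ", run_fixed())
    print("O'Reilly:  ", legitimate_apostrophe())
```

The parameterised version is not only safer but also more correct: the apostrophe in an ordinary name is a syntax error for the concatenating version, while the bound parameter stores it as-is.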

SQL injection summary

  • Terrible!
  • Easy fix

Cross site scripting (XSS)

Fooling the webserver

Reflected XSS

Demo

Exploiting a normal reflected XSS vulnerability



XSS attack goals


Attacks against the application

Integrity and confidentiality are gone!


Attacks against the client

Installing malware on the user's computer

Fixing XSS


Data on the way in: Validation

Strict validation is very effective!

Blacklisting (< > " ' ...) less so, but still useful


Lisa O'Reilly?

Data on the way out: escaping

Encoding the data so that command characters are "disarmed"


http://yoursite.com/hello.jsp?name=<script>alert('This is XSS');</script>

Vulnerable, unescaped use of input:

In JSP:          <p>Hello, ${name}</p>
Resulting HTML:  <p>Hello, <script>alert('This is XSS');</script></p>

Safe, HTML-escaped use of input:

In JSP:          <p>Hello, <c:out value="${name}"/></p>
Resulting HTML:  <p>Hello, &lt;script&gt;alert(&#39;This is XSS&#39;)&lt;/script&gt;</p>

The challenge: escape for the correct context, everywhere
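Context-correct escaping, as an added example that is not part of the slides. It is written in Python rather than the deck's JSP; `html.escape` plays the role of `<c:out>` (it emits `&#x27;` where c:out emits `&#39;`, both the apostrophe). The point it adds to the slide is that the same input needs a different escaper when it lands inside inline JavaScript. The sample inputs are constructed.

```python
import html
import json

# Added example (not from the slides): one user-supplied name rendered
# unescaped and escaped for three output contexts. Only the escaping that
# matches the context is safe; HTML escaping alone does not protect a value
# written into inline JavaScript.


def escape_html(value):
    """For HTML text nodes and *quoted* attribute values (what JSTL's <c:out> does)."""
    return html.escape(value, quote=True)


def escape_js_string(value):
    """For a value placed inside a <script> block: JSON-encode it (quotes and
    backslash escaping), then turn < > & into \\uXXXX escapes so the string can
    never contain a literal </script> that would end the block early."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def greeting_unescaped(name):
    """The slide's vulnerable <p>Hello, ${name}</p>."""
    return f"<p>Hello, {name}</p>"


def greeting_html_escaped(name):
    """Equivalent of the slide's <p>Hello, <c:out value="${name}"/></p>."""
    return f"<p>Hello, {escape_html(name)}</p>"


def greeting_in_attribute(name):
    """Value in a quoted attribute: HTML escaping suffices *because* the attribute is quoted."""
    return f'<input type="text" name="name" value="{escape_html(name)}">'


def greeting_in_script(name):
    """Value inside inline JavaScript: needs JavaScript-string escaping, not HTML escaping."""
    return f"<script>var name = {escape_js_string(name)};</script>"


# Constructed sample inputs
XSS_INPUT = "<script>alert('This is XSS');</script>"
SCRIPT_BREAKOUT = "</script><script>alert(1)</script>"
LEGIT_NAME = "Lisa O'Reilly"

if __name__ == "__main__":
    print(greeting_unescaped(XSS_INPUT))
    print(greeting_html_escaped(XSS_INPUT))
    print(greeting_html_escaped(LEGIT_NAME))
    print(greeting_in_attribute(XSS_INPUT))
    print(greeting_in_script(SCRIPT_BREAKOUT))
```

Note that `greeting_html_escaped` leaves "Lisa O'Reilly" perfectly readable in the browser: escaping on the way out does not have the false-positive problem that blacklisting the apostrophe on the way in has.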

Other forms of XSS


Stored XSS

User input stored on the server, then included in HTML


DOM based XSS

Scripts reading user data and then

writing HTML (.innerHTML, .outerHTML, .html(), document.write, createElement)

or executing it (eval(), setInterval(), setTimeout(), location.replace)

XSS summary

  • Very, very widespread
  • Bad, but often* limited to single sessions
  • Difficult to get right
  • Use input validation, output escaping and consider implementing a Content Security Policy

Session hijacking

HTTP is stateless


JSESSIONID=y2rzQ9JRgrP9J3vCX3phJ1XJbDdgLqgDSBYM7qBRGSDQr7PdnF1B!-1147520699;

Steal the cookie - steal the session!

Protecting the session cookie

1. Transport layer encryption (TLS/SSL)


2. Cookie flags:

HttpOnly - not readable by script, so XSS cannot steal it
Secure - only sent over TLS, never in clear text


3. Re-authentication
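Two slides combined in one added example (not code from the deck): the "admin" cookie antipattern from the security-patterns section replaced by a server-side session lookup, and the session cookie issued with the HttpOnly and Secure flags from this slide. It is Python rather than the deck's Java; the in-memory session store, the cookie name JSESSIONID reused from the slide, and the audit helper are all constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Added example (not from the slides). The role lives in a server-side
# session record; the cookie carries only an unguessable session id, and is
# issued with the HttpOnly and Secure flags.

SESSIONS = {}  # session id -> {"username": ..., "is_admin": ...}; never leaves the server


def create_session(username, is_admin):
    """Issue an unguessable session id; the role stays on the server, not in the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"username": username, "is_admin": is_admin}
    return sid


def session_cookie(sid):
    """Set-Cookie value for the session id, with the two flags from the slide set."""
    jar = SimpleCookie()
    jar["JSESSIONID"] = sid
    jar["JSESSIONID"]["httponly"] = True   # not readable by script (limits XSS impact)
    jar["JSESSIONID"]["secure"] = True     # only sent over TLS
    jar["JSESSIONID"]["path"] = "/"
    return jar["JSESSIONID"].OutputString()


def is_admin(request_cookies):
    """Replacement for checkAdminCookie(): look the session up server-side and
    ignore any client-supplied 'admin' cookie entirely."""
    record = SESSIONS.get(request_cookies.get("JSESSIONID", ""))
    return bool(record and record["is_admin"])


def missing_flags(set_cookie_value):
    """Audit helper: which of HttpOnly / Secure are absent from a Set-Cookie value."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attributes]


if __name__ == "__main__":
    sid = create_session("jon", is_admin=False)
    print("Set-Cookie:", session_cookie(sid))
    print("admin via forged cookie?", is_admin({"JSESSIONID": sid, "admin": "true"}))
    print("flags missing on legacy cookie:", missing_flags("JSESSIONID=abc; Path=/"))
```

`missing_flags` is the kind of check to run over an application's real responses: a session cookie set without both flags is exactly the case the slide's step 2 is about.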

Cross Site Request Forgery (CSRF)

Fooling the browser's session handling


Demo


Predictable requests to a site can be forged

Fixing CSRF

Adding unpredictability


<form action="account.jsp">
    <input type="hidden" name="csrf_token"
           value="FRUjQxPbyqmTtuXxip2tOWEqLFd">

    Username:  <input type="hidden" name="username" value="user">
    Password:  <input type="password" name="password">
    ...
</form>
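The server side of the token above, as an added example that is not code from the slides. It is Python rather than the deck's JSP; the `session` and `form` dictionaries stand in for the servlet container's session object and request parameters, and `account.jsp` and the field names are taken from the slide's form.

```python
import hmac
import secrets

# Added example (not from the slides): issue a per-session CSRF token, embed it
# in the form as the slide does, and verify it when the form is posted.


def issue_csrf_token(session):
    """Generate an unpredictable token once per session and remember it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_account_form(session):
    """The slide's form with the session's token in the hidden csrf_token field."""
    token = issue_csrf_token(session)
    return (
        '<form action="account.jsp" method="post">\n'
        f'    <input type="hidden" name="csrf_token" value="{token}">\n'
        '    Username:  <input type="text" name="username" value="user">\n'
        '    Password:  <input type="password" name="password">\n'
        '</form>'
    )


def handle_account_post(session, form):
    """Server side of account.jsp. Returns an HTTP status; the protected state
    change happens only when the submitted token matches the session's token."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest: constant-time comparison, so the token cannot be
    # recovered byte by byte through timing differences
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    session["password"] = form.get("password", "")   # the protected state change
    return 200


if __name__ == "__main__":
    session = {}
    render_account_form(session)
    token = session["csrf_token"]
    # Submission from the real form: token present and correct
    print(handle_account_post(session, {"csrf_token": token, "password": "new"}))
    # Forged cross-site request: another origin cannot read the token, so it is absent
    print(handle_account_post(session, {"password": "other"}))
```

The token works because a request forged from another site can carry the victim's session cookie (the browser adds it automatically) but not the token, which only exists in a page the victim's browser fetched from your origin.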

CSRF summary

  • Easy & effective attack
  • Easy fix (tokens)

Wrap up

1. Appsec must be solved in the app layer

2. Security patterns

Do not trust user input!


3. The usual suspects

SQLi

XSS

Session issues

CSRF

More reading


Jon Are Rakvåg | jonare@jonare.no | @jonarer
