Application security workshop


Jon Are Rakvåg

@jonarer

Agenda

  1. Intro
  2. Cross site scripting (XSS)
  3. Cross site request forgery (CSRF)
  4. Broken security features
  5. Misconfiguration
  6. Assorted issues
  7. Cryptography
  8. Injection
  9. Summary

Intro

Goals

Hands-on appsec experience

Appsec != security features

Tools of the trade

Resources

KWASHC

The website

Cross Site Scripting (XSS)

Fooling your app to include *my* malicious JS

Reflected XSS

Reflected XSS

Demo

So what?

The attacker can now:

  • Change everything the user is shown
  • Manipulate all requests to the server
  • Forge new requests
  • Send sensitive data to third party server
  • Steal the session?
  • Probably install malware on the client

Other forms of XSS


Stored XSS

User input stored on the server, then included as html

DOM based XSS (client side)

Scripts reading user data and then

writing html(.innerHtml, .outerHtml, .html(), document.write, createElement)

or executing (eval(), setInterval(), setTimeout(), new Function() or location.replace)

XSS mitigations

  • Escape output
  • Validate input
  • Avoid user data in dangerous JS functions
  • Write user data as text in JS (.text() etc)
  • Protect session cookies (httpOnly)
  • Set a Content Security Policy (CSP)
  • Use a mature front end framework
    •

Your turn

Cross Site Request Forgery (CSRF)

Fooling the browser's session handling


Demo


Predictable requests to a site can be forged

Fixing CSRF

Adding unpredictability


<form action="account.jsp">
<input type="hidden" name="csrf_token" value="FRUjQxPbyqmTtuXxip2tOWEqLFd">

Username:  <input type="hidden" name="username" value="user">
Password:  <input type="password" name="password">
...
</form>

Your turn

Missing or broken security features

Input validation

The first line of defense

Do not trust user input

Validate all the things!

Do

  1. Parse strings to proper objects or enums
  2. ...or whitelist characters
  3. Validate server side

Do not

  1. Blacklist characters (', ", <, >...)
  2. Blacklist whole strings (SELECT, <script>...)
  3. Only validate client side (JS, HTML5, thick client...)

Validation limitations

  • We often don't know in what context the data will be used
  • Functional limitations (Lisa O'Reilly? Henrik L'Abée-Lund? Passwords? Discussions of JavaScript?)

-> validate as strictly as you can given the functional constraints

Malicious code

(or misplaced dev/test features)

Unvalidated redirects

Abusing users' trust in your site

Demo

Your turn

Misconfiguration

Magic frameworks

...and insecure defaults

Broken security

through simple misconfiguration

Improper error handling

Technical error messages are interesting!

-> Detailed logs serveside, generic messages to the client

Your turn

Assorted issues

Click-jacking

Demo

Known vulnerable components

Demo

Real world known vulnerable components mitigation

Your turn

Cryptography

is hard

Cryptography != obfuscation

Do

  1. Cheat! Use COTS, frameworks, established services, best practices and the like
  2. Expect the encryption to be broken at some point
  3. Hire some help. Seriously. Crypto is hard.

Do not

  1. Roll your own crypto!
  2. Use established crypto in new innovative ways

Password storage

(You should probably use some form of LDAP server, but let's look at password storage best practice)

Your turn

Injection

KWASHC hasn't got any injection tasks, but it's a serious issue. See this SQL injection example, but don't forget XML, LDAP or OS command injection.

Summary

Security features ⊂ application security

Bad things happen when you trust user input

OWASP is a great community resource

Check out owasp.org or come join us in Oslo

Links