2015 09-18-jug summer camp
2 likes•1,589 views
The document discusses securing code through proper authorization and access control. It recommends avoiding hard-coded authorization rules and instead using a centralized access control system. The document outlines some common anti-patterns like untrusted data driving access decisions and discusses how improper access controls can enable data tampering or disclosure of confidential information.
![2)
Use
a
cryptographically
strong
credential-‐
specific
salt
• protect(
[salt]
+
[password]
);
• Use
a
32char
or
64char
salt
(actual
size
dependent
on
protection
function);
• Do
not
depend
on
hiding,
splitting,
or
otherwise
obscuring
the
salt](https://image.slidesharecdn.com/2015-09-18-jugsummercamp-160115054731/85/2015-09-18-jug-summer-camp-43-320.jpg)
![3a)
Impose
difficult
verification
on
the
attacker
and
defender
•PBKDF2([salt]
+
[password],
c=140,000);
•Use
PBKDF2 when
FIPS
certification
or
enterprise
support
on
many
platforms
is
required
•Use
Scrypt where
resisting
any/all
hardware
accelerated
attacks
is
necessary
but
enterprise
support
and
scale
is
not.
(bcrypt is
also
a
reasonable
choice)](https://image.slidesharecdn.com/2015-09-18-jugsummercamp-160115054731/85/2015-09-18-jug-summer-camp-44-320.jpg)
![3b)
Impose
difficult
verification
on
only the
attacker
•HMAC-‐SHA-‐256(
[private
key],
[salt]
+
[password]
)
•Protect
this
key
as
any
private
key
using
best
practices
•Store
the
key
outside
the
credential
store
•Build
the
password-‐to-‐hash
conversion
as
a
separate
webservice (cryptograpic isolation).](https://image.slidesharecdn.com/2015-09-18-jugsummercamp-160115054731/85/2015-09-18-jug-summer-camp-45-320.jpg)
![//import
java.security and
java.crypto and
java.util needed
//
Based on
recommendation from NIST
SP800-‐132.pdf
public
class
PasswordEncryptionService {
public
boolean authenticate(String
attemptedPassword,
byte[]
encryptedPassword,
byte[]
salt)
throws NoSuchAlgorithmException,
InvalidKeySpecException {
byte[]
encryptedAttemptedPassword =
getEncryptedPassword(attemptedPassword,
salt);
return
Arrays.equals(encryptedPassword,
encryptedAttemptedPassword);
}
public
byte[]
getEncryptedPassword(String
password,
byte[]
salt)
throws NoSuchAlgorithmException,
InvalidKeySpecException {
String
algorithm =
"PBKDF2WithHmacSHA1’’;
//
SHA1
recommende by
nist
int derivedKeyLength =
160;
int iterations =
20000;
//
minimum
1000
its from NIST
KeySpec spec =
new
PBEKeySpec(password.toCharArray(),
salt,
iterations,
derivedKeyLength);
SecretKeyFactory f
=
SecretKeyFactory.getInstance(algorithm);
return
f.generateSecret(spec).getEncoded();
}
public
byte[]
generateSalt()
throws NoSuchAlgorithmException {
SecureRandom random =
SecureRandom.getInstance("SHA1PRNG");
byte[]
salt =
new
byte[8];
random.nextBytes(salt);
return
salt;
SecurePasswordStorage](https://image.slidesharecdn.com/2015-09-18-jugsummercamp-160115054731/85/2015-09-18-jug-summer-camp-48-320.jpg)
2015 09-18-jug summer camp
- 1. 42 minutes to secure your code…. Sébastien Gioria [email protected] OWASP France Leader & Evangelist JUG Summer Camp 18 Septembre 2015 LaRochelle -‐ France
- 2. Agenda • OWASP ? • Secure Coding ? • 10 simply principles to secure code • Controlling code security • Q&A Beer J 2
- 3. 2 http://www.google.fr/#q=sebastien gioria ‣OWASP France Leader & Founder & Evangelist, ‣OWASP ISO Project & OWASP SonarQube Project Leader ‣Innovation and Technology @Advens && Application Security Expert Twitter :@SPoint/@OWASP_France/@AppSecAcademy2 ‣Application Security group leader for the CLUSIF ‣Proud father of youngs kids trying to hack my digital life. ‣Legal expert for Cour of Appeal of Poitiers
- 5. OWASP publications ! • Publications : – Top10 Application Security Risk ; bestseller – Testing Guide ; second bestseller – OWASP Cheat Sheets !!! – Application Security Verification Standard ; not the best well known document – OpenSAMM : improve your application security – OWASP Secure Contract Annex – OWASP Top10 for ... (mobile, cloud, privacy, ...) • Tools / API – OWASP Zed Attack Proxy ; replace WebScarab with a lot of new functionalities – OWASP ESAPI : API for securing your Software – OWASP AppSensor ; a IDS/IPS in the heart of your software – OWASP Cornucoppia ; application security play with cards – OWASP Snake and ladder : play Top10 and many more....
- 7. Yes, this is you !
- 8. Some Stats.... (c) IBM March 2014
- 11. Be accurate
- 17. @Inject EntityManager em; @Transactional public User updateEmail(String username,String email) { TypedQuery<User> q = em.createQuery( String.format(”update Users set email ‘%s’ where username = '%s’", email, username), User.class); return q.getSingleResult(); }
- 18. Parametrize ! don't Jeopardize !!! String eMail= request.getParameter("email") ; String userName= request.getParameter("username"); //SQL PreparedStatement pstmt = con.prepareStatement("update Users set email = ? where username = ?); pstmt.setString(1, eMail); pstmt.setString(2, userName); //JPA Query safeQuery = entityManager.createQuery( "update Users u SET u.email = ?1 WHERE u.username = ?2"); safeQuery.setParameter(1, eMail) ; safeQuery.setParameter(2, userName); safeQuery.executeUpdate();
- 19. Moral ! NEVER re-implements security mechanisms that are approuved in a core library !! This is the same thing for crypto and other mechanisms that are not security....
- 20. public final class InsertEmployeeActionextends Action{ public ActionForward execute(ActionMappingmapping,ActionForm form, HttpServletRequest request,HttpServletResponseresponse)throws Exception{ Obj1 service= new Obj1(); ObjForm objForm = (ObjForm) form; InfoADT adt = new InfoADT(); BeanUtils.copyProperties(adt,objForm); String searchQuery= objForm.getqueryString(); String payload = objForm.getPayLoad(); try { service.doWork(adt); / /do somethingwith thedata ActionMessages messages = new ActionMessages(); ActionMessagemessage= new ActionMessage("success",adt.getName()); messages.add(ActionMessages.GLOBAL_MESSAGE,message); saveMessages(request, messages ); request.setAttribute("Record",adt); return (mapping.findForward("success")); } catch( DatabaseExceptionde) { ActionErrors errors = new ActionErrors(); ActionError error = new ActionError("error.employee.databaseException" + “Payload:“+payload); errors.add(ActionErrors.GLOBAL_ERROR,error ); saveErrors(request,errors ); return (mapping.findForward("error: "+ searchQuery)); } } } Spot the vuln(s) !
- 21. XSS risks • Session Hijacking • Site Defacement • Network Scanning • Undermining CSRF Defenses • Site Redirection/Phishing • Load of Remotely Hosted Scripts • Data Theft • Keystroke Logging • Attackers using XSS more frequently
- 22. <
- 23. <
- 24. Encoding Output Characters Decimal Hexadecimal HTML Character Set Unicode " (double quotation marks) " " " u0022 ' (single quotation mark) ' ' ' u0027 & (ampersand) & & & u0026 < (less than) < < < u003c > (greater than) > > > u003e Safe ways to represent dangerous characters in a web page
- 25. OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project • No third party libraries or configuration necessary • This code was designed for high-availability/high- performance encoding functionality • Simple drop-in encoding functionality • Redesigned for performance • More complete API (uri and uri component encoding, etc) in some regards. • Java 1.5+
- 26. (3) Validate All Inputs
- 28. OWASP HTML Sanitizer Project https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project • HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. • This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review https://code.google.com/p/owasp-java-html- sanitizer/wiki/AttackReviewGroundRules. • It allows for simple programmatic POSITIVE policy configuration. No XML config. • Actively maintained by Mike Samuel from Google's AppSec team! • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
- 29. • Upload Verification – Filename and Size validation + antivirus • Upload Storage – Use only trusted filenames + separate domain • Beware of "special" files – "crossdomain.xml" or "clientaccesspolicy.xml". • Image Upload Verification – Enforce proper image size limits – Use image rewriting libraries – Set the extension of the stored image to be a valid image extension – Ensure the detected content type of the image is safe • Generic Upload Verification – Ensure decompressed size of file < maximum size – Ensure that an uploaded archive matches the type expected (zip, rar) – Ensure structured uploads such as an add-on follow proper standard
- 31. What is Access Control? • Authorization is the process where a system determines if a specific user has access to a resource • Permission: Represents app behavior only • Entitlement: What a user is actually allowed to do • Principle/User: Who/what you are entitling • Implicit Role: Named permission, user associated – if (user.isRole(“Manager”));; • Explicit Role: Named permission, resource associated – if (user.isAuthorized(“report:view:3324”);;
- 32. Access Control Anti-Patterns • Hard-coded role checks in application code • Lack of centralized access control logic • Untrusted data driving access control decisions • Access control that is “open by default” • Lack of addressing horizontal access control in a standardized way (if at all) • Access control logic that needs to be manually added to every endpoint in code • Access Control that is “sticky” per session • Access Control that requires per-user policy
- 33. Access Controls Impact • Loss of accountability – Attackers maliciously execute actions as other users – Attackers maliciously execute higher level actions • Disclosure of confidential data – Compromising admin-‐level accounts often results in access to user’s confidential data • Data tampering – Privilege levels do not distinguish users who can only view data and users permitted to modify data
- 34. void editProfile(User u, EditUser eu) { if (u.isManager()) { editUser(eu) } } HardCode Auth Rule
- 35. void editProfile(User u, EditUser eu) { if ((user.isManager() || user.isAdministrator() || user.isEditor()) && user.id() != 1132)) { // do stuff } } Policy evolution....
- 36. 36
- 37. Hard-‐Coded Roles • Makes “proving” the policy of an application difficult for audit or Q/A purposes • Any time access control policy needs to change, new code need to be pushed • RBAC(http://en.wikipedia.org/wiki/Role-‐ based_access_control) is often not granular enough • Fragile, easy to make mistakes
- 38. Never Depend on Untrusted Data • Never trust request data for access control decisions • Never make access control decisions in JavaScript • Never make authorization decisions based solely on: hidden fields cookie values form parameters URL parameters anything else from the request • Never depend on the order of values sent from the client
- 39. Best Practice: Centralized AuthZ • Define a centralized access controller – ACLService.isAuthorized(PERMISSION_CONSTANT) – ACLService.assertAuthorized(PERMISSION_CONSTANT) • Access control decisions go through these simple API’s • Centralized logic to drive policy behavior and persistence • May contain data-‐driven access control policy information
- 40. int userId= request.getInt(”userID"); //Best to get it from sessionID.... if (validateUser(userId) ) { if ( currentUser.isPermitted( ”module:function:" + userId) ) { log.info(userId + “are permitted to access ."); doStuff(userId); } else { log.info(userId + “ is notallowed to access!"); throw new AuthorizationException (userId); } } Should be like this...
- 41. Establish Authentication and Identity Controls
- 42. 1) Do not limit the type of characters or length of user password within reason • Be wary of systems that allow unlimited password sizes (Django DOS Sept 2013) • 2) Use a cryptographically strong credential-‐specific salt • 3) Impose difficult verification • on the attacker and defender : use PBKDF2 or script • on only the attacker : use HMAC-‐SHA-‐256
- 43. 2) Use a cryptographically strong credential-‐ specific salt • protect( [salt] + [password] ); • Use a 32char or 64char salt (actual size dependent on protection function); • Do not depend on hiding, splitting, or otherwise obscuring the salt
- 44. 3a) Impose difficult verification on the attacker and defender •PBKDF2([salt] + [password], c=140,000); •Use PBKDF2 when FIPS certification or enterprise support on many platforms is required •Use Scrypt where resisting any/all hardware accelerated attacks is necessary but enterprise support and scale is not. (bcrypt is also a reasonable choice)
- 45. 3b) Impose difficult verification on only the attacker •HMAC-‐SHA-‐256( [private key], [salt] + [password] ) •Protect this key as any private key using best practices •Store the key outside the credential store •Build the password-‐to-‐hash conversion as a separate webservice (cryptograpic isolation).
- 46. Password1!
- 47. Require 2 identity questions <Last name, account number, email, DOB <Enforce lockout policy Ask one or more good security questions <https://www.owasp.org/index.php/Choosing_and_Using_Security_ Questions_Cheat_Sheet Send the user a randomly generated token via out-‐of-‐band <app, SMS or token Verify code in same web session <Enforce lockout policy Change password <Enforce password policy Changing Password
- 48. //import java.security and java.crypto and java.util needed // Based on recommendation from NIST SP800-‐132.pdf public class PasswordEncryptionService { public boolean authenticate(String attemptedPassword, byte[] encryptedPassword, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException { byte[] encryptedAttemptedPassword = getEncryptedPassword(attemptedPassword, salt); return Arrays.equals(encryptedPassword, encryptedAttemptedPassword); } public byte[] getEncryptedPassword(String password, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException { String algorithm = "PBKDF2WithHmacSHA1’’; // SHA1 recommende by nist int derivedKeyLength = 160; int iterations = 20000; // minimum 1000 its from NIST KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, derivedKeyLength); SecretKeyFactory f = SecretKeyFactory.getInstance(algorithm); return f.generateSecret(spec).getEncoded(); } public byte[] generateSalt() throws NoSuchAlgorithmException { SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); byte[] salt = new byte[8]; random.nextBytes(salt); return salt; SecurePasswordStorage
- 49. • Authentication Cheat Sheet – https://www.owasp.org/index.php/Authentication_Cheat_Sheet • Password Storage Cheat Sheet – https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet • Forgot Password Cheat Sheet – https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet • Session Management Cheat Sheet – https://www.owasp.org/index.php/Session_Management_Cheat_Sheet • ASVS AuthN and Session Requirements – https://www.owasp.org/index.php/OWASP_Application_Security_Verific ation_Standard_Project • Choose Security Questions – https://www.owasp.org/index.php/Choosing_and_Using_Security_Quest ions_Cheat_Sheet
- 51. • What benefits do HTTPS provide? – Confidentiality, Integrity and Authenticity – Confidentiality: Spy cannot view your data – Integrity: Spy cannot change your data – Authenticity: Server you are visiting is the right one
- 52. Encryption in Transit (HTTPS/TLS) • HTTPS configuration best practices – https://www.owasp.org/index.php/Transport_L ayer_Protection_Cheat_Sheet – https://www.ssllabs.com/projects/best- practices/
- 53. • Certificate Pinning – https://www.owasp.org/index.php/Pinning_Cheat_Sheet • HSTS (Strict Transport Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-‐Transport-‐Security: max-‐age=31536000 • Forward Secrecy – https://whispersystems.org/blog/asynchronous-‐security/ • Certificate Creation Transparency – http://certificate-‐transparency.org • Browser Certificate Pruning – Etsy/Zane Lackey
- 54. HSTS – Strict Transport Security • HSTS (Strict Transport Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-‐Transport-‐Security: max-‐age=31536000; includeSubdomains • Forces browser to only make HTTPS connection to server • Must be initially delivered over a HTTPS connection
- 56. Logs and errors
- 57. Risks ? • Error messages can disclose information valuable to an attacker • Failure can lead to an unhandled state, which can lead to denial of service – Unhandled failures can lead to malicious behavior being unnoticed
- 58. Fail Securely ! • Not Just catching exception • Not Just logging exception/errors Handle all failures securely and return the system to a proper state
- 59. Design Patterns • Don't assume that an error condition won't occur • It's what the attackers want you to assume • Errors are like accidents, you don't expect them, but they happen • Any code that can throw an exception should be in a Try Block • Handle all possible exceptions • Use Finally Blocks: leaving files open or exceptions defined after use creates resource leaks and possible system failure • Short specific Try Blocks give you more control over the error state
- 60. App Layer Intrusion Detection • Great detection points to start with – Input validation failure server side when client side validation exists – Input validation failure server side on non-user editable parameters such as hidden fields, checkboxes, radio buttons or select lists – Forced browsing to common attack entry points – Honeypot URL (e.g. a fake path listed in robots.txt like e.g. /admin/secretlogin.jsp)
- 61. App Layer Intrusion Detection • Others – Blatant SQLi or XSS injection attacks – Workflow sequence abuse (e.g. multi-part form in wrong order) – Custom business logic (e.g. basket vs catalogue price mismatch) – Further Study: • “libinjection: from SQLi to XSS” – Nick Galbreath • “Attack Driven Defense” – Zane Lackey
- 62. OWASP AppSensor (Java) • Project and mailing list https://www.owasp.org/index.php/OWASP_A ppSensor_Project • Four-page briefing, Crosstalk, Journal of Defense Software Engineering • http://www.crosstalkonline.org/storage/issue- archives/2011/201109/201109-Watson.pdf
- 65. Bad Design
- 66. Security Architecture and Design Strategic effort • Business, technical and security stakeholders • Functional and non-‐functional security properties • Different flavors/efforts based on SDL/culture Example: state • Should you use the request? • Should you use a web session? • Should you use the database? These decisions have dramatic security implications
- 67. Trusting Input • Treating all client side data as untrusted is important, and can be tied back to trust zones/boundaries in design/architecture. • Ideally we want to consider all tiers to be untrusted and build controls at all layers, but this is not practical or even possible for some very large systems.
- 68. Security Architecture and Design Additional Considerations • Overall Architecture/Design • Trust Zones/Boundaries/Tiers 1. User Interface, API (Webservices), 2. Business Layer (Custom Logic), 3. Data Layer (Keys to the Kingdom) 4. What sources can/cannot be trusted? • What is inside/outside of a trust zone/boundary • Specific controls need to exist at certain layers • Attack Surface
- 69. Controlling code in one picture
- 70. Pentest or code review for CISO Top10 Web Pentest Code Review A1-‐Injection ++ +++ A2-‐Broken Authentication and Session Management ++ + A3-‐Cross-‐Site Scripting (XSS) +++ +++ A4-‐Insecure Direct Object References + +++ A5-‐Security Misconfiguration + ++ A6-‐Sensitive Data Exposure ++ + A7-‐Missing Function Level Access Control + + A8-‐Cross-‐Site Request Forgery (CSRF) ++ + A9-‐Using Components with Known Vulnerabilities +++ A10-‐Unvalidated Redirects and Forwards + +
- 71. Pentesting and code review for a developer
- 72. 10 reasons to use .... • Written in Java J • Integrated with CI Tools (Jenkins/Hudson/Bamboo) • Modular (plugins by languages) • Developer tools • Dashboard • OWASP project J • Open-‐Source (and commercial too)
- 75. LAST BUT NOT LEAST....
- 76. Lack of knowledge... String myString = "insecure"; myString.replace("i","1") // do Stuff
- 77. Good Try...but...catch J public class BadCatch { public void mymethodErr1() { try { //do Stuff } catch (SecurityException se){ System.err.println (se); } } }
- 78. Nice comments // Pattern to match the string Pattern myPattern = "bword1W+(?:w+/W+){1,6}?word2b"; String updated = MYCONSTANT1.replaceAll(mypattern, "$2"); // i iterate from 0 to 10 for (int i=0; i <10 ; i++) { // do stuff myMethod(updated); }
- 79. Unit testing • In computer programming, unit testing is a software testing method by which individual units of source code, sets of one or more computer program modules together with associated control data, usage procedures, and operating procedures, are tested to determine whether they are fit for use.. (c) Wikipedia