Don’t trust user input Kirk Jackson, RedShield security.ac.nz, 25 Aug 2019
Building a secure web app
[Diagram: the controls involved in building a web app securely (threat modelling, security SDLC, security training, SAST, IAST, DAST, code reviews, deployment workflow, app release and test automation), hosting it securely (cloud configuration, OS hardening, patch management, identity and IAM, firewall, web app firewall, proxy, IDS, DLP, file integrity monitoring, AV, RASP agent, SIEM, security threat monitoring, standard operating procedures, security governance and policies) and verifying it's secure (vulnerability scan, configuration review, penetration testing).]
Approximate cost: $4.2m
Building a secure web app ✓
But what if there are bugs?
[Diagram: the same build, host and verify controls (security SDLC, training, SAST, IAST, DAST, security reviews, threat modelling, penetration testing, firewall, web app firewall, RASP, deployment, app release and test automation), annotated: business logic weaknesses still get through, and a fix will need a new app release.]
XSS
GET /Product/Search?SearchTerm=ghost HTTP/1.1
Host: www.0-days.net
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://www.0-days.net/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: .AspNetCore.Antiforgery.9TtSrW0hzOs=CfDJ8JVmqLgybchGooENk8b3J2Arp7JPwBPHmd6ZFeABp7WkL3Oad7vmVBUmgjuLe7B3p8KApo1sdYkvdxqdkwqN1XS3YjCVeoOlLfwdrFSH8PltvmwuVnhUJNpl3pF3ys9YA8LISJVZAeSo69A2QYDedxc

(Stamped across the request: Don't trust anything!)
The Attack of the Deadly XSS! (Page 12)
Beware and warning!

This book is different from other books. You and YOU ALONE are in charge of what happens in this story. There are dangers, choices, adventures and consequences. YOU must use all of your numerous talents and much more of your enormous intelligence. The wrong choice could end in disaster - even death. But don't despair. At any time, YOU can go back and make another choice, alter the path of your story, and change its result.

Turn to page 14.
The beginning

You are an intrepid web developer named Justice, aiming to protect your application as best as you can. Armed with your trusty list of websites, you begin your quest to rid the world of XSS!

● Javascript was invented in 1995
● Cross-site scripting was invented shortly after

Do you understand XSS? Go to Page 19.
Want to learn more? Go to Page 15.
XSS is everywhere

● 60% of bug payouts by Google
● 21.7% of bugs found on Bug Crowd are cross-site scripting (Bug Crowd's 2018 State of Bug Bounty report)
● Almost all sites have XSS* (* Source: anecdotal)
● Injected javascript can do anything that your users can do

Go to Page 16.
HTML = code + data

A single HTML page mixes both code and data. It's all jumbled together:

<html>
<body>
<h1>Hello!</h1>
<script>
var urchin_id = "61143";
</script>
</body>
</html>

The browser doesn't know who wrote the HTML:
● The site creator?
● The end user?

Go to Page 17.
An attack

User enters their name:
<script>alert("Hello!");</script>

The page renders the name in an HTML context:

<html>
<body>
<h1>
Hello <script>
alert("Hello!");
</script>
</h1>
</body>
</html>

Go to Page 18.
An attack

The user's data can be inserted into many different contexts on a page:
● HTML element
● HTML attribute
● URL query parameter
● CSS value
● Javascript value
● or a combination of the above

<h1>Hello <%= name %></h1>
<input value="<%= name %>">
<a href="/?name=<%= name %>">
<style> h1 {color: <%= name %>; } </style>
<script>
var name='<%= name %>';
...
</script>

Go back to Page 14.
Fixing XSS

Fix the output: understand the context that you're outputting data into:
● HTML
● URL
● Attribute
● Javascript
● …
Then encode the data to make it safe in that context.

Or, fix the input: restrict the input to your application to only safe characters:
● Validation
● Whitelists

If you've fixed all your XSS, go to Page 21.
If you've got known XSS to fix, go to Page 20.
The Attack of the Deadly XSS! www.owasp.org.nz (Page 20)
Name = kirk&<'"

HTML Encoding:
<h1>Hello <%= name %></h1>
<h1>Hello kirk&amp;&lt;&#x27;&quot;</h1>

Attribute Encoding:
<input value="<%= name %>">
<input value="kirk&amp;&lt;&#x27;&quot;">

URL Encoding:
<a href="/?name=<%= name %>">
<a href="/?name=kirk%26%3c%27%22">
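The context-specific encoders above, and the "fix the input" whitelist approach for the CSS context from the previous pages, worked through in Python as an added example (not code from the talk or from any framework it mentions). It uses only the standard library: html.escape for the HTML element and attribute contexts, urllib.parse.quote for the URL context, and json.dumps for the Javascript string context. The sample name is the one on the slide; the function names, the sample script value and the colour whitelist are assumptions made for this example.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample inputs: the slide's name, plus the injected script from
# the earlier "An attack" page.
NAME = 'kirk&<\'"'
ATTACK = '<script>alert("Hello!");</script>'


def encode_html(value: str) -> str:
    """HTML element context: <h1>Hello <%= name %></h1>.
    & < > " ' become entities, so the value can never open a tag."""
    return html.escape(value, quote=True)


def encode_attribute(value: str) -> str:
    """HTML attribute context: <input value="<%= name %>">.
    Same entity set; this is only sufficient when the attribute is quoted."""
    return html.escape(value, quote=True)


def encode_url(value: str) -> str:
    """URL query parameter context: <a href="/?name=<%= name %>">.
    safe='' so that even '/' is percent-encoded."""
    return quote(value, safe='')


def encode_js(value: str) -> str:
    """Javascript string context: var name = <%= name %>;
    json.dumps produces a quoted JS string literal; '<' and '>' are
    additionally written as \\u003c / \\u003e so that a value containing
    '</script>' cannot close the surrounding script element."""
    return json.dumps(value).replace('<', '\\u003c').replace('>', '\\u003e')


# Assumed whitelist for the CSS value context: there is no safe general
# encoder for CSS, so restrict the input instead (the "fix the input" route).
CSS_COLOUR = re.compile(r'^(?:[A-Za-z]{1,20}|#[0-9A-Fa-f]{3,6})$')


def validate_css_colour(value: str, fallback: str = 'inherit') -> str:
    """CSS value context: h1 {color: <%= name %>;}. Accept only a colour
    keyword or hex colour; anything else falls back to a fixed safe value."""
    return value if CSS_COLOUR.match(value) else fallback


def render(name: str) -> dict:
    """Render the same untrusted value into each context on the page."""
    return {
        'html': f'<h1>Hello {encode_html(name)}</h1>',
        'attribute': f'<input value="{encode_attribute(name)}">',
        'url': f'<a href="/?name={encode_url(name)}">',
        'css': f'<style> h1 {{color: {validate_css_colour(name)}; }} </style>',
        'js': f'<script>var name = {encode_js(name)};</script>',
    }


if __name__ == '__main__':
    for sample in (NAME, ATTACK):
        print(f'--- {sample!r}')
        for context, markup in render(sample).items():
            print(f'{context:>9}: {markup}')
```

Note that the encoded forms differ per context (the URL form of the same name is `kirk%26%3C%27%22`, the HTML form `kirk&amp;&lt;&#x27;&quot;`), which is why an encoder chosen for one context does not protect another, and why the combined contexts on the previous page (a URL inside an attribute, for instance) need encoding applied in the order the browser decodes them.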
SQL Injection
SQL Injection

[Video: sqlmap run against the search page; files extracted]
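The product search from the request shown earlier, written both ways, as an added example (not code from the talk or from the demo application). It is Python with an in-memory sqlite3 database and constructed sample rows; the table, column names and the hidden-row marker are assumptions made for this example. The concatenated version lets the search term change the SQL statement, which is the class of bug sqlmap automates finding; the parameterised version keeps the statement fixed and passes the term as a bound value, so the same input is only ever compared against product names.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue standing in for the site's product table."""
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)'
    )
    # Assumed sample data: two public products and one that must not be listed.
    conn.executemany(
        'INSERT INTO product (name, hidden) VALUES (?, ?)',
        [('ghost', 0), ('ghoul', 0), ('secret prototype', 1)],
    )
    conn.commit()
    return conn


def search_concat(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the search term is pasted into the SQL text, so user data
    becomes part of the query code (the same code/data mix as in HTML)."""
    sql = (
        "SELECT name FROM product WHERE hidden = 0 AND name LIKE '%"
        + term
        + "%'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def search_param(conn: sqlite3.Connection, term: str) -> list:
    """Fixed: the statement is constant; the term travels as a bound parameter
    and is only ever treated as a value to match against."""
    sql = 'SELECT name FROM product WHERE hidden = 0 AND name LIKE ?'
    return sorted(row[0] for row in conn.execute(sql, ('%' + term + '%',)))


if __name__ == '__main__':
    db = make_db()
    for term in ('gho', "%' OR 1=1 --"):
        print(f'term {term!r}:')
        print('  concat:', search_concat(db, term))
        print('  param: ', search_param(db, term))
```

For an ordinary term both functions return the same rows; for a term that contains a quote and an `OR`, the concatenated query loses its `hidden = 0` restriction and returns the hidden row, while the parameterised query simply finds no product with that name. Detection on the server side is cheap here: a search term containing SQL punctuation is worth logging, but the fix is the bound parameter, not a filter on the input.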
Recommend
More recommend