SECURITY IN THE AGE OF FRAMEWORKS LUKA KLADARIC // L@K.HR // @KLL 1 — FSec 2016
ONCE UPON A TIME...
WE WROTE OUR OWN CODE
ALL OF IT.
so we knew what was in it. we knew every little bit.
WHO IS THIS GUY?
Luka Kladaric (1985)
> started doing web stuff around 1997
> javascript before jQuery
> server-side with ASP/VBScript (~1999)
> ran away to PHP (~2002)
> ran away to Python (~2013)
> ran away to devops
Today we "know better" than to code everything from scratch
So we rely on frameworks
and libraries & a bunch of 3rd party code
we outsource authentication...
logging...
database interaction...
API connectivity...
everything that isn't strictly unique to the problem we're solving
this presents an RTFM problem
How does this problem manifest itself?
Story time! (Demo 1)
Example Co builds their first webapp
> an internal dashboard at control.example.com
> authentication?
But if the servers only ever see HTTP, how will they know about HTTPS?
Spoiler: they won't (not by default anyway)
What we'd like to see
Fixes:
> respect X-Forwarded-Proto header
  watch out for various components treating security headers differently
> SSL config change triggers audit
> remove http from oauth whitelist
> HSTS headers (HTTP Strict Transport Security)
  difficult to catch, browsers don't report this as bad behavior
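As an added example (not part of the talk or of Example Co's code): a small Python WSGI middleware implementing the first and last fixes above. It honours X-Forwarded-Proto only when the request came from the load balancer's address range, redirects everything else to https://, and adds HSTS on https responses; the 10.0.0.0/8 proxy range, the host name and the sample requests are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# constructed assumption: address range of the load balancer that terminates TLS
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
HSTS = "max-age=31536000; includeSubDomains"

def effective_scheme(environ):
    """Scheme the client really used. X-Forwarded-Proto is honoured only when the
    request arrived from a trusted proxy; otherwise anyone reaching the app
    directly could claim https and skip the redirect."""
    try:
        from_proxy = any(ip_address(environ.get("REMOTE_ADDR", "")) in net
                         for net in TRUSTED_PROXIES)
    except ValueError:
        from_proxy = False
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if from_proxy and proto:
        return proto.split(",")[0].strip().lower()  # first hop is the client side
    return environ.get("wsgi.url_scheme", "http")

class ForceHttps:
    """WSGI middleware: redirect http:// to https://, add HSTS on https responses."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if effective_scheme(environ) != "https":
            url = "https://" + environ.get("HTTP_HOST", "") + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                url += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", url)])
            return [b""]
        # the framework now builds https:// URLs itself (e.g. the OAuth redirect_uri)
        environ["wsgi.url_scheme"] = "https"
        def with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS)]
            return start_response(status, headers, exc_info)
        return self.app(environ, with_hsts)

def dashboard(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"internal dashboard"]

def call(environ):
    """Run the wrapped app on a constructed WSGI environ; return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    b"".join(ForceHttps(dashboard)(environ, start_response))
    return seen["status"], seen["headers"]
```

Frameworks such as Flask (via werkzeug's ProxyFix) and Django (SECURE_PROXY_SSL_HEADER) ship equivalents; the point is that trusting the header must be scoped to the proxy that sets it.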
Story time! (Demo 2)
if you've ever set up oAuth for multiple apps against the same provider
... did you bother setting up separate oAuth clients?
yeah.
Story time! (Demo 3)
Cookie: session=.eJxljssKgkAYRl8l_rWJl1ScnWkLC8msaBEik046po7YGF7w3Su3bg7f4vBxRM1Zl-C6g3BpcVqS6M1xWQOSN4ZqKrJqatMXy0NLzg.CrvTRg.5bTUddcAEVMFMth_IuPteZT0OjA; HttpOnly; Path=/
How is the cookie signed?
Flask
Django
SECRET_KEY being configured badly is next to impossible to catch
All of these combined mean:
> spear phishing vector
> privilege escalation
> forced insecure comms
> attacker traffic indistinguishable from regular traffic
the LB here isn't to blame
people have ancient bookmarks pointing to http
ALL THINGS BEING EQUAL, BUT RUNNING ON A SINGLE MACHINE, THIS WOULD STILL BE A VULNERABLE SETUP
HSTS IS A MUST
Story time! (Demo 4)
CSRF protection disabled. yup. found this one too.
IT COMES WITH THE THING. LEAVE CSRF PROTECTION ALONE.
TAKEAWAYS
UNDERSTAND THE STUFF YOU USE BETTER.
BE MORE VIGILANT WITH CODE REVIEWS ON SECURITY-IMPACTING STUFF
BRING IN A FRESH PAIR OF EYES EVERY ONCE IN A WHILE
This talk is not an endorsement to roll everything yourself.
THANK YOU LUKA KLADARIC // L@K.HR // @KLL