Crash Course In Brain Surgery
1. Crash Course in Brain Surgery*
A Primer for Developers
* By “brain” I mean application and by “surgery” I mean security
Bruno Morisson <morisson@genhex.org> Codebits 2009
2. About me
• InfoSec Consultant & IT Security Operations Manager @ Commet (Oni Telecom)
• ~10 years in InfoSec
• CISSP/CISA/ISO27001 Lead Auditor
• Background as a Linux/Unix sysadmin
• Background as a C developer
• Know enough Perl/Python for my needs
• Not a developer!!!
3. Why ?
Buffer Overflows
OS Command Injection
Null Pointer Deref.
Business Logic
Format Strings
User Authentication
XSS
Session Management
CSRF
Password Management
SQL Injection
Encra^Hyption
RFI
Access Control
LDAP Injection
…
4. Brain Surgery ?!?
• You can’t expect to learn brain surgery in ~40 minutes
• You shouldn’t expect to learn application security in ~40 minutes
9. Objective
• Raise awareness on application security (and security in general)
• Think like an attacker
• Understand those who do
10. Security Mindset
“Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.”
Bruce Schneier
11. Security
• Security is about Managing Risks
Risk = P(Threat x Vulnerability x Impact)
12. How secure are your apps ?
• How do you measure your apps’ security ?
# of bugs ?
# of bugs per line of code ??
# of bugs per code ???
…
• More important, how do you avoid security bugs in your apps!!!
15. So you think you’re secure?
• Just because you develop in {C,Perl,Python,Ruby,PHP,Java,<insert favorite language here>} it doesn’t mean your app is secure!
• Understand and know that you will fail
• Assess risks, and define controls
16. User Input Validation
• Buffer Overflows / XSS / SQLi /…
• Applications don’t correctly validate what the user inputs
• Trust but verify
17. Cross Site Scripting
…is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users.
Source: Wikipedia
18. Cross Site Scripting
• Example app code (pseudo code):
...
$search = $_GET['search'];
// $search is used as-is, both inside the SQL and inside the HTML output
$query = "SELECT * FROM DOCS WHERE BODY LIKE '%$search%'";
$result = sql_query($query);
print "Here are the results to your query $search";
print_results($result);
...
19. Cross Site Scripting
• Application use:
http://secureserver/?search=application+security
20. Cross Site Scripting
• Application abuse:
– What if the user inputs some JavaScript ??
• The attacker can potentially own the user’s browser… but how ?
• Typically through social engineering or your own web app
21. Cross Site Scripting
• Back in 2002... “Multiple XSS Vulnerabilities in PHPNuke 6.0”
• In approx. 1 hour of “audit”, 7 XSS vulnerabilities discovered (in 22 different input fields)
• All allowed any user to hijack other users’ sessions
22. Cross Site Scripting
• In 2009… StrongWebMail Contest. US $10.000 Prize
• Everyone had the login and password.
• “Ultra” secure webmail system, confirmation of login using a cellphone.
• Owned by XSS.
24. Cross Site Scripting
• What can you do ?
– Filter the input…
…and the output
• Ask yourself:
– Do we really need to use HTML ?
– What is the intended input ?
– Are we outputting what we expect ?
Unfortunately developers tend to blacklist…
25. Cross Site Scripting
• But blacklist what ?
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=javascript:&#97;lert('XSS')>
<IMG SRC=javasc&#0114ipt:al&#101rt('XS&#83')>
…
26. Cross Site Scripting
• Use a positive security model
– If you expect a name, why accept numbers or punctuation ?
– If you expect a date, why accept “<” or “>” ?
– If you do expect HTML, make sure it is well filtered (that’s the hard part…)
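The positive security model above, as an added example that is not part of the original slides: each field gets an explicit allow-list, unknown fields are refused, and the patterns (a short name, an ISO calendar date) are assumptions made for this example.

```python
import re
from datetime import date

# Added example, not from the original slides: a positive security model in
# which every field has an explicit allow-list and everything else is rejected.
# The patterns and the field set are assumptions for this example, not a standard.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' \-]{0,63}$")   # letters, apostrophe, space, hyphen
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")     # ISO calendar date, nothing else

def validate_name(value: str) -> str:
    """Return the name if it matches the allow-list, else raise ValueError."""
    if not NAME_RE.fullmatch(value):
        raise ValueError("name: unexpected characters")
    return value

def validate_date(value: str) -> date:
    """Return a date object; both the format and the calendar validity are checked."""
    m = DATE_RE.fullmatch(value)
    if not m:
        raise ValueError("date: expected YYYY-MM-DD")
    year, month, day = (int(g) for g in m.groups())
    return date(year, month, day)   # raises ValueError for e.g. 2009-02-31

VALIDATORS = {"name": validate_name, "date": validate_date}

def validate_form(fields: dict) -> dict:
    """Validate each submitted field with its declared validator.
    Unknown fields are rejected: if we did not expect it, we do not accept it."""
    cleaned = {}
    for key, raw in fields.items():
        if key not in VALIDATORS:
            raise ValueError(f"unexpected field {key!r}")
        cleaned[key] = VALIDATORS[key](raw)
    return cleaned

def is_valid(fields: dict) -> bool:
    """Convenience wrapper: True if validate_form() accepts the submission."""
    try:
        validate_form(fields)
        return True
    except ValueError:
        return False

# Constructed inputs: one benign submission and three that a blacklist could miss.
GOOD = {"name": "Bruno Morisson", "date": "2009-12-05"}
BAD = [
    {"name": "<IMG SRC=javascript:alert(1)>", "date": "2009-12-05"},  # markup in a name
    {"name": "Bruno", "date": "2009-12-05<"},                         # trailing junk
    {"name": "Bruno", "date": "2009-12-05", "debug": "1"},            # field we never asked for
]
```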
27. Injection
• Not only SQL.
• Technique first mentioned in 1998 by rain forest puppy in Phrack 54
• OS injection is possibly older.
• LDAP is another target for injection.
28. Injection
...
$search = $_GET['search'];
// $search is used as-is, both inside the SQL and inside the HTML output
$query = "SELECT * FROM DOCS WHERE BODY LIKE '%$search%'";
$result = sql_query($query);
print "Here are the results to your query $search";
print_results($result);
...
29. Injection
• Impact ?
– Heartland Security Breach: 130 million credit and debit cards
– Cost of the breach: US$12.6 Million
32. Injection
• How do we protect ?
– Not so different from XSS. Same principles:
– Filter user input
– Whitelist what you know is safe
– Use stored procedures and views
– More ideas in a couple of slides…
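The search page from slides 18 and 28, rewritten in Python as an added example (not code from the slides): the version built by string concatenation sits beside a hardened version that binds the SQL value as a parameter, escapes the LIKE wildcards, and HTML-encodes the echoed value. The DOCS table, its rows and the SECRET column are constructed for the demo.

```python
import html
import sqlite3

# Added example, not from the slides: the search page of slides 18 and 28 in Python,
# first built the way the slide does it, then hardened. Hardened means the SQL value
# travels as a bound parameter and the echoed value is HTML-escaped. The DOCS table,
# its rows and the SECRET column are constructed for this demo.

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DOCS (ID INTEGER PRIMARY KEY, BODY TEXT, SECRET INTEGER)")
    conn.executemany("INSERT INTO DOCS (BODY, SECRET) VALUES (?, ?)",
                     [("application security primer", 0), ("internal salary table", 1)])
    return conn

def search_vulnerable(conn, search):
    # The user's string is pasted into the SQL and echoed into the HTML unchanged.
    query = f"SELECT ID FROM DOCS WHERE BODY LIKE '%{search}%' AND SECRET = 0"
    rows = [r[0] for r in conn.execute(query)]
    page = f"<p>Here are the results to your query {search}</p>"
    return rows, page

def search_hardened(conn, search):
    # Bound parameter: quotes inside the value are data, never SQL syntax.
    # The LIKE wildcards % and _ are escaped too, so the value cannot widen the match.
    escaped = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = [r[0] for r in conn.execute(
        "SELECT ID FROM DOCS WHERE BODY LIKE ? ESCAPE '\\' AND SECRET = 0",
        ("%" + escaped + "%",))]
    # Output encoding for the context the value lands in (HTML element text).
    page = f"<p>Here are the results to your query {html.escape(search)}</p>"
    return rows, page

# Constructed inputs: a normal query, the classic quote-breakout, and the slide's
# "what if the user inputs some JavaScript" case.
NORMAL = "application"
INJECTION = "x%' OR 1=1 --"
SCRIPT = "<script>alert(1)</script>"

def demo():
    """Run both versions on the three inputs and return what each would do."""
    conn = setup_db()
    return {
        "normal": search_hardened(conn, NORMAL)[0],
        "vuln_rows": sorted(search_vulnerable(conn, INJECTION)[0]),
        "hard_rows": search_hardened(conn, INJECTION)[0],
        "vuln_page": search_vulnerable(conn, SCRIPT)[1],
        "hard_page": search_hardened(conn, SCRIPT)[1],
    }
```

The vulnerable version returns the SECRET row for the breakout input and reflects the script tag verbatim; the hardened version returns no rows for it and emits `&lt;script&gt;`.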
33. More Input Validation
• Cookies
• Headers (Referrer!)
• Any variables!
– There’s no such thing as hidden fields!
– User IDs ?
– Application flow
– Etc..
34. More Input Validation
• Example:
– Application checks the “Referrer” to ensure the user comes from an allowed origin.
– Who sets the Referrer ? Oooops…
35. More Input Validation
• Example:
– If you trust the “hidden” field UserID, and the user sends it as “admin”, shouldn’t you verify it ?
– Use HMACs.
– More on this in a few slides
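The HMAC suggestion from slide 35, as an added example that is not part of the original slides: the server signs the hidden UserID with a key the browser never sees, and a submission whose value was changed to “admin” fails verification. SERVER_KEY, the field layout (`value.tag`) and the helper names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides: a "hidden" field protected by an HMAC, as slide 35
# suggests. The browser receives value plus tag and must send both back; any edit to the
# value breaks the tag. SERVER_KEY is generated here for the demo; a real app loads it
# from protected configuration, never from the page or the client.
SERVER_KEY = secrets.token_bytes(32)

def _tag(name: str, value: str, key: bytes) -> str:
    # The field name is part of the signed message, so a tag minted for one field
    # cannot be replayed on a different field.
    return hmac.new(key, f"{name}\x00{value}".encode(), hashlib.sha256).hexdigest()

def sign_field(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return what the page should embed for the field: '<value>.<hex tag>'."""
    return f"{value}.{_tag(name, value, key)}"

def verify_field(name: str, submitted: str, key: bytes = SERVER_KEY):
    """Return the original value if the tag verifies, otherwise None.
    compare_digest() is constant-time, so the check does not leak how much matched."""
    value, sep, tag = submitted.rpartition(".")
    if not sep:
        return None                       # no tag at all: the client just sent a value
    return value if hmac.compare_digest(_tag(name, value, key), tag) else None

def tamper(signed: str, new_value: str) -> str:
    """Constructed scenario from slide 35: keep the tag, change the value to 'admin'."""
    _old, _sep, tag = signed.rpartition(".")
    return f"{new_value}.{tag}"
```

The tag proves the value was not changed; it does not hide it, and it does not by itself stop an old signed value from being sent again, so the server still decides what that UserID may do.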
36. Identification, Authentication and Authorization
• Most people don’t know the difference!
• Identification is easy!
• The hard part is authenticating and authorizing…
37. Passwords & Login
• Lots of problems:
– Storage / Encryption ?
– Recovery ?
– Quality ?
– Bots / CAPTCHAs
• Why not outsource it ?
38. Sessions
• Lots of problems:
– Unique
– Unreplayable
– Unpredictable
– Logging user off
• Use a proven framework
39. Access Control
• How many apps use more than one database user ?
• If in certain parts of the app the user just needs to read (SELECT), why should it be able to write (INSERT/UPDATE) ?
• Does every part of the app need to read every table in the database ?
40. Access Control
• The same applies to any object (on a database or not)
• If in certain parts of the app the user just needs to read information, why should it be able to write or change information?
• Does every part of the app need to access every piece of information ?
42. Access Control
• Not those models…
– Biba (integrity)
– Bell-LaPadula (Confidentiality)
– Chinese-Wall (Brewer-Nash) (Conflicts of interest)
• Don’t reinvent the wheel…
43. Access Control
• Define a security model for your app.
• How many profiles should you need ?
• Which are the access needs for each profile ?
• Implement the model with the controls you have.
• Implement controls you don’t have, but can.
44. Access Control
• Ensure each subject has access to and only to the objects it is allowed to access!!!
45. Encraption
• Encryption is hard
• Don’t come up with new algorithms. They’ll suck.
• Don’t come up with new implementations. See previous point.
49. Business Logic
• If the logic is flawed, the app is flawed
• Example:
– In a homebanking system, the user can transfer -€2000 to a different account.
– Oooops…
50. Business Logic
• More examples
– On a site that sells electronics, the user bought 10 TV sets for €1000 each, and bought -20 Stereos for €500 each.
– Oooops…
51. Business Logic
• And more…
– On a site that sells movie tickets, the user can choose the seat, and it stays locked until the payment is done, for a max. of 10 minutes.
– The user automates this, for every seat in the room, every 10 minutes.
– Oooops…
52. Business Logic
• Still more…
– A company made a promotion, where you had to play a game (flash), using a special ID from their soda bottles.
– The top user had about 10x more points than the 2nd place.
– Results from each game were submitted from the flash application…
– Oooops…
53. Business Logic
• Ok, Last one:
– An E-Commerce site had special discount coupons they sent their customers.
– Someone discovered the coupon codes were predictable.
– Oooops…
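Server-side checks for the first two business-logic flaws above (the -€2000 transfer from slide 49 and the -20 stereos from slide 50), as an added example that is not part of the original slides. The catalog prices, the per-line quantity limit and the account balances are constructed for the demo.

```python
from decimal import Decimal

# Added example, not from the slides: server-side checks for the business-logic flaws
# on slides 49 and 50. The catalog, quantity limit and account balances are constructed.
CATALOG = {"tv": Decimal("1000"), "stereo": Decimal("500")}   # EUR, the authoritative prices
MAX_QTY = 100                                                 # assumed per-line limit

def naive_total(lines):
    """What the broken shop did: trust quantity and price exactly as submitted."""
    return sum(Decimal(str(l["qty"])) * Decimal(str(l["price"])) for l in lines)

def checked_total(lines):
    """Enforce the intended rules: 1..MAX_QTY of a known product, at our price."""
    if not lines:
        raise ValueError("empty order")
    total = Decimal(0)
    for line in lines:
        qty = line["qty"]
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"quantity {qty!r} outside 1..{MAX_QTY}")
        if line["sku"] not in CATALOG:
            raise ValueError(f"unknown product {line['sku']!r}")
        total += CATALOG[line["sku"]] * qty        # the client-sent price is ignored
    return total

def transfer(balances, src, dst, amount):
    """Slide 49: a transfer must be strictly positive and covered by the source balance."""
    amount = Decimal(str(amount))
    if amount <= 0:
        raise ValueError("amount must be positive")
    if src == dst or src not in balances or dst not in balances:
        raise ValueError("invalid accounts")
    if balances[src] < amount:
        raise ValueError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount
    return balances

def rejected(func, *args) -> bool:
    """True if the check refuses the input; used to show which inputs get blocked."""
    try:
        func(*args)
        return False
    except ValueError:
        return True

# Constructed order from slide 50: 10 TVs at 1000 plus -20 stereos at 500 "adds up" to 0.
BAD_ORDER = [{"sku": "tv", "qty": 10, "price": 1000},
             {"sku": "stereo", "qty": -20, "price": 500}]
GOOD_ORDER = [{"sku": "tv", "qty": 1, "price": 1}]   # client price is bogus and ignored
```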
54. Wrap-Up
• Always expect the worst
• Start thinking about security ASAP in the SDL
• Define a security model
• Analyze data flows and entry points
• Test the security of your app before the bad guys do
• Rinse & Repeat
55. Community
• InfoSec-Pros-PT – Mailing-List and LinkedIn Group (~377 members)
• http://groups.google.com/group/InfoSec-Pros-PT
• http://www.linkedin.com/groups?gid=112919
• Confraria Security&IT (Networking)
• Monthly informal meetings & dinner
• Free
• http://www.linkedin.com/groups?gid=1859900