WebAppSec @ Ibuildings in 2014

Web Application Security 2014
@ Ibuildings
Boy Baukema
29th January 2014, Vlissingen

Wednesday, February 5, 14

Fear Uncertainty and Doubt (FUD)
Adobe / Apple / Drupal.org / Evernote / LinkedIn
Facebook / NYT / PHP.net
Java 0-days
SSL BREACH
High Profile customers targets:

‣ AbuseHub
‣ MijnDomein
‣ RTLNieuws
Windows XP EOL in April ’14

2

What to do?

‣ OWASP Top 10 2013
‣ Status (Secure) Software Development Lifecycle
‣ OWASP ASVS 2013
‣ OWASP ASVS Bingo!

3

Security is a cross-cutting concern
'Thuisrouter directeur ook interessant voor hackers'

4

OWASP Top 10 (2013) time!

5

A1-Injection

‣ SQL Injection
‣ HTML Injection
‣ XML Injection
• XML External Entities (XXE)

‣ JavaScript Injection
‣ CSS Injection

6

A2-Broken Authentication and Session Management

‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset

7

HTTP Strict Transport Security
Strict-Transport-Security:

‣ max-age=60000;
‣ includeSubDomains

8

A3-Cross-Site Scripting (XSS)

‣ Stored
‣ Reflected
‣ DOM based
See Injection.

9

Content-Security-Policy
Content-Security-Policy(-Report-Only):

‣ default-src 'none';
‣ script-src https://cdn.mybank.net;
‣ style-src https://cdn.mybank.net;
‣ img-src https://cdn.mybank.net;
‣ connect-src https://api.mybank.com;
‣ frame-src 'self'
‣ report-uri /my_amazing_csp_report_parser;
IE10+, FF4+, Chrome 14+, (iOS)Safari 5.1+, Android 4.4+
http://caniuse.com/contentsecuritypolicy

10

A4-Insecure Direct Object References

11

A5-Security Misconfiguration

‣ Out of date PHP version (PHP<5.3, <5.4 after July)
‣ admin/admin
‣ Stack traces
‣ php.ini
• max_execution_time= 0
• session.cookie_httponly = Off
• session.cookie_secure = Off
• allow_url_fopen = On
• See: PhpSecInfo

12

A6-Sensitive Data Exposure

‣ Unsalted passwords
‣ Unencrypted Credit Cards
‣ Passwords / Session tokens over HTTP

13

A7-Missing Function Level Access Control

14

A8-Cross-Site Request Forgery (CSRF)

15

A9-Using Components with Known Vulnerabilities

16

A10-Unvalidated Redirects and Forwards

17

BONUS: Clickjacking

18

X-Frame-Options
DENY
The page cannot be displayed in a frame, regardless
of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the
same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the
specified origin.
IE8+,Chrome 4+, FF 3.6+ Safari 4+

19

SSDLC

Secure Software Development LifeCycle

20

Secure Software Development Life Cycle

Source: http://pentestmag.com/security-and-the-software-development-life-cycle/

21

Requirements / Functional Design
Threat
modeling

Security
Requirements

22

Architecture & Design / Technical Design

‣ Web App Review

23

Development / Implementation

‣ Secure Coding Practices
‣ Whitebox Testing

24

Development: Secure Coding Guidelines

‣ Use only POST for credentials
‣ Notify users when a password reset occurs
‣ Re-authenticate users prior to performing critical
operations

‣ Logout functionality should be available from all pages
protected by authorization

‣ Generate a new session identifier on any reauthentication

‣ Logging controls should support both success and failure
of specified security events

Source: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf 25

Development: (360) Code Reviews

26

Testing

‣ Greybox testing

27

Deployment

‣ Greybox security testing by third party

28

Maintenance / SLA

‣ Black box quarterly
‣ Grey box annually
‣ Monitoring
‣ Security Patches

29

Training

‣ Basic WebAppSec training
‣ Secure Coding training
‣ QA & Testing training

30

OWASP ASVS 2013

31

Security Checklist

32

Leveling up
Requirements:
164
136
47

33

Scope

34

Requirements
V1. Authentication

V8. Communication Security

V2. Session Management

V9. HTTP Security

V3. Access Control

V10. Malicious Controls

V4. Input Validation

V11. Business Logic

V5. Cryptography (at Rest)

V12. Files and Resources

V6. Error Handling and
Logging

V13. Mobile

V7. Data Protection

35

An example

36

Annotated ASVS 2013

37

An AASVS Requirement has...

‣ Short Title
‣ Long Title
‣ Verification PASS
‣ Verification FAIL
‣ Verification Help
‣ [Verification Help for PHP]
‣ [Verification Help for Drupal]
‣ [Verification Help for Symfony 2]
‣ Related Resources
38

Security Audit Template

‣ Introduction
• Target Of Verification
• Scope
• Confidentiality

‣ Document History, TOC
‣ Conclusions
‣ V1 - V13
‣ Appendix A: Source Code analysis
‣ Appendix B: Third Party libraries
39

Risk Rating

Source: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

40

OWASP ASVS 2013 and the SSDLC

41

FAQ

‣ So we must be fully
ASVS compliant?

‣ ...?

42

ASVS BINGO!

43

BINGO!

44

Prizes

45

Bootcamp

46

Verify it

47

Your Script for today
100 Fork the Template to your personal space.
220 Pop the ‘TODO’ stack of Requirements
221 If no Requirement, GOTO 350
230 Assign the Requirement (mark with your name).
231 Verify Requirement.
232 Report the results.
240 Push Requirement in the ‘DONE’ stack
241 GOTO 220
350 Review the DONE stack.

48

WebAppSec @ Ibuildings in 2014

Recommended

Recommended

More Related Content

Similar to WebAppSec @ Ibuildings in 2014

Similar to WebAppSec @ Ibuildings in 2014 (20)

More from Boy Baukema

More from Boy Baukema (9)

Recently uploaded

Recently uploaded (20)

WebAppSec @ Ibuildings in 2014