

INFM 603: Session 11 Application Security. Paul Jacobs The iSchool University of Maryland Wednesday, May 1, 2019. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States See http://creativecommons.org/licenses/by-nc-sa/3.0/us/ for details.





Presentation Transcript


  1. INFM 603: Session 11 - Application Security
  Paul Jacobs, The iSchool, University of Maryland, Wednesday, May 1, 2019
  This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States. See http://creativecommons.org/licenses/by-nc-sa/3.0/us/ for details.

  2. Today’s Topics • Overview of Security Issues (as They Pertain to Web Enabled Applications) • Sample Threats and Basic Strategies for Preventing Security Problems • Some Resources

  3. Why Security is So Important
  • Every site, every application is vulnerable
    • Many attackers do not care whom they are attacking – why?
    • Most attacks go unpunished, many undetected
    • Software is by nature imperfect
    • Good security can be complex, confusing, burdensome, perhaps costly
  • Costs of inattention can be tremendous
    • Lost productivity
    • Lost revenues
    • Damage to reputation
    • Harm to constituents
  Overview of Security Issues Threats and Strategies Resources

  4. Some Examples
  • Web site hijacking
  • Denial of service
  • Data breach/theft of service
  • Malicious code/malware/ransomware
  • . . .

  5. Before We Dive In – Some Tips
  • Determine where the real risks/costs are, e.g.:
    • Compromising your constituents
    • Lost productivity
    • Loss of access/services during key periods
  • Recognize that most security flaws are human-created
    • Think “phishing”
    • Think “careless”
  • Focus business/process changes on the critical areas, work with experts as needed, and always inventory/monitor

  6. OWASP Top 10 (title inferred from slide 7; the slide body was not captured in this transcript)

  7. OWASP Top 10 (cont’d) (slide body not captured in this transcript)

  8. Layers & Risks (figure, 2001 (c) WhiteHat Security, Inc.)

  9. Threats and Strategies

  10. Injection
  • Allowing code (SQL, shell script, or other) to execute from outside the “boundary of trust” (e.g., via HTTP)
  • Note that server-side scripts need permissions that outside users don’t have – injection thus allows unauthorized users to gain access
  • With all security, each flaw can allow unauthorized users to gain access via other flaws
  • How to protect:
    • Validate all user input: “All injection flaws are input validation errors”
    • Carefully construct queries – use prepared statements

  11. SQL Injection - Example
    $txtUserId = $_POST["uid"];
    // the user-supplied string is concatenated straight into the SQL text
    $txtSQL = "SELECT * FROM Users WHERE UserId = " . $txtUserId;
  • What’s wrong with the above?
  • What happens if the user enters “1101 OR 1=1”?
  • Can we anticipate all cases where this might cause problems?

  12. PHP MySQLi – Prepared Statements (1)
    <?php
    $servername = "localhost";
    $username = "username";
    $password = "password";
    $dbname = "myDB";
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

  13. PHP MySQLi – Prepared Statements (2)
    // prepare and bind: the "?" placeholder is filled by the database driver,
    // so the value can never be parsed as SQL
    $stmt = $conn->prepare("SELECT id FROM authors WHERE name = ?");
    $name = $_GET["name"];
    $stmt->bind_param("s", $name);
    // execute and read back the matching rows
    $stmt->execute();
    $stmt->bind_result($id);
    while ($stmt->fetch()) {
        echo "Author id: " . $id . "<br />";
    }
    $stmt->close();
    $conn->close();
    ?>

  14. Injection - Summary
  • Among the most common, and most dangerous, security threats
  • Requires attention, care, and a multipronged effort to prevent:
    • Preventing code that allows user execution (SAST and DAST – static and dynamic application security testing – tools)
    • Validating and constraining input
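The slide-11 question (“what happens if the user enters 1101 OR 1=1?”) answered in running code, as an added example that is not part of the lecture. It uses Python's built-in sqlite3 instead of the slides' PHP/MySQLi, with a constructed three-row Users table, and contrasts the concatenated query with the bound-parameter form from slides 12–13.

```python
import sqlite3

# Constructed sample data standing in for the slides' Users table.
USERS = [(1101, "alice"), (1102, "bob"), (1103, "carol")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, txt_user_id):
    # Slide-11 pattern: the user-controlled string becomes part of the SQL
    # text, so "1101 OR 1=1" is parsed as a WHERE clause, not as a value.
    sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, txt_user_id):
    # Prepared statement: the value is bound to the "?" placeholder, so the
    # database compares UserId against the literal string "1101 OR 1=1".
    sql = "SELECT * FROM Users WHERE UserId = ?"
    return conn.execute(sql, (txt_user_id,)).fetchall()


def demo():
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "1101"),
        "unsafe_attack": lookup_unsafe(conn, "1101 OR 1=1"),  # every row leaks
        "safe_normal": lookup_safe(conn, "1101"),
        "safe_attack": lookup_safe(conn, "1101 OR 1=1"),      # no row matches
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:14s} -> {rows}")
```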

  15. Broken Authentication
  • “Compromised” passwords, keys, or session tokens, or any other ability to “assume” others’ identity
  • As with injection, very dangerous because it allows unauthorized users to gain potentially unlimited access
  • Hard to protect against because there are so many different ways information can be compromised

  16. How Do Passwords Get Stolen?
  • They exist unencrypted somewhere (e.g., file, database, script)
  • They are “scraped”, “sniffed”, “phished”, or otherwise given away accidentally
  • They appear on a distributed password list

  17. How Do Passwords Get Stolen?
    <?php
    // Now get all the data
    // Create connection (the database password is sitting in plain text in the script)
    $database = new mysqli("localhost", "testuser1", "testuser123", "testuser1_pets");
    // Check connection
    if ($database->connect_error) {
        die("Connection failed: " . $database->connect_error);
    }
    $petname = $_REQUEST['petname'];
    // first query - get the data, ownerID and FoodID from the Pets table
    // ($petname is interpolated straight into the query: the same hole as slide 11)
    if ( !( $result = $database->query( "SELECT Breed,Eats,OwnerID FROM Pets WHERE Name = '$petname'" ) ) )
        print ("Warning! could not execute query <br />" );
    $row = $result->fetch_assoc();
    $foodid = $row["Eats"];
    $petbreed = $row["Breed"];
    $ownerid = $row["OwnerID"];
    . . .

  18. What Makes a Good Password?
  • Does length matter?
  • Do special characters matter?
  • Why do you get instructions like “must be at least 8 characters, at least one number, at least one upper case and lower case character, at least one symbol, and can’t repeat the same character more than twice”?

  19. What Makes a Good Password? (cont’d)
  • It hasn’t already been compromised
  • It isn’t a default (like “password” or “admin”)
  • It isn’t on any known password list (like “iloveyou2”)
  • Is “3971” a good password? What about “x$5gq”? How about “glizwchbed”?
  • How many possible passwords are there of four characters? Of 6? Why do most sites require 8 characters, then?

  20. Ashley Madison
  • One of many, but among the most famous public data breaches of all time
  • 60 gigabytes of user data, including passwords, stolen from a dating site aimed at married people
  • Much bad behavior and false denials involving nearly all parties
  • A great source of material on bad passwords

  21. Bad Passwords
  • https://github.com/danielmiessler/SecLists/tree/master/Passwords
  • From Ashley Madison (just a sample): [list of leaked passwords omitted]

  22. One-Way Hashing Functions (e.g., Argon2 or PBKDF2)
  • What is “hashing”?
    • A computer term for calculating a mathematical function on strings (e.g. add the ASCII values of all the characters, divide by 11, and take the remainder)
    • Very widely used internally by computers to store and match stuff efficiently (e.g. search term index)
    • Generally, doesn’t have to be 1:1 (sometimes you can have many strings hash to the same “buckets” and then just compare more later)
  • What’s the idea of “one-way hashing”?
    • The hash “keys” (the values computed) will match if the strings are identical (e.g. if someone knows the password)
    • You can’t reverse the process (i.e. to get the password if you know the key)

  23. One-Way Hashing Example
  https://antelle.github.io/argon2-browser/
  • Notes – “Salt” is some random but consistent data to make the hash function unique – Argon2 and PBKDF2 are “salted” hashes
  • Defense against “rainbow table” – a method of reversing a hash function using a dump of a password hash table
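Salted one-way hashing from slides 22–23 in runnable form, as an added example that is not from the lecture. It uses PBKDF2-HMAC-SHA256 from Python's standard library (Argon2 is not in the standard library); the iteration count, salt length and record layout are assumptions of this example, chosen to mirror the self-describing `$6$salt$hash` records of slide 24.

```python
import hashlib
import hmac
import os

ITERATIONS = 210_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # assumed salt length


def unsalted_sha256(password: str) -> str:
    # What NOT to do: identical passwords give identical hashes, so one
    # precomputed (rainbow) table reverses every user who chose "iloveyou2".
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    # A fresh random salt per password means two users with the same password
    # get different hashes, and a rainbow table built in advance is useless.
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Store algorithm, cost and salt beside the hash so verification needs no
    # other state (the same idea as the $6$<salt>$<hash> fields in /etc/shadow).
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # One-way: we never recover the password, we recompute and compare.
    try:
        algo, iters, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the check leaks nothing about partial matches.
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    print("unsalted, user A:", unsalted_sha256("iloveyou2"))
    print("unsalted, user B:", unsalted_sha256("iloveyou2"))   # identical
    print("salted,   user A:", hash_password("iloveyou2"))
    print("salted,   user B:", hash_password("iloveyou2"))     # different
```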

  24. Stored Passwords Example
  • Linux password file sample (only available to root): [dump of hashed password records omitted]

  25. Multi-Level (Multi-Factor) Authentication
  • Prevents robots, password “stuffing”, and other “brute force” attempts to break into passworded sites/data
  • Examples include authenticating by device/MAC address, CAPTCHA (“I am not a robot”), temporary codes by e-mail or text, etc.
  • Note – can be relatively unobtrusive (e.g. “remember me”) or not (e.g. CAPTCHAs)

  26. Authentication Issues - Summary
  • Very dangerous, but at least easy to understand
  • Steps to prevent:
    • One-way hash function for storing passwords – never unencrypted
    • Multi-factor authentication – block all “brute force” attempts
    • Test and control for weak or known passwords (e.g., check against known lists)
    • Monitor/control for multiple attempts; log attempts

  27. Sensitive Data Exposure
  • Data such as credit card numbers, passwords, or confidential information is stored or transmitted unencrypted
  • Even if stored encrypted, it may be unencrypted while it is being used and exposed via SQL injection/session hijacking

  28. How Did It Happen? (figure)

  29. Session Hijacking
  • A “session” is what connects you and your data to an application, when that application is handling many other users at the same time
  • A “cookie” has become the standard Internet lingo for the data structure that keeps track of your session. That way it seems seamless every time the application comes back to you (e.g., shopping cart)
  • Using “packet sniffing” or other means to monitor traffic, or by gaining access through other methods, a hacker can steal the “session cookie”, thereby gaining access to any data that would have been available to the authorized user during the session (often referred to as a “man in the middle” – MITM – attack)

  30. Sensitive Data - Summary
  • Very common, but can be prevented
  • Steps to prevent:
    • Only store data that must be stored
    • Encrypt everything using secure schemes
    • Prevent caching if possible
    • Make sure data is transmitted encrypted (e.g. using TLS)

  31. XML External Entity (XXE)
  • Older XML processors allow references to entities/resources that are not public
  • Hackers send sample XML files with embedded references (e.g., to /etc/passwd) and thus gain access to private information

  32. What is SOAP?
  • Simple Object Access Protocol
  • A Framework for XML “Middleware” – A Way of Exchanging Information Between Web Services/Applications
  • A SOAP Message Contains, Effectively, an Encapsulated Function Call or Response:
    POST /InStock HTTP/1.1
    Host: www.example.org
    Content-Type: application/soap+xml; charset=utf-8
    Content-Length: 299
    SOAPAction: "http://www.w3.org/2003/05/soap-envelope"

    <?xml version="1.0"?>
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                   xmlns:m="http://www.example.org/stock/Manikandan">
      <soap:Header>
      </soap:Header>
      <soap:Body>
        <m:GetStockPrice>
          <m:StockName>GOOGLE</m:StockName>
        </m:GetStockPrice>
      </soap:Body>
    </soap:Envelope>

  33. XXE - Summary
  • Like injection and other means, allows hackers to get access to private information
  • Steps to prevent:
    • Disable external references
    • Use “white lists” to identify trusted XML sources
    • Use the latest version of SOAP and other XML processors
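The “disable external references” step from slide 33 applied to the slide-32 SOAP message, as an added example that is not from the lecture. The check is an assumption of this example: an external entity can only be declared inside a DTD, and a SOAP message never needs one, so the parser simply refuses any document carrying a DOCTYPE or ENTITY declaration before the XML library ever sees it (the same idea that DTD-forbidding XML wrappers implement). Both sample messages are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Refuse the whole class of documents that carry a DTD, which is where an
# <!ENTITY ... SYSTEM "file:///..."> reference would have to live.
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

NS = {"soap": "http://www.w3.org/2003/05/soap-envelope",
      "m": "http://www.example.org/stock/Manikandan"}

# Constructed: the slide-32 message.
SAMPLE_SOAP = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock/Manikandan">
  <soap:Header></soap:Header>
  <soap:Body>
    <m:GetStockPrice><m:StockName>GOOGLE</m:StockName></m:GetStockPrice>
  </soap:Body>
</soap:Envelope>"""

# Constructed: the same message with the slide-31 style external reference.
SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock/Manikandan">
  <soap:Body>
    <m:GetStockPrice><m:StockName>&xxe;</m:StockName></m:GetStockPrice>
  </soap:Body>
</soap:Envelope>"""


class UnsafeXML(ValueError):
    """Raised for input we refuse to parse at all."""


def parse_untrusted(text: str) -> ET.Element:
    # Apply the check to the decoded text (after any transport decoding), so
    # the marker cannot hide behind an unexpected byte encoding.
    if DTD_MARKER.search(text):
        raise UnsafeXML("document declares a DTD/entity; refusing to parse")
    return ET.fromstring(text)


def stock_name(text: str):
    # Read the StockName out of a GetStockPrice request.
    env = parse_untrusted(text)
    return env.findtext("soap:Body/m:GetStockPrice/m:StockName", namespaces=NS)


if __name__ == "__main__":
    print("good message ->", stock_name(SAMPLE_SOAP))
    try:
        stock_name(SAMPLE_XXE)
    except UnsafeXML as err:
        print("XXE message  -> rejected:", err)
```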

  34. Broken Access Control
  • For example, /etc/passwd is publicly readable (and used to contain encrypted passwords)
  • Many servers allow access to files by default
  • Many servers (including ours) allow public reading by default

  35. Broken Access Control - Example (figure; slide body not captured in this transcript)

  36. Broken Access Control - Summary
  • Very simple, but people can be careless
  • Steps to prevent:
    • Default to making everything private (what UMD does)
    • Disable listing features
    • Log access attempts and violations

  37. Security Misconfiguration
  • Very similar to broken authentication, but often involves leaving defaults in place or failing to correct known vulnerabilities

  38. Cross-Site Scripting (XSS) (also CSRF – Cross-Site Request Forgery)
  • Second most prevalent security weakness (found in 2/3 of applications)
  • When users are allowed to input HTML (often), they may be able to run arbitrary JavaScript as well
  • By sending JavaScript code to a user’s browser, attackers can do all kinds of bad things (hijack sessions, engage in defacing/“malvertising”/etc.)
  • This is why our site does not allow jQuery code to run from your laptop

  39. XSS Example
  • A blog/forum site displays the latest comment, but a user “posts” a script as a comment
  • The site then inadvertently becomes an accomplice to the attacker, who now can run code in another user’s browser
  • Once in control of the browser, the script can:
    • Monitor keystrokes using addEventListener
    • Convey other information to another site
    • Hijack a session cookie
    • Insert a fake login form/phishing form
    <html>
    Latest comment: <script>...</script>
    </html>

  40. Validate/Sanitize/Escape
  https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
  • Validate user input – e.g. make sure text is text, make sure a zip code is a zip code, etc.
  • Sanitize input – e.g., strip all tags, < and >, check for non-UTF-8 characters, etc.
  • Escape – securing output – before rendering any output, make sure it includes only the allowable parts (e.g., don’t pass user-supplied HTML that carries JavaScript through to the browser)

  41. Validation Criteria
  • Data type (string, integer, real, etc.)
  • Allowed character set
  • Minimum and maximum length
  • Whether null is allowed
  • Whether the parameter is required or not
  • Whether duplicates are allowed
  • Numeric range
  • Specific legal values (enumeration)
  • Specific patterns (regular expressions)

  42. Validation in WordPress - Example
    $safe_zipcode = intval( $_POST['my-zipcode'] );
    if ( ! $safe_zipcode ) {
        $safe_zipcode = '';
    }
    if ( strlen( $safe_zipcode ) > 5 ) {
        $safe_zipcode = substr( $safe_zipcode, 0, 5 );
    }
    update_post_meta( $post->ID, 'my_zipcode', $safe_zipcode );

  43. Sanitizing in WordPress - Example
    <input type="text" id="title" name="title" />

    $title = sanitize_text_field( $_POST['title'] );
    update_post_meta( $post->ID, 'title', $title );
  • sanitize_text_field would do the following:
    • Check for valid UTF-8
    • Convert single < characters, etc.:
      • from “<” to “&lt;”
      • from “>” to “&gt;”
      • from “(” to “&#40;”
      • from “)” to “&#41;”
      • from “#” to “&#35;”
      • from “&” to “&#38;”
    • Strip all tags
    • Remove line breaks, tabs, etc.
    • Strip octets (extra 8-bit characters, or special characters)
  • WordPress provides a bunch of sanitize functions, such as sanitize_email(), sanitize_file_name(), sanitize_title(), sanitize_user(), etc.

  44. Escaping in WordPress - Example
    <h4><?php echo esc_html( $title ); ?></h4>
    <img src="<?php echo esc_url( $great_user_picture_url ); ?>" />
  • These functions (note - written in PHP, like the previous examples) prevent user input that includes XSS, incorrect HTML, or other potential problems from being inadvertently passed to the browser
  • “Follow the whitelist philosophy”

  45. XSS - Summary
  • Very common; holes can be detected but take effort to prevent
  • Steps to prevent:
    • Use frameworks that automatically escape content
    • Follow the validate-sanitize-escape framework
    • See e.g. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
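The validate-sanitize-escape pipeline of slides 40–44 applied to the slide-39 “Latest comment” page, as an added example that is not from the lecture and not WordPress code. It is written in Python rather than PHP; the zip-code rule (exactly five digits, reject rather than truncate as the slide-42 code does), the comment length limit and the page template are assumptions of this example, and the point it makes is that escaping at output neutralizes the posted `<script>` even when sanitizing is skipped.

```python
import html
import re

TAG = re.compile(r"<[^>]*>")
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
ZIP = re.compile(r"\d{5}")


def validate_zipcode(raw: str):
    # Validation (slide 41 criteria: type, charset, length, pattern):
    # accept exactly five digits or nothing at all.
    raw = raw.strip()
    return raw if ZIP.fullmatch(raw) else None


def sanitize_comment(raw: str, max_len: int = 500) -> str:
    # Sanitizing (slide 43 idea): strip tags, drop control characters,
    # collapse whitespace, bound the length. This is what gets stored.
    text = TAG.sub("", raw)
    text = CONTROL.sub("", text)
    text = " ".join(text.split())
    return text[:max_len]


def escape_html(text: str) -> str:
    # Escaping at output (slide 44 esc_html idea): <, >, &, " and ' become
    # entities, so the browser renders them as text instead of markup.
    return html.escape(text, quote=True)


def render_latest_comment(raw_comment: str, sanitize: bool = True) -> str:
    # The slide-39 page. Escaping happens at the moment of output, which is
    # the control that still holds if the sanitizing step was forgotten.
    stored = sanitize_comment(raw_comment) if sanitize else raw_comment
    return f"<html>Latest comment: {escape_html(stored)}</html>"


if __name__ == "__main__":
    posted = "<script>...</script>"        # the slide-39 comment
    print(render_latest_comment(posted))
    print(render_latest_comment(posted, sanitize=False))
    print(validate_zipcode(" 20742 "), validate_zipcode("20742-1234"))
```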

  46. Insecure Deserialization
  • Prevalence unknown, but very dangerous (allows hackers to obtain arbitrary privileges)
  • Similar to hijacking: a session cookie can be “serialized” (e.g. encoded in XML/JSON), modified, and then used to penetrate the app

  47. Deserialization - Summary
  • Very dangerous, although it’s not known exactly how it’s being used
  • Steps to prevent:
    • Allow only certain objects to be deserialized
    • Encrypt cookies and user data
    • Like other features, log and monitor everything
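The slide-46 scenario (a serialized session cookie that is modified and sent back) with the slide-47 defenses, as an added example that is not from the lecture. It signs the JSON cookie with an HMAC so any modification is detected before the data is parsed, and only deserializes a fixed set of fields; signing gives integrity only, the “encrypt cookies” step would additionally hide the contents. The field names, key and sample session are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Only these fields may ever be serialized or accepted back (constructed).
ALLOWED_FIELDS = {"user_id", "role", "expires"}


class BadSession(ValueError):
    """Raised for a cookie that is malformed, forged, or modified."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def serialize_session(data: dict, key: bytes) -> str:
    if set(data) - ALLOWED_FIELDS:
        raise BadSession("refusing to serialize unexpected fields")
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def deserialize_session(token: str, key: bytes) -> dict:
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        raise BadSession("malformed token")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Verify BEFORE parsing: modified bytes never reach json.loads.
    if not hmac.compare_digest(tag, expected):
        raise BadSession("signature mismatch: cookie was modified or forged")
    data = json.loads(body)
    # Allow only the expected object shape through (slide 47, step 1).
    if not isinstance(data, dict) or set(data) - ALLOWED_FIELDS:
        raise BadSession("unexpected structure in cookie")
    return data


def modified_copy(token: str, field: str, value) -> str:
    # What a tampered cookie looks like: the body is edited, the original
    # signature is left in place. Used here only to exercise the check.
    body_b64, tag_b64 = token.split(".")
    data = json.loads(_unb64(body_b64))
    data[field] = value
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + tag_b64


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = serialize_session({"user_id": 1101, "role": "user", "expires": 1700000000}, key)
    print("valid cookie  ->", deserialize_session(token, key))
    try:
        deserialize_session(modified_copy(token, "role", "admin"), key)
    except BadSession as err:
        print("edited cookie ->", err)
```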

  48. Components with Known Vulnerabilities
  • Once security flaws become known, they are often fixed or patched
  • At that point, it becomes very dangerous to use an out-of-date version

  49. Insufficient Logging & Monitoring
  • Hackers often gain access through repeated attempts
  • Maintaining logs, alerts and audit trails can:
    • Help to detect and prevent problems
    • Help to respond after something goes wrong
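Slide 26's “monitor/control for multiple attempts” and slide 49's “detect repeated attempts” turned into detection logic, as an added example that is not from the lecture. The log format, the thresholds (5 failures within 5 minutes) and the log lines themselves are constructed for this example; it flags a source that keeps failing, an account that is hit from many sources (the password “stuffing” pattern of slide 25), and a success that immediately follows such a burst, which is the event a responder most wants to see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>OK|FAIL) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")
MAX_FAILURES = 5            # assumed threshold
WINDOW = timedelta(minutes=5)

# Constructed sample: alice brute-forced from one address and then logged in,
# bob two stray typos half an hour apart, carol hit from five addresses.
SAMPLE_LOG = """\
2019-05-01T10:00:01 login FAIL user=alice src=203.0.113.7
2019-05-01T10:00:02 login FAIL user=alice src=203.0.113.7
2019-05-01T10:00:03 login FAIL user=alice src=203.0.113.7
2019-05-01T10:00:04 login FAIL user=alice src=203.0.113.7
2019-05-01T10:00:05 login FAIL user=alice src=203.0.113.7
2019-05-01T10:00:06 login OK user=alice src=203.0.113.7
2019-05-01T10:01:00 login FAIL user=bob src=198.51.100.2
2019-05-01T10:30:00 login FAIL user=bob src=198.51.100.2
2019-05-01T10:30:10 login FAIL user=carol src=198.51.100.20
2019-05-01T10:30:11 login FAIL user=carol src=198.51.100.21
2019-05-01T10:30:12 login FAIL user=carol src=198.51.100.22
2019-05-01T10:30:13 login FAIL user=carol src=198.51.100.23
2019-05-01T10:30:14 login FAIL user=carol src=198.51.100.24
"""


def parse(log_text):
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def _trim(q, now, window):
    # Drop failure timestamps that have fallen out of the sliding window.
    while q and now - q[0] > window:
        q.popleft()


def analyze(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return sorted (kind, key) alerts found in the log text."""
    recent = defaultdict(deque)   # (kind, key) -> failure timestamps in window
    alerts = set()
    for ts, result, user, src in parse(log_text):
        if result == "OK":
            q = recent[("user", user)]
            _trim(q, ts, window)
            if len(q) >= max_failures:
                alerts.add(("success_after_burst", user))
            continue
        for kind, key in (("src", src), ("user", user)):
            q = recent[(kind, key)]
            q.append(ts)
            _trim(q, ts, window)
            if len(q) >= max_failures:
                alerts.add((kind, key))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, key in analyze(SAMPLE_LOG):
        print(f"ALERT {kind:20s} {key}")
```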
