Why hackers don’t care about your firewall • Seba Deleersnyder • seba@owasp.org
Sebastien Deleersnyder? • 5 years developer experience • 11 years information security experience • Managing Technical Consultant, SAIT Zenitel • Belgian OWASP chapter founder • OWASP board member • www.owasp.org • Co-organizer www.BruCON.org
OWASP World • OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
Myth • We are secure because we have a firewall • 75% of Internet vulnerabilities are at the web application layer* • *Gartner Group (2002 report)
Security evolution? Source: Gunnar Peterson (Arctec Group)
A firewall friendly protocol • = • “a skull friendly bullet” • (Bruce Schneier)
Your security “perimeter” has huge holes at the application layer • [diagram: an application attack passes straight through both firewalls at the network layer, through the hardened OS, web server and app server, and lands in the application layer: custom developed application code, databases, legacy systems, web services, directories, human resources, billing] • You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
example: SQL injection attack • Select user_information from user_table where username='input username' and password='input password' • Select user_information from user_table where username='' or 1=1-- ' and password='abc'
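The two queries on this slide, run side by side, as an added example that is not part of the original deck: the first function builds the WHERE clause by string splicing exactly as the slide's query does, the second binds the same values as parameters. The in-memory SQLite table, the user names and the stored values are constructed for the demo.

```python
import sqlite3


def make_db():
    """Build a small in-memory user_table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_table (username TEXT, password TEXT, user_information TEXT)"
    )
    # Constructed sample data. Passwords are kept in clear text only so the
    # query has the same shape as the slide; a real system stores a salted hash.
    conn.executemany(
        "INSERT INTO user_table VALUES (?, ?, ?)",
        [("alice", "s3cret", "alice: admin"), ("bob", "hunter2", "bob: customer")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Splices user input straight into the SQL text, as the slide's query does."""
    sql = (
        "SELECT user_information FROM user_table "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL syntax."""
    sql = "SELECT user_information FROM user_table WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# The slide's payload: closes the quote, adds an always-true clause and
# comments out the rest of the statement, including the password check.
INJECTED_USERNAME = "' or 1=1--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, INJECTED_USERNAME, "abc"))
    print("parameterized:", login_parameterized(db, INJECTED_USERNAME, "abc"))
```

With the injected username the spliced query returns every row in the table, while the parameterized query looks for a user literally named `' or 1=1--` and returns nothing; the firewall sees the same HTTPS request in both cases.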
RockYou? • December 2009 • a hacker used SQL Injection techniques to hack the database of RockYou • RockYou creates applications for MySpace, Facebook, ... • Result • data of 32,603,388 users and administrative accounts was compromised (credentials + clear text passwords) • the data also contained email addresses and passwords for 3rd party sites • Question: how many of those users use the same password for other sites too?
XSS = Cross-site Scripting • Web application vulnerability • Injection of code into web pages viewed by others • XSS = new buffer overflow • Javascript = new Shell Code
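Output encoding is the counterpart to the injection the slide describes. The following is an added example, not code from the deck: it renders a user-supplied comment into a page body and into an attribute value, once raw and once through Python's standard `html.escape`. The comment text and attribute value are constructed samples; the page fragments are assumed, not taken from any real application.

```python
import html

# Constructed sample inputs a user might submit.
SAMPLE_COMMENT = "<script>alert('xss')</script>"
SAMPLE_VALUE = '" onfocus="alert(1)'


def render_comment_vulnerable(comment):
    """Places raw user input into the page body, so markup in it becomes live HTML."""
    return f'<p class="comment">{comment}</p>'


def render_comment_escaped(comment):
    """Encodes &, <, >, \" and ' so the browser shows the input as text."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute_vulnerable(value):
    """Attribute context: a stray double quote in the input ends the attribute early."""
    return f'<input type="text" value="{value}">'


def render_attribute_escaped(value):
    """quote=True is what the attribute context needs: quotes become &quot; / &#x27;."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def quote_count(fragment):
    """Number of literal double quotes in a fragment; used to show whether the
    input was able to add any beyond the template's own four."""
    return fragment.count('"')


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))
    print(render_comment_escaped(SAMPLE_COMMENT))
    print(render_attribute_vulnerable(SAMPLE_VALUE))
    print(render_attribute_escaped(SAMPLE_VALUE))
```

Escaping must match the context the data lands in: the body and attribute cases above are covered by HTML entity encoding, but a value placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead, which is why template engines that escape by default are the usual fix.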
XSSED.ORG Still not fixed (with redirection): http://www.google.com/search?btnI&q=allinurl:http://www.xssed.com/
Insecure Direct Object References Illustrated • Attacker notices his acct parameter is 6065: https://www.onlinebank.com/user?acct=6065 • He modifies it to a nearby number: ?acct=6066 • Attacker views the victim’s account information
Security Misconfiguration Illustrated • [diagram: every layer of the stack where a misconfiguration can live: hardened OS, web server, app server, development framework, app configuration, custom code and the business functions built on it (finance, transactions, accounts, administration, communication, knowledge mgmt, e-commerce), the database, plus the QA servers, test servers and source control around it, and an insider with access to them]
Serving up malware • A quick Google Safe Browsing search of TechCrunch Europe's site shows suspicious activity twice over the last 90 days. "Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent.” (Sep 2010) • Reason: unpatched WordPress
Failure to Restrict URL Access Illustrated • Attacker notices the URL indicates his role /user/getAccounts • He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own
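The two slides "Insecure Direct Object References Illustrated" and "Failure to Restrict URL Access Illustrated" are the object-level and the function-level half of one problem: the server trusts something the client can edit. The code below is an added example, not from the deck or from any bank: it models a session established at login, an account store keyed by the slide's 6065/6066 numbers (constructed data), and a request handler that checks the role against the URL and the account owner against the session before returning anything. The paths and role names are assumptions for the demo.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Who is making the request, as established by the server at login.
    Neither field comes from the URL or from a form parameter."""
    user_id: str
    role: str  # "user", "manager" or "admin" (assumed roles)


# Constructed account store: acct number -> (owner, balance).
ACCOUNTS = {
    "6065": ("alice", 1200.0),
    "6066": ("bob", 50.0),
}

# Which roles may call which URL. The directory name in the path is just a
# name; this table is what actually decides.
ROLE_FOR_PATH = {
    "/user/getAccounts": {"user", "manager", "admin"},
    "/manager/getAccounts": {"manager", "admin"},
    "/admin/getAccounts": {"admin"},
}


def can_view_all(role):
    return role in {"manager", "admin"}


def get_account_vulnerable(session, acct):
    """Insecure direct object reference: trusts the acct parameter outright."""
    return ACCOUNTS.get(acct)


def get_account(session, acct):
    """Object-level check: the caller must own the account or hold a role
    that may see every account. Returns None on miss and on denial alike,
    so the response does not reveal whether a foreign account exists."""
    record = ACCOUNTS.get(acct)
    if record is None:
        return None
    owner, _balance = record
    if owner != session.user_id and not can_view_all(session.role):
        return None
    return record


def handle_request(session, path, acct=None):
    """Function-level check on the URL first, then the object-level check on
    acct. Returns an (http_status, body) pair the way a real handler would."""
    allowed_roles = ROLE_FOR_PATH.get(path)
    if allowed_roles is None:
        return 404, "not found"
    if session.role not in allowed_roles:
        return 403, "forbidden"  # enforced server-side, whatever the URL says
    if acct is None:
        # Listing: return only what this session is allowed to see.
        visible = {
            num: rec
            for num, rec in ACCOUNTS.items()
            if rec[0] == session.user_id or can_view_all(session.role)
        }
        return 200, visible
    record = get_account(session, acct)
    if record is None:
        return 403, "forbidden"
    return 200, {acct: record}


if __name__ == "__main__":
    alice = Session("alice", "user")
    print(get_account_vulnerable(alice, "6066"))   # bob's data leaks
    print(handle_request(alice, "/user/getAccounts", "6066"))
    print(handle_request(alice, "/admin/getAccounts"))
```

The check lives in the handler, not in the URL layout or in the client, and a denied object lookup is reported the same way as a missing one; a firewall in front of this server cannot tell `?acct=6065` from `?acct=6066`, only the application can.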
Encrypt customer data? • customer data of 77 million users compromised (potentially credit cards as well)
Jobs by CNN? • http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW
Download http://www.owasp.org/index.php/Top_10
SAMM Security Practices • The Security Practices cover all areas relevant to software security assurance • Each one is a ‘silo’ for improvement
Build “Your” Roadmap • Gap analysis: • Capturing scores from detailed assessments versus expected performance levels • Demonstrating improvement: • Capturing scores from before and after an iteration of assurance program build-out • Ongoing measurement • To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations
OWASP Projects Are Alive! • [timeline: 2001, 2003, 2005, 2007 … 2010]
Upcoming local events • OWASP Chapter meetings: • 23-May - Brussels: • The Ghost of XSS Past, Present and Future – A Defensive Tale (by Jim Manico, Infrared Security) • 16-Jun - Brussels: • The OWASP AppSensor Project (by Colin Watson, Watson Hall Ltd) • How to become Twitter's admin: An introduction to Modern Web Service Attacks (by Andreas Falkenberg, RUB) • OWASP AppSec Europe – Dublin – Jun 7-9 • BruCON – Brussels – Sep 19-22 • OWASP BeNeLux – Luxembourg – Nov-30/Dec-1
Subscribe mailing list • www.owasp.be • Keep up to date!
Want to support OWASP? • Become member, annual donation of: • $50 Individual • $5000 Corporate • enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global steering activities…