
Securing Open Source Projects with OWASP Guide 2.0



  1. Securing Open Source Projects with OWASP Guide 2.0 By Andrew van der Stock April, 2005 vanderaj@owasp.org

  2. What is OWASP? • Open Web Application Security Project • Non-profit, volunteer driven organization • All members are volunteers • All work is donated by sponsors • Provide free resources to the community • Publications, Articles, Standards • Testing and Training Software • Local Chapters & Mailing Lists • Supported through sponsorships • Corporate support through financial or project sponsorship • Personal sponsorships from members

  3. OWASP Guide 2.0 • Three years in the making • Major new version • Complete from the ground re-write • Adopts OWASP Top 10 approach • Now has information on web services! • Currently: • Three times the length of the old standard • More than three times the amount of controls • Deals with nearly all web application security issues

  4. Developer standards • Threat Risk Modelling • Phishing • Credit Card Handling • Web Services • 18 new authentication controls • 11 new authorization controls • 12 new session management controls (including CSRF) • Error/Log/Audit • Data Validation • Interpreter Injection (includes LDAP and XML) • File System • Admin interfaces • Unicode/Locale/I18N • Buffer overflows • Cryptography • Privacy • Configuration • SQA • Deployment • Maintenance • Massive overhaul

  5. Current State • Easily more useful than 1.1.1 and Top 10 • Of the 28 chapters: • 4 are done: content finished, peer reviewed and edited • Most have more content than 1.1.1 and are useful • 7 are empty or incomplete • We need more volunteers: • Content authors • Technical Editors • Peer Reviewers • Helps if you can spel gud and no wat grama is

  6. Helping a FOSS project the right way • XMB as case study • 1.8 had over 12 public vulnerabilities in the time I was running it as my primary board • 1.9 was late, but I wanted to fix it so it was secure • Be or become part of the project • Work with the lifecycle • Start by harm minimization – fix the old project first • Fix and test • Refactor old crap out of existence

  7. Case Study: XMB Result • 1.8 has been retired • Too hard to fix due to PHP brain damage • Insufficient dev resources to fix • 1.9.1 is a high quality release • 1.9.1 has been out for 8 months so far without a public vulnerability • Far faster and more scalable than 1.8 • From my own extensive testing, 1.9.1 has a few weaknesses, but it should be safe from attack (for now!)

  8. Case study: phpBB • Tried to help the phpBB project just after 2.0.13 came out • Good motives • Shared my own infrastructure with it • Needed to test out OWASP 2.0 with PHP code and FOSS methodologies • Hundreds of thousands of boards, millions use phpBB • Bad motives • None • What happened next does not make me proud, but phpBB and their fan boys are more than 50% to blame

  9. What happened • I’d like to show you my original post • But they deleted it • Because if I reposted links to Bugtraq posts, that would be used by “hackers” • I was going to do a demo on phpBB 2.0.13 for you here as I found a few things • No time to get these issues fixed prior to this presentation • Very low inclination to help them as they will NOT take patches from the public

  10. More background • My second post was to area51 • Beware: Here be anoraks and trolls! • This became an absolute ****-fight • I was accused of wanting to fork phpBB (which the GPL allows), steal developers (why steal devs who missed delivery for so long AND are poor at security?), and all sorts of other bad motives • I responded in kind. Not one of my proudest moments

  11. I smell a rat! – An actual post • “LOL!!! There are different ways to become part of any team whatsoever. I'm beginning to smell a rat in this so-called 'code review'. Is it in actual fact a ploy to sneak in a phpBB fork through the back door? Is it really a pretext of doing a code review and when it's rejected by the legitimate dev team, all of a sudden turns up as phpBB "reviewed" or "improved", something like that? Just wondering :-)”

  12. How not to help • Don’t respond to the well meaning anoraks and fan boys • They are vocal and may even seem knowledgeable, but they don’t represent the developers • Don’t respond to the trolls • They are vocal but they cannot help • Don’t tell the trolls that they are trolls or even imply that they have roughly the IQ of a warm room. In Celsius. • They get really annoyed, and their whining overwhelms your message • Don’t educate the great unwashed • They really don’t care and will try to shoot you down

  13. How not to help • Don’t get angry • If you don’t tolerate fools gladly, don’t respond to them • Don’t get offended when the most offensive posts pop up • Hubris • When the developers finally responded, the mood was so negative that my chances of “helping” were negligible

  14. What happens back in the real world?

  15. Well… what to do? • ajv: Stick to writing the standard and helping those who want to be helped • phpBB: Grow up! • You have millions of users who rely on your software • You violate their trust and are directly responsible for all their lost data. • Particularly when you refuse help, and then pat yourselves on the back for getting rid of the help • ISPs and hosters will only take so many defacements before banning insecure crap. Don’t become that crap

  16. Demo Using OWASP Guide 2.0 with phpBB 2.0.13

  17. Ingredients • phpBB 2.0.13 • xAMP (Apache, MySQL, PHP) • Latest OWASP Guide 2.0 • Firefox and the web developer extension • Something like grep

  18. Threat Risk Model • Primary assets: • Reputation • User posts and attachments • Who are the motivated attackers? • Script kiddies • Defacers • Motivated attackers – rare • This attack session is more like a pen test than a structured security review • We will not find everything: ~ 5-25% • No time to do a proper weighting

  19. Authentication • Guide 2.0 has approximately 20 authentication controls • Only a fraction are relevant to BBS / Forum • Work through them systematically • Items to look for include: • Data validation • Crypto and Password storage • SQL and LDAP injections • Cookie and client-side session handlers • Infrastructure accounts used

  20. Authorization • Main aim of a pen-test: • Perform authenticated actions without authorization • Perform admin actions without authorization • Main aim of a security review: • Inspect coverage • Inspect centralized authorization checking code • Check error handling and pathways • Things to check for • Implicit trust in client side tokens (Cookies, headers, form fields, etc) • Coverage

  21. Session Management • Cryptographically secure session IDs • Session fixation controls (regenerate the ID on login; never accept an ID the server did not issue) • Check to see if an IP address change allows replay • Check to see if tampering with HTTP headers is noticed • HttpOnly cookie flag; blocking of TRACE and TRACK (cross-site tracing) • IFRAME exploits (_top) • Session Riding (CSRF) attack vectors: • Random page tokens • URL arguments • Lack of confirmations or undo
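The session controls on this slide, as an added example in modern PHP (7.0 or later, with the session extension). This is illustrative code written for this transcript, not phpBB's session handling: the function names, the `phpbb_`-free handler and the `delete post` action are assumptions. It sets the cookie and ID-handling directives the slide asks for, regenerates the ID at login so a planted (fixated) ID never becomes an authenticated one, and binds a random per-session token to every state-changing form to stop session riding.

```php
<?php
// Added example, not phpBB code. Assumes PHP >= 7.0; cookie_samesite needs >= 7.3
// (ini_set on an older engine simply returns false for it).
declare(strict_types=1);

// 1. Session ID hygiene, set before session_start().
function harden_session_config(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued (anti-fixation)
    ini_set('session.use_only_cookies', '1');  // no ?PHPSESSID=... in URLs or referers
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');   // not readable from script (limits XSS impact)
    ini_set('session.cookie_secure', '1');     // only sent over TLS
    ini_set('session.cookie_samesite', 'Lax'); // browser-side CSRF mitigation, defence in depth
}

// 2. On successful login: a fresh ID, so whatever ID the browser held before
//    authentication (possibly chosen by an attacker) is not carried over.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);               // true = destroy the old session data
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG, 256 bits
}

// 3. Session riding (CSRF): a random token bound to the session, emitted in
//    every state-changing form and compared in constant time on submission.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_hidden_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent); // constant-time compare
}

// 4. A state-changing handler: POST only, token required, no "confirm via GET".
//    Returns the HTTP status it would send; the deletion itself is elided.
function handle_delete_post(array $server, array $post): int
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;                            // GET must never change state
    }
    if (!csrf_check($post)) {
        return 403;                            // missing or wrong token: cross-site request
    }
    // ... delete the post on behalf of $_SESSION['user_id'] ...
    return 200;
}

harden_session_config();
session_start();
```

The order matters: the ini settings must precede `session_start()`, and `session_regenerate_id()` must run after the credential check succeeds, not before, or the attacker's fixated ID is simply replaced by one they can observe in the same way. The slide's IP-address check is deliberately absent; it breaks users behind proxies and mobile carriers without stopping an attacker who can already read the cookie.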

  22. Error/Log/Audit Handling • Error handling in phpBB is not good • Due to PHP 3.x compatibility • Log handling in phpBB is non-existent • No idea what happens in admin areas • No idea what happens during attacks • There is no audit trail within phpBB • No event management triggers (login, change password, logout, etc) • No triggers in the database • Could be argued that forum software doesn’t need audit trails

  23. Data validation • The MOST important control • GET, POST, Cookie, Environment (GPCE) and HTTP headers • PHP is notorious for mapping GPC straight into variables (register_globals: GPC -> $var). PHP 4.2 turned it off by default, but it stayed available until 5.4 • Many apps put the bad behavior back. NO! NO! NO! NO! • phpBB is one of them • What to look for? • Look for coverage • Look for validation libraries • Check error pathways • Check business rule validation • Look for system(), fopen(), shell_exec(), exec(), passthru() • Look for safe-mode choices within the code (see config as well)
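The "GPC -> $var" behaviour the slide warns against, beside the allow-list validation a reviewer would want to find instead. Added example for this transcript, not phpBB code; the handler names, the parameter schema and the sample request are assumptions. The first function reproduces what `register_globals = On` (or `extract($_REQUEST)`, which many apps used to put it back) does to a script that forgot to initialise a variable; the second names every accepted input, its type and its bounds, and refuses the request as a whole on any failure.

```php
<?php
// Added example, not phpBB code. PHP >= 7.0.
declare(strict_types=1);

// BAD: every request parameter becomes a local variable. $is_admin was never
// initialised, so ?post_id=7&is_admin=1 takes the admin branch.
function bad_view_post(array $request): string
{
    extract($request);                 // same effect as register_globals = On
    if (!empty($is_admin)) {
        return 'admin view';
    }
    return 'user view of post ' . ($post_id ?? 'none');
}

// GOOD: positive allow-list. Unknown names are dropped, known names are typed
// and bounded, arrays where scalars are expected are rejected, and the caller
// gets either a complete clean record or null, never partial data.
function validate_view_post(array $get): ?array
{
    $schema = [
        'post_id'   => ['type' => 'int',    'min' => 1, 'max' => PHP_INT_MAX, 'required' => true],
        'page'      => ['type' => 'int',    'min' => 1, 'max' => 10000,       'required' => false],
        'sort'      => ['type' => 'enum',   'values' => ['asc', 'desc'],      'required' => false],
        // search highlight: letters, digits, space, _ and -, at most 64 chars, valid UTF-8
        'highlight' => ['type' => 'string', 'pattern' => '/\A[\p{L}\p{N} _-]{0,64}\z/u', 'required' => false],
    ];

    $clean = [];
    foreach ($schema as $name => $rule) {
        if (!array_key_exists($name, $get)) {
            if ($rule['required']) {
                return null;           // missing mandatory input
            }
            continue;                  // optional input absent: fine
        }
        $raw = $get[$name];
        if (!is_string($raw)) {
            return null;               // ?post_id[]=1 style type confusion
        }
        switch ($rule['type']) {
            case 'int':
                $v = filter_var($raw, FILTER_VALIDATE_INT, [
                    'options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']],
                ]);
                if ($v === false) {
                    return null;
                }
                $clean[$name] = $v;    // now an int, not "7 UNION SELECT ..."
                break;
            case 'enum':
                if (!in_array($raw, $rule['values'], true)) {
                    return null;
                }
                $clean[$name] = $raw;
                break;
            case 'string':
                if (preg_match($rule['pattern'], $raw) !== 1) {
                    return null;       // also fails on invalid UTF-8 because of /u
                }
                $clean[$name] = $raw;
                break;
        }
    }
    return $clean;
}

// Constructed sample request: the attacker's is_admin is silently discarded,
// post_id comes back as int(42), and the unknown parameter never reaches code.
$sample = ['post_id' => '42', 'sort' => 'asc', 'is_admin' => '1'];
$clean  = validate_view_post($sample);   // ['post_id' => 42, 'sort' => 'asc']
$bad    = bad_view_post($sample);        // 'admin view'
```

The review questions from the slide map onto this directly: "coverage" means every handler has a schema like this and nothing reads `$_GET`/`$_POST` past it; "error pathways" means the `null` return actually stops the request rather than falling through with defaults.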

  24. Interpreter injection • phpBB has four interpreters: • HTML through templates (which use eval()) • PHP through eval() • SQL through the database layer • OS through fopen() and friends for optional template caching • Luckily, no LDAP or XML in phpBB 2.0.x • No such luck in 3.0! • XML used for Jabber and admin • LDAP used for authentication • Each of these has their own special challenges
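The SQL interpreter from the slide, shown the way phpBB 2.0-era code typically built queries (string concatenation, relying on `addslashes()`/magic quotes) next to the parameterised form. Added example for this transcript, not phpBB code; the PDO usage, the in-memory SQLite demonstration and the `' OR '1'='1` payload are constructed for illustration, and the table and column names are only borrowed for realism. The template/`eval()` interpreters on the slide have no safe equivalent to show here: the fix for them is not to feed user data into `eval()` at all.

```php
<?php
// Added example, not phpBB code. Requires PHP >= 7.0 with PDO and pdo_sqlite
// for the demo; with pdo_mysql, put charset=utf8mb4 in the DSN so that even
// emulated prepares escape against the right character set.
declare(strict_types=1);

// VULNERABLE: the value is spliced into the SQL text, so the SQL grammar is
// under the user's control. Escaping functions are charset dependent and were
// routinely skipped or doubled up when magic_quotes_gpc was involved.
function find_user_vulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT user_id, username, user_password FROM phpbb_users"
         . " WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the SQL text is constant; the value is sent as a bound parameter
// and is never parsed as SQL.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT user_id, username, user_password FROM phpbb_users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Identifiers and keywords (ORDER BY direction, column names) cannot be bound.
// Map user input through an allow-list; never concatenate it, even "escaped".
function list_posts(PDO $db, int $topicId, string $sortDir): array
{
    $dir  = $sortDir === 'desc' ? 'DESC' : 'ASC';
    $stmt = $db->prepare(
        "SELECT post_id, post_time FROM phpbb_posts WHERE topic_id = :t ORDER BY post_time $dir"
    );
    $stmt->bindValue(':t', $topicId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on an in-memory SQLite database (constructed data).
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT)');
    $db->exec("INSERT INTO phpbb_users VALUES (2, 'admin', 'hash-of-admin-pw')");

    $payload = "' OR '1'='1";                      // classic tautology injection
    return [
        // WHERE username = '' OR '1'='1'  -> every row matches, first one is admin
        'vulnerable' => find_user_vulnerable($db, $payload),
        // WHERE username = <the literal 11-char string>  -> no such user
        'hardened'   => find_user($db, $payload),   // null
    ];
}
```

When reviewing a code base for this control, `grep` for `query(` and `exec(` calls whose argument contains a `.` or an interpolated `$`; every hit that is not a bound parameter or an allow-listed identifier is a finding.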

  25. Canonicalization • The process of making Unicode and HTTP encodings “real” to the underlying application: resolving every encoded form to the single representation the application actually acts on, and only then validating it • Major issues include: • Double and n-deep encodings • UTF-8 and UTF-16 overlong representations • “Best effort” canonicalization (decoders that silently accept malformed input) • Buffer overruns (decoded data can be longer than the encoded form it was sized for) • Homographs

  26. File System • Objective is to ensure that file system access is as secure as possible • Things to look for include: • Sandbox / chroot jail out of bound inclusions • Defacement via new file creation • File system permissions (ACLs) • Minimalist permissions • Auditing • Abuse of file system access to run commands (either as a first or second order attack)
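The canonicalization and file-system slides together, as one added example: a user-supplied template name is decoded to a stable form, checked for invalid UTF-8 (which is where overlong sequences are rejected), validated against a positive allow-list, and only then turned into a path that is confirmed to lie inside the templates directory. This is illustrative code written for this transcript, not phpBB's template loader; the directory layout, the `.tpl` suffix, the decoding limit and the identifier pattern are assumptions. Homographs are not handled here beyond being excluded by the ASCII-only allow-list.

```php
<?php
// Added example, not phpBB code. PHP >= 7.0 with the mbstring extension.
declare(strict_types=1);

// Step 1: undo URL encoding until the value stops changing. A legitimate client
// never sends %25-wrapped ("double") encodings of a file name, so anything
// still changing after $maxRounds is treated as an attack and rejected (null).
function url_decode_fully(string $s, int $maxRounds = 3): ?string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            return $s;                 // stable: this is the canonical form
        }
        $s = $d;
    }
    return null;                       // %25252e... style n-deep encoding
}

// Step 2: resolve the path and require it to stay under the base directory.
// realpath() collapses "..", "//" and symlinks; the prefix check is done on
// the resolved result, never on the raw input.
function resolve_template(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.tpl');
    if ($candidate === false) {
        return null;                   // missing file or dangling symlink
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                   // resolved outside the sandbox (e.g. via a symlink)
    }
    return $candidate;
}

// Full pipeline: canonicalise, reject malformed input, allow-list, then resolve.
function safe_template_path(string $baseDir, string $rawName): ?string
{
    $name = url_decode_fully($rawName);
    if ($name === null || strpos($name, "\0") !== false) {
        return null;                   // n-deep encoding, or NUL byte truncation
    }
    if (!mb_check_encoding($name, 'UTF-8')) {
        return null;                   // overlong sequences (e.g. C0 AF for "/") and stray bytes
    }
    // Positive allow-list on the canonical value: a template name is a plain
    // identifier, so "..", "/", "%" and any non-ASCII form never get this far.
    if (preg_match('/\A[a-z0-9_]{1,32}\z/', $name) !== 1) {
        return null;
    }
    return resolve_template($baseDir, $name);
}

// Constructed inputs and the decision each one gets (path existence aside):
//   'viewtopic_body'           -> allow-listed, resolved under the base dir
//   '%2e%2e%2fconfig'          -> decodes to ../config, fails the allow-list
//   '%252e%252e/config'        -> decodes to ../config in two rounds, fails the allow-list
//   "%25252e"                  -> still changing after 3 rounds, rejected as n-deep
//   "\xC0\xAF"                 -> invalid (overlong) UTF-8, rejected
$decision = safe_template_path('/var/www/phpBB2/templates/subSilver', 'viewtopic_body');
```

The ordering is the point: decode first, validate the decoded value, and treat the `realpath()` containment check as defence in depth rather than as the primary control, because it only sees paths that already exist.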

  27. Buffer overflows • The current Guide has been brought up to date • Includes: • Heap, Stack, Integer, and Unicode overflows • A huge issue for people writing in dangerous languages • Use compiler features! Correct then fast • Not a huge issue for ASP.NET, PHP or J2EE programmers • Except if you call the OS

  28. Administrative Interfaces • Users are not admins • Admins are not users • REQUIRED BY LAW IN THE US • REQUIRED by ISO 17799 • To be effective, ensure that admin application uses completely different RDBMS users • Prefer separate servers and access control lists • Section revived from an earlier Top 10 document • Completely overhauled • Needs finishing

  29. Cryptography • Cryptography is hard • This new text presents best practices and items to look out for • Primary controls: • Use published standards • Use them well • Do not store secrets unless you have to • Inter-related with Privacy chapter • Partially complete, needs finishing

  30. Privacy • Objective is to ensure that the tracks left by an application are minimalist and safe (enough) • Major controls: • Laws in effect • Look for browser droppings (cookies, history, logs, etc) • The (in)-effectiveness of cache control • GET vs POST • What SSL really hides • New chapter inspired by a couple of paragraphs in the old Guide 1.1.1 • Partially complete, needs finishing

  31. Configuration • Objective: to ensure that an application is safe out of the box • Major controls: • Minimal attack surface area - what’s on by default • Least privilege file permissions • Packaging • Documentation • Code signing • New chapter, partially complete

  32. PHP Configuration • Look for safe-mode: • safe_mode • safe_mode_gid • safe_mode_include_dir • safe_mode_exec_dir • safe_mode_allowed_env_vars • safe_mode_protected_env_vars • open_basedir • disable_functions • disable_classes

  33. Software Quality Assurance • Bwahahahahahaha! • Testing Excuses • We don’t have enough devs to do that • That’s what betas are for • More eyes = fewer bugs • Suggest use of SimpleUnit and HTTPUnit • Include security tests

  34. Deployment • Safe to install out of the box • Applications should not require world writeable files • Minimum attack surface area • Your app should be safe to deploy even if it’s half way installed • PHP apps should: • work with or require safe-mode restrictions • Magic quotes is evil – Be one way or the other • Old GPC behavior – do not re-introduce it • phpBB: • Install/ contrib/ must go • Small window of opportunity to take over box during installation
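The PHP configuration and deployment checks from the last three slides, as one added pre-install self-check of the kind an installer or a hosting provider would run. This is illustrative code written for this transcript, not phpBB's installer; the set of directives, the message wording and the `install/`/`contrib/` directory names are assumptions taken from the slides. One caveat the slides predate: `safe_mode`, `register_globals` and `magic_quotes_*` were removed in PHP 5.4, and PHP itself documented safe mode as architecturally incorrect, so a modern deployment should rely on `open_basedir`, `disable_functions` and OS-level permissions rather than on safe-mode restrictions.

```php
<?php
// Added example, not phpBB code. PHP >= 7.0, run from the CLI as
//   php config_check.php /path/to/webroot
declare(strict_types=1);

// 'on', 'off', or 'absent' when the directive does not exist in this PHP build
// (ini_get() returns false for unknown directives, e.g. register_globals on 5.4+).
function ini_state(string $name): string
{
    $v = ini_get($name);
    if ($v === false) {
        return 'absent';
    }
    return filter_var($v, FILTER_VALIDATE_BOOLEAN) ? 'on' : 'off';
}

function check_php_config(): array
{
    $findings = [];

    // Must be Off: these re-create GPC -> $var behaviour, make escaping depend
    // on server configuration, or leak information to attackers.
    foreach (['register_globals', 'magic_quotes_gpc', 'magic_quotes_runtime',
              'allow_url_include', 'display_errors', 'expose_php'] as $d) {
        if (ini_state($d) === 'on') {
            $findings[] = "$d is On; turn it Off";
        }
    }
    if (ini_state('allow_url_fopen') === 'on') {
        $findings[] = 'allow_url_fopen is On; acceptable only if no include/fopen takes user input';
    }

    // Should be set: confine file access and the shell-spawning functions that
    // the data validation slide says to grep for.
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is unset; restrict it to the web root and the session/tmp dirs';
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is callable; add it to disable_functions unless the app needs it";
        }
    }

    // Session cookie hygiene from the session management slide.
    if (ini_state('session.cookie_httponly') !== 'on') {
        $findings[] = 'session.cookie_httponly is Off';
    }
    if (ini_state('session.use_only_cookies') !== 'on') {
        $findings[] = 'session.use_only_cookies is Off; session IDs may appear in URLs';
    }
    return $findings;
}

// Deployment slide: no world-writeable files, and the installer must be gone.
function check_deployment(string $webRoot): array
{
    $findings = [];
    foreach (['install', 'contrib'] as $dir) {
        if (is_dir("$webRoot/$dir")) {
            $findings[] = "$dir/ still present; remove it after installation";
        }
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        $mode = fileperms($f->getPathname());
        if ($mode !== false && ($mode & 0002)) {          // other-write bit
            $findings[] = $f->getPathname() . ' is world-writeable';
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $all = array_merge(check_php_config(), check_deployment($argv[1] ?? '.'));
    echo $all ? implode(PHP_EOL, $all) . PHP_EOL : 'No findings' . PHP_EOL;
    exit($all ? 1 : 0);
}
```

A non-zero exit code lets the check gate an automated deployment; the "small window of opportunity during installation" on the slide is closed by running this immediately after install and refusing to serve the board until `install/` is gone.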

  35. Maintenance • Be up front with users about your support plans • Even if there’s no reason to deploy, release 2-4 times a year • Refactor bad code • Pull up bug fixes from the next version (and vice versa) • Only do security and performance fixes in x.y.z releases • Consider using a “Windows Update” type of facility or at least a “Check current version”

  36. Where to go from here? • OWASP • Likely to finish around June if we’re lucky • You can get drafts and contribute now! • phpBB: • LART application • Need to train developers in secure coding techniques • Need to assist code review with the developers and implement fixes

  37. Resources • OWASP • http://www.owasp.org/ • This presentation can be found at: • http://www.greebo.net/owasp/secureossguide20.ppt • phpBB • http://www.phpBB.com/ • Firefox’s Web Developer • http://www.chrispederick.com/work/firefox/webdeveloper/ • Chris Shiflett’s PHP security web sites: • http://shiflett.org/ • http://phpsec.org/

  38. What you can do! • Don’t be phpBB (or ajv) • Download OWASP Guide 2.0 and read it • Use threat modeling to find the most important issues • Fix the problems in your applications now! • Security is not a one time shot: • Starts when you have the bright idea • Thinking Evil™ helps, but is not the entire solution • Ends when the last copy of your app is decommissioned
