Web Security
By John Staveley
DDDNorth 01/10/2016
https://uk.linkedin.com/in/johnstaveley/
@johnstaveley
Overview
Why Security?
– (case studies)
Who are the hackers?
How?
– (with solutions)
SecurityEssentials.sln
(https://github.com/johnstaveley/SecurityEssentials)
...and then on the server
Further resources
Summary
Questions
Who am I?
John Staveley
Mvc.net developer
Not a security expert!
Why Security? - Some headlines
ZdNet 2014, “Hundreds of millions of records have been stolen this year through hacks and data breaches as a result of poor, or flawed security.”
Davos 2015, “Every time we talked to a top 500 company about cyber-security, they'd say to us: 'talk to my technology guy', now the board of directors and the CEOs of the companies pay attention. There is a new sense of urgency” – Head of a security company
FSB 2013, 41% of small businesses are a victim of cyber crime.
Why Security? - Some example breaches
Sony – films, confidential email, payroll
Target – 110 million records lost including credit card details. Current cost $110m
Home Depot – 56m credit card, 53m email addresses
JPMorgan – 10s of millions of customers' data lost
BadUSB
iCloud celebrity pictures
Snapchat – 13Gb of data
Ebay – 145 million user records lost. $220m loss
Heartbleed
etc
Why Security? - and the rest...
Why Security?
Loss of reputation
Blacklisting
Litigation
Fines e.g. Data protection act, PCI compliance
Suicides (Ashley Madison)
Who are the hackers?
• Script kiddies
• Hacktivists
• Insiders
• Organised Crime – Russian Business Network
• Advanced Persistent Threat
Who are they? - hackers for hire
What we will/won't cover
• WILL:
  – Web application security (MVC)
  – DDOS
  – Social Engineering
• WON'T:
  – Physical security
  – Network security
  – Trojans, Worms, Viruses
  – IDS, Firewalls, Honey pots
  – Internal threats
  – Advanced persistent threats
Presentation Approach
• OWASP Top 10
  – Not for profit
  – Cover all technologies
  – Reviewed every 3 years
  – Helps you prioritise
• Chapter outline
  – What is the hack?
  – Who has been affected by it?
  – What are the mitigations/countermeasures?
  – Questions
• DEMO
  – SecurityEssentials.sln
1 – SQL Injection
SQL Injection – What is it?

// Vulnerable: user input concatenated straight into the SQL text
string strQry = "SELECT * FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
EXEC strQry

Put in username field: Admin' And 1=1 --
SELECT * FROM Users WHERE UserName='Admin' And 1=1 --' AND Password=''

Put in password field: '; DROP TABLE Users --
SELECT * FROM Users WHERE UserName='' AND Password=''; DROP TABLE Users --'

http://www.not-secure.com/products?Id=14
Havij
SQL Injection - Examples
• Sony Playstation 2011 - “Worst gaming community data breach of all-time.”
  – 77 million accounts affected
  – 12 million had unencrypted credit card numbers
  – Site was down for a month
• CyberVor, Aug 2014 – Used botnet to steal a billion passwords from 400,000 sites
SQL Injection - Countermeasures
• Assume all input is evil – validate everything
• Use an ORM like EF/NHibernate
• Use stored procedures
• Don't use EXEC sp_executesql @strQuery
• Reduce SQL account permissions
• Concept: Least Privilege
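The concatenated query from the slide above beside a parameterised SqlCommand, as an added example that is not from the talk or from SecurityEssentials; the connection string and the columns of the Users table are assumed.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Vulnerable: the input becomes part of the SQL text, so a value such as
    // "Admin' And 1=1 --" rewrites the statement instead of being compared to a column.
    public static bool LoginUnsafe(string connectionString, string userName, string password)
    {
        string strQry = "SELECT * FROM Users WHERE UserName='" + userName +
                        "' AND Password='" + password + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(strQry, conn))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                return reader.Read();
            }
        }
    }

    // Parameterised: the SQL text is a constant and the input travels as a typed
    // parameter, so quotes and comment markers inside it are just characters.
    // (Comparing a clear-text password in SQL is still wrong; the password slides
    // cover hashing. This method only shows the query shape.)
    public static bool UserExists(string connectionString, string userName)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // With an ORM the same protection comes for free: Entity Framework turns
    //   context.Users.Where(u => u.UserName == userName)
    // into a parameterised query. Either way, the SQL login in the connection
    // string should hold only the table permissions the application needs
    // (least privilege), so a successful injection cannot DROP TABLE.
}
```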
2 - Broken authentication and session management
• Password security
• Session Hijacking
• Weak Account Management
Password Security
• What is it? - Storage, Policy and entry
• Password storage
  – Plain text = No security (http://plaintextoffenders.com/)
  – Base64 encoding = No security
  – Avoid Encryption – can be broken
  – Use hashing (password = 5f4dcc3b5aa765d61d8327deb882cf99)
  – Common hashes can be googled
  – Use a salt
  – Don't use RC4, MD4, MD5 and SHA-1
  – HashCat
  – Use PBKDF2, SCrypt, Bcrypt, (Argon2)
• Password Policy:
  – Enforce minimum complexity
  – Do not reject special characters
  – Validate passwords against a list of known bad passwords
  – Do not allow personal information in the password
• Password Entry:
  – Don't disallow paste on a web page
Password Security - Examples
• Case Study: Richard Pryce
• Case Study: Ebay May 2014
  – Up to 145 million users affected
  – $200m loss
  – Poor password encryption blamed
• Case Study: LinkedIn 2012
  – 6.5 million user accounts stolen by Russian criminals
• SecurityEssentials.sln pwd: Hash, checking, strength
Session hijacking – The What
Session Hijacking – The how
• Concept – Man In The Middle (MITM)
• Opening up the browser
• CSRF
• Sensitive data exposure
• DEMO: Session stealing using document.cookie=""
Session Hijacking - Countermeasures
• Counter client code access of cookies (Anti-XSS): HttpOnly
• Counter auth token 'Sniffing' – Use HttpsOnly (MITM)
  <forms loginUrl="~/Account/Login" timeout="60" requireSSL="true" slidingExpiration="false"/>
• Private error logging/trace
• Reducing session timeout reduces exposure
• Track sessions - session invalidated during logoff?
• SecurityEssentials.sln web.config with transforms
Weak account management – What is it?
• Account enumeration, Owning the account
• Why?
  – Sensitive data
  – Admin privileges
• Registration
• Logon
• Remember me
• Password reset
• Change account details
• Logoff
• Call Centre
Weak account management – Case Study
• News contained details Sarah Palin used Yahoo mail
• Security Information
  – Birthday? – 2 minutes on Wikipedia
  – Zip Code? – Wasilla only has 2 postcodes
  – Where did you meet your spouse? – High School
• => Password reset
Weak account management – Case Studies
• Case Study: Find my phone in iCloud/iBrute 2014
Weak account management - Countermeasures (1)
• Account enumeration - Can occur on registration, logon or password reset forms e.g. Password Reset:
  – Success - “An account reset key has been emailed to you”
  – Failure - “That user account does not exist”
  – Success or Failure - “An account reset key has been emailed to you”
• Use Https ([RequireHttps]) to protect sensitive data (MITM)
Weak account management - Countermeasures (2)
• Brute force Logon - Do not lock out on incorrect logon – DOS
• Brute force Registration/Password reset:
  – CAPTCHA and/or throttling to prevent brute force
• Verify email address by sending an email
• Re-challenge user on key actions e.g. prompt for old password when entering new password
• Log and send email when any account state changes
Weak account management - Countermeasures (3)
• Password reset
  – Don't send new password out – DOS
  – Send email with expiring token (1 hour)
  – Security questions: Concise, Specific, has a large range of answers, low discoverability, constant over time
• Never roll your own membership provider or session management – use the default one in the framework
• Outsource the solution e.g. Azure Active Directory or OpenId
• SecurityEssentials.sln – Account Management process, anti-enumeration and brute force by throttling and CAPTCHA, logging, email verification, email on change, activity log, auto-complete off, increase logon time failure
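A password reset flow that applies the anti-enumeration, expiring-token and email-on-change points from the three countermeasure slides, as an added example that is not the SecurityEssentials account management code; AppUser, IUserStore and IMailer are assumed stand-ins for the project's own user store and mail sender.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;

// Assumed shapes for the example; the real project's store and mailer replace these.
public class AppUser
{
    public int Id { get; set; }
    public string Email { get; set; }
    public string ResetTokenHash { get; set; }
    public DateTime? ResetTokenExpiresUtc { get; set; }
}

public interface IUserStore
{
    AppUser FindByEmail(string email);
    AppUser FindByResetTokenHash(string tokenHash);
    void SetPassword(AppUser user, string newPassword);   // salted PBKDF2/bcrypt inside
    void Save(AppUser user);
}

public interface IMailer { void Send(string to, string subject, string body); }

public class AccountController : Controller
{
    private readonly IUserStore _users;
    private readonly IMailer _mailer;

    public AccountController(IUserStore users, IMailer mailer) { _users = users; _mailer = mailer; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ForgotPassword(string email)
    {
        AppUser user = _users.FindByEmail(email ?? string.Empty);
        if (user != null)
        {
            // 256-bit random token. Only its hash is stored, so a copy of the
            // database does not contain working reset links.
            var tokenBytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(tokenBytes); }
            string token = Convert.ToBase64String(tokenBytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
            user.ResetTokenHash = Sha256Hex(token);
            user.ResetTokenExpiresUtc = DateTime.UtcNow.AddHours(1);   // the slide's one hour
            _users.Save(user);

            string link = Url.Action("ResetPassword", "Account", new { token }, Request.Url.Scheme);
            _mailer.Send(user.Email, "Password reset",
                "A password reset was requested for your account. This link expires in one hour: " + link);
        }

        // Identical response whether or not the address exists, so the form
        // cannot be used to enumerate accounts. Throttle or CAPTCHA this action too.
        return View("ForgotPasswordConfirmation");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ResetPassword(string token, string newPassword)
    {
        AppUser user = _users.FindByResetTokenHash(Sha256Hex(token ?? string.Empty));
        if (user == null || user.ResetTokenExpiresUtc == null || user.ResetTokenExpiresUtc.Value < DateTime.UtcNow)
        {
            ModelState.AddModelError("", "This reset link is invalid or has expired.");
            return View();
        }

        _users.SetPassword(user, newPassword);
        user.ResetTokenHash = null;          // single use
        user.ResetTokenExpiresUtc = null;
        _users.Save(user);

        // "Email on change": the owner learns about a reset they did not request.
        _mailer.Send(user.Email, "Your password was changed",
            "If you did not do this, contact support immediately.");
        return RedirectToAction("Login");
    }

    private static string Sha256Hex(string value)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(value));
            return BitConverter.ToString(hash).Replace("-", string.Empty);
        }
    }
}
```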
3 – Cross Site Scripting (XSS)
Cross site scripting (XSS) – What is it?
www.mysite.com/index?name=Guest
Hello Guest!
www.mysite.com/index?name=<b>Guest</b>
Hello Guest!
www.mysite.com/index?name=Guest<script>alert('Gotcha!')</script>
Hello Guest!
www.mysite.com/index?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
www.mysite.com/index?name=<script>Insert evil script here</script>
Cross site scripting (XSS) – What is it?
Encoded data vs unencoded, e.g. &lt;b&gt;Guest&lt;/b&gt; vs <b>Guest</b>
Cookie theft!
<script>alert(document.cookie)</script>
Concept: Don't trust your users!
Reflected vs Persisted XSS
Attack Vector: Social Network, Email etc
Cross site scripting (XSS) – Examples
• Case Study: Legal Helpdesk
• Enabler:
  – Session stealing
  – DOS
  – Sensitive data exposure
• Ebay, Sep 2014
• About.com, Oct 2014 – 99.98% of links susceptible
  – Mar 2015 – still unpatched
Cross site scripting (XSS) - Countermeasures
Validate untrusted data – don't trust your users!
Sources of data – html post, urls, excel/csv import, import of database
Mvc3 - “A potentially dangerous Request.Form value was detected from the client”, except:
What if you want to post HTML? [AllowHtml]
Countermeasure: Encode reflected data
Mvc3 encodes Html by default
Except @Html.Raw(Model.MyStuff)
For 'safe' HTML fragments use WPL (AntiXSS) Library for HTML, CSS, URL, JavaScript, LDAP etc
Concept: Black vs White listing
SecurityEssentials: Incorporation of AntiXSS Library
Comparison with ASP.Net web forms
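The countermeasures above in code: an [AllowHtml] field white-listed through the AntiXSS sanitizer before storage, and the context-specific encoders for output. This is an added example, not the SecurityEssentials integration; CommentViewModel and the controller are assumed, and the Sanitizer type comes from the AntiXSS NuGet package.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security.AntiXss;     // AntiXssEncoder, part of System.Web since .NET 4.5
using Microsoft.Security.Application;  // Sanitizer, from the AntiXSS (WPL) library

public class CommentViewModel
{
    // Request validation would normally reject markup in any posted field;
    // [AllowHtml] opts this one property out because formatted comments are wanted.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentViewModel model)
    {
        // White-list sanitising: harmless tags such as <b> and <p> survive,
        // <script>, on* event handlers and javascript: URLs are removed.
        // Sanitise before storing so every later reader gets the safe fragment.
        string safeHtml = Sanitizer.GetSafeHtmlFragment(model.Body ?? string.Empty);
        SaveComment(safeHtml);   // storage assumed
        return RedirectToAction("Index");
    }

    // The reflected case from the "Hello Guest!" slide. Razor's @ViewBag.Name
    // HTML-encodes the value, so <script> arrives on the page as text.
    // @Html.Raw(ViewBag.Name) would emit it unencoded and reintroduce the bug.
    public ActionResult Greet(string name)
    {
        ViewBag.Name = name;
        return View();
    }

    private void SaveComment(string html) { /* persistence assumed */ }
}

// One value, several output contexts, each with its own encoder. Using the
// HTML encoder for a JavaScript string or a URL leaves gaps an attacker can use.
public static class OutputEncoding
{
    public static string ForHtmlBody(string s)
    {
        return AntiXssEncoder.HtmlEncode(s, false);
    }

    public static string ForHtmlAttribute(string s)
    {
        return AntiXssEncoder.HtmlAttributeEncode(s);
    }

    public static string ForUrlComponent(string s)
    {
        return AntiXssEncoder.UrlEncode(s);
    }

    public static string ForJavaScriptLiteral(string s)
    {
        return HttpUtility.JavaScriptStringEncode(s);
    }
}
```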
4 – Insecure Direct Object References
Insecure direct object references – what is it?
www.mysite.com/user/edit/12345

// Insecure: any logged-on user can change the id in the URL and edit anyone
public ActionResult Edit(int id)
{
    var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
    return View("Details", new UserViewModel(user));
}

// Secure
public ActionResult Edit(int id)
{
    var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
    if (user == null)
    {
        return HttpNotFound();
    }
    // Establish user has right to edit the details
    if (user.Id != UserIdentity.GetUserId())
    {
        // HandleErrorInfo takes the exception plus the controller and action names
        HandleErrorInfo error = new HandleErrorInfo(
            new Exception("INFO: You do not have permission to edit these details"), "User", "Edit");
        return View("Error", error);
    }
    return View("Edit", new UserViewModel(user));
}
Insecure direct object references - Examples
• Immobilise Jan 2015
• Citigroup, 2011
  – 200,000 customer details exposed
Insecure direct object references - Countermeasures
• Check the user has permission to see a resource
  – Don't expose internal keys externally
  – Map keys to user specific temporary non-guessable ones to prevent brute force
• Frequently overlooked:
  – Ajax calls
  – Obfuscation of paths does not work
  – Passing sensitive data in urls
• SecurityEssentials.sln User edit
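The "map keys to user specific temporary non-guessable ones" countermeasure as a per-session indirect reference map, added here as an example that is not part of SecurityEssentials; the repository call and ownership field in the controller are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Maps an opaque token issued to this session onto the real database key.
// Links carry the token, so the URL holds nothing a user can increment or guess,
// and a token from another session does not resolve at all.
public class IndirectReferenceMap
{
    private const string SessionKey = "IndirectRefs";
    private readonly HttpSessionStateBase _session;

    public IndirectReferenceMap(HttpSessionStateBase session) { _session = session; }

    private Dictionary<string, int> Map
    {
        get
        {
            var map = _session[SessionKey] as Dictionary<string, int>;
            if (map == null)
            {
                map = new Dictionary<string, int>();
                _session[SessionKey] = map;
            }
            return map;
        }
    }

    // Used when rendering links: returns the existing token for a key or mints one.
    public string ToIndirect(int realId)
    {
        foreach (KeyValuePair<string, int> kv in Map)
        {
            if (kv.Value == realId) return kv.Key;
        }
        string token = Guid.NewGuid().ToString("N");   // 122 random bits, not sequential
        Map[token] = realId;
        return token;
    }

    // Used on the way in: false for anything this session was never given.
    public bool TryResolve(string token, out int realId)
    {
        return Map.TryGetValue(token ?? string.Empty, out realId);
    }
}

public class UserController : Controller
{
    // Route: /user/edit/{id} where id is now the opaque token, not 12345.
    public ActionResult Edit(string id)
    {
        var refs = new IndirectReferenceMap(Session);
        int userId;
        if (!refs.TryResolve(id, out userId))
        {
            return HttpNotFound();   // same answer as for a record that does not exist
        }

        // Indirection hides keys; it does not replace the ownership check from the
        // slide, which must still run against the authenticated identity.
        var user = UnitOfWork.UserRepository.Get(e => e.Id == userId);   // repository assumed
        if (user == null || user.Id != UserIdentity.GetUserId())
        {
            return new HttpStatusCodeResult(403);
        }
        return View("Edit", new UserViewModel(user));
    }
}
```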
5 – Security Misconfiguration
Security Misconfiguration – What is it?
• Unnecessary features enabled e.g. FTP, SMTP on a web server, ports opened
• Default accounts and passwords still enabled and unchanged
• Errors reveal internal implementation e.g. Trace.axd
Security Misconfiguration - Examples
• Webcams, Nov 2014
• Secure Elmah, Google inurl:elmah.axd “error log for”
Security Misconfiguration - Countermeasures
• Encrypt connection string
• Server retail mode
• Ensure application is set for production – automate using MVC config transforms
• SecurityEssentials.sln web.config
6 – Sensitive Data Exposure
Sensitive Data exposure – What is it?
• Email addresses
• Contents of emails
• Passwords
• Auth token
• Credit card details
• Private pictures
Sensitive Data exposure - Examples
• Snapchat Jan 2014
  – Phone number upload feature brute forced
• Tunisian ISP
  – Login pages for Gmail, Yahoo, and Facebook
  – Pulls the username and password, and encodes it with a weak cryptographic algorithm
• Wifi Pineapple
Sensitive Data exposure - Countermeasures
• Use and enforce SSL/TLS – [RequireSSL]
• Google: “SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.”
• StartSSL.com or letsencrypt.org
• HSTS header and HSTS preload
• Encrypt sensitive data in storage
• Disclosure via URL
• Browser auto-complete
• Don't store it! e.g. CVV code
• SecurityEssentials forcing SSL/TLS, HSTS header, prevent server information disclosure, web.config
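Forcing TLS for the whole application and emitting the HSTS header from one place, as an added example rather than the SecurityEssentials web.config approach; the filter class name is this example's own.

```csharp
using System.Web;
using System.Web.Mvc;

// Sends Strict-Transport-Security on every HTTPS response so that, for max-age
// seconds, the browser upgrades any http:// link to this host to https:// itself
// and refuses to proceed past certificate errors.
public class HstsAttribute : ActionFilterAttribute
{
    // One year, all subdomains. Drop "preload" until the site is actually
    // submitted to the preload list; once listed it is very hard to undo.
    private const string HeaderValue = "max-age=31536000; includeSubDomains; preload";

    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        HttpResponseBase response = filterContext.HttpContext.Response;

        // Browsers ignore HSTS delivered over plain HTTP, so only add it on TLS.
        if (request.IsSecureConnection && response.Headers["Strict-Transport-Security"] == null)
        {
            response.AppendHeader("Strict-Transport-Security", HeaderValue);
        }
        base.OnResultExecuting(filterContext);
    }
}

// App_Start/FilterConfig.cs: global registration means no controller can forget it.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // RequireHttps redirects HTTP GET requests to the HTTPS URL and rejects
        // other verbs with 403, so a form never posts credentials in the clear.
        filters.Add(new RequireHttpsAttribute());
        filters.Add(new HstsAttribute());
    }
}

// Reducing server information disclosure belongs in web.config rather than code:
//   <httpRuntime enableVersionHeader="false" />   removes X-AspNet-Version
//   <customErrors mode="On" />                    hides stack traces from users
```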
7 – Missing Function Level Access Control
Missing Function Level Access Control – What is it?
• Checking the user has permission to be there
• www.mysite.com/admin (Requires admin role!)
Missing Function Level Access Control - Countermeasures
• Path level in web.config
• Method level attribute e.g. [Authorize(Roles="Admin")]
• Controller level Authorize attribute
• Any point in code using identity features in .net (System.Web.Security.Roles.IsUserInRole(userName, roleName))
• Use [NonAction]
• Don't show links on UI to unauthorised functions
• Don't make server side checks depend solely on information provided by the attacker
• Obfuscating links is no protection
• Least Privilege
• SecurityEssentials.sln unit tests
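The attribute-based countermeasures above arranged so that authorisation fails closed: a global AuthorizeAttribute makes "logged on" the default and public pages opt out explicitly. Added example, not from the talk or SecurityEssentials; the controllers and role names are assumed.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// App_Start/FilterConfig.cs. With AuthorizeAttribute registered globally a
// forgotten attribute denies access instead of silently granting it.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

// Controller level: the www.mysite.com/admin case. Every action here needs the
// Admin role. A <location path="admin"> rule in web.config covers the path too,
// but the attribute stays with the code when routes change.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        RebuildSearchIndex();
        return View();
    }

    // Public helper that must never be reachable by URL.
    [NonAction]
    public void RebuildSearchIndex()
    {
        // ... maintenance work ...
    }
}

public class ReportController : Controller
{
    [AllowAnonymous]                 // the visible, deliberate opt-out
    public ActionResult Public()
    {
        return View();
    }

    [Authorize(Roles = "Admin")]     // method level: tighter than the global "logged on"
    public ActionResult Finance()
    {
        return View();
    }

    // A decision inside an action. The user name comes from the authenticated
    // principal, never from a form field or query string the caller controls.
    public ActionResult Export(int reportId)
    {
        string userName = User.Identity.Name;
        bool canExport = Roles.IsUserInRole(userName, "Admin") || Roles.IsUserInRole(userName, "Auditor");
        if (!canExport)
        {
            return new HttpStatusCodeResult(403);
        }
        return View();
    }
}
```

Hiding the Finance link from non-admins is still worth doing for usability, but the attribute is what stops a user who types the URL.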
8 – Cross Site Request Forgery
Cross-Site request forgery - What is it?
• Attacker sends malicious link
• <img src="www.mysite.com/logoff" />
• Requires to be logged on
Cross-Site request forgery - Examples
TP-Link Routers, Mar 2014
• 300,000 routers reprogrammed
• DNS Servers changed
• Exploit known for over a year
Brazil 2011, 4.5m DSL routers reprogrammed
Cross-Site request forgery - Countermeasures
• Exploits predictable patterns, tokens add randomness to request
  @Html.AntiForgeryToken()
  <input name="__RequestVerificationToken" type="hidden" value="NVGfno5qe...... .......yYCzLBc1" />
• Anti-forgery token
  [ValidateAntiForgeryToken]
• NB: Ajax calls
• ASP.Net web forms
• SecurityEssentials (controller and ajax)
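The "NB: Ajax calls" point worked through: [ValidateAntiForgeryToken] reads the token from the posted form, which a JSON Ajax request does not have, so this attribute takes it from a header instead and validates it against the cookie half. Added example, not the SecurityEssentials controller/Ajax code; the header name, CartController and the jQuery snippet are this example's own.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string HeaderName = "RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Cookie half: set when @Html.AntiForgeryToken() rendered the page.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Form half, carried in a header because the body is JSON, not a form.
        string headerToken = request.Headers[HeaderName];

        // Throws HttpAntiForgeryException when either half is missing or the
        // pair does not match, so the action body never runs. A cross-site page
        // can make the browser send the cookie but cannot read the token to
        // put it in the header.
        AntiForgery.Validate(cookieToken, headerToken);
    }
}

public class CartController : Controller
{
    [HttpPost]
    [ValidateHeaderAntiForgeryToken]
    public JsonResult AddItem(int productId, int quantity)
    {
        // ... update the cart for the authenticated user ...
        return Json(new { ok = true });
    }
}

/* View side (Razor plus jQuery), as a comment because it is not C#. The hidden
   input rendered by @Html.AntiForgeryToken() supplies the value for the header:

   var token = $('input[name="__RequestVerificationToken"]').val();
   $.ajax({
       url: '/Cart/AddItem',
       type: 'POST',
       headers: { 'RequestVerificationToken': token },
       data: { productId: 42, quantity: 1 }
   });
*/
```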
9 - Using components with known vulnerabilities
• Case Study: WordPress, 2013
  – 3 Year old admin module
  – 10s of thousands of sites affected
  – No Brute force protection
• Possible effects:
  – Circumvent access controls
  – SQL Injection, XSS, CSRF
  – Vulnerable to brute force login
• NuGet – keep updated
• Apply Windows Update
• OWASP Dependency Checker
• SecurityEssentials.sln NuGet
10 - Unvalidated redirects and forwards – What is it?
• Attacker presents victim with an (obfuscated) url e.g. https://www.trustedsite.com/signin?ReturnUrl=http://www.nastysite.com/
• User logs into safe, trusted site
• Redirects to nasty site, malicious content returned
• Any redirecting url is vulnerable
• MVC3 vulnerable
Unvalidated redirects and forwards - Countermeasures
MVC4 problem solved (for login):
Form Overposting – What is it?
[HttpPost]
public ViewResult Edit(User user)
{ TryUpdateModel( … }

[HttpPost]
public ViewResult Edit([Bind(Include = "FirstName")] User user)
{ TryUpdateModel( … , propertiesToUpdate, … }
DDOS – What is it?
• Account lock out
• Site running slow in browser
• Server unable to fulfil a request
DDOS - Examples
• Case Study: Meetup, Mar 2014
  – $300
  – Site down for days
• ZdNet, 2015: Global DDOS attacks increase 90% on last year
DDOS – How and countermeasures
Protocol exploits such as ICMP, SYN, SSDP flood
XSS
Being popular
System exploits - covered by fixes from MS generally
Botnets
Ambiguous regex
Not closing connections
Filling up error log
Long running page
Outsource the solution - Cloudflare
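The "ambiguous regex" item from the list above (catastrophic backtracking, a single-request denial of service) with the .NET mitigation: a match timeout plus an input length bound. Added example, not from the talk; the patterns and limits are this example's own.

```csharp
using System;
using System.Text.RegularExpressions;

public static class SafeValidation
{
    // Ambiguous: the nested quantifier lets the engine split a run of "a"s into
    // groups in exponentially many ways, and on a non-matching input such as
    // thirty "a"s followed by "!" it tries all of them before failing.
    public static readonly Regex Ambiguous =
        new Regex(@"^(a+)+$", RegexOptions.None, TimeSpan.FromMilliseconds(100));

    // Same language, no ambiguity: each character can be consumed only one way.
    public static readonly Regex Unambiguous =
        new Regex(@"^a+$", RegexOptions.None, TimeSpan.FromMilliseconds(100));

    public static bool IsValid(Regex pattern, string input)
    {
        // Cheapest defence first: an attacker cannot feed a long input to a
        // validator that refuses long inputs.
        if (input == null || input.Length > 256) return false;

        try
        {
            return pattern.IsMatch(input);
        }
        catch (RegexMatchTimeoutException)
        {
            // The 100 ms budget set in the constructor was exceeded. Treat it as
            // invalid input and log it; the worker thread is free again instead
            // of spinning for seconds on one request.
            return false;
        }
    }
}

// Patterns built elsewhere (validation attributes, third-party code) inherit a
// process-wide default if one is set before any Regex is constructed, for
// example in Application_Start:
//   AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", TimeSpan.FromMilliseconds(200));
```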
Social Engineering – What is it?
• You are the weakest link in the security terrain, e.g. phishing, spear phishing (12 emails sent => 90% success rate).
• People want to help
• Nobody thinks they are a target
• Virtually no trace of the attack
Social Engineering - Examples
• Spam
• Shoulder surfing
• Found treasure (e.g. USB drive)
• Case study: Email password reset
• Denial of service and social engineering
Social Engineering - Countermeasures
• Less than 1% of security budget is spent on people
• Notifications
• Principle of least privilege
• Logging and two factor authentication
Securing your site – Code Cheat sheet (1)
• Don't trust your users!
• Use an ORM
• Use a strong account management process
• Captcha/throttling
• Defeat account enumeration
• Hash passwords, encrypt data
• Least Privilege
• Use and enforce SSL
• Encode all output
• Secure direct object references
• [Authorize]/[Authorize(Roles="")] users
• Conceal errors and trace
• Use antiforgery tokens
Securing your site – Code Cheat sheet (2)
• Keep components up to date
• Validate redirects
• Form overposting
• DDOS
• Headers
• Train staff in social engineering
...and once on the server
• Apply a good SSL policy on the server: http://www.ssllabs.com/projects/best-practises/
• Poodle, Freak, Drown
• Encrypt the connection string on the production server
• Enable retail mode on the production server
• Patch the server
• Run on your site to check security standards are enforced: https://www.ssllabs.com/ssltest/
Further Resources
• OWASP Top 10
• Pluralsight courses
• CEH Certification
• ZdNet
• SecurityNow podcast
Summary
• Hacks have been increasing in number and sophistication
• OWASP Top 10
• Specific solutions in Mvc (SecurityEssentials.sln)
Any Questions?
@johnstaveley

More Related Content

Updated Mvc Web security updated presentation

  • 1. Web Security By John Staveley DDDNorth 01/10/2016 https://uk.linkedin.com/in/johnstaveley/ @johnstaveley
  • 2. Overview Why Security? – (case studies) Who are the hackers? How? – (with solutions) SecurityEssentials.sln (https://github.com/johnstaveley/SecurityEssentials) ...and then on the server Further resources Summary Questions
  • 3. Who am I? John Staveley Mvc.net developer Not a security expert!
  • 4. Why Security? - Some headlines ZdNet 2014, “Hundreds of millions of records have been stolen this year through hacks and data breaches as a result of poor, or flawed security.” Davos 2015, “Every time we talked to a top 500 company about cyber-security, they'd say to us: 'talk to my technology guy', now the board of directors and the CEOs of the companies pay attention. There is a new sense of urgency" – Head of a security company FSB 2013, 41% of small businesses are a victim of cyber crime.
  • 5. Why Security? - Some example breaches Sony – films, confidential email, payroll Target – 110 million records lost including credit card details. Current cost $110m Home Depot – 56m credit card, 53m email addresses JPMorgan – 10s of millions of customers data lost BadUSB ICloud celebrity pictures Snapchat – 13Gb of data Ebay – 145 million user records lost. $220m loss Heartbleed etc
  • 6. Why Security? - and the rest...
  • 7. Why Security? Loss of reputation Blacklisting Litigation ��Fines e.g. Data protection act, PCI compliance Suicides (Ashley Madison)
  • 8. Who are the hackers?  Script kiddies  Hacktivists  Insiders  Organised Crime – Russian Business Network  Advanced Persistent Threat
  • 9. Who are they? - hackers for hire
  • 10. What we will/won't cover  WILL:  Web application security (MVC)  DDOS  Social Engineering  WON'T:  Physical security  Network security  Trojans, Worms, Viruses  IDS, Firewalls, Honey pots  Internal threats  Advanced persistent threats
  • 11. Presentation Approach  OWASP Top 10  Not for profit  Cover all technologies  Reviewed every 3 years  Helps you prioritise  Chapter outline  What is the hack?  Who has been affected by it?  What are the mitigations/countermeasures?  Questions  DEMO  SecurityEssentials.sln
  • 12. 1 – SQL Injection
  • 13. SQL Injection – What is it?
  • 14. SQL Injection – What is it? string strQry = "SELECT * FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'"; EXEC strQry Put in username field: Admin' And 1=1 – SELECT * FROM Users WHERE UserName='Admin' And 1=1 --' AND Password='' Put in password field: '; DROP TABLE Users -- SELECT * FROM Users WHERE UserName='' AND Password=''; DROP TABLE Users –' http://www.not-secure.com/products?Id=14 Havij
  • 15. SQL Injection - Examples  Sony Playstation 2011 - “Worst gaming community data breach of all-time.”  77 million accounts affected  12 million had unencrypted credit card numbers  Site was down for a month  CyberVor, Aug 2014 – Used botnet to steal billion passwords from 400,000 sites
  • 16. SQL Injection - Countermeasures  Assume all input is evil – validate everything  Use an ORM like EF/NHibernate  Use stored procedures  Don't use EXEC sp_executesql @strQuery  Reduce SQL account permissions  Concept: Least Privilege
  • 17. 2 - Broken authentication and session management  Password security  Session Hijacking  Weak Account Management
  • 18. Password Security  What is it? - Storage, Policy and entry  Password storage  Plain text = No security (http://plaintextoffenders.com/)  Base64 encoding = No security  Avoid Encryption – can be broken  Use hashing (password = 5f4dcc3b5aa765d61d8327deb882cf99)  Common hashes can be googled  Use a salt  Don't use RC4, MD4, MD5 and SHA-1  HashCat  Use PBKDF2, SCrypt, Bcrypt, (Argon2)  Passwords Policy:  Enforce minimum complexity  Do not reject special characters  Validate passwords against a list of known bad passwords  Do not allow personal information in the password  Password Entry:  Don't disallow paste on a web page
  • 19. Password Security - Examples  Case Study: Richard Pryce  Case Study: Ebay May 2014  Up to 145 million users affected  $200m loss  Poor password encryption blamed  Case Study: LinkedIn 2012  6.5 million user accounts stolen by Russian criminals
  • 20. Password Security - Examples  SecurityEssentials.sln pwd: Hash, checking, strength
  • 22. Session Hijacking – The how  Concept – Man In The Middle (MITM)  Opening up the browser  CSRF  Sensitive data exposure  DEMO: Session stealing using document.cookie=""
  • 23. Session Hijacking - Countermeasures  Counter client code access of cookies (Anti-XSS): HttpOnly  Counter auth token 'Sniffing' – Use HttpsOnly (MITM)  <forms loginUrl="~/Account/Login" timeout="60" requireSSL="true" slidingExpiration="false"/>  Private error logging/trace  Reducing session timeout reduces exposure  Track sessions - session invalidated during logoff?  SecurityEssentials.sln web.config with transforms
  • 24. Weak account management – What is it?  Account enumeration, Owning the account  Why? – Sensitive data – Admin privileges  Registration  Logon  Remember me  Password reset  Change account details  Logoff  Call Centre
  • 25. Weak account management – Case Study
  • 26. Weak account management – Case Study  News contained details Sarah Palin used Yahoo mail  Security Information  Birthday?  2 minutes on Wikipedia  Zip Code?  Wallisa only has 2 postcodes  Where did you meet your spouse?  High School  => Password reset
  • 27. Weak account management – Case Studies  Case Study: Find my phone in iCloud/iBrute 2014
  • 28. Weak account management - Countermeasures (1)  Account enumeration - Can occur on registration, logon or password reset forms e.g. Password Reset:  Success - “An account reset key has been emailed to you”  Failure - “That user account does not exist”  Success or Failure - “An account reset key has been emailed to you”  Use Https ([RequireHttps]) to protect sensitive data (MITM)
  • 29. Weak account management - Countermeasures (2)  Brute force Logon - Do not lock out on incorrect logon – DOS  Brute force Registration/Password reset: – CAPTCHA and/or throttling to prevent brute force  Verify email address by sending an email  Re-challenge user on key actions e.g. prompt for old password when entering new password  Log and send email when any account state changes
  • 30. Weak account management - Countermeasures (3)  Password reset  Don't send new password out – DOS  Send email with expiring token (1 hour)  Security questions: Concise, Specific, has a large range of answers, low discoverability, constant over time  Never roll your own membership provider or session management – use the default one in the framework  Outsource the solution e.g. Azure Active Directory or OpenId  SecurityEssentials.sln – Account Management process, anti-enumeration and brute force by throttling and CAPTCHA, logging, email verification, email on change, activity log, auto-complete off, increase logon time failure
  • 31. 3 – Cross Site Scripting (XSS)
  • 32. Cross site scripting (XSS) – What is it? www.mysite.com/index?name=Guest Hello Guest! www.mysite.com/index?name=<b>Guest<b> Hello Guest! www.mysite.com/index?name=Guest<script>alert('Gotcha!')</script> Hello Guest! www.mysite.com/index?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real- xssattackexamples.com/";}</script> www.mysite.com/index?name=<script>Insert evil script here</script>
  • 33. Cross site scripting (XSS) – What is it? Encoded data vs unencoded e.g. &lt;b&gt;Guest&lt;b&gt; vs <b>Guest</b> Cookie theft! <script>alert(document.cookies)</script> Concept: Don't trust your users! Reflected vs Persisted XSS Attack Vector: Social Network, Email etc
  • 34. Cross site scripting (XSS) – Examples  Case Study: Legal Helpdesk  Enabler:  Session stealing  DOS  Sensitive data exposure  Ebay, Sep 2014  About.com, Oct 2014 – 99.98% of links susceptible – Mar 2015 – still unpatched
  • 35. Cross site scripting (XSS) - Countermeasures Validate untrusted data – don't trust your users! Sources of data – html post, urls, excel/csv import, import of database Mvc3 - “A potentially dangerous Request.Form value was detected from the client”, except: What if you want to post HTML? [AllowHTML] Countermeasure: Encode reflected data Mvc3 encodes Html by default Except @Html.Raw(Model.MyStuff) For 'safe' HTML fragments use WPL (AntiXSS) Library for HTML, CSS, URL, JavaScript, LDAP etc Concept: Black vs White listing SecurityEssentials: Incorporation of AntiXSS Library Comparison with ASP.Net web forms
  • 36. 4 – Insecure Direct Object References
  • 37. Insecure direct object references – what is it? www.mysite.com/user/edit/12345 // Insecure public ActionResult Edit(int id) { var user = UnitOfWork.UserRepository.Get(e => e.Id == id); return View("Details", new UserViewModel(user); } // Secure public ActionResult Edit(int id) { var user = UnitOfWork.UserRepository.Get(e => e.Id == id); // Establish user has right to edit the details if (user.Id != UserIdentity.GetUserId()) { HandleErrorInfo error = new HandleErrorInfo(new Exception("INFO: You do not have permission to edit these details")); return View("Error", error); } return View("Edit", new UserViewModel(user); }
  • 38. Insecure direct object references - Examples  Immobilise Jan 2015  Citigroup, 2011 – 200,000 customer details exposed
  • 39. Insecure direct object references - Countermeasures  Check the user has permission to see a resource – Don't expose internal keys externally – Map keys to user specific temporary non-guessable ones to prevent brute force  Frequently overlooked: – Ajax calls – Obfuscation of paths does not work – Passing sensitive data in urls  SecurityEssentials.sln User edit
  • 40. 5 – Security Misconfiguration
  • 41. Security Misconfiguration – What is it?  Unnecessary features enabled e.g. FTP, SMTP on a web server, ports opened  Default accounts and passwords still enabled and unchanged  Errors reveal internal implementation e.g. Trace.axd
  • 42. Security Misconfiguration - Examples  Webcams, Nov 2014  Secure Elmah, Google inurl:elmah.axd “error log for”
  • 43. Security Misconfiguration - Countermeasures  Encrypt connection string  Server retail mode  Ensure application is set for production – automate using MVC config transforms  SecurityEssentials.sln web.config
  • 44. 6 – Sensitive Data Exposure
  • 45. Sensitive Data exposure – What is it?  Email addresses  Contents of emails  Passwords  Auth token  Credit card details  Private pictures
  • 46. Sensitive Data exposure - Examples  Snapchat Jan 2014 – Phone number upload feature brute forced  Tunisian ISP – Login pages for Gmail, Yahoo, and Facebook – Pulls the username and password, and encodes it with a weak cryptographic algorithm  Wifi Pineapple
  • 47. Sensitive Data exposure - Countermeasures  Use and enforce SSL/TLS – [RequireSSL]  Google: “SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.”  StartSSL.com or letsencrypt.org  HSTS header and HSTS preload  Encrypt sensitive data in storage  Disclosure via URL  Browser auto-complete  Don't store it! e.g. CVV code  SecurityEssentials forcing SSL/TLS, HSTS header, prevent server information disclosure, web.config
  • 48. 7 – Missing Function Level Access Control
  • 49. Missing Function Level Access Control – What is it?  Checking the user has permission to be there  www.mysite.com/admin (Requires admin role!)
  • 50. Missing Function Level Access Control - Countermeasures  Path level in web.config  Method level attribute e.g. [Authorize(Roles=”Admin”)]  Controller level Authorize attribute  Any point in code using identity features in .net (System.Web.Security.Roles.IsUserInRole(userName, roleName)  Use [NonAction]  Don't show links on UI to unauthorised functions  Don't make server side checks depend solely on information provided by the attacker  Obfuscating links is no protection  Least Privilege  SecurityEssentials.sln unit tests
  • 51. 8 – Cross Site Request Forgery
  • 52. Cross-Site request forgery - What is it?  Attacker sends malicious link  <img src=”www.mysite.com/logoff” />  Requires to be logged on
  • 53. Cross-Site request forgery - Examples TP-Link Routers, Mar 2014  300,000 routers reprogrammed  DNS Servers changed  Exploit known for over a year Brazil 2011, 4.5m DSL routers reprogrammed
  • 54. Cross-Site request forgery - Countermeasures  Exploits predictable patterns, tokens add randomness to request @Html.AntiForgeryToken() <input name="__RequestVerificationToken" type="hidden" value="NVGfno5qe...... .......yYCzLBc1" />  Anti-forgery token [ValidateAntiForgeryToken]  NB: Ajax calls  ASP.Net web forms  SecurityEssentials (controller and ajax)
  • 55. 9 - Using components with known vulnerabilities  Case Study: WordPress, 2013  3 Year old admin module  10s of thousands of sites affected  No Brute force protection  Possible effects:  Circumvent access controls  SQL Injection, XSS, CSRF  Vulnerable to brute force login  NuGet – keep updated  Apply Windows Update  OWASP Dependency Checker  SecurityEssentials.sln NuGet
  • 56. 10 - Unvalidated redirects and forwards – What is it?  Attacker presents victim with an (obfuscated) url e.g. https://www.trustedsite.com/signin?ReturnUrl=http://www.nastysite.com/  User logs into safe, trusted site  Redirects to nasty site, malicious content returned  Any redirecting url is vulnerable  MVC3 vulnerable
  • 57. Unvalidated redirects and forwards - Countermeasures MVC4 problem solved (for login):
  • 58. Form Overposting – What is it? [HttpPost] public ViewResult Edit(User user) { TryUpdateModel( … } [HttpPost] public ViewResult Edit([Bind(Include = "FirstName")] User user) { TryUpdateModel( … ,propertiesToUpdate, … }
  • 59. DDOS – What is it?  Account lock out  Site running slow in browser  Server unable to fulfil a request
  • 60. DDOS - Examples  Case Study: Meetup, Mar 2014 – $300 – Site down for days
  • 61. DDOS - Examples ZdNet, 2015: Global DDOS attacks increase 90% on last year
  • 62. DDOS – How and countermeasures Protocol exploits such as ICMP, SYN, SSDP flood XSS Being popular System exploits - covered by fixes from MS generally Botnets Ambiguous regex Not closing connections Filling up error log Long running page Outsource the solution - Cloudfare
  • 63. Social Engineering – What is it?  You are the weakest link in the security terrain. e.g phishing, spear phishing (12 emails sent => 90% success rate).  People want to help  Nobody thinks they are a target  Virtually no trace of the attack
  • 64. Social Engineering - Examples  Spam  Shoulder surfing  Found treasure (e.g. USB drive)  Case study: Email password reset  Denial of service and social engineering
  • 65. Social Engineering - Countermeasures  Less than 1% of security budget is spent on people  Notifications  Principle of least privilege  Logging and two factor authentication
  • 66. Securing your site – Code Cheat sheet (1)  Don't trust your users!  Use an ORM  Use a strong account management process  Captcha/throttling  Defeat account enumeration  Hash passwords, encrypt data  Least Privilege  Use and enforce SSL  Encode all output  Secure direct object references  [Authorize]/[Authorize(Roles=””)] users  Conceal errors and trace  Use antiforgery tokens
  • 67. Securing your site – Code Cheat sheet (2)  Keep components up to date  Validate redirects  Form overposting  DDOS  Headers  Train staff in social engineering
  • 68. ...and once on the server  Apply a good SSL policy on the server: http://www.ssllabs.com/projects/best-practises/  Poodle, Freak, Drown  Encrypt the connection string on the production server  Enable retail mode on the production server  Patch the server  Run on your site to check security standards are enforced https://www.ssllabs.com/ssltest/
  • 69. Further Resources
    – OWASP Top 10
    – Pluralsight courses
    – CEH Certification
    – ZdNet
    – SecurityNow podcast
  • 70. Summary
    – Hacks have been increasing in number and sophistication
    – OWASP Top 10
    – Specific solutions in Mvc (SecurityEssentials.sln)

Editor's Notes

  1. Ask who works as a developer? Who works using Mvc? Who has ever been hacked?
  2. http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/3/ http://www.bbc.co.uk/news/30925696 The World Economic Forum has issued a report that warns failing to improve cyber security could cost the global economy $3tn. http://www.fsb.org.uk/news.aspx?rec=8083 Cyber crime costs FSB members around £785 million per year; the average loss is £6000 per company. 20 per cent of members have not taken any steps to protect themselves from cyber crime.
  3. http://www.csoonline.com/article/2130877/data-protection/the-15-worst-data-security-breaches-of-the-21st-century.html http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/3/ Memos leaked from Sony which criticised members of the government. Target - U.S. sales were “meaningfully weaker.” The company’s chief information officer, tasked with internal security, resigned three months into the new year. iCloud - Over a hundred nude photos, some extremely explicit, were posted in total on the infamous discussion board 4chan. Snapchat - 13 gigabytes of data -- including photos and videos -- were pilfered by hackers, which eventually made its way to image sharing site 4chan. Ebay – emails and postal addresses.
  4. Most companies conceal the attacks or are unaware of them
  5. http://www.zdnet.com/article/hackers-for-hire-anonymous-quick-and-not-necessarily-illegal/ https://hackerslist.com/ Marketplace for people wanting to hire hackers, offers bounties. 500 hacking jobs have been put to the bid since the site's launch last year. Submitted anonymously by the site's users, hackers then seek to outbid each other to secure the work, which ranges from breaking into email accounts to taking down websites. The variety of jobs is far-ranging; from breaking into Gmail accounts to corporate email and taking down websites in revenge. Surprisingly, many jobs listed on the site are for the purpose of education -- with customers pleading for hackers to break into school systems in order to change grades. Other jobs include de-indexing pages and photos from search engines, acquiring client lists from competitors and retrieving lost passwords. There is a 'responsible use policy' on the website.
  6. http://xkcd.com/327/
  7. http://www.csoonline.com/article/2128432/data-protection/sony-apologizes—details-playstation-network-attack.html The initial attack was disguised as a purchase, so wasn't flagged by network security systems. It exploited a known vulnerability in the application server to plant software that was used to access the database server that sat behind the third firewall. http://www.scmagazine.com/researchers-discover-two-sql-injection-flaws-in-wordpress-security-plugin/article/369851/ Two SQL injection vulnerabilities in the All In One WordPress Security and Firewall plugin for blogging platform WordPress. The All In One WordPress Security and Firewall plugin “reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques,” according to WordPress.org. It has more than 400,000 downloads. http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/ http://www.business2community.com/tech-gadgets/russian-hackers-means-website-0979723#!bLWV8O The attack is performed by the bot finding any blank fields that can be typed into, such as comment boxes, searches and other blank boxes. The bot then starts working to see if the site can be hacked into and secure information compromised, such as: Names, Addresses, Passwords, Credit card numbers.
  8. http://youtu.be/pTDGz7vN3NE?t=12s
  9. http://www.independent.co.uk/news/fine-for-boy-who-hacked-into-pentagon-1274204.html 16 at the time, found guilty and fined £1,200. Got a D grade in A-level computer science; downloaded material about artificial intelligence and battlefield management systems. http://www.bbc.co.uk/news/technology-27503290 Not disclosed how the hack took place. No financial data was lost. Took 3 months to disclose the breach. http://en.wikipedia.org/wiki/2012_LinkedIn_hack All accounts were decrypted.
  10. https://haveibeenpwned.com/
  11. http://www.wired.com/2008/09/palin-e-mail-ha/
  12. http://www.wired.com/2008/09/palin-e-mail-ha/ Story posted on 4chan, the stronghold of the Anonymous griefer collective.
  13. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all Google account taken over and deleted, Twitter account used to tweet racist remarks, iPhone, iPad and MacBook remotely wiped. Could have used two factor authentication to prevent this. Google displays the last 4 digits of the CC number in clear; Apple uses the last 4 digits as security. Apple requires a billing address, which the hacker got from doing a whois search on his web domain. Apple issued a temporary password to the mail account despite the caller not being able to answer security questions. The Apple email was used to hack Gmail, which was used to reset the Twitter account. Every time you order pizza you give the delivery boy everything you need to reset your account and take over your life. Devices were wiped just to prevent him getting back in; everything was done for a 3 letter Twitter handle. The same process the hackers used has subsequently been verified on other accounts.
  14. http://uk.businessinsider.com/apple-fixes-security-flaw-in-find-my-iphone-software-2014-9
  15. http://uk.businessinsider.com/apple-fixes-security-flaw-in-find-my-iphone-software-2014-9 The Find My iPhone login page was vulnerable whereas the other logins were not; combining this with a list of common passwords enabled the hack. The speech that outlined the vulnerability took place at the Def Con conference in Russia on Aug. 30. http://anti-captcha.com/
  16. http://www.makeuseof.com/tag/ebay-security-breach-reconsider-membership/ http://www.zdnet.com/article/over-99-percent-of-about-com-links-vulnerable-to-xss-xfs-iframe-attack/ 98m monthly visitors. A security researcher disclosed Monday that "at least 99.88%" of all topic links and all domains and sub-domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks. These attacks are open to anyone. About.com have not responded even 3 months later. The search field on the main page is also affected.
  17. http://m.bbc.co.uk/news/technology-30686697 Immobilise is recommended by most of the UK police. Records held a person's name and address, as well as a list of valuables and a rough estimate of how much each item is worth. It is thought that more than four million people use the service. Fixed quickly. http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/ The hackers wrote a script that automatically repeated an insecure direct object reference attack tens of thousands of times to steal credit card information.
  18. http://www.bbc.co.uk/news/technology-30896765 Xbox and PlayStation gaming networks offline over Christmas 2014. A database of 14,241 people who signed up was captured, with usernames and passwords in plain text. The hack was made over AJAX.
  19. http://www.bbc.co.uk/news/technology-30121159 Russian based site, subsequently taken down, providing thousands of live feeds to web cams and baby monitors which still had the default passwords set. Older versions of the hardware had no password or a default password, and remote access was on by default. The admin of the site did not consider himself a hacker as he'd performed no hacking. The manufacturer changed the login process, requiring users to change the password when they first logged in. Foscam was the most commonly listed brand, followed by Linksys and then Panasonic. This is not the first time problems with Foscam cameras have been highlighted. In 2013, a family based in Houston, Texas revealed that they had heard a voice shouting lewd comments at their two-year old child coming out of their Foscam baby monitor. They provided a software fix for this.
  20. http://www.bbc.co.uk/news/technology-25572661 Usernames and phone numbers for 4.6 million Snapchat accounts have been downloaded by hackers. http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-and-passwords/12429/ The injected JavaScript is customized for each site's login form. It encodes the username and password with a weak crypto algorithm and passes them in a GET request to a non-working URL, with a randomly generated five character key added. In the Gmail example, you see this URL listed as http://www.google.com/wo0dh3ad https://www.youtube.com/watch?v=mf5ipnmvDxE
  21. http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-settings.html D-Link, Micronet, Tenda, TP-Link and other manufacturers affected. Administrative interfaces were accessible from the Internet, making them susceptible to brute-force password-guessing attacks. CSRF techniques to attack routers when their administration interfaces
  22. Meetup.com DDOS: http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/ In the time the servers were down 60000 meetups took place. Meetup refused to pay the small ransom as it believes doing so would make the perpetrators of the attacks demand more money. Meetup confirms it's now working with Cloudflare to help with the DDoS.
  23. DDOS ZdNet: http://www.zdnet.com/article/global-ddos-attacks-increase-90-percent-on-last-year/ Distributed denial-of-service (DDoS) attacks nearly doubled since 2013, with one campaign generating 106Gbps of malicious traffic. Causes: the exploitation of web vulnerabilities, the addition of millions of exploitable internet-enabled devices, and botnet building. The rise in IoT and networked devices increases the ability to attack. The United States and China continued as the lead source countries for DDoS traffic. Software-as-a-service and cloud-based technologies came in as the second most targeted industry.
  24. http://youtu.be/mwoXrF5N_F8?t=17m54s
  25. http://www.zdnet.com/article/badusb-big-bad-usb-security-problems-ahead/ Demoed at the Black Hat conference: an ordinary USB pen drive can be turned into an automated hacking tool. USB controller chips' firmware offers no protection from reprogramming. The exploit is currently zero-day. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer. The device can also spoof a network card and change the computer’s DNS setting to redirect traffic. A modified thumb drive or external hard disk can — when it detects that the computer is starting up — boot a small virus, which infects the computer’s operating system prior to boot. There's no effective way to detect a corrupted USB device. There are ways to fix this problem. First, USB chipset manufacturers can start hardening their firmware so it can't be easily modified. Security companies can start adding programs to check USB devices for unauthorized firmware alterations.
  26. http://xkcd.com/1354/
  27. https://www.ssllabs.com/projects/best-practices/ www.asafaweb.com