Updated Mvc Web security updated presentation
- 1. Web Security
By John Staveley
DDDNorth 01/10/2016
https://uk.linkedin.com/in/johnstaveley/
@johnstaveley
- 2. Overview
Why Security?
– (case studies)
Who are the hackers?
How?
– (with solutions)
SecurityEssentials.sln
(https://github.com/johnstaveley/SecurityEssentials)
...and then on the server
Further resources
Summary
Questions
- 4. Why Security? - Some headlines
ZdNet 2014, “Hundreds of millions of records have been
stolen this year through hacks and data breaches as a result
of poor, or flawed security.”
Davos 2015, “Every time we talked to a top 500 company
about cyber-security, they'd say to us: 'talk to my technology
guy', now the board of directors and the CEOs of the
companies pay attention. There is a new sense of urgency" –
Head of a security company
FSB 2013, 41% of small businesses are a victim of cyber
crime.
- 5. Why Security? - Some example breaches
Sony – films, confidential email, payroll
Target – 110 million records lost including credit card details.
Current cost $110m
Home Depot – 56m credit card, 53m email addresses
JPMorgan – 10s of millions of customers data lost
BadUSB
ICloud celebrity pictures
Snapchat – 13Gb of data
Ebay – 145 million user records lost. $220m loss
Heartbleed
etc
- 7. Why Security?
Loss of reputation
Blacklisting
Litigation
Fines e.g. Data protection act, PCI compliance
Suicides (Ashley Madison)
- 8. Who are the hackers?
Script kiddies
Hacktivists
Insiders
Organised Crime – Russian Business Network
Advanced Persistent Threat
- 10. What we will/won't cover
WILL:
Web application security (MVC)
DDOS
Social Engineering
WON'T:
Physical security
Network security
Trojans, Worms, Viruses
IDS, Firewalls, Honey pots
Internal threats
Advanced persistent threats
- 11. Presentation Approach
OWASP Top 10
Not for profit
Cover all technologies
Reviewed every 3 years
Helps you prioritise
Chapter outline
What is the hack?
Who has been affected by it?
What are the mitigations/countermeasures?
Questions
DEMO
SecurityEssentials.sln
- 14. SQL Injection – What is it?
string strQry = "SELECT * FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
EXEC strQry
Put in username field: Admin' And 1=1 --
SELECT * FROM Users WHERE UserName='Admin' And 1=1 --' AND Password=''
Put in password field: '; DROP TABLE Users --
SELECT * FROM Users WHERE UserName='' AND Password=''; DROP TABLE Users --'
http://www.not-secure.com/products?Id=14
Havij
- 15. SQL Injection - Examples
Sony Playstation 2011 - “Worst gaming community data
breach of all-time.”
77 million accounts affected
12 million had unencrypted credit card numbers
Site was down for a month
CyberVor, Aug 2014 – Used a botnet to steal a billion passwords from 400,000 sites
- 16. SQL Injection - Countermeasures
Assume all input is evil – validate everything
Use an ORM like EF/NHibernate
Use stored procedures
Don't use EXEC sp_executesql @strQuery
Reduce SQL account permissions
Concept: Least Privilege
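An added example (Python with the standard sqlite3 module, not code from the presentation or from SecurityEssentials) that runs the slide's username payload against the concatenated query and against a parameterised one. The Users table and its rows are constructed for the demo.

```python
import sqlite3
from typing import Dict, List


def make_users_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Users table on the slide.
    Passwords are stored in clear only to keep the injection demo short;
    the password-storage slide explains why real systems must hash them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, UserName TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users (UserName, Password) VALUES (?, ?)",
        [("Admin", "correct horse battery staple"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The slide's pattern: user input is pasted into the SQL text, so it can rewrite the query."""
    query = ("SELECT UserName FROM Users WHERE UserName='" + username
             + "' AND Password='" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Countermeasure: the SQL text is fixed and the driver binds the values as data,
    so quotes, comment markers and keywords in the input never reach the parser as SQL.
    (An ORM or a stored procedure with typed parameters gives the same guarantee.)"""
    query = "SELECT UserName FROM Users WHERE UserName=? AND Password=?"
    return [row[0] for row in conn.execute(query, (username, password))]


def compare_logins() -> Dict[str, List[str]]:
    """Run the slide's username payload against both implementations."""
    conn = make_users_db()
    payload = "Admin' And 1=1 --"   # from the slide: closes the quote, comments out the password check
    return {
        # concatenated query becomes: ... WHERE UserName='Admin' And 1=1 --' AND Password=''
        "concatenated_with_payload": login_concatenated(conn, payload, ""),
        # parameterised query looks for a user literally named "Admin' And 1=1 --"
        "parameterised_with_payload": login_parameterised(conn, payload, ""),
        "parameterised_valid_login": login_parameterised(conn, "alice", "hunter2"),
        "parameterised_wrong_password": login_parameterised(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, rows in compare_logins().items():
        print(f"{case}: {rows}")
```

The concatenated version returns the Admin row with an empty password; the parameterised version returns nothing for the same input, because the payload is compared as a literal user name.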
- 17. 2 - Broken authentication and session management
Password security
Session Hijacking
Weak Account Management
- 18. Password Security
What is it? - Storage, Policy and entry
Password storage
Plain text = No security (http://plaintextoffenders.com/)
Base64 encoding = No security
Avoid Encryption – can be broken
Use hashing (password = 5f4dcc3b5aa765d61d8327deb882cf99)
Common hashes can be googled
Use a salt
Don't use RC4, MD4, MD5 and SHA-1
HashCat
Use PBKDF2, SCrypt, Bcrypt, (Argon2)
Passwords Policy:
Enforce minimum complexity
Do not reject special characters
Validate passwords against a list of known bad passwords
Do not allow personal information in the password
Password Entry:
Don't disallow paste on a web page
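Salted PBKDF2 storage and verification as an added Python example (not the presentation's or SecurityEssentials' code); it also reproduces the unsalted MD5 hash quoted on the slide to show why a salt matters. The iteration count is an assumption to be tuned per server.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: tune so one hash costs on the order of 100 ms on your server and raise
# it over time. The value here is an assumption for the demo, not a figure from the slides.
PBKDF2_ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """What the slide warns against: same input, same output, so the hash of a
    common password can simply be looked up."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record is self-describing
    (algorithm$iterations$salt$hash) so the work factor can be raised later
    without invalidating records already in the database."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False                      # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def salting_defeats_lookup(password: str) -> bool:
    """Two users with the same password get different stored records once salted,
    so a precomputed table of common hashes no longer applies."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("MD5('password') =", unsalted_md5("password"))   # the hash quoted on the slide
    record = hash_password("password")
    print("stored record:", record)
    print("verify correct:", verify_password("password", record))
    print("verify wrong:  ", verify_password("Password", record))
```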
- 19. Password Security - Examples
Case Study: Richard Pryce
Case Study: Ebay May 2014
Up to 145 million users affected
$200m loss
Poor password encryption blamed
Case Study: LinkedIn 2012
6.5 million user accounts stolen by Russian criminals
- 22. Session Hijacking – The how
Concept – Man In The Middle (MITM)
Opening up the browser
CSRF
Sensitive data exposure
DEMO: Session stealing using document.cookie=""
- 23. Session Hijacking - Countermeasures
Counter client code access of cookies (Anti-XSS): HttpOnly
Counter auth token 'Sniffing' – Use HttpsOnly (MITM)
<forms loginUrl="~/Account/Login" timeout="60" requireSSL="true" slidingExpiration="false"/>
Private error logging/trace
Reducing session timeout reduces exposure
Track sessions - session invalidated during logoff?
SecurityEssentials.sln web.config with transforms
- 24. Weak account management – What is it?
Account enumeration, Owning the account
Why?
– Sensitive data
– Admin privileges
Registration
Logon
Remember me
Password reset
Change account details
Logoff
Call Centre
- 26. Weak account management – Case Study
News contained details Sarah Palin used Yahoo mail
Security Information
Birthday?
2 minutes on Wikipedia
Zip Code?
Wasilla only has 2 postcodes
Where did you meet your spouse?
High School
=> Password reset
- 28. Weak account management - Countermeasures (1)
Account enumeration - Can occur on registration, logon or password reset forms e.g. Password Reset:
Success - “An account reset key has been emailed to you”
Failure - “That user account does not exist”
Success or Failure - “An account reset key has been emailed to you”
Use Https ([RequireHttps]) to protect sensitive data (MITM)
- 29. Weak account management - Countermeasures (2)
Brute force Logon - Do not lock out on incorrect logon – DOS
Brute force Registration/Password reset:
– CAPTCHA and/or throttling to prevent brute force
Verify email address by sending an email
Re-challenge user on key actions e.g. prompt for old password when entering new password
Log and send email when any account state changes
- 30. Weak account management - Countermeasures (3)
Password reset
Don't send new password out – DOS
Send email with expiring token (1 hour)
Security questions: Concise, Specific, has a large range of answers, low discoverability, constant over time
Never roll your own membership provider or session management – use the default one in the framework
Outsource the solution e.g. Azure Active Directory or OpenId
SecurityEssentials.sln – Account Management process, anti-enumeration and brute force by throttling and CAPTCHA, logging, email verification, email on change, activity log, auto-complete off, increase logon time on failure
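The password-reset flow from the countermeasure slides above (one uniform response, throttling, a 1-hour expiring token, email on change) as an added Python example; it is not code from the presentation or from SecurityEssentials. The account store, the outbox and the throttle limits (3 requests per 15 minutes) are constructed assumptions.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

RESET_TOKEN_TTL = 3600           # slide: token expires after 1 hour
THROTTLE_WINDOW = 15 * 60        # assumption: 15-minute window for the throttle
THROTTLE_MAX_REQUESTS = 3        # assumption: reset requests allowed per address per window
RESET_MESSAGE = "An account reset key has been emailed to you"   # slide's uniform message


class PasswordResetService:
    """Constructed in-memory stand-in for the account store and outbound mail.
    `clock` is injectable so expiry can be exercised without waiting."""

    def __init__(self, registered_emails: List[str], clock: Callable[[], float] = time.time):
        self.accounts = set(registered_emails)
        self.clock = clock
        self.token_store: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (email, expiry)
        self.recent_requests: Dict[str, List[float]] = {}     # email -> request timestamps
        self.outbox: List[Tuple[str, str]] = []               # (email, token) captured, not sent

    def _over_limit(self, email: str) -> bool:
        now = self.clock()
        recent = [t for t in self.recent_requests.get(email, []) if now - t < THROTTLE_WINDOW]
        recent.append(now)
        self.recent_requests[email] = recent
        return len(recent) > THROTTLE_MAX_REQUESTS

    def request_reset(self, email: str) -> str:
        # The throttle is applied before the account lookup and the reply is identical in
        # every branch, so neither the message nor the throttling reveals whether the
        # address is registered. (Send the mail from a queue so response timing stays uniform.)
        over_limit = self._over_limit(email)
        if not over_limit and email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()   # store a hash, never the token
            self.token_store[digest] = (email, self.clock() + RESET_TOKEN_TTL)
            self.outbox.append((email, token))
        return RESET_MESSAGE

    def redeem(self, token: str, new_password: str) -> Optional[str]:
        """Return the email whose password was reset, or None for an unknown/expired token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.token_store.pop(digest, None)        # single use: gone once looked up
        if entry is None or entry[1] <= self.clock():
            return None
        email, _ = entry
        # Hashing and persisting new_password is out of scope here; after doing so, log the
        # change and email the account holder, as the slide recommends for any state change.
        return email
```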
- 32. Cross site scripting (XSS) – What is it?
www.mysite.com/index?name=Guest
Hello Guest!
www.mysite.com/index?name=<b>Guest<b>
Hello Guest!
www.mysite.com/index?name=Guest<script>alert('Gotcha!')</script>
Hello Guest!
www.mysite.com/index?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
www.mysite.com/index?name=<script>Insert evil script here</script>
- 33. Cross site scripting (XSS) – What is it?
Encoded data vs unencoded
e.g. <b>Guest<b> vs <b>Guest</b>
Cookie theft!
<script>alert(document.cookie)</script>
Concept: Don't trust your users!
Reflected vs Persisted XSS
Attack Vector: Social Network, Email etc
- 34. Cross site scripting (XSS) – Examples
Case Study: Legal Helpdesk
Enabler:
Session stealing
DOS
Sensitive data exposure
Ebay, Sep 2014
About.com, Oct 2014 – 99.98% of links susceptible
– Mar 2015 – still unpatched
- 35. Cross site scripting (XSS) - Countermeasures
Validate untrusted data – don't trust your users!
Sources of data – html post, urls, excel/csv import, import of database
Mvc3 - “A potentially dangerous Request.Form value was detected from the client”, except:
What if you want to post HTML? [AllowHtml]
Countermeasure: Encode reflected data
Mvc3 encodes Html by default
Except @Html.Raw(Model.MyStuff)
For 'safe' HTML fragments use WPL (AntiXSS) Library for HTML, CSS, URL, JavaScript, LDAP etc
Concept: Black vs White listing
SecurityEssentials: Incorporation of AntiXSS Library
Comparison with ASP.Net web forms
- 37. Insecure direct object references – what is it?
www.mysite.com/user/edit/12345
// Insecure: the id from the URL is trusted, so any logged-on user can open any other user's details
public ActionResult Edit(int id)
{
var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
return View("Details", new UserViewModel(user));
}
// Secure
public ActionResult Edit(int id)
{
var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
// Establish user has right to edit the details; treat "not found" the same as "not yours"
// so the response does not reveal which ids exist
if (user == null || user.Id != UserIdentity.GetUserId())
{
// HandleErrorInfo takes the exception plus controller and action names ("User", "Edit" from the URL above)
HandleErrorInfo error = new HandleErrorInfo(new Exception("INFO: You do not have permission to edit these details"), "User", "Edit");
return View("Error", error);
}
return View("Edit", new UserViewModel(user));
}
- 38. Insecure direct object references - Examples
Immobilise Jan 2015
Citigroup, 2011
– 200,000 customer details exposed
- 39. Insecure direct object references - Countermeasures
Check the user has permission to see a resource
– Don't expose internal keys externally
– Map keys to user specific temporary non-guessable ones to
prevent brute force
Frequently overlooked:
– Ajax calls
– Obfuscation of paths does not work
– Passing sensitive data in urls
SecurityEssentials.sln User edit
- 41. Security Misconfiguration – What is it?
Unnecessary features enabled e.g. FTP, SMTP on a web server, ports opened
Default accounts and passwords still enabled and unchanged
Errors reveal internal implementation e.g. Trace.axd
- 43. Security Misconfiguration - Countermeasures
Encrypt connection string
Server retail mode
Ensure application is set for production – automate using MVC config transforms
SecurityEssentials.sln web.config
- 45. Sensitive Data exposure – What is it?
Email addresses
Contents of emails
Passwords
Auth token
Credit card details
Private pictures
- 46. Sensitive Data exposure - Examples
Snapchat Jan 2014
– Phone number upload feature brute forced
Tunisian ISP
– Login pages for Gmail, Yahoo, and Facebook
– Pulls the username and password, and encodes it with a weak
cryptographic algorithm
Wifi Pineapple
- 47. Sensitive Data exposure - Countermeasures
Use and enforce SSL/TLS – [RequireHttps]
Google: “SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.”
StartSSL.com or letsencrypt.org
HSTS header and HSTS preload
Encrypt sensitive data in storage
Disclosure via URL
Browser auto-complete
Don't store it! e.g. CVV code
SecurityEssentials forcing SSL/TLS, HSTS header, prevent server information disclosure, web.config
- 49. Missing Function Level Access Control – What is it?
Checking the user has permission to be there
www.mysite.com/admin (Requires admin role!)
- 50. Missing Function Level Access Control - Countermeasures
Path level in web.config
Method level attribute e.g. [Authorize(Roles="Admin")]
Controller level Authorize attribute
Any point in code using identity features in .NET (System.Web.Security.Roles.IsUserInRole(userName, roleName))
Use [NonAction]
Don't show links on UI to unauthorised functions
Don't make server side checks depend solely on information provided by the attacker
Obfuscating links is no protection
Least Privilege
SecurityEssentials.sln unit tests
- 52. Cross-Site request forgery - What is it?
Attacker sends malicious link
<img src="www.mysite.com/logoff" />
Requires to be logged on
- 53. Cross-Site request forgery - Examples
TP-Link Routers, Mar 2014
300,000 routers reprogrammed
DNS Servers changed
Exploit known for over a year
Brazil 2011, 4.5m DSL routers reprogrammed
- 54. Cross-Site request forgery - Countermeasures
Exploits predictable patterns, tokens add randomness to request
@Html.AntiForgeryToken()
<input name="__RequestVerificationToken" type="hidden" value="NVGfno5qe...... .......yYCzLBc1" />
Anti-forgery token
[ValidateAntiForgeryToken]
NB: Ajax calls
ASP.Net web forms
SecurityEssentials (controller and ajax)
- 55. 9 - Using components with known vulnerabilities
Case Study: WordPress, 2013
3 Year old admin module
10s of thousands of sites affected
No Brute force protection
Possible effects:
Circumvent access controls
SQL Injection, XSS, CSRF
Vulnerable to brute force login
NuGet – keep updated
Apply Windows Update
OWASP Dependency Checker
SecurityEssentials.sln NuGet
- 56. 10 - Unvalidated redirects and forwards – What is it?
Attacker presents victim with an (obfuscated) url e.g.
https://www.trustedsite.com/signin?ReturnUrl=http://www.nastysite.com/
User logs into safe, trusted site
Redirects to nasty site, malicious content returned
Any redirecting url is vulnerable
MVC3 vulnerable
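A return-URL check for the sign-in redirect described above, as an added Python example rather than code from the presentation or SecurityEssentials. The rules follow what ASP.NET MVC's Url.IsLocalUrl enforces (only a path starting with a single "/" or "~/" is accepted); the CRLF check is an addition of my own.

```python
from typing import Optional


def is_local_url(url: Optional[str]) -> bool:
    """Accept only application-relative paths. Anything carrying a scheme or a host,
    including protocol-relative forms such as //host and /\\host, is rejected."""
    if not url:
        return False
    if url.startswith("~/"):
        url = url[1:]                       # "~/x" is treated like "/x"
    if not url.startswith("/"):
        return False                        # "http://www.nastysite.com/", "nastysite.com", "javascript:..."
    if len(url) > 1 and url[1] in "/\\":
        return False                        # "//www.nastysite.com/" and "/\www.nastysite.com/"
    if "\r" in url or "\n" in url:
        return False                        # keep line breaks out of the Location header
    return True


def safe_return_url(return_url: Optional[str], fallback: str = "/") -> str:
    """Where the sign-in page may redirect after a successful login.
    `return_url` is the already-decoded query value the framework hands to the controller,
    so an encoded "%2F%2Fwww.nastysite.com" arrives here as "//www.nastysite.com" and is caught."""
    if return_url is not None and is_local_url(return_url):
        return return_url
    return fallback


if __name__ == "__main__":
    # The slide's example: trusted site asked to return to http://www.nastysite.com/
    print(safe_return_url("http://www.nastysite.com/"))     # falls back to "/"
    print(safe_return_url("/Account/Manage"))               # allowed: same-site path
```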
- 58. Form Overposting – What is it?
// Vulnerable: every posted field of User is bound, including ones the form never displays
[HttpPost]
public ViewResult Edit(User user)
{ TryUpdateModel( … }
// Countermeasure: whitelist the properties that may be bound from the request
[HttpPost]
public ViewResult Edit([Bind(Include = "FirstName")] User user)
{ TryUpdateModel( … ,propertiesToUpdate, … }
- 59. DDOS – What is it?
Account lock out
Site running slow in browser
Server unable to fulfil a request
- 62. DDOS – How and countermeasures
Protocol exploits such as ICMP, SYN, SSDP flood
XSS
Being popular
System exploits - covered by fixes from MS generally
Botnets
Ambiguous regex
Not closing connections
Filling up error log
Long running page
Outsource the solution - Cloudflare
- 63. Social Engineering – What is it?
You are the weakest link in the security terrain, e.g. phishing, spear phishing (12 emails sent => 90% success rate).
People want to help
Nobody thinks they are a target
Virtually no trace of the attack
- 64. Social Engineering - Examples
Spam
Shoulder surfing
Found treasure (e.g. USB drive)
Case study: Email password reset
Denial of service and social engineering
- 65. Social Engineering - Countermeasures
Less than 1% of security budget is spent on people
Notifications
Principle of least privilege
Logging and two factor authentication
- 66. Securing your site – Code Cheat sheet (1)
Don't trust your users!
Use an ORM
Use a strong account management process
Captcha/throttling
Defeat account enumeration
Hash passwords, encrypt data
Least Privilege
Use and enforce SSL
Encode all output
Secure direct object references
[Authorize]/[Authorize(Roles="")] users
Conceal errors and trace
Use antiforgery tokens
- 67. Securing your site – Code Cheat sheet (2)
Keep components up to date
Validate redirects
Form overposting
DDOS
Headers
Train staff in social engineering
- 68. ...and once on the server
Apply a good SSL policy on the server:
http://www.ssllabs.com/projects/best-practises/
Poodle, Freak, Drown
Encrypt the connection string on the production server
Enable retail mode on the production server
Patch the server
Run on your site to check security standards are enforced
https://www.ssllabs.com/ssltest/
- 70. Summary
Hacks have been increasing in number and sophistication
OWASP Top 10
Specific solutions in Mvc (SecurityEssentials.sln)
Editor's Notes
- Ask who works as a developer?
Who works using Mvc?
Who has ever been hacked?
- http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/3/
http://www.bbc.co.uk/news/30925696
The World Economic Forum has issued a report that warns failing to improve cyber security could cost the global economy $3tn
http://www.fsb.org.uk/news.aspx?rec=8083
Costs its members around £785 million per year
Average loss is £6000 per company
20 per cent of members have not taken any steps to protect themselves from a cyber crime
- http://www.csoonline.com/article/2130877/data-protection/the-15-worst-data-security-breaches-of-the-21st-century.html
http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/3/
Memos leaked from Sony which criticised members of the government
Target - U.S. sales were “meaningfully weaker.” The company’s chief information officer, tasked with internal security, resigned three months into the new year.
Icloud - Over a hundred nude photos, some extremely explicit, were posted in total on the infamous discussion board 4chan
Snapchat - 13 gigabytes of data -- including photos and videos -- were pilfered by hackers, which eventually made its way to image sharing site 4chan.
Ebay – emails and postal addresses
- Most companies conceal the attacks or are unaware of them
- http://www.zdnet.com/article/hackers-for-hire-anonymous-quick-and-not-necessarily-illegal/
https://hackerslist.com/
Marketplace for people wanting to hire hackers, offers bounties. 500 hacking jobs have been put to the bid since the site's launch last year. Submitted anonymously by the site's users, hackers then seek to outbid each other to secure the work, which ranges from breaking into email accounts to taking down websites. The variety of jobs is far-ranging; from breaking into Gmail accounts to corporate email and taking down websites in revenge. Surprisingly, many jobs listed on the site are for the purpose of education -- with customers pleading for hackers to break into school systems in order to change grades. Other jobs include de-indexing pages and photos from search engines, acquiring client lists from competitors and retrieving lost passwords. There is a 'responsible use policy' on the website.
- http://xkcd.com/327/
- http://www.csoonline.com/article/2128432/data-protection/sony-apologizes—details-playstation-network-attack.html
The initial attack was disguised as a purchase, so wasn't flagged by network security systems. It exploited a known vulnerability in the application server to plant software that was used to access the database server that sat behind the third firewall.
http://www.scmagazine.com/researchers-discover-two-sql-injection-flaws-in-wordpress-security-plugin/article/369851/
Two SQL injection vulnerabilities in the All In One WordPress Security and Firewall plugin for blogging platform WordPress. The All In One WordPress Security and Firewall plugin “reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques,” according to WordPress.org. It has more than 400,000 downloads.
http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
http://www.business2community.com/tech-gadgets/russian-hackers-means-website-0979723#!bLWV8O
The attack is performed by the bot finding any blank fields that can be typed into, such as comment boxes, searches and other blank boxes. The bot then starts working to see if the site can be hacked into and secure information compromised, such as: Names, Addresses, Passwords, Credit card numbers.
- http://youtu.be/pTDGz7vN3NE?t=12s
- http://www.independent.co.uk/news/fine-for-boy-who-hacked-into-pentagon-1274204.html
16 at the time, found guilty and fined £1,200. Got a D grade in A-level computer science, downloaded material about artificial intelligence and battlefield management systems
http://www.bbc.co.uk/news/technology-27503290
Not disclosed how the hack took place. No financial data was lost. Took 3 months to disclose the breach.
http://en.wikipedia.org/wiki/2012_LinkedIn_hack
All accounts were decrypted
- https://haveibeenpwned.com/
- http://www.wired.com/2008/09/palin-e-mail-ha/
- http://www.wired.com/2008/09/palin-e-mail-ha/
Story posted on 4Chan the stronghold of the Anonymous griefer collective
- http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all
Google account taken over and deleted, twitter account used to tweet racist remarks, iPhone, iPad and MacBook remotely wiped.
Could have used two factor authentication to prevent this.
Google display last 4 digits of CC number in clear, Apple uses the last 4 digits as security.
Apple requires billing address which the hacker got from doing a whois search on his web domain
Apple issues a temporary password to mail account despite the caller not being able to answer security questions.
Apple email was used to hack gmail, which was used to reset twitter account.
Every time you order pizza you give the delivery boy everything you need to reset your account and take over your life.
Devices were wiped just to prevent him getting back in, everything was done for a 3 letter twitter handle.
The same process the hackers used has subsequently been verified on other accounts.
- http://uk.businessinsider.com/apple-fixes-security-flaw-in-find-my-iphone-software-2014-9
- http://uk.businessinsider.com/apple-fixes-security-flaw-in-find-my-iphone-software-2014-9
Find my phone login page was vulnerable whereas the other logins were not, combining this with a list of common passwords enabled the hack. The speech that outlined the vulnerability took place at the Def Con conference in Russia on Aug. 30,
http://anti-captcha.com/
- http://www.makeuseof.com/tag/ebay-security-breach-reconsider-membership/
http://www.zdnet.com/article/over-99-percent-of-about-com-links-vulnerable-to-xss-xfs-iframe-attack/
98m monthly visitors. A security researcher disclosed Monday that "at least 99.88%" of all topic links and all domains and sub-domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks. These attacks are open to anyone.
About.com have not responded even 3 months later. Search field on main page is also affected
- http://m.bbc.co.uk/news/technology-30686697
Immobilise is recommended by most of the UK police. Exposed a person's name and address, as well as a list of valuables and a rough estimate of how much each item is worth. It is thought that more than four million people use the service. Fixed quickly.
http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/
The hackers wrote a script that automatically repeated an insecure direct object reference attack tens of thousands of times to steal credit card information.
- http://www.bbc.co.uk/news/technology-30896765
Xbox and PlayStation gaming networks offline over Christmas 2014
Database of 14,241 people who signed up was captured with usernames and passwords in plain text.
Hack was made over AJAX
- http://www.bbc.co.uk/news/technology-30121159
Russian based site, subsequently taken down providing thousands of live feeds to web cams and baby monitors which still have the default passwords set.
Older versions of the hardware had no password or a default one, and remote access was on by default.
The admin of the site did not consider himself a hacker as he'd performed no hacking.
The manufacturer changed the login process, requiring users to change the password when they first logged in.
Foscam was the most commonly listed brand, followed by Linksys and then Panasonic.
This is not the first time problems with Foscam cameras have been highlighted. In 2013, a family based in Houston, Texas revealed that they had heard a voice shouting lewd comments at their two-year old child coming out of their Foscam baby monitor. They provided a software fix for this.
- http://www.bbc.co.uk/news/technology-25572661
usernames and phone numbers for 4.6 million Snapchat accounts have been downloaded by hackers
http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-and-passwords/12429/
Injected JavaScript is customized for each site's login form. It encodes the username and password with a weak crypto algorithm and sends them in a GET request to a non-working URL, with a randomly generated five-character key added. In the Gmail example, you see this URL listed as http://www.google.com/wo0dh3ad
https://www.youtube.com/watch?v=mf5ipnmvDxE
- http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-settings.html
D-Link, Micronet, Tenda, TP-Link and other manufacturers affected. Administrative interfaces accessible from the Internet, making them susceptible to brute-force password-guessing attacks. CSRF techniques to attack routers when their administration interfaces
- Meetup.com DDOS: http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/
In the time the servers were down 60000 meetups took place.
Meetup has refused to pay the small ransom as it believes doing so would make the perpetrators of the attacks demand more money.
Meetup confirms it’s now working with Cloudflare to help with the DDoS
- DDOS ZdNet: http://www.zdnet.com/article/global-ddos-attacks-increase-90-percent-on-last-year/
Distributed denial-of-service (DDoS) attacks nearly doubled since 2013.
One campaign generating 106Gbps of malicious traffic
The exploitation of web vulnerabilities, the addition of millions of exploitable internet-enabled devices, and botnet building.
Rise in IoT and networked devices increases the ability to attack
United States and China continued as the lead source countries for DDoS traffic
Software-as-a-service and cloud-based technologies, came in as the second most targeted industry
- http://youtu.be/mwoXrF5N_F8?t=17m54s
- http://www.zdnet.com/article/badusb-big-bad-usb-security-problems-ahead/
Demoed at black hat conf an ordinary USB pen drive can be turned into an automated hacking tool.
USB controller chips' firmware offers no protection from reprogramming
The exploit is currently zero-day
A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
A modified thumb drive or external hard disk can — when it detects that the computer is starting up — boot a small virus, which infects the computer’s operating system prior to boot.
There's no effective way to detect a corrupted USB device
There are ways to fix this problem. First, USB chipset manufacturers can start hardening their firmware so it can't be easily modified. Security companies can start adding programs to check USB devices for unauthorized firmware alterations.
- http://xkcd.com/1354/
- https://www.ssllabs.com/projects/best-practices/
www.asafaweb.com