Why Web Security Matters!
Philippe De Ryck
@PhilippeDeRyck
2 Years Ago in the “News” …
http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
The Agenda for Today
About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ Focus on (client-side) Web security
§ Responsible for the Web Security training program
§ Dissemination of knowledge and research results
§ Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
§ 7 attacker models, broken down into 10 capabilities
§ 13 attacks and their countermeasures
§ Overview of security best practices
Who Uses Portable Computers?
And Who Are You Most Afraid Of?
https://www.flickr.com/photos/jeepersmedia/16091161616/
http://deredactie.be/cm/vrtnieuws/binnenland/1.2163105
http://www.clickx.be/nieuws/134342/telenet-laat-je-surfen-via-de-modem-van-je-buren/
http://www.engadget.com/2010/07/01/starbucks-begins-offering-free-one-click-wifi-access-in-us-and-c/
What Happens when You Submit a Form
Browser: Open site → GET login.html
Server: 200 OK, HTML page
Browser: Fill out form → POST login.php (username: Philippe, password: ...)
Server: 200 OK, HTML page
Form Data on the Network
You May Think an Attacker Needs This …
While He Actually Only Needs This …
Network Sniffing Is Straightforward
§ Sniffing can be a completely passive attack
§ Just listen to the traffic and analyze it later
§ HTTPS protects you against network-based attacks
§ It encrypts the traffic, so that nobody else can read it
So Problem Solved Then?
http://arstechnica.com/security/2015/04/match-coms-http-only-login-page-puts-millions-of-passwords-at-risk/
There Is More besides Sniffing
Browser: Open site → GET index.html
Attacker in the network path: “Here you go” → 200 OK, fake HTML page
There Is More besides Sniffing
§ Instead of this …
§ You get this ...
SSL Stripping
§ Instead of this …
§ You get this …
SSL Stripping
Browser → attacker: GET http://websec.be
Attacker → websec.be: GET http://…
websec.be → attacker: 301 Moved (to https://…)
Attacker → websec.be: GET https://…
websec.be → attacker: 200 OK
Attacker rewrites the HTTPS URLs in the page to HTTP, then → browser: 200 OK, response page
Browser → attacker: POST http://www.websec.be (User: philippe & pass: pazzw0rd)
Attacker → websec.be: POST https://…
Preventing SSL Stripping with HSTS
Browser → websec.be: GET https://websec.be
websec.be → browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;
Browser (now remembers that websec.be must only be contacted over HTTPS) → websec.be: GET https://websec.be
websec.be → browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;
Browser → www.websec.be: GET https://www.websec.be
www.websec.be → browser: 200 OK, response page, Strict-Transport-Security: max-age=31536000;
HTTPS Is Really Worth the Effort
§ An attacker on the network level can
§ Read all unprotected traffic, regardless of which application
§ Modify content from the browser to the server
§ Modify content from the server to the browser
§ Remove HTTPS if only used for specific pages or form submissions
• This attack is called SSL Stripping and is very dangerous
§ Essentially take full control of the Web page
§ All of these attacks are invisible for most users
§ Even security experts fall for these if not paying attention
§ But a correct HTTPS deployment counters all of this …
How to Deploy HTTPS Correctly
§ Configure your HTTPS with a valid certificate
§ These used to be expensive, but now there are free options
§ Let’s Encrypt is backed by the EFF and offers free HTTPS certs
§ Deploy your entire website over HTTPS
§ Partial HTTPS still leaves you vulnerable to numerous attacks
§ The performance impact is very limited nowadays
§ Many major sites have switched to full HTTPS
§ Use state-of-the-art security techniques
§ HTTP Strict Transport Security (HSTS)
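An added example (not from the slides) of the mechanism the HSTS diagram and deployment advice rely on: a simplified model of the browser's HSTS memory, showing that the header is only honoured over HTTPS, that a later http:// navigation is upgraded before any packet leaves, and that the entry expires after max-age. The header value is the one the slides show; the HstsStore class, host names and timestamps are constructed for the example.

```python
# Added example, not from the slides: a minimal model of how a browser applies
# HTTP Strict Transport Security (RFC 6797) and why that defeats SSL stripping.
# The header value is the one the slides show; hosts and times are constructed.
from urllib.parse import urlsplit, urlunsplit

HSTS_HEADER = "Strict-Transport-Security: max-age=31536000;"

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if there is no usable max-age."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """The browser's per-host HSTS memory, learned from responses (no preload list)."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def observe_response(self, url, headers, now):
        # The header is only honoured on responses received over HTTPS, so a
        # stripping proxy that talks plain HTTP to the browser cannot plant an entry.
        parts = urlsplit(url)
        parsed = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 means "forget me"
        else:
            self.hosts[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url, now):
        """Before any packet leaves: http:// becomes https:// for a known host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts)[1:])
        return url

def demo(now=1_700_000_000):
    store = HstsStore()
    headers = dict([HSTS_HEADER.split(": ", 1)])
    store.observe_response("http://websec.be/", headers, now)  # over HTTP: ignored
    first = store.navigate("http://websec.be/login", now)      # still plain HTTP
    store.observe_response("https://websec.be/", headers, now)  # genuine HTTPS visit
    later = store.navigate("http://websec.be/login", now + 86400)  # upgraded
    expired = store.navigate("http://websec.be/login", now + 31536001)  # forgotten
    return first, later, expired
```

Note that the slides' header carries no includeSubDomains directive, which is why the diagram shows www.websec.be sending its own header: without it, the entry for websec.be protects only that exact host.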
Back to the Video with Weird Usernames
http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
Verifying a User’s Credentials
Browser → server: GET login.html
Server → browser: 200 OK, HTML page
Browser → server: POST login.php (username: Philippe, password: …)
Server: Lookup User → Check Password → Load User Info
Server → browser: 200 OK, HTML page
Communicating with a Database
§ Application data is generally stored in a database
§ Most common technology is a relational database
§ Can be queried using SQL (Structured Query Language)

ID | username      | password     | email                          | role
1  | Administrator | au28sj348aj2 | administrator@gmail.com        | admin
2  | Philippe      | secret       | philippe.deryck@cs.kuleuven.be | Editor
3  | …             | …            | …                              | …

§ When a user logs in, the application verifies his credentials
The query is built by string concatenation:
"SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"

Username: philippe   Password: secret
SELECT * FROM users WHERE username = 'philippe' AND password = 'secret'
→ Philippe – secret – philippe.deryck@cs.kuleuven.be – editor

Username: superman   Password: kryptonite
SELECT * FROM users WHERE username = 'superman' AND password = 'kryptonite'
→ (no matching row)

Username: administrator   Password: luckyguess
SELECT * FROM users WHERE username = 'administrator' AND password = 'luckyguess'
→ (no matching row)

Username: administrator'--   Password: luckyguess
SELECT * FROM users WHERE username = 'administrator'--' AND password = 'luckyguess'
(everything after -- is an SQL comment, so the password check disappears)
→ Administrator – au28sj348aj2 – administrator@gmail.com – admin

Username: ' OR '1' = '1'--   Password:
SELECT * FROM users WHERE username = '' OR '1' = '1'--' AND password = ''
→ Administrator – au28sj348aj2 – administrator@gmail.com – admin
→ Philippe – secret – philippe.deryck@cs.kuleuven.be – editor
→ …
SQL Injection Attacks Are Problematic
§ Injection problems are ranked #1 in the OWASP Top 10
§ SQL injection is a very common attack
https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
§ The problem stretches beyond login forms
§ Everywhere where data is used in a query, injection exists
§ The payload that is injected can be anything …
"UPDATE users SET email = '" + email + "' WHERE username = '" + username + "'"
Email: philippe@gmail.com   Username: philippe'; DROP DATABASE website;--
UPDATE users SET email = 'philippe@gmail.com' WHERE username = 'philippe'; DROP DATABASE website;--'
https://xkcd.com/327/
Prepared Statements against SQL Injection
§ An injection attack is caused by confusing data and code
§ The database cannot distinguish the query and the data anymore
§ It does not know what the intended behavior of the query was
§ Prepared statements declare the query up front
§ Data is inserted separately, and will never be interpreted as code
SELECT * FROM users WHERE username = ? AND password = ?
(the ? placeholders are not quoted; a quoted '?' would be a literal question mark)
Username: administrator'--   Password: luckyguess
Not this (string concatenation): SELECT * FROM users WHERE username = 'administrator'--' AND password = 'luckyguess'
With a prepared statement the database keeps the declared structure and compares username against the literal string administrator'-- and password against luckyguess; no row matches.
Preventing SQL Injection Attacks
§ The only correct defense is using Prepared Statements
§ Every language supports prepared statements
§ It is only a small effort to do this right in the application’s code
§ Escaping is often considered as an alternative defense
§ Dangerous characters (like ' and --) are replaced with safe versions
§ This approach is less effective and more error prone
§ Defending against SQL injection is technically not difficult
§ But it requires explicit action from the developer
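An added example (not from the slides) that runs the login check from the database slides and the prepared-statement fix side by side against an in-memory SQLite database. The rows and the inputs are the ones the slides walk through; the function names and the COLLATE NOCASE column are choices made for this example.

```python
# Added example, not from the slides: the login query from the slides, run against
# an in-memory SQLite database once by string concatenation and once as a prepared
# statement. The table rows and the inputs are the ones the slides walk through.
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    # COLLATE NOCASE mimics the case-insensitive comparison the slides rely on
    # (philippe matches Philippe); SQLite's default comparison is case-sensitive.
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT COLLATE NOCASE, "
                "password TEXT, email TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "Administrator", "au28sj348aj2", "administrator@gmail.com", "admin"),
        (2, "Philippe", "secret", "philippe.deryck@cs.kuleuven.be", "Editor"),
    ])
    return con

def login_concat(con, username, password):
    """Vulnerable: the input is pasted into the SQL text, so a quote in the
    input closes the string literal and whatever follows is parsed as SQL."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return con.execute(query).fetchall()

def login_prepared(con, username, password):
    """Fixed: the query structure is declared up front with ? placeholders and
    the values are bound separately, so administrator'-- is only a string to compare."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchall()

def demo():
    """Run both versions over the slides' inputs; returns {username: (concat, prepared)}."""
    con = make_db()
    inputs = [
        ("philippe", "secret"),              # legitimate login
        ("administrator", "luckyguess"),     # wrong password
        ("administrator'--", "luckyguess"),  # comment removes the password check
        ("' OR '1' = '1'--", ""),            # always-true condition matches every row
    ]
    return {u: (login_concat(con, u, p), login_prepared(con, u, p)) for u, p in inputs}
```

The stacked DROP DATABASE case from the UPDATE slide is not reproduced here because the sqlite3 driver executes one statement per call; the prepared form guards against it in exactly the same way.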
Why Web Security Matters!
A Quick Recap …
§ Mobile computers and Wifi networks have changed the Web
§ Enabler of astonishing scenarios and applications
§ But security has become a lot more important as well
§ Network-level attacks have become much easier
§ Anyone sitting nearby can target a wireless user
§ Users are not necessarily the victim, but their employer may be
§ HTTPS offers protection against network-level attacks
§ Realize that it is important, and switch everything to HTTPS
§ Deploy it correctly, and keep your configuration up to date
A Quick Recap …
§ SQL injection is a very old vulnerability
§ But it’s still very relevant today, as aptly illustrated in this talk
§ SQL injection can be very harmful
§ One of the major sources of data leaks
§ Can even give the attacker full control over your database
§ Preventing SQL injection is not difficult
§ Requires a bit of effort from the developer, but not very much
§ But you need to explicitly protect against these attacks
Managing Your Application’s Security
§ You are not a security expert, and nobody expects you to be
§ Be knowledgeable about basic Web security concepts
§ Be involved in building the threat model of your application
§ Be aware of the contemporary Web security landscape
§ Find trustworthy people for the technical security aspects
§ Instruct your contractor to explicitly take security into account
§ Ask for evidence that they are knowledgeable about security
§ Verify the list of technical goals with a knowledgeable person
Managing Your Application’s Security
§ Make security goals an explicit requirement
§ Contractors should deliver projects that follow current best practices
§ Plenty of resources available, for example from OWASP
§ Think about liability, and see if you can transfer it
§ Verify the security of your applications
§ Many companies can perform security reviews of your applications
§ Should be mandatory for critical systems
• Passing a security review as a final requirement before delivering a project
Why Web Security Matters!
Philippe De Ryck
philippe.deryck@cs.kuleuven.be
/in/philippederyck
https://distrinet.cs.kuleuven.be/events/websecurity/
@PhilippeDeRyck
