Some basic security controls you can (and should) implement in your web apps. Specifically this covers: 1 - Beyond SQL injection 2 - Cross-site Scripting 3 - Access Control

1. Big Security for Big Data 1
Big Security for Big Data
Ari Elias-Bachrach
Defensium llc
March 2014

2. Big Security for Big Data 2
About Me
Ari Elias-Bachrach
●
Application Security nerd, OWASP
fanboy
●
Help Development understand security
●
Help security understand development
●
Often get calls from developers that start
with “help!”

3. Big Security for Big Data 3
Your Data Is Important

4. Big Security for Big Data 4
This Talk Will Cover Some Important Security Controls
Beyond SQL Injection
Cross-Site Scripting
Access Control
<script>
//code...
</script>

5. Big Security for Big Data 5
For Years People Have Been Warned About SQL Injection
String id = Request.QueryString("SomeID")
string sql = "SELECT Product FROM myTable WHERE id
= '" + id + "'";
5'; drop table
myTable; #
SELECT Product FROM
myTable WHERE id = '5';
drop table myTable; #'

6. Big Security for Big Data 6
The Solution Is To Use Prepared Statements
String id = Request.QueryString("SomeID")
string sql = "SELECT Product FROM myTable WHERE id
= ?";
Statement = connection.prepareStatement(sql)
Statement.setString(1, id)

7. Big Security for Big Data 7
Many New RDBMS' Do Not Use SQL
Mongo does not use SQL, so it's not vulnerable to SQL
Injection.... right?

8. Big Security for Big Data 8
Many New RDBMS' Do Not Use SQL
The fundamental problem that led to SQL injection is the
lack of separation between commands and variables
Variables Command
Text Instructions
Not parsed Parsed

9. Big Security for Big Data 9
Mongo Can Still be Vulnerable With PHP
$collection->find(array(
"username" => $_GET['username'],
"passwd" => $_GET['passwd']
));
username=user&passwd[$ne]=foo

10. Big Security for Big Data 10
Mongo Can Still be Vulnerable With PHP
$collection->find(array(
"username" => user,
"passwd" => array("$ne" => foo)
));
username=user&passwd[$ne]=foo

11. Big Security for Big Data 11
Separate Variables and Commands
Return to the fundamental rule:
Separate Variables and Commands
Strong typing can be one way to do this
$collection->find(array(
"username" => (string)$_GET['username'],
"passwd" => (string)$_GET['passwd']
));

12. Big Security for Big Data 12
Separate Variables and Commands
Whatever system you may be working on in the
future, remember this law:
Separate Variables and Commands

13. Big Security for Big Data 13
Separate Variables and Commands
--http://us.php.net/manual/en/mongodb.execute.php

14. Big Security for Big Data 14
Separate Variables and Commands

15. Big Security for Big Data 15
Cross-Site Scripting (XSS) Occurs When An Attacker Can
Execute Code on Your User's Systems
Attacker can make your users execute arbitrary
code as if it was sent from your website
Client side attack <script>
//code...
</script>

16. Big Security for Big Data 16
Cross-Site Scripting (XSS) Occurs When An Attacker Can
Execute Code on Your User's Systems
Bob
Hi Bob
Hi Request.QueryString("name")

17. Big Security for Big Data 17
Cross-Site Scripting (XSS) Occurs When An Attacker Can
Execute Code on Your User's Systems
name=<script>...</script>
Hi <script>...</script>
Http://server/page.jsp?name=<script>...</script>
This code is now executed in the domain of the
website that “sent” it, and it can access that page's
DOM

18. Big Security for Big Data 18
Cross-Site Scripting (XSS) Occurs When An Attacker Can
Execute Code on Your User's Systems
So What?
●
Change page contents
●
Steal Cookies
●
Redirect to another page
●
Change form actions

19. Big Security for Big Data 19
The Solution is To Properly Encode All Untrusted Outputs
< &lt;
> &gt;
& &amp;
' &#x27;
“ &quot;
/ &#x2F;

20. Big Security for Big Data 20
The Solution is To Properly Encode All Untrusted Outputs
<body>
Hi
&lt;script&gt;alert(document.
cookie);&lt;&#x2F;script&gt;
</body></html>
http://server/page.asp?name=<script>alert(document.cookie)</script>

21. Big Security for Big Data 21
Encoding is Context Dependent
<a href=”x” attribute=UNTRUSTED DATA>
< &lt;
' &#x27;
> &gt;
“ &quot;
& &amp;
/ &#x2F;
Can you execute code here
without using the six characters
encoded as part of HTML
encoding?
foo onmouseover=alert(document.cookie)

22. Big Security for Big Data 22
Encoding is Context Dependent
Different contexts call for different encoding rules
» <div>here</div> HTML context
» <tag attr=”here”> Attribute context
» <script>x='here'</script> JavaScript context
» <span style="property : here CSS context
» <a href=”http://here”> URL context

23. Big Security for Big Data 23
Encoding is Context Dependent
Different contexts call for different encoding rules
» <div>here</div> HTML context
» <tag attr=”here”> Attribute context
» <script>x='here'</script> JavaScript context
» <span style="property : here CSS context
» <a href=”http://here”> URL context
http://tinyurl.com/xss-prevent

24. Big Security for Big Data 24
A Good Encoding Library Can Save us A Lot of Time
Java:
Java Encoders Project
ESAPI
.net:
Microsoft Web Protection Library
PHP:
Reform
Ruby:
On By Default

25. Big Security for Big Data 25
Access Control Problems Usually Stem From Permissions
Creep
Every time a user needs to do something else, they ask for
(and get) more permissions

26. Big Security for Big Data 26
Use Role Based Access Control To Prevent Permission Creep
Bob
Group 1
Group 2

27. Big Security for Big Data 27
Use Role Based Access Control To Prevent Permission Creep
Bob
Group 1
Group 2

28. Big Security for Big Data 28
Conclusion
Beyond SQL Injection
Cross-Site Scripting
Role Based Access Control
<script>
//code...
</script>

29. Big Security for Big Data 29
Big Security for Big Data
Ari Elias-Bachrach
ari@defensium.com Defensium llc
@angelofsecurity http://www.defensium.com