SlideShare uma empresa Scribd logo

IBWAS 2010: Web Security From an Auditor's Standpoint

Luis Grangeia
Luis Grangeia

In this talk I will attempt to share my experience of over 10 years conducting Web Application security assessments. I will present the current panorama of Web application security practices and talk about what are we doing well and how we can do better. Also, the Web 2.0 has sparked a “social revolution” of the Web, how can security benefit from that revolution? Presented at https://www.owasp.org/index.php/OWASP_IBWAS10

Tecnologia
1 de 47
Baixar para ler offline
Web Security From an Auditor's Standpoint What works, what doesn’t, what might. IBWAS „10 Luis Grangeia lgrangeia@sysvalue.com
About Me • IT Security Auditor since 2001 • First at SideStep, now at SysValue • Working mostly with Telco, Finance and Government sectors • Performed Web App Security Testing on: • Online banking • Stock brokerage • Online stores • Corporate Web sites • Internal Web apps
What will be covered today • Prologue: Web Application Security • Security Countermeasures, working or not? 1. SQL Injection 2. Cross Site Scripting 3. Virtual Keyboards • Welcome to the Social Web • Social Security, anyone? 
Prologue: Web Application Security Why are we talking about it?
Applications vs Infrastructure • Applications are the reason we go Online • Network infrastructure is just a means to that end • Infrastructure security is easy now (in comparison) Infrastructure security is now almost fully commoditized
The Web is Where it‟s At “The data used for this study shows that in 86% of all attacks, a weakness in a web interface was exploited.” UK Security Breach Investigations Report 2010 An Analysis of Data Compromise Cases, 7Safe
Web Application Security is Hard No turn key products No easy solutions Every Application is different … That‟s why it‟s fun 
Security Countermeasures What works and what doesn‟t.
1. SQL Injection We are winning the battle for eradication.
SQL Injection: Context • Still leading the OWASP Top Ten • Eight years ago it was much worse: • But the problem was not actively exploited • Not many knew how (good and bad guys alike) • There was lower hanging fruit • Now it‟s in the spotlight
SQL Injection: Analysis • Hard to detect: • Good error handling prevents confident detection by automated tools • Web Application Firewalls mask the problem (attack pattern blacklisting) • Easy to exploit: • Automated attacks are possible (SQL Injection worms) • Even Blind SQLi can be attacked easily (eg. SQL Power Injector) • This makes it a easier do make a point
SQL Injection: Countermeasures Prevention | Mitigation is easy: • Possible to easily distinguish between Data (variables) and Control (code): • Use parameterized queries / prepared statements • New Web Development platforms are already performing Database Abstraction • Makes it a Platform problem, not a Developer‟s problem
SQL Injection: Conclusions • Problems that are easy to exploit, are easy to understand by customers/developers • Problems that are understood are more likely to get solved • Especially when the solution is easy to understand and easy to implement
SQL Injection: Conclusions We will eradicate the problem, because we have understood it completely and have a working simple solution that addresses the root cause
2. Cross Site Scripting We risk losing this battle unless we address its root cause.
Cross Site Scripting: Context • Second in the OWASP Top Ten • Like SQL Injection, eight years ago it was much worse: • But the problem was not actively exploited • Not many knew how (good and bad guys alike) • There was lower hanging fruit • Now it‟s in the spotlight
Misconceptions abound (not just around Web developers, also around some parts of the security community) “Oh, it triggers an alert() box, is that it?” “The user must click on a link in order to trigger the XSS attack.” “Sure, this attack might steal our customers sessions, but we use second-level authentication for financial transactions, so we’re safe.”
Cross Site Scripting: Risks • Useful for realistic phishing attacks • Cross site request forgery “boosts” the impact of XSS instances • Web Applications are increasingly multi-domain: • Facebook “like” buttons • Google maps iframes • Google analytics • Advertising banners • Etc. • A good exploitation means total control of all aspects of the communication between victim and Application.
Cross Site Scripting: Analysis • (Somewhat) Easier to detect: • In fact, good Web App Scanners do it quite well, with low false positives and low false negatives • More complex instances are still hard to spot and may be missed • Hard to exploit effectively: • While easy to trigger, good proof of concept code can be hard to write • The attack always depends of the “anatomy” of the Web App
Proving the Impact of XSS • We‟re not doing our best • We must prove to the developers the true impact of the problem • It‟s not easy, but it pays off!
Cross Site Scripting: Countermeasures Prevention | Mitigation is hard: • Also, it is a problem of distinguishing between Data (variables) and Control (code) • But there is no way to clearly make that distinction in HTML / Javascript • Input / Output sanitization is the only way, but it is hard: • Escaping output is dependent of document context: • HTML Content Elements, Common Attributes, Javascript Data Values, HTML Style Properties, etc.
Cross Site Scripting: Countermeasures (cont.) • There is no possible way of addressing the root cause unless we change the protocol (won‟t happen): • Remember, the root cause isn‟t malicious input/output, it‟s mixing user supplied data with control code • HTML5 won‟t really help: • Actually XSS will turn into a feature in HTML5  • See HTML5‟s “Channel Messaging” and “Cross-document messaging” • In fairness, there is one thing that might help against XSS in HTML5: • Sandboxed iframes
Cross Site Scripting: Countermeasures (cont.) • The solution is complex, take it out of the hands of Developers: • Seriously, do you expect a developer to remember this? • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet • Incorporate good, context aware output filtering in development platforms with template systems: • Google‟s “Automatic Context-Aware Escaping” • Ivan Ristić‟s “Canoe” • How long before .NET and Java adoption? • In the meantime, use Microsoft‟s Web Protection Library, AntiXSS • Consider changes to the underlying protocol to promote better distinction of Code and Data (I won‟t go there, for now )
Cross Site Scripting: Conclusions • Security Problems that are: • Somewhat easy to detect, but… • Hard to prove their real impacts, and… • Have a difficult to execute and hard to understand solution… …will be swept under the carpet! And Cross site scripting falls squarely into this category.
Cross Site Scripting: Conclusion This is a platform and protocol problem that is not well understood by developers. We are fighting a losing battle, unless we spend time developing platform-wide solutions, and at the same time, as auditors, make better proof-of-concept code, to drive research forward.
3. Virtual Keyboards We‟re doing it wrong!
Virtual Keyboards: Context • Introduced around summer 2003 in Portugal • Implemented by most major online banks • Response to a specific threat: • Malware that logged keystrokes in order to steal credentials
Virtual Keyboards are obsolete since day one. Really. We can stop the madness.
Virtual Keyboards: Problems • Mitigates only a specific instance of an attack: • “Key-logging malware” as opposed to “online credential stealing malware” • Fails to look at the big picture • Result of bad/outdated threat assessment • No “half-decent” malware uses key-logging anymore • In fact, key-logging results in a lot of useless data for the attacker
Virtual Keyboards: Threat not mitigated • Form grabbing is the method of choice for grabbing credentials; • All credentials end up in a Web form • Some banks try to mask the POST‟ed credentials using Javascript encryption • doesn‟t really work, the key is in the previous HTTP response • Typical behavior (ex. W32/Qhost.JE): • Trojan injects a DLL into Internet Explorer • The DLL hooks HttpSendRequestA • The hook grabs POST data and uploads it to a FTP server All of this works with or without SSL, with or without a virtual keyboard.
Virtual Keyboards More of a problem than a solution: • Fails to protect against current attack methods • Gives a false sense of security • Introduce new attack vectors: • Shoulder surfing • Induces the user to choose a weaker (easier to “type”) password
Virtual Keyboards: Threats Mitigated (for completeness sake) To be fair, virtual keyboards protect against this: • Wireless keyboard sniffing • Use encryption, corded keyboards • Hardware key-loggers • Look at your hardware ports, don‟t leave computer unattended in insecure locations
Virtual Keyboards: Conclusion Don‟t be afraid to remove a security countermeasure that doesn‟t work. Educate the public so that this “security theater” is exposed.
The Social Web Revolution Social Security, anyone?
The Social Revolution – Facebook • Facebook connects over 500 million users • That‟s around 30% of all Internet users worldwide It‟s more than 7% of the World‟s Population (est.)
Before talking infosec… • Before talking about possible security uses for the social graph, we must be able to decentralize it • Too much power is concentrated on a single organization • Either use Facebook‟s graph alongside other tools, or build a distributed social graph altogether: • Possible and doable: check the Diaspora Project
How can security benefit from the social graph Facebook is already showing us how: • Facebook Messages: • Spam filtering by looking at your friend connections • Has the potential to be virtually foolproof mitigating spam. • There are still possible bumps down the road, but the idea has potential
Using the Social Graph to Improve SSL Warning: crazy idea ahead.
SSL is OK, but Already Shows Age Two roles of SSL/TLS: • Authenticating the endpoints • Providing transport integrity and confidentiality through encryption • The authentication is based on the trust of organizations that are organized in a hierarchy, originating in root CA‟s that are “imposed” on us
The confidence issue “Directly or indirectly, there are more than 650 different organizations that function as trusted CA‟s for either Internet Explorer or Firefox” (source: EFF SSL Observatory) All you need is to break the security of one to break the SSL model…
SSL: What are the threats • There are reports stating that MiTM attacks against SSL are being performed using certificates generated by rogue CAs: • By governments (espionage) • By Law Enforcement • “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” • Christopher Soghoian and Sid Stammy, April 2010 • “Law Enforcement Appliance Subverts SSL” • Wired Threat Level, March 24, 2010
Challenge: Defeating Local MiTM Attacks “You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” Abraham Lincoln
Defeating Local MiTM Attacks by “Friendsourcing” • Assuming no malicious entity is omnipotent on the Internet (not even governments): • SSL MiTM attacks will always be localized (to an ISP or a specific country) • So, in order to validate the authenticity of a Web site, one can request that an online friend (or a random group, or all of them) visits the same site and checks the certificate for us. • In geographically distinct locations • Using different computers and ISP‟s • We only authenticate if all (or most) our friends data matches up.
Defeating Local MiTM Attacks by “Friendsourcing” • The devil is in the details… • Just an idea for discussion, for now • Assumes we can securely authenticate friends and pass private messages along the social graph • Can be complemented by historic data: • “the certificate has changed even though the previous certificate had an expiry date well in the future” • The general idea is to create the possibility of a custom security model for authentication based on a Web of Trust, and not on a hierarchy of “Trusted Authorities” • There are endless opportunities for the social graph…
Thank You Q&A Luis Grangeia, SysValue lgrangeia@sysvalue.com

Recomendados

SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and FutureLuis Grangeia
 
Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Luis Grangeia
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug huntingKirill Ermakov
 

Recomendados

SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and FutureLuis Grangeia
 
Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Luis Grangeia
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug huntingKirill Ermakov
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Kirill Ermakov
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat Security Conference
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
On hacking & security
On hacking & security On hacking & security
On hacking & security Ange Albertini
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsJustin Warner
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer ForensicsLuis Grangeia
 
RSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do InfosecRSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do InfosecLuis Grangeia
 

Mais conteúdo relacionado

Mais procurados

BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Kirill Ermakov
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat Security Conference
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
On hacking & security
On hacking & security On hacking & security
On hacking & security Ange Albertini
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsJustin Warner
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 

Mais procurados (20)

BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_final
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
On hacking & security
On hacking & security On hacking & security
On hacking & security
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The Pros
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 

Destaque

RSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do InfosecRSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do InfosecLuis Grangeia
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Confraria Security And IT - End Point Security
Confraria Security And IT - End Point SecurityConfraria Security And IT - End Point Security
Confraria Security And IT - End Point SecurityLuis Grangeia
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && WirelessLuis Grangeia
 

Destaque (6)

Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
RSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do InfosecRSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do Infosec
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Confraria Security And IT - End Point Security
Confraria Security And IT - End Point SecurityConfraria Security And IT - End Point Security
Confraria Security And IT - End Point Security
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && Wireless
 

Semelhante a IBWAS 2010: Web Security From an Auditor's Standpoint

The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsn|u - The Open Security Community
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgerymorisson
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Web security
Web securityWeb security
Web securitydogangcr
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A PentesterNorthBayWeb
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
Supercharged graph visualization for cyber security
Supercharged graph visualization for cyber securitySupercharged graph visualization for cyber security
Supercharged graph visualization for cyber securityCambridge Intelligence
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptxDedy Hariyadi
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
21.06.2017 - KYOS Breakfast Event
21.06.2017 - KYOS Breakfast Event 21.06.2017 - KYOS Breakfast Event
21.06.2017 - KYOS Breakfast Event Kyos
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Uncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerUncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerIBM Security
 

Semelhante a IBWAS 2010: Web Security From an Auditor's Standpoint (20)

The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignments
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgery
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Web security
Web securityWeb security
Web security
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A Pentester
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Confidence web
Confidence webConfidence web
Confidence web
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Supercharged graph visualization for cyber security
Supercharged graph visualization for cyber securitySupercharged graph visualization for cyber security
Supercharged graph visualization for cyber security
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
21.06.2017 - KYOS Breakfast Event
21.06.2017 - KYOS Breakfast Event 21.06.2017 - KYOS Breakfast Event
21.06.2017 - KYOS Breakfast Event
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security
 
Uncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerUncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a Hacker
 

Último

H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Último (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

IBWAS 2010: Web Security From an Auditor's Standpoint

  • 1. Web Security From an Auditor's Standpoint What works, what doesn’t, what might. IBWAS „10 Luis Grangeia lgrangeia@sysvalue.com
  • 2. About Me • IT Security Auditor since 2001 • First at SideStep, now at SysValue • Working mostly with Telco, Finance and Government sectors • Performed Web App Security Testing on: • Online banking • Stock brokerage • Online stores • Corporate Web sites • Internal Web apps
  • 3. What will be covered today • Prologue: Web Application Security • Security Countermeasures, working or not? 1. SQL Injection 2. Cross Site Scripting 3. Virtual Keyboards • Welcome to the Social Web • Social Security, anyone? 
  • 4. Prologue: Web Application Security Why are we talking about it?
  • 5. Applications vs Infrastructure • Applications are the reason we go Online • Network infrastructure is just a means to that end • Infrastructure security is easy now (in comparison) Infrastructure security is now almost fully commoditized
  • 6.
  • 7. The Web is Where it‟s At “The data used for this study shows that in 86% of all attacks, a weakness in a web interface was exploited.” UK Security Breach Investigations Report 2010 An Analysis of Data Compromise Cases, 7Safe
  • 8. Web Application Security is Hard No turn key products No easy solutions Every Application is different … That‟s why it‟s fun 
  • 9. Security Countermeasures What works and what doesn‟t.
  • 10. 1. SQL Injection We are winning the battle for eradication.
  • 11. SQL Injection: Context • Still leading the OWASP Top Ten • Eight years ago it was much worse: • But the problem was not actively exploited • Not many knew how (good and bad guys alike) • There was lower hanging fruit • Now it‟s in the spotlight
  • 12. SQL Injection: Analysis • Hard to detect: • Good error handling prevents confident detection by automated tools • Web Application Firewalls mask the problem (attack pattern blacklisting) • Easy to exploit: • Automated attacks are possible (SQL Injection worms) • Even Blind SQLi can be attacked easily (eg. SQL Power Injector) • This makes it a easier do make a point
  • 13. SQL Injection: Countermeasures Prevention | Mitigation is easy: • Possible to easily distinguish between Data (variables) and Control (code): • Use parameterized queries / prepared statements • New Web Development platforms are already performing Database Abstraction • Makes it a Platform problem, not a Developer‟s problem
  • 14. SQL Injection: Conclusions • Problems that are easy to exploit, are easy to understand by customers/developers • Problems that are understood are more likely to get solved • Especially when the solution is easy to understand and easy to implement
  • 15. SQL Injection: Conclusions We will eradicate the problem, because we have understood it completely and have a working simple solution that addresses the root cause
  • 16. 2. Cross Site Scripting We risk losing this battle unless we address its root cause.
  • 17. Cross Site Scripting: Context • Second in the OWASP Top Ten • Like SQL Injection, eight years ago it was much worse: • But the problem was not actively exploited • Not many knew how (good and bad guys alike) • There was lower hanging fruit • Now it‟s in the spotlight
  • 18. Misconceptions abound (not just around Web developers, also around some parts of the security community) “Oh, it triggers an alert() box, is that it?” “The user must click on a link in order to trigger the XSS attack.” “Sure, this attack might steal our customers sessions, but we use second-level authentication for financial transactions, so we’re safe.”
  • 19. Cross Site Scripting: Risks • Useful for realistic phishing attacks • Cross site request forgery “boosts” the impact of XSS instances • Web Applications are increasingly multi-domain: • Facebook “like” buttons • Google maps iframes • Google analytics • Advertising banners • Etc. • A good exploitation means total control of all aspects of the communication between victim and Application.
  • 20. Cross Site Scripting: Analysis • (Somewhat) Easier to detect: • In fact, good Web App Scanners do it quite well, with low false positives and low false negatives • More complex instances are still hard to spot and may be missed • Hard to exploit effectively: • While easy to trigger, good proof of concept code can be hard to write • The attack always depends of the “anatomy” of the Web App
  • 21. Proving the Impact of XSS • We‟re not doing our best • We must prove to the developers the true impact of the problem • It‟s not easy, but it pays off!
  • 22. Cross Site Scripting: Countermeasures Prevention | Mitigation is hard: • Also, it is a problem of distinguishing between Data (variables) and Control (code) • But there is no way to clearly make that distinction in HTML / Javascript • Input / Output sanitization is the only way, but it is hard: • Escaping output is dependent of document context: • HTML Content Elements, Common Attributes, Javascript Data Values, HTML Style Properties, etc.
  • 23. Cross Site Scripting: Countermeasures (cont.) • There is no possible way of addressing the root cause unless we change the protocol (won‟t happen): • Remember, the root cause isn‟t malicious input/output, it‟s mixing user supplied data with control code • HTML5 won‟t really help: • Actually XSS will turn into a feature in HTML5  • See HTML5‟s “Channel Messaging” and “Cross-document messaging” • In fairness, there is one thing that might help against XSS in HTML5: • Sandboxed iframes
  • 24. Cross Site Scripting: Countermeasures (cont.) • The solution is complex, take it out of the hands of Developers: • Seriously, do you expect a developer to remember this? • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet • Incorporate good, context aware output filtering in development platforms with template systems: • Google‟s “Automatic Context-Aware Escaping” • Ivan Ristić‟s “Canoe” • How long before .NET and Java adoption? • In the meantime, use Microsoft‟s Web Protection Library, AntiXSS • Consider changes to the underlying protocol to promote better distinction of Code and Data (I won‟t go there, for now )
  • 25. Cross Site Scripting: Conclusions • Security Problems that are: • Somewhat easy to detect, but… • Hard to prove their real impacts, and… • Have a difficult to execute and hard to understand solution… …will be swept under the carpet! And Cross site scripting falls squarely into this category.
  • 26. Cross Site Scripting: Conclusion This is a platform and protocol problem that is not well understood by developers. We are fighting a losing battle, unless we spend time developing platform-wide solutions, and at the same time, as auditors, make better proof-of-concept code, to drive research forward.
  • 27. 3. Virtual Keyboards We‟re doing it wrong!
  • 28. Virtual Keyboards: Context • Introduced around summer 2003 in Portugal • Implemented by most major online banks • Response to a specific threat: • Malware that logged keystrokes in order to steal credentials
  • 29. Virtual Keyboards are obsolete since day one. Really. We can stop the madness.
  • 30. Virtual Keyboards: Problems • Mitigates only a specific instance of an attack: • “Key-logging malware” as opposed to “online credential stealing malware” • Fails to look at the big picture • Result of bad/outdated threat assessment • No “half-decent” malware uses key-logging anymore • In fact, key-logging results in a lot of useless data for the attacker
  • 31. Virtual Keyboards: Threat not mitigated • Form grabbing is the method of choice for grabbing credentials; • All credentials end up in a Web form • Some banks try to mask the POST‟ed credentials using Javascript encryption • doesn‟t really work, the key is in the previous HTTP response • Typical behavior (ex. W32/Qhost.JE): • Trojan injects a DLL into Internet Explorer • The DLL hooks HttpSendRequestA • The hook grabs POST data and uploads it to a FTP server All of this works with or without SSL, with or without a virtual keyboard.
  • 32. Virtual Keyboards More of a problem than a solution: • Fails to protect against current attack methods • Gives a false sense of security • Introduce new attack vectors: • Shoulder surfing • Induces the user to choose a weaker (easier to “type”) password
  • 33. Virtual Keyboards: Threats Mitigated (for completeness sake) To be fair, virtual keyboards protect against this: • Wireless keyboard sniffing • Use encryption, corded keyboards • Hardware key-loggers • Look at your hardware ports, don‟t leave computer unattended in insecure locations
  • 34. Virtual Keyboards: Conclusion Don‟t be afraid to remove a security countermeasure that doesn‟t work. Educate the public so that this “security theater” is exposed.
  • 35. The Social Web Revolution Social Security, anyone?
  • 36.
  • 37. The Social Revolution – Facebook • Facebook connects over 500 million users • That‟s around 30% of all Internet users worldwide It‟s more than 7% of the World‟s Population (est.)
  • 38. Before talking infosec… • Before talking about possible security uses for the social graph, we must be able to decentralize it • Too much power is concentrated on a single organization • Either use Facebook‟s graph alongside other tools, or build a distributed social graph altogether: • Possible and doable: check the Diaspora Project
  • 39. How can security benefit from the social graph Facebook is already showing us how: • Facebook Messages: • Spam filtering by looking at your friend connections • Has the potential to be virtually foolproof mitigating spam. • There are still possible bumps down the road, but the idea has potential
  • 40. Using the Social Graph to Improve SSL Warning: crazy idea ahead.
  • 41. SSL is OK, but Already Shows Age Two roles of SSL/TLS: • Authenticating the endpoints • Providing transport integrity and confidentiality through encryption • The authentication is based on the trust of organizations that are organized in a hierarchy, originating in root CA‟s that are “imposed” on us
  • 42. The confidence issue “Directly or indirectly, there are more than 650 different organizations that function as trusted CA‟s for either Internet Explorer or Firefox” (source: EFF SSL Observatory) All you need is to break the security of one to break the SSL model…
  • 43. SSL: What are the threats • There are reports stating that MiTM attacks against SSL are being performed using certificates generated by rogue CAs: • By governments (espionage) • By Law Enforcement • “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” • Christopher Soghoian and Sid Stammy, April 2010 • “Law Enforcement Appliance Subverts SSL” • Wired Threat Level, March 24, 2010
  • 44. Challenge: Defeating Local MiTM Attacks “You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” Abraham Lincoln
  • 45. Defeating Local MiTM Attacks by “Friendsourcing” • Assuming no malicious entity is omnipotent on the Internet (not even governments): • SSL MiTM attacks will always be localized (to an ISP or a specific country) • So, in order to validate the authenticity of a Web site, one can request that an online friend (or a random group, or all of them) visits the same site and checks the certificate for us. • In geographically distinct locations • Using different computers and ISP‟s • We only authenticate if all (or most) our friends data matches up.
  • 46. Defeating Local MiTM Attacks by “Friendsourcing” • The devil is in the details… • Just an idea for discussion, for now • Assumes we can securely authenticate friends and pass private messages along the social graph • Can be complemented by historic data: • “the certificate has changed even though the previous certificate had an expiry date well in the future” • The general idea is to create the possibility of a custom security model for authentication based on a Web of Trust, and not on a hierarchy of “Trusted Authorities” • There are endless opportunities for the social graph…
  • 47. Thank You Q&A Luis Grangeia, SysValue lgrangeia@sysvalue.com