Defending Web Applications
Introduction
• Who am I?
– Security assessor for ITSO-SPA
– Worked for TSB beginning March, 1999
• Technical support of national web applications
• Security testing
– Moved to ITSO October, 2012
– Am NOT a developer
• Wrote the TSB portal and first instances of defect tracking used by the Judiciary
Overview
Guidance for security controls
• Specifying baseline requirements
– “Lock a user account for 30 minutes after 10 invalid authentication attempts in a 30 minute period”
• Specifying “best practices”
– Store passwords as a salted hash
• Specifying security principles
– Never trust any input that comes from the client
Overview
• Authentication
– Login Page
– Passwords
– Password Storage
– Password Reset
• Session Management
– Session Management
– Session Token
– Cookies
• Specific Attacks
– Clickjacking
– Cross Site Request Forgery (CSRF)
– SQL Injection (SQLi)
– Cross-site Scripting (XSS)
• Configuration
– SSL
– HTTP Response Headers
– Miscellaneous
Who are our threats?
• Nation-states
• Political activists
• Motivated criminals – organized crime
• Attackers with no motive against the organization
• Script kiddies
• Automated attacks – worms, virus, Trojan horse
• Disgruntled staff
• End users
How do we defend against these varied threats?
Some basic principles
• Do not “roll your own”
– Do not create your own encryption algorithms
– Do use Web development frameworks when possible
– Do use a secure random number generator
• java.security.SecureRandom
• System.Security.Cryptography.RNGCryptoServiceProvider
• Never trust any input that comes from the client
• Never store secrets in plain text
• Don’t be helpful
• Employ a mechanism to detect important events
• Assume a potential attacker knows
• Assume eventual compromise
AUTHENTICATION
Defending Web Applications
Login Page
• System Use notification
• Only load login page over HTTPS
• Submit over HTTPS
• Do not echo password when entered
• Do not retain password in cache
• Provide consistent, standard error messages to prevent username enumeration
System Use notification
Load and submit login page over SSL
Do not echo or retain passwords
Login error messages
For example
• Invalid account, invalid password
– “Invalid username/password”
• Valid account, invalid password
– “Password is incorrect”
The second message confirms that the account exists; returning the same “Invalid username/password” text in both cases is what prevents username enumeration.
Passwords
• Complexity Requirements
– At least eight characters long
– No more than three repeated characters
– At least four alphabetic characters
– At least one number
– Changed every 180 days
Passwords
• Brute Force Protections
– Enforce a limit of 10 consecutive invalid access attempts by a user during a 30-minute time period
– Automatically lock the account for a minimum of 1 hour when the maximum number of unsuccessful attempts is exceeded
These considerations should be addressed anywhere in the application the user is asked to authenticate
Passwords
• Do not transmit the password in plain text
– The URL
– Logs
– Error messages
• Do not store in plain text
– Database
– Client-side
– Email
Password Storage
• Do store the password as a salted hash
• Do use a random number generator to create the salt
• Do use a salt that is the same size as the hash function's output
• Do use a secure hash, such as SHA256
• Do always hash on the server
• Do not use a salt more than once
• Do use a standard library, such as PBKDF2 or bcrypt, for Key Stretching
Password Storage – bcrypt
    import org.mindrot.jbcrypt.BCrypt;   // jBCrypt library

    public class BcryptHashingExample
    {
        public static void main(String[] args)
        {
            String originalPassword = "password";
            // gensalt(12): fresh random salt, work factor 2^12 rounds
            String generatedSecuredPasswordHash =
                BCrypt.hashpw(originalPassword, BCrypt.gensalt(12));
            System.out.println(generatedSecuredPasswordHash);
            // checkpw re-hashes using the salt and cost embedded in the stored string
            boolean matched = BCrypt.checkpw(originalPassword,
                generatedSecuredPasswordHash);
            System.out.println(matched);
        }
    }
Output:
$2a$12$WXItscQ/FDbLKU4mO58jxu3Tx/mueaS8En3M6QOVZIZLaGdWrS.pK
true
Password Reset
• Do not send the password to the user
• Do not disable the user’s account
• Do not let the user change the password after
answering security questions
• Do email a random, single-use token
• Do not send any user account information in the link
• Do expire the token
– After a set amount of time
– After use
– After a successful login
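The reset flow on this slide (random single-use token emailed in a link that carries no account data, expiring after a set time, after use and after a successful login), as an added example that is not part of the original deck. `PasswordResetFlow`, the 15-minute lifetime and the `example.invalid` link are assumptions for this illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # constructed "set amount of time"; the slide gives no figure


@dataclass
class ResetRecord:
    username: str
    expires_at: float


class PasswordResetFlow:
    """Hypothetical flow. Only a hash of each token is kept server-side, so a
    copy of the table does not hand out live reset links. `clock` is injected
    for testing."""

    def __init__(self, clock):
        self.clock = clock
        self._pending: Dict[str, ResetRecord] = {}   # sha256(token) -> record

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str) -> str:
        """Return the link to email. It carries only the random token: no
        username or account id. The account itself is left enabled."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = ResetRecord(
            username, self.clock() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/reset?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Consume the token. Returns the username whose password may now be
        set, or None when the token is unknown, already used or expired."""
        rec = self._pending.pop(self._digest(token), None)   # single use
        if rec is None or self.clock() > rec.expires_at:
            return None
        return rec.username

    def on_successful_login(self, username: str) -> None:
        """A normal login cancels any outstanding reset token for that user."""
        self._pending = {h: r for h, r in self._pending.items()
                         if r.username != username}
```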
SESSION MANAGEMENT
Defending Web Applications
Session Management
• Do use a Web development framework
• Do implement an inactivity and absolute timeout
• Do provide a means for the user to logout
• Do destroy the session server-side on logout or after timeout
• Do not allow concurrent logins from different workstations
Session ID
• Generated by the application
• Do renew after any privilege level change
• Do change the default name to prevent fingerprinting
• Do have a length greater than 20 bytes (160 bits)
• Do have sufficient entropy (randomness)
• Do not store secret data in the session ID
• Do not allow in URLs, logs or error messages
• Do treat as any other client-side input
Cookies
• Do set
– HTTPOnly
– Secure
– Path
– Domain
– Expire
• Do not store sensitive data in cookies
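The three session slides above (inactivity and absolute timeouts, server-side destruction, one login per user, a renamed session id with more than 160 bits of entropy renewed on privilege change, and the cookie attributes listed) in one piece, as an added example that is not part of the original deck. `SessionStore`, the cookie name `APPSESSION`, the timeout values and the injected `clock` are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from email.utils import formatdate
from typing import Dict, Optional

INACTIVITY_SECONDS = 15 * 60      # constructed values; the slides give none
ABSOLUTE_SECONDS = 8 * 60 * 60
COOKIE_NAME = "APPSESSION"        # not a framework default such as JSESSIONID


@dataclass
class Session:
    username: str
    role: str
    created_at: float
    last_seen: float


class SessionStore:
    """Hypothetical server-side store; `clock` is injected for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        # 32 random bytes = 256 bits, above the slide's 160-bit floor; hex so
        # the id is cookie-safe and carries no user data.
        return secrets.token_hex(32)

    def create(self, username: str, role: str) -> str:
        # One session per user: a login from a second workstation replaces
        # (destroys) the earlier session (assumption: replace rather than refuse).
        self._sessions = {sid: s for sid, s in self._sessions.items()
                          if s.username != username}
        sid = self.new_id()
        now = self.clock()
        self._sessions[sid] = Session(username, role, now, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Treat the id like any other client input: unknown or timed-out ids
        are destroyed server-side and reported as no session."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if (now - s.last_seen > INACTIVITY_SECONDS
                or now - s.created_at > ABSOLUTE_SECONDS):
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def elevate(self, sid: str, new_role: str) -> Optional[str]:
        """Privilege change: issue a fresh id and retire the old one. The
        absolute timeout keeps counting from the original login."""
        s = self.get(sid)
        if s is None:
            return None
        del self._sessions[sid]
        new_sid = self.new_id()
        self._sessions[new_sid] = Session(s.username, new_role, s.created_at, self.clock())
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str, domain: str, now: float,
                   max_age: int = ABSOLUTE_SECONDS) -> str:
    """Build the Set-Cookie header with the attributes the slide lists."""
    expires = formatdate(now + max_age, usegmt=True)
    return (f"{COOKIE_NAME}={sid}; Path=/; Domain={domain}; "
            f"Expires={expires}; Secure; HttpOnly")
```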
SPECIFIC ATTACKS
Defending Web Applications
Clickjacking
• Set HTTP Header (X-Frame-Options)
CSRF
• Include an anti-CSRF token
– Unique per user and per session
– Tied to a single user session
– Large random value
– Generated by a cryptographically secure RNG
CSRF
• One way to implement
– Generate Token, store server side for the session
– Add token as a hidden parameter to a form
– When form is submitted, check that the submitted token matches the token saved server-side
SQL Injection
• Parameterize Queries
The following is an example of Java code which is vulnerable to SQL injection (the user-supplied values are concatenated straight into the query text):
    String query = "SELECT * FROM users WHERE userid ='" + userid + "'"
                 + " AND password='" + password + "'";
    Statement stmt = connection.createStatement();
    ResultSet rs = stmt.executeQuery(query);
SQL Injection
• Parameterize Queries
Here is the same code properly parameterized:
    PreparedStatement stmt = connection.prepareStatement(
        "SELECT * FROM users WHERE userid=? AND password=?");
    stmt.setString(1, userid);
    stmt.setString(2, password);
    ResultSet rs = stmt.executeQuery();
XSS
On submit:
• Enforce input field type and lengths
• Validate fields
• Ensure select and radio values are among those the server sent
On render:
• Set the correct content type
• Set a safe character set (UTF-8)
• Output encode all user data according to the context it is rendered in
• Set input constraints
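Context-specific output encoding from the "On render" list, as an added example that is not part of the original deck: one encoder per rendering context, used by a constructed `render_profile` fragment. The encoder names and the fragment are assumptions.

```python
import json
from html import escape
from urllib.parse import quote


def encode_html_text(value: str) -> str:
    """For element content: <p>{here}</p>."""
    return escape(value, quote=False)


def encode_html_attr(value: str) -> str:
    """For a quoted attribute value: <input value="{here}">."""
    return escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """For a JavaScript string literal inside a <script> block. json.dumps
    yields a quoted, escaped literal; '<' and '>' are escaped as well so the
    data can never close the enclosing script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_url_param(value: str) -> str:
    """For a query-string value: href="/search?q={here}"."""
    return quote(value, safe="")


def render_profile(display_name: str, search: str) -> str:
    """Constructed page fragment; each value is encoded for the context it
    lands in, not with one encoder for everything."""
    return (
        f"<h1>{encode_html_text(display_name)}</h1>\n"
        f'<input name="name" value="{encode_html_attr(display_name)}">\n'
        f'<a href="/search?q={encode_url_param(search)}">search again</a>\n'
        f"<script>var lastSearch = {encode_js_string(search)};</script>"
    )
```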
File Upload
• Do
– Scan with Anti-Virus
– Check for expected file extension
– Check file content-type
– Check file size
– Use a new name
– Store outside of web root
– Deny access to file except through application
– Strip away extraneous content
CONFIGURATION
Defending Web Applications
SSL
• Do use secure cipher suites
• Do force HTTPS (all points from login to logout)
• Do use valid SSL certificates
• Do not allow mixed mode
– All CSS, images, JavaScript, etc. must be served over SSL
Headers - Remediation
• Unset: Server, X-Powered-By, X-AspNet-Version
• X-Frame-Options
• Cache-Control
• Content-Type
Headers - Preventative
• X-Content-Type-Options
• X-XSS-Protection
• Strict-Transport-Security
• X-Content-Security-Policy
• Character set (UTF-8)
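A checker for the two header slides above, as an added example that is not part of the original deck: it flags the disclosing headers that should be unset and the protective headers that are missing or weakly set. `audit_headers` and the accepted values are assumptions; X-XSS-Protection and X-Content-Security-Policy are left out because current browsers no longer honour them.

```python
from typing import Callable, Dict, List

# Headers the slides say to unset because they fingerprint the platform.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

# Headers the slides say to set, with the value each check accepts.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "Cache-Control": lambda v: "no-store" in v.lower(),
    "Content-Type": lambda v: "charset=utf-8" in v.lower().replace(" ", ""),
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one HTTP response's headers (empty list = clean).
    Header names are matched case-insensitively, as HTTP requires."""
    by_name = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name in DISCLOSING_HEADERS:
        if name.lower() in by_name:
            findings.append(f"unset {name} (value: {by_name[name.lower()]!r})")
    for name, accepted in REQUIRED_HEADERS.items():
        value = by_name.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif not accepted(value):
            findings.append(f"weak {name}: {value!r}")
    return findings
```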
Misc.
• Do not enable directory browsing
• Do not allow direct access to objects
• Do not allow verbose error messages
• Do implement sufficient auditing and logging
Summary
Questions & Answers
References
• http://howtodoinjava.com/2013/07/22/how-to-generate-secure-password-hash-md5-sha-pbkdf2-bcrypt-examples/
• https://crackstation.net/hashing-security.htm
• http://arr.gr/blog/2012/02/password-hashing-revisited/
• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
• https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Secure_Coding_Principles
• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_Management_Implementation
• https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet#OWASP_Top_Ten_Cheat_Sheet
• http://www.troyhunt.com/2013/05/hack-yourself-first-how-to-go-on.html#PasswordStorage
• http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html
