Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Protecting Web Applications with ESAPI
and AppSensor
Manuel Lopez Arredondo
manuel.lopez@owasp.org

“The cost of cybercrime is greater than the
combined effect on the global economy of
trafficking in marijuana, heroin and cocaine”|
http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/

Why Security is important?
Ponemon Institute. (2012). 2012 Cost of Cyber Crime Study:. Ponemon Institute LLC.

Verizon. (2012). 2012 Data BREACH Investigations Report:. Verizon LLC.
Why Security is important?

Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend
commercial products or services
What is OWASP
6

Community Driven
30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters
69 Academic Supporters
What is OWASP
7

OWASP Guadalajara Chapter
What do we have to offer?
• Community of security professional
• Monthly meetings
• Mailing List
• Presentations
• Workshops
• Open forums for discussion
• Vendor neutral environments
Meetings Workshops Conference News Letter Page Visit
3 1 1 3 2,528+
https://www.owasp.org/index.php/Guadalajara
March 2012 – Till Date

Quality Resources
200+ Projects
15,000+ downloads of tools, documentation
250,000+ unique visitors
800,000+ page views (monthly)
What is OWASP
9

50%
10% 40%
Quality Resources
10

A1 – Injection
• Tricking an application into including unintended commands in the data sent to
an interpreter
Injection means…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…
Interpreters…
• Many applications still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid
SQL injection is still quite common
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access
Typical Impact

SQL Injection – Illustrated
Firewall
Hardened OS
Web Server
App Server
Firewall
Databases
LegacySystems
WebServices
Directories
HumanResrcs
Billing
Custom Code
APPLICATION
ATTACK
NetworkLayerApplicationLayer
Accounts
Finance
Administration
Transactions
Communication
KnowledgeMgmt
E-Commerce
Bus.Functions
HTTP
request

SQL
query

DB Table


HTTP
response


"SELECT * FROM
accounts WHERE
acct=‘’ OR
1=1--’"
1. Application presents a form to
the attacker
2. Attacker sends an attack in the
form data
3. Application forwards attack to
the database in a SQL query
Account Summary
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
4. Database runs query containing
attack and sends encrypted results
back to application
5. Application decrypts data as
normal and sends results to the
user
Account:
SKU:
Account:
SKU:

A2 – Cross-Site Scripting (XSS)
• Raw data from attacker is sent to an innocent user’s browser
Occurs any time…
• Stored in database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into rich JavaScript client
Raw data…
• Try this in your browser – javascript:alert(document.cookie)
Virtually every web application has this problem
• Steal user’s session, steal sensitive data, rewrite web page, redirect user to
phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all
user’s behavior on vulnerable site and force user to other sites
Typical Impact

Cross-Site Scripting Illustrated
Application with
stored XSS
vulnerability
3
2
Attacker sets the trap – update my profile
Attacker enters a
malicious script into a web
page that stores the data
on the server
1
Victim views page – sees attacker profile
Script silently sends attacker Victim’s session cookie
Script runs inside victim’s
browser with full access to
the DOM and cookies
Custom Code
Accounts
Finance
Administration
Transactions
Communication
KnowledgeMgmt
E-Commerce
Bus.Functions

Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org
Purpose: A free, open source, web application security control library
that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Enterprise Security API
16

ESAPI - Vision
 Build a common set of security controls for
today's most popular programming languages.
 Have interfaces in common across programming
languages as much as possible and natural.
 Provide at least a simple reference implementation
for each security control to serve as example if not
useful in itself.
 Easily extensible
 Provide functionality that is most often needed,
but lacking (or inconsistent) in various frameworks
/ languages.

Using ESAPI (1 of 3)
 Getting started
 https://www.owasp.org/index.php/Category:OWASP_Enter
prise_Security_API
 Download: http://code.google.com/p/owasp-esapi-
java/
 ESAPI Cheat Sheet:
https://www.owasp.org/index.php/ESAPI_Cheat_Sheet
 ESAPI Swingset: http://code.google.com/p/owasp-
esapi-java-swingset/

 Getting help
 ESAPI User mailing list (focuses on Java version):
https://lists.owasp.org/mailman/listinfo/esapi-
user
 ESAPI Developer mailing list:
https://lists.owasp.org/mailman/listinfo/esapi-dev
 ESAPI Project page: http://www.esapi.org/ (coming
soon)

 Getting involved
 Many other language implementations, all
playing catch up
 ESAPI for Java version needs help with user
documentation
 ESAPI 2.1 (Java) starting soon
 ESAPI Swingset and Swingset Interactive → Port
to use ESAPI 2.0

Custom Enterprise Web Application
Authenticator
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
ExceptionHandling
Logger
IntrusionDetector
SecurityConfiguration
Existing Enterprise Security Services/Libraries

Potential Enterprise ESAPI Cost
Savings

Basic ESAPI Approach – Examples
 In Java:
String input = request.getParameter( "input" );
// Throws ValidationException or IntrusionException
// if problem
String cleaned =
ESAPI.validator().getValidInput("Secure input
example",
input,
"SafeString", //
regex spec
200, // max lengyh
false, // no nulls
true); //
canonicalize
String safeHTML =
ESAPI.encoder().encoderForHTML(cleaned);

 In PHP:
$cleanTmp = array(); // local in scope
$cleanParams = array(); // local in scope
$cleanTmp['username'] =
ESAPI::getValidator()->getValidInput(
"Secure input example",
$input,
"SafeString",
200, false, true);
$cleanParams['username'] =
ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);
Basic ESAPI Approach – Examples

OWASP ESAPI Project Scorecard
Feature Set vs. Programming
Language
Authentication 2.0 1.4 1.4 1.4 2.0
planned
Identity 2.0 1.4 1.4 1.4 2.0
planned
Access Control 2.0 1.4 1.4 1.4 1.4 2.0
planned
Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 2.0
Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 ???
Encryption 2.0 1.4 1.4 1.4 1.4 2.0
Random Numbers 2.0 1.4 1.4 1.4 1.4 2.0
Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Logging 2.0 1.4 1,4 1.4 1.4 1.4 2.0 2.0
Intrusion Detection 2.0 1.4 1.4 1.4
Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 TBD
WAF 2.0

Source Code and Javadoc
Online Now!
http://code.google.com/p/owasp-esapi-java

AppSensor
Project Leader(s): Michael Coates, John Melton, Colin Watson
Purpose: Defines a conceptual framework and methodology that offers
prescriptive guidance to implement intrusion detection and automated
response into an existing application.
Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
https://www.owasp.org/index.php/AppSensor
Create attack aware applications
27

Detecting Attacks
the Right Way
• Detect INSIDE the Application
• Automatic Detection
• Comprehensive
• Minimize False Positives
• Understand Business Logic
• Immediate Response
• No Manual Efforts Required

Detection Points
Implementing AppSensor
Application Log Server AppSensor Brain
Response Listener

Take aways
• Open Source solutions
• Low cost and low effort
• Think out of the box for development teams
• Techniques used on the Industry
• OWASP Google Summer of Code 2013
https://www.owasp.org/index.php/GSoC

About OWASP
• Online since December 1st 2001
• Not-for-profit charitable organization
• OPEN Everything at OWASP is radically transparent from our finances to
our code.
• INNOVATION OWASP encourages and supports innovation/experiments
for solutions to software security challenges.
• GLOBAL Anyone around the world is encouraged to participate in the
OWASP community.
• INTEGRITY OWASP is an honest and truthful, vendor agnostic, global
community.
• https://www.owasp.org/index.php

Application Developers
New attacks/ defense guideline
Cheat Sheets
Web Goat-emulator-designed to teach web application security lessons

Application Testers and Quality Assuran
Testing guide
Penetration testing tools
Application Security Verification Standard Project

OWASP ZAP Proxy/ WebScarab / CSRF Tester

OWASP Testing Framework
4. Web Application Penetration Testing
•4.2 Information Gathering
•4.3 Configuration Management Testing
•4.4 Business logic testing
•4.5 Authentication Testing
•4.6 Authorization Testing
•4.7 Session Management Testing
•4.8 Data Validation Testing
•4.9 Testing for Denial of Service
•4.10 Web Services Testing
•4.11 Ajax Testing
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

Application Project Management and Staff
45
Define the process
SDLC
Code Review
Code review tool
http://codecrawler.codeplex.com/Release/ProjectReleases.aspx
http://orizon.sourceforge.net

Business advantages of being
associated with OWASP
• The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that
application security is important and that the organization is working to take necessary steps to properly address
application security risk in their businesses
• The organization itself gets security benefit at reduced costs
– Security code review tools are free
– Lots of open & free security testing tools
– Security guidelines & best practices
• Opportunity to endorse organization's logo in OWASP events, conferences, & website
• The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world
on owasp mailing lists and linked 'in group
– If you are looking to expand your business in emerging market here is an opportunity to reach out
• When organization becomes a supporter of a security community it helps employees, partners, suppliers and
customers to understand the value & importance of security, and improves application security throughout the
whole supply chain
• Membership options : https://www.owasp.org/index.php/Membership

Subscribe mailing list
https://www.owasp.org/index.php/Guadalajara
Chapter Leaders:
Eduardo Cerna
Mauel Lopez
Join Us !

App Sensor Design
Demo App
Embedded
AppSensor
Response
AppSensor “Brain”
App Logs

Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Viewers also liked

Viewers also liked (7)

Similar to Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Similar to Protección web con ESAPI y AppSensor [GuadalajaraCON 2013] (20)

More from Websec México, S.C.

More from Websec México, S.C. (20)

Recently uploaded

Recently uploaded (20)

Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Editor's Notes