Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Similar documents
Web Application Penetration Testing


EasyCrypt passes an independent security audit

COMP9321 Web Application Engineering

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

C1: Define Security Requirements

Client Side Security And Testing Tools

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Web basics: HTTP cookies

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Solutions Business Manager Web Application Security Assessment

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

RKN 2015 Application Layer Short Summary

Web Security. Thierry Sans

Web basics: HTTP cookies

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Tabular Presentation of the Application Software Extended Package for Web Browsers

COMP9321 Web Application Engineering

Bypassing Web Application Firewalls

COMP9321 Web Application Engineering

Requirements from the Application Software Extended Package for Web Browsers

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Developing ASP.NET MVC Web Applications (486)

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Uniform Resource Locators (URL)

P2_L12 Web Security Page 1

Ruby on Rails Secure Coding Recommendations

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Web Application Firewall Subscription on Cyberoam UTM appliances

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Application Security. Philippe Bogaerts

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Certified Secure Web Application Engineer

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

GOING WHERE NO WAFS HAVE GONE BEFORE

Application vulnerabilities and defences

Chrome Extension Security Architecture

Robust Defenses for Cross-Site Request Forgery Review

FREQUENTLY ASKED QUESTIONS

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

WEB SECURITY: XSS & CSRF

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Copyright

Introduction to Ethical Hacking

Common Websites Security Issues. Ziv Perry

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Web Application Security

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Robust Defenses for Cross-Site Request Forgery

Content Security Policy

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Manipulating Web Application Interfaces a New Approach to Input Validation Testing. AppSec DC Nov 13, The OWASP Foundation

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

SQL Injection how far does the rabbit hole go? OWASP 5 November The OWASP Foundation

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd

Biting the Hand that Feeds You

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Security Penetration Test of HIE Portal for A CUSTOMER IMPLEMENTION. Services provided to: [LOGO(s) of company providing service to]

So Many Ways to Slap a YoHo: Hacking Facebook & YoVille

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

OWASP TOP 10. By: Ilia

The security of Mozilla Firefox s Extensions. Kristjan Krips

Application Design and Development: October 30

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

FlightPATH. User Manual:

Penetration Testing. James Walden Northern Kentucky University

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Penetration Test Report

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Securing ArcGIS Services

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

More attacks on clients: Click-jacking/UI redressing, CSRF

SECURE CODING ESSENTIALS

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

The requirements were developed with the following objectives in mind:

Web Security IV: Cross-Site Attacks

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Web security: an introduction to attack techniques and defense methods

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

ArcGIS Enterprise Security. Gregory Ponto & Jeff Smith

s642 web security computer security adam everspaugh

HTML5 a clear & present danger

Transcription:

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Our Observations The same old code-level problems Input Validation, Parameter Manipulation, Authorization Bypass, Privilege Escalation, Reliance on Browser Security, etc, etc, etc Can we EVER prevent these? Developer Training? There are always mistakes Negative Security Model? Almost always can bypass Positive Security Model? Very difficult to implement 2

What should we do? Root Cause Analysis: Problem: The application allowed the user to do something they shouldn't have been able to do Solution: Only allow the user do what the application expects them to be able to do How??? Look at what the application presents to the user If an option is not presented, don t let them use it If we don t ask the user for it, don t accept it! 3

Secure Parameter Filter (SPF) What is SPF? Embedded application Security Filter Analyses incoming requests and outgoing responses Every URL and input value requires a security token Generated on-the-fly as pages are rendered Exceptions can be defined for certain pages/inputs Deployed at the application level No involvement from server administrator required 4

Secure Parameter Filter (SPF) Designed to protect against: Input Tampering & Injection Query String, Cookies, Form Inputs URI Tampering Forced Browsing Forgery, Hijacking / Cross-Site Attacks Session-Based Tokenization 5

How it Works Output Filter Analyzes HTTP output to determine what is presented Only URLs and inputs presented to the user are permitted on subsequent requests Append Cryptographic Token on each URL Link HREF, Form ACTION, Script & Frame SRC Insert unique GUID on each form and record form input profile (name, type, disabled/read-only) Encrypt eligible embedded Form input values ASP.NET Machine Key 6

How it Works Input Filter Analyzes HTTP request to ensure it is for only authorized URLs and inputs By default, only pre-determined entry points are permitted without a proper request token Inspect free-form text inputs against specified regular expressions (optional) 7

How it Works FRAMEWORK HANDLER SPF CUSTOM CODE APPLICATION USERS IIS WEB/APP SERVER INTERNAL WEB/APP SERVER PROCESSING 8

Applied Cryptography in SPF Encrypted Inputs 16 Random Bytes Pre-Pended to Each Value Produces Unique Cipher Text (similar to IV) Uses ASP.NET Machine Key to Encrypt Appends Time Stamp & SHA1 HMAC Cipher Text Time Stamp Source IP Address Source Guid (SPF Cookie) 9

Applied Cryptography in SPF Tokenized Elements Appends Time Stamp & SHA1 HMAC Plain-Text (URL, Query String) Time Stamp Source IP Address Source Guid (SPF Cookie) HMAC Key derived from ASP.NET Machine Key 10

Configuration Requirements Default Protection Settings (Required) Protection Scope (URI, QueryString, Forms, Cookies) Main Application Entry Point (URL) Exceptions to Default Settings (Optional) Global Exceptions (Form Inputs, Cookies) URI Exceptions (URI, Query String, Form Inputs) 11

Configuration Options Automatic Run-time Configuration Updates Ineligible inputs are automatically granted exceptions INPUT TYPE=TEXT, TEXAREA, etc Black List Regular Expression Filter Used to optionally block malicious input strings Two Modes of Operation Passive: Silent logging of all failed requests Active: Failed requests are rejected 12

Supported Content Types HTML Analyzer Uses HTML Agility Pack JavaScript Analyzer Custom functions with arguments that include URLs and request parameters dopostback(eventtarget, eventargument) Native properties that contain URLs location.href, window.location, etc 13

SPF Reverse Proxy Test Cases IIS7 Reverse Proxy allows SPF to protect any web application Used to perform testing against several applications Can be leveraged to determine compatibility with SPF SPF TESTER / EVALUATOR SPF REVERSE PROXY (IIS7) WEB/APP SERVER 14

Live Demonstration DEMO 15

Questions Justin Clarke - justin @ gdssecurity. com Andrew Carey Nairn andrew @ gdssecurity. com GDS Blog: http://www.gdssecurity.com/l/b 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback