OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Similar documents
Certified Secure Web Application Security Test Checklist

Solutions Business Manager Web Application Security Assessment

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Aguascalientes Local Chapter. Kickoff

SECURITY TESTING. Towards a safer web world

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Bank Infrastructure - Video - 1

Welcome to the OWASP TOP 10

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Copyright

Certified Secure Web Application Engineer

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

F5 Application Security. Radovan Gibala Field Systems Engineer

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

CSWAE Certified Secure Web Application Engineer

Application Security Approach

Sichere Software vom Java-Entwickler

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Applications Security

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Web Application Security. Philippe Bogaerts

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

OWASP TOP OWASP TOP

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Web Application Penetration Testing

Application Layer Security

Web Application Threats and Remediation. Terry Labach, IST Security Team

COMP9321 Web Application Engineering


Exploiting and Defending: Common Web Application Vulnerabilities

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

N different strategies to automate OWASP ZAP

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide

Application vulnerabilities and defences

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Web Applications Penetration Testing

OWASP TOP 10. By: Ilia

1 About Web Security. What is application security? So what can happen? see [?]

WHY CSRF WORKS. Implicit authentication by Web browsers

Curso: Ethical Hacking and Countermeasures

Web Security, Summer Term 2012

Web Security, Summer Term 2012

GOING WHERE NO WAFS HAVE GONE BEFORE

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Your Turn to Hack the OWASP Top 10!

Web Application Whitepaper

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Combating Common Web App Authentication Threats

INNOV-09 How to Keep Hackers Out of your Web Application

PRESENTED BY:

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

AN E-GOVERNANCE WEB SECURITY AUDIT Deven Pandya 1, Dr. N. J. Patel 2 1 Research Scholar, Department of Computer Application

EasyCrypt passes an independent security audit

Security Testing White Paper

Top 10 Web Application Vulnerabilities

Bugcrowd v1.6 - Nov. 2, 2018

Certified Secure Web Application Secure Development Checklist

Domino Web Server Security

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

Security Best Practices. For DNN Websites

P2_L12 Web Security Page 1

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

COMP9321 Web Application Engineering

ArcGIS Enterprise Security: Advanced. Gregory Ponto & Jeff Smith

Robust Defenses for Cross-Site Request Forgery Review

Vulnerabilities in online banking applications

Web Application Security GVSAGE Theater

C1: Define Security Requirements

Contents. xvii xix xxiil. xxvii

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Scan Report Executive Summary

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Multi-Post XSRF Web App Exploitation, total pwnage

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

HP 2012 Cyber Security Risk Report Overview

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Information Security CS 526 Topic 8

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Transcription:

Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand

Worldwide Community www.owasp.org 2 2

My Contact Info and Web Places Me Mobile, Thailand Email Blog The CEP Blog Blog The (ISC)2 Blog ACIS Professional Center The UNIX and Linux Forums LinkedIn Tim Bass +66832975101 tim@unix.com www.thecepblog.com blog.isc2.org www.acisonline.net www.unix.com www.linkedin.com/in/timbass 3

Our Agenda First, A Brief Review of the Top 10 #7. Broken Authentication and Session Management Second, A Funny Thing Happened in GoogleDocs Third, Proxy Caches are a Serious Threat Poorly written session management code is the vulnerability Simple testing scenario(s) and a warning. 4

Top 10 2007 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Insecure Remote File Include 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access http://www.owasp.org/index.php/top_10 5

Top 10 2007 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Insecure Remote File Include 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access http://www.owasp.org/index.php/top_10 6

Brief Top 10 Review 7. Broken Authentication and Session Management 7

7. Broken Authentication and Session Management Description Flaws in HTTP authentication and session management frequently involve the failure to protect credentials and session tokens through their lifecycle. Affected Environments All web application frameworks are vulnerable to authentication and session management flaws 8

7. Broken Authentication and Session Management Vulnerabilities Flaws in main authentication mechanism Password management Session Timeout Threats Proxy caches (discussed in this presentation) 9

7. Broken Authentication and Session Management Verifying Security Applications should properly authenticate users and protect their session credentials Ineffective: Automated scanning tools Effective: Combination of code reviews and testing Protection Maintain secure communications and credential storage Use single authentication mechanism where applicable Create a new session upon authentication Ensure the logout link destroys all pertinent data Do not expose credentials in URL or logs Update: Test against aggressive proxy scenarios 10

7. Broken Authentication and Session Management Example References 1. http://www.owasp.org/index.php/guide_to_authentication 2. http://www.owasp.org/index.php/reviewing_code_for_authentication 3. http://www.owasp.org/index.php/testing_for_authentication has so many web application security tools, papers and guides, all FREE for you to use! 11

Our Agenda First, A Brief Review of the Top 10 7. Broken Authentication and Session Management Second, A Funny Thing Happened in GoogleDocs Third, Proxy Caches are a Serious Threat Poorly written session management code is the vulnerability Simple testing scenario(s) and a warning. 12

GoogleDocs Account Before.. 13

A Typical Day in GoogleDocs.. 14

GoogleDocs Account After.. 15

GoogleDocs Account After.. 16

Mr. Wodnizki says. 17

Mr. Wodnizki says. I deleted all. 18

Google teamwork 19

Google says. We ve fixed the code.. 20

Our Agenda First, A Brief Review of the Top 10 7. Broken Authentication and Session Management Second, A Funny Thing Happened in GoogleDocs Third, Proxy Caches are a Serious Threat Poorly written session management code is the (flaw) vulnerability Simple testing scenario(s) and a warning. 21

Proxy Caches are a Serious Everyday Threat Proxy caches, combined with poorly written session management code, can easily lead to serious security flaws. Web application developers have no control over proxy caches in the Internet. Developers do have control of the code they write and their admin teams have configuration control of their web servers. Developers must assume the worst case Internet scenario with aggressive Internet cache management policies. Caches are the Threat. Bad Code is the Flaw. 22

Developers Must Assume a Full Time Proxy Cache Threat Exists Web developers cannot know whether their content is consumed directly or via a (transparent) proxy cache. Developers cannot assume that the HTTP responses will be delivered to the intended client. Moreover, developers cannot be sure that the target browser even receives the intended content. For example, a session ID issued to a client gets used while it is valid or until abandoned and expired. If it is served and delivered in response to an unencrypted HTTP GET request, there s no guarantee it will be consumed by the intended web browser. 23

Developers Must Assume a Full Time Proxy Cache Threat Exists For example, this fact-of-life on the Internet can result in multiple web clients being sent the same Set-Cookie HTTP headers. Caching proxy servers should obtain a fresh cookie for the each new client request. Ideally, proxy caches should not cache session management cookies and distribute cached cookies to multiple clients but they can and do. 24

SSL is Critical, But Not Foolproof SSL must be used on ALL web transactions that require confidentiality and privacy. However, SSL is not foolproof. For example, web developers may not correctly set the "Encrypted Sessions Only" cookie property. Incorrectly configured secure servers will send HTTPS cookies in the open, unencrypted. 25

SSL is Critical, But Not Foolproof SSL must be used on ALL web transactions that require confidentiality and privacy. However, SSL is not foolproof. For example, web developers may not correctly set the "Encrypted Sessions Only" cookie property. Incorrectly configured secure servers will send HTTPS cookies in the open, unencrypted. 26

Testing Scenario- Single Server, Single Cache WEB CLIENT WEB CLIENT Very Aggressive Proxy Cache WEB SERVER WEB CLIENT Simple Test Scenario (HTTP and HTTPS) 27

Testing Scenario- Test Third Party Web Apps WEB CLIENT Illustrative Purposes Only WEB CLIENT Your Very Aggressive Proxy Cache Google Docs! WEB CLIENT Anyone can build and test against their own aggressive proxy! 28

Some Takeaways of this Presentation Criminals can easily configure aggressive caches and look for vulnerabilities in web application session management code, including unencrypted cookies. Criminals can then seek to attack from ISPs that have aggressive proxy cache management policies. This means that all (risk critical) web applications should be completely tested against an aggressive proxy cache to insure that criminals cannot exploit a basic configuration in the Internet. - This is huge. 29

References Blog Posts A New Security Breach in Google Docs Revealed http://www.thecepblog.com/2008/09/15/a-new-security-breach-in-google-docs-revealed/ Proxy Caches are a Challenging Threat to Internet Security http://www.thecepblog.com/2008/10/05/proxy-caches-are-a-challenging-threat-to-internet-security/ Automated HTTPS Cookie Hijacking http://fscked.org/blog/fully-automated-active-https-cookie-hijacking 30

Thank You! 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback