
AppSecUSA 2013: Insecure Expectations

Matt Konda
November 21, 2013


This talk introduces a simple web testing framework and a vulnerable application. By writing tests with security implications we can illustrate issues, show how to test for them, and when we use behavior driven language (Cucumber) we can even express security issues as business features!



Transcript

  1. demo

     cucumber --name "person is restricted from putting input into a field that will be executed by the system"
  2. root cause

     def destroy
       @project = Project.find(params[:id])

       name = @project.name
       # the project name is interpolated straight into a shell command: the injection point
       `rm /tmp/#{name}.log`

       @project.destroy

       respond_to do |format|
         format.html { redirect_to projects_url }
         format.json { head :no_content }
       end
     end

     What if @project.name is: "; cat /etc/passwd > public/passwd.html;"
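     A hardened replacement for the log cleanup in the destroy action above, added here as an example and not code from the talk or the triage application: the project name is checked against an allowlist and the file is removed with File.delete, so the name never reaches a shell. The helper names and the allowlist pattern are assumptions.

```ruby
require "shellwords"
require "tmpdir"

# Allowlist for project names that may become part of a log file name
# (the pattern is an assumption for this example).
SAFE_NAME = /\A[A-Za-z0-9_-]{1,64}\z/

# Build the log path from the project name without ever handing it to a shell.
# Rejects shell metacharacters and path traversal alike.
def log_path_for(name, dir = "/tmp")
  unless name.is_a?(String) && name.match?(SAFE_NAME)
    raise ArgumentError, "unsafe project name: #{name.inspect}"
  end
  File.join(dir, "#{name}.log")
end

# Safe replacement for `rm /tmp/#{name}.log`: File.delete involves no shell.
# Returns true if a file was removed, false if there was nothing to remove.
def remove_project_log(name, dir = "/tmp")
  path = log_path_for(name, dir)
  return false unless File.file?(path)
  File.delete(path)
  true
end

# The project name from the slide.
PAYLOAD = "; cat /etc/passwd > public/passwd.html;"

# If a shell really is unavoidable, Shellwords.escape neutralises the metacharacters.
def escaped_payload
  Shellwords.escape(PAYLOAD)
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "billing.log"), "")
    puts remove_project_log("billing", dir)   # true
    begin
      remove_project_log(PAYLOAD, dir)
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
    puts escaped_payload
  end
end
```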
  3. Feature: person is restricted from accessing project they do not own

       Scenario: person accesses a project that is not theirs
         Given a new project created by a user
         When a different person attempts to access the project
         Then the system should prevent access
  4. # register_as_user, new_project and logout are helpers from the testing framework
     Given(/^a new project created by a user$/) do
       uuid = SecureRandom.uuid
       @user1 = "fb_user_1_#{uuid}@jemurai.com"
       register_as_user(@user1, "password")
       new_project("Insecure Direct Object Reference #{uuid}", "Forceful Browsing Desc")
       @url = current_url
     end

     When(/^a different person attempts to access the project$/) do
       logout(@user1)
       uuid = SecureRandom.uuid
       @user2 = "fb_user_2_#{uuid}@jemurai.com"
       register_as_user(@user2, "password")
     end

     Then(/^the system should prevent access$/) do
       visit @url
       expect(page).not_to have_content "Forceful Browsing Desc"
     end
  5. handy

     http://localhost:3000/projects?name=%27A%27%29%20or%201=1%20--

     def index
       email = current_user.email
       conditions = "owner LIKE '#{email}'"
       if params[:name]
         # params[:name] is concatenated unquoted into the SQL conditions
         conditions = "name like #{params[:name]} " + conditions
       end
       @projects = Project.find(:all, :conditions => conditions)

       respond_to do |format|
         format.html # index.html.erb
         format.json { render json: @projects }
       end
     end

     SELECT "projects".* FROM "projects"
     WHERE (name like 'A') or 1=1 -- owner LIKE '[email protected]')

     For illustration
  6. Feature: user is prevented from putting XSS in project form fields

       A user wants to be sure that other users can't put XSS in the projects pages
       in order to ensure that their sessions and information are safe.

       @javascript
       Scenario Outline: xss attempt
         Given the field is "<fieldname>"
         When the value is "<value>"
         Then the field result should be "<result>"

       Scenarios: xss in fields
         | fieldname            | value                                                                   | result |
         | project[name]        | ProjectName                                                             | noxss  |
         | project[name]        | ProjectName <script>alert('project[name]->xss');</script>               | xss    |
         | project[description] | ProjectDescription <script>alert('project[description]->xss');</script> | noxss  |
  7. new_project("XSS Name #{@field} #{uniq}", "XSS Desc #{@field}" + uniq)
     click_link 'Edit'
     fill_in @field, :with => @value
     click_button "Update Project"
     if @result == "xss"
       # This should have xss in it...did it stick?
       alerted = false
       begin
         # a JavaScript alert only exists if the injected script actually ran
         page.driver.browser.switch_to.alert.accept
         alerted = true
       rescue
       end
       if alerted
         fail("XSS Used to create Popup in #{@field} with #{@value}")
       else
         puts "Good news, no xss where expected."
       end
     else
       expect(page).to have_content @value
     end
  8. Feature: user is protected from malicious content and having their page framed

       A user wants to be sure that effective browser protections are enabled
       in order to ensure that their information is safe.

       @javascript
       Scenario Outline: check for secure headers attempt
         Given a new project created by a user
         And the page is "<page>"
         When the header is "<header>"
         Then the header value should be "<result>"

       Scenarios: headers in pages
         | page      | header           | result |
         | projects/ | X-Frame-Options  | DENY   |
         | projects/ | X-XSS-Protection | 1      |
  9. require 'net/http'
     require 'uri'

     cookies = Capybara.current_session.driver.browser.manage.all_cookies
     csrf_token = Capybara.current_session.driver.browser.find_element(:xpath, "//meta[@name='csrf-token']").attribute('content')
     # Switch mode to net::http
     uri = URI.parse(url)
     http = Net::HTTP.new(uri.host, uri.port)
     http.verify_mode = OpenSSL::SSL::VERIFY_NONE
     request = Net::HTTP::Post.new(uri.request_uri)
     # Selenium returns an array of cookie hashes; join them into a Cookie header
     request['Cookie'] = cookies.map { |c| "#{c[:name]}=#{c[:value]}" }.join("; ")
     request.set_form_data({
       "_method" => "put",
       "authenticity_token" => "#{csrf_token}",
       "project[name]" => "header updated and verified",
       "commit" => "Update Project" })
     response = http.request(request)

     ...

     if response[@header] == @result
       # pass
     else
       fail("Header #{@header} not set to #{@result} as expected. Instead was #{response[@header]}.")
     end
  10. what if the dev writing the code were testing security cases along the way?

      MUCH smarter.
  11. current Tests
      • Injection / Sql Injection
      • Cross Site Scripting
      • Mass Assignment
      • Cross Site Request Forgery
      • Secure Headers
      • Sensitive Data Exposure (Session Cookie)
  12. simplified Steps
      • injection: inject commands into fields and detect functions being called.
      • XSS: inject scripts into fields and detect that alerts are thrown
      • Mass assignment: set raw form data with net::http and send it to see how the server responds
      • csrf: alter csrf token and send otherwise valid request
      • headers: interact with system and verify that headers are being set
      • Sensitive Data: open session cookie and inspect
  13. basically, I want to see OWASP try to build community organizing with developers into a model that can be repeated
  14. Thanks!
      Justin Collins @presidentbeef
      Jeff Jarmoc @jjarmoc
      Ben Toews @mastahyeti
      Neil Matatall @ndm
      Aaron Bedra @abedra
      Jon Claudius @claudijd
      Chris Oliver @excid3
      Chris Hildebrand @ckhrysze
      Jon Rose
      Brett Hardin @miscsecurity
      Elizabeth Hendrickson @testobsessed
  15. References
      • https://github.com/Jemurai/triage
      • https://bitbucket.org/mkonda/swtf/
      • http://speakerdeck.com/mkonda
      • http://brakemanscanner.org
      • http://rails-sqli.org
      • https://github.com/twitter/secureheaders
      • http://testobsessed.com/wp-content/uploads/2011/04/testheuristicscheatsheetv1.pdf
      • https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
  16. features
      • person is restricted from putting input into a field that will be executed by the system
      • user is prevented from putting XSS in project form fields
      • user should not be able to set fields not shown in the form
      • user should not be able to submit forms in another's session
      • user is protected from malicious content and having their page framed
      • user's favorite album is in cookie
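     An example of the "open session cookie and inspect" step from slide 12 and the "favorite album is in cookie" feature above, added here and not code from the talk or its framework: it assumes the Rails 3 style signed session cookie of that era (base64 of a Marshal dump, then "--" and an HMAC-SHA1 of it), verifies the signature before deserialising, and reports which sensitive keys the cookie carries client-side. The secret, the session contents and the sensitive-key list are constructed for the example.

```ruby
require "openssl"

# Keys that should never live in a client-side session cookie
# (the list is an assumption for this example).
SENSITIVE_KEYS = %w[favorite_album email password credit_card].freeze

# Constant-time comparison so the signature check itself leaks no timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rails 3 style signed cookie: base64(Marshal.dump(hash)) + "--" + HMAC-SHA1 hex digest.
def sign_session(data, secret)
  encoded = [Marshal.dump(data)].pack("m0")
  "#{encoded}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, encoded)}"
end

# Verify the signature first: Marshal.load on unverified input would itself be a
# vulnerability. Returns the session hash, or nil if the cookie is malformed or tampered.
def open_session(cookie, secret)
  encoded, digest = cookie.to_s.split("--", 2)
  return nil unless encoded && digest
  return nil unless secure_equal?(OpenSSL::HMAC.hexdigest("SHA1", secret, encoded), digest)
  Marshal.load(encoded.unpack1("m0"))
rescue ArgumentError, TypeError
  nil
end

# Which sensitive keys are stored client-side? Anything returned is sensitive data exposure.
def exposed_keys(cookie, secret)
  session = open_session(cookie, secret)
  return [] unless session.is_a?(Hash)
  session.keys.map(&:to_s) & SENSITIVE_KEYS
end

# Constructed sample: the secret and the session contents are made up for this example.
SECRET = "constructed-secret-for-this-example"
SAMPLE_COOKIE = sign_session({ "session_id" => "abc123", "user_id" => 42,
                               "favorite_album" => "Blue Train" }, SECRET)

puts "exposed: #{exposed_keys(SAMPLE_COOKIE, SECRET).inspect}" if $PROGRAM_NAME == __FILE__
```

In a Cucumber step the cookie value would come from the driver's cookie jar, as in the all_cookies call on slide 9, and the secret from the application's configuration.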