AppSecUSA 2013: Insecure Expectations

Transcript

1. insecure
   expectations Matt Konda @mkonda Jemurai.com

2. introduction

3. BACKGROUND ON ME

4. Thanks to family!

5. demo cucumber --name "person is restricted from putting input into

   a field that will be executed by the system"
6. None

7. root cause def destroy! @project = Project.find(params[:id])! ! name =

   @project.name! `rm /tmp/#{name}.log` ! ! @project.destroy! ! respond_to do |format|! format.html { redirect_to projects_url }! format.json { head :no_content }! end! end! ! ! What if @project.name is : ! "; cat /etc/passwd > public/passwd.html;”!

8. How many
   people here
   ! Write tests?

9. How many
   people here
   ! Use TDD?

10. How many
    people here
    ! Use BDD?

11. How many
    people here
    ! know of OWASP?

12. How many
    people here
    ! currently write security

    tests?

13. insecure expectations

14. rspec

15. -6 = 64.1 Trillion

16. None
17. None

18. bdd with cucumber

19. feature
    scenario
    ! given
    when
    then

20. Feature: person is restricted from accessing project they do not

    own Scenario: person accesses a project
    that is not theirs
    Given a new project created by a user When a different person attempts to access the project Then the system should prevent access

21. demo cucumber --name "person is restricted from accessing project they

    do not own"
22. None

23. Given(/^a new project created by a user$/) do! uuid =

    SecureRandom.uuid! @user1 = "fb_user_1_#{uuid}@jemurai.com"! register_as_user(@user1, "password")! new_project("Insecure Direct Object Reference #{uuid}", ! "Forceful Browsing Desc")! @url = current_url ! end! ! When(/^a different person attempts to access the project$/) do! logout(@user1)! uuid = SecureRandom.uuid! @user2 = "fb_user_2_#{uuid}@jemurai.com"! register_as_user(@user2, "password")! end! ! Then(/^the system should prevent access$/) do! visit @url! expect(page).not_to have_content "Forceful Browsing Desc"! end

24. introducing: triage https://github.com/Jemurai/triage

25. handy http://localhost:3000/projects?name=%27A%27%29%20or%201=1%20-- def index! email = current_user.email! !conditions = "owner

    LIKE '#{email}'"! !if params[:name]! !! conditions = "name like #{params[:name]} " + conditions! !end! !@projects = Project.find(:all, :conditions=>conditions)! !! respond_to do |format|! format.html # index.html.erb! format.json { render json: @projects }! end! end SELECT "projects".* FROM "projects" ! WHERE (name like 'A') or 1=1 -- owner LIKE '[email protected]') For illustration

26. introducing: SWTF

27. Security Web Testing Framework

28. Security WTF

29. features/env.rb

30. None

31. Feature: user is prevented from putting XSS in project form

    fields! ! A user wants to be sure that others users can't ! put XSS in the projects pages! ! in order to ensure that their sessions and information are safe.! ! ! ! @javascript! ! Scenario Outline: xss attempt! ! ! Given the field is "<fieldname>"! ! ! When the value is "<value>"! ! ! Then the field result should be "<result>"! ! ! ! ! ! Scenarios: xss in fields! ! ! ! | fieldname | value | result |! ! ! ! | project[name] | ProjectName | noxss |! ! ! ! | project[name] | ProjectName <script>alert('project[name]- >xss');</script> | xss |! ! ! ! | project[description] | ProjectDescription <script>alert('project[description]->xss');</script> | noxss |! ! ! ! ! ! ! !

32. new_project("XSS Name #{@field} #{uniq}","XSS Desc #{@field}"+ uniq)! click_link 'Edit'! fill_in

    @field, :with => @value! click_button "Update Project"! if @result == "xss" ! # This should have xss in it...did it stick?! alerted = false! begin ! page.driver.browser.switch_to.alert.accept ! alerted = true! rescue ! end! if alerted! fail("XSS Used to create Popup in #{@field} with #{@value}") ! else! puts "Good news, no xss where expected."! end! else! expect(page).to have_content @value! end

33. demo cucumber --name "user is prevented from putting XSS in

    project form fields"
34. None
35. None

36. tests in app Rails Application rspec / cucumber

37. tests out of app Rails Application: Triage Cucumber | SWTF

38. tests out of app Rails Application: Triage (Insecure) Cucumber |

    SWTF Rails Application: Triage (Secure)

39. means they can be easily adapted to test different apps

40. demo cucumber --name "user is protected from malicious content and

    having their page framed"
41. None

42. Feature: user is protected from malicious content and having their

    page framed! ! A user wants to be sure that effective browser protections are enabled ! ! in order to ensure that their information is safe.! ! ! ! @javascript! ! Scenario Outline: check for secure headers attempt! ! ! Given a new project created by a user! ! ! And the page is "<page>"! ! ! When the header is "<header>"! ! ! Then the header value should be "<result>"! ! ! ! ! ! Scenarios: headers in pages! ! ! ! | page | header | result |! ! ! ! | projects/ | X-Frame-Options | DENY |! ! ! ! | projects/ | X-XSS-Protection | 1 |!

43. ! cookies = Capybara.current_session.driver.browser.manage.all_cookies! csrf_token = Capybara.current_session.driver.browser.find_element(:xpath, "// meta[@name='csrf-token']").attribute('content');! #

    Switch mode to net::http! uri = URI.parse(url)! http = Net::HTTP.new(uri.host, uri.port) ! http.verify_mode = OpenSSL::SSL::VERIFY_NONE! request = Net::HTTP::Post.new(uri.request_uri)! request['Cookie'] = cookies ! request.set_form_data( { ! "_method" => "put", ! "authenticity_token" => "#{csrf_token}", ! "project[name]"=> "header updated and verified", ! "commit"=>"Update Project" })! response = http.request(request)! ! ...! ! if response[@header] == @result! #pass! else! fail("Header #{@header} not set to #{@result} as expected. ! Instead was #{response[@header]}.")! end!

44. take a vulnerable project

45. None

46. write tests that illustrate the security issues

47. try to illustrate how easy it would be to write

    security tests

48. in language everyone can understand

49. why is application scanning so hard?

50. what if the dev writing the code were testing security

    cases along the way?
    ! MUCH smarter.

51. exploratory testing

52. quiz •user should not be able to set fields not

    shown in the form

53. quiz •user should not be able to submit forms in

    anothers session

54. ARE STAKEHOLDERS ASKING FOR SECURITY?

55. but if you ask them about these features they might

    want them

56. current Tests • Injection / Sql Injection • Cross Site

    Scripting • Mass Assignment • Cross Site Request Forgery • Secure Headers • Sensitive Data Exposure (Session Cookie)

57. demo cucumber --name "users favorite album is in cookie"

58. None
59. None

60. simplified Steps • injection: inject commands into fields and detect

    functions being called. • XSS: inject scripts into fields and detect that alerts are thrown • Mass assignment: set raw form data with net::http and send it to see how the server responds • csrf: alter csrf token and send otherwise valid request • headers: interact with system and verify that headers are being set • Sensitive Data: open session cookie and inspect

61. OWASP Top 10 From: owasp.org

62. A natural extension is to make it easy to fuzz

    forms
63. None

64. there is no
    !

65. goal #1: Platform for educating developers

66. goal #2: language for communicating with business owners

67. goal #3: mechanism for making it easier to implement tests.

68. None

69. how many people have had a penetration test against their

    application?

70. instead of a pdf, what if we deliver findings with

    working tests!

71. what if a developer could fix a security issue by

    making the TEST pass.

72. wander

73. good: almost every client engagement benefits from OWASP

74. Bad: owasp meetings I have been to are predominantly security

    people

75. how do we “communicate”

76. cheat sheets

77. How many
    people here
    ! have attended developer

    conferences this year?
78. None

79. How many
    people here
    ! Commit to development

    projects?

80. Community organizing

81. ideas:
    ! Go to dev meetup
    go dev conference
    

    contribute to Oss
    listen

82. more ideas:
    ! identify technology leaders and approach them

83. make developer friends
    !

84. make developer friends
    !

85. more ideas:
    ! form an outreach subcommittee

86. more ideas:
    ! de-”criminalize” application security ignorance

87. more ideas:
    ! invite developers to speak

88. more ideas:
    ! find activities that developers can participate

    in at meetings

89. more ideas:
    ! emphasize developer contributions to owasp site

90. more ideas:
    ! get developers on the owasp board

91. more ideas:
    ! ???

92. basically, I want to see owasp try to build community

    organizing with developers into a model that can be repeated

93. Thanks! Justin Collins @presidentbeef Jeff Jarmoc @jjarmoc Ben Toews @mastahyeti

    Neil Matatall @ndm Aaron Bedra @abedra Jon Claudius @claudijd Chris Oliver @excid3 Chris Hildebrand @ckhrysze Jon Rose Brett Hardin @miscsecurity Elizabeth Hendrickson @testobsessed

94. References • https://github.com/Jemurai/triage • https://bitbucket.org/mkonda/swtf/ • http://speakerdeck.com/mkonda • http://brakemanscanner.org •

    http://rails-sqli.org • https://github.com/twitter/secureheaders • http://testobsessed.com/wp-content/uploads/2011/04/ testheuristicscheatsheetv1.pdf • https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet

95. Thanks!

96. features • person is restricted from putting input into a

    field that will be executed by the system • user is prevented from putting XSS in project form fields • user should not be able to set fields not shown in the form • user should not be able to submit forms in anothers session • user is protected from malicious content and having their page framed • users favorite album is in cookie