Post on 04-Jan-2019
transcript
Web Application Security
• Security engineer during the day
• Design review
• Code review
• Pentest
• Developer/DevOps at night
• Docker/Nginx/Apache
• Rails/Go/Python/PHP
About me
Agenda
• Random thoughts and advice around web application security
• Case study on my personal website
• Future of web application security
What makes a web application secure?
Security needs to be easy and opt-out• Pick a framework with mature libraries for:
• Database management:
• Developers should rarely write SQL
• User management
• Developers shouldn’t need to write user management
• This is actually really hard to get right
• Output escaping in views:
• Not escaping data should be a conscious decision, not the default
Security needs to be easy and opt-out• Examples:
• Ruby-on-Rails, Spring, .Net framework with MVC, Angular
• Counter-examples:
• raw-PHP, raw-???
• The latest cool stuff on HN
Secure development• Really hard problem to solve
• Off-The-Shelf products are often limited:
• not based on your context
• not based on developers’ skill-set
• What is worse than a dev that you train on secure development and leave your organisation…
Don’t use blacklist
Using a blacklist is gambling on whether or not your security knowledge is and will stay stronger than your
strongest opponent's…
Example of how hard it is to create a white-list: https://fin1te.net/articles/safecurl-ssrf-protection-and-a-capture-the-bitcoins/
The Bug Factor• Way to measure security of a system (based on https://
en.wikipedia.org/wiki/Bus_factor)
• How many bugs away are you from
• a full compromise (shell)?
• your database on pastebin?
• …???
The Bug Factor
• Increasing your bug factor:
• Network segregation
• Principle of least privilege
• Defence in depth
Alerting
• Every time something triggers an error in your application, you should be notified (email, Slack, IRC)…
• This is not even a security problem… this happens to also solve a security problem
Transport Layer Security• Should be mandatory
• Very easy/cheap/minimal performance impact:
• AWS certificate manager
• Let’s encrypt
• HTTP vs self-signed certificate?
HTTP Security headers
• You can greatly improve the security of your web application by justing adding some HTTP headers:
• limit the impact of an XSS
• prevent being iframed.
• …
HTTP Security headers: HSTS• HTTP Strict Transport Security
• Ensure people always visit your site over TLS
• Strict-Transport-Security: max-age=31536000
• Supported by most browsers
• Effort to deploy/maintain: small
HTTP Security headers: CSP• Content-Security Policy
• Allow a developer to white-list content for CSS, JavaScript and Images
• 2 modes: report and block
• CSP 1 supported by most browsers, CSP 2 almost only supported by Chrome
• Effort to deploy/maintain: CSP 1 (high), CSP 2 (medium)
HTTP Security headers: HPKP
• HTTP Public Key Pinning
• Prevent rogue/compromised CA to intercept users’ communication
• Supported by Chrome and Firefox
• Effort to deploy/maintain: medium
Secrets and source code
• Keeping your keys and credentials outside of the source code is a difficult problem:
• Credentials can be packaged with the source code at build time
• Credentials can be on the system (file or environment variables)
What keeps an application secure over time?
A. Input filtering
B. Output escaping
C. A Web Application Firewall with a learning engine
D. Automated testing and automation
E. Chuck Norris
What keeps an application secure over time?
A. Input filtering
B. Output escaping
C. A Web Application Firewall with a learning engine
D. Automated testing and automation
E. Chuck Norris
Why?Security is constantly evolving, what will make your application secure is your ability to secure it now, but also to keep it secure over time.
To keep an application, it needs to be constantly patched (new attacks vector, new vulnerabilities in a dependency, …)
It’s not “Do you patch”, it’s “When do you patch”
Your application has security issues or potential security improvements, being able to easily test and deploy fixes or improvements will allow you to keep it secure
Spend your money on patching automation, not vulnerability management
Computing is cheap, people having meetings on risk assessment ain’t
Patching, patching, patching
http://martinfowler.com/bliki/FrequencyReducesDifficulty.html
If something is hard, do it often!
Case study: pentesterlab.com
• Pretty simple web application
• Manages users (registration, authentication, password reset, …)
• Allow to download public and private content
• Online exercises
• Ruby-on-Rails
• HTML escaping by default
• No need to write any SQL query
• I’m already subscribed to the security mailing-list
• Very smart people reviewed the codebase
• Very talented people are using it
Case study: pentesterlab.com
• Alerting:
• Exception notification library:
https://github.com/smartinez87/exception_notification
• User management:
• devise library (https://github.com/plataformatec/devise)
• Registration, Confirmation, Password Hashing, Lock-out…
Case study: pentesterlab.com
• Sharing public content (ISO file):
• Early version hosted on the same server
• Version 2:
• File stored in S3 with public access
• $$$ but easy management
Case study: pentesterlab.com
• Sharing public content (ISO file) - Current version:
• 4 Nginx servers sharing the same hostname and the same TLS certificate
• Synchronised using BitTorrentSync (Nginx webroot is a BitTorrentSync repository)
• “CDN on a budget”
• New node deployed in 5 minutes automatically (aside from DNS update) with Ansible
Case study: pentesterlab.com
Case study: pentesterlab.com
Master
ptl.io
ptl.ioptl.io ptl.io
• Sharing private content (ISO file):
• Current version:
• S3 with private files
• The server generates a link valid for X minutes (built-in S3 option)
• Harder to share the content with other people
Case study: pentesterlab.com
• Giving access to vulnerable systems:
• Common approach:
• VPN based
• Kind of annoying for me (user management)
• Kind of annoying for customers (setup, speed, connectivity)
Case study: pentesterlab.com
• Giving access to vulnerable systems:
• My approach:
• Only web applications
• One reverse proxy with DNS wildcard (????.libcurl.so always resolves to libcurl.so)
• Multiple vulnerable systems running in docker
Case study: pentesterlab.com
Case study: pentesterlab.com
Attackerlibcurl.so
exercise1
exercise2
http://ptl-1283933-12982021.libcurl.so
exercise3
Case study: pentesterlab.com
Attackerlibcurl.so
exercise1
exercise2
http://ptl-invalid-invalid.libcurl.so
exercise3
HTTP 302https://pentesterlab.com/
• Less public security research
• Exploit sales
• Enterprises struggling with dependency hell
• microservices
• docker
Future of web application security
• Better bugs:
• framework have more&more magic
• serialisation
• routing
• parameters handling (not everything is a string)
Future of web application security