@PhilippeDeRyck
DID WE LOSE THE BATTLE FOR A SECURE WEB?
PhilippeDeRyckGuestlecture“CapitaSelecta”,UCLL,December14th 2016
https://www.websec.be
@PhilippeDeRyck
ABOUT ME – PHILIPPE DE RYCK
§Mygoalistohelpyoubuildsecurewebapplications− In-housetrainingprogramsatvariouscompanies−HostedwebsecuritytrainingcoursesatDistriNet (KULeuven)− Talksatvariousdeveloperconferences− Slides,videosandblogpostsonhttps://www.websec.be
§ Ihaveabroadsecurityexpertise,withafocusonWebSecurity−PhDinclient-sidewebsecurity−MainauthorofthePrimeronclient-sidewebsecurity
§ PartoftheorganizingcommitteeofSecAppDev.org−Week-longcoursefocusedonpracticalsecurity
2
@PhilippeDeRyck 3
@PhilippeDeRyck
THE WEB STARTED OUT AS SERVER-CENTRIC
4
@PhilippeDeRyck
DATA BREACHES ARE SOPHISTICATED ATTACKS
5
@PhilippeDeRyck
COMMAND INJECTION IN 2016
https://securityledger.com/2016/12/vulnerability-prompts-warning-stop-using-netgear-wifi-routers/http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
6
@PhilippeDeRyck
THE SIN IOTSTANDS FOR SECURITY
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
7
@PhilippeDeRyck
THE SIN IOTSTANDS FOR SECURITY
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
root xc3511root vizxvroot adminadmin adminroot 888888root xmhdipcroot defaultroot juantechroot 123456root 54321support supportroot (none)admin passwordroot rootroot 12345user useradmin (none)root pass
admin admin1234root 1111admin smcadminadmin 1111root 666666root passwordroot 1234root klv123Administrator adminservice servicesupervisor supervisorguest guestguest 12345guest 12345admin1 passwordAdministrator 1234666666 666666888888 888888
ubnt ubntroot klv1234root Zte521root hi3518root jvbzdroot ankoroot zlxx.root 7ujMko0vizxvroot 7ujMko0adminroot systemroot ikwbroot dreamboxroot userroot realtekroot 00000000admin 1111111admin 1234admin 12345
8
@PhilippeDeRyck
THE SIN IOTSTANDS FOR SECURITY
https://twitter.com/MalwareTechBlog/status/
9
@PhilippeDeRyck
http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
TRADITIONAL SERVER-SIDE SECURITY PROBLEMS REMAIN …
10
@PhilippeDeRyck
http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
TRADITIONAL SERVER-SIDE SECURITY PROBLEMS REMAIN …
11
@PhilippeDeRyck
DATA BREACHES HAVE BECOME EXTREMELY COMMON
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
12
@PhilippeDeRyck
ACCOUNT COMPROMISE THROUGH PASSWORD REUSE
java -jar shard-1.5.jar -u [email protected] -p test123410:16:18.713 [+] Selected single-user single-password mode10:16:18.715 [+] Running 12 modules10:16:31.103 [+] [email protected]:test1234 - BitBucket
http://arstechnica.com/security/2016/07/password-reuse-tool-makes-it-easy-to-id-vulnerable-accounts-on-other-sites/
13
@PhilippeDeRyck
NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG
14
@PhilippeDeRyck
NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG
http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/
15
@PhilippeDeRyck
NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG
16
@PhilippeDeRyck
NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG
http://arstechnica.com/security/2016/11/adultfriendfinder-hacked-exposes-400-million-hookup-users/
17
@PhilippeDeRyck
MEET SAGITTA BRUTALIS GTX1080
MD5 200000millionhashes/second
SHA1 68771millionhashes/second
SHA256 23012millionhashes/second
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
18
@PhilippeDeRyck
IMAGINE WHAT SECURITY IS LIKE IN THE CLIENT-CENTRIC WEB
19
@PhilippeDeRyck
HIJACKING VNCSERVERS WITH WEBSOCKETS
https://bugs.launchpad.net/nova/+bug/1409142
20
@PhilippeDeRyck
TOTALLY OWNING A BROWSER WITH XSS
http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/
21
@PhilippeDeRyck
READING EMAILS USING XSSVULNERABILITIES
http://www.zdnet.com/article/yahoo-fixes-flaw-letting-attacker-read-victims-emails/
22
@PhilippeDeRyck
EXTRACTING MALWARE FROM IMAGES USING JS
http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
23
@PhilippeDeRyck
WTF?
@PhilippeDeRyck
HOW DO YOU KNOW IF YOU’RE COMPROMISED?
https://haveibeenpwned.com/
25
@PhilippeDeRyck
HOW DO YOU KNOW IF YOU’RE COMPROMISED?
https://haveibeenpwned.com/
26
@PhilippeDeRyck
GETTING CREDENTIAL STORAGE RIGHT
§Oldcommonpracticesnolongersuffice− Itusedtoberecommendedtouseasaltandahashingalgorithm−Buthashingalgorithmsaredesignedtobefast
§Modernapproachesusepassword-basedkeyderivationfunctions− Theiroriginalgoalistocreateakeyfromapasswordforcryptographicuse− Thesefunctionsareslowandresource-hungry,andwellsuitedforcredentialstorage− Examplesarebcrypt,scrypt andPBKDF2
8xNVIDIAGTX1080 200000millionMD5/second 68771millionSHA1/second 100thousandBCRYPT/second
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
Password
Test1234
Salt
s1L1GQbpvlksIfFOVmVQwu
SHA1
946e48b8c174c730e5111c9e7b5f4261b8f81b9a
27
@PhilippeDeRyck
STORING CREDENTIALS IN NODEJS WITH BCRYPTvar pass = "Supahs3cr3t";
var bcrypt = require('bcrypt');bcrypt.genSalt(10, function(err, salt) {
bcrypt.hash(pass, salt, function(err, hash) {// Store hash in your password DB.
});});
// Load hash from DBbcrypt.compare('nots3cr3t', hash, function(err, res) {
// res == false});
$2a$10$s1L1GQbpvlksIfFOVmVQwuHyDxAwBk6DFYzTpJpYd4HytXKL3WA/2
Algorithm 28
@PhilippeDeRyck
STORING CREDENTIALS IN NODEJS WITH BCRYPTvar pass = "Supahs3cr3t";
var bcrypt = require('bcrypt');bcrypt.genSalt(10, function(err, salt) {
bcrypt.hash(pass, salt, function(err, hash) {// Store hash in your password DB.
});});
// Load hash from DBbcrypt.compare('nots3cr3t', hash, function(err, res) {
// res == false});
$2a$10$s1L1GQbpvlksIfFOVmVQwuHyDxAwBk6DFYzTpJpYd4HytXKL3WA/2
Costparameter 29
@PhilippeDeRyck
STORING CREDENTIALS IN NODEJS WITH BCRYPTvar pass = "Supahs3cr3t";
var bcrypt = require('bcrypt');bcrypt.genSalt(10, function(err, salt) {
bcrypt.hash(pass, salt, function(err, hash) {// Store hash in your password DB.
});});
// Load hash from DBbcrypt.compare('nots3cr3t', hash, function(err, res) {
// res == false});
$2a$10$s1L1GQbpvlksIfFOVmVQwuHyDxAwBk6DFYzTpJpYd4HytXKL3WA/2
Salt 30
@PhilippeDeRyck
STORING CREDENTIALS IN NODEJS WITH BCRYPTvar pass = "Supahs3cr3t";
var bcrypt = require('bcrypt');bcrypt.genSalt(10, function(err, salt) {
bcrypt.hash(pass, salt, function(err, hash) {// Store hash in your password DB.
});});
// Load hash from DBbcrypt.compare('nots3cr3t', hash, function(err, res) {
// res == false});
$2a$10$s1L1GQbpvlksIfFOVmVQwuHyDxAwBk6DFYzTpJpYd4HytXKL3WA/2
Hash 31
@PhilippeDeRyck
PASSWORD MANAGERS ARE GAME CHANGERS
§ Passwordmanagersaddressthemostimportantproblemswithpasswords− Theyallowyoutogeneratelongandrandompasswords−Auniquepasswordforeveryapplicationavoidspasswordre-use−Autofillfeatureshelpprotectagainstphishing
32
@PhilippeDeRyck
ALOOK UNDER THE HOOD OF A PASSWORD MANAGER
secret123pazzwordGuessmeJ
Generatekeyfrommasterpassword
Providemasterpassword
Decryptdatabaseondevice
ThereCanBeOnlyOne
Syncencryptedfile
33
@PhilippeDeRyck
BUT MULTI-FACTOR AUTHENTICATION IS EVEN BETTER
https://www.yubico.com/products/yubikey-hardware/
34
@PhilippeDeRyck
FORTUNATELY,BROWSERS ARE TAKING SECURITY SERIOUSLY
§ SinceHTML5,newfeaturesaredesignedwithsecurityinmind−Newfeaturesshouldnotcreatevulnerabilitiesforlegacyapplications− Securitytakesprecedenceoverfunctionality,tobuildtowardsasecureweb
§ Browserstrytomakeasecuritystance−Bystartingtorejectorblockinsecurebehavior− Thisisaslowprocess,withlargegraceperiodstoavoidtoomuchbreakage
§ SincetheSnowdenrevelations,companiesarepushingforsecurityaswell−Manyinitiativesbackedbylargetechnologycompanies− Tryingtoconvinceuserstotakesecurityseriouslyaswell
35
@PhilippeDeRyck
AND IT’S WORKING …
36
https://nakedsecurity.sophos.com/2016/10/18/halfway-there-firefox-users-now-visit-over-50-of-pages-via-https/
@PhilippeDeRyck
WE HAVE BETTER SECURITY TOOLS THAN EVER
§Newtechnologiesgiveusmoredefensivecapabilities−WecanfinallygetridofXSSonceandforall−Wecandefendagainstattackswhichusedtobeimpossible
§Mainlyavailableasserver-drivenbrowser-enforcedpolicies− Specifiedbytheserver,customizedtotheapplicationathand−Deliveredtothebrowser,typicallyinanHTTPheader− Enforcedbythebrowser,ontheclient-sidecontext
§ Backwardscompatiblewitholderbrowsers−Unknownheadersaresimplyignored
37
@PhilippeDeRyck
SERVER-DRIVEN BROWSER-ENFORCED SECURITY POLICIES
§ Firstexamplearecookiesecurityflags− Setbytheserver,enforcedbythebrowser
§Numerousofthesepolicieshavebeenaddedtothebrowserrecently−HTTPStrictTransportSecurity−HTTPPublicKeyPinning−X-XSS-Protection−ContentSecurityPolicy− SubresourceIntegrity−Cross-OriginResourceSharing
38
@PhilippeDeRyck
GETTING WEB SECURITY RIGHT
§ Thedeveloper’ssecuritytoolboxisbetterthanever−Browsersaretakingsecurityseriously,andsoshouldyou…−Mostattackscanbecounteredwithcurrentlyavailabletechnologies
§ Buildingsecurewebapplicationsrequiresknowledge−Knowledgeaboutcommonthreatsagainstwebapplications−Knowledgeaboutcountermeasures,howtheyworkandhowtousethem
§ ItistimetotakeWebSecurityseriously−Protectyourapplicationsusingthelatesttechnologies− Setanexampleonhowtodoitright− Shareyourexperiences,helpothersadvanceaswell
39
@PhilippeDeRyck
BREAK
@PhilippeDeRyck
SECURING THE COMMUNICATION CHANNEL
@PhilippeDeRyck
3VARYING LEVELS OF HTTPS
(a)Visitwebsite,browsepublicpages
Loginwithusernameandpassword
Consultprivateinformation
Visitwebsite,browsepublicpages
Loginwithusernameandpassword
Consultprivateinformation
Visitwebsite,browsepublicpages
Loginwithusernameandpassword
Consultprivateinformation
(b)
(c)
42
@PhilippeDeRyck
WE HEAVILY DEPEND ON (INSECURE)WIFI
https://www.flickr.com/photos/djimison/222214205/ 43
@PhilippeDeRyck
AND THIS HAPPENS TO THE BEST OF US
http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/ 44
@PhilippeDeRyck
EAVESDROPPING IS CHILD’S PLAY
45
http://codebutler.com/firesheep/
@PhilippeDeRyck
THE COMMUNICATION CHANNEL IS INSECURE
§ ButweuseHTTPSforsensitivedata− Sufficienttocounterpassiveeavesdroppingattacks−Butwhataboutactivenetworkattacks?
46
ManintheMiddle ManontheSide
@PhilippeDeRyck
3VARYING LEVELS OF HTTPS
(a)Visitwebsite,browsepublicpages
Loginwithusernameandpassword
Consultprivateinformation
Visitwebsite,browsepublicpages
Loginwithusernameandpassword
Consultprivateinformation
Visitwebsite,browsepublicpages
Loginwithusernameandpassword
Consultprivateinformation
(b)
(c)
47
@PhilippeDeRyck
PREVENTING THE TRANSITION FROM HTTPTO HTTPS
48
@PhilippeDeRyck
PREVENTING THE TRANSITION FROM HTTPTO HTTPS
some-shop.com
Visithttp://some-shop.com
Welcome,pleaselogin
LoginasPhilippe
WelcomePhilippe
Visithttp://some-shop.com
LoginasPhilippe
WelcomePhilippe
RewriteHTTPStoHTTP
49
@PhilippeDeRyck
TIME TO MOVE TOWARDS HTTPS
some-shop.com
Visithttp://some-shop.com
Welcome,pleaselogin
LoginasPhilippe
WelcomePhilippe
Visithttps://some-shop.com
LoginasPhilippe
WelcomePhilippe
50
@PhilippeDeRyck
HTTPWEAKENS HTTPSSITES
https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
51
@PhilippeDeRyck
SNEAKY SSLSTRIPPING ATTACKS PREVENT THE USE OF HTTPS
52
@PhilippeDeRyck
SNEAKY SSLSTRIPPING ATTACKS PREVENT THE USE OF HTTPS
GET http://www.websec.be
200 OK<html>…</html>
www.websec.be
GET http://…
301 Moved …
GET https://…
200 OKRewriteHTTPSURLStoHTTP
POST http://www.websec.be
200 OK<html>…</html>
POST https://…
200 OKRewriteHTTPSURLStoHTTP
53
@PhilippeDeRyck
§ StrictTransportSecurityconvertsallHTTPrequeststoHTTPS
§ModernbrowserssupportHTTPStrictTransportSecurity(HSTS)−HTTPresponseheadertoenableStrictTransportSecurity−Whenenabled,thebrowserwillnotsendanHTTPrequestanymore
STRICT TRANSPORT SECURITY AGAINST SSLSTRIPPING
GET https://www.websec.be
200 OK<html>…</html>
www.websec.be
4 4 7 11Fromversion… 4.4.4 7.1
54
@PhilippeDeRyck
HSTSCAN BE ENABLED WITH A SIMPLE ONE-LINER
§ ThepolicyiscontrolledbytheStrict-Transport-Security header− max-age specifieshowlongthepolicyshouldbeenforcedinseconds−Makesurethisislongenoughtocovertwosubsequentvisits− Ifnecessary,thepolicycanbedisabledbysettingmax-age to0
§ Thepolicycanbeextendedtoautomaticallyincludesubdomains− ThisbehavioriscontrolledbytheincludeSubDomains flag−Beforeenablingthis,carefullyanalyzetheservicesyouarerunningonyourdomain
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
55
@PhilippeDeRyck
HSTSIN ACTION
GET https://websec.be
200 OKStrict-Transport-Security: max-age=31536000; includeSubDomains
GET https://www.websec.be
200 OKStrict-Transport-Security: max-age=31536000; includeSubDomains
websec.be
GET https://www.websec.be
200 OKStrict-Transport-Security: max-age=31536000; includeSubDomains
www.websec.be
56
@PhilippeDeRyck
POLICY DETAILS OF HSTS
§HSTSdoesnotcareaboutTCPports−Policymatchesaredeterminedbasedonthehostnameonly−Port80istranslatedtoport443,butotherportsarepreserved
§HSTSpoliciescanonlybesetoverasecureconnection− Thecertificateusedmustbevalid−HSTSpoliciessetoninsecureconnectionsareignored
§ DisablingHSTSmustbedonebyexplicitlysettingmax-age to0−OmittingaHSTSheaderfromaHSTS-enabledhostdoesnothing
57
@PhilippeDeRyck
ENABLING HSTSIN PRACTICE
§ Thestep-by-stepguidetowardsenablingHSTS− SetupHTTPScorrectly− SendtheStrict-Transport-Security headerwithashortmax-age− Testyourconfiguration− Increasemax-ageaftersuccessfultesting
§ Chrome’snet-internals allowinspection− dynamic_sts istheHSTSmechanism
58
@PhilippeDeRyck
FUN FACT:CHROME HANDLES HSTSAS A REDIRECT
59
@PhilippeDeRyck
TIME TO GET ON THE HSTSTRAIN
https://trends.builtwith.com/docinfo/HSTS
60
@PhilippeDeRyck
BUT HOW DO YOU MAKE THE FIRST CONNECTION OVER HTTPS?
GET https://websec.be
200 OKStrict-Transport-Security: max-age=31536000; includeSubDomains
GET https://www.websec.be
200 OKStrict-Transport-Security: max-age=31536000; includeSubDomains
websec.be
GET https://www.websec.be
200 OKStrict-Transport-Security: max-age=31536000; includeSubDomains
www.websec.be
61
@PhilippeDeRyck
HSTS==TOFU
http://www.bbcgoodfood.com/howto/guide/ingredient-focus-tofu 62
@PhilippeDeRyck
PRELOADING HSTSINTO THE BROWSER
https://hstspreload.appspot.com/?
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
63
@PhilippeDeRyck
PRELOADING IS ON THE RISE
https://trends.builtwith.com/docinfo/HSTS
64
@PhilippeDeRyck
AWESOME SERVICES HELP IMPROVE HTTPSDEPLOYMENTS
https://letsencrypt.org/https://www.ssllabs.com/ssltest/https://observatory.mozilla.org/
65
@PhilippeDeRyck
COMMON MISCONCEPTIONS ABOUT HTTPS
http://www.httpvshttps.com/
HTTPSisbadforperformance
66
@PhilippeDeRyck
COMMON MISCONCEPTIONS ABOUT HTTPS
https://letsencrypt.org/
HTTPSiscomplexandexpensive
67
@PhilippeDeRyck
COMMON MISCONCEPTIONS ABOUT HTTPS
http://www.consumerreports.org/cro/news/2014/04/windows-xp-is-a-bigger-hacker-threat-than-heartbleed/index.htm
YoucanonlyrunoneHTTPSsiteperIPaddress
68
@PhilippeDeRyck
ALL INTERACTIONS SHOULD HAPPEN OVER HTTPS
§ ThereisabigpushforHTTPSontheWeb−GoogleusesHTTPSasarankingsignal−Activemixedcontentisblockedinmoderndesktopbrowsers− TheSecureContextsspecificationlimitsuseofsensitivefeatures
§ ThereisplentyofsupportforeasilyenablingHTTPS−RateyourdeploymentwiththeSSLServerTest−Getfree,automatedcertificatesfromLet’sEncrypt
§ ImproveyourHTTPSdeployment− EnableHTTPStrictTransportSecurity
69
https://www.ssllabs.com/ssltest/https://letsencrypt.org/
@PhilippeDeRyck
KNOWLEDGE IS THE KEY TO BUILDING SECURE APPLICATIONS
§ TheuseofHTTPSandHSTSisonlythetipoftheiceberg−Numerousnewsecuritypolicieshavebeenaddedinthelast5years
§ Thesenewtechnologiesrequireexplicitknowledgeandaction−Developersneedtoknowwhyandhowtousethem
§WeofferspecializedtrainingcoveringtheWebsecuritylandscape−Hostedtrainingcoursesandcustomizablein-housetrainings−Broadspectrumoftopics,suchasHTTPS,authentication,authorization,XSS−VariousWebtechnologies,includingmodernMVCframeworks(AngularJS,…)− Effectivecombinationoflecturesandhands-onsessions
70
@PhilippeDeRyck
NOW IT’S UP TO YOU …
Secure ShareFollow
https://www.websec.be [email protected] /in/philippederyck