
Post on 26-Jul-2020


Injecting Security Controls in Software Applications

Katy Anton (@KatyAnton)

March 14, 2019

About me

• Software development background

• Principal Application Security Consultant - Veracode

• OWASP Bristol Chapter Leader

• Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

Injection

CWEs in Injection Category

CWE-93: CRLF Injection

CWE-74: Injection

CWE-943: Improper Neutr. of Special El. in Query

CWE-94: Code Injection

CWE-91: XML Injection

CWE-78: XSS

CWE-77: Command Injection

CWE-89: SQL Injection

CWE-90: LDAP Injection

CWE-78: OS Cmd Inj

CWE-78: Argument Inj

Source: NVD

Decompose the Injection

Input: GET / POST data, file uploads, HTTP headers, database data, config files

Output: SQL, HTML, XML, Bash script, LDAP query

Parser: SQL parser, HTML parser, XML parser, shell, LDAP parser

Input -> Output -> Parser

Data interpreted as Code

Extract Security Controls

Input -> Output -> Parser

Vulnerability                   | Encode Output | Parameterize | Validate Input
--------------------------------|---------------|--------------|---------------
SQL Injection                   |               | R            | R
XSS                             | R             |              | R
XML Injection (XPath Injection) |               | R            | R
OS Cmd Injection                | R             | R            | R
LDAP Injection                  | R             |              | R

R marks an applicable control; the slide distinguishes Primary Controls from Defence in depth by colour.

Sensitive Data Exposure

Data at Rest and in Transit

Vulnerabilities

Data Types                                                          | Encryption | Hashing
--------------------------------------------------------------------|------------|--------
Data at Rest: requires the initial value, e.g. credit card          | R          |
Data at Rest: doesn't require the initial value, e.g. user passwords |            | R
Data in Transit                                                     | R          |

How Not to Do it!

Data at Rest: Vulnerabilities

encryption_key = PBKDF2(password, salt, iterations, key_length);

In the same folder - 2 files:

The content of password.txt:

Security Controls: Encryption

Cryptographic Storage

Strong Encryption Algorithm:

• AES

Key Management

• Store unencrypted keys away from the encrypted data.

• Protect keys in a Key Vault (HashiCorp Vault / Amazon KMS).

• Keep away from homegrown key management solutions.

• Define a key lifecycle.

• Build support for changing algorithms and keys when needed.

• Document procedures for managing keys through the lifecycle.

Source: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

Security Controls: Password Storage

Use a Strong Algorithm:

• PBKDF2

• bcrypt

• scrypt

• Argon2i

• Java

• PHP - password_hash() supports Argon2i from version 7.2

Source: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Security Controls: Data in Transit

TLS Everywhere!

• Client -> Application server

• Server -> Non-browser components

Intrusion Detection

"If a pentester is able to get into a system without being detected, then there is insufficient logging and monitoring in place."

Security Controls

Security Logging: the security control that developers can use to log security information during the runtime operation of an application.

The 6 Best Detection Point Types

Good attack identifiers:

1. Authorisation failures

2. Authentication failures

3. Client-side input validation bypass

4. Whitelist input validation failures

5. Obvious code injection attack

6. High rate of function use

Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints

Intrusion Detection Points Examples

Request Exceptions

• Application receives GET when expecting POST

• Additional form or URL parameters submitted with request

Authentication Exceptions

• The user submits a POST request which only contains the username variable. The password variable has been removed.

• Additional variables received during an authentication request (like 'admin=true')

Input Exceptions

• Input validation failure on server despite client-side validation

• Input validation failure on server side on non-user-editable parameters (hidden fields, checkboxes, radio buttons, etc.)

Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints
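The detection points above are cheap to implement once the application knows what each endpoint expects. This added example (not from the talk or the AppSensor project) evaluates the request, authentication and input exceptions listed above against a per-endpoint specification; the `/login` and `/checkout` endpoints, their parameters and the event names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)


# Constructed per-endpoint expectations for a hypothetical app: the method the
# form uses, the parameters it sends, server-side validators that mirror the
# client-side checks, and the only values allowed for fields the user never
# edits (hidden fields, checkboxes, radio buttons).
ENDPOINTS = {
    "/login": {"method": "POST", "allowed": {"username", "password"}, "auth": True,
               "validators": {}, "fixed": {}},
    "/checkout": {"method": "POST", "allowed": {"qty", "currency", "csrf"}, "auth": False,
                  "validators": {"qty": lambda v: v.isdigit() and 1 <= int(v) <= 99},
                  "fixed": {"currency": {"GBP", "EUR"}}},
}


def detect(req: Request) -> list:
    """Names of the detection points one request trips; an empty list means clean."""
    spec = ENDPOINTS.get(req.path)
    if spec is None:
        return []
    events = []
    # Request exceptions
    if req.method != spec["method"]:
        events.append("request:unexpected-method")      # e.g. GET when expecting POST
    extra = set(req.params) - spec["allowed"]
    if extra and not spec["auth"]:
        events.append("request:additional-parameters")
    # Authentication exceptions
    if spec["auth"]:
        if "username" in req.params and "password" not in req.params:
            events.append("auth:missing-password-variable")
        if extra:                                        # e.g. 'admin=true' on login
            events.append("auth:additional-variables")
    # Input exceptions
    for name, ok in spec["validators"].items():
        if name in req.params and not ok(req.params[name]):
            events.append("input:server-validation-failure")   # client check bypassed
    for name, allowed in spec["fixed"].items():
        if name in req.params and req.params[name] not in allowed:
            events.append("input:non-editable-field-tampered")
    return events
```

Each returned event is what the talk's "Log Exceptions" control would write to the security log; the high rate of function use identifier is a count over many such requests and is not shown here.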

Vulnerable Components

Using Software Components with Known Vulnerabilities

Root Cause

• Difficult to understand

• Easy to break

• Difficult to test

• Difficult to upgrade

• Increase technical debt

Components Examples

Example of external components:

• Open source libraries - for example: a logging library

• APIs - for example: vendor APIs

• Libraries / packages by another team within the same company

Example 1: Implement Logging Library

• Third-party - provides logging levels: FATAL, ERROR, WARN, INFO, DEBUG.

• We need only: DEBUG, WARN, INFO.

Simple Wrapper

Helps to:

• Expose only the functionality required.

• Hide unwanted behaviour.

• Reduce the attack surface area.

• Update or replace libraries.

• Reduce the technical debt.

Example 2: Implement a payment gateway

Scenario:

• Vendor APIs - like payment gateways

• Can have more than one payment gateway in an application

• Require to be inter-changed

Adapter Design Pattern

• Converts from the provided interface to the required interface.

• A single Adapter interface can work with many Adaptees.

• Easy to maintain.

Your Code -> Adapter -> Third-party code

Example 3: Implement a Single Sign-On

• Libraries / packages created by another team in the company

• Re-used by multiple applications

• Common practice in large companies

Façade Design Pattern

• Simplifies the interaction with a complex sub-system.

• Makes it easier to use a poorly designed API.

• It can hide away the details from the client.

• Reduces dependencies on the outside code.

Secure Software Starts from Design!

Wrapper - To expose only required functionality and hide unwanted behaviour.

Façade Pattern - To simplify the interaction with a complex sub-system.

Adapter Pattern - To convert from the required interface to the provided interface.
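Example 1 (the logging wrapper) and Example 2 (the payment gateway adapter) above in working form, as an added example that is not code from the talk: the wrapper exposes only DEBUG, WARN and INFO of a library that offers more, and one `PaymentGateway` interface sits in front of two interchangeable vendor clients. The stdlib `logging` module stands in for the third-party logger, and `VendorAClient` / `VendorBClient` are constructed stand-ins for vendor SDKs.

```python
import logging
from abc import ABC, abstractmethod

# Example 1: wrapper. The library (stdlib logging here) offers FATAL/ERROR/WARN/
# INFO/DEBUG; only DEBUG, WARN and INFO are reachable from application code.
class AppLogger:
    def __init__(self, name: str):
        self._log = logging.getLogger(name)      # library object stays private
    def debug(self, msg: str) -> None:
        self._log.debug(msg)
    def info(self, msg: str) -> None:
        self._log.info(msg)
    def warn(self, msg: str) -> None:
        self._log.warning(msg)

def exposed_methods(obj) -> set:
    # The public surface callers can actually reach through the wrapper.
    return {m for m in dir(obj) if not m.startswith("_") and callable(getattr(obj, m))}

# Example 2: adapter. Our code depends on PaymentGateway only; each vendor's
# differently shaped SDK is converted to it by one small adapter class.
class PaymentGateway(ABC):                       # the interface our code requires
    @abstractmethod
    def charge(self, amount_pence: int, currency: str, token: str) -> str: ...

class VendorAClient:                             # constructed: takes a decimal string
    def pay(self, amount: str, cur: str, card_token: str) -> dict:
        return {"status": "ok", "ref": f"A-{cur}-{amount}-{card_token[-4:]}"}

class VendorBClient:                             # constructed: takes minor units
    def create_charge(self, minor_units: int, iso_currency: str, source: str) -> str:
        return f"B:{iso_currency}:{minor_units}:{source[-4:]}"

class VendorAAdapter(PaymentGateway):
    def __init__(self, client: VendorAClient):
        self._c = client
    def charge(self, amount_pence, currency, token):
        res = self._c.pay(f"{amount_pence / 100:.2f}", currency, token)
        if res["status"] != "ok":
            raise RuntimeError("payment declined")
        return res["ref"]

class VendorBAdapter(PaymentGateway):
    def __init__(self, client: VendorBClient):
        self._c = client
    def charge(self, amount_pence, currency, token):
        return self._c.create_charge(amount_pence, currency, token)

def checkout(gateway: PaymentGateway, amount_pence: int, token: str) -> str:
    # Application code: swapping vendors means swapping the adapter, nothing else.
    return gateway.charge(amount_pence, "GBP", token)
```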

How often?

Rick Rescorla

• United States Army officer of British origin

• Born in Hayle, Cornwall

• Director of Security for Morgan Stanley in WTC

Security Controls Recap

(Diagram) Layers: Operating System, Application Server, Software Application. Controls placed on the application and its connections: Param Data / Param Queries, Key Management, Secure Data, Encode Output, Validate Input, Log Exceptions, TLS on each connection. Further labels: Mod (repeated), Encaps, Library.

Final Takeaways

• Focus on Security Controls which prevent CWEs

• Verify Regularly

Thank you very much

@KatyAnton