![XML External Entity (XXE) Injection
This attack may lead to the disclosure of confidential data, denial of
service, server side request forgery, port scanning from the perspective of
the machine where the parser is located, and other system impacts.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM
"file:///etc/passwd" >]>
<foo>&xxe;</foo>
http://cwe.mitre.org/data/definitions/611.html](https://image.slidesharecdn.com/cm5securecodetraining1daysystemconfiguration-180716092224/85/Cm5-secure-code_training_1day_system-configuration-14-320.jpg)
![Apache hardening
• X-XSS Protection
Header set X-XSS-Protection “1; mode=block”
• Disable HTTP 1.0 Protocol
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$ RewriteRule .* - [F]
• Disable SSL v2 & v3
SSLProtocol –ALL +TLSv1 +TLSv1.1 +TLSv1.2
• Disable Loading unwanted modules
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#Include conf/extra/httpd-dav.conf
#LoadModule info_module modules/mod_info.so](https://image.slidesharecdn.com/cm5securecodetraining1daysystemconfiguration-180716092224/85/Cm5-secure-code_training_1day_system-configuration-20-320.jpg)
Cm5 secure code_training_1day_system configuration
- 1. SECURE CODE TRAINING System configuration DAVID CERVIGNI IT SECURITY CONSULTANT AND PCI CODE REVIEWER
- 2. Top 10 2013-A5-Security Misconfiguration https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
- 3. Configuration Best Practices • Turn off all unnecessary features by default. • Ensure that all switches and configuration for every feature is configured initially to be the safest possible choice. • Inspect the design to see if the less safe choices could be designed in another way. For example: change password journey. • Do not configure anything in preparation for an optionally deployable feature.
- 4. Prevent Security Misconfiguration The primary recommendations are to establish all of the following: • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. • Development, QA, and production environments should all be configured identically (different credentials). • A process for keeping software updated (dependencies, libs, pom.xml). • Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches. • Follows a specific hardening guide/checklist for every component in you stack.
- 5. Vulnerabilities in components Targeted at both the development community and the community of security practitioners, Common Weakness Enumeration (CWE™) is a formal list or dictionary of common software weaknesses that can occur in software's architecture, design, code or implementation that can lead to exploitable security vulnerabilities. CWE was created to serve as a common language for describing software security weaknesses; serve as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts.
- 6. Common Weakness Scoring System (CWSS™) CWSS provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry. SANS TOP25
- 7. CWEs & CVEs Try it: https://cve.mitre.org/cgi- bin/cvekey.cgi?keyword=2017+java
- 8. Common Vulnerability Scoring System (CVSS) The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. https://www.first.org/cvss/calculator/3.0 https://www.cvedetails.com/
- 9. OWASP Dependency Check • Project stated December 2011 (first published in 2012) • Performs Software Composition Analysis • Reports known vulnerabilities • Easy solution to the OWASP 2013 Top 10 A9 Using components with known vulnerabilities Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. This tool can be part of the solution to the OWASP Top 10 2013: A9 - Using Components with Known Vulnerabilities. This plug-in can independently execute a Dependency- Check analysis and visualize results. Dependency-Check is able to identify Java and Python components, Node.js and Ruby Gem packages, and .NET assemblies.
- 10. Dependency-Check Jenkins Plugin Types (by CVE)
- 11. Dependency-Check Jenkins Plugin Categories (by CWE)
- 13. XML Parsers configuration 1. XML External Entity (XXE) Injection 2. XML Entity Expansion (Billion laughs)
- 14. XML External Entity (XXE) Injection This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo> http://cwe.mitre.org/data/definitions/611.html
- 15. XML Entity Expansion (Billion laughs) The XML Entity expansion attack, exploits a capability in XML DTDs that allows the creation of custom macros, called entities, that can be used throughout a document. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve the entities by forcing them to iterate almost indefinitely on these recursive definitions. Malicious DoS
- 16. XML Parser Configuration PHP Xerces2 Sax Secure processing using StAX supports similar SupportDTD property that can be used to disable DTD processing. This is done by using the setProperty method on XMLInputFactory: XMLInputFactory xif = XMLInputFactory.newInstance(); xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE); SAXParserFactory spf = SAXParserFactory.newInstance(); spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,false);
- 17. Apache hardening • Remove Server Version Banner ServerTokens Prod ServerSignature Off • Protect binary and configuration directory permission # chmod –R 750 bin conf • Timeout value configuration (default 300) Timeout 60
- 18. Apache hardening • Disable directory browser listing <Directory /opt/apache/htdocs> Options –Indexes • Disable Etag heather FileETag None • Protect binary and configuration directory permission # chmod –R 750 bin conf
- 19. Apache hardening • HTTP Request Methods <LimitExcept GET POST HEAD> deny from all </LimitExcept> • Set cookie with HttpOnly and Secure flag Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure • Clickjacking Attack Header always append X-Frame-Options SAMEORIGIN
- 20. Apache hardening • X-XSS Protection Header set X-XSS-Protection “1; mode=block” • Disable HTTP 1.0 Protocol RewriteEngine On RewriteCond %{THE_REQUEST} !HTTP/1.1$ RewriteRule .* - [F] • Disable SSL v2 & v3 SSLProtocol –ALL +TLSv1 +TLSv1.1 +TLSv1.2 • Disable Loading unwanted modules #LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_module modules/mod_dav_fs.so #Include conf/extra/httpd-dav.conf #LoadModule info_module modules/mod_info.so
- 21. Also keep in mind… • DNS subdomains • Admin consoles • Internal threats • Environment isolation (dev to prod) • Remote debugging • Other, suggestions?
- 22. SECURE CODE TRAINING INTENSIVE COURSE DAVID CERVIGNI IT SECURITY CONSULTANT AND PCI CODE REVIEWER References: https://www.owasp.org/index.php/Configuration https://www.owasp.org/index.php/Secure_Configuration_G uide