[OWASP Poland Day] Application security - daily questions & answers
Download as PPTX, PDF0 likes385 views
This document discusses various application security topics such as downloading files securely, handling secrets and temporary tokens, implementing third-party sites securely, privacy risks of third-party monitoring and analytics on sensitive pages, push notifications versus SMS, securely using FFmpeg and ImageMagick, serving user content securely, implementing cryptography securely, and applying rate limits. It provides advice on how to address each topic securely, such as only allowing certain schemes, ports and domains for file downloads, short expiration times for temporary tokens, sandboxing or isolating third-party components, and not implementing one's own crypto.
![Jira task:
Allow users to download files by a link
Developer:
<?php
file_get_contents($_POST['url']);
?>
Hacker:
url = file:///etc/passwd
url = http://10.0.0.2
Download file by a link and SSRF](https://image.slidesharecdn.com/owasp-applicationsecurity-171003211500/85/OWASP-Poland-Day-Application-security-daily-questions-answers-5-320.jpg)
[OWASP Poland Day] Application security - daily questions & answers
- 1. Application Security Daily questions & answers Sergey Belov Head of Application Security Mail.Ru Group
- 2. $ whoami ● Head of Application Security @ Mail.Ru Group ● Fan of web security ● https://sergeybelove.ru
- 3. Agenda ➔ Download file by a link ➔ Secret keys ➔ Temporary tokens ➔ 3rd party websites on the main domain ➔ 3rd party monitorings and sensitive data ➔ Push notifications vs SMS ➔ FFmpeg / ImageMagick ➔ Serving user content ➔ Crypto
- 4. Download file by a link
- 5. Jira task: Allow users to download files by a link Developer: <?php file_get_contents($_POST['url']); ?> Hacker: url = file:///etc/passwd url = http://10.0.0.2 Download file by a link and SSRF
- 6. What we should to check? 1. Scheme - http/https 2. destination_ip - not in local network / not in trusted zone 3. Check URL after redirections 4. destination_port (allows 80/443) 5. Race Condition - Resolving (IP is external - OK) - Trying to download file - new DNS resolve (!) - In step above attacker can respond with internal IP Solution: do only one resolve and pass this IP to http lib 1. Vulnerabilities of HTTP libraries (such as cURL) 2. IPv6 3. … 4. Create server in external network with API for such tasks 5. 2 network links - 1st for external and file downloading / 2nd for administration 6. You can be inspired by - https://github.com/fin1te/safecurl Download file by a link and SSRF
- 7. Secrets keys
- 8. Secret keys ● Keys for signing stateless things (sessions) ● Secret for crypto functions, anti-CSRF / password reset tokens etc ● Credentials for connecting to external API/Databases ● login:password for trackers / analytics ● Initialization vectors ● ... One main rule - do not hardcode them! Move them to config files / deploy via Puppet Hiera-Eyaml
- 10. Temporary tokens Examples ● Password remind ● Leave feedback ● Confirm action ● ... Threats ● access_log and incorrect ACL (developers can read it?) ● Email forwarding ● Browser history
- 11. These tokens: ● Should not start “real” session (like after login) ● Their lifetime is minimal and usually depends on business purposes (from minutes to months) ● Bind to the parameters for this action (order id, user, action) Temporary tokens
- 12. 3rd party websites on the main domain
- 13. 3rd party websites on the main domain Business want: ● Promo sites ● Sites with vacancies, blogs ● Sites from outsources ● Support / ticket systems ● Custom projects ● etc Could be opened at: http://example.com/projectname
- 14. What people do? ● Hosting on the same server ● proxy_pass + nginx How to implement it secure? ● Same top header for all pages and <iframe sandbox … > without allow-top-navigation + CSP ● Share user’s data with postMessage 3rd party websites on the main domain
- 15. 3rd party monitorings and sensitive data
- 16. Pages: - Password change - Credit card linking - Account recovery - 2 step auth handling - And other important pages Should not (not recommended) contain external trackers / analytics / any other statics (pictures, styles, etc.) from domains that do not belong to the company 3rd party monitorings and sensitive data
- 17. Push notification vs SMS
- 18. Interception of SMS: ● Attacks via SS7 (completely remotely) ● Targeted interception of SMS (you need to be physically near) ● Through IVR Spoofing (the success of an attack depends on the operator) in case the code is delivered instead of SMS by a call ● Malware ● Re-issue of SIM cards ● Work of special services Interception of Push Notifications: ● Vulnerabilities of Google / Apple / Microsoft ● Incorrect push subscription mechanism (backend problems - set the ID of your device and the victim user ID) ● It is possible to intercept through the privileged applications (for example, to transfer the push on the smart watches, to the multimedia system of the cars, etc.) Push notification vs SMS
- 19. How to switch from SMS to push notifications: 1) The first confirmation is via SMS. Here you can get device_id for push notifications 2) In push notifications do not transfer the secret data (the confirmation code) visually, do it in payload. The application itself will pull out and substitute this code for the action. 3) Test security of subscription API Push notification vs SMS
- 21. You are using FFmpeg? ImageMagick? Consider that any user can read any files on the server / execute any OS commands Attacks on video converters: a year later - https://www.phdays.ru/program/213682/ (Emil Lerner and Pavel Cheryomushkin) FFmpeg / ImageMagick
- 22. FFmpeg / ImageMagick In case if need it: - Do sandboxing (docker / SELinux / etc) - Deploy it in an isolated network - Create REST API - Disable everything that you don’t need (like demuxers - HLS)
- 24. Few rules 1) Serve from another domain (* .example-content-from-users.com) 2) Disable interpreters on the backend 3) If the file is private (attachment) - generate a temporary token and is check it when it is opened (for example, through nginx + LUA) Serving user content
- 25. Crypto
- 26. Crypto Do not implement your own cryptography even if it seems right to you
- 27. Do not know what to choose? ● Take your case ● Choose a popular framework / CMS (WP / Django / RoR) ● See how it's done there Crypto
- 28. Rate limits
- 29. Your methods should support: 1) The ability to restrict API calls to methods (by user with time shift) 2) Have the ability to monitor how many times a method is invoked (allows you to detect mass attacks) 3) Implement several rate limit methods: absolute (for example, 5 times a minute), after confirmation (after entering the captcha) Rate limits