SECURITY IN THE AGE OF FRAMEWORKS LUKA KLADARIC // L@K.HR // @KLL - - PowerPoint PPT Presentation

▶

Mar 31, 2023 98 likes •788 views

SECURITY IN THE AGE OF FRAMEWORKS LUKA KLADARIC // L@K.HR // @KLL 1 FSec 2016 2 FSec 2016 ONCE UPON A TIME... 3 FSec 2016 WE WROTE OUR OWN CODE 4 FSec 2016 ALL OF IT. 5 FSec 2016 so we knew what was in it. we knew every

SLIDE 1

SECURITY IN

THE AGE OF FRAMEWORKS

LUKA KLADARIC // L@K.HR // @KLL

1 — FSec 2016

SLIDE 2 2 — FSec 2016

SLIDE 3

ONCE UPON A TIME...

3 — FSec 2016

SLIDE 4

WE WROTE OUR OWN CODE

4 — FSec 2016

SLIDE 5

ALL OF IT.

5 — FSec 2016

SLIDE 6

so we knew what was in it. we knew every little bit.

6 — FSec 2016

SLIDE 7

WHO IS THIS GUY?

7 — FSec 2016

SLIDE 8 Luka Kladaric (1985) started doing web stuff around 1997 javascript before jQuery server-side with ASP/VBScript (~1999) ran away to PHP (~2002) ran away to Python (~2013) ran away to devops 8 — FSec 2016

SLIDE 9

Today we "know better" than to code everything from scratch

9 — FSec 2016

SLIDE 10

So we rely on frameworks

10 — FSec 2016

SLIDE 11

and libraries & a bunch of 3rd party code

11 — FSec 2016

SLIDE 12

we outsource authentication...

12 — FSec 2016

SLIDE 13

logging...

13 — FSec 2016

SLIDE 14

database interaction...

14 — FSec 2016

SLIDE 15

API connectivity...

15 — FSec 2016

SLIDE 16

everything that isn't strictly unique to the problem we're solving

16 — FSec 2016

SLIDE 17

this presents a RTFM problem

17 — FSec 2016

SLIDE 18

How does this problem manifest itself?

18 — FSec 2016

SLIDE 19

Story time! (Demo 1)

19 — FSec 2016

SLIDE 20

Example Co builds their first webapp > an internal dashboard at control.example.com > authentication?

20 — FSec 2016

SLIDE 21 21 — FSec 2016

SLIDE 22 22 — FSec 2016

SLIDE 23 23 — FSec 2016

SLIDE 24

But if the servers only ever see HTTP, how will they know about HTTPS?

24 — FSec 2016

SLIDE 25

Spoiler: they won't (not by default anyway)

25 — FSec 2016

SLIDE 26

What we'd like to see

26 — FSec 2016

SLIDE 27 27 — FSec 2016

SLIDE 28 28 — FSec 2016

SLIDE 29

Fixes: > respect X-Forwarded-Proto header

29 — FSec 2016

SLIDE 30

watch out for various components treating security headers differently

30 — FSec 2016

SLIDE 31

> SSL config change triggers audit

31 — FSec 2016

SLIDE 32

> remove http from oauth whitelist

32 — FSec 2016

SLIDE 33

> HSTS headers1

1 HTTP Strict Transport Security 33 — FSec 2016

SLIDE 34

difficult to catch, browsers don't report this as bad behavior

34 — FSec 2016

SLIDE 35

Story time! (Demo 2)

35 — FSec 2016

SLIDE 36 36 — FSec 2016

SLIDE 37 37 — FSec 2016

SLIDE 38

if you've ever set up oAuth

38 — FSec 2016

SLIDE 39

for multiple apps

39 — FSec 2016

SLIDE 40

against the same provider

40 — FSec 2016

SLIDE 41

... did you bother setting up separate oAuth clients?

41 — FSec 2016

SLIDE 42

yeah.

42 — FSec 2016

SLIDE 43 43 — FSec 2016

SLIDE 44

Story time! (demo 3)

44 — FSec 2016

SLIDE 45 Cookie: session=.eJxljssKgkAYRl8l_rWJl1ScnW kLC8msaBEik046po7YGF7w3Su3bg7f4vBxR M1Zl-C6g3BpcVqS6M1xWQOSN4ZqKrJqatMX y0NLzg.CrvTRg.5bTUddcAEVMFMth_I uPteZT0OjA; HttpOnly; Path=/ 45 — FSec 2016

SLIDE 46

How is cookie signed

46 — FSec 2016

SLIDE 47

Flask

47 — FSec 2016

SLIDE 48

Django

48 — FSec 2016

SLIDE 49 49 — FSec 2016

SLIDE 50 50 — FSec 2016

SLIDE 51

SECRET_KEY being configured badly is next to impossible to catch

51 — FSec 2016

SLIDE 52

All of these combined mean:

52 — FSec 2016

SLIDE 53

spear phishing vector

53 — FSec 2016

SLIDE 54

privilege escalation

54 — FSec 2016

SLIDE 55

forced insecure comms

55 — FSec 2016

SLIDE 56

attacker traffic indistinguishable from regular traffic

56 — FSec 2016

SLIDE 57

the LB here isn't to blame

57 — FSec 2016

SLIDE 58

people have ancient bookmarks pointing to http

58 — FSec 2016

SLIDE 59

ALL THINGS BEING EQUAL BUT RUNNING ON A SINGLE MACHINE THIS WOULD STILL BE A VULNERABLE SETUP

59 — FSec 2016

SLIDE 60

HSTS IS A MUST

60 — FSec 2016

SLIDE 61

Story time! (Demo 4)

61 — FSec 2016

SLIDE 62

CSRF protection disabled

yup. found this one too.

62 — FSec 2016

SLIDE 63

IT COMES WITH THE THING LEAVE CSRF PROTECTION ALONE

63 — FSec 2016

SLIDE 64

TAKEAWAYS

UNDERSTAND THE STUFF YOU USE BETTER.

64 — FSec 2016

SLIDE 65

BE MORE VIGILANT WITH CODE REVIEWS

ON SECURITY-IMPACTING STUFF

65 — FSec 2016

SLIDE 66

BRING IN A FRESH PAIR OF EYES

EVERY ONCE IN A WHILE

66 — FSec 2016

SLIDE 67

This talk is not an endorsement to roll everything yourself.

67 — FSec 2016

SLIDE 68

THANK YOU

LUKA KLADARIC // L@K.HR // @KLL

68 — FSec 2016