A talk given at #fullstackcon 2016

1. Gergely Nemeth
Surviving Web Security
github.com/gergely | twitter.com/nthgergo | gergely@risingstack.com

2. TRACE - NODE.JS MONITORING
https://trace.risingstack.com

3. WHAT DO THEY HAVE IN COMMON?

4. WHAT DO THEY HAVE IN COMMON?
TOGETHER, ALMOST 1 BILLION USER ACCOUNTS COMPROMISED
https://haveibeenpwned.com

5. 2014/2015 In Retrospect

6. Lots of high-profile vulnerabilities such as
Shellshock
Hearthbleed

7. an average of
158 days time-to-
fix security issues

8. in some industries security tickets may be
open for more
than 2 years

9. XSS affects 47%
CRFS affects 24%
of all web apps.

10. Enter Attack Trees

11. ATTACK TREES
“formal, methodical way of
describing the security of systems,
based on varying attacks”
Bruce Schneier

12. ATTACK TREES
Open safe
Pick lock Learn combo Cut open Bad setup
Find it written Learn from target
Blackmail Eavesdrop Bribe
Listen to convo Get target to say

13. ATTACK TREES
to get the most out of attack
trees, you have to combine
them with knowledge on the
attackers

14. ATTACK TREES
Open safe (P)
Pick lock (I) Learn combo (P) Cut open (P) Bad setup (I)
Find it written (I) Learn from target (P)
Blackmail (I) Eavesdrop (I) Bribe (P)
Listen to convo (P) Get target to say (I)

15. An Example Attack Tree
of a Trace Account

16. EXAMPLE ATTACK TREE OF A TRACE ACCOUNT
Get access to account
Modify credentials
in the database
Learn password
Get access
to database
Social
engineering
Get access
to DMZ
Listen on the
transport layer
Brute
force
Bypass access control
SQL
Injection
Session
hijack
Insecure
dependency

17. EXAMPLE ATTACK TREE OF A TRACE ACCOUNT

18. Secure the Transport
Layer

19. SECURE TRANSPORT LAYER
Get access to account
Modify credentials
in the database
Learn password
Get access
to database
Social
engineering
Get access
to DMZ
Listen on the
transport layer
Brute
force
Bypass access control
SQL
Injection
Session
hijack
Insecure
dependency

20. SECURE TRANSMISSION - SSL
HTTP is a clear-text
protocol

21. SECURE TRANSMISSION - SSL
Vulnerable against
man-in-the-middle
attacks

22. SECURE TRANSMISSION - SSL
HTTP is a clear-text
protocol - Always use
HTTPS

23. Defend Against Brute-
force attacks

24. BRUTE-FORCE ATTACKS
Get access to account
Modify credentials
in the database
Learn password
Get access
to database
Social
engineering
Get access
to DMZ
Listen on the
transport layer
Brute
force
Bypass access control
SQL
Injection
Session
hijack
Insecure
dependency

25. BRUTE-FORCE PROTECTION
var email = req.body.email
var limit = new Limiter({ id: email, db: db })
limit.get(function(err, limit) {
})

26. BRUTE-FORCE PROTECTION - TIMING ATTACKS
// the bad solution
if (userEnteredPassword === passwordFromDb) {
return true
}
return false

27. BRUTE-FORCE PROTECTION - TIMING ATTACKS
T R A C E T R A C E
T R A C E T R I C K
x

28. PASSWORDS - EQUALITY CHECK
Always use fixed-
time comparison

29. BRUTE-FORCE PROTECTION - TIMING ATTACKS
// the good solution
var cryptiles = require('cryptiles')
if (cryptiles.fixedTimeComparison(
userEnteredPassword,
passwordFromDb)
) {
return true
}
return false

30. Defend Against SQL
Injection Attacks

31. SQL INJECTION
Get access to account
Modify credentials
in the database
Learn password
Get access
to database
Social
engineering
Get access
to DMZ
Listen on the
transport layer
Brute
force
Bypass access control
SQL
Injection
Session
hijack
Insecure
dependency

32. DATA VALIDATION - SQL INJECTION
This attack vector consists of
injection of a partial or
complete SQL query via user
input

33. DATA VALIDATION - SQL INJECTION
select username, password from users where
username=$username
can become:
select username, password from users where
username=john or 1=1

34. DATA VALIDATION - SQL INJECTION
Defend against it with
parameterized queries /
prepared statements

35. DATA VALIDATION - SQL INJECTION
// paramaterized
query( "select name from emp where emp_id=$1",
[123] )
// prepared
query( {
name:"emp_name",
text:"select name from emp where emp_id=$1",
values:[123]
})

36. Defend Against Session
Hijack

37. SESSION HIJACK
Get access to account
Modify credentials
in the database
Learn password
Get access
to database
Social
engineering
Get access
to DMZ
Listen on the
transport layer
Brute
force
Bypass access control
SQL
Injection
Session
hijack
Insecure
dependency

38. Securing Cookies

39. COOKIES - COOKIE FLAGS
- secure - this attribute tells the browser to only send the cookie if the
request is being sent over HTTPS.
- HttpOnly - this attribute is used to help prevent attacks such as cross-
site scripting, since it does not allow the cookie to be accessed via
JavaScript.

40. Unwanted Javascript

41. DATA VALIDATION - XSS
- Reflected Cross Site Scripting occurs when the attacker injects
executable JavaScript code into the HTML response with specially
crafted links
- Stored Cross Site Scripting occurs when the application stores user
input which is not correctly filtered. It runs within the user’s browser
under the privileges of the web application.

42. DATA VALIDATION - XSS
Defend against it
with input validation

43. SECURITY HEADERS
- Strict-Transport-Security enforces secure (HTTP over SSL/TLS)
connections to the server
- X-Frame-Options provides clickjacking protection
- X-XSS-Protection enables the Cross-site scripting (XSS) filter built into
most recent web browsers
- Content-Security-Policy prevents a wide range of attacks, including
Cross-site scripting and other cross-site injections

44. Handling Dependencies

45. HANDLING DEPENDENCIES
Get access to account
Modify credentials
in the database
Learn password
Get access
to database
Social
engineering
Get access
to DMZ
Listen on the
transport layer
Brute
force
Bypass access control
SQL
Injection
Session
hijack
Insecure
dependency

46. HANDLING DEPENDENCIES
You are what
you require

47. HANDLING DEPENDENCIES
Use retire.js / the
NSP CLI
https://nodesecurity.io

48. HANDLING DEPENDENCIES
Update your
dependencies
frequently
https://greenkeeper.io

49. Environment Setup

50. RESTRICT DATABASE ACCESS
Get access to account
Modify credentials
in the database
Learn password
Get access
to database
Social
engineering
Get access
to DMZ
Listen on the
transport layer
Brute
force
Bypass access control
SQL
Injection
Session
hijack
Insecure
dependency

51. ENVIRONMENT SETUP
Put your databases inside
a VPN with your
application servers

52. ENVIRONMENT SETUP
Be careful with
default passwords

53. ENVIRONMENT SETUP
At least 6.000+ Redis
instances are
compromised now

54. The Human Factor

55. 95% of all security
incidents involve
human error

56. We are the
weakest link

57. Security must
be part of the
agile workflow

58. Stories should
include acceptance
criteria for security

59. Given an unauthenticated
user
When tries to view her profile
Then redirected to the login
EXAMPLE STORY

60. Developers should
implement features
with security
requirements in mind

61. Developers should
implement features
with security
requirements in mind
LIKE
OWASP TOP 10

62. https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
Injection
Weak authentication and
session management
XSS
Insecure Direct Object
References
Security Misconfiguration
Sensitive Data Exposure
Missing
Function
Level Access
Control
Cross Site Request Forgery
Using Components with
Known Vulnerabilities
Unvalidated Redirects and Forwards

63. Security is part
of your job!