Authentication is evolving. Customers are expecting much more from the user management experience in applications they are using today. Join us virtually for our upcoming "User Management - the next-gen of Authentication" meetup to learn about the secrets of building user management the right way, the secure way.
3. About Me - Sagi Rodin
● Developing since I was 15
● Managed R&D in startups
● Developed a high-scale modern application platform @Check Point
● Founder of Frontegg
● Love smoking beef
20. What’s there to control?
Personal Security Settings
Organizational Security Policy (Passwords, MFA, Account Lockout)
Device Management
Enterprise SSO
Custom Roles and Permissions
API Token Management
Webhooks
Data privacy management
24. Build Abstract Level Roles Enforcement
Enforce permissions not roles
Enforce on frontend, backend and data layer
Don’t assume you know your customers
25. Create an Admin Portal Product Infrastructure
Allow teams to deploy configuration screens
Allow customization of Admin Portal
Allow roles enforcement on Admin Portal
For Dev Team Convenience
26. What did we have so far?
Evolution in Products, Security and the Connection between the two
How this is handled within modern apps
What do we want to expose
The three Rules of building a self-serve ready app
46. What will we cover today?
• Who is OWASP?
• What is OWASP Top 10?
• OWASP Top 10 – Overview and What's New
47. About Me
• >14 yr. in application security
• >9 yr. with Tufin – Lead Security Architect
• www.linkedin.com/in/furmanmichael/
• Blog https://ultimatesecurity.pro/
• Twitter @ultimatesecpro
• I like to travel, read books and listen to music
48. About
● Market Leader in Security Policy Automation
● Tufin is used by >2000 enterprises
– To segment networks and connect applications
– On-prem networks, firewalls, cloud and K8S
● We are the Security Policy Company!
49. Who is OWASP?
• Worldwide not-for-profit organization
• Founded in 2001
• OWASP - Open Web Application Security Project
• Mission is to make software security visible.
50. OWASP Top 10
• Most successful OWASP Project
https://owasp.org/Top10/
• Ten most critical web application security flaws
• De facto application security standard
• Released every 3 - 4 years
• First released in 2004
• Current - 2021
51. OWASP Top 10 - 2021
• A01 Broken Access Control
• A02 Cryptographic Failures
• A03 Injection
• A04 Insecure Design
• A05 Security Misconfiguration
• A06 Vulnerable and Outdated Components
• A07 Identification and Authentication Failures
• A08 Software and Data Integrity Failures
• A09 Security Logging and Monitoring Failures
• A10 Server Side Request Forgery (SSRF)
52. OWASP Top 10 - 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
53. What happened to …?
• Broken Access Control
• Cross-Site Scripting (XSS)
• XML External Entities (XXE)
• Insecure Deserialization
54. They are still here
• A03 Injection
– Cross-Site Scripting (XSS)
• A05 Security Misconfiguration
– XML External Entities (XXE)
• A08 Software and Data Integrity Failures
– Insecure Deserialization
55. And even more …
• A03 Injection
– Cross-Site Scripting (XSS)
• A04 Insecure Design
• A05 Security Misconfiguration
– XML External Entities (XXE)
• A08 Software and Data Integrity Failures
– Insecure Deserialization
• A10 Server Side Request Forgery (SSRF)
58. A01: Broken Access Control
• Moved up from fifth position
• Elevation of privilege or Privilege Escalation
• Acting as an admin when logged in as a user
• Acting as a user without being logged in
• Viewing or editing someone else's account
• IDOR - Insecure Direct Object References
• Cross-Origin Resource Sharing (CORS) misconfiguration
• Allows API access from unauthorized/untrusted origins
59. A01: Example 1
• Application provides the service:
https://example.com/app/getappInfo
• Attacker browses to target URLs:
https://example.com/app/admin_getappInfo
https://example.com/app/getadminappInfo
60. A01: Example 2
• Unverified parameters to access:
pstmt.setString(1, request.getParameter("account"));
ResultSet results = pstmt.executeQuery();
• Attacker modifies the parameter:
https://example.com/app/accountInfo?account=notmyaccount
61. A01: How to Prevent
• Default behavior: deny access to resources
– Except for public resources
• Implement access control mechanisms
– On the server side
– All requests
• Minimize CORS usage
62. A01: Example 1
• Validate access on each request and prevent access for unauthorized users.
• Annotation example:
// Explicit check inside the handler
public AppInfo getadminappInfo() {
    if (currentUser.hasPermission("admin")) {   // hypothetical helper standing in for your auth framework
        // return admin app info
    } else {
        // authorization error
    }
}

// The same check declared on the method (Spring Security): the body never runs without the authority
@PreAuthorize("hasAuthority('admin')")
public AppInfo getadminappInfo() {
    // return admin app info
}
63. A01: Example 2
• Verify ownership / access:
String account = request.getParameter("account");
if (currentUser.canAccessAccount(account)) {   // hypothetical ownership check against the logged-in user
    pstmt.setString(1, account);
    ResultSet results = pstmt.executeQuery();
} else {
    // authorization error
}
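A worked version of the two A01 examples above (slides 62 and 63), which also applies the "enforce permissions, not roles" rule from slide 24: this is added example code, not from the slides, written in Python rather than Java. The role-to-permission table, the principals and the account store are constructed sample data, and `require_permission`, `get_admin_app_info` and `get_account_info` are hypothetical names standing in for the slides' getadminappInfo and accountInfo handlers.

```python
"""Deny-by-default access control: permissions (derived from roles) and record ownership."""
from dataclasses import dataclass
from functools import wraps
from typing import FrozenSet, Optional

# Roles map to fine-grained permissions; handlers check permissions only, so a
# customer-defined custom role never requires touching handler code. Constructed sample table.
ROLE_PERMISSIONS = {
    "admin": {"app:read", "app:read_admin", "account:read_any"},
    "user": {"app:read", "account:read_own"},
}


class AuthorizationError(Exception):
    """Raised whenever a check fails to positively allow the action."""


@dataclass(frozen=True)
class Principal:
    user_id: Optional[str]                  # None means not logged in
    roles: FrozenSet[str] = frozenset()

    def permissions(self):
        granted = set()
        for role in self.roles:
            granted |= ROLE_PERMISSIONS.get(role, set())   # unknown role grants nothing
        return granted


def require_permission(permission):
    """Annotation-style guard: the handler body runs only if the caller holds `permission`."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(principal, *args, **kwargs):
            if principal.user_id is None or permission not in principal.permissions():
                raise AuthorizationError("%s required" % permission)
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("app:read_admin")
def get_admin_app_info(principal):
    return {"admin_view": True}


# Constructed account store; `owner` is what the ownership check compares against.
ACCOUNTS = {
    "acc-1": {"owner": "alice", "balance": 100},
    "acc-2": {"owner": "bob", "balance": 250},
}


@require_permission("app:read")
def get_account_info(principal, account_id):
    """The id from the request is never trusted on its own: the record must belong to the caller."""
    record = ACCOUNTS.get(account_id)
    granted = principal.permissions()
    if record is None:
        raise AuthorizationError("denied")      # same answer as "not yours": no account enumeration
    if "account:read_any" in granted:
        return record
    if "account:read_own" in granted and record["owner"] == principal.user_id:
        return record
    raise AuthorizationError("denied")


def decide(principal, handler, *args):
    """Returns ('allowed', result) or ('denied', reason) so callers can see the outcome."""
    try:
        return ("allowed", handler(principal, *args))
    except AuthorizationError as exc:
        return ("denied", str(exc))
```

The two checks are deliberately separate: the decorator answers "may this caller use this feature at all", the lookup answers "may this caller see this particular record". Missing the second check is exactly the IDOR case from slide 60, and no amount of role checking fixes it.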
64. A02: Cryptographic Failures
• Previously known as “A3 Sensitive Data Exposure”
– a broad symptom rather than a root cause
• Sensitive data is transmitted or stored in clear text
• Deprecated or weak cryptographic algorithms in use
• Default crypto keys in use
– proper key management or rotation missing
65. A02: How to Prevent
• Encrypt all sensitive data at rest
• Encrypt all data in transit
• Use TLS 1.2 or above
• Use HTTP Strict Transport Security (HSTS)
• Use up-to-date and strong standard algorithms and protocols
• Use proper key management
66. A03: Injection
• Slid down from first position
• Had held first position since OWASP Top 10 2010
• User input is not validated, filtered, or sanitized by the application
• User input is directly used or concatenated
• SQL injection
• OS Command Injection
67. A03: Example
• User input is directly used in the SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
68. A03: How to Prevent
• Do not pass user input directly to executable statements
• Prepared Statements
• Parameterized Queries
• Hibernate
69. A03: Example
• Use PreparedStatement:
String id = request.getParameter("id");
String query = "SELECT * FROM accounts WHERE custID = ?";
PreparedStatement pstmt = connection.prepareStatement(query);   // compile the statement text, not the input
pstmt.setString(1, id);                                          // the value is bound as a parameter
ResultSet results = pstmt.executeQuery();
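The vulnerable statement from slide 67 and its parameterized replacement side by side, as added example code (not from the slides), in Python's sqlite3 module rather than JDBC; the table contents and the tampered input are constructed. The mechanism is the same one PreparedStatement uses: the value is bound separately from the statement text.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slides' accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1", "alice", 100), ("2", "bob", 250), ("3", "carol", 75)],
    )
    return conn


def accounts_vulnerable(conn, cust_id):
    # The slides' pattern: the request parameter becomes part of the SQL text.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def accounts_parameterized(conn, cust_id):
    # Same query with a bound parameter: the driver passes the value separately,
    # so it can only ever be compared against custID, never parsed as SQL.
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


# Constructed input a client might send instead of a plain id.
TAMPERED_ID = "' OR '1'='1"


def compare(cust_id):
    """Row counts returned by each variant for the same input: (vulnerable, parameterized)."""
    conn = make_db()
    try:
        return (len(accounts_vulnerable(conn, cust_id)), len(accounts_parameterized(conn, cust_id)))
    finally:
        conn.close()
```

For a normal id both variants return the same single row; for the tampered input the concatenated query returns every account while the parameterized query returns none, because the string is compared literally against custID. ORMs such as Hibernate bind parameters the same way, but only if the query is written with placeholders; concatenating into HQL is just as injectable.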
70. A03: Don’t Forget About XSS
• Attackers can execute scripts in a victim’s browser
71. A03: How to Prevent XSS
• Input validation for user input
• Whitelist patterns
• Encode output
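Added example (not from the slides) of the two XSS controls just listed: an allowlist pattern for an input field, and output encoding that matches the HTML context the value lands in. The field names and the comment markup are constructed.

```python
import html
import re

# Allowlist: what a username may contain, instead of a list of "bad" characters.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(name):
    return USERNAME_PATTERN.fullmatch(name) is not None


def render_comment(username, comment):
    """Builds the comment markup with every dynamic value encoded for its context."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    # Attribute context: quote=True also encodes " and ' so the value cannot close the
    # attribute. Body context: encoding < > & is what stops a tag from being created.
    return (
        '<div class="comment" data-author="{}">'
        "<b>{}</b>: {}</div>"
    ).format(html.escape(username, quote=True), html.escape(username), html.escape(comment))


def contains_raw_script_tag(markup):
    """Check helper: True only if an unencoded <script tag survived into the output."""
    return "<script" in markup.lower()
```

Validation and encoding are not alternatives: the username is validated because it has a known shape, but the free-text comment has no shape to validate against, so encoding at output time is what protects it.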
72. A04: Insecure Design
• A new category
• Pushing the "shift-left" approach
• A secure design can still have insecure implementation
• An insecure design cannot be fixed by an implementation
Diagram: Requirements → Design → Implementation → Verification → Release
73. A04: How to Implement
• Threat modeling
• Threat Modeling Manifesto
https://www.threatmodelingmanifesto.org/
• Secure Development Lifecycle (SDL)
https://ultimatesecurity.pro/post/sdl-meetup/
74. A05: Security Misconfiguration
• Missing security hardening
• Unnecessary features are enabled or installed
– Unnecessary ports
– Services
– Accounts
• Default accounts
• Default passwords
75. A05: How to Prevent
• Apply security hardening
• CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords
76. A05: What About XXE?
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
77. A05: How to Prevent XXE
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
• For additional details see the presentation:
https://ultimatesecurity.pro/post/xxe-meetup/
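What "disable external entity and DTD processing" looks like in a concrete parser, as added example code (not from the slides or the cheat sheet), using Python's standard-library xml.sax on top of expat. The two controls are shown separately: external entity resolution is switched off unconditionally, and DTDs are rejected outright by default. `parse_untrusted_xml`, `try_parse` and the handler classes are hypothetical names; the sample document is the payload from slide 76.

```python
import io
import xml.sax
from xml.sax import handler


class XmlRejected(Exception):
    """The document uses a construct the application refuses to process."""


class _TextCollector(handler.ContentHandler):
    """Gathers character data so callers can see exactly what the parser expanded."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class _RejectDtd:
    """Lexical handler: any DOCTYPE, and with it any entity declaration, aborts the parse."""
    def startDTD(self, name, public_id, system_id):
        raise XmlRejected("DOCTYPE %r is not allowed" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_untrusted_xml(data, allow_dtd=False):
    """Parses bytes from an untrusted source and returns the concatenated text content."""
    parser = xml.sax.make_parser()
    # Never resolve external general or parameter entities (file://, http://, ...).
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    if not allow_dtd:
        # Stricter, as the cheat sheet recommends: refuse DTDs altogether.
        parser.setProperty(handler.property_lexical_handler, _RejectDtd())
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)


def try_parse(data, allow_dtd=False):
    """('accepted', text) or ('rejected', reason), for callers that want a decision."""
    try:
        return ("accepted", parse_untrusted_xml(data, allow_dtd))
    except XmlRejected as exc:
        return ("rejected", str(exc))


# The payload from the slide above, used here only as parser input.
XXE_SAMPLE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""
```

With DTDs rejected the sample never reaches the entity declaration. With DTDs allowed but external entities disabled, the `&xxe;` reference expands to nothing, so the file is never read; only an internal entity (one whose value is given inline) still expands. The same two settings exist in every mainstream parser under different names, which is what the cheat sheet catalogues.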
78. A06: Vulnerable and Outdated Components
• Software is vulnerable, unsupported, or out of date
• Apache Log4j (Log4Shell) Vulnerabilities
79. A06: How to Prevent
• Update software periodically
• Use Software Composition Analysis (SCA) tools
– Free or commercial tools
– OWASP Dependency-Check free tool
https://owasp.org/www-project-dependency-check/
80. A07: Identification and Authentication Failures
• Slid down from the second position
• Previously known as Broken Authentication
• Missing brute force protection
• Missing multi-factor authentication
• Using default, weak, or well-known passwords
• Password1 or "admin/admin"
• Reusing session identifier after successful login
• Exposing session identifier in the URL
81. A07: How to Prevent
• Implement brute force protection
• Implement multi-factor authentication
• Change default credentials
• Implement password complexity
• Rotate Session IDs after successful login
82. A08: Software and Data Integrity Failures
• New category
• Code and infrastructure that do not protect against integrity violations
• SolarWinds 2020 Attack
83. A08: How to Prevent
• Use digital signatures to verify software
• Ensure you consume trusted repositories
84. A08: Remember Insecure Deserialization?
• Serialization is the process of translating data structures or object state into a format that can be stored or transmitted and reconstructed later (deserialization)
• Insecure Deserialization: an attacker changes the serialized object between serialization and deserialization
85. A08: How to Prevent Insecure Deserialization
• Don't accept serialized objects from untrusted sources
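Added example (not from the slides) for the two A08 controls above: verifying what you download before using it, and never reconstructing objects from untrusted serialized data. The standard library has no asymmetric signature primitive, so the integrity half shows a pinned SHA-256 digest (the mechanism behind hash-pinned lock files); a signature check from a tool such as GPG or Sigstore wraps the same compare-before-use step. The deserialization half contrasts a data-only format with an Unpickler that refuses every global reference. The sample payloads are constructed; `classify_pickle` and the other names are hypothetical.

```python
import datetime
import hashlib
import hmac
import io
import json
import pickle


def verify_artifact_digest(data, expected_sha256_hex):
    """Integrity check of a downloaded artifact against a digest pinned out of band."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global reference, so no class or function can be resolved while loading."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_untrusted_json(data):
    """Preferred path for untrusted input: a data-only format with no type reconstruction."""
    return json.loads(data.decode("utf-8"))


def classify_pickle(data):
    """('accepted', object) or ('rejected', reason)."""
    try:
        return ("accepted", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed samples: plain data, and a stream that references a global (here a class).
SAMPLE_PLAIN = pickle.dumps({"user": "alice", "ids": [1, 2]})
SAMPLE_WITH_GLOBAL = pickle.dumps(datetime.date)
SAMPLE_ARTIFACT = b"hello"
SAMPLE_ARTIFACT_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
```

The restricted unpickler is a containment measure for code that cannot drop pickle yet; the slide's rule still stands, and the JSON path is what new code should use for anything that crosses a trust boundary.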
86. A09: Security Logging and Monitoring Failures
• Insufficient logging
– Logins
– Failed logins
– High-value transactions
• Logs are only stored locally
87. A09: How to Prevent
• Log important events with sufficient user context
– Username
– Client IP
– Time
88. A10: Server Side Request Forgery (SSRF)
• New category
• A web application is fetching a remote resource without validating the user-supplied URL
Diagram: the client requests http://host/getImage?url=http://10.0.0.1; the server fetches http://10.0.0.1 and returns the response from http://10.0.0.1 to the client.
89. A10: Example 1
• Application provides the getImage service:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);                       // no check of scheme, port or destination
InputStream is = url.openStream();
OutputStream os = response.getOutputStream();
// copy is to os and return the response
90. A10: SSRF CVEs
• CVE-2021-44224
– High Severity Apache HTTP Server CVE
• CVE-2021-26715
– Critical Severity MITREid OpenID Connect Server CVE
91. A10: How to Prevent
• Sanitize and validate all client-supplied input data
• Validate URL components
– URL scheme, port, and destination
• Do not send raw responses to clients
92. A10: Example 1
• Validate URL Components:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);
// validate URL scheme, port, and destination before calling url.openStream()
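The validation step the comment above leaves open, as added example code (not from the slides), in Python. It checks scheme, port and destination, and for the destination it resolves the name and rejects private, loopback, link-local and other non-public addresses. The resolver is injectable and the name-to-address table is constructed so the checks run offline; `validate_fetch_url`, `decide` and the allowlist values are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class UnsafeUrl(ValueError):
    pass


def resolve_with_dns(hostname):
    """Default resolver: every address the name maps to, since any of them may be used."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_public_address(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolve=resolve_with_dns, allowed_hosts=None):
    """Validates scheme, port and destination; returns (host, port, [addresses]) to connect to."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("no host")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeUrl("invalid port")
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl("port not allowed")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise UnsafeUrl("host not in allowlist")
    try:
        addresses = {str(ipaddress.ip_address(host))}   # the URL carried a literal address
    except ValueError:
        addresses = set(resolve(host))
    if not addresses:
        raise UnsafeUrl("host does not resolve")
    for address in sorted(addresses):
        if not is_public_address(address):
            raise UnsafeUrl("destination %s is not public" % address)
    return (host, port, sorted(addresses))


# Constructed name->address table so the checks run without network access.
FAKE_DNS = {
    "images.example.com": {"93.184.216.34"},
    "intranet.example.com": {"10.0.0.1"},
}


def fake_resolve(hostname):
    return set(FAKE_DNS.get(hostname.lower(), ()))


def decide(url, allowed_hosts=None):
    try:
        return ("ok", validate_fetch_url(url, fake_resolve, allowed_hosts))
    except UnsafeUrl as exc:
        return ("rejected", str(exc))
```

The function returns the addresses it validated on purpose: the fetch should connect to one of those addresses rather than resolve the name a second time, otherwise a name that changes between the check and the connection (DNS rebinding) defeats the destination check. Where the set of legitimate targets is known, the host allowlist is the stronger control and the address check is defense in depth behind it.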
104. What is authentication
“Is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.”
(Wikipedia)
105. Trying to access a resource? Let me know who you are first!
108. Broken: session management
Exposes session identifier in the URL.
Reuse session identifier after successful login.
Does not correctly invalidate Session IDs.
110. Fixing session management
Use a server-side, secure, built-in session manager
Session identifiers should not be in the URL and should be securely stored
Invalidate sessions after logout, idle, and absolute timeouts
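The three fixes above in one small server-side session store, as added example code (not from the slides): random opaque ids that only ever travel in a cookie, a fresh id issued at login so the pre-login id dies, and idle plus absolute timeouts enforced on every lookup. `SessionStore`, `FakeClock` and the timeout values are hypothetical; the clock is injectable so the timeouts can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # seconds since the session was created


class FakeClock:
    """Constructed clock so the timeouts can be exercised without waiting."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class SessionStore:
    """Server-side store: the client holds only an opaque random id, in a cookie."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # id -> {"user", "created", "last_seen"}

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)        # 256 bits from the CSPRNG: not guessable
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Returns the session or None; expired sessions are removed, not just ignored."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT
                or now - session["created"] > ABSOLUTE_TIMEOUT):
            self.invalidate(sid)
            return None
        session["last_seen"] = now
        return session

    def login(self, old_sid, user):
        """Issues a fresh id after authentication; the pre-login id stops working (no fixation)."""
        if old_sid is not None:
            self.invalidate(old_sid)
        return self.create(user)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)

    def logout(self, sid):
        self.invalidate(sid)
        return "Set-Cookie: sid=; Max-Age=0; Path=/; HttpOnly; Secure"


def cookie_for(sid):
    """The id travels in a cookie with HttpOnly/Secure/SameSite, never as a URL parameter."""
    return "Set-Cookie: sid=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid
```

Rotating the id at login is the fix for the "reuse session identifier after successful login" item: whatever id an attacker managed to plant before authentication is invalidated the moment the user logs in, so it never becomes an authenticated session.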
116. Hey, what is that code doing?
const axios = require('axios').default;
const url = 'https://api.attacked-company.com/login';
const commonPasswords = downloadCommonPasswords();
var idx = 0;
while (true) {
  try {
    const { accessToken } = await axios.post(url, {
      email: 'john@doe.com',
      password: commonPasswords[idx++]
    });
    takeoverAccount(accessToken);
  } catch (e) {
    console.log('could not authenticate with that password. Will try with the next one');
  }
}
118. Fixing automated attacks
Public APIs (login, signup, reset password, etc.)
- reCAPTCHA (v3)
- DDoS protection with IP-based filtering
Authenticated APIs should be rate limited
- Limit or increasingly delay failed logins
- Log failures and raise alerts
- Be prepared to block sessions
121. Log everything - What are we looking for?
IP addresses / Forwarded
Origin / Referer
Headers / Cookies
User agents
122. Fixing automated attacks
Failed logins? This is what you should do
- Implement user lockout mechanisms
- Start delaying failed attempts
- Be careful not to create a denial-of-service scenario
Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
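One login endpoint guard that covers the A07 prevention list (slide 81), the logging context from A09 (slide 87) and slides 118 and 122 above: increasing delay per failed attempt, a temporary lockout after a threshold, and an audit record with username, client IP, time and outcome for every attempt. This is added example code, not from the slides; the user store, the password and the client IP are constructed, and `LoginThrottle`, `verify_password` and `FakeClock` are hypothetical names.

```python
import hashlib
import hmac
import logging
import os
import time
from collections import defaultdict

LOG = logging.getLogger("auth")


class FakeClock:
    """Constructed clock so the lockout window can be exercised without waiting."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one account with a salted PBKDF2 hash.
_SALT = os.urandom(16)
USERS = {"john@doe.com": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def verify_password(username, password):
    entry = USERS.get(username)
    if entry is None:
        _hash_password(password, b"\x00" * 16)   # same cost for unknown users: no timing oracle
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_password(password, salt), stored)


class LoginThrottle:
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 15 * 60
    MAX_DELAY = 30.0

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(int)   # consecutive failures per account
        self._locked_until = {}
        self.events = []                    # audit trail: time, event, user, IP

    def _audit(self, event, username, client_ip):
        record = {"time": self._clock(), "event": event, "user": username, "ip": client_ip}
        self.events.append(record)
        LOG.warning("%s user=%s ip=%s", event, username, client_ip)

    def required_delay(self, username):
        """Seconds the caller should wait before the next attempt: doubles per failure, capped."""
        failures = self._failures[username]
        return 0.0 if failures == 0 else min(2.0 ** (failures - 1), self.MAX_DELAY)

    def attempt(self, username, password, client_ip):
        now = self._clock()
        until = self._locked_until.get(username)
        if until is not None:
            if until > now:
                self._audit("login_rejected_locked", username, client_ip)
                return "locked"
            del self._locked_until[username]    # lock expired: start counting afresh
            self._failures.pop(username, None)
        if verify_password(username, password):
            self._failures.pop(username, None)
            self._audit("login_success", username, client_ip)
            return "ok"
        self._failures[username] += 1
        self._audit("login_failed", username, client_ip)
        if self._failures[username] >= self.MAX_FAILURES:
            self._locked_until[username] = now + self.LOCKOUT_SECONDS
            self._audit("account_locked", username, client_ip)
            return "locked"
        return "failed"
```

The lockout is keyed by account, which is the denial-of-service trade-off slide 122 warns about: anyone who knows a username can keep that account locked. Where that matters, prefer the growing delay over a hard lock, count per source IP as well, and let the `account_locked` events feed the alerting the slide asks for rather than silently absorbing them.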
135. Broken API context
Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
139. Fixing broken API context
Pass context from JWT to microservices via Reverse Proxy headers
140. Fixing broken API context
DON’T forget to remove incoming headers before proxying, to remove the risk of header tampering
141. Fixing broken API context
Try to avoid query/route params for REST API
If you are using query/route params for REST API:
- Use guards (!)
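The three "fixing broken API context" steps above (slides 139 to 141) in one piece, which also covers the "enforce record ownership" rule from slide 150: the reverse proxy verifies the JWT, strips any context headers the client sent, and sets them from the verified claims; the microservice then guards its route parameter against that context instead of trusting it. This is added example code, not from the slides; the HS256 secret, the header names, the claims and the `tamper_claims_for_test` helper are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared secret for the demo; a real gateway would use a managed key (or RS256 and a public key).
GATEWAY_SECRET = b"constructed-demo-secret-not-for-production"
CONTEXT_HEADERS = ("x-user-id", "x-tenant-id", "x-roles")


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret=GATEWAY_SECRET):
    """HS256 token as the authentication service would issue it (constructed for the example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, ("%s.%s" % (header, body)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, body, _b64url(signature))


def verify_jwt(token, secret=GATEWAY_SECRET, now=None):
    """Returns the claims only if signature and expiry check out; raises ValueError otherwise."""
    try:
        header, body, signature = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")               # the token never gets to choose the algorithm
    expected = hmac.new(secret, ("%s.%s" % (header, body)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def proxy_headers(incoming, token, now=None):
    """Reverse-proxy step: strip client-supplied context headers, then set them from the verified JWT."""
    forwarded = {name: value for name, value in incoming.items()
                 if name.lower() not in CONTEXT_HEADERS and name.lower() != "authorization"}
    claims = verify_jwt(token, now=now)
    forwarded["X-User-Id"] = claims["sub"]
    forwarded["X-Tenant-Id"] = claims["tenant"]
    forwarded["X-Roles"] = ",".join(claims.get("roles", []))
    return forwarded


def tenant_guard(forwarded, route_tenant_id):
    """Guard for a route like /tenants/{tenant_id}/...: the route param must match the proxied context."""
    return forwarded.get("X-Tenant-Id") == route_tenant_id


def tamper_claims_for_test(token, new_tenant):
    """Constructed modification used only to show that the signature check catches edited claims."""
    header, body, signature = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["tenant"] = new_tenant
    return "%s.%s.%s" % (header, _b64url(json.dumps(claims).encode()), signature)


def decide_token(token, now=None):
    try:
        return ("ok", verify_jwt(token, now=now))
    except ValueError as exc:
        return ("rejected", str(exc))
```

The header stripping is what makes the downstream guard trustworthy: if the proxy only added `X-Tenant-Id` without first removing the one the client sent, a service that reads the first matching header could be handed the client's value, which is the header tampering slide 140 warns about.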
146. Common issues
Elevation of privilege
- Acting as a user without being logged in
- Acting as an admin when logged in as a user
147. Accessing non-privileged entities
Accessing a private GitHub repository
Accessing a repository of a different team in the same organization
Accessing hidden features
Accessing features outside my subscription plan
148. Elevation of privilege - Common Techniques
Technique 1: Access Token Manipulation.
Technique 2: Non authenticated access
Technique 3: Access Token Manipulation.
Technique 4: Account Manipulation
150. Fixing API authorization
Except for public resources, deny by default.
Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
Unique application business limit requirements should be enforced by domain models.