Category: OWASP

  • It’s not opinion, Richard

    For the second time, I helped SANS compile their Top 20. I don’t know about the other sections; C1 is primarily my section. As always, there will be knockers. However, I was a bit surprised about one contrarian, the normally interesting and challenging Richard Bejtlich. Richard writes:


    As far as the nature of the list goes, it’s important to realize that it’s based on a bunch of people’s opinions.

    Actually, no. My section is based upon hard core data from MITRE, as will the forthcoming OWASP Top 10.

    MITRE web app sec data

    The only entry which I forced into SANS Top 20 is CSRF because it’s REALLY important to fix over the next 12 months. We only get so many chances to speak to this particular audience and CSRF deserves attention. The OWASP Top 10 also has CSRF. Remote File Include, which affects PHP more than most, is EXTREMELY heavily attacked. It’s actually the primary attack vector for PHP stacks. It belongs in the list. My mum can discover XSS – it belongs in there. SQL injection can be found via automated means and this is the worst bit – we have methods to utterly avoid it – if only devs would stop using vulnerable API! rdbms_query() should simply not be supported in future PHP releases. And ditto for other languages and frameworks.

    Worse still, Richard misses the forest completely when he says that “… it’s called an ‘attack targets’ document, since there’s nothing inherently ‘vulnerable’ about …”. It doesn’t really matter if it’s a weakness, action item, vulnerability or attack. If it’s something you should know about, it belongs in there. Like phishing, like webappsec, and so on. Don’t play semantics when people are at risk. That’s the job of cigarette and oil companies.

    It’s basically impossible to find out how much certain types of attacks net criminals, or how much pain identity theft victims suffer, or how much a life is worth when an attack takes out vulnerable biomedical equipment. I’d rather have my blog spammed by hundreds of scripts than one single skilled and motivated attacker take over the host this blog resides on due to security defects in WP. A simple numerical attack number is useless. A simple $$$ figure is going to be wrong and misleading. It’s impossible to *rate* attacks.

    We must do it via vulnerabilities discovered, and I’ve done that.

    So for us, MITRE data is as good as it’s going to get, and I’ve used that for the top 4, plus one item which is going to be the major form of weakness/vulnerability/attack as folks work out how horrible it is to use CSRF resistant software, and it’s going to get worse when Ajax enabled apps do *everything* via XHR, rather than just a subset of their functionality.

    Rohit did a great job herding many, many cats. I really wanted 10 things in there for developers to check and do as web app sec vulnerabilities are now the Top 11 or so attacks. But SANS is a system administration resource, and thus they turned the focus around for system administrators. Fair enough. That’s why we have links to OWASP for those folks who need it.

    As for Richard stating that the SANS document is my opinion: I don’t think so. I concentrated heavily on fact. In other related news, the OWASP Top 10 is nearing that happy point when it will need peer reviewing. If you’re interested, come join the Top 10 mail list at OWASP.

    PS: that graph above, although it is the MITRE data, does not indicate the Top 10 headings. We’ve got something special for you all! 🙂

  • SANS Top 20

    The SANS Top 20 2006 update has been posted.

    SANS Top 20 2006

    I helped write the C1 Web App Sec section:
    C1. Web Applications

    We’re working on the updated OWASP Top 10 2007 which interlinks with that. It’s an interesting experience writing something like this for a completely different audience than web developers. As these are coding issues, the SANS folks wanted things like configuration changes which system administrators could make to improve security. But that’s not what this section is about.

    Hopefully, next year, we can get more focus on the changes organizations who write or buy code can make to improve their security. In the near term, when it’s done, check the OWASP Top 10 2007. It’s very cool and has CSRF in it!

  • Survey at Casa de Grossman

    Jeremiah sent me a survey to fill in. Normally, I don’t like participating in surveys, but this time I made an exception. Jeremiah noted that my responses, although not quite in the boxes he had set out, were still actually pretty useful.

    So here are my responses:

    1. How many code reviews did you do in 2006?

    I do a few but very large code reviews, each involving more than 100,000 lines of code. So although not high in number, the programs process literally billions of dollars in transactions every day. Therefore, extreme care needs to be taken. I am not an automated scanner boy and would be negligent if I only used a tool like PMD or LAPSE to find my findings.

    2. What reporting standard do you use?

    Jeremiah’s choices here did not include many of the normals, including CWE / CVE from Mitre, OWASP anything (that said, Jeremiah has his own biases to WASC), etc. We also have regulatory regimes on top of webappsec specific lists, which are also not mentioned.

    I’m not sure of the validity of this question except to say that it should be the subject of more research.

    3. Do you use commercial application scanners during security assessments?

    Actually, no.

    I use PMD, FindBugs, and LAPSE, all open source or freebie tools. They are for extremely low-lying fruit, and in many cases, like not using “final” or “const”, I never report on some of these findings as they have zero security impact.

    4. Average number of man-hours required to perform a thorough web application vulnerability assessment on the average commerce website?

    This should have been phrased to be PC “Average number of hours per review” as I know some hot chicks and some excellent queens working in our field. 🙂

    I do > 100 kLoc code bases, so I was happy to see that folks are spending more than a week doing code reviews. I dare anyone to do a code review on a system which has > 40 systems it talks to directly, with over 200 separate value functions and over 100 types of data assets in a week.

    Typically, for J2EE, I use the initial kLoc (as reported by sloccount) divided by 1000 to be the number of days, and fatten the result by 25%. This works out most of the time. However, a recent Aspect Oriented Programming review using Spring Web Flow blew that estimate out of the water. 5000 lines took 2 weeks. ARGH. It pays to know your technology before you quote on an estimate, particularly if you’re doing fixed price code reviews.

    5. Do you recommend Web Application Firewalls?

    No.

    Unless the organization is a CMM level 5 organization that has nothing else to do and needs a new challenge. Seriously, unless the organization is able to tailor the WAF to the application and keep it up to date, WAFs, particularly appliances (usually dumb ones), send the wrong message: that there’s a silver $25k bullet to your security problem. This is not the truth and I will not perpetuate it. In addition, such devices nearly always add complexity and add fire to the response/request splitting harm which is real and unavoidable when you add unnecessary devices.

    But an organization that sees it as a defense-in-depth control, and is prepared to look after it, and investigate and escalate real problems rather than treat it as a “set and forget”, will get a recommendation from me for a serious WAF tool, such as mod_security or similar.

    I’ve used mod_security to prevent DDoS against a customer a few years ago, and used properly, WAFs are an invaluable asset. But plonked in and forgotten, they are worse than useless – they give a false sense of security and cost a bucket of money that could have been used for a code review. Most (>90%) organizations in my view are simply not mature enough at IT security to look after them and thus should not use them.

    6. What do you think about the updated PCI Data Security Standard v1.1?

    It’s a good start. However, in the latest edition automated scanner vendors are rubbing their hands with glee. We’re going to have SMEs pay a scanning firm for a clean bill of health (“We do the OWASP Top 10 as the PCI requires” — no you don’t, some of these issues are NP complete problems), and thus will get attacked by a business logic error, or a process error which scanners CANNOT find.

    I’m happy to work with PCI to fix up the next edition, but honestly, the most recent release is just better than before.

    7. Checking for XSS on public websites without permission?

    This is extreme grey area and I lean towards “illegal”.

    My personal take is that now that methods are well known to craft really bad JS malware, that poking a public website without authority is just dumb. Don’t do it. If the sites are based upon a public piece of software like UltimaBB or phpBB, sure, go ahead download the software and test offline. That’s what security research is all about. But don’t prod or take out public websites.

    In Australia, the computer crimes act and complementary state laws are deliberately vague to allow the book to be thrown at you. If you’re a nuisance, the terms of “unauthorized access” are so vague as to mean you are up a certain creek without a paddle if the owner takes offense. And it’s criminal, not civil trouble you’re in. Police are strapped for cash, and if they think they can obtain publicity and an easy conviction, they will come after you. That gets them more funds and resources if they are successful.
    Here’s the actual text. You decide:

    Computer trespass.
    
    "9A. A person must not gain access to, or enter, a computer system or part
    of a computer system without lawful authority to do so.
    Penalty: 25 penalty units or imprisonment for 6 months."

    Daniel Cuthbert, an excellent OWASP contributor, was prosecuted and convicted under the much more nebulous UK Computer Misuse Act for having a go at a charity’s website. He now can’t emigrate to Australia, and had difficulty finding work in his chosen industry. Do not try this at home.

    http://www.samizdata.net/blog/archives/008118.html

  • MITRE Vulnerability trends released

    In September, MITRE posted to a mailing list statistical proof that apps still suck. In fact, web apps suck much more than any other form of vulnerability.

    MITRE was surprised that their data set was so popular, and cleaned it up and released it.

    http://cwe.mitre.org/documents/vuln-trends.html 

    These will form the basis of the OWASP Top 10 2007, and, as I’m also working on the SANS Top 20 2006, it will contain some or all of this detail, with some luck.

  • Reviewing Spring Web Flow apps (and JSTL and Spring Framework)

    Well, I’ve just had the (somewhat dubious) pleasure of reviewing my first Spring Web Flow app. Initially, I thought ARRRRGH Aspect Oriented Programming (AOP) dudes are on crack

    and then

    I got the Kool-Aid. Here’s the low down for all you l33t code reviewers: it makes doing code reviews extremely hard … and extremely easy.

    About a year and a bit ago, when I was (re-)writing the OWASP Guide, I realized that checklists don’t work. So how do you review code if you’re not looking for, say, Runtime.exec()? In my day job, technical issues such as cross-site scripting and SQL injections, although embarrassing, are hardly worthwhile compared to the sort of losses that can happen if business logic is wrong.

    Sure, the checklist approach, particularly OWASP Guide 2.x, produces huge reports, but does it mean anything? In short, no. The value is where the business is. That means understanding what the code does. And along the way, you can have a look at the dangerous stuff, like XSS and SQL injections.

    So I started looking at flows more thoroughly. In normal J2EE programs, this can be a little tricky. In SOA, where apps are strung together dynamically, it seems like it’s impossible.

    flows.xml

    Start here and then find the sub-flows (often in flows/*.xml). If you know what you’re doing, you can produce a directed graph to understand the flows. This is key to understanding the important flows; review them early and often.

    Once you have decided upon a particular flow, follow it from what I will call the home flow, through to completion.
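    As an added example (JavaScript, not code from this post or from the Spring Web Flow project), here is one way to turn a set of flow definitions into the directed graph described above and check what a home flow can reach. It assumes Spring Web Flow 1.x-style element names (start-state, view-state, action-state, subflow-state, end-state, and transition with on/to attributes) and uses constructed sample definitions in place of flows.xml and flows/*.xml; the function names are this example’s own.

```javascript
// Added example: graph Spring Web Flow-style definitions for review.
// Assumptions (not from the post): files keyed by flow id, SWF 1.x element
// names start-state/view-state/action-state/subflow-state/end-state, and
// <transition on="..." to="..."/> children. A real review should use a proper
// XML parser; the tag scanner below is only enough for these definitions.

// Constructed sample definitions standing in for flows.xml and flows/*.xml.
const FLOW_FILES = {
  checkout: `<flow>
    <start-state idref="showCart"/>
    <view-state id="showCart" view="cart">
      <transition on="checkout" to="collectPayment"/>
    </view-state>
    <subflow-state id="collectPayment" flow="payment">
      <transition on="paid" to="confirmOrder"/>
      <transition on="cancelled" to="showCart"/>
    </subflow-state>
    <action-state id="confirmOrder">
      <transition on="success" to="finished"/>
    </action-state>
    <end-state id="finished"/>
  </flow>`,
  payment: `<flow>
    <start-state idref="enterCard"/>
    <view-state id="enterCard" view="card">
      <transition on="submit" to="charge"/>
      <transition on="cancel" to="cancelled"/>
    </view-state>
    <action-state id="charge">
      <transition on="success" to="paid"/>
    </action-state>
    <end-state id="paid"/>
    <end-state id="cancelled"/>
  </flow>`,
};

// Yields { closing, name, attrs } for every tag in document order.
function* tags(xml) {
  const re = /<(\/?)([\w-]+)([^>]*?)\/?>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const attrs = {};
    for (const a of m[3].matchAll(/([\w-]+)="([^"]*)"/g)) attrs[a[1]] = a[2];
    yield { closing: m[1] === "/", name: m[2], attrs };
  }
}

// Nodes are "flowId:stateId" plus a synthetic "flowId:START" per flow.
// Transitions become edges inside a flow; a subflow-state also gets an edge
// into the sub-flow's START node and the sub-flow is walked recursively.
// A reference to an undefined flow is reported rather than silently dropped.
function buildGraph(files, homeFlow) {
  const edges = new Map();
  const addEdge = (from, to) => {
    if (!edges.has(from)) edges.set(from, new Set());
    if (!edges.has(to)) edges.set(to, new Set());
    edges.get(from).add(to);
  };
  const visited = new Set();
  const walk = (flowId) => {
    if (visited.has(flowId)) return;
    visited.add(flowId);
    const xml = files[flowId];
    if (xml === undefined) throw new Error(`flow "${flowId}" is referenced but not defined`);
    let current = null; // the state whose transitions we are currently inside
    for (const t of tags(xml)) {
      if (t.closing) continue;
      if (t.name === "start-state") {
        addEdge(`${flowId}:START`, `${flowId}:${t.attrs.idref}`);
      } else if (t.name.endsWith("-state")) {
        current = `${flowId}:${t.attrs.id}`;
        if (t.name === "subflow-state") {
          addEdge(current, `${t.attrs.flow}:START`);
          walk(t.attrs.flow);
        }
      } else if (t.name === "transition" && current !== null) {
        addEdge(current, `${flowId}:${t.attrs.to}`);
      }
    }
  };
  walk(homeFlow);
  return edges;
}

// Breadth-first search: every node reachable from `start`.
function reachable(edges, start) {
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length > 0) {
    const node = queue.shift();
    for (const next of edges.get(node) || []) {
      if (!seen.has(next)) { seen.add(next); queue.push(next); }
    }
  }
  return seen;
}

// Graphviz DOT text for a visual map of the flows.
function toDot(edges) {
  const lines = ["digraph flows {"];
  for (const [from, tos] of edges) for (const to of tos) lines.push(`  "${from}" -> "${to}";`);
  lines.push("}");
  return lines.join("\n");
}

const graph = buildGraph(FLOW_FILES, "checkout");
console.log(toDot(graph));
console.log([...reachable(graph, "checkout:START")].sort().join("\n"));
```

    Feed the DOT output to Graphviz (for instance `dot -Tpng`) to get the picture; the reachability set is the list of screens and actions a reviewer has to follow from the home flow through to completion, and anything defined but not in that set is dead code or reached some other way and worth a question.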

    SWF uses continuations. This is different to many frameworks, but is closer to the way HTTP works in the real world. Tomorrow, we’ll look at what continuations are, and how to exploit them.

  • OSCON

    Work: I owe my boss a huge beer (and a document) and an apology when I get back to Australia.

    Personal life: in the dog house. I got very little sleep these last few days, and I bet my other half is feeling far worse than me. Hopefully, she can come to Vegas so we can sort things out.

    OSCON: Awesome.

    My presentations went down well. I’ll upload the new presentations soon, but the Ajax Security demo went off really well. The room was overflowing with folks, so I’m really chuffed that so many of you decided to come.

    I’ll put up the Ajax XSS demo I did later, but please be aware that these demos are INSECURE by design, and should only be tested on your internal systems. The trick is to:

    <img src="kitty.jpg" onLoad="... your javascript attack here ...">
    

    People forget there are literally hundreds and possibly millions of ways to do XSS. Do NOT look for script or Javascript and think you’re done. That’s stupid. Make the output safe: it’s faster, it’s simpler, and it works.
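    To show what “make the output safe” means in practice, here is an added JavaScript example that is not part of the original post: a keyword blacklist of the kind the post warns against, beside an output encoder applied at the point the untrusted value is written into HTML. The sample input is constructed from the image/onLoad vector above with the payload left as a placeholder; `blacklistFilter`, `encodeForHtml`, `renderComment` and `containsEventHandlerTag` are names chosen for this example.

```javascript
// Added example: keyword blacklist versus contextual output encoding.

// The approach the post warns against: look for "script"/"javascript" and
// assume the rest is harmless.
function blacklistFilter(input) {
  return String(input).replace(/script|javascript/gi, "");
}

// Encode for the HTML text and double-quoted attribute contexts. Every
// character that can end the current context or start a new tag/attribute
// is replaced, so the browser renders the value as text, never as markup.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(input).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Render an untrusted author and body into a page fragment. The encoding
// happens at the output point, so it does not matter what the input looked like.
function renderComment(author, body) {
  return `<p class="comment" data-author="${encodeForHtml(author)}">${encodeForHtml(body)}</p>`;
}

// Crude check used only to compare the two approaches: does the fragment still
// contain an element carrying an on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed input modelled on the post's image/onLoad vector; the handler
// body is a placeholder, not a working payload.
const sample = '<img src="kitty.jpg" onLoad="... attacker script here ...">';

console.log("blacklist keeps the handler:", containsEventHandlerTag(blacklistFilter(sample)));
console.log("encoded output is inert:    ", !containsEventHandlerTag(renderComment("bob", sample)));
console.log(renderComment("bob", sample));
```

    The blacklist removes the word “script” and leaves the onLoad handler intact, while the encoded version turns the whole thing into visible text. The same idea applies in any language: pick the encoder for the context you are writing into (HTML body, attribute, JavaScript string, URL) and apply it on output.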

    People

    I met so many folks who I had spoken to over the net, or e-mailed. Everyone is so nice and friendly, it’s incredible to meet the greats. I really enjoyed catching up with Chris and Laura, met the Schlossnagles for the first time (cool dudes, cute kids :), and of course, Wez.

    Unfortunately, due to the bad things going on in my personal life, I could not bring myself to hang out after hours as I was feeling extremely down, but life goes on. I was hoping to go out to Portland a bit more; maybe next time.

    Talks

    I went to a fair few webappsec related talks, and it’s truly gratifying to me that the developers had an entire stream dedicated to it. I really enjoyed the PHP Security hoedown – we had a whack job in the back row causing a bit of a stir, but after he left, the hour really flew.

    Portland

    I’ve never been here before. It’s a very nice city, great public transport. I’ll post some images soon as it’s very pretty this time of the year. It was a bit hot when I got here (about 40C) but it soon cooled down to mid 20’s and I’ve been happy with that. 🙂

    A friend through newbeetle.org picked me up from the airport last Sunday, and we went to her place and hung out for a while. She invited over a friend of hers, and I got to see her and her hubby’s New Beetles (a nice Turbo S and a unired NBC), and her friend’s green Gecko TDI New Beetle. Very nice – I wish we could get that color in Australia. We had breakfast on Friday morning even though I was extremely tired (no sleep) and a bit sad, and she picked me up this morning to take me to the airport. I’m so impressed, I wish I could say I was as good a host when I have folks visiting. Thanks, Debbie – you set the standard!

    Next steps

    I’m off to SF next. I’m at the airport now. I have to spend a few hours this weekend getting stuff together to meet the CSO of a major partner of work’s, like running through the ESA presentations and ensuring that we have something constructive to talk about. I might need to go to Kinkos tomorrow and print off a few things unless my hotel has a printer I can use.

  • Press: Q&A on Ajax / SOA Security

    Colleen Frye from SearchAppSecurity.com, interviewed me via e-mail a couple of weeks ago on the OWASP Ajax security research and materials I’ve been pumping out. Although she asked for brief answers, to paraphrase Mark Twain, I didn’t have the time to write shorter answers.

    The results are now available for your reading pleasure.

    Part 1
    Part 2

  • OSCON 2006 – See you there!

    Just a quick note as to the quietness of the blog. I’m working on a few things:

    • my slides for OSCON (webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up)
    • doing demos for the above
    • my slides for OWASP Melbourne, July 2006 meeting (this coming Wednesday! Details)
    • reconstructing my work laptop
    • the OWASP membership packs and other executive director project items
    • administrating Aussieveedubbers
    • writing a fresh Ajaxy UltimaBB installer
    • writing a proposal for a workable security architecture for PHP 6 which I want to present to Chris when I go to OSCON, and maybe earn myself an audience with Rasmus and the other PHP luminaries to discuss it over a beer or two and thus decrease my trolliness to those folks.

    plus Tanya would like my body sometime as well. I’ve given up TV. Woe is me!

    See you at OSCON 2006.

    I’m also making an appearance at BlackHat and Defcon, and will be in SF in between those two conferences, and possibly in Salt Lake City before OSCON (depends on work). If you want a Thawte Notarization for the Web of Trust (free *real* fully trusted S/MIME certificates!), please bring photocopies of your photo ID and I’ll do it for free.

  • Updated Ajax Security presentation

    I’ve updated the Ajax presentation to the slide deck I gave at OWASP EU. New pictures. More content. More size! (4.3 MB)

    Get it here:

    Ajax Security (4.3 MB PDF)

  • OWASP EU – Day 2

    Excellent day again.

    I’m still waking up far too early, but that’s okay, particularly since I had still to complete my Day 2 keynote slides, much to Dave’s disgust.


    – Leuven University

    The keynote went well, but I finished what I thought was early, when in fact, it was dead on time. This left Ivan Ristic with much less time than he had intended. 🙁

    Ivan’s talk was pretty cool – he went through the stuff you’d expect of the author of the open source web application firewall, mod_security, discussing the four major features of the software. I’ve used it before in a DDoS attack, and it worked well.

    After the morning break, I went to the invited papers track. I think this was a good idea, and the quality of the ideas was good. I think it allowed people who are not conference whores like myself to get up and speak. And considering that only a small percentage of the attendees are native English speakers, I was pleasantly surprised at the quality of the English at the conference. Awesome.

    The session riding talk was cool, but again, they’re using a non-mainstream technology to fix the problems. I think people really need to start using the major technologies which are weak rather than using esoteric languages which take their fancy. PHP needs a lot of help, for example.

    After lunch, I went to Dinis’ tool heavy presentation on the stuff he’s made this last year. Awesome tools. Might see if they work under Mono on the Mac. Except for the report generator, which is basically a waste of time. As a customer I HATE (and I mean I will return your report and not pay you HATE) getting nessus or other tool output auto-gen’d from XML into PDF. I don’t pay by the pound for my reports. I prefer short (10-20 page) reports which tell me what is wrong, carefully considered and rated. This is something that can be done in Word more easily than Dinis’ tool. I’m sure Dinis’ report writing tool (he’s a total XML freak 🙂) works for his customer, but I’m not interested. If it gets out in the big bad world, I hope it doesn’t catch on. Our value is our skilled interpretation, not 1000 page automated reports.

    After the last break, there was a panel discussion, which was far more lively than the previous day when everyone agreed with each other. It was hard as Gunnar let people speak who had more than their turn. There was one particular lady who just butted in all the time. I had my hand up for half an hour before I could get a word in edgeways, thus not allowing me to state a couple of points about user security education which I vehemently disagreed with, but couldn’t as the flow had moved on. Oh well. I’ll butt in next year – being a good guy does not pay off if you want to be heard. Despite this, it was a good and lively session.

    Dave finished the conference up. After we had finished, Pravir Chandra and I went out to dinner. I wished a few more could hang around, but many needed to get on flights home, and several wanted to go back to Brussels for food. We had a good meal in the center of the old city. Awesome food.

    I think it was extremely valuable as a conference. If I can, I’ll be back next year.