Security in the age of frameworks

A presentation at FSec in September 2016 in Varaždin, Croatia by Luka Kladaric

Slide 1

SECURITY IN THE AGE OF FRAMEWORKS
LUKA KLADARIC // L@K.HR // @KLL
1 — FSec 2016

Slide 2

Slide 3

ONCE UPON A TIME...

Slide 4

WE WROTE OUR OWN CODE

Slide 5

ALL OF IT.

Slide 6

so we knew what was in it. we knew every little bit.

Slide 7

WHO IS THIS GUY?

Slide 8

Luka Kladaric (1985)
> started doing web stuff around 1997
> JavaScript before jQuery
> server-side with ASP/VBScript (~1999)
> ran away to PHP (~2002)
> ran away to Python (~2013)
> ran away to devops

Slide 9

Today we "know better" than to code everything from scratch

Slide 10

So we rely on frameworks

Slide 11

and libraries & a bunch of 3rd party code

Slide 12

we outsource authentication...

Slide 13

logging...

Slide 14

database interaction...

Slide 15

API connectivity...

Slide 16

everything that isn't strictly unique to the problem we're solving

Slide 17

this presents an RTFM problem

Slide 18

How does this problem manifest itself?

Slide 19

Story time! (Demo 1)

Slide 20

Example Co builds their first webapp
> an internal dashboard at control.example.com

authentication?

Slide 21

Slide 22

Slide 23

Slide 24

But if the app servers only ever see HTTP (TLS ends at the load balancer in front of them), how will they know the client used HTTPS?

Slide 25

Spoiler: they won't (not by default, anyway)

Slide 26

What we'd like to see

Slide 27

Slide 28

Slide 29

Fixes:
> respect the X-Forwarded-Proto header the load balancer sets

Slide 30

watch out: the different components in the path (load balancer, web server, framework) treat these headers differently

Slide 31

make any SSL config change trigger an audit

Slide 32

remove http:// entries from the OAuth whitelist

Slide 33

HSTS headers (HTTP Strict Transport Security)

Slide 34

difficult to catch: browsers don't report any of this as bad behavior
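The first and last of these fixes in working form, as an added example that is not code from the talk: a small WSGI middleware (standard library only) that honours X-Forwarded-Proto only when the request came from the load balancer's own address range, redirects anything that is still plain HTTP, and adds Strict-Transport-Security to every HTTPS response. The trusted range 10.0.0.0/8, the hostname control.example.com and the three sample requests are constructed for the example. In Flask the production equivalent is werkzeug's ProxyFix (x_proto=1) plus an HSTS header; in Django it is SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") together with SECURE_SSL_REDIRECT and SECURE_HSTS_SECONDS.

```python
import ipaddress

# Constructed assumption: the load balancer lives in this range. Anything
# else that reaches the app server directly must not be able to set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def effective_scheme(environ, trusted=TRUSTED_PROXIES):
    """Scheme the client actually used: X-Forwarded-Proto is believed only
    when the immediate peer (REMOTE_ADDR) is a trusted proxy."""
    fallback = environ.get("wsgi.url_scheme", "http")
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return fallback
    if forwarded and any(peer in net for net in trusted):
        # Chained proxies append values; the first one is the client-facing hop.
        return forwarded.split(",")[0].strip().lower()
    return fallback


class ProxyHttpsMiddleware:
    """Restore wsgi.url_scheme, redirect plain HTTP to HTTPS, add HSTS."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        scheme = effective_scheme(environ, self.trusted)
        environ["wsgi.url_scheme"] = scheme
        if scheme != "https":
            qs = environ.get("QUERY_STRING", "")
            location = "https://%s%s%s" % (
                environ.get("HTTP_HOST", "localhost"),
                environ.get("PATH_INFO", "/"),
                "?" + qs if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Browsers ignore HSTS received over plain HTTP, so it is only sent here.
            extra = [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, with_hsts)


def hello_app(environ, start_response):
    """Stand-in for the dashboard application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"dashboard"]


def run_request(environ):
    """Drive the wrapped app in-process; returns (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(ProxyHttpsMiddleware(hello_app)(dict(environ), start_response))
    return seen["status"], seen["headers"], body


# Constructed requests as the app server sees them: always plain HTTP on the wire.
FROM_LB_HTTPS = {"REMOTE_ADDR": "10.1.2.3", "HTTP_HOST": "control.example.com",
                 "PATH_INFO": "/", "wsgi.url_scheme": "http",
                 "HTTP_X_FORWARDED_PROTO": "https"}
FROM_LB_HTTP = dict(FROM_LB_HTTPS, HTTP_X_FORWARDED_PROTO="http")
SPOOFED = dict(FROM_LB_HTTPS, REMOTE_ADDR="203.0.113.9")  # header from a non-proxy

if __name__ == "__main__":
    for name, env in (("via LB, https", FROM_LB_HTTPS), ("via LB, http", FROM_LB_HTTP),
                      ("spoofed header", SPOOFED)):
        status, headers, _ = run_request(env)
        print(name, "->", status,
              headers.get("Location", headers.get("Strict-Transport-Security")))
```

The trusted-peer check is the part that goes wrong when each hop handles the header differently: if the load balancer does not overwrite a client-supplied X-Forwarded-Proto and the application trusts the header unconditionally, any client can claim HTTPS and skip the redirect. The redirect alone does not fix the old http:// bookmarks either; only HSTS makes the browser stop sending that first plaintext request.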

Slide 35

Story time! (Demo 2)

Slide 36

Slide 37

Slide 38

if you've ever set up OAuth

Slide 39

for multiple apps

Slide 40

against the same provider

Slide 41

... did you bother setting up separate OAuth clients?

Slide 42

yeah.

Slide 43
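What separate OAuth clients actually buy you, as an added example that is not from the talk: a model of the provider's redirect_uri check and of the application's audience check, run against two constructed client registries. SHARED is the one-client-for-everything setup, complete with a stale http:// callback of the kind the fixes list says to remove; SEPARATE registers one client per app with only its own HTTPS callback. The client ids, hostnames and the issuer URL https://idp.example are assumptions made for the example.

```python
from urllib.parse import urlsplit

ISSUER = "https://idp.example"  # assumed identity provider

# Constructed registries as the provider would hold them.
SHARED = {
    "example-co": {"redirect_uris": {
        "https://control.example.com/oauth/callback",
        "http://control.example.com/oauth/callback",   # stale plaintext entry
        "https://billing.example.com/oauth/callback",
    }},
}
SEPARATE = {
    "control-dashboard": {"redirect_uris": {"https://control.example.com/oauth/callback"}},
    "billing": {"redirect_uris": {"https://billing.example.com/oauth/callback"}},
}


def validate_redirect(registry, client_id, redirect_uri):
    """Provider side: accept only an exact, registered, https redirect_uri."""
    client = registry.get(client_id)
    if client is None:
        return False, "unknown client_id"
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False, "redirect_uri must be https"
    if parts.fragment:
        return False, "fragment not allowed"
    if redirect_uri not in client["redirect_uris"]:
        # Exact string match: no prefix or subdomain matching, which is what
        # lets an attacker-controlled path or host receive the code.
        return False, "redirect_uri not registered"
    return True, "ok"


def accept_id_token(claims, my_client_id, issuer=ISSUER):
    """App side: a token minted for another client must not log anyone in.
    `claims` is the already-verified token body; only iss/aud are checked here."""
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return my_client_id in auds


def audit_registry(registry):
    """What a reviewer would flag: non-https callbacks and one client serving many hosts."""
    findings = []
    for client_id, cfg in registry.items():
        hosts = set()
        for uri in cfg["redirect_uris"]:
            parts = urlsplit(uri)
            hosts.add(parts.netloc)
            if parts.scheme != "https":
                findings.append("%s: non-https redirect %s" % (client_id, uri))
        if len(hosts) > 1:
            findings.append("%s: one client serves %d hosts %s"
                            % (client_id, len(hosts), sorted(hosts)))
    return findings


if __name__ == "__main__":
    print(validate_redirect(SHARED, "example-co", "http://control.example.com/oauth/callback"))
    billing_token = {"iss": ISSUER, "aud": "billing", "sub": "luka"}
    print("billing token accepted by dashboard:",
          accept_id_token(billing_token, "control-dashboard"))
    for finding in audit_registry(SHARED):
        print("audit:", finding)
```

With SHARED, every token carries aud example-co, so a token obtained for the low-privilege app is accepted by the high-privilege one, and an authorization code may legitimately be redirected to any of the three callbacks. With SEPARATE, each app accepts only tokens for its own client_id, and the provider will only ever deliver a code to that app's own HTTPS callback. audit_registry is the check to run over your provider's client list.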

Slide 44

Story time! (Demo 3)

Slide 45

Cookie: session=.eJxljssKgkAYRl8l_rWJl1ScnWkLC8msaBEik046po7YGF7w3Su3bg7f4vBxRM1Zl-C6g3BpcVqS6M1xWQOSN4ZqKrJqatMXy0NLzg.CrvTRg.5bTUddcAEVMFMth_IuPteZT0OjA; HttpOnly; Path=/

Slide 46

How is the cookie signed?

Slide 47

Flask

Slide 48

Django

Slide 49

Slide 50

Slide 51

A badly configured SECRET_KEY is next to impossible to catch
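The cookie format on the slide, reimplemented with the standard library as an added example (this is not Flask's, itsdangerous' or the talk's code). A Flask session cookie is a base64url JSON payload (zlib-compressed and prefixed with a dot when that is shorter), a timestamp, and an HMAC-SHA1 signature keyed by a value derived from SECRET_KEY with the salt "cookie-session". The version below keeps that construction but always compresses and uses a plain Unix timestamp, so it is not byte-compatible with any particular itsdangerous release. The session contents and the list of weak keys are constructed. It shows the two things that matter: the payload is readable by anyone holding the cookie (note that the cookie on the slide is HttpOnly but carries no Secure flag), and a SECRET_KEY copied from a tutorial, committed to a repo or shared between apps lets anyone mint a cookie the app will trust.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # the salt Flask's session interface passes to itsdangerous


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def _sign(secret_key, value):
    # Key derivation "hmac": HMAC(SECRET_KEY, salt); the result keys the HMAC over value.
    derived = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, value, hashlib.sha1).digest())


def dump_session(data, secret_key, now=None):
    """Serialize to '.payload.timestamp.signature' (always compressed here)."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    payload = b"." + _b64e(zlib.compress(raw))
    ts = int(time.time() if now is None else now)
    stamp = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = payload + b"." + stamp
    return (value + b"." + _sign(secret_key, value)).decode()


def peek_session(cookie):
    """Decode the payload with NO key: the cookie is signed, not encrypted."""
    parts = cookie.encode().split(b".")
    if cookie.startswith("."):
        return json.loads(zlib.decompress(_b64d(parts[1])))
    return json.loads(_b64d(parts[0]))


def load_session(cookie, secret_key, max_age=None, now=None):
    """Verify the signature (and optionally the age); None means reject."""
    value, _, sig = cookie.encode().rpartition(b".")
    if not hmac.compare_digest(_sign(secret_key, value), sig):
        return None
    if max_age is not None:
        ts = int.from_bytes(_b64d(value.rsplit(b".", 1)[1]), "big")
        if (time.time() if now is None else now) - ts > max_age:
            return None
    return peek_session(cookie)


# Constructed: keys that turn up in tutorials, sample configs and copy-pasted settings.
WEAK_KEYS = ["changeme", "secret", "dev", "development", "super secret key", "password"]


def find_weak_key(cookie, candidates=WEAK_KEYS):
    """Return the candidate SECRET_KEY that verifies this cookie, else None.
    Point it at a real session cookie from your own deployment."""
    for key in candidates:
        if load_session(cookie, key) is not None:
            return key
    return None


def forge_admin(cookie, candidates=WEAK_KEYS):
    """With a weak key, re-sign the same session with role=admin."""
    key = find_weak_key(cookie, candidates)
    if key is None:
        return None
    data = peek_session(cookie)
    data["role"] = "admin"
    return dump_session(data, key)


if __name__ == "__main__":
    cookie = dump_session({"user_id": 42, "role": "viewer"}, "dev")
    print("payload without key:", peek_session(cookie))
    print("weak key found:", find_weak_key(cookie))
    print("forged cookie verifies as:", load_session(forge_admin(cookie), "dev"))
```

Nothing in the cookie itself reveals whether the key behind it is "dev" or 32 random bytes, which is why this is so hard to catch from the outside; find_weak_key against your own production cookie, and a grep for SECRET_KEY in the repo, are the two checks that do catch it. The same construction with the same key on two apps means a cookie from one verifies on the other, which is where the privilege escalation comes from.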

Slide 52

All of these combined mean:

Slide 53

spear phishing vector

Slide 54

privilege escalation

Slide 55

forced insecure comms

Slide 56

attacker traffic indistinguishable from regular traffic

Slide 57

the LB here isn't to blame

Slide 58

people have ancient bookmarks pointing to http

Slide 59

ALL THINGS BEING EQUAL BUT RUNNING ON A SINGLE MACHINE THIS WOULD STILL BE A VULNERABLE SETUP

Slide 60

HSTS IS A MUST

Slide 61

Story time! (Demo 4)

Slide 62

CSRF protection disabled. Yup, found this one too.

Slide 63

IT COMES WITH THE THING. LEAVE CSRF PROTECTION ALONE.
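One way to make "leave CSRF protection alone" something a code review can enforce, as an added example not from the talk: a scan for the lines that switch the framework's protection off in Django (csrf_exempt, CsrfViewMiddleware commented out of MIDDLEWARE) and Flask-WTF (WTF_CSRF_ENABLED = False, @csrf.exempt). The three sample files are constructed for the example; the identifiers are the frameworks' real ones.

```python
import re

# (pattern, what the reviewer should ask about). Identifiers are the real Django / Flask-WTF ones.
PATTERNS = [
    (re.compile(r"^\s*@csrf_exempt\b"), "Django view opts out with @csrf_exempt"),
    (re.compile(r"\bcsrf_exempt\s*\("), "Django view wrapped in csrf_exempt()"),
    (re.compile(r"^\s*#.*CsrfViewMiddleware"), "CsrfViewMiddleware commented out of MIDDLEWARE"),
    (re.compile(r"^\s*(WTF_CSRF_ENABLED|WTF_CSRF_CHECK_DEFAULT|CSRF_ENABLED)\s*=\s*False\b"),
     "Flask-WTF CSRF protection disabled in config"),
    (re.compile(r"^\s*@csrf\.exempt\b"), "Flask-WTF view opts out with @csrf.exempt"),
]


def scan(source, filename):
    """Return (filename, line number, message) for every line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, message in PATTERNS:
            if pattern.search(line):
                findings.append((filename, lineno, message))
                break
    return findings


def scan_files(files):
    """files: {name: source}. In real use, read every *.py under the repository."""
    return [f for name, src in files.items() for f in scan(src, name)]


# Constructed sample files: each pattern next to lines that must not match.
SAMPLES = {
    "settings.py": (
        "MIDDLEWARE = [\n"
        "    'django.middleware.security.SecurityMiddleware',\n"
        "    # 'django.middleware.csrf.CsrfViewMiddleware',\n"
        "]\n"
        "WTF_CSRF_ENABLED = False\n"
    ),
    "views.py": (
        "from django.views.decorators.csrf import csrf_exempt\n"
        "\n"
        "@csrf_exempt\n"
        "def webhook(request):\n"
        "    return HttpResponse('ok')\n"
        "\n"
        "@login_required\n"
        "def dashboard(request):\n"
        "    return render(request, 'dash.html')\n"
    ),
    "app.py": (
        "csrf = CSRFProtect(app)\n"
        "\n"
        "@app.route('/health')\n"
        "@csrf.exempt\n"
        "def health():\n"
        "    return 'ok'\n"
    ),
}


def review_findings(files=SAMPLES):
    return scan_files(files)


if __name__ == "__main__":
    for name, lineno, message in review_findings():
        print("%s:%d: %s" % (name, lineno, message))
```

A match is a review item, not automatically a bug: a webhook endpoint authenticated by its own signature may legitimately be exempt. The point is that the exemption should be deliberate, documented and scoped to that one view, never a global WTF_CSRF_ENABLED = False or a middleware line commented out "temporarily".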

Slide 64

TAKEAWAYS
UNDERSTAND THE STUFF YOU USE BETTER.

Slide 65

BE MORE VIGILANT WITH CODE REVIEWS ON SECURITY-IMPACTING STUFF

Slide 66

BRING IN A FRESH PAIR OF EYES EVERY ONCE IN A WHILE

Slide 67

This talk is not an endorsement to roll everything yourself.

Slide 68

THANK YOU
LUKA KLADARIC // L@K.HR // @KLL