WebAppSec/MozSecureWorld: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
 
(30 intermediate revisions by the same user not shown)
Line 1: Line 1:
=[https://github.com/haoqili/MozSecWorld Code on GitHub]=
= Purpose =
= Purpose =
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.
Line 15: Line 16:
== Security Components & Controls ==
== Security Components & Controls ==
=== Authentication ===
=== Authentication ===
* Brute force prevention via adaptive CAPTCHA
* Brute force prevention via adaptive CAPTCHA - track failed logins by IP address (attacker from one IP guessing "password" on all useraccounts) and by user account (Joe has 3 failed logins)
* Password storage via bcrypt and system nonce
* Password storage via bcrypt (fred wenzel) and system nonce
* Account creation with blacklisted password support
* Account creation with blacklisted password support
* (Possible) Secure Password Reset  
* (Possible) Secure Password Reset  
Line 48: Line 49:
* X-frame-options in header options
* X-frame-options in header options


==== See that x/frame-option is denied ====
:P
Type:
 
> telnet 127.0.0.1 8000
 
> GET /en-US/msw/ HTTP/1.1
 
> press enter
 
Results:  See that '''x-frame-options: DENY''' is there! 
<pre>
telnet 127.0.0.1 8000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /en-US/msw/ HTTP/1.1
 
HTTP/1.0 200 OK
Date: Thu, 09 Jun 2011 23:41:32 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8
 
<!DOCTYPE html>
  <head>
  <title>Hi there</title>
  </head>
  <body>
 
  <h1>aaiiibarbari</h1>
 
  Hi do I have a good title?
 
            <ul>
                            <li><a href="/msw/sqlinjection/">page title: SQL Injection</a> </li>
                            <li><a href="/msw/xss/">page title: XSS</a> </li>
                    </ul>
   
  </body>
</html>
Connection closed by foreign host.
</pre>
 
 
==== Where playdoh set x-frame-option to "deny" ====
It's in ''vendor/src/commonware/commonware/response/middleware.py''
<pre>
from django.conf import settings
 
class FrameOptionsHeader(object):
    """
    Set an X-Frame-Options header. Default to DENY. Set
    response['x-frame-options'] = 'SAMEORIGIN'
    to override.
    """
 
    def process_response(self, request, response):
        if hasattr(response, 'no_frame_options'):
            return response
 
        if not 'x-frame-options' in response:
            response['x-frame-options'] = 'DENY'
</pre>
 
Also see ''vendor/src/commonware/commonware/response/decorators.py''
<pre>
from functools import wraps
 
from django.utils.decorators import available_attrs
 
 
def xframe_sameorigin(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response['x-frame-options'] = 'SAMEORIGIN'
        return response
    return _wrapped_view
 
 
def xframe_allow(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response.no_frame_options = True
        return response
    return _wrapped_view
 
 
def xframe_deny(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response['x-frame-options'] = 'DENY'
        return response
    return _wrapped_view
</pre>


=== Cookie Protection ===
=== Cookie Protection ===
Line 179: Line 84:
# Access Control
# Access Control
# Input Validation
# Input Validation
== Calendar ==
Reminder: Put in screenshots
<table border="1" cellpadding="2" cellspacing="0">
<tr>
<th>Week</th>
<th>Category</th>
<th>Items</th>
<th>Done</th>
</tr>
<tr>
<td> 1. 6/6 - 6/10</td> 
<td>
# Setup
# Cross Domain Controls
# Cookie Protection
</td>
<td>
# Get Django site set up with database
# x-frame-options
# HTTPOnly
</td>
<td>
# Done
# Done. Edit: 0
# To writeup
</td>
</tr>
<tr>
<td> 2. 6/13 - 6/17</td> 
<td>
* x Richtext with bleach
* -> Finish Check Cert
** (If have time) Set up MITM to verify check cert works.
</td>
<td>
* Input Validation
* HTTPS Validation</td>
<td>
a
</td>
</tr>
<tr>
<td>3. 6/20 - 6/24</td>
<td>
* SQL Injection
** Only use parametrization, not escaping (it's too weak and inconsistent)
** No false demo (for safety reasons)
** Demo of them typing in, and spitting out the results, be careful to have html entity encoding (done automatically in django, i.e.<nowiki> {{ userdata }} DON'T DO {{ userdata|safe }} </nowiki>)
* write up / buttons / css everything so far
* make wiki more readable
* watch OWASP videos
</td>
<td>
* Input Validation
* Cross Domain Controls (before)
* Cookie Protection (before)
</td>
<td>
a
</td>
</tr>
<tr>
<td>4. 6/27 - 7/1</td>
<td>
* Authentication - bcrypt / adaptive captcha
*# Enable default playdoh authentication (remember to switch to bcrypt(use default settings) + nonce (define it in config file!!) )
*# Set up pages to require auth and other pages that don't require auth (decorator design principle in Django "&" above method) ... login page and logout link (destroy session ID, first check if it's default)
*#* client: cookie expire old one, blank it out
*#* server: invalidate to prevent replay attacks
*#* --> see if it's one method, should be one method that does all of it
*# Captcha stuff
*## Demo how to use captcha like normal (with a form)
*## Look at ratelimiting by jsocol
*##* Target 1 username
*##* From 1 IP
</td>
<td></td>
<td>
a
</td>
</tr>
<tr>
<td>5. 7/3 - 7/8</td>
<td>
* Content Security Policy
** [https://wiki.mozilla.org/Security/CSP Mozilla's page on CSP]
** [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html W3's page on CSP]
</td>
<td></td>
<td>
a
</td>
</tr>
<tr>
<td>6. 7/11 - 7/15</td>
<td>
* Access Control (presentation business, data layers)
</td>
<td></td>
<td>
a
</td>
</tr>
<tr>
<td>7. 7/18 - 7/22</td>
<td>
* [http://pypi.python.org/pypi/cef CEF logging]
** create 1 event like log everytime there is a log-in
* File Handling
** [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Uploads guidelines]
</td>
<td></td>
<td>
a
</td>
</tr>
<tr>
<td>8. 7/25 - 7/29</td>
<td>
* Transport Security
** Have strict transport security header stuff
** Read [http://michael-coates.blogspot.com/2011/07/enhancing-secure-communications-with.html Michael's blog about it]
** Read [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS]
** Read [http://www.slideshare.net/michael_coates/ssl-screw-ups understand problem]
** click around burp should show no HTTP anytime
* Only SSL, all scripts, img, SSL everything SSL,
* On top, do STS (Strict Transport Security) --> for browser
* secure flag for all cookies
</td>
<td></td>
<td>
a
</td>
</tr>
<tr>
<td>Extra things</td>
<td>
* Attack Party and Fix
* Make it look nice
</td>
<td></td>
<td></td>
</tr>
<tr>
<td>End date: 8/12</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>


== Links References ==
== Links References ==

Latest revision as of 18:08, 18 July 2011

Code on GitHub

Purpose

A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.

Uses

  • Demonstration of secure application design
  • Explanation of importance and purpose of security features
  • Learning tool for others to reference
  • Testing site to validate effectiveness of security & design recommendations
  • Evaluation tool for pen testing individuals or tools

Design

Architecture

Python on Django via Playdoh

Security Components & Controls

Authentication

  • Brute force prevention via adaptive CAPTCHA - track failed logins by IP address (attacker from one IP guessing "password" on all useraccounts) and by user account (Joe has 3 failed logins)
  • Password storage via bcrypt (fred wenzel) and system nonce
  • Account creation with blacklisted password support
  • (Possible) Secure Password Reset

How

  • Login with database and different users

Access Control

  • Presentation, Business, Data Layer Access Control
    • Presentation and Data layers use decorators
    • Read about presentation layer protection
  • (Possible) Two tier design for admin account separation
    • The picture of separate control of changing passwords

Input Validation

  • Rich text handling via bleach
  • File upload support via secure file handling guidelines
  • File Handling
  • SQL
  • Content Security Policy
    • outsource all javascript source! for the CSP demo as 2nd barrier beyond escaping characters
  • (Possible) Third party service
  • (Possible) Third party hosted images. Initial processing and per visit processing?

Transport Security

  • Full & correct TLS
  • HTTP Strict Transport Security

How

Cross Domain Controls

  • X-frame-options in header options
P

Cookie Protection

  • Secure Flag
  • HTTPOnly Flag


How to check

  1. Get Burp
  2. Go to your site
  3. should see that ""Set-Cookie: HTTPOnly" in the HTTP Header Response

Roadmap

  1. X Setup playdoh & github
  2. X Running HelloWorld
  3. X Design Planning
  4. X Figure out how to do templates
  5. X Figure out how to put in database
  6. X Know how to make pages with templates
  7. X basic: x-frame-options
  8. LATER --> Install Apache basic: secure flag (June 9 pg2)
  9. X basic: httponly flag
  10. X Use bleach for rich text.
  11. LATER --> input the same --> output check for HTML, JS, XML (June 13 pg2)
  12. X Google Safe Browsing POST Lookup
  13. LATER --> Use Google Safe Browsing Local (June 14)
  14. add decorators for data and business layers
  15. read about presentation layer
  16. Complete initial presentation layer and CSS for basic item
  17. Authentication/login
  18. File upload stuff
  19. Write about page for each vulnerability
  20. Access Control
  21. Input Validation

Calendar

Reminder: Put in screenshots

Week Category Items Done
1. 6/6 - 6/10
  1. Setup
  2. Cross Domain Controls
  3. Cookie Protection
  1. Get Django site set up with database
  2. x-frame-options
  3. HTTPOnly
  1. Done
  2. Done. Edit: 0
  3. To writeup
2. 6/13 - 6/17
  • x Richtext with bleach
  • -> Finish Check Cert
    • (If have time) Set up MITM to verify check cert works.
  • Input Validation
  • HTTPS Validation

a

3. 6/20 - 6/24
  • SQL Injection
    • Only use parametrization, not escaping (it's too weak and inconsistent)
    • No false demo (for safety reasons)
    • Demo of them typing in, and spitting out the results, be careful to have html entity encoding (done automatically in django, i.e. {{ userdata }} DON'T DO {{ userdata|safe }} )
  • write up / buttons / css everything so far
  • make wiki more readable
  • watch OWASP videos
  • Input Validation
  • Cross Domain Controls (before)
  • Cookie Protection (before)

a

4. 6/27 - 7/1
  • Authentication - bcrypt / adaptive captcha
    1. Enable default playdoh authentication (remember to switch to bcrypt(use default settings) + nonce (define it in config file!!) )
    2. Set up pages to require auth and other pages that don't require auth (decorator design principle in Django "&" above method) ... login page and logout link (destroy session ID, first check if it's default)
      • client: cookie expire old one, blank it out
      • server: invalidate to prevent replay attacks
      • --> see if it's one method, should be one method that does all of it
    3. Captcha stuff
      1. Demo how to use captcha like normal (with a form)
      2. Look at ratelimiting by jsocol
        • Target 1 username
        • From 1 IP

a

5. 7/3 - 7/8

a

6. 7/11 - 7/15
  • Access Control (presentation business, data layers)

a

7. 7/18 - 7/22

a

8. 7/25 - 7/29
  • Transport Security
  • Only SSL, all scripts, img, SSL everything SSL,
  • On top, do STS (Strict Transport Security) --> for browser
  • secure flag for all cookies

a

Extra things
  • Attack Party and Fix
  • Make it look nice
End date: 8/12

Links References

MozSecureWorld_FAQ

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

Retrieved from "https://wiki.allizom.org/index.php?title=WebAppSec/MozSecureWorld&oldid=330583"