WebAppSec/MozSecureWorld: Difference between revisions
(19 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=[https://github.com/haoqili/MozSecWorld Code on GitHub]= | |||
= Purpose = | = Purpose = | ||
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers. | A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers. | ||
Line 48: | Line 49: | ||
* X-frame-options in header options | * X-frame-options in header options | ||
:P | |||
=== Cookie Protection === | === Cookie Protection === | ||
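Review bot: the ":P" line added under "X-frame-options in header options" is a stray emoticon or placeholder; either drop it or replace it with the value the demo actually sends (DENY or SAMEORIGIN) and where it is set, so the Cross Domain Controls list documents the control.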
Line 181: | Line 86: | ||
== Calendar == | == Calendar == | ||
Reminder: Put in screenshots | |||
<table border="1" cellpadding="2" cellspacing="0"> | <table border="1" cellpadding="2" cellspacing="0"> | ||
<tr> | <tr> | ||
Line 194: | Line 101: | ||
# Setup | # Setup | ||
# Cross Domain Controls | # Cross Domain Controls | ||
# Cookie Protection | |||
</td> | </td> | ||
<td> | <td> | ||
# Get Django site set up with database | # Get Django site set up with database | ||
# x-frame-options | # x-frame-options | ||
# HTTPOnly | |||
</td> | </td> | ||
<td> | <td> | ||
# Done | # Done | ||
# Done | # Done. Edit: 0 | ||
# To writeup | |||
</td> | </td> | ||
</tr> | </tr> | ||
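Review bot: the status "Done. Edit: 0" for the x-frame-options item does not say what was edited; record the header value in use, and for the new HTTPOnly row turn "To writeup" into a link to the Cookie Protection section once that write-up exists, so the calendar points at the documentation.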
Line 224: | Line 134: | ||
<td> | <td> | ||
* SQL Injection | * SQL Injection | ||
** Only use parametrization, not escaping (it's too weak and inconsistent) | |||
** No false demo (for safety reasons) | |||
** Demo of them typing in, and spitting out the results, be careful to have html entity encoding (done automatically in django, i.e.<nowiki> {{ userdata }} DON'T DO {{ userdata|safe }} </nowiki>) | |||
* write up / buttons / css everything so far | * write up / buttons / css everything so far | ||
* make wiki more readable | * make wiki more readable | ||
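Review bot: the third SQL Injection sub-item mixes two different controls; Django's automatic HTML entity encoding of {{ userdata }} is output escaping against XSS and does nothing for the database query, which the first sub-item already covers with parameterized queries. Move the autoescape / "DON'T DO {{ userdata|safe }}" warning under the output-handling items so the demo text does not suggest that entity encoding prevents SQL injection.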
Line 242: | Line 155: | ||
<td>4. 6/27 - 7/1</td> | <td>4. 6/27 - 7/1</td> | ||
<td> | <td> | ||
* | * Authentication - bcrypt / adaptive captcha | ||
*# Enable default playdoh authentication (remember to switch to bcrypt(use default settings) + nonce (define it in config file!!) ) | |||
*# Set up pages to require auth and other pages that don't require auth (decorator design principle in Django "&" above method) ... login page and logout link (destroy session ID, first check if it's default) | |||
*#* client: cookie expire old one, blank it out | |||
*#* server: invalidate to prevent replay attacks | |||
*#* --> see if it's one method, should be one method that does all of it | |||
*# Captcha stuff | |||
*## Demo how to use captcha like normal (with a form) | |||
*## Look at ratelimiting by jsocol | |||
*##* Target 1 username | |||
*##* From 1 IP | |||
</td> | </td> | ||
<td></td> | <td></td> | ||
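Review bot: the "nonce (define it in config file!!)" item describes a site-wide secret from the config file mixed into the password hash, which is a pepper rather than a nonce; bcrypt already generates a random per-password salt, so name it as a pepper and say how it is combined with the bcrypt hash so the write-up does not imply a second salt. The logout item "destroy session ID, first check if it's default" should also define what "default" means (an unauthenticated session?) before the client and server steps are merged into one method.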
Line 254: | Line 177: | ||
<td>5. 7/3 - 7/8</td> | <td>5. 7/3 - 7/8</td> | ||
<td> | <td> | ||
* | * Content Security Policy | ||
** [https://wiki.mozilla.org/Security/CSP Mozilla's page on CSP] | |||
** [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html W3's page on CSP] | |||
</td> | </td> | ||
<td></td> | <td></td> | ||
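Review bot: the week 5 cell lists only reading material; add the deliverable (the policy header the demo will send and a page showing an inline script being blocked by it) so there is something concrete to check at the end of the week.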
Line 273: | Line 198: | ||
</td> | </td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>7. 7/18 - 7/22</td> | <td>7. 7/18 - 7/22</td> | ||
<td> | <td> | ||
* [http://pypi.python.org/pypi/cef CEF logging] | |||
** create 1 event like log everytime there is a log-in | |||
* File Handling | * File Handling | ||
** [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Uploads guidelines] | |||
</td> | </td> | ||
<td></td> | <td></td> | ||
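Review bot: "create 1 event like log everytime there is a log-in" should cover failed logins as well as successful ones, with the account name and source IP in the event, since those are exactly the per-IP and per-account failure counts the adaptive captcha item depends on; say in the cell which fields the CEF event carries.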
Line 290: | Line 217: | ||
<td>8. 7/25 - 7/29</td> | <td>8. 7/25 - 7/29</td> | ||
<td> | <td> | ||
* | * Transport Security | ||
** Have strict transport security header stuff | |||
** Read [http://michael-coates.blogspot.com/2011/07/enhancing-secure-communications-with.html Michael's blog about it] | |||
** Read [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS] | |||
** Read [http://www.slideshare.net/michael_coates/ssl-screw-ups understand problem] | |||
** click around burp should show no HTTP anytime | |||
* Only SSL, all scripts, img, SSL everything SSL, | |||
* On top, do STS (Strict Transport Security) --> for browser | |||
* secure flag for all cookies | |||
</td> | |||
<td></td> | <td></td> | ||
<td> | <td> | ||
a | a | ||
</td> | </td> | ||
</tr> | |||
<tr> | |||
<td>Extra things</td> | |||
<td> | |||
* Attack Party and Fix | |||
* Make it look nice | |||
</td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td>End date: 8/12</td> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | </tr> | ||
</table> | </table> |
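Review bot: the "On top, do STS (Strict Transport Security)" item should note that browsers only honor the Strict-Transport-Security header on responses received over HTTPS, so the plain-HTTP side needs a redirect to HTTPS rather than the header itself; and "click around burp should show no HTTP anytime" only holds once that redirect is in place and every script and img URL is https, which the "Only SSL" item covers.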
Latest revision as of 18:08, 18 July 2011
Code on GitHub
Purpose
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.
Uses
- Demonstration of secure application design
- Explanation of importance and purpose of security features
- Learning tool for others to reference
- Testing site to validate effectiveness of security & design recommendations
- Evaluation tool for pen testing individuals or tools
Design
Architecture
Python on Django via Playdoh
Security Components & Controls
Authentication
- Brute force prevention via adaptive CAPTCHA - track failed logins by IP address (attacker from one IP guessing "password" on all user accounts) and by user account (Joe has 3 failed logins)
- Password storage via bcrypt (fred wenzel) and system nonce
- Account creation with blacklisted password support
- (Possible) Secure Password Reset
How
- Login with database and different users
Access Control
- Presentation, Business, Data Layer Access Control
- Presentation and Data layers use decorators
- Read about presentation layer protection
- (Possible) Two tier design for admin account separation
- The picture of separate control of changing passwords
Input Validation
- Rich text handling via bleach
- File upload support via secure file handling guidelines
- File Handling
- SQL
- Content Security Policy
- Move all JavaScript into external source files for the CSP demo, as a second barrier beyond output escaping
- (Possible) Third party service
- (Possible) Third party hosted images. Initial processing and per visit processing?
Transport Security
- Full & correct TLS
- HTTP Strict Transport Security
How
- Follow these rules
Cross Domain Controls
- X-frame-options in header options
- P
Cookie Protection
- Secure Flag
- HTTPOnly Flag
How to check
- Get Burp
- Go to your site
- You should see the HttpOnly attribute on the "Set-Cookie" header in the HTTP response
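An offline version of the Burp check above, as an added example (not code from the MozSecWorld project): it parses a captured response head and reports cookies missing Secure or HttpOnly, and also covers the X-Frame-Options and Strict-Transport-Security headers from the Cross Domain Controls and Transport Security sections. The sample response is constructed.

```python
"""Offline check for the cookie flags (Secure, HttpOnly), X-Frame-Options and
Strict-Transport-Security items on this page. Added example, not MozSecWorld
project code; input is a raw HTTP response head as captured in Burp."""

# Response headers required by the Cross Domain Controls / Transport Security items.
REQUIRED = {"x-frame-options": "clickjacking protection",
            "strict-transport-security": "HSTS"}

def parse_headers(raw):
    """Return [(name_lower, value), ...] from a raw response head."""
    headers = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def cookie_findings(set_cookie):
    """Return (cookie_name, [missing flags]) for one Set-Cookie value."""
    parts = set_cookie.split(";")
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.strip().lower() for p in parts[1:]}
    return name, [f for f in ("secure", "httponly") if f not in attrs]

def audit(raw):
    """Map 'cookie:<name>' -> missing flags and '<header>' -> why it is needed."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = {}
    for name, value in headers:
        if name == "set-cookie":
            cname, missing = cookie_findings(value)
            if missing:
                findings["cookie:" + cname] = missing
    for header, why in REQUIRED.items():
        if header not in present:
            findings[header] = ["missing (" + why + ")"]
    return findings

# Constructed sample: session cookie lacks Secure, no HSTS header, X-Frame-Options set.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: text/html; charset=utf-8\r\n"
          "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
          "Set-Cookie: csrftoken=xyz789; Path=/; Secure; HttpOnly\r\n"
          "X-Frame-Options: DENY\r\n\r\n")

if __name__ == "__main__":
    for key, issues in audit(SAMPLE).items():
        print(key, "->", ", ".join(issues))
```

Paste the response head from Burp's response pane into SAMPLE to run it against your own site.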
Roadmap
- X Setup playdoh & github
- X Running HelloWorld
- X Design Planning
- X Figure out how to do templates
- X Figure out how to put in database
- X Know how to make pages with templates
- X basic: x-frame-options
- LATER --> Install Apache basic: secure flag (June 9 pg2)
- X basic: httponly flag
- X Use bleach for rich text.
- LATER --> input the same --> output check for HTML, JS, XML (June 13 pg2)
- X Google Safe Browsing POST Lookup
- LATER --> Use Google Safe Browsing Local (June 14)
- add decorators for data and business layers
- read about presentation layer
- Complete initial presentation layer and CSS for basic item
- Authentication/login
- File upload stuff
- Write about page for each vulnerability
- Access Control
- Input Validation
Calendar
Reminder: Put in screenshots
Week | Category | Items | Done
---|---|---|---
1. 6/6 - 6/10 | | |
2. 6/13 - 6/17 | | | a
3. 6/20 - 6/24 | | | a
4. 6/27 - 7/1 | Authentication - bcrypt / adaptive captcha | | a
5. 7/3 - 7/8 | Content Security Policy | | a
6. 7/11 - 7/15 | | | a
7. 7/18 - 7/22 | CEF logging; File Handling | | a
8. 7/25 - 7/29 | Transport Security | | a
Extra things | Attack Party and Fix; Make it look nice | |
End date: 8/12 | | |