WebAppSec/MozSecureWorld: Difference between revisions
Jump to navigation
Jump to search
| Line 15: | Line 15: | ||
== Security Components & Controls == | == Security Components & Controls == | ||
=== Authentication === | === Authentication === | ||
* Brute force prevention via adaptive CAPTCHA | * Brute force prevention via adaptive CAPTCHA - track failed logins by IP address (attacker from one IP guessing "password" on all useraccounts) and by user account (Joe has 3 failed logins) | ||
* Password storage via bcrypt and system nonce | * Password storage via bcrypt (fred wenzel) and system nonce | ||
* Account creation with blacklisted password support | * Account creation with blacklisted password support | ||
* (Possible) Secure Password Reset | * (Possible) Secure Password Reset | ||
Revision as of 21:41, 16 June 2011
Purpose
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.
Uses
- Demonstration of secure application design
- Explanation of importance and purpose of security features
- Learning tool for others to reference
- Testing site to validate effectiveness of security & design recommendations
- Evaluation tool for pen testing individuals or tools
Design
Architecture
Python on Django via Playdoh
Security Components & Controls
Authentication
- Brute force prevention via adaptive CAPTCHA - track failed logins by IP address (attacker from one IP guessing "password" on all useraccounts) and by user account (Joe has 3 failed logins)
- Password storage via bcrypt (fred wenzel) and system nonce
- Account creation with blacklisted password support
- (Possible) Secure Password Reset
How
- Login with database and different users
Access Control
- Presentation, Business, Data Layer Access Control
- Presentation and Data layers use decorators
- Read about presentation layer protection
- (Possible) Two tier design for admin account separation
- The picture of separate control of changing passwords
Input Validation
- Rich text handling via bleach
- File upload support via secure file handling guidelines
- File Handling
- SQL
- Content Security Policy
- outsource all javascript source! for the CSP demo as 2nd barrier beyond escaping characters
- (Possible) Third party service
- (Possible) Third party hosted images. Initial processing and per visit processing?
Transport Security
- Full & correct TLS
- HTTP Strict Transport Security
How
- Follow these rules
Cross Domain Controls
- X-frame-options in header options
See that x/frame-option is denied
Type:
> telnet 127.0.0.1 8000
> GET /en-US/msw/ HTTP/1.1
> press enter
Results: See that x-frame-options: DENY is there!
telnet 127.0.0.1 8000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /en-US/msw/ HTTP/1.1
HTTP/1.0 200 OK
Date: Thu, 09 Jun 2011 23:41:32 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8
<!DOCTYPE html>
<head>
<title>Hi there</title>
</head>
<body>
<h1>aaiiibarbari</h1>
Hi do I have a good title?
<ul>
<li><a href="/msw/sqlinjection/">page title: SQL Injection</a> </li>
<li><a href="/msw/xss/">page title: XSS</a> </li>
</ul>
</body>
</html>
Connection closed by foreign host.
Where playdoh set x-frame-option to "deny"
It's in vendor/src/commonware/commonware/response/middleware.py
from django.conf import settings
class FrameOptionsHeader(object):
"""
Set an X-Frame-Options header. Default to DENY. Set
response['x-frame-options'] = 'SAMEORIGIN'
to override.
"""
def process_response(self, request, response):
if hasattr(response, 'no_frame_options'):
return response
if not 'x-frame-options' in response:
response['x-frame-options'] = 'DENY'
Also see vendor/src/commonware/commonware/response/decorators.py
from functools import wraps
from django.utils.decorators import available_attrs
def xframe_sameorigin(view_fn):
@wraps(view_fn, assigned=available_attrs(view_fn))
def _wrapped_view(request, *args, **kwargs):
response = view_fn(request, *args, **kwargs)
response['x-frame-options'] = 'SAMEORIGIN'
return response
return _wrapped_view
def xframe_allow(view_fn):
@wraps(view_fn, assigned=available_attrs(view_fn))
def _wrapped_view(request, *args, **kwargs):
response = view_fn(request, *args, **kwargs)
response.no_frame_options = True
return response
return _wrapped_view
def xframe_deny(view_fn):
@wraps(view_fn, assigned=available_attrs(view_fn))
def _wrapped_view(request, *args, **kwargs):
response = view_fn(request, *args, **kwargs)
response['x-frame-options'] = 'DENY'
return response
return _wrapped_view
Cookie Protection
- Secure Flag
- HTTPOnly Flag
How to check
- Get Burp
- Go to your site
- should see that ""Set-Cookie: HTTPOnly" in the HTTP Header Response
Roadmap
- X Setup playdoh & github
- X Running HelloWorld
- X Design Planning
- X Figure out how to do templates
- X Figure out how to put in database
- X Know how to make pages with templates
- X basic: x-frame-options
- LATER --> Install Apache basic: secure flag (June 9 pg2)
- X basic: httponly flag
- X Use bleach for rich text.
- LATER --> input the same --> output check for HTML, JS, XML (June 13 pg2)
- X Google Safe Browsing POST Lookup
- LATER --> Use Google Safe Browsing Local (June 14)
- add decorators for data and business layers
- read about presentation layer
- Complete initial presentation layer and CSS for basic item
- Authentication/login
- File upload stuff
- Write about page for each vulnerability
- Access Control
- Input Validation