Purpose

A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.

Uses

• Demonstration of secure application design
• Explanation of importance and purpose of security features
• Learning tool for others to reference
• Testing site to validate effectiveness of security & design recommendations
• Evaluation tool for pen testing individuals or tools

Design

Architecture

Python on Django via Playdoh

Security Components & Controls

Authentication

• Brute force prevention via adaptive CAPTCHA - track failed logins by IP address (attacker from one IP guessing "password" on all useraccounts) and by user account (Joe has 3 failed logins)
• Password storage via bcrypt (fred wenzel) and system nonce
• Account creation with blacklisted password support
• (Possible) Secure Password Reset

How

• Login with database and different users

Access Control

• Presentation, Business, Data Layer Access Control
  • Presentation and Data layers use decorators
  • Read about presentation layer protection
• (Possible) Two tier design for admin account separation
  • The picture of separate control of changing passwords

Input Validation

• Rich text handling via bleach
• File upload support via secure file handling guidelines
• File Handling
• SQL
• Content Security Policy
  • outsource all javascript source! for the CSP demo as 2nd barrier beyond escaping characters
• (Possible) Third party service
• (Possible) Third party hosted images. Initial processing and per visit processing?

Transport Security

• Full & correct TLS
• HTTP Strict Transport Security

How

• Follow these rules

Cross Domain Controls

• X-frame-options in header options

See that x/frame-option is denied

Type:

> telnet 127.0.0.1 8000

> GET /en-US/msw/ HTTP/1.1

> press enter

Results: See that x-frame-options: DENY is there!

telnet 127.0.0.1 8000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /en-US/msw/ HTTP/1.1 

HTTP/1.0 200 OK
Date: Thu, 09 Jun 2011 23:41:32 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
  <head>
  <title>Hi there</title>
  </head>
  <body>

  <h1>aaiiibarbari</h1>
  
  Hi do I have a good title?

            <ul>
                            <li><a href="/msw/sqlinjection/">page title: SQL Injection</a> </li>
                            <li><a href="/msw/xss/">page title: XSS</a> </li>
                    </ul>
    
  </body>
</html>
Connection closed by foreign host.

Where playdoh set x-frame-option to "deny"

It's in vendor/src/commonware/commonware/response/middleware.py

from django.conf import settings

class FrameOptionsHeader(object):
    """
    Set an X-Frame-Options header. Default to DENY. Set
    response['x-frame-options'] = 'SAMEORIGIN'
    to override.
    """

    def process_response(self, request, response):
        if hasattr(response, 'no_frame_options'):
            return response

        if not 'x-frame-options' in response:
            response['x-frame-options'] = 'DENY'

Also see vendor/src/commonware/commonware/response/decorators.py

from functools import wraps

from django.utils.decorators import available_attrs


def xframe_sameorigin(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response['x-frame-options'] = 'SAMEORIGIN'
        return response
    return _wrapped_view


def xframe_allow(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response.no_frame_options = True
        return response
    return _wrapped_view


def xframe_deny(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response['x-frame-options'] = 'DENY'
        return response
    return _wrapped_view

Cookie Protection

• Secure Flag
• HTTPOnly Flag

How to check

1. Get Burp
2. Go to your site
3. should see that ""Set-Cookie: HTTPOnly" in the HTTP Header Response

Roadmap

1. X Setup playdoh & github
2. X Running HelloWorld
3. X Design Planning
4. X Figure out how to do templates
5. X Figure out how to put in database
6. X Know how to make pages with templates
7. X basic: x-frame-options
8. LATER --> Install Apache basic: secure flag (June 9 pg2)
9. X basic: httponly flag
10. X Use bleach for rich text.
11. LATER --> input the same --> output check for HTML, JS, XML (June 13 pg2)
12. X Google Safe Browsing POST Lookup
13. LATER --> Use Google Safe Browsing Local (June 14)
14. add decorators for data and business layers
15. read about presentation layer
16. Complete initial presentation layer and CSS for basic item
17. Authentication/login
18. File upload stuff
19. Write about page for each vulnerability
20. Access Control
21. Input Validation

Calendar

Week	Items	Category	Done
1. 6/6 - 6/10	stuff	more stuff	a
2. 6/13 - 6/17	x Richtext with bleach -> Finish Check Cert (If have time) Set up MITM to verify check cert works.	Input Validation HTTPS Validation	a
3. 6/20 - 6/24	SQL Injection write up / buttons / css everything so far make wiki more readable watch OWASP videos	Input Validation Cross Domain Controls (before) Cookie Protection (before)	a
4. 6/27 - 7/1	Content Security Policy		a
5. 7/3 - 7/8	Authentication - bcrypt / adaptive captcha		a
6. 7/11 - 7/15	Access Control (presentation business, data layers)		a
7. 7/18 - 7/22	File Handling		a
8. 7/25 - 7/29	"possible" items, catch up/extra		a

Links References

MozSecureWorld_FAQ

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines