Tuesday, June 25, 2013

Video: “Hack Yourself First” and other security tips for web developers

A little while back I wrote about Hacking yourself first and detailed a bunch of different ways for developers to seek out risks in their own apps, hopefully before attackers find them first. I’m extremely enthusiastic about this approach and believe that developers need to hone cyber-offence skills in order to properly understand – and protect their apps from – risks on the web. There’s a heap more content coming from me along these lines in a variety of formats and today it’s a free video discussion on SSW TV.

These guys do a bunch of great videos on various development topics that are up on their website for free, even including my user group talk on Protecting your web apps from the tyranny of evil with OWASP recorded last year (effectively walking through the OWASP Top 10 for ASP.NET). Today’s video is a chat with SSW’s Damian Brady and we touch on a heap of different issues related to the web, ASP.NET and security in general. It’s a casual, unscripted discussion that hopefully contains some useful info for the security-conscious developer.

Monday, June 24, 2013

The security futility that is embedding secure login forms within insecure pages

I’ve been writing a bunch of content around HTTPS lately and recording videos to demonstrate the ease with which insecure implementations of SSL can be broken. For example, there was the piece on why you can’t trust SSL logos, then how loading login forms over HTTP but posting to HTTPS is pointless and, most recently, why those mixed content warnings mean easy pickings for attackers on the transport layer. All of these involve working demonstrations against real sites that just don’t quite get HTTPS.

Today’s example is about what happens when a login page is loaded securely, albeit embedded within an insecure page. This is a common security anti-pattern and you’ll see it on many sites. The example in the video is from Countdown in New Zealand but again, there are countless others out there. Take a look at the video then I’ll come back to how I mounted the attack:

Make sense? In short, you can never trust the HTTP component of the communication and without the ability to see the URL in the browser loaded over an HTTPS address with a valid certificate, the SSL implementation is almost useless.

Thursday, June 20, 2013

Dynamic security misconfiguration scanning with OnCheckin and ASafaWeb

Here’s the thing about security – you can’t just “do it” then move on. What I mean by this is that it’s a continuous process and thinking that you only need to just implement some secure coding standards or scan the website once before go live leaves a great big hole in your process.

For example, the other day I wrote about how insecurity is easy where I talked about how Black and Decker had exposed ELMAH logs. This is the tiniest of security misconfigurations which can easily happen at any time but it meant that they ended up with the credentials from a significant portion of their customer base publicly accessible – ouch! Ok, this also involved storing plain text passwords in cookies in order to facilitate the “remember me” function (no, really), but the point is in how easy it was to make a simple change that blew a massive hole in the side of their security profile.

This brings me to the point of the post: security misconfiguration happens and you need to start looking for it bang after you publish the site. Exposed ELMAH logs are one thing, but the simple security misconfigurations you can screw up on release of an ASP.NET website go well beyond that: custom errors, tracing, request validation and the way your cookies are configured, to name but a few. Each of these can be configured to leave a site vulnerable in literally just a few seconds.

For the last couple of years I’ve provided a service to detect these problems in a live site – ASafaWeb. The value proposition of ASafaWeb has always been that on demand, you can scan your live ASP.NET website and it will report on these security misconfigurations. Now I’m very happy to share how ASafaWeb has been integrated into OnCheckin (the brainchild of Doug Rathbone) to provide continuous deployment for ASP.NET websites as a cloud-based service.

OnCheckin - Cloud Powered Deployment

Tuesday, June 11, 2013

Understanding the risk of mixed content warnings

Ever see one of these?

IE8 mixed content warning

Or these?

IE10 mixed content warning

Or maybe this one?

Chrome mixed content warning

It means something is wrong with the website – very wrong – yet somehow we seem to keep building websites that do this. The problem, as you’ll see in the video below, is that it jeopardises the security of traffic going backwards and forwards over what otherwise appears to be a secure site, at least in terms of implementing SSL. This can lead to issues such as the theft of identity data, potentially including such personal information as social security numbers. Fortunately there’s a channel to report potentially fraudulent activity except that, well, this video explains it best:
