Tuesday, August 03, 2010

Website Vulnerability Assessments: Good, Fast, or Cheap - Pick Two

Website vulnerability assessments are part of any mature secure software development lifecycle. Today software, especially web-based software, is being updated at ever-increasing speeds with the adoption of agile and other iterative development methodologies. To fit security into that fast-paced lifecycle, application security must find a way to work within the delivery requirements AND constraints. Software managers will recognize what I'm getting at as soon as they read the headline: with website vulnerability assessments, ideally you want them good, fast, and cheap.

Good = comprehensive assessments focused on finding as many as possible of the vulnerabilities that bad guys really exploit. This requires an experienced pen-tester, a top-tier scanner, and a thorough threat-based testing methodology.

Fast = assessments completed within a couple of days, or more specifically within a given QA testing window, so that any outstanding issues can preferably be addressed before the production release.

Cheap = assessments that can be routinely performed with each code change without exceeding the allocated budget.

The challenge, as illustrated by the Project Triangle, is that unfortunately you can't have it all. Choices and tradeoffs must be made. As Wikipedia elegantly puts it (Project Triangle): "Like any human undertaking, projects need to be performed and delivered under certain constraints. Traditionally, these constraints have been listed as 'scope,' 'time,' and 'cost.'"

When it comes to website vulnerability assessments, enterprises are faced with a similar choice:
  • Performed comprehensively and quickly, but it will not be cheap.
  • Performed quickly and cheaply, but this will likely lead to missed vulnerabilities and potentially a security incident.
  • Performed comprehensively and cheaply, but it will take a long time.
Good, Fast, or Cheap -- Pick Two.

Monday, August 02, 2010

Breaking Browsers: Hacking Auto-Complete (All Materials Available)

BlackHat was one amazing ride. Over 5,000 people attended, a conference record. I got to see a ton of friends and colleagues and was fortunate enough to meet many new and interesting people. Of course a big highlight for me was my presentation, which roughly 800 - 1,000 people showed up for. A great turnout considering the talk was up against really solid and well-known presenters like Haroon Meer, Moxie Marlinspike, Christofer Hoff, and Ivan Ristic. Aside from some projector glitches and a failed cookie eviction demo, everything went smoothly. From feedback in the hallway, much of the audience's pin-drop silence was due to shock at how ridiculously simple yet effective these hacks were. :)

Essentially I described how a malicious website could steal its visitors' names, job titles, workplaces, physical addresses, telephone numbers, email addresses, usernames, passwords, search terms, social security numbers, credit card numbers, and on and on by manipulating a Web browser's HTML form auto-complete / autofill functionality. For good measure I also showed how a Web page could evict all of a user's cookies, thereby automatically logging users out of all their current sessions, deleting tracking cookies, and so on. Lastly, with only clever bits of JavaScript, these attacks can impact millions of Web users cheaply via online advertising networks. Yes, a lot of fun.

My complete "Breaking Browsers: Hacking Auto-Complete" slide deck is available. I've put up a series of blog posts describing each of the distinct Web hacking techniques, complete with proof-of-concept code, screenshots, videos, and technical explanations. Enjoy!

Other closely related Auto-Complete / AutoFill bugs: