# Web App Vulnerability Prevention
# Authentication & Access Control
# Component & Logging Security

## Reinforce Web App Security at Salesforce

Open Web Application Security Project (OWASP) Top 10
- 10 most common type of attacks
- last update 2017
- open source project 
- spreads the word about application security vulnerabilities, best practices, and remediation.
-  free tools, libraries, and APIs to help developers build secure and robust applications.

[www.OWASP.org](https://www.OWASP.org)

----

## OWASP 2017 Top 10

1. [Injection](#injection)
2. [Broken Authentication](#bauth)
3. [Sensitive Data Exposure](#sde)
4. [XML External Entities (XXE)](#xxe)
5. [Broken Access Control](#bac)
6. [Security Misconfiguration](#sm)
7. [Cross-Site Scripting (XSS)](#xss)
8. [Insecure Deserialization](#des)
9. [Using Components with Known Vulnerabilities](#vuln)
10. [Insufficient Logging & Monitoring](#log)

----

## Cheat Sheets

- [Authentication](https://www.owasp.org/index.php/Authentication_Cheat_Sheet)
- [Session Management](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet)
- [Deserialization](https://www.owasp.org/index.php/Deserialization_Cheat_Sheet)
- [Logging](https://www.owasp.org/index.php/Logging_Cheat_Sheet)

----

### <a name="injection"><a>Injection
- most prevalent attack vector
- untrusted user input is processed as legitimate commands
- widespread
- very damaging
- [2017 Equifax](https://www.wired.com/story/equifax-warned-of-vulnerability-months-before-breach/)
- SQL, JS, LDAP , OS Command, Xpath.

#### SQL Injection Example
```
Var sqlquery = "select * from users where name = ' " +name+"";
```

*Expected Example*
'Bob' produces the following SQL:   
```
Select * from users where name = 'Bob'
```

*Injection Example*
'Bob' or "1"='1'  produces the following SQL:   
```
Select * from users where name = 'Bob' or "1"='1'
```

#### Solution
- Use built-in functionality from libraries to escape certain characters in entry
- Perform strict validation/escaping in front-end
- Add SQL injection tests in test suite
- Use Stored Procedures to mutate database


----

### <a name="bauth"><a>Broken Authentication
- [Authentication and session management weaknesses](#https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication) allow attackers to access hundreds of millions of username and password combinations
- Attackers can detect these weaknesses manually and exploit them using automated tools.
- Session management attacks usually occur when attackers gain access to unexpired session tokens.

#### Recent Attacks
- [Deloitte](#https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails) Lack of 2FA. The breach went undetected for months, while hackers accessed emails, passwords, and other sensitive information.

#### Strong Authentication Mechanisms
- **Strengthening Your Password Controls** 2FA, weak-password checks (like 10K [worst password list](#https://github.com/danielmiessler/SecLists/tree/master/Passwords)) - do not ship/deploy with default credentials (esp admin users)
- **Limit password attempts** credential stuffing -- form of brute force, uses automated injection of breached username and password pairs. Limit password attempts, and/or increase delay in failed login attempts
- **Avoid verbose failure messages** 'Incorrect username or password', rather than 'Incorrect username'
- **Use high-entropy session tokens** Use a server-side, secure, built-in session manager that generates new random session IDs with high entropy after login. Session IDs should never appear in your URLs, but should be securely stored and invalidated after logout, idle, and absolute timeouts.

#### Session Management
Weak session management is
- Expose session IDs in URL, 
- Fail to rotate Session IDs after successful login
- Fail to properly invalidate session IDs or auth tokens during logout/inactivity

Rsolution
- **Generate Strong Tokens** Generate from tried-and-tested frameworks, dont do it youself, ensure the framework has credability
- **Handle Tokens Securely** 
  - Use an encrypted HTTPS (SSL/TLS) connection for the entire web session, not just the authentication process. To protect token
  - To ensure the session ID is only exchanged through an encrypted channel use the “Secure” cookie attribute. Using encrypted communication channels protects the session against some session fixation attacks where the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victim’s web browser. 


----

### <a name="sde"><a>Sensitive Data Exposure
- [Sensitive Data Exposure](#https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure)
- Salesforce has 5 levels of sensitive data:

| Classification Level | Description |
|-|-|
| Public | Public data is data that is already exposed to the public, or that is meant for public use. Public data is meant to be viewed, but not altered, by the public. |
| Internal | Internal data is appropriate for viewing or use by all Salesforce FTEs and/or contractors. Internal data is not meant for public view. |
| Confidential | Confidential data is meant to be used by a defined subset of Salesforce FTEs and/or contractors. This data is not restricted by law, regulation, or company MSA. For instance, employee compensation data is meant only for employees and their supervisors. |
| Restricted | Restricted data is meant to be used by a very small, defined subset of Salesforce FTEs and/or contractors. This data is likely to be restricted by law, regulation, NDA, or the company MSA. |
| Mission Critical | Mission-critical data is critical to the continued success of Salesforce and is key to the company’s survivability. This data is meant to be used by a very small, defined subset of Salesforce FTEs and previously approved contractors or third parties (subject to heightened contractual requirements). This data is almost always restricted by law, regulation, NDA, or a company MSA. |
_FTE - Full Time Equivalent_
_NDA - Non-Disclosure Agreement_
_MSA - Master Service Agreement_

Sensitive data is vulnerable to exposure if not encrypted
Encryption
- Strong key generation
- Strong key management
- Strong up-to-date algorithm protocol
- Encrypt all data in transit with TLS
- Enforce  encryption with HTTP Strict Transport Security HSTS
- Disable Caching for responses that containt sensitive data
- Store passwords using non-reversible, adaptive and salted hasing functions
- Password delay factor
- Argon2, scrypt, bcrypt, PBKDF2
- Good cipher usage
- For credit card data, use PCi DSS compliant tokenization or truncation


----

### <a name="xxe"></a>XML External Entities (XXE)

[XML External Entities (XXE) attack](https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE))
- XML input containing a reference to an external entity is processed by a weakly configured XML parser.

#### Impact
- information disclosure 
- denial of service (DoS)
- allow attackers to execute arbitrary code on the vulnerable system

#### Recent Attacks
- [Check Point Security](https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/) discovered almost all Android development tools (containing [APKTool](https://www.cyberscoop.com/android-developer-apps-vulnerabilities-check-point/)) contained a bug.

#### How it Works
The XML 1.0 standard includes an entity concept--essentially a storage unit. External entities can access local or remote content via a declared system identifier, usually a URI, that can be dereferenced by the XML processor. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. If the system identifier contains tainted data and the XML processor dereferences it, the XML processor may disclose confidential information normally not accessible by the application.

Since XXE attacks occur via the XML processing application, an attacker may use this trusted application to pivot to other internal systems. The attack could disclose internal content via http(s) requests or launch a cross-site request forgery (CSRF) attack. In some situations, an XML processor library that is vulnerable to client-side memory corruption issues may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution under the application account. Other attacks can access local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released.

Note that the application does not need to explicitly return the response to the attacker for it to be vulnerable to information disclosures. An attacker can leverage DNS information to exfiltrate data through subdomain names to a DNS server that he or she controls.

#### Your system is vulnerable if
- An application parses XML documents.
- Untrusted data is allowed within the system identifier portion of the entity, within the document type definition (DTD).
- An XML processor is configured to validate and process the DTD.
- An XML processor is configured to resolve external entities within the DTD.

### Prevention
The safest way to prevent XXE is always to disable DTDs (external entities) completely. Depending on the parser, the method should be similar to the following:

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Disabling DTDs also secures the parser against denial of service (DoS) attacks. If DTDs can’t be disabled completely, then external entities and external doctypes must be disabled in the way that’s specific to each parser.

----

### <a name="bac"></a>Broken Access Control
- [Broken Access Control](https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control)
- [Implement Access Controls](https://www.owasp.org/index.php/OWASP_Proactive_Controls#6:_Implement_Access_Controls)
- [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)

Access control is how we restrict users’ permissions. Access control failure leads to 
- consequences like unauthorized information disclosure
- modification or destruction of data
- performance of business functions outside the user’s limits.

[Common Vulnerabilities](https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control) include
- bypassing access control checks
- allowing the primary key to be changed to another user’s record
- elevation of privilege
- metadata manipulation
- force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user
- allowing access to APIs with missing access controls for POST, PUT, and DELETE.

#### Preventing Broken Access Control Attacks
Access control is only effective if enforced in trusted server-side code or serverless API, where attackers can’t modify the access control check or metadata. 

To prevent attacks 
- Be sure to deny by default. 
- Implement access control mechanisms only once, then re-use them throughout the application. 
- You'll also need to set access controls so users can't create, read, update, or delete them. 
- Make sure your application business limit requirements are set by domain;
- Disable web server directory listings. 
- Logging access control failures is crucial to maintaining good access control, as is rate limiting API and controller access
- Invalidate JWT tokens after logout
- Including functional access control unit and integration tests.



----

### <a name="sm"></a>Security Misconfigurations
- [Security Misconfiguration Errors](https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration)
- [Testing for Configuration Management](https://www.owasp.org/index.php/Testing_for_configuration_management)
- Dangerous becasue they can happen at any level of the stack.
- Automated scanners are useful for detection misconfigurations

Attackers often attempt to exploit
- access default accounts
- unused oages
- unprotected files and directories
etc

Resolve by hardening your system
- enforcing approved applications adn browser extensions only
- automated scanners
- ensure default accounts/passwords are changed/disabled
- watch out-of-date software
- security check your dependent libraries
- patch boxes
- storing backups
- users, permissions and roles
- logging, monitoring, alerts
- 

----

### <a name="xss"></a>Cross-Site Scripting (XSS)

[Cross-Site Scripting (XSS) attack](https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS))
- In an XSS attack, a hacker takes advantage of expanded functionality to exploit other users and the underlying system.
- Malicious users access the code and insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page. When an unsuspecting user accesses that page, the malicious code executes an attack on the user’s browser. Attacks can include hijacking the user’s session, submitting unauthorized transactions as that user, stealing confidential information, or vandalizing the page.

#### Types
- **Stored XSS** - malicious input is permanently stored on a server, and return to a browser. For example - a message board post or data in a user profile.
- **Reflected XSS** - occurs when malicious input is sent to a server and reflected back to the user on the response page. The attacker needs to convince the user to visit a link that has the malicious input in it, like: `https://vulnerablesite.com?param=<script>document.cookie()</script>`
- **DOM-based XSS** - occurs when an attack payload is executed as a result of modifying the DOM in the user’s browser. The web page isn’t changed, but its client-side code executes in a malicious way because of these DOM changes. Server/DB is not involved. Many security products can’t catch this kind of attack if the malicious input doesn’t reach the server.

#### Mitigation
Since XSS is caused by weak separation between code context and user data, to defend against it, you have to strengthen the barrier between these two components. Two basic techniques are used:

**Input Filtering**  Whitelisting is the most secure, since the developer only needs to know expected input values.

**Output Encoding**  prevents malicious payloads in the system from executing. Because output encoding doesn’t rely on upstream or downstream protections, it can’t be bypassed by alternative input pathways. In output encoding, a server takes all characters that are meaningful in a specific context (HTML, JavaScript, URL) and replaces them with a text version.

----

### <a name="vuln"></a>Uncover Components with known Vulnerabilities
- Attack event - [Broadpawn phone attack 2017](https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/)
- [Spectre & Meltdown](https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/)
- Largest breaches have exploited [known vulnerabilities in components](https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities)

Resolution
- Frequently scan for vulnerabilities - OWASP Dependency Check, BlackDuck, or SourceClear.
- Record dependencies and their versions
- Susbcribe to vulnerability updates


----

### <a name="des"></a>Eliminate Insecure Deserialization
- [Attacks against desieralizers](https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization)
- Features of deserializer code can be repurposed for malicious effects
- denial of service
- access control
- remote code execution attacks

Example
- [Apache Strut](http://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/)

Mitigation
- don't accept serialized objects from untrusted sources
- use serialization mediums that only permit primitive data types
- otherwise
   - implement integrity checks,
   - enforce strict type constraints before object creation
   - isolate and run deseerialization code in low-privilege environments
   - log all deserialization exceptions and failures
   - restrict/monitor incoming and outgoing network connectivity from containers/servers
   - alerts for users who deserialize constantly

----

### <a name="log"></a>Logging
- [Logging and Monitoring Vulnerabilities](https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring)
- Red team allows the to test out attacks without getting noticed

Look out for
- unlogged auditable events
- warnings and errors that don’t generate clear log messages
- logs that aren’t monitored for suspicious activity
- logs only stored locally

Mitigations
- Always capture unexpected behaviour 
   - exceptions
   - failed login attempts/access control
   - failed input validation
- Better to log too much, than too little
- Centralize log management
- high-value transactions have audit trail
- monitoring and alert address suspicious activity in real time
- 


