AGS201 Addressing Web Application Security Vulnerabilities


AGS201

Addressing Web Application Security Vulnerabilities

SAP AG 2006, SAP TechEd ’06 / AGS201 / 2

Contributing Speaker

Patrick Hildenbrand, SAP AG, Walldorf


Learning Objectives

As a result of this workshop, you will be able to:
– Understand the nature and the intention of different groups of hackers
– Name some important security risks in development
– Understand how to avoid security issues while programming in SAP environments

Security Development – That’s YOU

Beat the Hacker – Solutions

Security, Why?

Who is the enemy – Hacker Types

The Final


The Challenge of Security

In order to secure an application, all of its components, functions, infrastructure and the related threats must be understood.

In order to break an application, only one flaw in any of its components/functions or the infrastructure may be enough.

The problem:
– Each new technology brings with it new vulnerabilities
– Firewalls, Intrusion Detection Systems and Encryption don't make a secure IT system


The OWASP Top Ten

Source: http://www.owasp.org/documentation/topten.html

The OWASP (Open Web Application Security Project) top ten web application vulnerabilities are typically targeted by hackers:

1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting (XSS) Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper File Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management


Know Your Enemy: How Hackers "Work"

Hackers
– highly-skilled, but few in numbers
– break mostly into "challenging" systems
– publish/trade weaknesses
Hackers look for new security weaknesses.

Script Kiddies
– low-skilled, but numerous
– use other people's tools to break into systems
– goal is to "OWN" as many machines as possible
Script Kiddies look for systems vulnerable to known exploits.

Social Engineers
– very good technical as well as social skills
– attacks are primarily directed against humans ('wetware')
Social Engineers look for clues on which they can base their attacks.

(Disgruntled) Employees
– use insider knowledge to gain system access
– motivated by curiosity or anger
– Disgruntled employees will try to damage the IT infrastructure
Employees usually look for HR information (e.g. salary) or want to enrich themselves.



The new threat: Organized Crime


Know Your Enemy: Stages of an Attack

Reconnaissance – find a target: get all data on the Web or somewhere else you can get.

Data analysis – where are the weak points: analyze source and behavior of the target.

Attack – hack it: use the knowledge you have gathered to break into the target.

Clean up – remove your traces: clean up all debris you have created while breaking in to the system.


There is NO Central Security


Collected Statements About Security

"Of course my application is secure. I'm using HTTPS!"

"We use an application server for development, it covers all security topics for me."

"I don't need to worry about security during development, because all gaps will be detected and corrected during the test period."

"Security is not my job, there's a security group in our company."

"The caller of my function will never send me any malformed data."

Note: All these statements are wrong!


Responsibility for Security Cannot be Delegated!

Don't blindly assume others will do it for you.

Don't rely blindly on others in terms of security:
– If you rely on someone else's software, then clarify whether or not your security demands are fulfilled
– Only if they commit to solving the issue can you delegate responsibility

Application security is part of everybody's responsibility in design and development!


Include Security in the Design


Requirements for Productive Use

1. Companies must be able to comply with regulatory requirements, especially concerning data protection/privacy and audit
– Must be possible to audit changes in user and authorization management, and security-related events
– Must be able to track changes to business data

2. Principle of fewest possible rights must be possible
– Must be part of application design
– Deliver description (roles and authorization proposals, for example)
– Administration efficiency important
– For users as well as for the application/program
– On the file system, for the OS permissions and within the server


Retrospective Security Does Not Work


Common Sense Requirements

1. Encryption of all communications connections should be possible

2. No transmission or storage of passwords in plain text – all passwords and user IDs must be changeable

3. No back doors in applications – especially not for management, support or other purposes

4. Avoid broadly generic functions – if security cannot be guaranteed

5. No unintended disclosure of internal information: error messages, logs, URLs, cookies, …


Input Validation


Validate your Input

Unvalidated input is the number one problem for applications according to the OWASP top ten. Therefore do a positive check on the server of all user input, to protect against:
– buffer overflows
– SQL injection
– other attacks targeting the server

BUT: validation of user input is not a sufficient precaution against cross-site scripting (XSS):
– Different parts of the information may be combined
– Input may be used 'out of context' (log files)
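The following is an added example, not code from the slides or from SAP: a positive (allowlist) check of one request parameter, written in plain Java. The parameter name "userid", the rule "3 to 12 ASCII letters or digits" and the sample inputs are assumptions for illustration. The negative check is included only to show why the slides ask for a positive one.

```java
import java.util.regex.Pattern;

/** Added example (not from the slides): a positive, server-side check of one input field. */
public final class PositiveInputCheck {

    // Hypothetical rule for a "userid" parameter: 3 to 12 ASCII letters or digits, nothing else.
    // A positive check names what IS allowed; everything outside the rule is rejected.
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9]{3,12}");

    /** True only when the whole value matches the allowlist; null and empty values fail. */
    public static boolean isValidUserId(String value) {
        return value != null && USER_ID.matcher(value).matches();
    }

    /** A negative check for comparison: it only looks for a few "known bad" characters and
     *  therefore still lets through control characters, overlong values and anything it did
     *  not anticipate. Shown to contrast with the positive check, not as a recommendation. */
    public static boolean passesNegativeCheck(String value) {
        return value != null
                && value.indexOf('<') < 0 && value.indexOf('>') < 0 && value.indexOf('\'') < 0;
    }

    /** Validates at the entry point and throws, so a caller cannot silently skip the check. */
    public static String requireUserId(String value) {
        if (!isValidUserId(value)) {
            throw new IllegalArgumentException("userid rejected by positive check");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid value, then several that must be rejected.
        String[] samples = { "bsmith42", "x", "brian smith", "b<i>s</i>", "a\u0000bc",
                             "averyveryverylongname" };
        for (String s : samples) {
            System.out.printf("%-26s positive=%-5b negative=%b%n",
                    '"' + s.replace("\u0000", "\\0") + '"', isValidUserId(s), passesNegativeCheck(s));
        }
        // "a\0bc" and the overlong name pass the negative check but fail the positive one.
    }
}
```

The check runs on the server, before the value is used anywhere; as the slide says, it does not replace output encoding, because a value that is valid here can still be harmful when written into HTML or a log file.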

Beat the Hacker – Solutions – XSS

Cross-Site Scripting (XSS) – A Description

Cross site scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is. From the trusted context, an attack can be launched.

Threat: an attacker manages to place HTML content into a web page, email, file or other media which someone else will open at a later time, possibly in a different security context.

Risk:
Tampering with Data
– execution of ActiveX commands
Information Disclosure
– Stolen or modified Cookies
– Stolen or modified data (redirected forms)


Cross-Site Scripting (XSS) – What To Do

Examples:
– an online application viewed in a corporate intranet
– a message posted to an online forum
– an administrator opening a log file with a browser

Best practices:
– Use WebDynpro: because of its closed rendering model, it is possible to ensure HTML encoding through the complete rendering engine by the WebDynpro runtime itself
– Use BSP/HTMLB: similar to WebDynpro with some few exceptions (see developer guide for additional details, needs forceEncode="Enabled")
– Escape HTML/JavaScript control characters < > & " ' ( ) using methods in class StringUtils

! Caveat: attack methods vary depending on context

Note: XSS attacks the client, not the server, thus input validation may not help


Cross-Site Scripting (XSS) example code

Part of the company's intranet application:

    public void doContent(...) {
        ...
        String s;
        if ((s = getUsernameByID("userid")) != null) {
            // the applicant's name is written into the page unescaped
            response.write("<br>Applicant:<u>" + s + "</u>");
        }
        ...
    }

Expected output: <br>Applicant:<u>Mr. Brian Smith</u>


Cross-Site Scripting (XSS) secure code

Security enhanced function:

    public void doContent(...) {
        ...
        String s;
        if ((s = getUsernameByID("userid")) != null) {
            // encode for the "between tags" context before writing to the response
            s = StringUtils.escapeToHTML(s, 50);
            response.write("<br>Applicant:<u>" + s + "</u>");
        }
        ...
    }


Cross Site Scripting – Attack Scenario 1

Output BETWEEN tags: StringUtils.escapeToHTML()

    <head>
      <title>[CASE1]</title>
    </head>
    <table>
      <tr>
        <td>Username</td>
        <td>[CASE1]</td>
      </tr>
    </table>


Cross Site Scripting – Attack Scenario 2

Output INSIDE tags, but output is not a URL: StringUtils.escapeToAttributeValue()

    <form name="[CASE2]">
      <input type="text" name="user" value="[CASE2]">
      <input type="text" name="user" value='[CASE2]'>
    </form>
    <a name="[CASE2]"><img height="50" width="[CASE2]"></a>

! Caveat: Be sure to enclose values in double or single quotes! Omitting those will make an attack easier.


Cross Site Scripting – Attack Scenario 3

Output is a URL: StringUtils.escapeToURL()

    <a href='[CASE3]' style="[CASE3]">
      <img src="[CASE3]" lowsrc="[CASE3]">
    </a>

! Caveat: Be sure to enclose values in double or single quotes! Omitting those will make an attack easier.


Cross Site Scripting – Attack Scenario 4

Output is inside a SCRIPT context: StringUtils.escapeToJS()

    <script>
      var a = '[CASE4]';
      alert("[CASE4]");
      var a = [CASE4];
      [CASE4];
    </script>
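To make the four scenarios concrete, here is an added example of a context-specific escaper in plain Java. It is not SAP's StringUtils and does not reproduce its behaviour; the class name ContextEscaper, its method names and the sample values are assumptions. It also covers the secure-code slide above, where the name is encoded for the "between tags" context, and it shows why the two unquoted [CASE4] positions cannot be fixed by escaping alone.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;

/** Added example (not SAP's StringUtils): one escaper per output context, scenarios 1 to 4. */
public final class ContextEscaper {

    /** Scenario 1: data between tags. The five HTML metacharacters become entities. */
    public static String escapeToHTML(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Scenario 2: data inside a quoted attribute. Everything but ASCII alphanumerics becomes
     *  a numeric entity, so neither quote style, '=', nor whitespace can end the attribute.
     *  The caller must still put quotes around the value (see the caveat on the slide). */
    public static String escapeToAttributeValue(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else sb.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return sb.toString();
    }

    /** Scenario 3: data that is a URL in href/src. Escaping cannot neutralise a scheme the
     *  browser would execute, so the scheme is positively checked first (http, https or a
     *  relative URL). The rest is percent-encoded and then HTML-escaped, because the URL
     *  still lives inside an attribute value. */
    public static String escapeToURL(String s) {
        String t = s.trim();
        String lower = t.toLowerCase(Locale.ROOT);
        int colon = lower.indexOf(':');
        int delim = firstIndexOfAny(lower, "/?#");
        boolean hasScheme = colon >= 0 && (delim < 0 || colon < delim);
        if (hasScheme && !(lower.startsWith("http:") || lower.startsWith("https:"))) {
            return "#";   // refused: only http(s) or relative URLs are permitted
        }
        String keep = "-._~:/?#@!$&'()*+,;=%";
        StringBuilder sb = new StringBuilder(t.length() + 16);
        for (byte b : t.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xff);
            if (c < 128 && (Character.isLetterOrDigit(c) || keep.indexOf(c) >= 0)) sb.append(c);
            else sb.append('%').append(String.format("%02X", b & 0xff));
        }
        return escapeToHTML(sb.toString());
    }

    /** Scenario 4: data inside a quoted JavaScript string literal. Every non-alphanumeric
     *  character is written as \xHH or \uHHHH, so quotes, backslashes, newlines and a
     *  closing script tag cannot end the literal or the script block. */
    public static String escapeToJS(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else if (c < 256) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    /** The unquoted positions (var a = [CASE4]; and [CASE4];) cannot be made safe by escaping.
     *  Only a positive check of the value's type, here "must be an integer", makes them safe. */
    public static String jsNumberLiteral(String s) {
        return Long.toString(Long.parseLong(s.trim()));   // throws on anything else
    }

    private static int firstIndexOfAny(String s, String chars) {
        for (int i = 0; i < s.length(); i++) if (chars.indexOf(s.charAt(i)) >= 0) return i;
        return -1;
    }

    public static void main(String[] args) {
        String name = "Mr. Brian <b>Smith</b> & Co.";   // constructed sample value
        System.out.println("<td>" + escapeToHTML(name) + "</td>");
        System.out.println("<input value=\"" + escapeToAttributeValue(name) + "\">");
        System.out.println("<a href='" + escapeToURL("/profile?user=brian smith") + "'>");
        System.out.println("<a href='" + escapeToURL("ftp://example.org/file") + "'>");   // "#"
        System.out.println("var a = '" + escapeToJS(name) + "';");
        System.out.println("var n = " + jsNumberLiteral(" 42 ") + ";");
    }
}
```

The design choice is that each method is only correct for the context named on its slide: applying escapeToHTML to a value written into an attribute or a script block is exactly the "out of context" failure the input-validation slide warns about.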

Beat the Hacker – Solutions – SQL

SQL injection – A Description

Threat: An attacker manages to place SQL commands into an input string that is used as a parameter in a database query.

Risk:
Tampering with Data
– data can be created/changed/deleted without authorization
Information Disclosure
– data can be read without authorization
Denial of Service
– data can be deleted without authorization
Elevation of Privilege
– depending on the database, system commands can be executed

Best practices: Validate input and remove/escape illegal characters such as '


SQL Injection – some suggestions

Generic protection is available if the OpenSQL framework is being used, as this uses prepared statements with the command having to be static. However, you still have to be careful for all dynamic parts of the queries, to make sure that they contain permitted values only.

An example:

    SELECT (select_clause) FROM (from_clause) WHERE (where_clause) GROUP BY (groupby_clause) HAVING (having_clause) ORDER BY (orderby_clause).

Being able to enter arbitrary values for 'from_clause' may enable a hacker to 'select' the database to operate on. …

The same applies to all other commands as well.
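The two points of this section, a static statement with bound parameters and a positive check of the parts that cannot be bound, as an added example in plain JDBC. This is not SAP OpenSQL code; the table APPLICANTS, its columns, the class ApplicantQuery and the sample input are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Set;

/** Added example (plain JDBC, not SAP OpenSQL): bind the values, allowlist the rest. */
public final class ApplicantQuery {

    // Hypothetical table and the only ORDER BY columns the application ever needs.
    private static final Set<String> SORTABLE = Set.of("LASTNAME", "CITY", "APPLIED_ON");

    /** VULNERABLE: the user-supplied name becomes part of the SQL text, so a quote in the
     *  input changes the statement itself. Kept only to contrast with safeSql() below. */
    public static String buildVulnerable(String lastName) {
        return "SELECT LASTNAME, CITY FROM APPLICANTS WHERE LASTNAME = '" + lastName + "'";
    }

    /** Positive check of a dynamic part that a prepared statement cannot bind (a column name
     *  in the orderby_clause). Returns the canonical column name or throws; the raw input
     *  never reaches the SQL text. */
    public static String sortColumn(String requested) {
        String col = requested == null ? "" : requested.trim().toUpperCase(Locale.ROOT);
        if (!SORTABLE.contains(col)) {
            throw new IllegalArgumentException("ORDER BY column not permitted: " + requested);
        }
        return col;
    }

    /** The statement text is static apart from the allowlisted column; the name is a '?' parameter. */
    public static String safeSql(String orderBy) {
        return "SELECT LASTNAME, CITY FROM APPLICANTS WHERE LASTNAME = ? ORDER BY " + sortColumn(orderBy);
    }

    /** Binds the value separately from the SQL text, so the database never parses it as SQL. */
    public static PreparedStatement prepare(Connection con, String lastName, String orderBy)
            throws SQLException {
        PreparedStatement ps = con.prepareStatement(safeSql(orderBy));
        ps.setString(1, lastName);
        return ps;
    }

    public static void main(String[] args) {
        String name = "O'Brien";   // constructed input: a legitimate name that contains a quote
        System.out.println(buildVulnerable(name));   // the quote has broken the statement
        System.out.println(safeSql("city"));         // text is the same whatever the name contains
        try {
            sortColumn("CITY, SALARY");              // not in the allowlist -> rejected
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The allowlist is the important part: the column name is an identifier and cannot be passed as a '?' parameter, so the only safe handling is to compare the request against the fixed set of names the application actually supports.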

Beat the Hacker – Solutions – Viruses

Virus Protection for SAP Systems

– Partner products access the VSI API directly with the scan engine or indirectly using a separate VSA
– Built-in scanning for: GUI_UPLOAD in the SAP ABAP Stack; HTTP_UPLOAD (BSP); FileUpload of WebDynpro for Java
– Programmatic execution of virus scans with dedicated classes and methods of the VSI

[Architecture diagram; labels only] ABAP Code / SAP Virus Scan API (ABAP); Java Code / SAP Virus Scan API (Java); Scan Service; J2EE Engine; Virus Scan Server; SAP Internal VSI API; SAP VSI Library / SAP NW-VSI; Virus Scan Adapter; Scan Engine Internal API (optional); Scan Engine; Partner Part / SAP Part / Interface; Remote Function Call (RFC, optional).


Using the Virus Scan Interface

    try {
        myInstance = vsiService.getInstance();
        if (myInstance != null) {
            /* perform virus scan */
            if (!myInstance.scanBytes(<your data>)) {
                /* there was an infection,
                 * what needs to be done comes here */
            }
        } else {
            /* The returned instance was null, this means the virus scan profile is not active
             * => do nothing here to allow the scan to be switched off */
        }
    } catch (VirusInfectionException vse) {
        Infection[] myInfections = vse.getInfections();
        String errorText = vse.getLocalizedMessage();
        /* print out only the locale error text */
        if (myInfections.length == 1) {
            /* the scan engine has found the infection */
            // ...
        } else {
            /* not expected error */
            // ...
        }
    }


Application Examples for the Usage

For which application components is the virus scanning available?

– For all applications based on SAP NetWeaver '04: all upload functions for file uploads will be affected

Sample application scenarios:

– HR: upload of application documents from applicants

– KM and KMC: upload of documents for storage


Related SAP Notes About the VSI

The following notes are available for more information

786179: Data security products – Application in the Anti-Virus Area

797108: Virus scan interface (VSI): Changes and releases

782963: Availability of Virus Scan Server for NW-VSI

807989: Problem analysis: Virus check during the file upload

639486: Anti viruses protection within SAP applications (BC-SEC-VIR)

803637: Virus check added to gui_upload

666568: Using the EICAR anti-virus test file


Consider Security

100% security is not achievable

But you can do a lot:
– Law of the weakest link
– Security should not be an afterthought
– Reduce the complexity of the whole application
– Security is a "horizontal" aspect of software development
– Protect your credentials
– Deploy only tested code (do at least some kind of unit testing)


Beat the Hacker – Solutions

Check out the SAP NetWeaver Developer's Guide: best-practice cookbook on how to avoid typical vulnerabilities
http://www.sdn.sap.com/irj/sdn/developersguide
Fundamentals > Making Applications Enterprise Ready > Security > Secure Programming JAVA / ABAP

Conduct security testing and perform assessments:
– By external security specialists
– By internal QM

Establish Security Response Measures


Rules for Everybody in Planning and Development

Define a security level or quality for the application depending on:
– Environment (back end versus Internet)
– Application profile (banking, defense)
– Regulatory requirements
– CEOs don't like security surprises

Don't blindly assume others will do it for you.

"An application that has not been specified cannot be incorrect; it can only be surprising"


Further Information

Public Web
– SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)
– NetWeaver Developer's Guide: http://www.sdn.sap.com/irj/sdn/developersguide
– http://www.sap.com/education/ – JA300 SAP WebAS Java Development
– SAP Service Marketplace: http://service.sap.com/security, http://service.sap.com/securityguide
– SAP Security Newsletter: send email to [email protected] with subject = subscribe

Related Workshops/Lectures at SAP TechEd '06
– AGS202, Authentication with SAML
– AGS212, Single Sign-On in Heterogeneous Landscapes
– AGS213, SPNego Login Module for Windows Integrated Authentication to SAP NetWeaver for J2EE (Lecture, 1 hour)
– AGS250, J2EE Authentication (Hands-On, 2 hours)
– CD255, Developing Secure Web Services (Hands-On, 2 hours)
– CD262, Using Authorizations in Java Application Development (Hands-On, 2 hours)
– AGS214, The Top Five Security Threats and Countermeasures (Lecture, 1 hour)


THANK YOU FOR YOUR ATTENTION!

QUESTIONS – SUGGESTIONS – DISCUSSION


Copyright 2006 SAP AG. All Rights Reserved