Application Security Best Practices
Wally LEE <[email protected]>, Principal Consultant
17/18 March 2009
Speaker Profile
• Wally LEE
– CISSP
– BS7799 Lead Auditor
– Certified Ultimate Hacking Instructor
– Certified Ultimate Web Hacking Instructor
• Principal Consultant, NCS IT Security Consulting Services
• Security practitioner with more than 14 years' experience
• Conducted numerous audits on agencies, ministries and FSIs
• Conducted web application penetration tests on hundreds of web applications
• Security expertise includes:
– Web Application Penetration Testing
– Architecture Design
– Compliance
– OS Hardening
– Computer Forensics
– Incident Response
– Audit
AGENDA
• TCP Non-Blinding Spoofing attack demo
• Firewall and log correlation
• Application security in the enterprise network
• Web application testing and challenges
• Conclusions
TCP Non-Blinding Spoofing attack
• Recently talk on famous sites redirect to a specific china site
• TCP 3-way handshake • Only in windows with firefox or IE (it
doesn’t mater which browser)• Detailed explanation on how it takes
advantage of the 3-way handshake
• Demo
Web sites being redirected:
http://www.zdnet.com.tw/news/web/0,2000085679,20136641,00.htm
Background
• Some users in Taiwan are mysteriously redirected to a particular website in China (that hosts malware and a rumored 0-day IE exploit)
– www.msn.com.tw, tw.msn.com, taiwan.cnet.com
• Not the famous DNS flaw (by Dan Kaminsky)
• It is confirmed those sites are not compromised
CISCO Advisory
TCP 3-way handshake (Client ↔ Server)
Client → Server: SYN, Seq# 1234
Server → Client: SYN+ACK, Ack# 1235, Seq# 5678
Client → Server: ACK, Ack# 5679
Client → Server: GET http://www.example.com, Seq# 5679, next Seq# 8888
Server → Client: HTTP contents, Ack# 8888
Non-blinding Attack (Client ↔ Server)
Client → Server: SYN, Seq# 1234
Server → Client: SYN+ACK, Ack# 1235, Seq# 5678
Client → Server: ACK, Ack# 5679
Client → Server: GET http://www.example.com, Seq# 5679, next Seq# 8888
Injected (spoofed server reply) → Client: HTTP 302 Redirect, FIN + Ack# 8888
Server → Client: HTTP contents, Ack# 8888
TCP Non-Blinding Spoofing
• Takes place when the attacker is on the same subnet as the victim
• The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately
• The biggest threat of spoofing in this instance would be session hijacking
• This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine
• Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection
Demo
Client → Internet: GET http://www.example.com
Spoofed reply → Client: 302 Redirect http://www.malicious_site
What happened?
• Windows received a FIN+ACK packet with a data payload of URL redirect content (HTTP 302 Document Moved)
• According to RFC 793, FIN+ACK packets are not supposed to carry any data payload
• Windows sent a RST+ACK error packet after it received the FIN+ACK packet
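As an added example (not from the slides), a small detector for the packet pattern described above: it parses a TCP segment and flags a FIN-flagged segment that carries data, in particular an HTTP 302 payload. The header layout is the RFC 793 one; the sample segments, port numbers and the Location URL are constructed.

```python
"""Detector for the injected FIN+ACK redirect described above (added example,
not from the slides). Parses a raw TCP segment (no IP layer) and flags a
FIN-flagged segment carrying data, in particular an HTTP 302 redirect.
All sample segments are constructed here for the demonstration."""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_tcp(segment):
    """Unpack the 20-byte fixed TCP header (RFC 793 layout) and the payload."""
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4        # header length in bytes (options included)
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "payload": segment[data_offset:]}


def suspicious_fin(segment):
    """Return a reason string for a FIN segment that carries data, else None.

    A bare FIN (no data) is a normal close and is not flagged; a FIN with a
    302 response body is the pattern from the demo and is worth an alert."""
    tcp = parse_tcp(segment)
    if not (tcp["flags"] & FIN) or not tcp["payload"]:
        return None
    head = tcp["payload"][:16]
    if head.startswith(b"HTTP/1.") and b" 302" in head:
        return "FIN+ACK carrying HTTP 302 redirect payload"
    return "FIN-flagged segment carrying %d bytes of data" % len(tcp["payload"])


def build_segment(src, dst, seq, ack, flags, payload=b""):
    """Constructed sample segment for feeding the detector (checksum left zero)."""
    off_flags = (5 << 12) | flags               # 5 words = 20-byte header, no options
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, 65535, 0, 0) + payload


# Legitimate reply from the handshake slide: ACK, HTTP 200 body, no FIN.
NORMAL = build_segment(80, 51000, 5679, 8888, ACK | PSH, b"HTTP/1.1 200 OK\r\n\r\n")
# The injected reply from the demo: FIN+ACK with the redirect as payload.
INJECTED = build_segment(80, 51000, 5679, 8888, FIN | ACK | PSH,
                         b"HTTP/1.1 302 Document Moved\r\nLocation: http://www.malicious_site/\r\n\r\n")

if __name__ == "__main__":
    for name, seg in (("normal", NORMAL), ("injected", INJECTED)):
        print(name, "->", suspicious_fin(seg))
```

Pairing such an alert with the host's RST+ACK noted on the slide gives the analyst both sides of the event.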
One of the culprits
Risks that we are (or may be) facing
• Default homepage on newly installed Windows machines (for Chinese Windows)
• Redirect to phishing site
• Redirect to site hosting malicious software (rumored IE/Firefox 0-day exploit to take advantage of browser vulnerability)
• For more reading:
– http://armorize-cht.blogspot.com/2009/03/ip-spoofingarp-spoofingarprouter.html
Web Application Security
Web Application Hacking
• 75% of today's attacks are on the web application (Gartner)
• Attacks are mainly with criminal intent (vs trophy-hacking)
• You can't "patch" it, you need to rewrite code (it's your own code)
• Attacks cannot be readily detected if no one reviews database or web application transaction logs
• Even the best programmers write insecure code
• "Never trust data which is presented to you" – assume all input data and remote clients are hostile
A quick and dirty alternative to source code review
Decompose Web App
• Web Application Components
– Web Client: IE, Firefox, Netscape, etc.
– Transport: HTTP request (clear-text or SSL); HTTP reply (HTML, JavaScript, VBScript, etc.)
– Web Server: Apache, IIS, Netscape, etc.
– Web App: Perl, C++, CGI, JSP, ASP, PHP, etc.
– DB connectivity: ADO, ODBC, etc.
– DB: SQL, Oracle, etc.
• Layers
– Presentation Layer (web client and web server)
– Data Processing Layer (web application)
– Data Storage Layer (database)
Penetration Test Objectives
• Provide a snapshot of the current level of exposure
• Identify and prioritise visible vulnerabilities (whether from an external or internal network perspective)
• Provide recommendations to mitigate or rectify these vulnerabilities
Web Application Penetration Test
• Automated scanning vs manual penetration testing
• Web application vulnerabilities can be grouped into two categories:
– Technical (programmatic)
– Logical (business logic)
• Both can be discovered using the OWASP Top 10
OWASP Top 10 WebApp Vulnerabilities
• A1 – Unvalidated Input
• A2 – Broken Access Control
• A3 – Broken Authentication and Session Management
• A4 – Cross Site Scripting (XSS) Flaws
• A5 – Buffer Overflows
• A6 – Injection Flaws
• A7 – Improper Error Handling
• A8 – Insecure Storage
• A9 – Denial of Service
• A10 – Insecure Configuration Management
http://www.owasp.org
Automated Web Application Penetration Test
• Automated web application vulnerability scanning
• Focus on programmatic tests
• Technical vulnerabilities include:
– Cross-site scripting (XSS)
– Injection flaws
– Buffer overflows
– OWASP Top 10
• LHF (Low Hanging Fruit)
Manual Web Application Penetration Test
• Focus on logic testing
• Logical vulnerabilities are much harder to explicitly categorize
• Logical vulnerabilities manipulate the logic of the application to get it to do things it was never intended to do
• e.g. 1: Reset a user's password by guessing the answer to the security question
• e.g. 2: Authenticated as User A, try to read User B's data
Things that automated tools can't do
• Automated tools can't (or can only partially) fill in forms for you automatically, so there is a coverage issue
• Automated tools can't test logical issues like authorization problems, since they don't understand your business logic
• Automated tools can't tell you the exact problem; you still need a human to understand and verify the vulnerabilities detected
NCS Web Application Pen-Test Methodology
• "Black box" testing approach
• Purely TCP 80/443 (or other predefined web services port)
• Hacking through a web browser and a web proxy (to manipulate variables and values sent across)
• Covers OWASP Top 10 Web Application Vulnerabilities
– Both automated (programmatic) and manual (business logic) testing
• Led and executed by a Principal Consultant with a team of qualified and experienced (senior) consultants
Methodology phases (in order):
• Preparation and Sandbox Definition
• Reconnaissance and Account Harvesting
• Vulnerability Scanning and Selection
• Approvals and Execution of Exploits
• Clean Up and Report Preparation
Enterprise Security Services
• ASSESS – Security Assessment Services
– Policy Review
– Compliance Reviews
– Penetration Testing
– Risk, Threat, Vulnerability Assessment
• DESIGN + EXECUTE – Enterprise Security Solutions
– Identity Management
– Policy Compliance
– Endpoint Security
– Threat Management
– Access Control
– Secure Networks
– Intrusion Prevention
– Content Security
• PROTECT – Managed Security Services
– Incident Response
– Log Analysis, Monitoring & Management
– Security Advisories
• TRAIN – Education Services
– Formal Vendor Education
– Customised Courseware
Our Security Consulting Services
• Security Policy Development and Compliance Review
• Host and Application Security Compliance Review
• Network and Web Application Penetration Testing
• Security baseline creation and hardening
• These map to the ASSESS quadrant: Policy Review, Compliance Reviews, Penetration Testing, Risk/Threat/Vulnerability Assessment
Firewall and logs correlation
Firewall Rules
No.  Source  Destination  Service      Action
1    Any     Web servers  http, https  Allow
2    Any     Any          Any          Drop

What is actually flowing to the "Web servers":
– HTTP:80
– FTP:21
– Skype:80
– MSN:80
What are we running on port 80? Collaboration / Media, SaaS, Personal applications.
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
– Sees all traffic
– Defines trust boundary
• BUT… applications have changed (Collaboration / Media, SaaS, Personal)
– Ports ≠ Applications
– IP Addresses ≠ Users
– Packets ≠ Content
• Need to restore visibility and control in the firewall
Limitations of the current firewall
• Unable to identify applications – only ports and protocols
• Cannot see user identity from AD – only IP addresses (DHCP)
• Need to correlate IP address with user credential
• Integration of firewall with AD to get the credential?
• Not able to isolate access based on group, function, user credential, etc.
Policy-based Control Isolates Access
Zones: WAN and Internet; Users; Finance Users; Development Servers; Infrastructure Servers; Cardholder Servers
• Limit access to cardholder zone to only Finance users in Active Directory (rule 1)
• Limit application usage to only Oracle (rule 1)
• Block inbound threats (rule 1)
• Monitor/block outbound cardholder data transfer (rule 1)
• Deny and log all else (rule 2)
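To make the contrast between the two rule sets concrete, here is an added example (not from the slides) that evaluates the same flows under the port-based rules from the earlier table and under the user/application-aware rules above. The AD group table, zone names and sample flows are constructed, and the web-server clause in the policy-based evaluator is an assumption.

```python
"""Port-based vs application/user-aware firewall policy (added example, not
from the slides). Rule 1 and rule 2 follow the two policy slides above; the
AD group table, zone names and sample flows are constructed for the demo."""
from dataclasses import dataclass

# Hypothetical directory lookup: user -> AD groups (constructed data).
AD_GROUPS = {"alice": {"Finance"}, "bob": {"Developers"}, "carol": {"Finance", "Developers"}}

@dataclass
class Flow:
    user: str       # resolved from DHCP lease + AD logon; not in the packet itself
    dst_zone: str   # "web_servers" or "cardholder"
    dst_port: int
    app: str        # identified from content, e.g. "oracle", "skype", "http"

def port_based(flow):
    """Slide rules: 1) Any -> Web servers, http/https: Allow. 2) Any Any Any: Drop."""
    if flow.dst_zone == "web_servers" and flow.dst_port in (80, 443):
        return "allow"      # Skype/MSN tunnelled over 80 pass here as if they were HTTP
    return "drop"

def policy_based(flow):
    """Rule 1: Finance users, Oracle only, into the cardholder zone.
    Rule 2: deny and log everything else. The web-server clause is an
    assumption added so ordinary browsing still works in the example."""
    if flow.dst_zone == "cardholder":
        ok = "Finance" in AD_GROUPS.get(flow.user, set()) and flow.app == "oracle"
        return "allow" if ok else "deny+log"
    if flow.dst_zone == "web_servers" and flow.app in ("http", "https"):
        return "allow"      # decided by the identified application, not the port number
    return "deny+log"

def compare(flows):
    """(label, port-based verdict, policy-based verdict) for each flow."""
    return [(f"{f.user} {f.app}->{f.dst_zone}:{f.dst_port}", port_based(f), policy_based(f))
            for f in flows]

SAMPLE = [
    Flow("alice", "cardholder", 1521, "oracle"),   # Finance user, legitimate
    Flow("bob", "cardholder", 1521, "oracle"),     # developer, wrong AD group
    Flow("bob", "web_servers", 80, "skype"),       # Skype riding on port 80
    Flow("carol", "web_servers", 80, "http"),
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```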
Logs Correlation
• To log or not to log, that's the question
• To log centrally
• To correlate the logs
– Firewall, IPS/IDS
– Web servers
– Web application
– Databases
• SIEM solution
Where are the logs?
Traffic enters from the Internet and crosses four tiers, each with its own logs:
• Network Tier – IPS: src ip & src port, dst ip & dst port
• Presentation Tier – Web Servers: web user ID
• Application Tier – Application Servers: application logs
• Data Storage Tier – DB logs
• Across all tiers: OS logs, Exchange, AD
Information Overload
• The problem with threat detection systems (e.g. IPS) is that they produce so much information that it's difficult to determine what information requires action.
Security Event Management Challenges
• Log Consolidation – 10,000,000s of network, host and security log data (IDS/IPS, IDM, Firewall, Antivirus, Policy Compliance, Vulnerability Assessment)
• Event Management – 100,000s of events (from the same sources)
• Security Information Management / Security Intelligence – 100s of incidents, produced through correlation, prioritization and workflow
• Questions the top of the pyramid must answer: What business assets are threatened? What course of action should I take to remediate threats?
• Consumers of the output: Help Desk, Legal Dept, Compliance
• Security information data overload
Issues that the Enterprise Network is facing
• Too many logs; normalization and filtering are a necessity
• Sophisticated attacks that need multiple devices' logs to correlate
• Web application logs and backend DB connections are not in sync
• Each device provides its own perspective of events (may or may not be useful)
• Need common linkage information from additional devices
– Web Application Firewall, database gateway
What to correlate? Web Users <=> DB?
• Same tiers as before (Network Tier: IPS; Presentation Tier: Web Servers; Application Tier: Application Servers; Data Storage Tier: DB; plus OS logs, Exchange, AD), with a WAF in front of the web servers and a DB firewall in front of the database so that user knowledge follows the request
• Connection pooling (one DB account for many app users) makes it difficult to tell who accessed what data
• With web application firewall and DB gateway logging, we could track what data was accessed through the application by which web user
Tracks Web Users to the Database
Log sources along the path of an attack:
• Firewall Logs
• DHCP Logs
• Web Login / AD Username
• Application Logs
• Database Logs
• Router / Switches Logs
• IPS Logs
Logs lifecycle?
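The connection-pooling problem from the previous two slides, worked as an added example (not from the slides): a WAF log carries the web user and request, the DB gateway log carries every statement under one pooled account, and the two are joined by time window. Both log formats and all entries are constructed.

```python
"""Web user -> DB query correlation across a pooled DB account (added example,
not from the slides). The WAF and DB gateway log formats and all entries are
constructed; every query arrives under the single pooled account 'app_pool',
so attribution has to go by time window and the result says how sure it is."""
import re
from datetime import datetime, timedelta

WAF_LOG = """\
2009-03-17T10:00:01.120 user=alice sid=9f3a GET /account/summary
2009-03-17T10:00:01.900 user=bob sid=77c1 GET /account/summary
2009-03-17T10:00:05.300 user=alice sid=9f3a POST /transfer
"""
DB_LOG = """\
2009-03-17T10:00:01.180 db_user=app_pool src=10.1.2.20 SELECT * FROM accounts WHERE id=1001
2009-03-17T10:00:01.950 db_user=app_pool src=10.1.2.20 SELECT * FROM accounts WHERE id=1002
2009-03-17T10:00:05.390 db_user=app_pool src=10.1.2.20 UPDATE accounts SET balance=balance-500 WHERE id=1001
2009-03-17T10:00:09.000 db_user=app_pool src=10.1.2.20 SELECT * FROM cards
"""
WAF_RE = re.compile(r"^(\S+) user=(\S+) sid=\S+ (.+)$")   # time, web user, request
DB_RE = re.compile(r"^(\S+) db_user=\S+ src=\S+ (.+)$")   # time, SQL text


def parse(text, pattern):
    """Return (timestamp, *fields) for each line the pattern matches."""
    return [(datetime.fromisoformat(m.group(1)),) + m.groups()[1:]
            for m in map(pattern.match, text.splitlines()) if m]


def correlate(waf_text, db_text, window_ms=500):
    """Attribute each DB statement to the web request issued just before it.

    Returns (sql, web_user). web_user is 'AMBIGUOUS' when several requests fall
    in the window and 'UNATTRIBUTED' when none does: a query the application
    never triggered is the one worth alerting on.
    """
    requests = parse(waf_text, WAF_RE)
    window = timedelta(milliseconds=window_ms)
    out = []
    for ts, sql in parse(db_text, DB_RE):
        users = {u for rts, u, _req in requests if ts - window <= rts <= ts}
        out.append((sql, users.pop() if len(users) == 1 else
                    "AMBIGUOUS" if users else "UNATTRIBUTED"))
    return out


if __name__ == "__main__":
    for sql, user in correlate(WAF_LOG, DB_LOG):
        print(f"{user:14} {sql}")
```

A shared key (for example a request id passed from the application into the SQL session) replaces the time-window heuristic and removes the AMBIGUOUS case.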
Why Us?
• Real-world experience
• People, Process, Technology approach
• Understand the lifecycle process
• Standards-compliant
• Technical excellence
• Defence-in-Depth strategy
• Strong business and technology partnerships
Thank You | Let us be a Value Creator for your organisation