
  • Wally LEE Principal Consultant

    17/18 March 2009

    Application Security Best Practices

  • Speaker Profile

    Wally LEE, CISSP, BS7799 Lead Auditor, Certified Ultimate Hacking Instructor, Certified Ultimate Web Hacking Instructor

    Principal Consultant, NCS IT Security Consulting Services

    Security practitioner with more than 14 years' experience

    Conducted numerous audits on agencies, ministries and FSI

    Conducted web application penetration tests on hundreds of web applications

    Security expertise includes: Web Application Penetration Testing, Architecture Design, Compliance, OS Hardening, Computer Forensics, Incident Response, Audit.

  • AGENDA

    TCP Non-Blinding Spoofing attack Demo

    Firewall and Log correlation

    Application Security in Enterprise Network

    Web Application Testing and challenges

    Conclusions

  • TCP Non-Blinding Spoofing attack

    Recent talk of famous sites redirecting to a specific China site

    TCP 3-way handshake

    Only in Windows, with Firefox or IE (it doesn't matter which browser)

    Detailed explanation of how it takes advantage of the 3-way handshake

    Demo

  • Web site being redirected.

    http://www.zdnet.com.tw/news/web/0,2000085679,20136641,00.htm

  • Background

    Some users in Taiwan are mysteriously redirected to a particular website in China (which hosts malware and a rumored IE 0-day exploit)

    Sites involved: www.msn.com.tw, tw.msn.com, taiwan.cnet.com

    Not the famous DNS flaw (by Dan Kaminsky)

    It is confirmed that those sites are not compromised

  • CISCO Advisory

  • TCP 3-way handshake (sequence diagram, Client and Server)

    Client -> Server: SYN, Seq# 1234

    Server -> Client: SYN+ACK, Ack# 1235, Seq# 5678

    Client -> Server: GET http://www.example.com, Seq# 5679, NxtSeq# 8888

    Server -> Client: ACK, Ack# 5679

    Server -> Client: HTTP Contents, Ack# 8888

  • Non-blinding Attack (sequence diagram, Client and Server)

    Client -> Server: SYN, Seq# 1234

    Server -> Client: SYN+ACK, Ack# 1235, Seq# 5678

    Client -> Server: GET http://www.example.com, Seq# 5679, NxtSeq# 8888

    Server -> Client: ACK, Ack# 5679

    Server -> Client: HTTP Contents, Ack# 8888

    Attacker (spoofed as Server) -> Client: HTTP 302 Redirect, FIN+ACK, Ack# 8888

  • TCP Non-Blinding Spoofing

    Takes place when the attacker is on the same subnet as the victim

    The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately

    The biggest threat of spoofing in this instance would be session hijacking

    This is accomplished by corrupting the data stream of an established connection, then re-establishing it with the attack machine based on the correct sequence and acknowledgement numbers

    Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection.

  • Demo

    Internet

    GET http://www.example.com

    302 Redirect http://www.malicious_site

  • What happened?

    Windows received a FIN+ACK packet with a data payload of URL redirect content (HTTP 302 Document Moved)

    According to RFC 793, FIN+ACK packets are not supposed to carry any data payload

    Windows sent a RST+ACK error packet after it received the FIN+ACK packet
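    As an added example (not from the slides or from NCS), the detection logic a defender could run over one connection's TCP segments to spot the pattern the last three slides describe: a FIN+ACK that carries data, two segments from the same sender covering the same sequence number with different content (the genuine reply and the injected 302), and the client's RST that follows. The segment list is constructed here with its own sequence numbers, not the slide's.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str            # sender as seen on the wire; an injected segment claims "server"
    dst: str
    seq: int
    ack: int
    flags: frozenset    # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    payload: bytes = b""


def find_injection_indicators(segments):
    """Scan one connection's segments in capture order; return (index, reason) pairs."""
    findings = []
    first_payload = {}          # (src, seq) -> payload first seen at that sequence offset
    data_fin_target = None      # receiver of the most recent data-bearing FIN
    for i, s in enumerate(segments):
        if "FIN" in s.flags and s.payload:
            findings.append((i, f"FIN+ACK carrying {len(s.payload)} bytes of data"))
            data_fin_target = s.dst
        if s.payload:
            key = (s.src, s.seq)
            if key in first_payload and first_payload[key] != s.payload:
                findings.append((i, f"overlapping segment with different content at seq {s.seq}"))
            first_payload.setdefault(key, s.payload)
        if "RST" in s.flags and s.src == data_fin_target:
            findings.append((i, f"RST from {s.src} after data-bearing FIN"))
            data_fin_target = None
    return findings


def sample_connection():
    """Constructed segments mirroring the slide's sequence diagram (numbers are ours)."""
    get = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    real = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    fake = b"HTTP/1.1 302 Found\r\nLocation: http://malicious.example/\r\n\r\n"
    f = frozenset
    nxt = 1001 + len(get)       # client sequence number after the GET
    return [
        Segment("client", "server", 1000, 0, f({"SYN"})),
        Segment("server", "client", 5000, 1001, f({"SYN", "ACK"})),
        Segment("client", "server", 1001, 5001, f({"PSH", "ACK"}), get),
        Segment("server", "client", 5001, nxt, f({"ACK"})),
        Segment("server", "client", 5001, nxt, f({"PSH", "ACK"}), real),   # genuine reply
        Segment("server", "client", 5001, nxt, f({"FIN", "ACK"}), fake),   # injected on the LAN
        Segment("client", "server", nxt, 5001 + len(fake) + 1, f({"RST", "ACK"})),
    ]
```

    Running find_injection_indicators(sample_connection()) reports the injected segment twice (data-bearing FIN, overlapping content) and the client's RST once; the same checks apply unchanged to segments decoded from a real capture.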

  • One of the culprits

  • Risks that we are (or may be) facing

    Default homepage on newly installed Windows machines (for Chinese Windows)

    Redirect to phishing site

    Redirect to site hosting malicious software (rumored IE/Firefox 0-day exploit taking advantage of a browser vulnerability)

    For more reading: http://armorize-cht.blogspot.com/2009/03/ip-spoofingarp-spoofingarprouter.html

  • Web Application Security

  • Web Application Hacking

    75% of today's attacks are on the web application (Gartner)

    Attacks are mainly with criminal intent (vs trophy-hacking)

    You can't patch it, you need to rewrite code (it's your own code)

    Attacks cannot be readily detected if no one reviews database or web application transaction logs

    Even the best programmers write insecure code

    Never trust data which is presented to you; assume all input data and remote clients are hostile

    A quick and dirty alternative to source code review

  • Decompose Web App: Web Application Components

    [Diagram: web application decomposed into three layers]

    Presentation Layer: Client (IE, Firefox, Netscape, etc.) sends an HTTP request over the transport (clear-text or SSL) and receives an HTTP reply (HTML, JavaScript, VBScript, etc.)

    Data Processing Layer: Web Server (Apache, IIS, Netscape, etc.) running the Web App (Perl, C++, CGI, JSP, ASP, PHP, etc.)

    Data Storage Layer: DB (SQL, Oracle, etc.), accessed via ADO, ODBC, etc.

  • Penetration Test Objectives

    Provides a snapshot of the current level of exposure

    Identify and prioritise visible vulnerabilities (whether from an external or internal network perspective)

    Provide recommendations to mitigate or rectify these vulnerabilities.

  • Web Application Penetration Test

    Automated Scanning vs Manual Penetration Testing

    Web application vulnerabilities can be grouped into two categories: Technical (Programmatic) and Logical (Business Logic)

    Both can be discovered by the OWASP Top 10

  • OWASP Top 10 WebApp Vulnerabilities

    A1 - Unvalidated Input

    A2 - Broken Access Control

    A3 - Broken Authentication and Session Management

    A4 - Cross Site Scripting (XSS) Flaws

    A5 - Buffer Overflows

    A6 - Injection Flaws

    A7 - Improper Error Handling

    A8 - Insecure Storage

    A9 - Denial of Service

    A10 - Insecure Configuration Management

    http://www.owasp.org

  • Automated Web Application Penetration Test

    Automated Web Application Vulnerability Scanning

    Focus on programmatic testing; technical vulnerabilities include:

    Cross-site scripting (XSS), Injection flaws, Buffer overflows, OWASP Top 10

    LHF (Low Hanging Fruit)

  • Manual Web Application Penetration Test

    Focus on logic testing

    Logical vulnerabilities are much harder to explicitly categorize

    Logical vulnerabilities manipulate the logic of the application to get it to do things it was never intended to do.

    eg 1: Reset user password by guessing the answer to the security question

    eg 2: Authenticated as User A, try to read User B's data

  • Things that automated tools can't do

    Automated tools can't (or can only partially) fill in forms for you automatically, so there is a coverage issue

    Automated tools can't test logical issues like authorization problems, since they don't understand your business logic

    Automated tools can't tell you the exact problem; you still need a human to understand and verify the vulnerabilities detected

  • NCS Web Application Pen-Test Methodology

    Black box testing approach

    Purely TCP 80/443 (or other predefined web services port)

    Hacking through a web browser and a web proxy (to manipulate variables and values sent across)

    Covers OWASP Top 10 Web Application Vulnerabilities

    Both automated (Programmatic) and manual (Business Logic) testing

    Led and executed by a Principal Consultant with a team of qualified and experienced (senior) consultants

    Phases: Preparation and Sandbox Definition; Reconnaissance and Account Harvesting; Vulnerability Scanning and Selection; Approvals and Execution of Exploits; Clean Up and Report Preparation

  • Enterprise Security Services

    [Diagram: NCS enterprise security services grouped by phase]

    ASSESS (Security Assessment Services): Policy Review, Compliance Reviews, Penetration Testing, Risk/Threat/Vulnerability Assessment

    DESIGN + EXECUTE (Enterprise Security Solutions): Identity Management, Policy Compliance, Endpoint Security, Threat Management, Access Control, Secure Networks, Intrusion Prevention, Content Security

    PROTECT (Managed Security Services): Incident Response, Log Analysis, Monitoring & Management, Security Advisories

    TRAIN (Education Services): Formal Vendor Education, Customised Courseware

  • Our Security Consulting Services

    Security Policy Development and Compliance Review

    Host and Application Security Compliance Review

    Network and Web Application Penetration Testing

    Security baseline creation and hardening


  • Firewall and logs correlation

  • Firewall Rules

    No. | Source | Destination | Service     | Action
    ----|--------|-------------|-------------|-------
    1   | Any    | Webservers  | http, https | Allow
    2   | Any    | Any         | Any         | Drop

    [Diagram label: Web servers, HTTP:80]
