Application Security Best Practices
Wally LEE, Principal Consultant
17/18 March 2009
Speaker Profile
Wally LEE, CISSP, BS7799 Lead Auditor, Certified Ultimate Hacking Instructor, Certified Ultimate Web Hacking Instructor
Principal Consultant, NCS IT Security Consulting Services
Security practitioner with more than 14 years of experience
Conducted numerous audits on agencies, ministries and FSI
Conducted web application penetration tests on hundreds of web applications
Security expertise includes: web application penetration testing, architecture design, compliance, OS hardening, computer forensics, incident response, audit.
AGENDA
TCP Non-Blinding Spoofing attack Demo
Firewall and Log correlation
Application Security in Enterprise Network
Web Application Testing and challenges
Conclusions
TCP Non-Blinding Spoofing attack
Recent talk about famous sites being redirected to a specific China site
TCP 3-way handshake
Only in Windows, with Firefox or IE (it doesn't matter which browser)
Detailed explanation on how it takes advantage of the 3-way handshake
Demo
Web site being redirected.
http://www.zdnet.com.tw/news/web/0,2000085679,20136641,00.htm
Background
Some users in Taiwan are mysteriously redirected to a particular website in China (that hosts malware and a rumored 0-day IE exploit)
www.msn.com.tw, tw.msn.com, taiwan.cnet.com
Not the famous DNS flaw (by Dan Kaminsky)
It is confirmed those sites are not compromised
CISCO Advisory
TCP 3-way handshake (Client <-> Server)
Client -> Server: SYN, Seq# 1234
Server -> Client: SYN+ACK, Ack# 1235, Seq# 5678
Client -> Server: ACK, Ack# 5679
Client -> Server: GET http://www.example.com, Seq# 5679, NxtSeq# 8888
Server -> Client: HTTP Contents, Ack# 8888
Non-Blinding Attack (Client <-> Server, attacker injecting a spoofed reply)
Client -> Server: SYN, Seq# 1234
Server -> Client: SYN+ACK, Ack# 1235, Seq# 5678
Client -> Server: ACK, Ack# 5679
Client -> Server: GET http://www.example.com, Seq# 5679, NxtSeq# 8888
Attacker -> Client (spoofed as Server): HTTP 302 Redirect, FIN+ACK, Ack# 8888
Server -> Client: HTTP Contents, Ack# 8888
TCP Non-Blinding Spoofing
Takes place when the attacker is on the same subnet as the victim
The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately
The biggest threat of spoofing in this instance would be session hijacking
This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine
Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection.
Demo
Client -> Internet: GET http://www.example.com
Spoofed reply: 302 Redirect http://www.malicious_site
What happened?
Windows received a FIN+ACK packet with a data payload of URL redirect content (HTTP 302 Document Moved)
According to RFC 793, FIN+ACK packets are not supposed to carry any data payload
Windows sent a RST+ACK error packet after it received the FIN+ACK packet
One of the culprits
Risks that we are (or may be) facing
Default homepage on newly installed Windows machines (for Chinese Windows)
Redirect to phishing site
Redirect to site hosting malicious wares (rumored IE/Firefox 0-day exploit to take advantage of browser vulnerability)
For more reading: http://armorize-cht.blogspot.com/2009/03/ip-spoofingarp-spoofingarprouter.html
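The symptoms the slides describe (a FIN+ACK carrying a 302 body, a second reply for the same sequence number, the client answering with RST+ACK) can be checked for offline in a capture. The following is an added example, not code from the slides or from NCS: it replays a constructed packet list modelled on the exchange above and flags the injection indicators a defender would look for. The Segment class, the find_injection_indicators() function, the addresses and the TTL values are all assumptions of this example; the TTL check is a general technique (a spoofed segment from a host on a different path usually shows a TTL that differs from the real server's handshake), not something the slides state.

```python
"""Added example (not from the slides): flag indicators of a non-blind TCP
injection of the kind described above, over a constructed packet list.
Segment and find_injection_indicators() are assumptions of this example."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str           # source IP
    dst: str           # destination IP
    seq: int           # TCP sequence number
    ack: int           # TCP acknowledgement number
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""
    ttl: int = 64      # IP TTL as seen on the wire


def find_injection_indicators(segments, client, server):
    """Return (index, reason) pairs for one client<->server flow.

    Server->client signals checked:
      1. a FIN-bearing segment that also carries data (the slide's observation),
      2. data for a sequence number already seen with a different payload
         (the spoofed reply and the real reply race for the same seq),
      3. a TTL that differs from the TTL of the server's SYN+ACK.
    Client-side symptom: RST+ACK sent after a data-bearing FIN.
    """
    findings = []
    baseline_ttl = None
    seen = {}            # seq -> (index, payload) for server->client data
    last_data_fin = None
    for i, s in enumerate(segments):
        if s.src == client and s.dst == server:
            if "RST" in s.flags and last_data_fin is not None:
                findings.append((i, f"client RST+ACK after data-bearing FIN at index {last_data_fin}"))
            continue
        if s.src != server or s.dst != client:
            continue
        if "SYN" in s.flags and "ACK" in s.flags:
            baseline_ttl = s.ttl          # handshake sets the expected TTL
            continue
        if baseline_ttl is not None and s.ttl != baseline_ttl:
            findings.append((i, f"TTL {s.ttl} differs from handshake TTL {baseline_ttl}"))
        if "FIN" in s.flags and s.payload:
            findings.append((i, "FIN+ACK segment carries a data payload"))
            last_data_fin = i
        if s.payload:
            prev = seen.get(s.seq)
            if prev is not None and prev[1] != s.payload:
                findings.append((i, f"seq {s.seq} already seen with a different payload (index {prev[0]})"))
            else:
                seen.setdefault(s.seq, (i, s.payload))
    return findings


# Constructed capture (addresses, TTLs and sequence numbers are made up).
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SPOOFED = b"HTTP/1.1 302 Found\r\nLocation: http://malicious.invalid/\r\n\r\n"
REAL = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
F = frozenset

CAPTURE = [
    Segment(CLIENT, SERVER, 1234, 0, F({"SYN"}), ttl=128),
    Segment(SERVER, CLIENT, 5678, 1235, F({"SYN", "ACK"}), ttl=53),
    Segment(CLIENT, SERVER, 1235, 5679, F({"ACK"}), ttl=128),
    Segment(CLIENT, SERVER, 1235, 5679, F({"ACK"}), GET, ttl=128),
    # a host on the client's subnet sniffed the numbers and raced the server:
    Segment(SERVER, CLIENT, 5679, 1235 + len(GET), F({"FIN", "ACK"}), SPOOFED, ttl=64),
    Segment(SERVER, CLIENT, 5679, 1235 + len(GET), F({"ACK"}), REAL, ttl=53),
    Segment(CLIENT, SERVER, 1235 + len(GET), 5679 + len(SPOOFED) + 1, F({"RST", "ACK"}), ttl=128),
]

if __name__ == "__main__":
    for index, reason in find_injection_indicators(CAPTURE, CLIENT, SERVER):
        print(f"segment {index}: {reason}")
```

Run stand-alone, the script reports four indicators: two on the spoofed segment (TTL mismatch and data on FIN), one on the genuine reply (same sequence number, different payload) and one on the client's RST+ACK. A capture with only the genuine reply produces no findings, which is the negative test worth keeping next to a detector like this.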
Web Application Security
Web Application Hacking
75% of today's attacks are on the web application (Gartner)
Attacks are mainly with criminal intent (vs trophy-hacking)
You can't patch it, you need to rewrite code (it's your own code)
Attacks cannot be readily detected if no one reviews database or web application transaction logs
Even the best programmers write insecure code
Never trust data which is presented to you: assume all input data and remote clients are hostile
A quick and dirty alternative to source code review
Decompose Web App: Web Application Components
Presentation Layer: Client (IE, Firefox, Netscape, etc.) sends an HTTP request over the transport (clear-text or SSL) and receives an HTTP reply (HTML, JavaScript, VBScript, etc.)
Data Processing Layer: Web Server (Apache, IIS, Netscape, etc.) hosting the Web App (Perl, C++, CGI, JSP, ASP, PHP, etc.)
Data Storage Layer: DB (SQL, Oracle, etc.), reached from the Web App via ADO, ODBC, etc.
Penetration Test Objectives
Provides a snapshot of the current level of exposure
Identify & prioritise visible vulnerabilities (whether from an external or internal network perspective)
Provide recommendations to mitigate or rectify these vulnerabilities.
Web Application Penetration Test
Automated Scanning vs Manual Penetration Testing
Web application vulnerabilities can be grouped into two categories: Technical (Programmatic) and Logical (Business Logic)
Both can be discovered by OWASP Top 10
OWASP Top 10 WebApp Vulnerabilities
A1 - Unvalidated Input
A2 - Broken Access Control
A3 - Broken Authentication and Session Management
A4 - Cross Site Scripting (XSS) Flaws
A5 - Buffer Overflows
A6 - Injection Flaws
A7 - Improper Error Handling
A8 - Insecure Storage
A9 - Denial of Service
A10 - Insecure Configuration Management
http://www.owasp.org
Automated Web Application Penetration Test
Automated Web Application Vulnerability Scanning
Focus on programmatic tests. Technical vulnerabilities include:
Cross-site scripting (XSS)
Injection flaws
Buffer overflows
OWASP Top 10
LHF (Low Hanging Fruit)
Manual Web Application Penetration Test
Focus on logic testing
Logical vulnerabilities are much harder to explicitly categorize
Logical vulnerabilities manipulate the logic of the application to get it to do things it was never intended to do.
eg 1: Reset user password by guessing the answer to the security question
eg 2: Authenticated as User A, try to read User B's data
Things that automated tools can't do
Automated tools can't (or can only partially) fill in forms for you automatically, so there is a coverage issue
Automated tools can't test logical issues like authorization problems since they won't understand your business logic
Automated tools can't tell you the exact problem; you still need a human to understand and verify the vulnerabilities detected
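The authorization problem from eg 2 above is the kind of flaw a scanner cannot see, because both the broken and the correct handler return a well-formed response to a logged-in user. The following is an added example, not code from the slides or from NCS: a minimal record lookup in two versions, one that only checks for a session and one that checks ownership against the session identity, plus the manual check a tester would make (logged in as alice, ask for bob's record). The in-memory RECORDS store, the Session class, the handler names and the sample users are assumptions of this example.

```python
"""Added example (not from the slides): the 'User A reads User B's data'
logic flaw beside a fixed version. RECORDS, Session, Forbidden and the
handler names are assumptions of this example."""
from dataclasses import dataclass

# Constructed data: two users, each owning one record.
RECORDS = {
    101: {"owner": "alice", "balance": 500},
    102: {"owner": "bob", "balance": 1200},
}


@dataclass
class Session:
    user: str   # authenticated username taken from the server-side session,
                # never from a request parameter


class Forbidden(Exception):
    pass


def get_record_vulnerable(session, record_id):
    """Checks only that the caller is logged in: any valid session reads any id.
    A scanner sees a normal 200 response and has no way to know it is wrong."""
    if session is None:
        raise Forbidden("login required")
    return RECORDS[record_id]


def get_record_fixed(session, record_id):
    """Ownership is enforced server-side against the session identity."""
    if session is None:
        raise Forbidden("login required")
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session.user:
        # One answer for 'not yours' and 'does not exist' so the id space
        # cannot be mapped out by comparing responses.
        raise Forbidden("no such record")
    return record


def leaks_other_users_data(handler):
    """The manual test from eg 2: authenticated as alice, request bob's record.
    Returns True when the handler hands over the other user's data."""
    try:
        handler(Session("alice"), 102)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_record_vulnerable), ("fixed", get_record_fixed)):
        print(f"{name}: leaks other user's data = {leaks_other_users_data(handler)}")
```

The point of keeping the probe as a function is that it can live in the application's own test suite: the business rule "a user may read only their own records" is exactly the kind of check the slides say a tool will not derive on its own, so it has to be written down once by someone who knows the rule.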
NCS Web Application Pen-Test Methodology
Black box testing approach
Purely TCP 80/443 (or other predefined web services port)
Hacking through a web browser and a web proxy (to manipulate variables and values sent across)
Covers OWASP Top 10 Web Application Vulnerabilities
Both automated (Programmatic) and manual (Business Logic) testing
Led and executed by a Principal Consultant with a team of qualified and experienced (senior) consultants
Preparation and Sandbox Definition
Reconnaissance and Account Harvesting
Vulnerability Scanning and Selection
Approvals and Execution of Exploits
Clean Up and Report Preparation
Enterprise Security Services
ASSESS (Security Assessment Services): Policy Review, Compliance Reviews, Penetration Testing, Risk, Threat, Vulnerability Assessment
DESIGN + EXECUTE (Enterprise Security Solutions): Identity Management, Policy Compliance, Endpoint Security, Threat Management, Access Control, Secure Networks, Intrusion Prevention, Content Security
PROTECT (Managed Security Services): Incident Response, Log Analysis, Monitoring & Management, Security Advisories
TRAIN (Education Services): Formal Vendor Education, Customised Courseware
Our Security Consulting Services
Security Policy Development and Compliance Review
Host and Application Security Compliance Review
Network and Web Application Penetration Testing
Security baseline creation and hardening
Firewall and logs correlation
Firewall Rules

No.  Source  Destination  Service      Action
1    Any     Webservers   http, https  Allow
2    Any     Any          Any          Drop

Web servers: HTTP:80
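Reading the rule table above the way the firewall does (first match wins, rule 2 is the cleanup rule) is what makes the log useful: every connection that reaches rule 2 is traffic the policy never intended, and counting those per source is the simplest correlation there is. The following is an added example, not code from the slides or from NCS: it encodes the two rules as data, evaluates constructed connection records against them and tallies cleanup-rule drops per source. The Rule class, the Webservers address group, the service definitions and the log format are assumptions of this example.

```python
"""Added example (not from the slides): first-match evaluation of the rule
table above over constructed connection records, then a per-source count of
cleanup-rule drops. Rule, GROUPS, SERVICES and the log format are assumptions."""
from collections import Counter
from dataclasses import dataclass

# Constructed object group and service definitions standing in for the firewall's.
GROUPS = {"Webservers": {"203.0.113.10", "203.0.113.11"}}
SERVICES = {"http": {("tcp", 80)}, "https": {("tcp", 443)}}


@dataclass(frozen=True)
class Rule:
    number: int
    source: str        # "Any" or a group name
    destination: str   # "Any" or a group name
    service: str       # "Any" or comma-separated service names
    action: str        # "Allow" or "Drop"


# The two rules from the table above.
RULES = [
    Rule(1, "Any", "Webservers", "http,https", "Allow"),
    Rule(2, "Any", "Any", "Any", "Drop"),
]


def _match_addr(spec, ip):
    return spec == "Any" or ip in GROUPS.get(spec, set())


def _match_service(spec, proto, port):
    if spec == "Any":
        return True
    return any((proto, port) in SERVICES[name] for name in spec.split(","))


def evaluate(rules, src, dst, proto, port):
    """Return (rule number, action) of the first matching rule, or None."""
    for r in rules:
        if (_match_addr(r.source, src) and _match_addr(r.destination, dst)
                and _match_service(r.service, proto, port)):
            return r.number, r.action
    return None


# Constructed connection log: "src dst proto port", one connection per line.
LOG = """\
198.51.100.5 203.0.113.10 tcp 80
198.51.100.5 203.0.113.10 tcp 443
198.51.100.7 203.0.113.10 tcp 22
198.51.100.7 203.0.113.11 tcp 3306
198.51.100.7 203.0.113.10 tcp 1433
198.51.100.9 203.0.113.10 tcp 80
"""


def correlate(rules, log_text):
    """Run every log line through the ruleset and count drops per source."""
    drops = Counter()
    for line in log_text.splitlines():
        src, dst, proto, port = line.split()
        verdict = evaluate(rules, src, dst, proto, int(port))
        if verdict is not None and verdict[1] == "Drop":
            drops[src] += 1
    return drops


if __name__ == "__main__":
    for src, count in correlate(RULES, LOG).most_common():
        print(f"{src}: {count} connections dropped by the cleanup rule")
```

On the constructed log, one source is responsible for all three drops (SSH, MySQL and MSSQL ports on the web servers), which is the pattern a log review is meant to surface; the two allowed sources never appear in the drop count.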