Transcript
Page 1: Application Security Best Practices - cisco.com · Application Security Best Practices. Speaker Profile ... • Only in windows with firefox or IE ... • Hacking through a web browser

Wally LEE <[email protected]>, Principal Consultant

17/18 March 2009

Application Security Best Practices

Page 2

Speaker Profile

• Wally LEE
  – CISSP
  – BS7799 Lead Auditor
  – Certified Ultimate Hacking Instructor
  – Certified Ultimate Web Hacking Instructor

• Principal Consultant, NCS IT Security Consulting Services

• Security Practitioner with more than 14 years' experience

• Conducted numerous audits on agencies, ministries and FSI

• Conducted web application penetration tests on hundreds of Web Applications

• Security Expertise includes:
  – Web Application Penetration Test
  – Architecture Design
  – Compliance
  – OS Hardening
  – Computer Forensics
  – Incident Response
  – Audit

Page 3

AGENDA

• TCP Non-Blinding Spoofing attack Demo
• Firewall and Log correlation
• Application Security in Enterprise Network
• Web Application Testing and challenges
• Conclusions

Page 4

TCP Non-Blinding Spoofing attack

• Recent talk of famous sites redirecting to a specific China site

• TCP 3-way handshake

• Only in Windows with Firefox or IE (it doesn't matter which browser)

• Detailed explanation of how it takes advantage of the 3-way handshake

• Demo

Page 5

Web site being redirected…

http://www.zdnet.com.tw/news/web/0,2000085679,20136641,00.htm

Page 6

Background

• Some users in Taiwan are mysteriously redirected to a particular website in China (that hosts malware and a rumored 0-day IE exploit)
  – www.msn.com.tw, tw.msn.com, taiwan.cnet.com

• Not the famous DNS flaw (by Dan Kaminsky)

• It is confirmed that those sites are not compromised

Page 7

CISCO Advisory

Page 8

TCP 3-way handshake

Client → Server: SYN, Seq# 1234
Server → Client: SYN+ACK, Ack# 1235 + Seq# 5678
Client → Server: ACK, Ack# 5679
Client → Server: GET http://www.example.com, Seq# 5679, NxtSeq# 8888
Server → Client: HTTP Contents, Ack# 8888

Page 9

Non-blinding Attack

Client → Server: SYN, Seq# 1234
Server → Client: SYN+ACK, Ack# 1235 + Seq# 5678
Client → Server: ACK, Ack# 5679
Client → Server: GET http://www.example.com, Seq# 5679, NxtSeq# 8888
Attacker (spoofing Server) → Client: HTTP 302 Redirect, FIN + Ack# 8888 (arrives first)
Server → Client: HTTP Contents, Ack# 8888

Page 10

TCP Non-Blinding Spoofing

• Takes place when the attacker is on the same subnet as the victim

• The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately

• The biggest threat of spoofing in this instance would be session hijacking

• This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine

• Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection.

Page 11

Demo

Internet

GET http://www.example.com

302 Redirect http://www.malicious_site

Page 12

What happened?

• Windows received a FIN+ACK packet with a data payload of URL redirect content (HTTP 302 Document Moved)

• According to RFC 793, FIN+ACK packets are not supposed to carry any data payload

• Windows sent a RST+ACK error packet after it received the FIN+ACK packet
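As an added illustration of the anomaly this slide describes (not code from the deck), the Python below parses raw IPv4/TCP segments from a constructed capture and flags a server-side segment that delivers an HTTP 3xx redirect with FIN set, using the client's RST+ACK as corroboration. Addresses, port numbers, the packet bytes and the redirect target are all constructed placeholders.

```python
import struct
from dataclasses import dataclass
from typing import List

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes

def parse_ipv4_tcp(frame: bytes) -> Segment:
    """Parse a raw IPv4 packet carrying TCP (no Ethernet header; IP/TCP options tolerated)."""
    ihl = (frame[0] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4          # TCP header length in bytes
    return Segment(src, dst, sport, dport, seq, ack, off_flags & 0x1FF, tcp[data_off:])

def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Constructed test packet; checksums are left zero because the parser ignores them."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload), 0, 0x4000,
                         64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload

def find_fin_redirects(frames: List[bytes], web_ports=(80, 8080)) -> List[str]:
    """Flag server-side segments carrying an HTTP 3xx response with FIN set. A real server may
    piggy-back FIN on its last data segment, so a RST from the client is used as corroboration."""
    segs = [parse_ipv4_tcp(f) for f in frames]
    findings = []
    for i, s in enumerate(segs):
        if s.sport not in web_ports or not (s.flags & FIN) or not s.payload.startswith(b"HTTP/1."):
            continue
        status = s.payload.split(b" ", 2)[1]
        if not status.startswith(b"3"):
            continue
        msg = f"FIN-flagged segment from {s.src}:{s.sport} to {s.dst}:{s.dport} carries HTTP {status.decode()}"
        if any(t.flags & RST and t.src == s.dst and t.sport == s.dport and t.dst == s.src for t in segs[i + 1:]):
            msg += "; client answered with RST"
        findings.append(msg)
    return findings

# Constructed capture: handshake and GET, then the injected redirect and the client's RST+ACK.
CLIENT, SERVER = "192.168.1.20", "203.0.113.10"
REQ = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://malicious.example/\r\n\r\n"
SAMPLE_FRAMES = [
    build_ipv4_tcp(CLIENT, SERVER, 51000, 80, 1234, 0, SYN),
    build_ipv4_tcp(SERVER, CLIENT, 80, 51000, 5678, 1235, SYN | ACK),
    build_ipv4_tcp(CLIENT, SERVER, 51000, 80, 1235, 5679, ACK),
    build_ipv4_tcp(CLIENT, SERVER, 51000, 80, 1235, 5679, PSH | ACK, REQ),
    build_ipv4_tcp(SERVER, CLIENT, 80, 51000, 5679, 1235 + len(REQ), FIN | ACK, REDIRECT),
    build_ipv4_tcp(CLIENT, SERVER, 51000, 80, 1235 + len(REQ), 5679 + len(REDIRECT) + 1, RST | ACK),
]
```

Calling find_fin_redirects(SAMPLE_FRAMES) returns one finding for the injected segment; the same four-frame prefix without the redirect returns none.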

Page 13

One of the culprits

Page 14

Risks that we are (may be) facing

• Default Homepage on newly installed Windows machines (for Chinese Windows)

• Re-direct to phishing site

• Re-direct to site hosting malicious wares (rumored IE/Firefox 0-day exploit to take advantage of browser vulnerability)

• For more reading: http://armorize-cht.blogspot.com/2009/03/ip-spoofingarp-spoofingarprouter.html

Page 15

Web Application Security

Page 16

Web Application Hacking

75% of today’s attacks are on the web application (Gartner)

Attacks are mainly with criminal intent (vs trophy-hacking)

You can’t “patch” it, you need to rewrite code (it’s your own code)

Attacks cannot be readily detected if no one reviews database or web application transaction logs

Even the best programmers write insecure code

“Never trust data which is presented to you” – assume all input data and remote clients are hostile

A quick and dirty alternative to source code review

Page 17

Decompose Web App

• Web Application Components

Presentation Layer
  Client: IE, Firefox, Netscape, etc.
  Transport: HTTP request (clear-text or SSL); HTTP reply (HTML, JavaScript, VBScript, etc.)

Data Processing Layer
  Web Server: Apache, IIS, Netscape, etc.
  Web App: Perl, C++, CGI, JSP, ASP, PHP, etc.

Data Storage Layer
  DB: SQL, Oracle, etc. (accessed via ADO, ODBC, etc.)

Page 18

Penetration Test Objectives

• Provides a snapshot of the current level of exposure

• Identify & prioritise visible vulnerabilities (whether from an external or internal network perspective)

• Provide recommendations to mitigate or rectify these vulnerabilities.

Page 19

Web Application Penetration Test

• Automated Scanning vs Manual Penetration Testing

• Web application vulnerabilities can be grouped into two categories:
  – Technical (Programmatic)
  – Logical (Business Logic)

• Both can be discovered by OWASP Top 10

Page 20

OWASP Top 10 WebApp Vulnerabilities

• A1 - Unvalidated Input
• A2 - Broken Access Control
• A3 - Broken Authentication and Session Management
• A4 - Cross Site Scripting (XSS) Flaws
• A5 - Buffer Overflows
• A6 - Injection Flaws
• A7 - Improper Error Handling
• A8 - Insecure Storage
• A9 - Denial of Service
• A10 - Insecure Configuration Management

http://www.owasp.org

Page 21

Automated Web Application Penetration Test

• Automated Web Application Vulnerability Scanning

• Focus on programmatic tests

• Technical vulnerabilities include:
  – Cross-site scripting (XSS)
  – Injection flaws
  – Buffer overflows
  – OWASP Top 10

• LHF (Low Hanging Fruit)

Page 22

Manual Web Application Penetration Test

• Focus on logic testing

• Logical vulnerabilities are much harder to explicitly categorize

• Logical vulnerabilities manipulate the logic of the application to get it to do things it was never intended to do.

• e.g. 1: Reset a user's password by guessing the answer to the security question

• e.g. 2: Authenticated as User A, try to read User B's data

Page 23

Things that Automated tool can’t do

• Automated tools can't (or can only partially) fill in forms for you, so there is a coverage issue

• Automated tools can't test logical issues like authorization problems since they won't understand your business logic

• Automated tools can’t tell you the exact problem, you still need a human to understand and verify the vulnerabilities detected

Page 24

NCS Web Application Pen-Test Methodology

• “Black box” testing approach

• Purely TCP 80/443 (or other predefined web services port)

• Hacking through a web browser and a web proxy (to manipulate variables and values sent across)

• Covers OWASP Top 10 Web Application Vulnerabilities
  – Both automated (Programmatic) and manual (Business Logic) testing

• Led and executed by a Principal Consultant with a team of qualified and experienced (senior) consultants

Phases: Preparation and Sandbox Definition → Reconnaissance and Account Harvesting → Vulnerability Scanning and Selection → Approvals and Execution of Exploits → Clean Up and Report Preparation

Page 25

Enterprise Security Services

PROTECT (Managed Security Services): Incident Response; Log Analysis, Monitoring & Management; Security Advisories

DESIGN + EXECUTE (Enterprise Security Solutions): Identity Management; Policy Compliance; Endpoint Security; Threat Management; Access Control; Secure Networks; Intrusion Prevention; Content Security

ASSESS (Security Assessment Services): Policy Review; Compliance Reviews; Penetration Testing; Risk, Threat, Vulnerability Assessment

TRAIN (Education Services): Formal Vendor Education; Customised Courseware

Page 26

Our Security Consulting Services

• Security Policy Development and Compliance Review

• Host and Application Security Compliance Review

• Network and Web Application Penetration Testing

• Security baseline creation and hardening

ASSESS: Policy Review; Compliance Reviews; Penetration Testing; Risk, Threat, Vulnerability Assessment

Page 27

Firewall and logs correlation

Page 28

Firewall Rules

No.  Source  Destination  Service      Action
1    Any     Web servers  http, https  Allow
2    Any     Any          Any          Drop

Traffic observed on the wire towards the web servers: HTTP:80, FTP:21, Skype:80, MSN:80

Page 29

What are we running on port 80?

Collaboration / Media, SaaS, Personal

Page 30

Applications Have Changed – Firewalls Have Not

• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines trust boundary

• BUT… Applications Have Changed (Collaboration / Media, SaaS, Personal)
  - Ports ≠ Applications
  - IP Addresses ≠ Users
  - Packets ≠ Content

Need to Restore Visibility and Control in the Firewall

Page 31

Limitation of current Firewall

• Unable to identify applications – only ports and protocols

• Cannot see user identity from AD – only IP addresses (DHCP)

• Need to correlate IP address with user credential

• Integration of firewall with AD to get credential?

• Not able to isolate access based on group, function, user credential etc.

Page 32

Policy-based Control Isolates Access

Zones: WAN and Internet; Users; Finance Users; Development Servers; Infrastructure Servers; Cardholder Servers

• Limit access to cardholder zone to only Finance users in Active Directory (rule 1)

• Limit application usage to only Oracle (rule 1)

• Block inbound threats (rule 1)

• Monitor/block outbound cardholder data transfer (rule 1)

• Deny and log all else (rule 2)

Page 33

Logs Correlation

• To log or not to log, that’s the question

• To log centrally

• To correlate the logs
  – Firewall, IPS/IDS
  – Web servers
  – Web application
  – Databases

• SIEM solution

Page 34

Where are the logs?

Network Tier (Internet, IPS): src ip & src port, dst ip & dst port
Presentation Tier (Web Servers): Web user ID
Application Tier (Application Servers): Application logs
Data Storage Tier: DB logs
Also: OS Logs, Exchange, AD

Page 35

Information Overload

• The problem with threat detection systems (e.g. IPS) is that they produce so much information that it’s difficult to determine what information requires action.

Page 36

Security Event Management Challenges

Security Information Management → Security Intelligence: Correlation, Prioritization, Workflow

Funnel:
  Network, Host, and Security Log Data: 10,000,000s
  Events: 100,000s
  Incidents: 100s

Log Consolidation / Event Management sources: IDS/IPS, IDM, Firewall, Antivirus, Policy Compliance, Vulnerability Assessment

Security information data overload: What business assets are threatened? What course of action should I take to remediate threats?

Consumers: Help Desk, Legal Dept, Compliance

Page 37

Issues that the Enterprise Network is facing

• Too many logs, normalization and filtering are a necessity

• Sophisticated attacks need logs from multiple devices to correlate

• Web application logs and backend db connection not in sync

• Each device provides its own perspective of events (may or may not be useful)

• Need common linkage information from additional devices
  – Web Application firewall, database gateway

Page 38

What to correlate? Web Users < = > DB ?

Network Tier (Internet, IPS): src ip & src port, dst ip & dst port
Presentation Tier (Web Servers, WAF): Web user ID
Application Tier (Application Servers): Application logs
Data Storage Tier (DB firewall): DB logs
Also: OS Logs, Exchange, AD

Page 39

User Knowledge

• Connection pooling (one DB account for many app users) makes it difficult to tell who accessed what data

• With web application firewall and DB gateway logging, we could track what data was accessed through the application by which web user

Tracks Web Users to the Database
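To show the kind of correlation the two bullets above describe (an added example, not code from the deck or any NCS tooling), the Python below joins constructed WAF, DB gateway and DHCP log lines: each query the DB gateway sees under the pooled account is attributed to a web user by app server and time window, narrowed by literals the URL and the SQL share, and the source IP is resolved to a host through its DHCP lease. Log formats, hostnames, users and addresses are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

TS = "%Y-%m-%d %H:%M:%S"
LINE = re.compile(r"^(\S+ \S+) ((?:\w+=\S+ )*)(.*)$")   # timestamp, leading key=value fields, free text
KV = re.compile(r"(\w+)=(\S+)")
NUM = re.compile(r"\d{3,}")                                # literals (account ids etc.) shared by URL and SQL
LEASE = re.compile(r"DHCPACK on (\S+) to \S+ \((\S+)\)")   # constructed ISC-style lease line

def parse_events(log: str) -> List[dict]:
    """Turn 'timestamp key=value ... message' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        stamp, fields, msg = LINE.match(line).groups()
        ev = {"ts": datetime.strptime(stamp, TS), "msg": msg}
        ev.update(KV.findall(fields))
        events.append(ev)
    return events

def dhcp_leases(log: str) -> Dict[str, str]:
    """Map client IP -> hostname, so a source IP can be named (IP addresses != users)."""
    return {ip: host for ev in parse_events(log) for ip, host in LEASE.findall(ev["msg"])}

def attribute_queries(waf_log: str, dbgw_log: str, dhcp_log: str, window_s: int = 1) -> List[dict]:
    """For each query seen by the DB gateway under the pooled account, name the web user behind it."""
    waf, leases, window = parse_events(waf_log), dhcp_leases(dhcp_log), timedelta(seconds=window_s)
    results = []
    for q in parse_events(dbgw_log):
        # 1. WAF requests that hit the same app server within the time window
        cands = [r for r in waf if r["app"] == q["app"] and abs(r["ts"] - q["ts"]) <= window]
        # 2. if several users fit, prefer requests that share a literal with the SQL
        if len({r["user"] for r in cands}) > 1:
            lits = set(NUM.findall(q["msg"]))
            cands = [r for r in cands if lits & set(NUM.findall(r["msg"]))] or cands
        users = sorted({r["user"] for r in cands})
        if len(users) == 1:
            src = cands[0]["src"]
            results.append({"sql": q["msg"], "status": "attributed", "user": users[0], "host": leases.get(src, src)})
        else:
            results.append({"sql": q["msg"], "status": "ambiguous" if users else "unattributed", "user": users})
    return results

# Constructed sample logs (not from the deck): one app server, one pooled DB account.
DHCP_LOG = """\
2009-03-17 09:58:40 DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (FIN-WS-07)
2009-03-17 09:59:02 DHCPACK on 10.1.5.40 to 66:77:88:99:aa:bb (DEV-WS-12)"""
WAF_LOG = """\
2009-03-17 10:02:11 src=10.1.5.23 user=alice app=10.1.9.8 GET /account?id=1001
2009-03-17 10:02:13 src=10.1.5.40 user=bob app=10.1.9.8 GET /account?id=2002
2009-03-17 10:02:20 src=10.1.5.23 user=alice app=10.1.9.8 GET /statement?id=1001
2009-03-17 10:02:20 src=10.1.5.40 user=bob app=10.1.9.8 GET /account?id=2002"""
DBGW_LOG = """\
2009-03-17 10:02:11 app=10.1.9.8 dbuser=app_pool SELECT * FROM accounts WHERE id=1001
2009-03-17 10:02:13 app=10.1.9.8 dbuser=app_pool SELECT * FROM accounts WHERE id=2002
2009-03-17 10:02:20 app=10.1.9.8 dbuser=app_pool SELECT * FROM statements WHERE acct=1001
2009-03-17 10:02:21 app=10.1.9.8 dbuser=app_pool SELECT COUNT(*) FROM sessions"""

if __name__ == "__main__":
    for row in attribute_queries(WAF_LOG, DBGW_LOG, DHCP_LOG):
        print(row["status"], row["user"], row.get("host", ""), "<-", row["sql"])
```

The last query stays ambiguous because two users were active in the window and the SQL carries no literal to tie it back: exactly the gap the pooled account leaves when the WAF and DB gateway share no request identifier.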

Page 40

Attack → logs touched along the path: Firewall Logs; DHCP Logs; Web Login / AD Username; Application Logs; Database Logs; Router / Switches Logs; IPS Logs

Logs lifecycle?

Page 41

Enterprise Security Services

PROTECT (Managed Security Services): Incident Response; Log Analysis, Monitoring & Management; Security Advisories

DESIGN + EXECUTE (Enterprise Security Solutions): Identity Management; Policy Compliance; Endpoint Security; Threat Management; Access Control; Secure Networks; Intrusion Prevention; Content Security

ASSESS (Security Assessment Services): Policy Review; Compliance Reviews; Penetration Testing; Risk, Threat, Vulnerability Assessment

TRAIN (Education Services): Formal Vendor Education; Customised Courseware

Page 42

Why Us?

• Real-world experience

• People, Process, Technology approach

• Understand the lifecycle process

• Standards-compliant

• Technical excellence

• Defence-in-Depth strategy

• Strong business and technology partnerships

Page 43

Thank You | Let us be a Value Creator for your organisation