Web application security qa2010

1. Web Application Security: What hackers are doing with your bugs

Adi Sharabani, IBM Rational Security Strategist, IBM Master Inventor

2. About Me

  • My name is Adi Sharabani
  • Security Strategist for IBM Rational
  • Used to manage the Rational Application Security Research
  • 15 years of experience in Security
  • OWASP IL Committee
  • Application Security Insider Blog: http://blog.watchfire.com
  • Also, very proud to be a teacher in Ohel Shem, Ramat Gan

3. Web App Vulnerabilities Continue to Dominate

  • 55% of all vulnerabilities are Web application vulnerabilities.
  • Cross-Site Scripting & SQL injection vulnerabilities continue to dominate.

4. Agenda

  • Theoretical part:
    • Same Origin Policy
    • Cross-Site Scripting
  • Practical part:
    • Demonstrating a real attack

5. Browser Scripting Capabilities

  • What can scripts do:
    • Scripts can perform user interactions with the site
    • Scripts can seamlessly interact with the web site
    • Can perform any action that is related to the site
    • Can launch signed and safe ActiveX controls

6. Scripting Restrictions: Same Origin Policy

  • What scripts cannot do:
    • Scripts can only interact with the domain they came from
    • Scripts can send requests and receive responses only from their own domain
    • Scripts can access other browser frames only from the same domain
    • Scripts can issue requests to other domains (but cannot view the corresponding responses)

[Diagram: frames labelled a.com, b.com and a.com illustrating the Same Origin Policy]

7. XSS 101

  • XSS occurs when user input (JavaScript) is returned by the web application as is:
  • Simple exploit:
    • http://www.thebank.site/action?param=
  • Result:
    • Injected script returned by the server and executed by the victim's browser
  • XSS breaks the Same-Origin Policy
    • The vulnerable domain may now return arbitrary JavaScript
  • Vulnerable code (the parameter is written to the response without encoding):
    • String data = request.getParameter("param");
    • out.println(data);
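
The pattern on this slide, echoing request.getParameter() straight into the response, shown beside a hardened version that HTML-encodes the value first. This is an added example, not code from the presentation; the request is modelled as a plain Map so it runs without a servlet container, and the encoder covers the HTML-body context only.

```java
import java.util.Map;

public class ReflectedXssDemo {

    // Vulnerable: the untrusted parameter is echoed into the HTML body as-is,
    // so any markup the attacker puts in the link is parsed as page content.
    static String vulnerablePage(Map<String, String> request) {
        String data = request.get("param");
        return "<html><body>You searched for: " + data + "</body></html>";
    }

    // Hardened: the same value is entity-encoded for the HTML-body context
    // before it reaches the response, so it renders as text, not markup.
    static String hardenedPage(Map<String, String> request) {
        String data = request.get("param");
        return "<html><body>You searched for: " + htmlEscape(data) + "</body></html>";
    }

    // Encoder for the HTML text context: the five characters that can open or
    // close markup. Attribute, URL and JavaScript contexts need their own encoders.
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input standing in for the query parameter of a crafted link.
        Map<String, String> request = Map.of("param", "<script>alert(1)</script>");
        String vulnerable = vulnerablePage(request);
        String hardened = hardenedPage(request);
        System.out.println("vulnerable page contains raw <script>: " + vulnerable.contains("<script>"));
        System.out.println("hardened page contains raw <script>:   " + hardened.contains("<script>"));
        System.out.println(hardened);
    }
}
```

Running it shows the hardened page carrying `&lt;script&gt;` where the vulnerable page carries executable `<script>`, which is the check a QA tester can apply to any reflected parameter.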

8. Cross Site Scripting: The Exploit Process

  • Actors: Evil.org, TheBank.site, User
  • Step 1: Link to bank.com sent to user via E-mail or HTTP
  • Step 2: User sends script embedded as data
  • Step 3: Script returned, executed by browser

9. Exploiting XSS

  • If I can get you to run my JavaScript, I can
    • Steal your cookies for the domain you're browsing
    • Completely modify the content of any page you see on this domain
    • Track every action you do in that browser from now on
    • Redirect you to a Phishing site
    • Exploit browser vulnerabilities to take over your machine
  • XSS is one of the top web security risks today (the most exploited)

10. Demo

11. There are solutions for this!

  • Education:
    • Secure coding for developers
    • Security testing for QA
  • Tools:
    • Such as Rational AppScan (both black-box and white-box)
  • Development process:
    • Integration into the development lifecycle

12. ? [email_address] http://blog.watchfire.com