Web Application Security: “Securing from the Ground Up”
Presenters: Charles Smith & Michael Spaulding
What is Web Application Security?
Web Applications exist in many forms. Some search, some count, others even transfer money within your bank accounts. Web Applications are employed to carry out many mission-critical tasks and if anything is certain, our reliance upon web applications will continue to grow.
Simply put, Web Application Security is the achievement of an acceptable level of security assurance of a web application solution.
Security Assurance = CIA (Confidentiality, Integrity, Availability)
Why is web application security important?
Before software functionality could be delivered via the web, software developers’ security concerns were relative to network and OS level threats, given that their user base was limited to internal or WAN networks. All this has now changed. Web developers now create software that runs on web servers accessed by anyone, anywhere. The scope and magnitude of their software delivery has increased exponentially, and in so doing, security issues have also risen that are now web-centric and totally bypass the legacy network and OS based defensive strategy.
- Browser Hi-Jacking
- Cookie Theft
- Server & Client Compromise
- Denial of Service
- Abuse
- User Privacy Invasion
Pay Me Now Or Pay Me Later
Security problems are found in the Design, Build and Deployment/Maintenance phases of the application lifecycle. A problem identified in any phase after the initial build may cause the code to go back to the design stage to be addressed, and then to pass through the necessary development phases again. This obviously adds time, cost and resource conflicts to the entire development process. It is well known that fixing a problem found in the Testing phase is about 2-5 times more expensive than fixing it in the coding phase, and fixing a problem found in the Maintenance (deployment and beyond) phase is 5-7 times more expensive than fixing it in the coding phase.
What Is The Ultimate Cost For Not Addressing Security Early?
Digital Security Landscape: The Fourth Level of Web Security
(Diagram: four layers, each with the security control applied at that layer and the threat behavior it addresses)
1. Desktop: Antivirus Protection vs. Disruption
2. Transport: Encryption (SSL) vs. Interception
3. Network: Firewalls / Advanced Routers vs. Illegal Access
4. Web Applications: Manual Patching and Code Review vs. Web Perversion
What is a Web Application?
The business logic that enables:
- The user’s interaction with the Web site
- Transacting/interfacing with back-end data systems (databases, CRM, ERP etc.)
In the form of:
- 3rd party packaged software, i.e. web server, shopping cart software, personalization engines etc.
- Code developed in-house / by a web builder / by a system integrator
Input and Output flow through each layer of the application. A break in any layer breaks the whole application.
(Diagram of the layers: Browser -> User Input (HTML/HTTP) -> Web Server -> User Interface Code -> Front-end Application -> Back-end Application -> Database -> Data)
Web Manipulation Examples
Web Threat Objectives: the manipulation of web applications for a purpose. Through a browser, a hacker can use even the smallest bug or backdoor to change, or distort, the intent of the application.
Application | Attack | Objective
- Form field (collect data) | Buffer overflow | Crash servers / close business
- Online shopping | Hidden fields | eShoplifting
- Sloppy code | Debug options | Download proprietary database
- Text field (collect data) | Cross Site Scripting | eHijacking: get account info
- Customer account | Cookie poisoning | Identity theft
The Web’s 7 Deadly Sins
The results of over 300 AppAudits conducted with AppScan: 97% of sites are vulnerable.
(Pie chart of the share per category: slices of 25%, 7%, 7%, 7% and 4% are legible; their labels did not survive extraction.)
- Hidden Field Manipulation
- Cookie Poisoning
- Application Buffer Overflow
- Third-Party Misconfiguration
- Cross-Site Server Scripting
- Parameter Tampering
- SQL Injection
Hidden Field Manipulation
Vulnerability explanation:
The application sends data to the client using a hidden field in a form. Modifying the hidden field damages the data returning to the web application.
Why Hidden Field Manipulation:
Passing hidden fields is a simple and efficient way to pass information from one part of the application to another (or between two applications) without the use of complex backend systems.
As a result of this manipulation:
The application acts according to the changed information and not according to the original data.
Hidden Field Manipulation - Example (screenshot slides; images not preserved)
Cookie Poisoning
Vulnerability explanation:
The session information contained within the cookie is changed to a different value, causing the application to shift to the new session ID.
Why Cookie Poisoning:
Some session IDs are not secure, e.g. not encrypted, or weakly encrypted or hashed. This is generally due to a lack of cryptographic expertise on the part of developers.
As a result of this manipulation:
Hackers can assume the user’s identity and have access to that user’s information: identity theft/impersonation.
Cookie Poisoning - Example (screenshot slides; images not preserved)
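An added example, not from the deck: one way to make a session cookie poisoning-resistant is to issue an unpredictable ID and bind it to a server-side key with an HMAC, so any edited value fails verification before the application looks up a session. The key, cookie layout and function names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: the server key would come from configuration in a real
# deployment; this value exists only so the block runs stand-alone.
SERVER_KEY = b"example-only-key-not-for-production"


def new_session_id() -> str:
    """Unpredictable session ID: never a counter, a user ID, or a weak hash of one."""
    return secrets.token_urlsafe(32)


def sign_session_id(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value '<session_id>.<mac>'; the MAC binds the ID to the server key."""
    mac = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the session ID if the cookie is intact, None if it was altered.

    A poisoned cookie (ID edited to another user's value) fails the MAC check,
    so the application never 'shifts' to a session the client did not receive.
    """
    session_id, sep, mac = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak the MAC via timing
    if not hmac.compare_digest(mac, expected):
        return None
    return session_id
```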
Backdoor & Debug options
Vulnerability explanation:
The application has hidden debug options that can be activated by sending a specific parameter or sequence.
Why Backdoor and Debug options:
1. Leaving debug options in the code enables developers to find and fix bugs faster
2. Developers leave backdoors as a way of guaranteeing their access to the system
As a result of this manipulation:
Activation of the hidden debug option allows the hacker to have extreme access to the application (usually unlimited).
Backdoor & Debug options - Example (screenshot slides; images not preserved)
Application Buffer Overflow
Vulnerability explanation:
Exploiting a flaw in a form to overload the server with excess information: sending more characters than the application expects causes it to misbehave.
Why Application Buffer Overflow:
The application does not check the number of characters.
As a result of this manipulation:
The application crashes and in many cases causes the whole site to shut down (DoS). In other cases, the application executes the code received as the input.
Application Buffer Overflow - Example (screenshot slides; images not preserved)
Stealth Commanding
Vulnerability explanation:
Concealing dangerous commands via a Trojan horse with the intent to run malicious or unauthorized code that is damaging to the site.
Why Stealth Commanding:
Applications tend to use the content received from a field to evaluate a new command. However, they assume that the content is only data and not executable code.
As a result of this manipulation:
The hacker can perform any command on the web server, including complete shut down, defacement, or access to all information.
Stealth Commanding - Example (screenshot slides; images not preserved)
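An added example, not from the deck: the "field content becomes a command" mistake the slide describes, beside a form that treats the field strictly as data. The scenario (a form that pings a host the user types in), the hostname allowlist and the function names are this example's own assumptions.

```python
import re
import subprocess

# Constructed example: a "check host reachability" form whose text field is
# used to build a ping command. Function names are this example's own.

# Allowlist: hostname labels only (no shell metacharacters, no leading dash).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$")


def unsafe_command(host: str) -> str:
    """The pattern the slide warns about: field content spliced into a shell
    command string. Anything the shell treats as a command separator inside
    'host' becomes a second command when this string is run with shell=True."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Treat the field as data: accept only strings that can be a hostname."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("rejected host value")
    return host


def safe_argv(host: str) -> list:
    """Hardened form: an argument list and no shell, so the value is always
    exactly one argv entry regardless of which characters it contains."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Run the hardened command and return its exit status (not used by tests)."""
    result = subprocess.run(safe_argv(host), shell=False,
                            capture_output=True, timeout=10)
    return result.returncode
```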
Known Vulnerabilities
Vulnerability explanation:
Some technologies used in sites have inherent weaknesses that a persistent hacker, or a hacker with automated scanning tools, can exploit easily. Users are dependent on patches from the developer. Once discovered in one site, they can be used in all the sites using the same component.
Why Known Vulnerabilities:
Third party vendors have bugs (Microsoft IIS etc.). Since their products appear in many sites, they are examined thoroughly by a large number of hackers.
As a result of this manipulation:
Once a bug is found, large parts of the internet are scanned and exploited. The actual result varies according to the vulnerability type, but the ability to gain the administrators’ passwords and take control of the site is not unusual!
Known Vulnerabilities - Example
/msadc/..à?¯..à?¯..à?¯..à..¯?/winnt/system32/cmd.exe?/c+dir+c:
3rd Party Misconfigurations
Vulnerability explanation:
A misconfiguration, or human error during install of 3rd party software, can leave default passwords or settings unchanged: an open invitation for attack.
Why 3rd party misconfigurations:
Occurs during the installation and maintenance of the 3rd party application.
As a result of this manipulation:
Through a configuration error a hacker could create a new database that renders the existing one unusable by the site.
3rd Party Misconfiguration - Example
/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../..
Cross Site Scripting
Vulnerability explanation:
A third party creates a link (or sends an email) whose URL contains a parameter with a script. Once the user connects, the site runs this script.
Why Cross Site Scripting:
Many parameters are embedded within the HTML of subsequent responses without their content being checked for scripts.
As a result of this manipulation:
“Virtual hijacking” of the session. Any information flowing between the legitimate user and the site can be manipulated or transmitted to the evil 3rd party.
Cross Site Scripting - Example
(Diagram of the attack sequence)
1. The user is shown a link: “Press this link to get to your bank”. Underlying link: http://www.mybank.com?a=<evil javascript>
2. The site echoes the parameter and the user is prompted: “Enter your login information” (Username, Password).
3. The JavaScript program collects and sends the user names and passwords.
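An added example, not from the deck: the reflection of parameter a that the diagram relies on, next to the same page with output encoding applied, which is the control that stops the script from being parsed as markup. The page template and function names are this example's own assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example of the slide's scenario: a page that echoes the URL
# parameter 'a' into its HTML. Function names are this example's own.


def reflect_unsafe(value: str) -> str:
    """Vulnerable: the parameter is pasted into the response as-is, so any
    script it carries runs in the user's browser within the site's session."""
    return f"<p>Welcome back, {value}</p>"


def reflect_safe(value: str) -> str:
    """Hardened: encode for an HTML text context. '<', '>', '&' and quotes become
    entities, so the browser shows them as text instead of parsing them."""
    return f"<p>Welcome back, {html.escape(value, quote=True)}</p>"


def render_from_url(url: str) -> str:
    """Take 'a' from the full request URL, like the deck's mybank.com link."""
    params = parse_qs(urlsplit(url).query)
    return reflect_safe(params.get("a", [""])[0])


def payload_survives(rendered: str, value: str) -> bool:
    """True if the raw parameter text is still present in the output markup."""
    return value in rendered
```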
Parameter Tampering
Vulnerability explanation:
Parameters are used to obtain information from the client. This information can be changed in a site’s URL parameter.
Why Parameter Tampering:
Developers focus on the legal values of parameters and how they should be utilized. Little if any attention is given to the incorrect values.
As a result of this manipulation:
The application can perform a function that was not intended by its developer, like giving access to customer information.
Parameter Tampering - Example (screenshot slides; images not preserved)
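An added example, not from the deck, serving both the Hidden Field Manipulation slides (eShoplifting via a hidden price field) and the Parameter Tampering slides (customer information via a changed URL parameter): in each case the client-supplied value is only a selector, and the server decides price and access from its own records. The catalog, accounts and function names are this example's own assumptions.

```python
# Constructed example: an order form carries a hidden 'price' field and a
# customer page takes an 'account' URL parameter. Catalog, accounts and
# function names are this example's own.

CATALOG = {"sku-100": 2500, "sku-200": 999}   # server-side prices, in cents
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 12000},
    "acct-2": {"owner": "bob", "balance": 300},
}


class Forbidden(Exception):
    """Raised when a client asks for an object it does not own."""


def checkout_unsafe(form: dict) -> int:
    """Vulnerable: total computed from the hidden 'price' the browser sent back.
    Editing that field in the page before submitting changes what is charged."""
    return int(form["price"]) * int(form["qty"])


def checkout_safe(form: dict) -> int:
    """Hardened: the form only names the item; price comes from the catalog and
    quantity is range-checked. A 'price' field, if present, is ignored."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def view_account_unsafe(session_user: str, params: dict) -> dict:
    """Vulnerable: whatever account ID is in the URL is served to whoever asks."""
    return ACCOUNTS[params["account"]]


def view_account_safe(session_user: str, params: dict) -> dict:
    """Hardened: the parameter is only a selector; authorization is decided by
    the server's record of who owns the account, never by the parameter."""
    account = ACCOUNTS.get(params.get("account", ""))
    if account is None or account["owner"] != session_user:
        raise Forbidden("account not visible to this user")
    return account
```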
Forceful Browsing
Vulnerability explanation:
By “guessing” the names of files and directories, the hacker can view them without going through the business logic leading to those objects.
Why forceful browsing:
1. Default files are left during the installation process
2. New files that should not be exposed and old files which should be removed are left (outside the normal flow) by mistake
As a result of this manipulation:
Content (log files, administration facilities, application source code) is revealed due to file and directory access.
Forceful Browsing - Example (screenshot slides; images not preserved)
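An added example, not from the deck: the defender's side of forceful browsing, a check over web server access logs for clients requesting the kinds of objects the slide lists (log files, administration facilities, source and backup copies), flagging the ones that were actually served. The log lines, the sensitive-path patterns and the function names are this example's own and should be tuned to the site.

```python
import re

# Constructed example: spot forceful-browsing attempts in combined-format access
# logs. Patterns and sample lines are this example's own, not the deck's.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Objects a normal user flow never reaches directly.
SENSITIVE_PATH_RE = re.compile(
    r"(\.(bak|old|orig|log|sql|inc|cfg)$|/admin/|/\.git/|/backup/|/\.env$)",
    re.IGNORECASE,
)

SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 403 199
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /config.php.bak HTTP/1.1" 404 153
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /backup/site.sql HTTP/1.1" 200 8192
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /products?id=7 HTTP/1.1" 200 4012
"""


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_forceful_browsing(log_text: str, threshold: int = 3) -> dict:
    """Map each client IP to its (path, status) hits on sensitive paths, keeping
    only clients with at least 'threshold' such hits (guessing shows as a burst)."""
    probes = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SENSITIVE_PATH_RE.search(rec["path"]):
            probes.setdefault(rec["ip"], []).append((rec["path"], int(rec["status"])))
    return {ip: hits for ip, hits in probes.items() if len(hits) >= threshold}


def exposed_objects(log_text: str) -> list:
    """Sensitive paths that were actually served (status 200): confirmed exposure
    to act on first, independent of how many requests the client made."""
    return sorted({path for hits in find_forceful_browsing(log_text, 1).values()
                   for path, status in hits if status == 200})
```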
Thank You
Feedback?
Recommendations?