Web Application Security Introduction V1.0.3 (12.06.2022) Björn Kimminich https://twitter.com/bkimminich https://linkedin.com/in/bkimminich https://google.com/+BjörnKimminich http://slideshare.net/BjrnKimminich

Web Application Security Introduction


DESCRIPTION

This is the minified introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264). It gives a short motivation why Web Application Security is a high priority today and then goes through three of the most prominent vulnerabilities of web apps:

- SQL Injection
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)

It will be explained how each of these technically works, what damage they can cause and how to avoid them in your own applications. The talk concludes with a summary of existing measures to increase application security and explains why none of these is a 100% solution. To keep you on the topic for a while after the talk, a "hacking homework" is presented where a vulnerable local web shop is supposed to be hacked in various ways.

For a full-grown coverage of the topic feel free to check out my Web Application Security Training Workshop slide deck: https://de.slideshare.net/BjrnKimminich/web-application-security-21684264.

/!\ Performing attacks on any website or server you do not own yourself is a crime in most countries!


Page 1: Web Application Security Introduction

Web Application Security Introduction

V1.0.3 (11.04.2023)

Björn Kimminich

https://twitter.com/bkimminich
https://linkedin.com/in/bkimminich
https://google.com/+BjörnKimminich
http://slideshare.net/BjrnKimminich

Page 2: Web Application Security Introduction

Björn Kimminich

2007+ Software Architect & Security Officer at Kuehne+Nagel Corporate Web Development

2011+ Part-time lector for Java & Agile Software Development at private UAS Nordakademie

2012+ OWASP Member & QA Developer, OWASP Zed Attack Proxy (ZAP)

Page 3: Web Application Security Introduction

Motivation

Page 4: Web Application Security Introduction

Phishing

Page 5: Web Application Security Introduction

Site Defacement

Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/

Page 6: Web Application Security Introduction

Site Defacement II

Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/

Page 7: Web Application Security Introduction

Site Defacement III

Source: http://news.cnet.com/Hackers-deface-SCO-site/2100-7344_3-5469486.html

Page 8: Web Application Security Introduction

Worst Case Security Breach

Source: http://www.informationweek.com/security/attacks/sony-hacked-again-1-million-passwords-ex/229900111

Page 9: Web Application Security Introduction

Why Web Application Security is a High Priority

Web Applications have become the #1 target

75% of Attacks target the Application Layer (Gartner)

Most Web Applications are vulnerable
95% of Web Applications have some sort of vulnerability (Imperva)
78% of easily exploitable weaknesses occur in Web Applications (Symantec)

Web Applications are valuable targets
Customer data, Credit Cards, ID Theft, Fraud, …

Source: https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment

Page 10: Web Application Security Introduction

Top 10 Malware Distribution Sites (Symantec, 2013)

Source: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf

„61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.“

Page 11: Web Application Security Introduction

OWASP Top 10

Page 12: Web Application Security Introduction

OWASP

Open Web Application Security Project
Open community
Non-profit organization

Core purpose
Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software

https://www.owasp.org

Source: https://www.owasp.org

Page 13: Web Application Security Introduction

OWASP Top Ten 2013

A1: Injection

A2: Broken Authentication and Session Management

A3: Cross-Site Scripting (XSS)

A4: Insecure Direct Object References

A5: Security Misconfiguration

A6: Sensitive Data Exposure

A7: Missing Function Level Action Control

A8: Cross Site Request Forgery (CSRF)

A9: Using Known Vulnerable Components

A10: Unvalidated Redirects and Forwards


Page 14: Web Application Security Introduction

Injection

Page 15: Web Application Security Introduction

Some simple authentication query

SELECT user_id
FROM user_data
WHERE user_name = 'bkimminich'
AND user_password = '680e89[…]75ab';

// …
String query = "SELECT user_id FROM user_data WHERE "
    + "user_name = '" + req.getParameter("user")
    + "' AND user_password = '" + req.getParameter("password") + "'";
// …

Page 16: Web Application Security Introduction

SQL Injection Example

SELECT user_id
FROM user_data
WHERE user_name = '' or 1=1--' AND user_password = '1234';

// …
String query = "SELECT user_id FROM user_data WHERE "
    + "user_name = '" + req.getParameter("user")
    + "' AND user_password = '" + req.getParameter("password") + "'";
// …

Page 17: Web Application Security Introduction

Typical SQL Injection Attack Patterns I

Bypass Authentication
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1
') or ('1'='1

Source: http://ha.ckers.org/sqlinjection

Page 18: Web Application Security Introduction

Typical SQL Injection Attack Patterns II

Spy out Data
' UNION SELECT login, password, 'x' FROM user--
1 UNION SELECT 1,1,1 FROM user--

Manipulate Data
'; UPDATE user SET type = 'admin' WHERE id = 23;--

Manipulate the DB Server
' ;GO EXEC cmdshell('format C') --

Cheat Sheet: http://ha.ckers.org/sqlinjection
Source: http://ha.ckers.org/sqlinjection

Page 19: Web Application Security Introduction

Vulnerable Java Examples

Plain SQL via JDBC

String query = "SELECT account_balance FROM user_data WHERE user_name = "
    + request.getParameter("customerName");
try {
    Statement statement = connection.createStatement(…);
    ResultSet results = statement.executeQuery(query);
}

HQL via Hibernate

Query unsafeHQLQuery = session.createQuery(
    "from Inventory where productID='" + userSuppliedParameter + "'");

Page 20: Web Application Security Introduction

Protection

Avoid Interpreters at all if possible
Use an interface that supports bind variables
For SQL: Prepared Statements
Enforce Least Privileges for the application‘s DB user
Perform White List Input Validation on all user supplied input

Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

Page 21: Web Application Security Introduction

White List vs. Black List Validation

White List = Positive Security Rule
„Block what is not explicitly allowed!“

Example: Allow only [a-z], [A-Z] and [0-9]

Define once, (almost) never worry again
Can take quite some effort to define for a whole application

Black List = Negative Security Rule
„Allow what is not explicitly blocked!“

Example vs. SQL Injection: Block [-#';]
Example vs. HTML Injection: Block [<>";'script]

Can be bypassed by masking attack patterns
Must be updated for new attack patterns
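To make the difference concrete, here is an added Python example that is not part of the slides: a whitelist validator for the slide's [a-z], [A-Z], [0-9] rule next to a blacklist validator for the slide's [-#';] rule, run over constructed sample inputs. The third input shows the masking problem the slide warns about: when the value lands in a numeric column (WHERE user_id = <input>), none of the blacklisted characters is needed, so the blacklist passes it while the whitelist still rejects it.

```python
import re

# Positive security rule from the slide: allow only [a-z], [A-Z] and [0-9].
WHITELIST = re.compile(r"[A-Za-z0-9]+")

# Negative security rule from the slide: block the SQL metacharacters - # ' ;
SQL_BLACKLIST = frozenset("-#';")


def whitelist_ok(value: str) -> bool:
    """Accept only strings consisting entirely of allowed characters."""
    return WHITELIST.fullmatch(value) is not None


def blacklist_ok(value: str) -> bool:
    """Accept anything that contains none of the blocked characters."""
    return not any(ch in SQL_BLACKLIST for ch in value)


def compare_rules(values):
    """Return {value: (whitelist verdict, blacklist verdict)} for each input."""
    return {v: (whitelist_ok(v), blacklist_ok(v)) for v in values}


# Constructed sample inputs: a normal user name, the quoted bypass from the
# SQL Injection Example slide, and a variant for a numeric column that needs
# neither a quote nor a comment marker and therefore slips past the blacklist.
SAMPLES = ["bkimminich", "' or 1=1--", "1 or 1=1"]


def blacklist_gaps(values=SAMPLES):
    """Inputs the blacklist accepts although the whitelist rejects them."""
    return [v for v, (wl, bl) in compare_rules(values).items() if bl and not wl]


if __name__ == "__main__":
    for value, (wl, bl) in compare_rules(SAMPLES).items():
        print(f"{value!r:16} whitelist={wl!s:5} blacklist={bl}")
    print("blacklist gaps:", blacklist_gaps())
```

The whitelist is the only rule of the two that does not need to know what an attack looks like; it only has to know what a user name looks like, which is why it survives new attack patterns unchanged.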

Page 22: Web Application Security Introduction

Fixed Java Examples

Plain SQL via JDBC

String customerName = request.getParameter("customerName");
assert(CustomerValidator.doesExist(customerName));
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, customerName);
ResultSet results = pstmt.executeQuery();

HQL via Hibernate

Query safeHQLQuery = session.createQuery("from Inventory where productID=:productId");
safeHQLQuery.setParameter("productId", userSuppliedParameter);
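The same fix carried out end to end in Python with the standard sqlite3 module, as an added example that is not part of the slides (sqlite3 stands in for JDBC and Hibernate; the tables, the user and the password are constructed). login_concat rebuilds the string-concatenated query from the Injection slides, login_bound uses positional bind variables like the PreparedStatement, and inventory_bound uses a named parameter like the :productId HQL query.

```python
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    """The application stores and compares a hash, as the slide's query shows."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the deck's user_data and Inventory tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_id INTEGER, user_name TEXT, user_password TEXT)")
    conn.execute("CREATE TABLE Inventory (productID TEXT, stock INTEGER)")
    # Constructed sample credential for the single test user.
    conn.execute("INSERT INTO user_data VALUES (1, 'bkimminich', ?)", (pw_hash("correct horse"),))
    conn.execute("INSERT INTO Inventory VALUES ('P-100', 7)")
    conn.commit()
    return conn


def login_concat(conn, user: str, password: str):
    """Vulnerable: the string-built query from the deck. The user name is pasted
    straight into the SQL text, so quotes and comment markers are interpreted."""
    query = ("SELECT user_id FROM user_data WHERE user_name = '" + user
             + "' AND user_password = '" + pw_hash(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_bound(conn, user: str, password: str):
    """Fixed: positional bind variables, the sqlite3 analogue of PreparedStatement.
    The values travel separately from the SQL text, so they can only ever be
    compared with the column, never parsed as SQL."""
    query = "SELECT user_id FROM user_data WHERE user_name = ? AND user_password = ?"
    row = conn.execute(query, (user, pw_hash(password))).fetchone()
    return row[0] if row else None


def inventory_bound(conn, product_id: str):
    """Fixed: named parameter, the analogue of the :productId HQL query."""
    query = "SELECT stock FROM Inventory WHERE productID = :productId"
    row = conn.execute(query, {"productId": product_id}).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    bypass = "' or 1=1--"   # the pattern from the SQL Injection Example slide
    print("concat:", login_concat(db, bypass, "1234"))          # user_id 1, no valid password
    print("bound :", login_bound(db, bypass, "1234"))           # None: treated as a literal name
    print("bound :", login_bound(db, "bkimminich", "correct horse"))
    print("stock :", inventory_bound(db, "P-100"))
```

The bound versions still perform the whitelist validation step from the slide in a real application; binding removes the injection, validation keeps garbage out of the database and the logs.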

Page 23: Web Application Security Introduction

Cross-Site Scripting (XSS)

Page 24: Web Application Security Introduction

Reflected XSS

Source: http://www.h-online.com/security/features/Web-application-security-747201.html

[Diagram: Browser → Victim Request (URL) → Web Application on the Server (Bug!, Database behind it) → Website Server Response (HTML) → Browser]

Page 25: Web Application Security Introduction

Persistent XSS

Source: http://www.h-online.com/security/features/Web-application-security-747201.html

[Diagram: Browser → Initial Request (URL) → Web Application on the Server (Bug!) → Database; later: Browser → Subsequent Victim Request (URL) → Web Application → Website Server Response (HTML) → Browser]

Page 26: Web Application Security Introduction

XSS Attack Patterns I

Simple Patterns
<SCRIPT>javascript:alert('XSS');</SCRIPT>
<IMG SRC=javascript:alert('XSS')>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

Masked / Evasive Patterns
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
'';!--"<XSS>=&{()}
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">

Source: http://ha.ckers.org/xss.html

Page 27: Web Application Security Introduction

XSS Attack Patterns II

Masked / Evasive Patterns (continued)

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"><b onmouseover=alert('Wufff!')>click me!</b> <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> …

Cheat Sheet: http://ha.ckers.org/xss.html

Source: http://ha.ckers.org/xss.html

Page 28: Web Application Security Introduction

XSS Vulnerable Java Example

Scriptlet in Java Server Page (JSP)

<% String searchCriteria = request.getParameter("searchValue"); %>

<%-- Later on the same or a subsequent JSP... --%>

Search results for <b><%=searchCriteria%></b>: ...

Page 29: Web Application Security Introduction

Protection

Eliminate XSS
Don‘t include user supplied input in your output!

Defend against XSS
Output Encode all user supplied input
Perform White List Input Validation on user input
Use an HTML Sanitizer for larger user supplied HTML chunks

Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

Page 30: Web Application Security Introduction

Fixed Java Example w/ Encoding

Encoding with Struts Bean Taglib

...Search results for <b><bean:write name='searchCriteria'/></b>:...

Encoding with OWASP Enterprise Security API

...<esapi:encodeForHtml><%=searchCriteria%></esapi:encodeForHtml>...

Page 31: Web Application Security Introduction

OWASP Java HTML Sanitizer

Using a simple prepackaged policy

private String sanitizeHtml(String html) {
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)
            .and(Sanitizers.LINKS);
    return policy.sanitize(html);
}

Defining a customized policy

private static final PolicyFactory BASIC_FORMATTING_WITH_LINKS_POLICY =
    new HtmlPolicyBuilder()
        .allowCommonInlineFormattingElements().allowCommonBlockElements()
        .allowAttributes("face", "color", "size", "style", "align").onElements("font")
        .allowAttributes("style").onElements("div", "span").allowElements("a")
        .allowAttributes("href").onElements("a").allowStandardUrlProtocols()
        .requireRelNofollowOnLinks().toFactory();
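Both XSS defences from the last two slides, output encoding and allow-list sanitizing, in one added Python example that is not part of the slides and not the OWASP Java HTML Sanitizer itself. render_search is the fixed JSP output with entity encoding applied; AllowListSanitizer is a small, hypothetical policy modelled on BASIC_FORMATTING_WITH_LINKS_POLICY (formatting and block elements, links restricted to standard URL protocols, rel="nofollow" forced on links), built on the standard html.parser module. The parser re-emits only what the policy allows, so event-handler attributes, javascript: URLs and whole script blocks never reach the output.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


def render_search(search_criteria: str) -> str:
    """The JSP scriptlet's output with the fix applied: the value is entity-encoded
    (quote=True also covers the attribute context), so markup in it stays text."""
    return "Search results for <b>" + escape(search_criteria, quote=True) + "</b>:"


# Hypothetical policy modelled on the slide's BASIC_FORMATTING_WITH_LINKS_POLICY:
# element -> attributes that may stay. Everything else is dropped.
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
           "br": set(), "a": {"href"}}
VOID = {"br"}
URL_PROTOCOLS = {"http", "https", "mailto"}   # allowStandardUrlProtocols() analogue


def safe_url(url) -> bool:
    """Relative URLs and the standard protocols only. Control characters and
    whitespace are removed first so a masked scheme cannot hide from the check."""
    if url is None:
        return False
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in URL_PROTOCOLS


class AllowListSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only policy elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.drop_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):          # drop these including their content
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED:
            return                              # unknown tag removed, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or (name == "href" and not safe_url(value)):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow"')      # requireRelNofollowOnLinks() analogue
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        while self.open_tags:                   # close up to the match; keeps output balanced
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # text is re-encoded, never trusted


def sanitize_html(html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    while parser.open_tags:                     # close anything the input left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    print(render_search("<b onmouseover=alert('Wufff!')>click me!</b>"))
    print(sanitize_html('<p>Hi <b>there</b> <a href="https://owasp.org">OWASP</a></p>'))
```

Encoding is the right tool when the input is supposed to be text; sanitizing is for the case the slide calls "larger user supplied HTML chunks", where some markup has to survive. Use a maintained library such as the OWASP Java HTML Sanitizer in production; this parser-based policy only illustrates the allow-list idea behind it.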

Page 32: Web Application Security Introduction

Cross-Site Request Forgery (CSRF)

Page 33: Web Application Security Introduction

CSRF Attack Explained

[Diagram: Browser logged in to the bank.com WebApp (Bug!), balance 1000$ → 0$; evil.org WebApp serves the page that triggers the request]

Request
GET / HTTP/1.1
Host: www.evil.org

Response
HTTP/1.1 200 OK
...
<html>...<img src="http://bank.com/transfer?to=hacker&amount=1000$"/>...</html>

CSRF-Attack
GET /transfer?to=hacker&amount=1000$ HTTP/1.1
Host: bank.com

Page 34: Web Application Security Introduction

CSRF Attack into Intranet

[Diagram: Browser inside the Intranet, behind the Firewall, logged in to the 192.168.0.1 WebApp (Bug!, Remote Access setting); evil.org WebApp outside the Firewall serves the page that triggers the request]

Request
GET / HTTP/1.1
Host: www.evil.org

Response
HTTP/1.1 200 OK
...
<html>...<img src="http://192.168.0.1/admin?setAccessMode=remote&resetPassword"/>...</html>

CSRF-Attack
GET /admin?setAccessMode=remote&resetPassword HTTP/1.1
Host: 192.168.0.1

Page 35: Web Application Security Introduction

Protection

Add a secret, not automatically submitted, token to all sensitive requests
This makes it impossible for the attacker to spoof the request (unless there is an XSS hole in your application)
Tokens should be cryptographically strong or random

Make sure your application has no XSS holes which could be exploited to attack other applications (or itself)
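The token defence from this slide as an added Python example (not part of the slides; bank.com, the session store, the balances and the /transfer handler are all hypothetical and constructed). The token is derived from the session id with an HMAC over a server-side secret, so it is cryptographically strong, bound to one session, and never travels in a cookie; the browser therefore cannot be tricked into attaching it. simulate replays the deck's scenario: the forged <img> request arrives with the victim's cookie but no token and is rejected, while the genuine form post carries the token and succeeds.

```python
import hashlib
import hmac
import secrets

# Constructed: one server-side secret per deployment, never sent to the browser.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store and account balances of the hypothetical bank.com.
SESSIONS = {"sid-victim": "alice"}
BALANCES = {"alice": 1000}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session via HMAC: unguessable and useless in any other
    session. It goes into a hidden form field, never into a cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, token) -> bool:
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)   # constant-time


def handle_transfer(cookies: dict, form: dict, balances=None):
    """Hypothetical /transfer handler. The session cookie arrives automatically with
    any request the browser makes (the ambient authority CSRF abuses); only the
    token proves the request originated from a page bank.com itself rendered."""
    balances = BALANCES if balances is None else balances
    session_id = cookies.get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"
    if not token_is_valid(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    amount = int(form["amount"])
    if amount <= 0 or amount > balances[user]:
        return 400, "invalid amount"
    balances[user] -= amount
    return 200, f"transferred {amount}$ to {form['to']}"


def simulate():
    """Replay the deck's scenario: a forged <img> request and a genuine form post."""
    balances = {"alice": 1000}
    victim_cookies = {"session": "sid-victim"}
    # The <img src="http://bank.com/transfer?to=hacker&amount=1000$"> from evil.org:
    # the browser attaches alice's cookie, but evil.org cannot read or guess her token.
    forged = handle_transfer(victim_cookies, {"to": "hacker", "amount": "1000"}, balances)
    # Alice's own transfer form, rendered by bank.com with the hidden token field.
    genuine_form = {"to": "bob", "amount": "250", "csrf_token": issue_csrf_token("sid-victim")}
    genuine = handle_transfer(victim_cookies, genuine_form, balances)
    return forged[0], genuine[0], balances["alice"]


if __name__ == "__main__":
    print(simulate())
```

A per-request random token stored server-side is the other common variant; the per-session HMAC shown here needs no server-side state per form. Either way the token only holds as long as the slide's second point holds: an XSS hole on bank.com lets script read the token out of the page and submit it, which is why the two defences belong together.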

Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

Page 36: Web Application Security Introduction

CSRF + XSS =

What shenanigans might our troll friend have in mind with any unwelcome forum posts he encounters?

[img]http://forum.com/logout.do[/img]

Page 37: Web Application Security Introduction

Securing Web Applications

Page 38: Web Application Security Introduction

Network Security = Useless?!

[Diagram: Network Security (Firewall, IDS, IPS) in front of the Server's WebApp]

Malicious Requests pass through, exploit vulnerabilities and compromise the application

Page 39: Web Application Security Introduction

Security Scanners

[Diagram: Network Security (Firewall, IDS, IPS) in front of the Server's WebApp]

Blackbox Scanner / Penetration Test → against the running WebApp
Whitebox Scanner / Code Analysis → against the Web App Sourcecode
Fix + Patch Application

New security holes might be introduced during ongoing development and bugfixing!

Page 40: Web Application Security Introduction

Web Application Firewall (WAF)

[Diagram: Network Security (Firewall, IDS, IPS), then the WAF, in front of the Server's WebApp]

Guidelines / Ruleset: Whitelist, Blacklist, Heuristics
Defines legal/illegal Requests
Rejects illegal requests
Sometimes rejects legitimate requests („False Positives“) or fails to recognize illegal requests („False Negatives“)

Page 41: Web Application Security Introduction

Hacking Homework

Page 42: Web Application Security Introduction

The Voice of Rea§on™

Do not perform any attacks on servers, networks and applications…

…you do not own and operate yourself… or have the owner's permission to pentest

Page 43: Web Application Security Introduction

The Target: BodgeIT Store

Source: http://code.google.com/p/bodgeit/

Page 44: Web Application Security Introduction

Installing BodgeIt

Download latest version
http://code.google.com/p/bodgeit/downloads/list

Unzip bodgeit.war into /webapps of an existing Servlet Engine
e.g. Tomcat, Jetty, …

Launch your Server

Browse to the BodgeIt Store
e.g. http://localhost:8080/bodgeit

Source: http://code.google.com/p/bodgeit/

Page 45: Web Application Security Introduction

Let the Hacking begin!

Try to pass as many challenges as possible!
No Scanners! No Cheating! No Decompilers!

Source: http://code.google.com/p/bodgeit/

Page 46: Web Application Security Introduction

Thank You…

…for your attention!

For more details, exercises and the seven remaining OWASP Top 10

check out my Web Application Security Training Workshop slides:

http://slideshare.net/BjrnKimminich/web-application-security-21684264