Description: This is the minified introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264). It gives a short motivation why Web Application Security is a high priority today and then goes through three of the most prominent vulnerabilities of web apps:
- SQL Injection
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
It will be explained how each of these technically works, what damage they can cause and how to avoid them in your own applications. The talk concludes with a summary of existing measures to increase application security and explains why none of these is a 100% solution. To keep you on the topic for a while after the talk, a "hacking homework" is presented where a vulnerable local web shop is supposed to be hacked in various ways. For a full-grown coverage of the topic feel free to check out my Web Application Security Training Workshop slide deck: https://de.slideshare.net/BjrnKimminich/web-application-security-21684264.
/!\ Performing attacks on any website or server you do not own yourself is a crime in most countries!
Web Application Security Introduction
V1.0.3 (11.04.2023)
Björn Kimminich
https://twitter.com/bkimminich
https://linkedin.com/in/bkimminich
https://google.com/+BjörnKimminich
http://slideshare.net/BjrnKimminich
Björn Kimminich
2007+ Software Architect & Security Officer at Kuehne+Nagel Corporate Web Development
2011+ Part-time lecturer for Java & Agile Software Development at private UAS Nordakademie
2012+ OWASP Member & QA Developer for OWASP Zed Attack Proxy (ZAP)
Motivation
Phishing
Site Defacement
Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
Site Defacement II
Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
Site Defacement III
Source: http://news.cnet.com/Hackers-deface-SCO-site/2100-7344_3-5469486.html
Worst Case Security Breach
Source: http://www.informationweek.com/security/attacks/sony-hacked-again-1-million-passwords-ex/229900111
Why Web Application Security is a High Priority
Web Applications have become the #1 target
- 75% of Attacks target the Application Layer (Gartner)
Most Web Applications are vulnerable
- 95% of Web Applications have some sort of vulnerability (Imperva)
- 78% of easily exploitable weaknesses occur in Web Applications (Symantec)
Web Applications are valuable targets
- Customer data, Credit Cards, ID Theft, Fraud, …
Source: https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment
Top 10 Malware Distribution Sites (Symantec, 2013)
Source: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
„61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.“
OWASP Top 10
OWASP
Open Web Application Security Project
- Open community
- Non-profit organization
Core purpose: Be the thriving global community that drives visibility and evolution in the safety and security of the world's software
https://www.owasp.org
Source: https://www.owasp.org
OWASP Top Ten 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards
Injection
Some simple authentication query
  SELECT user_id
  FROM user_data
  WHERE user_name = 'bkimminich'
  AND user_password = '680e89[…]75ab';
Built by concatenating the request parameters straight into the SQL string:
  // …
  String query = "SELECT user_id FROM user_data WHERE user_name = '"
      + req.getParameter("user") + "' AND user_password = '"
      + req.getParameter("password") + "'";
  // …
SQL Injection Example
With user = ' or 1=1-- and password = 1234, the same concatenation yields:
  SELECT user_id
  FROM user_data
  WHERE user_name = '' or 1=1--' AND user_password = '1234';
The -- starts an SQL comment, so the password check is never evaluated and the query returns every user_id.
Typical SQL Injection Attack Patterns I
Bypass Authentication
  admin' --
  admin' #
  admin'/*
  ' or 1=1--
  ' or 1=1#
  ' or 1=1/*
  ') or '1'='1
  ') or ('1'='1
Source: http://ha.ckers.org/sqlinjection
Typical SQL Injection Attack Patterns II
Spy out Data
  ' UNION SELECT login, password, 'x' FROM user--
  1 UNION SELECT 1,1,1 FROM user--
Manipulate Data
  '; UPDATE user SET type = 'admin' WHERE id = 23;--
Manipulate the DB Server
  ' ;GO EXEC cmdshell('format C') --
Cheat Sheet: http://ha.ckers.org/sqlinjection
Source: http://ha.ckers.org/sqlinjection
Vulnerable Java Examples
Plain SQL via JDBC
  String query = "SELECT account_balance FROM user_data WHERE user_name = "
      + request.getParameter("customerName");
  try {
      Statement statement = connection.createStatement(…);
      ResultSet results = statement.executeQuery(query);
  } catch (SQLException e) {
      // error handling omitted on the slide
  }
HQL via Hibernate
  Query unsafeHQLQuery = session.createQuery(
      "from Inventory where productID='" + userSuppliedParameter + "'");
Protection
Avoid Interpreters at all if possible
Use an interface that supports bind variables
- For SQL: Prepared Statements
Enforce Least Privileges for the application's DB user
Perform White List Input Validation on all user supplied input
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
White List vs. Black List Validation
White List = Positive Security Rule: „Block what is not explicitly allowed!“
- Example: Allow only [a-z], [A-Z] and [0-9]
- Define once, (almost) never worry again
- Can be quite laborious to define for a whole application
Black List = Negative Security Rule: „Allow what is not explicitly blocked!“
- Example vs. SQL Injection: Block [-#';]
- Example vs. HTML Injection: Block [<>";'script]
- Can be bypassed by masking attack patterns
- Must be updated for new attack patterns
Fixed Java Examples
Plain SQL via JDBC
  String customerName = request.getParameter("customerName");
  // Validate the input before it is used. Note that Java assertions are disabled
  // unless the JVM runs with -ea, so production code should reject bad input
  // explicitly rather than rely on assert.
  assert CustomerValidator.doesExist(customerName);
  String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
  PreparedStatement pstmt = connection.prepareStatement(query);
  pstmt.setString(1, customerName);
  ResultSet results = pstmt.executeQuery();
HQL via Hibernate
  Query safeHQLQuery = session.createQuery("from Inventory where productID=:productId");
  safeHQLQuery.setParameter("productId", userSuppliedParameter);
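As an added example (not from the slides; the Java above is the original), the same vulnerable and fixed queries in Python against an in-memory SQLite database with a constructed user_data table, so the authentication bypass and the bind-variable fix can be run offline. It also carries the white list and black list rules from the earlier slide over to a UNION payload that contains no quote or comment character at all: the black list passes it, the white list rejects it, and the prepared statement treats it as a literal user name.

```python
# Added example, not from the slides: SQL injection against a constructed
# in-memory SQLite table, next to the bind-variable fix and both validation styles.
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the slides' user_data table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_data (user_id INTEGER, user_name TEXT, "
                "user_password TEXT, account_balance INTEGER)")
    con.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)",
                    [(1, "admin", "s3cret", 100000), (2, "bkimminich", "1234", 1000)])
    return con


def login_vulnerable(con, user, password):
    """Concatenation like the JDBC example: the input becomes part of the SQL."""
    query = ("SELECT user_id FROM user_data WHERE user_name = '" + user
             + "' AND user_password = '" + password + "'")
    return [row[0] for row in con.execute(query)]


def login_safe(con, user, password):
    """Prepared statement: ? placeholders are bound, never parsed as SQL."""
    query = "SELECT user_id FROM user_data WHERE user_name = ? AND user_password = ?"
    return [row[0] for row in con.execute(query, (user, password))]


def balance_vulnerable(con, customer_name):
    """The unquoted concatenation from the JDBC balance example."""
    query = "SELECT account_balance FROM user_data WHERE user_name = " + customer_name
    return [row[0] for row in con.execute(query)]


def balance_safe(con, customer_name):
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in con.execute(query, (customer_name,))]


# Black list from the slides: block [-#';]
BLACK_LIST = re.compile(r"[-#';]")
# White list from the slides: allow only [a-z], [A-Z] and [0-9]
WHITE_LIST = re.compile(r"[A-Za-z0-9]+")


def passes_black_list(value):
    return BLACK_LIST.search(value) is None


def passes_white_list(value):
    return WHITE_LIST.fullmatch(value) is not None


if __name__ == "__main__":
    con = make_db()
    bypass = "' or 1=1--"
    print(login_vulnerable(con, bypass, "1234"))   # every user_id: [1, 2]
    print(login_safe(con, bypass, "1234"))         # no such user: []
    # UNION payload without any black-listed character: the unquoted context needs none
    spy = "NULL UNION SELECT user_password FROM user_data"
    print(passes_black_list(spy), passes_white_list(spy))   # True False
    print(sorted(balance_vulnerable(con, spy)))    # all passwords: ['1234', 's3cret']
    print(balance_safe(con, spy))                  # []
```

The UNION payload is the point of the black list rows: the blocked characters only matter when the injection point is inside a quoted string, and the unquoted balance query from the JDBC example gives the attacker a numeric context where a bare keyword is enough.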
Cross-Site Scripting (XSS)
Reflected XSS
Source: http://www.h-online.com/security/features/Web-application-security-747201.html
[Diagram: the Browser sends the Victim Request (a URL carrying the payload) to the Web Application on the Server (backed by a Database); the Bug! in the Web Application echoes the payload back in the HTML of the Website Server Response]
Persistent XSS
Source: http://www.h-online.com/security/features/Web-application-security-747201.html
[Diagram: an Initial Request (URL) stores the payload through the Bug! in the Web Application into the Database; every Subsequent Victim Request (URL) is answered with a Website Server Response whose HTML contains the stored payload]
XSS Attack Patterns I
Simple Patterns
  <SCRIPT>javascript:alert('XSS');</SCRIPT>
  <IMG SRC=javascript:alert('XSS')>
  <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Masked / Evasive Patterns
  <IMG SRC=javascript:alert("XSS")>
  '';!--"<XSS>=&{()}
  <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  <IMG SRC="jav ascript:alert('XSS');">
  <IMG SRC="jav	ascript:alert('XSS');">   (embedded tab character)
Source: http://ha.ckers.org/xss.html
XSS Attack Patterns II
Masked / Evasive Patterns (continued)
  <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  <b onmouseover=alert('Wufff!')>click me!</b>
  <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
  …
Cheat Sheet: http://ha.ckers.org/xss.html
Source: http://ha.ckers.org/xss.html
XSS Vulnerable Java Example
Scriptlet in Java Server Page (JSP)
  <% String searchCriteria = request.getParameter("searchValue"); %>
  <%-- Later on the same or subsequent JSP... --%>
  Search results for <b><%= searchCriteria %></b>:
  ...
Protection
Eliminate XSS
- Don't include user supplied input in your output!
Defend against XSS
- Output Encode all user supplied input
- Perform White List Input Validation on user input
- Use an HTML Sanitizer for larger user supplied HTML chunks
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Fixed Java Example w/ Encoding
Encoding with Struts Bean Taglib (bean:write HTML-encodes its output by default, filter="true")
  ...
  Search results for <b><bean:write name='searchCriteria'/></b>:
  ...
Encoding with OWASP Enterprise Security API
  ...
  <esapi:encodeForHtml><%= searchCriteria %></esapi:encodeForHtml>
  ...
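As an added example (not from the slides, which use JSP), the search page above in Python: the vulnerable rendering, the encoded rendering (what bean:write and esapi:encodeForHtml do, here via html.escape), the same value echoed into an attribute, and a black list that the case-variant and nested cheat-sheet patterns slip past. A small html.parser subclass plays the browser and reports which rendered pages would actually run script, so the difference between a filter and output encoding is measured rather than asserted. The page fragments and the input field are constructed for the illustration.

```python
# Added example, not from the slides: reflected XSS in the search page, a
# black list that evasive patterns bypass, and output encoding per context.
import html
import re
from html.parser import HTMLParser


def render_vulnerable(search):
    """The JSP scriptlet: the parameter lands unencoded in the element body."""
    return "Search results for <b>" + search + "</b>:"


def render_encoded(search):
    """bean:write / esapi:encodeForHtml equivalent: entity-encode for the body."""
    return "Search results for <b>" + html.escape(search, quote=True) + "</b>:"


def refill_vulnerable(search):
    """Same value echoed into a quoted attribute, e.g. to refill the search box."""
    return '<input type="text" name="searchValue" value="' + search + '">'


def refill_encoded(search):
    return ('<input type="text" name="searchValue" value="'
            + html.escape(search, quote=True) + '">')


# Black list in the spirit of the slides: one case-sensitive removal pass.
SCRIPT_TAG = re.compile(r"<script>")


def black_list_filter(value):
    return SCRIPT_TAG.sub("", value)


class ScriptDetector(HTMLParser):
    """Parses the rendered page the way a browser would and records anything
    that executes script: script elements, on* handlers, javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("src", "href") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def executes_script(page):
    """Return the list of script-executing constructs found in the page."""
    detector = ScriptDetector()
    detector.feed(page)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    upper = "<SCRIPT>alert('XSS')</SCRIPT>"           # case variant from the cheat sheet
    nested = "<scr<script>ipt>alert(1)</script>"     # survives one removal pass
    img = "<IMG SRC=javascript:alert('XSS')>"
    attr = "\" onmouseover=alert('Wufff!') x=\""     # breaks out of the attribute
    for payload in (upper, nested, img):
        print(executes_script(render_vulnerable(black_list_filter(payload))),
              executes_script(render_encoded(payload)))
    print(executes_script(refill_vulnerable(attr)), executes_script(refill_encoded(attr)))
```

Two things worth noticing: the nested payload comes out of the black list as a clean <script> tag, which is why removal-based filters need to be iterated or, better, replaced by encoding; and the attribute case shows that the encoding has to match the context, which is what html.escape(quote=True) provides for double-quoted attributes and what a body-only encoder would miss.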
OWASP Java HTML Sanitizer
Using a simple prepackaged policy
  import org.owasp.html.PolicyFactory;
  import org.owasp.html.Sanitizers;

  private String sanitizeHtml(String html) {
      PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)
                                                  .and(Sanitizers.LINKS);
      return policy.sanitize(html);
  }
Defining a customized policy
  import org.owasp.html.HtmlPolicyBuilder;
  import org.owasp.html.PolicyFactory;

  private static final PolicyFactory BASIC_FORMATTING_WITH_LINKS_POLICY =
      new HtmlPolicyBuilder()
          .allowCommonInlineFormattingElements()
          .allowCommonBlockElements()
          .allowAttributes("face", "color", "size", "style", "align").onElements("font")
          .allowAttributes("style").onElements("div", "span")
          .allowElements("a")
          .allowAttributes("href").onElements("a")
          .allowStandardUrlProtocols()
          .requireRelNofollowOnLinks()
          .toFactory();
Cross-Site Request Forgery (CSRF)
CSRF Attack Explained
[Diagram: the Browser is logged in (Login) to the bank.com WebApp with a balance of 1000$; the Bug! is in bank.com; the evil.org WebApp serves the attack page]
Request
  GET / HTTP/1.1
  Host: www.evil.org
Response
  HTTP/1.1 200 OK
  ...
  <html>...<img src="http://bank.com/transfer?to=hacker&amount=1000$"/>...</html>
CSRF-Attack (issued by the Browser while rendering the image, with the bank.com session cookie attached automatically)
  GET /transfer?to=hacker&amount=1000$ HTTP/1.1
  Host: bank.com
CSRF Attack into Intranet
[Diagram: the Browser sits inside the Intranet behind the Firewall, logged in (Login) to the WebApp at 192.168.0.1, whose Bug! is in its Remote Access settings; the evil.org WebApp outside the Firewall serves the attack page]
Request
  GET / HTTP/1.1
  Host: www.evil.org
Response
  HTTP/1.1 200 OK
  ...
  <html>...<img src="http://192.168.0.1/admin?setAccessMode=remote&resetPassword"/>...</html>
CSRF-Attack (the Browser reaches 192.168.0.1 from inside the Firewall, which never sees evil.org talk to the intranet host)
  GET /admin?setAccessMode=remote&resetPassword HTTP/1.1
  Host: 192.168.0.1
Protection
Add a secret, not automatically submitted, token to all sensitive requests
- This makes it impossible for the attacker to forge the request (unless there is an XSS hole in your application)
- Tokens should be cryptographically strong random values
Make sure your application has no XSS holes which could be exploited to attack other applications (or itself)
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
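As an added example (not from the slides), the bank.com transfer from the diagram in Python, with browser and server simulated by plain dicts: a cookie-only endpoint that the forged GET from evil.org succeeds against, and a protected endpoint that requires a POST carrying a per-session token which evil.org cannot read. The session store, the request shape and the endpoint behaviour are assumptions made for the illustration.

```python
# Added example, not from the slides: the bank.com transfer endpoint with and
# without an anti-CSRF token, simulated with dicts instead of a real server.
import hmac
import secrets

SESSIONS = {}  # session id -> {"user": ..., "balance": ..., "csrf_token": ...}


def login(user, balance):
    """Server side of 'Login' in the diagram: the browser will store the session
    cookie and attach it to every bank.com request, including forged ones."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "balance": balance,
                     # cryptographically strong random token, tied to the session
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Embedded by bank.com into its own transfer form as a hidden field.
    It lives only in bank.com's HTML, so evil.org cannot read it (barring XSS)."""
    return SESSIONS[sid]["csrf_token"]


def _session(request):
    return SESSIONS.get(request["cookies"].get("session"))


def transfer_vulnerable(request):
    """GET /transfer?to=...&amount=...: authenticated by the cookie alone."""
    session = _session(request)
    if session is None:
        return 401
    session["balance"] -= request["params"]["amount"]
    return 200


def transfer_protected(request):
    """Only a POST that carries the session's own token changes state."""
    session = _session(request)
    if session is None:
        return 401
    if request["method"] != "POST":
        return 405  # state-changing GETs are exactly what <img src=...> triggers
    submitted = request["params"].get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    session["balance"] -= request["params"]["amount"]
    return 200


def forged_get_from_evil_org(sid):
    """What the browser sends for <img src="http://bank.com/transfer?to=hacker&amount=1000">:
    the cookie goes along automatically, the token does not exist in the request."""
    return {"method": "GET", "cookies": {"session": sid},
            "params": {"to": "hacker", "amount": 1000}}


def forged_post_from_evil_org(sid):
    """An auto-submitting form on evil.org: switching to POST alone is no defence,
    the attacker can only guess the token."""
    return {"method": "POST", "cookies": {"session": sid},
            "params": {"to": "hacker", "amount": 1000, "csrf_token": "guess"}}


def legitimate_transfer(sid, to, amount):
    """Submitted from bank.com's own form, which contained the hidden token."""
    return {"method": "POST", "cookies": {"session": sid},
            "params": {"to": to, "amount": amount, "csrf_token": csrf_token_for(sid)}}


if __name__ == "__main__":
    victim = login("bkimminich", 1000)
    print(transfer_vulnerable(forged_get_from_evil_org(victim)), SESSIONS[victim]["balance"])  # 200 0
    victim = login("bkimminich", 1000)
    print(transfer_protected(forged_get_from_evil_org(victim)))    # 405
    print(transfer_protected(forged_post_from_evil_org(victim)))   # 403
    print(transfer_protected(legitimate_transfer(victim, "alice", 100)),
          SESSIONS[victim]["balance"])                            # 200 900
```

The token must travel in the form body (or a header the page's own script sets), never in a cookie: a cookie would be submitted automatically with the forged request just like the session cookie, which is the "not automatically submitted" condition on the slide. And as the slide also says, an XSS hole on bank.com lets the attacker read the hidden field and defeats the check.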
CSRF + XSS =
What shenanigans might our troll friend have in mind with any unwelcome forum posts he encounters?
  [img]http://forum.com/logout.do[/img]
(The forum renders the BBCode as an <img> tag, so the browser of every logged-in reader of the thread requests /logout.do with its own session cookie and is logged out.)
Securing Web Applications
Network Security = Useless?!
[Diagram: Malicious Requests pass through the Network Security layers (Firewall, IDS, IPS) to the WebApp on the Server, where they exploit vulnerabilities and compromise the application]
Security Scanners
[Diagram: a Blackbox Scanner / Penetration Test probes the running WebApp through Firewall, IDS and IPS; a Whitebox Scanner / Code Analysis inspects the Web App Sourcecode; findings lead to Fix + Patch Application]
New security holes might be introduced during ongoing development and bugfixing!
Web Application Firewall (WAF)
[Diagram: the WAF sits behind Firewall, IDS and IPS and in front of the WebApp on the Server]
Guidelines / Ruleset: Whitelist, Blacklist, Heuristics
- Defines legal/illegal Requests
- Rejects illegal requests
- Sometimes rejects legitimate requests („False Positives“) or fails to recognize illegal requests („False Negatives“)
Hacking Homework
The Voice of Rea§on™
Do not perform any attacks on servers, networks and applications…
…you do not own and operate yourself…
…or have the owner's permission to pentest!
The Target: BodgeIT Store
Source: http://code.google.com/p/bodgeit/
Installing BodgeIt
- Download latest version: http://code.google.com/p/bodgeit/downloads/list
- Unzip bodgeit.war into /webapps of an existing Servlet Engine, e.g. Tomcat, Jetty, …
- Launch your Server
- Browse to the BodgeIt Store, e.g. http://localhost:8080/bodgeit
Source: http://code.google.com/p/bodgeit/
Let the Hacking begin!
Try to pass as many challenges as possible!
No Scanners! No Cheating! No Decompilers!
Source: http://code.google.com/p/bodgeit/
Thank You…
…for your attention!
For more details, exercises and the seven remaining OWASP Top 10
check out my Web Application Security Training Workshop slides:
http://slideshare.net/BjrnKimminich/web-application-security-21684264