10 – 12 April 2005, Riyadh, Saudi Arabia. Web Application Security Fundamentals, Murat Lostar...
10 – 12 APRIL 2005 Riyadh, Saudi Arabia
Web Application Security Fundamentals
Murat Lostar
Information Security Consultant
“When we face a choice between adding new features and resolving security issues, we need to choose security.
Our products should emphasize security right out of the box”
Bill Gates
CIA Concept
Confidentiality: Information must be protected from unauthorized disclosure
Integrity: Information must be protected from unauthorized modification
Availability: Information must be available when the users need it
The goal of an attack
Steal data
Blackmail
Beachhead for other attacks
Bragging rights
Vandalism
Demonstrate vulnerability/satisfy curiosity
Damage company reputation
Designing Secure Systems
Designing Secure Systems
How much security does a web application require?
Zero risk is not practical
There are usually multiple ways to mitigate risk
Don’t spend $1,000,000 to protect $0.10
Security is almost always overhead, either in cost or performance
Designing Secure Systems
Common Security Mistakes
Security Principles
Security Design by Threat Modeling - STRIDE
Security Techniques
A Cornucopia of Threats and Solutions
Common Security Mistakes
Not designing applications with security in mind.
Adding security to the application as an afterthought.
This can be more expensive than you think.
Adding security later:
Can change the way the features have been implemented
Can change the application interface
Can break the previously written code
Why are these mistakes made?
Security is boring
Security disables some functionality.
Security is difficult to measure.
Security is not the interest of the designers and developers creating the product.
Security Principles
Establish a Security Process
If you don’t define a process for designing, coding, testing, deploying and fixing systems in a secure manner, it’s very likely that you will spend a huge amount of time fixing security bugs.
Consider Security as a Product Feature
Build and review the development plan.
Security Principles
Define the Product Security Goals
Who is the audience?
What does security mean to the audience?
Where will the application run?
What are you attempting to protect?
Who will manage the application?
What are the communication needs of the product?
What security infrastructure services do the OS and the environment already provide?
Security Principles
Learn from Mistakes – Every bug is a learning opportunity
How did the security error occur?
Is the same error replicated in other areas of code?
How could we have prevented this error from occurring?
How do we make sure this kind of error does not happen in the future?
Use Least Privilege
What resources must your application access?
What special tasks must your application perform?
Security Principles
Use Compartmentalization (separation of privileges)
Separation between users, processes, data, and networks helps contain problems if they occur.
Give the
Use Defense in Depth
Don’t rely on other systems to protect you
At some stage you (your software) have to defend yourself.
Implement a “default deny” stance
Security Principles
Assume External Systems Are Insecure
Until proved otherwise, all external stimuli have the potential to be an attack.
Plan on Failure
Bugs happen
Make a security contingency plan
Fail to a Secure Mode
The application has not disclosed any data that would not be disclosed ordinarily, the data still cannot be tampered with, ...
Do not issue huge swaths of information explaining why the error occurred. Give the user a little bit of information.
Here is an example:
Security Principles – Code Example

```cpp
...
DWORD dwRet = IsAccessAllowed(...);
if (dwRet == ERROR_ACCESS_DENIED) {
    // Security check failed.
    // Inform user that access is denied.
} else {
    // Security check OK.
    // Perform task.
    // Note: any return value other than ERROR_ACCESS_DENIED, including an
    // unexpected error from IsAccessAllowed, lands here, so this code fails open.
}
...
```
Security Principles – Code Example

```cpp
...
DWORD dwRet = IsAccessAllowed(...);
if (dwRet == NO_ERROR) {
    // Security check OK.
    // Perform task.
} else {
    // Security check failed, or the check itself returned an error.
    // Inform user that access is denied. Only NO_ERROR performs the task,
    // so this code fails to a secure mode.
}
...
```
Security Principles
Employ Secure Defaults
If a feature is not running, it cannot be vulnerable to attack
Another reason for not enabling features by default is performance.
Backward Compatibility Issue?
Be ready to face many upgrade and backward compatibility issues if you change critical features (for security reasons.)
The weak version of the protocol lives forever.
Security Features = Secure Features ???
Security features do not necessarily make for a secure application.
Security Principles
Never Depend on Security Through Obscurity
Always assume that an attacker knows everything you know
Validate input and output
User input and output to and from the system is the route for malicious payloads into or out of the system
Allow only explicitly defined characteristics and drop all other data
Security Principles
Keep it simple
Often the most effective security is the simplest security
If the steps to secure a function or module of the application are too complex, they probably won’t be followed
Complex code is hard to understand, makes maintenance error-prone
Security Principles
Use and reuse trusted components
When someone else has proven they got it right, take advantage of it
Beneficial from both a resource and security perspective
Only as secure as the weakest link
Attackers will find the weakest point and attempt to exploit it
Don’t leave all the locks on the front door and leave the back door swinging open
Security Principles – Three Final Points
If you find a security bug, fix it and go looking for similar issues in other parts of the code.
If you find a security bug, make the fix as close as possible to the location of the vulnerability.
If there is a fundamental reason why a security flaw exists, fix the root of the problem. Don’t patch it over.
An Example
(Architecture diagram; only its labels survive.)
Components: Web Browser, Web Server, Application Component (App. Comp.), DB Server
Data: Authentication Data, Web Pages, Application Data, Audit Data
Protocols: LDAP; HTTP, DCOM, SQL over sockets
An Example
Threat 1: A malicious user can view or tamper with personal data en route from the Web server to the client or from the client to the Web server
Threat 2: A malicious user can view or tamper with personal data en route from the Web server to the application component or from the component to the Web server
An Example
Threat 3: A malicious user can access or tamper with the personal data directly in the database
Threat 4: A malicious user can view LDAP Authentication packets and learn how to reply to them so that he can act “on behalf of” the user
An Example
Threat 5: A malicious user can deface or redirect the Web server by changing one or more Web pages
Threat 6: An attacker can deny access to the database server by flooding it with TCP/IP packets
An Example
Threat 7: An attacker can delete or modify the audit logs
Threat 8: An attacker can place his own Web server on the network after killing the original server with a distributed DoS attack.
OWASP.org
Open Web Application Security Project
Top-Ten Web Security Vulnerabilities
Top-Ten Web Security Vulnerabilities
1 Unvalidated Input
2 Broken Access Control
3 Broken Authentication and Session Management
4 Cross Site Scripting (XSS) Flaws
5 Buffer Overflows
6 Injection Flaws
7 Improper Error Handling
8 Insecure Storage
9 Denial of Service
10 Insecure Configuration Management
#10: Web/App Server Misconfiguration
Tension between “work out of the box” and “use only what you need”
Developers ≠ web masters
Examples:
Unpatched security flaws
Misconfigurations that allow directory traversal
Administrative services accessible
Default accounts/passwords
Countermeasures:
Create and use hardening guides
Turn off all unused services
Set up and audit roles, permissions, and accounts
Set up logging and alerts
#9 Denial-of-Service
#8: Poor Cryptography
Insecure storage of credit cards, passwords, etc.
Poor choice of algorithm (or invent your own)
Poor randomness:
Session IDs
Tokens
Cookies
Improper storage in memory
Countermeasures:
Store only what you must
Store a hash instead of the full value
Use only vetted, public cryptography
#7: Error Handling
Examples: stack traces, DB dumps
Helps attacker know how to target the app
Inconsistencies can be revealing too: “File not found” vs. “Access denied”
Fail-open errors
Need to give enough info to user w/o giving too much info to attacker
Countermeasures:
Code review
Modify default error pages (404, 401, etc.)
Error messages example
#6: Command Injection
Allows attacker to relay malicious code in form variables or URL
System commands
SQL
Interpreted code (Perl, Python, etc.)
Many apps use calls to external programs
sendmail
Countermeasures
Taint all input
Avoid system calls (use libraries instead)
Run with limited privileges
Injection in ASP
Login query: "Select * from users where username = '" + username + "' and password = '" + password + "'";
Goal: gain information and administrator access
Methodology: inject SQL statement in the ‘username’ and ‘password’ fields
Collect information
Query: "Select * from users where username = '" + username + "' and password = '" + password + "'";
1. Get database table. Username: ' having 1=1--
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid …
2. Get columns. Username: ' group by users.id having 1=1--
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid …
3. Get types. Username: ' union select sum(username) from users--
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
Gain access
Query: "Select * from users where username = '" + username + "' and password = '" + password + "'";
4. Get version info of SQL Server and OS. Username: ' union select @@version,1,1,1--
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) … Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' …
5. Get usernames. Username: ' union select min(username),1,1,1 from users where username > 'a'--
Syntax error converting the varchar value 'admin' to a column of data type int.
6. Get password. Username: ' union select password,1,1,1 from users where username = 'admin'--
Syntax error converting the varchar value 'r00tr0x!' to a column of data type int.
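The two defects the walkthrough above exploits are the concatenated query (#6) and the raw database error shown to the user (#7). The following is an added example, not code from the slides: the slide's login query rebuilt in Python against an in-memory SQLite table, beside a parameterized version that returns one generic message and logs the detail server-side. The table contents and the `admin' --` payload are constructed for this example; SQLite is used instead of SQL Server so that it runs offline.

```python
import logging
import sqlite3

log = logging.getLogger("login")

# Constructed sample accounts, not from the original slides. Passwords are kept
# in clear only to mirror the slide's query; a real store would hold a hash.
USERS = [("admin", "s3cret-admin"), ("alice", "alice-pw")]


def make_db() -> sqlite3.Connection:
    """In-memory users table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (id integer primary key, username text, password text)"
    )
    conn.executemany("insert into users (username, password) values (?, ?)", USERS)
    return conn


def login_unsafe(conn, username: str, password: str):
    """The slide's pattern: query text is assembled from the form fields, and
    the raw database error is shown to the user. Returns (ok, message)."""
    sql = ("select * from users where username = '" + username
           + "' and password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return (False, f"Database error: {exc}")   # leaks syntax and schema details
    return (row is not None, "Welcome." if row else "Login failed.")


def login_safe(conn, username: str, password: str):
    """Parameterized query: the fields are bound as data and never parsed as
    SQL. The user sees one generic message; details go to the server log."""
    try:
        row = conn.execute(
            "select id from users where username = ? and password = ?",
            (username, password),
        ).fetchone()
    except sqlite3.Error as exc:
        log.error("login query failed for user %r: %s", username, exc)
        return (False, "Login failed.")
    if row is None:
        return (False, "Login failed.")
    return (True, "Welcome.")


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: a quote and a comment marker end the WHERE clause early.
    print(login_unsafe(db, "admin' --", "anything"))   # (True, 'Welcome.')
    print(login_safe(db, "admin' --", "anything"))     # (False, 'Login failed.')
```

In `login_safe` the quote in the username is just a character inside a bound parameter, so the same input yields a normal "no such user" result, and a lone `'` that makes the concatenated query blow up produces the same generic message as a wrong password.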
#5: Buffer Overflows
Mostly affects web/app servers
Can affect apps/libraries too
Goal: crash the target app and get a shell
Buffer overflow example: echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
Replace all those “a”s with something like this… char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"
Countermeasures:
Keep up with bug reports/patches
Code reviews
Run with limited privileges
#4: Cross-Site Scripting (XSS)
Attacker uses trusted application/company to reflect malicious code to end-user
Attacker can “hide” the malicious code
Unicode encoding
2 types of attacks:
Stored
Reflected
Wide-spread problem!
Countermeasures:
Input validation
Positive
Negative: “< > ( ) # &”
Don’t forget these: “< > ( ) # &”
User/customer education
#3: Broken Account and Session Management
Weak authentication:
Password-only
Easily guessable usernames (admin, etc.)
Unencrypted secrets are sniffable
How to break in:
Guess/reset password
Have app email you new password
Sniff or crack password
Backend authentication:
How are database passwords stored?
Trust relationships between hosts (IP address can be spoofed, etc.)
Countermeasures:
Strong passwords
Remove default user names
Protect sensitive files
#2: Broken Access Control
Usually inconsistently defined/applied
Examples:
Forced browsing past access control checks
Path traversal
File permissions – may allow access to config/password files
Client-side caching
Countermeasures:
Use non-programmatic controls
Verify access control via central container
Code reviews
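"Verify access control via central container" and the earlier "fail to a secure mode" code example describe the same control from two sides: one gate every handler passes through, which performs the task only on an explicit allow. The following is an added example, not from the slides, of that gate in Python: a decorator consults a default-deny policy, and an exception inside the check itself is treated as a denial rather than a pass, which is the Python counterpart of testing for `NO_ERROR` instead of `ERROR_ACCESS_DENIED`. The policy table, resource names and roles are constructed for this example.

```python
import logging
from enum import Enum
from functools import wraps

log = logging.getLogger("authz")


class Access(Enum):
    ALLOWED = "allowed"
    DENIED = "denied"


# Constructed policy: resource -> roles permitted. A resource that is not
# listed is denied to everyone (default deny).
POLICY = {
    "/account/view": {"user", "admin"},
    "/account/transfer": {"admin"},
}


def is_access_allowed(user_roles: set, resource: str) -> Access:
    allowed_roles = POLICY.get(resource)
    if allowed_roles is None:
        return Access.DENIED
    return Access.ALLOWED if user_roles & allowed_roles else Access.DENIED


def require_access(resource: str):
    """Central gate wrapped around every handler. Only an explicit ALLOWED runs
    the task; any other decision, or an exception in the check itself, denies."""
    def decorator(handler):
        @wraps(handler)
        def wrapped(user: dict, *args, **kwargs):
            try:
                decision = is_access_allowed(set(user.get("roles", ())), resource)
            except Exception:
                # Bugs happen: a crashing check must not become an open door.
                log.exception("authorization check failed for %s", resource)
                decision = Access.DENIED
            if decision is Access.ALLOWED:
                return handler(user, *args, **kwargs)
            # Minimal message to the user; the reason goes to the server log.
            log.warning("denied %s to %s", resource, user.get("name"))
            return {"status": 403, "body": "Access denied."}
        return wrapped
    return decorator


@require_access("/account/view")
def view_account(user: dict) -> dict:
    return {"status": 200, "body": f"balance for {user['name']}"}


@require_access("/account/transfer")
def transfer(user: dict, amount: int) -> dict:
    return {"status": 200, "body": f"transferred {amount}"}


@require_access("/reports/unlisted")
def unlisted_report(user: dict) -> dict:
    # Not in POLICY, so the gate never lets this body run.
    return {"status": 200, "body": "this handler is never reached"}
```

Because the decision is made in one place, a code review of access control is a review of `POLICY` and `require_access`, not of every handler; a handler that forgets the decorator is the remaining risk, which is the "forced browsing past access control checks" example above and is best caught by a test that walks all routes.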
#1: Unvalidated Parameters
Attacker can easily change any part of the HTTP request before submitting:
URL
Cookies
Form fields
Hidden fields
Headers
Encoding is not encrypting. Toasted Spam: http://www.toastedspam.com/decode64
Input must be validated on the server (not just the client). CoolCarts: http://www.extremelasers.com
Countermeasures:
Tainting (Perl)
Code reviews (check variable against list of allowed values, not vice-versa)
Application firewalls
CodeSeeker: http://www.owasp.org/codeseeker/
Real-time auditing: http://www.covelight.com
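Server-side positive validation ("check the variable against the list of allowed values, not vice-versa"), the XSS countermeasures under #4, and the earlier principle "allow only explicitly defined characteristics and drop all other data" all come down to the same handler shape. The following is an added example, not from the slides, in Python: every client-controlled parameter is checked against an allowlist before any work is done, output is HTML-encoded regardless, and the slide's negative filter is kept beside it to show why a blocklist is not enough: an encoded payload contains none of the listed characters and passes it unchanged. The field rules and parameter names are constructed for this example.

```python
import html
import re

# Positive validation: describe what is allowed, reject everything else.
# Constructed rules for this example; tighten them to the field's real meaning.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
ALLOWED_SORT = {"name", "date", "price"}      # a parameter with a fixed set of values


def is_valid_username(value: str) -> bool:
    # fullmatch: the whole value must fit the pattern, not just a prefix
    return USERNAME_RE.fullmatch(value) is not None


def is_valid_sort(value: str) -> bool:
    # "check the variable against the list of allowed values, not vice-versa"
    return value in ALLOWED_SORT


def strip_negative(value: str) -> str:
    """The slide's negative filter: drop only the listed characters. Kept to
    show its limit: an encoded payload contains none of them and passes unchanged."""
    return "".join(ch for ch in value if ch not in "<>()#&")


def render_greeting(display_name: str) -> str:
    """Output encoding at the HTML boundary. Applied regardless of validation
    (defense in depth), so a '<' can only ever reach the browser as '&lt;'."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


def handle_profile_request(params: dict) -> dict:
    """Validate every parameter the client controls before doing any work;
    one rejected field fails the whole request with a minimal message."""
    username = params.get("username", "")
    sort = params.get("sort", "")
    if not (is_valid_username(username) and is_valid_sort(sort)):
        return {"status": 400, "body": "<p>Invalid request.</p>"}
    return {"status": 200, "body": render_greeting(username), "sort": sort}


if __name__ == "__main__":
    # Constructed requests: the URL-encoded form slips past the blocklist
    # but fails the allowlist, because '%' is simply not an allowed character.
    print(strip_negative("%3Cscript%3E"))                                   # %3Cscript%3E
    print(handle_profile_request({"username": "%3Cscript%3E", "sort": "name"})["status"])  # 400
```

The allowlist never has to know which encodings exist: anything that is not a plain letter, digit, or one of three punctuation marks is rejected, whether it arrives raw, URL-encoded, or otherwise disguised. Hidden fields, cookies and headers get the same treatment as form fields, since the client can rewrite any of them.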
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Security Techniques - Authentication
Authentication – The process of verifying a claimed identity
User Authentication
The process of determining that a user is who he/she claims to be
Usually happens only once per session
May need to re-authenticate during a session e.g. before a significant monetary action
Entity Authentication
The process of determining if an entity is who it claims to be
Usually takes place with every request
Authentication
User Authentication:
Basic authentication – Clear Text
Digest authentication
Forms-based authentication

```asp
<%
Dim strUsername, strPwd
strUsername = Request.Form("Username")
strPwd = Request.Form("Pwd")
%>
```

Passport authentication - SSO
Windows authentication:
NTLM authentication
Kerberos authentication
X.509 certificate authentication
AuthenticationAuthentication
Entity Authentication
Cookie based
Infrastructure Authentication
IPSec
X.509 certificate authentication
Page 59
Authentication
Cookies
  Persistent and Secure
  Persistent and Non-secure
  Non-persistent and Secure
  Non-persistent and Non-secure
Page 60
Authentication
Managing User Sessions
  Session tokens
  Cryptographic algorithms
  All session tokens should be unique per user, non-predictable, and resistant to reverse engineering
  Use a trusted random number generator
  Map session tokens in some way to a specific HTTP client instance to prevent hijacking and replay attacks
  Do not base a session token algorithm on, or use as variables, any user personal information
Page 61
Authentication
  Expire session tokens on the HTTP server when the session ends
  Regenerate session tokens while the session is active
  Build methods to detect session forging/brute-forcing and/or lockout
  Re-authenticate users before significant actions
  Encrypt session tokens during transmission
  Use page-specific tokens in conjunction with session-specific tokens
  Overwrite session tokens on logout
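The session-token rules on the last two slides, and the non-persistent Secure cookie from the cookie matrix, as one added example (not from the deck): random tokens from the OS generator, bound to a client fingerprint, expired on the server, regenerated mid-session, overwritten on logout, with a per-client lockout once too many invalid tokens are seen. The timeout and lockout threshold are assumed policy values.

```python
import hashlib, secrets, time

class SessionStore:
    TOKEN_BYTES = 32       # 256 bits from the OS CSPRNG, never derived from user data
    IDLE_TIMEOUT = 900     # seconds of inactivity before the server expires a token (assumed policy)
    MAX_FAILURES = 20      # invalid tokens from one client before lockout (assumed policy)

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.sessions = {}             # token -> {"user", "client", "expires"}
        self.failures = {}             # client fingerprint -> invalid-token count

    @staticmethod
    def fingerprint(client_ip, user_agent):
        # Map the token to a specific HTTP client instance; hashed so no raw client data is stored
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def create(self, user, client_ip, user_agent):
        token = secrets.token_urlsafe(self.TOKEN_BYTES)   # trusted random number generator
        self.sessions[token] = {"user": user, "client": self.fingerprint(client_ip, user_agent),
                                "expires": self.now() + self.IDLE_TIMEOUT}
        return token

    @staticmethod
    def cookie_header(token):
        # Non-persistent (no Expires/Max-Age) and Secure: dropped when the browser closes, sent only over TLS
        return f"Set-Cookie: sid={token}; Secure; HttpOnly; Path=/"

    def lookup(self, token, client_ip, user_agent):
        client = self.fingerprint(client_ip, user_agent)
        if self.failures.get(client, 0) >= self.MAX_FAILURES:
            return None                                   # brute-force detection: client locked out
        session = self.sessions.get(token)
        if session is not None and session["expires"] < self.now():
            del self.sessions[token]                      # expire on the server, not just in the browser
            session = None
        if session is None or session["client"] != client:
            self.failures[client] = self.failures.get(client, 0) + 1
            return None                                   # forged, stale, or replayed from another client
        session["expires"] = self.now() + self.IDLE_TIMEOUT   # sliding expiry while the session is active
        return session["user"]

    def regenerate(self, token, client_ip, user_agent):
        # Fresh token mid-session (e.g. after re-authentication); the old one stops working
        user = self.lookup(token, client_ip, user_agent)
        if user is None:
            return None
        del self.sessions[token]
        return self.create(user, client_ip, user_agent)

    def logout(self, token):
        self.sessions.pop(token, None)                    # overwrite/expire the token on logout
```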
Page 62
Security Techniques – Authorization and Access Control
Limits what users can do, which resources they have access to, and what functions they are allowed to perform on the data.
Authorization
  The act of checking to see if a user has the proper permission to access a particular file or perform a particular action
Access Control
  The more general way of controlling access to web resources, including restrictions based on things like the time of day, the IP address or domain of the client browser, the type of encryption the HTTP client can support, the number of times the user has authenticated that day, etc.
Any access control mechanism depends on effective and forge-resistant authentication controls for authorization
Page 63
Access Control and Authorization
Access Control
  Discretionary Access Control
    Restricts access to information based on the identity of the user
    Decentralized model
  Mandatory Access Control
    Assigns sensitivity labels to information and compares them with the sensitivity level at which a user operates
    For extremely secure systems
  Role-based Access Control
    Access decisions are based on an individual's roles and responsibilities within the organization or user base
    Centralized administration
    Scalable
Page 64
Access Control and Authorization
In Windows Environment
  Access Control Lists
  Privileges
  IP Restrictions
  Server-Specific Permissions
Page 65
Security Techniques
Tamper-Resistant and Privacy-Enhanced Technologies
  SSL / TLS
  IPSec
  DCOM and RPCs
  Encrypting File System
Page 66
Security Techniques
Protect Secrets – Don't Store Secrets
  If you don't store the data, the attacker cannot gain access to it!
Encryption, Hashes, MACs, and Digital Signatures
  Hide information from prying eyes.
Filtering
  Inspect data as it is received and decide whether to accept or reject it
Throttling
  Limit the number of requests to your system
Quality of Service
  Preferential treatment for specific types of traffic
Least Privilege
  Always run with just enough privilege to get the job done
Page 67
Security Techniques - Logging
Importance of logging
  Provides key security information about a web application and its associated processes and integrated technologies
  Makes individual users accountable for their actions
  Often the only record of suspicious behavior – the basis of intrusion detection (IDS)
Page 68
Logging
What to log
  In general: time of event, initiating process or owner of process, detailed description of the event
  Reading/writing/modifying/deleting data
  Network communications at all points
  All authentication/authorization events
  All administrative functions, regardless of
  Debugging information that can be enabled/disabled on the fly
Page 69
Logging
Best practices for log management
  Collect and consolidate logs on a separate, dedicated logging host
  Encrypt network connections and log data contents to protect confidentiality and integrity
  Set log file attributes so that only new information can be written (older records cannot be rewritten or deleted)
  Copy logs at regular intervals, depending on size and volume
  Verify regularly that logging is operational
  Copy log files to permanent storage and include them in the backup strategy
  Dispose of log files according to the company record retention policy
  Synchronize all logging components with a time server so that all logging can be consolidated effectively without latency errors.
Page 70
Some Common Threats
  Access to or modification of confidential data
  Reading or modifying e-mail-based communication
  Flooding a service with too many connections
  Attempts to guess passwords
  Attacker spoofs a server
  Attacker posts HTML or scripts to your site
  Your data packets can be replayed
  Attacker gains physical access to hardware
  Attacker modifies configuration data
  Error messages leak too much information
  An attacker accesses or uses data cached by a previous user
  Attacker shuts down your process
Page 71
What to do next?
Here are a few tips for the beginning:
  Data Validation
  Privacy Considerations
Page 72
Data Validation
One of the most important aspects of designing a secure web application
Applies to input to and output from a web application
Validation strategies
  Accept only known valid data
    Accept only input that is known to be safe and expected
    The best possible strategy, but not always feasible
  Reject known bad data
    Can limit exposure
    Relies on the application knowing about specific malicious payloads
  Sanitize all data
    An effective second line of defense
    May be hard and time-consuming to perform
Page 73
Data Validation
All three data validation strategies must check
  Data type
  Syntax
  Length
Never rely on client-side validation
  Data validation must be done on the trusted server or under the control of the application
  Client-side data validation can always be bypassed
  An attacker can watch the return value and modify it at will
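The three validation strategies from the previous two slides, each checking data type, syntax and length on the server, as an added example (not from the deck). The accepted formats (a short account name, a money amount, a free-text note) and the blacklist of fragments are constructed for illustration; the blacklist deliberately shows why "reject known bad" only limits exposure.

```python
import html
import re
from decimal import Decimal

# Accepted formats (assumed for illustration): a short account name and a money amount
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")          # type, syntax and length in one rule
AMOUNT_RE = re.compile(r"\d{1,7}(\.\d{1,2})?")           # digits with at most two decimals
MAX_NOTE_LEN = 200

def validate_known_good(field, value):
    """Strategy 1: accept only input that matches an explicit, expected format; anything else is refused."""
    if not isinstance(value, str):
        return None                                        # data type: the form must deliver text
    if field == "username":
        return value if USERNAME_RE.fullmatch(value) else None
    if field == "amount":
        if not AMOUNT_RE.fullmatch(value):                 # syntax and length
            return None
        amount = Decimal(value)                            # safe to convert only after the syntax check
        return amount if Decimal("0.01") <= amount <= Decimal("1000000") else None
    return None                                            # unknown field: not expected, so not accepted

# Strategy 2 needs a list of known-bad fragments (constructed here); it catches only what is listed
BAD_FRAGMENTS = ("<script", "javascript:", "--", ";", "' or ", "\"")

def reject_known_bad(value):
    """Refuse input containing a blacklisted fragment; limits exposure but misses unlisted payloads."""
    lowered = value.lower()
    return None if any(frag in lowered for frag in BAD_FRAGMENTS) else value

def sanitize(value, max_len=MAX_NOTE_LEN):
    """Strategy 3: neutralise instead of refusing; drop non-printables, clamp length, escape for HTML output."""
    cleaned = "".join(ch for ch in value if ch.isprintable())[:max_len]
    return html.escape(cleaned, quote=True)
```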
Page 74
Privacy Considerations
Warn users about the dangers of communal web browsers
  Pages may be retained in the browser cache
  Logging out and closing the browser to kill session cookies is recommended
  Temp files may remain
  Proxy servers and other LAN users may intercept traffic
Design sites with the assumption that no part of a client is secure and make no assumptions about integrity
Page 75
Privacy Considerations
Display personal data only when really needed
  Set pages to pre-expire
  Set the no-cache meta tags
Otherwise, mask personal data, displaying only a subset
Offer an enhanced privacy login option to the user
Keep sensitive data out of the browser history by using POST for all form submissions
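The pre-expire and no-cache items above, together with masking personal data to a subset and an enhanced-privacy option, as an added example (not from the deck): a server-side renderer for a profile page on a communal browser. The profile fields, masking rules and page layout are assumed for illustration.

```python
import html
import re

EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"   # a date in the past: the page is expired on arrival

def no_cache_headers():
    """Pre-expire the page and forbid caching so a shared browser or proxy keeps no copy."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate, private",
            "Pragma": "no-cache",            # understood by HTTP/1.0 caches and older proxies
            "Expires": EXPIRED}

def no_cache_meta_tags():
    """The same directives as <meta> tags inside the page itself."""
    return ('<meta http-equiv="Cache-Control" content="no-store, no-cache">\n'
            '<meta http-equiv="Pragma" content="no-cache">\n'
            '<meta http-equiv="Expires" content="0">')

def mask_card(number):
    """Show only a subset: the last four digits."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 8:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]

def mask_email(address):
    local, _, domain = address.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "***@" + domain

def render_profile(profile, enhanced_privacy):
    """Headers and body for a page showing personal data: the e-mail is masked when the user chose
    the enhanced-privacy option, the card number is never shown in full, and nothing is cacheable."""
    shown = {"name": profile["name"],
             "email": mask_email(profile["email"]) if enhanced_privacy else profile["email"],
             "card": mask_card(profile["card"])}
    body = no_cache_meta_tags() + "\n" + "\n".join(
        f"<p>{k}: {html.escape(v)}</p>" for k, v in shown.items())   # output is escaped, too
    return no_cache_headers(), body
```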