Beating Web Application Security Threats (transcript, 7/28/2019)

The rapid increase in usage, development and complexity of Web applications has created new opportunities for companies that employ them and hackers who attack them. This handbook delivers up-to-date information on security threats to Web 2.0 and rich Internet applications and expert advice on how to avoid those threats. BY KEVIN BEAVER

BEATING WEB APPLICATION SECURITY THREATS
CHAPTER 1: New Web application security challenges
CHAPTER 2: Assessing your Web application security
CHAPTER 3: Beating common Web security attacks
CHAPTER 4: Hacking your own applications
CHAPTER 5: Overview of best practice tips and checklists
CHAPTER 1: NEW WEB APPLICATION SECURITY CHALLENGES
Introduction: New Web application security challenges

It's a great time to be a software professional. Whether you develop code or try to break it, we've never had such great opportunities to work with so many dynamic technologies. From in-house development of Web 2.0 applications using ASP.NET to ISVs developing the next big thing for the cloud using Java, we've advanced quite a bit from the more simplistic days of BASIC, FORTRAN, and COBOL. With this advancement comes complexity, though. And, as we're finding out, complexity is the enemy of security.

There are numerous aspects of complexity in today's software development lifecycles beyond the codebase itself, as shown in Figure 1 (page 3), all of which create unique application security challenges. It's easy to get so caught up in work that we fail to see these things as creating barriers to the software development lifecycle, and ultimately, security. Let me elaborate on each item.

- Politics: People issues are at the root of many, if not most, application security problems. For every good idea to help improve application security, there's usually someone there to strike it down. Managers and executives, in particular, are notorious for getting in the way of security and information risk management. It's the ultimate irony given their fiduciary responsibilities, but if you can work around it you'll be able to do wonders for the development and QA processes. I suggest you check out the various articles I've written on getting management on your side (http://www.principlelogic.com/careers.html).

- Time management: Going beyond the people hurdles, we have to turn to ourselves and how we manage our time. One thing's for sure in IT: how you manage your time will make you or break you. There are so many factors affecting application security in your work (design, development, QA, deployment, maintenance, and monitoring) that you have to set specific goals and boundaries to ensure everything is done properly and you end up with higher quality applications. Learning and eventually mastering time management is a required skill (see http://securityonwheels.blogspot.com/search/label/time%20management). If there's anything you learn about time management, there are two things you must not forget:

1. Just because someone throws you a ball doesn't mean you have to catch it (a tip from the late Richard Carlson).
2. Continually ask yourself if what you're doing right now is the best use of your time and, if not, move on to something productive.

- Professional development: Another personal aspect of the application security complexity equation is how you keep up with the latest technologies and security challenges. I studied and used Assembler, Pascal, and C intensely in college and for a couple of years after that. Although that was a time before application security was on our radar, I thought I knew all there was to know about programming and QA. Looking back on that now, if I assumed that was all I'd ever need to know in order to excel in application security, I'd be fooling myself. Sure, those early days of my career built an excellent foundation. But the reality is there's so much more to learn and know, especially with the numerous development and OS platforms you're required to work with and all the security threats we're up against.

In my security assessment work I've yet to interview a developer who consistently attends development or security classes, seminars, or conferences. Don't be those people. I'm convinced that even though you live and breathe this stuff every day at work, continuous learning is an absolute necessity for not only keeping up, but succeeding in this field.
Figure 1: Complexities affecting Web application security (figure image not reproduced in this transcript)
- Attack vectors: Not too long ago all there was to worry about regarding application security was who had access to the dumb terminals and whether the users knew their passwords. My, have things changed! From multiple Web browsers to mobile users to malware, applications are being attacked from every angle. And SSL and strong passwords are no longer the minimum necessary controls. You have to consider input validation, application logic, session management, and so much more. There is practically no limit to the ways any given application can be exploited. It's just a matter of time and effort, both of which the bad guys tend to have a lot of.

- Compliance requirements: No longer are you just a developer or QA professional who can focus only on the code itself. Today applications have to be compliant with numerous regulations such as PCI DSS, HIPAA, GLBA, and Sarbanes-Oxley. If you haven't experienced it already, you'll no doubt be pulled into security and compliance meetings to discuss how your software meets the specific requirements of these regulations. We're not just talking about how your applications handle access controls and authentication either. There's audit logging, separation of duties, patch maintenance, system monitoring, and even certain tie-ins with disaster recovery, business continuity, and security incident response. It pays to learn more about compliance these days. The good news is, under the covers, it's all the same stuff: information security best practices stated in different ways.

- Customer and business partner demands: Compliance requirements have likely already sparked conversations with customers and business partners. If not, you'll likely be involved in discussions related to the question "How do we know your application is secure?" A majority of the Web application security assessments I do involve this very thing: Company A is requiring an independent third-party review of Company B's application. SAS 70 audits of a data center won't cut it. Neither will internal assessments or basic security scans. I've heard that customer and business partner inquiries such as this are one of the most time-consuming aspects of application security. However, it's part of doing business, so you might as well come up with some processes, such as standardized answers to security questionnaires and periodic security reviews, that you can pull out when needed to help minimize the pain.

The important thing is to acknowledge what you're up against. Choosing to ignore these issues will only serve to create more frustration and additional stumbling blocks.
The lowdown on PCI compliance

I don't know about you, but I'm getting kind of tired of hearing about PCI DSS. Yes, an information security consultant who earns his living, in part, off of compliance is saying he's tired of a big component of the compliance equation. Let me elaborate.

I'm really just tired of two things. First, all the marketing hype the vendors are putting out there about how their products are going to magically make you compliant with PCI DSS. Secondly, all the differing opinions about what it takes to be compliant with this standard are getting old too. There are books, whitepapers, seminars, scanning services, you name it. If you need to comply with PCI DSS there's a self-proclaimed expert on every corner out there who wants to help.

Since you're reading this, PCI DSS probably affects you and your business in some way. As with many organizations, it's likely in the context of Web security. Well, if so, you're in luck. Here's the lowdown on what PCI DSS is all about. First off, there's this quarterly external security scan requirement in PCI DSS that everything seems to be revolving around. In doing security scans myself, I'm here to tell you that security scans aren't everything. I can't tell you how many businesses I come across that vouch they're secure or compliant just because they've had some PCI Approved Scanning Vendor (ASV) run a quick scan and tell them everything's OK. It's not that simple. I've used some of the very tools that the vendors are saying will find vulnerabilities in your applications and point out where you're out of compliance with PCI. I've seen them not find any flaws at all while, at the same time, another vendor's tool uncovers cross-site scripting, SQL injection, and so on. Do your homework before buying into companies that tout Web scans for PCI compliance. If you show me a Web application out there that doesn't have any vulnerabilities, I'll show you an application that hasn't been tested in the right ways.

Relying on scans alone is one thing. Hiring a PCI Qualified Security Assessor (QSA) is something else. You'd think they'd find everything that counts, but it's not that simple. Information systems, especially Web applications, can be extremely complex, and even the best QSAs out there may not uncover everything that matters. Just ask Heartland Payment Systems (http://www.2008breach.com/). This is especially true if the people doing the assessments are just out of grad school and don't have a good mix of skills to know what to look for.

Another thing is that you're probably not going to have PCI police knocking on your door. No one's going to jail over failing to comply with PCI DSS. After all, it's an industry standard, not a law. That said, all it takes is one breach of your payment-related systems to get your business in a real bind. A business that loses credit card processing privileges in today's world is destined to take a big hit.

Finally, PCI DSS is nothing more than a set of solid information security practices bundled up in a neat little package that's being pushed as yet another separate component of compliance you have to deal with. Don't fall for this. You shouldn't focus on PCI DSS in a standalone fashion if your business falls under the scope of other regulations such as HIPAA, GLBA, SOX, and so on. Odds are it does. Work with your compliance officer, or, if you're like many other IT professionals and you are the compliance officer, try to get a handle on what other regulations your business is up against and focus on information security as a whole. This will allow you to touch on all of the important areas (risk assessment, policies and controls, visibility, automation, and so on) so you can kill two, or three, or four birds with one stone rather than addressing each regulation on its own. This is all the same stuff, folks.

Getting your compliance priorities in order is absolutely necessary. Just don't pour all your energy and money into security for the sake of compliance. Even though PCI DSS is a standard with explicit requirements, you have to temper it with some good old-fashioned common sense, for that's the stuff smart security consists of.
CHAPTER 2: ASSESSING YOUR WEB APPLICATION SECURITY
Introduction: Assessing your Web application security

There's something interesting about application security. We can find the technical flaws and even have the means to fix them, but it seems like the organizational and people side of the equation gets in the way every time, without fail. When it comes to locking down your Web applications, you've got to go beyond the bits and bytes and take process and politics into account as well. If you don't, you'll spin your wheels indefinitely until you move on to another organization, where you'll likely find the same roadblocks if nothing is done about it.

Web security is as much about culture and leadership from above as it is about how good a developer or QA analyst you are. We often face challenges that fly in the face of doing what really needs to be done in order to achieve reasonable Web application security, such as:

- Getting the ear of management and users to help support your Web security initiatives.
- Establishing information security standards and policies that customers expect.
- Getting the funding to do Web security testing the right way.
- Having the means to actually do something with the results of your testing.
- Maintaining the momentum to ensure application security is ingrained into daily business.

These issues are not unique to any one type of business or industry. Everyone faces them. It's how you position yourself, establish your credibility, and make your case that will determine whether or not you can make things happen.

One thing to keep in mind when going through the Web application security process is that you don't have to drain the ocean all at once. Simply getting the process started and slowly integrating security into your processes is the best way to go about it.

Furthermore, you'll want to have goals. You have to define where it is you want to go so you'll know when you've arrived. Just don't forget that security is never an end result, but rather a set of processes and good habits practiced time and again. That said, lowering the number of security flaws is an end result. And so is performing consistent security checks. Set your sights on the right areas and you can move forward with ease.

There are several key factors that will help make effective Web application security, and overall information security, a reality in your business. The proven process for minimizing information risks is shown in Figure 1.

Figure 1: The minimum ingredients necessary for Web application security success (figure image not reproduced in this transcript)

Even with these recommendations, many people are still too busy for Web application security. Or, they don't know where to start. There are numerous Web security standards such as the OWASP Top 10 (especially the forthcoming risk-based 2010 version) and the CWE/SANS Top 25 that can help you get the ball rolling, at least on what to look for.

Beyond the OWASP and SANS lists, you can turn to a standard such as ISO/IEC 27002:2005. Its higher-level information security principles can be applied directly to Web application security. From security policies to incident response to business continuity and beyond, the 27002 framework shows you everything you need to be successful at Web application security. It's all a matter of making the choice to do it and then taking the time to do it right.

I strongly believe that you don't need to recreate the wheel, especially when you have so many proven information security resources at your disposal. If you're too busy to start from ground zero, you can still keep it simple by utilizing standards and frameworks that other people have developed to give you all you need.

In the end, stay focused on the right areas. Organizational issues such as policies, procedures, and politics play a significant role in Web application security. Get into the right mindset, approach Web application security like any other system or business function, then stay on top of it. You can't go wrong.
10 steps to acing Web app security assessments

"Action without planning is the reason for every failure." Those words from success expert Brian Tracy ring true in so many of the Web security assessment projects I've both witnessed and been involved in.

Time management experts say that one minute of planning saves us five minutes in execution. That's a 500% return on our time. This sounds too good to be true, but it's not. I'll give an example of this practice in action in this tip. Then, I'll lay out 10 best practices for successfully assessing applications' Web security.

A software project leader just told me a related story, in which she detailed how much time she and her team spend on planning IT and security-related projects before they ever do a thing. She said this planning not only helps get management buy-in and helps set everyone's expectations going in, but it also really makes a positive difference in the outcome of their projects. This thoughtful planning showed in their security assessment results.

If you're truly willing to fight the urge for instant gratification and instead put the time in up front to plan things out, it's virtually guaranteed that your Web security assessment projects will run smoothly, uncover the things that matter, and finish on schedule to boot.

Whether you'll be doing the testing on your own or hiring an outside expert, you must diligently plan things out and get all the right people on the same page. Here are 10 best practices for planning a Web security assessment project. I've learned over the years that you can't afford to skip these steps.

1. Who is this project going to affect (before, during, and after) and can we get them in on the planning phase? Many people such as developers, marketing, and DBAs are often overlooked but need to be included.

2. What compliance-related laws and regulations are applicable here? Are we overlooking any requirements in that area? PCI DSS is the obvious one here but there are many others including HIPAA, GLBA, and even SOX.

3. Are we going to look at the system as an untrusted outsider, a trusted user, or both? Management may trust users of the system, which is a dangerous way of doing business. Even worse are the vulnerabilities a trusted user could exploit that you may overlook by not doing authenticated testing.

4. Will a simple vulnerability scan suffice (e.g. for PCI DSS compliance) or do we also need to perform an in-depth manual analysis to uncover the other half of the vulnerabilities that scanners won't find? Including manual analysis using a malicious mindset is the only way to do it, if you want to do it right.

5. Is it going to be okay to let vulnerability scanners submit forms, which could create database entries and potentially thousands of emails to multiple people? This is a side effect that's often discovered once it's too late. It's good to know going in so you can create preventative measures to block such data and emails, or at least set expectations.

6. When can the automated scanning be done? Commercial vulnerability scanner tools, when used properly, can be tweaked to minimize the impact on your Internet connection and server environment.

7. How often are status updates going to be given? I've found it to be not only the courteous thing to do but also an important part of keeping people in the loop in these often complex projects.

8. Will an initial findings report be delivered to the key players before the final draft report is created? If so, when? Just be patient and try to hold off requesting a bulleted draft report with few details, screenshots, or specific URLs affected. This usually just serves to generate more questions and create more work for everyone involved.

9. Is everything in writing? For internally sourced projects, at least have a documented plan. For outsourced projects, a statement of work and signed contract need to be in place without exception.

10. What's the exit strategy? In other words, what's going to happen once the assessment is complete and the report is delivered? This is where many projects fail. It is one thing to find the flaws and then deliver the report but quite another to actually act upon them to ensure the money and effort spent doesn't go to waste.

The hard part of all this is carving out the time up front before getting rolling with your Web security assessment projects. Management support is certainly a key component but it really comes down to self-discipline, which Elbert Hubbard once defined as "the ability to make yourself do what you should do, when you should do it, whether you feel like it or not."

It's the little things that add up. Pay attention to these project details and any others specific to your business and you'll certainly come out on top.
ADDITIONAL RESOURCES FOR CHAPTER 2
- How to get management onboard with Web 2.0 security issues: http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1373696,00.html
- Web application security testing checklist: http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1247920,00.html
CHAPTER 3: BEATING COMMON WEB SECURITY ATTACKS
Introduction: Identifying and beating the most common Web security attacks

You've likely heard of the Pareto Principle, a.k.a. the 80-20 rule, which says 80% of the effects come from 20% of the causes. We can easily apply the 80-20 rule to Web security: 80% of the risk comes from 20% of the flaws. In other words, the majority of the Web security risks stem from a small number of weaknesses, most of which we keep repeating over and over again.

There's a misperception by many, especially those in marketing and management, that Web exploits are elaborate hacks carried out by highly technical attackers. In fact, it's quite the contrary. Most of the issues I see in my work, reinforced by the many Top 10 Web security vulnerability lists, are simple, silly, and often stupid weaknesses that lead to serious consequences when exploited.

The following are the most common Web security attacks you need to be on the lookout for in your development and quality assurance processes, along with what you can do to minimize the risks:

1. Lack of input validation: Everyone knows that not sanitizing user input to filter JavaScript, SQL commands, and so on is a no-no, but this has got to be one of the biggest problems on the Web. Be it cross-site scripting or SQL injection, not validating input on Web forms and URLs can lead to pretty serious consequences.

I've found that you absolutely have to use a good Web vulnerability scanner such as WebInspect (https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__) or Acunetix Web Vulnerability Scanner (http://www.acunetix.com/) in order to find input validation flaws. There are just too many entry points and iterations to test an entire website or application manually. But it's not just the tools; it's using multiple tools wherever possible (they all find different things) and testing as authenticated users at different role levels as well. Authenticated cross-site scripting is more difficult to exploit, but this is the area where I find the most problems with SQL injection. Just because someone has login credentials to your application, you can never assume their intent is good and they're always going to do the right thing.

Once you find the flaws, it's simply a matter of only accepting what's expected and nothing more.
2. Weak passwords: Another common-sense flaw that I see all the time is weak passwords. Commercial Web vulnerability scanners do an okay job at finding weak passwords. There's also the freeware tool called Brutus (http://www.hoobie.net/brutus/brutus-download.html) that works just as well, if not better, for ferreting out weak passwords. However, finding weak passwords is time sensitive (and intensive) and highly dependent on the dictionary you use.

The problem with weak passwords is actually pretty simple to prevent. The reality is that if users have the option to create a weak password, they will. End of story. The solution is simple: don't give them that option. And ignore the complaining you'll undoubtedly hear from users and management when this change is made. It's for their own good. Furthermore, build in an intruder lockout mechanism, just like our operating systems have, that will lock the account after 5, 10, or 15 failed login attempts.
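As an added example (not from the original ebook), here is one way to implement both halves of that advice in application code: a registration-time policy check so a weak password can never be chosen in the first place, and a failed-attempt counter that locks the account for a period once a fixed number of guesses have missed. Passwords are stored as salted PBKDF2 hashes from Python's standard library. The policy numbers, the small blocklist, the in-memory account store and the function names are assumptions made for this example; a real deployment would check against a breached-password list and persist accounts in a database.

```python
import hashlib
import hmac
import os
import time

# Policy values assumed for this example; the text suggests locking after 5, 10 or 15 misses.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000

# Constructed blocklist standing in for a real breached-password dictionary.
COMMON_PASSWORDS = {"password1234", "123456789012", "qwertyuiop12", "letmein12345"}


def password_is_acceptable(username, password):
    """Refuse the choices users make when they are allowed to: too short,
    on the common-password list, or containing their own username."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    if username.lower() in password.lower():
        return False
    return True


def _hash_password(password, salt):
    """Salted, iterated hash so a leaked table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory account table; a real application would persist this."""

    def __init__(self):
        self._accounts = {}
        self._dummy_salt = os.urandom(16)

    def register(self, username, password):
        """Enforce the policy here, so no weak password ever gets stored."""
        if not password_is_acceptable(username, password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username, password, now=None):
        """Return 'ok', 'bad_credentials' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        account = self._accounts.get(username)
        if account is None:
            # Spend the same hashing work for unknown users so response time
            # does not reveal which usernames exist.
            _hash_password(password, self._dummy_salt)
            return "bad_credentials"
        if account["locked_until"] > now:
            return "locked"
        candidate = _hash_password(password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        if account["failures"] >= MAX_FAILED_ATTEMPTS:
            account["failures"] = 0
            account["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_credentials"
```

The lockout is time-limited on purpose: a permanent lock lets an attacker deny service to any user simply by guessing wrong five times against that username. Returning the same "bad_credentials" answer for unknown and known usernames, and spending the same hashing work in both cases, keeps the login form from confirming which usernames exist, which is the first thing a dictionary tool like the one mentioned above tries to learn.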
3.Weak login mechanisms: On a relat-ed note, entire Web login mecha-
nisms are often vulnerable to attack.
Be it hidden fields, cookies, or other
session variables that are passed dur-ing the login process, theres often
something that can be manipulated
to escalate privileges or even bypass
the login process. This goes forNTLM-based authentication, form-
based authentication, and even sites
with multi-factor authentication.
Authentication logic thats easily
manipulated by users is bad however
you slice it.
Although a tougher problem to fix, given that the issues are unique to each application, weak login mechanisms can be overcome. You just need to put on your hacker hat and perform some good manual analysis using a Web proxy tool and a session manipulation tool like the Firefox Web Developer plug-in (http://chrispederick.com/work/web-developer), and you're good to go. Find the flaws and then reverse engineer a fix.
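The hidden-field and cookie manipulation described above can be reproduced, and the fix shown, in a few lines. The following is an added example, not code from the original ebook: `vulnerable_role` models an application that reads the user's role back out of a client-controlled cookie or hidden field, while `hardened_role` keeps the role in a server-side session table and hands the browser only an HMAC-signed session identifier, so any edit made in a Web proxy fails verification. The secret key, the in-memory session store and the `tamper` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Assumed to come from a secrets store in production; constructed here.
SERVER_SECRET = b"constructed-example-key-do-not-reuse"

# Server-side session table: the only authoritative place a role is stored.
SESSIONS: Dict[str, Dict[str, str]] = {}


def vulnerable_role(cookies: Dict[str, str]) -> str:
    """Vulnerable pattern: the role is read from a value the browser controls.

    A hidden form field or a cookie like role=user is one proxy edit away
    from role=admin, and the server has no way to notice.
    """
    return cookies.get("role", "user")


def _mac(body: str) -> str:
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str, role: str) -> str:
    """Create a server-side session and return the signed cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "role": role}
    body = base64.urlsafe_b64encode(json.dumps({"sid": sid}).encode()).decode()
    return body + "." + _mac(body)


def hardened_role(cookies: Dict[str, str]) -> Optional[str]:
    """Hardened pattern: verify the cookie's MAC, then look the role up server-side.

    Returns None (treat as logged out) for a missing, malformed or edited cookie.
    """
    body, _, mac = cookies.get("session", "").rpartition(".")
    if not body or not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return None
    try:
        sid = json.loads(base64.urlsafe_b64decode(body.encode()))["sid"]
    except (ValueError, KeyError, TypeError):
        return None
    session = SESSIONS.get(sid)
    return session["role"] if session else None


def tamper(token: str, **changes: str) -> str:
    """What an attacker does in a Web proxy: edit the payload, keep the old MAC."""
    body, _, mac = token.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    payload.update(changes)
    new_body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return new_body + "." + mac
```

The signed identifier is the minimum; note that even a forged payload would gain nothing here, because the role never leaves the server. Rotating the session id at login and marking the cookie HttpOnly and Secure are the usual complements.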
4. Web server configuration weaknesses: The final big Web security flaw I find goes beyond Layer 7, down to the actual server and application configurations. I often find weak OS passwords, missing patches, ports open to poorly-configured Internet services such as FTP, and so on. If you don't have a good foundation at the OS and application levels, you can't expect to have a secure Web site or application.

In order to find the flaws beyond the application layer you need to use more generic OS/network vulnerability scanners such as QualysGuard (http://www.qualys.com/) and NeXpose (http://www.rapid7.com/). Simply run the scans, see what they find, and plug the holes. It's typically a matter of reconfiguring software, installing newer versions of Web and application servers, and hardening the OS. It won't cost you a dime beyond the time involved, but the payoff will be grand.

The interesting gotcha with these weaknesses is that, in many situations, there's nothing in place to actually detect them. The bad guys come in, do their thing, and sometime down the road you may find out there was a Web security breach.
Approach Web security from a proactive risk perspective rather than a reactive "we have to pass our compliance audit so we need to lock things down" perspective. Model your application threats, use good Web vulnerability scanners, and look at your (mis)use cases by thinking like the bad guys and how they can exploit these weaknesses in your specific environment. By approaching Web security this way you'll not only identify and prevent the most common attacks, but you'll also find what matters the most to your business and your customers.
Finding cross-site scripting (XSS) application flaws checklist

CROSS-SITE SCRIPTING (XSS) is like weak passwords: the problem is widespread; the solution is relatively simple; and yet the issue appears to be getting worse.

I remember when XSS was this mysterious Web flaw that no one could really explain. We knew it was something bad but it was hard to put a finger on it. A decade later, XSS plagues the Internet. Everything from basic Web sites to social media systems to e-commerce applications seems to have XSS flaws in some form. Numerous studies have shown that XSS makes up the majority of Internet-related vulnerabilities.

Over the past year, I've found XSS in all but about five percent of the Web sites and applications I've tested. This is a big deal when you factor in the ease of accessibility and exploitation, especially via phishing-related attacks.

Here's what you can do right now to seek out and ultimately eliminate XSS vulnerabilities in your environment.

• Understand the vulnerability so you'll know what you're up against and what to look for. As with weak passwords, XSS is pretty basic: the application echoes attacker-supplied input into a page without encoding it, so the victim's browser runs that input as if it were part of the site.

• Assemble your toolset. XSS is something that can turn up on any Web form or input area on your site or application. It's unreasonable to assume you're going to be able to find all of the input areas and throw every possible iteration of XSS at them by hand. You have to have a good Web vulnerability scanner such as HP's WebInspect or Acunetix Web Vulnerability Scanner, just to name a couple. Based on my experience, you're not going to find many XSS flaws, if any, if you're not using a dedicated Web vulnerability scanner and are just using a more generic vulnerability scanner that touts Web capabilities, often in the name of PCI DSS scans.
• Scan your systems as an untrusted outsider. I see a lot of XSS in Web applications behind authentication mechanisms. This no doubt highlights input validation issues, but it's less of a concern given that the required login can stop the automated aspect of XSS attacks. Bear in mind, though, that a reflected XSS behind a login still works against any user who is already logged in and clicks a crafted link. And the picture is changing further due to the emergence of persistent (stored) XSS: malicious code that's stored in a database and served back to other users via rich Internet applications.

• Test every public-facing system, whether or not it's critical. The essence of XSS is not necessarily tied to the importance or value of the system. It's the fact that you're enabling the bad guys to exploit a flaw in your environment to take advantage of an unsuspecting user or third party, in the same way spammers take advantage of random open SMTP relays to indirectly carry out their misdeeds against others.

• Don't focus solely on JavaScript. I'm starting to see more VBScript- and Flash-induced XSS. It's pretty rare, but I suspect that'll change as applications become more complex. Make sure you're scanning all parts of your site and/or application with a tool that can uncover all XSS regardless of the language that's facilitating it.

• If you've thoroughly scanned your entire site/application and nothing's turning up, you can check for XSS manually by entering the following into form fields: <script>alert('XSS!')</script> It's really basic and not guaranteed, but I have found XSS that Web vulnerability scanners have missed by using this technique. If the response comes back containing that string unencoded, or the alert box pops, the input is being reflected without output encoding.

The good news is that XSS often doesn't place sensitive back-office information at risk. It's more of a risk to your users and to unsuspecting third parties on the client side; but it could ultimately lead to theft of login credentials and session information, which creates an entirely new dilemma for your business. Given the simple solutions, it's still not a risk worth taking.
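The manual probe in the last checklist item can be turned into a small, repeatable check. This is an added example, not code from the ebook: two constructed page templates stand in for a search page that echoes a query parameter, once without output encoding and once with `html.escape`, and `surviving_probes` reports which probes come back verbatim. The probe strings and the templates are assumptions; the point they illustrate is that the same input must be probed in every output context it lands in, because an attribute context needs a different payload than the page body.

```python
import html
from typing import Callable, Dict, List

# Probes for the two most common reflection contexts. The first is the manual
# check from the checklist; the second breaks out of a quoted attribute value.
PROBES: Dict[str, str] = {
    "html-body": "<script>alert('XSS!')</script>",
    "attribute": "\" onmouseover=\"alert('XSS!')",
}


def vulnerable_page(q: str) -> str:
    """Constructed template that echoes the parameter with no output encoding."""
    return '<h1>Results for %s</h1><input name="q" value="%s">' % (q, q)


def hardened_page(q: str) -> str:
    """Same template with HTML entity encoding applied at output time.

    quote=True is what makes the attribute context safe: it encodes the double
    quote so the probe cannot close the value="" it was inserted into.
    """
    safe = html.escape(q, quote=True)
    return '<h1>Results for %s</h1><input name="q" value="%s">' % (safe, safe)


def surviving_probes(render: Callable[[str], str]) -> List[str]:
    """Submit each probe to the page and report those echoed back unencoded."""
    return [name for name, probe in PROBES.items() if probe in render(probe)]
```

A surviving probe means the input is reflected without encoding; confirm it in a browser before calling it exploitable. Entity encoding is the right fix for HTML body and attribute contexts only; input that lands inside a `<script>` block or a URL needs the encoder for that context instead.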
CHAPTER 4: HACKING YOUR OWN APPLICATIONS

Introduction: Hacking your own applications

OF ALL THE ways to improve security, there's nothing better than using hacking tools and techniques to bring out the worst in your Web applications. Not audits, not source code analysis, and not even vulnerability scans, but instead ethical hacking. Approaching Web security with a malicious mindset is the tried and true way of finding all the security flaws that count in your environment. It essentially guarantees that you'll take your Web application security to the next level and beyond, if you do it the right way.

The key to successful hacking is the right mindset: a malicious mindset. You have to be able to think of ways to exploit weaknesses in the system that the average person might not be thinking about. Things like:

• Removing maximum field lengths for form inputs to see how the application reacts.
• Manipulating URL variables to gain access to other accounts.
• Looking at a shared computer's Web browser history file for HTTP GET requests that carry login credentials in the query string.
• Tampering with cookies used for session management in order to escalate your privileges.
• Trying default or common user IDs and passwords when logging in.
• Gaining access to the administrative portion of an application and erasing audit log files that track user logins and changes.

The possibilities are endless. My point is that the bad guys on the Internet and inside your organization are thinking maliciously, and you have to do the same if you're going to defend against them.
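Two of the manipulations in the list above, removing a form field's maximum length and changing an account identifier in a URL, can be checked against a tiny constructed handler. This is an added example, not from the ebook: `vulnerable_view` returns whatever account the `id` parameter names, which is exactly what an attacker hopes for when editing the URL; `hardened_view` checks ownership server-side; and `validate_note` enforces the length limit that the browser's maxlength attribute only suggests. The account records, user names and 200-character limit are constructed for illustration.

```python
from typing import Dict, Optional

# Constructed account records; the id is what appears in the URL as ?id=1002.
ACCOUNTS: Dict[int, Dict[str, object]] = {
    1001: {"owner": "alice", "balance": 1500},
    1002: {"owner": "bob", "balance": 42},
}
MAX_NOTE_LEN = 200  # the form's maxlength, which a user can delete in the browser


def vulnerable_view(current_user: str, params: Dict[str, str]) -> Optional[dict]:
    """Trusts the URL: any logged-in user sees any account by changing id."""
    return ACCOUNTS.get(int(params["id"]))


def hardened_view(current_user: str, params: Dict[str, str]) -> Optional[dict]:
    """Looks the account up, then checks that the caller owns it.

    A foreign or unknown id gets the same None as a malformed one, so the
    response does not help an attacker enumerate which ids exist.
    """
    try:
        account = ACCOUNTS.get(int(params.get("id", "")))
    except ValueError:
        return None
    if account is None or account["owner"] != current_user:
        return None
    return account


def validate_note(note: str) -> Optional[str]:
    """Server-side length check; returns an error string or None if acceptable."""
    if len(note) > MAX_NOTE_LEN:
        return "note exceeds %d characters" % MAX_NOTE_LEN
    return None
```

The ownership check belongs next to the lookup, not in the page that builds the link, because the link is the part the attacker rewrites.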
Once you establish the mindset you can proceed with the ethical hacking process. It's actually pretty simple to understand and follow. It requires the following:

1. Get the key players on board and ensure everyone's expectations are set. The last thing you want to do is start down the path of ethical hacking without the approval and buy-in of management. It's virtually guaranteed you'll lose support or not be able to effect any changes if you do.

2. Inventory all of your Web systems. You'll know the obvious ones, but it's often those obscure and forgotten-about systems deep inside your network that create considerable risks. Talk to the different system managers to determine what's where. To validate your findings and uncover others that people have forgotten about, I suggest running a port scan to search for common Web ports (TCP 80, 443, and 8080) at a minimum. Certain Web vulnerability scanners have discovery tools built in as well.

3. Build your toolset to include, at a minimum, an OS/network vulnerability scanner, a Web vulnerability scanner, a Web proxy, and a browser manipulation tool such as Firefox Web Developer (http://chrispederick.com/work/web-developer). I've also come to rely on multiple Web vulnerability scanners, the Brutus password cracking tool (http://www.hoobie.net/brutus), a hex editor, and even some of the tools inside the BackTrack toolset (http://forums.remote-exploit.org/). The quality of the tools will determine the outcome of your hacking efforts.

4. Run your automated vulnerability scans. Check the OS and network levels in addition to the application layer. Use multiple scanners when possible and be sure to test as both an untrusted outsider and as trusted users at all role levels. An important note related to authenticated scanning: make sure your Web vulnerability scanner actually authenticates into the application. I've seen login and startup macros fail more often than not. It appears that the scanner logged in, but it actually did not, which creates a false sense of completion and security. A quick check is to confirm that the scan's request log contains pages only reachable after login, rather than repeated redirects back to the login form.

5. Perform your manual analysis. This is where the true art of ethical hacking comes into play. You'll take what your vulnerability scanners found, validate their results, and then dig further into the areas the scanners discovered as well as other areas that scanners don't understand: things like I mentioned above regarding the login mechanism, session management, passwords, URL manipulation, and so on. As with your automated scans, do your manual analysis as an untrusted outsider as well as trusted users at all role levels. If your automated scanning took one or two days to complete, this phase of your testing can easily take twice that.
6. Once you're done (which can be tricky to determine, since you could conceivably go on forever) you have to focus on what's urgent and important. In other words, focus on those Web vulnerabilities that are exploitable or potentially exploitable on the sites and applications that matter. For example, you might find cross-site scripting on a test application located on the QA network, which would likely be a low priority. On the other hand, you may find SQL injection on your main Web portal, which needs attention immediately.

Once you've completed your testing efforts and remediated the vulnerabilities that matter to your business, it'll probably be time to start the process over again. I often see a lack of follow-through at this stage of the game, which effectively negates any benefit you've gotten out of your efforts. Think ethical, malicious, and consistent; that's the type of hacking you want to do.
Hack maliciously to boost your software's security

EVERYONE CLAIMS TO know the right way to go about testing the security of Web applications. "Perform an external scan," the auditors recommend. "Just use our vulnerability scanner," the vendors proclaim. "Do a peer review of the source code," the quality assurance (QA) analysts declare. And then there are the government, industry regulatory, and standards bodies who believe they know what it takes to secure an app. Regardless, it's their way or the highway. Ha!

With everything else being equal, unrelenting and almost aggressive malicious attacks are the absolute best way of uncovering Web security holes. In this tip, we'll cover why you must literally go through your Web systems and throw everything you possibly can at them. This tip will get you started on using malicious manipulation to boost security. In forthcoming tips, I'll show how to do malicious hacking in various software development and testing scenarios.

There's so much information available for uncovering Web application flaws, but there's no good place to start. So how can you, the security admin, developer or IT manager, filter through the noise and distill exactly what needs to be done to find the Web flaws that count? Let me be clear, it's simple: there is no one best way to go about it. As lawyers and consultants like to say, it all depends. It depends on the type of business you're in and the regulations you fall under. It also depends on what type of Web presence you have and how sensitive information is processed, stored or otherwise passed through your system. It depends on how much management supports your efforts and, frankly, how much money you have to spend.

Every organization and every Web application is different. Ironically, this is one of the things that management
misunderstands the most. Web security testing is not a black-and-white science. It's just as much an art, and one that requires good tools and creativity, along with a confident security assessor.

Choosing the one thing that stands out as being the most important for uncovering the obvious and not-so-obvious Web vulnerabilities is pretty easy. Some of this requires Web vulnerability scanning tools like WebInspect, Acunetix WVS and N-Stalker. No matter how good you are with Web apps and security, there's still no replacing the requests that tools such as these can throw at an application. They can mimic hack attacks like no human possibly could.

Don't let me steer you in the wrong direction though. Based on my experience testing Web applications over the years, the ability to poke, prod, and control an application with ill-gotten gains in mind is the key to making things happen. It's required if you're going to find the flaws that really matter. At the heart of this is manipulation, which is often a matter of just the right poking and prodding to see how much the application trusts you and what it spits back.

This will rarely require special "hax0r skillz." It's merely a matter of understanding the basic operation of Web applications and thinking of creative ways to hack and throw just the right jabs to force them into submission.

Many, many times I've tested Web applications with automated scanners, only to realize I wasn't even halfway home. Beyond the scanning phase, I've seen situations such as creative URL manipulation, weak passwords or sensitive files stored in download folders that have turned two- to three-day Web security reviews into week-long-plus analyses bordering on data breach situations. All because of some basic hacking (manipulation) of these applications that would've gone undiscovered otherwise.

I can't stress enough the value of in-depth ethical hacking of your Web applications. There's no replacement for manual manipulation; just you and your Web browser. Get past the one-scan-fits-all mindset. It's dangerous and it'll come back and bite you if you rely on just the basics to get by.
CHAPTER 5: OVERVIEW OF BEST PRACTICE TIPS AND CHECKLISTS

Introduction: Security best practices for today's Web applications

THE MATURITY OF today's Web applications is both a blessing and a curse. On the positive side, we're now able to do things with dynamic Web applications that seemed impossible in the static world of just a few years ago. On the negative side, we're now seeing Web application complexities introduce security vulnerabilities beyond our imagination. It's becoming increasingly difficult for information security professionals, developers, and quality assurance analysts to get their arms around these issues.

What can you do to minimize security risks with rich Internet applications and in the cloud? It takes a reasonable and well-thought-out approach to do it right. Figure 1 shows, in a nutshell, what you have to do. Like any other ongoing business process, these are things you have to do on a periodic and consistent basis. Let's look at each of these areas more closely.

Figure 1: The proper approach to Web application security

1. Obtain buy-in: If you don't have the ear of the people who count, then
you'll be fighting a losing battle trying to secure your applications. Most importantly, you have to get management on board. If the people approving the budgets and writing the checks don't understand why application security is a business concern, then everything is for nothing. Without monetary, human resource, cultural, and political support from the powers that be, you might as well just rely on passwords and SSL to get you through (hint: that's not a good long-term solution).

You may even need to get user buy-in, especially when it comes to security controls requiring business process changes and potential usability issues. Also, depending on which side you're on (information security, development, or QA) you'll need to get your colleagues on board. Making sure everyone is on the same page, working toward the same goals, should be your main goal.

2. Choose your tools: Just like you wouldn't use inferior programming languages or IDEs to develop your applications, you can't afford not to have good security testing tools. Having the right Web security tools, such as vulnerability scanners, proxies, and source code analyzers, will make or break your Web application security efforts. (See "Security Testing Tools" for a list of tool options.)

SECURITY TESTING TOOLS

There are tons of options available, but the following are ones that I've found to work well.

Web vulnerability scanners
• Acunetix Web Vulnerability Scanner (http://www.acunetix.com/)
• N-Stalker (http://www.nstalker.com/)
• NTOSpider (http://www.ntobjectives.com/)
• WebInspect (https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__)

Web proxies
• Burp Proxy (http://portswigger.net/proxy)
• Paros Proxy (http://www.parosproxy.org/download.shtml)
• WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)

Source code analyzers
• Checkmarx (http://www.checkmarx.com/)
• SecurityReview (http://www.veracode.com/)

Don't rule out open source tools, especially the Web proxies I list above, but know that, by and large, you're going to get what you pay for.

3. Run automated scans: Web vulnerability scanners are absolutely essential for finding both the low-hanging fruit as well as the complex input validation flaws, such as XSS and SQL
injection, that would otherwise be impossible to uncover. Just know that you have to run the scanners often, and multiple scanners are usually required to find everything that matters.

4. Perform a manual analysis: Automated scanners can only find so much. A sharp human eye and manipulative ethical hacking techniques are essential for finding all the other flaws that vulnerability scanners aren't smart enough to detect. Look for things like login mechanism weaknesses, application logic problems and privilege escalation via session manipulation.

5. Check source code: Once you've completed your vulnerability scanning and manual analysis, a nice way to wrap things up is to look at the actual source code. Some analyzers look at raw source code while others perform binary analysis that mimics real-world execution. Both are very good at finding things that you'd be hard-pressed to find otherwise.

6. Fix what you've found: Once you find where the weaknesses are, take the necessary steps to plug the holes. Sadly, this step is often skipped or not done properly, and the application vulnerabilities live on. The only way you're going to produce better code, and thus more secure Web applications, is to learn from your mistakes and continually improve.

7. Report to your stakeholders: Keeping management, auditors, regulators, customers, and business partners in the loop on what you're doing, finding, and improving upon is a great way to get continued support for application security. It's also a great way to help create a competitive advantage for your business. People are going to ask "How secure is the application?" anyway, so it doesn't hurt to be proactive and be able to provide the current security status when the time comes.

Complexity introduces weakness and oversight which, in turn, create security risks: all things we can't afford to take on in business today. Finding and fixing Web application flaws is becoming more difficult, but it's not an insurmountable problem. If you approach it in a mature and methodical way you can find the issues that matter and move on. The method I discuss above has been proven successful time and again. Be it for best practice or compliance, it's simply a matter of choice.
Rich Internet applications security testing checklist

WITH WEB 2.0 technologies like Ajax, Flash and Web services being all the rage, rich Internet applications (RIAs) are popping up everywhere. More developers are creating rich apps in-house and integrating such third-party code into existing environments. However you slice it, RIAs and Web 2.0 technologies cannot be ignored.

Likewise, we can't ignore the slew of security flaws RIAs tend to introduce. Rich Internet applications not only place more control into the user's hands, they also broaden the attack surface and open previously non-existent entry points into networks.

The big thing with rich Internet applications is that you can't just scan 'em and forget 'em. Current scanning technologies for penetration testing and code analysis are still pretty limited relative to the complexity of these applications. But don't worry! You can still check for the security holes that matter, and a few more to boot, if you approach your Web 2.0 code and technologies from all the right angles. In this checklist, you can find out what you can do to find and eliminate security flaws from your rich Internet applications.

• Understand the scope of the vulnerabilities rich Internet applications present. They're similar to common Web vulnerabilities but often have their own twist. Common rich Internet application flaws include XSS, SQL injection, embedded passwords in media files, as well as easily-manipulated client-side variables and exposed business logic.

• Gather good tools. There are numerous free and commercial options. Among my favorite freebies are the following:

  - Firefox Web Developer is a Firefox plugin for manual manipulation of client-side code.
I SWFScan is a tool for decom-
piling/analyzing Shockwave
Flash (.swf) files.
I WSFuzzer is a tool for perform-
ing fuzzing of SOAP Web
services.
I My favorite commercial tools are
HPs Acunetix Web Vulnerability
Scanner. These are all-in-one Web
vulnerability scanners that include
specific tools for further manual
analysis. Plus theyre well-main-tained so you know youre going
to be scanning for the latest and
greatest Web 2.0 flaws.
• Scan your systems as an untrusted outsider as well as a trusted user. That said, you have to understand that your scans may not find each and every flaw when you set them on auto-pilot. If possible, set your scanner to "manual crawl" mode and step through the application yourself, clicking on every link and submitting every form. This will allow your scanner to find parts of the application it'd never be able to find otherwise. The manual crawl process can take a while in complicated applications, but it's the only reasonable way to get your Web vulnerability scanner(s) to find what matters.
• Use multiple Web vulnerability scanners if you can. I often find vulnerabilities using a second scanner that the first one completely missed. This is especially true for rich Internet applications. I've also found that using a higher-level vulnerability scanner such as QualysGuard or Nessus can often find server and application weaknesses that dedicated Web scanners don't know about.
• Scan your Web services. They're easy to configure and forget, but XML-based Web services can be one of your greatest Web security weaknesses. There's something for everyone, ranging from XPath injection to SQL injection to command execution to password cracking. Tools such as WebInspect, Acunetix and others can scan for specific Web services flaws, and I highly encourage you to do those scans.
• Scan your Flash, using SWFScan, and other media files, using Web and general network vulnerability scanners. Even your local antivirus software can highlight security flaws in these files when you download or run them. I've seen and heard about all sorts of security flaws related to rich media. Everything from embedded encryption keys to business logic to malware can turn up in these files, so be sure to include them in the scope of your testing.
• Check for other common flaws that affect all Web applications
regardless of the technologies being used. This includes weak passwords, lack of intruder lockout (which facilitates password cracking), weak authentication mechanisms (especially home-grown multi-factor systems), form manipulation, URL tampering and sensitive files stored unprotected on the server.
Working through each of these steps, and ensuring the issues are remediated, will bring you that much closer to reasonable security in your rich Internet applications. Perhaps most importantly, never let your guard down. The security issues surrounding rich Internet applications are only going to become more complex. Getting your arms around the issues that matter now will allow you to scale your efforts as your applications continue to grow.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. With over 20 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
ADDITIONAL RESOURCES FOR CHAPTER 5
• Mobile, Web app QA testing tips for handling operating system changes
  http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1365856,00.html
• Web server weaknesses you don't want to overlook
  http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1376087,00.html
• Free Web proxy security tools software testers should get to know
  http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1374033,00.html
RESOURCES FROM OUR SPONSOR
• Extended Validation: the New Standard in SSL Security
  https://www.thawte.com/ssl/extended-validation-ssl-certificates/index.html
• Sign your Code and Content for Secure Distribution Online
  http://www.thawte.com/code-signing/index.html
• Get a Free SSL Trial Certificate from Thawte
  https://www.thawte.com/leadgen.html?a=o29520423617049007
About Thawte: As a leading global certificate authority, Thawte provides online security trusted by millions around the world. Expert multilingual support, robust authentication practices, and easy online management make Thawte the best value for SSL certificates and code signing certificates. In 2004, Thawte became the first certificate authority to recognize and secure Internationalized Domain Names (IDNs), enabling more people to navigate the web securely in their own language. The Thawte Trusted Site Seal, available in 18 languages, helps users verify the identity of web sites in their own language. Because SSL is our core business, we constantly improve our products to deliver the tools and features our customers want and need. Our data centers and disaster recovery sites provide unsurpassed customer data protection. (http://www.thawte.com/)