beating web application security threats

Upload: mabotta

Post on 03-Apr-2018


TRANSCRIPT

  • 7/28/2019 Beating Web Application Security Threats

The rapid increase in usage, development and complexity of Web applications has created new opportunities for companies that employ them and hackers who attack them. This handbook delivers up-to-date information on security threats to Web 2.0 and rich Internet applications and expert advice on how to avoid those threats. BY KEVIN BEAVER

BEATING WEB APPLICATION SECURITY THREATS

CHAPTER 1: New Web application security challenges
CHAPTER 2: Assessing your Web application security
CHAPTER 3: Beating common Web security attacks
CHAPTER 4: Hacking your own applications
CHAPTER 5: Overview of best practice tips and checklists

BEATING WEB APPLICATION SECURITY THREATS: A SEARCHSOFTWAREQUALITY EBOOK

CHAPTER 1: NEW WEB APPLICATION SECURITY CHALLENGES

Introduction: New Web application security challenges

IT'S A GREAT time to be a software professional. Whether you develop code or try to break it, we've never had such great opportunities to work with so many dynamic technologies. From in-house development of Web 2.0 applications using ASP.NET to ISVs developing the next big thing for the cloud using Java, we've advanced quite a bit from the more simplistic days of BASIC, FORTRAN, and COBOL. With this advancement comes complexity though. And, as we're finding out, complexity is the enemy of security.

There are numerous aspects of complexity in today's software development lifecycles beyond the codebase itself, as shown in Figure 1 (page 3), all of which create unique application security challenges. It's easy to get so caught up in work that we fail to see these things as creating barriers to the software development lifecycle, and ultimately, security. Let me elaborate on each item.

Politics: People issues are at the root of many, if not most, application security problems. For every good idea to help improve application security, there's usually someone there to strike it down. Managers and executives, in particular, are notorious for getting in the way of security and information risk management. It's the ultimate irony given their fiduciary responsibilities, but if you can work around it you'll be able to do wonders for the development and QA processes. I suggest you check out these various articles I've written for getting management on your side.

Time management: Going beyond the people hurdles we have to turn to ourselves and how we manage our time. One thing's for sure in IT: how you manage your time will make you or break you depending on your approach to the subject. There are so many factors affecting application security in your work (design, development, QA, deployment, maintenance, and monitoring) that you have to set specific goals and boundaries to ensure everything is done properly and you end up with higher quality applications. Learning and eventually mastering time management is a required skill. If there's anything you learn about time management, there are two things you must not forget:

1. Just because someone throws you a ball doesn't mean you have to catch it (a tip from the late Richard Carlson).

2. Continually ask yourself if what you're doing right now is the best use of your time and, if not, move on to something productive.

Professional development: Another personal aspect of the application security complexity equation is how you keep up with the latest technologies and security challenges. I studied and used Assembler, Pascal, and C intensely in college and for a couple of years after that. Although that was a time before application security was on our radar, I thought I knew all there was to know about programming and QA.

Looking back on that now, if I assumed that was all I'd ever need to know in order to excel in application security I'd be fooling myself. Sure, those early days of my career built an excellent foundation. But the reality is there's so much more to learn and know, especially with the numerous development and OS platforms you're required to work with and all the security threats we're up against.

In my security assessment work I've yet to interview a developer who consistently attends development or security classes, seminars, or conferences. Don't be those people. I'm convinced that even though you live and breathe this stuff every day at work, continuous learning is an absolute necessity for not only keeping up, but succeeding in this field.

Figure 1: Complexities affecting Web application security

Links referenced in this section: http://www.principlelogic.com/careers.html and http://securityonwheels.blogspot.com/search/label/time%20management

Attack vectors: Not too long ago all there was to worry about regarding application security was who had access to the dumb terminals and whether the users knew their passwords. My have things changed! From multiple Web browsers to mobile users to malware, applications are being attacked from every angle. And SSL and strong passwords are no longer the minimum necessary controls. You have to consider input validation, application logic, session management, and so much more. There's literally an infinite number of ways to exploit any number of vulnerabilities in any given application. It's just a matter of time and effort, both of which the bad guys tend to have a lot of.

Compliance requirements: No longer are you just a developer or QA professional who can focus only on the code itself. Today applications have to be compliant with numerous regulations such as PCI DSS, HIPAA, GLBA, and Sarbanes-Oxley. If you haven't experienced it already, you'll no doubt be pulled into security and compliance meetings to discuss how your software meets the specific requirements of these regulations. We're not just talking about how your applications handle access controls and authentication either. There's audit logging, separation of duties, patch maintenance, system monitoring, and even certain tie-ins with disaster recovery, business continuity, and security incident response. It pays to learn more about compliance these days. The good news is, under the covers, it's all the same stuff: simply information security best practices stated in different ways.

Customer and business partner demands: Compliance requirements have likely already sparked conversations with customers and business partners. If not, you'll likely be involved in discussions related to the question "How do we know your application is secure?" A majority of the Web application security assessments I do involve this very thing: Company A is requiring an independent third-party review of Company B's application. SAS 70 audits of a data center won't cut it. Neither will internal assessments or basic security scans. I've heard that customer and business partner inquiries such as this are one of the most time-consuming aspects of application security. However, it's part of doing business so you might as well come up with some processes, such as standardized answers to security questionnaires and periodic security reviews, that you can pull out when needed to help minimize the pain.

The important thing is to acknowledge what you're up against. Choosing to ignore these issues will only serve to create more frustration and additional stumbling blocks.

The lowdown on PCI compliance

Do your homework before buying into companies that tout PCI compliance.

I DON'T KNOW about you but I'm getting kind of tired of hearing about PCI DSS. Yes, an information security consultant who earns his living, in part, off of compliance is saying he's tired of a big component of the compliance equation. Let me elaborate.

I'm really just tired of two things. First, all the marketing hype the vendors are putting out there about how their products are going to magically make you compliant with PCI DSS. Secondly, all the differing opinions about what it takes to be compliant with this regulation are getting old too. There are books, whitepapers, seminars, scanning services, you name it. If you need to comply with PCI DSS there's a self-proclaimed expert on every corner out there who wants to help.

Since you're reading this, PCI DSS probably affects you and your business in some way. As with many organizations, it's likely in the context of Web security. Well, if so, you're in luck. Here's the lowdown on what PCI DSS is all about. First off, there's this security scan requirement in PCI DSS that everything seems to be revolving around. In doing security scans myself I'm here to tell you that security scans aren't everything. I can't tell you how many businesses I come across that vouch they're secure or compliant just because they've had some PCI-certified scanning vendor run a quick scan and tell them everything's OK. It's not that simple. I've used some of these very tools that the vendors are saying will find vulnerabilities in your applications and point out where you're out of compliance with PCI. I've seen them not find any flaws at all while, at the same time, another vendor's tool uncovers cross-site scripting, SQL injection, and so on. Do your homework before buying into companies that tout Web scans for PCI compliance. If you show me a Web application out there that doesn't have any vulnerabilities I'll show you an application that hasn't been tested in the right ways.

Relying on scans alone is one thing. Hiring a PCI Qualified Security Assessor (QSA) is something else. You'd think they'd find everything that counts but it's not that simple. Information systems, especially Web applications, can be extremely complex and even the best QSAs out there may not uncover everything that matters. Just ask Heartland Payment Systems. This is especially true if the people doing the assessments are just out of grad school and don't have a good mix of skills to know what to look for.

Another thing is that you're probably not going to have PCI police knocking on your door. No one's going to jail over failing to comply with PCI DSS. After all it's an industry regulation, not a law. That said, all it takes is one breach of your payment-related systems to get your business in a real bind. A business that loses credit card processing privileges in today's world is destined to take a big hit.

Finally, PCI DSS is nothing more than a set of solid information security practices bundled up in a neat little package that's being pushed as yet another separate component of compliance you have to deal with. Don't fall for this. You shouldn't focus on PCI DSS in a standalone fashion if your business falls under the scope of other regulations such as HIPAA, GLBA, SOX, and so on. Odds are it does. Work with your compliance officer, or if you're like many other IT professionals and you are the compliance officer, try to get a handle on what other regulations your business is up against and focus on information security as a whole. This will allow you to touch on all of the important areas (risk assessment, policies and controls, visibility, automation, and so on) so you can kill two, or three, or four birds with one stone rather than addressing each regulation on its own. This is all the same stuff, folks.

Getting your compliance priorities in order is absolutely necessary. Just don't pour all your energy and money into security for the sake of compliance. Even though PCI DSS is a regulation with explicit requirements, you have to temper it with some good old-fashioned common sense, for that's the stuff smart security consists of.

Link referenced in this section: http://www.2008breach.com/
CHAPTER 2: ASSESSING YOUR WEB APPLICATION SECURITY

Introduction: Assessing your Web application security

THERE'S SOMETHING interesting about application security. We can find the technical flaws and even have the means to fix them, but it seems like the organizational and people side of the equation gets in the way every time without fail. When it comes to locking down your Web applications, you've got to go beyond the bits and bytes and take process and politics into account as well. If you don't you'll spin your wheels indefinitely until you move on to another organization, where you'll likely find the same roadblocks if nothing is done about it.

Web security is as much about culture and leadership from above as it is how good of a developer or QA analyst you are. We often face challenges that fly in the face of doing what really needs to be done in order to achieve reasonable Web application security, such as:

- Getting the ear of management and users to help support your Web security initiatives.
- Establishing information security standards and policies that customers expect.
- Getting the funding to do Web security testing the right way.
- Having the means to actually do something with the results of your testing.
- Maintaining the momentum to ensure application security is ingrained into daily business.

These issues are not unique to any one type of business or industry. Everyone faces them. It's how you position yourself, establish your credibility, and make your case that will determine whether or not you can make things happen.

One thing to keep in mind when going through the Web application security process is that you don't have to drain the ocean all at once. Simply getting the process started and slowly integrating security into your processes is the best way to go about it.

Furthermore, you'll want to have goals. You have to define where it is you want to go so you'll know when you've arrived. Just don't forget that security is never an end result, but rather a set of processes and good habits practiced time and again. That said, lowering the number of security flaws is an end result. And so is performing consistent security checks. Set your sights on the right areas and you can move forward with ease.

There are several key factors that will help make effective Web application security, and overall information security, a reality in your business. The proven process for minimizing information risks is shown in Figure 1.

Figure 1: The minimum ingredients necessary for Web application security success

Even with these recommendations many people are still too busy for Web application security. Or, they don't know where to start. There are numerous Web security standards such as the OWASP Top 10 (especially the forthcoming risk-based 2010 version) and the SANS Top 25 that can help you get the ball rolling, at least on what to look for.

Beyond the OWASP and SANS lists you can turn to a standard such as ISO/IEC 27002:2005. Its higher level information security principles can be applied directly to Web application security. From security policies to incident response to business continuity and beyond, the 27002 framework shows you everything you need to be successful at Web application security. It's all a matter of making the choice to do it and then taking the time to do it right.

I strongly believe that you don't need to recreate the wheel, especially when you have so many proven information security resources at your disposal. If you're too busy to start from ground zero you can still keep it simple by utilizing standards and frameworks that other people have developed to have all you need.

In the end, stay focused on the right areas. Organizational issues such as policies, procedures, and politics play a significant role in Web application security. Get into the right mindset and approach Web application security like any other system or business function, then stay on top of it. You can't go wrong.
10 steps to acing Web app security assessments

Here are 10 best practices for planning a Web security assessment project. You can't afford to skip these steps.

ACTION WITHOUT PLANNING is the reason for every failure. Those words from success expert Brian Tracy ring true in so many of the Web security assessment projects I've both witnessed and been involved in.

Time management experts say that one minute of planning saves us five minutes in execution. That's a 500% return on our time. This sounds too good to be true, but it's not. I'll give an example of this practice in action in this tip. Then, I'll lay out 10 best practices for successfully assessing applications' Web security.

A software project leader just told me a related story, in which she detailed how much time she and her team spend on planning IT and security-related projects before they ever do a thing. She said this planning not only helps get management buy-in and helps set everyone's expectations going in, but it also really makes a positive difference in the outcome of their projects. This thoughtful planning showed in their security assessment results.

If you're truly willing to fight the urge for instant gratification and instead put the time in up front to plan things out, it's virtually guaranteed that your Web security assessment projects will run smoothly, uncover the things that matter, and finish on schedule to boot.

Whether you'll be doing the testing on your own or hiring an outside expert, you must diligently plan things out and get all the right people on the same page. Here are 10 best practices for planning a Web security assessment project. I've learned over the years that you can't afford to skip these steps.

1. Who is this project going to affect (before, during, and after) and can we get them in on the planning phase? Many people such as developers, marketing, and DBAs are often overlooked but need to be included.

2. What compliance-related laws and regulations are applicable here? Are we overlooking any requirements in that area? PCI DSS is the obvious one here but there are many others including HIPAA, GLBA, and even SOX.

3. Are we going to look at the system as an untrusted outsider, a trusted user, or both? Management may trust users of the system, which is a dangerous way of doing business. Even worse are the vulnerabilities a trusted user could exploit that you may overlook by not doing authenticated testing.

4. Will a simple vulnerability scan suffice (i.e. for PCI DSS compliance) or do we also need to perform an in-depth manual analysis to uncover the other half of the vulnerabilities that scanners won't find? Including manual analysis using a malicious mindset is the only way to do it, if you want to do it right.

5. Is it going to be okay to let vulnerability scanners submit forms which could create database entries and potentially thousands of emails to multiple people? This is a side effect that's often discovered once it's too late. It's good to know going in so you can create preventative measures to block such data and emails or at least set expectations.

6. When can the automated scanning be done? Commercial vulnerability scanner tools, when used properly, can be tweaked to minimize the impact on your Internet connection and server environment.

7. How often are status updates going to be given? I've found it to be not only the courteous thing to do but also an important part of keeping people in the loop in these often complex projects.

8. Will an initial findings report be delivered to the key players before the final draft report is created? If so, when? Just be patient and try to hold off requesting a bulleted draft report with few details, screenshots, or specific URLs affected. This usually just serves to generate more questions and create more work for everyone involved.

9. Is everything in writing? For internally sourced projects, at least have a documented plan. For outsourced projects, a statement of work and a signed contract need to be in place without exception.

10. What's the exit strategy? In other words, what's going to happen once the assessment is complete and the report is delivered? This is where many projects fail. It is one thing to find the flaws and then deliver the report but quite another to actually act upon them to ensure the money and effort spent doesn't go to waste.

The hard part of all this is carving out the time up front before getting rolling with your Web security assessment projects. Management support is certainly a key component but it really comes down to self-discipline, which Elbert Hubbard once defined as the ability to make yourself do what you should do, when you should do it, whether you feel like it or not.

It's the little things that add up. Pay attention to these project details and any others specific to your business and you'll certainly come out on top.

ADDITIONAL RESOURCES FOR CHAPTER 2

- How to get management onboard with Web 2.0 security issues: http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1373696,00.html
- Web application security testing checklist: http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1247920,00.html
  • 7/28/2019 Beating Web Application Security Threats

    14/30

CHAPTER 3: BEATING COMMON WEB SECURITY ATTACKS

Introduction: Identifying and beating most common Web security attacks

You've likely heard of the Pareto Principle, a.k.a. the 80-20 rule, which says 80% of the effects come from 20% of the causes. We can easily apply the 80-20 rule to Web security: 80% of the risk comes from 20% of the flaws. In other words, the majority of the Web security risks stem from a small number of weaknesses, most of which we keep repeating over and over again.

There's a misperception by many, especially those in marketing and management, that Web exploits are these elaborate hacks carried out by highly technical attackers. In fact, it's quite the contrary. Most of the issues I see in my work, reinforced by the many "Top 10" Web security vulnerability lists, are simple, silly, and often stupid weaknesses that lead to serious consequences when exploited.

The following are the most common Web security attacks you need to be on the lookout for in your development and quality assurance processes, along with what you can do to minimize the risks:

1. Lack of input validation: Everyone knows that not sanitizing user input to filter JavaScript, SQL commands, and so on is a no-no, but this has got to be one of the biggest problems on the Web. Be it cross-site scripting or SQL injection, the ramifications of not validating input on Web forms and URLs can lead to pretty serious consequences.

I've found that you absolutely have to use a good Web vulnerability scanner such as WebInspect or Acunetix Web Vulnerability Scanner in order to find input validation flaws. There are just too many entry points and iterations to test an entire website or application manually. But it's not just the tools; it's using multiple tools wherever possible (they all find different things) and testing as authenticated users at different role levels as well. Authenticated cross-site scripting is more difficult to exploit, but this is the area where I find the most problems with SQL injection. Just because someone has login credentials into your application you can never assume their intent is good and they're always going to do the right thing.

Once you find the flaws, it's simply a matter of only accepting what's expected and nothing more.
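An added example (not code from the e-book) of what "only accepting what's expected" looks like for a login-name lookup: a string-built query sits beside a parameter-bound one and an allow-list check. The in-memory SQLite table, its two rows and the USERNAME_RE pattern are constructed for the demo.

```python
"""Added example (not from the e-book): 'only accept what's expected' for a
login-name lookup. A vulnerable string-built query sits beside a hardened
one. The in-memory SQLite table, its rows and USERNAME_RE are constructed."""
import re
import sqlite3

# Allow-list for a login name: letters, digits, dot, underscore; 3 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._]{3,32}")


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the real user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Before: the input is pasted into the SQL text, so it can change the
    query's meaning instead of just being compared as a value."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Parameter binding alone: the value travels separately from the SQL,
    so it is only ever compared as data and can never become syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_safe(conn, name):
    """Hardened: reject anything outside the allow-list first, then bind.
    The allow-list is what 'only accepting what's expected' means here; the
    binding keeps the query correct even if a later check slips."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username contains characters outside the allow-list")
    return lookup_bound(conn, name)


if __name__ == "__main__":
    db = open_sample_db()
    probe = "x' OR '1'='1"          # a value no real login name should ever carry
    print(lookup_vulnerable(db, "alice"))   # one row, as intended
    print(lookup_vulnerable(db, probe))     # every row: the WHERE clause was rewritten
    print(lookup_bound(db, probe))          # no rows: compared as a literal name
    try:
        lookup_safe(db, probe)
    except ValueError as err:
        print("rejected at the door:", err)
```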

2. Weak passwords: Another common sense flaw that I see all the time is weak passwords. Commercial Web vulnerability scanners do an okay job at finding weak passwords. There's also the freeware tool called Brutus that works just as well if not better for ferreting out weak passwords. However, finding weak passwords is time sensitive (and intensive) and highly dependent on the dictionary you use.

The problem with weak passwords is actually pretty simple to prevent. The reality is that if users have the option to create a weak password, they will. End of story. The solution is simple: don't give them that option. And ignore the complaining you'll undoubtedly hear from users and management when this change is made. It's for their own good. Furthermore, build in an intruder lockout mechanism just like our operating systems have that will lock the account after 5, 10, or 15 failed login attempts.

3. Weak login mechanisms: On a related note, entire Web login mechanisms are often vulnerable to attack. Be it hidden fields, cookies, or other session variables that are passed during the login process, there's often something that can be manipulated to escalate privileges or even bypass the login process. This goes for NTLM-based authentication, form-based authentication, and even sites with multi-factor authentication. Authentication logic that's easily manipulated by users is bad however you slice it.


Although a tougher problem to fix given that the issues are so unique, weak login mechanisms can be overcome. You just need to put on your hacker hat and perform some good manual analysis using a Web proxy tool and a session manipulation tool like the Firefox Web Developer plug-in and you're good to go. Find the flaws and then reverse engineer a fix.
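An added example (not code from the e-book) covering items 2 and 3 together: an intruder lockout counter that locks an account at a configurable number of failed attempts, and a tamper-evident session token shown next to the kind of trusted-cookie logic item 3 warns about. The thresholds, SECRET_KEY and the cookie layout are constructed for the demo.

```python
"""Added example (not from the e-book): an intruder lockout counter for
item 2 and a tamper-evident session token for item 3, next to the kind of
trusted-cookie logic item 3 warns about. The limits, SECRET_KEY and the
cookie layout are constructed for the demo."""
import hashlib
import hmac
import secrets
import time

LOCKOUT_THRESHOLD = 5                 # the e-book suggests 5, 10 or 15 attempts
LOCKOUT_SECONDS = 15 * 60
SECRET_KEY = b"demo-only-secret"      # assumption: held server-side, never sent to the client


class LoginGuard:
    """Counts failed logins per account and locks the account at the threshold."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_SECONDS, clock=time.time):
        self.threshold = threshold
        self.window = window
        self.clock = clock               # injectable so tests can freeze time
        self.failures = {}               # account -> consecutive failures
        self.locked_until = {}           # account -> unix time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        """Return True when this failure trips the lockout."""
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.threshold:
            self.locked_until[account] = self.clock() + self.window
            self.failures.pop(account, None)
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)


def read_session_weak(cookie):
    """Before: a cookie such as 'user=alice;role=user' that the server trusts
    verbatim, so the client can rewrite its own role."""
    fields = dict(part.split("=", 1) for part in cookie.split(";"))
    return fields.get("user"), fields.get("role")


def issue_session(user_id, role):
    """After: the server signs what it hands out. Changing the role field
    invalidates the tag because only the server knows SECRET_KEY."""
    payload = f"{user_id}|{role}|{secrets.token_hex(8)}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def read_session(token):
    """Return (user_id, role) only when the tag verifies; otherwise None."""
    try:
        user_id, role, nonce, tag = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{user_id}|{role}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    return user_id, role
```

In production the role belongs in a server-side session record keyed by an opaque id; the signed token here only shows why unsigned client-held state cannot be trusted.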

4. Web server configuration weaknesses: The final big Web security flaw I find goes beyond Layer 7 down to the actual server and application configurations. I often find weak OS passwords, missing patches, ports open to poorly configured Internet services such as FTP, and so on. If you don't have a good foundation at the OS and application levels you can't expect to have a secure Web site or application.

In order to find the flaws beyond the application layer you need to use more generic OS/network vulnerability scanners such as QualysGuard and NeXpose. Simply run the scans, see what they find, and plug the holes. It's typically a matter of reconfiguring software, installing newer versions of Web and application servers, and hardening the OS. It won't cost you a dime, but the payoff will be grand.

The interesting gotcha to these weaknesses is that, in many situations, there's nothing in place to actually detect them. The bad guys come in, do their thing and sometime down the road you may find out there was a Web security breach.

Approach Web security from a proactive "risk" perspective rather than a reactive "we have to pass our compliance audit so we need to lock things down" perspective. Model your application threats, use good Web vulnerability scanners, and look at your (mis)use cases by thinking like the bad guys and how they can exploit these weaknesses in your specific environment. By approaching Web security this way you'll not only identify and prevent the most common attacks, but you'll also find what matters the most to your business and your customers.


Finding cross-site scripting (XSS) application flaws checklist

Cross-site scripting (XSS) is like weak passwords: the problem is widespread; the solution is relatively simple and yet the issue appears to be getting worse.

I remember when XSS was this mysterious Web flaw that no one could really explain. We knew it was something bad but it was hard to put a finger on it. A decade later, XSS plagues the Internet. Everything from basic Web sites to social media systems to e-commerce applications seems to have XSS flaws in some form. Numerous studies have shown that XSS makes up the majority of Internet-related vulnerabilities.

Over the past year, I've found XSS in all but about five percent of the Web sites and applications I've tested. This is a big deal when you factor in the ease of accessibility and exploitation, especially via phishing-related attacks.

Here's what you can do right now to seek out and ultimately eliminate XSS vulnerabilities in your environment.

• Understand the vulnerability so you'll know what you're up against and what to look for. As with weak passwords, XSS is pretty basic.

• Assemble your toolset. XSS is something that can turn up on any Web form or input area on your site or application. It's unreasonable to assume you're going to be able to find all of the input areas and throw every possible iteration of XSS at them. You have to have a good Web vulnerability scanner such as HP's WebInspect or Acunetix Web Vulnerability Scanner, just to name a couple. Based on my experience, you're not going to find many XSS flaws, if any, if you're not using a dedicated Web vulnerability scanner and are just using a more generic vulnerability scanner that touts Web capabilities, often in the name of PCI DSS scans.

• Scan your systems as an untrusted outsider. I see a lot of XSS in Web applications behind authentication mechanisms. This no doubt highlights input validation issues but it's less of a concern given that the required login can stop the automated aspect of XSS attacks. However, this is changing due to the emergence of persistent XSS, malicious code that's stored in a database and made accessible via rich Internet applications.

• Test every public-facing system whether or not it's critical. The essence of XSS is not necessarily tied to the importance or value of the system. It's the fact that you're enabling the bad guys to exploit a flaw in your environment to take advantage of an unsuspecting user or third party, in the same way spammers take advantage of random open SMTP relays to indirectly carry out their misdeeds against others.

• Don't focus solely on JavaScript. I'm starting to see more VBScript and Flash-induced XSS. It's pretty rare, but I suspect that'll change as applications become more complex. Make sure you're scanning all parts of your site and/or application with a tool that can uncover all XSS regardless of the language that's facilitating it.

• If you've thoroughly scanned your entire site/application and nothing's turning up, you can check for XSS manually by entering the following into form fields: <script>alert('XSS!')</script> It's really basic and not guaranteed, but I have found XSS that Web vulnerability scanners have missed by using this technique.

The good news is that XSS often doesn't place sensitive back-office information at risk. It's more of a risk to your users and to unsuspecting third parties on the client side; but it could ultimately lead to theft of login credentials and session information, which creates an entirely new dilemma for your business. Given the simple solutions, it's still not a risk worth taking.
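An added example (not code from the e-book) of the persistent XSS case described above: a stored comment rendered once without and once with context-aware output encoding, using the checklist's own manual test string, plus the check a QA harness can run on the rendered page. The comment store, the page fragment and the constructed `site` values are assumptions for the demo.

```python
"""Added example (not from the e-book): the same stored comment rendered
with and without output encoding, using the e-book's manual test string.
The comment store and page fragment are constructed for the demo."""
import html
from urllib.parse import urlsplit

# The e-book's manual probe: if it comes back as live markup, the page is vulnerable.
TEST_STRING = "<script>alert('XSS!')</script>"

# Constructed "database" of comments. Persistent XSS is exactly this: the
# payload is saved once and served to every later visitor.
COMMENTS = [
    {"author": "mallory", "body": TEST_STRING, "site": "javascript:alert(1)"},
    {"author": "alice", "body": "Nice article & thanks", "site": "https://example.test/"},
]


def render_unsafe(comments):
    """Before: stored values dropped straight into the HTML."""
    return "".join(
        f'<p><a href="{c["site"]}">{c["author"]}</a>: {c["body"]}</p>' for c in comments
    )


def safe_href(url):
    """Escaping alone does not help an attribute that expects a URL: the browser
    will still run a javascript: scheme. Allow-list the scheme, then escape."""
    if urlsplit(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_safe(comments):
    """After: encode each value for the context it lands in (text, attribute, URL)."""
    return "".join(
        f'<p><a href="{safe_href(c["site"])}">{html.escape(c["author"])}</a>: '
        f'{html.escape(c["body"])}</p>'
        for c in comments
    )


def looks_injected(rendered):
    """The check for a QA harness: did the probe survive as live markup?"""
    return TEST_STRING in rendered


if __name__ == "__main__":
    print("unsafe injected:", looks_injected(render_unsafe(COMMENTS)))   # True
    print("safe injected:  ", looks_injected(render_safe(COMMENTS)))     # False
    print(render_safe(COMMENTS))
```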


CHAPTER 4: HACKING YOUR OWN APPLICATIONS

Introduction: Hacking your own applications

Of all the ways to improve security there's nothing better than using hacking tools and techniques to bring out the worst in your Web applications. Not audits, not source code analysis, and not even vulnerability scans, but instead ethical hacking. Approaching Web security with a malicious mindset is the tried and true way of finding all the security flaws that count in your environment. It essentially guarantees that you'll take your Web application security to the next level and beyond, if you do it the right way.

The key to successful hacking requires the right mindset, a malicious mindset. You have to be able to think of ways to exploit weaknesses in the system that the average person might not be thinking about. Things like:

• Removing maximum field lengths for form inputs to see how the application reacts.
• Manipulating URL variables to gain access to other accounts.
• Looking at a shared computer's Web browser history file for HTTP GET requests that cache login credentials.
• Tampering with cookies used for session management in order to escalate your privileges.
• Trying default or common user IDs and passwords when logging in.
• Gaining access to the administrative portion of an application and erasing audit log files that track user logins and changes.

The possibilities are endless. My point is that the bad guys on the Internet and inside your organization are thinking maliciously and you have to do the same if you're going to defend against them.

Once you establish the mindset you can proceed with the ethical hacking process. It's actually pretty simple to understand and follow. This requires the following:

1. Get the key players on board and ensure everyone's expectations are set. The last thing you want to do is start down the path of ethical hacking without approval and buy-in of management. It's virtually guaranteed you'll lose support or not be able to effect any changes if you do.

2. Inventory all of your Web systems. You'll know the obvious ones but it's often those obscure and forgotten-about systems deep inside your network that create considerable risks. Talk to the different system managers to determine what's where. To validate your findings and uncover others that people have forgotten about, I suggest running a port scan to search for common Web ports (TCP 80, 443, and 8080) at a minimum. Certain Web vulnerability scanners have discovery tools built in as well.

3. Build your toolset to include, at a minimum, an OS/network vulnerability scanner, a Web vulnerability scanner, a Web proxy, and a browser manipulation tool such as Firefox Web Developer. I've also come to rely on multiple Web vulnerability scanners, the Brutus password cracking tool, a hex editor, and even some of the tools inside the BackTrack toolset. The quality of the tools will determine the outcome of your hacking efforts.

4. Run your automated vulnerability scans. Check the OS and network levels in addition to the application layer. Use multiple scanners when possible and be sure to test as both an untrusted outsider as well as trusted users at all role levels. An important note related to authenticated scanning: make sure your Web vulnerability scanner actually authenticates into the application. I've seen login and startup macros fail more often than not. It appears that the scanner logged in, but actually did not, which creates a false sense of completion and security.

5. Perform your manual analysis. This is where the true art of ethical hacking comes into play. You'll take what your vulnerability scanners found, validate their results, and then dig in further into areas the scanners discovered as well as other areas that scanners don't understand. Things like I mentioned above regarding the login mechanism, session management, passwords, URL manipulation, and so on. As with your automated scans, do your manual analysis as an untrusted outsider as well as trusted users at all role levels. If your automated scanning took 1 or 2 days to complete, this phase of your testing can easily take twice that amount.

6. Once you're done (which can be tricky to determine since you could conceivably go on forever) you have to focus on what's urgent and important. In other words, focus on those Web vulnerabilities that are exploitable or potentially exploitable on the sites and applications that matter. For example, you might find cross-site scripting on a test application located on the QA network which would likely be a low priority. On the other hand you may find SQL injection on your main Web portal which needs attention immediately.

Once you've completed your testing efforts and remediated the vulnerabilities that matter to your business it'll probably be time to start the process over again. I often see a lack of follow through in this stage of the game which effectively negates any benefits you've gotten out of your efforts. Think ethical, malicious, and consistent; that's the type of hacking you want to do.
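An added example (not code from the e-book) for the inventory step of the process above: it checks the ports the e-book names (TCP 80, 443 and 8080) on a list of hosts you own, sends one HEAD request on each port that accepts a connection and records the Server header, so forgotten internal web servers show up in the list. The host list, timeout and the local stand-in server are constructed for the demo.

```python
"""Added example (not from the e-book): an inventory probe for step 2 that
checks the ports the e-book names (TCP 80, 443 and 8080) on hosts you list,
sends one HEAD request on each open port and records the Server header.
The host list, timeout and the local test server are constructed."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer

WEB_PORTS = (80, 443, 8080)   # the minimum set the e-book suggests


def parse_server_header(raw):
    """Pull the Server header out of a raw HTTP response; '' if absent."""
    text = raw.decode("latin-1", "replace")
    for line in text.split("\r\n")[1:]:     # skip the status line
        if line == "":                        # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""


def probe(host, port, timeout=2.0):
    """None if the port refuses, is filtered or times out; otherwise the
    Server header. A port that accepts the connection but does not speak
    plaintext HTTP (a TLS listener, say) is reported as open with ''."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        try:
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = sock.recv(4096)
        except OSError:
            return ""
    return parse_server_header(raw)


def inventory(hosts, ports=WEB_PORTS, timeout=2.0):
    """Map (host, port) -> Server header for every port that accepted a connection."""
    found = {}
    with ThreadPoolExecutor(max_workers=32) as pool:
        jobs = {pool.submit(probe, h, p, timeout): (h, p) for h in hosts for p in ports}
        for job, key in jobs.items():
            result = job.result()
            if result is not None:
                found[key] = result
    return found


class _QuietHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a forgotten internal web server."""

    def do_HEAD(self):
        self.send_response(200)      # BaseHTTPRequestHandler adds Server/Date headers
        self.end_headers()

    def log_message(self, *args):
        pass


def start_local_server():
    """Start the stand-in on 127.0.0.1 at an ephemeral port; return the port."""
    srv = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    port = start_local_server()
    for (host, p), server in inventory(["127.0.0.1"], ports=(port,)).items():
        print(f"{host}:{p} open, Server: {server or '(none)'}")
```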


Hack maliciously to boost your software's security

Everyone claims to know the right way to go about testing the security of Web applications. "Perform an external scan," the auditors recommend. "Just use our vulnerability scanner," the vendors proclaim. "Do a peer review of the source code," the quality assurance (QA) analysts declare. And then there are the government, industry regulatory, and standards bodies who believe they know what it takes to secure an app. Regardless, it's their way or the highway. Ha!

With everything else being equal, unrelenting and almost aggressive malicious attacks are the absolute best way for uncovering Web security holes. In this tip, we'll cover why you must literally go through your Web systems and throw everything you possibly can at them. This tip will get you started on using malicious manipulation to boost security. In forthcoming tips, I'll show how to do malicious hacking in various different software development and testing scenarios.

There's so much information available for uncovering Web application flaws, but there's no good place to start. So how can you, the security admin, developer or IT manager, filter through the noise and distill exactly what needs to be done to find the Web flaws that count? Let me be clear, it's simple. There is no one best way to go about it. As lawyers and consultants like to say, "it all depends." It depends on the type of business you're in and the regulations you fall under. It also depends on what type of Web presence you have and how sensitive information is processed, stored or otherwise passed through your system. It depends on how much management supports your efforts and, frankly, how much money you have to spend.

Every organization and every Web application is different. Ironically, this is one of the things that management misunderstands the most. Web security testing is not a black-and-white science. It's just as much an art, and one that requires good tools and creativity, along with a confident security assessor.

Choosing the one thing that stands out as being the most important for uncovering the obvious and not so obvious Web vulnerabilities is pretty easy. Some of this requires Web vulnerability scanning tools like WebInspect, Acunetix WVS and N-Stalker. No matter how good you are with Web apps and security, there's still no replacing the requests that tools such as these can throw at an application. They can mimic hack attacks like no human possibly could.

Don't let me steer you in the wrong direction though. Based on my experience testing Web applications over the years, the ability to poke, prod, and control an application with ill-gotten gains in mind is the key for making things happen. It's required if you're going to find the flaws that really matter. At the heart of this is manipulation, which is often a matter of just the right poking and prodding to see how the application trusts you and what it spits back.

This will rarely require special "hax0r skillz." It's merely a matter of understanding the basic operation of Web applications and thinking of creative ways to hack and throw just the right jabs to force them into submission.

Many, many times I've tested Web applications with automated scanners, only to realize I wasn't even halfway home. Beyond the scanning phase, I've seen situations such as creative URL manipulation, weak passwords or sensitive files stored in download folders that have turned two to three day Web security reviews into week-long plus analyses bordering on data breach situations. All because of some basic hacking (manipulation) of these applications that would've gone undiscovered otherwise.

I can't stress enough the value of in-depth ethical hacking of your Web applications. There's no replacement for manual manipulation; just you and your Web browser. Get past the one-scan-fits-all mindset. It's dangerous and it'll come back and bite you if you rely on just the basics to get by.


    HE MATURITY OF todays

    Web applications is both

    a blessing and a curse. On

    the positive side, were nowable to do things with dy-

    namic Web applications

    that seemed impossible in the static

    world of just a few years ago. On the

    negative side, were now seeing Web

    application complexities introduce

    security vulnerabilities beyond ourimagination. Its becoming increasing-

    ly difficult for information security

    professionals, developers, and quality

CHAPTER 5: OVERVIEW OF BEST PRACTICE TIPS AND CHECKLISTS

Introduction: Security best practices for today's Web applications

assurance analysts to get their arms around these issues.

What can you do to minimize security risks with rich Internet applications and in the cloud? It takes a reasonable and well thought out approach to do it right. Figure 1 shows, in a nutshell, what you have to do.

Figure 1: The proper approach to Web application security

Like any other ongoing business process, these are things you have to do on a periodic and consistent basis. Let's look at each of these areas more closely.

1. Obtain buy-in: If you don't have the ear of the people who count, then you'll be fighting a losing battle trying to secure your applications. Most importantly, you have to get management on board. If the people approving the budgets and writing the checks don't understand why application security is a business concern, then everything is for nothing. Without monetary, human resource, cultural, and political support from the powers that be, you might as well just rely on passwords and SSL to get you through (hint: that's not a good long-term solution).

You may even need to get user buy-in, especially when it comes to security controls requiring business process changes and potential usability issues. Also, depending on which side you're on (information security, development, or QA), you'll need to get your colleagues on board. Making sure everyone is on the same page, working toward the same goals, should be your main goal.

2. Choose your tools: Just like you wouldn't use inferior programming languages or IDEs to develop your applications, you can't afford not to have good security testing tools. Having the right Web security tools, such as vulnerability scanners, proxies, and source code analyzers, will make or break your Web application security efforts. (See "Security Testing Tools" for a list of tool options.)

3. Run automated scans: Web vulnerability scanners are absolutely essential for finding both the low-hanging fruit and the complex input validation flaws, such as XSS and SQL injection, that would be impractical to uncover by hand across a whole application. Just know that you have to run the scanners often, and multiple scanners are usually required to find everything that matters.

SECURITY TESTING TOOLS

There are tons of options available but the following are ones that I've found to work well. Click on the links below for additional information.

Web vulnerability scanners
• Acunetix Web Vulnerability Scanner (http://www.acunetix.com/)
• N-Stalker (http://www.nstalker.com/)
• NTOSpider (http://www.ntobjectives.com/)
• WebInspect (https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__)

Web proxies
• Burp Proxy (http://portswigger.net/proxy)
• Paros Proxy (http://www.parosproxy.org/download.shtml)
• WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)

Source code analyzers
• Checkmarx (http://www.checkmarx.com/)
• SecurityReview (http://www.veracode.com/)

Don't rule out open source tools, especially the Web proxies I list above, but know that, by and large, you're going to get what you pay for.

4. Perform a manual analysis: Automated scanners can only find so much. A sharp human eye and manipulative ethical hacking techniques are essential for finding all the other flaws that vulnerability scanners aren't smart enough to detect. Look for things like login mechanism weaknesses, application logic problems, and privilege escalation via session manipulation.
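A concrete instance of that last item, privilege escalation via session manipulation, as an added example that is not part of this ebook: a role kept in a client cookie, which a tester simply rewrites in a Web proxy, beside two server-side fixes (an opaque session id and an HMAC-signed cookie). The cookie names, roles, the secret and the in-memory session store are assumptions made for illustration.

```python
"""Added example, not from the ebook: privilege escalation via session
manipulation. A role stored in a client cookie can be rewritten by the user
with any Web proxy; an opaque server-side session, or an HMAC-signed cookie,
cannot. Cookie names, roles, the secret and the session store are assumed."""
import hashlib
import hmac
import secrets

SECRET = b"per-deployment-secret-never-sent-to-the-browser"  # assumption


# Vulnerable: the application believes whatever role the browser sends back.
def vulnerable_is_admin(cookies: dict) -> bool:
    return cookies.get("role") == "admin"


# Hardened, stateful: the cookie is only a random id; the role lives server-side.
SESSIONS: dict = {}   # session id -> attributes (assumed in-memory store)


def create_session(user: str, role: str) -> str:
    sid = secrets.token_urlsafe(32)          # 256 random bits: not guessable
    SESSIONS[sid] = {"user": user, "role": role}
    return sid


def stateful_is_admin(cookies: dict) -> bool:
    session = SESSIONS.get(cookies.get("sid", ""))
    return session is not None and session["role"] == "admin"


# Hardened, stateless: user and role travel in the cookie but are MAC'd, so
# any edit to the role invalidates the tag (no expiry here; add one in practice).
def sign_cookie(user: str, role: str) -> str:
    payload = f"{user}:{role}"               # assumes ':' is not allowed in names
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def signed_is_admin(cookies: dict) -> bool:
    parts = cookies.get("auth", "").rsplit(":", 2)
    if len(parts) != 3:
        return False
    user, role, tag = parts
    expected = hmac.new(SECRET, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and role == "admin"


def tamper_test() -> dict:
    """What a tester does: log in as an ordinary user, then edit the cookie
    in a proxy to claim admin, and see which implementation believes it."""
    results = {}
    # The browser originally received role=user; the tester changed it to admin.
    results["vulnerable_forged"] = vulnerable_is_admin({"role": "admin"})

    sid = create_session("mallory", "user")
    results["stateful_real"] = stateful_is_admin({"sid": sid})
    results["stateful_forged"] = stateful_is_admin({"sid": "A" * len(sid)})
    results["stateful_admin"] = stateful_is_admin({"sid": create_session("root", "admin")})

    cookie = sign_cookie("mallory", "user")
    results["signed_real"] = signed_is_admin({"auth": cookie})
    results["signed_forged"] = signed_is_admin({"auth": cookie.replace(":user:", ":admin:", 1)})
    results["signed_admin"] = signed_is_admin({"auth": sign_cookie("root", "admin")})
    return results


if __name__ == "__main__":
    for check, outcome in tamper_test().items():
        print(f"{check:17} admin={outcome}")
```

When you test a real application, the same move applies to any client-held attribute: user id, account number, price, role. If changing it in the proxy changes what the server does, the server is trusting the client for an authorization decision. The signed-cookie form still needs an expiry and a revocation path, which the server-side session gets for free.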

5. Check source code: Once you've completed your vulnerability scanning and manual analysis, a nice way to wrap things up is to look at the actual source code. Some analyzers look at raw source code while others analyze the compiled binaries, which is closer to what actually runs in production. Both are very good at finding things that you'd be hard-pressed to find otherwise.

6. Fix what you've found: Once you find where the weaknesses are, take the necessary steps to plug the holes. Sadly, this step is often skipped or not done properly, and the application vulnerabilities live on. The only way you're going to produce better code, and thus more secure Web applications, is to learn from your mistakes and continually improve.

7. Report to your stakeholders: Keeping management, auditors, regulators, customers, and business partners in the loop on what you're doing, finding, and improving upon is a great way to get continued support for application security. It's also a great way to help create a competitive advantage for your business. People are going to ask "How secure is the application?" anyway, so it doesn't hurt to be proactive and be able to provide the current security status when the time comes.

Complexity introduces weakness and oversight which, in turn, create security risks, all things we can't afford to take on in business today. Finding and fixing Web application flaws is becoming more difficult but it's not an insurmountable problem. If you approach it in a mature and methodical way you can find the issues that matter and move on. The method I discuss above has been proven successful time and again. Be it for best practice or compliance, it's simply a matter of choice.


Rich Internet applications security testing checklist

With Web 2.0 technologies like Ajax, Flash and Web services being all the rage, rich Internet applications (RIAs) are popping up everywhere. More developers are creating rich apps in-house and integrating such third-party code into existing environments. However you slice it, RIAs and Web 2.0 technologies cannot be ignored.

Likewise, we can't ignore the slew of security flaws RIAs tend to introduce. Rich Internet applications not only place more control into the user's hands, they also broaden the attack surface and open previously non-existent entry points into networks.

The big thing with rich Internet applications is that you can't just scan 'em and forget 'em. Current scanning technologies for penetration testing and code analysis are still pretty limited relative to the complexity of these applications. But don't worry! You can still check for the security holes that matter, and a few more to boot, if you approach your Web 2.0 code and technologies from all the right angles. In this checklist, you can find out what you can do to find and eliminate security flaws from your rich Internet applications.

• Understand the scope of the vulnerabilities rich Internet applications present. They're similar to common Web vulnerabilities but often have their own twist. Common rich Internet application flaws include XSS, SQL injection, embedded passwords in media files, as well as easily-manipulated client-side variables and exposed business logic.

• Gather good tools. There are numerous free and commercial options. Among my favorite freebies are the following:

  • Firefox Web Developer is a Firefox plugin for manual manipulation of client-side code.
  • SWFScan is a tool for decompiling/analyzing Shockwave Flash (.swf) files.
  • WSFuzzer is a tool for performing fuzzing of SOAP Web services (http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project).

  My favorite commercial tools are HP's WebInspect and Acunetix Web Vulnerability Scanner. These are all-in-one Web vulnerability scanners that include specific tools for further manual analysis. Plus they're well-maintained, so you know you're going to be scanning for the latest and greatest Web 2.0 flaws.

• Scan your systems as an untrusted outsider as well as a trusted user. That said, you have to understand that your scans may not find each and every flaw when you set them on auto-pilot. If possible, set your scanner to "manual crawl" mode and step through the application yourself, clicking on every link and submitting every form. This will allow your scanner to find parts of the application it'd never be able to find otherwise. The manual crawl process can take a while in complicated applications, but it's the only reasonable way to get your Web vulnerability scanner(s) to find what matters.
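To show what an outsider-only scan leaves out, here is an added example that is not from the ebook: a small crawler run twice against a constructed in-memory site, once anonymously and once with a valid session, with the difference being the pages only a trusted user, and therefore only an authenticated scan or a manual crawl, can ever reach. The site, its paths and the login redirect are made up for illustration.

```python
"""Added example, not from the ebook: crawl a constructed in-memory site as
an anonymous visitor and as a logged-in user, then diff the two to see the
attack surface an outsider-only scan never reaches. Site layout is invented."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample application: path -> (requires_login, HTML body).
SITE = {
    "/":        (False, '<a href="/login">Login</a> <a href="/help">Help</a>'),
    "/help":    (False, '<a href="/">Home</a>'),
    "/login":   (False, '<form action="/account"></form> <a href="/">Home</a>'),
    "/account": (True,  '<a href="/account/export?fmt=csv">Export</a> <a href="/admin">Admin</a>'),
    "/account/export": (True, "export data"),
    "/admin":   (True,  '<a href="/admin/users">Users</a>'),
    "/admin/users":    (True, "user list"),
}


class LinkExtractor(HTMLParser):
    """Collect hrefs and form actions, the things a scanner's crawler follows."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def fetch(path: str, authenticated: bool):
    """Simulated GET. Like most real apps, protected pages bounce an anonymous
    request to /login, so the crawler sees a login link, not the content."""
    if path not in SITE:
        return 404, ""
    requires_login, body = SITE[path]
    if requires_login and not authenticated:
        return 302, '<a href="/login">Login</a>'
    return 200, body


def crawl(start: str = "/", authenticated: bool = False) -> dict:
    """Breadth-first crawl; returns {path: status} for every URL reached."""
    statuses, queue = {}, [start]
    while queue:
        path = queue.pop(0)
        if path in statuses:
            continue
        status, body = fetch(path, authenticated)
        statuses[path] = status
        if status != 200:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urlparse(urljoin(path, href)).path   # drop the query string
            if target not in statuses:
                queue.append(target)
    return statuses


def trusted_only_surface() -> set:
    """Pages that return content to a logged-in user but not to an outsider."""
    anon = {p for p, s in crawl(authenticated=False).items() if s == 200}
    auth = {p for p, s in crawl(authenticated=True).items() if s == 200}
    return auth - anon


if __name__ == "__main__":
    for path in sorted(trusted_only_surface()):
        print("only reachable as trusted user:", path)
```

The anonymous crawl stops at the login redirect, so every page behind it, and every parameter on those pages, never gets tested. That is also why a manual crawl matters even when you are authenticated: Ajax calls and links built by JavaScript do not appear as static anchors, so a crawler like this one will not see them unless you drive the application yourself with the scanner's proxy recording.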

• Use multiple Web vulnerability scanners if you can. I often find vulnerabilities using a second scanner that the first one completely missed. This is especially true for rich Internet applications. I've also found that a general-purpose network vulnerability scanner such as QualysGuard or Nessus can often find server and application weaknesses that dedicated Web scanners don't know about.

• Scan your Web services. They're easy to configure and forget, but XML-based Web services can be one of your greatest Web security weaknesses. There's something for everyone, ranging from XPath injection to SQL injection to command execution to password cracking. Tools such as WebInspect, Acunetix and others can scan for specific Web services flaws, and I highly encourage you to do those scans.
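As an added example that is not part of the ebook, here is the kind of Web services flaw the paragraph describes, reduced to a runnable form: a SOAP-style lookup backed by sqlite3, once with the request value concatenated into the query and once parameterized, plus the envelope a tester (or a fuzzer such as WSFuzzer) would send. The namespaces, operation name, table and rows are assumptions.

```python
"""Added example, not from the ebook: SQL injection through a SOAP Web
service. The envelope, service namespace, table and rows are constructed."""
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:accounts"          # assumption: the service's own namespace


def make_db() -> sqlite3.Connection:
    """Constructed data the service sits in front of."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, ssn TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "111-11-1111"),
        ("bob", "bob@example.com", "222-22-2222"),
    ])
    return db


def extract_name(envelope: str) -> str:
    """Pull <acc:name> out of the SOAP body; identical in both versions."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    node = body.find(f".//{{{SVC_NS}}}name")
    return node.text or ""


def vulnerable_get_email(db, envelope: str) -> list:
    name = extract_name(envelope)
    # The XML parsed cleanly, so the developer assumed the value was safe.
    rows = db.execute(f"SELECT email FROM users WHERE name = '{name}'")
    return sorted(r[0] for r in rows)


def safe_get_email(db, envelope: str) -> list:
    name = extract_name(envelope)
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)


def envelope_for(name: str) -> str:
    """Build the request a client (or an attacker) would POST to the endpoint.
    Quotes need no escaping in XML text; only <, > and & would."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<acc:GetEmail xmlns:acc="{SVC_NS}"><acc:name>{name}</acc:name></acc:GetEmail>'
        '</soap:Body></soap:Envelope>'
    )


BENIGN = envelope_for("alice")
INJECTED = envelope_for("x' OR '1'='1")       # classic tautology payload


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign  :", vulnerable_get_email(db, BENIGN))
    print("vulnerable, injected:", vulnerable_get_email(db, INJECTED))
    print("safe, injected      :", safe_get_email(db, INJECTED))
```

The injected envelope is schema-valid XML, which is why WS-Security and schema validation at the gateway do not stop it; the fix is in the handler. XPath injection has exactly the same shape when the extracted name is spliced into an XPath expression against an XML datastore, and the remedy is the same: bind the value as a variable rather than building the expression as a string.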

• Scan your Flash and other media files, using SWFScan as well as Web and general network vulnerability scanners. Even your local antivirus software can flag malware embedded in these files when you download or run them. I've seen and heard about all sorts of security flaws related to rich media. Everything from embedded encryption keys to business logic to malware can turn up in these files, so be sure to include them in the scope of your testing.

• Check for other common flaws that affect all Web applications regardless of the technologies being used. This includes weak passwords, lack of intruder lockout (which facilitates password cracking), weak authentication mechanisms (especially home-grown multi-factor systems), form manipulation, URL tampering and sensitive files stored on the server unprotected.
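Of those, lack of intruder lockout is the easiest to test and the easiest to get wrong. The following is an added example (not from the ebook): a login handler with no lockout next to one with a per-account failure counter and lockout window, and the dictionary attack a tester runs against each. The account, its weak password, the wordlist and the limits are constructed for illustration; the PBKDF2 iteration count is kept low so the example runs quickly.

```python
"""Added example, not from the ebook: intruder lockout. Compare a login with
no lockout against one that counts failures per account, by running the same
small dictionary attack against both. Account, password, wordlist and limits
are constructed for illustration."""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000            # deliberately low for a fast demo; use far more in production


def hash_password(password: str, salt: bytes = None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed account with a weak, guessable password.
USERS = {"jdoe": hash_password("Summer2010")}


def check_password(user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        return False
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Vulnerable: nothing stops an unlimited stream of guesses.
def login_no_lockout(user: str, password: str, now: float = None) -> str:
    return "ok" if check_password(user, password) else "denied"


# Hardened: after MAX_FAILURES wrong guesses the account is locked for a window.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
_failures = {}                 # user -> (count, time of first failure in the window)


def login_with_lockout(user: str, password: str, now: float = None) -> str:
    now = time.time() if now is None else now
    count, since = _failures.get(user, (0, now))
    if now - since >= LOCKOUT_SECONDS:       # window expired: start counting again
        count, since = 0, now
    if count >= MAX_FAILURES:
        return "locked"                      # refuse even a correct password
    if check_password(user, password):
        _failures.pop(user, None)
        return "ok"
    _failures[user] = (count + 1, since)
    return "denied"


WORDLIST = ["password", "123456", "Welcome1", "jdoe", "letmein", "Summer2010"]


def dictionary_attack(login, user: str, now: float = 0.0):
    """Run the wordlist through a login function.
    Returns (password found or None, attempts made, 'locked' responses seen)."""
    locked = 0
    for attempts, guess in enumerate(WORDLIST, start=1):
        result = login(user, guess, now)
        if result == "ok":
            return guess, attempts, locked
        if result == "locked":
            locked += 1
    return None, len(WORDLIST), locked


if __name__ == "__main__":
    print("no lockout  :", dictionary_attack(login_no_lockout, "jdoe"))
    print("with lockout:", dictionary_attack(login_with_lockout, "jdoe"))
```

Two caveats a tester should carry along. A per-account lockout lets anyone lock a victim out by guessing badly on purpose, so pair it with progressive delays or rate limiting rather than relying on it alone. And check that the counter is enforced on every login path (the HTML form, the Ajax endpoint, the Web service, the mobile API) and not just on the one the scanner happened to crawl; a lockout that only the form honors is no lockout at all.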

Working through each of these steps, and ensuring the issues are remediated, will bring you that much closer to reasonable security in your rich Internet applications. Perhaps most importantly, never let your guard down. The security issues surrounding rich Internet applications are only going to become more complex. Getting your arms around the issues that matter now will allow you to scale your efforts as your applications continue to grow.


ABOUT THE AUTHOR:

Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. With over 20 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.

ADDITIONAL RESOURCES FOR CHAPTER 5

• Mobile, Web app QA testing tips for handling operating system changes (http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1365856,00.html)
• Web server weaknesses you don't want to overlook (http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1376087,00.html)
• Free Web proxy security tools software testers should get to know (http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1374033,00.html)
RESOURCES FROM OUR SPONSOR

• Extended Validation: the New Standard in SSL Security (https://www.thawte.com/ssl/extended-validation-ssl-certificates/index.html)
• Sign your Code and Content for Secure Distribution Online (http://www.thawte.com/code-signing/index.html)
• Get a Free SSL Trial Certificate from Thawte (https://www.thawte.com/leadgen.html?a=o29520423617049007)

About Thawte: As a leading global certificate authority, Thawte provides online security trusted by millions around the world. Expert multilingual support, robust authentication practices, and easy online management make Thawte the best value for SSL certificates and code signing certificates. In 2004, Thawte became the first certificate authority to recognize and secure Internationalized Domain Names (IDNs), enabling more people to navigate the web securely in their own language. The Thawte Trusted Site Seal, available in 18 languages, helps users verify the identity of web sites in their own language. Because SSL is our core business, we constantly improve our products to deliver the tools and features our customers want and need. Our data centers and disaster recovery sites provide unsurpassed customer data protection. (http://www.thawte.com/)