Intro to Web Application Security
DESCRIPTION
Introduction to Web Application Security, presented for the Penn State Information Assurance Club (Fall 2007)
TRANSCRIPT
![Page 1: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/1.jpg)
Information Assurance Club 2007
Understanding Web Application Security
![Page 2: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/2.jpg)
What is Application Security?
Application Security encompasses measures taken to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, or deployment of the application. [Wikipedia]
Make sure code:
• Properly uses security mechanisms
• Has no design or implementation flaws
![Page 3: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/3.jpg)
![Page 4: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/4.jpg)
![Page 5: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/5.jpg)
Application Layer vs Network Layer
Application Layer
• Attackers send attacks inside valid HTTP requests
• Custom code is manipulated to do something it shouldn't
• Security requires software development expertise, not signatures
Network Layer
• Firewall, hardening, patches, IDS, IPS, SSL cannot detect or prevent attacks inside HTTP requests
• Security based on signature database
![Page 6: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/6.jpg)
Test Your Hacking Knowledge
What might happen in an application if an attacker…
• Adds "; rm -rf /" to a menu selection passed to a system call
• Replaces the unitprice hidden field with -500
• Sends 1000000 'A' characters to a login script
• Figures out the encoding used for cookies
• Disables all client side Javascript for form validation
• Adds "%27%20OR%201%3d1" to the end of an account ID parameter
• Sends 1,000 HTTP requests per second to the search field for an hour
![Page 7: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/7.jpg)
Why Should I Care?
How likely is a successful web application attack?
• Anyone in the world, including insiders, can send an HTTP request to your server
• Vulnerabilities are highly prevalent
• Easy to exploit without special tools or knowledge
• Little chance of being detected
• Hundreds of thousands of developers with no security background or training
Consequences?
• Corruption or disclosure of database contents
• Root access to web and application servers
• Loss of authentication and access control for users
• Defacement
• Loss of use / availability
• Secondary attacks from your site
Application security is just as important as network security
![Page 8: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/8.jpg)
Attacks Shift Towards Application Layer
75% of all attacks on information security are directed to the web application layer
2/3 of all web applications are vulnerable
- Gartner
![Page 9: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/9.jpg)
How Do Attackers Do It?
• Proxies
• Browser plugins
• Vulnerability scanning tools
Many attacks can be launched using only a browser and text editor
![Page 10: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/10.jpg)
HyperText Transfer Protocol (HTTP)
```http
GET /index.html HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Date: Mon, 23 April 2007 22:38:34 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8
```
![Page 11: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/11.jpg)
HTTPS
• Just encryption
• Eavesdropping
• Protect passwords (Gmail)
• Bypass IPS
• Doesn't prevent hacking
![Page 12: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/12.jpg)
Transparent Proxy
http://fiddler2.com/sandbox/
Fiddler is an HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.
Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
Others: Paros, WebScarab, etc.
![Page 13: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/13.jpg)
Authentication Common Problems
• Never expire (facebook)
• Not protected by SSL
• Easy to forge (cookies)
• Replay attacks
  • Re-using cookies
  • Preventable with encrypted date/time stamp
![Page 14: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/14.jpg)
Authentication Best Practices
• Ensure HTTPS is being used
• Login failures should NOT indicate whether username or password failed
• Strong password policy (don't store in clear text)
• Use brute force countermeasures
  • CAPTCHA
  • Time delay
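A login routine that follows three of the practices on this slide (hashed rather than clear-text passwords, one generic failure message, and a growing time delay after failures), written here as an added example; it is not code from the slides, and the user store, the PBKDF2 parameters and the delay schedule are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Hypothetical demo, not code from the slides: a login routine with no clear-text
# passwords, a single generic failure message, and a time delay after failures.
PBKDF2_ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password"
MAX_DELAY_SECONDS = 60.0

USERS = {}      # username -> (salt, pbkdf2 digest); constructed in-memory store
FAILURES = {}   # username -> (failure count, earliest time the next attempt is accepted)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username, password):
    USERS[username] = hash_password(password)


def login(username, password, now=None):
    """Return (ok, message). The message is the same whether the username is
    unknown or the password is wrong, so a failure reveals nothing about which
    part was bad."""
    now = time.time() if now is None else now
    count, not_before = FAILURES.get(username, (0, 0.0))
    if now < not_before:
        # Brute-force countermeasure: attempts inside the delay window are refused
        # without even checking the password.
        return False, GENERIC_ERROR

    record = USERS.get(username)
    if record is None:
        # Unknown user: do a dummy hash so the response time matches a real check
        # (timing would otherwise leak which usernames exist).
        hash_password(password, b"\x00" * 16)
        ok = False
    else:
        salt, stored = record
        _, candidate = hash_password(password, salt)
        ok = hmac.compare_digest(candidate, stored)  # constant-time comparison

    if ok:
        FAILURES.pop(username, None)
        return True, "Welcome"

    count += 1
    delay = min(MAX_DELAY_SECONDS, 2.0 ** count)   # 2s, 4s, 8s, ... capped at 60s
    FAILURES[username] = (count, now + delay)
    return False, GENERIC_ERROR


def demo():
    """Scripted sequence with a fixed clock; returns the (ok, message) results."""
    USERS.clear()
    FAILURES.clear()
    register("alice", "correct horse battery")
    return [
        login("alice", "correct horse battery", now=1000.0),  # good password
        login("alice", "wrong", now=1000.0),                  # bad password -> 2s delay
        login("nobody", "wrong", now=1000.0),                 # unknown user, same message
        login("alice", "correct horse battery", now=1000.5),  # inside the delay window
        login("alice", "correct horse battery", now=1003.0),  # delay elapsed
    ]


if __name__ == "__main__":
    for ok, message in demo():
        print(ok, message)
```

The dummy hash for unknown usernames is there because the generic message alone is not enough: if an unknown username returned instantly while a known one took a PBKDF2 round, response time would answer the question the message refuses to.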
![Page 15: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/15.jpg)
State Problems
• HTTP is a stateless protocol
• Session ID tells client browser who you are
• Server maintains a map of session objects
• Hijacking techniques
  • Guessing
  • XSS
  • Not using HTTPS
  • Session ID exposed using URL-rewriting
![Page 16: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/16.jpg)
Session Best Practices
• Single sign on/off
• Seemingly random and at least 20 bytes
• Timeout
• Use SSL
• Avoid URL-rewriting (disclosure risk)
![Page 17: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/17.jpg)
Access Control
• Restricting access: Who? What can they see? What can they do?
• Should exist in UI, BLL (business logic layer), and DAL (data access layer)
![Page 18: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/18.jpg)
Broken Access Control
• Attacker notices URL indicating role: /guest/getAccountInfo
• They modify it to another directory (role): /admin/getAccountInfo, /auth/getAccountInfo
• Attacker views more accounts than just their own
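One example serving both the session slides and this one, added here and not taken from the slides: a server-side session map with random IDs and an idle timeout, and a getAccountInfo handler whose authorization decision comes from the role stored in that session, so the /guest/ or /admin/ directory in the URL decides nothing. The role table, the 15-minute timeout and the cookie name are constructed for the demo.

```python
import secrets
import time

# Hypothetical demo, not code from the slides: a server-side session map with random
# IDs and an idle timeout, and an access check that takes the role from that session
# rather than from the request URL.
SESSION_TTL_SECONDS = 15 * 60
SESSIONS = {}   # session id -> session object (the server-side map the slides mention)

ROLE_PERMISSIONS = {
    "guest": {"view_own_account"},
    "admin": {"view_own_account", "view_any_account"},
}


def create_session(username, role, now=None):
    """32 bytes from the OS CSPRNG (the slides ask for at least 20), base64url-encoded."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": role, "last_seen": now}
    return sid


def lookup_session(sid, now=None):
    """Return the session object, or None if unknown or idle for too long."""
    now = time.time() if now is None else now
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now - session["last_seen"] > SESSION_TTL_SECONDS:
        del SESSIONS[sid]           # timeout: the ID is dead from here on
        return None
    session["last_seen"] = now
    return session


def session_cookie(sid):
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly keeps it away
    from page scripts (one of the hijacking routes above), and it is never
    placed in a URL."""
    return f"SESSIONID={sid}; Secure; HttpOnly; Path=/"


def get_account_info(sid, requested_user, now=None):
    """Handler for getAccountInfo. Whether the client asked for /guest/... or
    /admin/... is irrelevant: the decision uses the role stored server-side."""
    session = lookup_session(sid, now)
    if session is None:
        return 401, "login required"
    perms = ROLE_PERMISSIONS.get(session["role"], set())
    if "view_any_account" in perms:
        return 200, f"account of {requested_user}"
    if requested_user == session["user"] and "view_own_account" in perms:
        return 200, f"account of {requested_user}"
    return 403, "forbidden"


if __name__ == "__main__":
    sid = create_session("alice", "guest")
    print(session_cookie(sid))
    print(get_account_info(sid, "alice"))   # own account: allowed
    print(get_account_info(sid, "bob"))     # someone else's account: forbidden
```

The check lives in the handler (the business logic), not in the URL routing; with the same helper a data-access layer could re-check the owner before returning a row, which is what "UI, BLL, and DAL" on the earlier slide asks for.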
![Page 19: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/19.jpg)
Cross-Site Scripting (XSS)
Web application vulnerability that allows an attacker to execute a malicious script in a victim's web browser
How it works
• Web browsers support scripting languages like Javascript that allow web pages to perform logic
• If an attacker can get a web server to send their malicious script to a victim, the script executes as if it came from that web site
Consequences
• Steal session cookies
• Deface websites
• Information disclosure
![Page 20: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/20.jpg)
XSS Vulnerability Pattern
Web app vulnerable to XSS if:
• Attacker can provide malicious user input
• Site puts user input into a response (search, form field, message board, etc.)
• Site doesn't properly validate or sanitize that user input
Unless developer is familiar with XSS, it's very likely that proper input validation is not being done
![Page 21: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/21.jpg)
Two Types of XSS
Stored XSS
• Dangerous user input is stored on the site and displayed at some later time
• Typically found in message boards, guest books, surveys
• Like leaving a land mine for a victim to trip across on a vulnerable site
Reflected XSS
• Dangerous user input is immediately sent back to the user that submitted it
• Possibly a malicious link with an embedded script
• Typically found in search fields, error pages, etc.
![Page 22: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/22.jpg)
Cross-site Scripting - Tricks
• Scripts can only access data from their own site
  • Enforced by the browser "sandbox" (same-origin policy, SOP)
  • Trick: Use an anonymous proxy
• Scripts can't access the OS or file system
  • Trick: Wscript http://my.3c.ist.psu.edu/rrr174/email.js
• The browser isn't doing anything abnormal
Cheat Sheet: http://ha.ckers.org/xss.html
Demos: http://www.attacklabs.com
![Page 23: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/23.jpg)
XSS Real World Example
MySpace XSS Worm - Oct 2005, AKA Samy worm
• Introduced an XSS attack into his own profile
• When anyone viewed his profile, the attack:
  • added Samy as a 'friend' to that user's profile
  • and infected them with the same XSS attack in their own profile
• Then, when anyone views the infected profile, starts all over...
The exploit:
• Used 'java\nscript' since 'javascript' was filtered out, String.fromCharCode(34) to generate a double quote, etc.
• Used XmlHttpRequest (AJAX), so does Yamanner worm
10 hrs - 560 friends, 13 hrs - 6400 friends, 18 hrs - 1,000,000 friends, 19 hrs - entire site down, 22 hrs - site back up again
![Page 24: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/24.jpg)
![Page 25: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/25.jpg)
XSS - Input Filters
Many applications attempt XSS protection with filters
• Convert < and > to &lt; and &gt;
• Strip out HTML tags
• Eliminate <script> tags
• Strip out Javascript
.NET provides XSS protection by default: <%@ Page ValidateRequest="true" %>
Anti-Cross Site Scripting Library: http://msdn2.microsoft.com/en-us/security/aa973814.aspx
Better to white list input instead of black list
VALIDATE USER INPUT!!! TRUST NOTHING FROM THE CLIENT!!!
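To make the white-list-over-black-list point concrete, here is an added example (not code from the slides): a black-list filter of the kind listed above, beside the two things recommended instead, output encoding of everything that reaches the response and a white list for input. The filter's regular expression, the username rule and the search page markup are constructed for the demo; the 'java\nscript' spelling used as test input is the one from the Samy worm slide.

```python
import html
import re

# Hypothetical demo, not code from the slides: a black-list filter of the kind the
# slide lists, beside output encoding of everything placed in the response and a
# white list for input.


def blacklist_filter(text):
    """Removes <script> tags and the word 'javascript'. It is case- and
    whitespace-sensitive, so the 'java\\nscript' spelling from the Samy worm
    slide passes straight through. Shown as the approach NOT to rely on."""
    text = re.sub(r"<\s*/?\s*script[^>]*>", "", text)
    return text.replace("javascript", "")


def encode_for_html(text):
    """Output encoding: <, >, &, double and single quotes become entities, so
    whatever the user typed is displayed as text and never parsed as markup."""
    return html.escape(text, quote=True)


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """White list: accept only the characters a username may contain and reject
    the rest. Nothing is 'cleaned'; bad input is refused outright."""
    if USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value


def is_valid_username(value):
    try:
        validate_username(value)
        return True
    except ValueError:
        return False


def render_search_page(query):
    """Reflected search page (the typical reflected-XSS spot from the earlier slide):
    the query is encoded at the moment it is placed into the HTML."""
    return "<p>Results for: " + encode_for_html(query) + "</p>"


if __name__ == "__main__":
    print(repr(blacklist_filter("java\nscript")))     # unchanged: the filter missed it
    print(render_search_page("<b>hello</b> & 'bye'"))
```

The encoder does not try to recognise anything dangerous; it treats every untrusted string the same way, which is why it has nothing to bypass. The white list does the complementary job at the input side: it says what a field may be, instead of guessing what it must not be.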
![Page 26: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/26.jpg)
PSU Webmail XSS
https://webmaillite.psu.edu/webmail/inbox.cgi?mailbox=
https://my.3c.ist.psu.edu/rrr174/xss.js
popMessage param (cookie)
Now what?
• Hijack web access session ID
• Steal email
• Go phishing
• Do anything the user can do
![Page 27: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/27.jpg)
View Passwords
```javascript
javascript:(function(){
  var s, F, j, f, i;
  s = "";
  F = document.forms;
  for (j = 0; j < F.length; ++j) {
    f = F[j];
    for (i = 0; i < f.length; ++i) {
      if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n";
    }
  }
  if (s) alert("Passwords in forms on this page:\n\n" + s);
  else alert("There are no passwords in forms on this page.");
})();
```
![Page 28: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/28.jpg)
CSRF (Sea-Surf)
Cross-site request forgery, also known as one click attack or session riding
Digg and Amazon have been targets
Prevention
• Include a secret, user-specific token in forms that is verified in addition to the cookie
• Users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session
![Page 29: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/29.jpg)
Injection Overview
• Many applications invoke interpreters
  • SQL
  • OS command shell (cmd.exe, perl)
  • Sendmail, LDAP, XPath, XSLT
• Interpreters take commands and data and execute the instructions
• Attacker can send malicious data or commands into your application, tricking it into behaving differently
• Frequently interpreters run as root or administrator
![Page 30: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/30.jpg)
SQL Injection - Example
Get rows from table based on user provided parameter:
"SELECT * FROM users WHERE SSN='" + ssn + "'"
• SSN goes from user to web application to database
• Never validated
• Attacker sends 123456789' OR '1'='1
• Application builds a query: SELECT * FROM users WHERE SSN='123456789' OR '1'='1'
• Returns every user in the database
Blind SQL Injection: http://www.0x90.org/releases/absinthe
![Page 31: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/31.jpg)
Prevent SQL Injection
• Validate user input
• Stored procedures
• Parameterized queries
• Connection strings (access control)
• Prevent DELETE and DROP queries
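An added example covering the example slide and this one together (not code from the slides): the concatenated query from the previous slide beside a parameterized one, plus input validation and a read-only connection, run against a constructed in-memory SQLite table. The table, its three rows and the nine-digit SSN rule are assumptions for the demo; SQLite's query_only pragma stands in for a restricted database login.

```python
import sqlite3

# Hypothetical demo, not code from the slides: the slide's concatenated query beside
# a parameterized one, with input validation and a read-only connection, against a
# constructed in-memory SQLite table.


def make_db():
    """Constructed sample data: three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (ssn TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("123456789", "Alice"), ("987654321", "Bob"), ("555555555", "Carol")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, ssn):
    """The slide's pattern: the user's value is pasted into the SQL text."""
    query = "SELECT * FROM users WHERE ssn='" + ssn + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, ssn):
    """The value travels separately from the SQL; it can only ever be compared
    as a string, never interpreted as part of the statement."""
    return conn.execute("SELECT * FROM users WHERE ssn=?", (ssn,)).fetchall()


def validate_ssn(ssn):
    """Input validation as a second layer: exactly nine ASCII digits, or reject."""
    if len(ssn) != 9 or not ssn.isascii() or not ssn.isdigit():
        raise ValueError("invalid SSN")
    return ssn


def restrict_to_reads(conn):
    """Connection-level access control: the application's account can read but not
    DELETE or DROP (SQLite's query_only pragma stands in for a restricted DB login)."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def can_delete(conn):
    """Report whether a DELETE succeeds on this connection."""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    payload = "123456789' OR '1'='1"      # the input shown on the example slide
    print(lookup_vulnerable(db, payload))      # all three rows
    print(lookup_parameterized(db, payload))   # []: no SSN equals that string
    print(can_delete(restrict_to_reads(make_db())))   # False
```

The parameterized lookup returns nothing for the slide's input because the whole string, quote and all, is compared against the ssn column as data. Validation rejects it earlier still, and the read-only connection limits what any query that does slip through can do, which is the "connection strings" and "prevent DELETE and DROP" items in practice.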
![Page 32: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/32.jpg)
Injection Demo
SQL Injection:
• Almost every IST student's web application is vulnerable
• https://my.3c.ist.psu.edu/jeb5010/customer.php?Name='%20OR%201=1--
Remote Code Execution:
• http://scripts.cac.psu.edu/pxn126/finger.cgi
![Page 33: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/33.jpg)
Conclusion
• Be aware of security threats
• Train yourself
• Assess security at every step of the SDLC
• Define unacceptable risks, then implement policy
• Ensure accountability
• Consider commercial solutions (get help)
![Page 34: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/34.jpg)
Where can I learn more?
• http://www.owasp.org/index.php/OWASP_Top_Ten_Project
• http://en.wikipedia.org/wiki/Category:Web_security_exploits
• http://www.spidynamics.com/spilabs/index.html
• http://ha.ckers.org
• http://johnny.ihackstuff.com/ghdb.php
• http://www.foundstone.com/resources/freetools.htm
• http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• http://blogged-on.de/xss
• http://leastprivilege.com
Download this presentation: http://my.3c.ist.psu.edu/rrr174/webappsec.ppt
![Page 35: Intro to Web Application Security](https://reader035.vdocuments.site/reader035/viewer/2022070315/554f5292b4c905423f8b52f9/html5/thumbnails/35.jpg)
Questions?
Ask questions and I'll try to answer them