"the web is broken" by bipin upadhyay

63
The Web Is Broken Why every feature is, in fact, a loophole!

Upload: bipin-upadhyay

Post on 01-Sep-2014

Category: Technology

DESCRIPTION

Can be used as an introductory presentation on web security basics. Runs from an introduction to attacks through to prevention tips, organized neatly. http://codeinmybug.wordpress.com/2007/10/12/the-web-is-broken/

TRANSCRIPT

Page 1: "The Web Is Broken" by Bipin Upadhyay

The Web Is Broken: Why every feature is, in fact, a loophole!

Page 2: "The Web Is Broken" by Bipin Upadhyay

Bipin Upadhyay http://projectbee.org

“The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure.”

Page 3

RoadMap

• Introduction

• Attacks

• The Arsenal

• Breaking the Web

• Preventing the Breakage

Page 4

RoadMap…

Page 5

Who Am I?

• I am SpiderMan

• Apart from that, I:

– am a part of ADMS

– work on WebAppSec

– am co-author of a yet to be released book

• I can be pinged @:

– http://blog.projectbee.org

– Om-[AT]-PROJectBee-[DOT]-org

Page 6

Web 1.0 versus Web 2.0

Page 7

Technologies Involved

Page 8

Fundamentals

Fundamentals, more or less, still the same

Page 9

Fundamentals…

[Diagram: User → Firewall / IDS → Web server (server-side scripts like PHP, ASP, JSP etc.) → Database]

Page 10

Network Sec. versus Web Sec.

[Diagram: Attacker → Firewall/IDS/IPS → Web Server. Of ports 0–65535, the firewall lets 80 and 443 through.]

Page 11

Network Sec. versus Web Sec…

[Diagram: Malicious OR Compromised Web Server → Firewall/NATed IP → Victim. Ports 0–65535; the browser connects outbound through the firewall.]

Page 12

How serious is the matter!

• 90% of web applications have serious vulnerabilities – Gartner Group

• 78% of attacks are at the web application level – Symantec

• XSS and SQLI replacing buffer overflows as the favourite hacker initiative – Mitre

• 8 or 9 out of every 10 sites vulnerable to XSS – WASC

Page 13

How serious is the matter!…

Page 14

How serious is the matter!…

Page 15

What’s @ Stake

• Money

• Data

• Reputation

• Faith/Trust

• and…

Page 16

What’s @ Stake…

• …

Page 17

It’s a Mythical World out there…

• Myths often prevail over rationality.

• Myths often are the cause of devastation.

Page 18

Myth Buster

• Myth: My developers have implemented security

• Reality: Security ain’t no feature dude! It’s a metric.

Page 19

Myth Buster…

• Myth: Security is a non-functional requirement

• Reality: By definition, yes!

Page 20

Myth Buster…

• Myth: We use blah-blah framework. We’re safe

• Reality: Frameworks are encouraged. The human brain isn’t.

Page 21

Myth Buster…

• Myth: Java is secure by design

• Reality: Maybe! But the web isn’t… nor is the human brain.

Page 22

Myth Buster…

• Myth: SSL is secure from sniffing

• Reality: Far from it. It’s difficult for sure, though

Page 23

Myth Buster…

• Myth: Stored procedures mean no SQL Injection

• Reality: Not always.

Page 24

Myth Buster…

• Myth: I use a firewall. I am safe.

• Reality: So what? Your browser ports are open.

Page 25

Myth Buster…

• Myth: I use the latest antivirus and my system is patched.

• Reality: Big Deal!!!

Page 26

Myth Buster…

• Myth: I browse the net from inside a LAN.

• Reality: Urghhh! Browser dude, browser!

Page 27

Myth Buster…

• Myth: Human stupidity is infinite

• Reality: There you go! ☺

Page 28

RoadMap…

Page 29

Injection Attacks

• A form of attack where the user input manipulates the underlying platform in an undesired way.

• Several variants:

– SQL Injection

– Command Injection

– LDAP Injection

– XPATH Injection

– XML Injection

– JSON Injection

Page 30

SQL Injections

Page 31

XSS

• OWASP Top 10 2007 #1

• Any type of user input that is reflected back to the user without being sanitized.

• Input can be HTML, CSS, or JavaScript

• Two kinds: Persistent & Non-Persistent XSS

Page 32

XSS…

• XSS attacks include, but are not limited to:

– Cookie Theft & Session Hijacking

– Site Defacement & Phishing

– Key logging

– History Theft

– Port Scanning

– CSRF & Web Worms

– DoS-ing

– … limited only by imagination

Page 33

CSRF

• Also called Unauthorized Requests.

• The server is punished/exploited for trusting the user.

• CSRF is, arguably, more dangerous than XSS.

• Doesn’t necessarily require JavaScript.

• OWASP Top 10 2007 #5 (also called the Sleeping Giant)

Page 34

Cookie Poisoning

• Cookies sometimes store confidential data

• This information can be manipulated for fun and profit, e.g., the price of a product on an ecommerce site

Page 35

HTTP Response Splitting

• Attacker splits the HTTP response into two.

• Watch out for redirection scripts using user input in response headers

• CR-LF (0x0d & 0x0a) is the key to response splitting

• Web/browser cache poisoning, XSS etc. attacks possible
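The check below is an added example for this page, not code from the deck: a redirect helper that refuses a target containing CR or LF, raw or percent-encoded, before the value ever reaches a response header. Function names and the sample targets are this example's own.

```python
import re
from urllib.parse import unquote

# Slide 35: a redirect script that copies user input into a response header
# lets CR-LF (0x0d 0x0a) terminate that header and start a second response.
# Helper names and the sample values below are constructed for this example.

_CR_OR_LF = re.compile(r"[\r\n]")


def header_value_is_safe(value: str) -> bool:
    """True only if the value has no CR/LF, raw or percent-encoded (%0d %0a)."""
    return not (_CR_OR_LF.search(value) or _CR_OR_LF.search(unquote(value)))


def build_redirect(target: str) -> list:
    """Header lines for a 302 redirect; refuse targets that could split it."""
    if not header_value_is_safe(target):
        raise ValueError("CR/LF in redirect target")
    return ["HTTP/1.1 302 Found", f"Location: {target}", ""]


def redirect_is_rejected(target: str) -> bool:
    """Convenience wrapper: did build_redirect refuse this target?"""
    try:
        build_redirect(target)
    except ValueError:
        return True
    return False


# Constructed samples: a normal target and two that carry a line break.
SAMPLES = {
    "ok": "/account/home",
    "raw_crlf": "/home\r\nX-Injected: 1",
    "encoded_crlf": "/home%0d%0aX-Injected: 1",
}
```

Rejecting the request outright is safer than stripping the line breaks, because a stripped value may still not be the URL the caller intended.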

Page 36

Google Hacking

• Search engines index all permissible documents inside the web tree

• This data can be recovered using special queries:

– site:<sitename>

– inurl:<string>

– intitle:<string>

– filetype:<string>

Page 37

Scary Cracks

• Credit Cards & Google

• Google.com UTF-7 XSS Vulnerability

• Yamanner

• “Samy is my Hero” OR Samy Worm

• Bank Of India Hack

• GMail CSRF Vulnerability

Page 38

RoadMap…

Page 39

The Arsenal

• A Web browser

• Textbox/Textarea

• Iframe

• TamperData/TamperIE

• WebScarab

• Fuzzer (Crowbar)

• Google

Page 40

RoadMap…

Page 41

Google Hacking

• Search engines index anything and everything

• Demo

Page 42

Exploiting Mistakes

• Client-side validation isn’t enough

• Demo

• “Clues in Codes/Comments”

• Demo

• Insecure implementation of “Forgot Password” feature

• Demo

Page 43

Exploiting Mistakes…

• Too verbose error messages

• Demo

• Cookies aren’t for sensitive data

• Demo

• Brute forcing session IDs

• Demo

Page 44

Exploiting Zero Days

• URI Vulnerabilities

• Demo

Page 45

Injection Attacks

• SQL Injections

• Demo

• Command Injection

• Demo

• XPATH Injection

• Demo

Page 46

XSS Family

• XSS (Cross Site Scripting)

• Demo

• XSS and encoding mistakes

• Demo

• CSRF, the sleeping Giant

• Demo

Page 47

HTTP Response Splitting

• Why is the user evil?

• Demo

Page 48

RoadMap…

Page 49

SDLC

• Integrate security into SDLC

[Diagram: Design → Coding → Testing → Deployment]

Page 50

Design Phase

• Stick to standards

• Encourage usage of well-proven frameworks

• Prefer Whitelisting over Blacklisting

• Prefer Onion Model over Garlic Model

Page 51

Coding Phase

• Do NOT trust the user.

• Do NOT rely on client-side validation.

• Prefer HttpOnly cookies to avoid cookie theft

• Use nonces to prevent CSRF

• Don’t just hash passwords, salt them too

• Avoid overly verbose/meaningful error messages
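Three of the slide's points in working form, as an added example for this page rather than the author's code: a single-use CSRF nonce checked in constant time, a salted password hash, and the HttpOnly cookie attribute. The in-memory session store and all function names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Slide 51: nonces against CSRF, salted password hashes, HttpOnly cookies.
# _sessions stands in for real server-side session storage (constructed here).
_sessions: dict = {}


def issue_csrf_nonce(session_id: str) -> str:
    """Mint a fresh, unguessable nonce for a form and tie it to the session."""
    nonce = secrets.token_urlsafe(32)
    _sessions.setdefault(session_id, set()).add(nonce)
    return nonce


def verify_csrf_nonce(session_id: str, submitted: str) -> bool:
    """Accept a nonce only for its own session and only once (no replay)."""
    nonces = _sessions.get(session_id, set())
    for nonce in list(nonces):
        if hmac.compare_digest(nonce.encode(), submitted.encode()):
            nonces.discard(nonce)
            return True
    return False


def csrf_roundtrip(session_id: str) -> tuple:
    """Issue one nonce; returns (first check passes, replay passes)."""
    nonce = issue_csrf_nonce(session_id)
    return (verify_csrf_nonce(session_id, nonce), verify_csrf_nonce(session_id, nonce))


def hash_password(password: str, salt: bytes = b"") -> str:
    """PBKDF2-SHA256 with a random 16-byte salt, stored as salt$hash (hex)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line with HttpOnly, so page scripts cannot read the session id."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; Path=/"
```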

Page 52

Coding Phase…

• Proper encoding can avoid most problems

• Input Encoding:

– prefer UTF-8 and ISO-8859-1

– refer http://ha.ckers.org/charsets.html

• Output Encoding:

– avoid rich HTML input from the user

– decimal encode input before displaying

– refer OWASP_Encoding_Project

Page 53

Coding Phase…

• Sanitize anything that comes from the user.

Page 54

Coding Phase…

• Filter Metacharacters:

– < (%3c), > (%3e)

– | (%7c), ` (%60)

– & (%26), ( (%28)

– CR/LF (%0d, %0a), ..

– / (%2f), \ (%5c)

• RegEx are your friend

• Use Stored Procedures

• Prefer usage of bind variables in SQL statements
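The "RegEx are your friend" and "bind variables" points together, as an added example for this page rather than the author's code: a whitelist check on a username, then a lookup that passes the value as a bound parameter so the database never parses user input as SQL. The table, rows and function names are constructed for this example.

```python
import re
import sqlite3

# Slide 54: validate with a regex, then query with bind variables.
# Whitelist (slide 50): only letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def username_is_valid(name: str) -> bool:
    """Whitelist check: reject anything outside the allowed character set."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


DB = make_db()


def find_role(name: str, conn: sqlite3.Connection = DB):
    """Return the role for a name, or None. The ? placeholder is a bind variable:
    the name is sent as data, so quotes inside it are just characters."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def lookup(name: str, conn: sqlite3.Connection = DB):
    """Defence in depth: validate first, then query with a bound parameter."""
    if not username_is_valid(name):
        return None
    return find_role(name, conn)
```

Even without the regex, the bound query returns no row for a value such as `x' OR '1'='1` because the whole string is compared against the name column as data.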

Page 55

Testing Phase

• Code Auditing:

– OWASP LAPSE plugin (Java)

– SPI Dynamics’ DevInspect (Java & .NET), etc.

• Web Application Scanners:

– w3af

– Watchfire AppScan

– SPI Dynamics’ WebInspect, etc.

• No substitute for an experienced human eye

Page 56

Deployment Phase

• Keep sensitive files out of the web tree; use robots.txt

• Set minimal permissions

• Keep the system patched & patched

• Use a Web Application Firewall:

– urlScan

– ModSecurity

– SecureIIS, etc.

…but, most importantly

Page 57

Education

Educate your developers.

Page 58

Final Words

• www was designed for information exchange

• Today, too much is at stake

• Ignorance is no longer bliss

• Take responsibility and…

Page 59

Final Words…

…be prepared.

“Do you know what HTML 5.0 and XHTML 2.0 have in store for us? You don't even want to know…”

–Ronald van den Heetkamp

Page 60

…and Finally,

String.fromCharCode(84,104,97,110,107,32,89,111,117,33)

i.e., Thank You! ☺

Page 61

Acknowledgements

• Lalit Patel (http://lalit.org) & Lucky (http://reboot.in)

• http://flickr.com

• http://flickr.com/photos/jeanetteb1/1400824517

• http://flickr.com/photos/jbhalper/334521840

• http://flickr.com/photos/hondawang/566041603

• http://flickr.com/photos/14018070@N08/1438910620

• http://flickr.com/photos/44368636@N00/76684587

• http://www.cyberpunkreview.com/images/matrixreloaded63.jpg

• www.flickr.com/photos/johnengler/211482969

• http://www.flickr.com/photos/lamkevin/458083458

• http://www.flickr.com/photos/beavis/459281241

• http://flickr.com/photos/briansolis/326278887

• http://www.flickr.com/photos/focus2capture/297232107

• http://flickr.com/photos/complexify/97303317

• http://flickr.com/photos/amyking/142161588

• http://xkcd.com/327/

Page 62

References

• http://search.yahoo.com (To be safer)

• http://0x000000.com

• http://ha.ckers.org

• http://sla.ckers.org

• http://gnucitizen.com

• XSS Attacks (Syngress Publications)

• PenTesting for Web Applications (Wrox)

• Hacking Exposed (Tata McGraw Hill)

• 19 Deadly Sins of Software Security (Tata McGraw Hill)

• OWASP & WASC

• David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes, Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, … and many more

Page 63

Got Questions???

Shoot them