
Securing Web Applications



Presentation Transcript


  1. Securing Web Applications, Part 1 of 2: Understanding Threats and Attacks

  2. Challenges When Implementing Security
     Attackers vs. Defenders
     • Attacker needs to understand only one security issue
     • Defender needs to secure all entry points
     • Attacker has unlimited time
     • Defender works with time and cost constraints
     Security vs. Usability
     • Secure systems are more difficult to use
     • Complex and strong passwords are difficult to remember
     • Users prefer simple passwords
     Security as an Afterthought
     • Developers and management think that security does not add any business value
     • Addressing security issues just before a product is released is very expensive

  3. Agenda
     • A closer look at top Web vulnerabilities:
       • Cross Site Scripting
       • Injection Flaws
       • Malicious File Execution
       • Insecure Direct Object Reference
       • Cross Site Request Forgery (CSRF)
       • Information Leakage and Improper Error Handling
       • Broken Authentication and Session Management
       • Insecure Cryptography
       • Insecure Communications
       • Failure to Restrict URL Access
     • Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/Top_10_2007

  4. Cross Site Scripting (XSS)
     • What is Cross Site Scripting?
       • Exploits applications that echo raw, unfiltered input to Web pages
       • Malicious code is echoed back into the HTML
       • Find a <form> field or query string parameter whose value is echoed to the Web page, put malicious script in it, and get a user to navigate to the page
     • Allows attackers to execute scripts
       • Can hijack user sessions
       • Deface web sites or insert hostile content
       • Conduct phishing attacks
       • Take over the user's browser

  5. Cross Site Scripting (XSS)
     • Three known types of cross site scripting
       • Reflected
       • Stored
       • DOM Injection

  6. Cross Site Scripting (XSS)
     • Reflected
       • A page reflects user-supplied data directly back to the user
       • Occurs when a site does not filter content before displaying it
       • Allows hidden site details such as session or authentication structure to be captured and potentially utilized

  7. Cross Site Scripting (XSS)
     • Stored / Sticky XSS
       • Stores hostile / non-approved data in a file or a database
       • Sometimes assumed that stored data is inherently safe
       • Internal attacks often exploit this assumption
     • Dangerous to systems such as:
       • Content Management Systems
       • Blogs or forums
       • Sites that allow users to see input by other users

  8. Cross Site Scripting (XSS)
     • DOM based attacks
       • JavaScript code is manipulated
       • Attacks can be a blend of various attacks
       • Generally carried out using JavaScript
       • Allows hackers to manipulate the rendered page
       • Manipulating the DOM tree
       • Can allow form data hijacking
       • Can occur without user interaction in complete transparency
       • Can utilize the XmlHttpRequest object (AJAX)
       • Can compromise checkout information

  9. Cross Site Scripting (XSS)
     • Cross Site Scripting Demo
       • Discovery using Reflected Method
       • Using Stored or Sticky Method
       • Non-Persistent Attack via Email
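The reflected and stored cases from slides 4 to 8 side by side, as an added Python example that is not part of the deck: a constructed in-memory guestbook whose comments are later shown to every visitor, rendered once by raw echo and once with output encoding. Function names and the sample markup are assumptions for illustration.

```python
import html

# Constructed store: comments are persisted exactly as submitted, which is
# normal; the defect is in how they are later written into the page.
_comments = []


def post_comment(text):
    """Stored XSS scenario: hostile input lands in the database."""
    _comments.append(text)


def render_comments_unsafe():
    """Vulnerable: untrusted data is concatenated straight into HTML."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in _comments) + "</ul>"


def render_comments_safe():
    """Fixed: every untrusted value is HTML-encoded for the context it
    lands in (here: element body / quoted attribute, so quote=True)."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in _comments)
    return "<ul>" + items + "</ul>"


def render_search_unsafe(query):
    """Reflected XSS scenario: a query-string parameter echoed raw."""
    return f"<p>Results for {query}</p>"


def render_search_safe(query):
    """Same page with the parameter encoded before it reaches the browser."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def contains_script_tag(markup):
    """Simple check used to show whether a script element survived rendering."""
    return "<script" in markup.lower()
```

Encoding must match the output context: the HTML-body encoding shown here is not sufficient for values written into JavaScript, URLs or CSS.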

  10. Cross Site Request Forgery
     • Simple and potentially devastating
     • Forces a logged-on victim's browser to send a request to a vulnerable web application
     • Then performs an action on behalf of the victim
     • Occurs when authorization is performed solely on automatically submitted credentials such as:
       • Session cookies
       • Basic authorization credentials
       • Source IP addresses
       • SSL certificates
       • Windows domain credentials

  11. Cross Site Request Forgery

  12. Cross Site Request Forgery
     • Cross Site Request Forgery Demo
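The mitigation for slides 10 to 12, as an added Python example rather than code from the deck: a state-changing handler that refuses to act on the session cookie alone and requires a per-session token that a cross-site page cannot read, with an optional Origin check. The session store, form layout and origin value are constructed assumptions.

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage: session id -> data.
_sessions = {}


def new_session():
    """Create a session and bind a random anti-forgery token to it."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in each state-changing form."""
    return _sessions[sid]["csrf_token"]


def handle_transfer(sid, form, origin=None, allowed_origin="https://bank.example"):
    """Money-transfer endpoint. The cookie (sid) is attached by the browser
    automatically, so it only proves who the victim is, not who built the
    request; the token proves the form came from our own page."""
    session = _sessions.get(sid)
    if session is None:
        return 401, "not logged in"
    # Defence in depth: browsers add Origin to cross-site POSTs.
    if origin is not None and origin != allowed_origin:
        return 403, "cross-site origin rejected"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing field simply fails the check.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"
```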

  13. Injection Flaws
     • SQL Injection flaws are common vulnerabilities
     • Occurs when external input is used in database commands
     • The supplied data changes the command being executed
     • Can allow attackers to create, read, update or delete data
     • Can potentially compromise an entire application

  14. Injection Flaws
     • Example exploit:
       • SELECT COUNT(*) FROM Users WHERE User = 'User' AND Password = 'Password'
       • The query relies on user-submitted information to perform the query
     • Malicious code can be submitted, for example where the input is: ' or 1 = 1 --
       • ' closes the preceding string in the SQL statement
       • or 1=1 matches every record in the table
       • -- comments out the remainder of the SQL statement
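The slide's login query run both ways, as an added Python example (not from the deck) against a constructed SQLite table: string splicing lets the ' or 1 = 1 -- input rewrite the WHERE clause, while a bound parameter keeps it as data. Plaintext passwords are kept only to mirror the slide's query.

```python
import sqlite3


def make_db():
    """Constructed sample table matching the Users query on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (User TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_unsafe(conn, user, password):
    """Vulnerable: user input becomes part of the SQL text, so the input
    can close the string, add OR 1=1 and comment out the password check."""
    sql = (
        "SELECT COUNT(*) FROM Users "
        f"WHERE User = '{user}' AND Password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, user, password):
    """Fixed: placeholders are bound by the driver; the statement's structure
    is fixed before any user data is seen, so quotes and -- are just bytes."""
    sql = "SELECT COUNT(*) FROM Users WHERE User = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0
```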

  15. Injection Flaws
     • SQL Injection Flaw Demos
       • Adding an Admin Account
       • Compromising Database Table Structure and Data
       • Defacing a Website

  16. Injection Flaws
     • Not limited to SQL Injection only
       • LDAP, XPATH, XXI, MX (Mail)
       • HTML Injection (XSS)
       • HTTP Injection (HTTP Response Splitting)

  17. Malicious File Execution
     • Occurs when the application is tricked into executing commands or creating files on the server
     • System allows potentially hostile input to be used with file or stream functions such as URLs or file system references
     • Can lead to arbitrary remote and hostile content being included or invoked by the server
     • Allows for remote code execution
     • Remote root installations or system compromises

  18. Insecure Direct Object Reference
     • Occurs when an internal implementation object is exposed, such as a:
       • File
       • Directory
       • Database record or key
       • URL
       • Form parameter
     • These can be manipulated if no access control check is in place

  19. Insecure Direct Object Reference
     • Applications expose internal objects to users
     • Parameter tampering allows references to be changed
     • Can violate the intended but unenforced access control policy
     • Any exposed application construct could be vulnerable
     • Code can be attacked when user input determines the location of the object
     • Using input parameters such as ../../…/ can allow an attacker to traverse the file system

  20. Insecure Direct Object Reference
     • Insecure Direct Object Reference Demo
       • Accessing Source Code
       • Accessing Sensitive Information
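The two checks slides 18 to 20 call for, as an added Python example that is not the deck's code: a download handler that canonicalises a user-supplied file reference so ../ chains cannot escape the document root, and then still enforces an ownership policy on the object itself. The base directory, ACL mapping and user names are constructed assumptions.

```python
import os


def resolve_download(base_dir, requested, current_user, acl):
    """Return the absolute path to serve, or None if the reference is not
    allowed. `acl` is a constructed mapping of relative path -> owning user;
    a real application would look this up in its data store."""
    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and symlinks; an absolute `requested`
    # value discards `base` in os.path.join, which the next check catches.
    candidate = os.path.realpath(os.path.join(base, requested))
    # Check 1: the canonical path must stay inside the document root.
    if os.path.commonpath([base, candidate]) != base:
        return None
    rel = os.path.relpath(candidate, base).replace(os.sep, "/")
    # Check 2: staying inside the root is not authorization. The caller must
    # be allowed to see this particular object, not just some object.
    if acl.get(rel) != current_user:
        return None
    return candidate


def resolve_download_unsafe(base_dir, requested):
    """Vulnerable form for comparison: the parameter selects the file directly."""
    return os.path.join(base_dir, requested)
```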

  21. Information Leakage and Improper Error Handling
     • Applications can unintentionally leak information about their configuration or internal workings
     • They can leak state information
     • Improper error handling exposes internal workings and implementation details
       • Stack traces
       • Failed SQL statements
       • Other debugging information
     • This information can help a hacker successfully exploit other vulnerabilities
     • This is an extremely common error and can occur if the web.config file is not properly configured

  22. Information Leakage and Improper Error Handling
     • Information Leakage and Improper Error Handling Demo
       • Too Much Info on Login Attempts
       • Too Much Error Information
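Both demo items from slides 21 and 22 in defensive form, as an added Python example (not the deck's code): a handler wrapper that keeps the stack trace in the server log and returns only a generic message with a reference id, plus a login response that does not reveal whether the username exists. The wrapper name and message text are assumptions.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def safe_handler(handler):
    """Wrap a request handler so an unhandled exception never reaches the
    client as a stack trace or failed SQL statement. The full detail goes to
    the server log under a reference id the user can quote to support."""
    def wrapped(*args, **kwargs):
        try:
            return 200, handler(*args, **kwargs)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            log.error("request %s failed:\n%s", ref, traceback.format_exc())
            return 500, f"An error occurred. Reference: {ref}"
    return wrapped


def unsafe_handler(handler):
    """Vulnerable equivalent: debug mode left on, internals sent to the client."""
    def wrapped(*args, **kwargs):
        try:
            return 200, handler(*args, **kwargs)
        except Exception:
            return 500, traceback.format_exc()
    return wrapped


def login_message(user_exists, password_ok):
    """One response for every failure, so repeated attempts cannot be used
    to enumerate valid usernames ("Too Much Info on Login Attempts")."""
    if user_exists and password_ok:
        return "Welcome"
    return "Invalid username or password"
```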

  23. Broken Authentication and Session Management
     • Improper authentication and session management
       • Use of pseudo random session values
       • Failing to protect credentials and session tokens after login
     • Can lead to hijacking of user or admin accounts
     • Undermine authorization and accountability controls
     • Can cause privacy violations

  24. Broken Authentication and Session Management
     • Generally ancillary functions cause problems, such as:
       • Logout
       • Password management
       • Timeout
       • Remember me
       • Secret question
       • Account update
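The session handling that slides 23 and 24 describe, done with a cryptographically random identifier, rotation at login, idle timeout and real logout, as an added Python example (not code from the deck). The in-memory store, the 15-minute limit and the injectable clock are constructed assumptions.

```python
import secrets
import time

SESSION_IDLE_SECONDS = 15 * 60  # assumed idle timeout

# Constructed server-side store: session id -> {"user", "last_seen"}.
_sessions = {}


def _clock(now):
    return time.time() if now is None else now


def create_session(user, now=None):
    """Identifiers come from the OS CSPRNG, not random.random() or a
    counter, so an attacker cannot predict another user's session id."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "last_seen": _clock(now)}
    return sid


def rotate_on_login(old_sid, user, now=None):
    """Issue a fresh id when the principal changes, so an id that was known
    before login (fixation) or captured earlier is worthless afterwards."""
    _sessions.pop(old_sid, None)
    return create_session(user, now)


def lookup(sid, now=None):
    """Resolve a session id to its user, expiring it after inactivity."""
    now = _clock(now)
    session = _sessions.get(sid)
    if session is None:
        return None
    if now - session["last_seen"] > SESSION_IDLE_SECONDS:
        _sessions.pop(sid)
        return None
    session["last_seen"] = now
    return session["user"]


def logout(sid):
    """Logout must invalidate server side; clearing the cookie is not enough."""
    _sessions.pop(sid, None)
```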

  25. Broken Authentication and Session Management
     • Broken Authentication and Session Management Demo
       • Displaying Others' Profile Information

  26. Insecure Cryptographic Storage
     • Correct use of data encryption tools is key to protection
     • Flaws can lead to disclosure of sensitive data and compliance violations
     • Some of the most common flaws include:
       • Not encrypting sensitive data
       • Insecure use of strong algorithms
       • Usage of weak / homegrown algorithms, a.k.a. "encraption"
       • Hard coding keys or not protecting them
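Stored credentials as the concrete case for slide 26, as an added Python example (not from the deck): a salted, iterated standard KDF for password storage beside the unsalted "encraption" shortcut it replaces. The iteration count and record format are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor; raise as hardware improves


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password):
    """Standard construction: per-password random salt and a slow KDF, so
    identical passwords hash differently and lookup tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant
    time so timing does not reveal how many bytes matched."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def homegrown_hash(password):
    """The anti-pattern: unsalted, fast, deterministic. Every user with the
    same password gets the same value, and one precomputed table cracks all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```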

  27. Insecure Communications
     • Unencrypted traffic can be sniffed
       • Can access conversation
       • Potentially expose sensitive information or credentials
       • Could risk exposing authentication or session token
     • Traffic sniffers can access credentials or sensitive information
       • Varies by network
     • Not using SSL for each authenticated request

  28. Failure to Restrict URL Access
     • Generally URL protection is based on authentication
     • Pages can still be accessed if not secured properly
     • Security by obscurity is not sufficient
       • Hidden URLs that are only available to certain users can be stumbled upon or discovered
     • Client side privilege authentication

  29. Failure to Restrict URL Access
     • Failure to Restrict URL Access Demo
       • Security by Obscurity
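A server-side, deny-by-default URL authorization check for slides 28 and 29, as an added Python example that is not the deck's code: roles come from the authenticated session, a request parameter claiming privilege is ignored, and a URL that is merely unlinked is still not reachable. The route-to-role map and status codes are constructed assumptions.

```python
# Constructed policy: every protected URL is listed with the roles that may
# reach it. Hiding a link in the menu is not an entry in this table.
ROUTE_ROLES = {
    "/admin/users": {"admin"},
    "/reports": {"admin", "analyst"},
    "/profile": {"admin", "analyst", "user"},
}


def authorize(path, session_roles, request_params=None):
    """Return the HTTP status the request should get.

    session_roles: roles the server attached to the session at login.
    request_params: the client's query/form data. It is accepted here only
    to make the point that it is never consulted; a client-supplied
    isAdmin=true is the "client side privilege authentication" flaw."""
    required = ROUTE_ROLES.get(path)
    if required is None:
        # Deny by default: unknown or "hidden" URLs are not served at all.
        return 404
    if not session_roles:
        return 401
    if not (required & set(session_roles)):
        return 403
    return 200


def authorize_unsafe(path, request_params):
    """Vulnerable form: trusts a flag the browser sent."""
    if path.startswith("/admin/") and request_params.get("isAdmin") != "true":
        return 403
    return 200
```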
