
Web Application Security


Presentation Transcript


  1. Web Application Security

  2. Web Application Security • Overview • Increase in deployment of web applications • Issues with secure web application development • Impact of Application Attacks • Top Web Application Threats • Conclusions

  3. Web Application Security • Many in-house applications are being migrated to web applications • Ease of accessibility • Ease of client deployment • Employee intranets • PeopleSoft and SAP recently converted to web applications • Customer portals • Support applications • Endless possibilities…

  4. Web Application Security • Traditional security protections do not address the complexity of web applications • Stateful inspection firewalls • Many IDS/IDP systems • Vulnerability Assessments • Because of this, new security products and services need to be developed to address the security problems inherent in web applications • Web application firewalls • Web application vulnerability assessments • Web application code review • Training and awareness

  5. Web Application Security • Issues with secure web application development • Protecting applications against threats • Ensuring access for authorized users • Ensuring availability and application performance • Applications need to be coded securely, but that is most often not the case • A Web application vulnerability assessment can uncover weaknesses in applications before malicious attackers do

  6. Web Application Security • Implications of Web Application attacks • Identity theft • Credit card theft • Website defacement • Unauthorized access • Password theft • Unauthorized modification of data • Data and information theft • Denial of service • Unauthorized access to back-end systems

  7. Types of Attacks • SQL Injection • Attack description • Allows execution of attacker-chosen SQL statements against the back-end database • Results in unauthorized disclosure and/or modification of data • Occurs when SQL statements are built by concatenating user-supplied data from the URL, headers, cookies or form variables into the query text • In some extreme cases, commands can be executed in the OS (e.g. via the xp_cmdshell extended stored procedure in MSSQL) • Countermeasures • Use parameterized queries (prepared statements) so that user data is bound as a value and never becomes part of the SQL text • Validate input against what the field should contain (positive validation) rather than searching it for SQL keywords; a payload such as ' OR '1'='1 contains none • Run the application's database account with the least privilege it needs • Deploy a web application firewall that provides protection against SQL Injection as a secondary control

  8. Types of Attacks • Command Injection • Attack description • Allows execution of commands in the web server OS, with the privileges of the web server process • Results in unauthorized access to the OS, including disclosure and modification of data, and may lead to privilege escalation • Occurs when command strings are constructed with user-supplied data, either through the URL, headers, or form variables, and handed to a shell, so that shell metacharacters (; | & $( ) `) in the data start new commands • Countermeasures • Avoid invoking a shell at all: call the program directly with an argument vector, so the user value can only ever be one argument • Validate input positively (e.g. against a host name pattern) rather than searching it for command names or metacharacters • Deploy a web application firewall that provides protection against Command Injection
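The shell-built command the slide describes beside a version that validates the parameter and calls the program with an argument vector, as an added example that is not part of the original slides. `echo` stands in for the network tool (ping, nslookup) a real "lookup" page would run, and the host names are constructed.

```python
"""Added example (not from the original slides): the shell-built command that
slide 8 describes beside a version that validates the parameter and calls the
program with an argument vector. `echo` stands in for the network tool (ping,
nslookup) a real page would run; the host names are constructed."""
import re
import subprocess

# Positive validation: RFC 1123-style host name labels joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(host: str) -> str:
    """The flaw: the parameter is pasted into a string that /bin/sh parses,
    so ';', '|', '&&' or $(...) in the input start a second command."""
    proc = subprocess.run("echo resolving " + host, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_argv_only(host: str) -> str:
    """No shell at all: the value reaches the program as one argument whatever
    characters it contains. This alone stops command injection."""
    proc = subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True)
    return proc.stdout


def lookup_safe(host: str) -> str:
    """Validate against what a host name may look like, then use argv form.
    The check rejects junk early and keeps the tool from seeing its own
    option syntax (a host of '-n' could otherwise be taken as a flag)."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("invalid host name: %r" % host)
    return lookup_argv_only(host)


def demo() -> dict:
    """Run one injection payload through all three versions."""
    payload = "example.com; echo INJECTED"
    try:
        validated = lookup_safe(payload)
    except ValueError:
        validated = "rejected"
    return {
        "vulnerable": lookup_vulnerable(payload).splitlines(),  # second command ran
        "argv_only": lookup_argv_only(payload).splitlines(),    # one literal argument
        "validated": validated,                                  # 'rejected'
        "legit": lookup_safe("example.com").splitlines(),
    }


if __name__ == "__main__":
    print(demo())
```

With `shell=True` the output has two lines because `; echo INJECTED` ran as a separate command; with the argv form the whole payload is printed back as one literal argument, and the validated version never reaches the tool at all.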

  9. Types of Attacks • Parameter & Form Tampering • Attack description • User manipulates parameters by setting them in the URL, editing the HTML form, or modifying the POST body with an intercepting proxy such as Achilles • Can result in bypassing authentication mechanisms, privilege escalation, unauthorized disclosure and/or modification of data • Countermeasures • Validate all information returned from the client on the server side; client-side checks (JavaScript, hidden fields, form length limits) can be removed by the user • Deploy a web application firewall that understands the parameters used for that application, their data types, acceptable lengths, acceptable ranges of values, etc.

  10. Types of Attacks • Directory Traversal & Forceful Browsing • Attack description • Attacker uses unchecked URL input parameters, cookies, and HTTP request headers to reach files outside of the allowed paths and directories, typically by inserting ../ sequences (possibly encoded, or written with backslashes) into a file name parameter • Attacker may also guess or brute-force unlinked paths and scripts that are known to be vulnerable (forceful browsing) • Results in unauthorized disclosure of and modification to the file system of the web server • Countermeasures • Validate all user input. Decode and canonicalize the value first, resolve the path, and require the result to stay under the intended directory; a check for the literal “../” alone misses encoded (%2e%2e%2f) and backslash variants • Deploy a web application firewall that knows the valid forms, paths and URLs for the particular web application that you are trying to protect

  11. Types of Attacks • Cross Site Scripting • Attack description • Attacker injects script into a page served by a vulnerable site; the site delivers it to other users’ browsers, where it runs with the site’s origin • Results in theft of session cookies and client data, may lead to identity theft and financial fraud • Countermeasures • Encode all user-supplied data on output for the context it lands in (HTML body, attribute, JavaScript, URL) so the browser treats it as text • Validate input as a secondary control. A filter that only looks for <SCRIPT> tags is not sufficient: event-handler attributes such as onerror need no script tag, and deleting a tag from the middle of a string can assemble another one • Deploy a web application firewall that inspects user-supplied input for script injection
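The <SCRIPT>-tag filter the slide recommends beside contextual output encoding, with two payloads that get past the filter, as an added example that is not part of the original slides. The template, the filter and the payloads are constructed for illustration.

```python
"""Added example (not from the original slides): the <SCRIPT>-tag filter that
slide 11 recommends beside contextual output encoding, with payloads that get
past the filter. The template, filter and payloads are constructed."""
import html
import re

SCRIPT_TAG_RE = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# Crude detector used only by the demo: a script tag, or a tag carrying an
# on* event-handler attribute, neither of which the template itself emits.
INJECTED_MARKUP_RE = re.compile(r"<script|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def strip_script_tags(user_input: str) -> str:
    """The blacklist: delete <script>...</script> tags and pass the rest."""
    return SCRIPT_TAG_RE.sub("", user_input)


def render_filtered(name: str) -> str:
    """Filtered but not encoded: whatever survives the filter is live markup."""
    return "<p>Hello, " + strip_script_tags(name) + "</p>"


def render_encoded(name: str) -> str:
    """HTML-body context: &, <, >, \" and ' become entities, so the browser
    shows the input as text no matter what it contains."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def markup_injected(page: str) -> bool:
    """True if attacker-controlled markup made it into the rendered page."""
    return INJECTED_MARKUP_RE.search(page) is not None


def demo() -> dict:
    """For each payload: did markup make it into the page under each scheme?"""
    payloads = {
        "plain_script": "<script>alert(1)</script>",        # the filter catches this one
        "event_handler": "<img src=x onerror=alert(1)>",    # no script tag needed
        "split_tag": "<scr<script>ipt>alert(1)</script>",   # removing the inner tag rebuilds the outer one
    }
    return {
        key: {
            "filtered": markup_injected(render_filtered(p)),
            "encoded": markup_injected(render_encoded(p)),
        }
        for key, p in payloads.items()
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

The filter stops the textbook payload and nothing else: the `onerror` handler never used a script tag, and the split-tag input is turned into `<script>alert(1)` by the very act of removing the inner tag. Encoding on output handles all three because `<` never reaches the browser as markup.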

  12. Types of Attacks • Session Hijacking • Attack description • Each user logged into a web application receives a unique session id from the web application. This allows the web app to keep state for the client • Attacker collects ids from repeated logins and looks for a predictable pattern (sequential values, timestamps, or a hash of one), or steals a valid id (e.g. through cross site scripting or an unencrypted connection) • Attacker then sets the session id either through parameters, cookies, or HTML code (depending on how the web app stores session ids) • Attacker now has a session id from another user’s valid session • Results in authentication bypass, unauthorized disclosure and modification, and privilege escalation

  13. Types of Attacks • Session Hijacking (continued) • Countermeasures • Use unpredictable session ids: at least 128 bits from a cryptographically secure random number generator. Hashing a predictable value with MD5 (or any other hash) does not make it unpredictable, since anyone who can guess the input can recompute the hash • Issue a new id at login and expire idle sessions • Deploy a web application firewall that protects session id data (cookies and/or form parameters). Some of these products encrypt, sign and time-stamp cookies, so that a modified or replayed value is detected • Cookie poisoning • Attack description • Attacker modifies cookie contents to escalate privileges or assume another user’s identity. See “Session Hijacking”
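Why hashing is not randomness, as an added example that is not part of the original slides: a server that mints session ids as MD5 of a counter, one that uses the OS CSPRNG, and the attacker routine that recovers the counter from its own id and predicts the next user's. The two servers, the starting counter and the attacker function are constructed for illustration.

```python
"""Added example (not from the original slides): why slide 13's advice to
build session ids with MD5 is not enough. Hashing a counter hides the counter
but adds no entropy; an attacker who gets one id recovers the counter offline
and predicts the next id. The servers and attacker routine are constructed."""
import hashlib
import secrets
from typing import Optional


class WeakSessionServer:
    """Issues MD5(counter): the ids look random but are enumerable."""

    def __init__(self, start: int = 1000) -> None:
        self.counter = start

    def new_session(self) -> str:
        self.counter += 1
        return hashlib.md5(str(self.counter).encode()).hexdigest()


class SafeSessionServer:
    """Issues 128 random bits from the OS CSPRNG; there is nothing to extrapolate."""

    def new_session(self) -> str:
        return secrets.token_hex(16)


def predict_next(observed_id: str, max_counter: int = 100_000) -> Optional[str]:
    """Attacker: log in, take your own id, brute-force the counter that
    produced it, and return the id the next login will receive (or None)."""
    for n in range(max_counter):
        if hashlib.md5(str(n).encode()).hexdigest() == observed_id:
            return hashlib.md5(str(n + 1).encode()).hexdigest()
    return None


def demo() -> dict:
    """Attacker logs in first, the victim second, on each server."""
    weak, safe = WeakSessionServer(), SafeSessionServer()
    attacker_id = weak.new_session()
    victim_id = weak.new_session()
    safe_attacker_id = safe.new_session()
    safe_victim_id = safe.new_session()
    return {
        "weak_hijacked": predict_next(attacker_id) == victim_id,   # True
        "safe_guess": predict_next(safe_attacker_id),               # None
        "safe_ids_distinct": safe_attacker_id != safe_victim_id,
        "safe_id_bits": len(bytes.fromhex(safe_victim_id)) * 8,     # 128
    }


if __name__ == "__main__":
    print(demo())
```

The weak server's ids pass a casual "looks random" inspection, yet the attacker predicts the victim's id with a few thousand hash computations. Against the CSPRNG-backed server the same search finds nothing, because no input to guess exists.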

  14. Types of Attacks • HTTP Header Manipulation • Attack description • Attacker alters HTTP request headers (Referer, User-Agent, Cookie, Host, etc.) to include meta-characters (see “SQL Injection” and “Command Injection”) or steal cookies. Headers are as much user input as form fields, but are often logged or stored without validation • Countermeasures • Validate all HTTP request headers the application uses, exactly as for URL and form parameters • Deploy a web application firewall that examines HTTP request headers for malicious input

  15. Types of Attacks • Hidden Form Field Tampering • Attack description • Applications may use hidden form fields for tracking state (session ids), authentication, price of item, etc. • Attacker can modify the HTML or modify the parameter value with a proxy such as Achilles • Results in privilege escalation, unauthorized disclosure and modification, possible session hijacking. Can also result in monetary loss (in the case of a field such as “price”) • Countermeasures • Don’t rely on hidden form fields for anything security-relevant; they are an ordinary client-controlled parameter that any proxy can edit • Keep authoritative values (price, user id, role) on the server and look them up by reference; if a value must round-trip through the client, sign it and check the signature and age when it comes back • Validate all information returned from the client • Deploy a web application firewall that understands the parameters used for that application, their data types, acceptable lengths, acceptable ranges of values, etc.
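The tamper-protected field that slides 13 and 15 describe (the WAF products' "sign and time-stamp" idea, and the price-in-a-hidden-field flaw), done in the application itself, as an added example that is not part of the original slides. The hidden field carries only an item id, an issue timestamp and an HMAC; the price is looked up server-side. The key, the catalog and the form values are constructed for illustration.

```python
"""Added example (not from the original slides): the tamper-protected field
that slides 13 and 15 describe, done in the application rather than a WAF.
A hidden field that must round-trip through the browser carries only an item
id, an issue timestamp and an HMAC; the price is looked up server-side.
The key, catalog and form values are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key-use-a-random-one"   # per-deployment secret
CATALOG = {"sku-100": 1999, "sku-200": 4999}             # price in cents, server side


def sign_field(data: dict, key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Serialize data plus a timestamp, base64 it, append HMAC-SHA256."""
    payload = dict(data, ts=int(time.time() if now is None else now))
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_field(token: str, key: bytes = SECRET_KEY, max_age: int = 900,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the MAC matches and it is fresh, else None."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):      # constant-time compare
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    current = time.time() if now is None else now
    if current - payload.get("ts", 0) > max_age:    # replay window
        return None
    return payload


def checkout_vulnerable(form: dict) -> int:
    """Slide 15's flaw: the hidden 'price' field is believed as sent."""
    return int(form["price"]) * int(form["qty"])


def checkout_safe(form: dict, now: Optional[float] = None) -> Optional[int]:
    """Only the signed item token is trusted, and only for its sku."""
    payload = verify_field(form["item"], now=now)
    if payload is None or payload.get("sku") not in CATALOG:
        return None
    return CATALOG[payload["sku"]] * int(form["qty"])


def demo() -> dict:
    """An honest form, a price-tampered copy, a forged token and a replay."""
    t = 1_700_000_000.0                          # constructed 'now'
    token = sign_field({"sku": "sku-200"}, now=t)
    honest = {"item": token, "price": "4999", "qty": "2"}
    cheap = dict(honest, price="1")
    forged = dict(honest, item=sign_field({"sku": "sku-200"}, key=b"guess", now=t))
    return {
        "vulnerable_total": checkout_vulnerable(cheap),    # 2
        "safe_total": checkout_safe(honest, now=t),        # 9998
        "forged": checkout_safe(forged, now=t),            # None
        "replayed": checkout_safe(honest, now=t + 3600),   # None: expired
    }


if __name__ == "__main__":
    print(demo())
```

The split matters: anything the server can recompute (the price) is never accepted from the client at all, and the one value that has to travel through the browser is accepted only when its MAC and timestamp check out. `hmac.compare_digest` is used so the comparison does not leak how many bytes of the MAC matched.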

  16. Types of Attacks • Error Message Interception • Attack description • Attacker sends input in an attempt to cause a program error • Program sends an error message back to the browser (through HTML) • Error message may reveal directories, OS and version, database and version, database field names and tables, parameter names • Gives attacker information necessary to execute other attacks (SQL Injection, Command Injection) • Countermeasures • Return a generic error page to the browser and log the details server-side; enable verbose error output and debugging only on development servers • Validate input to prevent errors from occurring • Deploy a web application firewall that understands the parameters used for that application, their data types, acceptable lengths, acceptable ranges of values, etc.

  17. Types of Attacks • Buffer Overflows • Attack description • Occurs when user-supplied input is copied into a fixed-size buffer without checking its length (native code: CGI programs, server modules, libraries) • Can crash the process or lead to remote code execution with the web server’s privileges • Countermeasures • Check the length of user-supplied input against the destination buffer; use bounded copy functions and keep native components patched • Deploy a web application firewall that knows the acceptable lengths and acceptable ranges of parameters • Format String Vulnerabilities • Attack description • Occurs when user-supplied input is passed as the format string argument of a printf-family function (printf(input) instead of printf("%s", input)) • Can leak memory contents or lead to remote code execution (the %n specifier writes to memory) • Countermeasures • Never use user input as a format string; pass it as an argument to a fixed format. Searching input for “%s” and “%x” is not a reliable defense, since other specifiers are just as usable • Deploy a web application firewall that checks for format string attacks

  18. Types of Attacks • Unicode and URL Encoding • Attack description • Attacker percent-encodes or Unicode-encodes the malicious part of a URL (e.g. %2e%2e%2f for ../, or double encoding such as %252e) so that a check on the raw string does not recognize it, while the web server or application decodes it before use • Bypasses security mechanisms that inspect input before it is decoded • Can lead to any of the attacks above (directory traversal, SQL injection, cross site scripting) • Countermeasures • Canonicalize before checking: decode exactly once, reject input that is still encoded after that pass or that is not valid UTF-8 (overlong sequences), and apply all validation to the decoded form • Deploy a web application firewall that decodes all URLs before inspection
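The decode-then-check order that slides 10 and 18 call for, in the application rather than a WAF, as an added example that is not part of the original slides: percent-decode the path exactly once, reject what is still encoded (double encoding) or is not valid UTF-8 (overlong sequences), then resolve the path and require it to stay under the document root. The document root and the file in it are constructed in a temporary directory, and `naive_check` stands in for the literal "../" test from slide 10.

```python
"""Added example (not from the original slides): the decode-then-check order
that slides 10 and 18 call for, in the application rather than a WAF.
Percent-decode the path exactly once, reject what is still encoded (double
encoding) or not valid UTF-8 (overlong sequences), then resolve the path and
require it to stay under the document root. The root directory and the file
in it are constructed in a temporary directory."""
import os
import tempfile
from urllib.parse import unquote


class BadPath(ValueError):
    pass


def canonicalize(raw: str) -> str:
    """One decoding pass, then refuse anything that still looks encoded."""
    try:
        decoded = unquote(raw, encoding="utf-8", errors="strict")
    except UnicodeDecodeError:
        # e.g. %c0%ae, an overlong encoding of '.'
        raise BadPath("not valid UTF-8 after decoding") from None
    if "%" in decoded:              # %25xx survived the pass: double encoding
        raise BadPath("double encoding")   # trade-off: file names may not contain '%'
    if "\x00" in decoded:           # NUL would truncate the path in C-based layers
        raise BadPath("NUL byte")
    return decoded.replace("\\", "/")


def naive_check(raw: str) -> bool:
    """Slide 10's literal test: True if the raw value contains '../'."""
    return "../" in raw


def safe_join(root: str, raw: str) -> str:
    """Resolve under root and reject anything that ends up elsewhere; realpath
    also follows symlinks, so a link inside root pointing outside is caught."""
    rel = canonicalize(raw).lstrip("/")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, target]) != root_real:
        raise BadPath("outside document root")
    return target


def demo() -> dict:
    """Classify constructed request paths; returns {path: (naive_flagged, outcome)}."""
    requests = [
        "docs/readme.txt",
        "docs/../docs/readme.txt",          # harmless, but the naive check flags it
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",         # encoded dots: naive check misses it
        "..%5c..%5cwindows%5cwin.ini",      # backslashes: naive check misses it
        "%252e%252e/%252e%252e/etc/passwd",
        "%c0%ae%c0%ae/etc/passwd",
        "docs/readme.txt%00.jpg",
    ]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        for raw in requests:
            try:
                target = safe_join(root, raw)
                outcome = "served" if os.path.isfile(target) else "not found"
            except BadPath as exc:
                outcome = "rejected: " + str(exc)
            results[raw] = (naive_check(raw), outcome)
    return results


if __name__ == "__main__":
    for raw, (flagged, outcome) in demo().items():
        print("%-36s naive=%-5s %s" % (raw, flagged, outcome))
```

Two of the traversal attempts sail past the literal "../" test and the one legitimate path that happens to contain "../" is flagged by it; resolving the canonical path and checking containment gets all eight right. Rejecting any `%` left after the single decoding pass is what closes the double-encoding route, at the cost of not being able to serve file names that contain a literal percent sign.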

  19. Types of Attacks • Web Services Attacks • Web services – SOAP, UDDI, WSDL • New breed of web application • Components interacting with one another • Require authentication, authorization, encryption, integrity • Peer relationships (not client to server). Peers are web services components that must authenticate to one another, encrypt communications between one another, and check permissions for allowed access

  20. Types of Attacks • Denial of Service • SSL Hacking • Attacks against Web Servers (IIS, Apache) • Operating System Attacks (Windows, UNIX, Linux, etc.)

  21. Web Application Security • OWASP Top Ten • Unvalidated Input - Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application. • Broken Access Control - Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users’ accounts, view sensitive files, or use unauthorized functions.

  22. Web Application Security • OWASP Top Ten • Broken Authentication and Session Management - Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities. • Cross Site Scripting (XSS) Flaws - The web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.

  23. Web Application Security • OWASP Top Ten • Buffer Overflows - Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components. • Injection Flaws - Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.

  24. Web Application Security • OWASP Top Ten • SQL Injection - Attacker creates or alters existing SQL commands. A serious threat for database-driven sites. • Direct OS/system command injection - Attacker injects system commands into HTML forms, cookies, or URL parameters. Attacker can execute system-level functions. • Meta character injection - Attacker inserts meta characters into URL-encoded parameters in query strings to exploit known security holes. Certain characters (such as ~ or =) have special meanings in certain scripts and applications. The risk varies with OS and application.

  25. Web Application Security • OWASP Top Ten • Improper Error Handling - Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server. • Insecure Storage - Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.

  26. Web Application Security • OWASP Top Ten • Denial of Service - Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail. • Insecure Configuration Management - Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.

  27. Web Application Security • Traditional Network Security and Web Applications • Firewalls – usually only inspect up to the transport layer, and the web ports have to be open anyway • IDS/IPS – will not prevent/detect application-specific attacks, since the traffic looks like ordinary HTTP requests • AntiVirus – same problem as IDS and IPS • OS Patches – fix the platform, not flaws in the application’s own code

  28. Web Application Security • New solutions are needed • Web application firewalls – they focus on the web application layer and learn what input is valid for a specific application. Rules are generated based on valid inputs • Web Application Scanners – test web applications for vulnerabilities • Web Application Security Assessments – go further than a network-layer penetration test and examine the specific web application. Highly customized service • Web application security training & awareness • Secure programming practices

  29. Web Application Security • Tools • WebScarab http://www.owasp.org/development/webscarab • WebGoat http://www.owasp.org/development/webgoat • Lilith http://angelo.scanit.biz/ • Nikto http://www.cirt.net/code/nikto.shtml • Achilles http://packetstormsecurity.org/web/achilles-0-27.zip

  30. Web Application Security • Conclusions • Web application vulnerability assessments and web application scanners will check for many of these types of attacks; scanners find the generic ones, while business-logic flaws need a manual assessment • Web application firewalls can block many of these attacks before they reach the web server, but they are a second layer, not a substitute for secure code • Web application developers need to be trained in secure programming practices • IT personnel responsible for the security of web servers need to understand the risks • Training & awareness

  31. Web Application Security • Links • OWASP http://www.owasp.org • CGI Security http://www.cgisecurity.com/ • Improving Web Application Security: Threats and Countermeasures (ASP.NET) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/threatcounter.asp • Web Application Security mailing list http://www.securityfocus.com/archive/107


  33. Contact Information James Kist Network Security Corp. 405 North French Road, Suite 100 Amherst, NY 14228 Phone: (716) 692-8183 Fax: (716) 692-8301 www.nsec.net kist@nsec.net
