
Web Application Security training



  1. Web Application Security training

  2. Agenda • Introduction • OWASP: a quick review • Common vulnerabilities and solutions (Hacking demos) • Best practices

  3. Agenda • Introduction • OWASP: a quick review • Common vulnerabilities and solutions (Hacking demos) • Best practices

  4. Introduction • What is application security? • Definition: "Information security is a process to protect data against unauthorized access, use, dissemination, destruction or modification." (Wikipedia)

  5. Introduction • Extended definition: the software part integrated into information systems that manages: • information security • the integrity of the IS • the confidentiality of the IS

  6. Introduction • What is at stake? • IS = business core • IS = data set (sensitive data) • Consequences in case of: • Data theft (sale to a competitor) • Data violation (deletion / modification) • Degradation of services

  7. Introduction • Web application source code, independent of languages and platforms, is a major source of vulnerabilities.

  8. Agenda • Introduction • OWASP: a quick review • Common vulnerabilities and solutions (Hacking demos) • Best practices

  9. OWASP (1/2) • What is OWASP? • OWASP = Open Web Application Security Project • A standard for performing application-level security verifications • A Guide: a document that provides detailed guidance on web application security

  10. OWASP (2/2): TOP 10

  11. Agenda • Introduction • PCI DSS: a quick review for developers • Common vulnerabilities and solutions (Hacking demos) • Best practices

  12. Common vulnerabilities: OWASP TOP 10

  13. Common vulnerabilities A1: Injection

  14. Common vulnerabilities A1: SQL Injection (login bypass example)
      Topology: Workstation / Browser -> Firewall -> Web Server (80 / 443, Web App) -> Firewall -> Database Server
      1. HTTP Request (attack):
         POST http://www.mysite.com/login.asp HTTP/1.1
         login=admin&pwd=' or 1=1--
         HTTP Request (legitimate, for comparison):
         POST http://www.mysite.com/login.asp HTTP/1.1
         login=admin&pwd=Ultra-s3cur3-p@ssw0rd!
      2. HTTP request parsing
      3. SQL Query (attack):
         select * from users where login ='admin' AND password='' or 1=1--'
         SQL Query (legitimate):
         select * from users where login ='admin' AND password='Ultra-s3cur3-p@ssw0rd!'
      4. SQL Answer:
         ID | LOGIN | ROLE
         1  | admin | superuser
      5. Server page:
         <html>
         <%if (sqlResults.isEmpty()){%> <h1>Access Denied</h1> <%}else{%> <h1>Hello user<%=login%></h1> <%}%>
         </html>
      6. HTTP Response:
         HTTP/1.x 200 OK
         Content-Type: text/html
         Content-Length: 2000
         <html> <h1>Hello user admin</h1> </html>

  15. Common vulnerabilities A1: SQL Injection (demos) • Demo: SQL injection

  16. Common vulnerabilities A1: Injection

  17. Common vulnerabilities A1: Injection • Solution (2/2)

  18. Common vulnerabilities A1: Injection • Demo: Solution
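The login-bypass query from slide 14 beside its parameterized fix, as an added example that is not part of the original deck; the in-memory SQLite users table is constructed here and stands in for the slide's database server.

```python
import sqlite3

def make_users_db():
    # Constructed sample data: an in-memory users table standing in for the slide's
    # database server, holding the one row the slide's SQL answer shows.
    # (The password is stored in clear text only because the slide does; see A8.)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, login TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'Ultra-s3cur3-p@ssw0rd!', 'superuser')")
    return db

def login_vulnerable(db, login, pwd):
    # The slide's login.asp pattern: the query is built by string concatenation, so the
    # pwd value becomes part of the SQL grammar. A value of  ' or 1=1--  turns the WHERE
    # clause into  password='' or 1=1  and comments out the trailing quote.
    query = ("select * from users where login ='" + login +
             "' AND password='" + pwd + "'")
    return db.execute(query).fetchall()

def login_safe(db, login, pwd):
    # Fix: a parameterized query. The driver binds the values separately from the SQL
    # text, so the same pwd string is compared literally against the stored password.
    query = "select * from users where login = ? AND password = ?"
    return db.execute(query, (login, pwd)).fetchall()

def access_granted(rows):
    # Mirrors the slide's server page: empty result -> Access Denied, otherwise Hello user.
    return len(rows) > 0
```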

  19. Common vulnerabilities A2: Cross-Site Scripting (XSS)

  20. Common vulnerabilities A2: Cross-Site Scripting (identity theft example)
      • Hacker -> Web Server: /editObject.asp?id=100&newTitle=<javascript>alert(document.cookie)</script>
      • Web Server -> Database Server (storage): the new title is stored as submitted
      • Victim -> Web Server: /showObject.asp?id=100
      • Web Server -> Victim:
        <html><body> <h1>Article 100</h1> <javascript> alert(document.cookie) </script> </body></html>
      • Victim's browser -> Hacker: /cookie.cgi?SESSIONID=002E42EF3CBRA29F3

  21. Common vulnerabilities A2: XSS (demos) • Demo: XSS Attack

  22. Common vulnerabilities A2: Cross-Site Scripting (XSS)

  23. Common vulnerabilities A2: XSS (demos) • Demo: Solution
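The /showObject.asp page from slide 20 rendered with and without output encoding, plus the HttpOnly cookie flag that keeps document.cookie out of reach, as an added example that is not part of the original deck; the stored title value is constructed here.

```python
import html

# Constructed sample: a stored title as it would be read back from storage when
# /showObject.asp?id=100 is rendered (the slide's newTitle parameter, stored unchanged).
STORED_TITLE = "<script>alert(document.cookie)</script>"

def render_article_vulnerable(article_id, title):
    # The slide's pattern: stored data is concatenated into the page unchanged, so the
    # browser parses the title as markup and executes the script.
    return "<html><body><h1>Article %d</h1>%s</body></html>" % (article_id, title)

def render_article_encoded(article_id, title):
    # Fix: output encoding for the HTML body context. < > & " ' become entities, so the
    # browser displays the title as text instead of executing it.
    safe_title = html.escape(title, quote=True)
    return "<html><body><h1>Article %d</h1>%s</body></html>" % (article_id, safe_title)

def session_cookie_header(session_id):
    # Defence in depth: HttpOnly stops document.cookie from exposing the session id,
    # so even a successful injection cannot send it to /cookie.cgi as the slide shows.
    return "Set-Cookie: SESSIONID=%s; HttpOnly; Secure; SameSite=Lax" % session_id

def contains_script_tag(page):
    # Crude check used for the comparison: a literal <script tag in the output means
    # the stored data reached the browser as markup rather than as text.
    return "<script" in page.lower()
```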

  24. Common vulnerabilities A3: Broken Authentication and Session Management

  25. Common vulnerabilities A3: Broken Authentication and Session Management • Demo

  26. Common vulnerabilities A4: Insecure Direct Object References

  27. Common vulnerabilities A4: Insecure Direct Object References • Parameter tampering: authorization bypass example
      /listMyAccounts.asp
        Web Server -> Database Server: "select * from account where owner="+session(userid)
        ID | ACCOUNT | BALANCE
        12 | check   | 1 000 €
        30 | saving  | 20 000 €
        Response: <html><body> <h1>List of accounts</h1> <a href=/account.asp?id=12>Check</a> <a href=/account.asp?id=30>Saving</a> </body></html>
      /account.asp?id=12 (link from the list) tampered to /account.asp?id=15
        Web Server -> Database Server: select * from account where id=15
        ID | ACCOUNT    | BALANCE
        15 | bill gates | 999 999 999 €
        Response: <html><body> <h1>Bill gates private account</h1> […] </body></html>

  28. Common vulnerabilities A4: Insecure Direct Object References • Demo
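The /account.asp lookup from slide 27 beside a version scoped to the authenticated owner, as an added example that is not part of the original deck; the in-memory SQLite account table mirrors the slide's rows and is constructed here.

```python
import sqlite3

def make_accounts_db():
    # Constructed data mirroring the slide: accounts 12 and 30 belong to the logged-in
    # user (owner 1); account 15 belongs to another customer (owner 2).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (id INTEGER, owner INTEGER, name TEXT, balance INTEGER)")
    db.executemany("INSERT INTO account VALUES (?, ?, ?, ?)", [
        (12, 1, "check", 1000),
        (30, 1, "saving", 20000),
        (15, 2, "bill gates", 999999999),
    ])
    return db

def list_my_accounts(db, session_userid):
    # /listMyAccounts.asp from the slide: rows are selected by the session's user id.
    rows = db.execute("select id from account where owner = ?", (session_userid,))
    return [row[0] for row in rows]

def get_account_vulnerable(db, account_id):
    # The slide's /account.asp: the id parameter is trusted as-is, so changing id=12
    # to id=15 in the URL returns another customer's account.
    return db.execute("select * from account where id = ?", (account_id,)).fetchone()

def get_account_checked(db, session_userid, account_id):
    # Fix: the lookup is scoped to the authenticated owner, so an id the user does not
    # own yields no row; the caller treats None as "not found" (no hint that it exists).
    return db.execute(
        "select * from account where id = ? and owner = ?",
        (account_id, session_userid),
    ).fetchone()
```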

  29. Common vulnerabilities A5: Cross Site Request Forgery (CSRF)

  30. Common vulnerabilities A5: Cross Site Request Forgery (CSRF)
      • A customer is connected to his bank web site (bank.com) and to another (already hacked) web site (blog.net)
      • Hackers have created a malicious news item on Blog.net
      • It contains the following link: <img src="https://bank.com/transfert.asp?Montant=2500&compteDestination=25302252232552">
      • When the customer reads this news, an authenticated request is sent to his bank web site: https://bank.com/transfert.asp?Montant=2500&compteDestination=25302252232552
      • One fraudulent transfer has been processed (due to the CSRF vulnerability)

  31. Common vulnerabilities A5: Cross Site Request Forgery (CSRF) • Demo

  32. Common vulnerabilities A5: Cross Site Request Forgery (CSRF)

  33. Common vulnerabilities A5: Cross Site Request Forgery (CSRF)

  34. Common vulnerabilities A5: Cross Site Request Forgery (CSRF) • Demo • Solution
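A synchronizer-token check for the /transfert.asp endpoint of slide 30, as an added example that is not part of the original deck; the session dict and the handler signature are assumptions standing in for the bank's server-side session store and framework.

```python
import hmac
import secrets

def issue_token(session):
    # Generate an unguessable per-session token and keep it server-side (the session
    # dict is a hypothetical stand-in for the bank's session store).
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def transfer_form(session):
    # The legitimate transfer page embeds the token in a hidden field. A page on
    # blog.net cannot read it: the same-origin policy keeps bank.com's HTML private,
    # while the browser still attaches cookies to the forged <img> request.
    return ('<form method="POST" action="/transfert.asp">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="Montant"><input name="compteDestination"></form>'
            % issue_token(session))

def handle_transfer(session, method, params):
    # Server-side check for /transfert.asp; returns a short status string.
    if method != "POST":
        # The slide's <img> link is a GET: state changes must not be reachable that way.
        return "rejected: state change must not be reachable by GET"
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    return "ok: transfer of %s to %s" % (params["Montant"], params["compteDestination"])
```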

  35. Common vulnerabilities A6 – Security Misconfiguration

  36. Common vulnerabilities A6 – Security Misconfiguration (ex)

  37. Common vulnerabilities A6 – Security Misconfiguration

  38. Common vulnerabilities A6 – Security Misconfiguration (ex) • Demo • Access to jsp pages

  39. Common vulnerabilities A7 – Failure to Restrict URL Access

  40. Common vulnerabilities A7 – Failure to Restrict URL Access • Attacker notices the URL indicates his role: /user/getAccounts • He modifies it to another directory (role): /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own

  41. Common vulnerabilities A8 – Insecure Cryptographic Storage

  42. Common vulnerabilities A8 – Insecure Cryptographic Storage

  43. Common vulnerabilities A8 – Insecure Cryptographic Storage (illustration: business functions Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce running on custom code, with log files)
      1. Victim enters credit card number in form
      2. Error handler logs CC details because merchant gateway is unavailable
      3. Logs are accessible to all members of IT staff for debugging purposes
      4. Malicious insider steals 4 million credit card numbers

  44. Common vulnerabilities A8 – Insecure Cryptographic Storage • Demo • Solution
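The error handler from step 2 of slide 43 rewritten so that card numbers never reach the log file, as an added example that is not part of the original deck; the field names, the log list and the sample card value are constructed here.

```python
import re

# Card numbers (PANs): 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Hypothetical request fields that must never be written to a log at all.
SENSITIVE_FIELDS = {"card_number", "cvv", "expiry"}

def mask_pan(text):
    # Replace every card number in the text with a masked form that keeps only the
    # last four digits, so the log stays useful for debugging without holding PANs.
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)

def log_gateway_error(log, exc, request_params):
    # Error handler for the "merchant gateway unavailable" case. Sensitive fields are
    # dropped entirely, and any remaining value is scrubbed in case a PAN was pasted
    # into a free-text field. Returns the line that was written.
    kept = {k: mask_pan(str(v)) for k, v in request_params.items()
            if k not in SENSITIVE_FIELDS}
    line = "gateway unavailable: %s params=%s" % (exc, kept)
    log.append(line)
    return line
```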

  45. Common vulnerabilities A9 – Insufficient Transport Layer Protection

  46. Common vulnerabilities A9 – Insufficient Transport Layer Protection (illustration: External Victim, External Attacker, Internal Attacker, Employees, Backend Systems, Custom Code)
      1. External attacker steals credentials and data off network
      2. Internal attacker steals credentials and data from internal network

  47. Common vulnerabilities A10 – Unvalidated Redirects and Forwards

  48. Common vulnerabilities A10 – Unvalidated Redirects and Forwards

  49. Agenda • Introduction • PCI DSS: a quick review for developers • Common vulnerabilities and solutions (Hacking demos) • Best practices

  50. Best practices: Security principles (1/10) INPUT IS EVIL • It is better to assume that users or external systems that communicate with your application may one day be harmful to it • E.g.: • A user who tries to input unexpected data in a form • A partner's system, with privileged access to one of your applications, that is compromised by a hacker or worm and tries to attack your network • VALIDATE, VALIDATE, VALIDATE!!!
