
Web Application Security

DPT Security Day [27.06.2009]. Web Application Security. Ivan Markovic <ivan.markovic@netsec.rs>. Web Application Security. Web applications … - Why are they dangerous? - Protection [secure code, firewall, encryption] - Where does the problem arise?





Presentation Transcript


  1. DPT Security Day [27.06.2009] Web Application Security Ivan Markovic <ivan.markovic@netsec.rs>

  2. Web Application Security Web applications … - Why are they dangerous? - Protection [secure code, firewall, encryption] - Where does the problem arise? - Common attack methods [Cross site scripting & SQL injection] - Common protection methods [built-in functions, magic_quotes, waf]

  3. Web Application Security Non-standard attack methods: 1. HTTP polluting 2. ClickJacking 3. Javascript Obfuscation 4. Blind SQL injection 5. SQL Column Truncation Vulnerabilities

  4. Web Application Security Non-standard attack methods: 1. HTTP polluting --- Query String --- Injection triggered by query string delimiters --- Impact: Override existing hardcoded HTTP parameters, Modify the application behaviour, Access and potentially exploit uncontrollable variables, Bypass input validation checkpoints and WAF rules

  5. Web Application Security 1. HTTP polluting [Server behaviour]

  6. Web Application Security 1. HTTP polluting [Examples] ModSecurity - HPPed!
     - While the following query is properly detected: /index.aspx?page=select 1,2,3 from table where id=1
     - Using HPP, it is possible to bypass the filter: /index.aspx?page=select 1&page=2,3 from table where id=1
     - This technique could potentially be extended to obfuscate attack payloads

  7. Web Application Security 1. HTTP polluting [Examples]
     - HPP Client Side is about injecting additional parameters into links and other src attributes
     - Suppose the following code:
       <? $val = htmlspecialchars($_GET['par'], ENT_QUOTES); ?>
       <a href="/page.php?action=view&par=<?=$val?>">View Me!</a>
     - There's no XSS, but what about HPP?
     - It's just necessary to send a request like http://host/page.php?par=123%26action=edit
     - To obtain <a href="/page.php?action=view&par=123&amp;action=edit">View Me!</a>

  8. Web Application Security 1. HTTP polluting [Examples] MS IE8 XSS Filter Bypass - HPPed!
     - IE8 checks the query string parameters against XSS regexps, and also searches for the same patterns in the output
     - When there's a .NET application, multiple occurrences of a parameter are joined using ","
     - So param=<script&param=src="...."> becomes <script,src="..."> in HTML
     - As you can imagine, it bypasses the IE8 XSS filter
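The three HPP slides above hinge on one fact: different server stacks collapse a repeated parameter differently (first wins, last wins, or ASP.NET-style comma joining), and a link built by HTML-escaping alone still lets "&" act as a query delimiter once the browser decodes the href. The following Python is an added example written for this transcript, not code from the slides; the query strings are constructed from the slides' examples, and the "first"/"last"/"join" policies are a model of the behaviours the slides describe, not a catalogue of any specific product.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample query strings, modelled on the slides' examples.
HPP_QUERY = "page=select 1&page=2,3 from table where id=1"
IE_QUERY = 'param=<script&param=src="x">'


def parse_all(qs):
    """Every value of every key, in order, without collapsing duplicates."""
    return parse_qs(qs, keep_blank_values=True)


def resolve(qs, policy):
    """Collapse duplicate parameters the way different server stacks do.

    'first' and 'last' model stacks that keep one occurrence; 'join' models
    the comma-joining behaviour the slides attribute to ASP.NET.
    """
    out = {}
    for key, values in parse_all(qs).items():
        if policy == "first":
            out[key] = values[0]
        elif policy == "last":
            out[key] = values[-1]
        elif policy == "join":
            out[key] = ",".join(values)
        else:
            raise ValueError("unknown policy: %s" % policy)
    return out


def polluted_params(qs):
    """Keys that appear more than once: the signal a WAF or the application
    should act on (reject or log the request) before any content filter runs,
    since the filter and the backend may otherwise see different values."""
    return sorted(k for k, v in parse_all(qs).items() if len(v) > 1)


def naive_link(action, par):
    """The slide's pattern: HTML-escape only. '&' becomes '&amp;', which the
    browser decodes back to '&' when following the link, so the value can
    smuggle an extra parameter into the query string."""
    return "/page.php?action=%s&par=%s" % (action, html.escape(par, quote=True))


def safe_link(action, par):
    """Percent-encode the value as a query-string component first, then
    HTML-escape the whole href. '&' inside the value becomes %26 and can no
    longer act as a delimiter."""
    query = urlencode({"action": action, "par": par})
    return "/page.php?" + html.escape(query, quote=True)


def effective_action(href):
    """What a 'last wins' backend sees after the browser follows the link:
    unescape the href as HTML, then resolve the query string."""
    qs = html.unescape(href).split("?", 1)[1]
    return resolve(qs, "last").get("action")


if __name__ == "__main__":
    print(resolve(HPP_QUERY, "join"))          # the comma-joined SQL the filter never saw
    print(polluted_params(HPP_QUERY))         # ['page']
    print(effective_action(naive_link("view", "123&action=edit")))  # edit
    print(effective_action(safe_link("view", "123&action=edit")))   # view
```

The defensive point is in `polluted_params` and `safe_link`: decide explicitly what a repeated parameter means (normally: reject it), and encode values for the context they are placed in (`urlencode` for the query string, then HTML escaping for the attribute), rather than relying on one escaping step to cover both.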

  9. Web Application Security 2. ClickJacking - A vulnerability that interacts with functions on other websites - How does it work?

  10. Web Application Security 2. ClickJacking - How does it work?

  11. Web Application Security 2. ClickJacking - A vulnerability that interacts with functions on other websites - How does it work? - Why it is dangerous -- Phishing -- Local system access -- Click fraud

  12. Web Application Security 3. Javascript Obfuscation - Ways to make a string - Make JavaScript with no alphanumeric chars that could execute alert(1) on Firefox

  13. Web Application Security 4. Blind SQL injection - How it works - Examples -- Searching for equal values -- Extracting data character by character -- Guessing tables

  14. Web Application Security 5. SQL Column Truncation Vulnerabilities
     - By default MySQL will truncate strings longer than the defined maximum column width and only emit a warning. Those warnings are usually not seen by web applications and therefore not handled at all.
     - Potential risk [example]:
       * The application is a forum where new users can register
       * The administrator's name is known, e.g. 'admin'
       * MySQL is used in the default mode
       * There is no application restriction on the length of new user names
       * The database column username is limited to 16 characters
       * There is a function isAlreadyRegistered (SELECT * FROM user WHERE username = ?)
       * Vulnerable function:
         if (isPasswordCorrect($username, $password)) {
             $userdata = getUserDataByLogin($username);
             ...
         }
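The slide's scenario can be played through end to end: a registration check that runs on the untruncated name, an INSERT that silently stores only the first 16 characters, and a login that fetches the authenticated row and the user record by two separate name lookups. The following Python is an added example written for this transcript, not code from the slides. It uses SQLite purely as a stand-in: SQLite neither truncates nor pads, so the truncation is simulated before the INSERT, and the `RTRIM` comparisons are an assumption modelling MySQL's default PAD SPACE collations, in which trailing spaces are not significant when strings are compared. The hardened variants show the two checks a practitioner wants: refuse anything that cannot be stored exactly, and never re-look-up the user by name after authenticating.

```python
import sqlite3

COLUMN_WIDTH = 16  # width of the username column on the slide


def open_db():
    """Fresh in-memory table with the known administrator account (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO user (username, password) VALUES (?, ?)",
               ("admin", "real-admin-secret"))
    return db


def mysql_like_insert(db, username, password):
    """Models MySQL in its default (non-strict) mode: a value longer than the
    column loses its tail with only a warning. SQLite does not truncate, so
    the simulation truncates here before the INSERT. Returns what was stored."""
    stored = username[:COLUMN_WIDTH]
    db.execute("INSERT INTO user (username, password) VALUES (?, ?)", (stored, password))
    return stored


def is_already_registered(db, username):
    """The slide's isAlreadyRegistered check. RTRIM on both sides is the
    simulation's assumption for a PAD SPACE collation (trailing spaces ignored)."""
    row = db.execute("SELECT 1 FROM user WHERE RTRIM(username) = RTRIM(?)",
                     (username,)).fetchone()
    return row is not None


def vulnerable_register(db, username, password):
    """Checks the full name, then stores a truncated one: the check and the
    stored value disagree whenever the name is longer than the column."""
    if is_already_registered(db, username):
        return False
    mysql_like_insert(db, username, password)
    return True


def vulnerable_login(db, username, password):
    """The slide's pattern: isPasswordCorrect() and getUserDataByLogin() are two
    independent lookups by name, so they can match two different rows."""
    ok = db.execute("SELECT 1 FROM user WHERE RTRIM(username) = RTRIM(?) AND password = ?",
                    (username, password)).fetchone()
    if ok is None:
        return None
    # getUserDataByLogin: first row whose name compares equal
    return db.execute("SELECT id, username FROM user WHERE RTRIM(username) = RTRIM(?) ORDER BY id",
                      (username,)).fetchone()


def hardened_register(db, username, password):
    """Reject names that cannot be stored exactly (too long, or with leading or
    trailing whitespace), and verify the stored value round-trips unchanged."""
    if len(username) > COLUMN_WIDTH or username != username.strip():
        return False
    if is_already_registered(db, username):
        return False
    stored = mysql_like_insert(db, username, password)
    return stored == username


def hardened_login(db, username, password):
    """Authenticate and load the user record in one query, so the record
    returned is the row whose password actually matched."""
    return db.execute("SELECT id, username FROM user WHERE username = ? AND password = ?",
                      (username, password)).fetchone()


if __name__ == "__main__":
    db = open_db()
    name = "admin" + " " * 11 + "x"          # 17 characters: truncated to 'admin' + 11 spaces
    print(vulnerable_register(db, name, "attacker-pw"))   # True: the check saw the long name
    print(vulnerable_login(db, "admin", "attacker-pw"))  # (1, 'admin'): the real admin's record
    db = open_db()
    print(hardened_register(db, name, "attacker-pw"))    # False: cannot be stored exactly
```

The simulation is deliberately pessimistic about the database: running MySQL with `sql_mode` including `STRICT_TRANS_TABLES` turns the silent truncation into an error, but the application-side length check and the single-query login are the controls that do not depend on server configuration.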

  15. STAY SECURE - Web Application Security - Ivan Markovic <ivan.markovic@netsec.rs>
