Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim 09.11.2004 Top Five Web Application Vulnerabilities
Top 5
• Top 5 vulnerabilities (src: http://software.newsforge.com/software/04/09/17/1527247.shtml?tid=78&tid=48)
• SQL insertion
• Cross Site Scripting (CSS/XSS)
• Session management
• Default/misconfigurations
• Dangerous HTTP methods
SQL insertion
• Problem: Trusting input from the client and passing it on to a SQL server.
• E.g.: SELECT userid FROM tblusers WHERE user = 'bleh'; EXEC master..xp_cmdshell "cmd.exe /c …";--' AND pass = 'password'
SQL insertion
• Form fields, URL parameters, cookies, and HTTP headers are all valid input vectors.
• Solution: Define acceptable data and make it as restrictive as possible. If input data is invalid then it should be rejected.
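Added example (not from the slides): the vulnerable string-pasting pattern beside the hardened version that applies the two fixes above, an allow-list on acceptable data and parameter binding. It assumes an in-memory SQLite table standing in for the slide's SQL server, a hypothetical username policy, and passwords stored in clear only to mirror the slide's query.

```python
import re
import sqlite3

# Constructed sample input: the injection string from the slide (MS SQL syntax),
# used here only as data that must never become part of the query text.
INJECTED_USER = "bleh'; EXEC master..xp_cmdshell \"cmd.exe /c ...\";--"

# Allow-list: "define acceptable data and make it as restrictive as possible".
# Assumed policy for this example: 3-16 lowercase letters, digits or underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,16}$")


def username_is_valid(user: str) -> bool:
    """Reject anything outside the allow-list; do not try to strip bad characters."""
    return USERNAME_RE.fullmatch(user) is not None


def build_query_unsafe(user: str, password: str) -> str:
    """The vulnerable pattern: client input is pasted straight into the SQL text."""
    return (f"SELECT userid FROM tblusers WHERE user = '{user}' "
            f"AND pass = '{password}'")


def make_db() -> sqlite3.Connection:
    """In-memory table shaped like the slide's tblusers (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblusers (userid INTEGER, user TEXT, pass TEXT)")
    conn.execute("INSERT INTO tblusers VALUES (42, 'alice', 'password')")
    return conn


def lookup_user_safe(conn: sqlite3.Connection, user: str, password: str):
    """Hardened version: validate first, then bind the values as parameters so
    the driver never interprets them as SQL. Returns the userid or None."""
    if not username_is_valid(user):
        return None
    row = conn.execute(
        "SELECT userid FROM tblusers WHERE user = ? AND pass = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # The injected statement lands inside the query text when concatenated.
    print(build_query_unsafe(INJECTED_USER, "password"))
    db = make_db()
    print(lookup_user_safe(db, "alice", "password"))        # 42
    print(lookup_user_safe(db, INJECTED_USER, "password"))  # None
```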
Cross Site Scripting
• Problem: a Web application accepts scripting commands as input and returns them.
• The script appears to originate from the vulnerable server, which the user trusts, and so it gets access to all the user's cookie and session information.
• Example: http://mywebsite.com/login.jsp?msg=<script>alert()</script>
• Solution: Do not reflect values obtained as input back to the browser.
Session management problems
• Problem: the state kept between your browser and the Web site (the session).
• Used to track who is logged in and their access privileges.
• Attackers can access restricted pages without proper authorization, or manipulate session variables to gain access to other users' accounts.
• e.g. manipulating parameters in the URL
Session management problems
• Sessions should always be maintained on the server side.
• Don't trust cookies and client-side session values.
• Always use a strong unique identifier instead of an integer, email address or account number/name.
• Check for a valid session on each restricted access page whenever the page is requested.
Session management problems
• JavaScript shopping carts
• The price is often embedded in the HTML code.
• Third-party payment collector
• It is possible to change the price (get stuff cheaper...).
Default/misconfigurations (Sample apps/dir listings)
• Configuration and installation problems.
• These provide an attacker with a starting point for breaking into the server:
• sample applications that are installed by default
• directory listings and permissions
• default software features and configurations
• log and swap files
Default/misconfigurations
• Sample applications that are installed by default can contain information-disclosing scripts that may reveal Web site source code.
• Directory listings can reveal files.
• Default software features may have exploitable bugs.
• Log files and swap files can be left over from developers editing Web application pages.
Dangerous HTTP commands
• PUT, DELETE, WebDAV
• PUT: upload a script
• DELETE: delete all the content of a site – DoS
• WebDAV: methods have been used to perform buffer overflows on Windows servers.
Dangerous HTTP commands cont.
• To test the PUT method, use a tool like curl to attempt a file upload: curl -T test.html www.mysite.com
• Then try to access the file.
• To test the DELETE method, telnet to the Web server and issue the command: DELETE / HTTP/1.0
Conclusion
• Security problems are caused by errors:
• configuration errors
• programming errors
• misplaced trust (e.g. in user input)
• Cryptography is failing to protect, or rather, it is not the final answer.
• Awareness and teaching