1 / 36

Web 2.0 Security

Web 2.0 Security. James Walden Northern Kentucky University. Speaker Biography. Assistant Professor at NKU Graduate certificate in Secure Software Eng. Minors in Infosec and Forensics. Papers & workshops in software security. Contributor to SANS/CWE Top 25 programming flaws.

nikita
Download Presentation

Web 2.0 Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web 2.0 Security James Walden Northern Kentucky University

  2. Speaker Biography Assistant Professor at NKU • Graduate certificate in Secure Software Eng. • Minors in Infosec and Forensics. • Papers & workshops in software security. Contributor to • SANS/CWE Top 25 programming flaws. • SANS GSSP secure programmer cert. • OWASP/Fortify Open Source Review.

  3. Why Target Web Apps?

  4. Attack Surface A system’s attack surface consists of all of the ways an adversary can enter the system. Merchant’s Bank Building

  5. Defender’s View web server firewall wireless VPN

  6. History of Web Security

  7. Firewalls and Web Apps telnet Firewall ftp Application DatabaseServer WebClient WebServer Application HTTP Traffic Port 80

  8. SSL: injection attacks, XSS telnet Firewall ftp Application WebClient DatabaseServer WebServer Application HTTPS Traffic Port 443

  9. Revised Attack Surface external web apps external web server firewall VPN wireless database

  10. Intra-Security Assumptions Since the firewall protects you • Patches don’t have to be up to date. • Passwords don’t have to be strong. • There’s no need to be careful when you code. • There’s no need to audit your source code. • There’s no need to run penetration tests. But do your users have web browsers?

  11. Javascript Malware Intranet Firewall telnet Group Server Main Server ftp WebServer (Javascript malware)‏ WebClient HTTP Traffic Port 80 Wiki

  12. Malware Sources • Evil web site owner inserts in page. • Attacker inserts malware into defaced page. • Attacker inserts malware into a public comment or forum post (stored XSS.) • Attacker creates link that causes web site to echo malware to user (reflected XSS.)

  13. external web apps external web server internal web apps firewall VPN internal web servers wireless database Re-revised Attack Surface

  14. Web Applications external web apps external web server internal web apps firewall VPN internal web servers wireless database

  15. Web App Vulnerabilities Input-based Security Problems • Injection Flaws • Insecure Remote File Inclusion • Unvalidated Input Authentication and Authorization • Authentication • Access Control • Cross-Site Attacks Other Bugs • Error Handling and Information Leakage • Insecure Storage • Insecure Communications

  16. Attacker ‘ or 1=1-- User Pass Firewall DB Server Web Server SQL Injection • App sends form to user. • Attacker submits form with SQL exploit data. • Application builds string with exploit data. • Application sends SQL query to DB. • DB executes query, including exploit, sends data back to application. • Application returns data to user.

  17. Cross-Site Scripting Web Server 8. Attacker hijacks user session. 1. Login Attacker User 2. Cookie 5. XSS URL 3. XSS Attack 6. Page with injected code. 7. Browser runs injected code. 4. User clicks on XSS link. Evil site saves ID.

  18. SQL injection. Cross-site scripting. Information leakage. Path traversal. Authentication, session management, access control flaws. Feature Vulnerability Map Database interaction Displays user-supplied data Error messages File upload/download Login

  19. Web App Attack Surface cookies form inputs HTTP headers URLs

  20. Traditional Web Apps HTTP Request (form submission)‏ User waits Server processing HTTP Response (new web page)‏ User interaction HTTP Request (form submission)‏ Server processing User waits HTTP Response (new web page)‏

  21. AJAX Asynchronous Javascript & XML • User interacts with client-side Javascript. • Javascript makes asynchronous requests to server for data. • Continues to allow user to interact with application. • Updates when receives encoded data from server.

  22. AJAX Applications Client-side Code HTTP request (asynchronous)‏ HTTP Response (data)‏ Server processing User interaction partial update partial update HTTP request (asynchronous)‏ User interaction Server processing HTTP Response (data)‏ HTTP request (asynchronous)‏ User interaction HTTP Response (data)‏ partial update Server processing partial update

  23. Traditional Application on server. Entire form sent to server. User fills in input items. Clicks on submit. Server returns new page. Presentation + Data. AJAX App on client and server. JavaScript receives user input, issues function calls to server when needed. Get map tile. Save location data. Server returns individual data items. JavaScript incorporates data items into existing page. Architecture Differences

  24. AJAX: More Entry Points Purchase Item getPrice() debitAccount() downloadItem()

  25. Example Client-side Code var auth = checkPassword(user, pass); if (auth == false) { alert(‘Authentication failed.’); return; } var itemPrice = getPrice(itemID); debitAccount(user, itemPrice); downloadItem(itemID);

  26. Client Side Data Use Firebug to modify variables. Modifying session state • Set auth to true. • Set itemPrice to $0.01, $0, -$1.00. Viewing sensitive data if (discountCode == “HALF_OFF”) { window.location(“discount_order.html”); }

  27. Client Side Code Example Code (AJAX Security, p. 176) <script> function sum(x,y) { var z = x + y; alert(“Sum is “ + z); } </script> <input type=“button” value=“5 + 6 = ?” onclick=“sum(5,6);” /> Insert with Firebug to replace sum() in 5s: setTimeout(“sum = function() { alert(‘hijacked!’); }”, 5000);

  28. Selected Data Selected Data Intended Data Extra Data Intended Data Extra Data AJAX: More Client Data Server returns HTML page that displays desired data. SQL Injection SQL Injection Presentation (HTML) Database Web Server Server returns XML/JSON full data for AJAX client to display. SQL Injection SQL Injection Data (XML,JSON) Database Web Server

  29. Client Data Vulnerability SQL Query SELECT * FROM USERS WHERE UID=<> Injected Query SELECT * FROM USERS WHERE UID=12345 UNION SELECT * FROM CREDITCARDS XML Data <data> <user> <uid>12345</uid> <name>John Smith</name> </user> <creditcard> <ccnumber>4444-4444-4444-4444</ccnumber> <expire>01/01/2011</expire> </creditcard> </data>

  30. JSON var json = getItem() // json = “[ ‘Toshiba’, 499, ‘LCD TV’]” var item = eval(json) // item[0] = ‘Toshiba’ // item[1] = 499 // item[2] = ‘LCD TV’

  31. JSON Injection Evil input: ‘];alert(‘XSS’);// var json = getItem() // json = “[ ‘Toshiba’, 499, ‘’];alert(‘XSS’);//” var item = eval(json) // Alert box with ‘XSS’ appears. // Use json2.js validation library to prevent.

  32. Client-Side State Storage Technologies • Cookies • DOM Storage (HTML5) • Flash LSOs • UserData (IE) Client-Side Storage Issues • User can always modify client-side data. • Cross-Domain Attacks (between subdomains). • Cross-directory Attacks. • Cross-port Attacks.

  33. client-side code client-side state cookies form inputs HTTP headers client-side data transforms URLs server API AJAX Attack Surface

  34. A site’s attack surface client-side code cookies is nearly fractal. form inputs client-side state HTTP headers client-side data transforms URLs server API external web apps external web server internal web apps firewall VPN internal web servers database wireless

  35. Discussion Items • Are organization’s security policies changing in response to Web 2.0? • What are people currently doing to determine their attack surface? • How do people select which elements of the attack surface to reduce first?

More Related