Web Application Threats and Remediation

Presentation Transcript


  1. Web Application Threats and Remediation Terry Labach, IST Security Team

  2. IST Security Team
  WatITis | Strengthening Collaboration | December 8, 2009 | Web Application Threats and Remediation

  3. The problem
  • While we use firewalls and other means to prevent attackers from accessing our networks, we encourage access to our web sites, literally inviting miscreants to attack us
  • Complex web application systems contain flaws that attackers can use for a variety of nefarious purposes

  4. Risks
  • Loss of confidential data
  • Vandalism of web sites
  • Financial theft
  • Denial of service
  • Spread of spam or viruses
  • Damaged reputation

  5. OWASP Top Ten for 2010
  • A1 Injection
  • A2 Cross Site Scripting (XSS)
  • A3 Broken Authentication and Session Management
  • A4 Insecure Direct Object References
  • A5 Cross Site Request Forgery (CSRF)
  • A6 Security Misconfiguration
  • A7 Failure to Restrict URL Access
  • A8 Unvalidated Redirects and Forwards
  • A9 Insecure Cryptographic Storage
  • A10 Insufficient Transport Layer Protection

  6. SANS Institute
  • PHP Remote File Include
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Cross-site request forgeries (CSRF)

  7. General principles
  • Specify what is allowed, not what is forbidden
  • Use software engineering best practices (no cowboy coders)
  • Test applications fully
  • Test environments must duplicate production environments
  • Test bad input, not just good input

  8. Trust no one

  9. Example attacks

  10. Failure to restrict URL access
  • OWASP A6
  • Includes elements of data leakage
  • Attackers can access documents through URLs that should be protected

  11. Preventing data leakage
  • Permissions, server settings and .htaccess can help, but it is best to prevent unneeded files from being present at all
  • Limit development to dedicated machines; publish only final files to the production server
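One way to act on "prevent unneeded files from being present at all" is a pre-publish check over the tree that is about to be copied to the production server. The script below is an added example, not part of the presentation: it applies the allowlist principle from slide 7 (specify what is allowed) to file types, flags editor backups, dumps and source-control metadata, and builds a small throwaway directory of constructed sample files to run against. The extension allowlist and the suspicious-name patterns are assumptions to be adjusted per site.

```python
import os
import re
import tempfile

# Constructed allowlist (assumption): the only file types expected on the production web root.
ALLOWED_EXTENSIONS = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".php", ".ico"}

# Names that commonly leak through URLs: dotfiles, editor backups, archives, dumps (hypothetical list).
SUSPICIOUS_NAMES = re.compile(r"(^\.|~$|\.(bak|old|orig|swp|sql|tar|gz|zip|log)$)", re.IGNORECASE)
SUSPICIOUS_DIRS = {".git", ".svn", "CVS", "backup", "node_modules"}


def find_unneeded_files(root):
    """Return sorted paths (relative to root) that should not be published."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Flag whole directories such as .git and prune them so we do not descend further.
        for d in list(dirnames):
            if d in SUSPICIOUS_DIRS:
                flagged.append(os.path.relpath(os.path.join(dirpath, d), root) + "/")
                dirnames.remove(d)
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            ext = os.path.splitext(name)[1].lower()
            # Allowlist first: anything not explicitly expected is reported, then the known-bad names.
            if ext not in ALLOWED_EXTENSIONS or SUSPICIOUS_NAMES.search(name):
                flagged.append(rel)
    return sorted(flagged)


def build_sample_tree():
    """Create a temporary web root mixing publishable and leak-prone files (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    sample_files = [
        "index.html", "style.css", "img/logo.png",          # fine to publish
        "index.html~", "db_dump.sql", "config.php.bak",      # backups and dumps
        ".htpasswd", "notes.txt", ".git/config",             # dotfiles, notes, repo metadata
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for item in find_unneeded_files(build_sample_tree()):
        print("do not publish:", item)
```

Run it as the last step of the publishing pipeline and fail the deploy if anything is reported; the allowlist makes a new, unexpected file type show up as a finding rather than silently going live.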

  12. Cross-site scripting (XSS)
  • OWASP A2
  • Crafted URLs can allow scripts to be run by the client’s browser
  • This can result in victims:
    • Having authentication credentials stolen
    • Being redirected to malicious web sites

  13. Preventing cross-site scripting
  • Sanitize all user input
  • Remove meta-characters, e.g. “’`<>
  • Characters may be encoded, so it is best to remove anything not obviously harmless (e.g. a-zA-Z0-9)
  • Foreign language support allows a pathway to inject meta-characters
  • Validation must be done on the server end; validation done in the browser (e.g. through JavaScript) can be bypassed
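The slide's advice, as an added Python example that is not from the presentation: decode URL and HTML encodings before checking (so an encoded `<` is seen as `<`), strip or reject anything outside a-zA-Z0-9 for fields that only need such characters, and, for free text that must keep punctuation, escape it for the HTML context on output. The output-escaping step and the function names are the editor's additions; the allowlist is the one the slide states.

```python
import html
import re
from urllib.parse import unquote

# Allowlist from the slide: a-zA-Z0-9 and nothing else.
SAFE_TOKEN = re.compile(r"[a-zA-Z0-9]+")


def normalize(value):
    """Decode URL (%3C) and HTML (&lt;) encodings until the string stops changing,
    so an encoded or double-encoded '<' is seen as '<' before any check runs."""
    previous = None
    while value != previous:
        previous = value
        value = html.unescape(unquote(value))
    return value


def strip_to_safe(raw):
    """The slide's 'remove anything not obviously harmless', applied literally after decoding."""
    return re.sub(r"[^a-zA-Z0-9]", "", normalize(raw))


def validate_username(raw):
    """Stricter variant: reject rather than silently strip, so the caller can log the attempt."""
    decoded = normalize(raw)
    if SAFE_TOKEN.fullmatch(decoded) is None:
        raise ValueError("username contains disallowed characters")
    return decoded


def render_greeting(display_name):
    """Free text that must keep punctuation is never inserted raw: escape it for the HTML body
    (output encoding is the editor's addition; the slide covers input sanitisation)."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    print(normalize("%253Cscript%253E"))            # double-encoded input unwraps to <script>
    print(strip_to_safe("<script>alert(1)</script>"))
    print(render_greeting('<b onmouseover="x">'))
```

Because every function runs on the server, a browser-side check being skipped changes nothing: the decoded value is what gets checked, and only the allowlisted or escaped form ever reaches a page.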

  14. Broken Authentication
  • OWASP A3
  • Authentication of users can be faked, or credentials stolen, to allow access to resources

  15. Preventing authentication theft
  • Don’t pass authentication information in hidden fields
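To make the slide's one rule concrete, here is an added example (not from the presentation) contrasting a form that carries the user's identity in a hidden field with the server-side alternative: the browser holds only a random session id, and the identity is looked up from that on the server, so nothing the client submits can change who it is acting as. The in-memory user and session stores, the sample user, and the function names are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from html import escape

# ---- Vulnerable pattern: identity round-trips through the browser in a hidden field ----

def vulnerable_render_form(user):
    # The page embeds who the user is; anyone can edit this value before submitting.
    return f'<form method="post"><input type="hidden" name="user" value="{escape(user)}"></form>'


def vulnerable_handle_post(form):
    # Acts on whatever the browser sent back, so the hidden field is the whole authentication.
    return {"acting_as": form["user"]}


# ---- Hardened pattern: identity stays on the server; the browser holds only an opaque session id ----

def hash_password(password, salt):
    # PBKDF2 so even the sample store keeps no plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}   # constructed sample user
SESSIONS = {}   # session id -> username; a real deployment uses a server-side session store


def login(username, password):
    """Return a fresh random session id on success, None on failure."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def handle_post(cookies, form):
    """Identity comes from the session cookie; any 'user' field in the form is ignored."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        raise PermissionError("not authenticated")
    return {"acting_as": user}


if __name__ == "__main__":
    print(vulnerable_handle_post({"user": "admin"}))         # client-chosen identity is accepted
    sid = login("alice", "correct horse")
    print(handle_post({"session": sid}, {"user": "admin"}))  # server ignores the form field
```

The session id carries no information about the user, only a lookup key, so it should be set as an HttpOnly cookie over TLS (slides A2 and A10 give the reasons) and invalidated on logout.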

  16. SQL injection
  • OWASP A1
  • SQL commands are entered in user input fields
  • If allowed as part of a query to the back-end database, this can result in:
    • data theft
    • manipulation or vandalism of data

  17. Preventing injection attacks
  • Sanitize user input
  • Use appropriate data types and enumerations instead of text fields
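The two bullets above, as an added Python example with SQLite (not code from the presentation): a lookup that splices user text into the statement, beside one that first converts the id to its proper integer type and then binds it as a query parameter, plus a sort-column selector constrained to an enumeration because identifiers cannot be bound. The parameterized query is the standard remedy added by the editor; the table, sample rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)])
    return conn


def vulnerable_lookup(conn, account_id_text):
    # Untrusted text becomes part of the SQL itself: whatever the field contains is executed.
    sql = "SELECT owner, balance FROM accounts WHERE id = " + account_id_text
    return conn.execute(sql).fetchall()


def safe_lookup(conn, account_id_text):
    # 1. Appropriate data type: an account id is an integer, so convert it before it goes near SQL.
    try:
        account_id = int(account_id_text)
    except ValueError:
        raise ValueError("account id must be numeric") from None
    # 2. Parameterized query: the value travels separately from the statement text and is never parsed as SQL.
    return conn.execute("SELECT owner, balance FROM accounts WHERE id = ?", (account_id,)).fetchall()


# Enumeration: column names cannot be bound as parameters, so they must come from a fixed set.
ALLOWED_SORT = {"owner", "balance"}


def list_accounts(conn, sort_by):
    if sort_by not in ALLOWED_SORT:
        raise ValueError("unknown sort column")
    return conn.execute(f"SELECT owner FROM accounts ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "2 OR 1=1"))   # the text is executed as SQL and every row comes back
    print(safe_lookup(db, "2"))                # only the requested row
    print(list_accounts(db, "balance"))
```

The type conversion is what the slide means by "appropriate data types": the string `2 OR 1=1` is not an integer, so it is rejected before any query is built, and even a numeric-looking value is bound rather than concatenated.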

  18. Automated Vulnerability Scanning
  • Hackers can perform vast numbers of typical attacks using automated processes to identify likely targets
  • The good guys can do the same, and a number of vendors provide such solutions
  • IBM AppScan selected after a lengthy evaluation process
  • IST Security Team will provide web application scans as a service

  19. IBM AppScan

  20. Resources
  • Security information
    • OWASP
      • www.owasp.org
    • SANS Institute (SysAdmin, Audit, Network, Security)
      • www.sans.org
    • Jeremiah Grossman
      • www.whitehatsec.com/home/resource/grossman.html

  21. Resources
  • Vendors
    • IBM (AppScan)
      • www.ibm.com/software/awdtools/appscan/
    • Cenzic (Hailstorm)
      • www.cenzic.com
    • HP (WebInspect)
      • www.hp.com
    • WhiteHat
      • www.whitehatsec.com

  22. Questions and Comments