E-Security Solutions: Web Applications Security and Challenges Cyber Security Division/NIC
Need for Securing Web Sites/Applications
• Defaced sites reported on the Internet
• Defacement reasons
  • Application vulnerability
  • Site owner authored (accidental/intentional)
  • Web server misconfiguration
[Diagram: the Internet ("Wild Wild West") separated by a firewall from the corporate security perimeter, which holds the server (data) and the workstations (green segment)]
Security at Network and Transport Layer
[Diagram: traffic from the Internet arriving on ports 23, 139, 21 and 80/8080]
• Securing at this level traditionally was not enough.
• Network controls only decide whether traffic is legitimate; they do not inspect what the application does with it.
• Above 70% of attacks are at the application level.
Web Application
• A web application is generally comprised of a collection of scripts that reside on a web server and interact with a database and other sources of dynamic content.
• Runs generally on port 80/8080.
Attacks Undetected
• Data sent as part of legitimate traffic on port 80/8080 goes undetected.
• Conventional network devices and firewalls cannot distinguish bad data from genuine data.
Web Application Security
• Refers to the combination of People, Processes and Technology.
• Identify, measure and manage the risks
  • presented by open source and custom web applications.
Risks identified in applications
• A malicious user can log in without a valid account.
• An unauthorised user can view, add, update or delete data.
• An authenticated user can add/update data as another user.
• A malicious user can upload malicious content.
• A malicious user can steal user credentials.
[Diagram: People, Processes and Technology]
Web Application Security Standards
• OWASP (Open Web Application Security Project)
• WASC (Web Application Security Consortium)
OWASP
• The Open Web Application Security Project is a project dedicated to sharing knowledge and developing open source software that promotes understanding of web application security.
• For more info see http://www.owasp.org
• OWASP Top 10
WASC
• An international group of experts, practitioners and organizational representatives who produce open source and widely agreed upon best practice security standards for the world wide web.
• http://www.webappsec.org
• Web Hacking Incidents Database
• Web Security Threat Classification
OWASP Top Ten Project
• It provides a minimum standard for web application security.
• The OWASP Top Ten represents a broad consensus about what the most critical web application vulnerabilities are.
• Adopters
  • US Federal Trade Commission, US DoD, VISA
  • Other companies including Sprint, IBM etc.
OWASP Top Ten Most Critical Web Application Vulnerabilities
• A1 - Unvalidated Input
• A2 - Broken Access Control
• A3 - Broken Authentication and Session Management
• A4 - Cross Site Scripting (XSS) Flaws
• A5 - Buffer Overflow
• A6 - Injection Flaws
• A7 - Improper Error Handling
• A8 - Insecure Storage
• A9 - Denial of Service
• A10 - Insecure Configuration Management
Vulnerability Explained - Unvalidated Input
• Web sites host applications which accept input in URL strings, form fields, hidden form fields etc.
• Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
Un-validated Input Example: Florists
Step 1 - The web server shows the catalogue: Rose Rs.18, Dahlia Rs.11, Chrysanthemum Rs.6, with a quantity field for the shopping cart and the amount to pay.
Step 2 - The prices travel in hidden form fields. The customer orders 50 Chrysanthemums at Rs.6 and the cart shows To Pay: Rs.300.
Step 3 - The hidden price is manipulated from Rs.6 to Rs.1 before the form is submitted. The order for 50 Chrysanthemums now shows To Pay: Rs.50 and the server answers "Order Accepted. Thank You".
Applications incorporate input validations
• Implemented on the client side of the application.
• Intercepting tools make the client-side checks inadequate.
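The florist scenario in code, as an added example that is not part of the original slides: the catalogue prices are the slide's, while the form field names, the quantity limit and the function names are assumptions. The vulnerable handler trusts the hidden price field; the hardened one looks the price up server-side and validates the quantity for type, syntax and length.

```python
import re
from decimal import Decimal

# Catalogue prices from the slide; the dictionary itself is constructed for this example.
CATALOGUE = {"Rose": Decimal("18"), "Dahlia": Decimal("11"), "Chrysanthemum": Decimal("6")}
MAX_QUANTITY = 999                      # assumed per-line business limit
QUANTITY_RE = re.compile(r"[0-9]{1,3}")  # syntax + length: 1 to 3 ASCII digits, nothing else


def total_unsafe(form):
    """Vulnerable: takes the price from the hidden 'price' field the client submitted."""
    # The browser filled this field in, but an intercepting proxy can rewrite it on
    # the way to the server: this is the Rs.6 -> Rs.1 manipulation on the slide.
    return Decimal(form["price"]) * int(form["quantity"])


def valid_quantity(value):
    """Accept only known valid data: data type, syntax, length and range are all checked."""
    return (isinstance(value, str)
            and QUANTITY_RE.fullmatch(value) is not None
            and 1 <= int(value) <= MAX_QUANTITY)


def total_safe(form):
    """Hardened: the price comes from the server-side catalogue, never from the client."""
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = form.get("quantity", "")
    if not valid_quantity(qty):
        raise ValueError("invalid quantity")
    return CATALOGUE[item] * int(qty)


# Constructed requests: the honest order, and the same order after the hidden field was tampered with.
HONEST_ORDER = {"item": "Chrysanthemum", "price": "6", "quantity": "50"}
TAMPERED_ORDER = {"item": "Chrysanthemum", "price": "1", "quantity": "50"}

if __name__ == "__main__":
    print("unsafe, tampered:", total_unsafe(TAMPERED_ORDER))  # Rs.50: the client chose its own price
    print("safe, tampered:  ", total_safe(TAMPERED_ORDER))    # Rs.300: the hidden field is ignored
```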
Vulnerability - SQL Injection
• This is a form of attack affecting database-driven sites.
• Its impact can range from mild damage to complete system compromise.
• It affects a large number of sites on the Internet and can be completely prevented.
• It is largely caused by developers who use string-building techniques to execute SQL code.
[Diagram: client -> firewall -> web server (web app) -> SQL query -> SQL server]
Remote Shutdown of DB
http://abc.xyz.com/Bull_No.asp?number=41213';shutdown--
• Shutdown command injected
• DB no longer available to the app
Impacts of SQL Injection
• Denial of Service
  • Database shutdown remotely
• Integrity of Data?
  • Gain authentication and privileged access to CUG applications
  • Deleted records in database
  • Inserted junk data in database
  • Modify data
  • Drop tables
Data Validation
• Validation strategies
  • Accept only known valid data
  • Reject known bad data
  • Sanitize all data
• All three methods must check
  • Data type
  • Syntax
  • Length
• Never rely on client-side validations alone
• Assess database-level privileges
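The bulletin lookup behind Bull_No.asp?number=... in both forms, as an added example that is not from the original slides: string building beside a validated, parameterised query, covering both the SQL injection slide and the data validation rules above. The table, rows and the "1 to 6 digits" format are assumptions; SQLite stands in for the SQL server.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the bulletin table (name, columns and rows invented)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bulletins (number INTEGER, title TEXT)")
    db.executemany("INSERT INTO bulletins VALUES (?, ?)",
                   [(41213, "Bulletin 41213"), (41214, "Bulletin 41214"), (41215, "Bulletin 41215")])
    return db


def lookup_unsafe(db, number):
    """Vulnerable: string building puts the client's text straight into the SQL."""
    # On a DBMS that runs stacked statements this is where the slide's
    # "41213';shutdown--" input would execute as a second statement.
    sql = "SELECT title FROM bulletins WHERE number = '" + number + "'"
    return [row[0] for row in db.execute(sql)]


BULLETIN_NUMBER_RE = re.compile(r"[0-9]{1,6}")  # assumed format: 1 to 6 ASCII digits


def valid_bulletin_number(value):
    """Accept only known valid data: data type, syntax and length are checked before use."""
    return isinstance(value, str) and BULLETIN_NUMBER_RE.fullmatch(value) is not None


def lookup_safe(db, number):
    """Hardened: validate first, then bind the value as a parameter, never as SQL text."""
    if not valid_bulletin_number(number):
        raise ValueError("invalid bulletin number")
    rows = db.execute("SELECT title FROM bulletins WHERE number = ?", (int(number),))
    return [row[0] for row in rows]


# Constructed inputs: the genuine request and one that rewrites the WHERE clause.
GENUINE = "41213"
TAUTOLOGY = "41213' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, TAUTOLOGY))       # all three bulletins: the query's structure changed
    print(valid_bulletin_number(TAUTOLOGY))  # False: rejected before it reaches the database
```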
Vulnerability - Insecure Configuration Management
Server configuration problems include:
1. Unpatched flaws in the server software
2. Server software flaws or misconfiguration that allow directory listing or directory traversal
3. Improper file and directory permissions
4. Unnecessary services enabled, including remote administration
5. Default accounts with default passwords
Example: Application-based upload
• Application allows file upload.
• The uploaded file could be executed.
• => A file with malicious content can therefore also be uploaded and executed.
Solution
• Assess the requirement of the application for a file upload facility.
• In this case, the directory used as the file repository must not be in the direct path of the web application.
• The permissions on this folder must grant only write privilege, and only to the account used by the application.
• Note: A combination of write and execute permissions on web hosting folders is strictly forbidden.
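One way to apply the solution above on a POSIX host, as an added example that is not from the original slides: the function names, the directory layout and the stored-file naming are assumptions, and the repository folder's own permissions are still set by the administrator outside this code.

```python
import os
import secrets
import tempfile


def is_inside(path, root):
    """True when path is root itself or lies below it (symlinks and '..' resolved)."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def store_upload(data, upload_dir, web_root):
    """Store an upload where the web server can neither serve nor execute it.

    Refuses a repository in the web application's direct path, uses a
    server-generated file name (the client's name never reaches the filesystem),
    and creates the file with mode 0600: the application account can write it,
    no account can execute it.
    """
    if is_inside(upload_dir, web_root):
        raise ValueError("upload repository must not be under the web root")
    path = os.path.join(upload_dir, secrets.token_hex(16) + ".upload")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def has_execute_bit(path):
    """Audit check for files in hosting folders: any execute bit is a finding."""
    return bool(os.stat(path).st_mode & 0o111)


def demo():
    """Run the allowed and the refused case in a throwaway directory layout."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "htdocs")
    os.mkdir(web_root)
    good_dir = os.path.join(base, "uploads")     # sibling of htdocs: allowed
    os.mkdir(good_dir)
    bad_dir = os.path.join(web_root, "uploads")  # inside htdocs: refused
    os.mkdir(bad_dir)
    stored = store_upload(b"constructed upload body", good_dir, web_root)
    try:
        store_upload(b"constructed upload body", bad_dir, web_root)
        rejected = False
    except ValueError:
        rejected = True
    return {"stored": stored, "executable": has_execute_bit(stored), "rejected_inside": rejected}


if __name__ == "__main__":
    print(demo())
```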
Tests and Tools
• Penetration tests
  • Manual
  • Automated
• Tools
  • Manual, viz. Burp Proxy
  • Automatic scan tools
    • Open source: websphinx, Paros, Nikto
    • Commercial: ScanDo, AppScan
[Diagram: on the user's client machine, Burp Interceptor sits between the browser and the web server and intercepts the HTTP request/response]
Application Security Audit Framework
[Diagram: Awareness, Secure Code Delivery, Audit, Code Hardening, Convincing Developers, Compliance Check]
Challenges – People, Processes and Technology
• Large number of sites with applications.
• Testing may not be accurate:
  • Black-box pen tests are used; they are limited to the known vulnerabilities.
  • Source code auditing is not feasible, as many of the sites are legacy and it is a time-consuming process.
  • Limited by the skill set of the tester.
• Vulnerabilities identified remain unpatched due to developer unavailability.
• Tools not readily available: immature technology
• Large amount of resources required for logistics arrangements
• Large amount of coordination and communication effort
• Effective monitoring, detection and response to security incidents
• Correlation of events
• Keeping up to date with new attacks and delivery mechanisms
Achievements
• Lessons learnt in improving security
• Separation of security boundaries of sites in a multi-hosting environment recommended
• Security of developed sites has improved
• Turnaround time in audit is reduced
• Awareness of developers increased
• Requirement of security audit has been propagated
Road Ahead
• Security needs to be built into applications in the SDLC.
• A policy of asset classification to be adopted and a security rating given to sites/applications.
• Adaptive framework for People, Processes and Technology for web application security.
References
• Audit reports of web sites audited
• http://www.owasp.org
• http://www.sans.org
• http://www.webappsec.org
Thank You
Write to Snigdha Acharya, snigdha.acharya@nic.in