Web Security. Thierry Sans

Size: px

Start display at page:

Download "Web Security. Thierry Sans"

Gwendoline Stanley
6 years ago
Views:

1 Web Security Thierry Sans

2 1991 Sir Tim Berners-Lee

3 Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing

4 Web security is a major concern

10 The Big Picture

11 The web architecture Client Side Web Browser Server Side Web Server Database

12 Securing the web architecture means securing... The network The DNS (Domain Name System) The web server operating system The web server application (Apache for instance) The database application (Oracle for instance) The web application Our focus here!

13 What is a web application? program running on the browser + program running on the server

14 Anatomy of a web application

15 The HTTP protocol Network protocol for requesting/receiving data on the Web Standard TCP protocol on port 80 (by default) URI/URL specifies what resource is being accessed Different request methods

16 Let s look at what a web server does telnet to a web server > telnet whitehat.local 80 GET / enter HTTP requests

17 Anatomy of a URL protocol server query string path get parameters resource

18 Authentication and Authorization Authentication Who are the authorized users? Authorization Who can access what and how?

19 The simple recipe for user authentication 1. Ask the user for a login and password and send it to the server (HTTP/POST request) 2. Verify the login/password based on information stored on the server (usually in the database) 3. Start a session once the user has been authenticated 4. Grant access to resources according to the session

20 The concept of session There is a session id (aka token) between the browser and the web application This session id should be unique and unforgeable (usually a long random number or a hash) Stored in the cookie The session id is bind to key/value pairs data Stored on the server

21 Session : key/value pairs stored on the server The big picture HTTP request HTTP response HTTP request HTTP response Web Browser Cookie : key/value pairs stored in the requests Web Server The user can create, modify, delete the session ID in the cookie But cannot access the key/value pairs stored on the server

22 Hacking Authentication

23 How to steal user s credentials Brute force the password Brute force the session ID Steal the user s password Steal the user s session ID

24 Limitation of HTTPS password = password = E#%FY7*5EZ$#G

25 Stealing passwords from the client Social engineering - Phishing Keyloggers (keystroke logging) Data mining ( s, logs) Hack the client s code

26 Stealing passwords from the server Hack the server Hack the server s side code

27 Hacking the Client s Side Code

28 Client side s attacks Content Spoofing inject arbitrary HTML content into a webpage CSRF inject arbitrary urls into a webpage XSS inject arbitrary Javascript code into a webpage

29 Content Spoofing injecting arbitrary HTML content into a webpage GET /?videoid=527 <html... comment = <a href= myad.com >Fun stuff... GET /?videoid=527 <html... The page contains the attacker s code. * Notice that Youtube is not vulnerable to this attack

CSRF attack injecting arbitrary urls into a webpage GET View/?profileid=53 <img src= www.alice.

url=delete/?profileid=53 53 www.alice.com/ profilepic Alice Done! profileid=86 86 www.badwebsite.com/ Delete/?

30 CSRF attack injecting arbitrary urls into a webpage GET View/?profileid=53 <img src= GET profilepic GET Delete/?profileid=53 id url name GET setprofile/?url=delete/?profileid= profilepic Alice Done! profileid= Delete/?imageid=53 Charlie Hey Alice, check my profile GET View/?profileid=86 <img src= Delete/?profileid=53 GET Delete/?profileid=53

31 XSS attack injecting arbitrary javascript into a webpage GET /?videoid=527 <html... comment = <script>... GET /?videoid=527 <html... login=alice&password= The script contained in the comments modifies the page to look like the login page! * Notice that Youtube is not vulnerable to this attack

32 Scope of XSS attacks Inject illegitimate content in the page (same as content spoofing) Perform illegitimate HTTP requests through Ajax (same as a CSRF attack) Steal Session ID from the cookie Steal user s login/password by modifying the page to forge a perfect scam

33 XSS attacks are widespread

34 Hacking the Server s Side Code

35 Server s side attacks SQL injection inject arbitrary SQL code executed on the server s database File inclusion inject arbitrary code executed on the server

SQL Injection Attack inject arbitrary SQL

Access Deny! Access Granted! checkpassword.

36 SQL Injection Attack inject arbitrary SQL code executed on the server s database loginpage.html OR 1 = 1 name=alice&pwd= Access Deny! Access Granted! checkpassword.php <?php $uid = SQLQuery("SELECT uid FROM LoginTable WHERE login=". $_POST['name']. "AND password =". $POST['pwd ']); if ($uid) echo "Access Granted"; else echo "Access Denied";?>

37 Scope of SQL injection attacks retrieves, adds, modifies, deletes arbitrary information bypasses authentication installs a reverse shell

38 File Inclusion Attack inject arbitrary code executed on the server

39 Web Penetration Testing

40 Web application security tools Commercial AppScan Proxy mapper Vulnerability scanner Acunetix Burp Suite Replay HTTP requests (Exploit tool) Nikto Vega W3af Open Source among others

41 Conclusion You have absolutely no control on the client Client Side Server Side Web Browser Web Server Database

42 References Mozilla Secure Coding Guideline Ruby on Rails Security Page Django Security Page PHP Security Pages

Web Application Penetration Testing

Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate