Web Application Threats and Remediation. Terry Labach, IST Security Team

Size: px

Start display at page:

Download "Web Application Threats and Remediation. Terry Labach, IST Security Team"

Ashlynn Flynn
5 years ago
Views:

1 Web Application Threats and Remediation Terry Labach, IST Security Team

2 IST Security Team

3 The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage access to our web sites, literally inviting miscreants to attack us Complex web application systems contain faws that attackers can use for a variety of nefarious purposes

4 Risks Loss of confdential data Vandalism of web sites Financial theft Denial of service Spread of spam or viruses Damaged reputation

5 OWASP Top Ten for 2010 A1 Injection A2 Cross Site Scripting (XSS) A3 Broken Authentication and Session Management A4 Insecure Direct Object References A5 Cross Site Request Forgery (CSRF) A6 Security Misconfguration A7 Failure to Restrict URL Access A8 Unvalidated Redirects and Forwards A9 Insecure Cryptographic Storage A10 Insufcient Transport Layer Protection

6 SANS Institute PHP Remote File Include SQL Injection Cross-Site Scripting (XSS) Cross-site request forgeries (CSRF)

7 General principles Specify what is allowed, not what is forbidden Use software engineering best practices (no cowboy coders) Test applications fully Test environments must duplicate production environments Test bad input, not just good input

8 Trust no one

9 Example attacks

10 Failure to restrict URL access OWASP A6 Includes elements of data leakage Attackers can access documents through URLs that should be protected

11 Preventing data leakage Permissions, server settings,.htaccess can help, but best to prevent unneeded fles from being present at all Limit development to dedicated machines, publish only fnal fles to production server

12 Cross-site scripting (XSS) OWASP A2 Crafted URLs can allow scripts to be run by client s browser This can result in victims: Having authentication credentials stolen Being redirected to malicious web sites

13 Preventing cross-site scripting Sanitize all user input Remove meta-characters e.g. `<> Characters may be encoded, best to remove anything not obviously harmless (e.g. a-za-z0-9) Foreign language support allows pathway to inject meta-characters Validation must be done on server end, validation done in the browser (e.g. through Javascript) can be bypassed

14 Broken Authentication OWASP A3 Authentication of users can be faked or credentials stolen to allow access to resources

15 Preventing authentication theft Don t pass authentication information

16 SQL injection OWASP A1 SQL commands are entered in user input felds If allowed as part of query to back-end database, can result in data theft manipulation or vandalism of data

17 Preventing injection attacks Sanitize user input Use appropriate data types and enumerations instead of text felds

18 Automated Vulnerability Scanning Hackers can perform vast numbers of typical attacks using automated processes to identify likely targets The good guys can do the same, and a number of vendors provide such solutions IBM AppScan selected after a lengthy evaluation process IST Security Team will provide web application scans as a service

19 IBM AppScan

20 Resources Security information OWASP SANS Institute (SysAdmin, Audit, Network, Security) Jeremiah Grossman

21 Resources Vendors IBM (Appscan) Cenzic (Hailstorm) HP (WebInspect) WhiteHat

22 Questions and Comments

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security