Web Application Security GVSAGE Theater

Similar documents
Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

INNOV-09 How to Keep Hackers Out of your Web Application

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Certified Secure Web Application Engineer

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

CSWAE Certified Secure Web Application Engineer

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

C1: Define Security Requirements

1 About Web Security. What is application security? So what can happen? see [?]

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Application Vulnerabilities: OWASP Top 10 Revisited

Sichere Software vom Java-Entwickler

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Web Application Threats and Remediation. Terry Labach, IST Security Team

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Exploiting and Defending: Common Web Application Vulnerabilities

Copyright

HTTP Protocol and Server-Side Basics

Welcome to the OWASP TOP 10

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Web Application Security. Philippe Bogaerts

Bank Infrastructure - Video - 1

Applications Security

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Application vulnerabilities and defences

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Managed Application Security trends and best practices in application security

Notes From The field

Introduction to Ethical Hacking

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

COMP9321 Web Application Engineering

F5 Application Security. Radovan Gibala Field Systems Engineer

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Solutions Business Manager Web Application Security Assessment


"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

GOING WHERE NO WAFS HAVE GONE BEFORE

Test Harness for Web Application Attacks

Secure Coding, some simple steps help. OWASP EU Tour 2013

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Ralph Durkee Independent Consultant Security Consulting, Security Training, Systems Administration, and Software Development

Your Turn to Hack the OWASP Top 10!

PHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Web Security, Part 2

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Web Application Penetration Testing

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Base64 The Security Killer

F5 Big-IP Application Security Manager v11

NET 311 INFORMATION SECURITY

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

The requirements were developed with the following objectives in mind:

Common Websites Security Issues. Ziv Perry

OWASP Application Security Building and Breaking Applications

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Fortify Software Security Content 2017 Update 4 December 15, 2017

Threat Landscape 2017

Hunting Security Bugs

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Using Threat Modeling To Find Design Flaws

Sichere Webanwendungen mit Java

The OWASP Foundation

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

Application Layer Security

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Information Security. Gabriel Lawrence Director, IT Security UCSD

Preparing for the Cross Site Request Forgery Defense

String Analysis for the Detection of Web Application Flaws

CSE 127 Computer Security

Aguascalientes Local Chapter. Kickoff

Injecting Security Controls into Software Applications. Katy Anton

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Top 10 Web Application Vulnerabilities

Web Security: Vulnerabilities & Attacks

EasyCrypt passes an independent security audit

Transcription:

Web Application Security GVSAGE Theater B2B Tech Expo Oct 29, 2003 Durkee Consulting www.rd1.net 1

Ralph Durkee SANS Certified Mentor/Instructor SANS GSEC, GCIH, GGSC Network Security and Software Development Consulting Durkee Consulting www.rd1.net 2

Agenda Web Application Risk Overview Threat Categories Overview Top 10 Vulnerabilities Examine 4 Vulnerabilities in Detail Durkee Consulting www.rd1.net 3

Web Applications What s the Risk? Risk = Threat * Vulnerability * Asset Threat Level for Internet Web Servers? Web attacks are very frequent (3-8 attacks / probes per day per IP is normal) Port 80 consistently one of the top 10 attacked (www.incidents.org) Vulnerabilities Plenty to come on Vulnerabilities Asset Estimate of all potential losses and costs. Durkee Consulting www.rd1.net 4

Traditional Threat Categories Threat Target Network Protocols Operating System Commercial Applications Mitigation Firewalls, Routers etc Patching, Hardening, Minimize Services Patching, Configuration Sophistication Automated Automated Automated Durkee Consulting www.rd1.net 5

Custom Application 4 th Threat Category Threat Target Network Protocols Operating System Commercial Applications Mitigation Firewalls, Routers etc Patching, Hardening, Minimize Services Patching, Configuration Sophistication Automated Automated Automated Custom Application Software Arch. Design & Code Reviews Appl. Testing Appl. Scanners Not Yet Automated Durkee Consulting www.rd1.net 6

OWASP Open Web Application Security Project WWW.OWASP.ORG Dedicated to helping organizations understand and improve the security of their web application and web services. Publish Top 10 Web App. Vulnerabilities Open Source Projects (WebGoat, WebScarab) Durkee Consulting www.rd1.net 7

OWASP Top 10 OWASP A1 - Unvalidated Parameters A2 - Broken Access Control A3 - Broken Account & Session Management Description Malicious input may attack server or back-end components. Access not well defined with controls which may be bypassed with client side manipulation. Session or Account authentication may be disclosed or guessed. Durkee Consulting www.rd1.net 8

OWASP Top 10 OWASP A4 - Cross Site Scripting A5 - Buffer Overflows A6 - Cmd Injection Description Malicious script is stored by the Web Application and given to an unsuspecting victim. Providing too much input allows code execution to be manipulated. Manipulates server evaluation of input to execute commands. Durkee Consulting www.rd1.net 9

OWASP Top 10 OWASP A7 - Error Handling A8 - Insecure Cryptography A9 - Remote Admin flaws A10 - Server misconfiguration Description Diagnostics reveal platforms, architecture and identifiers. Improper usage and home grown algorithms Inadequate controls and protection. Not using security configuration guidelines. Durkee Consulting www.rd1.net 10

Types of Input for Validation Form Input parameters <INPUT name=userid value= shmoe > Hidden form parameters <INPUT TYPE=hidden name=sessionid value= 928302757461044230129736 > Keep mind all input parameters are visible and can be modified. Durkee Consulting www.rd1.net 11

URL Query String Parameters Example https://www.rd1.net/servlet/login?userid=shmoe &password=dumb Least secure place for parameters Stored in browser history cache Visible to shoulder surfing Could be Book Marked App. Servers often allow this transparently. Durkee Consulting www.rd1.net 12

Cookies Flavors Persistent with expiration date / time, stored on client hard drive Non-persistent, no expiration, stored in memory until browser closed. Secure option (request https transmission) Durkee Consulting www.rd1.net 13

Cookies Example: Server Response and Client Request Set-Cookie: siteid=91d3dc13713aa579d0f148972384f4; path=/; expires=wednesday, 12-Oct-2003 02:12:40 domain=.www.rd1.net secure Cookie: siteid=91d3dc13713aa579d0f148972384f4 Durkee Consulting www.rd1.net 14

HTTP Headers Carry a good deal of information Access through various program API s. Easy to use HTTP header input without considering the need for validation. Durkee Consulting www.rd1.net 15

HTTP Headers Accept: image/gif, image/x-xbitmap, image/jpeg,..., */* Referer: http://rd1.net/index.html Accept-Language: en-us Content-Type: application/x-www-formurlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312) Host: rd1.net Content-Length: 46 Durkee Consulting www.rd1.net 16

HTTP Headers Java Sample URL server_url = new URL( urlstr); URLConnection conn = server_url.openconnection(); // Additional code int len = conn.getcontentlength(); What if len < 0? Or a very large value? Is the call getting the http header value or the actual length? What happens if they differ? Durkee Consulting www.rd1.net 17

Examples of Malicious Input 1. Command or SQL injection 2. Cross Site Scripting (XSS) 3. Improper Error Handling 4. Input encoding Durkee Consulting www.rd1.net 18

Command or SQL injection Input may contain special Meta-characters Some Meta-characters will have significance to the script, OS or database interpreter Meta-characters may be encoded to attempt to circumvent filtering CERT URL http://www.cert.org/tech_tips/malicious_code_mit igation.html Durkee Consulting www.rd1.net 19

SQL Injection JSP Example String squery = select userid from users where uname= + request.getparameter("user_nm ) + ; ; But What if.. user_nm= %27 or %27x%27=%27x The %27 is an encoded quote and the or x = x will always be true, May bypass the authentication and execute arbitrary SQL statements Durkee Consulting www.rd1.net 20

Cross Site Scripting (XSS) Any dynamic web page using unvalidated data is vulnerable. Data may contain html or client side scripting May originated from a malicious source May attack another client via web server Durkee Consulting www.rd1.net 21

XSS Example Durkee Consulting www.rd1.net 22

XSS Example 1. Malicious XSS Input comment=<script>malicious code</script> 2. Comment is placed in a DB 3. Served up on a web page to an unsuspecting victim. 4. Victims browser execute malicious code, and/or is sent to another site. Durkee Consulting www.rd1.net 23

Error Response Information Helpful Debug messages Provides way too much information! Very helpful to potential attacker. Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Microsoft Access 97 Driver] Can't open database VDPROD'. Durkee Consulting www.rd1.net 24

Improper Error Handling Possible Denial of Service Java Exceptions and Stack traces Very revealing! java.sql.sqlexception: ORA-00600: internal error code, arguments: [ttcgnd-1], [0], [], [], [], at oracle.jdbc.dbaccess.dberror.throwsqlexception (DBError.java:169) at oracle.jdbc.ttc7.ttioer.processerror (TTIoer.java:208) Durkee Consulting www.rd1.net 25

Input Encoding Malicious Input can be encoded in many ways Each software layer and script languages has additional encoding. Attempts to avoid negative filtration. Examples; & & Double encoding: &amp; Triple? Durkee Consulting www.rd1.net 26

Where to Validate Client validation -- is helpful but does not provide security Server validation Everything received from client must be suspect Validate before usage or interpretation. Durkee Consulting www.rd1.net 27

How to validate Positive filtering preferred rather than Negative Canonical form (decode) where appropriate Encode special characters where appropriate Many types of encoding Durkee Consulting www.rd1.net 28

What to check Minimally Allowed Character Set (Specific to data field) Numeric Range Length too short or too long Optional or required Encoding of potential meta-characters that must be allowed. Null bytes Durkee Consulting www.rd1.net 29

The Future for Web Application Security Application Security Testing tools Available but expensive still a bit green (new / bleeding edge) Application Firewalls also very new and expensive. Better understanding of Vulnerabilities Better Security input validation support from Development tool Vendors More Design & Code Reviews. Durkee Consulting www.rd1.net 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback