Threat Landscape 2017


Pattern Recognition and Applications Lab
WEB Security
Giorgio Giacinto, giacinto@diee.unica.it
Computer Security 2018
Department of Electrical and Electronic Engineering, University of Cagliari, Italy

Threat Landscape 2017

Vulnerabilities of Websites
Source: Symantec 2018 (data measured in 2017); Symantec 2016

Incident classification patterns for Confirmed Data Breaches
Source: Verizon, Data Breach Investigation Report, 2016

Exploiting Vulnerable Hosts

How to Exploit Vulnerable Hosts?
1. Find a vulnerable host (specific search engines)
2. Download one or more exploits (specific repositories)
3. Attack the web site (be careful not to leave traces)
ETHICAL HACKING!!!

Kill Chain
Source: ENISA Threat Landscape 2017

Shodan

Metasploit

Exploit Database

Web Application Exploits

Web Attack Toolkits
Source: Symantec 2016

Exploit Kits
https://www.mcafee.com/threat-center/threat-landscape-dashboard/exploit_kits.html

HTTP Protocol Specification

IETF (Internet Engineering Task Force)
- The official documentation is maintained by the IETF HTTP working group (http://httpwg.org)
- The current version is HTTP/1.1
- The next version is HTTP/2 (https://http2.github.io)

Structure of HTTP Transactions
HTTP uses the client-server model:
- An HTTP client opens a connection and sends a request message to an HTTP server
- The server returns a response message containing the requested resource
- After delivering the response, the server closes the connection (except for persistent connections)

Format of HTTP request and response messages:
- an initial line (the request line, or the status line in a response)
- zero or more header lines
- a blank line
- an optional message body (e.g. a file, or query data, or query output)

HTTP Request message

Initial Request Line
A request line has three parts, separated by spaces:
- a method name
- the local path of the requested resource
- the version of HTTP being used
Example: GET /path/to/file/index.html HTTP/1.1
GET is the most common HTTP request; it means "give me this resource".
Other methods include POST and HEAD, etc.
Method names are always uppercase.
The path is the part of the URL after the host name, also called the request URI (Uniform Resource Identifier).

Initial Response Line (Status line)
- The HTTP version
- A response status code: the result of the request
- A reason phrase describing the status code
Response categories:
- 1xx: an informational message
- 2xx: success of some kind
- 3xx: redirections
- 4xx: an error on the client's part
- 5xx: an error on the server's part

Common status codes
- 200 OK: the request succeeded, and the resulting resource is returned in the message body
- 404 Not Found
- 301 Moved Permanently
- 302 Moved Temporarily
Check RFC 2616 for the complete list.

The Message Body
In a response, it contains the requested resource, or an explanatory text if there is an error.
In a request, it contains the user-entered data or uploaded files.
If an HTTP message includes a body, some header lines describe the format of the body:
- Content-Type: the MIME type of the data, e.g. text/html or image/gif
- Content-Length: the number of bytes in the body

Sample HTTP Exchange
HTTP Request:
    GET /path/f.htm HTTP/1.1
    Host: www.host1.com:80
    User-Agent: HTTPTool/1.0
    [blank line here]
HTTP Response:
    HTTP/1.1 200 OK
    Date: Fri, 31 Dec 1999 23:59:59 GMT
    Content-Type: text/html
    Content-Length: 1354

    <html>
    <body>
    <h1>Happy New Millennium!</h1>
    (more file contents)...
    </body>
    </html>

The HEAD Method
A HEAD request is just like a GET request, except that it asks the server to return the response headers only, not the actual resource (i.e., no message body).
This is used to check the characteristics of a resource without actually downloading it.
The response to a HEAD request must never contain a message body, just the status line and headers.

The POST Method
A POST method is used to send data to the server.
A POST request is different from a GET request:
- Data is sent with the request, in the message body
- There are usually extra headers to describe this message body, e.g., Content-Type: and Content-Length:
- The request URI is not a resource to retrieve, but usually a program to handle the data you're sending
- The HTTP response is normally the output of a program, not a static file
Examples: PHP forms, Javascript code

The POST Method: Example
    POST /login.jsp HTTP/1.1
    Host: www.mysite.com
    User-Agent: Mozilla/4.0
    Content-Length: 27
    Content-Type: application/x-www-form-urlencoded

    userid=me&password=guessme
Form submission
- POST requests can be used to send whatever data you want
- The sender and the receiving program must agree on the format
- The GET method can also be used to submit forms: the form data is URL-encoded and appended to the request URI

Persistent HTTP Connections
- The server does not immediately close the connection after sending the response
- The responses should be sent back in the same order as the requests
- The "Connection: close" header in a request indicates the final request for the connection; the server should close the connection after sending the response
- The server should close an idle connection after some timeout period
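A parser for the message layout described in these HTTP slides, added here as an example and not part of the lecture. It enforces the points above (uppercase method name, Host header on HTTP/1.1, Content-Length agreeing with the body, no body in the response to a HEAD request); all function and variable names are my own.

```python
"""Parser for the HTTP/1.1 message layout the slides describe: initial line,
header lines, blank line, optional body sized by Content-Length. Added example."""
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")
STATUS_LINE = re.compile(r"^HTTP/(\d\.\d) (\d{3})(?: (.*))?$")
CATEGORIES = {1: "informational", 2: "success", 3: "redirection",
              4: "client error", 5: "server error"}  # "Response categories" slide

def split_message(raw: bytes, check_length: bool = True):
    """Return (initial line, headers, body); reject a body whose size disagrees with Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header section")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    if check_length and declared != len(body):
        raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
    return lines[0], headers, body

def parse_request(raw: bytes) -> dict:
    initial, headers, body = split_message(raw)
    m = REQUEST_LINE.match(initial)  # method names are always uppercase
    if not m:
        raise ValueError(f"bad request line: {initial!r}")
    method, path, version = m.groups()
    if version == "1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}

def parse_response(raw: bytes, for_head: bool = False) -> dict:
    # For HEAD, Content-Length describes the resource, not the (empty) body: skip the size check.
    initial, headers, body = split_message(raw, check_length=not for_head)
    m = STATUS_LINE.match(initial)
    if not m:
        raise ValueError(f"bad status line: {initial!r}")
    if for_head and body:
        raise ValueError("body returned for a HEAD request")
    code = int(m.group(2))
    return {"version": m.group(1), "status": code, "reason": m.group(3) or "",
            "category": CATEGORIES[code // 100], "headers": headers, "body": body}
```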

Web Application Attacks

OWASP
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations are able to make informed decisions. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
http://www.owasp.org

Architecture of Information Systems
Web pages are created dynamically by querying a database:
- selection of products in e-commerce sites
- selection of courses in the university
- etc.
Relational databases are the core of many web sites, usually part of the information system of the organization.
How to query the database through the web site?

Web Application Exploitation
Web pages contain TEXT and multimedia content.
Commands and instructions that shape the web page and provide its dynamic content are textual tokens embedded within the content of the page.
Goal of the attacker: to disguise malicious commands as legitimate content when
- filling a web form
- querying a database through a web interface
- posting a comment in a web forum

Web Security: Command Injection

PHP at work
Diagram: Web Browser -> URI (display.php) -> Web Server -> PHP -> Web Page -> Web Browser
display.php:
    <?php echo system("cat " . $_GET["file"]); ?>
system(call, args) performs a system call in the working directory
. (dot) concatenates strings

PHP at work: command injection
Diagram: Web Browser -> URI display.php?file=cal.txt -> Web Server: system("cat " . $_GET["file"]) -> shell command: cat cal.txt -> content of cal.txt returned to the browser
What happens if we forge the URI
    display.php?file=cal.txt%3b%20rm%20-rf%20%2f%3b%0a%0a
(URL decoding: http://www.url-encode-decode.com)

Command Injection
    display.php?file=cal.txt%3b%20rm%20-rf%20%2f%3b%0a%0a
translates into
    display.php?file=cal.txt; rm -rf /;
and the shell executes
    cat cal.txt; rm -rf /;
Solutions:
- Input validation
- Using a less powerful API

Input Validation
- Blacklisting is ineffective: we should list all possible invalid input strings
- Whitelisting: checking if the input string has the expected format
- Input escaping: adding quotes to the input string

Using a less powerful API
The system API is simple to use BUT it is too powerful: it allows an attacker to run any system command.
Select the API that performs just what we need.
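The countermeasures above applied to the display.php case, as an added example that is not the lecture's code: whitelist validation, input escaping and a less powerful API (reading the file directly instead of handing its name to a shell). decode_file_param, validate_filename, escape_for_shell, read_file_safely and demo are assumed names, and the directory holding cal.txt is constructed inside demo().

```python
"""Defensive counterparts to the display.php slide: whitelist validation,
input escaping, and a less powerful API (open the file directly instead of
handing its name to a shell). Added example, not the lecture's code."""
import os
import re
import shlex
import tempfile
from urllib.parse import unquote

# Whitelist: one plain file name, no separators, no leading dot, no control chars.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

def decode_file_param(uri: str) -> str:
    """What $_GET["file"] holds once the server URL-decodes the query string."""
    for pair in uri.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key == "file":
            return unquote(value)
    return ""

def validate_filename(name: str) -> bool:
    """Whitelisting: accept only input that has the expected format."""
    return bool(SAFE_NAME.match(name)) and ".." not in name

def escape_for_shell(name: str) -> str:
    """Input escaping: quote so a shell would see one word (inspection only; never run here)."""
    return shlex.quote(name)

def read_file_safely(base_dir: str, name: str) -> bytes:
    """Less powerful API: open() under base_dir instead of system("cat ...")."""
    if not validate_filename(name):
        raise ValueError(f"rejected file name: {name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:  # defence in depth against traversal
        raise ValueError("path escapes the base directory")
    with open(target, "rb") as fh:
        return fh.read()

def demo() -> dict:
    """Constructed run: a temp directory holding cal.txt, queried with the slide's benign and injected URIs."""
    good = decode_file_param("display.php?file=cal.txt")
    bad = decode_file_param("display.php?file=cal.txt%3b%20rm%20-rf%20%2f%3b%0a%0a")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "cal.txt"), "wb") as fh:
            fh.write(b"January 2018")
        content = read_file_safely(d, good)
    return {"decoded": bad, "content": content, "bad_accepted": validate_filename(bad),
            "quoted": escape_for_shell(bad)}
```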

OWASP Testing Guide

OWASP Testing Guide
Application development must follow a clear methodology to avoid known vulnerabilities (generic SDLC model).
Testing must take into account:
- People, to ensure that there is adequate education and awareness
- Process, to ensure that there are adequate policies and standards and that people know how to follow these policies
- Technology, to ensure that the process has been effective in its implementation

Basic principles of Testing
- There is No Silver Bullet!
- Think Strategically, Not Tactically
- The SDLC is King
- Test Early and Test Often
- Understand the Scope of Security
- Develop the Right Mindset
- Understand the Subject
- Use the Right Tools
- The Devil is in the Details
- Use Source Code When Available
- Develop Metrics
- Document the Test Results

OWASP Testing Techniques
- Manual Inspections & Reviews
- Threat Modelling
- Source Code Review
- Penetration Testing

OWASP Testing Framework
Phase 1: Before Development Begins
- Phase 1.1: Define a SDLC
- Phase 1.2: Review Policies and Standards
- Phase 1.3: Develop Measurement and Metrics Criteria and Ensure Traceability
Phase 2: During Definition and Design
- Phase 2.1: Review Security Requirements
- Phase 2.2: Review Design and Architecture
- Phase 2.3: Create and Review UML Models
- Phase 2.4: Create and Review Threat Models

OWASP Testing Framework
Phase 3: During Development
- Phase 3.1: Code Walk Through
- Phase 3.2: Code Reviews
Phase 4: During Deployment
- Phase 4.1: Application Penetration Testing
- Phase 4.2: Configuration Management Testing
Phase 5: Maintenance and Operations
- Phase 5.1: Conduct Operational Management Reviews
- Phase 5.2: Conduct Periodic Health Checks
- Phase 5.3: Ensure Change Verification

OWASP Web Application Security Testing
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Input Validation Testing
- Testing for Error Handling
- Testing for Weak Cryptography
- Business Logic Testing
- Client Side Testing

Automated testing tools
Code review
- Commercial: Fortify Software (HP); IBM AppScan Source, Contrast Security, etc.
- Open Source: OWASP Orizon, OWASP O2, OWASP Codecrawler, etc.
Application testing (black box)
- Commercial: IBM AppScan Standard, HP WebInspect, etc.
- Open Source: OWASP Zap, SQLMap, etc.

Training on Web Attacks
Tools available to learn web security: please visit https://www.owasp.org/index.php/owasp_vulnerable_web_applications_directory_project