Web Security. Thierry Sans

Similar documents
Web Application Penetration Testing

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Introduction to Ethical Hacking

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

P2_L12 Web Security Page 1

Web Application Security. Philippe Bogaerts

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Security. CSC309 TA: Sukwon Oh

RKN 2015 Application Layer Short Summary

Progress Exchange June, Phoenix, AZ, USA 1

Information Security CS 526 Topic 8

XSS Homework. 1 Overview. 2 Lab Environment

Information Security CS 526 Topic 11

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Common Websites Security Issues. Ziv Perry

CIS 4360 Secure Computer Systems XSS

WEB SECURITY: XSS & CSRF

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

CSC 482/582: Computer Security. Cross-Site Security

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Client Side Injection on Web Applications

WHY CSRF WORKS. Implicit authentication by Web browsers

1 About Web Security. What is application security? So what can happen? see [?]

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Content Security Policy

Solution of Exercise Sheet 5

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Curso: Ethical Hacking and Countermeasures

Application vulnerabilities and defences

Security Course. WebGoat Lab sessions

An analysis of security in a web application development process

Certified Secure Web Application Engineer

A D V I S O R Y S E R V I C E S. Web Application Assessment

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Robust Defenses for Cross-Site Request Forgery

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Solutions Business Manager Web Application Security Assessment

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Web basics: HTTP cookies

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CS 142 Winter Session Management. Dan Boneh

AN E-GOVERNANCE WEB SECURITY AUDIT Deven Pandya 1, Dr. N. J. Patel 2 1 Research Scholar, Department of Computer Application

Ethical Hacking. Content Outline: Session 1

IronWASP (Iron Web application Advanced Security testing Platform)

CSCE 813 Internet Security Case Study II: XSS

Penetration Testing with Kali Linux

Avactis PHP Shopping Cart ( Full Disclosure

Web security: an introduction to attack techniques and defense methods

Your Turn to Hack the OWASP Top 10!

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

OpenID Security Analysis and Evaluation

Ruby on Rails Secure Coding Recommendations

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Hacking Intranet Websites from the Outside

CS 155 Project 2. Overview & Part A

EasyCrypt passes an independent security audit

Web basics: HTTP cookies

XSSFor the win! What can be really done with Cross-Site Scripting.

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

Bank Infrastructure - Video - 1

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

CSWAE Certified Secure Web Application Engineer

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Computer Security CS 426 Lecture 41

Web Attacks CMSC 414. September 25 & 27, 2017

Host Website from Home Anonymously

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Detecting XSS Based Web Application Vulnerabilities

Combating Common Web App Authentication Threats

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Penetration Testing. James Walden Northern Kentucky University

Web Penetration Testing

Robust Defenses for Cross-Site Request Forgery

Project 2: Web Security

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Web Application Security. Sytech System Co.,Ltd.

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Web Vulnerabilities. And The People Who Love Them

GOING WHERE NO WAFS HAVE GONE BEFORE

CSCD 303 Essential Computer Security Fall 2017

OWASP March 19, The OWASP Foundation Secure By Design

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Transcription:

Web Security Thierry Sans

1991 Sir Tim Berners-Lee

Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing

Web security is a major concern

The Big Picture

The web architecture Client Side Web Browser Server Side Web Server Database

Securing the web architecture means securing... The network The DNS (Domain Name System) The web server operating system The web server application (Apache for instance) The database application (Oracle for instance) The web application Our focus here!

What is a web application? program running on the browser + program running on the server

Anatomy of a web application

The HTTP protocol Network protocol for requesting/receiving data on the Web Standard TCP protocol on port 80 (by default) URI/URL specifies what resource is being accessed Different request methods

Let s look at what a web server does telnet to a web server > telnet whitehat.local 80 GET / enter HTTP requests

Anatomy of a URL protocol server query string http://whitehat.local/index.php?filter=hello path get parameters resource

Authentication and Authorization Authentication Who are the authorized users? Authorization Who can access what and how?

The simple recipe for user authentication 1. Ask the user for a login and password and send it to the server (HTTP/POST request) 2. Verify the login/password based on information stored on the server (usually in the database) 3. Start a session once the user has been authenticated 4. Grant access to resources according to the session

The concept of session There is a session id (aka token) between the browser and the web application This session id should be unique and unforgeable (usually a long random number or a hash) Stored in the cookie The session id is bind to key/value pairs data Stored on the server

Session : key/value pairs stored on the server The big picture HTTP request HTTP response HTTP request HTTP response Web Browser Cookie : key/value pairs stored in the requests Web Server The user can create, modify, delete the session ID in the cookie But cannot access the key/value pairs stored on the server

Hacking Authentication

How to steal user s credentials Brute force the password Brute force the session ID Steal the user s password Steal the user s session ID

Limitation of HTTPS password = 123456 password = 123456 E#%FY7*5EZ$#G

Stealing passwords from the client Social engineering - Phishing Keyloggers (keystroke logging) Data mining (emails, logs) Hack the client s code

Stealing passwords from the server Hack the server Hack the server s side code

Hacking the Client s Side Code

Client side s attacks Content Spoofing inject arbitrary HTML content into a webpage CSRF inject arbitrary urls into a webpage XSS inject arbitrary Javascript code into a webpage

Content Spoofing injecting arbitrary HTML content into a webpage GET /?videoid=527 <html... comment = <a href= myad.com >Fun stuff... GET /?videoid=527 <html... The page contains the attacker s code. * Notice that Youtube is not vulnerable to this attack

CSRF attack injecting arbitrary urls into a webpage GET View/?profileid=53 <img src= www.alice.com/profilepic GET profilepic www.badwebsite.com GET Delete/?profileid=53 www.alice.com???... id url name GET setprofile/?url=delete/?profileid=53 53 www.alice.com/ profilepic Alice Done! profileid=86 86 www.badwebsite.com/ Delete/?imageid=53 Charlie Hey Alice, check my profile GET View/?profileid=86 <img src= Delete/?profileid=53 GET Delete/?profileid=53

XSS attack injecting arbitrary javascript into a webpage GET /?videoid=527 <html... comment = <script>... GET /?videoid=527 <html... login=alice&password=123456 The script contained in the comments modifies the page to look like the login page! * Notice that Youtube is not vulnerable to this attack

Scope of XSS attacks Inject illegitimate content in the page (same as content spoofing) Perform illegitimate HTTP requests through Ajax (same as a CSRF attack) Steal Session ID from the cookie Steal user s login/password by modifying the page to forge a perfect scam

XSS attacks are widespread

Hacking the Server s Side Code

Server s side attacks SQL injection inject arbitrary SQL code executed on the server s database File inclusion inject arbitrary code executed on the server

SQL Injection Attack inject arbitrary SQL code executed on the server s database loginpage.html 123456 OR 1 = 1 name=alice&pwd=123456 Access Deny! Access Granted! checkpassword.php <?php $uid = SQLQuery("SELECT uid FROM LoginTable WHERE login=". $_POST['name']. "AND password =". $POST['pwd ']); if ($uid) echo "Access Granted"; else echo "Access Denied";?>

Scope of SQL injection attacks retrieves, adds, modifies, deletes arbitrary information bypasses authentication installs a reverse shell

File Inclusion Attack inject arbitrary code executed on the server

Web Penetration Testing

Web application security tools Commercial AppScan Proxy mapper Vulnerability scanner Acunetix Burp Suite Replay HTTP requests (Exploit tool) Nikto Vega W3af Open Source among others

Conclusion You have absolutely no control on the client Client Side Server Side Web Browser Web Server Database

References Mozilla Secure Coding Guideline https://wiki.mozilla.org/webappsec/secure_coding_guidelines Ruby on Rails Security Page http://guides.rubyonrails.org/security.html Django Security Page https://docs.djangoproject.com/en/dev/topics/security/ PHP Security Pages http://php.net/manual/en/security.php http://phpsec.org/projects/guide/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback