Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma


Web Application & Web Server Vulnerabilities Assessment
Pankaj Sharma, Indian Computer Emergency Response Team (CERT-In), Department of Information Technology

Agenda
- Introduction
  - What are Web Applications?
  - Web server deployment architecture
  - What is Vulnerabilities Assessment? VA & PT
- Configuration related vulnerabilities
  - Insecure configuration
  - Improper error handling
  - Directory indexing
- Application related vulnerabilities
  - Technical vulnerabilities: unvalidated input, Cross-Site Scripting flaws, content injection flaws
  - Security vulnerabilities: Denial of Service, session management
- Secure architecture
- Best practices
- Q&A

What are Web Applications?
A web application is an application delivered to users from a web server over a network such as the World Wide Web or an intranet.
(Diagram: web application client/server software; the browser talks to the web server over HTTP.)

Web server deployment architecture (diagram slide)

Process (diagram slide)

What is Vulnerabilities Assessment?
A vulnerability assessment is the process of identifying, quantifying, and ranking the vulnerabilities in a system. Assessments are typically performed according to the following steps:
1. Cataloging resources in a system.
2. Assigning rank and importance to those resources.
3. Identifying threats and vulnerabilities for each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.

What is Penetration Testing?
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, using a proof of concept instead of a real exploit.

VA & PT
VA:
- General in scope and includes a large assessment.
- Predictable: the admin has prior information about the scan.
- Unreliable at times, with a high rate of false positives.
- Vulnerability assessment invites debate among system admins.
- Produces a report with mitigation guidelines and action items.
PT:
- Focused in scope and may include targeted attempts to exploit specific vulnerabilities.
- Unpredictable by the recipient.
- Highly accurate and reliable.
- Penetration testing = proof of concept against vulnerabilities.
- Produces a binary result: either the team owned you, or they didn't.

Web Server Configuration related vulnerabilities
Insecure configuration: configuration problems
- Unpatched security flaws
- Improper file and directory permissions
- Overly informative error messages
- Unnecessary services enabled
- Default accounts with their default passwords
- Administrative or debugging functions that are enabled

Web Server Configuration related vulnerabilities
Improper error handling introduces a variety of security problems for a web application. Detailed internal error messages (database dumps, table names, attribute names, error codes) are displayed to the user. Any user can then obtain sensitive information, as though they were a legitimate user, by using SQL injection, cross-site scripting, etc.


Web Server Configuration related vulnerabilities
Information Disclosure: the information disclosure section covers attacks designed to acquire system-specific information about a web site.
Directory Indexing: directory indexing is when a directory listing of files is displayed in a browser instead of an actual web page. This occurs when a URL resolves to a directory that does not contain a default file. Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (index.html, home.html, default.htm, default.asp, default.aspx, index.php) is not present.


Configuration related vulnerabilities
The following information could be obtained from directory indexing data:
- Backup files, with extensions such as .bak, .old or .org
- Temporary files
- Hidden files
- Naming conventions
- Enumerated user accounts
- Configuration file contents
- Script contents
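The leftover-file and directory-listing exposures listed above leave a trace in the web server's access log, which a defender can watch for. The following detection script is an added example, not part of the slides or of CERT-In's material; the log lines are constructed in Apache combined format and the file-extension list extends the slides' .bak/.old/.org with a few other common leftovers.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format); not from the slides.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:14 +0000] "GET /config.php.bak HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:15 +0000] "GET /backup/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:16 +0000] "GET /.htpasswd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:02:01 +0000] "GET /images/logo.png HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:02:03 +0000] "GET /admin.old HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions of backup/temporary files that should never be served from the web root.
BACKUP_EXT = (".bak", ".old", ".org", ".orig", ".tmp", ".swp", "~")


def classify(path):
    """Return a reason if the requested path looks like a leftover file or a bare directory, else None."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if name.startswith("."):
        return "hidden-file"
    if name.lower().endswith(BACKUP_EXT):
        return "backup-file"
    if path.endswith("/") and path != "/":
        # A 200 on a bare directory is where automatic indexing would show a listing.
        return "directory-200"
    return None


def find_probes(log_text):
    """Parse each log line and collect (ip, path, status, reason) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["path"])
        if reason is None:
            continue
        status = int(m["status"])
        # Directory requests only matter when the server actually answered them.
        if reason == "directory-200" and status != 200:
            continue
        findings.append((m["ip"], m["path"], status, reason))
    return findings


def per_client(findings):
    """Count findings per client IP so repeated probing from one source stands out."""
    return Counter(ip for ip, *_ in findings)


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        print(f)
    print(per_client(find_probes(SAMPLE_LOG)))
```

A hit on a backup file with status 200 means the file was actually served and should be removed from the document tree; a 403 or 404 shows probing but no disclosure. The directory-200 case is a candidate for a manual check, since the log alone does not show whether an index page or a listing was returned.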

Web Application Related Vulnerabilities

Web Application Related Vulnerabilities
Unvalidated input: parameters used in URLs, HTTP headers, and forms are often used to control and validate access to sensitive information.
Tainted parameters: any part of an HTTP request that is used by a web application without being carefully validated is known as a tainted parameter. The simplest way to find tainted parameter use is a detailed code review, searching for all the calls where information is extracted from an HTTP request.

Web Application Related Vulnerabilities: Cross-Site Scripting (XSS)
XSS takes advantage of a vulnerable web site to attack clients who visit that web site. The most frequent goal is to steal the credentials of users who visit the site.

Web Application Related Vulnerabilities
Cross-Site Script attack:
1. A URL containing a malicious script is sent to the client.
2. The user clicks the malicious link, and the request goes to the server with the malicious script.
3. The server sends the response back to the client with the malicious script.
4. The browser gets the data from the server with the malicious script and executes it, because the browser assumes that the HTML or script tag came from the requested page.
Ways to send the attacker's script to the victim:
- Message board
- URL provided on a third-party web site
- By email
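The two defences against the tainted-parameter and XSS problems described above are allowlist validation of every request parameter on the way in, and output encoding on the way out, so a reflected value is rendered as text rather than parsed as HTML. The following is an added example, not code from the slides; the parameter names and allowlist patterns are assumptions for illustration.

```python
import html
import re

# Allowlist per request parameter: what each field may legitimately contain (assumed for this example).
PARAM_RULES = {
    "user": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "page": re.compile(r"[0-9]{1,6}"),
    "lang": re.compile(r"en|hi|fr"),
}


def validate_params(params):
    """Check every parameter against its allowlist; unknown or malformed parameters are rejected."""
    clean, errors = {}, []
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            errors.append(f"unexpected parameter: {name}")
        elif not rule.fullmatch(value):
            errors.append(f"malformed value for {name}")
        else:
            clean[name] = value
    return clean, errors


def render_greeting_unsafe(display_name):
    """How the vulnerable page behaves: the tainted value is reflected into HTML unchanged."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting(display_name):
    """Output encoding for the HTML body context: <, >, &, quotes become entities."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    tainted = '<script>alert("x")</script>'
    print(validate_params({"user": tainted, "page": "3"}))
    print(render_greeting_unsafe(tainted))
    print(render_greeting(tainted))
```

Validation and encoding are not alternatives: validation keeps junk out of the application's data, while encoding protects the page even for values (such as a user's chosen display name) that legitimately contain characters special to HTML.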

Web Application Related Vulnerabilities
Content injection flaws:
- SQL injection: allows commands to be executed directly against the database, allowing disclosure and modification of data in the database.
- XPath injection: allows an attacker to manipulate the data in an XML database.
- Command injection: OS and platform commands can often be used to give attackers access to data and escalate privileges on backend servers.

SQL Injection through Login Page: using an OR condition (screenshot slide)

Web Application Attacks: SQL Injection login form (screenshot slide)

Web Application Related Vulnerabilities
Authorization script in the web page, Login.asp:

    <%
    dim username, password, query
    dim conn, rs
    ' form fields are used as-is: tainted parameters
    username = Request.Form("userName")
    password = Request.Form("password")
    set conn = server.createobject("adodb.connection")
    set rs = server.createobject("adodb.recordset")
    ' query built by string concatenation: the injection point
    query = "select count(*) from users where username='" & username & "' and userpass='" & password & "'"
    conn.open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
    rs.activeconnection = conn
    rs.open query
    if not rs.eof then
        response.write "Logged In SQL world"
    else
        response.write "Bad Credentials"
    end if
    %>

Web Application Related Vulnerabilities
To bypass this authorization, the user has to enter the following SQL code:
Username: Ram
Password: ' or 1=1 --
Output: "Logged In SQL world".

Web Application Attacks: SQL Injection
The resultant query now looks like:

    select count(*) from users where username='Ram' and userpass='' or 1=1 --

The query now checks for an empty password,
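The Login.asp logic above, rebuilt in Python against an in-memory SQLite table so the bypass and its fix can be run side by side. This is an added example, not code from the slides: the vulnerable function keeps the string-concatenated query, the safe one uses a parameterised query, and its error path also shows the improper-error-handling point from the configuration section (internal database errors are logged server-side, and the user only sees "Bad Credentials"). The users table and the account in it are constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("login")


def setup_db():
    """In-memory users table with one constructed account (not the slides' myDB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, userpass text)")
    conn.execute("insert into users values ('Ram', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same construction as Login.asp: the SQL text is built by concatenating form fields."""
    query = ("select count(*) from users where username='" + username
             + "' and userpass='" + password + "'")
    count = conn.execute(query).fetchone()[0]
    return count > 0


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL, so quotes in input
    cannot change the statement. Internal errors are logged, never echoed to the user."""
    try:
        row = conn.execute(
            "select count(*) from users where username=? and userpass=?",
            (username, password),
        ).fetchone()
    except sqlite3.Error as exc:
        log.error("login query failed: %s", exc)   # detail stays in the server log
        return False
    return row[0] > 0


def login_response(conn, username, password):
    """The two messages the slide's page writes, produced from the safe check."""
    return "Logged In SQL world" if login_safe(conn, username, password) else "Bad Credentials"


if __name__ == "__main__":
    db = setup_db()
    bypass = "' or 1=1 --"
    print("vulnerable, bypass password:", login_vulnerable(db, "Ram", bypass))
    print("safe, bypass password:      ", login_safe(db, "Ram", bypass))
    print("safe, real password:        ", login_response(db, "Ram", "s3cret"))
```

With the concatenated query the bypass string turns the WHERE clause into `username='Ram' and userpass='' or 1=1 --'`, and the trailing `--` comments out the closing quote, so the count is non-zero. With placeholders the same string is simply compared, as a whole, against the userpass column and matches nothing.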

Security Vulnerabilities
Logical attacks: Denial of Service (DoS) attacks temporarily cease operations of a web application by exploiting an application vulnerability.

Security Vulnerabilities
Classification of DoS attacks:
- Bandwidth consumption
- Resource starvation
- Programming flaws in web applications
- DoS targeting a specific user: user accounts locked out during password cracking
- DoS targeting the database server: modify the database so that the system becomes unusable
- DoS targeting the web server: buffer overflow techniques send a specially crafted request that crashes the web server process, and the system will normally be inaccessible to normal user activity

Web Application Related Vulnerabilities
Session management: a session is a connection (user to server) that is temporary and unique, and stores parameters relevant to the user. A URL containing the session ID might look something like:
http://www.12345randomsite.com/view/7ad30725122120803

Security Vulnerabilities
Credential/session prediction: hijacking or impersonating a web site user by generating an authentication session ID, using brute-forced or reverse-engineered session IDs.

Web Application Related Vulnerabilities
Calculate: IDs that are generated in a non-random manner can be calculated, e.g. http://www.123greetings.com/view/ad3075122110120
Press Back and we see a few more URLs with copies of my greeting cards, like these:
http://www.123greetings.com/view/ad30725122116211
http://www.123greetings.com/view/ad30725122118901
http://www.123greetings.com/view/ad30725122120803
Guess? The beginning looks fairly constant (AD3) for each session ID, and 07251221 is 25 July at 12:21. Eliminate that part, and the remaining five digits at the end of the URL are the randomly generated portion. With prior knowledge of the time at which the visitor sent the greeting, we can formulate and guess most of the session ID except for the last five digits.
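The structure the slide reverse-engineers (constant prefix, timestamp, five digits of actual randomness) can be checked for in any sample of issued IDs by measuring how much of each ID is shared, and the remaining guess space can be sized in bits. The following is an added example, not code from the slides or from the site mentioned: the predictable generator reproduces the slide's layout with an assumed MMDDHHMM timestamp field, and the secure generator uses the standard library CSPRNG.

```python
import math
import secrets
from datetime import datetime


def predictable_session_id(when, counter):
    """Layout of the kind the slide describes: fixed prefix + MMDDHHMM timestamp + five-digit counter.
    The timestamp format is an assumption made to reproduce the slide's example values."""
    return "ad3" + when.strftime("%m%d%H%M") + f"{counter:05d}"


def random_session_id(nbytes=16):
    """CSPRNG-backed identifier: 16 random bytes (128 bits), hex-encoded, no structure to guess."""
    return secrets.token_hex(nbytes)


def common_prefix_len(ids):
    """Number of leading characters shared by every ID in the sample; a large value means
    most of the ID is predictable and only the tail needs guessing."""
    if not ids:
        return 0
    n = 0
    for i, ch in enumerate(ids[0]):
        if all(len(s) > i and s[i] == ch for s in ids):
            n += 1
        else:
            break
    return n


def guess_space_bits(varying_len, alphabet_size):
    """Effective search space in bits when only varying_len characters over the given alphabet vary."""
    return varying_len * math.log2(alphabet_size)


if __name__ == "__main__":
    issued_at = datetime(2007, 7, 25, 12, 21)           # 25 July, 12:21, as on the slide
    weak = [predictable_session_id(issued_at, c) for c in (16211, 18901, 20803)]
    strong = [random_session_id() for _ in range(3)]
    print(weak, "shared prefix:", common_prefix_len(weak))
    print("weak guess space: %.1f bits" % guess_space_bits(len(weak[0]) - common_prefix_len(weak), 10))
    print(strong, "shared prefix:", common_prefix_len(strong))
    print("strong guess space: %.1f bits" % guess_space_bits(len(strong[0]), 16))
```

For the slide's scheme only five decimal digits vary once the time is known, roughly 16.6 bits, which is within reach of brute force through the application; a 16-byte random token leaves all 128 bits to guess. The same prefix measurement applied to a handful of IDs issued by a real application is a quick first test during an assessment.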

Secure Architecture (diagram slide)

BEST PRACTICES
- Place your web server(s) in a DMZ.
- Set your firewall to drop connections to your web server on all ports except HTTP (port 80) and HTTPS (port 443).
- Remove all unneeded services from your web server.
- Disallow all remote administration unless it is done using a one-time password or an encrypted link.
- Limit the number of persons having administrator or root level access.
- Log all user activity and maintain those logs either in an encrypted form on the web server or on a separate machine on your intranet.
- Monitor system logs regularly for any suspicious activity.
- Remove ALL unnecessary files, such as phf, from the scripts directory /cgi-bin.
- Remove the "default" document trees that are shipped with web servers.
- Do all updates from your intranet.
- Scan your web server periodically with tools like ISS or nmap to look for vulnerabilities.
- Have intrusion detection software monitor the connections to the server.

Thanks
pankaj@cert-in.org.in