INNOV-09 How to Keep Hackers Out of your Web Application

Similar documents
Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Bank Infrastructure - Video - 1

Web Application Security. Philippe Bogaerts

Web Application Security GVSAGE Theater

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application vulnerabilities and defences

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Solutions Business Manager Web Application Security Assessment

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

F5 Application Security. Radovan Gibala Field Systems Engineer

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Application Threats and Remediation. Terry Labach, IST Security Team

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

RiskSense Attack Surface Validation for Web Applications

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

How to perform the DDoS Testing of Web Applications

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

Vulnerabilities in online banking applications

Web Security. Outline

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Copyright

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Combating Common Web App Authentication Threats

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Advanced Web Technology 10) XSS, CSRF and SQL Injection

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

TIBCO Cloud Integration Security Overview

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Your Turn to Hack the OWASP Top 10!

CSWAE Certified Secure Web Application Engineer

Application Layer Security

Curso: Ethical Hacking and Countermeasures

Web Application Attacks

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Certified Secure Web Application Engineer

Scan Report Executive Summary

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Web Application Penetration Testing

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

OWASP TOP OWASP TOP

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

OWASP TOP 10. By: Ilia

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Security Testing for Benefits Screening & Management Project

ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

C1: Define Security Requirements

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Integrigy Consulting Overview

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

How were the Credit Card Numbers Published on the Web? February 19, 2004

Progress Exchange June, Phoenix, AZ, USA 1

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

1 About Web Security. What is application security? So what can happen? see [?]

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

ECCouncil Certified Ethical Hacker. Download Full Version :

Web Application Vulnerabilities: OWASP Top 10 Revisited

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Exploiting and Defending: Common Web Application Vulnerabilities

Security Solutions. Overview. Business Needs

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

SECURITY TESTING. Towards a safer web world

GOING WHERE NO WAFS HAVE GONE BEFORE

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Top 10 Web Application Vulnerabilities

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

Web basics: HTTP cookies

Notes From The field

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Hunting Security Bugs

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CS 161 Computer Security

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 5 Host, Application, and Data Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Web Applications Penetration Testing

Transcription:

INNOV-09 How to Keep Hackers Out of your Web Application Michael Solomon, CISSP PMP CISM Solomon Consulting Inc. www.solomonconsulting.com

What is a Web Application? Any access to your data via the Internet Generally uses standard web browser Easy to find and connect Advantages No special end user software requirements Connect from anywhere Convenient for users Easy to upgrade software (internal) INNOV-09, How to Keep Hackers Out of your Application 2

Basic Web Application Architecture Web Server AppServer / DBMS Web browser RDBMS INNOV-09, How to Keep Hackers Out of your Application 3

Web Application Security Issues Most web applications use standard ports HTTP uses port 80 HTTPS (SSL) uses port 443 Easy access through the exterior firewall Connect to a web app and you are inside the company s system Hopefully, there is at least one more firewall between the web server and the internal network Many weaknesses are known, but they still persist We keep making the same mistakes over and over See the SANS Top 20 Internet Vulnerabilities List www.sans.org/top20 INNOV-09, How to Keep Hackers Out of your Application 4

Perimeter Defense AppServer /DBMS Web Server (DMZ) Web browser DMZ Demilitarized Zone Ingress and Egress firewalls Still not secure enough RDBMS INNOV-09, How to Keep Hackers Out of your Application 5

What are hackers after? Regardless of the motivation, there are three basic goals of attacks on web applications Disclosure of confidential data Medical records/financial information Identity theft Modification of important data Grades Medical/Financial information Interruption of service Denial of Service (DoS) INNOV-09, How to Keep Hackers Out of your Application 6

How to stop hackers Realistically, you can t A motivated attacker will almost always find a way to attack the intended target But, you can dramatically reduce the likelihood that an attack on your system will be successful Know how attackers carry out attacks Place as many roadblocks in their way as you can Put The Club on your system Don t be low hanging fruit Let s look at how hackers plan attacks INNOV-09, How to Keep Hackers Out of your Application 7

The path to a successful attack Most successful attacks follow these steps: 1. Collect information on target Profile the system Profile the application 2. Analyze information to determine target s weaknesses 3. Launch attacks against known weaknesses INNOV-09, How to Keep Hackers Out of your Application 8

Reconnaissance collecting information The first step in a successful attack is to profile the target A good target profile can uncover many potential weaknesses Examples: Un-patched software Open ports Weak authentication Poor security on sensitive data INNOV-09, How to Keep Hackers Out of your Application 9

Profiling utilities and methods Nmap Port scanner www.insecureorg/nmap Netcat All-purpose network sockets utility www.securityfocus.com/tools/137 http://www.securityfocus.com/tools/139/scoreit Nikto Vulnerability scanner http://www.cirt.net/code/nikto.shtml Nessus Vulnerability scanner http://www.nessus.org/ INNOV-09, How to Keep Hackers Out of your Application 10

Pay attention to system scans Generally, scanning is not illegal A system scan may be the first step in an attack on your system Keep records of scanning activity You can use scanning information to help identify subsequent attackers Don t overreact to scanning activity Most scans will not result in future attacks The fewer holes that scans turn up, the better your chances of avoiding an attack INNOV-09, How to Keep Hackers Out of your Application 11

Analyze information to uncover weaknesses Don t move to this step too soon! Be patient and collect as much information as you can about your target Once you have collected all the information you can on your intended target, start looking for easy hits Depending on your attack motives, choose the most effective attack INNOV-09, How to Keep Hackers Out of your Application 12

Ask for help Social Engineering Social engineering can be the easiest way into a system Social engineering the act of convincing an authorized user to perform actions that you are not authorized to carry out Never underestimate the power of social engineering attacks People are generally willing to help INNOV-09, How to Keep Hackers Out of your Application 13

Sources for known vulnerabilities Only a few of the many resources available www.packetstormsecurity.org www.securityfocus.com www.cgisecurity.com www.owasp.org www.sans.org INNOV-09, How to Keep Hackers Out of your Application 14

Common attacks Input validation Targets any modifiable data sent to the server SQL injection (works with 4GL, too) Submitting cleverly crafted query arguments to provide more or different data than was intended Cross-site scripting A method of causing authorized users to provide data to unauthorized recipients INNOV-09, How to Keep Hackers Out of your Application 15

Common attacks Stored-data attacks Taking advantage of, or stealing, any data stored on a client machine Session attacks Hijacking a session and assuming another identity XML attacks Combination of input validation and SQL injection attacks, but using XML as a transport format INNOV-09, How to Keep Hackers Out of your Application 16

Launch the attack Once you have chosen the appropriate attack methods, launch the attack Timing may be important Choose a time where immediate response is unlikely Weekends and holiday often result in smaller support staffing INNOV-09, How to Keep Hackers Out of your Application 17

Input validation attacks The #1 most common (and critical) web application vulnerability (OWASP) Try to send data the application does not expect to cause: Data disclosure or modification System compromise Denial of Service (DoS) Arbitrary command execution For example, a common method is to replace some characters with URL encoded characters http://system/scripts/..%c0%af..%c0%afdir/cmd Becomes: http://system/scripts/../../dir/cmd You just convinced the web service to execute a command! INNOV-09, How to Keep Hackers Out of your Application 18

Input validation attacks How to protect your OpenEdge application Validate ALL input data, regardless of source Validate on the server, even if client-side validation has already been applied Client-side validation enhances usability Service-side validation enhances security Validate ALL output data as well Decode all characters BEFORE applying validation rules Process is called canonicalization INNOV-09, How to Keep Hackers Out of your Application 19

Query injection attacks The goal is to extract or modify data that is not supposed to be available to you Alter input data to prematurely terminate or add query arguments Not only SQL; can work in 4GL For example, you could enter the following data in the SearchFor field: 1" or 2" = 2 QUERY-PREPARE( FOR EACH item WHERE ItemName CONTAINS ~ + VALUE(cSearchFor) + ~ ). INNOV-09, How to Keep Hackers Out of your Application 20

Query injection attacks How OpenEdge applications are vulnerable Dynamic queries Query objects SmartDataObjects Any use of the QUERY-PREPARE method Solution: Pre-process ALL query string components! INNOV-09, How to Keep Hackers Out of your Application 21

Cross-site scripting attacks An attack that doesn t target the server, but other users Cross-site scripting (XSS) attacks cause other users of a web application to execute code you specify For example, enter this in the SearchFor field: <script>alert('hello, world');</script> in the SearchFor field. If a web application allows arbitrary script code, you could insert any script into input fields If the previous string value doesn t work, try this: %3Cscript%3Ealert('Hello%2C%20world')%3B%3C/script%3E This approach combines input validation and XSS attacks INNOV-09, How to Keep Hackers Out of your Application 22

Cross-site scripting attacks How to protect your OpenEdge application Same approach as with input validation attacks Ensure all input (and output) are validated on the server INNOV-09, How to Keep Hackers Out of your Application 23

Stored-data attacks Many web applications store data on the client machine Cookies Favorites Changing stored data can cause unexpected results Force initial behavior Send authentication or other sensitive data to another location without the user s knowledge Sometimes called data poisoning INNOV-09, How to Keep Hackers Out of your Application 24

Stored-data attacks How to protect your OpenEdge application Start by validating all input (and output) data Limit data stored on (or transmitted to) client machines Eliminate sensitive data stored or transmitted in the clear Carefully choose the right encryption method for storing sensitive data on the client INNOV-09, How to Keep Hackers Out of your Application 25

Session attacks Session attacks exploit poorly implemented session management HTTP was designed to operate using discrete requests no concept of sessions The application must manage session information Attackers can attempt to alter or hijack a session by manipulating session tracking variables Often URL arguments or cookies Session ID could be Sequential Time/date based Pseudorandom Constructed INNOV-09, How to Keep Hackers Out of your Application 26

Session attacks How to protect your OpenEdge application Develop a sound session management system Store session information in a DB table Use a unique id to identify a session The original client session id works Associate the session id with user and timestamp information Ensure sessions are only valid for a short period of time and tied to a single IP address INNOV-09, How to Keep Hackers Out of your Application 27

Web Application Attack Demo INNOV-09, How to Keep Hackers Out of your Application 28

The OWASP Top 10 Web Application Vulnerabilities List For more information The OWASP web site www.owasp.org 1. Unvalidated Input 2. Broken Access Control 3. Broken Authentication and Session Management 4. Cross Site Scripting (XSS) Flaws 5. Buffer Overflows INNOV-09, How to Keep Hackers Out of your Application 29

The OWASP Top 10 Web Application Vulnerabilities List 6. Injection Flaws 7. Improper Error Handling 8. Insecure Storage 9. Denial of Service 10. Insecure Configuration Management INNOV-09, How to Keep Hackers Out of your Application 30

Web application hardening checklist Patch your software! OS, firewall, web server, AppServer, DBMS Assess your system for the OWASP Top 10 web application vulnerabilities http://www.owasp.org/documentation/topten.html Assess your system for the SANS Top 20 Internet Security Vulnerabilities www.sans.org/top20 INNOV-09, How to Keep Hackers Out of your Application 31

For More Information Solomon Consulting Inc. www.solomonconsulting.com The SANS Institute www.sans.org Web-related vulnerabilities information www.cgisecurity.org The WWW Security FAQ www.w3.org/security/faq/ Open Web Application Security Project www.owasp.org INNOV-09, How to Keep Hackers Out of your Application 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback