W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Similar documents
Web Application Security. Philippe Bogaerts

Copyright

Aguascalientes Local Chapter. Kickoff

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

C1: Define Security Requirements

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10 The Ten Most Critical Web Application Security Risks

SECURITY TESTING. Towards a safer web world

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology


Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CIS 4360 Secure Computer Systems XSS

Solutions Business Manager Web Application Security Assessment

Application vulnerabilities and defences

Your Turn to Hack the OWASP Top 10!

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Web Application Threats and Remediation. Terry Labach, IST Security Team

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Application Layer Security

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

CSCE 813 Internet Security Case Study II: XSS

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

OWASP TOP 10. By: Ilia

CSWAE Certified Secure Web Application Engineer

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Certified Secure Web Application Engineer

RiskSense Attack Surface Validation for Web Applications

Sichere Software vom Java-Entwickler

Copyright

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant


OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Exploiting and Defending: Common Web Application Vulnerabilities

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Advanced Web Technology 10) XSS, CSRF and SQL Injection

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Evaluating the Security Risks of Static vs. Dynamic Websites

Welcome to the OWASP TOP 10

An analysis of security in a web application development process

WEB SECURITY: XSS & CSRF

Secure Development Guide

Bank Infrastructure - Video - 1

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Client Side Injection on Web Applications

Web basics: HTTP cookies

Security Communications and Awareness

The Top 6 WAF Essentials to Achieve Application Security Efficacy

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

OWASP TOP OWASP TOP

HP 2012 Cyber Security Risk Report Overview

Security Solutions. Overview. Business Needs

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Applications Penetration Testing

1 About Web Security. What is application security? So what can happen? see [?]

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Web Application Attacks

CS 161 Computer Security

Security Testing White Paper

Web Security II. Slides from M. Hicks, University of Maryland

Hacking Oracle APEX. Welcome. About

Web Application Whitepaper

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Web basics: HTTP cookies

Detecting XSS Based Web Application Vulnerabilities

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member COO/Cofounder, Aspect Security

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Combating Common Web App Authentication Threats

Security Communications and Awareness

CSCD 303 Essential Computer Security Fall 2018

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

WebGoat Lab session overview

6-Points Strategy to Get Your Application in Security Shape

Common Websites Security Issues. Ziv Perry

Mitigating Security Breaches in Retail Applications WHITE PAPER

SECURE CODING ESSENTIALS

Web Penetration Testing

Test Harness for Web Application Attacks

Simplifying Application Security and Compliance with the OWASP Top 10

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

About the OWASP Top 10

Web Application Vulnerabilities: OWASP Top 10 Revisited

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

ANATOMY OF AN ATTACK!

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Transcription:

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst

Why is this important? ISE Proprietary

Agenda About ISE Web Applications and Security What is OWASP? Vulnerabilities Injection-based attacks Broken Authentication and Session Management Cross-Site Scripting (XSS) Q&A

Perspective White box About ISE Talks Analysts Hackers; Cryptographers Reverse Engineers, etc Research Routers; NAS; Healthcare M&E Customers Content Owners; Vendors; Supply Chain ISE Proprietary

Talks ISE in M&E Involvement ISE Proprietary

Web Application Security What is a vulnerability? What causes vulnerabilities? Understanding a vulnerability: What is it? Why does it matter? How do I detect it? How do I prevent it? What nuances should I understand?

What is OWASP? Not-for-profit, free, open source resources The OWASP Top Ten

INJECTION

Injection What is it?

Injection What is it?

Injection What is it? Initiation Application requests input from user. Attack Adversary supplies malicious input, containing embedded code. Vulnerability Application flaws inject the malicious code into the application control flow. Compromise The malicious code is executed.

Injection Why does it matter? Asset Theft Passwords, credentials billing information Asset Destruction Data Machine Manipulation Gain control of the entire machine.

Injection How to detect it Automated Free detection tools are available. Best known for SQL inj. is sqlmap Manual Manual code reviews are the only way to discover subtle errors that may allow for custom attacks.

Injection How to prevent it Method #1: Sanitization Input is cleaned before getting processed. Validation restricts users to a set of safe inputs. Some legitimate users may encounter errors. e.g. Bob O Neil is told his name can t contain Escaping replaces potentially dangerous characters with codes. Before use, the data must be unescaped. e.g. O Neil O\ Niell What is a safe set of characters?

Injection How to prevent it Method #2: Parameterization Use fixed commands with variables holding the place of user data. The attacker cannot inject code because the command cannot be changed or have additional code added to the end. When available, parameterization is the safer method of preventing injection.

Injection - Nuances Suppressing error pages is not enough. Blind injection attacks can extract data even without output! Changing backend databases changes the set of safe characters. Make sure to also switch to the proper sanitization functions. Injection goes beyond SQL/LDAP. Command injection is far more dangerous.

BROKEN AUTHENTICATION AND SESSION MANAGEMENT

Broken authentication What is it? Initiation Legitimate user authenticates, and then finishes session. Attack Malicious user exploits authentication flaws to recover the first user s session. Compromise Malicious user may now take any action of the legitimate user.

Broken authentication What is it? Some examples: Session IDs included in URL, saved in browser history Session IDs don t time out Passwords are sent over an unencrypted connection

Broken authentication Why does it matter? Sessions are double-edged sword. Users trust applications. Common attack target.

Broken authentication Automated How to detect it Very few tests available. Manual Most effective method. Important to stay up-to-date; new technologies and features often open new attack avenues. Proper logging can alert to a breach if logs are monitored.

Broken authentication How to prevent it Do not store plaintext passwords. Keep session IDs secret, random, and shortlived. Regular security evaluations, either in-house or contracted, by security professionals who are up-to-date on latest attacks.

Broken authentication - Nuances Client-side authentication alone is never secure. Beware of development backdoors. Defense in Depth. Session and Authentication vulnerabilities vary drastically in risk. Understanding how attacks work is crucial when deciding how and whether to address them.

CROSS-SITE SCRIPTING (XSS)

XSS What is it?

XSS What is it? Initiation Application asks a user for input. Attack Attacker sends malicious input. Vulnerability When the application displays the user-submitted input, it is processed as code. Compromise The attacker s code is embedded in the application.

XSS Why does it matter? Legitimate users trust your application. Attackers prey on that trust. Attackers can execute code in the target s browser Steal session cookies. Redirect users to malicious sites. Take full control.

Automated XSS How to detect it Some automated tools exist, but most only catch easilyexploited vulnerabilities. Manual As always, manual reviews are the only way to detect sophisticated attacks. Cross-Site Scripting is an example of Injection. Similar methods apply.

XSS How to prevent it Usually XSS vulnerabilities cannot be addressed with parameterization. This means filtering must be used. When possible, use validation. Look for heavily used escaping libraries. Defense in Depth

XSS - Nuances XSS type #1: Reflected attacks Best known. An application reflects user input onto a page. An attacker tricks a target in to navigating to a page with malicious input.

XSS - Nuances XSS type #2: DOM based attacks Similar to reflected attacks, but more dangerous. Injection occurs on client s machine instead of the server. Attacker can act as user s browser, including making changes on user s computer.

XSS - Nuances XSS type #3: Persistent attacks The most dangerous. When an application saves user input and displays it to other users (e.g. a message board), many more potential victims are exposed to an XSS exploit.

XSS - Nuances Understanding data flow is crucial. Base 64 or other encodings dodge filters Data must be properly escaped and unescaped. Client-side protections can be evaded and are not sufficient. However, they are still necessary to prevent DOM based attacks.

contact@securityevaluators.com Q u e s t i o n s? Next Session: Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback