CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Similar documents
Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

C1: Define Security Requirements

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Web Application Penetration Testing

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Certified Secure Web Application Engineer


Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Combating Common Web App Authentication Threats

Copyright

How to Configure Authentication and Access Control (AAA)

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

WatchGuard AP - Remote Code Execution

CSWAE Certified Secure Web Application Engineer

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

TIBCO Cloud Integration Security Overview

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Web Application Security. Philippe Bogaerts

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Secure Coding, some simple steps help. OWASP EU Tour 2013

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Tenable.io for Thycotic

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

EasyCrypt passes an independent security audit

Non conventional attacks Some things your security scanner won t find OWASP 23/05/2011. The OWASP Foundation.

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Web Security II. Slides from M. Hicks, University of Maryland

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

AppSpider Enterprise. Getting Started Guide

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Web Application Security GVSAGE Theater

Web Application Whitepaper

DreamFactory Security Guide

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Solutions Business Manager Web Application Security Assessment

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

COMP9321 Web Application Engineering

eb Security Software Studio

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Your Turn to Hack the OWASP Top 10!

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

RSA Web Threat Detection

Penetration Testing. James Walden Northern Kentucky University

In order to install mypos Checkout plugin please follow the steps below:

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Welcome to the OWASP TOP 10

Sichere Software vom Java-Entwickler

WEB SECURITY: XSS & CSRF

Overview of Web Application Security and Setup

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

1 About Web Security. What is application security? So what can happen? see [?]

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Application Layer Security

The OAuth 2.0 Authorization Protocol

Applications Security

OWASP TOP 10. By: Ilia

Web Security. Web Programming.

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Security Course. WebGoat Lab sessions

Vulnerabilities in online banking applications

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Bypassing Web Application Firewalls

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Man in the Middle Attacks and Secured Communications

Application security : going quicker

SAML-Based SSO Solution

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Secure web proxy resistant to probing attacks

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

SAML-Based SSO Solution

16th Annual Karnataka Conference

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

TWO-FACTOR AUTHENTICATION Version 1.1.0

GOING WHERE NO WAFS HAVE GONE BEFORE

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Introduction to Ethical Hacking

COMP9321 Web Application Engineering

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Web Security: Web Application Security [continued]

COMP9321 Web Application Engineering

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Endpoint Security - what-if analysis 1

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Transcription:

CNIT 129S: Securing Web Applications Ch 8: Attacking Access Controls

Access Control Authentication and session management Ensure that you know who is using the application Access Controls Limit what actions are possible for authenticated users Must be tested for every request and operation

Common Vulnerabilities Vertical Horizontal Context-dependent

Vertical Privilege Escalation Allow user to access a different part of the application's functionality Such as escalating from User to Administrator

Horizontal Privilege Escalation Allow a user to access a wider range of resources of the same type Such as reading another user's email

Context-Dependent: Business Logic Exploitation User can do things that should not be possible in context Such as performing tasks out of order Or bypassing the payment step when checking out

Completely Unprotected Functionality Functionality can be accessed by anyone who knows the URL OWASP calls this "Unsecured Direct Object Access" Also called "security through obscurity"

Finding Privileged URLs App may not contain any link to the URLs Inspecting client-side code may reveal them

Identifier-Based Functions Identifier for a document passed to server in a parameter Access controls may be broken so everyone with the URL can view the document This happens when developers find it too difficult to share a session-based security model between servers using different technologies

Identifier-Based Functions Document identifiers might be predictable Such as simple incrementing numbers URLs are not treated as secrets Often visible to attackers in logs, or elsewhere within an app

Multistage Functions Select "New User" Function Select Dept. Select Role Enter username & password App may enforce access control for an early step, but not test it again at a later step So attacker can skip steps and escalate privileges

Static Files Customers pay for a book, and then are sent to a download link like this It's a static resource, downloaded directly from the Web server No application-level code is executed Anyone with the URL can download the book

Platform Misconfiguration Access to specified URL paths are restricted Ex: only Administrators can access the /admin path

Verb Tampering Access control rule may only apply to the POST method Using GET may allow a non-administrator to perform admin-level tasks Also, the HEAD method is often implemented internally on the Web server with the GET method And then just returning only the headers So an admin function is still performed Unrecognized HTTP methods may default to GET

Insecure Access Control Methods Parameter-based access control Referer-based access control Location-based access control

Parameter-Based Access Control Privilege level in a hidden form field, cookie, or query string parameter Attacker can just add the parameter to gain privileges

Referer-Based Access Control HTTP Referer header grants access User can modify that field to gain privileges

Location-Based Access Control Location restrictions, as in sports events Often uses geolocation of user's IP address Common methods of bypass:

Testing with Different User Accounts Burp can map the contents of an application using two user accounts and compare them

Testing Direct Access to Methods You may be able to guess other methods from the ones you see Test them to see if access is properly limited This request indicates use of the IBM HTTP Server (link Ch 8a)

Testing Controls Over Static Resources Walk through the app while logged in as Administrator Note the URLs of high-privilege resources Log in as a low-privilege user Return to those URLs to see if you can still access them If you can, try to guess other sensitive URLS from the pattern of the ones you have found

Testing Restrictions on HTTP Methods Log in as Administrator Find sensitive requests Try other methods: POST, GET, HEAD, invalid If other methods are honored, test them with a low-privilege account

Securing Access Controls Don't rely on user's ignorance of URLS or identifiers like document ID2 Don't trust any user-supplied parameters like admin=true Don't assume users will access pages in the intended sequence Don't trust the user not to tamper with data; revalidate it before using it

Best Practices Explicitly evaluate and document access control requirements for every unit of application functionality Drive all access control decisions from the user's session Use a central application component to check access controls; use it for every client request; mandate that every page must include an interface to this component

Best Practices For particularly sensitive functionality, further restrict access by IP address Protect static content by Passing filename to a server-side page that implements access control logic, or Use HTTP authentication or other features of the application server to restrict access

Best Practices Don't trust resource identifiers from the client-- validate them on the server Consider requiring re-authentication or twofactor authentication for security-critical application functions, such as creating a new payee Log events using sensitive data or actions

Advantages of Central Access Control

Multilayered Privileges

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback