Web Application Security. Philippe Bogaerts


OWASP TOP 10

Aim of the OWASP Top 10
- educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities
- provide basic methods to protect against these vulnerabilities

Top 10 2010 - overview
A1 - Injection Flaws
A2 - Cross Site Scripting (XSS)
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Security
A10 - Unvalidated Redirects and Forwards

Cross Site Scripting

Cross Site Scripting (XSS)
- XSS-based attacks aim to inject and run mobile code on a client PC
- XSS is special in that it attacks the user of the web application instead of the server/application directly
- Almost every website is vulnerable

Why does it work?
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content.

Business impact
- use the victim's workstation to hack other web sites
- download illegal content to the client PC
- worms, Trojans, viruses
- phishing attacks
- force the sending of e-mail messages

Technological impact
XSS can be used for:
- application worms
- stealing cookies and stealing credentials
- executing malicious mobile code
- as an attack vector for phishing attacks

XSS types
- Stored XSS
- Reflected XSS
- DOM based XSS

Stored XSS
By inserting JavaScript code into web pages, an attacker can potentially execute malicious code on a client computer. In this way a hacker can obtain authentication and session information stored in cookies or run other types of scripts.
1. A hacker inserts JavaScript code into the web application by simply filling in the web form.
2. Users view the modified page and execute the JavaScript code locally.
3. The web client transparently downloads the malicious code or uploads sensitive information to the attacker's machine.
(Figure: vulnerable web server; source code of the web page on the client side)

Reflected XSS
1. The hacker tricks a user into clicking a specific link in an e-mail or on another website. The link incorporates the code to execute.
2. The specially crafted URL is sent to the server.
3. The server reflects the URL and the browser executes the mobile code.

DOM based XSS
Here the client-side mobile code itself is vulnerable to attack! Example: reusing the URL in the loaded mobile code.
http://www.xxx.yyy/news.php?">#<script>alert("test")</script>
http://www.xxx.yyy/news.php?"><script>alert("test")</script>
The infamous .pdf bug (Jan 2007):
http://www.xxx.yyy//file.pdf#something=javascript:window.open( http://some-evil-site );
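The two news.php URLs above, worked through as an added example (not code from the slides): what the server receives from each, why output encoding stops the reflected one, and why the DOM-based one never reaches a server-side filter at all. The page rendering, the parameter handling and the test URLs are all constructed here.

```python
import html
from urllib.parse import urlsplit

# The slide's two news.php URLs, reused as constructed test input.
REFLECTED_URL = 'http://www.xxx.yyy/news.php?"><script>alert("test")</script>'
DOM_URL = 'http://www.xxx.yyy/news.php?">#<script>alert("test")</script>'


def server_side_view(url: str) -> dict:
    """What a server-side check can and cannot see in the request.

    Browsers never send the fragment (everything after '#'). For the
    DOM-based variant the <script> lives only in the URL that the
    client-side code reads back, so no server-side filter can catch it:
    the encoding has to happen where the DOM is written.
    """
    parts = urlsplit(url)
    return {"sent_to_server": parts.query, "client_only": parts.fragment}


def reflect_unsafely(url: str) -> str:
    """The flaw on the slide: the raw query string is written into the page."""
    q = urlsplit(url).query
    return '<input name="q" value="' + q + '"><p>No news matching ' + q + '</p>'


def reflect_safely(url: str) -> str:
    """Same page, but the value is HTML-encoded for both contexts it lands in.

    quote=True also encodes " and ', so the attribute cannot be broken out of
    with the leading '">' of the payload.
    """
    q = urlsplit(url).query
    enc = html.escape(q, quote=True)
    return ('<input name="q" value="' + enc + '">'
            '<p>No news matching ' + enc + '</p>')
```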

Injection flaws

Injection flaws
Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

Types of injections
There are many types of injections:
- SQL
- LDAP
- XPath, XSLT, XML
- HTML
- OS command injection

SQL Injection
SQL injection attacks try to run unauthorized SQL code, supplied via unprotected inputs, against the underlying database of a web application.

Business impact
- Identity theft
- Stolen credentials
- Stolen credit cards
- Lost database integrity
- Database downtime

Technical impact
- Deleting data
- Data modification!!!
- Adding or deleting tables
- Executing commands using stored procedures!!

SQL injection example
By clicking submit, the following request and arguments are passed to the web application:

    http://192.168.10.81/login.aspx?__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=ddwtmtm3mjgxowyod&txtUserName='+or+1=1--&txtPassword=&btnSubmit=Submit

The arguments are used to construct an SQL query that is passed to the SQL server:

    string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUserName.Text + "' AND Password='" + txtPassword.Text + "'";

By carefully injecting partial SQL code through the form, the query becomes

    SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''

and because everything after the comment marker -- is ignored, what the SQL server actually executes is

    SELECT Count(*) FROM Users WHERE UserName='' Or 1=1--

so the query can be modified to execute different and unforeseen actions.
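The slide's login query, reproduced as an added example (not code from the slides) against a constructed in-memory SQLite table: the concatenated query is satisfied by the slide's txtUserName value with an empty password, while the same query with bound parameters treats that value as a literal user name and matches nothing. The table contents and the parameterized variant are assumptions of this example.

```python
import sqlite3
from urllib.parse import unquote_plus


def make_users_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct-horse')")
    return conn


def count_users_concat(conn: sqlite3.Connection, username: str, password: str) -> int:
    """The slide's strQry: untrusted text concatenated into the SQL string."""
    qry = ("SELECT Count(*) FROM Users WHERE UserName='" + username +
           "' AND Password='" + password + "'")
    return conn.execute(qry).fetchone()[0]


def count_users_param(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Same query with bound parameters: the driver sends the values apart from
    the SQL text, so quotes and '--' inside them are data, not syntax."""
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(qry, (username, password)).fetchone()[0]


# The txtUserName value as it appears in the slide's request, decoded the way
# the web server does it ('+' becomes a space).
INJECTED_NAME = unquote_plus("'+or+1=1--")


if __name__ == "__main__":
    db = make_users_db()
    # Concatenation: WHERE UserName='' or 1=1--' AND Password='' -> every row
    print("concatenated:", count_users_concat(db, INJECTED_NAME, ""))
    # Parameterized: no user is literally named "' or 1=1--" -> 0
    print("parameterized:", count_users_param(db, INJECTED_NAME, ""))
```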

Malicious File Execution

Malicious file execution
Applications often concatenate potentially hostile input with:
- file or stream functions
- external object references
- URL or file system references

Example
    include $_REQUEST['filename'];
What if the variable is a URL? What if it points to a file containing PHP code?
Check out http://osvdb.org and http://johnny.ihackstuff.com/

Impact
- Remote code execution
- Remote root kit installation
- Complete system compromise
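A defensive counterpart to the include $_REQUEST['filename'] line above, written as an added example in Python rather than PHP (not code from the slides): the request value is mapped onto a fixed allow-list of page names, so a URL, a traversal sequence or an uploaded file name can never reach the include. The allow-list and the base directory are assumptions of this example.

```python
from pathlib import Path
from urllib.parse import urlsplit

# Constructed allow-list: the only page names the application may include.
ALLOWED_PAGES = {"news", "contact", "about"}


def resolve_include(base_dir: str, filename: str):
    """Map the request's 'filename' value to a local file path, or None.

    Answers the two questions on the slide: a URL (remote file that may
    contain PHP code) is refused outright, and anything that is not one of
    the known page names is refused too, which rules out '..', absolute
    paths and uploaded files. The final containment check is defence in
    depth in case the allow-list is ever relaxed.
    """
    if urlsplit(filename).scheme or "://" in filename:
        return None
    if filename not in ALLOWED_PAGES:
        return None
    base = Path(base_dir).resolve()
    target = (base / (filename + ".php")).resolve()
    if base not in target.parents:
        return None
    return str(target)


if __name__ == "__main__":
    for value in ("news", "http://attacker.invalid/code.txt",
                  "../../../etc/passwd", "news.php"):
        print(repr(value), "->", resolve_include("/srv/app/pages", value))
```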

Cross Site Request Forgery

Cross Site Request Forgery
Cross site request forgery is simple and devastating. Imagine what could happen if a hacker could steer your mouse and get you to click on links in your online banking application.

How common is it?
The attack is very easy to exploit and most websites are vulnerable. Web sites or applications are vulnerable because of:
- no or default passwords
- cookie-based authentication

How does it work?
A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.

Logged on or not?
Applications are vulnerable when no authorization check is performed for vulnerable actions:
- when a default login can be supplied, e.g. http:// /admin/dosomething.ctl?username=admin&passwd=admin
- when authorization is based only on credentials that are automatically submitted, such as:
  » the session cookie (if currently logged in)
  » "Remember me" functionality
  » a Kerberos token, if part of an intranet participating in integrated logon with Active Directory

Business impact
Attackers misuse the user's identity! Attackers issue commands on behalf of trusted (authenticated) users:
- Poll fraud
- Forum posts
- Denial of service
- SPAM

CSRF vs. XSS
CSRF differs from XSS:
- An XSS attack relies on injecting a script into a browser
- CSRF does not insert code into the application being attacked!

Example 1
Attacking the web interface of a wireless internet router.

Example 1
A user visits the website embedding the attack.

Example 1
The page source code shows the embedded IMG tag specifying the command to execute. Authentication parameters can be inserted in the IMG tag.
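How a request handler can tell the router-style IMG-tag request apart from a genuine one, as an added example (not code from the slides): the session cookie is submitted automatically, exactly the "logged on or not?" problem above, so the handler additionally demands a per-session token that only a form served by the site itself can carry, and refuses state changes over GET. The synchronizer-token design, the session store and the password-change action are assumptions of this example, not something the slides describe.

```python
import hmac
import secrets

# Constructed server-side session store: session id -> session data.
SESSIONS: dict = {}


def new_session(user: str) -> str:
    """Log a user in: issue the session id (sent back as a cookie) and a
    per-session anti-CSRF token that is embedded only in this site's forms."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Value the site's own form template puts in its hidden csrf_token field."""
    return SESSIONS[sid]["csrf"]


def handle_change_password(method: str, cookies: dict, form: dict) -> str:
    """A state-changing action guarded against the attack on the slides."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return "401 not logged in"
    # An <img src=...> on a hostile page makes the browser issue a GET with
    # the cookie attached; refusing GET for state changes removes that path.
    if method != "POST":
        return "405 state change requires POST"
    # The cookie travels automatically, the token does not: a page on another
    # origin cannot read it, so only a form rendered by this site knows it.
    expected = SESSIONS[sid]["csrf"].encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, expected):
        return "403 missing or invalid CSRF token"
    SESSIONS[sid]["password_changed"] = True
    return "200 password changed for " + SESSIONS[sid]["user"]
```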

Example 2

Links
http://www.owasp.org
http://www.owasp.org/index.php/belgium
http://www.webappsec.be
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://www.amazon.com/xss-attacks-scripting-exploits-Defense/dp/1597491543
http://www.amazon.com/web-application-hackers-handbook-Discovering/dp/0470170778
http://www.amazon.com/professional-pen-testing-Applications-Programmer/dp/0471789666