Web Application Security
Philippe Bogaerts
OWASP TOP 10
Aim of the OWASP Top 10
- educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities
- provide basic methods to protect against these vulnerabilities
Top 10 2010 - overview
A1 - Injection Flaws
A2 - Cross Site Scripting (XSS)
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Security
A10 - Unvalidated Redirects and Forwards
Cross Site Scripting
Cross Site Scripting (XSS)
- XSS based attacks intend to inject and run mobile code on a client PC
- XSS is special in that it attacks the user of the web application instead of the server/application directly
- Almost every website is vulnerable
Why does it work?
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content.
Business impact
- use the victim's workstation to hack other web sites
- download illegal content to the client PC
- worms, Trojans, viruses
- phishing attacks
- force the sending of e-mail messages
Technological impact
XSS can be used for:
- application worms
- stealing cookies and stealing credentials
- executing malicious mobile code
- an attack vector for phishing attacks
XSS types
- Stored XSS
- Reflected XSS
- DOM based XSS
Stored XSS
By inserting JavaScript code into web pages, an attacker can potentially execute malicious code on a client computer. In this way a hacker can obtain authentication and session information stored in cookies or run other types of scripts.
1. A hacker inserts JavaScript code into the web application (the vulnerable web server) by simply filling in the web form.
2. Users view the modified page and execute the JavaScript code locally; the code is now part of the source code of the webpage on the client side.
3. The web client transparently downloads the malicious code or uploads sensitive information to the attacker's machine.
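The root cause named on the "Why does it work?" slide and the stored XSS flow above both come down to one missing step: encoding user data before it is written into the page. The example below is added here and is not part of the original slides; it shows a stored comment rendered with and without HTML encoding, in both a text context and a quoted-attribute context, using Python's standard html.escape. The sample comment and the render functions are constructed for illustration; the payload is the same harmless alert("test") the DOM based XSS slide uses.

```python
import html

# Constructed sample input: a comment submitted through the site's web form.
SAMPLE_COMMENT = 'Nice article! <script>alert("test")</script>'
# Constructed sample input: a value that tries to break out of an HTML attribute.
SAMPLE_ATTR = '"><script>alert("test")</script>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: stored user data is concatenated straight into the page.

    The browser cannot tell the comment's <script> from the site's own markup,
    so it runs it (steps 2 and 3 of the stored XSS flow)."""
    return '<li class="comment">' + comment + '</li>'


def render_comment_safe(comment: str) -> str:
    """Fixed: HTML-encode the data at output time.

    html.escape turns & < > " ' into entities, so the browser renders the
    payload as literal text instead of parsing it as markup."""
    return '<li class="comment">' + html.escape(comment, quote=True) + '</li>'


def render_link_unsafe(title: str) -> str:
    """Vulnerable: user data placed inside a quoted attribute without encoding,
    so a value starting with "> closes the attribute and the tag early."""
    return '<a title="' + title + '" href="/news.php">news</a>'


def render_link_safe(title: str) -> str:
    """Fixed: quote=True also encodes the quote characters, so the value
    cannot terminate the attribute."""
    return '<a title="' + html.escape(title, quote=True) + '" href="/news.php">news</a>'


def contains_live_script(markup: str) -> bool:
    """Crude check for code review or log triage: does the output still
    contain an un-encoded <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for name, page in [
        ("comment/unsafe", render_comment_unsafe(SAMPLE_COMMENT)),
        ("comment/safe", render_comment_safe(SAMPLE_COMMENT)),
        ("link/unsafe", render_link_unsafe(SAMPLE_ATTR)),
        ("link/safe", render_link_safe(SAMPLE_ATTR)),
    ]:
        print(f"{name:15} script still live: {contains_live_script(page)}")
        print("    " + page)
```

html.escape is the right tool for HTML text and attribute values only. Data that ends up inside a JavaScript string, a URL or a CSS value (the situation on the DOM based XSS slide) needs the encoding rules of that context instead; encoding once for HTML does not make it safe there.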
Reflective XSS
1. The hacker tricks a user into clicking a specific link in an email or on another website. The link incorporates the code to execute.
2. The specially crafted URL is sent to the server.
3. The server reflects the URL and the browser executes the mobile code.
DOM based XSS
The client side mobile code is vulnerable to attack! Ex. reusing the URL in the loaded mobile code:
http://www.xxx.yyy/news.php?">#<script>alert("test")</script>
http://www.xxx.yyy/news.php?"><script>alert("test")</script>
The infamous .pdf bug (Jan 2007):
http://www.xxx.yyy//file.pdf#something=javascript:window.open( http://some-evil-site );
Injection flaws
Injection flaws
Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
Types of injections
There are many types of injections:
- SQL
- LDAP
- XPath, XSLT, XML
- HTML
- OS command injection
SQL Injection
SQL injection attacks try to run unauthorized SQL code, supplied via unprotected inputs, against the underlying database of a web application system.
Business impact
- Identity theft
- Stolen credentials
- Stolen credit cards
- Lost database integrity
- Database downtime
Technical impact
- Deleting data
- Data modification!!!
- Adding or deleting tables
- Executing commands using stored procedures!!
SQL injection example
By clicking submit, the following request and arguments are passed to the web application:
http://192.168.10.81/login.aspx? eventtarget=& eventargument=& viewstate=ddwtmtm3mjgxowyod&txtusername='+or+1 =1--&txtpassword=&btnsubmit=submit
The arguments are used to construct an SQL query that will be passed to the SQL server:
string strqry = "SELECT Count(*) FROM Users WHERE UserName='" + txtusername.text + "' AND Password='" + txtpassword.text + "'";
By carefully injecting partial SQL code in the form, the query becomes:
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''
Everything after -- is a comment to the SQL server, so the query that actually runs is the one below, and the SQL query can be modified to execute different and unforeseen actions:
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1--
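The slide's strqry is built by string concatenation, which is exactly why the quote and the comment marker in txtusername become SQL syntax. The example below is added here and is not part of the original slides: it reproduces the concatenated query against a constructed in-memory SQLite Users table and places the parameterized version beside it, so the same injected value can be fed to both. Table contents and the login helper names are assumptions for the example.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database mirroring the slide's Users table.
    Passwords are stored in clear only to match the slide's query; a real
    application stores a salted hash (see A7 in the Top 10)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def build_query_concatenated(username: str, password: str) -> str:
    """The slide's strqry, reproduced in Python: input becomes SQL text."""
    return ("SELECT Count(*) FROM Users WHERE UserName='" + username +
            "' AND Password='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: executes whatever SQL the concatenation produced."""
    (count,) = conn.execute(build_query_concatenated(username, password)).fetchone()
    return count > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: placeholders send the values separately from the SQL text, so
    the database never interprets ' or -- inside them as syntax."""
    query = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


if __name__ == "__main__":
    conn = setup_db()
    injected = "' or 1=1--"  # the decoded txtusername value from the slide
    print(build_query_concatenated(injected, ""))
    print("vulnerable login accepts injection:   ", login_vulnerable(conn, injected, ""))
    print("parameterized login accepts injection:", login_parameterized(conn, injected, ""))
```

With the injected username and an empty password, the concatenated query counts every row in Users and the vulnerable login succeeds; the parameterized query looks for a user literally named ' or 1=1-- and finds none.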
Malicious File Execution
Malicious file execution
Applications often concatenate potentially hostile input with:
- file or stream functions
- use of external object references
- URL
- file system references
Example
include $_REQUEST['filename'];
What if the variable is a URL?? A file containing PHP code??
Check out http://osvdb.org and http://johnny.ihackstuff.com/
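The one-line PHP include above takes the request value as the path, so the two questions on the slide (a URL? a file full of code?) are answered by whoever controls the request. The example below is added here and is not part of the original slides; it models that include in Python and puts the fix beside it: the request value is used only as a key into an allowlist of pages, never as a path, with a resolved-path check kept as defence in depth. The site layout, file names and the secret file are constructed in a temporary directory for the example.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Allowlist: the only names a request may select, mapped to the real files.
ALLOWED_PAGES = {"home": "home.php", "about": "about.php"}


def include_unsafe(base: Path, filename: str) -> str:
    """Mirrors `include $_REQUEST['filename'];`: the request value is the path.
    '../' walks out of the web root; in PHP with remote includes enabled an
    http:// value would fetch and run code from somewhere else entirely."""
    return (base / filename).read_text()


def include_safe(base: Path, name: str) -> Optional[str]:
    """Fixed: the request value is only looked up in ALLOWED_PAGES.
    Unknown names, URLs and traversal strings simply have no entry."""
    target = ALLOWED_PAGES.get(name)
    if target is None:
        return None
    path = (base / target).resolve()
    if base.resolve() not in path.parents:  # defence in depth
        return None
    return path.read_text()


def suspicious_filename(value: str) -> bool:
    """Detection helper for request logs: flags values that look like a URL,
    an absolute path or a traversal attempt."""
    return "://" in value or ".." in value or value.startswith(("/", "\\"))


def demo() -> dict:
    """Builds a constructed site in a temp directory and runs both versions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "site"
        site.mkdir()
        (site / "home.php").write_text("<h1>Home</h1>")
        (site / "about.php").write_text("<h1>About</h1>")
        # A file outside the web root that must never be served.
        (root / "secret.txt").write_text("db_password=constructed-sample")
        probes = ("home", "../secret.txt", "http://example.invalid/code.txt")
        return {
            "unsafe_traversal": include_unsafe(site, "../secret.txt"),
            "safe_traversal": include_safe(site, "../secret.txt"),
            "safe_url": include_safe(site, "http://example.invalid/code.txt"),
            "safe_home": include_safe(site, "home"),
            "flagged": [v for v in probes if suspicious_filename(v)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsafe version happily returns the contents of secret.txt from one directory above the web root; the safe version returns None for the traversal string and for the URL, and the log helper flags both of them for follow-up.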
Impact
- Remote code execution
- Remote rootkit installation
- Complete system compromise
Cross Site Request Forgery
Cross Site Request Forgery
Cross site request forgery is simple and devastating. Imagine what could happen if a hacker could steer your mouse and get you to click on links in your online banking application.
How common is it?
The attack is very easy to exploit and most websites are vulnerable. Web sites or applications are vulnerable because of:
- no or default passwords
- cookie based authentication
How does it work?
A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
Logged on or not?
Applications are vulnerable when no authorization check is performed for vulnerable actions:
- when a default login can be given, e.g. http:// /admin/dosomething.ctl?username=admin&passwd=admin
- when authorization is based only on credentials that are automatically submitted, such as:
  » the session cookie (if currently logged on)
  » "Remember me" functionality
  » a Kerberos token, if part of an Intranet participating in integrated logon with Active Directory
Business impact
Attackers misuse the user's identity! Attackers issue commands on behalf of trusted (authenticated) users:
- Poll fraud
- Forum posts
- Denial of service
- SPAM
CSRF vs. XSS
CSRF differs from XSS:
- an XSS attack relies on injecting a script into a browser
- CSRF does not insert code into the application being attacked!
Example 1
Attacking the web interface of a wireless internet router.
Example 1
A user visits the website embedding the attack.
Example 1
The page source code shows the embedded IMG tag specifying the command to execute. Authentication parameters can be inserted in the IMG tag.
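The "How does it work?" and "Logged on or not?" slides explain why the router in Example 1 falls over: the only thing it checks is a credential the browser attaches automatically, and an IMG tag on any page can make the browser send such a request. The example below is added here and is not part of the original slides; it models the router's handler as a small Python function, then shows the standard fix: a state change must be a POST that carries a per-session token the real form embeds as a hidden field. The session store, the dns_server parameter and the /apply path are constructed for the example.

```python
import hmac
import secrets

# In-memory session store, constructed for the example: session id -> data.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Creates a session and a per-session CSRF token; returns the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the legitimate settings form embeds as a hidden field.
    It is never sent automatically by the browser, unlike the cookie."""
    return SESSIONS[sid]["csrf_token"]


def handle_vulnerable(request: dict) -> dict:
    """The router-style handler from Example 1: any request carrying a valid
    session cookie is executed, whoever caused the browser to send it."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return {"status": 401}
    return {"status": 200, "applied": dict(request["params"])}


def handle_protected(request: dict) -> dict:
    """Fixed: state changes need POST plus a token only the real form can
    contain. The cookie still arrives automatically; the token does not."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return {"status": 401}
    if request["method"] != "POST":
        return {"status": 405}  # an <img src=...> can only issue GET
    submitted = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return {"status": 403}
    applied = {k: v for k, v in request["params"].items() if k != "csrf_token"}
    return {"status": 200, "applied": applied}


def forged_request(sid: str) -> dict:
    """What the victim's browser sends when a third-party page embeds
    <img src="http://router/apply?dns_server=192.0.2.1">: the session cookie
    is attached automatically, no token is present, and the method is GET."""
    return {"method": "GET", "cookies": {"session": sid},
            "params": {"dns_server": "192.0.2.1"}}


def legitimate_request(sid: str) -> dict:
    """The same change submitted from the router's own settings form."""
    return {"method": "POST", "cookies": {"session": sid},
            "params": {"dns_server": "192.0.2.1", "csrf_token": csrf_token_for(sid)}}


if __name__ == "__main__":
    sid = login("victim")
    print("vulnerable, forged:   ", handle_vulnerable(forged_request(sid)))
    print("protected, forged:    ", handle_protected(forged_request(sid)))
    print("protected, legitimate:", handle_protected(legitimate_request(sid)))
```

The method check alone already defeats the IMG tag, but it is the token that matters: a forged form on another site can POST, and it can even carry the default credentials the slide mentions in the URL, but it cannot know the random per-session token, so the comparison fails. hmac.compare_digest is used rather than == so the comparison time does not depend on how many leading characters match.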
Example 2
(two slides consisting of screenshots only; not reproduced in this text)
Links
http://www.owasp.org
http://www.owasp.org/index.php/belgium
http://www.webappsec.be
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://www.amazon.com/xss-attacks-scripting-exploits-Defense/dp/1597491543
http://www.amazon.com/web-application-hackers-handbook-Discovering/dp/0470170778
http://www.amazon.com/professional-pen-testing-Applications-Programmer/dp/0471789666