Secure web programming plus end users' awareness are the last line of defense against attacks targeted at corporate systems, particularly web applications, in the era of the World Wide Web.
Most web application attacks occur through Cross Site Scripting (XSS) and SQL Injection. Most web application vulnerabilities, in turn, arise from weak coding: failure to properly validate users' input, and failure to properly sanitize output when displaying data to visitors.
The literature also confirms the following web application weaknesses for 2010: improper output handling (26%), improper input handling (22%), insufficient authentication (15%), and others.
Abdul Rahman Sherzad, lecturer at the Computer Science Faculty of Herat University and Ph.D. student at Technical University of Berlin, gave a presentation at the 12th IT Conference on Higher Education for Afghanistan at MoHE, and then conducted a seminar at Hariwa Institute of Higher Education in Herat, Afghanistan, introducing web application security threats by demonstrating the security problems that exist in corporate systems, with a strong emphasis on secure development. Major security vulnerabilities, and secure design and coding best practices for designing and developing web-based applications, were covered.
The main objective of the presentation was to raise awareness of the problems that can occur in web application systems, and of secure coding practices and principles. Its aims were to build security awareness for web applications, to discuss the threat landscape and the controls developers should apply during the software development lifecycle, to introduce attack methods, to discuss approaches for discovering security vulnerabilities, and finally to discuss the basics of secure web development techniques and principles.
1. Web Application Security and Awareness
Abdul Rahman Sherzad
Lecturer at Computer Science Faculty of Herat University, Afghanistan, and Ph.D. Student at Technical University of Berlin, Germany
December 19, 2016, 12th IT Conference for Higher Education in Afghanistan
January 05, 2017, Hariwa Institute of Higher Education, Herat, Afghanistan
2. Major problems were only caused by a collection of smaller factors, and only a reverse similar behavior is needed to resolve the given situation (Sherzad).
3. Goal and Objectives
Build security awareness for web applications
Get to know attack methods
Learn ways to discover security vulnerabilities
Learn the basics of secure web development
6. Security Threats
■ The majority of web application attacks occur through
– Cross Site Scripting (XSS)
– SQL Injection
■ The majority of web application vulnerabilities arise from
– Weak coding,
– Failure to properly validate input,
– Failure to sanitize output.
[2] [3] [4]
8. User Input
• Attacker can easily change any part of the HTTP request before submitting
– Cookies
– Form fields
– Hidden fields
– URL
– Headers
• The ultimate solution: Input must be validated on the SERVER!
– Not just on the CLIENT!
[5]
9. Client-side - Demo Link
■ Client-side Validation (Can be disabled by client)
– HTML5
– JavaScript
■ Input Fields (Can be Modified by client)
– Hidden Fields
– Dropdown
■ Cookies (Can be Changed by client)
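The two slides above make one point: every field the browser sends, hidden fields and dropdown values included, can be edited before submission, so the server must check each one itself. The following is an added example (not code from the presentation) of that server-side check for a constructed checkout form with a hidden "price" field; the catalog, field names and limits are assumptions for the demo.

```python
# Added example (not from the presentation): a constructed checkout form whose
# hidden "price" field and "item" dropdown the client can freely edit, so the
# server re-derives every value from its own data instead of trusting the request.

# Constructed server-side catalog; these prices are the only authoritative ones.
CATALOG = {"book": 1200, "pen": 50}
MAX_QTY = 10


class ValidationError(ValueError):
    """Raised when a submitted field fails server-side validation."""


def validate_order(form):
    """Validate a submitted form (dict of str -> str) and return (item, qty, total).

    Every field is checked here regardless of any HTML5 or JavaScript checks
    that ran in the browser, because those can be disabled or bypassed.
    """
    item = form.get("item", "")
    # Dropdown values are not trusted: the client may send any string at all.
    if item not in CATALOG:
        raise ValidationError("unknown item")

    qty_raw = form.get("qty", "")
    # Whitelist the format before converting; a bare int() would also accept
    # values such as " 3 " or "+3" that the form never offered.
    if not qty_raw.isdigit():
        raise ValidationError("quantity must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValidationError("quantity out of range")

    # The hidden "price" field is deliberately ignored: a hidden field is just
    # another form field, so the total is computed from the server's catalog.
    total = CATALOG[item] * qty
    return item, qty, total


def tampered_request_is_harmless():
    """Editing the hidden price field on the client must not change the total."""
    honest = {"item": "book", "qty": "2", "price": "1200"}
    tampered = {"item": "book", "qty": "2", "price": "1"}  # edited by the client
    return validate_order(honest) == validate_order(tampered) == ("book", 2, 2400)
```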
10. Phishing – Demo Link
■ Hackers use E-MAIL / Instant Messages to fish for, i.e. steal, users' personal and financial information
– User ID / Password
– Credit Card Number
– PIN
■ In a typical phishing attack a user receives an e-mail message purporting to come from a bank or other e-commerce enterprise.
■ 1% - 20% users respond to such attacks.
■ In Afghanistan it is very common and practical!!!
[6] [7]
11. Phishing Ultimate Solutions
■ Policy guidelines
■ Training the end users
■ User awareness
– Carefully check the suspicious links!
– Do not click the E-MAIL asking sensitive data!
– Do not Trust TinyURL links!
– Do not Enter CREDIT CARD or Sensitive Data if the website doesn't start with https://
[6] [7]
12. Cross-site Scripting (XSS)
■ XSS is a security exploit in which the attacker inserts malicious client-side code into webpages.
■ It has been around since the 1990s.
■ Most major websites like Google, Yahoo and Facebook have all been affected by cross-site scripting flaws at some point.
■ Attacks exploiting XSS vulnerabilities can steal data, take control of a user's session, run malicious code, or be used as part of a phishing scam.
– Reflected - Demo Link
– Persistent – Basic Demo Link || Steal Cookie Demo Link
[8] [9] [10]
13. Preventing XSS Attacks
■ Filtering
■ Input Validation / Output Sanitization
■ Select a safer browser
■ Use a virtual machine for suspicious links
■ Pay more attention to shortened URLs
■ Use plugins for better security (like NoScript).
[8] [9] [10]
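The first two prevention items, input validation and output sanitization, are the developer-side controls. As an added example (not code from the presentation), the constructed guestbook below renders a stored comment twice, once pasted straight into the page as in the persistent XSS demo and once HTML-encoded for the element-body and attribute contexts, alongside a whitelist check for the structured username field; the field names and the sample comment are assumptions.

```python
import html
import re

# Added example (not from the presentation): output sanitization for a
# constructed guestbook page, plus input validation for its username field.

# Constructed stored comment, as an attacker would have saved it through the
# form; the classic harmless test payload.
STORED_COMMENT = "<script>alert('xss')</script>"

# Structured fields get a whitelist. Free text such as a comment cannot be
# whitelisted this way, so it relies on output encoding instead.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(name):
    """Input validation: accept only the whitelisted character set and length."""
    return USERNAME_RE.fullmatch(name) is not None


def render_unsafe(author, comment):
    """Vulnerable: stored text is inserted into HTML without encoding, so any
    markup in the comment becomes part of the page and runs in the viewer's
    browser (persistent XSS)."""
    return f'<p data-author="{author}">{comment}</p>'


def render_safe(author, comment):
    """Hardened: html.escape encodes & < > and, with its default quote=True,
    " and ' as well, so the value cannot close the attribute it sits in or
    open a new element. The attribute is always quoted."""
    return f'<p data-author="{html.escape(author)}">{html.escape(comment)}</p>'
```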
14. SQL Injection
■ SQL Injection is a technique where malicious users can inject SQL commands into an SQL statement through
– URLs
– Input Parameters
– Others e.g. Cookie, HTTP Headers
■ SQL injection is a very old approach but it is still popular among attackers.
[11] [12]
15. Possible Threats
■ Unauthorized access to application
– Log in without knowing the username or the password
■ Access to whole database / databases on the server
– Attacker can delete, modify or even worse, steal the data
■ Read / write files on server's file system
■ Code execution
[11] [12]
16. SQL Injection - Demo Link
■ Login without knowing the username and the password
– anything' OR TRUE; --
■ Modify and steal the data
– anything' OR 1; UPDATE users SET email = 'evil@evitsite.com' WHERE email = 'absherzad@gmail.com';--
■ Delete data and even drop the tables
– anything' OR 1; DROP TABLE users; --
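The login-bypass payload on the slide works because the application splices the username into the SQL text. As an added example (not code from the presentation), the login check below is written both ways, concatenated and parameterized, against a constructed in-memory SQLite table; the table, user and password are assumptions, and SQLite's Python driver is used because it runs offline.

```python
import sqlite3

# Added example (not from the presentation): the login check behind the
# "login without knowing the username and the password" demo, first with string
# concatenation and then with a parameterized query. Database contents are
# constructed for this example.

LOGIN_BYPASS = "anything' OR TRUE; --"  # the payload quoted on the slide


def make_db():
    """Constructed in-memory users table. Passwords are stored in plaintext only
    to keep the injection behaviour visible; real systems store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'alice@example.com')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the statement by concatenation: a quote in the input ends the
    string literal, 'OR TRUE' makes the WHERE clause match every row, and
    '--' comments out the password check that follows."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized query: the values travel separately from the SQL text,
    so the whole input is compared as one literal string, quotes and all."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run the slide's payload against both versions and report the outcome."""
    conn = make_db()
    return {
        "vulnerable_bypassed": vulnerable_login(conn, LOGIN_BYPASS, "wrong"),
        "safe_bypassed": safe_login(conn, LOGIN_BYPASS, "wrong"),
        "safe_real_user": safe_login(conn, "alice", "correct horse"),
    }
```

The stacked-query payloads on the slide (UPDATE, DROP TABLE) are rejected by Python's sqlite3 driver, which executes one statement per call; other database drivers do run them, so the parameterized form is the control to rely on rather than driver behaviour.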
18. Conclusion - Core Security Principles
■ Use least privilege
■ Do not trust user input
■ Apply defense in depth
■ Fail securely and friendly
■ Turn off un-needed services
■ Keep systems patched
■ Watch for logic holes
■ Hide sensitive information
– Encryption
– Access controls
[15] [16]
19. Works Cited
[1] The Australian High Tech Crime Center. (2005). Hacking Motives. Australia: Australian High Tech Crime Center.
[2] Cenzic. (2014). Application Vulnerability Trends Report. Cenzic.
[3] The Open Web Application Security Project. (2013, June 12). OWASP Top Ten Project. Retrieved from OWASP: https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
[4] The Web Application Security Consortium. (2011). Web-Hacking-Incident-Database. Retrieved from WASC: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
[5] The Open Web Application Security Project. (2010, April 22). Unvalidated Input. Retrieved from OWASP: https://www.owasp.org/index.php/Unvalidated_Input
[6] The Open Web Application Security Project. (2009, April 14). Phishing. Retrieved from OWASP: https://www.owasp.org/index.php/Phishing
[7] Steinberg, J. (2014, August 25). Why You Are At Risk Of Phishing Attacks. Retrieved from Forbes: http://www.forbes.com/sites/josephsteinberg/2014/08/25/why-you-are-at-risk-of-phishing-attacks-and-why-jp-morgan-chase-customers-were-targeted-this-week/
[8] The Open Web Application Security Project. (2014, April 22). Cross-site Scripting (XSS). Retrieved from OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[9] Abela, R. (2013, June 5). The Dangerous Complexity of Web Application Security. Retrieved from Netsparker: https://www.netsparker.com/blog/web-security/dangerous-complexity-of-web-application-security/
[10] Abela, R. (2013, May 22). Web Application Security Misconception; Are All Vulnerabilities Equally Dangerous? Retrieved from Netsparker: https://www.netsparker.com/blog/web-security/web-application-security-misconceptions-vulnerabilities/
[11] The Open Web Application Security Project. (2014, August 14). SQL Injection. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection
[12] Abela, R. (2013, May 28). South African Police Web Application for Whistleblowers Hacked via SQL Injection. Retrieved from Netsparker: https://www.netsparker.com/blog/news/south-african-police-whistleblowers-hacked-sql-injection/
[13] The Open Web Application Security Project. (2014, June 7). SQL Injection Prevention Cheat Sheet. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[14] Litwin, P. (2004, September). Stop SQL Injection Attacks Before They Stop You. Retrieved from MSDN: https://msdn.microsoft.com/en-us/magazine/cc163917.aspx
[15] Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Improving Web Application Security: Threats and Countermeasures. Microsoft.
[16] Bollefer, T., Chander, G., Johansson, J., Kass, M., & Olson, E. (2002). Building and Configuring More Secure Web Sites. Microsoft.