SlideShare uma empresa Scribd logo

Top Ten Web Attacks

Ajay Ohri
Ajay Ohri
1 de 46
Baixar para ler offline
Top Ten Web Attacks Saumil Shah Net-Square BlackHat Asia 2002, Singapore
TodayÕs battleground Ð the Web ¥ Web sites and web applications rapidly growing. ¥ Complex business applications are now delivered over the web (HTTP). ¥ Increased Òweb hackingÓ activity. ¥ Worms on the web. ¥ How much damage can be done? ¥ Firewalls?
Typical Web Application set-up HTTP Firewall SQL request Database (cleartext or SSL) Web app Web app DB Web Web Client Server Web app DB Web app HTTP reply (HTML, Javascript, ¥Apache Plugins: Database VBscript, ¥IIS ¥Perl connection: etc) ¥Netscape ¥C/C++ ¥ADO, etcÉ ¥JSP, etc ¥ODBC, etc.
Traditional HackingÉLimitations ¥ Modern network architectures are getting more robust and secure. ¥ Firewalls being used in almost all network roll-outs. ¥ OS vendors learning from past mistakes (?) and coming out with patches rapidly. ¥ Increased maturity in coding practices.
Utility of Firewalls ¥ Hacks on OS network services prevented by firewalls. Web app Web app DB Web Server Web app DB wu-ftpd Web app X Sun RPC X NT ipc$ X
Utility of Firewalls ¥ Internal back-end application servers are on a non- routable IP network. Web app (private addresses) Web app DB Web Server Web app DB Web app X
Utility of Firewalls ¥ Outbound access restricted. Why would a web server telnet out? Web app Web app DB Web Server Web app DB Web app X
Futility of Firewalls ¥ E-commerce / Web hacking is unfettered. ¥ Web traffic is the most commonly allowed of protocols through Internet firewalls. ¥ Why fight the wall when youÕve got an open door? ¥ HTTP is perceived as ÒfriendlyÓ traffic. ¥ Content/Application based attacks are still perceived as rare.
The Web HackerÕs Toolbox Essentially, all a web hacker needs is É ¥ a web browser, ¥ an Internet connection, ¥ É and a clear mind.
Classifying Web Hacks Web Hacks fall under the following categories: ¥ URL Interpretation attacks ¥ Input Validation attacks ¥ SQL Injection attacks ¥ Impersonation attacks ¥ Buffer Overflow attacks
Firewalls cannot preventÉ Web Web Client Server ¥ URL Interpretation Attacks. web server mis- configuration
Firewalls cannot preventÉ Web app Web app Web Web Client Server Web app Web app ¥ Input Validation attacks. URL poor Interpretation checking attacks of user inputs
Firewalls cannot preventÉ Web app Web app DB Web Web Client Server Web app DB Web app ¥ SQL Query Poisoning URL Input Extend SQL Interpretation Validation statements attacks attacks
Firewalls cannot preventÉ Reverse- engineering HTTP cookies. Web app Web app DB Web Web Client Server Web app DB Web app ¥ HTTP session hijacking. ¥ Impersonation. URL Input SQL query Interpretation Validation poisoning attacks attacks
Why is Web Hacking so deadly? ¥ Ports 80 and 443 are usually allowed through firewalls. ¥ A single URL works its way into may components. ¥ And in most cases, the only defense is Òsecure codingÓ.
The URL as a cruise missile http: // 10.0.0.1 / catalogue / display.asp ? pg = 1 & product = 7 Web app Web app DB Web Server Web app DB Web app
Web Hacks - net effects Web Hacks cause three types of effects: ¥ Extra information disclosure. (paths, etc.) ¥ Source code and arbitrary file content disclosure. ¥ Extra data disclosure (e.g. return all rows) ¥ Arbitrary command execution.
The Web HackerÕs Toolbox Some desired accessories would be É ¥ a port scanner, ¥ netcat, ¥ vulnerability checker (e.g. whisker), ¥ OpenSSL, É etc.
Hacking over SSL ¥ SSL Myth: ÒStrong 128 bit crypto stops hackers dead in their tracksÓ ¥ Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy! ¥ Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL. web nc SSL client web openssl server
The Top 10 Web Hacking Techniques 1. URL Misinterpretation 2. Directory Browsing 3. Retrieving Ònon-webÓ Files 4. Reverse Proxying 5. Java Decompilation
The Top 10 Web Hacking Techniques 6. Source Code Disclosure 7. Input Validation 8. SQL Query Poisoning 9. Session Hijacking 10. Buffer Overflows
1. URL Misinterpretation ¥ The web server fails to parse the URL properly. ¥ e.g. the Unicode / Superfluous decode attack. ¥ Mismatched resource mappings in the configuration. ¥ e.g. +.htr, .JSP, Java remote command execution, etc.
1. URL Misinterpretation Countermeasures: ¥ Usually require a vendor supplied fix. ¥ Thorough inspection of the web server configuration and bindings.
2. Directory Browsing ¥ Ability to retrieve complete directory listing within directories on the web server. ¥ Usually happens when the default document is missing. ¥ Not-so-strict Web server configuration.
2. Directory Browsing Countermeasures: ¥ Web server configuration lock-down. ¥ Disable serving of directory listings. ¥ Sometimes the error may require a vendor supplied fix.
3. Retrieving Ònon-webÓ Files ¥ ÒNon-webÓ files can be: ¥ Archive files (.zip, .tar.gz, etc) ¥ Backup files (.bak, ~, etc) ¥ Header / Include files (.inc, .asa, etc) ¥ Text files (readme.txt, etc) ¥ Can be retrieved with some guess work. ¥ e.g. if there is a directory called /reports/, look for Òreports.zipÓ.
3. Retrieving Ònon-webÓ Files Countermeasures: ¥ Eliminate careless presence of such files. ¥ Disable serving certain file types by creating a resource mapping. ¥ Strict change control measures.
4. Reverse Proxying ¥ Web proxy servers may work both ways! ¥ Typically meant to allow users from within a network to access external web sites. ¥ May end up proxying HTTP requests from the outside world to the internal network. ¥ e.g. Compaq Insight Manager ¥ Usually happens when the front end web server proxies requests to back end app servers.
4. Reverse Proxying Countermeasures: ¥ Check the web server proxy configuration thoroughly. ¥ Be careful when creating URL mappings to internal servers.
5. Java Decompilation ¥ Java Bytecode can be decompiled quite effectively. ¥ May disclose sensitive information such as passwords, application paths, etc. ¥ May also disclose application logic Ð such as generation of session IDs, encryption, etc. ¥ Java Archive files (.jar files) may contain files other than bytecode, such as configuration files.
5. Java Decompilation Countermeasures: ¥ Java bytecode obfuscation. ¥ Elimination of sensitive configuration information within bytecode. ¥ Elimination of unnecessary files within .jar files.
6. Source Code Disclosure ¥ Ability to retrieve application files in an unparsed manner. ¥ Attackers can recover the source code of the web application itself. ¥ The code can then be used to find further loopholes / trophies. ¥ May be caused my many ways: ¥ Misconfiguration or vendor errors ¥ Poor application design, etc.
6. Source Code Disclosure Countermeasures: ¥ Vendor supplied fixes. ¥ Locking down the web server configuration. ¥ Secure coding practices.
7. Input Validation ¥ Root cause of most web hacks. ¥ All inputs received should be validated: ¥ data types ¥ data ranges (e.g. -ve or fractional numbers) ¥ buffer sizes and bounds ¥ metacharacters ¥ Tampering with hidden fields. ¥ Bypassing client side checking (e.g. javascript).
7. Input Validation Countermeasures: ¥ These are the worst to deal with! ¥ There is no other countermeasure but proper coding practices.
8. SQL Query Poisoning ¥ Parameters from the URL or input fields get used in SQL queries. ¥ An instance of Input Validation attacks. ¥ Data can be altered to extend the SQL query. ¥ e.g. http://server/query.asp?item=3+OR+1=1 ¥ Execution of stored procedures. ¥ May even lead to back-end database server compromise.
8. SQL Query Poisoning Countermeasures: ¥ Again, no easy fix. ¥ Thorough source code review. ¥ Following the principle of least privilege for the database application. ¥ Elimination of unnecessary database users and stored procedures.
9. Session Hijacking ¥ HTTP is inherently a ÒstatelessÓ protocol. ¥ Many web applications are stateful. ¥ Poor mechanisms of state tracking. ¥ Hidden fields carrying a session ID ¥ Client side cookies ¥ É with no server side session tracking. ¥ Reverse engineering of the session ID leads to access of other usersÕ data.
9. Session Hijacking Countermeasures: ¥ Use server side session ID tracking. ¥ Match connections with time stamps, IP addresses, etc. ¥ Cryptographically generated session IDs. ¥ hard to sequence. ¥ Use web application server session management APIs when possible.
10. Buffer Overflows ¥ Poor bounds checking. ¥ Web server HTTP requests. ¥ e.g. ASP buffer overflow, .printer, etc. ¥ Application Input fields. ¥ e.g. ColdFusion DoS, etc. ¥ Can cause: ¥ Denial of service (crashing the app / service) ¥ Remote command execution (shellcode)
10. Buffer Overflows Countermeasures: ¥ Vendor supplied fixes. ¥ Bounds checking within applications. ¥ Source code reviews. ¥ Buffer overflow testing.
Hacking Web enabled Devices ¥ Network equipment, printers, etc. becoming Òweb enabledÓ. ¥ e.g. Cisco IOS HTTP hack, HP WebJetAdmin hack, etc. ¥ May leak sensitive information about a network. ¥ May allow proxying of web attacks.
Beating the IDS ¥ ÒSecure HackingÓ Ð hacking over SSL. ¥ Many ways of writing the same URL. ¥ Defeats signature based pattern matching. ¥ Spurious parameters. ¥ Intentionally generating false positives.
Closing Thoughts ¥ Far harder to secure web sites and web applications. ¥ Need to create a heightened levels of security awareness. ¥ Use of formal software engineering methods for developing web applications. ¥ Use of secure coding practices. ¥ Thorough application testing.
Closing Thoughts ¥ ÒThere is no patch for carelessnessÓ. ¥ Web Hacking: Attacks and Defense Saumil Shah, Shreeraj Shah, Stuart McClure Addison Wesley Ð 2002.
Thank you! saumil@net-square.com http://www.net-square.com/ +91 98254 31192

Recomendados

Why Load Testing from the Cloud Doesn't Work
Why Load Testing from the Cloud Doesn't WorkWhy Load Testing from the Cloud Doesn't Work
Why Load Testing from the Cloud Doesn't WorkCompuware APM
 
Technical Cyber Defense Strategies Explained!
Technical Cyber Defense Strategies Explained!Technical Cyber Defense Strategies Explained!
Technical Cyber Defense Strategies Explained!Microsoft TechNet - Belgium and Luxembourg
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Building Living Web Applications with HTML5 WebSockets
Building Living Web Applications with HTML5 WebSocketsBuilding Living Web Applications with HTML5 WebSockets
Building Living Web Applications with HTML5 WebSocketsPeter Moskovits
 
Accessing Native APIs from Touch
Accessing Native APIs from TouchAccessing Native APIs from Touch
Accessing Native APIs from TouchSencha
 
Extending JMS to Web Devices over HTML5 WebSockets - JavaOne 2011
Extending JMS to Web Devices over HTML5 WebSockets - JavaOne 2011Extending JMS to Web Devices over HTML5 WebSockets - JavaOne 2011
Extending JMS to Web Devices over HTML5 WebSockets - JavaOne 2011Peter Moskovits
 
Real Life WebSocket Case Studies and Demos
Real Life WebSocket Case Studies and DemosReal Life WebSocket Case Studies and Demos
Real Life WebSocket Case Studies and DemosPeter Moskovits
 
Adversity: Good for software
Adversity: Good for softwareAdversity: Good for software
Adversity: Good for softwareJames Wickett
 

Recomendados

Why Load Testing from the Cloud Doesn't Work
Why Load Testing from the Cloud Doesn't WorkWhy Load Testing from the Cloud Doesn't Work
Why Load Testing from the Cloud Doesn't WorkCompuware APM
 
Technical Cyber Defense Strategies Explained!
Technical Cyber Defense Strategies Explained!Technical Cyber Defense Strategies Explained!
Technical Cyber Defense Strategies Explained!Microsoft TechNet - Belgium and Luxembourg
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Building Living Web Applications with HTML5 WebSockets
Building Living Web Applications with HTML5 WebSocketsBuilding Living Web Applications with HTML5 WebSockets
Building Living Web Applications with HTML5 WebSocketsPeter Moskovits
 
Accessing Native APIs from Touch
Accessing Native APIs from TouchAccessing Native APIs from Touch
Accessing Native APIs from TouchSencha
 
Extending JMS to Web Devices over HTML5 WebSockets - JavaOne 2011
Extending JMS to Web Devices over HTML5 WebSockets - JavaOne 2011Extending JMS to Web Devices over HTML5 WebSockets - JavaOne 2011
Extending JMS to Web Devices over HTML5 WebSockets - JavaOne 2011Peter Moskovits
 
Real Life WebSocket Case Studies and Demos
Real Life WebSocket Case Studies and DemosReal Life WebSocket Case Studies and Demos
Real Life WebSocket Case Studies and DemosPeter Moskovits
 
Adversity: Good for software
Adversity: Good for softwareAdversity: Good for software
Adversity: Good for softwareJames Wickett
 
API Reliability Guide
API Reliability GuideAPI Reliability Guide
API Reliability GuideNick DeNardis
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST SecurityDavid Blevins
 
Application DoS In Microservice Architectures
Application DoS In Microservice ArchitecturesApplication DoS In Microservice Architectures
Application DoS In Microservice ArchitecturesScott Behrens
 
The Fundamentals of HTML5
The Fundamentals of HTML5The Fundamentals of HTML5
The Fundamentals of HTML5DataLeader.io
 
vFabric - Ideal Platform for SaaS Apps
vFabric - Ideal Platform for SaaS AppsvFabric - Ideal Platform for SaaS Apps
vFabric - Ideal Platform for SaaS AppsVMware vFabric
 
SproutCore GTUG
SproutCore GTUGSproutCore GTUG
SproutCore GTUGsproutit
 
Working with Data and Web Services in Microsoft Silverlight 2
Working with Data and Web Services in Microsoft Silverlight 2Working with Data and Web Services in Microsoft Silverlight 2
Working with Data and Web Services in Microsoft Silverlight 2goodfriday
 
WEBSITE HOSTING FOR PNG ORGANISATIONS
WEBSITE HOSTING FOR PNG ORGANISATIONSWEBSITE HOSTING FOR PNG ORGANISATIONS
WEBSITE HOSTING FOR PNG ORGANISATIONSwebhostingguy
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforcedeimos
 
Ajax World Fall08
Ajax World Fall08Ajax World Fall08
Ajax World Fall08rajivmordani
 
ION Mumbai - Richard Lamb: Why DNSSEC?
ION Mumbai - Richard Lamb: Why DNSSEC?ION Mumbai - Richard Lamb: Why DNSSEC?
ION Mumbai - Richard Lamb: Why DNSSEC?Deploy360 Programme (Internet Society)
 
Sail Fin Webinar Overview
Sail Fin Webinar OverviewSail Fin Webinar Overview
Sail Fin Webinar OverviewEduardo Pelegri-Llopart
 
BeamAuth - Two-Factor Web Authentication with a Bookmark
BeamAuth - Two-Factor Web Authentication with a BookmarkBeamAuth - Two-Factor Web Authentication with a Bookmark
BeamAuth - Two-Factor Web Authentication with a BookmarkBen Adida
 
Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Jorgen Thelin
 
Performance Testing and Instrumenting the KGB SMS Service for the Super Bowl
Performance Testing and Instrumenting the KGB SMS Service for the Super BowlPerformance Testing and Instrumenting the KGB SMS Service for the Super Bowl
Performance Testing and Instrumenting the KGB SMS Service for the Super Bowlnatematias
 
Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Ajay Ohri
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web AttackKelly Speiser
 
Behind The Scenes Of Web Attacks
Behind The Scenes Of Web AttacksBehind The Scenes Of Web Attacks
Behind The Scenes Of Web AttacksMaurizio Abbà
 
Web attacks
Web attacksWeb attacks
Web attackshusnara mohammad
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 

Mais conteúdo relacionado

Mais procurados

API Reliability Guide
API Reliability GuideAPI Reliability Guide
API Reliability GuideNick DeNardis
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST SecurityDavid Blevins
 
Application DoS In Microservice Architectures
Application DoS In Microservice ArchitecturesApplication DoS In Microservice Architectures
Application DoS In Microservice ArchitecturesScott Behrens
 
The Fundamentals of HTML5
The Fundamentals of HTML5The Fundamentals of HTML5
The Fundamentals of HTML5DataLeader.io
 
vFabric - Ideal Platform for SaaS Apps
vFabric - Ideal Platform for SaaS AppsvFabric - Ideal Platform for SaaS Apps
vFabric - Ideal Platform for SaaS AppsVMware vFabric
 
SproutCore GTUG
SproutCore GTUGSproutCore GTUG
SproutCore GTUGsproutit
 
Working with Data and Web Services in Microsoft Silverlight 2
Working with Data and Web Services in Microsoft Silverlight 2Working with Data and Web Services in Microsoft Silverlight 2
Working with Data and Web Services in Microsoft Silverlight 2goodfriday
 
WEBSITE HOSTING FOR PNG ORGANISATIONS
WEBSITE HOSTING FOR PNG ORGANISATIONSWEBSITE HOSTING FOR PNG ORGANISATIONS
WEBSITE HOSTING FOR PNG ORGANISATIONSwebhostingguy
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforcedeimos
 
BeamAuth - Two-Factor Web Authentication with a Bookmark
BeamAuth - Two-Factor Web Authentication with a BookmarkBeamAuth - Two-Factor Web Authentication with a Bookmark
BeamAuth - Two-Factor Web Authentication with a BookmarkBen Adida
 
Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Jorgen Thelin
 
Performance Testing and Instrumenting the KGB SMS Service for the Super Bowl
Performance Testing and Instrumenting the KGB SMS Service for the Super BowlPerformance Testing and Instrumenting the KGB SMS Service for the Super Bowl
Performance Testing and Instrumenting the KGB SMS Service for the Super Bowlnatematias
 

Mais procurados (15)

API Reliability Guide
API Reliability GuideAPI Reliability Guide
API Reliability Guide
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security
 
Application DoS In Microservice Architectures
Application DoS In Microservice ArchitecturesApplication DoS In Microservice Architectures
Application DoS In Microservice Architectures
 
The Fundamentals of HTML5
The Fundamentals of HTML5The Fundamentals of HTML5
The Fundamentals of HTML5
 
vFabric - Ideal Platform for SaaS Apps
vFabric - Ideal Platform for SaaS AppsvFabric - Ideal Platform for SaaS Apps
vFabric - Ideal Platform for SaaS Apps
 
SproutCore GTUG
SproutCore GTUGSproutCore GTUG
SproutCore GTUG
 
Working with Data and Web Services in Microsoft Silverlight 2
Working with Data and Web Services in Microsoft Silverlight 2Working with Data and Web Services in Microsoft Silverlight 2
Working with Data and Web Services in Microsoft Silverlight 2
 
WEBSITE HOSTING FOR PNG ORGANISATIONS
WEBSITE HOSTING FOR PNG ORGANISATIONSWEBSITE HOSTING FOR PNG ORGANISATIONS
WEBSITE HOSTING FOR PNG ORGANISATIONS
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
Ajax World Fall08
Ajax World Fall08Ajax World Fall08
Ajax World Fall08
 
ION Mumbai - Richard Lamb: Why DNSSEC?
ION Mumbai - Richard Lamb: Why DNSSEC?ION Mumbai - Richard Lamb: Why DNSSEC?
ION Mumbai - Richard Lamb: Why DNSSEC?
 
Sail Fin Webinar Overview
Sail Fin Webinar OverviewSail Fin Webinar Overview
Sail Fin Webinar Overview
 
BeamAuth - Two-Factor Web Authentication with a Bookmark
BeamAuth - Two-Factor Web Authentication with a BookmarkBeamAuth - Two-Factor Web Authentication with a Bookmark
BeamAuth - Two-Factor Web Authentication with a Bookmark
 
Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09
 
Performance Testing and Instrumenting the KGB SMS Service for the Super Bowl
Performance Testing and Instrumenting the KGB SMS Service for the Super BowlPerformance Testing and Instrumenting the KGB SMS Service for the Super Bowl
Performance Testing and Instrumenting the KGB SMS Service for the Super Bowl
 

Destaque

Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Ajay Ohri
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Behind The Scenes Of Web Attacks
Behind The Scenes Of Web AttacksBehind The Scenes Of Web Attacks
Behind The Scenes Of Web AttacksMaurizio Abbà
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Trends in Web Attacks
Trends in Web AttacksTrends in Web Attacks
Trends in Web AttacksIWMW
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its typesSai Sakoji
 

Destaque (14)

Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1Owasp top 10 2013 - rc1
Owasp top 10 2013 - rc1
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web Attack
 
Behind The Scenes Of Web Attacks
Behind The Scenes Of Web AttacksBehind The Scenes Of Web Attacks
Behind The Scenes Of Web Attacks
 
Web attacks
Web attacksWeb attacks
Web attacks
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Trends in Web Attacks
Trends in Web AttacksTrends in Web Attacks
Trends in Web Attacks
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenario
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
Hacking Web: Attacks & Tips
Hacking Web: Attacks & TipsHacking Web: Attacks & Tips
Hacking Web: Attacks & Tips
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its types
 

Semelhante a Top Ten Web Attacks

Patterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services PlatformPatterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services PlatformDavid Chou
 
Will Web 2.0 applications break the cloud?
Will Web 2.0 applications break the cloud?Will Web 2.0 applications break the cloud?
Will Web 2.0 applications break the cloud?Flaskdata.io
 
Azure Services Platform
Azure Services PlatformAzure Services Platform
Azure Services PlatformDavid Chou
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2guest66dc5f
 
Startup Harvard Part 3 (Derek)
Startup Harvard Part 3 (Derek)Startup Harvard Part 3 (Derek)
Startup Harvard Part 3 (Derek)dhorton
 
C fowler intro-azure
C fowler intro-azureC fowler intro-azure
C fowler intro-azuresdeconf
 
Vaadin - Rich Web Applications in Server-side Java without Plug-ins or JavaSc...
Vaadin - Rich Web Applications in Server-side Java without Plug-ins or JavaSc...Vaadin - Rich Web Applications in Server-side Java without Plug-ins or JavaSc...
Vaadin - Rich Web Applications in Server-side Java without Plug-ins or JavaSc...Joonas Lehtinen
 
Vaadin, Rich Web Apps in Server-Side Java without Plug-ins or JavaScript: Joo...
Vaadin, Rich Web Apps in Server-Side Java without Plug-ins or JavaScript: Joo...Vaadin, Rich Web Apps in Server-Side Java without Plug-ins or JavaScript: Joo...
Vaadin, Rich Web Apps in Server-Side Java without Plug-ins or JavaScript: Joo...jaxconf
 
SF DevOps: Introducing Vagrant
SF DevOps: Introducing VagrantSF DevOps: Introducing Vagrant
SF DevOps: Introducing VagrantMitchell Hashimoto
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
[DSBW Spring 2009] Unit 05: Web Architectures
[DSBW Spring 2009] Unit 05: Web Architectures[DSBW Spring 2009] Unit 05: Web Architectures
[DSBW Spring 2009] Unit 05: Web ArchitecturesCarles Farré
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
Building tomorrow's web with today's tools
Building tomorrow's web with today's toolsBuilding tomorrow's web with today's tools
Building tomorrow's web with today's toolsJames Pearce
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!espheresecurity
 
Windows Azure Platform
Windows Azure PlatformWindows Azure Platform
Windows Azure PlatformAsmTrash
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworksukdpe
 
Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008ClubHack
 
Realtime Messaging und verteilte Systeme mit SharePoint und Windows Azure Ser...
Realtime Messaging und verteilte Systeme mit SharePoint und Windows Azure Ser...Realtime Messaging und verteilte Systeme mit SharePoint und Windows Azure Ser...
Realtime Messaging und verteilte Systeme mit SharePoint und Windows Azure Ser...Damir Dobric
 
The Modern Web Part 4: Cloud Computing
The Modern Web Part 4: Cloud ComputingThe Modern Web Part 4: Cloud Computing
The Modern Web Part 4: Cloud ComputingDavid Pallmann
 

Semelhante a Top Ten Web Attacks (20)

Patterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services PlatformPatterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services Platform
 
Will Web 2.0 applications break the cloud?
Will Web 2.0 applications break the cloud?Will Web 2.0 applications break the cloud?
Will Web 2.0 applications break the cloud?
 
Azure Services Platform
Azure Services PlatformAzure Services Platform
Azure Services Platform
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
 
Startup Harvard Part 3 (Derek)
Startup Harvard Part 3 (Derek)Startup Harvard Part 3 (Derek)
Startup Harvard Part 3 (Derek)
 
C fowler intro-azure
C fowler intro-azureC fowler intro-azure
C fowler intro-azure
 
Vaadin - Rich Web Applications in Server-side Java without Plug-ins or JavaSc...
Vaadin - Rich Web Applications in Server-side Java without Plug-ins or JavaSc...Vaadin - Rich Web Applications in Server-side Java without Plug-ins or JavaSc...
Vaadin - Rich Web Applications in Server-side Java without Plug-ins or JavaSc...
 
Vaadin, Rich Web Apps in Server-Side Java without Plug-ins or JavaScript: Joo...
Vaadin, Rich Web Apps in Server-Side Java without Plug-ins or JavaScript: Joo...Vaadin, Rich Web Apps in Server-Side Java without Plug-ins or JavaScript: Joo...
Vaadin, Rich Web Apps in Server-Side Java without Plug-ins or JavaScript: Joo...
 
SF DevOps: Introducing Vagrant
SF DevOps: Introducing VagrantSF DevOps: Introducing Vagrant
SF DevOps: Introducing Vagrant
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
 
[DSBW Spring 2009] Unit 05: Web Architectures
[DSBW Spring 2009] Unit 05: Web Architectures[DSBW Spring 2009] Unit 05: Web Architectures
[DSBW Spring 2009] Unit 05: Web Architectures
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
Building tomorrow's web with today's tools
Building tomorrow's web with today's toolsBuilding tomorrow's web with today's tools
Building tomorrow's web with today's tools
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Windows Azure Platform
Windows Azure PlatformWindows Azure Platform
Windows Azure Platform
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
 
Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008
 
Realtime Messaging und verteilte Systeme mit SharePoint und Windows Azure Ser...
Realtime Messaging und verteilte Systeme mit SharePoint und Windows Azure Ser...Realtime Messaging und verteilte Systeme mit SharePoint und Windows Azure Ser...
Realtime Messaging und verteilte Systeme mit SharePoint und Windows Azure Ser...
 
Windows Azure Essentials
Windows Azure EssentialsWindows Azure Essentials
Windows Azure Essentials
 
The Modern Web Part 4: Cloud Computing
The Modern Web Part 4: Cloud ComputingThe Modern Web Part 4: Cloud Computing
The Modern Web Part 4: Cloud Computing
 

Mais de Ajay Ohri

Introduction to R ajay Ohri
Introduction to R ajay OhriIntroduction to R ajay Ohri
Introduction to R ajay OhriAjay Ohri
 
Introduction to R
Introduction to RIntroduction to R
Introduction to RAjay Ohri
 
Social Media and Fake News in the 2016 Election
Social Media and Fake News in the 2016 ElectionSocial Media and Fake News in the 2016 Election
Social Media and Fake News in the 2016 ElectionAjay Ohri
 
Download Python for R Users pdf for free
Download Python for R Users pdf for freeDownload Python for R Users pdf for free
Download Python for R Users pdf for freeAjay Ohri
 
Install spark on_windows10
Install spark on_windows10Install spark on_windows10
Install spark on_windows10Ajay Ohri
 
Ajay ohri Resume
Ajay ohri ResumeAjay ohri Resume
Ajay ohri ResumeAjay Ohri
 
Statistics for data scientists
Statistics for data scientistsStatistics for data scientists
Statistics for data scientistsAjay Ohri
 
National seminar on emergence of internet of things (io t) trends and challe...
National seminar on emergence of internet of things (io t) trends and challe...National seminar on emergence of internet of things (io t) trends and challe...
National seminar on emergence of internet of things (io t) trends and challe...Ajay Ohri
 
Tools and techniques for data science
Tools and techniques for data scienceTools and techniques for data science
Tools and techniques for data scienceAjay Ohri
 
How Big Data ,Cloud Computing ,Data Science can help business
How Big Data ,Cloud Computing ,Data Science can help businessHow Big Data ,Cloud Computing ,Data Science can help business
How Big Data ,Cloud Computing ,Data Science can help businessAjay Ohri
 
Training in Analytics and Data Science
Training in Analytics and Data ScienceTraining in Analytics and Data Science
Training in Analytics and Data ScienceAjay Ohri
 
Software Testing for Data Scientists
Software Testing for Data ScientistsSoftware Testing for Data Scientists
Software Testing for Data ScientistsAjay Ohri
 
A Data Science Tutorial in Python
A Data Science Tutorial in PythonA Data Science Tutorial in Python
A Data Science Tutorial in PythonAjay Ohri
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsAjay Ohri
 
Using R for Social Media and Sports Analytics
Using R for Social Media and Sports AnalyticsUsing R for Social Media and Sports Analytics
Using R for Social Media and Sports AnalyticsAjay Ohri
 
Kush stats alpha
Kush stats alpha Kush stats alpha
Kush stats alpha Ajay Ohri
 
Analyze this
Analyze thisAnalyze this
Analyze thisAjay Ohri
 

Mais de Ajay Ohri (20)

Introduction to R ajay Ohri
Introduction to R ajay OhriIntroduction to R ajay Ohri
Introduction to R ajay Ohri
 
Introduction to R
Introduction to RIntroduction to R
Introduction to R
 
Social Media and Fake News in the 2016 Election
Social Media and Fake News in the 2016 ElectionSocial Media and Fake News in the 2016 Election
Social Media and Fake News in the 2016 Election
 
Pyspark
PysparkPyspark
Pyspark
 
Download Python for R Users pdf for free
Download Python for R Users pdf for freeDownload Python for R Users pdf for free
Download Python for R Users pdf for free
 
Install spark on_windows10
Install spark on_windows10Install spark on_windows10
Install spark on_windows10
 
Ajay ohri Resume
Ajay ohri ResumeAjay ohri Resume
Ajay ohri Resume
 
Statistics for data scientists
Statistics for data scientistsStatistics for data scientists
Statistics for data scientists
 
National seminar on emergence of internet of things (io t) trends and challe...
National seminar on emergence of internet of things (io t) trends and challe...National seminar on emergence of internet of things (io t) trends and challe...
National seminar on emergence of internet of things (io t) trends and challe...
 
Tools and techniques for data science
Tools and techniques for data scienceTools and techniques for data science
Tools and techniques for data science
 
How Big Data ,Cloud Computing ,Data Science can help business
How Big Data ,Cloud Computing ,Data Science can help businessHow Big Data ,Cloud Computing ,Data Science can help business
How Big Data ,Cloud Computing ,Data Science can help business
 
Training in Analytics and Data Science
Training in Analytics and Data ScienceTraining in Analytics and Data Science
Training in Analytics and Data Science
 
Tradecraft
Tradecraft Tradecraft
Tradecraft
 
Software Testing for Data Scientists
Software Testing for Data ScientistsSoftware Testing for Data Scientists
Software Testing for Data Scientists
 
Craps
CrapsCraps
Craps
 
A Data Science Tutorial in Python
A Data Science Tutorial in PythonA Data Science Tutorial in Python
A Data Science Tutorial in Python
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
 
Using R for Social Media and Sports Analytics
Using R for Social Media and Sports AnalyticsUsing R for Social Media and Sports Analytics
Using R for Social Media and Sports Analytics
 
Kush stats alpha
Kush stats alpha Kush stats alpha
Kush stats alpha
 
Analyze this
Analyze thisAnalyze this
Analyze this
 

Top Ten Web Attacks

  • 1. Top Ten Web Attacks Saumil Shah Net-Square BlackHat Asia 2002, Singapore
  • 2. TodayÕs battleground Ð the Web ¥ Web sites and web applications rapidly growing. ¥ Complex business applications are now delivered over the web (HTTP). ¥ Increased Òweb hackingÓ activity. ¥ Worms on the web. ¥ How much damage can be done? ¥ Firewalls?
  • 3. Typical Web Application set-up HTTP Firewall SQL request Database (cleartext or SSL) Web app Web app DB Web Web Client Server Web app DB Web app HTTP reply (HTML, Javascript, ¥Apache Plugins: Database VBscript, ¥IIS ¥Perl connection: etc) ¥Netscape ¥C/C++ ¥ADO, etcÉ ¥JSP, etc ¥ODBC, etc.
  • 4. Traditional HackingÉLimitations ¥ Modern network architectures are getting more robust and secure. ¥ Firewalls being used in almost all network roll-outs. ¥ OS vendors learning from past mistakes (?) and coming out with patches rapidly. ¥ Increased maturity in coding practices.
  • 5. Utility of Firewalls ¥ Hacks on OS network services prevented by firewalls. Web app Web app DB Web Server Web app DB wu-ftpd Web app X Sun RPC X NT ipc$ X
  • 6. Utility of Firewalls ¥ Internal back-end application servers are on a non- routable IP network. Web app (private addresses) Web app DB Web Server Web app DB Web app X
  • 7. Utility of Firewalls ¥ Outbound access restricted. Why would a web server telnet out? Web app Web app DB Web Server Web app DB Web app X
  • 8. Futility of Firewalls ¥ E-commerce / Web hacking is unfettered. ¥ Web traffic is the most commonly allowed of protocols through Internet firewalls. ¥ Why fight the wall when youÕve got an open door? ¥ HTTP is perceived as ÒfriendlyÓ traffic. ¥ Content/Application based attacks are still perceived as rare.
  • 9. The Web HackerÕs Toolbox Essentially, all a web hacker needs is É ¥ a web browser, ¥ an Internet connection, ¥ É and a clear mind.
  • 10. Classifying Web Hacks Web Hacks fall under the following categories: ¥ URL Interpretation attacks ¥ Input Validation attacks ¥ SQL Injection attacks ¥ Impersonation attacks ¥ Buffer Overflow attacks
  • 11. Firewalls cannot preventÉ Web Web Client Server ¥ URL Interpretation Attacks. web server mis- configuration
  • 12. Firewalls cannot preventÉ Web app Web app Web Web Client Server Web app Web app ¥ Input Validation attacks. URL poor Interpretation checking attacks of user inputs
  • 13. Firewalls cannot preventÉ Web app Web app DB Web Web Client Server Web app DB Web app ¥ SQL Query Poisoning URL Input Extend SQL Interpretation Validation statements attacks attacks
  • 14. Firewalls cannot preventÉ Reverse- engineering HTTP cookies. Web app Web app DB Web Web Client Server Web app DB Web app ¥ HTTP session hijacking. ¥ Impersonation. URL Input SQL query Interpretation Validation poisoning attacks attacks
  • 15. Why is Web Hacking so deadly? ¥ Ports 80 and 443 are usually allowed through firewalls. ¥ A single URL works its way into may components. ¥ And in most cases, the only defense is Òsecure codingÓ.
  • 16. The URL as a cruise missile http: // 10.0.0.1 / catalogue / display.asp ? pg = 1 & product = 7 Web app Web app DB Web Server Web app DB Web app
  • 17. Web Hacks - net effects Web Hacks cause three types of effects: ¥ Extra information disclosure. (paths, etc.) ¥ Source code and arbitrary file content disclosure. ¥ Extra data disclosure (e.g. return all rows) ¥ Arbitrary command execution.
  • 18. The Web HackerÕs Toolbox Some desired accessories would be É ¥ a port scanner, ¥ netcat, ¥ vulnerability checker (e.g. whisker), ¥ OpenSSL, É etc.
  • 19. Hacking over SSL ¥ SSL Myth: ÒStrong 128 bit crypto stops hackers dead in their tracksÓ ¥ Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy! ¥ Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL. web nc SSL client web openssl server
  • 20. The Top 10 Web Hacking Techniques 1. URL Misinterpretation 2. Directory Browsing 3. Retrieving Ònon-webÓ Files 4. Reverse Proxying 5. Java Decompilation
  • 21. The Top 10 Web Hacking Techniques 6. Source Code Disclosure 7. Input Validation 8. SQL Query Poisoning 9. Session Hijacking 10. Buffer Overflows
  • 22. 1. URL Misinterpretation ¥ The web server fails to parse the URL properly. ¥ e.g. the Unicode / Superfluous decode attack. ¥ Mismatched resource mappings in the configuration. ¥ e.g. +.htr, .JSP, Java remote command execution, etc.
  • 23. 1. URL Misinterpretation Countermeasures: ¥ Usually require a vendor supplied fix. ¥ Thorough inspection of the web server configuration and bindings.
  • 24. 2. Directory Browsing ¥ Ability to retrieve complete directory listing within directories on the web server. ¥ Usually happens when the default document is missing. ¥ Not-so-strict Web server configuration.
  • 25. 2. Directory Browsing Countermeasures: ¥ Web server configuration lock-down. ¥ Disable serving of directory listings. ¥ Sometimes the error may require a vendor supplied fix.
  • 26. 3. Retrieving Ònon-webÓ Files ¥ ÒNon-webÓ files can be: ¥ Archive files (.zip, .tar.gz, etc) ¥ Backup files (.bak, ~, etc) ¥ Header / Include files (.inc, .asa, etc) ¥ Text files (readme.txt, etc) ¥ Can be retrieved with some guess work. ¥ e.g. if there is a directory called /reports/, look for Òreports.zipÓ.
  • 27. 3. Retrieving Ònon-webÓ Files Countermeasures: ¥ Eliminate careless presence of such files. ¥ Disable serving certain file types by creating a resource mapping. ¥ Strict change control measures.
  • 28. 4. Reverse Proxying ¥ Web proxy servers may work both ways! ¥ Typically meant to allow users from within a network to access external web sites. ¥ May end up proxying HTTP requests from the outside world to the internal network. ¥ e.g. Compaq Insight Manager ¥ Usually happens when the front end web server proxies requests to back end app servers.
  • 29. 4. Reverse Proxying Countermeasures: ¥ Check the web server proxy configuration thoroughly. ¥ Be careful when creating URL mappings to internal servers.
  • 30. 5. Java Decompilation ¥ Java Bytecode can be decompiled quite effectively. ¥ May disclose sensitive information such as passwords, application paths, etc. ¥ May also disclose application logic Ð such as generation of session IDs, encryption, etc. ¥ Java Archive files (.jar files) may contain files other than bytecode, such as configuration files.
  • 31. 5. Java Decompilation Countermeasures: ¥ Java bytecode obfuscation. ¥ Elimination of sensitive configuration information within bytecode. ¥ Elimination of unnecessary files within .jar files.
  • 32. 6. Source Code Disclosure ¥ Ability to retrieve application files in an unparsed manner. ¥ Attackers can recover the source code of the web application itself. ¥ The code can then be used to find further loopholes / trophies. ¥ May be caused my many ways: ¥ Misconfiguration or vendor errors ¥ Poor application design, etc.
  • 33. 6. Source Code Disclosure Countermeasures: ¥ Vendor supplied fixes. ¥ Locking down the web server configuration. ¥ Secure coding practices.
  • 34. 7. Input Validation ¥ Root cause of most web hacks. ¥ All inputs received should be validated: ¥ data types ¥ data ranges (e.g. -ve or fractional numbers) ¥ buffer sizes and bounds ¥ metacharacters ¥ Tampering with hidden fields. ¥ Bypassing client side checking (e.g. javascript).
  • 35. 7. Input Validation Countermeasures: ¥ These are the worst to deal with! ¥ There is no other countermeasure but proper coding practices.
  • 36. 8. SQL Query Poisoning ¥ Parameters from the URL or input fields get used in SQL queries. ¥ An instance of Input Validation attacks. ¥ Data can be altered to extend the SQL query. ¥ e.g. http://server/query.asp?item=3+OR+1=1 ¥ Execution of stored procedures. ¥ May even lead to back-end database server compromise.
  • 37. 8. SQL Query Poisoning Countermeasures: ¥ Again, no easy fix. ¥ Thorough source code review. ¥ Following the principle of least privilege for the database application. ¥ Elimination of unnecessary database users and stored procedures.
  • 38. 9. Session Hijacking ¥ HTTP is inherently a ÒstatelessÓ protocol. ¥ Many web applications are stateful. ¥ Poor mechanisms of state tracking. ¥ Hidden fields carrying a session ID ¥ Client side cookies ¥ É with no server side session tracking. ¥ Reverse engineering of the session ID leads to access of other usersÕ data.
  • 39. 9. Session Hijacking Countermeasures: ¥ Use server side session ID tracking. ¥ Match connections with time stamps, IP addresses, etc. ¥ Cryptographically generated session IDs. ¥ hard to sequence. ¥ Use web application server session management APIs when possible.
  • 40. 10. Buffer Overflows ¥ Poor bounds checking. ¥ Web server HTTP requests. ¥ e.g. ASP buffer overflow, .printer, etc. ¥ Application Input fields. ¥ e.g. ColdFusion DoS, etc. ¥ Can cause: ¥ Denial of service (crashing the app / service) ¥ Remote command execution (shellcode)
  • 41. 10. Buffer Overflows Countermeasures: ¥ Vendor supplied fixes. ¥ Bounds checking within applications. ¥ Source code reviews. ¥ Buffer overflow testing.
  • 42. Hacking Web enabled Devices ¥ Network equipment, printers, etc. becoming Òweb enabledÓ. ¥ e.g. Cisco IOS HTTP hack, HP WebJetAdmin hack, etc. ¥ May leak sensitive information about a network. ¥ May allow proxying of web attacks.
  • 43. Beating the IDS ¥ ÒSecure HackingÓ Ð hacking over SSL. ¥ Many ways of writing the same URL. ¥ Defeats signature based pattern matching. ¥ Spurious parameters. ¥ Intentionally generating false positives.
  • 44. Closing Thoughts ¥ Far harder to secure web sites and web applications. ¥ Need to create a heightened levels of security awareness. ¥ Use of formal software engineering methods for developing web applications. ¥ Use of secure coding practices. ¥ Thorough application testing.
  • 45. Closing Thoughts ¥ ÒThere is no patch for carelessnessÓ. ¥ Web Hacking: Attacks and Defense Saumil Shah, Shreeraj Shah, Stuart McClure Addison Wesley Ð 2002.
  • 46. Thank you! saumil@net-square.com http://www.net-square.com/ +91 98254 31192