O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

Web Application Security

Próximos SlideShares
Web application security
Web application security
Carregando em…3

Confira estes a seguir

1 de 181 Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (20)


Semelhante a Web Application Security (20)


Mais recentes (20)

Web Application Security

  1. 1. Workshop on Web Application Security
  2. 2. Overview <ul><li>Course designed to </li></ul><ul><ul><li>Teach participants about most common web application vulnerabilities </li></ul></ul><ul><ul><li>Identify importance of having a secure web application architecture </li></ul></ul><ul><ul><li>How to integrate security within your web applications </li></ul></ul>
  3. 3. Overview <ul><ul><li>Web Applications Sect-1 </li></ul></ul><ul><ul><li>Security threats revisit Sect-1 </li></ul></ul><ul><ul><li>Web applications security </li></ul></ul><ul><ul><li>Parameter Manipulation </li></ul></ul><ul><ul><li>Cross Site Scripting (XSS) </li></ul></ul><ul><ul><li>SQL Injection </li></ul></ul><ul><ul><li>Implementing Web Application Security </li></ul></ul><ul><ul><li>Resources </li></ul></ul><ul><ul><li>Google Hacking </li></ul></ul><ul><ul><li>Wrap-up </li></ul></ul>
  4. 4. Web Application
  5. 5. Evolution of the Internet <ul><li>Initially we had static HTML based websites </li></ul>
  6. 6. Evolution of the Internet <ul><li>Replaced with dynamic multi-technology based web applications </li></ul>‘ Dynamic’ means different things to different people – Interactive forms – Customizing page content based on client attributes – Reactive pages
  7. 7. Popularity of web apps <ul><li>Easy deployment and no installation hassles </li></ul><ul><li>Very easy to change and update functionality </li></ul><ul><li>Easy accessibility for users </li></ul><ul><li>Organizations “ web-fying ” all their applications </li></ul><ul><ul><li>E-commerce sites </li></ul></ul><ul><ul><li>Intranet portals </li></ul></ul>
  8. 8. Typical structure of a Web Application HTTP allowed through port 80 Firewalls and other simple boundary devices lack some degree of intelligence when it comes to observing, recognizing, and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. Without sounding critical of such other systems’ capabilities, this deficiency brought in Intrusion Detection systems
  9. 9. Today’s threat landscape <ul><li>Organization nowadays do a lot of things right as far as security goes </li></ul><ul><ul><li>Firewalls and other perimeter devices are deployed </li></ul></ul><ul><ul><li>Servers are regularly patched </li></ul></ul><ul><ul><li>Network traffic is encrypted </li></ul></ul><ul><ul><li>Continuous monitoring via security audits and Network scanning tools </li></ul></ul><ul><li>However security bugs/vulnerabilities present at the application layer (code level) are usually ignored </li></ul><ul><li>Also network layer has some solved vulnerables </li></ul>
  10. 10. Network Level Attack
  11. 11. Network a mean of breach
  12. 12. Security threats revisit
  13. 13. <ul><li>IP Spoofing </li></ul><ul><li>Smurf Attack </li></ul><ul><li>Denial of service attack </li></ul><ul><li>Fragmentation Attack </li></ul>
  14. 14. IP Spoofing <ul><li>Any station can send packets pretending to be from any IP address </li></ul><ul><li>Replies will be routed to the appropriate subnet </li></ul><ul><ul><li>Route asymmetry </li></ul></ul><ul><ul><li>So, attacker might not get replies if spoofing a host on a different subnet </li></ul></ul><ul><ul><ul><li>For some attacks this is not important </li></ul></ul></ul><ul><li>Analogy </li></ul><ul><ul><li>Nothing prevents you from physically mailing a letter with an invalid return address, or someone else’s, or your own. </li></ul></ul><ul><ul><li>Likewise, packets can be inserted in the network with invalid or other IP addresses. </li></ul></ul>
  15. 15. IP Spoofing with Amplification <ul><li>Use broadcasts pretending to originate from victim </li></ul><ul><li>All replies go back to victim </li></ul><ul><li>This may use any IP protocol (ICMP, TCP, UDP) </li></ul><ul><ul><li>Any application or service that replies using these protocols </li></ul></ul><ul><ul><li>Famous attack: Smurf (using ICMP) DoS </li></ul></ul><ul><ul><ul><li>CERT® Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks </li></ul></ul></ul><ul><ul><ul><li>Many others </li></ul></ul></ul><ul><ul><ul><li>Smurf Amplifier Registry: http://www.powertech.no/smurf/ </li></ul></ul></ul>
  16. 16. Smurf Attack <ul><li>If an attacker wants to map your network, the trivial way is to ping all the IP addresses in your network... </li></ul><ul><li>Therefore, if you allow pings, your network is exposed. </li></ul><ul><li>Ping a broadcast address, with the (spoofed) IP of a victim as source address </li></ul><ul><li>All hosts on the network respond to the victim </li></ul><ul><li>The victim is overwhelmed </li></ul><ul><li>Keys: Amplification and IP spoofing </li></ul><ul><li>Protocol vulnerability; implementation can be “patched” by violating the protocol specification, to ignore pings to broadcast addresses </li></ul><ul><li>ICMP echo just used for convenience </li></ul><ul><ul><li>All ICMP messages can be abused this way </li></ul></ul><ul><ul><li>&quot;Fraggle&quot; is the equivalent, using UDP instead of ICMP </li></ul></ul><ul><li>Sol : Ingress filtering , Egress filtering </li></ul>Drop inbound broadcasts Drop outbound broadcasts
  17. 17. Denial of Service Attack <ul><li>A denial-of-service attack ( DoS attack ) or distributed denial-of-service attack ( DDoS attack ) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. </li></ul>
  18. 18. DOS Attack Methods <ul><li>The five basic types of attack are: </li></ul><ul><li>Consumption of computational resources, such as bandwidth, disk space, or processor time </li></ul><ul><li>Disruption of configuration information, such as routing information. </li></ul><ul><li>Disruption of state information, such as unsolicited resetting of TCP sessions. </li></ul><ul><li>Disruption of physical network components. </li></ul><ul><li>Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately </li></ul>
  19. 19. Fragmentation Attack <ul><li>Networks have different frame sizes </li></ul><ul><ul><li>“ MTU” is the &quot;Maximum Transmission Unit&quot; </li></ul></ul><ul><li>Fragmentation allows oversized packets to be split to fit on a smaller network </li></ul><ul><li>Reassembly is difficult </li></ul><ul><ul><li>Have to keep track of all fragments until packet is reassembled (Last fragment lost) </li></ul></ul><ul><ul><li>Resource allocation is necessary before all validation is possible (overlapping fragments) </li></ul></ul><ul><ul><li>Lots of fragments from different packets can exhaust available memory (Packet reassembly generate IP packet larger then legal size) </li></ul></ul><ul><ul><li>Perfect grounds for resource exhaustion attacks </li></ul></ul>Fragmentation Basics
  20. 20. Fragmentation Attack, countermeasures <ul><li>Firewalls and intrusion detection systems (IDS) may reassemble packets differently from how the attacked operating systems do it </li></ul><ul><ul><li>Perhaps rules are interpreted before reassembly is complete </li></ul></ul><ul><li>Fragrouter </li></ul><ul><ul><li>IDS evasion toolkit </li></ul></ul><ul><ul><ul><li>http:// packetstorm.widexs.nl/UNIX/IDS/nidsbench/fragrouter.html </li></ul></ul></ul><ul><ul><li>Fragment packets to trick firewalls and IDS </li></ul></ul><ul><ul><li>Dug Song (1999) </li></ul></ul>
  21. 21. Firewalls and Encryption do NOT protect against Web Application Vulnerabilities Only tool required is a web browser ! HTTP allowed through port 80
  22. 22. Problems <ul><li>Nearly 70-80% of all vulnerabilities being reported are web application vulnerabilities </li></ul><ul><li>Quickly becoming the Easiest way to compromise hosts </li></ul><ul><li>For web applications to properly work ,you have to allow traffic (port 80) through the firewall. </li></ul>
  23. 23. A Gartner study indicates that 75% of security breaches are due to flaws in software
  24. 24. Web Application Security Issues <ul><li>Web applications effectively extend an organization’s security perimeter </li></ul><ul><li>Easy accessibility for attackers as well </li></ul><ul><li>Over reliance on SSL </li></ul><ul><li>Most web-applications connect back to databases containing confidential information </li></ul><ul><li>Lack of security awareness amongst developers </li></ul>
  25. 25. What makes web apps so vulnerable? <ul><li>Unlike OS, Firewalls and Intrusion Detection Systems; applications vary from organization to organization. </li></ul><ul><li>Coding mistakes due to pressure to build and deploy system. </li></ul><ul><li>Special skills required to secure web apps </li></ul>
  26. 26. Misconceptions <ul><li>We are secure: we have a firewall </li></ul><ul><ul><li>Great at blocking ports </li></ul></ul><ul><ul><li>Does not detect malicious input </li></ul></ul><ul><li>We are secure: we use SSL </li></ul><ul><ul><li>Great at encrypting traffic </li></ul></ul><ul><ul><li>Does not validate application input </li></ul></ul>
  27. 27.
  28. 28. Web Application Security
  29. 29. Basic principle behind web app attacks <ul><li>“ Make the web application do something the developer never intended for it to do” </li></ul>
  30. 30. Basic principle behind web app attacks
  31. 31. Basic principle behind web app attacks
  32. 32. Problem: user input <ul><li>All user input is inherently evil </li></ul><ul><li>Malicious input can: </li></ul><ul><ul><li>Enable attacker to access your internal databases </li></ul></ul><ul><ul><ul><li>Damage limited only by privilege of data account </li></ul></ul></ul><ul><ul><li>Alter flow of your web applications </li></ul></ul><ul><ul><li>Allow attackers to use your website to launch attacks against other users </li></ul></ul>
  33. 33. Root Cause: Client input <ul><li>Attacks are injected through </li></ul><ul><li>Text based forms in Web pages </li></ul><ul><li>Manipulating URL addresses </li></ul><ul><li>Cookie tampering </li></ul><ul><li>Manipulation of hidden fields </li></ul>
  34. 34. Common vulnerabilities Cause crashing of a process Buffer Overflow Vulnerability What can an attacker do ? Parameter manipulation Change values of sensitive information Cross Site Scripting Impersonate a trusted site and steal user information SQL Injection Access all data in your database resulting in a total data breach
  35. 35. Buffer Overflows
  36. 36. Buffer Overflows
  37. 37. How to Avoid
  38. 38. Parameter manipulation
  39. 39. Parameter Manipulation <ul><li>Web pages are “stateless” i.e. they do not remember what data was on the previous page </li></ul><ul><li>Developers need some way to keep track or “persist” the data as users go from page to page </li></ul>Shopping Cart Product Details Order Details Check out
  40. 40. Parameter Manipulation <ul><li>Several ways to do this </li></ul><ul><li>Temporary databases </li></ul><ul><li>Cookies </li></ul><ul><li>User Sessions </li></ul><ul><li>Hidden Fields in Web pages </li></ul><ul><li>URLs </li></ul><ul><li>We’re concerned about Hidden Fields and </li></ul><ul><li>Cookies </li></ul>
  41. 41. Hidden Fields <ul><li>Developers use hidden fields to store data needed between pages. </li></ul><ul><li>These fields are not visible to the users </li></ul><input type=&quot;hidden&quot; id=“price” value=1000>
  42. 42. Hidden-field tampering <ul><li>Possible for an attacker to take advantage and change values stored in hidden fields </li></ul><ul><li>The technique </li></ul><ul><ul><li>Look for <input type=&quot;hidden&quot; … > tags </li></ul></ul><ul><ul><li>Submit bogus requests with modified value attributes </li></ul></ul><input type=&quot;hidden&quot; id=&quot;price“ value=&quot;10000.00&quot;> price=&quot;1.00&quot;
  43. 43. Hidden-field tampering <input type=&quot;hidden&quot; name=“txtprice1“ value=&quot;1000.00&quot;> <input type=&quot;hidden&quot; name=“txtprice2“ value=“500.00&quot;> Sample Shopping Cart
  44. 44. Hidden-field tampering <ul><li>Tamper Data : Firefox add-on which allows you to intercept and change values submitted by a page. </li></ul>
  45. 46. Hidden-field tampering Change the price ?
  46. 47. Hidden-field tampering <ul><li>Changing the value of the hidden price field gives us a rather steep discount ! </li></ul>
  47. 48. Cookies <ul><li>Same principle as Hidden Fields </li></ul><ul><li>Usually used by websites to “ Remember ” users when they re-visit a website </li></ul><ul><li>Cookies can contain following: </li></ul><ul><ul><li>UserIDs </li></ul></ul><ul><ul><li>Email Addresses </li></ul></ul><ul><ul><li>Discount values </li></ul></ul>
  48. 49. Cookies <ul><li>Same can be edited at the client side </li></ul>
  49. 50. Defending against parameter manipulation <ul><li>Do not: </li></ul><ul><ul><li>Store sensitive values on the client </li></ul></ul><ul><li>Do: </li></ul><ul><ul><li>Encrypt your data </li></ul></ul><ul><ul><li>Maintain sensitive data on the server </li></ul></ul><ul><ul><li>Validate input parameters </li></ul></ul>
  50. 51. Cross Site Scripting (XSS)
  51. 52. <ul><li>Allows attackers to inject their own malicious scripts onto web pages and have it executed by the user’s browser </li></ul><ul><li>Usually occurs when web pages display back the text that was entered by the user </li></ul>Cross Site Scripting (XSS) Welcome back Taimur ! Login failed for ‘ Taimur ’ Your search for ‘ Taimur ’ returned 0 results
  52. 54. What is cross site scripting? <ul><li>Vulnerability commonly seen in : </li></ul><ul><ul><li>Search results that display back the text that was entered </li></ul></ul><ul><ul><li>Error messages that display the text that caused the error </li></ul></ul><ul><ul><li>Forms which are filled out whose values are later displayed to the user </li></ul></ul><ul><ul><li>Web message boards where users can post messages </li></ul></ul>
  53. 55. What is cross site scripting? <ul><li>XSS allows attacker to: </li></ul><ul><ul><li>Perform malicious actions in a client’s Web browser </li></ul></ul><ul><ul><li>Perform Identity Theft </li></ul></ul><ul><ul><li>Spy on user’s web browsing habits </li></ul></ul><ul><ul><li>Redirect users to other sites </li></ul></ul><ul><ul><li>As of 2007, cross-site scripting carried out </li></ul></ul><ul><ul><li>On websites were roughly 80% of all </li></ul></ul><ul><ul><li>Documented security vulnerabilities </li></ul></ul>do it
  54. 56. How XSS attack can happen Response.Write(&quot;Welcome &quot; & Request.QueryString(&quot;UserName&quot;)) <ul><ul><li>www.vulnerable.asp?username=Taimur will display “ Welcome Taimur” </li></ul></ul><ul><ul><li>Web Application takes name as a parameter from website’s URL and displays it </li></ul></ul><ul><ul><li>Attacker abuses this by sending his own script in the [username] parameter which will be executed by the browser </li></ul></ul><ul><ul><li>www.vulnerable.asp?username=<script>alert(‘XSS’);</script> </li></ul></ul>
  55. 57. How XSS attack can happen <ul><ul><li>If parameter causes web application to display below message, XSS attack is successful : </li></ul></ul><ul><li>But these scripts are only being executed on the attackers own computer ? </li></ul><ul><li>Attacker now knows its possible it insert his own malicious scripts into the URL and have them executed by the web application </li></ul>
  56. 58. How XSS attack can happen <ul><li>Attacker now crafts a malicious URL sends this to a user via email to trick him into giving up his UserID and Passwords </li></ul>
  57. 59. Phishing attack via Cross Site Scripting 1. XSS Attack 2. Website vulnerable to XSS 5. Victim Information stolen 3. Create email with malicious hyperlink 4. Email Sent to victim
  58. 60. How XSS attack can happen <ul><ul><li>Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross Site Scripting attacks. In these cases, an attacker can post a message to the board which can be viewed by other users later on. </li></ul></ul>
  59. 61. XSS Worms <ul><li>Self-replicating XSS code usually found in social networking websites e.g. Orkut, Facebook, Myspace etc. </li></ul><ul><li>Abuses “ circle of trust ” concept to quickly infect user profiles </li></ul><ul><li>“ Samy ” Worm which infected MySpace in 2005 was able to infect 1 million profiles in 24 hours </li></ul>
  60. 62. Comparison of Samy with other worms First 24 hours of worm propagation
  61. 63. Defending against XSS <ul><li>Disable scripting (Not feasible) </li></ul><ul><li>Filter all user input before accepting it </li></ul><ul><li>Filter all user input before displaying it </li></ul><ul><li>Do not: </li></ul><ul><ul><li>Trust user input </li></ul></ul><ul><ul><li>Display on the page anything entered by the user unless you have validated it </li></ul></ul>
  62. 64. Defense tactics Write an HTMLEncode
  63. 65. HTML Protection <ul><li>Encoding user supplied output can also defeat XSS vulnerabilities by preventing inserted scripts from being transmitted to users in an executable form. Applications can gain significant protection from javascript based attacks by converting the following characters in all generated output to the appropriate HTML entity encoding: </li></ul>&#45; - &#43; + &#59;   ; &#37;   % &#35; # &#41; ) &#40; ( &apos; or &#39; ' &quot; or &#34; &quot; &amp; or &#38; & &gt; or &#62; > &lt; or &#60; < Encoding Character HTML Entities
  64. 66. Phishing counter-measures <ul><li>IE8 will have an XSS filter for protecting against cross site scripting attacks </li></ul>
  65. 67. NoScript <ul><li>Award winning Firefox add-on </li></ul><ul><li>All Javascript is blocked by default </li></ul><ul><li>User authorizes which Javascript will execute on the page </li></ul><ul><li>Cumbersome but easily the best browser based protection against XSS </li></ul>
  66. 68. SQL Injection
  67. 69. <ul><li>SQL stands for Structured Query Language and allows us to access a database </li></ul><ul><li>SQL can: </li></ul><ul><ul><li>retrieve data from a database </li></ul></ul><ul><ul><li>insert new records in a database </li></ul></ul><ul><ul><li>delete records from a database </li></ul></ul><ul><ul><li>update records in a database </li></ul></ul>What is SQL?
  68. 70. UserID: Test Password : 123 Select * from Users where UserID = ‘Test’ and Password = ‘123’; <ul><ul><li>Web Applications take user input and build an SQL statement which they send to the database </li></ul></ul>Drop example
  69. 72. UserID: Test; drop table users ; -- Password : 123 Select * from Users where UserID = ‘Test’; drop table users ; -- and Password = ‘123’; <ul><ul><li>Web Applications take user input and build an SQL statement which they send to the database </li></ul></ul>
  70. 73. What is SQL injection? <ul><li>The process of attacker adding his own SQL Statements in user input </li></ul><ul><li>Used by attackers to </li></ul><ul><ul><li>Gain confidential information (Credit Card numbers, Account details etc.) </li></ul></ul><ul><ul><li>Bypass authorization </li></ul></ul><ul><ul><li>Perform unauthorized updates </li></ul></ul><ul><ul><li>In worst case scenarios cause a total denial of service attack </li></ul></ul>
  71. 74. What is SQL injection? <ul><li>SQL statements “injected” into an existing SQL command </li></ul><ul><li>Injection occurs through : </li></ul><ul><ul><li>Input fields (e.g. UserID and Password entry) </li></ul></ul><ul><ul><li>Query string (values added to website’s URL) </li></ul></ul><ul><ul><li>Manipulated values in HTML </li></ul></ul>
  72. 75. Defaults or Vulnerable
  73. 76. How do attackers know? <ul><li>Insider Information </li></ul><ul><li>Trial and error </li></ul><ul><ul><li>Error messages often reveal too much </li></ul></ul><ul><ul><li>Malicious user can force an error to discover information about the database </li></ul></ul><ul><li>Inserting a simple ‘ into a login field can tell a hacker if a page is vulnerable of not </li></ul>
  74. 79. How do attackers know?
  75. 80. How do attackers know?
  76. 81. SQL Injection attack on U.N.
  77. 82. Worst case scenario <ul><li>With the right privileges the user can access ALL databases on the server </li></ul><ul><li>Once a malicious user can access the database, they are likely to use: </li></ul><ul><ul><li>xp_cmdshell - Access to the underlying OS </li></ul></ul><ul><ul><li>xp_grantlogin - Database users </li></ul></ul><ul><ul><li>xp_regread - Read registry keys </li></ul></ul>Find it
  78. 83. Some valid arguments by web-app owners <ul><li>“ What if my website doesn't connect to any critical database ?” </li></ul><ul><li>“ I don’t store any Credit Card numbers or personal information !” </li></ul><ul><li>“ There is no information to steal” </li></ul>
  79. 84. <ul><li>It gets worse … </li></ul>
  80. 85. Malware Infection via SQL Injection
  81. 86. The new landscape <ul><li>Lets take a look at the big picture </li></ul><ul><li>Malware easily poses one of the biggest security threats to both people and organizations today </li></ul>
  82. 87. Malware : Changing threat landscape <ul><li>Used to be about DOS attacks, bragging rights, website defacement </li></ul><ul><li>Has now become a full-fledged industry generating billions of dollars in revenue </li></ul><ul><li>Its now about making $$$$ </li></ul>
  83. 88. Malware : Changing threat landscape <ul><li>Attacker are motivated to find more and more ways to steal information and sell this on underground black markets </li></ul><ul><li>All this without drawing attention to themselves </li></ul><ul><li>What sort of information are we talking about ? </li></ul>
  84. 89. What’s for sale ?
  85. 90. Malware spreading techniques <ul><li>Email </li></ul><ul><li>Operating System vulnerabilities </li></ul><ul><li>Browser weaknesses </li></ul><ul><li>Remote Access Trojans </li></ul><ul><li>Phishing </li></ul><ul><li>Insecure Web Applications !! </li></ul>
  86. 91. SQL injection as a way to spread malware <ul><li>Identify a high profile website vulnerable to SQL injection </li></ul><ul><li>Launch an SQL injection attack that fills the database with malicious scripts . </li></ul><ul><li>These scripts will download malware (viruses, Trojans, worms, keyloggers etc.) from a remote server/location </li></ul><ul><li>Anytime the website is visited, the malicious script is executed and the visitor’s computer infected. </li></ul>
  87. 92. Check if website is vulnerable to SQL injection Insert malicious <Script> tags in database
  88. 93. Before Injection After Injection
  89. 94. User visits compromised website Malicious script embedded in the database is executed Malware is downloaded onto the user’s PC
  90. 95. U.S. Sony Playstation website incident <ul><li>In July 2008, Sony’s US based website was SQL injected to serve malicious script </li></ul><ul><li>Visitors would receive false warnings that their PC was infected with viruses and worms </li></ul><ul><li>Goal was to fool visitors into buying fake security products </li></ul>
  91. 96. Automated Mass SQL Injections <ul><li>Disturbing new trend which dominated 2008 </li></ul><ul><li>SQL injections are usually targeted attacks specifically tailored for each website. </li></ul><ul><li>Attackers have figured out a way to automate the process </li></ul>
  92. 97. Automated Mass SQL Injections <ul><li>Attackers use an automated utility to locate websites that are vulnerable to SQL injection. </li></ul><ul><li>Utility injects malicious scripts into the websites </li></ul><ul><li>Same attack as before but MASSIVE spread. Hundreds to thousands of websites can be compromised </li></ul>
  93. 98. Mass SQL injections
  94. 99. Mass SQL injections
  95. 100. Automated Mass SQL Injections
  96. 101. Automated Mass SQL Injections <ul><li>Sophos Security threat report for 2009 </li></ul><ul><ul><li>Biggest malware threats: SQL Injection attack against websites </li></ul></ul><ul><ul><li>Report predicts that SQL injection will be primary way of distributing web borne malware in the future </li></ul></ul><ul><li>Mass SQL Injection attacks dominated 2008 </li></ul>
  97. 102.
  98. 103.
  99. 104. Automated Mass SQL Injections http://www.microsoft.com/technet/security/advisory/954462.mspx
  100. 105. SQL Injection Defense <ul><li>It is quite simple: input validation </li></ul><ul><li>Check all input </li></ul><ul><li>Web Applications should not directly build SQL statements based on user input </li></ul><ul><li>This enables malicious input to be injected </li></ul>
  101. 106. SQL Injection Defense <ul><li>The real challenge is making best practices consistent through all your code </li></ul><ul><ul><li>Enforce &quot;strong design&quot; in new applications </li></ul></ul><ul><ul><li>You should audit your existing websites and source code </li></ul></ul>Set rs = cn. Execute(“Select * from Users where UserID = ‘” & request.form(“txtuserid”) & “’ and password = ‘” & request.form(“txtpassword”)”’”
  102. 107. Follow the Least Privilege principle <ul><li>Web Application should have least necessary privileges to access the database </li></ul><ul><li>Do not allow Web Application to access database with following accounts: </li></ul><ul><ul><li>“ SA”,”DBA”,High-privilege user account </li></ul></ul><ul><ul><li>Sys, System , Scott , MdSys, IIUSER_ORA </li></ul></ul><ul><li>Harden your Database Servers </li></ul>
  103. 108. SQL Injection Defense <ul><li>Fail intelligently i.e. Error messages should be customized NOT to display any information about what technology the web application is using. </li></ul>“ The application experienced an error and could not continue. The error has been logged for administrative purposes. Please click here to try again”
  104. 109. Implementing Web Application Security in your organization
  105. 110. Implementing Web App. Security <ul><li>By no means the task of a single person </li></ul><ul><li>Must be embraced at multiple levels </li></ul><ul><li>Each player must be aware of their responsibilities </li></ul>
  106. 111. The Web Developer
  107. 112. Role of the Web Developer <ul><li>Most critical (and most overlooked) role in web application security </li></ul><ul><li>Developers (unintentionally) introduce the majority of security bugs </li></ul><ul><li>Programmer’s job is to quickly develop and deploy the web application. NOT to make sure its secure </li></ul><ul><li>Security is seen as a delaying factor </li></ul>
  108. 113. Role of the Web Developer <ul><li>Developers must be trained regarding the following : </li></ul><ul><ul><li>Input validation as the key in defensive programming </li></ul></ul><ul><ul><li>Validating on the Server; NOT on the client </li></ul></ul><ul><ul><li>Remember the least privilege principal </li></ul></ul>
  109. 114. 25 most dangerous programming errors <ul><li>Released by SANS in January 12, 2009 </li></ul><ul><li>Consensus list amongst security experts of the 25 most dangerous programming errors that lead to security bugs </li></ul><ul><li>Intended as a reference for programmers and vendors on how to secure their code </li></ul>http://www.sans.org/top25errors/
  110. 115. 25 most dangerous programming errors <ul><li>We’ve already discussed some of these: </li></ul><ul><li>CWE-20: Improper Input Validation </li></ul><ul><ul><li>It's the number one killer of healthy software …… </li></ul></ul><ul><li>CWE-116: Improper Encoding or Escaping of Output </li></ul><ul><ul><li>root of most injection-based attacks…….. </li></ul></ul>
  111. 116. 25 most dangerous programming errors <ul><li>CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection') </li></ul><ul><ul><li>Attackers can influence the SQL that you use to communicate with your database </li></ul></ul><ul><li>CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') </li></ul><ul><ul><li>one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications... </li></ul></ul>And so on …
  112. 117. IT Management
  113. 118. Role of IT Management <ul><li>Build up your Developers and QA unit’s security skills through awareness/training </li></ul><ul><li>Ensure that QA staff also test web apps from a security perspective </li></ul>
  114. 119. Hacme Bank (www.foundstone.com) <ul><li>Training application with built-in vulnerabilities </li></ul><ul><li>Designed to teach developers / QA staff how to build secure software </li></ul>
  115. 120. The IT Auditor / IT Security Officer
  116. 121. Role of IT Security / IT Auditor <ul><li>Last line of defense against insecure web applications </li></ul>
  117. 122. Role of IT Security / IT Auditor <ul><li>Ensure that all web apps are subject to security reviews before deployment </li></ul><ul><li>Two levels of security reviews </li></ul><ul><ul><li>Web Application Security Scanning </li></ul></ul><ul><ul><li>Source Code review </li></ul></ul>
  118. 123. Security Testing <ul><li>“ Catch & Patch ” reactive approach </li></ul><ul><li>Can be cumbersome in an organization running hundreds of web applications </li></ul><ul><ul><li>Identify and prioritize high risk web applications </li></ul></ul><ul><li>For effectiveness both manual and automated testing should be performed </li></ul>
  119. 124. Commercial Scanners No. Security Scanner URL 1. Acunetix Web Vulnerability Scanner http://www.acunetix.com 2. Watchfire Appscan http://www.watchfire.com/products/appscan/default.aspx 3. Milescan Web Security Auditor http://www.milescan.com/hk/ 4. HP WebInspect software https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9570_4000_100__
  120. 125. Security Testing <ul><li>What automated scanning tools excel at: </li></ul><ul><ul><li>Testing for 100s of common vulnerabilities and misconfigurations that are impractical to test for manually. </li></ul></ul><ul><ul><li>Ability to schedule automated scanning/testing for off-production hours to avoid conflicts. </li></ul></ul>
  121. 126. Security Testing <ul><li>What automated scanners have problem with: </li></ul><ul><ul><li>Identifying a lack of authorization checking (when it should be applied but isn't) </li></ul></ul><ul><ul><li>Detailed exploits that require intelligent feedback and analysis </li></ul></ul><ul><ul><li>White box testing – Automated tools are most effective at ‘guessing’ and using known signatures to identify issues. Software code reviews may find many more lurking issues that the tools can not, especially with custom developed software. </li></ul></ul>
  122. 127. Security Testing <ul><li>Common Issues </li></ul><ul><ul><li>Testing can adversely impact a system being scanned. Performance issues and crashing can happen. It is usually difficult to know what the impact will be before scanning on any given web/app or database server. </li></ul></ul><ul><ul><li>The most rigorous testing usually requires special planning and may overload log files, set off IDS sensors and leave ‘junk’ application data. </li></ul></ul><ul><ul><li>Information overload and false positives. </li></ul></ul><ul><ul><li>COST !!! </li></ul></ul>
  123. 128. Freely available tools No. Security Scanner URL 1. Free Cross Site Scripting Scanner http://www.acunetix.com/cross-site-scripting/scanner.htm 2. Security Compass Tools http://www.securitycompass.com/exploitme.shtml 3. Microsoft Source Code Analyzer for SQL Injection http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en 4. HP Scrawlr (free tool for SQL injection) https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php?mcc=DNXA&jumpid=in_r11374_us/en/large/tsg/w1_0908_scrawlr_redirect/mcc_DNXA
  124. 129. Exploit-Me by Security Compass <ul><li>Exploit-Me is a suite of Firefox web application security testing tools designed to be lightweight and easy to use. </li></ul><ul><li>XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities. </li></ul><ul><li>SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities. </li></ul>http:// www.securitycompass.com/exploitme.shtml
  125. 130. Exploit-Me by Security Compass
  126. 131. Exploit-Me by Security Compass
  127. 132. Source Code Reviews <ul><li>Much more intensive than security testing </li></ul><ul><li>Nearly all web application security issues reside in the source code </li></ul><ul><li>Can find issues that security scanners will miss </li></ul><ul><li>One of the most neglected security areas </li></ul>
  128. 133. Global Information Security Survey – 2008
  129. 134. Review <ul><li>Code Review is a must ! </li></ul><ul><li>UserId = request.form(“txtuserid”) </li></ul><ul><li>Password = request.form(“txtpassword”) </li></ul><ul><li>If UserID = “ DEVELOPER ” then </li></ul><ul><ul><li>/* Give access to all modules */ </li></ul></ul><ul><ul><li>.. </li></ul></ul><ul><li>else </li></ul><ul><ul><li>String = “Select * from UserTable where UserId = ‘”& UserID & “’ and Password = ‘” & Password & “’” </li></ul></ul><ul><li>End if </li></ul>Eliminate backdoors
  130. 135. Source Code Reviews <ul><li>Source Code reviews are usually seen as unnecessary and a delaying factor </li></ul><ul><li>Make a business case for management </li></ul><ul><li>Remember that the earlier security is considered the cheaper and easier it will be to implement. </li></ul>
  131. 136. Cost of fixing a security flaw increases as software goes into Production
  132. 137. Sample Case Study <ul><li>Your organization’s corporate website is accessed by an attacker via SQL injection. Several 100’s of customer records are compromised. </li></ul><ul><li>How much would it cost to fix this during : </li></ul><ul><ul><li>Production ? </li></ul></ul><ul><ul><li>QA? </li></ul></ul>
  133. 138. Sample Case Study <ul><li>Costs to fix during Production : </li></ul><ul><ul><li>Application downtime ($) </li></ul></ul><ul><ul><li>Incident Response ($) </li></ul></ul><ul><ul><li>Consultancy ($) </li></ul></ul><ul><ul><li>Re-testing and validation ($) </li></ul></ul><ul><ul><li>Fines ($) </li></ul></ul><ul><ul><li>Customer good will (???) </li></ul></ul>
  134. 139. Sample Case Study <ul><li>Costs to fix during Source Code review: </li></ul><ul><ul><li>Zero ($) </li></ul></ul>Set rs = cn. Execute(“Select * from Users where UserID = ‘” & request.form(“txtuserid”) & “’ and password = ‘” & request.form(“txtpassword”)”’”
  135. 140. Microsoft Threat Modeling via STRIDE and DREAD
  136. 141. Threat Risk Modeling <ul><li>Risk Assessment methodology developed by Microsoft which is quickly gaining prominence </li></ul><ul><li>Aims to identify any security issues in a system before it is operational </li></ul><ul><li>Think like an attacker </li></ul><ul><li>The principal idea behind threat modeling is that you cannot build secure systems unless you understand your threats. </li></ul>© Toronto Area Security Klatch 200 7
  137. 142. Threat Risk Modeling <ul><li>Used primarily for web applications but can be applied to all systems </li></ul><ul><li>Allows you to apply a structured approach to system security and to address the top threats that have the greatest risk </li></ul><ul><li>Threat Modeling listed amongst the most- </li></ul><ul><li>wanted security skills of 2007 (and </li></ul><ul><li>beyond) ( www.csoonline.com ) </li></ul>© Toronto Area Security Klatch 200 7
  138. 143. Steps in Threat Modeling Identify Assets 1 Create an architecture overview 2 Decompose the application 3 Identify the threats (STRIDE) 4 Document the threats 5 Rate the threats (DREAD) 6
  139. 144. Threat Risk Modeling <ul><li>The output is a list of rated threats. The threat model helps you to focus on the most potent threats to the system. </li></ul>© Toronto Area Security Klatch 200 7 System Threat # 1 Threat # 2 Threat # 3 Threat # n
  140. 145. Step 1: Identify Assets <ul><li>Build a list of assets that require protection, including: </li></ul><ul><ul><li>Confidential data, such as customer databases </li></ul></ul><ul><ul><li>Web pages </li></ul></ul><ul><ul><li>System availability </li></ul></ul><ul><ul><li>Anything else that, if compromised, would prevent correct operation of your application </li></ul></ul>
  141. 146. Step 2: Create An Architecture Overview <ul><li>Identify what the application does </li></ul><ul><li>Identify the technologies </li></ul><ul><li>Create an application architecture diagram </li></ul>NTFS Permissions (Authentication) File Authorization URL Authorization .NET Roles (Authentication) User-Defined Role (Authentication) SSL (Privacy/Integrity) Trust Boundary Alice Mary Bob IIS Anonymous Authentication Forms Authentication IPSec (Private/Integrity) Trust Boundary ASPNET (Process Identity) Microsoft ASP.NET Microsoft Windows r Authentication Microsoft SQL Server™
  142. 147. Step 3: Decompose the Application <ul><li>Break down the application and understand the logic behind it </li></ul><ul><li>Examine interactions between different modules </li></ul><ul><li>Use DFD or UML diagrams </li></ul>
  143. 148. Step 4: Identify the threats <ul><li>In this step, threats that might compromise the system are identified through meetings/brainstorming sessions with project team members </li></ul><ul><li>Microsoft uses the STRIDE methodology for identifying known threats </li></ul>
  144. 149. STRIDE Methodology for Threat Identification <ul><li>A methodology for identifying and categorizing threats </li></ul><ul><li>“ Business” oriented – easier for non-technical persons to relate to </li></ul>© Toronto Area Security Klatch 200 7
  145. 150. Threat Identif./Categorization via STRIDE © Toronto Area Security Klatch 200 7 Types of threats Examples S poofing <ul><li>Forging e-mail messages </li></ul><ul><li>Replaying authentication packets </li></ul>T ampering <ul><li>Altering data during transmission </li></ul><ul><li>Changing data in files </li></ul>R epudiation <ul><li>Deleting a critical file and deny it </li></ul><ul><li>Purchasing a product and deny it </li></ul>I nformation disclosure <ul><li>Exposing information in error messages </li></ul><ul><li>Exposing code on Web sites </li></ul>D enial of service <ul><li>Flooding a network with SYN packets </li></ul><ul><li>Flooding a network with forged ICMP packets </li></ul>E levation of privilege <ul><li>Exploiting buffer overruns to gain system privileges </li></ul><ul><li>Obtaining administrator privileges illegitimately </li></ul>
  146. 151. Step 5: Document the Threats <ul><li>Document the threats identified using a standard template: </li></ul><ul><li>Leave Risk blank (for now) </li></ul>Threat Description Injection of SQL Commands Threat target SQL Server Backend database Risk Attack techniques Attacker appends SQL commands to user name, which is used to form a SQL query Countermeasures Filter all browser input for malicious characters, and use a stored procedure with parameters to access the database
  147. 152. Step 6: Rate the Threats <ul><li>Now that threats have been identified, they are required to be rated </li></ul><ul><li>We can use the standard formula: </li></ul><ul><ul><li>Risk = Probability * Damage Potential </li></ul></ul><ul><li> Problem is that above formula is usually too project simplistic for team members to agree on </li></ul>
  148. 153. Risk Ratings using DREAD Methodology <ul><li>Microsoft Uses the DREAD model to generate risk ratings: </li></ul><ul><ul><li>D amage potential : How great is the damage if this threat occurs </li></ul></ul><ul><ul><li>R eproducibility : How easy is it to reproduce the attack ? </li></ul></ul><ul><ul><li>E xploitability   : How easy is to launch the attack ? </li></ul></ul><ul><ul><li>A ffected users  : How many users are affected ? </li></ul></ul><ul><ul><li>D iscoverability : How easy is it locate this threat ? </li></ul></ul><ul><li>Each of the above can be ranked as High (1), Medium (2), Low (3) and added to get the total risk rating </li></ul>© Toronto Area Security Klatch 200 7
  149. 154. Risk Ratings using DREAD Methodology © Toronto Area Security Klatch 200 7 High (3) Medium (2) Low (1) D Damage Potential Attacker can completely compromise the system gaining full access Sensitive information might be leaked Leakage of trivial information R Reproducibility Attack can be reproduced every time and does not require some condition Attack can be reproduced only within a specific condition Attack is very difficult to reproduce E Exploitability Novice attacker can use this threat Skills required In-depth knowledge of system required A Affected Users All Users Some users Only specific users D Discoverability Information about this threat is available on the Internet It would take some time before attacker becomes aware of this vulnerability Highly unlikely that users will come across this security flaw
  150. 155. Risk Ratings using DREAD Methodology Sample DREAD Risk Rating Threat D R E A D Total Rating Injection of SQL commands 3 3 2 2 2 12 High Leakage of passwords through network monitoring 2 2 2 3 2 11 Medium Stealing of passwords through key loggers 2 3 3 2 3 14 High DREAD Risk Rating 5-7 Low Risk 8-11 Medium Risk 12-15 High Risk
  151. 156. Step 6: Rate the threats <ul><li>Threats identified in step 5 can now be rated </li></ul>Threat Description Injection of SQL Commands Threat target SQL Server Backend database Risk High Attack techniques Attacker appends SQL commands to user name, which is used to form a SQL query Countermeasures Filter all browser input for malicious characters, and use a stored procedure with parameters to access the database
  152. 157. Threat Risk Modeling <ul><li>Free Threat Modeling tool available from microsoft.com </li></ul>© Toronto Area Security Klatch 200 7
  153. 158. Resources
  154. 159. Open Web Application Security Project <ul><li>www.owasp.org </li></ul><ul><li>Web based community dedicated to web application security </li></ul><ul><li>Most popular documents are OWASP Guide and OWASP Top 10 vulnerabilities </li></ul>
  155. 160. OWASP Top 10 No. Vulnerability A1 Cross Site Scripting (XSS) A2 Injection Flaws A3 Malicious File Execution A4 Insecure Direct Object Reference A5 Cross Site Request Forgery (CSRF) A6 Information Leakage and Improper Error Handling A7 Broken Authentication and Session Management A8 Insecure Cryptographic Storage A9 Insecure Communications A10 Failure to restrict URL access
  156. 161. Hacking
  157. 162. Google <ul><li>Search Engine that drives the world </li></ul><ul><li>This amazing functionality can be used against an organization to gather information </li></ul><ul><li>Primary concern is with Information LEAKAGE </li></ul><ul><li>Used properly Google can be utilized as a security scanner </li></ul>
  158. 163. Google Hacking <ul><li>  Google syntax can be leveraged to run specific searches against an organization </li></ul><ul><li>Can be used to find </li></ul><ul><ul><li>Files containing password information </li></ul></ul><ul><ul><li>Web Email Access </li></ul></ul><ul><ul><li>Database files </li></ul></ul><ul><ul><li>Remote Access Servers </li></ul></ul><ul><ul><li>Web Servers such as IIS , Apache Servers etc. </li></ul></ul><ul><ul><li>Security Reports </li></ul></ul><ul><ul><li>Web Application vulnerabilities (SQL Injection, XSS etc.) </li></ul></ul>
  159. 164. Google Hacking <ul><li>Site: limits the search to a website of particular interest </li></ul><ul><li>Example : site:microsoft.com </li></ul>
  160. 165. Google Hacking <ul><li>InTitle: Searches within the title of a page </li></ul><ul><li>Example intitle:”Test Page for Apache” </li></ul>
  161. 166. Google Hacking <ul><li>intitle:”Welcome to Outlook Web Access” </li></ul>
  162. 167. Google Hacking <ul><li>intitle:”Welcome to IIS” </li></ul>
  163. 168. Google Hacking <ul><li>intitle:”Nessus Scan Report” “This file was generated by Nessus” </li></ul>
  164. 169. Google Hacking <ul><li>  Filetype: Limits search to particular file extensions </li></ul><ul><li>Example: “filetype:xls” </li></ul>
  165. 170. Google Hacking <ul><li>Filetype:xls UserID | Email </li></ul>
  166. 171. Google Hacking <ul><li>  inurl : Google searches within the url of a document </li></ul><ul><li>Example: inurl:5800 &quot;VNC Desktop&quot; </li></ul>
  167. 172. Google Hacking <ul><li>intitle:&quot;Remote Desktop Web Connection&quot; inurl:tsweb </li></ul>
  168. 173. How to protect yourself <ul><li>Have a policy in your organization regarding which information can be put on the web </li></ul><ul><li>Regularly run Google searches against your own organization’s web presence </li></ul><ul><li>Remove default administrative web pages </li></ul><ul><li>Use “ robots.txt ” file </li></ul>
  169. 174. Google Hacking Database <ul><li> http://johnny.ihackstuff.com/ghdb.php </li></ul>The Google Hacking Database (GHDB) is a complete collection of all known Google hacks contributed by the Google hacking community to the public. GHDB is one of the best resources available on the Internet for search engine hacking.
  170. 175. FoundStone's SiteDigger Tool <ul><li>Automated tool for running Google searches against your organization </li></ul><ul><li>Requires a Google License Key </li></ul><ul><li>Provides an extensive report of the target website, showing possible information leakage via Google Hacking. </li></ul>
  171. 176. Conclusion
  172. 177. Conclusion <ul><li>Two things have changed in the last few years </li></ul><ul><ul><li>Attackers are no longer targeting organizations for pride and ego but for profit </li></ul></ul><ul><ul><li>Software has become the primary target of exploitation </li></ul></ul><ul><li>Firwalls, SSL, Passwords etc. amount to nothing if your web application is insecure </li></ul>
  173. 178. Conclusion <ul><li>“2007 dollar figure of the actual cost of insecure software to the U.S. to be at least $180 billion per year” </li></ul>
  174. 179. Conclusion <ul><li>Never trust anything coming from the browser </li></ul><ul><li>Be on good terms with your developers </li></ul><ul><li>Integrate security within your software lifecycle </li></ul><ul><li>Security training for QA, Developers </li></ul><ul><ul><ul><ul><ul><li>And lastly … </li></ul></ul></ul></ul></ul>
  175. 180. Don’t become this guy !
  176. 181. Thanks for listening !

Notas do Editor

  • 09-06-09 class-a SQLRecon