Post on 04-Jan-2016

Web Application Threats and Remediation

Terry Labach, IST Security Team

WatITis | Strengthening Collaboration | December 8, 2009 | Web Application Threats and Remediation

IST Security Team


The problem

While we use firewalls and other means to prevent attackers from accessing our networks, we encourage access to our web sites, literally inviting miscreants to attack us

Complex web application systems contain flaws that attackers can use for a variety of nefarious purposes


Risks

Loss of confidential data
Vandalism of web sites
Financial theft
Denial of service
Spread of spam or viruses
Damaged reputation


OWASP Top Ten for 2010

A1 Injection
A2 Cross Site Scripting (XSS)
A3 Broken Authentication and Session Management
A4 Insecure Direct Object References
A5 Cross Site Request Forgery (CSRF)
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects and Forwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport Layer Protection


SANS Institute

PHP Remote File Include
SQL Injection
Cross-Site Scripting (XSS)
Cross-site request forgeries (CSRF)


General principles

Specify what is allowed, not what is forbidden
Use software engineering best practices (no cowboy coders)
Test applications fully
Test environments must duplicate production environments
Test bad input, not just good input


Trust no one


Example attacks


Failure to restrict URL access

OWASP A6
Includes elements of data leakage
Attackers can access documents through URLs that should be protected


Preventing data leakage

Permissions, server settings and .htaccess can help, but it is best to prevent unneeded files from being present at all
Limit development to dedicated machines; publish only final files to the production server


Cross-site scripting (XSS)

OWASP A2
Crafted URLs can allow scripts to be run by the client's browser
This can result in victims:
Having authentication credentials stolen
Being redirected to malicious web sites


Preventing cross-site scripting

Sanitize all user input
Remove meta-characters, e.g. " ' ` < >
Characters may be encoded, so it is best to remove anything not obviously harmless (e.g. anything outside a-zA-Z0-9)
Foreign language support opens a pathway to inject meta-characters
Validation must be done on the server end; validation done in the browser (e.g. through Javascript) can be bypassed
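The slide's allow-list rule in working form, as an added example that is not part of the original deck: a deny-list of the listed meta-characters is compared with an allow-list of a-zA-Z0-9 on constructed inputs, including an encoded form and full-width (foreign-language) angle brackets that slip past the deny-list. The 64-character bound, the sample inputs and the output-escaping fallback are assumptions added here.

```python
import html
import re

# Allow-list from the slide: only a-zA-Z0-9 counts as "obviously harmless".
# The length bound is an assumption added here, not from the slide.
ALLOWED = re.compile(r"[a-zA-Z0-9]{1,64}")

# Deny-list of the slide's meta-characters, kept only to show why it is weaker.
META_CHARS = set("\"'`<>")


def denylist_check(value: str) -> bool:
    """Weak check: accept unless a listed meta-character appears literally."""
    return not any(ch in META_CHARS for ch in value)


def allowlist_check(value: str) -> bool:
    """Server-side check: accept only input made entirely of allowed characters.

    Run it on the value the application actually uses, after the framework has
    decoded the request. An encoded '<' (%3C) is rejected either way: decoded,
    it is a literal '<'; undecoded, the '%' is itself outside the allow-list.
    """
    return ALLOWED.fullmatch(value) is not None


def escape_for_html(value: str) -> str:
    """Fallback for fields that must accept free text (names such as O'Brien):
    encode at output so the browser treats the value as text, not markup."""
    return html.escape(value, quote=True)


def compare(samples):
    """Return {sample: (deny-list accepts, allow-list accepts)} for a batch."""
    return {s: (denylist_check(s), allowlist_check(s)) for s in samples}


# Constructed sample inputs, not from the original slides.
SAMPLES = [
    "alice42",              # harmless
    "<script>",             # literal meta-characters
    "%3Cscript%3E",         # URL-encoded: slips past the deny-list
    "\uff1cscript\uff1e",   # full-width '<' and '>': the foreign-language pathway
]

if __name__ == "__main__":
    for sample, (deny_ok, allow_ok) in compare(SAMPLES).items():
        print(f"{sample!r:24} deny-list accepts={deny_ok} allow-list accepts={allow_ok}")
```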


Broken Authentication

OWASP A3
Authentication of users can be faked or credentials stolen to allow access to resources


Preventing authentication theft

Don’t pass authentication information in hidden fields


SQL injection

OWASP A1
SQL commands are entered in user input fields
If allowed to become part of the query to the back-end database, this can result in data theft, or manipulation or vandalism of data


Preventing injection attacks

Sanitize user input
Use appropriate data types and enumerations instead of text fields
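The two remediation bullets above carried through in code, as an added example that is not from the original deck: a lookup that splices the input field into the SQL text is shown beside one that enforces the integer data type and binds the value as a parameter, and a role lookup that accepts only an enumerated value. The in-memory SQLite table, the sample rows and the role set are constructed for this example.

```python
import sqlite3

ROLES = {"admin", "staff"}  # enumeration of permitted values (assumed here)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample table; not from the original slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "staff"), (3, "carol", "staff")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the raw input field is spliced into the SQL text, so
    whatever the user typed is parsed by the database as part of the query."""
    sql = f"SELECT name FROM users WHERE id = '{user_id}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Remediated: enforce the data type first (an id is an integer, not free
    text), then bind it as a parameter so the database never parses it as SQL."""
    try:
        id_value = int(user_id)
    except ValueError:
        return []  # rejected before it reaches the database
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (id_value,))
    return sorted(row[0] for row in rows)


def list_by_role_safe(conn: sqlite3.Connection, role: str) -> list:
    """Enumeration instead of a text field: only a known role value is
    accepted, and even that is passed as a bound parameter."""
    if role not in ROLES:
        return []
    rows = conn.execute("SELECT name FROM users WHERE role = ?", (role,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = setup_db()
    tainted = "1' OR '1'='1"   # constructed input containing SQL
    print("vulnerable:", lookup_vulnerable(db, tainted))   # every user
    print("safe:      ", lookup_safe(db, tainted))         # nothing
    print("by role:   ", list_by_role_safe(db, "staff"))
```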


Automated Vulnerability Scanning

Hackers can perform vast numbers of typical attacks using automated processes to identify likely targets

The good guys can do the same, and a number of vendors provide such solutions

IBM AppScan was selected after a lengthy evaluation process

IST Security Team will provide web application scans as a service


IBM AppScan


Resources

Security information
OWASP: www.owasp.org
SANS Institute (SysAdmin, Audit, Network, Security): www.sans.org
Jeremiah Grossman: www.whitehatsec.com/home/resource/grossman.html


Resources

Vendors
IBM (AppScan): www.ibm.com/software/awdtools/appscan/
Cenzic (Hailstorm): www.cenzic.com
HP (WebInspect): www.hp.com
WhiteHat: www.whitehatsec.com


Questions and Comments