It’s always better live. MSDN Events
Securing Web Applications
Part 1 of 2: Understanding Threats and Attacks
Challenges When Implementing Security
• Attacker needs to understand only one security issue
• Defender needs to secure all entry points
• Attacker has unlimited time
• Defender works with time and cost constraints
Attackers vs. Defenders
• Developers and management think that security does not add any business value
• Addressing security issues just before a product is released is very expensive
Security As an Afterthought
Security?
• Secure systems are more difficult to use
• Complex and strong passwords are difficult to remember
• Users prefer simple passwords
Security vs. Usability
Agenda
A Closer Look at Top Web Vulnerabilities:
• Cross Site Scripting
• Injection Flaws
• Malicious File Execution
• Insecure Direct Object Reference
• Cross Site Request Forgery (CSRF)
• Information Leakage and Improper Error Handling
• Broken Authentication and Session Management
• Insecure Cryptography
• Insecure Communications
• Failure to Restrict URL Access
Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/Top_10_2007
Cross Site Scripting (XSS)
What is Cross Site Scripting?
• Exploits applications that echo raw, unfiltered input to Web pages
• Malicious code is echoed back into the HTML
• Find a <form> field or query string parameter whose value is echoed to the Web page, put in malicious script, and get a user to navigate to the page
• Allows attackers to execute scripts
• Can hijack user sessions
• Deface web sites or insert hostile content
• Conduct phishing attacks
• Take over the user’s browser
Cross Site Scripting (XSS)
Three known types of cross site scripting:
• Reflected
• Stored
• DOM Injection
Cross Site Scripting (XSS)
Reflected
• A page reflects user supplied data directly back to the user
• Occurs when a site does not filter content before displaying it
• Allows hidden site details, such as session or authentication structure, to be captured and potentially utilized
Cross Site Scripting (XSS)
Stored / Sticky XSS
• Stores hostile / non-approved data in a file or a database
• It is sometimes assumed that stored data is inherently safe
• Internal attacks often exploit this assumption
• Dangerous to systems such as:
  Content Management Systems
  Blogs or forums
  Sites that allow users to see input by other users
Cross Site Scripting (XSS)
DOM based attacks
• JavaScript code is manipulated
• Attacks can be a blend of various attacks
• Generally carried out using JavaScript
• Allows attackers to manipulate the rendered page by manipulating the DOM tree
• Can allow form data hijacking
• Can occur without user interaction, in complete transparency
• Can utilize the XMLHttpRequest object (AJAX)
• Can compromise checkout information
Cross Site Scripting (XSS)
Cross Site Scripting Demo
• Discovery using Reflected Method
• Using Stored or Sticky Method
• Non-Persistent Attack via Email
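The reflected and stored cases described above, as an added illustration that is not part of the deck: the same search term rendered raw and output-encoded, plus a comment store that keeps input verbatim (the database is not a trust boundary) and encodes at render time. The payload, comment store and helper names are constructed for this example.

```python
import html

# Constructed payload, used only to show how the two renderers treat it.
PAYLOAD = "<script>alert(1)</script>"


def render_search_unsafe(term):
    # Reflected XSS: the query-string value is echoed straight into the markup.
    return f"<p>Results for: {term}</p>"


def render_search_safe(term):
    # Output-encode at the point of insertion; the browser then shows the
    # characters as text instead of parsing them as markup. quote=True also
    # encodes " and ' so the same call is safe inside attribute values.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


class CommentStore:
    """Stored XSS scenario: comments are saved exactly as submitted, so
    encoding must happen every time a comment is rendered, not on input."""

    def __init__(self):
        self._comments = []

    def add(self, author, text):
        self._comments.append((author, text))

    def render(self):
        # Author lands in an attribute, text in element content; both encoded.
        items = [f'<li data-author="{html.escape(a, quote=True)}">'
                 f"{html.escape(t, quote=True)}</li>" for a, t in self._comments]
        return "<ul>" + "".join(items) + "</ul>"


def contains_script_tag(page):
    # Crude check used by this demo: does the page still carry a <script> tag?
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_search_unsafe(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    store = CommentStore()
    store.add('x" onmouseover="alert(1)', PAYLOAD)
    print(store.render())
```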
Cross Site Request Forgery
Simple and Potentially Devastating
• Forces a logged-on victim’s browser to send a request to a vulnerable web application
• Then performs an action on behalf of the victim
• Occurs when authorization is performed solely on automatically submitted credentials such as:
  Session cookies
  Basic authorization credentials
  Source IP addresses
  SSL certificates
  Windows domain credentials
Cross Site Request Forgery
Cross Site Request Forgery Demo
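The CSRF condition above in Python, as an added example that is not part of the deck: a handler that authorizes on the session cookie alone accepts a request the victim's browser sends from another site, while a handler that also demands a per-session token (which a third-party page cannot read) rejects it. The in-memory session table and request shapes are constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory session table: session id -> session state.
SESSIONS = {}


def login(user):
    # Session id and anti-forgery token both come from a CSPRNG.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session_for(request):
    return SESSIONS.get(request["cookies"].get("sid"))


def transfer_cookie_only(request):
    # Vulnerable: authorizes on the session cookie alone. The browser attaches
    # that cookie to any request for this site, whichever page triggered it.
    if _session_for(request) is None:
        return 401
    return 200


def transfer_with_token(request):
    # Hardened: also requires the per-session token carried in the form body.
    # Same-origin policy keeps the token out of reach of other sites.
    sess = _session_for(request)
    if sess is None:
        return 401
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403
    return 200


def request_from_own_page(sid):
    # The site's own form carries the token it rendered into the page.
    return {"cookies": {"sid": sid},
            "form": {"to": "bob", "amount": "10", "csrf_token": SESSIONS[sid]["csrf"]}}


def request_from_other_site(sid):
    # What another site can make the victim's browser send: the cookie is
    # attached automatically, the token is absent.
    return {"cookies": {"sid": sid}, "form": {"to": "mallory", "amount": "1000"}}
```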
Injection Flaws
• SQL Injection flaws are common vulnerabilities
• Occur when external input is used in database commands
• The supplied data changes the command being executed
• Can allow attackers to create, read, update or delete data
• Can potentially compromise an entire application
Injection Flaws
Example exploit:
SELECT COUNT(*) FROM Users WHERE User = 'User' AND Password = 'Password'
• The query relies on user submitted information to perform the query
• Malicious code can be submitted, for example where the input is: ' or 1 = 1 --
  ' closes the preceding string in the SQL statement
  or 1=1 matches every record in the table
  -- comments out the remainder of the SQL statement
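The slide's query run both ways, as an added example that is not part of the deck: built by string concatenation, the input ' or 1 = 1 -- turns the WHERE clause into "... AND Password = '' or 1 = 1" and matches every row; with bound parameters the same input is only ever compared as data. The in-memory SQLite table and sample accounts are constructed for this example.

```python
import sqlite3

# The input discussed on the slide.
INJECTED = "' or 1 = 1 --"


def make_db():
    # Constructed in-memory Users table with two sample accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (User TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def count_matches_vulnerable(conn, user, password):
    # The slide's query built by concatenation: the input becomes part of the
    # SQL text, so quotes and comment markers in it change the statement.
    sql = ("SELECT COUNT(*) FROM Users WHERE User = '" + user
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_matches_parameterized(conn, user, password):
    # Same query with bound parameters: the driver sends the values separately
    # from the statement, so they can only ever be compared as data.
    sql = "SELECT COUNT(*) FROM Users WHERE User = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(count_matches_vulnerable(db, "nobody", INJECTED))     # 2: every row matched
    print(count_matches_parameterized(db, "nobody", INJECTED))  # 0: no such password
```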
Injection Flaws
SQL Injection Flaw Demos
• Adding an Admin Account
• Compromising Database Table Structure and Data
• Defacing a Website
Injection Flaws
Not limited to SQL Injection only:
• LDAP, XPATH, XXI, MX (Mail)
• HTML Injection (XSS)
• HTTP Injection (HTTP Response Splitting)
Malicious File Execution
• Occurs when the application is tricked into executing commands or creating files on the server
• The system allows potentially hostile input to be used with file or stream functions, such as URLs or file system references
• Can lead to arbitrary remote and hostile content being included or invoked by the server
• Allows for remote code execution
• Remote root installations or system compromises
Insecure Direct Object Reference
Occurs when an internal implementation object is exposed, such as a:
• File
• Directory
• Database record or key
• URL
• Form parameter
These can be manipulated if no access control check is in place
Insecure Direct Object Reference
• Applications expose internal objects to users
• Parameter tampering allows references to be changed
• Can violate the intended but unenforced access control policy
• Any exposed application construct could be vulnerable
• Code can be attacked when user input determines the location of the object
• Using input parameters such as ../../…/ can allow an attacker to traverse the file system
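Two checks that close the gaps described above, as an added example that is not part of the deck: a record lookup that accepts a direct reference only when the caller owns the record (and answers "missing" and "not yours" identically), and a file resolver that refuses any requested name whose resolved path escapes the base directory, which covers ../ sequences and absolute paths. The record table and paths are constructed for this example; the resolver needs Python 3.9+ for Path.is_relative_to.

```python
from pathlib import Path

# Constructed record store: id -> record. The id is a direct object reference;
# ownership is what the access control check has to verify.
RECORDS = {
    101: {"owner": "alice", "balance": 1200},
    102: {"owner": "bob", "balance": 80},
}


def get_record(current_user, record_id):
    # Accept the reference only if the caller owns the record. Returning None
    # for both "missing" and "not yours" stops the id space being probed.
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != current_user:
        return None
    return rec


def resolve_under(base_dir, requested):
    # Resolve the user-supplied name beneath base_dir and refuse any result
    # that is not strictly inside it. Path.resolve() collapses ".." segments
    # and follows symlinks, so the comparison is made on the real path.
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()   # an absolute 'requested' replaces base
    if target == base or not target.is_relative_to(base):
        return None
    return str(target)


if __name__ == "__main__":
    print(get_record("alice", 101))          # alice's own record
    print(get_record("alice", 102))          # None: owned by bob
    print(resolve_under("/srv/files", "reports/q1.txt"))
    print(resolve_under("/srv/files", "../../etc/passwd"))   # None: escapes base
```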
Insecure Direct Object Reference
Insecure Direct Object Reference Demo
• Accessing Source Code
• Accessing Sensitive Information
Information Leakage and Improper Error Handling
• Applications can unintentionally leak information about their configuration or internal workings
• They can leak state information
• Improper error handling exposes internal workings and implementation details:
  Stack traces
  Failed SQL statements
  Other debugging information
• This information can help an attacker successfully exploit other vulnerabilities
• This is an extremely common error and can occur if the web.config file is not properly configured
Information Leakage and Improper Error Handling
Information Leakage and Improper Error Handling DEMO
• Too Much Info on Login Attempts
• Too Much Error Information
Broken Authentication and Session Management
• Improper authentication and session management
• Use of pseudo-random session values
• Failing to protect credentials and session tokens after login
• Can lead to hijacking of user or admin accounts
• Undermines authorization and accountability controls
• Can cause privacy violations
Broken Authentication and Session Management
Generally ancillary functions cause problems, such as:
• Logout
• Password management
• Timeout
• Remember me
• Secret question
• Account update
Broken Authentication and Session Management
Broken Authentication and Session Management Demo
• Displaying Others’ Profile Information
Insecure Cryptographic Storage
• Correct use of data encryption tools is key to protection
• Flaws can lead to disclosure of sensitive data and compliance violations
• Some of the most common flaws include:
  Not encrypting sensitive data
  Insecure use of strong algorithms
  Usage of weak / homegrown algorithms, a.k.a. “encraption”
  Hard coding keys or not protecting them
Insecure Communications
• Unencrypted traffic can be sniffed
• An eavesdropper can access the conversation
• Potentially exposes sensitive information or credentials
• Could risk exposing the authentication or session token
• Traffic sniffers can access credentials or sensitive information
• Varies by network
• Not using SSL for each authenticated request
Failure to Restrict URL Access
• Generally URL protection is based on authentication
• Pages can still be accessed if not secured properly
• Security by obscurity is not sufficient
• Hidden URLs that are only available to certain users can be stumbled upon or discovered
• Client side privilege authentication
Failure to Restrict URL Access
Failure to Restrict URL Access Demo
Security by Obscurity