WEB SYSTEM. Components of a Generic Web Application System.

WEB SYSTEM

Components of a Generic Web Application System

URL Mappings to the Web Application System

Web Application Architecture

Web Server vs Web Application
- Web Server:
  - Serves client requests and forwards them to the proper application for further processing (e.g. IIS, Apache, thttpd, etc.)
- Web Application:
  - Uses a programming language (e.g. ASP, PHP, Java, .Net, Perl or C) to implement business logic and serve the client
- A Web Application does not run without a Web Server
- A Web Server does run without a Web Application (serving static content)
- A Web Application system should be considered to contain:
  - Web Server and underlying OS
  - Web Application code
  - Backend Server

Web Server Vulnerability
- Can be identified by:
  - Port scan for web-related ports (TCP 80, 443, etc.)
  - Vulnerability scanner (Whisker.pl, N-Stealth, Nikto.pl and others)
- Example: IIS
  - File system traversal vulnerability
  - Unicode and superfluous decode vulnerability
  - Various buffer overflows in ISAPI filters (.ida, .printer, WebDAV, etc.)
- Impact:
  - Usually the attacker can take over the system running the web server

Web Application Vulnerability
- Vulnerability in the web application itself
- Can be identified by:
  - Source code review
  - Application testing
    - Automatic scanner
    - Manual testing
- Examples:
  - SQL or command injection
  - E-shop lifting
  - Passport reset-password flaw
- Impact:
  - Data confidentiality and integrity breached
  - System compromised

Flowchart for a One-Way Web Hack
- We need two things to make an effective attack:
  - Interactive terminal access
  - Ability to transfer files

Step 1: Finding the Entry Point
- URL parsing vulnerability
  - Unicode / double decode attack
  - tem32\cmd.Exe+c:\inetpub \scripts
- Parameter parsing vulnerability
  - Example: script uses open() insecurely
  - bin/news.cgi?story= txt|cp+/bin/sh+/usr/local/apache/cgi-bin/sh.cgi
- SQL injection
- Etc.
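As a defender-side counterpart to the entry points listed above, an added example (not from these slides) that normalizes request paths the way a permissive server would, so that Unicode and double-decode traversal attempts can be flagged in server logs; the overlong-sequence table and the sample log lines are constructed for this example.

```python
"""Defender-side check: flag encoded directory-traversal requests in web server logs."""
import re
from urllib.parse import unquote

# Overlong UTF-8 forms of '/' and '\' that permissive servers once accepted as path
# separators (table constructed for this example; %c0%af and %c1%9c are the classic ones).
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}
SHELLS = ("cmd.exe", "/bin/sh", "/bin/bash")
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def normalize_path(raw, rounds=2):
    # Decode the way a permissive server might: repeated percent-decoding
    # (so %255c -> %5c -> \) plus overlong UTF-8, then unify separators.
    path = raw
    for _ in range(rounds):
        path = path.lower()
        for seq, sep in OVERLONG.items():
            path = path.replace(seq, sep)
        path = unquote(path)
    return path.replace("\\", "/")

def escapes_root(path):
    # True when '..' segments climb above the document root (query string ignored).
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify(line):
    # Reasons a log line looks like a traversal or shell-invocation attempt.
    m = REQ.search(line)
    if not m:
        return []
    path = normalize_path(m.group(1))
    reasons = ["traversal"] if escapes_root(path) else []
    if any(s in path for s in SHELLS):
        reasons.append("shell")
    return reasons

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [01/Jan/2001:10:00:01 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2001:10:00:02 +0000] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
]
```

Feeding each line of a real access log through `classify` gives a first-pass alert list; the point is that matching on raw, still-encoded text would miss both encoded variants.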

Invoking the Command Interpreter

Invoking the Command Interpreter, cont'd
- Care must be taken to get cmd.exe to receive commands properly
  - Content-Length must be right
  - Remember to run the "exit" command
- Make a script to automate POSTing commands
- This can be done for /bin/sh, too

Web Based Command Prompt
- POSTing commands isn't desirable
  - We want to run commands interactively
  - And we don't want to trip an IDS or get blocked by a firewall
- Solution: web based command prompt

Web Based Command Prompt (WCP)

Installing the Web Based Command Prompt
- How do we get our script on the server?
- Use our script for POSTing commands
- Script files: write to a file one line at a time using "echo"
  - Script files usually don't need extra permissions
- Binary files: on certain shells you can echo arbitrary characters to a file
  - echo -e "\x0B\xAD\xC0\xDE\x0B\xAD\xC0\xDE\x0B\xAD\xC0\xDE" > file

Uploading Files
- We'd also like to upload files to the server
- FTP, NFS, NetBIOS aren't good to use, for obvious reasons
- Create a file uploader script in your favorite language
- Get it on the server the same way as the web based command prompt

Now what?
- Now we can do all sorts of fun stuff!!!
- Find source code of web apps
- Find server configuration files
- Try to perform privilege elevation attacks that work locally
- Screw with the database

Hacking IIS5(windows 2000 server) via unicode bug  Cari file html disimpan

Hacking IIS5(windows 2000 server) via unicode bug  Jalankan cmd.exe

Hacking IIS5(windows 2000 server) via unicode bug  Copy file cmd.exe

Hacking IIS5(windows 2000 server) via unicode bug  IT’S SHOW TIME..

Hacking IIS5(windows 2000 server) via unicode bug  Deface time

SQL Injection  Hackers typically test for SQL injection vulnerabilities by sending the application input that would cause the server to generate an invalid SQL query.  If the server then returns an error message to the client, the attacker will attempt to reverse-engineer portions of the original SQL query using information gained from these error messages.  The typical administrative safeguard is simply to prohibit the display of database server error messages. Regrettably, that’s not sufficient.  If your application does not return error messages, it may still be susceptible to “blind” SQL injection attacks.

Solution
- To secure an application against SQL injection, developers must never allow client-supplied data to modify the syntax of SQL statements.
- In fact, the best protection is to isolate the web application from SQL altogether.
- All SQL statements required by the application should be in stored procedures and kept on the database server.
- The application should execute the stored procedures using a safe interface such as JDBC's CallableStatement or ADO's Command object.
- If arbitrary statements must be used, use PreparedStatements.
- Both PreparedStatements and stored procedures compile the SQL statement before the user input is added, making it impossible for user input to modify the actual SQL statement.
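An added example, not from these slides, that puts the concatenated query the slides warn about beside its parameterized form, using Python's sqlite3 driver on a constructed in-memory table; JDBC PreparedStatement and ADO Command objects bind values the same way, parsing the statement before the value is attached.

```python
"""Concatenated vs parameterized query, demonstrated on an in-memory SQLite table."""
import sqlite3

def make_db():
    # Constructed sample data: three users, one with a quote in the name.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return con

def find_user_unsafe(con, name):
    # Client data is spliced into the statement text, so it can change the syntax.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def find_user_safe(con, name):
    # The statement is parsed first and the driver binds the value afterwards,
    # so whatever the client sends is only ever compared as a string.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()

def demo():
    con = make_db()
    out = {}
    out["unsafe_normal"] = find_user_unsafe(con, "bob")
    # A tautology turns the lookup into "return every row".
    out["unsafe_tautology"] = find_user_unsafe(con, "x' OR '1'='1")
    # A lone quote produces the invalid query whose error message the slides
    # warn about; with error display on, the attacker learns query structure.
    try:
        find_user_unsafe(con, "o'brien")
        out["unsafe_quote"] = "no error"
    except sqlite3.OperationalError as e:
        out["unsafe_quote"] = "error: " + str(e)
    # The parameterized form neither breaks nor widens the lookup.
    out["safe_tautology"] = find_user_safe(con, "x' OR '1'='1")
    out["safe_quote"] = find_user_safe(con, "o'brien")
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Stored procedures give the same protection only while they avoid building dynamic SQL from their arguments internally.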

Web Application Vulnerability
- Application Design
- Application Implementation
- Application Deployment
- Infrastructure Configuration

Application Design
- Vulnerability introduced at the application design stage
- Examples:
  - Weak password (policy)
  - No protection (encryption) of confidential data
  - Bad choice of cryptography
  - Weak authentication/authorization mechanism

Application Deployment
- Transition of application state (e.g. from test to production)
- Did not strip out information:
  - Test/guest accounts
  - Test information
  - Debug configuration
  - Account/password information
- No audit/test before deployment
  - Deployed a bugged version
  - Exposed the test environment

Find Web Application Vulnerability
- How do you find web application vulnerabilities today?
- Raise your hand if you use an automatic tool!
- Raise your hand if you use manual testing!
- Raise your hand if you don't use any of them!

Assessment Plan
- Do you know what will be tested?
- Do you have control to add or delete tests?
- Who is making the plan?
- What is the methodology?
- What is the knowledge base?

Accuracy
- How accurate is the result?
- Can any tool identify "ANY" of the case studies we are going to talk about?
- Is it confused by your customized error page?
- Can it log in to your HTML form-based authentication application?
- Can it assess authorization or access control problems?

Accountability & Traceability
- Can you verify or reproduce any single vulnerability found?
- How easy/hard would that be?
- Can you identify the risk brought to you by the vulnerability?
- Can you change/define how the risk is calculated?