Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Presentation transcript:


Agenda
 Evolving Threats
  – Operating System
  – Application
  – User Generated Content
 JPL's Application Security Program
 Securing Web Applications
  – Common vulnerabilities
  – Prevention techniques
  – Security testing tools
 Summary

10 Years ago…
 Operating System Attacks
  – Direct attacks
  – Buffer Overflow
  – Denial of Service
 Mitigation
  – System administrators got quicker at patch management
  – Vendors started releasing fixes quicker
  – Firewalls had better protection

3 years ago…
 Application Threats
  – Hackers moved up a level, from the OS to the application
  – Directed attacks against SSH, Apache web servers and SQL database servers
 Mitigation
  – SAs got quicker at patch management
  – Vendors started releasing fixes quicker
  – Firewalls had better protection
  – IT Security started scanning applications, not just operating systems

Today…
 User Content Threats
  – Hackers moved up one more level, from the application itself to the content within the application
  – Attacking user content
  – User-generated code: SQL injection, Cross Site Scripting
  – Neither SAs nor vendors know how to fix user code
 Mitigation
  – Help users become security aware
  – Security in the lifecycle
  – Scan code

Half of the Security Incidents involved Applications
 Problem:
  – In 2008, 49% of the JPL security incidents involved application vulnerabilities (shown in red).

Agenda
 Evolving Threats
  – Operating System
  – Application
  – User Generated Content
 JPL's Application Security Program <<
 Securing Web Applications
  – Common vulnerabilities
  – Prevention techniques
  – Security testing tools
 Summary

JPL's Application Security Program
 Security Guidelines
 Training & Awareness
 Security in Lifecycle
 Scanning Tools
 App Security Registry

JPL Application Security Program
 Security Guidelines
  – Programming languages: PERL, ColdFusion, Java
  – Security checklists
 Training & Awareness
  – Developer training courses: Web Application Security, Online AppSec Training tutorials
  – Quarterly Application Security Newsletter

Application Security Program
 Security in Lifecycle
  – IT Security checklist
  – Security process
 Security Scanning tools
  – AppScan: web application testing, static source code analysis

Application Security Program
 Application Security Registry
  – Inventory of applications
  – Technical information about applications for security purposes
  – Identifies the responsible personnel for each application in the inventory

Agenda
 Evolving Threats
  – Operating System
  – Application
  – User Generated Content
 JPL's Application Security Program
 Securing Web Applications <<
  – Common vulnerabilities
  – Prevention techniques
  – Security testing tools
 Summary

Common Web Vulnerabilities
 Open Web Application Security Project (OWASP) Top 10 list
  – Identifies the most common vulnerabilities
 Top vulnerability categories
  – Injection flaws
  – Cross site scripting flaws

Injection Flaws
 Allow attackers to execute malicious code through a web application or other system
  – Access to the OS via shell commands
  – Access to the backend database through SQL: SQL Injection

Injection Flaws
 SQL Injection
  – Application receives input from a user
  – Input is sent as part of a database query
  – Allows malicious users to execute commands on the database
 Occurs due to:
  – Improper input validation
  – Over-privileged database logins

Potential Effects of SQL Injection
 Complete access to the database
 Bypass of authentication controls
 Potential command-line access on the database machine

SQL Injection Example
 Vulnerable query:
  – SELECT user FROM Users where loginName = '$User' and LoginPassword = '$Password'
 Injected query:
  – Attacker input: $Password = ' OR 1 = 1 --
  – SELECT user FROM Users where loginName = 'jsmith' and LoginPassword = 'Demo1234' OR 1 = 1 --'
  – The injected quote closes the password literal, OR 1 = 1 makes the WHERE clause true for every row, and the -- comment discards the closing quote that the application appends

SQL Injection Example
 Injected query: attacker's extra input to the password field: ' OR 1 = 1 --

SQL Injection Example
 Application vulnerable to SQL injection

Preventing SQL Injection
 Use parameterized queries
 Use input validation
 Use low-privileged database accounts
 Limit error messages
 See the OWASP SQL Injection Prevention Cheat Sheet
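The login query from the SQL Injection Example slide and its parameterized replacement, as an added Python example (not code from the talk). It assumes an in-memory sqlite3 table named Users with the slide's columns and one constructed row; the attacker input is the slide's ' OR 1 = 1 --.

```python
import sqlite3

# Constructed stand-in for the talk's Users table (column names from the slide).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, loginName TEXT, LoginPassword TEXT)")
    conn.execute("INSERT INTO Users VALUES ('John Smith', 'jsmith', 'correct-horse')")
    conn.commit()
    return conn

def build_vulnerable_sql(user, password):
    # The slide's vulnerable query: user input is spliced into the SQL text,
    # so a quote in the password changes the structure of the statement.
    return ("SELECT user FROM Users where loginName = '" + user +
            "' and LoginPassword = '" + password + "'")

def login_vulnerable(conn, user, password):
    # Returns the matched user names; with ' OR 1 = 1 -- it matches every row,
    # because AND binds tighter than OR and -- comments out the trailing quote.
    return [row[0] for row in conn.execute(build_vulnerable_sql(user, password))]

def login_parameterized(conn, user, password):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so the password is compared literally and never parsed as SQL.
    sql = "SELECT user FROM Users where loginName = ? and LoginPassword = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]

if __name__ == "__main__":
    db = make_db()
    injected = "Demo1234' OR 1 = 1 --"
    print(build_vulnerable_sql("jsmith", injected))
    print("vulnerable:", login_vulnerable(db, "jsmith", injected))      # ['John Smith']
    print("parameterized:", login_parameterized(db, "jsmith", injected))  # []
```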

Testing Tools for SQL Injection
 SQL Inject Me – Firefox add-on
 Other tools
  – Absinthe
  – Paros

Testing Tool for SQL Injection
 Absinthe

Cross-site scripting (XSS)
 Tricks the browser into executing code
  – JavaScript, VBScript, ActiveX, HTML, or Flash can be injected into a vulnerable application
 Application receives input from the user
 Input is returned to the user without being sanitized

Potential Effects of XSS
 Redirection
 Web page contents modified
 Scripting commands executed
 Cookies compromised

XSS Example
 Input string: alert("XSS")

Preventing XSS
 Filter meta characters and scripting/object tags (<script> and <object>)
 Use encoding: HTML encode or URL encode
 Detailed information on XSS prevention: OWASP XSS Prevention Cheat Sheet
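The HTML-encode and URL-encode advice above applied to the slide's alert("XSS") input, as an added Python example (not code from the talk). The page fragments, the attribute context and the example.invalid URL are constructed; the input is the slide's string wrapped in a script tag so that the raw reflection actually carries markup.

```python
import html
from urllib.parse import quote

# Constructed untrusted input: the slide's alert("XSS") inside a script tag.
UNTRUSTED = '<script>alert("XSS")</script>'

def reflect_raw(value):
    # What the vulnerable application does: echoes input straight into the page,
    # so the browser parses the script tag and runs it.
    return "<p>You searched for: " + value + "</p>"

def reflect_html_encoded(value):
    # HTML body context: html.escape turns < > & " ' into entities, so the
    # browser displays the text instead of interpreting it as markup.
    return "<p>You searched for: " + html.escape(value, quote=True) + "</p>"

def reflect_in_attribute(value):
    # Attribute context: quote=True matters here; an unescaped " would close
    # the attribute and let the remainder be parsed as new markup.
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'

def reflect_in_url(value):
    # URL context: percent-encode so the value cannot introduce new query
    # parameters or markup when the link is rendered or followed.
    return "https://example.invalid/search?q=" + quote(value, safe="")

def contains_script_tag(page):
    # Simple check used to show which reflections still carry live markup.
    return "<script" in page.lower()

if __name__ == "__main__":
    for fn in (reflect_raw, reflect_html_encoded, reflect_in_attribute, reflect_in_url):
        out = fn(UNTRUSTED)
        print(fn.__name__, contains_script_tag(out), out)
```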

Testing Tool for XSS
 Paros Proxy

Summary
 Changes in threats require keeping pace with changes
 Secure web applications by
  – Fixing common web vulnerabilities
  – Using prevention techniques
  – Using security testing tools

Resources
 Open Web Application Security Project (OWASP)
 OWASP SQL Injection Prevention Cheat Sheet
 OWASP XSS Prevention Cheat Sheet
 Tools
  – Paros
  – SQL Inject Me
  – Absinthe

QUESTIONS?