Web application security Sebastian Lopienski CERN Deputy Computer Security Officer Openlab/summer student lectures 2013.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
OWASP Web Vulnerabilities and Auditing
SEC835 OWASP Top Ten Project.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Workshop 3 Web Application Security Li Weichao March
PHP Security.
OWASP Zed Attack Proxy Project Lead
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
The OWASP Way Understanding the OWASP Vision and the Top Ten.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Computer and Software Security Sebastian Lopienski CERN Deputy Computer Security Officer openlab and summer student lectures 2014.
Web Application Security Sebastian Lopienski CERN Computer Security Team Summer/openlab students lectures 2012.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Applications Testing By Jamie Rougvie Supported by.
Building Secure Web Applications With ASP.Net MVC.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies.
CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45.
Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.
Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.
Intro to Web Application Security. iHostCodex Web Services - CEO Project-AG – CoFounder OWASP Panay -Chapter Leader -Web Application Pentester -Ethical.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.
Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
SECURE DEVELOPMENT. SEI CERT TOP 10 SECURE CODING PRACTICES Validate input Use strict compiler settings and resolve warnings Architect and design for.
Group 18: Chris Hood Brett Poche
Building Secure ColdFusion Applications
Web Application Vulnerabilities
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
TOPIC: Web Security (Part-4)
World Wide Web policy.
A Security Review Process for Existing Software Applications
Presentation transcript:

Web application security Sebastian Lopienski CERN Deputy Computer Security Officer Openlab/summer student lectures 2013

2 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Focus on Web applications – why? Web applications are: often much more useful than desktop software => popular often publicly available easy target for attackers –finding vulnerable sites, automating and scaling attacks easy to develop not so easy to develop well and securely often vulnerable, thus making the server, the database, internal network, data etc. insecure

3 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Threats Web defacement  loss of reputation (clients, shareholders)  fear, uncertainty and doubt information disclosure (lost data confidentiality) e.g. business secrets, financial information, client database, medical data, government documents data loss (or lost data integrity) unauthorized access  functionality of the application abused denial of service  loss of availability or functionality (and revenue) “foot in the door” (attacker inside the firewall)

4 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team An incident in September 2008

5 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team HTTP etc. – a quick reminder Web browser (IE, Firefox…) Web server (Apache, IIS…) GET /index.html HTTP/1.1 HTTP/ OK POST login.php HTTP/1.1 Referer: index.html […] username=abc&password=def HTTP/ OK Set-Cookie: SessionId=87325 GET /list.php?id=3 HTTP/1.1 Cookie: SessionId=87325 HTTP/ OK Executing PHP login.php executing JavaScript

6 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Google hacking Finding (potentially) vulnerable Web sites is easy with Google hacking Use special search operators: (more at –only from given domain (e.g. abc.com): site:abc.com –only given file extension (e.g. pdf): filetype:pdf –given word (e.g. secret) in page title: intitle:secret –given word (e.g. upload) in page URL: inurl:upload Run a Google search for: intitle:index.of.bash_history -inurl:https login "Cannot modify header information" "ORA-00933: SQL command not properly ended" Thousands of queries possible! (look for GHDB, Wikto) for your favourite domain: site:domain.com

7 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team OWASP Top Ten OWASP (Open Web Application Security Project) Top Ten flaws –A1 Injection –A2 Broken Authentication and Session Management –A3 Cross-Site Scripting (XSS) –A4 Insecure Direct Object References –A5 Security Misconfiguration –A6 Sensitive Data Exposure –A7 Missing Function Level Access Control –A8 Cross-Site Request Forgery (CSRF) –A9 Using Components with Known Vulnerabilities –A10 Unvalidated Redirects and Forwards

8 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team A1: Injection flaws Executing code provided (injected) by attacker –SQL injection –OS command injection –LDAP, XPath, SSI injection etc. Solutions: –validate user input –escape values (use escape functions) –use parameterized queries (SQL) –enforce least privilege when accessing a DB, OS etc. cat confirmation | mail cat /etc/passwd | mail select count(*) from users where name = ’$name’ and pwd = ’anything’ or ’x’ = ’x’; ’ -> \’

9 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Similar to A1: Malicious file execution Remote, hostile content provided by the attacker is included, processed or invoked by the web server Remote file include (RFI) and Local file include attacks: include($_GET["page"]. ".php"); └ > include("home.php"); └ > include(" └ > include("C:\ftp\upload\exploit.png"); Solution: validate input, harden PHP config string ends at %00, so.php not added

10 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team A2: Broken authn & session mgmt Understand session hijacking techniques, e.g.: –session fixation (attacker sets victim’s session id) –stealing session id: eavesdropping (if not https), XSS Trust the solution offered by the platform / language –and follow its recommendations (for code, configuration etc.) Additionally: –generate new session ID on login (do not reuse old ones) –use cookies for storing session id –set session timeout and provide logout possibility –consider enabling “same IP” policy (not always possible) –check referer (previous URL), user agent (browser version) –require https (at least for the login / password transfer)

11 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team A3: Cross-site scripting (XSS) Cross-site scripting (XSS) vulnerability –an application takes user input and sends it to a Web browser without validation or encoding –attacker can execute JavaScript code in the victim's browser –to hijack user sessions, deface web sites etc. Reflected XSS – value returned immediately to the browser alert("XSS"); Persistent XSS – value stored and reused (all visitors affected) Solution: validate user input, encode HTML output

12 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team A4: Insecure Direct Object Reference Attacker manipulates the URL or form values to get unauthorized access –to objects (data in a database, objects in memory etc.): (your cart) (someone else’s cart ?) –to files: -> home.php -> /etc/passwd Solution: –avoid exposing IDs, keys, filenames to users if possible –validate input, accept only correct values –verify authorization to all accessed objects (files, data etc.) string ends at %00, so.php not added

13 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team A7: Missing Function Level Access Control “Hidden” URLs that don’t require further authorization –to actions: (even if requires authorization) –to files: Problem: missing authorization Solution –add missing authorization –don‘t rely on security by obscurity – it will not work!

14 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team A8: Cross-site request forgery Cross-site request forgery (CSRF) – a scenario –Alice logs in at bank.com, and forgets to log out –Alice then visits a evil.com (or just webforums.com), with: –Alice‘s browser wants to display the image, so sends a request to bank.com, without Alice’s consent –if Alice is still logged in, then bank.com accepts the request and performs the action, transparently for Alice (!) There is no simple solution, but the following can help: –expire early user sessions, encourage users to log out –use “double submit” cookies and/or secret hidden fields –use POST rather than GET, and check referer value

15 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Client-server – no trust Security on the client side doesn’t work (and cannot) –don’t rely on the client to perform security checks (validation etc.) –e.g. is not enough –authentication should be done on the server side, not by the client Don’t trust your client –HTTP response header fields like referrer, cookies etc. –HTTP query string values (from hidden fields or explicit links) –e.g. in an online shop can (and will!) be abused Do all security-related checks on the server Don’t expect your clients to send you SQL queries, shell commands etc. to execute – it’s not your code anymore Put limits on the number of connections, set timeouts

16 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Advice Protect code and data – make sure they can’t be simply accessed / downloaded: –password files (and other data files) –.htaccess file (and other configuration files) –.bak,.old,.php~ etc. files with application source code Forbid directory indexing (listing) in Apache: Options –Indexes

17 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Harden the Web server strip-down the system configuration –only necessary packages, accounts, processes & services patch OS, Web server, and Web applications –use automatic patching if available use a local firewall –allow only what is expected (e.g. no outgoing connections) harden Web server configuration –incl. programming platform (J2EE, PHP etc.) configuration run Web server as a regular (non-privileged) user use logs –review regularly, store remotely

18 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Programming in PHP Read Disable allow_url_fopen and allow_url_include Disable register_globals Use E_STRICT to find uninitialized variables Disable display_errors Don’t leave phpinfo() files in the production version –Google search: intitle:phpinfo filetype:php

19 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Web scanning tools – how they work 1. Crawling2. Scanning3. Reporting

20 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Web scanning - HTTP requests /etc/passwd c:\\boot.ini../../../../../../../../../../etc/passwd../../../../../../../../../../boot.ini a;env a);env /e ¿'"( sleep(4)# 1+and+sleep(4)# ')+and+sleep(4)=' "))+and+sleep(4)=" ;waitfor+delay+'0:0:4'-- "));waitfor+delay+'0:0:4'-- benchmark(1000, MD5(1))# 1))+and+benchmark( ,MD5(1))# pg_sleep(4)-- "))+and+pg_sleep(4)-- fake_alert("TbBPEYaN3gA72vQAlao1") |+ping+-c+4+localhost run+ping+-n+3+localhost &&+type+%SYSTEMROOT%\win.ini ;+type+%SYSTEMROOT%\win.ini `/bin/cat+/etc/passwd` run+type+%SYSTEMROOT%\win.ini b"+OR+"81"="81 C:\boot.ini %SYSTEMROOT%\win.ini C:\boot.ini%00.php %SYSTEMROOT%\win.ini%00.php d'z"0 echo+'mlYRc'+.+'buwWR'; print+'mlYRc'+++'buwWR' Response.Write("mlYRc+buwWR") import+time;time.sleep(4); Thread.sleep(4000);

21 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Wapiti – sample results rame><script>alert('qf3p4bpva2')</script>&amp ;main=experiments/documents.php index="></frame><script>alert('qf3p4bpva2' )</script>&main=experiments/documents.php XSS (index)

22 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Skipfish – sample results

23 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Security tools that are disabled, or impossible to use Things to avoid

24 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Summary understand threats and typical attacks validate, validate, validate (!) do not trust the client read and follow recommendations for your language use web scanning tools harden the Web server and programming platform configuration

25 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team An incident in September 2008

26 Creating Secure SoftwareSebastian Lopienski, CERN Computer Security Team Thank you! Any questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.