Web Security Overview - Lohika ASC team, 2009


Slide 2: Agenda
The Evolution of Web Applications
Common Web Application Functions ... 5
Server/Browser Information Flow and Vulnerabilities ... 6
The Security Aspects ... 8
Web Security Assessment Main Stages ... 10
Web Application Vulnerabilities - Top 10 ... 14
Path Manipulation Attack ... 21
Parameter Manipulation Attack ... 25
ASC Products Overview ... 36

Slide 3: The Evolution of Web Applications
Early days of the Internet:
- Web sites were static documents
- One-way information flow: Server -> Browser
- No authentication/authorization
- Low interest for malicious intruders: no sensitive information stored, everything in public view
- Typically attackers modified the files to deface the site
- Attackers used the server's storage and bandwidth to distribute "warez"
Current days:
- The majority of sites are web applications
- Web applications rely on two-way information flow: Server <-> Browser
- Web applications are different and complicated: different technologies, registration, login, financial transactions, web search, authoring of content by users, content generated on the fly, content tailored to a specific user
=> Security is a big issue!

Slide 4: The Evolution of Web Applications
Rapid evolution of web applications:
- No longer a set of static pages
- Rely on multiple technology layers and concepts to provide interactive content
- Replacing desktop applications in many areas
- Are used everywhere

Slide 5: Common Web Application Functions
1. Social Networking
2. Shopping
3. Auctions
4. Web mail
5. Banking
6. Web logs
7. Gambling
8. Web Search
9. Interactive information

Slide 6: Server/Browser Information Flow (diagram)
Components shown: Browser (External User), Firewall, HTTP Server, Auth Service, Web Service, Database, Browser (Internal User), Internal HTTP Server, Server Infrastructure. Two-way information flow: Server <-> Browser.

Slide 7: Server/Browser Information Flow and Vulnerabilities (diagram only; same components as slide 6)

Slide 8: The Security Aspect
Application security sometimes gets overlooked by Dev, QA or Operations teams for various reasons:
- Risks involved are underestimated or not fully realized
- Lack of competence
- Lack of time
Any business that relies on a vulnerable web application is potentially at risk of a major business impact with serious implications.
In recent years, web application security has become a focal point for security experts. Application attacks are constantly on the rise, posing new risks for the organization.

Slide 9: The Security Aspect - "This is a problem" (image only)

Slide 10: Web Security Assessment main stages

Slide 11: Map the Application's content

Slide 12: Analyze the Application
1. Identify functionality
2. Identify data entry points
3. Identify technologies
Attack Vectors (diagram)

Slide 13: Attack patterns and goals (image only)

Slide 14: Web Application Vulnerabilities Top 10
Injection
- Examples of injection flaws are SQL, XML, LDAP, HTTP header injection (cookies, requests) and OS command injection
- Attacks occur when untrusted data, such as a query, command or argument, is sent to an interpreter
- Vulnerable applications can be tricked into executing unintended commands or allowing the attacker to access and modify data
Cross Site Scripting
- There are three types of XSS attacks: stored, reflected and DOM-based
- XSS attacks occur when an application allows data that is not validated or escaped properly to be sent to a web browser
- Malicious scripts are executed in the victim's browser, allowing the attacker to hijack the user's session, steal cookies, deface web sites, redirect users to malicious web sites and remotely control the browser

Slide 15: Web Application Vulnerabilities Top 10 (Continued)
Broken Authentication and Session Management
- Users are impersonated due to leaks or flaws in the authentication process
- Attacks occur when a session ID is visible to others, timeouts are not properly set, SSL/TLS is not used, or any other flaw in the authentication scheme is detected
- Flaws used against one account may be replicated against an account with higher privileges
Insecure Direct Object References
- The attack occurs when an authorized user can change a parameter value that refers to a system object that they are not authorized for
- Almost any reference that can be reached by URL, including: references to files, paths, database keys, reflection by class name (e.g. JDBC connector class)
- Remote referencing includes: Web Services, CORBA, RMI, RPC

Slide 16: Web Application Vulnerabilities Top 10 (Continued)
Cross Site Request Forgery (CSRF)
- The attacker creates malicious code to generate a forged request that the attacker tricks the victim into submitting
- Forged requests can be hidden in image tags, XSS attacks and a number of other techniques
- CSRF attacks can complete any transaction that the victim is permitted to perform, such as accessing data, transferring funds or making purchases
Security Misconfiguration
- The attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have been addressed by proper configuration
- These attacks can result in a complete system compromise

Slide 17: Web Application Vulnerabilities Top 10 (Continued)
Failure to Restrict URL Access
- This attack takes place when an authorized user can simply change a URL to access a privileged page
- Attackers generally look for administrative functions on which to employ this attack
- Links can be obtained from: hidden fields, client-side code, robots.txt, configuration files, static XML files, directory access
Unvalidated Redirects and Forwards
- An unvalidated parameter allows an attacker to choose the destination page to which they wish to send a victim, to trick them into disclosing private information
- Victims trust these links because the link is to a valid site

Slide 18: Web Application Vulnerabilities Top 10 (Continued)
Insecure Cryptographic Storage
- The most common reason for this attack is that data that should be encrypted is stored in cleartext
- Can result from the poor use of encryption algorithms, such as using home-grown algorithms, insecure use of strong algorithms or the continued use of proven weak algorithms
- The use of weak or unsalted hashes to protect passwords is another common flaw that leads to this risk
Insufficient Transport Layer Protection
- Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication, so an attacker can monitor network traffic to steal an authenticated user's session cookie
- Poorly configured SSL certificates can lull a user into accepting warnings for legitimate sites, only to be tricked into accepting a phishing site's certificate
- Attacks can lead to account theft, phishing attacks and admin accounts being compromised

Slide 19: Path Manipulation attacks and Parameter Manipulation attacks

Slide 20: Attack Techniques
- Among the most dangerous and most common attack techniques are the following:

Slide 21: Path manipulation: 1. Directory Indexing
- Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory.
- The following information could be obtained based on directory indexing data:
- Note: the listing is produced when the directory does not contain the normal base file (index.html, home.html or default.htm).

Slide 22: Path manipulation: 2. Path Truncation
- Path truncation attacks are requests for known directories without filenames.
- This may cause directory listings to be displayed.
Example:
1. Given the following URL
2. truncating the path to look for
3. may cause the web server to reveal directory contents or to cause unhandled exceptions.

Slide 23: Path manipulation: 3. Path Traversal
- These attacks are expressions in the URI that cause the web server to display the contents of files above the webroot.
Example:
1. Given the following URL
2. Or the following
It can occur when the web application uses the string to specify a file location without first completely parsing out traversal characters.

Slide 24: Path manipulation: 4. Predictable Resource Location. Directory enumeration
- Directory enumeration lists all directory paths and possibilities on the application server, including hidden directories that could possibly contain sensitive information.

Slide 25: Parameter manipulation: Where can we find the entry points of a web application?
- HTTP GET request with query parameters
- HTTP POST request with parameters
- HTTP cookies
- Custom HTTP headers

Slide 26: Parameter manipulation: 1. Abnormal input. Parameter overflow
- Abnormal input attack strings are composed of characters that can cause unhandled exceptions.
- Unhandled exceptions often cause error messages to be displayed that disclose sensitive information about the application's internal mechanics.
- Source code may even be disclosed.
Example:
1. Given the following URL (where %00 is the poisonous null byte)
2. Or the following
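The path manipulation slides (21 to 23) and the null-byte case on slide 26 all come down to one server-side decision: which file, if any, a request path may be mapped to. The following is an added example, not code from the slides or from Lohika; it is written in Python so it runs offline, and the function names (resolve_request, build_demo_root) and the demo directory layout are assumptions made for the illustration. The check canonicalises the path before testing containment, refuses to answer a directory request with a listing, and rejects a decoded %00 rather than letting it truncate the name.

```python
import os
import tempfile
from urllib.parse import unquote

# Base files that the slides name as the reason a directory is not listed.
INDEX_FILES = ("index.html", "home.html", "default.htm")

def resolve_request(webroot, raw_path):
    """Map a request path to a file under webroot, or return None when the
    request must be refused. Covers the cases from slides 21-23 and 26:
    a path that escapes the web root, a truncated path naming a directory
    (never answered with a listing) and a poisonous %00 in the path."""
    path = unquote(raw_path)
    # Abnormal input: a NUL or other control character has no place in a
    # path; in C-based servers a NUL would silently truncate the string.
    if any(ord(c) < 0x20 for c in path):
        return None
    root = os.path.realpath(webroot)
    # Canonicalise after joining so '..' segments and symlinks are collapsed
    # before the containment check, instead of string-matching on '../'.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None  # path traversal: the target lies above the web root
    if os.path.isdir(candidate):
        # Directory indexing / path truncation: serve the normal base file if
        # present, otherwise refuse instead of generating a listing.
        for name in INDEX_FILES:
            index = os.path.join(candidate, name)
            if os.path.isfile(index):
                return index
        return None
    return candidate if os.path.isfile(candidate) else None

def build_demo_root():
    """Constructed web root for the demonstration (hypothetical, not a real
    site): index.html at the top, a docs/ file, a private/ directory with no
    base file, and a config file one level above the root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "private"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(root, "docs", "readme.txt"), "w") as f:
        f.write("docs")
    with open(os.path.join(root, "private", "secret.txt"), "w") as f:
        f.write("secret")
    with open(os.path.join(base, "outside.conf"), "w") as f:
        f.write("db password")  # what a traversal request tries to reach
    return root

if __name__ == "__main__":
    root = build_demo_root()
    for req in ("/", "/docs/readme.txt", "/private/", "/../outside.conf",
                "/%2e%2e/outside.conf", "/docs/readme.txt%00.html"):
        print(req, "->", resolve_request(root, req))
```

Note that /private/secret.txt still resolves, because it is a real file inside the root: this check decides only whether a path is well-formed and contained, and authorization for individual files is a separate decision.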

Slide 27: Parameter manipulation: 2. Brute Force authentication attack
- The brute force attack is a method of obtaining a user's authentication credentials.
- Using brute force, attackers attempt combinations of the accepted character set in order to find a specific combination that gains access to the authorized area.
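A brute force attack only works while the login endpoint keeps answering every guess. As an added example, not part of the slides, the following Python code shows a per-account lockout that stops the guess loop after a few failures, together with the salted, iterated password hashing that slide 18 calls for. The class and function names (LoginThrottle, attempt_login, make_user_store), the thresholds and the user store are assumptions chosen for the illustration; the clock is injectable so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

_DUMMY_SALT = b"\x00" * 16  # used so unknown logins cost the same time as real ones

def _hash(password, salt):
    # Salted PBKDF2: one cracking run no longer covers every account (slide 18).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(credentials):
    """Constructed user store for the demo: login -> (salt, password hash)."""
    store = {}
    for login, password in credentials.items():
        salt = os.urandom(16)
        store[login] = (salt, _hash(password, salt))
    return store

class LoginThrottle:
    """Per-account failure counter with a lockout window."""
    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # login -> consecutive failures
        self._locked_until = {}  # login -> clock value when the lock expires

    def is_locked(self, login):
        until = self._locked_until.get(login)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the state so the next attempt is judged fresh.
            del self._locked_until[login]
            self._failures.pop(login, None)
            return False
        return True

    def record_failure(self, login):
        count = self._failures.get(login, 0) + 1
        self._failures[login] = count
        if count >= self.max_attempts:
            self._locked_until[login] = self.clock() + self.lockout_seconds

    def record_success(self, login):
        self._failures.pop(login, None)
        self._locked_until.pop(login, None)

def attempt_login(throttle, store, login, password):
    """Returns "locked", "ok" or "denied". Unknown logins and wrong passwords
    get the same answer, so the response does not confirm which logins exist."""
    if throttle.is_locked(login):
        return "locked"
    entry = store.get(login)
    if entry is None:
        _hash(password, _DUMMY_SALT)  # keep the timing comparable
    else:
        salt, expected = entry
        if hmac.compare_digest(_hash(password, salt), expected):
            throttle.record_success(login)
            return "ok"
    throttle.record_failure(login)
    return "denied"

if __name__ == "__main__":
    throttle = LoginThrottle()
    store = make_user_store({"vlad": "correct-horse"})
    for guess in ("a", "b", "c", "d", "e", "correct-horse"):
        print(guess, "->", attempt_login(throttle, store, "vlad", guess))
```

During the lockout window even the correct password is refused, which is the point, but it also means an attacker can lock a known account out on purpose; in practice the per-account counter is paired with per-source rate limiting and monitoring of failure spikes rather than used alone.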

Slide 28: Parameter manipulation: 3. SQL injection
Incorrectly filtered escape characters: this form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.
Example: the normal login query:
    SELECT `id`,`login`,`pass` FROM `users` WHERE login='admin' AND pass='qwert';
- Identify the availability of SQL injection:
    ?login=aaa'   (get error: You have an error in your SQL syntax...)
- Simple injection with the 'OR true' construction (use "or 1=1" signatures):
    ?login=aaa' OR 1=1 OR 'bbb
  Resulting SQL query:
    SELECT `id`,`login`,`pass` FROM `users` WHERE login='aaa' OR 1=1 OR 'bbb' AND pass='qwert';

Slide 29: Parameter manipulation: 3. SQL injection (image only)

Slide 30: Parameter manipulation: 3. SQL injection
Example:
1. Given the following URL
2. After login the "Welcome Vlad to our site" message appears on the site page.
3. What happens if the user name is the following: OR 1=1 --&password=unknown
4. Of course, the SQL query becomes:
    SELECT `id`,`login`,`pass` FROM `users` WHERE login='anyuser' OR 1=1 --' AND pass='unknown';
5. You are logged in as anyuser!!!
(Text visible in the slide's screenshot: alert(document.cookie); ' or true#)
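Slides 28 and 30 show the injected queries but not the code that produces them or the fix. The following is an added example, not code from the slides or from Lohika; the slides' error message points at MySQL, but the example uses Python's built-in sqlite3 with a constructed in-memory users table so it runs offline (the function names login_vulnerable, login_safe and probe_reveals_sql_error are assumptions). The vulnerable function pastes the parameters into the statement exactly as the slides describe; the safe one sends them as bound parameters, so the same inputs are compared as plain text.

```python
import sqlite3

def make_db():
    """Constructed in-memory table mirroring the slides' SELECT `id`,`login`,`pass`
    FROM `users` query. Passwords are stored in clear text only to match the
    slides; a real store keeps salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users (login, pass) VALUES (?, ?)",
                     [("admin", "s3cret"), ("vlad", "qwert")])
    conn.commit()
    return conn

def login_vulnerable(conn, login, password):
    """Slide 28/30 style: the request parameters are pasted into the SQL text,
    so a quote in the login field changes the structure of the query.
    Returns the login of the first matching row, or None."""
    sql = ("SELECT id, login, pass FROM users WHERE login='%s' AND pass='%s'"
           % (login, password))
    row = conn.execute(sql).fetchone()
    return row[1] if row else None

def login_safe(conn, login, password):
    """Parameterised query: the statement is fixed and the values travel
    separately, so a quote, OR 1=1 or -- are just characters to compare."""
    row = conn.execute(
        "SELECT id, login, pass FROM users WHERE login=? AND pass=?",
        (login, password)).fetchone()
    return row[1] if row else None

def probe_reveals_sql_error(conn, login):
    """The detection step from slide 28: a lone quote makes the concatenated
    query malformed, and the database error is the tell. Returns True when the
    vulnerable function raises a database error for this login value."""
    try:
        login_vulnerable(conn, login, "x")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    conn = make_db()
    print("probe aaa' raises:", probe_reveals_sql_error(conn, "aaa'"))
    for user, pw in (("vlad", "qwert"),
                     ("aaa' OR 1=1 OR 'bbb", "qwert"),
                     ("anyuser' OR 1=1 --", "unknown")):
        print(repr(user), "vulnerable ->", login_vulnerable(conn, user, pw),
              "| safe ->", login_safe(conn, user, pw))
```

With string concatenation the slide 30 payload logs in as the first row of the table, here admin, because the WHERE clause is true for every row; with bound parameters the same input matches no row. The error raised by the probe is also what a production server should never echo to the client: a generic error page with the detail in the server log removes the tell the slide relies on.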

Slide 31: Parameter manipulation: 5. Cross Site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users.

Slide 32: Parameter manipulation: 5. Cross Site Scripting
Simple XSS Attack Example: Welcome Stefan

Slide 33: Parameter manipulation: 5. Cross Site Scripting
Input: alert("Attacked")
Result: Welcome alert("Attacked")

Slide 34: Parameter manipulation: 5. Cross Site Scripting
Example:
6. Try to log in under the following user name: alert(111); ' OR '1=1#&password=...
7. After login the "Welcome alert(111); ' OR '1=1# to our site" message appears in the HTML source of the page. As a result, a popup message box with "111" appears: it is XSS!!!
8. What happens if the user name is the following: alert(document.cookies); ' OR ='1
9. And what happens if the user name is the following: document.writeln(" " ); ' OR 1=1#
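The welcome message on slides 32 to 34 runs the script because the user name is written into the page as raw HTML. As an added example, not code from the slides or from Lohika, the following Python code builds that line both ways and adds the two controls a reviewer would look for: escaping at output time in the right context, and an HttpOnly session cookie so that a script which does run cannot read document.cookie (the function names, the payload strings and the cookie name are assumptions constructed for the illustration; the slides' own script tags did not survive the transcript, so the payload here is a constructed equivalent).

```python
import html

# Constructed payloads for the demonstration; the slides place the same kind of
# script in the user name field of the login form.
SCRIPT_PAYLOAD = "<script>alert(111);</script>"
ATTRIBUTE_PAYLOAD = 'Stefan" onmouseover="alert(111)'

def render_welcome_vulnerable(username):
    """Builds the 'Welcome <name> to our site' line by pasting the raw name into
    HTML, which is what lets a script in the user name run (slides 33-34)."""
    return "<p>Welcome %s to our site</p>" % username

def render_welcome_safe(username):
    """Same page, but the name is HTML-escaped at output time: '<', '>', '&' and
    quotes become entities and the browser shows them as text, not markup."""
    return "<p>Welcome %s to our site</p>" % html.escape(username, quote=True)

def render_profile_field_safe(username):
    """Attribute context: the value sits inside double quotes, so quote=True is
    what keeps a quote in the name from closing the attribute early and
    starting an event-handler attribute of its own."""
    return '<input name="user" value="%s">' % html.escape(username, quote=True)

def session_cookie_header(session_id):
    """Set-Cookie with HttpOnly: even if a script does run in the page,
    document.cookie (slide 34) does not expose the session id to it; Secure
    keeps the cookie off plain HTTP, which slide 18 also warns about."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax" % session_id

if __name__ == "__main__":
    print(render_welcome_vulnerable(SCRIPT_PAYLOAD))
    print(render_welcome_safe(SCRIPT_PAYLOAD))
    print(render_profile_field_safe(ATTRIBUTE_PAYLOAD))
    print(session_cookie_header("constructed-session-id"))
```

Escaping belongs at the point of output, not at the point of input, because the same stored name may later be written into an HTML body, an attribute, a JavaScript string or a URL, and each context needs its own encoding; a template engine that escapes by default makes the safe version the one that takes no extra effort.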

Slide 35: ASC Products Overview

Slide 36: Application Security Center Product Overview
- WebInspect
- QAInspect
- Assessment Management Platform (AMP)

Slide 37: Security Center Product Overview - Entire Suite (Security Inspect)

Slide 38: Q & A