Copyright Security-Assessment.com 2005 Exposing Web Vulnerabilities The State of Web Application Security by Nick von Dadelszen.

Slides:



Advertisements
Similar presentations
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Advertisements

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Copyright Security-Assessment.com 2005 From The Trenches (Australia) What We Are Seeing Within Security Today by Peter Benson.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Copyright Security-Assessment.com 2005 From The Trenches What we are seeing within security today by Nick von Dadelszen.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
07 December 2009Slide 1 of 1207 December 2009Slide 1 of 12 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
07 December 2009Slide 1 of 9 SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez.
Copyright Security-Assessment.com 2005 Internet Security and Fraud Current Online Trends by Nick von Dadelszen.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
The OWASP Foundation OWASP Chennai Phishing.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Norman SecureSurf Protect your users when surfing the Internet.
Martin Kruliš by Martin Kruliš (v1.0)1.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Introduction to Application Penetration Testing
Web Security Overview Lohika ASC team 2009
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Session 11: Security with ASP.NET
GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.
HTTP and Server Security James Walden Northern Kentucky University.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Penetration Testing James Walden Northern Kentucky University.
A Security Review Process for Existing Software Applications
CSC 2720 Building Web Applications Web Application Security.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
CIS 290 LINUX Security Basic Network Security “Chroot Jail”
Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/
Module 11: Securing a Microsoft ASP.NET Web Application.
Copyright Security-Assessment.com 2005 GoogleMonster Using The Google Search Engine For Underhand Purposes by Nick von Dadelszen.
Web Applications Testing By Jamie Rougvie Supported by.
Building Secure Web Applications With ASP.Net MVC.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
G CITRIXHACKIN. Citrix Presentation Server 4.5 New version is called XenApp/Server Common Deployments Nfuse classic CSG – Citrix Secure Gateway Citrix.
Copyright Security-Assessment.com 2004 Security-Assessment.com Advances in Web Application Hacking by Nick von Dadelszen.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
TOPIC: Web Security (Part-4)
Security: Exploits & Countermeasures
Riding Someone Else’s Wave with CSRF
Lecture 2 - SQL Injection
HACKIN G CITRIX.
Security: Exploits & Countermeasures
Security: Exploits & Countermeasures
Presentation transcript:

Copyright Security-Assessment.com 2005 Exposing Web Vulnerabilities The State of Web Application Security by Nick von Dadelszen

Copyright Security-Assessment.com 2005 Security-Assessment.com – Who We Are NZ’s only pure-play security firm Largest team of security professionals in NZ Offices in Auckland, Wellington and Sydney Specialisation in multiple security fields – Security assessment – Security management – Forensics / incident response – Research and development

Copyright Security-Assessment.com 2005 Web Application Trends Still seeing old issues – XSS, SQL injection, parameter manipulation New ways to find and exploit existing issues – Input validation, Google Move to hacking the client – Phishing, man-in-the-middle, trojans

Copyright Security-Assessment.com 2005 Examples Of New Attacks Null Byte Upload.Net XSS Filtering Bypass HTTP Header Manipulation

Copyright Security-Assessment.com 2005 Null Byte Upload 1 ASP has trouble handling Null bytes when using FileScripting Object Take the following HTML code: Your Picture:

Copyright Security-Assessment.com 2005 Null Byte Upload 2 Form posts to the following ASP code: Public Sub Save(Path) Set objFSO = Server.CreateObject("Scripting.FileSystemObject") Set objFSOFile = objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile + ".bmp")) ‘ Write the file contents objFSOFile.Close End Sub

Copyright Security-Assessment.com 2005 Null Byte Upload 3 If the POSTED filename contains a NULL byte, the FileSystem object only uses the information up to the NULL byte to create the file nc.exe test.bmp creates nc.exe in file system Must use Proxy to change filename WebScarab Handles Hex natively

Copyright Security-Assessment.com 2005

.Net XSS Filtering Bypass 1 ASP.Net 1.1 contains request Validation Built-in validators allow out-of-the-box protection for XSS and SQL injection Has a flaw allowing bypass of the filters Validator bans all strings in the form of <letter Close tags are allowed

Copyright Security-Assessment.com 2005.Net XSS Filtering Bypass 2 Bypass performed by adding a NULL byte between the < and the letter foo.bar/test.asp?term= alert('Vulnerable') Validator no longer sees this as an invalid tag and allows it through Browsers disregard NULL bytes when parsing so HTML code is still run

Copyright Security-Assessment.com 2005 HTTP Header Manipulation 1 HTTP Response headers are set by the server When user input is included in headers then an attacker can control those headers Examples of user input included in headers are: – Cookies – Redirections – Referer

Copyright Security-Assessment.com 2005 HTTP Header Manipulation 2 Standard redirect – Request: – – Response headers: – HTTP/ Object moved – Location: /index.html?query=test

Copyright Security-Assessment.com 2005 HTTP Header Manipulation 3 Header Insertion – Request: – %20Header:%20blah – Response headers: – HTTP/ Object moved – Location: /index.html?query=test – New Header: blah

Copyright Security-Assessment.com 2005 HTTP Header Manipulation 4 Malicious Redirect (Mozilla Only) – Request: – on:%20http:// Response headers: – HTTP/ Object moved – Location: /index.html?query=test – Location:

Copyright Security-Assessment.com 2005 Examples Of Other Recent Issues.Net authentication bypass tag escaping Use of TRACE to capture authentication credentials HTTP response splitting Session riding

Copyright Security-Assessment.com 2005.Net Authentication Bypass 1 ASP.Net provides built-in Forms-based authentication Web.config tells server when to require authentication – The following in web.config protects the /secure directory

Copyright Security-Assessment.com 2005.Net Authentication Bypass 2 Request to a page redirects to a login page – Using Mozilla the page is provided unauthenticated – Using IE the following request also works –

Copyright Security-Assessment.com 2005 GoogleMonster Using The Google Search Engine For Underhand Purposes

Copyright Security-Assessment.com 2005 Google Google is a great search tool – Trolls Internet searching for pages – Finds pages based on links – Finds even those pages you don’t want people to know about – Caches pages

Copyright Security-Assessment.com 2005 Simple Start We can use a standard Google search to find interesting pages such as indexes. – "index of /etc" – "index of /etc" passwd – "index of /etc" shadow Lots of irrelevant results

Copyright Security-Assessment.com 2005 Advanced Operators Google allows us to do more than just simple searching using advanced operators E.g. – filetype: – inanchor: – intext: – intitle: – inurl: – site: – intitle:index.of./etc passwd – filetype:mdb users.mdb

Copyright Security-Assessment.com 2005 Combining Operators We can combine multiple operators to create very specific searches – filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To" – "# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd

Copyright Security-Assessment.com 2005 Searching For Vulnerabilities We can use Google to search for specific web vulnerabilities – +"Powered by phpBB " -phpbb.com -phpbb.pl – inurl:citrix/metaframexp/default/login.asp? ClientDetection=On

Copyright Security-Assessment.com 2005 Enter the GHDB GHDB = Google Hacking Database Over 900 unique search criteria for finding information Created and maintained at johhny.ihackstuff.com

Copyright Security-Assessment.com 2005 Targeting Websites We can use the site: operator to restrict queries to a particular domain This allows an attacker to use Google to test a site for vulnerabilities without actually touching that site. Enter Wikto – Web Server Assessment Tool

Copyright Security-Assessment.com 2005

Protecting Against Client Attacks Will Two-Factor Authentication Help?

Copyright Security-Assessment.com 2005 What is Two-Factor Authentication Many different types of two-factor – One-time passwords Password-generating token (SecureID, Vasco) SMS tokens Scratch pads – Client-side Certificates Smart cards USB keys – Biometrics

Copyright Security-Assessment.com 2005 The Trouble With Two-Factor Designed for small user base Has a usability cost No clear market leader Potentially large implementation costs Will not stop all attacks – Man-in-the-middle – Intelligent Trojans

Copyright Security-Assessment.com 2005 The Weakness Of SSL Relies on trust Tells you that you have a secure session with A website, not THE website Certificates can be faked Root certificates can be installed – MarketScore Allows for Man-in-the-middle and IDN attacks

Copyright Security-Assessment.com 2005 MITM vs Two-Factor

Copyright Security-Assessment.com 2005 Will Two-Factor Help? Does increase security Makes attacks harder Will require attacks to be more focused Must be a business decision – Amount of security required – Cost vs benefit

Copyright Security-Assessment.com 2005 Defence Against Client Attacks Authentication is the key – Client authentication – Server authentication Users must protect themselves – Don’t use public terminals – Anti-virus – Firewall – Automatic updates

Copyright Security-Assessment.com 2005 Questions?