June 14, 2007 Web Application Security Workshop James Walden.

Slides:



Advertisements
Similar presentations
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Advertisements

SEC835 OWASP Top Ten Project.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Workshop 3 Web Application Security Li Weichao March
OWASP Zed Attack Proxy Project Lead
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
A Security Review Process for Existing Software Applications
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
CSC 2720 Building Web Applications Web Application Security.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
May 2, 2007St. Cloud State University Software Security.
Web 2.0 Security James Walden Northern Kentucky University.
August 1, The Software Security Problem August 1, 2006.
Attacking Applications: SQL Injection & Buffer Overflows.
CGI Security COEN 351. CGI Security Security holes are exploited by user input. We need to check user input against Buffer overflows etc. that cause a.
Cross-Site Attacks James Walden Northern Kentucky University.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
Injection CSC 482/582: Computer SecuritySlide #1.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Web Applications Testing By Jamie Rougvie Supported by.
Building Secure Web Applications With ASP.Net MVC.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Crash Course in Web Hacking
CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Web Application Vulnerabilities
CSC 482/582: Computer Security
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
TOPIC: Web Security (Part-4)
World Wide Web policy.
SQL Injection.
Security.
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Presentation transcript:

June 14, 2007 Web Application Security Workshop James Walden

April 12, 2007 About the Speaker Background Ph.D. from Carnegie Mellon University 10 years of secure development experience. Gives workshops in secure programming and software security at a variety of conferences. Assistant Professor at NKU Specialize in software security. 4 years experience teaching security.

April 12, 2007 What is web application security? The art and science of developing web applications that function correctly even when under attack.

April 12, 2007 Firewalls don’t protect web apps Firewall Port 80 HTTP Traffic Web Client Web Server Application Database Server

April 12, 2007 What is web application security? It’s more than just cryptography. SSL won’t solve all your problems. It’s more than securing the web server. Web applications have their own problems. It’s more than application firewalls. Firewall can’t know every safe action at every possible state in your application.

April 12, 2007 The source of the problem “Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.” John Viega & Gary McGraw

April 12, 2007 Penetrate and Patch Discover flaws after deployment. Often by attackers. Users may not deploy patches. Patches may have security flaws (15%?) Patches are maps to vulnerabilities. Attackers reverse engineer to create attacks.

April 12, 2007 A Growing Problem

April 12, 2007 Vulnerability Trends for 2006

April 12, 2007 Web Application Vulnerabilities Input-based Security Problems Injection Flaws Insecure Remote File Inclusion Unvalidated Input Authentication and Authorization Cross-Site Scripting Authentication Access Control Other Bugs Error Handling and Information Leakage Insecure Storage Insecure Communications

April 12, 2007 Injection Injection attacks trick an application into including unintended commands in the data send to an interpreter. Interpreters Interpret strings as commands. Ex: SQL, shell (cmd.exe, bash), LDAP, XPath Key Idea Input data from the application is executed as code by the interpreter.

April 12, 2007 SQL Injection 1. App sends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--

April 12, 2007 SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: ". mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = mysql_query($query);

April 12, 2007 SQL Injection Attack Example Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.

April 12, 2007 Impact of SQL Injection SELECT SSN FROM USERS WHERE UID=‘$UID’ INPUTRESULT 5Returns info for user with UID 5. ‘ OR 1=1--Returns info for all users. ‘ UNION SELECT Field FROM Table WHERE 1=1-- Returns all rows from another table. ‘;DROP TABLE USERS-- Deletes the users table. ‘;master.dbo.xp_c mdshell ‘cmd.exe format c: /q /yes’ -- Formats C: drive of database server if you’re running MS SQL Server and extended procedures aren’t disabled.

April 12, 2007 SQL Injection Demo

April 12, 2007 Impact of SQL Injection 1. Leakage of sensitive information. 2. Legal consequences of losing PII. 3. PR consequences of losing PII. 4. Modification of sensitive information. 5. Loss of sensitive information. 6. Denial of service against db server.

April 12, 2007 The Problem: String Building Building a SQL command string with user input in any language is dangerous. Variable interpolation. String concatenation with variables. String format functions like sprintf(). String templating with variable replacement.

April 12, 2007 Mitigating SQL Injection Ineffective Mitigations Blacklists Stored Procedures Effective Mitigations Whitelists Prepared Queries

April 12, 2007 Ineffective Mitigation: Blacklist Filter out known bad SQL metacharacters, such as single quotes. Problems: 1. Numeric parameters don’t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. 4. Did you miss any metacharacters? 5. 2 nd Order SQL Injection.

April 12, 2007 Ineffective Mitigation: Stored Procedures SQL Stored Procedures build strings too: CREATE PROCEDURE nchar(128) AS nchar(256) = ‘SELECT cc FROM cust WHERE id=‘’’ + ‘’’’ RETURN

April 12, 2007 Mitigation: Whitelist Reject input that doesn’t match your list of safe characters to accept. Identify what’s good, not what’s bad. Reject input instead of attempting to repair. Still have to deal with single quotes when required, such as in names.

April 12, 2007 Mitigation: Prepared Queries require_once 'MDB2.php'; $mdb2 =& MDB2::factory($dsn, $options); if (PEAR::isError($mdb2)) { die($mdb2->getMessage()); } $sql = “SELECT count(*) from users where username = ? and password = ?”; $types = array('text', 'text'); $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP); $data = array($username, $password); $sth->execute($data);

April 12, 2007 Insecure Remote File Inclusion Insecure remote file inclusion vulnerabilities allow an attack to trick the application into executing code provided by the attacker on another site. Dynamic code Includes in PHP, Java,.NET DTDs for XML documents Key Idea Attacker controls pathname for inclusion.

April 12, 2007 Impact of Remote File Inclusion 1. Loss of control of web application. 2. Installation of malware. 3. Attacks launched against other sites. 4. Denial of service.

April 12, 2007 Mitigating Remote File Inclusion 1. Turn off remote file inclusion. 2. Do not run code from uploaded files. 3. Do not use user-supplied paths. 4. Validate all paths before loading code.

April 12, 2007 Unvalidated Input Unvalidated input is an architecture flaw. Individual input-related bugs are easy to fix. How do you defend against the general problem of input-based attacks? Key Ideas Application needs to validate all input. Input validation needs to be part of design.

April 12, 2007 Input Validation Principles All input must be validated. Input must be validated on the server. Use a standard set of validation rules. Reject all input that isn’t in your whitelist. Blacklists can miss bad inputs. Input repairs can produce bad input.

April 12, 2007 Input Validation Architecture View Output encoding. Controller General input validation. Model Model-specific validation. Validation Rules View Selection State Change User Input State Query Change Notice

April 12, 2007 Validating Input Check that input matches specified: Data type Character set Input length NULLs or empty strings allowed? Numeric range List of legal values List of patterns

April 12, 2007 Impact of Unvalidated Input 1. More input-related vulnerabilities. 2. Loss of application integrity. 3. Loss of sensitive information. 4. Effort required to patch individual input- related bugs.

April 12, 2007 Mitigating Unvalidated Input Design for input validation. Architect app so all input is checked. Create a standard library of validation rules. Use a whitelist approach. Educate developers about validation. Verify that all input is validated.

April 12, 2007 Cross-Site Scripting (XSS) Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing. XSS used to obtain session ID for Bank site (transfer money to attacker) Shopping site (buy goods for attacker) Key ideas Attacker sends malicious code to server. Victim’s browser loads code from server and runs it.

April 12, 2007 Anatomy of an XSS Attack 1. Login 2. Cookie Web Server 3. XSS Attack Attacker User 4. User clicks on XSS link. 5. XSS URL 7. Browser runs injected code. Evil site saves ID. 8. Attacker hijacks user session. 6. Page with injected code.

April 12, 2007 XSS URL Examples = get="> alert(document.cookie) page2.html?tw= alert(‘Test’); aler t(document.cookie) &frompage=4&page=1&ct =VVTV&mh=0&sh=0&RN=1 rch_exe?search_text=_%22%3E%3Cscript%3Ealert%28d ocument.cookie%29%3C%2Fscript%3E

April 12, 2007 Why does XSS Work? Same-Origin Policy Browser only allows Javascript from site X to access cookies and other data from site X. Attacker needs to make attack come from site X. Vulnerable Server Program Any program that returns user input without filtering out dangerous code.

April 12, 2007 Impact of XSS 1. Attackers can hijack user accounts. 2. Attackers can hijack admin accounts too. 3. Attacker can do anything a user can do. 4. Difficult to track down source of attack.

April 12, 2007 Mitigating XSS 1. Disallow HTML input 2. Allow only safe HTML tags 3. Filter output Replace HTML special characters in output ex: replace with > also replace (, ), #, & 4. Tagged cookies Include IP address in cookie and only allow access to original IP address that cookie was created for.

April 12, 2007 Authentication Authentication is the process of determining a user’s identity. Key Ideas HTTP is a stateless protocol. Every request must be authenticated. Use username/password on first request. Use session IDs on subsequent queries.

April 12, 2007 Authentication Attacks Sniffing passwords Guessing passwords Identity management attacks Replay attacks Session ID fixation Session ID guessing

April 12, 2007 Impact of Authentication Attacks 1. Attackers can hijack user accounts. 2. Attackers can hijack admin accounts too. 3. Attacker can do anything a user can do. 4. Difficult to track down source of attack.

April 12, 2007 Mitigating Authentication Attacks Use SSL to prevent sniffing attacks. Require strong passwords. Use secure identity management. Use a secure session ID mechanism. IDs chosen at random from large space. Regenerate session IDs with each request. Expire session IDs in short time.

April 12, 2007 Access Control Access control determines which users have access to which system resources. Levels of access control Site URL Function Function(parameters) Data

April 12, 2007 Impact of Broken Access Control 1. Access to other customer’s accounts. 2. Execute code as other users. 3. Execute administrative code. 4. Leakage of sensitive information. 5. Legal consequences of losing PII. 6. PR consequences of losing PII.

April 12, 2007 Mitigating Broken Access Control 1. Check every access. 2. Use whitelist model at every layer. 3. Do not rely on client-level access control. 4. Do not rely on security through obscurity.

April 12, 2007 Improper Error Handling Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly. Errors can provide too much data Stack traces SQL statements Subsystem errors User typos, such as passwords.

April 12, 2007 Impact of Improper Error Handling 1. Returning user input can create a cross-site vulnerability. 2. Information leakage can increase the probability of a successful attack against the application. 3. Leakage of sensitive information. 4. Legal consequences of losing PII. 5. PR consequences of losing PII.

April 12, 2007 Mitigating Improper Error Handling 1. Catch all exceptions. 2. Check all error codes. 3. Wrap application with catch-all handler. 4. Send user-friendly message to user. 5. Store details for debugging in log files. 6. Don’t log passwords or other sensitive data.

April 12, 2007 Insecure Storage Storing sensitive data without encrypting it, or using a weak encryption algorithm, or using a strong encryption system improperly. Problems Not encrypting sensitive data. Using home grown cryptography. Insecure use of weak algorithms. Storing keys in code or unprotected files.

April 12, 2007 Impact of Insecure Storage 1. Leakage of sensitive information. 2. Legal consequences of losing PII. 3. PR consequences of losing PII.

April 12, 2007 Storage Recommendations Hash algorithms MD5 and SHA1 look insecure. Use SHA256. Encrypting data Use AES with 128-bit keys. Key generation Generate random keys. Use secure random source.

April 12, 2007 Mitigating Insecure Storage 1. Use well studied public algorithms. 2. Use truly random keys. 3. Store keys in protected files. 4. Review code to ensure that all sensitive data is being encrypted. 5. Check database to ensure that all sensitive data is being encrypted.

April 12, 2007 Insecure Communication Applications fail to encrypt sensitive data in transit from client to server and vice- versa. Need to protect User authentication and session data. Sensitive data (CC numbers, SSNs) Key Idea Use SSL for all authentication connections.

April 12, 2007 Impact of Insecure Communication 1. Attackers can hijack user accounts. 2. Attacker can do anything a user can do. 3. Leakage of sensitive information. 4. Legal consequences of losing PII. 5. PR consequences of losing PII.

April 12, 2007 Mitigating Insecure Communication 1. Use SSL for all authenticated sessions. 2. Use SSL for all sensitive data. 3. Verify that SSL is used with automated vulnerability scanning tools.

April 12, 2007 Going Further

April 12, 2007 References 1. Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment, Addison-Wesley, “Java Gotchas,” Mitre, Common Weaknesses – Vulnerability Trends, Gary McGraw, Software Security, Addison-Wesley, J.D. Meier, et. al., Improving Web Application Security: Threats and Countermeasures, Microsoft, us/library/aa aspx, OWASP Top 10, Ivan Ristic, Web Application Firewalls: When Are They Useful?, OWASP AppSec EU Joel Scambray, Mike Shema, and Caleb Sima, Hacking Exposed: Web Applications, 2 nd edition, Addison-Wesley, 2006.