Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP Security Architect Cisco Systems, Inc.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP Security Architect Cisco Systems, Inc."— Presentation transcript:

1 1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP Security Architect Cisco Systems, Inc. mnystrom@cisco.com

2 222 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Who am I? Security Architect in Cisco’s InfoSec Responsible for consulting with application teams to secure their architecture Monitor for infrastructure vulnerabilities Infrastructure security architect 12 years developing application architectures Java programmer Master of Engineering – NC State University Bachelor’s - Iowa State University – (1990)

3 333 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Why worry? Guess.com sanctioned by FTC for exposing private information “…permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database.” U.S. Army systems hacked using WebDAV vulnerability in IIS “…it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise. “ Millions of credit card numbers compromised at Data Processors InternationalMillions of credit card numbers compromised at Data Processors International "All indications are the attack on this company's (Internet) address came from the outside, and efforts continue to analyze this attack to see if it could be traced to the attacker," the investigator said. Utah ISP is victim of retaliation following hackers' attack on Al-Jazeera “…impersonating an Al-Jazeera employee, tricked the Web addressing company Network Solutions into making technical changes that effectively turned over temporary control of the network's Arabic and English Web sites...''

4 444 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Why worry? (cont.)

5 555 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom The goal of an attack Steal data Blackmail Beachhead for other attacks Bragging rights Vandalism Demonstrate vulnerability/satisfy curiosity Damage company reputation

6 666 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom A word of warning These tools and techniques can be dangerous The difference between a hacker and a cracker is…permission Admins will see strange activity in logs, and come looking for you Authorities are prosecuting even the “good guys” for using these tools

7 777 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Commonly attacked services SMTP servers (port 25) sendmail: “The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application” RPC servers (port 111 & others) NetBIOS shares (ports 135, 139, 445) Blaster worm Sasser worm FTP servers (ports 20, 21) wuftpd vulnerabilities SSH servers (port 22) OpenSSH, PAM vulnerabilities Web servers (ports 80, 443) Apache chunked encoding vulnerability

8 888 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Web server attack Scan to find open ports Find out what’s running on open ports (banner grabbing) Profile the server Windows (look for Kerberos, NetBIOS, AD) Unix Use TCP fingerprinting Probe for weaknesses on interesting ports Default configuration files and settings (e.g. popular IIS ones) Buffer overflows Insecure applications Launch attack Use exploit code from Internet… …or build your own

9 999 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Scanning… What O/S is this system?

10 10 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Scanning… What O/S is this system?

11 11 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Example Web Application Web server Web app transport DB App server (optional) Web client: IE, Mozilla, etc. HTTP reply (HTML, JavaScript, VBScript, etc.) HTTP request Clear- text or SSL Apache IIS Netscape etc. J2EE server ColdFusion Oracle 9iAS etc. Perl C++ CGI Java ASP PHP etc. ADO ODBC JDBC etc. Oracle SQL Server etc. InternetDMZProtected network Internal network AJP IIOP T9 etc.

12 12 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom OWASP Top 10 Web Application Security Vulnerabilities 1.Unvalidated parameters 2.Broken access control 3.Broken account/session management 4.Cross-site scripting flaws 5.Buffer overflows 6.Command injection flaws 7.Error handling problems 8.Insecure use of cryptography 9.Remote administration flaws 10.Web and app server mis-configuration http://www.owasp.org

13 13 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Principles Turn off un-needed services Keep systems patched Don’t trust input Watch for logic holes Only provide the necessary information Hide sensitive information Encryption Access controls

14 14 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #1: Unvalidated Parameters Attacker can easily change any part of the HTTP request before submitting URL Cookies Form fields Hidden fields Headers Encoding is not encrypting Toasted Spam: http://www.toastedspam.com/decode64 Input must be validated on the server (not just the client). CoolCarts: http://www.extremelasers.com Countermeasures Tainting (Perl) Code reviews (check variable against list of allowed values, not vice- versa) Application firewalls CodeSeeker: http://www.owasp.org/codeseeker/ http://www.owasp.org/codeseeker/ Real-time auditing: http://www.covelight.com

15 15 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #2: Broken Access Control Usually inconsistently defined/applied Examples Forced browsing past access control checks Path traversal File permissions – may allow access to config/password files Client-side caching Countermeasures Use non-programmatic controls Verify access control via central container Code reviews

16 16 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #3: Broken Account and Session Management Weak authentication Password-only Easily guessable usernames (admin, etc.) Unencrypted secrets are sniffable How to break in Guess/reset password Have app email you new password Sniff or crack password Backend authentication How are database passwords stored? Trust relationships between hosts (IP address can be spoofed, etc.) Countermeasures Strong passwords Remove default user names Protect sensitive files

17 17 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #4: Cross-Site Scripting (XSS) Attacker uses trusted application/company to reflect malicious code to end-user Attacker can “hide” the malicious code Unicode encoding 2 types of attacks Stored Reflected Wide-spread problem! Countermeasures input validation Positive Negative: “ ( ) # &” Don’t forget these: “&lt &gt &#40 &#41 &#35 &#38” User/customer education

18 18 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #5: Buffer Overflows Mostly affects web/app servers Can affect apps/libraries too Goal: crash the target app and get a shell Buffer overflow example echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25 www.targetsystem.com Replace all those “a”s with something like this… char shellcode[] = “\xeb\xlf\x5e\x89\x76\x08…” Countermeasures Keep up with bug reports/patches Code reviews Run with limited privileges Use “safer” languages like Java

19 19 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #6: Command Injection Allows attacker to relay malicious code in form variables or URL System commands SQL Interpreted code (Perl, Python, etc.) Many apps use calls to external programs sendmail Examples Path traversal: “../” Add more commands: “; rm –r *” SQL injection: “’ OR 1=1” Countermeasures Taint all input Avoid system calls (use libraries instead) Run with limited privileges

20 20 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #7: Error Handling Examples: stack traces, DB dumps Helps attacker know how to target the app Inconsistencies can be revealing too “File not found” vs. “Access denied” Fail-open errors Need to give enough info to user w/o giving too much info to attacker Countermeasures Code review Modify default error pages (404, 401, etc.)

21 21 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Error messages example

22 22 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #8: Poor Cryptography Insecure storage of credit cards, passwords, etc. Poor choice of algorithm (or invent your own) Poor randomness Session IDs Tokens Cookies Improper storage in memory Countermeasures Store only what you must Store a hash instead of the full value (SHA-1) Use only vetted, public cryptography

23 23 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #9: Remote Administration Flaws Problems Weak authentication (username=“admin”) Weak encryption Countermeasures Don’t place admin interface on same server Use strong authentication: certificates, tokens, strong passwords, etc. Encrypt entire session (VPN or SSL) Control who has accounts IP restrictions

24 24 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #10: Web/App Server Misconfiguration Tension between “work out of the box” and “use only what you need” Developers ≠ web masters Examples Unpatched security flaws (BID example) Misconfigurations that allow directory traversal Administrative services accessible Default accounts/passwords Countermeasures Create and use hardening guides Turn off all unused services Set up and audit roles, permissions, and accounts Set up logging and alerts

25 25 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Principles Turn off un-needed services Keep systems patched Don’t trust input Watch for logic holes Only provide the necessary information Hide sensitive information Encryption Access controls

26 26 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Tools used in this preso WebGoat –vulnerable web applications for demonstrationWebGoat VMWare – runs Linux & Windows 2000 virtual machines on demo laptop.VMWare nmap –host/port scanning to find vulnerable hostsnmap Ethereal – network traffic sniffingEthereal Metasploit Framework – exploit toolMetasploit Framework Brutus – password crackingBrutus Sleuth – HTTP mangling against web sitesSleuth

Download ppt "1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP Security Architect Cisco Systems, Inc."

Similar presentations

Webgoat.

Webgoat.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Company LOGO WEB SYSTEM. Components of a Generic Web Application System.

Company LOGO WEB SYSTEM. Components of a Generic Web Application System.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP-ISSAP Security Architect Cisco Systems,

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP-ISSAP Security Architect Cisco Systems,
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Security in Application & SDLC

Security in Application & SDLC
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.

Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.
Web Services and Authentication

Web Services and Authentication
1 Security in Application & SDLC Barkan Asaf Nov, 2006.

1 Security in Application & SDLC Barkan Asaf Nov, 2006.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Similar presentations

Ads by Google