Web Application Security “The Forgotten Layer” Paul Klahn, CISSP November 21, 2002.



1 Web Application Security “The Forgotten Layer” Paul Klahn, CISSP November 21, 2002

2 Web Application Security Informational website E-commerce website Extranet Search Engine Transaction Engine

3 The Threat is Real: “75% of hacks occur at the Application Layer”; “3 of 4 business websites are vulnerable to attack” (Gartner)

4 But I Have a Firewall!! Firewall Intrusion Detection Authentication Antivirus

5 A Firewall is NOT enough. The firewall allows authorized incoming Internet traffic into the network via ports 80 (http) and 443 (https). IDS, SSL and data encryption, passwords, or standard network scanning will not protect you from application-layer attacks that arrive over those same ports.

6 Three Pieces to the Puzzle The Web Server Microsoft IIS, Netscape Commerce, Apache Front-End Server Code Code that makes up the Web page Back-End Server Code Access to a database or other application

7 Three Pieces to the Puzzle The Web Server Microsoft IIS, Netscape Commerce, Apache System Administrator Front-End Server Code Code that makes up the Web page Web Designer, Programmer Back-End Server Code Access to a database or other application Database admin, Programmer

8 Application Layer Browser User Input HTML/HTTP Web Server User Interface Code Front End Application Backend Application Database Data

9 Application Weaknesses System Architecture System Configuration Application Design Implementation Configuration Operations

10 Application Risks Incorrect Calculations Theft, Integrity issues Data accessed by unauthorized users Data theft or loss Proprietary data, Integrity, Privacy issues Denial of Service Disruption of Business Operations

11 Critiquing the Web Application Level Architectural Infrastructure & Design Development Languages Web and Database Servers Programming code principles

12 Development Languages Sun (Java, JavaBeans, JavaScript, J2EE) Microsoft (Active Server Pages, Site Server,.NET, and Commerce Server) Open source community (PHP, HTML, XML) Others (ColdFusion, Perl, CGI)

13 Most Common Attack Techniques Parameter Manipulation Known Vulnerability Checks Extension Checking Common File Checks Data Extension Checking Brute Force Path Truncation Hidden Web Paths Web Server Testing Application Mapping Directory Enumeration Backup Checking Cookie Manipulation

14 Parameter Manipulation: tampering with URL parameters to retrieve information that would otherwise be unavailable to the user. Variants: Cross-Site Scripting, SQL Injection, Reverse Directory Traversal, Buffer Overflow, Hidden Field Manipulation

15 Cross-Site Scripting: occurs when dynamically generated web pages display input that is not properly validated. Typical places: search engines, error messages, forms, web message boards. Risks: compromise confidential information, manipulate or steal cookies, create requests that are mistaken for those of a valid user, and execute malicious code.

16 Cross-Site Scripting (walk-through): (1) “Press this link to get to your bank” (underlying link: http://www.mybank.com?a= ); (2) “Enter your login information” (Username, Password); (3) the JavaScript program collects and sends user names and passwords.

17 Cross-Site Scripting

18 Real Site vs. Fake Hacker Site: the fake site collects usernames and passwords, then redirects the user back to the real site, making the attack look transparent.
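The fix the slides imply (input that is "properly validated" before it is displayed) is output encoding. The following is an added example, not code from the original presentation: a search page that echoes the query back, once with the defect (input written into the page as-is) and once HTML-encoded. The page, function names and the sample input are constructed for illustration.

```python
import html


def render_search_result(query: str, escape_output: bool) -> str:
    """Return the HTML fragment a search page echoes back for a query.

    escape_output=False reproduces the defect described on the slide: the user's
    input is written into the dynamically generated page without being encoded.
    escape_output=True is the fix: HTML-encode the input so the browser treats it
    as text, never as markup or script.
    """
    shown = html.escape(query, quote=True) if escape_output else query
    return f"<p>No results for: {shown}</p>"


def contains_active_content(fragment: str) -> bool:
    """Rough check used only to compare the two renderings: does the fragment
    still carry a script tag or an inline event handler?"""
    lowered = fragment.lower()
    return "<script" in lowered or "onerror=" in lowered


# Constructed sample input: a reflected-XSS probe of the kind a search box,
# error page or message board would echo back unchanged.
SAMPLE_INPUT = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print(render_search_result(SAMPLE_INPUT, escape_output=False))
    print(render_search_result(SAMPLE_INPUT, escape_output=True))
```

Encoding at the point of output is the control that survives every input channel the slide lists; validating input alone misses data that arrives through a different path (a stored message-board post, a database field).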

19 SQL Injection: the act of passing SQL code not intended by the developer into an application. Example: potentially malicious input such as a single quote ('), which closes the SQL string literal the developer built around the input. Risks: unintended system and application access.

20 SQL Injection


26 Reverse Directory Traversal: sending malformed URL strings to access non-public portions of the web server's content. Example: adding ../ sequences to an existing URL and adjusting the number of directories to traverse (www.server.com/../../../password). Risks: gain access to a system.

27 Reverse Directory Traversal
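The server-side check that defeats the ../ trick is to resolve the requested path against the document root after decoding and normalising it, and refuse anything that lands outside. Added example, not part of the presentation; the web root path, function name and test inputs are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"  # assumed document root for the example


def resolve_under_webroot(request_path: str, webroot: str = WEBROOT):
    """Map a request path to a filesystem path inside webroot, or return None.

    Order matters: decode once, normalise separators, join, then normalise the
    whole path before comparing it with the root. A server that checks for
    '..' before decoding misses %2e%2e; one that decodes twice turns %252e into
    a dot after the check has already passed.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:  # NUL bytes truncate paths in C-based servers
        return None
    decoded = decoded.replace("\\", "/")  # treat Windows separators the same way
    relative = decoded.lstrip("/")  # keep join() from discarding webroot
    candidate = posixpath.normpath(posixpath.join(webroot, relative))
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        return None  # escaped the document root
    # On a real server also realpath() the result so symlinks cannot point out.
    return candidate


if __name__ == "__main__":
    for p in ["/index.html", "/../../../password", "/%2e%2e/%2e%2e/etc/passwd"]:
        print(p, "->", resolve_under_webroot(p))
```

Note the last case in the test: a double-encoded sequence is served as a literal file name under the root, not decoded a second time into dots.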


30 Buffer Overflow: something very large being placed in a box far too small for it to fit in. Risks: gain complete control of a system. Example: executing malicious code in the context of the local system's security.

31 Buffer Overflow


36 Hidden Field Manipulation: modifying hidden parameters in the HTML, and then submitting the altered values to the remote server. Risk(s): loss of revenue. Example: changing pricing data on a site.

37 Hidden Field Manipulation
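The price example on the slide is prevented by never trusting a price that came from the client. Added example, not the presentation's code: a checkout total computed once from the submitted hidden field and once from a server-side catalogue, which also reports when the submitted price disagrees with the real one. The catalogue, SKUs and form contents are constructed.

```python
# Constructed server-side catalogue: SKU -> unit price in cents.
CATALOG = {"sku-100": 4999, "sku-200": 1250}


def price_order_trusting_form(form: dict) -> int:
    """Defective version: the unit price is taken from a hidden form field,
    so whoever edits the HTML before submitting sets their own price."""
    return int(form["qty"]) * int(form["price"])


def price_order_server_side(form: dict):
    """Fixed version: the client may only choose what and how many; the price
    is looked up on the server. Returns (total_cents, tampered) where
    tampered is True if the form carried a price that does not match."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    unit_price = CATALOG[sku]
    total = qty * unit_price
    # Log this on a real site: a mismatch is a tamper attempt, not a bug.
    tampered = "price" in form and int(form["price"]) != unit_price
    return total, tampered


# Constructed submission in which the hidden price field was edited to 1 cent.
TAMPERED_FORM = {"sku": "sku-100", "qty": "2", "price": "1"}

if __name__ == "__main__":
    print("trusting form:", price_order_trusting_form(TAMPERED_FORM))
    print("server side:  ", price_order_server_side(TAMPERED_FORM))
```

The same rule covers every hidden field that carries a decision (discount codes, role flags, account numbers): hidden only means not rendered, not unmodifiable.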


41 Known Vulnerability Checks: all exploitable holes and bugs in operating systems, web servers, applications, and other third-party components that have been published, posted, or otherwise communicated. Risk(s): exploitation of systems where patches have not been installed in a timely fashion.

42 Known Vulnerability Checks (example request): /msadc/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
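Requests like the one on the slide are easy to spot in web server logs once the path is decoded the way the server decodes it. Added example, not from the presentation: a small scanner over constructed Common Log Format lines that percent-decodes each request path, folds the overlong UTF-8 and backslash separators to '/', and flags traversal and command-interpreter requests. The log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format prefix up to the request field: ip ident user [time] "METHOD path HTTP/x.y"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)

# Overlong UTF-8 encodings of '/' and '\' that some servers once decoded only
# after their traversal check had run.
OVERLONG_SEPARATORS = (b"\xc0\xaf", b"\xc1\x9c")


def normalize_path(raw_path: str) -> bytes:
    """Percent-decode to raw bytes, fold overlong and backslash separators to
    '/', and drop the query string, so the check sees the path the server
    would actually act on."""
    decoded = unquote_to_bytes(raw_path)
    for alt in OVERLONG_SEPARATORS:
        decoded = decoded.replace(alt, b"/")
    decoded = decoded.replace(b"\\", b"/")
    return decoded.split(b"?", 1)[0]


def classify_request(raw_path: str) -> list:
    """Return the reasons a request path looks like a known-vulnerability probe."""
    norm = normalize_path(raw_path)
    reasons = []
    if b".." in norm.split(b"/"):
        reasons.append("directory traversal")
    if b"cmd.exe" in norm.lower():
        reasons.append("command interpreter requested")
    return reasons


def scan_log(lines) -> list:
    """Return (client ip, raw path, reasons) for every flagged request."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        reasons = classify_request(m.group("path"))
        if reasons:
            flagged.append((m.group("ip"), m.group("path"), reasons))
    return flagged


# Constructed access-log sample; line 2 is the request shown on the slide.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2002:10:00:01 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [21/Nov/2002:10:00:02 -0600] "GET /msadc/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 200 512',
    '10.0.0.9 - - [21/Nov/2002:10:00:03 -0600] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '10.0.0.7 - - [21/Nov/2002:10:00:04 -0600] "GET /docs/..%2f..%2f..%2fetc/passwd HTTP/1.0" 404 190',
]

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
```

A 200 response on such a line, as in the slide's example, is the signal that the patch was missing when the request arrived; a 404 shows the probe was made but did not succeed.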

43 Extension Checking: looking for backup copies of files and scripts on the web server. Risk(s): retrieving a script's source code. Example: an attacker who finds hi.asp might search for hi.old and hi.back.

44 Common File Checks: commonly present duplicate, uploaded, and hidden files that should have been removed from the web server. Risk(s): detailed information that attackers can use to compromise a site. Example: Admin.htm, test.htm, and deploy.exe

45 Data Extension Checking: finding old renamed files left on the server. Risk(s): retrieving a script's source code. Example: an attacker might find hi.asp, and then search for hi.asp.back or hi.asp.old.

46 Forceful Browsing: checks for all variations of commonly existing files. Risk(s): gain access to the system. Example: a password file search would encompass files including psswd.txt, password.htm, password.dat, and all other variations.

47 Forceful Browsing


50 Path Truncation: looking for directory listings or unusual errors at each truncation of a path. Risk(s): gain access to the system. Example: the link /customers/id/993/details.html is shortened step by step and each truncation is checked for vulnerabilities: /customers/id/993, /customers/id/, /customers/

51 Hidden Web Paths: finding hidden or commented-out references to paths on your server. Risk(s): gain access to developers' code, or other non-public files. Example: <!-- my old path /webroot/ol/bleh.asp -->

52 Application Mapping: exposes and follows all known (and unknown) links located on your site. Risk(s): attackers gain information for vulnerability checking and application testing.

53 Directory Enumeration Finds all directory paths and possibilities on the application server. Risk(s): Gain sensitive information and accurate map of targeted site.

54 Backup Checking Checks for common folders where backup source code files are kept. Risk(s): Receiving all the source code for a site due to improper permissions. Example: Administrators leave backup copies of their site stored somewhere on their server.
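Slides 43 to 54 all describe the same underlying hygiene failure: files that were never meant to be served are sitting under the web root. The defender's counterpart is to audit the document root before deployment. Added example, not the presentation's tooling: a walk over a constructed web root that reports backup copies by extension, the leftover names the slides cite, and backup folders. The file tree, suffix list and folder names are assumptions for the example.

```python
import os
import tempfile

# Suffixes that editors and administrators leave behind next to live files.
BACKUP_SUFFIXES = (".old", ".bak", ".back", ".orig", ".tmp", "~")
# Leftover file names taken from the Common File Checks slide.
LEFTOVER_NAMES = {"admin.htm", "test.htm", "deploy.exe"}
# Folder names where backup copies of a site are typically kept.
BACKUP_DIRS = {"backup", "backups", "old", "_old"}


def find_leftover_files(root: str) -> list:
    """Return sorted (relative path, reason) pairs for files that should not be
    reachable from the web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d.lower() in BACKUP_DIRS:
                rel = os.path.normpath(os.path.join(rel_dir, d)).replace(os.sep, "/")
                findings.append((rel + "/", "backup directory"))
        for f in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, f)).replace(os.sep, "/")
            lower = f.lower()
            if lower in LEFTOVER_NAMES:
                findings.append((rel, "leftover file"))
            elif lower.endswith(BACKUP_SUFFIXES):
                findings.append((rel, "backup copy"))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed web root in a temporary directory, mixing live files with
    the kinds of leftovers the slides describe."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = [
        "index.html", "hi.asp", "hi.old", "hi.asp.back", "admin.htm",
        "backup/site.zip", "scripts/login.asp", "scripts/login.asp.old",
    ]
    for name in files:
        path = os.path.join(root, *name.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for rel, reason in find_leftover_files(build_sample_webroot()):
        print(f"{reason:18s} {rel}")
```

Run against the real document root, the same walk doubles as a regression check in a deployment pipeline: any hit should fail the build rather than wait for a scanner on the Internet to find it.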

55 Cookie Manipulation: cookies are not securely encoded, allowing an attacker to modify them. Risk(s): bypassing authentication, gaining access to the accounts and information of other users. Example: “poisoning” the cookies (user IDs and timestamps).

56 Cookie Manipulation
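"Securely encoded" in the slide's sense means the server can tell a cookie it issued from one the client edited; encoding alone (such as base64) gives no such guarantee. Added example, not from the presentation: a session cookie carrying exactly the two fields the slide mentions (user ID and timestamp) protected by an HMAC, with verification that rejects a poisoned user ID and an expired timestamp. The secret, field layout and helper names are assumptions for the example.

```python
import hashlib
import hmac
import re
import time

# Assumed server-side secret; in production this is generated, stored outside
# the web root and rotated, never embedded in source.
SECRET = b"constructed-demo-key-do-not-reuse"


def issue_cookie(user_id: int, now=None, secret: bytes = SECRET) -> str:
    """Build 'uid=..;ts=..;sig=..' where sig is an HMAC-SHA256 over the fields."""
    ts = int(now if now is not None else time.time())
    payload = f"uid={user_id};ts={ts}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload};sig={sig}"


def verify_cookie(cookie: str, max_age: int = 3600, now=None, secret: bytes = SECRET):
    """Return the user ID if the cookie is authentic and fresh, else None."""
    try:
        payload, sig = cookie.rsplit(";sig=", 1)
    except ValueError:
        return None  # no signature field at all
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None  # fields were edited or signed with another key
    try:
        fields = dict(kv.split("=", 1) for kv in payload.split(";"))
        uid, ts = int(fields["uid"]), int(fields["ts"])
    except (ValueError, KeyError):
        return None
    current = int(now if now is not None else time.time())
    if current - ts > max_age:
        return None  # replayed after expiry
    return uid


def poison_user_id(cookie: str, new_uid: int) -> str:
    """Constructed tampering: rewrite the uid field the way an attacker editing
    the cookie in the browser would, leaving the old signature in place."""
    return re.sub(r"uid=\d+", f"uid={new_uid}", cookie)


if __name__ == "__main__":
    c = issue_cookie(42, now=1_000_000)
    print("issued:  ", c)
    print("genuine: ", verify_cookie(c, now=1_000_500))
    print("poisoned:", verify_cookie(poison_user_id(c, 1), now=1_000_500))
    print("expired: ", verify_cookie(c, now=1_000_000 + 7200))
```

The HMAC gives integrity, not confidentiality: the user ID and timestamp remain readable, so nothing secret belongs in the cookie, and the same signed token is still replayable within max_age unless it is bound to the session on the server as well.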


60 Layer 7 - Security Recommendations: Implement Application Firewall(s); Password Strength; System and Web Server Logging; Input Sanitization; Two-factor Authentication; Apply Patches; Remove Banners

61 Architectural Infrastructure & Design Web server / Web application / Database server demilitarized zones (DMZ) End to end encryption (SSL) Two-factor authentication Application Traffic Management Firewall Access Control Load-balancing/High Availability Web application firewalls

62 Manual Vulnerability Mitigation requires: knowledge of application interfaces; inspection of all client scripts and pages; consideration of 3rd-party code; the ability to obtain and understand current vulnerabilities.

63 Manual Vulnerability Mitigation - obstacles: multiple points of failure; vulnerabilities and bugs discovered weekly; site complexity; application development time demands; creative vs. productive vs. paranoid.

64 Offensive Tools - Commercial Network & Known Vulnerability Scanners –ISS / Internet Scanner –NAI / CyberCop –eEye / Retina –SPI Dynamics / WebInspect Network & Known Vulnerability Scanning Services –Qualys –FoundStone Application Scanners –Sanctum / AppScan

65 Offensive Tools – Public Domain Known Vulnerability Scanners –Whisker –Nessus Proxy Scanners –Achilles –HTTPush –RFProxy

66 Defensive Measures Content Integrity –TripWire –Gilian Network Separation –Whale –SpearHead Access Control –Netegrity –Securant

67 Defensive Measures Protected OS –Argus –HP Known Attack Detection –Entercept –eEye Application Protection –Sanctum

68 Summary: Hackers victimized 90% of large corporations and government agencies within the last 12 months (CSI and FBI). $18 Billion in lost sales forecasted due to security concerns in 2002 (according to the Federal Trade Commission). 75% of attacks are at the application level (Gartner Group), so network firewalls and network scanning are mandatory but NOT enough. Performing application-level audits and/or application-level prevention and detection is crucial. Automated tools exist that can assist in securing the application.

69 FishNet Security - Contacts Paul Klahn Director of Assessment Services FishNet Security 888-732-9406 pklahn@fishnetsecurity.com

