Download presentation
Presentation is loading. Please wait.
Published byKelly Nash Modified over 9 years ago
1
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University waldenj@nku.edu
2
November 13, 2008 Ohio Information Security Forum Why Do Hackers Target Web Apps?
3
November 13, 2008 Ohio Information Security Forum History of Web Security YearTechnologySecurity 1993CGIFirewalls, SSL 1995PHPFirewalls, SSL 1997ASP, JSPFirewalls, SSL 2000REST, SOAFirewalls, SSL 2006AJAXFirewalls, SSL
4
November 13, 2008 Ohio Information Security Forum Attack Surface A system’s attack surface consists of all of the ways an adversary can enter the system. Merchant’s Bank Building
5
November 13, 2008 Ohio Information Security Forum Defender’s View of Attack Surface firewall VPN wireless web server
6
November 13, 2008 Ohio Information Security Forum Firewalls don’t protect Web Apps Firewall Port 80 HTTP Traffic Web Client Web Server Application Database Server telnet ftp
7
November 13, 2008 Ohio Information Security Forum SSL won’t stop injection attacks, XSS Firewall Port 443 HTTPS Traffic Web Client Web Server Application Database Server telnet ftp
8
November 13, 2008 Ohio Information Security Forum Revised View of Attack Surface firewall VPN wireless external web server external web apps database
9
November 13, 2008 Ohio Information Security Forum Intranet Security Assumptions Since the firewall protects you Patches don’t have to be up to date. Passwords don’t have to be strong. There’s no need to be careful when you code. There’s no need to audit your source code. There’s no need to run penetration tests. But do your users have web browsers?
10
November 13, 2008 Ohio Information Security Forum Javascript Malware controls Clients Firewall Port 80 HTTP Traffic Web Server (Javascript malware) Web Client telnet ftp Intranet Main Server Wiki Group Server
11
November 13, 2008 Ohio Information Security Forum
12
November 13, 2008 Ohio Information Security Forum Sources of Javascript Malware 1.Evil web site owner inserts in page. 2.Attacker inserts malware into defaced page. 3.Attacker inserts malware into a public comment or forum post (stored XSS.) 4.Attacker creates link that causes web site to echo malware to user (reflected XSS.)
13
November 13, 2008 Ohio Information Security Forum Re-revised View of Attack Surface firewall VPN wireless external web server external web apps database internal web servers internal web apps
14
November 13, 2008 Ohio Information Security Forum Web Applications firewall VPN wireless external web server external web apps database internal web servers internal web apps
15
November 13, 2008 Ohio Information Security Forum Web Application Vulnerabilities Input-based Security Problems –Injection Flaws –Insecure Remote File Inclusion –Unvalidated Input Authentication and Authorization –Authentication –Access Control –Cross-Site Attacks Other Bugs –Error Handling and Information Leakage –Insecure Storage –Insecure Communications
16
November 13, 2008 Ohio Information Security Forum SQL Injection 1.App sends form to user. 2.Attacker submits form with SQL exploit data. 3.Application builds string with exploit data. 4.Application sends SQL query to DB. 5.DB executes query, including exploit, sends data back to application. 6.Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--
17
November 13, 2008 Ohio Information Security Forum Cross-Site Scripting 1. Login 2. Cookie Web Server 3. XSS Attack Attacker User 4. User clicks on XSS link. 5. XSS URL 7. Browser runs injected code. Evil site saves ID. 8. Attacker hijacks user session. 6. Page with injected code.
18
November 13, 2008 Ohio Information Security Forum Application Feature Vulnerability Map Database interaction Displays user-supplied data Error messages File upload/download Login SQL injection. Cross-site scripting. Information leakage. Path traversal. Authentication, session management, access control flaws.
19
November 13, 2008 Ohio Information Security Forum Web Application Attack Surface form inputs HTTP headers URLs cookies
20
November 13, 2008 Ohio Information Security Forum Traditional Web Applications HTTP Request (form submission) HTTP Response (new web page) Server processingUser waits HTTP Request (form submission) User interaction HTTP Response (new web page) User waits Server processing
21
November 13, 2008 Ohio Information Security Forum AJAX Asynchronous Javascript and XML User interacts with client-side Javascript. Javascript makes asynchronous requests to server for data. Continues to allow user to interact with application. Updates when receives encoded data from server.
22
November 13, 2008 Ohio Information Security Forum AJAX Applications Server processing User interaction Server processing Client-side Code HTTP request (asynchronous) partial update HTTP Response (data) partial updateHTTP request (asynchronous) HTTP Response (data) HTTP request (asynchronous) HTTP Response (data) partial update User interaction Server processing
23
November 13, 2008 Ohio Information Security Forum Architecture Differences Traditional Application on server. Entire form sent to server. –User fills in input items. –Clicks on submit. Server returns new page. –Presentation + Data. AJAX App on client and server. JavaScript receives user input, issues function calls to server when needed. –Get map tile. –Save location data. Server returns individual data items. JavaScript incorporates data items into existing page.
24
November 13, 2008 Ohio Information Security Forum Example Client-side Code var auth = checkPassword(user, pass); if (auth == false) { alert(‘Authentication failed.’); return; } var itemPrice = getPrice(itemID); debitAccount(user, itemPrice); downloadItem(itemID);
25
November 13, 2008 Ohio Information Security Forum JSON var json = getItem() // json = “[ ‘Toshiba’, 499, ‘LCD TV’]” var item = eval(json) // item[0] = ‘Toshiba’ // item[1] = 499 // item[2] = ‘LCD TV’
26
November 13, 2008 Ohio Information Security Forum JSON Injection Evil input: ‘];alert(‘XSS’);// var json = getItem() // json = “[ ‘Toshiba’, 499, ‘’];alert(‘XSS’);//” var item = eval(json) // Alert box with ‘XSS’ appears. // Use json2.js validation library to prevent.
27
November 13, 2008 Ohio Information Security Forum Client-Side State Storage Technologies Client-Side Storage Issues User can always modify client-side data. Cross-Domain Attacks (between subdomains). Cross-directory Attacks. Cross-port Attacks. Cookies DOM Storage (HTML5) Flash LSOs UserData (IE)
28
November 13, 2008 Ohio Information Security Forum AJAX Application Attack Surface form inputs HTTP headers URLs cookies client-side code client-side state server API client-side data transforms
29
November 13, 2008 Ohio Information Security Forum firewall VPN wireless external web server external web apps database internal web servers internal web apps form inputs HTTP headers URLs cookies client-side code client-side state server API client-side data transforms is nearly fractal. A site’s attack surface
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.