
Web application security

Web application security. Sebastian Lopienski & Marthe Engebretsen CERN Computer Security Team HEPiX Autumn 2009, LBL See also: http://indico.cern.ch/contributionDisplay.py?contribId=38&sessionId=13&confId=27391. Outline. Why Web applications Threats Web at CERN Possible solutions Tools


Presentation Transcript


  1. Web application security
  Sebastian Lopienski & Marthe Engebretsen, CERN Computer Security Team
  HEPiX Autumn 2009, LBL
  See also: http://indico.cern.ch/contributionDisplay.py?contribId=38&sessionId=13&confId=27391

  2. Outline
  • Why Web applications
  • Threats
  • Web at CERN
  • Possible solutions
  • Tools
    • Requirements
    • How they work
    • Commercial vs. open source
    • Pros and cons of some chosen ones
  Web application security - 2

  3. Focus on Web applications?
  Web applications are:
  • often much more useful than desktop software => popular
  • often publicly available
  • an easy target for attackers
    • finding vulnerable sites, automating and scaling attacks
  • easy to develop
    • not so easy to develop well and securely
  • often vulnerable, thus making the server, the database, the internal network, data etc. insecure

  4. Threats
  • Web defacement
    • loss of reputation (clients, shareholders)
    • fear, uncertainty and doubt
  • information disclosure (lost data confidentiality)
    • e.g. business secrets, financial information, client database, medical data, government documents
  • data loss (or lost data integrity)
  • unauthorized access
    • functionality of the application abused
  • denial of service
    • loss of availability or functionality (and revenue)
  • “foot in the door” (attacker inside the firewall)

  5. Web landscape at CERN
  • many Web sites centrally hosted
    • official (35%), private (55%), test (10%)
    • Windows/IIS (65%), Linux/Apache (30%), Sharepoint, J2EE
    • ~10% scriptable
  • other hosts with Web ports open on the firewall

  6. September 2008

  7. Approaches
  What to do?
  • Provide training for Web application developers
  • Limit the number of Web applications
  • Harden the Web hosting service
  • Perform vulnerability scanning
  • Detect successful attacks

  8. Tools - top requirements
  • Handle automatic scanning of Web sites
  • Easily parsable/processable reports
  • Low false positive rate
    • preferred over a low false negative rate

  9. Tools – how they work
  • Crawling
  • Scanning
  • Reporting
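Before any payload is sent, the crawling phase has to discover the injection points: URL parameters and form fields on the target host. The script below is an added example written for this page, not code from Wapiti, w3af or any other tool listed later. It crawls a constructed in-memory site (the hostname, paths and the `fake_fetch` stand-in for HTTP GET are assumptions), stays on the starting host, treats URLs that differ only in parameter values as one entry point, and returns one row per (path, method) with the parameter names the scanning phase would later probe.

```python
"""Crawling phase of a black-box scanner: walk a site, stay in scope, and
collect the injection points the scanning phase will probe. Added example;
the site below is a constructed in-memory stand-in, nothing is fetched over
the network."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed site: path -> HTML body. Hostname and paths are made up.
SITE = {
    "/": ('<a href="/list.php?cat=1">list</a>'
          '<a href="http://other.example.org/">external</a>'
          '<form action="/search.php" method="get">'
          '<input name="q"><input type="submit" name="go"></form>'),
    "/list.php": '<a href="/item.php?id=7">item</a><a href="/item.php?id=8">item</a>',
    "/item.php": ('<form action="/comment.php" method="post">'
                  '<input name="author"><textarea name="text"></textarea></form>'),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET: body for known paths, None for a 404."""
    return SITE.get(urlsplit(url).path)


class LinkFormParser(HTMLParser):
    """Extract absolute link targets and form definitions from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.links, self.forms, self._form = page_url, [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or self.page_url),
                          "method": (a.get("method") or "get").lower(), "params": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            # Submit buttons carry no attacker-controlled value worth probing.
            if a.get("name") and (a.get("type") or "text").lower() != "submit":
                self._form["params"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def crawl(fetch, start, max_pages=200):
    """Breadth-first crawl from `start`; return {(path, method): [param names]}."""
    scope = urlsplit(start).netloc
    seen, queue, points = set(), [start], {}
    while queue and len(seen) < max_pages:
        url = urlsplit(queue.pop(0))
        if url.netloc != scope:            # never follow links off the target host
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        # Same path + same parameter *names* is one injection point: do not
        # refetch /item.php for every id value the site links to.
        key = (url.path, tuple(sorted(qs)))
        if key in seen:
            continue
        seen.add(key)
        if qs:
            points.setdefault((url.path, "get"), set()).update(qs)
        body = fetch(url.geturl())
        if body is None:
            continue
        page = LinkFormParser(url.geturl())
        page.feed(body)
        for form in page.forms:
            points.setdefault((urlsplit(form["action"]).path, form["method"]),
                              set()).update(form["params"])
        queue.extend(page.links)
    return {k: sorted(v) for k, v in points.items()}


if __name__ == "__main__":
    for (path, method), params in sorted(crawl(fake_fetch, "http://app.example.com/").items()):
        print(f"{method.upper():4s} {path} params={params}")
```

Real crawlers also need a cookie jar, a robots/exclusion list (a scanner that follows every link will happily hit "delete" URLs) and a request budget; the page-count cap here is the minimal version of the last point.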


  12. Scanning - HTTP requests
  http://www.google.fr/
  /etc/passwd
  c:\\boot.ini
  ../../../../../../../../../../etc/passwd
  ../../../../../../../../../../boot.ini
  a;env
  a);env
  /e
  ¿'"(
  sleep(4)#
  1+and+sleep(4)#
  ')+and+sleep(4)='
  "))+and+sleep(4)="
  ;waitfor+delay+'0:0:4'--
  "));waitfor+delay+'0:0:4'--
  benchmark(1000, MD5(1))#
  1))+and+benchmark(10000000,MD5(1))#
  pg_sleep(4)--
  "))+and+pg_sleep(4)--
  gt5mgbxkht
  http://www.google.fr
  Wapiti:+2.1.0+version
  <SCrIPT>fake_alert("TbBPE8YaN3gA72vQAlao1")</SCrIPT>
  |+ping+-c+4+localhost
  run+ping+-n+3+localhost
  &&+type+%SYSTEMROOT%\win.ini
  ;+type+%SYSTEMROOT%\win.ini
  `/bin/cat+/etc/passwd`
  run+type+%SYSTEMROOT%\win.ini
  b"+OR+"81"="81
  http://w3af.sourceforge.net/w3af/remoteFileInclude.html
  ../../../../../../../../../../../../../../../etc/passwd%00.php
  C:\boot.ini
  %SYSTEMROOT%\win.ini
  C:\boot.ini%00.php
  %SYSTEMROOT%\win.ini%00.php
  d'z"0
  <!--#include+file="/etc/passwd"-->
  <!--#include+file="C:\boot.ini"-->
  echo+'mlYRc'+.+'buwWR';
  print+'mlYRc'+++'buwWR'
  Response.Write("mlYRc+buwWR")
  import+time;time.sleep(4);
  Thread.sleep(4000);
  hTtp://w3af.sf.net/
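The request list above is what a scanner actually sends; what turns a request into a finding is the check applied to the response. The following Python script is an added example written for this page, not code from Wapiti, w3af or the CERN team. It shows three of the probe families at work: file-content signatures for directory traversal, a random canary (with the slide's mixed-case `<SCrIPT>` and non-firing `fake_alert`) for reflected XSS, and a delay-versus-no-delay pair for time-based blind SQL injection, which is what keeps a slow server from producing a false positive. The target is a constructed in-process stand-in (`fake_app`) with one deliberately vulnerable parameter per class and one safe one; no network traffic is generated and all names are made up.

```python
"""How a black-box scanner turns probe strings into findings. Added example:
the target is an in-process stand-in, so nothing is sent over the network."""
import html
import posixpath
import re
import secrets
import string

# --- Constructed stand-in for a vulnerable page (NOT a real site) ----------
FAKE_FS = {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}
BASE_LATENCY = 0.05  # simulated seconds for a normal response


def fake_app(params):
    """Return (body, seconds) for a GET with these query parameters."""
    delay = BASE_LATENCY
    out = ["<html><body>"]
    if "file" in params:  # passed straight to a file read: traversal
        out.append(FAKE_FS.get(posixpath.normpath("/www/" + params["file"]), "no such file"))
    if "q" in params:     # echoed unencoded: reflected XSS
        out.append("<p>You searched for " + params["q"] + "</p>")
    if "name" in params:  # HTML-encoded before output: safe
        out.append("<p>Hello " + html.escape(params["name"]) + "</p>")
    if "id" in params:    # concatenated into a MySQL query; emulate SLEEP() being honoured
        m = re.search(r"sleep\((\d+)\)", params["id"], re.I)
        if m:
            delay += int(m.group(1))
        out.append("<p>item</p>")
    out.append("</body></html>")
    return "".join(out), delay


# --- Scanner side: payloads taken from the slide's request list ------------
TRAVERSAL_PROBES = [
    ("../../../../../../../../../../etc/passwd", re.compile(r"root:[^:]*:0:0:")),
    ("../../../../../../../../../../boot.ini", re.compile(r"\[boot loader\]", re.I)),
]
# Time-based probes are templates: {n} is the delay requested from the database.
TIME_PROBES = [
    "1 and sleep({n})#",            # MySQL
    "1;waitfor delay '0:0:{n}'--",  # MSSQL
    "1 and pg_sleep({n})--",        # PostgreSQL
]


def _canary(k=10):
    return "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(k))


def scan_param(send, base, name):
    """Probe one parameter; return a list of (vulnerability, payload)."""
    found = []
    base_body, base_t = send(base)

    # 1. Traversal: a file-content signature that the baseline did not contain.
    for payload, sig in TRAVERSAL_PROBES:
        body, _ = send({**base, name: payload})
        if sig.search(body) and not sig.search(base_body):
            found.append(("path traversal", payload))
            break

    # 2. Reflected XSS: a fresh canary cannot match stale page content, and
    #    fake_alert() keeps the probe from firing if someone opens the URL.
    payload = f"<SCrIPT>fake_alert('{_canary()}')</SCrIPT>"
    body, _ = send({**base, name: payload})
    if payload in body:  # came back byte-for-byte, i.e. unencoded
        found.append(("reflected XSS", payload))

    # 3. Time-based blind SQLi: require the long delay AND no delay for n=0,
    #    so a merely slow server does not count as a hit.
    for tmpl in TIME_PROBES:
        _, t_slow = send({**base, name: tmpl.format(n=4)})
        _, t_zero = send({**base, name: tmpl.format(n=0)})
        if t_slow - base_t >= 3 and t_zero - base_t < 1:
            found.append(("blind SQL injection (time-based)", tmpl.format(n=4)))
            break
    return found


def scan(send, base):
    """Scan every parameter of the base request; return {param: [vuln names]}."""
    return {p: [v for v, _ in scan_param(send, base, p)] for p in base}


if __name__ == "__main__":
    base = {"file": "index.html", "q": "test", "name": "bob", "id": "1"}
    for p, vulns in scan(fake_app, base).items():
        print(f"{p:5s} -> {vulns or 'clean'}")
```

The `name` parameter comes back clean because the canary is HTML-encoded on output; that is exactly the "low false positive rate" property the requirements slide asks for, and the n=0 control request is the cheapest way to get it for timing-based checks.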

  13. Different tools
  • HP WebInspect
  • IBM Rational AppScan
  • Acunetix WVS
  • N-Stalker
  • Syhunt Sandcat
  • W3AF - Web Application Attack and Audit Framework
  • Wapiti
  • Cenzic Hailstorm
  • Retina Web App Scanner
  • NTOSpider
  • Burp Suite
  • CORE IMPACT Pro
  • OWASP WebScarab Project
  • MileSCAN
  • WebKing
  • WebApp360
  • Typhon
  • Nessus
  • Nikto2
  • Wikto
  • Wfuzz
  • Powerfuzzer
  • SQLmap
  • Cross Site Scripting Backdoor
  • Acunetix XSS-Scanner
  • Paros Proxy
  • ProxyStrike
  • Grabber
  • Suru
  • Burp Proxy
  • OWASP Pantera Web Assessment Studio Project
  5 commercial and 2 open source tools were tested against one ”known-vulnerable” test site and several ”unknown” test sites.

  14. Known-vulnerable test site
  • Cross-Site Scripting
    • Reflected
    • Permanent
  • SQL Injection
    • Blind SQL Injection
  • File Inclusions and Execution
    • Local/Directory traversal
    • Remote
  • Information leakage
  • Improper error handling

  15. Disclaimer
  The choice of Web application vulnerability assessment tools that we evaluated was arbitrary, and it is possible that a good tool was not tested during this evaluation. We have not followed any formal, scientific methodology when testing these tools. The tests were driven by our requirements, and we focused on some particular aspects and characteristics of tools while ignoring others, so the conclusions may not be applicable in different environments.

  16. Commercial tools
  + Scan both application and server
  + Allow customization of almost everything
  + Have powerful crawling, scanning and reporting engines
  - Designed for GUI runs and reporting within the tool itself
  - CLI based on settings from the GUI
  - Internal formats or over-verbose XML reports

  17. Open source tools
  + Designed for command line execution
  + Save data in open and parsable formats
  + Find the basic vulnerabilities with a low false positive rate
  - Have a lower customization level, and find fewer vulnerabilities than the commercial tools
  - Small development teams
  - Somewhat unknown future

  18. Acunetix WVS

  19. Acunetix WVS
  Pros:
  • Powerful tool
  • Many possibilities to change settings and checks
  • CLI is good and well documented
  • Report generation through CLI
  • False positive handling within the tool
  Cons:
  • Failed to find some blind SQL injections
  • Strange false positives
  • Reports all variants of one vulnerability
  • XML reports huge
  Platform: Windows & MS SQL Server or Access
  Price: € 2700 + € 800 maintenance

  20. IBM Rational AppScan

  21. IBM Rational AppScan
  Pros:
  • Good GUI and reporting within the tool
  • ”Delta analysis” to compare the results of two scans of a site
  • Python API for automatic scanning, and for adding functionality
  Cons:
  • CLI uses the settings of previous, manually-run scans
  • Didn’t find some SQL injection bugs
  • XML reports messy
  Platform: Windows
  Price (educational): ~$10k (incl. 1y support)

  22. HP WebInspect

  23. HP WebInspect
  Pros:
  • Good GUI, especially reporting
  • Crawling and scanning can be done simultaneously
  • Lots of settings and custom-made policies
  Cons:
  • Unstable: crashed during installation and on syntax errors in the CLI
  • Missed some SQL injection bugs
  • Hard to read generated reports
  • XML reports big/messy
  Platform: Windows & MS SQL Server
  Price: ? (> $10k)

  24. W3AF – open source
  Pros:
  • Plug-in approach – use what you want, write your own tests
  • Many plugins provided
  • Active community (mailing list)
  • Made for command line execution (but a GUI is available)
  Cons:
  • Some problems with the blind SQL and eval plugins (too many retries...)
  • Strange false positives
  • XML report badly structured
  Requires: Windows/Linux, Python 2.5
  Developers: ~10
  Since: 2006
  Releases: 3
  Latest: W3AF 1.0-rc2
  Revision: ~3000

  25. Wapiti – open source
  Pros:
  • Finds fewer vulnerabilities (fewer false positives)
  • Made for command line execution
  • Very simple to use
  • Good at finding SQL injection vulnerabilities
  Cons:
  • Finds fewer vulnerabilities (more false negatives)
  • Very small community
  • Returns MemoryError for some scans (looping?)
  • Uncertain future?
  Requires: Windows/Linux, Python 2.4
  Developers: ~2
  First release: June 2006
  Releases: 13
  Latest: Wapiti 2.1.0
  Revision: ~100

  26. Wapiti – sample results
  <vulnerabilityType name="Cross Site Scripting">
    <vulnerabilityList>
      <vulnerability level="1">
        <url>
          http://xxx.web.cern.ch/xxx/default2.php?index=&quot;&gt;&lt;/frame&gt;&lt;script&gt;alert('qf3p4bpva2')&lt;/script&gt;&amp;main=experiments/documents.php
        </url>
        <parameter>
          index=&quot;&gt;&lt;/frame&gt;&lt;script&gt;alert('qf3p4bpva2')&lt;/script&gt;&amp;main=experiments/documents.php
        </parameter>
        <info>
          XSS (index)
        </info>
      </vulnerability>
    </vulnerabilityList>
  </vulnerabilityType>
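The excerpt above is the raw form of the "easily parsable/processable reports" requirement from slide 8: an automatic run is only useful if a script can turn the XML into tickets or a diff against the previous run. As an added example (not Wapiti's own code or schema), the script below parses a report constructed in the same element layout as the slide (vulnerabilityType / vulnerabilityList / vulnerability with url, parameter, info), pulls the injected parameter name out of `<info>`, and collapses payload variants so that one vulnerability yields one row instead of one row per payload, the problem noted for Acunetix on slide 19. The `<report>` root element, the hostname and the paths are assumptions.

```python
"""Parse a Wapiti-style XML report into one row per real vulnerability.
Added example; SAMPLE_REPORT is constructed to mirror the element layout on
the slide, with a made-up <report> root, host and paths."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<report>
 <vulnerabilityType name="Cross Site Scripting">
  <vulnerabilityList>
   <vulnerability level="1">
    <url>http://app.example.com/default2.php?index=%22%3E%3Cscript%3Ealert('c1')%3C/script%3E&amp;main=docs.php</url>
    <parameter>index=&quot;&gt;&lt;script&gt;alert('c1')&lt;/script&gt;&amp;main=docs.php</parameter>
    <info>XSS (index)</info>
   </vulnerability>
   <vulnerability level="1">
    <url>http://app.example.com/default2.php?index=%3Cscript%3Ealert('c2')%3C/script%3E&amp;main=docs.php</url>
    <parameter>index=&lt;script&gt;alert('c2')&lt;/script&gt;&amp;main=docs.php</parameter>
    <info>XSS (index)</info>
   </vulnerability>
   <vulnerability level="1">
    <url>http://app.example.com/default2.php?index=1&amp;main=%3Cscript%3Ealert('c3')%3C/script%3E</url>
    <parameter>index=1&amp;main=&lt;script&gt;alert('c3')&lt;/script&gt;</parameter>
    <info>XSS (main)</info>
   </vulnerability>
  </vulnerabilityList>
 </vulnerabilityType>
 <vulnerabilityType name="SQL Injection">
  <vulnerabilityList>
   <vulnerability level="2">
    <url>http://app.example.com/item.php?id=1%27</url>
    <parameter>id=1'</parameter>
    <info>SQL Injection (id)</info>
   </vulnerability>
  </vulnerabilityList>
 </vulnerabilityType>
</report>
"""


def parse_report(xml_text):
    """Yield one dict per <vulnerability> element, entities already decoded."""
    root = ET.fromstring(xml_text)
    for vtype in root.iter("vulnerabilityType"):
        for v in vtype.iter("vulnerability"):
            url = (v.findtext("url") or "").strip()
            params = (v.findtext("parameter") or "").strip()
            info = (v.findtext("info") or "").strip()
            # The injected parameter is named in parentheses in <info>; fall
            # back to the first name in the <parameter> query string.
            m = re.search(r"\((\w+)\)", info)
            injected = m.group(1) if m else next(iter(parse_qs(params, keep_blank_values=True)), "?")
            parts = urlsplit(url)
            yield {"type": vtype.get("name"), "level": int(v.get("level", "0")),
                   "host": parts.netloc, "path": parts.path, "param": injected,
                   "info": info, "url": url}


def dedupe(findings):
    """One entry per (type, host, path, param): highest level, variant count, example URL."""
    rows = {}
    for f in findings:
        key = (f["type"], f["host"], f["path"], f["param"])
        row = rows.setdefault(key, {"level": 0, "variants": 0, "example": f["url"]})
        row["variants"] += 1
        row["level"] = max(row["level"], f["level"])
    return rows


def summarise(xml_text):
    """Sorted (type, host, path, param, level, variants) tuples, ready for a ticket or a diff."""
    return sorted((k[0], k[1], k[2], k[3], v["level"], v["variants"])
                  for k, v in dedupe(parse_report(xml_text)).items())


if __name__ == "__main__":
    for vtype, host, path, param, level, n in summarise(SAMPLE_REPORT):
        print(f"L{level} {vtype}: {host}{path} [{param}] ({n} payload variant(s))")
```

Storing the summary tuples per scan and diffing two runs gives the "delta analysis" that slide 21 credits to AppScan, without depending on the vendor's report format.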

  27. Summary/conclusion
  • No tool is perfect
    • but they can still help you find basic vulnerabilities
  • Commercial tools are made (and are good) for in-depth scanning of a few well-known sites
  • Open source tools are less sophisticated, and are made for automatic runs
  • Wapiti and W3AF chosen
    • a commercial tool may be used in the future for specific Web applications

  28. Thank you!
  • Questions?
  • Sebastian.Lopienski@cern.ch
