• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Web Application Security Introduction
 

Web Application Security Introduction

on

  • 554 views

This is the minified introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264) - It gives a ...

This is the minified introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264) - It gives a short motivation why Web Application Security is a high priority today and then goes through three of the most prominent vulnerabilities of web apps:
- SQL Injection
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
It will be explained how each of these technically work, what damage they can cause and how to avoid them in your own applications. The talk concludes with a summary of existing measures to increase application security and explains why none of these is a 100% solution. To keep you on the topic for a while after the talk, a "hacking homework" is presented where a vulnerable local web shop is supposed to be hacked in various ways.

For a full-grown coverage of the topic feel free to check out my Web Application Security Training Workshop slide deck: https://de.slideshare.net/BjrnKimminich/web-application-security-21684264.

/!\ Performing attacks on any website or server you do not own yourself is a crime in most countries!

Statistics

Views

Total Views
554
Views on SlideShare
439
Embed Views
115

Actions

Likes
2
Downloads
23
Comments
0

5 Embeds 115

http://kimminich.de 90
http://kimminich.wordpress.com 18
http://www.kimminich.de 5
https://www.linkedin.com 1
http://www.slideee.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Web Application Security Introduction Web Application Security Introduction Presentation Transcript

    • V1.0.4 (09.05.2014) Björn Kimminich https://twitter.com/bkimminich https://linkedin.com/in/bkimminich https://google.com/+BjörnKimminich http://slideshare.net/BjrnKimminich
    • 2007+ Software Architect & Security Officer at Kuehne+Nagel Corporate Web Development 2011+ Part-time lector for Java & Agile Software Develoment at private UAS Nordakademie 2012+ OWASP Member & QA Developer OWASP Zed Attack Proxy (ZAP)
    • Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
    • Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
    • Source: http://news.cnet.com/Hackers-deface-SCO-site/2100-7344_3-5469486.html
    • Source: http://www.informationweek.com/security/attacks/sony-hacked-again-1-million-passwords-ex/229900111
    • Web Applications have become the #1 target 75% of Attacks target the Application Layer (Gartner) Most Web Applications are vulnerable 95% of Web Applications have some sort of vulnerability (Imperva) 78% of easily exploitable weaknesses occur in Web Applications (Symantec) Web Applications are valuable targets Customer data, Credit Cards, ID Theft, Fraud, … Source: https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment
    • Source: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf „61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.“
    • Open Web Application Security Project Open community Non-profit organization Core purpose Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software https://www.owasp.org Source: https://www.owasp.org
    • A1: Injection A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A5: Security Misconfiguration A6: Sensitive Data Exposure A7: Missing Function Level Action Control A8: Cross Site Request Forgery (CSRF) A9: Using Known Vulnerable Components A10: Unvalidated Redirects and Forwards A1: Injection A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A5: Security Misconfiguration A6: Sensitive Data Exposure A7: Missing Function Level Action Control A8: Cross Site Request Forgery (CSRF) A9: Using Known Vulnerable Components A10: Unvalidated Redirects and Forwards
    • SELECT user_id FROM user_data WHERE user_name = 'bkimminich' AND user_password = '680e89[…]75ab'; // … String query = "SELECT user_id FROM user_data WHERE " + user_name = '" + req.getParameter("user") + "' AND user_password = '" + req.getParameter("password") +"'"; // …
    • SELECT user_id FROM user_data WHERE user_name = '' or 1=1 --' AND user_password = '1234'; // … String query = "SELECT user_id FROM user_data WHERE " + user_name = '" + req.getParameter("user") + "' AND user_password = '" + req.getParameter("password") +"'"; // …
    • Bypass Authentication admin' -- admin' # admin'/* ' or 1=1-- ' or 1=1# ' or 1=1/* ') or '1'='1 ') or ('1'='1 Source: http://ha.ckers.org/sqlinjection
    • Spy out Data ' UNION SELECT login, password, 'x' FROM user-- 1 UNION SELECT 1,1,1 FROM user-- Manipulate Data '; UPDATE user SET type = 'admin' WHERE id = 23;-- Manipulate the DB Server ' ;GO EXEC cmdshell('format C') -- Cheat Sheet: http://ha.ckers.org/sqlinjection Source: http://ha.ckers.org/sqlinjection
    • Plain SQL via JDBC HQL via Hibernate String query = "SELECT account_balance FROM user_data WHERE user_name = " + request.getParameter("customerName"); try { Statement statement = connection.createStatement(…); ResultSet results = statement.executeQuery(query); } Query unsafeHQLQuery = session.createQuery("from Inventory where productID='"+userSuppliedParameter+"'");
    • Avoid Interpreters at all if possible Use an interface that supports bind variables For SQL: Prepared Statements Enforce Least Privileges for the application‘s DB user Perform White List Input Validation on all user supplied input Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
    • White List = Positive Security Rule „Block what is not explicitly allowed!“ Example: Allow only [a-z], [A-Z] and [0-9] Define once, (almost) never worry again Can be quite effortsome to define for a whole application Black List = Negative Security Rule „Allow what is not explicitly blocked!“ Example vs. SQL Injection: Block [-#';] Example vs. HTML Injection: Block [<>";'script] Can be bypassed by masking attack patterns Must be updated for new attack patterns
    • Plain SQL via JDBC HQL via Hibernate String customerName = request.getParameter("customerName"); assert(CustomerValidator.doesExist(customerName); String query = "SELECT account_balance FROM user_data WHERE user_name = ?"; PreparedStatement pstmt = connection.prepareStatement(query); pstmt.setString(1, customerName); ResultSet results = pstmt.executeQuery(); Query safeHQLQuery = session.createQuery("from Inventory where productID=:productId"); safeHQLQuery.setParameter("productId", userSuppliedParameter);
    • Source: http://www.h-online.com/security/features/Web-application-security-747201.html ServerBrowser Database Web Application Bug! URL HTML Victim Request Website Server Response
    • Source: http://www.h-online.com/security/features/Web-application-security-747201.html ServerBrowser Database Web Application Bug! Website Server Response HTML URL URL Subsequent Victim Request
    • Simple Patterns <SCRIPT>javascript:alert('XSS');</SCRIPT> <IMG SRC=javascript:alert('XSS')> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> Masked / Evasive Patterns <IMG SRC=javascript:alert(&quot;XSS&quot;)> '';!--"<XSS>=&{()} <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav&#x09;ascript:alert('XSS');"> Source: http://ha.ckers.org/xss.html
    • Masked / Evasive Patterns (continued) <DIV STYLE="background- image:00750072006C0028'006a006100760061 007300630072006900700074003a0061006c00 65007200740028.10270058.1053005300270029' 0029"> <b onmouseover=alert('Wufff!')>click me!</b> <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> … Cheat Sheet: http://ha.ckers.org/xss.htmlSource: http://ha.ckers.org/xss.html
    • Scriptlet in Java Server Page (JSP) <%String searchCriteria = request.getParameter("searchValue");%> <%-- Later on the same or subsequent JSP... --> Search results for <b><%=searchCriteria%></b>: ...
    • Eliminate XSS Don‘t include user supplied input in your output! Defend against XSS Output Encode all user supplied input Perform White List Input Validation on user input Use an HTML Sanitizer for larger user supplied HTML chunks Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
    • Encoding with Struts Bean Taglib Encoding with OWASP Enterprise Security API ... Search results for <b><bean:write name='searchCriteria'/></b>: ... ... <easpi:encodeForHtml><%=searchCriteria></esapi:encodeForHtml> ...
    • Using a simple prepackaged policy Defining a customized policy private String sanitizeHtml(String html) { PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS) .and(Sanitizers.LINKS); return policy.sanitize(html); } private static final PolicyFactory BASIC_FORMATTING_WITH_LINKS_POLICY = new HtmlPolicyBuilder() .allowCommonInlineFormattingElements().allowCommonBlockElements() .allowAttributes("face", "color", "size", "style", "align").onElements("font") .allowAttributes("style").onElements("div", "span").allowElements("a") .allowAttributes("href").onElements("a").allowStandardUrlProtocols() .requireRelNofollowOnLinks().toFactory();
    • bank.com Web App Browser Bug! evil.org Web App LoginRequest GET / HTTP/1.1 Host: www.evil.org Response HTTP/1.1 200 OK ... <html> ... <img src=“http://bank.com/transfer ?to=hacker&amount=1000$“/> ... </html> CSRF-Attack GET/transfer?to=hacker &amount=1000$ HTTP/1.1 Host: bank.com
    • Intranet Firewall 192.168.0.1 Web App Browser Bug! evil.org Web App LoginRequest GET / HTTP/1.1 Host: www.evil.org Response HTTP/1.1 200 OK ... <html> ... <img src=“http://192.168.0.1/admin ?setAccessMode=remote&resetPassword“/> ... </html> CSRF-Attack GET/admin/setAccessMode =remote&resetPassword HTTP/1.1 Host: 192.168.0.1
    • Add a secret, not automatically submitted, token to all sensitive requests This makes it impossible for the attacker to spoof the request (unless there is an XSS hole in your application) Tokens should be cryptographically strong or random Make sure your application has no XSS holes which could be exploited to attack other applications (or itself) Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
    • What shenanigans might our troll friend have in mind with any unwelcome forum posts he encounters? [img]http://forum.com/logout.do[/img]
    • ServerNetwork Security Firewall IDS IPS Web App Malicious Requests exploit vulnerabilities and compromise application
    • ServerNetwork Security Firewall IDS IPS Web App Blackbox ScannerPenetration Test Whitebox Scanner Web App Sourcecode Code Analysis Fix + Patch Application New security holes might be introduced during ongoing development and bugfixing! Vulnerabilities might be insufficiently fixed
    • ServerNetwork Security Firewall IDS IPS Web App WAF Guidelines Ruleset WhitelistBlacklist Heuristics Defines legal/ illegal Requests Rejects illegal requests Sometimes rejects legitimate requests („False Positives“) or fails to recognize illegal requests („False Negative“)
    • Do not perform any attacks on servers, networks and applications… …you do not own and operate yourself …or have the owners permission to pentest
    • Source: http://code.google.com/p/bodgeit/
    • Download latest version http://code.google.com/p/bodgeit/downloads/list Unzip bodgeit.war into /webapps of an existing Serlvet Engine e.g. Tomcat, Jetty, … Launch your Server Browse to the BodgeIt Store e.g. http://localhost:8080/bodgeit Source: http://code.google.com/p/bodgeit/
    • Try to pass as many challenges as possible! No Scanners! No Cheating! No Decompilers! Source: http://code.google.com/p/bodgeit/
    • …for your attention! For more details, exercises and the seven remaining OWASP Top 10 check out my Web Application Security Training Workshop slides: http://slideshare.net/BjrnKimminich/web- application-security-21684264