Web Application Security Introduction


This is the minified introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264) - It gives a short motivation why Web Application Security is a high priority today and then goes through three of the most prominent vulnerabilities of web apps:
- SQL Injection
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
It will be explained how each of these technically works, what damage it can cause and how to avoid it in your own applications. The talk concludes with a summary of existing measures to increase application security and explains why none of them is a 100% solution. To keep you on the topic for a while after the talk, a "hacking homework" is presented in which a vulnerable local web shop is to be hacked in various ways.

For a full-grown coverage of the topic feel free to check out my Web Application Security Training Workshop slide deck: https://de.slideshare.net/BjrnKimminich/web-application-security-21684264.

/!\ Performing attacks on any website or server you do not own yourself is a crime in most countries!


1. V1.0.4 (09.05.2014), Björn Kimminich
    - https://twitter.com/bkimminich
    - https://linkedin.com/in/bkimminich
    - https://google.com/+BjörnKimminich
    - http://slideshare.net/BjrnKimminich
2. 2007+: Software Architect & Security Officer at Kuehne+Nagel Corporate Web Development; 2011+: Part-time lector for Java & Agile Software Development at private UAS Nordakademie; 2012+: OWASP Member & QA Developer OWASP Zed Attack Proxy (ZAP)
3. Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
4. Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
5. Source: http://news.cnet.com/Hackers-deface-SCO-site/2100-7344_3-5469486.html
6. Source: http://www.informationweek.com/security/attacks/sony-hacked-again-1-million-passwords-ex/229900111
7. Web Applications have become the #1 target
    - 75% of Attacks target the Application Layer (Gartner)
    - Most Web Applications are vulnerable: 95% of Web Applications have some sort of vulnerability (Imperva); 78% of easily exploitable weaknesses occur in Web Applications (Symantec)
    - Web Applications are valuable targets: Customer data, Credit Cards, ID Theft, Fraud, …
    - Source: https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment
8. „61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.“ Source: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
9. Open Web Application Security Project
    - Open community
    - Non-profit organization
    - Core purpose: Be the thriving global community that drives visibility and evolution in the safety and security of the world's software
    - https://www.owasp.org (Source: https://www.owasp.org)
10. OWASP Top 10
    - A1: Injection
    - A2: Broken Authentication and Session Management
    - A3: Cross-Site Scripting (XSS)
    - A4: Insecure Direct Object References
    - A5: Security Misconfiguration
    - A6: Sensitive Data Exposure
    - A7: Missing Function Level Access Control
    - A8: Cross Site Request Forgery (CSRF)
    - A9: Using Known Vulnerable Components
    - A10: Unvalidated Redirects and Forwards
11. The intended login query, and the Java code that builds it from the request parameters:

    ```sql
    SELECT user_id
    FROM user_data
    WHERE user_name = 'bkimminich'
    AND user_password = '680e89[…]75ab';
    ```

    ```java
    // …
    String query = "SELECT user_id FROM user_data WHERE "
        + "user_name = '" + req.getParameter("user")
        + "' AND user_password = '" + req.getParameter("password") + "'";
    // …
    ```

12. The same query after `' or 1=1 --` has been entered as the user name; the rest of the WHERE clause, including the password check, is now a comment:

    ```sql
    SELECT user_id
    FROM user_data
    WHERE user_name = '' or 1=1
    --' AND user_password = '1234';
    ```

    ```java
    // … (same concatenation as on slide 11)
    String query = "SELECT user_id FROM user_data WHERE "
        + "user_name = '" + req.getParameter("user")
        + "' AND user_password = '" + req.getParameter("password") + "'";
    // …
    ```

13. Bypass Authentication (Source: http://ha.ckers.org/sqlinjection)

    ```
    admin' --
    admin' #
    admin'/*
    ' or 1=1--
    ' or 1=1#
    ' or 1=1/*
    ') or '1'='1
    ') or ('1'='1
    ```

14. Spy out Data

    ```sql
    ' UNION SELECT login, password, 'x' FROM user--
    1 UNION SELECT 1,1,1 FROM user--
    ```

    Manipulate Data

    ```sql
    '; UPDATE user SET type = 'admin' WHERE id = 23;--
    ```

    Manipulate the DB Server

    ```sql
    ' ;GO EXEC cmdshell('format C') --
    ```

    Cheat Sheet / Source: http://ha.ckers.org/sqlinjection

15. Plain SQL via JDBC:

    ```java
    String query = "SELECT account_balance FROM user_data WHERE user_name = "
        + request.getParameter("customerName");
    try {
        Statement statement = connection.createStatement(…);
        ResultSet results = statement.executeQuery(query);
    }
    ```

    HQL via Hibernate:

    ```java
    Query unsafeHQLQuery = session.createQuery(
        "from Inventory where productID='" + userSuppliedParameter + "'");
    ```

16. Avoid Interpreters at all if possible
    - Use an interface that supports bind variables
    - For SQL: Prepared Statements
    - Enforce Least Privileges for the application's DB user
    - Perform White List Input Validation on all user supplied input
    - Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

17. White List = Positive Security Rule
    - „Block what is not explicitly allowed!“
    - Example: Allow only [a-z], [A-Z] and [0-9]
    - Define once, (almost) never worry again
    - Can be quite laborious to define for a whole application

    Black List = Negative Security Rule
    - „Allow what is not explicitly blocked!“
    - Example vs. SQL Injection: Block [-#';]
    - Example vs. HTML Injection: Block [<>";'script]
    - Can be bypassed by masking attack patterns
    - Must be updated for new attack patterns

18. Plain SQL via JDBC:

    ```java
    String customerName = request.getParameter("customerName");
    assert CustomerValidator.doesExist(customerName);
    String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, customerName);
    ResultSet results = pstmt.executeQuery();
    ```

    HQL via Hibernate:

    ```java
    Query safeHQLQuery = session.createQuery("from Inventory where productID=:productId");
    safeHQLQuery.setParameter("productId", userSuppliedParameter);
    ```
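The following is an added example and not code from the slides: it runs the concatenated login query of slide 11 and the bind-variable version of slide 18 side by side against an in-memory H2 database, with slide 17's positive rule (only `[a-z]`, `[A-Z]`, `[0-9]`) placed in front of the safe variant as a white list. It assumes the H2 JDBC driver is on the classpath; the table, the user row and the hash value are constructed for the demo, and names such as `LoginQueryDemo` and `isValidUserName` are this example's own.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/**
 * Added illustration, not code from the slides: the concatenated login query
 * of slide 11 next to the bind-variable version of slide 18, executed against
 * an in-memory H2 database (assumed to be on the classpath). Table, user row
 * and hash value are constructed for the demo.
 */
public class LoginQueryDemo {

    // Slide 17's positive rule: a user name may only contain [a-z], [A-Z] and [0-9].
    private static final Pattern USER_NAME = Pattern.compile("[a-zA-Z0-9]{1,32}");

    static boolean isValidUserName(String name) {
        return name != null && USER_NAME.matcher(name).matches();
    }

    /** Vulnerable variant: whatever the user typed becomes part of the SQL text. */
    static Integer loginConcatenated(Connection c, String user, String passwordHash)
            throws SQLException {
        String query = "SELECT user_id FROM user_data WHERE user_name = '" + user
                + "' AND user_password = '" + passwordHash + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(query)) {
            return rs.next() ? rs.getInt("user_id") : null;
        }
    }

    /** Fixed variant: the white list rejects odd input early, and the bind variables
     *  keep anything that passes as data, so quotes and comment markers stay inert. */
    static Integer loginPrepared(Connection c, String user, String passwordHash)
            throws SQLException {
        if (!isValidUserName(user)) {
            return null;
        }
        String query = "SELECT user_id FROM user_data WHERE user_name = ? AND user_password = ?";
        try (PreparedStatement ps = c.prepareStatement(query)) {
            ps.setString(1, user);
            ps.setString(2, passwordHash);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("user_id") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo", "sa", "")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE user_data (user_id INT, user_name VARCHAR(32), user_password VARCHAR(64))");
                // constructed row; the hash column holds a placeholder, not a real digest
                st.execute("INSERT INTO user_data VALUES (23, 'bkimminich', '680e89placeholder75ab')");
            }
            String bypass = "' or 1=1 --";   // slide 13's pattern, sent together with a wrong password
            // The concatenated query becomes ... WHERE user_name = '' or 1=1 --' AND ...
            // so the password check is commented out and the first matching user is returned.
            System.out.println("concatenated: user_id = " + loginConcatenated(c, bypass, "wrong"));
            // The prepared variant never reaches the database: the white list rejects the quote.
            System.out.println("prepared:     user_id = " + loginPrepared(c, bypass, "wrong"));
            // A regular login still works through the prepared statement.
            System.out.println("prepared:     user_id = " + loginPrepared(c, "bkimminich", "680e89placeholder75ab"));
        }
    }
}
```

Run it with the H2 jar on the classpath (`javac LoginQueryDemo.java && java -cp h2.jar:. LoginQueryDemo`). Even without the white list the prepared statement would look for a user literally named `' or 1=1 --` and find nothing; the white list is the second layer from slide 16, useful where the set of legal values is small. Fields that must accept free text (comments, addresses) cannot be white-listed that tightly, which is why the bind variable, not the validator, is the primary control.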
19. (Diagram, source: http://www.h-online.com/security/features/Web-application-security-747201.html) Browser, Web Application and Database on the Server; the Bug! sits in the Web Application. The Victim Request carries a URL to the Website, the Server Response returns HTML.
20. (Same diagram, same source) Here the URL reaches the Server first and the resulting HTML is delivered to a Subsequent Victim Request.
21. Simple Patterns

    ```html
    <SCRIPT>javascript:alert('XSS');</SCRIPT>
    <IMG SRC=javascript:alert('XSS')>
    <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
    ```

    Masked / Evasive Patterns

    ```html
    <IMG SRC=javascript:alert(&quot;XSS&quot;)>
    '';!--"<XSS>=&{()}
    <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
    <IMG SRC="jav ascript:alert('XSS');">
    <IMG SRC="jav ascript:alert('XSS');">
    ```

    Source: http://ha.ckers.org/xss.html

22. Masked / Evasive Patterns (continued)

    ```html
    <DIV STYLE="background-image:00750072006C0028'006a006100760061007300630072006900700074003a0061006c0065007200740028.10270058.1053005300270029'0029">
    <b onmouseover=alert('Wufff!')>click me!</b>
    <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
    ```

    … Cheat Sheet: http://ha.ckers.org/xss.html (Source: http://ha.ckers.org/xss.html)

23. Scriptlet in Java Server Page (JSP)

    ```jsp
    <% String searchCriteria = request.getParameter("searchValue"); %>
    <%-- Later on the same or subsequent JSP... --%>
    Search results for <b><%=searchCriteria%></b>: ...
    ```

24. Eliminate XSS: Don't include user supplied input in your output!

    Defend against XSS:
    - Output Encode all user supplied input
    - Perform White List Input Validation on user input
    - Use an HTML Sanitizer for larger user supplied HTML chunks
    - Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

25. Encoding with Struts Bean Taglib:

    ```jsp
    ... Search results for <b><bean:write name='searchCriteria'/></b>: ...
    ```

    Encoding with OWASP Enterprise Security API:

    ```jsp
    ... <esapi:encodeForHtml><%=searchCriteria%></esapi:encodeForHtml> ...
    ```

26. Using a simple prepackaged policy (OWASP Java HTML Sanitizer):

    ```java
    import org.owasp.html.HtmlPolicyBuilder;
    import org.owasp.html.PolicyFactory;
    import org.owasp.html.Sanitizers;

    private String sanitizeHtml(String html) {
        PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)
                .and(Sanitizers.LINKS);
        return policy.sanitize(html);
    }
    ```

    Defining a customized policy:

    ```java
    private static final PolicyFactory BASIC_FORMATTING_WITH_LINKS_POLICY =
        new HtmlPolicyBuilder()
            .allowCommonInlineFormattingElements().allowCommonBlockElements()
            .allowAttributes("face", "color", "size", "style", "align").onElements("font")
            .allowAttributes("style").onElements("div", "span").allowElements("a")
            .allowAttributes("href").onElements("a").allowStandardUrlProtocols()
            .requireRelNofollowOnLinks().toFactory();
    ```
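As an added example, not code from the slides or from Struts or ESAPI: the effect that `<bean:write>` and `<esapi:encodeForHtml>` on slide 25 have on the search result line of slide 23, written out by hand so that what happens to slide 21's patterns is visible. The class and method names are this example's own; a real application should use the OWASP Java Encoder or ESAPI rather than a hand-written encoder.

```java
/**
 * Added illustration, not code from the slides: HTML output encoding as applied
 * by <bean:write> or <esapi:encodeForHtml> on slide 25, spelled out by hand.
 * This encoder only covers the HTML text and quoted-attribute context; inside
 * a <script> block or a URL attribute a different encoder is needed.
 */
public class SearchResultRenderer {

    /** Replaces the characters that can end an HTML text node or attribute value. */
    static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char ch = input.charAt(i);
            switch (ch) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(ch);
            }
        }
        return out.toString();
    }

    /** Slide 23 as written: the search value is copied into the page verbatim. */
    static String renderVulnerable(String searchCriteria) {
        return "Search results for <b>" + searchCriteria + "</b>: ...";
    }

    /** Slide 25's fix: the search value is encoded before it is placed into the HTML. */
    static String renderEncoded(String searchCriteria) {
        return "Search results for <b>" + encodeForHtml(searchCriteria) + "</b>: ...";
    }

    public static void main(String[] args) {
        // constructed inputs, taken from the patterns on slides 21 and 22
        String[] searchValues = {
            "bkimminich",
            "<SCRIPT>javascript:alert('XSS');</SCRIPT>",
            "<IMG SRC=javascript:alert('XSS')>",
            "<b onmouseover=alert('Wufff!')>click me!</b>",
        };
        for (String value : searchValues) {
            System.out.println("raw:     " + renderVulnerable(value));
            System.out.println("encoded: " + renderEncoded(value));
            System.out.println();
        }
    }
}
```

In the encoded output no `<` from the user survives, so the browser renders the pattern as visible text while the template's own `<b>` still works. Note that the right encoding depends on where the value lands: entity encoding protects an HTML text node, but a value written into a JavaScript string or a `href` needs JavaScript or URL encoding instead, which is why ESAPI offers `encodeForJavaScript` and `encodeForURL` alongside `encodeForHtml`.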
27. CSRF attack against bank.com (diagram: bank.com Web App, Browser, Bug!, evil.org Web App)

    LoginRequest to evil.org:

    ```http
    GET / HTTP/1.1
    Host: www.evil.org
    ```

    Response:

    ```http
    HTTP/1.1 200 OK
    ...
    <html>
    ...
    <img src="http://bank.com/transfer?to=hacker&amount=1000$"/>
    ...
    </html>
    ```

    CSRF-Attack, issued by the victim's browser while loading the image:

    ```http
    GET /transfer?to=hacker&amount=1000$ HTTP/1.1
    Host: bank.com
    ```

28. CSRF attack against an Intranet device behind the Firewall (diagram: 192.168.0.1 Web App, Browser, Bug!, evil.org Web App)

    LoginRequest to evil.org:

    ```http
    GET / HTTP/1.1
    Host: www.evil.org
    ```

    Response:

    ```http
    HTTP/1.1 200 OK
    ...
    <html>
    ...
    <img src="http://192.168.0.1/admin?setAccessMode=remote&resetPassword"/>
    ...
    </html>
    ```

    CSRF-Attack, issued by the victim's browser from inside the Intranet:

    ```http
    GET /admin?setAccessMode=remote&resetPassword HTTP/1.1
    Host: 192.168.0.1
    ```

29. Add a secret, not automatically submitted, token to all sensitive requests
    - This makes it impossible for the attacker to spoof the request (unless there is an XSS hole in your application)
    - Tokens should be cryptographically strong or random
    - Make sure your application has no XSS holes which could be exploited to attack other applications (or itself)
    - Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

30. What shenanigans might our troll friend have in mind with any unwelcome forum posts he encounters?

    ```
    [img]http://forum.com/logout.do[/img]
    ```
31. (Diagram: Server behind Network Security, consisting of Firewall, IDS and IPS, with the Web App on it.) Malicious Requests exploit vulnerabilities and compromise the application.
32. (Same diagram.) Blackbox Scanner / Penetration Test against the running Web App; Whitebox Scanner / Code Analysis against the Web App Sourcecode; then Fix + Patch Application.
    - New security holes might be introduced during ongoing development and bugfixing!
    - Vulnerabilities might be insufficiently fixed
33. (Same diagram, with a WAF in front of the Web App.) WAF Guidelines: Ruleset (Whitelist / Blacklist), Heuristics
    - Defines legal/illegal Requests
    - Rejects illegal requests
    - Sometimes rejects legitimate requests („False Positives“) or fails to recognize illegal requests („False Negatives“)
34. Do not perform any attacks on servers, networks and applications…
    - …you do not own and operate yourself
    - …or have the owner's permission to pentest
35. Source: http://code.google.com/p/bodgeit/
36. Download latest version: http://code.google.com/p/bodgeit/downloads/list
    - Unzip bodgeit.war into /webapps of an existing Servlet Engine, e.g. Tomcat, Jetty, …
    - Launch your Server
    - Browse to the BodgeIt Store, e.g. http://localhost:8080/bodgeit
    - Source: http://code.google.com/p/bodgeit/
37. Try to pass as many challenges as possible! No Scanners! No Cheating! No Decompilers! Source: http://code.google.com/p/bodgeit/
38. …for your attention! For more details, exercises and the seven remaining OWASP Top 10 check out my Web Application Security Training Workshop slides: http://slideshare.net/BjrnKimminich/web-application-security-21684264