Designing and Testing Secure Web Applications
2. Background and Material
- Will Bechtel, Blue Oasis - CISSP
- 18 years of experience in Software Development, IT and Security.
- Development of web based applications for Sony, American Express, Cellular One, Federal Express, Sega, US Navy, Wells Fargo.
- Example .Net Web application from www.foundstone.com – Hacme Bank.
- Top ten vulnerabilities from Open Web Application Security Project (OWASP) – www.owasp.org
3. Overview
- Application vulnerabilities – why should you care?
- Review top ten web application vulnerabilities (www.owasp.org).
- Review simplified common Web Application Architecture.
- Review web application attack architecture.
- Show web application attacks on Foundstone's Hacme Bank example application.
- Introduction to automated testing tools for scanning web applications.
- Overview of web application security testing tool – SPI Dynamics' WebInspect.
- Overview of database server testing tool – Application Security Inc.'s AppDetective.
4. Application vulnerabilities – why should you care?
- 2004 – Victoria's Secret fined $50,000 for breach of privacy on website. Parameter alteration.
- 2002 – Tower Records agreement under which it could pay up to $11,000 for each occurrence (up to 5,000 occurrences). Parameter alteration.
- Neither of the above counts the lawsuits that are sure to follow … so LIABILITY is the issue.
5. OWASP Top 10 Web App Vulnerabilities
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting (XSS) flaws
- Buffer Overflows
- Injection Problems
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management
6. Typical Web Application Scenario (architecture diagram)
- Client Web Browser (Internet Explorer) on the Internet talks HTTP(S) through the outer Firewall to the Web Server (IIS) in the DMZ.
- The Web Server talks ODBC through the inner Firewall to the Database (MSSQL).
7. Web Application Attack Scenario (architecture diagram)
- Attack Workstation: Web Browser -> Proxy Server -> HTTP(S) over the Internet -> Firewall -> DMZ: Web Server -> ODBC -> Firewall -> Database.
- Proxy Server allows changes to requests after leaving the web browser, but before reaching the server – changes to parameters, etc.
8. Hacme Bank Examples
- SQL Injection
- URL Parameter Manipulation
- FORM Parameter Manipulation
- Cross-Site Scripting
- Cookie Manipulation
9. Introduction to Automated Web Application Testing Tools
- Tools automate the 'attack' on the web server/database server.
- Send protocol specific requests to the server to test for common vulnerabilities.
- Can execute policy based scans for specific purposes.
10. What automated testing tools excel at:
- Testing for 100s of common vulnerabilities and misconfigurations that are impractical to test for manually.
- Regression testing of servers to ensure they stay secure – especially after activities like patching or new code deployment.
- Ability to schedule automated scanning/testing for off-production hours to avoid conflicts.
11. What automated testing tools have problems with:
- Detailed exploits that require intelligent feedback and analysis – example: Advanced SQL Injection for Hacme Bank.
- White box testing – automated tools are most effective at 'guessing' and using known signatures to identify issues. Software code reviews may find many more lurking issues that the tools cannot, especially with custom developed software.
12. Common issues with automated test tools:
- Testing can adversely impact a system being scanned. Performance issues and crashing can happen. It is usually difficult to know what the impact will be before scanning any given web/app or database server.
- The most rigorous testing usually requires special planning and may overload log files, set off IDS sensors and leave 'junk' application data.
- Information overload and false positives.
13. Some techniques for addressing common issues with automated test tools:
- Always run scans on development, then test, then production. This doesn't eliminate issues because many times these environments are not exactly the same, but it usually reduces the likelihood of adverse effects.
- The first scans for any given system should be run manually and monitored with the system admin so that any issues can be identified and the scan can be stopped if needed.
- If testing data will be injected, back up the database/system prior to testing, then restore after the test. You are probably better off creating a second test environment for this case.
- Coordinate testing around known process schedules; ensure other security personnel who monitor security sensors or management systems are in the loop.
14. SPI Dynamics - WebInspect
- Automated tool for scanning web applications and web services.
- Smart update to get latest vulnerability tests.
- Scriptable – can automate login process/etc.
- Has 2 phases
  - Crawl
    - Read only – does not post any data
    - Determines vulnerabilities by interacting with app – uses informed guessing and reads signatures
    - Lower impact
  - Audit
    - Submits data to expose vulnerabilities
    - High impact – will put test data into application
15. SPI Dynamics – WebInspect - Challenges
- False positives and noise.
- Can be difficult to know how best to test an application. Multiple scans with and without credentials provide the best coverage but are the most complicated.
- Although there are explanations for vulnerabilities and references to how to mitigate the risk, it can be difficult to determine how to prioritize remediation/control analysis.
- Tool can automatically find the issues, but addressing them can be overwhelming.
- Application usage/environment must be factored into risk ratings.
16. Application Security Inc – AppDetective
- Automated tool for scanning databases.
- Smart update to get latest vulnerability tests.
- Has 2 primary phases
  - Pen Test
    - Black box – tests without authentication or access.
    - Determines vulnerabilities by interacting with app – uses informed guessing and reads signatures
    - Acts as an 'outsider' would
  - Audit
    - Utilizes supplied credentials to read configuration
    - Can identify configuration/patching/other problems
17. Application Security Inc – AppDetective - Challenges
- Getting the DBAs to let you test their systems without having a stroke.
- Potential impact on other applications that use a shared DB Server.
- Can be difficult to determine the real level of risk – there is always a trade-off between the risk of the fix breaking something and leaving the opening.
18. Licensing Issues
- WebInspect licensed by company, not per server. Good for large organizations – prices out smaller companies.
- AppDetective licenses per 'instance'. More practical for small companies, can get pricey for larger organizations.
19. OWASP Top Ten Mitigation Techniques
- Unvalidated Input, Cross Site Scripting (XSS), Injection Problems, Buffer Overflows
  - Mitigation techniques: Code reviews. Do not rely on client-side (JavaScript) validation. Develop or purchase common input validation routines (validated), then put policies/standards in place that require they be used or, if not, that other routines used pass similar validation.
- Broken Access Control
  - Mitigation techniques: Code reviews of custom code. Use trusted components. URL filtering. Avoid client-side caching (for cookies, etc.).
- Broken Authentication and Session Management
  - Mitigation techniques: Ensure password complexity and secure storage, SSL to protect credentials in transit, avoid client-side caching.
- Cross Site Scripting (XSS) flaws
  - Mitigation techniques: Develop or purchase common input validation routines (validate them), then put policies/standards in place that require they be used or, if not, that other routines used pass similar validation.
20. OWASP Top Ten Mitigation Techniques
- Injection Flaws
  - Mitigation techniques: Use prepared statements and stored procedures. Check return codes for proper/expected values.
- Improper Error Handling
  - Mitigation techniques: Fail closed. Do not return unneeded information to the user (log it).
- Insecure Storage
  - Mitigation techniques: Avoid storing sensitive information – if possible require re-entry. Do not 'roll your own' encryption – use industry validated components.
- Denial of Service
  - Mitigation techniques: If possible limit the resources a single user can utilize. Do not allow unauthenticated users to execute expensive operations.
- Insecure Configuration Management
  - Mitigation techniques: Patch regularly. Utilize vendor and industry supplied hardening guidelines for web/app/database at both the OS and application tier.
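The Hacme Bank attacks listed on slide 8 (SQL injection, URL/form parameter manipulation, cross-site scripting) and the mitigations on slides 19 and 20 (server-side input validation, prepared statements, authorization tied to the session, output encoding, fail-closed error handling), shown side by side as an added Python example. This is not code from the original deck and not Foundstone's Hacme Bank, which is a .NET application; the table layout, user names, passwords and account numbers are constructed for the example, sqlite3 stands in for the MSSQL/ODBC tier of slide 6, and a plain list stands in for the server log.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a Hacme Bank style database.

    Users, passwords and account numbers are made up for this example; they are
    not Foundstone's schema or seed data. Plaintext passwords are kept only so
    the injection payload below is easy to follow (slide 19: store them securely).
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner_id INTEGER, balance REAL);
        INSERT INTO users VALUES (1, 'alice', 'alice-pass'), (2, 'bob', 'bob-pass');
        INSERT INTO accounts VALUES (1001, 1, 1000.00), (1002, 2, 250.00);
        """
    )
    return conn


# --- Injection: string-built SQL versus a prepared (parameterised) statement ---

def login_vulnerable(conn, username, password):
    """Builds the query by concatenation. A username of  ' OR '1'='1' --
    turns the WHERE clause into  username = '' OR '1'='1'  and comments out
    the password check, so the first user in the table is logged in."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Prepared statement: the driver binds the values, they never become SQL syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# --- Unvalidated input: server-side allowlist for a URL/form parameter ---

def parse_account_id(raw):
    """Accept only a short run of digits. Client-side (JavaScript) checks are
    bypassed with the intercepting proxy of slide 7, so this runs on the server."""
    if not re.fullmatch(r"\d{1,12}", raw):
        raise ValueError("invalid account id")
    return int(raw)


# --- Broken access control: URL parameter manipulation of the account number ---

def get_balance_vulnerable(conn, session_user_id, account_id):
    """Looks the account up by the number from the URL alone; editing that
    number in the proxy returns another customer's balance."""
    row = conn.execute("SELECT balance FROM accounts WHERE id = ?",
                       (account_id,)).fetchone()
    return row[0] if row else None


def get_balance_safe(conn, session_user_id, account_id):
    """Ties the lookup to the user identified by the server-side session."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ? AND owner_id = ?",
        (account_id, session_user_id)).fetchone()
    return row[0] if row else None


# --- Cross-site scripting: encode untrusted data when it is written into HTML ---

def greeting_vulnerable(display_name):
    return f"<p>Welcome, {display_name}</p>"


def greeting_safe(display_name):
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


# --- Improper error handling: fail closed, log the detail, return a generic message ---

def balance_page(conn, session_user_id, raw_account_id, log):
    """Request handler that never returns the exception text to the client."""
    try:
        balance = get_balance_safe(conn, session_user_id, parse_account_id(raw_account_id))
    except Exception as exc:
        log.append(repr(exc))            # detail goes to the server log only
        return "Request could not be processed"
    return "Not found" if balance is None else f"Balance: {balance:.2f}"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"
    print("vulnerable login:", login_vulnerable(db, payload, "x"))   # 1
    print("prepared login:  ", login_safe(db, payload, "x"))         # None
    print("IDOR:", get_balance_vulnerable(db, 2, 1001), "vs", get_balance_safe(db, 2, 1001))
    print(greeting_safe("<script>alert(1)</script>"))
```

Each vulnerable/safe pair is the same query or template with one change, which is the point of slides 19 and 20: the fix is a standard routine (bind parameters, an allowlist validator, an HTML encoder, an owner check) applied everywhere by policy, not a clever per-page patch. The `balance_page` handler shows why a scanner such as WebInspect sees less on a hardened application: a tampered parameter yields the same generic message whether it failed validation, authorization or the database call.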
21. Web Application Security References
- Open Web Application Security Project (OWASP) - http://www.owasp.org/
- Web Application Security Consortium - http://www.webappsec.org/
22. Web Application Testing Tools
- Paros Proxy http://www.parosproxy.org/download.shtml – intercepting proxy server
- Foundstone – Hacme Bank and other free tools - http://www.foundstone.com/index.htm?subnav=products/navigation.htm&subcontent=/products/overview.htm
- SPI Dynamics – WebInspect http://www.spidynamics.com/products/webinspect/index.html - Web app security assessment tool
- Watchfire (purchased Sanctum) – AppScan http://www.watchfire.com/products/security/default.aspx - Web app security assessment tool
- Application Security Inc - AppDetective http://www.appsecinc.com/products/appdetective/ - Database security assessment tool.