Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101

Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan Lee Kinsman – Software Architect Alan Kan – Technical Specialist

Agenda
Introductions & facilities
The importance of web application security
Vulnerability Analysis
Top Attacks Overview
Hands on Labs 1-2
Vulnerability Analysis (continued)
Hands on Labs 3-5
Automated Vulnerability Analysis
AppScan Overview
Hands on Lab 6

Welcome to the Hacking 101 Workshop
Introductions
Restrooms
Emergency Exits
Smoking Policy

POT Objectives
By the end of this session you will:
Understand the web application environment
Understand and differentiate between network and application level vulnerabilities
Understand where the vulnerabilities exist
Understand how to leverage AppScan to perform an automated scan for vulnerabilities

Agenda
Hands on Labs 1-2
Hands on Labs 3-5
AppScan Overview
Hands on Lab 6

The Alarming Truth LexisNexis Data Breach - Washington Post Feb 17, 2008 IndiaTimes.com Malware — InformationWeek Feb 17,2008 Hacker breaks into Ecuador’s presidential website — Thaindian, Feb 11, 2008 Hacking Stage 6 — Wikipedia, Feb 9 2007 Hacker steals Davidson Cos client data - Falls Tribune, Feb 4 2008 RIAA wiped off the Net — TheRegister, Jan 20 2008
Chinese hacker steals 18M identities
- HackBase.com, Feb 10,2008
Mac blogs defaced by XSS
The Register, Feb 17, 2008
Your Free MacWorld Expo Platinum Pass — CNet, Jan 14, 2008 Hacker takes down Pennsylvania gvmt — AP, Jan 6, 2008 Drive-by Pharming in the Wild — Symantec, Jan 21 2008 Italian Bank hit by XSS fraudsters — Netcraft, Jan 8 2008 Greek Ministry websites hit by hacker intrusion — eKathimerini, Jan 31,2008

“ Security Intelligence Service director Warren Tucker revealed government department websites had been attacked and information stolen ”
nzherald.co.nz Sep 12, 2007
“ A florist which does all of its business online has had its website targeted by hackers and customers' credit card details have been stolen. “
abc.net.au Sep 17, 2007
“ Turkish hackers bring down insurer's site…The site was shut down as a precaution and was unavailable for most of today”
SMH.com.au July 20, 2007
“ Computer hackers have cracked the defences of dozens of top government and business sector internet sites this year, raising concerns about the safety of consumers' financial and personal information.”
SMH.com.au October 14 2007
“ Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions.”
Jon Oltsik – Enterprise Strategy Group
The Alarming Truth

Security and compliance risks
90% of sites are vulnerable to application attacks
80% of organizations will experience an application security incident by 2010
64% of CIOs feel that the most significant challenge facing IT organizations is Security, Compliance and Data Protection.
(Disability Discrimination Act (DDA), Payment Card Industry (PCI) Standards, SOX
75% of the cyber attacks today are at the application level
Compliance requirements: Payment Card Industry (PCI) Standards, GLBA, HIPPA, FISMA
Security and compliance integrity risks have serious adverse impacts on a company’s identity, customer relations and business results.

Reality: Security and Spending Are Unbalanced Sources: Gartner, Watchfire % of Attacks % of Dollars 75% 10% 25% 90% Sources: Gartner, Watchfire of All Attacks on Information Security Are Directed to the Web Application Layer 75% of All Web Applications Are Vulnerable 2/3 Network Server Web Applications Security Spending

2006 Vulnerability Statistics (31,373 sites) ** http://www.webappsec.org/projects/statistics/

The Myth: Our Site Is Safe We Use Network Vulnerability Scanners We Have Firewalls in Place We Audit It Once a Quarter with Pen Testers We Use SSL Encryption

Confusing Network Security Discipline with Application Security “Application developers and their superiors in IT departments too often mistakenly believe that firewalls, IDS / IPS, and network traffic encryption are sufficient measures for application security. By doing so they are confusing application security with network security” “None of those technologies hardens application code. All those technologies deal with traffic to applications, not with the applications themselves…. Applications need protection through separate, specific security discipline – application security” Application Security Testing, Gartner, March 2, 2007

High Level Web Application Architecture Review (Presentation) App Server (Business Logic) Database Client Tier (Browser) Middle Tier Data Tier Firewall Sensitive data is stored here Protects Network Internet SSL Protects Transport Customer App is deployed here

Network Defenses for Web Applications Intrusion Detection System Intrusion Prevention System Application Firewall Firewall System Incident Event Management (SIEM) Perimeter IDS IPS App Firewall Security

Port 80 and Port 443 are open for business….

Building Security & Compliance into the SDLC Developers SDLC Developers Developers Enable Security to effectively drive remediation into development Provides Developers and Testers with expertise on detection and remediation ability Ensure vulnerabilities are addressed before applications are put into production Build Coding QA Security Production

Agenda
Hands on Labs 1-2
Hands on Labs 3-5
AppScan Overview
Hands on Lab 6

Where are the Vulnerabilities? Network Network Operating System Operating System Applications Applications Database Database Third-party Components Third-party Components Web Server Web Server Configuration Web Server Web Server Configuration Web Applications Client-Side Custom Web Services Web Applications Client-Side Custom Web Services Network Nessus ISS QualysGuard eEye Retina Foundstone Host Symantec NetIQ ISS CA Harris STAT Database AppSec Inc NGS Software App Scanners Watchfire SPI Dynamics Cenzic NT Objectives Acunetix WVS Code Scanning Emerging Tech Fortify Ounce Labs Secure Software Klockwork Parasoft Network Operating System Applications Database Web Server Web Server Configuration Third-party Components Web Applications Client-Side Custom Web Services Security

Security Defects: Those I manage vs. Those I own Requires automatic application lifecycle security Patch latency primary issue Business Risk Requires application specific knowledge Match signatures & check for known misconfigurations. Detection Early detection saves $$$ As secure as 3 rd party software Cost Control SQL injection, path tampering, Cross site scripting, Suspect content & cookie poisoning Known vulnerabilities (patches issued), misconfiguration Type(s) of Exploits Business logic - dynamic data consumed by an application 3 rd party technical building blocks or infrastructure (web servers,) Location within Application Insecure application development In-house Insecure application development by 3 rd party SW Cause of Defect Application Specific Vulnerabilities (ASVs) Infrastructure Vulnerabilities or Common Web Vulnerabilities (CWVs)

OWASP and the OWASP Top 10 list
Open Web Application Security Project – an open organization dedicated to fight insecure software
“The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are”
We will use the Top 10 list to cover some of the most common security issues in web applications

The OWASP Top 10 list Hackers can impersonate legitimate users, and control their accounts. Identity Theft, Sensitive Information Leakage, … Cross Site scripting Hacker can forcefully browse and access a page past the login page Hacker can access unauthorized resources Failure to Restrict URL Access Unencrypted credentials “sniffed” and used by hacker to impersonate user Sensitive info sent unencrypted over insecure channel Insecure Communications Confidential information (SSN, Credit Cards) can be decrypted by malicious users Weak encryption techniques may lead to broken encryption Insecure Cryptographic Storage Hacker can “force” session token on victim; session tokens can be stolen after logout Session tokens not guarded or invalidated properly Broken Authentication & Session Management Malicious system reconnaissance may assist in developing further attacks Attackers can gain detailed system information Information Leakage and Improper Error Handling Blind requests to bank account transfer money to hacker Attacker can invoke “blind” actions on web applications, impersonating as a trusted user Cross-Site Request Forgery Web application returns contents of sensitive file (instead of harmless one) Attacker can access sensitive files and resources Insecure Direct Object Reference Site modified to transfer all interactions to the hacker. Execute shell commands on server, up to full control Malicious File Execution Hackers can access backend database information, alter it or steal it. Attacker can manipulate queries to the DB / LDAP / Other system Injection Flaws Example Impact Negative Impact Application Threat

1. Cross-Site Scripting (XSS)
What is it?
Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context
What are the implications?
Session Tokens stolen (browser security circumvented)
Complete page content compromised
Future pages in browser compromised

Cross Site Scripting – The Exploit Process Evil.org User bank.com 1) Link to bank.com sent to user via E-mail or HTTP 2) User sends script embedded as data 3) Script/data returned, executed by browser 4) Script sends user’s cookie and session information without the user’s consent or knowledge 5) Evil.org uses stolen session information to impersonate user

XSS Example I HTML code:

XSS Example II HTML code:

XSS – Details
Common in Search, Error Pages and returned forms.
But can be found on any type of page
Any input may be echoed back
Path, Query, Post-data, Cookie, Header, etc.
Browser technology used to aid attack
XMLHttpRequest (AJAX), Flash, IFrame…
Has many variations
XSS in attribute, DOM Based XSS, etc.

Exploiting XSS
If I can get you to run my JavaScript, I can…
Steal your cookies for the domain you’re browsing
Track every action you do in that browser from now on
Redirect you to a Phishing site
Completely modify the content of any page you see on this domain
Exploit browser vulnerabilities to take over machine
…
XSS is the Top Security Risk today (most exploited)

Agenda
Hands on Labs 1-2
Hands on Labs 3-5
AppScan Overview
Hands on Lab 6

Hands-on Labs
Lab 1 – Profile Web Application
Lab 2 – Steal Cookies
Lab 3 – Login without Credentials
Lab 4 – Steal Usernames and Passwords
Lab 5 – Logging into the Administrative Portal
Lab 6 – Automated Scan of Website

Lab 1 Profile Web Application
The Goal of this lab is to profile the demo.testfire.net application
Identify the Lab Workbook and where to start (page 5), where to stop (page 11)

Lab 2 Steal Cookies
The goals of the lab is to utilize a Cross Site Scripting vulnerability on the demo.testfire.net application in order to access cookies on a target user’s browser

Agenda
Security Landscape
Hands on Labs 1-2
Hands on Labs 3-5
AppScan Overview
Hands on Lab 6

2 - Injection Flaws
What is it?
User-supplied data is sent to an interpreter as part of a command, query or data.
SQL Injection – Access/modify data in DB
SSI Injection – Execute commands on server and access sensitive data
LDAP Injection – Bypass authentication
…

SQL Injection
User input inserted into SQL Command:
Get product details by id: Select * from products where id=‘ $REQUEST[“id”] ’;
Hack: send param id with value ‘ or ‘1’=‘1
Resulting executed SQL: Select * from products where id=‘ ’ or ‘1’=‘1 ’
All products returned

SQL Injection Example I

SQL Injection Example II

SQL Injection Example - Exploit

SQL Injection Example - Outcome

Injection Flaws (SSI Injection Example) Creating commands from input

The return is the private SSL key of the server

3 - Malicious File Execution
What is it?
Application tricked into executing commands or creating files on server
Command execution on server – complete takeover
Site Defacement, including XSS option

Malicious File Execution – Example I

Malicious File Execution – Example cont.

4 - Insecure Direct Object Reference
What is it?
Part or all of a resource (file, table, etc.) name controlled by user input.
Access to sensitive resources
Information Leakage, aids future hacks

Insecure Direct Object Reference - Example

Insecure Direct Object Reference – Example Cont.

5 - Information Leakage and Improper Error Handling
What is it?
Unneeded information made available via errors or other means.
Sensitive data exposed
Web App internals and logic exposed (source code, SQL syntax, exception call stacks, etc.)
Information aids in further hacks

Information Leakage - Example

Improper Error Handling - Example

Information Leakage – Different User/Pass Error

6 - Failure to Restrict URL Access
What is it?
Resources that should only be available to authorized users can be accessed by forcefully browsing them
Sensitive information leaked/modified
Admin privileges made available to hacker

Failure to Restrict URL Access - Admin User login /admin/admin.aspx

Simple user logs in, forcefully browses to admin page

Failure to Restrict URL Access: Privilege Escalation Types
Access given to completely restricted resources
Accessing files that shouldn’t be served (*.bak, “Copy Of”, *.inc, *.cs, ws_ftp.log, etc.)
Vertical Privilege Escalation
Unknown user accessing pages past login page
Simple user accessing admin pages
Horizontal Privilege Escalation
User accessing other user’s pages
Example: Bank account user accessing another’s

Agenda
Security Landscape
Hands on Labs 1-2
Hands on Labs 3-5
AppScan Overview
Hands on Lab 6

Hands-on Labs 3-5
Lab 1 – Profile Web Application
Lab 2 – Steal Cookies
Lab 3 – Login without Credentials
Lab 4 – Steal Usernames and Passwords
Lab 5 – Logging into the Administrative Portal
Lab 6 – Automated Scan of Website

Lab 3 overview Login without Credentials
The goal of the lab is to use locate a SQL injection vulnerability and exploit it to log into the demo.testfire.net application without a password

Lab 4 overview – Steal Username and Password
The Goal of this Lab is to exploit the SQL Injection vulnerability further in order to extract all the usernames and passwords from the demo.testfire.net application

Lab 5 overview – Logging in to Admin Portal
The Goal of this lab is to use Information Leakage and Direct Access to URLs to find and log into the administrative portal

Agenda
Security Landscape
Hands on Labs 1-2
Hands on Labs 3-5
AppScan Overview
Hands on Lab 6

Watchfire in the Rational Portfolio Developer Test Functional Test Automated Manual Rational RequisitePro Rational ClearQuest Rational ClearQuest Defects Project Dashboards Detailed Test Results Quality Reports Performance Test SOFTWARE QUALITY SOLUTIONS Test and Change Management Test Automation Quality Metrics DEVELOPMENT OPERATOINS BUSINESS Rational ClearQuest Requirements Test Change Rational PurifyPlus Rational Test RealTime Rational Functional Tester Plus Rational Functional Tester Rational Robot Rational Manual Tester Rational Performance Tester Security and Compliance Test AppScan Policy Tester Interface Compliance Policy Tester Test Automation Content Compliance ADA 508, GLBA, Safe Harbor Quality, Brand, Search, Inventory

AppScan
What is it?
AppScan is an automated tool used to perform vulnerability assessments on Web Applications
Why do I need it?
To simplify finding and fixing web application security problems
What does it do?
Scans web applications, finds security issues and reports on them in an actionable fashion
Who uses it?
Security Auditors – main users today
QA engineers – when the auditors become the bottle neck
Developers – to find issues as early as possible (most efficient)

What does AppScan test for? Network Operating System Applications Database Third-party Components Web Applications AppScan Web Server Web Server Configuration

How does AppScan work?
Approaches an application as a black-box
Traverses a web application and builds the site model
Determines the attack vectors based on the selected Test policy
Tests by sending modified HTTP requests to the application and examining the HTTP response according to validate rules
HTTP Request Web Application HTTP Response

AppScan Goes Beyond Pointing out Problems

Actionable Fix Recommendations

AppScan with QA Defect Logger for ClearQuest

IBM Watchfire on the Net
Watchfire.com - http://www.watchfire.com
Product evaluation download
AppScan Extensions Framework – http://axf.watchfire.com
Power Point Reporter, Pyscan, Defect Logger CQ
Watchfire Blog – http:// blog.watchfire.com/wfblog
Expert opinion and watchfire news
AppScan Knowledge On Demand (computer based training)
App Security 101, OWASP Top 10, WASC Threat Classifications, Common Attacks

Lab 6 overview
The goal of this lab is to use AppScan in order to automate the detection of vulnerabilities within a web application

Session summary

Session summary
Understand the web application environment
Understand and differentiate between network and application level vulnerabilities
Understand where the vulnerabilities exist
Hands on exercises to understand types of vulnerabilities
Hands on exercise to leverage automated scan for vulnerabilities

Next steps
Further discussions with IBM Rational Account Representative and/or AppScan product expert.
Jono Massy-Greene [email_address] 04-462-3487 021-228-3703
Alan Kan [email_address] 09-359-8768 021-668-185
Schedule a Security Business Value Assessment
Schedule a Vulnerability Assessment of one our your Applications

Register today with discount code “HDDE” and receive $100 off your registration fee! Visit www.ibm.com/rational/rsdc for more information IBM Rational Software Development Conference 2008 June 1 – 5, 2008; Orlando, Florida
CONFERENCE HIGHLIGHTS:
Over 3,000 customers and partners
Over 300 sessions – 14 tracks
Executive Summit 2008
3- and 5-hour Technical Workshops
Access to IBM Engineers
and IBM Research
Keynotes with industry-leading experts
Exhibit hall showcasing complimentary
product and services
Unlimited networking opportunities
IBM Solution Center
Interactive Birds-of-a-Feather Sessions

We appreciate your feedback. Please fill out the survey form in order to improve this educational event.

Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101

by Alan Kan

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101 Presentation Transcript