The Web Is Broken
      Why every feature is, in fact, a loophole!
"The Web Is Broken" by Bipin Upadhyay

4,071

Published on

Can be used as an introductory presentation to web security basics. Contains an intro to attacks and prevention tips, organized neatly.
http://codeinmybug.wordpress.com/2007/10/12/the-web-is-broken/

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,071
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
150
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

"The Web Is Broken" by Bipin Upadhyay

“The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure.”

Bipin Upadhyay                            http://projectbee.org

RoadMap
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage

RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage

Who Am I?
    • I am SpiderMan
    • Apart from that, I:
          – am a part of ADMS
          – work on WebAppSec
          – am co-author of a yet to be released book
    • I can be pinged @:
          – http://blog.projectbee.org
          – Om-[AT]-PROJectBee-[DOT]-org

Web 1.0 versus Web 2.0
    (image slide)

Technologies Involved
    (image slide)

Fundamentals
    (stylized text) Fundamentals, more or less, still the same.

Fundamentals…
    (diagram labels) User, User; Firewall / IDS; Web server (server-side scripts like PHP, ASP, JSP etc.); Database, Database

Network Sec. versus Web Sec.
    (diagram labels) Ports 0 … 65535, with 80 and 443 marked; Attacker; Firewall/IDS/IPS; Web Server

Network Sec. versus Web Sec…
    (diagram labels) Ports 0 … 65535; Victim; Firewall/NATed IP; Malicious OR Compromised Web Server

How serious is the matter!
    • 90% of web applications have serious vulnerabilities –Gartner Group
    • 78% of attacks are at the web application level –Symantec
    • XSS and SQLI replacing buffer overflows as the favourite hacker initiative –Mitre
    • 8–9 out of every 10 sites vulnerable to XSS –WASC

How serious is the matter!…
    (image slide)

How serious is the matter!…
    (image slide)

What’s @ Stake
    •    Money
    •    Data
    •    Reputation
    •    Faith/Trust
    •    and…

What’s @ Stake…
    •    …

It’s a Mythical World out there…
    • Myths often prevail over rationality.
    • Myths often are the cause of devastation.

Myth Buster
    • Myth:
          – My developers have implemented security
    • Reality:
          – Security ain’t no feature, dude! It’s a metric.

Myth Buster…
    • Myth:
          – Security is a non-functional requirement
    • Reality:
          – By definition, yes!

Myth Buster…
    • Myth:
          – We use blah-blah framework. We’re safe.
    • Reality:
          – Frameworks are encouraged. The human brain isn’t.

Myth Buster…
    • Myth:
          – Java is secure by design
    • Reality:
          – Maybe! But the web isn’t… nor is the human brain.

Myth Buster…
    • Myth:
          – SSL is secure from sniffing
    • Reality:
          – Far from it. It’s difficult, for sure, though.

Myth Buster…
    • Myth:
          – Stored procedures mean no SQL Injection
    • Reality:
          – Not always.

Myth Buster…
    • Myth:
          – I use a firewall. I am safe.
    • Reality:
          – So what? Your browser ports are open.

Myth Buster…
    • Myth:
          – I use the latest antivirus and my system is patched.
    • Reality:
          – Big deal!!!

Myth Buster…
    • Myth:
          – I browse the net from inside a LAN.
    • Reality:
          – Urghhh! Browser, dude, browser!

Myth Buster…
    • Myth:
          – Human stupidity is infinite
    • Reality:
          – There you go! ☺

RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage

Injection Attacks
    • A form of attack where the user input manipulates the underlying platform in an undesired way.
    • Several variants:
          – SQL Injection
          – Command Injection
          – LDAP Injection
          – XPATH Injection
          – XML Injection
          – JSON Injection

SQL Injections
    (image slide)

XSS
    • OWASP Top 10 2007 #1
    • Any type of user input that is reflected back to the user without being purified.
    • Input can be HTML, CSS, or JavaScript
    • Two kinds: Persistent & Non-Persistent XSS

XSS…
    • XSS attacks include, but are not limited to:
          – Cookie Theft & Session Hijacking
          – Site Defacement & Phishing
          – Key logging
          – History Theft
          – Port Scanning
          – CSRF & Web Worms
          – DoS-ing
          – … limited only by imagination

CSRF
    • Also called Unauthorized Requests.
    • The server is punished/exploited for trusting the user.
    • CSRF is, arguably, more dangerous than XSS.
    • Doesn’t necessarily require JavaScript.
    • OWASP Top 10 2007 #5 (also called the Sleeping Giant)

Cookie Poisoning
    • Cookies sometimes store confidential data
    • This information can be manipulated for fun and profit, e.g., the price of a product on an e-commerce site

HTTP Response Splitting
    • Attacker splits the HTTP response into two.
    • Watch out for redirection scripts using user input in response headers
    • CR-LF (0x0d & 0x0a) is the key to response splitting
    • Web/browser cache poisoning, XSS etc. attacks possible
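The defence the slide points at is to keep CR/LF out of any header built from user input. The following is an added example, not code from the deck: a redirect builder that refuses CR/LF (raw or percent-encoded) in the Location value, plus a check that flags such attempts in access-log lines. All names and the sample log lines are constructed here.

```python
import re
from urllib.parse import unquote

# CR and LF end a header line; either one inside a header value lets user
# input start a new header, or a whole second response (the slide's 0x0d/0x0a).
_CRLF = re.compile(r"[\r\n]")


class ResponseSplittingAttempt(ValueError):
    """Raised when a header value would break out of its own line."""


def has_crlf(value: str) -> bool:
    """True if `value` contains CR/LF raw or after one round of %-decoding.

    The decoded form is checked too because a proxy or framework in front of
    the script may decode %0d%0a before the header is finally emitted.
    """
    return bool(_CRLF.search(value) or _CRLF.search(unquote(value)))


def build_redirect(target: str, status: int = 302) -> str:
    """Return a minimal HTTP redirect whose Location cannot be split."""
    if has_crlf(target):
        raise ResponseSplittingAttempt("CR/LF in redirect target")
    # Keep the redirect on this host: a local path, not a protocol-relative URL.
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("redirect target must be a local path")
    return f"HTTP/1.1 {status} Found\r\nLocation: {target}\r\n\r\n"


def find_splitting_attempts(log_lines):
    """Return request lines whose query string carries an encoded or raw CR/LF."""
    hits = []
    for line in log_lines:
        query = line.partition("?")[2]      # everything after the first '?'
        if query and has_crlf(query):
            hits.append(line)
    return hits


# Constructed access-log lines (not from the slides) for a quick self-check:
# the second line carries an encoded CR-LF in the redirect parameter.
SAMPLE_LOG = [
    "GET /redirect.php?url=%2Fhome HTTP/1.1",
    "GET /redirect.php?url=%2Fhome%0d%0aX-Injected%3A%201 HTTP/1.1",
    "GET /index.php HTTP/1.1",
]

if __name__ == "__main__":
    print(build_redirect("/home").encode())
    print(find_splitting_attempts(SAMPLE_LOG))
```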
Google Hacking
    • Search engines index all permissible documents inside the web tree
    • These data can be recovered using special queries:
          – site:<sitename>
          – inurl:<string>
          – intitle:<string>
          – filetype:<string>

Scary Cracks
    • Credit Cards & Google
    • Google.com UTF-7 XSS Vulnerability
    • Yamanner
    • “Samy is my Hero” OR Samy Worm
    • Bank Of India Hack
    • GMail CSRF Vulnerability

RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage

The Arsenal
    •    A Web browser
    •    Textbox/Textarea
    •    Iframe
    •    TamperData/TamperIE
    •    WebScarab
    •    Fuzzer (Crowbar)
    •    Google

RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage

Google Hacking
    • Search engines index anything and everything
    • Demo

Exploiting Mistakes
    • Client side validation isn’t enough
    • Demo
    • “Clues in Codes/Comments”
    • Demo
    • Insecure implementation of “Forgot Password” feature
    • Demo

Exploiting Mistakes…
    • Too verbose error messages
    • Demo
    • Cookies aren’t for sensitive data
    • Demo
    • Brute forcing session ids
    • Demo

Exploiting Zero Days
    • URI Vulnerabilities
    • Demo

Injection Attacks
    • SQL Injections
    • Demo
    • Command Injection
    • Demo
    • XPATH Injection
    • Demo

XSS Family
    • XSS (Cross Site Scripting)
    • Demo
    • XSS and encoding mistakes
    • Demo
    • CSRF, the sleeping Giant
    • Demo

HTTP Response Splitting
    • Why is the user evil?
    • Demo

RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage

SDLC
    • Integrate security into the SDLC
    (diagram labels) Design → Coding → Testing → Deployment

Design Phase
    • Stick to standards
    • Encourage usage of well-proven frameworks
    • Prefer Whitelisting over Blacklisting
    • Prefer Onion Model over Garlic Model

Coding Phase
    • Do NOT trust the user.
    • Do NOT rely on client side validation.
    • Prefer HttpOnly cookies to avoid cookie theft
    • Use nonces to prevent CSRF
    • Don’t just hash passwords, salt them too
    • Avoid too verbose/meaningful error messages
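Three of the coding-phase rules above (HttpOnly cookies, a nonce per session against CSRF, salted password hashes) in working form. This is an added example, not code from the deck; the function names are mine, the cookie also carries the Secure and SameSite attributes that post-date the slides, and PBKDF2 with a random salt stands in for whatever hash the author had in mind.

```python
import hashlib
import hmac
import os


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session id.

    HttpOnly keeps the value away from page script (the slide's cookie-theft
    case); Secure keeps it off plain HTTP; SameSite limits cross-site sends.
    """
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def make_csrf_token(server_key: bytes, session_id: str) -> str:
    """Nonce bound to this session: a form forged on another site cannot
    include it, so the server no longer has to trust the request blindly."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(server_key: bytes, session_id: str, submitted: str) -> bool:
    expected = make_csrf_token(server_key, session_id)
    # compare_digest: constant-time, so the token does not leak via timing
    return hmac.compare_digest(expected, submitted)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$hash' using PBKDF2-HMAC-SHA256 with a fresh 16-byte salt.

    The salt makes equal passwords hash differently and defeats precomputed
    (rainbow) tables; the iteration count slows offline guessing.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    key = os.urandom(32)                      # server-side secret, constructed
    print(session_cookie_header("constructed-session-id"))
    token = make_csrf_token(key, "constructed-session-id")
    print(verify_csrf_token(key, "constructed-session-id", token))
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
```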
Coding Phase…
    • Proper encoding can avoid most problems
    • Input Encoding
          – prefer UTF-8 and ISO-8859-1
          – see http://ha.ckers.org/charsets.html
    • Output Encoding
          – avoid rich HTML input from the user
          – decimal encode input before displaying
          – see the OWASP Encoding Project

Coding Phase…
    • Sanitize anything that comes from the user.

Coding Phase…
    • Filter Metacharacters:
          –  <    %3c      >    %3e
          –  |    %7c      `    %60
          –  &    %26      (    %28
          –  CR   %0d      LF   %0a
          –  /    %2f      \    %5c
    • Regular expressions are your friend
    • Use Stored Procedures
    • Prefer bind variables in SQL statements
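The two metacharacter defences recommended on the last three slides, decimal output encoding and bind variables in SQL, side by side. This is an added example, not code from the deck: the encoder turns every character outside a small whitelist into a decimal entity (so `<` becomes `&#60;`), and the lookup is shown both in the concatenation form to avoid and with a bound parameter, against an in-memory SQLite table constructed here.

```python
import sqlite3


def decimal_encode(text: str) -> str:
    """Decimal-entity encode before display: letters, digits and a few
    punctuation marks pass through, every other character (including all of
    the slide's metacharacters) is emitted as &#NN; and cannot form markup."""
    out = []
    for ch in text:
        if ch.isalnum() or ch in " .,-_":
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")
    return "".join(out)


def _demo_db() -> sqlite3.Connection:
    """Constructed sample data; not from the slides."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def find_user_concat(con: sqlite3.Connection, name: str) -> list:
    """The pattern to avoid: the user's input becomes part of the SQL text,
    so a quote in it changes the statement instead of being data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def find_user_bound(con: sqlite3.Connection, name: str) -> list:
    """Bind variable: the statement is fixed and the value travels separately,
    so quotes, comments and operators in it are matched literally."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def compare_lookups(name: str) -> tuple:
    """Run the same input through both forms; returns (concat, bound)."""
    con = _demo_db()
    try:
        return find_user_concat(con, name), find_user_bound(con, name)
    finally:
        con.close()


if __name__ == "__main__":
    print(decimal_encode("<b>hi</b> & bye"))
    print(compare_lookups("alice"))
```

With a well-formed name both lookups agree; with a name containing a quote and an OR clause the concatenated form returns every row while the bound form returns nothing, which is the difference the slide is after.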
Testing Phase
    • Code Auditing:
          – OWASP – LAPSE plugin (Java)
          – SPI Dynamics’ DevInspect (Java & .NET), etc.
    • Web Application Scanners
          – w3af
          – Watchfire AppScan
          – SPI Dynamics’ WebInspect, etc.
    • No substitute for an experienced human eye

Deployment Phase
    • Keep out of the Web Tree; use robots.txt
    • Set minimal permissions
    • Keep the system patched & patched
    • Use a Web Application Firewall
          – urlScan
          – ModSecurity
          – SecureIIS, etc.
    …but, most importantly

Education
    (stylized text) Educate your developers.

Final Words
    • www was designed for information exchange
    • Today, too much is at stake
    • Ignorance, no longer a bliss
    • Take responsibility and…

Final Words…
    …be prepared.
    “Do you know what HTML 5.0 and XHTML 2.0 have in store for us? You don't even want to know…” –Ronald van den Heetkamp

…and Finally,
    String.fromCharCode(84,104,97,110,107,32,89,111,117,33)
    i.e., Thank You! ☺

Acknowledgements
    •    Lalit Patel (http://lalit.org) & Lucky (http://reboot.in)
    •    http://flickr.com
    •    http://flickr.com/photos/jeanetteb1/1400824517
    •    http://flickr.com/photos/jbhalper/334521840
    •    http://flickr.com/photos/hondawang/566041603
    •    http://flickr.com/photos/14018070@N08/1438910620
    •    http://flickr.com/photos/44368636@N00/76684587
    •    http://www.cyberpunkreview.com/images/matrixreloaded63.jpg
    •    www.flickr.com/photos/johnengler/211482969
    •    http://www.flickr.com/photos/lamkevin/458083458
    •    http://www.flickr.com/photos/beavis/459281241
    •    http://flickr.com/photos/briansolis/326278887
    •    http://www.flickr.com/photos/focus2capture/297232107
    •    http://flickr.com/photos/complexify/97303317
    •    http://flickr.com/photos/amyking/142161588
    •    http://xkcd.com/327/

References
    •    http://search.yahoo.com (To be safer)
    •    http://0x000000.com
    •    http://ha.ckers.org
    •    http://sla.ckers.org
    •    http://gnucitizen.com
    •    XSS Attacks (Syngress Publications)
    •    PenTesting for Web Applications (Wrox)
    •    Hacking Exposed (Tata McGraw Hill)
    •    19 Deadly Sins of Software Security (Tata McGraw Hill)
    •    OWASP & WASC
    •    David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes, Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, … and a lot more

Got Questions???
    Shoot them