"The Web Is Broken" by Bipin Upadhyay
Can be used as an introductory presentation to web security basics. Covers the ground from attacks to prevention tips, organized neatly.
http://codeinmybug.wordpress.com/2007/10/12/the-web-is-broken/

Published in: Technology
Transcript

  • 1. The Web Is Broken Why every feature is, in fact, a loophole!
  • 2. The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure. Bipin Upadhyay http://projectbee.org
  • 3. RoadMap • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage
  • 4. RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage
  • 5. Who Am I? • I am SpiderMan • Apart from that, I: – am a part of ADMS – work on WebAppSec – am co-author of a yet to be released book • I can be pinged @: – http://blog.projectbee.org – Om-[AT]-PROJectBee-[DOT]-org
  • 6. Web 1.0 versus Web 2.0
  • 7. Technologies Involved
  • 8. Fundamentals, more or less, still the same
  • 9. Fundamentals… (diagram: User → Firewall / IDS → Web server (server-side scripts like PHP, ASP, JSP etc.) → Database)
  • 10. Network Sec. versus Web Sec. (diagram: Attacker → Firewall/IDS/IPS → Web Server; of ports 0-65535 only 80 and 443 are shown open)
  • 11. Network Sec. versus Web Sec… (diagram: Victim behind Firewall/NATed IP ← Malicious OR Compromised Web Server; ports 0-65535)
  • 12. How serious is the matter! • 90% of web applications have serious vulnerabilities –Gartner Group • 78% of attacks are at the web application level –Symantec • XSS and SQLI replacing buffer overflows as the favourite hacker initiative –Mitre • Every 8-9/10 sites vulnerable to XSS –WASC
  • 13. How serious is the matter!...
  • 14. How serious is the matter!...
  • 15. What’s @ Stake • Money • Data • Reputation • Faith/Trust • and…
  • 16. What’s @ Stake… •…
  • 17. It’s a Mythical World out there… • Myths often prevail over rationality. • Myths often are the cause of devastation.
  • 18. Myth Buster • Myth: – My developers have implemented security • Reality: – Security ain’t no feature dude! It’s a metric.
  • 19. Myth Buster… • Myth: – Security is a non-functional requirement • Reality: – By definition, Yes!
  • 20. Myth Buster… • Myth: – We use blah-blah framework. We’re safe • Reality: – Frameworks are encouraged. Human brain isn’t.
  • 21. Myth Buster… • Myth: – Java is secure by design • Reality: – May be! But web isn’t… nor is human brain.
  • 22. Myth Buster… • Myth: – SSL is secure from sniffing • Reality: – Far from it. It’s difficult for sure, though
  • 23. Myth Buster… • Myth: – Stored procedures mean no SQL Injection • Reality: – Not always.
  • 24. Myth Buster… • Myth: – I use a firewall. I am safe. • Reality: – So what? Your browser ports are open.
  • 25. Myth Buster… • Myth: – I use the latest antivirus and my system is patched. • Reality: – Big Deal!!!
  • 26. Myth Buster… • Myth: – I browse the net from inside a LAN. • Reality: – Urghhh! Browser dude, browser!
  • 27. Myth Buster… • Myth: – Human stupidity is infinite • Reality: – There you go! ☺
  • 28. RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage
  • 29. Injection Attacks • A form of attack where user input manipulates the underlying platform in an undesired way. • Several variants: – SQL Injection – Command Injection – LDAP Injection – XPATH Injection – XML Injection – JSON Injection
  • 30. SQL Injections
  • 31. XSS • OWASP Top-10 2007 #1 • Any type of user input that is reflected back to the user without being sanitized. • Input can be HTML, CSS, or Javascript • Two kinds -- Persistent & Non-Persistent XSS
  • 32. XSS… • XSS attacks include, but are not limited to: – Cookie Theft & Session Hijacking – Site Defacement & Phishing – Key logging – History Theft – Port Scanning – CSRF & Web Worms – DoS-ing – … limited only by imagination
  • 33. CSRF • Also called Unauthorized Requests. • The server is punished/exploited for trusting the user. • CSRF is, arguably, more dangerous than XSS. • Doesn’t necessarily require javascript. • OWASP Top-10 2007 #5 (also called the Sleeping Giant)
  • 34. Cookie Poisoning • Cookies sometimes store confidential data • This information can be manipulated for fun and profit, e.g., the price of a product on an ecommerce site
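The defence against the price-in-a-cookie scenario on the slide is to let the server detect edits: sign every cookie value with a server-side HMAC and refuse values whose signature does not verify. This is an added example, not code from the presentation; the secret key and the price scenario are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Assumption: the server's secret key; load it from configuration in real code.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def sign_cookie(name: str, value: str) -> str:
    """Append an HMAC over name=value so the server can detect edited cookies.

    Signing only detects tampering; the client can still read the value, so
    genuinely confidential data still belongs server-side, keyed by session id.
    """
    mac = hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{value}.{sig}"


def verify_cookie(name: str, cookie: str):
    """Return the original value if the signature matches, otherwise None."""
    value, sep, _sig = cookie.rpartition(".")
    if not sep:
        return None  # unsigned cookie: treat it as tampered
    # Recompute and compare in constant time so timing does not leak the MAC.
    if hmac.compare_digest(sign_cookie(name, value), cookie):
        return value
    return None


def poisoning_demo() -> tuple:
    """Constructed scenario: the shop sets price=499, the client edits it to 1."""
    genuine = sign_cookie("price", "499")
    tampered = "1" + genuine[genuine.index("."):]
    return verify_cookie("price", genuine), verify_cookie("price", tampered)


if __name__ == "__main__":
    print(poisoning_demo())  # ('499', None)
```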
  • 35. HTTP Response Splitting • Attacker splits the HTTP response into two. • Watch out for redirection scripts that put user input in response headers • CR-LF (0x0d & 0x0a) is the key to response splitting • Web/browser cache poisoning, XSS etc. attacks become possible
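The redirect script the slide warns about, shown next to a hardened version that rejects CR-LF (also when it arrives URL-encoded) and only redirects to an allow-listed host. Added example, not the presentation's code; the allow-listed hosts are constructed.

```python
from urllib.parse import unquote, urlsplit

# Assumption: hosts this site may redirect to; a real app loads its own list.
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}


def naive_redirect(target: str) -> bytes:
    """The pattern the slide warns about: user input copied straight into a header."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode()


def safe_redirect(target: str) -> bytes:
    """Hardened version: reject control characters and off-site hosts."""
    decoded = unquote(target)  # CR-LF usually arrives URL-encoded as %0d%0a
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        raise ValueError("control character in redirect target")
    if decoded.startswith("/") and decoded[1:2] not in ("/", "\\"):
        pass  # same-site relative path; "//" or "/\\" would be scheme-relative
    else:
        parts = urlsplit(decoded)
        if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
            raise ValueError("redirect target not on the allow-list")
    return f"HTTP/1.1 302 Found\r\nLocation: {decoded}\r\n\r\n".encode()


def header_names(raw: bytes) -> list:
    """Header names in a raw response; anything beyond Location was injected."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]
```

Logging the ValueError with the offending input gives a cheap detection signal for probing of the redirect endpoint.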
  • 36. Google Hacking • Search engines index all permissible documents inside the web tree • This data can be recovered using special queries: – site:<sitename> – inurl:<string> – intitle:<string> – filetype:<string>
  • 37. Scary Cracks • Credit Cards & Google • Google.com UTF-7 XSS Vulnerability • Yamanner • “Samy is my Hero” OR Samy Worm • Bank Of India Hack • GMail CSRF Vulnerability
  • 38. RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage
  • 39. The Arsenal • A Web browser • Textbox/Textarea • Iframe • TamperData/TamperIE • WebScarab • Fuzzer (Crowbar) • Google
  • 40. RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage
  • 41. Google Hacking • Search engines index anything and everything • Demo
  • 42. Exploiting Mistakes • Client side validation isn’t enough • Demo • “Clues in Codes/Comments” • Demo • Insecure implementation of the “Forgot Password” feature • Demo
  • 43. Exploiting Mistakes… • Overly verbose error messages • Demo • Cookies aren’t for sensitive data • Demo • Brute forcing Session ids • Demo
  • 44. Exploiting Zero Days • URI Vulnerabilities • Demo
  • 45. Injection Attacks • SQL Injections • Demo • Command Injection • Demo • XPATH Injection • Demo
  • 46. XSS Family • XSS (Cross Site Scripting) • Demo • XSS and encoding mistakes • Demo • CSRF, the sleeping Giant • Demo
  • 47. Http Response Splitting • Why is the user evil? • Demo
  • 48. RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage
  • 49. SDLC • Integrate security into the SDLC: Design → Coding → Testing → Deployment
  • 50. Design Phase • Stick to standards • Encourage usage of well-proven frameworks • Prefer Whitelisting over Blacklisting • Prefer Onion Model over Garlic Model
  • 51. Coding Phase • Do NOT trust the user. • Do NOT rely on Client side validation. • Prefer HttpOnly cookies to avoid cookie theft • Use nonces to prevent CSRF • Don’t just hash passwords, salt them too • Avoid overly verbose/meaningful error messages
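Two of the coding-phase items, HttpOnly session cookies and CSRF nonces, worked through together: the nonce is bound to the session by HMAC and checked on every state-changing POST. Added example, not the presentation's code; the secret key and header format are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: server-side secret used to bind tokens to sessions; load from config.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def new_session() -> tuple:
    """Create a session id and the Set-Cookie header that carries it.

    HttpOnly stops page script (including an injected XSS payload) from reading
    the cookie; Secure keeps it off plaintext HTTP. Neither flag stops CSRF,
    because the browser still attaches the cookie to cross-site requests.
    """
    sid = secrets.token_urlsafe(32)
    return sid, f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly"


def csrf_token(sid: str) -> str:
    """Nonce to embed in every state-changing form, derived from the session.

    A forged cross-site request carries the cookie automatically, but the
    attacking page cannot read this value, so it cannot supply it.
    """
    return hmac.new(SECRET_KEY, b"csrf:" + sid.encode(), hashlib.sha256).hexdigest()


def is_valid_post(cookie_sid: str, form_token: str) -> bool:
    """Accept a POST only when the form token matches the session in the cookie."""
    if not cookie_sid or not form_token:
        return False
    return hmac.compare_digest(csrf_token(cookie_sid), form_token)


def cookie_flags(set_cookie: str) -> set:
    """Attribute names on a Set-Cookie header, for checking HttpOnly is present."""
    return {part.strip().split("=", 1)[0] for part in set_cookie.split(";")[1:]}
```

A per-session token like this is the minimum; rotating it per request (stored server-side) narrows the window further if a token ever leaks.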
  • 52. Coding Phase… • Proper encoding can avoid most problems • Input Encoding – prefer UTF-8 and ISO-8859-1 – refer http://ha.ckers.org/charsets.html • Output Encoding – avoid rich html input from user – decimal encode input before displaying – refer OWASP_Encoding_Project
  • 53. Coding Phase… • Sanitize anything that comes from the user.
  • 54. Coding Phase… • Filter Metacharacters: < %3c, > %3e, | %7c, ` %60, & %26, ( %28, %0d %0a, .., / %2f, \ %5c • RegEx are your friends • Use Stored Procedures • Prefer bind variables in SQL statements
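Slides 52 and 54 in code: decimal entity encoding of user input before it is displayed, and a string-built login query next to the same query with bind variables, run against a constructed in-memory SQLite table. Added example, not the presentation's code.

```python
import sqlite3


def encode_for_html(text: str) -> str:
    """Decimal-entity-encode every non-alphanumeric character before output.

    Metacharacters such as < > & ' " then render as text in an HTML body
    context instead of being parsed as markup or script.
    """
    return "".join(c if c.isalnum() else f"&#{ord(c)};" for c in text)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn: sqlite3.Connection, name: str, pw: str) -> int:
    """String-built query: the quote metacharacter lets input rewrite the WHERE clause."""
    sql = f"SELECT COUNT(*) FROM users WHERE name='{name}' AND pw='{pw}'"
    return conn.execute(sql).fetchone()[0]


def login_bound(conn: sqlite3.Connection, name: str, pw: str) -> int:
    """Bind variables: the driver passes input as data, so quoting cannot alter the query."""
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND pw=?"
    return conn.execute(sql, (name, pw)).fetchone()[0]
```

The metacharacter filter on the slide is still worth having as defence in depth, but bind variables are what remove the injection class itself.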
  • 55. Testing Phase • Code Auditing: – OWASP – LAPSE plugin (Java) – SPI Dynamics’ DevInspect (Java & .NET), etc. • Web Application Scanners – w3af – Watchfire AppScan – SPI Dynamics’ WebInspect, etc. • No substitute for an experienced human eye
  • 56. Deployment Phase • Keep out of the Web Tree; use robots.txt • Set minimal permissions • Keep the system patched & patched • Use a Web Application Firewall – urlScan – ModSecurity – SecureIIS, etc. …but, most importantly
  • 57. Educate your developers.
  • 58. Final Words • www was designed for information exchange • Today, too much is at stake • Ignorance is no longer bliss • Take responsibility and…
  • 59. Final Words… …be prepared. “Do you know what HTML 5.0 and XHTML 2.0 have in store for us? You don't even want to know…” –Ronald van den Heetkamp
  • 60. …and Finally, String.fromCharCode(84,104,97,110,107,32,89,111,117,33) i.e., Thank You! ☺
  • 61. Acknowledgements • Lalit Patel (http://lalit.org) & Lucky (http://reboot.in) • http://flickr.com • http://flickr.com/photos/jeanetteb1/1400824517 • http://flickr.com/photos/jbhalper/334521840 • http://flickr.com/photos/hondawang/566041603 • http://flickr.com/photos/14018070@N08/1438910620 • http://flickr.com/photos/44368636@N00/76684587 • http://www.cyberpunkreview.com/images/matrixreloaded63.jpg • www.flickr.com/photos/johnengler/211482969 • http://www.flickr.com/photos/lamkevin/458083458 • http://www.flickr.com/photos/beavis/459281241 • http://flickr.com/photos/briansolis/326278887 • http://www.flickr.com/photos/focus2capture/297232107 • http://flickr.com/photos/complexify/97303317 • http://flickr.com/photos/amyking/142161588 • http://xkcd.com/327/
  • 62. References • http://search.yahoo.com (To be safer) • http://0x000000.com • http://ha.ckers.org • http://sla.ckers.org • http://gnucitizen.com • XSS Attacks (Syngress Publications) • PenTesting for Web Applications (Wrox) • Hacking Exposed (Tata McGraw Hill) • 19 Deadly Sins of Software Security (Tata McGraw Hill) • OWASP & WASC • David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes, Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, … and many more
  • 63. Got Questions??? Shoot them