Slideshare.net (beta)

"The Web Is Broken" by Bipin Upadhyay

From bipin, 8 months ago

Can be used as an introductory presentation to web security basics.


Slideshow transcript

Slide 1: The Web Is Broken Why every feature is, in fact, a loophole!

Slide 2: The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure. Bipin Upadhyay http://projectbee.org

Slide 3: RoadMap • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage Bipin Upadhyay http://projectbee.org

Slide 4: RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage Bipin Upadhyay http://projectbee.org

Slide 5: Who Am I? • I am SpiderMan • Apart from that, I: – am a part of ADMS – work on WebAppSec – am co-author of a yet to be released book • I can be pinged @: – http://blog.projectbee.org – Om-[AT]-PROJectBee-[DOT]-org Bipin Upadhyay http://projectbee.org

Slide 6: Web 1.0 versus Web 2.0 Bipin Upadhyay http://projectbee.org

Slide 7: Technologies Involved Bipin Upadhyay http://projectbee.org

Slide 8: Fundamentals Fundamentals, more or less, still the same. Bipin Upadhyay http://projectbee.org

Slide 9: Fundamentals… (Diagram: User → Firewall / IDS → Web server (server-side scripts like PHP, ASP, JSP etc.) → Database) Bipin Upadhyay http://projectbee.org

Slide 10: Network Sec. versus Web Sec. (Diagram: Attacker → Firewall/IDS/IPS → Web Server; of ports 0 to 65535, only 80 and 443 are let through) Bipin Upadhyay http://projectbee.org

Slide 11: Network Sec. versus Web Sec… (Diagram: Victim → Firewall/NATed IP → Malicious OR Compromised Web Server; ports 0 to 65535) Bipin Upadhyay http://projectbee.org

Slide 12: How serious is the matter! • 90% of web applications have serious vulnerabilities –Gartner Group • 78% of attacks are at the web application level –Symantec • XSS and SQLI replacing buffer overflows as the favourite hacker initiative –Mitre • Every 8-9/10 sites vulnerable to XSS –WASC Bipin Upadhyay http://projectbee.org

Slide 13: How serious is the matter!... Bipin Upadhyay http://projectbee.org

Slide 14: How serious is the matter!... Bipin Upadhyay http://projectbee.org

Slide 15: What’s @ Stake • Money • Data • Reputation • Faith/Trust • and… Bipin Upadhyay http://projectbee.org

Slide 16: What’s @ Stake… •… Bipin Upadhyay http://projectbee.org

Slide 17: It’s a Mythical World out there… • Myths often prevail over rationality. • Myths are often the cause of devastation. Bipin Upadhyay http://projectbee.org

Slide 18: Myth Buster • Myth: – My developers have implemented security • Reality: – Security ain’t no feature dude! It’s a metric. Bipin Upadhyay http://projectbee.org

Slide 19: Myth Buster… • Myth: – Security is a non-functional requirement • Reality: – By definition, Yes! Bipin Upadhyay http://projectbee.org

Slide 20: Myth Buster… • Myth: – We use blah-blah framework. We’re safe • Reality: – Frameworks are encouraged. Human brain isn’t. Bipin Upadhyay http://projectbee.org

Slide 21: Myth Buster… • Myth: – Java is secure by design • Reality: – May be! But web isn’t… nor is human brain. Bipin Upadhyay http://projectbee.org

Slide 22: Myth Buster… • Myth: – SSL is secure from sniffing • Reality: – Far from it. It’s difficult for sure, though Bipin Upadhyay http://projectbee.org

Slide 23: Myth Buster… • Myth: – Stored procedures mean no SQL Injection • Reality: – Not always. Bipin Upadhyay http://projectbee.org

Slide 24: Myth Buster… • Myth: – I use firewall. I am safe. • Reality: – So what? Your browser ports are open. Bipin Upadhyay http://projectbee.org

Slide 25: Myth Buster… • Myth: – I use latest antivirus and my system is patched. • Reality: – Big Deal!!! Bipin Upadhyay http://projectbee.org

Slide 26: Myth Buster… • Myth: – I browse net from inside a LAN. • Reality: – Urghhh! Browser dude, browser! Bipin Upadhyay http://projectbee.org

Slide 27: Myth Buster… • Myth: – Human stupidity is infinite • Reality: – There you go! ☺ Bipin Upadhyay http://projectbee.org

Slide 28: RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage Bipin Upadhyay http://projectbee.org

Slide 29: Injection Attacks • A form of attack where the user input manipulates the underlying platform in an undesired way. • Several variants:- – SQL Injection – Command Injection – LDAP Injection – XPATH Injection – XML Injection – JSON Injection Bipin Upadhyay http://projectbee.org

Slide 30: SQL Injections Bipin Upadhyay http://projectbee.org

Slide 31: XSS • OWASP Top 10 2007 #1 • Any type of user input that is reflected back to the user without being purified. • Input can be HTML, CSS, or Javascript • Two kinds: Persistent & Non-Persistent XSS Bipin Upadhyay http://projectbee.org

Slide 32: XSS… • XSS attacks include, but not limited to: – Cookie Theft & Session Hijacking – Site Defacement & Phishing – Key logging – History Theft – Port Scanning – CSRF & Web Worms – DoS-ing – … limited only by imagination Bipin Upadhyay http://projectbee.org

Slide 33: CSRF • Also called Unauthorized Requests. • The server is punished/exploited for trusting the user. • CSRF is, arguably, more dangerous than XSS. • Doesn’t necessarily require javascript. • OWASP Top 10 2007 #5 (also called the Sleeping Giant) Bipin Upadhyay http://projectbee.org

Slide 34: Cookie Poisoning • Cookies sometimes store confidential data • This information can be manipulated for fun and profit. e.g., price of a product on an ecommerce site Bipin Upadhyay http://projectbee.org

Slide 35: HTTP Response Splitting • Attacker splits Http Response into two. • Watch out for redirection scripts using user input in response headers • CR-LF (0x0d & 0x0a) is the key to response splitting • Web/browser cache poisoning, XSS etc. attacks possible Bipin Upadhyay http://projectbee.org
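The slide's point, that a redirect script copying user input into a response header lets a CR LF pair terminate the first response and start a second one, is easier to see with the bytes on screen. The following is an added example, not code from the deck or from the author: it builds the raw 302 response the naive way, counts how many status lines a proxy or browser would find in the byte stream, and then shows the hardened builder, which whitelists the redirect target and refuses any control character. The tainted input is a constructed test fixture, and the helper names are assumptions of this example.

```python
import re
from typing import Iterable

# Constructed test fixture (not from the slides): a "redirect target" that carries
# CR LF so that, if copied into a header unchecked, it terminates the first
# response and starts a second one of the sender's choosing.
TAINTED_LOCATION = (
    "/home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
)

STATUS_LINE = re.compile(rb"(?m)^HTTP/1\.[01] \d{3} ")


def build_redirect_naive(location: str) -> bytes:
    """'Before' version: the user-controlled value goes straight into Location."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode("latin-1")


def count_responses(raw: bytes) -> int:
    """How many HTTP status lines a proxy or browser cache would see in this
    byte stream. Anything above 1 means the response has been split."""
    return len(STATUS_LINE.findall(raw))


# --- hardened version -------------------------------------------------------

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # CR (0x0d) and LF (0x0a) are in this range


def header_value_is_clean(value: str) -> bool:
    """True only if the value contains no control octet at all. Rejecting is
    safer than stripping: a silently stripped value may still not be what the
    application meant to send."""
    return _CONTROL.search(value) is None


def build_redirect_safe(location: str, allowed_targets: Iterable[str]) -> bytes:
    """Whitelist the redirect target (slide 50: whitelist over blacklist) and
    refuse any control character before the value reaches a header."""
    if location not in set(allowed_targets) or not header_value_is_clean(location):
        raise ValueError("refusing to redirect to an unvetted or malformed target")
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode("latin-1")


def redirect_is_accepted(location: str, allowed_targets: Iterable[str]) -> bool:
    """Convenience wrapper: does the hardened builder accept this target?"""
    try:
        build_redirect_safe(location, allowed_targets)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(count_responses(build_redirect_naive("/home")))                  # 1
    print(count_responses(build_redirect_naive(TAINTED_LOCATION)))         # 2
    print(redirect_is_accepted(TAINTED_LOCATION, ["/home", "/account"]))   # False
```

The whitelist does the real work here: if the only acceptable redirect targets are the application's own paths, the control-character check is a second line of defence rather than the only one. Real web frameworks apply an equivalent control-character check in their header-setting APIs; the value of doing it by hand once is seeing why.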

Slide 36: Google Hacking • Search engines index all permissible documents inside the web tree • These data can be recovered using special queries: – site:<sitename> – inurl:<string> – intitle:<string> – filetype:<string> Bipin Upadhyay http://projectbee.org

Slide 37: Scary Cracks • Credit Cards & Google • Google.com UTF-7 XSS Vulnerability • Yamanner • “Samy is my Hero” OR Samy Worm • Bank Of India Hack • GMail CSRF Vulnerability Bipin Upadhyay http://projectbee.org

Slide 38: RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage Bipin Upadhyay http://projectbee.org

Slide 39: The Arsenal • A Web browser • Textbox/Textarea • Iframe • TamperData/TamperIE • WebScarab • Fuzzer (Crowbar) • Google Bipin Upadhyay http://projectbee.org

Slide 40: RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage Bipin Upadhyay http://projectbee.org

Slide 41: Google Hacking • Search engines index anything and everything • Demo Bipin Upadhyay http://projectbee.org

Slide 42: Exploiting Mistakes • Client side validation isn’t enough • Demo • “Clues in Codes/Comments” • Demo • Insecure implementation of “Forgot Password” feature • Demo Bipin Upadhyay http://projectbee.org

Slide 43: Exploiting Mistakes… • Too verbose error messages • Demo • Cookie Isn’t for sensitive data • Demo • Brute forcing Session id • Demo Bipin Upadhyay http://projectbee.org

Slide 44: Exploiting Zero Days • URI Vulnerabilities • Demo Bipin Upadhyay http://projectbee.org

Slide 45: Injection Attacks • SQL Injections • Demo • Command Injection • Demo • XPATH Injection • Demo Bipin Upadhyay http://projectbee.org

Slide 46: XSS Family • XSS (Cross Site Scripting) • Demo • XSS and encoding mistakes • Demo • CSRF, the sleeping Giant • Demo Bipin Upadhyay http://projectbee.org

Slide 47: Http Response Splitting • Why is the user evil? • Demo Bipin Upadhyay http://projectbee.org

Slide 48: RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage Bipin Upadhyay http://projectbee.org

Slide 49: SDLC • Integrate security into the SDLC: Design, Coding, Testing, Deployment Bipin Upadhyay http://projectbee.org

Slide 50: Design Phase • Stick to standards • Encourage usage of well-proven frameworks • Prefer Whitelisting over Blacklisting • Prefer Onion Model over Garlic Model Bipin Upadhyay http://projectbee.org

Slide 51: Coding Phase • Do NOT trust the user. • Do NOT rely on Client side validation. • Prefer HttpOnly Cookie to avoid cookie theft • Use nonces to prevent CSRF • Don’t just hash passwords, salt them too • Avoid too verbose/meaningful error messages Bipin Upadhyay http://projectbee.org
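Three of the slide's coding-phase rules (HttpOnly cookies, nonces against CSRF, salted password hashes) are each a few lines once written out. The following is an added example, not code from the deck or from the author, using only the Python standard library: a salted PBKDF2 password hash with constant-time verification, a Set-Cookie value with the HttpOnly and Secure flags, and a per-session CSRF token store. The iteration count and the in-memory token dictionary are assumptions of this example; a real application keeps the tokens in its server-side session.

```python
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Assumption: the iteration count is a placeholder; tune it to your hardware budget.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: a fresh 16-byte random salt per user means two users
    with the same password get different digests, so a precomputed table is useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: HttpOnly keeps document.cookie (and so an
    XSS payload) away from it; Secure keeps it off plain HTTP."""
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id
    jar["SESSIONID"]["httponly"] = True
    jar["SESSIONID"]["secure"] = True
    jar["SESSIONID"]["path"] = "/"
    return jar.output(header="").strip()


class CsrfTokens:
    """Per-session nonce store. Assumption: a dict stands in for the server-side
    session a real application would use."""

    def __init__(self) -> None:
        self._by_session: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        """Generate an unguessable token tied to this session; the page embeds it
        in the form as a hidden field."""
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        """A forged cross-site request carries the victim's cookie automatically
        but cannot read the token from the page, so it fails this check."""
        expected = self._by_session.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")
    print(verify_password("correct horse", salt, digest), verify_password("wrong", salt, digest))
    print(session_cookie_header("abc123"))
    store = CsrfTokens()
    token = store.issue("sess-1")
    print(store.verify("sess-1", token), store.verify("sess-1", "guess"), store.verify("sess-2", token))
```

Note that the CSRF check is keyed by session: a valid token issued to one session is rejected when presented with another session's cookie, which is what stops a token harvested from the attacker's own account from being reused against a victim.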

Slide 52: Coding Phase… • Proper encoding can avoid most problems • Input Encoding – prefer UTF-8 and ISO-8859-1 – refer http://ha.ckers.org/charsets.html • Output Encoding – avoid rich html input from user – decimal encode input before displaying – refer OWASP_Encoding_Project Bipin Upadhyay http://projectbee.org

Slide 53: Coding Phase… • Sanitize anything that comes from the user. Bipin Upadhyay http://projectbee.org

Slide 54: Coding Phase… • Filter Metacharacters: < (%3c), > (%3e), | (%7c), ‘ (%60), & (%26), ( (%28), CR/LF (%0d, %0a), .., / (%2f), \ (%5c) • RegEx are your friend • Use Stored Procedures • Prefer usage of bind variables in SQL statements Bipin Upadhyay http://projectbee.org
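Slides 52 and 54 together describe the input/output side of the coding phase: whitelist what comes in, encode what goes out, and bind rather than concatenate SQL. The following is an added example, not code from the deck or from the author, that puts the three side by side: a whitelist regex next to slide 54's metacharacter blacklist, the "decimal encode before displaying" rule of slide 52, and a string-concatenated query beside the same query with a bind variable, run against a constructed in-memory SQLite table. The table contents, the probe string and the helper names are assumptions of this example.

```python
import re
import sqlite3
from typing import List, Tuple

# Slide 54's metacharacters and their URL-encoded forms, kept as data so a
# reviewer can see at a glance what the blacklist refuses. Note that the plain
# apostrophe (%27) is not in that list; the probe below relies on exactly that.
METACHARACTERS = {"<": "%3c", ">": "%3e", "|": "%7c", "`": "%60", "&": "%26",
                  "(": "%28", "\r": "%0d", "\n": "%0a", "/": "%2f", "\\": "%5c"}

# Whitelist (slide 50): say what IS allowed instead of chasing what is not.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def username_is_valid(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def contains_metacharacter(text: str) -> bool:
    """Blacklist check, shown for comparison: it catches slide 54's list and nothing else."""
    return any(ch in text for ch in METACHARACTERS)


def decimal_encode(text: str) -> str:
    """Output encoding: every character outside [A-Za-z0-9] becomes an HTML
    decimal entity, so displayed user text can never open or close a tag."""
    return "".join(ch if ch.isascii() and ch.isalnum() else f"&#{ord(ch)};" for ch in text)


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table; not data from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def secrets_by_concat(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    """'Before' version: the name is glued into the SQL text, so a quote
    character in it changes the meaning of the query."""
    return conn.execute("SELECT secret FROM users WHERE name = '" + name + "'").fetchall()


def secrets_by_bind(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    """Bind variable: the driver passes the value separately from the SQL text,
    so whatever the name contains, it is compared as data."""
    return conn.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    probe = "x' OR '1'='1"   # constructed: passes the blacklist, fails the whitelist
    print(username_is_valid(probe), contains_metacharacter(probe))   # False False
    print(len(secrets_by_concat(db, probe)), len(secrets_by_bind(db, probe)))  # 2 0
    print(decimal_encode("<b>hi</b>"))
```

The probe is the point of the comparison: it contains none of slide 54's metacharacters, so the blacklist lets it through, yet the whitelist rejects it and the bound query returns nothing for it, while the concatenated query returns every row. Filtering by list is a backstop; binding and whitelisting are the fix.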

Slide 55: Testing Phase • Code Auditing: – OWASP – LAPSE plugin (Java) – SPI Dynamics’ DevInspect (Java & .NET), etc. • Web Application Scanners – w3af – Watchfire AppScan – SPI Dynamics’ WebInspect, etc. • No substitute for an experienced human eye Bipin Upadhyay http://projectbee.org

Slide 56: Deployment Phase • Keep out of the Web Tree; use robots.txt • Set minimal permissions • Keep the system patched & patched • Use Web Application Firewall – urlScan – ModSecurity – SecureIIS, etc. …but, most importantly Bipin Upadhyay http://projectbee.org

Slide 57: Education Educate your developers. Bipin Upadhyay http://projectbee.org

Slide 58: Final Words • www was designed for information exchange • Today, too much is at stake • Ignorance is no longer bliss • Take responsibility and… Bipin Upadhyay http://projectbee.org

Slide 59: Final Words… …be prepared. “Do you know what HTML 5.0 and XHTML2.0 has in store for us? You don't even want to know…” –Ronald van den Heetkamp Bipin Upadhyay http://projectbee.org

Slide 60: …and Finally, String.fromCharCode(84,104,97,110,107,32,89,111,117,33) i.e., Thank You! ☺ Bipin Upadhyay http://projectbee.org

Slide 61: Acknowledgements • Lalit Patel (http://lalit.org) & Lucky (http://reboot.in) • http://flickr.com • http://flickr.com/photos/jeanetteb1/1400824517 • http://flickr.com/photos/jbhalper/334521840 • http://flickr.com/photos/hondawang/566041603 • http://flickr.com/photos/14018070@N08/1438910620 • http://flickr.com/photos/44368636@N00/76684587 • http://www.cyberpunkreview.com/images/matrixreloaded63.jpg • www.flickr.com/photos/johnengler/211482969 • http://www.flickr.com/photos/lamkevin/458083458 • http://www.flickr.com/photos/beavis/459281241 • http://flickr.com/photos/briansolis/326278887 • http://www.flickr.com/photos/focus2capture/297232107 • http://flickr.com/photos/complexify/97303317 • http://flickr.com/photos/amyking/142161588 • http://xkcd.com/327/ Bipin Upadhyay http://projectbee.org

Slide 62: References • http://search.yahoo.com (To be safer) • http://0x000000.com • http://ha.ckers.org • http://sla.ckers.org • http://gnucitizen.com • XSS Attacks (Syngress Publications) • PenTesting for Web Applications (Wrox) • Hacking Exposed (Tata McGraw Hill) • 19 Deadly Sins of Software Security (Tata McGraw Hill) • OWASP & WASC • David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes, Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, … and a lot more Bipin Upadhyay http://projectbee.org

Slide 63: Got Questions??? Shoot them Bipin Upadhyay http://projectbee.org