Clarice Technologies - Securing Web Applications: A Complete Solution


As the number of Web sites reaches around 300 million and Internet users reach 2 billion, results from security assessment of various websites have confirmed that over 80% of all websites have serious Security Vulnerabilities. With frequencies of attacks increasing each day and new attack methods being introduced almost as quickly as existing methods are discovered and defeated, every enterprise needs to develop a comprehensive plan to defeat website threats.

Clarice Technologies
Specialists in User Experience Design and Web/Mobile technologies.


  1. Securing Web Applications: A Complete Solution
     Clarice Technologies | November 2012
  2. Introduction

     In view of the increased adoption of the Internet over the past few years, and more than that, the increased use of the Internet for activities like e-commerce, financial transactions and social networking, the security of web applications has never been more sought after than it is today. As the number of Web sites reaches around 300 million and Internet users reach 2 billion, a third community is growing at the same pace: hackers, who continue to relentlessly attack at the web application level and seek to break into enterprises' as well as individuals' secured data and information. Results from security assessments of various websites have confirmed that over 80% of all websites have serious security vulnerabilities. With the frequency of attacks increasing each day and new attack methods being introduced almost as quickly as existing methods are discovered and defeated, every enterprise needs to develop a comprehensive plan to defeat website threats.
  3. Terms associated with Security of Web Applications

     Before looking at how to optimize the security of web sites and web applications, let us look at some of the terms generally associated with the security of web applications.
  4. 01 Security Vulnerability

     Security vulnerabilities are flaws in the assets or software of a product, or the absence of security controls, that make it infeasible, even when using the product properly, to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust. If an application has a security vulnerability, it can allow an attacker to access privileged data, delete or steal critical data, or break into the system, operate at the same priority level as the application and destroy the entire system.

     02 SQL Injection

     SQL injection is a code injection technique that exploits a security vulnerability in a website's software. It is a technique often used to attack a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is considered one of the top 10 web application vulnerabilities.

     "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." (Gene Spafford)

     03 Cross-site Scripting (XSS)

     Cross-site scripting (XSS) is a security hazard that allows crackers or hackers to interfere with your program's logic by inserting their own logic into your HTML. In an XSS attack, a Web application is sent a script that activates when it is read by an unsuspecting user's browser or by an application that has not
  5. (continued from slide 4) protected itself against cross-site scripting. Because dynamic web sites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests.

     04 Cross-site Request Forgery (CSRF)

     Cross-site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choice. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

     05 Parameter Tampering

     Parameter Tampering is a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user's authorization. This points the browser to a link, page or site other than the one the user intends (although it may look exactly the same to the casual observer). Parameter tampering can be employed by criminals and identity thieves to surreptitiously obtain personal or business information about the user.
  6. 06 Session Hijacking

     Session hijacking, also known as TCP session hijacking, is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been obtained (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.

     07 Abuse of Functionality

     Abuse of Functionality is an attack technique that uses a website's own features and functionality to consume, defraud or circumvent access control mechanisms. Some functionality of a web site, possibly even security features, may be abused to cause unexpected behavior. When a piece of functionality is open to abuse, an attacker could potentially annoy other users or perhaps defraud the system entirely. The potential and level of abuse will vary from web site to web site and application to application.

     08 Buffer Overflow

     Buffer Overflow exploits are attacks that alter the flow of an application by overwriting parts of memory. Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.
  7. 09 Information Security

     Information Security is the protection of the availability, privacy, and integrity of data. It has the following key principles:
     - Confidentiality: only allow access to data for which the user is permitted
     - Integrity: ensure that data is not tampered with or altered by unauthorized users
     - Availability: ensure that systems and data are available to authorized users when they need them

     "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." (Richard Clarke)

     10 Content Spoofing

     Content spoofing is a type of exploit used by malicious hackers to present a faked or modified web site to the user, making them believe that certain content appearing on a website is legitimate and not from an external source. The intent is, typically, to defraud victims (as in phishing), although sometimes the purpose is simply to misrepresent an organization or an individual. Content spoofing often exploits an established trust relationship between a computer user and an organization.

     Apart from the above, there are several other terms like Brute Force, Credential/Session Prediction, Denial of Service, Format String attack, Information Leakage, Insufficient Anti-automation etc. used to describe the various security vulnerabilities that web applications are exposed to.
  8. Security Levels in Web Applications

     The principle of security is to provide multiple levels of protection for critical assets. Security at every layer of a web application is equally important, as each level provides resistance to potential threats to the web application. Security could be incorporated at various levels.
  9. 01 Network Security

     Network security could be achieved in the following ways:
     - Authenticating the user, commonly with a username and a password (including two-factor or three-factor authentication)
     - Putting up a firewall that enforces access policies such as which services the network users are allowed to access
     - Installing anti-virus software or an Intrusion Prevention System that helps detect and prevent the action of malware transmitted over networks

     02 OS level Security

     The choice of Operating System could also determine the level of security a web application provides. Operating Systems like Windows provide security through various security features like:
     - Access Tokens: evidence that a user successfully logged in
     - Security Descriptors: represent the access rights of a logged-in user
     - Object Manager: reads the security descriptors and passes the information on to the Security Reference Monitor (SRM); the SRM determines whether a user's action is legal or illegal
     - NTFS: allows system administrators to set global or very specific file access permissions
  10. 03 Server Level Security

     Web sites are hosted on web servers. Most web servers could be configured for a high level of security by:
     - Setting them up to provide directory and file level security based on usernames and passwords
     - Using the "Secure Sockets Layer" (SSL) and "Transport Layer Security" (TLS) protocols to authenticate users and send things over the network or Internet that you want to keep from prying eyes
     - Enhancing web application security by signing up for notices about web application updates
     - Making sure that you log all admin level accesses with dates, times and usernames, and ensuring that logs are working properly

     04 Application Security

     The highest level of security could be put at the application level itself. From the developer's perspective, this is the most important level of security and hence needs the utmost attention. This level of security could be applied at the design level as well as the development level. Following are some of the ways in which application level security could be attained:

     Input Validation
     Input validation is applied whenever input is received from outside the current trust boundary. The application design should assume that user input is malicious and hence needs to be constrained, rejected and then sanitized.
  11. (continued from slide 10) Data needs to be validated for type, length, format and range. Input validation should not just be applied at the client side. It should be applied across all tiers.

     Authentication
     In addition to ensuring that only valid users get access to the web application, it is also imperative that your design identifies secured storage for the credentials that are accepted from the users. It also needs to ensure that secured mechanisms are used to protect these credentials over the wire. The design needs to drive users to choose the strongest passwords.

     Authorization
     This feature ensures that role based access is defined for the web application. Access to system level resources needs to be restricted. All identities that are used by the application are identified, and the resources accessed by each identity are known.

     Sensitive Data Handling
     The design should ensure that secrets are not stored unless necessary, and if they need to be stored, they are not stored at the code level. Sensitive information like passwords, keys, database connections etc. should not be stored in plain text, but needs to be encrypted and stored in secured storage. Sensitive data should not be logged or stored in persistent cookies.

     Session Management
     Application security can be effectively handled at the session level. Session lifetime needs to be limited. Session state needs to be protected from unauthorized access. SSL could be used to protect authentication cookies.

     Exception Management
     Structured exception handling should be applied across the application.

     "History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did." (Bruce Schneier)
  12. (continued from slide 11) Minimum information should be disclosed in case of an exception. For information security purposes, generic messages should be displayed to end users. Errors also need to be logged to the error logs.

     Auditing and Logging
     The levels of auditing and logging need to be determined during design. The design should also consider how to flow the caller identity across multiple tiers for auditing. In addition, it should identify the storage, security and analysis of the application log files.

     "A business will have good security if its corporate culture is correct. That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect." (William Malik, Vice President and Research Area Director for Information Security at Gartner)
  13. Preventing and Fixing Security Vulnerabilities
  14. Sr. / Vulnerability / How to prevent or fix the vulnerability

     1. Cross-site Scripting (XSS): In order to prevent Cross-Site Scripting issues, you can add input validation to Web Forms pages by using validation controls: for example, testing for valid dates or values within a range. In addition, validation controls allow you to completely customize how error information is displayed to the user.

     2. SQL Injection: SQL Injection could be prevented by strict type checking (don't trust what the user enters). If you expect a user name to be entered, then validate whether it contains only alphanumerals. Also, escape or filter the special characters in user inputs. Use prepared statements to execute the queries and use stored procedures wherever possible. Don't allow multiple queries to be executed in a single statement. Further, don't leak database information to the end user by displaying "syntax errors", etc. If possible, use a good ORM tool like Hibernate or iBATIS.
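Added example, not from the Clarice Technologies deck, of the SQL injection advice in item 2: the concatenated query is the vulnerable "before" form, the prepared statement with an alphanumeric whitelist check is the fix, and the request wrapper keeps database errors out of the user-facing message. SQLite and the sample users table are constructed for the demonstration.

```python
# Added example, not from the deck: SQL injection shown as the concatenated
# query (the vulnerable 'before') beside the prepared statement with a
# whitelist check (the fix). SQLite and the users table are constructed here.
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")   # alphanumerals only
SERVER_LOG = []                                   # stands in for the error log


def make_db():
    """Constructed sample table; nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable form: the submitted value is pasted into the SQL text, so a
    quote character ends the literal and the rest is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened form: reject anything that is not a plain user name, then bind
    the value as a parameter so the driver never treats it as SQL."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("user name must be 1-32 alphanumeric characters")
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()


def lookup(conn, name):
    """Request-handler style wrapper: validation and database errors are logged
    server-side and the user sees only a generic message, never a syntax error."""
    try:
        return {"ok": True, "rows": find_user_safe(conn, name)}
    except (ValueError, sqlite3.Error) as exc:
        SERVER_LOG.append(f"lookup failed: {type(exc).__name__}: {exc}")
        return {"ok": False, "message": "The request could not be processed."}
```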
  15. 3. Cross-site Request Forgery (CSRF): In order to prevent CSRF attacks, it is necessary to implement a unique identifier in every request, which is a parameter that an attacker cannot guess. One can take the session id from the session cookie and add it as a parameter. The server must check that this parameter matches the session cookie, and if not, discard the request. The reason an attacker cannot guess this parameter is the "same origin policy" that applies to cookies, so the attacker cannot forge a fake request that will seem real to the server. Any secret that is hard to guess and is not accessible to an attacker can be used instead of the session id.

     4. Session Hijacking: Session hijacking can be prevented by encryption of the data traffic passed between the parties, in particular the session key, though ideally all traffic for the entire session, by using SSL/TLS. Use of a long random number or string as the session key can also help. Regenerating the session id after a successful login prevents session fixation.

     5. Buffer Overflows: One of the ways to prevent buffer overflows is to avoid using library files included with the compiler. Library files are commonly included with a programming language. If a hacker finds a weakness in a particular library file, any application that includes that particular library file also has the weakness. So if a hacker wants to exploit a home-grown application, he will often start by trying to exploit known weaknesses in commonly used libraries.
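Added example, not from the deck, implementing items 3 and 4 above: a CSRF token derived from the session cookie with a server-side secret (a hard-to-guess secret used "instead of the session id", as the text allows), checked in constant time on every state-changing request, and a session store that uses a long random session key and issues a fresh id on login. The SessionStore class, SERVER_SECRET and the function names are assumptions for this illustration.

```python
# Added example, not from the deck: a CSRF token that an attacker cannot guess,
# derived from the session cookie with a server secret and checked on every
# state-changing request, plus a session store that regenerates the id at login.
# SessionStore, SERVER_SECRET and the function names are assumed for this illustration.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # loaded from secured storage in a real deployment


class SessionStore:
    """In-memory session table keyed by a long random session id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)    # long random string as the session key
        self._sessions[sid] = {"user": None}
        return sid

    def exists(self, sid):
        return sid in self._sessions

    def user(self, sid):
        return self._sessions.get(sid, {}).get("user")

    def login(self, old_sid, username):
        """Successful authentication moves the session to a fresh id, so an id
        planted before login (session fixation) no longer refers to anything."""
        data = self._sessions.pop(old_sid, {"user": None})
        data["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def csrf_token(sid):
    """Token to embed as a hidden form field. It is bound to the session cookie
    but does not reveal it, and cannot be computed without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def verify_request(store, cookie_sid, form_token):
    """Server-side check for a state-changing request: the token sent in the
    form must match the one derived from the session cookie, else discard."""
    if form_token is None or not store.exists(cookie_sid):
        return False
    return hmac.compare_digest(csrf_token(cookie_sid), form_token)
```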
  16. (continued from slide 15) Some other techniques to prevent buffer overflows include: code auditing (automated or manual), safe functions, periodic scanning of applications, etc.

     6. Parameter Tampering: To prevent this, all input parameters must be validated (including form fields, query strings, cookies, and HTTP headers). Always use SSL certificates (https) on authentication pages and in the modules that do secured transactions. Also, don't use persistent cookies for storing authentication tokens (session ids). Cookies with sensitive data should be encrypted. Do not rely on HTTP header information to make security decisions.
  17. Guidelines and Best Practices on Security for the Development Community

     From the developer's perspective, ensuring that simple principles are followed at the design and code level could lay a strong foundation for a highly secured web application. The section below lists simple guidelines and best practices that could be followed.
  18. - Identify potential security vulnerabilities upfront. Identify what is to be secured and what the most likely security threats are. Also visualize the type of people who are likely to attack your site, the capabilities of these individuals or groups, their motives for attacking and the vulnerabilities that they are most likely to target
     - Apply security solutions that are compliant with global security standards / regulations like PCI, SOX etc.
     - Add secured data storage and data transmission features to the solution (data encryption etc.)
     - Provide secured HTTPS based Internet connectivity. Use SSL certificates for your web applications
     - Examine the code, before deployment, for risk-prone operations
     - Proper configuration management should be designed. Configuration stores should be secured
     - Never use any account with admin privileges to connect to your database
     - Always use CAPTCHA to verify the users in input forms
     - Sensitive data should never be transmitted with the GET method
     - Ensure that the application's login does not have permissions to access tables directly
  19. - Always do input validation on the server side even though you have JavaScript validation in place. Remember, JavaScript can be turned off on the client side and the validations can be easily bypassed
     - Consider re-authenticating users when doing critical transactions. Or you can have a separate transaction password if required
     - Session tokens should be encrypted whether passed as cookies, hidden fields, etc., especially if they contain user identifiable or sensitive information
     - Any input that is accepted and processed from a user or other application (in the case of web services) should be validated against a list of known good parameters (white list) rather than looking for bad or malicious syntax (black list)
     - Ensure that session identifiers are not passed in query strings
     - Use error messages that are more generic. Never frame an error message that is so detailed that it could give a hint to an attacker
     - All special characters in incoming data should be escaped in order to remove any additional programmatic meaning
     - Runtime exceptions should be caught and never dumped to the user
     - Testing: use a combination of black box and white box testing for testing web application security
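Added example, not from the deck, of the server-side guidelines above taken together: every submitted field is checked against a known-good rule (white list) for type, length, format and range, as slide 11 requires; the user only ever sees a generic message while the detail goes to a server-side log; and special characters are escaped before a value is echoed into HTML. The RULES table, field names and function names are constructed for this illustration.

```python
# Added example, not from the deck: whitelist validation of every submitted
# field for type, length, format and range, with a generic message for the
# user and the detail kept in a server-side log. The fields are constructed.
import html
import re
from datetime import date

# field -> (pattern the whole value must match, min length, max length,
#           converter to the expected type, allowed (low, high) range or None)
RULES = {
    "username": (r"[A-Za-z0-9]+", 3, 20, str, None),
    "age":      (r"[0-9]+", 1, 3, int, (13, 120)),
    "ship_on":  (r"[0-9]{4}-[0-9]{2}-[0-9]{2}", 10, 10, date.fromisoformat, None),
    "note":     (r"[^\x00-\x1f]*", 0, 200, str, None),   # free text, escaped on output
}

GENERIC_MESSAGE = "Invalid input."   # never hints at which check failed
SERVER_LOG = []                      # stands in for the application's error log


def validate(form):
    """Return (clean_values, None) on success or (None, GENERIC_MESSAGE) on any
    failure. Unknown fields are rejected (white list, not black list)."""
    clean = {}
    for field, raw in form.items():
        rule = RULES.get(field)
        if rule is None:
            return _reject(f"unexpected field {field!r}")
        pattern, lo, hi, convert, bounds = rule
        if not (lo <= len(raw) <= hi):
            return _reject(f"{field}: length {len(raw)} outside {lo}..{hi}")
        if not re.fullmatch(pattern, raw):
            return _reject(f"{field}: format check failed for {raw!r}")
        try:
            value = convert(raw)          # type check: e.g. '2012-13-05' is not a date
        except ValueError as exc:
            return _reject(f"{field}: conversion failed ({exc})")
        if bounds is not None and not (bounds[0] <= value <= bounds[1]):
            return _reject(f"{field}: {value} outside range {bounds}")
        clean[field] = value
    missing = [f for f in RULES if f not in clean]
    if missing:
        return _reject(f"missing fields {missing}")
    return clean, None


def _reject(detail):
    SERVER_LOG.append(detail)         # full detail for the operators only
    return None, GENERIC_MESSAGE


def render_safe(text):
    """Escape special characters before echoing a value into HTML so that
    markup inside the note field has no programmatic meaning in the page."""
    return "<p>" + html.escape(text) + "</p>"
```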
  20. Conclusion

     Building a highly functional web application with minimal security is like building an elaborate fortress but leaving its main gate open and unguarded. It is of paramount importance for designers and developers of web applications to consider security as a primary design goal and to follow secure coding guidelines in order to provide the highest possible degree of assurance to their customers. For organizations, it is important to integrate website security into their overall security planning because what is at stake is not only a direct loss of revenue; they may face a serious loss of reputation as well. In some cases, they may be faced with legal penalties for violating customer privacy or trust. In order to create an effective security plan, information security and software development teams must identify website vulnerabilities during both website development and production, mitigate them quickly and efficiently, share the data within the organization, track the progress of fixing the vulnerabilities, and provide management with updates on the security posture as needed.
  21. Clarice Technologies Capabilities

     We are a one-stop shop for the design & development of Web based solutions as well as Mobile applications. The various horizontals that we have experience with allow us to identify various security threats and apply preventive methods for the protection of applications. We use industry best practices while planning the security strategy in both design and development cycles. Our depth of experience in the product world enables us to provide our customers with the best UX design as well as the robust development necessary for any application.

     Product Engineering Expertise
     - Apps for iOS, Android, and Windows Phone platforms
     - HTML5/CSS, JavaScript, jQuery, Ext JS
     - GWT, Flash/Flex, Silverlight, template engines, CMS

     User Experience Expertise
     - Information Architecture, Interaction & Visual Design
     - Enterprise and consumer product user interfaces and RIAs
     - Total user experience for the target audience
  22. Customers

     Clarice Technologies has helped design and engineer a broad range of world class products like:
     - Private Cloud infrastructure for Android device sync
     - The Tap n Tap UI system for Android Tablets, complete with built-in applications
     - Multiple iPhone and iPad applications for the world's top Graphics Software Company
     - Consumer and enterprise management solution for a large multinational chip manufacturing company
     - HTML5 application interfacing with hardware for controlling key parameters
     - Dashboard for CIOs covering Risk Management and Compliance Management for one of the biggest security technology companies
     - New UI system for desktop and mobile products for a leading anti-virus and internet security company
     - UI redesign partners for a big Indian retail bank
     - Corporate website, several major brand websites and internet TV platform for a leading TV channel company
     - Mobile social networking apps for a social networking startup (acquired by Google)
     - Application for a world leader in lighting solutions that works on Desktop, iPad & Android Tablets
     - A time bound app using complex algorithms for swift movement of