BEST PRACTICES OF<br />2010<br />WEB APPLICATION SECURITY<br />by SamvelGevorgyan<br />
TOP 10 HIGH LEVEL VULNERABILITIES<br />01. Cross-Site Scripting (XSS) [Symantec - 2007]<br />02. Information leakage<br />...
CROSS-SITE SCRIPTING<br />DESCRIPTION:<br />	Cross-Site Scripting is a type of web application vulnerability when the atta...
CROSS-SITE SCRIPTING<br />TYPES:<br />Non-Persistant<br />Persistant<br />1.Non-Persistant:<br />In this type of XSS vulne...
CROSS-SITE SCRIPTING<br />Non-Persistant<br />EXAMPLE:<br />"><script>document.locat...
CROSS-SITE SCRIPTING<br />2.Persistant:<br />In this case attacker stores his executable script in the vulnerable website ...
Chat messages
E-mail messages
Wall posts, etc.</li></li></ul><li>CROSS-SITE SCRIPTING<br />Persistant<br />EXAMPLE:<br />
CROSS-SITE SCRIPTING<br />Persistant<br />Comment in raw format:<br />and I like the way this website developers<br />work...
CROSS-SITE SCRIPTING<br />Potentially Dangerous HTML elemets:<br />TAGS<br /><ul><li><applet>
<object> ,etc. </li></ul>	ATTRIBUTES<br />src, href, lowsrc,  xmlns, style, etc.<br />
CROSS-SITE SCRIPTING<br />Potentially Dangerous HTML events:<br /><ul><li>Onblur
Onscroll, etc.</li></ul>*all HTML events<br />
Upcoming SlideShare
Loading in...5

Best practices of web app security (samvel gevorgyan)


Published on

Published in: Technology
1 Comment
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • “A clever person solves a problem. A wise person avoids it.”Albert Einstein
  • Best practices of web app security (samvel gevorgyan)

    1. 1. BEST PRACTICES OF<br />2010<br />WEB APPLICATION SECURITY<br />by SamvelGevorgyan<br />
    2. 2. STATISTICS OF VULNERABILITIES<br />Source:<br />
    3. 3. STATISTICS OF RISK LEVELS<br />Source:<br />
    4. 4. TOP 10 HIGH LEVEL VULNERABILITIES<br />01. Cross-Site Scripting (XSS) [Symantec - 2007]<br />02. Information leakage<br />03. SQL Injection [~2005]<br />04. Cross-Site Request Forgery (CSRF) [1990s]<br />05. ClickJacking [J.Grossman and R.Hansen - 2008]<br />06. Phishing[1987, 1996]<br />07. Path Traversal or Local/Remote File Inclusion<br />08. Shell injection<br />09. Session Hijacking [early 2000s]<br />10. File uploads<br />
    5. 5. CROSS-SITE SCRIPTING<br />DESCRIPTION:<br /> Cross-Site Scripting is a type of web application vulnerability when the attacker injects his executable code into the vulnerable website.<br /><ul><li>EXAMPLE:</li></ul><script>alert(“XSS”)</script><br />
    6. 6. CROSS-SITE SCRIPTING<br />TYPES:<br />Non-Persistant<br />Persistant<br />1.Non-Persistant:<br />In this type of XSS vulnerability the attacker is able to execute his own code in a website but no changes can be done in that website.<br />
    7. 7. CROSS-SITE SCRIPTING<br />Non-Persistant<br />EXAMPLE:<br />"><script>document.location=""+document.cookie;</script><br />OR<br />”><script>document.write(“<img src=‘“+ document.cookie+”’/>”);</script><br />
    8. 8. CROSS-SITE SCRIPTING<br />2.Persistant:<br />In this case attacker stores his executable script in the vulnerable website database which is being executed every time webpage is showing that data.<br />Common targets are:<br /><ul><li>Comments
    9. 9. Chat messages
    10. 10. E-mail messages
    11. 11. Wall posts, etc.</li></li></ul><li>CROSS-SITE SCRIPTING<br />Persistant<br />EXAMPLE:<br />
    12. 12. CROSS-SITE SCRIPTING<br />Persistant<br />Comment in raw format:<br />and I like the way this website developers<br />work..hahaha :D :D<br /><SCRIPT/XSS <br />SRC=""><br /></SCRIPT> <br />
    13. 13. CROSS-SITE SCRIPTING<br />Potentially Dangerous HTML elemets:<br />TAGS<br /><ul><li><applet>
    14. 14. <body>
    15. 15. <embed>
    16. 16. <frame>
    17. 17. <script>
    18. 18. <frameset>
    19. 19. <html>
    20. 20. <iframe>
    21. 21. <img>
    22. 22. <style>
    23. 23. <layer>
    24. 24. <ilayer>
    25. 25. <meta>
    26. 26. <object> ,etc. </li></ul> ATTRIBUTES<br />src, href, lowsrc, xmlns, style, etc.<br />
    27. 27. CROSS-SITE SCRIPTING<br />Potentially Dangerous HTML events:<br /><ul><li>Onblur
    28. 28. Onchange
    29. 29. Onclick
    30. 30. Ondrag
    31. 31. Onerror
    32. 32. Onfocus
    33. 33. Onkeypress
    34. 34. Onkeyup
    35. 35. Onload
    36. 36. Onmouseover
    37. 37. Onmousemove
    38. 38. Onmove
    39. 39. Onresize
    40. 40. Onselectstart
    41. 41. Onselect
    42. 42. Onsubmit
    43. 43. Onunload
    44. 44. Onscroll, etc.</li></ul>*all HTML events<br />
    45. 45. CROSS-SITE SCRIPTING<br />SOLUTIONS:<br /><ul><li>PHP function strip_tags()
    46. 46. PHP Input Filter
    47. 47. PHP libraries:
    48. 48. HTML_Safe
    49. 49. htmLawed
    50. 50. kses
    51. 51. Safe HTML Checker, etc.</li></li></ul><li>BEST SOLUTION<br />OWASP HTML Purifier:<br />SAFE<br /> HTML Purifier defeats XSS with an audited whitelist<br />CLEAN<br />HTML Purifier ensures standards-compliant output<br />OPEN<br /> HTML Purifier is open-source and highly customizable<br />
    52. 52. BEST SOLUTION<br />COMPARISON:<br />Source:<br />
    53. 53. BEST SOLUTION<br />COMPARISON:<br />Source:<br />
    54. 54. INFORMATION LEAKAGE<br />DESCRIPTION:<br /> Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.<br /><ul><li>EXAMPLE:</li></ul> Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20<br />
    55. 55. INFORMATION LEAKAGE<br />CAUSES OF:<br />Directory listing misconfiguration<br />Unproper error handling<br />Unproper filetype handling<br />Sensitive HTML comments, etc.<br />1.Directory listing misconfiguration:<br />Leaving directory listing enabled allows the attacker to read the list of all files in a directory.<br />
    56. 56. INFORMATION LEAKAGE<br />Directory listing misconfiguration<br /><ul><li>EXAMPLE:</li></ul>Index of /admin<br />
    57. 57. INFORMATION LEAKAGE<br />2.Unproper error handling:<br />Because of unproper error handling all the unexpecting requests will generate error messages which will be visible to the attacker.<br /><ul><li>EXAMPLE:</li></ul> Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/aes/public_html/news/list.php on line 81<br />
    58. 58. INFORMATION LEAKAGE<br />3.Unproper filetype handling:<br /> Unproper filetype handling allows your important files to be readable by the attacker.<br /><ul><li>EXAMPLE:
    59. 59. sql_backup.tar.gz
    60. 60. memberlist.xml
    61. 61. phpinfo.html
    62. 62.
    63. 63. Login.php.bkp</li></li></ul><li>INFORMATION LEAKAGE<br />Unproper filetype handling<br />EXAMPLE:<br /><br />…<br /> private $host = "localhost";<br /> private $usr = “root“;<br /> private $pwd = “i7kT0w“;<br /> public $db = "brav_new";<br /> public function Connect(){ … }<br />…<br />
    64. 64. INFORMATION LEAKAGE<br />4.Sensitive HTML comments:<br /> Notes left by webdevelopers may content important information which will cause of the information leakage. <br /><ul><li>EXAMPLE:</li></ul><form enctype="multipart/form-data" action="upload.php" method="POST"><br /> <!--check for filetypes php, cgi, pl, bat, exe, dll, reg--><br /> <input name="upload_file" type="file" /> <br /> …<br />
    65. 65. BEST SOLUTION<br />Directory listing misconfiguration<br />put a blank file named index.html in that directory.<br />put a file named .htaccess in that directory consisting of only this line:Options –indexes<br /> NOTE: all sub-directories of that directory will also get their directory listings turned off.<br />
    66. 66. BEST SOLUTION<br />Unproper error handling<br />The following configurations should be done in php.ini file:<br /><ul><li>error_reporting = E_ALL
    67. 67. display_errors = Off
    68. 68. log_errors = On
    69. 69. error_log = path/PHP_errors.log //any file in which the web server has write privileges.</li></li></ul><li>BEST SOLUTION<br />Unproper error handling<br />Create an .htaccess file in public_html directory with the following lines:<br /> php_flag display_errors off<br /> php_flag log_errors on<br /> php_value error_log path/PHP_errors.log<br /> <Files path/PHP_errors.log><br /> Order allow,deny<br /> Deny from all<br /> Satisfy All<br /> </Files<br />
    70. 70. BEST SOLUTION<br />Unproper filetype handling<br />Don’t keep your important files with the following extentions in your public web directory if you don’t link to them in the website:<br /><ul><li>Compressed files(*.zip, *.rar, *.tar.gz, etc.)
    71. 71. Database files(*.sql, *.cvs, *.xml, *.xls, etc.)
    72. 72. Unknown files(*.inc, *.copy, *.bkp, etc.)</li></li></ul><li>BEST SOLUTION<br />Sensitive HTML comments<br />No sensetive HTML comment must be used in a website as every user will be able to view the webpage source code.<br />
    73. 73. SQL INJECTION<br />DESCRIPTION:<br /> This is a type of vulnerability when attacker injects his custom SQL query to the request to get sensetive data from the database, read or write a file.<br /><ul><li>EXAMPLE:</li></ul>,database(),1,2+--<br />
    74. 74. SQL INJECTION<br />TYPES:<br />Normal<br />Blind<br />1.Normal:<br />In this type of SQL Injection vulnerability attacker sends a custom SQL query and gets the output in the screen.<br />
    75. 75. SQL INJECTION<br />Normal SQL Injection<br /><ul><li>EXAMPLE:</li></ul>,2,user(),database(),<br /> 5,version(),7+--<br />
    76. 76. SQL INJECTION<br />2.Blind:<br />This type of injection is identical to normal SQL Injection except that the SQL query returns positive or negative response.<br /><ul><li>EXAMPLE:</li></ul><br /> and+substring(@@version,1,1)=5+--<br />
    77. 77. SQL INJECTION<br />SOLUTIONS:<br /><ul><li>PHP.ini configuration
    78. 78. magic_quotes_gpc = on
    79. 79. PHP functions
    80. 80. filter_var()
    81. 81. mysql_real_escape_string()
    82. 82. sprintf()
    83. 83. Put variables into the quotes(e.g: ‘$id’)
    84. 84. Assign min privilages for mysql users</li></li></ul><li>BEST SOLUTION<br />GreenSQL open source database firewall:<br />Activity monitoring and audit<br />User rights management<br />Real-time database protection<br />Intrusion preventation(IPS)<br />Database caching<br />Encrypted comunication over SSL<br />Virtual patching<br />Reporting<br />
    85. 85. BEST SOLUTION<br />GreenSQL open source database firewall:<br />
    86. 86. CROSS-SITE REQUEST FORGERY<br />DESCRIPTION:<br /> This vulnerability of web application allows attacker’s website to manipulate its actions using authorized user’s session.<br /><ul><li>EXAMPLE:</li></ul> <img src=“” style=“display:none” /> <br />
    87. 87. CROSS-SITE REQUEST FORGERY<br />EXAMPLE:<br /><div style=“display:none”><br /> <iframe name=“hidden”></iframe><br /> <form name=“Form” action= “” target=“hidden” method=“POST”><br /> <input type=“text” name=“message” value=“I like” /><br /> <input type=“submit” /><br /> </form><br /> <script>document.Form.submit();</script><br /> </div><br />
    88. 88. CROSS-SITE REQUEST FORGERY<br />USELESS DEFENSES:<br /><ul><li>Only accept POST</li></ul>Stops simple link-based attacks (IMG, frames, etc.)<br />But hidden POST requests can be created with frames, scripts, etc.<br /><ul><li> Referer checking</li></ul>Some users prohibit referers, so you can’t just require referer headers<br />Techniques to selectively create HTTP request without referers exist<br /><ul><li>Requiring multi-step transactions</li></ul>CSRF attack can perform each step in order<br />
    89. 89. CROSS-SITE REQUEST FORGERY<br />SOLUTIONS:<br /><ul><li> CAPTHCAs</li></ul>This is a type of challenge-response test used in computing to ensure that the response is not generated by a computer.<br /><ul><li> One-time tokens</li></ul>Unlike the CAPTCHA’s system this is a unique number stored in the form field and in session to compare them after submiting the form.<br />
    90. 90. BEST SOLUTION<br />Business Processing<br />Add Tokento HTML<br />OWASPCSRFGuard<br />Verify Token<br />OWASP CSRFGuard<br /><ul><li>Adds token to:
    91. 91. href attribute
    92. 92. src attribute
    93. 93. hidden field in all forms
    94. 94. Actions:
    95. 95. Log
    96. 96. Invalidate
    97. 97. Redirect</li></ul>User<br />(Browser)<br />1. Add token with regex<br />2. Add token with HTML parser<br />3. Add token in browser with Javascript<br />Source: <br />
    98. 98. CLICK-JACKING<br />DESCRIPTION:<br /> This is the advanced version of Cross-Site Request Forgery. It uses all the flexibility of front-end languages to bypass protected forms and send a request using victim’s active session.<br /><ul><li>EXAMPLE:</li></ul> <div style="position:fixed; width:100%; height:100%; z-index:999;" onclick="alert(‘ClickJacked');"></div><br />
    99. 99. CLICK-JACKING<br />EXAMPLE:<br />
    100. 100. BEST SOLUTION<br /><ul><li>FrameKiller(frame busting):</li></ul> <style> html{ display : none; }</style> <script>if( self == top ) { = 'block' ; } else { top.location = self.location; }<br /> </script><br /><ul><li>OWASP CSRFGuard</li></li></ul><li>THANK YOU!!<br />SPECIAL THANKS FOR KIND SUPPORT:<br /><ul><li>MANU ZACHARIA</li></ul> MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP, AFCEH<br /> Certified ISO 27001:2005 LA<br /><ul><li>C-DAC ACTS</li></ul> Advanced Computing Training School<br />
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.