Application and Website Security -- Fundamental Edition
This is the first presentation in the 200 level, specifically targeting developers with a more hardcore training program. This program includes numerous case studies and live demonstrations and is considered technical, but does not require a working knowledge of the languages discussed.

  • The above code illustrates a SQL injection vulnerability
  • The code here is vulnerable to XSS
  • The code here is vulnerable to remote include in two locations
  • The code here is vulnerable to a remote include
  • The code here is vulnerable to directory traversal
  • Application and Website Security -- Fundamental Edition

    1. Application and Website Security – Fundamental Edition
        Daniel Owens, IT Security Professional
    2. Agenda
        Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
    3. Purpose
        Drum up interest
        Session prerequisites: none
    4. Communication Media and Security Concerns
        Communication media: 'wired' networks, 'wireless' networks
        Security concerns: the insider, the outsider, the technology, nature
    5. A Note About Security
        "Security helps functionality – if it doesn't help functionality, it isn't security." – Daniel Owens
    6. Consequences of Poor Security
        Stolen intellectual property; system downtime; lost productivity; damage to NASA's reputation; lost public confidence; lost revenue; Congressional inquiries
    7. Agenda
        Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
    8. SQL | LDAP Injection
        SQL and LDAP injection: the injection of malicious code intended to bypass filtering and execute a query of the attacker's choosing
        Can be thwarted using strongly typed variables, parameterized statements, escaping, and whitelists
        Example strings include:
          1'1
          %31%27%20%4F%52%20%27%31%27%3D%27%31
          &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49
          *(|(mail=*))
    9. Java SQL Injection
        import java.sql.*;

        public class Lookup {                 // class wrapper added so the slide compiles; name assumed
            public static void main(String[] args) throws SQLException {
                Connection conn = null;
                String username = args[0];
                String password = args[1];
                // the user-supplied name is spliced into the SQL text: SQL injection
                String query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'";
                conn = DriverManager.getConnection("jdbc:odbc:logistics", "admin", "LetMeIn");
                Statement stmnt = conn.createStatement();
                ResultSet rs = stmnt.executeQuery(query);
                ...
            }
        }
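The fix the slides name (parameterized statements plus a whitelist) is easy to show side by side with the concatenation on the Java slide. The following is an added example and not code from the presentation; it uses an in-memory SQLite table with constructed rows standing in for the slide's "users" table, and the whitelist pattern is an assumption for a plain user id. It also shows the caveat that binding alone does not neutralise LIKE wildcards, which is why the whitelist still matters.

```python
import re
import sqlite3

# Constructed sample rows standing in for the slide's "users" table.
SAMPLE_USERS = [("alice", "a-hash"), ("admin", "adm-hash"), ("bob", "b-hash")]

# Assumed whitelist for a user id: letters, digits, underscore, bounded length.
UID_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_prefix_concat(conn, username):
    """Mirrors the slide: the value is spliced into the SQL text, so a quote
    in the input changes the statement instead of the data."""
    query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'"
    return conn.execute(query).fetchall()


def concat_fails_on_quote(conn, username):
    """True when the concatenated statement cannot even be parsed."""
    try:
        lookup_prefix_concat(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_prefix_param(conn, username):
    """Parameterized statement: the value is bound and never parsed as SQL.
    The database still honours LIKE wildcards (% and _) inside the value."""
    return conn.execute(
        "SELECT uid, pass FROM users WHERE uid LIKE ?", (username + "%",)
    ).fetchall()


def is_valid_uid(username):
    """Whitelist check: rejects quotes, wildcards and over-long values."""
    return UID_RE.fullmatch(username) is not None


def lookup_prefix_safe(conn, username):
    """Whitelist first, then bind: the combination the slides recommend."""
    if not is_valid_uid(username):
        raise ValueError("username rejected by whitelist")
    return lookup_prefix_param(conn, username)


if __name__ == "__main__":
    db = make_db()
    print(lookup_prefix_safe(db, "a"))
```

Run against the sample table, the concatenated version breaks on a legitimate name such as O'Brien, the bound version returns every row for the single character "%", and only the whitelisted version refuses that input before it reaches the database.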
    10. Demonstration 1: SQL Injection (Bypassing Security Checks)
    11. Case Study 1: SQL Injection (Owning Networks)
    12. Cross-Site Scripting (XSS)
        XSS: the injection of client-side code
        Comes in three kinds: persistent, non-persistent, DOM
        Only occurs when user input influences the output
        Can be stopped by assuming all input is malicious until proven otherwise through a whitelist
        Can lead to a complete system compromise – for
    13. Cross-Site Scripting (cont.)
        Sample strings:
          <script src=
          << </script <<
          <link rel="stylesheet" href=>
          %3Cscript%3Epref%3Dfunction(a%2Cb){document.write(a%2B%22%20-%3E%20%22%2Bb%2B%22%3Cbr%20%2F%3E%22)%3B}%3B%3C%2Fscript%3E%3Cscript%20src%3D%22view-source%3Aresource%3A%2F%2F%2Fgreprefs%2Fall.js%22%3E%3C%2Fscript%3E
          <img src="" onMouseOver="alert(document.cookie)"; />
    14. ASP.NET Cross-Site Scripting
        <%@ Page Language="C#" ValidateRequest="false" %>
        <html>
        <script runat="server">
            void btnSubmit_Click(Object sender, EventArgs e) {
                // user-controlled text written to the response unencoded: XSS
                Response.Write(txtString.Text);
            }
        </script>
        // CONTINUED ON NEXT SLIDE
    15. ASP.NET Cross-Site Scripting (cont.)
        // CONTINUED FROM PREVIOUS SLIDE
        <body>
        <form id="form1" runat="server">
            <asp:TextBox id="txtString" runat="server" Text="<script>alert('hi');</script>" />
            <asp:Button id="btnSubmit" runat="server" OnClick="btnSubmit_Click" Text="Submit" />
        </form>
        </body>
        </html>
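Slides 12 through 15 say XSS occurs when input influences output and is stopped by treating input as malicious until a whitelist proves otherwise. The added example below (not code from the presentation) shows the other half of the defence that Response.Write skips: encoding for the output context the text lands in. It uses the slide's TextBox value as constructed sample input; the whitelist pattern, the page templates and the function names are assumptions for the example.

```python
import html
import re
from urllib.parse import quote

# Assumed whitelist for a short display name: the "prove innocence" check.
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,40}")

# Constructed sample input, the same value the slide's TextBox carries.
SAMPLE_INPUT = "<script>alert('hi');</script>"


def echo_unencoded(text):
    """Mirrors Response.Write(txtString.Text): the input becomes markup."""
    return "<p>You entered: " + text + "</p>"


def echo_encoded(text):
    """HTML body context: every markup-significant character is escaped,
    so the browser renders the text instead of executing it."""
    return "<p>You entered: " + html.escape(text, quote=True) + "</p>"


def echo_in_attribute(text):
    """Attribute context: the value is quoted and escaped, so it cannot
    close the attribute or add an event handler."""
    return '<input type="text" value="' + html.escape(text, quote=True) + '" />'


def echo_in_url(text):
    """URL/query context needs a different encoding: percent-encoding."""
    return "/search?q=" + quote(text, safe="")


def is_valid_name(text):
    """Whitelist check run before the value is used anywhere."""
    return NAME_RE.fullmatch(text) is not None


def echo_whitelisted(text):
    """Reject anything outside the whitelist, then still encode on output."""
    if not is_valid_name(text):
        raise ValueError("input rejected by whitelist")
    return echo_encoded(text)


def script_survives(rendered):
    """Check used in the demo: did a script tag reach the output intact?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(echo_unencoded(SAMPLE_INPUT))
    print(echo_encoded(SAMPLE_INPUT))
    print(echo_in_attribute(SAMPLE_INPUT))
    print(echo_in_url(SAMPLE_INPUT))
```

The point worth keeping from this is that escaping is context-specific: html.escape is right for the body and for quoted attribute values, percent-encoding is right inside a URL, and neither replaces the whitelist, which rejects the sample string outright.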
    16. Demonstration 2: XSS (Having Fun)
    17. Remote File Include/Execution | Code Injection
        Remote file include and execution: an attacker tricks the system into including and/or executing arbitrary files
        Code injection: the attacker tricks the system into executing arbitrary code by injecting the commands into the code
        Both: code of the attacker's choosing is executed
        Contrary to popular belief, ANY language can suffer this
    18. PHP Remote File Include
        <?php
        ....
        // both include paths come straight from the query string: remote file include
        require_once($_GET['config']);
        require_once($_GET['base'] . "/index.php");
        ....
        ?>
    19. ASP.NET Remote File Include
        <%
        ....
        url = Request.QueryString                   ' the raw, unvalidated query string becomes the URL
        Set xml = Server.CreateObject("Microsoft.XMLHTTP")
        xml.open "GET", url, False                  ' xml.open was missing from the slide as transcribed
        xml.send ""
        Response.Write xml.responseText             ' remote content echoed straight into the page
        Set xml = Nothing
        ....
        %>
    20. Hidden Elements | Cookies
        Hidden fields and cookies were merely intended to provide data storage without cluttering up the user's view
        They do not provide secure storage; they are not immutable storage locations
        Neither should contain sensitive information
        Both should be considered malicious until proven otherwise
        Any data in them should not be directly used for output
        Whitelisting should be used to prove innocence
    21. Hidden Elements | Cookies (cont.)
        [Screenshot of a captured hidden-field/ViewState dump; the raw bytes are not legible in this transcript. Recoverable content: a ReferrerUrl field, a ReturnUrl of /CMTOOLS/ErrorPage.aspx, client-side handlers (return confirm(...); SetTargetText(ctl00_SimpleSearchForm_User2_InputFieldTextbox, ...)), a USERNAME field and an injected "<a>pizza is good for you</a>" value, and a ctl00$SimpleSearchForm$User1$UserListGridView field.]
    22. Agenda
        Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
    23. Session Hijacking – Cookie Theft
        Cookie theft: the theft of a client's cookies by an attacker
        Often possible because of other vulnerabilities – browser flaws (sandboxing), having TRACE enabled, XSS, etc.
        Can be hampered if mechanisms such as nonces are used
        Nonces should be a set of characteristics unique to the specific session – client IP, server IP, server port, user agent string, and other key information
        Additional mechanisms include using secure cookies, but this has limited impact
    24. Session Hijacking – Session Fixation
        Session fixation: an attacker uses a 'known' session ID
        Often, the attacker opens the session and keeps it open while attempting to convince a victim to log in using the known session
        This is often a phishing or other social engineering attack
        Can be hampered if session IDs are 'rekeyed' on login AND sessions expire and are removed quickly
        Difficult to stop if sessions are guessable
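Slides 23 and 24 prescribe three controls: bind a session to characteristics of the client (the slides' "nonce"), issue a fresh session id on login, and expire and remove idle sessions. The added example below (not code from the presentation) puts all three into one small in-memory session store. The client attributes (ip, server_port, user_agent), the 15-minute idle limit and the injected clock are assumptions made so the behaviour can be shown without a web server.

```python
import hmac
import secrets

SESSION_TTL = 15 * 60  # assumed idle limit in seconds


class SessionStore:
    """Constructed in-memory store. `now` is passed in by the caller so the
    expiry path can be exercised without waiting for real time to pass."""

    def __init__(self):
        self._sessions = {}  # session id -> record

    @staticmethod
    def _binding(client):
        # The slides' per-session "nonce": attributes that should stay fixed
        # for the life of one session. client is a dict assumed to carry
        # ip, server_port and user_agent.
        parts = (str(client[k]) for k in ("ip", "server_port", "user_agent"))
        return "|".join(parts).encode()

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG: not guessable, which slide 24 calls essential.
        return secrets.token_urlsafe(32)

    def create(self, client, now):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "binding": self._binding(client), "last_seen": now}
        return sid

    def get(self, sid, client, now):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > SESSION_TTL:
            del self._sessions[sid]  # expired sessions are removed, not merely ignored
            return None
        if not hmac.compare_digest(rec["binding"], self._binding(client)):
            return None  # the cookie arrived from a different client context
        rec["last_seen"] = now
        return rec

    def login(self, sid, user, client, now):
        """Authenticate and rekey: the pre-login id stops working, so an id
        planted before login (fixation) is worthless afterwards."""
        rec = self.get(sid, client, now)
        if rec is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "binding": rec["binding"], "last_seen": now}
        return new_sid

    def user_for(self, sid, client, now):
        rec = self.get(sid, client, now)
        return rec["user"] if rec else None


if __name__ == "__main__":
    store = SessionStore()
    browser = {"ip": "10.0.0.5", "server_port": 443, "user_agent": "Browser/1.0"}
    pre = store.create(browser, now=0)
    post = store.login(pre, "alice", browser, now=1)
    print("old id valid after login:", store.user_for(pre, browser, 2) is not None)
    print("new id valid after login:", store.user_for(post, browser, 2))
```

Binding to the client IP, as the slides suggest, does break sessions for users behind changing proxies, which is the trade-off a team has to decide on before enabling it; the structure above makes that a one-line change in _binding.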
    25. Demonstration 3: Session Hijacking (Session Fixation)
    26. Directory Traversal
        Directory traversal: an attacker is able to trick the system into traversing the directory structure
        In many instances, arbitrary files can be viewed
        Attackers are often attempting to execute a file or gather information
        If user input dictates the output, care must be taken to ensure the input is 'valid'
        Whitelists become invaluable
        In extreme cases, an attacker can actually use this to gain administrator access to the server
    27. PHP Directory Traversal
        <?php
        ....
        $date = $_GET['date'];
        // the filename is built from the request unchecked: directory traversal
        if ($handle = fopen("calendar/$date", "rb")) {
            print(fread($handle, filesize("calendar/$date")));
            fclose($handle);
        }
        ....
        ?>
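The PHP include slides (18 and 19) and the traversal slide (27) share one root cause: a request parameter chosen by the client decides which file is loaded. The added example below (not code from the presentation) shows the two remedies the slides point at: a whitelist that maps a parameter to a fixed file, replacing require_once($_GET['config']), and a resolved-path check that keeps fopen("calendar/$date") inside its directory. The config names, the temporary directory layout and the file contents are all constructed for the example.

```python
import tempfile
from pathlib import Path

# Assumed whitelist: request value -> fixed file. Anything else (paths, URLs)
# is rejected, so no request value ever names a file directly.
CONFIG_FILES = {"default": "config_default.txt", "admin": "config_admin.txt"}


def is_allowed_config(name):
    return name in CONFIG_FILES


def resolve_config(name):
    """Whitelisted replacement for include($_GET['config'])."""
    if not is_allowed_config(name):
        raise ValueError("unknown config name")
    return CONFIG_FILES[name]


def resolve_under(base_dir, user_path):
    """Resolve user_path against base_dir ('..' and symlinks followed) and
    accept it only if the result is still inside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise ValueError("path escapes the base directory")
    return target


def read_calendar(base_dir, date):
    """Hardened counterpart of the slide's fopen("calendar/$date")."""
    target = resolve_under(base_dir, date)
    with open(target, "rb") as handle:
        return handle.read()


def demo():
    """Constructed layout: a calendar directory with one entry and a secret
    file next to it. Returns the outcome of each attempted read."""
    with tempfile.TemporaryDirectory() as tmp:
        calendar = Path(tmp) / "calendar"
        calendar.mkdir()
        (calendar / "2010-01-01").write_bytes(b"staff meeting")
        (Path(tmp) / "secret.txt").write_bytes(b"db password")
        results = {"2010-01-01": read_calendar(calendar, "2010-01-01")}
        for attempt in ("../secret.txt", "/etc/hostname", "..%2Fsecret.txt"):
            try:
                read_calendar(calendar, attempt)
                results[attempt] = "read"
            except ValueError:
                results[attempt] = "blocked"
            except FileNotFoundError:
                results[attempt] = "no such file"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", value)
```

The third attempt in demo() is left percent-encoded on purpose: the check works on the decoded path the application actually opens, so a value the web framework has not decoded is just an odd filename. Decode once, then resolve, and never decode again after the check.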
    28. Agenda
        Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
    29. Session Hijacking – Spoofing
        Spoofing: pretending to be someone else, an attacker attempts to gain the victim's privileges
        Comes in three basic forms: blind (write-only), half pipe (read-only), full pipe
        Network configuration and other protection mechanisms can make this difficult to defeat (both for the attacker and for the developer)
    30. Demonstration 4: Session Hijacking (Spoofing)
    31. Case Study 2: Session Hijacking (Spoofing)
    32. Weak Encryption | Using Encoding
        Weak/home-grown encryption: the use of weak and home-grown encryption has led to the compromise of many systems
        It is also what makes session hijacking via spoofing, and man-in-the-middle with bucket brigade and substitution attacks, so trivial
        Encoding: the use of algorithms that take output and simply change the format (normally it is the number of bits used per character)
        This is not secure by any means
    33. Case Study 3: Weak Encryption | Encoding (XOR, SHA, Base64)
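Slides 32 and 33 group XOR, SHA and Base64 as things that get mistaken for encryption. The added example below (not code from the presentation) makes the distinction concrete: a Base64 "token" decodes straight back to its text, repeating-key XOR undoes itself with the same key, and what a server actually needs for a value the client holds is an integrity check, shown here with an HMAC-SHA256 tag, which still leaves the value readable. The cookie contents and the server key are constructed for the example; in a real deployment the key comes from a secret store.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side key (in practice loaded from a secret store).
SERVER_KEY = secrets.token_bytes(32)

# Constructed cookie value of the "encoded, not encrypted" kind.
SAMPLE_COOKIE = base64.b64encode(b"uid=admin;role=staff").decode()


def decode_cookie(value):
    """Base64 only changes the representation (6 bits per character), so
    anyone holding the cookie recovers the text without a key."""
    return base64.b64decode(value).decode()


def decodes_to_text(value):
    """Review heuristic for 'opaque' tokens: if Base64 turns the value into
    printable text, the token is encoded, not encrypted."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and all(32 <= b < 127 for b in raw)


def xor_bytes(data, key):
    """Repeating-key XOR, the usual home-grown 'cipher'. It is its own
    inverse, so whoever has the key (often hard-coded) reads everything."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sign_value(value, key=SERVER_KEY):
    """Append an HMAC-SHA256 tag. A plain SHA hash would not do: without a
    key the client could recompute it after editing the value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify_value(signed, key=SERVER_KEY):
    """Return the value if the tag checks out (constant-time compare), else None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return value


if __name__ == "__main__":
    print("decoded cookie:", decode_cookie(SAMPLE_COOKIE))
    token = sign_value("uid=user")
    print("signed token:", token)
    print("tampered token accepted:", verify_value("uid=admin" + token[len("uid=user"):]) is not None)
```

Signing stops a client from changing uid=user to uid=admin, which is the session-spoofing case on slide 32, but it does not hide the value; if the contents are sensitive they should not be in the cookie at all, as slide 20 already says.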
    34. Agenda
        Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
    35. Security Compass
        XSS-Me: a free Firefox plug-in; performs semi-automated XSS attacks against POST fields
        SQL Inject-Me: a free Firefox plug-in; performs semi-automated SQL injection attacks against POST fields
        Access-Me: a free Firefox plug-in…
    36. Other Firefox Add-ons
        Web Developer add-on (free): lets you view source files cleanly and easily; lets you quickly enable and disable things (like cookies, JavaScript, and Meta Refresh); lets you view and modify form fields and cookie data
        Tamper Data (free): lets you modify most request data
    37. Fuzzers
        Free Perl script; performs basic tests of your SERVER
        JBroFuzz: free Java application; lets you fuzz any part of an HTTP/HTTPS request in a semi-automated fashion
        Powerfuzzer: free and commercial versions (Python script); easy and multi-talented… automated
    38. Other Tools
        Sothink SWF Decompiler: decompiles any Adobe Flash or Flux script
        Cavaj (free): decompiles any Java program
        Nikto (free): provides scans of the website looking for common, basic vulnerabilities and misconfigurations
    39. Agenda
        Course Introduction; Common Input Validation Flaws; Common Access Control Flaws; Common Encryption Flaws; Tools; Conclusion and Appendices
    40. For More Information
        Microsoft Security Site (all audiences); MSDN Security Site (developers); TechNet Security Site (IT professionals); SANS Top-20 (IT professionals)
    41. For More Information (cont.)
        Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Programming Errors (developers)
        GRC IT Security Office: Most Common Software Errors (common-software-errors.html)
    42. Acknowledgements
        I stole the background from Microsoft
        I stole a lot from my experiences and previous writings