The document provides an agenda for a course on application and website security. The agenda covers common input validation flaws like SQL injection and cross-site scripting, access control flaws like session hijacking, encryption flaws, security tools, and concludes with additional resources for further information. The document uses examples to demonstrate various security vulnerabilities and how they can be exploited.
4. Communication Media and Security Concerns
Communication media:
'Wired' networks
'Wireless' networks
Security concerns:
The Insider
The Outsider
The Technology
Nature
5. A Note About Security
Security helps functionality – if it doesn’t help
functionality, it isn’t security.
-Daniel Owens
6. Consequences of Poor Security
Stolen intellectual property
System downtime
Lost productivity
Damage to NASA's reputation
Lost public confidence
Lost revenue
Congressional inquiries
7. Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
8. SQL | LDAP Injection
SQL and LDAP Injection
The injection of malicious code intended to
bypass filtering and execute a query of the
attacker's choosing
Can be thwarted using strongly typed variables,
parameterized statements, escaping, and whitelists
Example Strings include:
1'1
%31%27%20%4F%52%20%27%31%27%3D%27%31
1' OR '1'='1
#391
*(|(mail=*))
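To make the slide's four defences concrete, here is an added example (not from the course material) that runs the slide's own sample strings against a concatenated query and a parameterized one, applies a strongly typed whitelist to an ID parameter, and escapes a value for an LDAP filter per RFC 4515. The in-memory SQLite table, the user names and the `mail=` filter shape are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [("alice", "s1"), ("bob", "s2"), ("carol", "s3")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input is parsed as part of the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Parameterized statement: the driver sends the input purely as a value."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def breaks_query(conn, name):
    """True if the concatenating version fails to parse on this input (e.g. 1'1),
    which is the classic first sign a tester looks for."""
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


ID_WHITELIST = re.compile(r"[0-9]{1,9}")


def lookup_by_id(conn, raw_id):
    """Strong typing plus whitelist: only a short decimal string reaches the query."""
    if not ID_WHITELIST.fullmatch(raw_id):
        return None
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchall()
    return rows[0][0] if rows else None


def decode_percent(value):
    """Filters must run on the decoded form: the slide's %31%27... string is 1' OR '1'='1."""
    return unquote(value)


# RFC 4515 escaping for a value placed inside an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def mail_filter(user_input):
    """Builds (mail=<value>) so the value can never contribute filter syntax of its own."""
    return "(mail=" + ldap_escape(user_input) + ")"


if __name__ == "__main__":
    db = make_db()
    payload = decode_percent("%31%27%20%4F%52%20%27%31%27%3D%27%31")
    print(repr(payload))
    print("concatenated:", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print(mail_filter("*(|(mail=*))"))
```

The concatenated query returns every row for the `1' OR '1'='1` string because the quote closes the literal and the `OR` becomes part of the WHERE clause; the parameterized version returns nothing because the whole string is compared as one name. The LDAP case is the same idea: `*(|(mail=*))` would turn a single-attribute filter into a match-everything filter, and escaping turns its metacharacters into `\2a`, `\28` and `\29`.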
12. Cross-Site Scripting (XSS)
XSS
The injection of client-side code
Comes in three kinds:
Persistent
Non-Persistent
DOM
Only occurs when user input influences the
output
Can be stopped by assuming all input is malicious until
proven otherwise through a whitelist
Can lead to a complete system compromise – for
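An added example (not part of the slides) showing the two halves of the slide's advice: a whitelist on the input side, and context-aware output encoding on the output side, including the stored (persistent) case where yesterday's input is rendered today. The display-name policy and the guest book are constructed for the example.

```python
import html
import re

# Assumed policy for this example: what a display name may look like.
DISPLAY_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,40}")


def accept_display_name(name):
    """Input side: the value is malicious until it matches the whitelist."""
    return DISPLAY_NAME.fullmatch(name) is not None


def render_vulnerable(name):
    """Output side, broken: user input flows into the page unchanged."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """Output side, fixed: encode for the HTML text context."""
    return "<p>Hello, " + html.escape(name, quote=False) + "</p>"


def render_attr_safe(value):
    """An attribute context needs the quote characters encoded as well (quote=True)."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'


class GuestBook:
    """Persistent XSS: entries are stored raw, so the contract is that every
    render encodes. Encoding on the way in would break legitimate text and
    still miss contexts the storing code never anticipated."""

    def __init__(self):
        self._entries = []

    def post(self, text):
        self._entries.append(text)

    def render(self):
        return "".join("<li>" + html.escape(t) + "</li>" for t in self._entries)


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_vulnerable(probe))
    print(render_safe(probe))
    print(render_attr_safe('" onfocus="x'))
```

The DOM-based variety the slide lists is the same bug on the client: a script that writes `location.hash` or a form value into `innerHTML` needs the same encoding (or `textContent`) that `html.escape` provides here on the server.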
17. Remote File Include/Execution | Code Injection
Remote File Include and Execution
An attacker tricks the system into including and/or
executing arbitrary files
Code Injection
Attacker tricks the system into executing arbitrary
code by injecting the commands into the code
Both
Code of the attacker's choosing is executed
Contrary to popular belief, ANY language can
suffer this
19. ASP.NET Remote File Include
<%
….
' The URL to fetch is taken straight from the query string; nothing validates it
set url = Request.QueryString
set xml = Server.CreateObject("Microsoft.XMLHTTP")
xml.open "GET", url, false
xml.send ""
' Whatever the remote server returned is written into the page unchanged
Response.write xml.responseText
set xml = nothing
….
%>
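The slide's page fetches whatever URL the client supplies. An added example (not part of the course, and not a port of the ASP code) of the whitelist check such a proxy needs before any server-side fetch: scheme, userinfo, host and port are each checked against an allowlist. The allowed host `content.example.org` is an assumption, and the fetch itself is passed in as a callable so the example runs offline.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts this page is permitted to proxy content from.
ALLOWED_HOSTS = {"content.example.org"}


def is_allowed_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Whitelist check for a user-supplied URL before any server-side fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port                     # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):    # no file://, ftp://, data:, or bare //host
        return False
    if parts.username is not None or parts.password is not None:
        return False                              # http://content.example.org@other-host/
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return False                              # exact match, so suffix tricks fail
    return port in (None, 80, 443)


def proxy_fetch(url, fetcher):
    """Returns the fetched text, or None when the URL is refused.
    `fetcher` stands in for the real HTTP client so the example needs no network."""
    if not is_allowed_fetch_url(url):
        return None
    return fetcher(url)


if __name__ == "__main__":
    fake_fetch = lambda u: "<html>content from " + u + "</html>"  # constructed stand-in
    for candidate in ("https://content.example.org/page.html",
                      "file:///etc/passwd",
                      "http://content.example.org@other.example/"):
        print(candidate, "->", proxy_fetch(candidate, fake_fetch))
```

Checking the parsed components rather than doing a substring match on the URL is the point: `content.example.org` appears in the userinfo and suffix variants above, and only the parsed hostname tells you where the request would actually go.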
20. Hidden Elements | Cookies
Hidden Elements and Cookies
Hidden fields and cookies were merely intended
to provide data storage without cluttering up the
user's view
They do not provide secure storage
They are not immutable storage locations
Neither should contain sensitive information
Both should be considered malicious until proven
otherwise
Any data in it should not be directly used for output
Whitelisting should be used to prove innocence
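An added example (not from the slides) of the one thing that makes a hidden field or cookie trustworthy: a server-side HMAC over its contents, so that a value edited in the browser fails verification. It also shows why the slide says sensitive data still does not belong there: the body is plain base64 that anyone can read. The key and payload are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example; a real deployment keeps this server-side and secret.
SERVER_KEY = b"example-only-key-not-for-production"


def sign_value(payload, key=SERVER_KEY):
    """Serialize the payload and attach an HMAC-SHA256 tag over the serialized form."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_value(token, key=SERVER_KEY):
    """Return the payload only if the tag matches; None means 'treat as malicious'."""
    body, sep, tag = token.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def peek_without_key(token):
    """Integrity is not secrecy: the body is readable without the key."""
    body = token.rpartition(".")[0]
    return json.loads(base64.urlsafe_b64decode(body))


if __name__ == "__main__":
    token = sign_value({"user": "alice", "role": "user"})
    print(token)
    print("verified:", verify_value(token))
    print("readable by anyone:", peek_without_key(token))
    forged = sign_value({"user": "alice", "role": "admin"}, key=b"attacker-guess")
    print("forged verifies as:", verify_value(forged))
```

The `rpartition` on `.` is safe because URL-safe base64 never contains a dot, so the last dot always separates body from tag.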
21. Hidden Elements | Cookies (cont.)
Hidden Elements and Cookies (cont.)
[Slide image: a decoded ASP.NET hidden field (ViewState) captured from a nasa.gov CMTOOLS login page, in which a username value carries injected HTML (an <a href=pizza.gov> link) into the search form's onclick handler, showing hidden-field contents reaching the output unchanged]
22. Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
23. Session Hijacking – Cookie Theft
Cookie Theft
The theft of a client's cookies by an attacker
Often possible because of other vulnerabilities –
browser flaws (sandboxing), having TRACE enabled,
XSS, etc
Can be hampered if mechanisms such as
NONCEs are used
NONCEs should be a set of characteristics unique to
the specific session – client IP, server IP, server port,
user agent string, and other key information
Additional mechanisms include using secure cookies,
but this has limited impact
24. Session Hijacking – Session Fixation
Session Fixation
An attacker uses a 'known' session ID
Often, the attacker opens the session and keeps it
open while attempting to convince a victim to login
using the known session
This is often a phishing or other social
engineering attack
Can be hampered if session IDs are 'rekeyed' on
login AND sessions expire and are removed
quickly
Difficult to stop if sessions are guessable
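An added example (not from the slides) of a session store that applies the mitigations from both session-hijacking slides: the NONCE-style binding to client IP, server IP, server port and user agent from the cookie-theft slide, plus rekeying on login, unguessable IDs and expiry from the fixation slide. The fingerprint tuple, the timeout and the fake clock are constructed for the example; a real deployment would also need to decide how to treat clients behind proxies whose IP legitimately changes.

```python
import secrets
import time


class FakeClock:
    """Constructed clock so expiry can be exercised without sleeping."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now


def fingerprint(client_ip, server_ip, server_port, user_agent):
    """The characteristics the slide lists; compared on every request."""
    return (client_ip, server_ip, server_port, user_agent)


class SessionStore:
    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}

    def _new(self, fp, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = {"fp": fp, "user": user, "expires": self.clock() + self.ttl}
        return sid

    def create(self, fp):
        """Anonymous pre-login session."""
        return self._new(fp, None)

    def get(self, sid, fp):
        """Return the session or None. Expired or mis-bound sessions are removed;
        revoking on a binding mismatch is a design choice that limits a stolen
        cookie's usefulness at the cost of logging the victim out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.clock() > s["expires"] or s["fp"] != fp:
            del self._sessions[sid]
            return None
        s["expires"] = self.clock() + self.ttl     # sliding expiry while in use
        return s

    def login(self, presented_sid, fp, user):
        """Rekey on login: the ID the client presented (possibly planted by an
        attacker) is discarded and a fresh one is issued for the authenticated user."""
        self._sessions.pop(presented_sid, None)
        return self._new(fp, user)

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(ttl_seconds=60, clock=clock)
    victim = fingerprint("10.0.0.5", "10.0.0.1", 443, "Mozilla/5.0")
    sid = store.login("", victim, "alice")
    print("same client:", store.get(sid, victim) is not None)
    print("other client:", store.get(sid, fingerprint("192.0.2.9", "10.0.0.1", 443, "curl/8")))
```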
26. Directory Traversal
Directory Traversal
An attacker is able to trick the system into
traversing the directory structure
In many instances, arbitrary files can be viewed
Attackers are often attempting to execute a file or
gather information
If user input dictates the output, care must be
taken to ensure the input is 'valid'
Whitelists become invaluable
In extreme cases, an attacker can actually use
this to gain administrator access to the server
28. Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
29. Session Hijacking – Spoofing
Spoofing
Pretending to be someone else, an attacker
attempts to gain the victim's privileges
Comes in three basic forms
Blind (write-only)
Half pipe (read-only)
Full pipe
Network configuration and other protection
mechanisms can make this difficult to defeat
(both for the attacker and for the developer)
32. Weak Encryption | Using Encoding
Weak/Home-Grown Encryption
The use of weak and home grown encryption has
led to the compromise of many systems
It is also what makes session hijacking via
spoofing, and man-in-the-middle with bucket brigade
and substitution attacks so trivial
Encoding
The use of algorithms that take output and simply
change the format (normally it is the number of
bits used per character)
This is not secure by any means
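An added example (not from the slides) of the audit check behind the slide's last point: if a cookie, hidden field or token is merely hex or base64 of readable text, no key is needed to read it, so it was never encrypted. The sample tokens are constructed for the example.

```python
import base64
import binascii
import string

_PRINTABLE = set(string.printable)


def _is_readable(raw):
    """True if the bytes decode to plain printable text, which a secret should never be."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch in _PRINTABLE for ch in text)


def reveal_encoding(value):
    """If `value` is only hex or base64 of readable text, return (scheme, text); else None.
    Intended for auditing values that a developer has described as 'encrypted'."""
    token = value.strip()
    if token and len(token) % 2 == 0 and all(c in string.hexdigits for c in token):
        raw = binascii.unhexlify(token)
        if _is_readable(raw):
            return ("hex", raw.decode())
    try:
        padded = token + "=" * (-len(token) % 4)      # tolerate stripped padding
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if _is_readable(raw):
        return ("base64", raw.decode())
    return None


def audit_tokens(tokens):
    """Map each token to what it reveals, so a review can list the offenders."""
    return {t: reveal_encoding(t) for t in tokens}


if __name__ == "__main__":
    # Constructed samples: a base64 'role' cookie, its hex twin, and an opaque value.
    for token, result in audit_tokens(["cm9sZT1hZG1pbg==", "726f6c653d61646d696e", "xK9!Zq"]).items():
        print(token, "->", result)
```

A value that survives this check is not thereby proven encrypted; it only means the cheapest decoding attempts fail. The positive fix is the one the slide implies: a vetted cipher with a server-held key, or better, keeping the sensitive value on the server and sending only an opaque identifier.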
34. Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion and Appendices
35. Security Compass
XSS-Me
A free Firefox plug-in
Performs semi-automated XSS attacks against
POST fields
SQL Inject-Me
A free Firefox plug-in
Performs semi-automated SQL injection attacks
against POST fields
Access-Me
A free Firefox plug-in…
36. Other Firefox Add-ons
Web Developer Add-on
Free
Lets you view source files cleanly and easily
Lets you quickly enable and disable things (like
cookies, JavaScript, and Meta Refresh)
Lets you view and modify form fields and cookie
data
Tamper Data
Free
Lets you modify most request data
37. Fuzzers
BED.pl
Free Perl script
Performs basic tests of your SERVER
JBroFuzz
Free Java application
Lets you fuzz any part of an HTTP/HTTPS
request in a semi-automated fashion
Powerfuzzer
Free and commercial versions (Python script)
Easy and multi-talented… automated
38. Other Tools
Sothink SWF Decompiler
Decompiles any Adobe Flash or Flux script
Cavaj
Free
Decompiles any Java program
Nikto
Free
Provides scans of the website looking for
common, basic vulnerabilities and
misconfigurations
39. Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
40. For More Information
Microsoft Security Site (all audiences)
http://www.microsoft.com/security
MSDN Security Site (developers)
http://msdn.microsoft.com/security
TechNet Security Site (IT professionals)
http://www.microsoft.com/technet/security
SANS Top-20 (IT Professionals)
http://www.sans.org/top20/
41. For More Information (cont.)
Common Weakness Enumeration
(CWE)/SANS Top 25 Most Dangerous
Programming Errors (developers)
http://cwe.mitre.org/top25/index.html
GRC IT Security Office
http://itsecurity.grc.nasa.gov
Most Common Software Errors
http://discussweb.com/software-testing/803-most-
common-software-errors.html
42. Acknowledgements
I stole the background from Microsoft
I stole a lot from my experiences and
previous writings
Editor's Notes
The above code illustrates a SQL injection vulnerability
The code here is vulnerable to XSS
The code here is vulnerable to remote include in two locations
The code here is vulnerable to a remote include
The code here is vulnerable to directory traversal