Web Application Scanning 101
This presentation by Mike Shema of Qualys covers the basics of Web Application Security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as cross-site scripting (XSS) attacks, SQL injection, directory traversals, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective actions to minimize risks.

Presentation Transcript

  • Web Security 101 (slide 1): An overview of some common application exploits. Mike Shema, Security Research Engineer, Qualys Inc.
  • Web Security (slide 2): Web application (in)security continues to grow. Web-related vulnerabilities pop up on Bugtraq daily (http://www.securityfocus.com/bid/). Web-related attacks are large and expensive to investigate, react to, and resolve. Web security became a requirement of PCI in 2008. XSS remains a significant problem: the original CERT advisory dates from February 2000 (http://www.cert.org/advisories/CA-2000-02.html), and USENET references to “malicious html” and “malicious javascript” go back as far as 1996 (comp.security.unix post from March 1996: http://tinyurl.com/2s593m; entertaining discussion of JavaScript: http://tinyurl.com/2g2476).
  • Web Security (slide 3): Reported web server vulnerabilities have decreased. IIS 6.0, released April 2003: MS06-034 (a specially-crafted ASP file could cause a buffer overflow); no resurgence of Code Red or Nimda style vulnerabilities. Apache 2.0.45 (March 2003) to Apache 2.0.63 (January 2008): 40 security bugs according to the changelog, 24 specific to core or mod_ssl. Apache 2.2.0 (November 2005) to Apache 2.2.8 (January 2008): 13 security bugs according to the changelog, 2 specific to core or mod_ssl. And the number of servers continues to grow significantly.
    [Chart: Active Sites According to Netcraft; series Apache and IIS, May-03 to Apr-08; y-axis 0 to 35,000,000]
  • Leave the Buffer Overflows at Home (slide 4): Exploiting most web vulnerabilities has a very low barrier to entry. Low-sophistication attacks can still lead to high-impact exploits. More codified lists are defined in the OWASP Top 10 and the WASC Threat Classification.
  • Threats Evolve (slide 5): Financial motivation. Infect rather than deface. Increased potential for targeted attacks. Exploit the trust between the server and browser.
  • Attacks Adapt (slide 6): Bring the exploit to the victim rather than bring the victim to the exploit. “Web 2.0”: more business logic and capabilities moved to the web browser. Social networking as an enabler for non-technical attacks. Insert malicious content into a web page; target the web browser.
  • Persistent Browser Problems (slide 7): Assumption of trust in HTML and JavaScript (no “signed” content). No separation of UI generation and data manipulation. Few restrictions on pulling together inter-domain content; no “trusted peers” for a domain.
  • What do these attacks look like? (slide 8): Review some examples to see where vulnerabilities exist and how they are exploited.
  • The Usual Suspects: SQL Injection (slide 9): One of the easiest vulnerabilities to prevent. Occurs when users can alter the actual query, for example SQL queries built with string concatenation, or even raw SQL queries passed in a URL parameter.
  • Recent Examples: Hacking & Happiness (slide 10): One password to rule them all. Poor separation of duties. Lack of rate limiting. http://tinyurl.com/9f7ata
  • Recent Examples: Session Fixation & Stock Inflation (slide 11): Buy stocks using someone else’s account.
  • Recent Examples (slide 12): The victim receives an e-mail with a legitimate link to the trading site: https://site/login.cgi?sid=655321 (Session ID = 655321). The exchange then runs as follows; a.b.101.92 is the client that follows the link and logs in, x.y.72.13 the client that keeps retrying the trade with the same session ID:
    x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
    Unauthenticated. Redirect to /login.cgi <-- server
    x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
    Unauthenticated. Redirect to /login.cgi <-- server
    x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
    Unauthenticated. Redirect to /login.cgi <-- server
    a.b.101.92 --> /login.cgi?sid=655321
    Authenticated. Redirect to /welcome.cgi?sid=655321 <-- server
    x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
    Authenticated. Trade executed <-- server
  • Recent Examples: Inspection & Infiltration (slide 13): Abusing server-side scripts. http://tinyurl.com/d6ymuc
  • Recent Examples (slide 14): ../lists/admin/index.php?_SERVER[ConfigFile]=../../php.ini. Viewing arbitrary files on the web server for sensitive content. A confluence of programming error, misconfiguration, and lack of host hardening.
  • Wildly Different Vulnerabilities (slide 15): Programming errors; session fixation; cross-site request forgery; lack of input validation; insecure environment.
  • Where Are The Worms? (slide 16): Attacks like Nimda, Code Red or SQL Slammer haven’t been repeated in a while. Exploit preferences seem to fall to the lowest common denominator.
  • Manual & Automated Testing (slide 17): Complementary approaches. What matters most for your environment? Cost, scalability, repeatability, comprehensiveness, accuracy. What to expect from each approach?
  • Automated Testing (slide 18): Ideal for large-scale or repetitive scans. Primarily focuses on syntax problems, misconfigurations, and known issues. Several challenges to determining a good scanner: crawling & site coverage; authentication & session management; comprehensiveness & accuracy.
  • Manual Testing (slide 19): Ideal for in-depth security review. Biggest advantage over automated testing is the ability to understand the application’s business logic. Typically relies on some form of automated testing.
  • Proactive Countermeasures (slide 20): Prevent the initial compromise in order to minimize the potential for the application to be used as a distribution point for malicious content. Web application hardening. Prevent unexpected HTML injection: identify areas where user-generated content is permitted, pre-inspect content, quarantine content. Continuous site monitoring.
  • Development Quick Reference (slide 21): Don’t store raw passwords; store the salted hash. Don’t use string concatenation when building SQL queries; use parameterized queries. HTML-encode user-supplied content that is written to a web page. Normalize input: work with an expected character set & encoding; decode multi-level URL encoding.
  • Summary (slide 22): The web browser continues to bear more and more functionality that used to be relegated to desktop applications, but the browser security model hasn’t kept pace. Attackers are placing more focus on compromising trusted sites rather than luring victims to fake sites. Social networking, Web 2.0, and similar concepts place more and more personal data only a browser request away. Most reported compromises seem due to lack of input validation (XSS and SQL injection).
  • Thank you! (slide 23)
  • Questions: was-info@qualys.com (slide 24)
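The session fixation sequence from the “Session Fixation & Stock Inflation” slides (slides 11 and 12), replayed against a toy model of the trading site. This is an added example written for this page, not code from the presentation or from Qualys. The TradingSite class, the credential check and the rotate_on_login switch are constructed; the only details taken from the slide are the session ID 655321, the two client addresses and the order of requests. With rotate_on_login=False the server honours whatever sid the client presents, so the trade queued under the fixed id executes as soon as the victim logs in with that id; with rotate_on_login=True the server discards the client-chosen id at login and issues a fresh one, so the same replay ends with an unauthenticated redirect.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TradingSite:
    """Toy model of the trading site on slide 12 (constructed for this example).
    rotate_on_login=False reproduces the session fixation flaw;
    rotate_on_login=True applies the fix (fresh session id after authentication)."""
    rotate_on_login: bool
    sessions: dict = field(default_factory=dict)  # sid -> user name, or None if anonymous
    trades: list = field(default_factory=list)

    def _session(self, sid):
        # Vulnerable pattern: a sid chosen by the client is accepted as a real session.
        # A hardened server would additionally honour only ids it generated itself.
        self.sessions.setdefault(sid, None)
        return self.sessions[sid]

    def login(self, sid, user, password):
        """/login.cgi: returns (sid to continue with, response line)."""
        self._session(sid)
        if password != "correct-horse":  # constructed credential check
            return sid, "401 Unauthorized"
        if self.rotate_on_login:
            # Fix: drop the client-supplied id and bind the user to a new random one.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid, f"302 Authenticated, redirect to /welcome.cgi?sid={sid}"

    def trade(self, sid, shares, stock):
        """/trade.cgi: executes only for an authenticated session."""
        user = self._session(sid)
        if user is None:
            return "302 Unauthenticated, redirect to /login.cgi"
        self.trades.append((user, shares, stock))
        return f"200 Trade executed for {user}: {shares} {stock}"


def replay_slide_12(rotate_on_login):
    """Replay the request sequence from slide 12; returns (log, executed trades)."""
    site = TradingSite(rotate_on_login)
    fixed_sid = "655321"  # sid embedded in the e-mailed link on slide 12
    log = []
    # x.y.72.13 polls /trade.cgi with the fixed sid before anyone has logged in
    for _ in range(3):
        log.append(("x.y.72.13", site.trade(fixed_sid, 1000, "FOO")))
    # a.b.101.92 (the victim) follows the link and logs in under that sid
    _, resp = site.login(fixed_sid, "victim", "correct-horse")
    log.append(("a.b.101.92", resp))
    # x.y.72.13 retries the same request with the sid it chose
    log.append(("x.y.72.13", site.trade(fixed_sid, 1000, "FOO")))
    return log, site.trades


if __name__ == "__main__":
    for flag in (False, True):
        print(f"rotate_on_login={flag}")
        for client, response in replay_slide_12(flag)[0]:
            print(f"  {client} --> {response}")
```

Regenerating the session identifier at the moment privilege changes (login) is the standard fix; rejecting identifiers the server never issued closes the same hole one step earlier, and a scanner that supports session management can check for both by logging in with a pre-chosen sid and observing whether it survives.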
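The file-disclosure case on slide 14 (a script that opens whatever path a request parameter names) and the “Normalize input” items on slide 21 (expected encoding, multi-level URL decoding) share one defensive check, shown here as an added example that is not code from the presentation or from Qualys. The functions normalize, resolve_within and audit_params, the base directory /srv/webroot, the decode-round limit and the sample parameters are all constructed for this example. The check decodes layered URL encoding until the value stops changing, refuses values that are still changing after a small bound, then resolves the path and confirms it stays under the intended directory.

```python
import os
import unicodedata
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # constructed limit; pick one that fits the application


def normalize(value):
    """Decode layered URL encoding until the value stops changing, then NFC-normalize.
    Raises ValueError if the value is still changing after MAX_DECODE_ROUNDS decodes."""
    for _ in range(MAX_DECODE_ROUNDS + 1):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("input still changing after %d decode rounds" % MAX_DECODE_ROUNDS)
    return unicodedata.normalize("NFC", value)


def resolve_within(base_dir, user_path):
    """Map a user-supplied path onto base_dir.
    Returns the absolute path, or None if the normalized path escapes base_dir."""
    try:
        cleaned = normalize(user_path)
    except ValueError:
        return None
    if "\x00" in cleaned:  # an embedded NUL truncates the path in many file APIs
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when cleaned is absolute; realpath collapses ".." segments
    candidate = os.path.realpath(os.path.join(base, cleaned))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit_params(base_dir, params):
    """Given (name, value) request parameters that name files, return the names
    whose value would escape base_dir. Constructed helper for log or scanner use."""
    return [name for name, value in params if resolve_within(base_dir, value) is None]


if __name__ == "__main__":
    sample = [("page", "admin/index.php"),          # constructed, benign
              ("_SERVER[ConfigFile]", "../../php.ini"),  # the slide 14 parameter
              ("tpl", "%252e%252e/%252e%252e/etc/passwd")]  # constructed, double-encoded
    print(audit_params("/srv/webroot", sample))
```

The decode loop is the part most scanners and WAFs get wrong: decoding exactly once misses %252e%252e, decoding without a bound turns a short string into unbounded work. The path check then relies on realpath and commonpath rather than on scanning for "../", so an encoded, mixed-separator or absolute path that ends up outside the directory is rejected for the same reason a plain one is.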
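The SQL injection description on slide 9 and the first three items of the Development Quick Reference on slide 21 (salted hashes, parameterized queries, HTML-encoding output), worked through in one added example that is not code from the presentation or from Qualys. The in-memory SQLite table, the user names, passwords and the PBKDF2 round count are constructed. lookup_vulnerable builds the query by string concatenation, so a quote in the input changes the query; lookup_safe binds the same input as a parameter; verify_password stores and checks a per-user salted hash; render_comment encodes user content before it is written into a page.

```python
import hashlib
import html
import secrets
import sqlite3

PBKDF2_ROUNDS = 100_000  # constructed value; tune to your hardware


def make_db():
    """Constructed in-memory user table: name, per-user salt, PBKDF2 hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password, salt=None):
    """Salted hash (slide 21: don't store raw passwords). Returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(conn, name, password):
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))


def lookup_vulnerable(conn, name):
    """Slide 9 anti-pattern: the name is concatenated into the query text, so a
    quote in the input is parsed as SQL instead of being treated as data."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Parameterized query: the value is bound by the driver and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def verify_password(conn, name, password):
    """Recompute the salted hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return secrets.compare_digest(digest, row[1])


def render_comment(text):
    """HTML-encode user-supplied content before writing it into a page."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "s3cret")
    register(db, "bob", "hunter2")
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print("concatenated:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_safe(db, probe))
    print(render_comment("<b>hello</b>"))
```

Run stand-alone, the concatenated lookup returns every user for the quoted input while the parameterized one returns none, which is the whole difference the slide is pointing at: the fix is not escaping quotes by hand but keeping query text and data on separate channels. The same separation applies to render_comment, where the browser is the parser being kept away from user data.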