• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
TS-5358
 

TS-5358

on

  • 869 views

 

Statistics

Views

Total Views
869
Views on SlideShare
869
Embed Views
0

Actions

Likes
0
Downloads
4
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    TS-5358 TS-5358 Presentation Transcript

    • Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Ray Lai, Intuit TS-5358
    • Share experience how to detect and defend security vulnerabilities in Web 2.0 applications using open source security tools 2008 JavaOneSM Conference | java.sun.com/javaone | 2
    • Agenda Detect Defend Learn 2008 JavaOneSM Conference | java.sun.com/javaone | 3
    • Which is Easier to Hack? Google finds 2M suspicious sites Web 1.0 App Web 2.0 App Top 3 Security Vulnerabilities Top 3 Security Vulnerabilities •Unvalidated input parameters •Cross-site scripting •Broken access control •Injection flaw •Broken authentication and session management •Malicious file execution Note: Single loss expectancy - $690 per incident, Average annual loss $350,424 (CSI 2007) 2008 JavaOneSM Conference | java.sun.com/javaone | 4
    • What’s New About Web 2.0 Security? OWASP 2007 Top 10 Web 2.0 Examples Cross-site scripting +++ Flash: cross-site flashing Injection flaws ++++ AJAX, mash-up Malicious file execution +++ Insecure direct object reference + JavaScript™ Object Notation (JSON) Cross-site request forgery +++ Flash Information leakage / improper error +++++ AJAX, JSON handling Broken authentication and session ++++ Cross-domain, mash-up management Insecure cryptographic storage + Insecure communications ++ Failure to restrict URL access ++ http://www.owasp.org/index.php/Top_10_2007 2008 JavaOneSM Conference | java.sun.com/javaone | 5
    • Use Case Scenario Use Open Source / commercial security tools to examine WebGoat (and Roller) from SecuriBench http://suif.stanford.edu/~livshits/securibench/intro.html 2008 JavaOneSM Conference | java.sun.com/javaone | 6
    • Example #1: Post-Me Scenarios: newsgroup, forum, blogs, etc. Characteristics How can I re-direct readers •Plain data input screen to my malicious website? •No sensitive personal data •High usage, high traffic 2008 JavaOneSM Conference | java.sun.com/javaone | 7
    • Example #1: What’s the Issue? Cross-site Request Forgery What happens: Hackers post a message with the malicious URL or parameters: <IMG SRC="attack?screen=7&menu=410&transferFunds=4000" width="1" height="1" /> Result: when reading the posting, newsgroup readers will invoke a malicious URL without noticing the tiny “1x1 image” (cross-site request forgery)! 2008 JavaOneSM Conference | java.sun.com/javaone | 8
    • Example #2: Online Travel Scenarios: online travel service, mash-up Characteristics •AJAX with JSON Can I change the price? •Financial transactions •Mash-up, possibly 2008 JavaOneSM Conference | java.sun.com/javaone | 9
    • Example #2: What’s the Issue? JSON Poisoning What happens: Hackers intercepts the JSON, tampers it, and posts it. { "From": "Boston", "To": "Seattle", "flights": [ {"stops": "0", "transit" : "N/A", "price": "$0"}, {"stops": "2", "transit" : "Newark,Chicago", "price": "$900"} ] } Result: hackers pay $0 2008 JavaOneSM Conference | java.sun.com/javaone | 10
    • Example #3: Change Password Scenarios: online services, mash-up Characteristics •SOAP-based Web services Can I change •Perhaps mash-up somebody’s password? •HTTP or HTTPS, depends 2008 JavaOneSM Conference | java.sun.com/javaone | 11
    • Example #3: What’s the Issue SOAP Injection What happens: Hackers tries changing the password, intercepts the SOAP message, tampers it, and posts it. <?xml version='1.0' encoding='UTF-8'?> … <wsns0:Body> <wsns1:changePassword> <id xsi:type='xsd:int'>101</id> <password xsi:type='xsd:string'> bar</password> </wsns1:changePassword> </wsns0:Body> </wsns0:Envelope> Result: hackers change someone’s password for future access 2008 JavaOneSM Conference | java.sun.com/javaone | 12
    • What About Flex Application… Cross-site Flashing You can detect XSF using SwfIntruder 2008 JavaOneSM Conference | java.sun.com/javaone | 13
    • What About… Phishing attack Ad malware Botnet ActiveX controls Serialization security, e.g. DOJO, JQUERY 2008 JavaOneSM Conference | java.sun.com/javaone | 14
    • Agenda Detect Defend Learn 2008 JavaOneSM Conference | java.sun.com/javaone | 15
    • Strategy #1: Security Development Lifecycle Remark: Show demo or examples of these artifacts 2008 JavaOneSM Conference | java.sun.com/javaone | 16
    • Defensive Coding: Examples Scenarios Sample Actions Cross-site request forgery Filter specific tags (e.g. <IMG>) Prompt user with security token for important actions or high value transactions Shorter time period for user sessions JSON poisoning Client-side and server-side input validation JavaScript output encoding Obfuscate JavaScript SOAP injection Use of nonce WS-Security best practices Turn off WSDL 2008 JavaOneSM Conference | java.sun.com/javaone | 17
    • Strategy #2: Custom Security Test Category Public / Open Source Commercial Discovery tools NMAP Nessus Web server vulnerabilities Nikto Code quality* OWASP, FindBugs Fortify, Klockwork Application vulnerabilities Paros AppScan, Hailstorm Penetration testing WebScarab, Paros, SwfIntruder Hybrid security testing = white box* + black box testing Remark: Show demo of running different security testing tools on Roller 2008 JavaOneSM Conference | java.sun.com/javaone | 18
    • Agenda Detect Defend Learn 2008 JavaOneSM Conference | java.sun.com/javaone | 19
    • Lesson 1: Security Findings by Category 2008 JavaOneSM Conference | java.sun.com/javaone | 20
    • Lesson 2: What You Can and Can’t Do Obvious, e.g. Difficult ones, e.g. • Information leakage • Cross-site Scripting • Port scan • Cross-site Request Forgery • OS fingerprinting • Denial of Service • Web server Hard ones, e.g. vulnerabilities scanner • New Web 2.0 vulnerabilities 2008 JavaOneSM Conference | java.sun.com/javaone | 21
    • Lesson 3: Summary Don’t practice penetration testing tools on production system! “Trust no one” Do we know what to detect, or to test Different security testing tools provide different findings 2008 JavaOneSM Conference | java.sun.com/javaone | 22
    • For More Information Concepts • OWASP top 10 vulnerabilities http://www.owasp.org/index.php/Category:Vulnerability • Cannings , Dwivedi and Lackey. Hacking Exposed Web 2.0. McGrawHill, 2008 • Andrew Andreu. Professional Pen Testing for Web Applications • Shyamsuda and Gould. You Are Hacked. JavaOneSM Conference 2007 http://developers.sun.com/learning/javaoneonline/2007/pdf/TS-6014.pdf Security Incident Updates • Top 10 Web 2.0 attack vectors http://www.net-security.org/article.php?id=949 • http://www.us-cert.gov/current/current_activity.html • CERN http://security.web.cern.ch/security/ Also RSA, Microsoft, Symantec major security vendor websites 2008 JavaOneSM Conference | java.sun.com/javaone | 23
    • For More Information (cont’d) Tutorial • http://www.irongeek.com/i.php?page=security/hackingillustrated Tools • http://sectools.org/ • http://www.cotse.com/tools/ • http://www.securityhaven.com/tools.html • http://framework.metasploit.com/ • http://www.paneuropa.co.uk/penetration_testing.htm • http://www.owasp.org/index.php/Category:OWASP_Download 2008 JavaOneSM Conference | java.sun.com/javaone | 24
    • Ray Lai, rayymlai@gmail.com TS-5358 2008 JavaOneSM Conference | java.sun.com/javaone | 25