Web Application Security


Published on


Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Worldwide problem
  • STEVE ORRIN: We all know that there are pressures on the application lifecycle. Let’s review the facts: Time to market demands are ever increasing – bringing new apps up quickly while not compromising their usability and ‘cool factor’ is imperative. Budgets are tight in today’s economic environment and expenses are closely monitored. Unfortunately, this doesn’t translate into a lessening of the market’s expectation for new applications. At the end of the day, the question facing most development teams is ‘How do we meet the functional specification on time with the resources available?” Application complexity is growing – as applications grow in size complexity is added at every step. Businesses and the market expect new applications to perform, meet the functional spec, deploy quickly – and to be secure. And while the deployment pace speeds up, so does the scale and complexity of the sites the new applications are being deployed on. This increases the number and type of potential points of failure within an application --- any one of which could be the source of an enormous problem for the enterprise. Increasing Business Risks Driven by Security Defects. As more business gets done on the web, the risks posed by security defects in deployed applications are accelerating. Hackers are increasingly active and sophisticated about how they choose and target their victims. Dealing with this threat effectively is not trivial. Growing government scrutiny and regulations, including GLBA and HIPAA. With the increase in the value of information and assets accessible through the Web, governments around the world are creating laws and regulations to protect consumers from online fraud and theft. Compliance to U.S. laws like HIPAA and GLBA are for the first time putting the issue of application security into the CEO’s office and board rooms of the largest enterprises in the world. Failure to comply can come at an enormous cost. And finally, recent court activity relating to liability protection for bad software has added new areas of risk for all businesses. Simply put, it doesn’t look like Caveat Emptor (buyer beware) will be sufficient to protect companies from liability claims and class action lawsuits. Enterprises must take systematic and significant measures to ensure that the applications under their domain do not directly or indirectly lead to harm of the customer or the shareholders. Add to this the fact that cost escalates dramatically the longer you wait to find and fix defects, and it is clear things need to change (NEXT SLIDE)
  • STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, lets review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited; The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide
  • As you can see from this slide the relative costs associated with waiting to detect and fix defects increases at a staggering rate from one stage to the next. By the time an application has been deployed, a defect found in it can cost as much as 100X as much to fix than if it had been caught during the development and testing process. This is measured in terms of lost time, resources and lost business as the result of the application being down.
  • Each layer of the application has its own unique vulnerabilities. A vulnerability fixed at one layer may still be exploited at another layer. An exploit at any layer of the application effects the integrity and behavior for the entire application The bottom line, Code and Content Change every day – and contain bugs and backdoors at every layer (NEXT SLIDE)
  • In the Web application layer, we see 10 major types of application level hacks that can occur with varying degreed of impact on the business ranging from site defacement to eHijacking to downloading the company’s proprietary database. For example, in a text field used to collect data from a customer, a hacker may be able to insert a script that eHijacks customer information from the site through a vulnerability called cross site scripting. (HIGHLIGHT A FEW EXAMPLES)
  • Also could be an example of 3rd party missconfiguration
  • Web Application Security

    1. 1. Web Application Security Presented by: Colin English Zerflow
    2. 2. Session Overview <ul><li>Web Application Security </li></ul><ul><ul><li>The Myth and The Facts </li></ul></ul><ul><ul><li>Examples of Web Application Vulnerabilities </li></ul></ul><ul><li>Web Application Auditing & Testing </li></ul>
    3. 3. The Myth <ul><li>“ Our site is safe”: </li></ul><ul><ul><li>We have firewalls in place </li></ul></ul><ul><ul><li>We encrypt our data </li></ul></ul><ul><ul><li>We have a privacy policy </li></ul></ul>
    4. 4. Recent News Qwest Glitch exposes customer data - Securityfocus.com May 23, 2002 Hackers attack eBay accounts — ZDNet News Mar 25,2002 NY Times Internal Network Hacked — Internet.com, Feb 27, 2002 Sites Revealed Passwords For Thousands Of Ameritech Users — NewsBytes Feb 22,2002 Software bug bites U.S. Military — BBC, Mar 18,2003 NASA investigating hacker theft of sensitive documents - ComputerWorld Aug 8 ,2002 Glitch at Fidelity Canada exposes customer information — ComputerWorld, May 30, 2002 <ul><ul><li>Hacker Accesses 2.2 Million Credit Cards </li></ul></ul><ul><li>- CNN, Feb 18,2003 </li></ul><ul><li>Gov’t Web Sites open </li></ul><ul><li>to Hack Attacks </li></ul><ul><ul><li>CBS News, Jan 25, 2003 </li></ul></ul>Vivendi Says Online Shareholder Voting Hacked — NewsBytes, Apr 29, 2002 Hackers steal students soc.sec. numbers — ABCNews, Mar 6,2003 FTD.com hole leaks personal information — CNet, Feb 13, 2003 Security worries hold back UK online tax returns — TheRegister, Jan 29,2003
    5. 5. Pressures on the Application Lifecycle <ul><li>Time-to-Market </li></ul><ul><ul><li>Bringing new applications to market quickly </li></ul></ul><ul><li>Complexity is Growing </li></ul><ul><ul><li>Increasing application lifecycle complexity </li></ul></ul><ul><li>Increasing Business Risks Driven by Security Defects </li></ul><ul><ul><li>Hacker activity increasing </li></ul></ul><ul><ul><li>Government scrutiny and regulation increasing </li></ul></ul><ul><ul><li>Liability precedents for security defects </li></ul></ul><ul><li>Costs Escalate Dramatically the longer you wait to Find and Fix </li></ul><ul><ul><li>Bad software costs the economy $59.5 billion a year- cost of breakdowns and repairs (Nat. Institute of Standards & Technology, May 2002) </li></ul></ul>Financial Services Application
    6. 6. Cyber crime on the Rise <ul><li>On average, there are 5 to 15 defects in every 1,000 lines of code </li></ul><ul><ul><li>US Dept. of Defense and the Software Engineering Institute </li></ul></ul><ul><li>It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each </li></ul><ul><ul><li>5 Year Pentagon Study </li></ul></ul><ul><li>A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week </li></ul><ul><ul><li>Gartner Group </li></ul></ul><ul><li>MS $100 million Trustworthy-Computing initiative: improve SW security & reduce number of software updates and security bulletins issued </li></ul>
    7. 7. Application Security Defects <ul><li>Frequent </li></ul><ul><ul><li>3 out of 4 business websites are vulnerable to attack (Gartner) </li></ul></ul><ul><li>Pervasive </li></ul><ul><ul><li>75% of hacks occur at the Application level (Gartner) </li></ul></ul><ul><li>Undetected </li></ul><ul><ul><li>QA testing tools not designed to detect security defects in applications </li></ul></ul><ul><ul><li>Manual patching - reactive, time consuming and expensive </li></ul></ul><ul><li>Dangerous </li></ul><ul><ul><li>When exploited, security defects destroy company value and customer trust </li></ul></ul>167 Audits conducted – 98% vulnerable: all had firewalls and encryption solutions in place…
    8. 8. Cost Increases Later in the Lifecycle Security is Addressed Cost to Fix dramatically increases the longer you wait to test
    9. 9. Web Application Vulnerabilities Without any protection, holes and backdoors exist at every layer waiting to be exploited Web Server User Interface Code Frontend Application Backend Application Database Data Invalid Data can exploit weakness in the application acting as escape holes resulting in access to unauthorized accounts, O/S network, sensitive data and may result in an application denial of service Valid Input HTML/HTTP Browser Invalid Input HTML/HTTP
    10. 10. Types of Application Hacks Through a browser, a hacker can use the smallest bug or backdoor to change, or pervert, the intent of the application Application Attack Types Negative Outcome Examples Form field: collect data Buffer overflow Crash servers/close business Online shopping Hidden fields eShoplifting Text Field: collect data Cross Site scripting eHijacking - Get account info Front end Apps 3 rd Party Misconfiquration Admin access Backend Apps Stealth Commanding Site defacement Sloppy code Backdoors/Debug options Download proprietary database Customer account Cookie poisoning Identity theft/illegal transactions Database Parameter Tampering/SQL injection Fraud Web Server Published Vulnerabilities Crash site Web Server Forceful Browsing Access sensitive data
    12. 12. Hidden Field Manipulation <ul><li>Vulnerability explanation : </li></ul><ul><ul><li>The application sends data to the client using a hidden field in a form. Modifying the hidden field damages the data returning to the web application </li></ul></ul><ul><li>Why Hidden Field Manipulation : </li></ul><ul><ul><li>Passing hidden fields is a simple and efficient way to pass information from one part of the application to another (or between two applications) without the use of complex backend systems. </li></ul></ul><ul><li>As a result of this manipulation : </li></ul><ul><ul><li>The application acts according to the changed information and not according to the original data </li></ul></ul>
    13. 13. Hidden Field Manipulation - Example
    14. 14. Hidden Field Manipulation - Example
    15. 15. Hidden Field Manipulation - Example
    16. 16. Hidden Field Manipulation - Example
    17. 17. Backdoor & Debug options <ul><li>Vulnerability explanation : </li></ul><ul><ul><li>The application has hidden debug options that can be activated by sending a specific parameter or sequence </li></ul></ul><ul><li>Why Backdoor and Debug options : </li></ul><ul><ul><li>Leaving debug options in the code enables developers to find and fix bugs faster </li></ul></ul><ul><ul><li>Developers leave backdoors as a way of guaranteeing their access to the system </li></ul></ul><ul><li>As a result of this manipulation : </li></ul><ul><ul><li>Activation of the hidden debug option allows the hacker to have extreme access to the application (usually unlimited). </li></ul></ul>
    18. 18. Backdoor & Debug options - Example
    19. 19. Backdoor & Debug options - Example
    20. 20. Backdoor & Debug options - Example
    21. 21. Cross Site Scripting <ul><li>Vulnerability explanation : </li></ul><ul><ul><li>A third party creates a link (or sends an email) and the URL contains a parameter with a script – once the user connects, the site runs this script </li></ul></ul><ul><li>Why Cross Site Scripting : </li></ul><ul><ul><li>Many parameters are implanted within the HTML of following responses, while not checking their content for scripts. </li></ul></ul><ul><li>As a result of this manipulation : </li></ul><ul><ul><li>“Virtual hijacking” of the session. Any information flowing between the legitimate user and site can be manipulated or transmitted to the evil 3 rd party. </li></ul></ul>
    22. 22. Press this link to get to your bank Underlying link: http://www.mybank.com?a=<evil javascript> The JavaScript program collects and sends user names and passwords Enter your login information Cross Site Scripting - Example 1 2 Username Password 3
    23. 23. Parameter Tampering <ul><li>Vulnerability explanation : </li></ul><ul><ul><li>Parameters are used to obtain information from the client. This information can be changed in a site’s URL parameter </li></ul></ul><ul><li>Why Parameter Tampering : </li></ul><ul><ul><li>Developers focus on the legal values of parameters and how they should be utilized. Little if any attention is given to the incorrect values </li></ul></ul><ul><li>As a result of this manipulation : </li></ul><ul><ul><li>The application can perform a function that was not intended by its developer like giving access to customer information </li></ul></ul>
    24. 24. Parameter Tampering - Example
    25. 25. Parameter Tampering - Example
    26. 26. The Missing Piece <ul><li>Protection for the application itself </li></ul><ul><ul><li>Applications are vulnerable </li></ul></ul><ul><ul><li>Developers lack tools and know how to build secure applications </li></ul></ul><ul><ul><li>No amount of QA testing will capture all the security vulnerabilities </li></ul></ul><ul><ul><li>Systematic failures in the application can be engineered by hackers </li></ul></ul>
    27. 27. Web Application Hacking - Results
    28. 28. Auditing & Testing <ul><li>The process </li></ul><ul><ul><li>Coverage of relevant business process </li></ul></ul><ul><ul><li>Full inspection of client side scripts and comments </li></ul></ul><ul><ul><li>Full inspection of application interfaces </li></ul></ul><ul><ul><li>Analysis of potential vulnerabilities </li></ul></ul><ul><ul><li>Testing of potential vulnerabilities </li></ul></ul><ul><ul><li>Check for installation of known patches </li></ul></ul><ul><li>The knowledge </li></ul><ul><ul><li>Complete understanding of the application logic </li></ul></ul><ul><ul><li>Complete knowledge of application manipulation methods </li></ul></ul><ul><ul><li>Awareness of all the known patches issues </li></ul></ul><ul><ul><li>Complete understanding of most secure configuration of all tools </li></ul></ul>
    29. 29. Auditing – The Problem <ul><li>Multiple points of people failure </li></ul><ul><ul><li>Development, QA, Operations, Vendor software, Outsourcing </li></ul></ul><ul><li>New third party bugs discovered every day </li></ul><ul><ul><li>site exposed during patch latency </li></ul></ul><ul><li>Site Complexity </li></ul><ul><ul><li>many line of codes and application interactions </li></ul></ul><ul><li>Compressed application development cycle </li></ul><ul><ul><li>time to market needs will impact development and QA </li></ul></ul><ul><li>Distributed Knowledge </li></ul><ul><ul><li>Any single person does not have all the knowledge needed for a full audit. </li></ul></ul>
    30. 30. What is a Viable Solution? <ul><li>VIABLE = Positive Security Model : </li></ul><ul><ul><li>Assessment : bullet-proof applications before production </li></ul></ul><ul><ul><li>Application Firewalls : block, log and alert against known/unknown attacks </li></ul></ul><ul><ul><li>Behavioral/ Policy-based </li></ul></ul><ul><ul><ul><li>Automatically builds a policy in real time for the site </li></ul></ul></ul><ul><ul><ul><li>Allows only intended business interactions </li></ul></ul></ul><ul><ul><ul><li>Maintains intended application behavior </li></ul></ul></ul><ul><ul><li>e.g., Code Red and Nimda blocked without updates or rules </li></ul></ul><ul><ul><li>Not Viable = Negative Security Model : </li></ul></ul><ul><ul><li>Signature/Rules-based – Blocks known attacks based on signatures, heuristics or rules </li></ul></ul><ul><ul><li>e.g., - need patch installed or signatures written to block Code Red & Nimda </li></ul></ul>
    31. 31. Demo
    32. 32. Thank You for Your Attention