TDIS 2014 - Dealing with the risks: web applications

676 views

Published on

Event: Trusted Digital Identity Symposium 2014
Topic: Dealing with the risks - web applications
Location: Living Tomorrow (Brussels Vilvoorde)
Organizer: Vasco Data Security

  • Be the first to comment

TDIS 2014 - Dealing with the risks: web applications

  1. 1. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks web applications Malik Mesellem
  2. 2. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. About me  Malik Mesellem, Ethical Hacker  MME BVBA, founded in 2010  Specialized in audits & training  Objective approach, independent  Focus to advise and to educate @MME_IT #bWAPP | ITAudits&SecurityMME
  3. 3. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  4. 4. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  5. 5. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Web application security is today's most overlooked aspect of securing the enterprise  Hackers are concentrating their efforts on websites and web applications  Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
  6. 6. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  7. 7. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  8. 8. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. DEFENSE is needed !
  9. 9. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  10. 10. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  bWAPP, or a buggy Web APPlication  Deliberately insecure web application, includes all major known web vulnerabilities  Helps security enthusiasts, developers and students to discover and to prevent issues  Prepares one for successful penetration testing and ethical hacking projects
  11. 11. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues  Black-box penetration testing, simulating real attack scenarios, is still needed!  Confirms potential vulnerabilities, and excludes false positives  Guarantees that your defense measures are working effectively  bWAPP helps to improve your security-testing skills…
  12. 12. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  13. 13. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  What makes bWAPP so unique?  Well, it has over 100 web vulnerabilities  Covering all major known web bugs  Including all risks from the OWASP Top 10  Focus is not on one specific issue!
  14. 14. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Commercial Web Scanners
  15. 15. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (1)  SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections  Authentication, authorization and session management issues  Malicious, unrestricted file uploads and backdoor files  Arbitrary file access and directory traversals  Heartbleed vulnerability (OpenSSL)  Local and remote file inclusions (LFI/RFI)  Server Side Request Forgery (SSRF)
  16. 16. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (2)  Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures,...  HTTP parameter pollution and HTTP response splitting  XML External Entity attacks (XXE)  HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues  Unvalidated redirects and forwards  Denial-of-Service (DoS) attacks
  17. 17. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (3)  Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)  AJAX and Web Services issues (JSON/XML/SOAP)  Parameter tampering and cookie poisoning  HTTP verb tampering  PHP-CGI remote code execution  Local privilege escalations  And much more 
  18. 18. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today?
  19. 19. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework
  20. 20. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  External links  Home page - www.itsecgames.com  Download location - sourceforge.net/projects/bwapp  Blog - itsecgames.blogspot.com
  21. 21. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  22. 22. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  SQL injection is very common in web applications  Occurs when user input is sent to a SQL interpreter as part of a query  The attacker tricks the interpreter into executing unintended SQL queries
  23. 23. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Injection in the OWASP Top 10
  24. 24. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Normal operation DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login password SELECT * FROM table WHERE login = ‘login’ AND password = ‘password’ result HTML SQL
  25. 25. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login ’ or 1=1-- SELECT * FROM table WHERE login = ‘login’ AND password = ‘’ or 1=1-- ’ result HTML SQL SQL injection  Abnormal operation
  26. 26. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Simple injections  '--  ' or 'a'='a  ' or 'a'='a'--  ' or '1'='1  ' or 1=1--
  27. 27. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Union injections  ' UNION SELECT field1, field2 FROM table--  ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--  Stacked queries  '; DROP TABLE table;--
  28. 28. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL Injection
  29. 29. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  SQL injection  Bypassing login forms  Manually extracting data  Automated SQL injection  Website defacement
  30. 30. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  31. 31. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  32. 32. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Cross-Site Scripting  Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application  Insufficient validation of user-supplied data  Dangerous when it is stored permanently!  XSS can lead to  Website defacements  Phishing / session hijacking  Client-side exploitation
  33. 33. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Cross-Site Scripting  XSS in the OWASP Top 10
  34. 34. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Cross-Site Scripting  Detecting XSS  Phishing attack  Client-side exploitation
  35. 35. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Heartbleed bug  Vulnerability in the popular OpenSSL cryptographic software library, discovered in April 2014 (!)  Allows stealing information protected by SSL/TLS… just by sending a simple heartbeat request!  Sensitive data that might be stolen  Logon credentials  Session data  Private keys
  36. 36. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Heartbleed bug  Stealing credentials
  37. 37. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Denial-of-Service attack, or DoS attack  Attacker attempts to prevent legitimate users from accessing the application, server or network  Consumes bandwidth, server sockets, or CPU resources  Distributed Denial-of-Service attack, or DDoS  Popular techniques used by hacktivists
  38. 38. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Newer layer 7 DoS attacks are more powerful!  “Low-bandwidth application layer DoS”  Advantages of layer 7 DoS  Legitimate TCP/UDP connections, difficult to differentiate from normal traffic  Requires lesser number of connections, possibility to stop a web server from a single attack  Reach resource limits of services, regardless of the hardware capabilities of the server
  39. 39. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Layer 7 DoS methods  HTTP Slow Headers  HTTP Slow POST  HTTP Slow Reading  Apache Range Header  SSL/TLS Renegotiation  XML Bombs
  40. 40. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Denial-of-Service  HTTP Slow POST
  41. 41. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  42. 42. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Superbees wanted  Hi little bees, during this talk we  Defaced the website  Compromised the server  Compromised a client  Made the server unreachable  Hijacked a session  Stole credentials…
  43. 43. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.  And we have so much more bugs to exploit…  Definitely time to improve your web security  Defense is needed, security-testing is required!  Downloading bWAPP is a first start  Remember: every bee needs a superbee  Are you that superbee? Superbees wanted @MME_IT #bWAPP
  44. 44. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. About me  Malik Mesellem Email | malik@itsecgames.com LinkedIn | be.linkedin.com/in/malikmesellem Twitter | twitter.com/MME_IT Blog | itsecgames.blogspot.com

×