Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101

Presented in March 2008 in Wellington, New Zealand.

1. Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan
   Lee Kinsman – Software Architect
   Alan Kan – Technical Specialist
2. Agenda
   - Introductions & facilities
   - The importance of web application security
   - Vulnerability Analysis
     - Top Attacks Overview
     - Hands on Labs 1-2
   - Vulnerability Analysis (continued)
     - Hands on Labs 3-5
   - Automated Vulnerability Analysis
     - AppScan Overview
     - Hands on Lab 6
3. Welcome to the Hacking 101 Workshop
   - Introductions
   - Restrooms
   - Emergency Exits
   - Smoking Policy
4. POT Objectives
   By the end of this session you will:
   - Understand the web application environment
   - Understand and differentiate between network and application level vulnerabilities
   - Understand where the vulnerabilities exist
   - Understand how to leverage AppScan to perform an automated scan for vulnerabilities
5. Agenda (same as slide 2)
6. The Alarming Truth
   - LexisNexis Data Breach – Washington Post, Feb 17, 2008
   - IndiaTimes.com Malware – InformationWeek, Feb 17, 2008
   - Hacker breaks into Ecuador's presidential website – Thaindian, Feb 11, 2008
   - Hacking Stage 6 – Wikipedia, Feb 9, 2007
   - Hacker steals Davidson Cos client data – Falls Tribune, Feb 4, 2008
   - RIAA wiped off the Net – TheRegister, Jan 20, 2008
   - Chinese hacker steals 18M identities – HackBase.com, Feb 10, 2008
   - Mac blogs defaced by XSS – The Register, Feb 17, 2008
   - Your Free MacWorld Expo Platinum Pass – CNet, Jan 14, 2008
   - Hacker takes down Pennsylvania gvmt – AP, Jan 6, 2008
   - Drive-by Pharming in the Wild – Symantec, Jan 21, 2008
   - Italian Bank hit by XSS fraudsters – Netcraft, Jan 8, 2008
   - Greek Ministry websites hit by hacker intrusion – eKathimerini, Jan 31, 2008
7. The Alarming Truth
   - "Security Intelligence Service director Warren Tucker revealed government department websites had been attacked and information stolen" – nzherald.co.nz, Sep 12, 2007
   - "A florist which does all of its business online has had its website targeted by hackers and customers' credit card details have been stolen." – abc.net.au, Sep 17, 2007
   - "Turkish hackers bring down insurer's site… The site was shut down as a precaution and was unavailable for most of today" – SMH.com.au, July 20, 2007
   - "Computer hackers have cracked the defences of dozens of top government and business sector internet sites this year, raising concerns about the safety of consumers' financial and personal information." – SMH.com.au, October 14, 2007
   - "Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions." – Jon Oltsik, Enterprise Strategy Group
8. Security and compliance risks
   - 90% of sites are vulnerable to application attacks
   - 80% of organizations will experience an application security incident by 2010
   - 64% of CIOs feel that the most significant challenge facing IT organizations is Security, Compliance and Data Protection.
     - (Disability Discrimination Act (DDA), Payment Card Industry (PCI) Standards, SOX)
   - 75% of the cyber attacks today are at the application level
   - Compliance requirements: Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA
   Security and compliance integrity risks have serious adverse impacts on a company's identity, customer relations and business results.
9. Reality: Security and Spending Are Unbalanced
   Sources: Gartner, Watchfire

   Security Spending      % of Attacks    % of Dollars
   Web Applications       75%             10%
   Network Server         25%             90%

   - 75% of All Attacks on Information Security Are Directed to the Web Application Layer
   - 2/3 of All Web Applications Are Vulnerable
10. 2006 Vulnerability Statistics (31,373 sites)
   Source: http://www.webappsec.org/projects/statistics/
11. The Myth: Our Site Is Safe
   - We Use Network Vulnerability Scanners
   - We Have Firewalls in Place
   - We Audit It Once a Quarter with Pen Testers
   - We Use SSL Encryption
12. Confusing Network Security Discipline with Application Security
   "Application developers and their superiors in IT departments too often mistakenly believe that firewalls, IDS / IPS, and network traffic encryption are sufficient measures for application security. By doing so they are confusing application security with network security"
   "None of those technologies hardens application code. All those technologies deal with traffic to applications, not with the applications themselves…. Applications need protection through separate, specific security discipline – application security"
   – Application Security Testing, Gartner, March 2, 2007
13. High Level Web Application Architecture Review
   Client Tier (Browser) – Internet – Firewall – Middle Tier: App Server (Presentation, Business Logic) – Data Tier: Database
   - Firewall: protects the network
   - SSL: protects the transport
   - App Server: the customer app is deployed here
   - Database: sensitive data is stored here
14. Network Defenses for Web Applications
   - Firewall
   - Intrusion Detection System (IDS)
   - Intrusion Prevention System (IPS)
   - Application Firewall
   - System Incident Event Management (SIEM)
   (diagram labels: Perimeter – IDS – IPS – App Firewall – Security)
15. Port 80 and Port 443 are open for business….
16. Building Security & Compliance into the SDLC
   SDLC stages: Build – Coding – QA – Security – Production
   - Enable Security to effectively drive remediation into development
   - Provide Developers and Testers with expertise on detection and remediation ability
   - Ensure vulnerabilities are addressed before applications are put into production
17. Agenda (same as slide 2)
18. Where are the Vulnerabilities?
   Layers: Network; Operating System; Applications; Database; Third-party Components; Web Server; Web Server Configuration; Web Applications (Client-Side, Custom, Web Services)
   Security tooling by layer:
   - Network: Nessus, ISS, QualysGuard, eEye Retina, Foundstone
   - Host: Symantec, NetIQ, ISS, CA, Harris STAT
   - Database: AppSec Inc, NGS Software
   - App Scanners: Watchfire, SPI Dynamics, Cenzic, NT Objectives, Acunetix WVS
   - Code Scanning (Emerging Tech): Fortify, Ounce Labs, Secure Software, Klockwork, Parasoft
19. Security Defects: Those I manage vs. Those I own
   (ASVs = Application Specific Vulnerabilities; CWVs = Infrastructure Vulnerabilities or Common Web Vulnerabilities)
   - Cause of Defect
     ASVs: Insecure application development in-house
     CWVs: Insecure application development by 3rd party SW
   - Location within Application
     ASVs: Business logic – dynamic data consumed by an application
     CWVs: 3rd party technical building blocks or infrastructure (web servers)
   - Type(s) of Exploits
     ASVs: SQL injection, path tampering, cross site scripting, suspect content & cookie poisoning
     CWVs: Known vulnerabilities (patches issued), misconfiguration
   - Cost Control
     ASVs: Early detection saves $$$
     CWVs: As secure as 3rd party software
   - Detection
     ASVs: Requires application specific knowledge
     CWVs: Match signatures & check for known misconfigurations
   - Business Risk
     ASVs: Requires automatic application lifecycle security
     CWVs: Patch latency primary issue
20. OWASP and the OWASP Top 10 list
   - Open Web Application Security Project – an open organization dedicated to fighting insecure software
   - "The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are"
   - We will use the Top 10 list to cover some of the most common security issues in web applications
21. The OWASP Top 10 list (Application Threat / Negative Impact / Example Impact)
   - Cross Site Scripting
     Negative impact: Identity theft, sensitive information leakage, …
     Example impact: Hackers can impersonate legitimate users, and control their accounts.
   - Injection Flaws
     Negative impact: Attacker can manipulate queries to the DB / LDAP / other system
     Example impact: Hackers can access backend database information, alter it or steal it.
   - Malicious File Execution
     Negative impact: Execute shell commands on server, up to full control
     Example impact: Site modified to transfer all interactions to the hacker.
   - Insecure Direct Object Reference
     Negative impact: Attacker can access sensitive files and resources
     Example impact: Web application returns contents of sensitive file (instead of harmless one)
   - Cross-Site Request Forgery
     Negative impact: Attacker can invoke "blind" actions on web applications, impersonating a trusted user
     Example impact: Blind requests to bank account transfer money to hacker
   - Information Leakage and Improper Error Handling
     Negative impact: Attackers can gain detailed system information
     Example impact: Malicious system reconnaissance may assist in developing further attacks
   - Broken Authentication & Session Management
     Negative impact: Session tokens not guarded or invalidated properly
     Example impact: Hacker can "force" session token on victim; session tokens can be stolen after logout
   - Insecure Cryptographic Storage
     Negative impact: Weak encryption techniques may lead to broken encryption
     Example impact: Confidential information (SSN, credit cards) can be decrypted by malicious users
   - Insecure Communications
     Negative impact: Sensitive info sent unencrypted over insecure channel
     Example impact: Unencrypted credentials "sniffed" and used by hacker to impersonate user
   - Failure to Restrict URL Access
     Negative impact: Hacker can access unauthorized resources
     Example impact: Hacker can forcefully browse and access a page past the login page
22. 1 - Cross-Site Scripting (XSS)
   - What is it?
     - Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context
   - What are the implications?
     - Session tokens stolen (browser security circumvented)
     - Complete page content compromised
     - Future pages in browser compromised
23. Cross Site Scripting – The Exploit Process (actors: Evil.org, User, bank.com)
   1) Link to bank.com sent to user via e-mail or HTTP
   2) User sends script embedded as data
   3) Script/data returned, executed by browser
   4) Script sends user's cookie and session information without the user's consent or knowledge
   5) Evil.org uses stolen session information to impersonate user
24. XSS Example I – HTML code:
25. XSS Example II – HTML code:
26. XSS – Details
   - Common in search, error pages and returned forms.
     - But can be found on any type of page
   - Any input may be echoed back
     - Path, query, POST data, cookie, header, etc.
   - Browser technology used to aid attack
     - XMLHttpRequest (AJAX), Flash, IFrame…
   - Has many variations
     - XSS in attribute, DOM-based XSS, etc.
27. Exploiting XSS
   - If I can get you to run my JavaScript, I can…
     - Steal your cookies for the domain you're browsing
     - Track every action you do in that browser from now on
     - Redirect you to a phishing site
     - Completely modify the content of any page you see on this domain
     - Exploit browser vulnerabilities to take over machine
     - …
   - XSS is the top security risk today (most exploited)
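The XSS slides above describe script being "echoed back into HTML" and the "XSS in attribute" variant. The following is an added example, not code from the deck or from IBM/Watchfire: a hypothetical search page that echoes the query, first as the deck describes it (raw) and then with output encoding for the HTML text context and for a quoted attribute. The query strings are constructed for the demonstration.

```python
# Added example (not from the deck). Reflected XSS in a hypothetical search page:
# the vulnerable echo beside the encoded one. html.escape is the standard-library encoder.
import html
import re

# Constructed inputs. Treated as data they are harmless; echoed raw into HTML the
# first one becomes live markup, the second breaks out of an attribute's quotes.
SAMPLE_QUERY = "<script>alert(1)</script>"
SAMPLE_WITH_QUOTES = 'O\'Reilly "books"'


def render_results_vulnerable(query: str) -> str:
    """Echoes the query straight into the page body: the reflected XSS the slides describe."""
    return f"<p>Results for: {query}</p>"


def render_results_fixed(query: str) -> str:
    """Encodes the query for an HTML text context before echoing it, so '<' and '>'
    reach the browser as &lt; and &gt; and are rendered, never parsed as tags."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attribute_fixed(query: str) -> str:
    """The 'XSS in attribute' variant: the same value placed in a quoted attribute.
    quote=True also encodes both quote characters, so the value cannot close the
    attribute and start a new one."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def contains_live_script(page: str) -> bool:
    """Crude check used only to illustrate the difference between the two renderings:
    does an unencoded <script tag survive in the output?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_results_vulnerable(SAMPLE_QUERY))
    print(render_results_fixed(SAMPLE_QUERY))
    print(render_attribute_fixed(SAMPLE_WITH_QUOTES))
```

Encoding is context-specific: `html.escape` is right for element text and quoted attributes, but a value dropped into a `<script>` block, a URL or a CSS property needs the encoder for that context.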
28. Agenda (same as slide 2)
29. Hands-on Labs
   - Lab 1 – Profile Web Application
   - Lab 2 – Steal Cookies
   - Lab 3 – Login without Credentials
   - Lab 4 – Steal Usernames and Passwords
   - Lab 5 – Logging into the Administrative Portal
   - Lab 6 – Automated Scan of Website
30. Lab 1 – Profile Web Application
   - The goal of this lab is to profile the demo.testfire.net application
   - Identify the Lab Workbook and where to start (page 5), where to stop (page 11)
31. Lab 2 – Steal Cookies
   - The goal of the lab is to utilize a Cross Site Scripting vulnerability on the demo.testfire.net application in order to access cookies on a target user's browser
   - Identify the Lab Workbook and where to start (page 12), where to stop (page 18)
32. Agenda
   - Introductions & facilities
   - Security Landscape
   - Vulnerability Analysis
     - Top Attacks Overview
     - Hands on Labs 1-2
   - Vulnerability Analysis (continued)
     - Hands on Labs 3-5
   - Automated Vulnerability Analysis
     - AppScan Overview
     - Hands on Lab 6
33. 2 - Injection Flaws
   - What is it?
     - User-supplied data is sent to an interpreter as part of a command, query or data.
   - What are the implications?
     - SQL Injection – access/modify data in DB
     - SSI Injection – execute commands on server and access sensitive data
     - LDAP Injection – bypass authentication
     - …
34. SQL Injection
   - User input inserted into SQL command:
     - Get product details by id: Select * from products where id='$REQUEST["id"]';
     - Hack: send param id with value ' or '1'='1
     - Resulting executed SQL: Select * from products where id='' or '1'='1'
     - All products returned
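The product lookup on the slide, run for real against an in-memory SQLite table, as an added example that is not the deck's own code: the concatenated query returns every row for the slide's `' or '1'='1` value, the parameterised query returns nothing for it, and an input-format check in front of the query adds a second layer. Table contents and column names are constructed for the demonstration.

```python
# Added example (not from the deck). The slide's "products by id" query built by string
# concatenation beside the parameterised form, against a constructed SQLite table.
import re
import sqlite3

INJECTED_ID = "' or '1'='1"   # the id value the slide sends


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three products with string ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("1", "Widget"), ("2", "Gadget"), ("3", "Gizmo")],
    )
    return conn


def product_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """Mirrors the slide: the request value is pasted into the SQL text, so a quote in
    the value ends the literal and the rest becomes part of the WHERE clause."""
    sql = f"SELECT * FROM products WHERE id='{product_id}'"
    return conn.execute(sql).fetchall()


def product_fixed(conn: sqlite3.Connection, product_id: str) -> list:
    """The value travels as a bound parameter. It is compared as data and can never
    change the structure of the statement, whatever characters it contains."""
    return conn.execute("SELECT * FROM products WHERE id=?", (product_id,)).fetchall()


def product_validated(conn: sqlite3.Connection, product_id: str) -> list:
    """Defence in depth: ids are known to be digit strings, so anything else is
    rejected before it reaches the database at all (still parameterised)."""
    if not re.fullmatch(r"[0-9]{1,10}", product_id):
        return []
    return product_fixed(conn, product_id)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected id:", product_vulnerable(db, INJECTED_ID))
    print("fixed, injected id:     ", product_fixed(db, INJECTED_ID))
    print("validated, id 2:        ", product_validated(db, "2"))
```

The parameterised form is the fix; the format check is cheap extra assurance and also gives a clean place to log rejected input for detection.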
35. SQL Injection Example I
36. SQL Injection Example II
37. SQL Injection Example – Exploit
38. SQL Injection Example – Outcome
39. Injection Flaws (SSI Injection Example) – creating commands from input
40. The return is the private SSL key of the server
41. 3 - Malicious File Execution
   - What is it?
     - Application tricked into executing commands or creating files on server
   - What are the implications?
     - Command execution on server – complete takeover
     - Site defacement, including XSS option
42. Malicious File Execution – Example I
43. Malicious File Execution – Example cont.
44. Malicious File Execution – Example cont.
45. 4 - Insecure Direct Object Reference
   - What is it?
     - Part or all of a resource (file, table, etc.) name controlled by user input.
   - What are the implications?
     - Access to sensitive resources
     - Information leakage, aids future hacks
46. Insecure Direct Object Reference – Example
47. Insecure Direct Object Reference – Example cont.
48. Insecure Direct Object Reference – Example cont.
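The slide defines the flaw as a resource name "controlled by user input", and the Top 10 table gives the file case (sensitive file returned instead of a harmless one); the later URL-access slide gives the record case (a bank account user accessing another's). This added example, not code from the deck, covers both: a lookup keyed only by the request's id beside one that ties the id to the caller, an indirect map that exposes only the caller's own ids, and a file-name lookup confined to a fixed directory. Accounts, owners and the report directory are constructed assumptions.

```python
# Added example (not from the deck). Direct object references checked against ownership
# (record case) and against a fixed base directory (file case).
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance: float


# Constructed data: two customers, three accounts.
ACCOUNTS = {
    1001: Account(1001, "alice", 250.0),
    1002: Account(1002, "alice", 1800.0),
    2001: Account(2001, "bob", 75.0),
}


def get_account_vulnerable(account_id: int) -> Optional[Account]:
    """The id from the request selects the record; nothing relates it to the caller,
    so changing the number in the URL is all it takes to read someone else's account."""
    return ACCOUNTS.get(account_id)


def get_account_fixed(current_user: str, account_id: int) -> Optional[Account]:
    """Authorisation is decided per object: the record must exist AND belong to the
    authenticated caller. Both failures look identical, so probing ids reveals nothing."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != current_user:
        return None
    return acct


def accessible_accounts(current_user: str) -> List[int]:
    """Indirect reference map: the page lists only the caller's own ids, so the client
    never needs, and never sees, anyone else's identifiers."""
    return sorted(a.account_id for a in ACCOUNTS.values() if a.owner == current_user)


# File case. Assumed base directory for downloadable reports (constructed; need not exist).
REPORT_DIR = os.path.realpath("/srv/app/reports")


def resolve_report_path(requested: str) -> Optional[str]:
    """A user-supplied file name is joined to the fixed directory and the resolved path
    must still lie inside it; a name that escapes the directory is refused."""
    candidate = os.path.realpath(os.path.join(REPORT_DIR, requested))
    if os.path.commonpath([REPORT_DIR, candidate]) != REPORT_DIR:
        return None
    return candidate


if __name__ == "__main__":
    print("vulnerable:", get_account_vulnerable(2001))
    print("fixed (alice asks for bob's):", get_account_fixed("alice", 2001))
    print("alice's ids:", accessible_accounts("alice"))
    print("report:", resolve_report_path("q1.pdf"), resolve_report_path("../../config.inc"))
```

The ownership check belongs in the data-access layer, not in the page, so that every route that reaches the record gets it for free.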
49. 5 - Information Leakage and Improper Error Handling
   - What is it?
     - Unneeded information made available via errors or other means.
   - What are the implications?
     - Sensitive data exposed
     - Web app internals and logic exposed (source code, SQL syntax, exception call stacks, etc.)
     - Information aids in further hacks
50. Information Leakage – Example
51. Improper Error Handling – Example
52. Information Leakage – Different User/Pass Error
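Two of the leaks named above, exception call stacks reaching the client and a login form that answers differently for an unknown user and a wrong password, as an added example that is not the deck's code: a leaky login beside one with a single failure message and constant-cost comparison, and a request wrapper that sends the client a reference id while the stack trace stays in the server log. The user store is constructed.

```python
# Added example (not from the deck). Uniform login failures and generic error responses,
# with the detail kept server-side. Standard library only.
import hashlib
import hmac
import logging
import os
import secrets
from typing import Callable, Tuple

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("app")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store with one account. The dummy entry gives the "no such user"
# path the same hashing cost as the real one, so timing does not reveal valid names.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = (_SALT, _hash("dummy", _SALT))

GENERIC_FAILURE = "Invalid username or password"


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """The slide's 'different user/pass error': each branch confirms something."""
    if username not in USERS:
        return (False, "Unknown user")          # tells the caller the account does not exist
    salt, expected = USERS[username]
    if _hash(password, salt) != expected:
        return (False, "Wrong password")        # tells the caller the account does exist
    return (True, "Welcome")


def login(username: str, password: str) -> Tuple[bool, str]:
    """One message for every failure; the specific reason is logged, not returned."""
    salt, expected = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), expected) and username in USERS
    if not ok:
        log.info("failed login for %r", username)
        return (False, GENERIC_FAILURE)
    return (True, "Welcome")


def handle_request(handler: Callable[[], str]) -> Tuple[int, str]:
    """Wraps a page handler. On an unexpected exception the client receives a generic
    message and a random reference id; the traceback goes to the log under that id,
    so support can find it without the client ever seeing internals."""
    try:
        return (200, handler())
    except Exception:
        ref = secrets.token_hex(4)
        log.exception("request failed, ref=%s", ref)
        return (500, f"An error occurred. Reference: {ref}")


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), login_leaky("alice", "x"))
    print(login("nobody", "x"), login("alice", "x"))
    print(handle_request(lambda: 1 / 0))
```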
53. 6 - Failure to Restrict URL Access
   - What is it?
     - Resources that should only be available to authorized users can be accessed by forcefully browsing to them
   - What are the implications?
     - Sensitive information leaked/modified
     - Admin privileges made available to hacker
54. Failure to Restrict URL Access – Admin user login: /admin/admin.aspx
55. Simple user logs in, forcefully browses to admin page
56. Failure to Restrict URL Access: Privilege Escalation Types
   - Access given to completely restricted resources
     - Accessing files that shouldn't be served (*.bak, "Copy Of", *.inc, *.cs, ws_ftp.log, etc.)
   - Vertical Privilege Escalation
     - Unknown user accessing pages past login page
     - Simple user accessing admin pages
   - Horizontal Privilege Escalation
     - User accessing other user's pages
     - Example: bank account user accessing another's
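The defence for the first two escalation types on this slide is a server-side check on every request, not the absence of a link: unknown paths are denied rather than served, the file patterns the slide lists are refused outright, and each known page carries the role it requires. The following is an added example, not the deck's code; the route table, role names and `/admin/admin.aspx` path (taken from slide 54) are constructed for the demonstration.

```python
# Added example (not from the deck). Deny-by-default URL authorisation covering the
# "restricted files" and "vertical escalation" cases on the slide.
import fnmatch
from typing import Optional

# Constructed route table: required role per path, None = public.
# Any path NOT in this table is denied, so forgotten pages fail closed.
ROUTE_ROLES = {
    "/": None,
    "/login.aspx": None,
    "/account/summary.aspx": "user",
    "/admin/admin.aspx": "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}

# File patterns from the slide's "files that shouldn't be served" list.
BLOCKED_PATTERNS = ["*.bak", "*.inc", "*.cs", "ws_ftp.log", "Copy of *", "Copy Of *"]


def is_blocked_file(path: str) -> bool:
    """True for build artefacts, backups and source files that must never be served,
    whatever directory they sit in."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, pattern) for pattern in BLOCKED_PATTERNS)


def authorize(path: str, role: Optional[str]) -> bool:
    """role is None for an anonymous visitor. Allows the request only when the path is
    a known page, not a blocked artefact, and the caller's role ranks high enough."""
    if is_blocked_file(path):
        return False
    if path not in ROUTE_ROLES:
        return False                      # unknown resource: deny, do not guess
    required = ROUTE_ROLES[path]
    if required is None:
        return True                       # public page
    if role is None:
        return False                      # anonymous user past the login page
    return ROLE_RANK.get(role, 0) >= ROLE_RANK[required]


if __name__ == "__main__":
    for path, role in [("/admin/admin.aspx", "user"), ("/admin/admin.aspx", "admin"),
                       ("/account/summary.aspx", None), ("/web.config.bak", "admin")]:
        print(f"{role!s:>6} -> {path}: {'allow' if authorize(path, role) else 'deny'}")
```

Horizontal escalation (one user reading another's account) is not a URL question at all; it needs the per-record ownership check, which is why the role table here says nothing about account ids.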
57. Agenda (same as slide 32)
58. Hands-on Labs 3-5
   - Lab 1 – Profile Web Application
   - Lab 2 – Steal Cookies
   - Lab 3 – Login without Credentials
   - Lab 4 – Steal Usernames and Passwords
   - Lab 5 – Logging into the Administrative Portal
   - Lab 6 – Automated Scan of Website
59. Lab 3 overview – Login without Credentials
   - The goal of the lab is to locate a SQL injection vulnerability and exploit it to log into the demo.testfire.net application without a password
   - Identify the Lab Workbook and where to start (page 19), where to stop (page 24)
60. Lab 4 overview – Steal Username and Password
   - The goal of this lab is to exploit the SQL injection vulnerability further in order to extract all the usernames and passwords from the demo.testfire.net application
   - Identify the Lab Workbook and where to start (page 25), where to stop (page 31)
61. Lab 5 overview – Logging in to Admin Portal
   - The goal of this lab is to use information leakage and direct access to URLs to find and log into the administrative portal
   - Identify the Lab Workbook and where to start (page 32), where to stop (page 36)
62. Agenda (same as slide 32)
63. Watchfire in the Rational Portfolio (diagram: Software Quality Solutions, for Development, Operations and Business)
   - Test and Change Management: Rational RequisitePro (Requirements), Rational ClearQuest (Test, Change, Defects)
   - Developer Test: Rational PurifyPlus, Rational Test RealTime
   - Functional Test (automated and manual): Rational Functional Tester Plus, Rational Functional Tester, Rational Robot, Rational Manual Tester
   - Performance Test: Rational Performance Tester
   - Security and Compliance Test: AppScan; Policy Tester (Interface Compliance; Content Compliance: ADA 508, GLBA, Safe Harbor; Quality, Brand, Search, Inventory)
   - Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports
64. AppScan
   - What is it?
     - AppScan is an automated tool used to perform vulnerability assessments on web applications
   - Why do I need it?
     - To simplify finding and fixing web application security problems
   - What does it do?
     - Scans web applications, finds security issues and reports on them in an actionable fashion
   - Who uses it?
     - Security auditors – main users today
     - QA engineers – when the auditors become the bottleneck
     - Developers – to find issues as early as possible (most efficient)
65. What does AppScan test for?
   Layers: Network; Operating System; Applications; Database; Third-party Components; Web Server; Web Server Configuration; Web Applications
   (diagram: AppScan covers the Web Applications layer)
66. How does AppScan work?
   - Approaches an application as a black box
   - Traverses a web application and builds the site model
   - Determines the attack vectors based on the selected test policy
   - Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules
   (diagram: AppScan → HTTP Request → Web Application → HTTP Response → AppScan)
67. AppScan Goes Beyond Pointing out Problems
68. Actionable Fix Recommendations
69. AppScan with QA Defect Logger for ClearQuest
70. IBM Watchfire on the Net
   - Watchfire.com – http://www.watchfire.com
     - Product evaluation download
   - AppScan Extensions Framework – http://axf.watchfire.com
     - Power Point Reporter, Pyscan, Defect Logger CQ
   - Watchfire Blog – http://blog.watchfire.com/wfblog
     - Expert opinion and Watchfire news
   - AppScan Knowledge On Demand (computer based training)
     - App Security 101, OWASP Top 10, WASC Threat Classifications, Common Attacks
71. Lab 6 overview
   - The goal of this lab is to use AppScan in order to automate the detection of vulnerabilities within a web application
   - Identify the Lab Workbook and where to start (page 37), where to stop (page 59)
72. Session summary
73. Session summary
   - Understand the web application environment
   - Understand and differentiate between network and application level vulnerabilities
   - Understand where the vulnerabilities exist
   - Hands-on exercises to understand types of vulnerabilities
   - Hands-on exercise to leverage automated scan for vulnerabilities
74. Next steps
   - Further discussions with IBM Rational Account Representative and/or AppScan product expert.
     - Jono Massy-Greene [email_address] 04-462-3487 021-228-3703
     - Alan Kan [email_address] 09-359-8768 021-668-185
   - Schedule a Security Business Value Assessment
   - Schedule a Vulnerability Assessment of one of your Applications
75. IBM Rational Software Development Conference 2008 – June 1 – 5, 2008; Orlando, Florida
   Register today with discount code "HDDE" and receive $100 off your registration fee! Visit www.ibm.com/rational/rsdc for more information
   CONFERENCE HIGHLIGHTS:
   - Over 3,000 customers and partners
   - Over 300 sessions – 14 tracks
   - Executive Summit 2008
   - 3- and 5-hour Technical Workshops
   - Access to IBM Engineers and IBM Research
   - Keynotes with industry-leading experts
   - Exhibit hall showcasing complimentary product and services
   - Unlimited networking opportunities
   - IBM Solution Center
   - Interactive Birds-of-a-Feather Sessions
77. We appreciate your feedback. Please fill out the survey form in order to improve this educational event.