Web Application Security: "The Land that Information Security Forgot."
BlackHat Europe 2001
Jeremiah Grossman, firstname.lastname@example.org
WhiteHat Security, www.whitehatsec.com
2001 (c) WhiteHat Security, Inc.

Topics
  Web Application Security Landscape
  Common Web Application Security Mistakes
  Web Application Attack Methodologies
    Information & Discovery
    Input Manipulation / Parameter Tampering
    Authentication / Authorization
    System Mis-Configurations
What is a Web Application?
A web application or web service is a software application that is accessible using a web browser or an HTTP(S) user agent.

HTML Character Filtering
Proper handling of special characters:
  >  =>  &gt;
  <  =>  &lt;
  "  =>  &quot;
  &  =>  &amp;
Null characters (%00) should all be removed.
Information & Discovery
  Spidering / Site Crawling
  Identifiable Characteristics
  Errors and Response Codes
  File / Application Enumeration
  Network Reconnaissance

Spidering / Site Crawling
  Site Map
  Hidden Services
  Service Map
  CGIs and Forms
  Documentation
  Email addresses
  Tools: WGET - http://www.gnu.org/software/wget/wget.html

Identifiable Characteristics
  Comment Lines
  URL Extensions
  Meta Tags
  Cookies
  Client-Side scripting languages

Error and Response Codes
  HTTP Response Headers
  Error Messages
File / Application Enumeration
Commonly referred to as "forced browsing" or "CGI Scanning".
  Directory Browsing / Index Listings
  Tools: Whisker - http://www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm

Network Reconnaissance
  WHOIS / ARIN - http://www.arin.net/whois/index.html
  Port Scan - Nmap - http://www.insecure.org/nmap/index.html
  Traceroute
  Ping Scan (Nmap or HPING) - http://www.hping.org/
  NSLookup / Reverse DNS
  DNS Zone Transfer (DIG)
Input Manipulation / Parameter Tampering: "Twiddling Bits."
  Cross-Site Scripting
    Filter-Bypass Manipulation
  OS Commands
  Meta Characters
  Path / Directory Traversal
  Hidden Form Field Manipulation
  HTTP Headers

Cross-Site Scripting
Bad name given to a dangerous security issue.
The attack targets the user of the system rather than the system itself.
Outside client-side languages execute within the user's web environment with the same level of privilege as the hosted site.

Accessing the DOM & Outside the DOM
Document Object Model (DOM)
Client-side languages possess an enormous amount of power to access and manipulate the DOM within a browser.
Complex and diverse interconnections create an increased level of access within the DOM.
This increased level of access allows reading and modifying DOM data, ranging from background colors, to a file on your system, and beyond to executing system calls.

Dangerous HTML: "it's all bad."
  <APPLET> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <ILAYER> <META> <OBJECT> <SCRIPT> <STYLE>
Attribute danger list (any HTML tag that has these attributes):
  STYLE  SRC  HREF  TYPE
Twiddling Bits
  OS Commands
  Meta Characters
  Path / Directory Traversal

Power of the Semi-Colon: piping input to the command line.
OS Commands
  Normal:  http://email@example.com
  Altered: http://firstname.lastname@example.org;+sendmail+/etc/passwd
Shell pipes and re-directs can also be used.

Power of the Semi-Colon: piping input to the command line.
Meta Characters
  Normal:  http://foo.com/app.cgi?list=file.txt
  Altered: http://foo.com/app.cgi?list=*

Power of the Semi-Colon: piping input to the command line.
Path / Directory Traversal
  Normal:  http://foo.com/app.cgi?directory=/path/to/data
  Altered: http://foo.com/app.cgi?directory=path/to/data../../../../../../etc
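As an added example that is not part of the original slides, the following Python implements the filter from the "HTML Character Filtering" slide and a containment check for the directory= parameter shown above; the function names and the /srv/app_data root are assumptions.

```python
import os

# Entity map from the "HTML Character Filtering" slide. '&' is encoded first so
# the '&' inside an entity we just produced is not escaped a second time.
HTML_ESCAPES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"))


def filter_html(value: str) -> str:
    """Encode the four special characters and drop NUL bytes.

    NUL is removed both as a raw byte (what the CGI layer hands us after
    decoding %00) and as the literal text "%00", in case the value reaches
    us undecoded. No percent-decoding is done here, to avoid double-decoding.
    """
    value = value.replace("\x00", "").replace("%00", "")
    for raw, encoded in HTML_ESCAPES:
        value = value.replace(raw, encoded)
    return value


def resolve_under_base(base_dir: str, requested: str):
    """Canonicalise `requested` relative to base_dir; None if it escapes.

    Defends the directory= parameter shown on the slides: the traversal
    value path/to/data../../../../../../etc normalises to a path outside
    base_dir and is rejected instead of being handed to the filesystem.
    base_dir is an assumed application data root.
    """
    base = os.path.realpath(base_dir)
    requested = requested.replace("\x00", "").replace("%00", "")
    # Treat a leading '/' as "relative to the data root", not the real root.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # commonpath compares whole path components, so /srv/app_data2 is
    # not mistaken for a child of /srv/app_data.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    print(filter_html('<b onclick="x">hi & bye</b>'))
    print(resolve_under_base("/srv/app_data", "/path/to/data"))
    print(resolve_under_base("/srv/app_data", "path/to/data../../../../../../etc"))
```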
More bits...
  Hidden Form Field Manipulation
  HTTP Headers

System Mis-Configurations: "patches, patches, and more patches..."
  Vendor Patches
  Default Accounts
Check:
  Web server permissions, by directory browsing
  Software version, from Discovery
  Known default accounts in commercial platforms (BugTraq)
  Anonymous FTP open on the web server

Introducing OWASP: Open Web Application Security Project
http://www.owasp.org
The "Open Web Application Security Project" or OWASP is a community effort focused on defining Recommendations, Specifications and Methodologies for Designing, Developing, Deploying and Testing the security of web-enabled applications or web services.
OWASP is based on an idea from the participants of the www-mobile-code mailing list at securityfocus.com. You can join the mailing list by visiting www.securityfocus.com.