1. Workshop on Web Application Security

4. Web Application

8. Typical structure of a Web Application HTTP allowed through port 80 Firewalls and other simple boundary devices lack some degree of intelligence when it comes to observing, recognizing, and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. Without sounding critical of such other systems’ capabilities, this deficiency brought in Intrusion Detection systems

10. Network Level Attack

11. Network a mean of breach

12. Security threats revisit

21. Firewalls and Encryption do NOT protect against Web Application Vulnerabilities Only tool required is a web browser ! HTTP allowed through port 80

23. A Gartner study indicates that 75% of security breaches are due to flaws in software

28. Web Application Security

30. Basic principle behind web app attacks

31. Basic principle behind web app attacks

34. Common vulnerabilities Cause crashing of a process Buffer Overflow Vulnerability What can an attacker do ? Parameter manipulation Change values of sensitive information Cross Site Scripting Impersonate a trusted site and steal user information SQL Injection Access all data in your database resulting in a total data breach

35. Buffer Overflows

36. Buffer Overflows

37. How to Avoid

38. Parameter manipulation

43. Hidden-field tampering <input type=&quot;hidden&quot; name=“txtprice1“ value=&quot;1000.00&quot;> <input type=&quot;hidden&quot; name=“txtprice2“ value=“500.00&quot;> Sample Shopping Cart

46. Hidden-field tampering Change the price ?

51. Cross Site Scripting (XSS)

59. Phishing attack via Cross Site Scripting 1. XSS Attack 2. Website vulnerable to XSS 5. Victim Information stolen 3. Create email with malicious hyperlink 4. Email Sent to victim

62. Comparison of Samy with other worms First 24 hours of worm propagation

64. Defense tactics Write an HTMLEncode

68. SQL Injection

75. Defaults or Vulnerable

79. How do attackers know?

80. How do attackers know?

81. SQL Injection attack on U.N.

85. Malware Infection via SQL Injection

89. What’s for sale ?

92. Check if website is vulnerable to SQL injection Insert malicious <Script> tags in database

93. Before Injection After Injection

94. User visits compromised website Malicious script embedded in the database is executed Malware is downloaded onto the user’s PC

98. Mass SQL injections

99. Mass SQL injections

100. Automated Mass SQL Injections

104. Automated Mass SQL Injections http://www.microsoft.com/technet/security/advisory/954462.mspx

109. Implementing Web Application Security in your organization

111. The Web Developer

117. IT Management

120. The IT Auditor / IT Security Officer

124. Commercial Scanners No. Security Scanner URL 1. Acunetix Web Vulnerability Scanner http://www.acunetix.com 2. Watchfire Appscan http://www.watchfire.com/products/appscan/default.aspx 3. Milescan Web Security Auditor http://www.milescan.com/hk/ 4. HP WebInspect software https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9570_4000_100__

128. Freely available tools No. Security Scanner URL 1. Free Cross Site Scripting Scanner http://www.acunetix.com/cross-site-scripting/scanner.htm 2. Security Compass Tools http://www.securitycompass.com/exploitme.shtml 3. Microsoft Source Code Analyzer for SQL Injection http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en 4. HP Scrawlr (free tool for SQL injection) https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php?mcc=DNXA&jumpid=in_r11374_us/en/large/tsg/w1_0908_scrawlr_redirect/mcc_DNXA

130. Exploit-Me by Security Compass

131. Exploit-Me by Security Compass

133. Global Information Security Survey – 2008

136. Cost of fixing a security flaw increases as software goes into Production

140. Microsoft Threat Modeling via STRIDE and DREAD

143. Steps in Threat Modeling Identify Assets 1 Create an architecture overview 2 Decompose the application 3 Identify the threats (STRIDE) 4 Document the threats 5 Rate the threats (DREAD) 6

154. Risk Ratings using DREAD Methodology © Toronto Area Security Klatch 200 7 High (3) Medium (2) Low (1) D Damage Potential Attacker can completely compromise the system gaining full access Sensitive information might be leaked Leakage of trivial information R Reproducibility Attack can be reproduced every time and does not require some condition Attack can be reproduced only within a specific condition Attack is very difficult to reproduce E Exploitability Novice attacker can use this threat Skills required In-depth knowledge of system required A Affected Users All Users Some users Only specific users D Discoverability Information about this threat is available on the Internet It would take some time before attacker becomes aware of this vulnerability Highly unlikely that users will come across this security flaw

155. Risk Ratings using DREAD Methodology Sample DREAD Risk Rating Threat D R E A D Total Rating Injection of SQL commands 3 3 2 2 2 12 High Leakage of passwords through network monitoring 2 2 2 3 2 11 Medium Stealing of passwords through key loggers 2 3 3 2 3 14 High DREAD Risk Rating 5-7 Low Risk 8-11 Medium Risk 12-15 High Risk

158. Resources

160. OWASP Top 10 No. Vulnerability A1 Cross Site Scripting (XSS) A2 Injection Flaws A3 Malicious File Execution A4 Insecure Direct Object Reference A5 Cross Site Request Forgery (CSRF) A6 Information Leakage and Improper Error Handling A7 Broken Authentication and Session Management A8 Insecure Cryptographic Storage A9 Insecure Communications A10 Failure to restrict URL access

161. Hacking

176. Conclusion

180. Don’t become this guy !

181. Thanks for listening !