Intro to Web Application Security


Introduction to Web Application Security, presented to the Penn State Information Assurance Club (Fall 2007)


  1. 1. Information Assurance Club 2007 Understanding Web Application Security
  2. 2. What is Application Security?
     - Application Security encompasses measures taken to prevent exceptions in the security policy of an application or the underlying system vulnerabilities through flaws in the design, development, or deployment of the application. [Wikipedia]
     - Make sure code
       - Properly uses security mechanisms
       - Has no design or implementation flaws
  3. 5. Application Layer vs Network Layer
     - Application Layer
       - Attackers send attacks inside valid HTTP requests
       - Custom code is manipulated to do something it shouldn't
       - Security requires software development expertise, not signatures
     - Network Layer
       - Firewall, hardening, patches, IDS, IPS
       - SSL cannot detect or prevent attacks inside HTTP requests
       - Security based on a signature database
  4. 6. Test Your Hacking Knowledge
     - What might happen in an application if an attacker...
       - Adds "; rm -rf /" to a menu selection passed to a system call
       - Replaces the unitprice hidden field with -500
       - Sends 1000000 'A' characters to a login script
       - Figures out the encoding used for cookies
       - Disables all client-side JavaScript for form validation
       - Adds "%27%20OR%201%3d1" to the end of an account ID parameter
       - Sends 1,000 HTTP requests per second to the search field for an hour
  5. 7. Why Should I Care?
     - How likely is a successful web application attack?
       - Anyone in the world, including insiders, can send an HTTP request to your server
       - Vulnerabilities are highly prevalent
       - Easy to exploit without special tools or knowledge
       - Little chance of being detected
       - Hundreds of thousands of developers with no security background or training
     - Consequences?
       - Corruption or disclosure of database contents
       - Root access to web and application servers
       - Loss of authentication and access control for users
       - Defacement
       - Loss of use / availability
       - Secondary attacks from your site
     - Application security is just as important as network security
  6. 8. Attacks Shift Towards Application Layer
     - 75% of All Attacks on Information Security Are Directed at the Web Application Layer
     - 2/3 of All Web Applications Are Vulnerable
     - (Gartner)
  7. 9. How Do Attackers Do It?
     - Proxies
     - Browser plugins
     - Vulnerability scanning tools
     - Many attacks can be launched using only a browser and a text editor
  8. 10. HyperText Transfer Protocol (HTTP)
     - Request:
         GET /index.html HTTP/1.1
         Host:
     - Response:
         HTTP/1.1 200 OK
         Date: Mon, 23 April 2007 22:38:34 GMT
         Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
         Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
         Etag: "3f80f-1b6-3e1cb03b"
         Accept-Ranges: bytes
         Content-Length: 438
         Connection: close
         Content-Type: text/html; charset=UTF-8
  9. 11. HTTPS
     - Just encryption
     - Protects against eavesdropping
       - Protect passwords
       - Gmail
     - Bypasses IPS (encrypted traffic cannot be inspected for attacks)
     - Doesn't prevent hacking
  10. 12. Transparent Proxy
     - Fiddler is an HTTP debugging proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.
     - Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
     - Others: Paros, WebScarab, etc.
  11. 13. Authentication: Common Problems
     - Never expire (Facebook)
     - Not protected by SSL
     - Easy to forge (cookies)
     - Replay attacks
       - Re-using cookies
       - Preventable with an encrypted date/time stamp
  12. 14. Authentication Best Practices
     - Ensure HTTPS is being used
     - Login failures should NOT indicate whether the username or the password failed
     - Strong password policy (don't store passwords in clear text)
     - Use brute-force countermeasures
       - CAPTCHA
       - Time delay
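The practices on this slide in one small login routine, as an added example that is not part of the deck: salted PBKDF2 hashing instead of clear-text storage, one failure message regardless of which credential was wrong, a dummy hash so unknown usernames cost the same time as real ones, and a time delay after repeated failures. The three-failure threshold and two-second delay are constructed policy values, and `sleep` is injectable only so the delay can be observed in a test.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000          # PBKDF2 work factor; tune to your hardware
FAILURES_BEFORE_DELAY = 3     # constructed policy: delay after 3 consecutive failures
DELAY_SECONDS = 2.0

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Never store the clear text: keep a random salt and a PBKDF2-HMAC-SHA256 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

class LoginService:
    def __init__(self, sleep=time.sleep):
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> consecutive failed attempts
        self._sleep = sleep   # injectable so the delay can be observed without waiting
        # Dummy record: unknown usernames still cost one PBKDF2 run, so response
        # time does not reveal whether the username exists
        self._dummy = hash_password(os.urandom(8).hex())

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> tuple:
        # Brute-force countermeasure: slow the caller down after repeated failures
        if self._failures.get(username, 0) >= FAILURES_BEFORE_DELAY:
            self._sleep(DELAY_SECONDS)
        salt, stored = self._users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # Constant-time digest comparison; the username check is folded in afterwards
        ok = hmac.compare_digest(stored, candidate) and username in self._users
        if ok:
            self._failures.pop(username, None)
            return True, "Welcome"
        self._failures[username] = self._failures.get(username, 0) + 1
        # One message for both failure causes, as the slide recommends
        return False, "Invalid username or password"
```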
  13. 15. State Problems
     - HTTP is a stateless protocol
     - The session ID (sent by the client browser) tells the server who you are
     - Server maintains a map of session objects
     - Hijacking techniques
       - Guessing
       - XSS
       - Not using HTTPS
       - Session ID exposed by URL rewriting
  14. 16. Session Best Practices
     - Single sign-on/off
     - Session IDs should be seemingly random and at least 20 bytes
     - Timeout
     - Use SSL
     - Avoid URL rewriting (disclosure risk)
  15. 17. Access Control
     - Restricting access
       - Who?
       - What can they see?
       - What can they do?
     - Should exist in the UI, BLL (business logic layer), and DAL (data access layer)
  16. 18. Broken Access Control
     - Attacker notices a URL indicating their role
       - /guest/getAccountInfo
     - They modify it to another directory (role)
       - /admin/getAccountInfo
       - /auth/getAccountInfo
     - Attacker views more accounts than just their own
  17. 19. Cross-Site Scripting (XSS)
     - Web application vulnerability that allows an attacker to execute a malicious script in a victim's web browser
     - How it works
       - Web browsers support scripting languages like JavaScript that allow web pages to perform logic
       - If an attacker can get a web server to send their malicious script to a victim, the script executes as if it came from that web site
     - Consequences
       - Steal session cookies
       - Deface websites
       - Information disclosure
  18. 20. XSS Vulnerability Pattern
     - A web app is vulnerable to XSS if
       - An attacker can provide malicious user input
       - The site puts user input into a response
         - Search, form field, message board, etc.
       - The site doesn't properly validate or sanitize that user input
         - Unless the developer is familiar with XSS, it's very likely that proper input validation is not being done
  19. 21. Two Types of XSS
     - Stored XSS
       - Dangerous user input is stored on the site and displayed at some later time
       - Typically found in message boards, guest books, surveys
       - Like leaving a land mine for a victim to trip across on a vulnerable site
     - Reflected XSS
       - Dangerous user input is immediately sent back to the user that submitted it
       - Possibly a malicious link with an embedded script
       - Typically found in search fields, error pages, etc.
  20. 22. Cross-Site Scripting - Tricks
     - Scripts can only access data from their own site
       - Enforced by the browser "sandbox", the same-origin policy (SOP)
         - Trick: use an anonymous proxy
       - Scripts can't access the OS or file system
         - Trick: WScript
     - The browser isn't doing anything abnormal
     - Cheat Sheet:
     - Demos:
  21. 23. XSS Real World Example
     - MySpace XSS Worm - Oct 2005
       - AKA the Samy worm
       - Samy introduced an XSS attack into his own profile
       - When anyone viewed his profile, the attack:
         - added Samy as a 'friend' to that user's profile
         - and infected them with the same XSS attack in their own profile
         - Then, when anyone viewed the infected profile, it started all over...
     - The exploit:
       - Used 'java script' since 'javascript' was filtered out, String.fromCharCode(34) to generate a double quote, etc.
       - Used XmlHttpRequest (AJAX), as did the Yamanner worm
       - 10 hrs - 560 friends; 13 hrs - 6,400 friends; 18 hrs - 1,000,000 friends; 19 hrs - entire site down; 22 hrs - site back up again
  22. 25. XSS - Input Filters
     - Many applications attempt XSS protection with filters
       - Convert < and > to &lt; and &gt;
       - Strip out HTML tags
       - Eliminate <script> tags
       - Strip out JavaScript
     - .NET provides XSS protection by default
       - <%@ Page ValidateRequest="true" %>
       - Anti-Cross Site Scripting Library
     - Better to white-list input than to black-list it
     - VALIDATE USER INPUT!!! TRUST NOTHING FROM THE CLIENT!!!
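Why the deck prefers encoding and white-listing over keyword filters, as an added example that is not part of the slides: a deny-list filter of the kind listed above is run against constructed inputs, including the 'java script' spelling that slide 23 says got past MySpace's filter, and compared with entity encoding of the output and an allow-list rule for a username field. The sample strings, the username rule and the `contains_markup` check are all constructed for this demonstration.

```python
import html
import re

# Constructed sample inputs: a plain tag, the 'java script' split that slide 23
# says defeated a keyword filter, and harmless text that happens to contain markup.
SAMPLES = {
    "tag": "<script>alert(1)</script>",
    "split_keyword": '<a href="java\nscript:alert(1)">click</a>',
    "benign": "5 < 6 and <b>bold</b>",
}

def blacklist_filter(text: str) -> str:
    """A typical deny-list filter: remove <script> tags and the word 'javascript'.
    It only recognises the exact spellings it was written for."""
    text = re.sub(r"<\s*/?\s*script\s*>", "", text, flags=re.IGNORECASE)
    return text.replace("javascript", "")

def encode_for_html(text: str) -> str:
    """Output encoding: every character with meaning in HTML becomes an entity, so
    the browser renders the input as text and never parses it as markup."""
    return html.escape(text, quote=True)

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

def accept_username(value: str) -> bool:
    """Allow-list validation for a field with a known shape: accept only the
    characters a username may contain and reject everything else."""
    return USERNAME_RE.fullmatch(value) is not None

def contains_markup(text: str) -> bool:
    """Would an HTML parser still see a tag here ('<' followed by a name or '/')?"""
    return re.search(r"<\s*[A-Za-z/]", text) is not None
```

The deny list happens to catch the plain tag but passes the split spelling untouched, while the encoded output contains no tag at all whatever the input was.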
  23. 26. PSU Webmail XSS
     - popMessage param (cookie)
     - Now what?
       - Hijack web access session ID
       - Steal email
       - Go phishing
       - Do anything the user can do
  24. 27. View Passwords
     - Bookmarklet (shown here with the %22 URL-encoding decoded to plain double quotes):
         javascript:(function(){
           var s, F, j, f, i;
           s = "";
           F = document.forms;                  // every form on the page
           for (j = 0; j < F.length; ++j) {
             f = F[j];
             for (i = 0; i < f.length; ++i) {   // every field in the form
               if (f[i].type.toLowerCase() == "password") s += f[i].value + " ";
             }
           }
           if (s) alert("Passwords in forms on this page: " + s);
           else alert("There are no passwords in forms on this page.");
         })();
  25. 28. CSRF (Sea-Surf)
     - Cross-site request forgery, also known as a one-click attack or session riding
     - Digg and Amazon have been targets
     - Prevention
       - Include a secret, user-specific token in forms that is verified in addition to the cookie
       - Users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session
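The session practices from slide 16 and the CSRF token from this slide together, as an added example that is not code from the deck: a server-side map of session objects keyed by a 20-byte random id with an idle timeout, and a per-session form token that is checked in addition to the cookie. Deriving the token as an HMAC of the session id under a server key is one common design chosen for this example; the 15-minute timeout and the in-process `SERVER_SECRET` are constructed values.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # constructed here; load from protected config in practice
IDLE_TIMEOUT = 15 * 60                   # seconds of inactivity before a session is dropped

class SessionStore:
    """Server-side map of session id -> session object (the deck's 'map of session objects')."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the timeout can be tested without waiting

    def create(self, user: str) -> str:
        # 20 random bytes from the OS CSPRNG, URL-safe encoded for the cookie value
        sid = secrets.token_urlsafe(20)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str):
        """Return the session, or None if the id is unknown or has been idle too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess["last_seen"] = self._clock()
        return sess

def csrf_token(sid: str) -> str:
    """Per-session secret for a hidden form field: an HMAC of the session id under a
    server key. A cross-site request carries the cookie automatically but cannot
    produce this value, because the other site never sees the session id."""
    return hmac.new(SERVER_SECRET, sid.encode("utf-8"), hashlib.sha256).hexdigest()

def verify_form_post(store: SessionStore, cookie_sid: str, form_token: str):
    """Accept a state-changing POST only if the session cookie is valid AND the token
    in the form body matches it; returns the user name or None."""
    sess = store.lookup(cookie_sid)
    if sess is None:
        return None
    if not hmac.compare_digest(csrf_token(cookie_sid), form_token or ""):
        return None
    return sess["user"]
```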
  26. 29. Injection Overview
     - Many applications invoke interpreters
       - SQL
       - OS command shell (cmd.exe, perl)
       - Sendmail, LDAP, XPath, XSLT
     - Interpreters take commands and data and execute the instructions
       - An attacker can send malicious data or commands into your application, tricking it into behaving differently
     - Frequently interpreters run as root or administrator
  27. 30. SQL Injection - Example
     - Get rows from a table based on a user-provided parameter
       - "SELECT * FROM users WHERE SSN='" + ssn + "'"
     - SSN goes from user to web application to database
       - Never validated
       - Attacker sends 123456789' OR '1'='1
     - Application builds the query
       - SELECT * FROM users WHERE SSN='123456789' OR '1'='1'
       - Returns every user in the database
     - Blind SQL Injection:
  28. 31. Prevent SQL Injection
     - Validate user input
     - Stored procedures
     - Parameterized queries
     - Connection strings (access control)
       - Use a database account that cannot run DELETE or DROP queries
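The example from slide 30 and the countermeasures from slide 31 run against a real database, as an added example that is not part of the deck: an in-memory SQLite table stands in for the `users` table, the concatenated query from the slide is fed the slide's own `123456789' OR '1'='1` value beside its parameterized replacement, and a read-only connection shows the connection-string point. The table contents, the nine-digit SSN rule and the use of SQLite's `query_only` pragma as the least-privilege mechanism are constructed for this demonstration.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "123456789"), ("bob", "987654321"), ("carol", "555443333")])
    return conn

def lookup_concat(conn, ssn: str) -> list:
    """The vulnerable pattern from slide 30: user input pasted into the SQL text,
    so a quote in the input changes the structure of the query."""
    query = "SELECT name FROM users WHERE SSN='" + ssn + "'"
    return sorted(row[0] for row in conn.execute(query))

def lookup_param(conn, ssn: str) -> list:
    """Parameterized query: the driver binds the value separately from the SQL,
    so the input is compared literally and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE SSN=?", (ssn,))
    return sorted(row[0] for row in rows)

def is_valid_ssn(ssn: str) -> bool:
    """Input validation in front of the query: nine digits and nothing else (constructed rule)."""
    return len(ssn) == 9 and ssn.isdigit()

def restrict_to_reads(conn) -> sqlite3.Connection:
    """Least-privilege connection, the slide's 'connection strings' point: with
    query_only set, SQLite refuses every data change made through this connection."""
    conn.execute("PRAGMA query_only = ON")
    return conn

def delete_allowed(conn) -> bool:
    """Probe used to show the effect: does a DELETE succeed on this connection?"""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.OperationalError:
        return False
```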
  29. 32. Injection Demo
     - SQL Injection: almost every IST student's web application is vulnerable
       - ='%20OR%201=1--
     - Remote Code Execution:
  30. 33. Conclusion
     - Be aware of security threats
       - Train yourself
     - Assess security at every step of the SDLC
     - Define unacceptable risks
       - Then implement policy
       - Ensure accountability
     - Consider commercial solutions (get help)
  31. 34. Where can I learn more?
     - Download this presentation
  32. 35. Questions? Ask questions and I'll try to answer them