The document provides an overview of web application security. It discusses what web application security entails, which is achieving an acceptable level of security for a web application solution. It explains why web application security is important given increased reliance on web apps and their global accessibility. It outlines some common security risks like browser hijacking, cookie theft, and denial of service attacks. It also discusses how security problems should be addressed earlier in the development lifecycle to reduce costs. The document then delves into specific vulnerabilities like hidden field manipulation, cookie poisoning, buffer overflows, and cross-site scripting attacks. Examples are provided to illustrate how attackers can exploit these vulnerabilities.

1. Web Application Security
“Securing from the Ground Up”
Presenters: Charles Smith & Michael Spaulding

2. What is Web Application Security?
Web Applications exist in many forms. Some
search, some count, others even transfer money
within your bank accounts. Web Applications are
employed to carry out many mission-critical
tasks and if anything is certain, our reliance
upon web applications will continue to grow.
So Simply Put,
Web Application Security is the
achievement of an acceptable level of
security assurance of a web application
solution.
Security Assurance = CIA

3. Why is web application security important?
Before software functionality was capable of being delivered via
the web, software developer’s security concerns were relative to
network and OS level threats given their user-base was limited to
internal or wan networks. All this has now changed. Web
developers now create software that runs upon web servers
accessed by anyone, anywhere. The scope and magnitude of their
software delivery has increased exponentially and in so doing,
security issues have also risen that are now web-centric and totally
bypass the legacy network and OS based defensive strategy.
- Browser Hi-Jacking
- Cookie Theft
- Server & Client Compromise
- Denial of Service
- Abuse
- User Privacy Invasion

4. Pay Me Now Or Pay Me Later
Security problems are found in the Design, Build and
Deployment/Maintenance phases of the application lifecycle. A
problem identified in any phase after the initial build may cause the
code to go back to the design stage to be addressed, and then to
pass through the necessary development phases again. This
obviously adds time, cost and resource conflicts to the entire
development process. It is well known that fixing a problem found in
the Testing phase is about 2-5 times more expensive than fixing it in
the coding phase, and fixing a problem found in the Maintenance
(deployment and beyond) phase is 5-7times more expensive than
fixing it in the coding phase

5. What Is The Ultimate Cost For Not Addressing
Security Early?

6. The Fourth Level of Web Security
Security
Behavior
Antivirus
Disruption
Desktop
1
Encryption
Interception
Transport
2
Manual Patching
Web Perversion
Web
Applications
4
Firewall
Illegal Access
3
Network

7. Desktop Transport Network Web Applications
Antivirus
Protection
Encryption
(SSL)
Firewalls/
Advanced Routers
Manual Patching
and Code Review
Digital Security Landscape

8.  The business logic that
enables:
 User’s interaction with Web site
 Transacting/interfacing with back-
end data systems (databases, CRM,
ERP etc)
 In the form of:
 3rd party packaged software; i.e.
web server, shopping cart sw,
personalization engines etc.
 Code developed in-house / web
builder / system integrator
Input and Output flow through each layer of the application
A break in any layer breaks the whole application
Web Server
User Interface Code
Front end Application
Backend Application
Database
Data
User Input
HTML/HTTP
Browser
What is a Web Application

9. The manipulation of web applications for:
Web Threat Objectives?

10. Through a browser, a hacker can use even the smallest bug or
backdoor to change, or distort, the intent of the application.
Application Attack Objective
Form field: collect data Buffer overflow Crash servers/close business
Online shopping Hidden fields eShoplifting
Sloppy code Debug options Download proprietary database
Text Field: collect data Cross Site scripting eHijacking - Get account info
Customer account Cookie poisoning Identity theft
Web Manipulation Examples

11. The results of over 300 AppAudits
conducted with AppScan
97% of Sites Are Vulnerable
7%
7%
7%
4%
25%

12. The Web’s 7 Deadly Sins
 Hidden Field ManipulationHidden Field Manipulation
 Cookie PoisoningCookie Poisoning
 Application Buffer OverflowApplication Buffer Overflow
 Third-Party MisconfigurationThird-Party Misconfiguration
 Cross-Site Server ScriptingCross-Site Server Scripting
 Parameter TamperingParameter Tampering
 SQL InjectionSQL Injection

13. Hidden Field Manipulation
 Vulnerability explanationVulnerability explanation:
The application sends data to the client using a hidden field in a form. Modifying the hidden
field damages the data returning to the web application
 Why Hidden Field ManipulationWhy Hidden Field Manipulation:
Passing hidden fields is a simple and efficient way to pass information from one part of the
application to another (or between two applications) without the use of complex backend
systems.
 As a result of this manipulationAs a result of this manipulation :
The application acts according to the changed information and not according to the original
data

14. Hidden Field Manipulation - Example

15. Hidden Field Manipulation - Example

16. Hidden Field Manipulation - Example

17. Hidden Field Manipulation - Example

18. Cookie Poisoning
 Vulnerability explanationVulnerability explanation:
The session information contained within the cookie is changed to a different value
causing the application to shift to the new session ID.
 Why Cookie PoisoningWhy Cookie Poisoning:
Some session IDs are not-secure e.g. not encrypted or weakly encrypted or hashed.
This is generally due to lack of cryptographic expertise of the part of developers.
 As a result of this manipulationAs a result of this manipulation :
Hackers can assume the user’s identity and have access to that user’s information –
identity theft/impersonation

19. Cookie Poisoning - Example

20. Cookie Poisoning - Example

21. Cookie Poisoning - Example

22. Cookie Poisoning - Example

23. Backdoor & Debug options
 Vulnerability explanationVulnerability explanation:
The application has hidden debug options that can be activated by sending a
specific parameter or sequence
 Why Backdoor and Debug optionsWhy Backdoor and Debug options:
1. Leaving debug options in the code enables developers to find and fix bugs
faster
2. Developers leave backdoors as a way of guaranteeing their access to the system
 As a result of this manipulationAs a result of this manipulation :
Activation of the hidden debug option allows the hacker to have extreme access to
the application (usually unlimited).

24. Backdoor & Debug options - Example

25. Backdoor & Debug options - Example

26. Backdoor & Debug options - Example

27. Application Buffer Overflow
 Vulnerability explanationVulnerability explanation:
Exploiting a flaw in a form to overload the server with excess information - sending
more characters will cause it to misbehave
 Why Application Buffer OverflowWhy Application Buffer Overflow:
The application does not check the number of characters
 As a result of this manipulationAs a result of this manipulation :
The application crashes and in many cases causes the whole site to shut down (DoS).
In other cases, the application executes the code received as the input

28. Application Buffer Overflow- Example

29. Application Buffer Overflow- Example

30. Application Buffer Overflow- Example

31. Application Buffer Overflow- Example

32. Application Buffer Overflow- Example

33. Stealth Commanding
 Vulnerability explanationVulnerability explanation:
Concealing dangerous commands via a Trojan horse with the intent to run malicious
or unauthorized code that is damaging to the site.
 Why Stealth CommandingWhy Stealth Commanding:
Applications tend to use the content received from a field to evaluate a new
command. However, they assume that the content is only data and not executable
code.
 As a result of this manipulationAs a result of this manipulation :
The hacker can perform any command on the web-server, including complete shut
down, defacement, or access to all information

34. Stealth Commanding - Example

35. Stealth Commanding - Example

36. Known Vulnerabilities
 Vulnerability explanationVulnerability explanation::
Some technology used in sites have inherent weaknesses that a persistent hacker, or
a hacker with automated scanning tools, can exploit easily. Users are dependent
on patches from the developer. After discovered in one site they can be used in
all the sites using the same component
 Why Known VulnerabilitiesWhy Known Vulnerabilities:
Third party vendors have bugs (Microsoft IIS etc). Since their products appear in
many sites they are examined thoroughly by a large number of hackers
 As a result of this manipulationAs a result of this manipulation:
Once a bug is found, large parts of the internet are scanned and exploited. The
actual result varies according to the vulnerability type, but ability to gain the
administrators’ passwords and take control of the site is not unusual!

37. /msadc/..à?¯..à?¯..à?¯..à?¯..
/winnt/system32/cmd.exe?/c+dir+c:
Known Vulnerabilities - Example

38. 3rd
Party Misconfigurations
 Vulnerability explanationVulnerability explanation:
A misconfiquration, or human error during install of 3rd
party software can cause
default passwords or settings unchanged – open invitation for attack
 Why 3Why 3rdrd
party misconfiqurationsparty misconfiqurations:
Occurs during the installation and maintenance of the 3rd
party application
 As a result of this manipulationAs a result of this manipulation :
Through a configuration error a hacker could create a new database that renders
the existing one unusable by the site

39. 3rd
Party Misconfiguration - Example
/msadc/Samples/SELECTOR/showcode.asp?
source=/msadc/Samples/../../../../..

40. Cross Site Scripting
 Vulnerability explanationVulnerability explanation:
A third party creates a link (or sends an email) and the URL contains a parameter
with a script – once the user connects, the site runs this script
 Why Cross Site ScriptingWhy Cross Site Scripting:
Many parameters are implanted within the HTML of following responses, while
not checking their content for scripts.
 As a result of this manipulationAs a result of this manipulation:
“Virtual hijacking” of the session. Any information flowing between the legitimate
user and site can be manipulated or transmitted to the evil 3rd
party.

41. Press this link to get to your bank
Underlying link: http://www.mybank.com?a=<evil javascript>
The JavaScript program collects and sends user names and
passwords
Enter your login information
1
2
Username
Password
3
Cross Site Scripting - Example

42. Parameter Tampering
 Vulnerability explanationVulnerability explanation:
Parameters are used to obtain information from the client. This information can be
changed in a site’s URL parameter
 Why Parameter TamperingWhy Parameter Tampering:
Developers focus on the legal values of parameters and how they should be
utilized. Little if any attention is given to the incorrect values
 As a result of this manipulationAs a result of this manipulation :
The application can perform a function that was not intended by its developer like
giving access to customer information

43. Parameter Tampering - Example

44. Parameter Tampering - Example

45. Forceful Browsing
 Vulnerability explanationVulnerability explanation:
By “guessing” the names of files and directories the hacker can view them without
going through the business logic leading to those objects
 Why forceful browsingWhy forceful browsing:
1. Default files are left during the installation process
2. New files that should not be exposed and old files which should be removed are
left (outside the normal flow) by mistake
 As a result of this manipulationAs a result of this manipulation :
Content (log files, administration facilities, application source code) is revealed due
to file and directory access

46. Forceful Browsing - Example

47. Forceful Browsing - Example

48. Forceful Browsing - Example

49. Thank You
Feedback?
Recommendations?