Download to read offline
![Example #2: What’s the Issue?
JSON Poisoning
What happens: Hackers intercepts the JSON, tampers it,
and posts it.
{ "From": "Boston", "To": "Seattle",
"flights": [ {"stops": "0", "transit"
: "N/A", "price": "$0"},
{"stops": "2", "transit" :
"Newark,Chicago", "price": "$900"} ] }
Result: hackers pay $0
2008 JavaOneSM Conference | java.sun.com/javaone | 10](https://image.slidesharecdn.com/2619984/85/TS-5358-10-320.jpg)
More Related Content
![[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...](https://cdn.slidesharecdn.com/ss_thumbnails/cb16hasegawaen-161109050843-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Wroclaw #2] Web Application Security Headers](https://cdn.slidesharecdn.com/ss_thumbnails/owaspwebapplicationsecurityheaders1-160429210343-thumbnail.jpg?width=640&height=640&fit=bounds)
TS-5358
- 1. Detecting and DefendingAgainst Security Vulnerabilities for Web 2.0 Applications Ray Lai, Intuit TS-5358
- 2. Share experience howto detect and defend security vulnerabilities in Web 2.0 applications using open source security tools 2008 JavaOneSM Conference | java.sun.com/javaone | 2
- 3. Agenda Detect Defend Learn 2008 JavaOneSM Conference | java.sun.com/javaone | 3
- 4. Which is Easierto Hack? Google finds 2M suspicious sites Web 1.0 App Web 2.0 App Top 3 Security Vulnerabilities Top 3 Security Vulnerabilities •Unvalidated input parameters •Cross-site scripting •Broken access control •Injection flaw •Broken authentication and session management •Malicious file execution Note: Single loss expectancy - $690 per incident, Average annual loss $350,424 (CSI 2007) 2008 JavaOneSM Conference | java.sun.com/javaone | 4
- 5. What’s New AboutWeb 2.0 Security? OWASP 2007 Top 10 Web 2.0 Examples Cross-site scripting +++ Flash: cross-site flashing Injection flaws ++++ AJAX, mash-up Malicious file execution +++ Insecure direct object reference + JavaScript™ Object Notation (JSON) Cross-site request forgery +++ Flash Information leakage / improper error +++++ AJAX, JSON handling Broken authentication and session ++++ Cross-domain, mash-up management Insecure cryptographic storage + Insecure communications ++ Failure to restrict URL access ++ http://www.owasp.org/index.php/Top_10_2007 2008 JavaOneSM Conference | java.sun.com/javaone | 5
- 6. Use Case Scenario UseOpen Source / commercial security tools to examine WebGoat (and Roller) from SecuriBench http://suif.stanford.edu/~livshits/securibench/intro.html 2008 JavaOneSM Conference | java.sun.com/javaone | 6
- 7. Example #1: Post-Me Scenarios:newsgroup, forum, blogs, etc. Characteristics How can I re-direct readers •Plain data input screen to my malicious website? •No sensitive personal data •High usage, high traffic 2008 JavaOneSM Conference | java.sun.com/javaone | 7
- 8. Example #1: What’sthe Issue? Cross-site Request Forgery What happens: Hackers post a message with the malicious URL or parameters: <IMG SRC="attack?screen=7&menu=410&transferFunds=4000" width="1" height="1" /> Result: when reading the posting, newsgroup readers will invoke a malicious URL without noticing the tiny “1x1 image” (cross-site request forgery)! 2008 JavaOneSM Conference | java.sun.com/javaone | 8
- 9. Example #2: OnlineTravel Scenarios: online travel service, mash-up Characteristics •AJAX with JSON Can I change the price? •Financial transactions •Mash-up, possibly 2008 JavaOneSM Conference | java.sun.com/javaone | 9
- 10. Example #2: What’sthe Issue? JSON Poisoning What happens: Hackers intercepts the JSON, tampers it, and posts it. { "From": "Boston", "To": "Seattle", "flights": [ {"stops": "0", "transit" : "N/A", "price": "$0"}, {"stops": "2", "transit" : "Newark,Chicago", "price": "$900"} ] } Result: hackers pay $0 2008 JavaOneSM Conference | java.sun.com/javaone | 10
- 11. Example #3: ChangePassword Scenarios: online services, mash-up Characteristics •SOAP-based Web services Can I change •Perhaps mash-up somebody’s password? •HTTP or HTTPS, depends 2008 JavaOneSM Conference | java.sun.com/javaone | 11
- 12. Example #3: What’sthe Issue SOAP Injection What happens: Hackers tries changing the password, intercepts the SOAP message, tampers it, and posts it. <?xml version='1.0' encoding='UTF-8'?> … <wsns0:Body> <wsns1:changePassword> <id xsi:type='xsd:int'>101</id> <password xsi:type='xsd:string'> bar</password> </wsns1:changePassword> </wsns0:Body> </wsns0:Envelope> Result: hackers change someone’s password for future access 2008 JavaOneSM Conference | java.sun.com/javaone | 12
- 13. What About FlexApplication… Cross-site Flashing You can detect XSF using SwfIntruder 2008 JavaOneSM Conference | java.sun.com/javaone | 13
- 14. What About… Phishingattack Ad malware Botnet ActiveX controls Serialization security, e.g. DOJO, JQUERY 2008 JavaOneSM Conference | java.sun.com/javaone | 14
- 15. Agenda Detect Defend Learn 2008 JavaOneSM Conference | java.sun.com/javaone | 15
- 16. Strategy #1: SecurityDevelopment Lifecycle Remark: Show demo or examples of these artifacts 2008 JavaOneSM Conference | java.sun.com/javaone | 16
- 17. Defensive Coding: Examples Scenarios Sample Actions Cross-site request forgery Filter specific tags (e.g. <IMG>) Prompt user with security token for important actions or high value transactions Shorter time period for user sessions JSON poisoning Client-side and server-side input validation JavaScript output encoding Obfuscate JavaScript SOAP injection Use of nonce WS-Security best practices Turn off WSDL 2008 JavaOneSM Conference | java.sun.com/javaone | 17
- 18. Strategy #2: CustomSecurity Test Category Public / Open Source Commercial Discovery tools NMAP Nessus Web server vulnerabilities Nikto Code quality* OWASP, FindBugs Fortify, Klockwork Application vulnerabilities Paros AppScan, Hailstorm Penetration testing WebScarab, Paros, SwfIntruder Hybrid security testing = white box* + black box testing Remark: Show demo of running different security testing tools on Roller 2008 JavaOneSM Conference | java.sun.com/javaone | 18
- 19. Agenda Detect Defend Learn 2008 JavaOneSM Conference | java.sun.com/javaone | 19
- 20. Lesson 1: SecurityFindings by Category 2008 JavaOneSM Conference | java.sun.com/javaone | 20
- 21. Lesson 2: WhatYou Can and Can’t Do Obvious, e.g. Difficult ones, e.g. • Information leakage • Cross-site Scripting • Port scan • Cross-site Request Forgery • OS fingerprinting • Denial of Service • Web server Hard ones, e.g. vulnerabilities scanner • New Web 2.0 vulnerabilities 2008 JavaOneSM Conference | java.sun.com/javaone | 21
- 22. Lesson 3: Summary Don’t practice penetration testing tools on production system! “Trust no one” Do we know what to detect, or to test Different security testing tools provide different findings 2008 JavaOneSM Conference | java.sun.com/javaone | 22
- 23. For More Information Concepts • OWASP top 10 vulnerabilities http://www.owasp.org/index.php/Category:Vulnerability • Cannings , Dwivedi and Lackey. Hacking Exposed Web 2.0. McGrawHill, 2008 • Andrew Andreu. Professional Pen Testing for Web Applications • Shyamsuda and Gould. You Are Hacked. JavaOneSM Conference 2007 http://developers.sun.com/learning/javaoneonline/2007/pdf/TS-6014.pdf Security Incident Updates • Top 10 Web 2.0 attack vectors http://www.net-security.org/article.php?id=949 • http://www.us-cert.gov/current/current_activity.html • CERN http://security.web.cern.ch/security/ Also RSA, Microsoft, Symantec major security vendor websites 2008 JavaOneSM Conference | java.sun.com/javaone | 23
- 24. For More Information(cont’d) Tutorial • http://www.irongeek.com/i.php?page=security/hackingillustrated Tools • http://sectools.org/ • http://www.cotse.com/tools/ • http://www.securityhaven.com/tools.html • http://framework.metasploit.com/ • http://www.paneuropa.co.uk/penetration_testing.htm • http://www.owasp.org/index.php/Category:OWASP_Download 2008 JavaOneSM Conference | java.sun.com/javaone | 24
- 25. Ray Lai, rayymlai@gmail.com TS-5358 2008 JavaOneSM Conference | java.sun.com/javaone | 25