SlideShare a Scribd company logo

Web Security

K
KHOANGUYNNGANH

Web Security

Technology
1 of 22
Download to read offline
Web Security
The goal of an attack Steal data Blackmail Beachhead for other attacks Bragging rights Vandalism Demonstrate vulnerability/satisfy curiosity Damage company reputation
A word of warning These tools and techniques can be dangerous The difference between a hacker and a cracker is…permission Admins will see strange activity in logs, and come looking for you Authorities are prosecuting even the “good guys” for using these tools
Commonly attacked services SMTP servers (port 25) ◦ sendmail: “The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application” RPC servers (port 111 & others) NetBIOS shares (ports 135, 139, 445) ◦ Blaster worm ◦ Sasser worm FTP servers (ports 20, 21) ◦ wuftpd vulnerabilities SSH servers (port 22) ◦ OpenSSH, PAM vulnerabilities Web servers (ports 80, 443) ◦ Apache chunked encoding vulnerability
Web server attack Scan to find open ports Find out what’s running on open ports (banner grabbing) Profile the server ◦ Windows (look for Kerberos, NetBIOS, AD) ◦ Unix ◦ Use TCP fingerprinting Probe for weaknesses on interesting ports ◦ Default configuration files and settings (e.g. popular IIS ones) ◦ Buffer overflows ◦ Insecure applications Launch attack ◦ Use exploit code from Internet… ◦ …or build your own
Scanning… What O/S is this system?
Scanning… What O/S is this system?
Example Web Application Web server Web app Web app Web app Web app transport DB DB App server (optional) Web client: IE, Mozilla, etc. HTTP reply (HTML, JavaScript, VBScript, etc.) HTTP request Clear- text or SSL • Apache • IIS • Netscape • etc. •J2EE server • ColdFusion • Oracle 9iAS • etc. • Perl • C++ • CGI • Java • ASP • PHP • etc. • ADO • ODBC • JDBC • etc. • Oracle • SQL Server • etc. Internet DMZ Protected network Internal network • AJP • IIOP • T9 • etc.
OWASP Top 10 Web Application Security Vulnerabilities 1. Unvalidated parameters 2. Broken access control 3. Broken account/session management 4. Cross-site scripting flaws 5. Buffer overflows 6. Command injection flaws 7. Error handling problems 8. Insecure use of cryptography 9. Remote administration flaws 10. Web and app server mis-configuration http://www.owasp.org
#1: Unvalidated Parameters Attacker can easily change any part of the HTTP request before submitting ◦ URL ◦ Cookies ◦ Form fields ◦ Hidden fields ◦ Headers Encoding is not encrypting ◦ Toasted Spam: http://www.toastedspam.com/decode64 Input must be validated on the server (not just the client). ◦ CoolCarts: http://www.extremelasers.com Countermeasures ◦ Tainting (Perl) ◦ Code reviews (check variable against list of allowed values, not vice-versa) ◦ Application firewalls ◦ CodeSeeker: http://www.owasp.org/codeseeker/ ◦ Real-time auditing: http://www.covelight.com
#2: Broken Access Control Usually inconsistently defined/applied Examples ◦ Forced browsing past access control checks ◦ Path traversal ◦ File permissions – may allow access to config/password files ◦ Client-side caching Countermeasures ◦ Use non-programmatic controls ◦ Verify access control via central container ◦ Code reviews
#3: Broken Account and Session Management Weak authentication ◦ Password-only ◦ Easily guessable usernames (admin, etc.) ◦ Unencrypted secrets are sniffable How to break in ◦ Guess/reset password ◦ Have app email you new password ◦ Sniff or crack password Backend authentication ◦ How are database passwords stored? ◦ Trust relationships between hosts (IP address can be spoofed, etc.) Countermeasures ◦ Strong passwords ◦ Remove default user names ◦ Protect sensitive files
#4: Cross-Site Scripting (XSS) Attacker uses trusted application/company to reflect malicious code to end-user Attacker can “hide” the malicious code ◦ Unicode encoding 2 types of attacks ◦ Stored ◦ Reflected Wide-spread problem! Countermeasures ◦ input validation ◦ Positive ◦ Negative: “< > ( ) # &” ◦ Don’t forget these: “&lt &gt &#40 &#41 &#35 &#38” ◦ User/customer education
#5: Buffer Overflows Mostly affects web/app servers Can affect apps/libraries too Goal: crash the target app and get a shell Buffer overflow example ◦ echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25 ◦ Replace all those “a”s with something like this… ◦ char shellcode[] = “xebxlfx5ex89x76x08…” Countermeasures ◦ Keep up with bug reports/patches ◦ Code reviews ◦ Run with limited privileges ◦ Use “safer” languages like Java
#6: Command Injection Allows attacker to relay malicious code in form variables or URL ◦ System commands ◦ SQL ◦ Interpreted code (Perl, Python, etc.) Many apps use calls to external programs ◦ sendmail Examples ◦ Path traversal: “../” ◦ Add more commands: “; rm –r *” ◦ SQL injection: “’ OR 1=1” Countermeasures ◦ Taint all input ◦ Avoid system calls (use libraries instead) ◦ Run with limited privileges
#7: Error Handling Examples: stack traces, DB dumps Helps attacker know how to target the app Inconsistencies can be revealing too ◦ “File not found” vs. “Access denied” Fail-open errors Need to give enough info to user w/o giving too much info to attacker Countermeasures ◦ Code review ◦ Modify default error pages (404, 401, etc.)
Error messages example
#8: Poor Cryptography Insecure storage of credit cards, passwords, etc. Poor choice of algorithm (or invent your own) Poor randomness ◦ Session IDs ◦ Tokens ◦ Cookies Improper storage in memory Countermeasures ◦ Store only what you must ◦ Store a hash instead of the full value (SHA-1) ◦ Use only vetted, public cryptography
#9: Remote Administration Flaws Problems ◦ Weak authentication (username=“admin”) ◦ Weak encryption Countermeasures ◦ Don’t place admin interface on same server ◦ Use strong authentication: certificates, tokens, strong passwords, etc. ◦ Encrypt entire session (VPN or SSL) ◦ Control who has accounts ◦ IP restrictions
#10: Web/App Server Misconfiguration Tension between “work out of the box” and “use only what you need” Developers ≠ web masters Examples ◦ Unpatched security flaws (BID example) ◦ Misconfigurations that allow directory traversal ◦ Administrative services accessible ◦ Default accounts/passwords Countermeasures ◦ Create and use hardening guides ◦ Turn off all unused services ◦ Set up and audit roles, permissions, and accounts ◦ Set up logging and alerts
Principles Turn off un-needed services Keep systems patched Don’t trust input Watch for logic holes Only provide the necessary information Hide sensitive information ◦ Encryption ◦ Access controls
Tools used in this preso WebGoat –vulnerable web applications for demonstration VMWare – runs Linux & Windows 2000 virtual machines on demo laptop. nmap –host/port scanning to find vulnerable hosts Ethereal – network traffic sniffing Metasploit Framework – exploit tool Brutus – password cracking Sleuth – HTTP mangling against web sites

Recommended

2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101Niall Merrigan
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Rails Security
Rails SecurityRails Security
Rails SecurityWen-Tien Chang
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 

Recommended

2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101Niall Merrigan
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Rails Security
Rails SecurityRails Security
Rails SecurityWen-Tien Chang
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014ColdFusionConference
 
AOEconf17: Application Security
AOEconf17: Application SecurityAOEconf17: Application Security
AOEconf17: Application SecurityAOE
 
AOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOE
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Drupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersDrupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersArunkumar Kupppuswamy
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITYTubagus Rizky Dharmawan
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASPGrupo Gesfor I+D+i
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web security 101
Web security 101Web security 101
Web security 101Kristaps Kūlis
 
Websec
WebsecWebsec
WebsecKristaps Kūlis
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

More Related Content

Similar to Web Security

Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
AOEconf17: Application Security
AOEconf17: Application SecurityAOEconf17: Application Security
AOEconf17: Application SecurityAOE
 
AOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOE
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Drupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersDrupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersArunkumar Kupppuswamy
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 

Similar to Web Security (20)

Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
AOEconf17: Application Security
AOEconf17: Application SecurityAOEconf17: Application Security
AOEconf17: Application Security
 
AOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian Ike
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Drupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersDrupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and Coders
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Web security 101
Web security 101Web security 101
Web security 101
 
Websec
WebsecWebsec
Websec
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Web Security

  • 2. The goal of an attack Steal data Blackmail Beachhead for other attacks Bragging rights Vandalism Demonstrate vulnerability/satisfy curiosity Damage company reputation
  • 3. A word of warning These tools and techniques can be dangerous The difference between a hacker and a cracker is…permission Admins will see strange activity in logs, and come looking for you Authorities are prosecuting even the “good guys” for using these tools
  • 4. Commonly attacked services SMTP servers (port 25) ◦ sendmail: “The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application” RPC servers (port 111 & others) NetBIOS shares (ports 135, 139, 445) ◦ Blaster worm ◦ Sasser worm FTP servers (ports 20, 21) ◦ wuftpd vulnerabilities SSH servers (port 22) ◦ OpenSSH, PAM vulnerabilities Web servers (ports 80, 443) ◦ Apache chunked encoding vulnerability
  • 5. Web server attack Scan to find open ports Find out what’s running on open ports (banner grabbing) Profile the server ◦ Windows (look for Kerberos, NetBIOS, AD) ◦ Unix ◦ Use TCP fingerprinting Probe for weaknesses on interesting ports ◦ Default configuration files and settings (e.g. popular IIS ones) ◦ Buffer overflows ◦ Insecure applications Launch attack ◦ Use exploit code from Internet… ◦ …or build your own
  • 6. Scanning… What O/S is this system?
  • 7. Scanning… What O/S is this system?
  • 8. Example Web Application Web server Web app Web app Web app Web app transport DB DB App server (optional) Web client: IE, Mozilla, etc. HTTP reply (HTML, JavaScript, VBScript, etc.) HTTP request Clear- text or SSL • Apache • IIS • Netscape • etc. •J2EE server • ColdFusion • Oracle 9iAS • etc. • Perl • C++ • CGI • Java • ASP • PHP • etc. • ADO • ODBC • JDBC • etc. • Oracle • SQL Server • etc. Internet DMZ Protected network Internal network • AJP • IIOP • T9 • etc.
  • 9. OWASP Top 10 Web Application Security Vulnerabilities 1. Unvalidated parameters 2. Broken access control 3. Broken account/session management 4. Cross-site scripting flaws 5. Buffer overflows 6. Command injection flaws 7. Error handling problems 8. Insecure use of cryptography 9. Remote administration flaws 10. Web and app server mis-configuration http://www.owasp.org
  • 10. #1: Unvalidated Parameters Attacker can easily change any part of the HTTP request before submitting ◦ URL ◦ Cookies ◦ Form fields ◦ Hidden fields ◦ Headers Encoding is not encrypting ◦ Toasted Spam: http://www.toastedspam.com/decode64 Input must be validated on the server (not just the client). ◦ CoolCarts: http://www.extremelasers.com Countermeasures ◦ Tainting (Perl) ◦ Code reviews (check variable against list of allowed values, not vice-versa) ◦ Application firewalls ◦ CodeSeeker: http://www.owasp.org/codeseeker/ ◦ Real-time auditing: http://www.covelight.com
  • 11. #2: Broken Access Control Usually inconsistently defined/applied Examples ◦ Forced browsing past access control checks ◦ Path traversal ◦ File permissions – may allow access to config/password files ◦ Client-side caching Countermeasures ◦ Use non-programmatic controls ◦ Verify access control via central container ◦ Code reviews
  • 12. #3: Broken Account and Session Management Weak authentication ◦ Password-only ◦ Easily guessable usernames (admin, etc.) ◦ Unencrypted secrets are sniffable How to break in ◦ Guess/reset password ◦ Have app email you new password ◦ Sniff or crack password Backend authentication ◦ How are database passwords stored? ◦ Trust relationships between hosts (IP address can be spoofed, etc.) Countermeasures ◦ Strong passwords ◦ Remove default user names ◦ Protect sensitive files
  • 13. #4: Cross-Site Scripting (XSS) Attacker uses trusted application/company to reflect malicious code to end-user Attacker can “hide” the malicious code ◦ Unicode encoding 2 types of attacks ◦ Stored ◦ Reflected Wide-spread problem! Countermeasures ◦ input validation ◦ Positive ◦ Negative: “< > ( ) # &” ◦ Don’t forget these: “&lt &gt &#40 &#41 &#35 &#38” ◦ User/customer education
  • 14. #5: Buffer Overflows Mostly affects web/app servers Can affect apps/libraries too Goal: crash the target app and get a shell Buffer overflow example ◦ echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25 ◦ Replace all those “a”s with something like this… ◦ char shellcode[] = “xebxlfx5ex89x76x08…” Countermeasures ◦ Keep up with bug reports/patches ◦ Code reviews ◦ Run with limited privileges ◦ Use “safer” languages like Java
  • 15. #6: Command Injection Allows attacker to relay malicious code in form variables or URL ◦ System commands ◦ SQL ◦ Interpreted code (Perl, Python, etc.) Many apps use calls to external programs ◦ sendmail Examples ◦ Path traversal: “../” ◦ Add more commands: “; rm –r *” ◦ SQL injection: “’ OR 1=1” Countermeasures ◦ Taint all input ◦ Avoid system calls (use libraries instead) ◦ Run with limited privileges
  • 16. #7: Error Handling Examples: stack traces, DB dumps Helps attacker know how to target the app Inconsistencies can be revealing too ◦ “File not found” vs. “Access denied” Fail-open errors Need to give enough info to user w/o giving too much info to attacker Countermeasures ◦ Code review ◦ Modify default error pages (404, 401, etc.)
  • 18. #8: Poor Cryptography Insecure storage of credit cards, passwords, etc. Poor choice of algorithm (or invent your own) Poor randomness ◦ Session IDs ◦ Tokens ◦ Cookies Improper storage in memory Countermeasures ◦ Store only what you must ◦ Store a hash instead of the full value (SHA-1) ◦ Use only vetted, public cryptography
  • 19. #9: Remote Administration Flaws Problems ◦ Weak authentication (username=“admin”) ◦ Weak encryption Countermeasures ◦ Don’t place admin interface on same server ◦ Use strong authentication: certificates, tokens, strong passwords, etc. ◦ Encrypt entire session (VPN or SSL) ◦ Control who has accounts ◦ IP restrictions
  • 20. #10: Web/App Server Misconfiguration Tension between “work out of the box” and “use only what you need” Developers ≠ web masters Examples ◦ Unpatched security flaws (BID example) ◦ Misconfigurations that allow directory traversal ◦ Administrative services accessible ◦ Default accounts/passwords Countermeasures ◦ Create and use hardening guides ◦ Turn off all unused services ◦ Set up and audit roles, permissions, and accounts ◦ Set up logging and alerts
  • 21. Principles Turn off un-needed services Keep systems patched Don’t trust input Watch for logic holes Only provide the necessary information Hide sensitive information ◦ Encryption ◦ Access controls
  • 22. Tools used in this preso WebGoat –vulnerable web applications for demonstration VMWare – runs Linux & Windows 2000 virtual machines on demo laptop. nmap –host/port scanning to find vulnerable hosts Ethereal – network traffic sniffing Metasploit Framework – exploit tool Brutus – password cracking Sleuth – HTTP mangling against web sites