Snapshot - Recent Data Breach Survey
Chart: Techniques used behind Data Breaches (as per the 2017 Data Breach Investigations Report)
Snapshot - Recent Data Breach Survey (contd.)
Charts: Varieties of Compromised Data; Techniques used in Web Hacking (as per the 2017 Data Breach Investigations Report)
Agenda
1 Evolution of Web
2 Why Application Security is Important?
3 Application Security Standard - OWASP
4 Demo
5 Current State @ VMware
6 Top 10 Secure Coding Guidelines
7 Continuous Security - The VMware initiative
8 Key Takeaways
Objectives
• Build Security Awareness for Web Applications
• Secure Web Application Development Techniques
• Learn how to Discover Vulnerabilities in Web Applications
• Enablers available at VMware for Secure Web Application Development
Motivation Behind the Attacks
• Financial Gain
• Reputation Damage
• IP Damage
• Script Kiddies trying out their luck
• Data Theft
* As per Data Breach Report 2016 published by Verizon

79,790 Security incidents
2,111 Confirmed Data Breaches
99% of the exploited vulnerabilities were compromised more than a year after the CVE was published
* According to 2015 Verizon Data Breach Report
Application Security – Need of the hour
Application threats are increasing in sophistication, adaptability and evasion. New variants of threats are being detected on a daily basis. Organizations that need to deal with these threats have to build a program of continuous content development around Advanced Threats.
The key to success is the ability of organizations to detect, react, repel and limit the damage caused by threats in a timely manner.
Why Application Security is important?
• CUSTOMER IMPACT: Reduced Customer Satisfaction
• MITIGATION COST: Multiple stakeholders are involved; significant increase in mitigation costs
• REPUTATION DAMAGE: May undermine the relationship with key stakeholders and clients
• COMPLIANCE: Non-compliance with security and privacy laws and the Company's information security policies
Key Attack Surface in a Web Application
• Financial Gain
• Database Access
• Access to other user information
• Unauthorized access and modification to Configurations
• Bypass Access
• Escalate Privilege
• Injection Attacks
• DoS by Bot Attacks
OWASP Top Ten – 2017 (Open Web Application Security Project)
01 Injection: Injection flaws, such as SQL injection, LDAP injection, XML injection, OS command injection and XPath injection.
02 Broken Authentication & Session Management: Insecurity in authentication and session management compromises passwords, keys, session tokens, etc.
03 Cross Site Scripting: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
04 Broken Access Control: Restrictions on what authenticated users are allowed to do are not properly enforced.
05 Security Misconfiguration: A secure configuration must be defined and deployed for the application, frameworks, application server and web server.
06 Sensitive Data Exposure: Protect sensitive data, such as credit cards, tax IDs, and authentication credentials.
07 Insufficient Attack Protection: Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts.
08 Cross Site Request Forgery: Forces a logged-on victim's browser to send a forged HTTP request, including the session cookie and any authentication information, to a vulnerable web application.
09 Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges.
10 Underprotected APIs: Modern applications often involve rich client applications and APIs that connect to an API of some kind. These APIs are often unprotected and contain numerous vulnerabilities.
OWASP Top Ten – 01 Injection (SQL Injection)
• The most famous attack on applications
• Allows attacker to manipulate the business logic
• Allows attacker to control the database through the application
  – By manipulating SQL queries constructed by the application
SQL Injection Impact
• Authentication bypass
• Impersonate other user
• Unauthorized modification to the DB
• Unauthorized access to sensitive information
• Privilege escalation
• Can shut down DB
OWASP Top Ten – 01 Injection (SQL Injection)
Phonebook Record Manager (login form with Username and Password fields and Submit, Delete, Display buttons)
Username entered: John' OR 1=1 --
Password entered: not needed
Resulting query:
SELECT * FROM phonebook WHERE username = 'John' OR 1=1 --AND password = 'not needed'
Successful login and all phonebook entries are displayed
OWASP Top Ten – 01 Injection (SQL Injection)
Few examples of Dangerous Injected SQL Query
Attacker creates a Windows Account:
SELECT * FROM Users WHERE login='';exec master..xp_cmdshell 'net users username password /add';--' and password=''
And then adds himself as an administrator:
SELECT * FROM Users WHERE login='';exec master..xp_cmdshell 'net localgroup Administrators username /add';--' and password=''
Attacker can even shut down the database if it is running with the "sa" account:
SELECT * FROM Users WHERE login='';shutdown;--' and password=''
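The phonebook login above, reproduced as an added example (not code from the deck) so the difference between string-built and parameterised SQL can be run: the table, rows and column names are constructed for illustration, and the payload is the one on the slide.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the slide's "Phonebook Record Manager".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (username TEXT, password TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO phonebook VALUES (?, ?, ?)",
        [("John", "s3cret", "555-0100"), ("Alice", "hunter2", "555-0101")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: the quote in the input closes the literal, OR 1=1
    # makes the WHERE clause true for every row, and "--" comments out the
    # password check. This is the query shape shown on the slide.
    sql = ("SELECT * FROM phonebook WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # statement text, so the input is only ever compared as data.
    sql = "SELECT * FROM phonebook WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    # Row counts returned for the slide's payload and for a genuine login.
    conn = make_db()
    payload = "John' OR 1=1 --"
    return {
        "vulnerable": len(login_vulnerable(conn, payload, "not needed")),
        "safe": len(login_safe(conn, payload, "not needed")),
        "legit": len(login_safe(conn, "John", "s3cret")),
    }
```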
OWASP Top Ten – 03 Cross Site Scripting (XSS)
What it is?
• Well known and notorious attack
• Makes use of client side JavaScript for carrying out attacks
• Due to lack of validation of user inputs
• Injecting JavaScript in the user input (GET or POST)
• Exploits the trust of a particular user
• Persistent and non-persistent XSS attacks
XSS attacks could lead to:
- Stealing sensitive information from the browser, such as the session cookie, which can be used to hijack the session
- Redirection to other external sites
- Web site defacing: changing the look and function of the site
- Elevated access privileges
- Injection of JavaScript viruses or worms
- Capturing key strokes
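Added example, not from the deck: the two server-side defences the slide and its speaker notes point at, output encoding for the HTML body context and a Content-Security-Policy header as a second layer. The comment text, page fragment and policy values are constructed for illustration.

```python
import html

# Constructed sample of a stored comment carrying a script (not from the deck).
UNTRUSTED_COMMENT = '<script>alert(document.cookie)</script>'


def render_comment_vulnerable(comment):
    # Reflects the raw input into the page: the browser parses and runs it.
    return "<div class='comment'>" + comment + "</div>"


def render_comment_safe(comment):
    # Entity-encode for the HTML body context, so the markup is displayed
    # as text instead of being parsed. Other contexts (attributes, URLs,
    # JavaScript) need their own encoders; this one covers element content.
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


def csp_header():
    # Content-Security-Policy as defence in depth: only same-origin script
    # files may run, so an injected inline <script> is refused by the browser
    # even if an encoding step is missed somewhere in the application.
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


def contains_active_script(fragment):
    # Detection helper for review or tests: is a live <script> tag present?
    return "<script" in fragment.lower()
```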
OWASP Top Ten – 04 Authorization Issue
https://www.onlinebank.com/user?acct=6065
1. Attacker notices his acct parameter is 6065 (?acct=6065)
2. He modifies it to a nearby number (?acct=6066)
3. Attacker views the victim's account information
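The acct parameter flaw above as an added example (not code from the deck): the account numbers are the slide's, while the session table, owners and balances are constructed. It contrasts a handler that only authenticates with one that also checks object-level ownership.

```python
# Constructed account store and session table standing in for onlinebank.com.
ACCOUNTS = {
    6065: {"owner": "attacker", "balance": 120.00},
    6066: {"owner": "victim", "balance": 98000.00},
}
SESSIONS = {"sess-a1": "attacker", "sess-v1": "victim"}


class Forbidden(Exception):
    pass


def current_user(session_id):
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    return user


def get_account_vulnerable(session_id, acct):
    # Authenticates the caller but trusts the acct parameter from the URL:
    # any logged-in user can read any account by changing the number.
    current_user(session_id)
    return ACCOUNTS[acct]


def get_account_safe(session_id, acct):
    # Object-level authorization: release the record only if the
    # authenticated user owns it. Unknown and foreign ids get the same
    # answer so the response does not reveal which numbers exist.
    user = current_user(session_id)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != user:
        raise Forbidden("account not accessible")
    return record


def can_read(session_id, acct):
    # True if the hardened handler releases the record to this session.
    try:
        get_account_safe(session_id, acct)
        return True
    except Forbidden:
        return False
```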
OWASP Top Ten – 05 Security Misconfiguration
• Unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)
• Default accounts and their passwords still enabled
• Error pages reveal stack traces or other overly informative error messages to users
• Security settings in development frameworks (e.g., Struts, Spring, ASP.NET) and libraries are not set to secure values
Attacking Application Business Logic - Developer Assumption
WHAT? Users would always access the stages in the intended sequence.
WHY? Because this was the order in which the stages are delivered to the user by the navigational links and forms presented to the user's browser.
HENCE? Any user who completed the ordering process must have submitted satisfactory payment details along the way.
Attacking Application Business Logic - Security Flaw
Forced browsing: access multistage functions out of sequence
How will the application behave?
− Error Message?
− Debug Output?
− Insecure state?
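Added example for the two business-logic slides above (not code from the deck): a server-side checkout that records which stages it has actually seen succeed, so a client that jumps straight to the confirmation URL is refused with a generic error rather than an insecure state or debug output. Stage names and the payment reference are constructed assumptions.

```python
# Stages of the constructed multistage ordering process, in intended order.
STAGES = ["cart", "address", "payment", "confirm"]


class OutOfSequence(Exception):
    pass


class Checkout:
    def __init__(self):
        self.completed = set()   # stages the server itself has seen succeed
        self.items = []
        self.payment_ref = None

    def _require(self, *stages):
        # Fail closed with a generic message: no stack trace, no partial order.
        missing = [s for s in stages if s not in self.completed]
        if missing:
            raise OutOfSequence("complete earlier stages first")

    def cart(self, items):
        if not items:
            raise ValueError("empty cart")
        self.items = list(items)
        self.completed.add("cart")

    def address(self, addr):
        self._require("cart")
        self.addr = addr
        self.completed.add("address")

    def payment(self, card_ok):
        self._require("cart", "address")
        if not card_ok:
            raise ValueError("payment declined")
        self.payment_ref = "pay-constructed-0001"   # assumed reference format
        self.completed.add("payment")

    def confirm(self):
        # The order is placed only if the server recorded a payment; the
        # navigation order shown to the browser is never trusted.
        self._require("cart", "address", "payment")
        return {"items": self.items, "paid": self.payment_ref}


def forced_browse_result(skip_payment):
    # "placed" or "rejected" for a client that goes straight to confirm.
    c = Checkout()
    c.cart(["widget"])
    c.address("1 Example St")
    if not skip_payment:
        c.payment(card_ok=True)
    try:
        return "placed" if c.confirm()["paid"] else "rejected"
    except OutOfSequence:
        return "rejected"
```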
Vulnerabilities Observed - Web Applications
…our team conducted an assessment of Web Applications and found the following vulnerabilities
Vulnerability categories: Authentication & Authorization; Insecure Configuration; Session Management; Injection Attacks & Data Validation
• Caching of sensitive information in temporary folders
• Disclosure of sensitive information in URL
• Password in browser memory
• Vulnerable to CSRF injection
• Vulnerable to clickjacking attack
• Can upload any malicious file
• High session timeout value
• Insecure logout implementation
• Unauthorized access to application using back button
• Session doesn't close on browser closure
• Insecure HTTP methods are enabled
• Disclosure of Product & version
• Account lockout is not enforced
• Weak password policy
• Insecure cookie configuration
Vulnerabilities Observed - Web Applications (contd.)
Admin Panel was exposed to the Internet with default & guessable credentials
Vulnerability: Default and Guessable credentials configured in Admin Portal
Risk: High
Vulnerabilities Observed - Web Applications (contd.)
1. Injected malicious formula which gets stored in DB
2. Export the record in Excel format
3. When opened in Excel, the formula executes. In this case, CALC was invoked
Vulnerability: CSV Injection
Risk: High
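Added example for the CSV injection finding above (not code from the deck): an export routine that neutralises cell values a spreadsheet would otherwise evaluate as formulas, beside the unsafe export and a check that can be run over an existing CSV file. The records and field names are constructed; the formulas used are inert.

```python
import csv
import io

# Characters that make common spreadsheet software treat a cell as a formula.
# Tab and carriage return are included because some importers honour them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return a value the spreadsheet will display as text, not evaluate."""
    if not isinstance(value, str):
        return value          # numbers exported as numbers are not at risk
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value    # leading apostrophe forces a text cell
    return value


def export_records(records, fieldnames, safe=True):
    """Serialise records to CSV. safe=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        row = {k: (neutralise_cell(v) if safe else v) for k, v in rec.items()}
        writer.writerow(row)
    return buf.getvalue()


def column_has_formula(csv_text, column_index):
    """Review check: does any data cell in the column start with a trigger?"""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # skip header
    return any(row[column_index].startswith(FORMULA_TRIGGERS) for row in reader)


# Constructed sample: stored records whose name field carries a formula,
# shaped like the deck's finding but using harmless arithmetic.
SAMPLE_RECORDS = [
    {"id": 1, "name": "=1+1"},
    {"id": 2, "name": "@SUM(1,2)"},
    {"id": 3, "name": "Jane Doe"},
]
```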
Vulnerabilities Observed - Mobile Applications
…our team conducted an assessment of Mobile Applications and found the following vulnerabilities.
Vulnerability categories: Authentication & Authorization; Insecure Configuration; Session Management; Binary Protection and Validation
• Weak authentication mechanism
• Weak authorization validation
• Disclosure of sensitive information in unused temporary files in the package
• Disclosure of sensitive information in temporary folders
• Vulnerable to reverse engineering
• Absence of code signing
• No session timeout value
• Disclosure of sensitive information from device snapshot
• Certificate pinning bypass is possible
• Insecure write permissions
• Disclosure of Product & version
• Weak password policy
• Insecure cookie configuration
• Improper error handling procedures
Vulnerabilities Observed - Mobile Applications (contd.)
Username & password stored using Base64 encoding in titanium.xml (screenshot shows the decoded user name and decoded password)
Vulnerability: Username and password stored in temporary files using weak encoding
Risk: High
Vulnerabilities Observed - Mobile Applications (contd.)
Chart: Types of Vulnerability Observed (Observation Summary of 26 APIs)
Vulnerability: Unauthorized access to other user information because of weak API authentication schema
Risk: High
• Change of user name in URL from "pbc" to "sdeswal" in Coupa request
• Change of user name in URL from "pbc" to "sdeswal" in ServiceNow request
Vulnerabilities Observed - Mobile Applications (contd.)
Database was pushed through the package and unencrypted
Vulnerability: Unencrypted DB having sensitive information
Risk: High
Vulnerabilities Observed - APIs
…our team conducted an assessment of APIs and found the following common vulnerabilities across APIs
Vulnerability categories: Authentication & Authorization; Insecure Configuration; Session Management; Injection Attacks & Data Validation
• Missing authentication parameters
• Authentication token in URL parameter
• Improper authorization
• Vulnerable to SQL injection
• Vulnerable to XSS attack
• Vulnerable to replay attack
• Absence of parameter validation
• Improper error handling
• High token timeout value
• Insecure cookie configuration
• Disclosure of Product & version
• Account lockout is not enforced
• Weak password policy
Top 10 Secure Coding Guidelines
• Validate input at the server side
• Default deny
• Sanitize data sent to other systems
• Practise defense in depth
• Don't hardcode credentials
• Secure the weakest link
• Securely manage users, sessions and permissions
• Protect data and privacy
• Leverage security features of frameworks and security libraries
• Design and architect security in every possible functionality
What is Continuous Security?
"Continuous Security is a set of security processes and tools that integrates into our Continuous Delivery / DevOps model, which will enable early detection and remediation of security vulnerabilities."
1 Embeds security in Continuous Integration development processes
2 Drives and develops security culture in our APIs, Web and Mobile applications
3 Reduces time and effort in identifying and fixing vulnerabilities
4 In-house management of vulnerabilities, from identification to remediation
5 Drives secure coding practices among developers
Continuous Security – The Journey so far and Key Enablement for Team
TECHNOLOGY ENABLEMENT
• vRCS Framework integrating all the tools at various phases of Continuous Development
• Jenkins jobs to invoke Security Testing and Static Code Analysis using Fortify
• Automated script for conducting Security Testing
• Automated script for conducting Static Code Analysis using Fortify
• Dedicated VM for Security Testing tools and Automation Framework
STANDARDS & GUIDELINES ENABLEMENT
• Continuous Security Standard for Developers and QA
• Threat Profile
• Security Test Cases
• Security Testing Clearance Criteria
• Risk Assessment Questionnaire
• Security Roles and Responsibilities
DEVELOPERS & TESTERS ENABLEMENT
• Fortify installation and usage guidelines
• Fortify plugin integration with Developer IDE for early detection of vulnerabilities by Developers
• Custom filter sets for false positive reduction in Fortify assessment
• Defect logging to track and close vulnerabilities from SCA, Automated Security Testing and manual Security Testing
• Plug-N-Play Security Automation Framework for Dev & QA folks
Key Takeaways
Defenders need to think like attackers, then help implement systems that defend against them.
Hackers need not always bring down web applications, deface sites, or steal credit card details and credentials.
Security loopholes, however small they may seem, can be leveraged to orchestrate large attacks and cause damage.
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." – Gene Spafford
"Every program has at least 2 purposes: the one for which it was written and another for which it wasn't." – A J Perlis
Understanding the security risks associated with a web application is of critical importance to improving the security of the Web presence of an Organization.
Continuous Security – Operationalization
Pipeline stages: Requirements, Design & Develop, Commit, Build, Test, Deploy
Pilot Projects
1. vCenter Licensing APIs
2. IAM Migration
Activities and status (the original slide uses a colour legend to distinguish the two pilot projects):
• Complete Risk Assessment Questionnaire - Completed
• Develop Threat Profile - Completed
• Develop Security Test Cases - Completed
• Installation of Fortify Plugin in Developer's IDE - Completed
• Perform Static Code Analysis using Fortify IDE – Completed
• Perform OnDemandScan for SCA - Completed
• Create vRCS Pipeline - Not Planned
• Generate Build - Completed
• Trigger Jenkins job for Fortify Scan – Completed
• Review Fortify report for False Positives – Completed
• Invoke Jenkins job to trigger Automated Security Testing – Completed
• Perform Manual Testing on API – Planned
• Perform Automated SCA - Completed
• Log Security issues in Jira – Planned
• Closure of all the Security issues – Completed, Completed
• Completion of action items identified in Risk Assessment – Completed
Results – vCenter Licensing APIs
• Issues Reported by Fortify: 60
• Key Security Vulnerabilities identified after False positive analysis: 20
• Vulnerabilities Fixed: 20
Results – IAM Migration
• Issues Reported by API Automated Scanner: 02
• Vulnerabilities Fixed: 02
Editor's Notes
#24 SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
#28 The key players are the browser and external sources.
Modern browsers have inbuilt XSS protection, but it can be considered only as icing on the cake.
External sources: user inputs, be it in the comments section, search fields, query strings or form inputs.
Defense: application response headers, Content Security Policy (script-src … img-src).
Diagram labels: Server, Client
#30 Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn't authorized for.