Web Application Scanning 101

This presentation by Mike Shema of Qualys covers the basics of Web Application Security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as cross-site scripting (XSS) attacks, SQL injection, directory traversals, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective actions to minimize risks.


  1. Web Security 101
     • An overview of some common application exploits
     • Mike Shema, Security Research Engineer, Qualys Inc.
  2. Web Security
     • Web application (in)security continues to grow
       - Web-related vulnerabilities pop up on Bugtraq daily (http://www.securityfocus.com/bid/)
       - Web-related attacks are large and expensive to investigate, react to, and resolve
       - Web security became a requirement of PCI in 2008
     • XSS remains a significant problem
       - Original CERT advisory, February 2000 (http://www.cert.org/advisories/CA-2000-02.html)
       - USENET references to “malicious html” and “malicious javascript” as far back as 1996
       - comp.security.unix post, March 1996: http://tinyurl.com/2s593m
       - Entertaining discussion of JavaScript: http://tinyurl.com/2g2476
  3. Web Security
     • Reported web server vulnerabilities have decreased
       - IIS 6.0, released April 2003: MS06-034 (specially-crafted ASP file could cause buffer overflow); no resurgence of Code Red or Nimda style vulnerabilities
       - Apache 2.0.45 (March 2003) to Apache 2.0.63 (January 2008): 40 security bugs according to the changelog, 24 specific to core or mod_ssl
       - Apache 2.2.0 (November 2005) to Apache 2.2.8 (January 2008): 13 security bugs according to the changelog, 2 specific to core or mod_ssl
     • And the number of servers continues to grow significantly
     • [Chart: Active Sites According to Netcraft, Apache vs. IIS, May-03 to Apr-08, y-axis 0 to 35,000,000]
  4. Leave the Buffer Overflows at Home
     • Exploiting most web vulnerabilities has a very low barrier to entry
     • Low sophistication attacks can still lead to high impact exploits
     • More codified lists are defined in the OWASP Top 10 and the WASC Threat Classification
  5. Threats Evolve
     • Financial motivation
     • Infect rather than deface
     • Increased potential for targeted attacks
     • Exploit the trust between the server and browser
  6. Attacks Adapt
     • Bring the exploit to the victim rather than bring the victim to the exploit
     • “Web 2.0”: more business logic and capabilities moved to the web browser
     • Social networking as an enabler for non-technical attacks
     • Insert malicious content into a web page; target the web browser
  7. Persistent Browser Problems
     • Assumption of trust in HTML and JavaScript (no “signed” content)
     • No separation of UI generation and data manipulation
     • Few restrictions on pulling together inter-domain content; no “trusted peers” for a domain
  8. What do these attacks look like?
     • Review some examples to see where vulnerabilities exist and how they are exploited
  9. The Usual Suspects: SQL Injection
     • One of the easiest vulnerabilities to prevent
     • Occurs when users can alter the actual query, for example SQL queries built with string concatenation, or even raw SQL queries in a URL parameter
  10. Recent Examples: Hacking & Happiness
     • One password to rule them all
     • Poor separation of duties
     • Lack of rate limiting
     • http://tinyurl.com/9f7ata
  11. Recent Examples: Session Fixation & Stock Inflation
     • Buy stocks using someone else’s account
  12. Recent Examples (continued)
     • Victim receives an e-mail with a legitimate link to the trading site: https://site/login.cgi?sid=655321 (Session ID = 655321)
     • Request/response timeline:
       x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO
       server     <-- Unauthenticated; redirect to /login.cgi
       x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO
       server     <-- Unauthenticated; redirect to /login.cgi
       x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO
       server     <-- Unauthenticated; redirect to /login.cgi
       a.b.101.92 --> /login.cgi?sid=655321
       server     <-- Authenticated; redirect to /welcome.cgi?sid=655321
       x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO
       server     <-- Authenticated; trade executed
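The timeline on slide 12 replayed against a small model of the trading site, as an added example that is not part of the original slides. It shows why a login handler that promotes the sid the browser arrived with enables session fixation, and the standard mitigation of issuing a fresh session ID on successful authentication. The class, the IP labels, the credential and the sid value are all constructed for the illustration.

```python
# Added example (not from the slides): a minimal model of the trading-site
# session flow on slide 12. It shows why promoting a caller-supplied sid at
# login enables session fixation, and the usual fix: issue a fresh session ID
# on successful authentication. All names, IPs and credentials are constructed.
import secrets

class TradingSite:
    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> authenticated user name

    def login(self, sid: str, user: str, password: str) -> str:
        """Handle /login.cgi; return the sid the browser should use afterwards."""
        if password != "correct horse":  # constructed credential check
            return sid
        if self.regenerate_on_login:
            # Hardened: never authenticate a sid the client arrived with; mint a
            # new one and make sure the pre-authentication sid stays unusable.
            self.sessions.pop(sid, None)
            sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def trade(self, sid: str, shares: int, stock: str) -> str:
        """Handle /trade.cgi."""
        user = self.sessions.get(sid)
        if user is None:
            return "Redirect to /login.cgi"
        return f"Trade executed for {user}: {shares} {stock}"

def replay_slide_12(regenerate_on_login: bool) -> list:
    """Replay the request sequence from slide 12 and return the responses."""
    site = TradingSite(regenerate_on_login)
    planted_sid = "655321"  # sid chosen by x.y.72.13 and placed in the e-mailed link
    responses = []
    # x.y.72.13 polls /trade.cgi with the planted sid before the victim logs in.
    responses.append(site.trade(planted_sid, 1000, "FOO"))
    # a.b.101.92 (the victim) follows the link and authenticates with that sid.
    victim_sid = site.login(planted_sid, "victim", "correct horse")
    responses.append(f"Redirect to /welcome.cgi?sid={victim_sid}")
    # x.y.72.13 retries /trade.cgi with the sid it planted.
    responses.append(site.trade(planted_sid, 1000, "FOO"))
    return responses
```

With `regenerate_on_login=False` the last response is the executed trade from the slide; with `True` the planted sid never becomes authenticated and the retry is redirected to /login.cgi again.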
  13. Recent Examples: Inspection & Infiltration
     • Abusing server-side scripts
     • http://tinyurl.com/d6ymuc
  14. Recent Examples (continued)
     • ../lists/admin/index.php?_SERVER[ConfigFile]=../../php.ini
     • Viewing arbitrary files on the web server for sensitive content
     • A confluence of programming error, misconfiguration, and lack of host hardening
  15. Wildly Different Vulnerabilities
     • Programming errors
     • Session fixation
     • Cross-site request forgery
     • Lack of input validation
     • Insecure environment
  16. Where Are The Worms?
     • Attacks like Nimda, Code Red or SQL Slammer haven’t been repeated in a while
     • Exploit preferences seem to fall to the lowest common denominator
  17. Manual & Automated Testing
     • Complementary approaches
     • What matters most for your environment? Cost, scalability, repeatability, comprehensiveness, accuracy
     • What to expect from each approach?
  18. Automated Testing
     • Ideal for large-scale or repetitive scans
     • Primarily focuses on syntax problems, misconfigurations, and known issues
     • Several challenges to determining a good scanner: crawling & site coverage; authentication & session management; comprehensiveness & accuracy
  19. Manual Testing
     • Ideal for in-depth security review
     • Biggest advantage over automated testing is the ability to understand the application’s business logic
     • Typically relies on some form of automated testing
  20. Proactive Countermeasures
     • Prevent the initial compromise in order to minimize the potential for the application to be used as a distribution point for malicious content
     • Web application hardening
     • Prevent unexpected HTML injection
       - Identify areas where user-generated content is permitted
       - Pre-inspect content
       - Quarantine content
     • Continuous site monitoring
  21. Development Quick Reference
     • Don’t store raw passwords; store the salted hash
     • Don’t use string concatenation when building SQL queries; use parameterized queries
     • HTML encode user-supplied content that is written to a web page
     • Normalize input: work with an expected character set & encoding; decode multi-level URL encoding
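The slide 21 checklist as working code, added here as an example that is not part of the original presentation. It shows the string-concatenated query from slide 9 beside its parameterized form, salted password hashing, multi-level URL decoding with a bound on the number of rounds, and HTML encoding before output; the `users` table, the query and all inputs are constructed for the illustration.

```python
# Added example (not from the slides): the slide 21 checklist in code, using only
# the Python standard library. The users table, query and inputs are constructed.
import hashlib
import html
import secrets
import sqlite3
import urllib.parse

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store the salted hash, never the raw password (PBKDF2-HMAC-SHA256)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return secrets.compare_digest(hash_password(password, salt)[1], digest)

def find_user(conn: sqlite3.Connection, username: str, safe: bool) -> list:
    """safe=False builds the query by string concatenation (the slide 9 bug);
    safe=True uses a parameterized query, so the input cannot alter the SQL."""
    if safe:
        cur = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    else:
        cur = conn.execute("SELECT name FROM users WHERE name = '" + username + "'")
    return [row[0] for row in cur.fetchall()]

def normalize_input(value: str, max_rounds: int = 3) -> str:
    """Decode multi-level URL encoding until the value stops changing, then
    check it against the expected character set (printable ASCII here)."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("input still URL-encoded after max_rounds decodes")
    if not value.isascii() or not value.isprintable():
        raise ValueError("unexpected characters in input")
    return value

def render_comment(user_text: str) -> str:
    """Normalize first, then HTML-encode before writing into the page."""
    return "<p>" + html.escape(normalize_input(user_text), quote=True) + "</p>"

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the find_user demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn
```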
  22. Summary
     • The web browser continues to bear more and more functionality that used to be relegated to desktop applications, but the browser security model hasn’t kept pace
     • Attackers are placing more focus on compromising trusted sites rather than luring victims to fake sites
     • Social networking, Web 2.0, and similar concepts place more and more personal data only a browser request away
     • Most reported compromises seem due to lack of input validation (XSS and SQL injection)
  23. Thank you!
  24. Questions: was-info@qualys.com
