TRANSCRIPT
Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications
Ray Lai, Intuit
TS-5358
2008 JavaOneSM Conference | java.sun.com/javaone | 2
Share experience of how to detect and defend against security vulnerabilities in Web 2.0 applications using open source security tools
Agenda
• Detect
• Defend
• Learn
Which is Easier to Hack?
Web 1.0 App, Top 3 Security Vulnerabilities
• Unvalidated input parameters
• Broken access control
• Broken authentication and session management
Web 2.0 App, Top 3 Security Vulnerabilities
• Cross-site scripting
• Injection flaw
• Malicious file execution
Google finds 2M suspicious sites
Note: Single loss expectancy - $690 per incident, Average annual loss $350,424 (CSI 2007)
What’s New About Web 2.0 Security?
OWASP 2007 Top 10 | Web 2.0 exposure (+ to +++++) | Web 2.0 Examples
Cross-site scripting | +++ | Flash: cross-site flashing
Injection flaws | ++++ | AJAX, mash-up
Malicious file execution | +++ |
Insecure direct object reference | + | JavaScript™ Object Notation (JSON)
Cross-site request forgery | +++ | Flash
Information leakage / improper error handling | +++++ | AJAX, JSON
Broken authentication and session management | ++++ | Cross-domain, mash-up
Insecure cryptographic storage | + |
Insecure communications | ++ |
Failure to restrict URL access | ++ |
http://www.owasp.org/index.php/Top_10_2007
Use Case Scenario
Use Open Source / commercial security tools to examine WebGoat (and Roller) from SecuriBench
http://suif.stanford.edu/~livshits/securibench/intro.html
Example #1: Post-Me
Characteristics
• Plain data input screen
• No sensitive personal data
• High usage, high traffic
Scenarios: newsgroup, forum, blogs, etc.
How can I re-direct readers to my malicious website?
Example #1: What’s the Issue?
What happens: Hackers post a message with the malicious URL or parameters:
<IMG SRC="attack?screen=7&menu=410&transferFunds=4000" width="1" height="1" />
Cross-site Request Forgery
Result: when reading the posting, newsgroup readers will invoke a malicious URL without noticing the tiny “1x1 image” (cross-site request forgery)!
Example #2: Online Travel
Scenarios: online travel service, mash-up
Characteristics
• AJAX with JSON
• Financial transactions
• Mash-up, possibly
Can I change the price?
Example #2: What’s the Issue?
What happens: Hackers intercept the JSON, tamper with it, and post it.
JSON Poisoning
{ "From": "Boston", "To": "Seattle", "flights": [ {"stops": "0", "transit" : "N/A", "price": "$0"}, {"stops": "2", "transit" : "Newark,Chicago", "price": "$900"} ] }
Result: hackers pay $0
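The Defensive Coding slide later in the deck lists client-side and server-side input validation plus JavaScript output encoding against JSON poisoning. The following added example in JavaScript (Node.js), not code from the talk, shows the server-side half: the booking handler accepts only a whitelisted schema, so a client message that still carries a `"price"` field (as in the tampered JSON above) is rejected outright, and the amount charged is always recomputed from the server's own catalogue. The `FLIGHTS` table, flight identifiers and request fields are constructed for the demo; `jsonForScript` shows the output-encoding step for JSON that is embedded in an HTML page.

```javascript
// Added example (not from the talk): server-side validation for the flight booking JSON
// on the slide. The catalogue and request schema are constructed for the demo.

// The server, not the client, is the price authority.
const FLIGHTS = {
  UA100: { from: 'Boston', to: 'Seattle', stops: 0, transit: 'N/A', priceUsd: 450 },
  DL220: { from: 'Boston', to: 'Seattle', stops: 2, transit: 'Newark,Chicago', priceUsd: 900 },
};

// Whitelist schema: the client may choose a flight and a passenger count, nothing else.
const ALLOWED_FIELDS = ['flightId', 'passengers'];

function parseBooking(rawJson) {
  let data;
  try {
    data = JSON.parse(rawJson);
  } catch (e) {
    return { error: 'malformed JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { error: 'expected a JSON object' };
  }
  const unexpected = Object.keys(data).filter((k) => !ALLOWED_FIELDS.includes(k));
  if (unexpected.length > 0) {
    // A client-supplied "price" lands here: reject rather than silently ignore it.
    return { error: `unexpected field(s): ${unexpected.join(', ')}` };
  }
  // Tight format check also keeps keys like "__proto__" away from the catalogue lookup.
  if (typeof data.flightId !== 'string' || !/^[A-Z]{2}\d{1,4}$/.test(data.flightId)) {
    return { error: 'invalid flightId' };
  }
  if (!Number.isInteger(data.passengers) || data.passengers < 1 || data.passengers > 9) {
    return { error: 'passengers must be an integer between 1 and 9' };
  }
  return { flightId: data.flightId, passengers: data.passengers };
}

function bookFlight(rawJson) {
  const booking = parseBooking(rawJson);
  if (booking.error) return { ok: false, error: booking.error };
  if (!Object.prototype.hasOwnProperty.call(FLIGHTS, booking.flightId)) {
    return { ok: false, error: 'unknown flight' };
  }
  const flight = FLIGHTS[booking.flightId];
  const totalUsd = flight.priceUsd * booking.passengers; // recomputed server-side every time
  return { ok: true, flightId: booking.flightId, passengers: booking.passengers, totalUsd };
}

// Output encoding for JSON placed inside a <script> block of an HTML page: the escaped
// form is still valid JSON but cannot close the script element or inject markup.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}
```

With this handler, `{"flightId":"UA100","passengers":1,"price":"$0"}` is refused because of the extra field, a non-integer passenger count or an unknown flight is refused before any pricing happens, and the only way to pay is the catalogue price times the validated passenger count.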
Example #3: Change Password
Scenarios: online services, mash-up
Characteristics
• SOAP-based Web services
• Perhaps mash-up
• HTTP or HTTPS, depends
Can I change somebody’s password?
Example #3: What’s the Issue?
SOAP Injection
What happens: Hackers try changing the password, intercept the SOAP message, tamper with it, and post it.
Result: hackers change someone’s password for future access
<?xml version='1.0' encoding='UTF-8'?> …<wsns0:Body> <wsns1:changePassword> <id xsi:type='xsd:int'>101</id> <password xsi:type='xsd:string'>bar</password> </wsns1:changePassword> </wsns0:Body> </wsns0:Envelope>
What About Flex Application…
Cross-site Flashing (XSF)
You can detect XSF using SwfIntruder
What About…
• Phishing attack
• Ad malware
• Botnet
• ActiveX controls
• Serialization security, e.g. DOJO, JQUERY
Agenda
• Detect
• Defend
• Learn
Strategy #1: Security Development Lifecycle
Remark: Show demo or examples of these artifacts
Defensive Coding: Examples
Scenarios | Sample Actions
Cross-site request forgery | Filter specific tags (e.g. <IMG>); prompt user with security token for important actions or high value transactions; shorter time period for user sessions
JSON poisoning | Client-side and server-side input validation; JavaScript output encoding; obfuscate JavaScript
SOAP injection | Use of nonce; WS-Security best practices; turn off WSDL
Strategy #2: Custom Security Test
Category | Public / Open Source | Commercial
Discovery tools | NMAP | Nessus
Web server vulnerabilities | Nikto |
Code quality* | OWASP, FindBugs | Fortify, Klocwork
Application vulnerabilities | Paros | AppScan, Hailstorm
Penetration testing | WebScarab, Paros, SwfIntruder |
Hybrid security testing = white box* + black box testing
Remark: Show demo of running different security testing tools on Roller
Agenda
• Detect
• Defend
• Learn
Lesson 1: Security Findings by Category
Lesson 2: What You Can and Can’t Do
Obvious, e.g.
• Information leakage
• Port scan
• OS fingerprinting
• Web server vulnerabilities scanner
Difficult ones, e.g.
• Cross-site Scripting
• Cross-site Request Forgery
• Denial of Service
Hard ones, e.g.
• New Web 2.0 vulnerabilities
Lesson 3: Summary
• Don’t practice penetration testing tools on production systems! “Trust no one”
• Do we know what to detect, or what to test?
• Different security testing tools provide different findings
For More Information
Concepts
• OWASP top 10 vulnerabilities: http://www.owasp.org/index.php/Category:Vulnerability
• Cannings, Dwivedi and Lackey. Hacking Exposed Web 2.0. McGraw-Hill, 2008
• Andres Andreu. Professional Pen Testing for Web Applications
• Shyamsuda and Gould. You Are Hacked. JavaOneSM Conference 2007: http://developers.sun.com/learning/javaoneonline/2007/pdf/TS-6014.pdf
Security Incident Updates
• Top 10 Web 2.0 attack vectors: http://www.net-security.org/article.php?id=949
• http://www.us-cert.gov/current/current_activity.html
• CERN: http://security.web.cern.ch/security/
• Also RSA, Microsoft, Symantec and other major security vendor websites
For More Information (cont’d)
Tutorial
• http://www.irongeek.com/i.php?page=security/hackingillustrated
Tools
• http://sectools.org/
• http://www.cotse.com/tools/
• http://www.securityhaven.com/tools.html
• http://framework.metasploit.com/
• http://www.paneuropa.co.uk/penetration_testing.htm
• http://www.owasp.org/index.php/Category:OWASP_Download